Re: [Freeipa-users] Adding user accounts
On Fri, 2011-03-25 at 20:13 +0100, Sigbjorn Lie wrote:
> Hi,
>
> Using --gidnumber when adding a new user with ipa user-add does not seem to have any effect. A GID number with the same value as what I specify with the --uid parameter is chosen. I presume this is not the way user-add is intended to work?
>
> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
> Added user mysql14
>   User login: mysql14
>   First name: MySQL
>   Last name: Server
>   Full name: MySQL Server
>   Display name: MySQL Server
>   Initials: MS
>   Home directory: /var/lib/mysql
>   GECOS field: mysql14
>   Login shell: /bin/false
>   Kerberos principal: mysq...@ix.nixtra.com
>   UID: 110
>   GID: 110
>
> Regards,
> Siggi

Hello Sigbjorn,

it is not common to manually specify a GID. Can you please tell me what your use case for doing that is? Maybe I can help with a proper way to do it.

In your case, the GID was set to the UID because it is the GID of the User Private Group mysql14, which was automatically associated with the user mysql14.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Regression in adding reverse dns records
Steven Whately wrote:
> My mistake. I was missing the trailing "."
>
> Before:
> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
>
> After:
> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa. 1
>
> Cheers
> Steve Whately

A bit of a lousy error message though. I filed https://fedorahosted.org/freeipa/ticket/1129 so we can try to improve it.

thanks

rob

> On Sat, Mar 26, 2011 at 12:11 PM, Steven Whately <ste...@whately.me> wrote:
>> Thanks for all the hard work that's gone into V2.0 GA.
>>
>> I can no longer add reverse DNS records. Either the command has changed, or the new validation added to reverse DNS records is broken.
>>
>> ipa dnsrecord-add --ptr-rec=server.example.com. 1.168.192.in-addr.arpa 1
>> ipa: ERROR: invalid 'cn': IP address must have exactly 4 components
>>
>> Cheers
>> Steve Whately
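The thread above comes down to one character: the reverse zone name passed to `ipa dnsrecord-add` was relative (no trailing dot), and the resulting validation error did not say so. The following script is an added example, not code from the thread or from FreeIPA itself. It builds the zone, record name and PTR target for an IPv4 address and runs a few sanity checks on them before anything is sent to the server; it assumes classful reverse zones (/8, /16 or /24) and follows the thread's finding that both the zone and the PTR target must be absolute names.

```python
"""Argument builder and sanity checks for IPv4 PTR records added with
`ipa dnsrecord-add`, covering the missing-trailing-dot mistake from the
thread above.

Added example, not code from the thread or from FreeIPA. Assumes
classful reverse zones (/8, /16, /24 -> X.in-addr.arpa.) and that the
zone name and the PTR target must both end with a dot.
"""
import ipaddress

ARPA = "in-addr.arpa."


def ptr_args(ip, target, zone_prefixlen=24):
    """Return (zone, name, target, argv) for an IPv4 address: the zone and
    record name `ipa dnsrecord-add` expects, plus the full command line."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    if zone_prefixlen not in (8, 16, 24):
        raise ValueError("classful reverse zones only (/8, /16, /24)")
    octets = str(addr).split(".")
    n = zone_prefixlen // 8
    # Zone holds the network octets in reverse order, e.g. 1.168.192.in-addr.arpa.
    zone = ".".join(reversed(octets[:n])) + "." + ARPA
    # Record name holds the remaining host octets, again reversed.
    name = ".".join(reversed(octets[n:]))
    if not target.endswith("."):
        target += "."  # PTR data is a hostname and must be absolute
    argv = ["ipa", "dnsrecord-add", "--ptr-rec=" + target, zone, name]
    return zone, name, target, argv


def check_ptr_args(zone, name, target):
    """Return a list of problems with a (zone, name, target) triple that is
    about to be passed to `ipa dnsrecord-add`; an empty list means it looks sane."""
    problems = []
    if not zone.endswith("."):
        # The case from the thread: a relative zone name.
        problems.append(f"zone {zone!r} is relative: add the trailing dot")
    zone_abs = zone if zone.endswith(".") else zone + "."
    if not (zone_abs == ARPA or zone_abs.endswith("." + ARPA)):
        problems.append(f"zone {zone!r} is not an IPv4 reverse zone")
        return problems
    zone_octets = [o for o in zone_abs[:-len(ARPA)].split(".") if o]
    octets = [o for o in name.split(".") if o] + zone_octets
    if len(octets) != 4:
        problems.append(f"IP address must have exactly 4 components, got {len(octets)}")
    for o in octets:
        if not (o.isdigit() and 0 <= int(o) <= 255):
            problems.append(f"{o!r} is not a valid IPv4 octet")
    if not target.endswith("."):
        problems.append(f"PTR target {target!r} is relative: add the trailing dot")
    return problems


if __name__ == "__main__":
    zone, name, target, argv = ptr_args("192.168.1.1", "server.example.com")
    print(" ".join(argv))
    print("good:", check_ptr_args(zone, name, target))
    print("bad: ", check_ptr_args("1.168.192.in-addr.arpa", "1", target))
```

Running the script prints the command line from the thread's "After" example and an empty problem list for it, while the relative zone from the "Before" example is reported explicitly as missing its trailing dot instead of the generic "exactly 4 components" message.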
Re: [Freeipa-users] Adding user accounts
Sigbjorn Lie wrote:
> Thanks.
>
> I also noticed that a group with the same GID number as the user's UID number is automatically created when creating the user account. This is a problem for existing environments that have already used the same ID number for a group.
>
> I see that even after doing a user-mod, changing the GID of the account, the private (invisible) group still exists. I'm missing an option to choose whether or not I want to create a private group for the user.

There currently isn't an option for that. You can delete a managed group this way:

$ ipa user-add --first=Tim --last=Test ttest

You now have a group ttest too, let's delete it.

$ ipa group-detach ttest
$ ipa group-del ttest

The first command detaches it from the user (this is not reversible) and the second removes it altogether.

rob

> Rgds,
> Siggi
>
> On Sat, March 26, 2011 18:21, Dmitri Pal wrote:
>> On 03/25/2011 03:13 PM, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Using --gidnumber when adding a new user with ipa user-add does not seem to have any effect. A GID number with the same value as what I specify with the --uid parameter is chosen. I presume this is not the way user-add is intended to work?
>>
>> We will take a look.
>> https://fedorahosted.org/freeipa/ticket/1127
>> Looks like a bug so I filed a ticket.
>>
>>> # ipa user-add mysql14 --first=MySQL --last=Server --homedir=/var/lib/mysql --shell=/bin/false --uid=110 --gidnumber=3004
>>> Added user mysql14
>>> [...]
>>>   UID: 110
>>>   GID: 110
>>>
>>> Regards,
>>> Siggi
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>> ---
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Ethers table?
Done, thanks.

Rgds,
Siggi

On Mon, March 28, 2011 15:49, Dmitri Pal wrote:
> On 03/28/2011 09:26 AM, Sigbjorn Lie wrote:
>> Hi,
>>
>> We're using the ethers table in NIS today to generate DHCP config files for clients so we can send different TFTP, DNS, etc. options to different clients depending on which type of machine they are (mostly Windows, Linux, etc.). At some locations we're also required to only serve IPs to clients known by MAC address.
>>
>> I'm missing an ethers table in IPA. Having the MAC address added as an attribute to the host object, and a lookup table for ethers, like hostgroup to netgroup is done, would be very useful. Any plans for this?
>
> Please file a ticket with the request and describe the requirement in as many details as you can.
> https://fedorahosted.org/freeipa
>
>> Rgds,
>> Siggi
Re: [Freeipa-users] Adding user accounts
Sigbjorn Lie wrote:
> Fantastic! Thanks. I will update my scripts.
>
> Is there any downside to doing this?

One thing I should warn you of, though, that we've run into from time to time. Some of our LDAP operations are done as post-operations, that is, they execute after the data has been returned to the client. Managed Entries (private groups) is one of these. I can definitely see the case where you try to detach a managed group that hasn't quite finished being created yet. I'd probably put a 1 or 2 second sleep after the user creation to be sure, even if it does slow things considerably.

We're working with the 389-ds devs on this. There is the tradeoff of speed vs correctness (users don't like watching a blinking prompt). Some of these post-ops could take a while.

rob

> Rgds,
> Siggi
>
> On Mon, March 28, 2011 16:02, Rob Crittenden wrote:
>> [...]
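Two practical points come out of this thread for anyone migrating NIS maps into FreeIPA 2: the automatically created User Private Group reuses the user's UID as its GID, which collides with any existing group that already owns that number, and the group is created by a post-operation plugin, so a detach issued immediately after user-add can race it. The script below is an added example, not code from the thread or from the NIS-TO-IPA scripts mentioned in it. It parses constructed sample passwd and group maps, reports UID/GID collisions and primary groups that do not exist before any account is created, and emits the per-user command sequence in the order Rob describes (create, wait, detach, delete, then set the real GID with `ipa user-mod --gidnumber`, the option Sigbjorn mentions using). The sample maps, the two-second settle delay and the way GECOS is split into first/last name are assumptions of the example.

```python
"""Pre-flight checks and a per-user command plan for a NIS-to-IPA migration
that has to work around FreeIPA 2's automatic User Private Groups (UPG).

Added example, not code from the thread or from the NIS-TO-IPA scripts it
links to. The passwd and group maps below are constructed sample data.
Assumed behaviour, as described in the thread: `ipa user-add` creates a
managed group with GID == UID and ignores --gidnumber; that group is
created by a post-operation plugin, so a short settle delay is needed
before `ipa group-detach`.
"""

# Constructed sample NIS maps in passwd(5) / group(5) format.
PASSWD_MAP = """\
mysql14:x:110:3004:MySQL Server:/var/lib/mysql:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:500:100:Bob:/home/bob:/bin/bash
"""

GROUP_MAP = """\
dbadmins:x:110:alice
users:x:100:
alice:x:1001:
wheel:x:10:alice,bob
"""


def parse_passwd(text):
    """Map login -> (uid, gid, gecos) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]), f[4])
    return users


def parse_group(text):
    """Map gid -> group name from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            groups[int(f[2])] = f[0]
    return groups


def upg_collisions(users, groups):
    """Users whose UID is already a GID owned by a differently named group.
    The auto-created private group would reuse that number, so two group
    names would resolve to one numeric GID and membership in either would
    grant the other's file permissions. Returns [(login, uid, group), ...]."""
    hits = []
    for login, (uid, _gid, _gecos) in sorted(users.items()):
        owner = groups.get(uid)
        if owner is not None and owner != login:
            hits.append((login, uid, owner))
    return hits


def missing_primary_groups(users, groups):
    """Users whose NIS primary GID has no entry in the group map, so the
    final `ipa user-mod --gidnumber` would point at a group that does not
    exist in IPA. Returns [(login, gid), ...]."""
    return sorted((login, gid) for login, (_uid, gid, _gecos) in users.items()
                  if gid not in groups)


def plan_for(login, uid, gid, gecos, settle_seconds=2):
    """Command sequence for one user, in the order the thread gives: create
    the user, wait for the Managed Entries post-op to finish, detach and
    delete the private group, then set the real primary GID."""
    first, _, last = gecos.partition(" ")  # assumption: "First Last" in GECOS
    return [
        ["ipa", "user-add", login, f"--first={first}", f"--last={last or first}", f"--uid={uid}"],
        ["sleep", str(settle_seconds)],  # let the post-op plugin create the UPG
        ["ipa", "group-detach", login],  # not reversible
        ["ipa", "group-del", login],
        ["ipa", "user-mod", login, f"--gidnumber={gid}"],
    ]


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_MAP), parse_group(GROUP_MAP)
    print("UPG collisions:", upg_collisions(users, groups))
    print("missing primary groups:", missing_primary_groups(users, groups))
    for login, (uid, gid, gecos) in sorted(users.items()):
        for argv in plan_for(login, uid, gid, gecos):
            print(" ".join(argv))
```

With the sample maps, mysql14 is flagged twice: its UID 110 is already the GID of dbadmins, so the private group would share that number, and its intended primary GID 3004 has no group to be assigned to. Both should be resolved before the plan is executed; the alice entry, whose UID-numbered group carries the same name, is deliberately not reported because that is exactly the private-group layout IPA would create anyway.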
Re: [Freeipa-users] Adding user accounts
On 03/28/2011 10:50 AM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>> Fantastic! Thanks. I will update my scripts.
>>
>> Is there any downside to doing this?
>
> One thing I should warn you of, though, that we've run into from time to time. Some of our LDAP operations are done as post-operations, that is, they execute after the data has been returned to the client. Managed Entries (private groups) is one of these. I can definitely see the case where you try to detach a managed group that hasn't quite finished being created yet. I'd probably put a 1 or 2 second sleep after the user creation to be sure, even if it does slow things considerably.
>
> We're working with the 389-ds devs on this. There is the tradeoff of speed vs correctness (users don't like watching a blinking prompt). Some of these post-ops could take a while.

I think we should seriously consider a -noprivategroup option

> rob
>
>> Rgds,
>> Siggi
>>
>> On Mon, March 28, 2011 16:02, Rob Crittenden wrote:
>>> [...]
[Freeipa-users] FreeIPA 2 on F14
Hello

Just tried to install 2.0 on an F14. It tells me that freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but only 1.2.7 is available. Can I also use 389-ds-base-1.2.7, and is it actually possible to install freeipa on F14? I wouldn't like to use F15 because it's already beta.

Regards
Roland

--
--
Those who give up their freedom in favour of security will in the end have neither - and do not deserve either. (Benjamin Franklin)
--
Re: [Freeipa-users] FreeIPA 2 on F14
Hello

Thanks a lot. Worked fine. FreeIPA is up and running. Btw: thanks for all the development work on it.

Sorry for this additional off-topic question: the IPA server is part of a pilot project to establish a new network software stack based on FreeIPA and OpenAFS for a company-wide authentication and network file system. I did some extended googling on setting up OpenAFS but couldn't find good documentation for it. Do you know of some good howtos to install OpenAFS and integrate it with Kerberos?

Regards
Roland

----- Original message -----
From: Rob Crittenden <rcrit...@redhat.com>
To: Roland Käser <roland.kae...@intersoft-networks.ch>
CC: freeipa-users@redhat.com
Sent: Monday, 28 March 2011 18:11:56
Subject: Re: [Freeipa-users] FreeIPA 2 on F14

Roland Kaeser wrote:
> Hello
>
> Just tried to install 2.0 on an F14. It tells me that freeipa-server-2.0rc3 requires 389-ds-base 1.2.8 but only 1.2.7 is available. Can I also use 389-ds-base-1.2.7, and is it actually possible to install freeipa on F14? I wouldn't like to use F15 because it's already beta.
>
> Regards
> Roland

I didn't add the 2.0.0 GA builds to our devel repo. The GA release is in Fedora 15 and rawhide.

The problem with Fedora 14 is we require dogtag 9 and while it works fine the dogtag team hasn't really done a lot of their own testing and AFAIU don't want to certify that it works in production. I did a great majority of the IPA development in F-14 and dogtag really works fine there, but I'm not sure I'd want to put my infrastructure on non-official bits.

That said, it should work fine, you'd just have to build it yourself. You should be able to get the F-15 srpm from http://koji.fedoraproject.org/koji/buildinfo?buildID=235696 and do a mock build of it:

mock -r fedora-14-x86_64 freeipa-2.0.0-1.fc15.src.rpm

You'll also want to enable updates-testing and add this repo to get dogtag to actually install:

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

regards

rob

--
InterSoft Networks
Roland Käser, Systems Engineer OpenSource
Fulachstr. 197, 8200 Schaffhausen
Tel: +41 77 415 79 11
--
Re: [Freeipa-users] Adding user accounts
I have updated the NIS-TO-IPA scripts with the suggestions for private group workarounds from Rob, and the license has been updated to GPL v3 as suggested by Dmitri. The download link is still the same:
http://www.nixtra.com/ipa/NIS-TO-IPA-current.php

A -noprivategroup option is very much welcome. Shall I open a request in bugzilla?

Rgds,
Siggi

On 03/28/2011 04:56 PM, Dmitri Pal wrote:
> On 03/28/2011 10:50 AM, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>> Fantastic! Thanks. I will update my scripts.
>>>
>>> Is there any downside to doing this?
>>
>> One thing I should warn you of, though, that we've run into from time to time. Some of our LDAP operations are done as post-operations, that is, they execute after the data has been returned to the client. Managed Entries (private groups) is one of these. I can definitely see the case where you try to detach a managed group that hasn't quite finished being created yet. I'd probably put a 1 or 2 second sleep after the user creation to be sure, even if it does slow things considerably.
>>
>> We're working with the 389-ds devs on this. There is the tradeoff of speed vs correctness (users don't like watching a blinking prompt). Some of these post-ops could take a while.
>
> I think we should seriously consider a -noprivategroup option
>
>> rob
>>
>>> Rgds,
>>> Siggi
>>>
>>> On Mon, March 28, 2011 16:02, Rob Crittenden wrote:
>>>> [...]
[Freeipa-users] FreeIPA 2 on F14/RHEl 6.1
Hi.

I see IPA 2.0 is F15... uh. Is free-ipa 2.0 going to be put into RHEL 6.1? I.e. I'm assuming that F14 will become 6.1, sometime in the next few months? Or should I assume that since ipa2.0 is in F15 only, we won't see anything vaguely usable till 6.2 sometime near the end of the year?

The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and Shibboleth-type stuff to test our systems; that's a lot of work to re-do. So should I abandon IPA on F14 and go to F15, and then delay things until the end of the year? Or next year? What is the roadmap pls?

regards
[Freeipa-users] FreeIPA 2 on F14 / RHEL 6.1
Hi.

Is free-ipa going to be put into RHEL 6.1? I.e. I'm assuming that F14 will become 6.1? Or should I assume that since ipa2 is in F15 we won't see anything till 6.2 sometime near the end of the year?

I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

I have to put together a huge virtualised test bed to test our systems; that's a lot of work to re-do. So should I abandon F14 and go to F15 and then delay things until the end of the year? Or next year?

regards
Re: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1
On 03/28/2011 05:30 PM, Steven Jones wrote:
> Hi.
>
> I see IPA 2.0 is F15... uh. Is free-ipa 2.0 going to be put into RHEL 6.1? I.e. I'm assuming that F14 will become 6.1, sometime in the next few months? Or should I assume that since ipa2.0 is in F15 only, we won't see anything vaguely usable till 6.2 sometime near the end of the year?
>
> The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept), so I'm assuming it will be available in 6.1 with full capability in 6.2... is this a correct assumption?

Your assumption is correct. IPA is planned for 6.1 as a tech preview in the same shape as FreeIPA v2. We will be working on 2.1 for several months now. It will be a stabilization release. See the trac instance for the list of the issues we plan to address. The intent is to have 2.1, or core parts of it, ported to RHEL and released as a fully supported version in 6.2. So I guess you do not need to delay or abandon your plans.

Hope this helps.

> So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and Shibboleth-type stuff to test our systems; that's a lot of work to re-do. So should I abandon IPA on F14 and go to F15, and then delay things until the end of the year? Or next year? What is the roadmap pls?
>
> regards
[Freeipa-users] replica install failure....
Just tried to make a replica and the install failed with:

  [4/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IPA.AC.NZ -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IPA.AC.NZ -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IPA.AC.NZ -ca_server_cert_subject_name CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ -ca_audit_signing_cert_subject_name CN=CA Audit,O=IPA.AC.NZ -ca_sign_cert_subject_name CN=Certificate Authority,O=IPA.AC.NZ -external false -clone true -clone_p12_file ca.p12 -clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

[root@fed14-64-ipam002 jonesst1]#