Re: [Freeipa-users] adding group fails with Type or value exists
On 11/16/2012 12:48 AM, Qing Chang wrote:
> On 15/11/2012 6:10 PM, John Dennis wrote:
>> On 11/15/2012 04:21 PM, Qing Chang wrote:
>>> Adding group produces error message "Type or value exists" and fails.
>>> As shown below, I tried a few different group names to ensure that
>>> there are no duplicates:
>>>
>>> [root@ipa1 ~]# ipa -d group-add example --desc=Test
>>> ipa: DEBUG: Caught fault 4203 from server http://ipa1/ipa/xml: Type or value exists:
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Type or value exists:
>>>
>>> Saw in a thread in March, it did not appear there was a resolution.
>>
>> Hello Qing:
>>
>> What version of ipa are you using? Which distribution (e.g. F17, RHEL 6.3)?
>
> ipa-admintools.x86_64          2.2.0-16.el6    @rhel-x86_64-server-6
> ipa-client.x86_64              2.2.0-16.el6    @rhel-x86_64-server-6
> ipa-pki-ca-theme.noarch        9.0.3-7.el6     @rhel-x86_64-server-6
> ipa-pki-common-theme.noarch    9.0.3-7.el6     @rhel-x86_64-server-6
> ipa-python.x86_64              2.2.0-16.el6    @rhel-x86_64-server-6
> ipa-server.x86_64              2.2.0-16.el6    @rhel-x86_64-server-6
> ipa-server-selinux.x86_64      2.2.0-16.el6    @rhel-x86_64-server-6
> libipa_hbac.x86_64             1.8.0-32.el6    @rhel-x86_64-server-6
> libipa_hbac-python.x86_64      1.8.0-32.el6    @rhel-x86_64-server-6
> python-iniparse.noarch         0.3.1-2.1.el6   @anaconda-RedHatEnterpriseLinux-20171049.x86_64/6.2
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>
> Thanks,
> Qing

Hello Qing,

did you by any chance modify the list of default group objectclasses? I managed to reproduce the same error by adding posixgroup to the list:

# ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,posixgroup
...
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup
...
# ipa group-add foo --desc foo
ipa: ERROR: Type or value exists:

posixgroup should not be in the list as it is later added in group-add command when the group is non-posix.

In my case, remedy was simple:

# ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject
# ipa group-add foo --desc foo
-----------------
Added group "foo"
-----------------
  Group name: foo
  Description: foo
  GID: 67447

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
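A preflight check for the situation Martin describes, added here as an example (it is not FreeIPA's own code): it models the objectClass merge that group-add performs on top of the configured --groupobjectclasses list, where posixgroup is appended by group-add itself for POSIX groups (the default, i.e. unless --nonposix is given), and flags the duplicate value the directory server rejects as "Type or value exists". Function and class names are this example's own.

```python
"""Preflight check for the FreeIPA default group objectclass list.

Added example, not FreeIPA code: models what group-add does with the
value set by "ipa config-mod --groupobjectclasses" and detects the
duplicate objectClass value that LDAP rejects (attributeOrValueExists).
"""

# Class that group-add appends itself for POSIX groups (unless --nonposix).
POSIX_CLASS = "posixgroup"

# Default list shipped with IPA 2.2, as shown in the thread (without posixgroup).
IPA_DEFAULT_GROUP_CLASSES = ["top", "groupofnames", "nestedgroup",
                             "ipausergroup", "ipaobject"]


class TypeOrValueExists(Exception):
    """Stands in for the LDAP attributeOrValueExists error (result code 20)."""


def effective_objectclasses(config_classes, nonposix=False):
    """Return the objectClass values a new group entry would carry.

    Configured classes come first, then posixgroup for POSIX groups.
    objectClass values compare case-insensitively, so a repeated value
    raises TypeOrValueExists, which is what the ipa client reports.
    """
    classes = list(config_classes)
    if not nonposix:
        classes.append(POSIX_CLASS)
    seen = set()
    for oc in classes:
        key = oc.lower()
        if key in seen:
            raise TypeOrValueExists("objectClass value %r duplicated" % oc)
        seen.add(key)
    return classes


def check_group_config(config_value):
    """Parse a comma-separated config-mod value and report problems.

    Returns (ok, cleaned): ok is False when group-add would fail with the
    configured list; cleaned is the list to set instead (posixgroup and
    repeated values removed, original order kept).
    """
    configured = [c.strip() for c in config_value.split(",") if c.strip()]
    cleaned = []
    for oc in configured:
        if oc.lower() != POSIX_CLASS and oc.lower() not in [c.lower() for c in cleaned]:
            cleaned.append(oc)
    try:
        effective_objectclasses(configured)
    except TypeOrValueExists:
        return False, cleaned
    return True, cleaned


if __name__ == "__main__":
    broken = "top,groupofnames,nestedgroup,ipausergroup,ipaobject,posixgroup"
    ok, fixed = check_group_config(broken)
    print("config ok" if ok else "group-add would fail with: Type or value exists")
    print("ipa config-mod --groupobjectclasses=" + ",".join(fixed))
```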
[Freeipa-users] failure to register dns on joining IPA domain
hi,

this is a part of ipaclient-install.log

2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt :
zone ipa.domain.tld.
update delete host.ipa.domain.tld. IN SSHFP
send
update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E687689307F4ADCF3
update add host.ipa.domain.tld. 1200 IN SSHFP 2 1 0E48943001D3BFB1C0B272C4787C74C7003DB5CD
send

2012-11-16T12:12:32Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2012-11-16T12:12:32Z DEBUG stdout=
2012-11-16T12:12:32Z DEBUG stderr=update failed: SERVFAIL

I can manually add the A record, but it would be nice to have the sshfp records automatically added as well :-)

What can be possibly going wrong? This is in a test centos 6.3 environment (fully patched).

-- 
Groeten,
natxo
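The nsupdate script in the log above, rebuilt from a host's public keys as an added example (this is not ipa-client-install's code): SSHFP rdata is the RFC 4255 algorithm number (1 for ssh-rsa, 2 for ssh-dss), fingerprint type 1 (SHA-1) and the SHA-1 of the raw key blob, which lets an administrator check that what ended up in DNS matches the keys the host really presents. The key blobs below are constructed bytes, not real keys, and the function names are this example's own.

```python
"""Rebuild ipa-client-install's SSHFP nsupdate script from OpenSSH public keys.

Added example, not IPA code. Fingerprints follow RFC 4255: SHA-1 over the
decoded key blob, published as upper-case hex.
"""
import base64
import hashlib

# RFC 4255 algorithm numbers for the key types OpenSSH on EL6 ships.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def sshfp_from_pubkey(pubkey_line):
    """Return (algorithm, fptype, hex_fingerprint) for one public-key line.

    The line has the authorized_keys layout "<type> <base64 blob> [comment]".
    Key types without a number in SSHFP_ALGORITHM raise KeyError.
    """
    keytype, blob_b64 = pubkey_line.split()[:2]
    algorithm = SSHFP_ALGORITHM[keytype]
    digest = hashlib.sha1(base64.b64decode(blob_b64)).hexdigest().upper()
    return algorithm, SSHFP_FPTYPE_SHA1, digest


def build_nsupdate_script(zone, fqdn, pubkey_lines, ttl=1200):
    """Return nsupdate command text in the logged order: select the zone,
    delete every SSHFP record of the host, send, add one record per key, send."""
    zone = zone.rstrip(".") + "."
    fqdn = fqdn.rstrip(".") + "."
    lines = ["zone %s" % zone, "update delete %s IN SSHFP" % fqdn, "send"]
    for line in pubkey_lines:
        alg, fptype, fp = sshfp_from_pubkey(line)
        lines.append("update add %s %d IN SSHFP %d %d %s" % (fqdn, ttl, alg, fptype, fp))
    lines.append("send")
    return "\n".join(lines) + "\n"


def sshfp_matches(pubkey_line, dns_rdata):
    """Check an SSHFP rdata string ("1 1 <hex>") from DNS against a host key.

    Hex comparison is case-insensitive; False means the published record
    does not belong to the key the host presents.
    """
    alg, fptype, fp = dns_rdata.split()
    return sshfp_from_pubkey(pubkey_line) == (int(alg), int(fptype), fp.upper())


# Constructed sample "keys": arbitrary bytes standing in for real key blobs.
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(b"constructed-rsa-blob").decode() + " host"
SAMPLE_DSS = "ssh-dss " + base64.b64encode(b"constructed-dss-blob").decode() + " host"

if __name__ == "__main__":
    print(build_nsupdate_script("ipa.domain.tld", "host.ipa.domain.tld",
                                [SAMPLE_RSA, SAMPLE_DSS]), end="")
```

On a real host the public-key lines come from /etc/ssh/ssh_host_*_key.pub, and the DNS side from `dig +short SSHFP host.ipa.domain.tld`.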
Re: [Freeipa-users] failure to register dns on joining IPA domain
On 11/16/2012 01:29 PM, Natxo Asenjo wrote:
> hi,
>
> this is a part of ipaclient-install.log
>
> 2012-11-16T12:12:32Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt :
> zone ipa.domain.tld.
> update delete host.ipa.domain.tld. IN SSHFP
> send
> update add host.ipa.domain.tld. 1200 IN SSHFP 1 1 904DA80AD2554ABEC354599E687689307F4ADCF3
> update add host.ipa.domain.tld. 1200 IN SSHFP 2 1 0E48943001D3BFB1C0B272C4787C74C7003DB5CD
> send
>
> 2012-11-16T12:12:32Z DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
> 2012-11-16T12:12:32Z DEBUG stdout=
> 2012-11-16T12:12:32Z DEBUG stderr=update failed: SERVFAIL
>
> I can manually add the A record, but it would be nice to have the sshfp records automatically added as well :-)
>
> What can be possibly going wrong? This is in a test centos 6.3 environment (fully patched).

Hello,

do you use IPA managed DNS or own DNS server?

Please provide logs from named if you use IPA managed DNS, ideally with higher debug level.

1) Modify log severity in /etc/named.conf on your DNS server:

logging {
        channel default_debug {
                file "data/named.run";
                severity debug 10;
        };
};

2) restart named
$ service named restart

3) install a new client - and hope for failure

4) send file /var/named/data/named.run to me

I will look into it. Thank you for bug report!

-- 
Petr^2 Spacek
[Freeipa-users] sssd cache
hi,

when running getent netgroup netgroupname I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO).

According to https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html I can clean records with sss_cache, but this command is not available. Running yum whatprovides */sss_cache finds nothing either.

I ended up wiping the cache and restarting the sssd daemon to have it working, but there should be another way I have missed.

Do you have any ideas? TIA.

-- 
Groeten,
natxo
Re: [Freeipa-users] sssd cache
On Fri 16 Nov 2012 08:56:59 AM EST, Natxo Asenjo wrote:
> On Fri, Nov 16, 2012 at 2:52 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>> hi,
>>
>> when running getent netgroup netgroupname I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO).
>>
>> According to https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html I can clean records with sss_cache, but this command is not available.
>
> ahem ... this is in sssd-tools, which is in the 2nd dvd iso which is not in my local mirror (just the first one). Sorry for the noise.

Two points here.

1) sss_cache is moving to the main package in RHEL 6.4, so you won't have to install the separate sssd-tools package for it.

2) You might also look at the manpage for entry_cache_netgroup_timeout. If you want to have a shorter timeout period for netgroups, you can set it individually (starting with SSSD 1.8.0, IIRC). I'd suggest not setting it shorter than 10s for performance reasons though.
Re: [Freeipa-users] sssd cache
Hello

On Fri, Nov 16, 2012 at 7:22 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
> hi,
>
> when running getent netgroup netgroupname I get old entries. Apparently sssd is being helpful :-) and caching info, but it should not do it when I am connected to the domain (IMHO).
>
> According to https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-cache.html I can clean records with sss_cache, but this command is not available. Running yum whatprovides */sss_cache finds nothing either.

sss_cache is shipped with the sssd-tools package, which can be found in the Red Hat Enterprise Linux Server optional or EPEL optional repository. I guess we have a bugzilla opened to move the sssd-tools package into the base channel; as of now you can download it from the optional channel.

> I ended up wiping the cache and restarting the sssd daemon to have it working, but there should be another way I have missed.
>
> Do you have any ideas? TIA.
>
> --
> Groeten,
> natxo

Regards
Arpit Tolani
[Freeipa-users] Problem adding DNS Zones
Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here?

# ipa dnszone-add 0.pool.ntp.org --name-server=dns.project.net --admin-email=r...@project.net
ipa: ERROR: Nameserver 'dns.project.net' does not have a corresponding A/ record
# ipa dnsrecord-find project.net dns
  Record name: dns
  A record: a.b.c.d
----------------------------
Number of entries returned 1
----------------------------
# host dns.project.net
dns.project.net has address a.b.c.d
#

-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman
Re: [Freeipa-users] Problem adding DNS Zones
On 11/16/2012 04:11 PM, Bret Wortman wrote:
> Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here?
>
> # ipa dnszone-add 0.pool.ntp.org --name-server=dns.project.net --admin-email=r...@project.net
> ipa: ERROR: Nameserver 'dns.project.net' does not have a corresponding A/ record
> # ipa dnsrecord-find project.net dns
>   Record name: dns
>   A record: a.b.c.d
> ----------------------------
> Number of entries returned 1
> ----------------------------
> # host dns.project.net
> dns.project.net has address a.b.c.d
> #
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman

Hello Bret,

can you try reloading the httpd server where your IPA server is being run? This issue can happen if you for example change the nameserver in /etc/resolv.conf during httpd run time. The Python framework in this httpd server would still be initialized with the old nameserver address and may not be able to resolve the address.

Second note: it is safer to use the --name-server option in a FQDN form, i.e. "dns.project.net." instead of "dns.project.net". With newer IPA versions, a nameserver set to "dns.project.net" would effectively mean this FQDN: "dns.project.net.0.pool.ntp.org."

HTH,
Martin
Re: [Freeipa-users] Problem adding DNS Zones
On 11/16/2012 04:11 PM, Bret Wortman wrote:
> Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here?
>
> # ipa dnszone-add 0.pool.ntp.org --name-server=dns.project.net --admin-email=r...@project.net
> ipa: ERROR: Nameserver 'dns.project.net' does not have a corresponding A/ record
> # ipa dnsrecord-find project.net dns
>   Record name: dns
>   A record: a.b.c.d
> ----------------------------
> Number of entries returned 1
> ----------------------------
> # host dns.project.net
> dns.project.net has address a.b.c.d
> #
>
> --
> Bret Wortman
> The Damascus Group
> Fairfax, VA
> http://bretwortman.com/
> http://twitter.com/BretWortman

Hi,

this may be a known bug: https://fedorahosted.org/freeipa/ticket/3063

is this 100% reproducible in your set-up?

Tomas
Re: [Freeipa-users] adding group fails with Type or value exists
On 16/11/2012 3:25 AM, Martin Kosek wrote:
> On 11/16/2012 12:48 AM, Qing Chang wrote:
> [...]
>
> Hello Qing,
>
> did you by any chance modify the list of default group objectclasses? I managed to reproduce the same error by adding posixgroup to the list:
>
> # ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,posixgroup
> ...
>   Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup
> ...
> # ipa group-add foo --desc foo
> ipa: ERROR: Type or value exists:
>
> posixgroup should not be in the list as it is later added in group-add command when the group is non-posix.
>
> In my case, remedy was simple:
>
> # ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject
> # ipa group-add foo --desc foo
> -----------------
> Added group "foo"
> -----------------
>   Group name: foo
>   Description: foo
>   GID: 67447
>
> Martin

Brilliant observation, I do have posixgroup added thinking that's necessary to ensure posix group is created... Removed and works.

Many thanks,
Qing
Re: [Freeipa-users] Problem adding DNS Zones
Hello,

you didn't specify IPA version, OS version etc., so my reply will be valid for latest IPA master but not necessarily for your version:

You are trying to use a name server from another zone so you have to enter an absolute DNS name. Value "dns.project.net" is missing the trailing dot, so the DNS name was read as relative. As a result the zone origin (i.e. 0.pool.ntp.org) was appended to the name - and not found in (empty!) zone 0.pool.ntp.org.

You have to specify --ip-address if you want to create a new NS record with a relative name. The --ip-address and --name-server combination will create an NS+A record pair.

Petr^2 Spacek

On 11/16/2012 04:11 PM, Bret Wortman wrote:
> Using FreeIPA on a private network (where it's easier to just alias our own servers to these names than to edit config file after config file). Any idea what I'm doing wrong here?
>
> # ipa dnszone-add 0.pool.ntp.org --name-server=dns.project.net --admin-email=r...@project.net
> ipa: ERROR: Nameserver 'dns.project.net' does not have a corresponding A/ record
> # ipa dnsrecord-find project.net dns
>   Record name: dns
>   A record: a.b.c.d
> ----------------------------
> Number of entries returned 1
> ----------------------------
> # host dns.project.net
> dns.project.net has address a.b.c.d
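The relative-versus-absolute name rule Petr describes, as an added example (not IPA's own code): qualify() appends the zone origin to any name that does not end in a dot, so "dns.project.net" given while creating 0.pool.ntp.org is looked up as dns.project.net.0.pool.ntp.org., and check_zone_add() models the nameserver validation, including the --ip-address path that creates an NS+A pair. The function names, the in-memory record store and the 192.0.2.x addresses are this example's own constructions.

```python
"""How dnszone-add reads --name-server: added example, not IPA code.

A DNS name without a trailing dot is relative and gets the zone origin
appended (master-file semantics); only a name ending in '.' is absolute.
"""


class ZoneAddError(Exception):
    """Stands in for the "ipa: ERROR:" line the client prints."""


def qualify(name, origin):
    """Return the absolute form of name under origin.

    A name ending in '.' is already absolute and is returned unchanged;
    '@' means the origin itself; anything else is relative to the origin.
    """
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return "%s.%s" % (name, origin)


def check_zone_add(zone, name_server, records, ip_address=None):
    """Model the nameserver validation of dnszone-add.

    records maps absolute names to {"A": [...], "AAAA": [...]} as IPA DNS
    sees them. Without --ip-address the nameserver must already resolve;
    with it, an NS+A record pair is created for the (relative) name.
    Returns the list of (owner, type, value) records that would be created.
    """
    origin = zone.rstrip(".") + "."
    ns_fqdn = qualify(name_server, origin)
    created = [(origin, "NS", ns_fqdn)]
    if ip_address is not None:
        created.append((ns_fqdn, "A", ip_address))
        return created
    have = records.get(ns_fqdn, {})
    if not have.get("A") and not have.get("AAAA"):
        raise ZoneAddError(
            "Nameserver %r does not have a corresponding A or AAAA record" % ns_fqdn)
    return created


# Constructed sample store: only the absolute name has an address.
SAMPLE_RECORDS = {"dns.project.net.": {"A": ["192.0.2.10"]}}

if __name__ == "__main__":
    for ns in ("dns.project.net", "dns.project.net."):
        try:
            print(ns, "->", check_zone_add("0.pool.ntp.org", ns, SAMPLE_RECORDS))
        except ZoneAddError as e:
            print(ns, "->", "ipa: ERROR:", e)
```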
Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
On 11/16/2012 10:59 AM, Qing Chang wrote:
> just migrated all my users from OpenLDAP and MIT Kerberos to IPA. Out of more than 400 users, there are around 10 that have problems accessing Samba or Dovecot IMAP or ssh. They never have problems logging in to ipa/ipa/ui/login.html.
>
> For Dovecot IMAP the following error is generated:
> =====
> Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=uesrid rhost=IP user=userid
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=useris
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error)

Hello Qing

There are several things to do:

1) Compare entries of the users that login with no problems and users that have problems. There might be some attributes different (absent/present). That might give a hint of what might be wrong. We have seen some issues in this area related to Samba.

2) Can you please enable the higher debug_level in SSSD and provide the SSSD logs + sssd.conf? That would help to see what is going on with the user that is failing.

3) Also if you can describe your environment of how all the parts work together and what are the workflows in which you see the problem/issue. I am personally not familiar with Dovecot in details so I assume that Dovecot is configured to use PAM for the authentication and the snippet above is from that authentication. Is this the correct assumption?

Thanks
Dmitri

> =====
> For Samba, it appears that a mapping request never gets to the Samba server because nothing is logged for a problematic user ID although I have turned on excessive logging.
>
> What is really frustrating is that there is no pattern to be found, even my fellow Sysadmin's ID is also in trouble. Also, in his case, he has no problem with Dovecot. For another user ID Samba works but not Dovecot.
>
> It looks to me there might be some problem with sssd on the different servers?
>
> BTW, for at least one user, creating a brand new account for samba did not work either, while the trick worked for another user :-(.
>
> Please shed some light on this. I don't mind opening a case with RedHat support if necessary.
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-server.x86_64      2.2.0-16.el6   @rhel-x86_64-server-6
> sssd.x86_64            1.8.0-32.el6   @rhel-x86_64-server-6
> sssd-client.x86_64     1.8.0-32.el6   @rhel-x86_64-server-6
>
> TIA,
> Qing

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] testing cross realm trusts
Hi

I'm trying to setup a cross realm trust with AD using directions here:
http://freeipa.org/page/IPAv3_testing_AD_trust#Prepare_FreeIPA_server_for_trusts

I got all the way to creating the trust, but then I get:

[root@ipa1 slapd-IPA-TEST]# ipa trust-add --type=ad msad.test --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: invalid Gettext('ID range exists', domain='ipa', localedir=None): ID range already exists, must be added manually
[root@ipa1 slapd-IPA-TEST]#

freeipa packages on my box:
freeipa-client-3.0.0.rc1-0.fc17.x86_64
freeipa-python-3.0.0.rc1-0.fc17.x86_64
freeipa-admintools-3.0.0.rc1-0.fc17.x86_64
freeipa-server-selinux-3.0.0.rc1-0.fc17.x86_64
freeipa-server-trust-ad-3.0.0.rc1-0.fc17.x86_64
freeipa-server-3.0.0.rc1-0.fc17.x86_64

Thanks,
Brian
[Freeipa-users] FreeIPA on a dual boot system
Hi fellow FreeIPA users!

I just got my FreeIPA set up perfectly and I was wondering if it's possible to set it up in the other OS in a dual boot configuration. Since I'm still on the same computer (therefore, the same MAC address), ipa-client-install fails saying that I'm already joined to the domain. Is there anything I can do to allow the dual booted OS to join? Do I need to change my network configuration?

Thanks in advance!
Xiao-Long Chen