Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-18 Thread Sigbjorn Lie

On Tue, December 18, 2012 08:28, Johan Petersson wrote:
 Hi,


 We are implementing IPA Server and are going to need to be able to 
 authenticate properly with a
 number of Solaris 11 servers. I have browsed the archives and found a few 
 threads mentioning some
 problems with Solaris 11 and IPA Server. Does anyone know if the issues have 
 been solved?



I don't think there are any problems with Solaris 11, except that nobody has yet
sat down and figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and
found that there were enough differences in the LDAP/Kerberos client between
Solaris 10 and Solaris 11 to keep it from working with the setup guide I've
created for Solaris 10. Further investigation was needed to find out how to
configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.

I don't know if anyone else has had time to sit down and have a crack at this?


Regards,
Siggi


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
 On 12/17/2012 03:11 PM, KodaK wrote:
  I'm attempting to install Satellite in my IPA domain.  There is a
  ridiculous requirement that the group dba must not already exist
  prior to installing.  Red Hat support wanted me to *remove* the DBA
  group and then install.
 
  Anyway, I'm trying to play around with filter_groups in sssd, and I
  can't seem to get it to take.  The man page isn't exactly clear, but
  here's what I've tried:
 
  filter_groups = dba
  filter_groups= dba@fqdn
 
  In the [domain], [sssd] and [nss] sections of the config file.
 
  What's the right syntax?  Do I need it in every section?
 
 Is it a local group or a central group?

Where Dmitri's question is headed is that if dba is a local group (aka
stored in /etc/passwd), then the SSSD should be queried at all.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
 On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
  On 12/17/2012 03:11 PM, KodaK wrote:
   I'm attempting to install Satellite in my IPA domain.  There is a
   ridiculous requirement that the group dba must not already exist
   prior to installing.  Red Hat support wanted me to *remove* the DBA
   group and then install.
  
   Anyway, I'm trying to play around with filter_groups in sssd, and I
   can't seem to get it to take.  The man page isn't exactly clear, but
   here's what I've tried:
  
   filter_groups = dba
   filter_groups= dba@fqdn
  
   In the [domain], [sssd] and [nss] sections of the config file.
  
   What's the right syntax?  Do I need it in every section?
  
  Is it a local group or a central group?
 
 Where Dmitri's question is headed is that if dba is a local group (aka
 stored in /etc/passwd), then the SSSD should be queried at all.
  ^^^
/etc/group obviously



Re: [Freeipa-users] FreeIPA and Samba 4

2012-12-18 Thread Simo Sorce
On Mon, 2012-12-17 at 22:48 -0500, William Muriithi wrote:
   I know this may be a loaded question, but I am asking it anyways.
  
  
   Can anyone tell me what the current status and future plan for
 IPA /
   Samba 4 is?
 
  We plan to support setting up trusts with Samba4 just like we do
 with AD
  when Samba4 will start supporting Cross-forest trusts. It currently
  doesn't.
 
  Simo.
 
 Yes, it's amazing samba4 has finally gone GA. I plan to set up an
 instance as a backup AD to the existing AD some day when I get some time.
 Not well documented though; I wish there were a well-written book on it.
 Anyway, a backup AD would be the best way to get some experience, I am
 assuming.
 
 A related question, would there be any need to have a replica when
 using trust if the AD is just one instance?  What I am asking in
 another way is, if the AD fail, wouldn't the FreeIPA fail to
 authenticate users till AD issues are fixed?

It depends on the case.

In general the answer would be yes, however.
- if you already have a cross-realm TGT you should still be able to
access all IPA services as the AD KDC is not required until a renew is
necessary.
- if you do password based logins then sssd may cache offline
credentials and still let you in (but you will not have a TGT, so you
may not use kerberized services).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Simo Sorce
On Tue, 2012-12-18 at 05:24 +, Johan Petersson wrote:
 Hi,
 
 Unfortunately I still get the same error from the Appliance even after having 
 added both host and nfs principals in the IPA web interface.
 
 failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
  43787522 (Operation requires ``add'' privilege)
 
 I get the impression that the Appliance does not recognize existing 
 principals since I still get the same "create principal" error.
 So it seems that it does not cope with pre-existing principals, at least not 
 from IPA Server.
 I will contact Oracle about this issue and see what they say.

Is there any support for using this appliance in an Active Directory
domain? It is possible that they have alternative instructions there.
IIRC AD also does not allow you to create principals via the kadmin
interface. However, they may have tied the 'AD option', if any, in knots so
that it also doesn't work with anything but a real AD.

It would be nice to hear how Oracle justifies requiring high credentials
on an appliance otherwise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
 On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
  On 12/17/2012 03:11 PM, KodaK wrote:
   I'm attempting to install Satellite in my IPA domain.  There is a
   ridiculous requirement that the group dba must not already exist
   prior to installing.  Red Hat support wanted me to *remove* the DBA
   group and then install.
  
   Anyway, I'm trying to play around with filter_groups in sssd, and I
   can't seem to get it to take.  The man page isn't exactly clear, but
   here's what I've tried:
  
   filter_groups = dba
   filter_groups= dba@fqdn
  
   In the [domain], [sssd] and [nss] sections of the config file.
  
   What's the right syntax?  Do I need it in every section?
  
  Is it a local group or a central group?

 Where Dmitri's question is headed is that if dba is a local group (aka
 stored in /etc/passwd), then the SSSD should be queried at all.
   ^^^
 /etc/group obviously

I figured. :)

The group dba is stored in IPA.  Here's a funny thing, though (short rundown):

Installed RHEL 6.3 on the Satellite server, joined it to the domain.

Try to install Satellite: get "Could not install database."

I try to filter out the group in IPA, try to install Satellite, get:
"The group 'dba' should exist."  This makes me think that the filter
is doing every dba, not just dba on the IPA server.

I removed the Satellite server from IPA (ipa-client-install
--uninstall) and I get the same message ("dba should exist").

Fun stuff.

Now I'm re-installing RHEL so I can start from scratch, and I'll
attempt to install Satellite without joining it to the domain.  I'm
not fond of this option -- I don't want to have stand-alone machines
that I have to manage separately, that's why I installed IPA in the
first place.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Mon, Dec 17, 2012 at 3:03 PM, Dmitri Pal d...@redhat.com wrote:
 On 12/17/2012 03:11 PM, KodaK wrote:
 I'm attempting to install Satellite in my IPA domain.  There is a
 ridiculous requirement that the group dba must not already exist
 prior to installing.  Red Hat support wanted me to *remove* the DBA
 group and then install.

 Anyway, I'm trying to play around with filter_groups in sssd, and I
 can't seem to get it to take.  The man page isn't exactly clear, but
 here's what I've tried:

 filter_groups = dba
 filter_groups= dba@fqdn

 In the [domain], [sssd] and [nss] sections of the config file.

 What's the right syntax?  Do I need it in every section?

 Is it a local group or a central group?

Central group, in IPA.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
 On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
  On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
  On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
   On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.
   
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:
   
filter_groups = dba
filter_groups= dba@fqdn
   
In the [domain], [sssd] and [nss] sections of the config file.
   
What's the right syntax?  Do I need it in every section?
   
   Is it a local group or a central group?
 
  Where Dmitri's question is headed is that if dba is a local group (aka
  stored in /etc/passwd), then the SSSD should be queried at all.
^^^
  /etc/group obviously
 
 I figured. :)
 
 The group dba is stored in IPA.  Here's a funny thing, though (short 
 rundown):
 
 Installed RHEL 6.3 on Satelite server, joined it to the domain.
 
 Try to install Satellite: get the Could not install database.
 
 I try to filter out the group in IPA, try to install Satellite, get:
 The group 'dba' should exist.  This makes me think that the filter
 is doing every dba not just dba on the IPA server.
 
 I removed the Satellite server from IPA (ipa-client-install
 --uninstall) and I get the same message (dba should exist.)
 
 Fun stuff.
 

Unless you wiped out the machine completely, do you know if:

$ getent group -s sss dba

Returned the group or not?

I wouldn't be surprised if the installer tools checked the files directly.

 Now I'm re-installing RHEL so I can start from scratch, and I'll
 attempt to install Satellite without joining it to the domain.  I'm
 not fond of this option -- I don't want to have stand-alone machines
 that I have to manage separately, that's why I installed IPA in the
 first place.



Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
 On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
  On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
  On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
   On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.
   
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:
   
filter_groups = dba
filter_groups= dba@fqdn
   
In the [domain], [sssd] and [nss] sections of the config file.
   
What's the right syntax?  Do I need it in every section?
   
   Is it a local group or a central group?
 
  Where Dmitri's question is headed is that if dba is a local group (aka
  stored in /etc/passwd), then the SSSD should be queried at all.
^^^
  /etc/group obviously

 I figured. :)

 The group dba is stored in IPA.  Here's a funny thing, though (short 
 rundown):

 Installed RHEL 6.3 on Satelite server, joined it to the domain.

 Try to install Satellite: get the Could not install database.

 I try to filter out the group in IPA, try to install Satellite, get:
 The group 'dba' should exist.  This makes me think that the filter
 is doing every dba not just dba on the IPA server.

 I removed the Satellite server from IPA (ipa-client-install
 --uninstall) and I get the same message (dba should exist.)

 Fun stuff.


 Unless you wiped out the machine completely, do you know if:

 $ getent group -s sss dba

 Returned the group or not?

 I wouldn't be surprised if the installer tools checked the files directly..

I did wipe it out, but I do know that getent group dba returned the
IPA group *before* I put in the filter, I stupidly didn't check after.

I'm in the middle of re-installing the OS now on the VM, we'll see how
it goes.  Red Hat says they got it to work in their lab with an IPA
controlled Oracle user and dba group.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-18 Thread Dmitri Pal
On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
 On Tue, December 18, 2012 08:28, Johan Petersson wrote:
 Hi,


 We are implementing IPA Server and are going to need to be able to 
 authenticate properly with a
 number of Solaris 11 servers. I have browsed the archives and found a few 
 threads mentioning some
 problems with Solaris 11 and IPA Server. Does anyone know if the issues have 
 been solved?


 I don't think there are any problems with Solaris 11, except that nobody has yet
 sat down and figured out how to configure it as an IPA client.

 I had a go at it a while ago (some of the posts you've probably found), and
 found that there were enough differences in the LDAP/Kerberos client between
 Solaris 10 and Solaris 11 to keep it from working with the setup guide I've
 created for Solaris 10. Further investigation was needed to find out how to
 configure Solaris 11 as an IPA client.

 I've not looked into this further as we do not use Solaris 11 yet.

 I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.



 Regards,
 Siggi




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





[Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread Andre Rodrigues
Hi all,
I'm testing AD trust following this how to:
http://www.freeipa.org/page/IPAv3_testing_AD_trust
but when I set ipa dnszone-add I get this:
[root@m ~] ipa dnszone-add AD.DOMAIN --name-server=AD.NAME
--admin-email=MY.EMAIL --force --forwarder=AD.IP --forward-policy=only
ipa: ERROR: unable to parse cookie header
'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly': unable
to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'

and when I set ipa trust-add I get the following error:
[root@m ~] ipa trust-add --type=ad AD.DOMAIN --admin Adminstrator
--password
Active directory domain administrator's password:
ipa: ERROR: unable to parse cookie header
'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly': unable
to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
  Make sure you have installed server-trust-ad
sub-package of IPA

but I have the server-trust-ad installed:

[root@m ~]# rpm -qa | grep freeipa
freeipa-client-3.1.0-1.fc18.x86_64
freeipa-server-3.1.0-1.fc18.x86_64
freeipa-python-3.1.0-1.fc18.x86_64
freeipa-server-strict-3.1.0-1.fc18.x86_64
freeipa-server-trust-ad-3.1.0-1.fc18.x86_64
freeipa-admintools-3.1.0-1.fc18.x86_64
freeipa-server-selinux-3.1.0-1.fc18.x86_64


so... any ideas?

[Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Hi all,

  Is the backup and restore procedure for IPA available now? It was rumored 
months back that someone was working on it, but I'm not sure what the progress 
is on it. Please shed some light if you have any ideas. 

 I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.

Thanks.
David

Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread Dmitri Pal
On 12/18/2012 01:39 PM, David Copperfield wrote:
 Hi all,

   Is the backup and restore procedure for IPA available now? It was
 rumored months back that someone was working on it, but I'm not sure what
 the progress is on it. Please shed some light if you have any ideas.

  I'm running the default latest 2.2.0 IPA on Redhat/Centos 6.3.


Yes there is a simmering effort. But there are unfortunately no results
we can share yet.


 Thanks.
 David




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread David Copperfield
Got it.

 Are there any IPA resources on the market we can hire for a backup/restoration 
solution? Our company is in the Bay Area. Thanks.

--David






Re: [Freeipa-users] Backup and Restore procedures for IPA 2.2.0?

2012-12-18 Thread Steven Jones
Hi,

As in a backup software client that can talk to the IPA instance? I'm not aware 
of one.

What I do is dump userroot to LDIF every so often, before and after I do 
patching or any significant change. I do so on at least 2 of the 3 IPA 
masters with:

/var/lib/dirsrv/scripts-ODS-VUW-AC-NZ/db2ldif.pl -D "cn=directory manager" -w - -n userroot -a /var/lib/dirsrv/slapd-ODS-VUW-AC-NZ/bak/userroot.`/bin/date +%Y%m%d%H%M`.ldif

I have recovered using this as well.

(oh joy!)

I also have a proven method to swap the CA cert function to another server, i.e. 
promote a replica; I actually did it 3 weeks ago!


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread John Dennis

On 12/18/2012 01:26 PM, Andre Rodrigues wrote:

Hi all,
I'm testing AD trust following this how to:
http://www.freeipa.org/page/IPAv3_testing_AD_trust
but when I set ipa dnszone-add I get this:
[root@m ~] ipa dnszone-add AD.DOMAIN --name-server=AD.NAME
--admin-email=MY.EMAIL --force --forwarder=AD.IP
--forward-policy=only
ipa: ERROR: unable to parse cookie header
'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'


This is an error message from something I wrote. I can't explain why it 
can't parse the expires cookie attribute because using the value cited 
in the error message it parses just fine. The only thing I can think of 
is that the time module was not imported in cookie.py, but in my copy of 
the file it is imported.


However one thing I did immediately notice, the cookie has 
Domain=IPA.DOMAIN, that's not valid, it's supposed to be a FQDN. What 
is the value of xmlrpc_uri in your /etc/ipa/default.conf?




and when I set ipa trust-add I get the following error:
[root@m ~] ipa trust-add --type=ad AD.DOMAIN --admin Adminstrator
--password
Active directory domain administrator's password:
ipa: ERROR: unable to parse cookie header
'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'


Sorry, someone else will have to help you with the below:


ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
   Make sure you have installed
server-trust-ad sub-package of IPA

but I have the server-trust-ad installed:

-- 
John Dennis jden...@redhat.com


Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread Sumit Bose
On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:
 On 12/18/2012 01:26 PM, Andre Rodrigues wrote:
 Hi all,
 I'm testing AD trust following this how to:
 http://www.freeipa.org/page/IPAv3_testing_AD_trust
 but when I set ipa dnszone-add I get this:
 [root@m ~] ipa dnszone-add AD.DOMAIN --name-server=AD.NAME
 --admin-email=MY.EMAIL --force --forwarder=AD.IP
 --forward-policy=only
 ipa: ERROR: unable to parse cookie header
 'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN;
 Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
 unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'
 
 This is an error message from something I wrote. I can't explain why
 it can't parse the expires cookie attribute because using the value
 cited in the error message it parses just fine. The only thing I can
 think of is that the time module was not imported in cookie.py, but
 in my copy of the file it is imported.
 
 However one thing I did immediately notice, the cookie has
 Domain=IPA.DOMAIN, that's not valid, it's supposed to be a FQDN.
 What is the value of xmlrpc_uri in your /etc/ipa/default.conf?
 
 
 and when I set ipa trust-add I get the following error:
 [root@m ~] ipa trust-add --type=ad AD.DOMAIN --admin Adminstrator
 --password
 Active directory domain administrator's password:
 ipa: ERROR: unable to parse cookie header
 'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=IPA.DOMAIN;
 Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
 unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'
 
 Sorry, someone else will have to help you with the below:

I guess this error message is just triggered by the cookie error.

bye,
Sumit

 
 ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
Make sure you have installed
 server-trust-ad sub-package of IPA
 
 but I have the server-trust-ad installed:
 
 -- 
 John Dennis jden...@redhat.com


Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Sigbjorn Lie

On 12/18/2012 06:24 AM, Johan Petersson wrote:

Hi,

Unfortunately I still get the same error from the Appliance even after having 
added both host and nfs principals in the IPA web interface.

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
  43787522 (Operation requires ``add'' privilege)

I get the impression that the Appliance does not recognize existing principals 
since I still get the same "create principal" error.
So it seems that it does not cope with pre-existing principals, at least not 
from IPA Server.
I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.


We have these ZFS Storage Appliances at work too. There is a way to 
access the root shell of the ZFS Storage Appliance. It's been a long 
time since I've done it, but a quick googling turned up this:

http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the scp command still exists when you get access to the 
shell of the Solaris OS, so you can copy the pre-created keytab into 
/etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS 
server and the NFS server. This file will already contain the keytab for 
the CIFS/SMB service if you have already joined the ZFS Storage 
Appliance to AD. In that case, copy the pre-created keytab from IPA into 
/etc/krb5/krb5.keytab-IPA, and use ktutil to merge the two files together.

I see I've kept the keytab from my AD in the beginning of the file and 
added the keytab from IPA to the end of the file. I do recall there 
being some significance to doing it this way.


I've written this howto for NexentaStor a while back. Perhaps this will 
be of some assistance to complete the configuration of the ZFS Storage 
Appliance too?


https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.



Regards,
Siggi


Re: [Freeipa-users] testing AD trust on Fedora 18

2012-12-18 Thread John Dennis

On 12/18/2012 03:30 PM, Sumit Bose wrote:

On Tue, Dec 18, 2012 at 03:16:47PM -0500, John Dennis wrote:

On 12/18/2012 01:26 PM, Andre Rodrigues wrote:

Hi all,
I'm testing AD trust following this how to:
http://www.freeipa.org/page/IPAv3_testing_AD_trust
but when I set ipa dnszone-add I get this:
[root@m ~] ipa dnszone-add AD.DOMAIN --name-server=AD.NAME
--admin-email=MY.EMAIL --force --forwarder=AD.IP
--forward-policy=only
ipa: ERROR: unable to parse cookie header
'ipa_session=f963e8e4006fdcd79e1a2a5a989b4d01; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Thu, 18 Dec 2012 13:54:33 GMT; Secure; HttpOnly':
unable to parse expires datetime 'Thu, 18 Dec 2012 13:54:33'


This is an error message from something I wrote. I can't explain why
it can't parse the expires cookie attribute because using the value
cited in the error message it parses just fine. The only thing I can
think of is that the time module was not imported in cookie.py, but
in my copy of the file it is imported.

However one thing I did immediately notice, the cookie has
Domain=IPA.DOMAIN, that's not valid, it's supposed to be a FQDN.
What is the value of xmlrpc_uri in your /etc/ipa/default.conf?



and when I set ipa trust-add I get the following error:
[root@m ~] ipa trust-add --type=ad AD.DOMAIN --admin Adminstrator
--password
Active directory domain administrator's password:
ipa: ERROR: unable to parse cookie header
'ipa_session=7d6aeb2c92ff3197a9d3c04421f6ba15; Domain=IPA.DOMAIN;
Path=/ipa; Expires=Tue, 18 Dec 2012 18:32:05 GMT; Secure; HttpOnly':
unable to parse expires datetime 'Tue, 18 Dec 2012 18:32:05'


Sorry, someone else will have to help you with the below:


I guess this error message is just triggered by the cookie error.


In theory no, the inability to process a cookie should do nothing other 
than log the fact, everything else should proceed as normal (without 
cookies you just get slower performance, but it should continue to work).


However, the values in the cookie show something is very wrong with the 
configuration.


Please provide the contents of /etc/ipa/default.conf.

Do you have a .ipa/default.conf file set? If so that overrides the 
values in /etc/ipa/default.conf. If you have that as well please provide 
that as well.


Adding verbose debugging information will help. Add the -d option to the 
ipa command to turn on debug level information and capture the output. 
Those messages will help us diagnose the problem.




bye,
Sumit




ipa: ERROR: Cannot perform join operation without Samba 4 support installed.
   Make sure you have installed
server-trust-ad sub-package of IPA

but I have the server-trust-ad installed:

--
John Dennis jden...@redhat.com


Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread KodaK
On Tue, Dec 18, 2012 at 10:38 AM, KodaK sako...@gmail.com wrote:
 On Tue, Dec 18, 2012 at 9:17 AM, Jakub Hrozek jhro...@redhat.com wrote:
 On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote:
 On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote:
  On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote:
  On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote:
   On 12/17/2012 03:11 PM, KodaK wrote:
I'm attempting to install Satellite in my IPA domain.  There is a
ridiculous requirement that the group dba must not already exist
prior to installing.  Red Hat support wanted me to *remove* the DBA
group and then install.
   
Anyway, I'm trying to play around with filter_groups in sssd, and I
can't seem to get it to take.  The man page isn't exactly clear, but
here's what I've tried:
   
filter_groups = dba
filter_groups= dba@fqdn
   
In the [domain], [sssd] and [nss] sections of the config file.
   
What's the right syntax?  Do I need it in every section?
   
   Is it a local group or a central group?
 
  Where Dmitri's question is headed is that if dba is a local group (aka
  stored in /etc/passwd), then the SSSD should be queried at all.
^^^
  /etc/group obviously

 I figured. :)

 The group dba is stored in IPA.  Here's a funny thing, though (short 
 rundown):

 Installed RHEL 6.3 on Satellite server, joined it to the domain.

 Try to install Satellite: get the Could not install database.

 I try to filter out the group in IPA, try to install Satellite, get:
 The group 'dba' should exist.  This makes me think that the filter
 is doing every dba not just dba on the IPA server.

 I removed the Satellite server from IPA (ipa-client-install
 --uninstall) and I get the same message (dba should exist.)

 Fun stuff.


 Unless you wiped out the machine completely, do you know if:

 $ getent group -s sss dba

 Returned the group or not?

 I wouldn't be surprised if the installer tools checked the files directly..

 I did wipe it out, but I do know that getent group dba returned the
 IPA group *before* I put in the filter, I stupidly didn't check after.

 I'm in the middle of re-installing the OS now on the VM, we'll see how
 it goes.  Red Hat says they got it to work in their lab with an IPA
 controlled Oracle user and dba group.


So, in case anyone else ever runs into this, this is what I had to do
to get around the problem:

First, maybe I missed it, but I don't see any recommendation in the
documentation that the user oracle and dba *must* exist before you
start the install.  Combine that with the fact that the suggestion I
got from support that the dba group can't exist and you have the
recipe that had me going down the wrong path for quite some time.
This had nothing to do with IPA at all, really.

The answer, which like most is incredibly simple, was to create a
local oracle user and dba group, overriding the dba group in IPA.
After that the install went fine(ish.)

--Jason



Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance host and nfs principals and keys to IPA/Free IPA.

2012-12-18 Thread Johan Petersson
I pursued that idea myself earlier but when getting the huge warranty void 
message when accessing a shell + that the file system was read-only I gave up.
I will definitely look at it again and read the information you provided, thank 
you for your help.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Tuesday, December 18, 2012 21:48
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problem generating Oracle ZFS Storage Appliance 
host and nfs principals and keys to IPA/Free IPA.

On 12/18/2012 06:24 AM, Johan Petersson wrote:

Hi,

Unfortunately I still get the same error from the Appliance even after having 
added both host and nfs principals in the IPA web interface.

failed to create principal 'host/zfs1.home@HOME': libkadm5clnt error:
 43787522 (Operation requires ``add'' privilege)

I get the impression that the Appliance does not recognize existing principals 
since I still get the same create principal error.
So it seems that it does not cope with pre-existing principals, at least not 
from IPA Server.
I will contact Oracle about this issue and see what they say.

Thank you for your help,
Johan.

We have these ZFS Storage Appliances at work too. There is a way to access the 
root shell of the ZFS Storage Appliance. It's been a long time since I've done 
it, but a quick googling turned up this:

http://weblogs.java.net/blog/kohsuke/archive/2009/01/under_the_hood.html

Hopefully the scp command still exists when you get access to the shell of 
the Solaris OS, so you can copy the pre-created keytab into 
/etc/krb5/krb5.keytab.

CAUTION! The /etc/krb5/krb5.keytab is by default shared between the CIFS server 
and the NFS server. This file will already contain the keytab for the CIFS/SMB 
service if you have already joined the ZFS Storage Appliance to AD. In which 
case copy the pre-created keytab from IPA into /etc/krb5/krb5.keytab-IPA, and 
use ktutil to merge the two files together.

I see I've kept the keytab from my AD in the beginning of the file and added 
the keytab from IPA to the end of the file. I do recall there being some 
significance to doing it this way.

I've written this howto for NexentaStor a while back. Perhaps this will be of 
some assistance to complete the configuration of the ZFS Storage Appliance too?

https://www.redhat.com/archives/freeipa-users/2011-July/msg00033.html

Please let me know how you get on.



Regards,
Siggi
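The keytab merge Siggi describes (AD entries first, IPA entries appended), as an added example that is not part of the thread. It assumes MIT ktutil/klist on the appliance; the file paths, the AD realm and the cifs/ principal name are illustrative placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Merges the IPA keytab into the
# appliance keytab that already holds the AD/CIFS keys, keeping the AD
# entries first, then verifies the merged file lists every expected principal.
# Assumes MIT ktutil and klist; paths and realm names are placeholders.

# Emit the ktutil command script. The order of the rkt lines decides the
# order of the entries in the written keytab (AD first, IPA appended).
ktutil_merge_script() {
    printf 'rkt %s\nrkt %s\nwkt %s\nquit\n' "$1" "$2" "$3"
}

# Run the merge into a new file so the live keytab is only replaced once
# the result has been checked. Returns 1 if either input is unreadable.
merge_keytabs() {
    ad_keytab=$1; ipa_keytab=$2; merged=$3
    [ -r "$ad_keytab" ] && [ -r "$ipa_keytab" ] || return 1
    ktutil_merge_script "$ad_keytab" "$ipa_keytab" "$merged" | ktutil >/dev/null
}

# Read 'klist -k' output on stdin and return 0 only if every principal given
# as an argument is listed. Entry lines look like '   1 host/zfs1.home@HOME'.
principals_present() {
    listing=$(cat)
    for p in "$@"; do
        printf '%s\n' "$listing" |
            awk -v want="$p" '$2 == want { found = 1 } END { exit !found }' ||
            return 1
    done
    return 0
}

# Typical use on the appliance after scp'ing the IPA keytab in (placeholders):
#   merge_keytabs /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab-IPA \
#                 /etc/krb5/krb5.keytab.new
#   klist -k /etc/krb5/krb5.keytab.new | principals_present \
#       cifs/zfs1.home@AD.EXAMPLE host/zfs1.home@HOME nfs/zfs1.home@HOME
```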
