Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-04-01 Thread Pekka . Panula
> From: Dmitri Pal 
> >> I also want my AD users (from the IPA trust) to log in through ssh, but
> >> afaik this seems to have some older SSSD version and the same configuration
> >> options that work with the CentOS 6 ipa-client won't work with CentOS 5.
> >>
> >> So what should I modify so that I can log in to my CentOS 5 machine, that I can
> >> log in AD trust users from IPA? Is there a newer SSSD daemon available for
> >> CentOS 5?
> >>
> > No, it is not and it would be quite hard to build it, I think. You'd
> > need pretty recent version of Kerberos to support the PAC responder that
> > handles users coming via trusts for instance.
> 
> Yes this is quite a problem with the current solution.

Are there any guides for RHEL 5.x/CentOS 5.x when using IPA and that same
system also needs AD user logins enabled? Should we just enable some PAM
module and all works if SSSD/IPA is also used?

> But we are looking for some ways to mitigate that.
> Question for you about the older systems:
> 
> What would you prefer: those systems pointing to IPA and IPA having a
> way to serve account and authentication or point them directly to AD?
> Do you require kerberos authentication and SSO from those machines or
> simple LDAP authentication is OK?
> Do you have a requirement for all the authentications to actually happen
> in AD for audit purposes or they can happen in IPA when users come from
> the old clients and in AD with trusts when users access newer clients?
> 
> Thanks for the input!
> 
> Dmitri

For me, it would be good if all comes from (through) IPA, but that's not
a requirement for me.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-04-01 Thread Pekka . Panula
Rob Crittenden  wrote on 29.03.2013 01:09:49:

> >  > Anyhow, you can override the shell on the client using the
> >  > override_shell directive of sssd.conf. Simply put it into the domain
> >  > section and restart the SSSD.
> >
> > Thanks for that tip, will try that one.
> 
> Let me also note that changing the default shell doesn't change the 
> shell for any existing users (not entirely sure how this applies to 
> trust users, it might get particularly wonky on different machines as 
> each machine's sssd cache could have a different shell).

It worked when I put override_shell in the [nss] section.
If I recall right, it did not work when it was in the [domain/domain.com]
section.

Not worrying me if it forces all to bash, because we all use only it.

BTW: is there any place where I can submit feature requests, e.g. a default
shell IPA configuration to be used with AD trust users also.

Regards,
 Pekka Panula

Re: [Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Finally it worked. It must have been some configuration issue at my end. I
spun up fresh VMs, followed the steps again and it worked like a cake.

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_IPA_Replicas.html


Thank you so much for all help.


On Monday, April 1, 2013, Chandan Kumar wrote:

> Thanks for the prompt response. I was wrong in mentioning that krb is not
> running on the UDP port; it is running.
>
> Now this time, I did not specify --skip-conncheck and ended up with the same
> error. I could see ldap requests reaching the primary IPA server from the
> secondary (both from tshark and the directory server logs).
>
> #ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>
> (I tried with/without --setup-ca, got the same result)
>
> I have pasted the directory server (primary ipa01 machine) logs in the
> pastebin below
>
> http://pastebin.com/HxAwMiDw
>
> And replication logs (on the replica ipa02 machine)
>
> http://pastebin.com/QNNRVw2k.
>
> I am not using IPA server for DNS, I have separate DNS server and both
> host names are getting resolved.
>
> Connection with ldap search command.
>
> It appears that it is not able to connect on the secure port (this could be the
> reason)
>
> #ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
> Enter LDAP Password:
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> -
> Works perfectly on the non-secure port
>
> # ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> -
>
> I was under the impression that ipa-replica-install does the SSL stuff; maybe
> I am wrong.
>
> Thanks
> Chandan
>
> On Monday, April 1, 2013, Rob Crittenden wrote:
>
>> Chandan Kumar wrote:
>>
>>> Hello,
>>>
>>> I am new to FreeIPA; so far I have set up the server and a few test clients,
>>> and all went really smooth. However, I am having a hard time setting up the
>>> replication and any help will be great!
>>>
>>> I am using CentOS 6.4. Package info:
>>>
>>> ipa-server-3.0.0-26.el6_4.2.x86_64
>>> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>>>
>>> I followed the steps mentioned in
>>>
>>> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html
>>>
>>
>> FYI, these are very out-of-date.
>>
>>> When I try to set up the replica with the replica prepare file from the
>>> master with --skip-conncheck (because krb is not running on UDP
>>> ports)
>>>
>>
>> I don't understand, you got an error about KRB not running on the UDP
>> ports?
>>
>>> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>>> --skip-conncheck.
>>>
>>> At the end I get the error below
>>>
>>> -----
>>>[22/31]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> [ipa01.ma.net ] reports: Update failed! Status: [-1
>>>   - LDAP error: Can't contact LDAP server]
>>>
>>
>> Well, something is blocking the connection, or the server on ipa01 isn't
>> running. This is a really low-level networking error.
>>
>>
>>> I also found a similar error reported while setting up ipa on Fedora 18 at
>>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>>>
>>> But could not find its resolution.
>>>
>>
>> We never heard back from the user. You're saying you see the same error?
>>
>>> I am able to connect to the 389/636 port from the slave. Firewall is off
>>> on both ends and hostnames resolve properly.
>>>
>>
>> On ipa02 you might try:
>>
>> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
>>
>> You might also try wireshark to monitor the connection request.
>>
>> rob
>>
>
>
> --
>
> --
> http://about.me/chandank
>
>

-- 

--
http://about.me/chandank

[Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Thanks for the prompt response. I was wrong in mentioning that krb is not
running on the UDP port; it is running.

Now this time, I did not specify --skip-conncheck and ended up with the same
error. I could see ldap requests reaching the primary IPA server from the
secondary (both from tshark and the directory server logs).

#ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa02.ma.net.gpg

(I tried with/without --setup-ca, got the same result)

I have pasted the directory server (primary ipa01 machine) logs in the
pastebin below

http://pastebin.com/HxAwMiDw

And replication logs (on the replica ipa02 machine)

http://pastebin.com/QNNRVw2k.

I am not using IPA server for DNS, I have separate DNS server and both host
names are getting resolved.

Connection with ldap search command.

It appears that it is not able to connect on the secure port (this could be the
reason)

#ldapsearch -x -D "cn=Directory Manager" -W -H ldaps://ipa01.ma.net
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

-
Works perfectly on the non-secure port

# ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ipa01.ma.net
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

-

I was under the impression that ipa-replica-install does the SSL stuff; maybe
I am wrong.

Thanks
Chandan

On Monday, April 1, 2013, Rob Crittenden wrote:

> Chandan Kumar wrote:
>
>> Hello,
>>
>> I am new to FreeIPA; so far I have set up the server and a few test clients,
>> and all went really smooth. However, I am having a hard time setting up the
>> replication and any help will be great!
>>
>> I am using CentOS 6.4. Package info:
>>
>> ipa-server-3.0.0-26.el6_4.2.x86_64
>> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>>
>> I followed the steps mentioned in
>>
>> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html
>>
>
> FYI, these are very out-of-date.
>
>> When I try to set up the replica with the replica prepare file from the
>> master with --skip-conncheck (because krb is not running on UDP ports)
>>
>
> I don't understand, you got an error about KRB not running on the UDP
> ports?
>
>> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
>> --skip-conncheck.
>>
>> At the end I get the error below
>>
>> -----
>>[22/31]: setting up initial replication
>> Starting replication, please wait until this has completed.
>> [ipa01.ma.net ] reports: Update failed! Status: [-1
>>   - LDAP error: Can't contact LDAP server]
>>
>
> Well, something is blocking the connection, or the server on ipa01 isn't
> running. This is a really low-level networking error.
>
>
>> I also found a similar error reported while setting up ipa on Fedora 18 at
>> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>>
>> But could not find its resolution.
>>
>
> We never heard back from the user. You're saying you see the same error?
>
>> I am able to connect to the 389/636 port from the slave. Firewall is off
>> on both ends and hostnames resolve properly.
>>
>
> On ipa02 you might try:
>
> $ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts
>
> You might also try wireshark to monitor the connection request.
>
> rob
>


-- 

--
http://about.me/chandank
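A small probe, added here as an example and not part of the thread or of FreeIPA, that separates the two cases behind the ldapsearch results above (ldap:// on 389 answers, ldaps:// gives "Can't contact LDAP server"): the TLS port refusing TCP outright versus accepting TCP but never completing a handshake. The host name ipa01.ma.net is taken from the thread; the FINDINGS wording is my own reading of what each outcome means for ipa-replica-install.

```python
"""Probe an IPA master's LDAP (389) and LDAPS (636) listeners separately, so that
'port closed' can be told apart from 'port open but no TLS handshake'."""
import socket
import ssl

LDAP_PORT, LDAPS_PORT = 389, 636

FINDINGS = {  # what each diagnose() code means for the replica install
    "ok": "both listeners answer; look elsewhere (DNS, credentials, replica file)",
    "ldap-down": "plain port unreachable: directory server not running or firewalled",
    "ldaps-no-listener": "plain port fine but TLS port refused: LDAPS not enabled on the master",
    "ldaps-no-tls": "TLS port accepts TCP but the handshake fails: wrong service or broken TLS setup",
    "ldaps-unreachable": "TLS port filtered: something drops 636 while 389 passes",
}

def probe_tcp(host, port, timeout=3.0):
    """Bare TCP connect: 'open', 'refused' or 'unreachable' (timeout / no route)."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def probe_tls(host, port, timeout=3.0):
    """TCP connect plus TLS handshake. Certificate verification is disabled on
    purpose: the question is whether a TLS listener exists, not whether it is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-ok"
    except (ssl.SSLError, ConnectionResetError, socket.timeout):
        return "tls-failed"  # peer spoke something other than TLS, or hung up
    finally:
        raw.close()

def diagnose(host, ldap_port=LDAP_PORT, ldaps_port=LDAPS_PORT, timeout=3.0):
    """Return one FINDINGS code for the master the replica is trying to reach."""
    if probe_tcp(host, ldap_port, timeout) != "open":
        return "ldap-down"
    secure = probe_tls(host, ldaps_port, timeout)
    return {"tls-ok": "ok", "refused": "ldaps-no-listener",
            "tls-failed": "ldaps-no-tls"}.get(secure, "ldaps-unreachable")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa01.ma.net"  # master from the thread
    code = diagnose(host)
    print(f"{host}: {code} - {FINDINGS[code]}")
```

Run it from the replica (ipa02 in the thread) against the master; a result other than "ok" is the layer to fix before re-running ipa-replica-install.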

Re: [Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Rob Crittenden

Chandan Kumar wrote:

> Hello,
>
> I am new to FreeIPA; so far I have set up the server and a few test clients,
> and all went really smooth. However, I am having a hard time setting up the
> replication and any help will be great!
>
> I am using CentOS 6.4. Package info:
>
> ipa-server-3.0.0-26.el6_4.2.x86_64
> 389-ds-base-1.2.11.15-12.el6_4.x86_64
>
> I followed the steps mentioned in
>
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

FYI, these are very out-of-date.

> When I try to set up the replica with the replica prepare file from the
> master with --skip-conncheck (because krb is not running on UDP ports)

I don't understand, you got an error about KRB not running on the UDP ports?

> ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
> --skip-conncheck.
>
> At the end I get the error below
>
> -----
>    [22/31]: setting up initial replication
> Starting replication, please wait until this has completed.
> [ipa01.ma.net ] reports: Update failed! Status: [-1
>   - LDAP error: Can't contact LDAP server]

Well, something is blocking the connection, or the server on ipa01 isn't 
running. This is a really low-level networking error.

> I also found a similar error reported while setting up ipa on Fedora 18 at
> https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html
>
> But could not find its resolution.

We never heard back from the user. You're saying you see the same error?

> I am able to connect to the 389/636 port from the slave. Firewall is off
> on both ends and hostnames resolve properly.

On ipa02 you might try:

$ ldapsearch -x -H ldap://ipa01.ma.net -s base -b '' namingContexts

You might also try wireshark to monitor the connection request.

rob



[Freeipa-users] Issue while setting up Replication

2013-04-01 Thread Chandan Kumar
Hello,

I am new to FreeIPA; so far I have set up the server and a few test clients,
and all went really smooth. However, I am having a hard time setting up the
replication and any help will be great!

I am using CentOS 6.4. Package info:

ipa-server-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64

I followed the steps mentioned in

http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/chap-Installation_and_Deployment_Guide-Setting_up_Multi_Master_Replication.html

When I try to set up the replica with the replica prepare file from the
master with --skip-conncheck (because krb is not running on UDP ports)

ipa-replica-install /var/lib/ipa/replica-info-ipa02.ma.net.gpg
--skip-conncheck.

At the end I get the error below

-
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa01.ma.net] reports: Update failed! Status: [-1  - LDAP error: Can't contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication
---
On the log file
---

2013-04-01T16:25:53Z DEBUG retrieving schema for SchemaCache url=ldaps://
ipa01.ma.net:636 conn
=
2013-04-01T16:25:54Z INFO   File
"/usr/lib/python2.6/site-packages/ipaserver/install/installut
ils.py", line 614, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 473, in main
ds = install_replica_ds(config)

  File "/usr/sbin/ipa-replica-install", line 150, in install_replica_ds
pkcs12_info)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
line 300, in create_replica
self.start_creation(runtime=60)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",
line 358, in start_creation
method()
:
  File "/usr/lib/python2.6/site-packages/ipaserver/install/dsinstance.py",
line 313, in __setup_replica
r_bindpw=self.dm_password)

  File "/usr/lib/python2.6/site-packages/ipaserver/install/replication.py",
line 865, in setup_replication
raise RuntimeError("Failed to start replication")

2013-04-01T16:25:54Z INFO The ipa-replica-install command failed,
exception: RuntimeError: Failed to start replication



I also found a similar error reported while setting up ipa on Fedora 18 at
https://www.redhat.com/archives/freeipa-users/2013-February/msg00440.html

But could not find its resolution.

I am able to connect to the 389/636 port from the slave. Firewall is off on
both ends and hostnames resolve properly.



Thanks





-- 

--
http://about.me/chandank