[Freeipa-users] Help troubleshooting migrate-ds
Hi there!

In a freshly installed FreeIPA server, I try:

    # ipa migrate-ds
    LDAP URI: ldaps://ldap.example.com
    Contraseña:
    ipa: ERROR: no es posible conectar con u'ldaps://ldap.example.com': LDAP Server Down

This is a related line I found in the logfile:

    [Fri May 03 12:30:53 2013] [error] ipa: INFO: ad...@example.com: migrate_ds(u'ldaps://ldap.example.com', u'', binddn=u'cn=admin,dc=example,dc=com', usercontainer=u'ou=example,ou=users', groupcontainer=u'ou=example,ou=groups', userobjectclass=(u'person',), groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), userignoreobjectclass=None, userignoreattribute=None, groupignoreobjectclass=None, groupignoreattribute=None, groupoverwritegid=False, schema=u'RFC2307bis', continue=False, basedn=u'ou=cuentas,dc=example,dc=com', compat=False, exclude_groups=None, exclude_users=None): NetworkError

Am I missing something? Are there some prerequisites in the DNS server for this to work?

Of course, the IPA server has full network contact with the LDAP server (tcp/636); I see some packets when running tcpdump on the LDAP server.

Is there a way to get a more verbose log output of what is going on?

Best regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Hey Pavel/guys

Any luck recreating the problem?

Thx for the help

Aly

Thanks Pavel,

Very much appreciated

Aly

On Tue, Apr 30, 2013 at 1:41 PM, Pavel Brezina pbrez...@redhat.com wrote:

- Original Message -
From: Pavel Březina pbrez...@redhat.com
To: Aly Khimji aly.khi...@gmail.com
Cc: freeipa-users@redhat.com
Sent: Monday, April 29, 2013 9:11:25 PM
Subject: Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

On 04/29/2013 08:31 PM, Aly Khimji wrote:

Hey Pavel/Guys,

Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However, it's reported as fixed but I am still having the same issue. I am building out a new test environment and I am also deploying a FC18 client which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.

Currently installed on my client:

    libsss_sudo-1.9.2-82.7.el6_4.x86_64
    sssd-client-1.9.2-82.7.el6_4.x86_64
    libsss_idmap-1.9.2-82.7.el6_4.x86_64
    libsss_autofs-1.9.2-82.el6.x86_64
    sssd-1.9.2-82.7.el6_4.x86_64

I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then sudo attempt.

Thx
Aly

Hi, I'm sorry for such a late answer. The logs say that at the time of using sudo, the user akhimji is not present in the cache, which should not happen if you managed to log in. I will try to reproduce the issue first thing tomorrow and let you know.

Hi, I'm sorry, I had some technical difficulties and didn't manage to get to it today. Will try it as soon as possible.
Re: [Freeipa-users] users account functionality
Sorry for my English. My doubt is about the user's functions.

For example, when I want to log in to the web site and I don't remember the pass, I click on a link, button... and I receive a mail with the instructions to reset the pass, or with a temporary pass that I must change...

The other functions are when the user wants to create an account and fills in a form with name, surname... and the admin receives a mail and activates the account. The same for deleting the account.

Does something already implemented exist, or do I have to do it? It is not a problem for me to do it, but it's better to use something already tested and working.

I hope my doubt is clearer now.

Thanks.

On 02/05/13 15:49, John Dennis wrote:

On 05/02/2013 04:42 AM, Juan Armario wrote:

Hi, I'm Juan and I'm building a FreeIPA application and need to know if it is possible to integrate a module, or if it is already developed, for the typical functionality when we want an authentication service for our users, like remember password, create users, and send an email for confirmation, or send an account delete request. We have installed the basic FreeIPA and we need to incorporate this functionality. Does this exist or do I have to implement it?

It's a little hard to understand exactly what you're looking to accomplish; for instance, what does remember password mean? It doesn't sound like what you're looking for requires adding a plugin module; rather, you're looking to add a front-end to IPA, which is easy to do with scripts. IPA is quite amenable to scripting because we provide a command line interface. You can either call the ipa command from a shell script or you can write your own Python scripts and invoke the IPA API directly. Be careful though, the type of operations you've described all require administrator privileges; it's not something a general user can do.
--
Juan Armario Muñoz
Departamento de Aplicaciones
Centro Informático Científico de Andalucía
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Avenida de la Reina Mercedes s/n
41012 - Sevilla (España)
Teléfono: (+34) 955.056.600
Email: juan.arma...@cica.es
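Added example, not part of the thread and not FreeIPA project code: a Python sketch of the front-end scripting John Dennis describes, building `ipa` command lines for the reset, signup, approval and deletion requests Juan lists. The function names, the validation patterns and the "create disabled, enable on approval" signup flow are assumptions; only the `ipa` subcommands and options are FreeIPA's own.

```python
import re
import subprocess

# Validation patterns are assumptions for this sketch. Each one also rejects
# values starting with "-", which the ipa CLI would otherwise read as options.
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")
NAME_RE = re.compile(r"[^\W\d_][\w .'-]{0,63}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check(pattern, value):
    if not pattern.fullmatch(value):
        raise ValueError("rejected form value: %r" % (value,))
    return value


def reset_argv(login):
    # An administrator-set password is expired on arrival, so the random
    # password works as the "temporary pass that I must change".
    return ["ipa", "user-mod", check(LOGIN_RE, login), "--random"]


def signup_argv(login, first, last, email):
    # Assumed flow: create the account, then disable it until an admin approves.
    login = check(LOGIN_RE, login)
    add = ["ipa", "user-add", login,
           "--first=" + check(NAME_RE, first),
           "--last=" + check(NAME_RE, last),
           "--email=" + check(EMAIL_RE, email)]
    return [add, ["ipa", "user-disable", login]]


def approve_argv(login):
    return ["ipa", "user-enable", check(LOGIN_RE, login)]


def delete_argv(login):
    return ["ipa", "user-del", check(LOGIN_RE, login)]


def run(argv, runner=subprocess.run):
    # argv list and no shell: form input is never parsed as shell syntax.
    # The calling process must hold an administrator's Kerberos ticket, so
    # these helpers are the only path from web form data to the ipa command.
    return runner(argv, check=True, capture_output=True, text=True)
```
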
[Freeipa-users] Upgrade Test Case
On Wed, 2013-05-01 at 14:20 -0400, Rob Crittenden wrote:

Dean Hunter wrote:

On Tue, 2013-04-30 at 20:55 +0300, Alexander Bokovoy wrote:

On Tue, 30 Apr 2013, Dean Hunter wrote:

I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild. I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case. Is an upgrade as trivial as pointing yum to a different set of repositories and updating?

Apart from general F18-F19 upgrade issues (if any), there is Kerberos change from 1.10 to 1.11 which brings change in KDC driver ABI. As result, you will need to restart KDC after upgrade.

Thank you. So I did this:

    # Upgrade to Fedora 19
    yum update yum
    yum clean all
    yum --releasever=19 distro-sync --nogpgcheck -y
    reboot

And I have a number of small issues not related to FreeIPA. Is Red Hat Bugzilla the best place to report them?

Yes, please do. If you want to let us know the BZ's you file we can cc ourselves as needed.

thanks!

rob

Here are the bug reports for the update of a Fedora 18 / Free IPA Server 3.1 to Fedora 19 / Free IPA Server 3.2:

https://bugzilla.redhat.com/show_bug.cgi?id=959488 selinux-policy-targeted
https://bugzilla.redhat.com/show_bug.cgi?id=959493 openssh
https://bugzilla.redhat.com/show_bug.cgi?id=959498 freeipa-server-selinux
Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO
Hi, I'm sorry, not yet. I have spent a significant amount of the last two days creating a trust environment but I had some trouble getting it to work. I'll get back to it on Monday.

- Original Message -
From: Aly Khimji aly.khi...@gmail.com
To: Pavel Březina pbrez...@redhat.com, freeipa-users@redhat.com
Sent: Friday, May 3, 2013 12:42:12 PM
Subject: Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

Hey Pavel/guys

Any luck recreating the problem?

Thx for the help

Aly

Thanks Pavel,

Very much appreciated

Aly

On Tue, Apr 30, 2013 at 1:41 PM, Pavel Brezina pbrez...@redhat.com wrote:

- Original Message -
From: Pavel Březina pbrez...@redhat.com
To: Aly Khimji aly.khi...@gmail.com
Cc: freeipa-users@redhat.com
Sent: Monday, April 29, 2013 9:11:25 PM
Subject: Re: [Freeipa-users] Issue IPA: AD Users and IPA Users when using SSS/LDAP with SUDO

On 04/29/2013 08:31 PM, Aly Khimji wrote:

Hey Pavel/Guys,

Do you see anything in the new logs that might help? I saw this bug https://bugzilla.redhat.com/show_bug.cgi?id=871160 that reports this issue exactly. However, it's reported as fixed but I am still having the same issue. I am building out a new test environment and I am also deploying a FC18 client which seems to have newer sssd/libsss_sudo packages that I suppose haven't made it upstream yet.

Currently installed on my client:

    libsss_sudo-1.9.2-82.7.el6_4.x86_64
    sssd-client-1.9.2-82.7.el6_4.x86_64
    libsss_idmap-1.9.2-82.7.el6_4.x86_64
    libsss_autofs-1.9.2-82.el6.x86_64
    sssd-1.9.2-82.7.el6_4.x86_64

I've increased the logging to 10, just in case it helps. Here is the sss_sudo log for a login, then sudo attempt.

Thx
Aly

Hi, I'm sorry for such a late answer. The logs say that at the time of using sudo, the user akhimji is not present in the cache, which should not happen if you managed to log in. I will try to reproduce the issue first thing tomorrow and let you know.

Hi, I'm sorry, I had some technical difficulties and didn't manage to get to it today. Will try it as soon as possible.
Re: [Freeipa-users] Upgrade Test Case
On Fri, 2013-05-03 at 14:32 -0400, Rob Crittenden wrote:

Dean Hunter wrote:

On Wed, 2013-05-01 at 14:20 -0400, Rob Crittenden wrote:

Dean Hunter wrote:

On Tue, 2013-04-30 at 20:55 +0300, Alexander Bokovoy wrote:

On Tue, 30 Apr 2013, Dean Hunter wrote:

I have a small FreeIPA 3.1 installation on Fedora 18. I thought it might be useful to try to upgrade it to FreeIPA 3.2 on Fedora 19 before I tried to rebuild it from scratch, as I imagined larger installations would not be able to rebuild. I thought the test cases for FreeIPA Test Day might have instructions for the upgrade, but I did not find an upgrade test case. Is an upgrade as trivial as pointing yum to a different set of repositories and updating?

Apart from general F18-F19 upgrade issues (if any), there is Kerberos change from 1.10 to 1.11 which brings change in KDC driver ABI. As result, you will need to restart KDC after upgrade.

Thank you. So I did this:

    # Upgrade to Fedora 19
    yum update yum
    yum clean all
    yum --releasever=19 distro-sync --nogpgcheck -y
    reboot

And I have a number of small issues not related to FreeIPA. Is Red Hat Bugzilla the best place to report them?

Yes, please do. If you want to let us know the BZ's you file we can cc ourselves as needed.

thanks!

rob

Here are the bug reports for the update of a Fedora 18 / Free IPA Server 3.1 to Fedora 19 / Free IPA Server 3.2:

https://bugzilla.redhat.com/show_bug.cgi?id=959488 selinux-policy-targeted
https://bugzilla.redhat.com/show_bug.cgi?id=959493 openssh
https://bugzilla.redhat.com/show_bug.cgi?id=959498 freeipa-server-selinux

Thanks. The openssh bug is fixed in FreeIPA upstream but not yet added to release yet. The two selinux errors are identical, I closed the IPA side.

Please don't let this discourage you from opening bugs. It can be difficult to know what component is at fault sometimes!

regards

rob

Thank you. Yes, after a while they all look the same and then I can not see the critical differences.