Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client log on with the Windows AD username only? (only use 'userA' to log in directly, not 'userA@win_ad.com')

Or, after replication, can I use an IPA account to log on to a Windows client PC with the IPA username only? (only use 'userB' to log on, rather than 'userB@ipa_ad.com')

Thank you very much

Kevin Tang

From: Alexander Bokovoy <aboko...@redhat.com>
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 12:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

> On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> > Dear all,
> >
> > I am new to IPA and have some questions about setup. I have already set up an IPA server (CentOS 6.4 64-bit), an IPA client (CentOS 6.4 64-bit), and Windows AD (Windows 2008 R2 Standard 64-bit). The IPA server and Windows AD already have a two-way trust. Windows AD users can log on to the IPA client PC. I have 3 questions about further setup.
> >
> > 1) IPA client login issue. On the IPA client, if a Windows AD user wants to log in, they need to type the full name, such as 'userA@win_ad.com'. How do I let Windows AD users log on with only their username? That is, only use 'userA' to log on to the IPA client PC rather than 'userA@win_ad.com'?
> Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sss/sssd.conf) to be the default, but since trusted AD domains are represented as subdomains of a single IPA provider, the full UPN is used to distinguish and discover which subdomain they belong to, for performance reasons.
>
> > 2) Windows login issue. I want to log on to a Windows AD client PC (the client PC's OS is Windows 7). Since this Windows PC has already joined the win_ad domain, it allows Windows AD domain users to log on. But when I try to log on as an IPA user, for example as 'userB@ipa_ad.com' or 'ipa_ad.com\userB', it always shows 'There are currently no logon servers available to service the logon request.' and does not allow the IPA user to log on. What do I do now? Do I need to modify a Windows AD setting, or a Windows client PC setting?
> We do not support this mode yet; it requires implementation of the Global Catalog service on the IPA side, which is not done yet. Plans for doing that are in the Fedora 20-21 time frame.
>
> > 3) Windows login issue. Can I log in to a Windows AD client PC with the IPA username only (not including the IPA domain)? That is, only use 'userB' as the username to log in?
> No. Only users from the domain the Windows PC is joined to can be logged in without an explicit domain name. Since the IPA domain belongs to a separate forest, you cannot log in without an explicit domain prefix. Please note, even that will only be possible when we implement the Global Catalog service on the IPA side.
>
> --
> / Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA AD Trust issue
On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> Dear Alexander,
>
> If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client log on with the Windows AD username only? (only use 'userA' to log in directly, not 'userA@win_ad.com')
If you are using ipa-replica-prepare against Windows AD, you are using winsync/passsync, which copies user entries from AD to IPA. In this case AD users become IPA users. It is not a trust per se, only a synchronization. In particular, users will not be able to use their AD Kerberos credentials at all.

But yes, in the winsync case these users will be able to log in with just a user name.

> Or, after replication, can I use an IPA account to log on to a Windows client PC with the IPA username only? (only use 'userB' to log on, rather than 'userB@ipa_ad.com')
No, synchronization is from AD to IPA, not the other way around. A change in IPA to an account which was synchronized from AD will be propagated back to AD, but IPA users will not be copied to AD.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA Load Problems?
On 09/04/2013 04:02 PM, Rich Megginson wrote:
> On 09/04/2013 07:58 AM, John Moyer wrote:
>> It was our opinion that it wasn't an index issue. I cleared the logs from the IPA server, and then just ran a JIRA sync with the server. I gave Rich the log file from my IPA for that sync. I can't find the exact conversation, but we determined that JIRA was connecting to LDAP some 1000 times or so to do the sync.

In parallel to our investigation in FreeIPA, I think it would be beneficial to check whether Jira can be configured so that it does the synchronization in one LDAP connection instead of connecting 1000 times to do the searches. If this is not possible, I think a bug should be filed so that they can fix it eventually in future versions.

> Right. For every single entry in IPA (user and group), JIRA LDAP sync does connect/bind/search/unbind/disconnect. This is horribly inefficient, but it is what it is, and apparently other apps work the same way (nexus? svn?), so this would be a good avenue to investigate performance.
>
>> The logs didn't show but one search done that didn't have an index, which is why we concluded it wasn't an index issue. Adding indexing did help, but not much, and not nearly enough to make the performance acceptable.

Ok, it seems that the problem is indeed a slow LDAP bind with FreeIPA. It is important to note that it will always be slower than simple-auth LDAP binds with a plain LDAP instance, as FreeIPA has several DS plugins hooked into the bind operation which provide some of the functionality. Our current plan is to profile the bind operation and see if some of our DS plugins take more time than they should. Hopefully, we will find some suboptimal or unnecessary check which could be optimized and which would improve the overall result.

Martin
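The connect/bind/search/unbind loop and the unindexed-search question above are both visible in the 389-ds access log. As an added example (not from the thread, and not a Red Hat or 389-ds tool), here is a Python summariser over constructed access-log lines that imitate the real format: it counts connections, bind and search latency (etime), and RESULT lines carrying notes=U, which 389-ds uses to flag an unindexed search.

```python
"""Summarise a 389-ds (FreeIPA directory server) access log per connection.

Added example, not from the thread and not Red Hat's or 389-ds's own
tooling.  The log lines below are constructed to imitate the 389-ds
access-log format; the real log from the thread is not reproduced here.
"""
import re
from collections import defaultdict

# Constructed sample: the client opens a fresh connection for every entry it
# syncs (connect / BIND / SRCH / UNBIND / close), the pattern described above.
SAMPLE_LOG = """\
[04/Sep/2013:09:58:01 -0400] conn=101 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.2
[04/Sep/2013:09:58:01 -0400] conn=101 op=0 BIND dn="uid=jira,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[04/Sep/2013:09:58:01 -0400] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0.412 dn="uid=jira,cn=sysaccounts,cn=etc,dc=example,dc=com"
[04/Sep/2013:09:58:01 -0400] conn=101 op=1 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uid cn mail"
[04/Sep/2013:09:58:01 -0400] conn=101 op=1 RESULT err=0 tag=101 nentries=1 etime=0.003
[04/Sep/2013:09:58:01 -0400] conn=101 op=2 UNBIND
[04/Sep/2013:09:58:01 -0400] conn=101 op=2 fd=64 closed - U1
[04/Sep/2013:09:58:02 -0400] conn=102 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.2
[04/Sep/2013:09:58:02 -0400] conn=102 op=0 BIND dn="uid=jira,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[04/Sep/2013:09:58:02 -0400] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0.388 dn="uid=jira,cn=sysaccounts,cn=etc,dc=example,dc=com"
[04/Sep/2013:09:58:02 -0400] conn=102 op=1 SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(description=*admins*)" attrs="cn member"
[04/Sep/2013:09:58:03 -0400] conn=102 op=1 RESULT err=0 tag=101 nentries=3 etime=1.250 notes=U
[04/Sep/2013:09:58:03 -0400] conn=102 op=2 UNBIND
[04/Sep/2013:09:58:03 -0400] conn=102 op=2 fd=64 closed - U1
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$")
ETIME_RE = re.compile(r"\betime=([0-9.]+)")
UNINDEXED_RE = re.compile(r"\bnotes=[A-Z]*U\b")  # notes=U (or A,U) marks an unindexed search


def summarise_access_log(text):
    """Count connections, per-operation latency and unindexed searches.

    Each operation is logged twice (the request, then its RESULT), so the
    request kind is remembered by (conn, op) until the RESULT line arrives.
    """
    connections = set()
    pending = {}                 # (conn, op) -> request kind (BIND, SRCH, ...)
    etimes = defaultdict(list)   # kind -> list of etime values, in seconds
    unindexed = 0

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if "connection from" in rest:
            connections.add(conn)
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        key = (conn, om.group("op"))
        kind = om.group("kind")
        if kind != "RESULT":
            pending[key] = kind
            continue
        started = pending.pop(key, None)
        if started is None:
            continue   # RESULT without a request we saw (log truncated)
        em = ETIME_RE.search(om.group("args"))
        etimes[started].append(float(em.group(1)) if em else 0.0)
        if started == "SRCH" and UNINDEXED_RE.search(om.group("args")):
            unindexed += 1

    def avg(values):
        return sum(values) / len(values) if values else 0.0

    binds, searches = etimes.get("BIND", []), etimes.get("SRCH", [])
    return {
        "connections": len(connections),
        "binds": len(binds),
        "bind_avg_etime": avg(binds),
        "binds_per_connection": len(binds) / len(connections) if connections else 0.0,
        "searches": len(searches),
        "search_avg_etime": avg(searches),
        "unindexed_searches": unindexed,
    }


if __name__ == "__main__":
    for key, value in summarise_access_log(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

Run it over a copy of /var/log/dirsrv/slapd-INSTANCE/access: a binds-per-connection ratio near 1 across hundreds of connections is the per-entry reconnect pattern Rich describes, while a bind_avg_etime that dwarfs search_avg_etime points at the bind path Martin plans to profile rather than at indexing.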
Re: [Freeipa-users] IPA AD Trust issue
>> 1) IPA client login issue. On the IPA client, if a Windows AD user wants to log in, they need to type the full name, such as 'userA@win_ad.com'. How do I let Windows AD users log on with only their username? That is, only use 'userA' to log on to the IPA client PC rather than 'userA@win_ad.com'?
> Not supported. There could be some obscure SSSD setting to allow one SSSD domain (as in /etc/sss/sssd.conf) to be the default, but since trusted AD domains are represented as subdomains of a single IPA provider, the full UPN is used to distinguish and discover which subdomain they belong to, for performance reasons.

Actually you can use default_domain_suffix in the [sssd] section. But then you need to fully qualify the users from the IPA domain.

       default_domain_suffix (string)
              This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well.

              Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. u...@domain.name, to log in.

              Default: not set
[Freeipa-users] Clients locked screens freeze or crash problem
Hi,

I have an IPA test network based on Red Hat 6.4 servers and clients where home directories are shared through NFS4 with krb5p. Autofs is handled by SSSD and everything works great, except when the user does not log out and just locks the PC before a weekend, or at least for longer than a day. In this case the whole desktop crashes or is frozen and unresponsive at the screensaver.

Could this have to do with the NFS4 home directories through Kerberos and the user's ticket no longer being valid?
Re: [Freeipa-users] freeipa and sudo
On 09/09/2013 07:32 PM, Dean Hunter wrote:
> On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
>> On 09/08/2013 01:35 AM, Dmitri Pal wrote:
>>> On 09/07/2013 02:11 PM, Christian Horn wrote:
>>>> On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:
>>>>> Are [1] and [2] still the current and best sources of information for configuring sudo for use with the current release of FreeIPA on Fedora 19?
>>>>>
>>>>> 1. http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
>>>>> 2. http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>>>> There is also the Identity_Management_Guide as part of the RHEL product documentation:
>>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
>>> This and the pdf above are the latest word in this area.
>> Hi,
>> those documents describe the configuration for SSSD 1.9. Although it is still valid, we have simplified the configuration for the IPA provider in 1.10. The most up to date document for your version of SSSD is always man sssd-sudo.
>
> Thank you. Please verify that I have correctly understood your note.
>
> Your slides from 12-20-2012 applied to SSSD 1.9 and included a reference to the manual pages, which I now understand, as well as this example configuration:
>
>     sudo_provider = ldap
>     ldap_uri = ldap://ipa.example.com
>     ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>     ldap_sasl_mech = GSSAPI
>     ldap_sasl_authid = host/hostname.example.com
>     ldap_sasl_realm = EXAMPLE.COM
>     krb5_server = ipa.example.com
>
> I have used this configuration with good results. However, reading man sssd-sudo from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:
>
>     When the SSSD is configured to use the IPA provider, the sudo provider is automatically enabled. The sudo search base is configured to use the compat tree (ou=sudoers,$DC).

I forgot that the configuration was simplified also in 1.9. You can just stick with the contents of sssd-sudo. I.e. you only need to put sudo in services (there's an RFE to do it automatically by ipa-client-install) and "sudoers: files sss" in /etc/nsswitch.conf.

> May I suggest that you change "IPA provider" to "IPA as the ID provider"? There are a number of providers identified in sssd.conf and most of them are configured to use IPA.

This is a valid point, thanks.

> Testing shows that the only change now required to sssd.conf is the addition of sudo to the services list in the sssd section [sssd]:
>
>     services = autofs, nss, pam, ssh, sudo
>
> Add to this the one line change in nsswitch.conf
>
>     sudoers: files sss
>
> and I am done.

Correct.
Re: [Freeipa-users] freeipa and sudo
On 09/09/2013 05:53 PM, Dean Hunter wrote:
> On Mon, 2013-09-09 at 11:35 +0200, Pavel Březina wrote:
>> On 09/09/2013 12:26 AM, Dean Hunter wrote:
>>> On Sun, 2013-09-08 at 23:11 +0200, Jakub Hrozek wrote:
>>>> On Sun, Sep 08, 2013 at 03:42:16PM -0500, Dean Hunter wrote:
>>>>> Some sudo rules are causing:
>>>>>
>>>>>     [dean@desktop2 ~]$ sudo id
>>>>>     sudo: internal error, tried to erealloc3(0)
>>>>
>>>> This is a known bug:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1000389
>>>>
>>>> I think the sudo rules are just missing the sudoHost attribute.
>>>>
>>>>> , but others do not. In the trial and error process of determining which rule specifications are causing the error, I have been restarting the virtual machine I am using as the sudo client between tests. Is there a better way to clear the SSSD cache between trials to make sure I am testing the most recent rule change?
>>>>
>>>> Unfortunately right now the only way is to rm the sssd cache, which would also remove any cached credentials.
>>>>
>>>> I thought there was an RFE open to track the enhancement to make sss_cache invalidate and refresh sudo rules, but I can't find it now in the SSSD trac, so I filed another one:
>>>> https://fedorahosted.org/sssd/ticket/2081
>>>>
>>>> Worst case, we mark it as a duplicate.
>>>
>>> I saw bug report 1000389, but I could not understand it or whether it applied to me. I discovered that sudo rules for which I specified a host group caused the error. Rules with a host category of all instead of the host group did not cause the error. Is this what 1000389 says?
>>>
>>>     ipa sudorule-add server-admins --desc "Server Administrators"
>>>     ipa sudorule-mod server-admins --cmdcat all
>>>     # ipa sudorule-add-host server-admins --hostgroups servers
>>>     ipa sudorule-mod server-admins --hostcat all
>>>     ipa sudorule-add-option server-admins --sudooption '!authenticate'
>>>     ipa sudorule-add-runasuser server-admins --users root
>>>     ipa sudorule-add-runasgroup server-admins --groups root
>>>     ipa sudorule-add-user server-admins --groups server-admins
>>
>> Does the machine where sudo prints this error belong to the hostgroup 'servers'? If the answer is *no* then you are hitting 1000389.
>
> Yes, the virtual machine where the sudo internal error occurs is a member of the hostgroup. So I guess this is a new error and should be reported?

FYI Dean reported https://bugzilla.redhat.com/show_bug.cgi?id=1006611

I still think it is the same bug as 1000389, however with a slightly different back trace. I'll follow up in BZ.

>>> This problem exists with the latest updates on both Fedora 18 and Fedora 19.
>>>
>>> I also discovered that libsss_sudo.so is missing from Fedora 18 installations. It needs to be installed separately by installing the libsss_sudo package.
>
> Yes, I did find the package and installed it.
Re: [Freeipa-users] freeipa and sudo
On 09/11/2013 11:21 AM, Pavel Březina wrote:
> On 09/09/2013 07:32 PM, Dean Hunter wrote:
>> May I suggest that you change "IPA provider" to "IPA as the ID provider"? There are a number of providers identified in sssd.conf and most of them are configured to use IPA.
>
> This is a valid point, thanks.

https://fedorahosted.org/sssd/ticket/2085
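To tie the sudo checklist above (sudo in the [sssd] services list, "sudoers: files sss" in nsswitch.conf, IPA as the ID provider) together with the default_domain_suffix caveat from the AD-trust thread earlier on this page, here is an added Python example, not from the thread and not part of SSSD or FreeIPA. It parses a constructed sssd.conf and nsswitch.conf (the example.com names are placeholders), reports what is still missing for sudo, produces the corrected services line, and shows how default_domain_suffix rewrites a bare login name, which is why IPA-domain users then have to log in fully qualified.

```python
"""Check a FreeIPA client's sssd.conf and nsswitch.conf for the sudo setup
this thread converges on, and show what default_domain_suffix (mentioned in
the AD-trust thread above) does to a bare login name.

Added example, not from the thread and not part of SSSD or FreeIPA.  The
configuration text is constructed; the domain and host names are placeholders.
"""
import configparser
import io

# Constructed client configuration: IPA provider set up, but 'sudo' not yet in
# the services list, and nsswitch.conf still consulting only local sudoers.
SAMPLE_SSSD_CONF = """\
[sssd]
services = autofs, nss, pam, ssh
domains = ipa.example.com
default_domain_suffix = win_ad.com

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ipa_domain = ipa.example.com
ipa_hostname = client.ipa.example.com
"""

SAMPLE_NSSWITCH = """\
passwd:     files sss
group:      files sss
sudoers:    files
netgroup:   files sss
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def sssd_services(cp):
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def nsswitch_sources(text, database):
    """Return the source list for one nsswitch database, e.g. ['files', 'sss']."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        if name.strip() == database:
            return sources.split()
    return []


def check_sudo_setup(sssd_text, nsswitch_text):
    """List what is still missing for sudo to read IPA rules through SSSD."""
    cp = parse_sssd_conf(sssd_text)
    findings = []
    if "sudo" not in sssd_services(cp):
        findings.append("sssd.conf: add 'sudo' to services in [sssd]")
    ipa_domains = [s for s in cp.sections()
                   if s.startswith("domain/") and cp.get(s, "id_provider", fallback="") == "ipa"]
    if not ipa_domains:
        findings.append("sssd.conf: no [domain/...] section with id_provider = ipa "
                        "(the sudo provider is auto-enabled only for the IPA provider)")
    if "sss" not in nsswitch_sources(nsswitch_text, "sudoers"):
        findings.append("nsswitch.conf: set 'sudoers: files sss'")
    return findings


def add_sudo_service(sssd_text):
    """Return sssd.conf text with 'sudo' appended to the [sssd] services list."""
    cp = parse_sssd_conf(sssd_text)
    services = sssd_services(cp)
    if "sudo" not in services:
        services.append("sudo")
    cp.set("sssd", "services", ", ".join(services))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def resolve_login_name(cp, name):
    """Apply the default_domain_suffix rule from sssd.conf(5) to a login name.

    A bare name gets the suffix appended, which is why IPA-domain users must
    then log in fully qualified once the suffix points at the trusted domain.
    """
    if "@" in name:
        return name
    suffix = cp.get("sssd", "default_domain_suffix", fallback=None)
    return f"{name}@{suffix}" if suffix else name


if __name__ == "__main__":
    for finding in check_sudo_setup(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH):
        print("TODO:", finding)
    cp = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for user in ("userA", "userB", "userB@ipa.example.com"):
        print(f"{user:>24} -> {resolve_login_name(cp, user)}")
```

With the sample above, the checker reports the two edits Dean ended up making and nothing else; with default_domain_suffix = win_ad.com a bare 'userB' is resolved as 'userB@win_ad.com', so an IPA user named userB only works as 'userB@ipa.example.com', exactly the trade-off the man page excerpt warns about.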
Re: [Freeipa-users] IPA AD Trust issue
Dear Alexander,

Understand, thank you very much.

Kevin.

From: Alexander Bokovoy <aboko...@redhat.com>
To: kevint...@umac.mo
Cc: freeipa-users@redhat.com
Date: 09/11/2013 02:52 PM
Subject: Re: [Freeipa-users] IPA AD Trust issue

> On Wed, 11 Sep 2013, kevint...@umac.mo wrote:
> > If I use 'ipa-replica-prepare' to replicate Windows AD to/from IPA AD, will all user accounts in Windows AD be 'copied' to IPA AD, and can my IPA client log on with the Windows AD username only?
> If you are using ipa-replica-prepare against Windows AD, you are using winsync/passsync, which copies user entries from AD to IPA. In this case AD users become IPA users. It is not a trust per se, only a synchronization. In particular, users will not be able to use their AD Kerberos credentials at all.
>
> But yes, in the winsync case these users will be able to log in with just a user name.
>
> > Or, after replication, can I use an IPA account to log on to a Windows client PC with the IPA username only?
> No, synchronization is from AD to IPA, not the other way around. A change in IPA to an account which was synchronized from AD will be propagated back to AD, but IPA users will not be copied to AD.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Clients locked screens freeze or crash problem
On Wed, Sep 11, 2013 at 08:11:24AM +, Johan Petersson wrote:
> Hi,
>
> I have an IPA test network based on Red Hat 6.4 servers and clients where home directories are shared through NFS4 with krb5p. Autofs is handled by SSSD and everything works great, except when the user does not log out and just locks the PC before a weekend, or at least for longer than a day. In this case the whole desktop crashes or is frozen and unresponsive at the screensaver.
>
> Could this have to do with the NFS4 home directories through Kerberos and the user's ticket no longer being valid?

Hi Johann,
is the home directory mounted using the user's credentials?

Have you checked the Kerberos credentials renewing? See man sssd-krb5, options like krb5_renew_interval
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:
> Hi Dean,
>
> On Tue, 10 Sep 2013, Dean Hunter wrote:
>> How do I determine the cause of this problem?
>>
>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>     Last login: Tue Sep 10 21:10:01 2013 from ipa2.hunter.org
>>     Could not chdir to home directory /home/net/dean: Permission denied
>>     -bash: /home/net/dean/.bash_profile: Permission denied
>>     -bash-4.2$ rpm -q freeipa-client
>>     freeipa-client-3.1.5-1.fc18.x86_64
>>     -bash-4.2$
>>
>> I can log in as dean on desktop2 using gdm without a problem. But when I try to log in using ssh then I am denied access to the user's home directory.
>
> Is there any SELinux AVC in the logs?
> Is /home/net an NFS mount?
> Is the use_nfs_home_dirs SELinux boolean set to on? (getsebool -a|grep home)

1) Is there any SELinux AVC in the logs?

    [dean@desktop2 ~]$ sudo ausearch --message avc
    <no matches>

2) Is /home/net an NFS mount?

    Yes

3) Is the use_nfs_home_dirs SELinux boolean set to on?

    [dean@desktop2 ~]$ getsebool use_nfs_home_dirs
    use_nfs_home_dirs --> on

Here is the script I use to configure IPA NFS clients:

    # Configure the Network File System client

    setsebool -P use_nfs_home_dirs on

    # Run nfs-secure (rpc.gssd) with the multi-user target; RedHat bug 972363
    cat /usr/lib/systemd/system/nfs-secure.service \
      | sed -e s/WantedBy=nfs.target/WantedBy=multi-user.target/ \
      > /etc/systemd/system/nfs-secure.service

    ipa-client-automount \
      --location VM \
      --unattended

    sed -i 's/sss files/ files sss/g' /etc/nsswitch.conf   # FreeIPA bug 3733
    systemctl restart sssd.service                          # FreeIPA bug 3733
    systemctl restart autofs.service                        # FreeIPA bug 3733
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 08:27 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 07:10 +0300, Alexander Bokovoy wrote:
>> On Tue, 10 Sep 2013, Dean Hunter wrote:
>>> How do I determine the cause of this problem?

I do NOT believe this:

    [dean@ipa2 ~]$ ssh dean@desktop2
    Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
    Could not chdir to home directory /home/net/dean: Permission denied
    -bash: /home/net/dean/.bash_profile: Permission denied
    -bash-4.2$ logout
    -bash: /home/net/dean/.bash_logout: Permission denied
    Connection to desktop2 closed.
    [dean@ipa2 ~]$ su -
    Password:
    [root@ipa2 ~]# ssh dean@desktop2
    dean@desktop2's password:
    Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
    [dean@desktop2 ~]$ logout
    Connection to desktop2 closed.
    [root@ipa2 ~]# logout
    [dean@ipa2 ~]$ ssh dean@desktop2
    Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
    [dean@desktop2 ~]$
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
> I do NOT believe this:
>
>     [dean@ipa2 ~]$ ssh dean@desktop2
>     Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>     Could not chdir to home directory /home/net/dean: Permission denied
>     -bash: /home/net/dean/.bash_profile: Permission denied
>     -bash-4.2$ logout
>     -bash: /home/net/dean/.bash_logout: Permission denied
>     Connection to desktop2 closed.
>     [dean@ipa2 ~]$ su -
>     Password:
>     [root@ipa2 ~]# ssh dean@desktop2
>     dean@desktop2's password:
>     Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>     [dean@desktop2 ~]$ logout
>     Connection to desktop2 closed.
>     [root@ipa2 ~]# logout
>     [dean@ipa2 ~]$ ssh dean@desktop2
>     Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>     [dean@desktop2 ~]$

Are you using a kerberized NFS mount ?
I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>> I do NOT believe this:
>>
>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>     Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>     Could not chdir to home directory /home/net/dean: Permission denied
>>     -bash: /home/net/dean/.bash_profile: Permission denied
>>     -bash-4.2$ logout
>>     -bash: /home/net/dean/.bash_logout: Permission denied
>>     Connection to desktop2 closed.
>>     [dean@ipa2 ~]$ su -
>>     Password:
>>     [root@ipa2 ~]# ssh dean@desktop2
>>     dean@desktop2's password:
>>     Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>     [dean@desktop2 ~]$ logout
>>     Connection to desktop2 closed.
>>     [root@ipa2 ~]# logout
>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>     Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>     [dean@desktop2 ~]$
>
> Are you using a kerberized NFS mount ?
> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>
> Simo.

Yes, I am using Kerberos with NFS. Should I report this as a bug?
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>> I do NOT believe this:
>>>
>>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>>     Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>     Could not chdir to home directory /home/net/dean: Permission denied
>>>     -bash: /home/net/dean/.bash_profile: Permission denied
>>>     -bash-4.2$ logout
>>>     -bash: /home/net/dean/.bash_logout: Permission denied
>>>     Connection to desktop2 closed.
>>>     [dean@ipa2 ~]$ su -
>>>     Password:
>>>     [root@ipa2 ~]# ssh dean@desktop2
>>>     dean@desktop2's password:
>>>     Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>     [dean@desktop2 ~]$ logout
>>>     Connection to desktop2 closed.
>>>     [root@ipa2 ~]# logout
>>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>>     Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>     [dean@desktop2 ~]$
>>
>> Are you using a kerberized NFS mount ?
>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>
>> Simo.
>
> Yes, I am using Kerberos with NFS. Should I report this as a bug?

We need to decide what component is faulty. It may be possible we can get it working somehow.

When you ssh in, what is the ccache ssh assigns you ? Can you run klist and post the output (sanitize it if needed) ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Permission Denied
On 09/11/2013 11:49 AM, Simo Sorce wrote:
> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>> On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:
>>>> I do NOT believe this:
>>>>
>>>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>>>     Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
>>>>     Could not chdir to home directory /home/net/dean: Permission denied
>>>>     -bash: /home/net/dean/.bash_profile: Permission denied
>>>>     -bash-4.2$ logout
>>>>     -bash: /home/net/dean/.bash_logout: Permission denied
>>>>     Connection to desktop2 closed.
>>>>     [dean@ipa2 ~]$ su -
>>>>     Password:
>>>>     [root@ipa2 ~]# ssh dean@desktop2
>>>>     dean@desktop2's password:
>>>>     Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
>>>>     [dean@desktop2 ~]$ logout
>>>>     Connection to desktop2 closed.
>>>>     [root@ipa2 ~]# logout
>>>>     [dean@ipa2 ~]$ ssh dean@desktop2
>>>>     Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
>>>>     [dean@desktop2 ~]$
>>>
>>> Are you using a kerberized NFS mount ?
>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>
>>> Simo.
>>
>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
>
> We need to decide what component is faulty. It may be possible we can get it working somehow.
>
> When you ssh in, what is the ccache ssh assigns you ? Can you run klist and post the output (sanitize it if needed) ?
>
> Simo.

Simo,

Would setting KRBCCACHE explicitly on the client help?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] FreeIPA integrating samba4 + AD
Hello!

First I apologize if this topic is redundant. I'm looking at the implementation of FreeIPA. Looking through the forums, there are some comments that authentication does not work with Samba4. Elsewhere they say that that possibility exists.

Today we have nearly 200 computers in the domain with Active Directory and one wireless captive portal with 1000+ proxy users.

I would like to see if the following scenario is possible:

1 - Integrating Samba4 with Active Directory, to use their GPOs and authenticate network users through FreeIPA.
2 - Authenticate proxy servers in FreeIPA.
3 - And if it is possible, some integration with FreeRADIUS.

Thank you!
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 12:08 -0400, Dmitri Pal wrote:
> On 09/11/2013 11:49 AM, Simo Sorce wrote:
>> On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:
>>> On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:
>>>> Are you using a kerberized NFS mount ?
>>>> I think what is happening is that when going via SSH rpc.gssd cannot find your ticket, ssh may be doing something wrong in this case.
>>>>
>>>> Simo.
>>>
>>> Yes, I am using Kerberos with NFS. Should I report this as a bug?
>>
>> We need to decide what component is faulty. It may be possible we can get it working somehow.
>>
>> When you ssh in, what is the ccache ssh assigns you ? Can you run klist and post the output (sanitize it if needed) ?
>>
>> Simo.
>
> Simo,
>
> Would setting KRBCCACHE explicitly on the client help?

It depends, it would not help if you used GSSAPI SSO auth but did *not* delegate your credentials, for example, as you have no credentials on the target system in that case.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
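Simo's question (which ccache does the ssh session have, and what does klist show) and the earlier locked-screen thread (does the ticket still exist, and could krb5_renew_interval have renewed it) both come down to reading klist output. As an added example, not from the thread and not part of MIT Kerberos, SSSD or FreeIPA, here is a Python parser over two constructed klist outputs: one from an interactive login with a renewable TGT, and one from a session that has no credentials cache at all, which is what an ssh GSSAPI login without credential delegation leaves behind. The timestamp format is an assumption (it varies by klist version and locale), and the hunter.org principals are placeholders modelled on the thread.

```python
"""Read klist output and say whether the NFS client (rpc.gssd) has a TGT to
work with, and whether SSSD's renewal (krb5_renew_interval, sssd-krb5(5))
could still keep it alive.

Added example, not from the thread and not part of MIT Kerberos, SSSD or
FreeIPA.  The klist outputs below are constructed; the real klist timestamp
format depends on the klist version and locale, so TIME_FMT is an assumption.
"""
import re
from datetime import datetime

TIME_FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({STAMP})")

# Constructed: what an interactive (password / gdm) login leaves behind.
SAMPLE_KLIST_OK = """\
Ticket cache: FILE:/tmp/krb5cc_1000_AbCdEf
Default principal: dean@HUNTER.ORG

Valid starting       Expires              Service principal
09/11/2013 08:35:16  09/12/2013 08:35:16  krbtgt/HUNTER.ORG@HUNTER.ORG
\trenew until 09/18/2013 08:35:16
09/11/2013 08:35:17  09/12/2013 08:35:16  nfs/nas.hunter.org@HUNTER.ORG
"""

# Constructed: a GSSAPI ssh login without credential delegation leaves nothing.
SAMPLE_KLIST_NONE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)\n"


def parse_time(stamp):
    return datetime.strptime(stamp, TIME_FMT)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [...]} from klist output."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("klist:"):
            break                      # error line: there is no cache to parse
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            tm = TICKET_RE.match(line.strip())
            rm = RENEW_RE.match(line)
            if tm:
                info["tickets"].append({
                    "start": parse_time(tm.group(1)),
                    "expires": parse_time(tm.group(2)),
                    "renew_until": None,
                    "service": tm.group(3),
                })
            elif rm and info["tickets"]:
                # "renew until" belongs to the ticket on the previous line
                info["tickets"][-1]["renew_until"] = parse_time(rm.group(1))
    return info


def _tgts(info):
    return [t for t in info["tickets"] if t["service"].startswith("krbtgt/")]


def tgt_status(info, now):
    """'no-ccache', 'no-tgt', 'expired' or 'valid', as rpc.gssd would see it."""
    if info["cache"] is None:
        return "no-ccache"
    tgts = _tgts(info)
    if not tgts:
        return "no-tgt"
    newest = max(tgts, key=lambda t: t["expires"])
    return "valid" if now < newest["expires"] else "expired"


def renewal_possible(info, now):
    """True while the TGT is still valid and inside its renewable lifetime:
    the only window in which a renewer such as sssd can extend it."""
    if tgt_status(info, now) != "valid":
        return False
    tgt = max(_tgts(info), key=lambda t: t["expires"])
    return tgt["renew_until"] is not None and now < tgt["renew_until"]


if __name__ == "__main__":
    samples = (("interactive login", SAMPLE_KLIST_OK), ("ssh without delegation", SAMPLE_KLIST_NONE))
    for label, text in samples:
        info = parse_klist(text)
        for when in ("09/11/2013 09:00:00", "09/14/2013 09:00:00"):
            now = parse_time(when)
            print(f"{label:<24} at {when}: {tgt_status(info, now):<9} "
                  f"renewable={renewal_possible(info, now)}")
```

The two outcomes map onto the two threads: 'no-ccache' on an ssh session is the state Simo describes (nothing for rpc.gssd to use, so the krb5p home directory is denied), while a TGT that is 'valid' on Friday morning but 'expired' by Monday, with renewal_possible already False after the 24-hour lifetime, is the locked-screen case, which sssd's renewal can only prevent if it runs before the ticket expires.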
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
On Wed, 2013-09-11 at 14:06 -0300, Christovam Paynes Silva wrote:
[...]

Hi Christovam,
it is a bit unclear what you mean by integrating here. Is your intent to use Samba4 as an AD domain controller for your Windows clients and IPA for your servers?

If that's the case, unfortunately this is not possible at the moment, as samba4 does not yet support Forest level trusts. A Microsoft AD server can be used this way instead.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
On 09/11/2013 04:02 PM, Christovam Paynes Silva wrote:
It is a pity! Thank you!
[...]

I did not get a feeling that we understand the whole picture correctly to say that we provided the full answer.

What I get from the description:
1) Presence of Windows Clients = 100
2) Presence of AD to rule them
3) Presence of users (I deduce in AD too, but unclear) = 1000

Intent: use open source technologies instead of a proprietary solution.

What is not clear:
a) Are the users that come through the portal the same users that use the Windows Clients or not? Is there an overlap?
b) Is there any kind of Linux servers/machines in the picture?

If you do not have Linux systems and all users can be stored in one place, it might be that you do not need FreeIPA. It might be that you can solve the problem by using Samba4 instead of AD, connecting your clients to it, putting your external portal users into a special OU in Samba4, and configuring FreeRADIUS to use this OU for authentication. Configure your portal to use RADIUS.

HTH

Thanks
Dmitri

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

--- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] freeipa and sudo
On Wed, 2013-09-11 at 11:21 +0200, Pavel Březina wrote:
On 09/09/2013 07:32 PM, Dean Hunter wrote:
On Mon, 2013-09-09 at 11:23 +0200, Pavel Březina wrote:
On 09/08/2013 01:35 AM, Dmitri Pal wrote:
On 09/07/2013 02:11 PM, Christian Horn wrote:
On Sat, Sep 07, 2013 at 12:06:37PM -0500, Dean Hunter wrote:

Are [1] and [2] still the current and best sources of information for configuring sudo for use with the current release of FreeIPA on Fedora 19?

1. http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/sudo.html
2. http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

Christian Horn wrote:

There is also the Identity_Management_Guide as part of the RHEL product documentation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

Dmitri Pal wrote:

This and the pdf above are the latest word in this area.

Pavel Březina wrote:

Hi, those documents describe configuration for SSSD 1.9. Although it is still valid, we have simplified the configuration for the IPA provider in 1.10. The most up to date document for your version of SSSD is always man sssd-sudo.

Dean Hunter wrote:

Thank you. Please verify that I have correctly understood your note. Your slides from 12-20-2012 applied to SSSD 1.9 and included a reference to the manual pages, which I now understand, as well as this example configuration:

    sudo_provider = ldap
    ldap_uri = ldap://ipa.example.com
    ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = host/hostname.example.com
    ldap_sasl_realm = EXAMPLE.COM
    krb5_server = ipa.example.com

I have used this configuration with good results. However, reading man sssd-sudo from sssd-1.9.5-2.fc18.x86_64 I find this paragraph:

    When the SSSD is configured to use the IPA provider, the sudo provider is automatically enabled. The sudo search base is configured to use the compat tree (ou=sudoers,$DC).

Pavel Březina wrote:

I forgot that the configuration was simplified also in 1.9. You can just stick with the contents of sssd-sudo. I.e. you only need to put sudo into services (there's an RFE to do it automatically by ipa-client-install) and sudoers: files sss into /etc/nsswitch.conf.

Dean Hunter wrote:

May I suggest that you change "IPA provider" to "IPA as the ID provider"? There are a number of providers identified in sssd.conf and most of them are configured to use IPA.

Pavel Březina wrote:

This is a valid point, thanks.

Dean Hunter wrote:

Testing shows that the only change now required to sssd.conf is the addition of sudo to the services list in the sssd section:

    [sssd]
    services = autofs, nss, pam, ssh, sudo

Add to this the one line change in nsswitch.conf:

    sudoers: files sss

and I am done.

Pavel Březina wrote:

Correct.

Nope, there is still one step remaining. nisdomainname must be configured:
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
On Wed, 2013-09-11 at 16:37 -0300, Christovam Paynes Silva wrote:
Hello Simo, thanks for the feedback. I would use Samba4 with AD and authenticate my Windows clients in FreeIPA. Is this possible?
[...]

It is not possible at this point to combine Samba4 AD and freeIPA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
Hello Simo, thanks for the feedback. I would use Samba4 with AD and authenticate my Windows clients in FreeIPA. Is this possible?

2013/9/11 Simo Sorce s...@redhat.com
[...]
Re: [Freeipa-users] FreeIPA integrating samba4 + AD
It is a pity! Thank you!

2013/9/11 Simo Sorce s...@redhat.com
[...]
[Freeipa-users] FreeIPA on Fedora 20: Configuration of CA failed
I'm trying to install FreeIPA Server on Fedora 20 (with all updates installed) but it fails on the ipa-server-install -N command. Error message:

    CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmppTdhYM' returned non-zero exit status 1

which pointed me to [1] and [2]. I've found bug 953488 [3] but the recommended solution does not work for me. Is there any way I can install and configure FreeIPA server on Fedora 20?

Here are some lines from /var/log/ipaserver-install.log:

    2013-09-11T20:13:40Z DEBUG Starting external process
    2013-09-11T20:13:40Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmppTdhYM
    2013-09-11T20:13:40Z DEBUG Process finished, return code=1
    2013-09-11T20:13:40Z DEBUG stdout=Loading deployment configuration from /tmp/tmppTdhYM.
    Installing CA into /var/lib/pki/pki-tomcat.
    Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
    Installation failed.
    2013-09-11T20:13:40Z DEBUG stderr=pkispawn: WARNING ... Dangling symlink '/var/lib/pki/pki-tomcat/pki-tomcat'--'/usr/sbin/tomcat-sysd'
    2013-09-11T20:13:40Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmppTdhYM' returned non-zero exit status 1
    2013-09-11T20:13:40Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
        return_value = main_function()
      File "/usr/sbin/ipa-server-install", line 1022, in main
        dm_password, subject_base=options.subject)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
        self.start_creation(runtime=210)
      File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
        method()
      File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
        raise RuntimeError('Configuration of CA failed')
    2013-09-11T20:13:40Z DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

and a few more lines from /var/log/pki/pki-ca-spawn.20130911221340.log:

    2013-09-11 22:13:40 pkispawn: INFO ... mkdir -p /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
    2013-09-11 22:13:40 pkispawn: DEBUG... chmod 770 /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
    2013-09-11 22:13:40 pkispawn: DEBUG... chown 995:994 /var/lib/pki/pki-tomcat/work/Catalina/localhost/ca
    2013-09-11 22:13:40 pkispawn: INFO ... ln -s /usr/share/tomcat/bin /var/lib/pki/pki-tomcat/bin
    2013-09-11 22:13:40 pkispawn: DEBUG... chown -h 995:994 /var/lib/pki/pki-tomcat/bin
    2013-09-11 22:13:40 pkispawn: WARNING ... Dangling symlink '/var/lib/pki/pki-tomcat/pki-tomcat'--'/usr/sbin/tomcat-sysd'
    2013-09-11 22:13:40 pkispawn: DEBUG... Error Type: SystemExit
    2013-09-11 22:13:40 pkispawn: DEBUG... Error Message: 1
    2013-09-11 22:13:40 pkispawn: DEBUG...   File "/usr/sbin/pkispawn", line 374, in main
        rv = instance.spawn()
      File "/usr/lib/python2.7/site-packages/pki/deployment/instance_layout.py", line 87, in spawn
        uid=0, gid=0)
      File "/usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py", line 1774, in create
        sys.exit(1)

Mateusz Marzantowicz

[1] https://www.redhat.com/archives/freeipa-users/2013-July/msg00247.html
[2] https://www.redhat.com/archives/freeipa-users/2012-December/msg00010.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=953488
Re: [Freeipa-users] FreeIPA on Fedora 20: Configuration of CA failed
On 09/11/2013 03:33 PM, Mateusz Marzantowicz wrote:
I'm trying to install FreeIPA Server on Fedora 20 (with all updates installed) but it fails on the ipa-server-install -N command. Error message: CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmppTdhYM' returned non-zero exit status 1, which pointed me to [1] and [2]. I've found bug 953488 [3] but the recommended solution does not work for me. Is there any way I can install and configure FreeIPA server on Fedora 20?

I believe that this is all caused by a recent change to the way Tomcat startup works in F20, which breaks the Dogtag CA. We hope to have a new build of Dogtag soon that addresses this.

Thanks,
-NGK

[...]
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:
[...]
We need to decide what component is faulty. It may be possible we can get it working somehow. When you ssh in, what is the ccache ssh assigns you? Can you run klist and post the output (sanitize it if needed)?

Simo.

I hope this is what you requested:

[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
[dean@ipa2 ~]$ ssh dean@desktop2
Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
Could not chdir to home directory /home/net/dean: Permission denied
-bash: /home/net/dean/.bash_profile: Permission denied
-bash-4.2$ hostname
desktop2.hunter.org
-bash-4.2$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
-bash-4.2$ logout
-bash: /home/net/dean/.bash_logout: Permission denied
Connection to desktop2 closed.
[dean@ipa2 ~]$ klist
Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
Default principal: d...@hunter.org

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org
[dean@ipa2 ~]$
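Simo's point earlier in the thread (a GSSAPI single sign-on login that does not delegate credentials leaves no ticket on the target, so rpc.gssd has nothing to present for a krb5-secured NFS home) and Dean's two klist transcripts above suggest a small check worth scripting. The following is an added example, not code from the thread or from FreeIPA, SSSD or nfs-utils: it classifies klist output from the client and from the ssh session on the target and says whether the session needs a kinit first, needs the TGT delegated, or is fine. The sample transcripts embedded in it, the EXAMPLE.COM realm and the user name in them are constructed to mirror Dean's output and are not taken from his systems.

```shell
#!/bin/sh
# Added example (not from the thread): decide from klist output whether a
# Kerberos NFS home can work in this ssh session, and if not, why.

# Print one of: no-cache, no-tgt, tgt. Exit status 0 only for "tgt".
klist_status() {
    out=$1
    case $out in
        *"No credentials cache found"*) echo no-cache; return 1 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'krbtgt/'; then
        echo tgt; return 0
    fi
    echo no-tgt; return 1
}

# Print the credential-cache type named in klist output (DIR, FILE, ...).
# Handles both "Ticket cache: DIR::..." and the "(ticket cache FILE:...)"
# form that klist prints when the cache is missing.
ccache_type() {
    printf '%s\n' "$1" | sed -n 's/.*[Tt]icket cache:* *\([A-Z]*\):.*/\1/p' | head -n 1
}

# $1: klist output on the client, $2: klist output inside the ssh session.
# Prints and returns:
#   kinit    (1) - no usable TGT on the client
#   delegate (1) - client has a TGT but the target session has no cache, so
#                  rpc.gssd on the target cannot obtain an NFS service ticket;
#                  reconnect with GSSAPIDelegateCredentials=yes (ssh -K)
#   ok       (0) - the target session holds a TGT
session_advice() {
    local_out=$1; remote_out=$2
    klist_status "$local_out" >/dev/null || { echo kinit; return 1; }
    klist_status "$remote_out" >/dev/null && { echo ok; return 0; }
    echo delegate; return 1
}

# Constructed samples, modelled on the transcripts in the thread.
LOCAL_KLIST='Ticket cache: DIR::/run/user/1000/krb5cc/tktXXXXXX
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
REMOTE_KLIST='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)'
REMOTE_KLIST_DELEGATED='Ticket cache: FILE:/tmp/krb5cc_1000_AbCdEf
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
09/11/13 19:44:43  09/12/13 19:43:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Demo against the samples: prints "delegate", then "ok".
session_advice "$LOCAL_KLIST" "$REMOTE_KLIST" || true
session_advice "$LOCAL_KLIST" "$REMOTE_KLIST_DELEGATED" || true
```

To feed it real data, capture the two transcripts with klist on the client and with ssh host klist for the target. The advice only covers the credential handoff; two other things are worth confirming once a cache does arrive on the target. First, that rpc.gssd actually scans where the cache lands: it searches the directory given by its -d option (historically /tmp, where FILE:/tmp/krb5cc_UID caches live), while the client in this thread uses a DIR: cache under /run/user, so the location the target's PAM stack and sshd choose matters. Second, that credential delegation is turned on per host in ssh_config rather than globally, since a forwarded TGT is readable by root on whatever machine it is forwarded to.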
Re: [Freeipa-users] Permission Denied
On 09/11/2013 08:49 PM, Dean Hunter wrote:
[...]
-bash-4.2$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
[...]

Do I get it right: you tried twice and the first time it did not work while the second it did? There might be a race condition mounting your home directory using your ticket.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

--- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:
[...]
Do I get it right: you tried twice and the first time it did not work while the second it did? There might be a race condition mounting your home directory using your ticket.

Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:

1. su -
2. ssh dean@desktop2
3. logout of dean@desktop2
4. logout of root@ipa2

then ssh dean@desktop2 succeeds! Does that answer your question? So I do not think there is a race. It is more like the super user session leaves something behind that was missing?
Re: [Freeipa-users] Permission Denied
On 09/11/2013 09:27 PM, Dean Hunter wrote:
[...]
then ssh dean@desktop2 succeeds! Does that answer your question? So I do not think there is a race. It is more like the super user session leaves something behind that was missing?

Does it succeed if after step 3 but before step 4 you do kdestroy?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

--- 
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Permission Denied
On Wed, 2013-09-11 at 08:39 -0500, Dean Hunter wrote:

I do NOT believe this:

    [dean@ipa2 ~]$ ssh dean@desktop2
    Last login: Wed Sep 11 08:32:21 2013 from ipa2.hunter.org
    Could not chdir to home directory /home/net/dean: Permission denied
    -bash: /home/net/dean/.bash_profile: Permission denied
    -bash-4.2$ logout
    -bash: /home/net/dean/.bash_logout: Permission denied
    Connection to desktop2 closed.
    [dean@ipa2 ~]$ su -
    Password:
    [root@ipa2 ~]# ssh dean@desktop2
    dean@desktop2's password:
    Last login: Wed Sep 11 08:34:29 2013 from ipa2.hunter.org
    [dean@desktop2 ~]$ logout
    Connection to desktop2 closed.
    [root@ipa2 ~]# logout
    [dean@ipa2 ~]$ ssh dean@desktop2
    Last login: Wed Sep 11 08:35:16 2013 from ipa2.hunter.org
    [dean@desktop2 ~]$

On Wed, 2013-09-11 at 11:20 -0400, Simo Sorce wrote:

Are you using a kerberized NFS mount?

I think what is happening is that when going via SSH rpc.gssd cannot find your ticket; ssh may be doing something wrong in this case.

Simo.

On Wed, 2013-09-11 at 10:39 -0500, Dean Hunter wrote:

Yes, I am using Kerberos with NFS. Should I report this as a bug?

On Wed, 2013-09-11 at 11:49 -0400, Simo Sorce wrote:

We need to decide what component is faulty. It may be possible we can get it working somehow.

When you ssh in, what is the ccache ssh assigns you? Can you run klist and post the output (sanitize it if needed)?

Simo.

On 09/11/2013 08:49 PM, Dean Hunter wrote:

I hope this is what you requested:

    [dean@ipa2 ~]$ klist
    Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
    Default principal: d...@hunter.org

    Valid starting     Expires            Service principal
    09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org

    [dean@ipa2 ~]$ ssh dean@desktop2
    Last login: Wed Sep 11 19:41:48 2013 from ipa2.hunter.org
    Could not chdir to home directory /home/net/dean: Permission denied
    -bash: /home/net/dean/.bash_profile: Permission denied
    -bash-4.2$ hostname
    desktop2.hunter.org
    -bash-4.2$ klist
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_138741)
    -bash-4.2$ logout
    -bash: /home/net/dean/.bash_logout: Permission denied
    Connection to desktop2 closed.

    [dean@ipa2 ~]$ klist
    Ticket cache: DIR::/run/user/138741/krb5cc/tktFDDxRR
    Default principal: d...@hunter.org

    Valid starting     Expires            Service principal
    09/11/13 19:43:28  09/12/13 19:43:28  krbtgt/hunter@hunter.org
    09/11/13 19:44:43  09/12/13 19:43:28  host/desktop2.hunter@hunter.org

    [dean@ipa2 ~]$

On Wed, 2013-09-11 at 21:10 -0400, Dmitri Pal wrote:

Do I get it right: you tried twice and the first time it did not work while the second it did?
There might be a race condition mounting your home directory using your ticket.

On 09/11/2013 09:27 PM, Dean Hunter wrote:

Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:

1. su -
2. ssh dean@desktop2
3. logout of dean@desktop2
4. logout of root@ipa2

then ssh dean@desktop2 succeeds! Does that answer your question?

So I do not think there is a race. It is more like the super user session leaves something behind that was missing?
Re: [Freeipa-users] Permission Denied

On 09/11/2013 10:10 PM, Dean Hunter wrote:

[...]

On 09/11/2013 09:27 PM, Dean Hunter wrote:

Starting clean after rebuilding ipa2 and desktop2 and a gdm login to ipa2 as dean, if I ssh dean@desktop2 it will consistently fail as noted in my last note. However, if I:

1. su -
2. ssh dean@desktop2
3. logout of dean@desktop2
4. logout of root@ipa2

then ssh dean@desktop2 succeeds! Does that answer your question?

So I do not think there is a race. It is more like the super user session leaves something behind that was missing?

Does it succeed if after step 3 but before step 4 you do kdestroy?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
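The mismatch Simo and Dmitri are circling is that the ticket the login session sees (klist: a DIR cache under /run/user/<uid> on ipa2, no cache at all on desktop2) is not necessarily the one rpc.gssd looks for when it mounts the home directory. The script below is an added example, not code from the thread; it assumes rpc.gssd scans its ccache directory (/tmp unless started with -d) for files named krb5cc_<uid> or krb5cc_<uid>_* and ignores the session's KRB5CCNAME.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread): classify how a
# user's Kerberos credential cache is visible to the login session versus
# to rpc.gssd, which mounts Kerberized NFS homes on the user's behalf.
# Assumption: rpc.gssd scans CCDIR (/tmp by default) for krb5cc_<uid> or
# krb5cc_<uid>_* FILE caches and does not consult KRB5CCNAME.

# ccache_type SPEC -> cache type prefix (FILE, DIR, KEYRING, ...).
# A bare path carries no prefix and means FILE.
ccache_type() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# session_ccache KRB5CCNAME UID CCDIR -> the cache libkrb5 opens for the
# session: KRB5CCNAME if set, otherwise the FILE default CCDIR/krb5cc_UID
# (the "ticket cache FILE:/tmp/krb5cc_138741" klist named on desktop2).
session_ccache() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf 'FILE:%s/krb5cc_%s\n' "$3" "$2"
    fi
}

# gssd_finds_cache UID CCDIR -> 0 if a FILE cache rpc.gssd would pick up
# for UID exists in CCDIR, 1 otherwise.
gssd_finds_cache() {
    for f in "${2}/krb5cc_${1}" "${2}/krb5cc_${1}_"*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# diagnose KRB5CCNAME UID CCDIR -> one-word verdict:
#   shared       session uses a FILE cache that rpc.gssd also finds
#   mismatch     rpc.gssd finds a FILE cache, session uses another cache
#   session-only session has a cache (e.g. DIR) rpc.gssd will not see
#   none         neither side has a cache (the desktop2 case above)
diagnose() {
    spec=$(session_ccache "$1" "$2" "$3")
    if gssd_finds_cache "$2" "$3"; then
        [ "$(ccache_type "$spec")" = FILE ] && echo shared || echo mismatch
    elif [ -n "$1" ]; then
        echo session-only
    else
        echo none
    fi
}
```

Run as `diagnose "$KRB5CCNAME" "$(id -u)" /tmp` on the host that mounts the home directory; a "session-only" or "none" verdict matches the symptom in the thread, where the session holds a ticket but rpc.gssd has nothing to use.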