[Freeipa-users] Trouble with replica install
Hi,

Running ipa-server-3.0.0-37.el6.x86_64 on rhel6. Already set up master server, now trying to install replica (which I've done before and it's worked fine). The replica install gets all the way to the end but errors out. For the most part, it looks like it is complete, but I want to be sure there are no lingering issues.

The error I see in the log is... (domain and IPs changed)

  2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
  Realm: MYDOMAIN.COM
  DNS Domain: mydomain.com
  IPA Server: replica.mydomain.com
  BaseDN: dc=mydomain,dc=com
  Domain mydomain.com is already configured in existing SSSD config, creating a new one.
  The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
  Configured /etc/sssd/sssd.conf
  trying https://replica.mydomain.com/ipa/xml
  Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
  Traceback (most recent call last):
    File "/usr/sbin/ipa-client-install", line 2377, in <module>
      sys.exit(main())
    File "/usr/sbin/ipa-client-install", line 2363, in main
      rval = install(options, env, fstore, statestore)
    File "/usr/sbin/ipa-client-install", line 2167, in install
      remote_env = api.Command['env'](server=True)['result']
    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
      ret = self.run(*args, **options)
    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
      return self.forward(*args, **options)
    File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
      return self.Backend.xmlclient.forward(self.name, *args, **kw)
    File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
      raise NetworkError(uri=server, error=e.errmsg)
  ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error

  2013-12-16T09:26:50Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
      return_value = main_function()
    File "/usr/sbin/ipa-replica-install", line 527, in main
      raise RuntimeError("Failed to configure the client")

  2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client

---

Apache logs the following error at the same time...

  [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml

I can login to the gui and it seems ok, but I'm rolling this into production so I've got to get it right. I'm hoping this is just some bug because it's an older freeipa on redhat (minimal install) etc. selinux is in permissive mode, but it's the same as on the master server, so it should be the issue.

Is this error critical? How can I fix it?

Thanks in advance,

Les

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trouble with replica install
Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, so it should be the issue", it should have read as "selinux is in permissive mode, but it's the same as on the master server, so it should NOT be the issue".

Les

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Monday, 16 December 2013 8:47 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Trouble with replica install
Re: [Freeipa-users] Trouble with replica install
On 16.12.2013 10:55, Les Stott wrote:
> Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, so it should be the issue", it should have read as "selinux is in permissive mode, but it's the same as on the master server, so it should NOT be the issue".
>
> ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error

Please look into /var/log/httpd/errors.log on server replica.mydomain.com and check error messages there.

Petr^2 Spacek
Re: [Freeipa-users] Trouble with replica install
Petr,

The below was the error from apache error logs.

Apache logs the following error at the same time...

  [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml

Other lines in the /var/log/httpd/error log at the same time...

  [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
  [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
  [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: couldn't check access. No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml
  [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
  [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0

Regards,

Les

From: Petr Spacek [pspa...@redhat.com]
Sent: Monday, December 16, 2013 10:38 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install

> Please look into /var/log/httpd/errors.log on server replica.mydomain.com and check error messages there.
Re: [Freeipa-users] Trouble with replica install - SOLVED
Figured it out. Missing apache modules (not loaded). One of the following:

  LoadModule auth_basic_module modules/mod_auth_basic.so
  LoadModule auth_digest_module modules/mod_auth_digest.so
  LoadModule authn_file_module modules/mod_authn_file.so
  LoadModule authn_alias_module modules/mod_authn_alias.so
  LoadModule authn_anon_module modules/mod_authn_anon.so
  LoadModule authn_dbm_module modules/mod_authn_dbm.so
  LoadModule authn_default_module modules/mod_authn_default.so
  LoadModule authz_host_module modules/mod_authz_host.so
  LoadModule authz_user_module modules/mod_authz_user.so
  LoadModule authz_owner_module modules/mod_authz_owner.so
  LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
  LoadModule authz_dbm_module modules/mod_authz_dbm.so
  LoadModule authz_default_module modules/mod_authz_default.so
  LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

I'm not sure which one, I just matched what was on the master and reinstalled the replica - no errors. Been a long day so I don't feel like going through one by one, uninstalling/reinstalling etc. I imagine it's probably mod_authz_groupfile.so, but others are probably needed too.

Regards,

Les

From: Les Stott
Sent: Monday, December 16, 2013 11:44 PM
To: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Trouble with replica install
Re: [Freeipa-users] Trouble with replica install - SOLVED
On Mon, 16 Dec 2013, Les Stott wrote:
> Figured it out. Missing apache modules (not loaded).
>
> I'm not sure which one, I just matched what was on the master and reinstalled the replica - no errors. Been a long day so I don't feel like going through one by one, uninstalling/reinstalling etc. I imagine it's probably mod_authz_groupfile.so, but others are probably needed too.

I wonder if this server was refurbished from some other task where original configuration was already changed. FreeIPA install scripts assume non-modified configuration files.

-- 
/ Alexander Bokovoy
[Freeipa-users] FreeIPA integration with AIX and sudo
Hi,

I'm trying to integrate on AIX environment (as clients) a centralized authentication and authorization with freeipa, and using sudo also with sudo rules on freeipa. I followed several how-tos and notes found by googling, but still have problems with sudo. Everything is fine with root account (sudo -l lists all sudo rules), but with a user from freeipa I have "Memory fault". Does anybody have good experience with FreeIPA (installed on CentOS), AIX (6.1) and sudo (from Perzl)?

Thanks in advance,

Yves
[Freeipa-users] Replica master in strange state -- how to resolve?
I had a replica that was completely failing to respond to its clients, so I removed it by first running "ipa-replica-manage del" on the replica master, then "ipa-server-install -U --uninstall" on the replica. I regenerated the replica file and, upon trying to re-initialize the replica, received this error:

  :
  The host fsipa.spx.net already exists on the master server.
  You should remove it before proceeding:
    % ipa host-del fsipa.damascusgrp.com
  [root@fsipa ~]#

On the master:

  [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
  ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
  [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
    Host name: fsipa.damascusgrp.com
    Principal name: host/fsipa.damascusgrp@damascusgrp.com
    Password: False
    Keytab: True
    Managed by: fsipa.damascusgrp.com
    SSH public key fingerprint: ...
  :
  [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
  'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com'
  [root@ipamaster ~]#

What's the right way to clean this up without making the situation worse?

-- 
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Re: [Freeipa-users] FreeIPA integration with AIX and sudo
I am an unfortunate AIX sufferer as well. I've gotten through setting this up. First, what version of sudo are you running on the AIX box?

On Mon, Dec 16, 2013 at 8:46 AM, y...@degauquier.net wrote:
> Does anybody have good experience with FreeIPA (installed on CentOS), AIX (6.1) and sudo (from Perzl)?

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] FreeIPA integration with AIX and sudo
Hi,

I'm running the sudo version 1.8.8 downloaded as RPM from http://www.oss4aix.org/download/RPMS/sudo/

Authentication is fine, but sudo is wrong. If in /etc/security/user for the default stanza I don't mention

  SYSTEM = KRB5ALDAP
  registry = LDAP

then when running sudo with a freeipa user it returns the message that the id of the user is wrong. If I mention the 2 lines, then I have a "Memory fault" message.

On 16/12/13 19:38, KodaK wrote:
> I am an unfortunate AIX sufferer as well. I've gotten through setting this up. First, what version of sudo are you running on the AIX box?
Re: [Freeipa-users] Trouble with replica install - SOLVED
Alexander,

I think it was a case of a manually locked down (post install) system that had been previously built. The master was on a VM that was a newer build, but not done in the same way as the older server, so it had a more default out of the box configuration. At least now I know to check this before installing the replica on existing machines.

Regards,

Les

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, 17 December 2013 12:52 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install - SOLVED

> I wonder if this server was refurbished from some other task where original configuration was already changed. FreeIPA install scripts assume non-modified configuration files.
>
> -- 
> / Alexander Bokovoy
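The check Les says he now does before installing a replica on an existing machine (compare the replica's loaded httpd modules against the master's), as an added example in POSIX shell. It is not code from this thread or from FreeIPA. The module list is the one Les posted; the `httpd -M` listings inside the script are constructed samples of what a locked-down replica and an untouched master might print; `httpd -M` itself is assumed to be available (it is on RHEL 6's httpd 2.2, and `apachectl -M` is equivalent), and the file name ipa_httpd_modules.sh is ours. One caveat for reading the error: "couldn't check access. No groups file?" is httpd 2.2's message when no loaded authorization module accepts the Require directive for a location, and FreeIPA's /etc/httpd/conf.d/ipa.conf protects /ipa with `Require valid-user`; the thread does not settle which of the listed modules the replica actually lacked, so the script wants all of them and leaves narrowing it down to the reader.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeIPA: check that the httpd
# modules FreeIPA's ipa.conf depends on are actually loaded before running
# ipa-replica-install on a host that was hardened after it was built.
#
#   httpd -M 2>/dev/null | sh ipa_httpd_modules.sh check   # live replica
#   sh ipa_httpd_modules.sh demo                           # constructed sample
#
# Assumptions: `httpd -M` (RHEL 6 httpd 2.2) prints one " name_module (shared|static)"
# line per loaded module; the script name ipa_httpd_modules.sh is ours.

# The LoadModule list Les posted. The thread does not settle which of these
# ipa.conf strictly needs, so the check is conservative and wants all of them.
REQUIRED_MODULES="auth_basic_module auth_digest_module authn_file_module
authn_alias_module authn_anon_module authn_dbm_module authn_default_module
authz_host_module authz_user_module authz_owner_module authz_groupfile_module
authz_dbm_module authz_default_module authnz_ldap_module"

# Read `httpd -M` output on stdin; print each required module that is not
# loaded, one per line. Exit status 1 if anything is missing, else 0.
missing_modules() {
    loaded=$(cat)
    rc=0
    for m in $REQUIRED_MODULES; do
        # Anchor on the whole token so authz_user_module cannot be satisfied
        # by a longer name that merely starts with it.
        if ! printf '%s\n' "$loaded" | grep -Eq "^[[:space:]]*${m}[[:space:]]+\((shared|static)\)"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Print the module names from a saved `httpd -M` listing, one per line, sorted.
module_names() {
    sed -n 's/^[[:space:]]*\([a-z0-9_]*_module\)[[:space:]].*/\1/p' "$1" | sort -u
}

# $1 = listing saved on the master, $2 = listing saved on the replica.
# Print every module the master loads that the replica does not, so that
# divergence outside the required list is visible too.
modules_only_on_master() {
    replica=" $(module_names "$2" | tr '\n' ' ') "
    for m in $(module_names "$1"); do
        case "$replica" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Constructed sample: what `httpd -M` might print on a locked-down replica
# where three authz modules were commented out of httpd.conf.
sample_locked_down() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_dbm_module (shared)
 authnz_ldap_module (shared)
 auth_kerb_module (shared)
 nss_module (shared)
 wsgi_module (shared)
Syntax OK
EOF
}

# Constructed sample for the master: the same listing plus the three modules.
sample_master() {
    sample_locked_down
    printf ' %s (shared)\n' authz_user_module authz_groupfile_module authz_default_module
}

case "${1:-}" in
    check) missing_modules ;;
    demo)  sample_locked_down | missing_modules || echo "replica is missing the modules listed above" ;;
esac
```

On the replica, a non-zero exit from `check` means something from Les's list is not loaded; the names it prints map one-to-one onto LoadModule lines in /etc/httpd/conf/httpd.conf on RHEL 6, which is where a hardening pass would have commented them out. Saving `httpd -M` from both hosts and feeding the two files to `modules_only_on_master` shows everything else that diverged, which is the broader point Alexander makes: the installer expects the distribution's unmodified configuration, so any module or directive removed after the build is a candidate.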
[Freeipa-users] i could use some help with installing FreeIPA
My install fails on the invocation of pkispawn with a Socket Error in the pki-ca-spawn log; anyone have any ideas? (It isn't the issue with special characters in the DM's password, as my Directory Manager and IPA Admin passwords may be 32 characters long, but only contain [A-Za-z0-9_].) Configuration and Error Messages follow.

Target System: Fedora 19 64bit LXC Container running on top of a Fedora 19 64bit host. Kernel 3.11.10, Q9550 Intel CPU. Attempting to install freeipa server 3.3.3. SELinux has been set to 'disabled' on the host and container.

/etc/hosts:

  # IP              FQDN                   Alias(es)
  127.0.0.1         localhost.localdomain  localhost localhost4
  192.168.253.94    woeg.marphod.net       woeg
  # Peers
  192.168.253.99    skete.marphod.net      skete wiki.marphod.net wiki www.marphod.net www
  [... several more machines]

/etc/resolv.conf:

  ; generated by /usr/sbin/dhclient-script
  search marphod.net
  nameserver 192.168.253.1

/etc/sysconfig/network:

  NETWORKING=yes
  HOSTNAME=woeg.marphod.net

No software firewall on the Container:

  # iptables -L
  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

Not using NetworkManager. The machine has a virtual nic, and is connected to the bridge on the host, and can interact with the outside world.

Installation commands:

  # ipa-server-install --uninstall -U
  # pkidestroy -s CA -i pki-tomcat
  # ipa-server-install -N -d --no-host-dns

I select the defaults during the interactive install. During installation, everything seems to run fine up to the invocation of pkispawn. I then get the errors:

  Installing CA into /var/lib/pki/pki-tomcat.
  Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
  Installation failed.
  ipa         : DEBUG    stderr=Job for pki-tomcatd@pki-tomcat.service failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and 'journalctl -xn' for details.
  pkispawn    : ERROR    ... server failed to restart

  ipa         : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit status 1
  ipa         : DEBUG      File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 622, in run_script
      return_value = main_function()
    File "/usr/sbin/ipa-server-install", line 1074, in main
      dm_password, subject_base=options.subject)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 478, in configure_instance
      self.start_creation(runtime=210)
    File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 364, in start_creation
      method()
    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 604, in __spawn_instance
      raise RuntimeError('Configuration of CA failed')
  ipa         : DEBUG    The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
  Configuration of CA failed

The relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log (the "...skipping..." is from the file):

  ...skipping...
  y still be down
  2013-12-16 18:12:23 pkispawn    : DEBUG    ... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
  2013-12-16 18:12:24 pkispawn    : DEBUG    ... No connection - server may still be down
  2013-12-16 18:12:24 pkispawn    : DEBUG    ... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
  2013-12-16 18:12:25 pkispawn    : DEBUG    ... No connection - server may still be down
  ... (error repeated 12 more times) ...
  2013-12-16 18:12:39 pkispawn    : ERROR    ... server failed to restart
  2013-12-16 18:12:39 pkispawn    : DEBUG    ... Error Type: SystemExit
  2013-12-16 18:12:39 pkispawn    : DEBUG    ... Error Message: 1
  2013-12-16 18:12:39 pkispawn    : DEBUG    ...   File "/usr/sbin/pkispawn", line 374, in main
      rv = instance.spawn()
    File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py", line 102, in spawn
      sys.exit(1)

-- 
That's the news from the Mystic River, where all the alliums are strong, all the degu are good looking, and all the stuffed animals are above average.
May the ducks of your life quack ever harmoniously - A. Yelton
gal...@capaccess.org gal...@marphod.net marp...@gmail.com others
Re: [Freeipa-users] i could use some help with installing FreeIPA
On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
> My install fails on the invocation of pkispawn with a Socket Error in the pki-ca-spawn log; anyone have any ideas?
> (It isn't the issue with special characters in the DM's password, as my Directory Manager and IPA Admin passwords may be 32 characters long, but only contain [A-Za-z0-9_].)
> Configuration and Error Messages follow.
>
> Target System: Fedora19 64bit LXC Container running on top of a Fedora19 64bit host. Kernel 3.11.10, Q9550 Intel CPU.
> Attempting to install freeipa server 3.3.3. SELinux has been set to 'disabled' on the host and container.
>
> /etc/hosts:
>   # IP             FQDN                   Alias(es)
>   127.0.0.1        localhost.localdomain  localhost localhost4
>   192.168.253.94   woeg.marphod.net       woeg
>   # Peers
>   192.168.253.99   skete.marphod.net      skete wiki.marphod.net wiki www.marphod.net www
>   [... several more machines]
>
> /etc/resolv.conf:
>   ; generated by /usr/sbin/dhclient-script
>   search marphod.net
>   nameserver 192.168.253.1
>
> /etc/sysconfig/network:
>   NETWORKING=yes
>   HOSTNAME=woeg.marphod.net
>
> No software firewall on the Container:
>   # iptables -L
>   Chain INPUT (policy ACCEPT)
>   target     prot opt source               destination
>   Chain FORWARD (policy ACCEPT)
>   target     prot opt source               destination
>   Chain OUTPUT (policy ACCEPT)
>   target     prot opt source               destination
>
> Not using NetworkManager. The machine has a virtual nic, is connected to the bridge on the host, and can interact with the outside world.
>
> Installation commands:
>   # ipa-server-install --uninstall -U
>   # pkidestroy -s CA -i pki-tomcat
>   # ipa-server-install -N -d --no-host-dns
>
> I select the defaults during the interactive install. During installation, everything seems to run fine up to the invocation of pkispawn. I then get the errors:
>
>   Installing CA into /var/lib/pki/pki-tomcat.
>   Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>   Installation failed.
>   ipa : DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and 'journalctl -xn' for details.
>   pkispawn: ERROR... server failed to restart
>   ipa : CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit status 1
>   ipa : DEBUG   File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 622, in run_script
>       return_value = main_function()
>     File /usr/sbin/ipa-server-install, line 1074, in main
>       dm_password, subject_base=options.subject)
>     File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 478, in configure_instance
>       self.start_creation(runtime=210)
>     File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 364, in start_creation
>       method()
>     File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 604, in __spawn_instance
>       raise RuntimeError('Configuration of CA failed')
>   ipa : DEBUG The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>   Configuration of CA failed
>
> The relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log (the "...skipping..." is from the file):
>
>   ...skipping...
>   y still be down
>   2013-12-16 18:12:23 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
>   2013-12-16 18:12:24 pkispawn: DEBUG... No connection - server may still be down
>   2013-12-16 18:12:24 pkispawn: DEBUG... No connection - exception thrown: Cannot connect to proxy. Socket error: [Errno 111] Connection refused.
>   2013-12-16 18:12:25 pkispawn: DEBUG... No connection - server may still be down
>   ... (error repeated 12 more times) ...
>   2013-12-16 18:12:39 pkispawn: ERROR... server failed to restart
>   2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
>   2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
>   2013-12-16 18:12:39 pkispawn: DEBUG...
>     File /usr/sbin/pkispawn, line 374, in main
>       rv = instance.spawn()
>     File /usr/lib/python2.7/site-packages/pki/deployment/configuration.py, line 102, in spawn
>       sys.exit(1)

You are trying it in a container. I do not know whether this makes a difference.

It might be due to the fact that the underlying directory server has not started. Please look at the pki instance DS logs to determine whether the DS instance was installed and configured correctly.

http://www.freeipa.org/page/Troubleshooting#Server_Installation

Please publish these logs here.
Re: [Freeipa-users] i could use some help with installing FreeIPA
Dmitri Pal wrote:
> On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
>> My install fails on the invocation of pkispawn with a Socket Error in the pki-ca-spawn log; anyone have any ideas?
>> [... Galen's configuration and error messages, quoted in full in the previous reply ...]
>
> You are trying it in a container. I do not know whether this makes a difference.
>
> It might be due to the fact that the underlying directory server has not started. Please look at the pki instance DS logs to determine whether the DS instance was installed and configured correctly.
>
> http://www.freeipa.org/page/Troubleshooting#Server_Installation
>
> Please publish these logs here.

I'm not entirely sure that IPA works in a container. I think that Nathaniel looked at this a few months ago but I can't recall his findings.

rob
Re: [Freeipa-users] Replica master in strange state -- how to resolve?
Dmitri Pal wrote:
> On 12/16/2013 10:40 AM, Bret Wortman wrote:
>> I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica-manage del on the replica master, then ipa-server-install -U --uninstall on the replica. I regenerated the replica file and, upon trying to re-initialize the replica, received this error:
>>
>>   The host fsipa.spx.net already exists on the master server.
>>   You should remove it before proceeding:
>>   % ipa host-del fsipa.damascusgrp.com
>>   [root@fsipa ~]#
>>
>> On the master:
>>
>>   [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
>>   ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
>>   [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
>>     Host name: fsipa.damascusgrp.com
>>     Principal name: host/fsipa.damascusgrp@damascusgrp.com
>>     Password: False
>>     Keytab: True
>>     Managed by: fsipa.damascusgrp.com
>>     SSH public key fingerprint: ...
>>   [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
>>   'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com'
>>   [root@ipamaster ~]#
>>
>> What's the right way to clean this up without making the situation worse?
>
> Do you use IPA DNS? What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?

It would appear that the replica uninstallation was a bit incomplete. The lack of replication may be part of, or the cause of, the problem.

I guess I would start by double-checking that the remaining master doesn't have an RUV record for the old one:

  # ipa-replica-manage list-ruv

If so you can use the clean-ruv command to clean things up. Be very careful what number you plug in there. This is one of those "with great power comes great responsibility" commands.

As for the remaining master entries, you'll need to use ldapdelete to remove them. Something like this:

  # ldapdelete -x -D 'cn=directory manager' -W -r cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com
  ^D

My syntax may be a bit off but you basically want to delete this entry and all its children. If you're nervous stick in the -n option and it will tell you what it's going to do without deleting anything.

Newer IPA has a new command in ipa-replica-manage to make this cleanup easier.

Once those entries are gone you can delete the host entry and proceed on your way.

rob
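The cleanup Rob describes (check the RUV, clean it, remove the stale cn=masters entry with its children, then host-del), staged as a dry-run plan. This is an added example and not code from the thread; it assumes `ipa-replica-manage list-ruv` prints lines of the form `host:port: id`, and the base DN and RUV list it uses are constructed samples.

```shell
#!/bin/bash
# Added example (not from the thread): stage the cleanup Rob describes,
# checking the RUV, then the stale cn=masters entry, then the host entry,
# and print each step so nothing is deleted until you have reviewed it.
# Assumption: `ipa-replica-manage list-ruv` prints "host:port: id" lines;
# the base DN and hostnames below are constructed samples.
set -u

# Replica id(s) the RUV still lists for a host; empty output means nothing to clean.
ruv_ids_for_host() {   # $1 = list-ruv output, $2 = FQDN of the removed master
    printf '%s\n' "$1" | awk -v pat="$2:" 'index($1, pat) == 1 { print $2 }'
}

# DN of the leftover master entry, the one ldapdelete -r has to remove with its children.
masters_dn() {         # $1 = FQDN, $2 = base DN
    printf 'cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# Print the command sequence. ldapdelete appears with -n first so the entries it
# would remove are visible before the real deletion (Rob's -n advice).
plan_cleanup() {       # $1 = stale FQDN, $2 = base DN, $3 = list-ruv output
    local host=$1 base=$2 ruv=$3 dn id
    dn=$(masters_dn "$host" "$base")
    for id in $(ruv_ids_for_host "$ruv" "$host"); do
        echo "ipa-replica-manage clean-ruv $id   # verify the id against list-ruv first"
    done
    echo "ldapsearch -x -D 'cn=directory manager' -W -b '$dn' -s sub 1.1   # what is there"
    echo "ldapdelete -x -D 'cn=directory manager' -W -n -r '$dn'   # dry run"
    echo "ldapdelete -x -D 'cn=directory manager' -W -r '$dn'"
    echo "ipa host-del $host"
}

# Constructed sample of list-ruv output: the surviving master and the stale one.
SAMPLE_RUV='ipamaster.damascusgrp.com:389: 4
fsipa.damascusgrp.com:389: 7'

if [ "${1:-}" = "--live" ]; then
    # --live <fqdn> <base-dn>: read the real RUV list (prompts for the DM password);
    # the plan is still only printed, nothing is deleted.
    plan_cleanup "$2" "$3" "$(ipa-replica-manage list-ruv)"
else
    plan_cleanup fsipa.damascusgrp.com dc=damascusgrp,dc=com "$SAMPLE_RUV"
fi
```

Run it without arguments to see the plan for the constructed sample; with `--live fqdn base-dn` it reads the real RUV list but still only prints the commands.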