[Freeipa-users] WARNING: Do not upgrade FreeIPA deployments to Fedora 20 final (yet)
Greetings! As many of you are aware, Fedora Project releases Fedora 20 today, Tuesday, December 17th. This post serves as a warning against upgrading your FreeIPA deployments to Fedora 20 using release images. Please check Fedora 20 Common Bugs page https://fedoraproject.org/wiki/Common_F20_bugs for the complete list of issues. FreeIPA relies heavily on 389-ds Directory Server. Fedora 20 introduces new version series of 389-ds, 1.3.2.x. Along with multiple enhancements, unfortunately, few bugs went into the version currently available in Fedora 20 stable tree. These bugs are causing crashes under certain conditions and we don't recommend updating your existing configurations due to these consequences. As an update to the Fedora 20 Common Bugs page, over last night fellow developers from 389-ds and slapi-nis projects have fixed https://bugzilla.redhat.com/show_bug.cgi?id=1043546 and https://bugzilla.redhat.com/show_bug.cgi?id=1041732 but there will be some delay before the builds featuring the fixes will appear in Fedora 20 updates repository. Remaining bugs are under investigation. I'll post an update note once we'll get remaining issues fixed and packages pushed to Fedora 20 updates repository. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replica master in strange state -- how to resolve?
On 12/16/2013 10:37 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 12/16/2013 10:40 AM, Bret Wortman wrote: I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica-manage del on the replica master, then ipa-server-install -U --uninstall on the replica. I regenereated the replica file and, upon trying to re-initialize the replica, received this error: : The host fsipa.spx.net already exists on the master server. You should remove it before proceeding: % ipa host-del fsipa.damascusgrp.com [root@fsipa ~]# On the master: [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com Host name: fsipa.damascusgrp.com Principal name: host/fsipa.damascusgrp@damascusgrp.com Password: False Keytab: True Managed by: fsipa.damascusgrp.com SSH public key fingerprint: ... : [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com 'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com' [root@ipamaster ~]# What's the right way to clean this up without making the situation worse? Do you use IPA DNS? Yes What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net? It would appear that the replica uninstallation was a bit incomplete. The lack of replication may be part of, or the cause of, the problem. I guess I would start by double-checking that the remaining master doesn't have an RUV record for the old one: # ipa-replica-manage list-ruv This returns nothing, so I'm assuming that's good. If so you can use the clean-ruv command to clean things up. Be very careful what number you plug in there. This is one of those with great power comes great responsibility commands. As for the remaining master entries, you'll need to use ldapdelete to remove them. Something like this: # ldapdelete -x -D 'cn=directory manager' -W r cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com ^D # ldapdelete -x -D 'cn=directory manager' -W -r cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com ^D ldap_delete: Operations error (1) ldap_delete: Operation not allowed on non-leaf (66) # My syntax may be a bit off but you basically want to delete this entry and all its children. If you're nervous stick in the -n option and it will tell you what its going to do without deleting anything. Actually, the -n option just distracted me for 5 minutes -- it had me chasing syntax until I realized that it was just not doing anything and not reporting anything either. Dropping it led to the error above. Newer IPA has a new command in ipa-replica-manage to make this cleanup easier. Looking forward to upgrading, then. Replica management is a headache for us, but given the benefits IPA has brought, it's worth it. Thanks for all your help. Once those entries are gone you can delete the host entry and proceed on your way. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replica master in strange state -- how to resolve?
Bret Wortman wrote: On 12/16/2013 10:37 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 12/16/2013 10:40 AM, Bret Wortman wrote: I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica-manage del on the replica master, then ipa-server-install -U --uninstall on the replica. I regenereated the replica file and, upon trying to re-initialize the replica, received this error: : The host fsipa.spx.net already exists on the master server. You should remove it before proceeding: % ipa host-del fsipa.damascusgrp.com [root@fsipa ~]# On the master: [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com Host name: fsipa.damascusgrp.com Principal name: host/fsipa.damascusgrp@damascusgrp.com Password: False Keytab: True Managed by: fsipa.damascusgrp.com SSH public key fingerprint: ... : [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com 'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com' [root@ipamaster ~]# What's the right way to clean this up without making the situation worse? Do you use IPA DNS? Yes What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net? It would appear that the replica uninstallation was a bit incomplete. The lack of replication may be part of, or the cause of, the problem. I guess I would start by double-checking that the remaining master doesn't have an RUV record for the old one: # ipa-replica-manage list-ruv This returns nothing, so I'm assuming that's good. If so you can use the clean-ruv command to clean things up. Be very careful what number you plug in there. This is one of those with great power comes great responsibility commands. As for the remaining master entries, you'll need to use ldapdelete to remove them. Something like this: # ldapdelete -x -D 'cn=directory manager' -W r cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com ^D # ldapdelete -x -D 'cn=directory manager' -W -r cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com ^D ldap_delete: Operations error (1) ldap_delete: Operation not allowed on non-leaf (66) # Strange. The -r is for recursion and should delete all the children too. Oh well. Instead try this: ldapsearch -LLL -x -D 'cn=Directory manager' -W -b cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn Those are all the dns to pass to ldapdelete. Delete the leaf nodes (the service entries) first, then the fsipa value. My syntax may be a bit off but you basically want to delete this entry and all its children. If you're nervous stick in the -n option and it will tell you what its going to do without deleting anything. Actually, the -n option just distracted me for 5 minutes -- it had me chasing syntax until I realized that it was just not doing anything and not reporting anything either. Dropping it led to the error above. Right, -n is to show what would be done without actually doing anything. It is handy with a command like this, especially when using recursion. cheers rob Newer IPA has a new command in ipa-replica-manage to make this cleanup easier. Looking forward to upgrading, then. Replica management is a headache for us, but given the benefits IPA has brought, it's worth it. Thanks for all your help. Once those entries are gone you can delete the host entry and proceed on your way. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replica master in strange state -- how to resolve?
On 12/17/2013 09:15 AM, Rob Crittenden wrote: Bret Wortman wrote: On 12/16/2013 10:37 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 12/16/2013 10:40 AM, Bret Wortman wrote: I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica-manage del on the replica master, then ipa-server-install -U --uninstall on the replica. I regenereated the replica file and, upon trying to re-initialize the replica, received this error: : The host fsipa.spx.net already exists on the master server. You should remove it before proceeding: % ipa host-del fsipa.damascusgrp.com [root@fsipa ~]# On the master: [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com Host name: fsipa.damascusgrp.com Principal name: host/fsipa.damascusgrp@damascusgrp.com Password: False Keytab: True Managed by: fsipa.damascusgrp.com SSH public key fingerprint: ... : [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com 'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com' [root@ipamaster ~]# What's the right way to clean this up without making the situation worse? Do you use IPA DNS? Yes What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net? It would appear that the replica uninstallation was a bit incomplete. The lack of replication may be part of, or the cause of, the problem. I guess I would start by double-checking that the remaining master doesn't have an RUV record for the old one: # ipa-replica-manage list-ruv This returns nothing, so I'm assuming that's good. If so you can use the clean-ruv command to clean things up. Be very careful what number you plug in there. This is one of those with great power comes great responsibility commands. As for the remaining master entries, you'll need to use ldapdelete to remove them. Something like this: # ldapdelete -x -D 'cn=directory manager' -W r cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com ^D # ldapdelete -x -D 'cn=directory manager' -W -r cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com ^D ldap_delete: Operations error (1) ldap_delete: Operation not allowed on non-leaf (66) # Strange. The -r is for recursion and should delete all the children too. Oh well. Instead try this: ldapsearch -LLL -x -D 'cn=Directory manager' -W -b cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn Those are all the dns to pass to ldapdelete. Delete the leaf nodes (the service entries) first, then the fsipa value. Worked like a champ. Thanks. My syntax may be a bit off but you basically want to delete this entry and all its children. If you're nervous stick in the -n option and it will tell you what its going to do without deleting anything. Actually, the -n option just distracted me for 5 minutes -- it had me chasing syntax until I realized that it was just not doing anything and not reporting anything either. Dropping it led to the error above. Right, -n is to show what would be done without actually doing anything. It is handy with a command like this, especially when using recursion. Sorry, I wasn't clear -- when I used -n, it just returned immediately. Didn't show it doing anything, probably because of the error above, but it didn't report that error either; just swallowed it. cheers rob Newer IPA has a new command in ipa-replica-manage to make this cleanup easier. Looking forward to upgrading, then. Replica management is a headache for us, but given the benefits IPA has brought, it's worth it. Thanks for all your help. Once those entries are gone you can delete the host entry and proceed on your way. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] WARNING: Do not upgrade FreeIPA deployments to Fedora 20 final (yet)
On Tue, 17 Dec 2013, KodaK wrote: I took a look at the bugs page and I didn't see it mentioned, but I'm asking anyway: is anyone aware of any client-side issues on fedora IRT IPA? We have some fedora workstations that auth against IPA in RHEL 6. We are unaware of any problems with Fedora clients versus RHEL 6 IPA server. Obviously, some IPA CLI commands will not work against the older server but still will be visible in the CLI help, but the rest should be working. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Sudo issues with FreeIPA
Hi, I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except that I have problem enforcing sudo policies on the hosts that are part of the managed domain. When trying to run the following simple command as a user managed by FreeIPA I got the following response: * sudo /usr/bin/vim test.txt* *jsmith is not allowed to run sudo on myhost. This incident will be reported.* I might have missed in the configuration of the serve or SSSD on the client host. Is there any guideline for sudo integration with FreeIPA? The following is the SSSD configuration on the client host: [domain/example.net] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.net id_provider = ipa auth_provider = ipa access_provider = ipa sudo_provider = ldap ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaserver.example.net chpass_provider = ipa ipa_server = _srv_ ipa_backup_server = replica.example.net dns_discovery_domain = example.net [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = example.net [nss] [pam] [sudo] debug_level = 0x3ff0 [autofs] [ssh] [pac] Thanks, Dimitar ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Question: re replica install
Hi All, (RHEL 6.4, FreeIPA 3.0.0-37) Say I want to install a replica server in a restricted network, but I don't want to enable http management on the replica. I am pretty sure the following is true, but ask the question just to be sure Can a replica work (for authentication and replication) without http? I cant see a switch on ipa-replica-install to not setup http, so I imagine if the above was possible I could... 1. Install the replica 2. Let it configure http 3. Turn off http Thanks, Les ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] freeipa client wont install on host where a ipa server guest is already installed.
Greetings, I have a question on a Free-ipa install. I am running freeipa as a guest KVM virtual machine. I have found myself running into a problem when trying to install ipa-client on the host which the guest resides. Upon trying to install the ipa-client I am given the msg that I must first uninstall the ipa server. Has anyone experienced this and how might I get around this problem? Thank you in advance. Regards, ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] freeipa client wont install on host where a ipa server guest is already installed.
On Tue, Dec 17, 2013 at 08:23:36PM -0500, Joshua Nager wrote: I am running freeipa as a guest KVM virtual machine. I have found myself running into a problem when trying to install ipa-client on the host which the guest resides. Upon trying to install the ipa-client I am given the msg that I must first uninstall the ipa server. What is the OS version and the exact message that you get? Has anyone experienced this and how might I get around this problem? Are you sure you don't have the IPA server installed on both the KVM guest *and* on the host? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sudo issues with FreeIPA
Thanks Dmitri. Those settings for ldap in sssd.conf fixed the issue. Dimitar On Tue, Dec 17, 2013 at 6:47 PM, Dmitri Pal d...@redhat.com wrote: On 12/17/2013 06:34 PM, Dimitar Georgievski wrote: Hi, I am running FreeIPA 3.3.3 on CentOS 6.5. Everything works fine except that I have problem enforcing sudo policies on the hosts that are part of the managed domain. When trying to run the following simple command as a user managed by FreeIPA I got the following response: * sudo /usr/bin/vim test.txt * *jsmith is not allowed to run sudo on myhost. This incident will be reported.* I might have missed in the configuration of the serve or SSSD on the client host. Is there any guideline for sudo integration with FreeIPA? The following is the SSSD configuration on the client host: [domain/example.net] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.net id_provider = ipa auth_provider = ipa access_provider = ipa sudo_provider = ldap ldap_tls_cacert = /etc/ipa/ca.crt ipa_hostname = ipaserver.example.net chpass_provider = ipa ipa_server = _srv_ ipa_backup_server = replica.example.net dns_discovery_domain = example.net [sssd] services = nss, pam, ssh, sudo config_file_version = 2 domains = example.net [nss] [pam] [sudo] debug_level = 0x3ff0 [autofs] [ssh] [pac] Thanks, Dimitar ___ Freeipa-users mailing listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs?www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users