Re: [Freeipa-users] Issues creating trust with AD.

2014-02-21 Thread Simo Sorce
On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote:
> Update:
> For some reason the AD server has rebooted itself.
> After the reboot I couldn't perform kinit with AD users.
> I found a bugzilla that describes the symptoms that I experienced:
> https://bugzilla.redhat.com/show_bug.cgi?id=878564
> Not sure if it is the same bug - the bugzilla reports a bug in
> samba4-4.0.0-48.el6.rc4.x86_64
> while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).
>
> I have rebooted the IPA server to see if it changes anything.
> After the reboot I was able to kinit with AD users, but not only that - now
> I am able to log in with AD users to client machines.
>
> Any idea on what just happened?

Sounds like a bug in winbindd, which we currently use to talk to the
Windows DCs for this functionality.
Apparently winbindd failed to detect the DC came back online.
A restart of the ipa server caused winbindd to restart and retry to get
online.

Can you please open a bug to track this issue ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
Hello,

Another day, another issue it seems :)

So I'm trying to set up an Ubuntu client. I get almost all the way through the 
install and it fails with a version error. I've heard this is a known bug and 
there is a fix out there, although I'm not sure how to apply the fix or get the 
older client install.

my error is as follows:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at u'https://se-idm-01.boingo.com/ipa/xml'
Failed to upload host SSH public keys.


Please help

Thanks

-Todd
tma...@boingo.com

Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Will Sheldon

I ran into this, there was a post about it a little while back. It seems that 
you can modify ipapython/version.py to revert the version number for enrolment, 
then revert it, with no ill effects.

My script looks like:

# revert reported version of ipapython so keys will upload properly (backup first tho)
cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak
# the sed program is quoted so the shell keeps the single quotes around 2.49
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py

# install!
ipa-client-install -d -U --enable-dns-updates --hostname="$FQDN" --mkhomedir --password="$PASS"

# revert change to the ipapython version back again
#rm -f /usr/share/pyshared/ipapython/version.py && mv /usr/share/pyshared/ipapython/version.py.bak /usr/share/pyshared/ipapython/version.py


 


Kind regards,

Will Sheldon
+1.778-689-1244
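
A more defensive form of the workaround in the message above, as an added example that is not part of the original post: it pins API_VERSION, runs the enrolment command, and always puts the packaged version.py back afterwards. The function name with_api_version is hypothetical; the file path, the 2.49 value and the ipa-client-install options in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not the poster's script.
# Temporarily pin API_VERSION in ipapython/version.py, run a command, then
# restore the original file whether the command succeeded or failed.
#
# Usage (path and options as quoted in the thread):
#   with_api_version /usr/share/pyshared/ipapython/version.py 2.49 \
#       ipa-client-install -d -U --enable-dns-updates \
#       --hostname="$FQDN" --mkhomedir --password="$PASS"
with_api_version() {
    vfile=$1; apiver=$2; shift 2

    # The value is pasted into a sed program and into Python source, so
    # accept only digits and dots.
    case $apiver in
        ''|*[!0-9.]*) echo "bad API version: $apiver" >&2; return 2 ;;
    esac
    [ -f "$vfile" ] || { echo "no such file: $vfile" >&2; return 2; }

    # Per-process backup name so a stale .bak from an earlier run is never
    # mistaken for the packaged file.
    bak="$vfile.bak.$$"
    cp -p "$vfile" "$bak" || return 2

    # Double quotes let $apiver expand while keeping the single quotes that
    # make the result a valid Python string literal.
    sed -i "s/^API_VERSION *=.*/API_VERSION=u'$apiver'/" "$vfile"

    # Confirm the edit landed; if the file has no API_VERSION line, undo
    # and stop before running anything.
    if ! grep -q "^API_VERSION=u'$apiver'\$" "$vfile"; then
        mv "$bak" "$vfile"
        echo "API_VERSION line not found in $vfile" >&2
        return 2
    fi

    # Run the wrapped command and remember its exit status.
    "$@"; rc=$?

    # Put the packaged file back before reporting the result.
    mv "$bak" "$vfile" || return 2
    return $rc
}
```

The function does not trap signals, so an interrupted run leaves the patched file in place with the backup beside it as version.py.bak.<pid>.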



Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
Thanks, I'm trying that but running into an issue where it says I'm still 
installed. I run the uninstall command and I get this:

root@se-idm-ubuntu-client-01:~# ipa-client-install --uninstall
Unconfigured automount client failed: [Errno 2] No such file or directory
certmonger failed to start: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Isn't there a conf file I can remove or a way to force the uninstall?




Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Will Sheldon
I also ran into this problem. I ended up using VMs to test and just reverting 
to snapshots.

I believe that the install script checks for the presence of a couple of files 
that you can delete to be able to retry, though; have a look in the install 
script. (Also, did you try with '--force'?)


Kind regards,

Will Sheldon
+1.778-689-1244



Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
OK, I got it to go through with this,

but I don't understand the errors, because it didn't seem to work.

Domain boingo.com is already configured in existing SSSD config, creating a new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm BOINGO.COM
trying https://se-idm-01.boingo.com/ipa/xml
Forwarding 'env' to server u'https://se-idm-01.boingo.com/ipa/xml'
Hostname (se-idm-ubuntu-client-01.boingo.com) not found in DNS
Failed to update DNS records.
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
Could not update DNS SSHFP records.




[Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman

  
  
I'm getting ready to leave for the weekend, and this isn't the kind
of thing I want to track down on a Friday, but if anyone has any
ideas for things I should look at come Monday morning, I'd be very
appreciative.

I've got a system with 12 replicas, and no matter which IPA server I
log into and try to run "ipa" CLI commands on (even "ipa help"), I
get my session terminated. I also tried from a client system that
has the ipatools rpm installed, and in that case I got bounced out
of my sudo'd root session.

I need to figure this out because something's obviously amiss, and
we have discovered a number of systems that are lacking Kerberos
keys. I was hoping the CLI would provide the mechanism to get them
fixed. We're also trying to track down a 6-10 second delay every
time a user logs in using SSSD to authenticate; the password check
passes almost instantly, but something is taking up an additional
bunch of time and my users are starting to complain. So I need to
get past this so I can debug that.

Thanks, and have a great weekend, all.


-- 
  Bret Wortman
  
  
  http://damascusgrp.com/
  
  http://about.me/wortmanbret

  

  




Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Jakub Hrozek
On Fri, Feb 21, 2014 at 01:15:52PM -0500, Bret Wortman wrote:
> I'm getting ready to leave for the weekend, and this isn't the kind
> of thing I want to track down on a Friday, but if anyone has any
> ideas for things I should look at come Monday morning, I'd be very
> appreciative.
>
> I've got a system with 12 replicas, and no matter which IPA server I
> log into and try to run ipa CLI commands on (even ipa help), I
> get my session terminated. I also tried from a client system that
> has the ipatools rpm installed, and in that case I got bounced out
> of my sudo'd root session.

I'm not sure I understand, does the login itself fail or do you log in
fine, but running 'ipa' kicks you out? Does login as root (or a local,
non-ipa user) work?

> I need to figure this out because something's obviously amiss, and
> we have discovered a number of systems that are lacking Kerberos
> keys. I was hoping the CLI would provide the mechanism to get them
> fixed. We're also trying to track down a 6-10 second delay every
> time a user logs in using SSSD to authenticate; the password check
> passes almost instantly, but something is taking up an additional
> bunch of time and my users are starting to complain. So I need to
> get past this so I can debug that.

What SSSD version is this? Can we see the logs to take a look where the
delay is?



Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Rob Crittenden


For the life of me I can't figure out what the ipa command might do that 
would log you out. I think brute force might be a way to go with this:


strace -f -o /tmp/out ipa help

Then go back in and see what happened.

As for login delay you may want to pick a client system and bump up the 
sssd debug level and see if that provides any clues.


rob



Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Will Sheldon

Do you have your IPA server set as the name server for the client in 
/etc/resolv.conf ?

This is my install script, it may help you a bit. It does need a bit more work: 
http://pastebin.com/mqdTZ3RU

Ideally I’d like to convert it to an ansible playbook and have it run from the 
IPA host.

Slightly unrelated, but have a read of this ticket, it makes some good 
suggestions at the bottom:
https://bugs.launchpad.net/bugs/1280215



Kind regards,

Will Sheldon
+1.778-689-1244



Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Mauricio Tavares
On Fri, Feb 21, 2014 at 1:36 PM, Rob Crittenden rcrit...@redhat.com wrote:
> For the life of me I can't figure out what the ipa command might do that
> would log you out. I think brute force might be a way to go with this:
>
> strace -f -o /tmp/out ipa help
>
> Then go back in and see what happened.
>
> As for login delay you may want to pick a client system and bump up the sssd
> debug level and see if that provides any clues.

  I would also run ldapsearch in the client after you manually
kinit'ed, to see which part of the show is boink.



Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman

Sorry, I wasn't clear at all.

Running the ipa command terminates my session. I can log in just fine. 
All the IPA services appear to be working. But no interaction via the 
command line is possible; it all ends with terminated sessions after 
about a 5 second pause:


[ipamaster]# ipa help

Connection to ipamaster closed.

[desktop]$



Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman

Bizarre.

# strace -f -o /tmp/out ipa help

Usage: ipa [global-options] COMMAND [command-options]

:

:

:

# ipa help

Connection to ipamaster closed.

$




Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Mauricio Tavares
On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman
bret.wort...@damascusgrp.com wrote:
> Bizarre.
>
> # strace -f -o /tmp/out ipa help
>
> Usage: ipa [global-options] COMMAND [command-options]
>
> :
>
> :
>
> :
>
> # ipa help
>
> Connection to ipamaster closed.
>
> $

When you logged back in, did /tmp/out have anything interesting?



 On 02/21/2014 01:36 PM, Rob Crittenden wrote:

 Bret Wortman wrote:

 I'm getting ready to leave for the weekend, and this isn't the kind of
 thing I want to track down on a Friday, but if anyone has any ideas for
 things I should look at come Monday morning, I'd be very appreciative.

 I've got a system with 12 replicas, and no matter which IPA server I log
 into and try to run ipa CLI commands on (even ipa help), I get my
 session terminated. I also tried from a client system that has the
 ipatools rpm installed, and in that case I got bounced out of my sudo'd
 root session.

 I need to figure this out because something's obviously amiss, and we
 have discovered a number of systems that are lacking Kerberos keys. I
 was hoping the CLI would provide the mechanism to get them fixed. We're
 also trying to track down a 6-10 second delay every time a user logs in
 using SSSD to authenticate; the password check passes almost instantly,
 but something is taking up an additional bunch of time and my users are
 starting to complain. So I need to get past this so I can debug that.

 Thanks, and have a great weekend, all.


 For the life of me I can't figure out what the ipa command might do that
 would log you out. I think brute force might be a way to go with this:

 strace -f -o /tmp/out ipa help

 Then go back in and see what happened.

 As for login delay you may want to pick a client system and bump up the
 sssd debug level and see if that provides any clues.

 rob






Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman
D'oh! I'm blaming Friday. Didn't think to check. Will try Monday.


Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

 On Feb 21, 2014, at 2:13 PM, Mauricio Tavares raubvo...@gmail.com wrote:
 
 On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman
 bret.wort...@damascusgrp.com wrote:
 Bizarre.
 
 # strace -f -o /tmp/out ipa help
 
 Usage: ipa [global-options] COMMAND [command-options]
 
 :
 
 :
 
 :
 
 
 # ipa help
 
 Connection to ipamaster closed.
 
 $
  When you logged back in, did /tmp/out have anything interesting?
 
 
 
 On 02/21/2014 01:36 PM, Rob Crittenden wrote:
 
 Bret Wortman wrote:
 
 I'm getting ready to leave for the weekend, and this isn't the kind of
 thing I want to track down on a Friday, but if anyone has any ideas for
 things I should look at come Monday morning, I'd be very appreciative.
 
 I've got a system with 12 replicas, and no matter which IPA server I log
 into and try to run ipa CLI commands on (even ipa help), I get my
 session terminated. I also tried from a client system that has the
 ipatools rpm installed, and in that case I got bounced out of my sudo'd
 root session.
 
 I need to figure this out because something's obviously amiss, and we
 have discovered a number of systems that are lacking Kerberos keys. I
 was hoping the CLI would provide the mechanism to get them fixed. We're
 also trying to track down a 6-10 second delay every time a user logs in
 using SSSD to authenticate; the password check passes almost instantly,
 but something is taking up an additional bunch of time and my users are
 starting to complain. So I need to get past this so I can debug that.
 
 Thanks, and have a great weekend, all.
 
 
 For the life of me I can't figure out what the ipa command might do that
 would log you out. I think brute force might be a way to go with this:
 
 strace -f -o /tmp/out ipa help
 
 Then go back in and see what happened.
 
 As for login delay you may want to pick a client system and bump up the
 sssd debug level and see if that provides any clues.
 
 rob
 
 
 
 

Re: [Freeipa-users] Ubuntu Client HELL

2014-02-21 Thread Rob Crittenden

Todd Maugh wrote:

I'm in limbo here trying to solve this issue


It would help if you said what issue you were having...

And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured 
on your client. We have a ticket open on that.


The DNS update failed, presumably because you aren't using IPA for DNS. 
Not a big deal.


The certmonger failure is due to a bad uninstall in the past. It is 
still tracking an old cert. You can clear it with:


# ipa-getcert list
# ipa-getcert stop-tracking -i <request id>

The SSH keys are failing to load because they already exist in the host 
entry. I guess it was pre-created, or left over from a previous attempt? 
It doesn't appear to be a fatal error.


rob



Here is my output with the debug

root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
ipa-client-install -d --no-dns-sshfp
--hostname=se-idm-ubuntu-client-01.boingo.com --force-join
--domain=boingo.com --server=se-idm-01.boingo.com
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
'hostname': 'se-idm-ubuntu-client-01.boingo.com', 'no_ac': False,
'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates':
False, 'mkhomedir': False, 'conf_ssh': True, 'force_join': True,
'server': ['se-idm-01.boingo.com'], 'prompt_password': False, 'permit':
False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
WARNING: ntpd timedate synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

[IPA Discovery]
Starting IPA discovery with domain=boingo.com,
servers=['se-idm-01.boingo.com'],
hostname=se-idm-ubuntu-client-01.boingo.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.boingo.com
DNS record not found: NXDOMAIN
[LDAP server check]
Verifying that se-idm-01.boingo.com (realm None) is an IPA server
Init LDAP connection to: se-idm-01.boingo.com
Search LDAP server for IPA base DN
Check if naming context 'dc=boingo,dc=com' is for IPA
Naming context 'dc=boingo,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=boingo,dc=com (sub)
Found: cn=BOINGO.COM,cn=kerberos,dc=boingo,dc=com
Discovery result: Success; server=se-idm-01.boingo.com,
domain=boingo.com, kdc=None, basedn=dc=boingo,dc=com
Validated servers: se-idm-01.boingo.com
will use discovered domain: boingo.com
Using servers from command line, disabling DNS discovery
will use provided server: se-idm-01.boingo.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to
always access the discovered server for all operations and will not fail
over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: BOINGO.COM
will use discovered basedn: dc=boingo,dc=com
Hostname: se-idm-ubuntu-client-01.boingo.com
Hostname source: Provided as option
Realm: BOINGO.COM
Realm source: Discovered from LDAP DNS records in se-idm-01.boingo.com
DNS Domain: boingo.com
DNS Domain source: Forced
IPA Server: se-idm-01.boingo.com
IPA Server source: Provided as option
BaseDN: dc=boingo,dc=com
BaseDN source: From IPA server ldap://se-idm-01.boingo.com:389

Continue to configure the system with these values? [no]: yes
Starting external process
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r BOINGO.COM
Process finished, return code=0
stdout=
stderr=Removing principal host/se-idm-ubuntu-client-01.boingo@boingo.com

Removed old keys for realm BOINGO.COM from /etc/krb5.keytab
Starting external process
args=/bin/hostname se-idm-ubuntu-client-01.boingo.com
Process finished, return code=0
stdout=
stderr=
Backing up system configuration file '/etc/hostname'
Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.boingo.com
DNS record not found: NXDOMAIN
Starting external process
args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
Process finished, return code=1
stdout=
stderr=
Starting external process
args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
Process finished, return code=1
stdout=
stderr=
Starting external process

Re: [Freeipa-users] Ubuntu Client HELL

2014-02-21 Thread Todd Maugh
Thanks Rob! The main issue I am having is that the install is not completing 
and setting this Ubuntu host up as a client.

I cleared out the old cert as you suggested; the SSH keys were copied over from 
a previous attempt. I'm not using IPA as DNS and I understand the NTP part.


So now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly' for principal 
host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl padd user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616

stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no 
modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 
AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 
B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 
D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 
8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 
270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 
0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor 
code may provide more information, Minor = Server 
DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' 
returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'



thanks in advance for any help

-Todd

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, February 21, 2014 11:57 AM
To: freeipa-users
Subject: Re: [Freeipa-users] Ubuntu Client HELL

Todd Maugh wrote:
 I'm in limbo here trying to solve this issue

It would help if you said what issue you were having...

And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured
on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS.
Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is
still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request id>

The SSH keys are failing to load because they already exist in the host
entry. I guess it was pre-created, or left over from a previous attempt?
It doesn't appear to be a fatal error.

rob


 Here is my output with the debug

 root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
 ipa-client-install -d --no-dns-sshfp
 --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
 --domain=boingo.com --server=se-idm-01.boingo.com
 /usr/sbin/ipa-client-install was invoked with options: {'domain':
 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
 False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
 None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
 'hostname': 

Re: [Freeipa-users] Issues creating trust with AD.

2014-02-21 Thread Genadi Postrilko
I would like to clarify myself, I wasn't accurate when I compared it to:
https://bugzilla.redhat.com/show_bug.cgi?id=878564.

I have tried to reproduce the bug by restarting the AD.

*I was able to perform winbindd commands:*

[root@ipaserver1 ~]# wbinfo -u
ADEXAMPLE\administrator
ADEXAMPLE\guest
ADEXAMPLE\genadi
ADEXAMPLE\krbtgt
ADEXAMPLE\linux$
ADEXAMPLE\daniel
[root@ipaserver1 ~]# wbinfo -g
admins
editors
default smb group
ad_users
ADEXAMPLE\domain computers
ADEXAMPLE\domain controllers
ADEXAMPLE\schema admins
ADEXAMPLE\enterprise admins
ADEXAMPLE\domain admins
ADEXAMPLE\domain users
ADEXAMPLE\domain guests
ADEXAMPLE\group policy creator owners
ADEXAMPLE\read-only domain controllers
ADEXAMPLE\enterprise read-only domain controllers
ADEXAMPLE\dnsupdateproxy
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\administrator
S-1-5-21-2887728911-2909484380-3974070232-500 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\guest
S-1-5-21-2887728911-2909484380-3974070232-501 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\genadi
S-1-5-21-2887728911-2909484380-3974070232-1000 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\krbtgt
S-1-5-21-2887728911-2909484380-3974070232-502 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\linux$
S-1-5-21-2887728911-2909484380-3974070232-1104 SID_USER (1)
[root@ipaserver1 ~]# wbinfo -n ADEXAMPLE\daniel
S-1-5-21-2887728911-2909484380-3974070232-1105 SID_USER (1)

*But kinit with AD users failed:*

[root@ipaserver1 ~]# kinit gen...@adexample.com
kinit: Cannot resolve servers for KDC in realm ADEXAMPLE.COM while
getting initial credentials

*But after a few minutes I was able to kinit with AD users again:*

[root@ipaserver1 ~]# kinit gen...@adexample.com
Password for gen...@adexample.com:

I think I was too fast on making conclusions.
Not sure if opening a bug is needed.



2014-02-21 17:38 GMT+02:00 Simo Sorce s...@redhat.com:

 On Fri, 2014-02-21 at 00:27 +0200, Genadi Postrilko wrote:
  Update:
  For some reason the AD server has rebooted himself.
  After the reboot I couldn't perform kinit with AD users.
  I found a bugzilla that describes the symptoms that i experienced :
  https://bugzilla.redhat.com/show_bug.cgi?id=878564
  Not sure if it is the same bug - the bugzilla reports bug in
  samba4-4.0.0-48.el6.rc4.x86_64
  while my version is samba4-4.0.0-58.el6.rc4.x86_64 (after downgrade).
 
  I have rebooted the IPA server to see if it changes anything.
  After the reboot i was able to kinit with AD users, but not only that -
 now
  i am able to
  login with AD users to client machines.
 
  Any idea on what just happened?

 Sounds like a bug in winbindd which we currently use to talk to the
 Windows DCs for this functionality.
 Apparently winbindd failed to detect the DC came back online.
 A restart of the ipa server caused winbindd to restart and retry to get
 online.

 Can you please open a bug to track this issue ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Ubuntu Client HELL

2014-02-21 Thread Dmitri Pal

On 02/21/2014 03:07 PM, Todd Maugh wrote:

Thanks Rob! The main issue I am having is that the install is not completing 
and setting this Ubuntu host up as a client.

I cleared out the old cert as you suggested; the SSH keys were copied over from 
a previous attempt. I'm not using IPA as DNS and I understand the NTP part.


So now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly' for principal 
host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl padd user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616

stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no 
modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 
AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 
B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 
D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 
8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 
270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 
0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor 
code may provide more information, Minor = Server 
DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' 
returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'



thanks in advance for any help

-Todd

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, February 21, 2014 11:57 AM
To: freeipa-users
Subject: Re: [Freeipa-users] Ubuntu Client HELL

Todd Maugh wrote:

I'm in limbo here trying to solve this issue

It would help if you said what issue you were having...

And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured
on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS.
Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is
still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request id>

The SSH keys are failing to load because they already exist in the host
entry. I guess it was pre-created, or left over from a previous attempt?
It doesn't appear to be a fatal error.

rob


Here is my output with the debug

root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
ipa-client-install -d --no-dns-sshfp
--hostname=se-idm-ubuntu-client-01.boingo.com --force-join
--domain=boingo.com --server=se-idm-01.boingo.com
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
None, 'ca_cert_file': None, 'principal': None, 'keytab': None,

Re: [Freeipa-users] Ubuntu Client HELL

2014-02-21 Thread Rob Crittenden

Todd Maugh wrote:

Thanks Rob! The main issue I am having is that the install is not completing 
and setting this Ubuntu host up as a client.

I cleared out the old cert as you suggested; the SSH keys were copied over from 
a previous attempt. I'm not using IPA as DNS and I understand the NTP part.


So now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly' for principal 
host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl padd user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616

stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no 
modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 
AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 
B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 
D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 
8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 
270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 
0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor 
code may provide more information, Minor = Server 
DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' 
returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'


It's hard to say based on this. The next thing it would do in Fedora is 
run authconfig. I'm unfamiliar with the Ubuntu port, particularly the 
upstream version it is based on.


It isn't possible to know why it is failing without more information. 
There is no clear indication in the log of why it died. strace might be 
handy here.


rob
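
The by-eye triage of the ipa-client-install -d output in this thread can be scripted. The following is an added example (not part of the thread and not FreeIPA code): it groups each "Starting external process" block of the debug log and lists the commands that returned non-zero, which are candidates to read rather than necessarily the fatal step. The sample is abridged from the log quoted above with the archive's line wrapping kept; the function names are made up here.

```python
import re

# Abridged from the ipa-client-install -d output quoted in this thread,
# keeping the archive's line wrapping.
SAMPLE_LOG = """\
Starting external process
args=/usr/sbin/ntpdate -s -b -v se-idm-01.boingo.com
Process finished, return code=1
stdout=
stderr=
Starting external process
args=keyctl padd user
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616

stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no
modifications to be performed
Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = Server
DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.

Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
"""

RC_RE = re.compile(r"^Process finished, return code=(-?\d+)$")


def parse_external_processes(text):
    """Group each 'Starting external process' block into a dict."""
    records, cur, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Starting external process":
            cur = {"args": "", "rc": None, "stdout": "", "stderr": ""}
            records.append(cur)
            field = None
        elif cur is None:
            continue  # ordinary log line outside a block
        elif RC_RE.match(line):
            cur["rc"], field = int(RC_RE.match(line).group(1)), None
        elif line.startswith("args=") and cur["rc"] is None:
            cur["args"], field = line[5:], "args"
        elif line.startswith("stdout=") and cur["rc"] is not None:
            cur["stdout"] = line[7:]
            field = "stdout" if cur["stdout"] else None
        elif line.startswith("stderr=") and cur["rc"] is not None:
            cur["stderr"], field = line[7:], "stderr"
            if not cur["stderr"]:
                cur = field = None  # empty stderr closes the block
        elif not line:
            if field == "stderr":
                cur = None  # a blank line ends a non-empty stderr
            field = None
        elif field:
            cur[field] += " " + line  # re-join a value wrapped by the archive
    return records


def failed_processes(text):
    """Return (args, return code, stderr) for every non-zero exit."""
    return [(r["args"], r["rc"], r["stderr"])
            for r in parse_external_processes(text) if r["rc"] not in (0, None)]


if __name__ == "__main__":
    for args, rc, err in failed_processes(SAMPLE_LOG):
        print(f"rc={rc}  {args}\n    {err or '(no stderr)'}")
```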
