Re: [Freeipa-users] State of play with 2FA and Kerberos please?
2014-07-07 23:00 GMT+02:00 Steven Jones <steven.jo...@vuw.ac.nz>:
> Hi,
>
> Apparently RHEL7 has limited 2FA? Is there any documentation on what it can do at present in RHEL7 please?

IPA in RHEL 7 doesn't support 2FA at the moment. Docs are here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

FreeIPA 4.0.0 does support 2FA, check out the release announcement:
https://www.redhat.com/archives/freeipa-users/2014-July/msg00028.html

- Jitse

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA Service Restart causes clients to stop working
Jakub,

So far I have no logs; unfortunately, since this is quite the disruptive activity, I am not willing to reproduce it. If I get some time I can try to build a replica environment and try it there, but I don't see me having that time.

John

On 7/7/14, 4:28 PM, Jakub Hrozek wrote:
> On Mon, Jul 07, 2014 at 04:09:24PM -0300, Bruno Henrique Barbosa wrote:
> > I can confirm this, I usually run through this after a power outage on my datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to SSH attempts, SSSD logs empty, and I have to logon and restart sssd on every VM manually.
>
> Hello Bruno,
>
> see my reply to John, if you can capture the sssd logs, that would be very welcome in tracking down the problem.
>
> > ----- Original message -----
> > From: John Moyer <john.mo...@digitalreasoning.com>
> > To: Jakub Hrozek <jhro...@redhat.com>, freeipa-users@redhat.com
> > Sent: Monday, 7 July 2014 15:56:18
> > Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop working
> >
> > The /var/log/secure is saying invalid user. When I do a getent passwd $USER I can't get any user from IPA until sssd is restarted. The SSSD logs are completely empty. Below is the sssd.conf if that helps. Also I just had a server that I fixed (by restarting sssd) break again, restarting sssd fixed it again though.
> >
> > sssd.conf
> >
> > [domain/digitalreasoning.com]
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = digitalreasoning.com
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > ipa_hostname = client.digitalreasoning.com
> > chpass_provider = ipa
> > ipa_server = _srv_, server1.digitalreasoning.com
> > dns_discovery_domain = digitalreasoning.com
> >
> > [sssd]
> > services = nss, pam, ssh
> > config_file_version = 2
> > domains = digitalreasoning.com
> >
> > [nss]
> >
> > [pam]
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
> > > On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
> > > > Hello All,
> > > >
> > > > Some of the services in IPA stopped responding and I restarted the service (as I couldn't login to the website or via ssh to any registered hosts). After the restart I could login to the web app, but still no clients. I currently can login to one client that I restarted sssd on. Any suggestions how to fix the rest without having to go to all of them to restart sssd?
> > >
> > > Can you log in as root to the clients and check out /var/log/secure and/or the sssd logs?
> > >
> > > Do your clients cache credentials? I suspect that when IPA went down, the clients went offline and still haven't re-checked the online status... how long since the IPA server went offline?
> >
> > Thanks,
> > John Moyer
> > Director, IT Operations

Thanks,
John Moyer
Director, IT Operations
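The symptom in this thread (sshd reporting accounts that exist in IPA as "Invalid user", empty sssd logs, getent returning nothing until sssd is restarted) can be told apart from ordinary brute-force noise by checking whether the rejected names are accounts the directory should resolve. The following Python is an added example, not code from the thread or from SSSD/FreeIPA; the /var/log/secure excerpt and the DIRECTORY_USERS set are constructed for the demonstration, and the threshold is a hypothetical tuning knob.

```python
import re
from collections import Counter

# Constructed /var/log/secure excerpt, not taken from the thread: a burst of
# sshd "Invalid user" rejections for accounts that do exist in the IPA domain,
# mixed with a couple of typical scanner attempts against made-up names.
SAMPLE_SECURE_LOG = """\
Jul  7 11:30:01 client sshd[2101]: Invalid user alice from 10.20.0.15
Jul  7 11:30:04 client sshd[2103]: Invalid user alice from 10.20.0.15
Jul  7 11:31:12 client sshd[2110]: Invalid user bob from 10.20.0.22
Jul  7 11:31:40 client sshd[2114]: Invalid user admin from 203.0.113.7
Jul  7 11:32:05 client sshd[2119]: Invalid user carol from 10.20.0.31
Jul  7 11:32:30 client sshd[2125]: Accepted publickey for root from 10.20.0.5 port 50122 ssh2
Jul  7 11:33:02 client sshd[2131]: Invalid user oracle from 203.0.113.7
"""

# Constructed: accounts this client is expected to resolve through sssd/IPA,
# e.g. a snapshot of `getent passwd` taken while the backend was healthy.
DIRECTORY_USERS = {"alice", "bob", "carol"}

INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)")


def invalid_user_events(text):
    """Yield (user, source_ip) for every sshd 'Invalid user' rejection."""
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def classify_rejections(text, directory_users):
    """Split rejections into names the directory should resolve vs. unknown names."""
    known, unknown = Counter(), Counter()
    for user, _src in invalid_user_events(text):
        (known if user in directory_users else unknown)[user] += 1
    return known, unknown


def backend_looks_offline(text, directory_users, threshold=2):
    """Heuristic built on the thread's symptom: when sshd rejects several
    accounts that exist in IPA as 'Invalid user', the host cannot resolve
    users at all, which points at sssd being offline rather than at a
    brute-force scan (those hit names the directory never had).
    `threshold` is a hypothetical tuning value."""
    known, _unknown = classify_rejections(text, directory_users)
    return sum(known.values()) >= threshold


if __name__ == "__main__":
    known, unknown = classify_rejections(SAMPLE_SECURE_LOG, DIRECTORY_USERS)
    print("directory accounts rejected:", dict(known))
    print("unknown names rejected:", dict(unknown))
    print("identity backend looks offline:",
          backend_looks_offline(SAMPLE_SECURE_LOG, DIRECTORY_USERS))
```

When this flags, the confirming check is the one John used in the thread, `getent passwd $USER` on the affected client; the point of splitting known from unknown names is that a flood of rejections for real accounts is an availability problem with the identity backend, while rejections for names like `admin` or `oracle` are the usual scanner traffic and need no sssd restart.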
Re: [Freeipa-users] DNS records not removed
Hi,

which version of IPA do you use? It looks like a bug.

On 08/07/14 13:36, Stephen Benjamin wrote:
> Hi,
>
> When trying to delete a host with updatedns=true, it's not working - it can't find the records, but they do exist. Any ideas what's wrong?
>
> The records exist...
>
> [root@ipa01 httpd]# ipa dnsrecord-show katello.example.org realm-rhel6
>   Record name: realm-rhel6
>   A record: 192.168.100.147
> [root@ipa01 httpd]# ipa dnsrecord-show 100.168.192.in-addr.arpa. 147
>   Record name: 147
>   PTR record: realm-rhel6.katello.example.org.
>
> But the API says the records are NotFound:
>
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: raw: host_del((u'realm-rhel6.katello.example.org',), updatedns=True)
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: host_del((u'realm-rhel6.katello.example.org',), updatedns=True)
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: raw: service_find(u'realm-rhel6.katello.example.org')
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: service_find(u'realm-rhel6.katello.example.org', all=False, raw=False, no_members=False, pkey_only=False)
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: raw: dnszone_show(u'katello.example.org')
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: dnszone_show(u'katello.example.org', rights=False, all=False, raw=False)
> [Tue Jul 08 14:17:59 2014] [error] ipa: INFO: realm-caps...@katello.example.org: host_del((u'realm-rhel6.katello.example.org',), updatedns=True): NotFound
> [Tue Jul 08 14:17:59 2014] [error] ipa: DEBUG: response: NotFound: realm-rhel6.katello.example.org: host not found
>
> Thanks!
Re: [Freeipa-users] State of play with 2FA and Kerberos please?
Hi,

Thanks, presumably 6~12 months away, maybe even 2+ years aka RHEL8 :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University ITS, Level 8 Rankin Brown Building, Wellington, NZ 6012
0064 4 463 6272

From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Jitse Klomp <jitsekl...@gmail.com>
Sent: Wednesday, 9 July 2014 12:55 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] State of play with 2FA and Kerberos please?

2014-07-07 23:00 GMT+02:00 Steven Jones <steven.jo...@vuw.ac.nz>:
> Hi,
>
> Apparently RHEL7 has limited 2FA? Is there any documentation on what it can do at present in RHEL7 please?

IPA in RHEL 7 doesn't support 2FA at the moment. Docs are here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html

FreeIPA 4.0.0 does support 2FA, check out the release announcement:
https://www.redhat.com/archives/freeipa-users/2014-July/msg00028.html

- Jitse
Re: [Freeipa-users] ipa-replica-manage list fail on server 2
FYI..

160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.156.89 to 192.168.156.89
163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1

There is nothing about binding, but I am unsure how to fix it..

2014-07-09 2:01 GMT+08:00 Rich Megginson <rmegg...@redhat.com>:
> On 07/08/2014 02:16 AM, barry...@gmail.com wrote:
> > Resent as size limit. Here you are, server1's access log.
> >
> > It seems one side is broken; the problem is how to make it replicate again.
> >
> > At server 1 it is ok:
> > master server1
> > master server2
> >
> > Another side, server 2 contains 2 IP replication. ipa-replica-manage list shows "Can't contact LDAP server". I don't know why, but the problematic server is server 2, not server 1.
> >
> > log of server2
> >
> > [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from 192.168.15.89 (server1) to 192.168.15.88 (server2)
> > [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
> > [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
> > [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
> > [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from 192.168.15.89 to 192.168.15.88
> > [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
>
> You never answered my question below. Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?
>
> In the future, please avoid spamming the list with large log files. In general, it's better to provide excerpts from the log files showing the problem, paste them to fpaste.org, and post the link to the mailing list. If for some reason you need to post a large file, please use a file sharing service and post the link to the file.
>
> Can you take a look at your errors log from server 1 and server 2 and see if there are any relevant errors? If I had to guess, I would say that there is some sort of network error between server 1 and server 2 that causes the excessive "closed - B1". Perhaps there will be more information in the errors log.
>
> > 2014-07-07 22:21 GMT+08:00 Rich Megginson <rmegg...@redhat.com>:
> > > On 07/04/2014 03:28 AM, barry...@gmail.com wrote:
> > > > FOUND something strange: server 1 replicates to itself rather than server2.
> > > >
> > > > Server1 access log  Wrong
> > > > [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89 (server1) to 192.168.15.89 (server1)
> > >
> > > Are you sure that this connection is a replication session? Can you post all of the operations from the access log from conn=936207?
> > >
> > > > Server 2 access log  OK
> > > > [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89 (server2) to 192.168.15.88 (server2)
> > > >
> > > > 2014-07-04 9:25 GMT+08:00 <barry...@gmail.com>:
> > > > > Just sure now one side flow is broken: if you update server1, it 100% works, server2 will upgrade. But if you update server2 there is a chance of non-sync, e.g. it creates a username in server1 with posix group ok, but in server2 it only created the posix group but no username/attribute. It occurred several times. I have to use command line group del ...etc. to force delete them and recreate them.
> > > > >
> > > > > Result below:
> > > > >
> > > > > server2.abc.com: replica
> > > > >   last init status: None
> > > > >   last init ended: None
> > > > >   last update status: 0 Replica acquired successfully: Incremental update succeeded
> > > > >   last update ended: 2014-07-04 00:33:18+00:00
> > > > > Directory Manager password:
> > > > > server1.abc.com: replica
> > > > >   last init status: 0 Total update succeeded
> > > > >   last init ended: 2014-06-20 10:07:02+00:00
> > > > >   last update status: 0 Replica acquired successfully: Incremental update succeeded
> > > > >   last update ended: 2014-07-04 01:14:19+00:00
> > > > >
> > > > > [root@(LIVE)server2 ~]$ ipactl status
> > > > > Directory Service: RUNNING
> > > > > KDC Service: RUNNING
> > > > > KPASSWD Service: RUNNING
> > > > > MEMCACHE Service: RUNNING
> > > > > HTTP Service: RUNNING
> > > > >
> > > > > 2014-07-04 1:34 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
> > > > > > barry...@gmail.com wrote:
> > > > > > > Yes they are running. Server 1 can sync to server2 but error at server 2 like this.
> > > > > >
> > > > > > How do you know server 1 is syncing with server 2?
> > > > > >
> > > > > > On server 1 I'd run: ipa-replica-manage list -v `hostname`
> > > > > >
> > > > > > This will show the replication status.
> > > > > >
> > > > > > And what does ipactl status show on server 2?
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > On 2014/7/3 10:14 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > > > Please keep replies on the list.
> > > > > > > >
> > > > > > > > barry...@gmail.com wrote:
> > > > > > > > > I saw the error below and error log, is it related?
> > > > > > > > >
> > > > > > > > > [29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> > > > > > > > > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not
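Rich's request in this thread (post every access-log line for conn=936207, and say whether that connection is really a replication session) comes down to grouping the 389-ds access log by connection id and checking whether each connection ever issued an operation before it was closed. The Python below is an added example, not code from the thread or from 389-ds/FreeIPA. The conn=936207 lines are the ones quoted in the thread; the conn=936208 session is constructed to show what a connection that actually binds looks like, and the reading of the close codes (B1 = bad BER tag, U1 = clean unbind) follows the 389-ds access log reference.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access log format. The conn=936207 lines
# are the ones quoted in the thread; the conn=936208 session is invented to
# show a connection that actually binds and performs operations.
SAMPLE_ACCESS_LOG = """\
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.15.89 to 192.168.15.89
[04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from 192.168.15.89 to 192.168.15.88
[04/Jul/2014:12:35:30 +0800] conn=936208 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:30 +0800] conn=936208 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[04/Jul/2014:12:35:45 +0800] conn=936208 op=1 UNBIND
[04/Jul/2014:12:35:45 +0800] conn=936208 op=1 fd=74 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<kind>\S+)")


def parse_access_log(text):
    """Group access-log lines by connection id, preserving their order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append(m.group("rest"))
    return dict(conns)


def connection_summary(events):
    """Reduce one connection's events to (peer address, [op kinds], close code).

    The close code is the suffix of the 'closed - XX' line (B1: bad BER tag,
    i.e. the peer sent bytes that did not parse as LDAP; U1: clean unbind).
    op=-1 marks lines that belong to no request and are not counted as ops.
    """
    peer, ops, close_code = None, [], None
    for ev in events:
        if " closed - " in ev:
            close_code = ev.rsplit(" closed - ", 1)[1].strip()
            continue
        m = OPEN_RE.search(ev)
        if m:
            peer = m.group("src")
            continue
        m = OP_RE.match(ev)
        if m and m.group("op") != "-1":
            ops.append(m.group("kind"))
    return peer, ops, close_code


def operations_for(text, conn_id):
    """Every event for one conn id: what Rich asked to see for conn=936207."""
    return parse_access_log(text).get(conn_id, [])


def empty_b1_connections(text):
    """Conn ids closed with B1 that never issued a single operation.

    A replication session binds before doing anything else, so a connection
    with no ops at all is not one. A stream of such connections from one
    peer (as in the server2 log in the thread) points at data that is not
    LDAP arriving on the port, or at the network problem Rich suspects,
    rather than at the replication agreement itself.
    """
    hits = []
    for conn_id, events in parse_access_log(text).items():
        _peer, ops, close_code = connection_summary(events)
        if close_code == "B1" and not ops:
            hits.append(conn_id)
    return sorted(hits)


if __name__ == "__main__":
    conns = parse_access_log(SAMPLE_ACCESS_LOG)
    for conn_id in sorted(conns):
        print(conn_id, connection_summary(conns[conn_id]))
    print("empty B1 connections:", empty_b1_connections(SAMPLE_ACCESS_LOG))
```

Run against a real access log (read the file into `text`), `empty_b1_connections` gives the list of connection ids worth correlating with the errors log on both servers, and `operations_for` produces exactly the excerpt a list reply should contain instead of the whole file.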