Re: [Freeipa-users] webmin can't work after installing freeipa
Dear,

I have some scripts that should be run on all servers, and I should use webmin. Anyway, I fixed it by changing the authentication mechanism from PAM to "don't use PAM".

From: Dmitri Pal <d...@redhat.com>
To: freeipa-users@redhat.com
Sent: Monday, September 8, 2014 6:56 AM
Subject: Re: [Freeipa-users] webmin can't work after installing freeipa

On 09/07/2014 01:45 PM, mohammad sereshki wrote:
Hi
I configured IPA on Solaris as a client and it works correctly. But the problem is I have webmin to manage my servers and it can't login after the IPA installation. Please help me.
thanks

Why do you need webmin if you are deploying IPA? What is your goal?
IPA is the central store for the accounts; it takes over the machine and configures the client on the server. Other tools should not be used after you install it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] DNS not responding properly....
On 6.9.2014 09:18, Bret Wortman wrote:
Check.

[root@ipa1 data]# ipa dnszone-show foo.net
  Zone name: foo.net
  Authoritative nameserver: ipa1.foo.net.
  Administrator e-mail address: hostmaster.foo.net.
  SOA serial: 1400521450
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8

I suspect that you use IPA version 4.0, right?

The configuration
  Zone forwarders: 8.8.8.8
instructs IPA to ignore the whole content of the zone and to forward all queries to the specified servers. The errors you can see in the logs are saying that you are trying to add records to a zone which doesn't exist (because a 'forward zone' is not a real zone :-).

The master and forward zones are clearly separated in IPA 4.0:
http://www.freeipa.org/page/V4/Forward_zones

My guess is that you can simply remove the forwarder and things will start working again:
$ ipa dnszone-mod foo.net --forwarder=''

Have a nice day!

Petr^2 Spacek

On 09/05/2014 01:56 PM, Petr Spacek wrote:
Hello,

On 5.9.2014 18:14, Bret Wortman wrote:
I've got an odd situation with one of our networks. Our systems are properly registered in DNS within IPA, and the web interface and IPA queries work to resolve the hosts, but named isn't playing along with us.
[root@ipa1 data]# ipa dnsrecord-find foo.net --name=asterisk
  Record name: asterisk
  A record: 192.168.252.155
Number of entries returned 1
[root@ipa1 data]# host asterisk.foo.net
Host asterisk.foo.net not found: 3(NXDOMAIN)
[root@ipa1 data]# cat /etc/resolv.conf
search foo.net
nameserver 192.168.252.61    <- This is ipa1
nameserver 192.168.252.62
nameserver 192.168.252.63
[root@ipa1 data]# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.252.61  netmask 255.255.255.0  broadcast 192.168.252.255
        inet6 fe80::250:56ff:fe04:401  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:04:04:01  txqueuelen 1000  (Ethernet)
        RX packets 2189  bytes 332143 (324.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1523  bytes 428925 (418.8 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1037  bytes 718872 (702.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1037  bytes 718872 (702.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

[root@ipa1 data]#

When I dig into the named.run file, I see the trace below (I ran an rndc reload after seeing the request to do so at the end of an earlier section of the file; it obviously didn't help much). I'm not sure where else to look. /etc/named.conf and /var/named/named.ca both are in line with what we have on another similar system where everything is working just fine.

Any thoughts?
Please double check the output from
$ ipa dnszone-show foo.net
It should contain a line like:
  Active zone: TRUE

Petr^2 Spacek

05-Sep-2014 12:04:47.111 received control channel command 'reload'
05-Sep-2014 12:04:47.111 zone 252.168.192.in-addr.arpa/IN: shutting down
05-Sep-2014 12:04:47.112 loading configuration from '/etc/named.conf'
05-Sep-2014 12:04:47.112 using default UDP/IPv4 port range: [1024, 65535]
05-Sep-2014 12:04:47.112 using default UDP/IPv6 port range: [1024, 65535]
05-Sep-2014 12:04:47.113 sizing zone task pool based on 6 zones
05-Sep-2014 12:04:47.116 option 'serial_autoincrement' is not supported, ignoring
05-Sep-2014 12:04:47.194 automatic empty zone: 10.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 16.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 17.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 18.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 19.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 20.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 21.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 22.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 23.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 24.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.194 automatic empty zone: 25.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.195 automatic empty zone: 26.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 27.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 28.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 29.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 30.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 31.172.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196 automatic empty zone: 168.192.IN-ADDR.ARPA
05-Sep-2014 12:04:47.196
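A small check for the pitfall Petr describes, written as an added example (not code from the thread or from FreeIPA): it parses the ipa dnszone-show output format shown above and flags a master zone that is inactive or that has forwarders configured, returning the ipa dnszone-mod command Petr suggests. The sample output is constructed to mirror Bret's zone.

```python
"""Check `ipa dnszone-show` output for the IPA 4.0 forwarder pitfall.

Added example, not from the thread or from FreeIPA. The sample output is
constructed to match the format Bret pasted (same keys, same indentation).
"""

# Constructed sample: a master zone that also carries a forwarder.
SAMPLE_ZONE_SHOW = """\
  Zone name: foo.net
  Authoritative nameserver: ipa1.foo.net.
  Administrator e-mail address: hostmaster.foo.net.
  SOA serial: 1400521450
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Allow query: any;
  Allow transfer: none;
  Zone forwarders: 8.8.8.8
"""


def parse_zone_show(text):
    """Turn the 'Key: value' lines printed by `ipa dnszone-show` into a dict."""
    zone = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        zone[key.strip()] = value.strip()
    return zone


def zone_problems(zone):
    """Return (finding, fix) pairs for a parsed master zone.

    In IPA 4.0 a forwarder on a master zone makes the server forward every
    query for that zone and ignore the records stored in LDAP, which is why
    `host` answers NXDOMAIN while `ipa dnsrecord-find` still shows the record.
    """
    problems = []
    name = zone.get("Zone name", "?")
    if zone.get("Active zone", "").upper() != "TRUE":
        problems.append(("zone is not active, named will not serve it",
                         f"ipa dnszone-enable {name}"))
    forwarders = zone.get("Zone forwarders", "")
    if forwarders:
        problems.append((f"forwarders '{forwarders}' configured on master zone "
                         f"{name}; the zone's own records are ignored",
                         f"ipa dnszone-mod {name} --forwarder=''"))
    return problems


def report(text):
    """Human-readable summary lines; an empty list means the zone looks sane."""
    return [f"{finding}  =>  {fix}"
            for finding, fix in zone_problems(parse_zone_show(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_ZONE_SHOW) or ["no problems found"]:
        print(line)
```

Run it against the real output (ipa dnszone-show ZONE | python3 check.py, after wiring stdin in place of the constructed sample) before and after removing the forwarder; the host lookup in Bret's transcript should only succeed once the list comes back empty.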
Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule
On Sun, Sep 07, 2014 at 11:41:16PM +0200, Gregor Bregenzer wrote:
Hi!

I have an AD trust with FreeIPA 4.0.1 and defined an HBAC rule for a specific user group (=ad_users, which is a POSIX group that has an external group as member) to log in on a specific client (=linux1.linux.intern).

The problem is: once I disable the rule and the AD user is not allowed to log in anymore, the user on the client gets another uid and gid via sssd. I use the POSIX attributes from AD, which get received by sssd perfectly.

The client is running on CentOS 6.5 and uses sssd 1.9.2.129.el6_5.4
AD domain = aaa.intern
IPA domain = linux.intern
AD-User: user1 (uid=1005,gid=10005)

Here an example:

1.) disable the hbac rule and the default allow_all rule:

2.) check the uid/gid on the client (=linux1.linux.intern) and it looks fine:
[root@linux1 sssd]# getent passwd user1@aaa
user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash

3.) Login with ssh to the client as user1. It will be denied upon correct password input and the ssh session closes. Up until now everything is as expected. But now:

4.) check the uid/gid on the client - something totally different. It now also receives the Firstname and Lastname from AD, the latter is empty:
[root@linux1 sssd]# getent passwd user1@aaa
user1@aaa.intern:*:11601:11601:user1:/home/user1@aaa.intern:/bin/bash

5.) Enable the hbac rule and login works, but the unexpected uid/gid stays the same:
login as: user1@aaa
user1@aaa@192.168.0.100's password:
login as: user1@aaa
user1@aaa@192.168.0.100's password:
Last failed login: Sun Sep  7 23:19:49 CEST 2014 from 192.168.0.26 on ssh:notty
There were 2 failed login attempts since the last successful login.
Creating home directory for user1@aaa.
Last login: Sun Sep  7 23:21:02 2014 from 192.168.0.26
[user1@aaa.intern@linux1 ~]$ id
uid=11601(user1@aaa.intern) gid=11601(user1@aaa.intern) Gruppen=11601(user1@aaa.intern),193304(ad_users)
[user1@aaa.intern@linux1 ~]$

Anyone have a clue what might be the problem?

I would expect some kind of collision, but to be sure I need the SSSD log files. Please try to reproduce the switch and send me the log file, if possible with debug_level=9.

bye,
Sumit

Here's the sssd.conf:

[root@linux1 sssd]# cat /etc/sssd/sssd.conf
[domain/linux.intern]
debug_level=6
cache_credentials = False
krb5_store_password_if_offline = False
ipa_domain = linux.intern
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = linux1.linux.intern
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa1.linux.intern
ldap_tls_cacert = /etc/ipa/ca.crt
use_fully_qualified_domains = True

# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://ipa1.linux.intern
ldap_sudo_search_base = ou=sudoers,dc=linux,dc=intern
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/linux1.linux.intern
ldap_sasl_realm = LINUX.INTERN
krb5_server = ipa1.linux.intern
entry_cache_sudo_timeout = 30

[sssd]
debug_level=6
services = nss, pam, ssh, sudo
config_file_version = 2
default_domain_suffix=aaa.intern
domains = linux.intern

[nss]
debug_level=9
override_homedir = /home/%u
override_shell = /bin/bash

[pam]
debug_level=6

[sudo]
debug_level=6

[autofs]

[ssh]
debug_level=6

[pac]

Thanks!
Gregor
Re: [Freeipa-users] How to use sudo rules on ubuntu
Is there any article to describe how to configure an Ubuntu client for IPA and sudo policy?

On 02-09-2014 11:13, Lukas Slebodnik wrote:
On (02/09/14 11:02), Tevfik Ceydeliler wrote:
Step 0
root@clnt:/home/awtadm# grep sudoers /etc/nsswitch.conf
sudoers_debug:1
sudoers: files sss
root@clnt:/home/awtadm# ipa-client-install --no-ntp
IPA client is already configured on this system.
root@clnt:/home/awtadm# grep services /etc/sssd/sssd.conf
services = nss, pam, ssh, sudo

You need to restart sssd after modification of the option services in /etc/sssd/sssd.conf. I forgot to mention it.

Step 1 (there is some problem when creating a rule on the CLI; no problem prompt on the web-based one)
...
[root@srv ~]# ipa sudorule-add-option readfiles
Sudo Option: !authenticate
ipa: ERROR: no such entry
...

Then:
awtadm@clnt:~$ su user1
Password:
uid=142344(user1) gid=142344(user1) groups=142344(user1)
user1@clnt:/home/awtadm$ sudo -l
[sudo] password for user1:
Sorry, user user1 may not run sudo on clnt.

There is no reason to try sudo commands if sudo -l fails.

It works for me on Ubuntu 14.04. It is very likely you have a problem on the FreeIPA server. Other people can help you with the server part; I could help you just with the client configuration. (From my point of view, the problem is solved.)

One more time, please follow the instructions:
http://www.freeipa.org/docs/master/html-desktop/index.html#sudo

LS

--
br

The information contained in this e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and Yasar Group Companies do not accept legal responsibility for the contents. If you are not the intended recipient, please immediately notify the sender and delete it from your system.
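The two client-side settings Lukas checks above, the sudoers line in /etc/nsswitch.conf and sudo in the services list of /etc/sssd/sssd.conf, can be verified with a short script. This is an added example, not code from the thread or from SSSD or FreeIPA; the configuration texts are constructed. It also reports a duplicated sss entry, since a second copy of sss on the sudoers line is a real misconfiguration (the 4.0.2 announcement further down this page notes that an older ipa-client-install could add one).

```python
"""Verify the client side of FreeIPA sudo integration on an Ubuntu host.

Added example, not from the thread or from SSSD/FreeIPA. Both config texts
below are constructed; point the functions at the real files to use them.
"""
import configparser

# Constructed /etc/nsswitch.conf fragments: good, duplicated sss, no sss.
NSSWITCH_OK = "passwd: files sss\ngroup: files sss\nsudoers: files sss\n"
NSSWITCH_DUP = "passwd: files sss\nsudoers: files sss sss\n"
NSSWITCH_MISSING = "passwd: files sss\nsudoers: files\n"

# Constructed /etc/sssd/sssd.conf with the sudo responder enabled.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
"""


def nsswitch_sudoers_status(text):
    """Classify the sudoers line: 'ok', 'missing', 'duplicate' or 'absent'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("sudoers:"):       # 'sudoers_debug:' does not match
            continue
        sources = line.split(":", 1)[1].split()
        count = sources.count("sss")
        if count == 0:
            return "missing"
        if count > 1:
            return "duplicate"
        return "ok"
    return "absent"


def sssd_sudo_enabled(text):
    """True if the [sssd] section lists the sudo responder in `services`."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    services = cp.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]


def client_sudo_ready(nsswitch_text, sssd_text):
    """Return a list of findings; empty means the client side is configured.

    Anything left after this check passes (as in the thread, where `sudo -l`
    still denies the user) points at the server-side rules, not the client.
    """
    findings = []
    status = nsswitch_sudoers_status(nsswitch_text)
    if status != "ok":
        findings.append(f"nsswitch.conf sudoers line is {status}; "
                        "want exactly 'sudoers: files sss'")
    if not sssd_sudo_enabled(sssd_text):
        findings.append("add 'sudo' to services in [sssd] and restart sssd")
    return findings


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as f_nss, open("/etc/sssd/sssd.conf") as f_sssd:
        for finding in client_sudo_ready(f_nss.read(), f_sssd.read()) or ["client side ok"]:
            print(finding)
```

Reading /etc/sssd/sssd.conf needs root, which matches how the checks in the thread were run; the script deliberately reports only configuration findings and never restarts or edits anything, so it is safe to drop into a host-audit job.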
[Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
Hello folks,

I'm setting up an IPA server instance aimed to be used primarily for Linux/Unix clients' ssh authentication (with Kerberos). I've managed to successfully set up Debian clients (via sssd, and also on older Debians through libnss and pam_krb5). But for some reason I can't authenticate ssh on Solaris 10 clients.

On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and id <user> work), but unfortunately the ssh user authentication fails with an error:

sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory

On the Solaris clients, does there need to be a keytab in the /etc/krb5/ directory copied over from the IPA server? (I didn't have to set up a keytab file for the legacy Debian clients, and in the Solaris clients doc previously mentioned there's no mention of it.)

Well, since I read somewhere that the keytab file needs to be there, I copied it over from the IPA server to the Solaris clients. Then I get a different error:

PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

This error seems to indicate that there isn't a matching entry found in the keytab file, so I added an entry for the Solaris client, but I'm still getting the same 'Key table entry not found' error (it could be that the entry I added is wrong, of course).

But, for now, I just want to be sure: on the Solaris clients, do I need an /etc/krb5/krb5.keytab file? (If yes, why not on the non-sssd Debian hosts then?)
Thanks in advance,

--
Gerardo Padierna Nanclares
Systems Technician (ASL group) - [Fujitsu / Logware]
Information Systems Service (DGTI) - Generalitat Valenciana
C/. Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gera...@gmail.com
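Both errors in Gerardo's message come from the same place: krb5_verify_init_creds() validates the freshly obtained TGT against the local host key, so the client needs its own /etc/krb5/krb5.keytab containing host/<its-fqdn>@REALM. "No such file or directory" is the keytab being absent, and "Key table entry not found" is a keytab that exists but lacks that principal, which is what a file copied from the IPA server looks like. The following added example (not code from the thread, Solaris, or FreeIPA) maps a klist -k listing to those two outcomes; the listing and the names client.example.test, ipa1.example.test and EXAMPLE.TEST are constructed placeholders.

```python
"""Diagnose the two PAM-KRB5 errors from the thread against a keytab listing.

Added example, not from the thread, Solaris or FreeIPA. The `klist -k` output
is constructed; client.example.test / ipa1.example.test / EXAMPLE.TEST are
placeholders.
"""

# Constructed listing of a keytab copied from the IPA server: it carries the
# server's host key (twice, two enctypes) plus an unrelated service key, but
# not the client's own host principal.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 host/ipa1.example.test@EXAMPLE.TEST
   2 host/ipa1.example.test@EXAMPLE.TEST
   1 nfs/client.example.test@EXAMPLE.TEST
"""


def keytab_principals(listing):
    """Distinct principals in `klist -k` output (one line per key, kvno first)."""
    found = set()
    for line in listing.splitlines():
        parts = line.split()
        # data rows are '<kvno> <principal>'; header and ruler lines are skipped
        if len(parts) == 2 and parts[0].isdigit() and "@" in parts[1]:
            found.add(parts[1])
    return found


def expected_host_principal(fqdn, realm):
    """Principal the verification step looks up: lower-case host, upper-case realm."""
    return f"host/{fqdn.lower()}@{realm.upper()}"


def diagnose_keytab(listing, fqdn, realm, ipa_server):
    """Return (pam_krb5 error text or 'ok', remediation command or None).

    `listing` is None when /etc/krb5/krb5.keytab does not exist at all.
    The remediation fetches this host's own key with ipa-getkeytab rather
    than copying another machine's keytab.
    """
    want = expected_host_principal(fqdn, realm)
    fix = f"ipa-getkeytab -s {ipa_server} -p {want} -k /etc/krb5/krb5.keytab"
    if listing is None:
        return ("No such file or directory", fix)
    if want in keytab_principals(listing):
        return ("ok", None)
    return ("Key table entry not found", fix)


if __name__ == "__main__":
    print(diagnose_keytab(SAMPLE_KLIST, "client.example.test",
                          "EXAMPLE.TEST", "ipa1.example.test"))
```

Two caveats worth keeping in mind. Copying the server's krb5.keytab to clients hands every client the server's host key, so each host should fetch only its own entry. And ipa-getkeytab generates a fresh key for the principal it is given, invalidating any older keytab for that principal, so run it once per host and keep the resulting file readable by root only.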
Re: [Freeipa-users] How to use sudo rules on ubuntu
On (08/09/14 11:24), Tevfik Ceydeliler wrote:
Is there any article to describe how to configure an Ubuntu client for IPA and sudo policy?

I have already described the steps in this thread. It works for me. You did the same steps. It means there is a problem on the server side.

LS
Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
hi
Please go ahead with the below structure, it works!

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

From: Gerardo Padierna <asl.gera...@gmail.com>
To: freeipa-users@redhat.com
Sent: Monday, September 8, 2014 2:14 PM
Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
[Freeipa-users] Announcing FreeIPA 4.0.2
The FreeIPA team is proud to announce FreeIPA v4.0.2!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds will be available for Fedora 21. Builds for Fedora 20 are available in the official COPR repository (https://copr.fedoraproject.org/coprs/mkosek/freeipa/).

== Highlights in 4.0.2 ==

=== Enhancements ===
* TOTP watermark support was added. The last token interval is now added to the database and replicated in the FreeIPA realm. Note that the number of writes is kept the same, as an unnecessary LDAP write was eliminated.
* The Effective Attributes widget in the Add Permission Web UI page was improved
* ipa-csreplica-manage can now set the CA renewal master
* trust-add is now capable of ensuring the conditions for a Trust are met prior to establishing it in complex environments (e.g. only adding the trust via an AD DC with a PDC role in the forest root domain, falling back when no closest AD DC is available for the local site)

=== Bug fixes ===
* Server installation with certificates signed by an external CA could crash with IndexError
* ipa-client-install could add a duplicate sss to /etc/nsswitch.conf when configuring sudo
* ipa-client-install crashed when a non-zero minSSF was set on the FreeIPA server
* Installers and helper tools now communicate with certmonger via its DBUS API instead of manipulating its configuration files, fixing the related intermittent uninstallation failures
* idrange-* commands no longer allow unsupported range types (ipa-ad-winsync, ipa-ipa-trust)
* user-add no longer fails when --user-auth-type is specified
* Entries in the Schema Compatibility tree are now accessible anonymously by default to aid legacy clients.

== Known Issues ==
* The Directory Server may crash during install due to 389-ds bug 47889 (https://fedorahosted.org/389/ticket/47889).
* Enumeration in SSSD may fail due to 389-ds bug 47885 (https://fedorahosted.org/389/ticket/47885).
* Zone removal may misbehave due to a bind-dyndb-ldap bug. If FreeIPA is used to manage DNS root zones, bind-dyndb-ldap 5.1 or higher is recommended. Bind-dyndb-ldap 5.2 was built for Fedora 20 (http://copr.fedoraproject.org/coprs/mkosek/freeipa/build/31135/), 21 (https://admin.fedoraproject.org/updates/bind-dyndb-ldap-5.2-1.fc21) and rawhide (http://koji.fedoraproject.org/koji/buildinfo?buildID=575841).

== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in a special environment (e.g. FedUp) which does not allow running the LDAP server during the upgrade process, the upgrade scripts need to be run manually after the first boot:

# ipa-ldap-updater --upgrade
# ipa-upgradeconfig

Also note that the performance improvements require an extended set of indexes to be configured. The RPM update for an IPA server with an excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully, but new features will not be available on old servers, and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 3.3.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.

== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

== Detailed Changelog since 4.0.1 ==

=== Alexander Bokovoy (5) ===
* ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
* ipaserver/dcerpc.py: make PDC discovery more robust
* ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
* ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
* ipaserver/dcerpc.py: Make sure trust is established only to forest root domain

=== David Kupka (7) ===
* Fix group-remove-member crash when group is removed from a protected group
* test group: remove group from protected group.
* Verify otptoken timespan is valid
* Add record(s) to /etc/host when IPA is configured as DNS server.
* Use certmonger D-Bus API instead of messing with its files.
* Do not restart apache server when not necessary.
* Allow user to force Kerberos realm during installation.

=== Gabe (1) ===
* ipa trust-add command should be interactive

=== Jakub Hrozek (1) ===
* CLIENT: Explicitly require python-backports-ssl_match_hostname

=== Jan Cholasta (11) ===
* Check
[Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request
Hello everyone...

I'm trying to request SSL certificates from my machines (ex: vadqualif02) for a specific service (ex: syslog-ng).

I would like to distinguish between my client and server certificates by changing the DN. The problem is that when I try to do that (see the command below), I'm still getting the default DN (CN=hostname).

sudo ipa-getcert request -r -f /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N OU=toto,CN=roro -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra

Any ideas?

Thx in advance.

El Fatayri Anwar
Re: [Freeipa-users] [freeipa 3.0.0] Changing the DN in the signing request
Anwar El fatayri wrote:
I would like to distinguish between my client and server certificates by changing the DN. The problem is that when I try to do that (see the command below), I'm still getting the default DN (CN=hostname).

sudo ipa-getcert request -r -f /etc/pki/tls/certs/syslog-ng_vadqualif02.lbg.office.lyra.crt -k /etc/pki/tls/private/syslog-ng_vadqualif02.lbg.office.lyra.key -N OU=toto,CN=roro -K SYSLOG-NG_CLIENT/vadqualif02.lbg.office.l...@office.lyra

Any ideas?

I'm surprised this isn't just being rejected instead.

IPA requires that the CN of the CSR match the host/service being requested for. It will also drop anything other than CN and replace it with the subject of the CA (usually O=EXAMPLE.COM).

There is no way around this.

rob
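Rob's two rules (the CSR's CN must equal the host named in the -K principal, and every other RDN is replaced by the CA's subject base) can be modelled in a few lines. This is an added example, not code from the thread or from FreeIPA's cert-request plugin; the principal, subject and the CA base O=EXAMPLE.TEST are constructed placeholders, and the DN parser does not handle escaped commas.

```python
"""Predict how IPA treats the subject of an ipa-getcert request.

Added example, not FreeIPA code. Applies the two rules from the thread:
the CN must equal the host part of the -K principal, and all other RDNs
are dropped in favour of the CA subject base. Names below are placeholders.
"""


def principal_host(principal):
    """'SYSLOG-NG_CLIENT/client.example.test@EXAMPLE.TEST' -> 'client.example.test'.

    Returns None for a principal without a service/host part (e.g. 'admin@REALM'),
    which is not something a host or service certificate can be requested for.
    """
    name = principal.split("@", 1)[0]
    _service, sep, host = name.partition("/")
    return host if sep else None


def parse_dn(dn):
    """Split 'OU=toto,CN=roro' into [('OU', 'toto'), ('CN', 'roro')].

    Deliberately minimal: RDN attribute names are upper-cased for comparison,
    and escaped commas inside values are not supported.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_request(subject, principal, ca_subject_base):
    """Return (accepted, issued_subject_or_reason).

    accepted=False mirrors the rejection Rob expected; accepted=True carries
    the subject IPA would actually put in the certificate.
    """
    host = principal_host(principal)
    if host is None:
        return (False, "principal is not of the form service/host@REALM")
    cns = [value for attr, value in parse_dn(subject) if attr == "CN"]
    if cns != [host]:
        return (False, f"CN must be {host!r}, request has CN={cns}")
    # every RDN other than CN is discarded and the CA's own base is appended
    return (True, f"CN={host},{ca_subject_base}")


if __name__ == "__main__":
    # Constructed version of the request in the thread: CN does not match the host.
    print(check_request("OU=toto,CN=roro",
                        "SYSLOG-NG_CLIENT/client.example.test@EXAMPLE.TEST",
                        "O=EXAMPLE.TEST"))
    # The only subject shape IPA will honour for that principal.
    print(check_request("CN=client.example.test",
                        "SYSLOG-NG_CLIENT/client.example.test@EXAMPLE.TEST",
                        "O=EXAMPLE.TEST"))
```

Since the subject cannot carry the client/server distinction, the place where the request in the thread already differs is the service part of the principal (SYSLOG-NG_CLIENT/...), which is what IPA ties the issued certificate to.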
[Freeipa-users] freeipa server install fails on fedora 20
Can somebody help with the following problem(s) I've encountered while trying to install the freeipa server?

Problem #1:

On fedora 20, I have:
1. using yum install acquired the freeipa-server package.
2. ran ipa-server-install — that has failed with "CA did not start in 300s"

One thing that's noticeable in the logs (the snippet is included below) is that the request for 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus' has 443 as the port, whereas before all the requests were for 8443 (e.g., the same (manual) request on port 8443 succeeds). Seems like an install script somewhere has the wrong port?

2014-09-08T19:21:07Z DEBUG Waiting for CA to start...
2014-09-08T19:21:08Z DEBUG request 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus'
2014-09-08T19:21:08Z DEBUG request body ''
2014-09-08T19:21:08Z DEBUG request status 503
2014-09-08T19:21:08Z DEBUG request reason_phrase u'Service Unavailable'
2014-09-08T19:21:08Z DEBUG request headers {'date': 'Mon, 08 Sep 2014 19:21:08 GMT', 'content-length': '299', 'content-type': 'text/html; charset=iso-8859-1', 'connection': 'close', 'server': 'Apache/2.4.10 (Fedora) mod_auth_kerb/5.4 mod_nss/2.4.6 NSS/3.15.3 Basic ECC mod_wsgi/3.5 Python/2.7.5'}
2014-09-08T19:21:08Z DEBUG request body '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>503 Service Unavailable</title>\n</head><body>\n<h1>Service Unavailable</h1>\n<p>The server is temporarily unable to service your\nrequest due to maintenance downtime or capacity\nproblems. Please try again later.</p>\n</body></html>\n'
2014-09-08T19:21:08Z DEBUG The CA status is: Service Unavailable

Problem #2:

The next problem I'm encountering, which doesn't seem to be related to the CA setup, is on the next step of "kinit admin". It fails with "generic pre authentication failure while getting initial credentials". stracing kinit shows that it tried to open the file "/var/lib/sss/pubconf/kdcinfo.GATEWAY.2WIRE.NET" and fails with a "no such file" error. The "pubconf" dir only has an empty "krb5.include.d".

I don't know if this failure is due to the fact that the setup didn't run all the way and some configuration is missing, or whether this is a separate issue.

Are these bugs that need to be filed with bugzilla, or am I doing something incorrectly? Any help would be appreciated.

Thank you.
Re: [Freeipa-users] freeipa server install fails on fedora 20
On 09/08/2014 03:49 PM, Olga Kornievskaia wrote:
Can somebody help with the following problem(s) I've encountered while trying to install the freeipa server?

Problem #1:

On fedora 20, I have:
1. using yum install acquired the freeipa-server package.
2. ran ipa-server-install --- that has failed with "CA did not start in 300s"

One thing that's noticeable in the logs (the snippet is included below) is that the request for 'https://ipa1.gateway.2wire.net:443/ca/admin/ca/getStatus' has 443 as the port, whereas before all the requests were for 8443 (e.g., the same (manual) request on port 8443 succeeds). Seems like an install script somewhere has the wrong port?

443 is the right port. Do you have something already running on the same box on that port? That might prevent things from installing and running. Please try on a clean machine or VM.

Also, more logs will be helpful. Please see this [1] on how to troubleshoot.

The second problem is most likely an artifact of the incomplete install.

[1] http://www.freeipa.org/page/Troubleshooting

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] ACI for ipa-getkeytab
Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where can I find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can help me?

Thanks for your help.
[Freeipa-users] Sane request?
Is it sane to request that freeipa store ssh keys for users who come into the environment via a trust? Not all of them, of course, but those who want to store public keys there.

My freeipa server is mostly there to manage machines, and users (incl. me) mostly come in over trusts from the corporate AD. It'd sure be nice if I could put my laptop's public key on the freeipa server and use it everywhere.

Food for thought.

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.