Re: [Freeipa-users] Problem migrating passwords from NIS to IdM

2014-11-19 Thread Roderick Johnstone

On 18/11/2014 22:56, Jakub Hrozek wrote:



On 18 Nov 2014, at 23:23, Roderick Johnstone r...@ast.cam.ac.uk wrote:

On 18/11/2014 22:19, Dmitri Pal wrote:

On 11/18/2014 12:57 PM, Roderick Johnstone wrote:

Hi

I'm trying to migrate some nis accounts to RHEL 6 IdM while still
keeping the original passwords.

I followed the instructions at:
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

The passwords are in SHA-512 format and I have been testing the
migration with commands like this (generated via a script from my nis
passwd file) on my IdM server:

$ ipa user-add xxx --first=NIS --last=USER --gidnumber= --uid=
'--gecos=test account' --homedir=/home/ --shell=/bin/bash
--setattr userpassword='{SHA-512}xxx'

where the xxx is the hashed password from the NIS password file
with the leading $6$ stripped off.

Then I remove nis from the passwd: line in /etc/nsswitch.conf so I'm
left with:
passwd: files   sss

and the account that I migrated cannot log in.

From the sssd log file (below) it looks like it's trying to migrate the
password but failing with an LDAP authentication failure.

I'd appreciate any pointers to how to find out what's going wrong here.

Accounts which I created manually in the web gui are working ok.

Thanks

Roderick Johnstone

Part of sssd log file
=
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[set_server_common_status] (0x0100): Marking server 'xxx.xxx.xxx.xxx'
as 'working'
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[fo_set_port_status] (0x0400): Marking port 0 of duplicate server
'xxx.xxx.xxx.xxx' as 'working'
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos password
is missing, starting password migration.
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_send]
(0x0100): Executing simple bind as:
uid=xxx,cn=users,cn=accounts,dc=xxx,dc=xxx,dc=xxx,dc=xxx
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_done]
(0x0400): Bind result: Invalid credentials(49), no errmsg set
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
migration not possible.
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 8, NULL)
[Success]
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[be_pam_handler_callback] (0x0100): Sending result [8][xxx.xxx.xxx]
(Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
[be_pam_handler_callback] (0x0100): Sent result [8][xxx.xxx.xxx]



Did you enable migration mode on the IPA server?



Yes, I ran:
ipa config-mod --enable-migration=true
on the IPA server.

Roderick


Sorry, I missed this thread involved SSSD logs.

Normally, error 49 (Invalid credentials) really means a wrong password. Are you
sure the password was not mistyped (different keyboard layout or caps lock
perhaps)?



Definitely not mistyped. I have tried lots of times.

Also tried typing the password in as the username to check that each
character echoes as expected, so I'm pretty sure it's not a key layout issue.



Did you try the web UI migration?


Not yet. I'll see if I can find some docs on how to do that.





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Problem migrating passwords from NIS to IdM

2014-11-19 Thread Roderick Johnstone

On 18/11/2014 22:58, Rob Crittenden wrote:




The hash name probably needs to match something in cn=Password Storage
Schemes,cn=plugins,cn=config.

I'd try either {SHA512} or {SSHA512} and see if one of those works better.

rob



Rob

I had wondered about the specification of the password hash type.

I chose SHA-512 as it seemed to be suggested in the 
passwordStorageScheme attribute described in Table 14.1 of the Redhat 
Directory Server Admin Guide, 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html. 
But now I come to re-read that doc it suggests perhaps that SHA covers 
all the SHA- variants, so I'll give it another go using {SHA}xxx as 
the userpassword specification.


I have also seen the userpassword attribute referred to in other places 
as userPassword and wondered whether the attribute name is case 
sensitive. Do you know?


Thanks for your input.

Roderick



Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade

2014-11-19 Thread thierry bordaz

On 11/18/2014 07:44 PM, Will Sheldon wrote:


No, not resolved yet. I did test with GSSAPI (-Y) and, like you, it
worked. :(


Hello,

Would it be possible to get the server1/server2 logs (error/access) and
config (dse.ldif)? Turning on replication logs would help
(http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting).

In the sample of the log, there is a failure while ending a replication
session. No replication error before?
It is like suddenly server1 was no longer able to reach server2 (dns or
network issue?).


thanks
thierry



Will Sheldon

On November 18, 2014 at 8:37:10 AM, dbisc...@hrz.uni-kassel.de 
(dbisc...@hrz.uni-kassel.de mailto:dbisc...@hrz.uni-kassel.de) wrote:



Hi,

On Fri, 7 Nov 2014, Dmitri Pal wrote:

 On 11/07/2014 01:24 AM, Will Sheldon wrote:
 On November 6, 2014 at 10:07:54 PM, Dmitri Pal (d...@redhat.com
 mailto:d...@redhat.com) wrote:
 On 11/07/2014 12:18 AM, Will Sheldon wrote:

 On the whole we are loving FreeIPA, many thanks and much respect to
 all involved, we've had a great 12-18 months hassle free use out of
 it - it is a fantastically stable trouble free solution... however now
 we've run into a small issue we (as mere mortals) are finding it hard
 to resolve :-/

 We upgraded our ipa servers (3.0.0-42) to Centos 6.6. Everything
 seemed to go well, but one server is behaving oddly. It's likely not
 an IPA issue, it also reset its hostname somehow after the upgrade
 (it's an image in an openstack environment).

 If anyone has any pointers as to how to debug I'd be hugely
 appreciative :)

 Two servers, server1.domain.com and server2.domain.com

 Server1 can't push data to server2, there are updates and new records
 on server1 that do not exist on server2.

 from the logs on server1:

 [07/Nov/2014:01:33:42 +] NSMMReplicationPlugin -
 agmt=cn=meToserver2.domain.com (server2:389): Warning: unable to send
 endReplication extended operation (Can't contact LDAP server)
 [07/Nov/2014:01:33:47 +] NSMMReplicationPlugin -
 agmt=cn=meToserver2.domain.com (server2:389): Replication bind with
 GSSAPI auth resumed
 [07/Nov/2014:01:33:48 +] NSMMReplicationPlugin -
 agmt=cn=meToserver2.domain.com (server2:389): Warning: unable to
 replicate schema: rc=2
 [07/Nov/2014:01:33:48 +] NSMMReplicationPlugin -
 agmt=cn=meToserver2.domain.com (server2:389): Consumer failed to replay
 change (uniqueid (null), CSN (null)): Can't contact LDAP server(-1). Will
 retry later.

 Try to see
 a) Server 1 properly resolves server 2
 b) You can connect from server 1 to server 2 using ldapsearch
 c) your firewall has proper ports open
 d) dirserver on server 2 is actually running

 All seems working:

 [root@server1 ~]# ldapsearch -x -H ldap://server2.domain.com -s base -b '' namingContexts

 Can you try kinit admin and then use kerberos GSSAPI to connect, i.e. the -Y
 switch?

Is this resolved? I observe it on my systems, too. Exact same symptoms.
ldapsearch with -Y GSSAPI works.

 Did you find anything in the server2 logs?

On my server2, I see sasl_io_recv failed to decode packet for
connection #.

Could there be something wrong with default buffer sizes as described in
https://bugzilla.redhat.com/show_bug.cgi?id=953653 ?

I have nsslapd-sasl-max-buffer-size: 65536 on both machines, but my
database is rather small: ~30 users, 10 hosts and services.

 # extended LDIF
 #
 # LDAPv3
 # base  with scope baseObject
 # filter: (objectclass=*)
 # requesting: namingContexts
 #

 #
 dn:
 namingContexts: dc=domain,dc=com

 # search result
 search: 2
 result: 0 Success

 # numResponses: 2
 # numEntries: 1
 [root@server1 ~]#

 And:

 [root@server2 ~]# /etc/init.d/dirsrv status
 dirsrv DOMAIN-COM (pid 1009) is running...
 dirsrv PKI-IPA (pid 1083) is running...
 [root@server2 ~]#

 Check logs on server 2 to see whether it actually sees an attempt to
 connect, I suspect not, so it is most likely a DNS/FW issue or dir server
 is not running on 2.

 and the servers:

 [root@server1 ~]# ipa-replica-manage list -v `hostname`
 Directory Manager password:

 server2.domain.com: replica
 last init status: None
 last init ended: None
 last update status: 0 Replica acquired successfully: Incremental update started
 last update ended: 2014-11-07 01:35:58+00:00
 [root@server1 ~]#

 [root@server2 ~]# ipa-replica-manage list -v `hostname`
 Directory Manager password:

 server1.domain.com: replica
 last init status: None
 last init ended: None
 last update status: 0 Replica acquired successfully: Incremental update succeeded
 last update ended: 2014-11-07 01:35:43+00:00
 [root@server2 ~]#


Mit freundlichen Gruessen/With best regards,

--Daniel.


Re: [Freeipa-users] Problem migrating passwords from NIS to IdM

2014-11-19 Thread Roderick Johnstone


Rob

I just tried with  --setattr userpassword='{SHA}xxx' but I get the 
same result:
[simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no 
errmsg set
[ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password 
migration not possible.


I'm wondering if it's something to do with the quoting. The hashed 
password contains $ and there are the {} around the SHA, so I'm using 
strong single quotes to prevent anything following the $ being 
interpreted as a variable, I hope. Maybe this is a red herring.


Roderick



Re: [Freeipa-users] Integrating with NIS Domains and Netgroups

2014-11-19 Thread Zhong Qiang
Thank you,
It works by using ldap+krb5 (nisclient: centos4.8). By the way, is it
possible to enroll nisclient? And how to do this? And how to carry out HBAC
rules for nisclient? I tried to use the WebUI, but I did not succeed; it looks
like this:

Enrollment

Kerberos Key:
Kerberos Key Not Present
One-Time-Password:
One-Time-Password Not Present
--
Host Certificate

Status:
*No Valid Certificate*

regards,
zhongq

2014-11-19 6:17 GMT+08:00 Dmitri Pal d...@redhat.com:

  On 11/18/2014 02:13 AM, Zhong Qiang wrote:

   hi,
  I have some hosts with centos4.8/6.5/5.9 installed, and want to centralize
 identity/policy/authorization. But the ipa client isn't compatible with
 centos4.8, so I tried to configure FreeIPA integrated with NIS Domains.
   IPAserver: centos7 (+DNS)
   nisclient: centos4.8
   ipaclient: centos6.6

   I followed the instructions on this page:
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/nis.html, to
 add a netgroup (nis_test) and users (zhongq). Then I configured the nis client
 installed on centos4.8. On the nis client, I could get the user data, like
 this:

 [root@nisclient ~]# getent passwd zhongq
 zhongq:*:72481:72481:强 é:/home/zhongq:/bin/sh


  However, I do not succeed in logging into nisclient with the zhongq account.
  Any ideas?

  Regards,
  zhongq


  You need to use some other method for authentication. NIS is only supported
 for identity, not for authentication. Use pam_ldap or pam_krb5 for the
 authentication part.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



[Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Tamas Papp

hi All,

-- Finished Dependency Resolution
Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa)
   Requires: pki-ca = 10.2.0-3
   Available: pki-ca-10.0.5-3.el7.noarch (base)
   pki-ca = 10.0.5-3.el7
   Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa)
   pki-ca = 10.1.2-3.el7.centos
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest



How can I fix this?

10x
tamas



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek
On 11/19/2014 11:37 AM, Tamas Papp wrote:
 hi All,
 
 -- Finished Dependency Resolution
 Error: Package: freeipa-server-4.1.1-1.1.el7.centos.x86_64 (mkosek-freeipa)
Requires: pki-ca = 10.2.0-3
Available: pki-ca-10.0.5-3.el7.noarch (base)
pki-ca = 10.0.5-3.el7
Available: pki-ca-10.1.2-3.el7.centos.noarch (mkosek-freeipa)
pki-ca = 10.1.2-3.el7.centos
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest

We are working on a fix right now. So hopefully, the fixed CentOS repo will be
available later today.

 How can I fix this?

Waiting a bit and then trying to install again :-)

 
 10x
 tamas
 



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Tamas Papp

I am good in waiting;)

Thanks for the prompt reply.
--
Sent from mobile





Re: [Freeipa-users] Integrating with NIS Domains and Netgroups

2014-11-19 Thread Dmitri Pal

On 11/19/2014 05:25 AM, Zhong Qiang wrote:

Thank you,
It works by using ldap+krb5 (nisclient: centos4.8). By the way, is it 
possible to enroll nisclient? And how to do this? And how to carry out 
HBAC rules for nisclient? I tried to use the WebUI, but I did not succeed; it looks



Only SSSD understands IPA HBAC.
We have CentOS 7 nowadays and 7.1 is on the way, so 4.8 is very old and 
your options will be very limited.




like this:


Enrollment


Kerberos Key:   
Kerberos Key Not Present
One-Time-Password:  
One-Time-Password Not Present




Host Certificate


Status: 
*No Valid Certificate*


regards,
zhongq






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Problem migrating passwords from NIS to IdM

2014-11-19 Thread Rob Crittenden

I think your quoting is correct.

I've only used this method with crypt passwords. I guess theoretically
it should work with other crypt(3) schemes but I've never tried. There
could be some 389-ds-specific gotchas.

Crypt defines the storage as $id$salt$encrypted so perhaps strip out the
$id$ part since that is being defined by {SHA}, but I'm really only
guessing. The 389-ds guys may know.

LDAP attributes are not case sensitive.

rob



Re: [Freeipa-users] Problem migrating passwords from NIS to IdM

2014-11-19 Thread Rob Crittenden
Rob Crittenden wrote:
 Roderick Johnstone wrote:
 On 19/11/2014 08:33, Roderick Johnstone wrote:
 On 18/11/2014 22:58, Rob Crittenden wrote:
 Roderick Johnstone wrote:
 On 18/11/2014 22:19, Dmitri Pal wrote:
 On 11/18/2014 12:57 PM, Roderick Johnstone wrote:
 Hi

 I'm trying to migrate some nis accounts to RHEL 6 IdM while still
 keeping the original passwords.

 I followed the instructions at:
 http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords



 The passwords are in SHA-512 format and I have been testing the
 migration with commands like this (generated via a script from my nis
 passwd file) on my IdM server:

 $ ipa user-add xxx --first=NIS --last=USER --gidnumber=
 --uid=
 '--gecos=test account' --homedir=/home/ --shell=/bin/bash
 --setattr userpassword='{SHA-512}xxx'

 where the xxx is the hashed password from the NIS password file
 with the leading $6$ stripped off.

 Then I remove nis from the passwd: line in /etc/nsswitch.conf so I'm
 left with:
 passwd: files   sss

 and the account that I migrated cannot log in.

  From the sssd log file (below) it looks like its trying to migrate
 the
 password but failing with an LDAP authentication failure.

 I'd appreciate any pointers to how to find out whats going wrong
 here.

 Accounts which I created manually in the web gui are working ok.

 Thanks

 Roderick Johnstone

 Part of sssd log file
 =
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [set_server_common_status] (0x0100): Marking server 'xxx.xxx.xxx.xxx'
 as 'working'
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [fo_set_port_status] (0x0400): Marking port 0 of duplicate server
 'xxx.xxx.xxx.xxx' as 'working'
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos
 password
 is missing, starting password migration.
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_send]
 (0x0100): Executing simple bind as:
 uid=xxx,cn=users,cn=accounts,dc=xxx,dc=xxx,dc=xxx,dc=xxx
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_done]
 (0x0400): Bind result: Invalid credentials(49), no errmsg set
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
 migration not possible.
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, NULL)
 [Success]
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [be_pam_handler_callback] (0x0100): Sending result [8][xxx.xxx.xxx]
 (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
 [be_pam_handler_callback] (0x0100): Sent result [8][xxx.xxx.xxx]


 Did you enable migration mode on the IPA server?


 Yes, I ran:
 ipa config-mod --enable-migration=true
 on the IPA server.

 Roderick


 The has name probably needs to match something in cn=Password Storage
 Schemes,cn=plugins,cn=config.

 I'd try either {SHA512} or {SSHA512} and see if one of those works
 better.

 rob


 Rob

 I had wondered about the specification of the password hash type.

 I chose SHA-512 as it seemed to be suggested in the
 passwordStorageScheme attribute described in Table 14.1 of the Redhat
 Directory Server Admin Guide,
 https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html.

 But now I come to re-read that doc it suggests perhaps that SHA covers
 all the SHA- variants, so I'll give it another go using {SHA}xxx as
 the userpassword specification.

 I have also seen the userpassword attribute referred to in other places
 as userPassword and wondered whether the attribute name is case
 sensitive. Do you know?

 Thanks for your input.

 Roderick


 Rob

 I just tried with  --setattr userpassword='{SHA}xxx' but I get the
 same result:
 [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no
 errmsg set
 [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
 migration not possible.

 I'm wondering if it's something to do with the quoting. The hashed
 password contains $ and there are the {} around the SHA so I'm using
 strong single quotes to prevent anything following the $ being
 interpreted as a variable, I hope. Maybe this is a red herring.

 
 I think your quoting is correct.
 
 I've only used this method with crypt passwords. I guess theoretically
 it should work with other crypt(3) schemes but I've never tried. There
 could be some 389-ds-specific gotchas.
 
 Crypt defines the storage as $id$salt$encrypted so perhaps strip out the
 $id$ part since that is being defined by {SHA}, but I'm really only
 guessing. The 389-ds guys may know.
 
 LDAP attributes are not case sensitive.

Ok, this question was bugging me so I took a second to look into it.

The trick is to use CRYPT and not be too clever about knowing the scheme
the password is stored in.

This worked for me:

# grep myuser /etc/shadow
$ ipa user-add --first=test 
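Rob's approach above (keep the whole crypt(3) string and let the {CRYPT} storage scheme hand it to crypt(3), instead of stripping "$6$" and relabelling it), as an added example that is not code from the thread or from the FreeIPA project: it parses shadow-format lines, skips locked accounts, emits the userPassword value, and builds the `ipa user-add` argv so the `$` characters never pass through a shell. The sample shadow lines and hash strings are constructed, and the note on the 389-ds SHA512 scheme in the docstring is background knowledge rather than something stated in the thread.

```python
"""Turn /etc/shadow entries into the {CRYPT} userPassword values used for
NIS-to-IdM password migration (added example, not FreeIPA project code)."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# crypt(3) "$id$salt$hash" scheme identifiers, used only for reporting;
# with the {CRYPT} storage scheme the server passes the whole string to
# crypt(3), which reads the "$6$" prefix itself. "1" (md5crypt) is weak:
# migrate it, but force a password change afterwards.
CRYPT_SCHEMES: Dict[str, str] = {
    "1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
}
_CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<body>[^:\s]+)$")

# Constructed sample in /etc/shadow format; the hash strings are made up
# and do not correspond to any real password.
SAMPLE_SHADOW = """\
alice:$6$Qm9ndXM$Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4:16383:0:99999:7:::
bob:$1$c2FsdA$bWFkZXVwbWQ1Y3J5cHRoYXNo:16383:0:99999:7:::
carol:!:16383:0:99999:7:::
dave:*:16383:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    field: str  # raw second field of the shadow line


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines, keeping only the user and hash fields."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        parts = raw.split(":")
        if len(parts) < 2:
            raise ValueError(f"malformed shadow line: {raw!r}")
        entries.append(ShadowEntry(parts[0], parts[1]))
    return entries


def crypt_scheme(field: str) -> Optional[str]:
    """Return the crypt(3) scheme id ("6" for SHA-512 crypt), or None when
    the field is not a crypt hash: locked ('!', '*'), empty, or bare DES."""
    m = _CRYPT_RE.match(field)
    return m.group("id") if m else None


def shadow_to_userpassword(field: str) -> Optional[str]:
    """Build the userPassword value: the whole "$id$salt$hash" string with
    a {CRYPT} prefix. Stripping "$6$" and tagging the rest {SHA-512} fails
    because the 389-ds SHA512 scheme expects a base64 plain digest, not the
    salted, iterated crypt(3) construction."""
    scheme = crypt_scheme(field)
    if scheme is None or scheme not in CRYPT_SCHEMES:
        return None
    return "{CRYPT}" + field


def build_user_add_argv(entry: ShadowEntry, first: str, last: str) -> Optional[List[str]]:
    """argv for `ipa user-add`, meant for subprocess.run() without a shell,
    so the '$' characters in the hash are never subject to expansion."""
    pw = shadow_to_userpassword(entry.field)
    if pw is None:
        return None  # locked or non-crypt account: do not migrate a password
    return ["ipa", "user-add", entry.user, f"--first={first}", f"--last={last}",
            "--setattr", f"userPassword={pw}"]


def shell_line(argv: List[str]) -> str:
    """The same command rendered for a shell script; shlex.quote wraps the
    {CRYPT}$6$... value in single quotes, the quoting the thread settled on."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        argv = build_user_add_argv(e, "NIS", "USER")
        print(e.user, "->", shell_line(argv) if argv else "skipped (locked)")
```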

Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek
On 11/19/2014 11:57 AM, Tamas Papp wrote:
 I am good in waiting;)
 
 Thanks for the prompt reply.

Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?

I was able to install upstream freeipa-server 4.1.1 package on my RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:

# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary

Install  1 Package  (+338 Dependent packages)
Upgrade (  11 Dependent packages)

Total download size: 146 M
...

# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64

# ipa-server-install --setup-dns

# kinit admin
Password for ad...@example.com:

Thanks,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Bill Peck
Hi Martin,

I was able to install from the copr repo now as well.  Thank you!

However I wasn't able to finish the install:

  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.


Don't know if you need the command for how I was installing ipa.  But here
is the line from my ansible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}

On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:

 On 11/19/2014 11:57 AM, Tamas Papp wrote:
  I am good in waiting;)
 
  Thanks for the prompt reply.

 Ok Tamas, I think we *finally* got somewhere. Can you please try the
 mkosek/freeipa Copr repo now?

 I was able to install upstream freeipa-server 4.1.1 package on my
 RHEL-7.0
 machine (should be the same for CentOS) and run ipa-server-install:

 # yum install freeipa-server --enablerepo=mkosek-freeipa
 ...
 Resolving Dependencies
 -- Running transaction check
 --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
 ...
 Transaction Summary

 
 Install  1 Package  (+338 Dependent packages)
 Upgrade (  11 Dependent packages)

 Total download size: 146 M
 ...

 # rpm -q freeipa-server
 freeipa-server-4.1.1-1.2.el7.centos.x86_64

 # ipa-server-install --setup-dns

 # kinit admin
 Password for ad...@example.com:

 Thanks,
 Martin



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek
It is highly probable the issue is caused by SELinux (check for AVCs in 
/var/log/audit/audit.log).

Can you try with SELinux permissive? We specifically did not build 
selinux-policy as we do not think we should be the ones maintaining it for 
CentOS.

HTH,
Martin

- Original Message -
 From: Bill Peck b...@pecknet.com
 To: Martin Kosek mko...@redhat.com
 Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
 Sent: Wednesday, November 19, 2014 5:34:10 PM
 Subject: Re: [Freeipa-users] freeipa-server from copr repo
 
 Hi Marin,
 
 I was able to install from the copr repo now as well.  Thank you!
 
 However I wasn't able to finish the install:
 
   [23/27]: configure certmonger for renewals
   [24/27]: configure certificate renewals
   [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
 /etc/pki/pki-tomcat/alias could not be accessed due to insufficient
 permissions.
 
 
 Don't know if you need the command for how I was installing ipa.  But here
 is the line from my anseible playbook.
 shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
 }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
 --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
 
 On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
 
  On 11/19/2014 11:57 AM, Tamas Papp wrote:
   I am good in waiting;)
  
   Thanks for the prompt reply.
 
  Ok Tamas, I think we *finally* got somewhere. Can you please try the
  mkosek/freeipa Copr repo now?
 
  I was able to install upstream freeipa-server 4.1.1 package on my
  RHEL-7.0
  machine (should be the same for CentOS) and run ipa-server-install:
 
  # yum install freeipa-server --enablerepo=mkosek-freeipa
  ...
  Resolving Dependencies
  -- Running transaction check
  --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
  ...
  Transaction Summary
 
  
  Install  1 Package  (+338 Dependent packages)
  Upgrade (  11 Dependent packages)
 
  Total download size: 146 M
  ...
 
  # rpm -q freeipa-server
  freeipa-server-4.1.1-1.2.el7.centos.x86_64
 
  # ipa-server-install --setup-dns
 
  # kinit admin
  Password for ad...@example.com:
 
  Thanks,
  Martin
 
 
 



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Bill Peck
Hi Martin,

Yes, setting selinux to permissive allowed me to install and configure IPA
4.1 on CentOS 7.

:-)

On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com wrote:

 It is highly probable the issue is caused by SELinux (check for AVCs in
 /var/log/audit/audit.log).

 Can you try with SELinux permissive? We specifically did not build
 selinux-policy as we do not think we should be the ones maintaining it for
 CentOS.

 HTH,
 Martin

 - Original Message -
  From: Bill Peck b...@pecknet.com
  To: Martin Kosek mko...@redhat.com
  Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
  Sent: Wednesday, November 19, 2014 5:34:10 PM
  Subject: Re: [Freeipa-users] freeipa-server from copr repo
 
  Hi Marin,
 
  I was able to install from the copr repo now as well.  Thank you!
 
  However I wasn't able to finish the install:
 
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The
 location
  /etc/pki/pki-tomcat/alias could not be accessed due to insufficient
  permissions.
 
 
  Don't know if you need the command for how I was installing ipa.  But
 here
  is the line from my anseible playbook.
  shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
  }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
  --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
 
  On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com
 wrote:
 
   On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
   
Thanks for the prompt reply.
  
   Ok Tamas, I think we *finally* got somewhere. Can you please try the
   mkosek/freeipa Copr repo now?
  
   I was able to install upstream freeipa-server 4.1.1 package on my
   RHEL-7.0
   machine (should be the same for CentOS) and run ipa-server-install:
  
   # yum install freeipa-server --enablerepo=mkosek-freeipa
   ...
   Resolving Dependencies
   -- Running transaction check
   --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be
 installed
   ...
   Transaction Summary
  
  
 
   Install  1 Package  (+338 Dependent packages)
   Upgrade (  11 Dependent packages)
  
   Total download size: 146 M
   ...
  
   # rpm -q freeipa-server
   freeipa-server-4.1.1-1.2.el7.centos.x86_64
  
   # ipa-server-install --setup-dns
  
   # kinit admin
   Password for ad...@example.com:
  
   Thanks,
   Martin
  
  
 


Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek

Good news!

To clarify on the selinux-policy side. By not maintaining it for the CentOS I 
meant that FreeIPA Copr should not maintain system policy for any system, not 
just SELinux.


Ideally, it should have a SELinux policy module that would be compiled for 
SELinux only and that would only contain the additional policy required by IPA 
on top of 7.0.


But this is not a priority for now and we do not have enough capacity for it ATM. 
But if anyone wishes to contribute that part, doors are open :-)


Martin

On 11/19/2014 05:56 PM, Bill Peck wrote:


Hi Martin,

Yes, setting selinux to permissive allowed me to install and configure IPA 4.1
on CentOS 7.

:-)

On Wed, Nov 19, 2014 at 11:41 AM, Martin Kosek mko...@redhat.com wrote:

It is highly probable the issue is caused by SELinux (check for AVCs in
/var/log/audit/audit.log).

Can you try with SELinux permissive? We specifically did not build
selinux-policy as we do not think we should be the ones maintaining it for
CentOS.

HTH,
Martin

- Original Message -
  From: Bill Peck b...@pecknet.com
  To: Martin Kosek mko...@redhat.com
  Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
  Sent: Wednesday, November 19, 2014 5:34:10 PM
  Subject: Re: [Freeipa-users] freeipa-server from copr repo
 
  Hi Marin,
 
  I was able to install from the copr repo now as well.  Thank you!
 
  However I wasn't able to finish the install:
 
[23/27]: configure certmonger for renewals
[24/27]: configure certificate renewals
[error] DBusException: org.fedorahosted.certmonger.bad_arg: The 
location
  /etc/pki/pki-tomcat/alias could not be accessed due to insufficient
  permissions.
 
 
  Don't know if you need the command for how I was installing ipa.  But 
here
  is the line from my anseible playbook.
  shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
  }} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
  --forwarder={{ dnsforwarder }} -U creates={{ slapd }}
 
  On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:
 
   On 11/19/2014 11:57 AM, Tamas Papp wrote:
I am good in waiting;)
   
Thanks for the prompt reply.
  
   Ok Tamas, I think we *finally* got somewhere. Can you please try the
   mkosek/freeipa Copr repo now?
  
   I was able to install upstream freeipa-server 4.1.1 package on my
   RHEL-7.0
   machine (should be the same for CentOS) and run ipa-server-install:
  
   # yum install freeipa-server --enablerepo=mkosek-freeipa
   ...
   Resolving Dependencies
   -- Running transaction check
   --- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be
installed
   ...
   Transaction Summary
  
  


   Install  1 Package  (+338 Dependent packages)
   Upgrade (  11 Dependent packages)
  
   Total download size: 146 M
   ...
  
   # rpm -q freeipa-server
   freeipa-server-4.1.1-1.2.el7.centos.x86_64
  
   # ipa-server-install --setup-dns
  
   # kinit admin
   Password for ad...@example.com:
  
   Thanks,
   Martin
  
  
 






Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Tamas Papp

hi Martin,

Much better:)
Unfortunately not perfect yet.

[...]
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa : ERROR Named service failed to start (Command 
''/bin/systemctl' 'restart' 'named-pkcs11.service'' returned non-zero 
exit status 1)

named service failed to start

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' 
returned non-zero exit status 1



This helped:

chmod 777 /var/named/dyndb-ldap/ipa/

Probably chown or chgrp named would be just enough.


Cheers,
tamas

On 11/19/2014 05:41 PM, Martin Kosek wrote:

It is highly probable the issue is caused by SELinux (check for AVCs in 
/var/log/audit/audit.log).

Can you try with SELinux permissive? We specifically did not build 
selinux-policy as we do not think we should be the ones maintaining it for 
CentOS.

HTH,
Martin

- Original Message -

From: Bill Peck b...@pecknet.com
To: Martin Kosek mko...@redhat.com
Cc: Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com
Sent: Wednesday, November 19, 2014 5:34:10 PM
Subject: Re: [Freeipa-users] freeipa-server from copr repo

Hi Marin,

I was able to install from the copr repo now as well.  Thank you!

However I wasn't able to finish the install:

   [23/27]: configure certmonger for renewals
   [24/27]: configure certificate renewals
   [error] DBusException: org.fedorahosted.certmonger.bad_arg: The location
/etc/pki/pki-tomcat/alias could not be accessed due to insufficient
permissions.


Don't know if you need the command for how I was installing ipa.  But here
is the line from my anseible playbook.
shell: ipa-server-install -a {{ adminpassword }} --hostname={{ servername
}} -r {{ realm }} -p {{ directorypassword }} -n {{ domain }} --setup-dns
--forwarder={{ dnsforwarder }} -U creates={{ slapd }}

On Wed, Nov 19, 2014 at 11:23 AM, Martin Kosek mko...@redhat.com wrote:


On 11/19/2014 11:57 AM, Tamas Papp wrote:

I am good in waiting;)

Thanks for the prompt reply.

Ok Tamas, I think we *finally* got somewhere. Can you please try the
mkosek/freeipa Copr repo now?

I was able to install upstream freeipa-server 4.1.1 package on my
RHEL-7.0
machine (should be the same for CentOS) and run ipa-server-install:

# yum install freeipa-server --enablerepo=mkosek-freeipa
...
Resolving Dependencies
-- Running transaction check
--- Package freeipa-server.x86_64 0:4.1.1-1.2.el7.centos will be installed
...
Transaction Summary


Install  1 Package  (+338 Dependent packages)
Upgrade (  11 Dependent packages)

Total download size: 146 M
...

# rpm -q freeipa-server
freeipa-server-4.1.1-1.2.el7.centos.x86_64

# ipa-server-install --setup-dns

# kinit admin
Password for ad...@example.com:

Thanks,
Martin






Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek

On 11/19/2014 09:23 PM, Tamas Papp wrote:

hi Martin,

Much better:)
Unfortunately not perfect yet.

[...]
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
ipa : ERROR Named service failed to start (Command ''/bin/systemctl'
'restart' 'named-pkcs11.service'' returned non-zero exit status 1)
named service failed to start

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'ipa.service'' returned
non-zero exit status 1


This helped:

chmod 777 /var/named/dyndb-ldap/ipa/

Probably chown or chgrp named would be just enough.


Cheers,
tamas


Ah, yes. This one is not a problem with the CentOS port, but rather existing 
problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all platforms, 
including Fedora 21 and CentOS.


See upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Until this is fixed, correct workaround is to chown this directory by 
named:named and chmod rights to 0770.


I will check with the team when 4.1.2 is about to be released; if it is not soon, I 
can just add the patch to the 4.1.1 in Copr repo.


Martin



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Tamas Papp


On 11/19/2014 09:29 PM, Martin Kosek wrote:


Ah, yes. This one is not a problem with the CentOS port, but rather 
existing problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 
on all platforms, including Fedora 21 and CentOS.


See upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Until this is fixed, correct workaround is to chown this directory by 
named:named and chmod rights to 0770.


I will with the team when 4.1.2 is about to be released, if it is not 
soon, I can just add the patch to the 4.1.1 in Copr repo.


Thanks for all.

Just a question. My understanding is that 4.x will not hit RH 7 ever.
So for IPA 4.x we have to wait until RH8, am I correct?

Thanks,
tamas



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Martin Kosek

On 11/19/2014 10:24 PM, Tamas Papp wrote:


On 11/19/2014 09:29 PM, Martin Kosek wrote:


Ah, yes. This one is not a problem with the CentOS port, but rather existing
problem in FreeIPA 4.1.1 which will be fixed in FreeIPA 4.1.2 on all
platforms, including Fedora 21 and CentOS.

See upstream ticket:
https://fedorahosted.org/freeipa/ticket/4716

Until this is fixed, correct workaround is to chown this directory by
named:named and chmod rights to 0770.

I will with the team when 4.1.2 is about to be released, if it is not soon, I
can just add the patch to the 4.1.1 in Copr repo.


Thanks for all.

Just a question. My understanding is that 4.x will not hit RH 7 ever.
So for IPA 4.x we have to wait until RH8, am I correct?

Thanks,
tamas


Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release - so you 
can look forward to that :-)


Martin



Re: [Freeipa-users] freeipa-server from copr repo

2014-11-19 Thread Tamas Papp


On 11/19/2014 10:27 PM, Martin Kosek wrote:


Actually no, FreeIPA 4.1 is planned to be included in RHEL-7.1 release 
- so you can look forward to that :-)


Very good!

Then everything is good for testing:)


t



[Freeipa-users] buggered 389?

2014-11-19 Thread Richard Betel
I suddenly started getting errors when I try to use ipa-getkeytab:

[root@ipa1 kerberize]# ipa-getkeytab -s jn01 -p hdfs/jn01 -k
jn01.hdfs.keytab
SASL Bind failed Can't contact LDAP server (-1) !

ldap seems to be answering on the non-SASL port (i.e. ldapsearch -x -h
localhost CN=richard works fine) but if I don't use the -x, I get:
ldapsearch  -h localhost CN=richard
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:


I'm kinda at a loss for how to debug this. I'm not really finding any
errors in the dirsrv logs, just a warning that my DB is bigger than the
cache. I'd appreciate some ideas on where to look.

[Freeipa-users] DNS forwarders

2014-11-19 Thread Rolf Nufable
I have a quick question Do I need to configure the forwarders of freeipa-server 
4.1.1 when doing the freeipa-install-server?
I forgot the reason why I don't need to because my email suddenly deleted that 
message from Martin, and now I can't remember why or how not to include a 
forwarder, and how to add a forwarder manually.. 
TIA

Re: [Freeipa-users] DNS forwarders

2014-11-19 Thread Rolf Nufable
I've installed freeipa 4.1.1 --setup-dns --no-forwarders so far the 
installation went well .. but I need to configure freeipa server as a forwarder 
right?
so I used the web UI and added the freeipaserver ip as a forwarder, then I 
rebooted the freeipa server.
after the reboot I couldn't access the web browser. 
Any idea on how can I fix this?? 
TIA 

 On Wednesday, November 19, 2014 7:41 PM, Rolf Nufable 
rolf_16_nufa...@yahoo.com wrote:
   

 I have a quick question Do I need to configure the forwarders of 
freeipa-server 4.1.1 when doing the freeipa-install-server?
I forgot the reason why I don't need to because my email suddenly deleted that 
message from Martin, and now I can't remember why or how not to include a 
forwarder, and how to add a forwarder manually.. 
TIA


[Freeipa-users] Freeipa Forwarders

2014-11-19 Thread Rolf Nufable
I have a quick question Do I need to configure the forwarders of freeipa-server 
4.1.1 when doing the freeipa-install-server?
I forgot the reason why I don't need to because my email suddenly deleted that 
message from Martin, and now I can't remember why or how not to include a 
forwarder, and how to add a forwarder manually.. 

**UPDATE 
I've installed freeipa 4.1.1 --setup-dns --no-forwarders so far the 
installation went well .. but I need to configure freeipa server as a forwarder 
right?
so I used the web UI and added the freeipaserver ip as a forwarder, then I 
rebooted the freeipa server.
after the reboot I couldn't access the web browser. 
Any idea on how can I fix this?? 
TIA