Re: [Freeipa-users] stickybits and freeipa
Hi,
I have made a trace with gdb, and this is the output from that. So it looks like the suid user isn't found.

Program received signal SIGSEGV, Segmentation fault.
0x08518f44 in utilcuti_GetUsrid(void) ()
Missing separate debuginfos, use: debuginfo-install (package list omitted)
(gdb) bt
#0  0x08518f44 in utilcuti_GetUsrid(void) ()
#1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const *, char *, char const *) ()
#2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char const *, char const *, char const *, char const *, char *, char const *, char *) ()
#3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const &, int) ()
#4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const &, int) ()
#5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
#6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
#7  0x083b3854 in Document::Delete(void) ()
#8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
#9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
#10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
#11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
#12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
#13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
#14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
#15 0x081b2aee in EXECUTECMD::File(PSTRING const &, PSTRING const &) ()
#16 0x081b3a4e in EXECUTECMD::Link(PSTRING const &, PSTRING const &) ()
#17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
#18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
#19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
#20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
#21 0x081af72b in KEY_T::Execute(void) ()
#22 0x081b3f26 in EXECUTECMD::Function(PSTRING const &, PSTRING const &, int, JSTRING const &) ()
#23 0x08059106 in EXCO::Initiate(void) ()
#24 0x0805a355 in EXCO::Edit(void) ()
#25 0x080544f5 in main ()

// Richard

2015-06-15 15:34 Simo Sorce wrote:
On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
Hi,
We are about to implement freeipa in our environment. During some tests we have discovered problems when we are trying to run scripts with the suid bit set. It looks like the system is trying to authenticate the suid user against freeipa, but since the suid user doesn't have a valid ticket, the script will not run. I would need some help to get around this problem. Is it possible to configure a keytab for the suid user so that this user always has a valid ticket?

Hi Richard,
it is unclear to me what problem you are having. Can you provide some log or output you receive when running commands that do not work as you expect?
The kernel doesn't really care (nor try) to authenticate users when the suid bit is set, so there must be some other component involved that is causing you trouble.

Simo.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration error?
On 6/15/15 6:36 AM, Rob Crittenden wrote:
Usually means there is a replication conflict entry.

On 6/15/15 1:12 PM, Rob Crittenden wrote:
You may be able to get more details on what failed by looking at the LDAP access log of both LDAP servers, though I guess I'd expect this happened locally on the IPA box.

On 06/16/2015 05:07 AM, Janelle wrote:
Hi again,
I have been trying to follow this procedure for replication conflicts regarding nsds5ReplConflict, where I had the two account duplicates, but no matter what, I still get:

modifying rdn of entry nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
ldap_rename: Constraint violation
additional info: Another entry with the same attribute value already exists (attribute: uid)

when I am trying to run the modrdn (ldapmodify) command, which simply refuses to work. I have been at it for over a week now with no luck. I think this is the last of my issues causing my replication problems. What caused this is that I do have multiple helpdesk personnel that had been updating user accounts. This process has been resolved, but we can't seem to remove the last few duplicates. Any suggestions? Is there a missing step in conflict resolution perhaps?

On 06/16/2015 09:02 AM, Ludwig Krispenz wrote:
These entries are already a result of conflict resolution. If you add the same entry simultaneously on two servers (meaning add it on A and add it on B before B has received the replicated add from A), there exist two entries with the same dn, which is not possible. So conflict resolution does not arbitrarily throw one away, but renames it and leaves it to the admin which one to keep. So you should have one entry uid=janelle,... and one nsuniqueid=+uid=janelle,

On Jun 16, 2015, at 01:56, thierry bordaz tbor...@redhat.com wrote:
The error you get is coming from 'uid uniqueness'. Like Ludwig mentioned, there exist duplicated entries, both of them 'uid=janelle'. The 'uid uniqueness' plugin prevents you from doing a direct MODRDN on one of them because it finds a duplicated 'uid=janelle'. You can delete the nsuniqueid= entry to get rid of it.

+1 thierry
There is a request to hide these nsuniqueid+uid entries from regular searches, it will be in a next release of 389
Ludwig

On 06/16/2015 02:08 PM, Janelle wrote:
But everything I try to delete fails. Is there a procedure in 389-DS I can read for this? Maybe I am missing an option in ldapmodify? I am happy to delete, if only it would let me.

On 06/16/2015 06:18 AM, Ludwig Krispenz wrote:
hm, it should be straightforward:

ldapmodify -D <user which has permissions to delete> ..
dn: nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
changetype: delete

if it fails, what is the error you get ?

This is probably https://fedorahosted.org/389/ticket/48133 which is fixed in 389-ds-base-1.2.11.15-53.el6

~J
[Freeipa-users] Host don't update DNS
Hi guys,
How do I force the host to update its own DNS record?

--
*Esdras La-Roque*
Re: [Freeipa-users] Host don't update DNS
On 16/06/15 15:32, Esdras La-Roque wrote:
Hi guys,
How do I force the host to update its own DNS record?

Hello,
SSSD does the synchronization automatically. (dyndns_update=true in sssd.conf)
We need more info: Do you have integrated DNS? If yes, have you enabled dynamic updates for the particular zone? What is your IPA version?

Martin
--
Martin Basti
Re: [Freeipa-users] Host don't update DNS
Thanks! I put dyndns_update=true in sssd.conf only and that works fine!

2015-06-16 10:51 GMT-03:00 Martin Basti mba...@redhat.com:
SSSD does the synchronization automatically. (dyndns_update=true in sssd.conf)

--
*Esdras La-Roque*
Systems Analyst and Developer
Master's student in Computer Science
LPI-1 | Linux Professional Institute - Level 1
MCITP | Microsoft Virtualization Administrator
NCLA | Novell Certified Linux Administrator
DCTS | Data Center Technical Specialist
Re: [Freeipa-users] stickybits and freeipa
On Tue, 2015-06-16 at 14:50 +0200, richard wrote:
Hi, I have made a trace with gdb, and this is the output from that. So it looks like the suid user isn't found.

Hi Richard,
this looks like a bug in the application you are using, as a failure to look up a user (if that is the case) should never end up with a segfault. I would contact that application developer and file a bug with them.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] replication conflicts
On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
Hello.
Just to remind, if somebody is still not familiar with our IPA installation :) We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?
Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while the doubles are still present.
Thanks in forward...

On Tuesday, June 16, 2015 3:52 PM, Ludwig Krispenz wrote:
if you are talking about having two duplicate entries,
one: uid=x,suffix
one: nsuniqueid=+uid=x,suffix
these entries appear if the entry uid=x was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server. to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

On 06/16/2015 12:44 PM, Alexander Frolushkin wrote:
It looks like our duplicates have some internal source; its source is not a client system, but one of our IPA servers.
Is it possible to get such duplicate records in combination of replication multipath and some clock skew (it is not ideally synchronized because of very big distances between sites)?

On Tuesday, June 16, 2015 5:30 PM, Ludwig Krispenz wrote:
to get this kind of conflict two servers have to be involved. if you say internal source, what kind of entries are affected ? do you mean these entries are created internally on the server by a plugin ?
the clock skew should have no effect, the replication protocol additionally manages its own time used in the generation of CSNs and tries to synchronize time, it could affect the order changes are applied during replication, but for these conflicts there have to be two independent ADDs

Alexander Frolushkin wrote:
One example of a duplicate:
krbprincipalname=HTTP/nw-rhidm02.unix.megafon...@unix.megafon.ru+nsuniqueid=5a726d95-0e9611e5-8418a085-d3870578,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru
the original one:
krbprincipalname=HTTP/nw-rhidm02.unix.megafon...@unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru
On three servers placed on one site we have such duplicates. On all other servers we have only the record with the normal name, with the content of the record which has +nsuniqueid=5a726d95-0e9611e5-8418a085-d3870578 on the affected servers. Plus we have one record with no original one, only the name with +nsuniqueid, and no such record on all other servers.

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof.
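The clean-up Ludwig describes (delete the nsuniqueid+uid copy when the original still exists, since a modrdn trips the uid uniqueness plugin) and Alexander's mixed case (duplicates plus one orphaned +nsuniqueid record with no original) can be scripted from an ldapsearch dump. The following is an added example, not code from the thread or from 389-ds/FreeIPA; the sample LDIF, the host.example.com service and the EXAMPLE.COM realm are constructed, while the two nsuniqueid values are the ones quoted in the threads.

```python
"""Plan the clean-up of 389-DS replication conflict entries from an LDIF dump.

Added example (not code from the thread or from 389-ds/FreeIPA): it pairs each
renamed conflict entry (nsuniqueid=<id>+<rdn> or <rdn>+nsuniqueid=<id>) with
its original DN and drafts LDIF for an admin to review: 'changetype: delete'
for the duplicate when the original still exists (a modrdn would hit the uid
uniqueness plugin, as in the thread), and a modrdn back to the original name
when no original exists on this server.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample LDIF, shaped like the output of
#   ldapsearch -LLL -b cn=accounts,dc=example,dc=com '(|(uid=janelle)(nsds5ReplConflict=*))'
# The nsuniqueid values come from the threads; service name and domain are invented.
SAMPLE_LDIF = """\
dn: uid=janelle,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: janelle

dn: nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: janelle
nsds5ReplConflict: namingConflict uid=janelle,cn=users,cn=accounts,dc=example,dc=com

dn: krbprincipalname=HTTP/host.example.com@EXAMPLE.COM+nsuniqueid=5a726d95-0e9611e5-8418a085-d3870578,cn=services,cn=accounts,dc=example,dc=com
objectClass: ipaservice
krbprincipalname: HTTP/host.example.com@EXAMPLE.COM
nsds5ReplConflict: namingConflict krbprincipalname=HTTP/host.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
"""

NSUNIQUEID_RDN = re.compile(r"nsuniqueid=[0-9a-f-]+", re.IGNORECASE)


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, folded
    continuation lines (leading space) unfolded. Base64 ('::') values and
    escaped commas in DNs are not handled; they do not occur in this output."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs: Entry = {}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append(attrs)
    return entries


def original_dn(conflict_dn: str) -> str:
    """Drop the nsuniqueid=<id> component from a multi-valued conflict RDN.
    Handles both 'nsuniqueid=X+uid=y,...' and 'uid=y+nsuniqueid=X,...'."""
    rdn, sep, parent = conflict_dn.partition(",")
    kept = [part for part in rdn.split("+") if not NSUNIQUEID_RDN.fullmatch(part)]
    return "+".join(kept) + sep + parent


def is_conflict(entry: Entry) -> bool:
    """Conflict entries carry nsds5ReplConflict and/or an nsuniqueid RDN component."""
    rdn = entry["dn"][0].partition(",")[0]
    return "nsds5replconflict" in entry or ("+" in rdn and bool(NSUNIQUEID_RDN.search(rdn)))


def plan_cleanup(entries: List[Entry]) -> Tuple[List[str], List[str]]:
    """Split conflict entries into duplicates (original DN present, safe to
    delete) and orphans (no original on this server, candidate for a rename)."""
    present = {e["dn"][0].lower() for e in entries}
    duplicates: List[str] = []
    orphans: List[str] = []
    for entry in entries:
        if not is_conflict(entry):
            continue
        dn = entry["dn"][0]
        (duplicates if original_dn(dn).lower() in present else orphans).append(dn)
    return duplicates, orphans


def cleanup_ldif(duplicates: List[str], orphans: List[str]) -> str:
    """Draft LDIF for review; feed it to ldapmodify only after confirming the
    duplicate really is the copy to discard."""
    ops: List[str] = []
    for dn in duplicates:
        ops.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in orphans:
        new_rdn = original_dn(dn).partition(",")[0]
        # nsuniqueid is an operational attribute that stays on the entry: deleteoldrdn 0
        ops.append(f"dn: {dn}\nchangetype: modrdn\nnewrdn: {new_rdn}\ndeleteoldrdn: 0\n")
    return "\n".join(ops)


if __name__ == "__main__":
    dups, orph = plan_cleanup(parse_ldif(SAMPLE_LDIF))
    print(cleanup_ldif(dups, orph))
```

Run it against the real dump only after comparing the two copies (as Ludwig says, conflict resolution leaves the choice of which one to keep to the admin).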
[Freeipa-users] Question for AD trust and Webservices
Hi,
I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to log in with a user from the Active Directory Domain to a web service (like redmine) which is configured against the IPA LDAP? I understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

===
Henry Hofmann
Re: [Freeipa-users] Migration error?
Good morning,
Just a quick note. I hope that all my questions do not make anyone on the DEV Team think that I do not support FreeIPA wholly and completely. I am a huge fan of this package and have in fact discussed with several of my clients (I'm a consultant of course) who have purchased RH support contracts just because of this. The product is wonderful and has the potential of being even better as you continue to add new features. Thank you so much for all the support you have provided. I hope RH understands too that many new customers come from recommendations from us consultant-types :-)
Ok, so I just wanted to throw that in this thread -- a big THANK YOU to the IPA Team and all the work accomplished so far. You are the best!

~Janelle
Re: [Freeipa-users] Migration error?
On 06/16/2015 03:54 PM, Janelle wrote:
Ok, so I just wanted to throw that in this thread -- a big THANK YOU to the IPA Team and all the work accomplished so far. You are the best!

thanks, and don't worry. we need people like you, consistently, patiently pushing us to resolve things. And believe me, the corrupted RUVs haunt me as much as you

Ludwig
Re: [Freeipa-users] Migration error?
-----Original Message-----
From: freeipa-users-boun...@redhat.com On Behalf Of Janelle
Sent: Tuesday, June 16, 2015 6:55 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Migration error?

Ok, so I just wanted to throw that in this thread -- a big THANK YOU to the IPA Team and all the work accomplished so far. You are the best!

Seconded!
Re: [Freeipa-users] CentOS 6.6 Installation Issues
On 16.6.2015 19:15, Randall Harrison wrote:
Hello freeipa!
I am having difficulty installing freeipa on a freshly installed CentOS 6.6 box. I have not had this problem on previous CentOS releases, and it installed with no problems on a CentOS 7.1 box. Here is a list of steps I took to install:
1.) Disable SELinux and IPtables (for testing purposes only)
2.) reboot
3.) yum update
4.) reboot
5.) yum install ipa-server bind bind-dyndb-ldap
6.) ipa-server-install --setup-dns
7.) the install script errors out
I have attached the ipa-server install log and pki-ca log. All help is appreciated!

We never test with SELinux disabled - and the logs show some errors related to SEmanage. It might be an innocent error but it also might be a real problem. Please retest with SELinux enabled and let us know if it makes any difference or not.

--
Petr^2 Spacek
Re: [Freeipa-users] CentOS 6.6 Installation Issues
(First of all, always Cc the list. I'm adding it back to the loop.)

Interesting. Which versions of packages do you have installed?
$ rpm -qa 'ipa*' 'java-*' 'pki*'

Dogtag might not work if you have java-1.8.0 installed. To eliminate this problem I would recommend you to leave only java-1.7.0 installed on the system. (Again - I'm not sure because I'm not a Dogtag expert.)

Petr^2 Spacek

On 16.6.2015 19:56, Randall Harrison wrote:
It errored out the same on this install. Here are the updated log files.

On Tue, Jun 16, 2015 at 10:34 AM, Randall Harrison randall.harriso...@gmail.com wrote:
Ok, I will test that and let you know!
Re: [Freeipa-users] CentOS 6.6 Installation Issues
Yes, please remove java 1.8.0*

This is an unfortunate and known issue caused by over-enthusiastic people doing the Software Collections project who released 1.8 Java directly into the release tree. We have a bug for it where dogtag does introduce some dependency requirements to weed out java-1.8.0 on RHEL 6.x but this fix is not yet released.

- Original Message -
Ok, here are the versions you requested:

IPA
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64

JAVA:
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64

PKI:
pki-ca-9.0.3-38.el6_6.noarch
pki-common-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-util-9.0.3-38.el6_6.noarch
pki-symkey-9.0.3-38.el6_6.x86_64
pki-silent-9.0.3-38.el6_6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-selinux-9.0.3-38.el6_6.noarch

On Tue, Jun 16, 2015 at 11:18 AM, Petr Spacek pspa...@redhat.com wrote:
Interesting. Which versions of packages do you have installed?
$ rpm -qa 'ipa*' 'java-*' 'pki*'
Dogtag might not work if you have java-1.8.0 installed.

--
/ Alexander Bokovoy
[Freeipa-users] Crazy Cert problem?

Hi,

Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However, prior to the re-install it was saying the wonderful:

TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

It was rebuilt - new OS and doing a brand new ipa-server-install (NOT a replica or trying to join it back in to the existing ring of servers) and at the end of the ipa-server-install - it gives:

Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Restarting the web server
Unable to set admin password Command ''/usr/bin/ldappasswd' '-h' 'ipa001.example.com' '-ZZ' '-x' '-D' 'cn=Directory Manager' '-y' '/var/lib/ipa/tmp5Fxy2Z' '-T' '/var/lib/ipa/tmpnz0jLs' 'uid=admin,cn=users,cn=accounts,dc=example,dc=com'' returned non-zero exit status 1
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'example.com' '--server' 'ipa001.example.com' '--realm' 'example.com' '--hostname' 'ipa001.example.com'' returned non-zero exit status 1

and checking /var/log/ipaclient-install.log - the exact same TLS error.

But this is a brand new system, with brand new OS and the install was ipa-server-install to install a clean server. I don't understand how this is happening. There is no peer to be not trusted?

~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] CentOS 6.6 Installation Issues

Ok, Here are the versions you requested:

IPA
ipa-admintools-3.0.0-42.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-42.el6.centos.x86_64
ipa-client-3.0.0-42.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-42.el6.centos.x86_64
ipa-server-3.0.0-42.el6.centos.x86_64

JAVA:
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64
java-1.8.0-openjdk-headless-1.8.0.45-28.b13.el6_6.x86_64

PKI:
pki-ca-9.0.3-38.el6_6.noarch
pki-common-9.0.3-38.el6_6.noarch
pki-java-tools-9.0.3-38.el6_6.noarch
pki-setup-9.0.3-38.el6_6.noarch
pki-util-9.0.3-38.el6_6.noarch
pki-symkey-9.0.3-38.el6_6.x86_64
pki-silent-9.0.3-38.el6_6.noarch
pki-native-tools-9.0.3-38.el6_6.x86_64
pki-selinux-9.0.3-38.el6_6.noarch

On Tue, Jun 16, 2015 at 11:18 AM, Petr Spacek pspa...@redhat.com wrote:
> (First of all, always Cc the list. I'm adding it back to the loop.)
>
> Interesting. Which versions of packages do you have installed?
>
> $ rpm -qa 'ipa*' 'java-*' 'pki*'
>
> Dogtag might not work if you have java-1.8.0 installed. To eliminate this problem I would recommend you to let only java-1.7.0 installed on the system. (Again - I'm not sure because I'm not a Dogtag expert.)
>
> Petr^2 Spacek
>
> On 16.6.2015 19:56, Randall Harrison wrote:
>> It errored out the same on this install. Here are the updated log files.
>>
>> On Tue, Jun 16, 2015 at 10:34 AM, Randall Harrison randall.harriso...@gmail.com wrote:
>>> Ok, I will test that and let you know!
>>>
>>> On Tue, Jun 16, 2015 at 10:30 AM, Petr Spacek pspa...@redhat.com wrote:
>>>> On 16.6.2015 19:15, Randall Harrison wrote:
>>>>> Hello freeipa!
>>>>>
>>>>> I am having difficulty installing freeipa on a freshly installed CentOS 6.6 box. I have not had this problem on previous CentOS releases, and it installed with no problems on a CentOS 7.1 box.
>>>>>
>>>>> Here is a list of steps I took to install:
>>>>> 1.) Disable SELinux and IPtables (for testing purposes only)
>>>>> 2.) reboot
>>>>> 3.) yum update
>>>>> 4.) reboot
>>>>> 5.) yum install ipa-server bind bind-dyndb-ldap
>>>>> 6.) ipa-server-install --setup-dns
>>>>> 7.) the install script errors out
>>>>>
>>>>> I have attached the ipa-server install log and pki-ca log. All help is appreciated!
>>>>
>>>> We never test with SELinux disabled - and the logs show some errors related to SEmanage. It might be an innocent error but it also might be a real problem. Please retest it with SELinux enabled and let us know if it makes any difference or not.
>>>>
>>>> --
>>>> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Cannot login with GSSAPI to IPA client

I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd 1.11.6-30. The server is CentOS 7 / IPA 4.1.3.

When I try to log in using MIT kerberos and a valid ticket it works on one client, and fails on the other. I have compared the /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/openldap/ldap.conf files on both clients and they are identical (other than the hostnames). I can't seem to find any other difference between the clients. Password authentication works on both machines.

Here is the debug log of the failed login machine (sshd). I think the relevant line is the very last one where it postpones the login for some reason:

Postponed gssapi-with-mic for username from 10.5.5.57 port 15076 ssh2

===
[root@fe1 pam.d]# /usr/sbin/sshd -p 22 -D -ddd -e
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 687
debug2: parse_server_config: config /etc/ssh/sshd_config len 687
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:107 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:120 setting UseDNS no
debug3: /etc/ssh/sshd_config:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:137 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:138 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:139 setting UsePAM yes
debug3: /etc/ssh/sshd_config:140 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='22'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-ddd'
debug1: rexec_argv[5]='-e'
debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 687
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 687
debug3: rexec:21 setting Protocol 2
debug3: rexec:36 setting SyslogFacility AUTHPRIV
debug3: rexec:66 setting PasswordAuthentication yes
debug3: rexec:70 setting ChallengeResponseAuthentication no
debug3: rexec:82 setting GSSAPICleanupCredentials yes
debug3: rexec:98 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: rexec:99 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: rexec:100 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: rexec:101 setting AcceptEnv XMODIFIERS
debug3: rexec:107 setting X11Forwarding yes
debug3: rexec:120 setting UseDNS no
debug3: rexec:130 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: rexec:137 setting KerberosAuthentication no
debug3: rexec:138 setting PubkeyAuthentication yes
debug3: rexec:139 setting UsePAM yes
debug3: rexec:140 setting GSSAPIAuthentication yes
debug3: rexec:141 setting AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 10.5.5.57 port 15076
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.63
debug1: no match: PuTTY_Release_0.63
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string
[Freeipa-users] ssh key issues with IPA enabled servers

Hi,

I am trying to set up ssh keys into an IPA enabled server. This refuses to work, asking for a password each time. If I drop the server out of IPA the ssh keys then work.

I can ssh from a non-IPA RHEL7 server to an IPA enabled server as a non-IPA user fine, but when I try to go to an IPA user it asks for the password.

Am I missing a setting in IPA? Or do I have a bug or ssh setting I am missing?

regards
Steven

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question for AD trust and Webservices

On Tue, 16 Jun 2015, Henry Hofmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I understand this is for applications which are using Kerberos.
No, it is not only for that.

> I have some web applications like redmine and owncloud which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos. And not all of them use apache or tomcat as application server.
For OwnCloud use https://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406 and read a backstory in https://github.com/owncloud/core/issues/10130

For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You don't need to include the user which runs redmine into the shadow group with FreeIPA because user accounts are never in /etc/shadow for FreeIPA, so you don't need that access.

Both these methods rely on PAM authentication which is powered by SSSD.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration error?

On 06/16/2015 05:07 AM, Janelle wrote:
> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>> Janelle wrote:
>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>> Usually means there is a replication conflict entry. You may be able to get more details on what failed by looking at the LDAP access log of both LDAP servers, though I guess I'd expect this happened locally on the IPA box.
>
> Hi again,
>
> I have been trying to follow this procedure for replication conflicts regarding nsds5ReplConflict, where I had the two account duplicates, but no matter what, I still get:
>
> modifying rdn of entry nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
> ldap_rename: Constraint violation
> additional info: Another entry with the same attribute value already exists (attribute: uid)
>
> When I am trying to run the modrdn (ldapmodify) command? Which simply refuses to work. I have been at it for over a week now with no luck. I think this is the last of my issues causing my replication problems. What caused this is that I do have multiple helpdesk personnel that had been updating user accounts. This process has been resolved, but we can't seem to remove the last few duplicates.
>
> Any suggestions? Is there a missing step in conflict resolution perhaps?
These entries are already a result of conflict resolution. If you add the same entry simultaneously on two servers (meaning add it on A and add it on B before B has received the replicated add from A), there exist two entries with the same dn, which is not possible. So conflict resolution does not arbitrarily throw one away, but renames it and leaves it to the admin which one to keep. So you should have one entry uid=janelle,... and one nsuniqueid=+uid=janelle; you can delete the nsuniqueid= entry to get rid of it.

There is a request to hide these nsuniqueid+uid entries from regular searches; it will be in a next release of 389.

Ludwig

> ~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Question for AD trust and Webservices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to log in with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP? I have understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

===
Henry Hofmann

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.1.0 (Build 860)
Charset: us-ascii

wsBVAwUBVX/RmXEu+nQzo7NUAQiEhwf/TTnwzqWoQY9VqfrxtJ0uDYyQhFd/hinv
Bx6GZAGTHN3laughfXsdXMqDC8Dc51ZYsTf5SBYxuzu52dtkiG/vAs8q6tjNU/Cq
LjFDoE7EwTLFOvpE1HTkGwDZZZBfEpwimhq6urvTMLDRyTS0cgZaCCn/Do+P0EnB
kcv9QYmSLS/vB4yOSLAKheX7u+HXJ9mCX98bkXmwWO6ZLXmNKSjfDAXNKVWAjPJT
EXjj9Mngdwx2vSAZNycqeNGGs80W14YrZWBMuXqbyf22IZ6oMHowdYuxUnE4YCfe
5fFr/XVNXq8Ap4mxhtp6S129pHb0JYcHem0Y1Jp7F+0uxlaS3N1jzg==
=ePi1
-----END PGP SIGNATURE-----

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question for AD trust and Webservices

On 16.6.2015 09:34, Henry Hofmann wrote:
> Hi,
>
> I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to log in with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP? I have understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

Best solution is to use something like this:
http://www.freeipa.org/page/Web_App_Authentication

Alternatively you should be able to treat the web application as a 'legacy' LDAP client (which is not trust-aware) and use the so-called compat tree. Please see the presentation "AD Trust for Legacy Clients" by Tomas Babej:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration error?

On 06/16/2015 09:02 AM, Ludwig Krispenz wrote:
> On 06/16/2015 05:07 AM, Janelle wrote:
>> On 6/15/15 1:12 PM, Rob Crittenden wrote:
>>> Janelle wrote:
>>>> On 6/15/15 6:36 AM, Rob Crittenden wrote:
>>> Usually means there is a replication conflict entry. You may be able to get more details on what failed by looking at the LDAP access log of both LDAP servers, though I guess I'd expect this happened locally on the IPA box.
>>
>> Hi again,
>>
>> I have been trying to follow this procedure for replication conflicts regarding nsds5ReplConflict, where I had the two account duplicates, but no matter what, I still get:
>>
>> modifying rdn of entry nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
>> ldap_rename: Constraint violation
>> additional info: Another entry with the same attribute value already exists (attribute: uid)
>>
>> When I am trying to run the modrdn (ldapmodify) command? Which simply refuses to work. I have been at it for over a week now with no luck. I think this is the last of my issues causing my replication problems. What caused this is that I do have multiple helpdesk personnel that had been updating user accounts. This process has been resolved, but we can't seem to remove the last few duplicates.
>>
>> Any suggestions? Is there a missing step in conflict resolution perhaps?
> These entries are already a result of conflict resolution. If you add the same entry simultaneously on two servers (meaning add it on A and add it on B before B has received the replicated add from A), there exist two entries with the same dn, which is not possible. So conflict resolution does not arbitrarily throw one away, but renames it and leaves it to the admin which one to keep. So you should have one entry uid=janelle,... and one nsuniqueid=+uid=janelle,
The error you get is coming from 'uid uniqueness'. Like Ludwig mentioned, there exist duplicated entries, both of them 'uid=janelle'. The 'uid uniqueness' plugin prevents you from doing a direct MODRDN on one of them because it finds a duplicated 'uid=janelle'.

> you can delete the nsuniqueid= entry to get rid of it.
+1

thierry

> There is a request to hide these nsuniqueid+uid entries from regular searches; it will be in a next release of 389.
>
> Ludwig
>
>> ~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] replication conflicts

It looks like our duplicates have some internal source; its source is not a client system, but one of our IPA servers.

Is it possible to get such duplicate records in combination of replication multipath and some clock skew (it is not ideally synchronized because of very big distances between sites)?

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replication conflicts

> On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
>> Hello.
>> Just to remind if somebody is still not familiar with our IPA installation :) We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>> And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?
> if you are talking about having two duplicate entries,
> one: uid=x,suffix
> one: nsuniqueid=+uid=x,suffix
> these entries appear if the entry uid=x was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
> to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it
>> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
>> Thanks in forward...
>>
>> WBR,
>> Alexander Frolushkin
>> Cell +79232508764
>> Work +79232507764

The information in this message is intended solely for the specific persons to whom it is addressed. The message may contain confidential information that may not be disclosed or used by anyone other than the addressees. If you are not an addressee of this message, any use, forwarding, copying or distribution of the contents of the message or any part of it is illegal and prohibited. If you have received this message in error, please notify the sender immediately and delete the message itself together with all its contents and any copies and attachments.

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] replication conflicts

Hello.

Just to remind if somebody is still not familiar with our IPA installation :) We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.

And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?

Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.

Thanks in forward...

WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764

The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question for AD trust and Webservices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I understand this is for applications which are using Kerberos. I have some web applications like redmine and owncloud which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos. And not all of them use apache or tomcat as application server.

Henry

- -----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Dienstag, 16. Juni 2015 10:35
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Question for AD trust and Webservices

On 16.6.2015 09:34, Henry Hofmann wrote:
> Hi,
>
> I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to log in with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP? I have understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).

Best solution is to use something like this:
http://www.freeipa.org/page/Web_App_Authentication

Alternatively you should be able to treat the web application as a 'legacy' LDAP client (which is not trust-aware) and use the so-called compat tree. Please see the presentation "AD Trust for Legacy Clients" by Tomas Babej:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf

- --
Petr^2 Spacek

- --
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.1.0 (Build 860)
Charset: us-ascii

wsBVAwUBVX/vp3Eu+nQzo7NUAQiz7wgAk3a9f8IowhvYgqWZHB7WsKCYpoNOgnI8
OKeRdO7K2uJToZ+AnJfD8CzXgQUPM3avr3KINk7pSGN+Tjv3p9nOrrzNAZu4nLOT
JNrkLxEXqMqv6BhE3LBdCc1mvgbPR4KKKLhwM5UrSEPNNwDBLZk5jc+FflG7PDf7
WxlmYcjpI+XTg3k6b1XXLcprpKRmhk3e9pPv/yRxs3vhxtgaxmZIIqnlcNHsTkI8
H1onvia75Py4PhFZsshX9HdK6dtyof0XJqNZ4flCVjboQR4nEe9ofUnwYjrelbpr
iHzSzKCHZmZnp55Ey8Ox9D5N7TbvmWHVPOXUbjxbPMrKvajA7UfCxw==
=+cZZ
-----END PGP SIGNATURE-----

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Question for AD trust and Webservices

On 16.6.2015 11:43, Henry Hofmann wrote:
> I understand this is for applications which are using Kerberos. I have some web applications like redmine and owncloud which have their own user management. They need to be configured to LDAP to grant authorizations without Kerberos. And not all of them use apache or tomcat as application server.

Yes, use-cases with 'dumb' applications are covered by the "AD Trust for Legacy Clients" presentation as mentioned below. It can be used for any standard-compliant LDAP client.

I hope this helps.

Petr^2 Spacek

> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Dienstag, 16. Juni 2015 10:35
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Question for AD trust and Webservices
>
> On 16.6.2015 09:34, Henry Hofmann wrote:
>> Hi,
>>
>> I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to log in with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP? I have understood this from reading this article (http://www.freeipa.org/page/IPAv3_Architecture#IPA_managed_server_and_Password_based_Login).
>
> Best solution is to use something like this:
> http://www.freeipa.org/page/Web_App_Authentication
>
> Alternatively you should be able to treat the web application as a 'legacy' LDAP client (which is not trust-aware) and use the so-called compat tree. Please see the presentation "AD Trust for Legacy Clients" by Tomas Babej:
> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>
> --
> Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] replication conflicts

On 06/16/2015 11:42 AM, Alexander Frolushkin wrote:
> Hello.
>
> Just to remind if somebody is still not familiar with our IPA installation :) We currently have 18 IPA servers in the domain, on 8 sites in different regions across Russia.
>
> And now, our new problem. Regularly we are getting nsds5ReplConflict records on some of our servers, very often on servers from a specific site. Usually it is simply doubles and we can remove the renamed change to get everything back. But why do we have them at all? Maybe someone could explain how we can detect the cause of these replication conflicts?
if you are talking about having two duplicate entries,
one: uid=x,suffix
one: nsuniqueid=+uid=x,suffix
these entries appear if the entry uid=x was added, simultaneously, on two servers. I think this can happen if a client tries to add an entry and if it doesn't get a response in some time retries on another server.
to find out which client this is you need to check on which servers the entries were originally added and then see which client was doing it

> Sometimes it is moderately harmful, because, for example, HBAC stops working on a specific server while doubles are still present.
>
> Thanks in forward...
>
> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
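The "Migration error?" thread and the "replication conflicts" thread above describe the same situation from two angles: a simultaneous ADD on two masters leaves the original uid=x entry plus a renamed copy whose RDN is nsuniqueid=<id>+uid=x, the uid-uniqueness plugin then refuses a MODRDN of the copy back to uid=x, and the fix Ludwig and thierry give is to delete the nsuniqueid copy. The script below is an added example written for this page; it is not code from the FreeIPA or 389-ds projects nor from anyone in the threads. It assumes you have already fetched the entries (for instance with an ldapsearch for nsds5ReplConflict=* plus the colliding users) into plain Python dicts, that 389-ds records the original DN after the word "namingConflict" in nsds5ReplConflict, and that the sample entries (the janelle pair mirrors the thread, the nsuniqueid value is the one quoted in the ldap_rename error, bob and carol are constructed) stand in for real search results.

```python
"""Identify 389-ds/FreeIPA replication conflict entries and prepare their cleanup."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]  # {"dn": str, "<attribute>": [values...]}

# Constructed sample input, shaped like ldapsearch results under cn=users.
# The janelle pair mirrors the thread (nsuniqueid copied from the quoted
# ldap_rename error); bob and carol are made up for this example.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": "uid=janelle,cn=users,cn=accounts,dc=example,dc=com", "uid": ["janelle"]},
    {"dn": "nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,"
           "cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["janelle"],
     # 389-ds writes 'namingConflict <original dn>' here (assumed format).
     "nsds5ReplConflict": ["namingConflict uid=janelle,cn=users,cn=accounts,dc=example,dc=com"]},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=com", "uid": ["bob"]},
    # A conflict copy returned without its nsds5ReplConflict attribute:
    # it must still be recognised from the multi-valued RDN alone.
    {"dn": "nsuniqueid=00000000-00000000-00000000-00000001+uid=bob,"
           "cn=users,cn=accounts,dc=example,dc=com",
     "uid": ["bob"]},
    {"dn": "uid=carol,cn=users,cn=accounts,dc=example,dc=com", "uid": ["carol"]},
]


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, leaving backslash-escaped separators (RFC 4514 style) intact."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_rdn(dn: str) -> List[Tuple[str, str]]:
    """Return the leftmost RDN as (attribute, value) pairs; '+' joins a multi-valued RDN."""
    pairs = []
    for ava in _split_unescaped(_split_unescaped(dn, ",")[0], "+"):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def is_conflict_entry(entry: Entry) -> bool:
    """True for the renamed copy: flagged by 389-ds, or carrying nsuniqueid in a multi-valued RDN."""
    if entry.get("nsds5ReplConflict"):
        return True
    attrs = [attr for attr, _ in parse_rdn(str(entry["dn"]))]
    return "nsuniqueid" in attrs and len(attrs) > 1


def original_dn(entry: Entry) -> str:
    """DN the copy collided with: from nsds5ReplConflict if present, else by dropping nsuniqueid from the RDN."""
    flag = entry.get("nsds5ReplConflict")
    if flag:
        return str(flag[0]).split(" ", 1)[1]
    dn = str(entry["dn"])
    kept = "+".join(f"{a}={v}" for a, v in parse_rdn(dn) if a != "nsuniqueid")
    return ",".join([kept] + _split_unescaped(dn, ",")[1:])


def conflict_pairs(entries: List[Entry]) -> Dict[str, Tuple[Optional[Entry], List[Entry]]]:
    """Map each collided DN to (the surviving entry or None, [its renamed conflict copies])."""
    by_dn = {str(e["dn"]).lower(): e for e in entries}
    pairs: Dict[str, Tuple[Optional[Entry], List[Entry]]] = {}
    for entry in entries:
        if is_conflict_entry(entry):
            orig = original_dn(entry)
            pairs.setdefault(orig, (by_dn.get(orig.lower()), []))[1].append(entry)
    return pairs


def blocking_entries(conflict: Entry, entries: List[Entry], attr: str = "uid") -> List[str]:
    """DNs sharing the copy's uid value. The uid-uniqueness plugin sees exactly these
    when a MODRDN back to uid=<value> is attempted, hence the 'Constraint violation'."""
    wanted = {str(v).lower() for v in conflict.get(attr, [])}
    return [str(e["dn"]) for e in entries
            if e is not conflict and wanted & {str(v).lower() for v in e.get(attr, [])}]


def delete_ldif(conflicts: List[Entry]) -> str:
    """LDIF for ldapmodify that removes only the renamed copies, never the original."""
    return "".join(f"dn: {e['dn']}\nchangetype: delete\n\n" for e in conflicts)


if __name__ == "__main__":
    found = conflict_pairs(SAMPLE_ENTRIES)
    for orig, (keeper, copies) in found.items():
        print(f"{orig}: original {'present' if keeper else 'MISSING'}, conflict copies: {len(copies)}")
    print(delete_ldif([c for _, copies in found.values() for c in copies]))
```

Before feeding the generated LDIF to ldapmodify, compare the attributes of the copy with the surviving entry: if the copy carries changes the original lacks (the two ADDs came from different helpdesk operators, as in Janelle's case), merge them into the original first, then delete the nsuniqueid copy. When conflict_pairs reports the original as MISSING, the renamed copy is the only remaining version and should be renamed rather than deleted.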
Re: [Freeipa-users] replication conflicts
On 06/16/2015 12:44 PM, Alexander Frolushkin wrote:
> It looks like our duplicates have some internal source; its source is not a client system, but one of our IPA servers.

to get this kind of conflict two servers have to be involved
if you say internal source, what kind of entries are affected ? do you mean these entries are created internally on the server by a plugin ?

> Is it possible to get such duplicate records in a combination of replication multipath and some clock skew (it is not ideally synchronized because of very big distances between sites)?

the clock skew should have no effect, the replication protocol additionally manages its own time used in generation of CSNs and tries to synchronize time, it could affect the order changes are applied during replication, but for these conflicts there have to be two independent ADDs

> WBR,
> Alexander Frolushkin
> Cell +79232508764
> Work +79232507764
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Ludwig Krispenz
> *Sent:* Tuesday, June 16, 2015 3:52 PM
> *To:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] replication conflicts
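Ludwig's advice above, to check on which servers the duplicate entries were originally added, and his remark that the replication protocol stamps every change with a CSN, can be turned into a triage script. The following is an added example written for this thread, not code from FreeIPA or 389-ds. It relies on two documented facts: a conflict entry carries nsds5ReplConflict with the value "namingConflict <original dn>" and lives under a "nsuniqueid=<uuid>+<rdn>" DN, and a 389-ds CSN is 20 hex characters (8 hex seconds since the epoch, 4 hex sequence number, 4 hex replica id, 4 hex sub-sequence). The LDIF, the createCSN attribute and the replica-id-to-server map are constructed assumptions standing in for the entry state information (nscpEntryWSI) or changelog you would consult on a real server.

```python
"""Triage 389-ds / FreeIPA naming-conflict entries from an LDIF dump.

Added example for this thread, not code from the FreeIPA or 389-ds projects.
ASSUMPTION: the CSN of the ADD that created each entry is read from a
constructed "createCSN" attribute; on a real server it comes from the entry's
state information (nscpEntryWSI) or the replication changelog.
"""
import re
from datetime import datetime, timezone

# A 389-ds CSN: 8 hex time, 4 hex seq, 4 hex replica id, 4 hex subseq.
CSN_RE = re.compile(r"^[0-9a-f]{20}$")
# Newer servers write "namingConflict (ADD) <dn>"; older ones omit the operation.
CONFLICT_RE = re.compile(r"^namingConflict(?: \([A-Z]+\))? (.+)$")

# Constructed replica-id -> server map (placeholder hostnames, not real hosts).
REPLICA_IDS = {4: "ipa-siteA-1.example.test", 11: "ipa-siteB-2.example.test"}

# Constructed sample dump: uid=x was added on replica 4 and, two seconds later,
# on replica 11; the second ADD was renamed into a conflict entry.
SAMPLE_LDIF = """\
# constructed sample, not a real dump
dn: uid=x,cn=users,cn=accounts,dc=example,dc=test
uid: x
createCSN: 557fe3a0000000040000

dn: nsuniqueid=2b5d1e01-1234abcd-9c0f5e11-00000000+uid=x,cn=users,cn=accounts,dc=example,dc=test
uid: x
nsds5ReplConflict: namingConflict uid=x,cn=users,cn=accounts,dc=example,dc=test
createCSN: 557fe3a20000000b0000

dn: uid=y,cn=users,cn=accounts,dc=example,dc=test
uid: y
createCSN: 557fe3a0000000040001
"""


def parse_csn(csn):
    """Split a 20-hex-char CSN into time, seq, rid and subseq."""
    if not CSN_RE.match(csn):
        raise ValueError("bad CSN: %r" % csn)
    return {
        "time": int(csn[0:8], 16),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one attribute per line
    (no continuation lines or base64 values, which the sample does not use)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries


def describe_add(entry):
    """Which replica performed the ADD and when, decoded from its CSN."""
    csn = parse_csn(entry["createcsn"][0])
    return {
        "rid": csn["rid"],
        "server": REPLICA_IDS.get(csn["rid"], "unknown rid %d" % csn["rid"]),
        "added_at": datetime.fromtimestamp(csn["time"], timezone.utc).isoformat(),
    }


def find_conflicts(entries):
    """Pair each renamed conflict entry with the entry that kept the original DN."""
    by_dn = {e["dn"][0].lower(): e for e in entries}
    report = []
    for e in entries:
        if "nsds5replconflict" not in e:
            continue
        m = CONFLICT_RE.match(e["nsds5replconflict"][0])
        if not m:
            continue  # some other conflict type; not a naming conflict
        orig_dn = m.group(1)
        survivor = by_dn.get(orig_dn.lower())
        report.append({
            "conflict_dn": e["dn"][0],
            "original_dn": orig_dn,
            "renamed": describe_add(e),
            "surviving": describe_add(survivor) if survivor else None,
        })
    return report


if __name__ == "__main__":
    for r in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print("conflict for", r["original_dn"])
        print("  surviving entry added by", r["surviving"])
        print("  renamed entry   added by", r["renamed"])
```

Run against a real dump (for example the output of an ldapsearch for "(nsds5ReplConflict=*)" plus the winning entries), the two replica ids tell you which pair of servers received independent ADDs for the same DN; the access logs of those two servers at the decoded timestamps then show the client that issued them, which is the step Ludwig describes.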