Re: [Freeipa-users] Minimal compatibility with RHEL / CentOS 5.5

2015-11-15 Thread Rob Crittenden
Andrey Ptashnik wrote:
> Hello IPA team,
> 
> I’m wondering if there is any compatibility that can be established with
> legacy RHEL / CentOS 5.5 machines. Is there any easy way to set up a minimal
> feature set like central authentication and maybe something else?

ipa-client exists there. You can use that.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Cannot add or delete ssh user keys

2015-11-15 Thread Jens Dieskau

Hello everybody,

Since the last version of FreeIPA I cannot add or delete any SSH user
keys for synced users, neither on the command line nor in the web UI.

It works flawlessly with locally created users, but it does not work with
users created by winsync. See the error message below.

If I add the ntUser objectClass manually to a local user, it also
doesn't work any more. Maybe this is somehow the origin of the bug?

Are there any other logs I could check out?


Thanks,
Jens


ipa -vv user-mod name --sshpubkey="ssh-rsa foobar name@host"
ipa: INFO: trying https://ipa.cs.ucc.md/ipa/session/json
ipa: INFO: Request: {
"id": 0,
"method": "ping",
"params": [
[],
{}
]
}
ipa: INFO: Response: {
"error": null,
"id": 0,
"principal": "ad...@cs.ucc.md",
"result": {
"messages": [
{
"code": 13001,
"message": "API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.156",
"name": "VersionMissing",
"type": "warning"
}
],
"summary": "IPA server version 4.2.3. API version 2.156"
},
"version": "4.2.3"
}
ipa: INFO: Forwarding 'user_mod' to json server 'https://ipa.cs.ucc.md/ipa/session/json'

ipa: INFO: Request: {
"id": 0,
"method": "user_mod",
"params": [
[
"name"
],
{
"all": false,
"ipasshpubkey": [
"ssh-rsa foobar name@host"
],
"no_members": false,
"random": false,
"raw": false,
"rights": false,
"version": "2.156"
}
]
}
ipa: INFO: Response: {
"error": {
"code": 4203,
"message": "Type or value exists: ",
"name": "DatabaseError"
},
"id": 0,
"principal": "ad...@cs.ucc.md",
"result": null,
"version": "4.2.3"
}
ipa: ERROR: Type or value exists:



[Freeipa-users] FreeIPA user can't log in to Linux.

2015-11-15 Thread zhiyong xue
We integrated the Apache Syncope server with the FreeIPA server, so a user can
self-register an ID from Apache Syncope, which is then synchronized to FreeIPA. The
problems are:
*1) A user created from Apache Syncope can't log in to Linux. A user created
from the FreeIPA web GUI works well.*

This is the user(syncopex5) information created from Apache Syncope:
# syncopex5, users, compat, example.com
dn: uid=syncopex5,cn=users,cn=compat,dc=example,dc=com
cn: x5syncope
objectClass: posixAccount
objectClass: top
gidNumber: 657600034
gecos: x5syncope
uidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
uid: syncopex5

# syncopex5, users, accounts, example.com
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: x5syncope
displayName: x5syncope
uid: syncopex5
gecos: x5syncope
uidNumber: 657600034
gidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
sn: syncope
givenName: x5
initials: xs

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

*2) The user also can't be deleted from the web UI or the CLI. It says "syncopex5:
user not found".*
*The errors log:*
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4130 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4131 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4221 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4222 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4353 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4354 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5129 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5130 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5155 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5156 (rc: 32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
failed to delete managed entry
(member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
failed to delete managed entry
(member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

*The access log:*
[16/Nov/2015:02:52:50 +] conn=5512 op=36 UNBIND
[16/Nov/2015:02:52:50 +] conn=5512 op=36 fd=621 closed - U1
[16/Nov/2015:02:52:59 +] conn=5513 fd=621 slot=621 connection from
192.168.10.39 to 192.168.10.39
[16/Nov/2015:02:52:59 +] conn=5513 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +] conn=5513 op=3 SRCH
base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL
[16/Nov/2015:02:52:59 +] conn=5513 op=3 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=4 SRCH
base="cn=users,cn=accounts,dc=example,dc=com" scope=1
filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))"
attrs="telephoneNumber sshpubkeyfp uid title loginShell uidNumber gidNumber
sn homeDirectory mail givenName nsAccountLock"
[16/Nov/2015:02:52:59 +] conn=5513 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=5 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0
filter="(userPassword=*)" attrs="userPassword"
[16/Nov/2015:02:52:59 +] conn=5513 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=6 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0
filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[16/Nov/2015:02:52:59 +] conn=5513 op=6 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=7 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0

Re: [Freeipa-users] FreeIPA user can't log in to Linux.

2015-11-15 Thread Rob Crittenden
zhiyong xue wrote:
> We integrated the Apache Syncope server with the FreeIPA server, so a user can
> self-register an ID from Apache Syncope, which is then synchronized to FreeIPA. The
> problems are:
> *1) A user created from Apache Syncope can't log in to Linux. A user
> created from the FreeIPA web GUI works well.*

For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
This is unlikely to fix things but it will help with later debugging.

This likely revolves around how you are creating these accounts. We'll
need information on what you're doing. The more details the better.

> *2) The user also can't be deleted from web UI and CLI. It said
> "syncopex5: user not found".*

Again, you probably aren't creating the users correctly.

I can only assume that you are creating the users directly via an LDAP
add. This is working around the IPA framework which does additional work.

Knowing what version of IPA this is would help too.

You'll probably also want to read this:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
IPA 4.2.

rob

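Rob's suspicion (the entry was written by a raw LDAP add rather than through the IPA framework) can be checked against the LDIF zhiyong posted. The following Python script is an added example, not code from the thread or from FreeIPA: it parses an LDIF entry and reports attributes that `ipa user-add` normally populates for the object classes present. Which attributes those are (krbPrincipalName, ipaUniqueID, mepManagedEntry) is an assumption based on FreeIPA 4.x behaviour, and the sample entry is abridged from the syncopex5 entry in the post.

```python
# Added example: audit an IPA user entry for attributes ipa user-add
# normally sets (assumption based on FreeIPA 4.x); a raw LDAP add lacks them.

# objectClass (lower-case) -> attributes the framework sets for it (assumption)
EXPECTED = {
    "krbprincipalaux": ["krbPrincipalName"],  # SSSD authenticates via Kerberos
    "ipaobject": ["ipaUniqueID"],
    "meporiginentry": ["mepManagedEntry"],    # link to the managed private group
}

def parse_ldif(text):
    """Minimal LDIF reader (comments and blank separators only, no base64
    or continuation lines): returns a list of {attr_lower: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def missing_attrs(entry):
    """Attributes the framework would have set but that the entry lacks."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    missing = []
    for oc, attrs in EXPECTED.items():
        if oc in classes:
            missing.extend(a for a in attrs if a.lower() not in entry)
    return missing

# Abridged from the syncopex5 entry in the post (the cn=accounts copy)
SAMPLE = """\
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: ipaobject
objectClass: mepOriginEntry
uid: syncopex5
uidNumber: 657600034
"""
```

Calling `missing_attrs(parse_ldif(SAMPLE)[0])` on the posted entry reports krbPrincipalName, ipaUniqueID and mepManagedEntry as absent; the missing managed-entry link is consistent with the errors log failing to find the private group on delete (LDAP error 32, no such object). Running the same check with `ldapsearch` output over all of `cn=users,cn=accounts` finds other accounts that bypassed the framework.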