Re: [Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Fraser Tweedale
On Mon, Jan 11, 2016 at 12:55:52PM +0100, Martin Kosek wrote:
> On 01/11/2016 12:51 PM, Arthur Fayzullin wrote:
> > Bingo!!!
> > That is it!!!
> > The DM password contains a % symbol!
> > 
> > I am not sure, but with previous versions that did not cause any problem.
> 
> Good :-)
> 
> Still, it would be nice to fix Dogtag installation procedures to not parse
> passwords that way. Endi, please just make sure there is a Dogtag Bugzilla
> filed and in some realistic milestone as this bug's root cause is not so 
> obvious.
> 
There is an existing BZ and upstream ticket:

https://bugzilla.redhat.com/show_bug.cgi?id=1283631
https://fedorahosted.org/pki/ticket/1703

> > 
> > Thanks a lot!
> > 
> > 11.01.2016 16:48, Martin Kosek wrote:
> >> On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
> >>> Good day, Colleagues!
> >>>
> >>> And Happy New Year!
> >>>
> >>> I have tried to install a test stand with ipa v4.2 and 2 master-master
> >>> servers.
> >>>
> >>> files /etc/hosts on both servers contain:
> >>> 127.0.0.1   localhost localhost.localdomain localhost4
> >>> localhost4.localdomain4
> >>> ::1 localhost localhost.localdomain localhost6
> >>> localhost6.localdomain6
> >>>
> >>> 10.254.1.114 radipa00.test.ckt radipa00
> >>> 10.254.1.154 radipa01.test.ckt radipa01
> >>>
> >>> prepare key for replica server:
> >>> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
> >>> radipa01.test.ckt
> >>>
> >>> copy it to replica:
> >>> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> >>> r...@radipa01.test.ckt:/var/lib/ipa/
> >>>
> >>> then on replica start installation:
> >>> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
> >>> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
> >>> --forwarder=77.88.8.7 --forwarder=77.88.8.3
> >>> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> >>>
> >>> and!!! I have got such error:
> >>>   [2/23]: configuring certificate server instance
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> >>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> >>> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> >>> installation logs and the following files/directories for more 
> >>> information:
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> >>> /var/log/pki-ca-install.log
> >>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> >>> /var/log/pki/pki-tomcat
> >>>   [error] RuntimeError: CA configuration failed.
> >>> Your system may be partly configured.
> >>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >>>
> >>> log file contains this error:
> >>> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
> >>> 'application_version': '[APPLICATION_VERSION]'}
> >>> 2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
> >>> not be parsed correctly.  This might be because of unescaped '%%'
> >>> characters.  You must escape '%%' characters in deployment files
> >>> (example - 'setting=foobar').
> >>> 2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
> >>> ('%' must be followed by '%' or '(', found: '%')
> >>>
> >>> I have reproduced that error several times with centos7 and fedora23
> >>> installations.
> >>>
> >>> I am really confused whether I am doing something wrong or maybe it is
> >>> something else...
> >>> What can it be?
> >>> 
> >>> Best wishes!
> >> CCing Endi. There used to be an error where, when the DM password (used also
> >> for Dogtag) contained special characters, the PKI installer choked on it. I
> >> could not find the bug number right now.
> > 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Upgrade to FreeIPA 4.2.0 broke Katello/Foreman realm proxy

2016-01-11 Thread nathan
I'm not sure which mailing list is the best for this because it involves 2
products, but I think the fault here is with FreeIPA.

Basically I have a Katello server running as a realm proxy.  It is joined
as a client to the FreeIPA domain.  I provisioned 20 hosts last week
using its Foreman realm proxy feature and they all worked fine.

This weekend I updated to Katello 2.4/FreeIPA 4.2.0.  Now, when I create a
new host, it is not properly provisioned.

A post to the foreman users mailing list seems to indicate that foreman is
working because it got an OTP from FreeIPA:
https://groups.google.com/forum/#!topic/foreman-users/GlGSM6EAyUs

However, even though an OTP is retrieved, the host record is not created
in FreeIPA.  When I login to the webui and search for the host by name,
nothing is found.

Here are the dirsrv logs from the IPA server that Katello is contacting. 
I see what appears to be an attempt to create a host, and no error
messages indicating a failure, but the host is not actually created.

[11/Jan/2016:22:45:03 +] conn=36483 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="namingContexts"
[11/Jan/2016:22:45:03 +] conn=36483 op=0 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:04 +] conn=36483 op=1 UNBIND
[11/Jan/2016:22:45:04 +] conn=36483 op=1 fd=112 closed - U1
[11/Jan/2016:22:45:06 +] conn=36484 fd=112 slot=112 connection from
10.21.2.100 to 10.178.0.99
[11/Jan/2016:22:45:06 +] conn=36484 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Jan/2016:22:45:06 +] conn=36484 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[11/Jan/2016:22:45:06 +] conn=36484 op=-1 fd=112 closed - Peer reports
failure of signature verification or key exchange.
[11/Jan/2016:22:45:07 +] conn=36237 op=5 UNBIND
[11/Jan/2016:22:45:07 +] conn=36237 op=5 fd=150 closed - U1
[11/Jan/2016:22:45:10 +] conn=36485 fd=112 slot=112 connection from
10.21.0.150 to 10.178.0.99
[11/Jan/2016:22:45:10 +] conn=36485 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="* altServer namingContexts
supportedControl supportedExtension supportedFeatures supportedLDAPVersion
supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext
lastusn highestcommittedusn aci"
[11/Jan/2016:22:45:10 +] conn=36485 op=0 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:10 +] conn=6 op=236763 SRCH
base="dc=mydomain,dc=net" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/fe1.mydomain@mydomain.net)(krbPrincipalName=host/fe1.mydomain@mydomain.net)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[11/Jan/2016:22:45:10 +] conn=6 op=236763 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:10 +] conn=6 op=236764 SRCH
base="cn=ipaConfig,cn=etc,dc=mydomain,dc=net" scope=0
filter="(objectClass=*)" attrs="ipaConfigString ipaKrbAuthzData
ipaUserAuthType"
[11/Jan/2016:22:45:10 +] conn=6 op=236764 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:10 +] conn=6 op=236765 SRCH
base="cn=MYDOMAIN.NET,cn=kerberos,dc=mydomain,dc=net" scope=0
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[11/Jan/2016:22:45:10 +] conn=6 op=236765 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:10 +] conn=6 op=236766 SRCH
base="dc=mydomain,dc=net" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/mydomain@mydomain.net)(krbPrincipalName=krbtgt/mydomain@mydomain.net)))"
attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth
krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
ipatokenRadiusConfigLink objectClass"
[11/Jan/2016:22:45:10 +] conn=6 op=236766 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:10 +] conn=6 op=236767 SRCH
base="cn=global_policy,cn=MYDOMAIN.NET,cn=kerberos,dc=mydomain,dc=net"
scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife
krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure
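
The access-log excerpt above interleaves several connections, so a close reason that is not a clean unbind is easy to overlook. The following added example (not FreeIPA's or 389-ds's code; the sample lines are constructed after those in the post, with a timezone offset filled in) re-joins wrapped records, groups them by connection and lists every connection that closed for a reason other than U1, together with its source address and whether it had requested startTLS first.

```python
"""Correlate 389-ds (dirsrv) access-log lines per connection.

A dump like the one in the post interleaves several connections, and the
one close reason that is not a clean unbind ("Peer reports failure of
signature verification or key exchange") is easy to miss. This reader
joins wrapped lines, groups records by conn=, and reports every connection
whose close reason is not U1 (client unbind), with its source IP and
whether it had asked for startTLS.

Added example, not FreeIPA's or 389-ds's code.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the post's log; records may be wrapped
# across lines exactly as they were in the mail.
SAMPLE_LOG = """\
[11/Jan/2016:22:45:03 +0000] conn=36483 op=0 SRCH base="" scope=0
filter="(objectClass=*)" attrs="namingContexts"
[11/Jan/2016:22:45:03 +0000] conn=36483 op=0 RESULT err=0 tag=101
nentries=1 etime=0
[11/Jan/2016:22:45:04 +0000] conn=36483 op=1 UNBIND
[11/Jan/2016:22:45:04 +0000] conn=36483 op=1 fd=112 closed - U1
[11/Jan/2016:22:45:06 +0000] conn=36484 fd=112 slot=112 connection from
10.21.2.100 to 10.178.0.99
[11/Jan/2016:22:45:06 +0000] conn=36484 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Jan/2016:22:45:06 +0000] conn=36484 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[11/Jan/2016:22:45:06 +0000] conn=36484 op=-1 fd=112 closed - Peer reports
failure of signature verification or key exchange.
[11/Jan/2016:22:45:07 +0000] conn=36237 op=5 UNBIND
[11/Jan/2016:22:45:07 +0000] conn=36237 op=5 fd=150 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) (?P<rest>.*)$")
FROM_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
CLOSE_RE = re.compile(r"closed - (?P<reason>.+)$")


def unwrap(text: str) -> list[str]:
    """Re-join records wrapped across lines: a line that does not start
    with '[' is a continuation of the previous record."""
    records: list[str] = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def summarize(text: str) -> dict[str, dict]:
    """Group records by conn= and pull out source IP, startTLS use and
    the close reason for each connection."""
    conns: dict[str, dict] = defaultdict(
        lambda: {"src": None, "starttls": False, "closed": None})
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if not m:
            continue  # not an access-log record we understand
        info = conns[m["conn"]]
        rest = m["rest"]
        if (f := FROM_RE.search(rest)):
            info["src"] = f["src"]
        if 'name="startTLS"' in rest:
            info["starttls"] = True
        if (c := CLOSE_RE.search(rest)):
            info["closed"] = c["reason"].strip()
    return dict(conns)


def abnormal_closes(text: str) -> list[tuple[str, str, bool, str]]:
    """Return (conn, src, starttls, reason) for every connection that did
    not close with the clean client-unbind code U1."""
    out = []
    for conn, info in sorted(summarize(text).items(), key=lambda kv: int(kv[0])):
        if info["closed"] is not None and info["closed"] != "U1":
            out.append((conn, info["src"] or "?", info["starttls"], info["closed"]))
    return out


if __name__ == "__main__":
    for conn, src, tls, reason in abnormal_closes(SAMPLE_LOG):
        print(f"conn={conn} from {src} startTLS={tls}: {reason}")
```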

[Freeipa-users] Documentation on Testing page

2016-01-11 Thread Anthony Cheng
Hi all,

I have been looking at the documentation, specifically the test page:
http://www.freeipa.org/page/Testing

It looks like it has missing info on the Build section, specifically I
don't see reference to a makefile or where to run make to build the
testing utility.

Thanks, Anthony



Re: [Freeipa-users] IPA Users unable to run Cron

2016-01-11 Thread Jakub Hrozek
On Mon, Jan 11, 2016 at 02:06:01PM +0530, Yogesh Sharma wrote:
> Team,
> 
> None of the ipa-users are able to execute crons on any servers. If we
> create a local user then we are able to.
> 
> There is no cron.allow and we do not have any user listed in cron.deny.
> 
> Is there something on the FreeIPA end which is blocking? Just a confirmation,
> as we continue to troubleshoot it further at our end.

Does HBAC allow the cron services?



Re: [Freeipa-users] FreeIPA and project Atomic

2016-01-11 Thread Lukas Slebodnik
On (09/01/16 18:41), Marc Boorshtein wrote:
>I'm moving an environment from one that uses all separate VMs to one using
>project Atomic and Docker images.  A couple of questions:
>
>1.  Are there any known issues joining an atomic host to a FreeIPA domain?
> (Or has anyone tried it?)
I think the best source of information is
http://www.projectatomic.io/blog/2015/12/fedora-atomic-sssd-container/
or longer version
http://www.adelton.com/docs/docker/fedora-atomic-sssd-container


LS



Re: [Freeipa-users] FreeIPA and project Atomic

2016-01-11 Thread Jan Pazdziora
On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
> I'm moving an environment from one that uses all separate VMs to one using
> project Atomic and Docker images.  A couple of questions:
> 
> 1.  Are there any known issues joining an atomic host to a FreeIPA domain?
>  (Or has anyone tried it?)

As Lukáš has noted, the fedora/sssd container exists which allows
you to execute ipa-client-install (or realm join) and then run sssd:

http://www.adelton.com/docs/docker/fedora-atomic-sssd-container

The only outstanding issue is that sudo rules currently do not
work on Fedora Atomic (but work on RHEL Atomic).

> 2.  Is there any reason I couldn't run FreeIPA in a container in this
> setup?  It seems odd to run FreeIPA on a container for a server in its own
> domain.  My first thought is to have the FreeIPA servers running on their
> own VMs.

The main reason against the FreeIPA server in a container, provided
you use

https://github.com/adelton/docker-freeipa
https://hub.docker.com/r/adelton/freeipa-server/

would be the lack of SELinux isolation of the individual components,
plus the expectation we sometimes see that containers are like
virtual machines (and people treat them as such, especially from a
security point of view) when they are not.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Arthur Fayzullin
Good day, Colleagues!

And Happy New Year!

I have tried to install a test stand with ipa v4.2 and 2 master-master
servers.

files /etc/hosts on both servers contain:
127.0.0.1   localhost localhost.localdomain localhost4
localhost4.localdomain4
::1 localhost localhost.localdomain localhost6
localhost6.localdomain6

10.254.1.114 radipa00.test.ckt radipa00
10.254.1.154 radipa01.test.ckt radipa01

prepare key for replica server:
[root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
radipa01.test.ckt

copy it to replica:
[root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
r...@radipa01.test.ckt:/var/lib/ipa/

then on replica start installation:
[root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
--mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
--forwarder=77.88.8.7 --forwarder=77.88.8.3
/var/lib/ipa/replica-info-radipa01.test.ckt.gpg

and!!! I have got such error:
  [2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpvgc4S6'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
/var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

log file contains this error:
[root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
'application_version': '[APPLICATION_VERSION]'}
2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
not be parsed correctly.  This might be because of unescaped '%%'
characters.  You must escape '%%' characters in deployment files
(example - 'setting=foobar').
2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
('%' must be followed by '%' or '(', found: '%')

I have reproduced that error several times with centos7 and fedora23
installations.

I am really confused whether I am doing something wrong or maybe it is
something else...
What can it be?

Best wishes!



[Freeipa-users] IPA Users unable to run Cron

2016-01-11 Thread Yogesh Sharma
Team,

None of the ipa-users are able to execute crons on any servers. If we
create a local user then we are able to.

There is no cron.allow and we do not have any user listed in cron.deny.

Is there something on the FreeIPA end which is blocking? Just a confirmation,
as we continue to troubleshoot it further at our end.


Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified



Re: [Freeipa-users] Upgrade to FreeIPA 4.2.0 broke Katello/Foreman realm proxy

2016-01-11 Thread Jan Pazdziora
On Mon, Jan 11, 2016 at 03:01:40PM -0800, nat...@nathanpeters.com wrote:
> 
> Basically I have a Katello server running as a realm proxy.  It is joined
> as a client to the FreeIPA domain.  I provisioned 20 hosts last week
> using its Foreman realm proxy feature and they all worked fine.
> 
> This weekend I updated to Katello 2.4/FreeIPA 4.2.0.  Now, when I create a
> new host, it is not properly provisioned.
> 
> A post to the foreman users mailing list seems to indicate that foreman is
> working because it got an OTP from FreeIPA:
> https://groups.google.com/forum/#!topic/foreman-users/GlGSM6EAyUs

In that thread you note that the issue was in fact a replication
problem.

Did you manage to resolve it?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-11 Thread Prasun Gera
This is the output of the command:

ldapsearch  -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d=
-f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: nis-domain=domain.edu+nis-map=auto.home,cn=NIS
Server,cn=plugins,cn=config
CreateTimestamp: 20150321091139Z
ModifyTimestamp: 20150321091139Z

dn: nis-domain=domain.edu+nis-map=auto.local,cn=NIS
Server,cn=plugins,cn=confi
 g
CreateTimestamp: 20150321091209Z
ModifyTimestamp: 20150321091209Z

dn: nis-domain=domain.edu+nis-map=auto.master,cn=NIS
Server,cn=plugins,cn=conf
 ig
CreateTimestamp: 20150321091201Z
ModifyTimestamp: 20150321091201Z

dn: nis-domain=domain.edu+nis-map=ethers.byaddr,cn=NIS
Server,cn=plugins,cn=co
 nfig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=ethers.byname,cn=NIS
Server,cn=plugins,cn=co
 nfig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=group.bygid,cn=NIS
Server,cn=plugins,cn=conf
 ig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=group.byname,cn=NIS
Server,cn=plugins,cn=con
 fig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=netgroup,cn=NIS
Server,cn=plugins,cn=config
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=netid.byname,cn=NIS
Server,cn=plugins,cn=con
 fig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=passwd.byname,cn=NIS
Server,cn=plugins,cn=co
 nfig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z

dn: nis-domain=domain.edu+nis-map=passwd.byuid,cn=NIS
Server,cn=plugins,cn=con
 fig
CreateTimestamp: 20150320220124Z
ModifyTimestamp: 20150320220124Z


All the maps are listed from what I can tell. passwd is the one that is not
working as expected. Autofs maps are working all right on nis clients.

On Mon, Jan 11, 2016 at 4:21 PM, Alexander Bokovoy 
wrote:

> On Mon, 11 Jan 2016, Prasun Gera wrote:
>
>> I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
>> users reported that he is not able to log in to certain systems any more.
>> It turns out that there is some change in behaviour w.r.t NIS clients
>> after
>> this upgrade. I see that his username is not visible in "ypcat passwd" on
>> the old clients that are using NIS. This user was added natively through
>> ipa. The old users that were migrated from NIS still work as expected on
>> the NIS clients. I can also confirm that if I add a new user now in ipa,
>> it
>> is not visible in NIS maps. Until we phase out the NIS clients completely,
>> I would like all users to be able to log into them. This used to be the
>> case, but a recent update seems to have changed that. I don't know if this
>> is intentional. How do I revert to the old behaviour?
>>
> Do you see all the maps configured?
>
> # ldapsearch  -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d=
> -f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
>
> We have a bug in the upgrade script that was fixed this morning
> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00154.html
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Documentation on Testing page

2016-01-11 Thread Rob Crittenden
Anthony Cheng wrote:
> Hi all,
> 
> I have been looking at the documentation, specifically the test page:
> http://www.freeipa.org/page/Testing
> 
> It looks like it has missing info on the Build section, specifically I
> don't see reference to a makefile or where to run make to build the
> testing utility.

You just run make from the top-level directory.

There is a BUILD.txt to help get you started as well.

rob



[Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-11 Thread nathan
I have 3 FreeIPA 4.2.0 servers running on CentOS 7.2

I am getting replication errors that I cannot seem to figure out.

Here is the setup : (I refer to master and slave because apparently your
CA is the only one who can create replica certs so it is the 'master')

dc1 : master, been running for a long time on 4.1.4, recently upgraded to
4.2.0
dc2 : replica, been running for a long time on 4.1.4, recently upgraded to
4.2.0
dc3 : replica, newly added as fresh freeipa 4.2.0 after the other 2 were
upgraded.

Changes from dc2 were not being replicated to dc1 for a long time and I
had to ipa-replica-manage re-initialize 3 times for it to finally start
replicating again.  Every time it reported success, but the first 2 times,
any changes on dc2 were not replicated to dc1.

Although replication seems to be working again, I've now got a bunch of
errors in my logs and status checks, and fear it may start failing in the
future again due to some verbiage in the log entries.

Also, although I've read the busy replica error is supposed to be
'transient', I've been refreshing the output of the replica-manage list
command for an hour and it hasn't gone away...

I'm also quite confused about the 1970 dates...

[root@dc1 slapd-MYDOMAIN-NET]# ipa-replica-manage list -v `hostname`
dc2.mydomain.net: replica
  last init status: 0 Total update succeeded
  last init ended: 2016-01-12 04:08:47+00:00
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2016-01-12 04:25:15+00:00
dc3.mydomain.net: replica
  last init status: 0 Total update succeeded
  last init ended: 2016-01-10 08:06:35+00:00
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2016-01-12 04:25:15+00:00

[root@dc2 slapd-MYDOMAIN-NET]# ipa-replica-manage list -v `hostname`
dc1.mydomain.net: replica
  last init status: 1 Replication error acquiring replica: replica busy
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 1 Can't acquire busy replica
  last update ended: 2016-01-12 04:25:05+00:00

[root@dc3 slapd-MYDOMAIN-NET]# ipa-replica-manage list -v `hostname`
dc1.mydomain.net: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update
started
  last update ended: 1970-01-01 00:00:00+00:00


dc2 error logs :

[12/Jan/2016:04:08:47 +] NSMMReplicationPlugin - replica_reload_ruv:
Warning: new data for replica dc=mycompany,dc=net does not match the data
in the changelog.
 Recreating the changelog file. This could affect replication with
replica's  consumers in which case the consumers should be reinitialized.
[12/Jan/2016:04:08:47 +] NSMMReplicationPlugin - replication keep
alive entry 

[Freeipa-users] IPA users not visible in NIS passwd map

2016-01-11 Thread Prasun Gera
I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
users reported that he is not able to log in to certain systems any more.
It turns out that there is some change in behaviour w.r.t NIS clients after
this upgrade. I see that his username is not visible in "ypcat passwd" on
the old clients that are using NIS. This user was added natively through
ipa. The old users that were migrated from NIS still work as expected on
the NIS clients. I can also confirm that if I add a new user now in ipa, it
is not visible in NIS maps. Until we phase out the NIS clients completely,
I would like all users to be able to log into them. This used to be the
case, but a recent update seems to have changed that. I don't know if this
is intentional. How do I revert to the old behaviour?

Re: [Freeipa-users] IPA users not visible in NIS passwd map

2016-01-11 Thread Alexander Bokovoy

On Mon, 11 Jan 2016, Prasun Gera wrote:

> I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
> users reported that he is not able to log in to certain systems any more.
> It turns out that there is some change in behaviour w.r.t NIS clients after
> this upgrade. I see that his username is not visible in "ypcat passwd" on
> the old clients that are using NIS. This user was added natively through
> ipa. The old users that were migrated from NIS still work as expected on
> the NIS clients. I can also confirm that if I add a new user now in ipa, it
> is not visible in NIS maps. Until we phase out the NIS clients completely,
> I would like all users to be able to log into them. This used to be the
> case, but a recent update seems to have changed that. I don't know if this
> is intentional. How do I revert to the old behaviour?

Do you see all the maps configured?

# ldapsearch  -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d= -f2) 
-b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp

We have a bug in the upgrade script that was fixed this morning
https://www.redhat.com/archives/freeipa-devel/2016-January/msg00154.html

--
/ Alexander Bokovoy



[Freeipa-users] 4.2 (or 4.3) clients on 4.1.4 server?

2016-01-11 Thread Janelle

Good day,

Just wondering if anyone knows of any reason a 4.2 client running on 
RHEL 7.2 would have any issues talking to a 4.1.4 server on RHEL 7.1? The 
reason I ask is the process of upgrading. In this case we have to do 
clients first.


Thank you
~Janelle



Re: [Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Arthur Fayzullin
Bingo!!!
That is it!!!
The DM password contains a % symbol!

I am not sure, but with previous versions that did not cause any problem.

Thanks a lot!

11.01.2016 16:48, Martin Kosek wrote:
> On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
>> Good day, Colleagues!
>>
>> And Happy New Year!
>>
>> I have tried to install a test stand with ipa v4.2 and 2 master-master
>> servers.
>>
>> files /etc/hosts on both servers contain:
>> 127.0.0.1   localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>>
>> 10.254.1.114 radipa00.test.ckt radipa00
>> 10.254.1.154 radipa01.test.ckt radipa01
>>
>> prepare key for replica server:
>> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
>> radipa01.test.ckt
>>
>> copy it to replica:
>> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>> r...@radipa01.test.ckt:/var/lib/ipa/
>>
>> then on replica start installation:
>> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
>> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
>> --forwarder=77.88.8.7 --forwarder=77.88.8.3
>> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>>
>> and!!! I have got such error:
>>   [2/23]: configuring certificate server instance
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
>> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>> installation logs and the following files/directories for more information:
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>> /var/log/pki-ca-install.log
>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>> /var/log/pki/pki-tomcat
>>   [error] RuntimeError: CA configuration failed.
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> log file contains this error:
>> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
>> 'application_version': '[APPLICATION_VERSION]'}
>> 2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
>> not be parsed correctly.  This might be because of unescaped '%%'
>> characters.  You must escape '%%' characters in deployment files
>> (example - 'setting=foobar').
>> 2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
>> ('%' must be followed by '%' or '(', found: '%')
>>
>> I have reproduced that error several times with centos7 and fedora23
>> installations.
>>
>> I am really confused whether I am doing something wrong or maybe it is
>> something else...
>> What can it be?
>> 
>> Best wishes!
> CCing Endi. There used to be an error where, when the DM password (used also
> for Dogtag) contained special characters, the PKI installer choked on it. I
> could not find the bug number right now.


Re: [Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Martin Kosek
On 01/11/2016 12:51 PM, Arthur Fayzullin wrote:
> Bingo!!!
> That is it!!!
> The DM password contains a % symbol!
> 
> I am not sure, but with previous versions that did not cause any problem.

Good :-)

Still, it would be nice to fix Dogtag installation procedures to not parse
passwords that way. Endi, please just make sure there is a Dogtag Bugzilla
filed and in some realistic milestone as this bug's root cause is not so 
obvious.

> 
> Thanks a lot!
> 
> 11.01.2016 16:48, Martin Kosek wrote:
>> On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
>>> Good day, Colleagues!
>>>
>>> And Happy New Year!
>>>
>>> I have tried to install a test stand with ipa v4.2 and 2 master-master
>>> servers.
>>>
>>> files /etc/hosts on both servers contain:
>>> 127.0.0.1   localhost localhost.localdomain localhost4
>>> localhost4.localdomain4
>>> ::1 localhost localhost.localdomain localhost6
>>> localhost6.localdomain6
>>>
>>> 10.254.1.114 radipa00.test.ckt radipa00
>>> 10.254.1.154 radipa01.test.ckt radipa01
>>>
>>> prepare key for replica server:
>>> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
>>> radipa01.test.ckt
>>>
>>> copy it to replica:
>>> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>>> r...@radipa01.test.ckt:/var/lib/ipa/
>>>
>>> then on replica start installation:
>>> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
>>> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
>>> --forwarder=77.88.8.7 --forwarder=77.88.8.3
>>> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
>>>
>>> and!!! I have got such error:
>>>   [2/23]: configuring certificate server instance
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
>>> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
>>> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
>>> installation logs and the following files/directories for more information:
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>>> /var/log/pki-ca-install.log
>>> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
>>> /var/log/pki/pki-tomcat
>>>   [error] RuntimeError: CA configuration failed.
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> log file contains this error:
>>> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
>>> 'application_version': '[APPLICATION_VERSION]'}
>>> 2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
>>> not be parsed correctly.  This might be because of unescaped '%%'
>>> characters.  You must escape '%%' characters in deployment files
>>> (example - 'setting=foobar').
>>> 2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
>>> ('%' must be followed by '%' or '(', found: '%')
>>>
>>> I have reproduced that error several times with centos7 and fedora23
>>> installations.
>>>
>>> I am really confused if I am doing something wrong or maybe it is
>>> something else...
>>> what can it be?
>>> 
>>> Best wishes!
>> CCing Endi. There used to be an error, when DM password (used also for Dogtag)
>> contained special characters, PKI installer choked on it. I could not find the
>> bug number right now.
> 


Re: [Freeipa-users] IPA Users unable to run Cron

2016-01-11 Thread Yogesh Sharma
HBAC has "Any Service" enabled, However, while doing HBAC Test, I am
getting Access Denied.

Checking it. Thanks for the suggestion. Any further suggestion would be
helpful.

Best Regards,

__

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified



On Mon, Jan 11, 2016 at 2:14 PM, Jakub Hrozek  wrote:

> On Mon, Jan 11, 2016 at 02:06:01PM +0530, Yogesh Sharma wrote:
> > Team,
> >
> > None of the ipa-users are able to execute crons on any servers. If we
> > create local user then we are able to do.
> >
> > There is no cron.allow and we do not have any user listed in cron.deny.
> >
> > Is there something from FreeIPA end which is blocking. Just a
> confirmation,
> > as we continue to troubleshoot it further at our end.
>
> Does HBAC allow the cron services?
>
>

Re: [Freeipa-users] error while installing ipa-replica with ca

2016-01-11 Thread Martin Kosek
On 01/11/2016 12:01 PM, Arthur Fayzullin wrote:
> Good day, Colleagues!
> 
> And Happy New Year!
> 
> I have tried to install a test stand with ipa v4.2 and 2 master-master
> servers.
> 
> files /etc/hosts on both servers contain:
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 
> 10.254.1.114 radipa00.test.ckt radipa00
> 10.254.1.154 radipa01.test.ckt radipa01
> 
> prepare key for replica server:
> [root@radipa00 ipa]# ipa-replica-prepare --ip-address=10.254.1.154
> radipa01.test.ckt
> 
> copy it to replica:
> [root@radipa00 ipa]# scp /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> r...@radipa01.test.ckt:/var/lib/ipa/
> 
> then on replica start installation:
> [root@radipa01 ~]# ipa-replica-install --setup-ca --setup-kra
> --mkhomedir --ssh-trust-dns --ip-address=10.254.1.154 --setup-dns
> --forwarder=77.88.8.7 --forwarder=77.88.8.3
> /var/lib/ipa/replica-info-radipa01.test.ckt.gpg
> 
> and!!! I have got such error:
>   [2/23]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpvgc4S6'' returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL  
> /var/log/pki/pki-tomcat
>   [error] RuntimeError: CA configuration failed.
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> 
> log file contains this error:
> [root@radipa01 ~]# less /var/log/pki/pki-ca-spawn.2016050634.log
> 'application_version': '[APPLICATION_VERSION]'}
> 2016-01-11 15:06:34 pkispawn: ERROR... Deployment file could
> not be parsed correctly.  This might be because of unescaped '%%'
> characters.  You must escape '%%' characters in deployment files
> (example - 'setting=foobar').
> 2016-01-11 15:06:34 pkispawn: ERROR... Interpolation error
> ('%' must be followed by '%' or '(', found: '%')
> 
> I have reproduced that error several times with centos7 and fedora23
> installations.
> 
> I am really confused if I am doing something wrong or maybe it is
> something else...
> what can it be?
> 
> Best wishes!

CCing Endi. There used to be an error, when DM password (used also for Dogtag)
contained special characters, PKI installer choked on it. I could not find the
bug number right now.

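The "Interpolation error" quoted in the pkispawn log above is the message Python's ConfigParser raises when a value contains a lone '%' and interpolation is enabled. The following is an added example, not code from the thread or from Dogtag: it builds a small deployment-style file with a Directory Manager password ending in '%' (section name, option name and password are assumed, not taken from the page), shows the parser failing exactly as in the log, and shows the two ways the value survives (doubling the '%' as pkispawn's hint says, or parsing without interpolation), plus a pre-flight check an admin could run on a password before installing.

```python
import configparser

# Constructed sample: a Directory Manager password ending in '%' (assumed value,
# chosen so the parser error text matches the one quoted in the thread).
DM_PASSWORD = "Secret123%"


def build_deployment_cfg(password, escape):
    """Return an INI-style deployment file body with a pki_ds_password entry
    (section layout assumed). With escape=True every '%' is doubled to '%%',
    which is the escaping the pkispawn error message asks for."""
    value = password.replace("%", "%%") if escape else password
    return "[CA]\npki_ds_password=%s\n" % value


def read_password(cfg_text, interpolate):
    """Parse cfg_text and return (password, error_message).

    interpolate=True uses ConfigParser's default '%'-interpolation, which is
    what trips over a raw '%' in the password; interpolate=False reads the
    stored text verbatim (so an escaped '%%' stays doubled)."""
    cp = configparser.ConfigParser(
        interpolation=configparser.BasicInterpolation() if interpolate else None)
    cp.read_string(cfg_text)
    try:
        return cp.get("CA", "pki_ds_password"), None
    except configparser.InterpolationError as exc:
        # Covers the syntax error seen in the thread as well as missing-option
        # and depth errors for passwords that happen to look like '%(name)s'.
        return None, str(exc)


def check_password_for_interpolation(password):
    """Pre-flight check: True only if an interpolating parser hands the
    password back unchanged, i.e. it is safe to put into the deployment
    file without escaping. Passwords with '%' or '%%' both return False."""
    value, err = read_password(build_deployment_cfg(password, escape=False), True)
    return err is None and value == password


if __name__ == "__main__":
    for escape in (False, True):
        for interpolate in (True, False):
            cfg = build_deployment_cfg(DM_PASSWORD, escape)
            print("escape=%-5s interpolate=%-5s -> %r"
                  % (escape, interpolate, read_password(cfg, interpolate)))
    print("safe to use unescaped:", check_password_for_interpolation(DM_PASSWORD))
```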


Re: [Freeipa-users] FreeIPA and project Atomic

2016-01-11 Thread Lukas Slebodnik
On (11/01/16 11:35), Jan Pazdziora wrote:
>On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
>> I'm moving an environment from one that uses all separate VMs to one using
>> project Atomic and Docker images.  A couple of questions:
>> 
>> 1.  Are there any known issues joining an atomic host to a FreeIPA domain?
>>  (Or has anyone tried it?)
>
>As Lukáš has noted, the fedora/sssd container exists which allows
>you to execute ipa-client-install (or realm join) and then run sssd:
>
>   http://www.adelton.com/docs/docker/fedora-atomic-sssd-container
>
>The only outstanding issue is that sudo rules currently do not
>work on Fedora Atomic (but work on RHEL Atomic).
>
The related sssd change for sudo might be in Fedora in a couple of days.
The change is awaiting review atm.
So the next release of Fedora Atomic might contain the change.

LS


Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-11 Thread fvende.ext
Hi,

Ok, it's clear enough for me. Thanks a lot for all your responses!

Best regards,
Fx

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, 5 January 2016 15:37
To: freeipa-users@redhat.com; bahan w
Cc: VENDE Francois Xavier Ext DTSI/DSI
Subject: Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

Lukas Slebodnik wrote:
> On (05/01/16 15:11), bahan w wrote:
>> Hello.
>>
>> I have some questions related to this point:
>> 1. On a RHEL6.6, may I install the package ipa-client 4.x and enroll 
>> to an ipa server 4.x located on a RHEL7? Could you remind me of the 
>> version of sssd embedded with ipa-client 4.x?
> rhel6.6 has ipa-client-3.0.0-47.el6 and sssd-1.11.x
> rhel6.7 has ipa-client-3.0.0-47.el6 and sssd-1.12.x
> 
> and sssd-1.11+ works well with ipa-server 4.x

Strictly speaking, sssd isn't "embedded" with ipa-client. There is some 
correlation based on distro release, as Lukas has listed, but that's about it.

There is no IPA 4.x for RHEL 6.x.

>> 2. The ipa-server 4.x can only be installed on RHEL7+, true/false?
>>
> true ( +fedora :-)
> 
> LS
> 






Re: [Freeipa-users] Cross Domain Trust

2016-01-11 Thread Zoske, Fabian
I looked deeper into the problem and tested it with Ubuntu 16.04 Alpha, which 
includes SSSD 1.13.3.
Now I have the same problem on Ubuntu.
On Ubuntu 14.04 I have installed the shipped SSSD-1.11.5 and everything works.

Best regards,
Fabian


-Original Message-
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, 15 December 2015 13:38
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cross Domain Trust

On Tue, Dec 15, 2015 at 10:58:09AM +, Zoske, Fabian wrote:
> I've set up an IPA-Server with a handful of clients and AD-Trust.
> The server is a CentOS7.1 with IPA4.1 and the clients are mostly Ubuntu 
> Server 14.04 LTS.
> Our IPA-Domain is like ipa-domain.com and our AD-Domain is like 
> ad-domain.local, but our user principals in AD are 
> u...@old-domain.com for backward compatibility.
> 
> On the Ubuntu clients I can login with my AD-Credentials, but when trying to 
> do the same on a joined CentOS Server I can't login.
> In the logs I can see that no KDC for OLD-DOMAIN.COM is found.
> 
> Why does this scenario work on Ubuntu but not on CentOS?
> Can I do something about this?

Are there any differences in /etc/krb5.conf on the Ubuntu client and on the 
CentOS servers?

What name servers are configured? Typically the clients should use the IPA 
server as a name server.

bye,
Sumit

> 
> Best regards,
> Fabian




[Freeipa-users] The -e skip_version_check=1 with 4.2 client against 6.4-based server

2016-01-11 Thread Jan Pazdziora

Hello,

we have IPA client on

[root@centos72-20160110 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

with the following packages:

[root@centos72-20160110 ~]# rpm -qf
/usr/lib/python2.7/site-packages/ipapython/version.py
ipa-python-4.2.0-15.el7.centos.3.x86_64
[root@centos72-20160110 ~]# rpm -qf /usr/bin/ipa
ipa-admintools-4.2.0-15.el7.centos.3.x86_64

We try to call the ipa commands against old FreeIPA server version,
taking advantage of the

-e skip_version_check=1

option added by

https://fedorahosted.org/freeipa/ticket/4768


[root@centos72-20160110 ~]# /usr/bin/ipa user-find
ipa: ERROR: 2.156 client incompatible with 2.49 server at 
u'https://aab-ipaserver.example.com/ipa/xml'

[root@centos72-20160110 ~]# /usr/bin/ipa -e skip_version_check=1 user-find
ipa: ERROR: 2.51 client incompatible with 2.49 server at 
u'https://aab-ipaserver.example.com/ipa/xml'

Alas, it seems that skip_version_check=1 sets the version to 2.51,
which is still too new for the 2.49 version of the 6.4-based server
with ipa-server-3.0.0-42.el6.x86_64.

Is this behaviour expected? Why does it force a particular value (2.51)
rather than ignoring the difference altogether?

I have verified that the option works on Fedora client against older
Fedora server (but I did not try ipa-server-3.0.0 there).

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Cross Domain Trust

2016-01-11 Thread Lukas Slebodnik
On (11/01/16 14:56), Zoske, Fabian wrote:
>I looked deeper into the problem and tested it with Ubuntu 16.04 Alpha, which 
>includes SSSD 1.13.3.
>Now I have the same problem on Ubuntu.
>On Ubuntu 14.04 I have installed the shipped SSSD-1.11.5 and everything works.
>
It might be an issue on the ipa server.
sssd-1.11 fetches trusted users from the ipa server in a different way than
sssd-1.12+.

Could you try to upgrade FreeIPA from CentOS 7.1 to CentOS 7.2?

LS



Re: [Freeipa-users] The -e skip_version_check=1 with 4.2 client against 6.4-based server

2016-01-11 Thread Jan Pazdziora
On Mon, Jan 11, 2016 at 07:05:16PM +0100, Martin Basti wrote:
> On 11.01.2016 16:57, Jan Pazdziora wrote:
> >
> >We try to call the ipa commands against old FreeIPA server version,
> >taking advantage of the
> >
> > -e skip_version_check=1
> >
> >option added by
> >
> > https://fedorahosted.org/freeipa/ticket/4768
> >
> >[root@centos72-20160110 ~]# /usr/bin/ipa user-find
> >ipa: ERROR: 2.156 client incompatible with 2.49 server at 
> >u'https://aab-ipaserver.example.com/ipa/xml'
> >
> >[root@centos72-20160110 ~]# /usr/bin/ipa -e skip_version_check=1 user-find
> >ipa: ERROR: 2.51 client incompatible with 2.49 server at 
> >u'https://aab-ipaserver.example.com/ipa/xml'
> >
> >Alas, it seems that skip_version_check=1 sets the version to 2.51,
> >which is still too new for the 2.49 version of the 6.4-based server
> >with ipa-server-3.0.0-42.el6.x86_64.
> >
> >Is this behaviour expected? Why does it force a particular value (2.51)
> >rather than ignoring the difference altogether?
> >
> >I have verified that the option works on Fedora client against older
> >Fedora server (but I did not try ipa-server-3.0.0 there).
>
> With API version 2.52 IPA started to use capabilities, which allow us to
> handle changes in the API in a compatible way.

So for API version 2.52+, why is that option needed there at all?

> So only with version 2.51 (last
> version without capabilities) we can guarantee that it will work. Server may
> not work with older API version than 2.51, because changes in API may be
> incompatible.

The fact that the calls might not work was an expected part of that
ticket -- that "proceed at own risk". So it looks like something else
was implemented than what we thought would be the result.

That makes it rather unfortunate because we cannot use this
option / approach when talking from newer clients to
RHEL 6 / CentOS 6 servers. Do we plan to have some option for these
setups?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] The -e skip_version_check=1 with 4.2 client against 6.4-based server

2016-01-11 Thread Martin Basti



On 11.01.2016 16:57, Jan Pazdziora wrote:

> Hello,
> 
> we have IPA client on
> 
> [root@centos72-20160110 ~]# cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
> 
> with the following packages:
> 
> [root@centos72-20160110 ~]# rpm -qf
> /usr/lib/python2.7/site-packages/ipapython/version.py
> ipa-python-4.2.0-15.el7.centos.3.x86_64
> [root@centos72-20160110 ~]# rpm -qf /usr/bin/ipa
> ipa-admintools-4.2.0-15.el7.centos.3.x86_64
> 
> We try to call the ipa commands against old FreeIPA server version,
> taking advantage of the
> 
> -e skip_version_check=1
> 
> option added by
> 
> https://fedorahosted.org/freeipa/ticket/4768
> 
> 
> [root@centos72-20160110 ~]# /usr/bin/ipa user-find
> ipa: ERROR: 2.156 client incompatible with 2.49 server at 
> u'https://aab-ipaserver.example.com/ipa/xml'
> 
> [root@centos72-20160110 ~]# /usr/bin/ipa -e skip_version_check=1 user-find
> ipa: ERROR: 2.51 client incompatible with 2.49 server at 
> u'https://aab-ipaserver.example.com/ipa/xml'
> 
> Alas, it seems that skip_version_check=1 sets the version to 2.51,
> which is still too new for the 2.49 version of the 6.4-based server
> with ipa-server-3.0.0-42.el6.x86_64.
> 
> Is this behaviour expected? Why does it force a particular value (2.51)
> rather than ignoring the difference altogether?
> 
> I have verified that the option works on Fedora client against older
> Fedora server (but I did not try ipa-server-3.0.0 there).

With API version 2.52 IPA started to use capabilities, which allow us 
to handle changes in the API in a compatible way. So only with version 2.51 
(last version without capabilities) we can guarantee that it will work. 
Server may not work with older API version than 2.51, because changes in 
API may be incompatible.

