Re: [Freeipa-users] Help regarding SUDo rule implementation

2016-05-01 Thread Ben .T.George
HI All

The sudo rules started working. Actually, I tried again after 6 hours. What is the default
time for a rule to take effect normally? Is there any way to manually
pull changes from the client?

Regards,
Ben

On Sun, May 1, 2016 at 11:46 PM, Ben .T.George 
wrote:

> HI
>
> I have a working setup of FreeIPA 4.3 with AD integrated. I am able to
> apply HBAC rules and from the client side it's working.
>
> How can I apply sudo rules to that specific POSIX group?
>
> I have created a sample rule, added 2 commands, put the option as !authenticate
> and attached this rule to the client, but sudo -l is still not working.
>
> /etc/nsswitch.conf file has : sudoers: files sss
>
> and /etc/sssd/sssd.conf has : services = nss, sudo, pam, ssh
>
> Thanks & Regards,
> Ben
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Account/password expirations

2016-05-01 Thread Prasun Gera
It turns out that this was a permissions issue. Everything works now.
Thanks.

On Sat, Apr 30, 2016 at 11:26 PM, Prasun Gera  wrote:

> Ah, this doesn't work on Ubuntu (14.04). The command itself works, but
> sshd on Ubuntu probably isn't compiled with support for this, although I see
> "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" in sshd_config. I
> don't think the freeipa/sssd PPAs package sshd. Any way to get this working
> on Ubuntu 14.04?
>
> On Fri, Apr 29, 2016 at 12:30 PM, Anon Lister 
> wrote:
>
>> Yep, sorry, I missed that. You need to put your public keys in IPA.
>> On Apr 29, 2016 3:32 AM, "Jakub Hrozek"  wrote:
>>
>> On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
>> > > You can still authenticate with SSH keys, but to access any NFS 4 shares
>> > > they will need a Kerberos ticket, which can be obtained via a 'kinit'
>> > > after logging in.
>> > >
>> >
>> > Then how does the key authentication work if the .ssh directory on nfs4 is
>> > not accessible? Doesn't the key authentication process rely on
>> > .ssh/authorized_keys being readable by the authentication module?
>>
>> SSSD can fetch the authorized keys from IPA, see man
>> sss_ssh_authorizedkeys(1)
>>
>>
>

Re: [Freeipa-users] ipa-client password authentication failed

2016-05-01 Thread siology.io
That plugins.py file does exist, but it's totally empty.

And yes, all I get in the browser is an empty white screen window.

On 30 April 2016 at 02:20, Petr Vobornik  wrote:

> On 04/29/2016 12:44 AM, siology.io wrote:
> > On a clean centos 7 VM, after installation of ipa-server, browsing to the
> > ipa web UI gets me in the httpd error_logs:
> >
> > [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244]
> > mod_wsgi (pid=10162): Target WSGI script '/usr/share/ipa/wsgi/plugins.py'
> > does not contain WSGI application 'application'.
> >
> > Is this a known issue? I didn't get much out of google.
> >
>
> I don't see this issue on RHEL 7.2 nor FreeIPA 4.3.x on F23. Could you
> paste here the content of your /usr/share/ipa/wsgi/plugins.py file?
>
> Does it prevent the Web UI from loading?
> --
> Petr Vobornik
>

[Freeipa-users] Help regarding SUDo rule implementation

2016-05-01 Thread Ben .T.George
HI

I have a working setup of FreeIPA 4.3 with AD integrated. I am able to
apply HBAC rules and from the client side it's working.

How can I apply sudo rules to that specific POSIX group?

I have created a sample rule, added 2 commands, put the option as !authenticate
and attached this rule to the client, but sudo -l is still not working.

/etc/nsswitch.conf file has : sudoers: files sss

and /etc/sssd/sssd.conf has : services = nss, sudo, pam, ssh

Thanks & Regards,
Ben

Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync userbetween different suffix AD and IPA domain?

2016-05-01 Thread Petr Vobornik
On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
> 
> Thanks for your quick reply.
> 
> I want to integrate Linux servers with the existing AD and centrally manage
> HBAC/Sudo rules.
> 
> So I have set up a standalone IPA server with domain 'example.net', trying to
> sync users from the existing AD to it with the following cmd:
> 
> ipa-replica-manage connect --winsync \
>   --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='' \
>   --passsync='' --cacert='/etc/openldap/cacerts/ipaad.cer' \
>   --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
> 
> 
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the
steps described in section 7.4 of Windows integration guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> 
> 
> For the 'trusts' integration method, since users do not sync to IPA at all,
> how do I set sudo/HBAC rules for users? I have not tried it.
> 
> 
> Matrix
> 
> 
> 
> 
> -- Original --
> *From: * "Petr Vobornik"
> *Date: * Thu, Apr 28, 2016 11:21 PM
> *To: * "Matrix"; "freeipa-users"
> *Subject: * Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync 
> userbetween different suffix AD and IPA domain?
> 
> On 04/28/2016 04:44 PM, Matrix wrote:
>  > Hi, all
>  >
>  > I am trying to do a centralized solution
>  >
>  > AD domain is 'examplemedia.net'
>  >
>  > IPA domain is 'example.net'
>  >
>  > After ipa-replica has been established, I found that nothing has been
>  > synced from AD to IPA.
>  >
>  > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>  >
>  > I doubt that a different suffix is supported? If so, can anyone show
>  > some hints for me to investigate more?
>  >
>  > Thanks for your kind help.
>  >
>  > Matrix
> 
> Hello,
> 
> what is your goal and current setup?
> 
> By "ipa-replica has been established" do you mean that you installed a
> new currently standalone IPA server? And connected it somehow with AD?
> 
> Or did you run `ipa-replica-manage connect --winsync ...`
> 
> It would be good to mention that an IPA server [1] cannot be a replica of an
> AD server. But it can integrate with it, either by using
> winsync (synchronization) or the recommended solution: Trusts [2].
> 
> Documentation:
> [1]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
> 
> HTH
> -- 
> Petr Vobornik
> 


-- 
Petr Vobornik



Re: [Freeipa-users] Unexpiring user passwords

2016-05-01 Thread Natxo Asenjo
On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler  wrote:


> We have a situation where the passwords in FreeIPA need to be synchronized
> with another system in the company (a database of users, which is the
> authoritative source for users and passwords).  But, from what I read, the
> documentation is telling me we can't do that, because if we followed this
> work
> flow:
>
> 1. User goes to "master DB" and changes their password
> 2. master DB runs a script which sets password on FreeIPA system
> 3. User's login is now broken because the password is expired.
>

Leaving the design/philosophy aside, you could modify your users'
krbPasswordExpiration LDAP attribute in the script that changes the
FreeIPA password from your master DB password source. It's quite simple
using your LDAP tools of choice.

--
Groeten,
natxo
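A sketch of what natxo describes, as an added example that is not from the thread: the sync script pushes the new password to FreeIPA and then overwrites krbPasswordExpiration with a future date so the account is not expired on the next login. The base DN, user name, change time and the 90-day maximum password life are constructed values; the script is assumed to bind as an identity allowed to set passwords, and the two changes are sent as two separate modify operations because the IPA password plugin resets krbPasswordExpiration itself while it processes the userPassword change (an assumption about ordering, not something the thread states).

```python
"""Build the ldapmodify input a "master DB" sync script would send to FreeIPA.

Assumptions, not taken from the thread: the caller already binds to the IPA
LDAP server as an identity allowed to set user passwords, the maximum password
life is read from the IPA password policy by the caller, and the two changes
are applied as two separate modify operations because the IPA password plugin
sets krbPasswordExpiration itself while processing the userPassword change.
The functions only build the LDIF; sending it is left to the caller.
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed values for the example.
IPA_USERS_BASE = "cn=users,cn=accounts,dc=example,dc=net"
SAMPLE_CHANGE_TIME = datetime(2016, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_MAX_LIFE_DAYS = 90


def user_dn(uid: str) -> str:
    """DN of a user entry in the default FreeIPA tree layout."""
    if not uid or any(c in uid for c in ',+"\\<>;=\r\n'):
        raise ValueError("uid contains characters that are not safe in a DN")
    return f"uid={uid},{IPA_USERS_BASE}"


def expiration_timestamp(changed_at: datetime, max_life_days: int) -> str:
    """krbPasswordExpiration value: change time plus the policy's maximum
    password life, as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ)."""
    if changed_at.tzinfo is None:
        raise ValueError("changed_at must be timezone-aware")
    if max_life_days <= 0:
        raise ValueError("max_life_days must be positive")
    expires = changed_at.astimezone(timezone.utc) + timedelta(days=max_life_days)
    return expires.strftime("%Y%m%d%H%M%SZ")


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line.  Values that are not plain printable ASCII, or
    that start with a space, ':' or '<', or end with a space, must be base64
    encoded and written with '::' (RFC 2849); passwords often hit this rule."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<"))
             and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def build_sync_ldif(uid: str, new_password: str,
                    changed_at: datetime, max_life_days: int) -> str:
    """Two LDIF change records in the order they must be applied: first the
    password, then the expiration that the password change just reset."""
    dn = user_dn(uid)
    expiry = expiration_timestamp(changed_at, max_life_days)
    set_password = "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", new_password),
        "-",
    ])
    unexpire = "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: krbPasswordExpiration",
        ldif_line("krbPasswordExpiration", expiry),
        "-",
    ])
    return set_password + "\n\n" + unexpire + "\n"


def sample_ldif() -> str:
    """LDIF for a constructed user and password, used by the demo below."""
    return build_sync_ldif("jkugler", "correct horse battery staple",
                           SAMPLE_CHANGE_TIME, SAMPLE_MAX_LIFE_DAYS)


if __name__ == "__main__":
    # Pipe the output into ldapmodify (e.g. over ldaps, bound as an admin DN).
    print(sample_ldif(), end="")
```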

Re: [Freeipa-users] Unexpiring user passwords

2016-05-01 Thread Rob Crittenden

Joshua J. Kugler wrote:

I have read this page http://www.freeipa.org/page/New_Passwords_Expired

Aside from the fact that the decision should have been left to the company and
their policies, and violates the tenet that software should have sane
defaults while leaving flexibility to the user, I'm wondering if you can help
me.

We have a situation where the passwords in FreeIPA need to be synchronized
with another system in the company (a database of users, which is the
authoritative source for users and passwords).  But, from what I read, the
documentation is telling me we can't do that, because if we followed this work
flow:

1. User goes to "master DB" and changes their password
2. master DB runs a script which sets password on FreeIPA system
3. User's login is now broken because the password is expired.

It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling
people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us
at all)
2. It doesn't really improve security as claimed, because if the user's new
password is intercepted, the interceptor can use that password to login and
change the expired password, still giving access.

Is there a way around this? Is there a password synchronization protocol that
can be used to link up systems that need to have common logins?


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#password-sync

rob



[Freeipa-users] Unexpiring user passwords

2016-05-01 Thread Joshua J. Kugler
I have read this page http://www.freeipa.org/page/New_Passwords_Expired
 
Aside from the fact that the decision should have been left to the company and
their policies, and violates the tenet that software should have sane
defaults while leaving flexibility to the user, I'm wondering if you can help
me.

We have a situation where the passwords in FreeIPA need to be synchronized 
with another system in the company (a database of users, which is the 
authoritative source for users and passwords).  But, from what I read, the 
documentation is telling me we can't do that, because if we followed this work 
flow:

1. User goes to "master DB" and changes their password
2. master DB runs a script which sets password on FreeIPA system
3. User's login is now broken because the password is expired.

It is really unfortunate that this design decision was made, because
1. It prevents FreeIPA from being integrated with existing systems (telling 
people, effectively, you have to use FreeIPA for EVERYTHING or you can't use us 
at all)
2. It doesn't really improve security as claimed, because if the user's new 
password is intercepted, the interceptor can use that password to login and 
change the expired password, still giving access.

Is there a way around this? Is there a password synchronization protocol that 
can be used to link up systems that need to have common logins?

Thanks for any help you can offer!

j

-- 
Joshua J. Kugler -- Fairbanks, AK
Blogs: http://jjncj.com/blog/ (Family) -- http://joshuakugler.com (Geek)
Every knee shall bow, and every tongue confess, in heaven, on earth, and under 
the earth, that Jesus Christ is LORD



Re: [Freeipa-users] AD Trust failed with 'CIFS server configurationdoes not allow access to \\pipe\lsarpc'

2016-05-01 Thread Alexander Bokovoy

On Sun, 01 May 2016, Matrix wrote:

Hi, Alexander

log from /var/log/httpd/error_log

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels:
 all: 100
 tdb: 100
 printdrivers: 100
 lanman: 100
 smb: 100
 rpc_parse: 100
 rpc_srv: 100
 rpc_cli: 100
 passdb: 100
 sam: 100
 auth: 100
 winbind: 100
 vfs: 100
 idmap: 100
 quota: 100
 acls: 100
 locking: 100
 msdfs: 100
 dmapi: 100
 registry: 100
 scavenger: 100
 dns: 100
 ldb: 100
pm_process() returned Yes
Using binding ncacn_np:ipaserver.dev.example.net[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f1c1c0ff6b0
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c458350
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c45ba70
s4_tevent: Running timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Destroying timer event 0x7f1c1c45ba70 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 
netmask=255.255.254.0
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name 
ipaserver.dev.example.net<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c46d740
s4_tevent: Ending timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Running timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Ending timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f1c1c242c70
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Destroying timer event 0x7f1c1c242c70 "connect_multi_timer"
Socket options:
   SO_KEEPALIVE = 0
   SO_REUSEADDR = 0
   SO_BROADCAST = 0
   TCP_NODELAY = 1
   TCP_KEEPCNT = 9
   TCP_KEEPIDLE = 7200
   TCP_KEEPINTVL = 75
   IPTOS_LOWDELAY = 0
   IPTOS_THROUGHPUT = 0
   SO_REUSEPORT = 0
   SO_SNDBUF = 2626560
   SO_RCVBUF = 1061296
   SO_SNDLOWAT = 1
   SO_RCVLOWAT = 1
   SO_SNDTIMEO = 0
   SO_RCVTIMEO = 0
   TCP_QUICKACK = 1
   TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c2e3430
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c2e3430 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d600
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d600
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@dev.example.net will expire in 84175 secs
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c42a450
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c42a450 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c3e7650
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c3e7650 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c4441c0
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c4441c0 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c47fd40
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c47fd40 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Destroying timer event 0x7f1c1c0ff6b0 
"dcerpc_connect_timeout_handler"

Ok, so it is local smbd not answering well. This warrants going with the
full logs procedure as 

Re: [Freeipa-users] AD Trust failed with 'CIFS server configurationdoes not allow access to \\pipe\lsarpc'

2016-05-01 Thread Matrix
Hi, Alexander

log from /var/log/httpd/error_log

lpcfg_load: refreshing parameters from /usr/share/ipa/smb.conf.empty
Processing section "[global]"
INFO: Current debug levels:
  all: 100
  tdb: 100
  printdrivers: 100
  lanman: 100
  smb: 100
  rpc_parse: 100
  rpc_srv: 100
  rpc_cli: 100
  passdb: 100
  sam: 100
  auth: 100
  winbind: 100
  vfs: 100
  idmap: 100
  quota: 100
  acls: 100
  locking: 100
  msdfs: 100
  dmapi: 100
  registry: 100
  scavenger: 100
  dns: 100
  ldb: 100
pm_process() returned Yes
Using binding ncacn_np:ipaserver.dev.example.net[,print,smb2]
s4_tevent: Added timed event "dcerpc_connect_timeout_handler": 0x7f1c1c0ff6b0
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c458350
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c45ba70
s4_tevent: Running timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Destroying timer event 0x7f1c1c45ba70 "composite_trigger"
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 
netmask=255.255.254.0
added interface eth0 ip=192.168.10.241 bcast=192.168.11.255 
netmask=255.255.254.0
resolve_lmhosts: Attempting lmhosts lookup for name 
ipaserver.dev.example.net<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost
s4_tevent: Added timed event "composite_trigger": 0x7f1c1c46d740
s4_tevent: Ending timer event 0x7f1c1c458350 "composite_trigger"
s4_tevent: Running timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Ending timer event 0x7f1c1c46d740 "composite_trigger"
s4_tevent: Added timed event "connect_multi_timer": 0x7f1c1c242c70
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d750
s4_tevent: Destroying timer event 0x7f1c1c242c70 "connect_multi_timer"
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c2e3430
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c2e3430 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c04d600
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c04d600
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@dev.example.net will expire in 84175 secs
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c42a450
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c42a450 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c3e7650
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c3e7650 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c2ad220
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c4441c0
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c4441c0 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1c05db70
s4_tevent: Added timed event "tevent_req_timedout": 0x7f1c1c47fd40
signed SMB2 message
s4_tevent: Schedule immediate event "tevent_queue_immediate_trigger": 
0x7f1c1c2dd3d0
s4_tevent: Run immediate event "tevent_queue_immediate_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c47fd40 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Destroying timer event 0x7f1c1c0ff6b0 
"dcerpc_connect_timeout_handler"
[Sun May 01 13:53:05.420066 2016] [:error] [pid 6995] ipa: INFO: 
[jsonserver_session] 

Re: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'

2016-05-01 Thread Alexander Bokovoy

On Sun, 01 May 2016, Matrix wrote:

Hi, list

I am trying to set up an integration env between IPA and AD Windows 2012 R2.

The error below occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad 
examplemedia.net --admin Administrator --password"

# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin 
Administrator --password
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc


IPA / Samba Version, I am running with:

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

# tailf /var/log/httpd/error_log
[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: 
[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', 
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', 
all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: 
[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', 
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', 
all=False, raw=False, version=u'2.156'): RemoteRetrieveError

I have also tried the latest ipa-server version shipped by RHEL. The same error 
occurred.

It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix 
it.
Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try 
'ipa trust-add'. You'll get more detailed debugging output in error_log.

--
/ Alexander Bokovoy



[Freeipa-users] dnsforwardzone-add giving error

2016-05-01 Thread Ben .T.George
HI List,

I don't know how to explain this issue. I was trying IPA 4.3.1.

While adding DNS, I am getting the error below:

[root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled
by server(s): corp.kwttestdc.com.kw.


and in my resolv.conf I have given the following:

nameserver 127.0.0.1

Can someone please explain what the issue is and how to fix it?

Regards,
Ben

Re: [Freeipa-users] dnsforwardzone-add giving error

2016-05-01 Thread Ben .T.George
HI

After a reboot I tried the same command and got the error below:

[root@global ~]# ipa dnsforwardzone-add kwttestdc.com.kw
--forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain kwttestdc.com.kw. failed: All nameservers
failed to answer the query kwttestdc.com.kw. IN SOA: Server 127.0.0.1 UDP
port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53
anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered
The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS
operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.


This is the first time I am seeing this error.



On Sun, May 1, 2016 at 3:30 PM, Ben .T.George  wrote:

> HI List,
>
> I don't know how to explain this issue. I was trying IPA 4.3.1.
>
> While adding DNS, I am getting the error below:
>
> [root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw
> --forwarder=192.168.37.131 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is
> handled by server(s): corp.kwttestdc.com.kw.
>
>
> and in my resolv.conf I have given the following:
>
> nameserver 127.0.0.1
>
> Can someone please explain what the issue is and how to fix it?
>
> Regards,
> Ben
>
>
>

[Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'

2016-05-01 Thread Matrix
Hi, list

I am trying to set up an integration env between IPA and AD Windows 2012 R2.

The error below occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad 
examplemedia.net --admin Administrator --password"

# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin 
Administrator --password
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc


IPA / Samba Version, I am running with: 

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

# tailf /var/log/httpd/error_log
[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: 
[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', 
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', 
all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: 
[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', 
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', 
all=False, raw=False, version=u'2.156'): RemoteRetrieveError

I have also tried the latest ipa-server version shipped by RHEL. The same error 
occurred.

It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix 
it.

Matrix

Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version

2016-05-01 Thread Ben .T.George
Hi All,

Again, the link for IPA 4.3.1 is offline:

https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/



On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George 
wrote:

> Hi
>
> Wow. Thanks for your fast response.
>
> Regards
> Ben
> On 12 Apr 2016 16:09, "Martin Basti"  wrote:
>
>>
>>
>> On 12.04.2016 14:59, Ben .T.George wrote:
>>
>> Hi List,
>>
>> From where can I get repo details for the FreeIPA 4.3.1 version? The link
>> provided on the website is broken.
>> https://www.freeipa.org/page/Releases/4.3.1
>>
>> Please, someone give me the right package details.
>>
>> Regards,
>> Ben
>>
>>
>> Hello,
>>
>> thank you for the report, I fixed the page
>>
>> CentOS repos:
>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>>
>> Martin
>>
>