Re: [Freeipa-users] Debian client installation

2017-02-17 Thread Timo Aaltonen
On 17.02.2017 17:37, Per Qvindesland wrote:
> Hi All
> 
> I have installed the FreeIPA client by using 
> http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian 
> which works, but I am unable to get sudo to work on Debian 7.11 
> machines; the installed sssd version is 1.9.6, which I think is pretty old.
> 
> Does anyone have any suggestions on how to get sudo to work on Debian 7, 
> perhaps another, more up-to-date how-to?

you need sudo built with sssd support, which that repo is lacking.


-- 
t

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Installing on Ubuntu

2017-02-17 Thread Timo Aaltonen
On 18.02.2017 03:24, Robert L. Harris wrote:
> 
>I have an Ubuntu 16.04 test system which is currently clean.  I'm
> trying to install freeipa-server via apt and I'm getting an error about
> files missing :
> 
> Setting up freeipa-server (4.3.1-0ubuntu1) ...
> Running ipa-server-upgrade...
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> IOError: [Errno 2] No such file or directory:
> u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif'
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> dpkg: error processing package freeipa-server (--configure):
>  subprocess installed post-installation script returned error exit status 1
> dpkg: dependency problems prevent configuration of freeipa-server-dns:
>  freeipa-server-dns depends on freeipa-server (>= 4.3.1-0ubuntu1); however:
>   Package freeipa-server is not configured yet.

It shouldn't run ipa-server-upgrade on a clean install. What does:
python2 -c 'from ipaserver.install import installutils; print "yes" if
installutils.is_ipa_configured() else "no";'

return?


-- 
t



[Freeipa-users] Installing on Ubuntu

2017-02-17 Thread Robert L. Harris
   I have an Ubuntu 16.04 test system which is currently clean.  I'm trying
to install freeipa-server via apt and I'm getting an error about files
missing :

Setting up freeipa-server (4.3.1-0ubuntu1) ...
Running ipa-server-upgrade...
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno 2] No such file or directory:
u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more
information
dpkg: error processing package freeipa-server (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
 freeipa-server-dns depends on freeipa-server (>= 4.3.1-0ubuntu1); however:
  Package freeipa-server is not configured yet.


Anyone seen this? The only source I see for these files is the slapd
package, which conflicts with freeipa.

Robert
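The check Timo asks for in his reply above, reimplemented here as an added example for this page (it is not FreeIPA's own code) so that the "is IPA configured?" decision behind the package postinst is visible. The module list, the sysrestore file names and INI layout, and the record format in the index follow FreeIPA 4.x as far as I know them and are assumptions of this example; the sample contents written by demo() are constructed. The point it makes for Robert's case: a truly clean host answers "no", while leftover sysrestore state from an earlier, aborted install answers "yes", which is what would make ipa-server-upgrade run on a box that looks clean and then fail on a missing dse.ldif.

```python
"""Reimplementation of the "is IPA configured?" test that gates the upgrade.

Added example for this page, not FreeIPA's code. The postinst runs
ipa-server-upgrade only when installutils.is_ipa_configured() says yes, and
that answer comes from the sysrestore directory: the state file records which
IPA-managed services were touched, and the index records files that were
backed up before being modified. Either being non-empty means "configured".
The module list is the one FreeIPA 4.x keeps (an assumption for this example),
the file names and INI layout follow FreeIPA's sysrestore module, and the
sample contents in demo() are constructed.
"""
import configparser
import os
import tempfile

IPA_MODULES = ["httpd", "kadmin", "dirsrv", "pki-tomcatd", "install",
               "krb5kdc", "ntpd", "named", "ipa_memcached"]
SYSRESTORE_DIR = "/var/lib/ipa/sysrestore"


def _read_ini(path):
    cp = configparser.RawConfigParser()
    if os.path.exists(path):
        cp.read(path)
    return cp


def configured_modules(sysrestore_dir=SYSRESTORE_DIR):
    """Modules with a section in sysrestore.state."""
    state = _read_ini(os.path.join(sysrestore_dir, "sysrestore.state"))
    return [m for m in IPA_MODULES if state.has_section(m)]


def tracked_files(sysrestore_dir=SYSRESTORE_DIR):
    """Paths recorded in the [files] section of sysrestore.index.

    Each value is assumed to be a comma-separated record whose last field is
    the original path, as in FreeIPA's FileStore.
    """
    index = _read_ini(os.path.join(sysrestore_dir, "sysrestore.index"))
    if not index.has_section("files"):
        return []
    return [value.split(",")[-1] for _, value in index.items("files")]


def is_ipa_configured(sysrestore_dir=SYSRESTORE_DIR):
    """Same decision as FreeIPA's installutils.is_ipa_configured()."""
    return bool(configured_modules(sysrestore_dir)) or bool(tracked_files(sysrestore_dir))


def demo():
    """Constructed scenario: an empty sysrestore dir beside one with leftovers."""
    clean = tempfile.mkdtemp()
    leftover = tempfile.mkdtemp()
    with open(os.path.join(leftover, "sysrestore.state"), "w") as f:
        f.write("[dirsrv]\nenabled = True\nrunning = False\n")
    with open(os.path.join(leftover, "sysrestore.index"), "w") as f:
        f.write("[files]\n1 = 0000,0,0,0644,/etc/krb5.conf\n")
    return {
        "clean": is_ipa_configured(clean),
        "leftover": is_ipa_configured(leftover),
        "modules": configured_modules(leftover),
        "files": tracked_files(leftover),
    }


if __name__ == "__main__":
    print("this host:", "yes" if is_ipa_configured() else "no")
    print(demo())
```

If the real check on the host answers "yes" although nothing was ever deliberately installed, look at /var/lib/ipa/sysrestore before reinstalling; the installer's own advice for a partly configured system, running ipa-server-install --uninstall, is the supported way to clear that state.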

[Freeipa-users] Debian client installation

2017-02-17 Thread Per Qvindesland
Hi All

I have installed the FreeIPA client by using 
http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian 
which works, but I am unable to get sudo to work on Debian 7.11 machines; the 
installed sssd version is 1.9.6, which I think is pretty old.

Does anyone have any suggestions on how to get sudo to work on Debian 7, 
perhaps another, more up-to-date how-to?

Regards
Per
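An added check for the pieces this question depends on and that Timo's reply at the top of the page says the Debian repo lacks. This is example code written for this page, not code from the thread, from FreeIPA or from SSSD. It takes the output of sudo -V (run as root, so that sudo prints its "Configure options:" line), /etc/nsswitch.conf and /etc/sssd/sssd.conf as text, which lets it run offline on the constructed samples at the bottom; the sudo version string, domain name and server name in those samples are made up.

```python
"""Offline check of the client-side chain that sudo-through-SSSD needs.

Added example for this page; not code from the thread, FreeIPA or SSSD.
Three things must hold on the client:
  1. the sudo binary was built with SSSD support: when run as root, sudo -V
     prints a "Configure options:" line, and --with-sssd must be in it;
  2. /etc/nsswitch.conf lists sss as a source for the sudoers database;
  3. /etc/sssd/sssd.conf starts the sudo responder and the domain names a
     sudo_provider (ipa on a FreeIPA client).
Inputs are passed as text so the functions can run on the constructed samples
at the bottom; on a real host, pass the real file contents instead.
"""
import configparser
import re


def sudo_has_sssd_support(sudo_v_output):
    """True when the Configure options line of `sudo -V` contains --with-sssd."""
    for line in sudo_v_output.splitlines():
        if line.startswith("Configure options:"):
            return "--with-sssd" in line.split()
    # No Configure options line: sudo -V was not run as root, or sudo is too old.
    return False


def nsswitch_sudoers_sources(nsswitch_text):
    """Sources listed for the sudoers database, e.g. ['files', 'sss']."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"sudoers\s*:\s*(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def sssd_sudo_status(sssd_conf_text):
    """Is the sudo responder enabled, and which sudo_provider does each domain set?"""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    providers = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            providers[section[len("domain/"):]] = cp.get(section, "sudo_provider", fallback=None)
    return {"sudo_responder": "sudo" in services, "sudo_provider": providers}


def findings(sudo_v_output, nsswitch_text, sssd_conf_text):
    """List of problems; an empty list means the three conditions hold."""
    problems = []
    if not sudo_has_sssd_support(sudo_v_output):
        problems.append("sudo binary built without --with-sssd")
    if "sss" not in nsswitch_sudoers_sources(nsswitch_text):
        problems.append("nsswitch.conf: no 'sss' in the sudoers: line")
    status = sssd_sudo_status(sssd_conf_text)
    if not status["sudo_responder"]:
        problems.append("sssd.conf: 'sudo' missing from services in [sssd]")
    for domain, provider in status["sudo_provider"].items():
        if provider is None:
            problems.append("sssd.conf: [domain/%s] sets no sudo_provider" % domain)
    return problems


# Constructed samples (made up for this example, not captured from a host).
# BROKEN_* mirror the situation in the question: a sudo built without SSSD
# support and an nsswitch.conf that was never given a sudoers: line.
BROKEN_SUDO_V = "Sudo version 1.8.5p2\nConfigure options: --prefix=/usr --with-pam\n"
OK_SUDO_V = "Sudo version 1.8.5p2\nConfigure options: --prefix=/usr --with-pam --with-sssd\n"
BROKEN_NSSWITCH = "passwd: files sss\ngroup: files sss\n"
OK_NSSWITCH = "passwd: files sss\ngroup: files sss\nsudoers: files sss\n"
SSSD_CONF = """[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_server = ipa.example.com
"""

if __name__ == "__main__":
    for label, sudo_v, nss in (("broken", BROKEN_SUDO_V, BROKEN_NSSWITCH),
                               ("fixed", OK_SUDO_V, OK_NSSWITCH)):
        print(label, findings(sudo_v, nss, SSSD_CONF))
```

The first finding is the one that decides this question: sudo's sudoers plugin only consults SSSD's sudo rules when the binary was built with --with-sssd, so no amount of sssd.conf or nsswitch.conf editing helps until the package itself is replaced.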


Re: [Freeipa-users] How to change kerberos key lifetime?

2017-02-17 Thread Lukas Slebodnik
On (16/02/17 18:05), William Muriithi wrote:
>> The fact that your desktops are using SSSD changes the situation 
>> dramatically.
>>
>> SSSD (with the ipa or krb5 provider) obtains a ticket for the user when 
>> they log in, and can be configured to renew the ticket for the user until 
>> the ticket's renewable lifetime expires.
>>
>> Given this, you can keep the ticket lifetime reasonably short (~1 day), set 
>> the ticket renewable lifetime to a longer period (~2 weeks), and maintain a 
>> reasonable security level without negative impact on users' daily work.
>>
>> Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime 
>> options in the sssd-krb5 man page.
>>
>>
>Thanks a lot. I did actually end up using this. Will wait for a
>couple of days, see if the situation is better, and update you.
>
>Curious though, why isn't the renewal interval set up by default? Is there
>a negative consequence of having SSSD renew tickets by default? I
>can't think of any and hence am a bit lost on explaining the default
>setup.

Desktop/laptop users usually do not need automatic renewal.
They authenticate/log in/unlock the screen quite often, and for each
action sssd authenticates against the IPA server, which automatically gets/renews
the krb5 ticket. Unless the machine is offline.

LS

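An added simulation of the renewal behaviour the quoted advice relies on, written for this page (it is not SSSD's code). It reads the three sssd-krb5 options from a constructed sssd.conf fragment and walks a cached TGT through time under the rules sssd-krb5(5) describes: a renewal hands out a fresh lifetime but never moves the renew-till instant fixed at login, and a renewal needs the KDC, so nothing is renewed while the machine is offline, which is the case Lukas's last sentence points at. The domain name and the offline window are made up.

```python
"""Simulate SSSD TGT renewal under the sssd-krb5 options named above.

Added example for this page, not SSSD's code. The model follows sssd-krb5(5):
krb5_lifetime is the ticket lifetime requested at login, krb5_renewable_lifetime
the renewable lifetime, and every krb5_renew_interval seconds SSSD checks the
cached TGT and renews it once about half of its lifetime has passed. Two
properties drive the security trade-off: a renewal gives a fresh lifetime but
never moves the renew-till instant fixed at login, and a renewal needs the KDC,
so nothing is renewed while the machine is offline.
The sssd.conf fragment, domain name and offline window are constructed.
"""
import configparser

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """krb5-style duration: '1d', '2h', '30m', '45s' or bare seconds."""
    text = text.strip()
    if text and text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def krb5_settings(sssd_conf_text, domain):
    """Read the three options for one [domain/...] section, in seconds."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    sec = "domain/" + domain
    return {
        "lifetime": parse_duration(cp.get(sec, "krb5_lifetime", fallback="0")),
        "renewable": parse_duration(cp.get(sec, "krb5_renewable_lifetime", fallback="0")),
        "interval": parse_duration(cp.get(sec, "krb5_renew_interval", fallback="0")),
    }


def simulate(settings, offline=()):
    """Return (seconds after login until the TGT is finally unusable, renewals).

    offline: (start, end) pairs, seconds after login, when the KDC is unreachable.
    """
    lifetime = settings["lifetime"]
    renewable = settings["renewable"]
    interval = settings["interval"]
    if interval <= 0 or renewable <= lifetime:
        return lifetime, 0                   # renewal not configured: plain expiry
    issued, end, renew_till, renewals = 0, lifetime, renewable, 0
    t = 0
    while True:
        t += interval
        if t >= end:
            break                            # expired before a check could save it
        half_gone = t - issued >= lifetime / 2
        kdc_reachable = not any(a <= t < b for a, b in offline)
        if half_gone and kdc_reachable and end < renew_till:
            issued = t
            end = min(t + lifetime, renew_till)   # renew_till caps every renewal
            renewals += 1
    return end, renewals


# Constructed sssd.conf fragment with the values suggested above (~1 day, ~2 weeks).
SSSD_CONF = """[domain/example.com]
id_provider = ipa
auth_provider = ipa
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 1h
"""

if __name__ == "__main__":
    s = krb5_settings(SSSD_CONF, "example.com")
    print("with renewal, always online:", simulate(s))
    print("renewal disabled:", simulate(dict(s, renewable=0)))
    # Laptop closed 10h after login and offline until 30h: the 1-day ticket
    # expires unrenewed and the user must re-authenticate when back online.
    print("offline 10h-30h:", simulate(s, offline=[(10 * 3600, 30 * 3600)]))
```

Read the two numbers as the exposure window of a copied credential cache: the remaining lifetime is how long it works without the KDC being involved at all, and renew-till is how long it can be kept alive without the password; neither renewal nor theft gets past renew-till. The KDC also caps what the client asks for, so on IPA the server-side policy (ipa krbtpolicy-mod --maxlife and --maxrenew, in seconds) has to allow the ~1 day / ~2 weeks pair, otherwise the client's settings are silently clipped.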


Re: [Freeipa-users] can't add replica: failed to start the directory server

2017-02-17 Thread Tiemen Ruiten
I went through that bug report, particularly this section...

OK, I think I found the error. On the logs I get something like this
*before* the failing dirsrv restart:

2017-01-14T03:41:28Z DEBUG   [27/44]: retrieving DS Certificate
2017-01-14T03:41:28Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-14T03:41:28Z DEBUG Starting external process
2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d
/etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
2017-01-14T03:41:28Z DEBUG Process finished, return code=255
2017-01-14T03:41:28Z DEBUG stdout=
2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert:
EXAMPLE.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found

So, when the process stopped, I ran the command again:

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n
EXAMPLE.COM IPA CA -a
certutil: Could not find cert: EXAMPLE.COM
: PR_FILE_NOT_FOUND_ERROR: File not found


and thought "wait... something is missing there":

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n
"EXAMPLE.COM IPA CA" -a
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

So, could this be the problem?

...and indeed when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
[sudo] password for tiemen:
certutil: Could not find cert: IPA.RDMEDIA.COM
: PR_FILE_NOT_FOUND_ERROR: File not found


and when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
/etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

valid certificate output. Where can I change this command to quote this
string?


On 16 February 2017 at 17:29, Jeff Goddard wrote:

> Might be another instance of this: https://fedorahosted.org/freeipa/ticket/6613
>
> Jeff
>
> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten wrote:
>
>> Hello,
>>
>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
>> I'm getting this error:
>>
>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
>>> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>> Checking DNS forwarders, please wait ...
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>   [1/44]: creating directory server user
>>>   [2/44]: creating directory server instance
>>>   [3/44]: updating configuration in dse.ldif
>>>   [4/44]: restarting directory server
>>>   [5/44]: adding default schema
>>>   [6/44]: enabling memberof plugin
>>>   [7/44]: enabling winsync plugin
>>>   [8/44]: configuring replication version plugin
>>>   [9/44]: enabling IPA enrollment plugin
>>>   [10/44]: enabling ldapi
>>>   [11/44]: configuring uniqueness plugin
>>>   [12/44]: configuring uuid plugin
>>>   [13/44]: configuring modrdn plugin
>>>   [14/44]: configuring DNS plugin
>>>   [15/44]: enabling entryUSN plugin
>>>   [16/44]: configuring lockout plugin
>>>   [17/44]: configuring topology plugin
>>>   [18/44]: creating indices
>>>   [19/44]: enabling referential integrity plugin
>>>   [20/44]: configuring certmap.conf
>>>   [21/44]: configure autobind for root
>>>   [22/44]: configure new location for managed entries
>>>   [23/44]: configure dirsrv ccache
>>>   [24/44]: enabling SASL mapping fallback
>>>   [25/44]: restarting directory server
>>>   [26/44]: creating DS keytab
>>>   [27/44]: retrieving DS Certificate
>>>   [28/44]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server (Command
>>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>>> non-zero exit status 1). See the installation log for details.
>>>   [29/44]: setting up initial replication
>>>   [error] error: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>>> Connection refused
>>> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>>> for more information
>>
>>
>> In /var/log/ipareplica-install.log we find:
>>
>> 2017-02-16T15:53:59Z DEBUG   [27/44]: retrieving DS Certificate
>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>
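An added example for the quoting question in the message above; it is written for this page and is not FreeIPA code. The installer log renders the certutil invocation as one space-joined "args=" line, and the NSS nickname "IPA.RDMEDIA.COM IPA CA" contains spaces, so that line looks identical whether certutil received the nickname as one argument or as three. The code builds the command the robust way, as an argv list, renders it both as the log does and as shlex.join does, and splits each rendering the way a shell would; a Python one-liner that echoes its argv stands in for certutil so the demonstration runs where certutil is not installed. The database path and nickname are the ones from the thread.

```python
"""Why the "args=" log line cannot settle how the nickname was passed.

Added example for this page, not FreeIPA code. The installer log quoted in
the thread renders the certutil command as one space-joined line, and the NSS
nickname "IPA.RDMEDIA.COM IPA CA" contains spaces, so the line looks the same
whether certutil received the nickname as one argument or as three. Below the
command is built the robust way, as an argv list, then rendered two ways:
joined with spaces (what the log shows) and shell-quoted with shlex.join. Each
rendering is split the way a shell would and handed to a stand-in child
(a Python one-liner that echoes its argv; certutil itself is not needed for
the point) to show exactly what the program would see.
"""
import json
import shlex
import subprocess
import sys


def certutil_argv(db_dir, nickname):
    """argv for `certutil -d DB -L -n NICK -a`; the nickname stays one element."""
    return ["/usr/bin/certutil", "-d", db_dir, "-L", "-n", nickname, "-a"]


def logged_form(argv):
    """A ' '.join()-style debug rendering: argument boundaries are lost."""
    return " ".join(argv)


def shell_safe_form(argv):
    """A rendering that survives a copy-paste back into a shell."""
    return shlex.join(argv)


def argv_seen_by_child(args):
    """Spawn the stand-in child with `args` and return the argv it received."""
    probe = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(probe + list(args), capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


def compare(db_dir="/etc/dirsrv/slapd-IPA-RDMEDIA-COM/", nickname="IPA.RDMEDIA.COM IPA CA"):
    """Three ways the same command can reach certutil (defaults taken from the thread)."""
    argv = certutil_argv(db_dir, nickname)
    return {
        # argv list passed straight to the child: one nickname argument
        "direct": argv_seen_by_child(argv[1:]),
        # the logged line re-typed in a shell: nickname split into three words
        "retyped_log_line": argv_seen_by_child(shlex.split(logged_form(argv))[1:]),
        # the shlex.join rendering re-typed: nickname intact
        "retyped_quoted": argv_seen_by_child(shlex.split(shell_safe_form(argv))[1:]),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(name, seen)
```

The "retyped_log_line" result is the "Could not find cert: IPA.RDMEDIA.COM" outcome of the hand-typed command in the thread: only the first word reaches -n. Note that in the bug-report excerpt quoted earlier in the message, the installer's own stderr names the full nickname ("Could not find cert: EXAMPLE.COM IPA CA") while the hand-typed unquoted command names only "EXAMPLE.COM", so the installer had passed the nickname as a single argument there; the joined log rendering is what makes the two look alike. When reproducing an installer command from such a log, quote every argument that contains spaces, or call it from Python with the same list.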