Re: [Freeipa-users] need info on AD / IPA coexistence
We use the group.example.com as the primary domain name, even for windows clients. So a typical windows pc has:

    ip:     192.168.0.100
    dns1:   linux-dns-server1
    dns2:   linux-dns-server2
    search: group.example.com

That way the windows pcs only use their melb.example.com domain for authentication and then switch back to group.example.com to communicate with other hosts on the network.

Anyway, this is just how I worked it out, there must be a better way out there...

cya

Craig

On Fri, Feb 24, 2012 at 02:44:59AM +, Steven Jones wrote:
> I think we are doing the same thing here, seemed to have arrived at the same conclusion! I have the AD DNS servers hand off the sub-domain to the IPA servers, so they are the masters for all things linux/unix; the reverse IP domains on the IPA servers are slaved from the AD DNS however, as the subnets are mixed clients. This means I have to add linux servers manually in the reverse AD zones, not sure what I will do with clients as they are dhcp, have a look to see if I can do dns updates for a client dynamically.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Craig T [free...@noboost.org]
> Sent: Friday, 24 February 2012 3:27 p.m.
> To: Brian Cook
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] need info on AD / IPA coexistence
>
> Hi Brian,
>
> I spent a lot of time on this topic. In the end we decided to do the following;
>
>     Microsoft domain: melb.example.com
>     Linux Domain:     group.example.com
>
> The linux DNS server is a slave to the Windows AD DNS servers and a master DNS for group.example.com. All PCs point to our Linux DNS server which is hosting a slave copy of the melb.example.com. Amazingly this all works fine.
>
> note: at the moment at least, we are keeping two separate user lists. I had sync working at one stage, but couldn't get the group memberships to come over correctly when going from Linux --> AD.
>
> cya
>
> Craig
>
> On Thu, Feb 23, 2012 at 09:12:37PM -0500, Brian Cook wrote:
>> I would not expect that there would be any problem with AD and IPA coexisting when the realm names are different, but I have heard reports that there are problems, especially when Linux clients are configured to use AD for DNS. Trying to figure out what the problem is. I understand your delegated dns setup. What if the customer must use AD for all DNS?
>>
>> -Brian
>>
>> On Feb 23, 2012, at 3:28 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
>>> Hi,
>>>
>>> Subnet? IP addressing will not matter, it's DNS that is the main issue, for me anyway. I can't see IP / subnets matter?
>>>
>>> So, yes if you have AD as the same realm as IPA then only one will work well from what I can read, IPA has to have its neat auto-discovery/balancing features turned off, or at least hobbled.
>>>
>>> So, as an example I have vuw.ac.nz as the AD DNS domain/kerberos realm and then unix.vuw.ac.nz as the sub-domain/sub kerberos realm, with AD delegating DNS to the IPA servers. This way the unix domain is independent but referenced... eg I find the auto-discovery is working fine... So windows clients talk to AD directly, linux clients talk to IPA directly, if the linux clients need to DNS the IPA servers get that for them from AD.
>>>
>>> I have some visio diagrams of how I have done it if you want them, it may not be the best way? but with so little architecture info available it's all I have.
>>>
>>> regards
>>>
>>> Steven Jones
>>> Technical Specialist - Linux RHCE
>>> Victoria University, Wellington, NZ
>>> 0064 4 463 6272
>>>
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Brian Cook [bc...@redhat.com]
>>> Sent: Friday, 24 February 2012 9:59 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] need info on AD / IPA coexistence
>>>
>>> I have heard that we currently have problems with IPA and AD existing on the same subnet, possibly only when using AD as DNS servers, possibly even when the realm names are different.
>>>
>>> I have not been able to find good concrete information or BZ's regarding this. I am looking for clarification as to what problems exist, why, is it a bug or just a fact, is it our bug or is it a MS-AD issue, etc. I need to understand what is going on as I have customers who are looking to deploy mixed IPA / AD environments.
>>>
>>> Any help or information would be appreciated.
>>>
>>> Thanks,
>>> Brian
>>>
>>> ---
>>> Brian Cook
>>> Solutions Architect, West Region
>>> Red Hat, Inc.
>>> 407-212-7079
>>> bc...@redhat.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
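The split Craig describes (the Linux DNS server authoritative for group.example.com while carrying a secondary copy of the AD zone melb.example.com) expressed as a BIND 9 named.conf fragment. This is an added illustration, not configuration posted in the thread; it assumes the Linux DNS server runs BIND and uses made-up addresses for the AD DNS servers (192.168.0.5 and 192.168.0.6) and for linux-dns-server2 (192.168.0.11).

```conf
// Added example (not from the thread): BIND 9 fragment for the split described above.
// All addresses are assumed.

// Authoritative zone for the Linux/IPA side of the house
zone "group.example.com" IN {
    type master;
    file "/var/named/group.example.com.db";
    allow-transfer { 192.168.0.11; };        // linux-dns-server2 (assumed address)
    allow-update { none; };                  // static zone: no unauthenticated dynamic updates
};

// Read-only secondary copy of the Windows AD zone, pulled from the AD DNS servers,
// so PCs pointed at this server still resolve melb.example.com (including the
// _ldap/_kerberos SRV records AD clients use to find domain controllers)
zone "melb.example.com" IN {
    type slave;
    masters { 192.168.0.5; 192.168.0.6; };   // AD DNS servers (assumed addresses)
    file "slaves/melb.example.com.db";
};
```

Two things to check before relying on this: the AD DNS servers must explicitly allow zone transfers to the Linux server's address (Windows DNS refuses transfers by default), and because the secondary copy is read-only, Windows clients' dynamic DNS registrations still have to reach the AD servers named in the zone's SOA/NS records, so those must stay resolvable and reachable from the client subnets.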
Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>>> Hi,
>>>
>>> Server: RHEL6.2
>>>
>>> Spec:
>>> ipa-admintools-2.1.3-9.el6.x86_64
>>> ipa-client-2.1.3-9.el6.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.1.3-9.el6.x86_64
>>> ipa-server-2.1.3-9.el6.x86_64
>>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>
>>> Error:
>>> I had this working on Friday night, came in Monday and then this error appeared?
>>>
>>> kinit -V craig
>>> Using default cache: /tmp/krb5cc_0
>>> Using principal: cr...@example.com
>>> kinit: Generic error (see e-text) while getting initial credentials
>>>
>>> Server Side Error: (File: /var/log/krb5kdc.log)
>>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>>
>>> Usual Questions:
>>> Should I simply reset the password?
>>
>> It seem like the only option to quickly recover access to your user.
>>
>>> Is it a bug?
>>
>> It may be.
>> Did you do anything special with this user ?
>> Did this happen immediately after a password change ?
>> Or immediately after a FreeIPA or krb5kdc upgrade ?
>> Can you give a little more context around this ?

Issue Solved! I worked out that my LDAP Browser was changing the attributes of the krbPrincipalKey entry just by simply clicking on the attribute entry!! Not a good idea.

Have a look at the before and after;

BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=

---

>> Also could you ldapsearch this user entry before you change your password using 'cn=Directory Manager' as user in order to retrieve the key attribute and send the ldif to me in private ?
>> I want to see if the key blob at least looks normal (do not worry about your password, the key material is itself encrypted).
>>
>> It might also be handy to see who last updated this entry before you reset the password (if it isn't too late):
>> modifyTimestamp
>> lastModifiedBy
>>
>>> Anyone else seen this error?
>>
>> Haven't seen any report, and haven't ever occurred in my testing.
>>
>> Simo,
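Decoding the two values Craig quotes shows exactly what the LDAP browser did: the "AFTER" blob is the original DER with every byte above 0x7F replaced by the UTF-8 encoding of U+FFFD (EF BF BD) and the value cut off at the first 0x00 byte, which is what happens when binary data is round-tripped as a text string. The script below is an added example (mine, not FreeIPA's or the KDC's code) that performs the same sanity check the KDC's error message implies: decode the LDIF base64, parse the outer DER SEQUENCE header, confirm its declared length covers the whole value, and count replacement-character sequences. It uses the two values quoted above as its sample input.

```python
import base64

# Sample input: the two krbPrincipalKey values quoted in this thread (LDIF wraps
# base64 at 76 columns with a leading space on continuation lines, so all
# whitespace is stripped before decoding).
BEFORE_B64 = """
MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
"""
AFTER_B64 = "MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE="

# UTF-8 encoding of U+FFFD, the marker a text-oriented client leaves behind
# for every byte it could not interpret as UTF-8.
REPLACEMENT_CHAR = "\ufffd".encode("utf-8")   # b"\xef\xbf\xbd"


def decode_ldif_base64(text):
    """Join wrapped LDIF base64 lines and decode them to bytes."""
    return base64.b64decode("".join(text.split()), validate=True)


def der_outer_header(blob):
    """Return (tag, declared_length, header_length) of the outermost DER
    element, or raise ValueError when the length field runs off the data."""
    if len(blob) < 2:
        raise ValueError("ASN.1 encoding ended unexpectedly")
    tag, first = blob[0], blob[1]
    if first < 0x80:                      # short form: one length byte
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("ASN.1 encoding ended unexpectedly")
    return tag, int.from_bytes(blob[2:2 + n], "big"), 2 + n


def inspect_principal_key(b64text):
    """Structural health report for one krbPrincipalKey value."""
    blob = decode_ldif_base64(b64text)
    report = {
        "bytes": len(blob),
        "utf8_replacement_chars": blob.count(REPLACEMENT_CHAR),
    }
    try:
        tag, length, hdr = der_outer_header(blob)
        report["tag"] = tag
        report["declared_length"] = length
        # A healthy value is a single SEQUENCE (0x30) whose declared length
        # accounts for every byte that follows the header.
        report["structurally_ok"] = tag == 0x30 and hdr + length == len(blob)
    except ValueError as err:
        report["structurally_ok"] = False
        report["error"] = str(err)
    return report


if __name__ == "__main__":
    for label, value in (("BEFORE", BEFORE_B64), ("AFTER", AFTER_B64)):
        print(label, inspect_principal_key(value))
```

Run against the thread's values the BEFORE blob parses as a 416-byte SEQUENCE declaring 412 bytes of content, while the AFTER blob is 35 bytes, contains six replacement-character sequences and fails at the length byte (0xEF asks for 111 length bytes), which is the same condition the KDC reports as "ASN.1 encoding ended unexpectedly". The same check, run over an ldapsearch dump of cn=users, is a cheap way to find other principals whose keys a GUI client may have damaged before users start failing kinit.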
[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials
Hi,

Server: RHEL6.2

Spec:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

Error:
I had this working on Friday night, came in Monday and then this error appeared?

kinit -V craig
Using default cache: /tmp/krb5cc_0
Using principal: cr...@example.com
kinit: Generic error (see e-text) while getting initial credentials

Server Side Error: (File: /var/log/krb5kdc.log)
Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)

Usual Questions:
Should I simply reset the password?
Is it a bug?
Anyone else seen this error?

Regards,
Craig
Re: [Freeipa-users] IPA Error on Server with Public IP?? cannot use IP network address
A friend of mine helped me work this out. FreeIPA install script is checking to see if the IP is the same as the broadcast address. I've never hosted a VPS server so I'm not sure if the IP mask could have been better configured?

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.111.111.1  P-t-P:100.111.111.1  Bcast:100.111.111.1  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

The workaround: /usr/lib/python2.6/site-packages/ipapython/ipautil.py line 145 as below.. remark all 4 lines and it'll continue

    if addr == net.network:
        raise ValueError("cannot use IP network address")
    if addr.version == 4 and addr == net.broadcast:
        raise ValueError("cannot use broadcast IP address")

cya

Craig

On Wed, Feb 08, 2012 at 03:39:34PM +1100, Craig T wrote:
> Hi,
>
> Is IPA somehow restricted from running on machines with a public IP address?
>
> I'm attempting to install IPA for practise on my Linux VPS (Centos 6.2 x86_64);
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
>
> Error:
> Server host name [mx1.example.com]:
> root: DEBUG will use host_name: mx1.example.com
> The domain name has been calculated based on the host name.
> Please confirm the domain name [example.com]:
> root: DEBUG read domain_name: example.com
> root: DEBUG args=/sbin/ip -family inet -oneline address show
> root: DEBUG stdout=1: lo    inet 127.0.0.1/8 scope host lo
> 3: venet0    inet 127.0.0.1/32 scope host venet0
> 3: venet0    inet 100.111.111.1/32 brd 100.111.111.1 scope global venet0:0
> 3: venet0    inet 100.111.111.2/32 brd 100.111.111.2 scope global venet0:1
> root: DEBUG stderr=
> Unexpected error - see ipaserver-install.log for details:
> cannot use IP network address
> root: DEBUG cannot use IP network address
>   File "/usr/sbin/ipa-server-install", line 1151, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-server-install", line 770, in main
>     ip = CheckedIPAddress(hostaddr, match_local=True)
>   File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 145, in __init__
>     raise ValueError("cannot use IP network address")
>
> cya
>
> Craig
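The failure above is an edge case of a sensible check: on a /32 interface (the VPS venet0 case) the network address, the broadcast address and the host address are all the same value, so the installer's "is this the network address?" test can never pass. The added example below (mine, not FreeIPA's code) re-expresses the four quoted lines with the standard-library ipaddress module, then shows a narrower alternative to commenting the check out entirely: keep the reserved-address test for ordinary subnets and skip it only where the netmask leaves no room for reserved addresses (/32, or a /31 point-to-point link per RFC 3021). The function names and the "skip when num_addresses <= 2" rule are my own assumptions, not FreeIPA's later fix.

```python
import ipaddress


def ipautil_style_check(addr_str, prefixlen):
    """The check quoted from ipautil.py in this thread, rewritten with the
    stdlib ipaddress module: reject the network and broadcast addresses."""
    addr = ipaddress.ip_address(addr_str)
    net = ipaddress.ip_network(f"{addr_str}/{prefixlen}", strict=False)
    if addr == net.network_address:
        raise ValueError("cannot use IP network address")
    if addr.version == 4 and addr == net.broadcast_address:
        raise ValueError("cannot use broadcast IP address")
    return addr


def host_only_aware_check(addr_str, prefixlen):
    """Hypothetical narrower variant (my suggestion, not FreeIPA's code): a /32,
    or a /31 point-to-point link (RFC 3021), has no separate network or
    broadcast address, so the reserved-address test is meaningless there and
    is skipped; every other prefix length keeps the full check."""
    net = ipaddress.ip_network(f"{addr_str}/{prefixlen}", strict=False)
    if net.num_addresses <= 2:
        return ipaddress.ip_address(addr_str)
    return ipautil_style_check(addr_str, prefixlen)


def outcome(check, addr_str, prefixlen):
    """Run a check and report the accepted address or the rejection text."""
    try:
        return str(check(addr_str, prefixlen))
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    # The VPS case from the thread: 100.111.111.1 with mask 255.255.255.255
    for check in (ipautil_style_check, host_only_aware_check):
        print(check.__name__, outcome(check, "100.111.111.1", 32))
    # Ordinary /24 subnet: both variants still reject .0 and .255
    print(outcome(host_only_aware_check, "192.168.0.0", 24))
    print(outcome(host_only_aware_check, "192.168.0.255", 24))
```

The narrower variant keeps the protection the original check provides on normal subnets (an IPA server accidentally given the broadcast address would be unreachable and would confuse DNS records) while accepting the single-address interfaces that VPS providers hand out.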
[Freeipa-users] Dovecot IMAP with IPA 2.x?
hi,

Has anyone setup Dovecot IMAP to work with IPA 2.x yet?

I'm thinking the best config would be to use;
* IMAPS between the mail clients and Dovecot server
* LDAPS with Passdb LDAP with authentication binds to connect to IPA?

ref: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds

cya

Craig
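The arrangement Craig proposes, as an added configuration sketch (not from the thread or the Dovecot project): Dovecot verifies each IMAP login by binding to IPA's LDAP server as that user over LDAPS, so no service account ever needs read access to password attributes. It assumes an IPA server named ipa.example.com, the dc=example,dc=com suffix seen elsewhere in this archive, IPA's standard user container cn=users,cn=accounts, and a Dovecot 2.x client host enrolled with ipa-client-install (which leaves the IPA CA certificate at /etc/ipa/ca.crt).

```conf
# Added example, not from the thread. Hostnames and paths are assumed.

# /etc/dovecot/conf.d/10-auth.conf (relevant lines)
disable_plaintext_auth = yes    # plaintext mechanisms only over TLS (IMAPS / STARTTLS)
auth_mechanisms = plain login   # auth binds require the clear password; no CRAM/DIGEST

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

# /etc/dovecot/dovecot-ldap.conf.ext
uris = ldaps://ipa.example.com            # assumed IPA server name; LDAPS on 636
tls_ca_cert_file = /etc/ipa/ca.crt        # IPA CA, installed by ipa-client-install
tls_require_cert = hard                   # reject untrusted or mismatched certificates
ldap_version = 3
base = cn=users,cn=accounts,dc=example,dc=com

# Authenticate by binding as the user; Dovecot never reads a password hash.
auth_bind = yes
auth_bind_userdn = uid=%u,cn=users,cn=accounts,dc=example,dc=com

pass_filter = (&(objectClass=posixAccount)(uid=%u))
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

Two caveats: the userdb lookup runs outside the user's own bind, so the IPA directory must either permit anonymous reads of those attributes or the file needs a low-privilege `dn`/`dnpass` service account for that search; and auth binds still do not enforce IPA's host-based access control, which only SSSD-based clients evaluate, so any "who may use IMAP" policy has to be expressed in the LDAP filter (for example by group membership) rather than expected from HBAC.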
[Freeipa-users] Host Based Access Control and Solaris?
Hi,

Server: RHEL6.2
Spec: ipa-server-2.1.3-9

1) After reading the IPA documentation, it seems that HBAC is only available to SSSD clients. This would suggest that I'm not going to be able to configure it for Solaris hosts?

    Using host-based access control requires SSSD to be installed and configured on the IPA client machine.

2) Does this mean that I won't be able to control who can log onto our solaris servers? Perhaps I'll have to configure a custom /etc/hosts.deny entry?

cya

Craig
[Freeipa-users] Hot Backup Solution for IPA 2.x?
Hi,

Is there a hot backup technique for IPA? From my reading the best solution is to setup a replication server then shut the replication server down and do a backup?

cya

Craig
Re: [Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)
Thanks for that, I will try it again tomorrow.

Just curious, but I'm getting the impression that when we do finally go live with IPA v2.x it will take some monitoring to ensure that clients are always compatible? I imagine that when Fedora 18 comes out, my now current IPA Server may have issues with that ipa-client? Are Redhat planning to make this backward and forward compatible? I only ask because at this stage we don't have a SOE for our LAN.

cya

Craig

On Mon, Dec 19, 2011 at 10:30:38AM +0200, Alexander Bokovoy wrote:
> On Mon, 19 Dec 2011, Craig T wrote:
>> Hi,
>>
>> Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?
>>
>> Server: Red Hat Enterprise Linux Server release 6.2 (Santiago)
>> ipa-admintools-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>
>> Client: Fedora release 16 (Verne)
>> freeipa-client-2.1.3-5.fc16.x86_64
>> freeipa-python-2.1.3-5.fc16.x86_64
>
> Please use packages for 2.1.4 version for the clients (available in updates-testing).
>
> --
> / Alexander Bokovoy
[Freeipa-users] Fedora 16 with new RHEL 6.2 Server? (RPC failed at server Error)
Hi,

Has anyone done testing with the new RHEL6.2 and Fedora 16x64 client?

Server: Red Hat Enterprise Linux Server release 6.2 (Santiago)
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64

Client: Fedora release 16 (Verne)
freeipa-client-2.1.3-5.fc16.x86_64
freeipa-python-2.1.3-5.fc16.x86_64

Error:
--
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>join</methodName>
<params>
<param><value><array><data>
<value><string>chtpc.teratext.saic.com.au</string></value>
</data></array></value></param>
<param><value><struct>
<member><name>nsosversion</name>
<value><string>3.1.5-2.fc16.x86_64</string></value></member>
<member><name>nshardwareplatform</name>
<value><string>x86_64</string></value></member>
</struct></value></param>
</params>
</methodCall>

XML-RPC RESPONSE:
<?xml version='1.0' encoding='UTF-8'?>
<methodResponse>
<fault>
<value><struct>
<member>
<name>faultCode</name>
<value><int>911</int></value>
</member>
<member>
<name>faultString</name>
<value><string>Missing or invalid HTTP Referer, missing</string></value>
</member>
</struct></value>
</fault>
</methodResponse>

RPC failed at server. Missing or invalid HTTP Referer, missing
--

Regards,
Craig
[Freeipa-users] NetApp Filer with IPA?
Hi,

Has anyone tried configuring a NetApp Fas 270 filer to work with IPA? I had it working perfectly via LDAP auth with 389 Directory Server (No IPA config) earlier, however I'm new to IPA and I'm not sure about the importance of being part of the IPA REALM for a device that will just use LDAP auth?

cya

Craig
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
brilliant! I checked /var/log/messages and found;

Nov 30 10:33:58 chtvm-centos-6 sssd[be[teratext.saic.com.au]]: Starting up
Nov 30 10:33:58 chtvm-centos-6 kernel: sssd_be[1516]: segfault at 10 ip 003a12a13eee sp 7fffdb5e3b60 error 4 in libldap-2.4.so.2.5.2[3a12a0+43000]
Nov 30 10:33:58 chtvm-centos-6 kernel: abrt-hook-ccpp[1598]: segfault at 0 ip 0039fea800d2 sp 7fff4a1fc5f8 error 4 in libc-2.12.so[39fea0+175000]
Nov 30 10:33:58 chtvm-centos-6 kernel: Process 1598(abrt-hook-ccpp) has RLIMIT_CORE set to 1
Nov 30 10:33:58 chtvm-centos-6 kernel: Aborting core

I then upgraded openldap to openldap-2.4.23-19.el6.x86_64 and now the ipa-client-install script works perfectly ;)

Regards,
Craig

On Wed, Nov 30, 2011 at 12:39:38PM +0100, Jakub Hrozek wrote:
> On Tue, Nov 29, 2011 at 09:43:55PM -0500, Rob Crittenden wrote:
>> Craig T wrote:
>>> Hi,
>>>
>>> I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. See errors below;
>>>
>>> --
>>> [root@chtvm-centos-6 /]# ipa-client-install
>>> Discovery was successful!
>>> Hostname: chtvm-centos-6.example.com
>>> Realm: example.com
>>> DNS Domain: example.com
>>> IPA Server: chtvm-389.example.com
>>> BaseDN: dc=example,dc=com
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> User authorized to enroll computers: admin
>>> Password for ad...@example.com:
>>> Enrolled in IPA realm example.com
>>> Created /etc/ipa/default.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm example.com
>>> SSSD enabled
>>> Kerberos 5 enabled
>>> Unable to find 'admin' user with 'getent passwd admin'!
>>> Recognized configuration: SSSD
>>> NTP enabled
>>> Client configuration complete.
>>> -
>>> File: /var/log/sssd/sssd_nss.log
>>> (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> -
>>> File: /var/log/sssd/sssd_pam.log
>>> (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
>>> -
>
> Also the {nss,pam}_dp_reconnect_init functions are only called when the back end crashes and the other processes are reconnecting to a new back end instance. Can you check logs (/var/log/messages should have the info) if there are any messages indicating a crash?
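Jakub's remark that the responders only call *_dp_reconnect_init after the back end has died gives a usable detection rule: a kernel segfault record for an sssd process in /var/log/messages followed within a short window by "Could not reconnect to ... provider" lines in the responder logs. The script below is an added example (mine, not part of SSSD or the thread) that parses both log formats and pairs them up; its sample input is the log lines Craig quoted above, embedded inline so it runs offline.

```python
import re
from datetime import datetime

# Sample input: the /var/log/messages and sssd_nss.log lines quoted in this
# thread, embedded here so the script runs without the real files.
MESSAGES = """\
Nov 30 10:33:58 chtvm-centos-6 sssd[be[teratext.saic.com.au]]: Starting up
Nov 30 10:33:58 chtvm-centos-6 kernel: sssd_be[1516]: segfault at 10 ip 003a12a13eee sp 7fffdb5e3b60 error 4 in libldap-2.4.so.2.5.2[3a12a0+43000]
Nov 30 10:33:58 chtvm-centos-6 kernel: abrt-hook-ccpp[1598]: segfault at 0 ip 0039fea800d2 sp 7fff4a1fc5f8 error 4 in libc-2.12.so[39fea0+175000]
Nov 30 10:33:58 chtvm-centos-6 kernel: Process 1598(abrt-hook-ccpp) has RLIMIT_CORE set to 1
Nov 30 10:33:58 chtvm-centos-6 kernel: Aborting core
"""

SSSD_NSS_LOG = """\
(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
"""

# kernel segfault line: "<ts> <host> kernel: <proc>[<pid>]: segfault at ... in <lib>[...]"
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"segfault at \S+ ip \S+ sp \S+ error (?P<err>\d+) in (?P<lib>[^\[]+)\["
)
# sssd responder line: "(<ts>) [sssd[<svc>]] [<svc>_dp_reconnect_init] (<lvl>): Could not reconnect to <domain> provider."
RECONNECT_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\) \[sssd\[(?P<svc>\w+)\]\] "
    r"\[\w+_dp_reconnect_init\] \(\d+\): Could not reconnect to (?P<domain>\S+) provider\."
)


def find_segfaults(messages, year):
    """Kernel segfault records from syslog lines (syslog stamps carry no year)."""
    hits = []
    for line in messages.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits.append({"time": ts, "process": m["proc"], "pid": int(m["pid"]),
                         "library": m["lib"], "error": int(m["err"])})
    return hits


def find_reconnect_failures(sssd_log):
    """Responder reconnect failures from an sssd_nss.log / sssd_pam.log file."""
    hits = []
    for line in sssd_log.splitlines():
        m = RECONNECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            hits.append({"time": ts, "service": m["svc"], "domain": m["domain"]})
    return hits


def backend_crashes(messages, sssd_log, year, window_s=120):
    """Pair each sssd back-end segfault with the responder reconnect failures
    that follow it within window_s seconds: the signature Jakub describes."""
    failures = find_reconnect_failures(sssd_log)
    out = []
    for crash in find_segfaults(messages, year):
        if not crash["process"].startswith("sssd"):
            continue                        # e.g. the abrt hook's own segfault
        after = [f for f in failures
                 if 0 <= (f["time"] - crash["time"]).total_seconds() <= window_s]
        out.append({**crash, "reconnect_failures": len(after)})
    return out


if __name__ == "__main__":
    for crash in backend_crashes(MESSAGES, SSSD_NSS_LOG, year=2011):
        print(f"{crash['process']}[{crash['pid']}] crashed in {crash['library']} "
              f"at {crash['time']}; {crash['reconnect_failures']} responder reconnect failures followed")
```

On the thread's data this reports the sssd_be crash in libldap-2.4.so.2.5.2 followed by four nss reconnect failures, which is the pattern that pointed Craig at the openldap package rather than at IPA itself; the faulting library name is the field worth alerting on, since it tells you which package to check for updates.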
[Freeipa-users] Solaris 10 as IPA Client?
Hi,

Anyone had any success using Solaris 10 as an IPA client (using ipa-server-2.1.1-4.el6.x86_64)? Does anyone have any more detailed documentation on the topic? I find that Section 3.3.1. Configuring Solaris 10 from the Identity Management Guide very light.

#Solaris 10 (Newest Edition)
Oracle Solaris 10 8/11 s10x_u10wos_17b X86
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 23 August 2011

bash-3.2# ldapclient -v init chtvm-389.teratext.saic.com.au
Arguments parsed:
defaultServerList: chtvm-389.teratext.saic.com.au
Handling init option
About to configure machine by downloading a profile
No profile specified. Using default
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 10 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf - /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain - /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is teratext.saic.com.au
file_backup: stat(/var/yp/binding/teratext.saic.com.au)=-1
file_backup: No /var/yp/binding/teratext.saic.com.au directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname teratext.saic.com.au... success
start: sleep 10 microseconds
start: sleep 20 microseconds
start: sleep 40 microseconds
start: sleep 80 microseconds
start: sleep 160 microseconds
start: sleep 320 microseconds
start: sleep 640 microseconds
start: sleep 1280 microseconds
start: sleep 2560 microseconds
start: sleep 5120 microseconds
start: sleep 1770 microseconds
start: network/ldap/client:default... timed out
start: network/ldap/client:default... offline to disable
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: sleep 640 microseconds
stop: sleep 1280 microseconds
stop: sleep 2560 microseconds
stop: sleep 890 microseconds
stop: network/ldap/client:default... timed out
start: sleep 10 microseconds
start: system/filesystem/autofs:default... success
start: sleep 10 microseconds
start: system/name-service-cache:default... success
start: sleep 10 microseconds
start: sleep 20 microseconds
start: network/smtp:sendmail... success
restart: sleep 10 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
Stopping sendmail
stop: sleep 10 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: sleep 640 microseconds
stop: sleep 1280 microseconds
stop: sleep 2560 microseconds
stop: sleep 890 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname teratext.saic.com.au
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover:
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that.

cya

Craig

On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote:
> On Tue, November 29, 2011 01:52, Craig T wrote:
>> Hi,
>>
>> I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command.
>>
>> Current Spec;
>> Server: RHEL 6.2 Beta
>> ipa-admintools-2.1.1-4.el6.x86_64
>> ipa-client-2.1.1-4.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-2.1.1-4.el6.x86_64
>> ipa-server-2.1.1-4.el6.x86_64
>> ipa-server-selinux-2.1.1-4.el6.x86_64
>>
>> Client: Centos 6.0 x64
>> ipa-client-2.1.1-4.el6.x86_64
>>
>> Just an odd error during the ipa-client-install command, the installer seems to pause on kerberos;
>>
>> [root@server-centos-6 ~]# ipa-client-install
>> Discovery was successful!
>> Hostname: server-centos-6.example.com
>> Realm: example.com
>> DNS Domain: example.com
>> IPA Server: server-389.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Password for ad...@example.com:
>> Enrolled in IPA realm example.com
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm example.com
>> SSSD enabled
>> Kerberos 5 enabled
>>
>> When run in debug mode it shows this;
>>
>> Kerberos 5 enabled
>> root: DEBUG args=getent passwd admin
>> root: DEBUG stdout=
>> root: DEBUG stderr=
>> root: DEBUG args=getent passwd admin
>> root: DEBUG stdout=
>> root: DEBUG stderr=
>> root: DEBUG args=getent passwd admin
>> root: DEBUG stdout=
>> root: DEBUG stderr=
>> root: DEBUG args=getent passwd admin
>> root: DEBUG stdout=
>> root: DEBUG stderr=
>>
>> Advice anyone?
>
> I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages from RHEL 6.2 beta for clients instead. I found the IPA server was easiest to test using Fedora 15.
>
> For production, wait for RHEL 6.2. It's not far away now. :)
>
> Regards,
> Siggi
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
Hi,

I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. See errors below;

--
[root@chtvm-centos-6 /]# ipa-client-install
Discovery was successful!
Hostname: chtvm-centos-6.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: chtvm-389.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for ad...@example.com:
Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
SSSD enabled
Kerberos 5 enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.
-
File: /var/log/sssd/sssd_nss.log
(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-
File: /var/log/sssd/sssd_pam.log
(Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-
Debug Version:
File: /var/log/sssd/sssd_nss.log
(Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.com]
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-

getent passwd admin returns no result at all.

Regards,
Craig

On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote:
> Craig T wrote:
>> I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that.
>
> I would think the version you have would work fine. What it is doing is testing to be sure that nss is working as expected. It can take some time for sssd to come up, connect to the IPA server, etc, so we loop and try several times (IIRC 5 in your version) to look up a known remote user (admin). If it never does successfully get the admin user you should get an error that nss_ldap can't be configured (yeah, I know, we're using sssd. We fixed this). If you aren't getting this message and the client otherwise seems to be installing ok then things are fine.
>
> rob
>
>> cya
>>
>> Craig
>>
>> On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote:
>>> On Tue, November 29, 2011 01:52, Craig T wrote:
>>>> Hi,
>>>>
>>>> I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command.
>>>>
>>>> Current Spec;
>>>> Server: RHEL 6.2 Beta
>>>> ipa-admintools-2.1.1-4.el6.x86_64
>>>> ipa-client-2.1.1-4.el6.x86_64
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-python-2.1.1-4.el6.x86_64
>>>> ipa-server-2.1.1-4.el6.x86_64
>>>> ipa-server-selinux-2.1.1-4.el6.x86_64
>>>>
>>>> Client: Centos 6.0 x64
>>>> ipa-client-2.1.1-4.el6.x86_64
>>>>
>>>> Just an odd error during the ipa-client-install command, the installer seems to pause on kerberos;
>>>>
>>>> [root@server-centos-6 ~]# ipa-client-install
Re: [Freeipa-users] Joining realm failed because of failing XML-RPC request
Hi Alexander,

I took Steven Jones's advice and updated the IPA client to ipa-client-2.1.1-4.el6.x86_64 and the client started working perfectly!

cya

Craig

On Fri, Nov 25, 2011 at 06:50:10AM +0200, Alexander Bokovoy wrote:
> On Fri, 25 Nov 2011, Craig T wrote:
>> Did anyone end up finding a solution to this issue?
>>
>> ---
>> $ sudo ipa-client-install
>> Discovery was successful!
>> Hostname: testpc.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: example.com
>> IPA Server: testvm-389.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> Enrollment principal: admin
>> Password for ad...@example.com:
>> Joining realm failed because of failing XML-RPC request.
>> This error may be caused by incompatible server/client major versions.
>> Check /var/log/ipaclient-install.log for details.
>
> --
> / Alexander Bokovoy