[Freeipa-users] LDAP Conflicts
Hello All,

According to ipa_check_consistency we have "LDAP Conflicts" (https://github.com/peterpakos/ipa_check_consistency). How do I find and resolve them? I've seen:

Re: [Freeipa-devel] LDAP conflicts resolution API

But I am not sure if I am looking in the right place.

Many thanks,
James Harrison

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
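The "LDAP Conflicts" figure is a count of replication conflict entries in the 389 Directory Server instance behind IPA. When two replicas accept an add or rename of the same DN before they have synchronised, the loser is kept but renamed: its RDN becomes nsuniqueid=<id>+<original rdn> and it gets an nsds5ReplConflict attribute naming the DN it collided with. You can list them directly with ldapsearch -D "cn=Directory Manager" -W -b <suffix> "(nsds5ReplConflict=*)" on each replica. The script below is an added example, not part of the thread and not ipa_check_consistency's or 389-ds's code: it reads LDIF of that shape (the sample entry is constructed; the user and suffix are made up), reports each conflict beside the entry it lost against, and emits the LDIF for the two standard resolutions (delete the conflict entry, or rename it back once the winner is gone and strip the marker).

```python
import re

# Constructed sample of what
#   ldapsearch -LLL -D "cn=Directory Manager" -W -b dc=example,dc=com "(nsds5ReplConflict=*)"
# returns for one conflicted user entry. Not taken from the post; names are made up.
# The second line of the nsds5ReplConflict value is an LDIF continuation line.
SAMPLE_LDIF = """\
dn: nsuniqueid=66446001-1dd211b2-66225794-d2160000+uid=jharrison,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixaccount
uid: jharrison
nsds5ReplConflict: namingConflict uid=jharrison,cn=users,cn=accounts,
 dc=example,dc=com

"""

# Conflict entries get an RDN of the form nsuniqueid=<id>+<original rdn> ...
CONFLICT_RDN = re.compile(r"^nsuniqueid=([0-9a-fA-F-]+)\+(.+)$")
# ... and a marker attribute; newer 389-ds versions add the operation, e.g. "(ADD)".
CONFLICT_VALUE = re.compile(r"^namingConflict(?:\s+\([A-Z]+\))?\s+(.+)$")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    continuation lines start with one space. Base64 ('::') values are not handled."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_conflicts(ldif_text):
    """One record per conflict entry: its DN, the nsuniqueid, the RDN it originally had,
    its parent, and the DN of the entry it lost against (from nsds5ReplConflict)."""
    found = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        rdn, _, parent = dn.partition(",")
        m = CONFLICT_RDN.match(rdn)
        if not m:
            continue
        nsuniqueid, original_rdn = m.groups()
        collided_with = None
        for value in entry.get("nsds5replconflict", []):
            v = CONFLICT_VALUE.match(value)
            if v:
                collided_with = v.group(1)
        found.append({
            "conflict_dn": dn,
            "nsuniqueid": nsuniqueid,
            "original_rdn": original_rdn,
            "parent": parent,
            "collided_with": collided_with or f"{original_rdn},{parent}",
        })
    return found


def resolution_ldif(record, keep="winner"):
    """LDIF for the two standard outcomes. keep='winner': delete the conflict entry.
    keep='conflict': rename the conflict entry back to its original RDN and drop the
    marker; this only succeeds after the winning entry has been deleted or renamed."""
    if keep == "winner":
        return f"dn: {record['conflict_dn']}\nchangetype: delete\n"
    restored_dn = f"{record['original_rdn']},{record['parent']}"
    return (f"dn: {record['conflict_dn']}\nchangetype: modrdn\n"
            f"newrdn: {record['original_rdn']}\ndeleteoldrdn: 0\n\n"
            f"dn: {restored_dn}\nchangetype: modify\n"
            f"delete: nsds5ReplConflict\n")


if __name__ == "__main__":
    for rec in find_conflicts(SAMPLE_LDIF):
        print(rec["conflict_dn"], "lost against", rec["collided_with"])
        print(resolution_ldif(rec, keep="winner"))
```

Run the search on every replica, not just one, since the conflict entry only exists where the losing operation was applied; compare the two entries' attributes before choosing which to keep, and feed the generated LDIF to ldapmodify as Directory Manager. On 389-ds 1.4 and later the same listing and cleanup is also available as dsconf <instance> repl-conflict list / delete / convert / swap.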
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
Hi,

Was there any outcome to this? I am running sudo 1.8.12-1ubuntu3, which is well behind up-to-date releases.

Many thanks,
James Harrison

From: James Harrison <jamesaharriso...@yahoo.co.uk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; "pbrez...@redhat.com" <pbrez...@redhat.com>
Cc: "pbrez...@redhat.com" <pbrez...@redhat.com>
Sent: Monday, 9 January 2017, 15:18
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

Hi All,

I have attached three files from running sudo -i on the same machine enrolled into FreeIPA. They have the output from various versions of sudo: tail -f of sudo_debug, syslog, auth.log and sssd/*.log from /var/log, to show the chronological order of events.

The attached files are:

  sudo-1.8.19-1.txt          --- from Debian
  sudo-1.8.16-0ubuntu1.2.txt --- current released Xenial sudo
  sudo1.8.12-1ubuntu3.txt    --- previous sudo from "wily"
                                 https://launchpad.net/ubuntu/wily/amd64/sudo/1.8.12-1ubuntu3

The machine's /etc/sudo.conf has:

  Debug sudo /var/log/sudo_debug all@debug
  Debug sudoers.so /var/log/sudo_debug all@debug
  Plugin sudoers_policy sudoers.so
  Plugin sudoers_io sudoers.so

Hope this helps.

Regards,
James Harrison

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>; pbrez...@redhat.com
Sent: Monday, 9 January 2017, 13:09
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

On (09/01/17 12:44), James Harrison wrote:
> All, debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does.
>
Could you provide sudo logs with 1.8.19-1?
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

sssd log files will be helpful as well.

LS
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
All,

debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does.

James

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Saturday, 7 January 2017, 15:34
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

On (06/01/17 17:15), James Harrison wrote:
> Any ideas?
>
> From: James Harrison <jamesaharriso...@yahoo.co.uk>
> To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
> Sent: Thursday, 5 January 2017, 13:36
> Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
>
> Hi all, I am having problems with a FreeIPA client running Ubuntu Xenial.
> I can authenticate OK, I get a kerberos ticket, but cannot run sudo.
> I get 1 rule returned, which I expect.
> Many thanks, James Harrison
>
>
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harri...@domain.com]
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com]
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [x_james.harri...@domain.com]
> (Thu Jan 5 12:09:57 2017) [sssd[sudo]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1c0e770][18]
>
Yes, 1 rule was returned for user x_james.harrison.
Can you see something in the output of "sudo -l"?

> ==> sssd/sssd_pam.log <==
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[1082600012] pid[5470].
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected!
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
>
> ==> auth.log <==
> Jan 5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost= user=x_james.harrison
>
I do not understand the reason why there is a failure in auth.log, because there isn't one in sssd_pam.log; @see above.

> ==> sssd/sssd_pam.log <==
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x2466e50][19]
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'x_james.harrison' matched without domain, user is x_james.harrison
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: x_james.harrison
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
> (Thu Jan 5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): aut
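The pair of lines Lukas points at above is the thing to check mechanically: auth.log records pam_unix(sudo:auth) failing for x_james.harrison at 12:10:17, and sssd_pam.log shows pam_cmd_authenticate entered for the same user and service in the same second. On an Ubuntu IPA client pam_unix sits before pam_sss in common-auth, so a pam_unix failure for a user who has no local password hash is expected noise; what decides the sudo prompt is the SSS_PAM_AUTHENTICATE request that follows and how SSSD answers it. The script below is an added example, not from this thread and not SSSD's code: it groups sssd_pam.log into requests and, for each pam_unix sudo failure, reports whether pam_sss was consulted for that user within a few seconds and what it replied. The log lines are constructed to match the quoted format (the pam_reply line and the second failure for user "bob" are made up for the demonstration).

```python
import re
from datetime import datetime

# Constructed samples modelled on the lines quoted in this thread (not the attachments).
AUTH_LOG = """\
Jan  5 12:10:17 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=x_james.harrison uid=1082600012 euid=0 tty=/dev/pts/1 ruser=x_james.harrison rhost=  user=x_james.harrison
Jan  5 12:15:00 pul-lp-sql-00 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=2001 euid=0 tty=/dev/pts/2 ruser=bob rhost=  user=bob
"""

SSSD_PAM_LOG = """\
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): user: x_james.harrison
(Thu Jan  5 12:10:17 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Thu Jan  5 12:10:19 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

SSSD_LINE = re.compile(
    r"^\((\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\) \[sssd\[pam\]\] \[(\w+)\] \(0x[0-9a-f]+\): (.*)$")
AUTH_FAIL = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sudo: pam_unix\(sudo:auth\): authentication failure; (.*)$")


def _ts(text, fmt):
    # Collapse the padded day ("Jan  5") before parsing.
    return datetime.strptime(" ".join(text.split()), fmt)


def parse_sssd_pam(text):
    """Group sssd_pam.log into requests: 'entering pam_cmd_authenticate' opens one,
    pam_print_data lines fill in command/user/service, pam_reply closes it."""
    requests, current = [], None
    for line in text.splitlines():
        m = SSSD_LINE.match(line)
        if not m:
            continue
        when, func, msg = m.groups()
        if func == "pam_cmd_authenticate" and msg.startswith("entering"):
            current = {"start": _ts(when, "%a %b %d %H:%M:%S %Y"),
                       "command": None, "user": None, "service": None, "result": None}
            requests.append(current)
        elif current is None:
            continue
        elif func == "pam_print_data":
            key, _, val = msg.partition(": ")
            if key in ("command", "user", "service"):
                current[key] = val
        elif func == "pam_reply":
            r = re.search(r"result \[(\d+)\]: (.*)", msg)
            if r:
                current["result"] = (int(r.group(1)), r.group(2).rstrip("."))
            current = None
    return requests


def correlate(auth_log, sssd_pam_log, year, window_s=5):
    """For every pam_unix(sudo:auth) failure, report whether SSSD's PAM responder then
    received an SSS_PAM_AUTHENTICATE for the same user and service within window_s
    seconds, and how that request ended. No request at all points at the PAM stack
    (pam_sss missing, or ordered after a control that stops on pam_unix's failure),
    not at the sudo rule. auth.log carries no year, so the caller supplies it."""
    requests = parse_sssd_pam(sssd_pam_log)
    verdicts = []
    for line in auth_log.splitlines():
        m = AUTH_FAIL.match(line)
        if not m:
            continue
        when = _ts(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        user = fields.get("user")
        hit = next((r for r in requests
                    if r["user"] == user and r["service"] == "sudo"
                    and r["command"] == "SSS_PAM_AUTHENTICATE"
                    and 0 <= (r["start"] - when).total_seconds() <= window_s), None)
        if hit is None:
            verdict = "pam_sss not consulted"
        elif hit["result"] is None:
            verdict = "pam_sss consulted, no pam_reply seen"
        else:
            verdict = f"pam_sss consulted, result {hit['result'][0]} ({hit['result'][1]})"
        verdicts.append({"time": when.isoformat(), "user": user, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in correlate(AUTH_LOG, SSSD_PAM_LOG, 2017):
        print(v)
```

Point it at the real files with debug_level = 6 or higher in the [pam] section of sssd.conf so that pam_print_data and pam_reply are logged; a "pam_sss not consulted" verdict means the fix is in /etc/pam.d (the common-auth ordering), while a consulted request with a non-zero result is where the SSSD side of the sudo prompt actually fails.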
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
All,

1.8.19-1 from Debian does not appear to work either.

James

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Saturday, 7 January 2017, 15:34
Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

> [...]
Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
Any ideas?

From: James Harrison <jamesaharriso...@yahoo.co.uk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 5 January 2017, 13:36
Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

> [...]
[Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1
Hi all,

I am having problems with a FreeIPA client running Ubuntu Xenial. I can authenticate OK, I get a kerberos ticket, but cannot run sudo. I get 1 rule returned, which I expect.

Many thanks,
James Harrison

(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [x_james.harri...@domain.com]
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving rules for [x_james.harrison] from [domain.com]
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1da40
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1da40 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*))(&(dataExpireTimestamp<=1483618197)))]
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c11d70
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c11e30
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c11d70 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c11d70 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_rules] (0x2000): About to get sudo rules from cache
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c18790
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c1b720
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c18790 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c1b720 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c18790 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c12600
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0f550
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c12600 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0f550 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c12600 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=x_james.harrison)(sudoUser=#1082600012)(sudoUser=%admins)(sudoUser=%ipausers)(sudoUser=%x_james.harrison)(sudoUser=+*)))]
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1c0f550
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1c0dfd0
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Running timer event 0x1c0f550 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c0dfd0 "ltdb_timeout"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Ending timer event 0x1c0f550 "ltdb_callback"
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sort_sudo_rules] (0x0400): Sorting rules with higher-wins logic
(Thu Jan 5 12:09:57 2017) [sssd[sudo]] [sudosrv_get_sudo
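The "Searching sysdb with" filter in the log above is the exact candidate selection SSSD's sudo responder performs for a user: it ORs sudoUser=ALL, the login name, #uid, one %group per group the user is in, and +* (every netgroup rule, whose membership is decided on the client afterwards), and the "Sorting rules with higher-wins logic" line refers to sudoOrder, where the larger value takes precedence. The responder only narrows by sudoUser; sudo's sssd backend then applies sudoHost, sudoCommand and the rest. The model below is an added example, not SSSD's or sudo's code, and it generalises the single instance in the log: it builds the same filter terms for any user, selects candidates the way the filter does, and then resolves host, command and precedence in a simplified form (ALL, exact path, and an in-rule "!" deny; no wildcards or argument matching). The rules, the second user and the host names are constructed; the uid and group names for JAMES are the ones in the log.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class User:
    name: str
    uid: int
    groups: Set[str]                 # primary plus supplementary group names
    netgroups: Set[str] = field(default_factory=set)


@dataclass
class SudoRule:
    cn: str
    sudo_user: List[str]
    sudo_host: List[str] = field(default_factory=lambda: ["ALL"])
    sudo_command: List[str] = field(default_factory=lambda: ["ALL"])
    sudo_order: int = 0              # sudoOrder: larger value takes precedence


def sudo_user_filter_terms(user):
    """The sudoUser values SSSD's sysdb filter ORs together for this user, as in the log:
    ALL, the login name, #uid, %group per group, and +* for 'any netgroup rule'."""
    return ["ALL", user.name, f"#{user.uid}"] + [f"%{g}" for g in sorted(user.groups)] + ["+*"]


def sudo_user_matches(value, user):
    """Does one sudoUser value apply to this user? Netgroups are decided here; the LDAP
    filter only selects every '+...' rule and leaves the membership test to the client."""
    if value == "ALL":
        return True
    if value.startswith("#"):
        return value[1:].isdigit() and int(value[1:]) == user.uid
    if value.startswith("%"):
        return value[1:] in user.groups
    if value.startswith("+"):
        return value[1:] in user.netgroups
    return value == user.name


def candidate_rules(rules, user):
    """What the 'Searching sysdb' step returns: rules with any sudoUser value matching."""
    return [r for r in rules if any(sudo_user_matches(v, user) for v in r.sudo_user)]


def _host_ok(rule, host):
    return any(h in ("ALL", host) for h in rule.sudo_host)


def _command_ok(rule, command):
    """ALL or an exact path allows; a '!' entry in the same rule naming the command
    (or !ALL) denies. Wildcards and argument matching are deliberately left out."""
    allowed = False
    for c in rule.sudo_command:
        if c.startswith("!"):
            if c[1:] in ("ALL", command):
                return False
        elif c in ("ALL", command):
            allowed = True
    return allowed


def effective_rule(rules, user, host, command):
    """Candidates by sudoUser first (what SSSD hands to sudo), then host and command, then
    precedence: with higher-wins ordering the matching rule with the largest sudoOrder
    decides. Returns that rule's cn, or None when nothing applies."""
    matched = [r for r in candidate_rules(rules, user)
               if _host_ok(r, host) and _command_ok(r, command)]
    if not matched:
        return None
    return max(matched, key=lambda r: r.sudo_order).cn


# Constructed data modelled on the post: JAMES carries the uid and groups from the log.
JAMES = User("x_james.harrison", 1082600012, {"admins", "ipausers", "x_james.harrison"})
DBA = User("dba1", 1082600020, {"dba", "ipausers"})
RULES = [
    SudoRule("admins_all", sudo_user=["%admins"], sudo_order=10),
    SudoRule("dba_restart", sudo_user=["%dba"], sudo_host=["db01.example.com"],
             sudo_command=["/bin/systemctl restart postgresql"], sudo_order=20),
    SudoRule("ops_no_shell", sudo_user=["%ops", "+ops_hosts"],
             sudo_command=["ALL", "!/bin/bash"], sudo_order=30),
]

if __name__ == "__main__":
    print(sudo_user_filter_terms(JAMES))
    print([r.cn for r in candidate_rules(RULES, JAMES)])      # one rule, as in the log
    print(effective_rule(RULES, JAMES, "pul-lp-sql-00", "/bin/bash"))
```

The one-rule result for JAMES reproduces the "Returning 1 rules" line; it says nothing about whether the subsequent password check succeeds, which is the separate PAM step the later auth.log and sssd_pam.log excerpts in the thread are about. Rules that reach sudo through SSSD are re-evaluated by sudo itself, so a rule listed by sudo -l but refused at run time is usually a host, command or runas mismatch rather than a sudoUser one.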
[Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones
Hi All,

I realise FreeIPA doesn't yet support secondary zones in the web interface or command line tools (I might be wrong :) ). When I talk about secondary zones I mean a zone replicated from Windows DNS masters.

Can the FreeIPA bind configs be manually altered to host secondary zones? Is it supported, or will they just be over-written by FreeIPA?

I've been hunting for an answer online, but found nothing about this.

Many thanks,
James Harrison
Re: [Freeipa-users] Free IPA Openssh client install error
In the ipaclient-install.log I see:

2016-12-14T14:58:10Z DEBUG stderr=
2016-12-14T14:58:10Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config'
2016-12-14T14:58:10Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-12-14T14:58:10Z INFO Configured /etc/ssh/ssh_config
2016-12-14T14:58:10Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config'
2016-12-14T14:58:10Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o AuthorizedKeysCommandUser=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration option: AuthorizedKeysCommand^M
2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys -o AuthorizedKeysCommandRunAs=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration option: AuthorizedKeysCommand^M
2016-12-14T14:58:10Z DEBUG Starting external process
2016-12-14T14:58:10Z DEBUG args=sshd -t -f /dev/null -o PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u -o PubKeyAgentRunAs=nobody
2016-12-14T14:58:10Z DEBUG Process finished, return code=1
2016-12-14T14:58:10Z DEBUG stdout=
2016-12-14T14:58:10Z DEBUG stderr=command-line: line 0: Bad configuration option: PubKeyAgent^M
2016-12-14T14:58:10Z WARNING Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available.

From: James Harrison <jamesaharriso...@yahoo.co.uk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Wednesday, 14 December 2016, 15:18
Subject: Free IPA Openssh client install error

> [...]
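The log above shows how the installer decides: it test-parses sshd with each of three option sets (AuthorizedKeysCommand with AuthorizedKeysCommandUser, the same with AuthorizedKeysCommandRunAs, then the older PubKeyAgent form) and accepts the first one that exits 0; "Bad configuration option" on all three means this sshd has no hook for fetching keys from SSSD, so keys stored in IPA cannot be used for login on that host until sshd is upgraded (AuthorizedKeysCommand first shipped in OpenSSH 6.2, and Precise carries 5.9). The script below is an added example, not ipa-client-install's code: it runs the same probe sequence through an injectable runner, so it can be exercised against the real sshd or against a simulated one that reproduces the stderr from the log, and it separates "option unknown" from other non-zero exits (for example missing host keys), which are not evidence against support.

```python
import shutil
import subprocess

# The option sets ipa-client-install tried, in the order the install log shows them.
CANDIDATES = [
    {"AuthorizedKeysCommand": "/usr/bin/sss_ssh_authorizedkeys",
     "AuthorizedKeysCommandUser": "nobody"},
    {"AuthorizedKeysCommand": "/usr/bin/sss_ssh_authorizedkeys",
     "AuthorizedKeysCommandRunAs": "nobody"},
    {"PubKeyAgent": "/usr/bin/sss_ssh_authorizedkeys %u",
     "PubKeyAgentRunAs": "nobody"},
]


def sshd_probe_args(options):
    """The 'sshd -t -f /dev/null -o K=V ...' command line from the log."""
    args = ["sshd", "-t", "-f", "/dev/null"]
    for key, value in options.items():
        args += ["-o", f"{key}={value}"]
    return args


def run_sshd(args):
    """Real runner: execute sshd if it is on PATH. Returns (returncode, stderr)."""
    if shutil.which(args[0]) is None:
        return 127, f"{args[0]}: not found"
    proc = subprocess.run(args, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def simulate_sshd_without_authorizedkeyscommand(args):
    """Stand-in runner reproducing the stderr in the install log for a build that knows
    none of the probed options (constructed, for offline use)."""
    option = args[5].split("=", 1)[0]
    return 1, f"command-line: line 0: Bad configuration option: {option}\r\n"


def unknown_option(stderr):
    """Name of the option sshd rejected outright, or None. Any other failure (missing host
    keys, bad value) is not evidence that the option is unsupported."""
    for line in stderr.splitlines():
        if "Bad configuration option:" in line:
            return line.split("Bad configuration option:", 1)[1].strip()
    return None


def detect_authorized_keys_support(runner=run_sshd):
    """Try each candidate as the installer does and accept the first one sshd passes
    (exit status 0). Returns (accepted options or None, list of (options, rc, unknown))."""
    attempts = []
    for candidate in CANDIDATES:
        rc, err = runner(sshd_probe_args(candidate))
        attempts.append((candidate, rc, unknown_option(err)))
        if rc == 0:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    accepted, tried = detect_authorized_keys_support()
    for options, rc, bad in tried:
        print(rc, bad, options)
    print("accepted:", accepted)
```

Run it as root on the client (sshd -t reads the default host keys); if a candidate is accepted, the matching lines belong in sshd_config, and sss_ssh_authorizedkeys <user> should print the key stored in IPA before you expect key logins to work.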
[Freeipa-users] Free IPA Openssh client install error
Hi,

I installed the freeipa client on an Ubuntu Precise system (12.04). I get the following message at the end of the install:

"Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available."

Any clues? Is there a fix?

Best regards,
James Harrison
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,

From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates I updated sssd on Trusty and I can now ssh to it using a FreeIPA user's credentials. AD still doesn't work.

Thanks

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
> Hi all,
>
> I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
> Its enrolled into a FreeIPA server. The following trace is the output of
> syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04 and sssd from trusty-updates (1.11.8-0ubuntu0.3)?

You might also consider to test sssd-1.13.4 (in ubuntu 16.04) or at least 1.12.5-1~trusty1 from ppa https://launchpad.net/~sssd

LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
I tried to clone the git repos and I got access right errors.

James

From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

> [...]
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,

An update. I just got Trusty enrolled into FreeIPA by removing everything in /etc/pki/nssdb and running:

  /usr/bin/certutil -N --empty-password -d /etc/pki/nssdb

... before the client-install is run.

I get user IDs with FreeIPA and AD domains:

root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@IPA.REALM.COM
uid=108269(x_james.harrison) gid=108269(x_james.harrison) groups=108269(x_james.harrison),108260(admins),1082600010(ipausers)
root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) gid=1039812876(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.locall)

However, the auth issues are still the same as on Precise. It doesn't accept the ssh public key stored with the IPA user or the Trust ID view user. Xenial has no problems.

Regards,
James Harrison

From: James Harrison <jamesaharriso...@yahoo.co.uk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 8 December 2016, 15:02
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

> [...]
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,I would prefer not to compile anything. It means we have to maintain the package, rather than the distro maintainers. Trusty has a completely different set of errors to Precise. Xenial works with no problems. I run a script that allows the system to join the IPA domain (the same script regardless of Ubuntu distro): ( $P_W is read in from stdin) ipa-client-install \ --server="$IPA_SERVER" \ --domain=dns.domain.com \ --principal=admin \ --password="$P_W" \ --preserve-sssd \ --mkhomedir \ --no-ntp \ -U Enter (Admins) Password: Confirm Password: Hostname: jamestrusty.dns.domain.com Realm: IPA.REALM.COM DNS Domain: dns.domain.com IPA Server: pul-lv-ipa-01.dns.domain.com BaseDN: dc=int,dc=worldfirst,dc=com Synchronizing time with KDC... Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct 5 12:35:26 UTC 2016 (1) Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting ... ... ... ... ... Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened. Successfully retrieved CA cert Subject: CN=SOMECERT Issuer: CN=SOMECERT Valid From: Wed Mar 12 00:00:00 2014 UTC Valid Until: Sun Mar 11 23:59:59 3029 UTC Enrolled in IPA realm IPA.REALM.COM Created /etc/ipa/default.conf New SSSD config will be created Configured /etc/sssd/sssd.conf Failed to add CA to the default NSS database. Installation failed. Rolling back changes. Unenrolling client from IPA server Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm. Removing Kerberos service principals from /etc/krb5.keytab Disabling client Kerberos and LDAP configurations Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted SSSD service could not be stopped Client uninstall complete. 
From: Lukas Slebodnik <lsleb...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>Its enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>

Are you able to reproduce with ubuntu 14.04 and sssd from trusty-updates (1.11.8-0ubuntu0.3)

You might also consider to test sssd-1.13.4 (in ubuntu 16.04) or at least 1.12.5-1~trusty1 from ppa https://launchpad.net/~sssd

LS
[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi all,

I am trying to authenticate an ubuntu Precise (12.06) fully patched system. Its enrolled into a FreeIPA server. The following trace is the output of syslog auth sssd/*.log and full debug (-ddd) from the sshd service.

I am getting a PAM error at the end of the procedure. Also I cant seem to authenticate against the public ssh key from the id override user.

I appreciate any help you can send my way.

Best regards,
James Harrison

Below is more information

root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL
Password for x_james.harrison@AD.DOMAIN.LOCAL:
root@jamesprecise:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: x_james.harrison@AD.DOMAIN.LOCAL

Valid starting     Expires            Service principal
07/12/16 17:56:30  08/12/16 03:56:30  krbtgt/AD.DOMAIN.LOCAL@AD.DOMAIN.LOCAL
        renew until 08/12/16 17:56:23

root@jamesprecise:~# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) gid=1039812876(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.local)

[root@pul-lv-ipa-02 ~]# ipa idoverrideuser-show External_AD_views x_james.harrison@ad.domain.local
  Anchor to override: x_james.harrison@ad.domain.local
  User login: x_james.harrison
  Login shell: /bin/bash
  SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1n7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp JamesHarrison

Here are the software versions:

root@jamesprecise:# dpkg -l | grep -i freeipa
ii  freeipa-client       3.3.4-0ubuntu3.1~precise0.1   FreeIPA centralized identity framework -- client
ii  libipa-hbac0         1.11.5-1ubuntu3~precise1      FreeIPA HBAC Evaluator library
ii  python-freeipa       3.3.4-0ubuntu3.1~precise0.1   FreeIPA centralized identity framework -- python modules
ii  python-libipa-hbac   1.11.5-1ubuntu3~precise1      Python bindings for the FreeIPA HBAC Evaluator library

root@jamesprecise:# dpkg -l | grep -i openssh-server
ii  openssh-server       1:5.9p1-5ubuntu1.10           secure shell (SSH) server, for secure access from remote machines

root@jamesprecise:/var/log# dpkg -l | grep -i sssd
ii  libsss-idmap0        1.11.5-1ubuntu3~precise1      ID mapping library for SSSD
ii  sssd                 1.11.5-1ubuntu3~precise1      System Security Services Daemon -- metapackage
ii  sssd-ad              1.11.5-1ubuntu3~precise1      System Security Services Daemon -- Active Directory back end
ii  sssd-ad-common       1.11.5-1ubuntu3~precise1      System Security Services Daemon -- PAC responder
ii  sssd-common          1.11.5-1ubuntu3~precise1      System Security Services Daemon -- common files
ii  sssd-ipa             1.11.5-1ubuntu3~precise1      System Security Services Daemon -- IPA back end
ii  sssd-krb5            1.11.5-1ubuntu3~precise1      System Security Services Daemon -- Kerberos back end
ii  sssd-krb5-common     1.11.5-1ubuntu3~precise1      System Security Services Daemon -- Kerberos helpers
ii  sssd-ldap            1.11.5-1ubuntu3~precise1      System Security Services Daemon -- LDAP back end
ii  sssd-proxy           1.11.5-1ubuntu3~precise1      System Security Services Daemon -- proxy back end
ii  sudo                 1.8.9p5-1ubuntu1.1~sssd1      Provide limited super user privileges to specific users

Ubuntu PPAs:

root@jamesprecise:~# ls -l /etc/apt/sources.list.d/
total 16
-rw-r--r-- 1 root root 65 Dec  7 08:48 freeipa-ppa-precise.list
-rw-r--r-- 1 root root 61 Dec  7 08:48 ppa_freeipa_ppa_precise.list
-rw-r--r-- 1 root root 62 Dec  7 08:48 ppa_sssd_updates_precise.list
-rw-r--r-- 1 root root 66 Dec  7 08:48 sssd-updates-precise.list

cat /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session required                        pam_unix.so
session optional                        pam_sss.so
session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
root@jamesprecise:~#

root@jamesprecise:~# cat /etc/pam.d/common-auth
auth    [success=3 default=ignore]      pam_unix.so nullok_secure
auth    [success=2 default
[Freeipa-users] Something I don't get with FreeIPA and AD Trusts and Users and Groups
Hi all,

I have established an AD trust Between Free IPA and our Windows network and its working. No problems there.

I have created the IDM Groups for active directory as proposed in section 5.5 of the Windows_Integration_Guide. Now what? The group in Free IPA I've created (from section 5.5) allows me to do what? Am I supposed to get a synchronised list of Domain Admin users in Free IPA?

I can log in to a Linux client using AD credentials, regardless of the AD users external map (The user I'm logging in with is a member of the AD Domain Admins group).

Many thanks,
James Harrison
[Freeipa-users] Differences between "ipa-replica-manage connect --winsync..." and ipa-adtrust-install ... ipa trust-add...
Hello,

Are there any differences between establishing a Replication Agreement using "ipa-replica-manage connect --winsync" and establishing an AD Trust Relationship using the commands ipa-adtrust-install ... ipa trust-add ...

Are they used together or are they different methods to accomplish the same goal: to get AD user accounts? Which one is preferred?

Best regards,
James Harrison
Re: [Freeipa-users] Specify different ssh port for ipa-conncheck
Hello.
Thanks for your help Martin that worked.

James Harrison

On Thu, 10 Nov, 2016 at 12:15, Martin Basti <mba...@redhat.com> wrote:

> On 10.11.2016 13:00, James Harrison wrote:
>> Hi All,
>> We use port 2234 for all sshd connections on our systems. It looks like ipa-conncheck uses port 22. Can this be changed to use 2234? This would be for replicas and clients I presume.
>> This is quite urgent.
>> Many thanks,
>> James Harrison
>
> Hello,
> maybe is possible to use local ssh config and manually set port per host
> http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/
>
> if not then it is not possible to change SSH port without changing ipa-conncheck code
>
> You didn't specify version of IPA, so in master git branch related code is in ipa-replica-conncheck, class SshExec.__call__
>
> Martin
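The per-host ssh client setting Martin suggests above, written out as an added example (this fragment is not from the thread or from the FreeIPA project). It assumes the master's hostname and the port from the conncheck output in this thread. ipa-replica-install and its connection check run as root, so the entry has to be in a file root's ssh client reads, i.e. /root/.ssh/config or the system-wide /etc/ssh/ssh_config:

```ssh_config
# /root/.ssh/config on the replica being installed (assumed location).
# Match the master by its exact name first, then every host in the
# domain, since the thread says all sshd instances listen on 2234.
Host pul-lv-ipa-01.int.worldfirst.com
    Port 2234

Host *.int.worldfirst.com
    Port 2234
```

To confirm the client actually picks the entry up, run `ssh -v root@pul-lv-ipa-01.int.worldfirst.com` and look for the `debug1: Connecting to ... port 2234.` line; the conncheck output in this thread shows the same debug1 line with port 22, which is how the wrong port surfaced. (`ssh -G host` prints the effective config directly, but only in OpenSSH 6.8 and later; the replica in this thread runs 6.6.1.) As Martin notes, this only helps if ipa-conncheck does not pass an explicit port on its own ssh command line.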
Re: [Freeipa-users] Specify different ssh port for ipa-conncheck
We get the below message for replica machines and Ive seen it for client machines too:

[root@pul-lv-ipa-02 bin]# /root/bin/freeipa-replica-install.sh /var/lib/ipa/replica-info-$(hostname -f).gpg
Using reverse zone(s) 23.10.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master 'aa..com ':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Could not SSH into remote host. Error output:
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to aa..com [10.23.45.88] port 22.
debug1: connect to address 10.23.45.88 port 22: Connection refused
ssh: connect to host pul-lv-ipa-01.int.worldfirst.com port 22: Connection refused

Could not SSH to remote host.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

From: James Harrison <jamesaharriso...@yahoo.co.uk>
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Thursday, 10 November 2016, 12:00
Subject: Specify different ssh port for ipa-conncheck

Hi All,
We use port 2234 for all sshd connections on our systems. It looks like ipa-conncheck uses port 22. Can this be changed to use 2234? This would be for replicas and clients I presume.
This is quite urgent.

Many thanks,
James Harrison
[Freeipa-users] Specify different ssh port for ipa-conncheck
Hi All,
We use port 2234 for all sshd connections on our systems. It looks like ipa-conncheck uses port 22. Can this be changed to use 2234? This would be for replicas and clients I presume.
This is quite urgent.

Many thanks,
James Harrison
Re: [Freeipa-users] Remove AD domain in auth commands
Hello
Sorry didn't explain. The ipa is the default domain, but I also want to use the Windows domain to authenticate, but I want the OS to detect what realm to use in the ssh command.

Thanks

On Mon, 7 Nov, 2016 at 11:48, Martin Basti <mba...@redhat.com> wrote:

> AFAIK Jakub already answered that
> https://www.redhat.com/archives/freeipa-users/2016-November/msg00031.html
>
> On 07.11.2016 12:05, James Harrison wrote:
>> Anyone ?
>>
>> Sent from Yahoo Mail on Android
>>
>> On Fri, 4 Nov, 2016 at 11:04, James Harrison <jamesaharriso...@yahoo.co.uk> wrote:
>>> Hello,
>>> I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with its AD schema emulating a Windows 2012 system
>>>
>>> I have established a trust between the two and it appears to work. I can reference a user on the AD domain, but the only way is to add the AD domain.
>>>
>>> The only way to ssh to the master IPA server is like this:
>>>
>>> ssh "x_@IPAWIN.LOCAL"@10.10.10.10
>>>
>>> Another example is using kinit: I have to do the following to get a credential:
>>>
>>> kinit x_@IPAWIN.LOCAL
>>>
>>> Ideally I would not need or use the "@IPAWIN.LOCAL".
>>>
>>> Can anyone help?
>>>
>>> Best regards,
>>> James Harrison
Re: [Freeipa-users] Remove AD domain in auth commands
Anyone ?

Sent from Yahoo Mail on Android

On Fri, 4 Nov, 2016 at 11:04, James Harrison <jamesaharriso...@yahoo.co.uk> wrote:

> Hello,
> I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with its AD schema emulating a Windows 2012 system
>
> I have established a trust between the two and it appears to work. I can reference a user on the AD domain, but the only way is to add the AD domain.
>
> The only way to ssh to the master IPA server is like this:
>
> ssh "x_@IPAWIN.LOCAL"@10.10.10.10
>
> Another example is using kinit: I have to do the following to get a credential:
>
> kinit x_@IPAWIN.LOCAL
>
> Ideally I would not need or use the "@IPAWIN.LOCAL".
>
> Can anyone help?
>
> Best regards,
> James Harrison
[Freeipa-users] Remove AD domain in auth commands
Hello,
I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with its AD schema emulating a Windows 2012 system

I have established a trust between the two and it appears to work. I can reference a user on the AD domain, but the only way is to add the AD domain.

The only way to ssh to the master IPA server is like this:

ssh "x_@IPAWIN.LOCAL"@10.10.10.10

Another example is using kinit: I have to do the following to get a credential:

kinit x_@IPAWIN.LOCAL

Ideally I would not need or use the "@IPAWIN.LOCAL".

Can anyone help?

Best regards,
James Harrison
Re: [Freeipa-users] Promote CA-less replica
Hello all,
That is really good to know. Thank you for helping me out with this.

James

From: Rob Crittenden <rcrit...@redhat.com>
To: "jamesaharriso...@yahoo.co.uk" <jamesaharriso...@yahoo.co.uk>; Martin Babinsky <mbabi...@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Friday, 21 October 2016, 14:18
Subject: Re: [Freeipa-users] Promote CA-less replica

James Harrison wrote:
> Hi,
> Thanks again.
>
> Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba
> compilation choice stopping AD trusts from working (samba isn't using
> MIT kerberos). We're now using CentOS 7.2.
>
> While we know the CentOS version will operate correctly, we only get to
> use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for
> CentOS?

Not until RHEL 7.3 is released and rebuilt for CentOS.

rob

>
> Best regards
> James Harrison
> ----
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *To:* James Harrison <jamesaharriso...@yahoo.co.uk>; Martin Babinsky
> <mbabi...@redhat.com>; "freeipa-users@redhat.com"
> <freeipa-users@redhat.com>
> *Sent:* Wednesday, 19 October 2016, 14:28
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> James Harrison wrote:
> > Hi,
> > Martin thanks for your quick response. Based on your comments. I have
> > further questions.
> >
> > >> equal peers and can be considered masters
> >
> > 1. If there any urgency for us to recreate a "master" server to perform
> > any "master" type functions? How do we re-attach "replicas" to this new
> > "master"?
>
> Like he said, all IPA servers are equal (some are just more equal than
> others). If you truly have a CA-less system the only thing that
> distinguishes one master from another is the presence of the DNS
> service. From below it looks like you install DNS on all which makes
> them all masters.
>
> You can manage the replication topology using ipa-replica-manage.
>
> >
> > >> As long as the others have valid CA and server certs
> > 2. This is the install script we are using on the "replicas"
> >
> > ipa-replica-install \
> > --setup-dns --ssh-trust-dns --no-dnssec-validation \
> > -p x \
> > --admin-password=xxx \
> > --ip-address=replica_ip \
> > --no-forwarders \
> > -U --mkhomedir --log-file=freeipa_log_file $1
> >
> > 3. The $1 is the cert generated from the "master". If theres no
> > distinction between a "master" and a "replica" in a CA-less environment,
> > can a "replica" run the ipa-replica-prepare script once
> > ipa-replica-install has been successfully run?
>
> I think you mean $1 is the replica file generated from some master.
> Seeing how you generate that would tell us whether you are truly in a
> CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
> ipa-replica-prepare).
>
> To answer your question, yes. In a CA-less environment any master can
> generate a prepare file.
>
> You can add/remove connections using ipa-replica-manage. The initial
> connection is between the master that generated the prepare file and the
> host it was installed on.
>
> rob
>
> >
> > Thank you for any help.
> > Best regards,
> > James Harrison
> >
> > *From:* Martin Babinsky <mbabi...@redhat.com>
> > *To:* freeipa-users@redhat.com
> > *Sent:* Wednesday, 19 October 2016, 11:01
> > *Subject:* Re: [Freeipa-users] Promote CA-less replica
> >
> > On 10/19/2016 11:35 AM, James Harrison wrote:
> >
> > Hi James,
> >
> > > Hi,
> > > Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
> > >
> > > I have some questions:
> > > 1. Do DNS replicate among other replicas is we change/add DNS records?
> > > If not can this behaviour be changed?
> > IPA-integrated DNS stores records in the replicated LDAP subtree so any
> > added/removed DNS record will replicate to other IPA DNS servers.
> >
> > > 2. How do we promote a replica to become a master? We have not
> > > configured our servers to become a CA. Our CA is Comodo and we have
> > > configured FreeIPA to use a certificate, key and interim certificates
> > > from Comodo. using the options:
> >
Re: [Freeipa-users] Promote CA-less replica
Hi,
Thanks again.

Lastly, we've switched away from Ubuntu's FreeIPA due to a bad Samba compilation choice stopping AD trusts from working (samba isn't using MIT kerberos). We're now using CentOS 7.2.

While we know the CentOS version will operate correctly, we only get to use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for CentOS?

Best regards
James Harrison

From: Rob Crittenden <rcrit...@redhat.com>
To: James Harrison <jamesaharriso...@yahoo.co.uk>; Martin Babinsky <mbabi...@redhat.com>; "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Sent: Wednesday, 19 October 2016, 14:28
Subject: Re: [Freeipa-users] Promote CA-less replica

James Harrison wrote:
> Hi,
> Martin thanks for your quick response. Based on your comments. I have
> further questions.
>
> >> equal peers and can be considered masters
>
> 1. If there any urgency for us to recreate a "master" server to perform
> any "master" type functions? How do we re-attach "replicas" to this new
> "master"?

Like he said, all IPA servers are equal (some are just more equal than
others). If you truly have a CA-less system the only thing that
distinguishes one master from another is the presence of the DNS
service. From below it looks like you install DNS on all which makes
them all masters.

You can manage the replication topology using ipa-replica-manage.

>
> >> As long as the others have valid CA and server certs
> 2. This is the install script we are using on the "replicas"
>
> ipa-replica-install \
> --setup-dns --ssh-trust-dns --no-dnssec-validation \
> -p x \
> --admin-password=xxx \
> --ip-address=replica_ip \
> --no-forwarders \
> -U --mkhomedir --log-file=freeipa_log_file $1
>
> 3. The $1 is the cert generated from the "master". If theres no
> distinction between a "master" and a "replica" in a CA-less environment,
> can a "replica" run the ipa-replica-prepare script once
> ipa-replica-install has been successfully run?

I think you mean $1 is the replica file generated from some master.
Seeing how you generate that would tell us whether you are truly in a
CA-less environment or not (e.g. you'd need to pass in PKCS#12 files to
ipa-replica-prepare).

To answer your question, yes. In a CA-less environment any master can
generate a prepare file.

You can add/remove connections using ipa-replica-manage. The initial
connection is between the master that generated the prepare file and the
host it was installed on.

rob

>
> Thank you for any help.
> Best regards,
> James Harrison
>
> ----
> *From:* Martin Babinsky <mbabi...@redhat.com>
> *To:* freeipa-users@redhat.com
> *Sent:* Wednesday, 19 October 2016, 11:01
> *Subject:* Re: [Freeipa-users] Promote CA-less replica
>
> On 10/19/2016 11:35 AM, James Harrison wrote:
>
> Hi James,
>
> > Hi,
> > Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
> >
> > I have some questions:
> > 1. Do DNS replicate among other replicas is we change/add DNS records?
> > If not can this behaviour be changed?
> IPA-integrated DNS stores records in the replicated LDAP subtree so any
> added/removed DNS record will replicate to other IPA DNS servers.
>
> > 2. How do we promote a replica to become a master? We have not
> > configured our servers to become a CA. Our CA is Comodo and we have
> > configured FreeIPA to use a certificate, key and interim certificates
> > from Comodo. using the options:
> >
> > --http_pkcs12=
> > --http_pin=
> > --dirsrv_pkcs12=...
> > --dirsrv_pin=
> >
> > Hope someone can help. Quite urgent.
> >
> The terms FreeIPA master/replica are quite arbitrary as all replicas are
> equal peers and can be considered masters. The only notion of 'master'
> is when you use a Dogtag CA (then one of the CA replicas is designated a
> renewal master and does renew certificates in the topology and one is
> CRL master generating certificate revocation lists) and/or DNSSec (then
> one of DNS replica is designated a key master generating zone signing
> keys and other DNS replicas pull these keys).
>
> As you are using CA-less replicas then there should be no loss in the
> fact that the one designated 'master' is down (unless it was e.g. the
> only DNS server). As long as the others have valid CA and server certs
> they should be working just fine.
>
> You can just install a new replica in place of the master by generating
> replica file on another replica and supplying the requ
Re: [Freeipa-users] Promote CA-less replica
Hi,
Martin thanks for your quick response. Based on your comments. I have further questions.

>> equal peers and can be considered masters

1. If there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas" to this new "master"?

>> As long as the others have valid CA and server certs

2. This is the install script we are using on the "replicas"

ipa-replica-install \
  --setup-dns --ssh-trust-dns --no-dnssec-validation \
  -p x \
  --admin-password=xxx \
  --ip-address=replica_ip \
  --no-forwarders \
  -U --mkhomedir --log-file=freeipa_log_file $1

3. The $1 is the cert generated from the "master". If theres no distinction between a "master" and a "replica" in a CA-less environment, can a "replica" run the ipa-replica-prepare script once ipa-replica-install has been successfully run?

Thank you for any help.
Best regards,
James Harrison

From: Martin Babinsky <mbabi...@redhat.com>
To: freeipa-users@redhat.com
Sent: Wednesday, 19 October 2016, 11:01
Subject: Re: [Freeipa-users] Promote CA-less replica

On 10/19/2016 11:35 AM, James Harrison wrote:

Hi James,

> Hi,
> Were using FreeIPA on Ubuntu Xenial. We lost the Master server.
>
> I have some questions:
> 1. Do DNS replicate among other replicas is we change/add DNS records?
> If not can this behaviour be changed?

IPA-integrated DNS stores records in the replicated LDAP subtree so any added/removed DNS record will replicate to other IPA DNS servers.

> 2. How do we promote a replica to become a master? We have not
> configured our servers to become a CA. Our CA is Comodo and we have
> configured FreeIPA to use a certificate, key and interim certificates
> from Comodo. using the options:
>
> --http_pkcs12=
> --http_pin=
> --dirsrv_pkcs12=...
> --dirsrv_pin=
>
> Hope someone can help. Quite urgent.
>

The terms FreeIPA master/replica are quite arbitrary as all replicas are equal peers and can be considered masters. The only notion of 'master' is when you use a Dogtag CA (then one of the CA replicas is designated a renewal master and does renew certificates in the topology and one is CRL master generating certificate revocation lists) and/or DNSSec (then one of DNS replica is designated a key master generating zone signing keys and other DNS replicas pull these keys).

As you are using CA-less replicas then there should be no loss in the fact that the one designated 'master' is down (unless it was e.g. the only DNS server). As long as the others have valid CA and server certs they should be working just fine.

You can just install a new replica in place of the master by generating replica file on another replica and supplying the required certificates through options.

> Regards,
> James Harrison
>
>

--
Martin^3 Babinsky
[Freeipa-users] Promote CA-less replica
Hi,
Were using FreeIPA on Ubuntu Xenial. We lost the Master server.

I have some questions:
1. Do DNS replicate among other replicas is we change/add DNS records? If not can this behaviour be changed?

2. How do we promote a replica to become a master? We have not configured our servers to become a CA. Our CA is Comodo and we have configured FreeIPA to use a certificate, key and interim certificates from Comodo. using the options:

--http_pkcs12=
--http_pin=
--dirsrv_pkcs12=...
--dirsrv_pin=

Hope someone can help. Quite urgent.

Regards,
James Harrison
Re: [Freeipa-users] PKI Authentication Issues
Yes the cert is correct. The userCertificate field matches the output of "certutil -L -d /etc/httpd/alias/ -n ipaCert -a" with the header and footer removed, and the serial number matches as well albeit in decimal instead of hex.

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
userCertificate::
userstate: 1
uid: ipara
sn: ipara
usertype: agentType
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: ipara

On Wed, Mar 23, 2016 at 4:31 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 03/23/2016 03:50 PM, Sam James wrote:
>
>> Hello everyone,
>>
>> I've been banging my head against the wall for a few days now trying to
>> resolve an issue with PKI and I'm hoping I might get some help. First some
>> context.
>>
>> About a week ago I was alerted that all of our replicas were offline due
>> to pki-tomcatd not starting. Further investigation determined that all of
>> the pki certs had expired two days earlier. I turned back time and successfully
>> updated the certs and certmonger updated the rest of the replicas.
>>
>> Now I'm seeing the following symptoms:
>> 1. Searching certificates via the web UI will display certificate info.
>> 2. Attempting to view certificate details results in an "IPA Error 4301:
>> CertificateOperationError" the exception being "Invalid Credential.".
>> 3. Issuing the ipa cert-show command results in the same "Invalid
>> Credential." exception.
>> 4. PKI debug log shows: SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure
>> 5. PKI system log shows: Cannot authenticate agent with certificate Serial
>> 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User
>> not found.
>>
>
> PKI has some build-in accounts which uses certificates for authentication.
> It matches a user by a certificate. The error above means that it cannot
> find any user for cert with serial no 0x123456789
>
> So the possible cause is the user you checked
> (uid=ipara,ou=people,o=ipaca) has still old cert. I.e. you've updated
> description, but is the cert correct?
>
>
>> In trolling this list I've done the following things troubleshooting:
>>
>> 1. Ensured the certs being monitored by certmonger are correct.
>> 2. Ensured the certs in the http and pki-tomcat NSS databases are as
>> expected.
>> 3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct
>> description and cert (it had the wrong serialnumber in the description but i've
>> updated that).
>> 4. Ensured the CS.cfg has the correct certs (it did).
>>
>> Any suggestions or assistance would be appreciated.
>>
>> Thanks!
>> Sam
>>
>
> --
> Petr Vobornik
[Freeipa-users] PKI Authentication Issues
Hello everyone,

I've been banging my head against the wall for a few days now trying to resolve an issue with PKI and I'm hoping I might get some help. First some context.

About a week ago I was alerted that all of our replicas were offline due to pki-tomcatd not starting. Further investigation determined that all of the pki certs had expired two days earlier. I turned back time and successfully updated the certs and certmonger updated the rest of the replicas.

Now I'm seeing the following symptoms:
1. Searching certificates via the web UI will display certificate info.
2. Attempting to view certificate details results in an "IPA Error 4301: CertificateOperationError" the exception being "Invalid Credential.".
3. Issuing the ipa cert-show command results in the same "Invalid Credential." exception.
4. PKI debug log shows: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA RA,O=DOMAIN.COM] authentication failure
5. PKI system log shows: Cannot authenticate agent with certificate Serial 0x123456789 Subject DN CN=IPA RA,O=DOMAIN.COM. Error: User not found.

In trolling this list I've done the following things troubleshooting:

1. Ensured the certs being monitored by certmonger are correct.
2. Ensured the certs in the http and pki-tomcat NSS databases are as expected.
3. Ensured the uid=ipara,ou=people,o=ipaca object has the correct description and cert (it had the wrong serialnumber in the description but i've updated that).
4. Ensured the CS.cfg has the correct certs (it did).

Any suggestions or assistance would be appreciated.

Thanks!
Sam
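The check Petr's reply in this thread asks for (is the cert in the ipara entry's userCertificate really the one whose serial is in the description, and the one in the HTTP NSS database?), as an added example that is not from the thread or from FreeIPA/Dogtag. It parses the `2;<serial-decimal>;<issuerDN>;<subjectDN>` description attribute, normalises both the `certutil -L ... -a` PEM output and the LDIF `userCertificate::` value to DER, and reads serialNumber directly from the DER, so the decimal serial from LDAP, the hex serial from the PKI system log and the NSS copy can be compared without guessing. The description and log serial are the values posted above; the DER blob is a constructed stand-in (outer SEQUENCE, tbsCertificate, version and serialNumber only), not a real certificate, and the stale-entry case is constructed to show what the mismatch looks like:

```python
import base64
import re

# Values taken from the thread: the ipara entry's description and the serial
# printed by the PKI system log ("Cannot authenticate agent with certificate
# Serial 0x123456789 ...").
IPARA_DESCRIPTION = "2;4886718345;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM"
LOG_SERIAL_HEX = "0x123456789"


def der_tlv(tag, body):
    """Encode one DER tag-length-value (long-form lengths supported).
    Only used to build the constructed sample certificate below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_integer(value):
    # One extra bit of room keeps the sign bit clear for positive values.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_fake_cert_der(serial, version=2):
    """CONSTRUCTED stand-in for an X.509 certificate: outer SEQUENCE,
    tbsCertificate SEQUENCE, explicit [0] version and serialNumber, with empty
    placeholders after that. It is not a valid certificate."""
    tbs = der_tlv(0x30, der_tlv(0xA0, der_integer(version)) + der_integer(serial) + der_tlv(0x30, b""))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def cert_serial(der):
    """serialNumber of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER OPTIONAL, serialNumber INTEGER, ... }, ... }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                      # explicit [0] version present (v2/v3)
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[vstart:vend], "big", signed=True)


def pem_to_der(pem_text):
    """certutil -L -n ipaCert -a output: strip header/footer, base64-decode."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def ldif_to_der(ldif_text):
    """Base64 value of a 'userCertificate::' LDIF attribute, unfolding
    continuation lines (which begin with a single space)."""
    m = re.search(r"^userCertificate::[ \t]*(.*(?:\n .*)*)", ldif_text, re.M)
    if not m:
        raise ValueError("no userCertificate:: in LDIF")
    return base64.b64decode("".join(m.group(1).split()))


def parse_description(description):
    """Dogtag keeps '2;<serial-decimal>;<issuerDN>;<subjectDN>' on PKI user entries."""
    parts = description.split(";", 3)
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % description)
    return {"serial": int(parts[1]), "issuer": parts[2].strip(), "subject": parts[3].strip()}


def check_ra_user(description, user_cert_der, nss_cert_pem, log_serial_hex):
    """Which of the values Dogtag matches on actually agree with each other."""
    ldap_serial = cert_serial(user_cert_der)
    return {
        "description_serial": parse_description(description)["serial"],
        "ldap_cert_serial": ldap_serial,
        "description_matches_ldap_cert": parse_description(description)["serial"] == ldap_serial,
        "ldap_cert_matches_nss_cert": user_cert_der == pem_to_der(nss_cert_pem),
        "log_serial_matches_ldap_cert": int(log_serial_hex, 16) == ldap_serial,
    }


# Constructed sample inputs: the "current" cert carries the thread's serial, the
# "stale" one a different serial, i.e. the old-cert case Petr suspects.
SAMPLE_DER = build_fake_cert_der(0x123456789)
STALE_DER = build_fake_cert_der(0x1234)
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode() + "-----END CERTIFICATE-----\n"
SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\ndescription: " + IPARA_DESCRIPTION
               + "\nuserCertificate:: " + base64.b64encode(SAMPLE_DER).decode() + "\nuid: ipara\n")

if __name__ == "__main__":
    for label, der in (("current", SAMPLE_DER), ("stale", STALE_DER)):
        print(label, check_ra_user(IPARA_DESCRIPTION, der, SAMPLE_PEM, LOG_SERIAL_HEX))
```

Against a live server the inputs would be the `ldapsearch -LLL` LDIF of `uid=ipara,ou=people,o=ipaca` and the `certutil -L -d /etc/httpd/alias -n ipaCert -a` output from the same host; every result in the returned dict should be True, and a False `ldap_cert_matches_nss_cert` with a True `description_matches_ldap_cert` is exactly the "description updated, cert still old" state described above.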
[Freeipa-users] replica install failing with : "Clone does not have all the required certificates"
I need to upgrade from IPA 3.0 to IPA 4.2 (from CentOS 6.7 to 7.2) and the replica process is failing to install on the new system:

2016-01-13T17:27:46Z DEBUG Starting external process
2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'
2016-01-13T17:28:19Z DEBUG Process finished, return code=1
2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160113122746.log
Loading deployment configuration from /tmp/tmpjklK4o.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.

2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Clone does not have all the required certificates"}
2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-zero exit status 1
2016-01-13T17:28:19Z CRITICAL See the installation logs and the following files/directories for more information:
2016-01-13T17:28:19Z CRITICAL /var/log/pki-ca-install.log
2016-01-13T17:28:19Z CRITICAL /var/log/pki/pki-tomcat
2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

2016-01-13T17:28:19Z DEBUG [error] RuntimeError: CA configuration failed.
2016-01-13T17:28:19Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run

It looks to me that the original, first-install version 3.0 system is generating a bad gpg file. Will a reinstall of the original cert file solve this? If so, where and what is the best procedure? Is there a way to add CA capability to an existing master replicant by reusing its original replica.gpg file?

Background: the old v3.0 system runs on a virtual machine (ovirt). The physical host had a series of "bad days" that involved multiple crashes and lock-ups that were ultimately attributed to insufficient cooling of the RAID card. It is suspected that the data was scrambled on the drive. The original cert is backed up but the remaining machine backups are of dubious quality (long story - bad week at the datacenter).

This is the last system on old hardware that was hit when the datacenter cooling totally failed and erased all the backups. Some days you're the pigeon, some days you're the statue.

--
Jim Kinney
Senior System Administrator
36 Eagle Row Suite 588
Department of Biomedical Informatics
Emory University School of Medicine
jkin...@emory.edu
404-712-0300
Re: [Freeipa-users] replica install failing with : "Clone does not have all the required certificates"
Followup: I also tested converting an existing 4.2 system to be a CA by running ipa-ca-install and got the same error. So it seems the original system had a failure point prior to the heating issues. The 4.2 system has been running for quite a while (with regular updates from an early 4.0).

On Wed, 2016-01-13 at 18:10 -0500, James Kinney wrote:
> I need to upgrade from IPA 3.0 to IPA 4.2 (from CentOS 6.7 to 7.2) and
> the replica process is failing to install on the new system:
>
> 2016-01-13T17:27:46Z DEBUG Starting external process
> 2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'
> 2016-01-13T17:28:19Z DEBUG Process finished, return code=1
> 2016-01-13T17:28:19Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.20160113122746.log
> Loading deployment configuration from /tmp/tmpjklK4o.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
>
> Installation failed.
>
> 2016-01-13T17:28:19Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
>   InsecureRequestWarning)
> pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
> pkispawn: ERROR ... Exception from Java Configuration Servlet: 500 Server Error: Internal Server Error
> pkispawn: ERROR ... ParseError: not well-formed (invalid token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName":"com.netscape.certsrv.base.PKIException","Code":500,"Message":"Clone does not have all the required certificates"}
>
> 2016-01-13T17:28:19Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o'' returned non-zero exit status 1
> 2016-01-13T17:28:19Z CRITICAL See the installation logs and the following files/directories for more information:
> 2016-01-13T17:28:19Z CRITICAL /var/log/pki-ca-install.log
> 2016-01-13T17:28:19Z CRITICAL /var/log/pki/pki-tomcat
> 2016-01-13T17:28:19Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 620, in __spawn_instance
>     DogtagInstance.spawn_instance(self, cfg_file)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 201, in spawn_instance
>     self.handle_setup_error(e)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 465, in handle_setup_error
>     raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-01-13T17:28:19Z DEBUG [error] RuntimeError: CA configuration failed.
> 2016-01-13T17:28:19Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 311, in run
>
> It looks to me that the original, first-install version 3.0 system is
> generating a bad gpg file. Will a reinstall of the original cert file
> solve this? If so, where and what is the best procedure? Is there a
> way to add CA capability to an existing master replicant by reusing
> its original replica.gpg file?
>
> Background: the old v3.0 system runs on a virtual machine (ovirt).
> The physical host had a series of "bad days" that involved multiple
> crashes and lock-ups that were ultimately attributed to insufficient
> cooling of the RAID card. It is suspected that the data was scrambled
> on the drive. The original cert is backed up but the remaining
> machine backups are of dubious quality (long story - bad week at the
> datacenter).
>
> This is the last system on old hardware that was hit when the
> datacenter cooling totally failed and erased all the backups. Some
> days you're the pigeon, some days you're the statue.
>
> --
> Jim Kinney
> Senior System Administrator
> 36 Eagle Row Suite 588
> Department of Biomedical Informatics
> Emory Unive
[Freeipa-users] IPA 4.2 - installer changes for --external-ca
IPA 4.2 hit the CentOS 7 mirrors a day or two ago. It looks like the behaviour of the installer has changed somewhat with regards to the two-phase --external-ca install.

Previously, we ran:

command => "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' --hostname='${::fqdn}' -r '${ipa_realm}' -n '${::domain}' --mkhomedir --setup-dns --forwarder=8.8.8.8 --external-ca",

then

command => "/sbin/ipa-server-install -p ${ipa_admin_pwd} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt",

This worked fine. The behaviour on IPA 4.2 is different - it will leave you without a DNS server if you use the above commands. It doesn't seem to pass some options through to the 2nd-phase installer, one of which is the DNS configuration.

We've now switched to this:

$ipa_install_command = "/sbin/ipa-server-install -U -a '${ipa_admin_pwd}' -p '${ipa_admin_pwd}' -r '${ipa_realm}'"

command => "${ipa_install_command} --hostname='${::fqdn}' -n '${::domain}' --external-ca",

command => "${ipa_install_command} --external-cert-file=/root/ipa.crt --external-cert-file=/etc/pki/ca-trust/source/anchors/root_ca.crt --mkhomedir --setup-dns --forwarder=8.8.8.8 ",

It seems you have to supply more information to the phase-2 installer than in IPA 4.1. We do more than 10 installs of IPA per day as part of CI; I think now we're back to a working configuration again.

Hopefully this will help others who come along this path.

James M
Re: [Freeipa-users] IPA with external CA signed certs
On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:

On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:

On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag is failing to start up because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

Hi Rob,

Thanks for the reply. I do present the IPA installer with both the CA and the IPA cert - IPA's python-based install code is happy with the cert chain, but the Java-based Dogtag code chokes on it. OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.

thanks

James M

Let me CC at least Jan Ch. and David, they may be able to help and should also make sure FreeIPA gets better in validating the certs, as appropriate. Any thoughts guys?

I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might give you some hints to what is going on. I'm assuming your certdb (it can vary by version) is in /var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias

will give you the list of certificates installed. You can verify each one to see what is going on. The -u flag specifies usage. See the certutil man page for a full set of options. For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid

rob

Hi All,

I've created a ticket to track this: https://fedorahosted.org/pki/ticket/1697

Rob - certutil output: some certificate types seem not to be approved. Not sure if this is a red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#

regards

James M
Re: [Freeipa-users] IPA with external CA signed certs
On 12/11/15 15:21, Rob Crittenden wrote:

James Masson wrote:

On 30/10/15 13:52, Rob Crittenden wrote:

James Masson wrote:

On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:

On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag is failing to start up because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

Hi Rob,

Thanks for the reply. I do present the IPA installer with both the CA and the IPA cert - IPA's python-based install code is happy with the cert chain, but the Java-based Dogtag code chokes on it. OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.

thanks

James M

Let me CC at least Jan Ch. and David, they may be able to help and should also make sure FreeIPA gets better in validating the certs, as appropriate. Any thoughts guys?

I cc'd one of the dogtag guys to see if he knows.

You might also try using certutil to validate the certificates, it might give you some hints to what is going on. I'm assuming your certdb (it can vary by version) is in /var/lib/pki/pki-tomcat/alias

certutil -L -d /var/lib/pki/pki-tomcat/alias

will give you the list of certificates installed. You can verify each one to see what is going on. The -u flag specifies usage. See the certutil man page for a full set of options. For example:

# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid

rob

Hi All,

I've created a ticket to track this: https://fedorahosted.org/pki/ticket/1697

Rob - certutil output: some certificate types seem not to be approved. Not sure if this is a red herring.

##
[root@foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#

That's why I pointed you to the certutil man page to find out the different usages to test. The C usage is SSL client usage. Depending on the cert the usage may be different.

rob

Missed that. Here are those commands again with different certusage checking. In short, they're all superficially valid.

##
[root@foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root@foo ~]# certutil -V -u Y -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is valid
[root@foo ~]# certutil -V -u O -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is valid
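Rob's point in this thread is that `-u C` (SSL client) is only the right usage for some of the NSS database entries, so each nickname has to be tested with the usage that fits its role. As an added example (not from the thread or from Dogtag), this Python script parses the `certutil -L` listing quoted above and emits one `certutil -V` command per nickname with a role-appropriate usage letter; the sample listing is reconstructed from the post with its column whitespace restored, and the nickname-to-usage mapping is my assumption, to be adjusted to the deployment.

```python
import re
import shlex

# Constructed sample: the 'certutil -L' listing quoted in the thread, with the
# column whitespace that the mail archive collapsed restored.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# A listing row is "<nickname>   <ssl>,<smime>,<jar>" where each column holds trust
# letters (c valid CA, C/T trusted CA, u has a private key, p/P peer); a column may be empty.
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")

# certutil -V usage letters (certutil(1)): C SSL client, V SSL server, L SSL CA,
# A any CA, Y verify CA, O OCSP status responder, J object signer.
# Which usage each Dogtag system certificate should satisfy is this example's own
# mapping, chosen from the role each nickname plays; adjust it to your deployment.
ROLE_USAGE = [
    ("caSigningCert", "Y"),     # the CA certificate itself
    ("ocspSigningCert", "O"),   # signs OCSP responses
    ("Server-Cert", "V"),       # Tomcat's TLS server certificate
    ("subsystemCert", "C"),     # client certificate towards other subsystems
    ("auditSigningCert", "J"),  # signs the audit log: a signing, not a TLS, role
]


def parse_listing(text):
    """Turn 'certutil -L' output into dicts holding the nickname and its three trust columns."""
    certs = []
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        ssl, smime, jar = m.group("trust").split(",")
        certs.append({"nickname": m.group("nick"), "ssl": ssl, "smime": smime, "jar": jar})
    return certs


def is_ca(cert):
    """c, C or T in any column marks the entry as a CA (valid or trusted)."""
    return any(flag in cert[col] for col in ("ssl", "smime", "jar") for flag in "CTc")


def usage_for(cert):
    """Pick the -u letter to test a nickname with; unknown CAs get Y, unknown leaves get C."""
    for prefix, usage in ROLE_USAGE:
        if cert["nickname"].startswith(prefix):
            return usage
    return "Y" if is_ca(cert) else "C"


def verification_plan(text, dbdir="/var/lib/pki/pki-tomcat/alias"):
    """One 'certutil -V' command per certificate, each with the usage that matches its role."""
    return [
        "certutil -V -u %s -d %s -n %s" % (usage_for(c), dbdir, shlex.quote(c["nickname"]))
        for c in parse_listing(text)
    ]


if __name__ == "__main__":
    for cmd in verification_plan(SAMPLE_LISTING):
        print(cmd)
```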
Re: [Freeipa-users] IPA with external CA signed certs
On 26/10/15 16:11, Martin Kosek wrote:

On 10/26/2015 04:05 PM, James Masson wrote:

On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag is failing to start up because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

Hi Rob,

Thanks for the reply. I do present the IPA installer with both the CA and the IPA cert - IPA's python-based install code is happy with the cert chain, but the Java-based Dogtag code chokes on it. OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.

thanks

James M

Let me CC at least Jan Ch. and David, they may be able to help and should also make sure FreeIPA gets better in validating the certs, as appropriate. Any thoughts guys?

James M
Re: [Freeipa-users] IPA with external CA signed certs
On 19/10/15 21:06, Rob Crittenden wrote:

James Masson wrote:

Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why.

I'm guessing you don't include the entire CA certchain of Vault. Dogtag is failing to start up because it can't verify its own cert chain:

0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SystemCertsVerification: system certs verification failure
0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

rob

Hi Rob,

Thanks for the reply. I do present the IPA installer with both the CA and the IPA cert - IPA's python-based install code is happy with the cert chain, but the Java-based Dogtag code chokes on it. OpenSSL is happy with it too.

#
[root@foo ~]# openssl verify ipa.crt
ipa.crt: O = LOCAL, CN = Certificate Authority
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
ipa.crt: OK
###

Any hints on how to reproduce this with more debug output? I'd like to know exactly what Dogtag doesn't like about the certificate.

thanks

James M
[Freeipa-users] IPA with external CA signed certs
Hi list,

I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2-step IPA setup process as used with upstream Dogtag. I've also tried the external-ca-type option.

Likely, IPA doesn't like the certificate - however, I can't pinpoint why. Errors below.

thanks

James M

###
  [19/27]: restarting certificate server
ipa         : CRITICAL Failed to restart the certificate server. See the installation log for details.
  [20/27]: requesting RA certificate from CA
  [error] RuntimeError: Unable to submit RA cert request
###

###
2015-10-15T14:44:31Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:31Z DEBUG Waiting for CA to start...
2015-10-15T14:44:32Z DEBUG request 'https://foo.local:8443/ca/admin/ca/getStatus'
2015-10-15T14:44:32Z DEBUG request body ''
2015-10-15T14:44:32Z DEBUG request status 404
2015-10-15T14:44:32Z DEBUG request reason_phrase u'Not Found'
2015-10-15T14:44:32Z DEBUG request headers {'date': 'Thu, 15 Oct 2015 14:44:32 GMT', 'content-length': '993', 'content-type': 'text/html;charset=utf-8', 'content-language': 'en', 'server': 'Apache-Coyote/1.1'}
2015-10-15T14:44:32Z DEBUG request body 'Apache Tomcat/7.0.54 - Error report ... HTTP Status 404 - /ca/admin/ca/getStatus ... type Status report ... message /ca/admin/ca/getStatus ... description The requested resource is not available. ... Apache Tomcat/7.0.54'
2015-10-15T14:44:32Z DEBUG The CA status is: check interrupted
2015-10-15T14:44:32Z DEBUG Waiting for CA to start...
2015-10-15T14:44:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 840, in __restart_instance
    self.restart(self.dogtag_constants.PKI_INSTANCE_NAME)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 282, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 209, in restart
    self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 197, in wait_until_running
    raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2015-10-15T14:44:33Z CRITICAL Failed to restart the certificate server. See the installation log for details.
2015-10-15T14:44:33Z DEBUG duration: 303 seconds
2015-10-15T14:44:33Z DEBUG   [20/27]: requesting RA certificate from CA
2015-10-15T14:44:33Z DEBUG Starting external process
2015-10-15T14:44:33Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-f' '-R' '-k' 'rsa' '-g' '2048' '-s' 'CN=IPA RA,O=LOCAL' '-z' '/tmp/tmpKsFaxb'
Re: [Freeipa-users] Automatic IPA CA cert generation
On 24/09/15 01:20, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:

On 23/09/15 11:03, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:

On 22/09/15 17:02, James Masson wrote:

Hi,

we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these IPAs are self-signed, as part of the normal "ipa-server-install" setup process.

We would like to switch to issuing signed intermediate CA certs to the IPAs we deploy. The documentation lists the two-part process necessary for this. First "--external-ca" - and then "--external-cert-file".

Are there any ways to skip this, and give the setup process a known public/private key+cert up front? I'm hoping to avoid the need to have to use/send this automatically generated CSR every time.

thanks

James M

Hello James,

currently it's not possible but making installation with externally signed CA single-step sounds really useful to me. Currently certmonger is generating the CSR for FreeIPA server in the first step of installation. Certmonger is also able to send certificate to external CA for signing. I'm not sure if we could combine these two certmonger's abilities right now but if not it shouldn't be difficult to add functionality to certmonger to send the CSR to preconfigured CA instead of just storing it in file. This would of course require configuring the certmonger with information about the CA before FreeIPA server installation but it's just one command (getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

There are two sides to this - one is using Certmonger for automatic signing of intermediate CA certificate to be used by IPA, the other is simply using a CA cert that the administrator already possesses, e.g. in a PKCS #12 file. These should be separate tickets.

Cheers,
Fraser

--
David Kupka

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2-step process used at the moment? i.e.

run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M

I don't see an option for certmonger to use an existing CSR but you could ask it to create and track a new CSR for the same key. See getcert-request(1) for full details.

Cheers,
Fraser

Any hints on how to make a request via Certmonger that would keep IPA happy?

Looking at the CSR, the awkward bits are...

###
Requested Extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
###

I presume this is done with...

-U EXTUSAGE    set requested extended key usage OID

How do I convert the IPA CSR text output for use with Certmonger?

thanks

James M
Re: [Freeipa-users] Automatic IPA CA cert generation
On 23/09/15 11:03, Fraser Tweedale wrote:

On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:

On 22/09/15 17:02, James Masson wrote:

Hi,

we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these IPAs are self-signed, as part of the normal "ipa-server-install" setup process.

We would like to switch to issuing signed intermediate CA certs to the IPAs we deploy. The documentation lists the two-part process necessary for this. First "--external-ca" - and then "--external-cert-file".

Are there any ways to skip this, and give the setup process a known public/private key+cert up front? I'm hoping to avoid the need to have to use/send this automatically generated CSR every time.

thanks

James M

Hello James,

currently it's not possible but making installation with externally signed CA single-step sounds really useful to me. Currently certmonger is generating the CSR for FreeIPA server in the first step of installation. Certmonger is also able to send certificate to external CA for signing. I'm not sure if we could combine these two certmonger's abilities right now but if not it shouldn't be difficult to add functionality to certmonger to send the CSR to preconfigured CA instead of just storing it in file. This would of course require configuring the certmonger with information about the CA before FreeIPA server installation but it's just one command (getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

There are two sides to this - one is using Certmonger for automatic signing of intermediate CA certificate to be used by IPA, the other is simply using a CA cert that the administrator already possesses, e.g. in a PKCS #12 file. These should be separate tickets.

Cheers,
Fraser

--
David Kupka

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2-step process used at the moment? i.e.

run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M
[Freeipa-users] Automatic IPA CA cert generation
Hi,

we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside these IPAs are self-signed, as part of the normal "ipa-server-install" setup process.

We would like to switch to issuing signed intermediate CA certs to the IPAs we deploy. The documentation lists the two part process necessary for this. First "--external-ca" - and then "--external-cert-file".

Are there any ways to skip this, and give the setup process a known public/private key+cert up front? I'm hoping to avoid the need to have to use/send this automatically generated CSR every time.

thanks
James M
[Freeipa-users] PKI-CAD service fails, IPA won't start
line 101: log_success_msg: command not found
Sep 10 14:41:13 [IPA server] systemd[1]: Started PKI Certificate Authority Server pki-ca.
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:16 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:25 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 1
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:34 [IPA server] httpd[846]: GSSAPI client step 2
Sep 10 14:41:34 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:39 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:41:50 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 1
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 2
Sep 10 14:43:32 [IPA server] ns-slapd[690]: GSSAPI server step 3
Sep 10 14:46:06 [IPA server] ipactl[545]: Failed to start pki-cad Service
Sep 10 14:46:06 [IPA server] ipactl[545]: Shutting down

Not entirely sure what the issue is here, the server config wasn't modified at all. Most of the logfiles in /var/log/pki-ca are completely empty. The dirsrv access logs for the slapd-PKI-IPA directory cut off around the time that I attempted the client install.
The dirsrv error log contains:

[10/Sep/2015:14:40:44 +] - 389-Directory/1.3.1.22.a1 B2014.073.1751 starting up
[10/Sep/2015:14:40:46 +] NSMMReplicationPlugin - ruv_compare_ruv: RUV [changelog max RUV] does not contain element [{replica 96 ldap://[IPA server]:7389} 5022b7490060 5493118400010060] which is present in RUV [database RUV]
[10/Sep/2015:14:40:46 +] NSMMReplicationPlugin - replica_check_for_data_reload: Warning: for replica o=ipaca there were some differences between the changelog max RUV and the database RUV. If there are obsolete elements in the database RUV, you should remove them using the CLEANALLRUV task. If they are not obsolete, you should check their status to see why there are no changes from those servers in the changelog.
[10/Sep/2015:14:40:46 +] - slapd started. Listening on All Interfaces port 7389 for LDAP requests
[10/Sep/2015:14:40:46 +] - Listening on All Interfaces port 7390 for LDAPS requests
[10/Sep/2015:14:40:48 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

That last message repeats a few more times until the ipactl process kills the directory services.

I'm at a complete loss. Has anyone else seen this or could point out what exactly happened? I can start the individual services, but the IPA service always fails, due to either the PKI-CAD service failing or the timeout.

Sorry for the wall of text.

James Cassidy
[Freeipa-users] Issues
Hi all,

I'm a fairly advanced user, however, having issues with setting up freeIPA. I've started with Fedora 22 server (both with minimal install and basic install), modified the hosts and hostname file respectively to

xx.xx.xx.xx ipa.cloud.local ipa cloud.local

and began the install. Options selected were:

no
ipa.cloud.local
cloud.local
CLOUD.LOCAL
Directory Manager Password: set
IPA admin password: set
yes

But I always get this error:

CA did not start in 300.0s

I've modified the /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to increase the timeout value, but no luck. Suggestions?

Thanks,
James
Re: [Freeipa-users] Issues
Freeipa 4.1.4

On 06/18/2015 10:28 AM, Simo Sorce wrote:
> On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote:
> > Hi all,
> >
> > I'm a fairly advanced user, however, having issues with setting up freeIPA. I've started with Fedora 22 server (both with minimal install and basic install), modified the hosts and hostname file respectively to
> >
> > xx.xx.xx.xx ipa.cloud.local ipa cloud.local
> >
> > and began the install. Options selected were:
> >
> > no
> > ipa.cloud.local
> > cloud.local
> > CLOUD.LOCAL
> > Directory Manager Password: set
> > IPA admin password: set
> > yes
> >
> > But I always get this error:
> >
> > CA did not start in 300.0s
> >
> > I've modified the /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to increase the timeout value, but no luck. Suggestions?
>
> What pki-base package version do you have installed ?
>
> Simo.
Re: [Freeipa-users] Issues
This is a virtual machine, rng-tools-5-4.fc22.x86_64 is installed ... I did just try to create a gpg key and it seemed to have entropy issues... I did however run the command

$ rngd -W 4096
$ cat /proc/sys/kernel/random/entropy_avail

to fill the entropy up again (previously reporting around 3081), now it is at 4094. gpg works now with no issues, redid the install but still failed at the same step.

On 06/18/2015 10:53 AM, Alexander Bokovoy wrote:
> ----- Original Message -----
> > Hi all,
> >
> > I'm a fairly advanced user, however, having issues with setting up freeIPA. I've started with Fedora 22 server (both with minimal install and basic install), modified the hosts and hostname file respectively to
> >
> > xx.xx.xx.xx ipa.cloud.local ipa cloud.local
> >
> > and began the install. Options selected were:
> >
> > no
> > ipa.cloud.local
> > cloud.local
> > CLOUD.LOCAL
> > Directory Manager Password: set
> > IPA admin password: set
> > yes
> >
> > But I always get this error:
> >
> > CA did not start in 300.0s
> >
> > I've modified the /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py to increase the timeout value, but no luck. Suggestions?
>
> Is this a VM? Do you have a driver for random number generator added to it? like virtio-rng for libvirtd/kvm. It might well be that the VM struggles to get enough entropy to generate certificates.
[Freeipa-users] Is something.local hostname possible
Hi all,

I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions?

Thanks
James
Re: [Freeipa-users] Freeipa-users Digest, Vol 83, Issue 65
I've tried increasing the timeout limit but no dice (the exact number was 30 seconds I think for the error.). I'm not running avahi but just a straight up Ubuntu Fedora server with nothing else but this. Eventually we'll try to tie this into either a Hortonworks, MapR, Cloudera server as authentication, but I can't tie it to our domain since I'm not in charge of it and frankly I tried and just goes to oblivion since I'm inside the firewall and the domain is outside and not going to punch those holes. Anyone else have thoughts?

James

On 06/12/2015 11:00 AM, freeipa-users-requ...@redhat.com wrote:
> Today's Topics:
>
> 1. Is something.local hostname possible (James Benson)
> 2. Re: Is something.local hostname possible (Tamas Papp)
>
> Message: 2
> Date: Fri, 12 Jun 2015 17:48:47 +0200
> From: Tamas Papp <tom...@martos.bme.hu>
> To: James Benson <james.ben...@utsa.edu>, freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Is something.local hostname possible
>
> I can't answer you, but don't use .local, it conflicts with avahi.
>
> --
> Sent from mobile
>
> On June 12, 2015 17:45:52 James Benson <james.ben...@utsa.edu> wrote:
> > Hi all,
> >
> > I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions?
> >
> > Thanks
> > James
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
Yes, as soon as 389-ds-base-1.2.11.15-56.el6 will be available, I will update the master. Rich Megginson says that 389-ds-base-1.2.11.15-56.el6 will be shipped with rhel 6.7. Thus I will wait for 6.7 before trying to update the master and create a rhel 7 replica.

Many thanks.

2015-06-08 14:56 GMT+02:00 thierry bordaz <tbor...@redhat.com>:

Hi,

Would you update your master to 389-ds-base-1.2.11.15-56.el6, before attempting the upgrade to 7 ?

thanks
thierry

On 06/08/2015 12:30 PM, James James wrote:

My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 .

Thanks.

2015-06-08 10:25 GMT+02:00 thierry bordaz <tbor...@redhat.com>:

Hello James,

The fact that the master is more powerful than the replica increases the possibility to hit that bug. The bug fix is on the master side. The master is made smarter to adapt its replication flow to the speed of the consumer. The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and 389-ds-base-1.2.11.15-56.el6.

What is the current version of your master ?

thanks
thierry

On 06/08/2015 09:49 AM, James James wrote:

Hi Thierry,

thanks for your answer. I was away for a long time, this is why my post comes later. This timing issue is coming when you try to upgrade from rhel 6 (ipa-3.0) to rhel7 (ipa4.xx) ? I have a physical machine for the master and a VM as replica. The solution is to use a physical machine for the replica ? How can I limit the cpu/memory in the physical machine (with cgroups ??). Any hints will be appreciated ..

Regards
James

2015-05-18 14:04 GMT+02:00 thierry bordaz <tbor...@redhat.com>:

> On 05/15/2015 05:11 PM, James James wrote:
> ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 .

Hi James,

Unfortunately there is no workaround. This is a timing issue mostly seen when the master is more powerful than the consumer. If you are using VM you may try to get master/replica with nearly the same cpu/memory.

thanks
thierry

> Best.
> James

2015-05-15 16:58 GMT+02:00 Rich Megginson <rmegg...@redhat.com>:

> On 05/15/2015 08:46 AM, James James wrote:
> [root@ipa ~]# rpm -q 389-ds-base
> 389-ds-base-1.2.11.15-50.el6_6.x86_64

Ok. Looks like this is planned to be fixed in RHEL 6.7 with version 389-ds-base-1.2.11.15-56.el6. I don't know if there are any workarounds.

2015-05-15 16:32 GMT+02:00 Rich Megginson <rmegg...@redhat.com>:

> On 05/15/2015 08:22 AM, James James wrote:
> I think that :
>
> Starting replication, please wait until this has completed.
> Update in progress, 127 seconds elapsed
> Update in progress yet not in progress
>
> looks like a time error : https://fedorahosted.org/freeipa/ticket/4756

That issue should have been fixed in 389-ds-base-1.3.3 branch. What version of 389-ds-base?

rpm -q 389-ds-base

2015-05-15 16:00 GMT+02:00 Rich Megginson <rmegg...@redhat.com>:

> On 05/15/2015 07:55 AM, James James wrote:
> Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ?

What timeout error?

2015-04-17 4:52 GMT+02:00 Rich Megginson <rmegg...@redhat.com>:

> On 04/15/2015 10:44 PM, James James wrote:
> The ipareplica-install.log file in attachment ...

Here are the pertinent bits:

2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache
2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.example.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x484f4d0>
2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache
2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url=ldaps://ipa1.example.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4170290>
2015-04-15T15:08:44Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 368, in __setup_replica
    r_bindpw=self.dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 969, in setup_replication
    raise RuntimeError("Failed to start replication")
RuntimeError: Failed to start replication

2015-04-15T15:08:44Z DEBUG   [error] RuntimeError: Failed to start replication

The times are a little off, but I believe this corresponds to

[15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec)
[15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication

I don't know why setup_replication is reporting an error if replication completed successfully.
[Freeipa-users] Successful Install on VB...
Dear all,

I recently installed Fedora Server 22 on a virtualbox with the ethernet bridged (can successfully ping it, ssh, etc) and I can do a kinit admin and ipa user-add as the instructions detail in the next steps, however, I cannot access the webui. Has anyone else run into this issue? I've tried to check the services, however, they don't seem to want to start (no errors, just don't see them in the service status menu). Any help would be great as I would greatly like to use the website over commands if possible.

Thank you,
James
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? 2015-04-17 4:52 GMT+02:00 Rich Megginson rmegg...@redhat.com: On 04/15/2015 10:44 PM, James James wrote: The ipareplica-install.log file in attachment ... Here are the pertinent bits: 2015-04-15T15:06:31Z DEBUG wait_for_open_ports: localhost [389] timeout 300 2015-04-15T15:06:32Z DEBUG flushing ldap://ipa.example.com:389 from SchemaCache 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= ldap://ipa.example.com:389 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x484f4d0 2015-04-15T15:06:32Z DEBUG flushing ldaps://ipa1.example.com:636 from SchemaCache 2015-04-15T15:06:32Z DEBUG retrieving schema for SchemaCache url= ldaps://ipa1.example.com:636 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4170290 2015-04-15T15:08:44Z DEBUG Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation run_step(full_msg, method) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step method() File /usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py, line 368, in __setup_replica r_bindpw=self.dm_password) File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 969, in setup_replication raise RuntimeError(Failed to start replication) RuntimeError: Failed to start replication 2015-04-15T15:08:44Z DEBUG [error] RuntimeError: Failed to start replication The times are a little off, but I believe this corresponds to [15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete. Processed 1539 entries in 126 seconds. (12.21 entries/sec) [15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication I don't know why setup_replication is reporting an error if replication completed successfully. 
2015-04-16 2:22 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

Rich Megginson wrote:
On 04/15/2015 02:58 PM, James James wrote:
Nothing on the replica .. maybe a process on the master. How can I check that?

I have no idea. But it seems highly unlikely that a process on the master is able to shut down a process on the replica . . . I would say that there is some problem with the ipa-replica-install not properly checking the status - see below:

2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com:
On 04/15/2015 12:43 PM, James James wrote:
Here is the log

2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:
On 04/15/2015 09:46 AM, James James wrote:
Hello,

I have been looking to solve my problem but I'm asking for some help. The replication begins but cannot be completed. I want to install a new fresh replica but I've always got this error:

  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress
Update in progress yet not in progress
in progress yet not in progress

The error log below clearly shows that replica init succeeded after 127 seconds.

IPA-ers - wasn't there some bug about checking replica status properly?

The loop looks at nsds5BeginReplicaRefresh, nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus. It loops looking for nsds5BeginReplicaRefresh. If there is no value it prints "Update in progress, %d seconds elapsed". Once it gets a status, the update is done, and it looks at nsds5ReplicaLastInitStatus. If it isn't empty, doesn't include 'replica busy' or 'Total update succeeded' then it looks to see if nsds5replicaUpdateInProgress is TRUE. If it is, it prints "Update in progress yet not in progress" and tries the loop again.

AFAICT this part of a replica install doesn't restart 389-ds. /var/log/ipareplica-install.log may hold some details.

rob

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
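A small model of the status loop Rob describes, added here as an example and not FreeIPA's own installer code. The agreement snapshots are constructed, and the assumption that the server removes nsds5BeginReplicaRefresh once it has consumed the refresh request is mine; replaying the constructed snapshots reproduces the message sequence seen in this thread.

```python
"""Model of the replica-initialisation status loop in ipa-replica-install.

Added example, not FreeIPA's own code. It follows the check Rob describes:
poll the replication agreement for nsds5BeginReplicaRefresh,
nsds5replicaUpdateInProgress and nsds5ReplicaLastInitStatus and decide
whether the total update is still running, finished, or failed.
Assumption: the server removes nsds5BeginReplicaRefresh once it has
consumed the refresh request, so its absence means "look at the status".
"""

WAITING = "waiting"        # keep polling
DONE_OK = "done-ok"        # total update succeeded
DONE_ERROR = "done-error"  # installer raises "Failed to start replication"


def classify_agreement(entry, elapsed, server):
    """Classify one snapshot of the agreement entry.

    entry maps attribute name -> single string value (None if absent).
    Returns (message, state); state is one of WAITING/DONE_OK/DONE_ERROR.
    """
    refresh = entry.get("nsds5BeginReplicaRefresh")
    in_progress = (entry.get("nsds5replicaUpdateInProgress") or "").lower()
    status = entry.get("nsds5ReplicaLastInitStatus") or ""

    if refresh:
        # Refresh request not yet consumed: the total update is running.
        # (The real installer rewrites this line in place with \r.)
        return "Update in progress, %d seconds elapsed" % elapsed, WAITING
    if not status:
        return "No status yet", WAITING
    if "replica busy" in status:
        return "[%s] reports: Replica Busy! Status: [%s]" % (server, status), DONE_ERROR
    if "Total update succeeded" in status:
        return "Update succeeded", DONE_OK
    if in_progress == "true":
        # Status is a failure string, yet the agreement still claims the
        # update is running: the loop spins here, which is the symptom
        # reported in the thread.
        return "Update in progress yet not in progress", WAITING
    return "[%s] reports: Update failed! Status: [%s]" % (server, status), DONE_ERROR


def replay(snapshots, server="ipa.example.com", interval=1):
    """Run the poll loop over successive snapshots (one per poll).

    Returns (messages, final_state). The loop stops at the first snapshot
    that is not WAITING, as the installer would stop polling.
    """
    messages = []
    state = WAITING
    for i, entry in enumerate(snapshots):
        message, state = classify_agreement(entry, i * interval, server)
        messages.append(message)
        if state != WAITING:
            break
    return messages, state


# Constructed snapshots reproducing the sequence James saw: the refresh
# request is consumed, the status is an abort with an LDAP referral error,
# and nsds5replicaUpdateInProgress stays TRUE for two polls before it
# flips to FALSE and the installer finally reports the failure.
REFERRAL_STATUS = "10 Total update abortedLDAP error: Referral"
RUNNING = {"nsds5BeginReplicaRefresh": "start",
           "nsds5replicaUpdateInProgress": "TRUE",
           "nsds5ReplicaLastInitStatus": None}
FAILING_RUN = [
    RUNNING,
    RUNNING,
    {"nsds5BeginReplicaRefresh": None,
     "nsds5replicaUpdateInProgress": "TRUE",
     "nsds5ReplicaLastInitStatus": REFERRAL_STATUS},
    {"nsds5BeginReplicaRefresh": None,
     "nsds5replicaUpdateInProgress": "TRUE",
     "nsds5ReplicaLastInitStatus": REFERRAL_STATUS},
    {"nsds5BeginReplicaRefresh": None,
     "nsds5replicaUpdateInProgress": "FALSE",
     "nsds5ReplicaLastInitStatus": REFERRAL_STATUS},
]

# Constructed snapshots for a healthy initialisation: the status string the
# installer is looking for arrives once the refresh request is consumed.
HEALTHY_RUN = [
    RUNNING,
    RUNNING,
    {"nsds5BeginReplicaRefresh": None,
     "nsds5replicaUpdateInProgress": "FALSE",
     "nsds5ReplicaLastInitStatus": "0 Total update succeeded"},
]


if __name__ == "__main__":
    for name, run in (("failing", FAILING_RUN), ("healthy", HEALTHY_RUN)):
        messages, state = replay(run, interval=127)
        print("%s run -> %s" % (name, state))
        for line in messages:
            print("  " + line)
```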
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
[root@ipa ~]# rpm -q 389-ds-base
389-ds-base-1.2.11.15-50.el6_6.x86_64

2015-05-15 16:32 GMT+02:00 Rich Megginson rmegg...@redhat.com:

On 05/15/2015 08:22 AM, James James wrote:
I think that:

Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress

looks like a time error: https://fedorahosted.org/freeipa/ticket/4756

That issue should have been fixed in 389-ds-base-1.3.3 branch. What version of 389-ds-base?

rpm -q 389-ds-base

2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:
On 05/15/2015 07:55 AM, James James wrote:
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error?

What timeout error?
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
I think that:

Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress

looks like a time error: https://fedorahosted.org/freeipa/ticket/4756

2015-05-15 16:00 GMT+02:00 Rich Megginson rmegg...@redhat.com:
On 05/15/2015 07:55 AM, James James wrote:
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error?

What timeout error?
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
The ipareplica-install.log file in attachment ...

(In reply to Rob Crittenden, 2015-04-16 2:22 GMT+02:00.)

2015-04-15T15:06:11Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument /var/lib/ipa/replica-info-ipa1.example.com.gpg and options: {'no_forwarders': False, 'conf_ssh': True, 'skip_schema_check': False, 'ui_redirect': True, 'trust_sshfp': False, 'unattended': False, 'ip_addresses': [], 'no_host_dns': False, 'mkhomedir': False, 'no_reverse': False, 'setup_dns': False, 'create_sshfp': True, 'conf_sshd': True, 'forwarders': None, 'debug': False, 'conf_ntp': True, 'setup_ca': False, 'skip_conncheck': False, 'reverse_zones': []}
2015-04-15T15:06:11Z DEBUG IPA version 4.1.0-18.el7.centos.3
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-15T15:06:11Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/usr/sbin/httpd' '-t' '-D' 'DUMP_VHOSTS'
2015-04-15T15:06:11Z DEBUG Process finished, return code=0
2015-04-15T15:06:11Z DEBUG stdout=VirtualHost configuration:
*:8443                 is a NameVirtualHost
         default server ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
         port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
         port 8443 namevhost ipa1.example.com (/etc/httpd/conf.d/nss.conf:86)
2015-04-15T15:06:11Z DEBUG stderr=
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/bin/systemctl' 'is-enabled' 'chronyd.service'
2015-04-15T15:06:11Z DEBUG Process finished, return code=1
2015-04-15T15:06:11Z DEBUG stdout=
2015-04-15T15:06:11Z DEBUG stderr=Failed to issue method call: No such file or directory
2015-04-15T15:06:11Z DEBUG Starting external process
2015-04-15T15:06:11Z DEBUG args='/bin/systemctl' 'is-active' 'chronyd.service'
2015-04-15T15:06:11Z DEBUG Process finished, return code=3
2015-04-15T15:06:11Z DEBUG stdout=unknown
2015-04-15T15:06:11Z DEBUG stderr=
2015-04-15T15:06:15Z DEBUG Starting external process
2015-04-15T15:06:15Z DEBUG args='/usr/bin/gpg-agent' '--batch' '--homedir' '/tmp/tmpxNp5r9ipa/ipa-8fobNZ/.gnupg' '--daemon' '/usr/bin/gpg' '--batch' '--homedir' '/tmp/tmpxNp5r9ipa/ipa-8fobNZ/.gnupg' '--passphrase-fd' '0' '--yes' '--no-tty' '-o' '/tmp/tmpxNp5r9ipa/files.tar' '-d' '/var/lib/ipa/replica-info-ipa1.example.com.gpg'
2015-04-15T15:06:15Z DEBUG Process finished, return code=0
2015-04-15T15:06:15Z DEBUG Starting external process
2015-04-15T15:06:15Z DEBUG args='tar' 'xf' '/tmp/tmpxNp5r9ipa
Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...
Nothing on the replica .. maybe a process on the master. How can I check that?

2015-04-15 21:37 GMT+02:00 Rich Megginson rmegg...@redhat.com:

On 04/15/2015 12:43 PM, James James wrote:
Here is the log

2015-04-15 18:58 GMT+02:00 Rich Megginson rmegg...@redhat.com:
On 04/15/2015 09:46 AM, James James wrote:
Hello,

I have been looking to solve my problem but I'm asking for some help. The replication begins but cannot be completed. I want to install a new fresh replica but I've always got this error:

  [21/35]: configure dirsrv ccache
  [22/35]: enable SASL mapping fallback
  [23/35]: restarting directory server
  [24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 127 seconds elapsed
Update in progress yet not in progress
Update in progress yet not in progress
[ipa.example.com] reports: Update failed! Status: [10 Total update abortedLDAP error: Referral]
  [error] RuntimeError: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Failed to start replication

On the master I have this message:

[15/Apr/2015:15:57:37 +0200] NSMMReplicationPlugin - CleanAllRUV Task: Successfully cleaned rid(19).
[15/Apr/2015:17:06:32 +0200] NSMMReplicationPlugin - agmt=cn=meToipa1.example.com (ipa1:389): Replica has a different generation ID than the local data.
[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - Beginning total update of replica agmt=cn=meToipa1.example.com (ipa1:389).

What is happening on the consumer (ipa1.example.com) error and access log at this time?

[15/Apr/2015:17:06:33 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is going offline; disabling replication
[15/Apr/2015:17:06:33 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Apr/2015:17:06:53 +0200] - import userRoot: Processed 1399 entries -- average rate 70.0/sec, recent rate 69.9/sec, hit ratio 0%
...
[15/Apr/2015:17:08:39 +0200] - import userRoot: Import complete.  Processed 1539 entries in 126 seconds. (12.21 entries/sec)
[15/Apr/2015:17:08:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=lix,dc=polytechnique,dc=fr is coming online; enabling replication

So it would appear that initialization finished successfully. But then . . .

[15/Apr/2015:17:41:25 +0200] NSMMReplicationPlugin - agmt=cn=meToipa1.example.com (ipa1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[15/Apr/2015:17:41:16 +0200] - slapd shutting down - freed 1 work q stack objects - freed 2 op stack objects
[15/Apr/2015:17:41:16 +0200] - slapd stopped.

So the server is down. Did someone or some process shut down the replica at this time?

[15/Apr/2015:17:41:29 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

Any hints will be useful.

Thanks.
Re: [Freeipa-users] Replica with external ca + custom subject in certificate
It's a little bit more clear. Thanks.

I have created a new ipa 4.1 replica but when I want to run:

# ipa-cacert-manage renew --self-signed

I've got this message:

[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA I've got this message:

[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Do I have to promote the replica to a standalone master before installing the CA?

Any hints will be appreciated...

James

2015-04-08 7:27 GMT+02:00 Jan Cholasta jchol...@redhat.com:

On 7.4.2015 at 15:31, Martin Kosek wrote:
On 04/07/2015 02:08 PM, James James wrote:
I will try to give a better explanation:

I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew the certificate soon.

I have created a test server (ipa-dev) with the same configuration (centos 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server to be installed with an external CA. At the same time my external CA has changed and wants the emailAddress field in the certificate request's subject.

CSR during installation with external CA is produced by Dogtag, so you are constrained with the options and capabilities provided by ipa-server-install. Maybe it would be possible to modify the CSR and update the Subject manually, but I expect it would crash the installer later (JanC may know more (CCed)).

The subject name identifies the CA in server (and other) certificates. If you change it, you break the trust chain from the CA certificate to the server certificates and that will break all SSL in IPA.

If it is not possible to add emailAddress in the subject, is it possible to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA?

It is, with ipa-cacert-manage - see links below.

You can change your external CA to self-signed CA in IPA 4.1 or newer by running:

# ipa-cacert-manage renew --self-signed

You can't change external CA to CA-less.

Thanks.

2015-04-07 13:48 GMT+02:00 Martin Kosek mko...@redhat.com:
On 04/07/2015 01:44 PM, James James wrote:
ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA?

Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
https://www.freeipa.org/page/V4/CA_certificate_renewal

(Although I am still not sure about your use case and if this would help you)

2015-04-07 12:51 GMT+02:00 Martin Kosek mko...@redhat.com:
On 04/03/2015 11:39 AM, James James wrote:
Hello,

I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject like:

/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com

I am now a bit confused. Do you plan to have FreeIPA *without* a CA or with own CA signed by external CA? FreeIPA supports these kinds of setups right now:
http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

How can I do this with the ipa-server-install command? I have been trying for a few days but I still can't.

Thanks for your help.

CCing Honza who should know the definitive answer. However, FreeIPA was not very flexible in configuring special subjects for its CA certificate (i.e. cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.

-- Jan Cholasta
Re: [Freeipa-users] Replica with external ca + custom subject in certificate
ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA?

(In reply to Martin Kosek, 2015-04-07 12:51 GMT+02:00, whose message is quoted in full in the thread above.)
Re: [Freeipa-users] Replica with external ca + custom subject in certificate
I will try to give a better explanation:

I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew the certificate soon.

I have created a test server (ipa-dev) with the same configuration (centos 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server to be installed with an external CA. At the same time my external CA has changed and wants the emailAddress field in the certificate request's subject.

If it is not possible to add emailAddress in the subject, is it possible to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA?

Thanks.

(In reply to Martin Kosek, 2015-04-07 13:48 GMT+02:00, whose message is quoted in full in the thread above.)
[Freeipa-users] Replica with external ca + custom subject in certificate
Hello,

I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject like:

/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com

How can I do this with the ipa-server-install command? I have been trying for a few days but I still can't.

Thanks for your help.
[Freeipa-users] ipa and external ca
Hi everybody,

sorry to repost my original question but this time my problem is better described.

I want to install an ipa server on centos 6 with an external ca. My problem is to add emailAddress in the subject field when I type the command:

[root@ipa-dev ~]# ipa-server-install --external_ca --subject=O=orga,C=FR,OU=MyOU

Does somebody know how to do this?

Best.

James
Re: [Freeipa-users] Password entry through Trust not correct
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, March 21, 2015 10:42 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password entry through Trust not correct

On 03/20/2015 08:56 PM, McEvoy, James wrote:
When I look at the password entries for my rfc2307 account in Active Directory I get three different answers. The only correct one is on a server where I used sssd to join AD directly (the last one). Do I need to configure rfc2307? When I configured the server to join AD directly I used the option --enablerfc2307bis when I ran authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash

Hi,

Let us step back. What versions of the server and of the client and on what platforms? When you set trust, how did you set it? It might be that IPA server did not detect that you have Posix extensions in AD. There is some heuristics involved so probably you should use explicit parameters to tell IPA whether you have posix in AD or not.

-- Thank you, Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Hi Dmitri,

My IPA Server is running Fedora 21 directly on an HP DL360-G7 server. The version of freeipa is: freeipa-server-4.1.3-2.fc21.x86_64. The freeipa server has a trust with a Windows 2008R2 Active Directory domain named ENAS.Net.

The client is in an LXC container with both the hosting server and the LXC guest running Fedora 20. The client is running freeipa-client-3.3.5-1.fc20.x86_64.

This is at the top of the file /var/log/ipaclient-install.log in the client:

2015-03-19T19:20:38Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'lnx.lab', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': 'LNX.LAB', 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'ad...@lnx.lab', 'keytab': None, 'hostname': 'ctn017-135.lnx.lab', 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': True, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': ['ipa.lnx.lab'], 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}

The client is getting the correct POSIX uid/gid from Active Directory; it is the home directory which looks samba style to me, and the shell is completely missing.

Monday morning (PDT) I will kickstart another server with Fedora 21 to see the results when it joins freeipa and uses the trust. I will try both directly and from an LXC guest to see if the correct POSIX attributes get passed through from the Active Directory Identity Management for Unix plugin.

-- jim
[Freeipa-users] Password entry through Trust not correct
When I look at the password entries for my rfc2307 account in Active Directory I get three different answers. The only correct one is on a server where I used sssd to join AD directly (the last one). Do I need to configure rfc2307? When I configured the server to join AD directly I used the option --enablerfc2307bis when I ran authconfig.

from a freeipa client:
$ getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy:

from the ipa server:
[root@ipa ~]# getent passwd jemce...@enas.net
jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net/jemcevoy:/bin/bash

from a server that joined AD directly using sssd:
$ getent passwd jemce...@enas.net
jemcevoy:*:10001:10004:James McEvoy:/home/jemcevoy:/bin/bash
[Freeipa-users] Firewalld rules to allow AD Join
Hi FreeIPA Users:

I can only get my new Fedora 21 freeipa server to set up a trust with Active Directory if I turn off the firewall on the ipa server. I have looked through all the doc on which ports to open but have had no luck getting the join to work with firewalld running... Can someone tell me what firewalld is blocking on me?

--jim

These are my open services:

# firewall-cmd --zone=public --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps http https kerberos kpasswd ldap ldaps mdns ntp samba ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:

[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most likely it is a DNS or firewall issue

As soon as I turn off the firewall it works:

[root@ipa ~]# systemctl stop firewalld
[root@ipa ~]# ipa trust-add ENAS.NET --type=ad --admin=Administrator --password
Active Directory domain administrator's password:
- Re-established trust to domain enas.net -
  Realm name: enas.net
  Domain NetBIOS name: ENAS
  Domain Security Identifier: S-1-5-21-1497210546-3194758708-3931123408
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

The only error that I have found is in the samba logs, where lsasd has the following:

[2015/03/19 18:19:22.792043, 1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/enas@lnx.lab'.
[2015/03/19 18:19:23.080328, 1] ipa_sam.c:1671(search_krb_princ)
  get_trusted_domain_int: no object found with filter 'krbPrincipalName=krbtgt/lnx@enas.net'.

and winbindd-imap has this in it:

[2015/03/20 14:21:14.966125, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[2015/03/20 14:21:14.968671, 1] ../source3/winbindd/idmap.c:202(idmap_init_domain)
  idmap range not specified for domain *
[Freeipa-users] Web UI customization
Hello,

I am with an ipa 3.3 server on centos 7. I want to customize the web ui user add page (to include the krbprincipalexpiration field with a jquery calendar...). I have read http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf , https://pvoborni.fedorapeople.org/api/#!/guide/Phases and http://fossies.org/dox/freeipa-4.1.3/classipalib_1_1plugins_1_1user_1_1user__add.html but I can't figure out how to do what I want.

Can somebody give me clues or examples?

Thanks ...
Re: [Freeipa-users] issues with secondary groups? (sssd)
On Mon, 2015-03-02 at 13:25 +0100, Jakub Hrozek wrote:

On Mon, Mar 02, 2015 at 04:09:34AM -0800, Janelle wrote:

That was the point. The clients were not installed with IPA client install. I have 2000 clients and am still working on a simple way to automate the client install with ansible or puppet. Currently just trying to get it working with simple sssd/ldap only auth.

I would recommend against enrolling clients in any other way than with ipa-client-install. I've CC-ed James Shubin, who worked on automating client installs with Puppet (and Puppet-iting IPA in general), I wonder if there's some howto we can link to?

The Puppet-IPA module has documentation:
https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md

It has a client section too.

HTH,
James
Re: [Freeipa-users] FreeIPA 4.0.4 now in Debian unstable!
On Sun, Oct 26, 2014 at 2:29 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:

Hi!

Sooo.. as a followup to last week's announcement about Dogtag 10.2 getting in Debian, today marks the day that FreeIPA finally made it to the distro! And unless release critical bugs are found it'll migrate to the testing branch after spending 10 days on unstable, just in time before the freeze of the next release.

The past week was spent on fixing the remaining issues around client server install. Thanks to everyone on #freeipa-devel that helped me on times of despair :)

It'll take some time to wrap the distro patches into something that upstream could accept with a straight face.. In the meantime, feel free to kick the tires by installing 'freeipa-server' or 'freeipa-client' and report bugs if you find any! The packages will also get in the next Ubuntu release, and I'll backport them to 14.04 later this year.

ps. special thanks to Benjamin Drung who joined the ranks of pkg-freeipa-devel earlier this year, reviewed all the new packages with attention to detail, sponsored them for me before I got upload rights, and most importantly stuck around all this time :)

-- t

Awesome news! If someone is willing to test, I'm willing to write the patches to puppet-ipa [1] so that it works on Debian. Let me know.

Cheers,
James

[1] https://github.com/purpleidea/puppet-ipa
Re: [Freeipa-users] sysctl and/or limits.conf?
On 13 October 2014 18:18, Dmitri Pal d...@redhat.com wrote:

On 10/12/2014 08:07 PM, James wrote:

On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I tried the website, but did not see anything. Have about 3000 servers that will be talking to 3-4 masters/replicas. Are there any formulas to follow? thanks

If you get an answer to this, or if you know of any other performance tuning params, let me know and I'll build it in to puppet-ipa.

Thanks,
James

I do not think it is easily automatable.

You underestimate me ;)

Please see http://www.freeipa.org/page/Deployment_Recommendations and the part about replicas. If 3000 in one datacenter then 3 is good enough, or 4 if you are very LDAP heavy (some applications are, like Jira for example). If you have 2 data centers I would go for 2+2.

OP (and myself) were also curious on if there were any machine specific optimizations to add? Eg: sysctl, /proc tuning, etc... Anything out there?
Re: [Freeipa-users] sysctl and/or limits.conf?
On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I tried the website, but did not see anything. Have about 3000 servers that will be talking to 3-4 masters/replicas. Are there any formulas to follow? thanks

If you get an answer to this, or if you know of any other performance tuning params, let me know and I'll build it in to puppet-ipa.

Thanks,
James
Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information
On 7 October 2014 05:58, Alexander Bokovoy aboko...@redhat.com wrote:

Hi!

As Andrea Veri describes in the blog[1], GNOME Project's infrastructure is now powered by FreeIPA. While GNOME was already using SSSD since very early days of SSSD project, the move to FreeIPA on the server side took more time.

Yup :) I wonder who convinced him to look at FreeIPA... Hrmm ;)

[1] https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

-- / Alexander Bokovoy
Re: [Freeipa-users] Enrolling with multiple IPA servers
On 6 October 2014 14:43, Alexander Bokovoy aboko...@redhat.com wrote:

If you have some masters that are accessible by these isolated nodes, enroll isolated nodes against these masters. Nobody prevents you from selecting your deployment strategy and manipulating configuration files afterwards. Purpleidea's puppet module even allows you to define IPA masters' topology right in puppet scripts, if puppet is in use.

To elaborate on this, you can specify an algorithm to define the shape of the cluster. There are two built-in POC algorithms provided, but more will be accepted. Shape means how I algorithmically define who is neighbours with whom. The two provided are flat and ring:

[1] https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md#topology
[2] https://github.com/purpleidea/puppet-ipa/tree/master/lib/puppet/parser/functions

HTH
James
Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information
On 7 October 2014 19:54, Dmitri Pal d...@redhat.com wrote:

On 10/07/2014 09:27 AM, James wrote:

On 7 October 2014 05:58, Alexander Bokovoy aboko...@redhat.com wrote:

Hi!

As Andrea Veri describes in the blog[1], GNOME Project's infrastructure is now powered by FreeIPA. While GNOME was already using SSSD since very early days of SSSD project, the move to FreeIPA on the server side took more time.

Yup :) I wonder who convinced him to look at FreeIPA... Hrmm ;)

Motherland should know its heroes! ;-)

Your team are the heroes. I'm just an integrator who likes your code... and maybe has a few feature requests :)

[1] https://www.dragonsreach.it/2014/10/07/the-gnome-infrastructure-is-now-powered-by-freeipa/

-- / Alexander Bokovoy

-- Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information
On 7 October 2014 21:55, Fraser Tweedale ftwee...@redhat.com wrote:

This is great. Can we use the GNOME project's experience as a story or case study in promoting FreeIPA to other projects/communities? IMO we need a couple of examples like this on the freeipa.org front page.

I would recommend waiting a little bit to let them get more familiar with the tool...
Re: [Freeipa-users] ACI for ipa-getkeytab
My IPA version is 3.0.0.

Thanks

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:

On 09/08/2014 06:52 PM, James James wrote:

Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where can I find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can help me? Thanks for your help.

Which version of IPA? The reason for the question is because in FreeIPA 4.0 the ACIs were significantly reworked.

-- Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] ACI for ipa-getkeytab
SOLVED. realm-proxy has to be an indirect member of:

memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com

Thanks for your help.

2014-09-09 16:59 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

James James wrote:

My user realm-proxy is in a group (Smart Proxy Host Management) which has the Manage host keytab permission:

  Permission name: Manage host keytab
  Permissions: write
  Attributes: krbprincipalkey, krblastpwdchange
  Type: host
  Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management

When I try to retrieve a keytab from another host when my principal is the realm-proxy:

[root@client1 ~]# kinit realm-pr...@example.com -k -t /tmp/freeipa.keytab
[root@client1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: realm-pr...@example.com

Valid starting       Expires              Service principal
09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/example@example.com

[root@client1 ~]# ipa-getkeytab --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
Operation failed! Insufficient access rights

I can't retrieve the key ..

I'd need to see the smart-proxy user, show --all --raw would be best.

I just tested this on a RHEL-6 instance I had handy and it worked fine:

# ipa user-add --first=test --last=user tuser1 --password
# ipa role-add 'host keytab' --desc 'manage host keytabs'
# ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
# ipa privilege-add-permission 'manage host keytab' --permissions='manage host keytab'
# ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
# ipa role-add-member --users=tuser1 'host keytab'
# kinit tuser1
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab

rob

2014-09-09 16:14 GMT+02:00 Rob Crittenden rcrit...@redhat.com:

James James wrote:

My IPA version is 3.0.0.

Thanks

The permission 'Manage host keytab' should do the trick.

rob

2014-09-09 1:22 GMT+02:00 Dmitri Pal d...@redhat.com:

On 09/08/2014 06:52 PM, James James wrote:

Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where can I find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can help me? Thanks for your help.

Which version of IPA? The reason for the question is because in FreeIPA 4.0 the ACIs were significantly reworked.

-- Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] ACI for ipa-getkeytab
Hi everybody,

I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this? Where can I find an ACI example (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can help me?

Thanks for your help.
Re: [Freeipa-users] Centos 7 and 4.0
On Sat, Aug 23, 2014 at 12:13 AM, Chris Whittle cwhi...@gmail.com wrote:

I'm trying to install the repo from https://copr.fedoraproject.org/coprs/pviktori/freeipa/ and when I go to install I get

yum install freeipa-server
Loaded plugins: fastestmirror, langpacks
Repository pviktori-freeipa is listed more than once in the configuration
http://copr-be.cloud.fedoraproject.org/results/pviktori/freeipa/fedora-7-x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404 - Not Found
Trying other mirror.
Loading mirror speeds from cached hostfile
 * base: mirror-centos.hostingswift.com
 * extras: centos.host-engine.com
 * updates: centos.arvixe.com
No package freeipa-server available.
Error: Nothing to do

Am I missing something? I remember that there was a thread about Centos 7 and FreeIPA 4 but for the life of me I can't find it.

Thanks

Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum search freeipa' to find it.

Cheers,
James
[Freeipa-users] Multi-OS FreeIPA in puppet-ipa
I've just pushed out a WIP feature branch for multi-os puppet-ipa. This is an elegant way to create a multi-os compatible puppet module. It can be useful for managing differences between RHEL and Debian, but also between CentOS and RHEL, and even RHEL 6.x and RHEL 7, etc...

Some background on the technique when I did this for puppet-gluster:
https://ttboj.wordpress.com/2014/06/04/hiera-data-in-modules-and-os-independent-puppet/

Since I'm only currently testing CentOS/RHEL 6.x, please report any issues with other versions or OS's, and I'll patch them ASAP.

WIP branch:
https://github.com/purpleidea/puppet-ipa/tree/feat/yamldata

I'll rebase this branch as new patches are added, and I'll usually keep it current against git master. Once someone ACK's that it is working against another OS or version, then I'll maintain it in git master.

Thank you,
James
Re: [Freeipa-users] Minimal permissions for joiner account?
On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich mlasev...@lasevich.net wrote:

Sorry, I did not intend to belittle your efforts - just misread the code

Didn't take it that way, no worries :)

(saw you pass in $admin and $password and made wrong assumption that $admin was admin username) as well as trying to avoid puppet as I find Salt much quicker and much simpler (and already established in my setup)

I sat down tonight and threw together a quick salt reactor that does the same thing as your module - creates the host account in IPA with a generated OTP password and joins the host to the domain using that generated OTP (and while at it, validates the host against AWS and populates the metadata into IPA). Ended up having to join the salt master to the domain, which I was avoiding doing for security reasons, but I can just disable IPA logins in PAM and call it a day. The nice bit is that it is using the host's keytab for authentication, so I do not need any extra credentials sitting around. Seems to be working just fine. :-). I ended up granting the salt-master host the Host Administrators privilege. It seems that Host Enrollment privilege is not sufficient to enroll hosts - go figure.

Great!

The only thing that bugs me is that I am calling IPA python code from my salt reactor python code via subprocess - there has got to be a better, more direct way - but I found documentation too confusing to follow at 1 am - will be a project for another day.

There is the python ipa API, not sure how stable or official it is, but if you look in my code I use it occasionally.

Thanks for your help.

Cheers,
James
Re: [Freeipa-users] Minimal permissions for joiner account?
On Thu, Aug 14, 2014 at 7:29 PM, Michael Lasevich mlasev...@lasevich.net wrote:

Not that much. For one, I am using Salt instead of Puppet, but more importantly, if I am reading this correctly it seems to be just using the full admin account. I can already do that. By orchestration I meant setting up the OTP for client join on the server, then passing that OTP to the client to join it. It is not that hard to throw together, but timing in this process can be problematic. I prefer to avoid it for the moment if I can and just create a non-admin account for this.

The point I was trying to make is that the puppet module I linked you to does all of this automatically for you.

HTH,
James
Re: [Freeipa-users] Minimal permissions for joiner account?
On Thu, Aug 14, 2014 at 8:29 PM, Michael Lasevich mlasev...@lasevich.net wrote:

I appreciate it. Maybe I did not read it close enough, but it seemed to send the admin password to every client, which is what I am trying to avoid.

Oh no!! Definitely not :) I went to great pains to specifically avoid this actually. If you're interested in how the DM and admin passwords are managed, read:
https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/

If you're interested in how the clients auth, they do so via getkeytab, and in order for that to work, puppet passes a temporary one-time password to the client, uses it, and verifies that _that_ client auth-ed. If the password isn't used by that client, then a new OTP is generated, and the original is discarded (as it was probably used by the wrong client, or maliciously in that rare scenario). All of this to say, that this was quite complex to write, so I would consider using the module as is (and even extending it as needed!). Secondly, I'd like to point out that I'm not doing any orchestration, only config management. Which means this can actually scale!

I will take a closer look, maybe I can bite the bullet and implement the few lines of code that are required to make this work in Salt (it would take way too much work and be generally counterproductive to switch to Puppet).

Of course I can only help with the puppet case, but if you don't switch (this module is a winning module, in the same way that rails saved ruby, so I would take a closer look) you can at least use it as a reference architecture when writing a salt module. That's the beauty of Free Software! Good luck!

HTH,
James
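Two checks that come up in these threads, whether a service account such as realm-proxy actually reaches the 'Manage host keytab' privilege (the ipa-getkeytab thread above, which ends on ipa user-show --all --raw) and whether a host's one-time enrollment password was consumed by the intended client (the puppet-ipa flow just described), as an added Python example; this is not code from puppet-ipa, FreeIPA or any poster. It assumes the text of ipa user-show / ipa host-show --all --raw as input (has_keytab and has_password are real attributes in that output); the sample outputs are constructed, and the revoke-and-reissue step is my reading of the flow, not the module's code.

```python
"""Two enrollment checks on `ipa ... --all --raw` output (added example).

1. Does a user reach a privilege such as 'Manage host keytab'?  Privileges
   are granted to roles and roles to users or groups, so a user normally
   shows up only as an *indirect* member of the privilege DN.
2. Was a host's one-time enrollment password consumed by the client we
   manage?  If the server says a keytab was fetched but our client does
   not hold one, the OTP went to some other party and must be rotated.

All sample outputs below are constructed; they mimic the indented
`attribute: value` lines that `--raw` prints.
"""
from enum import Enum


def parse_raw(output):
    """Parse `attr: value` lines into {attr (lowercased): [values]}."""
    attrs = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and " " not in key:
            attrs.setdefault(key.lower(), []).append(value.strip())
    return attrs


def privilege_dn(name, basedn):
    return "cn=%s,cn=privileges,cn=pbac,%s" % (name, basedn)


def keytab_privilege_check(user_show_raw, basedn, privilege="Manage host keytab"):
    """Return (reaches_privilege, roles) for the user described by the output.

    LDAP DNs compare case-insensitively, so 'Manage host keytab' and
    'cn=manage host keytab' in the thread refer to the same privilege.
    """
    attrs = parse_raw(user_show_raw)
    memberships = attrs.get("memberof", []) + attrs.get("memberofindirect", [])
    lowered = [dn.lower() for dn in memberships]
    role_suffix = ",cn=roles,cn=accounts," + basedn.lower()
    roles = [dn for dn in memberships if dn.lower().endswith(role_suffix)]
    return privilege_dn(privilege, basedn).lower() in lowered, roles


class Enrollment(Enum):
    ENROLLED = "client holds the keytab and the server agrees"
    PENDING = "OTP issued but not used yet: hand it to the client"
    ISSUE_OTP = "no OTP and no keytab on the server: issue a fresh OTP"
    ROTATE = "keytab fetched, but not by this client: revoke and re-issue"


def enrollment_state(host_show_raw, client_has_keytab):
    """Decide the next enrollment step from server state plus the client's view."""
    attrs = parse_raw(host_show_raw)
    server_has_keytab = attrs.get("has_keytab", ["False"])[0] == "True"
    otp_outstanding = attrs.get("has_password", ["False"])[0] == "True"
    if server_has_keytab:
        # Someone consumed the OTP.  Only *our* client counts as enrolled;
        # otherwise `ipa host-disable` revokes the keytab and
        # `ipa host-mod --random` sets a new OTP (assumed recovery flow).
        return Enrollment.ENROLLED if client_has_keytab else Enrollment.ROTATE
    # No keytab on the server: anything the client holds is stale.
    return Enrollment.PENDING if otp_outstanding else Enrollment.ISSUE_OTP


BASEDN = "dc=example,dc=com"

# Constructed: realm-proxy after the fix in the thread (role reaches the privilege).
USER_OK = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=Smart Proxy Host Management,cn=groups,cn=accounts,dc=example,dc=com
  memberofindirect: cn=host keytab,cn=roles,cn=accounts,dc=example,dc=com
  memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
"""

# Constructed: same user before the fix, group not attached to any role.
USER_MISSING = """\
  dn: uid=realm-proxy,cn=users,cn=accounts,dc=example,dc=com
  uid: realm-proxy
  memberof: cn=Smart Proxy Host Management,cn=groups,cn=accounts,dc=example,dc=com
"""

HOST_OTP_PENDING = """\
  dn: fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: client1.example.com
  has_password: True
  has_keytab: False
"""

HOST_ENROLLED = """\
  dn: fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com
  fqdn: client1.example.com
  has_password: False
  has_keytab: True
"""

if __name__ == "__main__":
    print(keytab_privilege_check(USER_OK, BASEDN))
    print(keytab_privilege_check(USER_MISSING, BASEDN))
    print(enrollment_state(HOST_OTP_PENDING, client_has_keytab=False).value)
    print(enrollment_state(HOST_ENROLLED, client_has_keytab=True).value)
    print(enrollment_state(HOST_ENROLLED, client_has_keytab=False).value)
```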
Re: [Freeipa-users] WebUI krbprincipal expiration calendar widget
Thanks a lot for your answer. I will switch to RHEL 7 to use 3.3 ..

Best regards.
James

2014-08-11 17:05 GMT+02:00 Martin Kosek mko...@redhat.com:

On 08/10/2014 01:58 PM, James James wrote:

Hello, Is there a way to patch my ipa 3.0.0 with this patch: https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ? The DateTime data type will be very useful! Regards

It would be quite difficult, if not only because of the API versioning problem we have with parallel branches of FreeIPA, like RHEL-6.x/CentOS-6.x is (judging based on your version). There is an upstream ticket filed:
https://fedorahosted.org/freeipa/ticket/4427

But I do not think it would help in your case. Especially as this is just a convenience fix, the best advice I can give is either to
a) Hack this around in your IPA codebase, making sure that the capability API version is correct
b) Live with the old string variant
c) Upgrade to newer IPA, like 3.3 in RHEL-7.0 or 4.0 in Fedora 20! :-)

Martin
[Freeipa-users] WebUI krbprincipal expiration calendar widget
Hello,

Is there a way to patch my ipa 3.0.0 with this patch: https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ? The DateTime data type will be very useful!

Regards
Re: [Freeipa-users] FreeIPA + Chef
On Thu, Jul 31, 2014 at 11:55 AM, Ash Alam a...@paperlesspost.com wrote:

Hi

I am currently deploying CentOS and FreeIPA and I am looking for some recommendation on chef cookbooks. I have googled around but haven't found anything that is current. I found a git repo from Sean OMeara but the last contribution was 3 years ago. If anyone can point me in the right direction I would be very grateful.

Thank You

I've got a puppet module that I'm actively working on...
https://github.com/purpleidea/puppet-ipa

If you don't find a ready chef module, you can consider using puppet instead, or start porting it to chef. A lot of the code can be re-used, since my module contains a good amount of puppet.

HTH,
James
[Freeipa-users] FreeIPA replica topologies
Hi there,

Is the following correct or incorrect? Say I want to build a triangle of ipa replicas.

A - B - C - (back to A)

I do ipa-server-install on A
I do ipa-replica-prepare on A ... transfer files to B
I do ipa-replica-install on B

then:

Option ONE: I do ipa-replica-prepare on B ... transfer files to C
Option TWO: I do ipa-replica-prepare on A ... transfer files to C

Continuing on...

I do ipa-replica-install on C

Since all three hosts are now installed, to close the loop, I do:

Option ONE: ipa-replica-manage connect C A
Option TWO: ipa-replica-manage connect B C

Is this all correct? Is option ONE or option TWO preferable and why? Is the closing of the loop the correct interpretation and method? Can the closing of the loop be done from any host in the cluster? If there's a large cluster can it be done from someone not directly connected to the two peers we want to connect?

Thanks again!
James
Re: [Freeipa-users] FreeIPA replica topologies
On Thu, Jul 3, 2014 at 3:39 AM, Simo Sorce sso...@redhat.com wrote:

Option TWO is preferable if you have the CA only on A. You should be able to run the connect command on any administrative host IIRC.

Thanks for the reply!
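The two topology shapes puppet-ipa offers (flat and ring, from the "Enrolling with multiple IPA servers" thread above) and the loop-closing step asked about in this thread, as an added Python example that is not code from puppet-ipa or FreeIPA. It assumes 'flat' means a full mesh, and that ipa-replica-install has already created the agreement between each replica and the master its replica file was prepared on (those edges are passed in as existing).

```python
"""Replication-agreement planning for a set of IPA masters (added example).

Not code from puppet-ipa or FreeIPA.  Given an ordered list of masters it
returns the peer pairs for two shapes: 'ring' (each master talks to the
next one, the last closes the loop back to the first) and 'flat' (assumed
here to mean full mesh: every master talks to every other).  The plan is
then turned into the ipa-replica-manage connect commands still needed
after replica-install has created the initial agreements.
"""
from itertools import combinations


def ring_edges(masters):
    """Pairs for a ring A-B-C-...-A; a two-node ring is a single edge."""
    if len(masters) < 2:
        return set()
    edges = set()
    for i, node in enumerate(masters):
        edges.add(frozenset((node, masters[(i + 1) % len(masters)])))
    return edges


def flat_edges(masters):
    """Pairs for a full mesh (assumed meaning of 'flat')."""
    return {frozenset(pair) for pair in combinations(masters, 2)}


def agreements_per_master(edges):
    """How many agreements each master ends up with; a mesh grows quickly."""
    degree = {}
    for edge in edges:
        for node in edge:
            degree[node] = degree.get(node, 0) + 1
    return degree


def connect_commands(edges, existing=()):
    """ipa-replica-manage connect commands for edges not created yet.

    `existing` holds the (master, replica) pairs already linked by
    ipa-replica-install; direction does not matter for an agreement.
    """
    present = {frozenset(e) for e in existing}
    cmds = []
    for edge in sorted(edges, key=lambda e: sorted(e)):
        if edge in present:
            continue
        a, b = sorted(edge)
        cmds.append("ipa-replica-manage connect %s %s" % (a, b))
    return cmds


# Constructed sample: the triangle from the thread.
TRIANGLE = ["a.example.com", "b.example.com", "c.example.com"]
OPTION_ONE = [("a.example.com", "b.example.com"), ("b.example.com", "c.example.com")]
OPTION_TWO = [("a.example.com", "b.example.com"), ("a.example.com", "c.example.com")]

if __name__ == "__main__":
    ring = ring_edges(TRIANGLE)
    print("option ONE still needs:", connect_commands(ring, OPTION_ONE))
    print("option TWO still needs:", connect_commands(ring, OPTION_TWO))
    print("agreements per master in a 6-node mesh:",
          agreements_per_master(flat_edges(["m%d" % i for i in range(6)])))
```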
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
That makes absolute perfect sense. Thanks for the clarification.

Unfortunately I have a new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format:

[root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --root-ca-file=/root/STAR_CA-2048.crt
Usage: ipa-server-install [options]
ipa-server-install: error: no such option: --dirsrv_pkcs7

I need to convert it to pkcs12 using the converter here (awesome free tool): https://www.sslshopper.com/ssl-converter.html

I need the server's private key file to convert from pkcs7 to pkcs12, but can't find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere?

Thanks.

On 1/6/14 4:09 AM, Jan Cholasta wrote:

ipa-server-install --dirsrv_pkcs

-- James E. Scollard III
Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
I have it now. The --dirsrv_pkcs12 option seems to like pkcs7 formatted certificates, but the person who issued it did not set a password, so FreeIPA will not let me install it to know if it works for sure. I am having the certificate reissued again with a password in pkcs12 format and all should be well with the world again.

Thanks for your help and guidance on this. Your level of support is better than I could have expected.

On 1/6/14 11:01 AM, Rob Crittenden wrote:

James Scollard wrote:

That makes absolute perfect sense. Thanks for the clarification.

Unfortunately I have a new issue now. Globalsign has issued me a pkcs7 certificate. FreeIPA does not recognize the format:

[root@ldapm6x00 ~]# ipa-server-install --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7 --root-ca-file=/root/STAR_CA-2048.crt
Usage: ipa-server-install [options]
ipa-server-install: error: no such option: --dirsrv_pkcs7

I need to convert it to pkcs12 using the converter here (awesome free tool): https://www.sslshopper.com/ssl-converter.html

I need the server's private key file to convert from pkcs7 to pkcs12, but can't find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere?

The private key exists wherever you generated the CSR. If you used openssl then it would be in a flat file somewhere. If you used NSS then it would be in that database.

rob

-- James E. Scollard III
Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com
[Freeipa-users] Globalsign External CA Certificate Import Failure
When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following:

[root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.com.crt --external_ca_file=/root/sun.weather.com.crt
The log file for this installation can be found in /var/log/ipaserver-install.log
Directory Manager password:
Subject of the external certificate is not correct (got CN=*.sun.weather.com,O=The Weather Channel Interactive\, Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate Authority,O=SUN.WEATHER.COM).

CN= and O= are correct, so why is IPA refusing to use the certificate? It appears to be expecting bogus data instead of using the provided identity. This doesn't appear to be an issue with the certificate, although I have never installed FreeIPA with a Globalsign certificate. I did not see this problem with Network Solutions wildcard certificates though.

Any suggestions would be appreciated.

Thanks.

-- James E. Scollard III
Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com
Re: [Freeipa-users] Globalsign External CA Certificate Import Failure
Thanks for the reply,

Version: Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest version...

I'm not sure I understand the answer. I created the CSR and they signed it using their automation, and returned the new ones to me for installation, which failed. SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. The node itself is x.sun.weather.com, we have a wildcard certificate for sun.weather.com, and this domain controller needs the certificate for the domain for setup to complete. What am I doing wrong here?

On 1/3/14 3:58 PM, Rob Crittenden wrote:
> James Scollard wrote:
>> When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following:
>>
>> [root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.com.crt --external_ca_file=/root/sun.weather.com.crt
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> Directory Manager password:
>> Subject of the external certificate is not correct (got CN=*.sun.weather.com,O=The Weather Channel Interactive\, Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate Authority,O=SUN.WEATHER.COM).
>>
>> CN= and O= are correct, so why is IPA refusing to use the certificate? It appears to be expecting bogus data instead of using the provided identity. This doesn't appear to be an issue with the certificate, although I have never installed FreeIPA with a Globalsign certificate. I did not see this problem with Network Solutions wildcard certificates though. Any suggestions would be appreciated.
>
> This isn't related to the external CA, it just can't modify the subject of the IPA CA, which it did in this case. I'm not even entirely sure what it would mean to have the CA certificate itself be a wildcard cert. Doesn't seem to be a valid use-case though. Looks like this validation was added in v3.
>
> rob

--
James E. Scollard III
Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com
View my profile on LinkedIn
Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian
Jumping in here, if someone is organizing a TODO list to get freeipa on debian, feel free to add porting/testing puppet-ipa to this. I'm the puppet-ipa [1] guy. I'm happy to work on that part whenever someone has a working debian freeipa install for me to use. Once it works or at least mostly, feel free to ping me somehow.

HTH,
James

[1] https://github.com/purpleidea/puppet-ipa
Re: [Freeipa-users] Providing minimal permissions to read replication status
On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote:
> The patch for this would do basically this:
>
> - remove the following aci:
>   (targetattr != aci)(version 3.0; aci replica admins read access; allow (read, search, compare) groupdn = ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
>   ... from installer and from LDAP as it is too general
>
> - add new permission ACI like this:
>   (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)))(version 3.0; acl permission:Read Replication Agreements; allow (read, search, compare) groupdn = ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
>
> - make sure that Replication Administrators privilege has it assigned.
>
> I created an upstream ticket to track this effort:
> https://fedorahosted.org/freeipa/ticket/3829

Reading the upstream documentation I'm wondering if it'd be sensible to include an additional ACI in replica-acis.ldif of:

dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr=dn nsDS5ReplConflict nsUniqueID)(targetfilter=(|(objectclass=nsTombstone)(nsDS5ReplConflict=*)))(version 3.0; aci conflict read access; allow (read, search, compare) groupdn = ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)

From the upstream documentation here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig

This would allow a user with Read Replication Agreements permission to be able to search for conflicts or tombstone records which would seem sane from a monitoring point of view... What do you think?

Also just to confirm the only thing I need to do with ACIs like this is to update the ldif (delegation.ldif and replica-acis.ldif) with the new role/privilege/permission and acis in install/share for the new installs and add an appropriate entry (not quite ldif) in install/updates to update the default schema of those updating in future, given no new attributes - right?

Cheers,
James
Re: [Freeipa-users] Providing minimal permissions to read replication status
On 1 August 2013 15:55, Rob Crittenden rcrit...@redhat.com wrote:
> James Hogarth wrote:
>> On 1 August 2013 09:36, Martin Kosek mko...@redhat.com wrote:
>>> The patch for this would do basically this:
>>>
>>> - remove the following aci:
>>>   (targetattr != aci)(version 3.0; aci replica admins read access; allow (read, search, compare) groupdn = ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
>>>   ... from installer and from LDAP as it is too general
>>>
>>> - add new permission ACI like this:
>>>   (targetattr=*)(targetfilter=(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree)))(version 3.0; acl permission:Read Replication Agreements; allow (read, search, compare) groupdn = ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
>>>
>>> - make sure that Replication Administrators privilege has it assigned.
>>>
>>> I created an upstream ticket to track this effort:
>>> https://fedorahosted.org/freeipa/ticket/3829
>>
>> Reading the upstream documentation I'm wondering if it'd be sensible to include an additional ACI in replica-acis.ldif of:
>>
>> dn: $SUFFIX
>> changetype: modify
>> add: aci
>> aci: (targetattr=dn nsDS5ReplConflict nsUniqueID)(targetfilter=(|(objectclass=nsTombstone)(nsDS5ReplConflict=*)))(version 3.0; aci conflict read access; allow (read, search, compare) groupdn = ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX;)
>>
>> From the upstream documentation here:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Configuration_Command_and_File_Reference/index.html#Replication_Attributes_under_cnreplica_cnsuffixName_cnmapping_tree_cnconfig
>>
>> This would allow a user with Read Replication Agreements permission to be able to search for conflicts or tombstone records which would seem sane from a monitoring point of view... What do you think?
>
> I think this would be a separate issue. Being able to find the conflicting issues leads directly to the question what do I do with them? That is ticket https://fedorahosted.org/freeipa/ticket/1025

Thanks Rob - I think it worthwhile adding the permissions in place to at least find them as a 'quick win' as it were ... What to do after that is an interesting question and would probably take a fair chunk of work to make it nicely visible plus show ways to resolve it.

>> Also just to confirm the only thing I need to do with ACIs like this is to update the ldif (delegation.ldif and replica-acis.ldif) with the new role/privilege/permission and acis in install/share for the new installs and add an appropriate entry (not quite ldif) in install/updates to update the default schema of those updating in future, given no new attributes - right?
>
> You'll need to create a .update file in install/updates to modify an existing installation.

That's great - I had a look through the README in there and looking at other similar bits appears to be fairly simple.
[Freeipa-users] Providing minimal permissions to read replication status
Hi,

We're looking to add monitoring to our IPA replicas and want to provide a user with the minimum possible permissions to do so. Allowing the user to have the Replication Administrators role works but for monitoring the ability to add/modify/remove is overkill by a long shot.

There's no existing permission for Read Replication Agreements - only add, remove and modify. I've tried to use ipa permission-add with --filter to allow access to objectClass=nsds5replicationagreement but checking the status via:

ldapsearch -Y GSSAPI -h c6test2.c6ipa.local -b cn=config '(objectclass=nsds5replicationagreement)'

does not show anything unless the account being tested with gets replication administrator privileges... I've tried using subtree as well but the ipa command errors that the base of cn=config is not $SUFFIX ... and out of scope.

What am I missing to set this up - or is this not possible with the role/privilege/permission mechanism within IPA? I can see how the replication administration permissions are added in replica-acis.ldif but I'm concerned that if I manually add an ACI via pure LDIF commands it will cause issues with future IPA upgrades due to schema differences - so was hoping to remain within the IPA command side of things...

1) Is this even possible with the ipa command?
2) If I use ldapmodify to add a new permission by hand via ldif for Read Replication Agreements will this likely break on IPA upgrades in future?

Cheers,
James
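Once a read-only monitoring account can run the ldapsearch above (and, with the conflict ACI proposed in the reply earlier in this thread, a search for nsDS5ReplConflict entries), the remaining work is interpreting the LDIF it gets back. The script below is an added example, not code from the thread or from FreeIPA: it unfolds LDIF continuation lines, reports each replication agreement as OK, BUSY or FAIL from the agreement's status attributes, and lists conflict entries by DN. The objectclass nsds5replicationagreement and the nsDS5ReplConflict attribute are the ones named in the thread; nsDS5ReplicaHost, nsds5replicaUpdateInProgress and nsds5replicaLastUpdateStatus are the standard 389-ds agreement attributes. The LDIF, host names and nsuniqueid value are constructed sample data, not a capture from a server.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the LDIF a read-only
# monitoring account receives from ldapsearch against cn=config (replication
# agreements) and against the suffix (replication conflict entries).
# SAMPLE_AGREEMENTS and SAMPLE_CONFLICTS are constructed sample data.
set -eu

SAMPLE_AGREEMENTS='dn: cn=meToc6test2.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToc6test2.c6ipa.local
nsDS5ReplicaHost: c6test2.c6ipa.local
nsDS5ReplicaPort: 389
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateStart: 20130801093600Z
nsds5replicaLastUpdateEnd: 20130801093601Z
nsds5replicaLastUpdateStatus: Error (0) Replica acquired successfully: Incremental
  update succeeded

dn: cn=meToc6test3.c6ipa.local,cn=replica,cn=dc\3Dc6ipa\2Cdc\3Dlocal,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToc6test3.c6ipa.local
nsDS5ReplicaHost: c6test3.c6ipa.local
nsDS5ReplicaPort: 389
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastUpdateStart: 20130801093600Z
nsds5replicaLastUpdateEnd: 20130801093600Z
nsds5replicaLastUpdateStatus: Error (-1) Problem connecting to replica - LDAP error:
  Cannot contact LDAP server (connection error)
'

SAMPLE_CONFLICTS='dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=jsmith,cn=users,cn=accounts,dc=c6ipa,dc=local
objectClass: person
uid: jsmith
nsds5ReplConflict: namingConflict uid=jsmith,cn=users,cn=accounts,dc=c6ipa,dc=local
'

# ldif_unwrap: LDIF folds long values onto continuation lines that begin
# with one space; join them so every attribute sits on a single line.
ldif_unwrap() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# agreement_status: reads agreement entries on stdin and prints one line per
# agreement, "<host> OK", "<host> BUSY" or "<host> FAIL <status text>".
# 389-ds reports success as "Error (0) ..." (older builds: "0 ...").
agreement_status() {
    ldif_unwrap | awk '
        function value() { return substr($0, index($0, ": ") + 2) }
        function emit() {
            if (host == "") return
            if (busy == "TRUE") verdict = "BUSY"
            else if (st ~ /^(Error \(0\)|0) /) verdict = "OK"
            else verdict = "FAIL " st
            print host " " verdict
            host = ""; busy = ""; st = ""
        }
        tolower($0) ~ /^nsds5replicahost: /             { host = value() }
        tolower($0) ~ /^nsds5replicaupdateinprogress: / { busy = value() }
        tolower($0) ~ /^nsds5replicalastupdatestatus: / { st = value() }
        /^$/ { emit() }
        END  { emit() }
    '
}

# failing_agreements: count of agreements that are not OK (for an exit code
# or alert threshold in a monitoring check).
failing_agreements() {
    agreement_status | grep -vc ' OK$' || true
}

# conflict_entries: reads entries from a (nsDS5ReplConflict=*) search and
# prints "<dn> -> <conflict description>" for each one.
conflict_entries() {
    ldif_unwrap | awk '
        function value() { return substr($0, index($0, ": ") + 2) }
        tolower($0) ~ /^dn: /                { dn = value() }
        tolower($0) ~ /^nsds5replconflict: / { print dn " -> " value() }
    '
}

# printf rather than echo: the DNs contain backslash escapes.
printf '%s' "$SAMPLE_AGREEMENTS" | agreement_status
printf '%s' "$SAMPLE_CONFLICTS" | conflict_entries
```

In a real check the two sample variables are replaced by the output of ldapsearch -LLL run as the monitoring account against cn=config and against the suffix; the functions only read stdin, so they can be chained directly. Keeping the searches read-only is exactly what the Read Replication Agreements permission discussed here buys: the monitoring identity can see agreement status and conflict entries without being able to alter either.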
Re: [Freeipa-users] Question about design of ldap dns
> Please contact me on IRC (pspacek in #freeipa @ FreeNode) or via e-mail. We need to coordinate, because bind-dyndb-ldap is undergoing heavy refactoring right now. Also, remember that modification in bind-dyndb-ldap will require modification on FreeIPA side (CLI/WebUI/API).

Sure - I'm usually in #freeipa as JHogarth when I'm about ... Yes indeed .. I've been doing quite a bit of work in dns.js the past week or so to expose TTL in general anyway...

> We can't do this, because definition of *Record attributes is outside of our control. Definitions of these attributes come from http://drift.uninett.no/nett/ip-nett/dnsattributes.schema and it is used by BIND DLZ LDAP driver.

Ah that's a shame ... it would have been quite a smooth way to handle it but compatibility is of course critical.

> Could you post some real world examples, please? I would love to see some real world records with real TTLs and statistics. How many names with different TTLs have you? How many names and records have you in total?

As one example TXT record and SSHFP to describe a system (and its fingerprint) having a long TTL since they are unlikely to change and an A record with a shorter TTL for a dynamic DNS scenario with a non-sticky lease. There was a specific issue I was bumping into with this in the past (but not a major one) and became an itch to scratch... especially since BIND zone files would support such a setup but the bind-dyndb-ldap won't ... the disparity was something that niggled at me. In all honesty this is an edge case and since I was planning to dive in anyway I thought I might as well take a look given I have some free time at the moment... The default TTL in bind-dyndb-ldap and the exposing/modifying TTL in the Web UI is not dependent on such behaviour in any way.

> This could work, but it has significant overhead. At least indexes in LDAP server could grow rapidly.

That is a legitimate concern for sure...

> The other problem is that you will lose the uniqueness-check on LDAP side. DNS doesn't allow one record with same name and data to appear multiple times and current attribute-based design prevents this 'for free'.

But you would still be limited to this since there could only be one arecord, txtrecord, etc for a given idnsname with that structure.

> The other problem is that records in single RRset can't have multiple TTL values. I.e. (under single name) all A records have to have the same TTL, all records have to have same TTL etc.

Hmm I'll have to check BIND again but I thought that when doing round robin A records (as an example) differing TTL was possible ... but admittedly I've not verified this and this would be an inconsistency if so.

> Of course, all of these can be handled in bind-dyndb-ldap, but doing so on database side is much more elegant.

Agreed on this

> dn: idnsName=bar+dNSTTL=3600,idnsName=example.com
> idnsName: bar
> dNSTTL: 3600
> aRecord: 5.6.7.8
>
> This way you don't have to change the format of existing attributes nor add new attributes. This one is my favourite, but again: It will require refactoring on FreeIPA side. Also, I'm not sure if this could work with BIND DLZ LDAP...

I do like the compound RDN idea but it sounds like it would potentially be a lot of upheaval...

> To summarize it: Is it worth spending time on this? I would love to see some real numbers.

Good question! It's an itch I have a couple of weeks to scratch at the moment so there's no 'cost' on my time right now associated with it (although I recognise it increases complexity for the maintainers and QA of course as an after-effect)... but the complexity is fairly high and could potentially touch a lot of areas... The more basic bit of work I was doing (just the exposure and modification of TTL in the UI) would have a far improved cost-benefit ratio and only touches dns.js and dns.py (the latter I propose exposing TTL by default rather than needing --all for it in the API ... it makes the dns.js changes cleaner). Adding the ability to configure default TTL in bind-dyndb-ldap also doesn't need any of the per RRtype stuff so avoids complexity there...

> Thank you for your time and passion!

Well it's about time the linux world had something like this (rather than the old mish-mash of kerberos, openldap, etc and associated scripts to sort of glue users together that was the previous situation) so I champion it wherever I can!

James
[Freeipa-users] Question about design of ldap dns
Hi guys,

I'm just picking up the 'nice to have' ticket of configuring the default TTL as part of my general TTL refactor work seeing as the exposing and modification of TTL in the UI is unlikely to be complete before 3.3 freeze (mostly working but a few bugs remaining):

https://fedorahosted.org/bind-dyndb-ldap/ticket/70
https://fedorahosted.org/freeipa/ticket/2956

The approach I'm considering is to make the record capable of an individual TTL by just appending the TTL to the record so it would look like:

dn: idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
idnsName: bar
ARecord: 192.168.1.100 7200

This is an approach that matches how things like MX and SRV are dealt with (except those have numbers at the front) and would require much simpler modifications. Then there would be a precedence to the actual TTL used in this order:

1) If a TTL is in the record data use that
2) If a TTL is in the idnsName data (the current dnsTTL attribute) then use that
3) If a TTL is in the zone data (as per the ticket name to be decided) then use that
4) If a TTL is specified in the named.conf configuration for the bind-dyndb-ldap plugin then use that.

Although potentially not as nice as making each data entry a first class citizen as an object in LDAP such as for an example:

dn: aRecord=192.168.1.100,idnsName=bar, idnsName=example.com, cn=dns, dc=example, dc=com
aRecordName: bar
aRecordData: 192.168.1.100
aRecordTTL: 7200

It'd require far less upheaval in terms of migrations and testing... What are your thoughts on this before I start digging into this part of the code base?

Cheers,
James
Re: [Freeipa-users] sudo rules user and host group bugs?
> Did anyone find a solution for this? I am having the same experience.

Wow that was a mess... To use hostgroups for sudo ensure nisdomainname is set on the hosts to the IPA domain.
Re: [Freeipa-users] named seg faulting
> In the meanwhile I recommend you to build version 2.6:
> https://fedorahosted.org/released/bind-dyndb-ldap/bind-dyndb-ldap-2.6.tar.bz2
> It includes some fixes not-yet accepted for RHEL.

Interesting... I might build and test but generally I prefer to keep to packages accepted to rhel...

As an FYI to other CentOS users the srpm was published yesterday and was built and pushed to the CentOS repositories last night.
Re: [Freeipa-users] named seg faulting
> Upgrade to bind-dyndb-ldap-2.3-2.el6_4.1 should fix the problem.

Thanks Petr ... looks like that's not in the CentOS repositories ... I'll give those guys a heads up ...

A quick look and it appears that the SRPM isn't in the public FTP server ... opened bug https://bugzilla.redhat.com/show_bug.cgi?id=980046 to get this corrected.

James
Re: [Freeipa-users] Sudo Commands and groups confusion
> I believe that at one point we included a configuration very similar to the snippet above in man sssd-sudo. It should be there in 6.4, not 100% sure now.

Just checked the man page and indeed that minimal snippet is there ... I really need to spend more time going through new man pages etc at each point release!

My quick testing has it working a treat though and it's a lot more lightweight with the caching going on than it was before. I've just let a couple of my colleagues know who were struggling a bit with the ldap-sudo and binding stuff ... this is just so much simpler.
Re: [Freeipa-users] Syncing with AD
On Tue, May 14, 2013 at 5:07 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 05/14/2013 07:57 AM, Rob Crittenden wrote:
>> James A wrote:
>>> Hello all,
>>>
>>> I have been playing with trying to set up synchronization between windows AD -> IPA following the instructions at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>> A few questions arise;
>>>
>>> 1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html), (under table 9.2) talks about options to the ipa-replica-manage connect command. Among others, --bindpw and --passsync. With --binddn we specify the full user DN of the synchronization identity (and its password with --bindpw ... but I fail to understand which user's password should be used for --passsync?? Is it the same user?
>>
>> No, a special IPA system account user is needed so the PassSync service running in AD can bind to the IPA LDAP server to make password changes. This entry needs to be created in IPA regardless of whether you are using the PassSync service or not.

So binddn/bindpw is for the AD user we use to bind from IPA to AD, and passsync is the password set on the IPA passsync account.

>>> 2.) The documentation says that the synchronization identity (see also above) must exist in the AD domain and must have replicator, read, search and write permissions on the AD subtree. What I am trying to do is create a one way sync from AD -> IPA and I would really like to avoid using a user (for synching) that has write permissions (in the AD). All my tries in setting up synchronization fail unless I add the synch-user to the group Administrators. I have tried (and failed) using account admins etc. Any pointers here would be great. Sorry for my ignorance when it comes to Windows. I am sure I am missing something obvious.
>>>
>>> 3.) I follow the instructions under 9.4.5 (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) to setup Uni-directional sync (only AD -> IPA), and yet, when I go to remove an account in IPA it gets removed also in the AD. (This I really want to avoid, thus the need for a read-only user to do the synchronization - see question 2).
>>
>> I'm not really sure about #2 or #3. Hopefully one of the 389-ds devs will chime in with some suggestions.
>
> Write access is not required if you are only doing one way sync. Here is the information about adding the specific rights to the windows sync user http://port389.org/wiki/Howto:WindowsSync#Creating_AD_User_with_Replication_Rights

BINGO :) Thank you! Now I am very close!

The instructions read "In the 'Permissions for Windows Sync' list, make sure Read is checked under the Allow column." This I don't have (I can't find this setting where the instructions say it should be). I do have replicate directory changes, replicating directory changes all, replication synchronization and monitor active directory replication.

When I set Replication Synchronization and Replicate Directory Changes permissions on the user, I can sync new accounts using this useraccount. But... When I delete a user on the IPA server, then sync again the user doesn't show up in IPA. The good news is that the user doesn't get deleted in the AD, but I can't sync it back to the IPA. If I create a new user in the AD it gets synced ok (to IPA).

>>> I realize some of these are more windows/AD-centric issues, but given that I use IPA for syncing from the AD I hope maybe someone can shed some (more) light on this on this maillist
>>>
>>> thanks,
>>> //James.
>>>
>>> All in all I think the FreeIPA project is amazing and it really gives us in the Linux community something we haven't had before. If I can iron out the problems above I am sure it will become a great tool for me and my client.
>>
>> Glad you like it!
>>
>> cheers
>>
>> rob