Re: [Freeipa-users] EXTERNAL: Re: Multiple CA certificates (for PassSync)
Yeah, I knew that the PassSync utility would only communicate with 1 server. I'm not too worried about password sync for our new IdM server until it actually replaces the old server. I just didn't know how Windows would handle having multiple CA certs and if it would get cranky because of it. Last thing I want to do is have users coming to complain about the passwords not syncing.

Thanks for the input guys, I'll give it a shot to see how it goes.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, July 09, 2015 10:37 AM
To: Rob Crittenden; Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Multiple CA certificates (for PassSync)

On 07/09/2015 07:23 AM, Rob Crittenden wrote:
Joseph, Matthew (EXP) wrote:
Hello,

We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade, so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using the password sync between IdM and Active Directory. I can't find any information on this, so I figured I'd ask you guys to see if anyone has done this before.

Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?

I'm not sure if you can do this. The CA is probably the least of your problems. I don't believe the AD passsync service can be aware of multiple consumers like this.

Right. passsync can talk to only 1 IdM server. To use multiple CA certs, just use the certutil tool to install an additional CA cert as per the docs.

Rich may know.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] Multiple CA certificates
Hello,

We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade, so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using the password sync between IdM and Active Directory. I can't find any information on this, so I figured I'd ask you guys to see if anyone has done this before.

Can I have two CA certificates from 2 IdM servers installed on the Active Directory server? And will this cause any issues with our password sync?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: Usernames not being seen on IPA Master
Subject: [Freeipa-users] Usernames not being seen on IPA Master

On Thu, Apr 16, 2015 at 01:13:56PM +, Joseph, Matthew (EXP) wrote:
Hello,

I'm running into an issue where a new user account created on the master server is not being seen for changing file permissions and such.

Is the new user visible on the master itself via the standard system interfaces (getent passwd $newuser, id $user)?

I can login using the newly created user account but when I try to change permissions on a file/directory it comes up with the following error:
chown: changing ownership of 'username': Invalid argument

Can you strace the chown invocation so that we're sure what part really fails?

Now if I go to my replica IPA server it works fine. I deleted the user and created it again with the same username, gave the account a different UID and when I tried to permission the directory again it states the same error as above.

Please note that file ownership is defined by IDs, not usernames, so if you recreate a user with a different ID, you need to chown all his previously used files.

I changed the permissions on the replica server and went back to the master and looked at the permissions of the directory and it's showing the old UID. I can login as the new user and the permissions are fine, the user can create and modify files in that directory. When I run ipa user-find -all -raw username it brings up all of the correct information that I entered for the account. I searched for the old UID that was used with this account before but it doesn't seem to exist in IPA. I've tried restarting the IPA service and remounting the directory that contains the required folders but with no luck. I cleared the SSSD and the NSCD cache.

Using nscd along with SSSD is discouraged. We recommend to disable nscd, at least for the maps that SSSD caches. SSSD provides its own fast in-memory cache, so you won't lose performance.

Does IPA have another cache that needs to be cleared or anything like that?

Thanks,
Matt
[Freeipa-users] Usernames not being seen on IPA Master
Hello,

I'm running into an issue where a new user account created on the master server is not being seen for changing file permissions and such.

I can login using the newly created user account but when I try to change permissions on a file/directory it comes up with the following error:
chown: changing ownership of 'username': Invalid argument

Now if I go to my replica IPA server it works fine. I deleted the user and created it again with the same username, gave the account a different UID and when I tried to permission the directory again it states the same error as above. I changed the permissions on the replica server and went back to the master and looked at the permissions of the directory and it's showing the old UID. I can login as the new user and the permissions are fine, the user can create and modify files in that directory. When I run ipa user-find -all -raw username it brings up all of the correct information that I entered for the account. I searched for the old UID that was used with this account before but it doesn't seem to exist in IPA.

I've tried restarting the IPA service and remounting the directory that contains the required folders but with no luck. I cleared the SSSD and the NSCD cache. Does IPA have another cache that needs to be cleared or anything like that?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: Usernames not being seen on IPA Master
The UID is 2600 and the GID is 2000. It's a common group which all of our users are in.

Yeah, the error comes when trying to change ownership of files/directory (new or old). Just seems a bit odd the replica server is able to change ownership of files/directories fine.

Matt

-----Original Message-----
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Thursday, April 16, 2015 10:56 AM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Usernames not being seen on IPA Master

On Thu, Apr 16, 2015 at 01:42:52PM +, Joseph, Matthew (EXP) wrote:
Hey Jakub,

getent passwd returns all of the IPA users when searching either the username or UID.

Yes, I know that permissions are defined by UID/GID; I used a new UID that has not been previously used for this new account for this test.

Good to know, I disabled the nscd service.

Here is the output of the strace for chown on a directory:

execve("/bin/chown", ["chown", "wpooh", "/home/wpooh"], [/* 32 vars */]) = 0
brk(0) = 0x1095000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b698000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0
mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360\355\341\0044\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1918016, ...}) = 0
mmap(0x3404e0, 3741864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3404e0
mprotect(0x3404f89000, 2093056, PROT_NONE) = 0
mmap(0x3405188000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x188000) = 0x3405188000
mmap(0x340518d000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x340518d000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b674000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b673000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b672000
arch_prctl(ARCH_SET_FS, 0x7f5f4b673700) = 0
mprotect(0x3405188000, 16384, PROT_READ) = 0
mprotect(0x340481f000, 4096, PROT_READ) = 0
munmap(0x7f5f4b675000, 142486) = 0
brk(0) = 0x1095000
brk(0x10b6000) = 0x10b6000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0
mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f457e1000
close(3) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1734, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1734
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f5f4b697000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=142486, ...}) = 0
mmap(NULL, 142486, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5f4b675000
close(3) = 0
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5f455d3000
mprotect(0x7f5f455df000, 2097152, PROT_NONE) = 0
mmap(0x7f5f457df000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f5f457df000
close(3) = 0
mprotect(0x7f5f457df000, 4096, PROT_READ) = 0
munmap(0x7f5f4b675000, 142486) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fstat(3, {st_mode=S_IFREG|0644, st_size=3404, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5f4b697000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3404
read(3, "", 4096) = 0
close(3) = 0
munmap(0x7f5f4b697000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY
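As an added example (not code from the thread), a small parser for strace output like the trace posted above: it records which name-service backends chown consulted (nscd socket attempts, the libnss_* modules loaded, whether an SSSD responder pipe was reached) and the errno of the chown syscall itself, so a reader can tell from the trace alone whether the username lookup ever got past nscd and nss_files. The sample trace is constructed from the posted lines; the final chown line is hypothetical, since the posted trace is cut off before that syscall.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the strace output posted in the thread (quoting
# restored to strace's normal format). The last line (chown returning EINVAL) is
# hypothetical: the posted trace ends before the chown syscall.
SAMPLE_TRACE = r"""
execve("/bin/chown", ["chown", "wpooh", "/home/wpooh"], [/* 32 vars */]) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1734
close(3) = 0
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 3404
close(3) = 0
open("/lib64/libnss_sss.so.2", O_RDONLY) = 3
close(3) = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/lib/sss/pipes/nss"}, 110) = 0
chown("/home/wpooh", 2600, 2000) = -1 EINVAL (Invalid argument)
"""

# One strace line: name(args) = retval [ERRNO (message)]
LINE_RE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)(?P<rest>.*)$")
ERR_RE = re.compile(r"^\s*(E[A-Z0-9]+)\s*\(")
NSCD_SOCKET = "/var/run/nscd/socket"
SSSD_PIPE_DIR = "/var/lib/sss/pipes/"


@dataclass
class Syscall:
    call: str
    args: str
    ret: str
    errno: Optional[str]


@dataclass
class NssSummary:
    nscd_attempts: int = 0          # connect() calls to the nscd socket
    nscd_reachable: bool = False    # any of those connects succeeded
    nss_modules: List[str] = field(default_factory=list)  # libnss_<name> in load order
    sssd_reached: bool = False      # connect() to an SSSD responder pipe succeeded
    chown_errno: Optional[str] = None  # errno of the chown syscall, if traced


def parse_strace(text: str) -> List[Syscall]:
    """Parse strace lines; lines that do not parse (e.g. a truncated last line) are skipped."""
    calls: List[Syscall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        em = ERR_RE.match(m.group("rest"))
        calls.append(Syscall(m.group("call"), m.group("args"), m.group("ret"),
                             em.group(1) if em else None))
    return calls


def nss_summary(calls: List[Syscall]) -> NssSummary:
    """Summarise which name-service backends the traced command consulted."""
    s = NssSummary()
    for c in calls:
        if c.call == "connect":
            pm = re.search(r'path="([^"]*)"', c.args)
            path = pm.group(1) if pm else ""
            if path == NSCD_SOCKET:
                s.nscd_attempts += 1
                if c.errno is None:
                    s.nscd_reachable = True
            elif path.startswith(SSSD_PIPE_DIR) and c.errno is None:
                s.sssd_reached = True
        elif c.call == "open":
            pm = re.match(r'"([^"]*)"', c.args)
            mod = re.search(r"/libnss_(\w+)\.so", pm.group(1) if pm else "")
            if mod:
                s.nss_modules.append(mod.group(1))
        elif c.call == "chown":
            s.chown_errno = c.errno
    return s


if __name__ == "__main__":
    print(nss_summary(parse_strace(SAMPLE_TRACE)))
```

A trace in which nss_modules never includes "sss" (or sssd_reached stays False) means the lookup was answered by nscd or /etc/passwd alone, which is what you want to rule out when a user resolves on one IPA server but not another.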
Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
I was able to get the group modified and deleted with your commands Rob. Thank you very much for the help.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 3:16 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
I tried to do the following command:
ldapdelete -D cn=Directory Manager -h server_name -p 389 cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca

And I get the ldap_delete: no such object

Maybe this will help: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

I can't see what you're seeing so it's hard to get more precise.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 2:32 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hey Rob,

So I did the following command:
ldapdelete -D cn=Directory Manager -h server_name -p 389 cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca

and it comes back with the following:
ldap_delete: No such object

I also tried replacing the group_name with the nsuniqueid and still the same results.

I'd need more details on what you did. You already know the group by its name doesn't exist, otherwise IPA would have been able to delete it. The point is to use the --all --raw flags to get the actual DN of the group entry and delete that.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to delete a group in IdM but when I do a ipa group-del group it states the following:
ipa: ERROR: group: group not found

I do an ipa group-find and it displays the group with the current members. I look in the Web GUI and I can see the group in there but it has no information. If I try to view the group or delete it from there it again states that the group is not found.

Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob
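An added example (not code from the thread) of the procedure Rob describes: read the raw entries that ipa group-find --all --raw prints, pick out the replication conflict entry, and build the ldapdelete invocation for it. A 389-ds conflict entry is addressed by the DN exactly as --raw prints it, with the multi-valued RDN nsuniqueid=...+cn=..., and it carries an nsds5ReplConflict attribute naming the entry it collided with. The CLI output below is constructed (the nsuniqueid value, domain and host are placeholders) and the command is returned as an argv list rather than executed.

```python
import re
from typing import Dict, List

# Constructed sample of `ipa group-find --all --raw` output: one healthy entry and
# one replication conflict entry for the same cn. The nsuniqueid value is made up;
# attribute names are lower-case as the raw LDAP output shows them.
SAMPLE_RAW_OUTPUT = """
----------------
2 groups matched
----------------
  dn: cn=devops,cn=groups,cn=accounts,dc=domain,dc=ca
  cn: devops
  gidnumber: 2000
  objectclass: top
  objectclass: groupofnames
  objectclass: posixgroup

  dn: nsuniqueid=66446001-1dd211b2-66225685-00000001+cn=devops,cn=groups,cn=accounts,dc=domain,dc=ca
  cn: devops
  nsds5replconflict: namingConflict cn=devops,cn=groups,cn=accounts,dc=domain,dc=ca
  objectclass: top
  objectclass: groupofnames
  objectclass: posixgroup
----------------------------
Number of entries returned 2
----------------------------
"""

Entry = Dict[str, List[str]]

# A conflict entry's RDN is nsuniqueid=<id> plus the original RDN, joined by '+'.
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+", re.IGNORECASE)


def parse_raw_entries(text: str) -> List[Entry]:
    """Split CLI output into entries (attribute -> values, keys lower-cased).
    Blank lines, rule lines and count lines separate entries."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or ":" not in line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, value = line.split(":", 1)
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def is_conflict_entry(entry: Entry) -> bool:
    """True for a 389-ds replication conflict entry (nsuniqueid RDN or nsds5ReplConflict)."""
    dn = entry.get("dn", [""])[0]
    return bool(CONFLICT_RDN.match(dn)) or "nsds5replconflict" in entry


def find_conflict_entries(text: str) -> List[Dict[str, str]]:
    """Return each conflict entry's exact DN and the DN it collided with."""
    found: List[Dict[str, str]] = []
    for e in parse_raw_entries(text):
        if not is_conflict_entry(e):
            continue
        conflict = e.get("nsds5replconflict", [""])[0]  # "namingConflict <dn>"
        shadows = conflict.split(" ", 1)[1] if " " in conflict else ""
        found.append({"dn": e["dn"][0], "shadows": shadows})
    return found


def ldapdelete_argv(dn: str, host: str, port: int = 389) -> List[str]:
    """Build the ldapdelete command as argv (no shell quoting of '+' / '=' in the
    DN to get wrong); -W prompts for the Directory Manager password."""
    return ["ldapdelete", "-x", "-D", "cn=Directory Manager", "-W",
            "-h", host, "-p", str(port), dn]


if __name__ == "__main__":
    for c in find_conflict_entries(SAMPLE_RAW_OUTPUT):
        print("conflict entry:", c["dn"])
        print("collides with: ", c["shadows"])
        print("would run:     ", ldapdelete_argv(c["dn"], "server_name"))
```

Check the "shadows" DN still resolves (ipa group-show by name) before deleting the conflict entry, so the surviving entry is the one with the members you expect.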
Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
Hey Rob,

It couldn't find the group when I did your command. I replaced show with find and was able to find the dn number. I can use the ldapdelete command to delete the entry right?

Thanks,
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to delete a group in IdM but when I do a ipa group-del group it states the following:
ipa: ERROR: group: group not found

I do an ipa group-find and it displays the group with the current members. I look in the Web GUI and I can see the group in there but it has no information. If I try to view the group or delete it from there it again states that the group is not found.

Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob
Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
Hey Rob,

So I did the following command:
ldapdelete -D cn=Directory Manager -h server_name -p 389 cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca

and it comes back with the following:
ldap_delete: No such object

I also tried replacing the group_name with the nsuniqueid and still the same results.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to delete a group in IdM but when I do a ipa group-del group it states the following:
ipa: ERROR: group: group not found

I do an ipa group-find and it displays the group with the current members. I look in the Web GUI and I can see the group in there but it has no information. If I try to view the group or delete it from there it again states that the group is not found.

Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob
Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found
I tried to do the following command:
ldapdelete -D cn=Directory Manager -h server_name -p 389 cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca

And I get the ldap_delete: no such object

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 2:32 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hey Rob,

So I did the following command:
ldapdelete -D cn=Directory Manager -h server_name -p 389 cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca

and it comes back with the following:
ldap_delete: No such object

I also tried replacing the group_name with the nsuniqueid and still the same results.

I'd need more details on what you did. You already know the group by its name doesn't exist, otherwise IPA would have been able to delete it. The point is to use the --all --raw flags to get the actual DN of the group entry and delete that.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states it's not found

Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to delete a group in IdM but when I do a ipa group-del group it states the following:
ipa: ERROR: group: group not found

I do an ipa group-find and it displays the group with the current members. I look in the Web GUI and I can see the group in there but it has no information. If I try to view the group or delete it from there it again states that the group is not found.

Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It may be a replication conflict entry. You'd need to delete that manually using something like ldapdelete.

rob
Re: [Freeipa-users] IPA Replica Issues
Hey Suhail,

Issue has been resolved; it was actually my replica server being about 10 minutes out of sync from the master which was causing the credential errors.

Matt

From: Choudhury, Suhail [mailto:suhail.choudh...@bskyb.com]
Sent: Wednesday, July 30, 2014 9:00 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: RE: IPA Replica Issues

Hi,

Check your GSSAPIAuthentication settings in sshd.conf and restart sshd:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

Last week I had some replication problems between replicas which were fixed after re-enabling GSSAPI.

Regards,
Suhail Choudhury.
DevOps | Recommendations Team | BSkyB

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Joseph, Matthew (EXP) [matthew.jos...@lmco.com]
Sent: 28 July 2014 17:46
To: freeipa-users@redhat.com
Subject: [Freeipa-users] IPA Replica Issues

Hello,

I'm currently running into some issues with my replica server. I noticed it wasn't getting any updates from the master server so I tried to do a force-sync but it states that it is an invalid password, which I know is not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the SASL(-13) authentication failure: GSSAPI Failure: gss_accept_sec_context, 'desc' Invalid Credentials

I've tried doing a kdestroy and have it prompt me for the password but again, same error.

Any idea what this would be?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Sorry, I should clarify: what is weird is I supply the Directory Manager password and it's not accepting it. Any idea why this is happening?

I know a few months back I changed the admin password and I followed the steps on both my Master and Replica servers from the following link:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I've tried supplying both the old and the new Directory Manager password but neither are working.

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, July 28, 2014 5:04 PM
To: Joseph, Matthew (EXP)
Cc: Mark Heslin; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

On Mon, 2014-07-28 at 18:39 +, Joseph, Matthew (EXP) wrote:
Weird, when I do kdestroy it prompts me for a password to do the ipa-replica-manage list command and I supply the password but it states invalid credentials. When I do kinit and supply the password it works. They use the same account/password don't they?

No, if you look carefully, when you do not have a ticket it asks you for the Directory Manager password, which is/should not be the same as any of your users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Ok, I got the Directory Manager password figured out. I had to go through the steps again and it took the change this time.

So from my replica server I can perform the ipa-replica-manage list and supply the Directory Manager password and it works. When I try to do a force-sync it displays the following error in the errors log on my master server:

Replication bind with GSSAPI auth failed; LDAP Error 49 (Invalid Credentials) (SASL (-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, July 29, 2014 7:22 AM
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

Sorry, I should clarify: what is weird is I supply the Directory Manager password and it's not accepting it. Any idea why this is happening?

I know a few months back I changed the admin password and I followed the steps on both my Master and Replica servers from the following link:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I've tried supplying both the old and the new Directory Manager password but neither are working.

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, July 28, 2014 5:04 PM
To: Joseph, Matthew (EXP)
Cc: Mark Heslin; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

On Mon, 2014-07-28 at 18:39 +, Joseph, Matthew (EXP) wrote:
Weird, when I do kdestroy it prompts me for a password to do the ipa-replica-manage list command and I supply the password but it states invalid credentials. When I do kinit and supply the password it works. They use the same account/password don't they?

No, if you look carefully, when you do not have a ticket it asks you for the Directory Manager password, which is/should not be the same as any of your users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Figured out the issue. My time was off by about 10 minutes between the replica and master server. This caused the credential errors. I put the time back to where it should be and the replication went perfect.

Would a newer version of FreeIPA display this better in the logs? Currently I'm using 2.2.0-16.

Thanks guys.

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, July 29, 2014 9:15 AM
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

Ok, I got the Directory Manager password figured out. I had to go through the steps again and it took the change this time.

So from my replica server I can perform the ipa-replica-manage list and supply the Directory Manager password and it works. When I try to do a force-sync it displays the following error in the errors log on my master server:

Replication bind with GSSAPI auth failed; LDAP Error 49 (Invalid Credentials) (SASL (-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, July 29, 2014 7:22 AM
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

Sorry, I should clarify: what is weird is I supply the Directory Manager password and it's not accepting it. Any idea why this is happening?

I know a few months back I changed the admin password and I followed the steps on both my Master and Replica servers from the following link:
http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password

I've tried supplying both the old and the new Directory Manager password but neither are working.

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, July 28, 2014 5:04 PM
To: Joseph, Matthew (EXP)
Cc: Mark Heslin; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues

On Mon, 2014-07-28 at 18:39 +, Joseph, Matthew (EXP) wrote:
Weird, when I do kdestroy it prompts me for a password to do the ipa-replica-manage list command and I supply the password but it states invalid credentials. When I do kinit and supply the password it works. They use the same account/password don't they?

No, if you look carefully, when you do not have a ticket it asks you for the Directory Manager password, which is/should not be the same as any of your users.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
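The resolution above (clocks about ten minutes apart) produces exactly this kind of LDAP error 49 / GSSAPI bind failure, because Kerberos rejects authenticators whose timestamp is outside its clock-skew tolerance (300 seconds by default in MIT Kerberos). The following is an added example, not code from the thread: it pulls replication bind failures out of a 389-ds errors log and flags pairs of hosts whose clocks differ by more than that tolerance. The log excerpt and the clock readings are constructed; the hostnames and agreement name are placeholders.

```python
import re
from datetime import datetime
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# MIT Kerberos default clockskew: authenticators further from the server's clock
# than this are rejected, which surfaces on the LDAP side as error 49.
KRB_MAX_SKEW_SECONDS = 300

# Constructed 389-ds errors log excerpt carrying the message quoted in the thread.
# The agreement name and hostnames are placeholders.
SAMPLE_ERRORS_LOG = """
[29/Jul/2014:09:10:02 -0300] NSMMReplicationPlugin - agmt="cn=meToidm-replica.example.com" (idm-replica:389): Replication bind with GSSAPI auth failed; LDAP Error 49 (Invalid Credentials) (SASL (-13): authentication failure: GSSAPI Failure: gss_accept_sec_context)
[29/Jul/2014:09:12:15 -0300] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[29/Jul/2014:09:20:40 -0300] NSMMReplicationPlugin - agmt="cn=meToidm-replica.example.com" (idm-replica:389): Replication bind with GSSAPI auth resumed
"""

# Constructed `date -u +%s` readings taken at the same moment on each host; the
# replica is 10 minutes behind, as in the thread.
SAMPLE_CLOCKS = {
    "idm-master.example.com": 1406639402,
    "idm-replica.example.com": 1406639402 - 600,
    "client1.example.com": 1406639402,
}

TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
FAIL_RE = re.compile(r'agmt="([^"]+)" \(([^)]+)\): Replication bind with GSSAPI auth failed')


def find_replication_bind_failures(log: str) -> List[Tuple[Optional[datetime], str, str]]:
    """Return (timestamp, agreement, peer host:port) for each failed GSSAPI replication bind."""
    failures: List[Tuple[Optional[datetime], str, str]] = []
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z") if ts else None
        failures.append((when, m.group(1), m.group(2)))
    return failures


def skew_report(clocks: Dict[str, int],
                tolerance: int = KRB_MAX_SKEW_SECONDS) -> List[Tuple[str, str, int]]:
    """Pairwise clock differences (seconds) that exceed the Kerberos tolerance.
    `clocks` maps hostname -> epoch seconds read on every host at the same moment."""
    flagged: List[Tuple[str, str, int]] = []
    for a, b in combinations(sorted(clocks), 2):
        skew = abs(clocks[a] - clocks[b])
        if skew > tolerance:
            flagged.append((a, b, skew))
    return flagged


def odd_hosts_out(report: List[Tuple[str, str, int]]) -> List[str]:
    """Hosts that appear in every flagged pair: the likeliest ones with a wrong clock."""
    if not report:
        return []
    common = set(report[0][:2])
    for a, b, _ in report[1:]:
        common &= {a, b}
    return sorted(common)


if __name__ == "__main__":
    for when, agmt, peer in find_replication_bind_failures(SAMPLE_ERRORS_LOG):
        print(f"{when} bind to {peer} failed on agreement {agmt}")
    report = skew_report(SAMPLE_CLOCKS)
    for a, b, skew in report:
        print(f"{a} and {b} differ by {skew}s (> {KRB_MAX_SKEW_SECONDS}s)")
    print("check the clock on:", odd_hosts_out(report))
```

A failed bind in the log together with a non-empty skew report points at time, not at the Directory Manager or replication credentials, as the first thing to fix.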
[Freeipa-users] IPA Replica Issues
Hello,

I'm currently running into some issues with my replica server. I noticed it wasn't getting any updates from the master server so I tried to do a force-sync but it states that it is an invalid password, which I know is not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the SASL(-13) authentication failure: GSSAPI Failure: gss_accept_sec_context, 'desc' Invalid Credentials

I've tried doing a kdestroy and have it prompt me for the password but again, same error.

Any idea what this would be?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Hey Mark,

I can do the ipa-replica-manage list command just fine, it displays all the servers. I just found it weird when on the master if I did the ipa-replica-manage list replica_server that it gave that error.

I did the following from the Red Hat site but it just segfaults.

Retrieve a new keytab for the principal using the ipa-getkeytab command. This requires the location of the original keytab for the service or host (-k), the principal (-p), and the IdM server hostname (-s). For example, this refreshes the host principal with a keytab in the default location of /etc/krb5.keytab:

# ipa-getkeytab -p host/client.example@example.com -s ipa.example.com -k /etc/krb5.keytab

When I do klist it shows an ldap key that would be expiring tomorrow evening.

I looked at the sssd logs and I see nothing in there. The slapd logs show the same error I listed below.

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Mark Heslin
Sent: Monday, July 28, 2014 3:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] IPA Replica Issues

On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:
Hello,

I'm currently running into some issues with my replica server. I noticed it wasn't getting any updates from the master server so I tried to do a force-sync but it states that it is an invalid password, which I know is not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the SASL(-13) authentication failure: GSSAPI Failure: gss_accept_sec_context, 'desc' Invalid Credentials

I've tried doing a kdestroy and have it prompt me for the password but again, same error.

Any idea what this would be?

Thanks,
Matt

Joe,

Are you actually getting a valid Kerberos ticket - on the surface it would not appear so.

Also, the command is 'ipa-replica-manage list':

Example:
# ipa-replica-manage list
idm-srv1.example.com: master
idm-srv2.example.com: master

-m
Re: [Freeipa-users] EXTERNAL: Re: IPA Replica Issues
Weird, when I do kdestroy it prompts me for a password to do the ipa-replica-manage list command and I supply the password but it states invalid credentials. When I do kinit and supply the password it works. They use the same account/password don't they?

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Mark Heslin
Sent: Monday, July 28, 2014 3:27 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] IPA Replica Issues

On 07/28/2014 02:12 PM, Mark Heslin wrote:
On 07/28/2014 12:46 PM, Joseph, Matthew (EXP) wrote:
Hello,

I'm currently running into some issues with my replica server. I noticed it wasn't getting any updates from the master server so I tried to do a force-sync but it states that it is an invalid password, which I know is not the case.

I tried doing an ipa-replica-manager list replica_server but it gives me the SASL(-13) authentication failure: GSSAPI Failure: gss_accept_sec_context, 'desc' Invalid Credentials

I've tried doing a kdestroy and have it prompt me for the password but again, same error.

Any idea what this would be?

Thanks,
Matt

Joe,

Are you actually getting a valid Kerberos ticket - on the surface it would not appear so.

Also, the command is 'ipa-replica-manage list':

Example:
# ipa-replica-manage list
idm-srv1.example.com: master
idm-srv2.example.com: master

-m

Joe,

I forgot to add, you should be able to do this without a Kerberos ticket but you'll need to specify the Directory Manager password:

Example:
# ipa-replica-manage list
Directory Manager password:
idm-srv1.example.com: master
idm-srv2.example.com: master

# klist
klist: No credentials cache found (ticket cache KEYRING:persistent:0:0)

I'm running RHEL 7 - not sure whether or not this behavior is different on earlier versions.

-m
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers.

Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service rpcbind restart
[root@server ~]# service dirsrv restart
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca server ipaservername.domainname.ca
I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says Can't communicate with ypbind, which makes sense since ypbind will not start. On the NIS client in the messages file it says the following:
ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use
Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions?

Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part, is functional. This generally smells like a firewall issue but I have no way to prove or disprove the theory.

Matt

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
When I run the netstat command it shows the following:
tcp    0    0 0.0.0.0:1023    0.0.0.0:*    LISTEN    10465/ypserv
udp    0    0 0.0.0.0:1023    0.0.0.0:*              10465/ypserv

Like I stated, this was working fine until we had our holiday shutdown for 2 weeks and when it came back online this stopped working. I tried restarting ypserv and ypbind on the secondary IPA server and it stopped working. Does ipa-server-2.2.0-16 have some bug issues with the NIS compatibility mode?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers. Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service rpcbind restart
[root@server ~]# service dirsrv restart
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca server ipaservername.domainname.ca
I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says Can't communicate with ypbind, which makes sense since ypbind will not start. On the NIS client in the messages file it says the following:
ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use
Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions?

Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part, is functional. This generally smells like a firewall issue but I have no way to prove or disprove the theory.

Matt
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
I forgot to show my current configuration.

yp.conf:
domain mydomain.ca server primaryIPA
domain mydomain.ca server secondaryIPA

/etc/sysconfig/network:
NISDOMAIN=mydomain.ca

nsswitch.conf: has nis added for passwd/group/automount

I've been trying different combinations of adding the nsslapd-pluginarg0: 1023 and running ypserv on the same port. Should nsslapd and ypserv be running on the same port when I do the netstat command?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers. Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service rpcbind restart
[root@server ~]# service dirsrv restart
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca server ipaservername.domainname.ca
I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says Can't communicate with ypbind, which makes sense since ypbind will not start. On the NIS client in the messages file it says the following:
ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use
Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions?

Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part, is functional. This generally smells like a firewall issue but I have no way to prove or disprove the theory.

Matt
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
So looking at NIS documentation I noticed my /var/yp folder did not have the same folders/files as it should. It should have a Makefile, nicknames, binding (folder) and mydomainname (folder). I created a folder which matched my domainname and ypbind was finally able to start. But I can't do a ypcat since it can't find the maps, which I would assume live under that domainname folder. Any ideas?

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, January 07, 2014 9:23 AM
To: Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

I forgot to show my current configuration.

yp.conf:
domain mydomain.ca server primaryIPA
domain mydomain.ca server secondaryIPA

/etc/sysconfig/network:
NISDOMAIN=mydomain.ca

nsswitch.conf: has nis added for passwd/group/automount

I've been trying different combinations of adding the nsslapd-pluginarg0: 1023 and running ypserv on the same port. Should nsslapd and ypserv be running on the same port when I do the netstat command?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers. Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service rpcbind restart
[root@server ~]# service dirsrv restart
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca server ipaservername.domainname.ca
I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says Can't communicate with ypbind, which makes sense since ypbind will not start. On the NIS client in the messages file it says the following:
ypbind: broadcast: RPC: Timed Out
Cannot bind UDP
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
ypinit -c does not exist for Linux. At least from what I can see. It looks like it's a server issue. It seems when I try to initialize NIS (through ypserv and ypbind) on the Primary and Secondary IPA servers it does not know to check IPA for the user information. Maybe I'm wrong, but are the ipa-nis-manage and ipa-compat-manage commands not used to enable the NIS compatibility mode?

From: Ondrej Valousek [mailto:ovalou...@vendavo.com]
Sent: Tuesday, January 07, 2014 11:12 AM
To: Joseph, Matthew (EXP); Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Did you try to run ypinit -c? Not sure now - it might be necessary to initialize the NIS subsystem.
O.

Sent from Samsung Mobile

Original message
From: Joseph, Matthew (EXP)
Date: 07. 01. 2014 15:52 (GMT+01:00)
To: Petr Spacek, Rob Crittenden, d...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

So looking at NIS documentation I noticed my /var/yp folder did not have the same folders/files as it should. It should have a Makefile, nicknames, binding (folder) and mydomainname (folder). I created a folder which matched my domainname and ypbind was finally able to start. But I can't do a ypcat since it can't find the maps, which I would assume live under that domainname folder. Any ideas?

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, January 07, 2014 9:23 AM
To: Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

I forgot to show my current configuration.

yp.conf:
domain mydomain.ca server primaryIPA
domain mydomain.ca server secondaryIPA

/etc/sysconfig/network:
NISDOMAIN=mydomain.ca

nsswitch.conf: has nis added for passwd/group/automount

I've been trying different combinations of adding the nsslapd-pluginarg0: 1023 and running ypserv on the same port. Should nsslapd and ypserv be running on the same port when I do the netstat command?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers. Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
No worries. We have a couple of older clients on our network that consist of RHEL 4.3, RHEL 5.3, RHEL 5.5, Solaris 7, Solaris 8, and Solaris 10. Unfortunately I won't be able to get rid of those machines for the next year or so. I figured for those older clients it would just be easier to have them all go through NIS. I had it working for a good year and then it just stopped.

From: Ondrej Valousek [mailto:ovalou...@vendavo.com]
Sent: Tuesday, January 07, 2014 11:44 AM
To: Joseph, Matthew (EXP); Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Ok. Just curious - why are you running NIS on Linux where we have a native client available? Sorry for this OT question.
O.

Sent from Samsung Mobile

Original message
From: Joseph, Matthew (EXP)
Date: 07. 01. 2014 16:17 (GMT+01:00)
To: Ondrej Valousek, Petr Spacek, Rob Crittenden, d...@redhat.com, freeipa-users@redhat.com
Subject: RE: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

ypinit -c does not exist for Linux. At least from what I can see. It looks like it's a server issue. It seems when I try to initialize NIS (through ypserv and ypbind) on the Primary and Secondary IPA servers it does not know to check IPA for the user information. Maybe I'm wrong, but are the ipa-nis-manage and ipa-compat-manage commands not used to enable the NIS compatibility mode?

From: Ondrej Valousek [mailto:ovalou...@vendavo.com]
Sent: Tuesday, January 07, 2014 11:12 AM
To: Joseph, Matthew (EXP); Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Did you try to run ypinit -c? Not sure now - it might be necessary to initialize the NIS subsystem.
O.

Sent from Samsung Mobile

Original message
From: Joseph, Matthew (EXP)
Date: 07. 01. 2014 15:52 (GMT+01:00)
To: Petr Spacek, Rob Crittenden, d...@redhat.com, freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

So looking at NIS documentation I noticed my /var/yp folder did not have the same folders/files as it should. It should have a Makefile, nicknames, binding (folder) and mydomainname (folder). I created a folder which matched my domainname and ypbind was finally able to start. But I can't do a ypcat since it can't find the maps, which I would assume live under that domainname folder. Any ideas?

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, January 07, 2014 9:23 AM
To: Petr Spacek; Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

I forgot to show my current configuration.

yp.conf:
domain mydomain.ca server primaryIPA
domain mydomain.ca server secondaryIPA

/etc/sysconfig/network:
NISDOMAIN=mydomain.ca

nsswitch.conf: has nis added for passwd/group/automount

I've been trying different combinations of adding the nsslapd-pluginarg0: 1023 and running ypserv on the same port. Should nsslapd and ypserv be running on the same port when I do the netstat command?

-----Original Message-----
From: Petr Spacek [mailto:pspa...@redhat.com]
Sent: Tuesday, January 07, 2014 6:59 AM
To: Joseph, Matthew (EXP); Rob Crittenden; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

On 7.1.2014 11:22, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers. Yup, I checked the status of the port to make sure nothing else was using it. I configured it for an empty port below 1024.

You can use command netstat -lpn (as root) and check if the process is listening on the correct port and interface.

Petr^2 Spacek

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, January 06, 2014 6:13 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Can't run them how?

Nope, ypbind was stopped when those errors came up.

Can you confirm that nothing else is bound to the port?

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
That is right, I forgot about adding those options. So what I did was stop ypserv (since the IPA plugin functions should handle all incoming NIS requests, right?) and restart the dirsrv and rpcbind. I try running ypbind on both the server and client but it fails with the same error. I tried running ypcat from a client and it gives the following error:
No such map passwd.byname: Reason: Can't communicate with portmapper.
So I checked port 1023 (ns-slapd is running) and nothing else is using port 1023. I restarted dirsrv and rpcbind 2 times each and then it finally worked. I'm going to try to reboot the server at the earliest time possible to make sure the config sticks.

Thank you for the help guys and for helping me understand how the NIS module in IPA works.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, January 07, 2014 11:36 AM
To: Nalin Dahyabhai; Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Nalin Dahyabhai wrote:
On Tue, Jan 07, 2014 at 05:22:22AM -0500, Joseph, Matthew (EXP) wrote:
When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the documentation I read it doesn't mention anything about ypbind on the servers.

Any system on which you intend to run ypcat, ypmatch, or any of the NIS client commands should run ypbind, whether it's talking to a more traditional NIS server or an IPA server with its NIS service enabled.

I run ypcat w/o ypbind all the time for testing. You just need to specify the server and domain on the command-line:
$ ypcat -h `hostname` -d example.com passwd

rob
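The thread resolved once only one program held the NIS port and rpcbind was restarted so the portmapper advertised the plugin. A practitioner would want that state checkable before the next reboot rather than rediscovered by trial and error. The script below is an added example, not code from the thread or from FreeIPA: it takes the text of netstat -lpn and rpcinfo -p (captured by you, or the constructed samples embedded here, which mirror the netstat lines Matt posted) and reports whether the configured port is held by ns-slapd alone and whether rpcbind maps NIS program 100004 to it. The process names, PIDs and port 1023 are assumptions taken from the thread; 100004 is the standard RPC program number for ypserv.

```python
"""Sanity-check the NIS listener on an IPA server running the slapi-nis compat plugin.

Added example (not part of the mailing-list thread or of FreeIPA). It checks:
  1. exactly one program holds the NIS port configured in nsslapd-pluginarg0,
  2. that program is ns-slapd (the plugin), not a stray ypserv,
  3. rpcbind advertises NIS program 100004 on that same port, so ypbind/ypcat
     can find it through the portmapper ("Can't communicate with portmapper").
Process names, PIDs and port 1023 below are assumptions taken from the thread.
"""
import re
from dataclasses import dataclass

NIS_PROG = 100004  # standard RPC program number for ypserv (NIS v2)


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    port: int
    pid: int
    name: str    # program name as netstat -p reports it


def parse_netstat(text):
    """Return Listener records from `netstat -lpn` output (tcp/udp lines only)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        # tcp lines carry a State column, udp lines do not; PID/Program is always last
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        m = re.fullmatch(r"(\d+)/(\S+)", f[-1])
        if not m:                      # "-" when run without root: owner unknown
            continue
        port = int(f[3].rsplit(":", 1)[1])
        out.append(Listener(f[0].rstrip("6"), port, int(m.group(1)), m.group(2)))
    return out


def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) tuples from `rpcinfo -p`."""
    regs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit():
            regs.append((int(f[0]), int(f[1]), f[2], int(f[3]), f[4]))
    return regs


def check_nis(netstat_text, rpcinfo_text, nis_port, expected="ns-slapd"):
    """Return a list of problems; an empty list means the NIS plugin looks healthy."""
    problems = []
    owners = sorted({l.name for l in parse_netstat(netstat_text) if l.port == nis_port})
    if not owners:
        problems.append(f"nothing is listening on port {nis_port}")
    elif len(owners) > 1:
        problems.append(f"port {nis_port} is shared by {owners}")
    elif owners[0] != expected:
        problems.append(f"port {nis_port} is held by {owners[0]}, expected {expected}")
    regs = [r for r in parse_rpcinfo(rpcinfo_text) if r[0] == NIS_PROG]
    if not regs:
        problems.append(f"rpcbind has no registration for NIS program {NIS_PROG}")
    for _prog, _vers, proto, port, _svc in regs:
        if port != nis_port:
            problems.append(f"rpcbind maps {NIS_PROG}/{proto} to port {port}, not {nis_port}")
    return problems


# Constructed samples: the state Matt reported (ypserv bound to 1023) and the
# state after ypserv was stopped and dirsrv/rpcbind restarted.
NETSTAT_YPSERV = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2311/ns-slapd
tcp        0      0 0.0.0.0:1023            0.0.0.0:*               LISTEN      10465/ypserv
udp        0      0 0.0.0.0:1023            0.0.0.0:*                           10465/ypserv
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1187/rpcbind
"""
RPCINFO_YPSERV = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1023  ypserv
    100004    2   tcp   1023  ypserv
"""
NETSTAT_PLUGIN = NETSTAT_YPSERV.replace("10465/ypserv", "2311/ns-slapd")
RPCINFO_PLUGIN = RPCINFO_YPSERV  # rpcinfo names program 100004 "ypserv" whoever serves it


if __name__ == "__main__":
    for label, ns, rp in (("ypserv still running", NETSTAT_YPSERV, RPCINFO_YPSERV),
                          ("plugin only", NETSTAT_PLUGIN, RPCINFO_PLUGIN)):
        print(label, "->", check_nis(ns, rp, 1023) or "OK")
```

Run it as root on the IPA server with the real outputs (netstat -lpn and rpcinfo -p) substituted for the samples; the first sample reproduces the thread's failure and the second passes. Keep in mind that NIS has no client authentication: whatever the compat tree exposes is readable by any host that can reach that port, so restrict it at the firewall to the legacy clients that actually need it.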
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues
Hello, I can add the old UNIX servers using NIS to the secondary IPA server but not the primary. The servers can ping the primary with no issues. I didn't think the IPA servers could run ypcat? Either way neither of the servers can run the ypcat commands.

Nope, ypbind was stopped when those errors came up.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, January 02, 2014 2:58 PM
To: Joseph, Matthew (EXP); d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

Joseph, Matthew (EXP) wrote:
Hello, all of the IPA services are running. When I tried running the ipa-compat-manage enable and ipa-nis-manage enable they are both loaded and running.

On the IPA master you should be able to run something like:
$ ypcat -h `hostname` -d <your nis domain name> passwd
This will confirm basic operation on the server. If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain the 'address in use' error.

rob

The firewall is not the issue, I am positive about that. What do you mean by looking at the compat tree from the IPA server?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, January 02, 2014 12:13 PM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat issues

On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:
Hello, I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working. I've configured my IPA server to run in NIS compatibility mode by doing the following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service rpcbind restart
[root@server ~]# service dirsrv restart
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca server ipaservername.domainname.ca
I tried just running the broadcast option but with no luck. When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says Can't communicate with ypbind, which makes sense since ypbind will not start. On the NIS client in the messages file it says the following:
ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use
Nothing has changed on my IPA server/configuration so I have no idea why this stopped working. Any suggestions?

Please check if the IPA is running, the DS is running. Check the logs that the compat plugin is loaded and working. You can also try looking at the compat tree from the server itself to verify that the plugin, at least the DS part, is functional. This generally smells like a firewall issue but I have no way to prove or disprove the theory.

Matt

-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
[Freeipa-users] NIS Compat issues
Hello,

I've recently had to restart my IPA servers and my NIS compatibility mode has stopped working.

I've configured my IPA server to run in NIS compatibility mode by doing the following.

[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable

Restart the DNS and Directory Server service:

[root@server ~]# service restart rpcbind
[root@server ~]# service restart dirsrv

On my NIS clients I have the following setup in the yp.conf file.

domain domainname.ca server ipaservername.domainname.ca

I tried just running the broadcast option but with no luck.

When I try to do a service ypbind start on my NIS clients it takes a few minutes to finally fail. When I tried a yptest it says "Can't communicate with ypbind", which makes sense since ypbind will not start.

On the NIS client in the messages file it says the following;

Ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use

Nothing has changed on my IPA server/configuration so I have no idea why this stopped working.

Any suggestions?

Matt
[Freeipa-users] kinit admin password expired
Hello,

I seem to have run into an issue with our admin account on our FreeIPA server. Our password expired (I thought I disabled the password expiration for this account) and when I run kinit admin it prompts me for a new password. I type in the old password and then the new one two times, but then it states:

kinit: Password has expired while getting initial credentials

When I run kinit admin again the new password is actually set, but it tells me again that I need to change the password.

Luckily that is not our only admin account for FreeIPA, but can someone please explain what is happening here?

Thanks,
Matt
Re: [Freeipa-users] Automount issues
Anyone have any suggestions or run into this problem? I just don't see where my configuration is wrong.

I removed the / at the end of the mount and it mounts all of the directories, but it's still mounting them as /home/home/user1, /home/home/user2 and so on.

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, May 14, 2013 8:05 AM
To: freeipa-users@redhat.com
Subject: EXTERNAL: [Freeipa-users] Automount issues

Hello,

I'm currently having issues using automount from my clients. On my IPA Server and Replica there are no issues trying to mount, but when I do it from a client I get some weird results.

I have a mount point on a server that shows as the following in the IPA GUI.

-rw,soft nfs_server.domain.ca:/export/home/

Under auto.master here is the configuration for auto.home

Key: /home
Mount Information: auto.home

When I run automount -f -d on the client I see the following entry;

Lookup_mount: lookup(ldap): looking up home
Dev_ioctl_send_fail: token = 49
Failed to mount /home/home

I don't understand where it's getting the extra home entry from. It does that for every single one of my automounts, where it tries to duplicate the directory (ie: /program/program /export/export /share/share).

Like I said above, the automounts work perfectly on the IPA server and Replica.

Any ideas?

Thanks,
Matt
[Freeipa-users] Automount issues
Hello,

I'm currently having issues using automount from my clients. On my IPA Server and Replica there are no issues trying to mount, but when I do it from a client I get some weird results.

I have a mount point on a server that shows as the following in the IPA GUI.

-rw,soft nfs_server.domain.ca:/export/home/

Under auto.master here is the configuration for auto.home

Key: /home
Mount Information: auto.home

When I run automount -f -d on the client I see the following entry;

Lookup_mount: lookup(ldap): looking up home
Dev_ioctl_send_fail: token = 49
Failed to mount /home/home

I don't understand where it's getting the extra home entry from. It does that for every single one of my automounts, where it tries to duplicate the directory (ie: /program/program /export/export /share/share).

Like I said above, the automounts work perfectly on the IPA server and Replica.

Any ideas?

Thanks,
Matt
Re: [Freeipa-users] Syncing with AD
Hey James,

I configured my IPA server with winsync and I was in the same boat as you. The IPA user that is created for Active Directory does not require write access to AD. My IPA user only has read permissions to the domain and my passwords sync just fine. When I delete a user from IPA it does not delete it from AD.

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Hudson
Sent: Tuesday, May 14, 2013 10:13 AM
To: James A
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Syncing with AD

> Hello all,
>
> I have been playing with trying to set up synchronization between Windows AD -> IPA following the instructions at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>
> A few questions arise;
>
> 1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, under table 9.2) talks about options to the ipa-replica-manage connect command. Among others, --bindpw and --passsync. With --binddn we specify the full user DN of the synchronization identity (and its password with --bindpw) ... but I fail to understand which user's password should be used for --passsync?? Is it the same user?

The --passsync password is the password that you *will* use for the passsync user should you install the password synchronization package on your AD controllers. You are essentially setting this password preemptively.

> 2.) The documentation says that the synchronization identity (see also above) must exist in the AD domain and must have replicator, read, search and write permissions on the AD subtree. What I am trying to do is create a one way sync from AD -> IPA and I would really like to avoid using a user (for synching) that has write permissions (in the AD). All my tries in setting up synchronization fail unless I add the synch-user to the group Administrators. I have tried (and failed) using account admins etc. Any pointers here would be great. Sorry for my ignorance when it comes to Windows. I am sure I am missing something obvious.

Someone else can probably comment on this, but the IPA server will need to bind to the AD controller and pull the necessary information from the directory...which makes these rights a necessity.

> 3.) I follow the instructions under 9.4.5 (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) to set up uni-directional sync (only AD -> IPA), and yet, when I go to remove an account in IPA it gets removed also in the AD. (This I really want to avoid, thus the need for a read-only user to do the synchronization - see question 2).

I do not recall IPA ever removing users from AD. From what I remember, only certain attributes were bi-directional and deletes were not performed on AD. Has this changed?

> All in all I think the FreeIPA project is amazing and it really gives us in the Linux community something we haven't had before. If I can iron out the problems above I am sure it will become a great tool for me and my client.
>
> Any input would be most appreciated.
>
> Thanks
> //James.
Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD
Hey James,

Like I said the IPA user has read access at the domain level. He is also a member of the domain users group. I don't know why it's only working if you have him part of the administrator group. What does it say in the passsync log on the AD server?

I tried to do the uni-directional sync but it never worked for me the way it was intended and I just stumbled on giving the user only read access to the domain.

Matt

From: James A [mailto:ja...@atia.se]
Sent: Tuesday, May 14, 2013 10:42 AM
To: Joseph, Matthew (EXP)
Cc: Chris Hudson; freeipa-users@redhat.com
Subject: EXTERNAL: Re: Syncing with AD

On Tue, May 14, 2013 at 3:30 PM, Joseph, Matthew (EXP) <matthew.jos...@lmco.com> wrote:
> Hey James,
>
> I configured my IPA server with winsync and I was in the same boat as you. The IPA user that is created for Active Directory does not require write access to AD. My IPA user only has read permissions to the domain and my passwords sync just fine. When I delete a user from IPA it does not delete it from AD.

Thanks; good to know that there is a way to do this. I really don't see where I am going wrong. The user I use for synching will only work if I put it in the administrator group. And when I do, I have a two way synch - if I remove an account on the IPA server, it disappears also in the AD - even though I did: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync

Do you by any chance have the specifics (permissions, groups etc.) of your user (in the AD) you use for synch'ing?

thanks
/J

> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Hudson
> Sent: Tuesday, May 14, 2013 10:13 AM
> To: James A
> Cc: freeipa-users@redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Syncing with AD
>
>> Hello all,
>>
>> I have been playing with trying to set up synchronization between Windows AD -> IPA following the instructions at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>
>> A few questions arise;
>>
>> 1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, under table 9.2) talks about options to the ipa-replica-manage connect command. Among others, --bindpw and --passsync. With --binddn we specify the full user DN of the synchronization identity (and its password with --bindpw) ... but I fail to understand which user's password should be used for --passsync?? Is it the same user?
>
> The --passsync password is the password that you *will* use for the passsync user should you install the password synchronization package on your AD controllers. You are essentially setting this password preemptively.
>
>> 2.) The documentation says that the synchronization identity (see also above) must exist in the AD domain and must have replicator, read, search and write permissions on the AD subtree. What I am trying to do is create a one way sync from AD -> IPA and I would really like to avoid using a user (for synching) that has write permissions (in the AD). All my tries in setting up synchronization fail unless I add the synch-user to the group Administrators. I have tried (and failed) using account admins etc. Any pointers here would be great. Sorry for my ignorance when it comes to Windows. I am sure I am missing something obvious.
>
> Someone else can probably comment on this, but the IPA server will need to bind to the AD controller and pull the necessary information from the directory...which makes these rights a necessity.
>
>> 3.) I follow the instructions under 9.4.5 (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) to set up uni-directional sync (only AD -> IPA), and yet, when I go to remove an account in IPA it gets removed also in the AD. (This I really want to avoid, thus the need for a read-only user to do the synchronization - see question 2).
>
> I do not recall IPA ever removing users from AD. From what I remember, only certain attributes were bi-directional and deletes were not performed on AD. Has this changed?
>
>> All in all I think the FreeIPA project is amazing and it really gives us in the Linux community something we haven't had before. If I can iron out the problems above I am sure it will become a great tool for me and my client.
>>
>> Any input would be most appreciated.
>>
>> Thanks
>> //James.
Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD
Hey James,

One more thing, what are the values in the registry for your password sync application? The default option for the User Name Field was wrong. It was set to userid (or something similar to that) when it should have been uid. I don't think that's your problem but who knows what else might be wrong.

Also, is your IPA sync user in the same OU as your normal users?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Tuesday, May 14, 2013 10:50 AM
To: James A
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

Hey James,

Like I said the IPA user has read access at the domain level. He is also a member of the domain users group. I don't know why it's only working if you have him part of the administrator group. What does it say in the passsync log on the AD server?

I tried to do the uni-directional sync but it never worked for me the way it was intended and I just stumbled on giving the user only read access to the domain.

Matt

From: James A [mailto:ja...@atia.se]
Sent: Tuesday, May 14, 2013 10:42 AM
To: Joseph, Matthew (EXP)
Cc: Chris Hudson; freeipa-users@redhat.com
Subject: EXTERNAL: Re: Syncing with AD

On Tue, May 14, 2013 at 3:30 PM, Joseph, Matthew (EXP) <matthew.jos...@lmco.com> wrote:
> Hey James,
>
> I configured my IPA server with winsync and I was in the same boat as you. The IPA user that is created for Active Directory does not require write access to AD. My IPA user only has read permissions to the domain and my passwords sync just fine. When I delete a user from IPA it does not delete it from AD.

Thanks; good to know that there is a way to do this. I really don't see where I am going wrong. The user I use for synching will only work if I put it in the administrator group. And when I do, I have a two way synch - if I remove an account on the IPA server, it disappears also in the AD - even though I did: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync

Do you by any chance have the specifics (permissions, groups etc.) of your user (in the AD) you use for synch'ing?

thanks
/J

> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Hudson
> Sent: Tuesday, May 14, 2013 10:13 AM
> To: James A
> Cc: freeipa-users@redhat.com
> Subject: EXTERNAL: Re: [Freeipa-users] Syncing with AD
>
>> Hello all,
>>
>> I have been playing with trying to set up synchronization between Windows AD -> IPA following the instructions at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>
>> A few questions arise;
>>
>> 1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, under table 9.2) talks about options to the ipa-replica-manage connect command. Among others, --bindpw and --passsync. With --binddn we specify the full user DN of the synchronization identity (and its password with --bindpw) ... but I fail to understand which user's password should be used for --passsync?? Is it the same user?
>
> The --passsync password is the password that you *will* use for the passsync user should you install the password synchronization package on your AD controllers. You are essentially setting this password preemptively.
>
>> 2.) The documentation says that the synchronization identity (see also above) must exist in the AD domain and must have replicator, read, search and write permissions on the AD subtree. What I am trying to do is create a one way sync from AD -> IPA and I would really like to avoid using a user (for synching) that has write permissions (in the AD). All my tries in setting up synchronization fail unless I add the synch-user to the group Administrators. I have tried (and failed) using account admins etc. Any pointers here would be great. Sorry for my ignorance when it comes to Windows. I am sure I am missing something obvious.
>
> Someone else can probably comment on this, but the IPA server will need to bind to the AD controller and pull the necessary information from the directory...which makes these rights a necessity.
>
>> 3.) I follow the instructions under 9.4.5 (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) to set up uni-directional sync (only AD -> IPA), and yet, when I go to remove an account in IPA it gets removed also in the AD. (This I really want to avoid, thus the need for a read-only user to do the synchronization - see question 2).
>
> I do
Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD
On the AD server open up regedit (start -> run -> regedit) and go to HKEY_LOCAL_MACHINE -> Software -> PasswordSync and just copy and paste your parameters that are set. Remove any sensitive information of course.

In reference to the other email, the PasswordSync log is under C:\Program Files\Red Hat password Synchronization\ and there should be a file called passsync.log

If you open up Active Directory Users and Computers and right click on your Domain container (Domain.com) and go to Properties you should see a Security Tab. Find your IPA pass sync user and see what permissions he has. He should have Read (this also gives him access to Read Domain Password Lockout Policies and Read Other Domain Parameters).

Matt

From: James A [mailto:ja...@atia.se]
Sent: Tuesday, May 14, 2013 11:26 AM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: Syncing with AD

On Tue, May 14, 2013 at 3:56 PM, Joseph, Matthew (EXP) <matthew.jos...@lmco.com> wrote:
> Hey James,
>
> One more thing, what are the values in the registry for your password sync application? The default option for the User Name Field was wrong. It was set to userid (or something similar to that) when it should have been uid. I don't think that's your problem but who knows what else might be wrong.

uuuhh registry? I am not sure exactly what you mean by this? I need to change some registry setting on the AD server?

> Also, is your IPA sync user in the same OU as your normal users?

Yes ...

> Matt
>
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
> Sent: Tuesday, May 14, 2013 10:50 AM
> To: James A
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD
>
> Hey James,
>
> Like I said the IPA user has read access at the domain level. He is also a member of the domain users group. I don't know why it's only working if you have him part of the administrator group. What does it say in the passsync log on the AD server?
>
> I tried to do the uni-directional sync but it never worked for me the way it was intended and I just stumbled on giving the user only read access to the domain.
>
> Matt
>
> From: James A [mailto:ja...@atia.se]
> Sent: Tuesday, May 14, 2013 10:42 AM
> To: Joseph, Matthew (EXP)
> Cc: Chris Hudson; freeipa-users@redhat.com
> Subject: EXTERNAL: Re: Syncing with AD
>
> On Tue, May 14, 2013 at 3:30 PM, Joseph, Matthew (EXP) <matthew.jos...@lmco.com> wrote:
>> Hey James,
>>
>> I configured my IPA server with winsync and I was in the same boat as you. The IPA user that is created for Active Directory does not require write access to AD. My IPA user only has read permissions to the domain and my passwords sync just fine. When I delete a user from IPA it does not delete it from AD.
>
> Thanks; good to know that there is a way to do this. I really don't see where I am going wrong. The user I use for synching will only work if I put it in the administrator group. And when I do, I have a two way synch - if I remove an account on the IPA server, it disappears also in the AD - even though I did: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync
>
> Do you by any chance have the specifics (permissions, groups etc.) of your user (in the AD) you use for synch'ing?
>
> thanks
> /J
>
>> Matt
>>
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Hudson
>> Sent: Tuesday, May 14, 2013 10:13 AM
>> To: James A
>> Cc: freeipa-users@redhat.com
>> Subject: EXTERNAL: Re: [Freeipa-users] Syncing with AD
>>
>>> Hello all,
>>>
>>> I have been playing with trying to set up synchronization between Windows AD -> IPA following the instructions at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>>
>>> A few questions arise;
>>>
>>> 1.) The documentation (specifically on https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, under table 9.2) talks about options to the ipa-replica-manage connect command. Among others, --bindpw and --passsync. With --binddn we specify the full user DN of the synchronization identity (and its password with --bindpw) ... but I fail to understand which user's password should be used for --passsync?? Is it the same user?
>>
>> The --passsync password is the password that you *will* use for the passsync user should you install the password synchronization package on your AD controllers. You are essentially setting this password preemptively.
>>
>>> 2.) The documentation says
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

I tried recreating the replica information and doing the ipa-replica-install and it's still failing at trying to start the replication. I've also tried doing a force sync and it comes up with that generation ID error.

Matt

-----Original Message-----
From: Jatin Nansi [mailto:jna...@redhat.com]
Sent: Thursday, April 11, 2013 10:18 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/11/2013 08:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> Sorry, didn't read your full message and realize you wanted all of the information for it.
>
> The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

OK, then it was just the CA certificate that was missing; the MD5 hash information that I provided does not apply.

About:

Replica Data has a different generation ID than the local data

It's probably best if you reinitialize the replica. If the ipa-replica-install script never completed, you could try creating a new replica information file from the existing IPA server and redo the whole replica installation.
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Here is the output;

Server-Cert u,u,u

I am using nss-3-13.3-6

I am using the IPA CA.

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Joseph, Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.

To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Sorry, didn't read your full message and realize you wanted all of the information for it.

The Signature Algorithm is PKCS #1 SHA-256 with RSA Encryption.

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
Sent: Wednesday, April 10, 2013 9:36 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
> Hey,
>
> I'm still trying to figure out this error but I am getting nothing.
>
> Anyone have any suggestions or ideas on why this is failing?
>
> Matt
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Joseph, Matthew (EXP)
> *Sent:* Monday, April 08, 2013 12:30 PM
> *To:* Nathan Kinder
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> Hey,
>
> Yup, the client side says the following;
>
> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>
> Matt

Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.

To check if you are using MD5 certificate signatures, use this command to examine the certificates -

certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert

If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.

Are you using the IPA CA, or are you managing the CA independently of IPA?

--
Jatin Nansi
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Yes, you are correct. For some reason my IPA CA certs were missing. I've added them back onto both the Server and Client, so now I am back to getting the;

Replica Data has a different generation ID than the local data

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 11, 2013 10:13 AM
To: Joseph, Matthew (EXP); Jatin Nansi; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
> Hey,
>
> Here is the output;
>
> Server-Cert u,u,u
>
> I am using nss-3-13.3-6
>
> I am using the IPA CA.

The thing is, the IPA CA isn't there for some reason, on either side. You should also have something like

EXAMPLE.COM IPA CA Ct,C,C

You might check the working master with something like:

certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-REALM

That will validate the cert trust. I'd suspect it will fail. So you'd need to add the IPA CA.

certutil -A -n 'EXAMPLE.COM IPA CA' -d /etc/dirsrv/slapd-REALM -t CT,C,C -a -i /etc/ipa/ca.crt

This may address the symptom but how you ended up with the CA missing is baffling.

rob

> Matt
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jatin Nansi
> Sent: Wednesday, April 10, 2013 9:36 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>
> On 04/10/2013 09:55 PM, Joseph, Matthew (EXP) wrote:
>> Hey,
>>
>> I'm still trying to figure out this error but I am getting nothing.
>>
>> Anyone have any suggestions or ideas on why this is failing?
>>
>> Matt
>>
>> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Joseph, Matthew (EXP)
>> *Sent:* Monday, April 08, 2013 12:30 PM
>> *To:* Nathan Kinder
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
>>
>> Hey,
>>
>> Yup, the client side says the following;
>>
>> Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.
>>
>> Matt
>
> Check the version of the nss package on your IPA server. There was a change that went into nss-3.14 that disables support for certificate signatures using the MD5 hash algorithm.
>
> To check if you are using MD5 certificate signatures, use this command to examine the certificates -
>
> certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/ Server-Cert
>
> If this is the case, the workaround is to downgrade the nss package to version 3.13. The fix is to re-issue your certificates using the SHA256 hashes.
>
> Are you using the IPA CA, or are you managing the CA independently of IPA?
>
> --
> Jatin Nansi
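Rob's diagnosis above (a Server-Cert listed with u,u,u but no IPA CA carrying CA trust) can be checked mechanically rather than by reading the listing by eye. The following is an added example, not code from the thread or from FreeIPA: it parses what `certutil -L -d /etc/dirsrv/slapd-REALM` prints, reports a missing or untrusted CA, and builds the import command Rob gave; the two listings are constructed samples and the "IPA CA" nickname substring is an assumption about how the CA is named.

```python
"""Audit an NSS certificate database listing for the trust problem in the
thread: Server-Cert present, but no CA with CA trust to validate it.

Added example (not from the thread or FreeIPA). Input is the text printed
by `certutil -L -d <dbdir>`; the sample listings below are constructed.
"""
import re
import shlex
import subprocess
from dataclasses import dataclass

# A certutil trust string is three comma-separated fields (SSL, S/MIME,
# JAR/XPI), each built from the flag letters p P c C T u w, possibly empty.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Constructed sample: the state reported in the thread (no CA at all).
BROKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
"""

# Constructed sample: the state Rob said to expect (CA present, CT,C,C).
HEALTHY_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""


@dataclass
class CertEntry:
    nickname: str
    ssl: str      # trust flags for the SSL slot
    smime: str    # trust flags for the S/MIME slot
    jar: str      # trust flags for the JAR/XPI slot


def parse_certutil_listing(text):
    """Turn `certutil -L` output into CertEntry objects, skipping the header."""
    entries = []
    for line in text.splitlines():
        # Nicknames may contain spaces, so split once from the right: the last
        # token is the trust string, everything before it is the nickname.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header lines and blanks never end in a valid trust string
        ssl, smime, jar = parts[1].split(",")
        entries.append(CertEntry(parts[0].strip(), ssl, smime, jar))
    return entries


def audit(entries, ca_marker="IPA CA", server_nick="Server-Cert"):
    """Return a list of problems; an empty list means the database looks sane.

    ca_marker is a substring assumed to appear in the CA's nickname (the thread
    uses 'EXAMPLE.COM IPA CA'); certutil itself enforces no such convention.
    """
    problems = []
    cas = [e for e in entries if ca_marker in e.nickname]
    if not cas:
        problems.append(f"no certificate with '{ca_marker}' in its nickname: "
                        "the CA is missing from the database")
    for ca in cas:
        # 'C' in the SSL slot marks a trusted CA for server certificates;
        # without it the server's own chain cannot be validated.
        if "C" not in ca.ssl:
            problems.append(f"'{ca.nickname}' is present but lacks the C (trusted CA) "
                            f"flag for SSL: trust is {ca.ssl},{ca.smime},{ca.jar}")
    servers = [e for e in entries if e.nickname == server_nick]
    if not servers:
        problems.append(f"'{server_nick}' not found in the database")
    elif "u" not in servers[0].ssl:
        # 'u' means the private key is present; without it the cert cannot serve TLS.
        problems.append(f"'{server_nick}' has no private key (u flag) for SSL")
    return problems


def import_ca_command(nickname, dbdir, ca_file="/etc/ipa/ca.crt"):
    """Build, as an argv list, the remediation command Rob gave in the thread."""
    return ["certutil", "-A", "-n", nickname, "-d", dbdir,
            "-t", "CT,C,C", "-a", "-i", ca_file]


def audit_live_db(dbdir):
    """Run the same audit against a real database (requires certutil on PATH)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir], check=True,
                         capture_output=True, text=True).stdout
    return audit(parse_certutil_listing(out))


if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_LISTING), ("healthy", HEALTHY_LISTING)):
        problems = audit(parse_certutil_listing(listing))
        print(f"{label}: {'; '.join(problems) or 'OK'}")
    # Remediation for the broken case; slapd-REALM is a placeholder directory name.
    print(shlex.join(import_ca_command("EXAMPLE.COM IPA CA", "/etc/dirsrv/slapd-REALM")))
```

Running it prints the missing-CA finding for the first listing, OK for the second, and the certutil -A command to import /etc/ipa/ca.crt with CT,C,C trust.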
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
Hey,

I'm still trying to figure out this error but I am getting nothing. Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Monday, April 08, 2013 12:30 PM
To: Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Hey,

Yup, the client side says the following:

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-DOMAIN/access.

-NGK

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey Rob,

Here is the output from certutil -L -d /etc/dirsrv/slapd-DOMAIN-CA/

Server:
Server-Cert u,u,u

Client:
Server-Cert u,u,u

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 11:01 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
Hey Rob,

Yes I've tried to do that. Every time I try to run an ipa-replica-install I make sure I create a new replica file from the server.

Well, it is confusing because this worked once, when you got the error about replication ID.

I guess I'd use certutil to compare what /etc/dirsrv/slapd-REALM looks like on the replica vs the existing master. The error is related to SSL trust.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 10, 2013 10:47 AM
To: Joseph, Matthew (EXP); Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Joseph, Matthew (EXP) wrote:
Hey,

I'm still trying to figure out this error but I am getting nothing. Anyone have any suggestions or ideas on why this is failing?

Is there a chance you're using a replica file prepared from a different IPA installation? I'd probably go ahead and use ipa-replica-prepare to create a new file and try installing that.

rob

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Monday, April 08, 2013 12:30 PM
To: Nathan Kinder
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors

Hey,

Yup, the client side says the following:

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-DOMAIN/access.

-NGK

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error:

NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): Replica has a different generation ID than the local data.

This is probably just fallout from the replica initialization failure. If a replica is never initialized, it will get a generation ID mismatch error when the master contacts it.

Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status:-11 - System Error
Re: [Freeipa-users] EXTERNAL: Re: ipa-replica-install errors
Hey,

Yup, the client side says the following:

Op=-1 fd=64 closed - Peer does not recognize and trust the CA that issued your certificate.

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Monday, April 08, 2013 12:28 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/08/2013 07:16 AM, Joseph, Matthew (EXP) wrote:
Hey,

So on the IPA server under the access logs I am getting the following error.

Error: could not send startTLS request: Error -11 (connect error) errno 0 (success)

Any ideas?

Does the access log on the receiving side show a connection attempt from the master at the same time? The access log will be located at /var/log/dirsrv/slapd-DOMAIN/access.

-NGK

Matt

From: Nathan Kinder [mailto:nkin...@redhat.com]
Sent: Thursday, April 04, 2013 6:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] ipa-replica-install errors

On 04/04/2013 07:14 AM, Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to setup a replica server with ipa-2.2.0-16 on both the Server and the Replica Server.

Here are the steps I ran (From the Red Hat 6.3 IdM Administration Guide):

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

--

Below is the error I am getting when running ipa-replica-install:

Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
Hey Rob,

The passwd section of nsswitch.conf is the following:

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm having issues with trying to login to our NIS clients that are looking at IPA as a NIS Server. The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
My old NIS server we used shadow passwords. When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to IPA? Is there a better way to get around this?

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following:

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm having issues with trying to login to our NIS clients that are looking at IPA as a NIS Server. The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
It looks like I missed a step in setting up my IPA server for NIS compatibility.

[root@server ~]# ldapmodify -D cn=directory server -w secret -p 389 -h ipaserver.example.com
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: crypt

When I try to run that command I get the following error:

Ldap_bind: No Such Object (32)

I can manually add that to the dse.ldif right? If so where would it go?

Thanks,

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 8:14 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

My old NIS server we used shadow passwords. When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to IPA? Is there a better way to get around this?

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following:

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm having issues with trying to login to our NIS clients that are looking at IPA as a NIS Server. The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
Hey Rob,

The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.

These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.

What do you think the best course of action would be for my situation?

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 05, 2013 10:36 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
My old NIS server we used shadow passwords. When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to IPA? Is there a better way to get around this?

This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.

It is possible to add a shadow map, but it is unsecure and one of the primary reasons people don't use NIS much any more.

What kind of client are you configuring, and do you need it to be pure NIS?

rob

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following:

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm having issues with trying to login to our NIS clients that are looking at IPA as a NIS Server. The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
[Freeipa-users] Active Directory -- IPA Password Sync
Hello,

I imagine this is a common issue/question when trying to implement the password sync between AD and IPA.

We have two Windows 2003 domain controllers (for redundancy) so when a user issues a password change on the Windows side there is no primary domain controller that it will always use for password changes. So right now IPA is only getting 50% of the Password changes that are done through Windows due to password changes going through both domain controllers.

Looking through the documentation IPA will only allow a password sync agreement between 1 AD and 1 IPA server.

Is there a solution for this issue? How are people getting around this?

Thanks,

Matt
Re: [Freeipa-users] EXTERNAL: Re: Active Directory -- IPA Password Sync
Thank you very much for that. Works like a charm.

How does this work though? You setup the winsync agreement between your IPA Server and AD server using the hostname. How does IPA know that it can trust a second DC?

Matt

From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Friday, April 05, 2013 11:56 AM
To: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Active Directory -- IPA Password Sync

On 04/05/2013 10:52 AM, Joseph, Matthew (EXP) wrote:
Hello,

I imagine this is a common issue/question when trying to implement the password sync between AD and IPA.

We have two Windows 2003 domain controllers (for redundancy) so when a user issues a password change on the Windows side there is no primary domain controller that it will always use for password changes. So right now IPA is only getting 50% of the Password changes that are done through Windows due to password changes going through both domain controllers.

Looking through the documentation IPA will only allow a password sync agreement between 1 AD and 1 IPA server.

Is there a solution for this issue? How are people getting around this?

One winsync agreement but passsync should be installed on both DCs.

Thanks,

Matt

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
Hey Rob,

I was able to get NIS passwords working. I had a space at the end of dn: cn=config (stupid me).

Thanks for the help!

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 05, 2013 11:07 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hey Rob,

The NIS Clients that I am adding are Solaris 2.7, and Solaris 8. So I believe looking at the IPA document they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP.

These Servers aren't going to be around much longer (Probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA.

What do you think the best course of action would be for my situation?

You have two choices. You can try the instructions at http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for authentication. We haven't tested this for many moons but it should still work.

Or you can proceed and try to use crypt passwords which will be sent in the passwd entry.

The LDIF you provided should have worked fine, I'm not sure why it didn't, particularly the error it returned. If you do it on the IPA server you should just need:

ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode (ipa config-mod --enable-migration=true) and set the password when the user is added.

ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'

ypcat passwd should confirm that the password is visible.

We don't recommend this.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 05, 2013 10:36 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
My old NIS server we used shadow passwords. When I migrated my passwd nis file to IPA I'm assuming it also imported the part of the file that contains the x to point it towards a shadow file.

Would I need to remove the x from the nis passwd file and re-migrate it to IPA? Is there a better way to get around this?

This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available.

It is possible to add a shadow map, but it is unsecure and one of the primary reasons people don't use NIS much any more.

What kind of client are you configuring, and do you need it to be pure NIS?

rob

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,

The passwd section of nsswitch.conf is the following:

Passwd: files nis

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm having issues with trying to login to our NIS clients that are looking at IPA as a NIS Server. The NIS Client can view all of the usernames when I do a ypcat passwd but when I try to login with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues
Hey Rob,

I modified the command but now I am getting the following;

ldapmodify: wrong attributeType at line 4, entry cn=config

Looking at the command I don't see any entry in my dse.ldif for passwordStorageScheme. I'm assuming it should be a changetype: add instead of modify. But it's not complaining about that. It can't seem to find the dn: cn=config which is weird since I see it in the file.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 05, 2013 11:07 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hey Rob,
The NIS clients that I am adding are Solaris 2.7 and Solaris 8. So I believe, looking at the IPA document, they would need to be Solaris 9 or above for it to communicate with IPA natively using LDAP. These servers aren't going to be around much longer (probably another year at the most) so I am just looking for the quickest way possible to get them to communicate with IPA. What do you think the best course of action would be for my situation?

You have two choices. You can try the instructions at http://freeipa.org/page/ConfiguringUnixClients to configure LDAP for authentication. We haven't tested this for many moons but it should still work.

Or you can proceed and try to use crypt passwords which will be sent in the passwd entry.

The LDIF you provided should have worked fine, I'm not sure why it didn't, particularly the error it returned. If you do it on the IPA server you should just need:

ldapmodify -x -D 'cn=directory manager' -W
dn: ...

As for migrating existing passwords, you need to enable migration mode (ipa config-mod --enable-migration=true) and set the password when the user is added.

ipa user-add --first=Rob --last=Crittenden rcritten --setattr userPassword='{CRYPT}hash'

ypcat passwd should confirm that the password is visible.

We don't recommend this.

rob

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, April 05, 2013 10:36 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
On my old NIS server we used shadow passwords. When I migrated my passwd NIS file to IPA I'm assuming it also imported the part of the file that contains the x to point it towards a shadow file. Would I need to remove the x from the NIS passwd file and re-migrate it to IPA? Is there a better way to get around this?

This is why I asked what nsswitch.conf looked like. IPA does not provide the shadow map, so no passwords at all are available. It is possible to add a shadow map, but it is insecure and one of the primary reasons people don't use NIS much any more.

What kind of client are you configuring, and do you need it to be pure NIS?

rob

Matt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Joseph, Matthew (EXP)
Sent: Friday, April 05, 2013 6:40 AM
To: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] EXTERNAL: Re: NIS Compat Password Issues

Hey Rob,
The passwd section of nsswitch.conf is the following;
passwd: files nis
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, April 04, 2013 3:05 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] NIS Compat Password Issues

Joseph, Matthew (EXP) wrote:
Hello,
I'm having issues with trying to log in to our NIS clients that are looking at IPA as a NIS server. The NIS client can view all of the usernames when I do a ypcat passwd but when I try to log in with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server. Can someone point me in the right direction for this?

What does your nsswitch.conf look like? Note that IPA does not provide the shadow map (because it sends hashes in the clear).

rob
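Rob's point that IPA will not serve a shadow map because NIS sends hashes in the clear, and his note that "ypcat passwd" will show the password once it is placed in the passwd entry, can be checked from the client side. The following is an added example, not code from the thread or from the FreeIPA project: it parses "ypcat passwd" output in Python, lists the accounts whose hashes are exposed to every host that can reach ypserv (and which crypt(3) scheme they use), and lists the accounts that still carry the shadow placeholder "x", which is the state in which the NIS logins above fail because the client has nothing to compare the password against. The sample map is constructed for the example and the hashes in it are dummies, not real credentials.

```python
import re

# Password-field values that carry no hash: shadow placeholders or locked/no-password markers.
PLACEHOLDERS = {"x", "*", "!", "!!", "*NP*", "*LK*", "NP", ""}


def parse_passwd_map(text):
    """Parse 'ypcat passwd' output (passwd(5) format) into a list of dicts.
    Lines that do not have exactly seven fields are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def hash_scheme(pw):
    """Identify the crypt(3) scheme of a password field by its prefix."""
    if pw.startswith("$6$"):
        return "sha512-crypt"
    if pw.startswith("$5$"):
        return "sha256-crypt"
    if pw.startswith("$1$"):
        return "md5-crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "des-crypt"  # traditional DES crypt: 8-char password limit, cheap to brute-force
    return "unknown"


def exposure_report(text):
    """Names whose password field carries a hash, with the scheme: this is
    exactly what any host on the network gets with 'ypcat passwd' and can
    feed to an offline cracker."""
    return {e["name"]: hash_scheme(e["password"])
            for e in parse_passwd_map(text) if e["password"] not in PLACEHOLDERS}


def no_credential(text):
    """Names whose field is the shadow placeholder 'x': with no shadow map
    served, the NIS client cannot verify these users' passwords at all."""
    return [e["name"] for e in parse_passwd_map(text) if e["password"] == "x"]


# Constructed sample of 'ypcat passwd' output; the hashes are dummies.
SAMPLE_YPCAT_PASSWD = (
    "rcritten:$6$Yx1Qz9Lk$H2mQ9pL4uN8tK0wR1sV5yF6hG7jA2dC3eB4gH9iJ0kL1:1001:1001:Rob Crittenden:/home/rcritten:/bin/bash\n"
    "matt:x:1002:1002:Matt:/home/matt:/bin/bash\n"
    "legacy:abJnggxhB/yWI:1003:1003:Legacy Account:/home/legacy:/bin/sh\n"
    "svc:*:1004:1004:Service:/nonexistent:/sbin/nologin\n"
)

if __name__ == "__main__":
    for name, scheme in exposure_report(SAMPLE_YPCAT_PASSWD).items():
        print(f"EXPOSED  {name}: {scheme} hash readable by every NIS client")
    for name in no_credential(SAMPLE_YPCAT_PASSWD):
        print(f"NO-CRED  {name}: placeholder 'x', login via NIS cannot succeed")
```

Run it against real output with "ypcat passwd | python3 this_script.py" after replacing the constant with sys.stdin.read(); anything listed as EXPOSED is a hash you should assume an attacker on the same network already has.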
[Freeipa-users] ipa-replica-install errors
Hello,

I'm trying to set up a replica server with ipa-2.2.0-16 on both the Server and the Replica Server. Here are the steps I ran (from the Red Hat 6.3 IdM Administration Guide);

IPA_Server:
ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2
scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/

IPA_Replica:
ipa-replica-install --setup-ca --setup-dns /var/lib/ipa/replica-info-ipareplica.example.com.gpg

Below is the error I am getting when running ipa-replica-install;

Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'IPA_Server.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@domain.ca password:
Execute check on remote master
Check connection from master to remote replica 'IPA_Replica.domain.ca':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK
Connection from master to replica is OK.
Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server for the CA: Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
done configuring pkids.
Configuring certificate server: Estimated time 3 minutes 30 seconds
  [1/13]: creating certificate server user
  [2/13]: creating pki-ca instance
  [3/13]: configuring certificate server instance
  [4/13]: disabling nonces
  [5/13]: creating RA agent certificate database
  [6/13]: importing CA chain to RA certificate database
  [7/13]: fixing RA database permissions
  [8/13]: setting up signing cert profile
  [9/13]: set up CRL publishing
  [10/13]: set certificate subject base
  [11/13]: enabling Subject Key Identifier
  [12/13]: configuring certificate server to start on boot
  [13/13]: Configure HTTP to proxy connections
done configuring pki-cad.
Restarting the directory and certificate servers
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[IPA_Server.domain.ca] reports: Update failed! Status: [-11 - System error]
creation of replica failed: Failed to start replication

Also in the error log (/var/log/dirsrv/slapd-DOMAIN-CA/errors) is the following error;

NSMMReplicationPlugin - agmt=cn=metoIPA_Server.domain.ca (ipa_server:389): Replica has a different generation ID than the local data.

Any thoughts or ideas on this issue? Searching google I don't see anyone getting the Status: -11 - System Error.

Thanks,
Matt
[Freeipa-users] NIS Compat Password Issues
Hello,

I'm having issues with trying to log in to our NIS clients that are looking at IPA as a NIS server. The NIS client can view all of the usernames when I do a ypcat passwd but when I try to log in with a user account it will not accept the password. I've even tried setting it as simple as Password123 and still nothing. I don't see anything NIS related in the error logs on the IPA server.

Can someone point me in the right direction for this?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Hey Rob,

I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error;

Joining realm failed: HTTP response code is 401, not 200

On the server I looked at the krb5kdc.log to see if there were any errors and I'm getting the following;

IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, ad...@domain.ca for HTTP/ipa_ser...@domain.ca, Server not found in Kerberos Database

I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication.

Any ideas? Any other logs/information I can provide you?

Thanks,
Matt

-----Original Message-----
From: Joseph, Matthew (EXP)
Sent: Tuesday, April 02, 2013 3:01 PM
To: 'Rob Crittenden'; freeipa-users@redhat.com
Subject: RE: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Hey Rob,
I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good? Is this a known problem with just 2.0.0-23 or is it also previous versions?
Thanks,
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 02, 2013 2:58 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Joseph, Matthew (EXP) wrote:
Hey,
I'm trying to add a client to IPA and I'm getting the following error;
Joining realm failed because of failing XML-RPC request
This error may be caused by incompatible server/client major versions.
Client is running Red Hat 6.1 with the following IPA and curl packages installed;
ipa-*-2.0.0-23
curl-7.19.7-26
libcurl-7.19.7-26
Server is running Red Hat 6.3 with the following IPA and curl packages installed;
ipa-*-2.2.0-16
curl-7.19.7-26
libcurl-7.19.7-26
From what I've seen from other people, the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my curl but will that affect anything major?
Thanks,
Matt

Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation.

rob
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Awesome, that was the issue Rob. Thanks!

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 03, 2013 10:14 AM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Joseph, Matthew (EXP) wrote:
Hey Rob,
I updated my client's ipa, libcurl, and xmlrpc to what the server is using that I listed below. I am now getting the following error;
Joining realm failed: HTTP response code is 401, not 200
On the server I looked at the krb5kdc.log to see if there were any errors and I'm getting the following;
IPA_Server.domain.ca krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) IP_ADDRESS_OF_CLIENT: UNKNOWN_SERVER: authtime 0, ad...@domain.ca for HTTP/ipa_ser...@domain.ca, Server not found in Kerberos Database
I've checked on the server side and the client I'm trying to add is in DNS and the host table. He can ping him fine so there is no issue with communication.
Any ideas? Any other logs/information I can provide you?

It may be your obfuscation, but is it a FQDN in the HTTP service principal? It should be. If you're using /etc/hosts be sure that the FQDN version is first (so foo.example.com foo rather than foo foo.example.com).

rob
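Rob's diagnosis above, that the client asked the KDC for HTTP/<short name>@REALM because the short name came first in /etc/hosts, can be checked mechanically before running ipa-client-install again. The following is an added example, my own code rather than anything from the FreeIPA client: it parses a krb5kdc.log TGS_REQ line, checks whether the host part of the requested service principal is fully qualified, and scans an /etc/hosts file for entries whose canonical (first) name is short while an FQDN is only listed as an alias. The log line and hosts entries are constructed for the example, with made-up host names, addresses and realm shaped like the ones quoted in the thread.

```python
import re

# krb5kdc.log TGS_REQ line: "... <client-ip>: <STATUS>: authtime N, <client> for <server>, <message>"
KDC_TGS_RE = re.compile(
    r"TGS_REQ .*?: (?P<status>[A-Z_]+): authtime \d+, "
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+), (?P<message>.*)$"
)


def parse_kdc_tgs_line(line):
    """Return status, client principal, requested server principal and message
    from a krb5kdc.log TGS_REQ line, or None if the line is not one."""
    m = KDC_TGS_RE.search(line)
    return m.groupdict() if m else None


def service_host_is_fqdn(principal):
    """True if the host part of service/host@REALM contains a dot. IPA registers
    HTTP/<fqdn>@REALM only, so a request for HTTP/<shortname>@REALM gets
    UNKNOWN_SERVER and the join is answered with HTTP 401."""
    service, _, _realm = principal.partition("@")
    _, _, host = service.partition("/")
    return "." in host


def parse_hosts(hosts_text):
    """Map each address in /etc/hosts text to (canonical name, [aliases])."""
    table = {}
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        table[parts[0]] = (parts[1], parts[2:])
    return table


def hosts_file_problems(hosts_text):
    """Flag entries whose canonical name is short while an FQDN sits among the
    aliases: canonicalisation then yields the short name and the client asks
    the KDC for the wrong service principal."""
    problems = []
    for addr, (canonical, aliases) in parse_hosts(hosts_text).items():
        if "." not in canonical:
            fqdn = next((a for a in aliases if "." in a), None)
            if fqdn:
                problems.append(f"{addr}: canonical name {canonical!r} is not an FQDN; put {fqdn!r} first")
    return problems


def diagnose_join_failure(kdc_line, hosts_text):
    """Combine both checks the way the thread was resolved."""
    findings = []
    rec = parse_kdc_tgs_line(kdc_line)
    if rec and rec["status"] == "UNKNOWN_SERVER" and not service_host_is_fqdn(rec["server"]):
        findings.append(f"KDC was asked for {rec['server']}, whose host part is not fully qualified")
    findings.extend(hosts_file_problems(hosts_text))
    return findings


# Constructed samples: a KDC line in the shape quoted in the thread, and an
# /etc/hosts entry in the wrong and in the right order.
KDC_LOG_LINE = ("ipaserver.example.com krb5kdc[2029](info): TGS_REQ (4 etypes {18 17 16 23}) "
                "192.0.2.10: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for "
                "HTTP/ipaserver@EXAMPLE.COM, Server not found in Kerberos Database")
BAD_HOSTS = "127.0.0.1 localhost\n192.0.2.5 ipaserver ipaserver.example.com\n"
GOOD_HOSTS = "127.0.0.1 localhost\n192.0.2.5 ipaserver.example.com ipaserver\n"

if __name__ == "__main__":
    for finding in diagnose_join_failure(KDC_LOG_LINE, BAD_HOSTS):
        print("PROBLEM:", finding)
    print("after fixing /etc/hosts:", diagnose_join_failure(KDC_LOG_LINE, GOOD_HOSTS))
```

On a real system, feed it the last UNKNOWN_SERVER line from /var/log/krb5kdc.log on the server and the contents of /etc/hosts from the client; DNS forward and reverse records should resolve to the same FQDN as well, which this script does not check.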
[Freeipa-users] Client Installation Error
Hey,

I'm trying to add a client to IPA and I'm getting the following error;

Joining realm failed because of failing XML-RPC request
This error may be caused by incompatible server/client major versions.

Client is running Red Hat 6.1 with the following IPA and curl packages installed;
ipa-*-2.0.0-23
curl-7.19.7-26
libcurl-7.19.7-26

Server is running Red Hat 6.3 with the following IPA and curl packages installed;
ipa-*-2.2.0-16
curl-7.19.7-26
libcurl-7.19.7-26

From what I've seen from other people, the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my curl but will that affect anything major?

Thanks,
Matt
Re: [Freeipa-users] EXTERNAL: Re: Client Installation Error
Hey Rob,

I'm running 2.0.0-23.el6.x86-64. So if I upgrade to the version you listed below then I should be all good? Is this a known problem with just 2.0.0-23 or is it also previous versions?

Thanks,
Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 02, 2013 2:58 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Client Installation Error

Joseph, Matthew (EXP) wrote:
Hey,
I'm trying to add a client to IPA and I'm getting the following error;
Joining realm failed because of failing XML-RPC request
This error may be caused by incompatible server/client major versions.
Client is running Red Hat 6.1 with the following IPA and curl packages installed;
ipa-*-2.0.0-23
curl-7.19.7-26
libcurl-7.19.7-26
Server is running Red Hat 6.3 with the following IPA and curl packages installed;
ipa-*-2.2.0-16
curl-7.19.7-26
libcurl-7.19.7-26
From what I've seen from other people, the issue is with libcurl blocking GSSAPI requests. Is that still the case? If so what are my options here to get around this problem? I assume I can downgrade my curl but will that affect anything major?
Thanks,
Matt

Exactly what version of ipa-client do you have installed? You need 2.0.0-23.el6_1.2 to fix ticket delegation.

rob
[Freeipa-users] IPA - NIS Compatability
Hello,

I'm trying to point a Solaris 10 server to use IPA as its NIS server. The Solaris 10 server has no issues communicating with IPA but it can only see a few maps (users, groups). Looking at the documentation it says you can add entries so I tried to for hosts but I can't get ypcat hosts to bring up the hosts table.

Here is the entry that is in dse.ldif:

Dn= nis-domain=domain.ca+nis-map=hosts.byname,CN=NIS Server,cn=plugin,cn=config
objectClass: top
objectClass: extensibleObject
nis-map: hosts.byname
nis=base: cn=computers,cn=accounts,dc=domain,dc=ca
nis-domain: domain.ca
nis-secure: no
creatorsName: cn=directory manager
modifiersName: cn=directory manager

So when I run ypcat hosts it just brings up a blank entry so it is actually seeing that a table should be there.

Any ideas?

Matt
Re: [Freeipa-users] EXTERNAL: Re: IPA - NIS Compatability
Hey Nalin,

Sorry, typo on my part. It does say nis-base.

-----Original Message-----
From: Nalin Dahyabhai [mailto:na...@redhat.com]
Sent: Wednesday, March 27, 2013 12:57 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] IPA - NIS Compatability

On Wed, Mar 27, 2013 at 11:07:44AM -0400, Joseph, Matthew (EXP) wrote:
Here is the entry that is in dse.ldif:
Dn= nis-domain=domain.ca+nis-map=hosts.byname,CN=NIS Server,cn=plugin,cn=config
objectClass: top
objectClass: extensibleObject
nis-map: hosts.byname
nis=base: cn=computers,cn=accounts,dc=domain,dc=ca
nis-domain: domain.ca
nis-secure: no
creatorsName: cn=directory manager
modifiersName: cn=directory manager
So when I run ypcat hosts it just brings up a blank entry so it is actually seeing that a table should be there.
Any ideas?

Looks like you've got a typo: nis=base where nis-base was intended.

HTH,
Nalin
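Both of the NIS threads above were settled by a one-character LDIF slip that ldapmodify reports only obliquely: a trailing space after "dn: cn=config" in the passwordStorageScheme change, and "nis=base" typed for "nis-base" in the NIS plugin map entry. The following is an added example, my own code rather than anything from the FreeIPA project or the posters: a small LDIF linter in Python that checks every attribute name against the RFC 2849 attribute-description syntax and flags trailing whitespace on values, so both mistakes are caught before the file reaches ldapmodify. The two sample LDIF strings are constructed to reproduce the mistakes; the "passwordStorageScheme: CRYPT" value and the "cn=plugins,cn=config" container are assumptions, not quoted from the thread.

```python
import re

# RFC 2849 attribute description: a keystring (letter, then letters/digits/hyphens)
# or a dotted numeric OID, optionally followed by ;option parts. "nis=base" fails this.
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")


def lint_ldif(text):
    """Return a list of (line_number, message) for attrval lines whose attribute
    name is malformed or whose value carries trailing whitespace. Folded
    continuation lines, comments, blank lines and the '-' separator are skipped."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#") or raw.startswith(" ") or raw == "-":
            continue
        if ":" not in raw:
            issues.append((lineno, "no ':' separator; not an attrval line"))
            continue
        name, value = raw.split(":", 1)
        if not ATTR_RE.match(name):
            issues.append((lineno, f"invalid attribute name {name!r}"))
        if value != value.rstrip():
            issues.append((lineno, f"trailing whitespace after {name} value {value.strip()!r}"))
    return issues


# Constructed sample 1: the cn=config change with the trailing space that broke
# the ldapmodify above. The CRYPT value is an assumption.
CONFIG_LDIF_WITH_TRAILING_SPACE = (
    "dn: cn=config \n"
    "changetype: modify\n"
    "replace: passwordStorageScheme\n"
    "passwordStorageScheme: CRYPT\n"
)

# Constructed sample 2: the NIS plugin map entry with '=' where '-' was meant.
NIS_MAP_LDIF_WITH_TYPO = (
    "dn: nis-domain=domain.ca+nis-map=hosts.byname,cn=NIS Server,cn=plugins,cn=config\n"
    "objectClass: top\n"
    "objectClass: extensibleObject\n"
    "nis-map: hosts.byname\n"
    "nis=base: cn=computers,cn=accounts,dc=domain,dc=ca\n"
    "nis-domain: domain.ca\n"
    "nis-secure: no\n"
)

if __name__ == "__main__":
    for label, ldif in (("config", CONFIG_LDIF_WITH_TRAILING_SPACE), ("nis map", NIS_MAP_LDIF_WITH_TYPO)):
        for lineno, msg in lint_ldif(ldif) or [(0, "clean")]:
            print(f"{label}: line {lineno}: {msg}")
```

Run it as "python3 lint_ldif.py < change.ldif" after replacing the constants with sys.stdin.read(); a clean file returns an empty list, which is the only case in which handing the file to ldapmodify is worth the bind.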
Re: [Freeipa-users] EXTERNAL: Re: Winsync Issues
Hey Rich,

I found out the issue. Thank you for pointing me in the right direction. The user I am using for Password Sync has a login name of idmpasssync but the display name was IDM Password Sync. I changed the display name to idmpasssync and I was able to do the ldapsearch. I just ran the ipa-replica-manage command and was able to make a connection.

Thanks again,
Matt

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 5:00 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 01:45 PM, Joseph, Matthew (EXP) wrote:
Hey Rich,
I've changed the password multiple times now and it's still not accepting the password. I've even set it as simple as password. I forgot to mention in my initial post that my domain looks more like this: domain1.domain2.ca. So my command looks like cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca. That shouldn't make a difference, should it?

As long as that is the DN you are using with ldapsearch -D, and the same as the DN you are passing to ipa-replica-manage, that should be fine.

Let's take a step back. Do you know the windows admin password? If so, try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=administrator,cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca -w 'admin password' -s base -b cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 4:31 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 01:26 PM, Joseph, Matthew (EXP) wrote:
Hey Rich,
Tried the command you listed below and it says ldap_bind: Invalid Credentials (49)

This means you have the wrong password.

If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back the results of the LDAP search.

This means it is doing an anonymous search, which AD allows.

Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=idmpasssync,cn=users,dc=domain,dc=ca -w 'WindowsIDMPassSyncPW' -s base -b cn=users,dc=domain,dc=ca

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 4:12 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:
Hello,
I'm currently in the process of installing/configuring IPA 2.2.0-16 on a Red Hat 6.4 server and I'm running into some issues trying to get IPA to replicate to a Windows 2003 SP2 DC. Here are the steps I took (I used the Red Hat Identity Management Guide)
1) Create idmpasssync user under AD and give him the permissions requested
2) Download IPA cert from web gui
3) Installed IPA cert under Trusted Root Certification Authorities
4) Exported Windows cert to Red Hat server
5) Copied both IPA and Windows certs to /etc/openldap/cacerts
6) Run the following command
a. ipa-replica-manage connect --winsync --binddn cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert /etc/openldap/cacerts/windows.cer adserver.domain.ca -v
7) After running that command I get the following error;
a. Added CA Certificate /etc/openldap/cacerts/windows.cer to certificate database for IPAserver.domain.ca
ipa: INFO: Failed to connect to AD server adserver.domain.ca
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid Credentials'}
Failed to setup winsync replication
I checked the IPA logs and it says the same thing as above, no new information. I know I entered the password correctly and I even changed it on the Active Directory side just to make sure. Can anyone see what I am doing wrong on this configuration?

Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=idmpasssync,cn=users,dc=domain,dc=ca -w 'WindowsIDMPassSyncPW' -s base -b

Matt
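The "data 525" sub-code in the AcceptSecurityContext error above is what AD returns when the bind DN names no object at all, which is exactly what happened here: in AD the cn= RDN of a user is the object's name (the display name "IDM Password Sync"), not the logon name idmpasssync, so "cn=idmpasssync,cn=users,..." did not exist. The following is an added example, not code from the thread or from FreeIPA: it pulls the sub-code out of the error string as ipa-replica-manage logs it and maps it to the documented Windows logon error, so a bad DN is told apart from a bad password or a locked account, and it builds the bind DN from a display name with RFC 4514 escaping so that names containing commas or leading/trailing spaces do not produce a malformed DN. The logged error string is the one quoted in the thread; the container DN and the other names are constructed.

```python
import re

# Sub-codes AD appends to "AcceptSecurityContext error, data NNN" when a simple
# bind fails. They are Windows system error codes in hex (0x525 = 1317 =
# ERROR_NO_SUCH_USER). The LDAP result code is 49 (invalidCredentials) in every
# case, so only this sub-code distinguishes "no such DN" from "wrong password".
AD_BIND_DATA_CODES = {
    "525": "user not found: the bind DN does not name an existing object",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def decode_ad_bind_error(logged):
    """Extract and explain the AD sub-code from an error string such as the
    'ipa: INFO: The error was: {...}' line. Returns (code, explanation), or
    None when the string carries no AD sub-code (e.g. plain ldapsearch output)."""
    m = DATA_RE.search(logged)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unrecognised sub-code")


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so it can be spliced into a DN:
    backslash before , + " \\ < > ;, before a leading #, and before a leading
    or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ad_user_dn(object_name, container):
    """Build the DN AD actually uses for a user: cn=<object name>,<container>.
    The object name is the display name chosen at creation; the logon name
    (sAMAccountName) never appears in the DN."""
    return f"cn={escape_rdn_value(object_name)},{container}"


# The error exactly as quoted in the thread, plus a constructed container DN.
LOGGED_ERROR = ("ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C090334, "
                "comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid Credentials'}")
USERS_CONTAINER = "cn=users,dc=domain1,dc=domain2,dc=ca"  # constructed to match the thread's shape

if __name__ == "__main__":
    code, meaning = decode_ad_bind_error(LOGGED_ERROR)
    print(f"data {code}: {meaning}")
    print("DN that would have matched the AD object:", ad_user_dn("IDM Password Sync", USERS_CONTAINER))
```

When the decoder says 525, the fix is to bind with the DN AD holds for the object (or rename the object so that display name and logon name agree, as Matt did); when it says 52e, the DN is right and the password or the account itself is the problem. The same sub-codes appear in the output of ldapsearch -d 1 against AD, so the function works on that too.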
[Freeipa-users] Winsync Issues
Hello,

I'm currently in the process of installing/configuring IPA 2.2.0-16 on a Red Hat 6.4 server and I'm running into some issues trying to get IPA to replicate to a Windows 2003 SP2 DC. Here are the steps I took (I used the Red Hat Identity Management Guide)

1) Create idmpasssync user under AD and give him the permissions requested
2) Download IPA cert from web gui
3) Installed IPA cert under Trusted Root Certification Authorities
4) Exported Windows cert to Red Hat server
5) Copied both IPA and Windows certs to /etc/openldap/cacerts
6) Run the following command
a. ipa-replica-manage connect --winsync --binddn cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert /etc/openldap/cacerts/windows.cer adserver.domain.ca -v
7) After running that command I get the following error;
a. Added CA Certificate /etc/openldap/cacerts/windows.cer to certificate database for IPAserver.domain.ca
ipa: INFO: Failed to connect to AD server adserver.domain.ca
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid Credentials'}
Failed to setup winsync replication

I checked the IPA logs and it says the same thing as above, no new information. I know I entered the password correctly and I even changed it on the Active Directory side just to make sure.

Can anyone see what I am doing wrong on this configuration?

Matt
Re: [Freeipa-users] EXTERNAL: Re: Winsync Issues
Hey Rich,

Tried the command you listed below and it says ldap_bind: Invalid Credentials (49)

If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back the results of the LDAP search.

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 4:12 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:
Hello,
I'm currently in the process of installing/configuring IPA 2.2.0-16 on a Red Hat 6.4 server and I'm running into some issues trying to get IPA to replicate to a Windows 2003 SP2 DC. Here are the steps I took (I used the Red Hat Identity Management Guide)
1) Create idmpasssync user under AD and give him the permissions requested
2) Download IPA cert from web gui
3) Installed IPA cert under Trusted Root Certification Authorities
4) Exported Windows cert to Red Hat server
5) Copied both IPA and Windows certs to /etc/openldap/cacerts
6) Run the following command
a. ipa-replica-manage connect --winsync --binddn cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert /etc/openldap/cacerts/windows.cer adserver.domain.ca -v
7) After running that command I get the following error;
a. Added CA Certificate /etc/openldap/cacerts/windows.cer to certificate database for IPAserver.domain.ca
ipa: INFO: Failed to connect to AD server adserver.domain.ca
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid Credentials'}
Failed to setup winsync replication
I checked the IPA logs and it says the same thing as above, no new information. I know I entered the password correctly and I even changed it on the Active Directory side just to make sure. Can anyone see what I am doing wrong on this configuration?

Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=idmpasssync,cn=users,dc=domain,dc=ca -w 'WindowsIDMPassSyncPW' -s base -b

Matt
Re: [Freeipa-users] EXTERNAL: Re: Winsync Issues
Hey Rich,

I've changed the password multiple times now and it's still not accepting the password. I've even set it as simple as password.

I forgot to mention in my initial post that my domain looks more like this: domain1.domain2.ca. So my command looks like cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca. That shouldn't make a difference, should it?

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 4:31 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 01:26 PM, Joseph, Matthew (EXP) wrote:
Hey Rich,
Tried the command you listed below and it says ldap_bind: Invalid Credentials (49)

This means you have the wrong password.

If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back the results of the LDAP search.

This means it is doing an anonymous search, which AD allows.

Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=idmpasssync,cn=users,dc=domain,dc=ca -w 'WindowsIDMPassSyncPW' -s base -b cn=users,dc=domain,dc=ca

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 21, 2013 4:12 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Winsync Issues

On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:
Hello,
I'm currently in the process of installing/configuring IPA 2.2.0-16 on a Red Hat 6.4 server and I'm running into some issues trying to get IPA to replicate to a Windows 2003 SP2 DC. Here are the steps I took (I used the Red Hat Identity Management Guide)
1) Create idmpasssync user under AD and give him the permissions requested
2) Download IPA cert from web gui
3) Installed IPA cert under Trusted Root Certification Authorities
4) Exported Windows cert to Red Hat server
5) Copied both IPA and Windows certs to /etc/openldap/cacerts
6) Run the following command
a. ipa-replica-manage connect --winsync --binddn cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert /etc/openldap/cacerts/windows.cer adserver.domain.ca -v
7) After running that command I get the following error;
a. Added CA Certificate /etc/openldap/cacerts/windows.cer to certificate database for IPAserver.domain.ca
ipa: INFO: Failed to connect to AD server adserver.domain.ca
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid Credentials'}
Failed to setup winsync replication
I checked the IPA logs and it says the same thing as above, no new information. I know I entered the password correctly and I even changed it on the Active Directory side just to make sure. Can anyone see what I am doing wrong on this configuration?

Try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca -D cn=idmpasssync,cn=users,dc=domain,dc=ca -w 'WindowsIDMPassSyncPW' -s base -b

Matt
Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hey,

So if I remove the IPA Password Sync user from the Account Operators and then delete a user from IPA it won't replicate to Active Directory. When I create a user on the Active Directory side it will replicate it to IPA.

So I started testing out the password sync to see if that will work but I am not having any luck with it (even when our password sync user on the windows side is added to Account Operators). I think I know the issue but I am having trouble finding out the back end of the IPA directory structure. In the /var/log/dirsrv/slapd/errors file the last few lines say the following.

ipalockout_preop - [file ipa_lockout.c, line 527] Failed to retrieve entry uid=passsyncuser,cn=sysaccounts,cn=etc,dc=ad,dc=ca : 32

From looking at that I assume the passsync user I created on the IPA side does not live under the sysaccounts CN. So I guess what I'm looking for is the backend structure of how the users are set up. Does his entry in the backend of IPA actually look like this;

uid=passsyncuser,cn=users,dc=ipadomain,dc=ca

Thanks,
Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
Joseph, Matthew (EXP) wrote:
Hello,
I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works but when I delete a user from IPA it will then delete the user in Active Directory. Is my command listed below correct? Anyone able to help?
Parameters:
Server = rhserver
Domain = redhat.ca
Password = 12345678
Contents of /tmp/unisync;
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows
So I enter the following command;
ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync

There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

rob
[Freeipa-users] OneWaySync Issues
Hello,

I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works but when I delete a user from IPA it will then delete the user in Active Directory. Is my command listed below correct? Anyone able to help?

Parameters:
Server = rhserver
Domain = redhat.ca
Password = 12345678

Contents of /tmp/unisync;

dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows

So I enter the following command;

ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync

Thanks,
Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hey Rob,

According to the Red Hat Identity Management documentation provided by Red Hat it says to do it with the ldapmodify command. They don't mention any options during the replication/sync agreement process about uni-directional sync.

Matt

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Tuesday, January 22, 2013 3:04 PM
To: Rob Crittenden
Cc: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

On 01/22/2013 11:46 AM, Rob Crittenden wrote:
Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works but when I delete a user from IPA it will then delete the user in Active Directory.

Is my command listed below correct? Anyone able to help?

Parameters:
Server = rhserver
Domain = redhat.ca
Password = 12345678

Contents of /tmp/unisync:

dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows

So I enter the following command:

*ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync*

There should be no space in oneWaySync, it should be fromWindows.

I thought the oneWaySync attribute was in the replication/sync agreement entry, not in the ipa-winsync plugin config entry?

rob
Re: [Freeipa-users] EXTERNAL: Re: OneWaySync Issues
Hello Rob,

Sorry, typo on my part. The command I put in is actually fromWindows.

Matt

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, January 22, 2013 2:47 PM
To: Joseph, Matthew (EXP)
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] OneWaySync Issues

Joseph, Matthew (EXP) wrote:
Hello,

I'm trying to configure the oneWaySync option for IPA so only the Windows AD can replicate changes to IPA. When I use the command that I listed below it says it works but when I delete a user from IPA it will then delete the user in Active Directory.

Is my command listed below correct? Anyone able to help?

Parameters:
Server = rhserver
Domain = redhat.ca
Password = 12345678

Contents of /tmp/unisync:

dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: oneWaySync
oneWaySync: From Windows

So I enter the following command:

*ldapmodify -x -D dc=redhat,dc=ca -w 12345678 -h rhserver.redhat.ca -f /tmp/unisync*

There should be no space in oneWaySync, it should be fromWindows.

rob
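An offline sanity check for the oneWaySync change discussed in this thread, added here as an example and not code from FreeIPA or 389-ds. It flags the two points raised in the replies (the value must be exactly fromWindows, and the attribute lives on the sync agreement entry under cn=mapping tree,cn=config rather than on the ipa-winsync plugin entry); the agreement name ad-sync and the suffix in the corrected record are assumed placeholders.

```python
# Added example for this thread, not FreeIPA or 389-ds code. It checks an LDIF
# change meant to make a Windows sync agreement one-way before ldapmodify runs,
# catching both problems raised in the replies: a value with a space ("From
# Windows" instead of "fromWindows") and a change aimed at the ipa-winsync
# plugin entry instead of the sync agreement entry under cn=mapping tree.
VALID_VALUES = {"fromWindows", "toWindows"}
PLUGIN_DN = "cn=ipa-winsync,cn=plugins,cn=config"

def parse_modify_ldif(text):
    """Minimal parser for one modify record (no base64 or folded lines)."""
    rec = {"dn": "", "changetype": "", "mods": []}
    cur = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr in ("dn", "changetype"):
            rec[attr] = value
        elif attr in ("add", "replace", "delete"):
            cur = {"op": attr, "attr": value, "values": []}
            rec["mods"].append(cur)
        elif cur and attr == cur["attr"].lower():
            cur["values"].append(value)
    return rec

def check_onewaysync_change(text):
    """Return the list of problems found; an empty list means it looks right."""
    rec = parse_modify_ldif(text)
    problems = []
    dn = rec["dn"].replace(" ", "").lower()   # normalise for comparison only
    if dn == PLUGIN_DN:
        problems.append("oneWaySync belongs on the sync agreement entry under cn=mapping tree,cn=config, not the plugin entry " + PLUGIN_DN)
    elif not dn.endswith("cn=mappingtree,cn=config"):
        problems.append("target DN is not under cn=mapping tree,cn=config: " + rec["dn"])
    mods = [m for m in rec["mods"] if m["attr"].lower() == "onewaysync"]
    if not mods:
        problems.append("no oneWaySync modification in the record")
    for value in (v for m in mods for v in m["values"]):
        if value not in VALID_VALUES:   # exact, case-sensitive, no whitespace
            hint = " (did you mean 'fromWindows'?)" if value.replace(" ", "").lower() == "fromwindows" else ""
            problems.append("invalid oneWaySync value %r%s" % (value, hint))
    return problems

# Constructed inputs: the change as posted in the thread, and a corrected one
# whose agreement name (ad-sync) and suffix are placeholders for a real setup.
POSTED_LDIF = "dn: cn=ipa-winsync,cn=plugins,cn=config\nchangetype: modify\nreplace: oneWaySync\noneWaySync: From Windows\n"
FIXED_LDIF = ('dn: cn=ad-sync,cn=replica,cn="dc=redhat,dc=ca",cn=mapping tree,cn=config\n'
              "changetype: modify\nreplace: oneWaySync\noneWaySync: fromWindows\n")
```

When applying the corrected record, ldapmodify's -W (prompt) or -y <file> keeps the bind password out of shell history and process listings, unlike -w on the command line.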
