Re: [Freeipa-users] CentOS 6 -> 7 migration

[Rob Verduijn]

Sounds feasable, however I'm not sure which solution entails the most work.

In step 3 you loose all the extra functionalities( cups/squid/ntp ) as
well, while these stay preserved by a p2v including a nice backup.
You do need a backup of all the functions before proceeding with step3.

Rob Verduijn

2017-02-26 14:40 GMT+01:00 Ian Pilcher <arequip...@gmail.com>:

> On 02/26/2017 05:08 AM, Rob Verduijn wrote:
>
>> You should consider setting up a temporary vm to migrate from.
>> On one of your client systems, I assume you got at least 1 ipa client
>>
>> Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your
>> current system to a vm  (side effect : instant full backup)
>>
>> When you got the vm up and running you can reinstall your main system
>> with the new os and ipa.
>> Then replicate the old ipa to the new one.
>>
>
> Hmm.  The system that runs IPA is the "network server" in my home
> network.  It runs various services -- DNS, NTP, CUPS, squid, etc. -- as
> well as routing between various VLANs.  So simply P2V'ing it would be
> a major project in its own right.
>
> What about this, though ...
>
> 1.  Set up a new CentOS 7 VM running IPA
>
> 2.  Replicate the IPA data from the old CentOS 6 system to the VM.
>
> 3.  Install CentOS 7 on the original system
>
> 4.  Replicate the IPA data back from the VM
>
> Will this work?
>
> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] CentOS 6 -> 7 migration

[Rob Verduijn]

Upgrading centos6 to 7 is not a smart thing, unless you like to suffer a
lot of issues.

Then there are many comaptibility issues regarding the upgrade from ipa3.3
to 4.4

You should consider setting up a temporary vm to migrate from.
On one of your client systems, I assume you got at least 1 ipa client

Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your
current system to a vm  (side effect : instant full backup)

When you got the vm up and running you can reinstall your main system with
the new os and ipa.
Then replicate the old ipa to the new one.

Rob Verduijn



2017-02-26 0:45 GMT+01:00 Ian Pilcher <arequip...@gmail.com>:

> Is there any way to migrate an IPA server from 6 -> 7 without losing all
> of the IPA configuration and data?  All of the documentation I can find
> involves setting up a replica, replicating the data over, and then
> decommissioning the old system; not exactly an option with a single
> system.
>
> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-dnskeysyncd not starting

[Rob Verduijn]

2016-12-19 18:53 GMT+01:00 Martin Basti <mba...@redhat.com>:

>
>
> On 19.12.2016 17:51, Rob Verduijn wrote:
>
> 2016-12-19 17:06 GMT+01:00 Martin Basti <mba...@redhat.com>:
>
>>
>>
>> On 19.12.2016 16:27, Rob Verduijn wrote:
>>
>>
>>
>> 2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
>>
>>>
>>>
>>>
>>> 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>>
>>>> On 19.12.2016 14:07, Rob Verduijn wrote:
>>>> > Hello,
>>>> >
>>>> > I'm running ipa on centos 7.3 with the latest patches applied.
>>>> >
>>>> > It seem to run fine however the ipa-dnskeysyncd keeps failing to
>>>> start and
>>>> > I keep seeing this message in my logs:
>>>> >
>>>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>>>> > python2[25663]: GSSAPI client step 1
>>>> > python2[25663]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 1
>>>> > python2[25663]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 2
>>>> > python2[25663]: GSSAPI client step 2
>>>> > ns-slapd[2569]: GSSAPI server step 3
>>>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>>>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer:
>>>> INFO
>>>> > Initial LDAP dump is done, sychronizing with ODS and BIND
>>>> > python2[25674]: GSSAPI client step 1
>>>> > python2[25674]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 1
>>>> > python2[25674]: GSSAPI client step 1
>>>> > ns-slapd[2569]: GSSAPI server step 2
>>>> > python2[25674]: GSSAPI client step 2
>>>> > ns-slapd[2569]: GSSAPI server step 3
>>>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>>>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd",
>>>> line 110,
>>>> > in 
>>>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
>>>> > msgid=ldap_search):
>>>> > ipa-dnskeysyncd[25663]: File
>>>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
>>>> > syncrepl_poll
>>>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>>>> > ipa-dnskeysyncd[25663]: File
>>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>>> line 115,
>>>> > in syncrepl_refreshdone
>>>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>>>> > ipa-dnskeysyncd[25663]: File
>>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>>> line 181,
>>>> > in hsm_replica_sync
>>>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>>>> > ipa-dnskeysyncd[25663]: File
>>>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494,
>>>> in run
>>>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
>>>> arg_string,
>>>> > str(output))
>>>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
>>>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
>>>> status 1
>>>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>>>> > status=1/FAILURE
>>>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>>> > systemd[1]: ipa-dnskeysyncd.service failed.
>>>> >
>>>> > for some reason the ipa-dnskeysyncd keeops crashing.
>>>> > Anybody know where to start looking for this one ?
>>>>
>>>> Please raise the debug level so we can see something in the logs:
>>>>
>>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras
>>>> hes_or_returns_no_data
>>>>
>>>> --
>>>> Petr^2 Spacek
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>
>>> Hello,
>>>
>>> The file /etc/ipa/ipa.conf or the fi

Re: [Freeipa-users] ipa-dnskeysyncd not starting

[Rob Verduijn]

2016-12-19 17:06 GMT+01:00 Martin Basti <mba...@redhat.com>:

>
>
> On 19.12.2016 16:27, Rob Verduijn wrote:
>
>
>
> 2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
>
>>
>>
>>
>> 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>>
>>> On 19.12.2016 14:07, Rob Verduijn wrote:
>>> > Hello,
>>> >
>>> > I'm running ipa on centos 7.3 with the latest patches applied.
>>> >
>>> > It seem to run fine however the ipa-dnskeysyncd keeps failing to start
>>> and
>>> > I keep seeing this message in my logs:
>>> >
>>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>>> > python2[25663]: GSSAPI client step 1
>>> > python2[25663]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 1
>>> > python2[25663]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 2
>>> > python2[25663]: GSSAPI client step 2
>>> > ns-slapd[2569]: GSSAPI server step 3
>>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
>>> > Initial LDAP dump is done, sychronizing with ODS and BIND
>>> > python2[25674]: GSSAPI client step 1
>>> > python2[25674]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 1
>>> > python2[25674]: GSSAPI client step 1
>>> > ns-slapd[2569]: GSSAPI server step 2
>>> > python2[25674]: GSSAPI client step 2
>>> > ns-slapd[2569]: GSSAPI server step 3
>>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
>>> 110,
>>> > in 
>>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
>>> > msgid=ldap_search):
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
>>> > syncrepl_poll
>>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>> line 115,
>>> > in syncrepl_refreshdone
>>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py",
>>> line 181,
>>> > in hsm_replica_sync
>>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>>> > ipa-dnskeysyncd[25663]: File
>>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
>>> run
>>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
>>> arg_string,
>>> > str(output))
>>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
>>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
>>> status 1
>>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>>> > status=1/FAILURE
>>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>>> > systemd[1]: ipa-dnskeysyncd.service failed.
>>> >
>>> > for some reason the ipa-dnskeysyncd keeops crashing.
>>> > Anybody know where to start looking for this one ?
>>>
>>> Please raise the debug level so we can see something in the logs:
>>>
>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras
>>> hes_or_returns_no_data
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> Hello,
>>
>> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist
>> on my system.
>> How to set debugging in this case ?
>>
>> Rob
>>
>
> I've set the debug level in /etc/ipa/default.conf
>
> now I get this output
>  systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
> status=1/FAILURE
>  systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>  systemd[1]: ipa-dnskeysyncd.service failed.
>  systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart

Re: [Freeipa-users] ipa-dnskeysyncd not starting

[Rob Verduijn]

2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:

>
>
>
> 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:
>
>> On 19.12.2016 14:07, Rob Verduijn wrote:
>> > Hello,
>> >
>> > I'm running ipa on centos 7.3 with the latest patches applied.
>> >
>> > It seem to run fine however the ipa-dnskeysyncd keeps failing to start
>> and
>> > I keep seeing this message in my logs:
>> >
>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
>> > python2[25663]: GSSAPI client step 1
>> > python2[25663]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 1
>> > python2[25663]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 2
>> > python2[25663]: GSSAPI client step 2
>> > ns-slapd[2569]: GSSAPI server step 3
>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
>> > Initial LDAP dump is done, sychronizing with ODS and BIND
>> > python2[25674]: GSSAPI client step 1
>> > python2[25674]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 1
>> > python2[25674]: GSSAPI client step 1
>> > ns-slapd[2569]: GSSAPI server step 2
>> > python2[25674]: GSSAPI client step 2
>> > ns-slapd[2569]: GSSAPI server step 3
>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
>> 110,
>> > in 
>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
>> > msgid=ldap_search):
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
>> > syncrepl_poll
>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
>> 115,
>> > in syncrepl_refreshdone
>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
>> 181,
>> > in hsm_replica_sync
>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
>> > ipa-dnskeysyncd[25663]: File
>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
>> run
>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
>> arg_string,
>> > str(output))
>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit
>> status 1
>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
>> > status=1/FAILURE
>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>> > systemd[1]: ipa-dnskeysyncd.service failed.
>> >
>> > for some reason the ipa-dnskeysyncd keeops crashing.
>> > Anybody know where to start looking for this one ?
>>
>> Please raise the debug level so we can see something in the logs:
>>
>> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras
>> hes_or_returns_no_data
>>
>> --
>> Petr^2 Spacek
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> Hello,
>
> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist
> on my system.
> How to set debugging in this case ?
>
> Rob
>

I've set the debug level in /etc/ipa/default.conf

now I get this output
 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
status=1/FAILURE
 systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
 systemd[1]: ipa-dnskeysyncd.service failed.
 systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
 systemd[1]: Started IPA key daemon.
 systemd[1]: Starting IPA key daemon...
 ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind...
 python2[30568]: GSSAPI client step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 1
 python2[30568]: GSSAPI client step 1
 ns-slapd[26744]: GSSAPI server step 2
 python2[30568]: GSSAPI client step 2
 ns-slapd[26744]: GSSAPI server step 3
 ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process
 ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
Initia

Re: [Freeipa-users] ipa-dnskeysyncd not starting

[Rob Verduijn]

2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>:

> On 19.12.2016 14:07, Rob Verduijn wrote:
> > Hello,
> >
> > I'm running ipa on centos 7.3 with the latest patches applied.
> >
> > It seem to run fine however the ipa-dnskeysyncd keeps failing to start
> and
> > I keep seeing this message in my logs:
> >
> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
> > python2[25663]: GSSAPI client step 1
> > python2[25663]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 1
> > python2[25663]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 2
> > python2[25663]: GSSAPI client step 2
> > ns-slapd[2569]: GSSAPI server step 3
> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
> > Initial LDAP dump is done, sychronizing with ODS and BIND
> > python2[25674]: GSSAPI client step 1
> > python2[25674]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 1
> > python2[25674]: GSSAPI client step 1
> > ns-slapd[2569]: GSSAPI server step 2
> > python2[25674]: GSSAPI client step 2
> > ns-slapd[2569]: GSSAPI server step 3
> > ipa-dnskeysyncd[25663]: Traceback (most recent call last):
> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line
> 110,
> > in 
> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
> > msgid=ldap_search):
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
> > syncrepl_poll
> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
> 115,
> > in syncrepl_refreshdone
> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line
> 181,
> > in hsm_replica_sync
> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
> > ipa-dnskeysyncd[25663]: File
> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in
> run
> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode,
> arg_string,
> > str(output))
> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status
> 1
> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
> > status=1/FAILURE
> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> > systemd[1]: ipa-dnskeysyncd.service failed.
> >
> > for some reason the ipa-dnskeysyncd keeops crashing.
> > Anybody know where to start looking for this one ?
>
> Please raise the debug level so we can see something in the logs:
>
> http://www.freeipa.org/page/Troubleshooting#ipa_command_
> crashes_or_returns_no_data
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

Hello,

The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist on
my system.
How to set debugging in this case ?

Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa-dnskeysyncd not starting

[Rob Verduijn]

Hello,

I'm running ipa on centos 7.3 with the latest patches applied.

It seem to run fine however the ipa-dnskeysyncd keeps failing to start and
I keep seeing this message in my logs:

ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind...
python2[25663]: GSSAPI client step 1
python2[25663]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 1
python2[25663]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 2
python2[25663]: GSSAPI client step 2
ns-slapd[2569]: GSSAPI server step 3
ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process
ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO
Initial LDAP dump is done, sychronizing with ODS and BIND
python2[25674]: GSSAPI client step 1
python2[25674]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 1
python2[25674]: GSSAPI client step 1
ns-slapd[2569]: GSSAPI server step 2
python2[25674]: GSSAPI client step 2
ns-slapd[2569]: GSSAPI server step 3
ipa-dnskeysyncd[25663]: Traceback (most recent call last):
ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110,
in 
ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1,
msgid=ldap_search):
ipa-dnskeysyncd[25663]: File
"/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in
syncrepl_poll
ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone()
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 115,
in syncrepl_refreshdone
ipa-dnskeysyncd[25663]: self.hsm_replica_sync()
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 181,
in hsm_replica_sync
ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA])
ipa-dnskeysyncd[25663]: File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run
ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, arg_string,
str(output))
ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command
'/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1
systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited,
status=1/FAILURE
systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
systemd[1]: ipa-dnskeysyncd.service failed.

for some reason the ipa-dnskeysyncd keeops crashing.
Anybody know where to start looking for this one ?

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] FYI incorrect configuration when using ipa-client-automount

[Rob Verduijn]

Hello,

I've was being bugged by a non functional automounter.

So I tried a fresh centos7.3 install (minimal) with only the additional
package ipa-client.

I did the installation and update to latest patch level and reboot.

Then ran ipa-client-install --enable-dns-updates
Did the yes/admin account/auth
And I had a fully functional freeipa-domain-client.

Then I ran ipa-client-automount
yes again.
and no functional automounter.

It appeared that the 'ipa-client-automount' tool did not adjust the
/etc/nsswitch.conf file properly.

In one occasion it replaced 'automount: files nisplus' with 'automount:
files'
in another it did not change it at all.

After editing /etc/nsswitch.conf and setting it to 'automount: files sss'
all was working as expected.

Because there is not mention about centos on
https://fedorahosted.org/freeipa/
and I'm used to seeing closed not supported on the redhat bugzilla when the
word centos is mentioned
I've posterd it in the centos buglist :
https://bugs.centos.org/view.php?id=12415

Cheers
Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

[Rob Verduijn]

2016-12-15 13:47 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>:

> On 12/12/2016 08:53 PM, Rob Verduijn wrote:
> > Hello,
> >
> > I've recently upgraded to centos 7.3.
> > Didn't intend to so soon but should have checked the anounce lists before
> > launching my ansible update playbook.
> >
> > Most of my servers came through, and mostly also the ipa server.
> > There were duplicate rpms and a failed rpm upgrade.
> > After some yum magic the rpm duplicates where gone and all the updates
> installed.
> >
> > Manually running ipa-server-upgrade also seems to finish properly.
> >
> > However
> > ipactl start keeps failing on the ntpd service.
> > Not a big surprise since its running chronyd.
> >
> > I now start the ipa server with 'ipactl start --ignore-service-failure'
> >
> > Is there a way to explain the script that it should check for chronyd
> instead of
> > ntpd ?
> >
> > I also see this a lot in the logs:
> > dns_rdatatype_fromtext() failed for attribute
> > 'idnsTemplateAttribute;cnamerecord': unknown class/type
> >
> > Is that a serious error ?
> >
> > Rob Verduijn
> >
>
> This looks like 7.3 update incorrectly added NTP service to IPA server
> services (which is displayed as NTP role in `ipa server-show $server`).
>
> A workaround might be to disable the service or remove the service
> entry. Disabling is IMHO safer.  IPA CLI tools don't allow
> enabling/disabling of services so it must be done by LDAP mod.
>
> It can be done by removing  'enabledService' config value from server's
> service entry, e.g.:
>
> dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> changetype: modify
> delete: ipaConfigString
> ipaConfigString: enabledService
> -
>
> Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g.
> dc=example,dc=com
>
>
> Rob, have you originally installed the replica with NTPD and then later
> switched manually to chrony?
>
> --
> Petr Vobornik
>

Hello,

I can't remember if I installed and configured freeipa and then switched to
chronyd or the other way around.

I had my ntpd/ntpdate services masked because I got tired of stopping and
disabling them all the time.
It seems ipactl can't deal with that.

Currently I unmasked the services and enabled them (disabling chronyd) so
that the server boots properly.

I will try your ldiff to see if I can switch back, since I do not use my
ipa server as a time source for clients.

I'll let you know the results.

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa fails to start after centos 7.3 upgrade

[Rob Verduijn]

Hello,

I've recently upgraded to centos 7.3.
Didn't intend to so soon but should have checked the anounce lists before
launching my ansible update playbook.

Most of my servers came through, and mostly also the ipa server.
There were duplicate rpms and a failed rpm upgrade.
After some yum magic the rpm duplicates where gone and all the updates
installed.

Manually running ipa-server-upgrade also seems to finish properly.

However
ipactl start keeps failing on the ntpd service.
Not a big surprise since its running chronyd.

I now start the ipa server with 'ipactl start --ignore-service-failure'

Is there a way to explain the script that it should check for chronyd
instead of ntpd ?

I also see this a lot in the logs:
dns_rdatatype_fromtext() failed for attribute
'idnsTemplateAttribute;cnamerecord': unknown class/type

Is that a serious error ?

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

[Rob Verduijn]

2016-12-01 19:44 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:

>
>
> 2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> Rob Verduijn wrote:
>> >
>> >
>> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com
>> > <mailto:rcrit...@redhat.com>>:
>> >
>> > Rob Verduijn wrote:
>> > > Hello,
>> > >
>> > > For some reason my ipa server no longer boots.
>> > > It keeps trying to start pki-tomcat service.
>> > >
>> > > Does anybody know where I should start looking to get this fixed ?
>> > >
>> > > Rob Verduijn
>> > >
>> > > ipactl -d start gives this output:
>> > > ipa: DEBUG: The CA status is: check interrupted due to error:
>> Command
>> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> '--no-check-certificate'
>> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
>> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>''
>> returned
>> > > non-zero exit status 8
>> > > ipa: DEBUG: Waiting for CA to start...
>> > > ipa: DEBUG: Starting external process
>> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
>> > > '--no-check-certificate'
>> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
>> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>'
>> > > ipa: DEBUG: Process finished, return code=8
>> > > ipa: DEBUG: stdout=
>> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
>> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
>> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>
>> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)...
>> 172.16.1.13
>> > > Connecting to freeipa02.tjako.thuis
>> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
>> > > HTTP request sent, awaiting response...
>> > >   HTTP/1.1 500 Internal Server Error
>> > >   Server: Apache-Coyote/1.1
>> > >   Content-Type: text/html;charset=utf-8
>> > >   Content-Language: en
>> > >   Content-Length: 2134
>> > >   Date: Thu, 01 Dec 2016 10:06:13 GMT
>> > >   Connection: close
>> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
>> > >
>> > > There are also some java warnings in the logs, but its java and I
>> can
>> > > never tell if its a serious error when java gives a warning.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'serverCertNickFile' to
>> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
>> > > matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf'
>> did not
>> > > find a matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'passwordClass' to 'org.apache.tomcat.util.net
>> > <http://org.apache.tomcat.util.net>.jss.PlainPasswordFile'
>> > > did not find a matching property.
>> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
>> > > org.apache.catalina.startup.SetAllPropertiesRule begin
>> > > Dec  1 09:53:59 freeipa02 server: WARNING:
>> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a
>> matching
>> > > property.
>> > > Dec  1 09:53:59 freeipa02 server: 

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

[Rob Verduijn]

2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Rob Verduijn wrote:
> >
> >
> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com
> > <mailto:rcrit...@redhat.com>>:
> >
> > Rob Verduijn wrote:
> > > Hello,
> > >
> > > For some reason my ipa server no longer boots.
> > > It keeps trying to start pki-tomcat service.
> > >
> > > Does anybody know where I should start looking to get this fixed ?
> > >
> > > Rob Verduijn
> > >
> > > ipactl -d start gives this output:
> > > ipa: DEBUG: The CA status is: check interrupted due to error:
> Command
> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>''
> returned
> > > non-zero exit status 8
> > > ipa: DEBUG: Waiting for CA to start...
> > > ipa: DEBUG: Starting external process
> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > > '--no-check-certificate'
> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>'
> > > ipa: DEBUG: Process finished, return code=8
> > > ipa: DEBUG: stdout=
> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>
> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)...
> 172.16.1.13
> > > Connecting to freeipa02.tjako.thuis
> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > > HTTP request sent, awaiting response...
> > >   HTTP/1.1 500 Internal Server Error
> > >   Server: Apache-Coyote/1.1
> > >   Content-Type: text/html;charset=utf-8
> > >   Content-Language: en
> > >   Content-Length: 2134
> > >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> > >   Connection: close
> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> > >
> > > There are also some java warnings in the logs, but its java and I
> can
> > > never tell if its a serious error when java gives a warning.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'serverCertNickFile' to
> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > > matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf'
> did not
> > > find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'passwordClass' to 'org.apache.tomcat.util.net
> > <http://org.apache.tomcat.util.net>.jss.PlainPasswordFile'
> > > did not find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.catalina.startup.SetAllPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a
> matching
> > > property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > > Dec  1 09:53:59 freeipa02 server: WARNING:
> > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > > 'xmlValidation' to 'false' did not find a matching property.
> > > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > >

Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd

[Rob Verduijn]

2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

> Rob Verduijn wrote:
> > Hello,
> >
> > For some reason my ipa server no longer boots.
> > It keeps trying to start pki-tomcat service.
> >
> > Does anybody know where I should start looking to get this fixed ?
> >
> > Rob Verduijn
> >
> > ipactl -d start gives this output:
> > ipa: DEBUG: The CA status is: check interrupted due to error: Command
> > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
> > non-zero exit status 8
> > ipa: DEBUG: Waiting for CA to start...
> > ipa: DEBUG: Starting external process
> > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
> > '--no-check-certificate'
> > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
> > ipa: DEBUG: Process finished, return code=8
> > ipa: DEBUG: stdout=
> > ipa: DEBUG: stderr=--2016-12-01 11:06:12--
> > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
> > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
> > Connecting to freeipa02.tjako.thuis
> > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
> > HTTP request sent, awaiting response...
> >   HTTP/1.1 500 Internal Server Error
> >   Server: Apache-Coyote/1.1
> >   Content-Type: text/html;charset=utf-8
> >   Content-Language: en
> >   Content-Length: 2134
> >   Date: Thu, 01 Dec 2016 10:06:13 GMT
> >   Connection: close
> > 2016-12-01 11:06:13 ERROR 500: Internal Server Error.
> >
> > There are also some java warnings in the logs, but its java and I can
> > never tell if its a serious error when java gives a warning.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'serverCertNickFile' to
> > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a
> > matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not
> > find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile'
> > did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.catalina.startup.SetAllPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
> > property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlValidation' to 'false' did not find a matching property.
> > Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
> > org.apache.tomcat.util.digester.SetPropertiesRule begin
> > Dec  1 09:53:59 freeipa02 server: WARNING:
> > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property
> > 'xmlNamespaceAware' to 'false' did not find a matching property.
> >
> >
> > I'm running centos7.2 x86_64 with the latest patches applied.
> > some package versions below
> > rpm -qa|egrep "ipa|tomcat"|sort
> > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
> > libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > python-iniparse-0.4-9.el7.noarch
> > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
> > sssd-ipa-1.13.0-40.el7_2.12.x86_64
> > tomcat-7.0.54-8.el7_2.noarch
> > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
> > tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
> > tomcatjss-7.1.2-1.el7.noarch
> > tomcat-lib-7.0.54-8.el7_2.noarch
> > to

[Freeipa-users] ipa fails to start hangs on pki-tomcatd

[Rob Verduijn]

Hello,

For some reason my ipa server no longer boots.
It keeps trying to start pki-tomcat service.

Does anybody know where I should start looking to get this fixed ?

Rob Verduijn

ipactl -d start gives this output:
ipa: DEBUG: The CA status is: check interrupted due to error: Command
''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' '
https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned
non-zero exit status 8
ipa: DEBUG: Waiting for CA to start...
ipa: DEBUG: Starting external process
ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30'
'--no-check-certificate' '
https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'
ipa: DEBUG: Process finished, return code=8
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=--2016-12-01 11:06:12--
https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus
Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13
Connecting to freeipa02.tjako.thuis
(freeipa02.tjako.thuis)|172.16.1.13|:8443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 2134
  Date: Thu, 01 Dec 2016 10:06:13 GMT
  Connection: close
2016-12-01 11:06:13 ERROR 500: Internal Server Error.

There are also some java warnings in the logs, but its java and I can never
tell if its a serious error when java gives a warning.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf'
did not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find
a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did
not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.catalina.startup.SetAllPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching
property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlValidation' to 'false' did not find a matching property.
Dec  1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM
org.apache.tomcat.util.digester.SetPropertiesRule begin
Dec  1 09:53:59 freeipa02 server: WARNING:
[SetPropertiesRule]{Server/Service/Engine/Host} Setting property
'xmlNamespaceAware' to 'false' did not find a matching property.


I'm running centos7.2 x86_64 with the latest patches applied.
some package versions below
rpm -qa|egrep "ipa|tomcat"|sort
ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64
libipa_hbac-1.13.0-40.el7_2.12.x86_64
python-iniparse-0.4-9.el7.noarch
python-libipa_hbac-1.13.0-40.el7_2.12.x86_64
sssd-ipa-1.13.0-40.el7_2.12.x86_64
tomcat-7.0.54-8.el7_2.noarch
tomcat-el-2.2-api-7.0.54-8.el7_2.noarch
tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch
tomcatjss-7.1.2-1.el7.noarch
tomcat-lib-7.0.54-8.el7_2.noarch
tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sss / nsswitch

[Rob Verduijn]

2016-09-23 10:27 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:

> On (13/09/16 16:18), Rob Verduijn wrote:
> >2016-09-13 15:07 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>:
> >
> >> On (13/09/16 10:39), Sumit Bose wrote:
> >> >On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote:
> >> >> Hi,
> >> >>
> >> >> Thanks that did it.
> >> >>
> >> >> Is there a less painfull way to be notified of these changes ?
> >> >>
> >> >> My nfs configuration gets broken much more than I like because of
> >> changes
> >> >> like these.
> >> >> I know fedora is supposed to be testing grounds unstable software,
> but I
> >> >> would really like to hear a heads up more often.
> >> >
> >> >The change was mentioned in the upstream release notes of SSSD-1.14.1
> >> >https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 but of
> course I
> >> >cannot be expected to read all upstream release note before running
> 'dnf
> >> >update'.
> >> >
> >> >The change was necessary because before the plugin was in the
> >> >sssd-common package and this caused that some nfs dependencies were
> >> >pulled in even on systems where nfs is not needed at all. Since neither
> >> >SSSD nor nfs-idmap strictly require the plugin the new package is not
> >> >automatically installed during update.
> >> >
> >>
> >> Sorry for troubles. We can add weak dependency info sssd-common on
> >> sssd-nfs-idmap and it might be installed by default.
> >> IIRC dnf does not inform about suggested packages; but recommends minght
> >> work. Feel free ot file a BZ.
> >>
> >> The reason why it is in separate package is "container world".
> >> You need to have install packge sssd-nfs-idmap on host
> >> but sssd can be running in container.
> >>
> >> LS
> >>
> >
> >
> >I probably should've noticed that the version number went from 1.13.x to
> >1.14.x which usually is something noteworthy.
> >I'll just add the release notes from sssd to my list of must reads when
> >there is an update.
> >
> The package sssd-nfs-idmap should be installed with sssd-1.14.1-3
> It needn't be due to weak dependencies. But recommended packages
> are installed by default with dnf.
>
> rpm -q --recommends  sssd-common-1.14.1-3
> libsss_autofs(x86-64) = 1.14.1-3.fc24
> libsss_sudo = 1.14.1-3.fc24
> sssd-nfs-idmap = 1.14.1-3.fc24
>
> LS
>

Does this also apply when you run dnf update ?

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] sss / nsswitch

[Rob Verduijn]

Hi all,

Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24.

Then after the reboot the nfs-idmap service told me it couldn't start
because it could not find method sss.

So I filed a bug report and tried switching the method nsswitch.

But now all files on my kerberos nfs4 shares belong to nobody:nobodyy again.

Anybody who has a tip on how to work around this until they fix sssd ?

Cheers
Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

[Rob Verduijn]

hi,

just a long shot here..

I've been battling sudo for a couple days now and found that my issue was
one related to symlinks
on centos7 'which cat' says /bin/cat
but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when
it sees one and to prevent abuse it requires the 'real' path for the sudo
rule :  ALL=(ALL) /usr/bin/cat
on centos6 which cat also says /bin/cat but since /bin is not a symlink it
requires the sudo rule to be  ALL=(ALL) /bin/cat
so for the sudo to work on both centos6 and centos7 you would require 2
sudo rules.

Ignore me if this is irrelevant.

Just my 2 cents
Rob

2016-07-14 10:38 GMT+02:00 Lukas Slebodnik :

> On (14/07/16 10:09), Tomas Simecek wrote:
> >Thanks all of you guys,
> >I have updated to:
> >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64
> >sssd-1.13.3-22.el6_8.4.x86_64
> >sssd-ldap-1.13.3-22.el6_8.4.x86_64
> >sssd-client-1.13.3-22.el6_8.4.x86_64
> >sssd-ad-1.13.3-22.el6_8.4.x86_64
> >sssd-proxy-1.13.3-22.el6_8.4.x86_64
> >libsss_idmap-1.13.3-22.el6_8.4.x86_64
> >sssd-common-1.13.3-22.el6_8.4.x86_64
> >sssd-ipa-1.13.3-22.el6_8.4.x86_64
> >python-sssdconfig-1.13.3-22.el6_8.4.noarch
> >sssd-krb5-1.13.3-22.el6_8.4.x86_64
> >sssd-common-pac-1.13.3-22.el6_8.4.x86_64
> >(there does not seem to be libsss_sudo in Centos as suggested by Danila).
> >and restarted sssd.
> >
> >There are two rules enabled. One HBAC as I presented earlier:
> >  Rule name: Unixari na test servery
> >  Enabled: TRUE
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >  Services: login, sshd, sudo, sudo-i, su, su-l
> >
> >and one sudo rule:
> >Rule name: Pokusne
> >  Enabled: TRUE
> >  Command category: all
> >  User Groups: grpunixadmins
> >  Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz
> >
> >Default "all-access" rules are disabled.
> >
> >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I
> >still get:
> >
> >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf
> >[sudo] password for simecek.to...@sd-stc.cz:
> >simecek.to...@sd-stc.cz is not in the sudoers file.  This incident will
> be
> >reported.
> >
> >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz).
> >
> >sssd.conf:
> >[domain/linuxdomain.cz]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = linuxdomain.cz
> >id_provider = ipa
> >krb5_realm = LINUXDOMAIN.CZ
> >auth_provider = ipa
> >access_provider = ipa
> >ipa_hostname = zp-cml-test.linuxdomain.cz
> >chpass_provider = ipa
> >ipa_server = svlxxipap.linuxdomain.cz
> >ldap_tls_cacert = /etc/ipa/ca.crt
> >override_shell = /bin/bash
> >sudo_provider = ipa
> >ldap_uri = ldap://svlxxipap.linuxdomain.cz
> >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz
> >ldap_sasl_mech = GSSAPI
> >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz
> >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz
> >ldap_sasl_realm = LINUXDOMAIN.CZ
> >krb5_server = svlxxipap.linuxdomain.cz
> >debug_level = 0x3ff0
> >[sssd]
> >services = nss, sudo, pam, ssh
> >config_file_version = 2
> >domains = linuxdomain.cz
> >[nss]
> >homedir_substring = /home
> >[pam]
> >[sudo]
> >debug_level = 0x3ff0
> >[autofs]
> >[ssh]
> >[pac]
> >[ifp]
> >
> >
> >sssd_sudo.log from the moment I tried sudo:
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=
> >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\
> >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz
> >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=%
> >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000):
> About
> >to get sudo rules from cache
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid]
> >(0x0400): No such entry
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]]
> [sudosrv_get_sudorules_query_cache]
> >(0x0200): Searching sysdb with
> >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=
> simecek.to...@sd-stc.cz
> >)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=%
> >unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=%
> mfcr_...@sd-stc.cz
> >)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz
> >)(sudoUser=+*)))]
> >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
> >(0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz]
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client
> >disconnected!
> >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000):
> >Terminated client [0x260b690][17]
> >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000):
> >Received SBUS method 

Re: [Freeipa-users] what is the best way to create a search account

[Rob Verduijn]

thanx

2016-06-30 13:59 GMT+02:00 Tomasz Torcz <to...@pipebreaker.pl>:

> On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote:
> > Hello,
> >
> >
> > What would be the most appropriate way to create a search account so
> that a
> > third party tool (wildfly) can use it to search the ipa domain for
> > credentials ?
>
>   I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
>
> --
> Tomasz Torcz"Funeral in the morning, IDE hacking
> xmpp: zdzich...@chrome.plin the afternoon and evening." - Alan Cox
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] what is the best way to create a search account

[Rob Verduijn]

Hello,


What would be the most appropriate way to create a search account so that a
third party tool (wildfly) can use it to search the ipa domain for
credentials ?

Cheers
Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] get freeipa to update ad users and groups more often

[Rob Verduijn]

Hi,

I avoided the slow filling group by using the AD-Group with spaces
(was a tad more challenging for scipting)

But here's the releases (some of them)

ipa 4.2 and sssd 1.13

ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64

Cheers
Rob Verduijn

2016-05-04 18:06 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote:
>> to make sure I did the following on the ipa host
>>
>> systemctl stop sssd.service
>> rm -f /var/lib/sss/db/*
>> systemctl start sssd.service
>>
>> now there is no cheating from cach
>> getent passwd u...@ad-domain.com works and gives userid
>> id u...@ad-domain.com works fine and show all goups the user is a
>> member of including ad_linux_administrators (ipa group) and 'linux
>> administrat...@ad-domain.com'
>> getent group ad_linux_administrators only shows the group ad, no
>> members, these pop up after a very long time
>> getent group 'linux administrat...@ad-domain.com' imediatly show all members
>
> Please note that getent group only works with very recent versions of
> ipa and sssd. What version are you running.
>
>>
>> weird
>>
>> Rob Verduijn
>>
>> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
>> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> >> This goes especially for ad groups that are bested in ipa_groups
>> >>
>> >> ie :
>> >> microsft group is defined as an external group,
>> >> and that external group is member of an ipa group
>> >> and that ipa group takes forever.
>> >>
>> >> Regards
>> >> Rob Verduijn
>> >
>> > All the work in this area is done by sssd on the server. The sssd there
>> > runs a periodical task to re-fetch new external groups memberships every
>> > 10 seconds. So I would expect the group memberships to turn up after 10
>> > seconds at worst.
>> >
>> > Are you sure (from sssd logs) that maybe sssd is not going into offline
>> > state and just consults its cache?
>> >
>> >>
>> >>
>> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
>> >> > Hello,
>> >> >
>> >> > I'm using a trust to microsoft active directory to allow users access
>> >> > to linux servers.
>> >> >
>> >> > But when a user is added it takes a very long time for ipa to register 
>> >> > this.
>> >> > And even more time for the ipa clients since they have to wait for the
>> >> > ipa servers.
>> >> >
>> >> > Since I hate to tell the users to wait for a couple hours, and also I
>> >> > do not like to clean up the sssd cache folder each time a new user
>> >> > appears.
>> >> >
>> >> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >> >
>> >> > Regards
>> >> > Rob Verduijn
>> >>
>> >> --
>> >> Manage your subscription for the Freeipa-users mailing list:
>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> Go to http://freeipa.org for more info on the project
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] get freeipa to update ad users and groups more often

[Rob Verduijn]

to make sure I did the following on the ipa host

systemctl stop sssd.service
rm -f /var/lib/sss/db/*
systemctl start sssd.service

now there is no cheating from cach
getent passwd u...@ad-domain.com works and gives userid
id u...@ad-domain.com works fine and show all goups the user is a
member of including ad_linux_administrators (ipa group) and 'linux
administrat...@ad-domain.com'
getent group ad_linux_administrators only shows the group ad, no
members, these pop up after a very long time
getent group 'linux administrat...@ad-domain.com' imediatly show all members

weird

Rob Verduijn

2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote:
>> This goes especially for ad groups that are bested in ipa_groups
>>
>> ie :
>> microsft group is defined as an external group,
>> and that external group is member of an ipa group
>> and that ipa group takes forever.
>>
>> Regards
>> Rob Verduijn
>
> All the work in this area is done by sssd on the server. The sssd there
> runs a periodical task to re-fetch new external groups memberships every
> 10 seconds. So I would expect the group memberships to turn up after 10
> seconds at worst.
>
> Are you sure (from sssd logs) that maybe sssd is not going into offline
> state and just consults its cache?
>
>>
>>
>> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
>> > Hello,
>> >
>> > I'm using a trust to microsoft active directory to allow users access
>> > to linux servers.
>> >
>> > But when a user is added it takes a very long time for ipa to register 
>> > this.
>> > And even more time for the ipa clients since they have to wait for the
>> > ipa servers.
>> >
>> > Since I hate to tell the users to wait for a couple hours, and also I
>> > do not like to clean up the sssd cache folder each time a new user
>> > appears.
>> >
>> > Is there a way to tell ipa and all clients to refresh their cache ?
>> >
>> > Regards
>> > Rob Verduijn
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] get freeipa to update ad users and groups more often

[Rob Verduijn]

This goes especially for ad groups that are bested in ipa_groups

ie :
microsft group is defined as an external group,
and that external group is member of an ipa group
and that ipa group takes forever.

Regards
Rob Verduijn


2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
> Hello,
>
> I'm using a trust to microsoft active directory to allow users access
> to linux servers.
>
> But when a user is added it takes a very long time for ipa to register this.
> And even more time for the ipa clients since they have to wait for the
> ipa servers.
>
> Since I hate to tell the users to wait for a couple hours, and also I
> do not like to clean up the sssd cache folder each time a new user
> appears.
>
> Is there a way to tell ipa and all clients to refresh their cache ?
>
> Regards
> Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] get freeipa to update ad users and groups more often

[Rob Verduijn]

Hello,

I'm using a trust to microsoft active directory to allow users access
to linux servers.

But when a user is added it takes a very long time for ipa to register this.
And even more time for the ipa clients since they have to wait for the
ipa servers.

Since I hate to tell the users to wait for a couple hours, and also I
do not like to clean up the sssd cache folder each time a new user
appears.

Is there a way to tell ipa and all clients to refresh their cache ?

Regards
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa client deletes dns record from ipa domain

[Rob Verduijn]

found it,


I needed to set dyndns_iface to the proper device

It was set to the original device which was bridged, so no ip address
was assigned to it.
After setting it to bridge0 the update went ok

Rob Verduijn

2016-05-02 13:06 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>:
> debug logging from sssd is rather overwhelming,
> What am I looking for in the logs ?
>
> Rob
>
> 2016-05-02 11:54 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
>> On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote:
>>> Hello,
>>>
>>> I'm a bit at loss here.
>>> For some reason when I set 'dyndns_update = True' the system deletes
>>> it's dns a record from the ipa domain.
>>>
>>> I have this with some systems not all, which makes it more confusing for me.
>>>
>>> I've deleted the sssd cache, triple checked all the configs and logs ,
>>> but I can't seem to find any errors or inconsystencies with the flawed
>>> system or the ones that do work.
>>>
>>> Any ideas what could cause this ?
>>>
>>> I now have set it to false on the system that keeps deleting its
>>> record, but I keep wondering what is causing this.
>>
>> I guess sssd logs would tell something. I thought we removed the old and
>> re-added the new records within the same transaction, but I could be
>> wrong..
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa client deletes dns record from ipa domain

[Rob Verduijn]

debug logging from sssd is rather overwhelming,
What am I looking for in the logs ?

Rob

2016-05-02 11:54 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>:
> On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I'm a bit at loss here.
>> For some reason when I set 'dyndns_update = True' the system deletes
>> it's dns a record from the ipa domain.
>>
>> I have this with some systems not all, which makes it more confusing for me.
>>
>> I've deleted the sssd cache, triple checked all the configs and logs ,
>> but I can't seem to find any errors or inconsystencies with the flawed
>> system or the ones that do work.
>>
>> Any ideas what could cause this ?
>>
>> I now have set it to false on the system that keeps deleting its
>> record, but I keep wondering what is causing this.
>
> I guess sssd logs would tell something. I thought we removed the old and
> re-added the new records within the same transaction, but I could be
> wrong..
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa client deletes dns record from ipa domain

[Rob Verduijn]

Hello,

I'm a bit at loss here.
For some reason when I set 'dyndns_update = True' the system deletes
it's dns a record from the ipa domain.

I have this with some systems not all, which makes it more confusing for me.

I've deleted the sssd cache, triple checked all the configs and logs ,
but I can't seem to find any errors or inconsystencies with the flawed
system or the ones that do work.

Any ideas what could cause this ?

I now have set it to false on the system that keeps deleting its
record, but I keep wondering what is causing this.

Regards
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA and samba 4

[Rob Verduijn]

Howdy,

out of curiousity  any targetted release for UPN ?

Cheers
Rob

2016-03-10 15:15 GMT+01:00 Petr Spacek :
> On 10.3.2016 13:34, Giulio Casella wrote:
>> I've seen that howto, but it's not my case. I cannot establish a trust 
>> between
>> IPA and AD, because AD domain involves additional UPNs (mydomain.com and
>> another.mydomain.com) in addition to main domain foobar.local. This scenario
>> is not supported by current version of FreeIPA (maybe in future releases).
>> So: FreeIPA domain and AD domain have to be different.
>
> For the record, UPN support is soonish.
>
> Petr^2 Spacek
>
>>
>> Giulio
>>
>> Il 10/03/2016 13:23, Justin Stephenson ha scritto:
>>> Hello,
>>>
>>> Are you looking for this? This leverages the AD trust to allow samba
>>> within IPA to resolve AD users from a trusted AD domain/forest
>>>
>>> *Howto/Integrating a Samba File Server With IPA*
>>>
>>>
>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>
>>>
>>> -Justin
>>>
>>> On 03/10/2016 06:29 AM, Giulio Casella wrote:
 Hi guys,
 I've got a FreeIPA domain up and running, with a nfs server, joined to
 IPA domain, offering user's home directories.

 I'd like to give users on Windows 7 PC (not joined to the same domain)
 the ability to mount those home directories via samba (entering
 credentials, not kerberos, being different domains).

 How can I configure samba to use IPA kerberos authentication
 authentication to offer access to home directories?

 I know this could be configured more as a samba question, but I hope
 someone in this list already faced my scenario.

 Thanks in advance,
 Giulio

>>>
>>
>
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] what is the sudo rule runasuser local user account

[Rob Verduijn]

Hello,

I've noticed that the sudorule-add-runasuser no longer has en --external option

What is the current method to add a local service account to a sud
rule list so that users may run sudo as that service account (ie
apache or jboss)

Cheers
Rob Verudijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] what is the sudo rule runasuser local user account

[Rob Verduijn]

On Centos7.2 all patches applied I used the command:
ipa-client-install --enable-dns-updates

Rob

2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> Hello,
>>
>> I've noticed that the sudorule-add-runasuser no longer has en --external 
>> option
>>
>> What is the current method to add a local service account to a sud
>> rule list so that users may run sudo as that service account (ie
>> apache or jboss)
>>
>> Cheers
>> Rob Verudijn
>
> I know I'm not answering your question but how did you configure the
> client side earlier? Did you use the native/legacy sudo ldap driver?
>
> The reason I'm asking this is that sssd only supports users it handles,
> so in the IPA case it only supports IPA users anyway..
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] what is the sudo rule runasuser local user account

[Rob Verduijn]

That does seem to work for me as well,
however I can only add the external user via the web-gui

Any idea how to do this with the command line tools ?

Rob Verduijn

2016-02-04 17:00 GMT+01:00 Baird, Josh <jba...@follett.com>:
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
> problem.
>
> Example:
>
>   Rule name: TestDBAs
>   Description: access for members of the TestDBAs group
>   Enabled: TRUE
>   Command category: all
>   User Groups: testdbas
>   Host Groups: corp_oracle
>   RunAs External User: oracle
>
> In this example, 'oracle' is a local user on the server (not in IPA).  I hope 
> this functionality does not go away.
>
> Thanks,
>
> Josh
>
>> -Original Message-
>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
>> boun...@redhat.com] On Behalf Of Rob Verduijn
>> Sent: Thursday, February 04, 2016 10:54 AM
>> To: Jakub Hrozek
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user
>> account
>>
>> On Centos7.2 all patches applied I used the command:
>> ipa-client-install --enable-dns-updates
>>
>> Rob
>>
>> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
>> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> >> Hello,
>> >>
>> >> I've noticed that the sudorule-add-runasuser no longer has en
>> >> --external option
>> >>
>> >> What is the current method to add a local service account to a sud
>> >> rule list so that users may run sudo as that service account (ie
>> >> apache or jboss)
>> >>
>> >> Cheers
>> >> Rob Verudijn
>> >
>> > I know I'm not answering your question but how did you configure the
>> > client side earlier? Did you use the native/legacy sudo ldap driver?
>> >
>> > The reason I'm asking this is that sssd only supports users it
>> > handles, so in the IPA case it only supports IPA users anyway..
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] what is the sudo rule runasuser local user account

[Rob Verduijn]

hi all,

I tried and figured it out..

ipa sudorule-add-runasuser  --users=

Is the command syntax I was looking for.
I guess that if the --users isn't an ipa user it is automatically
flagged as an external user.

Cheers
Rob Verduijn




2016-02-04 17:33 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote:
>> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no 
>> problem.
>>
>> Example:
>>
>>   Rule name: TestDBAs
>>   Description: access for members of the TestDBAs group
>>   Enabled: TRUE
>>   Command category: all
>>   User Groups: testdbas
>>   Host Groups: corp_oracle
>>   RunAs External User: oracle
>
> ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup
> -- that's the user you want to run sudo as. That's still supported.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa replica is ad trust controller but refuses ad users

[Rob Verduijn]

Hello,

I've set up an ipa-server with an one way trust to a windows 2012r2 controller.
All works on this server.
I can login with ad accounts on this server.

I added an ipa replica, and checked it all worked.

Now I tried
ipa-trust-add --add-agents on the first ipa server.
restarted ipa on both servers

but this did not help
then i did a
ipa-adtrust-install on the second ipa server
and a ipa trust-add --type=ad windows.domain

all dns queries from the docs work
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration

I get both ipa servers returned in the queries.
On the windows server and the ipa server.

On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
and get an answer
On the second I get : unknown user

What could be the cause of this, why does the second server not do
ad-authentication ?

Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users

[Rob Verduijn]

hmmm
It suddenly started to work.weird.

On both servers I changed  dns_lookup_realm = true (was false)
stoped sssd and cleared the sssd cache
rm /var/lib/sss/db/*
started sssd and it works now

But I find it hard to believe that was the cause.
Is there a cache involved somewhere ?

Rob Verduijn

2016-01-28 13:26 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>:
> Hello,
>
> I've set up an ipa-server with an one way trust to a windows 2012r2 
> controller.
> All works on this server.
> I can login with ad accounts on this server.
>
> I added an ipa replica, and checked it all worked.
>
> Now I tried
> ipa-trust-add --add-agents on the first ipa server.
> restarted ipa on both servers
>
> but this did not help
> then i did a
> ipa-adtrust-install on the second ipa server
> and a ipa trust-add --type=ad windows.domain
>
> all dns queries from the docs work
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration
>
> I get both ipa servers returned in the queries.
> On the windows server and the ipa server.
>
> On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user
> and get an answer
> On the second I get : unknown user
>
> What could be the cause of this, why does the second server not do
> ad-authentication ?
>
> Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] multimaster ad one way trust setup

[Rob Verduijn]

Cool

Thanx
Rob Verduijn

2016-01-25 12:59 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>
>> Since the first option has less impact, that one sounds the most
>> interesting.
>> However, does this also remain functional when the first ipa server is
>> taken offline ?
>
> Yes. What this option enables is to allow IPA master to become 'trust
> agent' which means SSSD on that master will be able to use cross-forest
> trust credentials to talk to AD for user/group information and
> authentication purposes. It does not allow that master to *manage* the
> trust itself.
>
>>
>> Rob Verduijn
>>
>> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
>>>
>>> On Mon, 25 Jan 2016, Rob Verduijn wrote:
>>>>
>>>>
>>>> Hi all,
>>>>
>>>> When you have an ipa 4.2 server with an one way trust to the ad.
>>>> What steps are needed to install a second ipa master that also has a
>>>> one way trust to the ad ?
>>>
>>>
>>> Depends on what you want to achieve.
>>>
>>> If you want second IPA master to be able to resolve AD users, just
>>> install the master and run 'ipa-adtrust-install --add-agents' on the
>>> *first* master. This will prompt you to be asked on adding the second
>>> master to the list of hosts allowed to use cross-forest trust
>>> credentials.
>>>
>>> If you want to use the second IPA master to *manage* trust, you'd need
>>> to run 'ipa-adtrust-install' on the it. No need to specify
>>> '--add-agents' because the master where 'ipa-adtrust-install' is being
>>> run will be automatically added to the list.
>>> --
>>> / Alexander Bokovoy
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>
>
> --
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Default shell for AD-domain accounts

[Rob Verduijn]

Maybe the difference was that I used a fresh demo installation from
windows 2012r2 server.
I only added the ad-controller, dns and ntp functionality for testing.
(and all the patches...which literaly takes a day to complete on a
system with 4 cores and 4G ram)

I also found out that dnsseq is not default, so I disabled dnsseq
validation on the ipa server in the named.conf.
Because this already cost me a day's work debugging and not to mention
lack of knowledge on how to do this in ad.

Minor side note,
according to : 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
In the dns verification checks it tells you to verify the kerberos udp record
dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.
This yields no response

There is no udp record in the ad , but there is a tcp record.
dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.
This gives a response

I also validated the trust on the AD side, I'm not sure this is needed.

After doing this I can issue the command : 'id AD.DOMAIN\\ADUSER' and
I get a response telling me the uid/gid/ad-id/ad-group etc.

Rob Verduijn

2016-01-25 9:24 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
> On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
>> Hi,
>>
>> H microsoft removes the UI, but leaves the schema extension.
>> Does not really make sense, but after some googling this does seem to
>> be the case.
>>
>> Your comment made me check google with some different keywords and I
>> found that there was this irritation that was solved by somebody. (at
>> microsoft)
>>
>> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
>>
>> That explains why modifying the loginShell attribute did not work.
>>
>> I put the 'ldap_user_shell=msSFU30LoginShell' in the
>> [domain/ipadomain] section from sssd.conf.
>> This is required I guess on all ipa-clients that AD-accounts get access to.
>
> Hmm, is this really required? The thing is that the IPA clients get
> their information through an extended operation and it's the SSSD on the
> IPA server that does the heavy lifting and just passes the info to the
> clients.
>
> I'll try to find some time later to test this..
>
>>
>> And now all users seem to get the /bin/bash that can be set in the
>> AD-user attribute loginShell
>>
>> ( glad to see the keep their camel case in sync everywhere in the AD )
>>
>> Thanks for thinking along on this one.
>> Rob Verduijn
>>
>> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
>> >
>> >> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verdu...@gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
>> >>
>> >> So far I've managed to get the trust to work and I can login with an
>> >> active directory user on the ipa clients.
>> >>
>> >> Now I see the default shell is set to /bin/sh.
>> >> Since the preffered shel is bash for me I wish to change this.
>> >> It doesn't help to set this in the ipa server config since these
>> >> accounts are external ms accounts.
>> >>
>> >> In the goog old days we used to have posix attributes schemas in the
>> >> AD one of them being the shell.
>> >>
>> >> Sadly this is a thing of the past.
>> >   
>> >
>> > Are you referring to IMU being deprecated? IIRC the attributes should 
>> > work..even though MS is deprecating the UI..
>> >
>> > Alternatively, since the clients read the ID info via the server, 
>> > overrinding the shell in IPA server's sssd.conf should work as well.
>> >
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>> >>
>> >> How do I define a new default shell for all ms-AD accounts in ipa ?
>> >>
>> >> Cheers
>> >> Rob Verduijn
>> >>
>> >> --
>> >> Manage your subscription for the Freeipa-users mailing list:
>> >> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >> Go to http://freeipa.org for more info on the project
>> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] multimaster ad one way trust setup

[Rob Verduijn]

Hi all,

When you have an ipa 4.2 server with an one way trust to the ad.
What steps are needed to install a second ipa master that also has a
one way trust to the ad ?

Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Default shell for AD-domain accounts

[Rob Verduijn]

Hello,

I'm trying to get an ipa server to trust a microsoft AD-domain.

So far I've managed to get the trust to work and I can login with an
active directory user on the ipa clients.

Now I see the default shell is set to /bin/sh.
Since the preffered shel is bash for me I wish to change this.
It doesn't help to set this in the ipa server config since these
accounts are external ms accounts.

In the goog old days we used to have posix attributes schemas in the
AD one of them being the shell.

Sadly this is a thing of the past.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

How do I define a new default shell for all ms-AD accounts in ipa ?

Cheers
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Default shell for AD-domain accounts

[Rob Verduijn]

Doing this on a per user basis is nice when you have only a few users.
Since I expect this to become a source of frustration in the future
for new users., is there any way to automate this with a workaround ?
ie somehow pull the groups from the ad and automagically create the
user view override ?

Cheers
Rob Verduijn

2016-01-24 15:40 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
> On Sun, 24 Jan 2016, Rob Verduijn wrote:
>>
>> Hello,
>>
>> I'm trying to get an ipa server to trust a microsoft AD-domain.
>>
>> So far I've managed to get the trust to work and I can login with an
>> active directory user on the ipa clients.
>>
>> Now I see the default shell is set to /bin/sh.
>> Since the preffered shel is bash for me I wish to change this.
>> It doesn't help to set this in the ipa server config since these
>> accounts are external ms accounts.
>>
>> In the goog old days we used to have posix attributes schemas in the
>> AD one of them being the shell.
>>
>> Sadly this is a thing of the past.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>>
>> How do I define a new default shell for all ms-AD accounts in ipa ?
>
> You can use ID overrides per user to add shell override.
>
> We don't have templated overrides, though, so these are individual, per
> user.
> --
> / Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Default shell for AD-domain accounts

[Rob Verduijn]

Hi,

H microsoft removes the UI, but leaves the schema extension.
Does not really make sense, but after some googling this does seem to
be the case.

Your comment made me check google with some different keywords and I
found that there was this irritation that was solved by somebody. (at
microsoft)

http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx

That explains why modifying the loginShell attribute did not work.

I put the 'ldap_user_shell=msSFU30LoginShell' in the
[domain/ipadomain] section from sssd.conf.
This is required I guess on all ipa-clients that AD-accounts get access to.

And now all users seem to get the /bin/bash that can be set in the
AD-user attribute loginShell

( glad to see the keep their camel case in sync everywhere in the AD )

Thanks for thinking along on this one.
Rob Verduijn

2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>:
>
>> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verdu...@gmail.com> wrote:
>>
>> Hello,
>>
>> I'm trying to get an ipa server to trust a microsoft AD-domain.
>>
>> So far I've managed to get the trust to work and I can login with an
>> active directory user on the ipa clients.
>>
>> Now I see the default shell is set to /bin/sh.
>> Since the preffered shel is bash for me I wish to change this.
>> It doesn't help to set this in the ipa server config since these
>> accounts are external ms accounts.
>>
>> In the goog old days we used to have posix attributes schemas in the
>> AD one of them being the shell.
>>
>> Sadly this is a thing of the past.
>   
>
> Are you referring to IMU being deprecated? IIRC the attributes should 
> work..even though MS is deprecating the UI..
>
> Alternatively, since the clients read the ID info via the server, overrinding 
> the shell in IPA server's sssd.conf should work as well.
>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>>
>> How do I define a new default shell for all ms-AD accounts in ipa ?
>>
>> Cheers
>> Rob Verduijn
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] service account for ovirt

[Rob Verduijn]

Hello,

I've tested the solution you suggested it doesnt work
I think ovirt-engine looks for the other users in the same context as
the bind user, it will ofcourse find not many there,


I can't get the seconf option with the keytab to work.
So I'm stuck with the full blown user account for this.

Here's what I did :

The ovirt os is centos 6 x86_64
All the latest patches have been applied.
It can be a member of the freeipa domain but this is not required for
the ovirt-freeipa authentication to work.
personally I think its nice to have the ovirt machine under freeipa
supervision as wel.

the freeipa os is centos7 x*6_64
All the latest patches have been applied.

The ovirt environment is configured, up and running.

There are two ways of single sign on for ovirt.
see 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

This howto is for the first option
you require a search account in the freeipa domain.
add a user account to the freeipa domain
login with that account so it asks you to set a new password for it
then reset the experation date for the password to somewhere in the
far future with the procedure below

#
# Add the search account for ovirt to the freeipa domain.
#
# executed these commands on the freeipa server as root.
#

# first set the variables
export SUFFIX='dc=example,dc=com'
export OVIRT_SERVER=ovirt.example.com
export FREEIPA_DOMAIN=EXAMPLE.COM
export USERNAME=ovirt
export YOUR_PASSWORD='top_secret_random_very_long_password'

# create an ldif file
cat > resetexperation.ldif << EOF
dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX
changetype: modify
replace: krbpasswordexpiration
krbpasswordexpiration: 20380119031407Z
EOF

# apply the ldif file
# the password requested is the directory admin password, this is NOT
the same account as the freeipa admin
ldapmodify -x -D "cn=directory manager" -W -vv -f resetexperation.ldif

# for the second option also :
# add the service for http to freeipa
kinit admin
ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN

#
# The following commands are executed as root on the ovirt-engine machine.
# This is the example that allows single sign on from the portal to the vm's
# Assuming the forementioned bindaccount exists in the freeipa domain
#

#
# first install the required package :
#

yum install -y ovirt-engine-extension-aaa-ldap

#
# create the ovirt configuration files
# examples can be found here :
# /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/.
#

mkdir /etc/ovirt-engine/aaa
mkdir /etc/ovirt-engine/extenstions.d

#
# set the vars again ( exports do not work between vm's)
#

export SUFFIX='dc=example,dc=com'
export YOUR_PASSWORD='top_secret_random_very_long_password'
export FREEIPA_SERVER=freeipa.example.com
export PROFILE_NAME=profile1

#
# create the config files
#
cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF
include = 
vars.server = $FREEIPA_SERVER
vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX
vars.password = $YOUR_PASSWORD
pool.default.serverset.single.server = \${global:vars.server}
pool.default.auth.simple.bindDN = \${global:vars.user}
pool.default.auth.simple.password = \${global:vars.password}
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF
ovirt.engine.extension.name = $PROFILE_NAME-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME
ovirt.engine.aaa.authn.authz.plugin = $PROFILE_NAME-authz
config.profile.file.1 = ../aaa/$PROFILE_NAME.properties
EOF

#
# change owner and permissions of the profile file
#
chown ovirt:ovirt /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties
chmod 400 /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties

#
#  restart the ovirt engine
#
service ovirt-engine restart

#
#  done you can now add freeipa users to the rhevm portal in the users menu
#  after the users have been added you can assign permissions for them
on the vm's
#


Cheers
Rob Verduijn

2015-11-18 20:34 GMT+01:00 Martin Kosek <mko...@redhat.com>:
> On 11/18/2015 04:27 PM, Rob Verduijn wrote:
>>
>> 2015-11

Re: [Freeipa-users] service account for ovirt

[Rob Verduijn]

2015-11-18 15:51 GMT+01:00 Martin Kosek <mko...@redhat.com>:
> On 11/18/2015 08:23 AM, Rob Verduijn wrote:
>> Hello all,
>>
>> I've read a lot regarding service accounts on this mailinglist in the past.
>> But it's rather unclear to me what is the current preffered method to
>> create a service account for a service running on a different machine.
>>
>> In this case it would be  a service account for ovirt so that freeipa
>> users can authenticate in the ovirt portal using their freeipa
>> credentials.
>
> It sounds like that you do not want system user account, but you are OK with
> service account so that you can get a keytab for your oVirt instance. In that
> case, simple
>
> $ ipa service-add HTTP/frontend.ovirt.test
> and
> $ ipa-getkeytab ...
> should be enough, right?
>
> Maybe I just do not understand the use case.
>
>> I could ofcourse create an account and then apply a ldf to set its
>> password expiration to the next millennium to make sure the password
>> does not expire.
>>
>> Anybody who has a good suggestion on how to deal with this ?
>>
>> Cheers
>> Rob Verduijn
>>
>



Hello,

I think some more context should clear this up a bit.

according to the rhev administrator guide: (ovirt referes to rhev manuals a lot)
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html

It talks about two options as a single sign on solution.

On have the single sign on work for the portal, but then it won't work
for the vm's.
( something about not being able to pass a password since the portal
won't have one to pass )

Or have the single sign on work for the vm's but than you have to sign
in to the portal so it can pass on your credentials to the vm's.

 I guess there is some interesting technical challenge to deal with to
merge those two cases.

The first option requires privileges to browse the freeipa directory
to look for user accounts.
I do not know if that can be solved with something as simple as a
keytab and a pricipal.

My current working solution is an account with a very long password
experation time in the freeipa directory
( a random 32 character/number password is being used for this )

However something tells me that there is a more elegant solution.
And I was wondering if anyone knows one.

Cheers
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] service account for ovirt

[Rob Verduijn]

Hello all,

I've read a lot regarding service accounts on this mailinglist in the past.
But it's rather unclear to me what is the current preffered method to
create a service account for a service running on a different machine.

In this case it would be  a service account for ovirt so that freeipa
users can authenticate in the ovirt portal using their freeipa
credentials.

I could ofcourse create an account and then apply a ldf to set its
password expiration to the next millennium to make sure the password
does not expire.

Anybody who has a good suggestion on how to deal with this ?

Cheers
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

[Rob Verduijn]

2015-10-30 20:14 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
> Rob Verduijn wrote:
>> Hello all,
>>
>> It has been a while since I asked this before.
>>
>> Multitenancy was put in the freezer back then in favor of this nice project :
>> https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2
>> Darn...I failed to pay attention a little and suddenly 1.1.1 is
>> peeking around the corner already.
>>
>> Now that ipsilon has reached 1.0.0, is there a change regarding the
>> possibility for multitenancy ?
>> http://www.freeipa.org/page/V3/Multitenancy
>
> I'm not sure how Ipsilon releases and IPA multitenancy are inter-related.
>
> rob
>

The answer from Dimitri in this mailthread from some time ago is why I
thought so.
https://www.redhat.com/archives/freeipa-users/2015-February/msg00339.html

Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?

[Rob Verduijn]

Hello all,

It has been a while since I asked this before.

Multitenancy was put in the freezer back then in favor of this nice project :
https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2
Darn...I failed to pay attention a little and suddenly 1.1.1 is
peeking around the corner already.

Now that ipsilon has reached 1.0.0, is there a change regarding the
possibility for multitenancy ?
http://www.freeipa.org/page/V3/Multitenancy

Cheers
Rob Verduijn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] certificate alert

[Rob Verduijn]

Hello,

Is there an easy way to get alerts for soon to expire certificates in freeipa ?

Because the day you forget to do the checks via the gui or cli is the
day you will be regretting.

Cheers
Rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] indirect automount offsets

[Rob Verduijn]

Hello,

It indeed works
--key=*  --info='/ -rw nfs.example.com:/homes/ /subdir -rw
nfs2.example.com:/subdir'

however the directory is not mounted.

I know it works because when running automount in debug mode I see
mounted nfs.example.com:/homes/test on /home/test

and then it tries to mount the subdir
do_mount_autofs_offset: mount offset /home/test/subdir at /home/test

however it fails with the error
mount_autofs_offset: can't create mount directory: /home/test/subdir,
Permission denied
failed to mount offset

as a test I set an acl on the /exports/homes dir on the fileserver.
setfacl -R -m other:rwx /exports/homes
setfacl -R -m d:other:rwx /eports/homes
and created the mountpoint in the home directory (it failed when it
does not exist do to root squash I guess)
mkdir /exports/homes/test/subdir

and the offset subdir mount is mounted by autofs on the client.

any ideas on how to set the privileges in such a way that not
everybody requires access to the exports ?

Rob Verduijn

2015-04-16 5:36 GMT+02:00 Rob Crittenden rcrit...@redhat.com:
 Rob Verduijn wrote:
 Hello,

 I'm trying to figure out how to use automounts in freeipa with offsets.

 currently I have this:
 the default location containing 3 maps
 auto.direct
 auto.home
 auto.master

 auto.direct is empty
 auto.home contains:
 key : * mount information : -rw nfs.example.com:/homes/
 auto.master contains
 key : /-  mount-information : auto.direct
 key: /home mount information : auto.home

 in autofs file this would be :
 auto.master :
 /- /etc/auto.direct
 /home /etc/auto.home

 and auto.home would contain:
 test -rw nfs.example.com:/homes/

 now I would like to do the automount indirect offset like this :
 test / -rw nfs.example.com:/homes/test \
 /newfolder nfs2.example.com:/newfolder \
 /anotherfolder nfs3.example.com:/anotherfolder \
 /anotherfolder/2deep nfs4.example.com:/2deep

 which would automount the newfolder like this :
 /home/test/newfolder
 and anotherfolder like this
 /home/test/anotherfolder
 and 2deep like this
 /home/test/anotherfolder/2deep

 is this possible in freeipa ?
 Rob


 If it's possible with LDAP-stored autofs it should be possible with IPA.
 I've typically used much simpler configurations with automount.

 Theoreticaly it should work just the way you'd set it in a file, as
 you've posted. Did you try it? You'd set --key=test --info='/ -rw ...'

 rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] indirect automount offsets

[Rob Verduijn]

Hello,

I'm trying to figure out how to use automounts in freeipa with offsets.

currently I have this:
the default location containing 3 maps
auto.direct
auto.home
auto.master

auto.direct is empty
auto.home contains:
key : * mount information : -rw nfs.example.com:/homes/
auto.master contains
key : /-  mount-information : auto.direct
key: /home mount information : auto.home

in autofs file this would be :
auto.master :
/- /etc/auto.direct
/home /etc/auto.home

and auto.home would contain:
test -rw nfs.example.com:/homes/

now I would like to do the automount indirect offset like this :
test / -rw nfs.example.com:/homes/test \
/newfolder nfs2.example.com:/newfolder \
/anotherfolder nfs3.example.com:/anotherfolder \
/anotherfolder/2deep nfs4.example.com:/2deep

which would automount the newfolder like this :
/home/test/newfolder
and anotherfolder like this
/home/test/anotherfolder
and 2deep like this
/home/test/anotherfolder/2deep

is this possible in freeipa ?
Rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] OTP and cached credentials

[Rob Verduijn]

For which sssd release is this feature targetted ?

Rob Verduijn

2015-03-12 23:26 GMT+01:00 Dmitri Pal d...@redhat.com:

 On 03/12/2015 04:59 PM, Jakub Hrozek wrote:

 On 12 Mar 2015, at 21:32, Rob Verduijn rob.verdu...@gmail.com wrote:

 Hello,

 I was looking into otp authentication and found some articles on how to
 enable this in freeipa.

 I can't seem to figure out how this is going to deal with cashed
 credentials on a laptop that is not able to connect the ipa server.

 How is this going to work out when 'native OTP' is being used ?

 I'm sorry, but currently it doesn't as with the current (sssd-1.12.x)
 version we treat the long and one-time part as a single blob, so we can't
 cache it.

 In the next version, we'll work on prompting for and handling the short
 and long term parts of the authtok separately, so we'll be able to cache
 credentials.

  Yes. Please do not use current version for laptops.
 See the warning: https://access.redhat.com/documentation/en-US/Red_Hat_
 Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index.
 html#otp

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] OTP and cached credentials

[Rob Verduijn]

Hello,

I was looking into otp authentication and found some articles on how to
enable this in freeipa.

I can't seem to figure out how this is going to deal with cashed
credentials on a laptop that is not able to connect the ipa server.

How is this going to work out when 'native OTP' is being used ?
Or with a radius proxy ?

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] multi-tenancy status

[Rob Verduijn]

Now that sounds like an interesting project  :-)

besides the following links any other places where I can read up about it ?
https://fedorahosted.org/ipsilon/
http://www.freeipa.org/page/Web_App_Authentication
http://en.wikipedia.org/wiki/Identity_provider
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

Cheers
Rob

2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com:

  On 02/24/2015 12:34 PM, Rob Verduijn wrote:

 Hello,

  I'm interested in setting up ipa with multiple tenancies.

  However I can only find this document about the subject:
 http://www.freeipa.org/page/V3/Multitenancy

  What is the status of the implementation of  multiple tenancies.


 Unscheduled.
 Too much work to implement as proposed.
 We will go with IPA to IPA trusts and SAML based federation (project
 Ipsilon) first.


  Cheers
 Rob Verduijn




 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] multi-tenancy status

[Rob Verduijn]

Thanx,

That all sounds very interesting, I've got some reading up to do.
I'm going to point this out to some people :-)

Rob

2015-02-24 20:55 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

 Rob Verduijn wrote:
  Now that sounds like an interesting project  :-)
 
  besides the following links any other places where I can read up about
 it ?
  https://fedorahosted.org/ipsilon/
  http://www.freeipa.org/page/Web_App_Authentication
  http://en.wikipedia.org/wiki/Identity_provider
  http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

 For more details on SAML2 than you'll even want, see
 https://wiki.oasis-open.org/security/FrontPage

 mod_auth_mellon is an SP for Apache that is compatible with Ipsilon.
 There is also https://shibboleth.net/

 Devs hang out in #ipsilon on freenode

 Ipsilon will be one of the changes in F-22:
 http://fedoraproject.org/wiki/Releases/22/ChangeSet#Ipsilon

 A test day is planned for March 12 (assuming approved by FESCO).

 rob

 
  Cheers
  Rob
 
  2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com
  mailto:d...@redhat.com:
 
  On 02/24/2015 12:34 PM, Rob Verduijn wrote:
  Hello,
 
  I'm interested in setting up ipa with multiple tenancies.
 
  However I can only find this document about the subject:
  http://www.freeipa.org/page/V3/Multitenancy
 
  What is the status of the implementation of  multiple tenancies.
 
  Unscheduled.
  Too much work to implement as proposed.
  We will go with IPA to IPA trusts and SAML based federation (project
  Ipsilon) first.
 
 
  Cheers
  Rob Verduijn
 
 
 
 
  --
  Thank you,
  Dmitri Pal
 
  Sr. Engineering Manager IdM portfolio
  Red Hat, Inc.
 
 
  --
  Manage your subscription for the Freeipa-users mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-users
  Go To http://freeipa.org for more info on the project
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] multi-tenancy status

[Rob Verduijn]

Hello,

I'm interested in setting up ipa with multiple tenancies.

However I can only find this document about the subject:
http://www.freeipa.org/page/V3/Multitenancy

What is the status of the implementation of  multiple tenancies.

Cheers
Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] DS failed after upgrade

[Rob Verduijn]

Hi all,

Either I was to worn out last night, or another update has happened.
This morning the directory server did start after the update.
local dns zones however where not available again after the update
ipa-ldap-updater did not help to fix it.

The are again only 7 DNS aci objects are still in the ds.( same as before
when it failed )
I also noticed that there are also quite a lot lower case dns aci objects.

Rob




2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com:

  Changed subject.
 Rob CCed

 On 07/11/14 09:52, Martin Basti wrote:

 Forward message back to list


  Original Message   Subject: Re: [Freeipa-users] dns
 stops working after upgrade  Date: Thu, 6 Nov 2014 21:42:55 +0100  From: Rob
 Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com  To: Martin
 Basti mba...@redhat.com mba...@redhat.com

 Hi again,

  I tried the update to 4.1.1
 It didn't went well, actually it went worse than to 4.1.
 Now the directory service went down and was no longer able to start.

  Some part of the logs is below.
 Besides the warnings about a weak cipher there was not much in the
 journalctl.

  It's getting late overhere, I'll dig into the logs tomorrow.

  Rob

  Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory
 Server TJAKO-THUIS
 Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory
 Server TJAKO-THUIS..
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since
 allowWeakCipher is on (default setting for the backward compatibility).
 We strongly recommend to set it to off.  Please replace the value of
 allowWeakCipher with off in the encryption config entry
 cn=encryption,cn=config and restart the server.
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17.
 Ignoring fortezza
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in
 NSS 3.17.  Ignoring fortezza_rc4_128_sha
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS
 3.17.  Ignoring fortezza_null
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak.  It
 is enabled since allowWeakCipher is on (default setting for the backward
 compatibility). We strongly recommend to set it to off.  Please

Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

[Rob Verduijn]

Hello,

Yes this time there are
This section :
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity
postoperation,cn=plugins,cn=config
SNIP
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:

and this one
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
snip
2014-11-07T13:10:18Z ERROR Add failure

and this one: (but since I do not have AD it's kinda logical)
2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
snip
2014-11-07T13:10:19Z ERROR Upgrade failed with
2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
  File
/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py,
line 152, in __upgrade
self.modified = (ld.update(self.files, ordered=True) or
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 874, in update
updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
line 123, in update
(restart, apply_now, res) = self.run(update.name, **kw)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
line 146, in run
return self.Updater[method](**kw)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1399, in
__call__
return self.execute(**options)
  File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py,
line 89, in execute
api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in
__call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 754, in
run
return self.execute(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 2528,
in execute
result = super(dnszone_mod, self).execute(*keys, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line
1385, in execute
dn = self.obj.get_dn(*keys, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 1784,
in get_dn
assert zone.is_absolute()
AssertionError
snip
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG   File
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in
execute
return_value = self.run()
  File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py,
line 151, in run
raise admintool.ScriptError('IPA upgrade failed.', 1)

2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, exception:
ScriptError: IPA upgrade failed.
2014-11-07T13:10:23Z ERROR IPA upgrade failed.
2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
options: {'debug': False, 'quiet': True}
2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20


and another
2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity
postoperation,cn=plugins,cn=config
snip
2014-11-07T13:10:03Z DEBUG Live 1, updated 1
2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
'Operations error'}
2014-11-07T13:10:03Z ERROR Update failed: Operations error:

That's it
Rob




2014-11-07 13:56 GMT+01:00 Martin Basti mba...@redhat.com:

  On 07/11/14 13:52, Rob Verduijn wrote:

 Hi all,

  Either I was to worn out last night, or another update has happened.
 This morning the directory server did start after the update.
 local dns zones however where not available again after the update
 ipa-ldap-updater did not help to fix it.

  The are again only 7 DNS aci objects are still in the ds.( same as
 before when it failed )
 I also noticed that there are also quite a lot lower case dns aci objects.

  Rob


   Hi,

 do you have any errors in /var/log/ipaupgrade.log ?



 2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com:

  Changed subject.
 Rob CCed

 On 07/11/14 09:52, Martin Basti wrote:

 Forward message back to list


  Original Message   Subject: Re: [Freeipa-users] dns
 stops working after upgrade  Date: Thu, 6 Nov 2014 21:42:55 +0100  From: Rob
 Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com  To: Martin
 Basti mba...@redhat.com mba...@redhat.com

 Hi again,

  I tried the update to 4.1.1
 It didn't went well, actually it went worse than to 4.1.
 Now the directory service went down and was no longer able to start.

  Some part of the logs is below.
 Besides the warnings about a weak cipher there was not much in the
 journalctl.

  It's getting late overhere, I'll dig into the logs tomorrow.

  Rob

  Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory
 Server TJAKO-THUIS
 Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory
 Server TJAKO-THUIS..
 Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58
 +0100

Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

[Rob Verduijn]

Yup that solved it.

Everything looks ok now :-)

Thank you for you great effort.
Rob

2014-11-07 14:55 GMT+01:00 Martin Basti mba...@redhat.com:

  On 07/11/14 14:26, Rob Verduijn wrote:

 Hello,

  Yes this time there are
 This section :
  2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
 integrity postoperation,cn=plugins,cn=config
  SNIP
  2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR:
 {'desc': 'Operations error'}
 2014-11-07T13:10:03Z ERROR Update failed: Operations error:

  and this one
 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
 Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
  snip
 2014-11-07T13:10:18Z ERROR Add failure

  Known issues

  and this one: (but since I do not have AD it's kinda logical)
 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust
 Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis
  snip
  2014-11-07T13:10:19Z ERROR Upgrade failed with
 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last):
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py,
 line 152, in __upgrade
 self.modified = (ld.update(self.files, ordered=True) or
   File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
 line 874, in update
 updates = api.Backend.updateclient.update(POST_UPDATE,
 self.dm_password, self.ldapi, self.live_run)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
 line 123, in update
 (restart, apply_now, res) = self.run(update.name, **kw)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
 line 146, in run
 return self.Updater[method](**kw)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1399,
 in __call__
 return self.execute(**options)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py, line
 89, in execute
 api.Command.dnszone_mod(zone[u'idnsname'][0], **update)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in
 __call__
 ret = self.run(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 754, in
 run
 return self.execute(*args, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line
 2528, in execute
 result = super(dnszone_mod, self).execute(*keys, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line
 1385, in execute
 dn = self.obj.get_dn(*keys, **options)
   File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line
 1784, in get_dn
 assert zone.is_absolute()
 AssertionError


 This is the problem, it is new bug.

 The workaround is replace the code in:
 /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68
 - zones = api.Command.dnszone_find(all=True)['result']
 + zones = api.Command.dnszone_find(all=True, raw=True)['result']

 (I didn't test it)

 and run ipa-ldap-updater --upgrade

 Thank you for patience.



  snip
  2014-11-07T13:10:23Z ERROR IPA upgrade failed.
  2014-11-07T13:10:23Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in
 execute
 return_value = self.run()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py,
 line 151, in run
 raise admintool.ScriptError('IPA upgrade failed.', 1)

  2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed,
 exception: ScriptError: IPA upgrade failed.
 2014-11-07T13:10:23Z ERROR IPA upgrade failed.
 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with
 options: {'debug': False, 'quiet': True}
 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20


  and another
 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential
 integrity postoperation,cn=plugins,cn=config
  snip
  2014-11-07T13:10:03Z DEBUG Live 1, updated 1
 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc':
 'Operations error'}
 2014-11-07T13:10:03Z ERROR Update failed: Operations error:

  That's it
 Rob




 2014-11-07 13:56 GMT+01:00 Martin Basti mba...@redhat.com:

  On 07/11/14 13:52, Rob Verduijn wrote:

 Hi all,

  Either I was to worn out last night, or another update has happened.
 This morning the directory server did start after the update.
 local dns zones however where not available again after the update
 ipa-ldap-updater did not help to fix it.

  The are again only 7 DNS aci objects are still in the ds.( same as
 before when it failed )
 I also noticed that there are also quite a lot lower case dns aci objects.

  Rob


   Hi,

 do you have any errors in /var/log/ipaupgrade.log ?



 2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com:

  Changed subject.
 Rob CCed

 On 07/11/14 09:52, Martin Basti wrote:

 Forward message back to list


  Original Message   Subject: Re: [Freeipa-users] dns
 stops working after upgrade  Date: Thu, 6 Nov 2014 21:42:55 +0100  From:
 Rob Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com  To: Martin
 Basti mba

[Freeipa-users] missing package in 4.1.1 repo

[Rob Verduijn]

Hi,

There is a dependency error in the updated repo.
I did a yum clean all
then a yum update.

I got this error:
Error: Package: freeipa-server-4.1.1-1.fc20.x86_64 (mkosek-freeipa)
   Requires: slapi-nis = 0.54.1-1
   Removing: slapi-nis-0.52-1.fc20.x86_64 (@private.updates)
   slapi-nis = 0.52-1.fc20
   Updated By: slapi-nis-0.54-1.fc20.x86_64 (mkosek-freeipa)
   slapi-nis = 0.54-1.fc20
   Available: slapi-nis-0.50-1.fc20.x86_64 (fedora)
   slapi-nis = 0.50-1.fc20


yum list --show-duplicates slapi-nis
Installed Packages
slapi-nis.x86_64 0.54-1.fc20
   @mkosek-freeipa
Available Packages
slapi-nis.x86_64 0.50-1.fc20
   private.base
slapi-nis.x86_64 0.52-1.fc20
   private.updates
slapi-nis.x86_64 0.54-1.fc20
   mkosek-freeipa

there is no 0.54.1-1.fc20 version of slapi-nis

Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello again,

I don't know about foreman upstream, the current version that I am using
included in the katello installation is 1.6
And the foreman manpage still requires the configuration of the
realm-smart-proxy.
http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm

About the snapshot:
I removed all the katello entries from my current freeipa installation ( I
peeked in the script to see what it did )
  - user (foreman-realm)
  - role (Smart Host Proxy Manager)
  - privilege (Smart Host Proxy Management)
  - 3 custom permissions ( modify host password, write host certificate,
modify host userclass )
applied the update to freeipa 4.1.
my local dns zones did not resolv again
running the ipa-ldap-updater did not fix it

So I guess that it is not due to the katello integration or the
realm-smart-proxy script.

Rob

2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 4.11.2014 17:15, Rob Verduijn wrote:

 The problem with 'foreman-prepare-realm' and freeipa was that it claimed
 that a few o thef permissions required did not exist when it tried to add
 them to the 'smart proxy host management' privilege.

 I think it was because the permissions were all in lower case without the
 'System: ' prefix. This is just an assumption since I did not get to work
 even after adding them manually. So I figured to try it again after
 reverting back to 3.3.5.

 After downgrading I learned that it did not work due to a bug in a ruby
 script. (fixed by commenting out line 505-506
 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
 https://bugs.ruby-lang.org/issues/8182 and
 https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )

 After which I tried the upgrade again.

 regarding
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
 I did look again using the kredentials as mentioned in step 4. and saw
 only
 3 objects (1x idnsConfigObject 2x nsContainer)
 When using admin credentials I saw all the dns zone entries.

 I can see the zone entries in the ipa gui.

 Also when I look at the permissions in ipa there are no longer any
 permissions that have the 'System: ' prefix.


 AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x
 because it was obsoleted by 'native' proxy delivered by Foreman upstream.

 Am I right, Rob (Crittenden)? :-)

 Anyway, back to your DNS problem. Did it worked before you installed
 Foreman proxy? Or not? I.e. is it working when you revert the snapshot?

 Do you have other replicas in the replication topology? Please keep in
 mind that changes in LDAP (including changes to permissions) are replicated
 so reverting one VM and not others is not necessarily enough.

 Petr^2 Spacek


  2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 4.11.2014 15:27, Rob Verduijn wrote:

  Hello again,

 I've managed to integrate my katello configuration with freeipa.
 Now I not only use freeipa authentication in katello but also when a
 host
 is defined in katello it automagically gets created in the freeipa
 realm ,
 certs, otp,dns all working great.

 however, to obtain all this integration greatness I had to downgrade my
 freeipa to 3.3.5 again (revert snapshot) because the katello realm
 integration tool (foreman-prepare-realm) is not capable of dealing with
 4.X
 versions of freeipa.

  It would be nice if you could get tell us more details about the
 problem
 you had with Katello, AFAIK we are not aware of any.

   And now the named-pkcs11 again does not see my internal zones.


 This page
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
 thinks
 I should contact the freeipa-users list


 Do I understand correctly that you did all the steps 0-4 successfully and
 then you found out that you can't see DNS objects in LDAP (step 5) when
 using ldapsearch with DNS principal?

 Can you see the objects in IPA web UI or CLI? If it is the case then we
 will need help from LDAP ACI expert (pviktori? :-).

 Petr^2 Spacek


   The command 'ipa-ldap-updater

 /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
 and the command 'ipa-ldap-updater' didn't fix it either.

 So I am now stuck at freeipa 3.3.5 again (with a working katello
 integration, so I got some mixed emotions about it)
 Any ideas anyone ?
 Rob






 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

   Hello,


 I've tested the update again.

 The bind-utils conflict is still there when I issue yum update
 freeipa-server ( as indicated on the freeipa 4.1 download page
 http://www.freeipa.org/page/Downloads#Upgrading )

 'yum update' works fine

 My internal zones didn't resolv after the update
 ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
 fix
 it
 ipa-ldap-updater did fix the 'access control instructions' and my
 internal
 dns zones started to resolv again :-)

 Cheers
 Rob


 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com:

   On 29.10.2014 16:46, Rob Verduijn wrote:


   Hello,


 # ipa-ldap

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

I use only a single freeipa server (so no replica to bother)

Internal zones worked before the update
After the update, internal zones no longer worked.
After reverting back the snapshot the internal zones worked again, no
additional actions were needed.

Rob

2014-11-05 16:11 GMT+01:00 Petr Spacek pspa...@redhat.com:

 Hello,

 Rob V., you did not answered to my question when DNS worked for you last
 time. Did it work right after reverting the snapshot?

 Petr^2 Spacek


 On 5.11.2014 16:09, Rob Verduijn wrote:

 Hello again,

 I don't know about foreman upstream, the current version that I am using
 included in the katello installation is 1.6
 And the foreman manpage still requires the configuration of the
 realm-smart-proxy.
 http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm

 About the snapshot:
 I removed all the katello entries from my current freeipa installation ( I
 peeked in the script to see what it did )
- user (foreman-realm)
- role (Smart Host Proxy Manager)
- privilege (Smart Host Proxy Management)
- 3 custom permissions ( modify host password, write host certificate,
 modify host userclass )
 applied the update to freeipa 4.1.
 my local dns zones did not resolv again
 running the ipa-ldap-updater did not fix it

 So I guess that it is not due to the katello integration or the
 realm-smart-proxy script.

 Rob

 2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 4.11.2014 17:15, Rob Verduijn wrote:

  The problem with 'foreman-prepare-realm' and freeipa was that it claimed
 that a few o thef permissions required did not exist when it tried to
 add
 them to the 'smart proxy host management' privilege.

 I think it was because the permissions were all in lower case without
 the
 'System: ' prefix. This is just an assumption since I did not get to
 work
 even after adding them manually. So I figured to try it again after
 reverting back to 3.3.5.

 After downgrading I learned that it did not work due to a bug in a ruby
 script. (fixed by commenting out line 505-506
 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
 https://bugs.ruby-lang.org/issues/8182 and
 https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )

 After which I tried the upgrade again.

 regarding
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
 I did look again using the kredentials as mentioned in step 4. and saw
 only
 3 objects (1x idnsConfigObject 2x nsContainer)
 When using admin credentials I saw all the dns zone entries.

 I can see the zone entries in the ipa gui.

 Also when I look at the permissions in ipa there are no longer any
 permissions that have the 'System: ' prefix.


 AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x
 because it was obsoleted by 'native' proxy delivered by Foreman upstream.

 Am I right, Rob (Crittenden)? :-)

 Anyway, back to your DNS problem. Did it worked before you installed
 Foreman proxy? Or not? I.e. is it working when you revert the snapshot?

 Do you have other replicas in the replication topology? Please keep in
 mind that changes in LDAP (including changes to permissions) are
 replicated
 so reverting one VM and not others is not necessarily enough.

 Petr^2 Spacek


   2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com:


   On 4.11.2014 15:27, Rob Verduijn wrote:


   Hello again,


 I've managed to integrate my katello configuration with freeipa.
 Now I not only use freeipa authentication in katello but also when a
 host
 is defined in katello it automagically gets created in the freeipa
 realm ,
 certs, otp,dns all working great.

 however, to obtain all this integration greatness I had to downgrade
 my
 freeipa to 3.3.5 again (revert snapshot) because the katello realm
 integration tool (foreman-prepare-realm) is not capable of dealing
 with
 4.X
 versions of freeipa.

   It would be nice if you could get tell us more details about the

 problem
 you had with Katello, AFAIK we are not aware of any.

And now the named-pkcs11 again does not see my internal zones.


 This page
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
 thinks
 I should contact the freeipa-users list


  Do I understand correctly that you did all the steps 0-4
 successfully and
 then you found out that you can't see DNS objects in LDAP (step 5) when
 using ldapsearch with DNS principal?

 Can you see the objects in IPA web UI or CLI? If it is the case then we
 will need help from LDAP ACI expert (pviktori? :-).

 Petr^2 Spacek


The command 'ipa-ldap-updater

  /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
 and the command 'ipa-ldap-updater' didn't fix it either.

 So I am now stuck at freeipa 3.3.5 again (with a working katello
 integration, so I got some mixed emotions about it)
 Any ideas anyone ?
 Rob






 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

Hello,


 I've tested the update again.

 The bind-utils conflict

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

Yes I noticed the name change it took me a while to realise it was a known
ruby bug in katello that caused the real problem.

I also checked after I updated the 'katello integrated' update from 3.3.5
to 4.1 and the permissions were neatly renamed to their new counterparts.

However the internal dns no longer worked :(

Rob

2014-11-05 16:17 GMT+01:00 Stephen Benjamin step...@redhat.com:

 On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote:
   Also when I look at the permissions in ipa there are no longer any
   permissions that have the 'System: ' prefix.
  
   AFAIK the foreman proxy is not necessary (and not supported) with IPA
   4.x because it was obsoleted by 'native' proxy delivered by Foreman
   upstream.
  
   Am I right, Rob (Crittenden)? :-)
 
  I believe he's referring to the native smart proxy here. It includes a
  script to setup permissions. I guess it hasn't been tested against a 4.x
  IPA master.

 The permissions have changed names in FreeIPA 4.0, which means the
 script won't work.  I've tested this one against 4.1 on F21 and it
 works:


 https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm

 There's an open pull request against foreman's Smart Proxy to include
 that in the next release:

   https://github.com/theforeman/smart-proxy/pull/231




 --
 Stephen Benjamin

 __
 Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn
 Handelsregister: Amtsgericht München, HRB 153243
 Geschäftsführer: Charles Cachera, Michael Cunningham,
 Michael O'Neill, Charles Peters



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Great news about the script.
I will as soon as I get the upgrade to 4.1 to work with internal dns
support.

yup 12 default permissions + 3 custom permissions in the
smart-host-proxy-management privilege
I guessed I leave those 12 default permissions since I expect it might
break things when I remove those :P

Rob

2014-11-05 16:20 GMT+01:00 Stephen Benjamin step...@redhat.com:

 On Wed, Nov 05, 2014 at 04:09:18PM +0100, Rob Verduijn wrote:
  Hello again,
 
  I don't know about foreman upstream, the current version that I am using
  included in the katello installation is 1.6
  And the foreman manpage still requires the configuration of the
  realm-smart-proxy.
  http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm
 
  About the snapshot:
  I removed all the katello entries from my current freeipa installation (
 I
  peeked in the script to see what it did )
- user (foreman-realm)
- role (Smart Host Proxy Manager)
- privilege (Smart Host Proxy Management)
- 3 custom permissions ( modify host password, write host certificate,
  modify host userclass )
  applied the update to freeipa 4.1.
  my local dns zones did not resolv again
  running the ipa-ldap-updater did not fix it

 It's more like 12 permissions for that privilege, the complaints of
 missing permissions you saw is because they've changed names in FreeIPA
 4, you can try this script instead:

 https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm


  So I guess that it is not due to the katello integration or the
  realm-smart-proxy script.
 
  Rob
 
  2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com:
 
   On 4.11.2014 17:15, Rob Verduijn wrote:
  
   The problem with 'foreman-prepare-realm' and freeipa was that it
 claimed
   that a few o thef permissions required did not exist when it tried to
 add
   them to the 'smart proxy host management' privilege.
  
   I think it was because the permissions were all in lower case without
 the
   'System: ' prefix. This is just an assumption since I did not get to
 work
   even after adding them manually. So I figured to try it again after
   reverting back to 3.3.5.
  
   After downgrading I learned that it did not work due to a bug in a
 ruby
   script. (fixed by commenting out line 505-506
   in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
   https://bugs.ruby-lang.org/issues/8182 and
   https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )
  
   After which I tried the upgrade again.
  
   regarding
   https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
   I did look again using the kredentials as mentioned in step 4. and saw
   only
   3 objects (1x idnsConfigObject 2x nsContainer)
   When using admin credentials I saw all the dns zone entries.
  
   I can see the zone entries in the ipa gui.
  
   Also when I look at the permissions in ipa there are no longer any
   permissions that have the 'System: ' prefix.
  
  
   AFAIK the foreman proxy is not necessary (and not supported) with IPA
 4.x
   because it was obsoleted by 'native' proxy delivered by Foreman
 upstream.
  
   Am I right, Rob (Crittenden)? :-)
  
   Anyway, back to your DNS problem. Did it worked before you installed
   Foreman proxy? Or not? I.e. is it working when you revert the snapshot?
  
   Do you have other replicas in the replication topology? Please keep in
   mind that changes in LDAP (including changes to permissions) are
 replicated
   so reverting one VM and not others is not necessarily enough.
  
   Petr^2 Spacek
  
  
2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com:
  
On 4.11.2014 15:27, Rob Verduijn wrote:
  
Hello again,
  
   I've managed to integrate my katello configuration with freeipa.
   Now I not only use freeipa authentication in katello but also when a
   host
   is defined in katello it automagically gets created in the freeipa
   realm ,
   certs, otp,dns all working great.
  
   however, to obtain all this integration greatness I had to
 downgrade my
   freeipa to 3.3.5 again (revert snapshot) because the katello realm
   integration tool (foreman-prepare-realm) is not capable of dealing
 with
   4.X
   versions of freeipa.
  
It would be nice if you could get tell us more details about the
   problem
   you had with Katello, AFAIK we are not aware of any.
  
 And now the named-pkcs11 again does not see my internal zones.
  
  
   This page
  
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
   thinks
   I should contact the freeipa-users list
  
  
   Do I understand correctly that you did all the steps 0-4
 successfully and
   then you found out that you can't see DNS objects in LDAP (step 5)
 when
   using ldapsearch with DNS principal?
  
   Can you see the objects in IPA web UI or CLI? If it is the case then
 we
   will need help from LDAP ACI expert (pviktori? :-).
  
   Petr^2 Spacek
  
  
 The command 'ipa-ldap-updater
  
   /usr/share/ipa/updates/55

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

I saw in the upstream foreman-prepare-realm script that the new permission
names should include a prefix System: 
That Prefix is not there, what did change was that some permissions where
no longer lower case only.
ie in 3.3.5 the permission is 'write dns configuration' and in 4.1 it
becomes 'Write DNS Configuration'

Rob

2014-11-05 16:25 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 5.11.2014 16:20, Rob Verduijn wrote:

 Hello,

 Yes I noticed the name change it took me a while to realise it was a known
 ruby bug in katello that caused the real problem.

 I also checked after I updated the 'katello integrated' update from 3.3.5
 to 4.1 and the permissions were neatly renamed to their new counterparts.

 However the internal dns no longer worked :(


 So the permissions broke after upgrade to 4.1, right? pviktori, can you
 give us some advice?

 Thanks!

 Petr^2 Spacek

  Rob

 2014-11-05 16:17 GMT+01:00 Stephen Benjamin step...@redhat.com:

  On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote:

 Also when I look at the permissions in ipa there are no longer any
 permissions that have the 'System: ' prefix.


 AFAIK the foreman proxy is not necessary (and not supported) with IPA
 4.x because it was obsoleted by 'native' proxy delivered by Foreman
 upstream.

 Am I right, Rob (Crittenden)? :-)


 I believe he's referring to the native smart proxy here. It includes a
 script to setup permissions. I guess it hasn't been tested against a 4.x
 IPA master.


 The permissions have changed names in FreeIPA 4.0, which means the
 script won't work.  I've tested this one against 4.1 on F21 and it
 works:


 https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/
 sbin/foreman-prepare-realm

 There's an open pull request against foreman's Smart Proxy to include
 that in the next release:

https://github.com/theforeman/smart-proxy/pull/231--

 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek
 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello again,

I've managed to integrate my katello configuration with freeipa.
Now I not only use freeipa authentication in katello but also when a host
is defined in katello it automagically gets created in the freeipa realm ,
certs, otp,dns all working great.

however, to obtain all this integration greatness I had to downgrade my
freeipa to 3.3.5 again (revert snapshot) because the katello realm
integration tool (foreman-prepare-realm) is not capable of dealing with 4.X
versions of freeipa.

And now the named-pkcs11 again does not see my internal zones.

This page
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks
I should contact the freeipa-users list
The command 'ipa-ldap-updater
/usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
and the command 'ipa-ldap-updater' didn't fix it either.

So I am now stuck at freeipa 3.3.5 again (with a working katello
integration, so I got some mixed emotions about it)
Any ideas anyone ?
Rob






2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello,

 I've tested the update again.

 The bind-utils conflict is still there when I issue yum update
 freeipa-server ( as indicated on the freeipa 4.1 download page
 http://www.freeipa.org/page/Downloads#Upgrading )

 'yum update' works fine

 My internal zones didn't resolv after the update
 ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix
 it
 ipa-ldap-updater did fix the 'access control instructions' and my internal
 dns zones started to resolv again :-)

 Cheers
 Rob


 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 16:46, Rob Verduijn wrote:

 Hello,

 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
   fixes the problem.

 I can resolv my internal dns zones again:-)

 Many thanx.

 Since this problem happened every time I tried to update the freeipa
 server.
 I could re-run the update with some debug options if you like so you can
 pinpoint what goes wrong with the update script if you like.


 I have re-build some packages in mkosek's CORP so now you should not see
 encounter dependency problems. Simple 'yum upgrade' should give you all the
 required packages.

 We are looking at other problems in upgrade process right now so there is
 not much to test except package dependencies.

 --
 Petr^2 Spacek



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

The problem with 'foreman-prepare-realm' and freeipa was that it claimed
that a few o thef permissions required did not exist when it tried to add
them to the 'smart proxy host management' privilege.

I think it was because the permissions were all in lower case without the
'System: ' prefix. This is just an assumption since I did not get to work
even after adding them manually. So I figured to try it again after
reverting back to 3.3.5.

After downgrading I learned that it did not work due to a bug in a ruby
script. (fixed by commenting out line 505-506
in /usr/share/ruby/xmlrpc/client.rb on the katello host, see
https://bugs.ruby-lang.org/issues/8182 and
https://bugzilla.redhat.com/show_bug.cgi?id=1071187 )

After which I tried the upgrade again.

regarding
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
I did look again using the kredentials as mentioned in step 4. and saw only
3 objects (1x idnsConfigObject 2x nsContainer)
When using admin credentials I saw all the dns zone entries.

I can see the zone entries in the ipa gui.

Also when I look at the permissions in ipa there are no longer any
permissions that have the 'System: ' prefix.

Rob

2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 4.11.2014 15:27, Rob Verduijn wrote:

 Hello again,

 I've managed to integrate my katello configuration with freeipa.
 Now I not only use freeipa authentication in katello but also when a host
 is defined in katello it automagically gets created in the freeipa realm ,
 certs, otp,dns all working great.

 however, to obtain all this integration greatness I had to downgrade my
 freeipa to 3.3.5 again (revert snapshot) because the katello realm
 integration tool (foreman-prepare-realm) is not capable of dealing with
 4.X
 versions of freeipa.

 It would be nice if you could get tell us more details about the problem
 you had with Katello, AFAIK we are not aware of any.

  And now the named-pkcs11 again does not see my internal zones.

 This page
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart
 thinks
 I should contact the freeipa-users list


 Do I understand correctly that you did all the steps 0-4 successfully and
 then you found out that you can't see DNS objects in LDAP (step 5) when
 using ldapsearch with DNS principal?

 Can you see the objects in IPA web UI or CLI? If it is the case then we
 will need help from LDAP ACI expert (pviktori? :-).

 Petr^2 Spacek


  The command 'ipa-ldap-updater
 /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it.
 and the command 'ipa-ldap-updater' didn't fix it either.

 So I am now stuck at freeipa 3.3.5 again (with a working katello
 integration, so I got some mixed emotions about it)
 Any ideas anyone ?
 Rob






 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

  Hello,

 I've tested the update again.

 The bind-utils conflict is still there when I issue yum update
 freeipa-server ( as indicated on the freeipa 4.1 download page
 http://www.freeipa.org/page/Downloads#Upgrading )

 'yum update' works fine

 My internal zones didn't resolv after the update
 ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't
 fix
 it
 ipa-ldap-updater did fix the 'access control instructions' and my
 internal
 dns zones started to resolv again :-)

 Cheers
 Rob


 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 29.10.2014 16:46, Rob Verduijn wrote:

  Hello,

 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
fixes the problem.

 I can resolv my internal dns zones again:-)

 Many thanx.

 Since this problem happened every time I tried to update the freeipa
 server.
 I could re-run the update with some debug options if you like so you
 can
 pinpoint what goes wrong with the update script if you like.


 I have re-build some packages in mkosek's CORP so now you should not see
 encounter dependency problems. Simple 'yum upgrade' should give you all
 the
 required packages.

 We are looking at other problems in upgrade process right now so there
 is
 not much to test except package dependencies.

 --
 Petr^2 Spacek


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

I've checked and I see a lot of objects representing my dns entries.
Still I get no answers if i try to resolve any of them :(

Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 28.10.2014 18:42, Rob Verduijn wrote:

 before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:

   Hello all,

   I've been digging into my problem of being unable to update from 3.3.5
 to 4.1

   First I add the repo from copr

   Then  I used to update it by issueing 'yum update' which resulted in an
 update in which my local dns zone entries no longer resolved.

   So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

   bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the copr repo and the old bind utils
 from fedora.

   So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

   I remembered reading about package errors with softhsm and installed
 the
 softhsm-devel package first.

   so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

   However when restarting named-pkcs11 I can see in the system log that
 it
 has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

   It claims 0 zones loaded but I can see my forward and reverse zones in
 ipa

   what could cause it not to load the zones that I defined in ipa ?


 This problem is usually caused by broken IPA upgrade which destroys ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.
 NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or not.

 --
 Petr^2 Spacek


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

You're right
duh I should read more carefully and not try to do to many things at once.

when using the dns principal and keytab the entries are not found.

How do i fix the access controll instructions ?
I can revert back easely and try a different aproach for the upgrade if you
know one
(I really started to appreciate snapshots with this upgrade :-)

Rob

2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


 Are you running ldapsearch with *exactly* same credentials as you have in
 /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then  I used to update it by issueing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse zones
 in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.
 NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
 fixes the problem.

I can resolv my internal dns zones again :-)

Many thanx.

Since this problem happened every time I tried to update the freeipa server.
I could re-run the update with some debug options if you like so you can
pinpoint what goes wrong with the update script if you like.

Rob

2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 15:56, Martin Basti wrote:

 On 29/10/14 15:46, Rob Verduijn wrote:

 You're right
 duh I should read more carefully and not try to do to many things at once.

  when using the dns principal and keytab the entries are not found.

  How do i fix the access controll instructions ?
 I can revert back easely and try a different aproach for the upgrade if
 you know one
 (I really started to appreciate snapshots with this upgrade :-)

  Rob


 Please try first this:

 # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

 It should repair privileges.

 Sorry I wrote you wrong file
 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


  Are you running ldapsearch with *exactly* same credentials as you have
 in /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then  I used to update it by issueing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and
 installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse
 zones in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5
 .
 NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek






 --
 Martin Basti





 --
 Martin Basti


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello again,

I jumped to early.
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't work
but ipa-ldap-updater 
fixes the problem for me.

Rob

2014-10-29 16:55 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 16:46, Rob Verduijn wrote:

 Hello,

  # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
   fixes the problem.

  I can resolv my internal dns zones again :-)

  Many thanx.

  Since this problem happened every time I tried to update the freeipa
 server.
 I could re-run the update with some debug options if you like so you can
 pinpoint what goes wrong with the update script if you like.

  Rob


 We know where the problem is, and we though we fixed it, but obviously
 some parts of problem persist.

 Thank you for your patience :-)


 2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 15:56, Martin Basti wrote:

 On 29/10/14 15:46, Rob Verduijn wrote:

 You're right
 duh I should read more carefully and not try to do to many things at
 once.

  when using the dns principal and keytab the entries are not found.

  How do i fix the access controll instructions ?
 I can revert back easely and try a different aproach for the upgrade if
 you know one
 (I really started to appreciate snapshots with this upgrade :-)

  Rob


 Please try first this:

 # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

 It should repair privileges.

  Sorry I wrote you wrong file
 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


  Are you running ldapsearch with *exactly* same credentials as you have
 in /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates
 repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then  I used to update it by issueing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and
 installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse
 zones in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5
 .
 NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek






 --
 Martin Basti





   --
 Martin Basti




 --
 Martin Basti


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

I've tested the update again.

The bind-utils conflict is still there when I issue yum update
freeipa-server ( as indicated on the freeipa 4.1 download page
http://www.freeipa.org/page/Downloads#Upgrading )

'yum update' works fine

My internal zones didn't resolv after the update
ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it
ipa-ldap-updater did fix the 'access control instructions' and my internal
dns zones started to resolv again :-)

Cheers
Rob


2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 16:46, Rob Verduijn wrote:

 Hello,

 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
   fixes the problem.

 I can resolv my internal dns zones again:-)

 Many thanx.

 Since this problem happened every time I tried to update the freeipa
 server.
 I could re-run the update with some debug options if you like so you can
 pinpoint what goes wrong with the update script if you like.


 I have re-build some packages in mkosek's CORP so now you should not see
 encounter dependency problems. Simple 'yum upgrade' should give you all the
 required packages.

 We are looking at other problems in upgrade process right now so there is
 not much to test except package dependencies.

 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello all,

I've been digging into my problem of being unable to update from 3.3.5 to
4.1

First I add the repo from copr

Then  I used to update it by issueing 'yum update' which resulted in an
update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
yum update freeipa-server
And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind utils from
fedora.

So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and installed the
softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
freeipa-server -y

However when restarting named-pkcs11 I can see in the system log that it
has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance
'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse zones in ipa

what could cause it not to load the zones that I defined in ipa ?
Rob


2014-10-27 23:05 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 sorry for the xml formatting didn't realize it would mess up some mail
 clients

 The last bit of the message again

  ipa-upgradeconfig  gives the following :
 [Verifying that root certificate is published]
 Failed to backup CS.cfg: no magic attribute 'dogtag'
 [Migrate CRL publish directory]
 CRL tree already moved
 [Verifying that CA proxy configuration is correct]
 [Verifying that KDC configuration is using ipa-kdb backend]
 [Fixing trust flags in /etc/httpd/alias]
 Trust flags already processed
 [Fix DS schema file syntax]
 Syntax already fixed
 [Removing RA cert from DS NSS database]
 RA cert already removed
 [Removing self-signed CA]
 [Checking for deprecated KDC configuration files]
 [Checking for deprecated backups of Samba configuration files]
 [Setting up Firefox extension]
 [Add missing CA DNS records]
 IPA CA DNS records already processed
 [Removing deprecated DNS configuration options]
 [Ensuring minimal number of connections]
 [Enabling serial autoincrement in DNS]
 [Updating GSSAPI configuration in DNS]
 [Updating pid-file configuration in DNS]
 [Masking named]
 Changes to named.conf have been made, restart named
 [Verifying that CA service certificate profile is updated]
 [Update certmonger certificate renewal configuration to version 2]
 [Enable PKIX certificate path discovery and validation]
 PKIX already enabled
 The ipa-upgradeconfig command was successful

 Any ideas ?
 I'm rather stuck now.
 Rob

 2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello,

 I'm rather at a loss here.
 Everything seems to be running
  ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful

 but the upgrade log is flooded with this error :
 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:11Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:11Z DEBUG request body ''
 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:12Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:12Z DEBUG request body ''

 I've tried the url and it works fine.
 https://freeipa.x.x/ca/admin/ca/getStatus
 it gives the following xml:
 ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponse
 State1/StateTypeCA/TypeStatusrunning/StatusVersion
 10.2.0-3.fc20/Version/XMLResponse

 After I run ipa-upgradeconfig it complains about a missing magic dog tag
 attribute
 ipa-upgradeconfig [Verifying that root certificate is published]Failed
 to backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish
 directory]CRL tree already moved[Verifying that CA proxy

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

  On 28/10/14 16:10, Rob Verduijn wrote:

  Hello all,

  I've been digging into my problem of being unable to update from 3.3.5
 to 4.1

  First I add the repo from copr

  Then  I used to update it by issueing 'yum update' which resulted in an
 update in which my local dns zone entries no longer resolved.

  So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

  bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

  I noticed the new bind comes from the copr repo and the old bind utils
 from fedora.

  So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

  I remembered reading about package errors with softhsm and installed the
 softhsm-devel package first.

  so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

  However when restarting named-pkcs11 I can see in the system log that it
 has 0 zones loaded

  Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

  It claims 0 zones loaded but I can see my forward and reverse zones in
 ipa

  what could cause it not to load the zones that I defined in ipa ?
  Rob


 2014-10-27 23:05 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 sorry for the xml formatting didn't realize it would mess up some mail
 clients

  The last bit of the message again

   ipa-upgradeconfig  gives the following :
  [Verifying that root certificate is published]
  Failed to backup CS.cfg: no magic attribute 'dogtag'
 [Migrate CRL publish directory]
 CRL tree already moved
 [Verifying that CA proxy configuration is correct]
 [Verifying that KDC configuration is using ipa-kdb backend]
 [Fixing trust flags in /etc/httpd/alias]
 Trust flags already processed
 [Fix DS schema file syntax]
 Syntax already fixed
 [Removing RA cert from DS NSS database]
 RA cert already removed
 [Removing self-signed CA]
 [Checking for deprecated KDC configuration files]
 [Checking for deprecated backups of Samba configuration files]
 [Setting up Firefox extension]
 [Add missing CA DNS records]
 IPA CA DNS records already processed
 [Removing deprecated DNS configuration options]
 [Ensuring minimal number of connections]
 [Enabling serial autoincrement in DNS]
 [Updating GSSAPI configuration in DNS]
 [Updating pid-file configuration in DNS]
 [Masking named]
 Changes to named.conf have been made, restart named
 [Verifying that CA service certificate profile is updated]
 [Update certmonger certificate renewal configuration to version 2]
 [Enable PKIX certificate path discovery and validation]
 PKIX already enabled
 The ipa-upgradeconfig command was successful

  Any ideas ?
 I'm rather stuck now.
  Rob

 2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello,

  I'm rather at a loss here.
 Everything seems to be running
   ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful

  but the upgrade log is flooded with this error :
  2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:11Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:11Z DEBUG request body ''
 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:12Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:12Z DEBUG request body ''

  I've tried the url and it works fine.
 https://freeipa.x.x/ca/admin/ca/getStatus
  it gives the following xml:

  ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponse
 State1/StateTypeCA/TypeStatusrunning/StatusVersion
 10.2.0

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

, in update
updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
line 131, in update
ld.update_from_dict(updates)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 889, in update_from_dict
self._run_updates(updates)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 799, in _run_updates
self._update_record(update)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 661, in _update_record
e = self._get_entry(new_entry.dn)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 544, in _get_entry
return self.conn.get_entries(dn, scope, searchfilter, sattrs)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1421,
in get_entries
base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1527,
in find_entries
break
  File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1206,
in error_handler
error=info)
NetworkError: cannot connect to
'ldapi://%2fvar%2frun%2fslapd-X-X.socket':



2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

 Rob Verduijn wrote:
  h
 
  after some more digging (monitoring the upgrade more closely.)
  I saw that the upgrade kept waiting for the ca to start, which it did
  not do.
  and after 5 minutes the upgrade gave up with the following errors in the
  ipaupgrade log :
 
  at 85% it says :
  2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd--.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0
  2014-10-26T15:04:35Z DEBUG Starting external process
  2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
  '/etc/httpd/alias' '-L'
  2014-10-26T15:04:35Z DEBUG Process finished, return code=0
  2014-10-26T15:04:35Z DEBUG stdout=
  Certificate Nickname Trust
  Attributes
 
   SSL,S/MIME,JAR/XPI
 
  Signing-Cert u,u,u
  . IPA CA   CT,C,C
  ipaCert  u,u,u
  Server-Cert  u,u,u
 
  2014-10-26T15:04:35Z DEBUG stderr=
  2014-10-26T15:04:35Z DEBUG Starting external process
  2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
  '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
  2014-10-26T15:04:35Z DEBUG Process finished, return code=0
  2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE-
   certificate-removed 
  -END CERTIFICATE-
  2014-10-26T15:04:35Z DEBUG stderr=
  2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
  'ldapi://%2fvar%2frun%2fslapd--.socket':\

 This has nothing to do with the CA, the LDAP server didn't come up. I'd
 start with those logs or look earlier in ipaupgrade.log

 The CA requires 389-ds to be running so if it isn't up, then it will
 fail to start too.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello,

I'm rather at a loss here.
Everything seems to be running
 ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

but the upgrade log is flooded with this error :
2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
2014-10-27T21:52:11Z DEBUG request '
https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:11Z DEBUG request body ''
2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
2014-10-27T21:52:12Z DEBUG request '
https://freeipa.x.x:443/ca/admin/ca/getStatus'
2014-10-27T21:52:12Z DEBUG request body ''

I've tried the url and it works fine.
https://freeipa.x.x/ca/admin/ca/getStatus
it gives the following xml:
?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponseState1
/StateTypeCA/TypeStatusrunning/StatusVersion10.2.0-3.fc20
/Version/XMLResponse

After I run ipa-upgradeconfig it complains about a missing magic dog tag
attribute
ipa-upgradeconfig [Verifying that root certificate is published]Failed to
backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL
tree already moved[Verifying that CA proxy configuration is correct][Verifying
that KDC configuration is using ipa-kdb backend][Fixing trust flags in
/etc/httpd/alias]Trust flags already processed[Fix DS schema file syntax]Syntax
already fixed[Removing RA cert from DS NSS database]RA cert already
removed[Removing
self-signed CA][Checking for deprecated KDC configuration files][Checking
for deprecated backups of Samba configuration files][Setting up Firefox
extension][Add missing CA DNS records]IPA CA DNS records already
processed[Removing
deprecated DNS configuration options][Ensuring minimal number of
connections][Enabling serial autoincrement in DNS][Updating GSSAPI
configuration in DNS][Updating pid-file configuration in DNS][Masking
named]Changes
to named.conf have been made, restart named[Verifying that CA service
certificate profile is updated][Update certmonger certificate renewal
configuration to version 2][Enable PKIX certificate path discovery and
validation]PKIX already enabledThe ipa-upgradeconfig command was successful

But my local dns zone does no longer resolve :(

reverting back to the 3.3 snapshot again :(

Please help
Rob

2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

 Rob Verduijn wrote:
  h
 
  after some more digging (monitoring the upgrade more closely.)
  I saw that the upgrade kept waiting for the ca to start, which it did
  not do.
  and after 5 minutes the upgrade gave up with the following errors in the
  ipaupgrade log :
 
  at 85% it says :
  2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd--.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0
  2014-10-26T15:04:35Z DEBUG Starting external process
  2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
  '/etc/httpd/alias' '-L'
  2014-10-26T15:04:35Z DEBUG Process finished, return code=0
  2014-10-26T15:04:35Z DEBUG stdout=
  Certificate Nickname Trust
  Attributes
 
   SSL,S/MIME,JAR/XPI
 
  Signing-Cert u,u,u
  . IPA CA   CT,C,C
  ipaCert  u,u,u
  Server-Cert  u,u,u
 
  2014-10-26T15:04:35Z DEBUG stderr=
  2014-10-26T15:04:35Z DEBUG Starting external process
  2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
  '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
  2014-10-26T15:04:35Z DEBUG Process finished, return code=0
  2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE-
   certificate-removed 
  -END CERTIFICATE-
  2014-10-26T15:04:35Z DEBUG stderr=
  2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
  'ldapi://%2fvar%2frun%2fslapd--.socket':\

 This has nothing to do with the CA, the LDAP server didn't come up. I'd
 start with those logs or look earlier in ipaupgrade.log

 The CA requires 389-ds to be running so if it isn't up, then it will
 fail to start too.

 rob


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

sorry for the xml formatting didn't realize it would mess up some mail
clients

The last bit of the message again

 ipa-upgradeconfig  gives the following :
[Verifying that root certificate is published]
Failed to backup CS.cfg: no magic attribute 'dogtag'
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that CA proxy configuration is correct]
[Verifying that KDC configuration is using ipa-kdb backend]
[Fixing trust flags in /etc/httpd/alias]
Trust flags already processed
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Removing self-signed CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
[Setting up Firefox extension]
[Add missing CA DNS records]
IPA CA DNS records already processed
[Removing deprecated DNS configuration options]
[Ensuring minimal number of connections]
[Enabling serial autoincrement in DNS]
[Updating GSSAPI configuration in DNS]
[Updating pid-file configuration in DNS]
[Masking named]
Changes to named.conf have been made, restart named
[Verifying that CA service certificate profile is updated]
[Update certmonger certificate renewal configuration to version 2]
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
The ipa-upgradeconfig command was successful

Any ideas ?
I'm rather stuck now.
Rob

2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello,

 I'm rather at a loss here.
 Everything seems to be running
  ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 ipa_memcached Service: RUNNING
 httpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful

 but the upgrade log is flooded with this error :
 2014-10-27T21:52:10Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:11Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:11Z DEBUG request body ''
 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted
 2014-10-27T21:52:11Z DEBUG Waiting for CA to start...
 2014-10-27T21:52:12Z DEBUG request '
 https://freeipa.x.x:443/ca/admin/ca/getStatus'
 2014-10-27T21:52:12Z DEBUG request body ''

 I've tried the url and it works fine.
 https://freeipa.x.x/ca/admin/ca/getStatus
 it gives the following xml:
 ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponseState
 1/StateTypeCA/TypeStatusrunning/StatusVersion10.2.0-3.fc20
 /Version/XMLResponse

 After I run ipa-upgradeconfig it complains about a missing magic dog tag
 attribute
 ipa-upgradeconfig [Verifying that root certificate is published]Failed to
 backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL
 tree already moved[Verifying that CA proxy configuration is correct][Verifying
 that KDC configuration is using ipa-kdb backend][Fixing trust flags in
 /etc/httpd/alias]Trust flags already processed[Fix DS schema file 
 syntax]Syntax
 already fixed[Removing RA cert from DS NSS database]RA cert already
 removed[Removing self-signed CA][Checking for deprecated KDC
 configuration files][Checking for deprecated backups of Samba
 configuration files][Setting up Firefox extension][Add missing CA DNS
 records]IPA CA DNS records already processed[Removing deprecated DNS
 configuration options][Ensuring minimal number of connections][Enabling
 serial autoincrement in DNS][Updating GSSAPI configuration in DNS][Updating
 pid-file configuration in DNS][Masking named]Changes to named.conf have
 been made, restart named[Verifying that CA service certificate profile is
 updated][Update certmonger certificate renewal configuration to version 
 2][Enable
 PKIX certificate path discovery and validation]PKIX already enabledThe
 ipa-upgradeconfig command was successful

 But my local dns zone does no longer resolve :(

 reverting back to the 3.3 snapshot again :(

 Please help
 Rob

 2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com:

 Rob Verduijn wrote:
  h
 
  after some more digging (monitoring the upgrade more closely.)
  I saw that the upgrade kept waiting for the ca to start, which it did
  not do.
  and after 5 minutes the upgrade gave up with the following errors in the
  ipaupgrade log :
 
  at 85% it says :
  2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd--.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0
  2014-10-26T15:04:35Z DEBUG Starting external process
  2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d'
  '/etc/httpd/alias' '-L'
  2014-10-26T15:04:35Z DEBUG Process finished, return code=0
  2014-10-26T15:04:35Z DEBUG stdout=
  Certificate Nickname Trust
  Attributes
 
   SSL,S/MIME,JAR/XPI
 
  Signing-Cert u,u,u
  . IPA CA

Re: [Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

h

after some more digging (monitoring the upgrade more closely.)
I saw that the upgrade kept waiting for the ca to start, which it did not
do.
and after 5 minutes the upgrade gave up with the following errors in the
ipaupgrade log :

at 85% it says :
2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd--.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0
2014-10-26T15:04:35Z DEBUG Starting external process
2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias'
'-L'
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:35Z DEBUG stdout=
Certificate Nickname Trust
Attributes

 SSL,S/MIME,JAR/XPI

Signing-Cert u,u,u
. IPA CA   CT,C,C
ipaCert  u,u,u
Server-Cert  u,u,u

2014-10-26T15:04:35Z DEBUG stderr=
2014-10-26T15:04:35Z DEBUG Starting external process
2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias'
'-L' '-n' 'TJAKO.THUIS IPA CA' '-a'
2014-10-26T15:04:35Z DEBUG Process finished, return code=0
2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE-
 certificate-removed 
-END CERTIFICATE-
2014-10-26T15:04:35Z DEBUG stderr=
2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to
'ldapi://%2fvar%2frun%2fslapd--.socket':
2014-10-26T15:04:36Z DEBUG Traceback (most recent call last):
  File
/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py,
line 152, in __upgrade
self.modified = (ld.update(self.files, ordered=True) or
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 874, in update
updates = api.Backend.updateclient.update(POST_UPDATE,
self.dm_password, self.ldapi, self.live_run)
  File
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py,
line 131, in update
ld.update_from_dict(updates)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 889, in update_from_dict
self._run_updates(updates)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 799, in _run_updates
self._update_record(update)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 661, in _update_record
e = self._get_entry(new_entry.dn)
  File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py,
line 544, in _get_entry
return self.conn.get_entries(dn, scope, searchfilter, sattrs)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1421,
in get_entries
base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1527,
in find_entries
break
  File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1206,
in error_handler
error=info)
NetworkError: cannot connect to
'ldapi://%2fvar%2frun%2fslapd--.socket':

and in the end it says :

2014-10-26T14:46:13Z DEBUG The CA status is: check interrupted
2014-10-26T14:46:13Z DEBUG Waiting for CA to start...
2014-10-26T14:46:14Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
646, in run_script
return_value = main_function()

  File /usr/sbin/ipa-upgradeconfig, line 1457, in main
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)

  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 282, in restart
self.service.restart(instance_name, capture_output=capture_output,
wait=wait)

  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py,
line 209, in restart
self.wait_until_running()

  File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py,
line 197, in wait_until_running
raise RuntimeError('CA did not start in %ss' % timeout)

2014-10-26T14:46:14Z DEBUG The ipa-upgradeconfig command failed, exception:
RuntimeError: CA did not start in 300.0s


I guess its something with the update for the ca certificate server that
failed.

Any clues on how to proceed ?

Rob


2014-10-26 11:39 GMT+01:00 John Obaterspok john.obaters...@gmail.com:

 Hello Rob,

 Did systemd report any failed services? (systemctl --failed)


 -- john

 2014-10-25 16:40 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:

 Hello all,

 I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main
 dns server.

 I've tried the upgrade to 4.1 using the copr repositorie.

 I performed the following steps:

 1 apply latest fedora updates
 2 shutdown system
 3 create a snapshot from the freeipa vm as a backup (which is why I'm
 back at 3.3)
 4 added the copr repo to my repositories
 5 issue 'yum update' and grab a coffee
 6 see

[Freeipa-users] dns stops working after upgrade

[Rob Verduijn]

Hello all,

I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main
dns server.

I've tried the upgrade to 4.1 using the copr repositorie.

I performed the following steps:

1 apply latest fedora updates
2 shutdown system
3 create a snapshot from the freeipa vm as a backup (which is why I'm back
at 3.3)
4 added the copr repo to my repositories
5 issue 'yum update' and grab a coffee
6 see the update complete and start to check if everything still works.
all authentication seems to work fine, however all my local dns enties no
longer work.
all internet dns queries work fine, just not my own entries.
they are all still there.

so I shutdown my freeipa vm and reverted the snapshot, everything is back
up and running again with 3.3.0

I've digged through my logs but see no errors whatsoever.

Did I miss something that needs to be done when doing an upgrade ?

Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

[Rob Verduijn]

Hello all,

I've managed to get the gssproxy to work on my installation.
I can now mount my apache document root using sec=krb5p and apache
automagically mounts the share when needed.

However I noticed that now all nfs credentials are going through gssproxy.
Is there a way to disable this for regular users (or only enable it for
apache)

Below is the gssproxy.conf I used

Cheers
Rob



[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = keytab:/etc/krb5.keytab
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0



2014-09-17 9:15 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:



 2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS bnordg...@fs.fed.us:


  Also opened https://fedorahosted.org/freeipa/ticket/4544

 Tried to summarize this thread on that ticket.

 Back to the OP's concern, whenever I use NFS as a documentroot for apache
 (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
 set all-squash, and specify the webserver's IP. It's not like individual
 user accounts need a presence on the filesystem. Do you need encryption for
 your application or is apache just going to spray the content out across
 the commodity internet via un-encrypted http?

 Bryce






 This electronic message contains information generated by the USDA solely
 for the intended recipients. Any unauthorized interception of this message
 or the use or disclosure of the information it contains may violate the law
 and subject the violator to civil or criminal penalties. If you believe you
 have received this message in error, please notify the sender and delete
 the email immediately.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project



 Hello,

 I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
 It's not sensitive data and it's also internal, so it will do fine for now
 as a workaround.
 But there is going to be a situation that apache requires access to a
 document root containing sensitive data, in that case I would prefer a more
 secure method.

 I've been reading up a little on the gss-proxy, which would be the
 prefered way on the obtaining of the credentials from a keytab.
 Have gss-proxy do it or have gss-proxy use  s4u2proxy to fetch the keytab
 ? (which might also solve some of my ssh anoyances but that's a bit off
 topic)

 Rob Verduijn


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

[Rob Verduijn]

Hi again,

Thank you for the quick response.
I've removed the credstore entries that are not necessary for the nfs
access.
Now the users no longer go through gssproxy, but apache does.

I've googled around quite a bit and and it seems that your presentation on
youtube and the gssproxy page together with a bit on the fedora site are
about it concerning documentation.

The below gssproxy.conf works fine for apache accessing  a kerberized nfs
share without having to authenticate against ipa.

If I were to create another share for say an tftp directory do I need to
create another entry like the one below or can I simply say :
euid =  48,1,2,3,4

Or maybe this if you won't mind that any service with a keytab gets nfs
access.
euid = %U

Thanx for the quick help.


[gssproxy]

[service/nfs-client]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/%U.keytab
  cred_usage = initiate
  allow_any_uid = no
  trusted = yes
  euid = 48



2014-09-20 18:15 GMT+02:00 Simo Sorce s...@redhat.com:

 On Sat, 20 Sep 2014 16:53:48 +0200
 Rob Verduijn rob.verdu...@gmail.com wrote:

  Hello all,
 
  I've managed to get the gssproxy to work on my installation.
  I can now mount my apache document root using sec=krb5p and apache
  automagically mounts the share when needed.
 
  However I noticed that now all nfs credentials are going through
  gssproxy. Is there a way to disable this for regular users (or only
  enable it for apache)
 
  Below is the gssproxy.conf I used

 I assume you mean that gssproxy is used for all users when rpc.gssd is
 used ? You cannot pick and choose this way, but gss-proxy can be
 configured to user regular user's caches so that it preserve proper
 authorization for access.

  Cheers
  Rob
 
 
 
  [gssproxy]
 
  [service/nfs-client]
mechs = krb5
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
cred_store = client_keytab:/etc/gssproxy/%U.keytab
cred_usage = initiate
allow_any_uid = yes
trusted = yes
euid = 0

 You do not need allow_any_uid in your case as rpc.gssd always runs as
 root.

 You can also remove the keytab:/etc/krb5.keytab option as you are only
 going to initiate with explicit client keytabs.

 If you only have the apache keytab in /etc/gssproxy then for any other
 user will fall back to local resolution.

 You may also experiment with setting ccache to the default for your
 system so that gss-proxy can find actual user's ccaches, though that
 may comport some minor risk and will force you to run gss-proxy as root.


 HTH,
 Simo.


 --
 Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

[Rob Verduijn]

2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS bnordg...@fs.fed.us:


  Also opened https://fedorahosted.org/freeipa/ticket/4544

 Tried to summarize this thread on that ticket.

 Back to the OP's concern, whenever I use NFS as a documentroot for apache
 (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys,
 set all-squash, and specify the webserver's IP. It's not like individual
 user accounts need a presence on the filesystem. Do you need encryption for
 your application or is apache just going to spray the content out across
 the commodity internet via un-encrypted http?

 Bryce






 This electronic message contains information generated by the USDA solely
 for the intended recipients. Any unauthorized interception of this message
 or the use or disclosure of the information it contains may violate the law
 and subject the violator to civil or criminal penalties. If you believe you
 have received this message in error, please notify the sender and delete
 the email immediately.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project



Hello,

I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys)
It's not sensitive data and it's also internal, so it will do fine for now
as a workaround.
But there is going to be a situation that apache requires access to a
document root containing sensitive data, in that case I would prefer a more
secure method.

I've been reading up a little on the gss-proxy, which would be the prefered
way on the obtaining of the credentials from a keytab.
Have gss-proxy do it or have gss-proxy use  s4u2proxy to fetch the keytab ?
(which might also solve some of my ssh anoyances but that's a bit off topic)

Rob Verduijn
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user

[Rob Verduijn]

Hello,

I've got a webserver whose default export is on a kerberized nfs4 export.


The export works fine for regular ipa users

However the apache user is not allowed to read anything from the export.

What would be the best practice to allow the apache user access to the nfs4
export without switching to sec=sys ?

Cheers
Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] sudo without the !authenticate

[Rob Verduijn]

Hello,

I've a freeipa running on fedora 20 with fedora 20 clients.

When I configure sudo with the !authenticate option, everything works fine.
ie 'sudo journalctl' works fine, you get to see the logs

However when I remove the !authenticate option the sudo command asks for a
password but it always fails.

In the logs it says that authentication succes
but it is followed by the line access denied.

What could be causing this ?

Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] sudo without the !authenticate

[Rob Verduijn]

2014-09-01 18:47 GMT+02:00 Dmitri Pal d...@redhat.com:

  On 09/01/2014 06:17 PM, Rob Verduijn wrote:

 Hello,

  I've a freeipa running on fedora 20 with fedora 20 clients.

  When I configure sudo with the !authenticate option, everything works
 fine.
 ie 'sudo journalctl' works fine, you get to see the logs

  However when I remove the !authenticate option the sudo command asks for
 a password but it always fails.

  In the logs it says that authentication succes
 but it is followed by the line access denied.

  What could be causing this ?

  Rob



  Probably access control. Do you have HBAC rules defined? Do they allow
 user to do sudo operations?

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


Hello,

That was indeed preventing the access without the !noathenticate.

I've added sudo to the hbac and now it works.

Thanx.
Rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] GSSAPIDelegateCredentials yes

[Rob Verduijn]

Hello,

Sorry for the delay, I was rather busy the past few days.

Well I must say it sounds interesting, I will need to read up on
s4u2proxy, but I'm very interested to see where this leads to.

Rob

2014-07-11 22:39 GMT+02:00 Dmitri Pal d...@redhat.com:
 On 07/05/2014 05:12 PM, Simo Sorce wrote:

 On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:

 Hello,

 I've set up host that mounts a kerberized nfs4 homedrive.
 This all works fine, however when logging in remotely with a user
 using ssh the kerberos ticket is not set for that user.
 This requires either manually doing kinit or setting the
 GSSAPIDelegateCredentials yes in either .ssh config or in the
 /etc/ssh.

 My issue is that
 Host  *.some.domain
 GSSAPIDelegateCredentials yes

 In the user config or even in the global config is not a very clever
 thing to do since that would imply that the kerberos credentials would
 be provided to every  system that the user would ssh to in the
 some.domain network.

 Is there a clever way to do this in freeipa
 like an adition to host based access, ie send the
 GSSAPIDelegateCredentials only for these hosts when using ssh?

 Unfortunately there is not.

 Simo.

 What potentially can be done in this case is:

 1) Use GSSAPI to log into this host.
 2) Identify which kerberized services user needs to be able to use once he
 logs into the system (NFS, ldap, cups, etc.)
 3) Use GSSAPI for access to these services (if possible)
 4) Configure GSS proxy to be used on the client side of these connections
 5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket
 6) Configure constrained delegation on the server side (IPA) to allow
 s4u2proxy. It is not exposed in UI CLI. It has to be done via ldap.

 There will be dragons as I doubt this has been done but the long term plan
 is to make it possible.
 By trying and reporting issues you would help us to make it possible sooner.
 If you are interested we can drill down into more details.

 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] GSSAPIDelegateCredentials yes

[Rob Verduijn]

Hello,

I've set up host that mounts a kerberized nfs4 homedrive.
This all works fine, however when logging in remotely with a user
using ssh the kerberos ticket is not set for that user.
This requires either manually doing kinit or setting the
GSSAPIDelegateCredentials yes in either .ssh config or in the
/etc/ssh.

My issue is that
Host  *.some.domain
   GSSAPIDelegateCredentials yes

In the user config or even in the global config is not a very clever
thing to do since that would imply that the kerberos credentials would
be provided to every  system that the user would ssh to in the
some.domain network.

Is there a clever way to do this in freeipa
like an adition to host based access, ie send the
GSSAPIDelegateCredentials only for these hosts when using ssh?

Cheers
Rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Having difficulty installing on Fedora 20

[Rob Verduijn]

err
http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation
ofcourse

Rob

2014-06-24 21:12 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com:
 I saw this in your log :

 snip
 Global DNS configuration in LDAP server is empty
 You can use 'dnsconfig-mod' command to set global DNS options that
 would override settings in local named.conf files
 snip

 Did you install bind and bind-dyndb-ldap ?
 http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica

 Just meddling around with ipa myself
 Rob

 2014-06-24 19:11 GMT+02:00 Petr Spacek pspa...@redhat.com:
 Hello!

 That is interesting. Do you have latest updates?

 Please see
 http://www.freeipa.org/page/Troubleshooting



 On 24.6.2014 18:41, Carl Perry wrote:
 Unexpected error - see /var/log/ipaserver-install.log for details:

 If the web page doesn't cover your case please send us the log file
 mentioned in the the error message.

 Have a nice day!

 --
 Petr^2 Spacek

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Having difficulty installing on Fedora 20

[Rob Verduijn]

I saw this in your log :

snip
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files
snip

Did you install bind and bind-dyndb-ldap ?
http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica

Just meddling around with ipa myself
Rob

2014-06-24 19:11 GMT+02:00 Petr Spacek pspa...@redhat.com:
 Hello!

 That is interesting. Do you have latest updates?

 Please see
 http://www.freeipa.org/page/Troubleshooting



 On 24.6.2014 18:41, Carl Perry wrote:
 Unexpected error - see /var/log/ipaserver-install.log for details:

 If the web page doesn't cover your case please send us the log file
 mentioned in the the error message.

 Have a nice day!

 --
 Petr^2 Spacek

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] issues with nfs4 privileges.

[Rob Verduijn]

Hello,

I'm a bit at loss with my freeipa kerberized nfs4 shares.

the nfs4 shares mount fine and users can read and write their files.
However pulse audio does not work properly, and some programs fail to start.
When logging in with a local account using a local homedrive
pulseaudio works, and the programs also work.
Also oddjob is not capable of creating a home dir for a new user.

root is not allowed to write in the home mount on the client (mkdir
test and touch test get a Permission denied)

I don't think its selinux, because setenforce 0 on the nfs-server and
setenforce 0 on the nfs client did not help.

freeipa policies seem to be working fine, sudo rules are applied the
way I expect them.
Logging in on all the machines works, automounting works like a charm,
except for the situations described above.

server details are below

Anybody who can tell me what I've missed ?
Rob

the freeipa server is a dedicated fedora20 x86_64 machine with the
latest updates applied

the nfs-server is a fedora20 x86_64 machine with the latest updates applied

these booleans have been applied on the nfs server
nfs_export_all_ro -- on
nfs_export_all_rw -- on

The exports are :
/exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p)
/exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p)

/exports/homes is a bind mount from :
/data3/homes

selinux contexts of the dirs:
ls -dalsZ /data3/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /data3/homes
ls -dalsZ /exports/homes
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /exports/homes

/exportes/homes is automounted by systemd using this unit file:
cat /etc/systemd/system/exports-homes.automount
[Unit]
Description=/exports/homes Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/exports/homes

   [Install]
WantedBy=multi-user.target

and the matching unit mount:
cat /etc/systemd/system/exports-homes.mount
[Unit]
Description=Exports Homes Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=/data3/homes
Where=/exports/homes
Type=none
Options=bind
DirectoryMode=0755

the nfs client is a fedora20 x86_64 machine with al the latest patches applied
This boolean has been set:
use_nfs_home_dirs -- on

ls -dalsZ /home/
drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/

the home folder is automounted by systemd using this unit file :
cat /etc/systemd/system/home.automount
[Unit]
Description=Home Directory Automount Point
Wants=network.target statd.service
After=network.target statd.service
[Automount]
Where=/home
[Install]
WantedBy=multi-user.target

and the matching unit mount
cat /etc/systemd/system/home.mount
[Unit]
Description=Home Directory
Wants=network.target statd.service
After=network.target statd.service
[Mount]
What=172.16.1.1:/homes
Where=/home
Type=nfs4
Options=timeo=14,noatime,timeo=14,soft,sec=krb5p,context=system_u:object_r:user_home_t:s0
DirectoryMode=0750

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] issues with nfs4 privileges.

[Rob Verduijn]

Hi Simo,

Thanx for the quick answer, i will consider the root implications.
However, what about pulse audio not working ?
The logs complain about that one not beeing able to write in home as well.

Rob

2014-06-20 18:27 GMT+02:00 Simo Sorce s...@redhat.com:
 On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote:
 Hello,

 I'm a bit at loss with my freeipa kerberized nfs4 shares.

 the nfs4 shares mount fine and users can read and write their files.
 However pulse audio does not work properly, and some programs fail to start.
 When logging in with a local account using a local homedrive
 pulseaudio works, and the programs also work.
 Also oddjob is not capable of creating a home dir for a new user.

 root is not allowed to write in the home mount on the client (mkdir
 test and touch test get a Permission denied)

 I don't think its selinux, because setenforce 0 on the nfs-server and
 setenforce 0 on the nfs client did not help.

 Indeed it is not selinux nor anything client related, when you use
 kerberized NFSv4 *all* accesses including root must be authenticated.

 When your local root user tries to access the mount point, either it
 cannot authenticate or it uses the system keytab to authenticate, in
 both cases, w/o further configuration on the server these accesses are
 mapped to the nobody user or refused outright.

 If you really want to trust *every* client to have full *root* access on
 your server then you need to make sure the client is using the host
 keytab when acting as root (default unless you pass -n to rpc.gssd) then
 you need to map explicitly the client's hosts keys to the root account
 on the server.
 add:
  host/client.host.name@YOUR.REALM = root
 in the [static] section of idmapd.conf

 See idmapd.conf(5) for details.

 freeipa policies seem to be working fine, sudo rules are applied the
 way I expect them.
 Logging in on all the machines works, automounting works like a charm,
 except for the situations described above.

 server details are below

 Anybody who can tell me what I've missed ?

 What you've missed is simply that clients are not allowed to act as root
 on NFS mounts by default, it's a security issue, because a compromised
 client can then do what it want's with all NFS shared data regardless of
 user permissions.

 HTH,
 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] issues with nfs4 privileges.

[Rob Verduijn]

Hi,

I have not touched pulse audio configuration, it's set to default, I
can see in the logs the pulseaudio daemon assumes the user id.
rtkit-daemon[697]: Successfully made thread 3299 of process 3299
(/usr/bin/pulseaudio) owned by '4701' high priority at nice level
-11.
rtkit-daemon[697]: Supervising 5 threads of 2 processes of 2 users.
pulseaudio[3299]: [pulseaudio] core-util.c: Failed to create secure
directory (/home/rob/.config/pulse): Permission denied

The directory already exists, I tried removing it, which did not help.

Rob

2014-06-20 19:14 GMT+02:00 Simo Sorce s...@redhat.com:
 On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote:
 Hi Simo,

 Thanx for the quick answer, i will consider the root implications.
 However, what about pulse audio not working ?
 The logs complain about that one not beeing able to write in home as well.

 Is it running as the pulse user ?
 If so it would be the same issue, but I thought pulseaudio runs as the
 user by default, have you changed its configuration to run one instance
 per system by chance ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] issues with nfs4 privileges.

[Rob Verduijn]

Considering the root immplications.

Handing out root to all nfs clients is indeed something that is undesirable.
However personally I believe manually creating homedirs to be a
procedure from the previous millenium.

Can I get freeipa to do this automatically the right way ? (respecting security)

Rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project