Re: [Freeipa-users] CentOS 6 -> 7 migration
Sounds feasable, however I'm not sure which solution entails the most work. In step 3 you loose all the extra functionalities( cups/squid/ntp ) as well, while these stay preserved by a p2v including a nice backup. You do need a backup of all the functions before proceeding with step3. Rob Verduijn 2017-02-26 14:40 GMT+01:00 Ian Pilcher <arequip...@gmail.com>: > On 02/26/2017 05:08 AM, Rob Verduijn wrote: > >> You should consider setting up a temporary vm to migrate from. >> On one of your client systems, I assume you got at least 1 ipa client >> >> Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your >> current system to a vm (side effect : instant full backup) >> >> When you got the vm up and running you can reinstall your main system >> with the new os and ipa. >> Then replicate the old ipa to the new one. >> > > Hmm. The system that runs IPA is the "network server" in my home > network. It runs various services -- DNS, NTP, CUPS, squid, etc. -- as > well as routing between various VLANs. So simply P2V'ing it would be > a major project in its own right. > > What about this, though ... > > 1. Set up a new CentOS 7 VM running IPA > > 2. Replicate the IPA data from the old CentOS 6 system to the VM. > > 3. Install CentOS 7 on the original system > > 4. Replicate the IPA data back from the VM > > Will this work? > > -- > > Ian Pilcher arequip...@gmail.com > "I grew up before Mark Zuckerberg invented friendship" > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] CentOS 6 -> 7 migration
Upgrading centos6 to 7 is not a smart thing, unless you like to suffer a lot of issues. Then there are many comaptibility issues regarding the upgrade from ipa3.3 to 4.4 You should consider setting up a temporary vm to migrate from. On one of your client systems, I assume you got at least 1 ipa client Try looking at http://libguestfs.org/virt-p2v.1.html to migrate your current system to a vm (side effect : instant full backup) When you got the vm up and running you can reinstall your main system with the new os and ipa. Then replicate the old ipa to the new one. Rob Verduijn 2017-02-26 0:45 GMT+01:00 Ian Pilcher <arequip...@gmail.com>: > Is there any way to migrate an IPA server from 6 -> 7 without losing all > of the IPA configuration and data? All of the documentation I can find > involves setting up a replica, replicating the data over, and then > decommissioning the old system; not exactly an option with a single > system. > > -- > > Ian Pilcher arequip...@gmail.com > "I grew up before Mark Zuckerberg invented friendship" > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-dnskeysyncd not starting
2016-12-19 18:53 GMT+01:00 Martin Basti <mba...@redhat.com>: > > > On 19.12.2016 17:51, Rob Verduijn wrote: > > 2016-12-19 17:06 GMT+01:00 Martin Basti <mba...@redhat.com>: > >> >> >> On 19.12.2016 16:27, Rob Verduijn wrote: >> >> >> >> 2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>: >> >>> >>> >>> >>> 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >>> >>>> On 19.12.2016 14:07, Rob Verduijn wrote: >>>> > Hello, >>>> > >>>> > I'm running ipa on centos 7.3 with the latest patches applied. >>>> > >>>> > It seem to run fine however the ipa-dnskeysyncd keeps failing to >>>> start and >>>> > I keep seeing this message in my logs: >>>> > >>>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind... >>>> > python2[25663]: GSSAPI client step 1 >>>> > python2[25663]: GSSAPI client step 1 >>>> > ns-slapd[2569]: GSSAPI server step 1 >>>> > python2[25663]: GSSAPI client step 1 >>>> > ns-slapd[2569]: GSSAPI server step 2 >>>> > python2[25663]: GSSAPI client step 2 >>>> > ns-slapd[2569]: GSSAPI server step 3 >>>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process >>>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: >>>> INFO >>>> > Initial LDAP dump is done, sychronizing with ODS and BIND >>>> > python2[25674]: GSSAPI client step 1 >>>> > python2[25674]: GSSAPI client step 1 >>>> > ns-slapd[2569]: GSSAPI server step 1 >>>> > python2[25674]: GSSAPI client step 1 >>>> > ns-slapd[2569]: GSSAPI server step 2 >>>> > python2[25674]: GSSAPI client step 2 >>>> > ns-slapd[2569]: GSSAPI server step 3 >>>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last): >>>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", >>>> line 110, >>>> > in >>>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, >>>> > msgid=ldap_search): >>>> > ipa-dnskeysyncd[25663]: File >>>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in >>>> > syncrepl_poll >>>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone() >>>> > ipa-dnskeysyncd[25663]: File >>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", >>>> line 115, >>>> > in syncrepl_refreshdone >>>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync() >>>> > ipa-dnskeysyncd[25663]: File >>>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", >>>> line 181, >>>> > in hsm_replica_sync >>>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) >>>> > ipa-dnskeysyncd[25663]: File >>>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, >>>> in run >>>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, >>>> arg_string, >>>> > str(output)) >>>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command >>>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit >>>> status 1 >>>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, >>>> > status=1/FAILURE >>>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. >>>> > systemd[1]: ipa-dnskeysyncd.service failed. >>>> > >>>> > for some reason the ipa-dnskeysyncd keeops crashing. >>>> > Anybody know where to start looking for this one ? >>>> >>>> Please raise the debug level so we can see something in the logs: >>>> >>>> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras >>>> hes_or_returns_no_data >>>> >>>> -- >>>> Petr^2 Spacek >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> Hello, >>> >>> The file /etc/ipa/ipa.conf or the fi
Re: [Freeipa-users] ipa-dnskeysyncd not starting
2016-12-19 17:06 GMT+01:00 Martin Basti <mba...@redhat.com>: > > > On 19.12.2016 16:27, Rob Verduijn wrote: > > > > 2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>: > >> >> >> >> 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>: >> >>> On 19.12.2016 14:07, Rob Verduijn wrote: >>> > Hello, >>> > >>> > I'm running ipa on centos 7.3 with the latest patches applied. >>> > >>> > It seem to run fine however the ipa-dnskeysyncd keeps failing to start >>> and >>> > I keep seeing this message in my logs: >>> > >>> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind... >>> > python2[25663]: GSSAPI client step 1 >>> > python2[25663]: GSSAPI client step 1 >>> > ns-slapd[2569]: GSSAPI server step 1 >>> > python2[25663]: GSSAPI client step 1 >>> > ns-slapd[2569]: GSSAPI server step 2 >>> > python2[25663]: GSSAPI client step 2 >>> > ns-slapd[2569]: GSSAPI server step 3 >>> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process >>> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO >>> > Initial LDAP dump is done, sychronizing with ODS and BIND >>> > python2[25674]: GSSAPI client step 1 >>> > python2[25674]: GSSAPI client step 1 >>> > ns-slapd[2569]: GSSAPI server step 1 >>> > python2[25674]: GSSAPI client step 1 >>> > ns-slapd[2569]: GSSAPI server step 2 >>> > python2[25674]: GSSAPI client step 2 >>> > ns-slapd[2569]: GSSAPI server step 3 >>> > ipa-dnskeysyncd[25663]: Traceback (most recent call last): >>> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line >>> 110, >>> > in >>> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, >>> > msgid=ldap_search): >>> > ipa-dnskeysyncd[25663]: File >>> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in >>> > syncrepl_poll >>> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone() >>> > ipa-dnskeysyncd[25663]: File >>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", >>> line 115, >>> > in syncrepl_refreshdone >>> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync() >>> > ipa-dnskeysyncd[25663]: File >>> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", >>> line 181, >>> > in hsm_replica_sync >>> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) >>> > ipa-dnskeysyncd[25663]: File >>> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in >>> run >>> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, >>> arg_string, >>> > str(output)) >>> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command >>> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit >>> status 1 >>> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, >>> > status=1/FAILURE >>> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. >>> > systemd[1]: ipa-dnskeysyncd.service failed. >>> > >>> > for some reason the ipa-dnskeysyncd keeops crashing. >>> > Anybody know where to start looking for this one ? >>> >>> Please raise the debug level so we can see something in the logs: >>> >>> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras >>> hes_or_returns_no_data >>> >>> -- >>> Petr^2 Spacek >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> Hello, >> >> The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist >> on my system. >> How to set debugging in this case ? >> >> Rob >> > > I've set the debug level in /etc/ipa/default.conf > > now I get this output > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, > status=1/FAILURE > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. > systemd[1]: ipa-dnskeysyncd.service failed. > systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart
Re: [Freeipa-users] ipa-dnskeysyncd not starting
2016-12-19 16:07 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>: > > > > 2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>: > >> On 19.12.2016 14:07, Rob Verduijn wrote: >> > Hello, >> > >> > I'm running ipa on centos 7.3 with the latest patches applied. >> > >> > It seem to run fine however the ipa-dnskeysyncd keeps failing to start >> and >> > I keep seeing this message in my logs: >> > >> > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind... >> > python2[25663]: GSSAPI client step 1 >> > python2[25663]: GSSAPI client step 1 >> > ns-slapd[2569]: GSSAPI server step 1 >> > python2[25663]: GSSAPI client step 1 >> > ns-slapd[2569]: GSSAPI server step 2 >> > python2[25663]: GSSAPI client step 2 >> > ns-slapd[2569]: GSSAPI server step 3 >> > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process >> > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO >> > Initial LDAP dump is done, sychronizing with ODS and BIND >> > python2[25674]: GSSAPI client step 1 >> > python2[25674]: GSSAPI client step 1 >> > ns-slapd[2569]: GSSAPI server step 1 >> > python2[25674]: GSSAPI client step 1 >> > ns-slapd[2569]: GSSAPI server step 2 >> > python2[25674]: GSSAPI client step 2 >> > ns-slapd[2569]: GSSAPI server step 3 >> > ipa-dnskeysyncd[25663]: Traceback (most recent call last): >> > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line >> 110, >> > in >> > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, >> > msgid=ldap_search): >> > ipa-dnskeysyncd[25663]: File >> > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in >> > syncrepl_poll >> > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone() >> > ipa-dnskeysyncd[25663]: File >> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line >> 115, >> > in syncrepl_refreshdone >> > ipa-dnskeysyncd[25663]: self.hsm_replica_sync() >> > ipa-dnskeysyncd[25663]: File >> > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line >> 181, >> > in hsm_replica_sync >> > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) >> > ipa-dnskeysyncd[25663]: File >> > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in >> run >> > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, >> arg_string, >> > str(output)) >> > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command >> > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit >> status 1 >> > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, >> > status=1/FAILURE >> > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. >> > systemd[1]: ipa-dnskeysyncd.service failed. >> > >> > for some reason the ipa-dnskeysyncd keeops crashing. >> > Anybody know where to start looking for this one ? >> >> Please raise the debug level so we can see something in the logs: >> >> http://www.freeipa.org/page/Troubleshooting#ipa_command_cras >> hes_or_returns_no_data >> >> -- >> Petr^2 Spacek >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project >> > > Hello, > > The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist > on my system. > How to set debugging in this case ? > > Rob > I've set the debug level in /etc/ipa/default.conf now I get this output systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. systemd[1]: ipa-dnskeysyncd.service failed. systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart. systemd[1]: Started IPA key daemon. systemd[1]: Starting IPA key daemon... ipa-dnskeysyncd[30568]: ipa : INFO LDAP bind... python2[30568]: GSSAPI client step 1 python2[30568]: GSSAPI client step 1 ns-slapd[26744]: GSSAPI server step 1 python2[30568]: GSSAPI client step 1 ns-slapd[26744]: GSSAPI server step 2 python2[30568]: GSSAPI client step 2 ns-slapd[26744]: GSSAPI server step 3 ipa-dnskeysyncd[30568]: ipa : INFO Commencing sync process ipa-dnskeysyncd[30568]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO Initia
Re: [Freeipa-users] ipa-dnskeysyncd not starting
2016-12-19 15:52 GMT+01:00 Petr Spacek <pspa...@redhat.com>: > On 19.12.2016 14:07, Rob Verduijn wrote: > > Hello, > > > > I'm running ipa on centos 7.3 with the latest patches applied. > > > > It seem to run fine however the ipa-dnskeysyncd keeps failing to start > and > > I keep seeing this message in my logs: > > > > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind... > > python2[25663]: GSSAPI client step 1 > > python2[25663]: GSSAPI client step 1 > > ns-slapd[2569]: GSSAPI server step 1 > > python2[25663]: GSSAPI client step 1 > > ns-slapd[2569]: GSSAPI server step 2 > > python2[25663]: GSSAPI client step 2 > > ns-slapd[2569]: GSSAPI server step 3 > > ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process > > ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO > > Initial LDAP dump is done, sychronizing with ODS and BIND > > python2[25674]: GSSAPI client step 1 > > python2[25674]: GSSAPI client step 1 > > ns-slapd[2569]: GSSAPI server step 1 > > python2[25674]: GSSAPI client step 1 > > ns-slapd[2569]: GSSAPI server step 2 > > python2[25674]: GSSAPI client step 2 > > ns-slapd[2569]: GSSAPI server step 3 > > ipa-dnskeysyncd[25663]: Traceback (most recent call last): > > ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line > 110, > > in > > ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, > > msgid=ldap_search): > > ipa-dnskeysyncd[25663]: File > > "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in > > syncrepl_poll > > ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone() > > ipa-dnskeysyncd[25663]: File > > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line > 115, > > in syncrepl_refreshdone > > ipa-dnskeysyncd[25663]: self.hsm_replica_sync() > > ipa-dnskeysyncd[25663]: File > > "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line > 181, > > in hsm_replica_sync > > ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) > > ipa-dnskeysyncd[25663]: File > > "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in > run > > ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, > arg_string, > > str(output)) > > ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command > > '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status > 1 > > systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, > > status=1/FAILURE > > systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. > > systemd[1]: ipa-dnskeysyncd.service failed. > > > > for some reason the ipa-dnskeysyncd keeops crashing. > > Anybody know where to start looking for this one ? > > Please raise the debug level so we can see something in the logs: > > http://www.freeipa.org/page/Troubleshooting#ipa_command_ > crashes_or_returns_no_data > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > Hello, The file /etc/ipa/ipa.conf or the file /etc/ipa/server.conf do not exist on my system. How to set debugging in this case ? Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa-dnskeysyncd not starting
Hello, I'm running ipa on centos 7.3 with the latest patches applied. It seem to run fine however the ipa-dnskeysyncd keeps failing to start and I keep seeing this message in my logs: ipa-dnskeysyncd[25663]: ipa : INFO LDAP bind... python2[25663]: GSSAPI client step 1 python2[25663]: GSSAPI client step 1 ns-slapd[2569]: GSSAPI server step 1 python2[25663]: GSSAPI client step 1 ns-slapd[2569]: GSSAPI server step 2 python2[25663]: GSSAPI client step 2 ns-slapd[2569]: GSSAPI server step 3 ipa-dnskeysyncd[25663]: ipa : INFO Commencing sync process ipa-dnskeysyncd[25663]: ipa.ipapython.dnssec.keysyncer.KeySyncer: INFO Initial LDAP dump is done, sychronizing with ODS and BIND python2[25674]: GSSAPI client step 1 python2[25674]: GSSAPI client step 1 ns-slapd[2569]: GSSAPI server step 1 python2[25674]: GSSAPI client step 1 ns-slapd[2569]: GSSAPI server step 2 python2[25674]: GSSAPI client step 2 ns-slapd[2569]: GSSAPI server step 3 ipa-dnskeysyncd[25663]: Traceback (most recent call last): ipa-dnskeysyncd[25663]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 110, in ipa-dnskeysyncd[25663]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search): ipa-dnskeysyncd[25663]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 405, in syncrepl_poll ipa-dnskeysyncd[25663]: self.syncrepl_refreshdone() ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 115, in syncrepl_refreshdone ipa-dnskeysyncd[25663]: self.hsm_replica_sync() ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/dnssec/keysyncer.py", line 181, in hsm_replica_sync ipa-dnskeysyncd[25663]: ipautil.run([paths.IPA_DNSKEYSYNCD_REPLICA]) ipa-dnskeysyncd[25663]: File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run ipa-dnskeysyncd[25663]: raise CalledProcessError(p.returncode, arg_string, str(output)) ipa-dnskeysyncd[25663]: subprocess.CalledProcessError: Command '/usr/libexec/ipa/ipa-dnskeysync-replica' returned non-zero exit status 1 systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE systemd[1]: Unit ipa-dnskeysyncd.service entered failed state. systemd[1]: ipa-dnskeysyncd.service failed. for some reason the ipa-dnskeysyncd keeops crashing. Anybody know where to start looking for this one ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] FYI incorrect configuration when using ipa-client-automount
Hello, I've was being bugged by a non functional automounter. So I tried a fresh centos7.3 install (minimal) with only the additional package ipa-client. I did the installation and update to latest patch level and reboot. Then ran ipa-client-install --enable-dns-updates Did the yes/admin account/auth And I had a fully functional freeipa-domain-client. Then I ran ipa-client-automount yes again. and no functional automounter. It appeared that the 'ipa-client-automount' tool did not adjust the /etc/nsswitch.conf file properly. In one occasion it replaced 'automount: files nisplus' with 'automount: files' in another it did not change it at all. After editing /etc/nsswitch.conf and setting it to 'automount: files sss' all was working as expected. Because there is not mention about centos on https://fedorahosted.org/freeipa/ and I'm used to seeing closed not supported on the redhat bugzilla when the word centos is mentioned I've posterd it in the centos buglist : https://bugs.centos.org/view.php?id=12415 Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade
2016-12-15 13:47 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>: > On 12/12/2016 08:53 PM, Rob Verduijn wrote: > > Hello, > > > > I've recently upgraded to centos 7.3. > > Didn't intend to so soon but should have checked the anounce lists before > > launching my ansible update playbook. > > > > Most of my servers came through, and mostly also the ipa server. > > There were duplicate rpms and a failed rpm upgrade. > > After some yum magic the rpm duplicates where gone and all the updates > installed. > > > > Manually running ipa-server-upgrade also seems to finish properly. > > > > However > > ipactl start keeps failing on the ntpd service. > > Not a big surprise since its running chronyd. > > > > I now start the ipa server with 'ipactl start --ignore-service-failure' > > > > Is there a way to explain the script that it should check for chronyd > instead of > > ntpd ? > > > > I also see this a lot in the logs: > > dns_rdatatype_fromtext() failed for attribute > > 'idnsTemplateAttribute;cnamerecord': unknown class/type > > > > Is that a serious error ? > > > > Rob Verduijn > > > > This looks like 7.3 update incorrectly added NTP service to IPA server > services (which is displayed as NTP role in `ipa server-show $server`). > > A workaround might be to disable the service or remove the service > entry. Disabling is IMHO safer. IPA CLI tools don't allow > enabling/disabling of services so it must be done by LDAP mod. > > It can be done by removing 'enabledService' config value from server's > service entry, e.g.: > > dn: cn=NTP,cn=$SERVER_FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX > changetype: modify > delete: ipaConfigString > ipaConfigString: enabledService > - > > Where $SERVER_FQDN is e.g. ipa.example.com and $SUFFIX is e.g. > dc=example,dc=com > > > Rob, have you originally installed the replica with NTPD and then later > switched manually to chrony? > > -- > Petr Vobornik > Hello, I can't remember if I installed and configured freeipa and then switched to chronyd or the other way around. I had my ntpd/ntpdate services masked because I got tired of stopping and disabling them all the time. It seems ipactl can't deal with that. Currently I unmasked the services and enabled them (disabling chronyd) so that the server boots properly. I will try your ldiff to see if I can switch back, since I do not use my ipa server as a time source for clients. I'll let you know the results. Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa fails to start after centos 7.3 upgrade
Hello, I've recently upgraded to centos 7.3. Didn't intend to so soon but should have checked the anounce lists before launching my ansible update playbook. Most of my servers came through, and mostly also the ipa server. There were duplicate rpms and a failed rpm upgrade. After some yum magic the rpm duplicates where gone and all the updates installed. Manually running ipa-server-upgrade also seems to finish properly. However ipactl start keeps failing on the ntpd service. Not a big surprise since its running chronyd. I now start the ipa server with 'ipactl start --ignore-service-failure' Is there a way to explain the script that it should check for chronyd instead of ntpd ? I also see this a lot in the logs: dns_rdatatype_fromtext() failed for attribute 'idnsTemplateAttribute;cnamerecord': unknown class/type Is that a serious error ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd
2016-12-01 19:44 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>: > > > 2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > >> Rob Verduijn wrote: >> > >> > >> > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com >> > <mailto:rcrit...@redhat.com>>: >> > >> > Rob Verduijn wrote: >> > > Hello, >> > > >> > > For some reason my ipa server no longer boots. >> > > It keeps trying to start pki-tomcat service. >> > > >> > > Does anybody know where I should start looking to get this fixed ? >> > > >> > > Rob Verduijn >> > > >> > > ipactl -d start gives this output: >> > > ipa: DEBUG: The CA status is: check interrupted due to error: >> Command >> > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' >> '--no-check-certificate' >> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus >> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>'' >> returned >> > > non-zero exit status 8 >> > > ipa: DEBUG: Waiting for CA to start... >> > > ipa: DEBUG: Starting external process >> > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' >> > > '--no-check-certificate' >> > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus >> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>' >> > > ipa: DEBUG: Process finished, return code=8 >> > > ipa: DEBUG: stdout= >> > > ipa: DEBUG: stderr=--2016-12-01 11:06:12-- >> > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus >> > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus> >> > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... >> 172.16.1.13 >> > > Connecting to freeipa02.tjako.thuis >> > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected. >> > > HTTP request sent, awaiting response... >> > > HTTP/1.1 500 Internal Server Error >> > > Server: Apache-Coyote/1.1 >> > > Content-Type: text/html;charset=utf-8 >> > > Content-Language: en >> > > Content-Length: 2134 >> > > Date: Thu, 01 Dec 2016 10:06:13 GMT >> > > Connection: close >> > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error. >> > > >> > > There are also some java warnings in the logs, but its java and I >> can >> > > never tell if its a serious error when java gives a warning. >> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM >> > > org.apache.catalina.startup.SetAllPropertiesRule begin >> > > Dec 1 09:53:59 freeipa02 server: WARNING: >> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > > 'serverCertNickFile' to >> > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a >> > > matching property. >> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM >> > > org.apache.catalina.startup.SetAllPropertiesRule begin >> > > Dec 1 09:53:59 freeipa02 server: WARNING: >> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' >> did not >> > > find a matching property. >> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM >> > > org.apache.catalina.startup.SetAllPropertiesRule begin >> > > Dec 1 09:53:59 freeipa02 server: WARNING: >> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > > 'passwordClass' to 'org.apache.tomcat.util.net >> > <http://org.apache.tomcat.util.net>.jss.PlainPasswordFile' >> > > did not find a matching property. >> > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM >> > > org.apache.catalina.startup.SetAllPropertiesRule begin >> > > Dec 1 09:53:59 freeipa02 server: WARNING: >> > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property >> > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a >> matching >> > > property. >> > > Dec 1 09:53:59 freeipa02 server:
Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd
2016-12-01 17:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Rob Verduijn wrote: > > > > > > 2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com > > <mailto:rcrit...@redhat.com>>: > > > > Rob Verduijn wrote: > > > Hello, > > > > > > For some reason my ipa server no longer boots. > > > It keeps trying to start pki-tomcat service. > > > > > > Does anybody know where I should start looking to get this fixed ? > > > > > > Rob Verduijn > > > > > > ipactl -d start gives this output: > > > ipa: DEBUG: The CA status is: check interrupted due to error: > Command > > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > '--no-check-certificate' > > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus > > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>'' > returned > > > non-zero exit status 8 > > > ipa: DEBUG: Waiting for CA to start... > > > ipa: DEBUG: Starting external process > > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > > > '--no-check-certificate' > > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus > > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus>' > > > ipa: DEBUG: Process finished, return code=8 > > > ipa: DEBUG: stdout= > > > ipa: DEBUG: stderr=--2016-12-01 11:06:12-- > > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus > > <https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus> > > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... > 172.16.1.13 > > > Connecting to freeipa02.tjako.thuis > > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected. > > > HTTP request sent, awaiting response... > > > HTTP/1.1 500 Internal Server Error > > > Server: Apache-Coyote/1.1 > > > Content-Type: text/html;charset=utf-8 > > > Content-Language: en > > > Content-Length: 2134 > > > Date: Thu, 01 Dec 2016 10:06:13 GMT > > > Connection: close > > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error. > > > > > > There are also some java warnings in the logs, but its java and I > can > > > never tell if its a serious error when java gives a warning. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Dec 1 09:53:59 freeipa02 server: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'serverCertNickFile' to > > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a > > > matching property. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Dec 1 09:53:59 freeipa02 server: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' > did not > > > find a matching property. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Dec 1 09:53:59 freeipa02 server: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'passwordClass' to 'org.apache.tomcat.util.net > > <http://org.apache.tomcat.util.net>.jss.PlainPasswordFile' > > > did not find a matching property. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > > org.apache.catalina.startup.SetAllPropertiesRule begin > > > Dec 1 09:53:59 freeipa02 server: WARNING: > > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a > matching > > > property. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > > Dec 1 09:53:59 freeipa02 server: WARNING: > > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > > 'xmlValidation' to 'false' did not find a matching property. > > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > >
Re: [Freeipa-users] ipa fails to start hangs on pki-tomcatd
2016-12-01 15:41 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Rob Verduijn wrote: > > Hello, > > > > For some reason my ipa server no longer boots. > > It keeps trying to start pki-tomcat service. > > > > Does anybody know where I should start looking to get this fixed ? > > > > Rob Verduijn > > > > ipactl -d start gives this output: > > ipa: DEBUG: The CA status is: check interrupted due to error: Command > > ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned > > non-zero exit status 8 > > ipa: DEBUG: Waiting for CA to start... > > ipa: DEBUG: Starting external process > > ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' > > '--no-check-certificate' > > 'https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus' > > ipa: DEBUG: Process finished, return code=8 > > ipa: DEBUG: stdout= > > ipa: DEBUG: stderr=--2016-12-01 11:06:12-- > > https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus > > Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13 > > Connecting to freeipa02.tjako.thuis > > (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected. > > HTTP request sent, awaiting response... > > HTTP/1.1 500 Internal Server Error > > Server: Apache-Coyote/1.1 > > Content-Type: text/html;charset=utf-8 > > Content-Language: en > > Content-Length: 2134 > > Date: Thu, 01 Dec 2016 10:06:13 GMT > > Connection: close > > 2016-12-01 11:06:13 ERROR 500: Internal Server Error. > > > > There are also some java warnings in the logs, but its java and I can > > never tell if its a serious error when java gives a warning. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'serverCertNickFile' to > > '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a > > matching property. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not > > find a matching property. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' > > did not find a matching property. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.catalina.startup.SetAllPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetAllPropertiesRule]{Server/Service/Connector} Setting property > > 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching > > property. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > 'xmlValidation' to 'false' did not find a matching property. > > Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM > > org.apache.tomcat.util.digester.SetPropertiesRule begin > > Dec 1 09:53:59 freeipa02 server: WARNING: > > [SetPropertiesRule]{Server/Service/Engine/Host} Setting property > > 'xmlNamespaceAware' to 'false' did not find a matching property. > > > > > > I'm running centos7.2 x86_64 with the latest patches applied. > > some package versions below > > rpm -qa|egrep "ipa|tomcat"|sort > > ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64 > > ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64 > > ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64 > > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 > > ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64 > > libipa_hbac-1.13.0-40.el7_2.12.x86_64 > > python-iniparse-0.4-9.el7.noarch > > python-libipa_hbac-1.13.0-40.el7_2.12.x86_64 > > sssd-ipa-1.13.0-40.el7_2.12.x86_64 > > tomcat-7.0.54-8.el7_2.noarch > > tomcat-el-2.2-api-7.0.54-8.el7_2.noarch > > tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch > > tomcatjss-7.1.2-1.el7.noarch > > tomcat-lib-7.0.54-8.el7_2.noarch > > to
[Freeipa-users] ipa fails to start hangs on pki-tomcatd
Hello, For some reason my ipa server no longer boots. It keeps trying to start pki-tomcat service. Does anybody know where I should start looking to get this fixed ? Rob Verduijn ipactl -d start gives this output: ipa: DEBUG: The CA status is: check interrupted due to error: Command ''/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' ' https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus'' returned non-zero exit status 8 ipa: DEBUG: Waiting for CA to start... ipa: DEBUG: Starting external process ipa: DEBUG: args='/usr/bin/wget' '-S' '-O' '-' '--timeout=30' '--no-check-certificate' ' https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus' ipa: DEBUG: Process finished, return code=8 ipa: DEBUG: stdout= ipa: DEBUG: stderr=--2016-12-01 11:06:12-- https://freeipa02.tjako.thuis:8443/ca/admin/ca/getStatus Resolving freeipa02.tjako.thuis (freeipa02.tjako.thuis)... 172.16.1.13 Connecting to freeipa02.tjako.thuis (freeipa02.tjako.thuis)|172.16.1.13|:8443... connected. HTTP request sent, awaiting response... HTTP/1.1 500 Internal Server Error Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 2134 Date: Thu, 01 Dec 2016 10:06:13 GMT Connection: close 2016-12-01 11:06:13 ERROR 500: Internal Server Error. There are also some java warnings in the logs, but its java and I can never tell if its a serious error when java gives a warning. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.catalina.startup.SetAllPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'serverCertNickFile' to '/var/lib/pki/pki-tomcat/conf/serverCertNick.conf' did not find a matching property. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.catalina.startup.SetAllPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordFile' to '/var/lib/pki/pki-tomcat/conf/password.conf' did not find a matching property. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.catalina.startup.SetAllPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'passwordClass' to 'org.apache.tomcat.util.net.jss.PlainPasswordFile' did not find a matching property. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.catalina.startup.SetAllPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'certdbDir' to '/var/lib/pki/pki-tomcat/alias' did not find a matching property. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.tomcat.util.digester.SetPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlValidation' to 'false' did not find a matching property. Dec 1 09:53:59 freeipa02 server: Dec 01, 2016 9:53:59 AM org.apache.tomcat.util.digester.SetPropertiesRule begin Dec 1 09:53:59 freeipa02 server: WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'xmlNamespaceAware' to 'false' did not find a matching property. I'm running centos7.2 x86_64 with the latest patches applied. some package versions below rpm -qa|egrep "ipa|tomcat"|sort ipa-admintools-4.2.0-15.0.1.el7.centos.19.x86_64 ipa-client-4.2.0-15.0.1.el7.centos.19.x86_64 ipa-python-4.2.0-15.0.1.el7.centos.19.x86_64 ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 ipa-server-dns-4.2.0-15.0.1.el7.centos.19.x86_64 libipa_hbac-1.13.0-40.el7_2.12.x86_64 python-iniparse-0.4-9.el7.noarch python-libipa_hbac-1.13.0-40.el7_2.12.x86_64 sssd-ipa-1.13.0-40.el7_2.12.x86_64 tomcat-7.0.54-8.el7_2.noarch tomcat-el-2.2-api-7.0.54-8.el7_2.noarch tomcat-jsp-2.2-api-7.0.54-8.el7_2.noarch tomcatjss-7.1.2-1.el7.noarch tomcat-lib-7.0.54-8.el7_2.noarch tomcat-servlet-3.0-api-7.0.54-8.el7_2.noarch -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] sss / nsswitch
2016-09-23 10:27 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>: > On (13/09/16 16:18), Rob Verduijn wrote: > >2016-09-13 15:07 GMT+02:00 Lukas Slebodnik <lsleb...@redhat.com>: > > > >> On (13/09/16 10:39), Sumit Bose wrote: > >> >On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote: > >> >> Hi, > >> >> > >> >> Thanks that did it. > >> >> > >> >> Is there a less painfull way to be notified of these changes ? > >> >> > >> >> My nfs configuration gets broken much more than I like because of > >> changes > >> >> like these. > >> >> I know fedora is supposed to be testing grounds unstable software, > but I > >> >> would really like to hear a heads up more often. > >> > > >> >The change was mentioned in the upstream release notes of SSSD-1.14.1 > >> >https://fedorahosted.org/sssd/wiki/Releases/Notes-1.14.1 but of > course I > >> >cannot be expected to read all upstream release note before running > 'dnf > >> >update'. > >> > > >> >The change was necessary because before the plugin was in the > >> >sssd-common package and this caused that some nfs dependencies were > >> >pulled in even on systems where nfs is not needed at all. Since neither > >> >SSSD nor nfs-idmap strictly require the plugin the new package is not > >> >automatically installed during update. > >> > > >> > >> Sorry for troubles. We can add weak dependency info sssd-common on > >> sssd-nfs-idmap and it might be installed by default. > >> IIRC dnf does not inform about suggested packages; but recommends minght > >> work. Feel free ot file a BZ. > >> > >> The reason why it is in separate package is "container world". > >> You need to have install packge sssd-nfs-idmap on host > >> but sssd can be running in container. > >> > >> LS > >> > > > > > >I probably should've noticed that the version number went from 1.13.x to > >1.14.x which usually is something noteworthy. > >I'll just add the release notes from sssd to my list of must reads when > >there is an update. > > > The package sssd-nfs-idmap should be installed with sssd-1.14.1-3 > It needn't be due to weak dependencies. But recommended packages > are installed by default with dnf. > > rpm -q --recommends sssd-common-1.14.1-3 > libsss_autofs(x86-64) = 1.14.1-3.fc24 > libsss_sudo = 1.14.1-3.fc24 > sssd-nfs-idmap = 1.14.1-3.fc24 > > LS > Does this also apply when you run dnf update ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] sss / nsswitch
Hi all, Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24. Then after the reboot the nfs-idmap service told me it couldn't start because it could not find method sss. So I filed a bug report and tried switching the method nsswitch. But now all files on my kerberos nfs4 shares belong to nobody:nobodyy again. Anybody who has a tip on how to work around this until they fix sssd ? Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?
hi, just a long shot here.. I've been battling sudo for a couple days now and found that my issue was one related to symlinks on centos7 'which cat' says /bin/cat but on centos /bin is a symlink to /usr/bin and sudo knows a symlink when it sees one and to prevent abuse it requires the 'real' path for the sudo rule : ALL=(ALL) /usr/bin/cat on centos6 which cat also says /bin/cat but since /bin is not a symlink it requires the sudo rule to be ALL=(ALL) /bin/cat so for the sudo to work on both centos6 and centos7 you would require 2 sudo rules. Ignore me if this is irrelevant. Just my 2 cents Rob 2016-07-14 10:38 GMT+02:00 Lukas Slebodnik: > On (14/07/16 10:09), Tomas Simecek wrote: > >Thanks all of you guys, > >I have updated to: > >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 > >sssd-1.13.3-22.el6_8.4.x86_64 > >sssd-ldap-1.13.3-22.el6_8.4.x86_64 > >sssd-client-1.13.3-22.el6_8.4.x86_64 > >sssd-ad-1.13.3-22.el6_8.4.x86_64 > >sssd-proxy-1.13.3-22.el6_8.4.x86_64 > >libsss_idmap-1.13.3-22.el6_8.4.x86_64 > >sssd-common-1.13.3-22.el6_8.4.x86_64 > >sssd-ipa-1.13.3-22.el6_8.4.x86_64 > >python-sssdconfig-1.13.3-22.el6_8.4.noarch > >sssd-krb5-1.13.3-22.el6_8.4.x86_64 > >sssd-common-pac-1.13.3-22.el6_8.4.x86_64 > >(there does not seem to be libsss_sudo in Centos as suggested by Danila). > >and restarted sssd. > > > >There are two rules enabled. One HBAC as I presented earlier: > > Rule name: Unixari na test servery > > Enabled: TRUE > > User Groups: grpunixadmins > > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > > Services: login, sshd, sudo, sudo-i, su, su-l > > > >and one sudo rule: > >Rule name: Pokusne > > Enabled: TRUE > > Command category: all > > User Groups: grpunixadmins > > Hosts: spcss-2t-www.linuxdomain.cz, zp-cml-test.linuxdomain.cz > > > >Default "all-access" rules are disabled. > > > >When I try to sudo as AD user (member of grpunixadmins) on Centos 6.6, I > >still get: > > > >[simecek.to...@sd-stc.cz@zp-cml-test ~]$ sudo cat /etc/nsswitch.conf > >[sudo] password for simecek.to...@sd-stc.cz: > >simecek.to...@sd-stc.cz is not in the sudoers file. This incident will > be > >reported. > > > >It works fine on Centos 7 (spcss-2t-www.linuxdomain.cz). > > > >sssd.conf: > >[domain/linuxdomain.cz] > >cache_credentials = True > >krb5_store_password_if_offline = True > >ipa_domain = linuxdomain.cz > >id_provider = ipa > >krb5_realm = LINUXDOMAIN.CZ > >auth_provider = ipa > >access_provider = ipa > >ipa_hostname = zp-cml-test.linuxdomain.cz > >chpass_provider = ipa > >ipa_server = svlxxipap.linuxdomain.cz > >ldap_tls_cacert = /etc/ipa/ca.crt > >override_shell = /bin/bash > >sudo_provider = ipa > >ldap_uri = ldap://svlxxipap.linuxdomain.cz > >ldap_sudo_search_base = ou=sudoers,dc=linuxdomain,dc=cz > >ldap_sasl_mech = GSSAPI > >#ldap_sasl_authid = host/zp-cml-test.linuxdomain...@linuxdomain.cz > >ldap_sasl_authid = host/zp-cml-test.linuxdomain.cz > >ldap_sasl_realm = LINUXDOMAIN.CZ > >krb5_server = svlxxipap.linuxdomain.cz > >debug_level = 0x3ff0 > >[sssd] > >services = nss, sudo, pam, ssh > >config_file_version = 2 > >domains = linuxdomain.cz > >[nss] > >homedir_substring = /home > >[pam] > >[sudo] > >debug_level = 0x3ff0 > >[autofs] > >[ssh] > >[pac] > >[ifp] > > > > > >sssd_sudo.log from the moment I tried sudo: > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > >(0x0400): No such entry > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > >(0x0200): Searching sysdb with > >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser= > >simecek.to...@sd-stc.cz)(sudoUser=#988604700)(sudoUser=%domain\ > >20us...@sd-stc.cz)(sudoUser=%unixadm...@sd-stc.cz > >)(sudoUser=%grpunixadmins)(sudoUser=%mfcr_...@sd-stc.cz)(sudoUser=% > >acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz > >)(sudoUser=+*))(&(dataExpireTimestamp<=1468482821)))] > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_rules] (0x2000): > About > >to get sudo rules from cache > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sysdb_search_group_by_gid] > >(0x0400): No such entry > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] > [sudosrv_get_sudorules_query_cache] > >(0x0200): Searching sysdb with > >[(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser= > simecek.to...@sd-stc.cz > >)(sudoUser=#988604700)(sudoUser=%domain\20us...@sd-stc.cz)(sudoUser=% > >unixadm...@sd-stc.cz)(sudoUser=%grpunixadmins)(sudoUser=% > mfcr_...@sd-stc.cz > >)(sudoUser=%acco...@sd-stc.cz)(sudoUser=%wifiadm...@sd-stc.cz > >)(sudoUser=+*)))] > >(Thu Jul 14 09:53:41 2016) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] > >(0x0400): Returning 0 rules for [simecek.to...@sd-stc.cz] > >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_recv] (0x0200): Client > >disconnected! > >(Thu Jul 14 09:53:47 2016) [sssd[sudo]] [client_destructor] (0x2000): > >Terminated client [0x260b690][17] > >(Thu Jul 14 09:53:51 2016) [sssd[sudo]] [sbus_message_handler] (0x2000): > >Received SBUS method
Re: [Freeipa-users] what is the best way to create a search account
thanx 2016-06-30 13:59 GMT+02:00 Tomasz Torcz <to...@pipebreaker.pl>: > On Thu, Jun 30, 2016 at 01:22:34PM +0200, Rob Verduijn wrote: > > Hello, > > > > > > What would be the most appropriate way to create a search account so > that a > > third party tool (wildfly) can use it to search the ipa domain for > > credentials ? > > I guess http://www.freeipa.org/page/HowTo/LDAP#System_Accounts > > > -- > Tomasz Torcz"Funeral in the morning, IDE hacking > xmpp: zdzich...@chrome.plin the afternoon and evening." - Alan Cox > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] what is the best way to create a search account
Hello, What would be the most appropriate way to create a search account so that a third party tool (wildfly) can use it to search the ipa domain for credentials ? Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] get freeipa to update ad users and groups more often
Hi, I avoided the slow filling group by using the AD-Group with spaces (was a tad more challenging for scipting) But here's the releases (some of them) ipa 4.2 and sssd 1.13 ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 sssd-common-1.13.0-40.el7_2.2.x86_64 sssd-client-1.13.0-40.el7_2.2.x86_64 sssd-ad-1.13.0-40.el7_2.2.x86_64 Cheers Rob Verduijn 2016-05-04 18:06 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: > On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote: >> to make sure I did the following on the ipa host >> >> systemctl stop sssd.service >> rm -f /var/lib/sss/db/* >> systemctl start sssd.service >> >> now there is no cheating from cach >> getent passwd u...@ad-domain.com works and gives userid >> id u...@ad-domain.com works fine and show all goups the user is a >> member of including ad_linux_administrators (ipa group) and 'linux >> administrat...@ad-domain.com' >> getent group ad_linux_administrators only shows the group ad, no >> members, these pop up after a very long time >> getent group 'linux administrat...@ad-domain.com' imediatly show all members > > Please note that getent group only works with very recent versions of > ipa and sssd. What version are you running. > >> >> weird >> >> Rob Verduijn >> >> 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: >> > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote: >> >> This goes especially for ad groups that are bested in ipa_groups >> >> >> >> ie : >> >> microsft group is defined as an external group, >> >> and that external group is member of an ipa group >> >> and that ipa group takes forever. >> >> >> >> Regards >> >> Rob Verduijn >> > >> > All the work in this area is done by sssd on the server. The sssd there >> > runs a periodical task to re-fetch new external groups memberships every >> > 10 seconds. So I would expect the group memberships to turn up after 10 >> > seconds at worst. >> > >> > Are you sure (from sssd logs) that maybe sssd is not going into offline >> > state and just consults its cache? >> > >> >> >> >> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>: >> >> > Hello, >> >> > >> >> > I'm using a trust to microsoft active directory to allow users access >> >> > to linux servers. >> >> > >> >> > But when a user is added it takes a very long time for ipa to register >> >> > this. >> >> > And even more time for the ipa clients since they have to wait for the >> >> > ipa servers. >> >> > >> >> > Since I hate to tell the users to wait for a couple hours, and also I >> >> > do not like to clean up the sssd cache folder each time a new user >> >> > appears. >> >> > >> >> > Is there a way to tell ipa and all clients to refresh their cache ? >> >> > >> >> > Regards >> >> > Rob Verduijn >> >> >> >> -- >> >> Manage your subscription for the Freeipa-users mailing list: >> >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> Go to http://freeipa.org for more info on the project >> > >> > -- >> > Manage your subscription for the Freeipa-users mailing list: >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] get freeipa to update ad users and groups more often
to make sure I did the following on the ipa host systemctl stop sssd.service rm -f /var/lib/sss/db/* systemctl start sssd.service now there is no cheating from cach getent passwd u...@ad-domain.com works and gives userid id u...@ad-domain.com works fine and show all goups the user is a member of including ad_linux_administrators (ipa group) and 'linux administrat...@ad-domain.com' getent group ad_linux_administrators only shows the group ad, no members, these pop up after a very long time getent group 'linux administrat...@ad-domain.com' imediatly show all members weird Rob Verduijn 2016-05-04 16:41 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: > On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote: >> This goes especially for ad groups that are bested in ipa_groups >> >> ie : >> microsft group is defined as an external group, >> and that external group is member of an ipa group >> and that ipa group takes forever. >> >> Regards >> Rob Verduijn > > All the work in this area is done by sssd on the server. The sssd there > runs a periodical task to re-fetch new external groups memberships every > 10 seconds. So I would expect the group memberships to turn up after 10 > seconds at worst. > > Are you sure (from sssd logs) that maybe sssd is not going into offline > state and just consults its cache? > >> >> >> 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>: >> > Hello, >> > >> > I'm using a trust to microsoft active directory to allow users access >> > to linux servers. >> > >> > But when a user is added it takes a very long time for ipa to register >> > this. >> > And even more time for the ipa clients since they have to wait for the >> > ipa servers. >> > >> > Since I hate to tell the users to wait for a couple hours, and also I >> > do not like to clean up the sssd cache folder each time a new user >> > appears. >> > >> > Is there a way to tell ipa and all clients to refresh their cache ? >> > >> > Regards >> > Rob Verduijn >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] get freeipa to update ad users and groups more often
This goes especially for ad groups that are bested in ipa_groups ie : microsft group is defined as an external group, and that external group is member of an ipa group and that ipa group takes forever. Regards Rob Verduijn 2016-05-04 16:10 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>: > Hello, > > I'm using a trust to microsoft active directory to allow users access > to linux servers. > > But when a user is added it takes a very long time for ipa to register this. > And even more time for the ipa clients since they have to wait for the > ipa servers. > > Since I hate to tell the users to wait for a couple hours, and also I > do not like to clean up the sssd cache folder each time a new user > appears. > > Is there a way to tell ipa and all clients to refresh their cache ? > > Regards > Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] get freeipa to update ad users and groups more often
Hello, I'm using a trust to microsoft active directory to allow users access to linux servers. But when a user is added it takes a very long time for ipa to register this. And even more time for the ipa clients since they have to wait for the ipa servers. Since I hate to tell the users to wait for a couple hours, and also I do not like to clean up the sssd cache folder each time a new user appears. Is there a way to tell ipa and all clients to refresh their cache ? Regards Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa client deletes dns record from ipa domain
found it, I needed to set dyndns_iface to the proper device It was set to the original device which was bridged, so no ip address was assigned to it. After setting it to bridge0 the update went ok Rob Verduijn 2016-05-02 13:06 GMT+02:00 Rob Verduijn <rob.verdu...@gmail.com>: > debug logging from sssd is rather overwhelming, > What am I looking for in the logs ? > > Rob > > 2016-05-02 11:54 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: >> On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote: >>> Hello, >>> >>> I'm a bit at loss here. >>> For some reason when I set 'dyndns_update = True' the system deletes >>> it's dns a record from the ipa domain. >>> >>> I have this with some systems not all, which makes it more confusing for me. >>> >>> I've deleted the sssd cache, triple checked all the configs and logs , >>> but I can't seem to find any errors or inconsystencies with the flawed >>> system or the ones that do work. >>> >>> Any ideas what could cause this ? >>> >>> I now have set it to false on the system that keeps deleting its >>> record, but I keep wondering what is causing this. >> >> I guess sssd logs would tell something. I thought we removed the old and >> re-added the new records within the same transaction, but I could be >> wrong.. >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa client deletes dns record from ipa domain
debug logging from sssd is rather overwhelming, What am I looking for in the logs ? Rob 2016-05-02 11:54 GMT+02:00 Jakub Hrozek <jhro...@redhat.com>: > On Mon, May 02, 2016 at 11:48:48AM +0200, Rob Verduijn wrote: >> Hello, >> >> I'm a bit at loss here. >> For some reason when I set 'dyndns_update = True' the system deletes >> it's dns a record from the ipa domain. >> >> I have this with some systems not all, which makes it more confusing for me. >> >> I've deleted the sssd cache, triple checked all the configs and logs , >> but I can't seem to find any errors or inconsystencies with the flawed >> system or the ones that do work. >> >> Any ideas what could cause this ? >> >> I now have set it to false on the system that keeps deleting its >> record, but I keep wondering what is causing this. > > I guess sssd logs would tell something. I thought we removed the old and > re-added the new records within the same transaction, but I could be > wrong.. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa client deletes dns record from ipa domain
Hello, I'm a bit at loss here. For some reason when I set 'dyndns_update = True' the system deletes it's dns a record from the ipa domain. I have this with some systems not all, which makes it more confusing for me. I've deleted the sssd cache, triple checked all the configs and logs , but I can't seem to find any errors or inconsystencies with the flawed system or the ones that do work. Any ideas what could cause this ? I now have set it to false on the system that keeps deleting its record, but I keep wondering what is causing this. Regards Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA and samba 4
Howdy, out of curiousity any targetted release for UPN ? Cheers Rob 2016-03-10 15:15 GMT+01:00 Petr Spacek: > On 10.3.2016 13:34, Giulio Casella wrote: >> I've seen that howto, but it's not my case. I cannot establish a trust >> between >> IPA and AD, because AD domain involves additional UPNs (mydomain.com and >> another.mydomain.com) in addition to main domain foobar.local. This scenario >> is not supported by current version of FreeIPA (maybe in future releases). >> So: FreeIPA domain and AD domain have to be different. > > For the record, UPN support is soonish. > > Petr^2 Spacek > >> >> Giulio >> >> Il 10/03/2016 13:23, Justin Stephenson ha scritto: >>> Hello, >>> >>> Are you looking for this? This leverages the AD trust to allow samba >>> within IPA to resolve AD users from a trusted AD domain/forest >>> >>> *Howto/Integrating a Samba File Server With IPA* >>> >>> >>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >>> >>> >>> -Justin >>> >>> On 03/10/2016 06:29 AM, Giulio Casella wrote: Hi guys, I've got a FreeIPA domain up and running, with a nfs server, joined to IPA domain, offering user's home directories. I'd like to give users on Windows 7 PC (not joined to the same domain) the ability to mount those home directories via samba (entering credentials, not kerberos, being different domains). How can I configure samba to use IPA kerberos authentication authentication to offer access to home directories? I know this could be configured more as a samba question, but I hope someone in this list already faced my scenario. Thanks in advance, Giulio >>> >> > > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] what is the sudo rule runasuser local user account
Hello, I've noticed that the sudorule-add-runasuser no longer has en --external option What is the current method to add a local service account to a sud rule list so that users may run sudo as that service account (ie apache or jboss) Cheers Rob Verudijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] what is the sudo rule runasuser local user account
On Centos7.2 all patches applied I used the command: ipa-client-install --enable-dns-updates Rob 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote: >> Hello, >> >> I've noticed that the sudorule-add-runasuser no longer has en --external >> option >> >> What is the current method to add a local service account to a sud >> rule list so that users may run sudo as that service account (ie >> apache or jboss) >> >> Cheers >> Rob Verudijn > > I know I'm not answering your question but how did you configure the > client side earlier? Did you use the native/legacy sudo ldap driver? > > The reason I'm asking this is that sssd only supports users it handles, > so in the IPA case it only supports IPA users anyway.. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] what is the sudo rule runasuser local user account
That does seem to work for me as well, however I can only add the external user via the web-gui Any idea how to do this with the command line tools ? Rob Verduijn 2016-02-04 17:00 GMT+01:00 Baird, Josh <jba...@follett.com>: > Actually, I use local (external) users in my sudo rules in IPA 4.2 with no > problem. > > Example: > > Rule name: TestDBAs > Description: access for members of the TestDBAs group > Enabled: TRUE > Command category: all > User Groups: testdbas > Host Groups: corp_oracle > RunAs External User: oracle > > In this example, 'oracle' is a local user on the server (not in IPA). I hope > this functionality does not go away. > > Thanks, > > Josh > >> -Original Message- >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- >> boun...@redhat.com] On Behalf Of Rob Verduijn >> Sent: Thursday, February 04, 2016 10:54 AM >> To: Jakub Hrozek >> Cc: freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] what is the sudo rule runasuser local user >> account >> >> On Centos7.2 all patches applied I used the command: >> ipa-client-install --enable-dns-updates >> >> Rob >> >> 2016-02-04 16:45 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: >> > On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote: >> >> Hello, >> >> >> >> I've noticed that the sudorule-add-runasuser no longer has en >> >> --external option >> >> >> >> What is the current method to add a local service account to a sud >> >> rule list so that users may run sudo as that service account (ie >> >> apache or jboss) >> >> >> >> Cheers >> >> Rob Verudijn >> > >> > I know I'm not answering your question but how did you configure the >> > client side earlier? Did you use the native/legacy sudo ldap driver? >> > >> > The reason I'm asking this is that sssd only supports users it >> > handles, so in the IPA case it only supports IPA users anyway.. >> > >> > -- >> > Manage your subscription for the Freeipa-users mailing list: >> > https://www.redhat.com/mailman/listinfo/freeipa-users >> > Go to http://freeipa.org for more info on the project >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] what is the sudo rule runasuser local user account
hi all, I tried and figured it out.. ipa sudorule-add-runasuser --users= Is the command syntax I was looking for. I guess that if the --users isn't an ipa user it is automatically flagged as an external user. Cheers Rob Verduijn 2016-02-04 17:33 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: > On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote: >> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no >> problem. >> >> Example: >> >> Rule name: TestDBAs >> Description: access for members of the TestDBAs group >> Enabled: TRUE >> Command category: all >> User Groups: testdbas >> Host Groups: corp_oracle >> RunAs External User: oracle > > ipaSudoRunAsExtUser, ipaSudoRunAsExtGroup and ipaSudoRunAsExtUserGroup > -- that's the user you want to run sudo as. That's still supported. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] ipa replica is ad trust controller but refuses ad users
Hello, I've set up an ipa-server with an one way trust to a windows 2012r2 controller. All works on this server. I can login with ad accounts on this server. I added an ipa replica, and checked it all worked. Now I tried ipa-trust-add --add-agents on the first ipa server. restarted ipa on both servers but this did not help then i did a ipa-adtrust-install on the second ipa server and a ipa trust-add --type=ad windows.domain all dns queries from the docs work https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration I get both ipa servers returned in the queries. On the windows server and the ipa server. On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user and get an answer On the second I get : unknown user What could be the cause of this, why does the second server not do ad-authentication ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa replica is ad trust controller but refuses ad users
hmmm It suddenly started to work.weird. On both servers I changed dns_lookup_realm = true (was false) stoped sssd and cleared the sssd cache rm /var/lib/sss/db/* started sssd and it works now But I find it hard to believe that was the cause. Is there a cache involved somewhere ? Rob Verduijn 2016-01-28 13:26 GMT+01:00 Rob Verduijn <rob.verdu...@gmail.com>: > Hello, > > I've set up an ipa-server with an one way trust to a windows 2012r2 > controller. > All works on this server. > I can login with ad accounts on this server. > > I added an ipa replica, and checked it all worked. > > Now I tried > ipa-trust-add --add-agents on the first ipa server. > restarted ipa on both servers > > but this did not help > then i did a > ipa-adtrust-install on the second ipa server > and a ipa trust-add --type=ad windows.domain > > all dns queries from the docs work > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#verify-dns-configuration > > I get both ipa servers returned in the queries. > On the windows server and the ipa server. > > On the first ipaserver I can issue : id WINDOWS.DOMAIN\\ad-user > and get an answer > On the second I get : unknown user > > What could be the cause of this, why does the second server not do > ad-authentication ? > > Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] multimaster ad one way trust setup
Cool Thanx Rob Verduijn 2016-01-25 12:59 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: > On Mon, 25 Jan 2016, Rob Verduijn wrote: >> >> Since the first option has less impact, that one sounds the most >> interesting. >> However, does this also remain functional when the first ipa server is >> taken offline ? > > Yes. What this option enables is to allow IPA master to become 'trust > agent' which means SSSD on that master will be able to use cross-forest > trust credentials to talk to AD for user/group information and > authentication purposes. It does not allow that master to *manage* the > trust itself. > >> >> Rob Verduijn >> >> 2016-01-25 12:41 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: >>> >>> On Mon, 25 Jan 2016, Rob Verduijn wrote: >>>> >>>> >>>> Hi all, >>>> >>>> When you have an ipa 4.2 server with an one way trust to the ad. >>>> What steps are needed to install a second ipa master that also has a >>>> one way trust to the ad ? >>> >>> >>> Depends on what you want to achieve. >>> >>> If you want second IPA master to be able to resolve AD users, just >>> install the master and run 'ipa-adtrust-install --add-agents' on the >>> *first* master. This will prompt you to be asked on adding the second >>> master to the list of hosts allowed to use cross-forest trust >>> credentials. >>> >>> If you want to use the second IPA master to *manage* trust, you'd need >>> to run 'ipa-adtrust-install' on the it. No need to specify >>> '--add-agents' because the master where 'ipa-adtrust-install' is being >>> run will be automatically added to the list. >>> -- >>> / Alexander Bokovoy >> >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > > > -- > / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Default shell for AD-domain accounts
Maybe the difference was that I used a fresh demo installation from windows 2012r2 server. I only added the ad-controller, dns and ntp functionality for testing. (and all the patches...which literaly takes a day to complete on a system with 4 cores and 4G ram) I also found out that dnsseq is not default, so I disabled dnsseq validation on the ipa server in the named.conf. Because this already cost me a day's work debugging and not to mention lack of knowledge on how to do this in ad. Minor side note, according to : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings In the dns verification checks it tells you to verify the kerberos udp record dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com. This yields no response There is no udp record in the ad , but there is a tcp record. dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com. This gives a response I also validated the trust on the AD side, I'm not sure this is needed. After doing this I can issue the command : 'id AD.DOMAIN\\ADUSER' and I get a response telling me the uid/gid/ad-id/ad-group etc. Rob Verduijn 2016-01-25 9:24 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: > On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote: >> Hi, >> >> H microsoft removes the UI, but leaves the schema extension. >> Does not really make sense, but after some googling this does seem to >> be the case. >> >> Your comment made me check google with some different keywords and I >> found that there was this irritation that was solved by somebody. (at >> microsoft) >> >> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx >> >> That explains why modifying the loginShell attribute did not work. >> >> I put the 'ldap_user_shell=msSFU30LoginShell' in the >> [domain/ipadomain] section from sssd.conf. >> This is required I guess on all ipa-clients that AD-accounts get access to. > > Hmm, is this really required? The thing is that the IPA clients get > their information through an extended operation and it's the SSSD on the > IPA server that does the heavy lifting and just passes the info to the > clients. > > I'll try to find some time later to test this.. > >> >> And now all users seem to get the /bin/bash that can be set in the >> AD-user attribute loginShell >> >> ( glad to see the keep their camel case in sync everywhere in the AD ) >> >> Thanks for thinking along on this one. >> Rob Verduijn >> >> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: >> > >> >> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verdu...@gmail.com> wrote: >> >> >> >> Hello, >> >> >> >> I'm trying to get an ipa server to trust a microsoft AD-domain. >> >> >> >> So far I've managed to get the trust to work and I can login with an >> >> active directory user on the ipa clients. >> >> >> >> Now I see the default shell is set to /bin/sh. >> >> Since the preffered shel is bash for me I wish to change this. >> >> It doesn't help to set this in the ipa server config since these >> >> accounts are external ms accounts. >> >> >> >> In the goog old days we used to have posix attributes schemas in the >> >> AD one of them being the shell. >> >> >> >> Sadly this is a thing of the past. >> > >> > >> > Are you referring to IMU being deprecated? IIRC the attributes should >> > work..even though MS is deprecating the UI.. >> > >> > Alternatively, since the clients read the ID info via the server, >> > overrinding the shell in IPA server's sssd.conf should work as well. >> > >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html >> >> >> >> How do I define a new default shell for all ms-AD accounts in ipa ? >> >> >> >> Cheers >> >> Rob Verduijn >> >> >> >> -- >> >> Manage your subscription for the Freeipa-users mailing list: >> >> https://www.redhat.com/mailman/listinfo/freeipa-users >> >> Go to http://freeipa.org for more info on the project >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] multimaster ad one way trust setup
Hi all, When you have an ipa 4.2 server with an one way trust to the ad. What steps are needed to install a second ipa master that also has a one way trust to the ad ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Default shell for AD-domain accounts
Hello, I'm trying to get an ipa server to trust a microsoft AD-domain. So far I've managed to get the trust to work and I can login with an active directory user on the ipa clients. Now I see the default shell is set to /bin/sh. Since the preffered shel is bash for me I wish to change this. It doesn't help to set this in the ipa server config since these accounts are external ms accounts. In the goog old days we used to have posix attributes schemas in the AD one of them being the shell. Sadly this is a thing of the past. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html How do I define a new default shell for all ms-AD accounts in ipa ? Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Default shell for AD-domain accounts
Doing this on a per user basis is nice when you have only a few users. Since I expect this to become a source of frustration in the future for new users., is there any way to automate this with a workaround ? ie somehow pull the groups from the ad and automagically create the user view override ? Cheers Rob Verduijn 2016-01-24 15:40 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: > On Sun, 24 Jan 2016, Rob Verduijn wrote: >> >> Hello, >> >> I'm trying to get an ipa server to trust a microsoft AD-domain. >> >> So far I've managed to get the trust to work and I can login with an >> active directory user on the ipa clients. >> >> Now I see the default shell is set to /bin/sh. >> Since the preffered shel is bash for me I wish to change this. >> It doesn't help to set this in the ipa server config since these >> accounts are external ms accounts. >> >> In the goog old days we used to have posix attributes schemas in the >> AD one of them being the shell. >> >> Sadly this is a thing of the past. >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html >> >> How do I define a new default shell for all ms-AD accounts in ipa ? > > You can use ID overrides per user to add shell override. > > We don't have templated overrides, though, so these are individual, per > user. > -- > / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Default shell for AD-domain accounts
Hi, H microsoft removes the UI, but leaves the schema extension. Does not really make sense, but after some googling this does seem to be the case. Your comment made me check google with some different keywords and I found that there was this irritation that was solved by somebody. (at microsoft) http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx That explains why modifying the loginShell attribute did not work. I put the 'ldap_user_shell=msSFU30LoginShell' in the [domain/ipadomain] section from sssd.conf. This is required I guess on all ipa-clients that AD-accounts get access to. And now all users seem to get the /bin/bash that can be set in the AD-user attribute loginShell ( glad to see the keep their camel case in sync everywhere in the AD ) Thanks for thinking along on this one. Rob Verduijn 2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhro...@redhat.com>: > >> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verdu...@gmail.com> wrote: >> >> Hello, >> >> I'm trying to get an ipa server to trust a microsoft AD-domain. >> >> So far I've managed to get the trust to work and I can login with an >> active directory user on the ipa clients. >> >> Now I see the default shell is set to /bin/sh. >> Since the preffered shel is bash for me I wish to change this. >> It doesn't help to set this in the ipa server config since these >> accounts are external ms accounts. >> >> In the goog old days we used to have posix attributes schemas in the >> AD one of them being the shell. >> >> Sadly this is a thing of the past. > > > Are you referring to IMU being deprecated? IIRC the attributes should > work..even though MS is deprecating the UI.. > > Alternatively, since the clients read the ID info via the server, overrinding > the shell in IPA server's sssd.conf should work as well. > >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html >> >> How do I define a new default shell for all ms-AD accounts in ipa ? >> >> Cheers >> Rob Verduijn >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] service account for ovirt
Hello, I've tested the solution you suggested it doesnt work I think ovirt-engine looks for the other users in the same context as the bind user, it will ofcourse find not many there, I can't get the seconf option with the keytab to work. So I'm stuck with the full blown user account for this. Here's what I did : The ovirt os is centos 6 x86_64 All the latest patches have been applied. It can be a member of the freeipa domain but this is not required for the ovirt-freeipa authentication to work. personally I think its nice to have the ovirt machine under freeipa supervision as wel. the freeipa os is centos7 x*6_64 All the latest patches have been applied. The ovirt environment is configured, up and running. There are two ways of single sign on for ovirt. see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html This howto is for the first option you require a search account in the freeipa domain. add a user account to the freeipa domain login with that account so it asks you to set a new password for it then reset the experation date for the password to somewhere in the far future with the procedure below # # Add the search account for ovirt to the freeipa domain. # # executed these commands on the freeipa server as root. # # first set the variables export SUFFIX='dc=example,dc=com' export OVIRT_SERVER=ovirt.example.com export FREEIPA_DOMAIN=EXAMPLE.COM export USERNAME=ovirt export YOUR_PASSWORD='top_secret_random_very_long_password' # create an ldif file cat > resetexperation.ldif << EOF dn: uid=$USERNAME,cn=users,cn=accounts,$SUFFIX changetype: modify replace: krbpasswordexpiration krbpasswordexpiration: 20380119031407Z EOF # apply the ldif file # the password requested is the directory admin password, this is NOT the same account as the freeipa admin ldapmodify -x -D "cn=directory manager" -W -vv -f resetexperation.ldif # for the second option also : # add the service for http to freeipa kinit admin ipa service-add HTTP/$OVIRT_SERVER@$FREEIPA_DOMAIN # # The following commands are executed as root on the ovirt-engine machine. # This is the example that allows single sign on from the portal to the vm's # Assuming the forementioned bindaccount exists in the freeipa domain # # # first install the required package : # yum install -y ovirt-engine-extension-aaa-ldap # # create the ovirt configuration files # examples can be found here : # /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. # mkdir /etc/ovirt-engine/aaa mkdir /etc/ovirt-engine/extenstions.d # # set the vars again ( exports do not work between vm's) # export SUFFIX='dc=example,dc=com' export YOUR_PASSWORD='top_secret_random_very_long_password' export FREEIPA_SERVER=freeipa.example.com export PROFILE_NAME=profile1 # # create the config files # cat > /etc/ovirt-engine/aaa/$PROFILE_NAME.properties << EOF include = vars.server = $FREEIPA_SERVER vars.user = uid=ovirt,cn=users,cn=accounts,$SUFFIX vars.password = $YOUR_PASSWORD pool.default.serverset.single.server = \${global:vars.server} pool.default.auth.simple.bindDN = \${global:vars.user} pool.default.auth.simple.password = \${global:vars.password} EOF cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authz.properties << EOF ovirt.engine.extension.name = $PROFILE_NAME-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = ../aaa/$PROFILE_NAME.properties EOF cat > /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties << EOF ovirt.engine.extension.name = $PROFILE_NAME-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name = $PROFILE_NAME ovirt.engine.aaa.authn.authz.plugin = $PROFILE_NAME-authz config.profile.file.1 = ../aaa/$PROFILE_NAME.properties EOF # # change owner and permissions of the profile file # chown ovirt:ovirt /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties chmod 400 /etc/ovirt-engine/extensions.d/$PROFILE_NAME-authn.properties # # restart the ovirt engine # service ovirt-engine restart # # done you can now add freeipa users to the rhevm portal in the users menu # after the users have been added you can assign permissions for them on the vm's # Cheers Rob Verduijn 2015-11-18 20:34 GMT+01:00 Martin Kosek <mko...@redhat.com>: > On 11/18/2015 04:27 PM, Rob Verduijn wrote: >> >> 2015-11
Re: [Freeipa-users] service account for ovirt
2015-11-18 15:51 GMT+01:00 Martin Kosek <mko...@redhat.com>: > On 11/18/2015 08:23 AM, Rob Verduijn wrote: >> Hello all, >> >> I've read a lot regarding service accounts on this mailinglist in the past. >> But it's rather unclear to me what is the current preffered method to >> create a service account for a service running on a different machine. >> >> In this case it would be a service account for ovirt so that freeipa >> users can authenticate in the ovirt portal using their freeipa >> credentials. > > It sounds like that you do not want system user account, but you are OK with > service account so that you can get a keytab for your oVirt instance. In that > case, simple > > $ ipa service-add HTTP/frontend.ovirt.test > and > $ ipa-getkeytab ... > should be enough, right? > > Maybe I just do not understand the use case. > >> I could ofcourse create an account and then apply a ldf to set its >> password expiration to the next millennium to make sure the password >> does not expire. >> >> Anybody who has a good suggestion on how to deal with this ? >> >> Cheers >> Rob Verduijn >> > Hello, I think some more context should clear this up a bit. according to the rhev administrator guide: (ovirt referes to rhev manuals a lot) https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html It talks about two options as a single sign on solution. On have the single sign on work for the portal, but then it won't work for the vm's. ( something about not being able to pass a password since the portal won't have one to pass ) Or have the single sign on work for the vm's but than you have to sign in to the portal so it can pass on your credentials to the vm's. I guess there is some interesting technical challenge to deal with to merge those two cases. The first option requires privileges to browse the freeipa directory to look for user accounts. I do not know if that can be solved with something as simple as a keytab and a pricipal. My current working solution is an account with a very long password experation time in the freeipa directory ( a random 32 character/number password is being used for this ) However something tells me that there is a more elegant solution. And I was wondering if anyone knows one. Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] service account for ovirt
Hello all, I've read a lot regarding service accounts on this mailinglist in the past. But it's rather unclear to me what is the current preffered method to create a service account for a service running on a different machine. In this case it would be a service account for ovirt so that freeipa users can authenticate in the ovirt portal using their freeipa credentials. I could ofcourse create an account and then apply a ldf to set its password expiration to the next millennium to make sure the password does not expire. Anybody who has a good suggestion on how to deal with this ? Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?
2015-10-30 20:14 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Rob Verduijn wrote: >> Hello all, >> >> It has been a while since I asked this before. >> >> Multitenancy was put in the freezer back then in favor of this nice project : >> https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2 >> Darn...I failed to pay attention a little and suddenly 1.1.1 is >> peeking around the corner already. >> >> Now that ipsilon has reached 1.0.0, is there a change regarding the >> possibility for multitenancy ? >> http://www.freeipa.org/page/V3/Multitenancy > > I'm not sure how Ipsilon releases and IPA multitenancy are inter-related. > > rob > The answer from Dimitri in this mailthread from some time ago is why I thought so. https://www.redhat.com/archives/freeipa-users/2015-February/msg00339.html Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] could anybody give an update on the multitenancy status for freeipa ?
Hello all, It has been a while since I asked this before. Multitenancy was put in the freezer back then in favor of this nice project : https://fedorahosted.org/ipsilon/wiki/Releases/v1.0.0 e 1.0.2 Darn...I failed to pay attention a little and suddenly 1.1.1 is peeking around the corner already. Now that ipsilon has reached 1.0.0, is there a change regarding the possibility for multitenancy ? http://www.freeipa.org/page/V3/Multitenancy Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] certificate alert
Hello, Is there an easy way to get alerts for soon to expire certificates in freeipa ? Because the day you forget to do the checks via the gui or cli is the day you will be regretting. Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] indirect automount offsets
Hello, It indeed works --key=* --info='/ -rw nfs.example.com:/homes/ /subdir -rw nfs2.example.com:/subdir' however the directory is not mounted. I know it works because when running automount in debug mode I see mounted nfs.example.com:/homes/test on /home/test and then it tries to mount the subdir do_mount_autofs_offset: mount offset /home/test/subdir at /home/test however it fails with the error mount_autofs_offset: can't create mount directory: /home/test/subdir, Permission denied failed to mount offset as a test I set an acl on the /exports/homes dir on the fileserver. setfacl -R -m other:rwx /exports/homes setfacl -R -m d:other:rwx /eports/homes and created the mountpoint in the home directory (it failed when it does not exist do to root squash I guess) mkdir /exports/homes/test/subdir and the offset subdir mount is mounted by autofs on the client. any ideas on how to set the privileges in such a way that not everybody requires access to the exports ? Rob Verduijn 2015-04-16 5:36 GMT+02:00 Rob Crittenden rcrit...@redhat.com: Rob Verduijn wrote: Hello, I'm trying to figure out how to use automounts in freeipa with offsets. currently I have this: the default location containing 3 maps auto.direct auto.home auto.master auto.direct is empty auto.home contains: key : * mount information : -rw nfs.example.com:/homes/ auto.master contains key : /- mount-information : auto.direct key: /home mount information : auto.home in autofs file this would be : auto.master : /- /etc/auto.direct /home /etc/auto.home and auto.home would contain: test -rw nfs.example.com:/homes/ now I would like to do the automount indirect offset like this : test / -rw nfs.example.com:/homes/test \ /newfolder nfs2.example.com:/newfolder \ /anotherfolder nfs3.example.com:/anotherfolder \ /anotherfolder/2deep nfs4.example.com:/2deep which would automount the newfolder like this : /home/test/newfolder and anotherfolder like this /home/test/anotherfolder and 2deep like this /home/test/anotherfolder/2deep is this possible in freeipa ? Rob If it's possible with LDAP-stored autofs it should be possible with IPA. I've typically used much simpler configurations with automount. Theoreticaly it should work just the way you'd set it in a file, as you've posted. Did you try it? You'd set --key=test --info='/ -rw ...' rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] indirect automount offsets
Hello, I'm trying to figure out how to use automounts in freeipa with offsets. currently I have this: the default location containing 3 maps auto.direct auto.home auto.master auto.direct is empty auto.home contains: key : * mount information : -rw nfs.example.com:/homes/ auto.master contains key : /- mount-information : auto.direct key: /home mount information : auto.home in autofs file this would be : auto.master : /- /etc/auto.direct /home /etc/auto.home and auto.home would contain: test -rw nfs.example.com:/homes/ now I would like to do the automount indirect offset like this : test / -rw nfs.example.com:/homes/test \ /newfolder nfs2.example.com:/newfolder \ /anotherfolder nfs3.example.com:/anotherfolder \ /anotherfolder/2deep nfs4.example.com:/2deep which would automount the newfolder like this : /home/test/newfolder and anotherfolder like this /home/test/anotherfolder and 2deep like this /home/test/anotherfolder/2deep is this possible in freeipa ? Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] OTP and cached credentials
For which sssd release is this feature targetted ? Rob Verduijn 2015-03-12 23:26 GMT+01:00 Dmitri Pal d...@redhat.com: On 03/12/2015 04:59 PM, Jakub Hrozek wrote: On 12 Mar 2015, at 21:32, Rob Verduijn rob.verdu...@gmail.com wrote: Hello, I was looking into otp authentication and found some articles on how to enable this in freeipa. I can't seem to figure out how this is going to deal with cashed credentials on a laptop that is not able to connect the ipa server. How is this going to work out when 'native OTP' is being used ? I'm sorry, but currently it doesn't as with the current (sssd-1.12.x) version we treat the long and one-time part as a single blob, so we can't cache it. In the next version, we'll work on prompting for and handling the short and long term parts of the authtok separately, so we'll be able to cache credentials. Yes. Please do not use current version for laptops. See the warning: https://access.redhat.com/documentation/en-US/Red_Hat_ Enterprise_Linux/7/html-single/System-Level_Authentication_Guide/index. html#otp -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] OTP and cached credentials
Hello, I was looking into otp authentication and found some articles on how to enable this in freeipa. I can't seem to figure out how this is going to deal with cashed credentials on a laptop that is not able to connect the ipa server. How is this going to work out when 'native OTP' is being used ? Or with a radius proxy ? Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] multi-tenancy status
Now that sounds like an interesting project :-) besides the following links any other places where I can read up about it ? https://fedorahosted.org/ipsilon/ http://www.freeipa.org/page/Web_App_Authentication http://en.wikipedia.org/wiki/Identity_provider http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Cheers Rob 2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com: On 02/24/2015 12:34 PM, Rob Verduijn wrote: Hello, I'm interested in setting up ipa with multiple tenancies. However I can only find this document about the subject: http://www.freeipa.org/page/V3/Multitenancy What is the status of the implementation of multiple tenancies. Unscheduled. Too much work to implement as proposed. We will go with IPA to IPA trusts and SAML based federation (project Ipsilon) first. Cheers Rob Verduijn -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] multi-tenancy status
Thanx, That all sounds very interesting, I've got some reading up to do. I'm going to point this out to some people :-) Rob 2015-02-24 20:55 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Rob Verduijn wrote: Now that sounds like an interesting project :-) besides the following links any other places where I can read up about it ? https://fedorahosted.org/ipsilon/ http://www.freeipa.org/page/Web_App_Authentication http://en.wikipedia.org/wiki/Identity_provider http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language For more details on SAML2 than you'll even want, see https://wiki.oasis-open.org/security/FrontPage mod_auth_mellon is an SP for Apache that is compatible with Ipsilon. There is also https://shibboleth.net/ Devs hang out in #ipsilon on freenode Ipsilon will be one of the changes in F-22: http://fedoraproject.org/wiki/Releases/22/ChangeSet#Ipsilon A test day is planned for March 12 (assuming approved by FESCO). rob Cheers Rob 2015-02-24 19:48 GMT+01:00 Dmitri Pal d...@redhat.com mailto:d...@redhat.com: On 02/24/2015 12:34 PM, Rob Verduijn wrote: Hello, I'm interested in setting up ipa with multiple tenancies. However I can only find this document about the subject: http://www.freeipa.org/page/V3/Multitenancy What is the status of the implementation of multiple tenancies. Unscheduled. Too much work to implement as proposed. We will go with IPA to IPA trusts and SAML based federation (project Ipsilon) first. Cheers Rob Verduijn -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] multi-tenancy status
Hello, I'm interested in setting up ipa with multiple tenancies. However I can only find this document about the subject: http://www.freeipa.org/page/V3/Multitenancy What is the status of the implementation of multiple tenancies. Cheers Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] DS failed after upgrade
Hi all, Either I was to worn out last night, or another update has happened. This morning the directory server did start after the update. local dns zones however where not available again after the update ipa-ldap-updater did not help to fix it. The are again only 7 DNS aci objects are still in the ds.( same as before when it failed ) I also noticed that there are also quite a lot lower case dns aci objects. Rob 2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com: Changed subject. Rob CCed On 07/11/14 09:52, Martin Basti wrote: Forward message back to list Original Message Subject: Re: [Freeipa-users] dns stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com To: Martin Basti mba...@redhat.com mba...@redhat.com Hi again, I tried the update to 4.1.1 It didn't went well, actually it went worse than to 4.1. Now the directory service went down and was no longer able to start. Some part of the logs is below. Besides the warnings about a weak cipher there was not much in the journalctl. It's getting late overhere, I'll dig into the logs tomorrow. Rob Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory Server TJAKO-THUIS Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory Server TJAKO-THUIS.. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please replace the value of allowWeakCipher with off in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring fortezza_rc4_128_sha Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.17. Ignoring fortezza_null Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled since allowWeakCipher is on (default setting for the backward compatibility). We strongly recommend to set it to off. Please
Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)
Hello, Yes this time there are This section : 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config SNIP 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'} 2014-11-07T13:10:03Z ERROR Update failed: Operations error: and this one 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis snip 2014-11-07T13:10:18Z ERROR Add failure and this one: (but since I do not have AD it's kinda logical) 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis snip 2014-11-07T13:10:19Z ERROR Upgrade failed with 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py, line 152, in __upgrade self.modified = (ld.update(self.files, ordered=True) or File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 874, in update updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 123, in update (restart, apply_now, res) = self.run(update.name, **kw) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 146, in run return self.Updater[method](**kw) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1399, in __call__ return self.execute(**options) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py, line 89, in execute api.Command.dnszone_mod(zone[u'idnsname'][0], **update) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 754, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 2528, in execute result = super(dnszone_mod, self).execute(*keys, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1385, in execute dn = self.obj.get_dn(*keys, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 1784, in get_dn assert zone.is_absolute() AssertionError snip 2014-11-07T13:10:23Z ERROR IPA upgrade failed. 2014-11-07T13:10:23Z DEBUG File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute return_value = self.run() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py, line 151, in run raise admintool.ScriptError('IPA upgrade failed.', 1) 2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed. 2014-11-07T13:10:23Z ERROR IPA upgrade failed. 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True} 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20 and another 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config snip 2014-11-07T13:10:03Z DEBUG Live 1, updated 1 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'} 2014-11-07T13:10:03Z ERROR Update failed: Operations error: That's it Rob 2014-11-07 13:56 GMT+01:00 Martin Basti mba...@redhat.com: On 07/11/14 13:52, Rob Verduijn wrote: Hi all, Either I was to worn out last night, or another update has happened. This morning the directory server did start after the update. local dns zones however where not available again after the update ipa-ldap-updater did not help to fix it. The are again only 7 DNS aci objects are still in the ds.( same as before when it failed ) I also noticed that there are also quite a lot lower case dns aci objects. Rob Hi, do you have any errors in /var/log/ipaupgrade.log ? 2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com: Changed subject. Rob CCed On 07/11/14 09:52, Martin Basti wrote: Forward message back to list Original Message Subject: Re: [Freeipa-users] dns stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com To: Martin Basti mba...@redhat.com mba...@redhat.com Hi again, I tried the update to 4.1.1 It didn't went well, actually it went worse than to 4.1. Now the directory service went down and was no longer able to start. Some part of the logs is below. Besides the warnings about a weak cipher there was not much in the journalctl. It's getting late overhere, I'll dig into the logs tomorrow. Rob Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory Server TJAKO-THUIS Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory Server TJAKO-THUIS.. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100
Re: [Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)
Yup that solved it. Everything looks ok now :-) Thank you for you great effort. Rob 2014-11-07 14:55 GMT+01:00 Martin Basti mba...@redhat.com: On 07/11/14 14:26, Rob Verduijn wrote: Hello, Yes this time there are This section : 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config SNIP 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'} 2014-11-07T13:10:03Z ERROR Update failed: Operations error: and this one 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis snip 2014-11-07T13:10:18Z ERROR Add failure Known issues and this one: (but since I do not have AD it's kinda logical) 2014-11-07T13:10:18Z INFO New entry: cn=ADTrust Agents,cn=privileges,cn=pbac,dc=tjako,dc=thuis snip 2014-11-07T13:10:19Z ERROR Upgrade failed with 2014-11-07T13:10:19Z DEBUG Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py, line 152, in __upgrade self.modified = (ld.update(self.files, ordered=True) or File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 874, in update updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 123, in update (restart, apply_now, res) = self.run(update.name, **kw) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 146, in run return self.Updater[method](**kw) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 1399, in __call__ return self.execute(**options) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py, line 89, in execute api.Command.dnszone_mod(zone[u'idnsname'][0], **update) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 439, in __call__ ret = self.run(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 754, in run return self.execute(*args, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 2528, in execute result = super(dnszone_mod, self).execute(*keys, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py, line 1385, in execute dn = self.obj.get_dn(*keys, **options) File /usr/lib/python2.7/site-packages/ipalib/plugins/dns.py, line 1784, in get_dn assert zone.is_absolute() AssertionError This is the problem, it is new bug. The workaround is replace the code in: /usr/lib/python2.7/site-packages/ipaserver/install/plugins/dns.py:68 - zones = api.Command.dnszone_find(all=True)['result'] + zones = api.Command.dnszone_find(all=True, raw=True)['result'] (I didn't test it) and run ipa-ldap-updater --upgrade Thank you for patience. snip 2014-11-07T13:10:23Z ERROR IPA upgrade failed. 2014-11-07T13:10:23Z DEBUG File /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in execute return_value = self.run() File /usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py, line 151, in run raise admintool.ScriptError('IPA upgrade failed.', 1) 2014-11-07T13:10:23Z DEBUG The ipa-ldap-updater command failed, exception: ScriptError: IPA upgrade failed. 2014-11-07T13:10:23Z ERROR IPA upgrade failed. 2014-11-07T13:10:23Z DEBUG /usr/sbin/ipa-upgradeconfig was invoked with options: {'debug': False, 'quiet': True} 2014-11-07T13:10:23Z DEBUG IPA version 4.1.1-1.fc20 and another 2014-11-07T13:10:03Z INFO Updating existing entry: cn=referential integrity postoperation,cn=plugins,cn=config snip 2014-11-07T13:10:03Z DEBUG Live 1, updated 1 2014-11-07T13:10:03Z DEBUG Unhandled LDAPError: OPERATIONS_ERROR: {'desc': 'Operations error'} 2014-11-07T13:10:03Z ERROR Update failed: Operations error: That's it Rob 2014-11-07 13:56 GMT+01:00 Martin Basti mba...@redhat.com: On 07/11/14 13:52, Rob Verduijn wrote: Hi all, Either I was to worn out last night, or another update has happened. This morning the directory server did start after the update. local dns zones however where not available again after the update ipa-ldap-updater did not help to fix it. The are again only 7 DNS aci objects are still in the ds.( same as before when it failed ) I also noticed that there are also quite a lot lower case dns aci objects. Rob Hi, do you have any errors in /var/log/ipaupgrade.log ? 2014-11-07 10:25 GMT+01:00 Martin Basti mba...@redhat.com: Changed subject. Rob CCed On 07/11/14 09:52, Martin Basti wrote: Forward message back to list Original Message Subject: Re: [Freeipa-users] dns stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob Verduijn rob.verdu...@gmail.com rob.verdu...@gmail.com To: Martin Basti mba
[Freeipa-users] missing package in 4.1.1 repo
Hi, There is a dependency error in the updated repo. I did a yum clean all then a yum update. I got this error: Error: Package: freeipa-server-4.1.1-1.fc20.x86_64 (mkosek-freeipa) Requires: slapi-nis = 0.54.1-1 Removing: slapi-nis-0.52-1.fc20.x86_64 (@private.updates) slapi-nis = 0.52-1.fc20 Updated By: slapi-nis-0.54-1.fc20.x86_64 (mkosek-freeipa) slapi-nis = 0.54-1.fc20 Available: slapi-nis-0.50-1.fc20.x86_64 (fedora) slapi-nis = 0.50-1.fc20 yum list --show-duplicates slapi-nis Installed Packages slapi-nis.x86_64 0.54-1.fc20 @mkosek-freeipa Available Packages slapi-nis.x86_64 0.50-1.fc20 private.base slapi-nis.x86_64 0.52-1.fc20 private.updates slapi-nis.x86_64 0.54-1.fc20 mkosek-freeipa there is no 0.54.1-1.fc20 version of slapi-nis Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello again, I don't know about foreman upstream, the current version that I am using included in the katello installation is 1.6 And the foreman manpage still requires the configuration of the realm-smart-proxy. http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm About the snapshot: I removed all the katello entries from my current freeipa installation ( I peeked in the script to see what it did ) - user (foreman-realm) - role (Smart Host Proxy Manager) - privilege (Smart Host Proxy Management) - 3 custom permissions ( modify host password, write host certificate, modify host userclass ) applied the update to freeipa 4.1. my local dns zones did not resolv again running the ipa-ldap-updater did not fix it So I guess that it is not due to the katello integration or the realm-smart-proxy script. Rob 2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 17:15, Rob Verduijn wrote: The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few o thef permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege. I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5. After downgrading I learned that it did not work due to a bug in a ruby script. (fixed by commenting out line 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ) After which I tried the upgrade again. regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart I did look again using the kredentials as mentioned in step 4. and saw only 3 objects (1x idnsConfigObject 2x nsContainer) When using admin credentials I saw all the dns zone entries. I can see the zone entries in the ipa gui. Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) Anyway, back to your DNS problem. Did it worked before you installed Foreman proxy? Or not? I.e. is it working when you revert the snapshot? Do you have other replicas in the replication topology? Please keep in mind that changes in LDAP (including changes to permissions) are replicated so reverting one VM and not others is not necessarily enough. Petr^2 Spacek 2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 15:27, Rob Verduijn wrote: Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm , certs, otp,dns all working great. however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa. It would be nice if you could get tell us more details about the problem you had with Katello, AFAIK we are not aware of any. And now the named-pkcs11 again does not see my internal zones. This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with DNS principal? Can you see the objects in IPA web UI or CLI? If it is the case then we will need help from LDAP ACI expert (pviktori? :-). Petr^2 Spacek The command 'ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it. and the command 'ipa-ldap-updater' didn't fix it either. So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it) Any ideas anyone ? Rob 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I've tested the update again. The bind-utils conflict is still there when I issue yum update freeipa-server ( as indicated on the freeipa 4.1 download page http://www.freeipa.org/page/Downloads#Upgrading ) 'yum update' works fine My internal zones didn't resolv after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolv again :-) Cheers Rob 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 16:46, Rob Verduijn wrote: Hello, # ipa-ldap
Re: [Freeipa-users] dns stops working after upgrade
Hello, I use only a single freeipa server (so no replica to bother) Internal zones worked before the update After the update, internal zones no longer worked. After reverting back the snapshot the internal zones worked again, no additional actions were needed. Rob 2014-11-05 16:11 GMT+01:00 Petr Spacek pspa...@redhat.com: Hello, Rob V., you did not answered to my question when DNS worked for you last time. Did it work right after reverting the snapshot? Petr^2 Spacek On 5.11.2014 16:09, Rob Verduijn wrote: Hello again, I don't know about foreman upstream, the current version that I am using included in the katello installation is 1.6 And the foreman manpage still requires the configuration of the realm-smart-proxy. http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm About the snapshot: I removed all the katello entries from my current freeipa installation ( I peeked in the script to see what it did ) - user (foreman-realm) - role (Smart Host Proxy Manager) - privilege (Smart Host Proxy Management) - 3 custom permissions ( modify host password, write host certificate, modify host userclass ) applied the update to freeipa 4.1. my local dns zones did not resolv again running the ipa-ldap-updater did not fix it So I guess that it is not due to the katello integration or the realm-smart-proxy script. Rob 2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 17:15, Rob Verduijn wrote: The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few o thef permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege. I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5. After downgrading I learned that it did not work due to a bug in a ruby script. (fixed by commenting out line 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ) After which I tried the upgrade again. regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart I did look again using the kredentials as mentioned in step 4. and saw only 3 objects (1x idnsConfigObject 2x nsContainer) When using admin credentials I saw all the dns zone entries. I can see the zone entries in the ipa gui. Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) Anyway, back to your DNS problem. Did it worked before you installed Foreman proxy? Or not? I.e. is it working when you revert the snapshot? Do you have other replicas in the replication topology? Please keep in mind that changes in LDAP (including changes to permissions) are replicated so reverting one VM and not others is not necessarily enough. Petr^2 Spacek 2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 15:27, Rob Verduijn wrote: Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm , certs, otp,dns all working great. however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa. It would be nice if you could get tell us more details about the problem you had with Katello, AFAIK we are not aware of any. And now the named-pkcs11 again does not see my internal zones. This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with DNS principal? Can you see the objects in IPA web UI or CLI? If it is the case then we will need help from LDAP ACI expert (pviktori? :-). Petr^2 Spacek The command 'ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it. and the command 'ipa-ldap-updater' didn't fix it either. So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it) Any ideas anyone ? Rob 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I've tested the update again. The bind-utils conflict
Re: [Freeipa-users] dns stops working after upgrade
Hello, Yes I noticed the name change it took me a while to realise it was a known ruby bug in katello that caused the real problem. I also checked after I updated the 'katello integrated' update from 3.3.5 to 4.1 and the permissions were neatly renamed to their new counterparts. However the internal dns no longer worked :( Rob 2014-11-05 16:17 GMT+01:00 Stephen Benjamin step...@redhat.com: On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote: Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) I believe he's referring to the native smart proxy here. It includes a script to setup permissions. I guess it hasn't been tested against a 4.x IPA master. The permissions have changed names in FreeIPA 4.0, which means the script won't work. I've tested this one against 4.1 on F21 and it works: https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm There's an open pull request against foreman's Smart Proxy to include that in the next release: https://github.com/theforeman/smart-proxy/pull/231 -- Stephen Benjamin __ Red Hat GmbH | http://de.redhat.com/ | Sitz: Grasbrunn Handelsregister: Amtsgericht München, HRB 153243 Geschäftsführer: Charles Cachera, Michael Cunningham, Michael O'Neill, Charles Peters -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Great news about the script. I will as soon as I get the upgrade to 4.1 to work with internal dns support. yup 12 default permissions + 3 custom permissions in the smart-host-proxy-management privilege I guessed I leave those 12 default permissions since I expect it might break things when I remove those :P Rob 2014-11-05 16:20 GMT+01:00 Stephen Benjamin step...@redhat.com: On Wed, Nov 05, 2014 at 04:09:18PM +0100, Rob Verduijn wrote: Hello again, I don't know about foreman upstream, the current version that I am using included in the katello installation is 1.6 And the foreman manpage still requires the configuration of the realm-smart-proxy. http://www.theforeman.org/manuals/1.6/index.html#4.3.9Realm About the snapshot: I removed all the katello entries from my current freeipa installation ( I peeked in the script to see what it did ) - user (foreman-realm) - role (Smart Host Proxy Manager) - privilege (Smart Host Proxy Management) - 3 custom permissions ( modify host password, write host certificate, modify host userclass ) applied the update to freeipa 4.1. my local dns zones did not resolv again running the ipa-ldap-updater did not fix it It's more like 12 permissions for that privilege, the complaints of missing permissions you saw is because they've changed names in FreeIPA 4, you can try this script instead: https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/sbin/foreman-prepare-realm So I guess that it is not due to the katello integration or the realm-smart-proxy script. Rob 2014-11-05 14:39 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 17:15, Rob Verduijn wrote: The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few o thef permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege. I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5. After downgrading I learned that it did not work due to a bug in a ruby script. (fixed by commenting out line 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ) After which I tried the upgrade again. regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart I did look again using the kredentials as mentioned in step 4. and saw only 3 objects (1x idnsConfigObject 2x nsContainer) When using admin credentials I saw all the dns zone entries. I can see the zone entries in the ipa gui. Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) Anyway, back to your DNS problem. Did it worked before you installed Foreman proxy? Or not? I.e. is it working when you revert the snapshot? Do you have other replicas in the replication topology? Please keep in mind that changes in LDAP (including changes to permissions) are replicated so reverting one VM and not others is not necessarily enough. Petr^2 Spacek 2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 15:27, Rob Verduijn wrote: Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm , certs, otp,dns all working great. however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa. It would be nice if you could get tell us more details about the problem you had with Katello, AFAIK we are not aware of any. And now the named-pkcs11 again does not see my internal zones. This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with DNS principal? Can you see the objects in IPA web UI or CLI? If it is the case then we will need help from LDAP ACI expert (pviktori? :-). Petr^2 Spacek The command 'ipa-ldap-updater /usr/share/ipa/updates/55
Re: [Freeipa-users] dns stops working after upgrade
I saw in the upstream foreman-prepare-realm script that the new permission names should include a prefix System: That Prefix is not there, what did change was that some permissions where no longer lower case only. ie in 3.3.5 the permission is 'write dns configuration' and in 4.1 it becomes 'Write DNS Configuration' Rob 2014-11-05 16:25 GMT+01:00 Petr Spacek pspa...@redhat.com: On 5.11.2014 16:20, Rob Verduijn wrote: Hello, Yes I noticed the name change it took me a while to realise it was a known ruby bug in katello that caused the real problem. I also checked after I updated the 'katello integrated' update from 3.3.5 to 4.1 and the permissions were neatly renamed to their new counterparts. However the internal dns no longer worked :( So the permissions broke after upgrade to 4.1, right? pviktori, can you give us some advice? Thanks! Petr^2 Spacek Rob 2014-11-05 16:17 GMT+01:00 Stephen Benjamin step...@redhat.com: On Wed, Nov 05, 2014 at 09:41:59AM -0500, Rob Crittenden wrote: Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. AFAIK the foreman proxy is not necessary (and not supported) with IPA 4.x because it was obsoleted by 'native' proxy delivered by Foreman upstream. Am I right, Rob (Crittenden)? :-) I believe he's referring to the native smart proxy here. It includes a script to setup permissions. I guess it hasn't been tested against a 4.x IPA master. The permissions have changed names in FreeIPA 4.0, which means the script won't work. I've tested this one against 4.1 on F21 and it works: https://raw.githubusercontent.com/stbenjam/smart-proxy/8278/ sbin/foreman-prepare-realm There's an open pull request against foreman's Smart Proxy to include that in the next release: https://github.com/theforeman/smart-proxy/pull/231-- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm , certs, otp,dns all working great. however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa. And now the named-pkcs11 again does not see my internal zones. This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list The command 'ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it. and the command 'ipa-ldap-updater' didn't fix it either. So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it) Any ideas anyone ? Rob 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I've tested the update again. The bind-utils conflict is still there when I issue yum update freeipa-server ( as indicated on the freeipa 4.1 download page http://www.freeipa.org/page/Downloads#Upgrading ) 'yum update' works fine My internal zones didn't resolv after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolv again :-) Cheers Rob 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 16:46, Rob Verduijn wrote: Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolv my internal dns zones again:-) Many thanx. Since this problem happened every time I tried to update the freeipa server. I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script if you like. I have re-build some packages in mkosek's CORP so now you should not see encounter dependency problems. Simple 'yum upgrade' should give you all the required packages. We are looking at other problems in upgrade process right now so there is not much to test except package dependencies. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
The problem with 'foreman-prepare-realm' and freeipa was that it claimed that a few o thef permissions required did not exist when it tried to add them to the 'smart proxy host management' privilege. I think it was because the permissions were all in lower case without the 'System: ' prefix. This is just an assumption since I did not get to work even after adding them manually. So I figured to try it again after reverting back to 3.3.5. After downgrading I learned that it did not work due to a bug in a ruby script. (fixed by commenting out line 505-506 in /usr/share/ruby/xmlrpc/client.rb on the katello host, see https://bugs.ruby-lang.org/issues/8182 and https://bugzilla.redhat.com/show_bug.cgi?id=1071187 ) After which I tried the upgrade again. regarding https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart I did look again using the kredentials as mentioned in step 4. and saw only 3 objects (1x idnsConfigObject 2x nsContainer) When using admin credentials I saw all the dns zone entries. I can see the zone entries in the ipa gui. Also when I look at the permissions in ipa there are no longer any permissions that have the 'System: ' prefix. Rob 2014-11-04 15:52 GMT+01:00 Petr Spacek pspa...@redhat.com: On 4.11.2014 15:27, Rob Verduijn wrote: Hello again, I've managed to integrate my katello configuration with freeipa. Now I not only use freeipa authentication in katello but also when a host is defined in katello it automagically gets created in the freeipa realm , certs, otp,dns all working great. however, to obtain all this integration greatness I had to downgrade my freeipa to 3.3.5 again (revert snapshot) because the katello realm integration tool (foreman-prepare-realm) is not capable of dealing with 4.X versions of freeipa. It would be nice if you could get tell us more details about the problem you had with Katello, AFAIK we are not aware of any. And now the named-pkcs11 again does not see my internal zones. This page https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart thinks I should contact the freeipa-users list Do I understand correctly that you did all the steps 0-4 successfully and then you found out that you can't see DNS objects in LDAP (step 5) when using ldapsearch with DNS principal? Can you see the objects in IPA web UI or CLI? If it is the case then we will need help from LDAP ACI expert (pviktori? :-). Petr^2 Spacek The command 'ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update' didn't fix it. and the command 'ipa-ldap-updater' didn't fix it either. So I am now stuck at freeipa 3.3.5 again (with a working katello integration, so I got some mixed emotions about it) Any ideas anyone ? Rob 2014-10-29 22:14 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I've tested the update again. The bind-utils conflict is still there when I issue yum update freeipa-server ( as indicated on the freeipa 4.1 download page http://www.freeipa.org/page/Downloads#Upgrading ) 'yum update' works fine My internal zones didn't resolv after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolv again :-) Cheers Rob 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 16:46, Rob Verduijn wrote: Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolv my internal dns zones again:-) Many thanx. Since this problem happened every time I tried to update the freeipa server. I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script if you like. I have re-build some packages in mkosek's CORP so now you should not see encounter dependency problems. Simple 'yum upgrade' should give you all the required packages. We are looking at other problems in upgrade process right now so there is not much to test except package dependencies. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello, I've checked and I see a lot of objects representing my dns entries. Still I get no answers if i try to resolve any of them :( Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com: On 28.10.2014 18:42, Rob Verduijn wrote: before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com: On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? This problem is usually caused by broken IPA upgrade which destroys ACIs in LDAP which allow access to DNS sub-tree. Please follow instructions on: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5. NozonesfromLDAPareloaded ... and let us know if you are able to see idnsZone objects in LDAP or not. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
You're right duh I should read more carefully and not try to do to many things at once. when using the dns principal and keytab the entries are not found. How do i fix the access controll instructions ? I can revert back easely and try a different aproach for the upgrade if you know one (I really started to appreciate snapshots with this upgrade :-) Rob 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 14:32, Rob Verduijn wrote: I've checked and I see a lot of objects representing my dns entries. Still I get no answers if i try to resolve any of them :( Are you running ldapsearch with *exactly* same credentials as you have in /etc/named.conf? Could you post dynamic-db section from your named.conf? Petr^2 Spacek Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com: On 28.10.2014 18:42, Rob Verduijn wrote: before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com: On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? This problem is usually caused by broken IPA upgrade which destroys ACIs in LDAP which allow access to DNS sub-tree. Please follow instructions on: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5. NozonesfromLDAPareloaded ... and let us know if you are able to see idnsZone objects in LDAP or not. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolv my internal dns zones again :-) Many thanx. Since this problem happened every time I tried to update the freeipa server. I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script if you like. Rob 2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com: On 29/10/14 15:56, Martin Basti wrote: On 29/10/14 15:46, Rob Verduijn wrote: You're right duh I should read more carefully and not try to do to many things at once. when using the dns principal and keytab the entries are not found. How do i fix the access controll instructions ? I can revert back easely and try a different aproach for the upgrade if you know one (I really started to appreciate snapshots with this upgrade :-) Rob Please try first this: # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif It should repair privileges. Sorry I wrote you wrong file # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 14:32, Rob Verduijn wrote: I've checked and I see a lot of objects representing my dns entries. Still I get no answers if i try to resolve any of them :( Are you running ldapsearch with *exactly* same credentials as you have in /etc/named.conf? Could you post dynamic-db section from your named.conf? Petr^2 Spacek Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com: On 28.10.2014 18:42, Rob Verduijn wrote: before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com: On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? This problem is usually caused by broken IPA upgrade which destroys ACIs in LDAP which allow access to DNS sub-tree. Please follow instructions on: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5 . NozonesfromLDAPareloaded ... and let us know if you are able to see idnsZone objects in LDAP or not. -- Petr^2 Spacek -- Martin Basti -- Martin Basti -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello again, I jumped to early. # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't work but ipa-ldap-updater fixes the problem for me. Rob 2014-10-29 16:55 GMT+01:00 Martin Basti mba...@redhat.com: On 29/10/14 16:46, Rob Verduijn wrote: Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolv my internal dns zones again :-) Many thanx. Since this problem happened every time I tried to update the freeipa server. I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script if you like. Rob We know where the problem is, and we though we fixed it, but obviously some parts of problem persist. Thank you for your patience :-) 2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com: On 29/10/14 15:56, Martin Basti wrote: On 29/10/14 15:46, Rob Verduijn wrote: You're right duh I should read more carefully and not try to do to many things at once. when using the dns principal and keytab the entries are not found. How do i fix the access controll instructions ? I can revert back easely and try a different aproach for the upgrade if you know one (I really started to appreciate snapshots with this upgrade :-) Rob Please try first this: # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif It should repair privileges. Sorry I wrote you wrong file # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 14:32, Rob Verduijn wrote: I've checked and I see a lot of objects representing my dns entries. Still I get no answers if i try to resolve any of them :( Are you running ldapsearch with *exactly* same credentials as you have in /etc/named.conf? Could you post dynamic-db section from your named.conf? Petr^2 Spacek Rob 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com: On 28.10.2014 18:42, Rob Verduijn wrote: before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com: On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? This problem is usually caused by broken IPA upgrade which destroys ACIs in LDAP which allow access to DNS sub-tree. Please follow instructions on: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5 . NozonesfromLDAPareloaded ... and let us know if you are able to see idnsZone objects in LDAP or not. -- Petr^2 Spacek -- Martin Basti -- Martin Basti -- Martin Basti -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello, I've tested the update again. The bind-utils conflict is still there when I issue yum update freeipa-server ( as indicated on the freeipa 4.1 download page http://www.freeipa.org/page/Downloads#Upgrading ) 'yum update' works fine My internal zones didn't resolv after the update ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it ipa-ldap-updater did fix the 'access control instructions' and my internal dns zones started to resolv again :-) Cheers Rob 2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com: On 29.10.2014 16:46, Rob Verduijn wrote: Hello, # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update fixes the problem. I can resolv my internal dns zones again:-) Many thanx. Since this problem happened every time I tried to update the freeipa server. I could re-run the update with some debug options if you like so you can pinpoint what goes wrong with the update script if you like. I have re-build some packages in mkosek's CORP so now you should not see encounter dependency problems. Simple 'yum upgrade' should give you all the required packages. We are looking at other problems in upgrade process right now so there is not much to test except package dependencies. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? Rob 2014-10-27 23:05 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: sorry for the xml formatting didn't realize it would mess up some mail clients The last bit of the message again ipa-upgradeconfig gives the following : [Verifying that root certificate is published] Failed to backup CS.cfg: no magic attribute 'dogtag' [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Removing self-signed CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Enabling serial autoincrement in DNS] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Masking named] Changes to named.conf have been made, restart named [Verifying that CA service certificate profile is updated] [Update certmonger certificate renewal configuration to version 2] [Enable PKIX certificate path discovery and validation] PKIX already enabled The ipa-upgradeconfig command was successful Any ideas ? I'm rather stuck now. Rob 2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I'm rather at a loss here. Everything seems to be running ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful but the upgrade log is flooded with this error : 2014-10-27T21:52:10Z DEBUG Waiting for CA to start... 2014-10-27T21:52:11Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:11Z DEBUG request body '' 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted 2014-10-27T21:52:11Z DEBUG Waiting for CA to start... 2014-10-27T21:52:12Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:12Z DEBUG request body '' I've tried the url and it works fine. https://freeipa.x.x/ca/admin/ca/getStatus it gives the following xml: ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponse State1/StateTypeCA/TypeStatusrunning/StatusVersion 10.2.0-3.fc20/Version/XMLResponse After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute ipa-upgradeconfig [Verifying that root certificate is published]Failed to backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL tree already moved[Verifying that CA proxy
Re: [Freeipa-users] dns stops working after upgrade
before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo after the update its 6.0-5.fc20.x86_64.rpm from copr repo Regards Rob 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com: On 28/10/14 16:10, Rob Verduijn wrote: Hello all, I've been digging into my problem of being unable to update from 3.3.5 to 4.1 First I add the repo from copr Then I used to update it by issueing 'yum update' which resulted in an update in which my local dns zone entries no longer resolved. So i tried the instructions mentioned on the site : yum update freeipa-server And this failed with a conflict in bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and bind-utils-32:9.9.4-15.P2.fc20.x86_64 I noticed the new bind comes from the copr repo and the old bind utils from fedora. So I first run 'yum update bind-utils -y' Then I ran yum update freeipa-server and see it fail with errors about softhsm I remembered reading about package errors with softhsm and installed the softhsm-devel package first. so revert back the freeipa kvm snapshot to 3.3.5 and try again yum update bind-utils -y ; yum install softhsm-devel -y ; yum update freeipa-server -y However when restarting named-pkcs11 I can see in the system log that it has 0 zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost.localdomain/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load) It claims 0 zones loaded but I can see my forward and reverse zones in ipa what could cause it not to load the zones that I defined in ipa ? Rob 2014-10-27 23:05 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: sorry for the xml formatting didn't realize it would mess up some mail clients The last bit of the message again ipa-upgradeconfig gives the following : [Verifying that root certificate is published] Failed to backup CS.cfg: no magic attribute 'dogtag' [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Removing self-signed CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Enabling serial autoincrement in DNS] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Masking named] Changes to named.conf have been made, restart named [Verifying that CA service certificate profile is updated] [Update certmonger certificate renewal configuration to version 2] [Enable PKIX certificate path discovery and validation] PKIX already enabled The ipa-upgradeconfig command was successful Any ideas ? I'm rather stuck now. Rob 2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I'm rather at a loss here. Everything seems to be running ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful but the upgrade log is flooded with this error : 2014-10-27T21:52:10Z DEBUG Waiting for CA to start... 2014-10-27T21:52:11Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:11Z DEBUG request body '' 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted 2014-10-27T21:52:11Z DEBUG Waiting for CA to start... 2014-10-27T21:52:12Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:12Z DEBUG request body '' I've tried the url and it works fine. https://freeipa.x.x/ca/admin/ca/getStatus it gives the following xml: ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponse State1/StateTypeCA/TypeStatusrunning/StatusVersion 10.2.0
Re: [Freeipa-users] dns stops working after upgrade
, in update updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 131, in update ld.update_from_dict(updates) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 889, in update_from_dict self._run_updates(updates) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 799, in _run_updates self._update_record(update) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 661, in _update_record e = self._get_entry(new_entry.dn) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 544, in _get_entry return self.conn.get_entries(dn, scope, searchfilter, sattrs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1421, in get_entries base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1527, in find_entries break File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1206, in error_handler error=info) NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-X-X.socket': 2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Rob Verduijn wrote: h after some more digging (monitoring the upgrade more closely.) I saw that the upgrade kept waiting for the ca to start, which it did not do. and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log : at 85% it says : 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd--.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u . IPA CA CT,C,C ipaCert u,u,u Server-Cert u,u,u 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE- certificate-removed -END CERTIFICATE- 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd--.socket':\ This has nothing to do with the CA, the LDAP server didn't come up. I'd start with those logs or look earlier in ipaupgrade.log The CA requires 389-ds to be running so if it isn't up, then it will fail to start too. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
Hello, I'm rather at a loss here. Everything seems to be running ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful but the upgrade log is flooded with this error : 2014-10-27T21:52:10Z DEBUG Waiting for CA to start... 2014-10-27T21:52:11Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:11Z DEBUG request body '' 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted 2014-10-27T21:52:11Z DEBUG Waiting for CA to start... 2014-10-27T21:52:12Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:12Z DEBUG request body '' I've tried the url and it works fine. https://freeipa.x.x/ca/admin/ca/getStatus it gives the following xml: ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponseState1 /StateTypeCA/TypeStatusrunning/StatusVersion10.2.0-3.fc20 /Version/XMLResponse After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute ipa-upgradeconfig [Verifying that root certificate is published]Failed to backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL tree already moved[Verifying that CA proxy configuration is correct][Verifying that KDC configuration is using ipa-kdb backend][Fixing trust flags in /etc/httpd/alias]Trust flags already processed[Fix DS schema file syntax]Syntax already fixed[Removing RA cert from DS NSS database]RA cert already removed[Removing self-signed CA][Checking for deprecated KDC configuration files][Checking for deprecated backups of Samba configuration files][Setting up Firefox extension][Add missing CA DNS records]IPA CA DNS records already processed[Removing deprecated DNS configuration options][Ensuring minimal number of connections][Enabling serial autoincrement in DNS][Updating GSSAPI configuration in DNS][Updating pid-file configuration in DNS][Masking named]Changes to named.conf have been made, restart named[Verifying that CA service certificate profile is updated][Update certmonger certificate renewal configuration to version 2][Enable PKIX certificate path discovery and validation]PKIX already enabledThe ipa-upgradeconfig command was successful But my local dns zone does no longer resolve :( reverting back to the 3.3 snapshot again :( Please help Rob 2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Rob Verduijn wrote: h after some more digging (monitoring the upgrade more closely.) I saw that the upgrade kept waiting for the ca to start, which it did not do. and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log : at 85% it says : 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd--.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u . IPA CA CT,C,C ipaCert u,u,u Server-Cert u,u,u 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE- certificate-removed -END CERTIFICATE- 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd--.socket':\ This has nothing to do with the CA, the LDAP server didn't come up. I'd start with those logs or look earlier in ipaupgrade.log The CA requires 389-ds to be running so if it isn't up, then it will fail to start too. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] dns stops working after upgrade
sorry for the xml formatting didn't realize it would mess up some mail clients The last bit of the message again ipa-upgradeconfig gives the following : [Verifying that root certificate is published] Failed to backup CS.cfg: no magic attribute 'dogtag' [Migrate CRL publish directory] CRL tree already moved [Verifying that CA proxy configuration is correct] [Verifying that KDC configuration is using ipa-kdb backend] [Fixing trust flags in /etc/httpd/alias] Trust flags already processed [Fix DS schema file syntax] Syntax already fixed [Removing RA cert from DS NSS database] RA cert already removed [Removing self-signed CA] [Checking for deprecated KDC configuration files] [Checking for deprecated backups of Samba configuration files] [Setting up Firefox extension] [Add missing CA DNS records] IPA CA DNS records already processed [Removing deprecated DNS configuration options] [Ensuring minimal number of connections] [Enabling serial autoincrement in DNS] [Updating GSSAPI configuration in DNS] [Updating pid-file configuration in DNS] [Masking named] Changes to named.conf have been made, restart named [Verifying that CA service certificate profile is updated] [Update certmonger certificate renewal configuration to version 2] [Enable PKIX certificate path discovery and validation] PKIX already enabled The ipa-upgradeconfig command was successful Any ideas ? I'm rather stuck now. Rob 2014-10-27 22:59 GMT+01:00 Rob Verduijn rob.verdu...@gmail.com: Hello, I'm rather at a loss here. Everything seems to be running ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful but the upgrade log is flooded with this error : 2014-10-27T21:52:10Z DEBUG Waiting for CA to start... 2014-10-27T21:52:11Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:11Z DEBUG request body '' 2014-10-27T21:52:11Z DEBUG The CA status is: check interrupted 2014-10-27T21:52:11Z DEBUG Waiting for CA to start... 2014-10-27T21:52:12Z DEBUG request ' https://freeipa.x.x:443/ca/admin/ca/getStatus' 2014-10-27T21:52:12Z DEBUG request body '' I've tried the url and it works fine. https://freeipa.x.x/ca/admin/ca/getStatus it gives the following xml: ?xml version=1.0 encoding=UTF-8 standalone=no?XMLResponseState 1/StateTypeCA/TypeStatusrunning/StatusVersion10.2.0-3.fc20 /Version/XMLResponse After I run ipa-upgradeconfig it complains about a missing magic dog tag attribute ipa-upgradeconfig [Verifying that root certificate is published]Failed to backup CS.cfg: no magic attribute 'dogtag'[Migrate CRL publish directory]CRL tree already moved[Verifying that CA proxy configuration is correct][Verifying that KDC configuration is using ipa-kdb backend][Fixing trust flags in /etc/httpd/alias]Trust flags already processed[Fix DS schema file syntax]Syntax already fixed[Removing RA cert from DS NSS database]RA cert already removed[Removing self-signed CA][Checking for deprecated KDC configuration files][Checking for deprecated backups of Samba configuration files][Setting up Firefox extension][Add missing CA DNS records]IPA CA DNS records already processed[Removing deprecated DNS configuration options][Ensuring minimal number of connections][Enabling serial autoincrement in DNS][Updating GSSAPI configuration in DNS][Updating pid-file configuration in DNS][Masking named]Changes to named.conf have been made, restart named[Verifying that CA service certificate profile is updated][Update certmonger certificate renewal configuration to version 2][Enable PKIX certificate path discovery and validation]PKIX already enabledThe ipa-upgradeconfig command was successful But my local dns zone does no longer resolve :( reverting back to the 3.3 snapshot again :( Please help Rob 2014-10-26 21:38 GMT+01:00 Rob Crittenden rcrit...@redhat.com: Rob Verduijn wrote: h after some more digging (monitoring the upgrade more closely.) I saw that the upgrade kept waiting for the ca to start, which it did not do. and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log : at 85% it says : 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd--.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u . IPA CA
Re: [Freeipa-users] dns stops working after upgrade
h after some more digging (monitoring the upgrade more closely.) I saw that the upgrade kept waiting for the ca to start, which it did not do. and after 5 minutes the upgrade gave up with the following errors in the ipaupgrade log : at 85% it says : 2014-10-26T15:04:35Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd--.socket conn=ldap.ldapobject.SimpleLDAPObject instance at 0x2b18cb0 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout= Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Signing-Cert u,u,u . IPA CA CT,C,C ipaCert u,u,u Server-Cert u,u,u 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:35Z DEBUG Starting external process 2014-10-26T15:04:35Z DEBUG args='/usr/bin/certutil' '-d' '/etc/httpd/alias' '-L' '-n' 'TJAKO.THUIS IPA CA' '-a' 2014-10-26T15:04:35Z DEBUG Process finished, return code=0 2014-10-26T15:04:35Z DEBUG stdout=-BEGIN CERTIFICATE- certificate-removed -END CERTIFICATE- 2014-10-26T15:04:35Z DEBUG stderr= 2014-10-26T15:04:36Z ERROR Upgrade failed with cannot connect to 'ldapi://%2fvar%2frun%2fslapd--.socket': 2014-10-26T15:04:36Z DEBUG Traceback (most recent call last): File /usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py, line 152, in __upgrade self.modified = (ld.update(self.files, ordered=True) or File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 874, in update updates = api.Backend.updateclient.update(POST_UPDATE, self.dm_password, self.ldapi, self.live_run) File /usr/lib/python2.7/site-packages/ipaserver/install/plugins/updateclient.py, line 131, in update ld.update_from_dict(updates) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 889, in update_from_dict self._run_updates(updates) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 799, in _run_updates self._update_record(update) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 661, in _update_record e = self._get_entry(new_entry.dn) File /usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py, line 544, in _get_entry return self.conn.get_entries(dn, scope, searchfilter, sattrs) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1421, in get_entries base_dn=base_dn, scope=scope, filter=filter, attrs_list=attrs_list) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1527, in find_entries break File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__ self.gen.throw(type, value, traceback) File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 1206, in error_handler error=info) NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd--.socket': and in the end it says : 2014-10-26T14:46:13Z DEBUG The CA status is: check interrupted 2014-10-26T14:46:13Z DEBUG Waiting for CA to start... 2014-10-26T14:46:14Z DEBUG File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 646, in run_script return_value = main_function() File /usr/sbin/ipa-upgradeconfig, line 1457, in main ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 282, in restart self.service.restart(instance_name, capture_output=capture_output, wait=wait) File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 209, in restart self.wait_until_running() File /usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py, line 197, in wait_until_running raise RuntimeError('CA did not start in %ss' % timeout) 2014-10-26T14:46:14Z DEBUG The ipa-upgradeconfig command failed, exception: RuntimeError: CA did not start in 300.0s I guess its something with the update for the ca certificate server that failed. Any clues on how to proceed ? Rob 2014-10-26 11:39 GMT+01:00 John Obaterspok john.obaters...@gmail.com: Hello Rob, Did systemd report any failed services? (systemctl --failed) -- john 2014-10-25 16:40 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com: Hello all, I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main dns server. I've tried the upgrade to 4.1 using the copr repositorie. I performed the following steps: 1 apply latest fedora updates 2 shutdown system 3 create a snapshot from the freeipa vm as a backup (which is why I'm back at 3.3) 4 added the copr repo to my repositories 5 issue 'yum update' and grab a coffee 6 see
[Freeipa-users] dns stops working after upgrade
Hello all, I'm running freeipa 3.3.0 on fedora 20 x86_65 and it is set up as my main dns server. I've tried the upgrade to 4.1 using the copr repositorie. I performed the following steps: 1 apply latest fedora updates 2 shutdown system 3 create a snapshot from the freeipa vm as a backup (which is why I'm back at 3.3) 4 added the copr repo to my repositories 5 issue 'yum update' and grab a coffee 6 see the update complete and start to check if everything still works. all authentication seems to work fine, however all my local dns enties no longer work. all internet dns queries work fine, just not my own entries. they are all still there. so I shutdown my freeipa vm and reverted the snapshot, everything is back up and running again with 3.3.0 I've digged through my logs but see no errors whatsoever. Did I miss something that needs to be done when doing an upgrade ? Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user
Hello all, I've managed to get the gssproxy to work on my installation. I can now mount my apache document root using sec=krb5p and apache automagically mounts the share when needed. However I noticed that now all nfs credentials are going through gssproxy. Is there a way to disable this for regular users (or only enable it for apache) Below is the gssproxy.conf I used Cheers Rob [gssproxy] [service/nfs-client] mechs = krb5 cred_store = keytab:/etc/krb5.keytab cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U cred_store = client_keytab:/etc/gssproxy/%U.keytab cred_usage = initiate allow_any_uid = yes trusted = yes euid = 0 2014-09-17 9:15 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com: 2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS bnordg...@fs.fed.us: Also opened https://fedorahosted.org/freeipa/ticket/4544 Tried to summarize this thread on that ticket. Back to the OP's concern, whenever I use NFS as a documentroot for apache (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys, set all-squash, and specify the webserver's IP. It's not like individual user accounts need a presence on the filesystem. Do you need encryption for your application or is apache just going to spray the content out across the commodity internet via un-encrypted http? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project Hello, I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys) It's not sensitive data and it's also internal, so it will do fine for now as a workaround. But there is going to be a situation that apache requires access to a document root containing sensitive data, in that case I would prefer a more secure method. I've been reading up a little on the gss-proxy, which would be the prefered way on the obtaining of the credentials from a keytab. Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab ? (which might also solve some of my ssh anoyances but that's a bit off topic) Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user
Hi again, Thank you for the quick response. I've removed the credstore entries that are not necessary for the nfs access. Now the users no longer go through gssproxy, but apache does. I've googled around quite a bit and and it seems that your presentation on youtube and the gssproxy page together with a bit on the fedora site are about it concerning documentation. The below gssproxy.conf works fine for apache accessing a kerberized nfs share without having to authenticate against ipa. If I were to create another share for say an tftp directory do I need to create another entry like the one below or can I simply say : euid = 48,1,2,3,4 Or maybe this if you won't mind that any service with a keytab gets nfs access. euid = %U Thanx for the quick help. [gssproxy] [service/nfs-client] mechs = krb5 cred_store = client_keytab:/etc/gssproxy/%U.keytab cred_usage = initiate allow_any_uid = no trusted = yes euid = 48 2014-09-20 18:15 GMT+02:00 Simo Sorce s...@redhat.com: On Sat, 20 Sep 2014 16:53:48 +0200 Rob Verduijn rob.verdu...@gmail.com wrote: Hello all, I've managed to get the gssproxy to work on my installation. I can now mount my apache document root using sec=krb5p and apache automagically mounts the share when needed. However I noticed that now all nfs credentials are going through gssproxy. Is there a way to disable this for regular users (or only enable it for apache) Below is the gssproxy.conf I used I assume you mean that gssproxy is used for all users when rpc.gssd is used ? You cannot pick and choose this way, but gss-proxy can be configured to user regular user's caches so that it preserve proper authorization for access. Cheers Rob [gssproxy] [service/nfs-client] mechs = krb5 cred_store = keytab:/etc/krb5.keytab cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U cred_store = client_keytab:/etc/gssproxy/%U.keytab cred_usage = initiate allow_any_uid = yes trusted = yes euid = 0 You do not need allow_any_uid in your case as rpc.gssd always runs as root. You can also remove the keytab:/etc/krb5.keytab option as you are only going to initiate with explicit client keytabs. If you only have the apache keytab in /etc/gssproxy then for any other user will fall back to local resolution. You may also experiment with setting ccache to the default for your system so that gss-proxy can find actual user's ccaches, though that may comport some minor risk and will force you to run gss-proxy as root. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user
2014-09-16 20:57 GMT+02:00 Nordgren, Bryce L -FS bnordg...@fs.fed.us: Also opened https://fedorahosted.org/freeipa/ticket/4544 Tried to summarize this thread on that ticket. Back to the OP's concern, whenever I use NFS as a documentroot for apache (even a WebDAV server), I make a separate mountpoint, fall back to sec=sys, set all-squash, and specify the webserver's IP. It's not like individual user accounts need a presence on the filesystem. Do you need encryption for your application or is apache just going to spray the content out across the commodity internet via un-encrypted http? Bryce This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project Hello, I've already implemented the share as 1.2.3.4(ro,sync,all-squash,sec=sys) It's not sensitive data and it's also internal, so it will do fine for now as a workaround. But there is going to be a situation that apache requires access to a document root containing sensitive data, in that case I would prefer a more secure method. I've been reading up a little on the gss-proxy, which would be the prefered way on the obtaining of the credentials from a keytab. Have gss-proxy do it or have gss-proxy use s4u2proxy to fetch the keytab ? (which might also solve some of my ssh anoyances but that's a bit off topic) Rob Verduijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] apache kerberized nfs4 /var/www/html access denied for apache user
Hello, I've got a webserver whose default export is on a kerberized nfs4 export. The export works fine for regular ipa users However the apache user is not allowed to read anything from the export. What would be the best practice to allow the apache user access to the nfs4 export without switching to sec=sys ? Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] sudo without the !authenticate
Hello, I've a freeipa running on fedora 20 with fedora 20 clients. When I configure sudo with the !authenticate option, everything works fine. ie 'sudo journalctl' works fine, you get to see the logs However when I remove the !authenticate option the sudo command asks for a password but it always fails. In the logs it says that authentication succes but it is followed by the line access denied. What could be causing this ? Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo without the !authenticate
2014-09-01 18:47 GMT+02:00 Dmitri Pal d...@redhat.com: On 09/01/2014 06:17 PM, Rob Verduijn wrote: Hello, I've a freeipa running on fedora 20 with fedora 20 clients. When I configure sudo with the !authenticate option, everything works fine. ie 'sudo journalctl' works fine, you get to see the logs However when I remove the !authenticate option the sudo command asks for a password but it always fails. In the logs it says that authentication succes but it is followed by the line access denied. What could be causing this ? Rob Probably access control. Do you have HBAC rules defined? Do they allow user to do sudo operations? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project Hello, That was indeed preventing the access without the !noathenticate. I've added sudo to the hbac and now it works. Thanx. Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] GSSAPIDelegateCredentials yes
Hello, Sorry for the delay, I was rather busy the past few days. Well I must say it sounds interesting, I will need to read up on s4u2proxy, but I'm very interested to see where this leads to. Rob 2014-07-11 22:39 GMT+02:00 Dmitri Pal d...@redhat.com: On 07/05/2014 05:12 PM, Simo Sorce wrote: On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote: Hello, I've set up host that mounts a kerberized nfs4 homedrive. This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user. This requires either manually doing kinit or setting the GSSAPIDelegateCredentials yes in either .ssh config or in the /etc/ssh. My issue is that Host *.some.domain GSSAPIDelegateCredentials yes In the user config or even in the global config is not a very clever thing to do since that would imply that the kerberos credentials would be provided to every system that the user would ssh to in the some.domain network. Is there a clever way to do this in freeipa like an adition to host based access, ie send the GSSAPIDelegateCredentials only for these hosts when using ssh? Unfortunately there is not. Simo. What potentially can be done in this case is: 1) Use GSSAPI to log into this host. 2) Identify which kerberized services user needs to be able to use once he logs into the system (NFS, ldap, cups, etc.) 3) Use GSSAPI for access to these services (if possible) 4) Configure GSS proxy to be used on the client side of these connections 5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket 6) Configure constrained delegation on the server side (IPA) to allow s4u2proxy. It is not exposed in UI CLI. It has to be done via ldap. There will be dragons as I doubt this has been done but the long term plan is to make it possible. By trying and reporting issues you would help us to make it possible sooner. If you are interested we can drill down into more details. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] GSSAPIDelegateCredentials yes
Hello, I've set up host that mounts a kerberized nfs4 homedrive. This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user. This requires either manually doing kinit or setting the GSSAPIDelegateCredentials yes in either .ssh config or in the /etc/ssh. My issue is that Host *.some.domain GSSAPIDelegateCredentials yes In the user config or even in the global config is not a very clever thing to do since that would imply that the kerberos credentials would be provided to every system that the user would ssh to in the some.domain network. Is there a clever way to do this in freeipa like an adition to host based access, ie send the GSSAPIDelegateCredentials only for these hosts when using ssh? Cheers Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Having difficulty installing on Fedora 20
err http://www.freeipa.org/docs/master/html-desktop/index.html#Preparing_for_an_IPA_Installation ofcourse Rob 2014-06-24 21:12 GMT+02:00 Rob Verduijn rob.verdu...@gmail.com: I saw this in your log : snip Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files snip Did you install bind and bind-dyndb-ldap ? http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica Just meddling around with ipa myself Rob 2014-06-24 19:11 GMT+02:00 Petr Spacek pspa...@redhat.com: Hello! That is interesting. Do you have latest updates? Please see http://www.freeipa.org/page/Troubleshooting On 24.6.2014 18:41, Carl Perry wrote: Unexpected error - see /var/log/ipaserver-install.log for details: If the web page doesn't cover your case please send us the log file mentioned in the the error message. Have a nice day! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Having difficulty installing on Fedora 20
I saw this in your log : snip Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files snip Did you install bind and bind-dyndb-ldap ? http://www.freeipa.org/docs/master/html-desktop/index.html#installing-replica Just meddling around with ipa myself Rob 2014-06-24 19:11 GMT+02:00 Petr Spacek pspa...@redhat.com: Hello! That is interesting. Do you have latest updates? Please see http://www.freeipa.org/page/Troubleshooting On 24.6.2014 18:41, Carl Perry wrote: Unexpected error - see /var/log/ipaserver-install.log for details: If the web page doesn't cover your case please send us the log file mentioned in the the error message. Have a nice day! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] issues with nfs4 privileges.
Hello, I'm a bit at loss with my freeipa kerberized nfs4 shares. the nfs4 shares mount fine and users can read and write their files. However pulse audio does not work properly, and some programs fail to start. When logging in with a local account using a local homedrive pulseaudio works, and the programs also work. Also oddjob is not capable of creating a home dir for a new user. root is not allowed to write in the home mount on the client (mkdir test and touch test get a Permission denied) I don't think its selinux, because setenforce 0 on the nfs-server and setenforce 0 on the nfs client did not help. freeipa policies seem to be working fine, sudo rules are applied the way I expect them. Logging in on all the machines works, automounting works like a charm, except for the situations described above. server details are below Anybody who can tell me what I've missed ? Rob the freeipa server is a dedicated fedora20 x86_64 machine with the latest updates applied the nfs-server is a fedora20 x86_64 machine with the latest updates applied these booleans have been applied on the nfs server nfs_export_all_ro -- on nfs_export_all_rw -- on The exports are : /exports *(rw,no_root_squash,crossmnt,fsid=0,sec=krb5p) /exports/homes *(rw,no_root_squash,no_subtree_check,sec=krb5p) /exports/homes is a bind mount from : /data3/homes selinux contexts of the dirs: ls -dalsZ /data3/homes drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /data3/homes ls -dalsZ /exports/homes drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /exports/homes /exportes/homes is automounted by systemd using this unit file: cat /etc/systemd/system/exports-homes.automount [Unit] Description=/exports/homes Directory Automount Point Wants=network.target statd.service After=network.target statd.service [Automount] Where=/exports/homes [Install] WantedBy=multi-user.target and the matching unit mount: cat /etc/systemd/system/exports-homes.mount [Unit] Description=Exports Homes Directory Wants=network.target statd.service After=network.target statd.service [Mount] What=/data3/homes Where=/exports/homes Type=none Options=bind DirectoryMode=0755 the nfs client is a fedora20 x86_64 machine with al the latest patches applied This boolean has been set: use_nfs_home_dirs -- on ls -dalsZ /home/ drwxr-xr-x. root root system_u:object_r:user_home_t:s0 /home/ the home folder is automounted by systemd using this unit file : cat /etc/systemd/system/home.automount [Unit] Description=Home Directory Automount Point Wants=network.target statd.service After=network.target statd.service [Automount] Where=/home [Install] WantedBy=multi-user.target and the matching unit mount cat /etc/systemd/system/home.mount [Unit] Description=Home Directory Wants=network.target statd.service After=network.target statd.service [Mount] What=172.16.1.1:/homes Where=/home Type=nfs4 Options=timeo=14,noatime,timeo=14,soft,sec=krb5p,context=system_u:object_r:user_home_t:s0 DirectoryMode=0750 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] issues with nfs4 privileges.
Hi Simo, Thanx for the quick answer, i will consider the root implications. However, what about pulse audio not working ? The logs complain about that one not beeing able to write in home as well. Rob 2014-06-20 18:27 GMT+02:00 Simo Sorce s...@redhat.com: On Fri, 2014-06-20 at 18:02 +0200, Rob Verduijn wrote: Hello, I'm a bit at loss with my freeipa kerberized nfs4 shares. the nfs4 shares mount fine and users can read and write their files. However pulse audio does not work properly, and some programs fail to start. When logging in with a local account using a local homedrive pulseaudio works, and the programs also work. Also oddjob is not capable of creating a home dir for a new user. root is not allowed to write in the home mount on the client (mkdir test and touch test get a Permission denied) I don't think its selinux, because setenforce 0 on the nfs-server and setenforce 0 on the nfs client did not help. Indeed it is not selinux nor anything client related, when you use kerberized NFSv4 *all* accesses including root must be authenticated. When your local root user tries to access the mount point, either it cannot authenticate or it uses the system keytab to authenticate, in both cases, w/o further configuration on the server these accesses are mapped to the nobody user or refused outright. If you really want to trust *every* client to have full *root* access on your server then you need to make sure the client is using the host keytab when acting as root (default unless you pass -n to rpc.gssd) then you need to map explicitly the client's hosts keys to the root account on the server. add: host/client.host.name@YOUR.REALM = root in the [static] section of idmapd.conf See idmapd.conf(5) for details. freeipa policies seem to be working fine, sudo rules are applied the way I expect them. Logging in on all the machines works, automounting works like a charm, except for the situations described above. server details are below Anybody who can tell me what I've missed ? What you've missed is simply that clients are not allowed to act as root on NFS mounts by default, it's a security issue, because a compromised client can then do what it want's with all NFS shared data regardless of user permissions. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] issues with nfs4 privileges.
Hi, I have not touched pulse audio configuration, it's set to default, I can see in the logs the pulseaudio daemon assumes the user id. rtkit-daemon[697]: Successfully made thread 3299 of process 3299 (/usr/bin/pulseaudio) owned by '4701' high priority at nice level -11. rtkit-daemon[697]: Supervising 5 threads of 2 processes of 2 users. pulseaudio[3299]: [pulseaudio] core-util.c: Failed to create secure directory (/home/rob/.config/pulse): Permission denied The directory already exists, I tried removing it, which did not help. Rob 2014-06-20 19:14 GMT+02:00 Simo Sorce s...@redhat.com: On Fri, 2014-06-20 at 18:57 +0200, Rob Verduijn wrote: Hi Simo, Thanx for the quick answer, i will consider the root implications. However, what about pulse audio not working ? The logs complain about that one not beeing able to write in home as well. Is it running as the pulse user ? If so it would be the same issue, but I thought pulseaudio runs as the user by default, have you changed its configuration to run one instance per system by chance ? Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] issues with nfs4 privileges.
Considering the root immplications. Handing out root to all nfs clients is indeed something that is undesirable. However personally I believe manually creating homedirs to be a procedure from the previous millenium. Can I get freeipa to do this automatically the right way ? (respecting security) Rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project