[Freeipa-users] Kerberized IdM NFSv4 mounts login shares for Just One User, Permission Denied for Others
Hi!

I am having trouble with setting up NFSv4 login for users on my IdM network. Normally all users should be able to ssh into the servers using keys, but this happens for only my user (an admin). And when I log in and sudo as root, and then su - username, listing the contents of the user's directory, I see everything is owned by nobody:nobody.

I set up NFSv4 based on the instructions in this blog:
http://blog.delouw.ch/2015/03/14/using-ipa-to-provide-automount-maps-for-nfsv4-home-directories/

In a nutshell, I set up like this:

1. Added service principals for the nfs server and a few clients with ipa service-add, on my primary IPA server:
   ipa service-add nfs/nfs.mydomain.com
   ipa service-add nfs/atestclient.testing.mydomain.com
   ipa service-add nfs/aserver.mydomain.com

2. Added the auto.home map (in my case, my users use /share, not /home, so I created an auto.share map instead):
   ipa automountmap-add default auto.share

3. Added the auto.share to auto.master:
   ipa automountkey-add default --key "/share" --info auto.share auto.master

4. Added the key to the auto.share map:
   ipa automountkey-add default --key "*" --info "-fstype=nfs4,rw,sec=krb5,soft,rsize=8192,wsize=8192 nfs.qrios.com:/share/&" auto.share

5. Created the keytab on the NFS server as described:
   ipa-getkeytab -s ipa1.mydomain.com -p nfs/nfs.mydomain.com -k /etc/krb5.keytab

6. Told the server to use secure NFS, created the share and started the service.

7. I also added each server's keytab onto it, and ran ipa-client-automount.

But now, on each server, I can only log in password-less with one account, other accounts demand passwords, and when the user logs in permissions are set to nobody:nobody.

My /etc/exports:
/share *(rw,sec=sys:krb5:krb5i:krb5p)

I see no errors in the nfs server logs, and on the client.

I am grateful for any guidance provided.

Thank you!
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
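For the symptoms described in this post (password prompts for every account but one, files owned by nobody:nobody), the three things a practitioner checks before touching the automount maps are the keytab, the NFSv4 ID-mapping domain on both sides, and the security flavours the export accepts. The script below is an added example, not code from the post or from the linked blog; the hostnames (nfs.example.com), the realm (EXAMPLE.COM) and the `klist -k`, idmapd.conf and /etc/exports contents it parses are constructed samples. It goes slightly beyond the post by also handling an exports line with no sec= option at all (exportfs then defaults to sys).

```python
"""Checks for a Kerberized NFSv4 export served to IPA-enrolled clients.

Added example, not code from the thread or from FreeIPA. It verifies what
can be checked from plain text: that the keytab holds nfs/<fqdn>, that
server and client agree on the NFSv4 ID-mapping domain (a mismatch shows
every file as nobody:nobody), and that the /etc/exports sec= list does not
also accept AUTH_SYS. Host names, realm and file contents are constructed.
"""
import re

_KLIST_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")      # "   2 nfs/host@REALM"
_EXPORT_LINE = re.compile(r"^(\S+)\s+(\S+?)\((.*)\)\s*$")  # "/share *(rw,sec=...)"


def keytab_principals(klist_output):
    """Principals listed by `klist -k`; header, separator and KVNO column are dropped."""
    found = set()
    for line in klist_output.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            found.add(m.group(1))
    return found


def missing_principals(klist_output, fqdn, realm, roles=("nfs",)):
    """role/fqdn@REALM principals absent from the keytab."""
    have = keytab_principals(klist_output)
    return [p for p in (f"{r}/{fqdn}@{realm}" for r in roles) if p not in have]


def idmap_domain(idmapd_conf):
    """`Domain` from the [General] section of idmapd.conf; None if unset or commented out."""
    section = None
    for raw in idmapd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "general" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "domain":
                return value.strip() or None
    return None


def idmap_domains_match(server_conf, client_conf):
    """True only when both sides set the same Domain explicitly; an unset Domain
    falls back to each host's own DNS domain, so it is reported as a finding."""
    server, client = idmap_domain(server_conf), idmap_domain(client_conf)
    return server is not None and client is not None and server.lower() == client.lower()


def export_security_flavors(exports_line):
    """(path, client_spec, [flavors]) for one exports line; exportfs defaults to sys."""
    m = _EXPORT_LINE.match(exports_line.strip())
    if not m:
        raise ValueError(f"unparseable exports line: {exports_line!r}")
    path, clients, opts = m.groups()
    flavors = ["sys"]
    for opt in opts.split(","):
        if opt.startswith("sec="):
            flavors = opt[len("sec="):].split(":")   # ordered, colon-separated
    return path, clients, flavors


def allows_auth_sys(exports_line):
    """sys anywhere in sec= means unauthenticated AUTH_SYS mounts are accepted."""
    return "sys" in export_security_flavors(exports_line)[2]


def kerberos_only(exports_line):
    """The same export with sys removed, leaving only the krb5* flavors."""
    path, clients, flavors = export_security_flavors(exports_line)
    keep = [f for f in flavors if f != "sys"] or ["krb5"]
    opts = [o for o in _EXPORT_LINE.match(exports_line.strip()).group(3).split(",")
            if not o.startswith("sec=")]
    return f"{path} {clients}({','.join(opts + ['sec=' + ':'.join(keep)])})"


def run_checks(klist_output, fqdn, realm, server_idmapd, client_idmapd, exports_line):
    """Findings as text; an empty list means all three checks passed."""
    findings = [f"keytab lacks {p}" for p in missing_principals(klist_output, fqdn, realm)]
    if not idmap_domains_match(server_idmapd, client_idmapd):
        findings.append("idmapd Domain differs or is unset; expect nobody:nobody ownership")
    if allows_auth_sys(exports_line):
        findings.append(f"export accepts AUTH_SYS; Kerberos-only form: {kerberos_only(exports_line)}")
    return findings


# Constructed sample inputs, shaped like `klist -k`, idmapd.conf and /etc/exports.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/nfs.example.com@EXAMPLE.COM
   1 nfs/nfs.example.com@EXAMPLE.COM
"""
SAMPLE_SERVER_IDMAPD = "[General]\nDomain = example.com\n\n[Mapping]\nNobody-User = nobody\n"
SAMPLE_CLIENT_IDMAPD = "[General]\n#Domain = local.domain.edu\n\n[Mapping]\nNobody-User = nobody\n"
SAMPLE_EXPORT = "/share *(rw,sec=sys:krb5:krb5i:krb5p)"

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_KLIST, "nfs.example.com", "EXAMPLE.COM",
                              SAMPLE_SERVER_IDMAPD, SAMPLE_CLIENT_IDMAPD, SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Feed it the real `klist -k` output from the NFS server and the two idmapd.conf files to get findings for an actual setup. The AUTH_SYS finding is the security point: with `sec=sys:krb5:krb5i:krb5p` and a client spec of `*`, any host on the network can mount the export without Kerberos, so a Kerberos-only export drops `sys`. One thing no text check can see: `sec=krb5` needs a ticket per user, so an account that logs in with an SSH key and never obtains a TGT has no credential for rpc.gssd to use, and its share stays inaccessible even when everything above passes.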
Re: [Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart
Hi Martin

I wasn't able to resolve it, so I destroyed and recreated the replica and its replication agreements.

On Fri, Jul 24, 2015 at 8:37 AM, Martin Kosek <mko...@redhat.com> wrote:
> On 07/14/2015 02:47 PM, Sina Owolabi wrote:
>> Hi
>>
>> Please, I would really need some help in troubleshooting one of my domain servers which I restarted the IPA services. It's a CentOS 7.1 server running ipa-4.1.0
>>
>> [root@dc01 ~]# ipactl start
>> Existing service file detected!
>> Assuming stale, cleaning and proceeding
>> Starting Directory Service
>> Failed to read data from service file: Failed to get list of dc to probe status!
>> Configured hostname 'dc01.mydom.com' does not match any master server in LDAP:
>> dc.mydom.com
>> dc02.mydom.com
>> dc01.mydom.com
>> dc01.mydom.com
>> Shutting down
>> [root@dc01 ~]#
>
> Scooping through the freeipa-users posts, I see this was not replied to. Did you manage to resolve the issue?
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Thanks Martin

The expanded command shows all the output. Curiously, I still don't see any reverse addresses yet except on the reverse domain for this primary zone. I've restarted the IPA servers in hopes of a Windows-y solution but it didn't help :-)

output:

ipa dnszone-show mydom.com --all
  dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
  Zone name: mydom.com.
  Active zone: TRUE
  Authoritative nameserver: dc.mydom.com.
  Administrator e-mail address: hostmaster.mydom.com.
  SOA serial: 1436861122
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM krb5-self * ; grant mydom.COM krb5-self * SSHFP;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
  arecord: pu.bl.ic.add
  mxrecord: 0 mail.mydom.com.
  nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
  objectclass: idnszone, top, idnsrecord

On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mba...@redhat.com> wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>> Hi Martin
>>
>> Yes all my sssd configs are set ipa_dyndns_update = True
>>
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>> ipa dnszone-show mydom.com
>>   Zone name: mydom.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: services.mydom.com.
>>   Administrator e-mail address: hostmaster.mydom.com.
>>   SOA serial: 1436799166
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>
> You must use option --all
> ipa dnszone-show mydom.com --all
>
> Martin
>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>> Hi
>>>>
>>>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>>>
>>>> Thanks in advance!
>>>>
>>>> How I created all the zones:
>>>>
>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>>>   Zone name: 0.14.10.in-addr.arpa.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: services.ourdomain.com.
>>>>   Administrator e-mail address: hostmaster
>>>>   SOA serial: 1436688202
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3000
>>>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>>>   Dynamic update: TRUE
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>>   Allow PTR sync: TRUE
>>>
>>> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>>>
>>> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
>>>
>>> -- 
>>> Martin Basti
>
> -- 
> Martin Basti
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Thank you again. The configuration does conform.

On Tue, Jul 14, 2015 at 1:47 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 14.7.2015 14:44, Sina Owolabi wrote:
>> Thanks Petr.
>>
>> Can I assume that any fresh clients added to the IDM domain, is going to have both its forward and reverse records populated?
>
> Yes, as long as your configuration conforms with
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
>
> Please let us know if you encounter any problems.
>
> Petr^2 Spacek
>
>> On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspa...@redhat.com> wrote:
>>> On 14.7.2015 10:28, Sina Owolabi wrote:
>>>> Thanks Martin
>>>>
>>>> The expanded command shows all the output. Curiously, I still don't see any reverse addresses yet except on the reverse domain for this primary zone. I've restarted the IPA servers in hopes of a Windows-y solution but it didn't help :-)
>>>
>>> SyncPTR does something only when the data change. I.e. it will do nothing if your A/ records are up to date (even if clients send update).
>>>
>>> I'm afraid that there is no pre-made tool to do the mass update, sorry. You probably need to script something yourself.
>>>
>>> Petr^2 Spacek
>>>
>>>> output:
>>>>
>>>> ipa dnszone-show mydom.com --all
>>>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>>>   Zone name: mydom.com.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: dc.mydom.com.
>>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>>   SOA serial: 1436861122
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3600
>>>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM krb5-self * ; grant mydom.COM krb5-self * SSHFP;
>>>>   Dynamic update: TRUE
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>>   Allow PTR sync: TRUE
>>>>   arecord: pu.bl.ic.add
>>>>   mxrecord: 0 mail.mydom.com.
>>>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>>>   objectclass: idnszone, top, idnsrecord
>>>>
>>>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>>>> Hi Martin
>>>>>>
>>>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>>>>
>>>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:
>>>>>>
>>>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>>>> ipa: ERROR: no modifications to be performed
>>>>>>
>>>>>> But I don't see it in the show command:
>>>>>>
>>>>>> ipa dnszone-show mydom.com
>>>>>>   Zone name: mydom.com.
>>>>>>   Active zone: TRUE
>>>>>>   Authoritative nameserver: services.mydom.com.
>>>>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>>>>   SOA serial: 1436799166
>>>>>>   SOA refresh: 3600
>>>>>>   SOA retry: 900
>>>>>>   SOA expire: 1209600
>>>>>>   SOA minimum: 3600
>>>>>>   Allow query: any;
>>>>>>   Allow transfer: none;
>>>>>
>>>>> You must use option --all
>>>>> ipa dnszone-show mydom.com --all
>>>>>
>>>>> Martin
>>>>>
>>>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>>>>>>>
>>>>>>>> Thanks in advance!
>>>>>>>>
>>>>>>>> How I created all the zones:
>>>>>>>>
>>>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>>>>>>>   Zone name: 0.14.10.in-addr.arpa.
>>>>>>>>   Active zone: TRUE
>>>>>>>>   Authoritative nameserver: services.ourdomain.com.
>>>>>>>>   Administrator e-mail address: hostmaster
>>>>>>>>   SOA serial: 1436688202
>>>>>>>>   SOA refresh: 3600
>>>>>>>>   SOA retry: 900
>>>>>>>>   SOA expire: 1209600
>>>>>>>>   SOA minimum: 3000
>>>>>>>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>>>>>>>   Dynamic update: TRUE
>>>>>>>>   Allow query: any;
>>>>>>>>   Allow transfer: none;
>>>>>>>>   Allow PTR sync: TRUE
>>>>>>>
>>>>>>> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>>>>>>>
>>>>>>> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
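Petr's answer above is that SyncPTR only acts when the A/AAAA data actually change, so hosts whose forward records were already current never get a PTR, and that a mass update has to be scripted. One way to script it, as an added example that is not code from the thread, from FreeIPA or from bind-dyndb-ldap: read `ipa dnsrecord-find` output for the forward zone, map each address to the most specific reverse zone IPA manages, and print the `ipa dnsrecord-add ZONE NAME --ptr-rec=HOST` commands for the PTRs that are missing, so nothing changes until the printed commands are run. The zone names, hostnames and `dnsrecord-find` output below are constructed sample data. It also handles IPv6 (ip6.arpa) and multi-valued A lines, which the thread does not show.

```python
"""Backfill PTR records for forward records IPA already holds.

Added example, not code from the thread or from FreeIPA/bind-dyndb-ldap.
SyncPTR acts only when an A/AAAA record changes, so hosts whose forward
records were already current never get a PTR. This reads `ipa dnsrecord-find`
output, maps each address to the most specific managed reverse zone, and
emits `ipa dnsrecord-add ... --ptr-rec` commands for the missing PTRs. Run the
output with admin credentials: the krb5-self update policy in the thread only
lets a host update its own name. Zones and records below are constructed.
"""
import ipaddress
import re

_NAME = re.compile(r"^\s*Record name:\s*(\S+)\s*$")
_REC = re.compile(r"^\s*(A|AAAA|PTR) record:\s*(.+?)\s*$")


def parse_dnsrecord_find(text):
    """Yield (owner, type, value) for A/AAAA/PTR lines of `ipa dnsrecord-find` output.

    One line may carry several values: "A record: 10.0.0.5, 10.0.0.6".
    """
    owner = None
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:
            owner = m.group(1)
            continue
        m = _REC.match(line)
        if m and owner is not None:
            for value in m.group(2).split(","):
                yield owner, m.group(1), value.strip()


def fqdn(zone, owner):
    """Absolute owner name; "@" is the zone apex."""
    zone = zone if zone.endswith(".") else zone + "."
    return zone if owner == "@" else f"{owner}.{zone}"


def reverse_zone_for(ip, reverse_zones):
    """(zone, label) for the longest managed reverse zone containing `ip`, else None.

    ipaddress.reverse_pointer gives in-addr.arpa for IPv4 and ip6.arpa for IPv6.
    """
    ptr_name = ipaddress.ip_address(ip).reverse_pointer + "."
    best = None
    for z in reverse_zones:
        zone = z if z.endswith(".") else z + "."
        if ptr_name.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    if best is None:
        return None
    return best, ptr_name[: -len(best) - 1]


def existing_ptr_names(reverse_zone, find_output):
    """Absolute names that already carry a PTR in one reverse zone's find output."""
    return {fqdn(reverse_zone, o) for o, t, _ in parse_dnsrecord_find(find_output) if t == "PTR"}


def ptr_backfill_commands(forward_zone, forward_find_output, reverse_zones, existing=frozenset()):
    """(commands, uncovered): commands add each missing PTR; uncovered lists the
    (fqdn, ip) pairs whose address lies in no managed reverse zone."""
    commands, uncovered = [], []
    for owner, rtype, ip in parse_dnsrecord_find(forward_find_output):
        if rtype not in ("A", "AAAA"):
            continue
        host = fqdn(forward_zone, owner)
        placed = reverse_zone_for(ip, reverse_zones)
        if placed is None:
            uncovered.append((host, ip))
            continue
        zone, label = placed
        if fqdn(zone, label) in existing:
            continue   # PTR already present, SyncPTR or a human got there first
        commands.append(f"ipa dnsrecord-add {zone} {label} --ptr-rec={host}")
    return commands, uncovered


# Constructed sample output, shaped like `ipa dnsrecord-find mydom.com`.
SAMPLE_FORWARD = """\
  Record name: @
  NS record: dc.mydom.com.
  A record: 10.14.0.1

  Record name: dc
  A record: 10.14.0.1

  Record name: web
  A record: 10.14.0.5, 10.14.1.5

  Record name: lab
  A record: 192.0.2.9
"""
# Constructed `ipa dnsrecord-find 0.14.10.in-addr.arpa.` output: dc already has its PTR.
SAMPLE_REVERSE = """\
  Record name: 1
  PTR record: dc.mydom.com.
"""
REVERSE_ZONES = ["0.14.10.in-addr.arpa.", "1.14.10.in-addr.arpa."]

if __name__ == "__main__":
    have = existing_ptr_names(REVERSE_ZONES[0], SAMPLE_REVERSE)
    cmds, missing = ptr_backfill_commands("mydom.com", SAMPLE_FORWARD, REVERSE_ZONES, have)
    print("\n".join(cmds))
    for host, ip in missing:
        print(f"# no managed reverse zone for {host} ({ip})")
```

Against real data, capture `ipa dnsrecord-find <forward zone>` and `ipa dnsrecord-find <reverse zone>` for every managed reverse zone into files, build `existing` from the latter, and review the printed commands before running them; addresses reported as uncovered need a reverse zone created first (as in the `ipa dnszone-add ... --allow-sync-ptr=TRUE` command quoted in the thread).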
[Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart
Hi

Please, I would really need some help in troubleshooting one of my domain servers which I restarted the IPA services. It's a CentOS 7.1 server running ipa-4.1.0

[root@dc01 ~]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Failed to read data from service file: Failed to get list of dc to probe status!
Configured hostname 'dc01.mydom.com' does not match any master server in LDAP:
dc.mydom.com
dc02.mydom.com
dc01.mydom.com
dc01.mydom.com
Shutting down
[root@dc01 ~]#
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Thanks Petr.

Can I assume that any fresh clients added to the IDM domain, is going to have both its forward and reverse records populated?

On Tue, Jul 14, 2015 at 1:10 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 14.7.2015 10:28, Sina Owolabi wrote:
>> Thanks Martin
>>
>> The expanded command shows all the output. Curiously, I still don't see any reverse addresses yet except on the reverse domain for this primary zone. I've restarted the IPA servers in hopes of a Windows-y solution but it didn't help :-)
>
> SyncPTR does something only when the data change. I.e. it will do nothing if your A/ records are up to date (even if clients send update).
>
> I'm afraid that there is no pre-made tool to do the mass update, sorry. You probably need to script something yourself.
>
> Petr^2 Spacek
>
>> output:
>>
>> ipa dnszone-show mydom.com --all
>>   dn: idnsname=mydom.com.,cn=dns,dc=mydom,dc=com
>>   Zone name: mydom.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: dc.mydom.com.
>>   Administrator e-mail address: hostmaster.mydom.com.
>>   SOA serial: 1436861122
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   BIND update policy: grant mydom.COM krb5-self * A; grant mydom.COM krb5-self * ; grant mydom.COM krb5-self * SSHFP;
>>   Dynamic update: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow PTR sync: TRUE
>>   arecord: pu.bl.ic.add
>>   mxrecord: 0 mail.mydom.com.
>>   nsrecord: dc02.mydom.com., dc01.mydom.com., dc.mydom.com.
>>   objectclass: idnszone, top, idnsrecord
>>
>> On Tue, Jul 14, 2015 at 8:46 AM, Martin Basti <mba...@redhat.com> wrote:
>>> On 13/07/15 19:58, Sina Owolabi wrote:
>>>> Hi Martin
>>>>
>>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>>
>>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:
>>>>
>>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>>> ipa: ERROR: no modifications to be performed
>>>>
>>>> But I don't see it in the show command:
>>>>
>>>> ipa dnszone-show mydom.com
>>>>   Zone name: mydom.com.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: services.mydom.com.
>>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>>   SOA serial: 1436799166
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3600
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>
>>> You must use option --all
>>> ipa dnszone-show mydom.com --all
>>>
>>> Martin
>>>
>>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
>>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>>> Hi
>>>>>>
>>>>>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> How I created all the zones:
>>>>>>
>>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>>>>>   Zone name: 0.14.10.in-addr.arpa.
>>>>>>   Active zone: TRUE
>>>>>>   Authoritative nameserver: services.ourdomain.com.
>>>>>>   Administrator e-mail address: hostmaster
>>>>>>   SOA serial: 1436688202
>>>>>>   SOA refresh: 3600
>>>>>>   SOA retry: 900
>>>>>>   SOA expire: 1209600
>>>>>>   SOA minimum: 3000
>>>>>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>>>>>   Dynamic update: TRUE
>>>>>>   Allow query: any;
>>>>>>   Allow transfer: none;
>>>>>>   Allow PTR sync: TRUE
>>>>>
>>>>> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>>>>>
>>>>> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
I removed the A record and restarted SSSD. The DNS record did not update.

On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti <mba...@redhat.com> wrote:
> On 13/07/15 19:58, Sina Owolabi wrote:
>> Hi Martin
>>
>> Yes all my sssd configs are set ipa_dyndns_update = True
>>
>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:
>>
>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>> ipa: ERROR: no modifications to be performed
>>
>> But I don't see it in the show command:
>>
>> ipa dnszone-show mydom.com
>>   Zone name: mydom.com.
>>   Active zone: TRUE
>>   Authoritative nameserver: services.mydom.com.
>>   Administrator e-mail address: hostmaster.mydom.com.
>>   SOA serial: 1436799166
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3600
>>   Allow query: any;
>>   Allow transfer: none;
>>
>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>> Hi
>>>>
>>>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>>>
>>>> Thanks in advance!
>>>>
>>>> How I created all the zones:
>>>>
>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>>>   Zone name: 0.14.10.in-addr.arpa.
>>>>   Active zone: TRUE
>>>>   Authoritative nameserver: services.ourdomain.com.
>>>>   Administrator e-mail address: hostmaster
>>>>   SOA serial: 1436688202
>>>>   SOA refresh: 3600
>>>>   SOA retry: 900
>>>>   SOA expire: 1209600
>>>>   SOA minimum: 3000
>>>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>>>   Dynamic update: TRUE
>>>>   Allow query: any;
>>>>   Allow transfer: none;
>>>>   Allow PTR sync: TRUE
>>>
>>> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>>>
>>> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
>>>
>>> -- 
>>> Martin Basti
>
> Can you try to restart SSSD, or to remove the A record and then restart SSSD on the particular host?
>
> -- 
> Martin Basti
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
I restarted network services on the host, then I restarted sssd again. The record appeared!

On Tue, Jul 14, 2015 at 3:50 PM, Sina Owolabi <notify.s...@gmail.com> wrote:
> I removed the A record and restarted SSSD. The DNS record did not update.
>
> On Tue, Jul 14, 2015 at 2:20 PM, Martin Basti <mba...@redhat.com> wrote:
>> On 13/07/15 19:58, Sina Owolabi wrote:
>>> Hi Martin
>>>
>>> Yes all my sssd configs are set ipa_dyndns_update = True
>>>
>>> I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:
>>>
>>> # ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
>>> ipa: ERROR: no modifications to be performed
>>>
>>> But I don't see it in the show command:
>>>
>>> ipa dnszone-show mydom.com
>>>   Zone name: mydom.com.
>>>   Active zone: TRUE
>>>   Authoritative nameserver: services.mydom.com.
>>>   Administrator e-mail address: hostmaster.mydom.com.
>>>   SOA serial: 1436799166
>>>   SOA refresh: 3600
>>>   SOA retry: 900
>>>   SOA expire: 1209600
>>>   SOA minimum: 3600
>>>   Allow query: any;
>>>   Allow transfer: none;
>>>
>>> On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
>>>> On 12/07/15 10:05, Sina Owolabi wrote:
>>>>> Hi
>>>>>
>>>>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> How I created all the zones:
>>>>>
>>>>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>>>>   Zone name: 0.14.10.in-addr.arpa.
>>>>>   Active zone: TRUE
>>>>>   Authoritative nameserver: services.ourdomain.com.
>>>>>   Administrator e-mail address: hostmaster
>>>>>   SOA serial: 1436688202
>>>>>   SOA refresh: 3600
>>>>>   SOA retry: 900
>>>>>   SOA expire: 1209600
>>>>>   SOA minimum: 3000
>>>>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>>>>   Dynamic update: TRUE
>>>>>   Allow query: any;
>>>>>   Allow transfer: none;
>>>>>   Allow PTR sync: TRUE
>>>>
>>>> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>>>>
>>>> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
>>>>
>>>> -- 
>>>> Martin Basti
>>
>> Can you try to restart SSSD, or to remove the A record and then restart SSSD on the particular host?
>>
>> -- 
>> Martin Basti
Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Hi Martin

Yes all my sssd configs are set ipa_dyndns_update = True

I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them. I've tried to set it in the very first zone (setup during installation) but dnszone-mod complains:

# ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa: ERROR: no modifications to be performed

But I don't see it in the show command:

ipa dnszone-show mydom.com
  Zone name: mydom.com.
  Active zone: TRUE
  Authoritative nameserver: services.mydom.com.
  Administrator e-mail address: hostmaster.mydom.com.
  SOA serial: 1436799166
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti <mba...@redhat.com> wrote:
> On 12/07/15 10:05, Sina Owolabi wrote:
>> Hi
>>
>> I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?
>>
>> Thanks in advance!
>>
>> How I created all the zones:
>>
>> ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
>>   Zone name: 0.14.10.in-addr.arpa.
>>   Active zone: TRUE
>>   Authoritative nameserver: services.ourdomain.com.
>>   Administrator e-mail address: hostmaster
>>   SOA serial: 1436688202
>>   SOA refresh: 3600
>>   SOA retry: 900
>>   SOA expire: 1209600
>>   SOA minimum: 3000
>>   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
>>   Dynamic update: TRUE
>>   Allow query: any;
>>   Allow transfer: none;
>>   Allow PTR sync: TRUE
>
> Hello, do you have --allow-sync-ptr=True configured in zones where the particular A/ records are?
>
> SSSD is able to update records. Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)
>
> -- 
> Martin Basti
[Freeipa-users] Force IPA client Reverse Zone Dynamic Updates
Hi

I have several dns zones defined in IPA. I noticed recently that the zone files are empty. I find this odd because I created them like the example below. Is it possible to force clients to auto-update reverse zones?

Thanks in advance!

How I created all the zones:

ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000 --allow-sync-ptr=TRUE --dynamic-update
  Zone name: 0.14.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: services.ourdomain.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1436688202
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3000
  BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
  Allow PTR sync: TRUE
Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Odd, sssd sudo up and started working properly after I added debug to the clients I was interested in. I didn't see any errors in the logs at all. Very strange.

Thanks everyone.

On Thu, Jun 4, 2015 at 7:36 PM, Pavel Brezina <pbrez...@redhat.com> wrote:
> Hi,
> please put the following line to /etc/sudo.conf to obtain sudo logs and send us the file:
>
> Debug sudo /var/log/sudo_debug all@trace
>
> - Original Message -
> From: Martin Kosek <mko...@redhat.com>
> To: Sina Owolabi <notify.s...@gmail.com>
> Cc: Cory Carlton <c...@pithoslabs.com>, freeipa-users@redhat.com, Pavel Brezina <pbrez...@redhat.com>, Jakub Hrozek <jhro...@redhat.com>
> Sent: Thursday, June 4, 2015 5:15:04 PM
> Subject: Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
>
> On 06/04/2015 05:13 PM, Sina Owolabi wrote:
>> Hi Martin
>>
>> I have deleted everything in /var/lib/sss/db/ and restarted sssd, no luck.
>
> In that case, I am afraid you might need to enable sudo and SSSD debug (https://fedorahosted.org/sssd/wiki/Troubleshooting) and see where it hangs. Also CCing sudo/sssd SMEs to be aware.
>
>> On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek <mko...@redhat.com> wrote:
>>> On 06/04/2015 05:06 PM, Cory Carlton wrote:
>>>> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
>>>
>>> I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually different server (/var/lib/sss/db/)
>>>
>>>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
>>>>> Hi
>>>>>
>>>>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3. All client servers are running RHEL6.6.
>>>>>
>>>>> I also have a sudo rule that allows a group to have access to run all commands on all servers:
>>>>>
>>>>>   Rule name: All
>>>>>   Enabled: TRUE
>>>>>   Host category: all
>>>>>   Command category: all
>>>>>   User Groups: superusers
>>>>>   Sudo Option: !authenticate
>>>>>
>>>>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely. I am not sure what is the cause and where to look.
>>>>>
>>>>> Please, what can I do to troubleshoot and fix this?
Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Hi Martin

I have deleted everything in /var/lib/sss/db/ and restarted sssd, no luck.

On Thu, Jun 4, 2015 at 4:10 PM, Martin Kosek <mko...@redhat.com> wrote:
> On 06/04/2015 05:06 PM, Cory Carlton wrote:
>> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
>
> I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually different server (/var/lib/sss/db/)
>
>> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
>>> Hi
>>>
>>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3. All client servers are running RHEL6.6.
>>>
>>> I also have a sudo rule that allows a group to have access to run all commands on all servers:
>>>
>>>   Rule name: All
>>>   Enabled: TRUE
>>>   Host category: all
>>>   Command category: all
>>>   User Groups: superusers
>>>   Sudo Option: !authenticate
>>>
>>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely. I am not sure what is the cause and where to look.
>>>
>>> Please, what can I do to troubleshoot and fix this?
Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Hi Cory,

DNS is fine. The IPA server is the internal domain's DNS server, and the affected servers use it as easily as the other ipa clients.

On Thu, Jun 4, 2015 at 4:06 PM, Cory Carlton <c...@pithoslabs.com> wrote:
> I would check for DNS resolution from the machine executing the sudo, to the IPA server.
>
> On Thu, Jun 4, 2015 at 9:54 AM, Sina Owolabi <notify.s...@gmail.com> wrote:
>> Hi
>>
>> I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3. All client servers are running RHEL6.6.
>>
>> I also have a sudo rule that allows a group to have access to run all commands on all servers:
>>
>>   Rule name: All
>>   Enabled: TRUE
>>   Host category: all
>>   Command category: all
>>   User Groups: superusers
>>   Sudo Option: !authenticate
>>
>> I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely. I am not sure what is the cause and where to look.
>>
>> Please, what can I do to troubleshoot and fix this?
[Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain
Hi

I recently had to remove and reinstall a fresh IPA server. I am currently re-enrolling all the ipa clients to the recently refreshed domain (same name as the previous realm and domain). The new IPA master is RHEL7.1 with IPA 4.1.3. All client servers are running RHEL6.6.

I also have a sudo rule that allows a group to have access to run all commands on all servers:

  Rule name: All
  Enabled: TRUE
  Host category: all
  Command category: all
  User Groups: superusers
  Sudo Option: !authenticate

I noticed that trying to run sudo on a few of the servers makes the command hang indefinitely. I am not sure what is the cause and where to look.

Please, what can I do to troubleshoot and fix this?
Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master
Thanks Martin, Rob, but I think I am totally lost.. I was able to migrate-ds but I think along the way I broke the replica. Errors I am seeing in the ipa clients are like so: Jun 2 16:33:11 ipaclient1 [sssd[ldap_child[27865]]]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database Jun 2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. Jun 2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database Jun 2 16:33:57 ipaclient1 certmonger: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Couldn't resolve host 'services01.mydom.com'). Jun 2 16:39:28 ipaclient1 certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)). Jun 2 16:44:59 ipaclient1 certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)). Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Failed to initialize credentials using keytab [default]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection. 
Jun 2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database I've been editing and trying to import data from the ldif I was able to export out of the CA-less replica. No luck so far. On Tue, Jun 2, 2015 at 1:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Martin Kosek wrote: On 06/01/2015 02:19 AM, Sina Owolabi wrote: Hi! I am still stumbling along with this, I have had my IPA domain destroyed and currently only a CA-less replica is left running the network. The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. I am trying to setup a fresh CA-master and I have exported the data in the replica into ldif and bak folders in /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. I have copied these files and folders to the fresh install, which is running RHEL7.1. If I can complete an install, I plan to destroy the existing replica and install from scratch 2 new ones just to be safe. Please can someone direct me in properly editing the ldif file or the bak archivedir to make it useful for the new CA master? I have already deleted the existing replication agreements between the CA-less replica and the lost CA master (the new fresh install is the same hostname). Importing data is successful, but then IPA refuses to run afterwords with different error messages. Thanks for any light shown my way. Let me reiterate to see if I understood your scenario correctly: - you had CA-powered FreeIPA infrastructure, with just one FreeIPA server with CA service running - the single FreeIPA+CA server was lost (I would suggest having more of those in the future or using backup (snapshot or ipa-backup)) - you now want to install a brand new FreeIPA server and add data from the old FreeIPA installation. This is quite tricky, you can just add data from old FreeIPA server to the new server - the new FreeIPA server will have different Kerberos master key, different CA key. All this and derived data would be invalid. 
If you backed up the FreeIPA+CA master, I assume the PKI could be recreated, but it does not seem as the case. In that case, I am afraid you would need to start a new infrastructure and migrate old data, I put short description on how to migrate one FreeIPA to other FreeIPA on the wiki: https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

I guess it depends on what data you want/need to preserve from the original IPA installation and calculate which is more time consuming: crafting an LDIF to import or re-adding the data manually. If you want to import from an LDIF, in general you need to:
- exclude any IPA master information (hosts, services, cn=masters, etc).
- exclude the admin user
- exclude any krbPrincipalKey values
- exclude any userCertificate values

You'll need to enable migration mode so your users can generate their Kerberos principal keys.

Also consider the UID range. If you installed the new master using the same range you'll probably want to modify the DNA range to mask out the already-assigned values. If you used
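Rob's checklist above (drop the master information, the admin user, and every krbPrincipalKey and userCertificate value) can be applied mechanically to the db2ldif export rather than by hand-editing. The script below is an added example written for this page, not code from the thread or from FreeIPA. The base DN dc=example,dc=com, the old master name ipa1.example.com and the exact DN shapes used to recognise a master's host entry and service principals are assumptions to adjust for a real export; the sample LDIF is constructed and abridged.

```python
"""Sanitize a db2ldif export before importing it into a fresh FreeIPA master.

Added example (not code from this thread or from FreeIPA). It applies the
exclusions listed above: drop the cn=masters subtree, the admin user and the
old masters' host/service entries, and strip krbPrincipalKey/userCertificate
values. SUFFIX, OLD_MASTERS and the DN shapes are assumptions.
"""
import base64
import sys

SUFFIX = "dc=example,dc=com"        # assumed base DN
OLD_MASTERS = {"ipa1.example.com"}  # assumed FQDNs of the lost IPA masters
STRIP_ATTRS = {"krbprincipalkey", "usercertificate"}
DROP_DN_SUFFIXES = (f"cn=masters,cn=ipa,cn=etc,{SUFFIX}",
                    f"uid=admin,cn=users,cn=accounts,{SUFFIX}")

def split_entries(text):
    """Split LDIF into blocks of logical lines: continuation lines (leading
    space) are joined to the previous line, comments dropped, blanks end a block."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line.startswith(" ") and cur:
            cur[-1] += line[1:]
        elif line.startswith("#"):
            continue
        elif line.strip():
            cur.append(line)
        elif cur:
            blocks.append(cur)
            cur = []
    return blocks + [cur] if cur else blocks

def attr_name(line):
    """Attribute type, lowercased, with options such as ;binary removed."""
    return line.split(":", 1)[0].split(";", 1)[0].strip().lower()

def entry_dn(block):
    """DN of a block (decoding a base64 'dn::'); None for the version line."""
    for line in block:
        if attr_name(line) == "dn":
            raw = line.split(":", 1)[1]
            if raw.startswith(":"):
                return base64.b64decode(raw[1:].strip()).decode("utf-8")
            return raw.strip()
    return None

def is_master_entry(dn):
    """True for cn=masters, the admin user, and old masters' hosts/services."""
    d = dn.lower()
    if any(d.endswith(s.lower()) for s in DROP_DN_SUFFIXES):
        return True
    for host in (h.lower() for h in OLD_MASTERS):
        if d.startswith(f"fqdn={host},cn=computers,cn=accounts,"):
            return True
        if (d.startswith("krbprincipalname=") and f"/{host}@" in d
                and ",cn=services,cn=accounts," in d):
            return True
    return False

def sanitize(text):
    """Return (sanitized LDIF text, counters of kept/dropped entries and stripped values)."""
    kept, dropped, stripped = [], 0, 0
    for block in split_entries(text):
        dn = entry_dn(block)
        if dn is not None and is_master_entry(dn):
            dropped += 1
            continue
        lines = [ln for ln in block if attr_name(ln) not in STRIP_ATTRS]
        stripped += len(block) - len(lines)
        kept.append("\n".join(lines))
    return "\n\n".join(kept) + "\n", {"kept": len(kept), "dropped": dropped, "stripped": stripped}

# Constructed, abridged sample export (no objectClass lines); not real data.
SAMPLE_LDIF = """\
version: 1

dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
krbPrincipalKey:: AAECAw==

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPrincipalKey:: BAUGBw==
userCertificate;binary:: MIIB
 cDCCAQ==
loginShell: /bin/bash

dn: cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: ipa1.example.com

dn: fqdn=ipa1.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ipa1.example.com

dn: krbprincipalname=ldap/ipa1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/ipa1.example.com@EXAMPLE.COM

dn: cn=sudorule1,cn=sudorules,cn=sudo,dc=example,dc=com
cn: sudorule1
"""

if __name__ == "__main__":  # python sanitize_ldif.py export.ldif > clean.ldif
    clean, stats = sanitize(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF)
    sys.stdout.write(clean); sys.stderr.write(f"{stats}\n")
```

Check the counters against what you expect before feeding the result to ldapadd; an unexpectedly low "dropped" count usually means the host or service DN shape differs from the assumption above. After the import, enable migration mode on the new server (ipa config-mod --enable-migration=TRUE) so users can generate their Kerberos keys as Rob describes, and treat the DNA range separately.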
[Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master
Hi! I am still stumbling along with this, I have had my IPA domain destroyed and currently only a CA-less replica is left running the network. The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. I am trying to setup a fresh CA-master and I have exported the data in the replica into ldif and bak folders in /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories. I have copied these files and folders to the fresh install, which is running RHEL7.1. If I can complete an install, I plan to destroy the existing replica and install from scratch 2 new ones just to be safe. Please can someone direct me in properly editing the ldif file or the bak archivedir to make it useful for the new CA master? I have already deleted the existing replication agreements between the CA-less replica and the lost CA master (the new fresh install is the same hostname). Importing data is successful, but then IPA refuses to run afterwards with different error messages. Thanks for any light shown my way.
Re: [Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica
Hi Martin

I actually mean restore. It's a complicated situation... There once was a primary and its CA replica. The primary got hosed and was cloned a few years ago from the replica. Then the replica got hosed a few times too, saved by the primary, only now it wouldn't install a CA during replica setup. Now the cloned primary got hosed (it sees itself as a clone and being the only CA, has nowhere to go to renew certs). We opted to reinstall a fresh primary and now we are looking for how to copy existing data from the standing CA-less replica (everything is the same, realms, DNS hosts, HBAC, sudo rules, etc) to the freshly installed CA primary. This would be amazing if we could or we'll have to setup the entire network and rules from scratch. I would really appreciate some example commands we could run to import data into the new primary. We've already run db2bak and db2ldif on the replica to export from a helpful script we found in a thread. I hope you can help us!

On Tue, May 26, 2015, 7:42 AM Martin Kosek mko...@redhat.com wrote:
On 05/25/2015 05:46 PM, Sina Owolabi wrote:
Hi! Please how do I restore data to a freshly reinstalled IPA server from an existing CA-less replica that has had replication agreements removed?

By restore, you mean actually migrate? We have a pending RFE for this: https://fedorahosted.org/freeipa/ticket/3656

Migration of users/groups can be done via migrate-ds command. Migration of SUDO/HBAC/automount/... can be done by LDIF export and import (with some changes realms, etc.). But we have no automated way how to migrate Kerberos keys or certificates as the underlying keys are different.

Both servers are running rhel 6.6 with ipa-server versions 3.0.0 (For some reason the IPA servers do not upgrade beyond this version).

If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x. RHEL-7.1 has FreeIPA 4.1, which is much more cooler than 3.0.0 :-) This is what we recommend for new deployments anyway.

I have been searching for information from RHEL knowledgebase and from the FreeIPA site but I do not find information that exactly matches my situation. I am grateful for any assistance in this. Thanks!

HTH, Martin
[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica
Hi! Please how do I restore data to a freshly reinstalled IPA server from an existing CA-less replica that has had replication agreements removed? Both servers are running rhel 6.6 with ipa-server versions 3.0.0 (For some reason the IPA servers do not upgrade beyond this version). I have been searching for information from RHEL knowledgebase and from the FreeIPA site but I do not find information that exactly matches my situation. I am grateful for any assistance in this. Thanks!
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Hi Rob

And thanks for the new instructions. However, right out of the gate:

$ ipa-csreplica-manage set-renewal-master
Usage: ipa-csreplica-manage [options]
ipa-csreplica-manage: error: must provide a command [force-sync | disconnect | list | del | connect | re-initialize]

Are there any RHEL6 specific instructions I can follow to the promised land?

On Wed, May 20, 2015 at 8:30 PM, Rob Crittenden rcrit...@redhat.com wrote:
Sina Owolabi wrote:
Hi Rob This is the only CA master. The one I cloned it from was decommissioned, reinstalled and then made to be a replica of this server. Looks like I'm really stuck. How do I export the data out so I can reinstall from scratch, if possible? There are a lot of rules and configuration data I'd really like to keep.

So in this case you have no master managing the renewal. Take a look at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0 starting at the step "Reconfigure a CA as the new master". Since at least one certificate has expired you'll need to go back in time to get this working. Be sure to restart IPA after going back to ensure that the CA is up. You'll eventually want to do the CRL changes as well.

rob

On Wed, May 20, 2015, 2:32 PM Rob Crittenden rcrit...@redhat.com wrote:
Sina Owolabi wrote:
Another key difference I noticed is that the problematic certs have CA:IPA in them, while the working certs have CA: dogtag-ipa-retrieve-agent-submit.

Ok, the full output is really helpful. First an explanation of CA subsystem renewal. CA clones are just that, exact clones of each other, which means they use the same subsystem certificates for OCSP, audit, etc. This also means that at renewal time they need to be renewed on only one master and then somehow shared with the other clones. The initially-installed CA is designated as the renewal master by default.

It configures certmonger to renew the CA subsystem certificates and put the new public cert into a shared area in IPA that will be replicated to the other masters. The non-renewal masters are configured with a special CA, dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an updated certificate and when available, it installs it. So the issue is that it isn't seeing this updated certificate, hence CA_WORKING. The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate that IPA uses to talk to the CA expired on 04/29.

So the steps you need to take are:
1. Check your other CA masters and see if they have been renewed properly (getcert list will tell you, look for expiration in 2017).
2. If they have, see if the data was pushed to LDAP
$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
See if there are certificate entries there. Check on multiple masters to see if there is a replication issue.

If the certs are there you can try restarting certmonger to kickstart the request.

rob
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Hi Rob

This is the only CA master. The one I cloned it from was decommissioned, reinstalled and then made to be a replica of this server. Looks like I'm really stuck. How do I export the data out so I can reinstall from scratch, if possible? There are a lot of rules and configuration data I'd really like to keep.

On Wed, May 20, 2015, 2:32 PM Rob Crittenden rcrit...@redhat.com wrote:
Sina Owolabi wrote:
Another key difference I noticed is that the problematic certs have CA:IPA in them, while the working certs have CA: dogtag-ipa-retrieve-agent-submit.

Ok, the full output is really helpful. First an explanation of CA subsystem renewal. CA clones are just that, exact clones of each other, which means they use the same subsystem certificates for OCSP, audit, etc. This also means that at renewal time they need to be renewed on only one master and then somehow shared with the other clones. The initially-installed CA is designated as the renewal master by default. It configures certmonger to renew the CA subsystem certificates and put the new public cert into a shared area in IPA that will be replicated to the other masters. The non-renewal masters are configured with a special CA, dogtag-ipa-retrieve-agent-submit, that looks in this shared area for an updated certificate and when available, it installs it. So the issue is that it isn't seeing this updated certificate, hence CA_WORKING. The CA_UNREACHABLE are due to the fact that the IPA RA agent certificate that IPA uses to talk to the CA expired on 04/29.

So the steps you need to take are:
1. Check your other CA masters and see if they have been renewed properly (getcert list will tell you, look for expiration in 2017).
2. If they have, see if the data was pushed to LDAP
$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
See if there are certificate entries there. Check on multiple masters to see if there is a replication issue.

If the certs are there you can try restarting certmonger to kickstart the request.

rob
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Hi Rob

Thanks! I noticed that the problematic records have their expiration in the future! And I also do not have pki-tomcatd, it's pki-cad. From getcert list, the troublesome IDs are:

Request ID '20130524104828':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:32 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104917':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:33 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden rcrit...@redhat.com wrote:
Sina Owolabi wrote:
Hi Rob I've been to the URL but it's a little difficult applying these commands to RHEL6 systems. For instance there is no /etc/pki-tomcat directory in RHEL6, and I cannot find the ipa.crt. I'm sure as a noob I am overlooking some very obvious stuff, but could you please guide me on what to do?

Sorry, I think I pointed you at the wrong page. Check out http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Your CA subsystem certificates are expired, or nearly expired. They are valid for two years. Based on the request ID in the snippet you posted at least some are valid for another few days.

What I'd suggest is to send the machine back in time and restart the services. This should bring things up so that certmonger can do the renewal:

# ipactl stop
# /sbin/service ntpd stop
# date 0501hhmm
where hhmm are the current hour and minute
# ipactl start

Hopefully ntpd isn't started by ipactl. If it is then it will undo your going back in time, and you'll need to start the services manually:

# service dirsrv@YOURREALM start
# service krb5kdc start
# service httpd start
# service pki-tomcatd start

Restart certmonger
# service certmonger restart

Wait a bit
# getcert list

Watch the status. They should go to MODIFIED

Once done:
# ipactl stop

Return date to present, either by restarting ntpd or date or whatever method you'd like.

I'm taking a completely wild guess on the date to go back to. The expiration date is listed in the getcert output. I'd go back a week before the oldest expiration.

rob
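Rob's step 1 earlier in the thread (read `getcert list` and check statuses and expirations) and his advice here to roll the clock back to a week before the oldest expiration are easy to get wrong by eye once more than a handful of requests are tracked. The script below is an added example, not code from the thread, from certmonger or from FreeIPA: it parses `getcert list` output, flags requests that are expired or not simply MONITORING, and computes the `date` argument for the rollback. The sample output is constructed from the entries quoted in this thread (indented with spaces here; real output uses tabs, which the parser also accepts), and the MMDDhhmmCCYY syntax for `date` is an assumption that the host runs GNU coreutils.

```python
"""Parse `getcert list` output, flag certificates that need attention and
compute the clock-rollback date (a week before the oldest expiration).

Added example, not from the thread, certmonger or FreeIPA. SAMPLE_GETCERT is
constructed from the entries quoted in this thread (space-indented here; real
output is tab-indented). Formatting the rollback for GNU `date MMDDhhmmCCYY`
is an assumption about the host.
"""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_getcert(text):
    """Return one dict per tracked request holding its indented 'key: value' fields."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"request_id": m.group(1)}
            entries.append(cur)
            continue
        if cur is None or not line.startswith((" ", "\t")):
            continue  # e.g. the "Number of certificates and requests being tracked" header
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        cur[key] = value
        if key == "certificate":
            nick = NICK_RE.search(value)
            cur["nickname"] = nick.group(1) if nick else None
        elif key == "expires":
            cur["expires_at"] = datetime.strptime(value.replace(" UTC", ""), TIME_FMT)
    return entries

def needs_attention(entries, now):
    """(request_id, reason) for certs that are expired or whose status is not MONITORING."""
    flagged = []
    for e in entries:
        exp = e.get("expires_at")
        if exp is not None and exp <= now:
            flagged.append((e["request_id"], "expired %s" % exp.date()))
        elif e.get("status") not in (None, "MONITORING"):
            flagged.append((e["request_id"], e["status"]))
    return flagged

def rollback_date(entries, days=7):
    """A week before the oldest expiration, the point Rob suggests going back to."""
    return min(e["expires_at"] for e in entries if "expires_at" in e) - timedelta(days=days)

def date_arg(dt):
    """Argument for GNU `date MMDDhhmmCCYY` (assumed coreutils syntax)."""
    return dt.strftime("%m%d%H%M%Y")

def summarize(text, now_str):
    """Flagged requests plus the `date` argument, for a given 'now' (YYYY-MM-DD HH:MM:SS)."""
    entries = parse_getcert(text)
    now = datetime.strptime(now_str, TIME_FMT)
    return {"flagged": needs_attention(entries, now),
            "rollback": date_arg(rollback_date(entries))}

# Constructed sample built from the three requests quoted in this thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20130524104828':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:32 UTC
    track: yes
    auto-renew: yes
Request ID '20130524104917':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:33 UTC
Request ID '20130524105011':
    status: CA_WORKING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    subject: CN=IPA RA,O=MYDOM.COM
    expires: 2015-04-29 23:49:29 UTC
"""

if __name__ == "__main__":  # getcert list | python getcert_check.py  (sample when stdin is a tty)
    import sys
    text = SAMPLE_GETCERT if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text, datetime.utcnow().strftime(TIME_FMT)))
```

On the sample the three requests are all flagged (two CA_UNREACHABLE, one expired on 2015-04-29) and the rollback argument is 042223492015, i.e. a week before the IPA RA certificate expired; that is the certificate Rob identifies as the one blocking the others, so the rollback has to reach back past it, not just past the two server certs that expire later.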
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
:12:32 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104917':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:33 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524105011':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=IPA RA,O=MYDOM.COM
    expires: 2015-04-29 23:49:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

On Tue, May 19, 2015 at 10:52 PM, Sina Owolabi notify.s...@gmail.com wrote:
Hi Rob Thanks! I noticed that the problematic records have their expiration in the future! And I also do not have pki-tomcatd, it's pki-cad.
Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot
Hi Martin

And thanks for getting back, greatly appreciated. I tore down the replica and reinstalled from scratch, using an old replica-info file I had on the primary. I'm not sure if this is a good thing to do, but I would appreciate if you could point me to the logs you'd be interested in seeing. I had to reinstall the replica without CA before it would complete, too. Thanks again for your precious time.

On Mon, May 18, 2015 at 10:15 AM, Martin Kosek mko...@redhat.com wrote:
On 05/16/2015 12:19 PM, Sina Owolabi wrote:
Please help me. I am in dire straits, this is the linchpin of our network and we are suffering.

I am sorry for delay in answering, but not many people here show up on the weekend. Comments below.

On Sat, May 16, 2015 at 6:00 AM, Sina Owolabi notify.s...@gmail.com wrote:
Hi! I am running an IPA domain with two servers, one is a replica. Red Hat 6.6, with the following versions:
libipa_hbac-1.11.6-30.el6_6.4.x86_64
ipa-server-selinux-3.0.0-42.el6.x86_64
libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
ipa-admintools-3.0.0-42.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
device-mapper-multipath-libs-0.4.9-80.el6_6.3.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-server-3.0.0-42.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64

I noticed the replica did not seem to be in sync with the primary IPA server, as login requests to ipa clients using the replica for domain authentication failed with "Too many authentication failures for user UNKNOWN". I forced a sync with the primary server and rebooted the replica afterwards. Now the replica is back up, but when I run ipactl status, only dirsrv is running:
# ipactl status
Directory Service: RUNNING

This is strange, try
# ipactl restart
see which services fail to start and see the logs they produce.

No other service shows up. I also tried editing /etc/krb5.conf to change the [realms] information to point to the primary server, but while I can now kinit admin, nothing else works. Please how can I fix this problem? Please what can I do to fix this?

First things first. You need to first see if all services start and operate properly, if not, we need to see their logs in order to help or advise.

Martin
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Yes CA is running, and it's on the same machine.

[root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40
Directory Manager (existing master) password:
Preparing replica for dc01.ourdom.com from dc.ourdom.com
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[root@dc ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@dc ~]#

On Mon, May 18, 2015, 10:19 AM Martin Kosek mko...@redhat.com wrote:
On 05/16/2015 12:18 PM, Sina Owolabi wrote:
Hi Group, I'm attempting again to rebuild and reinstall a troublesome replica. I have two freshly upgraded RHEL6.6 IdM servers. Problem is when I try to run createreplica I have this output:
ipa-replica-prepare services01.ours.com --ip-address 192.168.2.40
Directory Manager (existing master) password:
Preparing replica for services01.ours.com from services.ours.com
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

It looks like CA is not reachable. Is CA on the machine where you run ipa-replica-manage? Or other machine? Is the CA running? (ipactl status)

I have checked the different threads where I find this same error but all symlinks are correctly defined. Please can someone kindly guide a noob in the right path?
Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
May 24, 2013 12:17:01 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@7e8905bd]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.

Also running getcert list tells me there are two expired certs:

Request ID '20130524104636':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
Request ID '20130524104828':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.ourdom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.ourdom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no

I'd be grateful to know what to do.

On Mon, May 18, 2015 at 3:05 PM, Rob Crittenden rcrit...@redhat.com wrote:
Sina Owolabi wrote:
Yes CA is running, and it's on the same machine.
[root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40
Directory Manager (existing master) password:
Preparing replica for dc01.ourdom.com from dc.ourdom.com
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
[root@dc ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@dc ~]#

This suggests that while the process is running the CA isn't actually operational. You'll need to poke through the logs in /var/log/pki* to see if there are any errors. I'd also see if the certificates are expired by running `getcert list` as root.

rob
Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot
Please help me. I am in dire straits, this is the linchpin of our network and we are suffering.

On Sat, May 16, 2015 at 6:00 AM, Sina Owolabi notify.s...@gmail.com wrote:
Hi! I am running an IPA domain with two servers, one is a replica. Red Hat 6.6, with the following versions:
libipa_hbac-1.11.6-30.el6_6.4.x86_64
ipa-server-selinux-3.0.0-42.el6.x86_64
libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
ipa-admintools-3.0.0-42.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
device-mapper-multipath-libs-0.4.9-80.el6_6.3.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-server-3.0.0-42.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64

I noticed the replica did not seem to be in sync with the primary IPA server, as login requests to ipa clients using the replica for domain authentication failed with "Too many authentication failures for user UNKNOWN". I forced a sync with the primary server and rebooted the replica afterwards. Now the replica is back up, but when I run ipactl status, only dirsrv is running:
# ipactl status
Directory Service: RUNNING

No other service shows up. I also tried editing /etc/krb5.conf to change the [realms] information to point to the primary server, but while I can now kinit admin, nothing else works. Please how can I fix this problem? Please what can I do to fix this?
[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Hi Group,

I'm attempting again to rebuild and reinstall a troublesome replica. I have two freshly upgraded RHEL6.6 IdM servers. Problem is when I try to run createreplica I have this output:

ipa-replica-prepare services01.ours.com --ip-address 192.168.2.40
Directory Manager (existing master) password:
Preparing replica for services01.ours.com from services.ours.com
Creating SSL certificate for the Directory Server
Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

I have checked the different threads where I find this same error but all symlinks are correctly defined. Please can someone kindly guide a noob in the right path?
[Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot
Hi! I am running an IPA domain with two servers, one is a replica. Red Hat 6.6, with the following versions:
libipa_hbac-1.11.6-30.el6_6.4.x86_64
ipa-server-selinux-3.0.0-42.el6.x86_64
libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
ipa-admintools-3.0.0-42.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-42.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
device-mapper-multipath-libs-0.4.9-80.el6_6.3.x86_64
device-mapper-multipath-0.4.9-80.el6_6.3.x86_64
ipa-server-3.0.0-42.el6.x86_64
ipa-python-3.0.0-42.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
sssd-ipa-1.11.6-30.el6_6.4.x86_64

I noticed the replica did not seem to be in sync with the primary IPA server, as login requests to ipa clients using the replica for domain authentication failed with "Too many authentication failures for user UNKNOWN". I forced a sync with the primary server and rebooted the replica afterwards. Now the replica is back up, but when I run ipactl status, only dirsrv is running:
# ipactl status
Directory Service: RUNNING

No other service shows up. I also tried editing /etc/krb5.conf to change the [realms] information to point to the primary server, but while I can now kinit admin, nothing else works. Please how can I fix this problem? Please what can I do to fix this?
Re: [Freeipa-users] Unable to Rebuild Replica
Thanks Daniel! Please what are the downsides of installing without --setup-ca? And how do I make certain both servers have the same number of modules? On Fri, Apr 24, 2015 at 10:44 AM, dbisc...@hrz.uni-kassel.de wrote: Sina, On Fri, 24 Apr 2015, Sina Owolabi wrote: I noticed that my IPA domain masters were out of sync, with users having to login with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with a ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create replica again. It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL6.6 and I just updated the entire machine. Installation logs: [...] you may have run into this issue: https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html In short: You may be missing some Apache modules on the IPA master. This problem occurs only, if you attempt to install your replica with --setup-ca, otherwise installation will work. Mit freundlichen Gruessen/With best regards, --Daniel.
[Freeipa-users] Unable to Rebuild Replica
Hi!

I noticed that my IPA domain masters were out of sync, with users having to login with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with an ipa-server-install --uninstall -U, deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again. It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help?

I'm running this on RHEL6.6 and I just updated the entire machine.

Installation logs:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'services.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@exampl.com password:
Execute check on remote master
Check connection from master to remote replica 'services01.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From the ipa-replica-install.log:

2015-04-24T09:01:57Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument /var/lib/ipa/replica-info-services01.qrios.com.gpg and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True, 'setup_ca': True, 'forwarders': [CheckedIPAddress('8.8.8.8'), CheckedIPAddress('8.8.4.4')], 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-04-24T09:01:57Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         services01.qrios.com (/etc/httpd/conf.d/nss.conf:84)

2015-04-24T09:01:57Z DEBUG stderr=Syntax OK

2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpo2Cx3jipa/files.tar -d /var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C /tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
Re: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask
Thank you! Everything is bash-ful again.

On Thu Jan 22 2015 at 12:12:35 PM Alexander Bokovoy aboko...@redhat.com wrote:

> On Thu, 22 Jan 2015, Sina Owolabi wrote:
>
> > Sorry I was misunderstood. The umm.../bin/sh? Was me being sheepish after causing all the ruckus this morning.
> >
> > -sh-4.1$ getent passwd sina
> > sina:*:39210:39210:Sina Owolabi:/home/sina:/bin/sh
> >
> > How do I change the default to /bin/bash?
>
> If it is an IPA user, do the following:
>
> $ kinit sina
> $ ipa user-mod sina --shell=/bin/bash
>
> The default is to have the shell set to /bin/sh because bash isn't available on all platforms by default and OpenSSH will refuse to log in a user which uses a non-existing shell. /bin/sh is guaranteed to exist in all POSIX-compatible environments.
>
> You can change the defaults via
>
> $ kinit admin
> $ ipa config-mod --defaultshell=/bin/bash
>
> The defaults will only apply to users that will be created after the change.
>
> > On Thu Jan 22 2015 at 11:37:03 AM Alexander Bokovoy aboko...@redhat.com wrote:
> >
> > > On Thu, 22 Jan 2015, Sina Owolabi wrote:
> > >
> > > > Umm... /bin/sh?
> > >
> > > Yes, POSIX shell. So, what do you get as an output with
> > >
> > > $ getent passwd sina
> > >
> > > ?
> > >
> > > Bash emulates POSIX shell with a specific behavior (you can read the bash manual page, chapter INVOCATION, starting with "If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible"). In such case bash doesn't read its own profile files and sets PS1 to something close to \s-\v\$ which is what you get in your sessions below:
> > >
> > > > [root@node5 ~]# su - hofozor
> > > > -sh-4.1$ su - sina
> > > > Password:
> > > > -sh-4.1$
> > > > -sh-4.1$ pwd
> > > > /home/sina
> > >
> > > --
> > > / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
[Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask
Hi List

I'm at a client who has no support subscriptions, using Red Hat IdM on RHEL 6.3 64-bit servers with ipa-server-3.0.0-37.el6.x86_64 and ipa-client-3.0.0-42.el6.x86_64. I've been playing around with autocreating user homedirs with the recommended incantations in the ipa-client-install and restarting oddjobd afterwards.

I noticed that logging in on the clients as an IPA user creates the user homedir as:

[root@node5 ~]# su - sina
Creating home directory for sina.
-sh-4.1$

I changed permissions on the user folder but it doesn't change anything. I changed the mask in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf to 0077 as advised after doing some googling. But nothing changes.

Please does anyone know why this is happening, and what can be done to fix it?

Thanks!
Re: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask
Umm... /bin/sh?

On Thu Jan 22 2015 at 11:27:36 AM Alexander Bokovoy aboko...@redhat.com wrote:

> On Thu, 22 Jan 2015, Sina Owolabi wrote:
>
> > Hi
> >
> > And thanks for the replies.. The default bash files are represented in the user's home:
> >
> > [root@node5 ~]# ls -la /home/sina/
> > total 24
> > drwx------. 2 sina sina 4096 Jan 22 09:24 .
> > drwxr-xr-x. 8 root root 4096 Jan 22 09:23 ..
> > -rw-------. 1 sina sina    5 Jan 22 09:24 .bash_history
> > -rw-------. 1 sina sina   18 Jan 22 09:23 .bash_logout
> > -rw-------. 1 sina sina  176 Jan 22 09:23 .bash_profile
> > -rw-------. 1 sina sina  124 Jan 22 09:23 .bashrc
> >
> > And yes, it does ask for a password if I try to login as another non-privileged user.
> >
> > [root@node5 ~]# su - hofozor
> > -sh-4.1$ su - sina
> > Password:
> > -sh-4.1$
> > -sh-4.1$ pwd
> > /home/sina
>
> I think this is correct behavior for a /bin/sh. What is your user's shell?
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Creating Home directories still presents as -sh-4.1$ after changing oddjob mask
Sorry I was misunderstood. The umm.../bin/sh? Was me being sheepish after causing all the ruckus this morning.

-sh-4.1$ getent passwd sina
sina:*:39210:39210:Sina Owolabi:/home/sina:/bin/sh

How do I change the default to /bin/bash?

On Thu Jan 22 2015 at 11:37:03 AM Alexander Bokovoy aboko...@redhat.com wrote:

> On Thu, 22 Jan 2015, Sina Owolabi wrote:
>
> > Umm... /bin/sh?
>
> Yes, POSIX shell. So, what do you get as an output with
>
> $ getent passwd sina
>
> ?
>
> Bash emulates POSIX shell with a specific behavior (you can read the bash manual page, chapter INVOCATION, starting with "If bash is invoked with the name sh, it tries to mimic the startup behavior of historical versions of sh as closely as possible"). In such case bash doesn't read its own profile files and sets PS1 to something close to \s-\v\$ which is what you get in your sessions below:
>
> > [root@node5 ~]# su - hofozor
> > -sh-4.1$ su - sina
> > Password:
> > -sh-4.1$
> > -sh-4.1$ pwd
> > /home/sina
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
Thanks Tomas.

List, please how do I get rid of this error:

ipa-client-install --uninstall
*Disabling client Kerberos and LDAP configurations*
*Failed to remove krb5/LDAP configuration: *

After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.

On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej tba...@redhat.com wrote:

> On 01/15/2015 03:34 AM, Sina Owolabi wrote:
>
> > Hi List
> >
> > Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
> >
> > I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?
> >
> > Thanks!
>
> If your SSSD version is less than 1.9, you could try running
>
> ipa-advise config-generic-linux-sssd-before-1-9
>
> on the IPA server. This will provide setup instructions to run on the client.
>
> HTH,
>
> --
> Tomas Babej
> Associate Software Engineer | Red Hat | Identity Management
> RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
How do I strace this, please?

On Sat Jan 17 2015 at 10:59:22 AM Brian Topping brian.topp...@gmail.com wrote:

> Did you try strace to see what files it is choking on?
>
> Sent from my iPhone
>
> On Jan 17, 2015, at 15:49, Sina Owolabi notify.s...@gmail.com wrote:
>
> > Thanks Tomas.
> >
> > List, please how do I get rid of this error:
> >
> > ipa-client-install --uninstall
> > *Disabling client Kerberos and LDAP configurations*
> > *Failed to remove krb5/LDAP configuration: *
> >
> > After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
> >
> > On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej tba...@redhat.com wrote:
> >
> > > On 01/15/2015 03:34 AM, Sina Owolabi wrote:
> > >
> > > > Hi List
> > > >
> > > > Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
> > > >
> > > > I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?
> > > >
> > > > Thanks!
> > >
> > > If your SSSD version is less than 1.9, you could try running
> > >
> > > ipa-advise config-generic-linux-sssd-before-1-9
> > >
> > > on the IPA server. This will provide setup instructions to run on the client.
> > >
> > > HTH,
> > >
> > > --
> > > Tomas Babej
> > > Associate Software Engineer | Red Hat | Identity Management
> > > RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
I think I've made a go of it!

I was able to uninstall freeipa-client, and it complained about some leftover files, like so

Removing freeipa-client ...
dpkg: warning: while removing freeipa-client, directory '/var/lib/ipa-client/sysrestore' not empty so not removed

I deleted and reinstalled, no problem.

I now followed the instructions over at this helpful site:
http://nadirlatif.me/installing-freeipa-client-debian/

And now I'm joined to the domain!

Of course this does not mean all my troubles are over, trying to login as an IPA user drops a permission denied error:

Creating directory '/share/user'.
Unable to create and initialize directory '/user'.
Permission denied

What can I do to fix that? What am I missing?

On Sat Jan 17 2015 at 11:31:23 AM Sina Owolabi notify.s...@gmail.com wrote:

> Hi
>
> I can't make head or tail of the output, but here it is attached. :-)
> Sorry about the how do I trace. I RTFM'ed myself.
>
> On Sat Jan 17 2015 at 11:23:00 AM Sina Owolabi notify.s...@gmail.com wrote:
>
> > How do I strace this, please?
> >
> > On Sat Jan 17 2015 at 10:59:22 AM Brian Topping brian.topp...@gmail.com wrote:
> >
> > > Did you try strace to see what files it is choking on?
> > >
> > > Sent from my iPhone
> > >
> > > On Jan 17, 2015, at 15:49, Sina Owolabi notify.s...@gmail.com wrote:
> > >
> > > > Thanks Tomas.
> > > >
> > > > List, please how do I get rid of this error:
> > > >
> > > > ipa-client-install --uninstall
> > > > *Disabling client Kerberos and LDAP configurations*
> > > > *Failed to remove krb5/LDAP configuration: *
> > > >
> > > > After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
> > > >
> > > > On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej tba...@redhat.com wrote:
> > > >
> > > > > On 01/15/2015 03:34 AM, Sina Owolabi wrote:
> > > > >
> > > > > > Hi List
> > > > > >
> > > > > > Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
> > > > > >
> > > > > > I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?
> > > > > >
> > > > > > Thanks!
> > > > >
> > > > > If your SSSD version is less than 1.9, you could try running
> > > > >
> > > > > ipa-advise config-generic-linux-sssd-before-1-9
> > > > >
> > > > > on the IPA server. This will provide setup instructions to run on the client.
> > > > >
> > > > > HTH,
> > > > >
> > > > > --
> > > > > Tomas Babej
> > > > > Associate Software Engineer | Red Hat | Identity Management
> > > > > RHCE | Brno Site | IRC: tbabej | freeipa.org
Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
Apparently I had to manually create the nfs4 mountpoint (/share) that kerberized nfs uses before the user's share would mount. I can login as the ipa user now.

Thanks everyone.

On Sat Jan 17 2015 at 11:51:27 AM Sina Owolabi notify.s...@gmail.com wrote:

> I think I've made a go of it!
>
> I was able to uninstall freeipa-client, and it complained about some leftover files, like so
>
> Removing freeipa-client ...
> dpkg: warning: while removing freeipa-client, directory '/var/lib/ipa-client/sysrestore' not empty so not removed
>
> I deleted and reinstalled, no problem.
>
> I now followed the instructions over at this helpful site:
> http://nadirlatif.me/installing-freeipa-client-debian/
>
> And now I'm joined to the domain!
>
> Of course this does not mean all my troubles are over, trying to login as an IPA user drops a permission denied error:
>
> Creating directory '/share/user'.
> Unable to create and initialize directory '/user'.
> Permission denied
>
> What can I do to fix that? What am I missing?
>
> On Sat Jan 17 2015 at 11:31:23 AM Sina Owolabi notify.s...@gmail.com wrote:
>
> > Hi
> >
> > I can't make head or tail of the output, but here it is attached. :-)
> > Sorry about the how do I trace. I RTFM'ed myself.
> >
> > On Sat Jan 17 2015 at 11:23:00 AM Sina Owolabi notify.s...@gmail.com wrote:
> >
> > > How do I strace this, please?
> > >
> > > On Sat Jan 17 2015 at 10:59:22 AM Brian Topping brian.topp...@gmail.com wrote:
> > >
> > > > Did you try strace to see what files it is choking on?
> > > >
> > > > Sent from my iPhone
> > > >
> > > > On Jan 17, 2015, at 15:49, Sina Owolabi notify.s...@gmail.com wrote:
> > > >
> > > > > Thanks Tomas.
> > > > >
> > > > > List, please how do I get rid of this error:
> > > > >
> > > > > ipa-client-install --uninstall
> > > > > *Disabling client Kerberos and LDAP configurations*
> > > > > *Failed to remove krb5/LDAP configuration: *
> > > > >
> > > > > After I've deleted everything I can think of? Uninstalling freeipa doesn't help, and I can't reinstall the server.
> > > > >
> > > > > On Thu Jan 15 2015 at 6:07:06 PM Tomas Babej tba...@redhat.com wrote:
> > > > >
> > > > > > On 01/15/2015 03:34 AM, Sina Owolabi wrote:
> > > > > >
> > > > > > > Hi List
> > > > > > >
> > > > > > > Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.
> > > > > > >
> > > > > > > I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?
> > > > > > >
> > > > > > > Thanks!
> > > > > >
> > > > > > If your SSSD version is less than 1.9, you could try running
> > > > > >
> > > > > > ipa-advise config-generic-linux-sssd-before-1-9
> > > > > >
> > > > > > on the IPA server. This will provide setup instructions to run on the client.
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > --
> > > > > > Tomas Babej
> > > > > > Associate Software Engineer | Red Hat | Identity Management
> > > > > > RHCE | Brno Site | IRC: tbabej | freeipa.org
[Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04
Hi List

Please is it really possible to have Debian and Ubuntu serve as IPA clients? I've tried some instructions/guidelines on the list and they always fail with the IPA client install being halfway completed and sssd's configuration file moved to .deleted.

I'm really interested in getting this to work and I'll appreciate any help I can get. Failing that are there any alternatives?

Thanks!
Re: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation
I've run ipa-dns-install after the fact now, and named is setup. Strange, it used to work without me having to do this manually (whenever I needed to take down a replica).

However when I ran dnsconfig-mod on the new replica, I get:

ipa dnsconfig-mod
ipa: ERROR: cert validation failed for CN=services01.mydom.com,O=MYDOM.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cert validation failed for CN=services.mydom.com,O=MYDOM.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, https://services.mydom.com/ipa/xml

On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi notify.s...@gmail.com wrote:

> I did run it with --setup-dns.
>
> [root@services01 ~]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 replica-info-services01.mydom.com.gpg
>
> How can I fix this, please?
>
> On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden rcrit...@redhat.com wrote:
>
> > Sina Owolabi wrote:
> >
> > > Hi List,
> > >
> > > I've seen this happen on two occasions, now, in two different environments, one with RHEL6.6 and RHEL 6.3.
> > >
> > > I have issues with a replica server, I delete the replication agreement, remove the server from ipa dns, run ipa-server-install --uninstall -U. Reboot the server, create new replication settings from the existing master, and restore the replica.
> > >
> > > Running ipactl status, I see:
> > >
> > > ipactl status
> > > Directory Service: RUNNING
> > > KDC Service: RUNNING
> > > KPASSWD Service: RUNNING
> > > MEMCACHE Service: RUNNING
> > > HTTP Service: RUNNING
> > >
> > > No DNS service listed. Named is not running.
> > >
> > > ipactl restart
> > > Restarting Directory Service
> > > Shutting down dirsrv: MYDOM-COM... [ OK ]
> > > Starting dirsrv: MYDOM-COM... [ OK ]
> > > Restarting KDC Service
> > > Stopping Kerberos 5 KDC: [ OK ]
> > > Starting Kerberos 5 KDC: [ OK ]
> > > Restarting KPASSWD Service
> > > Stopping Kerberos 5 Admin Server: [ OK ]
> > > Starting Kerberos 5 Admin Server: [ OK ]
> > > Restarting MEMCACHE Service
> > > Stopping ipa_memcached: [ OK ]
> > > Starting ipa_memcached: [ OK ]
> > > Restarting HTTP Service
> > > Stopping httpd: [ OK ]
> > > Starting httpd: [ OK ]
> > >
> > > Checking on named:
> > >
> > > service named status
> > > rndc: connect failed: 127.0.0.1#953: connection refused
> > > named is stopped
> > >
> > > # service named start
> > > Starting named: [ OK ]
> > >
> > > # service named status
> > > version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> > > CPUs found: 2
> > > worker threads: 2
> > > number of zones: 19
> > > debug level: 0
> > > xfers running: 0
> > > xfers deferred: 0
> > > soa queries in progress: 0
> > > query logging is OFF
> > > recursive clients: 0/0/1000
> > > tcp clients: 0/100
> > > server is up and running
> > > named (pid 25017) is running...
> > >
> > > But it does not resolve.
> > >
> > > Please what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.
> >
> > Bind is an optional service. You can either configure it at the time you install the replica using the --setup-dns option or afterward using ipa-dns-install.
> >
> > rob
Re: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation
I did run it with --setup-dns.

[root@services01 ~]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 replica-info-services01.mydom.com.gpg

How can I fix this, please?

On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden rcrit...@redhat.com wrote:

> Sina Owolabi wrote:
>
> > Hi List,
> >
> > I've seen this happen on two occasions, now, in two different environments, one with RHEL6.6 and RHEL 6.3.
> >
> > I have issues with a replica server, I delete the replication agreement, remove the server from ipa dns, run ipa-server-install --uninstall -U. Reboot the server, create new replication settings from the existing master, and restore the replica.
> >
> > Running ipactl status, I see:
> >
> > ipactl status
> > Directory Service: RUNNING
> > KDC Service: RUNNING
> > KPASSWD Service: RUNNING
> > MEMCACHE Service: RUNNING
> > HTTP Service: RUNNING
> >
> > No DNS service listed. Named is not running.
> >
> > ipactl restart
> > Restarting Directory Service
> > Shutting down dirsrv: MYDOM-COM... [ OK ]
> > Starting dirsrv: MYDOM-COM... [ OK ]
> > Restarting KDC Service
> > Stopping Kerberos 5 KDC: [ OK ]
> > Starting Kerberos 5 KDC: [ OK ]
> > Restarting KPASSWD Service
> > Stopping Kerberos 5 Admin Server: [ OK ]
> > Starting Kerberos 5 Admin Server: [ OK ]
> > Restarting MEMCACHE Service
> > Stopping ipa_memcached: [ OK ]
> > Starting ipa_memcached: [ OK ]
> > Restarting HTTP Service
> > Stopping httpd: [ OK ]
> > Starting httpd: [ OK ]
> >
> > Checking on named:
> >
> > service named status
> > rndc: connect failed: 127.0.0.1#953: connection refused
> > named is stopped
> >
> > # service named start
> > Starting named: [ OK ]
> >
> > # service named status
> > version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> > CPUs found: 2
> > worker threads: 2
> > number of zones: 19
> > debug level: 0
> > xfers running: 0
> > xfers deferred: 0
> > soa queries in progress: 0
> > query logging is OFF
> > recursive clients: 0/0/1000
> > tcp clients: 0/100
> > server is up and running
> > named (pid 25017) is running...
> >
> > But it does not resolve.
> >
> > Please what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.
>
> Bind is an optional service. You can either configure it at the time you install the replica using the --setup-dns option or afterward using ipa-dns-install.
>
> rob
Re: [Freeipa-users] Replica Server's ipactl does not control named after reinstallation
Yes, I've had this installed more than three years, and I upgrade from time to time, not frequently because I don't want to break anything. I just did an upgrade to the latest RHEL version about a week ago, when the replica started acting up. Directory services would hang indefinitely, and nothing else would function. So I took it down and reinstalled ipa and resynced.

Is there a fix I can apply?

On Jan 10, 2015 10:42 PM, Dmitri Pal d...@redhat.com wrote:

> On 01/10/2015 04:41 AM, Sina Owolabi wrote:
>
> > I've run ipa-dns-install after the fact now, and named is setup. Strange, it used to work without me having to do this manually (whenever I needed to take down a replica).
> >
> > However when I ran dnsconfig-mod on the new replica, I get:
> >
> > ipa dnsconfig-mod
> > ipa: ERROR: cert validation failed for CN=services01.mydom.com,O=MYDOM.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> > ipa: ERROR: cert validation failed for CN=services.mydom.com,O=MYDOM.COM ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)
> > ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://services01.mydom.com/ipa/xml, https://services.mydom.com/ipa/xml
>
> Can it be that your certs have expired and were not properly renewed? How long have you been running this setup? More than two years? Have you been upgrading since early versions?
>
> > On Sat, Jan 10, 2015 at 10:22 AM, Sina Owolabi notify.s...@gmail.com wrote:
> >
> > > I did run it with --setup-dns.
> > >
> > > [root@services01 ~]# ipa-replica-install --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4 replica-info-services01.mydom.com.gpg
> > >
> > > How can I fix this, please?
> > >
> > > On Fri, Jan 9, 2015 at 8:33 PM, Rob Crittenden rcrit...@redhat.com wrote:
> > >
> > > > Sina Owolabi wrote:
> > > >
> > > > > Hi List,
> > > > >
> > > > > I've seen this happen on two occasions, now, in two different environments, one with RHEL6.6 and RHEL 6.3.
> > > > >
> > > > > I have issues with a replica server, I delete the replication agreement, remove the server from ipa dns, run ipa-server-install --uninstall -U. Reboot the server, create new replication settings from the existing master, and restore the replica.
> > > > >
> > > > > Running ipactl status, I see:
> > > > >
> > > > > ipactl status
> > > > > Directory Service: RUNNING
> > > > > KDC Service: RUNNING
> > > > > KPASSWD Service: RUNNING
> > > > > MEMCACHE Service: RUNNING
> > > > > HTTP Service: RUNNING
> > > > >
> > > > > No DNS service listed. Named is not running.
> > > > >
> > > > > ipactl restart
> > > > > Restarting Directory Service
> > > > > Shutting down dirsrv: MYDOM-COM... [ OK ]
> > > > > Starting dirsrv: MYDOM-COM... [ OK ]
> > > > > Restarting KDC Service
> > > > > Stopping Kerberos 5 KDC: [ OK ]
> > > > > Starting Kerberos 5 KDC: [ OK ]
> > > > > Restarting KPASSWD Service
> > > > > Stopping Kerberos 5 Admin Server: [ OK ]
> > > > > Starting Kerberos 5 Admin Server: [ OK ]
> > > > > Restarting MEMCACHE Service
> > > > > Stopping ipa_memcached: [ OK ]
> > > > > Starting ipa_memcached: [ OK ]
> > > > > Restarting HTTP Service
> > > > > Stopping httpd: [ OK ]
> > > > > Starting httpd: [ OK ]
> > > > >
> > > > > Checking on named:
> > > > >
> > > > > service named status
> > > > > rndc: connect failed: 127.0.0.1#953: connection refused
> > > > > named is stopped
> > > > >
> > > > > # service named start
> > > > > Starting named: [ OK ]
> > > > >
> > > > > # service named status
> > > > > version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
> > > > > CPUs found: 2
> > > > > worker threads: 2
> > > > > number of zones: 19
> > > > > debug level: 0
> > > > > xfers running: 0
> > > > > xfers deferred: 0
> > > > > soa queries in progress: 0
> > > > > query logging is OFF
> > > > > recursive clients: 0/0/1000
> > > > > tcp clients: 0/100
> > > > > server is up and running
> > > > > named (pid 25017) is running...
> > > > >
> > > > > But it does not resolve.
> > > > >
> > > > > Please what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.
> > > >
> > > > Bind is an optional service. You can either configure it at the time you install the replica using the --setup-dns option or afterward using ipa-dns-install.
> > > >
> > > > rob
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] Replica Server's ipactl does not control named after reinstallation
Hi List,

I've seen this happen on two occasions, now, in two different environments, one with RHEL6.6 and RHEL 6.3.

I have issues with a replica server, I delete the replication agreement, remove the server from ipa dns, run ipa-server-install --uninstall -U. Reboot the server, create new replication settings from the existing master, and restore the replica.

Running ipactl status, I see:

ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

No DNS service listed. Named is not running.

ipactl restart
Restarting Directory Service
Shutting down dirsrv: MYDOM-COM... [ OK ]
Starting dirsrv: MYDOM-COM... [ OK ]
Restarting KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Starting Kerberos 5 KDC: [ OK ]
Restarting KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Starting Kerberos 5 Admin Server: [ OK ]
Restarting MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Starting ipa_memcached: [ OK ]
Restarting HTTP Service
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Checking on named:

service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped

# service named start
Starting named: [ OK ]

# service named status
version: 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1
CPUs found: 2
worker threads: 2
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
named (pid 25017) is running...

But it does not resolve.

Please what is happening and how can I fix this? I don't know what logs to provide, but please let me know what is necessary and I'll make them available.

Thanks!
Re: [Freeipa-users] Sudo Commands and groups confusion
Thank you so very much for the replies. What I did actually worked (adding command groups to a sudorule), but not on two of the servers I was testing with. It worked so well that I did it twice again :-) What I'm curious about is the two servers that still ask for a sudo password. One of them brings out long output when I try (debug is set to 1). Unfortunately they are business critical and can't be rebooted if I want to live to see tomorrow :-) What do you think?

    [oowolabi@waphost ~]$ sudo service httpd status
    sudo: ldap_set_option: debug - 0
    sudo: ldap_set_option: tls_checkpeer - 1
    sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
    sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
    sudo: ldap_set_option: ldap_version - 3
    sudo: ldap_set_option: timelimit - 15
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: Looking for cn=defaults: cn=defaults
    sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
    sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#72189)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#72180)(sudoUser=%#72186)(sudoUser=%#72188)(sudoUser=ALL))'
    sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
    sudo: adding search result
    sudo: result now has 0 entries
    sudo: ldap search '(sudoUser=+*)'
    sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
    sudo: adding search result
    sudo: result now has 0 entries
    sudo: sorting remaining 0 entries
    sudo: searching LDAP for sudoers entries
    sudo: done with LDAP searches
    sudo: user_matches=1
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x40
    [sudo] password for oowolabi:
    oowolabi is not allowed to run sudo on waphost.  This incident will be reported.

On Wed, Jun 12, 2013 at 8:48 AM, Matt . <yamakasi@gmail.com> wrote:

> Hi,
>
> A lot of people seem to have problems with Sudo and FreeIPA. How to enable sudo is described here: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
> The problem we are facing, also discussed on IRC, is that the local sudoers file of the client is consulted to see whether the logged-in user may sudo. Of course the username is not known there. The workaround for now seems to be adding the username to the local sudoers file and commenting the following lines on the local client:
>
>     # cat /etc/pam.d/password-auth
>     #%PAM-1.0
>     # This file is auto-generated.
>     # User changes will be destroyed the next time authconfig is run.
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_sss.so use_first_pass
>     auth        required      pam_deny.so
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     #account    [default=bad success=ok user_unknown=ignore] pam_sss.so
>     account     required      pam_permit.so
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     password    sufficient    pam_sss.so use_authtok
>     password    required      pam_deny.so
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>     session     required      pam_unix.so
>     session     optional      pam_sss.so
>
>     # cat /etc/pam.d/system-auth
>     #%PAM-1.0
>     # This file is auto-generated.
>     # User changes will be destroyed the next time authconfig is run.
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        sufficient    pam_sss.so use_first_pass
>     auth        required      pam_deny.so
>     account     required      pam_unix.so
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     #account    [default=bad success=ok user_unknown=ignore] pam_sss.so
>     account     required      pam_permit.so
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     password    sufficient    pam_sss.so use_authtok
>     password    required      pam_deny.so
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>     session     required      pam_unix.so
>     session     optional      pam_sss.so
>
> This is not what we want with a centralized auth and policy system, so I hope we can fix this bug soon. Ideas are welcome!
>
> Cheers,
> Matt
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
best regards,
Sina
Re: [Freeipa-users] Sudo Commands and groups confusion
Thank you for the reply Alex, though I'm a little confused as to whether I am answering the correct email. I have taken a look at the example sssd.conf you advised, and I'm a little curious whether the configuration supports having multiple IPA servers? I have a multi-master setup with two servers. I tried to add both servers to the ldap uri and to the krb5 section, but the service refused to start. Also I have to note that this not being able to sudo only seems to affect physical servers, and not the virtual machines I have applied it against. Also, unfortunately, this didn't work either. I guess I will try a reboot first if I can.

sudo debug:

    [root@waphost IPA-configs]# su - oowolabi
    [oowolabi@waphost ~]$ sudo service httpd status
    sudo: ldap_set_option: debug - 0
    sudo: ldap_set_option: tls_checkpeer - 1
    sudo: ldap_set_option: tls_cacertfile - /etc/ipa/ca.crt
    sudo: ldap_set_option: tls_cacert - /etc/ipa/ca.crt
    sudo: ldap_set_option: ldap_version - 3
    sudo: ldap_set_option: timelimit - 15
    sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
    sudo: ldap_start_tls_s() ok
    sudo: ldap_sasl_bind_s() ok
    sudo: Looking for cn=defaults: cn=defaults
    sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
    sudo: ldap search '(|(sudoUser=oowolabi)(sudoUser=%oowolabi)(sudoUser=%#72189)(sudoUser=%admins)(sudoUser=%employees)(sudoUser=%qrios)(sudoUser=%#72180)(sudoUser=%#72186)(sudoUser=%#72188)(sudoUser=ALL))'
    sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
    sudo: adding search result
    sudo: result now has 0 entries
    sudo: ldap search '(sudoUser=+*)'
    sudo: searching from base 'ou=SUDOers,dc=qrios,dc=com'
    sudo: adding search result
    sudo: result now has 0 entries
    sudo: sorting remaining 0 entries
    sudo: searching LDAP for sudoers entries
    sudo: done with LDAP searches
    sudo: user_matches=1
    sudo: host_matches=0
    sudo: sudo_ldap_lookup(0)=0x40
    [sudo] password for oowolabi:
    oowolabi is not allowed to run sudo on waphost.  This incident will be reported.
    [oowolabi@waphost ~]$ exit

On Wed, Jun 12, 2013 at 10:10 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Wed, 12 Jun 2013, Matt . wrote:
> > Hi,
> > A lot of people seem to have problems with Sudo and FreeIPA. How to enable sudo is described here: http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> > The problem we are facing, also discussed on IRC, is that the local sudoers file of the client is consulted to see whether the logged-in user may sudo. Of course the username is not known there.
>
> Not sure what exactly is your problem? Could you please rephrase and show it with logs again?
>
> If you are using SSSD's sudo integration against the IPA server, then here is what you need to get it working on Fedora 18/19 and RHEL 6.4:
>
> 1. Install the libsss_sudo package
> 2. Add/change the following line in /etc/nsswitch.conf:
>        sudoers: files sss
> 3. Make sure your /etc/sssd/sssd.conf looks like this example: http://abbra.fedorapeople.org/.paste/sssd.conf.example
> 4. Restart sssd
>
> These are the only actions I needed to get sudo working for IPA users on Fedora 19 and RHEL 6.4.
>
> Please note that "sudoers: files sss" gives you a chance to have local users configured in the local sudoers. If you don't want them to be able to use sudo, just change the line in /etc/nsswitch.conf to
>        sudoers: sss
>
> --
> / Alexander Bokovoy

--
best regards,
Sina Owolabi
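As an added example, not code from the thread, here is a small bash checker for the two things discussed above: it reads a sudo debug transcript like the one Sina posted and reports whether the rule failed on the user or on the host, and it checks whether a client's nsswitch.conf lists sss on its sudoers line as in Alexander's step 2. The debug transcript and nsswitch fragment below are constructed samples.

```shell
#!/bin/bash
# Added example, not from the thread: two checks for a client where sudo keeps
# asking for a password: (1) read user_matches/host_matches from a sudo-ldap
# debug run (ldap_set_option lines mean sudo queries LDAP directly, not SSSD),
# (2) confirm /etc/nsswitch.conf lists sss on its sudoers: line (step 2 above).

# Constructed sample of the debug output quoted in the thread (abridged).
SAMPLE_DEBUG='sudo: ldap_sasl_bind_s() ok
sudo: no default options found in ou=SUDOers,dc=qrios,dc=com
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40'

# Constructed nsswitch.conf fragment still lacking the sss source.
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
sudoers:    files'

# diagnose_sudo_debug TEXT -> prints user-no-match, host-no-match or match
diagnose_sudo_debug() {
  local text="$1" user host
  user=$(printf '%s\n' "$text" | sed -n 's/^sudo: user_matches=\([01]\).*/\1/p' | tail -n1)
  host=$(printf '%s\n' "$text" | sed -n 's/^sudo: host_matches=\([01]\).*/\1/p' | tail -n1)
  if [ "${user:-0}" != 1 ]; then
    echo user-no-match      # no sudoRole named this user or any of their groups
  elif [ "${host:-0}" != 1 ]; then
    echo host-no-match      # a rule matched the user but not this host
  else
    echo match
  fi
}

# nsswitch_sudoers_sources TEXT -> prints the sources on the sudoers: line
nsswitch_sudoers_sources() {
  printf '%s\n' "$1" | sed -n 's/^sudoers:[[:space:]]*//p' | tail -n1
}

# sss_in_sudoers TEXT -> returns 0 when sss is among the sudoers sources
sss_in_sudoers() {
  case " $(nsswitch_sudoers_sources "$1") " in
    *" sss "*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Stand-alone run on the constructed samples.
echo "debug verdict: $(diagnose_sudo_debug "$SAMPLE_DEBUG")"   # host-no-match
sss_in_sudoers "$SAMPLE_NSSWITCH" || echo "nsswitch: add sss to the sudoers: line"
```

On a real client, feed it the output of a debug-enabled sudo run and the contents of /etc/nsswitch.conf instead of the samples.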
Re: [Freeipa-users] Sudo Commands and groups confusion
I rebooted one of the servers and it worked! Thanks a lot

On Wed, Jun 12, 2013 at 6:29 PM, Sina Owolabi <shinacaly...@gmail.com> wrote:

> Thank you for the reply Alex, though I'm a little confused as to whether I am answering the correct email. I have taken a look at the example sssd.conf you advised, and I'm a little curious whether the configuration supports having multiple IPA servers?
> [...]

--
best regards,
Sina Owolabi
[Freeipa-users] Sudo Commands and groups confusion
Hi,

Please help me understand what I am doing wrong. I'm using two RHEL 6.4 IPA servers in a multi-master configuration. Instead of creating multiple sudocmdgroups and sudo rules, I tried to subset what I could see in the /etc/sudoers files and have nested command groups and rules, to be applied to certain users and hostgroups as needed.

I have a hostgroup called allservers, which applies to all servers. The allservers hostgroup is a member of the sudo rule admin-commands, which I created for specific users to be able to run admin commands on all servers. I have added as members multiple sudogroups, each of which has a number of commands inside it. Despite this, I find that sudo does not allow me to run any command as the users added to the admin-commands rule. Please help me see where my logic is broken, and what to do to fix it. Thanks a lot in advance.

My sudo-ldap.conf is correctly configured, and so is nsswitch.conf. Output is below:

    sudo service httpd status
    [sudo] password for tuser:
    tuser is not allowed to run sudo on waphost.  This incident will be reported.

    ipa sudorule-find admin-commands
    ---
    1 Sudo Rule matched
    ---
      Rule name: admin-commands
      Enabled: TRUE
      Users: tuser
      Host Groups: allservers
      Sudo Allow Command Groups: locate, networking, rooting, services, software, storage
      Sudo Option: !authenticate
    Number of entries returned 1

--
best regards,
Sina Owolabi