[Freeipa-users] UNABLE TO SEARCH HBAC RULE
Hi,

We have created a user with HBAC Admin permission which has the below permissions (default as provided by IPA):

System: Add HBAC Rule
System: Add HBAC Service Groups
System: Add HBAC Services
System: Delete HBAC Rule
System: Delete HBAC Service Groups
System: Delete HBAC Services
System: Manage HBAC Rule Membership
System: Manage HBAC Service Group Membership
System: Modify HBAC Rule

When I try to add the below in a new RBAC, it denies the operation as it is already open for all.

System: Read HBAC Rules
System: Read HBAC Service Groups
System: Read HBAC Services

If we change it to a permission, then login is failing.

Please suggest what we need to do so that the HBAC admin can search the HBAC rule in the FreeIPA rule.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks
http://in.linkedin.com/in/yks
https://twitter.com/checkwithyogesh
http://google.com/+YogeshSharmaOnGooglePlus

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Unable to search HBAC Rule
Hi Martin,

FreeIPA version 4.1.0

Will look into the workaround. Thanks

Best Regards,
Yogesh Sharma

On Wed, Jan 20, 2016 at 7:04 PM, Martin Basti <mba...@redhat.com> wrote:
> On 20.01.2016 14:26, Yogesh Sharma wrote:
>> Hi,
>>
>> We have created a user with HBAC Admin permission which has the below
>> permissions (default as provided by IPA):
>>
>> System: Add HBAC Rule
>> System: Add HBAC Service Groups
>> System: Add HBAC Services
>> System: Delete HBAC Rule
>> System: Delete HBAC Service Groups
>> System: Delete HBAC Services
>> System: Manage HBAC Rule Membership
>> System: Manage HBAC Service Group Membership
>> System: Modify HBAC Rule
>>
>> When I try to add the below in a new RBAC, it denies the operation as it is
>> already open for all.
>>
>> System: Read HBAC Rules
>> System: Read HBAC Service Groups
>> System: Read HBAC Services
>>
>> If we change it to a permission, then login is failing.
>>
>> Please suggest what we need to do so that the HBAC admin can search the HBAC
>> rule in the FreeIPA rule.
>
> Hello, which version of IPA do you use?
>
> This has been fixed (workaround).
> https://fedorahosted.org/freeipa/ticket/5130
>
> The proper fix requires changes in DS ACI evaluation that should be in
> RHEL 7.3
>
> Martin
[Freeipa-users] IPA Users unable to run Cron
Team,

None of the ipa-users are able to execute crons on any servers. If we create a local user then we are able to do so.

There is no cron.allow and we do not have any user listed in cron.deny.

Is there something from the FreeIPA end which is blocking? Just a confirmation, as we continue to troubleshoot it further at our end.

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] IPA Users unable to run Cron
HBAC has "Any Service" enabled. However, while doing an HBAC Test, I am getting Access Denied. Checking it.

Thanks for the suggestion. Any further suggestion would be helpful.

Best Regards,
Yogesh Sharma

On Mon, Jan 11, 2016 at 2:14 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jan 11, 2016 at 02:06:01PM +0530, Yogesh Sharma wrote:
>> Team,
>>
>> None of the ipa-users are able to execute crons on any servers. If we
>> create a local user then we are able to do so.
>>
>> There is no cron.allow and we do not have any user listed in cron.deny.
>>
>> Is there something from the FreeIPA end which is blocking? Just a
>> confirmation, as we continue to troubleshoot it further at our end.
>
> Does HBAC allow the cron services?
[Freeipa-users] Need Suggestion on Multi Realm Environment
List,

I have a FreeIPA Server in domain/Realm klikpay.int. We have a few hosts/clients in another domain, sd.int. As the number of servers is very small we do not want to have a new FreeIPA server for the same, and I think having a common one will be easy to manage.

I have created a separate forward and reverse zone for sd.int, and am able to register the server successfully, but somehow, while registering a client, we noticed that the sd.int domain servers are still going into the klikpay.int realm only. Further, they are not getting registered with DNS either.

Below are some of the tests I executed:

Test-1

ipa-client-install --principal=admin --password=x --mkhomedir --no-ntp
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com):

Test-2

ipa-client-install --principal=admin --password=xxx --mkhomedir --no-ntp --domain=sd.int
Provide your IPA server name (ex: ipa.example.com): ipa-inf-prd-sg1-01.klikpay.int
Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
TCP: 80, 88, 389
UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
TCP: 464
UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
IPA client is not configured on this system.

However, I can confirm all ports are reachable:

# for i in 80 88 389 636 464;do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i;done
Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps] succeeded!
Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd] succeeded!

Test-3:

ipa-client-install --principal=admin --password=xxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int
Discovery was successful!
Hostname: imsadmin-app-prd-sg1-01.sd.int
Realm: KLIKPAY.INT
DNS Domain: klikpay.int
IPA Server: ipa-inf-prd-ng2-02.klikpay.int
BaseDN: dc=klikpay,dc=int

Continue to configure the system with these values? [no]: yes
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=KLIKPAY.INT
Issuer: CN=Certificate Authority,O=KLIKPAY.INT
Valid From: Fri Aug 14 11:39:47 2015 UTC
Valid Until: Tue Aug 14 11:39:47 2035 UTC

Enrolled in IPA realm KLIKPAY.INT
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configuring sd.int as NIS domain
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

It would be helpful if I could get some reference on how we can do it.

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] Need Suggestion on Multi Realm Environment
This is fixed. Found an issue with the BIND Update Policy and got some reference from https://www.redhat.com/archives/freeipa-users/2015-May/msg00399.html . Working fine now.

grant KLIKPAY.INT krb5-self * A;
grant KLIKPAY.INT krb5-self * ;
grant KLIKPAY.INT krb5-self * SSHFP;

Best Regards,
Yogesh Sharma

On Thu, Jan 7, 2016 at 5:13 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> List,
>
> I have a FreeIPA Server in domain/Realm klikpay.int. We have a few
> hosts/clients in another domain, sd.int. As the number of servers is very
> small we do not want to have a new FreeIPA server for the same, and I think
> having a common one will be easy to manage.
>
> I have created a separate forward and reverse zone for sd.int, and am able
> to register the server successfully, but somehow, while registering a
> client, we noticed that the sd.int domain servers are still going into the
> klikpay.int realm only. Further, they are not getting registered with DNS
> either.
>
> Below are some of the tests I executed:
>
> Test-1
>
> ipa-client-install --principal=admin --password=x --mkhomedir --no-ntp
> DNS discovery failed to determine your DNS domain
> Provide the domain name of your IPA server (ex: example.com):
>
> Test-2
>
> ipa-client-install --principal=admin --password=xxx --mkhomedir --no-ntp --domain=sd.int
> Provide your IPA server name (ex: ipa.example.com): ipa-inf-prd-sg1-01.klikpay.int
> Failed to verify that ipa-inf-prd-sg1-01.klikpay.int is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
> TCP: 80, 88, 389
> UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
> TCP: 464
> UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> However, I can confirm all ports are reachable:
>
> # for i in 80 88 389 636 464;do nc -vz ipa-inf-prd-sg1-01.klikpay.int $i;done
> Connection to ipa-inf-prd-sg1-01.klikpay.int 80 port [tcp/http] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 88 port [tcp/kerberos] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 389 port [tcp/ldap] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 636 port [tcp/ldaps] succeeded!
> Connection to ipa-inf-prd-sg1-01.klikpay.int 464 port [tcp/kpasswd] succeeded!
>
> Test-3:
>
> ipa-client-install --principal=admin --password=xxx --mkhomedir --no-ntp --domain=klikpay.int --nisdomain=sd.int
> Discovery was successful!
> Hostname: imsadmin-app-prd-sg1-01.sd.int
> Realm: KLIKPAY.INT
> DNS Domain: klikpay.int
> IPA Server: ipa-inf-prd-ng2-02.klikpay.int
> BaseDN: dc=klikpay,dc=int
>
> Continue to configure the system with these values? [no]: yes
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=KLIKPAY.INT
> Issuer: CN=Certificate Authority,O=KLIKPAY.INT
> Valid From: Fri Aug 14 11:39:47 2015 UTC
> Valid Until: Tue Aug 14 11:39:47 2035 UTC
>
> Enrolled in IPA realm KLIKPAY.INT
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
> trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
> Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Hostname (imsadmin-app-prd-sg1-01.sd.int) not found in DNS
> Failed to update DNS records.
> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
> Could not update DNS SSHFP records
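The fix posted above works because the sd.int zone's update policy has to grant krb5-self to hosts of the KLIKPAY.INT realm, which is the realm the sd.int clients actually enrolled in, for each record type the client pushes at enrollment. The checker below is an added example, not code from this thread or from FreeIPA/bind-dyndb-ldap; it parses a BIND update-policy string and reports which of A, AAAA and SSHFP (the types FreeIPA's own default zone policy grants) lack a krb5-self grant for a given realm, honouring BIND's first-matching-rule evaluation. The policy strings are constructed.

```python
"""Check a BIND update-policy for the krb5-self grants FreeIPA clients need.

Added example; not code from the thread or from FreeIPA/bind-dyndb-ldap.
The policy strings are constructed and follow the
`grant REALM krb5-self * TYPE;` statements posted as the fix.
"""
import re

# grant|deny identity ruletype name [types];   (BIND update-policy syntax)
RULE_RE = re.compile(
    r"(?P<verb>grant|deny)\s+(?P<identity>[^;\s]+)\s+(?P<rule>[^;\s]+)\s+"
    r"(?P<name>[^;\s]+)\s*(?P<types>[^;]*);"
)

# Records a FreeIPA client updates at enrollment: address records and SSHFP.
# This is the set FreeIPA's default zone update policy grants via krb5-self.
CLIENT_TYPES = ("A", "AAAA", "SSHFP")


def parse_update_policy(policy):
    """Return (verb, identity, ruletype, name, frozenset of types) per statement."""
    rules = []
    for m in RULE_RE.finditer(policy):
        types = frozenset(t.upper() for t in m.group("types").split())
        rules.append((m.group("verb"), m.group("identity"), m.group("rule"),
                      m.group("name"), types))
    return rules


def missing_krb5_self_types(policy, realm, wanted=CLIENT_TYPES):
    """Types in `wanted` that hosts of `realm` cannot update via krb5-self.

    BIND applies the first statement that matches an update, so a deny that
    precedes a grant wins, and an empty type list means all (ordinary) types.
    """
    rules = parse_update_policy(policy)
    missing = []
    for rtype in wanted:
        decision = "deny"  # no matching statement: the update is refused
        for verb, identity, rule, _name, types in rules:
            if rule != "krb5-self" or identity.upper() != realm.upper():
                continue
            if types and rtype not in types and "ANY" not in types:
                continue
            decision = verb
            break
        if decision != "grant":
            missing.append(rtype)
    return missing


if __name__ == "__main__":
    # Constructed policy in the shape of the posted fix (AAAA added).
    policy = ("grant KLIKPAY.INT krb5-self * A; "
              "grant KLIKPAY.INT krb5-self * AAAA; "
              "grant KLIKPAY.INT krb5-self * SSHFP;")
    for realm in ("KLIKPAY.INT", "SD.INT"):
        print(realm, "missing:", missing_krb5_self_types(policy, realm))
```

A host enrolled in KLIKPAY.INT but living in the sd.int zone is only covered if the sd.int zone's policy names KLIKPAY.INT, which is exactly what the second realm check above reports.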
Re: [Freeipa-users] Two Factor = SSHKeys + OTP or Password
Thanks. After upgrading openssh to 6.1 and using AuthenticationMethods, it works.

-Yogesh Sharma
(Sent from my HTC)

On 22-Dec-2015 8:51 pm, "Sumit Bose" <sb...@redhat.com> wrote:
> On Tue, Dec 22, 2015 at 06:51:25PM +0530, Yogesh Sharma wrote:
>> Hi List,
>>
>> Did not see any options for SSH Keys + OTP or Password; however, I would
>> like to know if it is possible with a FreeIPA user.
>>
>> With Generic SSH, we can use AuthenticationMethods, but not sure where
>> to check in FreeIPA.
>
> I think there is nothing specific about FreeIPA here. If you set on a
> IPA client 'AuthenticationMethods = publickey,password' in sshd_config,
> sshd will check the ssh key first and then ask the user for a password.
>
> If the user is configured to use OTP on the IPA server then you have to
> enter not only the password but the OTP token as well.
>
> HTH
>
> bye,
> Sumit
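Sumit's advice rests on how sshd evaluates AuthenticationMethods: each space-separated alternative is a comma-separated sequence that must all succeed, and without the directive (or with "any") a single successful method is enough, so a key alone would log the user in. The checker below is an added example, not code from this thread, OpenSSH or FreeIPA; it parses a constructed sshd_config fragment (accepting both the "Keyword value" and the "Keyword = value" spelling Sumit used) and reports whether every alternative requires publickey plus a password or keyboard-interactive step, the prompt at which an IPA user supplies password and OTP.

```python
"""Check whether sshd_config enforces an SSH key plus a second step.

Added example; not code from the thread, OpenSSH or FreeIPA.
SAMPLE_SSHD_CONFIG is a constructed fragment.
"""
import re

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
AuthenticationMethods = publickey,password publickey,keyboard-interactive:pam
Match User backup
    AuthenticationMethods publickey
"""

# sshd accepts "Keyword value" and "Keyword = value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^(?P<key>\w+)\s*=?\s*(?P<val>.*)$")


def parse_sshd_config(text):
    """Global settings as {lowercase keyword: value}; first occurrence wins, like sshd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break  # Match blocks are per user/host; only the global section is checked here
        opts.setdefault(key, m.group("val").strip())
    return opts


def method_alternatives(opts):
    """AuthenticationMethods: space-separated alternatives, each a comma-separated sequence.

    A 'keyboard-interactive:pam' style submethod is reduced to its base method.
    """
    raw = opts.get("authenticationmethods", "any")
    if raw.lower() == "any":
        return []  # sshd default: any single successful method is sufficient
    return [[m.split(":")[0].lower() for m in alt.split(",")] for alt in raw.split()]


def enforces_key_plus_second_step(opts):
    """True only if every alternative requires publickey AND a password-style step."""
    alts = method_alternatives(opts)
    if not alts:
        return False
    for seq in alts:
        if "publickey" not in seq:
            return False
        if not any(m in seq for m in ("password", "keyboard-interactive")):
            return False
    # The listed methods must also be enabled, otherwise sshd refuses every login.
    if opts.get("pubkeyauthentication", "yes").lower() == "no":
        return False
    return True


if __name__ == "__main__":
    print(enforces_key_plus_second_step(parse_sshd_config(SAMPLE_SSHD_CONFIG)))
```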
[Freeipa-users] Two Factor = SSHKeys + OTP or Password
Hi List,

Did not see any options for SSH Keys + OTP or Password; however, I would like to know if it is possible with a FreeIPA user.

With Generic SSH, we can use AuthenticationMethods, but not sure where to check in FreeIPA.

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] IPA Replication not working for User and DNS
LDAPS is also fine:

[root@ipa-inf-prd-ng2-02 ~]# ldapsearch -x -H ldaps://ipa-inf-prd-ng2-01.klikpay.int -s base -b '' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: cn=changelog
namingContexts: dc=klikpay,dc=int
namingContexts: o=ipaca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa-inf-prd-ng2-02 ~]#

Best Regards,
Yogesh Sharma

On Mon, Nov 2, 2015 at 6:00 PM, Martin Basti <mba...@redhat.com> wrote:
> On 02.11.2015 08:01, Yogesh Sharma wrote:
>> Listening:
>>
>> [root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 636
>> Trying 172.16.32.10...
>> Connected to ipa-inf-prd-ng2-01.klikpay.int.
>> Escape character is '^]'.
>
> Can you try also ldaps with ldapsearch?
>
>> On Mon, Nov 2, 2015 at 12:23 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>> On Mon, 02 Nov 2015, Yogesh Sharma wrote:
>>>> Adding to this, I am able to do ldapsearch from the server which I am
>>>> trying to make a replica.
>>>>
>>>> [root@ipa-inf-prd-ng2-02 ~]# ldapsearch -x -H ldap://ipa-inf-prd-ng2-01.klikpay.int -s base -b '' namingContexts
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <> with scope baseObject
>>>> # filter: (objectclass=*)
>>>> # requesting: namingContexts
>>>> #
>>>
>>> What about port 636? Replica install requires LDAPS.
>>>
>>> --
>>> / Alexander Bokovoy
Re: [Freeipa-users] IPA Replication not working for User and DNS
Tried to re-enroll the replica; however, I am getting the same error, though I am able to connect to the server.

=
Starting replication, please wait until this has completed.
[ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
[error] RuntimeError: Failed to start replication
=

[root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 389
Trying 172.16.32.10...
Connected to ipa-inf-prd-ng2-01.klikpay.int.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@ipa-inf-prd-ng2-02 ~]#

Best Regards,
Yogesh Sharma

On Fri, Oct 30, 2015 at 7:05 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Yogesh Sharma wrote:
>> Team,
>>
>> Noticed that users created on the IPA Master are not replicating on the Replica.
>>
>> Also, we created a new Zone in the Master; however, we do not see the same
>> in the replica server.
>
> You need to figure out why ipa-inf-prd-ng2-01.klikpay.int can't contact
> port 389 on ipa-inf-prd-ng2-02.klikpay.int. It may be someone threw up a
> firewall without telling you, or someone tweaked the rules on either of
> those boxes.
>
> Doing re-init, force-sync, etc is always going to fail if one can't talk
> to the other.
>
> rob
>
>> Below is the information:
>>
>> From Master:
>>
>> [root@ipa-inf-prd-ng2-01 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-01.klikpay.int
>> Directory Manager password:
>>
>> ipa-inf-prd-ng2-02.klikpay.int: replica
>>   last init status: None
>>   last init ended: None
>>   last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
>>   last update ended: None
>> [root@ipa-inf-prd-ng2-01 ~]#
>>
>> From Replica:
>>
>> [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-02.klikpay.int
>> Directory Manager password:
>>
>> ipa-inf-prd-ng2-01.klikpay.int: replica
>>   last init status: None
>>   last init ended: None
>>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>>   last update ended: 2015-10-30 10:36:25+00:00
>> [root@ipa-inf-prd-ng2-02 ~]#
>>
>> Though it says it is replicated (last update ended), we are not seeing
>> the new users and the new DNS Zone which we created.
>>
>> I also tried force replication, though I cannot see the new changes:
>>
>> [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage force-sync --from ipa-inf-prd-ng2-01.klikpay.int
>> Directory Manager password:
>>
>> ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
>> ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config
>> [root@ipa-inf-prd-ng2-02 ~]#
>>
>> Once I do re-initialization, it gives "Can't Contact LDAP Server"
>>
>> [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage re-initialize --from ipa-inf-prd-ng2-01.klikpay.int
>> Directory Manager password:
>>
>> ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
>> ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config
>>
>> [ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed
Re: [Freeipa-users] IPA Replication not working for User and DNS
Adding to this, I am able to do ldapsearch from the server which I am trying to make a replica.

[root@ipa-inf-prd-ng2-02 ~]# ldapsearch -x -H ldap://ipa-inf-prd-ng2-01.klikpay.int -s base -b '' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: cn=changelog
namingContexts: dc=klikpay,dc=int
namingContexts: o=ipaca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa-inf-prd-ng2-02 ~]#

Best Regards,
Yogesh Sharma

On Mon, Nov 2, 2015 at 11:24 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Tried to re-enroll the replica; however, I am getting the same error, though I
> am able to connect to the server.
>
> =
> Starting replication, please wait until this has completed.
> [ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]
> [error] RuntimeError: Failed to start replication
> =
>
> [root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 389
> Trying 172.16.32.10...
> Connected to ipa-inf-prd-ng2-01.klikpay.int.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> [root@ipa-inf-prd-ng2-02 ~]#
>
> On Fri, Oct 30, 2015 at 7:05 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Yogesh Sharma wrote:
>>> Team,
>>>
>>> Noticed that users created on the IPA Master are not replicating on the Replica.
>>>
>>> Also, we created a new Zone in the Master; however, we do not see the same
>>> in the replica server.
>>
>> You need to figure out why ipa-inf-prd-ng2-01.klikpay.int can't contact
>> port 389 on ipa-inf-prd-ng2-02.klikpay.int. It may be someone threw up a
>> firewall without telling you, or someone tweaked the rules on either of
>> those boxes.
>>
>> Doing re-init, force-sync, etc is always going to fail if one can't talk
>> to the other.
>>
>> rob
>>
>>> Below is the information:
>>>
>>> From Master:
>>>
>>> [root@ipa-inf-prd-ng2-01 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-01.klikpay.int
>>> Directory Manager password:
>>>
>>> ipa-inf-prd-ng2-02.klikpay.int: replica
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
>>>   last update ended: None
>>> [root@ipa-inf-prd-ng2-01 ~]#
>>>
>>> From Replica:
>>>
>>> [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-02.klikpay.int
>>> Directory Manager password:
>>>
>>> ipa-inf-prd-ng2-01.klikpay.int: replica
>>>   last init status: None
>>>   last init ended: None
>>>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>>>   last update ended: 2015-10-30 10:36:25+00:00
>>> [root@ipa-inf-prd-ng2-02 ~]#
>>>
>>> Though it says it is replicated (last update ended), we are not seeing
>>> the new users and the new DNS Zone which we created.
>>>
>>> I also tried force replication, though I cannot see the new changes:
>>>
>>> [root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage force-sync --from ipa-inf-prd-ng2-01.klikpay.int
>>> Directory Manager password:
>>>
>>> ipa: INF
Re: [Freeipa-users] IPA Replication not working for User and DNS
Listening:

[root@ipa-inf-prd-ng2-02 ~]# telnet ipa-inf-prd-ng2-01.klikpay.int 636
Trying 172.16.32.10...
Connected to ipa-inf-prd-ng2-01.klikpay.int.
Escape character is '^]'.

Best Regards,
Yogesh Sharma

On Mon, Nov 2, 2015 at 12:23 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 02 Nov 2015, Yogesh Sharma wrote:
>> Adding to this, I am able to do ldapsearch from the server which I am trying
>> to make a replica.
>>
>> [root@ipa-inf-prd-ng2-02 ~]# ldapsearch -x -H ldap://ipa-inf-prd-ng2-01.klikpay.int -s base -b '' namingContexts
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: namingContexts
>> #
>
> What about port 636? Replica install requires LDAPS.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Multiple Reverse (PTR) Zone
Thanks, it is resolved.

Best Regards,
Yogesh Sharma

On Thu, Oct 29, 2015 at 8:07 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Sure Petr. Will go through it. Thanks for sharing.
>
> On Thu, Oct 29, 2015 at 5:33 PM, Petr Spacek <pspa...@redhat.com> wrote:
>> On 29.10.2015 11:33, Yogesh Sharma wrote:
>>> Hi,
>>>
>>> We are working on creating another DC and extending our existing FreeIPA.
>>>
>>> Our current environment has the subnet 172.16.32.0/16. In the other DC we
>>> have 10.242.96.0/20.
>>>
>>> On the FreeIPA master I have created a PTR Zone with 242.10.in-addr.arpa.
>>> However, on registering the DC2 Client with the FreeIPA Master it says
>>> "Hostname not found in DNS"
>>
>> This message tells you that "hostname" (i.e. what you see in output of
>> command "hostname") does not have A/ record in DNS. It has nothing to do
>> with PTR records.
>>
>> Message "Failed to update DNS records." is usually caused by misconfigured
>> DNS zones.
>>
>> Please see
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
>> for advice how to configure DNS zones to accept dynamic updates.
>>
>> I hope this helps.
>> Petr^2 Spacek
>>
>>> Our Domain is the same across DCs; the only change is the Subnet.
>>>
>>> Forward Zone is working fine.
>>>
>>> Below are the Registration Logs:
>>>
>>> [root@dr-ipadns-1002 ~]# ipa-client-install --mkhomedir --no-ntp
>>> Discovery was successful!
>>> Hostname: dr-ipadns-1002.klikpay.int
>>> Realm: KLIKPAY.INT
>>> DNS Domain: klikpay.int
>>> IPA Server: ipa-inf-prd-ng2-02.klikpay.int
>>> BaseDN: dc=klikpay,dc=int
>>>
>>> Continue to configure the system with these values? [no]: yes
>>> User authorized to enroll computers: admin
>>> Synchronizing time with KDC...
>>> Password for ad...@klikpay.int:
>>> Successfully retrieved CA cert
>>> Subject: CN=Certificate Authority,O=KLIKPAY.INT
>>> Issuer: CN=Certificate Authority,O=KLIKPAY.INT
>>> Valid From: Fri Aug 14 11:39:47 2015 UTC
>>> Valid Until: Tue Aug 14 11:39:47 2035 UTC
>>>
>>> Enrolled in IPA realm KLIKPAY.INT
>>> Attempting to get host TGT...
>>> Created /etc/ipa/default.conf
>>> New SSSD config will be created
>>> Configured sudoers in /etc/nsswitch.conf
>>> Configured /etc/sssd/sssd.conf
>>> Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
>>> trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
>>> Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
>>> Hostname (dr-ipadns-1002.klikpay.int) not found in DNS
>>> Failed to update DNS records.
>>> Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>> Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
>>> SSSD enabled
>>> Configuring klikpay.int as NIS domain
>>> Configured /etc/openldap/ldap.conf
>>> Configured /etc/ssh/ssh_config
>>> Configured /etc/ssh/sshd_config
>>> Client configuration complete.
>>>
>>> [root@dr-ipadns-1002 ~]# ip r
>>> 10.242.96.0/20 dev eth0 proto kernel scope link src 10.242.96.3
>>> 169.254.0.0/16 dev eth0 scope link metric 1002
>>> default via 10.242.96.1 dev eth0
>>> [root@dr-ipadns-1002 ~]#
>>>
>>> From IPA:
>>>
>>> [root@ipa-inf-prd-ng2-01 ~]# ipa dnszone-show 242.10.in-addr.arpa
>>> Zone name: 242.10.in-addr.arpa.
>>> Active zone: TRUE
>>> Authoritative nameserver: ipa-inf-prd-ng2-01.klikpay.int.
>>> Administrator e-mail address: hostmaster
>>> SOA serial: 1446111284
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> Allow query: any;
>>> Allow transfer: none;
>>> [root@ipa-inf-prd-ng2-01 ~]#
>>>
>>> Please suggest what I am missing.
>>
>> --
>> Petr^2 Spacek
[Freeipa-users] IPA Replication not working for User and DNS
Team,

Noticed that users created on the IPA Master are not replicating to the Replica.

Also, we created a new Zone on the Master; however, we do not see the same on the replica server.

Below is the information:

From Master:

[root@ipa-inf-prd-ng2-01 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-01.klikpay.int
Directory Manager password:

ipa-inf-prd-ng2-02.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
  last update ended: None
[root@ipa-inf-prd-ng2-01 ~]#

From Replica:

[root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage list -v ipa-inf-prd-ng2-02.klikpay.int
Directory Manager password:

ipa-inf-prd-ng2-01.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-10-30 10:36:25+00:00
[root@ipa-inf-prd-ng2-02 ~]#

Though it says it is replicated (last update ended), we are not seeing the new users and the new DNS Zone which we created.

I also tried forcing replication, though I can not see the new changes:

[root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage force-sync --from ipa-inf-prd-ng2-01.klikpay.int
Directory Manager password:

ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config
[root@ipa-inf-prd-ng2-02 ~]#

Once I do re-initialization, it gives "Can't Contact LDAP Server":

[root@ipa-inf-prd-ng2-02 ~]# ipa-replica-manage re-initialize --from ipa-inf-prd-ng2-01.klikpay.int
Directory Manager password:

ipa: INFO: Setting agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipa-inf-prd-ng2-02.klikpay.int,cn=replica,cn=dc\=klikpay\,dc\=int,cn=mapping tree,cn=config

[ipa-inf-prd-ng2-01.klikpay.int] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]

Best Regards,
Yogesh Sharma
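The two `ipa-replica-manage list -v` outputs above disagree: the replica reports a healthy agreement towards the master (status 0), while the master reports -1 / "Can't contact LDAP server" towards the replica. Replication agreements are one-directional, so that pattern means the master's directory server cannot open an LDAP connection to the replica, even though the replica can reach the master. The following added example (not FreeIPA code and not part of the thread) parses that output format and names the broken direction; the sample text is constructed from the two outputs quoted in the post.

```python
"""Parse `ipa-replica-manage list -v` output and flag broken agreements.

Added example, not code from the FreeIPA project or the thread.  The input
below is constructed from the two outputs quoted in the post above; only the
parsing/flagging logic is new.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: what each side of the topology reports about the other.
MASTER_VIEW = """\
ipa-inf-prd-ng2-02.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server
  last update ended: None
"""

REPLICA_VIEW = """\
ipa-inf-prd-ng2-01.klikpay.int: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-10-30 10:36:25+00:00
"""

_HEADER = re.compile(r"^(?P<peer>\S+): replica\s*$")
_STATUS = re.compile(r"^\s*last update status:\s*(?P<code>-?\d+)\s*(?P<text>.*)$")


@dataclass
class Agreement:
    peer: str          # the other end of this agreement
    update_code: int   # 0 means the last incremental update succeeded
    update_text: str

    @property
    def healthy(self) -> bool:
        return self.update_code == 0


def parse_agreements(text: str) -> List[Agreement]:
    """Return one Agreement per '<peer>: replica' block in the output."""
    agreements: List[Agreement] = []
    peer = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            peer = m.group("peer")
            continue
        m = _STATUS.match(line)
        if m and peer:
            agreements.append(Agreement(peer, int(m.group("code")), m.group("text").strip()))
            peer = None
    return agreements


def diagnose(local: str, local_view: str, remote: str, remote_view: str) -> str:
    """Compare both directions of one agreement and say which way is broken.

    local_view is `list -v <local>` run on local, remote_view the same on remote.
    """
    l: Dict[str, Agreement] = {a.peer: a for a in parse_agreements(local_view)}
    r: Dict[str, Agreement] = {a.peer: a for a in parse_agreements(remote_view)}
    to_remote = l.get(remote)   # local -> remote, as reported by local
    to_local = r.get(local)     # remote -> local, as reported by remote
    if to_remote is None or to_local is None:
        return "missing agreement"
    if to_remote.healthy and to_local.healthy:
        return "both directions healthy"
    if to_remote.healthy:
        return f"{remote} cannot push to {local}: {to_local.update_text}"
    if to_local.healthy:
        return f"{local} cannot push to {remote}: {to_remote.update_text}"
    return "both directions broken"


if __name__ == "__main__":
    print(diagnose("ipa-inf-prd-ng2-01.klikpay.int", MASTER_VIEW,
                   "ipa-inf-prd-ng2-02.klikpay.int", REPLICA_VIEW))
```

For the outputs in the post this prints that ipa-inf-prd-ng2-01 cannot push to ipa-inf-prd-ng2-02, which is why changes made on the master never arrive: the place to look is the master's outbound connection to the replica's LDAP port (firewall, the replica's dirsrv instance, and the certificate the replica presents), not the replica's connection to the master.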
Re: [Freeipa-users] IPA Replication not working for User and DNS
Thanks Rob & Martin. I will check the logs. However, when I checked last time I noticed that the "pki-tomcat" service was not present in the ipactl status output on the replica server.

Connectivity between master (ipa-inf-prd-ng2-01) and slave (02) is there; able to do telnet/nc on 389 686 from slave to master and vice versa.

-Yogesh Sharma (Sent from my HTC)

On 30-Oct-2015 7:06 pm, "Rob Crittenden" <rcrit...@redhat.com> wrote:
> Martin Basti wrote:
> >
> > On 30.10.2015 11:54, Yogesh Sharma wrote:
> >> Additionally, On Replica UI, I am getting below Error Message:
> >>
> >> IPA Error 4301: CertificateOperationError
> >>
> >> Certificate operation cannot be completed: Unable to communicate with
> >> CMS (Not Found)
> >>
> > Hello, can you check /var/log/httpd/error_log if there is a detailed info?
>
> Apache proxies CA requests. Not Found generally means that the CA is not
> running or the CA web app wasn't registered. Check the pki logs in
> /var/log/pki.
>
> rob
Re: [Freeipa-users] IPA Replication not working for User and DNS
Additionally, on the Replica UI, I am getting the below error message:

IPA Error 4301: CertificateOperationError

Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] Multiple Reverse (PTR) Zone
Sure Petr. Will go through it. Thanks for sharing.

Best Regards,
Yogesh Sharma

On Thu, Oct 29, 2015 at 5:33 PM, Petr Spacek <pspa...@redhat.com> wrote:
> On 29.10.2015 11:33, Yogesh Sharma wrote:
> > Hi,
> >
> > We are working on to create another DC and extending our existing FreeIPA.
> >
> > Our current environment has subnet as 172.16.32.0/16. In another DC we have
> > 10.242.96.0/20.
> >
> > On FreeIPA master I have created a PTR Zone with 242.10.in-addr.arpa.
> > However, on registering the DC2 Client with FreeIPA Master it says
> > "Hostname not found in DNS"
>
> This message tells you that "hostname" (i.e. what you see in output of
> command "hostname") does not have an A/AAAA record in DNS. It has nothing
> to do with PTR records.
>
> Message "Failed to update DNS records." is usually caused by misconfigured
> DNS zones.
>
> Please see
> https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR
> for advice how to configure DNS zones to accept dynamic updates.
>
> I hope this helps.
> Petr^2 Spacek
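Petr's reply separates two things the client output runs together: "Hostname ... not found in DNS" is about the forward (A/AAAA) record of the enrolling host, and "Failed to update DNS records" is about whether the zones accept dynamic updates from the host's Kerberos principal. The reverse side still has to be right for the PTR to land, and the subnet in the thread (10.242.96.0/20) is not octet-aligned, so it is worth checking which in-addr.arpa zone actually covers it. The following is an added example (not FreeIPA code, not from the thread) that does that arithmetic for the two subnets above and emits the dynamic-update policy strings in the form FreeIPA documents for `ipa dnszone-mod --dynamic-update=TRUE --update-policy=...`; the realm and zone names are the thread's, and the resulting commands should be checked against your own server's documentation before use.

```python
"""Reverse-zone arithmetic for the two subnets in the thread above.

Added example; not FreeIPA code.  It answers two questions a practitioner asks
before debugging "Failed to update DNS records": which reverse zone must exist
for a given client address, and what dynamic-update policy that zone (and the
forward zone) needs so an enrolled host's own Kerberos principal may write its
records.  The policy strings follow the form FreeIPA documents for
--update-policy; treat the exact realm/zone names as the thread's, not a
verified configuration.
"""
import ipaddress
from typing import Iterable, Optional


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 3.96.242.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_for_network(cidr: str) -> str:
    """Smallest octet-aligned in-addr.arpa zone that contains a network.

    A /20 is not octet-aligned, so 10.242.96.0/20 needs the /16 zone
    242.10.in-addr.arpa. (or a classless delegation), which is exactly the zone
    created in the thread.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    octets = str(net.network_address).split(".")
    keep = net.prefixlen // 8   # whole octets fixed by the prefix
    if keep == 0:
        raise ValueError("prefix shorter than /8 has no in-addr.arpa zone")
    return ".".join(reversed(octets[:keep])) + ".in-addr.arpa."


def enclosing_zone(ip: str, zones: Iterable[str]) -> Optional[str]:
    """Which of the configured reverse zones would hold this address's PTR?

    Returns the most specific (longest) matching zone, or None if no zone
    covers the address: in that case no PTR can be written anywhere.
    """
    owner = ptr_owner(ip)
    best = None
    for z in zones:
        z = z if z.endswith(".") else z + "."
        if owner.endswith("." + z) and (best is None or len(z) > len(best)):
            best = z
    return best


def forward_update_policy(realm: str) -> str:
    """Policy letting each host update its own A/AAAA/SSHFP via its host principal."""
    return " ".join(f"grant {realm} krb5-self * {rr};" for rr in ("A", "AAAA", "SSHFP"))


def reverse_update_policy(realm: str, zone: str) -> str:
    """Policy letting hosts of the realm write PTRs anywhere under the reverse zone."""
    return f"grant {realm} krb5-subdomain {zone} PTR;"


if __name__ == "__main__":
    zones = ["242.10.in-addr.arpa.", "16.172.in-addr.arpa."]
    for client in ("10.242.96.3", "172.16.32.5", "192.0.2.1"):
        print(client, "->", ptr_owner(client), "in", enclosing_zone(client, zones))
    print(reverse_zone_for_network("10.242.96.0/20"))
    # assumed realm/zone from the thread, not a verified configuration
    print(forward_update_policy("KLIKPAY.INT"))
    print(reverse_update_policy("KLIKPAY.INT", "242.10.in-addr.arpa."))
```

The `krb5-self` grant is deliberately narrow: a host principal may only touch records whose owner name equals its own name, which is what you want for A/AAAA/SSHFP. PTRs cannot be scoped that way because the owner name is the address, so the reverse zone uses `krb5-subdomain`; that is a wider grant (any host in the realm may write any PTR under the zone), which is the trade-off to keep in mind when deciding whether to enable dynamic updates on reverse zones at all.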
[Freeipa-users] Multiple Reverse (PTR) Zone
Hi,

We are working on to create another DC and extending our existing FreeIPA.

Our current environment has subnet as 172.16.32.0/16. In another DC we have 10.242.96.0/20.

On FreeIPA master I have created a PTR Zone with 242.10.in-addr.arpa. However, on registering the DC2 Client with FreeIPA Master it says "Hostname not found in DNS".

Our Domain is the same across DCs, the only change is the Subnet.

Forward Zone is working fine.

Below are the Registration Logs:

[root@dr-ipadns-1002 ~]# ipa-client-install --mkhomedir --no-ntp
Discovery was successful!
Hostname: dr-ipadns-1002.klikpay.int
Realm: KLIKPAY.INT
DNS Domain: klikpay.int
IPA Server: ipa-inf-prd-ng2-02.klikpay.int
BaseDN: dc=klikpay,dc=int

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@klikpay.int:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=KLIKPAY.INT
    Issuer:      CN=Certificate Authority,O=KLIKPAY.INT
    Valid From:  Fri Aug 14 11:39:47 2015 UTC
    Valid Until: Tue Aug 14 11:39:47 2035 UTC

Enrolled in IPA realm KLIKPAY.INT
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm KLIKPAY.INT
trying https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml
Forwarding 'env' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
Hostname (dr-ipadns-1002.klikpay.int) not found in DNS
Failed to update DNS records.
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server u'https://ipa-inf-prd-ng2-02.klikpay.int/ipa/xml'
SSSD enabled
Configuring klikpay.int as NIS domain
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@dr-ipadns-1002 ~]# ip r
10.242.96.0/20 dev eth0  proto kernel  scope link  src 10.242.96.3
169.254.0.0/16 dev eth0  scope link  metric 1002
default via 10.242.96.1 dev eth0
[root@dr-ipadns-1002 ~]#

From IPA:

[root@ipa-inf-prd-ng2-01 ~]# ipa dnszone-show 242.10.in-addr.arpa
  Zone name: 242.10.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: ipa-inf-prd-ng2-01.klikpay.int.
  Administrator e-mail address: hostmaster
  SOA serial: 1446111284
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
[root@ipa-inf-prd-ng2-01 ~]#

Please suggest what I am missing.

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable
Even the user details are not coming:

[root@btservice-mysql-prd-ng2-01 sssd]# id vg4381
id: vg4381: No such user
[root@btservice-mysql-prd-ng2-01 sssd]# getent passwd vg4381
[root@btservice-mysql-prd-ng2-01 sssd]#

Best Regards,
Yogesh Sharma

On Tue, Sep 1, 2015 at 5:05 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Hi,
>
> We are getting the below error while a user tries to do sudo, while it works for old users.
>
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [vg4381] from []
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Offline
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [vg4381] from [klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Resource temporarily unavailable
> Will try to return what we have in cache
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vg4381] from []
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep 1 17:00:01 2015) [ss
Re: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable
Hi,

This is fixed. On digging more I found that my resolv.conf had been updated and it was not able to find the domain. Fixing resolv.conf with the right nameserver fixed the issue.

Best Regards,
Yogesh Sharma
[Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable
do]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4...@klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4...@klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*)))]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 1 rules for [vg4...@klikpay.int]
(Tue Sep 1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4...@klikpay.int]

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue
Thanks Simo and Jakub.

-Yogesh Sharma (Sent from my HTC)

On 31-Aug-2015 5:10 pm, "Jakub Hrozek" <jhro...@redhat.com> wrote:
> On Tue, Aug 25, 2015 at 09:42:44AM -0400, Simo Sorce wrote:
> > On Tue, 2015-08-25 at 15:30 +0530, Yogesh Sharma wrote:
> > > Hi Simo,
> > >
> > > We are using "session optional pam_oddjob_mkhomedir.so umask=0077"
> > >
> > > and included in
> > > password-auth-ac and password-auth
> >
> > I guess you should read the pam_oddjob_mkhomedir manpage which will tell
> > you that the way you are specifying the umask is incorrect :-)
> > Hint: see oddjob-mkhomedir.conf
> >
> > HTH,
> > Simo.
>
> Also please note:
> https://bugzilla.redhat.com/show_bug.cgi?id=995097
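Simo's hint is the whole story: pam_oddjob_mkhomedir.so does not create the directory itself, it asks the oddjobd service over D-Bus, and the pam_oddjob_mkhomedir(8) man page states that the skeleton directory and umask come from the oddjobd service configuration rather than from PAM module arguments, so `umask=0077` on the PAM line is silently ignored and the helper's default applies. The following is an added example, not oddjob or FreeIPA code and not from the thread, with two checks a practitioner would want: a scan of PAM lines for that ineffective argument, and an audit of existing home directories whose mode is wider than the intended umask allows. The path /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf and the `mkhomedir -u 0077` helper argument mentioned in the comments are the stock RHEL/CentOS layout and should be confirmed on your own system.

```python
"""Checks for the home-directory mode problem in this thread.

Added example, not oddjob or FreeIPA code.  Two things are demonstrated: (1) why a
`umask=` argument on a pam_oddjob_mkhomedir.so line has no effect (per the
pam_oddjob_mkhomedir(8) man page the umask and skeleton directory come from the
oddjobd service configuration, not from PAM arguments), and (2) an audit that lists
home directories whose mode is more permissive than the intended umask implies.
The stock place to set the umask is the helper line in
/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf (mkhomedir -u 0077); confirm locally.
"""
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Constructed PAM fragment modelled on the line quoted in the thread.
PAM_SAMPLE = """\
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     optional      pam_mkhomedir.so umask=0077
"""

_PAM = re.compile(r"^session\s+\S+\s+(?P<module>pam_\w+\.so)(?P<args>.*)$")


def misplaced_umask_lines(pam_text: str) -> List[str]:
    """Return pam_oddjob_mkhomedir lines carrying a umask= argument it ignores.

    pam_mkhomedir.so does honour umask=, so those lines are not reported.
    """
    bad = []
    for line in pam_text.splitlines():
        m = _PAM.match(line.strip())
        if m and m["module"] == "pam_oddjob_mkhomedir.so" and "umask=" in m["args"]:
            bad.append(line.strip())
    return bad


def expected_mode(umask: int) -> int:
    """Directory mode mkhomedir should produce: full permissions minus the umask."""
    return 0o777 & ~umask


def audit_homes(root: str, umask: int) -> List[Tuple[str, int]]:
    """(path, mode) for every directory directly under root that is wider than expected."""
    allowed = expected_mode(umask)
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~allowed:          # any bit set that the umask should have cleared
            findings.append((path, mode))
    return findings


def demo_audit() -> List[Tuple[str, int]]:
    """Build two constructed home dirs (one 0755, one 0700) and audit against 0077."""
    root = tempfile.mkdtemp(prefix="homes-")
    for name, mode in (("wide", 0o755), ("tight", 0o700)):
        p = os.path.join(root, name)
        os.mkdir(p)
        os.chmod(p, mode)   # explicit chmod so the process umask does not interfere
    return audit_homes(root, 0o077)


if __name__ == "__main__":
    for line in misplaced_umask_lines(PAM_SAMPLE):
        print("ignored umask argument:", line)
    print("expected mode for umask 0077:", oct(expected_mode(0o077)))
    for path, mode in demo_audit():
        print("too permissive:", path, oct(mode))
```

Run against a real /home, `audit_homes("/home", 0o077)` lists the directories that were created while the umask was wrong, since fixing the oddjobd configuration only affects homes created afterwards; the ones already at 0755 have to be tightened by hand.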
Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue
Hi Simo,

We are using session optional pam_oddjob_mkhomedir.so umask=0077

Best Regards,
Yogesh Sharma

On Mon, Aug 24, 2015 at 12:21 AM, Simo Sorce <s...@redhat.com> wrote:
> On Sun, 2015-08-23 at 12:06 +0530, Yogesh Sharma wrote:
> > Typo: Umask set is 0077, then the permission should be 700, though we are getting 755.
>
> Where are you setting this mask ?
> And what pam helper do you use to create the home dirs ?
> pam_mkhomedir ? or pam_oddjob_mkhomedir ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue
Hi Simo,

We are using session optional pam_oddjob_mkhomedir.so umask=0077

and included it in password-auth-ac and password-auth

Best Regards,
Yogesh Sharma
[Freeipa-users] FreeIPA user Home Directory Permission Issue
Hi,

FreeIPA users are getting their home directory with default permission of 755 instead of 700. I have checked the pam.d configuration and the umask set there for mkhomedir.so is 0700; however, home dir permissions are not according to this. Is there somewhere else we need to add the umask to make it 700? Please suggest.
Re: [Freeipa-users] FreeIPA user Home Directory Permission Issue
Typo: Umask set is 0077, then the permission should be 700, though we are getting 755.

On Sun, Aug 23, 2015 at 12:00 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Hi,
>
> FreeIPA users are getting their home directory with default permission of 755 instead of 700. I have checked the pam.d configuration and the umask set there for mkhomedir.so is 0700; however, home dir permissions are not according to this. Is there somewhere else we need to add the umask to make it 700? Please suggest.
Re: [Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication
Thanks Alex for your inputs.

On my point 2, it happens for FreeIPA (LDAP) users only. If I create a local user, it works perfectly. Will dig more into this.

-Yogesh Sharma
(Sent from my HTC)

On 20-Aug-2015 7:05 pm, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Thu, 20 Aug 2015, Yogesh Sharma wrote:
> > Hi,
> >
> > I was reading this slide https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf to troubleshoot an issue which we are facing while configuring IPA to allow users to use public key authentication, and had a few questions:
> >
> > 1. Where does IPA store the user public keys? I can fetch them using sss_ssh_authorizedkeys but it would be good if we can know from where it fetches the keys. Is it in the LDAP DB?
>
> They are stored in the user entry in LDAP. Use 'ipa user-show user --raw --all' to see it.
>
> > 2. When I registered new users with PubKey Authentication, some of them are working fine and some got prompted for a password (this also happens when we update their public key). This usually happens when either SSH is not able to pick the private key (id_rsa) or if there is some permission issue with the .ssh or authorized_keys file. I am trying to find in the IPA environment why this is happening for certain users only, though it is picking the right private key on the client side. SSSD logs and secure logs do not have much to say except authentication failed.
>
> Private keys are used by the SSH client, so you can enable debugging output when using the SSH client to see if it has issues with file system access. This has nothing to do with FreeIPA at all.
>
> > 4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says to add a known_hosts file with SSSD. However, neither IPA client nor IPA server has this:
> >
> >     Configure ssh in /etc/ssh/ssh_config
> >     Get known_hosts from SSSD
> >     GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> >     ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>
> This part is automatically configured if you choose to configure SSSD and SSSD has support for knownhostsproxy.
> See ipa-client/ipa-install/ipa-client-install:configure_ssh_config() (or directly in /sbin/ipa-client-install).
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] Registering Amazon Linux instance remotely
FreeIPA in Amazon Linux is a pain as they do not support it; we have also raised a feature request with Amazon Linux and as per them it will be available in the next Amazon Linux release, though there is no ETA yet.

Per your concern, it seems your script is able to register the client but the concern here is only to add the client to a specific IPA hostgroup; if so, then you can add automember rules on the IPA server. You do not need to worry about it at the time of enrolling: if an automember rule is there, the host will land in the specific hostgroup based on the regex you have specified.

On your concern about running the script remotely, it is better to add your script to User Data, so that it is executed automatically once your instance gets provisioned, or use a CMS tool like Chef or Puppet to do this.

Also, it is recommended to use the private IP instead of the public IP or EIP as they are static, though it depends on your use case.

-Yogesh Sharma
(Sent from my HTC)

On 22-Aug-2015 10:03 pm, NitrouZ <dewangg...@xtremenitro.org> wrote:
> Hello!
>
> Have you assigned security groups to your IPA server and client? By default, Amazon will accept only ssh (port 22) and icmp. And if you want a static public IP address, go to Elastic IP and assign one to each of your VMs.
>
> Hope it helps :)
>
> On Saturday, August 22, 2015, Supratik Goswami <supratiksek...@gmail.com> wrote:
> > Hello,
> >
> > My environment is completely in Amazon AWS and in my environment I have a FreeIPA setup 4.1.0-18.el7. I am using the auto scaling feature of Amazon AWS which dynamically creates systems from an AMI. The currently running machines in that group are Amazon Linux. I can not install ipa-client in those machines because Amazon does not support that yet, but I have installed SSSD in those machines. The IPs of the machines are dynamically assigned at the time of the launch.
> >
> > I want to run a setup script at the time of launch and register the client machines. Unfortunately I don't have any clue of what commands I should use to register the client machine remotely under a particular host group at the time of launch.
> >
> > Please help.
> >
> > Thanks.
> >
> > --
> > Warm Regards
> > Supratik
>
> --
> Sent from iDewangga Device
[Freeipa-users] Question on FreeIPA OpenSSH PubKey Authentication
Hi,

I was reading this slide https://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf to troubleshoot an issue which we are facing while configuring IPA to allow users to use public key authentication, and had a few questions:

1. Where does IPA store the user public keys? I can fetch them using sss_ssh_authorizedkeys but it would be good if we can know from where it fetches the keys. Is it in the LDAP DB?

2. When I registered new users with PubKey Authentication, some of them are working fine and some got prompted for a password (this also happens when we update their public key). This usually happens when either SSH is not able to pick the private key (id_rsa) or if there is some permission issue with the .ssh or authorized_keys file. I am trying to find in the IPA environment why this is happening for certain users only, though it is picking the right private key on the client side. SSSD logs and secure logs do not have much to say except authentication failed.

3. I have checked the sshd config and it does not seem to be an issue:

    KerberosAuthentication no
    PubkeyAuthentication yes
    UsePAM yes
    GSSAPIAuthentication yes
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

4. As per the above slide, OpenSSH Integration with SSSD Slide 2 says to add a known_hosts file with SSSD. However, neither IPA client nor IPA server has this:

    Configure ssh in /etc/ssh/ssh_config
    Get known_hosts from SSSD
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

A suggestion can really help us moving forward.
Re: [Freeipa-users] Public Key Authentication Failing
Re-enrolling the server has fixed it, but what has caused this is still an issue.

On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> The majority of sssd logs are filled with the below error:
>
>     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>
> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> > Team,
> >
> > We are using public key authentication instead of password. It was working fine but a day later it stopped working. The same key is working if I change the username.
> >
> > For eg: Initially we created a user, ipa1, with an ssh public key, but after some time it stopped working; now the same key is working if we create an ipa2 user, but with the ipa1 user it fails to accept the key.
> >
> > Below are the ssh logs of a failed attempt:
> >
> > [...]
Re: [Freeipa-users] Public Key Authentication Failing + Failed to Authenticate New User with Public Key
Any suggestion please.

On Wed, Aug 19, 2015 at 1:37 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Re-enrolling the server has fixed it, but what has caused this is still an issue.
>
> On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> > The majority of sssd logs are filled with the below error:
> >
> >     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> >     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> >     (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> >
> > On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> > > Team,
> > >
> > > We are using public key authentication instead of password. It was working fine but a day later it stopped working. The same key is working if I change the username.
> > >
> > > For eg: Initially we created a user, ipa1, with an ssh public key, but after some time it stopped working; now the same key is working if we create an ipa2 user, but with the ipa1 user it fails to accept the key.
> > >
> > > Below are the ssh logs of a failed attempt:
> > >
> > > [...]
[Freeipa-users] Public Key Authentication Failing
    : SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 78:1f:15:bf:d3:fb:1a:49:44:8c:3a:28:b0:1f:6b:15
    debug1: Host '172.16.32.24' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:2258
    debug2: bits set: 1553/3072
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /root/.ssh/id_rsa (0x7f646fa5b830), explicit
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-keyex
    debug1: No valid Key exchange context
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    debug1: Unspecified GSS failure.  Minor code may provide more information
    debug1: Unspecified GSS failure.  Minor code may provide more information
    No Kerberos credentials available
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /root/.ssh/id_rsa
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
Re: [Freeipa-users] Public Key Authentication Failing
The majority of sssd logs are filled with the below error:

    (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
    (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
    (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]

On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Team,
>
> We are using public key authentication instead of password. It was working fine but a day later it stopped working. The same key is working if I change the username.
>
> For eg: Initially we created a user, ipa1, with an ssh public key, but after some time it stopped working; now the same key is working if we create an ipa2 user, but with the ipa1 user it fails to accept the key.
>
> Below are the ssh logs of a failed attempt:
>
>     root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa vg4381@172.16.32.24 -vv
>     OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>     debug1: Reading configuration data /etc/ssh/ssh_config
>     debug1: /etc/ssh/ssh_config line 19: Applying options for *
>     debug2: ssh_connect: needpriv 0
>     debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>     debug1: Connection established.
>     debug1: permanently_set_uid: 0/0
>     debug1: identity file /root/.ssh/id_rsa type 1
>     debug1: identity file /root/.ssh/id_rsa-cert type -1
>     debug1: Enabling compatibility mode for protocol 2.0
>     debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>     debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>     debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
>     debug2: fd 3 setting O_NONBLOCK
>     debug1: SSH2_MSG_KEXINIT sent
>     debug1: SSH2_MSG_KEXINIT received
>     debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>     debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>     debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>     debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>     debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>     debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>     debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>     debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>     debug2: kex_parse_kexinit:
>     debug2: kex_parse_kexinit:
>     debug2: kex_parse_kexinit: first_kex_follows 0
>     debug2: kex_parse_kexinit: reserved 0
>     debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>     debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>     debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>     debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr
Re: [Freeipa-users] IPA User Group Auto membership
The same is working when I use userclass instead of title, because the option to set the title is available only after creating the user, whereas we can set the userclass while creating the user from the UI.

On Sat, Aug 15, 2015 at 8:52 PM, Yogesh Sharma <yks0...@gmail.com> wrote:
> Hi Rob,
>
> My concern was for new entries only.
>
> -Yogesh Sharma
> (Sent from my HTC)
>
> On 15-Aug-2015 7:40 pm, Rob Crittenden <rcrit...@redhat.com> wrote:
> > Yogesh Sharma wrote:
> > > Team,
> > >
> > > We are having an issue configuring Auto Membership for a user group, i.e. whenever we add/update a user in IPA, it should get added to a group on the basis of his/her Job Title. Below is the rule:
> > >
> > >     [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
> > >     Grouping Type: group
> > >     ---
> > >     1 rules matched
> > >     ---
> > >       Description: DBA Auto membership
> > >       Automember Rule: dbausers
> > >       Inclusive Regex: title=(.*)((?i)(DBA))(.*)
> > >     ---
> > >     Number of entries returned 1
> > >     ---
> > >     [root@ipa-inf-prd-ng2-02 ~]#
> > >
> > > [...]
> >
> > The rules only apply to new entries. In order to apply rules to existing entries run:
> >
> >     ipa automember-rebuild --type=group
> >
> > rob
[Freeipa-users] IPA User Group Auto membership
Team,

We are having an issue configuring Auto Membership for a user group, i.e. whenever we add/update a user in IPA, it should get added to a group on the basis of his/her Job Title. Below is the rule:

    [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
    Grouping Type: group
    ---
    1 rules matched
    ---
      Description: DBA Auto membership
      Automember Rule: dbausers
      Inclusive Regex: title=(.*)((?i)(DBA))(.*)
    ---
    Number of entries returned 1
    ---
    [root@ipa-inf-prd-ng2-02 ~]#

We are setting the Job Title as "Sr. DBA Mgr", "DBA II" etc. However, it is not working. We have tested the regex, and it seems to be working while testing it.
Re: [Freeipa-users] IPA User Group Auto membership
Hi Rob,

My concern was for new entries only.

-Yogesh Sharma
(Sent from my HTC)

On 15-Aug-2015 7:40 pm, Rob Crittenden <rcrit...@redhat.com> wrote:
> Yogesh Sharma wrote:
> > Team,
> >
> > We are having an issue configuring Auto Membership for a user group, i.e. whenever we add/update a user in IPA, it should get added to a group on the basis of his/her Job Title. Below is the rule:
> >
> >     [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers
> >     Grouping Type: group
> >     ---
> >     1 rules matched
> >     ---
> >       Description: DBA Auto membership
> >       Automember Rule: dbausers
> >       Inclusive Regex: title=(.*)((?i)(DBA))(.*)
> >     ---
> >     Number of entries returned 1
> >     ---
> >     [root@ipa-inf-prd-ng2-02 ~]#
> >
> > We are setting the Job Title as "Sr. DBA Mgr", "DBA II" etc. However, it is not working. We have tested the regex, and it seems to be working while testing it.
>
> The rules only apply to new entries. In order to apply rules to existing entries run:
>
>     ipa automember-rebuild --type=group
>
> rob
Re: [Freeipa-users] PTR record not adding to IPA DNS
Forward zone: initd.int
Reverse: 32.16.172.in-addr.arpa.
CIDR of our DHCP: 172.16.32.0/20

On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti <mba...@redhat.com> wrote:
> On 08/14/2015 12:07 PM, Yogesh Sharma wrote:
> > Hi,
> >
> > Upon client registration, PTR records are not getting added to the reverse zone in IPA DNS.
>
> Hello,
>
> Please provide more info about the configuration of the zones.
Re: [Freeipa-users] PTR record not adding to IPA DNS
Please find the output:

    ipa dnszone-show initd.int --all
      dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
      Zone name: initd.int.
      Active zone: TRUE
      Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
      Administrator e-mail address: hostmaster.initd.int.
      SOA serial: 1439547047
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * ; grant initd.INT krb5-self * SSHFP;
      Dynamic update: TRUE
      Allow query: any;
      Allow transfer: none;
      nsrecord: ipa-inf-prd-ng2-01.initd.int.
      objectclass: idnszone, top, idnsrecord

      dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
      Zone name: 32.16.172.in-addr.arpa.
      Active zone: TRUE
      Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
      Administrator e-mail address: hostmaster.initd.int.
      SOA serial: 1439543674
      SOA refresh: 3600
      SOA retry: 900
      SOA expire: 1209600
      SOA minimum: 3600
      BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
      Dynamic update: TRUE
      Allow query: any;
      Allow transfer: none;
      nsrecord: ipa-inf-prd-ng2-01.initd.int.
      objectclass: idnszone, top, idnsrecord

On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti <mba...@redhat.com> wrote:
> On 08/14/2015 12:57 PM, Yogesh Sharma wrote:
> > Forward zone: initd.int
> > Reverse: 32.16.172.in-addr.arpa.
> > CIDR of our DHCP: 172.16.32.0/20
>
> Please paste here the output of the following commands:
>
>     ipa dnszone-show initd.int --all
>     ipa dnszone-show 32.16.172.in-addr.arpa --all
>
> > On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti <mba...@redhat.com> wrote:
> > > On 08/14/2015 12:07 PM, Yogesh Sharma wrote:
> > > > Hi,
> > > >
> > > > Upon client registration, PTR records are not getting added to the reverse zone in IPA DNS.
> > >
> > > Hello,
> > >
> > > Please provide more info about the configuration of the zones.
[Freeipa-users] Sudo Rule Not working with UserGroup
Hi,
We have moved to the next step and are working on configuring the sudo rules. When we add individual users to sudo rules, it works perfectly. However, as soon as we add a user group to sudo rules, it stops working.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus
[Freeipa-users] IPA Client Unattended Registration Issue
Hi,
We use Chef to perform the basic system setup once we launch a new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended ipa-client installation, we are passing the below parameters:

  ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended

However, we always get a password incorrect error, though we are sure it is correct:

  Joining realm failed: Incorrect password.
  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus
Re: [Freeipa-users] IPA Server Replication Info
Thanks Jakub. From your answer 2, would both DNS servers work as masters if we use IPA DNS?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 1:54 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Aug 13, 2015 at 09:46:42PM +0530, Yogesh Sharma wrote:
> > Hi,
> > I am working to set up an IPA environment in our infra.
> >
> > 1. I would like to know how IPA handles failover if the Master Node goes down. Does sssd manage it?
>
> Yes. See man sssd-ipa, section failover.
>
> > 2. While the Master Node is down, can I register a client to the replica server, i.e. via AutoDiscovery as IPA does?
>
> Maybe the IPA developers would answer the other questions better, but my understanding is that since all IPA servers are masters, then this should be fine as long as you prevent replication conflicts.
>
> > 3. What if my Master Node never comes up again due to a system crash? In this case, if I create a new node, can I make it the master, and if so what would happen to clients which were already registered?
>
> The data is replicated..so yes, the clients are also replicated to other IPA servers..
Re: [Freeipa-users] Sudo Rule Not working with UserGroup
It has started working. Not sure what happened, but it seems to be an issue with the cache timeout again. Thanks Jakub. I will update with more if I am able to reproduce the issue again.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 7:12 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Fri, Aug 14, 2015 at 07:05:48PM +0530, Yogesh Sharma wrote:
> > Hi,
> > We have moved to the next step and are working on configuring the sudo rules. When we add individual users to sudo rules, it works perfectly. However, as soon as we add a user group to sudo rules, it stops working.
>
> I'm sorry, but it's not possible to help without seeing the logs. In this case, the sudo logs.
Re: [Freeipa-users] IPA Server Replication Info
Okay. So both DNS servers are masters. Thanks Jakub, this can be closed.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 7:17 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Fri, Aug 14, 2015 at 02:11:10PM +0530, Yogesh Sharma wrote:
> > Thanks Jakub. From your answer 2, would both DNS servers work as masters if we use IPA DNS?
>
> Well, you need to configure /etc/resolv.conf to point to the replica as well.
>
> btw resolv.conf typically supports up to three nameservers.
Re: [Freeipa-users] PTR record not adding to IPA DNS
Thanks Martin. Redhat Rock :)

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 4:52 PM, Martin Basti mba...@redhat.com wrote:
> On 08/14/2015 01:13 PM, Yogesh Sharma wrote:
> > Please find the output:
> >
> > ipa dnszone-show initd.int --all
> >   dn: idnsname=initd.int.,cn=dns,dc=initd,dc=int
> >   Zone name: initd.int.
> >   Active zone: TRUE
> >   Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
> >   Administrator e-mail address: hostmaster.initd.int.
> >   SOA serial: 1439547047
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> >   BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * ; grant initd.INT krb5-self * SSHFP;
> >   Dynamic update: TRUE
> >   Allow query: any;
> >   Allow transfer: none;
> >   nsrecord: ipa-inf-prd-ng2-01.initd.int.
> >   objectclass: idnszone, top, idnsrecord
>
> I don't see this line in the output of initd.int:
>   Allow PTR sync: TRUE
>
> Did you enable synchronization of PTR records?
>   ipa dnszone-mod initd.int --allow-sync-ptr=TRUE
>
> Martin
>
> >   dn: idnsname=32.16.172.in-addr.arpa.,cn=dns,dc=initd,dc=int
> >   Zone name: 32.16.172.in-addr.arpa.
> >   Active zone: TRUE
> >   Authoritative nameserver: ipa-inf-prd-ng2-01.initd.int.
> >   Administrator e-mail address: hostmaster.initd.int.
> >   SOA serial: 1439543674
> >   SOA refresh: 3600
> >   SOA retry: 900
> >   SOA expire: 1209600
> >   SOA minimum: 3600
> >   BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
> >   Dynamic update: TRUE
> >   Allow query: any;
> >   Allow transfer: none;
> >   nsrecord: ipa-inf-prd-ng2-01.initd.int.
> >   objectclass: idnszone, top, idnsrecord
> >
> > On Fri, Aug 14, 2015 at 4:30 PM, Martin Basti mba...@redhat.com wrote:
> > > On 08/14/2015 12:57 PM, Yogesh Sharma wrote:
> > > > Forward zone: initd.int
> > > > Reverse: 32.16.172.in-addr.arpa. (https://ipa-inf-prd-ng2-01.klikpay.int/ipa/ui/#32.16.172.in-addr.arpa.)
> > > > CIDR of our DHCP: 172.16.32.0/20
> > >
> > > Please paste here output of following commands:
> > > ipa dnszone-show initd.int --all
> > > ipa dnszone-show 32.16.172.in-addr.arpa --all
> > >
> > > > On Fri, Aug 14, 2015 at 3:45 PM, Martin Basti mba...@redhat.com wrote:
> > > > > On 08/14/2015 12:07 PM, Yogesh Sharma wrote:
> > > > > > Hi,
> > > > > > Upon client registration, PTR records are not getting added to the reverse zone in IPA DNS.
> > > > >
> > > > > Hello,
> > > > > Please provide more info about configuration of zones.
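Martin's diagnosis above comes down to one missing attribute, but two other things in the same `dnszone-show` output deserve a look before declaring PTR handling fixed: the DHCP range is a /20, which spans sixteen /24 `in-addr.arpa` zones rather than the single `32.16.172.in-addr.arpa.` zone shown, and the reverse zone's update policy uses `krb5-subdomain`, which matches the signer on realm only and therefore lets any enrolled host rewrite any PTR under that zone (compare `krb5-self` in the forward zone, which limits a host to records at its own name). The script below is an added example of mine, not code from the thread or from the FreeIPA project; it parses constructed sample outputs shaped like the thread's (the `AAAA` grant and the zone texts are assumed, not copied from any real server), enumerates the reverse zones a CIDR needs, and flags the three conditions.

```python
"""Added example (not from the thread or the FreeIPA project): pre-flight
checks for PTR handling in a FreeIPA-managed reverse zone.

Inputs are the text of `ipa dnszone-show <zone> --all` for the forward and
reverse zones plus the DHCP CIDR.  It reports:
  1. whether the forward zone has "Allow PTR sync: TRUE" (the fix from the thread);
  2. which /24 in-addr.arpa zones the DHCP range needs but which do not exist
     (a /20 such as 172.16.32.0/20 spans sixteen of them, not one);
  3. which realms may, through a krb5-subdomain grant, rewrite any PTR in the zone.
The two zone outputs are constructed samples shaped like the thread's output.
"""
import ipaddress
import re

FORWARD_ZONE = """\
  Zone name: initd.int.
  Active zone: TRUE
  BIND update policy: grant initd.INT krb5-self * A; grant initd.INT krb5-self * AAAA; grant initd.INT krb5-self * SSHFP;
  Dynamic update: TRUE
"""

REVERSE_ZONE = """\
  Zone name: 32.16.172.in-addr.arpa.
  Active zone: TRUE
  BIND update policy: grant initd.INT krb5-subdomain 32.16.172.in-addr.arpa. PTR;
  Dynamic update: TRUE
"""

# action, identity (realm), rule type, name, record types (may be empty)
GRANT_RE = re.compile(r"(grant|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?);")


def parse_zone_show(text):
    """Map `ipa dnszone-show --all` lines to {attribute: value}."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.strip().split(": ", 1)
            attrs[key] = value.strip()
    return attrs


def ptr_sync_enabled(attrs):
    """Absent (as in the thread's output) or anything but TRUE counts as off."""
    return attrs.get("Allow PTR sync", "").upper() == "TRUE"


def reverse_zones_for_cidr(cidr):
    """/24-granularity in-addr.arpa zones covering an IPv4 CIDR.

    Prefixes longer than /24 are rounded up to the enclosing /24; RFC 2317
    classless delegations are not modelled.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa.")
    return zones


def missing_reverse_zones(cidr, existing_zone_names):
    have = {z if z.endswith(".") else z + "." for z in existing_zone_names}
    return [z for z in reverse_zones_for_cidr(cidr) if z not in have]


def parse_update_policy(policy):
    """Split a BIND update-policy string into its grant/deny rules."""
    return [{"action": a, "identity": ident, "type": rtype, "name": name,
             "rrtypes": types.split()}
            for a, ident, rtype, name, types in GRANT_RE.findall(policy)]


def realm_wide_ptr_writers(policy):
    """Realms whose every host principal may update any PTR under the rule's name.

    krb5-subdomain matches the signer on realm only, so the default FreeIPA
    reverse-zone policy "grant REALM krb5-subdomain ZONE PTR;" lets one
    enrolled host overwrite another host's reverse record.  An empty type
    list means the grant is not restricted to PTR.
    """
    return [r["identity"] for r in parse_update_policy(policy)
            if r["action"] == "grant" and r["type"] == "krb5-subdomain"
            and (not r["rrtypes"] or "PTR" in r["rrtypes"] or "ANY" in r["rrtypes"])]


def report(forward_text, reverse_texts, cidr, realm):
    """Findings for one forward zone, its reverse zones and the DHCP range."""
    fwd = parse_zone_show(forward_text)
    revs = [parse_zone_show(t) for t in reverse_texts]
    findings = []
    if not ptr_sync_enabled(fwd):
        zone = fwd["Zone name"].rstrip(".")
        findings.append(f"{zone}: Allow PTR sync is not TRUE; "
                        f"run: ipa dnszone-mod {zone} --allow-sync-ptr=TRUE")
    for zone in missing_reverse_zones(cidr, [r["Zone name"] for r in revs]):
        findings.append(f"{cidr}: no reverse zone {zone}; PTRs in that /24 cannot be created")
    for r in revs:
        writers = [w.upper() for w in realm_wide_ptr_writers(r.get("BIND update policy", ""))]
        if realm.upper() in writers:
            findings.append(f"{r['Zone name']}: any host in {realm} may update any PTR (krb5-subdomain grant)")
    return findings


if __name__ == "__main__":
    for line in report(FORWARD_ZONE, [REVERSE_ZONE], "172.16.32.0/20", "INITD.INT"):
        print(line)
```

Run against the sample it reports the missing sync flag, fifteen reverse zones that do not exist, and the realm-wide PTR grant. The third finding is informational: with bind-dyndb-ldap doing the PTR synchronisation server-side, the reverse zone's update policy only governs what enrolled hosts may change through direct GSS-TSIG dynamic updates, so tighten it only if hosts are not expected to write PTRs themselves.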
Re: [Freeipa-users] IPA Client Unattended Registration Issue
Thanks Martin, this works, and apologies for not confirming the solution.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 5:20 PM, Martin Basti mba...@redhat.com wrote:
> Please provide feedback if this (and which) solution works for you, this may help other users too.
>
> Martin
>
> On 08/14/2015 11:02 AM, Martin Basti wrote:
> > On 08/14/2015 10:54 AM, Martin Basti wrote:
> > > On 08/14/2015 10:12 AM, Yogesh Sharma wrote:
> > > > Hi,
> > > > We use Chef to perform the basic system setup once we launch a new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended ipa-client installation, we are passing the below parameters:
> > > >
> > > >   ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended
> > > >
> > > > However, we always get a password incorrect error, though we are sure it is correct:
> > > >
> > > >   Joining realm failed: Incorrect password.
> > > >   Installation failed. Rolling back changes.
> > > >   IPA client is not configured on this system.
> > >
> > > Hello,
> > > please add the --principal option, probably --principal admin
> > >
> > > --password without the --principal option requires a bulk password (ipa-client-install -h)
> > >
> > > HTH
> > > Martin
> >
> > Or if you want to use a bulk password, you must add the host with the bulk password before:
> >
> >   [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
> >   [client.initd.int]$ ipa-client-install --password=bulkpassword
> >
> > HTH
> > Martin
Re: [Freeipa-users] IPA Client Unattended Registration Issue
Thanks Martin, it worked.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Fri, Aug 14, 2015 at 2:32 PM, Martin Basti mba...@redhat.com wrote:
> On 08/14/2015 10:54 AM, Martin Basti wrote:
> > On 08/14/2015 10:12 AM, Yogesh Sharma wrote:
> > > Hi,
> > > We use Chef to perform the basic system setup once we launch a new server. We are updating our cookbook to include ipa-client-install once we run our base cookbook via chef-client. For unattended ipa-client installation, we are passing the below parameters:
> > >
> > >   ipa-client-install --server=ipa.initd.int --domain=initd.int --realm=INITD.INT --password=xx --mkhomedir --no-ntp --unattended
> > >
> > > However, we always get a password incorrect error, though we are sure it is correct:
> > >
> > >   Joining realm failed: Incorrect password.
> > >   Installation failed. Rolling back changes.
> > >   IPA client is not configured on this system.
> >
> > Hello,
> > please add the --principal option, probably --principal admin
> >
> > --password without the --principal option requires a bulk password (ipa-client-install -h)
> >
> > HTH
> > Martin
>
> Or if you want to use a bulk password, you must add the host with the bulk password before:
>
>   [ipaserver]$ ipa host-add client.initd.int --password=bulkpassword
>   [client.initd.int]$ ipa-client-install --password=bulkpassword
>
> HTH
> Martin
[Freeipa-users] PTR record not adding to IPA DNS
Hi,
Upon client registration, PTR records are not getting added to the reverse zone in IPA DNS.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus
Re: [Freeipa-users] Error while Enrolling Client
Thanks Jakub/Lukas,
Setting the right cache timeout fixed the issue. man sssd-sudo really helped us. Thanks again for the suggestion.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Wed, Aug 12, 2015 at 11:22 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
> On (11/08/15 20:53), Jakub Hrozek wrote:
> > On Tue, Aug 11, 2015 at 09:29:46PM +0530, Yogesh Sharma wrote:
> > > Yes Jakub...that was the issue. We have fixed it and updated the list. Thanks Jakub.
> > >
> > > I would like to have one suggestion. We have implemented sudo, but every time we need to restart sssd to pick up the changes. We have tried implementing the cache timeout also, but it is not working as expected. Any other config changes required?
> >
> > No, this is not expected. Can you get logs after you've added the sudo rule but before the client is restarted in order to capture the issue? It would be best to add debug_level=7 to sudo, nss and domain sections.
>
> I thought it is a side effect of the sudo rule caching mechanism and periodic tasks. So it might be expected behaviour.
> Periodic tasks are fired a few seconds after start of sssd. It might explain why restarting sssd works.
>
> @see more details in man sssd-sudo - THE SUDO RULE CACHING MECHANISM
>
> LS
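Lukas's pointer to the caching section of sssd-sudo(5) explains both symptoms in this thread: sssd does not fetch sudo rules on every `sudo` call but through a periodic full refresh (`ldap_sudo_full_refresh_interval`, 6 h by default), a periodic smart refresh that only pulls rules with a newer entryUSN (`ldap_sudo_smart_refresh_interval`, 15 min by default), and a per-user rules refresh triggered when that user runs `sudo` after the cached rules have aged past `entry_cache_sudo_timeout` (falling back to `entry_cache_timeout`, 90 min by default). The periodic refreshes fire shortly after startup, which is why a restart "fixes" it. The script below is an added example of mine, not code from the thread or from sssd: it reads an sssd.conf and nsswitch.conf (the two texts are constructed samples, and the interval names and defaults are the ones the man pages document) and turns the settings into a worst-case delay a practitioner can compare against what they observe.

```python
"""Added example (not from the thread or from sssd): estimate, from a client's
sssd.conf, how long a sudo rule change can take to become visible, using the
three refresh mechanisms documented in sssd-sudo(5).

Defaults are the documented ones; SAMPLE_SSSD_CONF and SAMPLE_NSSWITCH are
constructed samples, not files from the thread.
"""
import configparser

DEFAULT_FULL_REFRESH = 21600    # ldap_sudo_full_refresh_interval, 6 h
DEFAULT_SMART_REFRESH = 900     # ldap_sudo_smart_refresh_interval, 15 min
DEFAULT_ENTRY_CACHE = 5400      # entry_cache_timeout, 90 min; entry_cache_sudo_timeout falls back to it

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = initd.int

[domain/initd.int]
id_provider = ipa
ipa_domain = initd.int
ipa_server = _srv_, ipa.initd.int
sudo_provider = ipa
ldap_sudo_smart_refresh_interval = 60
entry_cache_sudo_timeout = 120
"""

SAMPLE_NSSWITCH = "passwd: files sss\nsudoers: files sss\n"


def sudo_cache_settings(conf_text, domain):
    """Effective sudo refresh intervals (seconds) for one [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] in sssd.conf")
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    full = cp.getint(section, "ldap_sudo_full_refresh_interval", fallback=DEFAULT_FULL_REFRESH)
    smart = cp.getint(section, "ldap_sudo_smart_refresh_interval", fallback=DEFAULT_SMART_REFRESH)
    entry = cp.getint(section, "entry_cache_sudo_timeout",
                      fallback=cp.getint(section, "entry_cache_timeout", fallback=DEFAULT_ENTRY_CACHE))
    # sssd 1.x needs the sudo responder listed explicitly; 2.x can socket-activate it.
    return {"sudo_responder": "sudo" in services, "full": full, "smart": smart, "rules": entry}


def sudoers_uses_sss(nsswitch_text):
    """True when the sudoers line in nsswitch.conf consults sss at all."""
    for line in nsswitch_text.splitlines():
        key, _, sources = line.partition(":")
        if key.strip() == "sudoers":
            return "sss" in sources.split()
    return False


def worst_case_delay(settings, change):
    """Seconds after which a change is guaranteed visible on the client.

    'added'/'modified': the smart refresh pulls entries with a newer USN, and
    the per-user rules refresh (run when the user invokes sudo after their
    cached rules expired) re-fetches that user's rules; the earlier one wins.
    'deleted': the smart refresh cannot observe deletions, so the only bound
    that holds for every user is the full refresh.
    """
    if change in ("added", "modified"):
        return min(settings["smart"], settings["rules"])
    if change == "deleted":
        return settings["full"]
    raise ValueError(f"unknown change kind {change!r}")


def check(conf_text, nsswitch_text, domain):
    """Findings to review before blaming the server for a missing rule."""
    s = sudo_cache_settings(conf_text, domain)
    findings = []
    if not s["sudo_responder"]:
        findings.append("sudo is not listed in [sssd] services")
    if not sudoers_uses_sss(nsswitch_text):
        findings.append("nsswitch.conf sudoers line does not include sss")
    if s["smart"] >= s["full"]:
        findings.append("smart refresh interval is not shorter than the full refresh interval, so it is redundant")
    findings.append(f"added rule visible within {worst_case_delay(s, 'added')} s, "
                    f"deleted rule within {worst_case_delay(s, 'deleted')} s")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH, "initd.int"):
        print(line)
```

The sample config shortens the smart refresh to 60 s and the per-user cache to 120 s, which is the kind of tuning the thread ended up with; the defaults give 900 s for a new rule and six hours before a deleted rule is guaranteed gone everywhere, which is worth remembering when a rule is removed for a user who should lose access now (a restart of sssd on the client, or waiting for the full refresh, is the only guarantee).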
[Freeipa-users] Error while Enrolling Client
Hi Team,
While registering to the IPA server we are getting the below error. Any suggestion please?

[root@client ~]# ipa-client-install --mkhomedir --no-ntp
Discovery was successful!
Hostname: client.domain.int
Realm: domain.INT
DNS Domain: domain.int
IPA Server: ldap.domain.int
BaseDN: dc=domain,dc=int

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Password for ad...@domain.int:
Enrolled in IPA realm domain.INT
Attempting to get host TGT...
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm domain.INT
trying https://ldap.domain.int/ipa/xml
Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2567, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2553, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2346, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward
    raise error(message=e.faultString)
ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus
Re: [Freeipa-users] Error while Enrolling Client
Yes Jakub...that was the issue. We have fixed it and updated the list. Thanks Jakub.

I would like to have one suggestion. We have implemented sudo, but every time we need to restart sssd to pick up the changes. We have tried implementing the cache timeout also, but it is not working as expected. Any other config changes required?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks | http://in.linkedin.com/in/yks | https://twitter.com/checkwithyogesh | http://google.com/+YogeshSharmaOnGooglePlus

On Tue, Aug 11, 2015 at 9:21 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Tue, Aug 11, 2015 at 08:43:49PM +0530, Yogesh Sharma wrote:
> > Hi Team,
> > While registering to the IPA server we are getting the below error. Any suggestion please?
> >
> > [root@client ~]# ipa-client-install --mkhomedir --no-ntp
> > Discovery was successful!
> > Hostname: client.domain.int
> > Realm: domain.INT
> > DNS Domain: domain.int
> > IPA Server: ldap.domain.int
> > BaseDN: dc=domain,dc=int
> >
> > Continue to configure the system with these values? [no]: yes
> > User authorized to enroll computers: admin
> > Synchronizing time with KDC...
> > Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
> > Password for ad...@domain.int:
> > Enrolled in IPA realm domain.INT
> > Attempting to get host TGT...
> > Created /etc/ipa/default.conf
> > New SSSD config will be created
> > Configured sudoers in /etc/nsswitch.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm domain.INT
> > trying https://ldap.domain.int/ipa/xml
> > Forwarding 'env' to server u'https://ldap.domain.int/ipa/xml'
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 2567, in <module>
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 2553, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 2346, in install
> >     remote_env = api.Command['env'](server=True)['result']
> >   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 438, in __call__
> >     ret = self.run(*args, **options)
> >   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1076, in run
> >     return self.forward(*args, **options)
> >   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 772, in forward
> >     return self.Backend.xmlclient.forward(self.name, *args, **kw)
> >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 731, in forward
> >     raise error(message=e.faultString)
> > ipalib.errors.ACIError: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
>
> Check the time on your machines..
Re: [Freeipa-users] IPA Client using Source Code
Yes Petr. A support case has already been opened with them.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Tue, Mar 31, 2015 at 12:20 PM, Petr Spacek pspa...@redhat.com wrote:
> On 30.3.2015 11:23, Yogesh Sharma wrote:
> > Hi Jakub:
> > The FreeIPA package is not available in Amazon Linux running on EC2 instances. We tried to install individual packages but it is breaking at many places.
>
> BTW if you want FreeIPA support in Amazon Linux then please contact Amazon support and tell them about your request. It will make life easier for you and everyone else too (in long-term).
>
> Have a nice day!
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] IPA Client using Source Code
Sure.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 3:05 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
> > Hi Jakub:
> > The FreeIPA package is not available in Amazon Linux running on EC2 instances. We tried to install individual packages but it is breaking at many places.
> >
> > It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence it shows like this :). We are using 3.0.2 as of now.
>
> Then I wonder if it would be more useful to add a repo that already contains the package, from CentOS maybe? You'll get the updates for free..
[Freeipa-users] IPA Client using Source Code
Hi List,
We are trying to install the IPA client from source code. While installing we are seeing many errors, most of which are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.

gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
 #include <popt.h>
                  ^
compilation terminated.
make[2]: *** [ipa-getkeytab.o] Error 1
make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
make: *** [all] Error 2

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks
Re: [Freeipa-users] IPA Client using Source Code
Hi Jakub:
The FreeIPA package is not available in Amazon Linux running on EC2 instances. We tried to install individual packages but it is breaking at many places.

It is not 1.x. We had a directory with this name and I extracted the tar in the same folder, hence it shows like this :). We are using 3.0.2 as of now.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 2:39 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
> > Hi List,
> > We are trying to install the IPA client from source code.
>
> Why?
>
> > While installing we are seeing many errors, most of which are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
> >
> > gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
> > ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
> >  #include <popt.h>
> >                   ^
>
> libpopt-devel is missing. The easiest way to fetch them all is with yum-builddeps.
>
> > compilation terminated.
> > make[2]: *** [ipa-getkeytab.o] Error 1
> > make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> > make[1]: *** [all-recursive] Error 1
> > make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
>                                               ~
> Whoa, are you sure? ipa 1.x?
Re: [Freeipa-users] IPA Client using Source Code
Thanks Sir.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Mon, Mar 30, 2015 at 8:34 PM, Gonzalo Fernandez Ordas g.fer.or...@unicyber.co.uk wrote:
> You need the development package. That should be popt-devel.
> If you are still using amazon you have to modify the sources to include the devel.
> Otherwise if you feel very crafty you can get to a site such as http://rpm.pbone.net/ and look for the relevant development package which got the same version as your existing binaries..
>
> On 30/03/2015 01:48, Yogesh Sharma wrote:
> > Hi List,
> > We are trying to install the IPA client from source code. While installing we are seeing many errors, most of which are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it? I will update if I find anything.
> >
> > gcc -DHAVE_CONFIG_H -I. -I. -I. -DPREFIX=\"/usr/local\" -DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -DLIBEXECDIR=\"/usr/local/libexec\" -DDATADIR=\"/usr/local/share\" -I/usr/include/mozldap -I/usr/include/nspr4 -I/usr/include/nss3 -DWITH_MOZLDAP -g -O2 -MT ipa-getkeytab.o -MD -MP -MF .deps/ipa-getkeytab.Tpo -c -o ipa-getkeytab.o ipa-getkeytab.c
> > ipa-getkeytab.c:41:18: fatal error: popt.h: No such file or directory
> >  #include <popt.h>
> >                   ^
> > compilation terminated.
> > make[2]: *** [ipa-getkeytab.o] Error 1
> > make[2]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> > make[1]: *** [all-recursive] Error 1
> > make[1]: Leaving directory `/root/freeipa-1.2.1/ipa-client'
> > make: *** [all] Error 2
Re: [Freeipa-users] IPA Client Install on Amazon Linux
Thanks Gonzalo. Appreciate your help here, let me try this.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
http://in.linkedin.com/in/yks

On Sat, Mar 28, 2015 at 11:23 PM, Gonzalo Fernandez Ordas g.fer.or...@unicyber.co.uk wrote:
> Yogesh
>
> You do not need to explain anything to me. Most people around here are in the same boat and have been working on this stuff already for quite a while.
> I forgot to mention this is for a PROPER sssd run; still you will need all those below as you will get some issues sorted (especially sudo related).
>
> So...you need the following if I remember well..:
>
> system-arch -- system architecture
>
> libipa_hbac-1.9.2-129.el6.-system_arch-.rpm
> sssd-client-1.9.2-129.el6.-system_arch-.rpm
> sssd-1.9.2-129.el6_5.4.-system_arch-.rpm
> sudo-1.8.6p3-12.el6.-system_arch-
>
> I haven't installed the freeIPA client but I have run sssd successfully for a 389-ds server and the above combination worked all right, especially the sudo bit which was a bit of a hell.
> To get to that point I spent a number of fun days thanks to the limitations provided by amazon on their packages.
> Do not forget to install the epel and try to look for either ipa or ipa-server as I doubt that will be called freeipa at all. (I haven't tested that though.)
>
> Gonzalo
>
> On 27/03/2015 01:03, Yogesh Sharma wrote:
> > Gonzalo,
> > We have some running servers on Amazon Linux and it would be difficult to migrate all those to CentOS or RHEL as of now. Hence if you can provide the package versions then it would really help us until the time we do the migration. For sure all our new servers are going to be CentOS or RHEL.
> >
> > On Fri, Mar 27, 2015 at 1:03 PM, Gonzalo Fernandez Ordas g.fer.or...@unicyber.co.uk wrote:
> > > Yogesh
> > > My personal experience using AWS Linux and LDAP is not a good one and mostly an utter nightmare in relation to packages.
> > > Personally I would recommend you to keep away from AWS Linux and get a Centos, Fedora or Redhat.
> > > Still, if you want to go ahead, I can give you the right versions for a couple of packages as the default sudo given by Amazon simply DOES NOT work (no idea what they have done to it..)
> > >
> > > Thanks
> > >
> > > On 27/03/2015 00:03, Yogesh Sharma wrote:
> > > > Hello,
> > > > Is there any repo available for Amazon Linux to install the IPA client, or is the below the only way to do it, as found in the freeipa-users mail archive?
> > > > http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
> > > >
> > > > Thanks for the help.
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 16684
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [ad...@sd.int]
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: sd.int
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): user: admin
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 125.63.90.34
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 16684
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): domain: sd.int
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): user: admin
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): service: sshd
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): tty: ssh
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): ruser:
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): rhost: 125.63.90.34
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): authtok type: 0
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): priv: 0
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): cli_pid: 16684
(Fri Mar 27 10:23:52 2015) [sssd[be[sd.int]]] [be_pam_handler] (0x0100): Sending result [0][sd.int]
(Fri Mar 27 10:23:52 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][sd.int]

Apologies for using bold letters.

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 8:45 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Mar 26, 2015 at 08:05:03PM +0530, Yogesh Sharma wrote:
>> Hi Jakub,
>>
>> SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed.
>
> And what do the logs say then, with the new password?
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
No. This is the second attempt after changing the password on first login. If you want I can re-send you the logs, but these are the second login logs of this user.

Best Regards,
Yogesh Sharma

On Fri, Mar 27, 2015 at 12:32 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Fri, Mar 27, 2015 at 10:28:13AM +0530, Yogesh Sharma wrote:
>> Hi Jakub,
>>
>> Please find the logs for the user test created in IPA.
>>
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=test]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t...@sd.int]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=test]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [t...@sd.int]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [1][1][name=test]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Fri Mar 27 10:19:52 2015) [sssd[be[sd.int]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
>> (Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging sd.int
>> (Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
>> (Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
>> (Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
>> (Fri Mar 27 10:19:56 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
>> (Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
>> (Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service pac replied to ping
>> (Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service ssh replied to ping
>> (Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
>> (Fri Mar 27 10:19:56 2015) [sssd] [ping_check] (0x0100): Service sd.int replied to ping
>> (Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
>> (Fri Mar 27 10:19:57 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info
[Freeipa-users] IPA Client Install on Amazon Linux
Hello,

Is there any repo available for Amazon Linux to install IPA Client, OR is the below the only way to do it, as found in the freeipa-users mail archive?
http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html

Thanks for the help.

Best Regards,
Yogesh Sharma
[Freeipa-users] Not able to SSH with User Created in IPA Server
suid=74 rport=50263 laddr=20.0.0.159 lport=22 exe=/usr/sbin/sshd hostname=? addr=61.16.237.50 terminal=? res=success'
type=USER_ERR msg=audit(1427364618.993:2630): user pid=11569 uid=0 auid=500 ses=328 msg='op=PAM:bad_ident acct=? exe=/usr/sbin/sshd hostname=61.16.237.50 addr=61.16.237.50 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1427364618.993:2631): user pid=11569 uid=0 auid=500 ses=328 msg='op=destroy kind=server fp=05:d1:fd:ee:1a:64:fd:6b:ec:a5:ac:66:34:6f:61:e7 direction=? spid=11569 suid=0 exe=/usr/sbin/sshd hostname=? addr=61.16.237.50 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1427364618.993:2632): user pid=11569 uid=0 auid=500 ses=328 msg='op=destroy kind=server fp=91:ae:3f:fc:6e:5e:ec:76:8f:00:50:ee:c0:1d:c4:dc direction=? spid=11569 suid=0 exe=/usr/sbin/sshd hostname=? addr=61.16.237.50 terminal=? res=success'
type=USER_LOGIN msg=audit(1427364618.994:2633): user pid=11569 uid=0 auid=500 ses=328 msg='op=login acct=cm8158 exe=/usr/sbin/sshd hostname=? addr=61.16.237.50 terminal=ssh res=failed'

Secure log:

Mar 26 10:11:58 ldap-inf-stg-sg1-01 sshd[11575]: reverse mapping checking getaddrinfo for del-static-50-237-16-61.direct.net.in [61.16.237.50] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 26 10:11:58 ldap-inf-stg-sg1-01 sshd[11576]: Connection closed by 61.16.237.50

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
Hi Jakub,

SSSD prompted to change the password. After changing the password, when we try to ssh again using the new password, it failed.

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:55 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
>> Once I manually initialize the user ticket on the IPA Server using kinit username, I am able to login with and without FQDN.
>
> It's expected that IPA users are created with an expired password. But SSSD should have prompted you for a password change if you logged in the first time with the expired password... as seen from the krb5_child.log, it got the correct response from the KDC..
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
This message is coming because the user is trying to login for the first time. IPA Admin has set a password, and when the user tries to login it will prompt to change it. sssd logs it as password expired.

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:55 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote:
>> Thanks, but when I try to use the admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create.
>>
>> (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
>> (Thu Mar 26 19:30:55 2015) [[sssd[krb5_child[13625]]]] [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]
>
> password expired?
>
> --
> regards,
> natxo
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
I have tried with the FQDN of the host also, as registered, but the error remains the same:

(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [unpack_buffer] (0x0100): cmd [241] uid [131284] gid [131284] validate [true] enterprise principal [false] offline [false] UPN [te...@sd.int]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_131284_XX] keytab: [/etc/krb5.keytab]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [k5c_setup_fast] (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/dns-inf-stg-sg1-01.sd@sd.int]
(Thu Mar 26 19:43:02 2015) [[sssd[krb5_child[13730]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Thu Mar 26 19:43:06 2015) [[sssd[krb5_child[13730]]]] [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [child_sig_handler] (0x0100): child [13730] finished successfully.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [ipa_get_migration_flag_done] (0x0100): Password migration is not enabled.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, NULL) [Success]

Once I manually initialize the user ticket on the IPA Server using kinit username, I am able to login with and without FQDN.

[root@ldap-inf-stg-sg1-01 lib]# kinit test1
Password for te...@sd.int:
Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Password is too short

Password not changed..
Please try again.
Enter new password:
Enter it again:

root@yogesh-ubuntu-pc:/home/yogesh# ssh te...@dns-inf-stg-sg1-01.sd.int
te...@dns-inf-stg-sg1-01.sd.int's password:
Last login: Thu Mar 26 19:45:36 2015 from 125.63.90.34
-sh-4.1$ logout
Connection to dns-inf-stg-sg1-01.sd.int closed.
root@yogesh-ubuntu-pc:/home/yogesh# ssh test1@52.74.84.94
test1@52.74.84.94's password:
Last login: Thu Mar 26 19:45:55 2015 from 125.63.90.34
-sh-4.1$

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:42 PM, Yogesh Sharma yks0...@gmail.com wrote:
> Thanks, but when I try to use the admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create.
>
> === TEST user Login Logs:
>
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=test]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSIDString] attribute while id-mapping. [0][Success]
> (Thu Mar 26 19:30:51 2015) [sssd[be[sd.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [test] from [ALL]
> (Thu Mar 26 19:30:51 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [t...@sd.int]
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost: 125.63.90.34
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Mar 26 19:30:51 2015) [sssd[pam]] [pam_print_data
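The krb5_child lines quoted in this message and in the earlier reply from Natxo carry MIT krb5 error codes ("Password has expired", then "Preauthentication failed"), and the backend line carries the PAM status the IPA provider handed back. What follows is an added triage helper, not code from the thread or from SSSD: it parses SSSD debug lines, names those krb5 codes, and pulls out the user and the backend status so a login attempt can be classified without reading the whole log by hand. The sample log is constructed after the lines above (the bracketed krb5_child prefix is written out in full as SSSD prints it), and the two code names are the standard MIT krb5 protocol error constants.

```python
"""Triage helper for SSSD debug logs (added example): pull the krb5_child
errors and the final PAM backend result out of one login attempt."""
import re
from collections import Counter

# Constructed sample, modelled on the thread's krb5_child / be / pam lines.
SAMPLE_LOG = """\
(Thu Mar 26 19:43:01 2015) [sssd[pam]] [pam_print_data] (0x0100): user: test1
(Thu Mar 26 19:43:01 2015) [[sssd[krb5_child[13730]]]] [unpack_buffer] (0x0100): cmd [241] uid [131284] gid [131284] validate [true] enterprise principal [false] offline [false] UPN [test1@sd.int]
(Thu Mar 26 19:43:02 2015) [[sssd[krb5_child[13730]]]] [get_and_save_tgt] (0x0020): 981: [-1765328361][Password has expired]
(Thu Mar 26 19:43:06 2015) [[sssd[krb5_child[13730]]]] [map_krb5_error] (0x0020): 1043: [-1765328360][Preauthentication failed]
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [child_sig_handler] (0x0100): child [13730] finished successfully.
(Thu Mar 26 19:43:06 2015) [sssd[be[sd.int]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 17, NULL) [Success]
not an sssd line
"""

# One SSSD debug line: "(timestamp) [component] [function] (0xlevel): message".
# The component never contains spaces, so \S+ takes nested forms such as
# "[sssd[be[sd.int]]]" or "[[sssd[krb5_child[13730]]]]" whole.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+(?P<comp>\S+)\s+\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<lvl>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
# krb5_child reports errors as "<source line>: [<krb5 code>][<text>]".
KRB5_ERR_RE = re.compile(r"^\d+:\s*\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
# The IPA provider reports the PAM result as "Backend returned: (x, <status>, ...)".
BACKEND_RE = re.compile(r"Backend returned: \(\d+,\s*(?P<status>\d+),")

# MIT krb5 protocol error codes: KRB5KDC_ERR_* = -1765328384 + protocol code.
KRB5_NAMES = {
    -1765328361: "KRB5KDC_ERR_KEY_EXP",         # code 23: password expired
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",  # code 24: pre-auth failed
}


def parse_line(line):
    """Return the fields of one SSSD debug line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Summarize one attempt: user, krb5 errors seen, PAM backend status."""
    summary = {"user": None, "krb5_errors": [], "backend_status": None,
               "functions": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated output, skip it
        summary["functions"][rec["func"]] += 1
        msg = rec["msg"]
        if rec["func"] == "pam_print_data" and msg.startswith("user: "):
            summary["user"] = msg[len("user: "):]
        if "krb5_child" in rec["comp"]:
            err = KRB5_ERR_RE.match(msg)
            if err:
                code = int(err.group("code"))
                summary["krb5_errors"].append(
                    (code, KRB5_NAMES.get(code, "UNKNOWN"), err.group("text")))
        hit = BACKEND_RE.search(msg)
        if hit:
            summary["backend_status"] = int(hit.group("status"))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("user:", result["user"])
    for code, name, text in result["krb5_errors"]:
        print(f"  {name} ({code}): {text}")
    print("backend status:", result["backend_status"])
```

The pair KEY_EXP followed by PREAUTH_FAILED, with a non-zero backend status, is exactly the shape of the logs in this thread: a first login with an admin-set, already-expired password whose change dialog did not complete. Feeding a whole sssd_<domain>.log through `triage` lets you tell that case apart from a plain wrong password (PREAUTH_FAILED alone) before touching the account.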
Re: [Freeipa-users] Not able to SSH with User Created in IPA Server
]]] [pam_print_data] (0x0100): tty: ssh
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): ruser:
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): rhost: 125.63.90.34
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): priv: 0
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [pam_print_data] (0x0100): cli_pid: 13648
(Thu Mar 26 19:33:45 2015) [sssd[be[sd.int]]] [be_pam_handler] (0x0100): Sending result [0][sd.int]
(Thu Mar 26 19:33:45 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][sd.int]
(Thu Mar 26 19:33:46 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [ALL]
(Thu Mar 26 19:33:46 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [ad...@sd.int]
(Thu Mar 26 19:33:46 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [1312800...@sd.int]
(Thu Mar 26 19:33:46 2015) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [131280]

Best Regards,
Yogesh Sharma

On Thu, Mar 26, 2015 at 7:10 PM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2015-03-26 at 15:42 +0530, Yogesh Sharma wrote:
>> Hi,
>>
>> We are getting an error while trying to ssh using users created in the IPA server.
>>
>> root@yogesh-ubuntu-pc:~# ssh -vvv cm8158@52.74.84.94
>
> You should use the machine's fully qualified name if you want to login using GSSAPI/Krb5; an IP address cannot be resolved to a proper key, as keys are registered into the KDC as host/machine.fully.qualified.name@REALM.
>
> It's the same thing as with HTTPS: the client needs to know the name of the server in order to be able to properly communicate with it.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
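Simo's point is that the KDC only holds a key for host/<fqdn>@REALM, so the name the client connects with has to be the enrolled FQDN. The check below is an added example, not code from the thread: it derives the host principal a client would request for a given SSH target, refuses IP literals and short names outright, and confirms that the principal is present in the host's keytab by parsing `klist -kt` output. The hostname and realm (dns-inf-stg-sg1-01.sd.int, SD.INT) are taken from the thread; the klist output is constructed, and the lowercase-host / uppercase-realm normalization assumes hosts were enrolled by ipa-client-install, which registers them that way.

```python
"""Kerberos target-name check for SSH/GSSAPI logins (added example): which
host principal a client will ask for, and whether this host's keytab has it."""
import ipaddress
import re

# Constructed `klist -kt /etc/krb5.keytab` output for the enrolled host.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 03/25/2015 06:40:10 host/dns-inf-stg-sg1-01.sd.int@SD.INT
   1 03/25/2015 06:40:10 host/dns-inf-stg-sg1-01.sd.int@SD.INT
"""

# A klist -kt row: KVNO, date, time, principal. Header and ruler lines do not match.
KLIST_ROW_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def expected_host_principal(target, realm):
    """Principal the client requests a service ticket for when it connects
    to `target`. Raises ValueError for an IP literal or an unqualified name,
    since neither can be mapped to a host/<fqdn>@REALM key in the KDC."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise ValueError(f"{target!r} is an IP address; use the host's FQDN")
    name = target.rstrip(".").lower()  # assumption: hosts enrolled lowercase
    if "." not in name:
        raise ValueError(f"{target!r} is not a fully qualified name")
    return f"host/{name}@{realm.upper()}"


def keytab_principals(klist_output):
    """Parse `klist -kt` text into the set of principals it lists."""
    return {m.group(1) for line in klist_output.splitlines()
            if (m := KLIST_ROW_RE.match(line))}


def check_target(target, realm, klist_output):
    """Report whether the name a client would use has a key on this host."""
    try:
        principal = expected_host_principal(target, realm)
    except ValueError as exc:
        return {"principal": None, "in_keytab": False, "problem": str(exc)}
    present = principal in keytab_principals(klist_output)
    problem = None if present else f"{principal} not found in keytab"
    return {"principal": principal, "in_keytab": present, "problem": problem}


if __name__ == "__main__":
    for target in ("dns-inf-stg-sg1-01.sd.int", "52.74.84.94", "dns-inf-stg-sg1-01"):
        print(target, "->", check_target(target, "SD.INT", SAMPLE_KLIST))
```

Run against real output (`klist -kt /etc/krb5.keytab` on the enrolled host) this tells you, before any login attempt, whether the name users are typing can ever produce a GSSAPI login; an IP such as the 52.74.84.94 used in this thread is rejected immediately, and a host enrolled under a different name shows up as "not found in keytab".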
[Freeipa-users] Configuration of client side components failed! on IPA Server
Hi,

We are getting the below error while installing IPA Server (ipa-server-install --no-ntp).

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1

Logs indicate the below errors:

2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h ldap-inf-stg-sg1-01.sd.int -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS -T /var/lib/ipa/tmp0iYpzn uid=admin,cn=users,cn=accounts,dc=sd,dc=int
2015-03-25T06:39:59Z DEBUG stdout=
2015-03-25T06:39:59Z DEBUG stderr=
2015-03-25T06:39:59Z DEBUG ldappasswd done
2015-03-25T06:40:10Z DEBUG args=/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int
2015-03-25T06:40:10Z DEBUG stdout=
2015-03-25T06:40:10Z DEBUG stderr=Failed to verify that ldap-inf-stg-sg1-01.sd.int is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Installation failed. Rolling back changes.
Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.

2015-03-25T06:40:10Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1103, in main
    sys.exit("Configuration of client side components failed!\nipa-client-install returned: " + str(e))

2015-03-25T06:40:10Z INFO The ipa-server-install command failed, exception: SystemExit: Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1

This server is on AWS and I can confirm that all the above ports are open. Also, as it is installing on the same server where the IPA Server is being installed, ports should not be an issue. Am I missing anything here?

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
I have checked, there is no default.conf. Please suggest.

[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/
total 8.0K
drwxr-xr-x 2 root root 4.0K Mar 24 13:29 html
-r--r--r-- 1 root root 1.3K Mar 25 06:36 ca.crt
[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/html/
total 28K
-rw-r--r-- 1 root root 1.4K Oct 16 15:03 unauthorized.html
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 ssbrowser.html
-rw-r--r-- 1 root root  521 Oct 16 15:03 ipa_error.css
-rw-r--r-- 1 root root 4.5K Oct 16 15:03 ffconfig_page.js
-rw-r--r-- 1 root root 2.9K Oct 16 15:03 ffconfig.js
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 browserconfig.html
[root@ldap-inf-stg-sg1-01 ipa]#

Best Regards,
Yogesh Sharma

On Wed, Mar 25, 2015 at 12:16 PM, Yogesh Sharma yks0...@gmail.com wrote:
> Hi,
>
> We are getting the below error while installing IPA Server (ipa-server-install --no-ntp).
>
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1
>
> Logs indicate the below errors:
>
> [...]
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
While restarting using ipactl, it is stopping. Any suggestion?

[root@ldap-inf-stg-sg1-01 ys7673]# ipactl stop
Starting dirsrv:
    PKI-IPA...                                [  OK  ]
    SD-INT...                                 [  OK  ]
Stopping CA Service
pki-tomcatd: unrecognized service
Failed to stop CA Service
Stopping HTTP Service
Stopping httpd:                               [FAILED]
Stopping MEMCACHE Service
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:             [FAILED]
Stopping KDC Service
Stopping Kerberos 5 KDC:                      [FAILED]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA...                                [  OK  ]
    SD-INT...                                 [  OK  ]
[root@ldap-inf-stg-sg1-01 ys7673]# ipactl start
Starting Directory Service
Starting dirsrv:
    PKI-IPA...                                [  OK  ]
    SD-INT...                                 [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                      [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:             [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                       [  OK  ]
Starting HTTP Service
Starting httpd:                               [  OK  ]
Starting CA Service
pki-tomcatd: unrecognized service
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC:                      [  OK  ]
Stopping Kerberos 5 Admin Server:             [  OK  ]
Stopping ipa_memcached:                       [  OK  ]
Stopping httpd:                               [  OK  ]
pki-tomcatd: unrecognized service
Shutting down dirsrv:
    PKI-IPA...                                [  OK  ]
    SD-INT...                                 [  OK  ]
Aborting ipactl
[root@ldap-inf-stg-sg1-01 ys7673]

Best Regards,
Yogesh Sharma

On Wed, Mar 25, 2015 at 12:29 PM, Yogesh Sharma yks0...@gmail.com wrote:
> I have checked, there is no default.conf. Please suggest.
>
> [...]
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
Any suggestion, please?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 1:20 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

While restarting using ipactl, it is stopping. Any suggestion?

[root@ldap-inf-stg-sg1-01 ys7673]# ipactl stop
Starting dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Stopping CA Service
pki-tomcatd: unrecognized service
Failed to stop CA Service
Stopping HTTP Service
Stopping httpd: [FAILED]
Stopping MEMCACHE Service
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [FAILED]
Stopping KDC Service
Stopping Kerberos 5 KDC: [FAILED]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
[root@ldap-inf-stg-sg1-01 ys7673]# ipactl start
Starting Directory Service
Starting dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [ OK ]
Starting CA Service
pki-tomcatd: unrecognized service
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [ OK ]
pki-tomcatd: unrecognized service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Aborting ipactl
[root@ldap-inf-stg-sg1-01 ys7673]

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 12:29 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

I have checked, there is no default.conf. Please suggest.
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
Hi Martin,

Finally, the issue has been resolved. :)

Is there an RPM available to install the latest IPA version on CentOS, or at least version 4.0.2?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 6:43 PM, Martin Kosek <mko...@redhat.com> wrote:

Ah, maybe. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:
https://fedorahosted.org/freeipa/ticket/

Please let us know if the DNS update fixed the error.

Martin

On 03/25/2015 02:11 PM, Yogesh Sharma wrote:

I think I got the issue. The Realm Name entry in DNS is added in lower case rather than UPPER case.

2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int

Will try changing the Realm and see if it is resolved.
Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

Hi Martin,

Please find the client logs:

2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server': None, 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False, 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True, 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'nisdomain': None, 'prompt_password': False, 'permit': False, 'debug': False, 'preserve_sssd': False, 'uninstall': False}
2015-03-25T12:29:49Z DEBUG missing options might be asked for interactively later
2015-03-25T12:29:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-03-25T12:29:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-03-25T12:29:49Z DEBUG [IPA Discovery]
2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int, servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
2015-03-25T12:29:49Z DEBUG Server and domain forced
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG [LDAP server check]
2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int (realm sd.int) is an IPA server
2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://ldap-inf-stg-sg1-01.sd.int:389
2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for IPA
2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA context
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Validated servers:
2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
2015-03-25T12:29:49Z DEBUG IPA Server not found
2015-03-25T12:29:49Z DEBUG [IPA Discovery]
2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int, servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
2015-03-25T12:29:49Z DEBUG Server and domain forced
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0
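The diagnosis in this thread (the _kerberos TXT record advertises the realm as sd.int while the server's realm container is SD.INT, and the client reports REALM_NOT_FOUND because it compares the two exactly) can be checked mechanically from the client log. The script below is an added example, not part of the thread and not FreeIPA code: it parses ipa-client-install DEBUG lines of the shape quoted above and flags a case-only mismatch between the DNS-advertised realm and the LDAP krbRealmContainer. The sample log is constructed to mirror the lines in this thread; the regular expressions assume that exact log format.

```python
"""Diagnose REALM_NOT_FOUND in an ipa-client-install discovery log.

Added example, not FreeIPA code. It reads the DEBUG lines that
ipa-client-install writes during "[Kerberos realm search]" and
"[LDAP server check]" and reports when the realm advertised in the
_kerberos TXT record differs from the realm container found in LDAP.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG [LDAP server check]
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
"""

# type:16 is a TXT record, type:33 an SRV record (DNS RR type numbers).
TXT_RE = re.compile(r"DNSResult::name:_kerberos\.[^,]+,type:16,.*rdata=\{data:(?P<realm>[^}]*)\}")
SRV_RE = re.compile(r"DNSResult::name:_kerberos\._(?:udp|tcp)\.[^,]+,type:33,.*server:(?P<server>[^}]*)\}")
CONTAINER_RE = re.compile(r"Found: cn=(?P<realm>[^,]+),cn=kerberos,")
RESULT_RE = re.compile(r"Discovery result: (?P<result>[A-Z_]+);")


@dataclass
class Discovery:
    txt_realm: Optional[str] = None                 # realm from the _kerberos TXT record
    ldap_realm: Optional[str] = None                # cn of the krbRealmContainer on the server
    kdcs: List[str] = field(default_factory=list)   # servers from _kerberos SRV records
    result: Optional[str] = None                    # "Discovery result:" code, if logged


def parse_discovery(log: str) -> Discovery:
    """Extract realm and KDC facts from ipa-client-install DEBUG output."""
    d = Discovery()
    for line in log.splitlines():
        if m := TXT_RE.search(line):
            d.txt_realm = m.group("realm").strip()
        elif m := SRV_RE.search(line):
            kdc = m.group("server").strip().rstrip(".")
            if kdc not in d.kdcs:
                d.kdcs.append(kdc)
        elif m := CONTAINER_RE.search(line):
            d.ldap_realm = m.group("realm").strip()
        elif m := RESULT_RE.search(line):
            d.result = m.group("result")
    return d


def diagnose(d: Discovery) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if d.txt_realm is None:
        findings.append("no _kerberos TXT record seen: the client cannot learn the realm from DNS")
    if not d.kdcs:
        findings.append("no _kerberos SRV record seen: no KDC is advertised in DNS")
    if d.txt_realm is not None and d.ldap_realm is not None and d.txt_realm != d.ldap_realm:
        if d.txt_realm.upper() == d.ldap_realm.upper():
            # The case seen in this thread: same realm, wrong case in the TXT record.
            findings.append(
                f"realm case mismatch: DNS TXT advertises {d.txt_realm!r} but the server's "
                f"realm container is {d.ldap_realm!r}; the comparison is exact, so the TXT "
                f"record must read {d.ldap_realm}")
        else:
            findings.append(
                f"realm mismatch: DNS TXT advertises {d.txt_realm!r}, server has {d.ldap_realm!r}")
    if d.result == "REALM_NOT_FOUND" and not findings:
        findings.append("REALM_NOT_FOUND reported but this excerpt shows no DNS/LDAP mismatch; "
                        "check the --realm option against the realm container")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to /var/log/ipaclient-install.log, or run without arguments on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(parse_discovery(text)) or ["no realm problems detected"]:
        print(finding)
```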
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
Thanks Martin for the help.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 7:07 PM, Martin Kosek <mko...@redhat.com> wrote:

This should be in the official RHEL-7.1/CentOS-7.1 repos. Or you can try our upstream CentOS-7 based Copr repo:
https://copr.fedoraproject.org/coprs/mkosek/freeipa/

On 03/25/2015 02:30 PM, Yogesh Sharma wrote:

Hi Martin,

Finally, the issue has been resolved. :)

Is there an RPM available to install the latest IPA version on CentOS, or at least version 4.0.2?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 6:43 PM, Martin Kosek <mko...@redhat.com> wrote:

Ah, maybe. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:
https://fedorahosted.org/freeipa/ticket/

Please let us know if the DNS update fixed the error.

Martin

On 03/25/2015 02:11 PM, Yogesh Sharma wrote:

I think I got the issue. The Realm Name entry in DNS is added in lower case rather than UPPER case.

2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int

Will try changing the Realm and see if it is resolved.
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
I have tried on multiple platforms. I set up the nisdomain and it is resolving, though it is getting the same error. Any help would be appreciated.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 3:42 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

Any suggestion, please?

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 1:20 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

While restarting using ipactl, it is stopping. Any suggestion?

[root@ldap-inf-stg-sg1-01 ys7673]# ipactl stop
Starting dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Stopping CA Service
pki-tomcatd: unrecognized service
Failed to stop CA Service
Stopping HTTP Service
Stopping httpd: [FAILED]
Stopping MEMCACHE Service
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [FAILED]
Stopping KDC Service
Stopping Kerberos 5 KDC: [FAILED]
Stopping Directory Service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
[root@ldap-inf-stg-sg1-01 ys7673]# ipactl start
Starting Directory Service
Starting dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [ OK ]
Starting CA Service
pki-tomcatd: unrecognized service
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [ OK ]
pki-tomcatd: unrecognized service
Shutting down dirsrv:
    PKI-IPA... [ OK ]
    SD-INT... [ OK ]
Aborting ipactl
[root@ldap-inf-stg-sg1-01 ys7673]

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 12:29 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

I have checked, there is no default.conf. Please suggest.

[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/
total 8.0K
drwxr-xr-x 2 root root 4.0K Mar 24 13:29 html
-r--r--r-- 1 root root 1.3K Mar 25 06:36 ca.crt
[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/html/
total 28K
-rw-r--r-- 1 root root 1.4K Oct 16 15:03 unauthorized.html
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 ssbrowser.html
-rw-r--r-- 1 root root  521 Oct 16 15:03 ipa_error.css
-rw-r--r-- 1 root root 4.5K Oct 16 15:03 ffconfig_page.js
-rw-r--r-- 1 root root 2.9K Oct 16 15:03 ffconfig.js
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 browserconfig.html
[root@ldap-inf-stg-sg1-01 ipa]#

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 12:16 PM, Yogesh Sharma <yks0...@gmail.com> wrote:

Hi,

We are getting the below error while installing the IPA Server (ipa-server-install --no-ntp).

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1

Logs indicate the below errors:

2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h ldap-inf-stg-sg1-01.sd.int -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS
Re: [Freeipa-users] Configuration of client side components failed! on IPA Server
Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-03-25T12:29:49Z DEBUG args=ipa-client-automount --uninstall --debug
2015-03-25T12:29:49Z DEBUG stdout=
2015-03-25T12:29:49Z DEBUG stderr=IPA client is not configured on this system.
2015-03-25T12:29:49Z ERROR Unconfigured automount client failed: Command 'ipa-client-automount --uninstall --debug' returned non-zero exit status 1
2015-03-25T12:29:49Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-03-25T12:29:49Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-03-25T12:29:49Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA CA
2015-03-25T12:29:49Z DEBUG stdout=
2015-03-25T12:29:49Z DEBUG stderr=certutil: Could not find cert: IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found
2015-03-25T12:29:49Z DEBUG args=/sbin/service messagebus start
2015-03-25T12:29:49Z DEBUG stdout=Starting system message bus:
2015-03-25T12:29:49Z DEBUG stderr=
2015-03-25T12:29:49Z DEBUG args=/sbin/service messagebus status
2015-03-25T12:29:49Z DEBUG stdout=messagebus (pid 1151) is running...
2015-03-25T12:29:49Z DEBUG stderr=
2015-03-25T12:29:49Z DEBUG args=/sbin/service certmonger start
2015-03-25T12:29:49Z DEBUG stdout=
2015-03-25T12:29:49Z DEBUG stderr=
2015-03-25T12:29:49Z DEBUG args=/sbin/service certmonger status
2015-03-25T12:29:49Z DEBUG stdout=certmonger (pid 13244) is running...
2015-03-25T12:29:49Z DEBUG stderr=
2015-03-25T12:29:57Z DEBUG args=/usr/bin/certutil -L -d /etc/pki/nssdb -n IPA Machine Certificate - ldap-inf-stg-sg1-01.sd.int
2015-03-25T12:29:57Z DEBUG stdout=
2015-03-25T12:29:57Z DEBUG stderr=certutil: Could not find cert: IPA Machine Certificate - ldap-inf-stg-sg1-01.sd.int : PR_FILE_NOT_FOUND_ERROR: File not found
2015-03-25T12:29:57Z DEBUG args=/sbin/service certmonger stop
2015-03-25T12:29:57Z DEBUG stdout=Stopping certmonger: [ OK ]
2015-03-25T12:29:57Z DEBUG stderr=
2015-03-25T12:29:59Z DEBUG args=/sbin/chkconfig certmonger off
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=
2015-03-25T12:29:59Z INFO Removing Kerberos service principals from /etc/krb5.keytab
2015-03-25T12:29:59Z DEBUG args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r SD.INT
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=Removing principal host/ldap-inf-stg-sg1-01.sd@sd.int
2015-03-25T12:29:59Z INFO Disabling client Kerberos and LDAP configurations
2015-03-25T12:29:59Z DEBUG args=/usr/sbin/authconfig --disablekrb5 --disablesssd --update --disablemkhomedir --disableldap --disablesssdauth
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=
2015-03-25T12:29:59Z DEBUG Error while moving /etc/sssd/sssd.conf to /etc/sssd/sssd.conf.deleted
2015-03-25T12:29:59Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2015-03-25T12:29:59Z DEBUG args=/sbin/service sssd stop
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=
2015-03-25T12:29:59Z DEBUG args=/sbin/chkconfig sssd off
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=
2015-03-25T12:29:59Z DEBUG args=/sbin/service nscd status
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=nscd: unrecognized service
2015-03-25T12:29:59Z INFO nscd daemon is not installed, skip configuration
2015-03-25T12:29:59Z DEBUG args=/sbin/service nslcd status
2015-03-25T12:29:59Z DEBUG stdout=
2015-03-25T12:29:59Z DEBUG stderr=nslcd: unrecognized service
2015-03-25T12:29:59Z INFO nslcd daemon is not installed, skip configuration
2015-03-25T12:29:59Z INFO Client uninstall complete.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Wed, Mar 25, 2015 at 6:10 PM, Martin Kosek <mko...@redhat.com> wrote:

On 03/25/2015 07:46 AM, Yogesh Sharma wrote:

Hi,

We are getting the below error while installing the IPA Server (ipa-server-install --no-ntp).

Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1

Logs indicate the below errors:

2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h ldap-inf-stg-sg1-01.sd.int -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS -T /var/lib/ipa/tmp0iYpzn uid=admin,cn=users,cn=accounts,dc=sd,dc=int
2015-03-25T06:39:59Z DEBUG stdout=
2015-03-25T06:39:59Z DEBUG stderr=
2015-03-25T06:39:59Z DEBUG ldappasswd done
2015-03-25T06:40:10Z DEBUG args=/usr
[Freeipa-users] Is it possible to Disable BAD Password from IPA Configs
Hi,

Is there any way we can configure the IPA server not to do strict checking for passwords? For example:

BAD PASSWORD: The password is too similar to the old one
New password:
BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word

We tried removing use_authtok from the line below, but no luck.

password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok

system-auth password config:

[root@cipa vagrant]# cat /etc/pam.d/system-auth | grep password | grep -v grep
password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
[root@cipa vagrant]#

Best Regards,
Yogesh Sharma
Re: [Freeipa-users] SUDO with HostGroup and UserGroup not working
Seeing a strange behavior. I deleted all Host Members from the NetGroup and it was reflected on the Client:

[root@cipa ~]# getent netgroup stg.initd.com
stg.initd.com

Then I added one hostgroup, cipa, and it was successfully queried in getent on the IPA Server:

[root@mipa ~]# getent netgroup stg.initd.com
stg.initd.com (cipa.stg.initd.com,-,stg.initd.com)

However, when adding another hostgroup to the Netgroup, I am not able to see it in getent, though the ipa command lists it.

[root@mipa ~]# ipa netgroup-show stg.initd.com
  Netgroup name: stg.initd.com
  Description: s
  NIS domain name: stg.initd.com
  Member Group: admins, ipausers, masteruser, trust admins, webuser
  Member Hostgroup: cipa-servers, sipa-servers
[root@mipa ~]#

My Client is also unaware of the changes.

[root@cipa ~]# getent netgroup stg.initd.com
stg.initd.com
[root@cipa ~]#

Is it a network issue or an sssd caching problem? A restart of SSSD also does not fix the problem. Should I share my SSSD logs of the IPA server, the Client, or both? Please suggest.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Mon, Mar 23, 2015 at 2:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

On Mon, Mar 23, 2015 at 02:23:52PM +0530, Yogesh Sharma wrote:

Sure Jakub.

++FreeIPA-Users

getent netgroup not working on the IPA Server:

[root@mipa ~]# getent netgroup stg.initd.com
[root@mipa ~]#
[root@mipa ~]# ipa hostgroup-show cipa-servers
  Host-group: cipa-servers
  Description: cipa
  Member hosts: cipa.stg.initd.com
  Member of netgroups: stg.initd.com
[root@mipa ~]# ipa netgroup-show stg.initd.com
  Netgroup name: stg.initd.com
  Description: ss
  NIS domain name: stg.initd.com
  Member Group: admins, ipausers, masteruser, trust admins, webuser
  Member Hostgroup: sipa-servers, cipa-servers

However, I re-registered the IPA Client and I am able to query the netgroup, though it does not show cipa.stg.initd.com, whereas the IPA Server query ipa netgroup-show stg.initd.com has it in the list.

[root@cipa ~]# getent passwd admin
admin:*:117040:117040:Administrator:/home/admin:/bin/bash
[root@cipa ~]# getent netgroup stg.initd.com
stg.initd.com (sipa.stg.initd.com,-,stg.initd.com)
[root@cipa ~]#

OK, then we need to see the SSSD logs, but if the client suddenly started working, then I suspect some networking issues.
Re: [Freeipa-users] SUDO with HostGroup and UserGroup not working
Sure Jakub.

++FreeIPA-Users

getent netgroup not working on the IPA Server:

[root@mipa ~]# getent netgroup stg.initd.com
[root@mipa ~]#
[root@mipa ~]# ipa hostgroup-show cipa-servers
  Host-group: cipa-servers
  Description: cipa
  Member hosts: cipa.stg.initd.com
  Member of netgroups: stg.initd.com
[root@mipa ~]# ipa netgroup-show stg.initd.com
  Netgroup name: stg.initd.com
  Description: ss
  NIS domain name: stg.initd.com
  Member Group: admins, ipausers, masteruser, trust admins, webuser
  Member Hostgroup: sipa-servers, cipa-servers

However, I re-registered the IPA Client and I am able to query the netgroup, though it does not show cipa.stg.initd.com, whereas the IPA Server query ipa netgroup-show stg.initd.com has it in the list.

[root@cipa ~]# getent passwd admin
admin:*:117040:117040:Administrator:/home/admin:/bin/bash
[root@cipa ~]# getent netgroup stg.initd.com
stg.initd.com (sipa.stg.initd.com,-,stg.initd.com)
[root@cipa ~]#

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U

On Mon, Mar 23, 2015 at 1:21 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

On Mon, Mar 23, 2015 at 12:29:03PM +0530, Yogesh Sharma wrote:

Thanks Jakub for the reply. Please find the details:

Please keep the replies on the list, if possible. Other users might run into the same problem and then the archives become really useful.

It shows the nisdomain but not the netgroup:

[root@cipa ~]# nisdomainname
$NISDOMAINNAME_VALUE
[root@cipa ~]# getent netgroup cipa-servers
[root@cipa ~]#

However, from the IPA Server, I am able to query the host under the netgroup.

Can you query the netgroup on the IPA server using getent netgroup?

Can you query users on the IPA client? (getent passwd admin)
[Freeipa-users] SUDO with HostGroup and UserGroup not working
Hello Team,

We are doing a POC to use the IPA server in our environment. When we add an individual host and user to a Sudo Rule it works fine, whereas when we need to use a HostGroup and UserGroup it is not working. We have been restricted from using NIS due to other issues with NIS.

Please suggest a way to fix this.

Best Regards,
Yogesh Sharma