[Freeipa-users] ipa and cronjob
Hi all,

I have a cronjob run daily by an ipa user, which accesses nfs mounted data on the nfs server (another machine in the realm). The problem is when the user was away for a few days, his credential expired and the cronjob did not run until he came back and logged on to the system again. Then all halted cronjobs from the past days started to run, which is not desired because all of them were doing the same thing.

My question is: Can we keep the cronjob running when the user's credential is expired? If we cannot, then can we skip or kill all of the old cronjobs but not the most recent one?

Thanks,
George

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
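The thread itself gives no answer to the two questions above. What follows is an added example, not from the list or from FreeIPA: a POSIX sh wrapper for a Kerberos-dependent cron job that skips a run when no usable ticket is present (instead of leaving the job stuck against the Kerberos-protected NFS mount) and refuses to start while an earlier run still holds a lock, so a backlog of identical jobs cannot all fire at once. `klist -s`, the default credential check, is a real command, as are `ipa-getkeytab` and `kinit -kt` mentioned in the comments; the lock path, the `TICKET_CHECK` override and the `nightly-job.sh` name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for a cron job that needs
# Kerberos credentials. Two guards:
#   1. skip the run when no valid ticket is available, instead of hanging;
#   2. skip the run when a previous instance still holds the lock, so halted
#      runs cannot pile up and all execute later.
#
# Assumptions (not from the thread): TICKET_CHECK is any command that exits 0
# when usable credentials exist; "klist -s" does that for the invoking user's
# ticket cache. For a job that must survive the user's absence, the usual
# approach is a dedicated keytab fetched with ipa-getkeytab and refreshed with
# "kinit -kt" before the job runs; that step is left to the reader.

LOCKDIR="${LOCKDIR:-${TMPDIR:-/tmp}/nightly-job.lock}"
TICKET_CHECK="${TICKET_CHECK:-klist -s}"

# have_credentials: 0 if TICKET_CHECK succeeds, non-zero otherwise.
have_credentials() {
    $TICKET_CHECK >/dev/null 2>&1
}

# run_once CMD [ARGS...]: run CMD under an mkdir-based lock (mkdir is atomic
# on POSIX filesystems, so no flock dependency). Returns 75 (EX_TEMPFAIL) when
# another instance holds the lock, 69 (EX_UNAVAILABLE) when no credentials are
# present, otherwise CMD's own exit status.
run_once() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "run_once: $LOCKDIR held by another instance, skipping" >&2
        return 75
    fi
    if ! have_credentials; then
        rmdir "$LOCKDIR"
        echo "run_once: no valid Kerberos ticket, skipping" >&2
        return 69
    fi
    "$@"
    rc=$?
    rmdir "$LOCKDIR"
    return $rc
}

# Constructed crontab line for the wrapper:
#   15 2 * * * /usr/local/bin/nightly-job.sh /usr/local/bin/sync-data.sh /nfs/data
# When invoked with arguments, run them through the guards.
if [ $# -gt 0 ]; then
    run_once "$@"
fi
```

A lock directory left behind by a run that was killed mid-way has to be removed by hand (or the wrapper rebuilt around `flock(1)`, which releases automatically); the distinct exit codes let the cron mail, or a monitoring check, tell "skipped for lack of a ticket" apart from "skipped because still running".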
[Freeipa-users] NFS on Mac
Hello all,

I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?

Thanks,
George
Re: [Freeipa-users] NFS on Mac
sounds to me the link may work for nfs version 3 only. Now with IPA and NFS4, there got to be something more.

George

From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Monday, September 17, 2012 11:20 AM
Subject: Re: [Freeipa-users] NFS on Mac

On 09/17/2012 11:07 AM, george he wrote:
> Hello all,
> I have IPA server and NFS server set up on a computer running centos 6.3. Is there a way to set up a mac laptop to access the data on the NFS server? The laptop does not have a static IP. DNS is not configured with IPA. If yes, how do I config the mac?

Is this what you are looking for?
http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/

> Thanks,
> George

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
[Freeipa-users] Stale NFS file handle
Hello,

My ipa server and my nfs server are the same machine running centos 6.3. The server was accidentally down and rebooted. But then I got authentication failure on some clients when tried to log on through gdm, and blue screen (no desktop, no panels) on some others. On some clients that I was on before the server was down, I got Stale NFS file handle. Yet on some other clients, everything is fine. All clients are running centos 6.3, too. Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?

Thanks,
George
Re: [Freeipa-users] Stale NFS file handle
I tried umount but without -l, it said drive busy. Next time I will try with -l.

Thanks,
George

From: Natxo Asenjo natxo.ase...@gmail.com
To: freeipa-users@redhat.com
Sent: Wednesday, September 12, 2012 2:43 PM
Subject: Re: [Freeipa-users] Stale NFS file handle

On Wed, Sep 12, 2012 at 8:26 PM, george he george_...@yahoo.com wrote:
> Hello,
> My ipa server and my nfs server are the same machine running centos 6.3.

try to separate those roles if you can. You can use vm's, it'll work great.

> The server was accidentally down and rebooted. But then I got authentication failure on some clients when tried to log on through gdm, and blue screen (no desktop, no panels) on some others. On some clients that I was on before the server was down, I got Stale NFS file handle. Yet on some other clients, everything is fine. All clients are running centos 6.3, too. Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients?

you could try umounting the stale mount points in the clients with the -l switch (lazy). It works most of the time, sometimes rebooting or resetting is necessary. Do not change dir to the mount point because then your client will not respond :-)

--
natxo
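Natxo's warning not to change into a stale mount point can be turned into a safe check. The script below is an added example, not from the thread: it reads the kernel mount table, probes every nfs/nfs4 mount with a time-bounded `df` instead of entering it, and reports which mounts no longer answer, so an admin can decide which ones to `umount -l`. The `MOUNTS` and `PROBE_TIMEOUT` names are assumptions made for this example; `timeout` is GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): find NFS mounts that have gone stale or
# unreachable without cd'ing into them. Each mount is probed with a statfs
# (df -P) wrapped in a timeout, so a hung export cannot hang this shell.
# Output: one line per NFS mount, "ok <mountpoint>" or "stale <mountpoint>".
# check_nfs_mounts returns 1 if any mount failed the probe, else 0.
#
# Assumptions (not from the thread): MOUNTS defaults to /proc/mounts but can be
# pointed at any file in the same six-column format; PROBE_TIMEOUT is seconds.

MOUNTS="${MOUNTS:-/proc/mounts}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-5}"

# list_nfs_mounts: print the mount point of every nfs/nfs4 entry in MOUNTS.
# Columns: device mountpoint fstype options dump pass. Mount points with
# spaces appear as \040 in /proc/mounts and are not handled here.
list_nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }' "$MOUNTS"
}

# probe_mount DIR: 0 if DIR answers a statfs within PROBE_TIMEOUT seconds.
# A stale handle, a dead server or a vanished directory all fail the probe;
# timeout exits 124 when the call hangs past the limit.
probe_mount() {
    timeout "$PROBE_TIMEOUT" df -P "$1" >/dev/null 2>&1
}

check_nfs_mounts() {
    bad=0
    for mp in $(list_nfs_mounts); do
        if probe_mount "$mp"; then
            echo "ok $mp"
        else
            echo "stale $mp"
            bad=1
        fi
    done
    return $bad
}

# Run the check when invoked directly with --check (defines only when sourced).
if [ "${1:-}" = "--check" ]; then
    check_nfs_mounts
fi
```

The "stale" lines are the candidates for `umount -l`; the lazy flag detaches the mount from the namespace immediately and cleans up once nothing references it, which is why it succeeds where a plain `umount` reports the device busy.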
Re: [Freeipa-users] ipa host-del
here are the new errors:

# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com
Sent: Tuesday, September 4, 2012 9:49 PM
Subject: Re: [Freeipa-users] ipa host-del

george he wrote:
> both of the commands service dirsrv restart and service pki-cad restart reported: stopping ... OK starting ... OK but host-del still has the same error. More suggestions?

Check the logs again. The service starting does not mean it kept running.

rob

> Thanks,
> George
>
> From: Rob Crittenden rcrit...@redhat.com
> To: george he george_...@yahoo.com
> Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com
> Sent: Tuesday, September 4, 2012 4:20 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> I'm running centos 6.3
>> # uname -r
>> 2.6.32-279.5.2.el6.x86_64
>> pki-ca: unrecognized service
>> There are tons of errors in /var/log/pki-ca/*, some of them are:
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
>> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation
Re: [Freeipa-users] ipa host-del
there are something like these:

type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

and some others like these:

type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

And yes, I did yum update recently. Where else should I look?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: Ade Lee a...@redhat.com; freeipa-users@redhat.com
Sent: Wednesday, September 5, 2012 8:40 AM
Subject: Re: [Freeipa-users] ipa host-del

george he wrote:
> here are the new errors:
> # rm /var/log/pki-ca/*
> # service dirsrv restart
> # service pki-cad restart
> # grep -i error /var/log/pki-ca/*
> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket

Hmm. Is there any additional information in the debug log? Any AVCs in /var/log/audit/audit.log? Have you updated any packages recently? I'm not sure why dogtag would be throwing this exception.

rob

> From: Rob Crittenden rcrit...@redhat.com
> To: george he george_...@yahoo.com
> Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com
> Sent: Tuesday, September 4, 2012 9:49 PM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> both of the commands service dirsrv restart and service pki-cad restart reported: stopping ... OK starting ... OK but host-del still has the same error. More suggestions?
>
> Check the logs again. The service starting does not mean it kept running.
>
> rob
>
>> Thanks,
>> George
>>
>> From: Rob Crittenden rcrit...@redhat.com
>> To: george he george_...@yahoo.com
>> Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com
>> Sent: Tuesday, September 4, 2012 4:20 PM
>> Subject: Re: [Freeipa-users] ipa host-del
Re: [Freeipa-users] ipa host-del
This is a newly installed system. It does most of the things, but I just cannot del the host that I have uninstalled ipa-client, which prevents me from re-installing ipa-client.

Here are the versions:
pki-ca.noarch 9.0.3-24.el6
pki-common.noarch 9.0.3-24.el6
jss.x86_64 4.2.6-22.el6
nss.x86_64 3.13.5-1.el6_3
tomcat6.noarch 6.0.24-45.el6
java-1.5.0-gcj.x86_64 1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64 1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64 1:0.10k-5.el6

Thanks for your help.
George

From: Ade Lee a...@redhat.com
To: george he george_...@yahoo.com
Cc: Rob Crittenden rcrit...@redhat.com; freeipa-users@redhat.com
Sent: Wednesday, September 5, 2012 10:46 AM
Subject: Re: [Freeipa-users] ipa host-del

The logs seem to show that the CA cannot find JSS. What versions of the following are on your system? pki-ca, pki-common, jss, nss, tomcat6, tomcat, java

Is this a system that was working and now fails to work? Or is this a new instance?

Ade

On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
> there are something like these:
> type=AVC msg=audit(1346710042.243:56): avc: denied { execute } for pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> type=AVC msg=audit(1346710042.243:57): avc: denied { execute } for pid=4243 comm=gdm name=arch dev=dm-0 ino=786829 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
> and some others like these:
> type=AVC msg=audit(1346838993.154:2567): avc: denied { search } for pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> type=AVC msg=audit(1346838993.154:2568): avc: denied { search } for pid=17155 comm=java name=gridengine dev=dm-0 ino=391879 scontext=unconfined_u:system_r:pki_ca_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
> And yes, I did yum update recently. Where else should I look?
> Thanks,
> George
>
> From: Rob Crittenden rcrit...@redhat.com
> To: george he george_...@yahoo.com
> Cc: Ade Lee a...@redhat.com; freeipa-users@redhat.com
> Sent: Wednesday, September 5, 2012 8:40 AM
> Subject: Re: [Freeipa-users] ipa host-del
>
> george he wrote:
>> here are the new errors:
>> # rm /var/log/pki-ca/*
>> # service dirsrv restart
>> # service pki-cad restart
>> # grep -i error /var/log/pki-ca/*
>> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context [/ca]
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException
Re: [Freeipa-users] ipa host-del
Thanks a lot. It's deleted now!

The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to /usr/lib/..., but when I was struggling, I read on the web there was a post saying they should point to /usr/lib64/..., so I changed them. The weird thing is I THINK they were pointing to existing files, but now they are not. So I changed the links one more time to make them point to /usr/lib/..., restarted ipa, and host-del worked.

Thanks again, guys.
George

From: John Dennis jden...@redhat.com
To: a...@redhat.com
Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
Sent: Wednesday, September 5, 2012 2:04 PM
Subject: Re: [Freeipa-users] ipa host-del

On 09/05/2012 10:46 AM, Ade Lee wrote:
> The logs seem to show that the CA cannot find JSS. What versions of the following are on your system? pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
> Is this a system that was working and now fails to work? Or is this a new instance?

Let's verify the link to the jss4.jar is in place. Note this is an x86_64 system, Mathew did make some adjustments to where native (i.e. arch specific) jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. pki-create would have been modified to set up links to them on a new install but it's possible the links weren't updated on an existing install. Not sure, guessing at the moment but I think it's worth pursuing.

Please do this, it will list all the jars which should be visible to the CA tomcat instance, the jss4.jar should have a link under /var/lib/pki-ca/common/lib.

sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib

We want to verify none of the symbolic links listed above are dangling (point to a non-existent file). Pay particular attention to /var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to it. Do things work now after restarting?

John

--
John Dennis jden...@redhat.com
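The dangling-link check John asks for can be done mechanically rather than by eyeballing `ls -l`. The script below is an added example, not from the thread and not part of the pki-ca packaging: it walks the two jar directories named above (or any directories passed as arguments), reports every symbolic link whose target no longer exists, and returns non-zero if any were found, which makes it usable as a pre-restart sanity check after a package update that moved native jars between /usr/lib/java and /usr/lib64/java.

```shell
#!/bin/sh
# Added example (not from the thread): list dangling symbolic links in the jar
# directories the CA's tomcat instance loads from. Prints
# "dangling <link> -> <target>" for each broken link. Returns 1 if any were
# found, 0 otherwise; directories that do not exist are skipped with a note.
#
# The default directories are the two John names in the thread; paths with
# spaces are not handled (split on whitespace is deliberate for simplicity).

find_dangling_links() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="/var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib"
    found=0
    for d in $dirs; do
        if [ ! -d "$d" ]; then
            echo "skip $d (no such directory)" >&2
            continue
        fi
        for link in "$d"/*; do
            # only symlinks are of interest; a non-matching glob yields a
            # literal "$d/*" which fails this test too
            [ -L "$link" ] || continue
            # -e follows the link, so it is false exactly when the target
            # is missing (or itself a dangling link)
            if [ ! -e "$link" ]; then
                echo "dangling $link -> $(readlink "$link")"
                found=1
            fi
        done
    done
    return $found
}

# Run against the CA directories when invoked with --run; otherwise only
# define the function so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    find_dangling_links
fi
```

A clean run (no output, exit 0) rules out the broken-link cause; it does not prove the jar a link points to is the right architecture or a valid archive, which is the second half of John's question and still needs `unzip -l` or the package's file list.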
Re: [Freeipa-users] ipa host-del
There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.

Everything is reported running:

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:

Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

Thanks for your help,
George

From: John Dennis jden...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 4, 2012 8:10 AM
Subject: Re: [Freeipa-users] ipa host-del

On 09/03/2012 06:00 PM, george he wrote:
> Hello all,
> I'm trying to reinstall my ipa client so I did ipa-client-install --uninstall on my client, but when I try to do ipa host-del on the server, I got the following error:
> ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
> What does it mean, and how do I fix this?
> ps, both the server and the client are centos 6.3

I'm guessing the configuration option that specifies where to locate your CA was lost. Check and see if ca_host is defined in any of the .conf files under /etc/ipa, if so is it the correct host? If not then the server will assume it's co-located on the same machine. Is your CA on the same machine as your IPA server?

One other thing to check, is the CA running? Do an ipactl status to verify or an ipactl restart.

--
John Dennis jden...@redhat.com
Re: [Freeipa-users] ipa host-del
First of all, I don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:

# ipa host-del hnl09.psych.yale.edu
..
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

So there's a fault 4301 being caught. And this is at the end of /var/log/httpd/error_log:

[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection context.ldap2

Thanks,
George

From: John Dennis jden...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, September 4, 2012 8:53 AM
Subject: Re: [Freeipa-users] ipa host-del

On 09/04/2012 08:28 AM, george he wrote:
> There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not defined there. But I think my CA is the IPA server.
> Everything is reported running:
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
> but when I try # ipactl restart, it reports:
> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker
> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by another worker

ajp worker threads are used by tomcat instances of which the CA is one example. It sounds like your CA has gotten into a funny state. I would do a ipactl stop to shut down all your services and then do a ps to look for any Java processes that are still running (I'm assuming the only Java you're running on this box would be for the CA). If you can identify a running Java process that you believe belongs to the CA then kill it and try starting IPA again (or you could use a big hammer and reboot).

BTW, the ajp threads are the listeners on the CA communication ports, if those threads are not in the right state you could see the CA communication problems you reported.

If that still does not work then my next suggestion would be to add this line to /etc/ipa/default.conf

debug=True

and restart IPA, that will cause verbose logging to be written to /var/log/httpd/error_log which may have more detailed messages indicating where things might be going wrong.

--
John Dennis jden...@redhat.com
Re: [Freeipa-users] ipa host-del
both of the commands service dirsrv restart and service pki-cad restart reported: stopping ... OK starting ... OK but host-del still has the same error. More suggestions?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: John Dennis jden...@redhat.com; freeipa-users@redhat.com
Sent: Tuesday, September 4, 2012 4:20 PM
Subject: Re: [Freeipa-users] ipa host-del

george he wrote:
> I'm running centos 6.3
> # uname -r
> 2.6.32-279.5.2.el6.x86_64
> pki-ca: unrecognized service
> There are tons of errors in /var/log/pki-ca/*, some of them are:
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] CASigningUnit: Object certificate not found. Error org.mozilla.jss.crypto.ObjectNotFoundException
> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket factory
> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException: Protocol handler initialization failed: java.lang.ClassNotFoundException: Error loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application directory ca

The problem looks to be that the dogtag 389-ds instance is not started. I'd try:

service dirsrv restart PKI-IPA

Then

service pki-cad restart

rob
Re: [Freeipa-users] cannot logon: system error?
I removed the host on ipa server (ipa host-del, which works for this client but not another one), reinstalled the system, and configured the client, it worked.

Thanks,
George

From: Jakub Hrozek jhro...@redhat.com
To: freeipa-users@redhat.com
Sent: Tuesday, September 4, 2012 3:05 PM
Subject: Re: [Freeipa-users] cannot logon: system error?

On Tue, Sep 04, 2012 at 11:02:36AM -0700, george he wrote:
> Hi all,
> This is another issue I'm having with another ipa client. Both the server and the client are centos 6.3
> The client was configured all right. I was able to log on at a point. but then after the screen was auto-locked over the night, I cannot log on any more. If I try on the console, it says system error and return to the locked screen. If I try ssh myclient, it says Connection closed by myclient.
> This is what in /var/log/secure
> Sep 4 13:57:52 localhost sshd[4208]: Authorized to jhe, krb5 principal j...@psych.yale.edu (krb5_kuserok)
> Sep 4 13:57:52 localhost sshd[4208]: pam_sss(sshd:account): Access denied for user jhe: 4 (System error)
> Sep 4 13:57:52 localhost sshd[4209]: fatal: Access denied for user jhe by PAM account configuration

System Error usually means an internal error in the SSSD. Please put

debug_level = 8

into the [pam] and [domain] sections, restart the SSSD, re-run the login attempt and attach or copy the relevant sections of /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_$domain.log
[Freeipa-users] ipa host-del
Hello all,

I'm trying to reinstall my ipa client so I did ipa-client-install --uninstall on my client, but when I try to do ipa host-del on the server, I got the following error:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

What does it mean, and how do I fix this?

ps, both the server and the client are centos 6.3

Thanks,
George
Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
Thank you, Martin. This helps.

George

From: Martin Kosek mko...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, July 31, 2012 3:04 AM
Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife

On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 36
> but then after I do kinit, my new ticket is still going to expire after 24 hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
> Max life: 36
> What am I missing? I'm using ipa2.2 on FC17.
> Thanks,
> George

Hello George,

I think there are 2 different things being mixed - maximal lifetime which can configured in IPA (KDC) with the krbtpolicy-mod command you just shown and the lifetime of a ticket that is actually requested. The requested lifetime is by default 24h, as per krb5.conf man page:

ticket_lifetime
The value of this tag is the default lifetime for initial tickets. The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically kinit with a chosen lifetime, you should get it:

# ipa krbtpolicy-mod admin --maxlife 172800
Max life: 172800
# kinit -l 2d
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@redhat.com
Valid starting     Expires            Service principal
07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat@redhat.com

HTH,
Martin
[Freeipa-users] ipa krbtpolicy-mod --maxlife
Hello all,

I'm trying to change the krb ticket life time for myself, so I used

ipa krbtpolicy-mod MYUSERNAME --maxlife 36

but then after I do kinit, my new ticket is still going to expire after 24 hours, which is the default ticket life, even though

ipa krbtpolicy-show MYUSERNAME

returns

Max life: 36

What am I missing? I'm using ipa2.2 on FC17.

Thanks,
George
[Freeipa-users] ipa samba win7
Hello all,

I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? Should I set the file server as a domain controller? How do I deal with the passdb backend option? I guess I can set it to ldapsam, but the user information is kept on the ipa server, not the file server. What else should I take care of before I start?

ps. my ipa version is 2.2, running on fc17.

Thanks,
George
Re: [Freeipa-users] ipa samba win7
Hi Ondrej,

The win7 is standing alone. I don't have an AD for it. I used to have a samba domain controller that took care of user authentication for both linux and winxp machines.

Thanks,
George

From: Ondrej Valousek ondr...@s3group.cz
To: freeipa-users@redhat.com
Sent: Tuesday, July 10, 2012 9:12 AM
Subject: Re: [Freeipa-users] ipa samba win7

Do you have an AD for the win7 machine or is it just a standalone machine?

Ondrej

On 07/10/2012 03:01 PM, george he wrote:
Hello all, I have an ipa client that is also a file server. How do I set up a samba server on the file server so that the files can be accessed by a win7 machine, which is not a member of the ipa realm? Should I set the file server as a domain controller? How do I deal with the passdb backend option? I guess I can set it to ldapsam, but the user information is kept on the ipa server, not the file server. What else should I take care of before I start? ps. my ipa version is 2.2, running on fc17. Thanks, George
[Freeipa-users] error yum install freeipa-server
Hello all,

When I do yum install -y freeipa-server on a newly installed FC17 system, I get a lot of errors like this:

/sbin/restorecon: lstat(/etc/pki-tks*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/pki-tps*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/ca*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/kra*) failed: No such file or directory
. . .
/sbin/restorecon: lstat(/usr/bin/dtomcat5-pki-tks) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca*) failed: No such file or directory
. . .
/sbin/restorecon: lstat(/var/lib/ipa/ca_serialno) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory

It seems to me these missing files are supposed to be installed by this yum install command. With these errors, can I still go ahead and set up the ipa-server?

Thanks,
George
Re: [Freeipa-users] error yum install freeipa-server
Hello Rob,

These are printed to the command window after this line:

Installing : pki-selinux-9.0.20-1.fc17.noarch 34/96

The files reported missing are not there after yum install completed. I turned selinux off (setenforce 0 and modified /etc/sysconfig/selinux) before installing freeipa-server. Don't know whether this caused the files not to be created by yum.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, July 5, 2012 11:27 AM
Subject: Re: [Freeipa-users] error yum install freeipa-server

george he wrote:
Hello all, When I do yum install -y freeipa-server on a newly installed FC17 system, I get a lot of errors like this:
/sbin/restorecon: lstat(/etc/pki-tks*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/pki-tps*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/ca*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/kra*) failed: No such file or directory
. . .
/sbin/restorecon: lstat(/usr/bin/dtomcat5-pki-tks) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca*) failed: No such file or directory
. . .
/sbin/restorecon: lstat(/var/lib/ipa/ca_serialno) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
It seems to me these missing files are supposed to be installed by this yum install command. With these errors, can I still go ahead and set up the ipa-server?
Thanks, George

Where are you seeing these logged?

Some of those files/directories don't exist yet, they are created by the install. It should be safe to proceed.

rob
[Freeipa-users] win7 client
Hello all,

I'm trying to set up a win7 as a client of my freeipa server running on fc17, so I followed the instructions here:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html

But then what? The win7 is currently in a workgroup. I tried to join the win7 to a domain with my ipa realm name, but it failed.

Thanks in advance for your help,
George
[Freeipa-users] pam_systemd(sshd:session): Failed to create session
Hello all,

I'm running out of time to figure out what was wrong with my replica set up, so I just went ahead and installed ipa-client on that machine. It seems the client was installed all right, except when I ssh to the new client from another client, I get this:

Could not chdir to home directory /home/ghe: No such file or directory

and then I was left at /. I don't remember what I did differently on the other client machines that would create /home/ghe for me the first time I log on. Here is the error message from /var/log/secure on the new client.

pam_systemd(sshd:session): Failed to create session: No such file or directory

How do I fix this problem?

Thanks,
George
Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session
Hello Dan,

Many thanks. It worked. Now I remember this was done by default on my other clients... don't know why.

George

From: Dan Scott danieljamessc...@gmail.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 29, 2012 9:51 AM
Subject: Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session

Hi,

I don't know if this is done by the default IPA install, but you need to configure it to auto create home directories:

authconfig --update --enablemkhomedir

You may need the oddjob-mkhomedir package installed too.

Thanks,
Dan

On Fri, Jun 29, 2012 at 9:42 AM, george he george_...@yahoo.com wrote:
Hello all, I'm running out of time to figure out what was wrong with my replica set up, so I just went ahead and installed ipa-client on that machine. It seems the client was installed all right, except when I ssh to the new client from another client, I get this:
Could not chdir to home directory /home/ghe: No such file or directory
and then I was left at /. I don't remember what I did differently on the other client machines that would create /home/ghe for me the first time I log on. Here is the error message from /var/log/secure on the new client.
pam_systemd(sshd:session): Failed to create session: No such file or directory
How do I fix this problem?
Thanks, George
Re: [Freeipa-users] nfs server
Hello Simo,

So you mean I should run

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k /tmp/krb5.keytab

on the ipa-server, and

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k my.ipaserver.edu:/tmp/krb5.keytab

on the nfs-server? where /tmp/krb5.keytab is the key generated on the ipa-server for nfs.

Thanks,
George

From: Simo Sorce s...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 29, 2012 10:24 AM
Subject: Re: [Freeipa-users] nfs server

On Fri, 2012-06-29 at 07:18 -0700, george he wrote:
Hello all, Now I have an ipa server and a few ipa clients set up, I need to set up an nfs server on one of the ipa-clients. I'm following the instructions here
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
where at 8.c and 8.d, it says
scp /tmp/krb5.keytab r...@nfs.example.com:/etc/krb5.keytab
and
scp /tmp/krb5.keytab r...@client.example.com:/etc/krb5.keytab
But the file /etc/krb5.keytab already exists on both of the ipa-server and the nfs-server. Should I just over-write the existing keytabs?

No, you should not overwrite them if they contain the host keytab.

If they are ipa clients and you can install admin tools you can simply run the ipa-getkeytab command on the right machine directly.

If you can't for whatever reason you should copy the new keytab to the machine in a temporary (but protected) location like /root/nfs.keytab

Then use the ktutil tool to merge the 2 keytab files into /etc/krb5.keytab

ktutil is not the most intuitive tool, but the documentation should be good enough to sort out what you need to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] rpcgssd
Hello all,

Is there a problem with this document:

https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html

It says

Start the GSS daemon.
[root@nfs-client-server ~]# service rpcgssd start

but when I do it, the nfs-client says

Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details.

# systemctl status rpcgssd.service
rpcgssd.service
Loaded: error (Reason: No such file or directory)
Active: inactive (dead)

Thanks,
George
Re: [Freeipa-users] rpcgssd
Hello Rob,

It is fedora 17. I did

systemctl start nfs-secure.service

on the nfs-server. No error message. What needs to be started on the nfs-client in order to mount the share (which is on a separate disk, if it matters)? I tried

mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/

on the client, which happens to be the ipa-server, and get

mount.nfs4: mount(2): Permission denied

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 29, 2012 1:41 PM
Subject: Re: [Freeipa-users] rpcgssd

george he wrote:
Hello all, Is there a problem with this document: https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
It says
Start the GSS daemon.
[root@nfs-client-server ~]# service rpcgssd start
but when I do it, the nfs-client says
Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details.
# systemctl status rpcgssd.service
rpcgssd.service
Loaded: error (Reason: No such file or directory)
Active: inactive (dead)

You don't say what Fedora release you're using but I'm going to assume Fedora 17.

Try starting nfs-secure.service

rob
Re: [Freeipa-users] rpcgssd
Hello all,

nfs-secure.service is running on the client, but I still get

mount.nfs4: mount(2): Permission denied

and there's no message in /var/log/. Any help?

Thanks,
George

From: george he george_...@yahoo.com
To: Rob Crittenden rcrit...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 29, 2012 1:52 PM
Subject: Re: [Freeipa-users] rpcgssd

Hello Rob, It is fedora 17. I did systemctl start nfs-secure.service on the nfs-server. No error message. What needs to be started on the nfs-client in order to mount the share (which is on a separate disk, if it matters)? I tried mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/ on the client, which happens to be the ipa-server, and get mount.nfs4: mount(2): Permission denied
Thanks, George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 29, 2012 1:41 PM
Subject: Re: [Freeipa-users] rpcgssd

george he wrote:
Hello all, Is there a problem with this document: https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html It says "Start the GSS daemon. [root@nfs-client-server ~]# service rpcgssd start" but when I do it, the nfs-client says "Failed to issue method call: Unit rpcgssd.service failed to load: No such file or directory. See system logs and 'systemctl status rpcgssd.service' for details." # systemctl status rpcgssd.service rpcgssd.service Loaded: error (Reason: No such file or directory) Active: inactive (dead)

You don't say what Fedora release you're using but I'm going to assume Fedora 17.

Try starting nfs-secure.service

rob
Re: [Freeipa-users] replica installation clean up
Hello,

I think it might be easier to just re-install FC17 on my machine since it's brand new and I won't lose any data. Now I want to backup a few folders where some files are changed during ipa installation, so that if I mess up again, I only need to copy the original folder over. For this purpose, is the following list sufficient?

/boot
/etc
/home
/root
/usr
/var

I think I probably don't need /boot /home /root either, but these are small.

Thanks for your advice.
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Friday, June 22, 2012 4:23 PM
Subject: Re: [Freeipa-users] replica installation clean up

george he wrote:
Hello, Since I didn't get any reply on this, I just went ahead and did
/ipa-server-install --uninstall
to clean up and did
ipa-replica-manage del myreplica --force
on mymaster. After these I did ipa-replica-install again but this time I get
ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1
Any suggestions on this?

It depends on why it failed. When there is an installation error I recommend you start by looking at /var/log/ipa-server-install.log or /var/log/ipareplica-install.log as needed.

This error would suggest that something was not removed from LDAP when the last replica was deleted. This may be ok. You'll need to use ldapsearch to verify that cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX and dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX has a memberPrincipal for the service principal of your replica. Something like:

ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,dc=example,dc=com

rob
[Freeipa-users] freeipa and gdm
Hello,

I have a server and a few clients set up. I can ssh to the server or clients. But there's no entry on the console gdm for ipa users, and I cannot login by choosing others either. What do I need to set up for gdm log on? I searched the docs but didn't find any...

Thanks,
George
Re: [Freeipa-users] freeipa and gdm
Hi Stephen,

I already have a home directory which was created the first time I ssh in. Now when I click on sign in, nothing happens...

Thanks,
George

From: Stephen Gallagher sgall...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Monday, June 25, 2012 1:30 PM
Subject: Re: [Freeipa-users] freeipa and gdm

On Mon, 2012-06-25 at 10:25 -0700, george he wrote:
Hello Stephen, this is what is in the log file:
Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=jhe
Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth): authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=jhe

According to that, SSSD successfully authenticated the user, but you still didn't get logged in?

I'll bet that means you don't have your system set up to create home directories on first login automatically. If you run ipa-client-install with the --mkhomedir option when configuring the client, it will set this up for you. If you want to change it after the fact, do this:

authconfig --update --enablemkhomedir

That should do the trick.
Re: [Freeipa-users] freeipa and gdm
Hi Stephen,

selinux was set to permissive before I installed the client. (I modified the file /etc/sysconfig/selinux) So it cannot be the reason.

Thanks,
George

From: Stephen Gallagher sgall...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Monday, June 25, 2012 1:42 PM
Subject: Re: [Freeipa-users] freeipa and gdm

On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
Hi Stephen, I already have a home directory which was created the first time I ssh in. Now when I click on sign in, nothing happens...

Just to experiment, try 'setenforce 0' as root and then try to log in. SELinux could be denying you.
Re: [Freeipa-users] freeipa and gdm
Hi Stephen,

Here are the lines from /var/log/messages. It seems there's some info, but I don't understand it...

Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus[775]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus-daemon[775]: Launching FprintObject
Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus[775]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: entering main loop
Jun 25 13:54:08 mz dbus-daemon[775]: ** Message: No devices in use, exit
Jun 25 14:03:53 mz dbus-daemon[775]: dbus[775]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.0 (uid=0 pid=728 comm=/usr/lib/systemd/systemd-logind ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.21 (uid=42 pid=1183 comm=/usr/bin/gnome-session -f )
Jun 25 14:03:53 mz dbus[775]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.0 (uid=0 pid=728 comm=/usr/lib/systemd/systemd-logind ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.21 (uid=42 pid=1183 comm=/usr/bin/gnome-session -f )

Your help is appreciated.
George

From: Stephen Gallagher sgall...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Monday, June 25, 2012 1:58 PM
Subject: Re: [Freeipa-users] freeipa and gdm

On Mon, 2012-06-25 at 10:55 -0700, george he wrote:
Hi Stephen, selinux was set to permissive before I installed the client. (I modified the file /etc/sysconfig/selinux)

Modifying that file without a reboot does not change the current state. That only tells the kernel whether to boot with SELinux enabled.

I suggest looking at /var/log/messages for other possible failures as well. From /var/log/secure, SSSD is authenticating successfully, so the failure is happening in GDM somewhere.
Re: [Freeipa-users] freeipa and gdm
Yes! reboot works. Thanks a lot.

George

From: Simo Sorce s...@redhat.com
To: george he george_...@yahoo.com
Cc: Stephen Gallagher sgall...@redhat.com; freeipa-users@redhat.com
Sent: Monday, June 25, 2012 2:39 PM
Subject: Re: [Freeipa-users] freeipa and gdm

On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
Hi Stephen, I already have a home directory which was created the first time I ssh in. Now when I click on sign in, nothing happens...

I've encountered this recently as well, apparently GDM uses some service that misbehaves when nsswitch.conf is changed. It used to be simple to fix that by forcing a restart of GDM (I used to ctrl+alt+backspace once after install of sssd/ipa), but on my recent F17 it didn't work. I suspect some stuff has been moved to a helper that is not restarted when gdm restarts. A reboot fixed it for me.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] replica installation clean up
Hello,

Since I didn't get any reply on this, I just went ahead and did

/ipa-server-install --uninstall

to clean up and did

ipa-replica-manage del myreplica --force

on mymaster. After these I did ipa-replica-install again but this time I get

ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1

Any suggestions on this?

Thanks,
George

From: george he george_...@yahoo.com
To: Rob Crittenden rcrit...@redhat.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 10:28 PM
Subject: Re: [Freeipa-users] replica installation clean up

Hello,

I used --force to delete myreplica from mymaster. And then ran ipa-replica-install on the myreplica again. This time everything seems ok until it comes to the end:

Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
creation of replica failed: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

And this is the error message at the end of /var/log/ipareplica-install.log:

2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl status' for details.
2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
  File "/sbin/ipa-replica-install", line 494, in <module>
    main()
  File "/sbin/ipa-replica-install", line 488, in main
    ipaservices.knownservices.ipa.enable()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 101, in enable
    self.restart(instance_name)
  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 85, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
    raise CalledProcessError(p.returncode, args)

Should I run ipa-server-install --uninstall on myreplica now?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 4:35 PM
Subject: Re: [Freeipa-users] replica installation clean up

george he wrote:
Hi, after ipa-replica-install and ipa-replica-install --uninstall, now I get
[root@myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
. . .
Connection check OK
The host myreplica already exists on the master server.
Depending on your configuration, you may perform the following:
Remove the replication agreement, if any:
% ipa-replica-manage del myreplica
Remove the host entry:
% ipa host-del myreplica
If I run this on myreplica:
[root@myreplica ~]# ipa-replica-manage del myreplica
IPA is not configured on this system.
[root@myreplica ~]# ipa host-del myreplica
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for requested realm', -1765328230)
If I run this on mymaster:
[root@mymaster ~]# ipa-replica-manage del myreplica
Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
[root@mymaster ~]# ipa host-del myreplica
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
How do I clean up the unsuccessful installation - uninstallation of a replica?

Ideally you remove the agreement before deleting the replica, hence the LDAP error. Add the --force flag:

# ipa-replica-manage del myreplica.fqdn --force

Then you should be able to delete the host entry.

rob
[Freeipa-users] Joining realm failed: Host is already joined
Hello all,

When I do ipa-client-install on a client with a previous unsuccessful installation, I get this error message:

Joining realm failed: Host is already joined.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

How do I clean up the machine for a clean installation? I tried ipa-client-install --uninstall but get this:

IPA client is not configured on this system.

Thanks,
George
Re: [Freeipa-users] Joining realm failed: Host is already joined
Hello Rob,

Here is what I get by running the commands:

# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
# ipa-rmkeytab -k /etc/krb5.keytab -r MYREALM
realm not found
#

I thought the commands didn't solve the problem, but when I run ipa-client-install again, it says at the end

Client configuration complete.

and it was found on the server by ipa host-find. So I guess the problem is gone.

Your help is very appreciated.
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 11:18 AM
Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined

george he wrote:
Thanks Petr, Now it says:
Failed to obtain host TGT.
Installation failed. Rolling back changes.
I did the manual installation on this machine when the ipa-client-install script failed. I guess there's a lot to clean up :(

/var/log/ipaclient-install.log may have more details on the failure.

It could be that you have a lingering host principal. Run klist -kt /etc/krb5.keytab. To remove all principals for your realm from this keytab run:

# ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM

rob
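Two threads on this page manipulate the same file. In the nfs server thread Simo warns against overwriting /etc/krb5.keytab, because the host key ipa-client-install stored there would be lost, and suggests merging the new service keytab in with ktutil; in this thread Rob has George list the keytab with klist -kt and strip one realm's entries with ipa-rmkeytab -r. The script below is an added example, not code from the thread, from FreeIPA or from MIT Kerberos: it reads and writes the MIT keytab file format (version 0x0502) directly so that both operations can be seen in terms of the entries they touch, a merge that never drops an existing entry, and a realm removal with the same result as ipa-rmkeytab -r REALM. The principals, timestamps and key bytes are constructed; a real file is read with open("/etc/krb5.keytab", "rb").

```python
"""Read, merge and prune MIT keytab files (format version 0x0502) in pure Python.

Added example; not code from the thread, from FreeIPA or from MIT Kerberos.
Principals and key bytes below are constructed. A real file is read with
open("/etc/krb5.keytab", "rb").read() and written back the same way.
"""
import struct
from collections import namedtuple

Entry = namedtuple("Entry", "realm components name_type timestamp kvno enctype key")
HEADER = b"\x05\x02"  # keytab file format version 2


def _counted(pos, data):
    """Read one 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Decode all live entries; negative-length slots are holes left by deletions."""
    if data[:2] != HEADER:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted entry: skip its bytes
            pos -= size
            continue
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(pos + 2, data)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(pos, data)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(pos + 11, data)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append(Entry(realm.decode(), comps, name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def _pack_counted(b):
    return struct.pack(">H", len(b)) + b


def write_keytab(entries):
    """Serialise entries to the on-disk format, always including the 32-bit kvno."""
    out = [HEADER]
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _pack_counted(e.realm.encode())
        body += b"".join(_pack_counted(c.encode()) for c in e.components)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _pack_counted(e.key) + struct.pack(">I", e.kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def principal(e):
    return "/".join(e.components) + "@" + e.realm


def merge_keytabs(existing, new):
    """Append entries of `new` that `existing` lacks (same principal, kvno and
    enctype count as the same key); nothing already present, such as the host
    entry in /etc/krb5.keytab, is dropped."""
    seen = {(principal(e), e.kvno, e.enctype) for e in existing}
    merged = list(existing)
    for e in new:
        tag = (principal(e), e.kvno, e.enctype)
        if tag not in seen:
            seen.add(tag)
            merged.append(e)
    return merged


def remove_realm(entries, realm):
    """Keep only entries outside `realm`: the effect of ipa-rmkeytab -r REALM."""
    return [e for e in entries if e.realm != realm]


def principals_in(data):
    """Sorted principal names in a keytab image, as `klist -kt` would list them."""
    return sorted({principal(e) for e in parse_keytab(data)})


# Constructed samples: the host keytab ipa-client-install leaves behind, and an
# nfs service keytab as ipa-getkeytab would fetch it (dummy key bytes).
HOST_KEYTAB = write_keytab([
    Entry("EXAMPLE.TEST", ["host", "nfs.example.test"], 1, 1340000000, 1, 18, b"\x11" * 32),
])
NFS_KEYTAB = write_keytab([
    Entry("EXAMPLE.TEST", ["nfs", "nfs.example.test"], 1, 1340001000, 1, 18, b"\x22" * 32),
    Entry("EXAMPLE.TEST", ["nfs", "nfs.example.test"], 1, 1340001000, 1, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    merged = merge_keytabs(parse_keytab(HOST_KEYTAB), parse_keytab(NFS_KEYTAB))
    print(principals_in(write_keytab(merged)))
```

Two caveats worth keeping in mind when using this on a real machine: ipa-rmkeytab and ktutil mark removed entries as holes in place rather than rewriting the file, which is why parse_keytab skips negative-length slots, and the output file must be written with root-only permissions, since every entry is a long-term key for the principal it names.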
[Freeipa-users] ipa user-add
Hello all,

After the server and the client are installed, I run ipa user-add myname to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though ipa config-show --all shows

Default users group: ipausers

How do I put all new users into this ipausers group? If I use --gidnumber=INT, how do I find out the GID of the ipausers group?

I tried to delete a user using ipa user-del myname, but the private group myname is left there. So I did the following:

# ipa group-del myname
ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
# ipa group-detach myname
ipa: ERROR: myname: group not found
# ipa user-add myname
First name: myfirstname
Last name: mylastname
ipa: ERROR: Unable to create private group. A group 'myname' already exists.

How do I get out of this loop?

Thanks,
George
Re: [Freeipa-users] ipa user-add
it's x86_64 2.2.0-1.fc17.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: Rich Megginson rmegg...@redhat.com
Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 2:54 PM
Subject: Re: [Freeipa-users] ipa user-add

Rich Megginson wrote:
On 06/21/2012 12:25 PM, george he wrote:
Hello all, After the server and the client are installed, I run ipa user-add myname to add users. The users are added successfully, but each user get his own GID, which is the same as his UID, even though ipa config-show --all shows
Default users group: ipausers
How do I put all new users to this ipausers group? If I use --gidnumber=INT, how to find out the GID of the ipausers group?

It would help to know what version and platform of IPA you are using. The method differs by version.

I tried to delete a user using ipa user-del myname, but the private group myname is left there. So I did the following:
# ipa group-del myname
ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
# ipa group-detach myname
ipa: ERROR: myname: group not found
# ipa user-add myname
First name: myfirstname
Last name: mylastname
ipa: ERROR: Unable to create private group. A group 'myname' already exists.
How do I get out of this loop?

What is your platform and 389-ds-base version?

I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify:

assuming you have done kinit admin:

1) ldapsearch -LLL -Y GSSAPI cn=myname dn

This will give you the DN of the group - ignore any entries in the compat tree

2) ldapmodify -Y GSSAPI <<EOF
dn: DN of the group from ldapsearch
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: DN of the group from ldapsearch
changetype: delete
EOF

This will remove the private group.
Re: [Freeipa-users] ipa user-add
Hello Dmitri,

OK, I can accept the good practice of using private groups, then I need to delete the left over group. The instructions in the document failed as stated in my original email. Any suggestions how to delete the private group whose user has been deleted?

Thanks,
George

From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 3:47 PM
Subject: Re: [Freeipa-users] ipa user-add

On 06/21/2012 03:10 PM, george he wrote:
it's x86_64 2.2.0-1.fc17. Thanks, George

You are looking at the private group feature. By default IPA encourages you to take advantage of the user private groups - the groups that have only the current user in them. The value of this is that the files on the file system can be owned just by the user. It is a good practice. To turn it off there is a utility to turn off the managed entries creation. Please do not use LDAP directly (at least yet).

There is another feature that allows one to specify a criteria for placing users or hosts into groups. Users in the past were automatically placed into the ipausers group but not any more for security reasons explained above and for performance reasons as one huge group causes sssd to pull everybody on the first lookup.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] replica installation clean up
Hi,

after ipa-replica-install and ipa-replica-install --uninstall, now I get

[root@myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
. . .
Connection check OK
The host myreplica already exists on the master server.
Depending on your configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del myreplica
Remove the host entry:
    % ipa host-del myreplica

If I run this on myreplica:

[root@myreplica ~]# ipa-replica-manage del myreplica
IPA is not configured on this system.
[root@myreplica ~]# ipa host-del myreplica
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for requested realm', -1765328230)

If I run this on mymaster:

[root@mymaster ~]# ipa-replica-manage del myreplica
Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
[root@mymaster ~]# ipa host-del myreplica
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

How do I clean up the unsuccessful installation - uninstallation of a replica?

Thanks,
George
Re: [Freeipa-users] replica installation clean up
Hello,

I used --force to delete myreplica from mymaster, and then ran ipa-replica-install on myreplica again. This time everything seems ok until it comes to the end:

Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
creation of replica failed: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

And this is the error message at the end of /var/log/ipareplica-install.log:

2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl status' for details.
2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
  File "/sbin/ipa-replica-install", line 494, in <module>
    main()
  File "/sbin/ipa-replica-install", line 488, in main
    ipaservices.knownservices.ipa.enable()
  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 101, in enable
    self.restart(instance_name)
  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 85, in restart
    ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
    raise CalledProcessError(p.returncode, args)

Should I run ipa-server-install --uninstall on myreplica now?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 4:35 PM
Subject: Re: [Freeipa-users] replica installation clean up

> george he wrote:
> Hi,
> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>
> [root@myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
> . . .
> Connection check OK
> The host myreplica already exists on the master server.
> Depending on your configuration, you may perform the following:
>
> Remove the replication agreement, if any:
>     % ipa-replica-manage del myreplica
> Remove the host entry:
>     % ipa host-del myreplica
>
> If I run this on myreplica:
>
> [root@myreplica ~]# ipa-replica-manage del myreplica
> IPA is not configured on this system.
> [root@myreplica ~]# ipa host-del myreplica
> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Cannot find KDC for requested realm', -1765328230)
>
> If I run this on mymaster:
>
> [root@mymaster ~]# ipa-replica-manage del myreplica
> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
> [root@mymaster ~]# ipa host-del myreplica
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
>
> How do I clean up the unsuccessful installation - uninstallation of a replica?
>
> Ideally you remove the agreement before deleting the replica, hence the LDAP error. Add the --force flag:
>
> # ipa-replica-manage del myreplica.fqdn --force
>
> Then you should be able to delete the host entry.
>
> rob
Re: [Freeipa-users] ipa user-add
Hello Rich,

Thanks for the help. This does remove the group so I can add the user back. But when I try to ssh, as that user, to the machines that the user logged on to before ipa user-del, I get permission denied. I removed the user's home directory because it still belonged to the deleted UID:GID. After that I still get permission denied. Any suggestions?

Thanks again,
George

From: Rich Megginson rmegg...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 2:43 PM
Subject: Re: [Freeipa-users] ipa user-add

> On 06/21/2012 12:25 PM, george he wrote:
> Hello all,
> After the server and the client are installed, I run ipa user-add myname to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though ipa config-show --all shows
>
> Default users group: ipausers
>
> How do I put all new users into this ipausers group? If I use --gidnumber=INT, how do I find out the GID of the ipausers group?
>
> I tried to delete a user using ipa user-del myname, but the private group myname is left there. So I did the following:
>
> # ipa group-del myname
> ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
> # ipa group-detach myname
> ipa: ERROR: myname: group not found
> # ipa user-add myname
> First name: myfirstname
> Last name: mylastname
> ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>
> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify, assuming you have done kinit admin:
>
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>
> This will give you the DN of the group - ignore any entries in the compat tree.
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.
>
> Thanks,
> George
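The manual detach-and-delete that Rich describes (and that Dmitri's thread quotes as well) is easy to get wrong by hand: a plain cn=myname search also returns the read-only copy of the group in the compat tree, and the two LDIF records must be separated by a blank line or ldapmodify rejects them. The script below is an added example, not code from this thread or from FreeIPA. It narrows the search to real managed entries, refuses to modify anything unless exactly one DN outside cn=compat comes back, and generates the LDIF as a function. The base DN dc=example,dc=com, the sample ldapsearch output, and the reliance on kinit admin plus an ldap.conf that already points at the IPA server are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): detach and delete a
# leftover user private group the way Rich describes, with two guards the
# one-liner lacks: the search is narrowed to entries that really are managed
# private groups, and nothing is modified unless exactly one DN outside the
# compat tree comes back.

# Assumptions: kinit admin has been done, ldapsearch/ldapmodify pick up the
# IPA server from /etc/openldap/ldap.conf, and the IPA suffix is
# dc=example,dc=com (hypothetical).
BASEDN="dc=example,dc=com"

# group_dns SEARCH_OUTPUT: extract the "dn:" lines from ldapsearch -LLL output,
# dropping the compat-tree copy, which is a view and must not be touched.
group_dns() {
    printf '%s\n' "$1" | awk '/^dn: / && tolower($0) !~ /cn=compat/ { sub(/^dn: /, ""); print }'
}

# mep_detach_ldif DN: LDIF that first strips the managed-entry markers (which
# is what "detach" means to the MEP plugin), then deletes the entry. The two
# records must be separated by a blank line.
mep_detach_ldif() {
    cat <<EOF
dn: $1
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: $1
changetype: delete
EOF
}

# cleanup_private_group USER: the live procedure. Refuses to act unless the
# search returns exactly one candidate, so a typo cannot delete the wrong group.
cleanup_private_group() {
    user=$1
    found=$(ldapsearch -LLL -Y GSSAPI -b "$BASEDN" \
        "(&(cn=$user)(objectclass=mepManagedEntry))" dn)
    dns=$(group_dns "$found")
    count=$(printf '%s\n' "$dns" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one private group for '$user', got $count:" >&2
        printf '%s\n' "$dns" >&2
        return 1
    fi
    echo "detaching and deleting $dns"
    mep_detach_ldif "$dns" | ldapmodify -Y GSSAPI
}

# Constructed ldapsearch output for the dry run below: the real group plus its
# compat-tree shadow, which must be ignored.
SAMPLE_SEARCH='dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
'

echo "DN selected from the sample search: $(group_dns "$SAMPLE_SEARCH")"
echo "LDIF that would be piped to ldapmodify:"
mep_detach_ldif "$(group_dns "$SAMPLE_SEARCH")"

# Run against a live server only when a user name is given on the command line.
if [ $# -eq 1 ]; then
    cleanup_private_group "$1"
fi
```

Run it with no arguments to see the dry run against the embedded sample; pass the user name (after kinit admin, on an enrolled client) to perform the real cleanup. Because the filter requires objectclass=mepManagedEntry, an already detached group will not match and the script stops rather than deleting a group that someone may have deliberately kept.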
Re: [Freeipa-users] ipa installation problem -- 2
Hi Rob,

Client configuration complete. But it says

Failed to upload host SSH public keys.

Hope it's OK.

Thanks a lot,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, June 20, 2012 4:24 PM
Subject: Re: [Freeipa-users] ipa installation problem -- 2

> george he wrote:
> Hello all,
> My first problem was related to the firewall: the command
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>
> opened port 80 after this line in iptables, thus the problem I had.
>
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> Now I have another problem when I run ipa-client-install on the client (after it asked for the admin password):
>
> Joining realm failed: HTTP response code is 400, not 200
>
> Here are the related lines in /var/log/ipaclient-install.log
>
> 2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s cns2.psych.yale.edu -b dc=psych,dc=yale,dc=edu
> 2012-06-20T19:46:53Z DEBUG stdout=
> 2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200
>
> Try updating mod_nss to mod_nss.x86_64 0:1.0.8-17.fc17.
>
> rob
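The root cause George reports above is worth checking mechanically: an ACCEPT appended with `iptables -A` lands after the chain's catch-all `REJECT --reject-with icmp-host-prohibited`, and that ICMP reply is exactly what the client's wget prints as "No route to host" even though ping works. The script below is an added example, not code from this thread or from FreeIPA. It parses `iptables -S INPUT` output (a constructed sample is embedded, since the real chain is not on this page), reports which IPA ports are still unreachable because their ACCEPT rule is missing or sits behind the REJECT, and prints the `iptables -I` commands that insert the rules at the REJECT's position instead. The port list is the one George posted in the "is not an IPA v2 Server" thread on this page; the sample chain layout and rule positions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): find ACCEPT rules for
# the IPA ports that are shadowed by the INPUT chain's REJECT rule.
# Fedora's stock chain ends with "-j REJECT --reject-with icmp-host-prohibited";
# that ICMP reply is what the client reports as "No route to host". Appending
# with "iptables -A" puts a new ACCEPT behind the REJECT, where it never matches.

# Ports an IPA server must accept (as listed in this thread).
IPA_TCP_PORTS="80 443 389 636 88 464 53"
IPA_UDP_PORTS="88 464 53 123"

# Constructed sample of "iptables -S INPUT" after two rules were added with -A.
# Assumed layout: ssh ACCEPT, then the REJECT, then the appended IPA rules.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Same chain after inserting the two rules in front of the REJECT (constructed).
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Rule number (1-based, policy line excluded, so it matches
# "iptables -L INPUT --line-numbers") of the first REJECT rule; empty if none.
reject_index() {
    printf '%s\n' "$1" | grep -v '^-P' | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1
}

# Rule number of the ACCEPT rule for PROTO/PORT; empty if there is none.
accept_index() {
    printf '%s\n' "$1" | grep -v '^-P' \
        | grep -n -- "-p $2 .*--dport $3 -j ACCEPT" | head -n 1 | cut -d: -f1
}

# shadowed_ports RULES PROTO "PORTS": the ports whose ACCEPT rule is missing or
# placed after the REJECT, i.e. the ones that are still unreachable.
shadowed_ports() {
    rules=$1; proto=$2; rej=$(reject_index "$rules"); out=""
    for port in $3; do
        acc=$(accept_index "$rules" "$proto" "$port")
        if [ -z "$acc" ] || { [ -n "$rej" ] && [ "$acc" -gt "$rej" ]; }; then
            out="$out $port"
        fi
    done
    printf '%s\n' "${out# }"
}

# fix_commands RULES PROTO "PORTS": iptables commands that insert (-I) each
# ACCEPT at the REJECT's position, so every one of them lands in front of it.
fix_commands() {
    rej=$(reject_index "$1"); pos=${rej:-1}
    for port in $3; do
        printf 'iptables -I INPUT %s -p %s --dport %s -j ACCEPT\n' "$pos" "$2" "$port"
    done
}

echo "TCP ports still blocked: $(shadowed_ports "$SAMPLE_RULES" tcp "$IPA_TCP_PORTS")"
echo "UDP ports still blocked: $(shadowed_ports "$SAMPLE_RULES" udp "$IPA_UDP_PORTS")"
echo "Commands to fix the TCP side:"
fix_commands "$SAMPLE_RULES" tcp "$IPA_TCP_PORTS"
echo "After the fix, blocked TCP ports among 80/443: '$(shadowed_ports "$FIXED_RULES" tcp "80 443")'"
```

On a real server, feed it `iptables -S INPUT` output instead of the sample, delete the dead rules that sit behind the REJECT (`iptables -D INPUT -p tcp --dport 80 -j ACCEPT`) once the inserted ones are in place, and persist the result (`service iptables save` on Fedora of that era), otherwise the next reboot reverts to the broken chain.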
Re: [Freeipa-users] ipa installation problem
Hello Rob,

Can it be that the httpd service is not running properly? On all servers, I can only run wget on the server itself successfully... At least on fc15, the client was able to contact the server, but the connection was refused. Maybe the configuration part of httpd? On other machines in the same lab, I have set up two web servers in the usual way and they both run with no problem.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, June 19, 2012 9:32 AM
Subject: Re: [Freeipa-users] ipa installation problem

> george he wrote:
> Hello all,
> While waiting for more suggestions on my thread "is not an IPA v2 Server", I tried to install ipa server on other machines running fc16 and fc15. When the server is on fc16, I get the same error as when it's on fc17, wget failed: No route to host. When the server is on fc15, wget still failed, but the reason was Connection refused. Seems to me there's something else to do after running ipa-server-install on the server.
>
> This is unrelated to IPA. We do no network configuration changes, only start services. The client is doing a simple wget which just issues an HTTP request. The network stack is saying it can't talk to the IPA server so I'd start there. wireshark might be helpful.
>
> rob
Re: [Freeipa-users] ipa installation problem
Hello Rob,

netstat | grep 443 returned nothing, but lsof -i :80 (or :443) returned things like this:

httpd 4206 apache 5u IPv6 846355 TCP *:http (LISTEN)

Is the IPv6 here a problem?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, June 19, 2012 10:43 AM
Subject: Re: [Freeipa-users] ipa installation problem

> george he wrote:
> Hello Rob,
> Can it be that the httpd service is not running properly? On all servers, I can only run wget on the server itself successfully... At least on fc15, the client was able to contact the server, but the connection was refused. Maybe the configuration part of httpd? On other machines in the same lab, I have set up two web servers in the usual way and they both run with no problem.
>
> I don't know what to tell you. This problem is independent of IPA. It means that the client doesn't know how to get to the server (no route to host). Connection refused would suggest that the server isn't accepting connections. You could use netstat to confirm that it is listening on ports 80 and 443, I think you'll find it is. IPA doesn't do anything particularly clever with the web server, just configures it to use mod_nss as an SSL listener. Since wget is using port 80 you aren't even using any changes made by IPA. And no route to host suggests it isn't even getting that far. You might try shutting down iptables on the server and client and try that.
>
> rob
>
> Thanks,
> George
>
> From: Rob Crittenden rcrit...@redhat.com
> To: george he george_...@yahoo.com
> Cc: freeipa-users@redhat.com
> Sent: Tuesday, June 19, 2012 9:32 AM
> Subject: Re: [Freeipa-users] ipa installation problem
>
> george he wrote:
> Hello all,
> While waiting for more suggestions on my thread "is not an IPA v2 Server", I tried to install ipa server on other machines running fc16 and fc15. When the server is on fc16, I get the same error as when it's on fc17, wget failed: No route to host. When the server is on fc15, wget still failed, but the reason was Connection refused. Seems to me there's something else to do after running ipa-server-install on the server.
>
> This is unrelated to IPA. We do no network configuration changes, only start services. The client is doing a simple wget which just issues an HTTP request. The network stack is saying it can't talk to the IPA server so I'd start there. wireshark might be helpful.
>
> rob
[Freeipa-users] is not an IPA v2 Server.
Hello all,

I'm trying to install freeipa for a small lab with 10 computers, all running fedora 17. I seem to have installed ipa server (without DNS) successfully,

# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try to run ipa-client-install on a client machine, I get this error message:

server.my.edu is not an IPA v2 Server.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

What am I missing?

ps, I'm following the instructions here:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

Thanks,
George
Re: [Freeipa-users] is not an IPA v2 Server.
Hello all,

here is the error message from /var/log/ipaclient-install.log on the client machine:

Connecting to myserver|myserver ip|:80... failed: No route to host.
Retrieving CA from myserver failed.
Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 http://myserver/ipa/config/ca.crt' returned non-zero exit status 4

but httpd seems to be running on myserver and port 80 is open.

# systemctl status httpd.service
httpd.service - The Apache HTTP Server (prefork MPM)
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
  Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
  Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
  Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
  Main PID: 16233 (httpd)
  CGroup: name=systemd:/system/httpd.service
    ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
    ├ 16233 /usr/sbin/httpd -k start
    ├ 16236 /usr/sbin/httpd -k start
    ├ 16237 /usr/sbin/httpd -k start
    ├ 16238 /usr/sbin/httpd -k start
    ├ 16239 /usr/sbin/httpd -k start
    ├ 16240 /usr/sbin/httpd -k start
    ├ 16241 /usr/sbin/httpd -k start
    ├ 16242 /usr/sbin/httpd -k start
    ├ 16243 /usr/sbin/httpd -k start
    ├ 16244 /usr/sbin/httpd -k start
    └ 16245 /usr/sbin/httpd -k start

I have been working on this for days to set this thing up. Any help will be very much appreciated.

George

From: george he george_...@yahoo.com
To: freeipa-users@redhat.com
Sent: Saturday, June 16, 2012 4:02 PM
Subject: is not an IPA v2 Server.

> Hello all,
> I'm trying to install freeipa for a small lab with 10 computers, all running fedora 17. I seem to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this error message:
>
> server.my.edu is not an IPA v2 Server.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> What am I missing?
>
> ps, I'm following the instructions here:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> Thanks,
> George
Re: [Freeipa-users] is not an IPA v2 Server.
Hello Petr,

I can ping or ssh to myserver with no problem.

btw, here are the ports I opened:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT

Thanks,
George

From: Petr Viktorin pvikt...@redhat.com
To: freeipa-users@redhat.com
Cc: george he george_...@yahoo.com
Sent: Monday, June 18, 2012 10:06 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

> On 06/18/2012 03:44 PM, george he wrote:
> Hello all,
> here is the error message from /var/log/ipaclient-install.log on the client machine:
>
> Connecting to myserver|myserver ip|:80... failed: No route to host.
> Retrieving CA from myserver failed.
> Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 http://myserver/ipa/config/ca.crt' returned non-zero exit status 4
>
> Seems like a routing issue. Can you ping myserver from the client machine?
>
> but httpd seems to be running on myserver and port 80 is open.
>
> # systemctl status httpd.service
> httpd.service - The Apache HTTP Server (prefork MPM)
>   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>   Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
>   Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
>   Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
>   Main PID: 16233 (httpd)
>   CGroup: name=systemd:/system/httpd.service
>     ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>     ├ 16233 /usr/sbin/httpd -k start
>     ├ 16236 /usr/sbin/httpd -k start
>     ├ 16237 /usr/sbin/httpd -k start
>     ├ 16238 /usr/sbin/httpd -k start
>     ├ 16239 /usr/sbin/httpd -k start
>     ├ 16240 /usr/sbin/httpd -k start
>     ├ 16241 /usr/sbin/httpd -k start
>     ├ 16242 /usr/sbin/httpd -k start
>     ├ 16243 /usr/sbin/httpd -k start
>     ├ 16244 /usr/sbin/httpd -k start
>     └ 16245 /usr/sbin/httpd -k start
>
> I have been working on this for days to set this thing up. Any help will be very much appreciated.
>
> George
>
> From: george he george_...@yahoo.com
> To: freeipa-users@redhat.com
> Sent: Saturday, June 16, 2012 4:02 PM
> Subject: is not an IPA v2 Server.
>
> Hello all,
> I'm trying to install freeipa for a small lab with 10 computers, all running fedora 17. I seem to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this error message:
>
> server.my.edu is not an IPA v2 Server.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> What am I missing?
>
> ps, I'm following the instructions here:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> Thanks,
> George
>
> --
> Petr³
Re: [Freeipa-users] is not an IPA v2 Server.
Hi Petr,

Yes, I still get the "failed: No route to host" error. And I cannot connect to the web UI from the client, but I can open the web UI on myserver.

Thanks,
George

From: Petr Viktorin pvikt...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Monday, June 18, 2012 10:47 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

> Hi,
> If you run the wget manually (downloading to an existing directory instead of /tmp/tmpjibrhe), do you get the same error?
> Can you connect to the web UI from the client?
>
> On 06/18/2012 04:12 PM, george he wrote:
> Hello Petr,
> I can ping or ssh to myserver with no problem.
>
> btw, here are the ports I opened:
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
> iptables -A INPUT -p udp --dport 88 -j ACCEPT
> iptables -A INPUT -p tcp --dport 464 -j ACCEPT
> iptables -A INPUT -p udp --dport 464 -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> Thanks,
> George
>
> From: Petr Viktorin pvikt...@redhat.com
> To: freeipa-users@redhat.com
> Cc: george he george_...@yahoo.com
> Sent: Monday, June 18, 2012 10:06 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> On 06/18/2012 03:44 PM, george he wrote:
> Hello all,
> here is the error message from /var/log/ipaclient-install.log on the client machine:
>
> Connecting to myserver|myserver ip|:80... failed: No route to host.
> Retrieving CA from myserver failed.
> Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 http://myserver/ipa/config/ca.crt' returned non-zero exit status 4
>
> Seems like a routing issue. Can you ping myserver from the client machine?
>
> but httpd seems to be running on myserver and port 80 is open.
>
> # systemctl status httpd.service
> httpd.service - The Apache HTTP Server (prefork MPM)
>   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>   Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
>   Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
>   Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
>   Main PID: 16233 (httpd)
>   CGroup: name=systemd:/system/httpd.service
>     ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>     ├ 16233 /usr/sbin/httpd -k start
>     ├ 16236 /usr/sbin/httpd -k start
>     ├ 16237 /usr/sbin/httpd -k start
>     ├ 16238 /usr/sbin/httpd -k start
>     ├ 16239 /usr/sbin/httpd -k start
>     ├ 16240 /usr/sbin/httpd -k start
>     ├ 16241 /usr/sbin/httpd -k start
>     ├ 16242 /usr/sbin/httpd -k start
>     ├ 16243 /usr/sbin/httpd -k start
>     ├ 16244 /usr/sbin/httpd -k start
>     └ 16245 /usr/sbin/httpd -k start
>
> I have been working on this for days to set this thing up. Any help will be very much appreciated.
>
> George
>
> From: george he george_...@yahoo.com
> To: freeipa-users@redhat.com
> Sent: Saturday, June 16, 2012 4:02 PM
> Subject: is not an IPA v2 Server.
>
> Hello all,
> I'm trying to install freeipa for a small lab with 10 computers, all running fedora 17. I seem to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this error message:
>
> server.my.edu is not an IPA v2 Server.
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.
>
> What am I missing?
>
> ps, I'm following the instructions here:
> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
> Thanks,
> George
Re: [Freeipa-users] is not an IPA v2 Server.
Hello all,

Here is some other information. I'm setting this up for a lab in a university. The university has its own kerberos server (and DNS server, which I use). I'm not sure whether anybody has set up a kerberos server for the department, or whether some other labs use the department sub-domain. But I'm sure the realm name is unique.

When I open the web UI on the server (firefox 13.0), I almost always get this error:

Your Kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. If this is your first time running the IPA Web UI follow these directions to configure your browser. Or you can use form-based authentication.

but I can use the form based authentication sometimes, not always.

Thanks,
George

From: Petr Viktorin pvikt...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Monday, June 18, 2012 10:47 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

> Hi,
> If you run the wget manually (downloading to an existing directory instead of /tmp/tmpjibrhe), do you get the same error?
> Can you connect to the web UI from the client?
>
> On 06/18/2012 04:12 PM, george he wrote:
> Hello Petr,
> I can ping or ssh to myserver with no problem.
>
> btw, here are the ports I opened:
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
> iptables -A INPUT -p udp --dport 88 -j ACCEPT
> iptables -A INPUT -p tcp --dport 464 -j ACCEPT
> iptables -A INPUT -p udp --dport 464 -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> Thanks,
> George
>
> From: Petr Viktorin pvikt...@redhat.com
> To: freeipa-users@redhat.com
> Cc: george he george_...@yahoo.com
> Sent: Monday, June 18, 2012 10:06 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> On 06/18/2012 03:44 PM, george he wrote:
> Hello all,
> here is the error message from /var/log/ipaclient-install.log on the client machine:
>
> Connecting to myserver|myserver ip|:80... failed: No route to host.
> Retrieving CA from myserver failed.
> Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 http://myserver/ipa/config/ca.crt' returned non-zero exit status 4
>
> Seems like a routing issue. Can you ping myserver from the client machine?
>
> but httpd seems to be running on myserver and port 80 is open.
>
> # systemctl status httpd.service
> httpd.service - The Apache HTTP Server (prefork MPM)
>   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>   Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
>   Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
>   Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
>   Main PID: 16233 (httpd)
>   CGroup: name=systemd:/system/httpd.service
>     ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>     ├ 16233 /usr/sbin/httpd -k start
>     ├ 16236 /usr/sbin/httpd -k start
>     ├ 16237 /usr/sbin/httpd -k start
>     ├ 16238 /usr/sbin/httpd -k start
>     ├ 16239 /usr/sbin/httpd -k start
>     ├ 16240 /usr/sbin/httpd -k start
>     ├ 16241 /usr/sbin/httpd -k start
>     ├ 16242 /usr/sbin/httpd -k start
>     ├ 16243 /usr/sbin/httpd -k start
>     ├ 16244 /usr/sbin/httpd -k start
>     └ 16245 /usr/sbin/httpd -k start
>
> I have been working on this for days to set this thing up. Any help will be very much appreciated.
>
> George
>
> From: george he george_...@yahoo.com
> To: freeipa-users@redhat.com
> Sent: Saturday, June 16, 2012 4:02 PM
> Subject: is not an IPA v2 Server.
>
> Hello all,
> I'm trying to install freeipa for a small lab with 10 computers, all running fedora 17. I seem to have installed ipa server (without DNS) successfully,
>
> # ipactl status
> Directory Service: RUNNING
> KDC Service: RUNNING
> KPASSWD Service: RUNNING
> MEMCACHE Service: RUNNING
> HTTP Service: RUNNING
> CA Service: RUNNING
>
> but when I try to run ipa-client-install on a client machine, I get this error message:
>
> server.my.edu
Re: [Freeipa-users] is not an IPA v2 Server.
Hello Rob,

Yes, I did the configuration earlier today. And I did kinit too. It seems the web UI loads really slowly - the circular thing can turn for minutes. So maybe I wasn't patient enough to let the page load.

I can ssh to the server and the client from my home, so I don't think there's another firewall blocking the connection.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com
Sent: Monday, June 18, 2012 11:51 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

> george he wrote:
> Hello all,
> Here is some other information. I'm setting this up for a lab in a university. The university has its own kerberos server (and DNS server, which I use). I'm not sure whether anybody has set up a kerberos server for the department, or whether some other labs use the department sub-domain. But I'm sure the realm name is unique.
>
> When I open the web UI on the server (firefox 13.0), I almost always get this error:
>
> Your Kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. If this is your first time running the IPA Web UI follow these directions (https://cns2.psych.yale.edu/ipa/config/unauthorized.html) to configure your browser. Or you can use form-based authentication (https://cns2.psych.yale.edu/ipa/ui/#).
>
> but I can use the form based authentication sometimes, not always.
>
> You need to configure the browser to do Kerberos single sign-on. There should be a link in the failure message to take you to a page to help you configure this. You also need to have done a kinit.
>
> I'm not sure why forms-based auth would work only sometimes, additional details would be needed.
>
> I'm not sure why the server would be pingable from your client but HTTP doesn't work. There may be another firewall blocking the packets on your network.
>
> rob
Re: [Freeipa-users] is not an IPA v2 Server.
Hi Rob,

I was just thinking it's very unlikely the university would block http connections from inside, but not ssh from outside. But I'll contact our ITS anyway.

BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps outlined here:
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

There may be some steps that are obvious to people who know these things and are not listed in the document, then I could have missed them.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com
Sent: Monday, June 18, 2012 1:28 PM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

> george he wrote:
> Hello Rob,
> Yes, I did the configuration earlier today. And I did kinit too. It seems the web UI loads really slowly - the circular thing can turn for minutes. So maybe I wasn't patient enough to let the page load.
>
> A fair bit of javascript is loaded the very first time you visit IPA, that can be slow. Otherwise it should be relatively quick. Not minutes anyway.
>
> I can ssh to the server and the client from my home, so I don't think there's another firewall blocking the connection.
>
> Different ports, and that isn't the client talking to the server, it is you talking to the client and to the server. This is definitely some sort of networking problem, though no route to host is rather odd since you can ping. You might also look at the iptables configuration on the client.
>
> rob
>
> Thanks,
> George
>
> From: Rob Crittenden rcrit...@redhat.com
> To: george he george_...@yahoo.com
> Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com
> Sent: Monday, June 18, 2012 11:51 AM
> Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>
> george he wrote:
> Hello all,
> Here is some other information. I'm setting this up for a lab in a university. The university has its own kerberos server (and DNS server, which I use). I'm not sure whether anybody has set up a kerberos server for the department, or whether some other labs use the department sub-domain. But I'm sure the realm name is unique.
>
> When I open the web UI on the server (firefox 13.0), I almost always get this error:
>
> Your Kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. If this is your first time running the IPA Web UI follow these directions (https://cns2.psych.yale.edu/ipa/config/unauthorized.html) to configure your browser. Or you can use form-based authentication (https://cns2.psych.yale.edu/ipa/ui/#).
>
> but I can use the form based authentication sometimes, not always.
>
> You need to configure the browser to do Kerberos single sign-on. There should be a link in the failure message to take you to a page to help you configure this. You also need to have done a kinit.
>
> I'm not sure why forms-based auth would work only sometimes, additional details would be needed.
>
> I'm not sure why the server would be pingable from your client but HTTP doesn't work. There may be another firewall blocking the packets on your network.
>
> rob
[Freeipa-users] ipa installation problem
Hello all,

While waiting for more suggestions on my thread "is not an IPA v2 Server", I tried to install ipa server on other machines running fc16 and fc15. When the server is on fc16, I get the same error as when it's on fc17, wget failed: No route to host. When the server is on fc15, wget still failed, but the reason was Connection refused. Seems to me there's something else to do after running ipa-server-install on the server.

Any suggestions?

Thanks,
George