Re: [Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request
On 10/03/17 16:24, Rob Crittenden wrote:
> lejeczek wrote:
>> On 06/03/17 20:11, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> hi everyone
>>>>
>>>> I've a seemingly finely working domain, I mean it all seems fine to me, except for:
>>>>
>>>> [04/Mar/2017:14:26:47.439218725 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:26:47.441155853 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:31:47.454016982 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:31:47.482477473 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:36:46.458508994 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:36:46.479878884 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:41:47.389700728 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>> [04/Mar/2017:14:41:47.394379376 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>>>
>>>> being logged quite frequently, as you can see.
>>>>
>>>> Setup:
>>>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>>>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>>>> ipa-common-4.4.0-14.el7.centos.4.noarch
>>>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>>>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>>>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>>>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>>>>
>>>> Replication, users, logins, all seem normal. But the above bothers me as I am afraid it may one day turn out critical and break stuff down. This is on the first server that initiated the domain, long time ago. There is a second server which logs the same, but only a few entries, then goes quiet. The third server's error log is completely free from this error.
>>>>
>>>> Would appreciate all help.
>>>
>>> The CA replication agreements are handled by ipa-csreplica-manage. You may have leftover agreements from previous installs there.
>>>
>>> rob
>>
>> I'm afraid that over the years I let some bits in the domain go haywire. I found this:
>>
>> dn: cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: ca
>> objectClass: nsContainer
>> objectClass: top
>>
>> dn: cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: certprofiles
>> objectClass: nsContainer
>> objectClass: top
>>
>> dn: cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: caacls
>> objectClass: nsContainer
>> objectClass: top
>>
>> dn: cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: cas
>> objectClass: nsContainer
>> objectClass: top
>>
>> dn: cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: cas
>> objectClass: nsContainer
>> objectClass: top
>>
>> dn: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> description: User profile that includes IECUserRoles extension from request
>> ipaCertProfileStoreIssued: TRUE
>> cn: IECUserRoles
>> objectClass: ipacertprofile
>> objectClass: top
>>
>> dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> description: Standard profile for network services
>> ipaCertProfileStoreIssued: TRUE
>> cn: caIPAserviceCert
>> objectClass: ipacertprofile
>> objectClass: top
>>
>> dn: ipaUniqueID=1ea0be16-fc01-11e5-a664-f04da240c1d2,cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> ipaUniqueID: 1ea0be16-fc01-11e5-a664-f04da240c1d2
>> ipaEnabledFlag: TRUE
>> hostCategory: all
>> objectClass: ipaassociation
>> objectClass: ipacaacl
>> cn: hosts_services_caIPAserviceCert
>> serviceCategory: all
>>
>> dn: cn=ipa,cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: ipa
>> ipaCaId: 0725f730-9351-4115-aa68-ecb2f47dd805
>> ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
>> objectClass: top
>> objectClass: ipaca
>> ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
>> description: IPA CA
>>
>> dn: cn=ipa,cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>> cn: ipa
>> ipaCaId: ed1bbc62-45c5-4d4a-96fb-0c16129dbad0
>> ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
>> objectClass: top
>> objectClass: ipaca
>> ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
>> description: IPA CA
>>
>> is this the culprit?
>
> You have some replication conflict entries in there. I see no way how this could affect
[Freeipa-users] ldap tree: etc-location & ca-cas
hi everyone

my domain seems ok but I've decided to watch it closely on a more regular basis and am in the process of learning the tree. I found a few +nsuniqueid and I wonder: is there a relation (surely there is, but how critical) between etc-location & ca-ca? Both location and ca have the same +nsuniqueid=647ed0ab-b70911e6-b84df1c7-2176fa48.

My question would be (if I cannot do that with IPA, which I probably cannot): do I clean manually both location & ca in one go? Or is there a sequence to it? And more importantly: what else should I check in the tree in relation to these two DNs?

many thanks,
L

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request
On 06/03/17 20:11, Rob Crittenden wrote:
> lejeczek wrote:
>> hi everyone
>>
>> I've a seemingly finely working domain, I mean it all seems fine to me, except for:
>>
>> [04/Mar/2017:14:26:47.439218725 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:26:47.441155853 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.454016982 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.482477473 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.458508994 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.479878884 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.389700728 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.394379376 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>
>> being logged quite frequently, as you can see.
>>
>> Setup:
>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>> ipa-common-4.4.0-14.el7.centos.4.noarch
>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>>
>> Replication, users, logins, all seem normal. But the above bothers me as I am afraid it may one day turn out critical and break stuff down. This is on the first server that initiated the domain, long time ago. There is a second server which logs the same, but only a few entries, then goes quiet. The third server's error log is completely free from this error.
>>
>> Would appreciate all help.
>
> The CA replication agreements are handled by ipa-csreplica-manage. You may have leftover agreements from previous installs there.
>
> rob

I'm afraid that over the years I let some bits in the domain go haywire. I found this:

dn: cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ca
objectClass: nsContainer
objectClass: top

dn: cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: certprofiles
objectClass: nsContainer
objectClass: top

dn: cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: caacls
objectClass: nsContainer
objectClass: top

dn: cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: cas
objectClass: nsContainer
objectClass: top

dn: cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: cas
objectClass: nsContainer
objectClass: top

dn: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
description: User profile that includes IECUserRoles extension from request
ipaCertProfileStoreIssued: TRUE
cn: IECUserRoles
objectClass: ipacertprofile
objectClass: top

dn: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
description: Standard profile for network services
ipaCertProfileStoreIssued: TRUE
cn: caIPAserviceCert
objectClass: ipacertprofile
objectClass: top

dn: ipaUniqueID=1ea0be16-fc01-11e5-a664-f04da240c1d2,cn=caacls,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
ipaMemberCertProfile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
ipaUniqueID: 1ea0be16-fc01-11e5-a664-f04da240c1d2
ipaEnabledFlag: TRUE
hostCategory: all
objectClass: ipaassociation
objectClass: ipacaacl
cn: hosts_services_caIPAserviceCert
serviceCategory: all

dn: cn=ipa,cn=cas+nsuniqueid=647ed0b1-b70911e6-b84df1c7-2176fa48,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ipa
ipaCaId: 0725f730-9351-4115-aa68-ecb2f47dd805
ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
description: IPA CA

dn: cn=ipa,cn=cas,cn=ca,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
cn: ipa
ipaCaId: ed1bbc62-45c5-4d4a-96fb-0c16129dbad0
ipaCaSubjectDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=PRIVATE.xx.xx.PRIVATE.xx.xx.x
description: IPA CA

is this the culprit?

b.w.
L.
Re: [Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request
On 06/03/17 20:11, Rob Crittenden wrote:
> lejeczek wrote:
>> hi everyone
>>
>> I've a seemingly finely working domain, I mean it all seems fine to me, except for:
>>
>> [04/Mar/2017:14:26:47.439218725 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:26:47.441155853 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.454016982 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:31:47.482477473 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.458508994 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:36:46.479878884 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.389700728 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [04/Mar/2017:14:41:47.394379376 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>>
>> being logged quite frequently, as you can see.
>>
>> Setup:
>> ipa-client-4.4.0-14.el7.centos.4.x86_64
>> ipa-client-common-4.4.0-14.el7.centos.4.noarch
>> ipa-common-4.4.0-14.el7.centos.4.noarch
>> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> ipa-server-common-4.4.0-14.el7.centos.4.noarch
>> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>>
>> Replication, users, logins, all seem normal. But the above bothers me as I am afraid it may one day turn out critical and break stuff down. This is on the first server that initiated the domain, long time ago. There is a second server which logs the same, but only a few entries, then goes quiet. The third server's error log is completely free from this error.
>>
>> Would appreciate all help.
>
> The CA replication agreements are handled by ipa-csreplica-manage. You may have leftover agreements from previous installs there.
>
> rob

many thanks, should I be searching through the ldap tree? If yes, then where, more or less?

$ ipa-csreplica-manage list

shows only two servers, which would make sense, would add up, I think.
Re: [Freeipa-users] consumer replica which does not show up in ruv list
On 07/03/17 16:48, Ludwig Krispenz wrote:
> On 03/07/2017 05:29 PM, lejeczek wrote:
>> On 07/03/17 12:39, Martin Babinsky wrote:
>>> On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote:
>>>> hi,
>>>>
>>>> I presume I need to use ldapmodify/delete? I found this (obfuscated by me):
>>>>
>>>> cn=dzien.priv.xx.xx.priv.xx.xx.x+nsuniqueid=9e47680e-296e11e6-83a59f45-6ec26a1e,cn=masters,cn=ipa,cn=etc,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>>>>
>>>> To confirm? Would removing it fix the problem? I'm probably missing something else, aren't I?
>>>>
>>>> many thanks,
>>>> L
>>>
>>> That seems like a replication conflict. Consult the following guide to solve it:
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>
>> I'm not sure whether I'm dealing with a single or multi-valued DN and whether I should rename + keep the original copy (following that doc) or simply remove that DN.
>
> this is something which cannot be generally answered, you need to look at the specific entries. In the case of conflicts you always have entries like cn=<value>, and cn=<value>+nsuniqueid=<nnn>-nnn-nnn-nn,<rest of dn> and usually they are created if the same entry is added at the same time on two replicas, then they are identical and you can just delete the conflict entry. Only if you want to keep both entries do you need to rename the conflict.

to confirm - I presume this should be a recursive deletion with '-r', the whole lot, right?

thx,
L.

>>> Just a side question, how did you end up with such entry? Did you happen to upgrade multiple IPA masters at once?
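A small checker for the distinction Ludwig draws above, added here as an example (it is not FreeIPA or 389-ds code): it walks a plain LDIF export, pairs every +nsuniqueid conflict entry with the entry it collided with, and reports whether the two are identical copies or differ, plus whether the conflict entry has children below it. The sample LDIF is constructed (suffix, nsuniqueid and ipaCaId values are made up) but mirrors the cn=cas / cn=cas+nsuniqueid pair quoted earlier on this page.

```python
"""Sort 389-ds replication conflict entries into "identical copy" and
"needs a decision".

Added example for this thread; not FreeIPA or 389-ds code. It assumes an
LDIF export with plain (non-base64, unfolded) values. The sample LDIF is
constructed: suffix dc=example,dc=test, the nsuniqueid and the ipaCaId
values are made up, but the layout mirrors the cn=cas / cn=cas+nsuniqueid
pair and the cn=ipa children quoted earlier in the thread.
"""
import re
from collections import OrderedDict

# A conflict entry's RDN carries an extra nsuniqueid component.
CONFLICT_RE = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)

# Operational attributes legitimately differ between the two copies and must
# not count as a content difference.
OPERATIONAL = {"nsuniqueid", "createtimestamp", "modifytimestamp",
               "creatorsname", "modifiersname", "entryid", "entrydn"}

SAMPLE_LDIF = """\
dn: cn=cas,cn=ca,dc=example,dc=test
cn: cas
objectClass: nsContainer
objectClass: top

dn: cn=cas+nsuniqueid=11111111-22222222-33333333-44444444,cn=ca,dc=example,dc=test
cn: cas
objectClass: nsContainer
objectClass: top

dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=test
cn: ipa
ipaCaId: aaaaaaaa-0000-0000-0000-000000000001
objectClass: top
objectClass: ipaca
description: IPA CA

dn: cn=ipa,cn=cas+nsuniqueid=11111111-22222222-33333333-44444444,cn=ca,dc=example,dc=test
cn: ipa
ipaCaId: aaaaaaaa-0000-0000-0000-000000000002
objectClass: top
objectClass: ipaca
description: IPA CA
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr_lowercase: set(values)}} in
    file order; operational attributes are dropped."""
    entries = OrderedDict()
    dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends the entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key not in OPERATIONAL:
            attrs.setdefault(key, set()).add(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def original_dn(dn):
    """DN the conflict entry collided with: strip the nsuniqueid component
    from every RDN, so children of a conflict container map to their
    counterparts under the surviving container as well."""
    return CONFLICT_RE.sub("", dn)


def classify_conflicts(entries):
    """One record per conflict entry. verdict is 'identical' (attributes equal
    the original's: the redundant copy that can simply go), 'differs' (someone
    must pick which values win, or rename the conflict) or 'orphan' (no
    original exists). 'children' counts entries below the conflict entry: a
    non-zero count means deleting it takes a whole subtree with it."""
    results = []
    for dn, attrs in entries.items():
        if not CONFLICT_RE.search(dn):
            continue
        orig = original_dn(dn)
        children = sum(1 for d in entries if d.lower().endswith("," + dn.lower()))
        record = {"dn": dn, "original": orig, "children": children, "diff": []}
        if orig not in entries:
            record["verdict"] = "orphan"
        else:
            other = entries[orig]
            record["diff"] = sorted(a for a in set(attrs) | set(other)
                                    if attrs.get(a) != other.get(a))
            record["verdict"] = "differs" if record["diff"] else "identical"
        results.append(record)
    return results


if __name__ == "__main__":
    for r in classify_conflicts(parse_ldif(SAMPLE_LDIF)):
        print("%-9s children=%d diff=%s\n  %s\n  vs %s"
              % (r["verdict"], r["children"], r["diff"], r["dn"], r["original"]))
```

On the constructed sample the conflict container itself is an identical copy, but its cn=ipa child carries a different ipaCaId, which is exactly the case where "just delete the conflict entry" needs a look at the subtree first.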
Re: [Freeipa-users] consumer replica which does not show up in ruv list
On 07/03/17 12:39, Martin Babinsky wrote:
> On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote:
>> hi,
>>
>> I presume I need to use ldapmodify/delete? I found this (obfuscated by me):
>>
>> cn=dzien.priv.xx.xx.priv.xx.xx.x+nsuniqueid=9e47680e-296e11e6-83a59f45-6ec26a1e,cn=masters,cn=ipa,cn=etc,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>>
>> To confirm? Would removing it fix the problem? I'm probably missing something else, aren't I?
>>
>> many thanks,
>> L
>
> That seems like a replication conflict. Consult the following guide to solve it:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

I'm not sure whether I'm dealing with a single or multi-valued DN and whether I should rename + keep the original copy (following that doc) or simply remove that DN.

> Just a side question, how did you end up with such entry? Did you happen to upgrade multiple IPA masters at once?
Re: [Freeipa-users] consumer replica which does not show up in ruv list
On 07/03/17 12:39, Martin Babinsky wrote:
> On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote:
>> hi,
>>
>> I presume I need to use ldapmodify/delete? I found this (obfuscated by me):
>>
>> cn=dzien.priv.xx.xx.priv.xx.xx.x+nsuniqueid=9e47680e-296e11e6-83a59f45-6ec26a1e,cn=masters,cn=ipa,cn=etc,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x
>>
>> To confirm? Would removing it fix the problem? I'm probably missing something else, aren't I?
>>
>> many thanks,
>> L
>
> That seems like a replication conflict. Consult the following guide to solve it:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> Just a side question, how did you end up with such entry? Did you happen to upgrade multiple IPA masters at once?

I fear I was doing too few things at the same time: adding / removing replicas and at around the same time upgrading ipa*. Everything last evening.

Many thanks for the pointer, I'll read through.
[Freeipa-users] consumer replica which does not show up in ruv list
hi,

I presume I need to use ldapmodify/delete? I found this (obfuscated by me):

cn=dzien.priv.xx.xx.priv.xx.xx.x+nsuniqueid=9e47680e-296e11e6-83a59f45-6ec26a1e,cn=masters,cn=ipa,cn=etc,dc=priv,dc=xx.dc=xx.dc=priv,dc=xx,dc=xx,dc=x

To confirm? Would removing it fix the problem? I'm probably missing something else, aren't I?

many thanks,
L
Re: [Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request
On 04/03/17 14:47, lejeczek wrote:
> hi everyone
>
> I've a seemingly finely working domain, I mean it all seems fine to me, except for:
>
> [04/Mar/2017:14:26:47.439218725 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:26:47.441155853 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:31:47.454016982 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:31:47.482477473 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:36:46.458508994 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:36:46.479878884 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:41:47.389700728 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [04/Mar/2017:14:41:47.394379376 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>
> being logged quite frequently, as you can see.
>
> Setup:
> ipa-client-4.4.0-14.el7.centos.4.x86_64
> ipa-client-common-4.4.0-14.el7.centos.4.noarch
> ipa-common-4.4.0-14.el7.centos.4.noarch
> ipa-python-compat-4.4.0-14.el7.centos.4.noarch
> ipa-server-4.4.0-14.el7.centos.4.x86_64
> ipa-server-common-4.4.0-14.el7.centos.4.noarch
> ipa-server-dns-4.4.0-14.el7.centos.4.noarch
>
> Replication, users, logins, all seem normal. But the above bothers me as I am afraid it may one day turn out critical and break stuff down. This is on the first server that initiated the domain, long time ago. There is a second server which logs the same, but only a few entries, then goes quiet. The third server's error log is completely free from this error.
>
> Would appreciate all help.
>
> L

As I was afraid... more.

I'm adding a replica, with arguments: --setup-dns --no-forwarders . This seems to have succeeded:

...
Configured /etc/ssh/sshd_config
Configuring private.ccnr.ceb.private.cam.ac.uk as NIS domain.
Client configuration complete.

but on the master (first server in the domain) during replica installation I see:

[06/Mar/2017:09:56:01.022636856 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[06/Mar/2017:09:56:01.900679757 +] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389)".
[06/Mar/2017:09:56:05.287761359 +] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389)". Sent 799 entries.
[06/Mar/2017:09:56:15.293584156 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contxx. LDAP server). Will retry later.
[06/Mar/2017:09:56:19.220334467 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): Replication bind with SIMPLE auth resumed
[06/Mar/2017:09:56:24.523570143 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[06/Mar/2017:09:56:46.295504003 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contxx. LDAP server) ()
...
[06/Mar/2017:09:57:57.620175772 +] NSMMReplicationPlugin - agmt="cn=meToswir.priv.xx.xx.priv.xx.xx.x. (swir:389): Replication bind with GSSAPI auth resumed
[06/Mar/2017:10:01:46.442346796 +] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-swir.priv.xx.xx.priv.xx.xx.x.pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[06/Mar/2017:10:01:46.452580492 +] NSMMReplicationPlugin - agmt="cn=masterAgreement1-swir.priv.xx.xx.priv.xx.xx.x.pki-tomcat" (swir:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[06/Mar/2017:10:01:46.454557885 +] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAg
[Freeipa-users] slapi_ldap_bind - Error: could not send startTLS request
hi everyone

I've a seemingly finely working domain, I mean it all seems fine to me, except for:

[04/Mar/2017:14:26:47.439218725 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:26:47.441155853 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:31:47.454016982 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:31:47.482477473 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:36:46.458508994 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:36:46.479878884 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:41:47.389700728 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[04/Mar/2017:14:41:47.394379376 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

being logged quite frequently, as you can see.

Setup:
ipa-client-4.4.0-14.el7.centos.4.x86_64
ipa-client-common-4.4.0-14.el7.centos.4.noarch
ipa-common-4.4.0-14.el7.centos.4.noarch
ipa-python-compat-4.4.0-14.el7.centos.4.noarch
ipa-server-4.4.0-14.el7.centos.4.x86_64
ipa-server-common-4.4.0-14.el7.centos.4.noarch
ipa-server-dns-4.4.0-14.el7.centos.4.noarch

Replication, users, logins, all seem normal. But the above bothers me as I am afraid it may one day turn out critical and break stuff down. This is on the first server that initiated the domain, long time ago. There is a second server which logs the same, but only a few entries, then goes quiet. The third server's error log is completely free from this error.

Would appreciate all help.

L
Re: [Freeipa-users] unable to decode: {replica
On 01/03/17 08:05, Ludwig Krispenz wrote:
> On 02/28/2017 07:52 PM, lejeczek wrote:
>> On 28/02/17 09:45, Petr Vobornik wrote:
>>> On 02/26/2017 11:35 AM, lejeczek wrote:
>>>> hi everyone
>>>>
>>>> For the first time I see:
>>>>
>>>> unable to decode: {replica 60} 586eaffd000a003c 586eaffd000a003c
>>>> Replica Update Vectors:
>>>>
>>>> on all four servers. What would be the correct way of troubleshooting and fixing this problem?
>>>>
>>>> many thanks,
>>>> L.
>>>
>>> Hello,
>>>
>>> what is the version and OS of your IPA servers and DS?
>>>
>>> $ rpm -q ipa-server freeipa-server 389-ds-base
>>
>> well I run a Centos 7.x and
>>
>> ~]$ rpm -q ipa-server freeipa-server 389-ds-base
>> ipa-server-4.4.0-14.el7.centos.4.x86_64
>> package freeipa-server is not installed
>> 389-ds-base-1.3.5.10-15.el7_3.x86_64
>>
>> I searched the net and archives but failed to find anything flagged as "solved".
>
> if you expect help, you should provide a bit more information than the snippet of an error message. As Petr pointed out this looks like a problem of a corrupted RUV, but we also haven't seen these for a long time. Could you describe your deployment, what changed recently (adding/removing replicas, crashes, ...)? A mapping of servers and replica Ids: to which server does "60" refer?

If I knew what "60" referred to I wouldn't have had to ask the question, most likely. I thought it something IPA itself cannot decode, so how could I? I ran first - clean-dangling-ruv - which cleaned a lot, but during the cleanup it kept spitting out: unable to decode.. "replica 60" is nothing like a hostname or any other human, me, given reference. I thought it is obvious that these days people start with sroogle and later "mailing lists" are the last resort and not the place to do shop talk, well, very rarely should be. But, I did NOT sroogle enough, I realize it now.

this fails:

~]$ ipa-replica-manage clean-ruv 60
Directory Manager password:
unable to decode: {replica 60} 586eaffd000a003c 586eaffd000a003c
Replica ID 60 not found

but this succeeds:

~]$ ldapmodify -p 389 -h $(hostname) -D "cn=directory manager" -Y GSSAPI -a
SASL/GSSAPI authentication started
SASL username: ad...@private.dom.my
SASL SSF: 56
SASL data security layer installed.
dn: cn=clean 60, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=private,dc=private,dc=my
replica-id: 60
cn: clean 60

adding new entry "cn=clean 60, cn=cleanallruv, cn=tasks, cn=config"

logs:

04/Mar/2017:11:59:44.643623797 +] NSMMReplicationPlugin - CleanAllRUV Task: launching cleanAllRUV thread...
[04/Mar/2017:11:59:44.673317808 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Cleaning rid (60)...
[04/Mar/2017:11:59:44.675400517 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Waiting to process all the updates from the deleted replica...
[04/Mar/2017:11:59:44.677347412 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Waiting for all the replicas to be online...
[04/Mar/2017:11:59:44.713849540 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Waiting for all the replicas to receive all the deleted replica updates...
[04/Mar/2017:11:59:44.743398566 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Sending cleanAllRUV task to all the replicas...
[04/Mar/2017:11:59:44.784880691 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Cleaning local ruv's...
[04/Mar/2017:11:59:45.792197518 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Waiting for all the replicas to be cleaned...
[04/Mar/2017:11:59:45.850641867 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Waiting for all the replicas to finish cleaning...
[04/Mar/2017:11:59:45.881786089 +] NSMMReplicationPlugin - CleanAllRUV Task (rid 60): Successfully cleaned rid(60).

and it is fixed.

thanks!

> Check the ruvs for all suffixes on all servers. Try cleaning the RUV, if the IPA command does not work do it by ldapmodify.
>
> There have been many discussions on this topic in this mailing list, look for "cleanallruv", "haunted servers",..
>
> Ludwig
>>> Similar issues happened last year, you can search the archives for "unable to decode" but a 389-ds fix improved the situation. So if you have an older version then maybe update and then manual cleanup of RUVs might help.
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
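As an added example (not part of the thread, and not FreeIPA or 389-ds code): a parser for RUV elements like the one list-ruv could not decode, which decodes the CSN to confirm that 586eaffd000a003c really carries replica id 60, lists replica ids that belong to no known server, and emits the cleanallruv task entry used above. It assumes the nsds50ruv element layout "{replica <rid> <ldap-url>} <min-csn> <max-csn>" and the 389-ds CSN layout (8 hex digits of unix time, 4 of sequence, 4 of replica id, 4 of sub-sequence); the sample RUV is constructed apart from the thread's own element.

```python
"""Parse 389-ds RUV elements, decode their CSNs and build the cleanallruv task
entry the thread added by hand once `ipa-replica-manage clean-ruv 60` refused.

Added example for this thread; not FreeIPA or 389-ds code. Assumed formats:
an nsds50ruv value looks like "{replica <rid> <ldap-url>} <min-csn> <max-csn>",
and a CSN is 20 hex digits laid out as tttttttt ssss rrrr uuuu (unix time,
sequence, replica id, sub-sequence). ipa-replica-manage's own RUV parser
requires the ldap:// URL, so an element without one (the thread's
"{replica 60}") is what it reports as undecodable. The sample RUV below is
constructed; only the last element copies the thread's text.
"""
import re
from datetime import datetime, timezone

RUV_RE = re.compile(
    r"\{replica (?P<rid>\d+)(?: (?P<url>ldap://\S+?))?\}"
    r"(?: (?P<min>[0-9a-f]+) (?P<max>[0-9a-f]+))?$", re.IGNORECASE)

# Constructed sample: two healthy masters plus the element from the thread.
SAMPLE_RUV = [
    "{replicageneration} 58a000010000000a0000",
    "{replica 4 ldap://ipa1.example.test:389} 58a00001000100040000 58a00001000100040000",
    "{replica 5 ldap://ipa2.example.test:389} 58a00002000100050000 58a00002000100050000",
    "{replica 60} 586eaffd000a003c 586eaffd000a003c",
]


def decode_csn(csn):
    """Split a CSN into its fields. The thread's value has only 16 digits,
    i.e. the sub-sequence is missing, so that field is optional here."""
    if not re.fullmatch(r"[0-9a-fA-F]{16}(?:[0-9a-fA-F]{4})?", csn):
        raise ValueError("not a CSN: %r" % csn)
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time": datetime.fromtimestamp(ts, timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16) if len(csn) == 20 else None,
    }


def parse_ruv_element(value):
    """Describe one RUV element. 'decodable' is False when the LDAP URL that
    maps the replica id to a server is missing."""
    m = RUV_RE.match(value.strip())
    if not m:
        raise ValueError("unrecognised RUV element: %r" % value)
    rid = int(m.group("rid"))
    info = {"rid": rid, "url": m.group("url"),
            "decodable": m.group("url") is not None}
    if m.group("max"):
        newest = decode_csn(m.group("max"))
        info["last_update"] = newest["time"]
        # The replica id inside the CSN should agree with the element's own id.
        info["csn_rid_matches"] = newest["rid"] == rid
    return info


def stale_rids(ruv_values, known_rids):
    """Replica ids present in the RUV that belong to no server you still run.
    These are the candidates for a cleanallruv task."""
    rids = {parse_ruv_element(v)["rid"] for v in ruv_values
            if not v.startswith("{replicageneration}")}
    return sorted(rids - set(known_rids))


def cleanallruv_ldif(suffix, rid):
    """The task entry the thread fed to ldapmodify -a."""
    return (
        "dn: cn=clean %(rid)d,cn=cleanallruv,cn=tasks,cn=config\n"
        "objectclass: extensibleObject\n"
        "replica-base-dn: %(suffix)s\n"
        "replica-id: %(rid)d\n"
        "cn: clean %(rid)d\n" % {"rid": rid, "suffix": suffix})


if __name__ == "__main__":
    for rid in stale_rids(SAMPLE_RUV, known_rids={4, 5}):
        print(cleanallruv_ldif("dc=example,dc=test", rid))
```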
Re: [Freeipa-users] unable to decode: {replica
On 28/02/17 09:45, Petr Vobornik wrote:
> On 02/26/2017 11:35 AM, lejeczek wrote:
>> hi everyone
>>
>> For the first time I see:
>>
>> unable to decode: {replica 60} 586eaffd000a003c 586eaffd000a003c
>> Replica Update Vectors:
>>
>> on all four servers. What would be the correct way of troubleshooting and fixing this problem?
>>
>> many thanks,
>> L.
>
> Hello,
>
> what is the version and OS of your IPA servers and DS?
>
> $ rpm -q ipa-server freeipa-server 389-ds-base

well I run a Centos 7.x and

~]$ rpm -q ipa-server freeipa-server 389-ds-base
ipa-server-4.4.0-14.el7.centos.4.x86_64
package freeipa-server is not installed
389-ds-base-1.3.5.10-15.el7_3.x86_64

I searched the net and archives but failed to find anything flagged as "solved".

> Similar issues happened last year, you can search the archives for "unable to decode" but a 389-ds fix improved the situation. So if you have an older version then maybe update and then manual cleanup of RUVs might help.
[Freeipa-users] unable to decode: {replica
hi everyone For the first time I see: unable to decode: {replica 60} 586eaffd000a003c 586eaffd000a003c Replica Update Vectors: on all four servers. What would be the correct way of troubleshooting and fixing this problem? many thanks, L.
[Freeipa-users] replica install - Insufficient 'add' privilege ?
hi everyone, I'm trying something mundane(can't think why, how my setup would be special/different) - replica installation - but I hit this: [42/44]: activating extdom plugin [43/44]: tuning directory server [44/44]: configuring directory to start on boot Done configuring directory server (dirsrv). Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(Replica): ERROR Insufficient access: Insufficient 'add' privilege to add the entry 'cn=NTP,cn=work3.whale.private,cn=masters,cn=ipa,cn=etc,dc=whale,dc=private'. ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information $and logs tail: 2017-02-10T12:20:46Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-WHALE-PRIVATE.socket conn= 2017-02-10T12:20:47Z DEBUG Destroyed connection context.ldap2_84192272 2017-02-10T12:20:47Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File 
"/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main promote(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1425, in promote remote_api.env.realm) File "/usr/lib/python2.7/site-packages/ipaserver/install/ntpinstance.py", line 43, in ntp_ldap_enable 
ntp.ldap_enable('NTP', fqdn, None, base_dn) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 512, in ldap_enable self.admin_conn.add_entry(entry) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1492, in add_entry self.conn.add_s(str(entry.dn), list(attrs.items())) File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__ self.gen.throw(type, value, traceback) File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 971, in error_handler raise errors.ACIError(info=info) 2017-02-10T12:20:47Z DEBUG The ipa-replica-install command failed, exception: ACIError: Insufficient access: Insufficient 'add' privilege to add the entry
Re: [Freeipa-users] unable to delete a user - which has a double??
On 01/02/17 19:16, Martin Basti wrote: Hello, you have to use the ldapdelete command and remove it manually Martin and the user's group? I'm using a gui and it protests: .. Deleting a managed entry is not allowed. It needs to be manually unlinked first.] .. I've already had the user removed. It would be great if coming new versions accounted for this situation and provided users/admins with tool(s) that can take care of it. many thanks, L. On 01.02.2017 19:30, lejeczek wrote: hi all, take a look: $ ipa user-find --uid 3501 -- 1 user matched -- User login: appmgr First name: app Last name: developer Home directory: /home.sysops/appmgr Login shell: /bin/bash Principal alias: appmgr@PRIVATE Email address: appmgr@private UID: 3501 GID: 3501 Account disabled: False $ ipa user-find --uid 1104 -- 1 user matched -- User login: appmgr First name: app Last name: devel 1 Home directory: /home.sysops/appmgr Login shell: /bin/bash Principal alias: appmgr@PRIVATE Email address: appmgr@private UID: 1104 GID: 1104 Account disabled: False Number of entries returned 1 I think it had something to do with an initial (long time ago) migration. How to safely delete such a user? Or one of them? $ ipa user-del appmgr --no-preserve ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. many thanks, L.
Re: [Freeipa-users] unable to delete a user - which has a double??
On 01/02/17 19:12, Jochen Hein wrote: Hi lejeczek <pelj...@yahoo.co.uk> writes: I think it had something to do with an initial (long time ago) migration. How to safely delete such a user? Or one of them? $ ipa user-del appmgr --no-preserve ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. Did you try "--continue"? nope, --continue won't help, at least with 4.4 You can check both users with "ipa user-find ... --all" and look for the ipauniqueid. I think you can remove the user with ldapremove. Jochen
[Freeipa-users] unable to delete a user - which has a double??
hi all, take a look: $ ipa user-find --uid 3501 -- 1 user matched -- User login: appmgr First name: app Last name: developer Home directory: /home.sysops/appmgr Login shell: /bin/bash Principal alias: appmgr@PRIVATE Email address: appmgr@private UID: 3501 GID: 3501 Account disabled: False $ ipa user-find --uid 1104 -- 1 user matched -- User login: appmgr First name: app Last name: devel 1 Home directory: /home.sysops/appmgr Login shell: /bin/bash Principal alias: appmgr@PRIVATE Email address: appmgr@private UID: 1104 GID: 1104 Account disabled: False Number of entries returned 1 I think it had something to do with an initial (long time ago) migration. How to safely delete such a user? Or one of them? $ ipa user-del appmgr --no-preserve ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. many thanks, L.
Re: [Freeipa-users] IPA and DNS reverse subnets
On 30/01/17 19:32, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 07:12:10PM +, lejeczek wrote: On 30/01/17 18:28, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: hi everybody I'm having trouble trying to figure out, or in other words make this work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure if I got it right. Host reverse resolving does not seem to be right. I have: Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Here you got it wrong. IPv4 reverses are split at octet boundary, you cannot have greater granularity. And for sure you cannot mix CIDR addressing (/28) and netblock type. On top of that, “/” is not a correct character in DNS. how about this - http://www.zytrax.com/books/dns/ch9/reverse.html - would this not work? Wow. This is the first time in my life I see this notation. Nevertheless, I was wrong with my previous email. Having read your link, I found http://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation Is this helpful? meanwhile I had it working partially, delegation to subnets works but not everything. More tampering to do, I'll post more findings later, hopefully. thanks.
Re: [Freeipa-users] IPA and DNS reverse subnets
On 30/01/17 18:28, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: hi everybody I'm having trouble trying to figure out, or in other words make this work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure if I got it right. Host reverse resolving does not seem to be right. I have: Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Here you got it wrong. IPv4 reverses are split at octet boundary, you cannot have greater granularity. And for sure you cannot mix CIDR addressing (/28) and netblock type. On top of that, “/” is not a correct character in DNS. how about this - http://www.zytrax.com/books/dns/ch9/reverse.html - would this not work? Your reverse zone is 10.5.10.in-addr.arpa. (IPv6 reverses are split at nibble boundary, FWIW).
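To make the octet-boundary rule and the classless alternative concrete, here is an added Python example (mine, not from the thread or the FreeIPA howto). It assumes the RFC 2317 naming convention for the child zone, "<first octet>/<prefix length>" under the enclosing /24, and uses the thread's own block 10.5.10.48/28 and name server work1.whale.private. as inputs.

```python
import ipaddress

ARPA = "in-addr.arpa."


def reverse_zones(cidr):
    """Reverse zone name(s) to host for an IPv4 prefix.

    Octet-aligned prefixes (/8, /16, /24) map to one classful zone. /25-/31
    cannot be expressed at an octet boundary, so they get an RFC 2317 child
    zone named "<first octet>/<prefix length>" under the enclosing /24.
    Anything between /9 and /23 is served as its constituent /24 zones.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    plen = net.prefixlen
    octets = str(net.network_address).split(".")
    full = plen // 8                      # whole octets covered by the prefix
    parent = ".".join(list(reversed(octets[:full])) + [ARPA]) if full else ARPA
    if plen % 8 == 0:
        return [parent]
    if plen < 24:
        return [reverse_zones(str(sub))[0] for sub in net.subnets(new_prefix=24)]
    return [f"{octets[3]}/{plen}.{parent}"]


def classless_delegation(cidr, child_ns):
    """Records the enclosing /24 zone needs so that every address in `cidr`
    resolves via the child zone: an NS for the child plus one CNAME per
    address (RFC 2317). Returns (parent_zone, child_zone, records)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("classless delegation covers /25-/31 inside a /24")
    child = reverse_zones(cidr)[0]
    parent = child.split(".", 1)[1]
    records = [(child, "NS", child_ns)]
    # Network and broadcast addresses are delegated too, so the child zone
    # can answer for any address in the block.
    for addr in net:
        last = str(addr).split(".")[3]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
    return parent, child, records


def ptr_owner(ip, cidr):
    """Owner name of the PTR record for `ip` inside the delegated child zone."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    last = str(addr).split(".")[3]
    return f"{last}.{reverse_zones(cidr)[0]}"


if __name__ == "__main__":
    # Values from the thread: the /28 block and work1's address.
    parent, child, records = classless_delegation("10.5.10.48/28",
                                                  "work1.whale.private.")
    print(f"parent zone {parent} delegates {child}")
    for owner, rtype, target in records[:3]:
        print(f"  {owner} {rtype} {target}")
    print("PTR for 10.5.10.55 lives at", ptr_owner("10.5.10.55", "10.5.10.48/28"))
```

The parent /24 must be served by whoever owns it (here that can be IPA itself, since both zones are in IPA); without the CNAMEs in the parent, a lookup of 55.10.5.10.in-addr.arpa. returns NXDOMAIN exactly as in the thread.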
[Freeipa-users] IPA and DNS reverse subnets
hi everybody I'm having trouble trying to figure out, or in other words make this work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure if I got it right. Host reverse resolving does not seem to be right. I have: Zone name: whale.private. Active zone: TRUE Authoritative nameserver: work1.whale.private. Administrator e-mail address: hostmaster.whale.private. SOA serial: 1485797688 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Active zone: TRUE Authoritative nameserver: work1.whale.private. Administrator e-mail address: hostmaster SOA serial: 1485790340 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; but: ~]$ host 10.5.10.55 Host 55.10.5.10.in-addr.arpa. not found: 3(NXDOMAIN) and when I try to install a replica: ~]$ ipa-replica-install --setup-dns --no-forwarders --setup-ca Password for admin@WHALE.PRIVATE: ipa : ERRORReverse DNS resolution of address 10.5.10.55 (work1.whale.private) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) I understand it's all in DNS, so.. how to tweak it, to fix it? many thanks, L.
[Freeipa-users] ipa.p11-kit: Permission denied
hi all I see this when I restart httpd: [Tue Dec 13 10:26:06.945668 2016] [core:notice] [pid 47548] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND' p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied p11-kit: couldn't open and map file: /etc/pki/ca-trust/source/ipa.p11-kit: Permission denied ... and I wonder if it has something to do with IPA? And if yes then is it critical? IPA seems to work normally. many thanks, L.
Re: [Freeipa-users] error; Allocation of a new value
On 25/11/16 12:02, Martin Babinsky wrote: On 11/25/2016 12:48 PM, lejeczek wrote: On 25/11/16 07:52, Martin Babinsky wrote: On 11/24/2016 07:30 PM, lejeczek wrote: On 24/11/16 17:14, lejeczek wrote: hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032 Range type: Active Directory domain range Range name: xx.xx.xx.xx.x_id_range First Posix ID of the range: 187500 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 some time ago when I first set up IPA I migrated users from samba3's ldap backend. Since then until today there were no new users I needed to add but now I do. The first range on the list, I think, is a remnant of an AD trust which does not exist any more (should it be removed?). I'm not sure how to read that range info; one thing I notice is that UIDs from migration are probably between 500 & 2000 and now if I supply uid manually to user-add and gid (which is old Samba's domain users group) then creation of new user succeeds. Is this normal, expected? mthx, L ok, solution(ldapmodify) to the problem: https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html but could some experts shed more light on it - I see that some time ago (after migration/import) I actually created manually a user: $ id netdevadmin uid=187506(netdevadmin) gid=187506(netdevadmin) groups=187506(netdevadmin) today, after ldapmodify I create a new user but uids seem to come from (what?) a different range?? $ id appmgr uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr) what is happening? 
regards L You are seeing this because you probably set s too low (5000 or so) and, as the name of the attribute implies, it sets the maximum UID/GID for the range assigned by the plugin. By default, the local IPA ID ranges are set to huge numbers (on my test VMs I have dnaMaxValue 24179) to avoid collisions with UIDs/GIDs of local users which are typically in the range of thousands/tens of thousands. However, the changes done directly in the DNA plugin configuration are not reflected in ID range objects, that's why you may observe the disparity between ID range characteristics and actual UIDs/GIDs provisioned. can you guess what changed those dnaMaxValue after initial setup/installation (soon after I created 187506(netdevadmin), UID was assigned by IPA)? It certainly was not me. Well, you wrote: > ok, solution(ldapmodify) to the problem: > https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html so I guess you indeed changed the value by running ldapmodify? well, I did but only now, hoping to fix: ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. and before I did, those values were: # Posix IDs, Distributed Numeric Assignment Plugin, plugins, config dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config cn: Posix IDs dnaMaxValue: 1100 dnaNextValue: 1101 dnaThreshold: 500 dnaType: uidNumber dnaType: gidNumber objectClass: top objectClass: extensibleObject Should I worry about these disparities? Should I be setting dnaMaxValue (and any relevant) to correspond to idrange(s)? 
In general, I would not meddle with DNA plugin settings unless something is seriously wrong (like a replica that did not receive any DNA range block before the master was decommissioned, see [1]), and even then I would be extra careful to set the DNA plugin ranges to correspond to the actual IPA ID ranges to avoid any UID/GID collisions (which can get nasty very quickly). so, would you say what should be the value of dnaMaxValue in case of that range my IPA shows? Lastly, I see my IPA has two ranges, one is from AD trust which has been removed, is it ok to leave/keep that range? The leftover range from AD does no harm, you can safely remove it just to avoid confusion. mthx, L. [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
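An added consistency check, written here as an example rather than taken from the thread or from FreeIPA, that reads a DNA plugin entry in the LDIF form quoted above and reports whether its block is exhausted (the "Allocation of a new value" failure), running low, or sitting outside the IPA local ID range. The range base 187500 is from the thread; the range size 200000 is a constructed sample value, since the quoted idrange output does not preserve it.

```python
# Attribute names are matched case-insensitively, as LDAP does.
WANTED = ("dnanextvalue", "dnamaxvalue", "dnathreshold")


def parse_dna_entry(ldif_text):
    """Extract the numeric settings from an LDIF dump of the
    cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config entry."""
    cfg = {}
    for line in ldif_text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in WANTED:
            cfg[key] = int(value.strip())
    missing = [k for k in WANTED if k not in cfg]
    if missing:
        raise ValueError(f"DNA entry is missing {missing}")
    return cfg


def check_dna_vs_idrange(cfg, range_base, range_size):
    """Compare the DNA block [dnaNextValue, dnaMaxValue] with the IPA local
    ID range [range_base, range_base + range_size - 1]. Returns a list of
    (code, message) findings; an empty list means the two agree."""
    first, last = range_base, range_base + range_size - 1
    nxt, mx, thr = cfg["dnanextvalue"], cfg["dnamaxvalue"], cfg["dnathreshold"]
    findings = []
    remaining = mx - nxt + 1
    if remaining <= 0:
        findings.append(("exhausted",
            f"dnaNextValue {nxt} is past dnaMaxValue {mx}: unless another master "
            "hands out a new block, user-add fails with 'Allocation of a new "
            "value for range ... failed'"))
    elif remaining < thr:
        findings.append(("low",
            f"only {remaining} values left, below dnaThreshold {thr}; the plugin "
            "will ask another master for a new block"))
    if mx < first or nxt > last:
        findings.append(("outside",
            f"DNA block [{nxt}, {mx}] lies entirely outside the IPA range "
            f"[{first}, {last}]; new UIDs/GIDs would not match idrange"))
    elif nxt < first or mx > last:
        findings.append(("overlap",
            f"DNA block [{nxt}, {mx}] is only partly inside [{first}, {last}]"))
    return findings


# The DNA entry exactly as quoted in the thread above.
THREAD_DNA_LDIF = """\
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
"""

# Base 187500 is from the thread's idrange output; the size is a constructed
# sample value (substitute the "Number of IDs in the range" your server shows).
RANGE_BASE, RANGE_SIZE = 187500, 200000

if __name__ == "__main__":
    cfg = parse_dna_entry(THREAD_DNA_LDIF)
    for code, message in check_dna_vs_idrange(cfg, RANGE_BASE, RANGE_SIZE):
        print(f"{code}: {message}")
```

Run it per master, since each master holds its own DNA block; a block that is inside the range on one master can be exhausted or outside it on another.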
Re: [Freeipa-users] error; Allocation of a new value
On 25/11/16 07:52, Martin Babinsky wrote: On 11/24/2016 07:30 PM, lejeczek wrote: On 24/11/16 17:14, lejeczek wrote: hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032 Range type: Active Directory domain range Range name: xx.xx.xx.xx.x_id_range First Posix ID of the range: 187500 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 some time ago when I first set up IPA I migrated users from samba3's ldap backend. Since then until today there were no new users I needed to add but now I do. The first range on the list, I think, is a remnant of an AD trust which does not exist any more (should it be removed?). I'm not sure how to read that range info; one thing I notice is that UIDs from migration are probably between 500 & 2000 and now if I supply uid manually to user-add and gid (which is old Samba's domain users group) then creation of new user succeeds. Is this normal, expected? mthx, L ok, solution(ldapmodify) to the problem: https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html but could some experts shed more light on it - I see that some time ago (after migration/import) I actually created manually a user: $ id netdevadmin uid=187506(netdevadmin) gid=187506(netdevadmin) groups=187506(netdevadmin) today, after ldapmodify I create a new user but uids seem to come from (what?) a different range?? $ id appmgr uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr) what is happening? regards L You are seeing this because you probably set s too low (5000 or so) and, as the name of the attribute implies, it sets the maximum UID/GID for the range assigned by the plugin. 
By default, the local IPA ID ranges are set to huge numbers (on my test VMs I have dnaMaxValue 24179) to avoid collisions with UIDs/GIDs of local users which are typically in the range of thousands/tens of thousands. However, the changes done directly in the DNA plugin configuration are not reflected in ID range objects, that's why you may observe the disparity between ID range characteristics and actual UIDs/GIDs provisioned. can you guess what changed those dnaMaxValue after initial setup/installation (soon after I created 187506(netdevadmin), UID was assigned by IPA)? It certainly was not me. Should I worry about these disparities? Should I be setting dnaMaxValue (and any relevant) to correspond to idrange(s)? Lastly, I see my IPA has two ranges, one is from AD trust which has been removed, is it ok to leave/keep that range? mthx, L.
Re: [Freeipa-users] error; Allocation of a new value
On 24/11/16 17:14, lejeczek wrote: hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032 Range type: Active Directory domain range Range name: xx.xx.xx.xx.x_id_range First Posix ID of the range: 187500 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 some time ago when I first set up IPA I migrated users from samba3's ldap backend. Since then until today there were no new users I needed to add but now I do. The first range on the list, I think, is a remnant of an AD trust which does not exist any more (should it be removed?). I'm not sure how to read that range info; one thing I notice is that UIDs from migration are probably between 500 & 2000 and now if I supply uid manually to user-add and gid (which is old Samba's domain users group) then creation of new user succeeds. Is this normal, expected? mthx, L ok, solution(ldapmodify) to the problem: https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html but could some experts shed more light on it - I see that some time ago (after migration/import) I actually created manually a user: $ id netdevadmin uid=187506(netdevadmin) gid=187506(netdevadmin) groups=187506(netdevadmin) today, after ldapmodify I create a new user but uids seem to come from (what?) a different range?? $ id appmgr uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr) what is happening? regards L
[Freeipa-users] error; Allocation of a new value
hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032 Range type: Active Directory domain range Range name: xx.xx.xx.xx.x_id_range First Posix ID of the range: 187500 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Number of entries returned 2 some time ago when I first set up IPA I migrated users from samba3's ldap backend. Since then until today there were no new users I needed to add but now I do. The first range on the list, I think, is a remnant of an AD trust which does not exist any more (should it be removed?). I'm not sure how to read that range info; one thing I notice is that UIDs from migration are probably between 500 & 2000 and now if I supply uid manually to user-add and gid (which is old Samba's domain users group) then creation of new user succeeds. Is this normal, expected? mthx, L
[Freeipa-users] can(should) IPA issue/manage certificates...
.. for entities outside of its own domain? Would you use IPA this way? I'm thinking - it would be nice to have one central point (console) and manage all my "virtual" domains' certification, but I'm not an expert on the subject. And if yes then what would be the steps? mthx, L.
Re: [Freeipa-users] where to put computer accounts... ?
On 24/11/16 15:10, Simo Sorce wrote: On Thu, 2016-11-24 at 12:59 +, lejeczek wrote: .. in order to satisfy classic Samba (which still uses openldap for user db backend but needs computer unix account) which complains: Failed to find a Unix account for yourcomp$ ? If this is on a client machine for its own computer account I would think of adding it to the local user database, if you have to distribute it via LDAP you'll have to create actual user accounts in the directory I guess. Simo. yes distributed, yes but where, just where all users go: cn=users,cn=accounts or some other container perhaps? I don't suppose ipa host* tool would be the means to put these computers where "regular" hosts go? mthx. L
[Freeipa-users] where to put computer accounts... ?
.. in order to satisfy classic Samba (which still uses openldap for user db backend but needs computer unix account) which complains: Failed to find a Unix account for yourcomp$ ? many thanks, L.
[Freeipa-users] slapi_ldap_bind - Error: could not bind id ....
hello you IPA addicts.. with a hope driven by previous (extremely) positive experience I'd like to ask for some help with: [10/Nov/2016:16:54:53 +] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-swir.xx.xx.xx.xx.x-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) this is one server (out of four) that logs it. I think it has to do with replication? This entry gets logged ~every few minutes. Servers seem to work, but how to look for some more obvious symptoms of something being wrong/broken? many thanks. L
Re: [Freeipa-users] SRV (mixed?) records
On 10/11/16 10:44, Petr Spacek wrote: This is non-standard situation so it asks for non-standard commands. I would try: $ ipa privilege-mod 'DNS Servers' --addattr=member=krbprincipalname=DNS/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x' $ ipa privilege-mod 'DNS Servers' --addattr=member=krbprincipalname=ipa-dnskeysyncd/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x' Be very careful when constructing these DNs, --addattr does not validate the input! well, I realize these can be trivial trifles, but man, you saved the... week! And to finish (hopefully) - maybe even more of a puzzle: how did it happen? This box member was fine, suddenly (I was recovering/reconnecting replication agreements), maybe not suddenly, but when I noticed at some point, it did that. It lost those ldap bits? many! thanks L.
Re: [Freeipa-users] SRV (mixed?) records
On 10/11/16 06:51, Petr Spacek wrote: On 9.11.2016 16:57, lejeczek wrote: On 09/11/16 14:35, Martin Basti wrote: On 09.11.2016 15:33, lejeczek wrote: On 09/11/16 13:48, Martin Basti wrote: On 09.11.2016 14:11, lejeczek wrote: On 09/11/16 12:43, Martin Basti wrote: On 09.11.2016 12:15, lejeczek wrote: On 08/11/16 19:37, Martin Basti wrote: On 08.11.2016 19:41, lejeczek wrote: hi everyone when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled) Do these record need fixing? I'm asking becuase one of the servers, despite the fact the ipa dns related toolkit(on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!?? $ ipa dnsrecord-find xx.xx.xx.xx.x. Record name: @ NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x. Record name: _kerberos TXT record: .xx.xx..xx.xx.x Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs SRV record: 0 100 88 rider, 0 100 88 work5 Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV record: 0 100 389 rider, 0 100 389 work5 Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs SRV record: 0 100 88 rider, 0 100 88 work5 Record name: _kerberos._tcp.dc._msdcs SRV record: 0 100 88 rider, 0 100 88 work5 Record name: _ldap._tcp.dc._msdcs SRV record: 0 100 389 rider, 0 100 389 work5 Record name: _kerberos._udp.dc._msdcs SRV record: 0 100 88 rider, 0 100 88 work5 Record name: _kerberos._tcp SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir Record name: _kerberos-master._tcp SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir Record name: _kpasswd._tcp SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale Record name: _ldap._tcp SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider Record name: _kerberos._udp SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 
rider, 0 100 88 swir Record name: _kerberos-master._udp SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir Record name: _kpasswd._udp SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale Record name: _ntp._udp SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir thanks. L. Hello, if server work5 is uninstalled, then work5 SRV records should be removed. Martin Martin, would you be able suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries. One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it. What dig @rider command returns for SRV queries? don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself. on rider (suffice I point to other member server and records are there) $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100 ;; global options: +cmd ;; Sending: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196 ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;.xx.xx..xx.xx.x. IN ANY ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;.xx.xx..xx.xx.x. IN ANY ;; AUTHORITY SECTION: .xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 
1478696070 1800 900 604800 3600 ;; Query time: 5 msec ;; SERVER: 10.5.6.100#53(10.5.6.100) ;; WHEN: Wed Nov 09 12:56:16 GMT 2016 ;; MSG SIZE rcvd: 120 I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone) And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there. I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have fowardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you. (You didn't make it easier by obfuscating output) Martin no no, sorry, I mean - it forwards whereas is should be authoritative for it's own FQDN. I realize it is not obvious after I obfuscated the output, but here: ;; AUTHORITY SECTION: .xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600 this looks like the
Re: [Freeipa-users] SRV (mixed?) records
On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x
  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.

On 08/11/16 19:37, Martin Basti wrote:
Hello,
if server work5 is uninstalled, then work5 SRV records should be removed.
Martin

On 09.11.2016 12:15, lejeczek wrote:
Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.

On 09/11/16 12:43, Martin Basti wrote:
What does the dig @rider command return for SRV queries?

On 09.11.2016 14:11, lejeczek wrote:
don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.

On 09/11/16 13:48, Martin Basti wrote:
I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have forwardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you.
(You didn't make it easier by obfuscating output)
Martin

On 09.11.2016 15:33, lejeczek wrote:
no no, sorry, I mean - it forwards whereas it should be authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the output, but here:

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

this looks like the only domain which is dnsfor

On 09/11/16 14:35, Martin Basti wrote:
Re: [Freeipa-users] SRV (mixed?) records
On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x
  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.

On 08/11/16 19:37, Martin Basti wrote:
Hello,
if server work5 is uninstalled, then work5 SRV records should be removed.
Martin

On 09.11.2016 12:15, lejeczek wrote:
Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.

On 09/11/16 12:43, Martin Basti wrote:
What does the dig @rider command return for SRV queries?

On 09.11.2016 14:11, lejeczek wrote:
don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.

On 09/11/16 13:48, Martin Basti wrote:
I'm lost now, I don't understand you, you told me that resolving on 'rider' server doesn't work, then you write me that it is expected because you have forwardzone set, but you cannot have forwardzone and master zone for the same domain, IPA doesn't allow it, so I have no idea what is not working for you.
(You didn't make it easier by obfuscating output)
Martin

no no, sorry, I mean - it forwards whereas it should be authoritative for its own FQDN.
I realize it is not obvious after I obfuscated the output, but here:

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

this looks like the only domain which is dnsforwardzone, everything else is dnszone
parent.xx.xx. - is the only forward
private.m
Re: [Freeipa-users] SRV (mixed?) records
On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x
  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.

On 08/11/16 19:37, Martin Basti wrote:
Hello,
if server work5 is uninstalled, then work5 SRV records should be removed.
Martin

On 09.11.2016 12:15, lejeczek wrote:
Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.

On 09/11/16 12:43, Martin Basti wrote:
What does the dig @rider command return for SRV queries?

don't mind SRV records for now, it returns no record at all, it forwards and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x. @10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x. 3600 IN SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent domain (to which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all there.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
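Two checks, in Python, for what this thread is chasing: SRV records still pointing at a host that is no longer one of the zone's NS servers (the work5 leftovers) in `ipa dnsrecord-find` output, and a dig transcript in which the queried server hands back the parent zone's SOA with NXDOMAIN and no `aa` flag, i.e. it forwards instead of answering for the zone. This is an added example, not code from the list or from the FreeIPA project; the zone, hosts and IP are constructed placeholders.

```python
"""Checks for the two symptoms in this thread (added example, not the list's own code):
SRV records whose target is no longer one of the zone's NS hosts (the work5 leftovers),
and a dig transcript where the server returns the parent zone's SOA with NXDOMAIN and no
`aa` flag, i.e. it forwards instead of answering for the zone. Names are placeholders."""
import re

# Constructed sample shaped like the `ipa dnsrecord-find` output quoted above.
DNSRECORD_FIND_SAMPLE = """\
  Record name: @
  NS record: swir.ipa.example., rider.ipa.example., dzien.ipa.example., whale.ipa.example.
  Record name: _kerberos
  TXT record: IPA.EXAMPLE
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
"""

# Constructed transcript shaped like the `dig +qr any` output quoted above; with +qr the
# outgoing query's header is printed first, then the server's answer.
DIG_FORWARDED_SAMPLE = """\
; <<>> DiG 9.9.4 <<>> +qr any ipa.example. @10.5.6.100
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ipa.example.                   IN      ANY

;; AUTHORITY SECTION:
example.                3600    IN      SOA     ns.example. hostmaster.example. 1478696070 1800 900 604800 3600
"""

# Constructed answer from a server that really serves the zone: the aa flag is set.
DIG_AUTHORITATIVE_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipa.example.                   IN      SOA

;; ANSWER SECTION:
ipa.example.            86400   IN      SOA     swir.ipa.example. hostmaster.ipa.example. 1478696070 3600 900 1209600 3600
"""


def _fqdn(name, zone):
    """Absolute names end with '.'; anything else is relative to the zone."""
    return name[:-1] if name.endswith(".") else name + "." + zone.rstrip(".")


def stale_srv_targets(output, zone):
    """Map record name -> SRV targets that are not one of the zone's NS hosts (reports only)."""
    ns, srv, current = set(), {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Record name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("NS record:"):
            ns.update(_fqdn(v.strip(), zone) for v in line.split(":", 1)[1].split(","))
        elif line.startswith("SRV record:"):  # each value is "priority weight port target"
            srv[current] = [_fqdn(rr.split()[3], zone) for rr in line.split(":", 1)[1].split(",")]
    return {name: [t for t in targets if t not in ns]
            for name, targets in srv.items() if any(t not in ns for t in targets)}


_STATUS_RE = re.compile(r"status: (\w+)")
_FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def classify_dig_response(transcript):
    """'authoritative' if aa is set; 'forwarded-to-parent' if there is no aa and the AUTHORITY
    section carries a SOA of a zone above the queried name (as on rider); else 'not-authoritative'."""
    status = flags = qname = soa_owner = section = None
    for line in transcript.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = _STATUS_RE.search(line).group(1)  # the last header (the answer) wins
        elif line.startswith(";; flags:"):
            flags = _FLAGS_RE.match(line).group(1).split()
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # QUESTION, ANSWER, AUTHORITY, ...
        elif not line.strip() or line.startswith(";;"):
            section = None
        elif section == "QUESTION":
            qname = line.lstrip(";").split()[0].rstrip(".")
        elif section == "AUTHORITY" and " SOA " in line:
            soa_owner = line.split()[0].rstrip(".")
    authoritative = bool(flags) and "aa" in flags
    if authoritative:
        verdict = "authoritative"
    elif qname and soa_owner and qname != soa_owner and qname.endswith("." + soa_owner):
        verdict = "forwarded-to-parent"
    else:
        verdict = "not-authoritative"
    return {"qname": qname, "status": status, "authoritative": authoritative,
            "soa_owner": soa_owner, "verdict": verdict}
```

Run `stale_srv_targets` over the real `ipa dnsrecord-find` output with the zone name, and `classify_dig_response` over `dig +qr ... @<each NS>` transcripts, to see which SRV targets to delete and which server is not serving the zone.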
Re: [Freeipa-users] SRV (mixed?) records
On 08.11.2016 19:41, lejeczek wrote:
hi everyone
when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x
  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.

On 08/11/16 19:37, Martin Basti wrote:
Hello,
if server work5 is uninstalled, then work5 SRV records should be removed.
Martin

Martin, would you be able to suggest a way to troubleshoot that problem that one (only) server (rider) seems to present no data for the whole domain? Remaining servers correctly respond to any queries.
One curious thing is that I $rndc trace 6; and (I see debug level changed in journalctl) I do not see anything in the logs when I query. Zone allows any to query it.
[Freeipa-users] SRV (mixed?) records
hi everyone
when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled)
Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit (on that server) shows zone & records, to dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
  Record name: @
  NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x., dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
  Record name: _kerberos
  TXT record: .xx.xx..xx.xx.x
  Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _ldap._tcp.dc._msdcs
  SRV record: 0 100 389 rider, 0 100 389 work5
  Record name: _kerberos._udp.dc._msdcs
  SRV record: 0 100 88 rider, 0 100 88 work5
  Record name: _kerberos._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._tcp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._tcp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ldap._tcp
  SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100 389 rider
  Record name: _kerberos._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kerberos-master._udp
  SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100 88 swir
  Record name: _kpasswd._udp
  SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100 464 whale
  Record name: _ntp._udp
  SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0 100 123 swir

thanks.
L.
Re: [Freeipa-users] CSN not found
On 03/11/16 19:58, Mark Reynolds wrote:
>> dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb
> results of above scan do not look like that CSN form reported in
> dirsrv's error log, it is:
> ..
> =116156
> =116157
> =116158
> ..
That doesn't look quite right. Just to confirm, you should be doing something like:

dbscan -f /var/lib/dirsrv/slapd-master_1/db/changelogdb/fe665489-a13011e6-acbab8c1-43b12a38_581a3c410001.db | grep 581b120f00050004

I don't see any xx.db in /var/lib/dirsrv/slapd-master_1/db/changelogdb but there are these:
16c9da9e-a54611e6-80ab82b9-81e5c5a8_574596220060.db
16c9da9e-a54611e6-80ab82b9-81e5c5a8.sema
DBVERSION
e71ad28c-a54511e6-80ab82b9-81e5c5a8_574595c80004.db
e71ad28c-a54511e6-80ab82b9-81e5c5a8.sema
in /var/lib/dirsrv/slapd-master_1/cldb and if I scan those:

cldb]$ for _F in *.db; do dbscan -f $_F | grep 57480d6d0025; done

there is nothing (on the replica that complains but also nothing on all members)

cldb]$ ll ../db/changelog/
total 2260
-rw-------. 1 dirsrv dirsrv   16384 Nov  8 00:02 aci.db
-rw-------. 1 dirsrv dirsrv   40960 Nov  8 15:52 ancestorid.db
-rw-------. 1 dirsrv dirsrv   40960 Nov  8 15:52 changenumber.db
-rw-------. 1 dirsrv dirsrv   16384 Nov  8 00:02 cn.db
-rw-------. 1 dirsrv dirsrv      51 Nov  8 00:02 DBVERSION
-rw-------. 1 dirsrv dirsrv  303104 Nov  8 15:52 entryrdn.db
-rw-------. 1 dirsrv dirsrv   40960 Nov  8 15:52 entryusn.db
-rw-------. 1 dirsrv dirsrv 1523712 Nov  8 15:52 id2entry.db
-rw-------. 1 dirsrv dirsrv   90112 Nov  8 15:52 nsuniqueid.db
-rw-------. 1 dirsrv dirsrv   16384 Nov  8 15:52 numsubordinates.db
-rw-------. 1 dirsrv dirsrv   90112 Nov  8 15:52 objectclass.db
-rw-------. 1 dirsrv dirsrv   40960 Nov  8 15:52 parentid.db
-rw-------. 1 dirsrv dirsrv   16384 Nov  8 00:02 seeAlso.db
-rw-------. 1 dirsrv dirsrv   65536 Nov  8 15:52 targetuniqueid.db

it's CentOS 7 with IPA ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64

>> What about the access logs? Do you see the CSN there?
Did you check the DS access logs??
[Freeipa-users] attrlist_replace - attr_replace : failed
hi everyone
I have three servers which seemingly!? work but all three log:

attrlist_replace - attr_replace (nsslapd-referral, ldap://swir.xx.xx

and swir.xx.xx is the server which ipa-replica-prepared and on it I see:

attrlist_replace - attr_replace (nsslapd-referral, ldap://whale.xx.xx
...
Error: could not bind id [cn=Replication Manager masterAgreement1-swir.xx.xx-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)

where is it going wrong?
many thanks
L.
[Freeipa-users] system to pick up pa user-mod --uid change - how long?
hello
I've changed the uid of a.user but the system:
$ id a.user
still shows the old id.
When is the system supposed to notice that change?
thanks
L.
Re: [Freeipa-users] CSN not found
On 03/11/16 14:16, Mark Reynolds wrote:
On 11/03/2016 09:42 AM, lejeczek wrote:
hi everybody
my three IPAs have gone haywire, two things I recall: one - one server was on ScientificL with a slightly lower minor version of IPA, two - another server (of the two identical CentOSes) had skewed time.
Not all there servers are in time-sync and all run same version of IPA

here I meant: Now all three

but replication broke with errors like:

$ ipa-replica-manage re-initialize --from rider --force
..
[03/Nov/2016:13:21:08 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x does not exist
[03/Nov/2016:13:21:08 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x does not exist
[03/Nov/2016:13:21:09 +] agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389) - Can't locate CSN 581b120f00050004 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN 581b120f00050004 not found, we aren't as up to date, or we purged
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Data required to update replica has been purged. The replica must be reinitialized.
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Incremental update failed and requires administrator action

I did dbscan -f /var.../cb941db on all three servers and grepped but cannot see that 581b120f00050004
where to troubleshoot?

What version of 389 do you have: rpm -qa | grep 389-ds-base

Did you check the changelog database for 581b120f00050004:
dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb

results of above scan do not look like that CSN form reported in dirsrv's error log, it is:
..
=116156
=116157
=116158
..

What about the access logs? Do you see the CSN there?
I've seen this issue before where a CSN is missing, which breaks the replication agreements, but the CSN does get added to the changelog after a few seconds. The only way to fix replication is to restart the server, or disable/enable the replication agreements (basically restart them).

restarting is not possible for the systemctl start ipa fails, though systemctl start dirsrv@... succeeds
what would be the correct process of removing repl agreements? I'm trying disconnect/del but am not sure if this is the way.

Thanks,
Mark

many thanks.
L
[Freeipa-users] CSN not found
hi everybody
my three IPAs have gone haywire, two things I recall: one - one server was on ScientificL with a slightly lower minor version of IPA, two - another server (of the two identical CentOSes) had skewed time.
Now all three servers are in time-sync and all run same version of IPA but replication broke with errors like:

$ ipa-replica-manage re-initialize --from rider --force
..
[03/Nov/2016:13:21:08 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x does not exist
[03/Nov/2016:13:21:08 +] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=dc=xx,dc=xx,dc=dc=xx,dc=xx,dc=x does not exist
[03/Nov/2016:13:21:09 +] agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389) - Can't locate CSN 581b120f00050004 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - changelog program - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): CSN 581b120f00050004 not found, we aren't as up to date, or we purged
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Data required to update replica has been purged. The replica must be reinitialized.
[03/Nov/2016:13:21:09 +] NSMMReplicationPlugin - agmt="cn=meToswir.xx.xx.xx.xx.x" (swir:389): Incremental update failed and requires administrator action

I did dbscan -f /var.../cb941db on all three servers and grepped but cannot see that 581b120f00050004
where to troubleshoot?
many thanks.
L
Re: [Freeipa-users] how to revert ipa-adtrust-install...
On 15/09/16 22:37, Rob Crittenden wrote:
What do you mean control? If you don't want ipactl to manage the smb service, look for an entry in cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.
rob

On 09/17/2016 12:43 PM, lejeczek wrote:
all I find there is:
objectClass: nsContainer
objectClass: top
cn: masters
does the same pertain to winbind? Does IPA need/use winbind if Samba under IPA is not the case?

On 19/09/16 08:49, Martin Babinsky wrote:
You must perform a subtree search and search for the entry named 'cn=ADTRUST', like so:
"""
ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test' '(cn=ADTRUST)'
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] rpm dependencies
On 27/10/16 09:28, Alexander Bokovoy wrote:
# rpm -q --requires freeipa-server|grep ^lib|xargs -n1 rpm -q --whatprovides|sort -u
glibc-2.23.1-10.fc24.x86_64
krb5-libs-1.14.4-4.fc24.x86_64
libcom_err-1.42.13-4.fc24.x86_64
libgcc-6.2.1-2.fc24.x86_64
libsss_nss_idmap-1.14.2-1.fc24.x86_64
libtalloc-2.1.6-1.fc24.x86_64
libtevent-0.9.28-1.fc24.x86_64
libunistring-0.9.4-3.fc24.x86_64
libuuid-2.28.2-1.fc24.x86_64
libverto-0.2.6-6.fc24.x86_64
nspr-4.13.1-1.fc24.x86_64
nss-3.27.0-1.1.fc24.x86_64
nss-util-3.27.0-1.0.fc24.x86_64
openldap-2.4.44-1.fc24.x86_64
openssl-libs-1.0.2j-1.fc24.x86_64
samba-client-libs-4.4.6-1.fc24.x86_64

You cannot remove samba-client-libs due to this. We also do not support downgrading Samba.

ough, this is not good, this Siamese-twins type of existence. Easy AD integration is a very nice thing to have but admins/users should also be able to disintegrate equally easily. To me it goes way too weird - sssd won't exist (according to rpm deps logic) without sssd-ad and then IPA follows. We should have an IPA which does not depend on Samba.
I myself am in a sticky wicket situation right now - my BDC Samba 4.2.x on CentOS 7 is not happy with the userdb multi-master ldap backend, the PDC which is CentOS 6.8 with 3.6.23-36.el6_8 has ruled that little domain fine for many years and win clients, etc. are A-OK. But Samba 4.2.x fails. I believe it might be a bug - I have even submitted a report: https://bugzilla.redhat.com/show_bug.cgi?id=1388589 - but I'm stuck!! I cannot try (at least not in an orderly manner) any Samba 3 version which I believe would be a quick & nice fix to my problem. I'm stuck between these Siamese twins.
hmm... crap.
L.
[Freeipa-users] rpm dependencies
hi all
quick question - do IPA rpms depend on samba's? I'm hoping I can remove samba-common but dnf fires a 46-package-long list of dependencies - is it somehow broken? If it is not and that is a 100% correct long chain of deps - then can samba be safely downgraded to 3.6.x? given that IPA does not integrate samba in my configuration.
many thanks
L.
Re: [Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??
On 21/10/16 14:11, Sumit Bose wrote: On Fri, Oct 21, 2016 at 01:55:19PM +0100, lejeczek wrote: hi all I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) I realize that to assume versions differences cause it is bit silly but nothing changed except update of boxB's IPA a day before the problem occur. Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so boxB == boxC IPA-wise) which does ssh in fine. Other way around, boxB to boxA ssh works. Logs are pretty quiet, I merely see: error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1 and that I'm not sure appears at the time of login attempt. I do: boxA$ ssh boxB Connection closed by UNKNOWN ps. boxA is not banned nor block by any tcp/ip means. many! thanks for any help Which version of SSSD is running? Do you have user certificates stored in IPA? In this case you might hit all three boxes run - sssd-1.13.0-40.el7_2.12.x86_64 but there is something weird going on with boxA ipa-server-4.2.0-15.sl7_2.19.x86_64 for a while when IPA started all seems ok but later, actually quiet soon $ ipa dnszone-find ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. 
Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/ and I realize dirsrv "crashes" earlier slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) errno 0 (Success) slapi_ldap_bind - Error: could not perform interactive bind for id [] authentication mechanism [GSSAPI]: error 49 (Invalid credentials) NSMMReplicationPlugin - agmt="cn=meTodzien.private..xxx.private.xxx.xx.xx" (dzien:389): Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) (SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context) NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Replica not online (agmt="cn=meTodzien.private..xxx.private.xxx.xx.xx" (dzien:389)) NSMMReplicationPlugin - CleanAllRUV Task (rid 38): Not all replicas online, retrying in 20 seconds... which is that boxB ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64 but I can query that boxB from boxA manually $ ldapsearch -LLL -D "cn=directory manager" -b cn=config -p 389 -h boxB -W = results OK. whats wrong with boxA ? https://bugzilla.redhat.com/show_bug.cgi?id=1372042 https://fedorahosted.org/sssd/ticket/2977 If there are no updates with a fix available you might want to set ldap_user_certificate = noSuchSttribute in the [domain/...] section of sssd.conf to tell SSSD to not read the certificates from the server. As an alternative you can all CA certificates needed to validate the user certificates properly to /etc/pki/nssdb. 
HTH

bye,
Sumit

L.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] cannot ssh in (sss_ssh_authorizedkeys returned status 1) ??
hi all

I cannot ssh from a boxA (ipa-server-4.2.0-15.sl7_2.19.x86_64) to a boxB (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64). I realize that to assume version differences cause it is a bit silly, but nothing changed except the update of boxB's IPA a day before the problem occurred. Also, there is a boxC (ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64) (so boxB == boxC IPA-wise) which does ssh in fine. The other way around, boxB to boxA, ssh works.

Logs are pretty quiet, I merely see:

error: AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys returned status 1

and that I'm not sure appears at the time of the login attempt. I do:

boxA$ ssh boxB
Connection closed by UNKNOWN

ps. boxA is not banned nor blocked by any tcp/ip means.

many! thanks for any help
L.
Re: [Freeipa-users] how to revert ipa-adtrust-install...
thanks a lot!

On 19/09/16 08:49, Martin Babinsky wrote:
ipaConfigString: enabledService
Re: [Freeipa-users] SELinux is preventing /usr/sbin/krb5kdc from write access on the sock_file /var/lib/sss/pipes/pac.
I think one case is when I sudo, not much there really; building up a semodule out of the alerts would end up in:

allow krb5kdc_t sssd_var_lib_t:sock_file write;

On 17/09/16 12:59, Lukas Slebodnik wrote:
On (17/09/16 12:02), lejeczek wrote:
before I drop above onto SELinux team - do you guys think SE should be doing that? Does it impair IPA in some ways?

It would be good to see more details. Do you know which action triggers AVCs? Could you also provide detail about AVC?

ausearch -m avc -i ts recent

LS
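The allow rule above is what a policy module built from the alerts would contain; what a practitioner wants before shipping it is the evidence behind it: which process, which object, how many times, and whether the denial was enforced. The following is an added example, not from this thread and not part of the SELinux tools, that parses raw `type=AVC` audit records (the kind `ausearch -m avc` returns), groups them by source type, target type and object class, and renders the allow rule that audit2allow would propose. The sample audit lines are constructed, modelled on the krb5kdc/pac denial in the subject line; pids, timestamps and inode numbers are made up.

```python
"""Triage SELinux AVC denials from raw audit records.

Added example for this thread (not from the thread or from the SELinux
tools): parse 'type=AVC' audit lines, group denials by source type,
target type and object class, and render the allow rule audit2allow
would propose, so the decision (local policy module, relabel, or bug
report) is made on the facts behind it.
"""
import re
from collections import defaultdict

# Constructed sample audit records, modelled on the denial in the
# subject line. Timestamps, pids and inode numbers are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1474110120.123:4521): avc:  denied  { write } for  pid=2318 comm="krb5kdc" name="pac" dev="dm-0" ino=263412 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1474110120.123:4521): arch=c000003e syscall=42 success=no exit=-13 pid=2318 comm="krb5kdc" exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1474110125.456:4522): avc:  denied  { write } for  pid=2318 comm="krb5kdc" name="pac" dev="dm-0" ino=263412 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1474110130.789:4523): avc:  denied  { connectto } for  pid=2318 comm="krb5kdc" path="/var/lib/sss/pipes/pac" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        # a context is user:role:type[:level]; policy rules are written on the type
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        'enforced': fields.get('permissive') == '0',
    }


def summarize(log_text):
    """Group denials by (source type, target type, class); union the permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0, 'comm': set(),
                                  'targets': set(), 'enforced': False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['source_type'], rec['target_type'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['count'] += 1
        g['comm'].add(rec['comm'])
        g['targets'].add(rec['target'])
        g['enforced'] = g['enforced'] or rec['enforced']
    return dict(groups)


def allow_rules(groups):
    """Render TE allow rules in the form audit2allow prints them."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = ' '.join(sorted(g['perms']))
        if len(g['perms']) > 1:
            perms = '{ %s }' % perms
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, perms))
    return rules


def report(log_text):
    """One line per proposed rule, annotated with the evidence behind it."""
    groups = summarize(log_text)
    lines = []
    for rule, (_, g) in zip(allow_rules(groups), sorted(groups.items())):
        lines.append('%s  # %d denial(s), comm=%s, target=%s, %s' % (
            rule, g['count'], ','.join(sorted(g['comm'])),
            ','.join(sorted(g['targets'])),
            'enforcing' if g['enforced'] else 'permissive only'))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AUDIT_LOG)))
```

Run against the sample, the second rule it prints is exactly the `allow krb5kdc_t sssd_var_lib_t:sock_file write;` line quoted above, and the annotation shows it was produced twice by `krb5kdc` against the `pac` socket in enforcing mode. Whether a denial deserves a local module or a bug report against the distribution policy depends on whether the target label (`sssd_var_lib_t` on a socket under /var/lib/sss/pipes) is the one the policy expects; the grouped view makes that question concrete.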
[Freeipa-users] SELinux is preventing /usr/sbin/krb5kdc from write access on the sock_file /var/lib/sss/pipes/pac.
before I drop above onto SELinux team - do you guys think SE should be doing that? Does it impair IPA in some ways?

many thanks
L.
Re: [Freeipa-users] how to revert ipa-adtrust-install...
On 15/09/16 22:37, Rob Crittenden wrote:
What do you mean control? If you don't want ipactl to manage the smb service, look for an entry in cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.

rob

all I find there is:

objectClass: nsContainer
objectClass: top
cn: masters
Re: [Freeipa-users] how to revert ipa-adtrust-install...
gee... I'd like to think that I'm not the only one who at some point, for whatever reason there might be, decides to have Samba freed from IPA. For me it's because I want my Samba to be a slave to AD and inter-domain trusts are impossible to use for administrative, bureaucratic reasons, but I absolutely need IPA (for it's a great piece of work) (both pieces of software on the same box).

On 16/09/16 16:05, Petr Vobornik wrote:
Out of curiosity: is there a partial broader use case behind this feature request?
Re: [Freeipa-users] how to revert ipa-adtrust-install...
I appreciate the fact that it might be a complex task, however a supported (CLI) way to, if not revert it all back to the pre-install state, then at least take samba out of IPA's hands would be nice to have. Would it be ok to leave the IPA+389-ds part as is and only change/reconfigure Samba? I believe so - if yes then a CLI option to achieve this would be very desirable. Rob's workaround only... "built-in".

many thanks

On 16/09/16 05:57, Alexander Bokovoy wrote:
So we decided to not perform 'ipa-adtrust-install --uninstall' as it makes no sense. If somebody is willing to uninstall 'ipa-adtrust-install', then they need to realize what they are doing as it would need to remove certain configuration in IPA LDAP because there are actual 389-ds plugins that depend on the configuration and work jointly with the ipasam module in Samba to provide a common setup. If 'ipasam' is missing, those modules also become useless.
Re: [Freeipa-users] how to revert ipa-adtrust-install...
is there any way to tell IPA not to control smb.service?

On 15/09/16 20:17, Alexander Bokovoy wrote:
On Thu, 15 Sep 2016, lejeczek wrote:
... in a sense so IPA would keep away from local smb services?

Not supported.
[Freeipa-users] how to revert ipa-adtrust-install...
... in a sense so IPA would keep away from local smb services?

many thanks
L.
Re: [Freeipa-users] ERROR CA configuration failed. - again
fortunately that was a VM and with the libvirt+qemu snapshot feature I reverted the filesystem to some older (prior to IPA) state, and yes... that was only that system's local problem.

On 09/09/16 18:49, Rob Crittenden wrote:
lejeczek wrote:
hi everybody,

looking at ipareplica-install.log:

raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG [error] RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

then at /var/log/pki/pki-tomcat/ca/system

I'd suggest looking at the debug log for more details.

0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

I cannot find anything more telling in the logs. Does it have anything to do with what's in /etc/httpd/alias/ ?

No.

I yum removed `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation pki-tomcat certmonger, rm dirs + reinstalled, yet I cannot find the root cause of this mess.

I seriously doubt the problem is local to the box.

rob
[Freeipa-users] ERROR CA configuration failed. - again
hi everybody,

looking at ipareplica-install.log:

raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG [error] RuntimeError: CA configuration failed.
2016-09-09T16:23:17Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

then at /var/log/pki/pki-tomcat/ca/system

0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [3] [3] Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate
0.localhost-startStop-1 - [09/Sep/2016:16:04:22 BST] [13] [3] authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value

I cannot find anything more telling in the logs. Does it have anything to do with what's in /etc/httpd/alias/ ?

I yum removed `rpm -qa ipa* 389*` pki-base krb5-pkinit krb5-server krb5-workstation pki-tomcat certmonger, rm dirs + reinstalled, yet I cannot find the root cause of this mess.

best regards
L.
[Freeipa-users] IPA's samba and samba non-domain clients
dear all

I'd like to ask you if it's possible to allow windows boxes that are not members of the domain to access samba shares? I see regular domain\users + password do not work. I'd have to do it even if it is not recommended and loosens up security. I realize it should be all AD and trusts but for now it is what it is.

many thanks.
L
[Freeipa-users] dns zone forward - no valid signature found
hi everybody

I think this was working some time ago, but for a while queries to IPA's DNS forwards wound up like this:

validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found
validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.dom/DS)
error (broken trust chain) resolving 'swir.my.dom/A/IN': 192.168.2.100#53

dig at IPA DNS and nothing, logs:

validating @0x7f85e0134880: my.dom SOA: no valid signature found
validating @0x7f85e0134880: my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: no valid signature found
validating @0x7f85e0134880: swir.my.dom NSEC: bad cache hit (swir.my.dom/DS)

I dig +dnssec directly at the receiving server and the result seems normal, no errors. IPA's dns is not dnsseced, is this the root of the problem? Or what else might be?

bw.
L
Re: [Freeipa-users] ipa server(master) and alternative name
On 06/07/16 13:57, Rob Crittenden wrote:
lejeczek wrote:
hi users,

I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to the fIPA master?

I don't see why not, they are just certs after all. You would need to be careful to get the certmonger tracking right but it should be doable.

I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, an A record that will be resolving to the three servers' IPs. Like eg. ipa-ca which seems to hold all servers' IPs. I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)

For what purpose, to make it easier for users to find the IPA server?

not IPA; the simplest thing: I'd like to use the same apache that IPA uses on all servers - a local yum repo to be served from/via dns round-robin.

but I feel I got off on the wrong foot there, I see with the ipa command:

ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

I assume you've already played with the certificates? The DNS change you made wouldn't cause this error.

no, actually I have not, I did not add a host nor a service nor a cert, there is no trace of "linux" anywhere, only the dns A record - to get rid of the error I have to remove that new host & restart IPA.

rob
Re: [Freeipa-users] how to make fIPA stick to only...
On 05/07/16 18:20, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Mon, 04 Jul 2016, lejeczek wrote:
On 04/07/16 07:59, Petr Spacek wrote:
On 1.7.2016 16:29, lejeczek wrote:
On 01/07/16 12:41, Petr Vobornik wrote:
On 06/30/2016 04:56 PM, lejeczek wrote:
... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?

many thanks,
L.

Hi L.

Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.

Thank you

gee, I thought my scenario would be quite common among users: take a box with more than one net if, or even multiple IPs - what would be nice to have is the fIPA webui residing/running only on that FQHN and that IP to which the hostname resolves. Eg, here is one single system:

box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2

currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP). I think it would be great to have this included (maybe as comments/options) in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?

I'm still trying to understand your use-case. Why exactly do you need to limit the web UI to one 'host name' while keeping it on the same box?

I'm sorry I cannot explain this better, in my mind it's really simple: if I installed an instance of IPA on ipa.my.dom.local and the system is a multi-homed/IP host, I'd like the webui to run only on that host/IP. This should not even be a matter of "imagine a situation where" but rather assume that IPAs are deployed on such installations and then - why would fIPA have to monopolize all the IPs/IFs there are? Me, I'd like to be able to use httpd under a root of the host's other FQHNs/IPs with other things.

Your IPA masters hold passwords and keys to your company's infrastructure. We recommend avoiding sharing the servers used for running IPA masters with any other applications because any compromise of those applications can and will be used for taking over your infrastructure, as you have so nicely given the keys to its heart by co-sharing the same system.

It is up to you how you make up your system defense. We as FreeIPA upstream developers put considerable effort into ensuring our default setup is secure enough to avoid such breaches. If you want to co-locate other applications, you need to understand what you are doing and how that affects your security. Effectively, you are on your own on this path.

FTR, I think this is mostly controlled in ipa-rewrite.conf. If the requested host is not the IPA host or the port is not 443 or the request is for / then ALL requests are redirected to https://IPAHOST/ipa/ui

This file should have enough comments to figure out what part is doing what if you wanted to tweak it.

I have to agree with Alexander though. Running multiple services on what should be the core of your infrastructure isn't recommended.

rob

I know chaps, yes, safety is when paranoia next to it together does look like normal wording, I understand. yes, that I think is the config and it seems that what controls this behaviour is that one rewrite rule. However, you must also realize that fIPA admins rarely install on separate, dedicated boxes; instead I believe these are "heavy, bulky" and fast and multi-role/connected systems. So having an easy way to control the fIPA webui config as an option (if not as default) is great, and it seems it's there.

thanks.
[Freeipa-users] ipa server(master) and alternative name
hi users,

I'd like to ask if it is possible to add (after deployment is finished) an AltSubjectName to the fIPA master?

I shall say what I'm hoping to achieve - having 3 servers I hope to have in IPA's DNS a host, an A record that will be resolving to the three servers' IPs. Like eg. ipa-ca which seems to hold all servers' IPs. I started with:

$ ipa dnsrecord-add private.my.dom.priv linux --a-ip-address 10.5.6.100 (which is master's IP)

but I feel I got off on the wrong foot there, I see with the ipa command:

ipa: ERROR: cert validation failed for... ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

can this be done?

many thanks,
L
[Freeipa-users] +dnssec in vendor repos - when?
seems like official repos, centos at least, lag a bit behind, currently it's 4.2.0 - question - does this support fully secure dns? if not, would devel know when we might be able to feed new/latest stable off the official repos?

many thanks,
L
Re: [Freeipa-users] how to make fIPA stick to only...
On 04/07/16 07:59, Petr Spacek wrote:
On 1.7.2016 16:29, lejeczek wrote:
On 01/07/16 12:41, Petr Vobornik wrote:
On 06/30/2016 04:56 PM, lejeczek wrote:
... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?

many thanks,
L.

Hi L.

Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.

Thank you

gee, I thought my scenario would be quite common among users: take a box with more than one net if, or even multiple IPs - what would be nice to have is the fIPA webui residing/running only on that FQHN and that IP to which the hostname resolves. Eg, here is one single system:

box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2

currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP). I think it would be great to have this included (maybe as comments/options) in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?

I'm still trying to understand your use-case. Why exactly do you need to limit the web UI to one 'host name' while keeping it on the same box?

I'm sorry I cannot explain this better, in my mind it's really simple: if I installed an instance of IPA on ipa.my.dom.local and the system is a multi-homed/IP host, I'd like the webui to run only on that host/IP. This should not even be a matter of "imagine a situation where" but rather assume that IPAs are deployed on such installations and then - why would fIPA have to monopolize all the IPs/IFs there are? Me, I'd like to be able to use httpd under a root of the host's other FQHNs/IPs with other things.

thanks
Re: [Freeipa-users] how to make fIPA stick to only...
On 01/07/16 12:41, Petr Vobornik wrote:
On 06/30/2016 04:56 PM, lejeczek wrote:
... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?

many thanks,
L.

Hi L.

Could you describe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you.

Thank you

gee, I thought my scenario would be quite common among users: take a box with more than one net if, or even multiple IPs - what would be nice to have is the fIPA webui residing/running only on that FQHN and that IP to which the hostname resolves. Eg, here is one single system:

box1.my.dom.local 10.10.1.1 (eg, I go to https://10.10.1.1/)
ipa.my.dom.local 10.10.1.2

currently I get fIPA's webui everywhere, but I'd like it to be only at ipa.my.dom.local 10.10.1.2 (either if I URL via hostname or IP). I think it would be great to have this included (maybe as comments/options) in Apache's configs of IPA future releases, if possible. Is it possible to construct such rules? Or is there a different, simpler way?

thanks!
[Freeipa-users] how to make fIPA stick to only...
... its own FQHN and its IP ?

hi users,

I'm fiddling with rewrites but being an amateur cannot figure it out, it's on a multi/home-IP box. Is it possible?

many thanks,
L.
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On 10/06/16 11:23, Alexander Bokovoy wrote:
On Fri, 10 Jun 2016, lejeczek wrote:
On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> hi everyone
>
> there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
>
> but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
>
> dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
>
> how to trace the culprit config responsible for this?

Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.

any chance this plugin gets included without user/admin intention, eg. during migrate-ds ?

The slapi-nis plugin is enabled by default when IPA is installed because the ou=sudoers tree is emulated by slapi-nis.

is it the ipa toolkit or do I have to go directly to ldap to de/activate plugin(s) ?

See ipa-compat-manage

I've set up another replica, configuration on the sssd and kdc side virtually identical, nsswitch too, ipa-compat-manage etc. No trust traces on both ends. Master still (after reboot and sss_cache cleanup) receives, or rather pulls, AD's users, whereas replica(s) don't. This is hilarious, but how is this possible?

I add a user @AD DC and on master I ldapsearch and the first few lines are:

dn: cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: compat

dn: cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: users

dn: uid=bootc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
gecos: ccnr boot
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzQ=
uidNumber: 1952401134
loginShell: /bin/bash
homeDirectory: /home/bootc...@ccnr.priv.my.dom.local
uid: bootc...@ccnr.priv.my.dom.local

dn: uid=testc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr tester
gidNumber: 1952400513
gecos: ccnr tester
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzM=
uidNumber: 1952401133
loginShell: /bin/bash
homeDirectory: /home/testc...@ccnr.priv.my.dom.local
uid: testc...@ccnr.priv.my.dom.local

could it be that the "compat" part happens only on master? I mean - should it only happen on master? (even though replicas use ipa-compat-manage)

regards,
L.
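The entries posted above carry the answer to where they come from, and to the later question in this thread of how to be sure it is slapi-nis serving them: `ipaAnchorUUID` is the anchor slapi-nis records for every compat entry, and LDIF shows it base64-encoded (`::`) only because the value starts with a colon. The following is an added example, not from this thread and not part of FreeIPA or SSSD, that reads such an LDIF dump, unfolds the wrapped lines, decodes the anchors and classifies each entry. It assumes the anchor formats `:SID:<AD SID>` (user resolved from AD through SSSD) and `:IPA:<domain>:<uuid>` (native IPA user), and that the AD users' POSIX IDs were produced by SSSD's algorithmic ID mapping (posix id = range base + RID, with the 200000-wide default slices). The two AD entries are the ones posted above (their elided `uid` values kept as posted); the third, native-IPA entry is constructed so both kinds are present.

```python
"""Classify entries from an LDIF dump of IPA's cn=compat tree by their
ipaAnchorUUID, which records where slapi-nis got the entry from.

Added example for this thread, not part of FreeIPA or SSSD.
Assumptions: anchors are ':SID:<sid>' for users SSSD resolved from AD
and ':IPA:<domain>:<uuid>' for native IPA users; AD POSIX ids follow
SSSD's algorithmic id-mapping (posix id = range base + RID).
"""
import base64
import re

# LDIF base64-encodes any value that starts with ':' (RFC 2849), which is
# why ipaAnchorUUID always appears in the 'attr:: <base64>' form.
_NATIVE_ANCHOR = base64.b64encode(
    b":IPA:priv.my.dom.local:3f0c1c2e-0000-4000-8000-000000000001").decode()

# First two entries as posted in the thread (uid values elided there);
# the third is a constructed native-IPA entry for contrast.
SAMPLE_LDIF = f"""\
dn: cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: extensibleObject
cn: users

dn: uid=bootc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr boot
gidNumber: 1952400513
gecos: ccnr boot
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzQ=
uidNumber: 1952401134
loginShell: /bin/bash
homeDirectory: /home/bootc...@ccnr.priv.my.dom.local
uid: bootc...@ccnr.priv.my.dom.local

dn: uid=testc...@ccnr.priv.my.dom.local,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: ipaOverrideTarget
objectClass: posixAccount
objectClass: top
cn: ccnr tester
gidNumber: 1952400513
gecos: ccnr tester
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0xMTQ0OTE1MDkxLTIyNTIxNzUyMTUtNzAyNTMwMDMyLT
 ExMzM=
uidNumber: 1952401133
loginShell: /bin/bash
homeDirectory: /home/testc...@ccnr.priv.my.dom.local
uid: testc...@ccnr.priv.my.dom.local

dn: uid=localuser,cn=users,cn=compat,dc=private,dc=ccnr,dc=priv,dc=my,dc=dom,dc=local
objectClass: posixAccount
objectClass: top
cn: Local User
gidNumber: 1500000001
ipaAnchorUUID:: {_NATIVE_ANCHOR}
uidNumber: 1500000001
loginShell: /bin/bash
homeDirectory: /home/localuser
uid: localuser
"""

SID_RE = re.compile(r'^S-1-5-21-\d+-\d+-\d+-(\d+)$')
DOMAIN_USERS_RID = 513        # well-known RID of "Domain Users"
IDMAP_RANGE_MIN = 200000      # SSSD ldap_idmap_range_min default
IDMAP_RANGE_SIZE = 200000     # SSSD ldap_idmap_range_size default


def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines (leading space),
    decode 'attr:: base64' values, return one {attr: [values]} dict per entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line or line.startswith('#'):
            continue
        attr, _, raw = line.partition(':')
        if raw.startswith(':'):               # base64 form
            value = base64.b64decode(raw[1:].strip()).decode('utf-8')
        else:
            value = raw.strip()
        if attr == 'dn':
            current = {'dn': [value]}
            entries.append(current)
        else:
            current.setdefault(attr, []).append(value)
    return entries


def classify(entry):
    """Describe the entry's origin from its anchor, or None if it has no anchor."""
    anchors = entry.get('ipaAnchorUUID')
    if not anchors:
        return None
    anchor, uid = anchors[0], entry['uid'][0]
    if anchor.startswith(':IPA:'):
        _, _, domain, uuid = anchor.split(':', 3)
        return {'uid': uid, 'origin': 'IPA', 'domain': domain, 'uuid': uuid}
    if anchor.startswith(':SID:'):
        sid = anchor[len(':SID:'):]
        m = SID_RE.match(sid)
        if not m:
            return {'uid': uid, 'origin': 'AD', 'sid': sid, 'rid': None}
        rid = int(m.group(1))
        range_base = int(entry['uidNumber'][0]) - rid
        return {
            'uid': uid, 'origin': 'AD', 'sid': sid, 'rid': rid,
            'range_base': range_base,
            # RID of the primary group under the same mapping (513 = Domain Users)
            'primary_group_rid': int(entry['gidNumber'][0]) - range_base,
            # True when the base lies on an SSSD id-mapping slice boundary
            'sssd_idmap_slice': (range_base - IDMAP_RANGE_MIN) % IDMAP_RANGE_SIZE == 0,
        }
    return {'uid': uid, 'origin': 'unknown', 'anchor': anchor}


def audit_compat_tree(ldif_text):
    """All anchored entries with their origin. AD-anchored ones are served on
    demand by slapi-nis through SSSD and are not replicated, which is why a
    replica configured differently from the master shows a different tree."""
    return [c for c in (classify(e) for e in parse_ldif(ldif_text)) if c]


if __name__ == '__main__':
    for row in audit_compat_tree(SAMPLE_LDIF):
        print(row)
```

On the posted entries the anchor decodes to `:SID:S-1-5-21-1144915091-2252175215-702530032-1134` and `...-1133`; the difference between each `uidNumber` and its RID is 1952400000, `gidNumber` minus that base is 513 (Domain Users), and the base sits exactly on a default SSSD id-mapping slice boundary. That is the fingerprint of an AD user that SSSD resolved and slapi-nis surfaced, rather than anything stored in the IPA tree or replicated.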
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On Fri, 2016-06-10 at 11:08 +0200, Sumit Bose wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
> >
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
> >
> > and funny(?) thing is that these users do not get replicated to IPA replicas.
>
> Did you remove the trust on the AD side as well? If not, SSSD running on the IPA server might still have valid credentials in a keytab in /var/lib/sss/db and is able to read the user data from AD.

nope, no agreements left @AD, I tried:

$ sss_cache -E -d ad.domain

but it segfaulted:

[1316003.857780] sss_cache[31028]: segfault at 0 ip 7fab730f434c sp 7fffbf576c10 error 4 in libsss_util.so[7fab730c8000+68000]

so that would be sssd actually pulling and inserting these entries in IPA's ldap?

many thanks,
L

> HTH
>
> bye,
> Sumit
>
> > many thanks,
> >
> > L
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On Fri, 2016-06-10 at 15:34 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > >
> > > > > there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
> > > > >
> > > > > but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
> > > > >
> > > > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > >
> > > > > how to trace the culprit config responsible for this?
> > > >
> > > > Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.
> > >
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish actual trust to AD and instead added an SSSD configuration to lookup AD users directly, then slapi-nis will happily ask SSSD for whatever users with @ in the name were requested by the LDAP clients and SSSD would look them up in AD.
> > but would entries from AD wind up in IPA's ldap?
> > I'm poking around and still am puzzled, I believe I've enabled nis on a replica but it's not doing it there, those AD users are not in IPA replica ldap whereas they exist on the master.
> They wouldn't be in LDAP tree.
>
> cn=compat is purely virtual and is not replicated. The tree is populated on demand and if your replica is configured differently to the master w.r.t. AD trust or SSSD, you'll get different results.

so it's square one then, I forget IPA replicas for now, only master, while I'm looking at https://git.fedorahosted.org/cgit/slapi-nis.git/plain/doc/nis-getting-started.txt

before I use ipa-compat-manage (to disable, to test) - where in the ldap config (or anywhere) does it say this plugin is on & working so I can be sure?

And flat configs for sssd & krb are virtually identical on both IPA master & replica, I just copied those manually to be sure, replica still has no AD user entries.
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > hi everyone
> > >
> > > there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
> > >
> > > but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
> > >
> > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > >
> > > how to trace the culprit config responsible for this?
> >
> > Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.
>
> Yes. If you enabled slapi-nis on IPA master but didn't establish actual trust to AD and instead added an SSSD configuration to lookup AD users directly, then slapi-nis will happily ask SSSD for whatever users with @ in the name were requested by the LDAP clients and SSSD would look them up in AD.

but would entries from AD wind up in IPA's ldap?
I'm poking around and still am puzzled, I believe I've enabled nis on a replica but it's not doing it there, those AD users are not in IPA replica ldap whereas they exist on the master.

> Not sure how useful is that at all but yes, this is a side-effect of slapi-nis features.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On Fri, 2016-06-10 at 13:24 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, lejeczek wrote:
> > On Fri, 2016-06-10 at 12:12 +0300, Alexander Bokovoy wrote:
> > > On Fri, 10 Jun 2016, Jakub Hrozek wrote:
> > > > On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > > > > hi everyone
> > > > >
> > > > > there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
> > > > >
> > > > > but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
> > > > >
> > > > > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> > > > >
> > > > > how to trace the culprit config responsible for this?
> > > >
> > > > Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.
> > >
> > > Yes. If you enabled slapi-nis on IPA master but didn't establish actual trust to AD and instead added an SSSD configuration to lookup AD users directly, then slapi-nis will happily ask SSSD for whatever users with @ in the name were requested by the LDAP clients and SSSD would look them up in AD.
> > >
> > > Not sure how useful is that at all but yes, this is a side-effect of slapi-nis features.
> > >
> > this is very freaking useful :) I was wondering how to get my radius there... and, ups, just like that, it was there, so thanks!
> There are no passwords in that tree.

maybe it's not slapi-nis then?

radius definitely works and checks/validates passwords. I'm looking at https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/migrating-from-nis.html trying to have this working on a replica now and I think it could not have been the nis plugin. Having it enabled, first IPA fails to start as 587 is already in use and master IPA also uses that port, also master does not show ypserv in rpcinfo.

How to be 100% sure it's slapi-nis? And if it is not then what else gets those AD users?

many thanks.
Re: [Freeipa-users] it's a weird one - how AD users get into IPA ?
On Fri, 2016-06-10 at 11:01 +0200, Jakub Hrozek wrote:
> On Fri, Jun 10, 2016 at 09:54:19AM +0100, lejeczek wrote:
> > hi everyone
> >
> > there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.
> >
> > but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.
> >
> > dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom
> >
> > how to trace the culprit config responsible for this?
>
> Check the DN, this is not the IPA tree (cn=account), but the compat tree (cn=compat) populated by the slapi-nis plugin. The intent is to make the AD users available to non-SSSD clients that can only use LDAP as an interface.
>

any chance this plugin gets included without user/admin intention, eg. during migrate-ds? Is there an ipa toolkit, or do I have to go directly to ldap to de/activate plugin(s)?
[Freeipa-users] it's a weird one - how AD users get into IPA ?
hi everyone

there is a master IPA which in some weird way puts AD users into its ldap catalog. I say weird cause there is no trust nor other sync established, there was a trust agreement, one way type, but now 'trust-find' shows nothing, that trust was removed.

but still when I create a user @AD DS a second later I see it in IPA's ldap, eg.

dn: uid=ccnrt...@ccnr.aaa.private.dom,cn=users,cn=compat,dc=private,dc=ccnr,dc=aaa,dc=private,dc=dom

how to trace the culprit config responsible for this? and funny(?) thing is that these users do not get replicated to IPA replicas.

many thanks, L
[Freeipa-users] IPA stack startup time - expected values?
hi users

I wonder if on a very minimal installation, still fresh with only ~20 test users and no other app/services using IPA, we have a time in mind that the IPA stack should take no longer than to start? I know it varies and may depend on quite a few variables.

Reason I wonder is because I have three replicas run on similar, modern hardware and on one of them freeRadius fails (unless I tell it to start after IPA) whereas on the others there is no problem. In other words one IPA takes longer, so it appears - unless it's freeRadius that should have no problem starting even if one of its backends is not available?

many thanks, L
[Freeipa-users] IPA to supply radius with a special user name - how?
hi users,

some network devices need and look up a special type of a user, in my case it's a dell powerconnect switch which - when it uses radius - needs, eg: $enable5$. Is this something that IPA will be ok with? Will I have no problems if I create such a user?

I don't suppose IPA has full support for radius attributes, right? or --addattr=STR is something for that? How does one create a radius-typical user?

many thanks, L.
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 06/06/16 12:42, Alexander Bokovoy wrote:
On Mon, 06 Jun 2016, lejeczek wrote:

SMB services with Kerberos require use of cifs/ service principal. Your keytab only has host/ keys, and your AD machine account for the does not have 'cifs/' SPN defined. The latter is what causes smbclient -k to fail -- AD DC doesn't know about 'cifs/' and refuses to issue a service ticket even before smbclient contacts Samba server.

Alexander, thanks! yes, cifs needs to be in keytab file, smbclient to itself (on smb server locally) works now with -k. I wonder - should it also work with only passwords? It does not, for me.

Users mapping concept (which I do not grasp completely yet) - when an AD client (win10) now gets to samba shares okay it is done with AD user credentials, win client sees share like: u...@my.dom which user is not IPA's user (there are no trusts, no syncing).

I don't know details of what you have configured. For IPA with trusts both Kerberos and passwords should work when Samba is running on IPA master. For IPA client, we have procedure defined for SSSD+Samba. For anything else only Kerberos would work.

I emailed (this thread) most of the configs, if not all, ~two emails ago, last Friday.

Now, when you say mapping - this would be winbind/smb translating/mapping AD's SIDs to match IPA's UIDs - which is/would be different from syncing users from AD => IPA, correct?

SIDs to UID/GID on the system. You seem to confuse a lot in your emails -- you are claiming that there is no IPA trust or sync in place yet you expect somehow things to magically work, I simply don't understand your situation to comment on it.

not magically, no, it's the same one box, IPA server and at the same time samba (non-IPA, might be why smbclient without kerberos does Not work) + sssd to an AD. And now after fixing keytabs all seems to work ok, and no winbind yet - thus my only question now is more about concepts, which - yes - I don't grasp fully.

Yes I confuse, the way I understand is: my linux box now has two separate user db backends, two different users catalogs, first one is IPA's and the second is AD's via sssd (which samba, being an AD's client, also uses) with no winbind at this point.

Last thing I wonder is that SIDs/UIDs mapping - one: do I want/need it? and if one then two: how to achieve it running a setup like mine?

Another thing, not having winbind in nsswitch (or not having it at all), but still having sssd using AD - should I be able to access the linux+sssd=>AD box with means like ssh? eg. ssh m...@my.dom@swir.private.my.dom (I think I had it working with winbind in nsswitch)

SSSD client as IPA client will work with passwords in AD but only if trust is established between IPA and AD.
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 03/06/16 15:22, Alexander Bokovoy wrote:
On Fri, 03 Jun 2016, lejeczek wrote:

hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10 clients' shares, all good except... smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

Do you run winbindd? samba in RHEL 7.2 as of now has a regression that if you don't run winbindd, current code forbids establishing anonymous secure channel connections to AD DCs as part of Badlock fixes. The regression is fixed upstream and RHEL 7.2 packages are currently being tested by Red Hat QE team. If you start winbindd, this should not affect you -- if the machine is enrolled into Active Directory domain. However, the Kerberos error below makes me thinking you have some problems on AD side as well.

no winbind, I hope to completely rely on sssd. I should mention that I'm fiddling with my sssd so it engages two providers, AD and IPA - and it seems to work, like I tried to describe, only that samba smbclient to itself is not working. thanks!

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]

The statement above says your KDC for PRIVATE.DOM does not know anything about cifs/swir.private.dom principal. Fix that problem and Kerberos authentication will be working.

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following the samba sssd wiki.

security = ads
realm = CCNR.DOM
workgroup = CCNR
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes

and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks, L.
Re: [Freeipa-users] a bit off topic- samba + sssd => AD
On 03/06/16 15:11, Sumit Bose wrote:
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote:

hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10 clients' shares, all good except... smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]

Which realm is PRIVATE.DOM? What does

$ klist -k -t /etc/krb5.swir.ccnr.keytab

return?

$ klist -k -t /etc/krb5.swir.ccnr.keytab
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp Principal
4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom
4 01/01/70 01:00:00 host/swir.private.ccnr@ccnr.dom

and swir runs samba, but I'm trying to sssd together AD & IPA, I should have mentioned. From a DNS perspective it's AD = ccnr.dom and IPA = private.ccnr.dom, everything seems to resolve OK, at both the @AD and @IPA ends.

And my sssd.conf:

ipa_hostname = swir.private.ccnr.dom
chpass_provider = ipa
ipa_server = swir.private.ccnr.dom
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
#krb5_keytab = /etc/krb5.private.ccnr.keytab

[domain/ccnr.dom]
ad_domain = ccnr.dom
krb5_realm = CCNR.DOM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
auth_provider = ad
krb5_keytab = /etc/krb5.swir.ccnr.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = private.ccnr.dom, ccnr.dom

[nss]
memcache_timeout = 600
homedir_substring = /home

--

AD DC (to whose shares smbclient @swir can get to) shows:

C:\Users\Administrator.CCNR-WINSRV1>setspn -L swir
Registered ServicePrincipalNames for CN=SWIR,OU=private,DC=ccnr,DC=dom:
cifs/swir.private.ccnr@ccnr.dom
host/swir.private.ccnr.dom
host/swir.private.ccnr@ccnr.dom
HOST/SWIR

like I said, getent and id see both domains. If I

$ kinit m...@ccnr.dom
$ klist
Ticket cache: KEYRING:persistent:0:krb_ccache_xoHU5iW
Default principal: m...@ccnr.dom
Valid starting Expires Service principal
03/06/16 16:37:06 04/06/16 02:37:06 krbtgt/ccnr@ccnr.dom

$ smbclient -L //$(hostname) -U m...@ccnr.dom -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private.ccnr@private.ccnr.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

what I see in the last one above is - cifs/swir.private.ccnr@private.ccnr.dom I've just realized, for some reason, and maybe a valid one, smbclient doesn't do - cifs/swir.private.ccnr@ccnr.dom which is in the keytabs.

but smbclient fails without -k which I understand should then use a password and should be sufficient to authenticate.

many thanks Sumit, L.

bye, Sumit

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following the samba sssd wiki.

security = ads
realm = CCNR.DOM
workgroup = CCNR
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes

and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks, L.
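The two symptoms discussed in this thread and in the follow-up with Alexander (a keytab holding only host/ keys, and smbclient asking for cifs/swir.private.ccnr@private.ccnr.dom rather than the CCNR.DOM principal) can both be surfaced with a small checker. This is an added example, not code from the thread or from Samba/SSSD: it parses `klist -k -t` style output plus a krb5.conf [domain_realm] mapping and reports whether the principal a client derives for a service is actually in the keytab. The keytab listing and the mapping are constructed to mirror the thread, and the exact principal spellings are assumptions, since the list archive mangled them.

```python
"""Check whether a keytab holds the principal a Kerberos client will request.

Added example (not from the mailing-list thread). Inputs are constructed:
a `klist -k -t` listing with host/ keys only, issued by the AD realm, and a
[domain_realm] mapping under which the Samba host's DNS name belongs to the
IPA realm. Principal spellings are assumed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed to mirror the thread's `klist -k -t /etc/krb5.swir.ccnr.keytab`.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.swir.ccnr.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
   4 01/01/70 01:00:00 host/swir.private.ccnr.dom@CCNR.DOM
"""

# Constructed: the same keytab after a cifs/ key for the AD realm was added.
FIXED_KLIST_OUTPUT = KLIST_OUTPUT + "   4 01/01/70 01:00:00 cifs/swir.private.ccnr.dom@CCNR.DOM\n"

# Assumed [domain_realm] section of an IPA-enrolled host's krb5.conf: the
# host's own DNS domain maps to the IPA realm, the parent domain to AD.
IPA_DOMAIN_REALM: Dict[str, str] = {
    ".private.ccnr.dom": "PRIVATE.CCNR.DOM",
    ".ccnr.dom": "CCNR.DOM",
}
# Assumed mapping on a plain AD-joined Samba host (no IPA realm at all).
AD_ONLY_DOMAIN_REALM: Dict[str, str] = {".ccnr.dom": "CCNR.DOM"}

# One keytab entry: KVNO, date, time, principal. Header/separator lines do not match.
_KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$")


def parse_keytab_listing(text: str) -> Set[str]:
    """Return the distinct principals found in `klist -k -t` output."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            found.add(m.group(1))
    return found


def realm_for_host(fqdn: str, mapping: Dict[str, str], default_realm: str) -> str:
    """Realm a client derives for a host name: longest matching [domain_realm] suffix wins."""
    best = ""
    for suffix in mapping:
        if fqdn.endswith(suffix) and len(suffix) > len(best):
            best = suffix
    # Simplification: with no match fall back to default_realm (real libkrb5
    # may also consult DNS or rely on KDC referrals).
    return mapping[best] if best else default_realm


def check_service(fqdn: str, service: str, keytab_text: str,
                  mapping: Dict[str, str], default_realm: str = "CCNR.DOM",
                  ) -> Tuple[str, bool, List[str]]:
    """Return (requested principal, present in keytab?, same SPN under another realm)."""
    principals = parse_keytab_listing(keytab_text)
    spn = f"{service}/{fqdn}"
    requested = f"{spn}@{realm_for_host(fqdn, mapping, default_realm)}"
    other_realm = sorted(p for p in principals
                         if p.split("@", 1)[0] == spn and p != requested)
    return requested, requested in principals, other_realm


if __name__ == "__main__":
    host = "swir.private.ccnr.dom"
    for label, keytab, mapping in (
        ("IPA mapping, original keytab", KLIST_OUTPUT, IPA_DOMAIN_REALM),
        ("AD-only mapping, original keytab", KLIST_OUTPUT, AD_ONLY_DOMAIN_REALM),
        ("AD-only mapping, cifs/ key added", FIXED_KLIST_OUTPUT, AD_ONLY_DOMAIN_REALM),
    ):
        req, ok, other = check_service(host, "cifs", keytab, mapping)
        print(f"{label}: wants {req}: {'present' if ok else 'MISSING'}"
              + (f" (keytab has {other})" if other else ""))
```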
[Freeipa-users] a bit off topic- samba + sssd => AD
hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10 clients' shares, all good except... smbclient @samba, in other words - to itself - fails

session setup failed: NT_STATUS_LOGON_FAILURE

and with smbclient -k

gss_init_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Server cifs/swir.private@private.dom not found in Kerberos database]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

here is a snippet from smb.conf which I thought has relevance, I set it up following the samba sssd wiki.

security = ads
realm = CCNR.DOM
workgroup = CCNR
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes

and in samba log:

domain_client_validate: Domain password server not available.

I've tried samba user list, dead silence.

many thanks, L.
Re: [Freeipa-users] IPA's own ptr record - unresolvable ?
On 03/06/16 08:06, Petr Spacek wrote:
On 2.6.2016 18:30, lejeczek wrote:

hi users, I do (all on IPA server)

$ host 10.5.6.100
Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)

I do:

$ host 10.5.6.17
17.6.5.10.in-addr.arpa domain name pointer ..

I do:

$ ipa dnsrecord-find 5.10.in-addr.arpa
Record name: @
NS record: rider.private.dom., swir.private.dom., work5.private.dom.
Record name: 19.10
PTR record: work1.private.dom.
Record name: 23.10
PTR record: work5.private.dom.
Record name: 100.6
PTR record: rider.private.dom.
Record name: 17.6
PTR record: dzien.private.dom.
Record name: 32.6
PTR record: swir.private.dom.
Number of entries returned 6

dig also finds these records. this is probably why replica fails with:

ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name resolution

must be something trivial?

Likely :-) It could have multiple reasons. E.g. DNS delegation from parent domain could be broken which could cause this etc.

Please try commands
$ dig -x PTR
and
$ dig -x SOA
and post their output, preferably without redacting it because the attempt to hide real names often hides the root cause. I will have a look.

hi Petr

I have to redact, but I do it programmatically. I think it happened after addition of the second (last) replica, I initially installed the server with 5.10.in-addr.arpa. Now I do:

$ ipa dnszone-find
Zone name: 5.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: rider.private.dom.
Administrator e-mail address: hostmaster.private.dom.
SOA serial: 1464884896
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

Zone name: 10.5.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: work5.private.dom.
Administrator e-mail address: hostmaster.private.dom.
SOA serial: 1464489313
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

Zone name: 6.5.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: swir.private.dom.
Administrator e-mail address: hostmaster.private.dom.
SOA serial: 1464880660
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

Zone name: private.dom.
Active zone: TRUE
Authoritative nameserver: rider.private.dom.
Administrator e-mail address: hostmaster.private.dom.
SOA serial: 1464884764
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
Allow query: any;
Allow transfer: none;

Number of entries returned 4

and I dug "any" type of record and misread it, there is no ptr record returned. I could not get how delegation can be involved here. It's IPA (rider is the first server) own 5.10.in-addr.arpa. And rider sees 10.5.6.32, 10.5.6.17 etc. but not its own record, which according to:

$ ipa dnsrecord-find 5.10.in-addr.arpa

exists:

Record name: 100.6
PTR record: rider.private.dom.

$ dig -x 10.5.6.100 +qr soa
;; QUESTION SECTION:
;100.6.5.10.in-addr.arpa. IN SOA
;; AUTHORITY SECTION:
6.5.10.in-addr.arpa. 0 IN SOA rider.private.dom. hostmaster.private.dom. 1464880660 3600 900 1209600 3600
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

$ dig -x 10.5.6.100 +qr ptr
;; QUESTION SECTION:
;100.6.5.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
6.5.10.in-addr.arpa. 3600 IN SOA rider.private.dom. hostmaster.private.dom. 1464880660 3600 900 1209600 3600
;; Query time: 1 msec
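The dig output above already points at the cause: the SOA in the authority section belongs to 6.5.10.in-addr.arpa., not to 5.10.in-addr.arpa., so the more specific zone created for the replica answers the query and the '100.6' record in the broader zone is never consulted. The following is an added example, not code from the thread or from FreeIPA, that models that zone selection (longest matching zone suffix) over the zone names and the 5.10.in-addr.arpa records shown in the thread; the contents of the two narrower zones are assumed.

```python
"""Why `host 10.5.6.100` returns NXDOMAIN although 5.10.in-addr.arpa holds
a '100.6' PTR record.

Added example (not from the mailing-list thread). The authoritative server
picks the most specific zone that contains the queried name; a record for
the same name in a less specific zone is shadowed. Zone names and the
5.10.in-addr.arpa records come from the thread; the contents of the two
narrower zones are assumptions.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed from `ipa dnszone-find` / `ipa dnsrecord-find` in the thread.
# Record names are relative to their zone, as the ipa CLI prints them.
ZONES: Dict[str, Dict[str, str]] = {
    "5.10.in-addr.arpa.": {
        "19.10": "work1.private.dom.",
        "23.10": "work5.private.dom.",
        "100.6": "rider.private.dom.",
        "17.6": "dzien.private.dom.",
        "32.6": "swir.private.dom.",
    },
    # Assumption: the replica-created zones hold only the replicas' own PTRs.
    "10.5.10.in-addr.arpa.": {"23": "work5.private.dom."},
    "6.5.10.in-addr.arpa.": {
        "17": "dzien.private.dom.",
        "32": "swir.private.dom.",
    },
}


def reverse_name(ip: str) -> str:
    """The in-addr.arpa owner name `dig -x` would query, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def relative_name(name: str, zone: str) -> str:
    """Owner name relative to the zone apex ('@' for the apex itself)."""
    if name == zone:
        return "@"
    return name[: -(len(zone) + 1)]


def authoritative_zone(name: str, zones: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Longest-suffix match: the most specific zone containing the name wins."""
    best: Optional[str] = None
    for zone in zones:
        contains = name == zone or name.endswith("." + zone)
        if contains and (best is None or len(zone) > len(best)):
            best = zone
    return best


def lookup_ptr(ip: str, zones: Dict[str, Dict[str, str]] = ZONES) -> dict:
    """Resolve a PTR the way the authoritative server does and report shadowing.

    'ptr' is None when the chosen zone has no record (NXDOMAIN);
    'shadowed_in' lists less specific zones that do hold a record for the
    name, which the server never consults once a narrower zone exists.
    """
    name = reverse_name(ip)
    zone = authoritative_zone(name, zones)
    if zone is None:
        return {"name": name, "zone": None, "ptr": None, "shadowed_in": []}
    ptr = zones[zone].get(relative_name(name, zone))
    shadowed: List[str] = [
        z for z in zones
        if z != zone and name.endswith("." + z) and relative_name(name, z) in zones[z]
    ]
    return {"name": name, "zone": zone, "ptr": ptr, "shadowed_in": shadowed}


def explain(ip: str) -> str:
    """One-line diagnosis, e.g. as a pre-flight check before ipa-replica-install."""
    r = lookup_ptr(ip)
    if r["zone"] is None:
        return f"{ip}: no reverse zone covers {r['name']}"
    if r["ptr"] is None:
        hint = f"; a record exists only in {', '.join(r['shadowed_in'])}" if r["shadowed_in"] else ""
        return f"{ip}: NXDOMAIN from {r['zone']}{hint}"
    return f"{ip}: {r['ptr']} (answered by {r['zone']})"


if __name__ == "__main__":
    for addr in ("10.5.6.100", "10.5.6.17", "10.5.10.19"):
        print(explain(addr))
```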
[Freeipa-users] IPA's own ptr record - unresolvable ?
hi users, I do (all on IPA server)

$ host 10.5.6.100
Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN)

I do:

$ host 10.5.6.17
17.6.5.10.in-addr.arpa domain name pointer ..

I do:

$ ipa dnsrecord-find 5.10.in-addr.arpa
Record name: @
NS record: rider.private.dom., swir.private.dom., work5.private.dom.
Record name: 19.10
PTR record: work1.private.dom.
Record name: 23.10
PTR record: work5.private.dom.
Record name: 100.6
PTR record: rider.private.dom.
Record name: 17.6
PTR record: dzien.private.dom.
Record name: 32.6
PTR record: swir.private.dom.
Number of entries returned 6

dig also finds these records. this is probably why replica fails with:

ipa.ipapython.install.cli.install_tool(Replica): ERROR Unable to resolve the IP address 10.5.6.100 to a host name, check /etc/hosts and DNS name resolution

must be something trivial?

many thanks, L.
Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
On 25/05/16 20:27, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 16:46, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:

hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca

installer fails at:

[10/23]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?

It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.

thanks Rob, I opened 8080/tcp (it was closed) but still a failure I get, a different error though:

[2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist

and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn: ERROR... server failed to restart
2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:

You need to look in those files/directories for more details. Dogtag doesn't return much on failures and we display what we have but all the real meat is in those logs.

can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does the installer complain about it being used and I have to change the port for the installer to start?

Because there is no easy way to determine what is using that port. If it is mod_ssl or some other web server instead then things go sideways pretty fast.

but will it all not break precisely because I have to change the port? I then take a glance and see https:/// only and the installer does not take that port into account, so how will the whole IPA work if nss listens on a non-standard port?

I'm not sure I follow. The installer will (or should) change nss.conf to listen on 443. The default is 8443. If you take a vanilla instance and install mod_ssl and mod_nss on it then Apache will listen on ports 443 and 8443. IPA requires mod_nss to listen on 443 so the install will fail. This is what we are trying to prevent. It isn't a mod_nss or mod_ssl issue but only one thing can listen on any given port. The installer looks at things just enough to detect that something might be wrong and it blows up so it can be manually addressed because whatever we did automatically would be wrong and potentially catastrophic for somebody's use case.

rob

when it fails with:

[1/24]: creating certificate server user
[2/24]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s'
[Freeipa-users] where the hell is that CA?
hi everybody

I'm trying to set up a replica but the process fails:

[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
ipa.ipapython.install.cli.install_tool(Replica): ERROR A CA is already configured on this system.

I've even removed all the .rpm I thought were relevant, reinstalled, but the problem persists.

many thanks, L.
[Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ?
hi people

I've noticed that --uninstall leaves httpd unable to restart. I think it's what was not cleaned up in /etc/httpd/alias. In logs I see:

[Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization failed. Certificate database: /etc/httpd/alias.
[Thu May 26 11:03:43.318113 2016] [:error] [pid 6930] SSL Library Error: -8177 The security password entered is incorrect

am I correct? Should the process not take care of that db?

regards L.
Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
On 25/05/16 16:46, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:

hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca

installer fails at:

[10/23]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

more from log:

2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database
2016-05-25T12:38:31Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain
chain = self.__get_ca_chain()
File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused
2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute

what might be the problem?

It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up.

thanks Rob, I opened 8080/tcp (it was closed) but still a failure I get, a different error though:

[2/23]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.

I noticed - /var/log/pki-ca-install.log does NOT exist

and log file:

Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.
2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
pkispawn: ERROR... server failed to restart
2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1
2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information:

You need to look in those files/directories for more details. Dogtag doesn't return much on failures and we display what we have but all the real meat is in those logs.

can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does the installer complain about it being used and I have to change the port for the installer to start?

Because there is no easy way to determine what is using that port. If it is mod_ssl or some other web server instead then things go sideways pretty fast.

but will it all not break precisely because I have to change the port? I then take a glance and see https:/// only and the installer does not take that port into account, so how will the whole IPA work if nss listens on a non-standard port?

regards

rob

I'm surprised the port checker didn't discover this if it is a firewall issue and that would be a bug (either the port not being checked or not using the proxy).

rob
Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
On 25/05/16 14:19, Rob Crittenden wrote: lejeczek wrote: hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca installer fails at: [10/23]: importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. more from log: 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain chain = self.__get_ca_chain() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused 2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute what might be the problem? It is failing getting the CA chain from dogtag. It uses port 8080 by default. I'd check your firewall and that the remote CA is up. 
thanks Rob, I opened 8080/tcp (it was closed) but still a failure I get, different error though: [2/23]: configuring certificate server instance ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1 ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki-ca-install.log ipa.ipaserver.install.cainstance.CAInstance: CRITICAL /var/log/pki/pki-tomcat [error] RuntimeError: CA configuration failed. I noticed - /var/log/pki-ca-install.log does NOT exist and log file: Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg. Installation failed. 2016-05-25T14:12:21Z DEBUG stderr=/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html InsecureRequestWarning) pkispawn: ERROR... server failed to restart 2016-05-25T14:12:21Z CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpY2oGh1'' returned non-zero exit status 1 2016-05-25T14:12:21Z CRITICAL See the installation logs and the following files/directories for more information: can I ask a question? - my nss.conf is pretty plain-vanilla, uses :443 - why does installer complain about it being used and I have to change the port for installer to start? I'm surprised the port checker didn't discover this if it is a firewall issue and that would be a bug (either the port not being checked or not using the proxy). rob
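The replica failure above ("[Errno 111] Connection refused" while fetching the CA chain, then a different failure after 8080/tcp was opened) is a reachability problem that Rob suggests checking by hand. The following is an added example, not code from the thread or from the FreeIPA project: a small pre-flight probe that tries a TCP connect to each port a replica needs on the master and classifies the outcome, so that a "refused" (nothing listening, or a REJECT firewall rule) is told apart from a "timeout" (a DROP rule or a routing problem). The port list is my own assumption for illustration; the thread itself only names 8080 for the Dogtag CA.

```python
import errno
import socket
from typing import Dict, Tuple

# Assumed set of services a new replica contacts on the existing master.
# The thread only mentions 8080 (Dogtag CA); the rest is a hypothetical list
# for this example and should be adjusted to the real deployment.
REPLICA_PORTS: Dict[str, int] = {
    "kerberos": 88,
    "ldap": 389,
    "ldaps": 636,
    "http": 80,
    "https": 443,
    "dogtag-ca": 8080,
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP-connect to host:port and return one of:
    'open', 'refused', 'timeout', 'unreachable'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN/ACK and no RST: typical of a DROP firewall rule or bad route.
        return "timeout"
    except OSError as exc:
        # RST came back: nothing is listening, or a REJECT rule answered.
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        return "unreachable"
    finally:
        sock.close()


def interpret(status: str) -> str:
    """Map a probe result to the diagnosis an installer log would not give."""
    if status == "open":
        return "reachable"
    if status == "refused":
        return ("connection refused: service not listening on the master "
                "or a REJECT firewall rule (matches [Errno 111])")
    if status == "timeout":
        return "no reply: DROP firewall rule or routing problem"
    return "network unreachable: check routes and DNS resolution"


def preflight(host: str,
              ports: Dict[str, int] = REPLICA_PORTS,
              timeout: float = 3.0) -> Dict[str, Tuple[int, str]]:
    """Probe every port and return {service: (port, status)}."""
    return {name: (port, probe(host, port, timeout))
            for name, port in ports.items()}


def demo() -> Tuple[str, str]:
    """Self-contained demonstration on loopback: open a listener, probe it,
    close it, probe again. Returns the two statuses ('open', 'refused')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Replace with the master's hostname in a real run.
    for name, (port, status) in preflight("ipa-master.example.test").items():
        print(f"{name:10s} {port:5d} {status:12s} {interpret(status)}")
    print("loopback demo:", demo())
```

Run it from the would-be replica before `ipa-replica-install`; a "refused" on 8080 reproduces exactly the error the installer printed, while a "timeout" points at a silently dropping firewall that the installer's own port check would not distinguish.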
[Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain
hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca installer fails at: [10/23]: importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. more from log: 2016-05-25T12:38:31Z DEBUG [10/23]: importing CA chain to RA certificate database 2016-05-25T12:38:31Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 418, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 408, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1015, in __import_ca_chain chain = self.__get_ca_chain() File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 997, in __get_ca_chain raise RuntimeError("Unable to retrieve CA chain: %s" % str(e)) RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused 2016-05-25T12:38:31Z DEBUG [error] RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused 2016-05-25T12:38:31Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute what might be the problem? many thanks, L.
[Freeipa-users] AD membership realmd way + samba?
hi users/devs I've poked around samba list but was suggested to ask sssd people, I thought IPA's might know as well. Having joined AD with realm - can samba take advantage of this membership? And if so then to what extent? many thanks, L.
[Freeipa-users] authconfig vs ipa-client-install
hi everybody, I'd like to ask how what an IPA installation does to a box relates to authconfig? I am specifically thinking of the fact that authconfig does not indicate that IPAv2 is used, on a box which is an IPA member/client. Is it because it is for some older IPA, that "v2"? If yes, then should authconfig not reflect somehow that IPA is configured and used? many thanks. L.
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Tue, 2016-05-17 at 09:19 -0400, Simo Sorce wrote: > On Tue, 2016-05-17 at 09:27 +0100, lejeczek wrote: > > On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > > > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > > > .. if possible, would you know? > > > > hi everybody, > > > > I'm trying, and hoping it is possible to realm join an AD but > > > > is > > > > such a > > > > way so I tap my IPA into specific OU within that AD. > > > > > > I'm not exactly sure what you mean here. Do you want to join a > > > computer > > > which is already a client in an IPA domain to AD as well? If this > > > is > > > the > > > case I would recommend to consider the IPA trust feature. Joining > > > 2 > > > domain is in general possible with SSSD but has to be done with > > > very > > > great care, e.g. by using different keytabs for each domain. > > Can IPA domain establish a trust between win AD if IPA admin only > > has > > admin control over an OU in win AD ? > > No, you need to be a Domain Admin with full privileges. many thanks Simo, when I try user who only has delegated admin/management over a OU I see: Active Directory domain administrator's password: ipa: ERROR: Insufficient access: CIFS server denied your credentials. Would joining an IPA server to winAD with realmd be kind of one way trust? Is it even possible(with no reasons against doing so) to join IPA server/domain to AD? I mean I did that and I could get AD users IDs but there was some problem with krb5, config got messed up and daemon would not start. > > > > I know very little about AD and only started with IPA - I don't suppose > > control of OU delegated to a user makes that user AD admin. > > > > > It doesn't. > > > > > > I guess what I'm thinking, asking, is - what would be the correct > > possible way to plug in, connect IPA domain to win AD when one has > > admin control only over a OU in win AD? 
> > > > > Not sure you can even do sync, there isn't really much you can do with > those privileges, you are basically just allowed to administer a > "group". > > Simo.
Re: [Freeipa-users] win2012 r2 and trust type = realm
On Tue, 2016-05-17 at 17:10 +0300, Alexander Bokovoy wrote: > On Tue, 17 May 2016, lejeczek wrote: > > hi users/devs > > > > I've used wiki pages to set AD - IPA trust, and it always ends up > > being > > realm type of trust (@ AD DC end) whereas wiki shows forest type. > > What am I doing wrong? > Probably because you are choosing wrong type of trust on AD side. > > Remove any trust with the same name as IPA on AD side and try to > create > the trust using 'ipa trust-add' command, as described in the wiki or > in > the documentation. > but ipa trust-add renders one-way type of trust, at least here for me, is this correct? I go to AD DC and see only one-way trust. > > > > I think I must be doing something wrong for having that trust > > established (or at least I think I have it) when @IPA end I do: > > > > $ kinit Administrator@ad_dom > > Password for Administrator@ad_dom: > > kinit: KDC reply did not match expectations while getting initial > > credentials > > > > This is unrelated. In Kerberos realm is supposed to be in UPPER CASE. If > you specified it in lower case, AD DC would accept that and would issue > a ticket with corrected principal name but 'kinit' utility would not > accept the changed principal. > > kinit Administrator@AD_DOM is what you would need to try. However, being > able to kinit as AD user from IPA machine has nothing to do with IPA - > AD trust.
[Freeipa-users] win2012 r2 and trust type = realm
hi users/devs I've used wiki pages to set AD - IPA trust, and it always ends up being realm type of trust (@ AD DC end) whereas wiki shows forest type. What am I doing wrong? I think I must be doing something wrong for having that trust established (or at least I think I have it) when @IPA end I do: $ kinit Administrator@ad_dom Password for Administrator@ad_dom: kinit: KDC reply did not match expectations while getting initial credentials regards L.
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On Fri, 2016-05-13 at 15:14 +0200, Sumit Bose wrote: > On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: > > .. if possible, would you know? > > hi everybody, > > I'm trying, and hoping it is possible to realm join an AD but in > > such a > > way so I tap my IPA into specific OU within that AD. > > I'm not exactly sure what you mean here. Do you want to join a > computer > which is already a client in an IPA domain to AD as well? If this is > the > case I would recommend to consider the IPA trust feature. Joining 2 > domains is in general possible with SSSD but has to be done with very > great care, e.g. by using different keytabs for each domain. Can IPA domain establish a trust with win AD if IPA admin only has admin control over an OU in win AD ? I know very little about AD and only started with IPA - I don't suppose control of OU delegated to a user makes that user AD admin. I guess what I'm thinking, asking, is - what would be the correct possible way to plug in, connect IPA domain to win AD when one has admin control only over a OU in win AD? many thanks L. > > > > The thing is - I'm thinking it would make user access control ideal > > from the start as I need only users from that OU, but also because I'm > > only granted access to the user/group who has control over that OU. > > I'm trying that but I see: > > > > ! The computer account RIDER already exists, but is not in the desired > > organizational unit. > > adcli: joining domain ccc.bb.aa failed: The computer account RIDER > > already exists, > > > > > Computer account names in AD must be unique even if they are added to > different OUs. So if there is already a computer called RIDER joined to > AD and it is not your computer you have to rename your computer to join. > If it is your computer and you want to create it in a different OU you > have to delete the old computer object first and then do a fresh join. > > HTH > > bye, > Sumit > > > > > > ! 
Failed to join the domain > > > > I'm doing this: > > $ realm join ccc.bb.aa --user=private-user --computer-ou=private > > > > and computer is in OU=private of ccc.bb.aa > > so is the user private-user > > > > many thanks. > > L
[Freeipa-users] IPA as subdomain, part of AD ?
hi users/devel I'm trying to grasp the concepts - can IPA be plugged into AD domain, be part of it as a subdomain? I'm guessing it'd be quite common scenario, I see wiki describes opposite arrangement, but how to have IPA as ipa.activedir.local whereas activedir.local is top domain of an enterprise? Would this still be - setting cross-domain trust? many thanks L.
Re: [Freeipa-users] a user delegated to control a OU and realmd join - how..
On 13/05/16 14:14, Sumit Bose wrote: On Wed, May 11, 2016 at 05:17:03PM +0100, lejeczek wrote: .. if possible, would you know? hi everybody, I'm trying, and hoping it is possible to realm join an AD but in such a way so I tap my IPA into specific OU within that AD. I'm not exactly sure what you mean here. Do you want to join a computer which is already a client in an IPA domain to AD as well? If this is the case I would recommend to consider the IPA trust feature. Joining 2 domains is in general possible with SSSD but has to be done with very great care, e.g. by using different keytabs for each domain. The thing is - I'm thinking it would make user access control ideal from the start as I need only users from that OU, but also because I'm only granted access to the user/group who has control over that OU. I'm trying that but I see: ! The computer account RIDER already exists, but is not in the desired organizational unit. adcli: joining domain ccc.bb.aa failed: The computer account RIDER already exists, Computer account names in AD must be unique even if they are added to different OUs. So if there is already a computer called RIDER joined to AD and it is not your computer you have to rename your computer to join. If it is your computer and you want to create it in a different OU you have to delete the old computer object first and then do a fresh join. hi Sumit, for me it did not work because of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1258488 HTH bye, Sumit ! Failed to join the domain I'm doing this: $ realm join ccc.bb.aa --user=private-user --computer-ou=private and computer is in OU=private of ccc.bb.aa so is the user private-user many thanks. 
L
[Freeipa-users] a user delegated to control a OU and realmd join - how..
.. if possible, would you know? hi everybody, I'm trying, and hoping it is possible to realm join an AD but in such a way so I tap my IPA into specific OU within that AD. The thing is - I'm thinking it would make user access control ideal from the start as I need only users from that OU, but also because I'm only granted access to the user/group who has control over that OU. I'm trying that but I see: ! The computer account RIDER already exists, but is not in the desired organizational unit. adcli: joining domain ccc.bb.aa failed: The computer account RIDER already exists, ! Failed to join the domain I'm doing this: $ realm join ccc.bb.aa --user=private-user --computer-ou=private and computer is in OU=private of ccc.bb.aa so is the user private-user many thanks. L
Re: [Freeipa-users] service cert to a host/member/service
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote: > lejeczek wrote: > > hi users, > > > > as one follows official docs and issues a certificate for a > > service/host, one wonders what is the correct way to move such a > > certificate to a host(which is domain member) ? > > I understand certificates issued with: > > > > $ ipa cert-request -add --principal > > > > are stored in ldap backend, (yet I don't quite get the difference > > between that tool and ipa-getcert). > > The first uses the IPA command-line to get a cert directly. ipa-getcert > uses certmonger. > > If you are getting a certificate for another host, particularly if > that > host isn't an IPA client, then the first form is the way to go. > > > How do I get such a certificate off the server and to a host-not-server? > > $ ipa cert-show <serial#> --out cert.pem > > > In my case I'm hoping to use this certificate in apache+nss. > > I realize I also will need CA certificate on that host, which I got > > hold > > of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's > > the > > right way? > > So in this case you'd want to generate the CSR on the host-not-server > using certutil. You'd take that CSR to the enrolled host and run ipa > cert-request ... > > Get a copy of the cert and get that and /etc/ipa/ca.crt to the Is this the only place where IPA's CA cert resides? I thought that that cert will be in /etc/dirsrv/slapd-MY-DOMAIN $ certutil -d /etc/dirsrv/slapd-MY.. gets me: MY-DOMAIN IPA CA CT,C,C Server-Cert u,u,u what is that IPA CA then? I also see the same with: $ certutil -d /etc/httpd/alias -L Is this the same one certificate? (including /etc/ipa/ca.crt) I get these with: ipa-getcert list I'm guessing these are set up by installer and to be managed by certmonger, for DS and web server for certificates auto management purposes? many thanks. > host-not-server. > > Use certutil to add both to your NSS database. 
> > rob
[Freeipa-users] service cert to a host/member/service
hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host(which is domain member) ? I understand certificates issued with: $ ipa cert-request -add --principal are stored in ldap backend, (yet I don't quite get the difference between that tool and ipa-getcert). How do I get such a certificate off the server and to a host-not-server? In my case I'm hoping to use this certificate in apache+nss. I realize I also will need CA certificate on that host, which I got hold of with certutil operated on /etc/dirsrv/slapd-MY-DOMAIN - if it's the right way? many thanks. L
[Freeipa-users] does ptr records an admin have to take care of manually?
hi, regular server install with --setup-dns then clients to follow, but I see there: Missing reverse record(s) for address(es): does that mean that by default server install process does not include reverse zones? These need to be set up manually/independently ? many thanks
Re: [Freeipa-users] certutil - how to delete an orphan key..
On 09/04/16 01:18, Fraser Tweedale wrote: On Fri, Apr 08, 2016 at 03:39:49PM -0400, Rob Crittenden wrote: Pawel Eljasz wrote: .. would anybody know? I realize this might be not the ideal place for such a question, sorry. thanks L I don't know that there is a way using a tool to delete a key from an NSS database. Why do you want to? It won't hurt anything. rob According to man page, to list contents of key database: certutil ... -K and to delete a particular key: certutil ... -F -n $KEY_ID well... https://bugzilla.redhat.com/show_bug.cgi?id=1144186 Cheers, Fraser