Re: [Freeipa-users] How to handle users with multiple homedirs on different machines?

2015-06-04 Thread swartz
On Wed, Jun 3, 2015 at 12:29 AM, Lukas Slebodnik lsleb...@redhat.com
wrote:

> However sssd is available just on linux (or FreeBSD)
> I'm not sure which clients do you use on Solaris or other

Solaris would be configured via LDAP. RedHat appears to have a pretty good
guide for doing this.
Same goes for any other systems lacking sssd client or so I hope.



>> As an example, I have user Bob.
>> On a Linux box Bob has homedir at /home/b/bob
>                                          ^
> Unfortunately, there's no way to tell
> sssd to use just the first letter from the name.

Hmmm. Is it time for a feature request? Should this be directed to SSSD or
FreeIPA group?
override_homedir appears to have plenty of substitution options. This
wouldn't be a major change request.
For more flexibility, I think it would be nice to refer to an output of a
script for determining homedir overrides.


>> On a Solaris this is likely /export/home/bob
>> While on some other odd system it could be /mnt/nas/users/bob
> Different prefix for homedir /export/home, /home, /mnt/nas/users
> could be addressed with the option homedir_substring in sssd conf.
> https://fedorahosted.org/sssd/ticket/1853
>
> So you could store %H in ldap attribute,
> but clients need to understand such value.
> (sssd = 1.11.6). I'm not sure about other clients.

As there is no sssd client for Solaris, I think I may have found a
workaround via automounter as suggested by Coy Hile.
But that only solves the Solaris-specific homedir paths. In any case, I'm
further today than I was yesterday. Thank you.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] How to handle users with multiple homedirs on different machines?

2015-06-02 Thread swartz
I have an environment that spans across multiple physical locations where
there is a mix of Linux and Solaris workstations/servers. So far we've been
managing accounts (/etc/password) via Puppet.

Problem: FreeIPA allows storing only one homedir path.
Q: Is there a way to store/set a different home path based on the system
that the user is logged into?

As an example, I have user Bob.
On a Linux box Bob has homedir at /home/b/bob
On a Solaris this is likely /export/home/bob
While on some other odd system it could be /mnt/nas/users/bob

The contents in each of the above locations differs for Bob.

There are NAS boxes that hold data for specific groups that are mounted on
few machines only. We can't use NAS as central homedir storage for number
of reasons. Mounting exported filesystems as subdirs under main homedir
isn't an option either. Many odd-ball systems don't export their
filesystems. Mounting all homedirs locations isn't necessary on all
machines. Performance issues over network, etc., etc.

Is there a way to handle such a scenario as outlined above? I would welcome
any input/ideas.

Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-24 Thread swartz

On 9/24/2014 9:05 AM, Ade Lee wrote:

> Forwarding to a couple of colleagues of mine who will be taking point on
> this.
>
> From what I can see, the CS.cfg is truncated.  Fortunately, I believe it
> is reparable.
>
> Ade


I've been in contact with Endi and Ade. It was a truncated config file 
as per msg above.

Endi had emailed me a restored config.

I can happily say that my IPA instance is back in operation.

Thank you all.

For anyone else reading this:
For me this config truncation happened after a 'yum update'.
Perhaps shutting down the IPA stack before doing package updates might 
be more advisable.





Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-23 Thread swartz

On 9/22/2014 7:59 PM, Ade Lee wrote:

> If you scroll to the end of the CS.cfg, does it look like it has been
> truncated?

I'd have to say no. It doesn't look truncated to me. At least there are
no obvious signs. But then again I don't know everything that is supposed
to be there. I know that the line starting with
pkicreate.unsecure_port= isn't there, that's for sure. Hence why init
script fails to start PKI-CA.

> If you have backups of the CS.cfg, that will help.  Also, you could look
> for backups that we have created:

Sadly there were no backups. This was a test/dev VM with no backup policy.

> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*

I've replied to you directly with all CS.cfg* files I could find. Most
appear to be templates and not backups as per your message.

> Also, do you have a replica CA?

Yes and no.  The master was originally configured with a replica but the
test replica VM was not used after that and was shut down and removed.


PS. I replied to the wrong email. Ooops, sorry.



Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-22 Thread swartz


On 9/22/2014 9:14 AM, Ade Lee wrote:
> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

ls -l /etc/pki-ca/CS.cfg
-rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg

I know that I did NOT change the configs myself. But something certainly 
did during 'yum update'.
There are no .rpmsave or .rpmnew files that would typically be created 
if configs are properly marked in RPM spec file.


There are two other files that exist though:
-rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
-rw-rw. 1 pkiuser pkiuser 65955 Sep  5  2013 CS.cfg.in.p33

However, they are not usable either in place of current CS.cfg.



> There have been no updates recently on rhel 6 to the pki packages.
> There has, however, been an update to tomcat - which broke dogtag
> startups.
>
> What version of tomcat6 is on your system?

rpm -qa tomcat6
tomcat6-6.0.24-78.el6_5.noarch




[Freeipa-users] PKI-CA fails to start (broken config after update?)

2014-09-19 Thread swartz

Hello,

Encountered same issue as described here:
https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html

Plain vanilla IPA setup. No changes, no customizations.
Recently IPA fails to start. Error happened right after a 'yum update' 
and reboot.


---
Starting pki-ca:   [  OK  ]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
...
Failed to start CA Service
Shutting down


Digging into the matter further...
The line that causes the error above is in 
/usr/share/pki/scripts/functions (which is loaded by pki-ca init script):

netstat -antl | grep ${port} > /dev/null

The $port variable is blank so call to grep is without a search 
parameter. Hence invalid call to grep and subsequent error msg I'm 
seeing as above.


$port is defined just a few lines above as
port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | cut -b25- -`


BUT! For whatever reason there is no line that starts with 
pkicreate.unsecure_port in $pki_instance_configuration_file 
(/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for 
use in grep.


Why there is no such line in config file where one is expected is 
unknown to me...


Versions currently installed
ipa-server-3.0.0-37.el6.x86_64
pki-ca-9.0.3-32.el6.noarch

Did updates to pki packages clobber the configs? What got broken? How do 
I resolve it?


Thank you.


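The failure described in the message above (a blank $port reaching grep because CS.cfg has no pkicreate.unsecure_port line), shown as an added example that is not part of the original post or of the pki-ca scripts: the key is read, validated as a port, and a truncated file is reported instead of producing a grep usage error. The function names, the sample file contents and the port value 9180 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the pki-ca init script. Sample data below is constructed.

# get_cfg_value FILE KEY: print the value of the first literal "KEY=" line.
get_cfg_value() {
    [ -r "$1" ] || return 1
    # "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while IFS= read -r cfg_line || [ -n "$cfg_line" ]; do
        case $cfg_line in
            "$2="*) printf '%s\n' "${cfg_line#*=}"; return 0 ;;
        esac
    done < "$1"
    return 2
}

# valid_port VALUE: succeed only for an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ca_port FILE: print the configured port, or explain why it cannot be used.
ca_port() {
    port=$(get_cfg_value "$1" pkicreate.unsecure_port) || {
        echo "$1: pkicreate.unsecure_port not found (unreadable or truncated?)" >&2
        return 2
    }
    valid_port "$port" || { echo "$1: invalid port '$port'" >&2; return 3; }
    printf '%s\n' "$port"
}

# port_listening PORT: read "netstat -antl" output on stdin. The value is
# validated and quoted, so an empty pattern can never reach grep.
port_listening() {
    valid_port "$1" || return 2
    grep -Eq -- ":$1[[:space:]].*LISTEN"
}

# Constructed samples: a complete config and one cut off mid-line.
demo_dir=$(mktemp -d)
printf 'sample.key=1\npkicreate.unsecure_port=9180\n' > "$demo_dir/good.cfg"
printf 'sample.key=1\npkicreate.unsec' > "$demo_dir/truncated.cfg"
sample_netstat='tcp  0  0 0.0.0.0:9180  0.0.0.0:*  LISTEN'

if p=$(ca_port "$demo_dir/good.cfg") && printf '%s\n' "$sample_netstat" | port_listening "$p"
then echo "good.cfg: port $p is listening"; fi
ca_port "$demo_dir/truncated.cfg" || echo "truncated.cfg: refused, status $?"
```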