Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-29 Thread Lucas Yamanishi
On 08/20/2012 12:09 PM, Lucas Yamanishi wrote:
 On 08/20/2012 08:44 AM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/17/2012 08:38 AM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/16/2012 05:39 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/16/2012 05:32 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 I just migrated my IPA instance from one to another a couple days
 ago to
 recover after a lost CA and failed yum upgrade.  The ipa
 migrate-ds
 tool works very well, though I am having a few very minor
 issues.  On
 the upside, as far as I can tell, you can skip the steps about
 Kerberos
 key generation as outlined in the documentation.  I've been able to
 kinit just fine with my migrated users.


 Below are the few errors I've noticed.

 * When I ssh into an enrolled host using a migrated user's
 credentials I
 get this error:

   id: cannot find name for group ID 10463\

 Does a group exist with that GID? You can try something like:

 $ ipa group-find --gid=10463


 The group doesn't exist.  The GID is the counterpart to my UID.

 Try adding --private.

 rob


 Nope. It doesn't exist.

 Other groups migrated.  Why would the private groups fail?

 I don't know, what have you done to date, including versions?

 rob
 I've been following the stable Scientific Linux releases since 6.1.
 Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
 version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
 upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
 2.2.0-16.el6.x86_64.

 So...
 2.0.0-23.el6.x86_64 - 2.1.3-9.el6.x86_64 - 2.2.0-16.el6.x86_64 
 2.2.0-16.el6.x86_64



 Can you verify that managed entries are configured:

 # ipa-managed-entries -l

 It should return:

 UPG Definition
 NGP Definition

 This enables user-private groups and netgroup-private groups.

 rob
 Yes.  That returned as expected.
 

The why and how of this aside, is there any easy way to repopulate all
my private groups?

-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-29 Thread Rob Crittenden

Lucas Yamanishi wrote:

On 08/20/2012 12:09 PM, Lucas Yamanishi wrote:

On 08/20/2012 08:44 AM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/17/2012 08:38 AM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/16/2012 05:39 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/16/2012 05:32 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:

I just migrated my IPA instance from one to another a couple days
ago to
recover after a lost CA and failed yum upgrade.  The ipa
migrate-ds
tool works very well, though I am having a few very minor
issues.  On
the upside, as far as I can tell, you can skip the steps about
Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's
credentials I
get this error:

   id: cannot find name for group ID 10463\


Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=10463



The group doesn't exist.  The GID is the counterpart to my UID.


Try adding --private.

rob



Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?


I don't know, what have you done to date, including versions?

rob

I've been following the stable Scientific Linux releases since 6.1.
Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
2.2.0-16.el6.x86_64.

So...
2.0.0-23.el6.x86_64 - 2.1.3-9.el6.x86_64 - 2.2.0-16.el6.x86_64 
2.2.0-16.el6.x86_64




Can you verify that managed entries are configured:

# ipa-managed-entries -l

It should return:

UPG Definition
NGP Definition

This enables user-private groups and netgroup-private groups.

rob

Yes.  That returned as expected.



The why and how of this aside, is there any easy way to repopulate all
my private groups?



You'll need to use ldapmodify to achieve this, and add the missing 
values to each user and group separately. This should be relatively 
easily scriptable.


Here is what it looks like to convert a single user/group. I created it 
by adding the user with --gid=### and --noprivate, then creating a group 
of the same name and with the gid of the user.


$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com

modifying entry cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com

modifying entry uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
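
The per-user conversion shown above, scripted for a list of accounts. This is an added example, not part of the original message or of FreeIPA. It assumes, as in the description above, that a group with the same name and GID as each user already exists; the suffix dc=example,dc=com and the uid tuser2 are constructed sample values.

```shell
#!/bin/sh
# Added example: emit the two LDIF modify records from the session above
# for each uid, so the output can be reviewed before it is applied.
# Assumption: a group named after each user, with the user's GID, exists.

BASE_DN="dc=example,dc=com"   # constructed sample suffix

# upg_ldif NAME: print the group record and the user record for one account.
upg_ldif() {
    uid=$1
    # Refuse names that would need DN escaping or could break LDIF lines.
    case $uid in
        ''|*[!A-Za-z0-9._-]*)
            echo "skipping unsafe uid: $uid" >&2
            return 1 ;;
    esac
    user_dn="uid=$uid,cn=users,cn=accounts,$BASE_DN"
    group_dn="cn=$uid,cn=groups,cn=accounts,$BASE_DN"
    cat <<EOF
dn: $group_dn
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: $user_dn

dn: $user_dn
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: $group_dn

EOF
}

# upg_ldif_all NAME...: records for every uid; returns non-zero if any
# name was skipped, so a wrapper can stop before applying a partial set.
upg_ldif_all() {
    rc=0
    for u in "$@"; do
        upg_ldif "$u" || rc=1
    done
    return $rc
}

# Print the records for two sample accounts. After review, the same
# output can be piped to: ldapmodify -Y GSSAPI
upg_ldif_all tuser1 tuser2
```

Running the generated LDIF a second time fails on the add operations because the values already exist, so apply it only to accounts that have not been converted yet.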



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-20 Thread Rob Crittenden

Lucas Yamanishi wrote:


On 08/17/2012 08:38 AM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/16/2012 05:39 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/16/2012 05:32 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:

I just migrated my IPA instance from one to another a couple days
ago to
recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about
Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's
credentials I
get this error:

  id: cannot find name for group ID 10463\


Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=10463



The group doesn't exist.  The GID is the counterpart to my UID.


Try adding --private.

rob



Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?


I don't know, what have you done to date, including versions?

rob

I've been following the stable Scientific Linux releases since 6.1.
Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
2.2.0-16.el6.x86_64.

So...
2.0.0-23.el6.x86_64 - 2.1.3-9.el6.x86_64 - 2.2.0-16.el6.x86_64 
2.2.0-16.el6.x86_64




Can you verify that managed entries are configured:

# ipa-managed-entries -l

It should return:

UPG Definition
NGP Definition

This enables user-private groups and netgroup-private groups.

rob



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Jakub Hrozek
On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote:
 Hi,
 
 What is the default length of time the sssd daemon on a client caches for 
 once IPA is off line pls?
 

If the IPA provider is offline, we never remove anything from the cache, so
indefinitely.

If the provider is online, we cache for 90 minutes by default, then
refresh the entry.



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Rob Crittenden

Lucas Yamanishi wrote:


On 08/16/2012 05:39 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:


On 08/16/2012 05:32 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:

I just migrated my IPA instance from one to another a couple days
ago to
recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's
credentials I
get this error:

 id: cannot find name for group ID 10463\


Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=10463



The group doesn't exist.  The GID is the counterpart to my UID.


Try adding --private.

rob



Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?


I don't know, what have you done to date, including versions?

rob



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Lucas Yamanishi

On 08/17/2012 08:38 AM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/16/2012 05:39 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/16/2012 05:32 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 I just migrated my IPA instance from one to another a couple days
 ago to
 recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
 tool works very well, though I am having a few very minor issues.  On
 the upside, as far as I can tell, you can skip the steps about
 Kerberos
 key generation as outlined in the documentation.  I've been able to
 kinit just fine with my migrated users.


 Below are the few errors I've noticed.

 * When I ssh into an enrolled host using a migrated user's
 credentials I
 get this error:

  id: cannot find name for group ID 10463\

 Does a group exist with that GID? You can try something like:

 $ ipa group-find --gid=10463


 The group doesn't exist.  The GID is the counterpart to my UID.

 Try adding --private.

 rob


 Nope. It doesn't exist.

 Other groups migrated.  Why would the private groups fail?
 
 I don't know, what have you done to date, including versions?
 
 rob
I've been following the stable Scientific Linux releases since 6.1.
Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
2.2.0-16.el6.x86_64.

So...
2.0.0-23.el6.x86_64 - 2.1.3-9.el6.x86_64 - 2.2.0-16.el6.x86_64 
2.2.0-16.el6.x86_64


-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A




Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Stephen Gallagher
On Fri, 2012-08-17 at 11:42 +0200, Jakub Hrozek wrote:
 On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote:
  Hi,
  
  What is the default length of time the sssd daemon on a client caches for 
  once IPA is off line pls?
  
 
 If the IPA provider is offline, we never remove anything from the cache, so
 indefinitely.
 

One exception: if you've opted to use the offline_credentials_expiration
option in sssd.conf, then after the specified number of days, the user's
cached password (but none of his other information) will be removed from
the client.

 If the provider is online, we cache for 90 minutes by default, then
 refresh the entry.




[Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Steven Jones
Hi,

What is the default length of time the sssd daemon on a client caches for once 
IPA is off line pls?

Is there any practical way to take the user info from one ipa instance/domain 
and import it into another?  I know the client machines will have to have ipa 
un-installed and resetting users passwords are not biggees I'd just not rather 
have to input all the groups and hbac rules by hand.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Lucas Yamanishi
I just migrated my IPA instance from one to another a couple days ago to
recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's credentials I
get this error:

  id: cannot find name for group ID 10463

* I see this error in my dirsrv-EXAMPLE/errors log after changing a
password:

  [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
ipapwd_common.c, line 926]: failed to generate new password history!


-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/16/2012 05:00 PM, Steven Jones wrote:
 Hi,
 
 What is the default length of time the sssd daemon on a client caches for 
 once IPA is off line pls?
 
 Is there any practical way to take the user info from one ipa instance/domain 
 and import it into another?  I know the client machines will have to have ipa 
 un-installed and resetting users passwords are not biggees I'd just not 
 rather have to input all the groups and hbac rules by hand.
 
 regards
 
 Steven Jones
 
 Technical Specialist - Linux RHCE
 
 Victoria University, Wellington, NZ
 
 0064 4 463 6272
 
 




Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Rob Crittenden

Lucas Yamanishi wrote:

I just migrated my IPA instance from one to another a couple days ago to
recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's credentials I
get this error:

   id: cannot find name for group ID 10463\


Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=10463



* I see this error in my dirsrv-EXAMPLE/errors log after changing a
password:

   [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
ipapwd_common.c, line 926]: failed to generate new password history!


It is a red herring. The default is to have no password history, so we 
don't generate any, then we complain that none was made! I actually have 
a fix in my tree I plan to propose soon.


rob




-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/16/2012 05:00 PM, Steven Jones wrote:

Hi,

What is the default length of time the sssd daemon on a client caches for once 
IPA is off line pls?

Is there any practical way to take the user info from one ipa instance/domain 
and import it into another?  I know the client machines will have to have ipa 
un-installed and resetting users passwords are not biggees I'd just not rather 
have to input all the groups and hbac rules by hand.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Lucas Yamanishi

On 08/16/2012 05:32 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 I just migrated my IPA instance from one to another a couple days ago to
 recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
 tool works very well, though I am having a few very minor issues.  On
 the upside, as far as I can tell, you can skip the steps about Kerberos
 key generation as outlined in the documentation.  I've been able to
 kinit just fine with my migrated users.


 Below are the few errors I've noticed.

 * When I ssh into an enrolled host using a migrated user's credentials I
 get this error:

id: cannot find name for group ID 10463\
 
 Does a group exist with that GID? You can try something like:
 
 $ ipa group-find --gid=10463
 

The group doesn't exist.  The GID is the counterpart to my UID.



 * I see this error in my dirsrv-EXAMPLE/errors log after changing a
 password:

[15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
 ipapwd_common.c, line 926]: failed to generate new password history!
 
 It is a red herring. The default is to have no password history, so we
 don't generate any, then we complain that none was made! I actually have
 a fix in my tree I plan to propose soon.
 
 rob
 


 -
 *question everything*learn something*answer nothing*
 
 Lucas Yamanishi
 --
 Systems Administrator, ADNET Systems, Inc.
 NASA Space and Earth Science Data Analysis (606.9)
 7515 Mission Drive, Suite A100
 Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

 On 08/16/2012 05:00 PM, Steven Jones wrote:
 Hi,

 What is the default length of time the sssd daemon on a client caches
 for once IPA is off line pls?

 Is there any practical way to take the user info from one ipa
 instance/domain and import it into another?  I know the client
 machines will have to have ipa un-installed and resetting users
 passwords are not biggees I'd just not rather have to input all the
 groups and hbac rules by hand.

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272


 
 

-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A




Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Rob Crittenden

Lucas Yamanishi wrote:


On 08/16/2012 05:32 PM, Rob Crittenden wrote:

Lucas Yamanishi wrote:

I just migrated my IPA instance from one to another a couple days ago to
recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's credentials I
get this error:

id: cannot find name for group ID 10463\


Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=10463



The group doesn't exist.  The GID is the counterpart to my UID.


Try adding --private.

rob






* I see this error in my dirsrv-EXAMPLE/errors log after changing a
password:

[15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
ipapwd_common.c, line 926]: failed to generate new password history!


It is a red herring. The default is to have no password history, so we
don't generate any, then we complain that none was made! I actually have
a fix in my tree I plan to propose soon.

rob




-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/16/2012 05:00 PM, Steven Jones wrote:

Hi,

What is the default length of time the sssd daemon on a client caches
for once IPA is off line pls?

Is there any practical way to take the user info from one ipa
instance/domain and import it into another?  I know the client
machines will have to have ipa un-installed and resetting users
passwords are not biggees I'd just not rather have to input all the
groups and hbac rules by hand.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-16 Thread Lucas Yamanishi

On 08/16/2012 05:39 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:

 On 08/16/2012 05:32 PM, Rob Crittenden wrote:
 Lucas Yamanishi wrote:
 I just migrated my IPA instance from one to another a couple days
 ago to
 recover after a lost CA and failed yum upgrade.  The ipa migrate-ds
 tool works very well, though I am having a few very minor issues.  On
 the upside, as far as I can tell, you can skip the steps about Kerberos
 key generation as outlined in the documentation.  I've been able to
 kinit just fine with my migrated users.


 Below are the few errors I've noticed.

 * When I ssh into an enrolled host using a migrated user's
 credentials I
 get this error:

 id: cannot find name for group ID 10463\

 Does a group exist with that GID? You can try something like:

 $ ipa group-find --gid=10463


 The group doesn't exist.  The GID is the counterpart to my UID.
 
 Try adding --private.
 
 rob
 

Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?




 * I see this error in my dirsrv-EXAMPLE/errors log after changing a
 password:

 [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
 ipapwd_common.c, line 926]: failed to generate new password history!

 It is a red herring. The default is to have no password history, so we
 don't generate any, then we complain that none was made! I actually have
 a fix in my tree I plan to propose soon.

 rob



 -
 *question everything*learn something*answer nothing*
 
 Lucas Yamanishi
 --
 Systems Administrator, ADNET Systems, Inc.
 NASA Space and Earth Science Data Analysis (606.9)
 7515 Mission Drive, Suite A100
 Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

 On 08/16/2012 05:00 PM, Steven Jones wrote:
 Hi,

 What is the default length of time the sssd daemon on a client caches
 for once IPA is off line pls?

 Is there any practical way to take the user info from one ipa
 instance/domain and import it into another?  I know the client
 machines will have to have ipa un-installed and resetting users
 passwords are not biggees I'd just not rather have to input all the
 groups and hbac rules by hand.

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272





 
 

-- 
-
*question everything*learn something*answer nothing*

Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A


