Re: [Freeipa-users] Do we need ipa-client-update script?
On 09/22/2012 01:22 AM, Sigbjorn Lie wrote:
> On 09/21/2012 10:45 AM, Petr Spacek wrote:
>> Hello users,
>> we have a question for client machine administrators:
>>
>> On 09/21/2012 10:12 AM, Martin Kosek wrote:
>>> snip
>>> ..., that it may be useful to implement a script like ipa-client-update which would be capable of updating client information (and could be entered in a cron for example) without a need to re-enroll client. Such script could for example:
>>> * update SSH keys of the client
>>> * update a list of IPA DNS servers in #3095
>>> * ...
>>>
>>> Martin
>>
>> Would it be useful at all? What other information should updater maintain?
>>
>> Ad https://fedorahosted.org/freeipa/ticket/3095: IMHO DNS configuration on client side is job for DHCP or Puppet. Isn't it?
>
> A client update script for SSH keys setup etc has crossed my mind too. Such a script would be useful, however the various updates should be available as separate options to the command so the admin can choose between applying some options or all options. A --update-all could be used as a place holder for updating the whole collection of options.

Right, this would be the preferred way to implement the CLI.

> As far as #3095 goes, updating the DNS client configuration is a job for DHCP or Puppet/CFengine. SSSD is very much dependent on DNS to work. I don't see why SSSD should be able to change the system's DNS servers, possibly rendering itself useless.

The idea was to implement a script that could be used for example in cron on client machines, i.e. not related to sssd. The script would be able to pull a list of IPA DNS servers just by querying the LDAP. Though, you may be right that it would rather be a job for DHCP/Puppet/CFEngine.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] sudden ipa errors.
Hello Nathan,

you can file the bug on Red Hat Bugzilla (bugzilla.redhat.com), you can use this link:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%206

Thanks in advance!
Martin

On 09/21/2012 05:53 PM, Nathan Lager wrote:
> Sure thing, can you point me to where I'd do so? I usually have this sort of thing taken care of via a RedHat support ticket. And the support rep creates the bug report.
>
> On 09/21/2012 11:19 AM, Dmitri Pal wrote:
>> That might be worthy of a bug report. Can you please file one?
Re: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
Hi Rich,

Thanks for the help. We have tried your suggestion below, however the problem still persists:

systemctl status dirsrv.service
dirsrv.service
          Loaded: error (Reason: No such file or directory)
          Active: inactive (dead)

[root@fileserver2 ~]# ipactl status
Directory Service: STOPPED
Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused

Any other suggestions/advice would be greatly appreciated.

Thank you,
-Ikaro

On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 09/20/2012 08:53 AM, Ikaro Silva wrote:
>> Hi Rich,
>> We did not upgrade from a previous version, this is our original master server (but we do have 2 other replications of this one). The architecture is
>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 i686 i386 GNU/Linux
>
> ok - try this:
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
> you will need to use db2ldif.pl -r to create a replica init ldif file from one of your good replicas, copy this file to the machine with the bad replica, and use ldif2db to reinitialize it. You use db2ldif.pl on the replica because you can perform this operation while the server is running. You use ldif2db on the bad replica because you can't start the server. Note that due to selinux restrictions, you have to use /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory.
>
>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote:
>>>> Hi Everyone,
>>>> I am new to IPA and I am trying to start the IPA service but I get the following error message:
>>>>
>>>> ipactl start
>>>> Starting Directory Service
>>>> Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
>>>> Shutting down
>>>
>>> What platform? Did you upgrade from a previous version? Do you have another master that you could use to reinit this one from?
>>>
>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the following messages:
>>>>
>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin Multimaster Replication Plugin
>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin Multimaster Replication Plugin
>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin dependencies
>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version Replication is not started
>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Legacy Replication Plugin is not started
>>>> [20/Sep/2012:10:08:59 -0400] - Error: object plugin Multimaster Replication Plugin is not started
>>>>
>>>> Has anyone experienced similar problems or have suggestions on how to fix these errors?
>>>>
>>>> Thank you,
>>>> -Ikaro
Re: [Freeipa-users] errors when one ipa server down
On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote:
> On 09/19/2012 12:11 PM, Jakub Hrozek wrote:
>> On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote:
>>> On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote:
>>>> On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote:
>>>>> On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote:
>>>>>> On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote:
>>>>>>> [root@ipaserver2 ~]ifdown eth0        # NOTE: ipaserver2 is 172.16.112.8
>>>>>>> [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike
>>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[2] locate_service[1]
>>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[2]
>>>>>>> [sssd_krb5_locator] [172.16.112.8] used
>>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>>>>> [sssd_krb5_locator] sssd_krb5_locator_init called
>>>>>>> [sssd_krb5_locator] Found [172.16.112.8] in [/var/lib/sss/pubconf/kdcinfo.MPLS.LOCAL].
>>>>>>> [sssd_krb5_locator] sssd_realm[MPLS.LOCAL] requested realm[MPLS.LOCAL] family[0] socktype[1] locate_service[1]
>>>>>>> [sssd_krb5_locator] addr[172.16.112.8:88] family[2] socktype[1]
>>>>>>> [sssd_krb5_locator] [172.16.112.8] used
>>>>>>> [sssd_krb5_locator] sssd_krb5_locator_close called
>>>>>>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while getting initial credentials
>>>>>>>
>>>>>>> Jakub, does this make sense to you?
>>>>>>
>>>>>> As stated elsewhere in this thread, bare kinit does not contact the SSSD at all. You want to go through the PAM stack (with su - mike or ssh mike@ipaclient) in order to contact the SSSD so that the SSSD refreshes the file.
>>>>>
>>>>> Does using su - mike refresh the file?
>>>>>
>>>>> When performing an 'su - mike' I will occasionally see a short delay (~2 seconds) when bringing the interfaces up and down on the servers. e.g.
>>>>>
>>>>> [root@ipaclient sssd]# su - mike
>>>>
>>>> ^^ Sorry, but can you re-run the test again and either su from another non-root user or ssh into the client for instance? The reason is that performing su as root would not contact the SSSD at all either. The default PAM configuration for su includes pam_rootok.so which just returns PAM_SUCCESS if the user who performs su has UID=0.
>>>
>>> Hello,
>>>
>>> [mike@ipaclient ~]$ su - eric
>>> Password:                   # NOTE: no delay
>>> [eric@ipaclient ~]$ exit
>>> logout
>>>
>>> [root@ipaserver ~]ifdown eth0
>>>
>>> [mike@ipaclient ~]$ su - eric
>>> Password:                   # NOTE: there is a delay here, ~5 seconds
>>> [eric@ipaclient ~]$ exit
>>> logout
>>>
>>> [root@ipaserver ~]ifup eth0
>>> [root@ipaserver2 ~]ifdown eth0
>>>
>>> [mike@ipaclient ~]$ su - eric
>>> Password:                   # NOTE: no delay
>>> [eric@ipaclient ~]$ exit
>>> logout
>>>
>>> [root@ipaserver ~]ifdown eth0
>>> [root@ipaserver2 ~]ifup eth0
>>>
>>> [mike@ipaclient ~]$ su - eric
>>> Password:                   # NOTE: no delay
>>> [eric@ipaclient ~]$ exit
>>> logout
>>>
>>> There does not appear to be any problems when doing an su -.
>>
>> I agree. I think that the SSSD fails over just fine.
>>
>>> An additional note is that the ipaclient system had been sitting idle all night. Right before starting this test, I had to unlock the workstation.
>>
>> The unlock (if performed through GDM at least) would trigger an auth and by extension going online/offline. What I suspect was happening is that the kinit just contacted a KDC that was present in the kdcinfo files, but down without the Kerberos libraries knowing it was down -- and without a mechanism to tell the SSSD to go and try another server. We're tracking this as a future enhancement.
>
> Do you have a ticket handy?

We discussed doing it as part of https://fedorahosted.org/sssd/ticket/941 which might add a new responder.

Thank you for testing, Mike!

> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
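An added example (mine, not from Jakub, Michael or the SSSD project): the check an admin would want after reading this thread is whether the KDC address SSSD left in its kdcinfo file is still reachable, because a bare kinit trusts that file and never asks SSSD to fail over. The path /var/lib/sss/pubconf/kdcinfo.REALM is the one shown in Michael's locator output; the port probe with nc (or bash's /dev/tcp as a fallback) and the "address:port" parsing are my assumptions about the file layout, and IPv6 entries are not handled. The test feeds a constructed kdcinfo file, not a real one.

```shell
#!/bin/sh
# Check the KDC addresses SSSD recorded for a realm and report the ones that
# are down. Directory can be overridden for testing.
KDCINFO_DIR="${KDCINFO_DIR:-/var/lib/sss/pubconf}"

# Print the non-empty lines of kdcinfo.REALM (one KDC per line, "addr" or
# "addr:port"). Fails if SSSD has not written the file yet.
kdcinfo_entries() {
    file="$KDCINFO_DIR/kdcinfo.$1"
    [ -r "$file" ] || { echo "no kdcinfo file for realm $1 at $file" >&2; return 1; }
    grep -v '^[[:space:]]*$' "$file"
}

# Split an entry into host and port; the Kerberos default port is 88.
kdcinfo_host() { printf '%s\n' "${1%%:*}"; }
kdcinfo_port() {
    case "$1" in
        *:*) printf '%s\n' "${1##*:}" ;;
        *)   printf '88\n' ;;
    esac
}

# TCP probe of one KDC with a 2 second timeout (assumed tooling: nc, else bash).
kdc_reachable() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 2 "$1" "$2" >/dev/null 2>&1
    else
        timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# Report every recorded KDC; return 1 if any of them is unreachable, which is
# the situation where kinit fails even though SSSD itself can still fail over.
check_realm_kdcs() {
    realm="$1"; bad=0
    for entry in $(kdcinfo_entries "$realm"); do
        host="$(kdcinfo_host "$entry")"; port="$(kdcinfo_port "$entry")"
        if kdc_reachable "$host" "$port"; then
            printf '%s:%s reachable\n' "$host" "$port"
        else
            printf '%s:%s UNREACHABLE (kinit will fail until SSSD rewrites kdcinfo)\n' "$host" "$port"
            bad=1
        fi
    done
    return $bad
}

# Only probe when a realm is passed on the command line; otherwise the
# functions are merely defined so they can be sourced or tested.
if [ $# -ge 1 ]; then
    check_realm_kdcs "$1"
fi
```

If the script reports an unreachable KDC, the fix that matches Jakub's explanation is to trigger an authentication that goes through SSSD (an ssh login or an su from a non-root user), not another kinit; as he notes, su run by root is short-circuited by pam_rootok.so and does not reach SSSD either.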
Re: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
On Mon, 24 Sep 2012, Ikaro Silva wrote:
> Hi Rich,
>
> Thanks for the help. We have tried your suggestion below, however the problem still persists:
>
> systemctl status dirsrv.service

There is no dirsrv.service. dirsrv instances are arranged in the following setup:

- there is dirsrv.target that is used to start and stop all instances at the same time
- there are dirsrv@INSTANCE-NAME.service services for specific instances where INSTANCE-NAME is REALM with dots replaced by -.

IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you want to start/stop them all, use

systemctl stop dirsrv.target
systemctl start dirsrv.target

For status you need to check specific instances.

systemctl status dirsrv@REALM.service

# systemctl status dirsrv@IPA-LOCAL.service
dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL.
          Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
          Active: active (running) since Mon, 24 Sep 2012 11:53:04 +0300; 5h 31min ago
         Process: 684 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
        Main PID: 688 (ns-slapd)
          CGroup: name=systemd:/system/dirsrv@.service/IPA-LOCAL
                  └ 688 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-IPA-LOCAL -i /var/run/dirsrv/slapd-IPA-LOCAL.pid -w /var/run/dirs...

> dirsrv.service
>           Loaded: error (Reason: No such file or directory)
>           Active: inactive (dead)
>
> [root@fileserver2 ~]# ipactl status
> Directory Service: STOPPED
> Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
>
> Any other suggestions/advice would be greatly appreciated.
>
> Thank you,
> -Ikaro
>
> On Thu, Sep 20, 2012 at 10:59 AM, Rich Megginson <rmegg...@redhat.com> wrote:
>> On 09/20/2012 08:53 AM, Ikaro Silva wrote:
>>> Hi Rich,
>>> We did not upgrade from a previous version, this is our original master server (but we do have 2 other replications of this one). The architecture is
>>> Linux 3.4.9-2.fc16.i686.PAE #1 SMP Thu Aug 23 18:41:34 UTC 2012 i686 i686 i386 GNU/Linux
>>
>> ok - try this:
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Initializing_Consumers.html#Initializing_Consumers-Manual_Consumer_Initialization_Using_the_Command_Line
>> you will need to use db2ldif.pl -r to create a replica init ldif file from one of your good replicas, copy this file to the machine with the bad replica, and use ldif2db to reinitialize it. You use db2ldif.pl on the replica because you can perform this operation while the server is running. You use ldif2db on the bad replica because you can't start the server. Note that due to selinux restrictions, you have to use /var/lib/dirsrv/slapd-DOMAIN/ldif as the export and import directory.
>>
>>> On Thu, Sep 20, 2012 at 10:16 AM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>> On 09/20/2012 08:10 AM, Ikaro Silva wrote:
>>>>> Hi Everyone,
>>>>> I am new to IPA and I am trying to start the IPA service but I get the following error message:
>>>>>
>>>>> ipactl start
>>>>> Starting Directory Service
>>>>> Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
>>>>> Shutting down
>>>>
>>>> What platform? Did you upgrade from a previous version? Do you have another master that you could use to reinit this one from?
>>>>
>>>>> When I cat the /var/log/dirsrv/slapd-ECG-MIT-EDU/errors I get the following messages:
>>>>>
>>>>> [20/Sep/2012:10:08:53 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
>>>>> [20/Sep/2012:10:08:54 -0400] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>>>>> [20/Sep/2012:10:08:57 -0400] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which should be added before the CoS Definition.
>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
>>>>> [20/Sep/2012:10:08:58 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
>>>>> [20/Sep/2012:10:08:58 -0400] - Failed to start object plugin Multimaster Replication Plugin
>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version
>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - cl5Open: failed to open changelog
>>>>> [20/Sep/2012:10:08:59 -0400] NSMMReplicationPlugin - changelog program - changelog5_init: failed to start changelog at /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
>>>>> [20/Sep/2012:10:08:59 -0400] - Failed to start object plugin Multimaster Replication Plugin
>>>>> [20/Sep/2012:10:08:59 -0400] - Error: Failed to resolve plugin dependencies
>>>>> [20/Sep/2012:10:08:59 -0400] - Error: preoperation plugin IPA Version Replication is not
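An added example (mine, not Alexander's or the FreeIPA project's) that turns the instance-naming rule above into a reusable check: derive the dirsrv@INSTANCE.service unit and the /var/log/dirsrv/slapd-INSTANCE/errors path from a realm, query both IPA instances (the realm one and PKI-CA), and pull the replication-plugin lines that precede a "Connection refused" from ipactl. It assumes the Fedora 16-era layout described in the thread (dirsrv.target plus per-instance units) and `systemctl is-active`; the realm names in the test are the ones that appear in the thread.

```shell
#!/bin/sh
# Status and changelog-error check for the 389-ds instances behind an IPA server.

# Map a Kerberos realm to the instance name: IPA.LOCAL -> IPA-LOCAL.
dirsrv_instance_name() {
    printf '%s\n' "$1" | tr '.' '-'
}

# systemd unit that serves a realm's instance (there is no plain dirsrv.service).
dirsrv_unit() {
    printf 'dirsrv@%s.service\n' "$(dirsrv_instance_name "$1")"
}

# Error log of the instance, the file Ikaro cat'ed in the thread.
dirsrv_errors_log() {
    printf '/var/log/dirsrv/slapd-%s/errors\n' "$(dirsrv_instance_name "$1")"
}

# One line per instance: the realm's own unit and the PKI-CA unit IPA also runs.
# Usage: dirsrv_status IPA.LOCAL
dirsrv_status() {
    for unit in "$(dirsrv_unit "$1")" "dirsrv@PKI-CA.service"; do
        if systemctl is-active --quiet "$unit"; then
            printf '%-32s active\n' "$unit"
        else
            printf '%-32s NOT active\n' "$unit"
        fi
    done
}

# Show the most recent replication-plugin / changelog messages, which is where
# the cl5DBData2Entry and cl5Open failures from the thread are logged.
dirsrv_changelog_errors() {
    log="$(dirsrv_errors_log "$1")"
    [ -r "$log" ] || { echo "cannot read $log (run as root on the IPA server)" >&2; return 1; }
    grep -E 'NSMMReplicationPlugin|changelog|Replication Plugin' "$log" | tail -n 20
}

# Act only when a realm is given, so the file can be sourced without side effects.
if [ $# -ge 1 ]; then
    dirsrv_status "$1"
    dirsrv_changelog_errors "$1"
fi
```

Run it as root on the affected server, e.g. `sh dirsrv-check.sh ECG.MIT.EDU`; a "NOT active" realm unit together with "failed to start changelog" lines is exactly the state in which Rich's reinitialisation from a healthy replica (db2ldif.pl -r on the good side, ldif2db on the bad side) is the next step.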
[Freeipa-users] Migration from OpenLDAP to IPA: reset expired password in IPA UI
Using https://IPA/ipa/migration, users can migrate their password to their Kerberos principals successfully; a subsequent login to /ui gives them an interface to change attrs of their account. But if their LDAP password is shorter than the default policy of 8 letters (IPA migrates the password but sets it as expired), they have no chance to reset it to meet the policy through the UI. I had to help them log in with an ssh session to an IPA client machine to do this, although the majority of my users do not need the ability to have interactive ssh sessions.

Is there a possibility to enable users to change or reset an expired password in the UI?

Thanks,
Qing Chang
Re: [Freeipa-users] Migration from OpenLDAP to IPA: reset expired password in IPA UI
On 09/24/2012 02:51 PM, Qing Chang wrote:
> Using https://IPA/ipa/migration, users can migrate their password to their Kerberos principals successfully; a subsequent login to /ui gives them an interface to change attrs of their account. But if their LDAP password is shorter than the default policy of 8 letters (IPA migrates the password but sets it as expired), they have no chance to reset it to meet the policy through the UI. I had to help them log in with an ssh session to an IPA client machine to do this, although the majority of my users do not need the ability to have interactive ssh sessions.
>
> Is there a possibility to enable users to change or reset an expired password in the UI?

This is coming in IPA 3.0.

> Thanks,
> Qing Chang

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Easy deployment
Hi guys,

we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client.

I can add a host with

# ipa host-add --password=secret

But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients.

Any hints are welcome ...
Re: [Freeipa-users] Easy deployment
Hi,

I did a while back ask if this could be automated in some way into RH satellite. So future roadmap thing.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of James James [jre...@gmail.com]
Sent: Tuesday, 25 September 2012 10:17 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Easy deployment

Hi guys,

we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client.

I can add a host with

# ipa host-add --password=secret

But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients.

Any hints are welcome ...
Re: [Freeipa-users] Easy deployment
Ok Thanks ..

2012/9/25 Steven Jones <steven.jo...@vuw.ac.nz>
> Hi,
>
> I did a while back ask if this could be automated in some way into RH satellite. So future roadmap thing.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> ________________________________________
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of James James [jre...@gmail.com]
> *Sent:* Tuesday, 25 September 2012 10:17 a.m.
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Easy deployment
>
> Hi guys,
>
> we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client.
>
> I can add a host with
>
> # ipa host-add --password=secret
>
> But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients.
>
> Any hints are welcome ...
Re: [Freeipa-users] Easy deployment
On 09/24/2012 06:17 PM, James James wrote:
> Hi guys,
>
> we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client.
>
> I can add a host with
>
> # ipa host-add --password=secret

This was exactly intended for the bulk provisioning. The idea was that you execute this command and then have kickstart files seeded or parameterized with this password, so you will have 150 kickstart files that differ in the password value fanned out, or you have one kickstart file and the password is passed as a parameter. This was the vision. It definitely requires some collaboration with tools like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but hope that those projects would be able to use parameterized or seeded kickstart files.

> But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients.
>
> Any hints are welcome ...

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
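An added example (mine, not James's, Dmitri's or the FreeIPA project's) of the seeded-kickstart idea Dmitri describes: on the IPA server, the admin side pre-creates each host with a random one-time password via `ipa host-add --password` and the NFS service principal, then renders a per-host %post fragment in which the client enrols unattended with that OTP and fetches its nfs/ keytab with its own host credentials, so nobody has to log in to 150 machines. Assumptions: the hostnames and server name are placeholders, the %post fragment is meant to be spliced into your kickstart by whatever tool fans it out, `ipa-client-install --unattended --password` and `ipa-getkeytab -s/-p/-k` behave as on a FreeIPA 2.x/3.0 client, and the host recorded in the service principal is allowed to retrieve that service's keytab (verify with `ipa service-show`). Because each fragment carries a live OTP, the script writes them with restrictive permissions.

```shell
#!/bin/sh
# Bulk pre-enrolment of IPA clients from one admin session.
# Placeholders (assumed, override via environment): DOMAIN, SERVER, OUT_DIR.
DOMAIN="${DOMAIN:-example.test}"
SERVER="${SERVER:-ipa.example.test}"
OUT_DIR="${OUT_DIR:-./ks-post}"

# 128-bit random one-time password as 32 hex characters (no shell-special chars).
gen_otp() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Render the kickstart %post fragment for one client.
# Arguments: fqdn otp domain server
render_post() {
    fqdn="$1"; otp="$2"; domain="$3"; server="$4"
    cat <<EOF
%post --log=/root/ipa-enroll.log
# Enrol with the one-time password pre-set by 'ipa host-add --password';
# this creates /etc/krb5.keytab with the host principal.
ipa-client-install --unattended --hostname=$fqdn --domain=$domain --server=$server --password='$otp'
# Use the host's own credentials to fetch the NFS service keytab into the
# same file, then drop the ticket.
kinit -k -t /etc/krb5.keytab host/$fqdn
ipa-getkeytab -s $server -p nfs/$fqdn -k /etc/krb5.keytab
kdestroy
%end
EOF
}

# Admin side: register host and service in IPA, write the fragment.
# Requires an admin Kerberos ticket on the IPA server.
provision_host() {
    fqdn="$1"
    otp="$(gen_otp)"
    ipa host-add "$fqdn" --password="$otp" >/dev/null
    ipa service-add "nfs/$fqdn" >/dev/null
    render_post "$fqdn" "$otp" "$DOMAIN" "$SERVER" > "$OUT_DIR/$fqdn.ks-post"
    echo "wrote $OUT_DIR/$fqdn.ks-post"
}

# Run only when hostnames are given, e.g.: sh bulk-enroll.sh client01.example.test client02.example.test
if [ $# -ge 1 ]; then
    umask 077                      # fragments contain OTPs; keep them owner-only
    mkdir -p "$OUT_DIR"
    for h in "$@"; do provision_host "$h"; done
fi
```

The OTP is single-use: once ipa-client-install has enrolled the host it is consumed, so a leaked fragment after installation no longer enrols anything; fragments for hosts that have not installed yet should be treated like any other credential.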
Re: [Freeipa-users] winsync agreement wipes IPA users
Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D winsync_binddn -w passwd -h AD_host -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz cn=* dn > ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:
> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your case nsslapd-sizelimit. This can be increased either globally or (this seems as a more secure solution) for a user you bind as:
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>
>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 users from AD into IPA? If so, then that's a limit on the winsync user that must be increased in AD.
>>>
>>> Rich, it seems that it might make sense to file an RFE for the winsync to support paging control.
>>
>> AD supports the paging control? And this allows you to get around the search limit?
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
> The default usually 2K BTW.

https://fedorahosted.org/389/ticket/472

>>>>> Martin
>>>>>
>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems IPA has some sort of limit of searching it will only show the first 2k of user entries?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>> Technical Specialist - Linux RHCE
>>>>>> Victoria University, Wellington, NZ
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> ________________________________________
>>>>>> *From:* Rich Megginson [rmegg...@redhat.com]
>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have imported users, but there are 5700 of them but I only have 2000 which corresponds to the view that AD gives you by default. This makes me think that that limit is all the AD is allowing the query to see?
>>>>>>
>>>>>> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test what winsync sees when it searches.
>>>>>>
>>>>>>> Is there a way to expand it?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>> Victoria University, Wellington, NZ
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> ________________________________________
>>>>>>> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>> Victoria University, Wellington, NZ
>>>>>>> 0064 4 463 6272
Re: [Freeipa-users] Easy deployment
Hi,

So maybe I should or would you like me to raise this as a feature request for Satellite?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 25 September 2012 10:50 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Easy deployment

On 09/24/2012 06:17 PM, James James wrote:
> Hi guys,
>
> we are planning to install 150 freeipa clients and I was wondering if there is a way to easily install (from kickstart) an nfsv4 client.
>
> I can add a host with
>
> # ipa host-add --password=secret

This was exactly intended for the bulk provisioning. The idea was that you execute this command and then have kickstart files seeded or parameterized with this password, so you will have 150 kickstart files that differ in the password value fanned out, or you have one kickstart file and the password is passed as a parameter. This was the vision. It definitely requires some collaboration with tools like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but hope that those projects would be able to use parameterized or seeded kickstart files.

> But to get the keytab (host and service), I have to log into the machine, launch kinit and get the keytab. This will be very painful for 150 clients.
>
> Any hints are welcome ...

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] winsync agreement wipes IPA users
Hi,

I'm confused here, has no one tried to winsync 2000+ users before? Are there any docs on working around this limit? I've up'd the user to 2 but that seems to have had no effect; my AD people don't know of any other way to increase that at present.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 25 September 2012 3:17 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D winsync_binddn -w passwd -h AD_host -s sub -b OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz cn=* dn > ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA...they also lose their IPA groups which is a bit of a bummer. :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:
> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
>>> On 09/21/2012 09:23 AM, Rich Megginson wrote:
>>>> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>>>>> When using bare ldapsearch, you are hitting 389-ds limits - in your case nsslapd-sizelimit. This can be increased either globally or (this seems as a more secure solution) for a user you bind as:
>>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>>>
>>>> Steven, are you saying that winsync only pulled over 2000 out of 5700 users from AD into IPA? If so, then that's a limit on the winsync user that must be increased in AD.
>>>
>>> Rich, it seems that it might make sense to file an RFE for the winsync to support paging control.
>>
>> AD supports the paging control? And this allows you to get around the search limit?
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
> The default usually 2K BTW.

https://fedorahosted.org/389/ticket/472

>>>>> Martin
>>>>>
>>>>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> It seems IPA has some sort of limit of searching it will only show the first 2k of user entries?
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Steven Jones
>>>>>> Technical Specialist - Linux RHCE
>>>>>> Victoria University, Wellington, NZ
>>>>>> 0064 4 463 6272
>>>>>>
>>>>>> ________________________________________
>>>>>> *From:* Rich Megginson [rmegg...@redhat.com]
>>>>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>>>>> *To:* Steven Jones
>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>
>>>>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have imported users, but there are 5700 of them but I only have 2000 which corresponds to the view that AD gives you by default. This makes me think that that limit is all the AD is allowing the query to see?
>>>>>>
>>>>>> You can use https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test what winsync sees when it searches.
>>>>>>
>>>>>>> Is there a way to expand it?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>> Victoria University, Wellington, NZ
>>>>>>> 0064 4 463 6272
>>>>>>>
>>>>>>> ________________________________________
>>>>>>> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
>>>>>>> *Sent:* Friday, 21 September 2012 8:44 a.m.
>>>>>>> *Cc:* freeipa-users@redhat.com
>>>>>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>>>>>
>>>>>>> I have hundreds of disabled users in IPA now transferred from AD, is there a quick/clean way to purge them from IPA?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>>> Steven Jones
>>>>>>> Technical Specialist - Linux RHCE
>>>>>>> Victoria University, Wellington, NZ
>>>>>>> 0064 4 463 6272
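An added example (mine, not Steven's, Rich's or the 389-ds project's) for the two limits discussed in this thread and in Steven's earlier "search exceeded" message. Steven's bare ldapsearch stops at the server-side size limit; asking AD for the LDAP paged-results control (the MSDN control Dmitri links to, which OpenLDAP's ldapsearch requests with `-E pr=`) returns the OU page by page, so the count it produces is what the winsync bind account can actually see. The second function writes the per-bind-DN limit Martin points at for the 389-ds/IPA side, where the attribute on the bind entry is nsSizeLimit. The host, bind DN and base DN are the placeholders from Steven's command; the password is read from a file rather than passed on the command line, the ipa user-find options are my assumption about a FreeIPA 3.0 client, and the LDIF sample in the test is constructed.

```shell
#!/bin/sh
# Compare what the winsync account sees in AD against what landed in IPA.
AD_HOST="${AD_HOST:-AD_host}"
BIND_DN="${BIND_DN:-winsync_binddn}"
PASSFILE="${PASSFILE:-/root/winsync.pw}"      # assumed: file holding the bind password, mode 0600
BASE="${BASE:-OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz}"
PAGE_SIZE="${PAGE_SIZE:-500}"

# Count entries in LDIF read from stdin: with -LLL every entry starts with a
# single "dn:" line and there are no version or comment lines to skip.
count_ldif_entries() {
    grep -c '^dn:' || :        # grep exits 1 on zero matches; the count is still printed
}

# Paged search over the AD OU. "pr=N/noprompt" makes ldapsearch keep fetching
# pages of N entries until AD returns an empty cookie, instead of stopping at
# the server's page limit.
ad_user_dns() {
    ldapsearch -x -LLL -H "ldap://$AD_HOST" -D "$BIND_DN" -y "$PASSFILE" \
        -E "pr=$PAGE_SIZE/noprompt" -b "$BASE" -s sub '(cn=*)' dn
}

# Users IPA currently holds (needs an admin ticket; --sizelimit=0 asks for no
# client-side cap, the bind DN's nsSizeLimit still applies server-side).
ipa_user_count() {
    ipa user-find --sizelimit=0 --pkey-only --raw | grep -c '^ *uid:' || :
}

# LDIF that raises the per-bind-DN search size limit on a 389-ds/IPA server
# (Martin's "for the user you bind as" option); feed it to ldapmodify.
# Arguments: bind-dn new-limit
sizelimit_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: nsSizeLimit\nnsSizeLimit: %s\n' "$1" "$2"
}

# Report both counts so the gap Steven saw (5900 in AD, 4300 in IPA) is visible.
compare_counts() {
    ad="$(ad_user_dns | count_ldif_entries)"
    ipa="$(ipa_user_count)"
    printf 'AD entries visible to %s: %s\nIPA users: %s\n' "$BIND_DN" "$ad" "$ipa"
    [ "$ad" -eq "$ipa" ]
}

if [ "${1:-}" = "--compare" ]; then
    compare_counts
fi
```

Run `sh winsync-count.sh --compare` on the IPA server with an admin ticket; if the AD count with paging is the full 5900 while the bare search was cut short, the AD side is a page-size limit that paging gets around (which is what the 389 ticket about winsync paging support is for), and the IPA-side number is only trustworthy once the bind entry's nsSizeLimit exceeds the user count.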