[Freeipa-users] Re: Route53 private dns zone, _srv_ lookup issue for failover

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users

On pe, 15 syys 2017, Wanderley Teixeira via FreeIPA-users wrote:

> I am running into an issue with FreeIPA and DNS. Perhaps, you guys could
> point me to a better realm/domain solution.
>
> - I run a private DNS zone on AWS, called "int.example.com" (with ptr and
> srv, etc)
> - I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3
> xxx.int.example.com
> - Realm is EXAMPLE.COM
> - Domain is example.com
> - example.com records are hosted in a different service (i.e. hover or
> godaddy)
>
> When I try to install a client I get:
>
> Discovery was successful!
> Client hostname: ipaclient.int.example.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: ipa2.int.example.com
> BaseDN: dc=example,dc=com
> …
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> ...
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> trying https://ipa2.int.example.com/ipa/json
> Traceback (most recent call last):
>   File "/sbin/ipa-client-install", line 3128, in <module>
>     sys.exit(main())
> ...
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
>     raise errors.KerberosError(message=unicode(krberr))
> ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.
> Minor code may provide more information, Minor (2529639066): Cannot find
> KDC for realm "EXAMPLE.COM"
>
> Any idea how I can overcome this issue?
Add SRV records _kerberos._tcp.example.com, _kerberos._udp.example.com
in the external DNS to point to your servers in int.example.com.

> I would like my LDAP basedn to be dc=example,dc=com. I don't want it to
> take the value of dc=int,dc=example,dc=com if I used private domain
> int.example.com instead of example.com
>
> I was thinking of using a private zone just example.com instead of
> int.example.com but I will have issues since my TLD is on an external
> service (i.e. hover.com). In this case, I wouldn't be able to resolve
> test.example.com within the private zone since AWS Route53 wouldn't resolve
> outside the zone. I would need to install a DNS forwarder somewhere else
> and I don't want to manage it.
Your clients will be resolving whatever records the DNS server returns.
External or internal does not matter, since the DNS server does not resolve
those records for you, it just returns their content.

> I can manually install the client and specify the domain and realm fine but
> I am unable to use DNS _srv_ for failover if ipa1 goes down, for example.
> Clients are unable to login with a similar KDC error. And even installing
> is causing issues as the output shows "Cannot find KDC for realm..."

The "cannot find KDC for realm" comes from the fact that it cannot
resolve those SRV records from example.com DNS domain because it
couldn't find any other way to find KDCs. Since this is happening at
install time, you cannot use krb5.conf's means to map DNS domains to
realms and say how to discover KDCs.

So just add required DNS SRV records. You can get a proper list of them
from

 ipa dns-update-system-records --dry-run

This will show you the full list of system records IPA expects to exist. It
is a command that exists in FreeIPA 4.4+, I think.


--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
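The reply above boils down to one task: publish, in the externally hosted example.com zone, SRV records whose targets live in the Route53 zone int.example.com, and then verify from a client that they resolve. The script below is an added example for that task; it is not code from this thread or from FreeIPA. It renders the SRV set MIT krb5 uses for KDC discovery (_kerberos, _kerberos-master, _kpasswd) plus _ldap._tcp, which ipa-client-install uses for server discovery, as zone-file lines, then parses `dig +short SRV` answers and reports which owners are still missing. The host names, TTL, priority/weight and the sample dig output are constructed; the record names and ports are the services' well-known values. The authoritative list for a real deployment remains `ipa dns-update-system-records --dry-run`, which also covers records this script leaves out (the _kerberos TXT record, _ntp._udp, ipa-ca).

```python
"""SRV records IPA clients look up, for a DNS domain hosted outside IPA.

Added example; not code from this thread or from FreeIPA.  It models the
layout in the post: IPA DNS domain example.com (realm EXAMPLE.COM), masters
ipa1/ipa2/ipa3 in the separate int.example.com zone, and the example.com
zone itself at an external provider.  Owner names and ports are the
well-known ones for Kerberos KDC discovery and ipa-client-install; host
names, TTL, priority/weight and the sample dig output are constructed.
"""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# (owner prefix under the IPA DNS domain, standard port) that must resolve
# for Kerberos KDC discovery and ipa-client-install server discovery.
REQUIRED_SRV = (
    ("_ldap._tcp", 389),
    ("_kerberos._tcp", 88),
    ("_kerberos._udp", 88),
    ("_kerberos-master._tcp", 88),
    ("_kerberos-master._udp", 88),
    ("_kpasswd._tcp", 464),
    ("_kpasswd._udp", 464),
)


def fqdn(name):
    """Lower-cased absolute name with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def owner_name(prefix, domain):
    """SRV owner name for `prefix` inside `domain`, e.g. _ldap._tcp.example.com."""
    return "%s.%s" % (prefix, fqdn(domain))


def expected_records(domain, servers, priority=0, weight=100):
    """SRV records to publish in `domain`, targeting `servers`.

    The owners live in the IPA DNS domain (example.com, external provider);
    the targets may live in any zone (int.example.com, Route53), which is
    exactly what the reply in the thread asks for.
    """
    records = []
    for prefix, port in REQUIRED_SRV:
        for server in servers:
            records.append(SrvRecord(owner_name(prefix, domain),
                                     priority, weight, port, fqdn(server)))
    return records


def zone_lines(records, ttl=86400):
    """Render as BIND zone-file lines (most DNS providers accept this form)."""
    return ["%s %d IN SRV %d %d %d %s"
            % (r.name, ttl, r.priority, r.weight, r.port, r.target)
            for r in records]


_DIG_SHORT = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_dig_short(owner, output):
    """Parse `dig +short SRV <owner>` output: one 'prio weight port target' per line."""
    found = []
    for line in output.splitlines():
        m = _DIG_SHORT.match(line)
        if m:
            prio, weight, port, target = m.groups()
            found.append(SrvRecord(fqdn(owner), int(prio), int(weight),
                                   int(port), fqdn(target)))
    return found


def missing_records(domain, answers):
    """Owner names in `domain` with no answer, or an answer on a non-standard port.

    `answers` maps owner name -> list of SrvRecord, e.g. from parse_dig_short.
    """
    missing = []
    for prefix, port in REQUIRED_SRV:
        owner = owner_name(prefix, domain)
        recs = answers.get(owner, [])
        if not recs or any(r.port != port for r in recs):
            missing.append(owner)
    return missing


if __name__ == "__main__":
    servers = ["ipa1.int.example.com", "ipa2.int.example.com", "ipa3.int.example.com"]
    print("\n".join(zone_lines(expected_records("example.com", servers))))
    # Constructed `dig +short` output for a zone where only _ldap._tcp exists.
    answers = {
        owner_name("_ldap._tcp", "example.com"): parse_dig_short(
            "_ldap._tcp.example.com",
            "0 100 389 ipa1.int.example.com.\n0 100 389 ipa2.int.example.com.\n"),
    }
    print("missing:", missing_records("example.com", answers))
```

Run it once to get the zone lines for the external provider, then feed it the real `dig +short SRV _kerberos._tcp.example.com` output (and the other owners) from a client to confirm nothing is missing before re-running ipa-client-install. Keep the SRV targets as fully qualified names in int.example.com; the client resolves those through whatever resolver it has, so the Route53 private zone must be reachable from it.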


[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Gady Notrica via FreeIPA-users
I was able to resolve but some services are down. ntpd Service: STOPPED and smb 
Service: STOPPED

Please help


# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

But NTP is installed

# systemctl restart ntpd
Failed to restart ntpd.service: Unit is masked.

# yum install ntp
Loaded plugins: versionlock
Package ntp-4.2.6p5-25.el7.centos.2.x86_64 already installed and latest version
Nothing to do

Thanks,
Gady

-Original Message-
From: Jochen Hein [mailto:joc...@jochen.org] 
Sent: September 15, 2017 1:26 PM
To: Gady Notrica via FreeIPA-users 
Cc: Alexander Bokovoy ; Rob Crittenden 
; Gady Notrica 
Subject: Re: [Freeipa-users] Re: IPA Server down after system update

Gady Notrica via FreeIPA-users 
writes:

> But still having the same issue:

No, you don't.  Earlier it timed out waiting for dirsrv, but now it's dogtag 
(Port 8080, 8443):
>
> 2017-09-15T15:58:46Z DEBUG stderr= 2017-09-15T15:58:46Z DEBUG
> wait_for_open_ports: localhost [8080, 8443] timeout 300 
> 2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect 
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.

Have a look at the dogtag logs and possibly 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
 

For me another replica refreshed the certificate while ipaupgrade was running.  
Another possibility was failure to refresh the cert due to selinux. (Can't find 
the ticket now).

Jochen

--
This space is intentionally left blank.


[Freeipa-users] Route53 private dns zone, _srv_ lookup issue for failover

2017-09-15 Thread Wanderley Teixeira via FreeIPA-users
I am running into an issue with FreeIPA and DNS. Perhaps, you guys could
point me to a better realm/domain solution.

- I run a private DNS zone on AWS, called "int.example.com" (with ptr and
srv, etc)
- I have 3 master-master-master IPAs called ipa1, ipa2, and ipa3
xxx.int.example.com
- Realm is EXAMPLE.COM
- Domain is example.com
- example.com records are hosted in a different service (i.e. hover or
godaddy)

When I try to install a client I get:

Discovery was successful!
Client hostname: ipaclient.int.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa2.int.example.com
BaseDN: dc=example,dc=com
…
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
...
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipa2.int.example.com/ipa/json
Traceback (most recent call last):
  File "/sbin/ipa-client-install", line 3128, in <module>
    sys.exit(main())
...
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 931, in create_connection
    raise errors.KerberosError(message=unicode(krberr))
ipalib.errors.KerberosError: Major (851968): Unspecified GSS failure.
Minor code may provide more information, Minor (2529639066): Cannot find
KDC for realm "EXAMPLE.COM"

Any idea how I can overcome this issue?

I would like my LDAP basedn to be dc=example,dc=com. I don't want it to
take the value of dc=int,dc=example,dc=com if I used private domain
int.example.com instead of example.com

I was thinking of using a private zone just example.com instead of
int.example.com but I will have issues since my TLD is on an external
service (i.e. hover.com). In this case, I wouldn't be able to resolve
test.example.com within the private zone since AWS Route53 wouldn't resolve
outside the zone. I would need to install a DNS forwarder somewhere else
and I don't want to manage it.

I can manually install the client and specify the domain and realm fine but
I am unable to use DNS _srv_ for failover if ipa1 goes down, for example.
Clients are unable to login with a similar KDC error. And even installing
is causing issues as the output shows "Cannot find KDC for realm..."

Any recommendation or help would be appreciated. I am not sure what is the
best solution.


[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread John R. Shannon via FreeIPA-users
Attached

On 09/15/17 12:58, Alexander Bokovoy wrote:
> On pe, 15 syys 2017, Rob Crittenden via FreeIPA-users wrote:
>> John R. Shannon via FreeIPA-users wrote:
>>> Attached
>>
>> It is failing with "KerberosError: No valid Negotiate header in server
>> response"
>>
>> What package version of freeipa-server do you have?
>>
>> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
>> 4.5.1
> According to ipaserver-install.log, it is IPA version 4.5.3-1.fc26.
> 
> John, can we see /var/log/httpd/error_log?
> 
>>
>> rob
>>>
>>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>>> John R. Shannon via FreeIPA-users wrote:
>>>>> Attached in gzip'd form
>>>>
>>>> We need /var/log/ipaclient-install.log
>>>>
>>>> rob
>>>>
>>>>>
>>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>>> Running ipa-server-install I get:
>>>>>>>
>>>>>>> Configuring client side components
>>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>>
>>>>>>> Skipping synchronizing time with NTP server.
>>>>>>> New SSSD config will be created
>>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>>> Configured /etc/sssd/sssd.conf
>>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>>> No valid Negotiate header in server response
>>>>>>> The ipa-client-install command failed. See
>>>>>>> /var/log/ipaclient-install.log for more information
>>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
>>>>>>>
>>>>>>>    Configuration of client side components failed!
>>>>>>>
>>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>>
>>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>>
>>>>>>> configured to include the FREE-IPA repository. FREE-IPA was
>>>>>>> installed
>>>>>>> yesterday with:
>>>>>>>
>>>>>>> dnf install freeipa-*
>>>>>>>
>>>>>>> and running ipa-server-install. I'm not sure how to proceed. I
>>>>>>> want to
>>>>>>> use pkinit.
>>>>>>>
>>>>>>> The log file shows that an exception was raised during the
>>>>>>> execution of:
>>>>>>>
>>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install
>>>>>>> --on-master
>>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>>> auth.test.internal.johnrshannon.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> We need to see /var/log/ipaclient-install.log (gzip if its huge).
>>>>>>
>>>>>> rob
>>>>>
>>>>
>>>
>>
> 

-- 

John R. Shannon
j...@johnrshannon.com
(208)522-4506
[Fri Sep 15 15:05:56.983931 2017] [lbmethod_heartbeat:notice] [pid 4879] 
AH02282: No slotmem from mod_heartmonitor
[Fri Sep 15 15:05:56.984010 2017] [http2:warn] [pid 4879] AH10034: The mpm 
module (prefork.c) is not supported by mod_http2. The mpm determines how things 
are processed in your server. HTTP/2 has more demands in this regard and the 
currently selected mpm will just not do. This is an advisory warning. Your 
server will continue to work, but the HTTP/2 protocol will be inactive.
[Fri Sep 15 15:05:56.984059 2017] [:warn] [pid 4879] NSSSessionCacheTimeout is 
deprecated. Ignoring.
[Fri Sep 15 15:05:56.996333 2017] [mpm_prefork:notice] [pid 4879] AH00163: 
Apache/2.4.27 (Fedora) mod_auth_gssapi/1.5.0 mod_nss/1.0.14 NSS/3.29.1 
mod_wsgi/4.5.15 Python/2.7 configured -- resuming normal operations
[Fri Sep 15 15:05:56.996391 2017] [core:notice] [pid 4879] AH00094: Command 
line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Sep 15 15:06:01.641362 

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users

On pe, 15 syys 2017, Rob Crittenden via FreeIPA-users wrote:
> John R. Shannon via FreeIPA-users wrote:
>> Attached
>
> It is failing with "KerberosError: No valid Negotiate header in server
> response"
>
> What package version of freeipa-server do you have?
>
> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
> 4.5.1
According to ipaserver-install.log, it is IPA version 4.5.3-1.fc26.

John, can we see /var/log/httpd/error_log?

>
> rob
>>
>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>> John R. Shannon via FreeIPA-users wrote:
>>>> Attached in gzip'd form
>>>
>>> We need /var/log/ipaclient-install.log
>>>
>>> rob
>>>
>>>>
>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>> Running ipa-server-install I get:
>>>>>>
>>>>>> Configuring client side components
>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>
>>>>>> Skipping synchronizing time with NTP server.
>>>>>> New SSSD config will be created
>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>> No valid Negotiate header in server response
>>>>>> The ipa-client-install command failed. See
>>>>>> /var/log/ipaclient-install.log for more information
>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
>>>>>>    Configuration of client side components failed!
>>>>>>
>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>
>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>
>>>>>> configured to include the FREE-IPA repository. FREE-IPA was installed
>>>>>> yesterday with:
>>>>>>
>>>>>> dnf install freeipa-*
>>>>>>
>>>>>> and running ipa-server-install. I'm not sure how to proceed. I want to
>>>>>> use pkinit.
>>>>>>
>>>>>> The log file shows that an exception was raised during the execution of:
>>>>>>
>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>> auth.test.internal.johnrshannon.com
>>>>>>
>>>>>>
>>>>>
>>>>> We need to see /var/log/ipaclient-install.log (gzip if its huge).
>>>>>
>>>>> rob
>>>>
>>>
>>
>

--
/ Alexander Bokovoy


[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread John R. Shannon via FreeIPA-users
freeipa-server-4.5.3-1.fc26.x86_64

On 09/15/17 12:49, Rob Crittenden wrote:
> John R. Shannon via FreeIPA-users wrote:
>> Attached
> 
> It is failing with "KerberosError: No valid Negotiate header in server
> response"
> 
> What package version of freeipa-server do you have?
> 
> This seems like https://pagure.io/freeipa/issue/6773 which was fixed in
> 4.5.1
> 
> rob
>>
>> On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
>>> John R. Shannon via FreeIPA-users wrote:
>>>> Attached in gzip'd form
>>>
>>> We need /var/log/ipaclient-install.log
>>>
>>> rob
>>>
>>>>
>>>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>>>> John R. Shannon via FreeIPA-users wrote:
>>>>>> Running ipa-server-install I get:
>>>>>>
>>>>>> Configuring client side components
>>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>>>> DNS Domain: test.internal.johnrshannon.com
>>>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>>>
>>>>>> Skipping synchronizing time with NTP server.
>>>>>> New SSSD config will be created
>>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>>> Configured /etc/sssd/sssd.conf
>>>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>>>> [try 1]: Forwarding 'schema' to json server
>>>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>>>> No valid Negotiate header in server response
>>>>>> The ipa-client-install command failed. See
>>>>>> /var/log/ipaclient-install.log for more information
>>>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
>>>>>>    Configuration of client side components failed!
>>>>>>
>>>>>> The system is a fresh, up to date, Fedora 26:
>>>>>>
>>>>>> 4.12.12-300.fc26.x86_64
>>>>>>
>>>>>> configured to include the FREE-IPA repository. FREE-IPA was installed
>>>>>> yesterday with:
>>>>>>
>>>>>> dnf install freeipa-*
>>>>>>
>>>>>> and running ipa-server-install. I'm not sure how to proceed. I want to
>>>>>> use pkinit.
>>>>>>
>>>>>> The log file shows that an exception was raised during the execution of:
>>>>>>
>>>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>>>> auth.test.internal.johnrshannon.com --realm
>>>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>>>> auth.test.internal.johnrshannon.com
>>>>>>
>>>>>>
>>>>>
>>>>> We need to see /var/log/ipaclient-install.log (gzip if its huge).
>>>>>
>>>>> rob
>>>>>
>>>>
>>>
>>
> 

-- 

John R. Shannon
j...@johnrshannon.com
(208)522-4506


[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread John R. Shannon via FreeIPA-users
Attached

On 09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote:
> John R. Shannon via FreeIPA-users wrote:
>> Attached in gzip'd form
> 
> We need /var/log/ipaclient-install.log
> 
> rob
> 
>>
>> On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote:
>>> John R. Shannon via FreeIPA-users wrote:
>>>> Running ipa-server-install I get:
>>>>
>>>> Configuring client side components
>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>> Client hostname: auth.test.internal.johnrshannon.com
>>>> Realm: TEST.INTERNAL.JOHNRSHANNON.COM
>>>> DNS Domain: test.internal.johnrshannon.com
>>>> IPA Server: auth.test.internal.johnrshannon.com
>>>> BaseDN: dc=test,dc=internal,dc=johnrshannon,dc=com
>>>>
>>>> Skipping synchronizing time with NTP server.
>>>> New SSSD config will be created
>>>> Configured sudoers in /etc/nsswitch.conf
>>>> Configured /etc/sssd/sssd.conf
>>>> trying https://auth.test.internal.johnrshannon.com/ipa/json
>>>> [try 1]: Forwarding 'schema' to json server
>>>> 'https://auth.test.internal.johnrshannon.com/ipa/json'
>>>> No valid Negotiate header in server response
>>>> The ipa-client-install command failed. See
>>>> /var/log/ipaclient-install.log for more information
>>>> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR
>>>>    Configuration of client side components failed!
>>>>
>>>> The system is a fresh, up to date, Fedora 26:
>>>>
>>>> 4.12.12-300.fc26.x86_64
>>>>
>>>> configured to include the FREE-IPA repository. FREE-IPA was installed
>>>> yesterday with:
>>>>
>>>> dnf install freeipa-*
>>>>
>>>> and running ipa-server-install. I'm not sure how to proceed. I want to
>>>> use pkinit.
>>>>
>>>> The log file shows that an exception was raised during the execution of:
>>>>
>>>> 2017-09-15T14:52:27Z DEBUG args=/usr/sbin/ipa-client-install --on-master
>>>> --unattended --domain test.internal.johnrshannon.com --server
>>>> auth.test.internal.johnrshannon.com --realm
>>>> TEST.INTERNAL.JOHNRSHANNON.COM --hostname
>>>> auth.test.internal.johnrshannon.com
>>>>
>>>>
>>>
>>> We need to see /var/log/ipaclient-install.log (gzip if its huge).
>>>
>>> rob
>>>
>>
>>
>>
> 

-- 

John R. Shannon
j...@johnrshannon.com


ipaclient-install.log.gz
Description: application/gzip


[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Gady Notrica via FreeIPA-users
I enabled IPv6 as you can see below:

Int1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.0.120.200  netmask 255.255.255.0  broadcast 10.0.120.255
inet6 fe80::250:56ff:fe81:c4ba  prefixlen 64  scopeid 0x20<link>
ether 00:50:56:81:c4:ba  txqueuelen 1000  (Ethernet)
RX packets 148560  bytes 12827163 (12.2 MiB)
RX errors 0  dropped 50  overruns 0  frame 0
TX packets 46268  bytes 16994535 (16.2 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Int2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.1.200  netmask 255.255.255.0  broadcast 192.168.1.255
inet6 fe80::250:56ff:fe81:4615  prefixlen 64  scopeid 0x20<link>
ether 00:50:56:81:46:15  txqueuelen 1000  (Ethernet)
RX packets 3831  bytes 278364 (271.8 KiB)
RX errors 0  dropped 50  overruns 0  frame 0
TX packets 12  bytes 760 (760.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

But still having the same issue:

2017-09-15T15:58:46Z DEBUG stderr=
2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 
300 2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T16:03:46Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1913, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1652, in upgrade_configuration
ca.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
401, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
211, in start
instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
300, in start
self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
270, in wait_for_open_ports
self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in 
wait_for_open_ports
raise socket.timeout("Timeout exceeded")

2017-09-15T16:03:46Z DEBUG The ipa-server-upgrade command failed, exception: 
timeout: Timeout exceeded 2017-09-15T16:03:46Z ERROR Timeout exceeded 
2017-09-15T16:03:46Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: September 15, 2017 12:26 PM
To: FreeIPA users list 
Cc: Rob Crittenden ; Gady Notrica 
Subject: Re: [Freeipa-users] Re: IPA Server down after system update

On pe, 15 syys 2017, Gady Notrica via FreeIPA-users wrote:
>I am going to try now. Any workaround for people that don't want to have IPv6? 
>On IPA servers?
IPA masters must have IPv6 stack enabled in the kernel. You may opt to not 
assigning IP addresses to the interfaces but we do rely on availability of IPv6 
stack in IPA and it is an absolute requirement to be enabled.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prerequisites
(in 2.1.2).


>
>Thanks,
>
>-Original Message-
>From: Rob Crittenden [mailto:rcrit...@redhat.com]
>Sent: September 15, 2017 11:44 AM
>To: FreeIPA users list 
>Cc: Gady Notrica 
>Subject: Re: [Freeipa-users] IPA Server down after system update
>
>Gady Notrica via FreeIPA-users wrote:
>> Hello,
>>
>> Please HELP
>>
>> After upgrading my server, IPA is not running any more. Here is the error I 
>> am getting and I can't seem to find any solution on the web.
>>
>> All services are stopped except the directory service
>>
>> # ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: STOPPED
>> kadmin Service: STOPPED
>> named Service: STOPPED
>> httpd Service: STOPPED
>> ipa-custodia Service: STOPPED
>> ntpd Service: STOPPED
>> pki-tomcatd Service: STOPPED
>> ipa-otpd Service: STOPPED
>> ipa-dnskeysyncd Service: STOPPED
>> ipa: INFO: The ipactl command was successful
>>
>> And here is the error from /var/log/ipaupgrade.log
>>
>> 2017-09-15T15:30:22Z DEBUG stderr=
>> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] 
>> timeout 300 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect 
>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>> 

[Freeipa-users] Re: Radius authentication trouble

2017-09-15 Thread Charles Hedrick via FreeIPA-users
It’s not entirely clear to me what the configuration is. You say “second 
factor.” If you’re using 2FA, things that normally work no longer do.

If you’re putting Freeradius in front of IPA, neither of the ways Freeradius 
would talk to IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP 
server doesn’t know about 2FA except the builtin FreeOTP support. The 
Freeradius Kerberos support won’t work for any 2FA, even FreeOTP, because their 
Kerberos code doesn’t use the API’s necessary to support 2FA.

In https://github.com/clhedrick/kerberos, you’ll find radius-wrap, which can be 
used with Freeradius’ Kerberos module to make it work with 2FA. The code works, 
but if someone is going to use it in production I’d do something to make it more 
convenient to use. I’ve chosen to use LD_PRELOAD to wrap the existing code, 
rather than supplying a fixed version of the Kerberos module, because I thought 
it might make updating to new versions easier.

In the same place you’ll find ldap-proxy. This is instructions to set up 
Openldap in front of IPA’s LDAP. It does Kerberos authentication with 2FA 
support, and thus can handle all types of authentication that IPA can handle. I 
supply an overlay (i.e. a plugin) for Openldap to do Kerberos authentication 
with proper 2FA support.

Jakub: I’d really, really, like to see LDAP in Freeipa support 2FA. Having to 
put a proxy in front of IPA just to handle IPA’s authentication seems silly, 
and an unnecessary piece of software to support (particularly since RHEL 8 is 
apparently going to drop support for openldap).

On Aug 24, 2017, at 2:53 PM, Jakub Hrozek via FreeIPA-users wrote:

> On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote:
>> We are running FreeIPA 4.4 on Centos 7 and trying to use radius
>> authentication.
>>
>> Using radtest and radclient work fine and we can authenticate a user.
>>
>> The radius proxy and secret are set to match the values from radclient.
>> The user has the radius check box checked and the other two fields set to
>> appropriate values. hbactest shows that the user has permission for any
>> host.
>>
>> When I do " su -l rsa-user", I'm requested for the first and second
>> factors.  After I enter them, I get "su: Authentication failure".  Using a
>> non-radius user works fine.
>>
>> The sssd_pam log has
>>
>> [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
>> user credentials)][idm.bbn.com]
>> [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]:
>> Failure setting user credentials.
>>
>> Unchecking the radius checkbox and the account works fine.
>>
>> Any ideas what to try or look at next?
>
> I've never set up this configuration but I would look at the domain log
> and krb5_child.log next.



[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Alexander Bokovoy via FreeIPA-users

On pe, 15 syys 2017, Gady Notrica via FreeIPA-users wrote:

I am going to try now. Any workaround for people that don't want to have IPv6? 
On IPA servers?

IPA masters must have IPv6 stack enabled in the kernel. You may opt to
not assigning IP addresses to the interfaces but we do rely on
availability of IPv6 stack in IPA and it is an absolute requirement to
be enabled.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prerequisites
(in 2.1.2).




Thanks,

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: September 15, 2017 11:44 AM
To: FreeIPA users list 
Cc: Gady Notrica 
Subject: Re: [Freeipa-users] IPA Server down after system update

Gady Notrica via FreeIPA-users wrote:

Hello,

Please HELP

After upgrading my server, IPA is not running any more. Here is the error I am 
getting and I can't seem to find any solution on the web.

All services are stopped except the directory service

# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: STOPPED
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

And here is the error from /var/log/ipaupgrade.log

2017-09-15T15:30:22Z DEBUG stderr=
2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389]
timeout 300 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T15:35:23Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1913, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1585, in upgrade_configuration
ds.start(ds_serverid)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 
627, in start
super(DsInstance, self).start(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
401, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
157, in start
instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
300, in start
self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
270, in wait_for_open_ports
self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in 
wait_for_open_ports
raise socket.timeout("Timeout exceeded")

2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed,
exception: timeout: Timeout exceeded
2017-09-15T15:35:23Z ERROR Timeout exceeded
2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information



Enable IPv6 and re-run ipa-server-upgrade.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


--
/ Alexander Bokovoy


[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Gady Notrica via FreeIPA-users
I enabled IPv6 as you can see below:

Int1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.0.120.200  netmask 255.255.255.0  broadcast 10.20.10.255
inet6 fe80::250:56ff:fe81:c4ba  prefixlen 64  scopeid 0x20<link>
ether 00:50:56:81:c4:ba  txqueuelen 1000  (Ethernet)
RX packets 148560  bytes 12827163 (12.2 MiB)
RX errors 0  dropped 50  overruns 0  frame 0
TX packets 46268  bytes 16994535 (16.2 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Int2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.1.200  netmask 255.255.255.0  broadcast 192.168.110.255
inet6 fe80::250:56ff:fe81:4615  prefixlen 64  scopeid 0x20<link>
ether 00:50:56:81:46:15  txqueuelen 1000  (Ethernet)
RX packets 3831  bytes 278364 (271.8 KiB)
RX errors 0  dropped 50  overruns 0  frame 0
TX packets 12  bytes 760 (760.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Still having the same issue

2017-09-15T15:58:46Z DEBUG stderr=
2017-09-15T15:58:46Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 
300
2017-09-15T16:03:46Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-09-15T16:03:46Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run
server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1913, in upgrade
upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1652, in upgrade_configuration
ca.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
401, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
211, in start
instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
300, in start
self.wait_for_open_ports(self.service_instance(instance_name))
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
270, in wait_for_open_ports
self.api.env.startup_timeout)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in 
wait_for_open_ports
raise socket.timeout("Timeout exceeded")

2017-09-15T16:03:46Z DEBUG The ipa-server-upgrade command failed, exception: 
timeout: Timeout exceeded
2017-09-15T16:03:46Z ERROR Timeout exceeded
2017-09-15T16:03:46Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information

-Original Message-
From: Gady Notrica via FreeIPA-users 
[mailto:freeipa-users@lists.fedorahosted.org] 
Sent: September 15, 2017 11:57 AM
To: Rob Crittenden ; FreeIPA users list 

Cc: Gady Notrica 
Subject: [Freeipa-users] Re: IPA Server down after system update

I am going to try now. Any workaround for people that don't want to have IPv6? 
On IPA servers?

Thanks,

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: September 15, 2017 11:44 AM
To: FreeIPA users list 
Cc: Gady Notrica 
Subject: Re: [Freeipa-users] IPA Server down after system update

Gady Notrica via FreeIPA-users wrote:
> Hello,
> 
> Please HELP
> 
> After upgrading my server, IPA is not running any more. Here is the error I 
> am getting and I can't seem to find any solution on the web.
> 
> All services are stopped except the directory service
> 
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> 
> And here is the error from /var/log/ipaupgrade.log
> 
> 2017-09-15T15:30:22Z DEBUG stderr=
> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect 
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-15T15:35:23Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in 
> execute
> return_value = self.run()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
> line 46, in run
> server.upgrade()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 
> 1913, in upgrade
> upgrade_configuration()
>   File 
> 

[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Rob Crittenden via FreeIPA-users
Gady Notrica via FreeIPA-users wrote:
> Hello,
> 
> Please HELP
> 
> After upgrading my server, IPA is not running any more. Here is the error I 
> am getting and I can't seem to find any solution on the web.
> 
> All services are stopped except the directory service
> 
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: STOPPED
> kadmin Service: STOPPED
> named Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> ntpd Service: STOPPED
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> 
> And here is the error from /var/log/ipaupgrade.log
> 
> 2017-09-15T15:30:22Z DEBUG stderr=
> 2017-09-15T15:30:22Z DEBUG wait_for_open_ports: localhost [389] timeout 300
> 2017-09-15T15:35:23Z ERROR IPA server upgrade failed: Inspect 
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2017-09-15T15:35:23Z DEBUG   File 
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in 
> execute
> return_value = self.run()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
> line 46, in run
> server.upgrade()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 
> 1913, in upgrade
> upgrade_configuration()
>   File 
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 
> 1585, in upgrade_configuration
> ds.start(ds_serverid)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", 
> line 627, in start
> super(DsInstance, self).start(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
> 401, in start
> self.service.start(instance_name, capture_output=capture_output, 
> wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", 
> line 157, in start
> instance_name, capture_output=capture_output, wait=wait)
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
> 300, in start
> self.wait_for_open_ports(self.service_instance(instance_name))
>   File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 
> 270, in wait_for_open_ports
> self.api.env.startup_timeout)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1227, in 
> wait_for_open_ports
> raise socket.timeout("Timeout exceeded")
> 
> 2017-09-15T15:35:23Z DEBUG The ipa-server-upgrade command failed, exception: 
> timeout: Timeout exceeded
> 2017-09-15T15:35:23Z ERROR Timeout exceeded
> 2017-09-15T15:35:23Z ERROR The ipa-server-upgrade command failed. See 
> /var/log/ipaupgrade.log for more information
> 

Enable IPv6 and re-run ipa-server-upgrade.

rob
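Rob's reply above and Alexander's at the top of this section give the same fix: the upgrade's wait_for_open_ports on localhost times out until the kernel IPv6 stack is enabled. Here is a pre-flight script to run before ipa-server-upgrade, added as an example for this thread and not part of FreeIPA's own tooling. It assumes the usual sysctl layout under /proc/sys/net/ipv6/conf, treats a missing directory (ipv6.disable=1 on the kernel command line) and a disable_ipv6=1 sysctl on all or lo as failures, and takes a root directory argument (default /) so the same function can be exercised on a constructed tree. The loopback check is this script's own interpretation of the log above, which waits on localhost.

```sh
#!/bin/sh
# Pre-flight check before ipa-server-upgrade: is the kernel IPv6 stack enabled?
# Added example for this thread, not FreeIPA's own tooling. It reads the
# disable_ipv6 sysctls under a root directory ($1, default "/") so the same
# function can be exercised against a constructed tree.

# Prints one of: enabled, disabled, missing. Exit status 0 only for "enabled".
#   missing  - /proc/sys/net/ipv6 is absent (ipv6.disable=1 on the kernel
#              command line, or the ipv6 module is not loaded)
#   disabled - net.ipv6.conf.all.disable_ipv6 or net.ipv6.conf.lo.disable_ipv6
#              is 1: the stack exists but has been switched off, typically by a
#              sysctl.d "hardening" drop-in. Loopback is checked because the
#              upgrade log waits for ports on localhost.
ipv6_stack_state() {
    root="${1:-/}"
    conf="$root/proc/sys/net/ipv6/conf"
    if [ ! -d "$conf" ]; then
        echo missing
        return 1
    fi
    all=$(cat "$conf/all/disable_ipv6" 2>/dev/null || echo 1)
    lo=$(cat "$conf/lo/disable_ipv6" 2>/dev/null || echo 1)
    if [ "$all" = 1 ] || [ "$lo" = 1 ]; then
        echo disabled
        return 1
    fi
    echo enabled
    return 0
}

# Builds a constructed /proc-like tree for demonstration and tests:
#   make_fake_root DIR ALL_DISABLE LO_DISABLE
make_fake_root() {
    mkdir -p "$1/proc/sys/net/ipv6/conf/all" "$1/proc/sys/net/ipv6/conf/lo"
    echo "$2" > "$1/proc/sys/net/ipv6/conf/all/disable_ipv6"
    echo "$3" > "$1/proc/sys/net/ipv6/conf/lo/disable_ipv6"
}

# Demonstration on constructed trees, then on this host.
demo_dir=$(mktemp -d)
make_fake_root "$demo_dir/ok" 0 0
make_fake_root "$demo_dir/sysctl-off" 1 1
for scenario in ok sysctl-off no-ipv6; do
    state=$(ipv6_stack_state "$demo_dir/$scenario") || true
    echo "$scenario: $state"
done
rm -rf "$demo_dir"

host_state=$(ipv6_stack_state /) || true
echo "this host: $host_state"
if [ "$host_state" != enabled ]; then
    echo "enable IPv6 (drop disable_ipv6=1 from sysctl.d and ipv6.disable=1 from the kernel command line) before re-running ipa-server-upgrade" >&2
fi
```

The constructed trees print enabled, disabled and missing in turn; the last line reports the host the script runs on. Note that, as Alexander says, the interfaces need no routable IPv6 addresses: the script only looks at whether the stack is switched on.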


[Freeipa-users] Re: Problem with ipa restore

2017-09-15 Thread Rob Crittenden via FreeIPA-users
xattab--- via FreeIPA-users wrote:
> 
> Hi. I have tried to restore FreeIPA, but every time I get an error:
> 
> Command ''tar' '--xattrs' '--selinux' '-xzf'
> '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.''
> returned non-zero exit status 2
> 
> My actions:
> 
> 1. Run ipa-backup
> 2. Copy the backup to another server
> 3. Install FreeIPA with yum install freeipa-*
> 4. Then run ipa-restore on the backup dir
> 
> My environment:
> 
> Fedora 21
> freeipa 4.1.4
> 
> In the log I saw a message like "Cannot write: No space left on device", but I
> have enough space.
> 
> The whole untarred backup is about 20 GB, on a device with about 100 GB.
> 
> Can you help me? :)

/tmp is used as a staging area and that is the FS that probably doesn't
have enough space. You can try setting the environment variable TMPDIR
to point to a filesystem with adequate space before calling ipa-restore.
That might work, I just haven't tested it.

I'm assuming you know that Fedora 21 is no longer supported.

rob

> 
> Log   iparestore.log
> 
> 2017-09-15T13:04:02Z DEBUG Logging to /var/log/iparestore.log
> 2017-09-15T13:04:02Z DEBUG ipa-restore was invoked with arguments
> ['/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/'] and options:
> {'log_file': None, 'data_only': False, 'verbose': False, 'gpg_keyring':
> None, 'quiet': False, 'instance': None, 'no_logs': False, 'online':
> False, 'password': None, 'unattended': False, 'backend': None}
> 2017-09-15T13:04:02Z DEBUG IPA version 4.1.4-1.fc21
> 2017-09-15T13:04:02Z INFO Preparing restore from
> /var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ on ldap.sf
> 2017-09-15T13:04:02Z INFO Performing FULL restore from FULL backup
> 2017-09-15T13:04:02Z DEBUG group dirsrv exists
> 2017-09-15T13:04:02Z DEBUG user dirsrv exists
> 2017-09-15T13:04:02Z DEBUG Starting external process
> 2017-09-15T13:04:02Z DEBUG args='tar' '--xattrs' '--selinux' '-xzf'
> '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'
> 2017-09-15T13:04:51Z DEBUG Process finished, return code=2
> 2017-09-15T13:04:51Z DEBUG stdout=
> 2017-09-15T13:04:51Z DEBUG stderr=tar: ./SF/changelog/id2entry.db: Wrote
> only 7168 of 10240 bytes
> tar: ./SF/changelog/targetuniqueid.db: Cannot write: No space left on device
> tar: ./SF/changelog/member.db: Cannot write: No space left on device
> tar: ./SF/changelog/numsubordinates.db: Cannot write: No space left on
> device
> tar: ./SF/changelog/uniquemember.db: Cannot write: No space left on device
> tar: ./SF/changelog/aci.db: Cannot write: No space left on device
> tar: ./SF/changelog/objectclass.db: Cannot write: No space left on device
> tar: ./SF/changelog/DBVERSION: Cannot write: No space left on device
> tar: ./SF/changelog/parentid.db: Cannot write: No space left on device
> tar: ./SF/changelog/cn.db: Cannot write: No space left on device
> tar: ./SF/changelog/nsuniqueid.db: Cannot write: No space left on device
> tar: ./SF/changelog/ancestorid.db: Cannot write: No space left on device
> tar: ./SF/changelog/seeAlso.db: Cannot write: No space left on device
> tar: ./SF/changelog/entryrdn.db: Cannot write: No space left on device
> tar: ./SF/changelog/changenumber.db: Cannot write: No space left on device
> tar: ./SF/changelog/entryusn.db: Cannot write: No space left on device
> tar: ./SF/dse_index.ldif: Cannot write: No space left on device
> tar: ./SF/log.095525: Cannot write: No space left on device
> tar: ./SF/userRoot/sourcehost.db: Cannot write: No space left on device
> tar: ./SF/userRoot/krbPrincipalName.db: Cannot write: No space left on
> device
> tar: ./SF/userRoot/ipakrbprincipalalias.db: Cannot write: No space left
> on device
> tar: ./SF/userRoot/macAddress.db: Cannot write: No space left on device
> tar: ./SF/userRoot/id2entry.db: Cannot write: No space left on device
> tar: ./SF/userRoot/memberOf.db: Cannot write: No space left on device
> tar: ./SF/userRoot/member.db: Cannot write: No space left on device
> tar: ./SF/userRoot/mail.db: Cannot write: No space left on device
> tar: ./SF/userRoot/memberHost.db: Cannot write: No space left on device
> tar: ./SF/userRoot/numsubordinates.db: Cannot write: No space left on device
> tar: ./SF/userRoot/uniquemember.db: Cannot write: No space left on device
> tar: ./SF/userRoot/managedby.db: Cannot write: No space left on device
> tar: ./SF/userRoot/ipasudorunas.db: Cannot write: No space left on device
> tar: ./SF/userRoot/givenName.db: Cannot write: No space left on device
> tar: ./SF/userRoot/uidnumber.db: Cannot write: No space left on device
> tar: ./SF/userRoot/uid.db: Cannot write: No space left on device
> tar: ./SF/userRoot/automountkey.db: Cannot write: No space left on device
> tar: ./SF/userRoot/aci.db: Cannot write: No space left on device
> tar: ./SF/userRoot/owner.db: Cannot write: No space left on device
> tar: ./SF/userRoot/ipaassignedidview.db: Cannot write: No space left on
> device
> tar: ./SF/userRoot/manager.db: Cannot write: No space left on device
> tar: ./SF/userRoot/displayname.db: 

[Freeipa-users] Problem with ipa restore

2017-09-15 Thread xattab--- via FreeIPA-users

Hi. I have tried to restore FreeIPA, but every time I get an error:

Command ''tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.''
returned non-zero exit status 2

My actions:

1. Run ipa-backup
2. Copy the backup to another server
3. Install FreeIPA with yum install freeipa-*
4. Then run ipa-restore on the backup dir

My environment:

Fedora 21
freeipa 4.1.4

In the log I saw a message like "Cannot write: No space left on device", but I
have enough space.

The whole untarred backup is about 20 GB, on a device with about 100 GB.

Can you help me? :)

Log   iparestore.log

2017-09-15T13:04:02Z DEBUG Logging to /var/log/iparestore.log
2017-09-15T13:04:02Z DEBUG ipa-restore was invoked with arguments
['/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/'] and options:
{'log_file': None, 'data_only': False, 'verbose': False, 'gpg_keyring':
None, 'quiet': False, 'instance': None, 'no_logs': False, 'online':
False, 'password': None, 'unattended': False, 'backend': None}
2017-09-15T13:04:02Z DEBUG IPA version 4.1.4-1.fc21
2017-09-15T13:04:02Z INFO Preparing restore from
/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ on ldap.sf
2017-09-15T13:04:02Z INFO Performing FULL restore from FULL backup
2017-09-15T13:04:02Z DEBUG group dirsrv exists
2017-09-15T13:04:02Z DEBUG user dirsrv exists
2017-09-15T13:04:02Z DEBUG Starting external process
2017-09-15T13:04:02Z DEBUG args='tar' '--xattrs' '--selinux' '-xzf'
'/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'
2017-09-15T13:04:51Z DEBUG Process finished, return code=2
2017-09-15T13:04:51Z DEBUG stdout=
2017-09-15T13:04:51Z DEBUG stderr=tar: ./SF/changelog/id2entry.db: Wrote
only 7168 of 10240 bytes
tar: ./SF/changelog/targetuniqueid.db: Cannot write: No space left on device
tar: ./SF/changelog/member.db: Cannot write: No space left on device
tar: ./SF/changelog/numsubordinates.db: Cannot write: No space left on
device
tar: ./SF/changelog/uniquemember.db: Cannot write: No space left on device
tar: ./SF/changelog/aci.db: Cannot write: No space left on device
tar: ./SF/changelog/objectclass.db: Cannot write: No space left on device
tar: ./SF/changelog/DBVERSION: Cannot write: No space left on device
tar: ./SF/changelog/parentid.db: Cannot write: No space left on device
tar: ./SF/changelog/cn.db: Cannot write: No space left on device
tar: ./SF/changelog/nsuniqueid.db: Cannot write: No space left on device
tar: ./SF/changelog/ancestorid.db: Cannot write: No space left on device
tar: ./SF/changelog/seeAlso.db: Cannot write: No space left on device
tar: ./SF/changelog/entryrdn.db: Cannot write: No space left on device
tar: ./SF/changelog/changenumber.db: Cannot write: No space left on device
tar: ./SF/changelog/entryusn.db: Cannot write: No space left on device
tar: ./SF/dse_index.ldif: Cannot write: No space left on device
tar: ./SF/log.095525: Cannot write: No space left on device
tar: ./SF/userRoot/sourcehost.db: Cannot write: No space left on device
tar: ./SF/userRoot/krbPrincipalName.db: Cannot write: No space left on
device
tar: ./SF/userRoot/ipakrbprincipalalias.db: Cannot write: No space left
on device
tar: ./SF/userRoot/macAddress.db: Cannot write: No space left on device
tar: ./SF/userRoot/id2entry.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberOf.db: Cannot write: No space left on device
tar: ./SF/userRoot/member.db: Cannot write: No space left on device
tar: ./SF/userRoot/mail.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberHost.db: Cannot write: No space left on device
tar: ./SF/userRoot/numsubordinates.db: Cannot write: No space left on device
tar: ./SF/userRoot/uniquemember.db: Cannot write: No space left on device
tar: ./SF/userRoot/managedby.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipasudorunas.db: Cannot write: No space left on device
tar: ./SF/userRoot/givenName.db: Cannot write: No space left on device
tar: ./SF/userRoot/uidnumber.db: Cannot write: No space left on device
tar: ./SF/userRoot/uid.db: Cannot write: No space left on device
tar: ./SF/userRoot/automountkey.db: Cannot write: No space left on device
tar: ./SF/userRoot/aci.db: Cannot write: No space left on device
tar: ./SF/userRoot/owner.db: Cannot write: No space left on device
tar: ./SF/userRoot/ipaassignedidview.db: Cannot write: No space left on
device
tar: ./SF/userRoot/manager.db: Cannot write: No space left on device
tar: ./SF/userRoot/displayname.db: Cannot write: No space left on device
tar: ./SF/userRoot/fqdn.db: Cannot write: No space left on device
tar: ./SF/userRoot/objectclass.db: Cannot write: No space left on device
tar: ./SF/userRoot/telephoneNumber.db: Cannot write: No space left on device
tar: ./SF/userRoot/DBVERSION: Cannot write: No space left on device
tar: ./SF/userRoot/title.db: Cannot write: No space left on device
tar: ./SF/userRoot/memberallowcmd.db: Cannot write: No space left on device
tar: ./SF/userRoot/parentid.db: Cannot write: No space left on device
tar: 
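Rob's reply earlier in this thread points at the real constraint behind the "No space left on device" lines above: ipa-restore unpacks ipa-full.tar into a staging area under /tmp (or TMPDIR) before anything reaches its final location, so the 100 GB on the target device never gets a say. The script below, added as an example and not part of FreeIPA's own tooling, does the capacity check up front. It measures the uncompressed tar stream rather than trusting gzip -l, which wraps at 4 GiB and would misreport a 20 GB backup, and compares it with the free space on the staging filesystem. The sample archive, the function names and the check_restore_staging interface are constructed for the demonstration.

```sh
#!/bin/sh
# Space pre-check before ipa-restore. Added example for this thread, not
# FreeIPA's own tooling. ipa-restore unpacks ipa-full.tar into a staging
# directory under TMPDIR (default /tmp), so a small /tmp fails with
# "No space left on device" even when the final destination has room.

# Uncompressed size of the tar stream in bytes. This counts tar headers and
# block padding too, so it slightly overestimates what lands on disk, which is
# the safe direction for a capacity check. "gzip -l" is avoided because its
# size field wraps at 4 GiB, useless for a 20 GB backup like the one above.
tar_stream_bytes() {
    gzip -dc "$1" | wc -c | tr -d ' '
}

# Free bytes on the filesystem that holds DIR (POSIX df output, 1 KiB units).
fs_avail_bytes() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# has_room NEED HAVE [MARGIN]: true when HAVE exceeds NEED plus MARGIN (bytes).
has_room() {
    [ "$2" -gt $(( $1 + ${3:-0} )) ]
}

# check_restore_staging ARCHIVE [STAGING_DIR]
# Reports whether the staging filesystem can hold the extracted archive.
check_restore_staging() {
    archive="$1"
    staging="${2:-${TMPDIR:-/tmp}}"
    need=$(tar_stream_bytes "$archive")
    have=$(fs_avail_bytes "$staging")
    if has_room "$need" "$have"; then
        echo "ok: $staging has $have bytes free; archive expands to about $need bytes"
    else
        echo "insufficient: $staging has $have bytes free, about $need needed;" \
             "export TMPDIR=<dir on a larger filesystem> before ipa-restore" >&2
        return 1
    fi
}

# Constructed sample: two zero-filled files (100 KiB and 50 KiB) packed the way
# the log above shows ipa-full.tar is read (gzip-compressed, hence tar -xzf).
make_sample_archive() {
    mkdir -p "$1/payload"
    dd if=/dev/zero of="$1/payload/a.db" bs=1024 count=100 2>/dev/null
    dd if=/dev/zero of="$1/payload/b.db" bs=1024 count=50 2>/dev/null
    ( cd "$1" && tar -cf - payload | gzip -c > ipa-full.tar )
    echo "$1/ipa-full.tar"
}

demo=$(mktemp -d)
archive=$(make_sample_archive "$demo")
check_restore_staging "$archive" "$demo"
check_restore_staging "$archive"        # default staging: $TMPDIR or /tmp
rm -rf "$demo"
```

On a real server run check_restore_staging against the ipa-full.tar inside the backup directory; when it reports "insufficient", point TMPDIR at a directory on the large filesystem and then call ipa-restore, which is exactly the workaround Rob suggests.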

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-15 Thread Mark Haney via FreeIPA-users

On 09/14/2017 09:41 AM, Alexander Bokovoy wrote:

On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:

Sigh.  As I said, I edited the repo to point DIRECTLY to 6.9 and got the
same result.  Care to explain that with some other policy?  Even then,
DOWNLOADING the RPM still will not install.  Is there a policy for that
too?

Well, I only pointed out that update repos for older releases stop being
updated in CentOS after some time. Why the local system does not update when
you point directly to a supported release is a different story. Perhaps
you have some yum plugins that prevent that upgrade? Check /etc/yum/*
configuration.


Well, after three days, I finally got sudo updated.  And that fixed the 
problem I was having.


Turns out someone, in their infinite wisdom, had excluded sudo from 
being updated.  No one in their right mind should ever need to exclude 
that significant a package, so I failed to check for exclusion.  I'm 
really embarrassed for whoever did something that moronic, but that's 
probably why they are no longer here.



--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
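Mark's resolution above (a forgotten exclude line kept sudo, a setuid root binary, from ever being updated) is worth turning into a routine check, and Alexander's pointer to the yum configuration is where to look. Here is such a check, added as an example and not part of the thread or of any CentOS tooling. It lists every exclude= pattern in /etc/yum.conf and /etc/yum.repos.d/*.repo with its file and section, and tests a package name against them with shell glob matching, which is how yum treats those patterns. The ROOT argument and the sample configuration are constructed for the demonstration; with no argument the functions read the live system.

```sh
#!/bin/sh
# Find packages pinned by "exclude=" in yum configuration. Added example for
# the thread above, not part of FreeIPA or CentOS tooling. ROOT ($1) lets the
# same functions run over a constructed tree; default is the live system.

# Prints "file:section:pattern" for every exclude pattern in /etc/yum.conf and
# /etc/yum.repos.d/*.repo (patterns may be separated by spaces or commas).
yum_excludes() {
    root="${1:-}"
    for f in "$root/etc/yum.conf" "$root"/etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*\[/ {
                section = $0
                sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            }
            /^[ \t]*exclude[ \t]*=/ {
                sub(/^[ \t]*exclude[ \t]*=[ \t]*/, "")
                n = split($0, pats, /[ \t,]+/)
                for (i = 1; i <= n; i++)
                    if (pats[i] != "") print file ":" section ":" pats[i]
            }' "$f"
    done
}

# is_excluded PACKAGE [ROOT]: exit 0 and print where PACKAGE is pinned if it
# matches any exclude pattern. yum patterns are shell globs ("kernel*" covers
# kernel-devel), and an unquoted pattern in sh "case" does the same matching.
is_excluded() {
    pkg="$1"; root="${2:-}"
    matches=$(yum_excludes "$root" | while IFS=: read -r file section pattern; do
        case "$pkg" in
            $pattern) echo "$pkg is excluded by '$pattern' in $file [$section]" ;;
        esac
    done)
    [ -n "$matches" ] && echo "$matches"
}

# Constructed configuration: a stray exclusion of sudo (the situation in the
# thread) next to the common kernel pin, plus a repo-level exclude.
make_sample_config() {
    mkdir -p "$1/etc/yum.repos.d"
    printf '[main]\ncachedir=/var/cache/yum\nexclude=kernel* sudo\n' \
        > "$1/etc/yum.conf"
    printf '[base]\nname=CentOS-$releasever - Base\nexclude=foo-*,bar\n' \
        > "$1/etc/yum.repos.d/CentOS-Base.repo"
}

demo=$(mktemp -d)
make_sample_config "$demo"
echo "all exclusions:"
yum_excludes "$demo"
for p in sudo kernel-devel foo-bar httpd; do
    is_excluded "$p" "$demo" || echo "$p is not excluded"
done
rm -rf "$demo"
```

Run is_excluded sudo on a box that refuses to update sudo and it names the file and section to fix; yum_excludes with no argument gives the full inventory of pins worth reviewing after a change of administrators.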


[Freeipa-users] Re: AIX 7.1 as IPA Client

2017-09-15 Thread Harald Dunkel via FreeIPA-users
On Thu, 14 Sep 2017 11:09:22 +0200
Ronald Wimmer via FreeIPA-users  wrote:

> Does anyone have AIX 7 IPA Clients? Is there also an IPA client 
> installer around or do I have to go through this:
> 
> https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients
> 

These links might be helpful:

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/ldap_client_setup.htm
https://www.ibm.com/developerworks/community/blogs/paixperiences/entry/aix_ldap_quick_n_dirty?lang=en


Regards
Harri