[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
Thanks for the heads up. I was just changing the config manually. I’ve kind of 
stayed away from automount because I’ve had a lot of trouble with it on Ubuntu 
boxes. Didn’t actually realize it modifies the idmapd config.

No problem! I posted on Friday so I figured it might be a few days before 
someone even saw this. Thanks for answering. 

-Kevin

> On Oct 7, 2019, at 2:19 PM, François Cami wrote:
> 
> On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users wrote:
>> 
>> Ok thanks! I just tried it and that seems to do it! Just using the 
>> “example.com” domain in the idmapd.conf file that is.
>> 
>> I’ll just need to modify all of my clients’ idmapd config, which isn’t 
>> that big of a deal.
> 
> If you like, newer versions of ipa-client-automount have a new knob to
> specify just that:
> https://pagure.io/freeipa/issue/7918
> 
> Apologies for not seeing this thread earlier.
> 
> François
> 
>> Thanks for the help.
>> 
>> -Kevin
>> 

[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread François Cami via FreeIPA-users
On Mon, Oct 7, 2019 at 8:39 PM Kevin Vasko via FreeIPA-users wrote:
>
> Ok thanks! I just tried it and that seems to do it! Just using the 
> “example.com” domain in the idmapd.conf file that is.
>
> I’ll just need to modify all of my clients’ idmapd config, which isn’t that 
> big of a deal.

If you like, newer versions of ipa-client-automount have a new knob to
specify just that:
https://pagure.io/freeipa/issue/7918

Apologies for not seeing this thread earlier.

François

> Thanks for the help.
>
> -Kevin
>

[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-10-07 Thread Stuart McRobert via FreeIPA-users

Dear Rob,

> Well, all IPA masters are equals more or less. It would be sort of a 
> stigma to mark one as a replica forever, for the only reason that it 
> wasn't installed first. This would be particularly confusing if the 
> first master was removed.


A good point thanks, in which case may I suggest for clarity simply 
revising my suggested name from


ipa-ca-install-replica

to

ipa-ca-install-additional-master

helping to indicate exactly what this will do, i.e. any other CA servers 
will be safe and not at risk from this.



> It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.


Which is indeed present on our second server.

> My guess is someone tried to install a CA at some point in the past and 
> it failed and they just left it. The installer is not idempotent and 
> there is no CA-specific uninstall so the only way around it is to fully 
> uninstall the master and try again.


Having had a look around, I found the initial install from Sep 2016 
(probably the F24 release, as I have the upgrade to F26 in there), and indeed I 
did miss out the --setup-ca option at the very start.


Meanwhile, returning to the CA on this, our second server, it does indeed appear 
to be partially installed; the URL server:8080/ca/admin/ca/getStatus 
reports

<XMLResponse>
<State>1</State>
<Type>CA</Type>
<Status>running</Status>
<Version>10.3.5-12.fc26</Version>
</XMLResponse>

The install log file is also there, starting with:

2018-09-28T06:40:20Z DEBUG /usr/sbin/ipa-ca-install was invoked with 
options: {'external_cert_files': None, 'skip_schema_check': False, 
'external_ca_type': None, 'unattended': False, 'no_host_dns': False, 
'ca_signing_algorithm': None, 'debug': False, 'external_ca': False, 
'skip_conncheck': False},None


With highlights including

Connection from master to replica is OK.

Still goes well

Loading deployment configuration from /tmp/tmpIR6kRz.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into 
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Importing certificates from /tmp/ca.p12:


2018-09-28T06:42:47Z DEBUG stderr=
2018-09-28T06:42:47Z DEBUG wait_for_open_ports: localhost [8080, 8443] 
timeout 300
2018-09-28T06:42:49Z DEBUG Waiting until the CA is running

which seems to be the problem:

2018-09-28T06:42:54Z DEBUG The CA status is: check interrupted due to 
error: Retrieving CA status failed with status 500
2018-09-28T06:42:54Z DEBUG Waiting for CA to start...
2018-09-28T06:42:55Z DEBUG request POST URL left out
2018-09-28T06:42:55Z DEBUG request body ''
2018-09-28T06:42:55Z DEBUG response status 500

and ending after five minutes of trying this with:

2018-09-28T06:47:48Z DEBUG The CA status is: check interrupted due to error: 
Retrieving CA status failed with status 500
2018-09-28T06:47:48Z DEBUG Waiting for CA to start...
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", 
line 194, in start_instance
self.start('pki-tomcat')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
346, in start
self.service.start(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
218, in start
self.wait_until_running()
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
212, in wait_until_running
raise RuntimeError('CA did not start in %ss' % timeout)
RuntimeError: CA did not start in 300.0s

2018-09-28T06:47:49Z CRITICAL Failed to restart the Dogtag instance.See the 
installation log for details.
2018-09-28T06:47:49Z DEBUG   duration: 302 seconds
2018-09-28T06:47:49Z DEBUG   [16/26]: importing CA chain to RA certificate 
database
2018-09-28T06:47:49Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2018-09-28T06:47:49Z DEBUG Starting external process
2018-09-28T06:47:49Z DEBUG args=/usr/bin/certutil -d /etc/httpd/alias -L
2018-09-28T06:47:49Z DEBUG Process finished, return code=0
2018-09-28T06:47:49Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

.. IPA CA                                                    CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u

2018-09-28T06:47:49Z DEBUG stderr=
2018-09-28T06:47:49Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
449, in start_creation
run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
439, in run_step

[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
Ok thanks! I just tried it and that seems to do it! Just using the 
“example.com” domain in the idmapd.conf file that is.

I’ll just need to modify all of my clients’ idmapd config, which isn’t that 
big of a deal. 

Thanks for the help.

-Kevin

> On Oct 7, 2019, at 12:13 PM, Simo Sorce wrote:
> 
> Hi Kevin,
> comments inline.
> 
>> On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote:
>> Thanks.
>> 
>> So the clients have different host names depending on where they are located 
>> geographically.
>> 
>> For example 
>> 
>> machines in CA have a FQDN of client1.ca.example.com
>> 
>> machines in NY have a FQDN of client8.ny.example.com
>> 
>> They both still belong to the same REALM of EXAMPLE.COM.
> 
> Good, REALM and domain should be the same in your case IMO.
> 
> Subdomains are just an organizational tool for you, the actual
> authentication/identity domain is the same as the REALM.
> 
>> In their idmapd.conf file the 
>> 
>> # Domain = hostname.local
>> 
>> is commented out, and by default it uses the hostnames domain as the value.
>> 
>> So client1 Domain value by default would be set to ca.example.com and 
>> client8 would be set to ny.example.com.
>> 
>> Should I be listing both ca.example.com AND ny.example.com in their 
>> idmapd.conf file? 
> 
> Don't think so
> 
>> Based off what you are saying I should just be able to get away with listing 
>> “Domain = example.com” which is the REALM? 
> 
> Yes, this is what you should do, IMO.
> 
> Simo.
> 
>> 
>> -Kevin
>> 
> 
> -- 
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
> 
> 
> 
> 
[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Simo Sorce via FreeIPA-users
Hi Kevin,
comments inline.

On Mon, 2019-10-07 at 11:50 -0500, Kevin Vasko wrote:
> Thanks.
> 
> So the clients have different host names depending on where they are located 
> geographically.
> 
> For example 
> 
> machines in CA have a FQDN of client1.ca.example.com
> 
> machines in NY have a FQDN of client8.ny.example.com
> 
> They both still belong to the same REALM of EXAMPLE.COM.

Good, REALM and domain should be the same in your case IMO.

Subdomains are just an organizational tool for you, the actual
authentication/identity domain is the same as the REALM.

> In their idmapd.conf file the 
> 
> # Domain = hostname.local
> 
> is commented out, and by default it uses the hostnames domain as the value.
> 
> So client1 Domain value by default would be set to ca.example.com and client8 
> would be set to ny.example.com.
> 
> Should I be listing both ca.example.com AND ny.example.com in their 
> idmapd.conf file? 

Don't think so

> Based off what you are saying I should just be able to get away with listing 
> “Domain = example.com” which is the REALM? 

Yes, this is what you should do, IMO.

Simo.

> 
> -Kevin
> 

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
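The fix the thread settles on, a single idmapd Domain equal to the realm's DNS name on the server and on every client (set by hand here, or by the ipa-client-automount option François points to), can be reproduced and checked offline. What follows is an added example written for this page, not code from the thread, from nfs-utils or from FreeIPA: it re-implements the domain check that nfsidmap's nss_getpwnam applies to an owner string coming off the wire, reads and rewrites the Domain line of an idmapd.conf, and runs both against a constructed config. The file paths, the sample config and the function names are assumptions. The 4294967294 in Kevin's listing is 2^32 - 2, the uid the kernel falls back to when a name fails to map.

```shell
#!/bin/sh
# Added example for this page; not code from the thread, nfs-utils or FreeIPA.
# Paths, the sample idmapd.conf and all function names are constructed.

# Effective NFSv4 idmap domain of a host: the uncommented "Domain =" value
# in the [General] section, else the fallback. nfsidmap falls back to the
# host's DNS domain, which is how client1.ca.example.com ends up with
# ca.example.com while the NY server uses ny.example.com.
idmap_effective_domain() {
    conf="$1"; fallback="$2"
    d=$(awk -F= '
        /^[ \t]*\[/ { sect = $0; next }
        sect ~ /^[ \t]*\[General\]/ && $1 ~ /^[ \t]*Domain[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$conf" 2>/dev/null)
    if [ -n "$d" ]; then printf '%s\n' "$d"; else printf '%s\n' "$fallback"; fi
}

# What nss_getpwnam does with an owner string from the wire: "user@domain"
# maps to the local "user" only when domain equals this host's idmap domain
# (compared case-insensitively). Otherwise the mapping fails, the log gets
# "nss_getpwnam: name 'user@ny.example.com' does not map into domain
# 'ca.example.com'" and the kernel shows nobody (uid 4294967294, i.e. -2).
# The real plugin then also requires getpwnam("user") to succeed; that
# lookup is left out so the demo runs without system accounts.
nfs4_map_owner() {
    owner="$1"; local_domain="$2"
    case "$owner" in
        *@*) user=${owner%@*}; ndom=${owner##*@} ;;
        *)   printf 'nobody\n'; return 1 ;;
    esac
    if [ "$(printf '%s' "$ndom" | tr 'A-Z' 'a-z')" = \
         "$(printf '%s' "$local_domain" | tr 'A-Z' 'a-z')" ]; then
        printf '%s\n' "$user"
    else
        printf 'nobody\n'; return 1
    fi
}

# Idempotently set "Domain = <domain>" under [General]: rewrite an existing
# Domain line (commented out or not), else add one after the [General]
# header, else append a [General] section. Writes via a temp file and mv.
set_idmap_domain() {
    conf="$1"; domain="$2"
    awk -v dom="$domain" '
        /^[ \t]*\[/ { sect = $0 }
        { lines[++n] = $0 }
        sect ~ /^[ \t]*\[General\]/ && !hdr && /^[ \t]*\[General\]/ { hdr = n }
        sect ~ /^[ \t]*\[General\]/ && !hit && /^[ \t]*#?[ \t]*Domain[ \t]*=/ { hit = n }
        END {
            if (hit) lines[hit] = "Domain = " dom
            for (i = 1; i <= n; i++) {
                print lines[i]
                if (!hit && i == hdr) print "Domain = " dom
            }
            if (!hit && !hdr) { print "[General]"; print "Domain = " dom }
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed demo: a client in ca.example.com with Domain left commented
# out (as in Kevin's file), then fixed to match the realm's DNS name.
tmp=$(mktemp -d)
printf '[General]\nVerbosity = 0\n# Domain = hostname.local\n\n[Mapping]\nNobody-User = nobody\n' \
    > "$tmp/idmapd.conf"
dom=$(idmap_effective_domain "$tmp/idmapd.conf" ca.example.com)
echo "before: Domain=$dom; user@ny.example.com -> $(nfs4_map_owner user@ny.example.com "$dom")"
set_idmap_domain "$tmp/idmapd.conf" example.com
dom=$(idmap_effective_domain "$tmp/idmapd.conf" ca.example.com)
echo "after:  Domain=$dom; user@example.com -> $(nfs4_map_owner user@example.com "$dom")"
rm -rf "$tmp"
```

On a real client `nfsidmap -d` prints the effective domain that idmap_effective_domain computes here, and after editing idmapd.conf the idmapd service has to be restarted and the kernel's cached mappings cleared with `nfsidmap -c`, otherwise the nobody entries linger until their keyring timeout. The ipa-client-automount knob from issue 7918 writes the same line (`--idmap-domain`; check `ipa-client-automount --help` on your version), and the server needs the identical Domain value or it will keep sending owners as user@ny.example.com.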


[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Kevin Vasko via FreeIPA-users
Thanks.

So the clients have different host names depending on where they are located 
geographically.

For example 

machines in CA have a FQDN of client1.ca.example.com

machines in NY have a FQDN of client8.ny.example.com

They both still belong to the same REALM of EXAMPLE.COM.

In their idmapd.conf file the 

# Domain = hostname.local

is commented out, and by default it uses the hostnames domain as the value.

So client1 Domain value by default would be set to ca.example.com and client8 
would be set to ny.example.com.

Should I be listing both ca.example.com AND ny.example.com in their idmapd.conf 
file? 

Based off what you are saying I should just be able to get away with listing 
“Domain = example.com” which is the REALM? 


-Kevin

> On Oct 7, 2019, at 11:40 AM, Simo Sorce wrote:
> 
> Note I assume that by "domains" you mean just DNS domains not separate
> FreeIPA installs, if they are separate installs then it would be a lot
> more complicated.
> 
> Another way that you can handle auth sys is to configure the domain on
> the server (as any of the domain strings you want) and then use the
> same domain on all clients), that should make them work.
> 
> 
> -- 
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
> 
> 
> 
> 


[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Simo Sorce via FreeIPA-users
Note I assume that by "domains" you mean just DNS domains not separate
FreeIPA installs, if they are separate installs then it would be a lot
more complicated.

Another way that you can handle auth sys is to configure the domain on
the server (as any of the domain strings you want) and then use the
same domain on all clients), that should make them work.

On Mon, 2019-10-07 at 12:37 -0400, Simo Sorce via FreeIPA-users wrote:
> If you use krb5 authentication you should have no issues, are you using
> auth=sys instead ?
> 
> 
> -- 
> Simo Sorce
> RHEL Crypto Team
> Red Hat, Inc
> 
> 
> 

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc





[Freeipa-users] Re: FreeIPA with multiple domains not mappings ids correctly on NFS

2019-10-07 Thread Simo Sorce via FreeIPA-users
If you use krb5 authentication you should have no issues, are you using
auth=sys instead ?

On Fri, 2019-10-04 at 17:10 -0500, Kevin Vasko via FreeIPA-users wrote:
> Hello,
>  
> I’ve got FreeIPA setup where I have multiple domains for client machines 
> depending on their geography.
>  
> For example, ca.example.com, and ny.example.com. 
>  
> I have a NFS server in nfs-server.ny.example.com and users mapping the NFS 
> server on their clients from ny.example.com and ca.example.com. Users in 
> ny.example.com show files owner:group just fine but users in ca.example.com 
> everything on the nfs server shows nobody:nogroup or nobody: 4294967294
>  
> On the clients I’m seeing this issue on I see these error messages in the log.
>  
> Oct  4 16:53:14 aiml1 nfsidmap[7867]: nss_getpwnam: name 
> ‘u...@ny.example.com' does not map into domain 'ca.example.com’
>  
> I did some googling and people are saying to add the domain to 
> /etc/idmapd.conf but since I already have multiple domains (3 actually) I 
> don’t see how this will work for all instances unless I can add multiple 
> domains. I don’t see an obvious way to add multiple domains.
>  
> Is there a clean way to handle this?
> 
> -Kevin

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



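Added example, not code from nfs-utils or FreeIPA, modelling what the thread describes: the NFS server and each client take their id-mapping domain from idmapd.conf (falling back to the host's DNS domain when Domain is commented out), and an owner name maps only when its domain part equals the client's Domain. The idmapd.conf texts, hostnames and passwd table are constructed; the hostname-derived fallback is an assumption taken from the thread's description.

```python
"""Model of nfsidmap's domain check, reproducing the mismatch in the thread
and the fix (one shared Domain in idmapd.conf).  Added example, not code from
nfs-utils or FreeIPA; config texts, hostnames and passwd table are constructed."""
import configparser

NOBODY_UID = 4294967294  # id the client shows for names it could not map

# Constructed idmapd.conf fragments: the stock file with Domain commented out,
# and the fix from the thread with the realm's domain set explicitly.
DEFAULT_CONF = "[General]\n# Domain = hostname.local\n\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n"
FIXED_CONF = "[General]\nDomain = example.com\n\n[Mapping]\nNobody-User = nobody\nNobody-Group = nogroup\n"
PASSWD = {"kevin": 1001}  # constructed stand-in for the NSS passwd lookup


def effective_domain(idmapd_conf: str, fqdn: str) -> str:
    """Domain nfsidmap uses: [General] Domain if set, else (assumption, as the
    thread describes) the host's DNS domain, i.e. the FQDN minus its first label."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(idmapd_conf)
    explicit = cp.get("General", "Domain", fallback="").strip()
    return (explicit or fqdn.split(".", 1)[1]).lower()


def owner_string(user: str, server_domain: str) -> str:
    """Owner attribute the NFSv4 server sends for a file: user@<its Domain>."""
    return f"{user}@{server_domain}"


def map_owner(owner: str, client_domain: str, passwd: dict) -> tuple:
    """Client side: return (uid, message).  The domain part must equal the
    client's Domain, otherwise the name falls back to nobody."""
    user, _, domain = owner.rpartition("@")
    if domain.lower() != client_domain:
        return NOBODY_UID, (f"nss_getpwnam: name '{owner}' does not map "
                            f"into domain '{client_domain}'")
    return passwd.get(user, NOBODY_UID), f"mapped {owner}"


def resolve(user, server_conf, server_fqdn, client_conf, client_fqdn, passwd):
    """End to end: server formats the owner, client tries to map it back."""
    owner = owner_string(user, effective_domain(server_conf, server_fqdn))
    return map_owner(owner, effective_domain(client_conf, client_fqdn), passwd)


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        uid, msg = resolve("kevin", conf, "nfs-server.ny.example.com",
                           conf, "client1.ca.example.com", PASSWD)
        print(f"{label:7} uid={uid} {msg}")
```

With the stock config the ca.example.com client reproduces the log line from the thread and shows 4294967294; with Domain = example.com on both server and client the same user maps to its uid.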


[Freeipa-users] Re: Enabling more FreeIPA CA servers

2019-10-07 Thread Rob Crittenden via FreeIPA-users
Stuart McRobert wrote:
> Dear Rob,
> 
> Earlier you commented:
> 
>> You can run ipa-ca-install at any time to add a CA to an existing master.
> 
> Indeed; however, if I may suggest, it might be useful to also have an alias
> 
> ipa-ca-install-replica
> 
> to clearly indicate it is safe to use this command and it will *not* end
> up replacing your current (possibly only) active CA.  Experienced admins
> may know this couldn't happen, but others may not. I read and searched
> for examples first, but one tends to be rather cautious especially once
> you realise you only have a single CA installed.

Well, all IPA masters are equal, more or less. It would be sort of a
stigma to mark one as a replica forever, for the only reason that it
wasn't installed first. This would be particularly confusing if the
first master was removed.

> 
> Alas in my case I see
> 
>>   [root@freeipa02 ~]# ipa-ca-install
>>   CA is already installed on this host.
> 
> yet
> 
> ipa server-role-find --role "CA server"
> 
> indicates for this server it has status absent, which ties up with other
> warnings about there only being one.

It looks for the existence of /etc/pki/pki-tomcat/ca/CS.cfg.

>>     Server name: freeipa02...
>>     Role name: CA server
>>     Role status: absent
> 
> I've not worked out why yet. Wondered if it might be installed but not
> enabled, and if so, would it have up to date information. Puzzled.

My guess is someone tried to install a CA at some point in the past and
it failed and they just left it. The installer is not idempotent and
there is no CA-specific uninstall so the only way around it is to fully
uninstall the master and try again.

> 
> 
> Dear Satish,
> 
>> All I would say is please run multiple CA servers in your LDAP
>> infrastructure, otherwise you will be in very big trouble like I was
>> in...
> 
> Thanks and sorry to hear about the trouble you experienced, clearly I
> would like to avoid this happening here too.
> 
> When I installed the FreeIPA servers a few years ago I honestly didn't
> realise the CA hadn't been replicated along with everything else. Then
> in a newer version I happened to notice the warning via the web
> interface, only one CA server, although it might be useful to also
> include how to fix such an omission with the warning.
> 
> As soon as I (and more experienced experts reading) can work out how to
> get CA replication operational in this case, I will sleep easier.  I
> have already noticed the significant impact to services when freeipa01,
> our complete server, is even briefly down, which really wasn't my
> intention.
> 
> Thanks to all.
> 
> Best wishes
> 
> Stuart