[Freeipa-users] Options for remote home directories
Trying to find the best option for me for better "shared" /home directories. I ideally would like to give everyone a network-based /home directory so I could quota the folders, so people would quit filling up every server's /home directory.

We have two major use cases. The first isn't much of a problem, but combined with the second it makes a problem.

* We have servers that people log in to with their LDAP account that are always connected to our NFS server.
* We also have laptops that users log in to with their LDAP account and connect to the network via VPN.

I realize I can force everyone's home directory to something like /nfshome/ in FreeIPA, but the problem with this is if they are remote on the laptop it causes all kinds of issues when they aren't on the VPN.

What are my options for handling this? Should I just quota everyone on the servers and tell everyone to use /nfshome/ and then leave the laptops alone?

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: ipasam failure with BACKTRACE
On 21-10-2022 16:10, Alexander Bokovoy wrote:
> On pe, 21 loka 2022, Kees Bakker via FreeIPA-users wrote:
> > It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work.
> > Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.
>
> I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.
>
> Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide, which literally wants you to install the ipa-client-samba package and run the ipa-client-samba installer to generate a proper configuration for a Samba server on an IPA client. Have you tried that?

No, I didn't know that was necessary.

> I am linking to the RHEL IdM in RHEL 8 guide because the RHEL 9 guides are not fully published yet. It is the same story there:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

Thanks for the pointer. I've done ipa-client-samba. To make it run I had to delete the already existing cifs/ service for this host. It was created at the time in CentOS 7.

Things aren't working yet. I'm now seeing NT_STATUS_NO_MEMORY errors in the samba logs for the connecting Windows client. Oh, and selinux is still "permissive", so that can't be a problem (yet).

-- Kees
[Freeipa-users] Re: CentOS 7 ipa-client-install issues
Hello,

You hit it, 88 seems to be the one causing troubles:

[root@newclient:/root]$ telnet freeipa1.example.com 88
Trying 1192.168.1.2...
telnet: connect to address 1192.168.1.2: Connection refused

[root@newclient:/root]$ telnet freeipa1.example.com 464
Trying 1192.168.1.2...
Connected to freeipa1.example.com.
Escape character is '^]'.

As soon as I turn off the local firewall:

[root@newclient:/root]$ telnet freeipa1.example.com 88
Trying 192.168.1.2...
Connected to freeipa1.example.com.
Escape character is '^]'.

And the installation completes as expected:

Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring a2noc.net as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

The port is in the firewall configuration, but I will have to figure out why it's problematic, because as soon as the firewall is restarted it starts to crawl again for the same reasons.

Thank you
[Freeipa-users] Re: ipasam failure with BACKTRACE
On pe, 21 loka 2022, Kees Bakker via FreeIPA-users wrote:
> It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work.
> Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.

I think this was fixed with https://bugzilla.redhat.com/show_bug.cgi?id=2096521 in Fedora and CentOS 9 Stream.

Coming back to your original task. You should not use ipasam outside of IPA trust controllers at all. Instead, please follow the RHEL IdM guide, which literally wants you to install the ipa-client-samba package and run the ipa-client-samba installer to generate a proper configuration for a Samba server on an IPA client. Have you tried that?

I am linking to the RHEL IdM in RHEL 8 guide because the RHEL 9 guides are not fully published yet. It is the same story there:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/setting-up-samba-on-an-idm-domain-member_configuring-and-managing-idm

> -- Kees
>
> On 17-10-2022 11:45, Kees Bakker via FreeIPA-users wrote:
> > Hi,
> >
> > This weekend I installed CentOS 9 Stream on a server that had CentOS 7 on it. One of its main tasks is to be a Samba server. I completely reinstalled and set up Samba. I used ipasam before and it was working. I copied the smb.conf from the old system. But now it gives me a fatal error.
> >
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111, 0] ../../lib/util/fault.c:172(smb_panic_log)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185, 0] ../../lib/util/fault.c:173(smb_panic_log)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in pid 271493 (4.16.4)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268, 0] ../../lib/util/fault.c:177(smb_panic_log)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322, 0] ../../lib/util/fault.c:182(smb_panic_log)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373, 0] ../../lib/util/fault.c:183(smb_panic_log)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in 4.16.4
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940, 0] ../../lib/util/fault.c:287(log_stack_trace)
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
> > Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #8
[Freeipa-users] Need Information regarding "ipa host-del" command
Newbie here.

I have a use case where I need to delete host principals only when no service principals exist on the host. Does "ipa host-del" perform this check? If not, then when I run this command would it delete the host principal and, along with it, delete all the service principals associated with it?

I tried to run the command on a host but got the following error:

ipa: ERROR: Insufficient access: Insufficient 'delete' privilege to delete the entry

What privileges are needed to run this command? I had already run kinit as an admin.
[Freeipa-users] Re: ipasam failure with BACKTRACE
It turns out to be caused by missing SELinux permissions. As soon as I set selinux to permissive it started to work.
Now, I've solved a few fcontext issues. samba-dcerpcd does not crash anymore. Still there are more things blocked by selinux, which I'm investigating right now.

-- Kees

On 17-10-2022 11:45, Kees Bakker via FreeIPA-users wrote:
> Hi,
>
> This weekend I installed CentOS 9 Stream on a server that had CentOS 7 on it. One of its main tasks is to be a Samba server. I completely reinstalled and set up Samba. I used ipasam before and it was working. I copied the smb.conf from the old system. But now it gives me a fatal error.
>
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.614868, 0] ipa_sam.c:5174(pdb_init_ipasam)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: Failed to get base DN.
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615001, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: pdb backend ipasam:ldaps://rotte.example.com did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615111, 0] ../../lib/util/fault.c:172(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615185, 0] ../../lib/util/fault.c:173(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: INTERNAL ERROR: pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in pid 271493 (4.16.4)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615268, 0] ../../lib/util/fault.c:177(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615322, 0] ../../lib/util/fault.c:182(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: ===
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615373, 0] ../../lib/util/fault.c:183(smb_panic_log)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: PANIC (pid 271493): pdb_get_methods: failed to get pdb methods for backend ipasam:ldaps://rotte.example.com
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: in 4.16.4
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.615940, 0] ../../lib/util/fault.c:287(log_stack_trace)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: BACKTRACE: 13 stack frames:
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #0 /lib64/libsamba-util.so.0(log_stack_trace+0x34) [0x7f2c94aebd74]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #1 /lib64/libsamba-util.so.0(smb_panic+0xd) [0x7f2c94aebfcd]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #2 /lib64/libsamba-passdb.so.0(+0x1c6df) [0x7f2c94a8f6df]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #3 /lib64/libsamba-passdb.so.0(pdb_get_aliasinfo+0x16) [0x7f2c94a8ff86]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #4 /usr/libexec/samba/samba-dcerpcd(finalize_local_nt_token+0x16a) [0x559ea4bed72a]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #5 /usr/libexec/samba/samba-dcerpcd(create_local_nt_token_from_info3+0x30c) [0x559ea4bee03c]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #6 /usr/libexec/samba/samba-dcerpcd(+0x175f3) [0x559ea4bf05f3]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #7 /usr/libexec/samba/samba-dcerpcd(+0x1f42c) [0x559ea4bf842c]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #8 /usr/libexec/samba/samba-dcerpcd(init_guest_session_info+0x21) [0x559ea4beaa71]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #9 /usr/libexec/samba/samba-dcerpcd(main+0x54a) [0x559ea4be5dba]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #10 /lib64/libc.so.6(+0x3feb0) [0x7f2c94333eb0]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #11 /lib64/libc.so.6(__libc_start_main+0x80) [0x7f2c94333f60]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: #12 /usr/libexec/samba/samba-dcerpcd(_start+0x25) [0x559ea4be78e5]
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: [2022/10/17 09:23:21.616354, 0] ../../source3/lib/dumpcore.c:317(dump_core)
> Oct 17 09:23:21 waal.example.com samba-dcerpcd[271493]: coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
>
> The versions of some
[Freeipa-users] Re: CentOS 7 ipa-client-install issues
Hi,

On Thu, Oct 20, 2022 at 2:34 PM Mark Johanson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> Having an issue with our CentOS 7 boxes joining FreeIPA. When I run the ipa-client-install command it does its thing up to a point. At which point the server slows to a dead crawl:
>
> Discovery was successful!
> Client hostname: newclient.test.com
> Realm: EXAMPLE.COM
> DNS Domain: example.com
> IPA Server: freeipa2.example.com
> BaseDN: dc=example,dc=com
>
> Skipping synchronizing time with NTP server.
> Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=EXAMPLE.COM
> Issuer: CN=Certificate Authority,O=EXAMPLE.COM
> Valid From: 2020-12-04 02:53:05
> Valid Until: 2040-12-04 02:53:05
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> trying https://freeipa2.example.com/ipa/json
> [try 1]: Forwarding 'schema' to json server 'https://freeipa2.example.com/ipa/json'
> trying https://freeipa2.example.com/ipa/session/json
> [try 1]: Forwarding 'ping' to json server 'https://freeipa2.example.com/ipa/session/json'
> [try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa2.example.com/ipa/session/json'
> Systemwide CA database updated.
> Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
> Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
> [try 1]: Forwarding 'host_mod' to json server 'https://freeipa2.example.com/ipa/session/json'
> Could not update DNS SSHFP records.
> SSSD enabled
> Configured /etc/openldap/ldap.conf
>
> At this point we are now just hanging.
>
> In trying to debug the issue, I start the client install and with sssctl I increase the debug to 10, and when it reaches the point of hanging I found the following in the logs:
>
> sssd_example.com.log:
>
> (2022-10-19 10:18:37): [be[example.com]] [request_watch_destructor] (0x0400): Deleting request watch
> (2022-10-19 10:18:37): [be[example.com]] [set_server_common_status] (0x0100): Marking server 'freeipa1.example.com' as 'name resolved'
> (2022-10-19 10:18:37): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa1.example.com: [192.168.1.1] TTL 193
> (2022-10-19 10:18:37): [be[example.com]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://freeipa1.example.com'
> (2022-10-19 10:18:37): [be[example.com]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA].
> (2022-10-19 10:18:37): [be[example.com]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_70orma]
> (2022-10-19 10:18:37): [be[example.com]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_70orma]
> (2022-10-19 10:18:37): [be[example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (2022-10-19 10:18:37): [be[example.com]] [create_tgt_req_send_buffer] (0x0400): buffer size: 60
> (2022-10-19 10:18:37): [be[example.com]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [16003]
> (2022-10-19 10:18:37): [be[example.com]] [child_handler_setup] (0x2000): Signal handler set up for pid [16003]
> (2022-10-19 10:18:37): [be[example.com]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
> (2022-10-19 10:18:37): [be[example.com]] [write_pipe_handler] (0x0400): All data has been sent!
> (2022-10-19 10:18:43): [be[example.com]] [get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to TGT child [16003] reached.
> (2022-10-19 10:18:43): [be[example.com]] [get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending SIGKILL to TGT child
> (2022-10-19 10:18:43): [be[example.com]] [read_pipe_handler] (0x0400): EOF received, client finished
> (2022-10-19 10:18:43): [be[example.com]] [child_sig_handler] (0x1000): Waiting for child [16003].
> (2022-10-19 10:18:43): [be[example.com]] [child_sig_handler] (0x0020): child [16003] failed with status [7].
> (2022-10-19 10:18:43): [be[example.com]] [child_callback] (0x0020): LDAP child was terminated due to timeout
> (2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
> (2022-10-19 10:18:43): [be[example.com]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1242
> (2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa1.example.com' as 'not working'
> (2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'freeipa1.example.com' as 'not
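The sssd debug excerpt quoted above has to be read by eye to see that the TGT request to the KDC timed out and that sssd then marked the LDAP port of the server as not working, which the follow-up in this thread traced to Kerberos port 88 being blocked by the client's local firewall. The Python below is an added example, not code from the thread or from SSSD: it parses lines in the quoted format, records fail-over status changes and flags that pattern. The sample log is constructed from the quoted lines, and the function names (parse_line, summarize, diagnose) are my own.

```python
import re

# Constructed sample modelled on the sssd_example.com.log lines quoted in the thread,
# kept with their mail-quote "> " prefixes as they appear when pasted from an archive.
SAMPLE_LOG = """\
> (2022-10-19 10:18:37): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa1.example.com: [192.168.1.1] TTL 193
> (2022-10-19 10:18:37): [be[example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
> (2022-10-19 10:18:37): [be[example.com]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
> (2022-10-19 10:18:43): [be[example.com]] [child_callback] (0x0020): LDAP child was terminated due to timeout
> (2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
> (2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa1.example.com' as 'not working'
> (2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'freeipa1.example.com' as 'not working'
"""

# One sssd debug line: "(timestamp): [component] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ADDR_RE = re.compile(r"Found address for server (?P<server>\S+): \[(?P<addr>[^\]]+)\]")
PORT_RE = re.compile(
    r"Marking port (?P<port>\d+) of (?:duplicate )?server '(?P<server>[^']+)' as '(?P<status>[^']+)'"
)


def parse_line(line):
    """Split one sssd debug line into its fields; return None for anything else."""
    m = LINE_RE.match(line.lstrip("> "))   # tolerate mail-quote prefixes
    if not m:
        return None
    rec = m.groupdict()
    rec["lvl"] = int(rec["lvl"], 16)        # debug level bitmask as an int
    return rec


def summarize(text):
    """Collect resolved addresses, fail-over port status and timeout events."""
    report = {"resolved": {}, "port_status": {}, "kdc_timeouts": 0, "child_timeouts": 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if (a := ADDR_RE.search(msg)):
            report["resolved"][a["server"]] = a["addr"]
        elif (p := PORT_RE.search(msg)):
            report["port_status"][(p["server"], int(p["port"]))] = p["status"]
        elif rec["func"] == "sdap_kinit_done" and "timed out" in msg:
            report["kdc_timeouts"] += 1
        elif rec["func"] == "child_callback" and "timeout" in msg:
            report["child_timeouts"] += 1
    return report


def diagnose(report):
    """Turn the summary into a hint for the operator."""
    down = [f"{s}:{p}" for (s, p), st in report["port_status"].items() if st == "not working"]
    if report["kdc_timeouts"] and down:
        # The TGT request failed before any LDAP bind, yet sssd marks the LDAP port
        # as not working; in the thread the cause was Kerberos port 88 blocked locally.
        return ("KDC (TGT) timeout before LDAP bind; sssd marked " + ", ".join(down)
                + " as not working. Check that TCP/UDP 88 (and 464 for kpasswd) to the "
                "IPA server pass the client's local firewall.")
    if down:
        return "Ports marked not working: " + ", ".join(down)
    return "No fail-over problems in this excerpt."
```

Running `diagnose(summarize(SAMPLE_LOG))` on the constructed excerpt points at the Kerberos ports rather than at LDAP port 389, which is the port sssd itself reports.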