Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Hi, Yepthat is the issueI put it in, rebooted, worked, took it out rebooted, didnt work, put it back in rebooted and it worked again. Wonders of a gui setupnormally I do it by hand and do a FQDNI assumed because it was short form in the file that is the way it is now, obviously not.bugger. 8- The hostname is lacking a domain name, that may be what is confusing things. As an test you might try setting hostname to be a fqdn and see if things improve. rob thanks... regards Steven ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Steven Jones wrote: Hi, Yepthat is the issueI put it in, rebooted, worked, took it out rebooted, didnt work, put it back in rebooted and it worked again. Wonders of a gui setupnormally I do it by hand and do a FQDNI assumed because it was short form in the file that is the way it is now, obviously not.bugger. Thanks for confirming. I've opened this ticket to track the issue, we should try to detect it https://fedorahosted.org/freeipa/ticket/1035 regards rob 8- The hostname is lacking a domain name, that may be what is confusing things. As an test you might try setting hostname to be a fqdn and see if things improve. rob thanks... regards Steven ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Setup windows AD Sync Failure
Sayid Munawar wrote: Dear, I have successfully installed freeipa-server 2 rc2. and create some test user and tested machine enrollment. now, what i want to do next is sync all my windows 2008r2 AD accounts. i've got already get the cert needed, and tested it with ldapsearch tools in the same host as the freeipa-server. so i assume that AD connection is ok. but when i did ipa-manage-replica, it complaints about Can't connect LDAP server. here it is: [root@yk ~]# ipa-replica-manage connect --winsync --binddn cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc --bindpw somesecret --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate database for yk.nix.jc ipa: INFO: Failed to connect to AD server dc1.dot.jc ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': Can't contact LDAP server} ipa: INFO: Continuning ... The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc Windows PassSync entry exists, not resetting password ipa: INFO: Added new sync agreement, waiting for it to become ready . . . ipa: INFO: Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0 ipa: INFO: Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. Can't contact LDAP server [root@yk ~]# - I have no idea why AD connection is fail here, while it was ok with ldapsearch tool. any clue ? - and one more question: what is --passsync argument for? is it for foce setting a new password for passsync user, or we have to first define a password for passsync user ? TIA Sayid Munawar Passsync is a service that needs to run on all of your AD servers. It is a windows service that intercepts password requests and sends them along to IPA (over SSL). We need to have the password in the clear in order to generate Kerberos key material. A special LDAP user is used for authentication to the Passsync service, the --passsync option sets the password for that account. Make sure your CA was installed as an Enterprise CA (apparently it is the only kind that sets up a pure SSL LDAP port as opposed to using TLS over 389). We discovered several winsync issues shortly after RC 2 was released. They are fixed now, you can take a look at them here: https://fedorahosted.org/freeipa/ticket/1006 https://fedorahosted.org/freeipa/ticket/1015 https://fedorahosted.org/freeipa/ticket/1020 https://fedorahosted.org/freeipa/ticket/1021 https://fedorahosted.org/freeipa/ticket/1022 We discovered these while fixing this: https://fedorahosted.org/freeipa/ticket/266 regards rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] replication setup failure
Steven Jones wrote: 8 starting replication, please wait until this has completed. Update in progress Update in progress Update in progress Update in progress Update in progress Update succeeded [21/27]: adding replication acis [22/27]: initializing group membership [23/27]: adding master entry [24/27]: configuring Posix uid/gid generation [25/27]: enabling compatibility plugin [26/27]: tuning directory server [27/27]: configuring directory to start on boot done configuring dirsrv. Configuring Kerberos KDC: Estimated time 30 seconds [1/9]: adding sasl mappings to the directory [2/9]: writing stash file from DS [3/9]: configuring KDC [4/9]: creating a keytab for the directory [5/9]: creating a keytab for the machine [6/9]: adding the password extension to the directory [7/9]: enable GSSAPI for replication creation of replica failed: list index out of range Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. [root@fed14-64-ipam002 ~]# messages log == Mar 3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 7f e9a7fd5de4 sp 7fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000 +5000] == Replica install log == 8 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn =dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule -2359 0123456 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z 2011-03-03 00:12:16,048 DEBUG list index out of range File /usr/sbin/ipa-replica-install, line 507, inmodule main() File /usr/sbin/ipa-replica-install, line 468, in main install_krb(config, setup_pkinit=options.setup_pkinit) File /usr/sbin/ipa-replica-install, line 216, in install_krb setup_pkinit, pkcs12_info) File /usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py, line 211, in create _replica self.start_creation(Configuring Kerberos KDC, 30) File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 283, in start_crea tion method() File /usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py, line 556, in __conv ert_to_gssapi_replication r_bindpw=self.dm_password) File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 688, in conver t_to_gssapi_replication self.gssapi_update_agreements(self.conn, r_conn) File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 458, in gssapi _update_agreements self.setup_krb_princs_as_replica_binddns(a, b) File /usr/lib/python2.7/site-packages/ipaserver/install/replication.py, line 451, in setup_ krb_princs_as_replica_binddns mod = [(ldap.MOD_ADD, nsds5replicabinddn, a_pn[0].dn)] So how to fix? regards Steven Ok, this is a new one and may be similar to other hostname issues you've run into. Can you give me the output of this search: ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn I would expect the same results from both your new replica and your existing master but if they're different that would be good to know. I'm going to guess that either we stored a non-fqdn or we're searching for a non-fqdn (we'll have to infer that, I think, if you have the fqdn stored in LDAP). We are doing a very specific search for the principal for the hostnames on each side of the replication agreement, I'm guessing that we're not finding one of them and we haven't taken that into consideration. I filed https://fedorahosted.org/freeipa/ticket/1044 for this. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users