Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-02 Thread Steven Jones

Hi,

Yep... that is the issue... I put it in, rebooted, worked, took it out,
rebooted, didn't work, put it back in, rebooted and it worked again.
Wonders of a GUI setup... normally I do it by hand and do a FQDN... I
assumed because it was short form in the file that is the way it is now,
obviously not... bugger.

8-
 
 The hostname is lacking a domain name, that may be what is confusing 
 things. As a test you might try setting hostname to be a fqdn and see 
 if things improve.
 
 rob


thanks...

regards

Steven

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-02 Thread Rob Crittenden

Steven Jones wrote:


Hi,

Yep... that is the issue... I put it in, rebooted, worked, took it out,
rebooted, didn't work, put it back in, rebooted and it worked again.
Wonders of a GUI setup... normally I do it by hand and do a FQDN... I
assumed because it was short form in the file that is the way it is now,
obviously not... bugger.


Thanks for confirming. I've opened this ticket to track the issue, we 
should try to detect it https://fedorahosted.org/freeipa/ticket/1035


regards

rob



Re: [Freeipa-users] Setup windows AD Sync Failure

2011-03-02 Thread Rob Crittenden

Sayid Munawar wrote:

Dear,

I have successfully installed freeipa-server 2 rc2 and created some test
users and tested machine enrollment. Now, what I want to do next is sync
all my Windows 2008r2 AD accounts. I've already got the cert needed,
and tested it with the ldapsearch tool on the same host as the
freeipa-server, so I assume that the AD connection is OK. But when I did
ipa-manage-replica, it complains about Can't connect LDAP server.
Here it is:

[root@yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw somesecret --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC

Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate
database for yk.nix.jc
ipa: INFO: Failed to connect to AD server dc1.dot.jc
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': "Can't contact LDAP server"}
ipa: INFO: Continuning ...
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 No
replication sessions started since server startup: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Can't contact LDAP server
[root@yk ~]#


- I have no idea why the AD connection fails here, while it was OK with
the ldapsearch tool. Any clue?

- and one more question: what is the --passsync argument for? Is it for
force-setting a new password for the passsync user, or do we have to first
define a password for the passsync user?

TIA

Sayid Munawar


Passsync is a service that needs to run on all of your AD servers. It is 
a windows service that intercepts password requests and sends them along 
to IPA (over SSL). We need to have the password in the clear in order to 
generate Kerberos key material.


A special LDAP user is used for authentication to the Passsync service, 
the --passsync option sets the password for that account.


Make sure your CA was installed as an Enterprise CA (apparently it is 
the only kind that sets up a pure SSL LDAP port as opposed to using TLS 
over 389).


We discovered several winsync issues shortly after RC 2 was released. 
They are fixed now, you can take a look at them here:


https://fedorahosted.org/freeipa/ticket/1006
https://fedorahosted.org/freeipa/ticket/1015
https://fedorahosted.org/freeipa/ticket/1020
https://fedorahosted.org/freeipa/ticket/1021
https://fedorahosted.org/freeipa/ticket/1022

We discovered these while fixing this:

https://fedorahosted.org/freeipa/ticket/266

regards

rob



Re: [Freeipa-users] replication setup failure

2011-03-02 Thread Rob Crittenden

Steven Jones wrote:

8
starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
   [21/27]: adding replication acis
   [22/27]: initializing group membership
   [23/27]: adding master entry
   [24/27]: configuring Posix uid/gid generation
   [25/27]: enabling compatibility plugin
   [26/27]: tuning directory server
   [27/27]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
   [1/9]: adding sasl mappings to the directory
   [2/9]: writing stash file from DS
   [3/9]: configuring KDC
   [4/9]: creating a keytab for the directory
   [5/9]: creating a keytab for the machine
   [6/9]: adding the password extension to the directory
   [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@fed14-64-ipam002 ~]#


messages log
==
Mar  3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 7fe9a7fd5de4 sp 7fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
==

Replica install log
==
8
2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule -2359 0123456
2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
2011-03-03 00:12:16,048 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 507, in <module>
    main()

  File "/usr/sbin/ipa-replica-install", line 468, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 216, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]



So how to fix?

regards

Steven



Ok, this is a new one and may be similar to other hostname issues you've 
run into. Can you give me the output of this search:


ldapsearch -x -b 'dc=example,dc=com' 'krbprincipalname=ldap/*' dn

I would expect the same results from both your new replica and your 
existing master but if they're different that would be good to know.


I'm going to guess that either we stored a non-fqdn or we're searching 
for a non-fqdn (we'll have to infer that, I think, if you have the fqdn 
stored in LDAP).


We are doing a very specific search for the principal for the hostnames 
on each side of the replication agreement, I'm guessing that we're not 
finding one of them and we haven't taken that into consideration. I 
filed https://fedorahosted.org/freeipa/ticket/1044 for this.


rob

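Two threads above share one root cause: a system hostname that is not fully qualified (the issue Rob says ticket 1035 should detect) makes the "find the ldap/ principal for each side of the agreement" search return nothing, and the last frame of the traceback then indexes an empty result list. The following Python is an added example written for this thread; it is not FreeIPA's own code. The Entry class, SAMPLE_DIRECTORY contents, the search filter `krbprincipalname=ldap/<host>@*` and the hostnames are constructed assumptions, chosen to mirror the failing line `a_pn[0].dn` and show what a guarded version of the same lookup reports instead of "list index out of range".

```python
import re
from dataclasses import dataclass


# Hypothetical, constructed stand-in for one LDAP search result entry.
@dataclass(frozen=True)
class Entry:
    dn: str
    krbprincipalname: str


# Constructed sample directory: the ldap/ service principals of two masters,
# stored under their fully qualified names (the form ipa-server-install uses).
SAMPLE_DIRECTORY = [
    Entry("krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz@IPA.AC.NZ,"
          "cn=services,cn=accounts,dc=ipa,dc=ac,dc=nz",
          "ldap/fed14-64-ipam001.ipa.ac.nz@IPA.AC.NZ"),
    Entry("krbprincipalname=ldap/fed14-64-ipam002.ipa.ac.nz@IPA.AC.NZ,"
          "cn=services,cn=accounts,dc=ipa,dc=ac,dc=nz",
          "ldap/fed14-64-ipam002.ipa.ac.nz@IPA.AC.NZ"),
]

# One DNS label: letters/digits, hyphens allowed inside, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_fqdn(hostname: str) -> bool:
    """True when hostname has a host label plus at least one domain label."""
    labels = hostname.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def search_ldap_principals(directory, hostname):
    """Emulates the search assumed here: krbprincipalname=ldap/<hostname>@*."""
    prefix = f"ldap/{hostname.lower()}@"
    return [e for e in directory if e.krbprincipalname.lower().startswith(prefix)]


def unguarded_bind_dn(directory, hostname):
    """Shape of the failing traceback line: a_pn[0].dn on an unchecked result."""
    a_pn = search_ldap_principals(directory, hostname)
    return a_pn[0].dn  # IndexError when the search found nothing


def guarded_bind_dn(directory, hostname):
    """Same lookup, with the checks that turn the IndexError into a diagnosis."""
    if not is_fqdn(hostname):
        raise ValueError(f"hostname {hostname!r} is not fully qualified; "
                         "set the system hostname to the FQDN before installing")
    matches = search_ldap_principals(directory, hostname)
    if not matches:
        raise LookupError(f"no ldap/ service principal found for {hostname}; "
                          "check that the other side of the agreement is an IPA master")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} ldap/ principals found for {hostname}; "
                          "expected exactly one")
    return matches[0].dn


def outcome(lookup, directory, hostname):
    """Run a lookup and return either the DN or the exception type name."""
    try:
        return lookup(directory, hostname)
    except Exception as exc:  # reporting the failure class, not hiding it
        return type(exc).__name__


if __name__ == "__main__":
    for host in ("fed14-64-ipam002.ipa.ac.nz", "fed14-64-ipam002"):
        print(host, "unguarded:", outcome(unguarded_bind_dn, SAMPLE_DIRECTORY, host))
        print(host, "guarded:  ", outcome(guarded_bind_dn, SAMPLE_DIRECTORY, host))
```

With the FQDN both lookups return the same DN; with the short hostname the unguarded lookup fails with IndexError (the "list index out of range" in the log), while the guarded one reports that the hostname is not fully qualified, which is the check an installer can run before it ever touches the directory.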