Re: [Freeipa-users] Alternatives to freeipa
On Thu, 2011-07-07 at 23:50 +, Steven Jones wrote:
> 8><.
>
> I thought there was a better alternative to authconfig-tui...
>
> 6><
>
> I normally type setup, which gives you a splash popup that takes you to
> the auth config tool, but that dies silently... doing authconfig-tui
> shows you the python failures... at least I assume that's what the
> tracebacks ending in "py" are
>
> However if I don't blindly follow support's advice they wash their hands
> of the call... so I have to do it their way.

Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Alternatives to freeipa
Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care).

Ondrej

On 08.07.2011 14:18, Stephen Gallagher wrote:
> Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
Re: [Freeipa-users] Alternatives to freeipa
Hi!

Why do you think winbind is broken? It works fine on my machines…

-of

From: ondr...@s3group.cz [mailto:freeipa-users-boun...@redhat.com] On behalf of Ondrej Valousek
Sent: Friday, 08 July 2011 14:30
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Alternatives to freeipa

> Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care).
>
> Ondrej
>
> On 08.07.2011 14:18, Stephen Gallagher wrote:
> > Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
Re: [Freeipa-users] Alternatives to freeipa
https://bugzilla.redhat.com/show_bug.cgi?id=652609

On 08.07.2011 14:35, Oliver Falk wrote:
> Hi!
>
> Why do you think winbind is broken? It works fine on my machines…
>
> -of
>
> From: ondr...@s3group.cz [mailto:freeipa-users-boun...@redhat.com] On behalf of Ondrej Valousek
> Sent: Friday, 08 July 2011 14:30
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Alternatives to freeipa
>
> > Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care).
> >
> > Ondrej
> >
> > On 08.07.2011 14:18, Stephen Gallagher wrote:
> > > Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
Re: [Freeipa-users] Alternatives to freeipa
On Fri, 2011-07-08 at 14:29 +0200, Ondrej Valousek wrote:
> Authconfig will definitely help you to configure nsswitch.conf and
> Kerberos (i.e. the easy bits), but the hard work with configuring
> winbind or ldap library has to be done manually anyway (assuming
> winbind is working correctly - unfortunately winbind is hopelessly
> broken in the last versions of Samba and none seems to care).

What is broken? I certainly do care.
Please reply privately, as this is not the right place to discuss other projects' bugs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Alternatives to freeipa
OK… Since winbind is somewhat off topic here, I’ve commented in the bug report.

-of

From: Ondrej Valousek [mailto:ondr...@s3group.cz]
Sent: Friday, 08 July 2011 14:51
To: Oliver Falk
Cc: freeipa-users@redhat.com
Subject: Re: AW: [Freeipa-users] Alternatives to freeipa

> https://bugzilla.redhat.com/show_bug.cgi?id=652609
>
> On 08.07.2011 14:35, Oliver Falk wrote:
> > Hi!
> >
> > Why do you think winbind is broken? It works fine on my machines…
> >
> > -of
> >
> > From: ondr...@s3group.cz [mailto:freeipa-users-boun...@redhat.com] On behalf of Ondrej Valousek
> > Sent: Friday, 08 July 2011 14:30
> > To: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Alternatives to freeipa
> >
> > > Authconfig will definitely help you to configure nsswitch.conf and Kerberos (i.e. the easy bits), but the hard work with configuring winbind or ldap library has to be done manually anyway (assuming winbind is working correctly - unfortunately winbind is hopelessly broken in the last versions of Samba and none seems to care).
> > >
> > > Ondrej
> > >
> > > On 08.07.2011 14:18, Stephen Gallagher wrote:
> > > > Last I heard, authconfig-tui was deprecated and could be expected not to work with SSSD (aka for freeipa-client). What you want to use is either authconfig-gtk (if you need a graphical interface) or just use authconfig from the command-line and pass it the appropriate arguments. See 'authconfig --help' for details.
Re: [Freeipa-users] Alternatives to freeipa
On Fri, 2011-07-08 at 14:50 +0200, Ondrej Valousek wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=652609

Last comment, as this is totally OT.

Winbindd has been *designed* to use the user's primary SID as the primary GID, there are reasons as to why that's needed for CIFS*

You may argue you don't like the behavior, you can try to ask upstream to change it (unlikely to happen but hey), but it is not broken. It works as advertised (i.e. primary gidnumber is ignored on user entries); please do not spread FUD.

Simo.

*For the same reason we ignore the old primary group Sid ldap attribute on samba DCs with an ldap backend and instead force to use the primary gid to determine the primary group sid. The reason is that we cannot handle properly when admins mess up and put a primary sid and a primary gid that do not translate into each other. So the only reasonable thing to do in this case to avoid problems is to just ignore the 'non-authoritative' setting on the backend being used. On a Samba server with LDAP the authoritative id is the gidNumber. On AD (obviously) the authoritative one is the primary group Sid, so gidNumber is ignored.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreeIPA V2
When joining a client to a FreeIPA server installed on F15, I get the error quoted in the subject. The install of the server went well with no errors during the process. I've been looking all over and I can't seem to find anything related to this on the forums and I haven't heard back from anyone yet in IRC. Is this a known issue?
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreeIPA V2
On 07/08/2011 02:21 PM, McDougall, Ryan P. [mcry0...@stcloudstate.edu] wrote:
> When joining a client to a FreeIPA server installed on F15, I get the
> error quoted in the subject. The install of the server went well with
> no errors during the process. I've been looking all over and I can't
> seem to find anything related to this on the forums and I haven't
> heard back from anyone yet in IRC. Is this a known issue?

I just started yesterday. Libcurl upgrade broke IPA.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreeIPA V2
McDougall, Ryan P. [mcry0...@stcloudstate.edu] wrote:
> When joining a client to a FreeIPA server installed on F15, I get the error quoted in the subject. The install of the server went well with no errors during the process. I’ve been looking all over and I can’t seem to find anything related to this on the forums and I haven’t heard back from anyone yet in IRC. Is this a known issue?

This is caused by a recent update to libcurl that removed its ability to delegate tickets. Bugs have been opened against curl to add support for delegation and a bug against xmlrpc-c to take advantage of this new API.

There is currently no ETA on a fix.

The only workaround I've come up with so far is:

- On the server: manually add a host entry for your client: ipa host-add client.example.com
- Add the --force flag to ipa-client-install. This will allow it to continue past the enrolment failure
- On the client: kinit admin
- On the client: ipa-getkeytab -s ipa.example.com -p client.example@example.com -k /etc/krb5.keytab
- On the client: service sssd restart

There will be no SSL server cert in /etc/pki/nssdb because certmonger can't communicate with the IPA backend.

rob
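A check for the end of the workaround above, added here as an example and not part of the original message or of FreeIPA's own tooling: it parses `klist -k` output and confirms that the keytab holds the client's host key, reporting the newest key version. The host name, realm and sample listing are constructed placeholders, and `host/<fqdn>@<REALM>` is assumed as the principal form.

```shell
#!/bin/sh
# Added example: confirm that /etc/krb5.keytab holds the client's host key
# after the manual ipa-getkeytab step. Names below are assumed placeholders.

# Read `klist -k` (or `klist -ke`) output on stdin and print the highest
# KVNO stored for principal $1. Returns 1 if the principal is absent.
keytab_kvno() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want {
            if (!found || $1 + 0 > max) max = $1 + 0
            found = 1
        }
        END { if (!found) exit 1; print max }
    '
}

# $1 = client FQDN, $2 = realm; klist output on stdin.
check_host_keytab() {
    principal="host/$1@$2"
    if kvno=$(keytab_kvno "$principal"); then
        echo "OK $principal kvno=$kvno"
    else
        echo "MISSING $principal"
        return 1
    fi
}

# Constructed sample of `klist -ke /etc/krb5.keytab` output.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
EOF
}

# Offline demonstration; on a real client pipe in the live keytab listing:
#   klist -k /etc/krb5.keytab | check_host_keytab "$(hostname -f)" EXAMPLE.COM
sample_klist | check_host_keytab client.example.com EXAMPLE.COM
```

A MISSING result after the workaround means the ipa-getkeytab step did not write the host key to the keytab, which is worth ruling out before restarting sssd.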
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreeIPA V2
On 07/08/2011 02:45 PM, Rob Crittenden wrote:
> McDougall, Ryan P. [mcry0...@stcloudstate.edu] wrote:
>> When joining a client to a FreeIPA server installed on F15, I get the
>> error quoted in the subject. The install of the server went well with no
>> errors during the process. I’ve been looking all over and I can’t seem
>> to find anything related to this on the forums and I haven’t heard back
>> from anyone yet in IRC. Is this a known issue?
>
> This is caused by a recent update to libcurl that removed its ability
> to delegate tickets. Bugs have been opened against curl to add support
> for delegation and a bug against xmlrpc-c to take advantage of this
> new API.
>
> There is currently no ETA on a fix.
>
> The only workaround I've come up with so far is:
>
> - On the server: manually add a host entry for your client: ipa
> host-add client.example.com
> - Add the --force flag to ipa-client-install. This will allow it to
> continue past the enrolment failure
> - On the client: kinit admin
> - On the client: ipa-getkeytab -s ipa.example.com -p
> client.example@example.com -k /etc/krb5.keytab
> - On the client: service sssd restart
>
> There will be no SSL server cert in /etc/pki/nssdb because certmonger
> can't communicate with the IPA backend.
>

I wonder is there an option to roll back libcurl...

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" FreeIPA V2
On Fri, 2011-07-08 at 14:45 -0400, Rob Crittenden wrote:
> McDougall, Ryan P. [mcry0...@stcloudstate.edu] wrote:
> > When joining a client to a FreeIPA server installed on F15, I get the
> > error quoted in the subject. The install of the server went well with no
> > errors during the process. I’ve been looking all over and I can’t seem
> > to find anything related to this on the forums and I haven’t heard back
> > from anyone yet in IRC. Is this a known issue?
>
> This is caused by a recent update to libcurl that removed its ability to
> delegate tickets. Bugs have been opened against curl to add support for
> delegation and a bug against xmlrpc-c to take advantage of this new API.
>
> There is currently no ETA on a fix.
>
> The only workaround I've come up with so far is:
>
> - On the server: manually add a host entry for your client: ipa host-add
> client.example.com
> - Add the --force flag to ipa-client-install. This will allow it to
> continue past the enrolment failure
> - On the client: kinit admin
> - On the client: ipa-getkeytab -s ipa.example.com -p
> client.example@example.com -k /etc/krb5.keytab
> - On the client: service sssd restart
>
> There will be no SSL server cert in /etc/pki/nssdb because certmonger
> can't communicate with the IPA backend.

The other option is to downgrade curl to a previously working version, although the upgrade was supposedly a security fix and the fix was to remove this functionality ...

Simo.

--
Simo Sorce * Red Hat, Inc * New York