[Freeipa-users] custom LDAP schemas
Hi all,

I'm very interested in migrating my OpenLDAP servers to FreeIPA; the only problem is that I have some custom LDAP schemas in my present configuration. Is there a way to add some custom LDAP schemas to ipa-server? If it's possible, where can I find some documentation about adding those custom schemas?

Thanks for your help

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Latest FreeIPA update causing problems
Hi,

I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:

Feb 15 14:10:19 Updated: libselinux-2.1.6-6.fc16.x86_64
Feb 15 14:10:20 Updated: krb5-libs-1.9.2-6.fc16.x86_64
Feb 15 14:10:21 Updated: systemd-37-13.fc16.x86_64
Feb 15 14:10:22 Updated: systemd-units-37-13.fc16.x86_64
Feb 15 14:10:22 Updated: device-mapper-libs-1.02.65-6.fc16.x86_64
Feb 15 14:10:22 Updated: device-mapper-1.02.65-6.fc16.x86_64
Feb 15 14:10:23 Updated: rpm-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:24 Updated: rpm-libs-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:24 Updated: device-mapper-event-libs-1.02.65-6.fc16.x86_64
Feb 15 14:10:26 Updated: freeipa-python-2.1.4-5.fc16.x86_64
Feb 15 14:10:26 Updated: systemd-sysv-37-13.fc16.x86_64
Feb 15 14:10:27 Updated: krb5-server-1.9.2-6.fc16.x86_64
Feb 15 14:10:27 Updated: krb5-server-ldap-1.9.2-6.fc16.x86_64
Feb 15 14:10:27 Updated: device-mapper-event-1.02.65-6.fc16.x86_64
Feb 15 14:10:28 Updated: lvm2-libs-2.02.86-6.fc16.x86_64
Feb 15 14:10:28 Updated: rpm-build-libs-4.9.1.2-5.fc16.x86_64
Feb 15 14:10:28 Updated: mod_auth_kerb-5.4-8.fc16.x86_64
Feb 15 14:10:28 Updated: 389-ds-base-libs-1.2.10-0.10.rc1.fc16.x86_64
Feb 15 14:10:30 Updated: 389-ds-base-1.2.10-0.10.rc1.fc16.x86_64
Feb 15 14:10:31 Updated: krb5-pkinit-openssl-1.9.2-6.fc16.x86_64
Feb 15 14:10:31 Updated: krb5-workstation-1.9.2-6.fc16.x86_64
Feb 15 14:10:31 Updated: freeipa-client-2.1.4-5.fc16.x86_64
Feb 15 14:10:31 Updated: freeipa-admintools-2.1.4-5.fc16.x86_64
Feb 15 14:11:47 Updated: freeipa-server-2.1.4-5.fc16.x86_64
Feb 15 14:15:19 Updated: freeipa-server-selinux-2.1.4-5.fc16.x86_64
Feb 15 14:15:19 Updated: rpm-python-4.9.1.2-5.fc16.x86_64
Feb 15 14:15:20 Updated: lvm2-2.02.86-6.fc16.x86_64
Feb 15 14:15:20 Updated: libselinux-python-2.1.6-6.fc16.x86_64
Feb 15 14:15:20 Updated: libselinux-utils-2.1.6-6.fc16.x86_64
Feb 15 14:15:21 Updated: alsa-lib-1.0.25-1.fc16.x86_64
Feb 15 14:15:30 Installed: kernel-3.2.6-3.fc16.x86_64

I am having major problems with freeipa services (I replaced my real domain with example.com):

[root@fileserver3 ~]# ipactl status
Directory Service: STOPPED
Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
[root@fileserver3 ~]# ipactl start
Starting Directory Service
Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'fileserver3.example.com' does not match any master server in LDAP:
No master found because of error: {'matched': 'dc=example,dc=com', 'desc': 'No such object'}
Shutting down
[root@fileserver3 ~]#

None of the IPA processes will start. The dirsrv error log shows:

[16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/Feb/2012:10:20:23 -0500] - Listening on All Interfaces port 636 for LDAPS requests
[16/Feb/2012:10:20:23 -0500] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
[16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation threads
[16/Feb/2012:10:20:23 -0500] - slapd shutting down - closing down internal subsystems and plugins
[16/Feb/2012:10:20:24 -0500] - Waiting for 4 database threads to stop
[16/Feb/2012:10:20:24 -0500] - All database threads now stopped
[16/Feb/2012:10:20:24 -0500] - slapd stopped.

Can someone help?

Thanks,
Dan
Re: [Freeipa-users] Latest FreeIPA update causing problems
On 02/16/2012 08:26 AM, Dan Scott wrote:
> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
> [...]
> None of the IPA processes will start. The dirsrv error log shows:
> [...]
> Can someone help?

start your directory server - systemctl start dirsrv.target

do a search for the dna entries:

ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com

and

ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"

> Thanks, Dan
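The two search bases in the reply above are the parents of the entries named in the dna-plugin errors. As an added example (not part of the original thread), this script derives those one-level searches from a dirsrv error log and quotes each DN so that values containing spaces survive the shell; the function names, the log path in the comments, and the embedded sample (copied from the lines quoted in this thread) are assumptions of the example.

```shell
#!/bin/sh
# Added example: turn dna-plugin errors from a 389-ds error log into the
# one-level ldapsearch checks suggested in the reply above.

# Constructed sample input, copied from the log lines quoted in this thread.
sample_log() {
cat <<'EOF'
[16/Feb/2012:10:20:23 -0500] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[16/Feb/2012:10:20:23 -0500] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=example,dc=com
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
[16/Feb/2012:10:20:23 -0500] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[16/Feb/2012:10:20:23 -0500] - slapd shutting down - signaling operation threads
EOF
}

# Read a log on stdin and print the DN named in each dna-plugin error line.
dna_error_dns() {
    sed -n \
        -e 's/^.* dna-plugin - .*Unable to locate shared configuration entry (\(.*\))[[:space:]]*$/\1/p' \
        -e 's/^.* dna-plugin - .*Invalid config entry \[\(.*\)] skipped[[:space:]]*$/\1/p'
}

# Drop the leftmost RDN to get the parent DN. A comma escaped as "\," inside
# the RDN value is not treated as a separator.
parent_dn() {
    printf '%s\n' "$1" | sed -E 's/^(\\.|[^,\\])*,//'
}

# Wrap a value in single quotes so the printed command can be pasted into a
# shell unchanged, even when the DN contains spaces or quote characters.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read a log on stdin and print one ldapsearch command per distinct parent DN.
# The bind DN and the options are the ones used in the thread.
dna_checks() {
    dna_error_dns | while IFS= read -r dn; do
        base=$(parent_dn "$dn")
        # A DN with a single RDN has no parent to search under.
        if [ "$base" = "$dn" ]; then
            continue
        fi
        printf "ldapsearch -xLLL -D 'cn=directory manager' -W -s one -b %s\n" \
            "$(shell_quote "$base")"
    done | awk '!seen[$0]++'
}

# Demo on the constructed sample. On a server, feed the instance's error log
# instead, for example (path is an assumption based on the instance name):
#   dna_checks < /var/log/dirsrv/slapd-EXAMPLE-COM/errors
sample_log | dna_checks
```

The commands are only printed, not executed, so they can be reviewed before being run against the directory server.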
Re: [Freeipa-users] Latest FreeIPA update causing problems
Hi,

On Thu, Feb 16, 2012 at 10:37, Rich Megginson rmegg...@redhat.com wrote:
> On 02/16/2012 08:26 AM, Dan Scott wrote:
>> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
>> [...]
>> None of the IPA processes will start. The dirsrv error log shows:
>> [...]
>> Can someone help?
>
> start your directory server - systemctl start dirsrv.target
>
> do a search for the dna entries:
>
> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>
> and
>
> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"

Results:

[root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
Enter LDAP Password:
No such object (32)
Matched DN: dc=example,dc=com
[root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s
Re: [Freeipa-users] Latest FreeIPA update causing problems
On 02/16/2012 09:12 AM, Dan Scott wrote:
> Hi,
>
> On Thu, Feb 16, 2012 at 10:37, Rich Megginson rmegg...@redhat.com wrote:
>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
>>> [...]
>>> None of the IPA processes will start. The dirsrv error log shows:
>>> [...]
>>> Can someone help?
>>
>> start your directory server - systemctl start dirsrv.target
>>
>> do a search for the dna entries:
>>
>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>
>> and
>>
>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>
> Results:
>
> [root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
> Enter LDAP Password:
> No such object (32)
> Matched DN: dc=example,dc=com
> [root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=distributed numeric assignment
Re: [Freeipa-users] Latest FreeIPA update causing problems
Hi,

On Thu, Feb 16, 2012 at 11:56, Rich Megginson rmegg...@redhat.com wrote:
> On 02/16/2012 09:12 AM, Dan Scott wrote:
>> Hi,
>>
>> On Thu, Feb 16, 2012 at 10:37, Rich Megginson rmegg...@redhat.com wrote:
>>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>>> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
>>>> [...]
>>>> None of the IPA processes will start. The dirsrv error log shows:
>>>> [...]
>>>> Can someone help?
>>>
>>> start your directory server - systemctl start dirsrv.target
>>>
>>> do a search for the dna entries:
>>>
>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>>
>>> and
>>>
>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>>
>> Results:
>>
>> [root@fileserver3 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>> Enter LDAP
Re: [Freeipa-users] Latest FreeIPA update causing problems
On Thu, Feb 16, 2012 at 14:24, Rich Megginson rmegg...@redhat.com wrote:
> On 02/16/2012 10:40 AM, Dan Scott wrote:
>> Hi,
>>
>> On Thu, Feb 16, 2012 at 11:56, Rich Megginson rmegg...@redhat.com wrote:
>>> On 02/16/2012 09:12 AM, Dan Scott wrote:
>>>> Hi,
>>>>
>>>> On Thu, Feb 16, 2012 at 10:37, Rich Megginson rmegg...@redhat.com wrote:
>>>>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>>>>> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
>>>>>> [...]
>>>>>> None of the IPA processes will start. The dirsrv error log shows:
>>>>>> [...]
>>>>>> Can someone help?
>>>>>
>>>>> start your directory server - systemctl start dirsrv.target
>>>>>
>>>>> do a search for the dna entries:
>>>>>
>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>>>>
>>>>> and
>>>>>
>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>>>>
>>>> Results:
Re: [Freeipa-users] Latest FreeIPA update causing problems
On 02/16/2012 01:12 PM, Dan Scott wrote:
> On Thu, Feb 16, 2012 at 14:24, Rich Megginson rmegg...@redhat.com wrote:
>> On 02/16/2012 10:40 AM, Dan Scott wrote:
>>> Hi,
>>>
>>> On Thu, Feb 16, 2012 at 11:56, Rich Megginson rmegg...@redhat.com wrote:
>>>> On 02/16/2012 09:12 AM, Dan Scott wrote:
>>>>> Hi,
>>>>>
>>>>> On Thu, Feb 16, 2012 at 10:37, Rich Megginson rmegg...@redhat.com wrote:
>>>>>> On 02/16/2012 08:26 AM, Dan Scott wrote:
>>>>>>> Hi, I have recently upgraded one of my FreeIPA servers (Fedora 16) with the latest package versions:
>>>>>>> [...]
>>>>>>> None of the IPA processes will start. The dirsrv error log shows:
>>>>>>> [...]
>>>>>>> Can someone help?
>>>>>>
>>>>>> start your directory server - systemctl start dirsrv.target
>>>>>>
>>>>>> do a search for the dna entries:
>>>>>>
>>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>>>>>>
>>>>>> and
>>>>>>
>>>>>> ldapsearch -xLLL -D "cn=directory manager" -W -s one -b "cn=distributed numeric assignment plugin,cn=plugins,cn=config"
>>>>>
>>>>> Results:
>>>>>
>>>>> [root@fileserver3 ~]# ldapsearch -xLLL -D cn=directory
Re: [Freeipa-users] Replicas in a state of confusion
On 02/16/2012 12:38 PM, Ian Levesque wrote:
On Feb 15, 2012, at 7:22 PM, Rich Megginson wrote:

Sorry for not getting back to you sooner. I can't say for sure, but it does look like you are running into some of the tombstone issues we have fixed in 1.2.10.1-1 (now in updates-testing)

OK, are these errors anything to worry about in a production replicated environment?

id2entry - str2entry returned NULL for id 12, string=rdn
_entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN

Yes - there seems to be a problem with orphan tombstone entries
https://fedorahosted.org/389/ticket/298
We are working on a patch that we will likely release in 1.2.10.2

If you want to remove the orphan tombstone entries and just start from scratch, you will have to export your database to LDIF and re-import it. Do this on your primary master. You will then have to re-initialize all replicas from this master.

NOTE: The following documentation refers to scripts such as db2bak, db2ldif, etc. In an IPA installation, these scripts are found in /var/lib/dirsrv/scripts-DOMAIN

Step 1) make a backup of your database files
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Backing_Up_and_Restoring_Data.html#Backing_Up_and_Restoring_Data-Backing_Up_All_Databases

Step 2) export your userRoot (-n userRoot) database to LDIF
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html

Step 3) import your LDIF file into your userRoot database
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases.html#Populating_Directory_Databases-Importing_Data

Use ipa-replica-manage to initialize your replicas from this server

In addition, if you are getting this:

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica - err 20
https://fedorahosted.org/389/ticket/282

You may have deleted and re-added replicas - in that case, you may want to follow the cleanruv procedure here - http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

I did indeed have about 13 replica configs in the RUV. After cleaning per the instructions, that error above has gone away.

Thanks!
Ian
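The 389-ds error messages quoted in the two threads above can be picked out of an errors log mechanically and tied to the follow-ups given in the replies. This is an added example, not code from the thread or from the 389-ds or FreeIPA projects; the function name `triage`, the labels and the sample lines (message texts from the thread, mostly with constructed timestamps) are assumptions.

```python
import re
from datetime import datetime

# 389-ds errors-log lines look like "[16/Feb/2012:10:20:23 -0500] <text>".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<text>.*)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures and follow-ups come from the thread; the labels are hypothetical.
SIGNATURES = [
    ("orphan-tombstone", re.compile(r"str2entry returned NULL|_entry_set_tombstone_rdn"),
     "https://fedorahosted.org/389/ticket/298"),
    ("stale-ruv", re.compile(r"repl_set_mtn_referrals: could not set referrals.*err 20"),
     "https://fedorahosted.org/389/ticket/282"),
    ("dna-shared-config-missing", re.compile(r"dna_parse_config_entry: Unable to locate shared"),
     "ldapsearch under cn=dna,cn=ipa,cn=etc,<suffix>"),
]

def triage(lines):
    """Return ({label: {count, first_seen, reference}}, number_of_unparsed_lines)."""
    findings, unparsed = {}, 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT) if m else None
        except ValueError:
            ts = None
        if ts is None:
            unparsed += 1  # wrapped or damaged line: count it, do not guess
            continue
        for label, pattern, reference in SIGNATURES:
            if pattern.search(m.group("text")):
                hit = findings.setdefault(
                    label, {"count": 0, "first_seen": ts, "reference": reference})
                hit["count"] += 1
                hit["first_seen"] = min(hit["first_seen"], ts)
    return findings, unparsed

# Constructed sample: message texts as quoted in the thread; timestamps after the first are made up.
SAMPLE = """\
[16/Feb/2012:10:20:23 -0500] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com)
[16/Feb/2012:12:01:05 -0500] id2entry - str2entry returned NULL for id 12, string=rdn
[16/Feb/2012:12:01:05 -0500] _entry_set_tombstone_rdn - Failed to convert DN automountmapname=auto.direct to RDN
[16/Feb/2012:12:01:09 -0500] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica - err 20
        (wrapped continuation line without a timestamp)
""".splitlines()

if __name__ == "__main__":
    findings, unparsed = triage(SAMPLE)
    for label, hit in findings.items():
        print(f"{label}: {hit['count']} hit(s) since {hit['first_seen']}, see {hit['reference']}")
    print(f"unparsed lines: {unparsed}")
```

On a real server the input would be the instance's errors log read line by line; lines that do not start with a parseable timestamp are counted rather than matched.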
Re: [Freeipa-users] custom LDAP schemas
On Thu, 2012-02-16 at 13:34 +0100, Vincent Zakofski wrote:

Hi all,

I'm very interested in migrating my OpenLDAP servers to FreeIPA; the only problem is that I have some custom LDAP schemas in my present configuration. Is there a way to add some custom LDAP schemas to ipa-server? If it's possible, where can I find some documentation about adding those custom schemas?

You can read up about how to extend the Directory schema here:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Extending_the_Directory_Schema.html

If you are planning on extending objects that are managed by FreeIPA as opposed to just adding new objects in a custom subtree, you may need to change the way the UI manages these objects by telling it what mandatory attributes you need to add. We do not have a clearly documented procedure for this yet I think, but it is not too difficult to do.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] user unable to change password after admin resets pw
Hi all,

I am trying to roll out ipa as our central authentication system, and am running into problems with password changes on CentOS 5.

Scenario: Admin user resets a user's password. The user, on a non-IPA-managed system, logs into a CentOS 5 server (IPA-managed) via ssh. The temporary password is accepted and the user is immediately prompted to change the password, but the password change fails with the message 'System is offline, password change not possible'.

$ ssh kelvin@testhost
kelvin@testhost's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Thu Feb 16 21:54:59 2012 from vpn
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kelvin.
Current Password:
New UNIX password:
Retype new UNIX password:
System is offline, password change not possible
Warning: Your password will expire in less than one hour.
Warning: Your password will expire in less than one hour.
passwd: Authentication token manipulation error
Connection to testhost closed.

What am I missing? Can someone please help me get this working?

Thanks,
Kelvin
Re: [Freeipa-users] user unable to change password after admin resets pw
Firewall issue? Maybe do a tcpdump on one of the machines while trying this?

On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:

Hi all,

I am trying to roll out ipa as our central authentication system, and am running into problems with password changes on CentOS 5.

Scenario: Admin user resets a user's password. The user, on a non-IPA-managed system, logs into a CentOS 5 server (IPA-managed) via ssh. The temporary password is accepted and the user is immediately prompted to change the password, but the password change fails with the message 'System is offline, password change not possible'.

$ ssh kelvin@testhost
kelvin@testhost's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Thu Feb 16 21:54:59 2012 from vpn
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kelvin.
Current Password:
New UNIX password:
Retype new UNIX password:
System is offline, password change not possible
Warning: Your password will expire in less than one hour.
Warning: Your password will expire in less than one hour.
passwd: Authentication token manipulation error
Connection to testhost closed.

What am I missing? Can someone please help me get this working?

Thanks,
Kelvin
Re: [Freeipa-users] user unable to change password after admin resets pw
I had sworn that I had faithfully followed the firewall configs, but this was it; thanks! Off to tcpdump to see which port I missed.

Kelvin

On 12-02-16 10:21 PM, Brian Topping topp...@codehaus.org wrote:

Firewall issue? Maybe do a tcpdump on one of the machines while trying this?

On Feb 16, 2012, at 10:10 PM, Kelvin Edmison wrote:

Hi all,

I am trying to roll out ipa as our central authentication system, and am running into problems with password changes on CentOS 5.

Scenario: Admin user resets a user's password. The user, on a non-IPA-managed system, logs into a CentOS 5 server (IPA-managed) via ssh. The temporary password is accepted and the user is immediately prompted to change the password, but the password change fails with the message 'System is offline, password change not possible'.

$ ssh kelvin@testhost
kelvin@testhost's password:
Warning: Your password will expire in less than one hour.
Password expired. Change your password now.
Last login: Thu Feb 16 21:54:59 2012 from vpn
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kelvin.
Current Password:
New UNIX password:
Retype new UNIX password:
System is offline, password change not possible
Warning: Your password will expire in less than one hour.
Warning: Your password will expire in less than one hour.
passwd: Authentication token manipulation error
Connection to testhost closed.

What am I missing? Can someone please help me get this working?

Thanks,
Kelvin