Re: [Freeipa-users] ipa-client install error
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done. If so that is a huge and ugly looking task that is one way.
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to:
> - provide a fix for the older clients to be able to connect to 2.2 via errata.
> - Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the servers to the new version first and then upgrade the clients. The issue here is that the new IPA clients won't be able to use the ipa command to control the old server because they have a higher API version and the old server would not support it. The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2) should be OK as we maintain backwards compatibility.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done. If so that is a huge and ugly looking task that is one way.

No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server. Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.

rob

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
> > I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
> >
> > ==
> > [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> > Discovery was successful!
> > Hostname: rhel664ws01.ods.vuw.ac.nz
> > Realm: ODS.VUW.AC.NZ
> > DNS Domain: ods.vuw.ac.nz
> > IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> > BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >
> > Continue to configure the system with these values? [no]: yes
> > User authorized to enroll computers: admjonesst1
> > Synchronizing time with KDC...
> > Unable to sync time with IPA NTP server, assuming the time is in sync.
> > Password for admjones...@ods.vuw.ac.nz:
> > Enrolled in IPA realm ODS.VUW.AC.NZ
> > Created /etc/ipa/default.conf
> > Unable to activate the SSH service in SSSD config.
> > Please make sure you have SSSD built with SSH support installed.
> > Configure SSH support manually in /etc/sssd/sssd.conf.
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1534, in <module>
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 1521, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 1358, in install
> >     api.Backend.xmlclient.connect()
> >   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
> >     conn = self.create_connection(*args, **kw)
> >   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
> >     raise errors.KerberosError(major=str(krberr), minor='')
> > ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
> > [root@rhel664ws01 ~]#
> > ===
> >
> > Is this expected when trying to connect 6.3beta? ie its simply not compatible?
>
> The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires.
>
> We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
>
> rob
Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability
Sorry about not supplying the versions!

On the redhat 6.2 server:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64

Red Hat 5.8
ipa-client-2.1.3-1.el5

I have looked over various documents and not had much luck.

Thanks
Matt

> Date: Wed, 2 May 2012 16:07:42 +0200
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability
>
> On Wed, May 02, 2012 at 09:52:50AM -0400, Matthew Davidson wrote:
> > Greetings,
> >
> > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. The first problem was at the install.
> >
> > yum install ipa-client ipa-admintools
> >
> > No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web.
> >
> > But I went ahead with the installation and I have joined RHEL5 to the domain. From the command line.
> >
> > kinit mdavidson
> >
> > will log in.
> >
> > klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: mdavid...@example.com
> >
> > Looks good but I cannot setup ssh and ssh is essential. I assume it's because I cannot perform this part of the steps.
> >
> > http://bit.ly/Ivxxwj :
>
> Is your server IPAv1 or v2? The documentation link you provided points to v1 documentation. IIRC IPAv1 is not supported anymore.
>
> Here is a link to the IPAv2 docs:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> Run:
>
> klist -kt /etc/krb5.keytab
>
> to see what keys are available.

It shows the master server and itself.

> When you ran ipa-client-install were any errors reported?

None

> It appears that basic nss services aren't working. Can you do:
>
> id mdavidson

id: mdavidson: No such user

> getent passwd mdavidson

returns nothing.

Thanks
Matt

> Date: Wed, 2 May 2012 10:17:02 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > Greetings,
> >
> > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 server. The first problem was at the install.
> >
> > yum install ipa-client ipa-admintools
> >
> > No ipa-admintools! The RHEL5 system is registered with Red Hat and I have searched the web.
>
> There is no admin tools package for 5.x. Only a client enrollment script is available.
>
> > But I went ahead with the installation and I have joined RHEL5 to the domain. From the command line.
> >
> > kinit mdavidson
> >
> > will log in.
> >
> > klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: mdavid...@example.com
> >
> > Looks good but I cannot setup ssh and ssh is essential. I assume it's because I cannot perform this part of the steps.
> >
> > http://bit.ly/Ivxxwj :
> >
> > Procedure 1.5. To configure a Red Hat Enterprise Linux 5 IPA client for incoming SSH connections:
> >
> > The IPA client installation process configures the NTP service by default, but you should ensure that time on the IPA client and server is synchronized. If it is not, run the following commands on the IPA client:
> >
> > # service ntpd stop
> > # ntpdate -s -p 8 -u ipaserver.example.com
> > # service ntpd start
> >
> > Note: The ntpdate command does not work if ntpd is running.
> >
> > Obtain a Kerberos ticket for the admin user.
> >
> > # kinit admin
> >
> > Add a host service principal on the IPA client.
> >
> > # ipa-addservice host/ipaclient.example.com
> >
> > (My error is -bash: ipa: command not found)
> >
> > Retrieve the keytab.
> >
> > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com -k /etc/krb5.keytab
> >
> > (My error is -bash: ipa: command not found)
>
> These instructions are for IPA v1. I don't know why you get an error message about ipa not found when running ipa-something though.
>
> The client installer should have already created a host service principal.
>
> Run:
>
> klist -kt /etc/krb5.keytab
>
> to see what keys are available.
>
> When you ran ipa-client-install were any errors reported?
>
> It appears that basic nss services aren't working. Can you do:
>
> id mdavidson
> getent passwd mdavidson
>
> If these don't work then sssd won't either (nor anything else).
>
> rob
>
> > From RHEL5 /var/log/secure:
> >
> > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from 192.168.1.110
> > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid user mdavidson
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
> > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass; user unknown
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > DNS works. ntpd is running. I checked all the configuration files. I have searched for ipa-admintools and I'm sure this is why I cannot run the ipa commands in step 1.5.
> >
> > What am I missing? Any thoughts or suggestions?
> >
> > Matt
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
To clarify one point. I used the current redhat documents to setup the two systems.

Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US

SSH does not seem to be discussed and that is when I started web surfing in an attempt to fix my problem before reaching out for help.

thanks,
Matt

> Date: Wed, 2 May 2012 10:17:02 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote:
> Sorry about not supplying the versions!
>
> On the redhat 6.2 server:
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
>
> Red Hat 5.8
> ipa-client-2.1.3-1.el5
>
> I have looked over various documents and not had much luck.
>
> Thanks
> Matt

That's what I was suggesting. Your server is an IPAv2 server, but the documentation you were following was an IPAv1 document. Here is a link to the Identity Management Guide and the chapter that describes how to enroll a client in particular:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
Matthew Davidson wrote:
> To clarify one point. I used the current redhat documents to setup the two systems.
>
> Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
>
> SSH does not seem to be discussed and that is when I started web surfing in an attempt to fix my problem before reaching out for help.

A host service principal is created during enrollment so no additional work should be needed for SSH to work.

The problem you're having is related to the fact that user lookup services are failing. Can you look in /var/log/secure and/or /var/log/sssd/* to see if there are any errors reported regarding sssd?

What options did you pass to ipa-client-install?

rob
Re: [Freeipa-users] Error in Installation - unable to create CA
shabahang elmian wrote:
> Hello,
>
> I would be thankful if some one can help me to resolve the problem.

We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is. It would appear that the CA process didn't start.

Details on your versions of ipa-server and pki-ca would be helpful too.

rob

> Shabahang
>
> From: shabahang elmian <eshabah...@yahoo.com>
> To: Rob Crittenden <rcrit...@redhat.com>
> Cc: freeipa-users@redhat.com
> Sent: Sunday, April 29, 2012 12:21 PM
> Subject: Re: [Freeipa-users] Error in Installation - unable to create CA
>
> [2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
> [2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
> [2012-04-23 17:07:32] [debug] Attempting to add hardware security modules to system if applicable ...
> [2012-04-23 17:07:32] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
> [2012-04-23 17:07:32] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
> [2012-04-23 17:07:32] [debug] configuring SELinux ...
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447. Port already defined otherwise.
> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
> [2012-04-23 17:07:34] [debug] Running restorecon commands
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
> [2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
> [2012-04-23 17:07:34] [debug] The following was performed:
> Installed Files:
> /etc/pki-ca/CS.cfg
> ...
> .
> .
> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
> Removed Items:
> /etc/pki-ca/noise
> /etc/pki-ca/pfile
> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad@pki-ca.service)
> [2012-04-23 17:07:34] [error] FAILED run_command(/bin/systemctl restart pki-cad@pki-ca.service), exit status=1 output=Job failed. See system logs and 'systemctl status' for details.
> [2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
> [2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command: /bin/systemctl restart pki-cad@pki-ca.service
> [root@ipa ~]#
> [root@ipa system]# ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: y
> Shutting down all IPA services
> Removing IPA client configuration
> Unconfiguring ntpd
> Unconfiguring CA directory server
> [root@ipa system]#
> [root@ipa system]#
> [root@ipa system]# /var/log/audit/audit.log
> [root@ipa system]#
> [root@ipa system]#
> [root@ipa system]# ipa-server-install --setup-dns
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ==
> This program will set up the FreeIPA Server. This
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
Hi Rob

[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@example.com:
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

/var/log/sssd/sssd.log
(Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

thanks for helping!
Matt

> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
On 05/02/2012 12:43 PM, Matthew Davidson wrote:
> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com:
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!

1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?

> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] red hat 5 and red hat 6 compatability
Matthew Davidson wrote:
> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com:
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/sssd/ldap_child.log
> (Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

This is the key. sssd can't connect to the IPA server due to this Kerberos error which is why the user information is unavailable.

Am I right to assume you have another Kerberos server (or AD) configured using the same realm name on your network? I have the feeling sssd is finding the wrong KDC.

rob
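A small triage helper for the failure mode Rob isolates above, added here as an example; it is not code from the thread or from the FreeIPA project. It reads the three artefacts he asked for (sshd lines from /var/log/secure, sssd's ldap_child.log, and the output of klist -kt /etc/krb5.keytab) and separates "identity lookup is broken because sssd cannot get a TGT for the host" from an ordinary bad-password failure. The host name rhel5.example.com, the realm EXAMPLE.COM, the verdict codes and every log line in the block are constructed for the example, shaped like the ones Matt posted rather than copied from them; the suggestion under WRONG_KDC follows Rob's hypothesis that sssd is reaching a different KDC than kinit does.

```sh
#!/bin/sh
# Example triage helper (not FreeIPA code). All hostnames, realm names and log
# text below are constructed samples in the shape of the thread's output.

# Classify sshd lines: LOOKUP_FAILURE when sshd/PAM cannot resolve the user at
# all (sssd/NSS is not answering), AUTH_FAILURE when the user resolved but the
# password was rejected, CLEAN otherwise.
classify_secure_log() {
  awk '
    /Invalid user/ || /error retrieving information about user/ { lookup++ }
    /Failed password for / && !/invalid user/                    { auth++ }
    END {
      if (lookup > 0)    print "LOOKUP_FAILURE"
      else if (auth > 0) print "AUTH_FAILURE"
      else               print "CLEAN"
    }'
}

# Classify sssd ldap_child.log lines. "Client not found in Kerberos database"
# means the KDC that sssd reached has no entry for the principal it presented
# from the keytab; a plain init-credentials failure is anything else (clock,
# network, wrong key version).
classify_ldap_child_log() {
  awk '
    /Failed to init credentials: Client not found in Kerberos database/ { notfound++ }
    /Failed to init credentials/                                        { initfail++ }
    END {
      if (notfound > 0)      print "HOST_PRINCIPAL_UNKNOWN_TO_KDC"
      else if (initfail > 0) print "TGT_FAILURE"
      else                   print "CLEAN"
    }'
}

# Succeed iff the klist -kt output on stdin lists host/<fqdn>@<REALM>.
keytab_has_host_principal() {
  awk -v want="host/$1@$2" '$NF == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Combine the three signals into one verdict; the first word is a stable code.
triage() {
  fqdn=$1 realm=$2
  secure=$(printf '%s\n' "$3" | classify_secure_log)
  sssd=$(printf '%s\n' "$4" | classify_ldap_child_log)
  if printf '%s\n' "$5" | keytab_has_host_principal "$fqdn" "$realm"; then
    kt=present
  else
    kt=missing
  fi
  case "$secure:$sssd:$kt" in
    LOOKUP_FAILURE:HOST_PRINCIPAL_UNKNOWN_TO_KDC:present)
      echo "WRONG_KDC: keytab holds host/$fqdn@$realm but the KDC sssd talks to does not know it; compare ipa_server/krb5_server in /etc/sssd/sssd.conf and the _kerberos SRV records with the KDC in /etc/krb5.conf" ;;
    LOOKUP_FAILURE:HOST_PRINCIPAL_UNKNOWN_TO_KDC:missing)
      echo "NO_HOST_KEYTAB: /etc/krb5.keytab has no host/$fqdn@$realm entry; enrollment did not leave a host principal, re-run ipa-client-install" ;;
    LOOKUP_FAILURE:*)
      echo "LOOKUP_BROKEN: user resolution fails ($sssd); check that sssd is running and can reach LDAP/LDAPS on the IPA server" ;;
    AUTH_FAILURE:*)
      echo "AUTH_ONLY: the user resolves; this is a password or policy failure, not a lookup problem" ;;
    *)
      echo "CLEAN: no failure pattern found" ;;
  esac
}

# Constructed samples (placeholders, not the thread's data).
SECURE_LOOKUP_SAMPLE='May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2'
SECURE_AUTH_SAMPLE='May  2 12:40:01 rhel5 sshd[3300]: Failed password for mdavidson from 192.168.1.5 port 52520 ssh2'
LDAP_CHILD_SAMPLE='(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database'
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   2 05/02/12 11:30:00 host/rhel5.example.com@EXAMPLE.COM
   2 05/02/12 11:30:00 host/rhel5.example.com@EXAMPLE.COM'

# Stand-alone run: the thread's situation (kinit works, keytab present, yet
# sssd's TGT request is rejected) yields the WRONG_KDC verdict.
triage rhel5.example.com EXAMPLE.COM "$SECURE_LOOKUP_SAMPLE" "$LDAP_CHILD_SAMPLE" "$KLIST_SAMPLE"
```

On a real client the three inputs come from `grep sshd /var/log/secure`, `/var/log/sssd/ldap_child.log` and `klist -kt /etc/krb5.keytab`; the host name and realm to pass are the ones ipa-client-install printed under Hostname and Realm, which is also a quick way to notice when, as in the output above, the client reports the server's name as its own hostname.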
Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
Dmitri,

> 1) Do you have admin account on IPA side?

Yes. And judging by the command below admin does log in, or am I mistaken?

[root@rhel5 ~]# kinit admin
Password for ad...@example.com:
[root@rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

> 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?

No firewall. Shut those down at the first sign of trouble.

Thanks
Matt

> Date: Wed, 2 May 2012 13:51:15 -0400
> From: d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>> Hi Rob
>>
>> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
>> DNS domain 'example.com' is not configured for automatic KDC address lookup.
>> KDC address will be set to fixed value.
>> Discovery was successful!
>> Hostname: rhel6.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: EXAMPLE.COM
>> IPA Server: rhel6.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...
>> Password for ad...@example.com:
>> Enrolled in IPA realm EXAMPLE.COM
>> Created /etc/ipa/default.conf
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
>> SSSD enabled
>> Unable to find 'admin' user with 'getent passwd admin'!
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?
>
>> Recognized configuration: SSSD
>> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
>> NTP enabled
>> Client configuration complete.
>>
>> /var/log/secure
>> May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
>> May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
>> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
>> May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
>> May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
>> May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>>
>> /var/log/sssd/ldap_child.log
>> (Wed May 2 11:52:08 2012) [sssd[ldap_child[3091]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>> (Wed May 2 12:31:14 2012) [sssd[ldap_child[3252]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>> (Wed May 2 12:31:14 2012) [sssd[ldap_child[3253]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>> (Wed May 2 12:31:14 2012) [sssd[ldap_child[3254]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>> (Wed May 2 12:31:14 2012) [sssd[ldap_child[3255]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>> (Wed May 2 12:31:14 2012) [sssd[ldap_child[3256]]] [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>>
>> /var/log/sssd/sssd.log
>> (Tue May 1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>> (Wed May 2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>>
>> thanks for helping!
>> Matt
>>
>>> Date: Wed, 2 May 2012 11:30:52 -0400
>>> From: rcrit...@redhat.com
>>> To: m...@mldserviceslex.com
>>> CC: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
>>>
>>> Matthew Davidson wrote:
>>>> To clarify one point.
>>>> I used the current redhat documents to setup the two systems.
Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> Dmitri,
>
>> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root@rhel5 ~]# kinit admin
> Password for ad...@example.com:
> [root@rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right authentication server due to the DNS configuration.

>> 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?
>
> No firewall. Shut those down at the first sign of trouble.
>
> Thanks
> Matt
Re: [Freeipa-users] Error in Installation - unable to create CA
On 05/02/2012 11:34 AM, Rob Crittenden wrote:
> shabahang elmian wrote:
>> Hello,
>> I would be thankful if some one can help me to resolve the problem.
>
> We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is. It would appear that the CA process didn't start.
>
> Details on your versions of ipa-server and pki-ca would be helpful too.
>
> rob

https://bugzilla.redhat.com/show_bug.cgi?id=818123
Might be related. Please see comments there and requests for additional logs.

>> Shabahang
>>
>> *From:* shabahang elmian eshabah...@yahoo.com
>> *To:* Rob Crittenden rcrit...@redhat.com
>> *Cc:* freeipa-users@redhat.com
>> *Sent:* Sunday, April 29, 2012 12:21 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA
>>
>> [2012-04-23 17:07:32] [debug] set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] Processing PKI security modules for '/var/lib/pki-ca' ...
>> [2012-04-23 17:07:32] [debug] Attempting to add hardware security modules to system if applicable ...
>> [2012-04-23 17:07:32] [debug] module name: lunasa lib: /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] module name: nfast lib: /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] configuring SELinux ...
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9180. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9701. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9443. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9444. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9446. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9445. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context pki_ca_port_t for 9447. Port already defined otherwise.
>> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to run semanage.
>> [2012-04-23 17:07:34] [debug] Running restorecon commands
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/java/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /usr/share/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/lib/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/run/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /var/log/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R /etc/pki-ca)
>> [2012-04-23 17:07:34] [debug] Installation manifest: /var/lib/pki-ca/install_info
>> [2012-04-23 17:07:34] [debug] The following was performed:
>> Installed Files:
>> /etc/pki-ca/CS.cfg
>> ...
>> .
>> .
>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
>> Removed Items:
>> /etc/pki-ca/noise
>> /etc/pki-ca/pfile
>> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart pki-cad@pki-ca.service)
>> [2012-04-23 17:07:34] [error] FAILED run_command(/bin/systemctl restart pki-cad@pki-ca.service), exit status=1 output=Job failed. See system logs and 'systemctl status' for details.
>> [2012-04-23 17:07:34] [log] Configuration Wizard listening on https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
>> [2012-04-23 17:07:34] [log] After configuration, the server can be operated by the command:
>> /bin/systemctl restart pki-cad@pki-ca.service
>> [root@ipa ~]#
>>
>> [root@ipa system]# ipa-server-install --uninstall
>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>> Are you sure you want to continue with the uninstall procedure? [no]: y
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfiguring ntpd
>> Unconfiguring CA directory server
>> [root@ipa system]#
>> [root@ipa system]#
>> [root@ipa system]# /var/log/audit/audit.log
>> [root@ipa system]#
Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
> Is this from the client or from the server? I bet on the server.

That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files.

thanks
Matt

> Date: Wed, 2 May 2012 14:57:24 -0400
> From: d...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
Matthew Davidson wrote:
>> Is this from the client or from the server? I bet on the server.
>
> That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files.

We recommend using a different realm name for the IPA realm, it makes life much simpler.

You can try disabling DNS lookups for the KDC in /etc/krb5.conf and defining a KDC. You may also need to tell the sssd locator, configured in /var/lib/sss/pubconf/kdcinfo.$REALM.

IPA and AD both attempt to use the same DNS SRV records for autodiscovery. What is happening is your client is getting the AD information and trying to authenticate against it.

regards

rob
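Rob's three places where the client can still be steered to the wrong KDC (krb5.conf DNS lookups, sssd's own SRV discovery, and the sssd locator file) as an added checker, not code from the thread or from FreeIPA: it parses the client's krb5.conf and sssd.conf, flags each unpinned setting, and renders the pinned fragments. The sample configs and the 192.168.1.10 address are constructed; the function names are mine, and the one-address-per-line format assumed for kdcinfo.$REALM is an assumption.

```python
"""Audit whether an IPA client can still be sent to a foreign KDC that shares
its realm name (the "Client not found in Kerberos database" case above) and
render the pinned configuration.  Added example, not from the thread; assumes
kdcinfo.<REALM> holds one KDC address per line."""
import configparser
import re

REALM = "EXAMPLE.COM"
IPA_SERVER = "rhel6.example.com"
# The sshd lines in the thread show rhost=rhel6.example.com from 192.168.1.5.
IPA_SERVER_ADDRS = {"rhel6.example.com", "192.168.1.5"}

# Constructed samples: krb5.conf already names the KDC (the installer said
# "KDC address will be set to fixed value"), but sssd still discovers servers
# through SRV records, and the locator file it wrote points somewhere else.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = rhel6.example.com:88
    admin_server = rhel6.example.com:749
  }
"""
SAMPLE_SSSD_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, rhel6.example.com
"""
SAMPLE_KDCINFO = "192.168.1.10\n"  # constructed: an AD DC, not the IPA server


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf we need: key = value lines under
    [libdefaults] and one brace block per realm under [realms]."""
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
        elif section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                realms.setdefault(realm, {})
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                key, val = (s.strip() for s in line.split("=", 1))
                realms[realm].setdefault(key, []).append(val)
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            libdefaults[key] = val
    return libdefaults, realms


def is_true(value):
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit(krb5_text, sssd_text, kdcinfo_text, realm, ipa_addrs):
    """Report each place a foreign KDC could still win, plus an overall verdict."""
    lib, realms = parse_krb5_conf(krb5_text)
    f = {}
    # libkrb5 falls back to SRV lookups when dns_lookup_kdc is true (the MIT
    # default) and the realm lists no kdc; pinning needs both settings.
    has_kdc = bool(realms.get(realm, {}).get("kdc"))
    f["krb5_pinned"] = has_kdc and not is_true(lib.get("dns_lookup_kdc", "true"))
    # sssd's own discovery: "_srv_" in ipa_server means SRV records decide.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    servers = []
    for sect in cp.sections():
        if sect.startswith("domain/"):
            servers += [s.strip() for s in cp[sect].get("ipa_server", "").split(",")]
    f["sssd_uses_srv"] = any(s.lower() == "_srv_" for s in servers)
    # The sssd locator plugin hands these addresses to libkrb5 ahead of
    # krb5.conf, so a stale or foreign entry here overrides everything above.
    kdcs = [l.strip() for l in kdcinfo_text.splitlines() if l.strip()]
    f["kdcinfo_foreign"] = [k for k in kdcs if k.rsplit(":", 1)[0] not in ipa_addrs]
    f["pinned"] = f["krb5_pinned"] and not f["sssd_uses_srv"] and not f["kdcinfo_foreign"]
    return f


def pinned_configs(realm, ipa_host):
    """Corrected fragments: no DNS fallback in krb5.conf, no _srv_ in
    sssd.conf, and a locator file naming only the IPA server."""
    krb5 = ("[libdefaults]\n  dns_lookup_kdc = false\n\n[realms]\n"
            f"  {realm} = {{\n    kdc = {ipa_host}:88\n"
            f"    admin_server = {ipa_host}:749\n  }}\n")
    sssd = f"[domain/{realm.lower()}]\nid_provider = ipa\nipa_server = {ipa_host}\n"
    kdcinfo = f"{ipa_host}:88\n"
    return krb5, sssd, kdcinfo
```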
Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10
> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatibility
>
> Matthew Davidson wrote:
>> To clarify one point.
>> I used the current redhat documents to setup the two systems.
>> Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
>> Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
>> SSH does not seem to be discussed and that is when I started web surfing in an attempt to fix my problem before reaching out for help.
>
> A host service principal is created during enrollment so no additional work should be needed for SSH to work.
>
> The problem you're having is related to the fact that user lookup services are failing. Can you look in /var/log/secure and/or /var/log/sssd/* to see if there are any errors reported regarding sssd?
>
> What options did you pass to ipa-client-install?
>
> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-client install error
Hi,

Proper isn't defined as such, but yes in an ideal world.

Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod...now we have to start to separate them

also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA...otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:28 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error
Re: [Freeipa-users] ipa-client install error
What is the impact of IPA not working properly?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
>> So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I cant upgrade the clients until after the servers are done...if so that is a huge and ugly looking task that is one way
>
> No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server.
>
> Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
>
> rob

I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread. The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.

Martin

>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>> To: Steven Jones
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] ipa-client install error
>>
>>> Steven Jones wrote:
>>>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake.
>>>>
>>>> Anyway since our satellite is down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>>>
>>>> ==
>>>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>>>> Discovery was successful!
>>>> Hostname: rhel664ws01.ods.vuw.ac.nz
>>>> Realm: ODS.VUW.AC.NZ
>>>> DNS Domain: ods.vuw.ac.nz
>>>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>>>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>>>
>>>> Continue to configure the system with these values? [no]: yes
>>>> User authorized to enroll computers: admjonesst1
>>>> Synchronizing time with KDC...
>>>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>>>> Password for admjones...@ods.vuw.ac.nz:
>>>> Enrolled in IPA realm ODS.VUW.AC.NZ
>>>> Created /etc/ipa/default.conf
>>>> Unable to activate the SSH service in SSSD config.
>>>> Please make sure you have SSSD built with SSH support installed.
>>>> Configure SSH support manually in /etc/sssd/sssd.conf.
>>>> Configured /etc/sssd/sssd.conf
>>>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>>>> Traceback (most recent call last):
>>>>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>>>>     sys.exit(main())
>>>>   File "/usr/sbin/ipa-client-install", line 1521, in main
>>>>     rval = install(options, env, fstore, statestore)
>>>>   File "/usr/sbin/ipa-client-install", line 1358, in install
>>>>     api.Backend.xmlclient.connect()
>>>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>>>     conn = self.create_connection(*args, **kw)
>>>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>>>     raise errors.KerberosError(major=str(krberr), minor='')
>>>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>>>> [root@rhel664ws01 ~]#
>>>> ===
>>>>
>>>> Is this expected when trying to connect 6.3beta? ie its simply not compatible?
>>>
>>> The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires. We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
>>>
>>> rob
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> Hi,
>
> Proper isn't defined as such, but yes in an ideal world.
>
> Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod...now we have to start to separate them

Right, this is why we fixed the bug.

> also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA...otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

It will be fixed to work in 6.3 GA. The client enrollment will succeed but you won't get the 6.3 features (like SSH host keys uploaded).

The ipa tool is not downward compatible, so a 6.3 ipa tool will not work with a 6.2 server but the reverse WILL work.

rob
Re: [Freeipa-users] ipa-client install error
On 05/02/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> Proper isn't defined as such, but yes in an ideal world.
>
> Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod...now we have to start to separate them
>
> also will IPA server on 6.3 collide with IPA server on 6.2? It would be proper to only upgrade one IPA at a time in case the upgrade buggered IPA...otherwise I have to do all at once...and if it goes wrong I'm left with nothing..

The issue affects client to server authentication not server to server replication so 6.3 and 6.2 should work fine for several days while you are migrating servers from 6.2 to 6.3.

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:28 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-client install error
Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of properly but basically if IPA server isn't working, none of your auth or identity works. Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.

rob
Re: [Freeipa-users] ipa-client install error
On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server. We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.

> regards
>
> Steven Jones
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done, if so that is a huge and ugly looking task that is one way
>>
>> No, that's not the problem at all. Enrolled clients will work as expected. New 6.3 clients can enroll with a 6.3 server. Based on the log it looks like a 6.3 client can't enroll with a 6.2 server but I'm still investigating. We'll fix it if needed.
>>
>> rob
>
> I just sent a patch for this issue to freeipa-devel list. The problem was in the TGT forwarding as mentioned earlier in this thread. The patched client can now join an older IPA server. But ipa command still won't work properly as its API is higher than the server's.
>
> Martin
>
> regards
>
> Steven Jones
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 2 May 2012 1:19 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> Steven Jones wrote:
>> I made a slight oops, I just upgraded a long un-used vm on my desktop from 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway since our satellite is down I can't correct this so I tried to add the 6.3beta client to IPA on 6.2 and I get an error.
>>
>> ==
>> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
>> Discovery was successful!
>> Hostname: rhel664ws01.ods.vuw.ac.nz
>> Realm: ODS.VUW.AC.NZ
>> DNS Domain: ods.vuw.ac.nz
>> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
>> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admjonesst1
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> Password for admjones...@ods.vuw.ac.nz:
>> Enrolled in IPA realm ODS.VUW.AC.NZ
>> Created /etc/ipa/default.conf
>> Unable to activate the SSH service in SSSD config.
>> Please make sure you have SSSD built with SSH support installed.
>> Configure SSH support manually in /etc/sssd/sssd.conf.
>> Configured /etc/sssd/sssd.conf
>> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 1534, in <module>
>>     sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 1521, in main
>>     rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 1358, in install
>>     api.Backend.xmlclient.connect()
>>   File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
>>     conn = self.create_connection(*args, **kw)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in create_connection
>>     raise errors.KerberosError(major=str(krberr), minor='')
>> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos credentials/
>> [root@rhel664ws01 ~]#
>> ===
>>
>> Is this expected when trying to connect 6.3beta? ie its simply not compatible?
>
> The newer 2.2 client cannot connect to an older 2.1 server because it isn't going to send the TGT that the 2.1 server requires. We should handle this better, I've opened a ticket to track this: https://fedorahosted.org/freeipa/ticket/2697
>
> rob

--
Thank you,
Dmitri Pal
[Freeipa-users] Replication status
Hi,

I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?

Cheers,
Ian
Re: [Freeipa-users] ipa-client install error
Hi,

Sorry, I used IPA, I should have used lower case, e.g.,

> But ipa command still won't work properly as its API is higher than the server's.

The way I read that is a client will have limited command line capability? That would be OK over say some weeks while we upgraded.

regards

Steven Jones

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 3 May 2012 9:40 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of properly but basically if IPA server isn't working, none of your auth or identity works. Depending on what state sssd thinks the server is in it may fall back into offline mode in which case individual workstations will still operate but networked authentication/identity will fail.

rob
Re: [Freeipa-users] ipa-client install error
Hi,

BTW, is this advice in the admin guide? I would suggest it's worth stating.

regards

Steven Jones

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this package on the client side to be higher version than on the server. We are currently fixing the issue for the client enrollment to work even if you try to enroll later version of the ipa client with the earlier version of the server but for ipa-admintools the general rule: upgrade server first and then the client ipa-admintools package should continue to apply.
Re: [Freeipa-users] Replication status
Hi,

I'm definitely interested in this too. You can use `ipa-replica-manage -v list $HOSTNAME` to get detailed status information. I also found this:
http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring
But I believe that it needs to have the Directory Manager password hardcoded.

Let me know if you figure out a nice solution.

Thanks,
Dan

On Wed, May 2, 2012 at 5:46 PM, Ian Levesque i...@crystal.harvard.edu wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>
> Cheers,
> Ian
Re: [Freeipa-users] Replication status
On 05/02/2012 05:46 PM, Ian Levesque wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>
> Cheers,
> Ian

http://port389.org/wiki/Howto:ReplicationMonitoring

--
Thank you,
Dmitri Pal
Re: [Freeipa-users] Replication status
On 05/02/2012 04:11 PM, Ian Levesque wrote:
> On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:
>>> I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending/resuming the VM it's running on). It would be great if our nagios could monitor the replica status - anyone here have any ideas?
>>
>> http://port389.org/wiki/Howto:ReplicationMonitoring
>
> Thanks for the reply, but storing the directory manager password in plain text defies any sort of paranoia that should be fundamental to an IPA admin. I find it hard to believe it's even recommended at all!
>
> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?

You also need to expose the RUV tombstone entry at the base of each suffix.

> Thanks,
> Ian
Re: [Freeipa-users] Replication status
On 05/02/2012 07:36 PM, Ian Levesque wrote:
> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?
>>
>> You also need to expose the RUV tombstone entry at the base of each suffix.
>
> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any pointers?
>
> Cheers,
> Ian

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html
Re: [Freeipa-users] Replication status
Rich Megginson wrote:
> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status?
>>>
>>> You also need to expose the RUV tombstone entry at the base of each suffix.
>>
>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any pointers?
>>
>> Cheers,
>> Ian
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html

We already have some delegated permissions for replication but none granting only read access. Off the cuff, something like this might work:

# Mapping-tree entries carry the suffix as a quoted RDN value; the ACI uses
# the 389-ds "acl" keyword and quoted values.
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter = "(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read Replication Agreements
ipapermissiontype: SYSTEM

Note that you'll need to replace $SUFFIX with your base dn (dc=example,dc=com). This is untested so YMMV. If you find that it works and is useful please let us know, maybe we can add this for everyone to enjoy :-)

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
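As an added example of the monitoring Ian asks for, and of what a monitoring account with the read-only access Rob sketches would actually evaluate (this is not code from the thread, FreeIPA or 389-ds): a Nagios-style check over replication agreement entries. The attribute names (nsDS5ReplicaHost, nsds5replicaLastUpdateStatus, nsds5replicaLastUpdateEnd, nsds5replicaUpdateInProgress) are the ones 389-ds keeps on each agreement entry and are the same information `ipa-replica-manage -v list` prints; the hostnames, timestamps and status messages are constructed sample data, and the LDAP subtree search below cn=mapping tree,cn=config that would fetch real entries is assumed to be done by the caller with a least-privilege bind rather than as Directory Manager. It covers only the supplier's view of each agreement; comparing RUVs across servers, which as Rich notes also needs access to the RUV tombstone, is not covered.

```python
"""Nagios-style check of 389-ds/IPA replication agreement status.

Added example for this thread (not code from the thread, FreeIPA or 389-ds).
Only the evaluation logic is shown; the caller is expected to fetch the
agreement entries with an LDAP subtree search below cn=mapping tree,cn=config
using the filter (objectclass=nsds5replicationagreement), bound as a
read-only monitoring account rather than as Directory Manager.  The entries
at the bottom are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

# Nagios plugin exit codes, and their order of severity for aggregation.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
_SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}

# Attributes the 389-ds server keeps on each agreement entry.
ATTRS = ["nsDS5ReplicaHost", "nsds5replicaLastUpdateStatus",
         "nsds5replicaLastUpdateEnd", "nsds5replicaUpdateInProgress"]

# nsds5replicaLastUpdateStatus reads "0 Replica acquired successfully: ..."
# on older releases and "Error (0) Replica acquired successfully: ..." on
# newer ones; the regex accepts both and pulls out the numeric code.
_STATUS_RE = re.compile(r"^\s*(?:Error\s*\()?(-?\d+)\)?\s*(.*)$")


def parse_update_status(value):
    """Return (code, message) from an nsds5replicaLastUpdateStatus value;
    code is None when the value does not have the expected shape."""
    m = _STATUS_RE.match(value or "")
    if not m:
        return None, (value or "").strip()
    return int(m.group(1)), m.group(2).strip()


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20120502214500Z into an aware
    datetime.  389-ds reports "0" when no update has completed yet."""
    if not value or value.strip() == "0":
        return None
    return datetime.strptime(value.strip(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_agreement(entry, now, max_age=timedelta(minutes=30)):
    """Map one agreement entry (attribute name -> string) to a Nagios
    (exit_code, text) pair."""
    host = entry.get("nsDS5ReplicaHost", "?")
    code, msg = parse_update_status(entry.get("nsds5replicaLastUpdateStatus"))
    last_end = parse_generalized_time(entry.get("nsds5replicaLastUpdateEnd"))
    in_progress = entry.get("nsds5replicaUpdateInProgress", "FALSE").upper() == "TRUE"

    if code is None:
        return UNKNOWN, "%s: unparseable status %r" % (host, msg)
    if code != 0:
        # A non-zero code is the supplier reporting that the last session failed.
        return CRITICAL, "%s: replication error %d (%s)" % (host, code, msg)
    if last_end is None:
        # Status says success but nothing has ever completed: do not trust it.
        return CRITICAL, "%s: no completed update recorded" % host
    age = now - last_end
    if age > max_age and not in_progress:
        # Nothing failed, but the consumer has not been updated for a while
        # (a hung replica never reports an error, it just goes quiet).
        return WARNING, "%s: last update %d min ago" % (host, int(age.total_seconds() // 60))
    return OK, "%s: ok (%s)" % (host, msg)


def check_agreements(entries, now, max_age=timedelta(minutes=30)):
    """Evaluate every agreement and report the worst state, Nagios-style."""
    if not entries:
        return UNKNOWN, "no replication agreements found"
    results = [evaluate_agreement(e, now, max_age) for e in entries]
    worst = max(results, key=lambda r: _SEVERITY[r[0]])
    return worst[0], "; ".join(text for _, text in results)


# Constructed sample entries (hostnames, times and messages are made up).
NOW = datetime(2012, 5, 2, 22, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"nsDS5ReplicaHost": "ipa2.example.test",          # healthy, updated 15 min ago
     "nsds5replicaLastUpdateStatus": "0 Replica acquired successfully: Incremental update succeeded",
     "nsds5replicaLastUpdateEnd": "20120502214500Z",
     "nsds5replicaUpdateInProgress": "FALSE"},
    {"nsDS5ReplicaHost": "ipa3.example.test",          # supplier reports a failure
     "nsds5replicaLastUpdateStatus": "Error (-1) Unable to acquire replica: connection refused",
     "nsds5replicaLastUpdateEnd": "20120502180000Z",
     "nsds5replicaUpdateInProgress": "FALSE"},
    {"nsDS5ReplicaHost": "ipa4.example.test",          # success, but 3 hours stale
     "nsds5replicaLastUpdateStatus": "0 Replica acquired successfully: Incremental update succeeded",
     "nsds5replicaLastUpdateEnd": "20120502190000Z",
     "nsds5replicaUpdateInProgress": "FALSE"},
    {"nsDS5ReplicaHost": "ipa5.example.test",          # fresh agreement, no status yet
     "nsds5replicaLastUpdateStatus": "",
     "nsds5replicaLastUpdateEnd": "0",
     "nsds5replicaUpdateInProgress": "FALSE"},
]

if __name__ == "__main__":
    import sys
    state, text = check_agreements(SAMPLE_ENTRIES, NOW)
    print(text)
    sys.exit(state)
```

The staleness check is the part that would have caught Ian's hung replica: a supplier whose process is wedged keeps its last successful status string, so a check that only looks at the status code reports OK forever, while the age of nsds5replicaLastUpdateEnd keeps growing.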