[Freeipa-users] ipa-replica-manage re-initialize and database size
Hello all,

I am running two ipa 3.3.3 instances in a replication on CentOS 7 servers. Last day the root partition went full (where the dirsrv databases are stored), because of a big changelog db. dirsrv managed to do a graceful shutdown. Luckily, the second master was still working properly, so I could recover the first one from it. I resized the partition, booted up again and ran 'ipa-replica-manage re-initialize --from ipa02.internal'.

Everything seemed to run fine except for one warning regarding an issue with the changelog db. Here's the relevant portion of the log /var/log/dirsrv/slapd-INTERNAL/errors on the receiving (first) IPA master:

[...]
[23/Apr/2015:10:41:46 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is going offline; disabling replication
[23/Apr/2015:10:41:47 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[23/Apr/2015:10:41:55 +0200] - import userRoot: Workers finished; cleaning up...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Workers cleaned up.
[23/Apr/2015:10:41:55 +0200] - import userRoot: Indexing complete. Post-processing...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Generating numSubordinates complete.
[23/Apr/2015:10:41:55 +0200] - import userRoot: Flushing caches...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Closing files...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Import complete. Processed 9983 entries in 8 seconds. (1247.88 entries/sec)
[23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is coming online; enabling replication
[23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
[...]

I am no expert in LDAP or Directory Server, but I noticed a significant size difference of files in /var/lib/dirsrv/slapd-INTERNAL/cldb/:

root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
0       /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578.sema
24M     /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578_546f45150004.db
0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578.sema
6,8M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578_547485400060.db
4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
30M     total

root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
0       /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc.sema
4,7G    /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc_546f45150004.db
0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc.sema
3,7M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc_547485400060.db
4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
4,7G    total

Also, I noticed a difference in the actual database size on both servers:

root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
1,4M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
2,2M    /var/lib/dirsrv/slapd-INTERNAL/db/log.124384
101M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
115M    total

root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
1,7M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
4,3M    /var/lib/dirsrv/slapd-INTERNAL/db/log.074356
175M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
193M    total

Besides that, everything seems to be working fine again, including the replication. No errors or warnings regarding this issue are stated in the dirsrv logs. So I'm a bit confused right now whether to believe everything worked fine or not. Is this behaviour of IPA/Directory Server normal?

Many thanks in advance!

Greetings and a nice day,
Dominik Korittki

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-replica-manage re-initialize and database size
On 04/24/2015 09:26 AM, Dominik Korittki wrote:
> Hello all,
>
> I am running two ipa 3.3.3 instances in a replication on CentOS 7 servers. Last day the root partition went full (where the dirsrv databases are stored), because of a big changelog db. dirsrv managed to do a graceful shutdown. Luckily, the second master was still working properly, so I could recover the first one from it. I resized the partition, booted up again and ran 'ipa-replica-manage re-initialize --from ipa02.internal'.
>
> Everything seemed to run fine except for one warning regarding an issue with the changelog db. Here's the relevant portion of the log /var/log/dirsrv/slapd-INTERNAL/errors on the receiving (first) IPA master:
>
> [...]
> [23/Apr/2015:10:41:46 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is going offline; disabling replication
> [23/Apr/2015:10:41:47 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers finished; cleaning up...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Workers cleaned up.
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Indexing complete. Post-processing...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Generating numSubordinates complete.
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Flushing caches...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Closing files...
> [23/Apr/2015:10:41:55 +0200] - import userRoot: Import complete. Processed 9983 entries in 8 seconds. (1247.88 entries/sec)
> [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is coming online; enabling replication
> [23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
> [...]

This should be normal. At the moment of initialization, a server has a database and a changelog. The database is recreated by initialization, and when the replication plugin starts it detects that changelog and db no longer match and recreates the changelog.

> I am no expert in LDAP or Directory Server, but I noticed a significant size difference of files in /var/lib/dirsrv/slapd-INTERNAL/cldb/:
>
> root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578.sema
> 24M     /var/lib/dirsrv/slapd-INTERNAL/cldb/61e65983-718611e4-8059dc1c-48160578_546f45150004.db
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578.sema
> 6,8M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9b310907-74a711e4-8059dc1c-48160578_547485400060.db
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
> 30M     total
>
> root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/cldb/*
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc.sema
> 4,7G    /var/lib/dirsrv/slapd-INTERNAL/cldb/98ceaf89-74a711e4-910b9512-1512b1dc_546f45150004.db
> 0       /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc.sema
> 3,7M    /var/lib/dirsrv/slapd-INTERNAL/cldb/9cfacd4b-74a711e4-910b9512-1512b1dc_547485400060.db
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/cldb/DBVERSION
> 4,7G    total
>
> Also, I noticed a difference in the actual database size on both servers:
>
> root@ipa01:~ > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
> 1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
> 544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
> 9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
> 1,4M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
> 2,2M    /var/lib/dirsrv/slapd-INTERNAL/db/log.124384
> 101M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
> 115M    total
>
> root@ipa02:/var/log > du -sch /var/lib/dirsrv/slapd-INTERNAL/db/*
> 4,0K    /var/lib/dirsrv/slapd-INTERNAL/db/DBVERSION
> 1,7M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.001
> 544K    /var/lib/dirsrv/slapd-INTERNAL/db/__db.002
> 9,6M    /var/lib/dirsrv/slapd-INTERNAL/db/__db.003
> 1,3M    /var/lib/dirsrv/slapd-INTERNAL/db/ipaca
> 4,3M    /var/lib/dirsrv/slapd-INTERNAL/db/log.074356
> 175M    /var/lib/dirsrv/slapd-INTERNAL/db/userRoot
> 193M    total
>
> Besides that, everything seems to be working fine again, including the replication. No errors or warnings regarding this issue are stated in the dirsrv logs. So I'm a bit confused right now whether to believe everything worked fine or not. Is this behaviour of IPA/Directory Server normal?
>
> Many thanks in advance!
>
> Greetings and a nice day,
> Dominik Korittki
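As an added example (my own code, not from the thread or from 389-ds), here is a small Python parser for the errors-log lines quoted above. It turns the log into events and checks that a re-initialization shows the sequence the reply describes (replica offline, bulk import complete, replica online, changelog recreated); a changelog recreation with no preceding import is reported separately, since that is not explained by a re-initialize and deserves a look. The first sample is the log excerpt from the message; the second is a constructed stray warning; the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# 389-ds errors-log layout as seen above:
#   "[23/Apr/2015:10:41:55 +0200] <plugin> - <message>"  or  "[...] - <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<plugin>\S+)\s+)?-\s+(?P<msg>.*)$")

# Sample 1: the excerpt quoted in the message above.
SAMPLE_LOG = """\
[23/Apr/2015:10:41:46 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is going offline; disabling replication
[23/Apr/2015:10:41:47 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[23/Apr/2015:10:41:55 +0200] - import userRoot: Workers finished; cleaning up...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Workers cleaned up.
[23/Apr/2015:10:41:55 +0200] - import userRoot: Indexing complete. Post-processing...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Generating numSubordinates complete.
[23/Apr/2015:10:41:55 +0200] - import userRoot: Flushing caches...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Closing files...
[23/Apr/2015:10:41:55 +0200] - import userRoot: Import complete. Processed 9983 entries in 8 seconds. (1247.88 entries/sec)
[23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=internal is coming online; enabling replication
[23/Apr/2015:10:41:55 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.
"""

# Sample 2 (constructed): the same warning with no import around it.
SAMPLE_STRAY = """\
[24/Apr/2015:08:00:00 +0200] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=internal does not match the data in the changelog. Recreating the changelog file.
"""


@dataclass
class Event:
    ts: str
    kind: str                      # offline | online | import_complete | changelog_recreated | other
    detail: Optional[str] = None   # replica suffix or backend name
    entries: Optional[int] = None  # entry count for import_complete


def parse_line(line: str) -> Optional[Event]:
    """Classify one errors-log line; returns None for lines not in log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    r = re.search(r"replica (\S+) is going offline", msg)
    if r:
        return Event(ts, "offline", r.group(1))
    r = re.search(r"replica (\S+) is coming online", msg)
    if r:
        return Event(ts, "online", r.group(1))
    r = re.match(r"import (\S+): Import complete\. Processed (\d+) entries", msg)
    if r:
        return Event(ts, "import_complete", r.group(1), int(r.group(2)))
    r = re.search(r"new data for replica (\S+) does not match the data in the changelog", msg)
    if r:
        return Event(ts, "changelog_recreated", r.group(1))
    return Event(ts, "other")


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def reinit_summary(events: List[Event]) -> dict:
    """Check for the sequence a re-initialize produces:
    offline -> import_complete -> online -> changelog_recreated."""
    expected = ["offline", "import_complete", "online", "changelog_recreated"]
    ordered = [e.kind for e in events if e.kind in expected]
    imp = next((e for e in events if e.kind == "import_complete"), None)
    cl = next((e for e in events if e.kind == "changelog_recreated"), None)
    return {
        "backend": imp.detail if imp else None,
        "imported_entries": imp.entries if imp else None,
        "changelog_recreated": cl is not None,
        "expected_sequence": ordered == expected,
        # The warning itself says consumers of this replica may need a re-init.
        "consumers_may_need_reinit": cl is not None,
        # A changelog reset with no import is not explained by a re-initialize.
        "unexplained_changelog_reset": cl is not None and imp is None,
    }


if __name__ == "__main__":
    for name, sample in (("re-initialize", SAMPLE_LOG), ("stray warning", SAMPLE_STRAY)):
        print(name, reinit_summary(parse_log(sample)))
```

Run against a real /var/log/dirsrv/slapd-*/errors the same parser works unchanged; only the two samples are embedded so the script runs offline.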
[Freeipa-users] Unable to Rebuild Replica
Hi!

I noticed that my IPA domain masters were out of sync, with users having to login with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with a "ipa-server-install --uninstall -U", deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again. It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help?

I'm running this on RHEL 6.6 and I just updated the entire machine.

Installation logs:

Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'services.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@exampl.com password:
Execute check on remote master
Check connection from master to remote replica 'services01.exampl.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/17]: creating certificate server user
  [2/17]: creating pki-ca instance

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
CalledProcessError: Command '/usr/bin/pkicreate -pki_instance_root /var/lib -pki_instance_name pki-ca -subsystem_type ca -agent_secure_port 9443 -ee_secure_port 9444 -admin_secure_port 9445 -ee_secure_client_auth_port 9446 -unsecure_port 9180 -tomcat_server_port 9701 -redirect conf=/etc/pki-ca -redirect logs=/var/log/pki-ca -enable_proxy' returned non-zero exit status 255

From the ipa-replica-install.log:

2015-04-24T09:01:57Z DEBUG /usr/sbin/ipa-replica-install was invoked with argument "/var/lib/ipa/replica-info-services01.qrios.com.gpg" and options: {'no_forwarders': False, 'conf_ssh': True, 'conf_sshd': True, 'ui_redirect': True, 'reverse_zone': None, 'trust_sshfp': False, 'unattended': False, 'no_host_dns': False, 'ip_address': None, 'no_reverse': False, 'setup_dns': True, 'create_sshfp': True, 'setup_ca': True, 'forwarders': [CheckedIPAddress('8.8.8.8'), CheckedIPAddress('8.8.4.4')], 'debug': False, 'conf_ntp': True, 'skip_conncheck': False}
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-24T09:01:57Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2015-04-24T09:01:57Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2015-04-24T09:01:57Z DEBUG stdout=VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         services01.qrios.com (/etc/httpd/conf.d/nss.conf:84)

2015-04-24T09:01:57Z DEBUG stderr=Syntax OK
2015-04-24T09:02:04Z DEBUG args=/usr/bin/gpg --batch --homedir /tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg --passphrase-fd 0 --yes --no-tty -o /tmp/tmpo2Cx3jipa/files.tar -d /var/lib/ipa/replica-info-services01.qrios.com.gpg
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=gpg: WARNING: unsafe permissions on homedir `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg'
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpo2Cx3jipa/ipa-8QrzAR/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

2015-04-24T09:02:04Z DEBUG args=tar xf /tmp/tmpo2Cx3jipa/files.tar -C /tmp/tmpo2Cx3jipa
2015-04-24T09:02:04Z DEBUG stdout=
2015-04-24T09:02:04Z DEBUG stderr=
2015-04-24T09:0
Re: [Freeipa-users] Unable to Rebuild Replica
Sina,

On Fri, 24 Apr 2015, Sina Owolabi wrote:
> I noticed that my IPA domain masters were out of sync, with users having to login with different passwords depending on the IPA client they were connected to. I noticed it was the replica that was the problem, and I took it down, uninstalled IPA with a "ipa-server-install --uninstall -U", deleted all the folders based on Adam Young's blog (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and tried to create the replica again. It repeatedly fails, and I am hoping for some insight on how to fix this. Please can anyone help? I'm running this on RHEL 6.6 and I just updated the entire machine.
>
> Installation logs:
> [...]

you may have run into this issue:

https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html

In short: You may be missing some Apache modules on the IPA master. This problem occurs only if you attempt to install your replica with "--setup-ca", otherwise installation will work.

With best regards,

--Daniel.
Re: [Freeipa-users] Unable to Rebuild Replica
Thanks Daniel!

Please what are the downsides of installing without --setup-ca? And how do I make certain both servers have the same number of modules?

On Fri, Apr 24, 2015 at 10:44 AM, wrote:
> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users having
>> to login with different passwords depending on the IPA client they were
>> connected to. I noticed it was the replica that was the problem, and I took
>> it down, uninstalled IPA with a "ipa-server-install --uninstall -U", deleted
>> all the folders based on Adam Young's blog
>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and
>> tried to create the replica again. It repeatedly fails, and I am hoping for some
>> insight on how to fix this. Please can anyone help? I'm running this on
>> RHEL 6.6 and I just updated the entire machine.
>>
>> Installation logs:
>> [...]
>
> you may have run into this issue:
>
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This
> problem occurs only if you attempt to install your replica with
> "--setup-ca", otherwise installation will work.
>
> With best regards,
>
> --Daniel.
Re: [Freeipa-users] Unable to Rebuild Replica
Sina,

On Fri, 24 Apr 2015, Sina Owolabi wrote:
> Please what are the downsides of installing without --setup-ca?

I don't know exactly, sorry. If you install with "--setup-ca" an IPA replica and master only differ in two details:

https://www.redhat.com/archives/freeipa-users/2014-July/msg00115.html

> And how do I make certain both servers have the same number of modules?

You have most likely installed all required modules on both machines. You may not have, however, activated the required Apache modules on the master - at least that was my mistake in the past. Check

https://www.redhat.com/archives/freeipa-users/2015-February/msg00041.html

for details.

---
apachectl -t -D DUMP_MODULES
---

shows the active modules of your running Apache on the IPA master. Apache modules are usually enabled/disabled in the Apache configuration file in /etc/httpd.

Please be aware that this _may_ be the cause of your problem. There may be a different cause as well.

> On Fri, Apr 24, 2015 at 10:44 AM, wrote:
>> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>>> I noticed that my IPA domain masters were out of sync, with users having
>>> to login with different passwords depending on the IPA client they were
>>> connected to. I noticed it was the replica that was the problem, and I took
>>> it down, uninstalled IPA with a "ipa-server-install --uninstall -U", deleted
>>> all the folders based on Adam Young's blog
>>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/) and
>>> tried to create the replica again. It repeatedly fails, and I am hoping for some
>>> insight on how to fix this. Please can anyone help? I'm running this on
>>> RHEL 6.6 and I just updated the entire machine.
>>>
>>> Installation logs:
>>> [...]
>>
>> you may have run into this issue:
>>
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>>
>> In short: You may be missing some Apache modules on the IPA master. This
>> problem occurs only if you attempt to install your replica with
>> "--setup-ca", otherwise installation will work.

With best regards,

--Daniel.
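As an added example (my own code, not from the thread), here is a way to answer the "same modules on both servers" question mechanically: capture `apachectl -t -D DUMP_MODULES` on the master and on the replica, parse both listings and report every module that is active on one host but not the other. The two listings below are constructed samples (the module names are illustrative; the thread does not say which modules the CA setup needs), so the script only reports the difference and leaves the judgement to the reader.

```python
import re
from typing import Dict, Set

# Layout of `apachectl -t -D DUMP_MODULES` (same as `httpd -M`):
#   Loaded Modules:
#    core_module (static)
#    ssl_module (shared)
#   Syntax OK
MODULE_RE = re.compile(r"^\s*(\S+_module)\s+\((static|shared)\)\s*$")

# Constructed sample: DUMP_MODULES captured on the IPA master.
MASTER_DUMP = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_kerb_module (shared)
 nss_module (shared)
 rewrite_module (shared)
Syntax OK
"""

# Constructed sample: the same command on the replica, two modules more.
REPLICA_DUMP = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_kerb_module (shared)
 nss_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
Syntax OK
"""


def parse_dump_modules(text: str) -> Dict[str, str]:
    """Return {module_name: 'static' | 'shared'}; non-module lines are ignored."""
    modules: Dict[str, str] = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def compare_modules(master_dump: str, replica_dump: str) -> Dict[str, Set[str]]:
    """Set difference of the active modules on the two hosts."""
    master = set(parse_dump_modules(master_dump))
    replica = set(parse_dump_modules(replica_dump))
    return {
        "only_on_master": master - replica,
        "only_on_replica": replica - master,
        "common": master & replica,
    }


def report(master_dump: str, replica_dump: str) -> str:
    """Human-readable summary, one line per differing module."""
    diff = compare_modules(master_dump, replica_dump)
    lines = [f"{len(diff['common'])} modules active on both hosts"]
    for host, key in (("master", "only_on_master"), ("replica", "only_on_replica")):
        for name in sorted(diff[key]):
            lines.append(f"only on {host}: {name}")
    if len(lines) == 1:
        lines.append("module sets are identical")
    return "\n".join(lines)


if __name__ == "__main__":
    # Replace the two samples with the real captures, e.g. the contents of
    # `apachectl -t -D DUMP_MODULES > /tmp/modules.txt` from each host.
    print(report(MASTER_DUMP, REPLICA_DUMP))
```

A module that is compiled in but not active in /etc/httpd/conf does not appear in DUMP_MODULES, which is exactly the case the reply above describes, so this comparison catches "installed but not activated" as well as "not installed".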
Re: [Freeipa-users] Unable to Rebuild Replica
dbisc...@hrz.uni-kassel.de wrote:
> Sina,
>
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
>
>> I noticed that my IPA domain masters were out of sync, with users
>> having to login with different passwords depending on the IPA client
>> they were connected to. I noticed it was the replica that was the
>> problem, and I took it down, uninstalled IPA with a
>> "ipa-server-install --uninstall -U", deleted all the folders based on
>> Adam Young's blog
>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/)
>> and tried to create the replica again. It repeatedly fails, and I am
>> hoping for some insight on how to fix this. Please can anyone help?
>> I'm running this on RHEL 6.6 and I just updated the entire machine.
>>
>> Installation logs:
>> [...]
>
> you may have run into this issue:
>
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
>
> In short: You may be missing some Apache modules on the IPA master. This
> problem occurs only if you attempt to install your replica with
> "--setup-ca", otherwise installation will work.

Well, he said he had it working at one point so I'm not sure this applies, assuming of course the previous install had a CA.

The current problem you're seeing is related to the fact that sometimes when the CA fails to install it isn't marked as having tried in the IPA state tracker, so when you uninstall it does nothing with this half-installed CA instance, which causes all future install attempts to fail because of this left-over stuff.

To remove this pki instance:

# /usr/sbin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

Then re-run ipa-server-install --uninstall just to be sure.

Then try the install again.

And before you do any of this, when you deleted this master did you remove the replication agreements first using ipa-replica-manage? If not I'd check to be sure there isn't an existing agreement, and the same with ipa-csreplica-manage.

rob
[Freeipa-users] Ticket delegation
Hello,

I'm on F21 and if I login to my workstation I can then sso using ssh to host X. But then I'm also able to sso from x -> y.

If I'm on x and issue klist I see this:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5

Should I really be able to do this?

--- john
[Freeipa-users] FreeIPA 4 JSON API documentation
Where can I find clear documentation on the JSON RPC API to FreeIPA latest version (4.x.x)?

http://www.freeipa.org/page/Documentation has nothing such as code samples for authenticating, adding or updating users in Linux.

I think this cannot be the only documentation available on the internet:
http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/

Can anyone share a document or draft containing methods and arguments of the FreeIPA API?

regards
Re: [Freeipa-users] Ticket delegation
John Obaterspok wrote:
> Hello,
>
> I'm on F21 and if I login to my workstation I can then sso using ssh to
> host X. But then I'm also able to sso from x -> y.
>
> If I'm on x and issue klist I see this:
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5
>
> Should I really be able to do this?
>
> --- john

Did you add your ssh pubkey? ssh -vv will show you the auth method that it is using.

FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it should be using KEYRING:persistent::

rob
Re: [Freeipa-users] FreeIPA 4 JSON API documentation
Wanderley Mayhé wrote:
> Where can I find clear documentation on the JSON RPC API to FreeIPA
> latest version (4.x.x)?
>
> http://www.freeipa.org/page/Documentation has nothing such as code
> samples for authenticating, adding or updating users in Linux.
>
> I think this cannot be the only documentation available on the internet:
> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>
> Can anyone share a document or *draft* containing methods and arguments
> of the FreeIPA API?

It is being worked on: https://fedorahosted.org/freeipa/ticket/3129

The API is fairly easy to deduce from the cli using -vv:

$ ipa -vv user-show admin
ipa: INFO: trying https://gyre.example.com/ipa/json
ipa: INFO: Forwarding 'user_show' to json server 'https://gyre.example.com/ipa/json'
ipa: INFO: Request: {
    "id": 0,
    "method": "user_show",
    "params": [
        [
            "admin"
        ],
        {
            "all": false,
            "no_members": false,
            "raw": false,
            "rights": false,
            "version": "2.114"
        }
    ]
}
ipa: INFO: Response: {
    "error": null,
    "id": 0,
... snip

rob
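As an added example (my own code, not FreeIPA's client library and not from the thread), here is the envelope the `-vv` output above reveals, written out as a small Python helper: `params` is a two-element list of positional arguments and an options dict, the `version` option pins the API version (the value "2.114" is the one shown above), and the response carries `error`/`result` under the same `id`. The two sample responses are constructed, and the `call` function's use of the session endpoint with an `ipa_session` cookie and a `Referer` header is my assumption about the server, not something the thread states.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

API_VERSION = "2.114"   # value shown in the -vv output above


class IPAError(Exception):
    """Raised when the server answers with a non-null 'error' object."""


def build_request(method: str, args: List[str], options: Optional[Dict[str, Any]] = None,
                  req_id: int = 0, version: str = API_VERSION) -> Dict[str, Any]:
    """Build the JSON-RPC envelope exactly as `ipa -vv` prints it:
    {"id": N, "method": "user_show", "params": [[positional...], {options...}]}."""
    opts = dict(options or {})
    opts.setdefault("version", version)   # pin the API version like the CLI does
    return {"id": req_id, "method": method, "params": [list(args), opts]}


def parse_response(raw: str, expected_id: int = 0) -> Dict[str, Any]:
    """Return the 'result' object, or raise IPAError for an error response
    or a response whose id does not match the request."""
    data = json.loads(raw)
    if data.get("id") != expected_id:
        raise IPAError(f"response id {data.get('id')!r} does not match request id {expected_id!r}")
    err = data.get("error")
    if err is not None:
        raise IPAError(f"{err.get('name', 'error')} ({err.get('code')}): {err.get('message')}")
    return data["result"]


def call(server: str, session_cookie: str, method: str, args: List[str],
         options: Optional[Dict[str, Any]] = None, req_id: int = 0) -> Dict[str, Any]:
    """ASSUMPTION (mine, not from the thread): POST the envelope to
    https://<server>/ipa/session/json with an ipa_session cookie and a Referer
    of https://<server>/ipa. The -vv output above used /ipa/json instead, which
    the CLI reaches with its Kerberos ticket. TLS verification stays on, so the
    IPA CA must be trusted by the caller."""
    body = json.dumps(build_request(method, args, options, req_id)).encode()
    req = urllib.request.Request(
        f"https://{server}/ipa/session/json", data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Referer": f"https://{server}/ipa", "Cookie": f"ipa_session={session_cookie}"})
    with urllib.request.urlopen(req) as resp:
        return parse_response(resp.read().decode(), req_id)


# Constructed sample: a successful user_show reply (shape only; values are made up).
SAMPLE_OK = json.dumps({
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM",
    "result": {"result": {"uid": ["admin"], "memberof_group": ["admins", "trust admins"]},
               "summary": None, "value": "admin"},
    "version": "4.1.0",
})

# Constructed sample: an error reply for a user that does not exist.
SAMPLE_ERR = json.dumps({
    "error": {"code": 4001, "message": "nobody: user not found", "name": "NotFound"},
    "id": 0, "principal": "admin@EXAMPLE.COM", "result": None, "version": "4.1.0",
})


if __name__ == "__main__":
    print(json.dumps(build_request("user_show", ["admin"], {"all": False}), indent=4))
    print(parse_response(SAMPLE_OK)["value"])
    try:
        parse_response(SAMPLE_ERR)
    except IPAError as e:
        print("server error:", e)
```

Checking the `id` before trusting `result` matters once requests are batched or retried over one session: a stale or reordered reply must not be taken as the answer to the current call.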
[Freeipa-users] Web UI: Migrated Admins missing action buttons
Hi

I am in the process of setting up and configuring a FreeIPA Server 4.1.0.

I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command:

ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://:389

When I log into the 4.1.0 Web UI, with the default "admin" user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc.

If I log in with an imported admin user, these buttons are missing.

If I log into the old 3.0.0 Web UI, these buttons are available with both users.

thanks

Chris Lamb

p.s. it would be great if the syntax for an IPA "old" to IPA "new" migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format.
[Freeipa-users] IPA Web UI behind proxy
Hi,

Does anybody have any experience putting the IPA web UI behind a reverse proxy?

In an attempt to allow our users to access the UI without browser warnings and without having to add the root CA certificate to their trusted store (there was some resistance to that idea), I set up an nginx server as a simple reverse proxy. Every request returns an "Unable to verify your Kerberos credentials" error page.

The headers returned:

$ http -h GET https://proxy/ipa
HTTP/1.1 401 Unauthorized
Accept-Ranges: bytes
Connection: keep-alive
Content-Length: 1474
Content-Type: text/html; charset=UTF-8
Date: Fri, 24 Apr 2015 18:43:06 GMT
Last-Modified: Thu, 19 Mar 2015 18:38:36 GMT
Server: nginx/1.4.6 (Ubuntu)
WWW-Authenticate: Negotiate

I saw this thread from 2013: https://www.redhat.com/archives/freeipa-users/2013-August/thread.html#00065

I'm sending the proper Host and Referer headers from the proxy as specified, and I modified the Apache rewriting rules to not redirect to the hostname of the backend IPA server.

Any ideas how this can be done?

Thanks,

--
Benjamen Keroack
Infrastructure/DevOps Engineer
benja...@dollarshaveclub.com
Re: [Freeipa-users] Ticket delegation
2015-04-24 17:47 GMT+02:00 Rob Crittenden:
> John Obaterspok wrote:
> > Hello,
> >
> > I'm on F21 and if I login to my workstation I can then sso using ssh to
> > host X. But then I'm also able to sso from x -> y.
> >
> > If I'm on x and issue klist I see this:
> > klist: No credentials cache found (ticket cache FILE:/tmp/krb5
> >
> > Should I really be able to do this?
> >
> > --- john
>
> Did you add your ssh pubkey? ssh -vv will show you the auth method that
> it is using.

Of course, I just forgot about it :) For the record, gssapi-with-mic was the auth method.

> FILE:/tmp/krb5 is a rather odd place to store the ccache too. On F21 it
> should be using KEYRING:persistent::

The host that I ssh'ed into had F20.

Thanks Rob!

-- john
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
On 04/24/2015 12:58 PM, Christopher Lamb wrote:
> Hi
>
> I am in the process of setting up and configuring a FreeIPA Server 4.1.0.
>
> I have successfully migrated all the users from an existing FreeIPA Server 3.0.0 with the following command:
>
> ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://:389
>
> When I log into the 4.1.0 Web UI, with the default "admin" user, on the Identity/Users overview page, I have buttons for Delete, Add, Enable, Disable etc.
>
> If I log in with an imported admin user, these buttons are missing.
>
> If I log into the old 3.0.0 Web UI, these buttons are available with both users.

This is most likely because the permissions changed in 4.0 and the old admin does not have the privileges that are now default in 4.1.

> thanks
>
> Chris Lamb
>
> p.s. it would be great if the syntax for an IPA "old" to IPA "new" migration using ipa migrate-ds was included in the IPA documentation. I had to dig deep in the migration.py script to find the accepted format.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons
Dmitri Pal wrote:
> On 04/24/2015 12:58 PM, Christopher Lamb wrote:
>> Hi
>>
>> I am in the process of setting up and configuring a FreeIPA Server 4.1.0.
>>
>> I have successfully migrated all the users from an existing FreeIPA
>> Server 3.0.0 with the following command:
>>
>> ipa migrate-ds --group-overwrite-gid
>> --user-container='cn=users,cn=accounts'
>> --group-container='cn=groups,cn=accounts' ldap://
>> server>:389
>>
>> When I log into the 4.1.0 Web UI, with the default "admin" user, on the
>> Identity/Users overview page, I have buttons for Delete, Add, Enable,
>> Disable etc.
>>
>> If I log in with an imported admin user, these buttons are missing.
>>
>> If I log into the old 3.0.0 Web UI, these buttons are available with both
>> users.
>
> This is most likely because the permissions changed in 4.0 and the old admin
> does not have the privileges that are now default in 4.1.

He migrated rather than upgrading so this doesn't apply.

So the question is: why did you migrate and not create a replica with 4.x and migrate that way?

One needs to be a member of the admins group to be an admin, I'd start there.

>> p.s. it would be great if the syntax for an IPA "old" to IPA "new"
>> migration using ipa migrate-ds was included in the IPA documentation.
>> I had to dig deep in the migration.py script to find the accepted format.

There is a ticket for this but the expected upgrade path is to install a replica on the new version and once things are confirmed to be working, decommission the older ones.

rob
[Freeipa-users] problem with reinstall ipa client
hi

I removed the IPA server (3.0.0, CentOS 6.5) with hostname (ipasrv.linux) and reinstalled the IPA server with the same hostname and OS (CentOS 6.5). The IPA server integrates with AD Windows (2008).

On the clients I first uninstalled the IPA client with the command

ipa-client-install --uninstall

but when I want to install with

ipa-client-install --mkhomedir

I get the error:

LDAP Error: Connect error: TLS error -8054:You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

thanks everybody