Re: [Freeipa-users] Migration error?

2015-06-15 Thread Rob Crittenden

Janelle wrote:

Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in
trying to run an ipa migrate-ds?

ipa: ERROR: The search criteria was not specific enough. Expected 1 and
found 2.

The migration worked previously, but now, in order to try and update
some missing accounts that were added, it no longer works and
generates this error. I can't find any way to get verbose information to
find out what it is finding 2 of.


Usually means there is a replication conflict entry. You may be able to 
get more details on what failed by looking at the LDAP access log of 
both LDAP servers, though I guess I'd expect this happened locally on 
the IPA box.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] migrating 3.0 - 4.1: passwords not migrated?

2015-06-15 Thread Tamas Papp



On 06/10/2015 03:33 PM, Martin Kosek wrote:

On 06/10/2015 03:18 PM, Tamas Papp wrote:

hi,

Currently there are CentOS 6.5 servers and IPA 3.0.

The goal is migrating users to CentOS 7.1 and IPA 4.1.

This is the command I use:


$ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo
--group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat 
~/.pw.manager


Users are migrated successfully but passwords must be reset, otherwise they
cannot log on. Any idea what's going on?

My guess is that their Kerberos key is also migrated. The key is not valid on
the new installation as the Kerberos master key is also different. So I would
suggest stripping the users of their Kerberos attributes first.

Some advise here:
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA


I also have a bonus question.
How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
export/import it as ldif and that's all?

Hmm, this should be all. Except if the users were members of, for example, roles
or privileges, you would need to migrate that membership too, as the mere presence
of the memberOf attribute in the sys account will not be enough.


hi,

Eventually this still doesn't work as expected.
After migrating users they cannot login to the webui.

However, after logging in successfully without Kerberos, in other words
in a service bound to the LDAP server, they can log in fine on the webui too.

It's enough in our case, but normally it's not OK, I guess.


10x
tamas



[Freeipa-users] Migration error?

2015-06-15 Thread Janelle

Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in 
trying to run an ipa migrate-ds?


ipa: ERROR: The search criteria was not specific enough. Expected 1 and 
found 2.


The migration worked previously, but now, in order to try and update 
some missing accounts that were added, it no longer works and 
generates this error. I can't find any way to get verbose information to 
find out what it is finding 2 of.


Any help is appreciated.
~Janelle



Re: [Freeipa-users] stickybits and freeipa

2015-06-15 Thread Simo Sorce
On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
 Hi,
 
 We are about to implement freeipa in our environment.
 During some tests we have discovered problems when we are trying to 
 run scripts with the suid bit set.
 It looks like the system is trying to authenticate the suid user against 
 freeipa, but since the suid user doesn't have a valid ticket, the 
 script will not run.
 I would need some help to get around this problem.
 
 Is it possible to configure a keytab for the suid user so that this user 
 always has a valid ticket?

Hi Richard,
it is unclear to me what problem you are having.

Can you provide some log or output you receive when running commands
that do not work as you expect?

The kernel doesn't really care (nor try) to authenticate users when the
suid bit is set, so there must be some other component involved that is
causing you trouble.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Migration error?

2015-06-15 Thread Janelle

On 6/15/15 1:12 PM, Rob Crittenden wrote:

Janelle wrote:

On 6/15/15 6:36 AM, Rob Crittenden wrote:


Usually means there is a replication conflict entry. You may be able
to get more details on what failed by looking at the LDAP access log
of both LDAP servers, though I guess I'd expect this happened locally
on the IPA box.



Hi again,

I have been trying to follow this procedure for replication conflicts 
regarding nsds5ReplConflict, where I had the two account duplicates, 
but no matter what, I still get:


modifying rdn of entry 
nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com

ldap_rename: Constraint violation
additional info: Another entry with the same attribute value 
already exists (attribute: uid)


when I try to run the modrdn (ldapmodify) command, which simply 
refuses to work. I have been at it for over a week now with no luck. I 
think this is the last of my issues causing my replication problems. 
What caused this is that I do have multiple helpdesk personnel that had 
been updating user accounts. This process has been resolved, but we 
can't seem to remove the last few duplicates.


Any suggestions? Is there a missing step in conflict resolution perhaps?

~J




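Janelle's ldap_rename failure above and Martin Kosek's advice in the 3.0 to 4.1 migration thread (strip the Kerberos attributes from the users before `ipa migrate-ds`) both come down to preparing or repairing LDIF, so here is one added example that serves both passages. It is not code from the list or from the FreeIPA project. The LDIF is constructed (the nsuniqueid for janelle is the one from the message above, the one for bob is made up), the Kerberos attribute list is what this example assumes FreeIPA keeps on a user entry, and the resolution rule is the 389-ds behaviour the error message reflects: a conflict entry can be renamed back to its plain RDN only if no live entry holds that uid, otherwise the uid uniqueness plugin refuses the modrdn with exactly the "Constraint violation ... (attribute: uid)" shown above, and the conflict copy has to be deleted (or renamed to a different uid) instead. On a real server the conflict entries come from a search such as `ldapsearch -o ldif-wrap=no -D "cn=Directory Manager" -W -b cn=accounts,dc=example,dc=com '(nsds5ReplConflict=*)' '*' nsds5ReplConflict` (nsds5ReplConflict is operational, so it must be requested explicitly), and the attribute stripping is what the `--user-ignore-attribute` and `--user-ignore-objectclass` options of `ipa migrate-ds` do at import time.

```python
"""Added example: two LDIF passes a practitioner runs around `ipa migrate-ds`
(constructed data; not code from the list thread or from FreeIPA itself)."""
import re

# Kerberos state a FreeIPA user entry carries (names compared case-insensitively)
KRB_ATTRS = {"krbprincipalname", "krbcanonicalname", "krbprincipalkey",
             "krblastpwdchange", "krbpasswordexpiration", "krbextradata",
             "krblastsuccessfulauth", "krblastfailedauth", "krbloginfailedcount"}
KRB_OBJECTCLASSES = {"krbprincipalaux", "krbticketpolicyaux"}

SAMPLE_LDIF = """\
dn: uid=janelle,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: krbPrincipalAux
uid: janelle
krbPrincipalName: janelle@EXAMPLE.COM
krbPrincipalKey:: AAECAwQ=
krbLastPwdChange: 20150601120000Z

# conflict copy of the same user, as 389-ds names it after a concurrent add
dn: nsuniqueid=ffc68a41-86e71c6-71714816-fcf248a0+uid=janelle,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
objectClass: ldapsubentry
uid: janelle
nsds5ReplConflict: namingConflict uid=janelle,cn=users,cn=accounts,dc=example,dc=com

# conflict entry whose plain DN no longer exists (constructed nsuniqueid)
dn: nsuniqueid=00000000-00000000-00000000-00000001+uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: bob
nsds5ReplConflict: namingConflict uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, [(attr, rest), ...])]. `rest` keeps all text
    after the attribute's colon, so base64 values (attr:: xxx) survive untouched."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:             # the sentinel flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        else:
            name, _, rest = line.partition(":")
            if name.lower() == "dn":
                dn = rest.strip()
            else:
                attrs.append((name, rest))
    return entries


def values(attrs, name):
    """Values of one attribute (case-insensitive), base64 marker stripped."""
    return [r.lstrip(":").strip() for n, r in attrs if n.lower() == name.lower()]


def to_ldif(entries):
    out = []
    for dn, attrs in entries:
        out += ["dn: " + dn] + ["%s:%s" % (n, r) for n, r in attrs] + [""]
    return "\n".join(out)


def strip_kerberos(entries):
    """Drop old-realm Kerberos state so the new server issues fresh keys."""
    return [(dn, [(n, r) for n, r in attrs
                  if n.lower() not in KRB_ATTRS
                  and not (n.lower() == "objectclass"
                           and r.strip().lower() in KRB_OBJECTCLASSES)])
            for dn, attrs in entries]


CONFLICT_DN = re.compile(r"^nsuniqueid=[0-9a-f-]+\+(.+?),(.+)$", re.I)


def plan_conflicts(entries):
    """[(conflict_dn, action, ldif)] for each nsds5ReplConflict entry. Live DNs
    are taken from the same list here; on a real server look each plain DN up
    separately. deleteoldrdn stays 0: the old RDN's nsuniqueid is operational."""
    live = {dn.lower() for dn, a in entries if not values(a, "nsds5ReplConflict")}
    plan = []
    for dn, attrs in entries:
        m = CONFLICT_DN.match(dn)
        if not values(attrs, "nsds5ReplConflict") or not m:
            continue
        plain_rdn, parent = m.groups()
        if ("%s,%s" % (plain_rdn, parent)).lower() in live:
            # a live uid=... entry exists: modrdn back would trip uid uniqueness
            plan.append((dn, "delete", "dn: %s\nchangetype: delete\n" % dn))
        else:
            plan.append((dn, "modrdn", "dn: %s\nchangetype: modrdn\nnewrdn: %s\n"
                         "deleteoldrdn: 0\n" % (dn, plain_rdn)))
    return plan


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print(to_ldif(strip_kerberos(ents[:1])))
    for cdn, action, ldif in plan_conflicts(ents):
        print("# %s -> %s\n%s" % (cdn, action, ldif))
```

Feed the generated changes to `ldapmodify` against the master that holds the conflict entries and let replication carry the result; only after the conflict search comes back empty on every master is a re-initialize of the other servers worth attempting.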


Re: [Freeipa-users] direct ldap connect from dovecot

2015-06-15 Thread Rob Crittenden

Günther J. Niederwimmer wrote:

Hello,

is it possible to connect directly to LDAP from a program like dovecot?

I have big auth problems with my setup.

with cn=admin,cn=users,cn=accounts,dc=,dc=x
and password from admin this is not working

I don't know the 389 server :-(, at the moment I have to learn much more ;-).

If anyone can help, thank you.



First, have you looked at http://www.freeipa.org/page/Dovecot_Integration ?

If you're still having problems, a lot more information is necessary, 
like what does your dovecot configuration look like? What errors are you 
getting? What does the 389-ds access log say about the searches being 
done, etc.


rob



[Freeipa-users] direct ldap connect from dovecot

2015-06-15 Thread Günther J. Niederwimmer
Hello,

is it possible to connect directly to LDAP from a program like dovecot?

I have big auth problems with my setup.

with cn=admin,cn=users,cn=accounts,dc=,dc=x
and password from admin this is not working

I don't know the 389 server :-(, at the moment I have to learn much more ;-).

If anyone can help, thank you.
-- 
mit freundlichen Grüssen / best regards,

 Günther J. Niederwimmer



Re: [Freeipa-users] Migration error?

2015-06-15 Thread Janelle

On 6/15/15 6:36 AM, Rob Crittenden wrote:

Janelle wrote:

Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in
trying to run an ipa migrate-ds?

ipa: ERROR: The search criteria was not specific enough. Expected 1 and
found 2.

The migration worked previously, but now, in order to try and update
some missing accounts that were added, it no longer works and
generates this error. I can't find any way to get verbose information to
find out what it is finding 2 of.


Usually means there is a replication conflict entry. You may be able 
to get more details on what failed by looking at the LDAP access log 
of both LDAP servers, though I guess I'd expect this happened locally 
on the IPA box.


rob

I found the problem, but now when trying to re-init from a good server 
using ipa-replica-manage re-initialize, I get:


TLS error -8172:Peer's certificate issuer has been marked as not trusted 
by the user.


But how does THIS happen??
~J





Re: [Freeipa-users] Migration error?

2015-06-15 Thread Rob Crittenden

Janelle wrote:

On 6/15/15 6:36 AM, Rob Crittenden wrote:

Janelle wrote:

Good morning and happy Monday,

I have a strange problem. Wondering if anyone has seen this before in
trying to run an ipa migrate-ds?

ipa: ERROR: The search criteria was not specific enough. Expected 1 and
found 2.

The migration worked previously, but now, in order to try and update
some missing accounts that were added, it no longer works and
generates this error. I can't find any way to get verbose information to
find out what it is finding 2 of.


Usually means there is a replication conflict entry. You may be able
to get more details on what failed by looking at the LDAP access log
of both LDAP servers, though I guess I'd expect this happened locally
on the IPA box.

rob


I found the problem, but now when trying to re-init from a good server
using ipa-replica-manage re-initialize, I get:

TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the user.

But how does THIS happen??
~J


I don't know, I'd be curious to know if you can tell more context around 
where it failed (it may be opaque, or at least you'd have to dig 
carefully through both access logs to find it).


The first thing that happens is the agreement is looked up on both 
sides, then both sides are enabled, then a force sync is done, then 
replication is reinitialized. It could blow up at any point.


Given that it sounds like you are deploying multiple IPA installations, 
potentially with the same realm name, is it possible that you 
reinitialized from a master unknown to the server (e.g. in a different 
IPA install)?


That or the 389-ds NSS database on one side or another was modified 
somehow. It must have worked at one time because TLS is used for 
replication during the installation.


rob



Re: [Freeipa-users] 4.x on CentOS 6?

2015-06-15 Thread Alexander Bokovoy

On Sun, 14 Jun 2015, Rob Crittenden wrote:

Janelle wrote:

Hi everyone,

Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not
the server - just the client) on a CentOS 6.6 system? My guess is this
is really just based on sssd, or am I missing something?

I would like to get OTP on 6.6 system, just not sure if that is possible.


Right, you really need a newer sssd and I don't know if that is 
possible. The ipa-client package is really just a small script to get 
the client system configured, sssd does all the heavy lifting after 
that.

It is more than that, you have to have newer Kerberos libraries as well.

--
/ Alexander Bokovoy



Re: [Freeipa-users] 4.x on CentOS 6?

2015-06-15 Thread Lukas Slebodnik
On (13/06/15 16:04), Janelle wrote:
Hi everyone,

Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not the
server - just the client) on a CentOS 6.6 system? My guess is this is really
just based on sssd, or am I missing something?

If you want a newer version of sssd you can test the backported version
from Fedora. Here is a COPR repo [1].
It is the stable branch sssd-1.12, so it contains many fixes for bugs
in el 6.6.

I would like to get OTP on 6.6 system, just not sure if that is possible.

IIRC you would need support for OTP in Kerberos as well.
So you would need to backport it yourself or to find
newer packages somewhere.

LS

[1] https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/



Re: [Freeipa-users] Is something.local hostname possible

2015-06-15 Thread Petr Spacek
On 12.6.2015 17:40, James Benson wrote:
 Hi all,
 I'm trying to duplicate freeIPA on a local host but I keep on getting errors,
 primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone
 tried this before and succeeded or have suggestions?
 Thanks

Please do not use .local, it is reserved for multicast DNS.

General rules are described in Deployment Considerations for FreeIPA:
http://www.freeipa.org/page/Deployment_Recommendations#DNS

This is in line with other popular recommendations like e.g.
http://serverfault.com/questions/17255/top-level-domain-domain-suffix-for-private-network

If you need an 'internal' name and you own e.g. 'mydomain.example' then use
something like 'int.mydomain.example' and configure your DNS server to answer
for domain 'int.mydomain.example' only if clients are in the internal network.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Is something.local hostname possible

2015-06-15 Thread Martin Kosek
On 06/12/2015 05:40 PM, James Benson wrote:
 Hi all,
 I'm trying to duplicate freeIPA on a local host but I keep on getting errors,
 primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried
 this before and succeeded or have suggestions?
 Thanks
 
 James

What do you mean by duplicate freeIPA on a local host?

Anyway, when I do tests, I'd rather use hostnames like ipa.f22.test, which is
also local.
