Re: [Freeipa-users] help! IPA server she explode!
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote:
> I have an internal ajax error! :( the logs say,

Ping me later on IRC, I'd like you to run some commands, and it will be easier done interactively.

Simo.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] /var/log/dirsrv/slapd-* permissions
Yep it's a user called dirsrv and another pkisrv. Pretty sure it was all running, I imagine it just wasn't logging properly. I changed the ownership of the files a while ago so it's started logging properly again but trawling through the error logfiles we've got

LOGINFO: Unable to open access file:/var/log/dirsrv/slapd-TEST-NET/access

Which is funny cause somehow it still managed to write the error into the error log.

On Fri, May 13, 2011 at 4:37 PM, Adam Young ayo...@redhat.com wrote:
> On 05/13/2011 06:11 AM, Charlie Derwent wrote:
>> Hi
>>
>> First time posting on the mailing list so go easy on me :-)
>>
>> I've installed freeipa on our network and noticed that no real user owns the folders /var/log/dirsrv/slapd-PKI-IPA and /var/log/dirsrv/slapd-TEST-NET. Isn't this going to cause logrotate errors? I have a feeling this came about because I installed freeipa then had to uninstall it, then re-installed it again and the UIDs and GIDs I'm seeing may have been the previous pkisrv and dirsrv users/groups. If this is true can I just manually chown the directories and if so what permissions should I set?
>
> That is not the normal state of things. They should be owned by the dirsrv user and group. Since the dirsrv user is responsible for writing to these files, creating the directories etc, I would not think you would have a usable install if this is not set up correctly.
>
> If you do ps -ef | grep dirsrv, what user is running those processes?
>
>> Thanks
>> Charlie
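An added example, not part of the original posts: a Python check for the condition discussed in this thread, where files under /var/log/dirsrv are owned by a UID or GID that no longer maps to an account after an uninstall and reinstall. The function name and the injectable resolver parameters are assumptions of this example; the expected owner dirsrv:dirsrv is taken from Adam's reply.

```python
import grp
import os
import pwd
import sys


def _user(uid):
    """Account name for uid, or None when no passwd entry exists."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def _group(gid):
    """Group name for gid, or None when no group entry exists."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def audit_ownership(root, user, group, uid_name=_user, gid_name=_group):
    """Return (path, problem) pairs for entries under root not owned by user:group.

    uid_name/gid_name are injectable (an assumption of this example) so the
    logic can be exercised without root or a real dirsrv account.
    """
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat: report a symlink itself, not its target
        owner, owner_group = uid_name(st.st_uid), gid_name(st.st_gid)
        if owner is None:
            findings.append((path, "orphaned uid %d" % st.st_uid))
        elif owner != user:
            findings.append((path, "owned by %s, expected %s" % (owner, user)))
        if owner_group is None:
            findings.append((path, "orphaned gid %d" % st.st_gid))
        elif owner_group != group:
            findings.append((path, "group %s, expected %s" % (owner_group, group)))
    return findings


if __name__ == "__main__":
    # Default is the directory named in the thread; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/log/dirsrv"
    if os.path.isdir(target):
        for path, problem in audit_ownership(target, "dirsrv", "dirsrv"):
            print("%s: %s" % (path, problem))
```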
Re: [Freeipa-users] help! IPA server she explode!
Steven Jones wrote:
> I have an internal ajax error! :( the logs say,
>
> [Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
> jonesst1 [Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
> jonesst1 [Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
> jonesst1 [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/
> jonesst1 [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/top-bg.png, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/ipa.css
> jonesst1 [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> jonesst1 [Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> jonesst1 [Thu May 19 10:04:43 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1917): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
> jonesst1 [Thu May 19 10:04:45 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
> jonesst1 [Thu May 19 10:05:09 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1916): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
> jonesst1 [root@vuwunicoipamt01 httpd]#
>
> regards

The key bit in the log is:

Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')

Without the schema the framework can't do much of anything useful so it just punts.

Some things to try in no particular order:

- /sbin/service httpd restart, perhaps dirsrv was down when httpd started
- on IPA server kinit admin to ensure things are working
- ensure that dirsrv is running (krb5kdc running w/o dirsrv is bound to fail)

rob
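An added example, not part of Rob's reply: a Python pass over an Apache error_log that pulls out the IPA startup failure with its Kerberos error tuple and counts the later per-request errors separately. The sample log is constructed (placeholder hostname, realm and client address), and the function and category names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the Apache 2.2 error_log format seen in the thread;
# hostname, realm and client address are placeholders.
FAIL_LINE = ("[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: "
             "Unable to retrieve LDAP schema. Error initializing principal "
             "HTTP/ipa.example.test@EXAMPLE.TEST in /etc/httpd/conf/ipa.keytab: "
             "(-1765328228, 'Cannot contact any KDC for requested realm')")
SAMPLE_LOG = "\n".join([
    "[Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations",
    FAIL_LINE, FAIL_LINE,  # the startup failure is logged twice, as in the thread
    "[Thu May 19 10:04:42 2011] [error] [client 192.0.2.10] File does not exist: /usr/share/ipa/ui/favicon.ico",
    "[Thu May 19 10:04:43 2011] [error] [client 192.0.2.10] mod_wsgi (pid=1917): Target WSGI script "
    "'/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.",
])

# search() rather than match(), so a pasted prefix before the timestamp is tolerated.
ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)")
STARTUP = re.compile(
    r"ipa: ERROR: Failed to start IPA: (?P<reason>.*?)\. Error initializing "
    r"principal (?P<principal>\S+) in (?P<keytab>\S+): \((?P<code>-?\d+), '(?P<text>[^']*)'\)")


def triage(log_text):
    """Return (startup failures, deduplicated; counts of later request errors)."""
    causes, noise = [], Counter()
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry or entry.group("level") != "error":
            continue
        msg = entry.group("msg")
        hit = STARTUP.search(msg)
        if hit:
            # -1765328228 is KRB5_KDC_UNREACH in MIT Kerberos.
            cause = dict(hit.groupdict(), code=int(hit.group("code")),
                         first_seen=entry.group("ts"))
            seen = [(c["code"], c["principal"]) for c in causes]
            if (cause["code"], cause["principal"]) not in seen:
                causes.append(cause)
        elif "mod_wsgi" in msg:
            noise["wsgi application missing"] += 1
        elif "File does not exist" in msg:
            noise["missing static file"] += 1
        else:
            noise["other"] += 1
    return causes, dict(noise)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```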
[Freeipa-users] freeipa and AD
is this how ipa works?

End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

My understanding is it's simpler. Just a password sync? which I guess is achieved by that password sync.

regards

Steven
Re: [Freeipa-users] freeipa and AD
On 05/19/2011 06:06 PM, Steven Jones wrote:
> is this how ipa works?
>
> End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

This is what we are building now.

> My understanding is it's simpler. Just a password sync? which I guess is achieved by that password sync.

User synch from AD and password synch in both directions is what it is capable of now.

> regards
>
> Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] freeipa and AD
So this will be freeipa 3.0? or 4.0? i.e. I assume it's not 2.0.xxx?

about how far away is it? 2 years?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 20 May 2011 10:27 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa and AD

On 05/19/2011 06:06 PM, Steven Jones wrote:
> is this how ipa works?
>
> End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

This is what we are building now.

> My understanding is it's simpler. Just a password sync? which I guess is achieved by that password sync.

User synch from AD and password synch in both directions is what it is capable of now.

> regards
>
> Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] freeipa and Universities Shibboleth/federation
On 05/19/2011 07:19 PM, Steven Jones wrote:
> Hi
>
> Has anyone been near this?
>
> My limited understanding is the Shibboleth rpms can work with FDS, so I'm assuming there is a capability/link?
>
> regards

I do not think we ever got to trying it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] freeipa and Universities Shibboleth/federation
oh lucky me then

regards

Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 20 May 2011 11:27 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa and Universities Shibboleth/federation

On 05/19/2011 07:19 PM, Steven Jones wrote:
> Hi
>
> Has anyone been near this?
>
> My limited understanding is the Shibboleth rpms can work with FDS, so I'm assuming there is a capability/link?
>
> regards

I do not think we ever got to trying it.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.