[Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
Hi all,

I accidentally removed one of my IPA replica hosts in the IPA web UI by mistake. On the host list I planned to remove ipaclient02.example.com, but the mouse moved to ipareplica02.example.com and the latter got removed without a prompt. I realized the mistake and tried to recover from this disaster, but it was already too late: the change had propagated to all the replicas and the poor ipareplica02 now stops functioning.

    [root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
    ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
    [root@ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
    ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
    [root@ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
    ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
    [root@ipareplica02 slapd-EXAMPLE-COM]#

On the IPA master, ipareplica02 no longer shows up in the 'host-find' or 'service-find' lists. It still shows in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', but the real command 'ipa-replica-manage list ipareplica02' fails with an "LDAP couldn't be reached" error.

What should I do now? Are there any other ways to recover besides uninstalling and reinstalling the IPA replica ipareplica02?

BTW, it would be much appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Thanks.
--David

From: Rich Megginson rmegg...@redhat.com
To: Ben Ho ben1...@hotmail.com
Cc: freeipa-users@redhat.com
Sent: Tuesday, May 15, 2012 5:33 PM
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:
> This is the information I retrieved about my server.
>
>     ipa-server-selinux-2.1.3-9.el6.x86_64
>     ipa-client-2.1.3-9.el6.x86_64
>     ipa-server-2.1.3-9.el6.x86_64
>     CentOS release 6.2
>     389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>
> Thanks again.

Is replication otherwise working?

> -Ben
>
> Date: Tue, 15 May 2012 13:15:46 -0600
> From: rmegg...@redhat.com
> To: ben1...@hotmail.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>
> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello, I am pretty new to IPA. Right now I have three servers that are running IPA. I am trying to replicate one server to two other servers. I use this command:
>>
>>     ipa-replica-manage re-initialize --from example2.edu
>>
>> On the first server I need to replicate, it works fine. However, on the second server I get this message in my log files. The errors get printed out once every 1 to 5 minutes.
>>
>>     [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
>>     [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
>>     [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
>>     [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1
>>
>> Again, I am pretty new to this, so any help or tips would be appreciated.
>
> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>
>> Thanks!
>> -Ben

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
On May 16, 2012, at 12:23 PM, David Copperfield wrote:
> What should I do now? Are there any other ways to recover besides uninstalling and reinstalling the IPA replica ipareplica02?
>
> BTW, it would be much appreciated if the web UI could pop up a warning prompt when removing host/service entries associated with IPA masters and IPA replicas.

Been there... Done that...

The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica:

       ipa-replica-manage del ipareplica02.example.com --force

   This will delete the replica agreement for the host.

1. Find the RUV tombstone entry:

       $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
           '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

   Look for the nsds50ruv value that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV

   Something like:

       $ cat cleanup.ldif
       dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
       changetype: modify
       replace: nsds5task
       nsds5task: CLEANRUV##

   ## == the ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas:

       ldapmodify -x -D "cn=directory manager" -W -f cleanup.ldif

   This removes the ghost entry.

4. On the broken replica:

       ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica':
   - on master: ipa-replica-prepare ipareplica02.example.com
   - scp /path/to/ipareplica02.example.com.gpg ipareplica02.example.com:ipareplica02.example.com.gpg
   - on replica: ipa-replica-install ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and commands work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc.

7. Sigh and drink coffee.

> Thanks.
> --David
> [...]
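Added example (not from the thread, and not FreeIPA or 389-ds code): JR's steps 1 to 3 done in Python, so the ghost ReplicaID is picked out of the nsds50ruv values by hostname rather than by eye, and the CLEANRUV LDIF is generated for it with the suffix escaped the way 389-ds writes the mapping-tree RDN. The RUV text is constructed to look like the step-1 ldapsearch output for the example.com suffix used in the thread, with invented CSNs. Note that in the 2.1 layout the dogtag CA database is a separate 389-ds instance (port 7389) with its own RUV and its own ReplicaIDs, so it has to be searched and cleaned separately, as David found.

```python
"""Find a ghost replica's ReplicaID in an nsds50ruv listing and build the
CLEANRUV LDIF for it.  Added example for this thread, not FreeIPA/389-ds
code; the RUV lines below are constructed (invented CSNs)."""
import re

# Constructed sample of what the step-1 ldapsearch returns for the RUV
# tombstone entry.  ipareplica02 is the replica whose host entry was deleted.
SAMPLE_RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb0c2a3000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fb0c2b0000000040000 4fb3e2a1000100040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4fb0c3c0000000050000 4fb3e29f000000050000
nsds50ruv: {replica 6 ldap://ipareplica02.example.com:389} 4fb0c4d0000000060000 4fb2a11e000000060000
nsruvReplicaLastModified: {replica 4 ldap://ipamaster.example.com:389} 4fb3e2a0
"""

# One RUV element: {replica <id> ldap://<host>:<port>} <mincsn> <maxcsn>
# The {replicageneration} line carries no replica and does not match.
RUV_ELEMENT = re.compile(
    r"^nsds50ruv:\s*\{replica\s+(?P<rid>\d+)\s+ldap://(?P<host>[^:/\s}]+):(?P<port>\d+)\}"
)


def parse_ruv(ldif_text):
    """Return [(replica_id, host, port), ...] for every replica element."""
    elements = []
    for line in ldif_text.splitlines():
        m = RUV_ELEMENT.match(line)
        if m:
            elements.append((int(m.group("rid")), m.group("host"), int(m.group("port"))))
    return elements


def ghost_replica_ids(ldif_text, live_masters):
    """ReplicaIDs whose host is not among the masters that still exist
    (what 'ipa-replica-manage list' would show after the 'del').  Hostname
    comparison is case-insensitive, as DNS names are."""
    live = {h.lower() for h in live_masters}
    return [rid for rid, host, _ in parse_ruv(ldif_text) if host.lower() not in live]


def escape_rdn_value(value):
    """Escape a suffix so it can be the value of the cn= RDN under
    cn=mapping tree, e.g. dc=example,dc=com -> dc\\3Dexample\\2Cdc\\3Dcom."""
    out = []
    for ch in value:
        if ch in '=,+"\\<>;#':
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def cleanruv_ldif(suffix, replica_id):
    """LDIF that starts the CLEANRUV task for one ghost ReplicaID.  In 389-ds
    of this vintage the task is per-server, so the same LDIF is fed to
    ldapmodify on every remaining master."""
    return (
        "dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n"
        "changetype: modify\n"
        "replace: nsds5task\n"
        "nsds5task: CLEANRUV%d\n" % (escape_rdn_value(suffix), replica_id)
    )


if __name__ == "__main__":
    live = ["ipamaster.example.com", "ipareplica01.example.com"]
    for rid in ghost_replica_ids(SAMPLE_RUV_LDIF, live):
        print(cleanruv_ldif("dc=example,dc=com", rid))
```

Feed the printed LDIF to `ldapmodify -x -D "cn=directory manager" -W -f cleanup.ldif` on each remaining master, then re-run the step-1 search to confirm the `{replica 6 ...}` element is gone before reinstalling the replica; if the old replica comes back with a fresh ReplicaID while its stale element is still in the RUV, the other masters keep trying to reach a server that no longer exists.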
Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)
Ian Levesque wrote:
> Hi Rob, et al -
>
> I tried again, and am pasting all the output below. Is there something I'm missing?

Drop the = with -w. You're passing the password as =foobar.

Do not use a = with single dash options, only double-dash ones. To make it more confusing you don't have to use an equals with double-dash options either but you can. Ain't unix cli options great?

rob

> Cheers,
> Ian
>
> --- server ---
>
>     [sbgrid-directory]# ipa host-del ian-ultra24-dmz.in.hwlab
>     ---
>     Deleted host ian-ultra24-dmz.in.hwlab
>     [sbgrid-directory]# ipa host-find ian-ultra24-dmz.in.hwlab
>     ---
>     0 hosts matched
>     [sbgrid-directory]# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
>     -
>     Added host ian-ultra24-dmz.in.hwlab
>     -
>       Host name: ian-ultra24-dmz.in.hwlab
>       Keytab: False
>       Password: True
>       Managed by: ian-ultra24-dmz.in.hwlab
>
> --- client ---
>
>     [ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab -w=foobar \
>         --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended
>     DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>     KDC address will be set to fixed value.
>     Discovery was successful!
>     Hostname: ian-ultra24-dmz.in.hwlab
>     Realm: SBGRID.ORG
>     DNS Domain: in.hwlab
>     IPA Server: sbgrid-directory.in.hwlab
>     BaseDN: dc=sbgrid,dc=org
>     Synchronizing time with KDC...
>     Unable to sync time with IPA NTP server, assuming the time is in sync.
>     Joining realm failed: Incorrect password.
>     Installation failed. Rolling back changes.
>
>     [ian-ultra24-dmz]# ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab
>     DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>     KDC address will be set to fixed value.
>     Discovery was successful!
>     Hostname: ian-ultra24-dmz.in.hwlab
>     Realm: SBGRID.ORG
>     DNS Domain: in.hwlab
>     IPA Server: sbgrid-directory.in.hwlab
>     BaseDN: dc=sbgrid,dc=org
>     Continue to configure the system with these values? [no]: yes
>     User authorized to enroll computers: ian
>     Synchronizing time with KDC...
>     Unable to sync time with IPA NTP server, assuming the time is in sync.
>     Password for i...@sbgrid.org:
>     Enrolled in IPA realm SBGRID.ORG
>     Created /etc/ipa/default.conf
>     Configured /etc/sssd/sssd.conf
>     Configured /etc/krb5.conf for IPA realm SBGRID.ORG
>     SSSD enabled
>     NTP enabled
>     Client configuration complete.
Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)
On May 16, 2012, at 3:57 PM, Rob Crittenden wrote:
> Drop the = with -w. You're passing the password as =foobar.
>
> Do not use a = with single dash options, only double-dash ones. To make it more confusing you don't have to use an equals with double-dash options either but you can. Ain't unix cli options great?
>
> rob

Right you are! Thanks for your help, Rob - this will certainly help us with mass deployments. For the record, the winning combination:

    ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar

    ipa-client-install --hostname=ian-ultra24-dmz.in.hwlab --domain=in.hwlab --password=foobar --realm=SBGRID.ORG --server=sbgrid-directory.in.hwlab --unattended

Is this documented anywhere else other than on Fedora's site? The docs I linked to are just plain wrong... http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html says:

    /usr/sbin/ipa-client-install --domain=EXAMPLEDOMAIN --enable-dns-updates --mkomedir --principal=HOST/$(cat /tmp/hostname.txt) -w=secret --realm=EXAMPLEREALM --server=ipaserver.example.com --unattended

Best,
Ian
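Added example (not from the thread or from FreeIPA) showing exactly what Rob describes: an optparse parser, the option-parser family ipa-client-install is built on, treats everything glued to a short option letter as its value, so `-w=foobar` hands the enrollment a one-time password of `=foobar` and the join fails with "Incorrect password". The `-w/--password` option is declared here for illustration and only mirrors the real one.

```python
"""Why `-w=foobar` enrols with the wrong one-time password.  Added example
for this thread, not FreeIPA code: the -w/--password option below is a
stand-in for ipa-client-install's, declared here so the parsing can be
shown offline."""
from optparse import OptionParser

# One-time password set on the server with `ipa host-add ... --password=foobar`.
OTP = "foobar"


def parse_password(argv):
    """Return the password optparse extracts from argv for a -w/--password option."""
    parser = OptionParser()
    parser.add_option("-w", "--password", dest="password",
                      help="one-time password to join the IPA realm")
    options, _rest = parser.parse_args(list(argv))
    return options.password


def enrollment_forms():
    """How each spelling of the option on the command line is read.
    Only the Fedora-guide spelling `-w=...` yields a value that does not
    match the OTP the server knows."""
    forms = [
        ["-w", OTP],            # short option, separate argument
        ["-w" + OTP],           # short option, value glued on
        ["--password", OTP],    # long option, separate argument
        ["--password=" + OTP],  # long option with '='
        ["-w=" + OTP],          # guide spelling: value becomes "=foobar"
    ]
    return {" ".join(f): parse_password(f) for f in forms}


def wrong_spellings():
    """Command-line spellings whose parsed value would fail the join."""
    return sorted(s for s, seen in enrollment_forms().items() if seen != OTP)


if __name__ == "__main__":
    for spelling, seen in sorted(enrollment_forms().items()):
        print("%-20s -> %r%s" % (spelling, seen, "" if seen == OTP else "  (join fails)"))
```

The same rule applies to every short option of ipa-client-install, so a kickstart `%post` should use the long `--password=` form (or `-w` followed by a separate argument) and never `-w=`.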
Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
David Copperfield wrote:
> What should I do now? Are there any other ways to recover besides uninstalling and reinstalling the IPA replica ipareplica02?
> [...]

On a working master try re-creating the host and re-adding the services. You'll probably want to use the fqdn in place of ipareplica02 here. The case of the services is important. I'm assuming this master is not running dogtag or DNS.

    # ipa host-add ipareplica02
    # ipa service-add ldap/ipareplica02
    # ipa service-add HTTP/ipareplica02
    # mkdir /tmp/ipareplica02
    # ipa-getkeytab -s master -k /tmp/ipareplica02/ds.keytab -p ldap/ipareplica02
    # ipa-getkeytab -s master -k /tmp/ipareplica02/ipa.keytab -p HTTP/ipareplica02

Copy these files to ipareplica02. ds.keytab goes in /etc/dirsrv/, ipa.keytab goes in /etc/httpd/conf/. I'd run restorecon on both. Perms should be 0600 dirsrv:dirsrv on ds.keytab and 0600 root:root on ipa.keytab.

    # ipactl restart

You'll need to restart the dirsrv service (or ipactl restart) on all your other masters to pick up the new ldap service principal.

In theory you should have a working system again. The only downside is the certs being used aren't reflected in your service entries any more. I don't believe this will affect automated renewal, so if you don't care about that you're done.

If you are using dogtag as your CA your SSL certs have been revoked though. To fix this we can try to get certmonger to refresh them.

    # ipa-getcert list

Find the ID for the /etc/dirsrv/slapd-YOURINSTANCE cert.

    # ipa-getcert resubmit -i ID

Run ipa-getcert list again to see the status. It should be MONITORING and the expires date should have changed. Assuming that worked, do the same for the Apache cert (in /etc/httpd/alias). Restart the dirsrv and httpd services, or ipactl restart.

We block deleting master hosts and services in FreeIPA 2.2.

rob
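Added example (not from the thread, and not FreeIPA or certmonger code) for checking the two things Rob's recovery depends on after the files are in place: that each keytab has the ownership and 0600 mode he specifies, and which certmonger requests are still not back in MONITORING and so need `ipa-getcert resubmit -i`. The `ipa-getcert list` text is constructed to resemble certmonger's output for the two server certs; the request IDs, dates and the CA_UNREACHABLE state are invented, and the keytab paths are the ones from Rob's message.

```python
"""Post-recovery checks for the keytab and certmonger steps above.  Added
example for this thread, not FreeIPA/certmonger code; the getcert output
below is constructed."""
import grp
import os
import pwd
import re
import stat

# Ownership Rob specifies for the two keytabs (paths as in his message).
KEYTAB_EXPECTATIONS = {
    "/etc/dirsrv/ds.keytab": ("dirsrv", "dirsrv"),
    "/etc/httpd/conf/ipa.keytab": ("root", "root"),
}


def keytab_problems(mode, owner, group, want_owner, want_group):
    """Pure check on a keytab's permission bits (st_mode & 0777) and
    owner/group names; returns a list of complaints, empty when fine."""
    problems = []
    if mode != 0o600:
        problems.append("mode is %04o, want 0600" % mode)
    if owner != want_owner:
        problems.append("owner is %s, want %s" % (owner, want_owner))
    if group != want_group:
        problems.append("group is %s, want %s" % (group, want_group))
    return problems


def check_keytab_file(path, want_owner, want_group):
    """Stat a real file and run keytab_problems on it."""
    try:
        st = os.stat(path)
    except OSError as e:
        return ["cannot stat: %s" % e]
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return keytab_problems(stat.S_IMODE(st.st_mode), owner, group, want_owner, want_group)


# Constructed `ipa-getcert list` output: the dirsrv cert already resubmitted
# and healthy, the Apache cert still stuck after the dogtag revocation.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20120516193512':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipareplica02.example.com,O=EXAMPLE.COM
\texpires: 2014-05-16 19:35:12 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20120516193544':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipareplica02.example.com,O=EXAMPLE.COM
\texpires: 2012-05-16 19:30:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_ID = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every tracked request."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_ID.match(line)
        if m:
            current = requests.setdefault(m.group("id"), {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value")
    return requests


def cert_location(fields):
    """NSS database directory the certificate lives in, if listed."""
    m = re.search(r"location='([^']*)'", fields.get("certificate", ""))
    return m.group(1) if m else None


def needs_resubmit(text):
    """(request_id, nss_db, status) for every request not in MONITORING."""
    return [(rid, cert_location(f), f.get("status"))
            for rid, f in sorted(parse_getcert_list(text).items())
            if f.get("status") != "MONITORING"]


def resubmit_commands(text):
    """The ipa-getcert resubmit commands Rob's step calls for."""
    return ["ipa-getcert resubmit -i %s" % rid for rid, _, _ in needs_resubmit(text)]


if __name__ == "__main__":
    for path, (u, g) in sorted(KEYTAB_EXPECTATIONS.items()):
        print("%s: %s" % (path, ", ".join(check_keytab_file(path, u, g)) or "ok"))
    for cmd in resubmit_commands(SAMPLE_GETCERT_LIST):
        print(cmd)
```

Run it on the rebuilt replica after `ipactl restart`; a request that stays in a non-MONITORING state after a resubmit means the CA could not issue (the service entry, the host entry or the agent credentials are still wrong), and fixing that comes before restarting dirsrv and httpd.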
Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)
Ian Levesque wrote:
> Is this documented anywhere else other than on Fedora's site? The docs I linked to are just plain wrong... http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html says:
>
>     /usr/sbin/ipa-client-install --domain=EXAMPLEDOMAIN --enable-dns-updates --mkomedir --principal=HOST/$(cat /tmp/hostname.txt) -w=secret --realm=EXAMPLEREALM --server=ipaserver.example.com --unattended
>
> Best,
> Ian

Ouch, sorry about the bad docs. I've filed a bug to have that corrected, https://bugzilla.redhat.com/show_bug.cgi?id=822252

regards

rob
Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
Hi JR,

Thanks a lot! It works perfectly. The only extra thing probably goes with 2.1.3 only: I need to find and clear the ghost RUV records for the CA database too, and remove them from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.
--David

From: JR Aquino jr.aqu...@citrix.com
To: David Copperfield cao2...@yahoo.com
Cc: FreeIPAUsers freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

> Been there... Done that...
>
> The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.
>
> To clean up...
> [...]
Re: [Freeipa-users] howto modify krb principal attributes without kadmin.local
On Tue, May 15, 2012 at 3:24 PM, Simo Sorce s...@redhat.com wrote:
> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>> So going through the documentation it's clearly laid out not to use kadmin or kadmin.local when using freeipa. I have been unable to find how to replace this functionality in the documentation. If I could use kadmin.local on my kdc I would like to run the following command:
>>
>>     modprinc +requires_hwauth user
>>
>> Am I going to need to extend/modify the krb5 schema to modify principal attributes in this way?
>
> For this specific change you can use kadmin.local, but the IPA UI will not report you anything about it.
>
> The flags part is still a weak point of the Web UI. If you want, you can open a RFE ticket to ask for better support for these flags; we need to do it at some point, we simply haven't yet as we concentrated on more important and pressing issues thus far.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

The following errors lead me to believe I am missing something, as kadmin.local appears to have access issues when trying to modify a principal.

    kadmin.local: modprinc +requires_hwauth user
    modify_principal: User modification failed: Insufficient access while modifying user.

For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl with the correct ACLs for the domain and still encounter the same errors.

-ipa 2.1.3
[Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Sorry to declare success too quickly, :(

In fact, it is worse now: the IPA master fails after performing the above steps, including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket and ran 'kinit admin' to try my luck; the IPA master failed with the following message. It shows that the port 389 listener disappeared for unknown reasons.

    [root@ipamaster slapd-EXAMPLE-COM]# kinit admin
    kinit: Generic error (see e-text) while getting initial credentials
    [root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
    tcp        0      0 :::7389     :::*     LISTEN      6550/ns-slapd
    tcp        0      0 :::7390     :::*     LISTEN      6550/ns-slapd
    [root@ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

    [16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
    [16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
    [16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
    [16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
    [16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.
--David

From: David Copperfield cao2...@yahoo.com
To: JR Aquino jr.aqu...@citrix.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

> Hi JR,
>
> Thanks a lot! It works perfectly. The only extra thing probably goes with 2.1.3 only: I need to find and clear the ghost RUV records for the CA database too, and remove them from the master and all other live replicas as well.
> [...]
Re: [Freeipa-users] howto modify krb principal attributes without kadmin.local
On Wed, 2012-05-16 at 18:15 -0400, Rob Crittenden wrote:
> Thomas Jackson wrote:
>>     kadmin.local: modprinc +requires_hwauth user
>>     modify_principal: User modification failed: Insufficient access while modifying user.
>
> What user's ticket do you have when trying to make this change? The error is coming from 389-ds, not from the KDC ACLs.
>
> For whatever it's worth I tried this in 2.2.0 and it worked.

In 2.2 we do not restrict kadmin/kdc as much as we did in 2.1.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Problems replicating with Windows 2008 AD
Hey all,

FreeIPA has been very simple to set up so far; I have been able to follow along with the documentation every step of the way. I am running into an issue however when trying to set up replication between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 server running Active Directory. I created the replication user like the instructions say and gave it the necessary permissions, however when I try to set up the agreement, it tells me I am using invalid credentials. I am unsure of what I should do at this point. SSL certs are installed on both and trusted on both, the servers are connected and both are synced to the same time source. Can anyone think of anything else? I am using the command as follows:

    ipa-replica-manage connect --winsync --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com --bindpw mypassword --passsync mypassword --cacert /etc/openldap/cacerts/winadcert.cer oly-infra-ldap2.prod.example.com

Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495
Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Try: ipactl stop then ipactl start

Doesn't look like dirsrv is running on 389 and 636

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

On May 16, 2012, at 2:54 PM, David Copperfield wrote:

Sorry to declare success too quick, :(

In fact, it is worse now: the IPA master fails after performing the above steps including the RUV cleaning. I've only one working replica and I'm afraid to do anything on it.

On the IPA master, after I ran 'service ipa restart' it reported OK, but 'ipa user-find' failed. So I cleared my Kerberos TGT ticket and ran 'kinit admin' to try my luck; the IPA master failed with the following message, and it showed that the port 389 listener disappeared for unknown reasons.

    [root@ipamaster slapd-EXAMPLE-COM]# kinit admin
    kinit: Generic error (see e-text) while getting initial credentials
    [root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i LISTEN | grep ns
    tcp 0 0 :::7389 :::* LISTEN 6550/ns-slapd
    tcp 0 0 :::7390 :::* LISTEN 6550/ns-slapd
    [root@ipamaster slapd-EXAMPLE-COM]#

The error logs are pasted here too.

    [16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
    [16/May/2012:14:41:43 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [16/May/2012:14:41:43 -0700] - Listening on All Interfaces port 636 for LDAPS requests
    [16/May/2012:14:41:43 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
    [16/May/2012:14:41:43 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
    [16/May/2012:14:41:43 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:14:41:46 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth resumed

Thanks.

--David

From: David Copperfield cao2...@yahoo.com
To: JR Aquino jr.aqu...@citrix.com
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 1:23 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Hi JR,

Thanks a lot! It works perfectly. The only extra thing probably goes with 2.1.3 only: I need to find and clear ghost RUV records for the CA database, and remove them from the master and all other live replicas as well.

BTW, on 2.2.0 are the two database backends still separate, or merged into one?

Thanks.

--David

From: JR Aquino jr.aqu...@citrix.com
To: David Copperfield cao2...@yahoo.com
Cc: FreeIPAUsers freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 12:57 PM
Subject: Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
Re: [Freeipa-users] Problems replicating with Windows 2008 AD
On 05/16/2012 04:33 PM, Kline, Sara wrote:

    I am using the command as follows:
    ipa-replica-manage connect --winsync --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com --bindpw mypassword --passsync mypassword --cacert /etc/openldap/cacerts/winadcert.cer oly-infra-ldap2.prod.example.com

You can use ldapsearch to test the connection with AD:

    LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H ldap://oly-infra-ldap2.prod.example.com -ZZ -D cn=freeipa,cn=users,dc=prod,dc=example,dc=com -w mypassword -s base -b '' '(objectclass=*)' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for the shell
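As an added example (not Rich's command and not FreeIPA code), a Python wrapper around the ldapsearch check above that passes the bind password with ldapsearch -y from a temporary file instead of -w on the command line (where it is visible in ps output and shell history), and decodes the AD bind diagnostic so a bind DN that does not exist (data 525) is not mistaken for a wrong password (data 52e). Host, DN and CA directory mirror the thread; the stderr sample is constructed and its DSID is a placeholder.

```python
"""Probe the winsync bind against AD and explain why it fails.

Added example (not from the thread). AD reports the real reason behind
LDAP error 49 (Invalid credentials) in the diagnostic message as a hex
"data" sub-code, which is what distinguishes Sara's wrong-CN problem
from a wrong password or a disabled account.
"""
import os
import re
import subprocess
import tempfile

# "... comment: AcceptSecurityContext error, data 52e, v1db1"
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
AD_BIND_CODES = {
    "525": "user not found: the bind DN does not exist (check the cn= / ou= path)",
    "52e": "invalid credentials: the DN exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def classify_bind_failure(stderr_text):
    """Explain ldapsearch stderr; None if it is not a bind/connect failure."""
    m = AD_DATA_RE.search(stderr_text)
    if m:
        code = m.group(1).lower()
        return AD_BIND_CODES.get(code, f"unknown AD sub-code {code}")
    if "Invalid credentials (49)" in stderr_text:
        return "invalid credentials: no AD sub-code, check the bind DN and password"
    if "Can't contact LDAP server" in stderr_text:
        return "connection failed: check the FQDN, port 389 and the StartTLS CA cert"
    return None


def build_probe(host, binddn, passfile, cacertdir):
    """argv and environment for the rootDSE probe, password read via -y."""
    argv = ["ldapsearch", "-xLLL", "-H", f"ldap://{host}", "-ZZ",
            "-D", binddn, "-y", passfile,
            "-s", "base", "-b", "", "(objectclass=*)", "namingcontexts"]
    env = dict(os.environ, LDAPTLS_CACERTDIR=cacertdir)
    return argv, env


def run_probe(host, binddn, password, cacertdir):
    """Run the probe against AD; returns (ok, detail). Needs network access."""
    # NamedTemporaryFile creates the file mode 0600; -y reads the whole file,
    # so the password is written without a trailing newline.
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(password)
        passfile = f.name
    try:
        argv, env = build_probe(host, binddn, passfile, cacertdir)
        p = subprocess.run(argv, env=env, capture_output=True, text=True)
    finally:
        os.unlink(passfile)
    if p.returncode == 0:
        return True, p.stdout.strip()
    return False, classify_bind_failure(p.stderr) or p.stderr.strip()


# Constructed stderr for a bind with a DN that does not exist in AD
# (the DSID value is a placeholder, not a real one).
SAMPLE_STDERR_WRONG_DN = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-XXXXXXXX, comment: "
    "AcceptSecurityContext error, data 525, v1db1\n"
)

if __name__ == "__main__":
    print(classify_bind_failure(SAMPLE_STDERR_WRONG_DN))
```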
Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Could that be because of removing ghost entries in the CA database? Another possible place could be the deleting/clearing option itself.

One annoying thing that I've found is: I cleared the RUV records from the IPA servers one by one, then I restarted IPA services on the servers one by one again, and ldapsearch showed that the RUV ghost entries popped up again. :( I had to kill them again and again across the IPA server farms, then restart the IPA servers one by one, check again, until the ghost RUV entries disappeared from all and didn't come back -- it is very, VERY exhausting and annoying.

After that I still needed to stop the IPA replica first, then restart the IPA master, and now it worked -- ipa commands and kinit worked. At last I brought up the valid replica and it worked this time as well. Now it was time to reinstall the failed IPA replica, and it was installed and up and running well. After that I tested with 'ipa user-add', 'ipa-user-delete' and found that the replication did work across the IPA master and IPA replicas.

I tested one last time and found the following messages in the error log file on the IPA master; it may be harmless but I am not sure:

    [16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
    [16/May/2012:16:18:36 -0700] schema-compat-plugin - warning: no entries set up under ou=SUDOers, dc=jigsaw,dc=com
    [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
    [16/May/2012:16:18:36 -0700] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS Templates found, which should be added before the CoS Definition.
    [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
    [16/May/2012:16:18:36 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
    [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/ipamaster.example@example.com] in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
    [16/May/2012:16:18:36 -0700] - Listening on All Interfaces port 636 for LDAPS requests
    [16/May/2012:16:18:36 -0700] - Listening on /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests
    [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
    [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:16:18:36 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
    [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
    [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth resumed
    [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth resumed

--David

From: JR Aquino jr.aqu...@citrix.com
To: David Copperfield cao2...@yahoo.com
Cc: JR Aquino jr.aqu...@citrix.com; Rob Crittenden rcrit...@redhat.com; freeipa-users@redhat.com
Sent: Wednesday, May 16, 2012 4:00 PM
Subject: Re: Still not working -- Re: [Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake
Re: [Freeipa-users] Still not working -- Re: What to do next???: IPA replica host entry is removed on web UI by mistake
Whew, glad to hear you got through it! The 389 ds crew is working on making the cleanruv into an internal automated process. I empathize completely.

The gssapi errors are generally benign. They come up because ldap starts before the kdc.

Keeping your head in the cloud
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com
http://www.citrixonline.com

On May 16, 2012, at 4:29 PM, David Copperfield cao2...@yahoo.com wrote:
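As an added example (not from the thread, not FreeIPA or 389-ds code), a small triage script for the 389-ds errors log that tells the startup race JR describes (GSSAPI bind fails because the KDC is not up yet, then the agreement logs "resumed" a few seconds later) apart from an agreement that never recovers. The sample log reuses the ipareplica01/02 lines David pasted and adds a constructed ipareplica03 agreement that never resumes.

```python
"""Triage GSSAPI replication-bind errors in a 389-ds errors log.

Added example, not from the thread. A failure logged right after
"slapd started" that is followed by "Replication bind with GSSAPI auth
resumed" within a short grace period is the benign startup blip; a
failure with no resume is the one worth investigating.
"""
import re
from datetime import datetime, timedelta

# One errors-log line: "[16/May/2012:16:18:36 -0700] <message>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
# Agreement tag: "agmt=cn=meToipareplica02.example.com (ipareplica02:389)"
AGMT_RE = re.compile(r"agmt=(?P<agmt>cn=[^ ]+) \((?P<peer>[^)]+)\)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

FAILED = "Replication bind with GSSAPI auth failed"
RESUMED = "Replication bind with GSSAPI auth resumed"


def triage_gssapi(lines, grace=timedelta(seconds=60)):
    """Return {agreement: status}.

    'resumed'      failure began at/after the last "slapd started" and the
                   resume came within `grace` of it: the startup race.
    'resumed-late' it recovered, but not as part of startup: worth a look
                   (a KDC outage, keytab or clock problem that cleared).
    'unresolved'   failed and never logged a resume: investigate.
    """
    started_at = None
    failed = {}    # agreement -> timestamp of the failure that opened the episode
    resumed = {}   # agreement -> timestamp of the resume that closed it
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        if "slapd started" in msg:
            started_at = ts
            continue
        a = AGMT_RE.search(msg)
        if not a:
            continue
        agmt = a.group("agmt")
        if FAILED in msg:
            # A failure after an earlier resume opens a new episode.
            if agmt not in failed or agmt in resumed:
                failed[agmt] = ts
                resumed.pop(agmt, None)
        elif RESUMED in msg and agmt in failed:
            resumed[agmt] = ts
    status = {}
    for agmt, fts in failed.items():
        rts = resumed.get(agmt)
        if rts is None:
            status[agmt] = "unresolved"
        elif started_at is not None and fts >= started_at and rts - started_at <= grace:
            status[agmt] = "resumed"
        else:
            status[agmt] = "resumed-late"
    return status


def needs_attention(status):
    """Agreements that are not the benign startup case."""
    return sorted(a for a, s in status.items() if s != "resumed")


# Constructed sample: the ipareplica01/02 lines are taken from the thread;
# the ipareplica03 agreement is made up to show an episode that never resumes.
SAMPLE_LOG = """\
[16/May/2012:16:18:36 -0700] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica03.example.com (ipareplica03:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_496' not found))
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica02.example.com (ipareplica02:389): Replication bind with GSSAPI auth resumed
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin - agmt=cn=meToipareplica01.example.com (ipareplica01:389): Replication bind with GSSAPI auth resumed
"""

if __name__ == "__main__":
    result = triage_gssapi(SAMPLE_LOG.splitlines())
    for agmt, s in sorted(result.items()):
        print(f"{agmt}: {s}")
    print("needs attention:", needs_attention(result))
```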
Re: [Freeipa-users] Problems replicating with Windows 2008 AD
I found the issue: it had to do with what Windows set the cn to, as opposed to what I thought the CN was. Once I figured out where that was set I was able to fix it. CNs for us are usually the user id, so that was where the disconnect was.

Once I fixed that issue, however, I got another error. I am logged in as root on the FreeIPA server. When I run the ipa-manage-replica command I get:

    Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
    INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
    Insufficient access

I am not sure I understand why this is not working.

Thanks,
Sara Kline

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Wednesday, May 16, 2012 4:12 PM
To: Kline, Sara
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD
Re: [Freeipa-users] Problems replicating with Windows 2008 AD
On 05/16/2012 06:04 PM, Kline, Sara wrote:

    Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
    INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
    Insufficient access

    I am not sure I understand why this is not working.

You have to set permissions for your AD user in order to use the DirSync control. See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

To use the DirSync control, the caller must have the directory get changes right assigned on the root of the partition being monitored. By default, this right is assigned to the Administrator and LocalSystem accounts on domain controllers. The caller must also have the DS-Replication-Get-Changes (http://msdn.microsoft.com/en-us/library/ms684354%28v=vs.85%29.aspx) extended control access right. For more information about implementing a change-tracking mechanism for applications that must run under an account that does not have this right, see Polling for Changes Using USNChanged (http://msdn.microsoft.com/en-us/library/ms677627%28v=vs.85%29.aspx). For more information about privileges, see Privileges (http://msdn.microsoft.com/en-us/library/aa379306%28v=vs.85%29.aspx).
[Freeipa-users] ipa-client-install hangs on Centos 5.2x64
Hi Everyone,

Server: RHEL 6.2
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

Client: CentOS release 5.2 (Final) x86_64
Kernel: 2.6.18-92.1.18.el5
ipa-client-2.1.3-1.el5
sssd-client-1.5.1-49.el5_8.1
sssd-1.5.1-49.el5_8.1

Error: During the ipa-client-install, the client just hangs with no explanation. I've been trying to debug the log file (shown before); I figure, being an older CentOS, that the IPA client must need new versions of its dependencies?

Debug Log:

    2012-05-16 18:04:28,487 DEBUG /usr/sbin/ipa-client-install was invoked with options: {'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': None, 'permit': False, 'server': None, 'prompt_password': False, 'mkhomedir': False, 'dns_updates': False, 'preserve_sssd': False, 'debug': False, 'on_master': False, 'ntp_server': None, 'realm_name': None, 'unattended': None, 'principal': None}
    2012-05-16 18:04:28,487 DEBUG missing options might be asked for interactively later
    2012-05-16 18:04:28,487 DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
    2012-05-16 18:04:28,499 DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
    2012-05-16 18:04:28,536 DEBUG [ipadnssearchldap(example.com)]
    2012-05-16 18:04:28,537 DEBUG [ipadnssearchkrb]
    2012-05-16 18:04:28,538 DEBUG [ipacheckldap]
    2012-05-16 18:04:28,604 DEBUG args=/usr/bin/wget -O /tmp/tmpdbXm98/ca.crt -T 15 -t 2 http://sysvm-ipa.example.com/ipa/config/ca.crt
    2012-05-16 18:04:28,604 DEBUG stdout=
    2012-05-16 18:04:28,605 DEBUG stderr=--18:04:28--  http://sysvm-ipa.example.com/ipa/config/ca.crt
    Resolving sysvm-ipa.example.com... 192.168.0.214
    Connecting to sysvm-ipa.example.com|192.168.0.214|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1353 (1.3K) [application/x-x509-ca-cert]
    Saving to: `/tmp/tmpdbXm98/ca.crt'

         0K .                                                     100%  215M=0s

    18:04:28 (215 MB/s) - `/tmp/tmpdbXm98/ca.crt' saved [1353/1353]

    2012-05-16 18:04:28,605 DEBUG Init ldap with: ldap://sysvm-ipa.example.com:389
    2012-05-16 18:04:28,664 DEBUG Search LDAP server for IPA base DN
    2012-05-16 18:04:28,666 DEBUG Check if naming context 'dc=example,dc=com' is for IPA
    2012-05-16 18:04:28,667 DEBUG Naming context 'dc=example,dc=com' is a valid IPA context
    2012-05-16 18:04:28,667 DEBUG Search for (objectClass=krbRealmContainer) in dc=example,dc=com(sub)
    2012-05-16 18:04:28,668 DEBUG Found: [('cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com', {'krbSubTrees': ['dc=example,dc=com'], 'cn': ['EXAMPLE.COM'], 'krbDefaultEncSaltTypes': ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': ['604800']})]
    2012-05-16 18:04:28,668 DEBUG will use domain: example.com
    2012-05-16 18:04:28,668 DEBUG will use server: sysvm-ipa.example.com
    2012-05-16 18:04:28,669 DEBUG will use cli_realm: EXAMPLE.COM
    2012-05-16 18:04:28,669 DEBUG will use cli_basedn: dc=example,dc=com
    2012-05-16 18:04:32,172 DEBUG will use principal: admin
    2012-05-16 18:04:32,237 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://sysvm-ipa.example.com/ipa/config/ca.crt
    2012-05-16 18:04:32,237 DEBUG stdout=
    2012-05-16 18:04:32,237 DEBUG stderr=--18:04:32--  http://sysvm-ipa.example.com/ipa/config/ca.crt
    Resolving sysvm-ipa.example.com... 192.168.0.214
    Connecting to sysvm-ipa.example.com|192.168.0.214|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1353 (1.3K) [application/x-x509-ca-cert]
    Saving to: `/etc/ipa/ca.crt'

         0K .                                                     100%  215M=0s

    18:04:32 (215 MB/s) - `/etc/ipa/ca.crt' saved [1353/1353]

    2012-05-16 18:04:32,256 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
    2012-05-16 18:04:32,256 DEBUG stdout=
    2012-05-16 18:04:32,256 DEBUG stderr=
    2012-05-16 18:04:32,264 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
    2012-05-16 18:04:32,265 DEBUG stdout=
    2012-05-16 18:04:32,265 DEBUG stderr=
    2012-05-16 18:04:32,275 DEBUG args=/usr/sbin/ntpdate -U ntp -s -b sysvm-ipa.example.com
    2012-05-16 18:04:32,276 DEBUG stdout=
    2012-05-16 18:04:32,276 DEBUG stderr=
    2012-05-16 18:04:32,285 DEBUG
[Freeipa-users] Custom ACI entries
Hi everybody,

I've added some custom schema to my directory, but it's useless to me if I can't control read permissions on it. This is obviously a little tricky since (Free)IPA allows everybody to read everything by default. With that, what's the best way to restrict access to user attributes? Is there anything like this in the roadmap?

For the interim I've crafted some custom aci entries. Where should I put them? Will they work? Here they are:

    aci: (targetattr = "attribute1 || attribute2 || attribute3")(version 3.0; acl "custom attributes base"; deny (all) (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
    aci: (targetattr = "attribute1 || attribute2 || attribute3")(version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete) (userdn = "ldap:///self" or groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

--
- *question everything*learn something*answer nothing*
Lucas Yamanishi
--
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A