[Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

I'm trying to install FreeIPA for a small lab with 10 computers, all running
Fedora 17.
I seem to have installed the IPA server (without DNS) successfully:


# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


but when I try to run ipa-client-install on a client machine, I get this error 
message:

server.my.edu is not an IPA v2 Server.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


What am I missing?
PS: I'm following the instructions here:

https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

Thanks,
George
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread Rob Crittenden

If you look in /var/log/ipaclient-install.log it may have more details.

Some possible problems:

- It found SRV records for your domain that point to an AD server
- Ports 80, 389 and 443 are not open on your IPA server
- DNS resolution issues

rob



Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

Here is the error message from /var/log/ipaclient-install.log on the client
machine:

Connecting to myserver|myserver ip|:80... failed: No route to host.
Retrieving CA from myserver failed.
Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 
http://myserver/ipa/config/ca.crt' returned non-zero exit status 4


But httpd seems to be running on myserver and port 80 is open:
# systemctl status httpd.service

httpd.service - The Apache HTTP Server (prefork MPM)
      Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
      Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
     Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, status=0/SUCCESS)
     Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=0/SUCCESS)
    Main PID: 16233 (httpd)
      CGroup: name=systemd:/system/httpd.service
          ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
          ├ 16233 /usr/sbin/httpd -k start
          ├ 16236 /usr/sbin/httpd -k start
          ├ 16237 /usr/sbin/httpd -k start
          ├ 16238 /usr/sbin/httpd -k start
          ├ 16239 /usr/sbin/httpd -k start
          ├ 16240 /usr/sbin/httpd -k start
          ├ 16241 /usr/sbin/httpd -k start
          ├ 16242 /usr/sbin/httpd -k start
          ├ 16243 /usr/sbin/httpd -k start
          ├ 16244 /usr/sbin/httpd -k start
          └ 16245 /usr/sbin/httpd -k start
I have been working on this for days to set this thing up. Any help will be
very much appreciated.
George

 From: george he george_...@yahoo.com
To: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Saturday, June 16, 2012 4:02 PM
Subject: is not an IPA v2 Server.

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread Petr Viktorin

On 06/18/2012 03:44 PM, george he wrote:

Hello all,

here is the error message from /var/log/ipaclient-install.log on the
client machine:

Connecting to myserver|myserver ip|:80... failed: No route to host.
Retrieving CA from myserver failed.
Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
http://myserver/ipa/config/ca.crt' returned non-zero exit status 4


Seems like a routing issue. Can you ping myserver from the client machine?
--
Petr³


Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello Petr,
I can ping or ssh to myserver with no problem.
BTW, here are the ports I opened:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
Thanks,
George

 From: Petr Viktorin pvikt...@redhat.com
To: freeipa-users@redhat.com freeipa-users@redhat.com 
Cc: george he george_...@yahoo.com 
Sent: Monday, June 18, 2012 10:06 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread Petr Viktorin

Hi,
If you run the wget manually (downloading to an existing directory 
instead of /tmp/tmpjibrhe), do you get the same error?


Can you connect to the web UI from the client?

--
Petr³


Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hi Petr,
Yes, I still get the "failed: No route to host" error,
and I cannot connect to the web UI from the client, but I can open the web UI on
myserver.

Thanks,
George

 From: Petr Viktorin pvikt...@redhat.com
To: george he george_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Monday, June 18, 2012 10:47 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.

Re: [Freeipa-users] FreeIPA in a locked down Active Directory environment

2012-06-18 Thread Rich Megginson

On 06/18/2012 08:49 AM, Brian Wheeler wrote:

Hello

I'm a sysadmin at a smallish department at my university.  We're 
investigating FreeIPA to replace our homegrown openldap/perl script 
user management stuff.  The difficulty we're facing is that university 
has standardized on Active Directory and they've got it pretty well 
locked down.  We currently use the university's kerberos for 
authentication and our openldap instance to store user/group data.  
When we create a new user a perl script copies the relevant data from 
AD via an authenticated ldap bind since they do not support anonymous 
binds.  For groups we just maintain the ones within our ldap 
environment (AD groups are never copied).  For hosts we have a private 
network that we use nss_ldap to look up hosts and then fall back to 
the university's DNS.


All of the documentation that I've been able to find on FreeIPA seems 
to assume that the people setting up FreeIPA have full access to AD 
and can modify the structure/security settings.


Not exactly.  What documentation are you talking about?

For IPA Windows Sync, IPA needs to be able to use the DirSync control 
provided by AD.


http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

IPA needs the Bind DN and password of an AD user with the rights 
specified in that document.


For IPA to get passwords sync'd from AD, you need to install the 
PassSync.msi on all of your domain controllers.


This is not the case for us since a different group handles it and due 
to the vastness of the university they are reluctant to make any changes.


Is there any way to integrate FreeIPA into an environment such as ours 
or am I going to have to continue with my homegrown way of doing things?


Thanks!

Brian Wheeler
System Administrator
Digital Library Program
Indiana University





Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

Here is some other information.

I'm setting this up for a lab in a university. The university has its own 
Kerberos server (and DNS server, which I use). 

I'm not sure whether anybody has set up a Kerberos server for the department, or 
whether some other labs used the department sub-domain.
But I'm sure the realm name is unique.

When I open the web UI on the server (Firefox 13.0), I almost always get this 
error:
Your Kerberos ticket is no longer valid. Please run kinit and 
then click 'Retry'. If this is your first time running the IPA Web UI follow 
these directions to configure your browser.
Or you can use form-based authentication.
But I can use the form-based authentication sometimes, not always.

Thanks,
George


Re: [Freeipa-users] Password pass-through to an existing LDAP server?

2012-06-18 Thread Jason Riedy
And Simo Sorce writes:
 the underlying 389ds have a way to do that, but we do not
 expose it in IPA as it would make little sense there.

 That said we have plans to allow having 'branch office
 replicas' where only a subset of users is replicated to that
 branch replica. But these are future plans, it will take a few
 minor versions after 3.0 at least.

Oh well.  Won't work for our needs, but good to know there are
future plans.  Thanks!
-- 
Jason



[Freeipa-users] ipa-getkeytab and mandatory password change

2012-06-18 Thread Darran Lofthouse
I just experienced some weird behaviour on my Fedora 17 installation and 
wanted to check if this was expected.


I have the default config that requires a user to change their password 
the first time they run kinit.


However, I created a user and immediately used ipa-getkeytab, as this user 
will be a non-interactive process. Despite ipa-getkeytab resetting the 
secret for the user, the first attempt at authentication failed, as the 
user was still told to change their password.


My expectation would have been that any update to the secret should meet 
the requirement for the user to change their password.


Regards,
Darran Lofthouse.



Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello Rob,

Yes, I did the configuration earlier today. And I did kinit too.
It seems the web UI loads really slowly - the circular thing can turn for 
minutes. So maybe I wasn't patient enough to let the page load.

I can ssh to the server and the client from my home, so I don't think there's 
another firewall blocking the connection.

Thanks,
George

 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Monday, June 18, 2012 11:51 AM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.
You need to configure the browser to do Kerberos single sign-on. There should 
be a link in the failure message to take you to a page to help you configure 
this. You also need to have done a kinit.

I'm not sure why forms-based auth would work only sometimes; additional details 
would be needed.

I'm not sure why the server would be pingable from your client but HTTP 
doesn't work. There may be another firewall blocking the packets on your 
network.

rob
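Rob's question just above (the server answers ping but not HTTP) and the iptables rules George posted earlier in the thread are the inputs for this added diagnostic script; it is not code from the thread or from the FreeIPA project. It assumes, which the thread does not establish, that the server runs Fedora's stock iptables INPUT chain ending in a catch-all REJECT with icmp-host-prohibited: rules appended with "iptables -A INPUT" land after that catch-all and never match, the rejected SYN comes back to the client as EHOSTUNREACH, and wget prints exactly "No route to host" while ping and ssh (accepted earlier in the stock chain) keep working. IPA_SERVER and IPA_DOMAIN are environment variables assumed for the optional live part.

```shell
#!/bin/bash
# Added diagnostic for this thread's symptom (ping and ssh work, HTTP does not);
# not code from the thread or from the FreeIPA project.
#
# Assumption, not established in the thread: the server runs Fedora's stock
# iptables INPUT chain, which ends in a catch-all
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited
# "iptables -A INPUT ..." appends AFTER that rule, so the new ACCEPTs are
# never reached. The server answers the client's SYN with ICMP
# host-prohibited, the client kernel turns that into EHOSTUNREACH, and wget
# prints exactly "failed: No route to host". ICMP echo and port 22 are
# accepted earlier in the stock chain, which is why ping and ssh still work.

# TCP ports the client installer talks to (the ones George opened).
IPA_TCP_PORTS="80 443 389 636 88 464"

# shadowed_ports RULES
#   RULES is iptables-save style text. Prints the ports from IPA_TCP_PORTS
#   that have no "-p tcp --dport N -j ACCEPT" in INPUT before the first
#   catch-all REJECT/DROP (anything after it is dead), or an empty line if
#   every port is accepted. Looks at --dport only, not multiport --dports.
shadowed_ports() {
    printf '%s\n' "$1" | awk -v want="$IPA_TCP_PORTS" '
        BEGIN { n = split(want, port, " ") }
        $1 == "-A" && $2 == "INPUT" && !blocked {
            # catch-all: terminal target and no match criteria at all
            if ($0 ~ /-j (REJECT|DROP)/ &&
                $0 !~ /(--dport|-s |-i |-m state|-m conntrack)/) {
                blocked = 1; next
            }
            if ($0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/)
                for (i = 3; i < NF; i++)
                    if ($i == "--dport") seen[$(i + 1)] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++)
                if (!seen[port[i]]) out = out (out == "" ? "" : " ") port[i]
            print out
        }'
}

# Constructed sample: Fedora's stock filter chain (assumed, from memory) ...
STOCK_CHAIN='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# ... and the rules George posted (the TCP ones plus two UDP ones).
IPA_RULES='-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT
-A INPUT -p tcp --dport 88 -j ACCEPT
-A INPUT -p udp --dport 88 -j ACCEPT
-A INPUT -p tcp --dport 464 -j ACCEPT
-A INPUT -p udp --dport 464 -j ACCEPT'
# What "iptables -A" produces versus what "iptables -I INPUT" produces.
APPENDED_CHAIN="$STOCK_CHAIN
$IPA_RULES"
INSERTED_CHAIN="$IPA_RULES
$STOCK_CHAIN"

# live_check SERVER DOMAIN  (run on the client; needs bash, timeout, wget, dig)
#   Plain TCP connect per port, the exact CA fetch from the installer log,
#   and the SRV records the installer uses for discovery (Rob's AD point).
live_check() {
    server=$1; domain=$2
    for port in $IPA_TCP_PORTS; do
        if timeout 5 bash -c "exec 3<>/dev/tcp/$server/$port" 2>/dev/null; then
            echo "tcp/$port: open"
        else
            echo "tcp/$port: NOT reachable"
        fi
    done
    wget -O /dev/null -T 15 -t 2 "http://$server/ipa/config/ca.crt" \
        && echo "CA fetch: ok" || echo "CA fetch: FAILED (wget exit $?)"
    for rr in _ldap._tcp _kerberos._tcp _kerberos._udp; do
        printf 'SRV %s.%s: ' "$rr" "$domain"; dig +short SRV "$rr.$domain" | tr '\n' ' '; echo
    done
}

# Offline report on the two constructed chains; live checks only if IPA_SERVER is set.
echo "appended (iptables -A): shadowed ports: $(shadowed_ports "$APPENDED_CHAIN")"
echo "inserted (iptables -I): shadowed ports: $(shadowed_ports "$INSERTED_CHAIN")"
if [ -n "${IPA_SERVER:-}" ]; then
    live_check "$IPA_SERVER" "${IPA_DOMAIN:-${IPA_SERVER#*.}}"
fi
```

On the server, feed the real chain with iptables-save | shadowed_ports "$(cat)"; a non-empty result means the ACCEPT rules must be inserted before the catch-all (iptables -I INPUT) rather than appended.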



Re: [Freeipa-users] groups migration

2012-06-18 Thread Maciej Sawicki
On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:
 On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
 bump

 On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
 maciej.sawi...@polidea.pl wrote:
  Hi,
  I (almost) managed to migrate groups from my previous server. That is
  groups names migrated perfectly, unfortunately when I login to web
  panel all groups are empty.
 
  I used following command:
  ipa migrate-ds ldap://192.168.1.125:389
  --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
  --group-objectclas='posixGroup'
 
  I will appreciate any help.
 

 Hi Maciej,
 what kind of schema is in used in the server you want to migrate from ?
 rfc2309/rfc2309bis ? other ?


I think it's rfc2307:

maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about ipa server:
os: Fedora 17
ipa version: 2.2

regards,
Maciej Sawicki

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] groups migration

2012-06-18 Thread Rob Crittenden

Maciej Sawicki wrote:

On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:

On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:

bump

On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki
maciej.sawi...@polidea.pl wrote:

Hi,
I (almost) managed to migrate groups from my previous server. That is
group names migrated perfectly; unfortunately, when I log in to the web
panel all groups are empty.

I used following command:
ipa migrate-ds ldap://192.168.1.125:389
--bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups'
--group-objectclass='posixGroup'

I will appreciate any help.



Hi Maciej,
what kind of schema is used in the server you want to migrate from?
rfc2309/rfc2309bis ? other ?



I think it's rfc2307:

maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
# Definitions from RFC2307 (Experimental)
# Note: The definitions in RFC2307 are given in syntaxes closely related
# i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about ipa server:
os: Fedora 17
ipa version: 2.2



If you could provide an ldif for one of the groups to be migrated we can 
tell you.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
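Simo's question (RFC 2307 or RFC 2307bis?) and Rob's request for a group LDIF are the same check: an RFC 2307 posixGroup lists its members as login names in memberUid, while an RFC 2307bis group (groupOfNames or groupOfUniqueNames, usually also posixGroup) lists them as DNs in member or uniqueMember. Grepping the schema file only tells you what the server could store, not which form the groups actually use. The following is an added example, not code from the thread or from FreeIPA: a small LDIF parser plus a classifier that reads one group entry and reports the schema and member count. The two sample entries, their DNs, names and gidNumbers are constructed for illustration.

```python
import base64
import re

# Constructed sample entries for illustration; the DNs, names and
# gidNumbers are made up and are not from the thread.
RFC2307_GROUP = """\
dn: cn=devs,ou=groups,dc=domain,dc=com
objectClass: top
objectClass: posixGroup
cn: devs
gidNumber: 5001
memberUid: alice
memberUid: bob
"""

RFC2307BIS_GROUP = """\
dn: cn=ops,ou=groups,dc=domain,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: ops
gidNumber: 5002
member: uid=carol,ou=people,dc=domain,dc=com
member: uid=dave,ou=people,
 dc=domain,dc=com
"""

LDIF_LINE = re.compile(r'^([A-Za-z][\w;.-]*)(::?)\s*(.*)$')
MEMBER_DN_ATTRS = ('member', 'uniquemember')


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles folded lines (a continuation line starts with one space),
    comment lines and base64-encoded values ('attr:: ...').
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]          # join a folded continuation
        elif raw.startswith('#') or not raw.strip():
            continue
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError('not an LDIF attribute line: %r' % line)
        attr, sep, value = m.groups()
        if sep == '::':
            value = base64.b64decode(value).decode('utf-8')
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def looks_like_dn(value):
    """Cheap DN check: the value starts with an 'attr=' component."""
    return bool(re.match(r'^[A-Za-z][\w.-]*=', value.strip()))


def classify_group_schema(entry):
    """Return (schema, members) for a parsed group entry.

    'RFC2307bis': groupOfNames/groupOfUniqueNames, members are DNs.
    'RFC2307':    posixGroup only, members are login names in memberUid.
    'unknown':    neither object class present.
    """
    classes = {c.lower() for c in entry.get('objectclass', [])}
    dn_members = [v for a in MEMBER_DN_ATTRS for v in entry.get(a, [])]
    uid_members = entry.get('memberuid', [])
    if classes & {'groupofnames', 'groupofuniquenames'} or dn_members:
        bad = [v for v in dn_members if not looks_like_dn(v)]
        if bad:
            raise ValueError('member values that are not DNs: %r' % bad)
        return 'RFC2307bis', dn_members
    if 'posixgroup' in classes:
        return 'RFC2307', uid_members
    return 'unknown', []


def report(ldif_text):
    """One-line summary for a single group LDIF entry."""
    entry = parse_ldif_entry(ldif_text)
    schema, members = classify_group_schema(entry)
    return '%s: %s, %d member(s)' % (entry['dn'][0], schema, len(members))


if __name__ == '__main__':
    for sample in (RFC2307_GROUP, RFC2307BIS_GROUP):
        print(report(sample))
```

To run it against a real group, dump one entry from the old server with ldapsearch (the base DN here is the constructed one from the sample) and pass the text to report(): `ldapsearch -x -LLL -H ldap://192.168.1.125 -D cn=admin,dc=domain,dc=com -W -b ou=groups,dc=domain,dc=com '(cn=devs)'`. A group that comes back with a memberUid list and no member attribute is RFC 2307, which is the case to mention when asking why the migrated groups are empty.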


Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread Rob Crittenden

george he wrote:

Hello Rob,

Yes, I did the configuration earlier today. And I did kinit too.
It seems the web UI loads really slowly - the circular thing can turn
for minutes. So maybe I wasn't patient enough to let the page load.


A fair bit of javascript is loaded the very first time you visit IPA, 
that can be slow. Otherwise it should be relatively quick. Not minutes 
anyway.



I can ssh to the server and the client from my home, so I don't think
there's another firewall blocking the connection.


Different ports and that isn't the client talking to the server, it is 
you talking to the client and to the server. This is definitely some 
sort of networking problem, though no route to host is rather odd 
since you can ping. You might also look at the iptables configuration on 
the client.


rob


Thanks,
George


*From:* Rob Crittenden rcrit...@redhat.com
*To:* george he george_...@yahoo.com
*Cc:* Petr Viktorin pvikt...@redhat.com;
freeipa-users@redhat.com freeipa-users@redhat.com
*Sent:* Monday, June 18, 2012 11:51 AM
*Subject:* Re: [Freeipa-users] is not an IPA v2 Server.

george he wrote:
  Hello all,
 
  Here is some other information.
  I'm setting this up for a lab in a university. The university has its
  own kerberos server (and DNS server, which I use).
  I'm not sure whether anybody has set a kerberos server for the
  department, or some other labs used the department sub-domain.
  But I'm sure the realm name is unique.
 
  When I open the web UI on the server (firefox 13.0), I almost
always get
  this error:
  Your Kerberos ticket is no longer valid. Please run kinit and
then click
  'Retry'. If this is your first time running the IPA Web UI follow
these
  directions
https://cns2.psych.yale.edu/ipa/config/unauthorized.html to
  configure your browser.
  Or you can use form-based authentication
  https://cns2.psych.yale.edu/ipa/ui/#.
  but I can use the form based authentication sometimes, not always.

You need to configure the browser to do Kerberos single sign-on.
There should be a link in the failure message to take you to a page
to help you configure this. You also need to have done a kinit.

I'm not sure why forms-based auth would work only sometimes;
additional details would be needed.

I'm not sure why the server would be pingable from your client but
HTTP doesn't work. There may be another firewall blocking the
packets on your network.

rob




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hi Rob,
I was just thinking it's very unlikely the university would block http 
connections from inside, but not ssh from outside. But I'll contact our ITS 
anyway.
BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps 
outlined here 
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
There may be some steps that are obvious to people who know these things and 
are not listed in the document, so I could have missed them.
Thanks,
George





 From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com 
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Monday, June 18, 2012 1:28 PM
Subject: Re: [Freeipa-users] is not an IPA v2 Server.
 
george he wrote:
 Hello Rob,

 Yes, I did the configuration earlier today. And I did kinit too.
 It seems the web UI loads really slowly - the circular thing can turn
 for minutes. So maybe I wasn't patient enough to let the page load.

A fair bit of javascript is loaded the very first time you visit IPA, 
that can be slow. Otherwise it should be relatively quick. Not minutes 
anyway.

 I can ssh to the server and the client from my home, so I don't think
 there's another firewall blocking the connection.

Different ports and that isn't the client talking to the server, it is 
you talking to the client and to the server. This is definitely some 
sort of networking problem, though no route to host is rather odd 
since you can ping. You might also look at the iptables configuration on 
the client.

rob

 Thanks,
 George

     
     *From:* Rob Crittenden rcrit...@redhat.com
     *To:* george he george_...@yahoo.com
     *Cc:* Petr Viktorin pvikt...@redhat.com;
     freeipa-users@redhat.com freeipa-users@redhat.com
     *Sent:* Monday, June 18, 2012 11:51 AM
     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.

     george he wrote:
       Hello all,
      
       Here is some other information.
       I'm setting this up for a lab in a university. The university has its
       own kerberos server (and DNS server, which I use).
       I'm not sure whether anybody has set a kerberos server for the
       department, or some other labs used the department sub-domain.
       But I'm sure the realm name is unique.
      
       When I open the web UI on the server (firefox 13.0), I almost
     always get
       this error:
       Your Kerberos ticket is no longer valid. Please run kinit and
     then click
       'Retry'. If this is your first time running the IPA Web UI follow
     these
       directions
     https://cns2.psych.yale.edu/ipa/config/unauthorized.html to
       configure your browser.
       Or you can use form-based authentication
       https://cns2.psych.yale.edu/ipa/ui/#.
       but I can use the form based authentication sometimes, not always.

     You need to configure the browser to do Kerberos single sign-on.
     There should be a link in the failure message to take you to a page
     to help you configure this. You also need to have done a kinit.

     I'm not sure why forms-based auth work work only sometimes,
     additional details would be needed.

     I'm not sure why the server would be pingable from your client but
     HTTP doesn't work. There may be another firewall blocking the
     packets on your network.

     rob





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] ipa installation problem

2012-06-18 Thread george he
Hello all,
While waiting for more suggestions on my thread "is not an IPA v2 Server", I 
tried to install ipa server on other machines running fc16 and fc15.
When the server is on fc16, I get the same error as when it's on fc17: wget failed, 
"No route to host".
When the server is on fc15, wget still failed, but the reason was "Connection 
refused".
Seems to me there's something else to do after running ipa-server-install on 
the server.
Any suggestions?
Thanks,
George
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
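The two wget failures above are different symptoms. "Connection refused" means the TCP packet reached the server and nothing was listening on that port. "No route to host" while ping works means the client received an ICMP unreachable reply, which is what an iptables REJECT rule with icmp-host-prohibited sends; the default Fedora ruleset of this era ends with exactly that rule, and ipa-server-install prints the list of ports to open but does not change the firewall itself. Added example, not from the thread or from FreeIPA: a Python probe that tries a TCP connect to each port an IPA client needs and classifies the failure by errno, so the client-side view matches one of the causes Rob and Steven list (server firewall, upstream firewall, service not running, DNS). The port set is the standard FreeIPA one; the default hostname server.my.edu is the placeholder from the thread, and the loopback helpers exist only so the classification can be demonstrated offline.

```python
import errno
import socket
import sys

# TCP ports an IPA client needs on the server: the XML-RPC API over
# HTTP/HTTPS, LDAP/LDAPS, and the Kerberos KDC and kpasswd services.
# (Kerberos and kpasswd also use UDP, and NTP/DNS may matter too, but a
# TCP connect() gives the clearest refused/unreachable/timeout signal.)
IPA_TCP_PORTS = {
    80: 'HTTP', 443: 'HTTPS', 389: 'LDAP', 636: 'LDAPS',
    88: 'Kerberos', 464: 'kpasswd',
}

# What each outcome usually means on the path client -> IPA server.
MEANING = {
    'open': 'service reachable',
    'refused': 'host reached, but nothing is listening on that port',
    'unreachable': '"No route to host": ICMP unreachable came back, '
                   'typically a REJECT rule (iptables icmp-host-prohibited)',
    'timeout': 'packets silently dropped (DROP rule or an upstream firewall)',
    'dns': 'hostname does not resolve on this client',
    'other': 'unexpected socket error',
}


def classify_connect_error(err_no):
    """Map the errno from a failed TCP connect() to a coarse cause."""
    if err_no == errno.ECONNREFUSED:
        return 'refused'
    if err_no in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return 'unreachable'
    if err_no == errno.ETIMEDOUT:
        return 'timeout'
    return 'other'


def probe_port(host, port, timeout=3.0):
    """Try one TCP connect; return 'open' or the classified failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 'open'
    except socket.gaierror:
        return 'dns'
    except socket.timeout:
        return 'timeout'
    except OSError as e:
        return classify_connect_error(e.errno)


def probe_ipa_server(host, ports=IPA_TCP_PORTS, timeout=3.0):
    """Probe every port in `ports`; returns {port: status}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def free_local_port():
    """Pick a loopback port that nothing listens on (offline demonstration)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]


def probe_local_listener():
    """Demonstrate the 'open' case against a throwaway loopback listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(('127.0.0.1', 0))
        srv.listen(1)
        return probe_port('127.0.0.1', srv.getsockname()[1], timeout=1.0)


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'server.my.edu'
    for port, status in sorted(probe_ipa_server(target).items()):
        print('%5d %-8s %-11s %s' % (port, IPA_TCP_PORTS[port],
                                     status, MEANING[status]))
```

Run it from the client with the server name as the argument. An 'unreachable' column for 80/389/443 next to a working ping is the server's own iptables; `iptables -L -n` on the server will show the REJECT rule, and inserting ACCEPT rules for the listed ports before it (or opening them in the distribution's firewall tool) is the fix. 'refused' on the fc15 box means the packets arrive but the service is down, so check `ipactl status` there rather than the firewall.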

Re: [Freeipa-users] ipa installation problem

2012-06-18 Thread Steven Jones
Hi,

Installing the original master should be nothing more than that command.

With some flags though, maybe, so my command was:


ipa-server-install -a secret123 -p 123Secret --domain=unix.vuw.ac.nz 
--realm=UNIX.VUW.AC.NZ --setup-dns --forwarder=130.195.85.25 
--forwarder=130.195.98.151 --no-reverse --selfsign

So my master DNS zone is a Microsoft AD as vuw.ac.nz with 2 DNS servers, hence 
forwarder twice. The MS AD servers treat unix.vuw.ac.nz as a stub zone 
delegation... they retain the ptr zone, hence --no-reverse... so I have to add 
that manually.

Check the rpm versions of the server and client... they should be identical.

"is not an IPA v2 Server"

Just double check you have not made a typo... I put in vyw and not vuw 
while doing the client install and got that... the other possibility is 
iptables... or a firewall blocking... I've had that same error and found it 
was the Cisco FWSM.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of george he [george_...@yahoo.com]
Sent: Tuesday, 19 June 2012 10:26 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] ipa installation problem

Hello all,
While waiting for more suggestions on my thread "is not an IPA v2 Server", I 
tried to install ipa server on other machines running fc16 and fc15.
When the server is on fc16, I get the same error as when it's on fc17: wget failed, 
"No route to host".
When the server is on fc15, wget still failed, but the reason was "Connection 
refused".
Seems to me there's something else to do after running ipa-server-install on 
the server.
Any suggestions?
Thanks,
George


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users