Re: [Freeipa-users] Do clients have to be in the same DNS zone / FQDN as the IPA servers / Kerberos Realm?
> but I'm getting hammered by my management for instant answers... they asked last night and expect an answer this morning, and I'm expected to catch up and deploy several important solutions/projects all hinging on IPA ASAP...

2.2 isn't in RHEL 6.3 though? Are you using Fedora, CentOS or RHEL? The last bit implies RHEL, but then you seem to desire an SLA and a response on the upstream users' mailing list.

Although there are a large number of people here using IPA along with Red Hat developers, might I suggest that for a critical thing where you need an answer within 24 hours you are better off following the standard support channels of your RHEL contract?

If you don't have a support contract, now could be a good time to explain to management that if they require quick answers then they need to pay for them... if they do things on the cheap then they require patience...

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Joining realm failed: Host is already joined
Hello all,

When I do ipa-client-install on a client with a previous unsuccessful installation, I get this error message:

    Joining realm failed: Host is already joined.
    Installation failed. Rolling back changes.
    IPA client is not configured on this system.

How do I clean up the machine for a clean installation? I tried ipa-client-install --uninstall but get this:

    IPA client is not configured on this system.

Thanks,
George
Re: [Freeipa-users] groups migration
On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.

Thank you Rob. I tried this option and it didn't help, my groups in IPA are still empty :(.

regards,
Maciej Sawicki
Re: [Freeipa-users] Joining realm failed: Host is already joined
Hello Rob,

Here is what I get by running the commands:

    # klist -kt /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------
    # ipa-rmkeytab -k /etc/krb5.keytab -r MYREALM
    realm not found
    #

I thought the commands didn't solve the problem, but when I run ipa-client-install again, it says at the end "Client configuration complete." and it was found on the server by ipa host-find. So I guess the problem is gone.

Your help is very appreciated.
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: Petr Viktorin pvikt...@redhat.com; freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 11:18 AM
Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined

> george he wrote:
>> Thanks Petr,
>> Now it says:
>>
>>     Failed to obtain host TGT.
>>     Installation failed. Rolling back changes.
>>
>> I did the manual installation on this machine when the ipa-client-install script failed. I guess there's a lot to clean up :(
>
> /var/log/ipaclient-install.log may have more details on the failure.
>
> It could be that you have a lingering host principal. Run klist -kt /etc/krb5.keytab. To remove all principals for your realm from this keytab run:
>
>     # ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM
>
> rob
[Freeipa-users] ipa user-add
Hello all,

After the server and the client are installed, I run ipa user-add myname to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though ipa config-show --all shows "Default users group: ipausers". How do I put all new users into this ipausers group? If I use --gidnumber=INT, how do I find out the GID of the ipausers group?

I tried to delete a user using ipa user-del myname, but the private group myname is left there. So I did the following:

    # ipa group-del myname
    ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
    # ipa group-detach myname
    ipa: ERROR: myname: group not found
    # ipa user-add myname
    First name: myfirstname
    Last name: mylastname
    ipa: ERROR: Unable to create private group. A group 'myname' already exists.

How do I get out of this loop?

Thanks,
George
Re: [Freeipa-users] groups migration
Maciej Sawicki wrote:
> On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.
>
> Thank you Rob. I tried this option and it didn't help, my groups in IPA are still empty :(.

It won't re-migrate a group once it is added. Did you remove the group in IPA before trying again?

I did a quickie test using a current build from master (what will become 3.0) and it worked ok. We haven't done any migration changes since 2.2 so it should be the same code. What version and platform are you using?

The command-line I used was:

    # ipa migrate-ds ldap://pogo.example.com:3389 --schema=RFC2307 --with-compat

My data was:

    dn: uid=user1,ou=People,dc=greyoak,dc=com
    objectclass: top
    objectclass: posixaccount
    objectclass: inetorgperson
    sn: User
    givenname: test
    uid: user1
    uidnumber: 1
    gidnumber: 10001
    loginshell: /bin/sh
    homedirectory: /home/user1
    cn: Test User

    dn: uid=user2,ou=People,dc=greyoak,dc=com
    objectclass: top
    objectclass: posixaccount
    objectclass: inetorgperson
    sn: User
    givenname: test
    uid: user2
    uidnumber: 10003
    gidnumber: 10004
    loginshell: /bin/sh
    homedirectory: /home/user2
    cn: Test User 2

    dn: uid=user3,ou=People,dc=greyoak,dc=com
    objectclass: top
    objectclass: posixaccount
    objectclass: inetorgperson
    sn: User
    givenname: test
    uid: user3
    uidnumber: 10005
    gidnumber: 10006
    loginshell: /bin/sh
    homedirectory: /home/user3
    cn: Test User 3

    dn: cn=schema,ou=Groups,dc=greyoak,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    objectClass: posixgroup
    cn: schema
    ou: groups
    gidnumber: 10004
    description: People who can manage engineer entries
    memberUid: user1
    memberUid: user2
    memberUid: user3

    # ipa group-show schema
      Group name: schema
      Description: People who can manage engineer entries
      GID: 10004
      Member users: user1, user2, user3

rob
Re: [Freeipa-users] ipa user-add
Rich Megginson wrote:
> On 06/21/2012 12:25 PM, george he wrote:
>> Hello all,
>>
>> After the server and the client are installed, I run ipa user-add myname to add users. The users are added successfully, but each user gets his own GID, which is the same as his UID, even though ipa config-show --all shows "Default users group: ipausers". How do I put all new users into this ipausers group? If I use --gidnumber=INT, how do I find out the GID of the ipausers group?
>
> It would help to know what version and platform of IPA you are using. The method differs by version.
>
>> I tried to delete a user using ipa user-del myname, but the private group myname is left there. So I did the following:
>>
>>     # ipa group-del myname
>>     ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
>>     # ipa group-detach myname
>>     ipa: ERROR: myname: group not found
>>     # ipa user-add myname
>>     First name: myfirstname
>>     Last name: mylastname
>>     ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>>
>> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify, assuming you have done kinit admin:
>
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>
> This will give you the DN of the group - ignore any entries in the compat tree.
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.
>
>> Thanks,
>> George
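Two things in this thread can be checked offline before touching the directory: whether an RFC2307 group's memberUid values resolve to user entries at all (the first thing to rule out when migrate-ds leaves groups empty, as in Maciej's case above), and which mepManagedEntry groups have lost their owning user (George's dangling private group). The script below is an added example, not code from the IPA project or from anyone in the thread. It parses a constructed LDIF dump (the DNs and users in it are made up), reports both conditions, and generates the ldapmodify change set Rich describes in step 2 for each dangling group, so it can be reviewed before being piped into ldapmodify -Y GSSAPI.

```python
"""Offline checks for two cases raised in this thread: RFC2307 groups whose
memberUid values do not resolve to a user entry, and dangling user private
groups left behind after a user is deleted.  Added example, not IPA code."""

# Constructed sample LDIF in IPA's cn=accounts layout.  uid=olduser has
# already been deleted, so its private group cn=olduser is dangling.
SAMPLE_LDIF = """\
dn: uid=user1,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixaccount
objectClass: inetorgperson
uid: user1
uidNumber: 10001
gidNumber: 10001

dn: cn=user1,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
cn: user1
gidNumber: 10001
mepManagedBy: uid=user1,cn=users,cn=accounts,dc=example,dc=com

dn: cn=olduser,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: mepManagedEntry
cn: olduser
gidNumber: 10002
mepManagedBy: uid=olduser,cn=users,cn=accounts,dc=example,dc=com

dn: cn=engineers,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
cn: engineers
gidNumber: 10004
memberUid: user1
memberUid: olduser
"""


def parse_ldif(text):
    """Parse single-line-value LDIF into a list of entries, each a dict of
    lower-cased attribute name -> list of values.  Line folding, base64
    (::) and URL (:<) values are not handled; the attributes here need none."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def unresolved_member_uids(entries):
    """Map group DN -> memberUid values with no matching uid entry.  An
    RFC2307 group whose members all fail this check migrates empty."""
    known = {v.lower() for e in entries for v in e.get("uid", [])}
    result = {}
    for e in entries:
        missing = [m for m in e.get("memberuid", []) if m.lower() not in known]
        if missing:
            result[e["dn"][0]] = missing
    return result


def find_dangling_managed_groups(entries):
    """Return DNs of mepManagedEntry groups whose mepManagedBy owner DN
    no longer exists, i.e. private groups whose user has been deleted."""
    dns = {e["dn"][0].lower() for e in entries}
    dangling = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        owner = e.get("mepmanagedby", [""])[0]
        if "mepmanagedentry" in classes and owner.lower() not in dns:
            dangling.append(e["dn"][0])
    return dangling


def detach_and_delete_ldif(group_dn):
    """Build the ldapmodify input from Rich's step 2: drop the
    mepManagedEntry object class and the mepManagedBy link (the detach),
    then delete the now-unmanaged group.  Pipe it into ldapmodify -Y GSSAPI."""
    return (
        f"dn: {group_dn}\nchangetype: modify\n"
        "delete: objectclass\nobjectclass: mepManagedEntry\n-\n"
        "delete: mepManagedBy\n-\n\n"
        f"dn: {group_dn}\nchangetype: delete\n"
    )


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("unresolved memberUid:", unresolved_member_uids(entries))
    for dn in find_dangling_managed_groups(entries):
        print(detach_and_delete_ldif(dn))
```

To use it against a real server, replace SAMPLE_LDIF with the output of an ldapsearch over cn=accounts (the compat tree under cn=compat is deliberately excluded, as Rich notes) and review the generated records before applying them; the detach must precede the delete because the managed-entry plugin refuses to delete a group while it still carries mepManagedEntry.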
Re: [Freeipa-users] ipa user-add
it's x86_64 2.2.0-1.fc17.

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: Rich Megginson rmegg...@redhat.com
Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 2:54 PM
Subject: Re: [Freeipa-users] ipa user-add

> [quoted text snipped]
Re: [Freeipa-users] Joining realm failed: Host is already joined
On 06/21/2012 11:43 AM, george he wrote:
> Hello Rob,
>
> Here is what I get by running the commands:
>
> [quoted text snipped]
>
> I thought the commands didn't solve the problem, but when I run ipa-client-install again, it says at the end "Client configuration complete." and it was found on the server by ipa host-find. So I guess the problem is gone.

Rob,

IMO for cases like this we should have a page about how to wipe out the client manually. In the past I ran the uninstall several times in a row and sometimes it helped.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa user-add
On 06/21/2012 03:10 PM, george he wrote:
> it's x86_64 2.2.0-1.fc17.

You are looking at the private group feature. By default IPA encourages you to take advantage of the user private groups - the groups that have only the current user in them. The value of this is that the files on the file system can be owned just by the user. It is a good practice. To turn it off there is a utility to turn off the managed entries creation. Please do not use LDAP directly (at least yet).

There is another feature that allows one to specify criteria for placing users or hosts into groups. Users in the past were automatically placed into the ipausers group but not any more, for security reasons explained above and for performance reasons, as one huge group causes sssd to pull everybody on the first lookup.

> From: Rob Crittenden rcrit...@redhat.com
> To: Rich Megginson rmegg...@redhat.com
> Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
> Sent: Thursday, June 21, 2012 2:54 PM
> Subject: Re: [Freeipa-users] ipa user-add
>
> [quoted text snipped]

--
Thank you,
Dmitri Pal
Re: [Freeipa-users] ipa user-add
Hello Dmitri,

OK, I can accept the good practice of using private groups, then I need to delete the left over group. The instructions in the document failed as stated in my original email. Any suggestions how to delete the private group whose user has been deleted?

Thanks,
George

From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 3:47 PM
Subject: Re: [Freeipa-users] ipa user-add

> [quoted text snipped]
Re: [Freeipa-users] ipa user-add
george he wrote:
> Hello Dmitri,
>
> OK, I can accept the good practice of using private groups, then I need to delete the left over group. The instructions in the document failed as stated in my original email. Any suggestions how to delete the private group whose user has been deleted?

You first should upgrade 389-ds-base. Otherwise I guarantee you'll see this problem again.

Then run the steps Rich provided. There is no ipa command to delete a dangling managed entry because it should never happen.

rob
[Freeipa-users] replica installation clean up
Hi,

after ipa-replica-install and ipa-replica-install --uninstall, now I get

    [root@myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
    . . .
    Connection check OK
    The host myreplica already exists on the master server.
    Depending on your configuration, you may perform the following:

    Remove the replication agreement, if any:
        % ipa-replica-manage del myreplica
    Remove the host entry:
        % ipa host-del myreplica

If I run this on myreplica:

    [root@myreplica ~]# ipa-replica-manage del myreplica
    IPA is not configured on this system.
    [root@myreplica ~]# ipa host-del myreplica
    ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('Cannot find KDC for requested realm', -1765328230)

If I run this on mymaster:

    [root@mymaster ~]# ipa-replica-manage del myreplica
    Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
    [root@mymaster ~]# ipa host-del myreplica
    ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled

How do I clean up the unsuccessful installation - uninstallation of a replica?

Thanks,
George
Re: [Freeipa-users] replica installation clean up
george he wrote:
> Hi,
>
> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>
> [quoted text snipped]
>
> If I run this on mymaster:
>
>     [root@mymaster ~]# ipa-replica-manage del myreplica
>     Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
>     [root@mymaster ~]# ipa host-del myreplica
>     ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
>
> How do I clean up the unsuccessful installation - uninstallation of a replica?

Ideally you remove the agreement before deleting the replica, hence the LDAP error. Add the --force flag:

    # ipa-replica-manage del myreplica.fqdn --force

Then you should be able to delete the host entry.

rob
Re: [Freeipa-users] ipa user-add
On 06/21/2012 01:10 PM, george he wrote:
> it's x86_64 2.2.0-1.fc17.

rpm -qi 389-ds-base

> Thanks,
> George
>
> From: Rob Crittenden rcrit...@redhat.com
> To: Rich Megginson rmegg...@redhat.com
> Cc: george he george_...@yahoo.com; freeipa-users@redhat.com
> Sent: Thursday, June 21, 2012 2:54 PM
> Subject: Re: [Freeipa-users] ipa user-add
>
> [quoted text snipped]
[Freeipa-users] Add attributes to default user schema
Hi everybody,

Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema?

Regards
Re: [Freeipa-users] Add attributes to default user schema
On 06/21/2012 05:06 PM, James James wrote:
> Hi everybody,
>
> Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema?

Any specific reason for this specific attribute? See some old DS discussion here:
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00205.html

Can you use some other attribute that already exists in the schema for the same purpose?

> Regards

--
Thank you,
Dmitri Pal
Re: [Freeipa-users] Add attributes to default user schema
On Thu, Jun 21, 2012 at 2:06 PM, James James jre...@gmail.com wrote:
> Hi everybody,
>
> Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema?

That particular attribute is included in the schema (objectclass=mailRecipient) so it is easy to add using the ipa user-mod --addattr command. I then followed Adam Young's instructions to change the interface such that we could view/edit the new attribute in the UI:

1. Edit /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to include the new field
2. Add an entry to /usr/share/ipa/ui/user.js for the new value
3. Don't forget to restart httpd and refresh your browser cache to pick up the new fields

We needed that instead of using the multi-valued mail attribute because there are circumstances where we need to differentiate between the master email address and aliases. It's easy to add though and works great. I certainly wouldn't want to be in the position of adding lots of attributes not already included in IPA, but a one or two-off seems pretty reasonable to manage.

I don't know if it's still in the, I'm sure, *very* future plans for IPA, but I remember seeing some application (MTA, mail store) support mentioned at one time. These sorts of attributes might be nice to have if and when that happens.

Steve
Re: [Freeipa-users] Add attributes to default user schema
On 06/21/2012 05:44 PM, Stephen Ingram wrote:
> On Thu, Jun 21, 2012 at 2:06 PM, James James jre...@gmail.com wrote:
>> Hi everybody,
>>
>> Is it possible to have a procedure to add new attributes like mailAlternateAddress in the default user schema?
>
> That particular attribute is included in the schema (objectclass=mailRecipient) so it is easy to add using the ipa user-mod --addattr command. I then followed Adam Young's instructions to change the interface such that we could view/edit the new attribute in the UI:
>
> 1. Edit /usr/lib/python2.7/site-packages/ipalib/plugins/user.py to include the new field
> 2. Add an entry to /usr/share/ipa/ui/user.js for the new value
> 3. Don't forget to restart httpd and refresh your browser cache to pick up the new fields
>
> [quoted text snipped]
>
> Steve

Is there any chance you can submit what you have done in the form of a ticket with attached patches?

--
Thank you,
Dmitri Pal
Re: [Freeipa-users] replica installation clean up
Hello,

I used --force to delete myreplica from mymaster. And then ran ipa-replica-install on the myreplica again. This time everything seems ok until it comes to the end:

    Applying LDAP updates
    Restarting the directory server
    Restarting the KDC
    Restarting the web server
    creation of replica failed: Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1

    Your system may be partly configured.
    Run /usr/sbin/ipa-server-install --uninstall to clean up.

And this is the error message at the end of /var/log/ipareplica-install.log:

    2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl status' for details.
    2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' returned non-zero exit status 1
      File "/sbin/ipa-replica-install", line 494, in <module>
        main()
      File "/sbin/ipa-replica-install", line 488, in main
        ipaservices.knownservices.ipa.enable()
      File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 101, in enable
        self.restart(instance_name)
      File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 85, in restart
        ipautil.run(["/bin/systemctl", "restart", self.service_instance(instance_name)], capture_output=capture_output)
      File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
        raise CalledProcessError(p.returncode, args)

Should I run ipa-server-install --uninstall on myreplica now?

Thanks,
George

From: Rob Crittenden rcrit...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 4:35 PM
Subject: Re: [Freeipa-users] replica installation clean up

> george he wrote:
>> [quoted text snipped]
>>
>> How do I clean up the unsuccessful installation - uninstallation of a replica?
>
> Ideally you remove the agreement before deleting the replica, hence the LDAP error. Add the --force flag:
>
>     # ipa-replica-manage del myreplica.fqdn --force
>
> Then you should be able to delete the host entry.
>
> rob
Re: [Freeipa-users] ipa user-add
Hello Rich,

Thanks for the help. This does remove the group so I can add the user back. But when I try to ssh, as that user, to the machines that the user logged on before ipa user-del, I get permission denied. I removed the user's home directory because it still belongs to the deleted UID:GID. After that I still get permission denied. Any suggestions?

Thanks again,
George

From: Rich Megginson rmegg...@redhat.com
To: george he george_...@yahoo.com
Cc: freeipa-users@redhat.com
Sent: Thursday, June 21, 2012 2:43 PM
Subject: Re: [Freeipa-users] ipa user-add

> On 06/21/2012 12:25 PM, george he wrote:
>> [quoted text snipped]
>>
>> How do I get out of this loop?
>
> What is your platform and 389-ds-base version?
>
> I'm not familiar with group-detach, but you can manually detach and remove the private group using ldapsearch and ldapmodify, assuming you have done kinit admin:
>
> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>
> This will give you the DN of the group - ignore any entries in the compat tree.
>
> 2) ldapmodify -Y GSSAPI <<EOF
> dn: DN of the group from ldapsearch
> changetype: modify
> delete: objectclass
> objectclass: mepManagedEntry
> -
> delete: mepManagedBy
> -
>
> dn: DN of the group from ldapsearch
> changetype: delete
> EOF
>
> This will remove the private group.