Re: [Freeipa-users] Postfix IPA
free...@noboost.org wrote:
> Hi All,
>
> Server:
> ipa-server-2.1.3-9.el6.x86_64
> sssd-1.5.1-66.el6_2.3
>
> Client:
> ipa-client-2.1.3-9.el6.x86_64
>
> I've got Postfix working with IPA and to be honest it was actually very
> easy. I simply setup a standard postfix server, configured the IPA
> client and when mail was delivered, postfix detected the UIDs from IPA
> and delivered the mail.
>
> So I thought to myself, this is one of the most important services we
> have. What would happen if the SSSD client failed for some reason on the
> postfix server?
>
> As expected the postfix server bounces the email back to its sender.
> -
> This is the mail system at host pan.example.com.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> (expanded from ): host safevm-craig.example.com[192.168.0.28] said:
> 550 5.1.1 : Recipient address rejected: User unknown in local recipient
> table (in reply to RCPT TO command)
> -
>
> Before I start investigating backup mail servers, different postfix
> queues. Just thought I'd ask if anyone else has setup their own solution
> to ensure the safety of mail delivery with IPA?

I think this would apply to any non-file-based nss provider (ldap, nis, etc).

What does your nsswitch.conf look like? I wonder if something clever can be
done like [!UNAVAIL=return]. My nss knowledge is limited though so I'm not
sure what gets returned to the lookup call, whether it is distinguishable
from a notfound.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
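The status/action syntax Rob wonders about can be modelled directly. What follows is an added example, not code from this thread, from FreeIPA or from SSSD: a small Python model of the service/status/action evaluation that nsswitch.conf(5) documents, run against constructed stand-in backends (a local files table, a healthy sss and an sss that is down). It assumes, as glibc behaves, that the status handed back to the caller is the status of the last service consulted on the line.

```python
"""Model of nsswitch.conf service/status/action evaluation (nsswitch.conf(5)).

Added example: the backends below are constructed stand-ins, not real NSS
modules, so the script runs without sssd, LDAP or a passwd file.
"""
import re
from enum import Enum


class Status(Enum):
    """The four statuses an NSS service module can return."""
    SUCCESS = "success"
    NOTFOUND = "notfound"
    UNAVAIL = "unavail"
    TRYAGAIN = "tryagain"


# Default actions from nsswitch.conf(5): stop on success, otherwise try
# the next service on the line.
DEFAULT_ACTIONS = {
    Status.SUCCESS: "return",
    Status.NOTFOUND: "continue",
    Status.UNAVAIL: "continue",
    Status.TRYAGAIN: "continue",
}

# A token is either a bracketed action list or a bare service name.
_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")


def parse_line(spec):
    """Parse e.g. 'files [!UNAVAIL=return] sss' into [(service, actions)].

    A bracketed list modifies the actions of the service that precedes it.
    '!STATUS=action' sets the action for every status except STATUS.
    """
    services = []
    for bracket, name in _TOKEN.findall(spec):
        if name:
            services.append((name, dict(DEFAULT_ACTIONS)))
            continue
        if not services:
            raise ValueError("action list with no preceding service")
        actions = services[-1][1]
        for item in bracket.split():
            key, _, action = item.partition("=")
            action = action.lower()
            if action not in ("return", "continue"):
                raise ValueError("unsupported action %r" % action)
            negate = key.startswith("!")
            status = Status[key.lstrip("!").upper()]
            targets = [s for s in Status if s is not status] if negate else [status]
            for s in targets:
                actions[s] = action
    return services


def resolve(spec, key, backends):
    """Walk the services on one nsswitch line for a single lookup.

    backends maps service name -> callable(key) -> Status.  A service with
    no backend behaves as UNAVAIL, like a missing libnss_*.so.  Returns the
    status of the last service consulted plus a trace of each call.
    """
    status = Status.UNAVAIL
    trace = []
    for name, actions in parse_line(spec):
        backend = backends.get(name)
        status = backend(key) if backend else Status.UNAVAIL
        trace.append((name, status))
        if actions[status] == "return":
            break
    return status, trace


# Constructed stand-in backends (hypothetical accounts, not real data).
def files_backend(key):
    """Local /etc/passwd stand-in: only system accounts."""
    return Status.SUCCESS if key in ("root", "postfix") else Status.NOTFOUND


def sss_up(key):
    """sssd reachable: only the IPA user 'craig' exists there."""
    return Status.SUCCESS if key == "craig" else Status.NOTFOUND


def sss_down(key):
    """sssd not running: every lookup is UNAVAIL."""
    return Status.UNAVAIL


if __name__ == "__main__":
    cases = [
        ("files sss", "craig", sss_up),
        ("files sss", "craig", sss_down),
        ("sss [!UNAVAIL=return] files", "craig", sss_down),
        ("sss [!UNAVAIL=return] files", "root", sss_up),
    ]
    for spec, key, sss in cases:
        status, trace = resolve(spec, key, {"files": files_backend, "sss": sss})
        print("%-30s %-6s -> %-8s %s" % (spec, key, status.value,
                                         [(n, s.value) for n, s in trace]))
```

The second and third cases are the ones that matter for the bounce in Craig's report: with `files sss` an sssd outage surfaces to the caller as UNAVAIL, whereas with `sss [!UNAVAIL=return] files` the same outage ends on `files` and comes back as NOTFOUND, which is indistinguishable from a genuinely unknown user. The fourth case is the caveat for that action: once `[!UNAVAIL=return]` follows `sss`, a NOTFOUND from sssd stops the walk, so local accounts such as `root` that exist only in `files` are never consulted while sssd is healthy.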
Re: [Freeipa-users] Postfix IPA
On Tue, 2012-07-03 at 18:15 +0530, M.R Niranjan wrote:
>
> On 07/03/2012 11:14 AM, free...@noboost.org wrote:
> > Hi All,
> >
> > Server:
> > ipa-server-2.1.3-9.el6.x86_64
> > sssd-1.5.1-66.el6_2.3
> >
> > Client:
> > ipa-client-2.1.3-9.el6.x86_64
> >
> >
> > I've got Postfix working with IPA and to be honest it was actually very
> > easy. I simply setup a standard postfix server, configured the IPA
> > client and when mail was delivered, postfix detected the UIDs from IPA
> > and delivered the mail.
> >
> > So I thought to myself, this is one of the most important services we
> > have. What would happen if the SSSD client failed for some reason on the
> > postfix server?
> >
>
> By sssd client failing do you mean sssd not able to reach ldap servers
> or sssd service crashing ?
>
> If sssd parent crashes then i think not much you could do but if the
> child services of sssd don't respond sssd does restart the child
> services automatically.
>
> Refer:
> http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store

Also we still keep serving users out of the sssd cache as long as the
sssd_nss process is running. And with the memory cache we have in 1.9.0 you
may still get users from the cache directly even if the whole sssd dies.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] error yum install freeipa-server
Hello Rob,

These are printed to the command window after this line:
Installing : pki-selinux-9.0.20-1.fc17.noarch 34/96

The files reported missing are not there after yum install completed.
I turned selinux off ("setenforce 0" and modified /etc/sysconfig/selinux)
before installing freeipa-server. Don't know whether this caused the files
not to be created by yum.

Thanks,
George

> From: Rob Crittenden
> To: george he
> Cc: "freeipa-users@redhat.com"
> Sent: Thursday, July 5, 2012 11:27 AM
> Subject: Re: [Freeipa-users] error yum install freeipa-server
>
> george he wrote:
>> Hello all,
>>
>> When I do "yum install -y freeipa-server" on a newly installed FC17
>> system, I get a lot of errors like this:
>>
>> /sbin/restorecon: lstat(/etc/pki-tks*) failed: No such file or directory
>> /sbin/restorecon: lstat(/etc/pki-tps*) failed: No such file or directory
>> /sbin/restorecon: lstat(/etc/sysconfig/pki/ca*) failed: No such file or directory
>> /sbin/restorecon: lstat(/etc/sysconfig/pki/kra*) failed: No such file or directory
>> .
>> .
>> .
>> /sbin/restorecon: lstat(/usr/bin/dtomcat5-pki-tks) failed: No such file or directory
>> /sbin/restorecon: lstat(/var/lib/pki-ca*) failed: No such file or directory
>> .
>> .
>> .
>> /sbin/restorecon: lstat(/var/lib/ipa/ca_serialno) failed: No such file or directory
>> /sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
>>
>> It seems to me these missing files are supposed to be installed by this
>> yum install command.
>> With these errors, can I still go ahead and set up the ipa-server?
>>
>> Thanks,
>> George
>
> Where are you seeing these logged? Some of those files/directories don't
> exist yet, they are created by the install. It should be safe to proceed.
>
> rob
Re: [Freeipa-users] hostgroups/netgroups
On 07/04/2012 02:58 AM, Natxo Asenjo wrote:
> hi,
>
> I just wanted to say: awesome!
>
> Without using the NIS compatibility layer, I just create a hostgroup,
> fill it in with hosts. Then I add that hostgroup to a netgroup. That's
> all I need to automagically create classes our cfengine setup can use
> to distribute policies across the hosts.
>

BTW by default there should be a netgroup with the same name as a host group
created every time you create a host group, so you might even not have to do
step 2.

> You guys just made my day and I just wanted to share it.
>
> Thanks!
> --
> Groeten,
> natxo

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] win7 client
On 07/03/2012 05:28 PM, Rob Crittenden wrote:
> george he wrote:
>> Hello all,
>> I'm trying to set up a win7 as a client of my freeipa server running on
>> fc17. so I followed the instructions here:
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
>>
>> But then what? The win7 is currently in a "workgroup". I tried to join
>> the win7 to a domain with my ipa realm name, but it failed.
>>
>
> IPA is not an AD replacement, you can't join any Windows machine to it.
>
> The instructions you referenced are for installing the MIT Kerberos
> package in Windows. This just lets you get a ticket from the IPA KDC
> that may be usable by various applications (e.g. Firefox) but it isn't
> a way to provide domain login.
>
> Our plan for that is to do cross-realm trust with AD, see the 3.0 beta
> released yesterday.

Windows clients generally require a lot more from the domain controller than
IPA can provide. And most of the operations are done over the custom MSFT
protocols. There might be a way to make the Windows workstation work with IPA
to some extent. My dream is to allow the following use case: Win7 is joined
into an AD domain using AD native tools and then via a credential provider is
configured to authenticate against IPA. If there is a trust between AD and IPA
there should (hopefully) be a way to place the TGT that is acquired by user
auth against IPA into some place where the MSFT kerberos library would think
that this is a TGT for a user who came from a different forest and would use
cross realm exchange if the user tries to access resources in the AD domain
behind the scenes. If that were made possible it would really create a set of
interesting opportunities as IPA some time in the future would natively
support 2FA over Kerberos for login.

>
> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Chaining and FreeIPA Directory Server
Phyo Kyaw wrote:
> Dear all,
>
> server
> ipa-server-2.1.3-9.el6.x86_64
>
> This is probably a question for Directory 389 users, but.. I would like
> to chain (not master to master replication) users of two or more IPA
> servers.
>
> The first thing I did was trying to chain the IPA 389-ds servers by
> setting up chaining entries. The chaining entries work out of the box on
> standard 389-DS, but on IPA 389-ds it won't start after adding ldap
> suffixes.
>
> The 389-ds error log only shows
> [05/Jul/2012:15:00:33 +] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>
> Suffix entry
> dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
> objectClass:nsMappingTree
> objectClass:extensibleObject
> objectClass:top
> cn:cn=dc=example,dc=com
> cn:"cn=dc=example,dc=com"
> nsslapd-backend:testusers
> nsslapd-state:backend
>
> Just wondering if FreeIPA has some other configuration or plugin that
> prevents 389-DS from starting or conflicts with it. I am guessing
> chaining is something if we have two or more IPAs in one infrastructure.

I don't know why this would cause the server to not start but IPA doesn't
support read-only replicas at this time.

What is it you are trying to achieve?

rob
Re: [Freeipa-users] error yum install freeipa-server
george he wrote:
> Hello all,
>
> When I do "yum install -y freeipa-server" on a newly installed FC17
> system, I get a lot of errors like this:
>
> /sbin/restorecon: lstat(/etc/pki-tks*) failed: No such file or directory
> /sbin/restorecon: lstat(/etc/pki-tps*) failed: No such file or directory
> /sbin/restorecon: lstat(/etc/sysconfig/pki/ca*) failed: No such file or directory
> /sbin/restorecon: lstat(/etc/sysconfig/pki/kra*) failed: No such file or directory
> .
> .
> .
> /sbin/restorecon: lstat(/usr/bin/dtomcat5-pki-tks) failed: No such file or directory
> /sbin/restorecon: lstat(/var/lib/pki-ca*) failed: No such file or directory
> .
> .
> .
> /sbin/restorecon: lstat(/var/lib/ipa/ca_serialno) failed: No such file or directory
> /sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory
>
> It seems to me these missing files are supposed to be installed by this
> yum install command.
> With these errors, can I still go ahead and set up the ipa-server?
>
> Thanks,
> George

Where are you seeing these logged? Some of those files/directories don't
exist yet, they are created by the install. It should be safe to proceed.

rob
[Freeipa-users] error yum install freeipa-server
Hello all,

When I do "yum install -y freeipa-server" on a newly installed FC17
system, I get a lot of errors like this:

/sbin/restorecon: lstat(/etc/pki-tks*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/pki-tps*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/ca*) failed: No such file or directory
/sbin/restorecon: lstat(/etc/sysconfig/pki/kra*) failed: No such file or directory
.
.
.
/sbin/restorecon: lstat(/usr/bin/dtomcat5-pki-tks) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca*) failed: No such file or directory
.
.
.
/sbin/restorecon: lstat(/var/lib/ipa/ca_serialno) failed: No such file or directory
/sbin/restorecon: lstat(/var/lib/pki-ca/publish*) failed: No such file or directory

It seems to me these missing files are supposed to be installed by this
yum install command.
With these errors, can I still go ahead and set up the ipa-server?

Thanks,
George
[Freeipa-users] Chaining and FreeIPA Directory Server
Dear all,

server
ipa-server-2.1.3-9.el6.x86_64

This is probably a question for Directory 389 users, but.. I would like to
chain (not master to master replication) users of two or more IPA servers.

The first thing I did was trying to chain the IPA 389-ds servers by setting
up chaining entries. The chaining entries work out of the box on standard
389-DS, but on IPA 389-ds it won't start after adding ldap suffixes.

The 389-ds error log only shows
[05/Jul/2012:15:00:33 +] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.

Suffix entry
dn:cn=cn\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass:nsMappingTree
objectClass:extensibleObject
objectClass:top
cn:cn=dc=example,dc=com
cn:"cn=dc=example,dc=com"
nsslapd-backend:testusers
nsslapd-state:backend

Just wondering if FreeIPA has some other configuration or plugin that
prevents 389-DS from starting or conflicts with it. I am guessing chaining
is something if we have two or more IPAs in one infrastructure.

Many thanks
Phyo
Re: [Freeipa-users] Postfix IPA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/03/2012 11:14 AM, free...@noboost.org wrote:
> Hi All,
>
> Server:
> ipa-server-2.1.3-9.el6.x86_64
> sssd-1.5.1-66.el6_2.3
>
> Client:
> ipa-client-2.1.3-9.el6.x86_64
>
>
> I've got Postfix working with IPA and to be honest it was actually very
> easy. I simply setup a standard postfix server, configured the IPA
> client and when mail was delivered, postfix detected the UIDs from IPA
> and delivered the mail.
>
> So I thought to myself, this is one of the most important services we
> have. What would happen if the SSSD client failed for some reason on the
> postfix server?
>

By sssd client failing do you mean sssd not able to reach ldap servers or
sssd service crashing ?

If sssd parent crashes then i think not much you could do but if the child
services of sssd don't respond sssd does restart the child services
automatically.

Refer:
http://freeipa.org/page/Service_Controller_Daemon#Configuration_Store

> As expected the postfix server bounces the email back to its sender.
> -
> This is the mail system at host pan.example.com.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> (expanded from ): host safevm-craig.example.com[192.168.0.28] said:
> 550 5.1.1 : Recipient address rejected: User unknown in local recipient
> table (in reply to RCPT TO command)
> -
>
> Before I start investigating backup mail servers, different postfix
> queues. Just thought I'd ask if anyone else has setup their own solution
> to ensure the safety of mail delivery with IPA?
>
> cya
>
> Craig
>

- --
Regards
M.R.Niranjan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/y6UwACgkQLu3FX2BHx8enSACePeiIfGU6DlGMsA4mSrm4mfo4
wYAAnRAA6zyXQ02mM6S3AMCyr5eLAY9w
=aICl
-----END PGP SIGNATURE-----