Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rob Crittenden

Steven Jones wrote:

Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about, which is the return of objects 
from a search inside the AD GUI, but that might be specific to that view tool.  
That is 2000 by default; I've set 4, I am testing it now, if that doesn't 
work

Our best AD person is currently researching to see if it's even possible to 
alter that hard code in AD.  The only way he can see is using a Windows/AD 
specific command line command to modify the internals of AD, but he's never seen 
or read about doing it for this attribute.


Rich knows more about this than me, so maybe he knows what value you're 
changing, but I don't. Where exactly in the AD gui are you changing the 
value to 40k?


regards

rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 26 September 2012 1:31 p.m.
To: Rich Megginson
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Rich Megginson wrote:

On 09/25/2012 03:34 PM, Steven Jones wrote:

Hi,

I have set the filter size as 2 for the user and it makes no
difference.

Where did you set this?  In IPA?  In AD?  If so, where? How?
What does "filter size" mean?  To me, it means "the size of an LDAP
search filter in an LDAP search request" not "the maximum number of
entries returned by a search".


The more details you can provide on what you did the better. This might
include the exact ldapmodify command, where you entered it in AD, the
attribute names, whichever is applicable.

regards

rob




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Steven Jones
Hi,

I don't have an ldapmodify command for changing something in AD.

I have increased the only scope I/we know about, which is the return of objects 
from a search inside the AD GUI, but that might be specific to that view tool.  
That is 2000 by default; I've set 4, I am testing it now, if that doesn't 
work

Our best AD person is currently researching to see if it's even possible to 
alter that hard code in AD.  The only way he can see is using a Windows/AD 
specific command line command to modify the internals of AD, but he's never seen 
or read about doing it for this attribute.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 26 September 2012 1:31 p.m.
To: Rich Megginson
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Rich Megginson wrote:
> On 09/25/2012 03:34 PM, Steven Jones wrote:
>> Hi,
>>
>> I have set the filter size as 2 for the user and it makes no
>> difference.
> Where did you set this?  In IPA?  In AD?  If so, where? How?
> What does "filter size" mean?  To me, it means "the size of an LDAP
> search filter in an LDAP search request" not "the maximum number of
> entries returned by a search".

The more details you can provide on what you did the better. This might
include the exact ldapmodify command, where you entered it in AD, the
attribute names, whichever is applicable.

regards

rob





Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rob Crittenden

Rich Megginson wrote:

On 09/25/2012 03:34 PM, Steven Jones wrote:

Hi,

I have set the filter size as 2 for the user and it makes no
difference.

Where did you set this?  In IPA?  In AD?  If so, where? How?
What does "filter size" mean?  To me, it means "the size of an LDAP
search filter in an LDAP search request" not "the maximum number of
entries returned by a search".


The more details you can provide on what you did the better. This might 
include the exact ldapmodify command, where you entered it in AD, the 
attribute names, whichever is applicable.


regards

rob



Re: [Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread Sigbjorn Lie

On 09/26/2012 12:21 AM, James James wrote:
Hi, I don't know if this is the right place to ask this question but I 
will try.


I have  :

- a freeipa server + autofs maps
- a nfsv4 server
- a web server

from the webserver I can mount my nfs4 exported home dir. Everything 
works well.


I want to access my public_html directory from the web server. From 
my browser, when I try to reach http://myweserver/~user, I've got 403 
Forbidden and the logs give me:


Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create 
krb5 context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 
'mech=krb5 uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall 
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: 
service is ''
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for 
client with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file 
'/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm 
'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file 
'/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' 
being considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' 
owned by 0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create 
krb5 context for user with uid 48 for server nfs-server.example.com




Apache user id is 48.

Thanks for any help.

James





Are you using nfs4 + krb5 as auth for your home directories?

If so, what it's telling you is that it's unable to retrieve kerberos 
credentials for the apache user (uid 48). I believe you have to create a 
user account for apache in IPA, initiate credentials for this user (and 
renew them when they expire), and set the KRB5CCNAME environment 
variable to point to the credentials cache in the startup script for 
httpd. A cronjob or similar would be required to keep renewing the 
credentials. I have not looked into this myself yet so I cannot give 
exact feedback for this.


Make sure the IPA user account that you provide credentials for has 
access to read the user's public_html directory and list the user's home 
directory.


Let me know how you get on. I haven't tested this myself yet but it's 
been on my mind.



Regards,
Siggi


[Freeipa-users] Apache, autofs and userdir

2012-09-25 Thread James James
Hi, I don't know if this is the right place to ask this question but I will
try.

I have  :

- a freeipa server + autofs maps
- a nfsv4 server
- a web server

from the webserver I can mount my nfs4 exported home dir. Everything works
well.

I want to access my public_html directory from the web server. From my
browser, when I try to reach http://myweserver/~user, I've got 403
Forbidden and the logs give me:

Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5
context for user with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: doing error downcall
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling gssd upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: handle_gssd_upcall: 'mech=krb5
uid=48 enctypes=18,17,16,23,3,1,2 '
Sep 25 23:18:21 web-server rpc.gssd[4522]: handling krb5 upcall
(/var/lib/nfs/rpc_pipefs/nfs/clnte2)
Sep 25 23:18:21 web-server rpc.gssd[4522]: process_krb5_upcall: service is
''
Sep 25 23:18:21 web-server rpc.gssd[4522]: getting credentials for client
with uid 48 for server nfs-server.example.com
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
'/tmp/krb5cc_797200160_Aqx6OL' being considered, with preferred realm '
EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file
'/tmp/krb5cc_797200160_Aqx6OL' owned by 797200160, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' being
considered, with preferred realm 'EXAMPLE.COM'
Sep 25 23:18:21 web-server rpc.gssd[4522]: CC file '/tmp/krb5cc_0' owned by
0, not 48
Sep 25 23:18:21 web-server rpc.gssd[4522]: WARNING: Failed to create krb5
context for user with uid 48 for server nfs-server.example.com


Apache user id is 48.

Thanks for any help.

James

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rich Megginson

On 09/25/2012 03:34 PM, Steven Jones wrote:

Hi,

I have set the filter size as 2 for the user and it makes no difference.

Where did you set this?  In IPA?  In AD?  If so, where? How?
What does "filter size" mean?  To me, it means "the size of an LDAP 
search filter in an LDAP search request" not "the maximum number of 
entries returned by a search".


So unless it's somewhere else configurable it can't be easily done.

Via ADSI Edit? And if so, what is the value called?

I would like to know the answers to these questions, but I do not.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 26 September 2012 7:39 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/24/2012 11:49 PM, Steven Jones wrote:

Hi,

I'm confused here, has no one tried to winsync 2000+ users before?

Are there any docs on working around this limit?

I've upped the user to 2 but that seems to have had no effect... my AD ppl 
don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 25 September 2012 3:17 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D  -w  -h  -s sub -b 
OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn>  ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA... they 
also lose their IPA groups, which is a bit of a bummer.

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:

On 09/21/2012 11:07 AM, Rich Megginson wrote:

On 09/21/2012 09:04 AM, Dmitri Pal wrote:

On 09/21/2012 09:23 AM, Rich Megginson wrote:

On 09/21/2012 05:21 AM, Martin Kosek wrote:

When using bare ldapsearch, you are hitting 389-ds limits - in your
case
nsslapd-sizelimit. This can be increased either globally or (this
seems as a
more secure solution) for a user you bind as:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



Steven, are you saying that winsync only pulled over 2000 out of 5700
users from AD into IPA? If so, then that's a limit on the winsync user
that must be increased in AD.


Rich, it seems that it might make sense to file an RFE for the winsync
to support paging control.

AD supports the paging control?  And this allows you to get around the
search limit?


http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
The default is usually 2K BTW.

https://fedorahosted.org/389/ticket/472

Martin

On 09/21/2012 04:43 AM, Steven Jones wrote:

Hi,

It seems IPA has some sort of limit on searching; it will only show
the first 2k of user entries?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

---


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, 21 September 2012 11:38 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 03:52 PM, Steven Jones wrote:

Hi,

I have imported users, but there are 5700 of them but I only have
2000 which
corresponds to the view that AD gives you by default.  This makes
me think
that that limit is all the AD is allowing the query to see?

You can use
https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
what winsync sees when it searches.

Is there a way to expand it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

---

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Steven Jones
Hi,

I have set the filter size as 2 for the user and it makes no difference.

So unless it's somewhere else configurable it can't be easily done.

Via ADSI Edit? And if so, what is the value called?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 26 September 2012 7:39 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?
>
> Are there any docs on working around this limit?
>
> I've upped the user to 2 but that seems to have had no effect... my AD ppl 
> don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D  -w  -h  -s sub -b 
> OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users but only 4300 are transferred to IPA... they 
> also lose their IPA groups, which is a bit of a bummer.
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Rich Megginson [rmegg...@redhat.com]
> Sent: Saturday, 22 September 2012 3:46 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
 On 09/21/2012 09:23 AM, Rich Megginson wrote:
> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>> case
>> nsslapd-sizelimit. This can be increased either globally or (this
>> seems as a
>> more secure solution) for a user you bind as:
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>
>>
> Steven, are you saying that winsync only pulled over 2000 out of 5700
> users from AD into IPA? If so, then that's a limit on the winsync user
> that must be increased in AD.
>
 Rich, it seems that it might make sense to file an RFE for the winsync
 to support paging control.
>>> AD supports the paging control?  And this allows you to get around the
>>> search limit?
>>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>> The default is usually 2K BTW.
> https://fedorahosted.org/389/ticket/472
>> Martin
>>
>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>> Hi,
>>>
>>> It seems IPA has some sort of limit on searching; it will only show
>>> the first 2k of user entries?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ---
>>>
>>>
>>> *From:* Rich Megginson [rmegg...@redhat.com]
>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users@redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
 Hi,

 I have imported users, but there are 5700 of them but I only have
 2000 which
 corresponds to the view that AD gives you by default.  This makes
 me think
 that that limit is all the AD is allowing the query to see?
>>> You can use
>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>> what winsync sees w

Re: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version

2012-09-25 Thread Rich Megginson

On 09/25/2012 11:39 AM, Dan Scott wrote:

Hi,

We've tried starting the service properly - the dirsrv process still
won't start properly:

[25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which
should be added before the CoS Definition.
[25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:02 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:03 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version
Replication is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication
Plugin is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster
Replication Plugin is not started
[25/Sep/2012:13:37:37 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:37:37 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:37:40 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which
should be added before the CoS Definition.
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:42 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:43 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:37:43 -0400] - Error: preoperation plugin IPA Version
Replication is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Legacy Replication
Plugin is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Multimaster
Replication Plugin is not started

We've been through Rich's suggested procedure to manually initialize
the consumer, but still get the message above.

Any ideas?

Assuming the directory server is not running, do this:
rm -rf /var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
then follow the ldif2db procedure
then start the directory server


Thanks,

Dan


On Mon, Sep 24, 2012 at 10:26 AM, Alexander Bokovoy  wrote:

On Mon, 24 Sep 2012, Ikaro Silva wrote:

Hi Rich,

Thanks for the help. We have tried your suggestion below, however the
problem still persists:

systemctl status dirsrv.service

There is no dirsrv.service. dirsrv instances are arranged in the
following setup:

- there is dirsrv.target that is used to start and stop all instances at
   the same time

- there are dirsrv@INSTANCE-NAME.service services for specific instances
   where INSTANCE-NAME is REALM with dots replaced by -.

IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you
want to
start/stop them all, use

systemctl stop dirsrv.target
systemctl start dirsrv.target

For status you need to check specific instances.

systemctl status dirsrv@.service

# systemctl status dirsrv@IPA-LOCAL.service
dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL.
   Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
   

Re: [Freeipa-users] Easy deployment

2012-09-25 Thread Sigbjorn Lie

On 09/25/2012 12:17 AM, James James wrote:

Hi guys,

we are planning to install 150 freeipa clients and I was wondering if 
there is a way to easily install (from kickstart) an nfsv4 client.


I can add host with

# ipa host-add --password=secret

But to get the keytab (host and service), I have to log into the 
machine, launch kinit and get the keytab.


This will be very painful for 150 clients 

Any hints are welcome ...



Hi,

I am working on integrating what you are asking for into OneClickKick, 
which is a web-based GUI for managing a DHCP server and PXE 
booting. The current version can read the host objects from IPA's LDAP, 
and you can use these to generate PXE boot files for kickstarting 
RHEL/Fedora, preseeding Debian/Ubuntu installations, doing BIOS upgrades, 
running LIVE environments, etc.


What I have done in the past is to add a line like this to the post 
section of the kickstart:
/usr/sbin/ipa-client-install --domain="ix.test.com" 
--principal="ipajoinuser" --password="somepassword" -U -f


This is not ideal even though the kickstart is saved in a database and 
only made available dynamically through a PHP script to the host that's 
enabled for kickstarting. It is not saved in a text file on the disk. 
The next version will include tighter integration with IPA where a One 
Time Password is set for the host being kickstarted at the time it's 
enabled for kickstarting, and this password is seeded dynamically when 
the host is served its kickstart file.


The next version will also have the PXE Enrollment boot image updated to 
support adding new hosts directly into IPA. PXE Enrollment is 
support for adding a new host simply by PXE booting it, logging on, 
giving it a hostname and assigning it a kickstart profile to load 
the machine directly from the console of the new machine.


Adding of machines directly to IPA from the web UI will also be 
available in the next version. This allows you to do everything from 
adding the host, to selecting the kickstart profile group, and enabling 
for PXE installation/kickstart in 1 step.


It can also search through the /var/log/messages file to find new hosts 
that are unknown to its naming sources and directly add these.


You can also select a group of machines to install, so if you have your 
150 machines in one group you can select the entire group for installation.



See the project website or contact me for more information:
http://sourceforge.net/projects/oneclickkick/



Regards,
Siggi


Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Dmitri Pal
On 09/24/2012 11:49 PM, Steven Jones wrote:
> Hi,
>
> I'm confused here, has no one tried to winsync 2000+ users before?
>
> Are there any docs on working around this limit?
>
> I've upped the user to 2 but that seems to have had no effect... my AD ppl 
> don't know of any other way to increase that at present.

According to our gurus:

The limit is in AD, which has a sizelimit of 2000 by default.  There are
two ways around this:
1) Go into AD and set the sizelimit for the sync user to be greater than
the number of entries.
2) Have DS winsync use simple paged results - this is a code change on
our side and we are tracking it for one of the upcoming releases
https://fedorahosted.org/389/ticket/472

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Tuesday, 25 September 2012 3:17 p.m.
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> Hi,
>
> I am trying to run this and getting search exceeded.
>
> ldapsearch -xLLL -D  -w  -h  -s sub -b 
> OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn > ad.dns.txt
>
> Looks like I have 5900 AD users but only 4300 are transferred to IPA... they 
> also lose their IPA groups, which is a bit of a bummer.
>
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Rich Megginson [rmegg...@redhat.com]
> Sent: Saturday, 22 September 2012 3:46 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] winsync agreement wipes IPA users
>
> On 09/21/2012 09:18 AM, Dmitri Pal wrote:
>> On 09/21/2012 11:07 AM, Rich Megginson wrote:
>>> On 09/21/2012 09:04 AM, Dmitri Pal wrote:
 On 09/21/2012 09:23 AM, Rich Megginson wrote:
> On 09/21/2012 05:21 AM, Martin Kosek wrote:
>> When using bare ldapsearch, you are hitting 389-ds limits - in your
>> case
>> nsslapd-sizelimit. This can be increased either globally or (this
>> seems as a
>> more secure solution) for a user you bind as:
>>
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html
>>
>>
> Steven, are you saying that winsync only pulled over 2000 out of 5700
> users from AD into IPA? If so, then that's a limit on the winsync user
> that must be increased in AD.
>
 Rich, it seems that it might make sense to file an RFE for the winsync
 to support paging control.
>>> AD supports the paging control?  And this allows you to get around the
>>> search limit?
>>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
>> The default is usually 2K BTW.
> https://fedorahosted.org/389/ticket/472
>> Martin
>>
>> On 09/21/2012 04:43 AM, Steven Jones wrote:
>>> Hi,
>>>
>>> It seems IPA has some sort of limit on searching; it will only show
>>> the first 2k of user entries?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ---
>>>
>>>
>>> *From:* Rich Megginson [rmegg...@redhat.com]
>>> *Sent:* Friday, 21 September 2012 11:38 a.m.
>>> *To:* Steven Jones
>>> *Cc:* freeipa-users@redhat.com
>>> *Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users
>>>
>>> On 09/20/2012 03:52 PM, Steven Jones wrote:
 Hi,

 I have imported users, but there are 5700 of them but I only have
 2000 which
 corresponds to the view that AD gives you by default.  This makes
 me think
 that that limit is all the AD is allowing the query to see?
>>> You can use
>>> https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
>>> what winsync sees when it searches.
 Is there a way to expand it?

 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272

 ---


 *From:* freeipa-users-boun...@redhat.com
 [freeipa-users-boun...@redhat.com]
 on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
 *Sent:* Friday, 21 September 2012 8:44 a.m.
 *Cc:* freeipa-users@re
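
Dmitri's two workarounds above rest on how an LDAP server-side size limit interacts with an ordinary search versus the RFC 2696 simple paged results control. The following simulation is an added example for this thread, not code from 389-ds, FreeIPA or Active Directory: the directory, its 2000-entry limit, the 5900 constructed user DNs and the offset-style cookie are all made up here to show why an unpaged search truncates (the client sees resultCode 4, sizeLimitExceeded), why a paged loop retrieves everything, and why a sync should refuse to treat a truncated answer as the complete user list.

```python
"""Simulation (constructed for this thread, not code from 389-ds, FreeIPA or
AD) of how a server-side LDAP size limit truncates an unpaged search and how
the RFC 2696 simple paged results control walks past it page by page."""

from dataclasses import dataclass
from typing import List, Optional

SUCCESS = 0              # LDAP resultCode success
SIZE_LIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded (RFC 4511)


@dataclass
class SearchResult:
    entries: List[str]
    result_code: int
    cookie: bytes = b""  # RFC 2696: an empty cookie means the last page was sent


class SizeLimitedDirectory:
    """Toy directory whose administrative size limit caps what one search
    operation returns. Set to 2000 below to match the AD default named in
    the thread; real servers apply their limit with their own rules."""

    def __init__(self, entries: List[str], size_limit: int):
        self.entries = list(entries)
        self.size_limit = size_limit
        self.operations = 0  # number of search requests served

    def search(self, page_size: Optional[int] = None,
               cookie: bytes = b"") -> SearchResult:
        self.operations += 1
        if page_size is None:
            # Unpaged search: return at most size_limit entries and signal
            # the truncation with sizeLimitExceeded.
            if len(self.entries) > self.size_limit:
                return SearchResult(self.entries[: self.size_limit],
                                    SIZE_LIMIT_EXCEEDED)
            return SearchResult(self.entries, SUCCESS)
        # Paged search: the limit applies per page, so the page is capped to
        # it and the client continues from the position held in the cookie.
        # The cookie is opaque to the client; in this toy it is the offset.
        page_size = min(page_size, self.size_limit)
        start = int(cookie) if cookie else 0
        end = min(start + page_size, len(self.entries))
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return SearchResult(self.entries[start:end], SUCCESS, next_cookie)


def fetch_all_paged(directory: SizeLimitedDirectory,
                    page_size: int) -> List[str]:
    """Client side of RFC 2696: send (size, cookie), collect the page, resend
    with the returned cookie, stop when the cookie comes back empty."""
    collected: List[str] = []
    cookie = b""
    while True:
        res = directory.search(page_size=page_size, cookie=cookie)
        if res.result_code != SUCCESS:
            raise RuntimeError(f"paged search failed: resultCode {res.result_code}")
        collected.extend(res.entries)
        if not res.cookie:
            return collected
        cookie = res.cookie


def fetch_unpaged_complete(directory: SizeLimitedDirectory) -> Optional[List[str]]:
    """Unpaged search that refuses to hand back a truncated result set.
    A sync that treats a truncated answer as the authoritative user list
    would delete every user it never saw, which is the symptom in the
    thread; returning None lets the caller abort instead."""
    res = directory.search()
    if res.result_code == SIZE_LIMIT_EXCEEDED:
        return None
    return res.entries


def constructed_users(count: int) -> List[str]:
    """Constructed sample DNs; the OU and domain are placeholders."""
    return [f"CN=user{i:05d},OU=Staff,DC=example,DC=com" for i in range(count)]


if __name__ == "__main__":
    # Numbers from the thread: 5900 AD users behind a 2000-entry limit.
    ad = SizeLimitedDirectory(constructed_users(5900), size_limit=2000)
    truncated = ad.search()
    print(f"unpaged: {len(truncated.entries)} entries, resultCode {truncated.result_code}")
    print(f"guarded unpaged: {fetch_unpaged_complete(ad)}")
    everyone = fetch_all_paged(ad, page_size=1000)
    print(f"paged: {len(everyone)} entries after {ad.operations} search operations")
```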

Re: [Freeipa-users] NSMMReplicationPlugin - changelog program - cl5DBData2Entry: invalid data version

2012-09-25 Thread Dan Scott
Hi,

We've tried starting the service properly - the dirsrv process still
won't start properly:

[25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which
should be added before the CoS Definition.
[25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:02 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:29:03 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:03 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version
Replication is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication
Plugin is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster
Replication Plugin is not started
[25/Sep/2012:13:37:37 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:37:37 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:37:40 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which
should be added before the CoS Definition.
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:37:41 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:42 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:37:43 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:37:43 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:37:43 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:37:43 -0400] - Error: preoperation plugin IPA Version
Replication is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Legacy Replication
Plugin is not started
[25/Sep/2012:13:37:43 -0400] - Error: object plugin Multimaster
Replication Plugin is not started

We've been through Rich's suggested procedure to manually initialize
the consumer, but still get the message above.

Any ideas?

Thanks,

Dan


On Mon, Sep 24, 2012 at 10:26 AM, Alexander Bokovoy  wrote:
> On Mon, 24 Sep 2012, Ikaro Silva wrote:
>>
>> Hi Rich,
>>
>> Thanks for the help. We have tried  your suggestion below, however the
>> problem still persists:
>>
>> systemctl status dirsrv.service
>
> There is no dirsrv.service. dirsrv instances are arranged in the
> following setup:
>
> - there is dirsrv.target that is used to start and stop all instances at
>   the same time
>
> - there are dirsrv@INSTANCE-NAME.service services for specific instances
>   where INSTANCE-NAME is REALM with dots replaced by -.
>
> IPA currently operates on two dirsrv instances (PKI-CA and REALM). If you
> want to start/stop them all, use
>
> systemctl stop dirsrv.target
> systemctl start dirsrv.target
>
> For status you need to check specific instances.
>
> systemctl status dirsrv@.service
>
> # systemctl status dirsrv@IPA-LOCAL.service
> dirsrv@IPA-LOCAL.service - 389 Directory Server IPA-LOCAL.
>   Loaded: loaded (/lib/systemd/system/dirsrv@.service; enabled)
>   Active: active (running) since Mon, 24 Sep 2012 11:53:04 +0300; 5h
> 31min ago
>  Process: 684 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slap
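A small parser for the 389-ds error log pasted above, added here as an illustration (it is not FreeIPA or 389-ds code). It folds the mail-wrapped continuation lines back into one record each, counts startup attempts, disorderly shutdowns and changelog failures, and lists the plugins that did not start; the sample text is the first startup sequence copied from Dan's message. The realm-to-instance mapping follows Alexander's note (dots become dashes); the error log path /var/log/dirsrv/slapd-<INSTANCE>/errors is the usual 389-ds location and is an assumption here, not something the thread states.

```python
"""Summarize failed 389 Directory Server startups from its error log.

Added illustration, not 389-ds or FreeIPA code. Assumed (not from the thread):
the error log lives at /var/log/dirsrv/slapd-<INSTANCE>/errors, and a log
line that does not start with "[" is the wrapped tail of the previous record.
"""
import re
import sys
from dataclasses import dataclass

# "[25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up"
# "[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program"
RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<component>\S+) )?- (?P<msg>.*)$")
NOT_STARTED = re.compile(r"Error: \w+ plugin (.+?) is not started")

# First startup sequence copied from Dan's message above (mail-wrapped as posted).
SAMPLE_LOG = """\
[25/Sep/2012:13:28:10 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:10 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:42 -0400] - 389-Directory/1.2.10.14 B2012.201.358 starting up
[25/Sep/2012:13:28:42 -0400] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[25/Sep/2012:13:28:48 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=ecg,dc=mit,dc=edu--no CoS Templates found, which
should be added before the CoS Definition.
[25/Sep/2012:13:29:01 -0400] NSMMReplicationPlugin - changelog program
- cl5DBData2Entry: invalid data version
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- cl5Open: failed to open changelog
[25/Sep/2012:13:29:02 -0400] NSMMReplicationPlugin - changelog program
- changelog5_init: failed to start changelog at
/var/lib/dirsrv/slapd-ECG-MIT-EDU/cldb
[25/Sep/2012:13:29:02 -0400] - Failed to start object plugin
Multimaster Replication Plugin
[25/Sep/2012:13:29:03 -0400] - Error: Failed to resolve plugin dependencies
[25/Sep/2012:13:29:03 -0400] - Error: preoperation plugin IPA Version
Replication is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Legacy Replication
Plugin is not started
[25/Sep/2012:13:29:03 -0400] - Error: object plugin Multimaster
Replication Plugin is not started
"""


@dataclass
class Record:
    timestamp: str
    component: str  # "" for core server messages
    message: str


def instance_name(realm: str) -> str:
    """Realm to dirsrv instance name as Alexander describes: dots become dashes."""
    return realm.upper().replace(".", "-")


def error_log_path(realm: str) -> str:
    """Conventional 389-ds error log location (assumed path, see lead-in)."""
    return f"/var/log/dirsrv/slapd-{instance_name(realm)}/errors"


def parse_error_log(text: str) -> list:
    """Turn raw log text into Records, folding wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            records.append(Record(m["ts"], m["component"] or "", m["msg"]))
        elif records:
            records[-1].message += " " + line  # wrapped tail of the previous record
    return records


def summarize_startup(records: list) -> dict:
    """Count the symptoms an operator wants to see at a glance."""
    summary = {"startups": 0, "disorderly_shutdowns": 0,
               "changelog_failures": 0, "plugins_not_started": set()}
    for rec in records:
        if "starting up" in rec.message:
            summary["startups"] += 1
        if "Detected Disorderly Shutdown" in rec.message:
            summary["disorderly_shutdowns"] += 1
        if "failed to open changelog" in rec.message:
            summary["changelog_failures"] += 1
        m = NOT_STARTED.search(rec.message)
        if m:
            summary["plugins_not_started"].add(m.group(1))
    summary["plugins_not_started"] = sorted(summary["plugins_not_started"])
    return summary


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(summarize_startup(parse_error_log(text)))
```

Run it with the error log of the affected instance as the only argument (for the realm in the log that would be the file error_log_path("ecg.mit.edu") returns); with no argument it summarizes the sample above. Repeated "starting up" lines without a clean shutdown in between are the quickest sign that the service is crash-looping rather than merely slow to start.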

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-25 Thread Rich Megginson

On 09/24/2012 09:49 PM, Steven Jones wrote:

Hi,

I'm confused here, has no one tried to winsync 2000+ users before?


You are the first one to run into this problem.



Are there any docs on working around this limit?


In AD?



I've upped the user to 2


How?  What exactly did you do?


but that seems to have had no effect... my AD ppl don't know of any other way to 
increase that at present.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 25 September 2012 3:17 p.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

Hi,

I am trying to run this and getting search exceeded.

ldapsearch -xLLL -D  -w  -h  -s sub -b 
OU=VUW_Staff,DC=staff,DC=vuw,DC=ac,DC=nz "cn=*" dn>  ad.dns.txt

Looks like I have 5900 AD users but only 4300 are transferred to IPA... they 
also lose their IPA groups which is a bit of a bummer.

:(

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rich Megginson [rmegg...@redhat.com]
Sent: Saturday, 22 September 2012 3:46 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/21/2012 09:18 AM, Dmitri Pal wrote:

On 09/21/2012 11:07 AM, Rich Megginson wrote:

On 09/21/2012 09:04 AM, Dmitri Pal wrote:

On 09/21/2012 09:23 AM, Rich Megginson wrote:

On 09/21/2012 05:21 AM, Martin Kosek wrote:

When using bare ldapsearch, you are hitting 389-ds limits - in your case
nsslapd-sizelimit. This can be increased either globally or (this seems
a more secure solution) for a user you bind as:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html



Steven, are you saying that winsync only pulled over 2000 out of 5700
users from AD into IPA? If so, then that's a limit on the winsync user
that must be increased in AD.


Rich, it seems that it might make sense to file an RFE for the winsync
to support paging control.

AD supports the paging control?  And this allows you to get around the
search limit?


http://msdn.microsoft.com/en-us/library/windows/desktop/aa367011%28v=vs.85%29.aspx
The default is usually 2K BTW.

https://fedorahosted.org/389/ticket/472

Martin

On 09/21/2012 04:43 AM, Steven Jones wrote:

Hi,

It seems IPA has some sort of limit on searching, it will only show
the first 2k of user entries?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

---


*From:* Rich Megginson [rmegg...@redhat.com]
*Sent:* Friday, 21 September 2012 11:38 a.m.
*To:* Steven Jones
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

On 09/20/2012 03:52 PM, Steven Jones wrote:

Hi,

I have imported users, but there are 5700 of them but I only have
2000 which
corresponds to the view that AD gives you by default.  This makes
me think
that that limit is all the AD is allowing the query to see?

You can use
https://github.com/richm/scripts/blob/master/dirsyncctrl.py to test
what winsync sees when it searches.

Is there a way to expand it?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

---


*From:* freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com]
on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
*Sent:* Friday, 21 September 2012 8:44 a.m.
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] winsync agreement wipes IPA users

I have hundreds of disabled users in IPA now transferred from AD, is
there a
quick/clean way to purge them from IPA?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

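To make concrete why a paged search gets past a size limit while a plain ldapsearch reports it as exceeded (the question Rich raises above), here is an added, self-contained example that is not winsync, 389-ds or AD code: an in-memory directory of 5700 entries with a 2000-entry limit, numbers taken from the thread, and a client that pages through it with the RFC 2696 control value (a SEQUENCE of INTEGER size and OCTET STRING cookie under OID 1.2.840.113556.1.4.319). The directory class, its cookie scheme and the per-page cap are constructed for the demonstration.

```python
"""Why a paged search gets past a per-search size limit.

Added example for the thread above; it is not winsync, 389-ds or AD code. The
directory, its entries, the cookie scheme and the 2000-entry limit are all
constructed in memory; only the control value layout follows RFC 2696.
"""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control type, RFC 2696


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_paged_control(size: int, cookie: bytes) -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    size_bytes = size.to_bytes((size.bit_length() + 8) // 8, "big", signed=True)
    body = b"\x02" + _ber_len(len(size_bytes)) + size_bytes
    body += b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body


def decode_paged_control(value: bytes):
    """Inverse of encode_paged_control; rejects anything but the expected tags."""
    tag, body, _ = _read_tlv(value, 0)
    tag_i, size_bytes, pos = _read_tlv(body, 0)
    tag_c, cookie, _ = _read_tlv(body, pos)
    if (tag, tag_i, tag_c) != (0x30, 0x02, 0x04):
        raise ValueError("malformed paged results control value")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


class SizeLimitExceeded(Exception):
    """Stands in for LDAP resultCode 4; args[0] holds the entries sent so far."""


class FakeDirectory:
    """In-memory stand-in for AD or 389-ds enforcing a per-search size limit."""

    def __init__(self, entries, size_limit):
        self.entries, self.size_limit, self._cursors = list(entries), size_limit, {}

    def search(self, paged_control=None):
        """Return (entries, response control). An unpaged search stops at the
        limit, which is what Steven's ldapsearch reported as 'search exceeded'."""
        if paged_control is None:
            if len(self.entries) > self.size_limit:
                raise SizeLimitExceeded(self.entries[:self.size_limit])
            return list(self.entries), None
        page_size, cookie = decode_paged_control(paged_control)
        page_size = min(page_size, self.size_limit)  # a page never exceeds the limit
        if cookie and cookie not in self._cursors:
            raise ValueError("unknown or already-used paging cookie")
        start = self._cursors.pop(cookie) if cookie else 0
        page = self.entries[start:start + page_size]
        end = start + len(page)
        next_cookie = b""  # empty cookie means: no more pages
        if end < len(self.entries):
            next_cookie = end.to_bytes(4, "big")
            self._cursors[next_cookie] = end
        return page, encode_paged_control(0, next_cookie)


def paged_search(directory, page_size):
    """RFC 2696 client loop: resend with the returned cookie until it is empty."""
    results, cookie, pages = [], b"", 0
    while True:
        page, control = directory.search(encode_paged_control(page_size, cookie))
        results.extend(page)
        pages += 1
        _, cookie = decode_paged_control(control)
        if not cookie:
            return results, pages


def demo(total=5700, size_limit=2000, page_size=500):
    """Numbers from the thread: 5700 AD users and a 2000-entry limit (constructed)."""
    users = [f"cn=user{i:05d},ou=staff,dc=example,dc=test" for i in range(total)]
    directory = FakeDirectory(users, size_limit)
    try:
        unpaged = len(directory.search()[0])
    except SizeLimitExceeded as exc:
        unpaged = len(exc.args[0])
    paged, pages = paged_search(directory, page_size)
    return {"unpaged_entries": unpaged, "paged_entries": len(paged),
            "pages": pages, "complete": paged == users}


if __name__ == "__main__":
    print(demo())
```

The unpaged search returns only the first 2000 entries and an error, exactly the symptom of a sync that silently stops short; the paged client receives every entry in pages no larger than the limit. The limit still applies per page, so paging does not let a client pull more per request than the server allows, which is why it is the server's preferred way to hand out large result sets.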

Re: [Freeipa-users] Easy deployment

2012-09-25 Thread Rob Crittenden

Dmitri Pal wrote:

On 09/24/2012 06:17 PM, James James wrote:

Hi guys,

we are planning to install 150 freeipa clients and I was wondering if
there is a way to easily install (from kickstart) nfsv4 client.

I can add a host with

# ipa host-add --password=secret


This was exactly intended for the bulk provisioning.

The idea was that you execute this command and then have kickstart files
seeded or parameterized with this password, so you either have 150
kickstart files that differ in the password value fanned out, or you have
one kickstart file and the password is passed as a parameter.

This was the vision. It definitely requires some collaboration with tools
like Satellite, Cobbler, Foreman, etc. We have not tried it ourselves but
hope that those projects would be able to use parameterized or seeded
kickstart files.


I'm having a hard time following what you are trying to do.

Are you not enrolling the host using ipa-client-install? Or are you just 
adding the host and manually getting the keytab?


The password option on a host is specifically to do kickstart 
enrollment. The idea is you pass it into the ipa-client-install script 
and the host enrolls itself.


rob

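The seeded-kickstart enrollment Dmitri and Rob describe, written out as an added example (not FreeIPA's own tooling): one fresh enrollment password per host, the matching ipa host-add command for the server side, and a kickstart %post that runs ipa-client-install with that password. The host names, the %post template and its log path are constructed; --password, --unattended and --hostname are ipa-client-install's own options.

```python
"""Seeded kickstart files for bulk FreeIPA client enrollment.

Added example for the messages above; it is not FreeIPA's own tooling. The host
names, the %post template and the log path are constructed here. The options
used are ipa host-add --password (from the thread) and ipa-client-install
--password / --unattended / --hostname (the client installer's own options).
"""
import secrets
import shlex
import sys

KICKSTART_POST = """\
%post --log=/root/ipa-enroll.log
# Enroll with the one-time password that ipa host-add set for this host.
/usr/sbin/ipa-client-install --unattended --hostname={hostname} --password={otp}
%end
"""


def new_enrollment_password(nbytes: int = 24) -> str:
    """A fresh, unguessable password per host instead of one shared 'secret'."""
    return secrets.token_urlsafe(nbytes)


def provisioning_plan(hostnames):
    """Return {hostname: (server-side ipa host-add command, kickstart %post text)}.

    The command runs once on an IPA server; the %post goes into that host's
    kickstart, so the 150 files differ only in hostname and password."""
    plan = {}
    for host in hostnames:
        otp = new_enrollment_password()
        host_q, otp_q = shlex.quote(host), shlex.quote(otp)
        add_cmd = f"ipa host-add {host_q} --password={otp_q}"
        plan[host] = (add_cmd, KICKSTART_POST.format(hostname=host_q, otp=otp_q))
    return plan


def otps_are_unique(plan) -> bool:
    """Check before fanning out: no two hosts may share an enrollment password."""
    otps = [cmd.rsplit("--password=", 1)[1] for cmd, _ in plan.values()]
    return len(set(otps)) == len(otps)


if __name__ == "__main__":
    hosts = sys.argv[1:] or ["ws01.example.test", "ws02.example.test"]
    for host, (add_cmd, post) in provisioning_plan(hosts).items():
        print(f"# on the IPA server:\n{add_cmd}\n# in {host}.ks:\n{post}")
```

Generating the password on the provisioning side rather than reusing one literal keeps a leaked kickstart from enrolling anything but the host it was written for, and the host-add step gives the server a record of which hosts are expected to appear.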


Re: [Freeipa-users] Easy deployment

2012-09-25 Thread Christian Horn
Hi,

On Tue, Sep 25, 2012 at 12:17:47AM +0200, James James wrote:
> 
> we are planning to install 150 freeipa clients and I was wondering if there
> is a way to easily install (from kickstart) nfsv4 client.
> 
> I can add a host with
> 
> # ipa host-add --password=secret
> 
> But to get the keytab (host and service), I have to log into the machine,
> launch kinit and get the keytab.

I am probably missing something... but what prevents you from getting the
keytab directly on a single system (which might be an IPA server itself)
and then delivering it to the client, e.g. using scp?

Christian
