Re: [Freeipa-users] Resynchronize Samba Password
On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> > Hello all,
> > we are running IPA on RHEL6.3 for quite some time. We are also using
> > IPA to provide the LDAP backend for our samba configuration.
> > Normally everything is running quite ok. But from time to time some
> > people inform me that their samba password is not in sync with their
> > password in IPA. Mostly this is working but a few different people
> > are informing me about that.
> > So is there a way to resync the password to the ones in LDAP
> > (userPassword, sambaNTPassword)?
>
> We do not have code to do that now (although we have some code in 3.0
> that is capable of doing that so it is technically possible), but this
> shouldn't happen in the first place.
>
> Do you have any information about how the password was changed by
> these users ?

They are changing their passwords via ssh, sssd (kpasswd underneath) or
directly over kpasswd.

BTW: What would be the recommended way to re-change their password
afterwards again?

> Are you allowing samba to change the password ?

Probably (ldap passwd sync=Yes). Up to now I recommended to use ssh/sssd
combination for passwd change to those users.

> If so are you using the option 'ldap sync only = Only' ?
> If you do not use this setting that is most likely the problem.
> If you do then it may be a bug in samba.

I'm using samba 3.5 (part of RHEL6) and there seems to be no option
ldap sync. The only relevant option I've set is ldap passwd sync = Yes.

> Have you given samba access for writing to the sambaNTPassword
> attribute ? (you shouldn't, samba should be allowed only to read).

Not that I know of.
How can I do this?

> Simo.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 | 85716 Unterschleissheim | www.atix.de | www.comoonics.org
Registration court: Amtsgericht Muenchen, registration number: HRB 168930, VAT ID: DE209485962 | Board: Marc Grimme, Mark Hlawatschek, Thomas Merz (chair) | Chairman of the supervisory board: Dr. Martin Buss

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
Hi:

I am using free-ipa 2.2 to manage LDAP/DNS for about a dozen CentOS 6.3 servers on a small network. I am having a problem where a user cannot log into a host even though ipa hbactest says that he is authorized. This user can log into other hosts where ipa hbactest says he is authorized.

Here is the problem in a nutshell:

# Works for host1
$ ssh user1@host1
user1@host1's password: top-secret
Last login ...
[user1@host1 ~] echo SUCCESS
SUCCESS

# Fails for host2
$ ssh user1@host2
Password: top-secret
Permission denied (publickey, gssapi-keyex, gssapi-with-mic, keyboard-interactive).

# hbactest
$ ipa hbactest --user=user1 --host=host1 --service=sshd
Access granted: True
output snipped

# hbactest
$ ipa hbactest --user=user1 --host=host2 --service=sshd
Access granted: True
output snipped

It seems that free-ipa thinks that everything is copacetic so there must be something different on the hosts. I looked at /etc/ssh/sshd.conf, /etc/nsswitch.conf and /etc/sssd/sssd.conf on both hosts but didn't see anything that looked out of whack. I also tried ssh -vvv but wasn't sure how to interpret the results. I am using an NFS automount /home setup so both are using the same ~/.ssh.

I am not sure how to debug this.

Do you know why the password prompt is different? That may be a clue.

Can you suggest some other things that I can try?

Any help would be greatly appreciated.

Thank you.

Regards,

Joe
Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
> I am not sure how to debug this.

I would start with attaching the relevant contents of /var/log/secure. Do they differ on the host that succeeds vs the one that fails?
Re: [Freeipa-users] Resynchronize Samba Password
On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> > > Hello all,
> > > we are running IPA on RHEL6.3 for quite some time. We are also using
> > > IPA to provide the LDAP backend for our samba configuration.
> > > Normally everything is running quite ok. But from time to time some
> > > people inform me that their samba password is not in sync with their
> > > password in IPA. Mostly this is working but a few different people
> > > are informing me about that.
> > > So is there a way to resync the password to the ones in LDAP
> > > (userPassword, sambaNTPassword)?
> >
> > We do not have code to do that now (although we have some code in 3.0
> > that is capable of doing that so it is technically possible), but this
> > shouldn't happen in the first place.
> >
> > Do you have any information about how the password was changed by
> > these users ?
>
> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> directly over kpasswd.
>
> BTW: What would be the recommended way to re-change their password
> afterwards again?

Those methods are fine.
Are you sure the affected users didn't change their password via their
Windows clients ? Are their clients joined to the samba domain ?

> > Are you allowing samba to change the password ?
>
> Probably (ldap passwd sync=Yes). Up to now I recommended to use ssh/sssd
> combination for passwd change to those users.
>
> > If so are you using the option 'ldap sync only = Only' ?
> > If you do not use this setting that is most likely the problem.
> > If you do then it may be a bug in samba.
>
> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> ldap sync. The only relevant option I've set is ldap passwd sync = Yes.

I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
and the 'only' option. It has been in samba for a long time (I think
since 3.0.x)

> > Have you given samba access for writing to the sambaNTPassword
> > attribute ? (you shouldn't, samba should be allowed only to read).
>
> Not that I know of.
> How can I do this?

You can do it with a custom user and custom ACIs.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others
On 10/11/2012 05:56 AM, Jakub Hrozek wrote:
> On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote:
> > I am not sure how to debug this.
>
> I would start with attaching the relevant contents of /var/log/secure.
> Do they differ on the host that succeeds vs the one that fails?

Maybe the host resolves itself to a different name than you expect/provide in the hbactest?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] Resynchronize Samba Password
On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> > On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > They are changing their passwords via ssh, sssd (kpasswd underneath) or
> > directly over kpasswd.
> >
> > BTW: What would be the recommended way to re-change their password
> > afterwards again?
>
> Those methods are fine.
> Are you sure the affected users didn't change their password via their
> Windows clients ? Are their clients joined to the samba domain ?

No they are integrated in the Kerberos Domain of IPA but not joined to
the samba domain.

> > Probably (ldap passwd sync=Yes). Up to now I recommended to use ssh/sssd
> > combination for passwd change to those users.
> > I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> > ldap sync. The only relevant option I've set is ldap passwd sync = Yes.
>
> I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> and the 'only' option. It has been in samba for a long time (I think
> since 3.0.x)

Ok. Sorry I'm using ldap passwd sync=Yes
Is that wrong?

> > Not that I know of.
> > How can I do this?
>
> You can do it with a custom user and custom ACIs.

Further testing. I have a user called tuser.

1. Reset the password:

ipaserver1 # ipa passwd tuser
New Password:
Enter New Password again to verify:
Changed password for tu...@cl.atix

2. Login to another server via ssh:

$ ssh tuser@methusalix2
tuser@methusalix2's password:
Password expired. Change your password now.
Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Permission denied, please try again.
tuser@methusalix2's password:
Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
-bash-4.1$

=> SSH login works (Kerberos PW is set).

3. Let's browse Samba:

$ smbclient -U tuser -L methusalix2
Enter tuser's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

Any ideas what's going wrong?

Thanks Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
ATIX Informationstechnologie und Consulting AG
Re: [Freeipa-users] Resynchronize Samba Password
On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> > > On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > > They are changing their passwords via ssh, sssd (kpasswd underneath)
> > > or directly over kpasswd.
> > >
> > > BTW: What would be the recommended way to re-change their password
> > > afterwards again?
> >
> > Those methods are fine.
> > Are you sure the affected users didn't change their password via
> > their Windows clients ? Are their clients joined to the samba domain ?
>
> No they are integrated in the Kerberos Domain of IPA but not joined to
> the samba domain.
>
> > > Probably (ldap passwd sync=Yes). Up to now I recommended to use
> > > ssh/sssd combination for passwd change to those users.
> > > I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> > > ldap sync. The only relevant option I've set is ldap passwd sync = Yes.
> >
> > I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> > and the 'only' option. It has been in samba for a long time (I think
> > since 3.0.x)
>
> Ok. Sorry I'm using ldap passwd sync=Yes
> Is that wrong?

Yes, you should use ldap passwd sync = only

> > > Not that I know of.
> > > How can I do this?
> >
> > You can do it with a custom user and custom ACIs.
>
> Further testing. I have a user called tuser.
>
> 1. Reset the password:
>
> ipaserver1 # ipa passwd tuser
> New Password:
> Enter New Password again to verify:
> Changed password for tu...@cl.atix
>
> 2. Login to another server via ssh:
>
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Password expired. Change your password now.
> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Permission denied, please try again.
> tuser@methusalix2's password:
> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> -bash-4.1$
>
> => SSH login works (Kerberos PW is set).
>
> 3. Let's browse Samba:
>
> $ smbclient -U tuser -L methusalix2
> Enter tuser's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>
> Any ideas what's going wrong?

Uhmm seems one of the samba attributes has not been properly changed ...
This is IPA on RHEL6.3 ?
Can you check if the user has the attribute sambaPwdMustChange set ?
Apparently the IPA password plugin does not touch it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
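The two settings Simo asks about in this thread ('ldap passwd sync = only' and samba having read-only, not write, access to the hash attributes), as an added audit example that is not part of the thread. The smb.conf fragments, the ACI strings and the samba bind DN uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com are constructed.

```python
# Added example, not from the thread: audit the two things Simo asked
# about.  The smb.conf fragments, the ACI strings and the samba bind DN
# (uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com) are constructed.
import configparser
import re

SAMBA_HASH_ATTRS = {"sambantpassword", "sambalmpassword"}

# Constructed smb.conf with the setting the thread identifies as the problem:
# with "yes" samba rewrites the NT/LM hashes itself on a password change.
SMB_CONF_WEAK = """
[global]
workgroup = EXAMPLE
passdb backend = ldapsam:ldap://ipa.example.com
ldap passwd sync = Yes
"""

# Same fragment with the value Simo recommends: samba only sends the LDAP
# password change and leaves the hash attributes to the directory.
SMB_CONF_FIXED = SMB_CONF_WEAK.replace("ldap passwd sync = Yes",
                                       "ldap passwd sync = only")


def check_passwd_sync(smb_conf_text):
    """Return findings for 'ldap passwd sync' (empty list means it is 'only')."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(smb_conf_text)
    value = cfg.get("global", "ldap passwd sync", fallback="no").strip()
    if value.lower() != "only":
        return ["ldap passwd sync = %s; expected 'only' with an IPA backend" % value]
    return []


# Constructed 389-ds ACIs: the first grants the samba bind user write on the
# hash attributes (what samba should not have), the second read-only access.
ACI_WEAK = ('(targetattr = "sambaNTPassword || sambaLMPassword")'
            '(version 3.0; acl "samba hashes"; '
            'allow (read, search, compare, write) '
            'userdn = "ldap:///uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com";)')
ACI_FIXED = ACI_WEAK.replace(", write", "")


def aci_allows_hash_write(aci):
    """True if a 389-ds ACI grants write (or all) on a samba hash attribute.

    Only the 'allow' clause and the targetattr list are inspected; the bind
    rule (userdn/groupdn) is reported by audit() so the reader can decide
    whether the grantee is the samba account.
    """
    m_attr = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci, re.IGNORECASE)
    m_rights = re.search(r'allow\s*\(([^)]*)\)', aci, re.IGNORECASE)
    if not m_rights:
        return False
    rights = {r.strip().lower() for r in m_rights.group(1).split(",")}
    if not rights & {"write", "all"}:
        return False
    if not m_attr:
        # No targetattr: which attributes such an ACI covers depends on the
        # server version, so flag it conservatively.
        return True
    attrs = {a.strip().lower() for a in m_attr.group(2).split("||")}
    if m_attr.group(1) == "!=":          # everything except the listed attrs
        return not (attrs & SAMBA_HASH_ATTRS)
    return "*" in attrs or bool(attrs & SAMBA_HASH_ATTRS)


def audit(smb_conf_text, acis):
    """Combine both checks; returns a list of human-readable findings."""
    findings = check_passwd_sync(smb_conf_text)
    for aci in acis:
        if aci_allows_hash_write(aci):
            name = re.search(r'acl\s*"([^"]*)"', aci)
            who = re.search(r'(userdn|groupdn)\s*=\s*"([^"]*)"', aci, re.IGNORECASE)
            findings.append('ACI "%s" grants write on samba hash attributes to %s'
                            % (name.group(1) if name else "?",
                               who.group(2) if who else "?"))
    return findings


if __name__ == "__main__":
    for label, conf, acis in (("weak", SMB_CONF_WEAK, [ACI_WEAK]),
                              ("fixed", SMB_CONF_FIXED, [ACI_FIXED])):
        print(label, audit(conf, acis) or "no findings")
```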
[Freeipa-users] Cleaning a host that is both present and not found
I've got a host that's showing as both there and not there. I've checked both the gui and cli, and here's the result.

---
[root@ops01 ~]# ipa host-find mdb09.ayisnap.com
-- 1 host matched --
Host name: mdb09.ayisnap.com
Principal name: host/mdb09.ayisnap@ayisnap.com
Password: False
Keytab: False
Managed by: mdb09.ayisnap.com
Number of entries returned 1

[root@ops01 ~]# ipa host-del mdb09.ayisnap.com
ipa: ERROR: mdb09.ayisnap.com: host not found
---

I suspect it's only existing in some of the LDAP tables, but I can't tell enough about the structure to delete it from IPA, and then we can just re-add it.

Anyone have any suggestions on what to do to clean this up?

Matthew Barr
Technical Architect
E: mb...@snap-interactive.com
AIM: matthewbarr1
c: (646) 727-0535
Re: [Freeipa-users] Cleaning a host that is both present and not found
On 10/11/2012 10:29 AM, Matthew Barr wrote:
> I've got a host that's showing as both there and not there. I've checked both the gui and cli, and here's the result.
>
> ---
> [root@ops01 ~]# ipa host-find mdb09.ayisnap.com
> -- 1 host matched --
> Host name: mdb09.ayisnap.com
> Principal name: host/mdb09.ayisnap@ayisnap.com
> Password: False
> Keytab: False
> Managed by: mdb09.ayisnap.com
> Number of entries returned 1
>
> [root@ops01 ~]# ipa host-del mdb09.ayisnap.com
> ipa: ERROR: mdb09.ayisnap.com: host not found
> ---
>
> I suspect it's only existing in some of the LDAP tables, but I can't tell enough about the structure to delete it from IPA, and then we can just re-add it.
>
> Anyone have any suggestions on what to do to clean this up?

rpm -q 389-ds-base

ldapsearch -xLLL -D "cn=directory manager" -W fqdn=mdb09.ayisnap.com
Re: [Freeipa-users] Cleaning a host that is both present and not found
> > I suspect it's only existing in some of the LDAP tables, but I can't tell enough about the structure to delete it from IPA, and then we can just re-add it.
> >
> > Anyone have any suggestions on what to do to clean this up?
>
> rpm -q 389-ds-base
>
> ldapsearch -xLLL -D "cn=directory manager" -W fqdn=mdb09.ayisnap.com

I was actually able to find a decent ldap browser, which was able to show me what was going on. There was a record under accounts,computers that was named oddly, which had the internal attributes of mdb09. I deleted that, and it fixed the issue.

Exactly what you recommended, but I didn't have the cli ldap skills :)

Thanks!
Re: [Freeipa-users] Cleaning a host that is both present and not found
Hi,

Looks like I have this at present as well. The advice off RH support is to run an ldapdelete but I'm waiting on the complete syntax off them and why it's happened. Meantime I have 2 machines in this state, no one can login. :/

So what they have said is,

==
Hello Steven,

I am still going through all the data available in this case, but it looks like you should be able to fix this problem by deleting the following two entries using ldapdelete:

dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz

dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
==

case number is 00716456, if you have RH support maybe link it? so if it's a clear bug it gets addressed.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Cleaning a host that is both present and not found
Hi,

My outputs are (RHEL6.3 64bit),

[root@vuwunicoipam001 etc]# rpm -q 389-ds-base
389-ds-base-1.2.10.2-18.el6_3.x86_64
[root@vuwunicoipam001 etc]#

==
ipa host-del --updatedns vuwunicosldedt1.ods.vuw.ac.nz
ipa: ERROR: vuwunicosldedt1.ods.vuw.ac.nz: host not found

[root@vuwunicoipam001 sssd]# ldapsearch -LL -Y GSSAPI -b dc=ods,dc=vuw,dc=ac,dc=nz | grep sld
SASL/GSSAPI authentication started
SASL username: ipajones...@ods.vuw.ac.nz
SASL SSF: 56
SASL data security layer installed.
dn: cn=ug-slde-admins,cn=groups,cn=compat,dc=ods,dc=vuw,dc=ac,dc=nz
cn: ug-slde-admins
dn: cn=hg-slde-admins,cn=ng,cn=compat,dc=ods,dc=vuw,dc=ac,dc=nz
nisNetgroupTriple: (vuwunicosldedt2.ods.vuw.ac.nz,-,ods.vuw.ac.nz)
cn: hg-slde-admins
sudoUser: %ug-slde-admins
sudoHost: vuwunicosldedt2.ods.vuw.ac.nz
memberOf: cn=ug-slde-admins,cn=groups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
memberUser: cn=ug-slde-admins,cn=groups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
memberOf: cn=ug-slde-admins,cn=groups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
memberOf: cn=hg-slde-admins,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=n
memberOf: cn=hg-slde-admins,cn=ng,cn=alt,dc=ods,dc=vuw,dc=ac,dc=nz
cn: vuwunicosldedt2.ods.vuw.ac.nz
fqdn: vuwunicosldedt2.ods.vuw.ac.nz
managedBy: fqdn=vuwunicosldedt2.ods.vuw.ac.nz,cn=computers,cn=accounts,dc=ods,
krbPrincipalName: host/vuwunicosldedt2.ods.vuw.ac...@ods.vuw.ac.nz
serverHostName: vuwunicosldedt2
dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac
idnsName: vuwunicosldedt2
dn: cn=hg-slde-admins,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
memberOf: cn=hg-slde-admins,cn=ng,cn=alt,dc=ods,dc=vuw,dc=ac,dc=nz
mepManagedEntry: cn=hg-slde-admins,cn=ng,cn=alt,dc=ods,dc=vuw,dc=ac,dc=nz
cn: hg-slde-admins
dn: cn=hg-slde-admins,cn=ng,cn=alt,dc=ods,dc=vuw,dc=ac,dc=nz
cn: hg-slde-admins
memberHost: cn=hg-slde-admins,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc
description: ipaNetgroup hg-slde-admins
mepManagedBy: cn=hg-slde-admins,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,
dn: cn=ug-slde-admins,cn=groups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
cn: ug-slde-admins
description: ug-slde-admins
memberHost: cn=hg-slde-admins,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc
memberUser: cn=ug-slde-admins,cn=groups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
cn: hb-slde-admins
cn: vuwunicosldedt1.ods.vuw.ac.nz
fqdn: vuwunicosldedt1.ods.vuw.ac.nz
managedBy: fqdn=vuwunicosldedt1.ods.vuw.ac.nz,cn=computers,cn=accounts,dc=ods,
krbPrincipalName: host/vuwunicosldedt1.ods.vuw.ac...@ods.vuw.ac.nz
serverHostName: vuwunicosldedt1
[root@vuwunicoipam001 sssd]# ipa host-del --updatedns vuwunicosldedt2.ods.vuw.ac.nz
ipa: ERROR: vuwunicosldedt2.ods.vuw.ac.nz: host not found
[root@vuwunicoipam001 sssd]#
==

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Cleaning a host that is both present and not found
On Oct 11, 2012, at 3:50 PM, Steven Jones <steven.jo...@vuw.ac.nz> wrote:
> Hi,
>
> Looks like I have this at present as well. The advice off RH support is to run an ldapdelete but I'm waiting on the complete syntax off them and why it's happened. Meantime I have 2 machines in this state, no one can login. :/
>
> So what they have said is,
>
> ==
> Hello Steven,
>
> I am still going through all the data available in this case, but it looks like you should be able to fix this problem by deleting the following two entries using ldapdelete:
>
> dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
>
> dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> ==

ldapdelete would have worked, but I ended up using jxplorer to do it. Much easier for me at the time :)

(I'm on a VPN link into the DC, and had access to the ldap port directly, so I could do that. Their advice does look correct, though, and matches where I found the problem.)

Matthew
Re: [Freeipa-users] Cleaning a host that is both present and not found
Steven Jones wrote:
> Hi,
>
> Looks like I have this at present as well. The advice off RH support is to run an ldapdelete but I'm waiting on the complete syntax off them and why it's happened. Meantime I have 2 machines in this state, no one can login. :/
>
> So what they have said is,
>
> ==
> Hello Steven,
>
> I am still going through all the data available in this case, but it looks like you should be able to fix this problem by deleting the following two entries using ldapdelete:
>
> dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
>
> dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> ==
>
> case number is 00716456, if you have RH support maybe link it? so if it's a clear bug it gets addressed.

The second entry he suggests deleting is your DNS entry, that does not need to be touched.

This looks like a replication conflict. The same host must have been created on two separate masters while replication was down. This will result in the nsuniqueid entry.

You need to manually resolve the differences between the two but as of yet IPA doesn't provide any tools to help manage this process. Basically you'll want to merge any values from the entry whose dn is nsuniqueid=...,cn=computers to the equivalent fqdn=...,cn=computers entry. This is if you want to preserve any existing keytabs, certificates, etc. It may be fine to just remove both entries and start over. Note that you need to be careful not to orphan any service entries that may be associated with the host.

You'll want to base your searches on cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz to get only the matching host(s).

The delete is failing because we expect only one host to be found but two are so we throw our hands up. A better error message would make this clearer. If you look in the Apache error log you may see it returns SingleMatchExpected.

rob
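The merge step Rob describes (copy values from the nsuniqueid=... conflict entry to the fqdn=... entry before deleting the former), as an added example that is not part of the thread: a small Python script that parses an LDIF export of cn=computers,cn=accounts, pairs each conflict entry with the surviving host entry of the same fqdn, and lists the values present only on the conflict entry. The LDIF is constructed; the dc=example,dc=com suffix, the nsuniqueid value and all attribute values are placeholders, and the `nsuniqueid=...+fqdn=...` RDN form is the usual 389-ds conflict naming, detected here only by the `nsuniqueid=` prefix.

```python
# Added example, not from the thread: pair 389-ds replication-conflict
# entries (dn starting with nsuniqueid=) with the surviving fqdn= host entry
# and list what only the conflict entry carries.  The LDIF below is
# constructed: the dc=example,dc=com suffix, the nsuniqueid value and all
# attribute values are placeholders.
import base64
from collections import defaultdict

SAMPLE_LDIF = """\
dn: fqdn=mdb09.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: mdb09.example.com
krbPrincipalName: host/mdb09.example.com@EXAMPLE.COM
managedBy: fqdn=mdb09.example.com,cn=computers,cn=accounts,dc=example,dc=c
 om

dn: nsuniqueid=00000000-00000000-00000000-00000001+fqdn=mdb09.example.com,c
 n=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: mdb09.example.com
krbPrincipalName: host/mdb09.example.com@EXAMPLE.COM
nsds5ReplConflict: namingConflict fqdn=mdb09.example.com,cn=computers,cn=acc
 ounts,dc=example,dc=com
krbLastPwdChange: 20121011170000Z
usercertificate:: TUlJQ3BqQ0NBWTRD

dn: fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com
objectClass: ipahost
fqdn: web01.example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lowercase: [values]}).

    Handles the two things a directory export throws at you: folded lines
    (continuation lines start with a space) and base64 values ("attr:: ...").
    Base64 values that are not UTF-8 (DER certificates) are kept as
    "base64:<original>" so they can still be compared between entries.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # the extra "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            b64 = value[1:].strip()
            try:
                value = base64.b64decode(b64).decode("utf-8")
            except UnicodeDecodeError:
                value = "base64:" + b64
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def conflict_merge_plan(entries):
    """Map fqdn -> {survivor dn, conflict dn, values only on the conflict}.

    'missing' is what has to be copied to the fqdn= entry before the
    nsuniqueid= entry is deleted if keytab/certificate state is to survive.
    """
    by_fqdn = defaultdict(dict)
    for dn, attrs in entries:
        fqdn = attrs.get("fqdn", [""])[0].lower()
        if not fqdn:
            continue
        kind = "conflict" if dn.lower().startswith("nsuniqueid=") else "survivor"
        by_fqdn[fqdn][kind] = (dn, attrs)
    plan = {}
    for fqdn, pair in by_fqdn.items():
        if "conflict" not in pair:
            continue
        cdn, cattrs = pair["conflict"]
        sdn, sattrs = pair.get("survivor", (None, {}))
        missing = {}
        for attr, values in cattrs.items():
            if attr == "nsds5replconflict":   # conflict marker, never merged
                continue
            extra = [v for v in values if v not in sattrs.get(attr, [])]
            if extra:
                missing[attr] = extra
        plan[fqdn] = {"survivor": sdn, "conflict": cdn, "missing": missing}
    return plan


if __name__ == "__main__":
    for fqdn, info in conflict_merge_plan(parse_ldif(SAMPLE_LDIF)).items():
        print(fqdn)
        print("  keep:  ", info["survivor"])
        print("  delete:", info["conflict"])
        for attr, values in info["missing"].items():
            print("  copy first:", attr, values)
```

Hosts without a conflict entry (web01 in the sample) produce no plan entry; a conflict entry with no surviving fqdn= twin is reported with survivor None, in which case everything on it is listed as missing.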
Re: [Freeipa-users] Cleaning a host that is both present and not found
Hi,

yes I have xplorer, maybe I'll do it that way as I can't figure out the ldapdelete command...

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Cleaning a host that is both present and not found
The web ui is still failing :(

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, 12 October 2012 10:13 a.m.
To: Steven Jones
Cc: Matthew Barr; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Cleaning a host that is both present and not found

On 10/11/2012 03:07 PM, Steven Jones wrote:
> Hi,
>
> yes I have xplorer, maybe I'll do it that way as I can't figure out the ldapdelete command...

man ldapdelete

ldapdelete -x -D "cn=directory manager" -W idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz

or, to use your kerberos credentials

ldapdelete -Y GSSAPI idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
Re: [Freeipa-users] Cleaning a host that is both present and not found
On 10/11/2012 04:16 PM, Steven Jones wrote:
> Even after running,
>
> ==
> [root@vuwunicoipam002 ~]# kinit ipajonesst1
> Password for ipajones...@ods.vuw.ac.nz:
> [root@vuwunicoipam002 ~]# ldapdelete -Y GSSAPI idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> SASL/GSSAPI authentication started
> SASL username: ipajones...@ods.vuw.ac.nz
> SASL SSF: 56
> SASL data security layer installed.
> ldap_delete: No such object (32)
> matched DN: idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> [root@vuwunicoipam002 ~]# ldapdelete -Y GSSAPI idnsName=vuwunicosldedt1,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> SASL/GSSAPI authentication started
> SASL username: ipajones...@ods.vuw.ac.nz
> SASL SSF: 56
> SASL data security layer installed.
> ldap_delete: No such object (32)
> matched DN: idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> [root@vuwunicoipam002 ~]#
> ==

Ok, then I'm not sure why the RH support guy told you to delete an entry that doesn't exist.
Re: [Freeipa-users] Cleaning a host that is both present not found
On 10/11/2012 06:16 PM, Steven Jones wrote:

> Even after running,
>
> ==
> [root@vuwunicoipam002 ~]# kinit ipajonesst1
> Password for ipajones...@ods.vuw.ac.nz:
> [root@vuwunicoipam002 ~]# ldapdelete -Y GSSAPI idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> SASL/GSSAPI authentication started
> SASL username: ipajones...@ods.vuw.ac.nz
> SASL SSF: 56
> SASL data security layer installed.
> ldap_delete: No such object (32)
>         matched DN: idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> [root@vuwunicoipam002 ~]# ldapdelete -Y GSSAPI idnsName=vuwunicosldedt1,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> SASL/GSSAPI authentication started
> SASL username: ipajones...@ods.vuw.ac.nz
> SASL SSF: 56
> SASL data security layer installed.
> ldap_delete: No such object (32)
>         matched DN: idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> [root@vuwunicoipam002 ~]#
> ==

From the command line do a search for all entries in your environment and dump them into a file (may take a while). Then you can open the file and search for the vuwunicosldedt string and see what entries it can be found in. That will give a hint what is going on and what to do next.

> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
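Dmitri's suggestion (dump the whole tree, then search the file for the host string) as an added Python example; this is not code from the thread or from the FreeIPA project. It parses an LDIF dump the way `ldapsearch` writes it, unfolding lines wrapped at 76 columns and decoding `attr::` base64 values, so a reference to the host that sits across a fold or inside a base64-encoded value is not missed by a plain grep. The sample dump is constructed: only the DNs quoted in the thread are real, the `cn=dnsservers` hostgroup and its member are made up.

```python
"""Find every entry in an LDIF dump that mentions a host string, unfolding
wrapped lines and decoding base64 (`attr::`) values that a plain grep misses."""
import base64

# Constructed sample dump: a DN folded across two lines (ldapsearch wraps at
# 76 columns) and a base64 member value; only the DNs come from the thread.
_B64_MEMBER = base64.b64encode(
    b"fqdn=vuwunicosldedt1.ods.vuw.ac.nz,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz"
).decode()
SAMPLE_LDIF = f"""\
dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=
 ods,dc=vuw,dc=ac,dc=nz
objectClass: ipahost
fqdn: vuwunicosldedt2.ods.vuw.ac.nz

dn: idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
objectClass: idnszone
idnsName: ods.vuw.ac.nz

dn: cn=dnsservers,cn=hostgroups,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
member:: {_B64_MEMBER}
"""

def parse_ldif(text):
    """Entries as lists of (attribute, value) pairs, "dn" first. A leading
    space continues the previous line; "attr:: v" is base64-decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = [], []
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if attrs and attrs[0][0] == "dn":  # drops the ldapsearch trailer
                entries.append(attrs)
            attrs = []
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.append((name.strip(), value.strip()))
    return entries

def entries_mentioning(text, needle):
    """DNs of every entry whose DN or any value contains needle (case-insensitive)."""
    needle = needle.lower()
    return [dict(attrs)["dn"] for attrs in parse_ldif(text)
            if any(needle in v.lower() for _, v in attrs)]
```

Run it over `ldapsearch -Y GSSAPI -b dc=ods,dc=vuw,dc=ac,dc=nz` output saved to a file to get the DN of each entry that still references the host, including ones outside the DNS and computers containers.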