Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-12-11 Thread James Hogarth

 Hi, caching capabilities were not optimal in the tech preview, but it was
 fully functional (or at least should be, I don't think anyone really tried
 it in production), unless sssd is configured with multiple domains.





I looked at the 6.3 technical notes for  sudo, sssd and ipa but couldn't
see any reference to sudo support in IPA/SSSD natively (as opposed to LDAP
integration) ... the Identity Management guide still refers to the old
nslcd.conf file and not sudo-ldap.conf, never mind native integration...

Do you have any details on how to go about testing this?
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Dmitri Pal
On 12/11/2012 10:53 AM, Bret Wortman wrote:
 My replica install fails to create a DS instance:

 :
 [2/30]: creating directory server instance
 ipa  : CRITICAL failed to create ds instance Command
 '/usr/sbin/setup-ds.pl --silent --logfile - -f
 /tmp/tmpp80GFc' returned non-zero exit status 1
 [3/30]: adding default schema
 :
 :
 [21/30]: setting up initial replication
 Starting replication, please wait until this has completed.
 [ipa.damascusgrp.com] reports: Update
 failed! Status: [-2 - System error]
 creation of replica failed: Failed to start replication

 What could cause the DS setup to fail?

SELinux policy for example, disk being out of space, previous install of
DS that has not been properly cleaned, etc...

 And is the second error likely related as I believe it to be?

Yes.
Please look at the install logs, they might have more info about what is
going on and why DS install failed.


 -- 
 Bret Wortman
 The Damascus Group
 Fairfax, VA
 http://bretwortman.com/
 http://twitter.com/BretWortman





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-12-11 Thread Jakub Hrozek
On Tue, Dec 11, 2012 at 11:25:57AM -0500, Dmitri Pal wrote:
 The native integration in SSSD was a tech preview in 6.3 and was pretty
 much broken.

It wasn't a TP in 6.3 because the sudo 1.8 package wasn't in 6.3 at all.

It was rewritten after F-17, because its cache update mechanism was extremely
inefficient, but I wouldn't call it broken. The code worked, just slow.

 If you are interested in SSSD+SUDO integration please see SSSD 1.9
 It seems that the feature is not yet documented in the formal doc set.
 You can try sssd man pages.
 http://jhrozek.fedorapeople.org/sssd/1.9.3/man/sssd-sudo.5.html

There are still a couple of known bugs (see
https://fedorahosted.org/sssd/report/3 and search for sudo, for
instance), but in general the feature is working now.



Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Martin Kosek
On 12/11/2012 05:25 PM, Dmitri Pal wrote:
 On 12/11/2012 10:53 AM, Bret Wortman wrote:
 My replica install fails to create a DS instance:

 :
 [2/30]: creating directory server instance
 ipa  : CRITICAL failed to create ds instance Command
 '/usr/sbin/setup-ds.pl --silent --logfile - -f
 /tmp/tmpp80GFc' returned non-zero exit status 1
 [3/30]: adding default schema
 :
 :
 [21/30]: setting up initial replication
 Starting replication, please wait until this has completed.
 [ipa.damascusgrp.com] reports: Update failed!
 Status: [-2 - System error]
 creation of replica failed: Failed to start replication

 What could cause the DS setup to fail?
 
 SELinux policy for example, disk being out of space, previous install of DS
 that has not been properly cleaned, etc...
 
 And is the second error likely related as I believe it to be?

 Yes.
 Please look at the install logs, they might have more info about what is going
 on and why DS install failed.
 

I am not sure what version of IPA/DS you use, but if you are using Fedora 18,
you may need to update your SELinux version. There was a relevant fix to the
behavior you described. This is the most recent build available:

http://koji.fedoraproject.org/koji/buildinfo?buildID=372172

Martin



Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Bret Wortman
I'm working through them and may simply abandon the idea of automating the
replica install.


On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal d...@redhat.com wrote:

  On 12/11/2012 12:09 PM, Bret Wortman wrote:




 On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal d...@redhat.com wrote:

  On 12/11/2012 10:53 AM, Bret Wortman wrote:

 My replica install fails to create a DS instance:

  :
 [2/30]: creating directory server instance
 ipa  : CRITICAL failed to create ds instance Command '/usr/sbin/
 setup-ds.pl --silent --logfile - -f /tmp/tmpp80GFc' returned non-zero
 exit status 1
 [3/30]: adding default schema
 :
 :
 [21/30]: setting up initial replication
 Starting replication, please wait until this has completed.
 [ipa.damascusgrp.com] reports: Update failed! Status: [-2 - System error]
 creation of replica failed: Failed to start replication

  What could cause the DS setup to fail?


  SELinux policy for example, disk being out of space, previous install of
 DS that has not been properly cleaned, etc...



 Please reply to the list.



   getenforce returns Disabled, the root filesystem has 3G free, and
 this was a fresh kickstarted cobbler/puppet install. It is true that it was
 running as an IPA client prior to installation of the IPA server package,
 but I don't think that would have resulted in a piece of DS laying around,
 would it?


 It would not.



  The system is a virt-manager VM, in case that's related. I'm using
 IPA-2.2.0 on F17, though I'm trying to get 3.1.0 to build.



 Have you looked into the logs as I suggested?



  And is the second error likely related as I believe it to be?

   Yes.
 Please look at the install logs, they might have more info about what is
 going on and why DS install failed.


  --
 Bret Wortman
 The Damascus Group
 Fairfax, VA
 http://bretwortman.com/
 http://twitter.com/BretWortman






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ---
 Looking to carve out IT costs?www.redhat.com/carveoutcosts/










-- 
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman

Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Nalin Dahyabhai
On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:
 This appears to require dirsrv-1.3, which I assume is part of
 389-base-devel. I don't see where 1.3 has been made available yet, or am I
 missing something?

Hmm.  I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
little digging, I find tarballs for it after hitting the Developers page
and following the Source link to
http://directory.fedoraproject.org/wiki/Source

I guess we don't have a final 1.3.0 yet.

HTH,

Nalin



Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Rich Megginson

On 12/11/2012 12:21 PM, Nalin Dahyabhai wrote:

On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:

This appears to require dirsrv-1.3, which I assume is part of
389-base-devel. I don't see where 1.3 has been made available yet, or am I
missing something?

Hmm.  I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
little digging, I find tarballs for it after hitting the Developers page
and following the Source link to
http://directory.fedoraproject.org/wiki/Source

I guess we don't have a final 1.3.0 yet.


1.3.0.a1 has been tested extensively by the freeipa team - I don't think 
I would recommend using an alpha version in production, but it should be 
fine for testing/pilot deployments.




HTH,

Nalin



Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Steven Jones
Hi,

I had this recently and it drove me nuts... you might want to get advice from
more knowledgeable people than me on the process below to make sure it's sane/OK.

8<---
[21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[vuwunicoipam002.ods.vuw.ac.nz] reports: Update failed! Status: [-2 - System error]
creation of replica failed: Failed to start replication
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@vuwunicoipam001 replica]#

The --uninstall seems not to clean up and remove some data in the LDAP, and a
new machine fails to re-join. Something to do with tombstone references and I
suppose other junk (too deep and techy for me).

So, run ipa-server-install --uninstall twice or thrice.

Then look for ldap data on the problem replica (ipam001) server,

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=meTovuwunicoipam001.ods.vuw.ac.nz,cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: delete
EOF

I then did this and got all this cr*p...

8<---
[root@vuwunicoipam002 jonesst1]# ldapsearch -xLLL -D "cn=directory manager" -W \
  -b dc=ods,dc=vuw,dc=ac,dc=nz \
  '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' \
  | grep ipam001
nsds50ruv: {replica 33 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 31 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 30 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 29 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 28 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 27 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 26 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 25 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 24 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}

etc

etc

I then cleaned them out with,

ldapmodify -x -D "cn=directory manager" -W -f 0001-mod.ldif

more 0001-mod.ldif
dn: cn=replica,cn=dc\3Dods\2Cdc\3Dvuw\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV33

Rinse and repeat for 32, etc., through all of them.

At that point I could get the ipa-replica command to work fine.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Bret Wortman [bret.wort...@damascusgrp.com]
Sent: Wednesday, 12 December 2012 8:12 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-replica-install fails

I'm working through them and may simply abandon the idea of automating the 
replica install.


On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal 
d...@redhat.com wrote:
On 12/11/2012 12:09 PM, Bret Wortman wrote:



On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal 
d...@redhat.com wrote:
On 12/11/2012 10:53 AM, Bret Wortman wrote:
My replica install fails to create a DS instance:

:
[2/30]: creating directory server instance
ipa  : CRITICAL failed to create ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f 
/tmp/tmpp80GFc' returned non-zero exit status 1
[3/30]: adding default schema
:
:
[21/30]: setting up initial replication
Starting replication, please wait until this has completed.
[ipa.damascusgrp.com] reports: Update failed! 
Status: [-2 - System error]
creation of replica failed: Failed to start replication

What could cause the DS setup to fail?

SELinux policy for example, disk being out of space, previous install of DS 
that has not been properly cleaned, etc...


Please reply to the list.



getenforce returns Disabled, the root filesystem has 3G free, and this was a 
fresh kickstarted cobbler/puppet install. It is true that it was running as an 
IPA client prior to installation of the IPA server package, but I don't think 
that would have resulted in a piece of DS laying around, would it?

It would not.



The system is a virt-manager VM, in case that's related. I'm using IPA-2.2.0 on 
F17, though I'm trying to get 3.1.0 to build.


Have you looked into the logs as I suggested?



And is the second error likely related as I believe it to be?

Yes.
Please look at the install logs, they might have more info about what is going 
on and why DS install failed.


--
Bret Wortman
The Damascus Group
Fairfax, VA
http://bretwortman.com/
http://twitter.com/BretWortman







--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
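The CLEANRUV step in Steven Jones' post above was done by hand, one ldapmodify per replica ID. The script below is an added example (not code from the thread or from FreeIPA) that derives those tasks from the nsds50ruv lines the RUV tombstone search prints; the sample output is constructed from the IDs and host names in the post, and the CSN values in it are made up.

```shell
#!/bin/sh
# Added example (not code from the thread): derive the CLEANRUV tasks that
# were issued by hand, one per stale replica ID, from the nsds50ruv lines
# that the RUV tombstone search prints.

# Constructed sample of the search output (replica IDs and host from the
# post; the CSN values are made up). No directory server is contacted.
SAMPLE_RUV='nsds50ruv: {replicageneration} 50c7a1b2000000010000
nsds50ruv: {replica 4 ldap://vuwunicoipam002.ods.vuw.ac.nz:389} 50c7a1b3000000040000 50c7a2c5000000040000
nsds50ruv: {replica 33 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 32 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}
nsds50ruv: {replica 31 ldap://vuwunicoipam001.ods.vuw.ac.nz:389}'

# Print the replica IDs that the RUV still lists for HOST ($1), reading
# ldapsearch output on stdin. Only entries for the removed host are stale;
# the surviving master's own ID must never be cleaned.
stale_replica_ids() {
    host=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the regex
    sed -n "s|^nsds50ruv: {replica \([0-9][0-9]*\) ldap://$host:[0-9]*}.*|\1|p"
}

# Emit one LDIF modify record per replica ID ($2...) against the replica
# entry of SUFFIX ($1). The suffix DN is nested as an RDN value under
# cn=mapping tree, so '=' is escaped as \3D and ',' as \2C, exactly as in
# the post's 0001-mod.ldif.
cleanruv_ldif() {
    suffix=$1
    shift
    esc=$(printf '%s' "$suffix" | sed 's/=/\\3D/g; s/,/\\2C/g')
    for id in "$@"; do
        printf 'dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n' "$esc"
        printf 'changetype: modify\nreplace: nsds5task\nnsds5task: CLEANRUV%s\n-\n\n' "$id"
    done
}

# Demo on the sample: the output is what you would save and feed to
#   ldapmodify -x -D "cn=directory manager" -W -f cleanruv.ldif
ids=$(printf '%s\n' "$SAMPLE_RUV" | stale_replica_ids vuwunicoipam001.ods.vuw.ac.nz)
cleanruv_ldif dc=ods,dc=vuw,dc=ac,dc=nz $ids
```

Run the search for real and pipe it into stale_replica_ids before generating the LDIF; review the IDs it prints against the RUV before applying anything, since a CLEANRUV against a live master's ID breaks replication.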

[Freeipa-users] Announcing FreeIPA v3.0.2 Release

2012-12-11 Thread Rob Crittenden

The FreeIPA team is proud to announce FreeIPA v3.0.2.

It can be downloaded from http://www.freeipa.org/page/Downloads.

== Highlights in 3.0.2 ==

* WebUI: Change of default value of type of new group back to POSIX.
* Lookup the user SID in external group as well.
* Include sssd-managed domain/realm mapping file managed in krb5.conf.
* Fix potential security error in cookie handling in ipa client tool, 
CVE-2012-5631.


== Upgrading ==

An IPA server can be upgraded simply by installing updated rpms. The 
server does not need to be shut down in advance.


Please note that the referential integrity extension requires an 
extended set of indexes to be configured. An RPM update for an IPA server 
with an excessive number of hosts, SUDO or HBAC entries may require 
several minutes to finish.


If you have multiple servers you may upgrade them one at a time. It is 
expected that all servers will be upgraded in a relatively short period 
(days or weeks not months). They should be able to co-exist peacefully 
but new features will not be available on old servers and enrolling a 
new client against an old server will result in the SSH keys not being 
uploaded.


Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is 
not supported and has not been tested.


An enrolled client does not need the new packages installed unless you 
want to re-enroll it. SSH keys for already installed clients are not 
uploaded, you will have to re-enroll the client or manually upload the keys.


== Feedback ==

Please provide comments, bugs and other feedback via the freeipa-devel 
mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel


== Detailed Changelog since 3.0.1 ==

Alexander Bokovoy (3):
* ipasam: better Kerberos error handling in ipasam
* trusts: replace use of python-crypto by m2crypto
* Propagate kinit errors with trust account

Jakub Hrozek (4):
* Make enabling the autofs service more robust
* ipachangeconf: allow specifying non-default delimeter for options
* Specify includedir in krb5.conf on new installs
* Add the includedir to krb5.conf on upgrades

John Dennis (1):
* Compliant client side session cookie behavior

Lubomir Rintel (1):
* Drop unused readline import

Martin Kosek (5):
* Prepare spec file for Fedora 18
* Filter suffix in replication management tools
* Change network configuration file
* Improve ipa-replica-prepare error message
* Fix sshd feature check

Petr Viktorin (2):
* Provide explicit user name for Dogtag installation scripts
* Add Lubomir Rintel to Contributors.txt

Petr Vobornik (4):
* WebUI: Change of default value of type of new group back to POSIX
* Editable sshkey, mac address field after upgrade
* Better licensing information of 3rd party code
* Better error message for login of users from other realms

Rob Crittenden (5):
* Honor the kdb options disabling KDC writes in ipa_lockout plugin
* Only update the list of running services in the installer or ipactl.
* Set min for selinux-policy to 3.11.1-60
* Reorder XML-RPC initialization in ipa-join to avoid segfault.
* Become IPA 3.0.2

Simo Sorce (1):
* MS-PAC: Special case NFS services

Sumit Bose (3):
* Lookup the user SID in external group as well
* Restart sssd after authconfig update
* Do not recommend how to configure DNS in error message

Tomas Babej (1):
* Add detection for users from trusted/invalid realms



Re: [Freeipa-users] Installing freeipa.

2012-12-11 Thread Steven Jones
Hi,

1) In /etc/sysconfig/network have the fully qualified domain name of the host, 
and not just its short name.

2) In hosts file have the IP, then FQDN then short name on a new line.

3) Turn NetworkManager off and network on

4) reboot




regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of victor nunes [victor.re...@gmail.com]
Sent: Wednesday, 12 December 2012 3:01 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Installing freeipa.


Hello, I am trying to install FreeIPA with ipa-server-install, but when the
question appears, I type the name and the following error appears.

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [localhost]: localhost.tcc.teste.

The host name localhost.tcc.teste does not match the primary host name
localhost. Please check /etc/hosts or DNS name resolution

My /etc/hosts:

127.0.0.1   localhost  localhost


My /etc/host.conf:

order bind, order



And I have already set up a DNS server on the machine;
see the result of the nslookup command:

nslookup localhost.tcc.teste
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: localhost.tcc.teste
Address: 127.0.0.1


That is, I do not see the reason for the error reported by FreeIPA.

Anyone have any tips?


--
"Seen from the standpoint of youth, life seems an indefinitely long future,
whereas from old age it seems a very short past. Thus, at its beginning life
presents itself the way things look when we view them through binoculars held
the wrong way round; but at its end it looks like things seen through
binoculars used the normal way. A man must have grown old and lived long to
perceive how short life is."

 (Poem by Arthur Schopenhauer)