[Freeipa-users] Unable to install client
Hi,

I am trying to install the client on one of the machines and I'm getting the following error:

Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

I am able to install the same on other clients.

Output of running in debug:

/usr/sbin/ipa-client-install was invoked with options: {'domain': 'EXAMPLE.COM', 'force': False, 'krb5_offline_passwords': True, 'primary': True, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True, 'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server': None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended': None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'realm_name': None, 'conf_ssh': True, 'server': ['ipa1.example.com', 'ipa2.example.com'], 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=['ipa1.example.com', 'ipa2.example.com'], hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa1.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa1.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa1.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
will use discovered domain: EXAMPLE.COM
Using servers from command line, disabling DNS discovery
will use provided server: ipa1.example.com, ipa2.example.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: EXAMPLE.COM
will use discovered basedn: dc=example,dc=com
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=ipa2.example.com, hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa2.example.com, domain=EXAMPLE.COM, ipa=None, basedn=dc=example,dc=com
Hostname: perf-fe1.example.com
Hostname source: Machine's FQDN
Realm: EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in ipa1.example.com
DNS Domain: EXAMPLE.COM
DNS Domain source: Forced
IPA Server: ipa1.example.com, ipa2.example.com
IPA Server source: Provided as option
BaseDN: dc=example,dc=com
BaseDN source: From IPA server ldap://ipa1.example.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory
User authorized to enroll computers: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.EXAMPLE.COM.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpune77A:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_ipa = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    ipa = ipa1.example.com:88
    master_ipa = ipa1.example.com:88
    admin_server = ipa1.example.com:749
    ipa = ipa2.example.com:88
    master_ipa = ipa2.example.com:88
[Freeipa-users] memberOf
hi All,

I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
If I understand correctly, a memberOf plugin should be enabled. How can I do that?

Thanks,
tamas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] memberOf
On 10/07/2013 12:06 PM, Tamas Papp wrote:
> hi All,
>
> I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
> If I understand correctly, a memberOf plugin should be enabled. How can I do that?
>
> Thanks,
> tamas

Are you using the ipa migrate-ds command? Were your groups migrated? If there are no groups then the membership will not be migrated. memberOf is enabled by default so there might be something wrong with how the migration happened.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] memberOf
On 10/07/2013 06:06 PM, Tamas Papp wrote:
> hi All,
>
> I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
> If I understand correctly, a memberOf plugin should be enabled. How can I do that?

I wasn't correct here.

This works:

# ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
2424

This does not:

# ldapsearch -x 2>/dev/null |grep memberOf|wc -l
0

I miss something, but I don't know what. I'm not really an ldap or IPA expert, please give me some advice:)

Thanks,
tamas
Re: [Freeipa-users] memberOf
On 10/07/2013 12:32 PM, Tamas Papp wrote:
> On 10/07/2013 06:06 PM, Tamas Papp wrote:
>> hi All,
>>
>> I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
>> If I understand correctly, a memberOf plugin should be enabled. How can I do that?
>
> I wasn't correct here.
>
> This works:
>
> # ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
> 2424
>
> This does not:
>
> # ldapsearch -x 2>/dev/null |grep memberOf|wc -l
> 0
>
> I miss something, but I don't know what. I'm not really an ldap or IPA expert, please give me some advice:)

With anonymous bind you do not see any data. With GSSAPI you authenticate and are thus entitled to see what you are looking for.

> Thanks,
> tamas

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] memberOf
On 10/07/2013 08:59 PM, Dmitri Pal wrote:
> On 10/07/2013 12:32 PM, Tamas Papp wrote:
>> On 10/07/2013 06:06 PM, Tamas Papp wrote:
>>> hi All,
>>>
>>> I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
>>> If I understand correctly, a memberOf plugin should be enabled. How can I do that?
>>
>> I wasn't correct here.
>>
>> This works:
>>
>> # ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
>> 2424
>>
>> This does not:
>>
>> # ldapsearch -x 2>/dev/null |grep memberOf|wc -l
>> 0
>>
>> I miss something, but I don't know what. I'm not really an ldap or IPA expert, please give me some advice:)
>
> With anonymous bind you do not see any data. With GSSAPI you authenticate and are thus entitled to see what you are looking for.

I see, that's true. Although I don't understand why memberOf does not work if every other piece of information is available?

ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore all information is available, just not shown right.

Am I wrong?

Thanks,
tamas
Re: [Freeipa-users] memberOf
Tamas Papp wrote:
> On 10/07/2013 08:59 PM, Dmitri Pal wrote:
>> On 10/07/2013 12:32 PM, Tamas Papp wrote:
>>> On 10/07/2013 06:06 PM, Tamas Papp wrote:
>>>> hi All,
>>>>
>>>> I have a fedora directory server with memberOf attributes. I'm able to migrate users to Freeipa, but I can see there are no such attributes at the new place.
>>>> If I understand correctly, a memberOf plugin should be enabled. How can I do that?
>>>
>>> I wasn't correct here.
>>>
>>> This works:
>>>
>>> # ldapsearch -Y GSSAPI 2>/dev/null |grep memberOf|wc -l
>>> 2424
>>>
>>> This does not:
>>>
>>> # ldapsearch -x 2>/dev/null |grep memberOf|wc -l
>>> 0
>>>
>>> I miss something, but I don't know what. I'm not really an ldap or IPA expert, please give me some advice:)
>>
>> With anonymous bind you do not see any data. With GSSAPI you authenticate and are thus entitled to see what you are looking for.
>
> I see, that's true. Although I don't understand why memberOf does not work if every other piece of information is available?
>
> ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore all information is available, just not shown right.
>
> Am I wrong?

memberOf can contain some privileged information that you don't want to expose to anonymous users, like sudo and HBAC rule membership.

rob
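As an added illustration of Rob's point (example code written for this page, not part of the original thread or of the FreeIPA project): the script below parses the LDIF that ldapsearch prints, compares which attributes the same entry exposes to an authenticated bind (-Y GSSAPI) and to an anonymous bind (-x), and then picks out the memberOf values that point at HBAC or sudo rules rather than plain groups. FreeIPA stores HBAC rules under cn=hbac and sudo rules under cn=sudorules,cn=sudo beneath the base DN, which is what the rule filter keys on. The two LDIF samples are constructed for the example; the user, the group DNs and the ipaUniqueID values are made up.

```python
import base64
from typing import Dict, List, Optional, Set

# Constructed sample LDIF (not real server output). It imitates what
# "ldapsearch -Y GSSAPI" (authenticated) and "ldapsearch -x" (anonymous)
# return for the same user on an IPA directory: the anonymous view lacks
# memberOf. The DNs and ipaUniqueIDs below are made up for the example.
LDIF_GSSAPI = """\
# extended LDIF
#
# LDAPv3
dn: uid=tpapp,cn=users,cn=accounts,dc=example,dc=com
uid: tpapp
cn: Tamas Papp
objectClass: person
objectClass: posixaccount
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: ipaUniqueID=11111111-2222-3333-4444-555555555555,cn=hbac,dc=example,
 dc=com
memberOf: ipaUniqueID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,cn=sudorules,cn=sudo
 ,dc=example,dc=com
displayName:: VGFtYXMgUGFwcA==

# search result
search: 4
result: 0 Success
"""

LDIF_ANON = """\
dn: uid=tpapp,cn=users,cn=accounts,dc=example,dc=com
uid: tpapp
cn: Tamas Papp
objectClass: person
objectClass: posixaccount
displayName:: VGFtYXMgUGFwcA==

# search result
search: 2
result: 0 Success
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse ldapsearch LDIF output into {dn: {attribute: [values]}}.

    Handles folded lines (a leading space continues the previous line),
    "#" comments, base64 values ("attr:: ...") and ldapsearch's trailing
    "search:"/"result:" lines, which follow a blank line and so belong
    to no entry.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for line in unfolded:
        if not line.strip():
            current = None            # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def attributes_hidden_from_anonymous(ldif_auth: str, ldif_anon: str) -> Dict[str, Set[str]]:
    """Per entry, the attributes the authenticated bind returned but the
    anonymous bind did not, i.e. what the server's ACIs withhold."""
    auth = parse_ldif(ldif_auth)
    anon = parse_ldif(ldif_anon)
    hidden: Dict[str, Set[str]] = {}
    for dn, attrs in auth.items():
        missing = set(attrs) - set(anon.get(dn, {}))
        if missing:
            hidden[dn] = missing
    return hidden


def rule_memberships(ldif: str) -> Dict[str, List[str]]:
    """memberOf values that point at HBAC or sudo rules: the privileged
    part of memberOf that must not be visible to an anonymous bind."""
    found: Dict[str, List[str]] = {}
    for dn, attrs in parse_ldif(ldif).items():
        rules = [v for v in attrs.get("memberOf", [])
                 if ",cn=hbac," in v.lower() or ",cn=sudorules," in v.lower()]
        if rules:
            found[dn] = rules
    return found


if __name__ == "__main__":
    print(attributes_hidden_from_anonymous(LDIF_GSSAPI, LDIF_ANON))
    print(rule_memberships(LDIF_GSSAPI))
```

Against a real server, save the two searches (for example `ldapsearch -Y GSSAPI -b uid=user,cn=users,cn=accounts,dc=example,dc=com > auth.ldif` and the same with `-x` to `anon.ldif`) and pass the file contents to `attributes_hidden_from_anonymous`; anything other than memberOf showing up in the result is an ACI worth a second look, and `rule_memberships` on the anonymous file should come back empty.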
[Freeipa-users] Requesting IDM Consulting
Hi all,

I'm interested in finding a consultant who might be able to help us with our IDM solutions. Does anyone have any suggestions as to who would be good to use for discussing a possible engagement with?

Thanks,
Joe

===
Joseph R. Hoot @ SUNY ITEC
Supervising Programmer/Analyst
(w) 716-878-4832 (Office - Receptionist/able to leave message)
(w) 716-878-4863 (Direct - no voicemail)
(c) 716-759-HOOT
joe.h...@itec.suny.edu
GPG KEY: 7145F633
===
Managing trade-offs, attempting to reduce risk, instilling trust, and accepting responsibility for the system and networking team at SUNY ITEC.