[Freeipa-users] Unable to install clien

2013-10-07 Thread Mohan Cheema
Hi,

 

I am trying to install the client on one of the machines and I'm getting the
following error:

Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


 

I am able to install the same on other clients.

Output of running in debug mode:
/usr/sbin/ipa-client-install was invoked with options: {'domain':
'EXAMPLE.COM', 'force': False, 'krb5_offline_passwords': True, 'primary':
True, 'mkhomedir': False, 'create_sshfp': True, 'conf_sshd': True,
'on_master': False, 'conf_ntp': True, 'ca_cert_file': None, 'ntp_server':
None, 'principal': None, 'hostname': None, 'no_ac': False, 'unattended':
None, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False,
'realm_name': None, 'conf_ssh': True, 'server': ['ipa1.example.com',
'ipa2.example.com'], 'prompt_password': False, 'permit': False, 'debug':
True, 'preserve_sssd': False, 'uninstall': False}
missing options might be asked for interactively later
Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=['ipa1.example.com',
'ipa2.example.com'], hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa1.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa1.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa1.example.com, domain=EXAMPLE.COM,
ipa=None, basedn=dc=example,dc=com
will use discovered domain: EXAMPLE.COM
Using servers from command line, disabling DNS discovery
will use provided server: ipa1.example.com, ipa2.example.com
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always
access the discovered server for all operations and will not fail over to
other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
will use discovered realm: EXAMPLE.COM
will use discovered basedn: dc=example,dc=com
[IPA Discovery]
Starting IPA discovery with domain=EXAMPLE.COM, server=ipa2.example.com,
hostname=perf-fe1.example.com
Server and domain forced
[Kerberos realm search]
Search DNS for TXT record of _kerberos.EXAMPLE.COM.
No DNS record found
[LDAP server check]
Verifying that ipa2.example.com (realm None) is an IPA server
Init LDAP connection with: ldap://ipa2.example.com:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=com' is for IPA
Naming context 'dc=example,dc=com' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=com (sub)
Found: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
Discovery result: Success; server=ipa2.example.com, domain=EXAMPLE.COM,
ipa=None, basedn=dc=example,dc=com
Hostname: perf-fe1.example.com
Hostname source: Machine's FQDN
Realm: EXAMPLE.COM
Realm source: Discovered from LDAP DNS records in ipa1.example.com
DNS Domain: EXAMPLE.COM
DNS Domain source: Forced
IPA Server: ipa1.example.com, ipa2.example.com
IPA Server source: Provided as option
BaseDN: dc=example,dc=com
BaseDN source: From IPA server ldap://ipa1.example.com:389

Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r EXAMPLE.COM
stdout=
stderr=Failed to open keytab '/etc/krb5.keytab': No such file or directory

User authorized to enroll computers: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.EXAMPLE.COM.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v ipa1.example.com
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync.
Please check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpune77A:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_ipa = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  EXAMPLE.COM = {
    ipa = ipa1.example.com:88
    master_ipa = ipa1.example.com:88
    admin_server = ipa1.example.com:749
    ipa = ipa2.example.com:88
    master_ipa = ipa2.example.com:88

[Freeipa-users] memberOf

2013-10-07 Thread Tamas Papp
hi All,

I have a fedora directory server with memberOf attributes.
I'm able to migrate users to Freeipa, but I can see there are no such
attributes at the new place.
If I understand correctly, a memberOf plugin should be enabled. How can
I do that?

Thanks,
tamas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] memberOf

2013-10-07 Thread Dmitri Pal
On 10/07/2013 12:06 PM, Tamas Papp wrote:
 hi All,

 I have a fedora directory server with memberOf attributes.
 I'm able to migrate users to Freeipa, but I can see there are no such
 attributes at the new place.
 If I understand correctly, a memberOf plugin should be enabled. How can
 I do that?

 Thanks,
 tamas

Are you using the ipa migrate-ds command?
Were your groups migrated?
If there are no groups then the membership will not be migrated.
MemberOf is enabled by default, so there might be something wrong with
how the migration happened.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] memberOf

2013-10-07 Thread Tamas Papp

On 10/07/2013 06:06 PM, Tamas Papp wrote:
 hi All,

 I have a fedora directory server with memberOf attributes.
 I'm able to migrate users to Freeipa, but I can see there are no such
 attributes at the new place.
 If I understand correctly, a memberOf plugin should be enabled. How can
 I do that?

I wasn't correct here.

This works:
# ldapsearch -Y GSSAPI 2>/dev/null | grep memberOf | wc -l
2424


This does not:
# ldapsearch -x 2>/dev/null | grep memberOf | wc -l
0


I am missing something, but I don't know what. I'm not really an LDAP or IPA
expert, please give me some advice :)

Thanks,
tamas



Re: [Freeipa-users] memberOf

2013-10-07 Thread Dmitri Pal
On 10/07/2013 12:32 PM, Tamas Papp wrote:
 On 10/07/2013 06:06 PM, Tamas Papp wrote:
 hi All,

 I have a fedora directory server with memberOf attributes.
 I'm able to migrate users to Freeipa, but I can see there are no such
 attributes at the new place.
 If I understand correctly, a memberOf plugin should be enabled. How can
 I do that?
 I wasn't correct here.

 This works:
 # ldapsearch -Y GSSAPI 2>/dev/null | grep memberOf | wc -l
 2424


 This does not:
 # ldapsearch -x 2>/dev/null | grep memberOf | wc -l
 0


 I am missing something, but I don't know what. I'm not really an LDAP or IPA
 expert, please give me some advice :)

With anonymous bind you do not see any data. With GSSAPI you
authenticate and are thus entitled to see what you are looking for.


 Thanks,
 tamas



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] memberOf

2013-10-07 Thread Tamas Papp

On 10/07/2013 08:59 PM, Dmitri Pal wrote:
 On 10/07/2013 12:32 PM, Tamas Papp wrote:
 On 10/07/2013 06:06 PM, Tamas Papp wrote:
 hi All,

 I have a fedora directory server with memberOf attributes.
 I'm able to migrate users to Freeipa, but I can see there are no such
 attributes at the new place.
 If I understand correctly, a memberOf plugin should be enabled. How can
 I do that?
 I wasn't correct here.

 This works:
 # ldapsearch -Y GSSAPI 2>/dev/null | grep memberOf | wc -l
 2424


 This does not:
 # ldapsearch -x 2>/dev/null | grep memberOf | wc -l
 0


 I am missing something, but I don't know what. I'm not really an LDAP or IPA
 expert, please give me some advice :)
 With anonymous bind you do not see any data. With GSSAPI you
 authenticate and are thus entitled to see what you are looking for.


I see, that's true.
Although I don't understand why memberOf does not work if every other
piece of information is available?

ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore
all the information is available, it is just not shown correctly.
Am I wrong?

Thanks,
tamas



Re: [Freeipa-users] memberOf

2013-10-07 Thread Rob Crittenden

Tamas Papp wrote:


On 10/07/2013 08:59 PM, Dmitri Pal wrote:

On 10/07/2013 12:32 PM, Tamas Papp wrote:

On 10/07/2013 06:06 PM, Tamas Papp wrote:

hi All,

I have a fedora directory server with memberOf attributes.
I'm able to migrate users to Freeipa, but I can see there are no such
attributes at the new place.
If I understand correctly, a memberOf plugin should be enabled. How can
I do that?

I wasn't correct here.

This works:
# ldapsearch -Y GSSAPI 2>/dev/null | grep memberOf | wc -l
2424


This does not:
# ldapsearch -x 2>/dev/null | grep memberOf | wc -l
0


I am missing something, but I don't know what. I'm not really an LDAP or IPA
expert, please give me some advice :)

With anonymous bind you do not see any data. With GSSAPI you
authenticate and are thus entitled to see what you are looking for.



I see, that's true.
Although I don't understand why memberOf does not work if every other
piece of information is available?

ldapsearch -x uid=user and ldapsearch -x cn=group work fine. Therefore
all the information is available, it is just not shown correctly.
Am I wrong?


memberOf can contain some privileged information that you don't want to 
expose to anonymous users, like sudo and HBAC rule membership.


rob

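The behaviour Dmitri and Rob describe (memberOf present over a GSSAPI bind, absent over an anonymous one, because it reveals HBAC and sudo rule membership) can be audited by diffing the two search results instead of counting grep hits. The following is an added example, not code from the thread or from FreeIPA: it parses two LDIF dumps of the kind `ldapsearch -LLL -Y GSSAPI` and `ldapsearch -LLL -x` would produce and reports, per entry, which attribute values only the authenticated bind can see, then buckets the memberOf DNs by the FreeIPA container they point at. The LDIF text and DNs are constructed for illustration, following FreeIPA's container layout (cn=groups,cn=accounts; cn=hbac; cn=sudorules,cn=sudo).

```python
"""Diff an authenticated LDAP search against an anonymous one (added example)."""
import base64
from collections import defaultdict

# Constructed LDIF: what an authenticated (GSSAPI) search returns.
AUTHENTICATED_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
uid: jdoe
cn: John Doe
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=allow_all,cn=hbac,dc=example,dc=com
memberOf: cn=sudo_all,cn=sudorules,cn=sudo,dc=example,dc=com

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
"""

# Constructed LDIF: the same search over an anonymous bind (ldapsearch -x).
ANONYMOUS_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
uid: jdoe
cn: John Doe

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
member: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse simple LDIF into {dn: {attribute: [values]}}.

    Handles folded continuation lines (leading space), comments, and
    base64-encoded values (``attr:: ...``), which are decoded to text."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)

    entries, current, dn = {}, None, None
    for line in logical + [""]:            # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = None, None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn, current = value, defaultdict(list)
        elif current is not None:
            current[attr].append(value)
    return entries


def hidden_attributes(authenticated, anonymous):
    """Return {dn: {attribute: count}} of values the authenticated bind sees
    but the anonymous bind does not. Entries absent from the anonymous result
    are reported with all of their attributes."""
    hidden = {}
    for dn, attrs in authenticated.items():
        anon_attrs = anonymous.get(dn, {})
        diff = {}
        for attr, values in attrs.items():
            missing = [v for v in values if v not in anon_attrs.get(attr, [])]
            if missing:
                diff[attr] = len(missing)
        if diff:
            hidden[dn] = diff
    return hidden


def classify_memberof(values):
    """Bucket memberOf DNs by FreeIPA container: group, hbac, sudo or other."""
    buckets = defaultdict(list)
    for dn in values:
        lower = dn.lower()
        if ",cn=groups,cn=accounts," in lower:
            buckets["group"].append(dn)
        elif ",cn=hbac," in lower:
            buckets["hbac"].append(dn)
        elif ",cn=sudorules,cn=sudo," in lower:
            buckets["sudo"].append(dn)
        else:
            buckets["other"].append(dn)
    return dict(buckets)


def report():
    """Diff the two constructed dumps; returns the hidden-attribute map."""
    return hidden_attributes(parse_ldif(AUTHENTICATED_LDIF), parse_ldif(ANONYMOUS_LDIF))


if __name__ == "__main__":
    for dn, diff in report().items():
        print(dn)
        for attr, n in diff.items():
            print(f"  {attr}: {n} value(s) visible only to the authenticated bind")
    user = parse_ldif(AUTHENTICATED_LDIF)["uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"]
    for kind, dns in classify_memberof(user["memberOf"]).items():
        print(f"memberOf ({kind}): {len(dns)}")
```

Run against real dumps, the hidden-attribute map is the list of what your anonymous bind is prevented from learning; the HBAC and sudo buckets are exactly the memberOf values Rob refers to, and an anonymous result that does contain them is the thing worth investigating.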


[Freeipa-users] Requesting IDM Consulting

2013-10-07 Thread Hoot, Joseph
Hi all,

I'm interested in finding a consultant who might be able to help us with our 
IDM solutions.

Does anyone have any suggestions as to who would be good to use for discussing 
a possible engagement with?

Thanks,
Joe

===
Joseph R. Hoot @ SUNY ITEC
Supervising Programmer/Analyst
(w) 716-878-4832 (Office - Receptionist/able to leave message)
(w) 716-878-4863 (Direct - no voicemail)
(c) 716-759-HOOT
joe.h...@itec.suny.edu
GPG KEY:   7145F633
===

Managing trade-offs, attempting to reduce risk, instilling trust, and accepting 
responsibility for the system and networking team at SUNY ITEC.