Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-16 Thread Rob Crittenden

Dmitri Pal wrote:

On 12/16/2013 10:40 AM, Bret Wortman wrote:

I had a replica that was completely failing to respond to its clients,
so I removed it by first running "ipa-replica-manage del" on the
replica master, then "ipa-server-install -U --uninstall" on the
replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#

What's the right way to clean this up without making the situation worse?


Do you use IPA DNS?
What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


It would appear that the replica uninstallation was a bit incomplete. 
The lack of replication may be part of, or the cause of, the problem.


I guess I would start by double-checking that the remaining master 
doesn't have an RUV record for the old one:


# ipa-replica-manage list-ruv

If so you can use the clean-ruv command to clean things up. Be very 
careful what number you plug in there. This is one of those "with great 
power comes great responsibility" commands.


As for the remaining master entries, you'll need to use ldapdelete to 
remove them.


Something like this:

# ldapdelete -x -D 'cn=directory manager' -W -r
cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com
^D

My syntax may be a bit off but you basically want to delete this entry 
and all its children. If you're nervous stick in the -n option and it 
will tell you what it's going to do without deleting anything.


Newer IPA has a new command in ipa-replica-manage to make this cleanup 
easier.


Once those entries are gone you can delete the host entry and proceed on 
your way.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
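
The cleanup order Rob describes (check the RUV list, clean the stale ID, dry-run the `cn=masters` delete, then remove the host entry), as an added example that is not part of the original reply. It only prints commands for review; the `host:port: id` output format of `list-ruv`, the sample hosts and IDs, and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a review-only cleanup plan for a
# half-removed replica. Nothing here contacts a server or deletes anything.
# Assumption: `ipa-replica-manage list-ruv` prints one "host:port: id" per line.

# Constructed sample output; hosts and replica IDs are made up.
SAMPLE_RUV='ipamaster.example.com:389: 4
replica-to-delete.example.com:389: 7
old-replica-to-delete.example.com:389: 9'

# ruv_ids_for_host HOST
# Reads list-ruv output on stdin and prints the replica IDs whose host field
# equals HOST exactly. A substring match (plain grep) could return the ID of a
# different, healthy server, which is the mistake to avoid with clean-ruv.
ruv_ids_for_host() {
    awk -v host="$1" '
        {
            n = split($0, f, ":")
            if (n < 3) next
            id = f[n]
            gsub(/[ \t\r]/, "", id)
            if (tolower(f[1]) == tolower(host) && id ~ /^[0-9]+$/) print id
        }'
}

# masters_dn HOST BASEDN
# DN of the leftover master entry, in the layout shown in the reply above.
masters_dn() {
    printf 'cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# cleanup_plan HOST BASEDN
# Reads list-ruv output on stdin and prints the commands to review, in order.
# ldapdelete is printed with -n (dry run); rerun without -n once it looks right.
cleanup_plan() {
    host=$1
    basedn=$2
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "refusing odd hostname: $host" >&2; return 2 ;;
    esac
    case $basedn in
        ''|*[!A-Za-z0-9=,.-]*) echo "refusing odd base DN: $basedn" >&2; return 2 ;;
    esac
    ids=$(ruv_ids_for_host "$host")
    if [ -z "$ids" ]; then
        echo "# no RUV listed for $host: skip clean-ruv"
    else
        for id in $ids; do
            echo "ipa-replica-manage clean-ruv $id"
        done
    fi
    echo "ldapdelete -n -x -D 'cn=directory manager' -W -r '$(masters_dn "$host" "$basedn")'"
    echo "ipa host-del $host"
}

# Demo on the constructed sample (base DN is a placeholder).
printf '%s\n' "$SAMPLE_RUV" | cleanup_plan replica-to-delete.example.com 'dc=example,dc=com'
```

On a real master, pipe the live `ipa-replica-manage list-ruv` output into `cleanup_plan` and read every printed line before running any of them.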


Re: [Freeipa-users] i could use some help with installing FreeIPA

2013-12-16 Thread Rob Crittenden

Dmitri Pal wrote:

On 12/16/2013 06:46 PM, Galen Brownsmith wrote:

My install fails on the invocation of pkispawn with a Socket Error in
the pki-ca-spawn log  ; anyone have any ideas?  (It isn't the issue
with special characters in the DM's password, as my Directory Manager
and IPA Admin passwords may be 32 characters long, but only contain
[A-Za-z0-9_] )

Configuration and Error Messages follow.

Target System: Fedora19 64bit LXC Container running on top of a
Fedora19 64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
Attempting to install freeipa server 3.3.3.  SELinux has been set to
'disabled' on the host and container.

/etc/hosts:
# IP            FQDN                    Alias(es)
127.0.0.1       localhost.localdomain   localhost localhost4
192.168.253.94  woeg.marphod.net        woeg

# Peers
192.168.253.99  skete.marphod.net       skete wiki.marphod.net wiki www.marphod.net www
[... several more machines]

/etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search marphod.net 
nameserver 192.168.253.1

/etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=woeg.marphod.net 

No software firewall on the Container:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


Not using NetworkManager.  The machine has a virtual nic, and is
connected to the bridge on the host, and can interact with the outside
world.

Installation commands:
# ipa-server-install --uninstall -U
# pkidestroy -s CA -i pki-tomcat
# ipa-server-install -N -d --no-host-dns

I select the defaults during the interactive install.

During installation, everything seems to run fine up to the invocation
of pkispawn.   I then get the errors:

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service
failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
'journalctl -xn' for details.
pkispawn: ERROR... server failed to restart

ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
status 1
ipa : DEBUG  File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
line 622, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1074, in main
dm_password, subject_base=options.subject)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 478, in configure_instance
self.start_creation(runtime=210)

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
364, in start_creation
method()

  File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 604, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

ipa : DEBUG The ipa-server-install command failed,
exception: RuntimeError: Configuration of CA failed
Configuration of CA failed


the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the
... skipping... is from the file)

...skipping...
y still be down
2013-12-16 18:12:23 pkispawn: DEBUG... No connection -
exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
Connection refused.
2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
server may still be down
2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
Connection refused.
2013-12-16 18:12:25 pkispawn: DEBUG... No connection -
server may still be down
...
(error repeated 12 more times)
...
2013-12-16 18:12:39 pkispawn: ERROR... server failed to
restart
2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
2013-12-16 18:12:39 pkispawn: DEBUG...   File
"/usr/sbin/pkispawn", line 374, in main
rv = instance.spawn()
  File
"/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
line 102, in spawn
sys.exit(1)




You are trying it in a container. I do not know whether this makes a
difference.
It might be due to the fact that underlying directory server has not
started.
Please look at the pki instance DS logs to determine whether the DS
instance was installed and configured correctly.
http://www.freeipa.org/page/Troubleshooting#Server_Installation
Please publish these logs here.


I'm not entirely sure that IPA works in a container. I think that 
Nathaniel looked at this a few months ago but I can't recall his findings.


rob


Re: [Freeipa-users] i could use some help with installing FreeIPA

2013-12-16 Thread Dmitri Pal
On 12/16/2013 06:46 PM, Galen Brownsmith wrote:
> My install fails on the invocation of pkispawn with a Socket Error in
> the pki-ca-spawn log  ; anyone have any ideas?  (It isn't the issue
> with special characters in the DM's password, as my Directory Manager
> and IPA Admin passwords may be 32 characters long, but only contain
> [A-Za-z0-9_] )
>
> Configuration and Error Messages follow.
>
> Target System: Fedora19 64bit LXC Container running on top of a
> Fedora19 64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
> Attempting to install freeipa server 3.3.3.  SELinux has been set to
> 'disabled' on the host and container. 
>
> /etc/hosts:
> # IP            FQDN                    Alias(es)
> 127.0.0.1       localhost.localdomain   localhost localhost4
> 192.168.253.94  woeg.marphod.net        woeg
>
> # Peers
> 192.168.253.99  skete.marphod.net       skete wiki.marphod.net wiki www.marphod.net www
> [... several more machines]
>
> /etc/resolv.conf
> ; generated by /usr/sbin/dhclient-script
> search marphod.net 
> nameserver 192.168.253.1
>
> /etc/sysconfig/network:
> NETWORKING=yes
> HOSTNAME=woeg.marphod.net 
>
> No software firewall on the Container:
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination   
>
>
> Not using NetworkManager.  The machine has a virtual nic, and is
> connected to the bridge on the host, and can interact with the outside
> world.
>
> Installation commands:
> # ipa-server-install --uninstall -U
> # pkidestroy -s CA -i pki-tomcat
> # ipa-server-install -N -d --no-host-dns
>
> I select the defaults during the interactive install.
>
> During installation, everything seems to run fine up to the invocation
> of pkispawn.   I then get the errors:
> 
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
> ipa : DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service
> failed. See 'systemctl status pki-tomcatd@pki-tomcat.service' and
> 'journalctl -xn' for details.
> pkispawn: ERROR... server failed to restart
>
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit
> status 1
> ipa : DEBUG  File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 622, in run_script
> return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1074, in main
> dm_password, subject_base=options.subject)
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 478, in configure_instance
> self.start_creation(runtime=210)
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line
> 364, in start_creation
> method()
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 604, in __spawn_instance
> raise RuntimeError('Configuration of CA failed')
>
> ipa : DEBUG The ipa-server-install command failed,
> exception: RuntimeError: Configuration of CA failed
> Configuration of CA failed
> 
>
> the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the
> ... skipping... is from the file)
> 
> ...skipping...
> y still be down
> 2013-12-16 18:12:23 pkispawn: DEBUG... No connection -
> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
> Connection refused.
> 2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
> server may still be down
> 2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
> exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
> Connection refused.
> 2013-12-16 18:12:25 pkispawn: DEBUG... No connection -
> server may still be down
> ...
> (error repeated 12 more times)
> ...
> 2013-12-16 18:12:39 pkispawn: ERROR... server failed to
> restart
> 2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
> 2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
> 2013-12-16 18:12:39 pkispawn: DEBUG...   File
> "/usr/sbin/pkispawn", line 374, in main
> rv = instance.spawn()
>   File
> "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
> line 102, in spawn
> sys.exit(1)
> 
>

You are trying it in a container. I do not know whether this makes a
difference.
It might be due to the fact that underlying directory server has not
started.
Please look at the pki instance DS logs to determine whether the DS
instance was i

Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-16 Thread Dmitri Pal

  
  
On 12/16/2013 10:40 AM, Bret Wortman wrote:

  
  I had a replica that was completely failing to respond to its
  clients, so I removed it by first running "ipa-replica-manage del"
  on the replica master, then "ipa-server-install -U --uninstall" on
  the replica. I regenerated the replica file and, upon trying to
  re-initialize the replica, received this error:
  
  :
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
    % ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#
  
  On the master:
  
  [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be
deleted or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#
  
  What's the right way to clean this up without making the situation
  worse?


Do you use IPA DNS? 
What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


  

-- 
Bret Wortman


http://damascusgrp.com/

http://about.me/wortmanbret
  

  
  
  
  



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



[Freeipa-users] i could use some help with installing FreeIPA

2013-12-16 Thread Galen Brownsmith
My install fails on the invocation of pkispawn with a Socket Error in the
pki-ca-spawn log  ; anyone have any ideas?  (It isn't the issue with
special characters in the DM's password, as my Directory Manager and IPA
Admin passwords may be 32 characters long, but only contain [A-Za-z0-9_] )

Configuration and Error Messages follow.

Target System: Fedora19 64bit LXC Container running on top of a Fedora19
64bit host.  Kernel 3.11.10, Q9550 Intel CPU.
Attempting to install freeipa server 3.3.3.  SELinux has been set to
'disabled' on the host and container.

/etc/hosts:
# IP            FQDN                    Alias(es)
127.0.0.1       localhost.localdomain   localhost localhost4
192.168.253.94  woeg.marphod.net        woeg

# Peers
192.168.253.99  skete.marphod.net       skete wiki.marphod.net wiki www.marphod.net www
[... several more machines]

/etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search marphod.net
nameserver 192.168.253.1

/etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=woeg.marphod.net

No software firewall on the Container:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


Not using NetworkManager.  The machine has a virtual nic, and is connected
to the bridge on the host, and can interact with the outside world.

Installation commands:
# ipa-server-install --uninstall -U
# pkidestroy -s CA -i pki-tomcat
# ipa-server-install -N -d --no-host-dns

I select the defaults during the interactive install.

During installation, everything seems to run fine up to the invocation of
pkispawn.   I then get the errors:

Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

ipa : DEBUG stderr=Job for pki-tomcatd@pki-tomcat.service failed.
See 'systemctl status pki-tomcatd@pki-tomcat.service'
and 'journalctl -xn' for details.
pkispawn: ERROR... server failed to restart

ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpwNB5bU' returned non-zero exit status 1
ipa : DEBUG  File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
622, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-server-install", line 1074, in main
dm_password, subject_base=options.subject)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 478, in configure_instance
self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 364, in start_creation
method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 604, in __spawn_instance
raise RuntimeError('Configuration of CA failed')

ipa : DEBUG The ipa-server-install command failed, exception:
RuntimeError: Configuration of CA failed
Configuration of CA failed


the relevant errors from /var/log/pki/pki-ca-spawn.timestamp.log: (the ...
skipping... is from the file)

...skipping...
y still be down
2013-12-16 18:12:23 pkispawn: DEBUG... No connection -
exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
Connection refused.
2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
server may still be down
2013-12-16 18:12:24 pkispawn: DEBUG... No connection -
exception thrown: Cannot connect to proxy. Socket error: [Errno 111]
Connection refused.
2013-12-16 18:12:25 pkispawn: DEBUG... No connection -
server may still be down
...
(error repeated 12 more times)
...
2013-12-16 18:12:39 pkispawn: ERROR... server failed to restart
2013-12-16 18:12:39 pkispawn: DEBUG... Error Type: SystemExit
2013-12-16 18:12:39 pkispawn: DEBUG... Error Message: 1
2013-12-16 18:12:39 pkispawn: DEBUG...   File
"/usr/sbin/pkispawn", line 374, in main
rv = instance.spawn()
  File "/usr/lib/python2.7/site-packages/pki/deployment/configuration.py",
line 102, in spawn
sys.exit(1)






--
That's the news from the Mystic River, where all the alliums are strong,
all the degu are good looking, and all the stuffed animals are above
average.
"May the ducks of your life quack ever harmoniously" - A. Yelton
gal...@capaccess.org gal...@marphod.net marp...@gmail.com & others

Re: [Freeipa-users] Trouble with replica install - SOLVED

2013-12-16 Thread Les Stott
Alexander,

I think it was a case of a manually locked down (post install) system that had 
been previously built. The master was on a vm that was a newer build, but not 
done in the same way as the older server, so it had a more default out of the 
box configuration.

At least now I know to check this before installing the replica on existing 
machines.

Regards,

Les

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Tuesday, 17 December 2013 12:52 AM
To: Les Stott
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install - SOLVED

On Mon, 16 Dec 2013, Les Stott wrote:
>Figured it out.
>
>Missing apache modules (not loaded). One of the following
>
>LoadModule auth_basic_module modules/mod_auth_basic.so
>LoadModule auth_digest_module modules/mod_auth_digest.so
>LoadModule authn_file_module modules/mod_authn_file.so
>LoadModule authn_alias_module modules/mod_authn_alias.so
>LoadModule authn_anon_module modules/mod_authn_anon.so
>LoadModule authn_dbm_module modules/mod_authn_dbm.so
>LoadModule authn_default_module modules/mod_authn_default.so
>LoadModule authz_host_module modules/mod_authz_host.so
>LoadModule authz_user_module modules/mod_authz_user.so
>LoadModule authz_owner_module modules/mod_authz_owner.so
>LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
>LoadModule authz_dbm_module modules/mod_authz_dbm.so
>LoadModule authz_default_module modules/mod_authz_default.so
>LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
>
>I'm not sure which one, I just matched what was on the master and 
>reinstalled the replica - no errors. Been a long day so I don't feel 
>like going through one by one, uninstalling/reinstalling etc. I imagine 
>it's probably mod_authz_groupfile.so, but others are probably needed 
>too.
I wonder if this server was refurbished from some other task where original 
configuration was already changed. FreeIPA install scripts assume non-modified 
configuration files.


--
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread Yves Degauquier

Hi,

I'm running the Sudo version 1.8.8 downloaded as RPM on 
http://www.oss4aix.org/download/RPMS/sudo/


Authentication is fine, but sudo is wrong.

If in /etc/security/user for default stanza I don't mention

SYSTEM = "KRB5ALDAP"
registry = LDAP

then when running sudo with a freeipa user it returns the message that 
the id of the user is wrong.


If I mention the 2 lines, then I have a Memory fault message.


On 16/12/13 19:38, KodaK wrote:
I am an unfortunate AIX sufferer as well.  I've gotten through setting 
this up.


First, what version of sudo are you running on the AIX box?


On Mon, Dec 16, 2013 at 8:46 AM, > wrote:


Hi,

I'm trying to integrate on AIX environment (as clients) a
centralized authentication and authorization with freeipa, and
using sudo also with sudo rules on freeipa.

I followed several how-to and notes found by googling, but still
have problem with sudo.

Everything is fine with root account (sudo -l list all sudo
rules), but with a user from freeipa I have "Memory fault".

Does anybody have good experience with FreeIPA (installed on
CentOS), AIX (6.1) and sudo (from Perzl)?

Thanks in advance,

Yves





--
The government is going to read our mail anyway, might as well make it 
tough for them.  GPG Public key ID:  B6A1A7C6



Re: [Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread KodaK
I am an unfortunate AIX sufferer as well.  I've gotten through setting this
up.

First, what version of sudo are you running on the AIX box?


On Mon, Dec 16, 2013 at 8:46 AM,  wrote:

> Hi,
>
> I'm trying to integrate on AIX environment (as clients) a centralized
> authentication and authorization with freeipa, and using sudo also with
> sudo rules on freeipa.
>
> I followed several how-to and notes found by googling, but still have
> problem with sudo.
>
> Everything is fine with root account (sudo -l list all sudo rules), but
> with a user from freeipa I have "Memory fault".
>
> Does anybody have good experience with FreeIPA (installed on CentOS), AIX
> (6.1) and sudo (from Perzl)?
>
> Thanks in advance,
>
> Yves
>
>



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

[Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-16 Thread Bret Wortman

  
  
I had a replica that was completely failing to respond to its
clients, so I removed it by first running "ipa-replica-manage del"
on the replica master, then "ipa-server-install -U --uninstall" on
the replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
  The host fsipa.spx.net already exists on the master server.
  You should remove it before proceeding:
      % ipa host-del fsipa.damascusgrp.com
  [root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
  ipa: ERROR: invalid 'hostname': An IPA master host cannot be
  deleted or disabled
  [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
    Host name: fsipa.damascusgrp.com
    Principal name: host/fsipa.damascusgrp@damascusgrp.com
    Password: False
    Keytab: True
    Managed by: fsipa.damascusgrp.com
    SSH public key fingerprint: ...
    :
  [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
  'ipamaster.damascusgrp.com' has no replication agreement for
  'fsipa.damascusgrp.com'
  [root@ipamaster ~]#

What's the right way to clean this up without making the situation
worse?

  
  -- 
  Bret Wortman
  
  
  http://damascusgrp.com/
  
  http://about.me/wortmanbret

  

  




[Freeipa-users] FreeIPA integration with AIX and sudo

2013-12-16 Thread yves

Hi,

I'm trying to integrate on AIX environment (as clients) a centralized 
authentication and authorization with freeipa, and using sudo also with 
sudo rules on freeipa.


I followed several how-to and notes found by googling, but still have 
problem with sudo.


Everything is fine with root account (sudo -l list all sudo rules), 
but with a user from freeipa I have "Memory fault".


Does anybody have good experience with FreeIPA (installed on CentOS), 
AIX (6.1) and sudo (from Perzl)?


Thanks in advance,

Yves



Re: [Freeipa-users] Trouble with replica install - SOLVED

2013-12-16 Thread Alexander Bokovoy

On Mon, 16 Dec 2013, Les Stott wrote:

Figured it out.

Missing apache modules (not loaded). One of the following

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

I'm not sure which one, I just matched what was on the master and
reinstalled the replica - no errors. Been a long day so I don't feel
like going through one by one, uninstalling/reinstalling etc. I imagine
it's probably mod_authz_groupfile.so, but others are probably needed
too.

I wonder if this server was refurbished from some other task where
original configuration was already changed. FreeIPA install scripts
assume non-modified configuration files.


--
/ Alexander Bokovoy
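
A way to catch this kind of drift before installing a replica on a previously locked-down host, as an added example that is not part of the original messages: it lists the modules with an active `LoadModule` line in the master's Apache configuration but not in the replica's. The two configuration files are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report Apache modules that the master
# loads and the replica does not, by comparing active LoadModule directives.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# loaded_modules FILE...
# Prints the module identifiers from active LoadModule lines, sorted, unique.
# Commented-out lines are ignored; directive names are case-insensitive.
# Lines inside <IfModule> blocks are counted as loaded (not evaluated here).
loaded_modules() {
    awk 'tolower($1) == "loadmodule" && NF >= 3 { print $2 }' "$@" | sort -u
}

# missing_modules MASTER_CONF REPLICA_CONF
# Prints modules present in MASTER_CONF but absent from REPLICA_CONF.
missing_modules() {
    mm_master=$(mktemp) || return 1
    mm_replica=$(mktemp) || { rm -f "$mm_master"; return 1; }
    loaded_modules "$1" > "$mm_master"
    loaded_modules "$2" > "$mm_replica"
    comm -23 "$mm_master" "$mm_replica"
    rm -f "$mm_master" "$mm_replica"
}

# demo_missing
# Builds two constructed config fragments: a default-style master and a
# replica where two auth modules were disabled during hardening.
demo_missing() {
    d=$(mktemp -d) || return 1
    cat > "$d/master.conf" <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
EOF
    cat > "$d/replica.conf" <<'EOF'
LoadModule auth_basic_module modules/mod_auth_basic.so
loadmodule authz_user_module modules/mod_authz_user.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
# LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
EOF
    missing_modules "$d/master.conf" "$d/replica.conf"
    rm -rf "$d"
}

demo_missing
```

To use it on real hosts, copy each server's Apache configuration to one machine and pass the two files to `missing_modules`; an empty result means the replica loads everything the master does.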



Re: [Freeipa-users] Trouble with replica install - SOLVED

2013-12-16 Thread Les Stott
Figured it out.

Missing apache modules (not loaded). One of the following

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

I'm not sure which one, I just matched what was on the master and reinstalled 
the replica - no errors. Been a long day so I don't feel like going through one 
by one, uninstalling/reinstalling etc. I imagine it's probably 
mod_authz_groupfile.so, but others are probably needed too.

Regards,

Les




From: Les Stott
Sent: Monday, December 16, 2013 11:44 PM
To: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Trouble with replica install

Petr,

The below was the error from apache error logs

> Apache logs the following error at the same time...
>
> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
> couldn't check access.  No groups file?: /ipa/xml, referer: 
> https://replica.mydomain.com/ipa/xml

Other lines in the /var/log/httpd/error log at the same time...

[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
couldn't check access.  No groups file?: /ipa/xml, referer: 
https://replica.mydomain.com/ipa/xml
[Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
[Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as 
context unconfined_u:system_r:httpd_t:s0

Regards,

Les


From: Petr Spacek [pspa...@redhat.com]
Sent: Monday, December 16, 2013 10:38 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install

On 16.12.2013 10:55, Les Stott wrote:
> Sorry, when I said "selinux is in permissive mode, but it's the same as on 
> the master server, so it should be the issue." It should have read as 
> "selinux is in permissive mode, but it's the same as on the master server, so 
> it should NOT be the issue."
>
> Les
>
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 16 December 2013 8:47 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Trouble with replica install
>
> Hi,
>
> Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
> Already setup master server, now trying to install replica (which I've done 
> before and it's worked fine).
>
> The replica install gets all the way to the end but errors out. For the most 
> part, it looks like it is complete, but I want to be sure there are no 
> lingering issues.
>
> The error I see in the log is...(domain and ip's changed)
>
> 
> 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
> Realm: MYDOMAIN.COM
> DNS Domain: mydomain.com
> IPA Server: replica.mydomain.com
> BaseDN: dc=mydomain,dc=com
> Domain mydomain.com is already configured in existing SSSD config, creating a 
> new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during 
> uninstall.
> Configured /etc/sssd/sssd.conf
> trying https://replica.mydomain.com/ipa/xml
> Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
> Traceback (most recent call last):
>File "/usr/sbin/ipa-client-install", line 2377, in 
>  sys.exit(main())
>File "/usr/sbin/ipa-client-install", line 2363, in main
>  rval = install(options, env, fstore, statestore)
>File "/usr/sbin/ipa-client-install", line 2167, in install
>  remote_env = api.Command['env'](server=True)['result']
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in 
> __call__
>  ret = self.run(*args, **options)
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in 
> run
>  return self.forward(*args, **options)
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in 
> forward
>  return self.Backend.xmlclient.forward(self.name, *args, **kw)
>File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
>  raise NetworkError(uri=server, error=e.errmsg)

> ipalib.errors.NetworkError: cannot connect to 
> u'https://replica.mydomain.com/ipa/xml': Internal Server Error

Please look int

Re: [Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
Petr,

The below was the error from apache error logs

> Apache logs the following error at the same time...
>
> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
> couldn't check access.  No groups file?: /ipa/xml, referer: 
> https://replica.mydomain.com/ipa/xml

Other lines in the /var/log/httpd/error log at the same time...

[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
couldn't check access.  No groups file?: /ipa/xml, referer: 
https://replica.mydomain.com/ipa/xml
[Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
[Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as 
context unconfined_u:system_r:httpd_t:s0

Regards,

Les


From: Petr Spacek [pspa...@redhat.com]
Sent: Monday, December 16, 2013 10:38 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble with replica install

On 16.12.2013 10:55, Les Stott wrote:
> Sorry, when I said "selinux is in permissive mode, but it's the same as on 
> the master server, so it should be the issue." It should have read as 
> "selinux is in permissive mode, but it's the same as on the master server, so 
> it should NOT be the issue."
>
> Les
>
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
> Sent: Monday, 16 December 2013 8:47 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Trouble with replica install
>
> Hi,
>
> Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
> Already set up master server, now trying to install replica (which I've done 
> before and it's worked fine).
>
> The replica install gets all the way to the end but errors out. For the most 
> part, it looks like it is complete, but I want to be sure there are no 
> lingering issues.
>
> The error I see in the log is...(domain and IPs changed)
>
> 
> 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
> Realm: MYDOMAIN.COM
> DNS Domain: mydomain.com
> IPA Server: replica.mydomain.com
> BaseDN: dc=mydomain,dc=com
> Domain mydomain.com is already configured in existing SSSD config, creating a 
> new one.
> The old /etc/sssd/sssd.conf is backed up and will be restored during 
> uninstall.
> Configured /etc/sssd/sssd.conf
> trying https://replica.mydomain.com/ipa/xml
> Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
> Traceback (most recent call last):
>File "/usr/sbin/ipa-client-install", line 2377, in 
>  sys.exit(main())
>File "/usr/sbin/ipa-client-install", line 2363, in main
>  rval = install(options, env, fstore, statestore)
>File "/usr/sbin/ipa-client-install", line 2167, in install
>  remote_env = api.Command['env'](server=True)['result']
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in 
> __call__
>  ret = self.run(*args, **options)
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in 
> run
>  return self.forward(*args, **options)
>File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in 
> forward
>  return self.Backend.xmlclient.forward(self.name, *args, **kw)
>File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
>  raise NetworkError(uri=server, error=e.errmsg)

> ipalib.errors.NetworkError: cannot connect to 
> u'https://replica.mydomain.com/ipa/xml': Internal Server Error

Please look into /var/log/httpd/errors.log on server replica.mydomain.com and
check error messages there.

Petr^2 Spacek

>
> 2013-12-16T09:26:50Z INFO   File 
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 
> 614, in run_script
>  return_value = main_function()
>
>File "/usr/sbin/ipa-replica-install", line 527, in main
>  raise RuntimeError("Failed to configure the client")
>
> 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: 
> RuntimeError: Failed to configure the client
> ---
>
> Apache logs the following error at the same time...
>
> [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
> couldn't check access.  No groups file?: /ipa/xml, referer: 
> https://replica.mydomain.com/ipa/xml
>
> I can log in to the GUI and it seems ok, but I'm rolling this into production 
> so I've got to get it right.
>
> I'm hoping this is just some bug because it's an older FreeIPA on Red Hat 
> (minimal install) etc. selinux is in permissive mode, but it's the same as on 
> the master server, so it should be the issue.
>
> Is this error critical? How can I fix it?
>
> Thanks in advance,
>
> Les

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
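
The check suggested in this thread, matching the installer failure against the Apache error log, as an added example that is not part of the original messages. The function names are hypothetical, the sample lines are re-joined from the excerpts quoted above, and the -5 hour offset is an assumption inferred from the two timestamps reported as simultaneous (09:26:50Z in the install log, 04:26:50 in the Apache log).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: log lines quoted in the thread, with e-mail wrapping removed.
INSTALL_LOG = """\
2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client
"""
HTTPD_LOG = """\
[Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  couldn't check access.  No groups file?: /ipa/xml, referer: https://replica.mydomain.com/ipa/xml
[Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
"""

INSTALL_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z\s+(\w+)\s+(.*)$")
HTTPD_RE = re.compile(r"^\[(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\] \[(\w+)\] (.*)$")

def install_failures(text):
    """UTC datetimes of install-log lines reporting that the command failed."""
    out = []
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m and "command failed" in m.group(3):
            out.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return out

def httpd_events(text, utc_offset_hours):
    """Parse error-log lines; the log carries no zone, so the offset is an assumption."""
    events = []
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if m:
            local = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            utc = local - timedelta(hours=utc_offset_hours)
            events.append((utc, m.group(2), m.group(3)))
    return events

def correlate(install_text, httpd_text, utc_offset_hours, window_s=5,
              levels=("crit", "alert", "emerg")):
    """Severe Apache events within window_s seconds of each installer failure."""
    hits = []
    for failed_at in install_failures(install_text):
        for when, level, msg in httpd_events(httpd_text, utc_offset_hours):
            if level in levels and abs((when - failed_at).total_seconds()) <= window_s:
                hits.append((failed_at, level, msg))
    return hits

if __name__ == "__main__":
    for failed_at, level, msg in correlate(INSTALL_LOG, HTTPD_LOG, utc_offset_hours=-5):
        print(failed_at.isoformat() + "Z", level, msg)
```

With the wrong offset the two logs appear unrelated, which is why the zone difference between the installer log (UTC) and the Apache log (local time) has to be settled before reading them side by side.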


Re: [Freeipa-users] Trouble with replica install

2013-12-16 Thread Petr Spacek

On 16.12.2013 10:55, Les Stott wrote:

Sorry, when I said "selinux is in permissive mode, but it's the same as on the master server, 
so it should be the issue." It should have read as "selinux is in permissive mode, but 
it's the same as on the master server, so it should NOT be the issue."

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Monday, 16 December 2013 8:47 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Trouble with replica install

Hi,

Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
Already set up master server, now trying to install replica (which I've done 
before and it's worked fine).

The replica install gets all the way to the end but errors out. For the most 
part, it looks like it is complete, but I want to be sure there are no 
lingering issues.

The error I see in the log is...(domain and IPs changed)


2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: replica.mydomain.com
BaseDN: dc=mydomain,dc=com
Domain mydomain.com is already configured in existing SSSD config, creating a 
new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
trying https://replica.mydomain.com/ipa/xml
Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 2377, in 
 sys.exit(main())
   File "/usr/sbin/ipa-client-install", line 2363, in main
 rval = install(options, env, fstore, statestore)
   File "/usr/sbin/ipa-client-install", line 2167, in install
 remote_env = api.Command['env'](server=True)['result']
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in 
__call__
 ret = self.run(*args, **options)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
 return self.forward(*args, **options)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in 
forward
 return self.Backend.xmlclient.forward(self.name, *args, **kw)
   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
 raise NetworkError(uri=server, error=e.errmsg)



ipalib.errors.NetworkError: cannot connect to 
u'https://replica.mydomain.com/ipa/xml': Internal Server Error


Please look into /var/log/httpd/errors.log on server replica.mydomain.com and 
check error messages there.


Petr^2 Spacek



2013-12-16T09:26:50Z INFO   File 
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, 
in run_script
 return_value = main_function()

   File "/usr/sbin/ipa-replica-install", line 527, in main
 raise RuntimeError("Failed to configure the client")

2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: 
RuntimeError: Failed to configure the client
---

Apache logs the following error at the same time...

[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
couldn't check access.  No groups file?: /ipa/xml, referer: 
https://replica.mydomain.com/ipa/xml

I can log in to the GUI and it seems ok, but I'm rolling this into production so 
I've got to get it right.

I'm hoping this is just some bug because it's an older FreeIPA on Red Hat 
(minimal install) etc. selinux is in permissive mode, but it's the same as on 
the master server, so it should be the issue.

Is this error critical? How can I fix it?

Thanks in advance,

Les




Re: [Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
Sorry, when I said "selinux is in permissive mode, but it's the same as on the 
master server, so it should be the issue." It should have read as "selinux is 
in permissive mode, but it's the same as on the master server, so it should NOT 
be the issue."

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Monday, 16 December 2013 8:47 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Trouble with replica install

Hi,

Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
Already set up master server, now trying to install replica (which I've done 
before and it's worked fine).

The replica install gets all the way to the end but errors out. For the most 
part, it looks like it is complete, but I want to be sure there are no 
lingering issues.

The error I see in the log is...(domain and IPs changed)


2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: replica.mydomain.com
BaseDN: dc=mydomain,dc=com
Domain mydomain.com is already configured in existing SSSD config, creating a 
new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
trying https://replica.mydomain.com/ipa/xml
Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in 
sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2167, in install
remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in 
__call__
ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in 
forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to 
u'https://replica.mydomain.com/ipa/xml': Internal Server Error

2013-12-16T09:26:50Z INFO   File 
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, 
in run_script
return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 527, in main
raise RuntimeError("Failed to configure the client")

2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: 
RuntimeError: Failed to configure the client
---

Apache logs the following error at the same time...

[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
couldn't check access.  No groups file?: /ipa/xml, referer: 
https://replica.mydomain.com/ipa/xml

I can log in to the GUI and it seems ok, but I'm rolling this into production so 
I've got to get it right.

I'm hoping this is just some bug because it's an older FreeIPA on Red Hat 
(minimal install) etc. selinux is in permissive mode, but it's the same as on 
the master server, so it should be the issue.

Is this error critical? How can I fix it?

Thanks in advance,

Les

[Freeipa-users] Trouble with replica install

2013-12-16 Thread Les Stott
Hi,

Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
Already set up master server, now trying to install replica (which I've done 
before and it's worked fine).

The replica install gets all the way to the end but errors out. For the most 
part, it looks like it is complete, but I want to be sure there are no 
lingering issues.

The error I see in the log is...(domain and IPs changed)


2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
Realm: MYDOMAIN.COM
DNS Domain: mydomain.com
IPA Server: replica.mydomain.com
BaseDN: dc=mydomain,dc=com
Domain mydomain.com is already configured in existing SSSD config, creating a 
new one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
trying https://replica.mydomain.com/ipa/xml
Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in 
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2167, in install
    remote_env = api.Command['env'](server=True)['result']
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 1073, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 769, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 776, in forward
    raise NetworkError(uri=server, error=e.errmsg)
ipalib.errors.NetworkError: cannot connect to u'https://replica.mydomain.com/ipa/xml': Internal Server Error

2013-12-16T09:26:50Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 527, in main
    raise RuntimeError("Failed to configure the client")

2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, exception: RuntimeError: Failed to configure the client
---

Apache logs the following error at the same time...

[Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error:  
couldn't check access.  No groups file?: /ipa/xml, referer: 
https://replica.mydomain.com/ipa/xml

I can log in to the GUI and it seems ok, but I'm rolling this into production so 
I've got to get it right.

I'm hoping this is just some bug because it's an older FreeIPA on Red Hat 
(minimal install) etc. selinux is in permissive mode, but it's the same as on 
the master server, so it should be the issue.

Is this error critical? How can I fix it?

Thanks in advance,

Les