Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
I have gotten a little further along with this but am having problems
connecting to the AD LDAP.

[r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
--binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
X9deiX9dei --passsync X9deiX9dei --cacert
/etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

Directory Manager password:

Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
database for ipa.wibble.com

ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
is unavailable'}

Failed to setup winsync replication

On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
 Hello,

 I am attempting to set up trust between my test freeipa server at
 ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

 In the GUI I can see the following in Trusts » prattle.com.

 Realm name: prattle.com
 Domain NetBIOS name: PRATTLE
 Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
 Trust direction: Two-way trust
 Trust type: Active Directory domain

 However I can't see any of the AD users that I have created nor can I
 log on to any of the systems under my freeipa realm.

 Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user
 bob from 10.51.120.1 port 55101 ssh2

 I haven't actually done anything to AD to facilitate this trust. It's
 not particularly clear what should be done.

 Many thanks,

 Andrew

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Dmitri Pal
On 01/02/2014 07:38 AM, Andrew Holway wrote:
 I have gotten a little further along with this but am having problems
 connecting to the AD LDAP.

 [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
 --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
 X9deiX9dei --passsync X9deiX9dei --cacert
 /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

 Directory Manager password:

 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com

 ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

 ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
 comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
 is unavailable'}

 Failed to setup winsync replication

Hello,

Trusts and winsync are mutually exclusive.
You either do one or the other. We do not have a way to move from one
configuration to another yet, and the decision should be made at
deployment time.

Which one do you prefer?
If you prefer trusts please follow the instructions on the wiki. The
guide is not updated yet, sorry.
http://www.freeipa.org/page/Trusts
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

It seems that after the trust is established you try to login and fail.
Can you provide more details about those attempts?
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
also see other sections on the same page.

HTH
Thanks
Dmitri



 On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
 Hello,

 I am attempting to set up trust between my test freeipa server at
 ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

 In the GUI I can see the following in Trusts » prattle.com.

 Realm name: prattle.com
 Domain NetBIOS name: PRATTLE
 Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
 Trust direction: Two-way trust
 Trust type: Active Directory domain

 However I can't see any of the AD users that I have created nor can I
 log on to any of the systems under my freeipa realm.

 Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user
 bob from 10.51.120.1 port 55101 ssh2

 I haven't actually done anything to AD to facilitate this trust. It's
 not particularly clear what should be done.

 Many thanks,

 Andrew


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





[Freeipa-users] NIS Compat issues

2014-01-02 Thread Joseph, Matthew (EXP)
Hello,

I've recently had to restart my IPA servers and my NIS compatibility mode has 
stopped working.
I've configured my IPA server to run in NIS compatibility mode by doing the 
following.
[root@ipaserver ~]# ipa-nis-manage enable
[root@ipaserver ~]# ipa-compat-manage enable
Restart the DNS and Directory Server service:
[root@server ~]# service restart rpcbind
[root@server ~]# service restart dirsrv
On my NIS clients I have the following setup in the yp.conf file.
domain domainname.ca   server   
ipaservername.domainname.ca

I tried just running the broadcast option but with no luck.


When I try to do a service ypbind start on my NIS clients it takes a few 
minutes to finally fail.
When I tried an yptest says Can't communicate with ypbind which makes sense 
since ypbind will not start.

On the NIS client in the messages file it says the following;
Ypbind: broadcast: RPC: Timed Out
Cannot bind UDP: Address already in use

Nothing has changed on my IPA server/configuration so I have no idea why this 
stopped working.
Any suggestions?

Matt

Re: [Freeipa-users] NIS Compat issues

2014-01-02 Thread Dmitri Pal
On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:

 Hello,

  

 I've recently had to restart my IPA servers and my NIS compatibility
 mode has stopped working.

 I've configured my IPA server to run in NIS compatibility mode by
 doing the following.

 [root@ipaserver ~]# ipa-nis-manage enable

 [root@ipaserver ~]# ipa-compat-manage enable

 Restart the DNS and Directory Server service:

 [root@server ~]# service restart rpcbind

 [root@server ~]# service restart dirsrv

 On my NIS clients I have the following setup in the yp.conf file.

 domain domainname.ca  
 server   ipaservername.domainname.ca

  

 I tried just running the broadcast option but with no luck.

  

  

 When I try to do a service ypbind start on my NIS clients it takes a
 few minutes to finally fail.

 When I tried an yptest says Can't communicate with ypbind which
 makes sense since ypbind will not start.

  

 On the NIS client in the messages file it says the following;

 Ypbind: broadcast: RPC: Timed Out

 Cannot bind UDP: Address already in use

  

 Nothing has changed on my IPA server/configuration so I have no idea
 why this stopped working.

 Any suggestions?


Please check that IPA is running and that the DS is running. Check the logs
to confirm that the compat plugin is loaded and working.
You can also try looking at the compat tree from the server itself to
verify that the plugin, at least the DS part, is functional.

This generally smells like a firewall issue, but I have no way to prove or
disprove the theory.

  

 Matt





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



Re: [Freeipa-users] Trouble with replica install

2014-01-02 Thread Martin Kosek
Ah, I see this thread was resolved already, my MUA just failed to properly
attach it to the thread. Please disregard this mail then (but I was right about
the root cause though :)

Martin

On 01/02/2014 05:46 PM, Martin Kosek wrote:
 Hello Les,
 
 Did you manage to resolve the issue? I just got to it after the Christmas
 break. Reading a few resources online, this error seems to come from a
 misconfigured httpd when, for example, the mod_authz_groupfile.so or
 mod_authz_user.so Apache modules are not loaded (I have them loaded in
 /etc/httpd/conf.modules.d/00-base.conf).
 
 Did you modify the httpd configuration in any way before you ran
 ipa-replica-install?
 
 Martin
 
 On 12/16/2013 01:44 PM, Les Stott wrote:
 Petr,

 The below was the error from apache error logs

 Apache logs the following error at the same time...

 [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration 
 error:  couldn't check access.  No groups file?: /ipa/xml, referer: 
 https://replica.mydomain.com/ipa/xml

 Other lines in the /var/log/httpd/error log at the same time...

 [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
 [Mon Dec 16 04:26:49 2013] [error] ipa: INFO: *** PROCESS START ***
 [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration error: 
  couldn't check access.  No groups file?: /ipa/xml, referer: 
 https://replica.mydomain.com/ipa/xml
 [Mon Dec 16 04:29:01 2013] [notice] caught SIGTERM, shutting down
 [Mon Dec 16 04:29:02 2013] [notice] SELinux policy enabled; httpd running as 
 context unconfined_u:system_r:httpd_t:s0

 Regards,

 Les

 
 From: Petr Spacek [pspa...@redhat.com]
 Sent: Monday, December 16, 2013 10:38 PM
 To: Les Stott; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Trouble with replica install

 On 16.12.2013 10:55, Les Stott wrote:
 Sorry, when I said selinux is in permissive mode, but it's the same as on 
 the master server, so it should be the issue. It should have read as 
 selinux is in permissive mode, but it's the same as on the master server, 
 so it should NOT be the issue.

 Les

 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
 Sent: Monday, 16 December 2013 8:47 PM
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] Trouble with replica install

 Hi,

 Running ipa-server-3.0.0-37.el6.x86_64 on rhel6.
 Already set up the master server, now trying to install a replica (which I've done 
 before and it's worked fine).

 The replica install gets all the way to the end but errors out. For the 
 most part, it looks like it is complete, but I want to be sure there are no 
 lingering issues.

 The error I see in the log is...(domain and ip's changed)

 
 2013-12-16T09:26:50Z DEBUG stderr=Hostname: replica.mydomain.com
 Realm: MYDOMAIN.COM
 DNS Domain: mydomain.com
 IPA Server: replica.mydomain.com
 BaseDN: dc=mydomain,dc=com
 Domain mydomain.com is already configured in existing SSSD config, creating 
 a new one.
 The old /etc/sssd/sssd.conf is backed up and will be restored during 
 uninstall.
 Configured /etc/sssd/sssd.conf
 trying https://replica.mydomain.com/ipa/xml
 Forwarding 'env' to server u'https://replica.mydomain.com/ipa/xml'
 Traceback (most recent call last):
File /usr/sbin/ipa-client-install, line 2377, in module
  sys.exit(main())
File /usr/sbin/ipa-client-install, line 2363, in main
  rval = install(options, env, fstore, statestore)
File /usr/sbin/ipa-client-install, line 2167, in install
  remote_env = api.Command['env'](server=True)['result']
File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 435, in 
 __call__
  ret = self.run(*args, **options)
File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 1073, 
 in run
  return self.forward(*args, **options)
File /usr/lib/python2.6/site-packages/ipalib/frontend.py, line 769, in 
 forward
  return self.Backend.xmlclient.forward(self.name, *args, **kw)
File /usr/lib/python2.6/site-packages/ipalib/rpc.py, line 776, in 
 forward
  raise NetworkError(uri=server, error=e.errmsg)

 ipalib.errors.NetworkError: cannot connect to 
 u'https://replica.mydomain.com/ipa/xml': Internal Server Error

 Please look into /var/log/httpd/errors.log on server replica.mydomain.com and
 check error messages there.

 Petr^2 Spacek


 2013-12-16T09:26:50Z INFO   File 
 /usr/lib/python2.6/site-packages/ipaserver/install/installutils.py, line 
 614, in run_script
  return_value = main_function()

File /usr/sbin/ipa-replica-install, line 527, in main
  raise RuntimeError(Failed to configure the client)

 2013-12-16T09:26:50Z INFO The ipa-replica-install command failed, 
 exception: RuntimeError: Failed to configure the client
 ---

 Apache logs the following error at the same time...

 [Mon Dec 16 04:26:50 2013] [crit] [client 192.168.0.13] configuration 
 error:  couldn't check access.  No 

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
I have taken out the winsync.

[r...@ipa.wibble.com ~]# ipa-replica-manage connect  --binddn
cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
pa$$ --cacert /etc/openldap/cacerts/prattle.crt
win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the server2008 AD logs. I am seeing
if I can make them more sensitive.

/var/log/messages

Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'lsarpc' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'samr' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'netlogon' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
contact LDAP server
Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
handle LDAP connection error. Reconnection in 60s
Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0]
ipa_sam.c:3689(bind_callback_cleanup)
Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error:
code=-1765328324, message=Generic error (see e-text)
Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320,  0]
../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server
ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous
bind] Error: Local error
Jan  2 16:53:49 ipa winbindd[12071]:   #011(unknown)
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.


On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
 On 01/02/2014 07:38 AM, Andrew Holway wrote:
 I have gotten a little further along with this but am having problems
 connecting to the AD LDAP.

 [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
 --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
 X9deiX9dei --passsync X9deiX9dei --cacert
 /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

 Directory Manager password:

 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com

 ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

 ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
 comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
 is unavailable'}

 Failed to setup winsync replication

 Hello,

 Trusts and winsync are mutually exclusive.
 You either do one or the other. We do not have a way to move from one
 configuration to another yet, and the decision should be made at
 deployment time.

 Which one do you prefer?
 If you prefer trusts please follow the instructions on the wiki. The
 guide is not updated yet, sorry.
 http://www.freeipa.org/page/Trusts
 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

 It seems that after the trust is established you try to login and fail.
 Can you provide more details about those attempts?
 http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
 also see other sections on the same page.

 HTH
 Thanks
 Dmitri



 On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
 Hello,

 I am attempting to set up trust between my test freeipa server at
 ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

 In the GUI I can see the following in Trusts » prattle.com.

 Realm name: prattle.com
 Domain NetBIOS name: PRATTLE
 Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
 Trust direction: Two-way trust
 Trust type: Active Directory domain

 However I can't see any of the AD users that I have created nor can I
 log on to any of the systems under my freeipa realm.

 Jan  1 20:50:30 

Re: [Freeipa-users] ipa-client-install 2.58 client incompatible with 2.49 server

2014-01-02 Thread Martin Kosek
On 12/28/2013 06:50 PM, Rob Crittenden wrote:
 Will Sheldon wrote:

 Hello :)

 I'm trying to setup a ubuntu 12.04.3 client running freeipa-client
 3.2.0-0ubuntu1~precise1 from the apt repo at
 http://ppa.launchpad.net/freeipa/ppa/ubuntu
 The server is a (fully updated) centos 6.5 box running ipa-server.x86_64
 3.0.0-37.el6

 The script mostly works on a stock install, but there is an error
 uploading SSH keys, This appears to be called from the
 ipa-client-install script line 1436:

  result = api.Command['host_mod'](unicode(hostname),

 Which generates the following output when run:

 stderr=
 Caught fault 901 from server https://ipa.[domain].com/ipa/xml: 2.58
 client incompatible with 2.49 server at u'https://ipa.[domain].com/ipa/xml'
 host_mod: 2.58 client incompatible with 2.49 server at
 u'https://ipa.[domain].com/ipa/xml'
 Failed to upload host SSH public keys.

 I understand that this is not a critical failure and that I can manually
 upload the host keys if needed but the bit I don't understand is where
 the version numbers come from.
 
 The API version is baked into the client and server. We generally provide a
 backwards compatible server, but right now not the client (so a new client
 can't always have 100% success talking to an old server). We are actually
 working on this, especially for client enrollment, to make things work more
 smoothly.
 
 How do I revert the api to version 2.49 to match the server?
 
 You'd have to modify ipapython/version.py on each client before enrollment. For
 enrollment I can't think of any side-effects, but if you ever tried the IPA
 admin tool on such a client then some odd things could happen.
 
 What is best practice here, should I be using a different source for the
 client install script?
 
 I don't know what is available for Debian/Ubuntu clients these days. It is
 being worked on very hard though I think the focus is on the latest source
 which explains the mismatch.
 
 Is there a copy of the correct client files stashed on the server somewhere?
 Would anyone be interested in helping with development of a yum and apt
 repo on the server to make all this easier?
 
 The server being the IPA server, so it can distribute the client bits? An
 interesting idea.
 
 rob
 

Note that this issue was fixed in FreeIPA version 3.3.2 (upstream ticket
https://fedorahosted.org/freeipa/ticket/3931).

Thus, when using FreeIPA client 3.3.2 and later, ipa-client-install will upload
the SSH keys even to the older SSH server. No other changes required.

HTH,
Martin



Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Dmitri Pal
On 01/02/2014 12:07 PM, Andrew Holway wrote:
 I have taken out the winsync.

 [r...@ipa.wibble.com ~]# ipa-replica-manage connect  --binddn
 cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
 pa$$ --cacert /etc/openldap/cacerts/prattle.crt
 win-5uglhak7rin.prattle.com. -vvv
 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com

You are still setting up a replication agreement, not a trust.

 You cannot connect to a previously deleted master

I think it confuses your AD for a replica that does not exist.


 I can't find anything useful in the server2008 AD logs. I am seeing
 if I can make them more sensitive.

 /var/log/messages

 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'lsarpc' already registered on endpoint
 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'samr' already registered on endpoint
 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'netlogon' already registered on endpoint
 Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
 Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
 Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
 contact LDAP server

This seems to indicate that the directory server is not running.
Can you check that the dirsrv is running?

 Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
 handle LDAP connection error. Reconnection in 60s
 Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0]
 ipa_sam.c:3689(bind_callback_cleanup)
 Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error:
 code=-1765328324, message=Generic error (see e-text)
 Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320,  0]
 ../source3/lib/smbldap.c:998(smbldap_connect_system)
 Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server
 ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous
 bind] Error: Local error
 Jan  2 16:53:49 ipa winbindd[12071]:   #011(unknown)
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.


 On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
 On 01/02/2014 07:38 AM, Andrew Holway wrote:
 I have gotten a little further along with this but am having problems
 connecting to the AD LDAP.

 [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
 --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
 X9deiX9dei --passsync X9deiX9dei --cacert
 /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

 Directory Manager password:

 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com

 ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

 ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
 comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
 is unavailable'}

 Failed to setup winsync replication
 Hello,

 Trusts and winsync are mutually exclusive.
 You either do one or the other. We do not have a way to move from one
 configuration to another yet, and the decision should be made at
 deployment time.

 Which one do you prefer?
 If you prefer trusts please follow the instructions on the wiki. The
 guide is not updated yet, sorry.
 http://www.freeipa.org/page/Trusts
 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

 It seems that after the trust is established you try to login and fail.
 Can you provide more details about those attempts?
 http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
 also see other sections on the same page.

 HTH
 Thanks
 Dmitri


 On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
 Hello,

 I am attempting to set up trust between my test freeipa server at
 ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

 In the GUI I can see the following in Trusts » prattle.com.

 Realm 
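The named and winbindd lines Dmitri points at above are the fingerprint of a local 389-ds instance that is not answering, while the smbd "already registered on endpoint" lines are unrelated noise. As an added example that is not part of the thread or of FreeIPA, this POSIX shell snippet encodes that reading as grep rules over /var/log/messages-style lines (the sample input is the thread's own lines, re-joined one per syslog line) and names the RHEL 6 era commands to run next; `ipactl`, the `dirsrv` sysv service and `ipa trust-find` are real tools, and the log path is the standard 389-ds one.

```shell
#!/bin/sh
# Added triage helper for the thread above (not from the posters or FreeIPA).
# Dmitri's reading: named and winbindd both failing against the local LDAP
# server means 389-ds is down; the smbd endpoint-mapper lines are noise.

# stdin: syslog lines; stdout: number of lines showing the local DS unreachable
ds_down_hits() {
    grep -E -c \
        -e 'named\[[0-9]+\]: .*(Can.t contact LDAP server|connection to the LDAP server was lost)' \
        -e 'winbindd\[[0-9]+\]: .*failed to bind to server ldapi://' \
        || true            # grep -c exits 1 on zero matches; still print the 0
}

# stdin: syslog excerpt; stdout: DS_DOWN, SAMBA_ONLY or OK
classify_messages() {
    excerpt=$(cat)
    hits=$(printf '%s\n' "$excerpt" | ds_down_hits)
    if [ "$hits" -gt 0 ]; then
        echo DS_DOWN
    elif printf '%s\n' "$excerpt" | grep -q 'smbd\[[0-9]*\]: .*already registered on endpoint'; then
        echo SAMBA_ONLY    # endpoint-mapper chatter, not a connectivity fault
    else
        echo OK
    fi
}

# Commands to run next on the IPA server for a verdict (RHEL 6 / IPA 3.x era,
# as in the thread).
next_steps() {
    case "$1" in
        DS_DOWN)
            echo "ipactl status"
            echo "service dirsrv status"
            echo "tail -n 50 /var/log/dirsrv/slapd-*/errors"
            ;;
        SAMBA_ONLY|OK)
            echo "ipa trust-find   # list trust objects, then test resolution with: getent passwd user@<ad-domain>"
            ;;
    esac
}

# Sample input: the lines Andrew posted, re-joined one syslog line each.
SAMPLE="Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous bind] Error: Local error
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many handles (2049) on this pipe."

verdict=$(printf '%s\n' "$SAMPLE" | classify_messages)
echo "verdict: $verdict"
next_steps "$verdict"
```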

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
I turned off all the AD processes on my Windows domain controller.

The error did not change.

On 2 January 2014 17:07, Andrew Holway andrew.hol...@gmail.com wrote:
 I have taken out the winsync.

 [r...@ipa.wibble.com ~]# ipa-replica-manage connect  --binddn
 cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
 pa$$ --cacert /etc/openldap/cacerts/prattle.crt
 win-5uglhak7rin.prattle.com. -vvv
 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com
 You cannot connect to a previously deleted master

 I can't find anything useful in the server2008 AD logs. I am seeing
 if I can make them more sensitive.

 /var/log/messages

 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'lsarpc' already registered on endpoint
 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'samr' already registered on endpoint
 Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147,  0]
 ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
 Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
 interface 'netlogon' already registered on endpoint
 Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
 Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
 Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
 contact LDAP server
 Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
 handle LDAP connection error. Reconnection in 60s
 Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0]
 ipa_sam.c:3689(bind_callback_cleanup)
 Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error:
 code=-1765328324, message=Generic error (see e-text)
 Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320,  0]
 ../source3/lib/smbldap.c:998(smbldap_connect_system)
 Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server
 ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn=[Anonymous
 bind] Error: Local error
 Jan  2 16:53:49 ipa winbindd[12071]:   #011(unknown)
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.
 Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427,  0]
 ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
 Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
 handles (2049) on this pipe.


 On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote:
 On 01/02/2014 07:38 AM, Andrew Holway wrote:
 I have gotten a little further along with this but am having problems
 connecting to the AD LDAP.

 [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
 --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
 X9deiX9dei --passsync X9deiX9dei --cacert
 /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv

 Directory Manager password:

 Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
 database for ipa.wibble.com

 ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.

 ipa: INFO: The error was: {'info': ': LdapErr: DSID-0C090E17,
 comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
 is unavailable'}

 Failed to setup winsync replication

 Hello,

 Trusts and winsync are mutually exclusive.
 You either do one or the other. We do not have a way to move from one
 configuration to another yet, and the decision should be made at
 deployment time.

 Which one do you prefer?
 If you prefer trusts please follow the instructions on the wiki. The
 guide is not updated yet, sorry.
 http://www.freeipa.org/page/Trusts
 http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

 It seems that after the trust is established you try to login and fail.
 Can you provide more details about those attempts?
 http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
 also see other sections on the same page.

 HTH
 Thanks
 Dmitri



 On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote:
 Hello,

 I am attempting to set up trust between my test freeipa server at
 ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.

 In the GUI I can see the following in Trusts » prattle.com.

 Realm name: prattle.com
 Domain NetBIOS name: PRATTLE
 Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
 

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-02 Thread Dmitri Pal
On 01/02/2014 12:30 PM, Joseph, Matthew (EXP) wrote:

 Hello,

  

 All of the IPA services are running.

 When I tried running the ipa-compat-manage enable and ipa-nis-manage
 enable, they are both loaded and running.


Have you checked the logs to confirm that the DS server actually loaded
the plugins?

 The firewall is not the issue, I am positive about that.

  

 What do you mean by looking at the compat tree from the IPA server?


I mean doing an ldapsearch operation against the cn=compat,... subtree by
running it on the server, just to see if it returns any data. If it does,
then the server is probably OK and it is the client that can't connect
due to FW or DNS.

  

 Matt

  

 *From:*freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
 *Sent:* Thursday, January 02, 2014 12:13 PM
 *To:* freeipa-users@redhat.com
 *Subject:* EXTERNAL: Re: [Freeipa-users] NIS Compat issues

  

 On 01/02/2014 11:05 AM, Joseph, Matthew (EXP) wrote:

 Hello,

  

 I've recently had to restart my IPA servers and my NIS compatibility
 mode has stopped working.

 I've configured my IPA server to run in NIS compatibility mode by
 doing the following.

 [root@ipaserver ~]# ipa-nis-manage enable

 [root@ipaserver ~]# ipa-compat-manage enable

 Restart the DNS and Directory Server service:

 [root@server ~]# service restart rpcbind

 [root@server ~]# service restart dirsrv

 On my NIS clients I have the following setup in the yp.conf file.

 domain domainname.ca  
 server   ipaservername.domainname.ca

  

 I tried just running the broadcast option but with no luck.

  

  

 When I try to do a service ypbind start on my NIS clients it takes a
 few minutes to finally fail.

 When I tried an yptest says Can't communicate with ypbind which
 makes sense since ypbind will not start.

  

 On the NIS client in the messages file it says the following;

 Ypbind: broadcast: RPC: Timed Out

 Cannot bind UDP: Address already in use

  

 Nothing has changed on my IPA server/configuration so I have no idea
 why this stopped working.

 Any suggestions?


 Please check if the IPA is running, the DS is running. Check the logs
 that the compat plugin is loaded and working.
 You can also try looking at the compat tree from the server itself to
 verify that the plugin, at least the DS part is functional.

 This generally smells as a firewall issue but I have not way to prove
 or disprove the theory.


  

 Matt






-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-02 Thread Rob Crittenden

Joseph, Matthew (EXP) wrote:

Hello,

All of the IPA services are running.

When I tried running the ipa-compat-manage enable and ipa-nis-manage
enable they are both loaded and running.


On the IPA master you should be able to run something like:

$ ypcat -h `hostname` -d <your nis domain name> passwd

This will confirm basic operation on the server.

If you can run the same on a client it will rule out firewall issues.

Is a ypbind process already running on these clients? That might explain 
the 'address in use' error.


rob



The firewall is not the issue, I am positive about that.

What do you mean by looking at the compat tree from the IPA server?

Matt

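Rob's ypcat check and Dmitri's ldapsearch against the compat subtree, together with a check for a ypbind that is already running, as one script. This is an added example and not code from the thread or from FreeIPA; the base DN, NIS domain name and server are arguments it assumes, and the ldapsearch and rpcinfo output and the ypbind log lines it is checked against are constructed.

```shell
#!/bin/sh
# nis_compat_check.sh: walk the IPA NIS compat path from the server outward.
# Added example for this thread; not part of FreeIPA.
# Usage: sh nis_compat_check.sh dc=example,dc=com example.com [ipa.example.com]
# (base DN, NIS domain name and server are assumed arguments, not values
# taken from the thread.)

# Count LDAP entries in LDIF read from stdin: each entry starts with "dn: ".
# "|| true" keeps grep's exit status 1 on zero matches from aborting callers.
count_ldif_entries() {
    grep -c '^dn: ' || true
}

# True if an "rpcinfo -p" listing on stdin advertises program 100004
# (ypserv), i.e. the NIS plugin registered a NIS server with rpcbind.
rpcinfo_has_ypserv() {
    awk '$1 == 100004 { found = 1 } END { exit !found }'
}

# True if a ypbind log excerpt on stdin shows the bind failure from the
# thread: something else (usually an earlier ypbind) already owns the port,
# which has nothing to do with the server or a firewall.
ypbind_port_conflict() {
    grep -q 'Cannot bind UDP: Address already in use'
}

main() {
    basedn=$1
    nisdomain=$2
    server=${3:-$(hostname)}

    # 1. Directory Server side of the compat plugin: does cn=compat return
    #    anything at all? An empty answer means the plugin is not loaded or
    #    not working, and no client will ever see NIS maps.
    n=$(ldapsearch -x -LLL -H "ldap://$server" \
            -b "cn=users,cn=compat,$basedn" -s one '(objectClass=*)' dn \
        | count_ldif_entries)
    echo "entries under cn=users,cn=compat,$basedn: $n"
    if [ "$n" -eq 0 ]; then
        echo "compat tree is empty: check the dirsrv errors log for the plugin" >&2
        return 1
    fi

    # 2. NIS side: is ypserv registered with rpcbind on the server?
    if rpcinfo -p "$server" | rpcinfo_has_ypserv; then
        echo "ypserv (100004) is registered with rpcbind on $server"
    else
        echo "no ypserv registration on $server: NIS plugin not listening" >&2
        return 1
    fi

    # 3. End to end, first on the server itself, then from a client: if it
    #    works here and not there, the difference is the network (firewall,
    #    DNS), not the server.
    ypcat -h "$server" -d "$nisdomain" passwd | head -n 3

    # 4. The client-side symptom: a ypbind that is already running.
    if pgrep -x ypbind >/dev/null 2>&1; then
        echo "ypbind already running (pid $(pgrep -x ypbind | head -n 1));" \
             "stop it before 'service ypbind start'" >&2
    fi
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it on the IPA master first, then on a failing client; the step at which the two runs diverge is where to look.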


Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
 You are still setting up a replication agreement not a trust.

Oh, I am following the redhat documentation here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

 This seems to indicate that the directory server is not running.
 Can you check that the dirsrv is running?

[r...@ipa.wibble.com log]# /etc/init.d/dirsrv status
dirsrv PKI-IPA (pid 7394) is running...
dirsrv WIBBLE-COM (pid 7463) is running...


[r...@ipa.wibble.com log]# ipa trust-add --type=ad prattle.com --admin
Administrator --password
Active directory domain administrator's password:

Added Active Directory trust for realm prattle.com

  Realm name: prattle.com
  Domain NetBIOS name: PRATTLE
  Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

However I cannot log into the windows domain with my linux users nor
the linux domain with my linux users.

Ta,

Andrew



Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Simo Sorce
On Thu, 2014-01-02 at 19:12 +, Andrew Holway wrote:
 However I cannot log into the windows domain with my linux users nor
 the linux domain with my linux users.

At this time logging in with linux users into the Windows domain is not
supported and does not work.
However logging in with a Windows user into a linux machine joined to the ipa
realm should work, as long as you use sssd on the linux machine.
What error do you see on the linux machine when you try to log in with a
windows user ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
 As for AD users we need to look at the client and see what is going on
 there. What is your client? Version and component? Is it using latest SSSD?
 If not additional steps might be needed. Please provide the details
 about the clients. Please start with trying AD users on the IPA server
 itself, looking at the logs and seeing what is going on.

/var/log/secure
Jan  2 19:27:46 ipa sshd[8252]: pam_unix(sshd:auth): check pass; user unknown
Jan  2 19:27:46 ipa sshd[8252]: pam_succeed_if(sshd:auth): error
retrieving information about user b...@prattle.com
Jan  2 19:27:49 ipa sshd[8252]: Failed password for invalid user
b...@prattle.com from 192.168.202.12 port 51537 ssh2

/var/log/messages (not sure if related. this error is going off every 20s)
Jan  2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.895536,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:52:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'lsarpc' already registered on endpoint
Jan  2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896121,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:52:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'samr' already registered on endpoint
Jan  2 19:52:18 ipa smbd[7279]: [2014/01/02 19:52:18.896616,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:52:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'netlogon' already registered on endpoint
Jan  2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.913794,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:53:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'lsarpc' already registered on endpoint
Jan  2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914377,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:53:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'samr' already registered on endpoint
Jan  2 19:53:18 ipa smbd[7279]: [2014/01/02 19:53:18.914853,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 19:53:18 ipa smbd[7279]:   dcesrv_interface_register: interface
'netlogon' already registered on endpoint

/var/log/krb5kdc.log
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes
{18 17 16 23}) 10.51.120.1: NEEDED_PREAUTH:
host/ipa.wibble@wibble.com for krbtgt/wibble@wibble.com,
Additional pre-authentication required
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): AS_REQ (4 etypes
{18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18
tkt=18 ses=18}, host/ipa.wibble@wibble.com for
krbtgt/wibble@wibble.com
Jan 02 19:27:37 ipa.wibble.com krb5kdc[6611](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.51.120.1: ISSUE: authtime 1388690857, etypes {rep=18
tkt=18 ses=18}, host/ipa.wibble@wibble.com for
ldap/ipa.wibble@wibble.com

/var/log/sssd/*
this is using bob@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/ff817a251948ff58bdb1

this is using b...@prattle.com@host (prattle.com is the windows domain)
https://gist.github.com/anonymous/885d8bfd6cf7d224de93





Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
Sorry, I forgot this. It works fine for the wibble.com linux domain.

[r...@ipa.wibble.com log]# ldapsearch -x -ZZ -H ldap://localhost -b
dc=prattle,dc=com
# extended LDIF
#
# LDAPv3
# base dc=prattle,dc=com with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 32 No such object

# numResponses: 1



[Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Genadi Postrilko
Hi all.

I have a running IPA Server (3.0.0-37) on RHEL 6.2.
I'm trying to create a trust between the IPA server and AD (in different DNS
domains). I followed the Red Hat guide
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Identity_Management_Guide/Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US.pdf

When I completed the needed steps to create the trust, I retrieved a krb
ticket from the AD server:

[root@ipaserver ~]# kinit administra...@addc.com
Password for administra...@addc.com:
[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@addc.com

Valid starting     Expires            Service principal
01/02/14 12:20:30  01/02/14 22:20:34  krbtgt/addc@addc.com
	renew until 01/03/14 12:20:30

But when I try to connect to the IPA server via SSH (PuTTY) I get an Access
denied message:

login as: administra...@addc.com
administra...@addc.com@192.168.227.128's password:
Access denied

Any ideas on what I could have done wrong in the process of creating the
trust?

Thank you in advance.

Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Rob Crittenden


I'd check the sssd logs and /var/log/secure.

Do you have any HBAC rules?

rob



Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Genadi Postrilko
It's a newly installed IPA Server, I haven't added any rules.

The relevant output from /var/log/secure :

Jan  2 13:36:24 ipaserver sshd[4864]: Invalid user  from 192.168.227.100
Jan  2 13:36:24 ipaserver sshd[4865]: input_userauth_request: invalid user
Jan  2 13:36:26 ipaserver sshd[4865]: Connection closed by 192.168.227.100
Jan  2 13:36:35 ipaserver sshd[4868]: Invalid user Administrator@ADDC.COM from 192.168.227.100
Jan  2 13:36:35 ipaserver sshd[4869]: input_userauth_request: invalid user
administra...@addc.com
Jan  2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): check pass; user
unknown
Jan  2 13:36:44 ipaserver sshd[4868]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.227.100
Jan  2 13:36:44 ipaserver sshd[4868]: pam_succeed_if(sshd:auth): error
retrieving information about user administra...@addc.com
Jan  2 13:36:46 ipaserver sshd[4868]: Failed password for invalid user
administra...@addc.com from 192.168.227.100 port 62484 ssh2




Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Dmitri Pal
Looks like an error similar to what I see in the other thread.
Unfortunately we might need to wait till Monday for Alexander, Sumit and
Jakub to come back and provide help.


Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Andrew Holway
If you add debug_level = 5 into every section of /etc/sssd/sssd.conf

Restart sssd

Try and log in again

cat /var/log/sssd/*

And paste that somewhere.



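To read the /var/log/secure lines Andrew and Genadi posted, and to set debug_level in every section of sssd.conf as suggested above, here is an added script (example code, not part of the thread, FreeIPA or SSSD). The PAM message patterns are the ones pam_unix, pam_succeed_if and pam_sss write on RHEL 6; the sample log lines, the sssd.conf fragment and the user and domain names it is checked against are constructed placeholders.

```shell
#!/bin/sh
# trust_login_triage.sh: read sshd/PAM lines from /var/log/secure and say at
# which stage a trusted-domain (AD) user's login died, then print the next
# command to run. Added example for this thread, not FreeIPA or SSSD code.
# The sample log lines it is tested against are constructed; the AD domain
# and user names are placeholders.

# Classify each user seen on stdin. Output: "user<TAB>stage", one per user,
# where the stage of the most recent attempt wins:
#   unresolved  NSS never returned the user: sshd "Invalid user X from ...",
#               pam_succeed_if "error retrieving information about user X",
#               exactly the lines in the thread. sssd did not resolve the AD
#               user, so no password ever reached the AD KDC and no HBAC
#               rule was evaluated.
#   auth        pam_sss rejected the credentials: the user did resolve.
#   hbac        pam_sss denied the account phase: resolved, authenticated,
#               blocked by an HBAC rule.
classify_secure_log() {
    awk '
    /sshd\[[0-9]+\]: Invalid user .* from / {
        u = $0
        sub(/.*Invalid user /, "", u)
        sub(/ from .*/, "", u)
        if (u != "") stage[u] = "unresolved"
        next
    }
    /pam_succeed_if\(sshd:auth\): error retrieving information about user/ {
        stage[$NF] = "unresolved"
        next
    }
    /pam_sss\(sshd:auth\): authentication failure/ {
        u = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^user=/) u = substr($i, 6)
        if (u != "") stage[u] = "auth"
        next
    }
    /pam_sss\(sshd:account\): Access denied for user/ {
        u = $0
        sub(/.*Access denied for user /, "", u)
        sub(/:.*/, "", u)
        stage[u] = "hbac"
        next
    }
    END { for (u in stage) print u "\t" stage[u] }
    ' | sort
}

# The one command that separates the candidate causes for a given stage.
next_step() {
    case $1 in
        unresolved) echo "getent passwd '$2'   # must print a line; if empty, read /var/log/sssd/sssd_*.log" ;;
        auth)       echo "KRB5_TRACE=/dev/stderr kinit '$2'   # does the AD KDC accept the password?" ;;
        hbac)       echo "ipa hbactest --user='$2' --host=\$(hostname -f) --service=sshd" ;;
        *)          return 1 ;;
    esac
}

# Put "debug_level = N" (default 5) into every section of an sssd.conf read
# from stdin, replacing any existing debug_level line, so the domain, nss
# and pam logs all show the lookup. Write the result back yourself:
#   sssd_set_debug_level 5 < /etc/sssd/sssd.conf > /etc/sssd/sssd.conf.new
sssd_set_debug_level() {
    awk -v lvl="${1:-5}" '
    /^[[:space:]]*\[/ { print; print "debug_level = " lvl; next }
    /^[[:space:]]*debug_level[[:space:]]*=/ { next }
    { print }'
}

if [ "${1:-}" = "--log" ]; then
    classify_secure_log < "${2:-/var/log/secure}" |
    while IFS="$(printf '\t')" read -r user stage; do
        echo "$user: $stage"
        echo "  next: $(next_step "$stage" "$user")"
    done
fi
```

Run `sh trust_login_triage.sh --log /var/log/secure` on the machine where the login fails. Both logs in this thread stop at the "unresolved" stage, which is why the krb5kdc log shows no AS_REQ for the AD user: the password was never checked because the name was never looked up successfully.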


Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Genadi Postrilko
Here are the sssd.log and sssd_nss.log. Other logs were empty or did not
contain the output for the relevant login.

https://gist.github.com/anonymous/8228284



Re: [Freeipa-users] ipa-client-install 2.58 client incompatible with 2.49 server

2014-01-02 Thread Will Sheldon
Thanks guys.

For now I've just reverted the reported version while the install script
runs. It seems to work OK.


On Thu, Jan 2, 2014 at 9:06 AM, Martin Kosek mko...@redhat.com wrote:

 On 12/28/2013 06:50 PM, Rob Crittenden wrote:
  Will Sheldon wrote:
 
  Hello :)
 
  I'm trying to setup a ubuntu 12.04.3 client running freeipa-client
  3.2.0-0ubuntu1~precise1 form the apt repo at
  http://ppa.launchpad.net/freeipa/ppa/ubuntu
  The server is a (fully updated) centos 6.5 box running ipa-server.x86_64
  3.0.0-37.el6
 
  The script mostly works on a stock install, but there is an error
  uploading SSH keys, This appears to be called from the
  ipa-client-install script line 1436:
 
   result = api.Command['host_mod'](unicode(hostname),
 
  Which generates the following output when run:
 
  stderr=
  Caught fault 901 from server https://ipa.[domain].com/ipa/xml: 2.58
  client incompatible with 2.49 server at u'https://ipa.
 [domain].com/ipa/xml'
  host_mod: 2.58 client incompatible with 2.49 server at
  u'https://ipa.[domain].com/ipa/xml'
  Failed to upload host SSH public keys.
 
  I understand that this is not a critical failure and that I can manually
  upload the host keys if needed but the bit I don't understand is where
  the version numbers come from.
 
  The API version is baked into the client and server. We generally provide a
  backwards compatible server, but right now not the client (so a new client
  can't always have 100% success talking to an old server). We are actually
  working on this, especially for client enrollment, to make things work more
  smoothly.
 
  How do I revert the API to version 2.49 to match the server?
 
  You'd have to modify ipapython/version.py on each client before enrollment. For
  enrollment I can't think of any side-effects, but if you ever tried the IPA
  admin tool on such a client then some odd things could happen.
 
  What is best practice here, should I be using a different source for the
  client install script?
 
  I don't know what is available for Debian/Ubuntu clients these days. It is
  being worked on very hard though I think the focus is on the latest source
  which explains the mismatch.
 
  Is there a copy of the correct client files stashed on the server somewhere?
  Would anyone be interested in helping with development of a yum and apt
  repo on the server to make all this easier?
 
  The server being the IPA server, so it can distribute the client bits? An
  interesting idea.
 
  rob
 

 Note that this issue was fixed in FreeIPA version 3.3.2 (upstream ticket
 https://fedorahosted.org/freeipa/ticket/3931).

 Thus, when using FreeIPA client 3.3.2 and later, ipa-client-install will upload
 the SSH keys even to the older SSH server. No other changes required.

 HTH,
 Martin




-- 

Kind regards,

Will Sheldon
+1.(778)-689-4144
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
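
The version mismatch discussed in this thread, as an added example that is neither the thread's nor FreeIPA's own code: a POSIX sh model of the compatibility rule Rob describes (a server accepts a client whose API version is the same or older, and refuses a newer one), the fault wording the client printed, and a helper that reads the API_VERSION a client ships in ipapython/version.py, which is the value the workaround above edits before enrollment. Assumed, not taken from the project source: two-field "major.minor" versions compared as equal major and client minor not above server minor, and an `API_VERSION=u'2.58'`-style line in version.py. The URL is a placeholder.

```shell
# Added example, not from the thread or the FreeIPA project: a POSIX sh
# model of the API-version rule described above. Assumption: the server
# accepts a client whose "major.minor" API version has the same major
# number and a minor number no greater than its own, and rejects anything
# else (my approximation of the server-side check, not the project's code).

# valid_version X.Y -> 0 if exactly two dot-separated integer fields
valid_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*.*.*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ipa_api_compatible CLIENT SERVER -> 0 compatible, 1 incompatible, 2 bad input
ipa_api_compatible() {
    valid_version "$1" && valid_version "$2" || return 2
    client_major=${1%%.*}; client_minor=${1#*.}
    server_major=${2%%.*}; server_minor=${2#*.}
    [ "$client_major" -eq "$server_major" ] || return 1   # no cross-major talk
    [ "$client_minor" -le "$server_minor" ] || return 1   # newer client refused
    return 0
}

# ipa_version_message CLIENT SERVER URL -> one line a caller would log;
# the incompatible form mirrors the fault-901 wording quoted in the thread.
ipa_version_message() {
    if ! valid_version "$1" || ! valid_version "$2"; then
        echo "unparseable version: $1 / $2" >&2
        return 2
    fi
    if ipa_api_compatible "$1" "$2"; then
        echo "$1 client compatible with $2 server at $3"
    else
        echo "$1 client incompatible with $2 server at $3"
    fi
}

# ipa_reported_api_version FILE -> the API_VERSION value a client ships in
# ipapython/version.py (assumed form: API_VERSION=u'2.58'); this is the
# number the thread's workaround changes before enrollment.
ipa_reported_api_version() {
    sed -n "s/^API_VERSION *= *[ub]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1"
}

# Demo with the versions from the thread (placeholder URL).
ipa_version_message 2.58 2.49 "https://ipa.example.test/ipa/xml"
```

Pinning a client's reported API version is a compatibility hack, not a fix: as Rob notes, the admin tool on such a client may then call commands the old server does not know, so re-check `ipa_reported_api_version` on enrolled hosts and restore the packaged value once the server is upgraded.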

Re: [Freeipa-users] FreeIPA Security issue : Anonymous user can fetch user details from IPA without authenticating

2014-01-02 Thread Will Sheldon
This is cause for concern. Is there a hardening / best practices for
production guide anywhere, or did I miss a section of the documentation?

What else do I need to secure?

I understand that there is a tradeoff between security and compatibility,
but maybe there should be an ipa-secure script somewhere?


On Wed, Jan 1, 2014 at 10:41 AM, Jitse Klomp jitsekl...@gmail.com wrote:

 It is possible to disable anonymous binds to the directory server. Take a
 look at https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html

  - Jitse



 On 01/01/2014 07:01 PM, Rajnesh Kumar Siwal wrote:

 It exposes the details of all the users/admins in the environment.
 There should be a user that the IPA should use to fetch the details from
 the IPA Servers. Without authentication, no one should be able to fetch
 any information from the IPA Server.






-- 

Kind regards,

Will Sheldon
+1.(778)-689-4144
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
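
Will's question about what to check and Jitse's answer about disabling anonymous binds, as an added example that is not from the thread or from FreeIPA: a small POSIX sh hardening check that measures how many user accounts an unauthenticated client can list, and the LDIF that switches the 389-ds setting the linked guide describes. Assumed, not from the page: the OpenLDAP client tools (`ldapsearch`, `ldapmodify`) are installed, the directory is reachable on port 389 with STARTTLS, and `nsslapd-allow-anonymous-access` on `cn=config` (values `on`, `off`, `rootdse`) is the attribute that governs anonymous binds; `ipa.example.test` and `dc=example,dc=test` are placeholders.

```shell
# Added example, not from the thread or the FreeIPA project. Assumptions:
# the OpenLDAP client tools are installed, the IPA directory server is
# reachable on port 389 with STARTTLS, and the 389-ds attribute
# nsslapd-allow-anonymous-access on cn=config (values on, off, rootdse)
# controls anonymous binds as the linked guide describes.

IPA_HOST=${IPA_HOST:-ipa.example.test}     # placeholder, set for real use
BASE_DN=${BASE_DN:-dc=example,dc=test}     # placeholder IPA suffix

# anon_access_ldif [MODE] -> LDIF that sets anonymous access to MODE.
# rootdse (the default here) keeps the root DSE readable, which clients
# probe during discovery, while denying anonymous reads of entries;
# off denies even the root DSE; on restores the permissive behaviour.
anon_access_ldif() {
    mode=${1:-rootdse}
    case "$mode" in
        on|off|rootdse) ;;
        *) echo "anon_access_ldif: mode must be on, off or rootdse (got '$mode')" >&2
           return 2 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-allow-anonymous-access\nnsslapd-allow-anonymous-access: %s\n' "$mode"
}

# apply_anon_access [MODE]: push the change as Directory Manager
# (ldapmodify prompts for the password; the setting takes effect at once).
apply_anon_access() {
    anon_access_ldif "$1" | ldapmodify -ZZ -x -H "ldap://$IPA_HOST" \
        -D 'cn=Directory Manager' -W
}

# count_uids: count user entries in ldapsearch output read from stdin
# (grep -c prints 0 on empty input but exits 1, hence the || true).
count_uids() {
    grep -c '^uid:' || true
}

# anon_user_count: how many user accounts an unauthenticated (anonymous,
# -x without -D) search can enumerate; 0 once anonymous access is off or
# rootdse, the full user count while it is on.
anon_user_count() {
    ldapsearch -ZZ -x -LLL -H "ldap://$IPA_HOST" \
        -b "cn=users,cn=accounts,$BASE_DN" -s one '(objectClass=person)' uid \
        2>/dev/null | count_uids
}

# check_anon_exposure COUNT -> a one-line finding for a hardening report.
check_anon_exposure() {
    if [ "$1" -gt 0 ]; then
        echo "FAIL: anonymous bind can enumerate $1 user account(s); apply anon_access_ldif rootdse"
    else
        echo "PASS: anonymous bind cannot enumerate user accounts"
    fi
}
```

Typical use is `check_anon_exposure "$(anon_user_count)"` before and after `apply_anon_access rootdse`. The rootdse value is the one to prefer over off: enrolled hosts and installers read the root DSE anonymously to discover the server, and their own lookups continue to work because SSSD binds with GSSAPI rather than anonymously; re-run the check from an enrolled host after the change to confirm authenticated lookups still succeed.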