Re: [Freeipa-users] trouble creating a replica in the cloud
On 13.2.2014 01:13, Todd Maugh wrote:
> Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS
> instance, so I built in 6.5 and was able to get past it, but now I'm
> failing with this:
>
>   Your system may be partly configured.
>   Run /usr/sbin/ipa-server-install --uninstall to clean up.
>   Unexpected error - see /var/log/ipareplica-install.log for details:
>   ObjectclassViolation: missing attribute idnsSOAserial required by object class idnsZone
>
> I tried attaching the log file but unfortunately it's 30 MB; trying to compress.

That is interesting. Which version of the ipa-server package are you trying to
install? Is it RHEL or CentOS 6.5?

My guess is that you have DNS installed on one IPA server and now you are
installing another replica without DNS (without the --setup-dns option), right?
Maybe you are hitting https://bugzilla.redhat.com/show_bug.cgi?id=894131 but
it was fixed in ipa-3.0.0-22.el6.

Petr^2 Spacek

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, February 12, 2014 10:36 AM
> To: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] trouble creating a replica in the cloud
>
> Dmitri Pal wrote:
>> On 02/11/2014 05:02 PM, Todd Maugh wrote:
>>> Hey Guys,
>>>
>>> So I have my master and replica up in my datacenter. I have a client, I have a winsync agreement, I have a password sync. It's working lovely.
>>>
>>> So now I have spun up an AWS instance of Red Hat 6.5 (same as my master and first replica). I run the ipa replica and it fails:
>>>
>>>   ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
>>>   Directory Manager (existing master) password:
>>>
>>>   Run connection check to master
>>>   Check connection from replica to remote master 'se-idm-01.boingo.com':
>>>      Directory Service: Unsecure port (389): OK
>>>      Directory Service: Secure port (636): OK
>>>      Kerberos KDC: TCP (88): OK
>>>      Kerberos Kpasswd: TCP (464): OK
>>>      HTTP Server: Unsecure port (80): OK
>>>      HTTP Server: Secure port (443): OK
>>>      PKI-CA: Directory Service port (7389): OK
>>>
>>>   The following list of ports use UDP protocol and would need to be checked manually:
>>>      Kerberos KDC: UDP (88): SKIPPED
>>>      Kerberos Kpasswd: UDP (464): SKIPPED
>>>
>>>   Connection from replica to master is OK.
>>>   Start listening on required ports for remote master check
>>>   Get credentials to log in to remote master
>>>   ad...@boingo.com password:
>>>   Execute check on remote master
>>>   Check connection from master to remote replica 'se-idm-03.boingo.com':
>>>      Directory Service: Unsecure port (389): OK
>>>      Directory Service: Secure port (636): OK
>>>      Kerberos KDC: TCP (88): OK
>>>      Kerberos KDC: UDP (88): OK
>>>      Kerberos Kpasswd: TCP (464): OK
>>>      Kerberos Kpasswd: UDP (464): OK
>>>      HTTP Server: Unsecure port (80): OK
>>>      HTTP Server: Secure port (443): OK
>>>      PKI-CA: Directory Service port (7389): OK
>>>
>>>   Connection from master to replica is OK.
>>>   Connection check OK
>>>   Configuring NTP daemon (ntpd)
>>>     [1/4]: stopping ntpd
>>>     [2/4]: writing configuration
>>>     [3/4]: configuring ntpd to start on boot
>>>     [4/4]: starting ntpd
>>>   Done configuring NTP daemon (ntpd).
>>>   Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>     [1/3]: creating directory server user
>>>     [2/3]: creating directory server instance
>>>   ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3' returned non-zero exit status 1
>>>     [3/3]: restarting directory server
>>>   ipa : CRITICAL Failed to restart the directory server. See the installation log for details.
>>>   Done configuring directory server for the CA (pkids).
>>>
>>>   Your system may be partly configured.
>>>   Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>>   Can't contact LDAP server
>>>
>>> I check the log file and this is what I get:
>>>
>>>   2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
>>>   2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3
>>>   2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
>>>   [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
>>>   [14/02/11:14:57:53] - [Setup] Info Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.) '.
>>>   Error: Unknown error 256
>>>   Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access
Re: [Freeipa-users] SELinux user categories
On 02/12/2014 09:33 PM, Josh wrote:
> On Feb 12, 2014, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Josh wrote:
>>> On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Josh wrote:
>>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>> Josh wrote:
>>>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>>>
>>>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>>>
>>>>>>>   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>>>   ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>>
>>>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>>>
>>>>>> rob
>>>>>
>>>>> Yes. I'm trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people's knowledge, this requires recompilation of the SELinux policy.
>>>>
>>>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>>>
>>> As it is for a very unique situation which most people won't encounter I don't think it's worth making configurable.
>>>
>>>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>>>
>>> I'm ok with that because the values only need to be set during initial setup.
>>>
>>>>> Any idea why the validator isn't being modified?
>>>>
>>>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>>>
>>>> regards
>>>>
>>>> rob
>>>
>>> Thanks for the help.
>>
>> Sure. I'm glad we made it at least obvious enough for you to be able to work around.
>>
>> So I'm just curious about the need for this. You mentioned that semanage slows way down. Have you talked to the SELinux team about this? They've been quite responsive to our needs in the past, they may be able to fix something for you as well.
>
> I'm not sure if my coworker has talked to them about it directly, no. I'll ping him to see if it's something we want to get worked on moving forward.
>
>> On a more general note, we haven't had a lot of user feedback on the SELinux user map feature. Do you have any other suggestions on things we might do to improve it?
>
> Nothing directly but I can describe how we're using it and where some of the perceived pain points are. Their impact is negligible though so we haven't felt the need to investigate better ways to work around them.
>
> We've got a network of systems running both targeted and MLS SELinux policy. What this means is that we must define both valid SELinux contexts in the user map. I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023 in the user map. We then use host groups and multiple user maps to map appropriately.
>
> Our commands might be easier to understand:
>
>   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
>   ipa hostgroup-add mls --desc="MLS SELinux Group"
>   ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
>   ipa hostgroup-add targeted --desc="Targeted SELinux Group"
>   ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
>   ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
>   ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
>   ipa selinuxusermap-add-host staff_u --hostgroups=targeted
>   ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
>   ipa selinuxusermap-add-user staff_u --groups=wheel
>   ipa selinuxusermap-add-user staff_u_MLS --groups=wheel
>
> It might be more straightforward if we didn't have to split the configuration like this but thanks to the flexibility of FreeIPA it's very easy to do.
>
> Thanks,
> -josh

Nice. Not many of our users got back to us with experience on using the advanced use of the SELinux feature - so feedback welcome!

Rob, I am wondering if it would make sense to extend FreeIPA to allow SELinux user map rules with more SELinux users, per policy? I.e. have a rule like that:

  # ipa selinuxusermap-show staff_u
    Rule name: staff_u
    SELinux User: staff_u:s0-s0:c0.c1023
    SELinux User (mls): staff_u:s0-s15:c0.c1023
    Enabled: TRUE
    User Groups: wheel
    Host Groups: selinuxhosts

This
Re: [Freeipa-users] authentication against compat
On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
> Is SSSD working for IPA sudo now?

It was working even before, just with a bit of manual config; as I said in
the reply you quoted, you just had to configure 'sudo_provider=ldap'.

> I saw this from Jakub Hrozek in this list a little while back:
>> Unfortunately with 6.5 there is still no sudo ipa provider, there might be
>> one in 6.6. So in order to download the sudo rules you need to configure
>> the LDAP sudo provider manually.

sudo_provider=ipa is included in 1.9.6 and also all recent versions (1.11.x).
We're thinking about including a newer version in RHEL-6.6, where
sudo_provider=ipa would be included as well.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC
Shree wrote:
> Ok, failed at the same stage. Would you like the entire /var/log/ipareplica-install.log? If yes, should I attach it to the email?
>
>   ipa : INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
>       return_value = main_function()
>     File "/usr/sbin/ipa-replica-install", line 467, in main
>       (CA, cs) = cainstance.install_replica_ca(config)
>     File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 1604, in install_replica_ca
>       subject_base=config.subject_base)
>     File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>       self.start_creation(runtime=210)
>     File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>       method()
>     File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>       raise RuntimeError('Configuration of CA failed')
>   ipa : INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
>   Your system may be partly configured.
>   Run /usr/sbin/ipa-server-install --uninstall to clean up.
>   Configuration of CA failed
>   [root@ldap2 ~]#

We need to see the full /var/log/ipareplica-install.log and the debug log from /var/log/pki-ca.

rob

> Shreeraj
> Change is the only Constant !
>
> On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 02/12/2014 04:57 PM, Shree wrote:
>>> If there aren't any other tests to perform, can I go ahead and uninstall the ipa client and configure this VM as a replica?
>>
>> Thanks for trying. At least we know that certmonger can run by itself. When you install the replica please collect all the install logs. Is SELinux on/off?
>>
>>> On Wednesday, February 12, 2014 1:40 PM, Shree <shreerajkarul...@yahoo.com> wrote:
>>>> getcert list returned a bunch of info, see below
>>>>
>>>>   [root@ldap2 ~]# getcert list
>>>>   Number of certificates and requests being tracked: 2.
>>>>   Request ID '20140206184920':
>>>>       status: MONITORING
>>>>       stuck: no
>>>>       key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>       certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>       CA: dogtag-ipa-retrieve-agent-submit
>>>>       issuer: CN=Certificate Authority,...
>>>>
>>>> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>> On 02/12/2014 03:41 PM, Shree wrote:
>>>>>> So I uninstalled the ipa server and installed the client (ipa-client-install) on the same VM pointing at the master and everything seems to work OK. All the sudo rules etc. Are there any tests I can do to check connectivity that could be helpful before I configure this as a replica again?
>>>>>
>>>>> Ask certmonger to get a certificate.
>>>>>
>>>>>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>>> On 02/12/2014 02:09 PM, Shree wrote:
>>>>>>>> Rob, I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there.
>>>>>>>>
>>>>>>>> [1] My command:
>>>>>>>>   ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
>>>>>>>> This ended with:
>>>>>>>>   Done configuring NTP daemon (ntpd).
>>>>>>>>   A CA is already configured on this system.
>>>>>>>>
>>>>>>>> [2] So I did a pkiremove with the following command:
>>>>>>>>   # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>>>>>>
>>>>>>>> [3] Re-ran the ipa-replica-install command from step 1. The install went a little further but ended as below:
>>>>>>>>   Configuring directory server for the CA (pkids): Estimated time 30 seconds
>>>>>>>>     [1/3]: creating directory server user
>>>>>>>>     [2/3]: creating directory server instance
>>>>>>>>     [3/3]: restarting directory server
>>>>>>>>   Done configuring directory server for the CA (pkids).
>>>>>>>>   ipa : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero exit status 1
>>>>>>>>   Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>>>>>     [1/17]: creating certificate server user
>>>>>>>>     [2/17]: creating pki-ca instance
>>>>>>>>     [3/17]: configuring certificate server instance
>>>>>>>>   ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname .
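Both install failures in this digest, the PR_Bind() failure on port 7389 in the replica-in-the-cloud thread and the CA configuration failure in this one, end at the same place: a multi-megabyte /var/log/ipareplica-install.log that the poster cannot easily share or read. The script below is an added example, not from either thread and not FreeIPA tooling. It scans an install log offline and extracts only what explains a failure: CRITICAL/ERROR entries with the lines that preceded them (so the failing step is visible), external commands that returned non-zero with their exit status, NSPR socket errors as dirsrv reports them, and the final exception recorded by the installer. The sample log is constructed by stitching together fragments quoted in the two threads; the two line formats it matches (timestamped file lines and `ipa : LEVEL` console lines) are those visible on the page, and anything else is an assumption.

```python
"""Offline triage of a FreeIPA replica install log.

Added example (not part of the mailing-list thread or of FreeIPA). The
regexes are written against the line formats quoted in the thread:
timestamped file lines ("2014-02-11T19:57:53Z CRITICAL ...") and console
lines ("ipa : CRITICAL ..."); any other format is an assumption.
"""
import re
from collections import Counter

# "2014-02-11T19:57:53Z CRITICAL msg"  or  "ipa : CRITICAL msg"
LEVEL_LINE = re.compile(
    r"^(?:\d{4}-\d\d-\d\dT[\d:]+Z\s+|ipa\s*:\s*)(?P<level>CRITICAL|ERROR)\s+(?P<msg>.*)$")
# "Command '/usr/sbin/setup-ds.pl ...' returned non-zero exit status 1"
FAILED_CMD = re.compile(
    r"Command '(?P<cmd>[^']+)' returned non-zero exit status (?P<status>\d+)")
# dirsrv reports socket problems through NSPR: "... error -5966 (Access Denied.)"
NSPR_ERR = re.compile(
    r"Netscape Portable Runtime error (?P<code>-?\d+) \((?P<text>[^)]*)\)")
# Final outcome line written by the installer framework
EXC_LINE = re.compile(r"command failed, exception: (?P<exc>.+)$")


def triage(log_text, context=2):
    """Summarise the failure-relevant content of an install log.

    Returns a dict with per-level counts, each CRITICAL/ERROR line together
    with the `context` lines before it, the distinct failed external
    commands, the distinct NSPR errors, and the final exception if any.
    """
    lines = log_text.splitlines()
    report = {"levels": Counter(), "errors": [], "failed_commands": [],
              "nspr_errors": [], "final_exception": None}
    for i, line in enumerate(lines):
        m = LEVEL_LINE.match(line)
        if m:
            report["levels"][m.group("level")] += 1
            report["errors"].append({
                "line": i + 1,
                "level": m.group("level"),
                "message": m.group("msg").strip(),
                "context": lines[max(0, i - context):i],
            })
        for m in FAILED_CMD.finditer(line):
            report["failed_commands"].append((m.group("cmd"), int(m.group("status"))))
        for m in NSPR_ERR.finditer(line):
            report["nspr_errors"].append((int(m.group("code")), m.group("text")))
        m = EXC_LINE.search(line)
        if m:
            report["final_exception"] = m.group("exc").strip()
    # dirsrv logs the same bind failure more than once; keep first occurrences, in order
    report["failed_commands"] = list(dict.fromkeys(report["failed_commands"]))
    report["nspr_errors"] = list(dict.fromkeys(report["nspr_errors"]))
    return report


def format_report(report):
    """Render the triage result as a few lines suitable for pasting into a reply."""
    out = ["levels: " + ", ".join("%s=%d" % kv for kv in sorted(report["levels"].items()))]
    for cmd, status in report["failed_commands"]:
        out.append("failed command (exit %d): %s" % (status, cmd))
    for code, text in report["nspr_errors"]:
        out.append("NSPR error %d: %s" % (code, text))
    for err in report["errors"]:
        out.append("line %d %s: %s" % (err["line"], err["level"], err["message"]))
    if report["final_exception"]:
        out.append("final exception: " + report["final_exception"])
    return "\n".join(out)


# Constructed sample: fragments quoted in the two threads, stitched together.
SAMPLE_LOG = """\
2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
2014-02-11T19:57:53Z CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3' returned non-zero exit status 1
2014-02-11T19:57:54Z CRITICAL Failed to restart the directory server. See the installation log for details.
2014-02-11T19:57:55Z INFO The ipa-replica-install command failed, exception: RuntimeError: Configuration of CA failed
"""

if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

On a real log, `triage(open("/var/log/ipareplica-install.log").read())` yields a report of a few lines: the failed command names the process that could not bind port 7389, which is the question to take to `ss -ltnp` and the audit log on the affected host rather than to a 30 MB attachment.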
Re: [Freeipa-users] SELinux user categories
Martin Kosek wrote:
> [Martin's message above in this thread, quoted in full; the copy above is cut off after "This", and the quote continues:]
> This proposed rule structure is not ideal and
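The validator Josh patched enforces the stock MCS range of c0 to c1023 (and MLS sensitivities s0 to s15), which is why a policy rebuilt with more categories is rejected by IPA before SELinux ever sees it. The following is an added example, not FreeIPA's selinuxusermap.py validator: the same check written with the limits as parameters rather than constants. It parses the `user:sN[-sM][:cX.cY]` syntax used in the commands above, rejects a string whose categories exceed the configured maximum, and validates a whole `$`-separated ipaselinuxusermaporder value. The two order strings are the ones posted in the thread; the regex, function names and error wording are this example's own.

```python
"""Validate SELinux user strings and an ipaselinuxusermaporder value.

Added example, not FreeIPA's selinuxusermap.py validator. The syntax
accepted is user:sN[-sM][:cX[.cY | ,cZ...]] as used in the thread; the
default limits (sensitivity 15, category 1023) match the error message
quoted there, and both are parameters so a site with a rebuilt policy can
raise them.
"""
import re

SELINUX_USER_RE = re.compile(
    r"^(?P<user>[A-Za-z_][A-Za-z0-9_]*)"      # staff_u, guest_u, root, ...
    r":(?P<mls>s\d+(?:-s\d+)?)"               # s0 or s0-s15
    r"(?::(?P<mcs>c\d+(?:[.,]c\d+)*))?$"      # optional c0.c1023 or c0,c3,c7
)


def validate_selinux_user(value, max_sensitivity=15, max_category=1023):
    """Return None if `value` is acceptable, else a string naming the problem."""
    m = SELINUX_USER_RE.match(value)
    if not m:
        return "does not match user:s<N>[-s<M>][:c<X>[.c<Y>]]"
    levels = [int(s[1:]) for s in m.group("mls").split("-")]
    if max(levels) > max_sensitivity:
        return "sensitivity exceeds s%d" % max_sensitivity
    if len(levels) == 2 and levels[0] > levels[1]:
        return "sensitivity range is inverted"
    mcs = m.group("mcs")
    if mcs:
        cats = [int(c[1:]) for c in re.split(r"[.,]", mcs)]
        if max(cats) > max_category:
            return ("category exceeds c%d; the policy must be rebuilt before a "
                    "larger MCS range is usable" % max_category)
        if "." in mcs and "," not in mcs and cats[0] > cats[1]:
            return "category range is inverted"
    return None


def validate_usermap_order(order, **limits):
    """Check every '$'-separated entry of an ipaselinuxusermaporder value.

    Returns {entry: problem} for rejected entries; an empty dict means the
    whole order is acceptable under the given limits.
    """
    problems = {}
    for entry in order.split("$"):
        problem = validate_selinux_user(entry, **limits)
        if problem:
            problems[entry] = problem
    return problems


# Both order strings are the ones posted in the thread.
DEFAULT_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0"
                 "$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023")
LARGE_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0"
               "$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383"
               "$ia_u:s0-s15:c0.c16383")

if __name__ == "__main__":
    print("stock limits:", validate_usermap_order(LARGE_ORDER) or "ok")
    print("rebuilt policy:", validate_usermap_order(LARGE_ORDER, max_category=16383) or "ok")
```

Keeping the limit a parameter rather than a constant is the point Rob makes about upgrades: a patched constant is overwritten when the package is updated, while a value read from configuration survives. Whatever the validator accepts, the categories must also exist in the loaded policy, or the mapped context will be unusable on the host.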
[Freeipa-users] cannot delete PTR DNS records from the command line
I have run into a problem where I cannot delete PTR DNS records from the command line. This is something that until recently I have never attempted.

IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64

When I try to delete a PTR record I get this message.

  ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
  ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

  ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
  ipa: ERROR: 250: DNS resource record not found

  ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
  ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified

It's got to be a simple thing I am missing, can someone please show what I am doing wrong?

Thanks!

--
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog http://www.tendrilinc.com/news-room/blog/

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Re: [Freeipa-users] cannot delete PTR DNS records from the command line
On 02/13/2014 04:15 PM, Brent Clark wrote:
> [Brent's message above, quoted in full]

Unqualified PTR records do not make sense, this is why we validate them on addition.

What does the following command show?

  $ ipa dnsrecord-show 41.100.10.in-addr-arpa. 250

Is the record really resolvable?

  $ host 10.100.41.250

Martin
Re: [Freeipa-users] cannot delete PTR DNS records from the command line
On 13.2.2014 16:15, Brent Clark wrote:
> [Brent's message above, quoted in full]

Please send us the output of these commands:

  $ ipa dnszone-show 41.100.10.in-addr-arpa.
  $ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250

Thank you.

--
Petr^2 Spacek
Re: [Freeipa-users] cannot delete PTR DNS records from the command line
Here are the results of the commands asked for. Also attached is a png of the webui showing the zone and record exist that I want to delete.

Many Thanks!

  ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
  Number of entries returned 0

  ipa dnszone-show 41.100.10.in-addr-arpa.
  ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found

  host 10.100.41.250
  250.41.100.10.in-addr.arpa domain name pointer test1.test.com.

On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek <pspa...@redhat.com> wrote:
> [Petr's reply above, with Brent's original message it quotes, quoted in full]

--
Brent S. Clark
NOC Engineer

attachment: 41.100.10-reversednszone.png
[Freeipa-users] IPA Replica cannot add user
Hi everyone,

I've installed my IPA environment as follows:

  ipa01.example.com - master install
  ipa02.example.com - replica install, as the guide says, with ipa-replica-prepare on ipa01 and ipa-replica-install using the generated gpg file.

All good, the environment is fine, I can access both UIs, but the underlying problem is: I can edit and remove users from IPA using instance ipa02 (replica), but I CANNOT add users from that instance.

In the UI, the error returned is:

  IPA Error 4203
  Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

Via command line, debug enabled:

  root@ipa02's password:
  Last login: Thu Feb 13 15:36:34 2014
  [root@ipa02 ~]# kinit admin
  Password for ad...@example.com:
  [root@ipa02 ~]# ipa-replica-manage list
  ipa01.example.com: master
  ipa02.example.com: master
  [root@ipa02 ~]# klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: ad...@example.com

  Valid starting     Expires            Service principal
  02/13/14 15:37:48  02/14/14 15:37:29  krbtgt/example@example.com
  02/13/14 15:38:03  02/14/14 15:37:29  ldap/ipa02.example@example.com
  [root@ipa02 ~]# ipa -d user-add usertest
  ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
  ipa: DEBUG: args=klist -V
  ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
  ipa: DEBUG: stderr=
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
  ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
  ipa: DEBUG: importing plugin module
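The error above comes from the 389-ds Distributed Numeric Assignment (DNA) plugin, which hands out uidNumber/gidNumber values from a range owned by each server. A freshly installed replica holds no local range and has to obtain one from a peer over replication before its first user-add can succeed; when that exchange does not complete, every allocation on the replica fails while edits and deletions (which allocate nothing) keep working, which matches the symptom reported. The following is an added diagnostic, not FreeIPA's own tooling: it reads the plugin's configuration entry from LDIF text (for example the output of an ldapsearch as Directory Manager against cn=config) and reports whether this server currently owns a usable range. The sample LDIF is constructed; the attribute names dnaNextValue, dnaMaxValue, dnaThreshold and dnaType are the plugin's real ones, the values in the sample are assumptions, and in newer FreeIPA releases `ipa-replica-manage dnarange-show` reports the same information directly.

```python
"""Check whether a 389-ds DNA plugin entry owns a usable ID range.

Added example, not part of FreeIPA. Input is the LDIF text of
cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
(e.g. from an ldapsearch against cn=config). Attribute names are the DNA
plugin's; the sample values are constructed for this example.
"""
import base64


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ..."), which is enough for cn=config entries.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:        # continuation of previous line
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if "::" in line.split(" ", 1)[0]:           # "attr:: <base64>"
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        entry.setdefault(attr.strip(), []).append(value)
    return entry


def _get(entry, name, default=None):
    """Case-insensitive single-value lookup (LDAP attribute names are case-insensitive)."""
    for attr, values in entry.items():
        if attr.lower() == name.lower():
            return values[0]
    return default


def dna_range_status(entry):
    """Classify the range this server owns.

    remaining = dnaMaxValue - dnaNextValue + 1. A non-positive count means
    the server has no range of its own and every allocation will fail until
    a peer grants one; below dnaThreshold the plugin will soon ask for more.
    """
    nxt = int(_get(entry, "dnaNextValue"))
    mx = int(_get(entry, "dnaMaxValue"))
    threshold = int(_get(entry, "dnaThreshold", "1"))
    remaining = max(0, mx - nxt + 1)
    if remaining == 0:
        state = "no-range"
    elif remaining < threshold:
        state = "low"
    else:
        state = "ok"
    types = [v for a, vs in entry.items() if a.lower() == "dnatype" for v in vs]
    return {"state": state, "next": nxt, "max": mx, "remaining": remaining,
            "types": types}


# Constructed sample: what a replica that never obtained a range might export.
# The next/max pair with next > max is the "nothing allocated here" shape.
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,
 dc=com
"""

if __name__ == "__main__":
    print(dna_range_status(parse_ldif_entry(SAMPLE_LDIF)))
```

A "no-range" result on the replica points the investigation at the replication agreement and the shared DNA configuration under dnaSharedCfgDN, since that is the channel through which a range is requested; an "ok" result means the 4203 error has a different cause and the directory server's error log is the next place to look.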
Re: [Freeipa-users] cannot delete PTR DNS records from the command line
Hmm, amazing what works when you spell stuff right. Epic fail on my part. Face plant in the mud. Apologies to all for such silliness that I have put you all through. Thanks!

On Thu, Feb 13, 2014 at 9:25 AM, Petr Vobornik pvobo...@redhat.com wrote:

> Hello,
>
> The zone name is: 41.100.10.in-addr.arpa.
> Not: 41.100.10.in-addr-arpa.
>
> HTH
>
> On 13.2.2014 16:40, Brent Clark wrote:
>> Here are the results of the commands asked for. Also attached is a png of the webui showing the zone and record exists that I want to delete. Many thanks!
>>
>> ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
>> Number of entries returned 0
>>
>> ipa dnszone-show 41.100.10.in-addr-arpa.
>> ipa: ERROR: 41.100.10.in-addr-arpa.: DNS zone not found
>>
>> host 10.100.41.250
>> 250.41.100.10.in-addr.arpa domain name pointer test1.test.com.
>>
>> On Thu, Feb 13, 2014 at 8:23 AM, Petr Spacek pspa...@redhat.com wrote:
>>> On 13.2.2014 16:15, Brent Clark wrote:
>>>> I have run into a problem where I cannot delete PTR DNS records from the command line. This is something that until recently I have never attempted.
>>>>
>>>> IPA version = ipa-server-2.2.0-17.el6_3.1.x86_64
>>>>
>>>> When I try to delete a PTR record I get this message.
>>>>
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1
>>>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>>>
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. 250 --ptr-rec test1.test.com
>>>> ipa: ERROR: 250: DNS resource record not found
>>>>
>>>> ipa dnsrecord-del 41.100.10.in-addr-arpa. test1.test.com. --ptr-rec 250
>>>> ipa: ERROR: invalid 'hostname': invalid domain-name: not fully qualified
>>>>
>>>> It's got to be a simple thing I am missing, can someone please show what I am doing wrong?
>>>
>>> Please send us output from commands:
>>>
>>> $ ipa dnszone-show 41.100.10.in-addr-arpa.
>>> $ ipa dnsrecord-find 41.100.10.in-addr-arpa. 250
>>>
>>> Thank you.
>>>
>>> --
>>> Petr^2 Spacek
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Petr Vobornik

--
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog http://www.tendrilinc.com/news-room/blog/ http://www.tendrilinc.com/

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
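The thread above turns on two details of the IPA DNS CLI: the reverse zone is spelled `in-addr.arpa.` (dot, trailing dot included) and a PTR target must be fully qualified or the CLI rejects it with "invalid domain-name: not fully qualified". The following Python is an added example, not code from the thread or from FreeIPA itself. It derives the reverse zone and record label for an IPv4 address, reports the two mistakes seen above, and builds the generic `ipa dnsrecord-del` form; the address, prefix length and host name are assumed inputs, and only classful (/8, /16, /24) reverse zones are handled.

```python
import ipaddress
import re
from typing import List, Tuple

# Added example, not FreeIPA code. Classful IPv4 reverse zones only,
# with the mandatory trailing dot.
REVERSE_ZONE_RE = re.compile(r"^(\d{1,3}\.){1,3}in-addr\.arpa\.$")


def reverse_zone_and_label(ip: str, prefix_len: int = 24) -> Tuple[str, str]:
    """Return (reverse zone, record label) for the PTR of an IPv4 address.

    10.100.41.250 in a /24 gives ('41.100.10.in-addr.arpa.', '250').
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("classful reverse zones only: prefix_len must be 8, 16 or 24")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    label = ".".join(reversed(octets[n:]))
    return zone, label


def check_zone_name(zone: str) -> List[str]:
    """Explain why a reverse zone name will not match what IPA has."""
    problems = []
    if "in-addr-arpa" in zone:
        problems.append("'in-addr-arpa' should be 'in-addr.arpa' (dot, not hyphen)")
    if not zone.endswith("."):
        problems.append("zone name is not fully qualified (missing trailing dot)")
    if not REVERSE_ZONE_RE.match(zone):
        problems.append("not a classful IPv4 reverse zone name")
    return problems


def ptr_del_command(ip: str, target: str, prefix_len: int = 24) -> str:
    """Build the ipa dnsrecord-del command for one PTR record.

    The PTR target is forced to be fully qualified; without the trailing dot
    the CLI answers "invalid 'hostname': invalid domain-name: not fully qualified".
    """
    zone, label = reverse_zone_and_label(ip, prefix_len)
    if not target.endswith("."):
        target += "."
    return f"ipa dnsrecord-del {zone} {label} --ptr-rec {target}"


if __name__ == "__main__":
    # Constructed input matching the thread: the misspelled zone first, then the fix.
    for name in ("41.100.10.in-addr-arpa.", "41.100.10.in-addr.arpa."):
        print(name, check_zone_name(name) or "ok")
    print(ptr_del_command("10.100.41.250", "test1.test.com"))
```

Running it prints the two problems for the hyphenated name, "ok" for the correct one, and the command `ipa dnsrecord-del 41.100.10.in-addr.arpa. 250 --ptr-rec test1.test.com.`, which is the form that would have worked in the thread.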
[Freeipa-users] WebUI questions.
When I assign a user the role of User Administrator, when they log into the WebUI, they can see all the role, DNS, config tabs and links. They should only see the necessary tabs and links that having that role requires and none of the extra stuff. Is there a way to limit what appears in the WebUI based on role?

--
Brent S. Clark
NOC Engineer
2580 55th St. | Boulder, Colorado 80301
www.tendrilinc.com | blog http://www.tendrilinc.com/news-room/blog/ http://www.tendrilinc.com/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPA not Starting after crash
Hello All,

We've been running IPA now nicely for a while, and I wrote a script to run something every minute and that filled the logs and crashed the server. I cleared the logs and started IPA again.

[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
    DIGITALREASONING-COM... already running    [  OK  ]
    PKI-IPA... already running                 [  OK  ]
Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'blah.digitalreasoning.com' does not match any master server in LDAP: No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}

Thanks,
_
John Moyer
Director, IT Operations

signature.asc
Description: Message signed with OpenPGP using GPGMail

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA not Starting after crash
John Moyer wrote:
> Hello All,
>
> We've been running IPA now nicely for a while, and I wrote a script to run something every minute and that filled the logs and crashed the server. I cleared the logs and started IPA again.
>
> [root@ log]# ipactl start
> Starting Directory Service
> Starting dirsrv:
>     DIGITALREASONING-COM... already running    [  OK  ]
>     PKI-IPA... already running                 [  OK  ]
> Failed to read data from Directory Service: Failed to get list of services to probe status!
> Configured hostname 'blah.digitalreasoning.com' does not match any master server in LDAP: No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}

I'd check /var/log/dirsrv/slapd-DIGITALREASONING-COM/errors to see if there are any database consistency problems.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] WebUI questions.
On 02/13/2014 01:51 PM, Brent Clark wrote:
> When I assign a user the role of User Administrator, when they log into the WebUI, they can see all the role, DNS, config tabs and links. They should only see the necessary tabs and links that having that role requires and none of the extra stuff. Is there a way to limit what appears in the WebUI based on role?

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#server-access-controls

> --
> Brent S. Clark
> NOC Engineer
> 2580 55th St. | Boulder, Colorado 80301
> www.tendrilinc.com http://www.tendrilinc.com/ | blog http://www.tendrilinc.com/news-room/blog/
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] WebUI questions.
Brent Clark wrote:
> When I assign a user the role of User Administrator, when they log into the WebUI, they can see all the role, DNS, config tabs and links. They should only see the necessary tabs and links that having that role requires and none of the extra stuff. Is there a way to limit what appears in the WebUI based on role?

Not yet, see https://fedorahosted.org/freeipa/ticket/217

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA not Starting after crash
On 02/13/2014 02:12 PM, John Moyer wrote:
> This is the error log when I try to start it:
>
> [13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 starting up
> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=digitalreasoning,dc=com
> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=digitalreasoning,dc=com
> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
> [13/Feb/2014:19:08:28 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 for LDAPS requests
> [13/Feb/2014:19:08:28 +] - Listening on /var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
> [13/Feb/2014:19:08:30 +] - slapd shutting down - signaling operation threads
> [13/Feb/2014:19:08:30 +] - slapd shutting down - closing down internal subsystems and plugins
> [13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
> [13/Feb/2014:19:08:30 +] - All database threads now stopped
> [13/Feb/2014:19:08:30 +] - slapd stopped.

Seems like your dna-plugin configuration is corrupted or missing.
The easiest way would be probably to reinit or reinstall replica.
If we want to try to repair we need help from DS team.

> Thanks,
> _
> John Moyer
> Director, IT Operations
>
> On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>
>> John Moyer wrote:
>>> Hello All,
>>>
>>> We've been running IPA now nicely for a while, and I wrote a script to run something every minute and that filled the logs and crashed the server. I cleared the logs and started IPA again.
>>>
>>> [root@ log]# ipactl start
>>> Starting Directory Service
>>> Starting dirsrv:
>>>     DIGITALREASONING-COM... already running    [  OK  ]
>>>     PKI-IPA... already running                 [  OK  ]
>>> Failed to read data from Directory Service: Failed to get list of services to probe status!
>>> Configured hostname 'blah.digitalreasoning.com' does not match any master server in LDAP: No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}
>>
>> I'd check /var/log/dirsrv/slapd-DIGITALREASONING-COM/errors to see if there are any database consistency problems.
>>
>> rob
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA not Starting after crash
I think I know my problem, back in August I was having performance issues so I hooked part of my IPA server to RAM disk. I'm assuming looking at the symlink below that since I've rebooted the server that I'm completely out of luck. This is in this directory: /var/lib/dirsrv/slapd-DIGITALREASONING-COM/

lrwxrwxrwx 1 root root 12 Aug 27 03:21 db -> /dev/shm/db/

At this point I just want confirmation that my data is gone. I was doing backups, but of the disks not the RAM.

Thanks,
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:20 PM, Dmitri Pal d...@redhat.com wrote:

> On 02/13/2014 02:12 PM, John Moyer wrote:
>> This is the error log when I try to start it:
>>
>> [13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 starting up
>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=digitalreasoning,dc=com
>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=digitalreasoning,dc=com
>> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
>> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
>> [13/Feb/2014:19:08:28 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 for LDAPS requests
>> [13/Feb/2014:19:08:28 +] - Listening on /var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
>> [13/Feb/2014:19:08:30 +] - slapd shutting down - signaling operation threads
>> [13/Feb/2014:19:08:30 +] - slapd shutting down - closing down internal subsystems and plugins
>> [13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
>> [13/Feb/2014:19:08:30 +] - All database threads now stopped
>> [13/Feb/2014:19:08:30 +] - slapd stopped.
>
> Seems like your dna-plugin configuration is corrupted or missing.
> The easiest way would be probably to reinit or reinstall replica.
> If we want to try to repair we need help from DS team.
>
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>>
>> On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>
>>> John Moyer wrote:
>>>> Hello All,
>>>>
>>>> We've been running IPA now nicely for a while, and I wrote a script to run something every minute and that filled the logs and crashed the server. I cleared the logs and started IPA again.
>>>>
>>>> [root@ log]# ipactl start
>>>> Starting Directory Service
>>>> Starting dirsrv:
>>>>     DIGITALREASONING-COM... already running    [  OK  ]
>>>>     PKI-IPA... already running                 [  OK  ]
>>>> Failed to read data from Directory Service: Failed to get list of services to probe status!
>>>> Configured hostname 'blah.digitalreasoning.com' does not match any master server in LDAP: No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}
>>>
>>> I'd check /var/log/dirsrv/slapd-DIGITALREASONING-COM/errors to see if there are any database consistency problems.
>>>
>>> rob
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

signature.asc
Description: Message signed with OpenPGP using GPGMail

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authentication against compat
Is this server or client side where sudo_provider=ipa is included in ver 1.11.x? My Fedora 20 client doesn't have this option listed, or is it baked in?

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic
Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision
--
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.

On Thu, Feb 13, 2014 at 3:46 AM, Jakub Hrozek jhro...@redhat.com wrote:

> On Wed, Feb 12, 2014 at 03:35:58PM -0800, Will Sheldon wrote:
>> Is SSSD working for IPA sudo now?
>
> It was working even before, just with a bit of manual config, as I said in the reply you quoted, you just had to configure 'sudo_provider=ldap'
>
>> I saw this from Jakub Hrozek in this list a little while back:
>>
>> Unfortunately with 6.5 there is still no sudo ipa provider, there might be with one in 6.6. So in order to download the sudo rules you need to configure the LDAP sudo provider manually.
>
> sudo_provider=ipa is included in 1.9.6 and also all recent versions (1.11.x)
>
> We're thinking about including a newer version in RHEL-6.6, where the sudo_provider=ipa would be included as well.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA not Starting after crash
On 02/13/2014 12:58 PM, John Moyer wrote:
> I think I know my problem, back in August I was having performance issues so I hooked part of my IPA server to RAM disk. I'm assuming looking at the symlink below that since I've rebooted the server that I'm completely out of luck. This is in this directory: /var/lib/dirsrv/slapd-DIGITALREASONING-COM/
>
> lrwxrwxrwx 1 root root 12 Aug 27 03:21 db -> /dev/shm/db/
>
> At this point I just want confirmation that my data is gone. I was doing backups, but of the disks not the RAM.

I'm not sure where else the data would be, if it is not in /dev/shm/db, and not in /var/lib/dirsrv/slapd-DOMAIN

Do you have a replica?

> Thanks,
> _
> John Moyer
> Director, IT Operations
>
> On Feb 13, 2014, at 2:20 PM, Dmitri Pal d...@redhat.com wrote:
>
>> On 02/13/2014 02:12 PM, John Moyer wrote:
>>> This is the error log when I try to start it:
>>>
>>> [13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 starting up
>>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
>>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
>>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
>>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=digitalreasoning,dc=com
>>> [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set up under cn=users, cn=compat,dc=digitalreasoning,dc=com
>>> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Unable to locate shared configuration entry (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
>>> [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Invalid config entry [cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config] skipped
>>> [13/Feb/2014:19:08:28 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
>>> [13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 for LDAPS requests
>>> [13/Feb/2014:19:08:28 +] - Listening on /var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
>>> [13/Feb/2014:19:08:30 +] - slapd shutting down - signaling operation threads
>>> [13/Feb/2014:19:08:30 +] - slapd shutting down - closing down internal subsystems and plugins
>>> [13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
>>> [13/Feb/2014:19:08:30 +] - All database threads now stopped
>>> [13/Feb/2014:19:08:30 +] - slapd stopped.
>>
>> Seems like your dna-plugin configuration is corrupted or missing.
>> The easiest way would be probably to reinit or reinstall replica.
>> If we want to try to repair we need help from DS team.
>>
>>> Thanks,
>>> _
>>> John Moyer
>>> Director, IT Operations
>>>
>>> On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>
>>>> John Moyer wrote:
>>>>> Hello All,
>>>>>
>>>>> We've been running IPA now nicely for a while, and I wrote a script to run something every minute and that filled the logs and crashed the server. I cleared the logs and started IPA again.
>>>>>
>>>>> [root@ log]# ipactl start
>>>>> Starting Directory Service
>>>>> Starting dirsrv:
>>>>>     DIGITALREASONING-COM... already running    [  OK  ]
>>>>>     PKI-IPA... already running                 [  OK  ]
>>>>> Failed to read data from Directory Service: Failed to get list of services to probe status!
>>>>> Configured hostname 'blah.digitalreasoning.com' does not match any master server in LDAP: No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}
>>>>
>>>> I'd check /var/log/dirsrv/slapd-DIGITALREASONING-COM/errors to see if there are any database consistency problems.
>>>>
>>>> rob
>>>>
>>>> ___
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> ---
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
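The failure mode in this thread is a 389-ds database directory that is a symlink into /dev/shm, so the whole directory tree backed by the LDAP server evaporated at reboot while the disk backups were taken of an empty path. The following Python is an added example, not code from the thread, from 389-ds or from FreeIPA. It resolves a dirsrv `db` directory through its symlinks and matches the result against /proc/mounts to report whether the data lives on a volatile filesystem. The offline version takes the mount table and symlink map as input (the sample values are constructed and use a made-up instance name, slapd-EXAMPLE-COM); `check_live` runs the same logic against the host it is executed on.

```python
import os
from typing import Dict, List, Optional, Tuple

# Added example, not 389-ds or FreeIPA code. Filesystem types whose contents
# do not survive a reboot.
VOLATILE_FSTYPES = {"tmpfs", "ramfs", "devtmpfs"}


def parse_mounts(mounts_text: str) -> List[Tuple[str, str]]:
    """Turn /proc/mounts text into (mountpoint, fstype) pairs."""
    entries = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts encodes a space inside a mountpoint as \040
            entries.append((fields[1].replace("\\040", " "), fields[2]))
    return entries


def fstype_for(path: str, mounts: List[Tuple[str, str]]) -> str:
    """Filesystem type of the deepest mountpoint that contains path."""
    best_mp, best_type = "", "unknown"
    for mp, fstype in mounts:
        contained = mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/")
        if contained and len(mp) > len(best_mp):
            best_mp, best_type = mp, fstype
    return best_type


def resolve(path: str, links: Dict[str, str]) -> str:
    """Follow a constructed symlink table (stands in for os.path.realpath offline)."""
    seen = set()
    while path in links and path not in seen:
        seen.add(path)
        path = links[path]
    return os.path.normpath(path)


def db_dir_is_volatile(db_dir: str, mounts_text: str,
                       links: Optional[Dict[str, str]] = None) -> Tuple[bool, str, str]:
    """Return (volatile?, resolved path, fstype) for a dirsrv db directory."""
    real = resolve(db_dir, links or {})
    fstype = fstype_for(real, parse_mounts(mounts_text))
    return fstype in VOLATILE_FSTYPES, real, fstype


def check_live(db_dir: str) -> Tuple[bool, str, str]:
    """Same check against this host's /proc/mounts and its real symlinks."""
    with open("/proc/mounts") as fh:
        mounts_text = fh.read()
    real = os.path.realpath(db_dir)
    fstype = fstype_for(real, parse_mounts(mounts_text))
    return fstype in VOLATILE_FSTYPES, real, fstype


# Constructed sample: the layout described in the thread, with a made-up instance name.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/mapper/vg-var /var ext4 rw,relatime 0 0
"""
SAMPLE_DB_DIR = "/var/lib/dirsrv/slapd-EXAMPLE-COM/db"
SAMPLE_LINKS = {SAMPLE_DB_DIR: "/dev/shm/db"}

if __name__ == "__main__":
    volatile, real, fstype = db_dir_is_volatile(SAMPLE_DB_DIR, SAMPLE_MOUNTS, SAMPLE_LINKS)
    state = "WILL NOT SURVIVE REBOOT" if volatile else "ok"
    print(f"{SAMPLE_DB_DIR} -> {real} ({fstype}): {state}")
```

The point of resolving the symlink before matching is that a backup job which only looks at /var/lib/dirsrv sees an ext4 path and is satisfied; only the resolved target shows the tmpfs. The same applies to the changelog and any `nsslapd-directory` override in dse.ldif, which this check does not read.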
Re: [Freeipa-users] authentication against compat
On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
> Is this server or client side where sudo_provider=ipa is included in ver 1.11.x?

Client side (sssd)

> My fedora 20 client doesn't have this option listed, or is it baked in?

Where exactly do you see the documentation lacking, perhaps the sssd-ipa man page, or the sssd-sudo man page? I agree that docs are important, but my view might be skewed because I know the internals..

All that should be required with 1.9.6 or 1.11.x is:
    sudo_provider=ipa

And enabling the 'sss' module in /etc/nsswitch.conf:
    sudoers: files sss

That's it. Please let us know if you find any bugs in code or docs.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
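The two client-side settings named in the reply above (sudo_provider in the SSSD domain section and `sss` on the `sudoers:` line of nsswitch.conf) are easy to get half right, and a client that has only one of them silently falls back to the local sudoers file. The following Python is an added example, not code from the thread, from SSSD or from FreeIPA. It reads both files as text and returns the concrete findings. The sample configurations are constructed: a freshly enrolled client with no sudo settings, then the same files after the fix. It treats a missing sudo_provider as a finding because the thread asks for it explicitly; later SSSD releases fall back to the id_provider when it is unset, so adjust the check for those.

```python
import configparser
from typing import List

# Added example, not SSSD or FreeIPA code. Checks the two client-side
# settings named in the thread: sudo_provider in sssd.conf and 'sss' on
# the sudoers line of /etc/nsswitch.conf.


def check_sssd_conf(text: str) -> List[str]:
    """Return findings for an sssd.conf that should serve sudo rules from IPA."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        # SSSD of this era (1.9/1.11) starts the sudo responder only if listed here.
        findings.append("[sssd] services does not include 'sudo'")

    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd] domains is empty")
    for dom in domains:
        sec = f"domain/{dom}"
        provider = cp.get(sec, "sudo_provider", fallback=None)
        if provider is None:
            findings.append(f"[{sec}] sudo_provider not set (expected 'ipa')")
        elif provider not in ("ipa", "ldap"):
            findings.append(f"[{sec}] sudo_provider={provider!r} cannot fetch IPA sudo rules")
    return findings


def check_nsswitch(text: str) -> List[str]:
    """Return findings for nsswitch.conf; sudo consults SSSD only via 'sudoers: ... sss'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == "sudoers":
            if "sss" in sources.split():
                return []
            return [f"sudoers line present but without 'sss': {line!r}"]
    return ["no 'sudoers:' line in nsswitch.conf; sudo never asks SSSD"]


# Constructed samples: a freshly enrolled client and the same files after the fix.
CLIENT_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.test
"""
FIXED_SSSD_CONF = CLIENT_SSSD_CONF.replace(
    "services = nss, pam, ssh", "services = nss, pam, ssh, sudo"
) + "sudo_provider = ipa\n"

CLIENT_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"
FIXED_NSSWITCH = CLIENT_NSSWITCH + "sudoers: files sss\n"

if __name__ == "__main__":
    for label, conf, nss in (("before", CLIENT_SSSD_CONF, CLIENT_NSSWITCH),
                             ("after", FIXED_SSSD_CONF, FIXED_NSSWITCH)):
        print(label, check_sssd_conf(conf) + check_nsswitch(nss) or "ok")
```

On a real client run it against `/etc/sssd/sssd.conf` (root only, mode 0600) and `/etc/nsswitch.conf`; the "before" sample reproduces the situation in the thread, where the nsswitch.conf posted later in this thread has no `sudoers:` entry at all.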
Re: [Freeipa-users] authentication against compat
I don't think this is an issue of bugs or documentation, more of design. Perhaps there's someplace other than a users list this belongs in but:

If IPA is a centrally managed identity and access control system, should these configurations not be passed to clients, rather than every client needing configuration changes post join? Obviously I can automate config changes, but why would I want to? I don't think sudoers priv is a fringe case, it's pretty much THE case for access/admin control. I cringe to compare to a Windows domain, but I don't have to manually tell a domain client that it should respect the rules I set on a domain controller, I joined it to the domain for this reason.

Maybe you're working towards this, but in the meantime it would be great if the options existed in the config files so we immediately know what options are available and can comment/uncomment them rather than searching around man pages for options that might exist.

I believe you were looking for a documentation bug:

# man sssd-sudo
To enable SSSD as a source for sudo rules, add sss to the sudoers entry in nsswitch.conf(5). For example, to configure sudo to first lookup rules in the standard sudoers(5) file (which should contain rules that apply to local users) and then in SSSD, the nsswitch.conf file should contain the following line:
    sudoers: files sss

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus             Use NIS+ (NIS version 3)
#   nis                 Use NIS (NIS version 2), also called YP
#   dns                 Use DNS (Domain Name Service)
#   files               Use the local files
#   db                  Use the local database (.db) files
#   compat              Use NIS on compat mode
#   hesiod              Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#
# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files sss
shadow:     files sss
group:      files sss
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files mdns4_minimal [NOTFOUND=return] dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus

Entry does not exist.

Steve Dainard
IT Infrastructure Manager
Miovision http://miovision.com/ | Rethink Traffic
Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision
--
Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.

On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek jhro...@redhat.com wrote:

> On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
>> Is this server or client side where sudo_provider=ipa is included in ver 1.11.x?
>
> Client side (sssd)
>
>> My fedora 20 client doesn't have this option listed, or is it baked in?
>
> Where exactly do you see the documentation lacking, perhaps the sssd-ipa man page, or the sssd-sudo man page? I agree that docs are important, but my view might be skewed because I know the internals..
>
> All that should be required with 1.9.6 or 1.11.x is:
>     sudo_provider=ipa
>
> And enabling the 'sss' module in /etc/nsswitch.conf:
>     sudoers: files sss
>
> That's it. Please let us know if you find any bugs in code or docs.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Setting up sudo
The documentation is kinda vague on some parts. From the documentation:

    Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.

So is this user supposed to be already predefined, or do I need to create the user and then modify them?

Thanks
-Todd

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Setting up sudo
And if I am configuring the sudo-ldap.conf, what should it look like? Does anyone have an example?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

> The documentation is kinda vague on some parts. From the documentation:
>
>     Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.
>
> So is this user supposed to be already predefined, or do I need to create the user and then modify them?
>
> Thanks
> -Todd

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authentication against compat
On 02/13/2014 06:04 PM, Steve Dainard wrote:
> I don't think this is an issue of bugs or documentation, more of design. Perhaps there's someplace other than a users list this belongs in but:
>
> If IPA is a centrally managed identity and access control system, should these configurations not be passed to clients, rather than every client needing configuration changes post join? Obviously I can automate config changes, but why would I want to? I don't think sudoers priv is a fringe case, it's pretty much THE case for access/admin control. I cringe to compare to a Windows domain, but I don't have to manually tell a domain client that it should respect the rules I set on a domain controller, I joined it to the domain for this reason.
>
> Maybe you're working towards this, but in the meantime it would be great if the options existed in the config files so we immediately know what options are available and can comment/uncomment them rather than searching around man pages for options that might exist.
>
> I believe you were looking for a documentation bug:
>
> # man sssd-sudo
> To enable SSSD as a source for sudo rules, add sss to the sudoers entry in nsswitch.conf(5). For example, to configure sudo to first lookup rules in the standard sudoers(5) file (which should contain rules that apply to local users) and then in SSSD, the nsswitch.conf file should contain the following line:
>     sudoers: files sss
>
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Valid entries include:
> #
> #   nisplus             Use NIS+ (NIS version 3)
> #   nis                 Use NIS (NIS version 2), also called YP
> #   dns                 Use DNS (Domain Name Service)
> #   files               Use the local files
> #   db                  Use the local database (.db) files
> #   compat              Use NIS on compat mode
> #   hesiod              Use Hesiod for user lookups
> #   [NOTFOUND=return]   Stop searching if not found so far
> #
> # To use db, put the db in front of files for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> #initgroups: files
>
> #hosts:     db files nisplus nis dns
> hosts:      files mdns4_minimal [NOTFOUND=return] dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files sss
> aliases:    files nisplus
>
> Entry does not exist.
>
> Steve Dainard
> IT Infrastructure Manager
> Miovision http://miovision.com/ | Rethink Traffic
> Blog http://miovision.com/blog | LinkedIn https://www.linkedin.com/company/miovision-technologies | Twitter https://twitter.com/miovision | Facebook https://www.facebook.com/miovision
>
> Miovision Technologies Inc. | 148 Manitou Drive, Suite 101, Kitchener, ON, Canada | N2C 1L3
> This e-mail may contain information that is privileged or confidential. If you are not the intended recipient, please delete the e-mail and any attachments and notify us immediately.
>
> On Thu, Feb 13, 2014 at 5:15 PM, Jakub Hrozek jhro...@redhat.com wrote:
>
>> On Thu, Feb 13, 2014 at 03:05:07PM -0500, Steve Dainard wrote:
>>> Is this server or client side where sudo_provider=ipa is included in ver 1.11.x?
>>
>> Client side (sssd)
>>
>>> My fedora 20 client doesn't have this option listed, or is it baked in?
>>
>> Where exactly do you see the documentation lacking, perhaps the sssd-ipa man page, or the sssd-sudo man page? I agree that docs are important, but my view might be skewed because I know the internals..
>>
>> All that should be required with 1.9.6 or 1.11.x is:
>>     sudo_provider=ipa
>>
>> And enabling the 'sss' module in /etc/nsswitch.conf:
>>     sudoers: files sss
>>
>> That's it. Please let us know if you find any bugs in code or docs.
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

Managing configuration files is outside of scope of IPA or SSSD. We looked at this at the beginning of the IPA project and got push back from
Re: [Freeipa-users] Setting up sudo
On 02/13/2014 06:23 PM, Todd Maugh wrote:
> And if I am configuring the sudo-ldap.conf, what should it look like? Does anyone have an example?

You have two options. Sudo can be integrated with SSSD or not.

If you want SUDO to be integrated then this should help:
http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

If you want to use SUDO independently from sssd and connect directly to IPA from SUDO you need to configure sudo-ldap.conf and use some user to bind to IPA. This user should be configured in the file. See more details in the IPA docs:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#config-sudo-clients

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Thursday, February 13, 2014 3:17 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Setting up sudo
>
>> The documentation is kinda vague on some parts. From the documentation:
>>
>>     Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.
>>
>> So is this user supposed to be already predefined, or do I need to create the user and then modify them?
>>
>> Thanks
>> -Todd
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] authentication against compat
On Thu, 13 Feb 2014, Steve Dainard wrote:
> I don't think this is an issue of bugs or documentation, more of design. Perhaps there's someplace other than a users list this belongs in but:
>
> If IPA is a centrally managed identity and access control system, should these configurations not be passed to clients, rather than every client needing configuration changes post join? Obviously I can automate config changes, but why would I want to?
>
> I don't think sudoers priv is a fringe case, it's pretty much THE case for access/admin control.
>
> I cringe to compare to a Windows domain, but I don't have to manually tell a domain client that it should respect the rules I set on a domain controller, I joined it to the domain for this reason.

When the majority of expected features are already implemented, it is easy to fall into the assumption that everything has to be complete from the start. That's understandable, but we are dealing with a living and evolving project where a feature addition often means integrating across multiple actual free software projects, all with their own priorities and schedules, step by step, or things will never happen.

SUDO integration is not an exception here. First we needed to expand SUDO's support for external plugins. When SUDO data was placed in LDAP, it appeared that the existing schema isn't really optimal, so the FreeIPA schema was designed better (but incompatible with the existing one from SUDO LDAP), but required a compatibility part to work with the existing SUDO LDAP plugin. Next, we implemented a SUDO provider in SSSD for the existing SUDO LDAP schema as it gave SSSD wider coverage of SUDO support. Now we implemented support for the native FreeIPA schema. The next step is to integrate configuration of it in ipa-client-install so that clients will get set up properly if there are SUDO rules configured on the server or ipa-client-install was actually given a bless from the admin (via CLI option or answering a question). It takes time and effort.

Unsurprisingly, this is a relatively minor feature in the grand picture because we have dozens of such features all asking for attention and time, and our development teams are not expanding infinitely regardless of how we all wished. :) Any help is welcome!

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] IPA Replica cannot add user
On 02/13/2014 06:55 PM, Bruno Henrique Barbosa wrote:
> Hi everyone,
>
> I've installed my IPA environment as follows:
>
> ipa01.example.com - master install
> ipa02.example.com - replica install, as the guide says, with ipa-replica-prepare on ipa01 and ipa-replica-install using the gpg key generated.
>
> All good, environment is fine, can access both UIs, but the underlying problem is: I can edit and remove users from IPA using instance ipa02 (replica), but I CANNOT add users from that instance.
>
> In the UI, the error returned is:
>
>     IPA Error 4203
>     Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>
> Via command-line, debug-enabled:
>
>     root@ipa02's password:
>     Last login: Thu Feb 13 15:36:34 2014
>     [root@ipa02 ~]# kinit admin
>     Password for ad...@example.com:
>     [root@ipa02 ~]# ipa-replica-manage list
>     ipa01.example.com: master
>     ipa02.example.com: master
>     [root@ipa02 ~]# klist
>     Ticket cache: FILE:/tmp/krb5cc_0
>     Default principal: ad...@example.com
>
>     Valid starting     Expires            Service principal
>     02/13/14 15:37:48  02/14/14 15:37:29  krbtgt/example@example.com
>     02/13/14 15:38:03  02/14/14 15:37:29  ldap/ipa02.example@example.com
>     [root@ipa02 ~]# ipa -d user-add usertest
>     ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>     ipa: DEBUG: args=klist -V
>     ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>     ipa: DEBUG: stderr=
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>     ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>     ipa: