Re: [Freeipa-users] FreeIPA Web UI error: Service Unavailable

2014-09-11 Thread Tevfik Ceydeliler


Yes, I can use ipa on the CLI.
On 11-09-2014 20:17, Petr Vobornik wrote:

On 11.9.2014 13:36, Tevfik Ceydeliler wrote:

Hi,
thanks for the comment.
I really don't care about single sign-on or something like that now :)
All I want is to get my IPA server back :)
I checked the IPA status and:
[root@srv httpd]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
Seems no problem on that side.
Now I will reset my httpd error log and restart the server.

[root@srv httpd]# more error_log
[Thu Sep 11 14:22:59 2014] [notice] caught SIGTERM, shutting down
[Thu Sep 11 14:24:18 2014] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 11 14:24:18 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 11 14:24:18 2014] [notice] Digest: generating secret for digest authentication ...
[Thu Sep 11 14:24:18 2014] [notice] Digest: done
[Thu Sep 11 14:24:19 2014] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.15.1 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***

And

[root@srv httpd]# service iptables status
iptables: Firewall is not running

Seems no problem here.

Which service is not available?


Is the "Service not available" a generic browser 503 error, or is it
displayed in the FreeIPA Web UI (can you access the Web UI, but it doesn't work)?


Does CLI work on the server?



On 11-09-2014 14:18, Petr Vobornik wrote:

Hello Tevfik,

comments inline

On 11.9.2014 12:24, Tevfik Ceydeliler wrote:


Hi all,
I tried to do single sign-on for the FreeIPA Web UI according to "4.3.3.
Configuring the Browser".
I did the browser side and then turned back to the server side, and ran these
commands:

# scp /etc/krb5.conf r...@externalmachine.example.com:/etc/krb5_ipa.conf

and


I assume that you want to configure the machine without enrolling it as a
FreeIPA client. If not, I would suggest enrolling it as a client using
ipa-client-install. Then you don't have to do anything else except the browser
config.

Why /etc/krb5_ipa.conf? It should be /etc/krb5.conf.



vim /etc/httpd/conf.d/ipa.conf

and change this:

KrbMethodK5Passwd off  --> to --> KrbMethodK5Passwd on


FreeIPA's Web UI supports forms-based auth, so this is not usually needed.




and restart httpd.

Then nothing changed. And then I rolled back /etc/httpd/conf.d/ipa.conf in vim.

Now when I try to open the Web UI I get a popup error:
"Service Unavailable"


run:

ipactl status
or
systemctl status httpd.service

or inspect

   /var/log/httpd/error_log

to find out if the web server is running - it might not be, because of
invalid modifications in /etc/httpd/conf.d/ipa.conf; the reason should
be in the log.




Have you any idea?



--



The information contained in this e-mail and any files transmitted with it are
intended solely for the use of the individual or entity to whom they are
addressed and Yasar Group Companies do not accept legal responsibility for the
contents. If you are not the intended recipient, please immediately notify the
sender and delete it from your system.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] Max life set 0 already but still prompts admin to reset password every 3 months

2014-09-11 Thread barrykfl
Hi:

I set max life to no expiry already, but it still prompts to reset the password every 3
months.

Any idea how to disable it??? What is happening?

Regards

[Freeipa-users] Use of SAN's with automatic certificates in FreeIPA 4

2014-09-11 Thread Michael Lasevich
If I remember correctly, you could not use SAN (Subject Alternate Names)
for certificates in FreeIPA 3.0 - is this still the case with 4?

I have hosts that automatically receive two hostnames, a long proper name
(like "service-i-12345678") and a simpler cname based on an index for ease
of access (like "service-1") - however, since the OS hostname is the "proper"
one, certs would typically be issued to that name. I want my users to be
able to hit it via the simpler "index" names. Is that currently possible
(esp. given that the cnames are actually in a different DNS domain)?

Thanks,

-M

Re: [Freeipa-users] FreeIPA Web UI error: Service Unavailable

2014-09-11 Thread Petr Vobornik

On 11.9.2014 13:36, Tevfik Ceydeliler wrote:

Hi,
thanks for the comment.
I really don't care about single sign-on or something like that now :)
All I want is to get my IPA server back :)
I checked the IPA status and:
[root@srv httpd]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
Seems no problem on that side.
Now I will reset my httpd error log and restart the server.

[root@srv httpd]# more error_log
[Thu Sep 11 14:22:59 2014] [notice] caught SIGTERM, shutting down
[Thu Sep 11 14:24:18 2014] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 11 14:24:18 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 11 14:24:18 2014] [notice] Digest: generating secret for digest authentication ...
[Thu Sep 11 14:24:18 2014] [notice] Digest: done
[Thu Sep 11 14:24:19 2014] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.15.1 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***

And

[root@srv httpd]# service iptables status
iptables: Firewall is not running

Seems no problem here.

Which service is not available?


Is the "Service not available" a generic browser 503 error, or is it
displayed in the FreeIPA Web UI (can you access the Web UI, but it doesn't work)?


Does CLI work on the server?



On 11-09-2014 14:18, Petr Vobornik wrote:

Hello Tevfik,

comments inline

On 11.9.2014 12:24, Tevfik Ceydeliler wrote:


Hi all,
I tried to do single sign-on for the FreeIPA Web UI according to "4.3.3.
Configuring the Browser".
I did the browser side and then turned back to the server side, and ran these
commands:

# scp /etc/krb5.conf r...@externalmachine.example.com:/etc/krb5_ipa.conf
and


I assume that you want to configure the machine without enrolling it as a
FreeIPA client. If not, I would suggest enrolling it as a client using
ipa-client-install. Then you don't have to do anything else except the browser
config.

Why /etc/krb5_ipa.conf? It should be /etc/krb5.conf.



vim /etc/httpd/conf.d/ipa.conf

and change this:

KrbMethodK5Passwd off  --> to --> KrbMethodK5Passwd on


FreeIPA's Web UI supports forms-based auth, so this is not usually needed.



and restart httpd.

Then nothing changed. And then I rolled back /etc/httpd/conf.d/ipa.conf in vim.

Now when I try to open the Web UI I get a popup error:
"Service Unavailable"


run:

ipactl status
or
systemctl status httpd.service

or inspect

   /var/log/httpd/error_log

to find out if the web server is running - it might not be, because of
invalid modifications in /etc/httpd/conf.d/ipa.conf; the reason should be in the
log.



Have you any idea?


--
Petr Vobornik

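As an added illustration of the triage Petr describes (not code from the thread or from FreeIPA), the script below parses the Apache 2.2 error_log format quoted above, checks whether httpd actually came back after the last shutdown, and separates real errors from FreeIPA's own INFO lines, which mod_wsgi records under Apache's [error] tag. The log samples, the mod_wsgi exception text and the client address are constructed for the example.

```python
"""Triage an Apache 2.2 error_log after an httpd restart.

Added example, not code from the thread or from FreeIPA. The two log
texts below are constructed for the example.
"""
import re
from datetime import datetime
from typing import List, NamedTuple

# Apache 2.2 entry: [Thu Sep 11 14:24:23 2014] [error] message
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# FreeIPA's WSGI application writes "ipa: LEVEL: text" to stderr; httpd
# records stderr output under its own [error] tag whatever the IPA level,
# which is why "[error] ipa: INFO: *** PROCESS START ***" is not an error.
IPA_RE = re.compile(r"^ipa: (?P<ipalevel>[A-Z]+): ")
TS_FMT = "%a %b %d %H:%M:%S %Y"
ERROR_LEVELS = {"error", "crit", "alert", "emerg"}


class Entry(NamedTuple):
    when: datetime
    level: str       # Apache's own level tag
    effective: str   # IPA's level when the line came from FreeIPA, else Apache's
    message: str


def parse_error_log(text: str) -> List[Entry]:
    """Parse error_log lines; unprefixed lines are continuations (tracebacks)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            if entries and line.strip():
                last = entries[-1]
                entries[-1] = last._replace(message=last.message + "\n" + line)
            continue
        msg = m.group("msg")
        ipa = IPA_RE.match(msg)
        effective = ipa.group("ipalevel").lower() if ipa else m.group("level")
        entries.append(Entry(datetime.strptime(m.group("ts"), TS_FMT),
                             m.group("level"), effective, msg))
    return entries


def last_start_ok(entries: List[Entry]) -> bool:
    """True if the newest 'resuming normal operations' follows the newest SIGTERM."""
    started = stopped = None
    for e in entries:
        if "resuming normal operations" in e.message:
            started = e.when
        elif "caught SIGTERM" in e.message:
            stopped = e.when
    return started is not None and (stopped is None or started > stopped)


def errors_since_start(entries: List[Entry]) -> List[Entry]:
    """Genuine error-level entries after the most recent successful start."""
    start = 0
    for i, e in enumerate(entries):
        if "resuming normal operations" in e.message:
            start = i
    return [e for e in entries[start:] if e.effective in ERROR_LEVELS]


# Constructed sample: a healthy restart like the one quoted in the thread.
HEALTHY_LOG = """\
[Thu Sep 11 14:22:59 2014] [notice] caught SIGTERM, shutting down
[Thu Sep 11 14:24:18 2014] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 11 14:24:19 2014] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***
"""

# Constructed sample: a start, a WSGI failure, then a shutdown with no
# restart after it (what a bad edit to ipa.conf can leave behind).
BROKEN_LOG = """\
[Thu Sep 11 14:22:59 2014] [notice] caught SIGTERM, shutting down
[Thu Sep 11 14:30:01 2014] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
[Thu Sep 11 14:30:05 2014] [error] ipa: INFO: *** PROCESS START ***
[Thu Sep 11 14:30:09 2014] [error] [client 192.0.2.10] mod_wsgi (pid=4321): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Sep 11 14:30:09 2014] [error] [client 192.0.2.10] Traceback (most recent call last):
    raise RuntimeError("constructed example failure")
[Thu Sep 11 14:31:00 2014] [notice] caught SIGTERM, shutting down
"""


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_LOG), ("broken", BROKEN_LOG)):
        log = parse_error_log(text)
        print(f"{name}: httpd up={last_start_ok(log)}, errors="
              f"{[e.message.splitlines()[0] for e in errors_since_start(log)]}")
```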

Re: [Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

2014-09-11 Thread Alexander Bokovoy

On Thu, 11 Sep 2014, Traiano Welcome wrote:

This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
in the part where it talks about /usr/share/ipa/smb.conf.empty.




I've attached the debug logs, I'd be thankful if you could find anything
in them!

Can you please keep debugging and re-establish the trust using AD
credentials?

I can see that AD DC does believe yet the trust is working:
Ticket in credentials cache for @LINUX will expire in 86400 secs
GSS client Update(krb5)(1) Update failed: Unspecified GSS failure.
Minor code may provide more information: KDC policy rejects request

"KDC policy rejects request" means AD-side of the trust is not set and
verified.

By running 'ipa trust-add ... --admin ..' you'll force AD DC to reset trust
and verify it.


--
/ Alexander Bokovoy



Re: [Freeipa-users] BIND not starting after IPA install

2014-09-11 Thread Petr Spacek

On 11.9.2014 14:20, Renier Gertzen wrote:

Hi,

My bind server refuses to start. I get the following:
Sep 11 14:14:40 orpst named-sdb[4343]: generating session key for dynamic DNS
Sep 11 14:14:40 orpst named-sdb[4343]: sizing zone task pool based on 6 zones
Sep 11 14:14:40 orpst named-sdb[4343]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind'
Sep 11 14:15:30 orpst named-sdb[4343]: Failed to retrieve default realm 
(Configuration file does not specify default realm)
Sep 11 14:15:30 orpst named-sdb[4343]: Failed to init credentials (Cryptosystem 
internal error)
Sep 11 14:15:30 orpst named-sdb[4343]: loading configuration: failure
Sep 11 14:15:30 orpst named-sdb[4343]: exiting (due to fatal error)

System is running Oracle Linux 6.5

The following is my config:
dynamic-db "ipa" {
 library "ldap.so";
 arg "uri ldapi://%2fvar%2frun%2fslapd-SUBDOM-EXAMPLE-COM.socket";
 arg "base cn=dns, dc=subdom,dc=example,dc=com";
 arg "fake_mname server.subdom.example.com.";
 arg "auth_method sasl";
 arg "sasl_mech GSSAPI";
 arg "sasl_user DNS/server.subdom.example@server.subdom.com";
 arg "zone_refresh 0";
 arg "psearch yes";
 arg "serial_autoincrement yes";
};

Any assistance would be appreciated.



Hello!

Do you use IPA or not? Which version of IPA and bind-dyndb-ldap do you have?

AFAIK bind-dyndb-ldap was never tested with sdb version of named...

Anyway, I would try to look into /etc/krb5.conf and double check that it
contains lines like these:


[libdefaults]
default_realm = IPA.EXAMPLE

Have a nice day!

--
Petr^2 Spacek

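As an added example (not code from the thread or from bind-dyndb-ldap), here is a small check for the /etc/krb5.conf condition Petr points at: it parses the krb5.conf profile format and reports when [libdefaults] lacks default_realm, the condition behind the "Configuration file does not specify default realm" message in Renier's log. Both sample configs are constructed, and include/includedir directives are ignored (an assumption; libkrb5 would merge those files too).

```python
"""Check a krb5.conf for the default_realm that named-sdb complained about.

Added example, not code from the thread or from bind-dyndb-ldap. The two
configs below are constructed; include/includedir lines are ignored.
"""
import re
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\[(\w+)\]$")
Profile = Dict[str, Dict[str, str]]


def parse_krb5_conf(text: str) -> Profile:
    """Return top-level 'key = value' relations per section.

    Braced subsections (the per-realm blocks under [realms]) are recorded by
    name only; their nested relations are skipped by tracking brace depth.
    """
    sections: Profile = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("include"):
            continue
        m = SECTION_RE.match(line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            if current is not None and depth == 0:
                sections[current][line[:-1].strip(" =")] = "{...}"
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if current is None or depth or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def default_realm(text: str) -> Optional[str]:
    """The realm libkrb5 uses when a principal omits one, or None if unset."""
    return parse_krb5_conf(text).get("libdefaults", {}).get("default_realm")


def diagnose(text: str) -> List[str]:
    """Findings relevant to the named startup failure quoted in the thread."""
    sections = parse_krb5_conf(text)
    realm = sections.get("libdefaults", {}).get("default_realm")
    findings: List[str] = []
    if realm is None:
        findings.append("[libdefaults] has no default_realm; GSSAPI credential "
                        "setup fails with 'Configuration file does not specify "
                        "default realm'")
        return findings
    if realm != realm.upper():
        findings.append(f"default_realm '{realm}' is not upper-case; realm "
                        "names are case-sensitive and conventionally upper-case")
    if realm not in sections.get("realms", {}):
        findings.append(f"no [realms] block for {realm}; KDC lookup then "
                        "depends on DNS SRV records")
    return findings


# Constructed: a krb5.conf with the realm defined but no default_realm.
BROKEN_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 IPA.EXAMPLE = {
  kdc = server.subdom.example.com:88
  admin_server = server.subdom.example.com:749
 }
"""

# Constructed: the same file with the line Petr asks to check added.
GOOD_CONF = """\
[libdefaults]
 default_realm = IPA.EXAMPLE
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 IPA.EXAMPLE = {
  kdc = server.subdom.example.com:88
  admin_server = server.subdom.example.com:749
 }

[domain_realm]
 .subdom.example.com = IPA.EXAMPLE
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(name, default_realm(conf), diagnose(conf))
```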


Re: [Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

2014-09-11 Thread Traiano Welcome
On Thu, Sep 11, 2014 at 6:06 PM, Traiano Welcome  wrote:

> Hi Alexander
>
>
>
> On Thu, Sep 11, 2014 at 4:38 PM, Alexander Bokovoy 
> wrote:
>
>> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>>
>>> Hi List
>>>
>>> I'm currently working through the IPAv3 AD integration document at:
>>>
>>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>>
>>>
>>> I've managed to establish a trust between the IdM and the AD server.
>>> However, when I run the command:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
>>> ipa: ERROR: unknown command 'trustdomain-fetch'
>>> ---
>>>
>>> It would appear the  'trustdomain-fetch' command is not present anymore
>>> or
>>> has been replaced with something else?
>>>
>> No, it was my mistake when I expanded the wiki few days ago. ;)
>>
>> # ipa trust 2>&1|grep '  trust'
>>  trust-add            Add new trust to use.
>>  trust-del            Delete a trust.
>>  trust-fetch-domains  Refresh list of the domains associated with the trust
>>  trust-find           Search for trusts.
>>  trust-mod            Modify a trust (for future use).
>>  trust-show           Display information about a trust.
>>  trustconfig-mod      Modify global trust configuration.
>>  trustconfig-show     Show global trust configuration.
>>  trustdomain-del      Remove infromation about the domain associated with the trust.
>>  trustdomain-disable  Disable use of IPA resources by the domain of the trust
>>  trustdomain-enable   Allow use of IPA resources by the domain of the trust
>>  trustdomain-find     Search domains of the trust
>>
>> I fixed the page to use proper one -- trust-fetch-domains.
>>
>>
>
> Excellent. Thanks.
>
>
>
>
>
>
>>> I speculate it's this:
>>>
>>> ---
>>> [root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
>>> ipa: ERROR: AD domain controller complains about communication sequence.
>>> It
>>> may mean unsynchronized time on both sides, for example
>>> ---
>>>
>>> Is this correct?
>>>
>>>
>>> If indeed "trust-fetch-domains" is the correct command, then .w.r.t this
>>> error message:
>>>
>>> "ipa: ERROR: AD domain controller complains about communication sequence.
>>> It may mean unsynchronized time on both sides, for example"
>>>
>>> a) Checked the time synch on the AD server and the RHEL 7 IdM server and
>>> it's fine.
>>>
>> Check time zone. I've seen many times that time zone on test Windows
>> installs is set to PDT while your actual zone might be something
>> different; thus it gets out of sync.
>>
>>
>
> Timezones appear synced/the same:
>
>  - IPA server: Thu Sep 11 18:01:58 AST 2014
>  - Windows AD server: Thursday, September 11, 2014, 6:02:10 PM  TZ:
> (UTC+03:00) Kuwait, Riyadh
>
>


Just to confirm they're both in sync, I've set the IdM server to use the AD
DC as an ntp service:

---
[root@kwtpocidm001 ~]# ntpdate -u 172.16.107.109
11 Sep 19:29:11 ntpdate[2736]: adjust time server 172.16.107.109 offset
-0.146107 sec
---

>
>
>
>
>>> b) Here's a snippet around the error when running ipa with "-d":
>>>
>> This one is not usable. You need to enable debugging on the server side.
>> See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#
>> Debugging_trust
>> in the part where it talks about /usr/share/ipa/smb.conf.empty.
>>
>>
>
> I've attached the debug logs, I'd be thankful if you could find anything
> in them!
>
>
>> --
>> / Alexander Bokovoy
>>
>
> Traiano Welcome
>
>
>

Re: [Freeipa-users] FreeIPA, SSSD, sudo and Local Users

2014-09-11 Thread Jakub Hrozek
On Wed, Sep 10, 2014 at 09:58:27PM +, Trevor T Kates (Services - 6) wrote:
> Hi all:
> 
> I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a
> quirky problem. From what I've read thus far, sudo under SSSD can't provide
> sudo rules for local users that are not part of the directory. To get around
> this, I've been using the sudo-ldap.conf file to provide sudo with direct
> access to the directory. This, however, can't make use of service discovery,
> so if the first server in the ldap_uri list is taken down, sudo delays for
> the length of the timeout set. My idea for getting around this has been to
> use sudo in SSSD for users that are in the directory and let sudo-ldap take
> care of local users with a line in nsswitch.conf like this:
> 
> sudoers: files sss ldap

I think this is more of a sudo question and I'm not familiar enough with
the sudo code to answer this question well. I added the sudo Fedora
maintainer to CC; maybe he has some ideas?

> 
> My problem now seems to be that the ldap query is still run even if a
> successful hit is made to sssd. Changing the line in nsswitch.conf to:
> 
> sudoers: files sss [success=return] ldap

I don't think [success=return] will work here. Despite sudoers being
configured in nsswitch.conf, it's not actually an NSS map handled by
glibc. sudo itself parses the file.

> 
> doesn't seem to actually work.
> 
> Does anyone have pointers on how I can resolve this particular problem?
> 
> Thanks!
> 
> 
> Trevor T. Kates
> 
> 
> 
> 
> CONFIDENTIALITY NOTICE:  This electronic message contains information which 
> may be legally confidential and or privileged and does not in any case 
> represent a firm ENERGY COMMODITY bid or offer relating thereto which binds 
> the sender without an additional express written confirmation to that effect. 
>  The information is intended solely for the individual or entity named above 
> and access by anyone else is unauthorized.  If you are not the intended 
> recipient, any disclosure, copying, distribution, or use of the contents of 
> this information is prohibited and may be unlawful.  If you have received 
> this electronic transmission in error, please reply immediately to the sender 
> that you have received the message in error, and delete it.  Thank you.
> 


Re: [Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

2014-09-11 Thread Alexander Bokovoy

On Thu, 11 Sep 2014, Traiano Welcome wrote:

Hi List

I'm currently working through the IPAv3 AD integration document at:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup


I've managed to establish a trust between the IdM and the AD server.
However, when I run the command:

---
[root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
ipa: ERROR: unknown command 'trustdomain-fetch'
---

It would appear the 'trustdomain-fetch' command is not present anymore or
has been replaced with something else?

No, it was my mistake when I expanded the wiki a few days ago. ;)

# ipa trust 2>&1|grep '  trust'
 trust-add            Add new trust to use.
 trust-del            Delete a trust.
 trust-fetch-domains  Refresh list of the domains associated with the trust
 trust-find           Search for trusts.
 trust-mod            Modify a trust (for future use).
 trust-show           Display information about a trust.
 trustconfig-mod      Modify global trust configuration.
 trustconfig-show     Show global trust configuration.
 trustdomain-del      Remove infromation about the domain associated with the trust.
 trustdomain-disable  Disable use of IPA resources by the domain of the trust
 trustdomain-enable   Allow use of IPA resources by the domain of the trust
 trustdomain-find     Search domains of the trust

I fixed the page to use the proper one -- trust-fetch-domains.


I speculate it's this:

---
[root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
ipa: ERROR: AD domain controller complains about communication sequence. It
may mean unsynchronized time on both sides, for example
---

Is this correct?


If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
error message:

"ipa: ERROR: AD domain controller complains about communication sequence.
It may mean unsynchronized time on both sides, for example"

a) Checked the time synch on the AD server and the RHEL 7 IdM server and
it's fine.

Check time zone. I've seen many times that time zone on test Windows
installs is set to PDT while your actual zone might be something
different; thus it gets out of sync.


b) Here's a snippet around the error when running ipa with "-d":

This one is not usable. You need to enable debugging on the server side.
See http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
in the part where it talks about /usr/share/ipa/smb.conf.empty.

--
/ Alexander Bokovoy



[Freeipa-users] FreeIPA Active directory Integration: ipa "unknown command trustdomain-fetch"

2014-09-11 Thread Traiano Welcome
Hi List

I'm currently working through the IPAv3 AD integration document at:

http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup


I've managed to establish a trust between the IdM and the AD server.
However, when I run the command:

---
[root@kwtpocidm001 ~]# ipa trustdomain-fetch "mhatest.local"
ipa: ERROR: unknown command 'trustdomain-fetch'
---

It would appear the 'trustdomain-fetch' command is not present anymore or
has been replaced with something else?
I speculate it's this:

---
[root@kwtpocidm001 ~]# ipa trust-fetch-domains "mhatest.local"
ipa: ERROR: AD domain controller complains about communication sequence. It
may mean unsynchronized time on both sides, for example
---

Is this correct?


If indeed "trust-fetch-domains" is the correct command, then w.r.t. this
error message:

"ipa: ERROR: AD domain controller complains about communication sequence.
It may mean unsynchronized time on both sides, for example"

a) Checked the time synch on the AD server and the RHEL 7 IdM server and
it's fine.
b) Here's a snippet around the error when running ipa with "-d":


ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
ipa: DEBUG: cert valid True for
"CN=kwtpocidm001.linux.mhatest.local,O=LINUX.MHATEST.LOCAL"
ipa: DEBUG: handshake complete, peer = 172.16.107.108:443
ipa: DEBUG: received Set-Cookie
'ipa_session=1fe28460c7ec75d6da8d7e3b53c2e51f;
Domain=kwtpocidm001.linux.mhatest.local; Path=/ipa; Expires=Thu, 11 Sep
2014 13:12:02 GMT; Secure; HttpOnly'
ipa: DEBUG: storing cookie 'ipa_session=1fe28460c7ec75d6da8d7e3b53c2e51f;
Domain=kwtpocidm001.linux.mhatest.local; Path=/ipa; Expires=Thu, 11 Sep
2014 13:12:02 GMT; Secure; HttpOnly' for principal admin@LINUX.MHATEST.LOCAL
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:admin@LINUX.MHATEST.LOCAL
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=334684795
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl search @s user
ipa_session_cookie:admin@LINUX.MHATEST.LOCAL
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=334684795
ipa: DEBUG: stderr=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=keyctl pupdate 334684795
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa: DEBUG: Caught fault 4016 from server
https://kwtpocidm001.linux.mhatest.local/ipa/session/xml: AD domain
controller complains about communication sequence. It may mean
unsynchronized time on both sides, for example
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: AD domain controller complains about communication sequence. It
may mean unsynchronized time on both sides, for example



Many thanks in advance for any assistance!

Traiano

[Freeipa-users] BIND not starting after IPA install

2014-09-11 Thread Renier Gertzen
Hi,

My bind server refuses to start. I get the following:
Sep 11 14:14:40 orpst named-sdb[4343]: generating session key for dynamic DNS
Sep 11 14:14:40 orpst named-sdb[4343]: sizing zone task pool based on 6 zones
Sep 11 14:14:40 orpst named-sdb[4343]: set up managed keys zone for view 
_default, file 'dynamic/managed-keys.bind'
Sep 11 14:15:30 orpst named-sdb[4343]: Failed to retrieve default realm 
(Configuration file does not specify default realm)
Sep 11 14:15:30 orpst named-sdb[4343]: Failed to init credentials (Cryptosystem 
internal error)
Sep 11 14:15:30 orpst named-sdb[4343]: loading configuration: failure
Sep 11 14:15:30 orpst named-sdb[4343]: exiting (due to fatal error)

System is running Oracle Linux 6.5

The following is my config:
dynamic-db "ipa" {
library "ldap.so";
arg "uri ldapi://%2fvar%2frun%2fslapd-SUBDOM-EXAMPLE-COM.socket";
arg "base cn=dns, dc=subdom,dc=example,dc=com";
arg "fake_mname server.subdom.example.com.";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "sasl_user DNS/server.subdom.example@server.subdom.com";
arg "zone_refresh 0";
arg "psearch yes";
arg "serial_autoincrement yes";
};

Any assistance would be appreciated.

Regards,

--

Re: [Freeipa-users] Branding

2014-09-11 Thread Kodiak Firesmith
Sounds like a job for Puppet.

On Wed, Sep 10, 2014 at 7:58 PM, Dmitri Pal  wrote:
> On 09/10/2014 07:49 PM, William Graboyes wrote:
>>
>>
>> Hi Dimitri,
>>
>> Yeah just the logo should do, I believe I found it at
>> `/usr/share/ipa/ui/images/ipa-logo.png`.  I am more just making sure it
>> is allowed.
>
>
> I do not know what you mean.
> Yes it is allowed.
> But it is your responsibility to either rebuild the package with new bitmap
> and support it in your deployment or change it to your image after every
> update in your deployment.
>
>
>
>>
>> Thanks,
>> Bill
>>
>> On Wed Sep 10 16:42:29 2014, Dmitri Pal wrote:
>>>
>>> On 09/10/2014 06:52 PM, William Graboyes wrote:


 Hi List,

 I am looking into changing the branding on the free-ipa GUI interface.
 This is something that is being requested by my management,
 considering that we are asking users to trust an e-mail prodding them
 to change their password.  I don't see an easy method in the GUI
 interface for changing the logo.  I was wondering if anyone else has
 had need for these changes, and what steps they may have taken to
 change the branding.
>>>
>>> Is it just the logo or other things too, like colors and styles?
>>>
>>>
 Thanks,
 Bill

>>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>


Re: [Freeipa-users] Integrating FreeIPA with ActiveDirectory (Windows 2008 R2)

2014-09-11 Thread Traiano Welcome
Thanks for your responses Alexander, Dimitri and Gerardo. It appears
further debugging will be unnecessary: I reinstalled on RHEL 7 and the
trust established without issue:



[root@kwtpocidm001 ~]# ipa trust-add --type=ad mhatest.local --admin
Administrator --password
Active directory domain administrator's password:
--
Added Active Directory trust for realm "MHATEST.LOCAL"
--
  Realm name: MHATEST.LOCAL
  Domain NetBIOS name: MHATEST
  Domain Security Identifier: S-1-5-21-2226261992-3934846357-352671753
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
  S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, S-1-5-2,
S-1-5-3, S-1-5-4, S-1-5-5, S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, S-1-5-10,
  S-1-5-11, S-1-5-12, S-1-5-13, S-1-5-14, S-1-5-15,
S-1-5-16, S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
[root@kwtpocidm001 ~]#



Now onto the next hurdle :-)



On Thu, Sep 11, 2014 at 12:31 AM, Alexander Bokovoy wrote:

> On Thu, 11 Sep 2014, Traiano Welcome wrote:
>
>> Hi List
>>
>> I've been following the AD integration guide for IPAv3 here:
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> However, when I reach the "Add trust with AD domain" step I get the
>> following error:
>>
>> ---
>> [root@ipa ~]# ipa trust-add --type=ad mhatest.local --admin Administrator
>> --password
>> Active directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code "-1073741801",
>>  message "Memory allocation error" (both may be "None")
>> ---
>>
>> ... And I'm at a loss for how to interpret this :-) Details on my setup:
>>
> Please follow
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
> to provide useful debugging information.
>
>> - Windows 2008 R2 AD DC
>> - CentOS Linux 6.5 IPA server (installed from yum repos)
>>
> Ideally you'd need to use RHEL 7 or CentOS 7 for trusts as IPA version
> 3.3 is more mature in this regard.
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule

2014-09-11 Thread Gregor Bregenzer
Hello Sumit!

Ah, thanks a lot! I was wondering why this worked on the FreeIPA server
(ipa1.linux.intern), but there I have SSSD 1.12. I will try with a
newer client on another client and join the FreeIPA domain.
About the original UID change problem: I will try that again and post
the correct logfiles with the appropriate loglevel.

Thanks!
Gregor

2014-09-11 12:58 GMT+02:00 Sumit Bose :
> On Wed, Sep 10, 2014 at 08:19:15AM +0200, Gregor Bregenzer wrote:
>> Hello Sumit,
>> I think maybe there is a different problem I just discovered by
>> accident. As stated in the first email, I have an AD trust with
>> FreeIPA that receives all POSIX attributes from AD, but I get
>> different values:
>> On the FreeIPA server that has the AD trust (ipa1.linux.intern) I get
>> the correct GID (=1, this is the AD group linuxusers) that is set
>> in AD, but on the client (linux1.linux.intern) I get another one ( =
>> 10005):
>>
>> ipa1.linux.intern
>> 
>> [root@ipa1 httpd]# getent passwd user1@aaa
>> user1@aaa.intern:*:10005:1:user1:/home/aaa.intern/user1:/bin/bash
>>
>> -bash-4.2$ id
>> uid=10005(user1@aaa.intern) gid=1(linuxusers@aaa.intern)
>> groups=1(linuxusers@aaa.intern),193304(ad_users)
>> 
>>
>> linux1.linux.intern
>> 
>> [root@linux1 sssd]# getent passwd user1@aaa
>> user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash
>>
>> [user1@aaa.intern@linux1 ~]$ id
>> uid=10005(user1@aaa.intern) gid=10005(user1@aaa.intern)
>> Gruppen=10005(user1@aaa.intern),193304(ad_users)
>
> Since you are using SSSD-1.9.x on the client this behaviour is expected.
> In this version SSSD could only handle users from a trusted AD domain as
> users with User Private Groups (UPG), hence POSIX UID and GID are the
> same. The additional group memberships are only available after the user
> logged in. For this the PAC from the Kerberos ticket is evaluated. But
> the PAC does not contain any information about POSIX attributes and only
> contains groups the user is member of from the AD point of view. If
> user1 is not a member of the linuxuser AD group SSSD cannot resolve this
> membership.
>
> Nevertheless I think this is not related to the UID change you reported
> earlier.
>
> bye,
> Sumit
>
>>
>> Logfile on ipa1.linux.intern sssd_nss.log
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [user1@aaa.intern].
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1@aaa.intern' matched expression for domain 'aaa.intern', user is user1
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [user1] from [aaa.intern]
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@aaa.intern]
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7fe19e562700
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7fe19e562830
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7fe19e562700 "ltdb_callback"
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7fe19e562830 "ltdb_timeout"
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7fe19e562700 "ltdb_callback"
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [user1@aaa.intern]
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe19e563d40][21]
>>
>> --
>> Logfile on linux1.linux.intern sssd_nss.log
>>
>> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains]
>> (0x0200): name 'user1@aaa' matched expression for domain 'aaa.intern',

Re: [Freeipa-users] FreeIPA Web UI error: Service Unavailable

2014-09-11 Thread Tevfik Ceydeliler


hi,
thanks for the comment.
I really don't care about single sign on or something like that now :)
All I want is to get back my ipa server :)
I checked IPA status and:
[root@srv httpd]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
seems no problem on that side.
Now I will reset my httpd error log and restart the server.

[root@srv httpd]# more error_log
[Thu Sep 11 14:22:59 2014] [notice] caught SIGTERM, shutting down
[Thu Sep 11 14:24:18 2014] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 11 14:24:18 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Sep 11 14:24:18 2014] [notice] Digest: generating secret for digest authentication ...
[Thu Sep 11 14:24:18 2014] [notice] Digest: done
[Thu Sep 11 14:24:19 2014] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.15.1 Basic ECC mod_wsgi/3.2 Python/2.6.6 configured -- resuming normal operations
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***
[Thu Sep 11 14:24:23 2014] [error] ipa: INFO: *** PROCESS START ***

And

[root@srv httpd]# service iptables status
iptables: Firewall is not running

Seems no problem here.

Which service is not available?

On 11-09-2014 14:18, Petr Vobornik wrote:

Hello Tevfik,

comments inline

On 11.9.2014 12:24, Tevfik Ceydeliler wrote:


Hi all,
I tried to do single sign on for FreeIPA Web UI according to "4.3.3.
Configuring the Browser"
I did the browser side and then turned back to the server side. And ran these
commands:

# scp /etc/krb5.conf r...@externalmachine.example.com:/etc/krb5_ipa.conf
and


I assume that you want to configure the machine without enrolling it 
as FreeIPA client. If not, I would suggest you enrolling it as a 
client using ipa-client-install. Then you don't have to do anything 
else except browser config.


Why /etc/krb5_ipa.conf? It should be /etc/krb5.conf



vim /etc/httpd/conf.d/ipa.conf

and change this:

KrbMethodK5Passwd off  --> to --> KrbMethodK5Passwd on


FreeIPA's Web UI supports forms-based auth, so this is not usually needed.



and restart httpd.

Then nothing changed. And then I rolled back vim /etc/httpd/conf.d/ipa.conf

Now when I try to open the Web UI I get a popup error:
"Service Unavailable"


run:

ipactl status
or
systemctl status httpd.service

or inspect

   /var/log/httpd/error_log

to find out if the web server is running - it might not be, because of 
invalid modifications in /etc/httpd/conf.d/ipa.conf; the reason should 
be in the log




Have you any idea?



--



The information contained in this e-mail and any files transmitted with it are 
intended solely for the use of the individual or entity to whom they are 
addressed and Yasar Group Companies do not accept legal responsibility for the 
contents. If you are not the intended recipient, please immediately notify the 
sender and delete it from your system.

Re: [Freeipa-users] FreeIPA Web UI error: Service Unavailable

2014-09-11 Thread Petr Vobornik

Hello Tevfik,

comments inline

On 11.9.2014 12:24, Tevfik Ceydeliler wrote:


Hi all,
I tried to do single sign on for FreeIPA Web UI according to "4.3.3.
Configuring the Browser"
I did the browser side and then turned back to the server side. And ran these
commands:

# scp /etc/krb5.conf r...@externalmachine.example.com:/etc/krb5_ipa.conf
and


I assume that you want to configure the machine without enrolling it as 
FreeIPA client. If not, I would suggest you enrolling it as a client 
using ipa-client-install. Then you don't have to do anything else except 
browser config.


Why /etc/krb5_ipa.conf? It should be /etc/krb5.conf



vim /etc/httpd/conf.d/ipa.conf

and change this:

KrbMethodK5Passwd off  --> to --> KrbMethodK5Passwd on


FreeIPA's Web UI supports forms-based auth, so this is not usually needed.



and restart httpd.

Then nothing changed. And then I rolled back vim /etc/httpd/conf.d/ipa.conf

Now when I try to open the Web UI I get a popup error:
"Service Unavailable"


run:

ipactl status
or
systemctl status httpd.service

or inspect

   /var/log/httpd/error_log

to find out if the web server is running - it might not be, because of 
invalid modifications in /etc/httpd/conf.d/ipa.conf; the reason should be 
in the log




Have you any idea?


--
Petr Vobornik



Re: [Freeipa-users] sssd receives another uid/gid after disabled HBAC rule

2014-09-11 Thread Sumit Bose
On Wed, Sep 10, 2014 at 08:19:15AM +0200, Gregor Bregenzer wrote:
> Hello Sumit,
> I think maybe there is a different problem I just discovered by
> accident. As stated in the first email, I have an AD trust with
> FreeIPA that receives all POSIX attributes from AD, but I get
> different values:
> On the FreeIPA server that has the AD trust (ipa1.linux.intern) I get
> the correct GID (=1, this is the AD group linuxusers) that is set
> in AD, but on the client (linux1.linux.intern) I get another one (=
> 10005):
> 
> ipa1.linux.intern
> 
> [root@ipa1 httpd]# getent passwd user1@aaa
> user1@aaa.intern:*:10005:1:user1:/home/aaa.intern/user1:/bin/bash
> 
> -bash-4.2$ id
> uid=10005(user1@aaa.intern) gid=1(linuxusers@aaa.intern)
> groups=1(linuxusers@aaa.intern),193304(ad_users)
> 
> 
> linux1.linux.intern
> 
> [root@linux1 sssd]# getent passwd user1@aaa
> user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash
> 
> [user1@aaa.intern@linux1 ~]$ id
> uid=10005(user1@aaa.intern) gid=10005(user1@aaa.intern)
> Gruppen=10005(user1@aaa.intern),193304(ad_users)

Since you are using SSSD-1.9.x on the client this behaviour is expected.
In this version SSSD could only handle users from a trusted AD domain as
users with User Private Groups (UPG), hence POSIX UID and GID are the
same. The additional group memberships are only available after the user
logged in. For this the PAC from the Kerberos ticket is evaluated. But
the PAC does not contain any information about POSIX attributes and only
contains groups the user is member of from the AD point of view. If
user1 is not a member of the linuxuser AD group SSSD cannot resolve this
membership.

Nevertheless I think this is not related to the UID change you reported
earlier.

bye,
Sumit

> 
> Logfile on ipa1.linux.intern sssd_nss.log
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [user1@aaa.intern].
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1@aaa.intern' matched expression for domain 'aaa.intern', user is user1
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [user1] from [aaa.intern]
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [user1@aaa.intern]
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7fe19e562700
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7fe19e562830
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Running timer event 0x7fe19e562700 "ltdb_callback"
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x7fe19e562830 "ltdb_timeout"
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x7fe19e562700 "ltdb_callback"
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [user1@aaa.intern]
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe19e563d40][21]
> 
> --
> Logfile on linux1.linux.intern sssd_nss.log
> 
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'user1@aaa' matched expression for domain 'aaa.intern', user is user1
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [nss_cmd_getpwnam] (0x0100): Requesting info for [user1] from [aaa.intern]
> (Wed Sep 10 08:14:42 2014) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/aaa.intern/user1]
> (Wed Sep 10 08:14:42 2014)
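The server/client discrepancy Sumit explains above can be checked mechanically. The following is an added example, not code from this thread or from SSSD: it parses the `getent passwd` and `id` output quoted in the thread (the sample lines below are constructed from those quotes) for both hosts and reports where the client has fallen back to a User Private Group or lacks a group the server resolves.

```python
import re
from dataclasses import dataclass, field

ID_RE = re.compile(r"uid=(\d+)\(([^)]+)\)\s+gid=(\d+)\(([^)]+)\)\s+(?:groups|Gruppen)=(\S+)")
GROUP_RE = re.compile(r"(\d+)\(([^)]+)\)")

@dataclass
class Identity:
    name: str
    uid: int
    gid: int
    groups: dict = field(default_factory=dict)  # gid -> group name

def parse_passwd(line: str) -> Identity:
    """Parse one 'getent passwd' line (seven colon-separated fields)."""
    parts = line.strip().split(":")
    if len(parts) != 7:
        raise ValueError(f"not a passwd entry: {line!r}")
    return Identity(parts[0], int(parts[2]), int(parts[3]))

def parse_id(line: str) -> Identity:
    """Parse 'id' output (English 'groups=' or, as on the client in the thread, German 'Gruppen=')."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError(f"not 'id' output: {line!r}")
    groups = {int(g): n for g, n in GROUP_RE.findall(m.group(5))}
    return Identity(m.group(2), int(m.group(1)), int(m.group(3)), groups)

def host_view(passwd_line: str, id_line: str) -> Identity:
    # Combine both outputs from one host, refusing an inconsistent uid/gid pair.
    pw, ident = parse_passwd(passwd_line), parse_id(id_line)
    if (pw.uid, pw.gid) != (ident.uid, ident.gid):
        raise ValueError(f"passwd and id disagree for {pw.name}")
    return ident

def diagnose(server: Identity, client: Identity) -> list:
    """List how the client's view of a trusted-domain user differs from the server's."""
    findings = []
    if server.uid != client.uid:
        findings.append(f"uid differs: server {server.uid}, client {client.uid}")
    # gid == uid on the client only, while the server shows the AD gid: the User Private Group fallback.
    if client.gid == client.uid and server.gid != server.uid:
        findings.append(f"client uses a User Private Group (gid {client.gid}); server has AD gid {server.gid}")
    for gid in sorted(set(server.groups) - set(client.groups)):
        findings.append(f"group {server.groups[gid]} ({gid}) resolved on server but not on client")
    return findings

# Sample input constructed from the outputs quoted in this thread.
SERVER_PASSWD = "user1@aaa.intern:*:10005:1:user1:/home/aaa.intern/user1:/bin/bash"
SERVER_ID = "uid=10005(user1@aaa.intern) gid=1(linuxusers@aaa.intern) groups=1(linuxusers@aaa.intern),193304(ad_users)"
CLIENT_PASSWD = "user1@aaa.intern:*:10005:10005::/home/user1@aaa.intern:/bin/bash"
CLIENT_ID = "uid=10005(user1@aaa.intern) gid=10005(user1@aaa.intern) Gruppen=10005(user1@aaa.intern),193304(ad_users)"

if __name__ == "__main__":
    for finding in diagnose(host_view(SERVER_PASSWD, SERVER_ID), host_view(CLIENT_PASSWD, CLIENT_ID)):
        print(finding)
```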

[Freeipa-users] FreeIPA Web UI error: Service Unavailable

2014-09-11 Thread Tevfik Ceydeliler


Hi all,
I tried to do single sign on for FreeIPA Web UI according to "4.3.3. 
Configuring the Browser"

I did the browser side and then turned back to the server side. And ran these commands:

# scp /etc/krb5.conf r...@externalmachine.example.com:/etc/krb5_ipa.conf
and

vim /etc/httpd/conf.d/ipa.conf

and change this:

KrbMethodK5Passwd off  --> to --> KrbMethodK5Passwd on

and restart httpd.

Then nothing changed. And then I rolled back vim /etc/httpd/conf.d/ipa.conf

Now when I try to open the Web UI I get a popup error:
"Service Unavailable"

Have you any idea?








Re: [Freeipa-users] Integrating FreeIPA with ActiveDirectory (Windows 2008 R2)

2014-09-11 Thread Gerardo Padierna

Hi Traiano,

I think it really needs quite some memory (I think it's the SELinux 
setboolean part); In my case, I ran some initial configuration tests on 
virtual machines (configured initially with just around 512MB mem), and 
had to increase to close to 800MB for the config setup scripts to run 
fine. Can you monitor your free mem while you run the scripts? (btw, how 
much total mem do you have?)


Regards,
Gerardo


On 11/09/14 at #4, Dmitri Pal wrote:

On 09/10/2014 05:31 PM, Alexander Bokovoy wrote:

On Thu, 11 Sep 2014, Traiano Welcome wrote:

Hi List

I've been following the AD integration guide for IPAv3 here:
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
However, when I reach the "Add trust with AD domain" step I get the
following error:

---
[root@ipa ~]# ipa trust-add --type=ad mhatest.local --admin Administrator --password
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741801",
 message "Memory allocation error" (both may be "None")
---

... And I'm at a loss for how to interpret this :-) Details on my 
setup:

Please follow
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust
to provide useful debugging information.


- Windows 2008 R2 AD DC
- CentOS Linux 6.5 IPA server (installed from yum repos)

Ideally you'd need to use RHEL 7 or CentOS 7 for trusts as IPA version
3.3 is more mature in this regard.



FYI
https://fedorahosted.org/freeipa/ticket/3266



--

*Gerardo Padierna Nanclares*
Systems Technician (ASL group) - [Fujitsu / Logware]
Information Systems Service (DGTI) - Generalitat Valenciana
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A
Tel: 961 208973
Email: asl.gera...@gmail.com
