Re: [Freeipa-users] Radius schema addition to default user objectclasses in FreeIPA 4.1

2014-10-29 Thread Orkhan Gasimov
One last question: if I'm using 2 FreeIPA servers in a multi-master 
replication scenario, should I add the radiusschema.ldif file on both 
servers? Or is it sufficient to add it on just one server?



On 29-Oct-14 09:50, Orkhan Gasimov wrote:

I solved the problem.
I tried to add my radiusschema.ldif using LDAP admin, and it gave an 
error: Line 64: dn expected, but add found.
So instructions here: 
https://www.redhat.com/archives/freeipa-users/2014-February/msg00050.html 
are incomplete.
When creating an ldif-file from the schema-file, it's necessary to 
repeat this part:


dn: cn=schema
changetype: modify

before this part:

add: objectclasses

After that everything proceeds normally, and it's possible to add 
radiusprofile objectclass to default user objectclasses.


On 28-Oct-14 15:43, Orkhan Gasimov wrote:

OK, thanks for info.
First I used that command with "| grep radius" at the end prior to 
adding my radiusschema.ldif.

It returned no data.
Then I added my radiusschema.ldif using the command:

# ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://localhost -f /usr/share/radiusschema.ldif


Then I issued the command you suggested again with "| grep 
radius | less" at the end.
This time it returned a lot of entries (apparently those that were in 
the radiusschema.ldif file).


But when I tried to switch to the GUI and add the radiusprofile 
objectclass, I got the same message:


IPA Error 4001: NotFound

objectclass radiusprofile not found

I know that the radius schema taken from 
http://open.rhx.it/phamm/schema/radius.schema works;

I checked it with OpenLDAP 2.4 and FreeRadius 2.2.

What am I doing wrong? Removing MUST cn from the schema makes no 
difference.




On 25-Oct-14 00:38, Rich Megginson wrote:
Are you trying to list the schema over LDAP?  Where did you get the 
above instructions?  They are wrong.  Use


ldapsearch -o ldif-wrap=no -Y GSSAPI -s base -b cn=schema 
attributeTypes objectClasses






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
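The two steps above, Orkhan's LDIF fix (every add against cn=schema must sit under a dn: cn=schema / changetype: modify header, either repeated per record or shared within one record) and Rich's ldapsearch of cn=schema, as an added example that is not part of the original thread or of FreeIPA: a Python converter from an OpenLDAP-style radius.schema to a 389 DS LDIF, plus a checker for the ldapsearch dump. The schema excerpt embedded in it is constructed for illustration (its OIDs included) and is not the file from open.rhx.it.

```python
"""Turn an OpenLDAP-style schema file into a 389 DS / FreeIPA cn=schema LDIF
and check an ldapsearch dump of cn=schema for the resulting names.

Added example for the thread above; not code from the thread or from FreeIPA.
SAMPLE_SCHEMA is a constructed excerpt in radius.schema style with
illustrative OIDs, not a copy of the published file.
"""
import re

SAMPLE_SCHEMA = """\
# constructed excerpt: two RADIUS attributes and the auxiliary class using them
attributetype ( 1.3.6.1.4.1.3317.4.3.1.1 NAME 'radiusArapFeatures'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.3317.4.3.1.2 NAME 'radiusArapSecurity'
        DESC ''
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile'
        SUP top AUXILIARY
        DESC ''
        MUST cn
        MAY ( radiusArapFeatures $ radiusArapSecurity ) )
"""

# OpenLDAP stanza keyword -> attribute of the 389 DS cn=schema entry
_KEYWORDS = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}


def parse_schema(text):
    """Return [(ldap_attribute, definition)] in file order.

    A stanza starts with attributetype/objectclass at line start and ends when
    its parentheses balance; continuation lines are joined with one space.
    Parentheses inside DESC strings are not special-cased.
    """
    items, current = [], None            # current = [attr, parts, paren depth]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            m = re.match(r"(attributetype|objectclass)\s+(.*)$", line, re.I)
            if not m:
                raise ValueError("text outside a stanza: %r" % raw)
            current, line = [_KEYWORDS[m.group(1).lower()], [], 0], m.group(2)
        current[1].append(line)
        current[2] += line.count("(") - line.count(")")
        if current[2] == 0:
            items.append((current[0], " ".join(current[1])))
            current = None
        elif current[2] < 0:
            raise ValueError("unbalanced parentheses near %r" % raw)
    if current is not None:
        raise ValueError("unterminated stanza")
    return items


def fold_ldif_line(line, width=76):
    """Fold one LDIF line RFC 2849 style: continuation lines start with a space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def schema_to_ldif(text):
    """Emit ONE modify record for cn=schema.

    Attribute types come first so the object class referencing them can be
    validated; the two 'add:' changes are separated by '-' under a single
    'dn: cn=schema' / 'changetype: modify' header.  Two separate records work
    too, but then that header must be repeated before the second 'add:',
    which is what 'dn expected, but add found' complains about.
    """
    items = parse_schema(text)
    lines = ["dn: cn=schema", "changetype: modify"]
    for attr in ("attributeTypes", "objectClasses"):
        defs = [d for a, d in items if a == attr]
        if defs:
            lines.append("add: " + attr)
            for d in defs:
                lines.extend(fold_ldif_line("%s: %s" % (attr, d)))
            lines.append("-")
    return "\n".join(lines) + "\n"


def defined_names(ldif_dump, attr="objectClasses"):
    """Lower-cased NAMEs of one schema attribute in an ldapsearch dump of cn=schema.

    Meant for: ldapsearch -o ldif-wrap=no -Y GSSAPI -s base -b cn=schema attributeTypes objectClasses
    Folded lines are re-joined first, so a dump made without ldif-wrap=no works too.
    """
    names = set()
    for line in re.sub(r"\n ", "", ldif_dump).splitlines():
        if not line.lower().startswith(attr.lower() + ":"):
            continue
        m = re.search(r"NAME\s+(?:'[^']+'|\([^)]*\))", line)   # NAME 'x' or NAME ( 'x' 'y' )
        if m:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(0)))
    return names


if __name__ == "__main__":
    ldif = schema_to_ldif(SAMPLE_SCHEMA)
    print(ldif)                                     # save as radiusschema.ldif
    print("radiusprofile" in defined_names(ldif))   # same check on a real dump
```

Load the output with the ldapmodify command from the thread (-D "cn=Directory Manager" -W against the local server). 389 DS replicates cn=schema to the other masters, but the IPA framework caches the schema it read at start-up, which is why an ipactl restart on the other server was needed before the web UI would accept radiusprofile; run defined_names() over a dump taken from each replica to confirm the class is visible everywhere before adding it to the default user objectclasses. The parser does not handle parentheses inside DESC strings, so a schema containing those needs a hand check of the generated LDIF.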

Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-29 Thread Petr Spacek

On 27.10.2014 19:15, Simo Sorce wrote:

On Mon, 27 Oct 2014 17:50:13 +
Trevor T Kates (Services - 6) trevor.t.ka...@dom.com wrote:


-Original Message-
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, October 27, 2014 12:30 PM
To: Trevor T Kates (Services - 6)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Question About Properly Configuring DNS

On Mon, 27 Oct 2014 14:07:42 +
Trevor T Kates (Services - 6) trevor.t.ka...@dom.com wrote:


Hi, all:

I have four servers (two in one location, two in another) running
IPA 3.0 set to replicate like so:

Location A Server 1 - - - - - - - - Location B Server 1
   ||
   ||
   ||
   ||
Location A Server 2 - - - - - - - - Location B Server 2

Each server has DNS configured; however, I think I have configured
something inappropriately with respect to authoritative records.

I have eight zones configured and ipa dnszone-show for any one of
them has Location B Server 1's name as authoritative. In each of
the eight zones, I have added NS records for the other three
servers. On all of the servers except Location B Server
1, /var/log/messages will show:

client x.xxx.x.xxx#14366: received notify for zone
'x.xxx.x.in-addr.arpa': not authoritative

This occurs for most, but not all, zones. Along with this:

LDAP query timed out. Try to adjust timeout parameter
update_record (psearch) failed, dn
'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
change type 0x0. Records can be outdated, run `rndc reload`: not
found

I feel like I've misconfigured a few things along the way and I'd
love some help. Along with that if anyone has recommendations on
things I should read to help me better understand what I should be
doing with DNS, I'd appreciate it.


Uhmm sounds like a bug in reloading the info in the bind ldap
plugin.

Can you restart named on one of the other servers and tell if the
warning goes away and/or if the client returns that server as
authoritative after the bounce ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York


Upon restarting named, 'not authoritative' is not present for any of
the zones and dig on clients shows all of the servers as
authoritative. The restart of named did not always go cleanly,
however. Sometimes, the same timeout issue as before would present
itself. Should I not worry about those?


OK, would you be able to open a bug (bugzilla or trac, either is fine)
for the 2 issues?

One seems to be that changing the NS record is not causing a proper
change in authoritative status.
The second should be about the timeout error you are seeing.


Please keep in mind that bind-dyndb-ldap just reads data from LDAP, so 
naturally changes done in LDAP are not visible in DNS if the directory server is 
not working properly.


The default LDAP search timeout used by bind-dyndb-ldap is 60 seconds, which is *a 
lot*, i.e. it should not happen at all.


I would recommend you dig into the directory server logs in /var/log/dirsrv/ to see 
if there is a problem before you open a bind-dyndb-ldap bug - I would point 
you to the DS logs anyway :-)


Do you see high CPU/memory utilization or something like that? Does the LDAP 
server respond to a normal LDAP query when you see messages like "LDAP query 
timed out"?


Which version of bind-dyndb-ldap and 389-ds-base do you use?

--
Petr^2 Spacek



Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-29 Thread Martin Basti

On 28/10/14 20:54, Michael Lasevich wrote:

I have a pair of servers that were both installed on clean Fedora 20 with
4.0.1 from the pviktori copr repo and then upgraded to 4.1 from the mkosek repo.

During the update, the secondary was done first and worked, but the primary ran into
trouble as described.

Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
entry with dn:

ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

Not sure which part of that you need, but for ipk11Label it has:
dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
working)

Thanks,

-M

On 10/28/14, 3:21 AM, Martin Basti wrote:

On 28/10/14 06:14, Michael Lasevich wrote:

Running into the same thing, but running ipa-dns-install does not complete:

=
Configuring DNS (named)
   [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience
long delays
   [2/8]: setting up our own record
   [3/8]: adding NS record to the zones
   [4/8]: setting up CA record
   [5/8]: setting up kerberos principal
   [6/8]: setting up named.conf
   [7/8]: configuring named to start on boot
   [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
   [1/6]: checking status
   [2/6]: setting up kerberos principal
   [3/6]: setting up SoftHSM
   [4/6]: adding DNSSEC containers
   [5/6]: creating replica keys
   [error] DuplicateEntry: This entry already exists
Unexpected error - see /var/log/ipaserver-install.log for details:
DuplicateEntry: This entry already exists
=

Looking into /var/log/ipaserver-install.log gives:
=
2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com
2014-10-28T05:01:24Z DEBUG flushing
ldap://infra-dc-01.my.domain.com:389 from SchemaCache
2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache
url=ldap://infra-dc-01.my.domain.com:389
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88
2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
   File
/usr/lib/python2.7/site-packages/ipaserver/install/service.py, line
382, in start_creation run_step(full_msg, method)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/service.py, line
372, in run_step method()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
line 340, in __setup_replica_keys ldap.add_entry(entry)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
1169, in error_handler raise errors.DuplicateEntry()
DuplicateEntry: This entry already exists

2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry
already exists
2014-10-28T05:01:24Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line 646, in run_script
 return_value = main_function()
   File /sbin/ipa-dns-install, line 218, in main
dnskeysyncd.create_instance(api.env.host, api.env.realm)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
line 128, in create_instance self.start_creation()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/service.py, line
382, in start_creation run_step(full_msg, method)
   File
/usr/lib/python2.7/site-packages/ipaserver/install/service.py, line
372, in run_step method()
   File
/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py,
line 340, in __setup_replica_keys ldap.add_entry(entry)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
1592, in add_entry self.conn.add_s(entry.dn, attrs.items())
   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
1169, in error_handler raise errors.DuplicateEntry()
2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed,
exception: DuplicateEntry: This entry already exists

Hello Michael,

can you send me the entries you have in
cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com? It looks like the directory
server doesn't generate a unique ID for the keys.

Do you have an upgraded IPA or a fresh install?

Martin^2

Can you send me the content of the cn=IPK11 Unique IDs,cn=IPA 
UUID,cn=plugins,cn=config entry? (If it exists.)

It looks like DS doesn't generate unique IDs.

Martin^2


--
Martin Basti



Re: [Freeipa-users] Radius schema addition to default user objectclasses in FreeIPA 4.1

2014-10-29 Thread Orkhan Gasimov

I checked myself on test VMs.
It's enough to add the Radius schema to one FreeIPA server and issue ipactl 
restart on the other.



Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello,

I might be interested in this as well. Does this mean it would be possible
for a Windows client to access a samba FS through IPA-provided credentials?
Currently my Windows PC gets an IPA ticket (through the MIT Kerberos application)
and can use this ticket to log in to a Linux server via PuTTY. I would jump up
and down if I could access a samba FS in the same way from Windows :)

(I have sssd 1.12.1 and freeipa 4.1 running on F20)

-- john

2014-10-23 12:32 GMT+02:00 Sumit Bose sb...@redhat.com:

 On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
  El lun, 20-10-2014 a las 21:19 -0400, Dmitri Pal escribió:
   On 10/20/2014 09:15 AM, Loris Santamaria wrote:
 
  [...]
 
   
Trying to join the server to the domain (net rpc join -U domainadmin
 -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash however I attached it as well.
   
Seems to me that the samba ipasam backend on ipa doesn't like
 something
in the host or the domain computers group object in ldap, but I
 cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.
 
   Do I get it right that you are really looking for
   https://fedorahosted.org/sssd/ticket/1588 that was just released
   upstream?
   It would be cool if you could try using SSSD 1.12.1 under Samba FS in
   the use case you have and provide feedback on how it works for you.
  
   AFAIU you install Samba FS and then use ipa-client to configure SSSD
   under it and it should work.
   If not we probably should document it (but I do not see any special
   design page which leads me to the above expectation).
 
  Ok, I'll happily try sssd 1.12.1.
 
  Just a question, in smb.conf one should use security = domain or
  security = ads?

 'ads' because we want to use Kerberos. But there are some other
 configuration options which need attention, e.g. you have to create a
 keytab for the cifs service and make it available to samba. I'll try to
 set up a small howto page listing the needed steps and come back to you
 early next week.

 bye,
 Sumit

 
  Best regards
 
  --
  Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
  Links Global Services, C.A.http://www.lgs.com.ve
  Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve
  
  If I'd asked my customers what they wanted, they'd have said
  a faster horse - Henry Ford




Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread Dmitri Pal

On 10/29/2014 08:15 AM, John Obaterspok wrote:

Hello,

I might be interested in this as well. Does this mean it would be 
possible for a Windows client to access a samba FS through IPA-provided 
credentials?
Currently my Windows PC gets an IPA ticket (through the MIT Kerberos 
application) and can use this ticket to log in to a Linux server via 
PuTTY. I would jump up and down if I could access a samba FS in the same 
way from Windows :)


(I have sssd 1.12.1 and freeipa 4.1 running on F20)

I suspect that if you deploy Samba FS with SSSD configured as a member 
server of the IPA domain it should be possible.




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek

On 28.10.2014 18:42, Rob Verduijn wrote:

before the update it's 4.5-1.fc20.x86_64.rpm from the fedora 20 updates repo
after the update it's 6.0-5.fc20.x86_64.rpm from the copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:


  On 28/10/14 16:10, Rob Verduijn wrote:

  Hello all,

  I've been digging into my problem of being unable to update from 3.3.5
to 4.1

  First I add the repo from copr

  Then I used to update it by issuing 'yum update' which resulted in an
update in which my local dns zone entries no longer resolved.

  So i tried the instructions mentioned on the site :
yum update freeipa-server
And this failed with a conflict in

  bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

  I noticed the new bind comes from the copr repo and the old bind utils
from fedora.

  So I first ran 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

  I remembered reading about package errors with softhsm and installed the
softhsm-devel package first.

  so revert back the freeipa kvm snapshot to 3.3.5  and try again
yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
freeipa-server -y

  However when restarting named-pkcs11 I can see in the system log that it
has 0 zones loaded

  Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance
'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

  It claims 0 zones loaded but I can see my forward and reverse zones in
ipa

  what could cause it not to load the zones that I defined in ipa ?


This problem is usually caused by a broken IPA upgrade which destroys the ACIs in 
LDAP that allow access to the DNS sub-tree.


Please follow instructions on:

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded

... and let us know if you are able to see idnsZone objects in LDAP or not.

--
Petr^2 Spacek



Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-29 Thread Сапегин Валерий
Yes Dmitri, ldapsearch works well:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/
ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D
cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b
cn=users,dc=csbigroup,dc=ru
dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...


Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:

 Hello!

 I tried to configure synchronization between FreeIPA and Windows AD 2012.
 The first time, accounts from AD synchronized properly, but the next
 scheduled run after 5 min does not work, and in the error log I see the following
 errors:

 # tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
 [23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.
 [23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin - agmt=cn=
 meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389): Replica has no update
 vector. It has never been initialized.

 First synchronization output:

 Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to certificate
 database for ipa.test-csbi-its.ru
 ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
 The user for the Windows PassSync service is
 uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
 Windows PassSync entry exists, not resetting password
 ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
 ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
 acquired successfully: Incremental update started: start: 0: end: 0
 ipa: INFO: Agreement is ready, starting replication . . .
 Starting replication, please wait until this has completed.
 Update in progress, 13 seconds elapsed
 [ipa.test-csbi-its.ru] reports: Update failed! Status: [-1 Total update
 abortedLDAP error: Can't contact LDAP server]

 Failed to start replication



 FreeIPA server version 3.3.3
 OS version Centos 7
 AD Domain 2012

 Can you help me to resolve this problem?

 Best regards, Valeriy


Re: [Freeipa-users] 389 DS admin consoles

2014-10-29 Thread Rob Crittenden
Craig White wrote:
 From: freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
 Sent: Tuesday, October 28, 2014 3:02 PM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] 389 DS admin consoles
 
 On 10/28/2014 02:45 PM, Craig White wrote:
 
 RHEL 6.5 – new install
 
 ipa-server-3.0.0-42.el6.x86_64
 
 389-ds-base-1.2.11.15-47.el6.x86_64
 
 Is it safe to install the 389 DS and admin console packages and use
 them?
 
 In general, no, it is not supported.  IPA depends on a certain tree
 structure, schema, etc.
 
 I think it would be useful to use for things like editing ACIs, etc.
 
 It would be useful for a lot of lower level management and monitoring.
 But unfortunately it is not supported.  You might be able to install it
 and make it work, but it might also mess up your IdM deployment.
 
 Not worth it then. I have been all over your Documentation page on
 FreeIPA.org (http://www.freeipa.org/page/Documentation)
 
 I have not found any way to actually edit ACLs (I believe the
 terminology in 389 Server was ACI when I last used it some 8 or so years
 ago).  Is there any way to edit them?

The permission plugin, ipa help permission

rob




Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello,

I've checked and I see a lot of objects representing my dns entries.
Still I get no answers if I try to resolve any of them :(

Rob


Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek

On 29.10.2014 14:32, Rob Verduijn wrote:

I've checked and I see a lot of objects representing my dns entries.
Still I get no answers if i try to resolve any of them :(


Are you running ldapsearch with *exactly* the same credentials as you have in 
/etc/named.conf?


Could you post the dynamic-db section from your named.conf?

Petr^2 Spacek


Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:


On 28.10.2014 18:42, Rob Verduijn wrote:


before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:


   Hello all,

   I've been digging into my problem of being unable to update from 3.3.5
to 4.1

   First I add the repo from copr

   Then  I used to update it by issueing 'yum update' which resulted in an
update in which my local dns zone entries no longer resolved.

   So i tried the instructions mentioned on the site :
yum update freeipa-server
And this failed with a conflict in

   bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the copr repo and the old bind utils
from fedora.

   So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

   I remembered reading about package errors with softhsm and installed
the
softhsm-devel package first.

   so revert back the freeipa kvm snapshot to 3.3.5  and try again
yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
freeipa-server -y

   However when restarting named-pkcs11 I can see in the system log that
it
has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
instance
'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

   It claims 0 zones loaded but I can see my forward and reverse zones in
ipa

   what could cause it not to load the zones that I defined in ipa ?




This problem is usually caused by broken IPA upgrade which destroys ACIs
in LDAP which allow access to DNS sub-tree.

Please follow instructions on:

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded

... and let us know if you are able to see idnsZone objects in LDAP or not.



--
Petr^2 Spacek
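The check Petr asks for, as an added example that is not part of the thread or of FreeIPA: spot the "0 zones from LDAP" counter in named-pkcs11's log, then reproduce named's own view of the DNS sub-tree by taking the `uri`, `base` and `sasl_user` arguments out of the dynamic-db section and searching for idnsZone objects with that principal. The dynamic-db sample is constructed (placeholder host, realm and suffix, and the argument layout is assumed from bind-dyndb-ldap's `arg "name value";` form); the keytab path is a placeholder the caller supplies.

```shell
#!/bin/sh
# Added example, not from the thread: detect the "0 zones from LDAP" symptom in
# named-pkcs11's log and build the ldapsearch that checks the DNS sub-tree with
# exactly the identity named uses, as the thread recommends.

# Constructed sample of the dynamic-db section FreeIPA writes to /etc/named.conf
# (assumed layout; host, realm and suffix are placeholders).
NAMED_CONF_SAMPLE='dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket";
    arg "base cn=dns, dc=example,dc=com";
    arg "server_id ipa.example.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa.example.com";
    arg "serial_autoincrement yes";
};'

# Zone-counter line quoted in the thread, rejoined onto one line.
NAMED_LOG_SAMPLE="Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)"

# dyndb_arg CONF NAME: value of `arg "NAME value";` in the dynamic-db section.
dyndb_arg() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*arg \"$2 \(.*\)\";.*/\1/p" | head -n 1
}

# zones_defined LOGLINE: the "N zones defined" number, or empty when the line
# is not the bind-dyndb-ldap zone counter.
zones_defined() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) zones defined,.*/\1/p'
}

# symptom_present LOGLINE: "yes" when named counted zero zones in LDAP.
symptom_present() {
    n=$(zones_defined "$1")
    if [ -n "$n" ] && [ "$n" -eq 0 ]; then echo yes; else echo no; fi
}

# zone_search_as_named CONF KEYTAB: the two commands that reproduce named's
# view of the DNS sub-tree: a ticket for the sasl_user principal from named's
# keytab, then a GSSAPI search for idnsZone objects under base.
zone_search_as_named() {
    uri=$(dyndb_arg "$1" uri)
    base=$(dyndb_arg "$1" base)
    principal=$(dyndb_arg "$1" sasl_user)
    printf "kinit -k -t '%s' '%s'\n" "$2" "$principal"
    printf "ldapsearch -o ldif-wrap=no -Y GSSAPI -H '%s' -b '%s' '(objectClass=idnsZone)' idnsName\n" "$uri" "$base"
}

# Driver: the same search run as Directory Manager gives the reference count;
# fewer results as named's principal means the ACIs on the DNS sub-tree are
# missing, which is what ipa-ldap-updater restores in this thread.
if [ "$(symptom_present "$NAMED_LOG_SAMPLE")" = yes ]; then
    echo "named loaded 0 zones from LDAP; run these as named's identity and compare with Directory Manager:"
    zone_search_as_named "$NAMED_CONF_SAMPLE" "${DNS_KEYTAB:-/path/to/named.keytab}"
fi
```

If the Directory Manager search returns your zones and the GSSAPI search as the DNS principal returns none, the data is intact and only the access control is broken; if both return nothing, the idnsZone objects themselves are missing and the wiki page linked above applies.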



Re: [Freeipa-users] Synchronization Agreements between FreeIPA and AD

2014-10-29 Thread Rich Megginson

On 10/29/2014 03:19 AM, Сапегин Валерий wrote:

Yes Dmitri, ldapsearch works good:

[root@ipa ~]# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-TEST-CSBI-ITS-RU/ ldapsearch -xLLL -ZZ -h csbi-it-dc01.csbigroup.ru -D cn=ipa-test,cn=users,dc=csbigroup,dc=ru -w t -s base -b cn=users,dc=csbigroup,dc=ru

dn: cn=users,dc=csbigroup,dc=ru
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=csbigroup,DC=ru
instanceType: 4
...
...



Ok.  Now try to do a windows sync with the dirsrv replication error log 
level - http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting


Then we can take a look at the detailed errors.



Best regards, Сапегин Валерий

2014-10-23 16:19 GMT+04:00 Сапегин Валерий unit...@gmail.com:


Hello!

I tried to configure synchronization between FreeIPA and Windows
AD 2012. The first time, accounts from AD synchronized
properly, but the next scheduled run after 5 min does not work, and in the error
log I see the following errors:

# tail -f /var/log/dirsrv/slapd-TEST-CSBI-ITS-RU/errors
[23/Oct/2014:15:51:34 +0300] NSMMReplicationPlugin -
agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389):
Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:37 +0300] NSMMReplicationPlugin -
agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389):
Replica has no update vector. It has never been initialized.
[23/Oct/2014:15:51:40 +0300] NSMMReplicationPlugin -
agmt=cn=meTocsbi-it-dc01.csbigroup.ru (csbi-it-dc01:389):
Replica has no update vector. It has never been initialized.

First synchronization output

Added CA certificate /etc/openldap/certs/CSBIGROUP-CA.crt to
certificate database for ipa.test-csbi-its.ru
ipa: INFO: AD Suffix is: DC=csbigroup,DC=ru
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=test-csbi-its,dc=ru
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become
ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0
Replica acquired successfully: Incremental update started: start:
0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress, 13 seconds elapsed
[ipa.test-csbi-its.ru] reports:
Update failed! Status: [-1 Total update abortedLDAP error: Can't
contact LDAP server]

Failed to start replication



FreeIPA server version 3.3.3
OS version Centos 7
AD Domain 2012

Can you help me to resolve this problem?

Best regards, Valeriy







Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
You're right
duh I should read more carefully and not try to do too many things at once.

when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade if you
know one
(I really started to appreciate snapshots with this upgrade :-)

Rob

2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


 Are you running ldapsearch with *exactly* same credentials as you have in
 /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then I used to update it by issuing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse zones
 in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek


Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Martin Basti

On 29/10/14 15:46, Rob Verduijn wrote:

You're right
duh I should read more carefully and not try to do too many things at 
once.


when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade 
if you know one

(I really started to appreciate snapshots with this upgrade :-)

Rob


Please try first this:

# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

It should repair privileges.


2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:


On 29.10.2014 14:32, Rob Verduijn wrote:

I've checked and I see a lot of objects representing my dns
entries.
Still I get no answers if i try to resolve any of them :(


Are you running ldapsearch with *exactly* same credentials as you
have in /etc/named.conf?

Could you post dynamic-db section from your named.conf?

Petr^2 Spacek


Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 28.10.2014 18:42, Rob Verduijn wrote:

before the update its 4.5-1.fc20.x86_64.rpm from
fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:


   Hello all,

   I've been digging into my problem of being
unable to update from 3.3.5
to 4.1

   First I add the repo from copr

Then I used to update it by issuing 'yum
update' which resulted in an
update in which my local dns zone entries no
longer resolved.

   So i tried the instructions mentioned on the site :
yum update freeipa-server
And this failed with a conflict in

   bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the copr repo
and the old bind utils
from fedora.

   So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

   I remembered reading about package errors with
softhsm and installed
the
softhsm-devel package first.

   so revert back the freeipa kvm snapshot to
3.3.5  and try again
yum update bind-utils -y ;  yum install
softhsm-devel -y ; yum update
freeipa-server -y

   However when restarting named-pkcs11 I can see
in the system log that
it
has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0
zones from LDAP
instance
'ipa' loaded (0 zones defined, 0 inactive, 0
failed to load)

   It claims 0 zones loaded but I can see my
forward and reverse zones in
ipa

   what could cause it not to load the zones that
I defined in ipa ?


This problem is usually caused by broken IPA upgrade which
destroys ACIs
in LDAP 

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Martin Basti

On 29/10/14 15:56, Martin Basti wrote:

On 29/10/14 15:46, Rob Verduijn wrote:

You're right
duh I should read more carefully and not try to do too many things at 
once.


when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade 
if you know one

(I really started to appreciate snapshots with this upgrade :-)

Rob


Please try first this:

# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

It should repair privileges.

Sorry I wrote you wrong file
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:


On 29.10.2014 14:32, Rob Verduijn wrote:

I've checked and I see a lot of objects representing my dns
entries.
Still I get no answers if i try to resolve any of them :(


Are you running ldapsearch with *exactly* same credentials as you
have in /etc/named.conf?

Could you post dynamic-db section from your named.conf?

Petr^2 Spacek


Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 28.10.2014 18:42, Rob Verduijn wrote:

before the update its 4.5-1.fc20.x86_64.rpm from
fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:


   Hello all,

   I've been digging into my problem of being
unable to update from 3.3.5
to 4.1

   First I add the repo from copr

Then I used to update it by issuing 'yum
update' which resulted in an
update in which my local dns zone entries no
longer resolved.

   So i tried the instructions mentioned on the
site :
yum update freeipa-server
And this failed with a conflict in

   bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the copr
repo and the old bind utils
from fedora.

   So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

   I remembered reading about package errors with
softhsm and installed
the
softhsm-devel package first.

   so revert back the freeipa kvm snapshot to
3.3.5  and try again
yum update bind-utils -y ;  yum install
softhsm-devel -y ; yum update
freeipa-server -y

   However when restarting named-pkcs11 I can see
in the system log that
it
has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0
zones from LDAP
instance
'ipa' loaded (0 zones defined, 0 inactive, 0
failed to load)

   It claims 0 zones loaded but I can see my
forward and reverse zones in
ipa

   what could cause it not to load the zones that
 

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Martin Basti

On 29/10/14 16:13, Martin Basti wrote:

On 29/10/14 15:56, Martin Basti wrote:

On 29/10/14 15:46, Rob Verduijn wrote:

You're right
duh I should read more carefully and not try to do too many things at 
once.


when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade 
if you know one

(I really started to appreciate snapshots with this upgrade :-)

Rob


Please try first this:

# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

It should repair privileges.

Sorry I wrote you wrong file
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


If doesn't help,  just run ipa-ldap-updater without parameters


2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:


On 29.10.2014 14:32, Rob Verduijn wrote:

I've checked and I see a lot of objects representing my dns
entries.
Still I get no answers if i try to resolve any of them :(


Are you running ldapsearch with *exactly* same credentials as
you have in /etc/named.conf?

Could you post dynamic-db section from your named.conf?

Petr^2 Spacek


Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 28.10.2014 18:42, Rob Verduijn wrote:

before the update its 4.5-1.fc20.x86_64.rpm from
fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from copr
repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:


   Hello all,

   I've been digging into my problem of being
unable to update from 3.3.5
to 4.1

   First I add the repo from copr

Then I used to update it by issuing 'yum
update' which resulted in an
update in which my local dns zone entries no
longer resolved.

   So i tried the instructions mentioned on the
site :
yum update freeipa-server
And this failed with a conflict in

   bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the copr
repo and the old bind utils
from fedora.

   So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

   I remembered reading about package errors
with softhsm and installed
the
softhsm-devel package first.

   so revert back the freeipa kvm snapshot to
3.3.5  and try again
yum update bind-utils -y ;  yum install
softhsm-devel -y ; yum update
freeipa-server -y

   However when restarting named-pkcs11 I can
see in the system log that
it
has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
localhost.localdomain/IN: loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.ip6.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
all zones loaded
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
running
Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]:
0 zones from LDAP
instance
'ipa' loaded (0 zones defined, 0 inactive, 0
failed to load)

   It claims 0 zones loaded but I can see my
forward 

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello,

# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
 fixes the problem.

I can resolve my internal dns zones again :-)

Many thanks.

Since this problem happened every time I tried to update the freeipa server,
I could re-run the update with some debug options if you like, so you can
pinpoint what goes wrong with the update script.

Rob

2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 15:56, Martin Basti wrote:

 On 29/10/14 15:46, Rob Verduijn wrote:

 You're right
duh I should read more carefully and not try to do too many things at once.

  when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade if
you know one
 (I really started to appreciate snapshots with this upgrade :-)

  Rob


 Please try first this:

 # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

 It should repair privileges.

 Sorry I wrote you wrong file
 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


  Are you running ldapsearch with *exactly* same credentials as you have
 in /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then I used to update it by issuing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and
 installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse
 zones in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5.NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek






 --
 Martin Basti





 --
 Martin Basti



Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Martin Basti

On 29/10/14 16:46, Rob Verduijn wrote:

Hello,

# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
 fixes the problem.

I can resolve my internal dns zones again :-)

Many thanks.

Since this problem happened every time I tried to update the freeipa 
server,
I could re-run the update with some debug options if you like, so you 
can pinpoint what goes wrong with the update script.


Rob


We know where the problem is, and we thought we fixed it, but obviously 
some parts of the problem persist.


Thank you for your patience :-)


2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com:


On 29/10/14 15:56, Martin Basti wrote:

On 29/10/14 15:46, Rob Verduijn wrote:

You're right
duh I should read more carefully and not try to do too many
things at once.

when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the
upgrade if you know one
(I really started to appreciate snapshots with this upgrade :-)

Rob


Please try first this:

# ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

It should repair privileges.

Sorry I wrote you wrong file
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update



2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 29.10.2014 14:32, Rob Verduijn wrote:

I've checked and I see a lot of objects representing my
dns entries.
Still I get no answers if i try to resolve any of them :(


Are you running ldapsearch with *exactly* same credentials
as you have in /etc/named.conf?

Could you post dynamic-db section from your named.conf?

Petr^2 Spacek


Rob

2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

On 28.10.2014 18:42, Rob Verduijn wrote:

before the update its 4.5-1.fc20.x86_64.rpm from
fedora 20 updates repo
after the update its 6.0-5.fc20.x86_64.rpm from
copr repo

Regards
Rob


2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

On 28/10/14 16:10, Rob Verduijn wrote:


   Hello all,

   I've been digging into my problem of
being unable to update from 3.3.5
to 4.1

   First I add the repo from copr

Then I used to update it by issuing
'yum update' which resulted in an
update in which my local dns zone entries no
longer resolved.

   So i tried the instructions mentioned on
the site :
yum update freeipa-server
And this failed with a conflict in

 bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
bind-utils-32:9.9.4-15.P2.fc20.x86_64

   I noticed the new bind comes from the
copr repo and the old bind utils
from fedora.

   So I first run 'yum update bind-utils -y'
Then I ran yum update freeipa-server
and see it fail with errors about softhsm

   I remembered reading about package errors
with softhsm and installed
the
softhsm-devel package first.

   so revert back the freeipa kvm snapshot
to 3.3.5  and try again
yum update bind-utils -y ;  yum install
softhsm-devel -y ; yum update
freeipa-server -y

   However when restarting named-pkcs11 I
can see in the system log that
it
has 0 zones loaded

   Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: managed-keys-zone:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: zone 0.in-addr.arpa/IN:
loaded serial 0
Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: zone localhost/IN: loaded
serial 0
Oct 28 15:28:30 freeipa.x.x
named-pkcs11[3029]: zone
1.0.0.127.in-addr.arpa/IN: loaded serial 0
 

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello again,

I jumped too early.
# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't work
but ipa-ldap-updater 
fixes the problem for me.

Rob

2014-10-29 16:55 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 16:46, Rob Verduijn wrote:

 Hello,

  # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
   fixes the problem.

I can resolve my internal dns zones again :-)

Many thanks.

Since this problem happened every time I tried to update the freeipa
server,
I could re-run the update with some debug options if you like, so you can
pinpoint what goes wrong with the update script.

  Rob


We know where the problem is, and we thought we fixed it, but obviously
some parts of the problem persist.

 Thank you for your patience :-)


 2014-10-29 16:13 GMT+01:00 Martin Basti mba...@redhat.com:

  On 29/10/14 15:56, Martin Basti wrote:

 On 29/10/14 15:46, Rob Verduijn wrote:

 You're right
duh I should read more carefully and not try to do too many things at
once.

  when using the dns principal and keytab the entries are not found.

How do I fix the access control instructions?
I can revert back easily and try a different approach for the upgrade if
you know one
 (I really started to appreciate snapshots with this upgrade :-)

  Rob


 Please try first this:

 # ipa-ldap-updater /usr/share/ipa/memberof-task.ldif

 It should repair privileges.

  Sorry I wrote you wrong file
 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update


 2014-10-29 14:50 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 14:32, Rob Verduijn wrote:

 I've checked and I see a lot of objects representing my dns entries.
 Still I get no answers if i try to resolve any of them :(


  Are you running ldapsearch with *exactly* same credentials as you have
 in /etc/named.conf?

 Could you post dynamic-db section from your named.conf?

 Petr^2 Spacek


  Rob

 2014-10-29 13:28 GMT+01:00 Petr Spacek pspa...@redhat.com:

  On 28.10.2014 18:42, Rob Verduijn wrote:

  before the update its 4.5-1.fc20.x86_64.rpm from fedora 20 updates
 repo
 after the update its 6.0-5.fc20.x86_64.rpm from copr repo

 Regards
 Rob


 2014-10-28 17:58 GMT+01:00 Martin Basti mba...@redhat.com:

 On 28/10/14 16:10, Rob Verduijn wrote:


Hello all,

I've been digging into my problem of being unable to update from
 3.3.5
 to 4.1

First I add the repo from copr

Then I used to update it by issuing 'yum update' which resulted
 in an
 update in which my local dns zone entries no longer resolved.

So i tried the instructions mentioned on the site :
 yum update freeipa-server
 And this failed with a conflict in

bind-32:9.9.4-18.fc20.1.pkcs11.x86_64 and
 bind-utils-32:9.9.4-15.P2.fc20.x86_64

I noticed the new bind comes from the copr repo and the old bind
 utils
 from fedora.

So I first run 'yum update bind-utils -y'
 Then I ran yum update freeipa-server
 and see it fail with errors about softhsm

I remembered reading about package errors with softhsm and
 installed
 the
 softhsm-devel package first.

so revert back the freeipa kvm snapshot to 3.3.5  and try again
 yum update bind-utils -y ;  yum install softhsm-devel -y ; yum update
 freeipa-server -y

However when restarting named-pkcs11 I can see in the system log
 that
 it
 has 0 zones loaded

Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: managed-keys-zone:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 0.in-addr.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone localhost/IN:
 loaded
 serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.127.in-addr.arpa/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 localhost.localdomain/IN: loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: zone
 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
 0.0.ip6.arpa/IN:
 loaded serial 0
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running
 Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP
 instance
 'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)

It claims 0 zones loaded but I can see my forward and reverse
 zones in
 ipa

what could cause it not to load the zones that I defined in ipa ?


  This problem is usually caused by broken IPA upgrade which destroys
 ACIs
 in LDAP which allow access to DNS sub-tree.

 Please follow instructions on:

 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a5
 .
 NozonesfromLDAPareloaded

 ... and let us know if you are able to see idnsZone objects in LDAP or
 not.



 --
 Petr^2 Spacek

 --
 Martin Basti
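The journal above ends in the line where bind-dyndb-ldap summarises how many zones it found in LDAP, and a restart that reports 0 zones defined is exactly the symptom Petr attributes to lost ACIs, so it is worth catching automatically rather than noticing when resolution fails. As an added example (not code from the thread or from bind-dyndb-ldap), here is a Python check that parses that summary line and classifies the result; the line format follows the log excerpt quoted above, the "healthy" journal lines are constructed, and the number of zones the operator expects is an assumption passed in by the caller.

```python
"""Classify the zone-load summary that named-pkcs11 / bind-dyndb-ldap logs."""
import re

# Shape of the summary line bind-dyndb-ldap emits once it has read the DNS
# sub-tree; the pattern follows the line quoted from the journal in the thread.
SUMMARY_RE = re.compile(
    r"named-pkcs11\[\d+\]: (?P<loaded>\d+) zones from LDAP instance "
    r"'(?P<instance>[^']+)' loaded \((?P<defined>\d+) zones defined, "
    r"(?P<inactive>\d+) inactive, (?P<failed>\d+) failed to load\)"
)

# Journal excerpt reported in the thread: the broken state after the upgrade.
JOURNAL_AFTER_UPGRADE = [
    "Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: all zones loaded",
    "Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: running",
    "Oct 28 15:28:30 freeipa.x.x named-pkcs11[3029]: 0 zones from LDAP instance "
    "'ipa' loaded (0 zones defined, 0 inactive, 0 failed to load)",
]

# Constructed lines for a healthy restart (not from the thread).
JOURNAL_HEALTHY = [
    "Oct 28 15:40:12 freeipa.x.x named-pkcs11[3101]: running",
    "Oct 28 15:40:12 freeipa.x.x named-pkcs11[3101]: 2 zones from LDAP instance "
    "'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)",
]


def parse_summary(line):
    """Return the counters of a zone-load summary line, or None for other lines."""
    m = SUMMARY_RE.search(line)
    if m is None:
        return None
    return {k: (v if k == "instance" else int(v)) for k, v in m.groupdict().items()}


def classify(summary, expected_min_zones=1):
    """Turn the counters into a verdict a monitoring hook can act on.

    'load-failures'    : zones were found but some could not be loaded, so the
                         zone data itself needs attention.
    'no-zones-visible' : named started cleanly but LDAP returned fewer zones
                         than the operator knows are defined in IPA. This is
                         the post-upgrade symptom from the thread, where the
                         ACIs that let named read the DNS sub-tree were lost.
    'ok'               : at least the expected number of zones is defined.
    """
    if summary["failed"] > 0:
        return "load-failures"
    if summary["defined"] < expected_min_zones:
        return "no-zones-visible"
    return "ok"


def check_journal(lines, expected_min_zones=1):
    """Scan journal lines and return (summary, verdict) for the latest start.

    Without any summary line the verdict is 'no-summary': named has not
    finished starting, or bind-dyndb-ldap never connected to LDAP at all.
    """
    summary = None
    for line in lines:
        parsed = parse_summary(line)
        if parsed is not None:
            summary = parsed  # keep the most recent restart's summary
    if summary is None:
        return None, "no-summary"
    return summary, classify(summary, expected_min_zones)


if __name__ == "__main__":
    for label, journal in (("after upgrade", JOURNAL_AFTER_UPGRADE),
                           ("healthy", JOURNAL_HEALTHY)):
        summary, verdict = check_journal(journal, expected_min_zones=2)
        print(f"{label}: {verdict} {summary}")
```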


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA 3.3.3-28 Integration with Samba 4.1.1-37 Problems

2014-10-29 Thread Clint Savage
Interestingly enough, I have almost the same setup here.

I did an ipa-server install, then did ipa-adtrust-install. Afterward, I
went through and grabbed the configs with 'net conf list' and modified it
to use my shares. This one is just my testing, but the production one works
perfectly!

How did you import your users? I did mine by setting up an openldap and
importing an ldif with the proper DN values. Then ran ipa migrate-ds. In
some cases, certain data didn't migrate, so I added that with ldapmodify as
necessary.

Here's what my samba config looks like with 'net conf list'. It seems it's
pretty much the same as yours. Except for mine working, of course.

[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
max log size = 10
disable spoolss = Yes
domain logons = Yes
domain master = Yes
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = cn=users,cn=accounts
registry shares = Yes
create krb5 conf = No
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb

[homes]
browseable = no
comment = Home Directories
read only = no

[share1]
browseable = yes
read only = no
path = /srv/samba/share1
comment = Temporary Public Share
valid users = @testgroup

Cheers,

herlo

On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith jasonsm...@attask.com wrote:

 A little history.  We migrated from an OpenLDAP system to FreeIPA.  The
 IPA version is listed above.  I have samba installed and integrated
 directly on the FreeIPA box.
 The problem we're having is that users who were migrated can no longer see
 the samba shares.  We are connecting to these shares through Mac OSX.  When
 accessing the share with smbclient -L mydom...@domain.com I get the
 response *session setup failed: NT_STATUS_CONNECTION_DISCONNECTED.*  This
 is the response I get when connected to the FreeIPA/Samba box.

 Users were able to access these shares, then overnight, they weren't.  No
 changes were made to the samba config or the FreeIPA.  *Any new user
 created through FreeIPA can see and browse any share they have access to.*

 If there's any other information needed, please let me know.  Thank you!!!

 Below are a couple configs I have set:

 *Samba global settings*
 [global]
 workgroup = ATTASK
 netbios name = IPA01
 realm = ATTASK.CORP
 passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
 kerberos method = dedicated keytab
 dedicated keytab file = FILE:/etc/samba/samba.keytab
 log file = /var/log/samba/log.%m
 max log size = 10
 disable spoolss = Yes
 domain logons = Yes
 domain master = Yes
 ldap group suffix = cn=groups,cn=accounts
 ldap machine suffix = cn=computers,cn=accounts
 ldap suffix = dc=attask,dc=corp
 ldap ssl = no
 ldap user suffix = cn=users,cn=accounts
 registry shares = Yes
 create krb5 conf = No
 rpc_daemon:lsasd = fork
 rpc_daemon:epmd = fork
 rpc_server:tcpip = yes
 rpc_server:netlogon = external
 rpc_server:samr = external
 rpc_server:lsasd = external
 rpc_server:lsass = external
 rpc_server:lsarpc = external
 rpc_server:epmapper = external
 ldapsam:trusted = yes
 idmap config * : backend = tdb

 *User Not Working:*
  dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
   uid: test
   sn: test
   cn: test
   mail: t...@test.com
   nsaccountlock: False
   has_password: True
   has_keytab: True
   dialupAccess: yes
   displayName: test test
   emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
   gidNumber: 107001365
   givenName: test
   homeDirectory: /home/test
   ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
   ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
   krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
   krbLastFailedAuth: 20141028151647Z
   krbLastPwdChange: 20141028152120Z
   krbLastSuccessfulAuth: 20141028152012Z
   krbLoginFailedCount: 0
   krbPasswordExpiration: 20150122152120Z
   krbPrincipalName: t...@attask.corp
   krbTicketFlags: 128
   loginShell: /sbin/nologin
   memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
   memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
   memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
   objectClass: krbticketpolicyaux
   objectClass: ipaobject
   objectClass: organizationalperson
   

Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Petr Spacek

On 29.10.2014 16:46, Rob Verduijn wrote:

Hello,

# ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
  fixes the problem.

I can resolve my internal dns zones again :-)

Many thanx.

Since this problem happened every time I tried to update the freeipa server,
I could re-run the update with some debug options if you like, so you can
pinpoint what goes wrong with the update script.


I have rebuilt some packages in mkosek's COPR so now you should not 
encounter dependency problems. A simple 'yum upgrade' should give you all the 
required packages.


We are looking at other problems in the upgrade process right now so there is not 
much to test except package dependencies.


--
Petr^2 Spacek



Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Craig White
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:
 From: Dmitri Pal [mailto:d...@redhat.com]
 Sent: Tuesday, October 28, 2014 5:10 PM
 To: Craig White; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

 On 10/28/2014 04:41 PM, Craig White wrote:

 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
 Sent: Tuesday, October 28, 2014 1:28 PM
 To: d...@redhat.com; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

 From: Dmitri Pal [mailto:d...@redhat.com]
 Sent: Tuesday, October 28, 2014 10:04 AM
 To: Craig White; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] getent passwd / group

 On 10/28/2014 12:11 PM, Craig White wrote:

 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
 Sent: Monday, October 27, 2014 5:32 PM
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] getent passwd / group

 On 10/27/2014 07:38 PM, Craig White wrote:

 RHEL 6.5 - new install

 ipa-server-3.0.0-42.el6.x86_64
 389-ds-base-1.2.11.15-47.el6.x86_64

 On the master, I get nothing

 [root@ipa001 log]# getent passwd admin
 [root@ipa001 log]#

 But it works on the replica as expected

 [root@ipa002nadev01 ~]# getent passwd admin
 admin:*:114000:111000:Administrator:/home/admin:/bin/bash

 I am used to using PADL / NSSWITCH with OpenLDAP and I am
 rather surprised that on both, 'getent passwd' and 'getent
 group' return only entries from local files but then again,
 I've never used sssd before.

 REJECT all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

 Then we need SSSD logs with the debug_level in the right sections as
 Jakub mentioned in his mail.

 Sorry - I had a long meeting and should have noted that after
 restarting SSSD, it all started working again as expected. Clearly
 something I have to watch for and indeed, I moved the debug to the
 domain section for future.

 I should add - came to the realization that restarting sssd and went to 
 long meeting, then came back and couldn't log into ipa console or Kerberos 
 and had to restart IPA service to restart Kerberos.

 IPA is logging nothing.

 This is not the first time I have had to go through this cycle - it seems 
 that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
 goes haywire, when I restart SSSD, IPA is not functioning and must be 
 restarted too.

 Thanks

 Craig

 Is this on the same server?

 Yes, same server... the one I call the master. The first one I set up. 
 I'm getting tuned in to checking the status of dirsrv and ipa but 
 now I know to check the status of the sssd too.

 Seems like it crashes a little too easily - I doubt I did much to harm it... 
 I am fairly experienced with OpenLDAP and in fact used 389-server back when 
 it was called FedoraDS. 

 But it is running now, and seemingly will stay running for some time and I am 
 upping the logging and watching for a crash like Richard said to provide some 
 debug logs if possible. Sort of wish I could have just started with RHEL 7 
 and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 7f86cd04e572 sp 7f86a2bf7f10 error 4 in libslapd.so.0.0.0[7f86cd009000+fd000]

Required a 'service ipa restart' to get up and running again  ;-(

Now Rich directed me to the 'debugging crashes' section which would have me 
installing debuginfo for 389. 

I can't find it...
# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common   |  871 B 00:00

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread Loris Santamaria
El jue, 23-10-2014 a las 12:32 +0200, Sumit Bose escribió:
 On Tue, Oct 21, 2014 at 07:49:11AM -0430, Loris Santamaria wrote:
  El lun, 20-10-2014 a las 21:19 -0400, Dmitri Pal escribió:
   On 10/20/2014 09:15 AM, Loris Santamaria wrote:
  
  [...]
  

Trying to join the server to the domain (net rpc join -U domainadmin -S
ipaserver) fails, and it causes a samba crash on the ipa server.
Investigating the cause of the crash I found that pdbedit crashes as
well (backtrace attached). I couldn't get a meaningful backtrace from
the samba crash however I attached it as well.

Seems to me that the samba ipasam backend on ipa doesn't like something
in the host or the domain computers group object in ldap, but I cannot
see what could be the problem. Perhaps someone more familiar with the
ipasam code can spot it quickly.
  
   Do I get it right that you are really looking for
   https://fedorahosted.org/sssd/ticket/1588 that was just released
   upstream?
   It would be cool if you can try using SSSD 1.12.1 under Samba FS in
   the use case you have and provide feedback on how it works for you.
   
   AFAIU you install Samba FS and then use ipa-client to configure SSSD
   under it and it should work.
   If not we probably should document it (but I do not see any special
   design page which leads me to the above expectation).
  
  Ok, I'll happily try sssd 1.12.1.
  
  Just a question, in smb.conf one should use security = domain or
  security = ads?
 
 'ads' because we want to use Kerberos. But there are some other
 configuration options which need attention, e.g. you have to create a
 keytab for the cifs service and make it available to samba. I'll try to
 set up a small howto page listing the needed steps and come back to you
 early next week.

It Works :D, and here is what I did:

Test environment: One realm domain with two Centos 7 / ipa 3.3 masters,
one trusted AD forest (windows 2008R2 controllers), one Centos 7 file
server.

Step 1) On the file server enable mkosek's COPR ipa repo:
https://copr.fedoraproject.org/coprs/mkosek/freeipa/

2) Install the required packages:
yum -y install ipa-client sssd-libwbclient samba samba-client

3) join file server to the ipa realm:
ipa-client-install --mkhomedir

Please note that this step fails, shortly after creating the keytab and
configuring sssd, probably caused by the version mismatch between ipa
server (3.3) and client (4.1). I will report the failure shortly.
Because of the failure I had to complete part of the join procedure
manually:
authconfig --enablesssdauth --enablemkhomedir --update (on the client)
ipa dnsrecord-add my.realm sambatest --a-rec=x.y.w.z (on ipa server)

4) On the ipa server create the cifs principal for samba:
ipa service-add cifs/sambatest.my.realm

5) Install keytab on the samba host:
ipa-getkeytab -s ipaserver.my.realm -p cifs/sambatest.my.realm
-k /etc/samba/samba.keytab

6) Edit /etc/samba/smb.conf on the samba file server:
[global]
workgroup = MY
realm = MY.REALM
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
log file = /var/log/samba/log.%m
security = ads

[homes]
browsable = no
writable = yes

[shared]
path = /home/shared
writable = yes
browsable=yes
write list = @admins

7) To enable samba /home sharing one should turn on a selinux boolean:
setsebool -P samba_enable_home_dirs on

8) restart samba

Testing:

On another linux member of the IPA domain it is possible to connect to
the samba shares using smbclient -k :
kinit user@MY.REALM
smbclient -k -L sambatest.my.realm
smbclient -k //sambatest.my.realm/shared

On a windows machine, member of the AD domain it is possible to connect
to the samba shares typing in the windows explorer location bar:
\\sambatest.my.realm
Also, if the ad user is an (indirect) member of the IPA admins group,
thanks to the trust relationship, with the above smb.conf he may have
write access to the \shared folder.

Thanks to the ipa and sssd teams for this great enablement!
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford
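Sumit's point above is that the Kerberos pieces (security = ads and the dedicated cifs keytab) are what make this work, and an smb.conf that differs in small ways fails in ways that are hard to diagnose from the client side. As an added example, not Loris's or Samba's own code, here is a Python linter that parses an smb.conf and reports which of those [global] settings are missing or differ, plus writable shares that no write list or valid users restricts; the working config is the one from step 6 above, and the weak variant is constructed.

```python
"""Lint an smb.conf for the Kerberos settings the IPA/Samba setup relies on."""
import configparser
import textwrap

# Working smb.conf posted in the thread (step 6).
WORKING_SMB_CONF = textwrap.dedent("""\
    [global]
    workgroup = MY
    realm = MY.REALM
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    log file = /var/log/samba/log.%m
    security = ads

    [homes]
    browsable = no
    writable = yes

    [shared]
    path = /home/shared
    writable = yes
    browsable=yes
    write list = @admins
""")

# Constructed variant (not from the thread): Kerberos not selected, keytab
# path without the FILE: prefix, and a writable share nobody is excluded from.
WEAK_SMB_CONF = textwrap.dedent("""\
    [global]
    workgroup = MY
    realm = MY.REALM
    dedicated keytab file = /etc/samba/samba.keytab
    log file = /var/log/samba/log.%m
    security = user

    [shared]
    path = /home/shared
    writable = yes
""")

# [global] values the thread's Kerberos-based setup depends on.
REQUIRED_GLOBAL = {
    "security": "ads",
    "kerberos method": "dedicated keytab",
}

# Sections smbd treats specially rather than as ordinary shares.
SPECIAL_SECTIONS = {"global", "homes", "printers"}


def parse_smb_conf(text):
    # smb.conf is INI-like, but only '=' separates key and value (the key
    # 'idmap config * : backend' contains a colon) and values like 'log.%m'
    # must not be treated as interpolation syntax.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def lint_global(cp):
    """Return findings about the Kerberos-related [global] settings."""
    if not cp.has_section("global"):
        return ["no [global] section"]
    g = cp["global"]
    findings = []
    for key, want in REQUIRED_GLOBAL.items():
        got = g.get(key)
        if got is None:
            findings.append(f"{key} missing (expected '{want}')")
        elif got.strip().lower() != want:
            findings.append(f"{key} = {got.strip()} (expected '{want}')")
    keytab = g.get("dedicated keytab file", "").strip()
    if not keytab:
        findings.append("dedicated keytab file missing")
    elif not keytab.startswith("FILE:"):
        findings.append(f"dedicated keytab file '{keytab}' lacks the FILE: "
                        "prefix the working config uses")
    return findings


def lint_shares(cp):
    """Flag writable shares with neither 'write list' nor 'valid users':
    every authenticated user can write there."""
    findings = []
    for name in cp.sections():
        if name in SPECIAL_SECTIONS:
            continue
        s = cp[name]
        writable = (s.get("writable", "no").strip().lower() == "yes"
                    or s.get("read only", "yes").strip().lower() == "no")
        restricted = any(s.get(k, "").strip()
                         for k in ("write list", "valid users"))
        if writable and not restricted:
            findings.append(f"[{name}] is writable by every authenticated user")
    return findings


def lint(text):
    """Parse and run both checks; an empty list means nothing to fix."""
    cp = parse_smb_conf(text)
    return lint_global(cp) + lint_shares(cp)
```

Run `lint()` over the file's contents before restarting smbd; it does not verify that the keytab actually holds the cifs principal, which `klist -k` on the file still has to confirm.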



Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread John Obaterspok
Hello,

I've tried this as well. My IPA is not connected to an AD. My smb.conf
looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file

I had the samba and ipa server on the same box so I just had to add the cifs
server and get the keytab file in the same way.
I was a bit surprised to see that accessing samba using smbclient -k
\\... worked right away from a linux box. Then stopped working if I did
kdestroy.

*But,* I never got it to work from Windows. The Windows PC is not joined to
any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets and can
ssh login via putty without password.

Any ideas on how to get this going from Windows as well?

-- john

2014-10-29 20:54 GMT+01:00 Loris Santamaria lo...@lgs.com.ve:


Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread Loris Santamaria
El mié, 29-10-2014 a las 21:40 +0100, John Obaterspok escribió:
 Hello,
 
 
 I've tried this as well. My IPA is not connected to an AD. My smb.conf
 looks almost the same. The differences are:
 - I got the default workgroup set (MY or something)
 - No FILE:/ prefix for keytab file
 
 
 I had the samba and ipa server on the same box so I just had to add the
 cifs server and get the keytab file in the same way.
 I was a bit surprised to see that accessing samba using smbclient -k
 \\... worked right away from a linux box. Then stopped working if I
 did kdestroy.
 
 But, I never got it to work from Windows. The Windows PC is not joined
 to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets
 and can ssh login via putty without password.
 
 Any ideas on how to get this going from Windows as well?

I guess you should prepare the ipa server for a windows domain trust
(even if you won't set up any trust with an ad domain), with
ipa-adtrust-install. Beware that it will overwrite your smb.conf.

With that configuration and the steps described in
http://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html you 
will be able to use the native windows kerberos libraries and you should be 
able to open a samba share with your kerberos credentials.

Best regards


-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford



Re: [Freeipa-users] dns stops working after upgrade

2014-10-29 Thread Rob Verduijn
Hello,

I've tested the update again.

The bind-utils conflict is still there when I issue yum update
freeipa-server ( as indicated on the freeipa 4.1 download page
http://www.freeipa.org/page/Downloads#Upgrading )

'yum update' works fine

My internal zones didn't resolve after the update.
ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update didn't fix it;
ipa-ldap-updater did fix the 'access control instructions' and my internal
dns zones started to resolve again :-)

Cheers
Rob


2014-10-29 18:14 GMT+01:00 Petr Spacek pspa...@redhat.com:

 On 29.10.2014 16:46, Rob Verduijn wrote:

 Hello,

 # ipa-ldap-updater /usr/share/ipa/updates/55-pbacmemberof.update
   fixes the problem.

 I can resolve my internal dns zones again :-)

 Many thanx.

 Since this problem happened every time I tried to update the freeipa
 server, I could re-run the update with some debug options if you like,
 so you can pinpoint what goes wrong with the update script.


 I have rebuilt some packages in mkosek's COPR so now you should not
 encounter dependency problems. A simple 'yum upgrade' should give you all the
 required packages.

 We are looking at other problems in the upgrade process right now so there is
 not much to test except package dependencies.

 --
 Petr^2 Spacek


Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Dmitri Pal

On 10/29/2014 02:40 PM, Craig White wrote:


Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread Dmitri Pal

On 10/29/2014 05:01 PM, Loris Santamaria wrote:

El mié, 29-10-2014 a las 21:40 +0100, John Obaterspok escribió:

Hello,


I've tried this as well. My IPA is not connected to an AD. My smb.conf
looks almost the same. The differences are:
- I got the default workgroup set (MY or something)
- No FILE:/ prefix for keytab file


I had the samba and ipa server on the same box so I just had to add the
cifs server and get the keytab file in the same way.
I was a bit surprised to see that accessing samba using smbclient -k
\\... worked right away from a linux box. Then stopped working if I
did kdestroy.

But, I never got it to work from Windows. The Windows PC is not joined
to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets
and can ssh login via putty without password.


Any ideas on how to get this going from Windows as well?

I guess you should prepare the ipa server for a windows domain trust
(even if you won't set up any trust with an ad domain), with
ipa-adtrust-install. Beware that it will overwrite your smb.conf.

With that configuration and the steps described in
http://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html you 
will be able to use the native windows kerberos libraries and you should be 
able to open a samba share with your kerberos credentials.

Best regards




Would you by any chance be able to create a HowTo solution on the 
FreeIPA wiki?
Seems like it would be a simple cut & paste from a couple of mails. Thanks in 
advance!


http://www.freeipa.org/page/Contribute/Documentation
http://www.freeipa.org/page/HowTos

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Rich Megginson

On 10/29/2014 06:45 PM, Dmitri Pal wrote:

On 10/29/2014 02:40 PM, Craig White wrote:

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:

*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]


On 10/28/2014 04:41 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 mailto:freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig 
White

 *Sent:* Tuesday, October 28, 2014 1:28 PM
 *To:* d...@redhat.com mailto:d...@redhat.com;
 freeipa-users@redhat.com mailto:freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]


 *From:*Dmitri Pal [mailto:d...@redhat.com]
 *Sent:* Tuesday, October 28, 2014 10:04 AM
 *To:* Craig White; freeipa-users@redhat.com
 mailto:freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] getent passwd / group


 On 10/28/2014 12:11 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 mailto:freeipa-users-boun...@redhat.com
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of 
*Dmitri Pal

 *Sent:* Monday, October 27, 2014 5:32 PM
 *To:* freeipa-users@redhat.com 
mailto:freeipa-users@redhat.com

 *Subject:* Re: [Freeipa-users] getent passwd / group


 On 10/27/2014 07:38 PM, Craig White wrote:

 RHEL 6.5 - new install

 ipa-server-3.0.0-42.el6.x86_64

 389-ds-base-1.2.11.15-47.el6.x86_64


 On the master, I get nothing


 [root@ipa001 log]# getent passwd admin

 [root@ipa001 log]#


 But it works on the replica as expected


 [root@ipa002nadev01 ~]# getent passwd admin

admin:*:114000:111000:Administrator:/home/admin:/bin/bash


 I am used to using PADL / NSSWITCH with OpenLDAP and I am
 rather surprised that on both, 'getent passwd' and 'getent
 group' return only entries from local files but then 
again,

 I've never used sssd before.


 REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited


 Then we need SSSD logs with the debug_level in the right 
sections as

 Jakub mentioned in his mail.
 

 Sorry - I had a long meeting and should have noted that after
 restarting SSSD, it all started working again as expected. Clearly
 something I have to watch for and indeed, I moved the debug to the
 domain section for the future.

 I should add - I came to the realization that after restarting sssd and
 going to a long meeting, I came back and couldn't log into the ipa
 console or Kerberos and had to restart the IPA service to restart Kerberos.



 IPA is logging nothing.


 This is not the first time I have had to go through this cycle 
- it seems that somehow, the IPA server is sensitive to the SSSD 
daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not 
functioning and must be restarted too.



 Thanks


 Craig


Is this on the same server?


Yes, same server... the one I call the master. The first one I set up.
I'm getting tuned in to checking the status of dirsrv and ipa, but
now I know to check the status of sssd too.


Seems like it crashes a little too easily - I doubt I did much to 
harm it... I am fairly experienced with OpenLDAP and in fact used 
389-server back when it was called FedoraDS.



But it is running now, and seemingly will stay running for some time 
and I am upping the logging and watching for a crash like Richard 
said to provide some debug logs if possible. Sort of wish I could 
have just started with RHEL 7 and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 7f86cd04e572 sp 7f86a2bf7f10 error 4 in libslapd.so.0.0.0[7f86cd009000+fd000]


Required a 'service ipa restart' to get up and running again ;-(

Now Rich directed me to the 'debugging crashes' section which would 
have me installing debuginfo for 389.


I can't find it...
# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common |  871 B 00:00
rackspace-rhel-x86_64-server-6-ius |  871 B 00:00
rhel-x86_64-server-6 | 1.5 kB 00:00
rhel-x86_64-server-optional-6 | 1.5 kB 00:00
rhel-x86_64-server-supplementary-6 | 1.5 kB 00:00
rhn-tools-rhel-x86_64-server-6 | 

Re: [Freeipa-users] Woes adding a samba server to the ipa domain

2014-10-29 Thread Loris Santamaria
On Wed, 29-10-2014 at 20:49 -0400, Dmitri Pal wrote:
 On 10/29/2014 05:01 PM, Loris Santamaria wrote:
 
  On Wed, 29-10-2014 at 21:40 +0100, John Obaterspok wrote:
   Hello,
   
   
   I've tried this as well. My IPA is not connected to an AD. My smb.conf
   looks almost the same. The differences are:
   - I got the default workgroup set (MY or something)
   - No FILE:/ prefix for the keytab file
   
   
   I had samba and the ipa server on the same box, so I just had to add the
   cifs server and get the keytab file in the same way.
   I was a bit surprised to see that accessing samba using smbclient -k
   \\... worked right away from a linux box. Then it stopped working if I
   did kdestroy.
   
   
   But, I never got it to work from Windows. The Windows PC is not joined
   to any AD, it uses MIT Kerb client 4.0.1 and I successfully get tickets
   and can ssh login via putty without a password.
   
   
   Any ideas on how to get this going from Windows as well?
  I guess you should prepare the ipa server for a windows domain trust
  (even if you won't set up any trust with an ad domain), with
  ipa-adtrust-install. Beware that it will overwrite your smb.conf.
  
  With that configuration and the steps described in
  http://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html 
  you will be able to use the native windows kerberos libraries and you 
  should be able to open a samba share with your kerberos credentials.
  
  Best regards
  
  
  
  
 Would you by any chance be able to create a HowTo solution on the
 FreeIPA wiki?
 Seems like it would be a simple cut and paste from a couple of mails. Thanks in
 advance!

Here it is:

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Best regards
-- 
Loris Santamaria   linux user #70506   xmpp:lo...@lgs.com.ve
Links Global Services, C.A.http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:1...@lgs.com.ve

If I'd asked my customers what they wanted, they'd have said
a faster horse - Henry Ford


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] F20 Problem upgrading to 4.1

2014-10-29 Thread Michael Lasevich
Maybe I should not be doing this late at night, but I cannot find
cn=IPK11 Unique IDs,cn=IPA UUID,cn=plugins,cn=config  anywhere.

-M

On 10/29/14, 3:03 AM, Martin Basti wrote:
 On 28/10/14 20:54, Michael Lasevich wrote:
 I have a pair of servers that were both installed on clean Fedora20
 4.0.1 from pviktori copr repo and then upgraded from mkosek to 4.1

 During the update, the secondary was done first and worked, but the primary ran into
 trouble as described

 Looking under cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com I get one
 entry with dn:

 ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

 Not sure what of that you need there, but for ipk11Label it has:
 dnssec-replica:infra-dc-02.my.domain.com. (which is the replica that IS
 working)

 Thanks,

 -M

 On 10/28/14, 3:21 AM, Martin Basti wrote:
 On 28/10/14 06:14, Michael Lasevich wrote:
 Running into the same thing, but running ipa-dns-install does not complete:

 =
 Configuring DNS (named)
[1/8]: generating rndc key file
 WARNING: Your system is running out of entropy, you may experience
 long delays
[2/8]: setting up our own record
[3/8]: adding NS record to the zones
[4/8]: setting up CA record
[5/8]: setting up kerberos principal
[6/8]: setting up named.conf
[7/8]: configuring named to start on boot
[8/8]: changing resolv.conf to point to ourselves
 Done configuring DNS (named).
 Configuring DNS key synchronization service (ipa-dnskeysyncd)
[1/6]: checking status
[2/6]: setting up kerberos principal
[3/6]: setting up SoftHSM
[4/6]: adding DNSSEC containers
[5/6]: creating replica keys
[error] DuplicateEntry: This entry already exists
 Unexpected error - see /var/log/ipaserver-install.log for details:
 DuplicateEntry: This entry already exists
 =

 Looking into the /var/log/ipaserver-install.log gets:
 =
 2014-10-28T05:01:24Z DEBUG Storing replica public key to LDAP,
 ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com

 2014-10-28T05:01:24Z DEBUG flushing ldap://infra-dc-01.my.domain.com:389 from SchemaCache
 2014-10-28T05:01:24Z DEBUG retrieving schema for SchemaCache url=ldap://infra-dc-01.my.domain.com:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x47d0d88>
 2014-10-28T05:01:24Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
     ldap.add_entry(entry)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
     self.conn.add_s(entry.dn, attrs.items())
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
     raise errors.DuplicateEntry()
 DuplicateEntry: This entry already exists

 2014-10-28T05:01:24Z DEBUG   [error] DuplicateEntry: This entry already exists
 2014-10-28T05:01:24Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 646, in run_script
     return_value = main_function()
   File "/sbin/ipa-dns-install", line 218, in main
     dnskeysyncd.create_instance(api.env.host, api.env.realm)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 128, in create_instance
     self.start_creation()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
     run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
     method()
   File "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py", line 340, in __setup_replica_keys
     ldap.add_entry(entry)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1592, in add_entry
     self.conn.add_s(entry.dn, attrs.items())
   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
     self.gen.throw(type, value, traceback)
   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1169, in error_handler
     raise errors.DuplicateEntry()
 2014-10-28T05:01:24Z DEBUG The ipa-dns-install command failed, exception: DuplicateEntry: This entry already exists
 Hello Michael,

 can you send me which entries you have in
 cn=keys,cn=sec,cn=dns,dc=my,dc=domain,dc=com? It looks like the directory
 server doesn't generate a uniqueID for keys.

 Do you have an upgraded IPA or a fresh install?

 Martin^2

 Can you send me the content of the cn=IPK11 Unique IDs,cn=IPA
 UUID,cn=plugins,cn=config entry (if it exists)?
 It looks like DS doesn't generate unique IDs.

 Martin^2
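The symptom in this thread is a key entry whose RDN is still the literal ipk11UniqueId=autogenerate, which is why the next add collides with DuplicateEntry. The following check is an added example, not FreeIPA or the reporter's code: it parses the LDIF an ldapsearch of the keys container would print and lists entries whose ipk11UniqueId was never replaced by a UUID. The LDIF sample, suffix dc=example,dc=test and replica names are constructed.

```python
"""Added diagnostic (not FreeIPA code) for the DuplicateEntry above: the replica
key kept the literal RDN ipk11UniqueId=autogenerate, so the IPA UUID plugin never
replaced the magic value and the next add with that RDN collides. Input is LDIF
as printed by `ldapsearch -o ldif-wrap=no`; the sample below is constructed."""
import re

MAGIC = "autogenerate"  # value FreeIPA writes for the plugin to replace
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: one entry the plugin rewrote, one it did not.
SAMPLE_LDIF = """\
dn: ipk11UniqueId=autogenerate,cn=keys,cn=sec,cn=dns,dc=example,dc=test
objectClass: ipk11Object
ipk11UniqueId: autogenerate
ipk11Label: dnssec-replica:replica1.example.test.

dn: ipk11UniqueId=0b2f6f8e-1c6d-4f33-9c0e-5d1a2b3c4d5e,cn=keys,cn=sec,cn=dns,dc=example,dc=test
objectClass: ipk11Object
ipk11UniqueId: 0b2f6f8e-1c6d-4f33-9c0e-5d1a2b3c4d5e
ipk11Label: dnssec-replica:replica2.example.test.
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    leading-space continuation lines folded; base64 (::) values not decoded."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:        # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.strip():                   # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            last = attr.lower()
            cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def stuck_key_entries(ldif_text):
    """DNs whose ipk11UniqueId is still the magic value or not a UUID; a rerun of
    ipa-dns-install will collide with exactly these entries."""
    bad = []
    for e in parse_ldif(ldif_text):
        uid = e.get("ipk11uniqueid", [""])[0]
        if uid and (uid.lower() == MAGIC or not UUID_RE.match(uid)):
            bad.append(e["dn"][0])
    return bad
```

An empty result means every key already carries a generated UUID and the collision must come from somewhere else; a non-empty one points at the plugin configuration Martin asked about.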


