Re: [Freeipa-users] Checking 389 for ACI contamination
On 04/11/2015 11:27 PM, Brian Topping wrote: Hi all, trying to figure out if I may have contaminated my ACIs in the process of upgrading my replicated deployment. I didn't upgrade the instances at the same time, is there any possibility that the 3.x ACIs contaminated the 4.x DIT? If so, how would I check it? Is there an LDIF in the disto that I can manually compare the entries? cheers, Brian Did you do any custom ACIs in 3.3? 4.0 has new ACI framework so it most likely replicated into 3.3 not the other way around. I would leave to experts to provide specific commands on how to check things. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute objectclass
On 04/11/2015 03:51 PM, Traiano Welcome wrote: Hi I got this error while installing an IPA replica of my primary master IDM server: .LDAPUpdate: ERRORAdd failure missing required attribute objectclass Replica add command: ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg A little more context: --- . . . Done configuring ipa-otpd. Applying LDAP updates ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa : ERRORAnonymous ACI not found, cannot update it Restarting the directory server Restarting the KDC Restarting the certificate server Using reverse zone xxx.16.172.in-addr.arpa. --- What does this error mean? If it's suggesting that somehow a key ldap attribute was not created, how can I fix this? Thanks in advance, Traiano You are probably installing a replica on a server that has different version than the server that created the initial replica file. What are the versions you are working with? -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] .LDAPUpdate: ERROR Add failure missing required attribute objectclass
Hi Dmitri Thanks for the response. On Mon, Apr 13, 2015 at 5:14 AM, Dmitri Pal d...@redhat.com wrote: On 04/11/2015 03:51 PM, Traiano Welcome wrote: Hi I got this error while installing an IPA replica of my primary master IDM server: .LDAPUpdate: ERRORAdd failure missing required attribute objectclass Replica add command: ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-siteX-idm-slve.lol.local.gpg A little more context: --- . . . Done configuring ipa-otpd. Applying LDAP updates ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa.ipaserver.install.ldapupdate.LDAPUpdate: ERRORAdd failure missing required attribute objectclass ipa : ERRORAnonymous ACI not found, cannot update it Restarting the directory server Restarting the KDC Restarting the certificate server Using reverse zone xxx.16.172.in-addr.arpa. --- What does this error mean? If it's suggesting that somehow a key ldap attribute was not created, how can I fix this? Thanks in advance, Traiano You are probably installing a replica on a server that has different version than the server that created the initial replica file. What are the versions you are working with? That's possible, but very unlikely, I installed master and replicas of the same .iso, to make sure of no package variations in repos. CentOS 7.0 with this set of packages off the installation CD: --- ipa-admintools-3.3.3-28.el7.centos.x86_64.rpm ipa-client-3.3.3-28.el7.centos.x86_64.rpm ipa-gothic-fonts-003.03-5.el7.noarch.rpm ipa-mincho-fonts-003.03-5.el7.noarch.rpm ipa-pgothic-fonts-003.03-5.el7.noarch.rpm ipa-pmincho-fonts-003.03-5.el7.noarch.rpm ipa-python-3.3.3-28.el7.centos.x86_64.rpm ipa-server-3.3.3-28.el7.centos.x86_64.rpm ipa-server-trust-ad-3.3.3-28.el7.centos.x86_64.rpm python-sssdconfig-1.11.2-65.el7.noarch.rpm sssd-1.11.2-65.el7.x86_64.rpm sssd-ad-1.11.2-65.el7.x86_64.rpm sssd-client-1.11.2-65.el7.x86_64.rpm sssd-common-1.11.2-65.el7.x86_64.rpm sssd-common-pac-1.11.2-65.el7.x86_64.rpm sssd-ipa-1.11.2-65.el7.x86_64.rpm sssd-krb5-1.11.2-65.el7.x86_64.rpm sssd-krb5-common-1.11.2-65.el7.x86_64.rpm sssd-ldap-1.11.2-65.el7.x86_64.rpm sssd-proxy-1.11.2-65.el7.x86_64.rpm --- I any case, I think I've 'overwritten' the problem by upgrading to FreeIPA 4.1.0 ... This seems to have fixed that particular problem. -- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] CRON: Authentication service cannot retrieve authentication info
Hi all, We have cronjob which running on a FreeIPA LDAP user; When connection between IPA server and client having heavy packet loss, following error would occur: CRON[20637]: Authentication service cannot retrieve authentication info I have cache credentials and store password if offline enabled on sssd, how these problem would still happening? sssd.conf: cache_credentials = True krb5_store_password_if_offline = True -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] user account without password
-Original Message- From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us] Sent: Friday, April 10, 2015 9:27 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com Subject: RE: [Freeipa-users] user account without password Also, if such account will also exist locally (my case), it will not be controlled by HBAC rules - it can be a some kind of security trap... Pretty sure accounts should be either local or domain-wide, but not both. Could lead to strange and unforeseen side effects. Last I checked, only local accounts can run services. It may be advantageous to allow local accounts (which can run services) to have a representation in the domain, but the local accounts need to be scoped to the local machine (e.g., apache on server 1 is different than apache on server 2). At least that way, they could belong to the same groups domain accounts belong to. SSO certainly shouldn't work. Any access to shared storage should distinguish between same-named accounts on different machines. Alternatively, allowing domain accounts to run certain services also has some merit. (assuming the user has permissions to do so.) Just thinking into email. Bryce I have a long and positive experience using both local and IPA users with the same attributes, but without HBAC and without sudo way to obtain shell of such users. Default settings in nsswitch.conf and pam provides straight and clear systems behavior, for about three years. But I agree there can be case when such construction may lead to misbehavior and so on. We will try to avoid them. SSO not really the aim for us, we just need to made a environment where users must remember only one password to access all resources on unix/linux servers. Not trying to argue, just sharing some thoughts :) Alexander Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она адресована. В сообщении может содержаться конфиденциальная информация, которая не может быть раскрыта или использована кем-либо, кроме адресатов. Если вы не адресат этого сообщения, то использование, переадресация, копирование или распространение содержания сообщения или его части незаконно и запрещено. Если Вы получили это сообщение ошибочно, пожалуйста, незамедлительно сообщите отправителю об этом и удалите со всем содержимым само сообщение и любые возможные его копии и приложения. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. The contents may not be disclosed or used by anyone other than the addressee. If you are not the intended recipient(s), any use, disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you have received this communication in error please notify us immediately by responding to this email and then delete the e-mail and all attachments and any copies thereof. (c)20mf50 -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project