Re: [Freeipa-users] Checking 389 for ACI contamination

2015-04-14 Thread Martin Kosek
On 04/14/2015 03:51 AM, Brian Topping wrote:
 
 On Apr 13, 2015, at 1:33 PM, Martin Kosek mko...@redhat.com wrote:
 
 On 04/12/2015 05:27 AM, Brian Topping wrote:
 Hi all, trying to figure out if I may have contaminated my ACIs in the 
 process of upgrading my replicated deployment. I didn't upgrade the 
 instances at the same time, is there any possibility that the 3.x ACIs 
 contaminated the 4.x DIT?
 
 What do you mean, by... contaminated? Can you please describe what
 exactly happened?
 
 As Dmitri said, there were major ACI related changes in 4.0, but I am not
 sure what is the problem in your case.
 
 The only thing that is broken at the moment is my OCD. I did make a couple
 of changes in my 3.x deployment that appear to have been insufficient when I
 upgraded, but I didn't name them well and I'm having issues trying to find
 which ones they were. Now that I've RTFM on ACIs, I want to make sure
 everything that is there is there for a reason. I'd rather put effort in now
 than be surprised by some cruft I left behind in a future upgrade.

Ok :-)

 
 If so, how would I check it? Is there an LDIF in the distro that I can 
 manually compare the entries?
 
 I am not sure which entries are you referring to. But from 4.0, most of
 the ACIs are now generated dynamically, from Python code.
 
 If the schema/ACIs are managed by Python, it might be interesting for the
 script to generate warnings when it runs. Stuff like missing/extra schema 
 ACIs. Just a thought.

I think the ACI upgrade plugin indeed generates warnings when it has problems
processing the ACIs.

Not all ACIs are processed during upgrade to FreeIPA 4.0+. Only the FreeIPA
default system ACIs are processed; after the upgrade you will see them as
"System: ..." permissions, for which you will only have limited edit capabilities.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Upgrading Freeipa 3 server.

2015-04-14 Thread Martin Kosek
You do not need to uninstall the 4 server, you just need to install the CA
component on it:

# ipa-ca-install /path/to/replica.file

... and make it CRL/renewal master. See step 8 and later in

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

On 04/14/2015 02:06 AM, Aric Wilisch wrote:
 I didn’t see this guide until now. The IPA3 server started off as a RHEL 6.6 
 server so no upgrade is necessary, but I simply generated the replica file 
 and created the IPA 4 server as a replica. Aside from the CA not being there 
 the server looks to be working fine and shows up as a master. 
 
 I’ll uninstall the 4 server and work through the script process to see if 
 that fixes the issue. 
 
 Regards,
 --
 Aric Wilisch
 awili...@gmail.com
 
 
 
 
 On Apr 13, 2015, at 7:47 PM, Dmitri Pal d...@redhat.com wrote:

 On 04/13/2015 07:26 PM, Aric Wilisch wrote:
 One of our environments has a FreeIPA 3 server installed and I need to 
 upgrade it to FreeIPA 4. I brought up a RHEL 7 server and installed FreeIPA 
 4 as a replica of the FreeIPA 3 box. But now I'm stuck. I can't find any 
 good documentation on how to promote the new FreeIPA 4 server and take the 
 old FreeIPA 3 server out of the picture. If I do an ipa-replica-manage del 
 --force stip01.staging.fioptics.int it tells me I can't because it would 
 leave me without a CA. However I can't find any documentation on migrating 
 the CA from IPA3 to IPA4. 

 Any help would be appreciated. 

 Regards,
 --
 Aric Wilisch
 awili...@gmail.com

 Did you follow this procedure?
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc

 I would say that I would recommend upgrading to 6.6 rather than 6.5.

 If you did not what exactly did you do?

 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.



Re: [Freeipa-users] multihome - single interface?

2015-04-14 Thread Petr Spacek
On 13.4.2015 16:07, Janne Blomqvist wrote:
 On 2015-04-10 12:05, Petr Spacek wrote:
 On 10.4.2015 10:52, Janne Blomqvist wrote:
 On 2015-04-07 14:29, Martin Kosek wrote:
 On 04/05/2015 08:03 PM, Dmitri Pal wrote:
 On 04/05/2015 12:51 PM, Janelle wrote:
 Hello,

 Trying to find a way on a multi-homed server to force IPA and its related
 apps to listen on a specific interface. I can find all kinds of info saying
 the services listen on all interfaces by default so there must be a way?

 Thank you
 ~J

 Sounds familiar.
 I think there is a ticket open for that.

 This is the RFE:

 https://fedorahosted.org/freeipa/ticket/3338

 Just in case anybody would like to help us extend FreeIPA installers :-)


 Hi,

 I have a related, or opposite really, problem.

 So I have configured IPA for a domain (say, ipa.example.org). Then I have a
 bunch of client machines that can join the domain etc. Fine so far.

 However, I also have another bunch of client machines on an internal network
 (with NAT access to the outside world). So for these I add another network
 interface on the ipa servers. So my ipa servers have two IPs and DNS names,
 say, ipa1.ipa.example.org (some public IP) and ipa1.local (10.x.x.x IP). Now
 it doesn't work so well anymore for these clients, because the krb principals
 for the IPA server(s) are bound to the public name, so joining the domain
 fails (ipa1.local != ipa1.ipa.example.org). I can sort-of make it work by
 joining via the public interface (manually creating the machine accounts on
 the ipa server first, since otherwise it doesn't understand clientX.local DNS
 names/IPs), but then obviously all communication goes via the NAT box which
 is a SPOF.

 So is there some reasonable way to make the above work?

 IMHO the cleanest solution is to properly configure routing in your network to
 route your public IP range properly to the respective subnet instead of going
 through a NAT.

 Details depend on your network so I do not have exact steps for you, sorry.

 Thanks. So do you mean something like on each client machine in the NATed
 network I add special routes to the ipa servers? And by that the client
 machines would know that ipa1.ipa.example.org can be reached via ipa1.local
 instead of going via the default route (which is the NAT box)?

Details really depend on your setup. For example:

- IPA servers are in subnet 10.1.1.0/24 and have public addresses in
192.0.2.0/24 subnet.
- Clients are in 10.2.2.0/24 subnet behind NAT, subnet gateway is 10.2.2.254.

In this setup you need to add a route for 192.0.2.0/24 on the gateway 10.2.2.254
(and to add 192.0.2.0/24 addresses to the IPA server interfaces if they are not
configured yet).

If you have a really small network where all hosts are in a single network then
you really might need to add the route to multiple hosts to get rid of the SPOF
on the gateway.

Here you need to consider whether adding the route to all hosts is worth the
effort: What happens if the gateway is down? Is the gateway a separate router
or is it some kind of all-in-one switch+router as typically seen in really
small setups?

I hope this helps.

-- 
Petr Spacek  @  Red Hat
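The routing point Petr makes above, as an added example that is not from the thread or from FreeIPA: a small longest-prefix-match lookup in Python over a client's routing table, using the thread's 192.0.2.0/24 (IPA public addresses), 10.2.2.0/24 (client subnet) and 10.2.2.254 (NAT gateway). The IPA server address 192.0.2.10 and the next hop 10.2.2.1 for the direct route are assumptions made for illustration; the point shown is that without the specific route, every packet to the IPA server's public address falls through to the default route and therefore the NAT box.

```python
"""Added example: longest-prefix-match route selection for the multi-homed
IPA setup discussed in the thread (example code, not FreeIPA's own).

Addresses from the thread: IPA public addresses in 192.0.2.0/24, clients in
10.2.2.0/24 behind NAT gateway 10.2.2.254.  Assumed for illustration:
IPA server at 192.0.2.10, and 10.2.2.1 as the router that reaches the IPA
subnet without passing through the NAT box.
"""
import ipaddress

IPA_PUBLIC_NET = "192.0.2.0/24"
IPA_SERVER = "192.0.2.10"        # assumed public address of ipa1
NAT_GATEWAY = "10.2.2.254"       # the thread's gateway, a SPOF for IPA traffic
DIRECT_ROUTER = "10.2.2.1"       # assumed next hop towards the IPA subnet


class RoutingTable:
    """Minimal IPv4 routing table with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []  # (network, next_hop) pairs

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, destination):
        """Return (prefix, next_hop) of the most specific route matching destination."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return None if best is None else (str(best[0]), best[1])


def client_routing_table(with_ipa_route):
    """Routing table of a host in 10.2.2.0/24, with or without the extra route."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", NAT_GATEWAY)       # default route via the NAT box
    rt.add("10.2.2.0/24", "on-link")       # local subnet, no gateway needed
    if with_ipa_route:
        rt.add(IPA_PUBLIC_NET, DIRECT_ROUTER)  # the route Petr suggests adding
    return rt


def next_hop_to_ipa(with_ipa_route):
    """Which next hop a client uses to reach the IPA server's public address."""
    return client_routing_table(with_ipa_route).lookup(IPA_SERVER)[1]


def depends_on_nat(with_ipa_route):
    """True if IPA traffic still passes through the NAT gateway (the SPOF)."""
    return next_hop_to_ipa(with_ipa_route) == NAT_GATEWAY


if __name__ == "__main__":
    for flag in (False, True):
        print(f"ipa route {'present' if flag else 'absent '}: next hop "
              f"{next_hop_to_ipa(flag)}, via NAT: {depends_on_nat(flag)}")
```

Whether the extra route lives on the gateway or on every host is the trade-off Petr describes: the table above is what each host ends up with when the route is pushed to the hosts themselves.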



Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Prasun Gera
Thanks. Yes, the feature would be pretty useful. Do you have any thoughts
on the documentation blurb mentioned a couple of mails ago ("Use a remote
user ...")? The local root on the IPA server can be mapped to a
particular user on the NFS server. That bit sounds straightforward. The
other parts are less clear.



On Tue, Apr 14, 2015 at 3:03 AM, Martin Kosek mko...@redhat.com wrote:

 I am personally not aware of such a deployment. The linux-nfs.org NFS
 HOWTOs we link from http://www.freeipa.org/page/HowTos#Authentication
 also use no_root_squash.

 To do this properly, I assume you would need to have some notification
 mechanism deployed on the FreeIPA server that would trigger the home
 directory creation on the server.

 (We have a ticket for it: https://fedorahosted.org/freeipa/ticket/1593)

 On 04/13/2015 08:58 PM, Prasun Gera wrote:
  Just a follow up. I thought that making NFS a service in IPA takes care of
  this, but it looks like the issues are unrelated. Home directories are
  created automatically if the user logs in to the NFS server, but I haven't
  found any solution to trigger this from a client without using
  no_root_squash for the mount on the IPA server. If someone has achieved this
  functionality, can you share your experience?
 
  On Fri, Apr 10, 2015 at 1:05 PM, Prasun Gera prasun.g...@gmail.com
 wrote:
 
  Here's the link:
  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories
 
  On Fri, Apr 10, 2015 at 12:42 PM, Dmitri Pal d...@redhat.com wrote:
 
   On 04/09/2015 07:44 PM, Prasun Gera wrote:
 
  I have a somewhat related question. Without kerberizing NFS, which I'll
  do eventually since that needs all the clients to be migrated first, how
  does one create home directories automatically? The IPA server and NFS
  server are different systems. I was able to verify that automatic home
  creation works if the NFS share is exported to the IPA server with
  no_root_squash. What's the proper way of doing this?
 
 
  The documentation says:
 
 
  Which documentation you are referring to?
  Can you please post the link?
 
 
 
  "Use a remote user who has limited permissions to create home directories
  and mount the share on the IdM server as that user. Since the IdM server
  runs as an httpd process, it is possible to use sudo or a similar program
  to grant limited access to the IdM server to create home directories on the
  NFS server."
 
 
 
  What would be the list of steps that would achieve this? What are the
  limited permissions that the NFS user would need? Read + Write, but no
  Delete to the /home directory? Sounds like something that would need ACLs.
  And where does sudo on the IPA server fit into this?
 
 
 
  On Thu, Mar 19, 2015 at 4:51 PM, Roberto Cornacchia 
  roberto.cornacc...@gmail.com wrote:
 
  Thanks, Jakub.
 
 
  On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:
 
 
  On 19 Mar 2015, at 21:18, Roberto Cornacchia 
  roberto.cornacc...@gmail.com wrote:
 
  It's possible that I'm simply not getting the point, or that I don't
  understand the documentation correctly, but this is what I don't find clear:

  I had seen the instructions you pointed me at. These are not
  specifically about home directories.
 
  However, this section is:
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#homedir-reqs
 
  It first suggests that automatic creation of home directories over
  NFS shares is possible: just automount /home and then use
  pam_oddjob_mkhomedir or pam_mkhomedir to create homedirs at first login.

  But then it also suggests that mounting the whole /home tree could be
  an issue, and says: "Use automount to mount only the user's home directory
  and only when the user logs in, rather than loading the entire /home tree."

  That means that automatic homedir creation is out of the game,
  doesn't it?

  That's what I find confusing. What's the recommended way?
 
 
  It really depends on your environment. For your size, it's perfectly
  fine to NFS mount the whole /home tree and be done with it. Don't optimize
  prematurely :-)
 
 
 
  On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote:
  On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
  Hi Dmitri,
 
  I do realise my question is borderline and I accept that it is
  considered off-topic.
 
  I did post it here because I believe it's not *only* about NFS, but
  also about its interaction with freeIPA. The issue of NFS home and in
  particular about their creation is touched in all the links I posted
 (all
  about freeIPA) and never really answered.
 
 
  This is what is documented and recommended:
 
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#kerb-nfs
 
 

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Iain Bell
Getting FreeIPA and Synology DSM5 working together is something I'm interested in 
doing as well. 

I'm happy to proof read as well

 On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote:
 
 We will get someone review the chapter again, to remove the uncertainty. Would
 you then be willing to proof-read the result?
 

Re: [Freeipa-users] Sudo rules w/ external users (RHEL7)

2015-04-14 Thread Alexander Bokovoy

On Tue, 14 Apr 2015, Martin Kosek wrote:

On 04/13/2015 05:37 PM, Alexander Bokovoy wrote:

On Mon, 13 Apr 2015, Gould, Joshua wrote:

I’ve looked at the docs and it looks as if I can specify an external
user who can have sudo rights via IPA.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-sudorules.html#about-external-sudo


The issue being that when I try to add my AD Trust user, it doesn’t
allow the @ sign. (ex. gould@test.osuwmc).

If I modify the sudo rule to allow all users, I can see that it allows
my AD account sudo rights.

$ sudo -l

User gould@test.osuwmc may run the following commands on this host:
   (ALL : ALL) ALL

How can I configure the rule to allow certain AD users to be able to
execute certain sudo rules?

Through the external groups mechanism we use for any other AD user
mapping in HBAC and SUDO. These are not local (not defined in IPA but
defined on the host) groups and users but rather AD groups and users.

ipa group-add --external gould_group_ext
ipa group-add-member gould_group_ext --external=gould@test.osuwmc
ipa group-add gould_group
ipa group-add-member gould_group --groups=gould_group_ext

And now make a sudo rule that allows users of gould_group to run the needed
commands. SSSD will pull in all membership information for gould_group,
including AD users.


Theoretically, adding AD users as *external* users to the SUDO rule should
work, given they are stored as a bare string, no? See an example of such a
rule below:

# ipa sudorule-show test --all --raw
 dn: ipaUniqueID=01405730-e273-11e4-9df6-001a4a104e33,cn=sudorules,cn=sudo,dc=f21
 cn: test
 ipaenabledflag: TRUE
 hostcategory: all
 externaluser: foouser
 ipaUniqueID: 01405730-e273-11e4-9df6-001a4a104e33
 memberallowcmd: ipaUniqueID=11281796-e273-11e4-abfe-001a4a104e33,cn=sudocmds,cn=sudo,dc=f21
 objectClass: ipasudorule
 objectClass: ipaassociation

The change in FreeIPA would then only be a matter of allowing users with '@' in
the 'externaluser' attribute.

You lose validation of the user name here (we do validate that AD user
in question exists). And externaluser* options are deprecated.
--
/ Alexander Bokovoy
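The external-group indirection Alexander describes, and his point that a bare externaluser string loses the existence check, as an added example that is not from the thread or from FreeIPA: a toy Python model of IPA groups in which the four `ipa group-*` commands above are replayed, nested membership is flattened the way SSSD presents it to sudo, and a sudo rule is evaluated both through the group chain and through an unvalidated externaluser string. The trusted-domain user list, the `Directory` class and the `sudo_rule_allows` function are constructed for this example; real FreeIPA resolves AD users through SSSD and the trust, not a dictionary.

```python
"""Added example (not from the thread or from FreeIPA): a toy model of the
external-group indirection, gould_group -> gould_group_ext -> gould@test.osuwmc,
and of why a bare 'externaluser' string skips the AD existence check.
The trusted-domain user list below is constructed for the example.
"""

# Constructed stand-in for the trusted AD domain test.osuwmc (lower-cased names).
TRUSTED_DOMAIN_USERS = {"test.osuwmc": {"gould", "jdoe"}}


def validate_external_user(name):
    """Mimic 'ipa group-add-member --external': the AD user must exist."""
    user, sep, domain = name.lower().rpartition("@")
    if not sep or not user:
        raise ValueError(f"{name!r}: expected user@DOMAIN for a trusted-domain user")
    if user not in TRUSTED_DOMAIN_USERS.get(domain, set()):
        raise ValueError(f"{name!r}: no such user in trusted domain {domain}")
    return f"{user}@{domain}"


def external_user_exists(name):
    """Boolean form of the check above, for callers that do not want exceptions."""
    try:
        validate_external_user(name)
        return True
    except ValueError:
        return False


class Directory:
    """Tiny model of IPA groups: POSIX groups and external (AD-member) groups."""

    def __init__(self):
        self.groups = {}  # name -> {"external": bool, "users": set, "groups": set}

    def group_add(self, name, external=False):
        if name in self.groups:
            raise ValueError(f"group {name!r} already exists")
        self.groups[name] = {"external": external, "users": set(), "groups": set()}

    def group_add_member(self, name, users=(), groups=(), external=()):
        g = self.groups[name]
        if external and not g["external"]:
            raise ValueError("AD users can only be members of an external group")
        for u in external:
            g["users"].add(validate_external_user(u))   # validated on the way in
        g["users"].update(users)                        # IPA users, no lookup here
        for sub in groups:
            if sub not in self.groups:
                raise ValueError(f"no such group {sub!r}")
            g["groups"].add(sub)

    def flatten(self, name, seen=None):
        """All users reachable through nested membership (what SSSD hands to sudo)."""
        seen = set() if seen is None else seen
        if name in seen:                    # guard against membership cycles
            return set()
        seen.add(name)
        g = self.groups[name]
        members = set(g["users"])
        for sub in g["groups"]:
            members |= self.flatten(sub, seen)
        return members


def sudo_rule_allows(directory, rule, user):
    """rule: {'usergroups': [...], 'externaluser': [...]} as on an ipasudorule entry."""
    if user.lower() in (u.lower() for u in rule.get("externaluser", ())):
        return True                         # bare string match, never validated
    return any(user.lower() in directory.flatten(g)
               for g in rule.get("usergroups", ()))


def build_example():
    """The four 'ipa group-*' commands from the thread, replayed on the model."""
    d = Directory()
    d.group_add("gould_group_ext", external=True)
    d.group_add_member("gould_group_ext", external=["gould@test.osuwmc"])
    d.group_add("gould_group")
    d.group_add_member("gould_group", groups=["gould_group_ext"])
    return d, {"usergroups": ["gould_group"]}


if __name__ == "__main__":
    d, rule = build_example()
    for who in ("gould@test.osuwmc", "jdoe@test.osuwmc"):
        print(who, "->", sudo_rule_allows(d, rule, who))
```

The last assertion in the test below is the behaviour Alexander warns about: a misspelled domain in a bare externaluser value is stored and matched as-is, whereas the same typo fed to `--external` is rejected because the lookup fails.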


Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-04-14 Thread Martin Kosek
On 04/14/2015 11:04 AM, Iain Bell wrote:
 Getting FreeIPA and Synology DSM5 working together is something I'm interested in 
 doing as well. 

Just to make sure we are on the same page - someone would proof read the
problematic chapter in Red Hat docs:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/users.html#home-directories

not the Synology DSM5 specific information/HOWTO - members of this list will
have more experience in that.

 I'm happy to proof read as well
 
 On 14 Apr 2015, at 09:55, Martin Kosek mko...@redhat.com wrote:

 We will get someone review the chapter again, to remove the uncertainty. 
 Would
 you then be willing to proof-read the result?


[Freeipa-users] FreeIPA 4.1 on RHEL7/Power?

2015-04-14 Thread Gould, Joshua
We have the option to deploy our production IPA environment on either 
x86_64/VMWare or IBM Power. The RHEL7 IDM doc states that only x86_64 is 
supported.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prereqs.html#Operating_System_Requirements

If we went ahead with either a mix of Power/x86_64 or entirely Power for IDM, 
would that be a Red Hat supported configuration? The docs are pretty clear, but 
documentation is usually the last thing to get updated!

Anything else as far as current IPA plans/roadmap/etc. for Power vs. x86_64?


  Joshua



Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Joseph, Matthew (EXP)
Hey Rob,

It couldn't find the group when I did your command. I replaced show with find 
and was able to find the dn number.
I can use the ldapdelete command to delete the entry right?

Thanks,

Matt

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, April 14, 2015 12:01 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states 
it's not found

Joseph, Matthew (EXP) wrote:
 Hello,

 I'm trying to delete a group in IdM but when I do an ipa group-del
 group it states the following;

 ipa: ERROR: group: group not found

 I do an ipa group-find and it displays the group with the current members.

 I look in the Web UI and I can see the group in there but it has no
 information. If I try to view the group or delete it from there it again
 states that the group is not found.

 Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It
may be a replication conflict entry. You'd need to delete that manually
using something like ldapdelete.

rob




Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote:
 Hey Rob,
 
 So I did the following command;
 
 ldapdelete -D "cn=Directory Manager" -h server_name -p 389 
 "cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with 
 the following;
 ldap_delete: No such object
 
 I also tried replacing the group_name with the nsuniqueid and still the same 
 results.

I'd need more details on what you did. You already know the group by
its name doesn't exist otherwise IPA would have been able to delete it.

The point is to use the --all --raw flags to get the actual DN of the
group entry and delete that.

rob

 
 Matt
 
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
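Rob's advice above, as an added example that is not from the thread or from FreeIPA: a small Python script that scans an LDIF dump (for instance ldapsearch output for the groups container) for 389 Directory Server replication conflict entries and prints the exact DN to hand to ldapdelete. It relies on 389-ds replication behaviour that the thread does not spell out: a conflict entry is renamed to `nsuniqueid=<id>+<original RDN>` and carries an `nsds5ReplConflict` attribute, which is why a DN of the form `cn=nsuniqueid_...` is never found. The LDIF below is constructed, its nsuniqueid value is made up, and `server_name` is the thread's placeholder.

```python
"""Added example (not from the thread or from FreeIPA): find 389-ds
replication conflict entries in an LDIF export and print the DN to delete.

Assumption, from 389-ds replication behaviour: a conflict entry is renamed
to 'nsuniqueid=<id>+<original rdn>' and carries an nsds5ReplConflict
attribute.  The LDIF below is constructed; the nsuniqueid value is made up.
"""
import base64
import re

# Constructed ldapsearch-style LDIF: a healthy group and its conflict twin.
SAMPLE_LDIF = """\
dn: cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca
cn: group_name
objectClass: ipausergroup
member: uid=alice,cn=users,cn=accounts,dc=domain,dc=ca

dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+cn=group_name,cn=groups,cn=acc
 ounts,dc=domain,dc=ca
cn: group_name
objectClass: ipausergroup
nsds5ReplConflict: namingConflict cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca
"""

CONFLICT_RDN = re.compile(r"^nsuniqueid=([0-9a-f-]+)\+", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts (dn included)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, entry = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                   # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def find_conflicts(entries):
    """Entries that are replication conflicts, with the exact DN to delete."""
    found = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        m = CONFLICT_RDN.match(dn)
        if m or "nsds5replconflict" in e:
            found.append({
                "dn": dn,
                "nsuniqueid": m.group(1) if m else None,
                "reason": e.get("nsds5replconflict", [""])[0],
            })
    return found


def ldapdelete_command(dn, host="server_name"):
    """The thread's ldapdelete invocation, with the DN quoted ('+' and spaces)."""
    return f"ldapdelete -x -D 'cn=Directory Manager' -W -h {host} -p 389 '{dn}'"


if __name__ == "__main__":
    for c in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(f"conflict: {c['reason']}")
        print(ldapdelete_command(c["dn"]))
```

Run it against a real export with `ldapsearch -x -D "cn=Directory Manager" -W -b cn=groups,cn=accounts,dc=domain,dc=ca -LLL > groups.ldif` and feed the file to `parse_ldif`; the healthy entry keeps its plain `cn=...` DN and is left alone, only the renamed twin is reported.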


Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Rob Crittenden
David Dejaeghere wrote:
 Hi Rob,
 
 So you want to output of the command using pk12 with server cert and
 key? or with the ca chain in there too?
 

Oddly enough it is failing in exactly the same place. Those GoDaddy CA
certs are still being loaded from somewhere, I'm not sure where, and I
suspect that is the source of the problem.

I'm going to forward the log to a colleague who has worked on this code
more recently than I have. Maybe he will have an idea.

rob



Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Joseph, Matthew (EXP)
Hey Rob,

So I did the following command;

ldapdelete -D "cn=Directory Manager" -h server_name -p 389 
"cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca" and it comes back with 
the following;
ldap_delete: No such object

I also tried replacing the group_name with the nsuniqueid and still the same 
results.

Matt





Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Joseph, Matthew (EXP)
I tried to do the following command;
ldapdelete -D cn=Directory Manager -h server_name -p 389 
cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca
And I get the ldap_delete: no such object

Matt

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, April 14, 2015 2:32 PM
To: Joseph, Matthew (EXP); freeipa-users@redhat.com
Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states 
it's not found

Joseph, Matthew (EXP) wrote:
 Hey Rob,
 
 So I did the following command;
 
 ldapdelete -D cn=Directory Manager -h server_name -p 389 
 cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca and it comes back with 
 the following;
 ldap_delete: No such object
 
 I also tried replacing the group_name with the nsuniqueid and still the same 
 results.

I'd need more details on what you did. You already know the group by
its name doesn't exist, otherwise IPA would have been able to delete it.

The point is to use the --all --raw flags to get the actual DN of the
group entry and delete that.

rob

 
 Matt
 
 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com] 
 Sent: Tuesday, April 14, 2015 12:01 PM
 To: Joseph, Matthew (EXP); freeipa-users@redhat.com
 Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states 
 it's not found
 
 Joseph, Matthew (EXP) wrote:
 Hello,

  

 I'm trying to delete a group in IdM but when I do a ipa group-del
 group it states the following;

 ipa: ERROR: group: group not found

  

 I do an ipa group-find and it displays the group with the current members.

  

 I look in the Web GUI and I can see the group in there but it has no
 information. If I try to view the group or delete it from there it again
 states that the group is not found.

  

 Anyone see this before?
 
 Run ipa group-show --all --raw groupname and look at the dn value. It
 may be a replication conflict entry. You'd need to delete that manually
 using something like ldapdelete.
 
 rob
 




[Freeipa-users] ipa-getcert Problem ?

2015-04-14 Thread Günther J . Niederwimmer
Hello

I think I have a problem with the ipa-getcert script.

System: CentOS 7 (1503) and IPA 4.1.x

Can anyone help or explain my mistake, or is this an IPA problem?

I do a

kinit admin

ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 
'CN=xxx.4gjn.prv,O=$4GJN.PRV'

and have afterward with
ipa-getcert list

Number of certificates and requests being tracked: 1.
Request ID '20150414172251':
status: CA_REJECTED
ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, 
giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' 
privilege to add the entry 
'krbprincipalname=HOST/xxx.4gjn@4gjn.prv,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
stuck: yes
key pair storage: 
type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
Certificate DB'
certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-
Cert'
CA: IPA
issuer: 
subject: 
expires: unknown
pre-save command: 
post-save command: 
track: yes
auto-renew: yes

ipa-getcert status
process 4731: arguments to dbus_message_new_method_call() were incorrect, 
assertion path != NULL failed in file dbus-message.c line 1262.
This is normally a bug in some application using the D-Bus library.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted (core dumped)


what is wrong ?
-- 
Best regards,

  Günther J. Niederwimmer



Re: [Freeipa-users] Slow user logon with IPA

2015-04-14 Thread thierry bordaz

On 04/14/2015 05:36 PM, Mateusz Malek wrote:



On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:

On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:

On 04/10/2015 08:13 AM, Mateusz Malek wrote:

I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
I've hit some weird performance problems. When I'm using IPA, it takes
about 5-7 (or even more) seconds to get shell prompt after entering 
user

password (...)

(...)
Do authentication and see where the time is spent by examining the 
logs.

Correlate it to the logs on the server. (...)

I spent the better part of today fixing this issue:
 https://fedorahosted.org/sssd/ticket/2624

You might want to check if you're hit by this bug by setting:
 selinux_provider=none
temporarily.


With selinux_provider=none things seem faster.

It's still not as fast as with existing OpenLDAP, but logon times seem 
acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they 
go up to 3 seconds). It seems that most time is spent in Kerberos 
authentication (logs just stop flowing for a while) and on HBAC 
processing - on the 389 DS side it seems that LDAP is busy with 
requests (it looks like it sometimes hangs on MOD operation - is it 
updating user last logon time?).


Hello,

When such long requests happen, you may take several pstacks of the 
389-ds process. Ideally, timestamp the pstack output so that it 
is easier to correlate with DS access logs.
Providing pstacks+access/errors logs would really help to know if there 
is a bottleneck.


thanks


Best regards,
Mateusz Malek





Re: [Freeipa-users] Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote:
 Hello,
 
  
 
 I’m trying to delete a group in IdM but when I do a ipa group-del
 “group” it states the following;
 
 ipa: ERROR: “group”: group not found
 
  
 
 I do an ipa group-find and it displays the group with the current members.
 
  
 
 I look in the Web GUI and I can see the group in there but it has no
 information. If I try to view the group or delete it from there it again
 states that the group is not found.
 
  
 
 Anyone see this before?

Run ipa group-show --all --raw groupname and look at the dn value. It
may be a replication conflict entry. You'd need to delete that manually
using something like ldapdelete.

rob



Re: [Freeipa-users] Slow user logon with IPA

2015-04-14 Thread Mateusz Malek



On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:

On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:

On 04/10/2015 08:13 AM, Mateusz Malek wrote:

I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
I've hit some weird performance problems. When I'm using IPA, it takes
about 5-7 (or even more) seconds to get shell prompt after entering user
password (...)

(...)
Do authentication and see where the time is spent by examining the logs.
Correlate it to the logs on the server. (...)

I spent the better part of today fixing this issue:
 https://fedorahosted.org/sssd/ticket/2624

You might want to check if you're hit by this bug by setting:
 selinux_provider=none
temporarily.


With selinux_provider=none things seem faster.

It's still not as fast as with existing OpenLDAP, but logon times seem 
acceptable now (they mostly vary from 0.5 to 2 seconds, sometimes they 
go up to 3 seconds). It seems that most time is spent in Kerberos 
authentication (logs just stop flowing for a while) and on HBAC 
processing - on the 389 DS side it seems that LDAP is busy with requests 
(it looks like it sometimes hangs on MOD operation - is it updating 
user last logon time?).


Best regards,
Mateusz Malek



Re: [Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.

2015-04-14 Thread Alexander Bokovoy

On Tue, 14 Apr 2015, g.fer.or...@unicyber.co.uk wrote:

Hi

Dealing with AD -- Cert Trust I am reaching the following step:

ipa trust-add  ad.company.com  --admin user  --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most 
likely it is a DNS or firewall issue



Having reached this far I do not know what the issue is. Nevertheless, 
before I start playing around with the DNS any further:

The issue is what reported above -- at request of IPA DC to validate the
trust, AD DC tried to resolve IPA DC via SRV records and then tried to
contact its Samba instance on its own to complete validation of the
trust. Either step might fail, after which AD DC would report back to
IPA DC that it was unable to reach it.

This diagnostic wasn't added for nothing, you need to trust it. :)




if I run the following it seems to successfully establish the trust by 
the IPA side of the business


# ipa trust-add --type=ad ad_domain --trust-secret

So this part seems fine by the look of it..

It works because it does not communicate with AD DCs here, only with
IPA's Samba instance.

I also had to manually add the AD host and the remote CIFS resource 
but I am getting instead:


ipa trust-fetch-domains corp.hootsuitemedia.com
ipa: ERROR: AD domain controller complains about communication 
sequence. It may mean unsynchronized time on both sides, for example

This doesn't work because AD DC did not complete the trust validation
and cannot trust IPA Kerberos tickets, thus refusing operation.
Unfortunately, reporting in SMB protocol is less than perfect so we only
are able to get guesses at what has happened.

In any case, running trust-fetch-domains makes no sense until you
complete validation.

And to complete validation you really need to fix issues with either DNS
or firewall so that AD DCs are capable of reaching the proper IPA DCs.

And all IPA DCs should be initialized with ipa-adtrust-install
currently.

--
/ Alexander Bokovoy



Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Jan Cholasta

Hi,

On 14.4.2015 at 19:47, Rob Crittenden wrote:

David Dejaeghere wrote:

Hi Rob,

So you want the output of the command using pk12 with server cert and
key? or with the ca chain in there too?



Oddly enough it is failing in exactly the same place. Those GoDaddy CA
certs are still being loaded from somewhere, I'm not sure where, and I
suspect that is the source of the problem.


They are in the default CA certificate bundle (in the ca-certificate 
package). I guess NSS loads it automatically.




I'm going to forward the log to a colleague who has worked on this code
more recently than I have. Maybe he will have an idea.


Could you try if the following works?

# mv /usr/share/pki/ca-trust-source/ca-bundle.trust.crt 
/root/ca-bundle.trust.crt


# update-ca-trust

# ipa-replica-prepare ...

# mv /root/ca-bundle.trust.crt 
/usr/share/pki/ca-trust-source/ca-bundle.trust.crt


# update-ca-trust



rob



Honza

--
Jan Cholasta

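Added example, not code from the thread or from FreeIPA: the sequence Honza gives above as a small Python wrapper that moves the bundle aside, refreshes the trust store, runs the command, and then restores the bundle and refreshes again even when ipa-replica-prepare fails or is interrupted. Leaving the bundle moved aside would leave the whole machine without its public CA trust, so the restore belongs in a finally block. The two paths are the ones from the reply; the refresh parameter, the run_without_system_bundle name and the replica host name in the usage line are this example's own.

```python
import shutil
import subprocess
import sys
from pathlib import Path

# Paths quoted in the reply above (RHEL/CentOS 7 layout); adjust if yours differ.
BUNDLE = Path("/usr/share/pki/ca-trust-source/ca-bundle.trust.crt")
STASH = Path("/root/ca-bundle.trust.crt")


def update_ca_trust():
    """Rebuild the consolidated trust stores from whatever sources remain."""
    subprocess.run(["update-ca-trust"], check=True)


def run_without_system_bundle(command, bundle=BUNDLE, stash=STASH, refresh=update_ca_trust):
    """Run `command` (an argv list) while the distribution CA bundle is moved
    aside, then put the bundle back and refresh the trust store no matter how
    the command ended. Returns the command's exit status.

    `refresh` is a hypothetical hook for this example so the procedure can be
    exercised without touching the real trust store."""
    bundle, stash = Path(bundle), Path(stash)
    if not bundle.is_file():
        raise FileNotFoundError(f"expected the CA bundle at {bundle}")
    if stash.exists():
        raise FileExistsError(f"refusing to overwrite {stash}")
    shutil.move(str(bundle), str(stash))
    try:
        refresh()  # public CAs (GoDaddy among them) are now untrusted system-wide
        return subprocess.run(command, check=False).returncode
    finally:
        # Runs on success, on a non-zero exit and on Ctrl-C alike, so the
        # machine is not left without its public CA trust.
        shutil.move(str(stash), str(bundle))
        refresh()


if __name__ == "__main__":
    # e.g.: python3 this_script.py ipa-replica-prepare replica.example.test
    if len(sys.argv) < 2:
        sys.exit("usage: this_script.py COMMAND [ARG...]")
    sys.exit(run_without_system_bundle(sys.argv[1:]))
```

The wrapper refuses to run if something already sits at the stash path, so a previous interrupted run that did leave a copy behind is noticed rather than silently overwritten.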


Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote:
 I tried to do the following command;
 ldapdelete -D cn=Directory Manager -h server_name -p 389 
 cn=nsuniqueid_random_set_of_numbers,cn=groups,cn=accounts,dc=domain,dc=ca
 And I get the ldap_delete: no such object

Maybe this will help:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

I can't see what you're seeing so it's hard to get more precise.

rob

 
 Matt
 
 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com] 
 Sent: Tuesday, April 14, 2015 2:32 PM
 To: Joseph, Matthew (EXP); freeipa-users@redhat.com
 Subject: Re: EXTERNAL: Re: [Freeipa-users] Can't delete group because it 
 states it's not found
 
 Joseph, Matthew (EXP) wrote:
 Hey Rob,

 So I did the following command;

 ldapdelete -D cn=Directory Manager -h server_name -p 389 
 cn=group_name,cn=groups,cn=accounts,dc=domain,dc=ca and it comes back with 
 the following;
 ldap_delete: No such object

 I also tried replacing the group_name with the nsuniqueid and still the same 
 results.
 
 I'd need more details on what you did. You already know the group by
 its name doesn't exist, otherwise IPA would have been able to delete it.
 
 The point is to use the --all --raw flags to get the actual DN of the
 group entry and delete that.
 
 rob
 

 Matt

 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com] 
 Sent: Tuesday, April 14, 2015 12:01 PM
 To: Joseph, Matthew (EXP); freeipa-users@redhat.com
 Subject: EXTERNAL: Re: [Freeipa-users] Can't delete group because it states 
 it's not found

 Joseph, Matthew (EXP) wrote:
 Hello,

  

 I'm trying to delete a group in IdM but when I do a ipa group-del
 group it states the following;

 ipa: ERROR: group: group not found

  

 I do an ipa group-find and it displays the group with the current members.

  

 I look in the Web GUI and I can see the group in there but it has no
 information. If I try to view the group or delete it from there it again
 states that the group is not found.

  

 Anyone see this before?

 Run ipa group-show --all --raw groupname and look at the dn value. It
 may be a replication conflict entry. You'd need to delete that manually
 using something like ldapdelete.

 rob

 

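Added example, not code from the thread or from FreeIPA: a Python script that does what Rob describes. It parses the output of ipa group-show --all --raw, decides whether the dn is a 389 DS replication conflict entry, and builds the ldapdelete command for that DN. A conflict entry's RDN is nsuniqueid=<id>+cn=<group> and the entry carries an nsds5ReplConflict attribute, which is why deleting cn=group_name,... or cn=<nsuniqueid>,... both return "No such object": neither of those DNs exists. The two sample outputs, the nsuniqueid value, the server name ipa.example.test and the dc=example,dc=test suffix are constructed for the example.

```python
import re
import shlex

# Constructed sample of `ipa group-show --all --raw devs` for a group whose
# entry 389 DS has turned into a replication conflict entry.
SAMPLE_CONFLICT = """\
  dn: nsuniqueid=66446001-1dd211b2-a0f6c0a8-7b4e0000+cn=devs,cn=groups,cn=accounts,dc=example,dc=test
  cn: devs
  gidnumber: 1234500003
  member: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  nsds5replconflict: namingConflict cn=devs,cn=groups,cn=accounts,dc=example,dc=test
  objectclass: ipausergroup
  objectclass: posixgroup
"""

# The same group as a healthy entry, for comparison (also constructed).
SAMPLE_OK = """\
  dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=test
  cn: devs
  gidnumber: 1234500003
  objectclass: ipausergroup
"""

# 389 DS renames a conflicting entry by prefixing its RDN with nsuniqueid=<id>+
CONFLICT_RDN = re.compile(r"^nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}\+", re.IGNORECASE)


def parse_raw(text):
    """Turn the `attr: value` lines of --raw output into attr -> [values]."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def conflict_dn(entry):
    """Return the entry's DN if it is a replication conflict entry, else None.
    Both the nsuniqueid=...+ RDN and the nsds5ReplConflict attribute mark one."""
    dns = entry.get("dn")
    if not dns:
        return None
    dn = dns[0]
    if CONFLICT_RDN.match(dn) or "nsds5replconflict" in entry:
        return dn
    return None


def ldapdelete_argv(dn, server):
    """Command line that deletes the conflict entry by its real DN: simple
    bind (-x) as Directory Manager with a prompted password (-W), and -ZZ so
    the bind only happens after StartTLS succeeded and the password never
    crosses the wire in clear."""
    return ["ldapdelete", "-x", "-ZZ", "-H", f"ldap://{server}",
            "-D", "cn=Directory Manager", "-W", dn]


def next_step(raw_text, server):
    """Human-readable recommendation for one group-show --raw output."""
    entry = parse_raw(raw_text)
    dn = conflict_dn(entry)
    if dn is None:
        return "not a replication conflict entry; dn is " + entry.get("dn", ["<none>"])[0]
    cmd = " ".join(shlex.quote(a) for a in ldapdelete_argv(dn, server))
    return "replication conflict entry, delete it with: " + cmd


if __name__ == "__main__":
    print(next_step(SAMPLE_CONFLICT, "ipa.example.test"))
    print(next_step(SAMPLE_OK, "ipa.example.test"))
```

Two caveats. The command binds as Directory Manager, so it insists on StartTLS with -ZZ; only drop that if you deliberately bind some other way. And deleting is only right when the conflict entry is the copy you do not want; if it is the sole surviving copy of a group you still need, rename it back to its proper DN instead (the Red Hat Directory Server page Rob linked covers both cases).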


Re: [Freeipa-users] CRON: Authentication service cannot retrieve authentication info

2015-04-14 Thread Dmitri Pal

On 04/13/2015 10:41 PM, Thomas Lau wrote:

Hi,

It's an in-house program which runs on one kerberos user.

You need to look what this program is doing.
I suspect it is doing some sort of kinit itself and does not rely on the 
PAM stack, i.e. it bypasses SSSD in the given scenario.

Can this be the case?



On Tue, Apr 14, 2015 at 5:34 AM, Dmitri Pal d...@redhat.com wrote:

On 04/13/2015 08:23 AM, Thomas Lau wrote:

Hi,

These problems appear randomly; sometimes it still works even under heavy
packet loss, and sometimes it is like this. So it's hard to catch.

On Apr 13, 2015 3:22 PM, Jakub Hrozek jhro...@redhat.com wrote:

On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:

Hi all,

We have cronjob which running on a FreeIPA LDAP user; When connection
between IPA server and client having heavy packet loss, following
error would occur:

CRON[20637]: Authentication service cannot retrieve authentication info

I have cache credentials and store password if offline enabled on
sssd, how these problem would still happening?


It might be that the cause of the problem is actually the packet loss or
some kind of delay.
SSSD might not think that it is offline but the cron job itself times out and
reports failure.
Do you know what operation in the job fails?




sssd.conf:

cache_credentials = True
krb5_store_password_if_offline = True

Did the user log in at least once offline? You can verify if the password
has been cached using the ldbsearch utility. It would be best to catch
the occurrence of the problem in logs.






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.








--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Slow user logon with IPA

2015-04-14 Thread Rich Megginson

On 04/14/2015 12:35 PM, thierry bordaz wrote:

On 04/14/2015 05:36 PM, Mateusz Malek wrote:



On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:

On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:

On 04/10/2015 08:13 AM, Mateusz Malek wrote:
I'm about to migrate my OpenLDAP-based environment to FreeIPA, 
however
I've hit some weird performance problems. When I'm using IPA, it 
takes
about 5-7 (or even more) seconds to get shell prompt after 
entering user

password (...)

(...)
Do authentication and see where the time is spent by examining the 
logs.

Correlate it to the logs on the server. (...)

I spent the better part of today fixing this issue:
 https://fedorahosted.org/sssd/ticket/2624

You might want to check if you're hit by this bug by setting:
 selinux_provider=none
temporarily.


With selinux_provider=none things seem faster.

It's still not as fast as with existing OpenLDAP, but logon times 
seem acceptable now (they mostly vary from 0.5 to 2 seconds, 
sometimes they go up to 3 seconds). It seems that most time is spent 
in Kerberos authentication (logs just stop flowing for a while) and 
on HBAC processing - on the 389 DS side it seems that LDAP is busy 
with requests (it looks like it sometimes hangs on MOD operation - 
is it updating user last logon time?).


Hello,

When such long requests happen, you may take several pstacks of the 
389-ds process. Ideally, timestamp the pstack output so that it 
is easier to correlate with DS access logs.
Providing pstacks+access/errors logs would really help to know if 
there is a bottleneck.


See also http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

You'll need to do debuginfo-install ipa-server slapi-nis



thanks


Best regards,
Mateusz Malek







[Freeipa-users] ipa: ERROR: AD DC was unable to reach any IPA domain controller --- AD domain controller complains about communication sequence.

2015-04-14 Thread g . fer . ordas

Hi

Dealing with AD -- Cert Trust I am reaching the following step:

 ipa trust-add  ad.company.com  --admin user  --password
Active Directory domain administrator's password:
ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most 
likely it is a DNS or firewall issue



Having reached this far I do not know what the issue is. Nevertheless, 
before I start playing around with the DNS any further:



if I run the following it seems to successfully establish the trust by 
the IPA side of the business


# ipa trust-add --type=ad ad_domain --trust-secret

So this part seems fine by the look of it..



I also had to manually add the AD host and the remote CIFS resource but 
I am getting instead:


ipa trust-fetch-domains corp.hootsuitemedia.com
ipa: ERROR: AD domain controller complains about communication sequence. 
It may mean unsynchronized time on both sides, for example


on the log for kerberos I get:

krb5kdc[23951](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 
10.0.146.161:
BAD_ENCRYPTION_TYPE: authtime 0,  
HTTP/freeipaserver.ldap.company.com@LDAP.COMPANY.COM for 
cifs/server1.ad.company@ldap.company.com, KDC has no support for 
encryption type




Any idea? tips?

Thanks very much!




Re: [Freeipa-users] Upgrading Freeipa 3 server.

2015-04-14 Thread Aric Wilisch
Thanks, that actually helped. I have the CA moved and the old server 
decommissioned now. Thanks.

Regards,
--
Aric Wilisch
awili...@gmail.com




 On Apr 14, 2015, at 3:07 AM, Martin Kosek mko...@redhat.com wrote:
 
 You do not need to uninstall the 4 server, you just need to install the CA
 component on it:
 
 # ipa-ca-install /path/to/replica.file
 
 ... and make it CRL/renewal master. See step 8 and later in
 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
 
 On 04/14/2015 02:06 AM, Aric Wilisch wrote:
 I didn’t see this guide until now. The IPA3 server started off as a RHEL 6.6 
 server so no upgrade is necessary, but I simply generated the replica file 
 and created the IPA 4 server as a replica. Aside from the CA not being there 
 the server looks to be working fine and shows up as a master. 
 
 I’ll uninstall the 4 server and work through the script process to see if 
 that fixes the issue. 
 
 Regards,
 --
 Aric Wilisch
 awili...@gmail.com
 
 
 
 
 On Apr 13, 2015, at 7:47 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 04/13/2015 07:26 PM, Aric Wilisch wrote:
 One of our environments has a Freeipa3 server installed and I need to 
 upgrade it to FreeIPA 4. I brought up  RHEL 7 server and installed FreeIPA 
 4 as a replica of the FreeIPA3 box. But now I’m stuck. I can’t find any 
 good documentation on how to promote the new FreeIPA4 server and take the 
 old FreeIPA3 server out of the picture. If I do an ipa-replica-manage del 
 --force stip01.staging.fioptics.int it tells me I can’t because it would 
 leave me without a CA. However I can’t find any documentation on migrating 
 the CA from IPA3 to IPA4. 
 
 Any help would be appreciated. 
 
 Regards,
 --
 Aric Wilisch
 awili...@gmail.com
 
 
 
 
 
 
 
 
 Did you follow this procedure?
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#migrating-ipa-proc
 
 I would say that I would recommend upgrading to 6.6 rather than 6.5.
 
 If you did not what exactly did you do?
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


Re: [Freeipa-users] ipa-getcert Problem ?

2015-04-14 Thread Nalin Dahyabhai
On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
 Hello
 
 I think I have a problem with the ipa-getcert script.
 
 System: CentOS 7 (1503) and IPA 4.1.x
 
 Can anyone help or explain my mistake, or is this an IPA problem?
 
 I do a
 
 kinit admin
 
 ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 
 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
 
 and have afterward with
 ipa-getcert list
 
 Number of certificates and requests being tracked: 1.
 Request ID '20150414172251':
 status: CA_REJECTED
 ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, 
 giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 
 'add' 
 privilege to add the entry 
 'krbprincipalname=HOST/xxx.4gjn@4gjn.prv,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
 stuck: yes
 key pair storage: 
 type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
 Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-
 Cert'
 CA: IPA
 issuer: 
 subject: 
 expires: unknown
 pre-save command: 
 post-save command: 
 track: yes
 auto-renew: yes

The server rejected the request because no service with the Kerberos
principal name in the request exists yet.

The host service is the one that's automatically created, and because
Kerberos principal names are case sensitive, HOST is seen as being
different from host.  The certmonger service uses the local host's
credentials in /etc/krb5.keytab to authenticate when it sends the
request to the CA (so you could skip the kinit step above), and the host
doesn't have the necessary privileges to create a new service, and
that's why that particular error message is coming back from the server.

 ipa-getcert status
 process 4731: arguments to dbus_message_new_method_call() were incorrect, 
 assertion path != NULL failed in file dbus-message.c line 1262.
 This is normally a bug in some application using the D-Bus library.
   D-Bus not built with -rdynamic so unable to print a backtrace
 Aborted (core dumped)

That's a bug in ipa-getcert.  It should be producing an error message,
suggesting that you'd need to specify additional options to indicate
which request you wanted to check the status on, like so:
  getcert status -i 20150414172251
  getcert status -d /etc/pki/nssdb -n Server-Cert

I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
(note the lower case) to change the parameters in the certificate
request, which should be enough to satisfy the server's requirements.

HTH,

Nalin

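Added example, not code from the thread or from certmonger/FreeIPA: a Python helper that parses ipa-getcert list output, pulls the rejected principal out of the ca-error text, checks its service component for the upper/lower-case problem Nalin explains, and produces the getcert status and ipa-getcert resubmit command lines with the request ID filled in (the ones the crash above should have told the user to run). The sample listing, the request ID, the host web1.example.test and the realm EXAMPLE.TEST are constructed for the example.

```python
import re

# Constructed sample of `ipa-getcert list` output, modelled on the one in the
# thread: a request for HOST/... that the IPA server rejected.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20150414172251':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test'.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
\tCA: IPA
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_ID = re.compile(r"^Request ID '([^']+)':")
# The principal the server refused to create, quoted inside the LDAP DN.
PRINCIPAL_IN_ERROR = re.compile(r"krbprincipalname=([^,']+)")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.
    Each indented `key: value` line becomes a key of the current request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_ID.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def split_principal(principal):
    """'HOST/web1.example.test@EXAMPLE.TEST' -> ('HOST', 'web1.example.test', 'EXAMPLE.TEST')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def diagnose(request):
    """For a CA_REJECTED request whose ca-error names the principal the server
    would not create, report what is wrong with it and return the status and
    resubmit command lines. Returns None when the rejection is something else."""
    if request.get("status") != "CA_REJECTED":
        return None
    m = PRINCIPAL_IN_ERROR.search(request.get("ca-error", ""))
    if not m:
        return None
    service, host, _realm = split_principal(m.group(1))
    problems = []
    if service != service.lower():
        # Kerberos principal names are case-sensitive; the service that IPA
        # created automatically for the host is the lower-case one.
        problems.append(
            f"service {service!r} is not the auto-created {service.lower()!r}; "
            "principal names are case-sensitive and the host keytab may not add a new service"
        )
    fixed = f"{service.lower()}/{host}"
    return {
        "principal": m.group(1),
        "problems": problems,
        "status_argv": ["getcert", "status", "-i", request["id"]],
        "resubmit_argv": ["ipa-getcert", "resubmit", "-i", request["id"], "-K", fixed],
    }


if __name__ == "__main__":
    for req in parse_getcert_list(SAMPLE_LIST):
        print(req["id"], req.get("status"), diagnose(req))
```

The resubmit line deliberately keeps the host from the rejected principal and only lower-cases the service, which is exactly the change Nalin suggests; if the service part is already lower-case the helper reports no problem and the rejection needs a different explanation.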