Re: [Freeipa-users] allow trust users to login without domain
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 7:05 AM
To: Andy Thompson; freeipa-users@redhat.com; Jakub Hrozek
Subject: Re: [Freeipa-users] allow trust users to login without domain

On 04/29/2015 12:57 PM, Andy Thompson wrote:
> In the environment I'm working on currently we have a single trusted AD domain and will never have any additional domain trusts in place. Is there a way to allow users to log in without using @ad_domain in their username? We use DB2 in the environment and it's from the dark ages and doesn't like usernames with more than 8 chars :/
>
> Thanks
> -andy

This looks like a job for default_domain_suffix option. See man sssd.conf for details.
Note that after this fix, IPA users would need to log in with fully qualified user name instead.

CCing Jakub for reference.

Perfect. I grepped the man page.. apparently didn't search for the right thing.

Thanks much
-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
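An sssd.conf fragment showing where the default_domain_suffix option Martin points to lives, added here as an illustration and not taken from the thread; the domain names are placeholders and the client is assumed to be an IPA client with an AD trust:

```ini
# Constructed example, not from the thread. ipa.example.test and
# ad.example.test are placeholders for the IPA domain and the trusted AD domain.
[sssd]
domains = ipa.example.test
services = nss, pam

# With this set, a bare "jdoe" is looked up as jdoe@ad.example.test, so AD
# users can log in without typing the @ad_domain suffix.
# Caveat (as Martin notes): IPA users must now log in fully qualified, e.g.
# admin@ipa.example.test, because the bare name no longer falls back to the
# IPA domain.
default_domain_suffix = ad.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
cache_credentials = True
```

After restarting sssd, `getent passwd jdoe` should return the AD user with the suffix applied, while `getent passwd admin` returns nothing until the IPA user is asked for as admin@ipa.example.test; that is the behaviour change to check for before rolling the setting out to hosts where IPA users log in by bare name.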
[Freeipa-users] allow trust users to login without domain
In the environment I'm working on currently we have a single trusted AD domain and will never have any additional domain trusts in place. Is there a way to allow users to log in without using @ad_domain in their username? We use DB2 in the environment and it's from the dark ages and doesn't like usernames with more than 8 chars :/

Thanks
-andy

*** This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. ***
[Freeipa-users] deleting ipa user
I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.

[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

Thanks
-andy
Re: [Freeipa-users] allow trust users to login without domain
On 04/29/2015 12:57 PM, Andy Thompson wrote:
> In the environment I'm working on currently we have a single trusted AD domain and will never have any additional domain trusts in place. Is there a way to allow users to log in without using @ad_domain in their username? We use DB2 in the environment and it's from the dark ages and doesn't like usernames with more than 8 chars :/
>
> Thanks
> -andy

This looks like a job for default_domain_suffix option. See man sssd.conf for details.
Note that after this fix, IPA users would need to log in with fully qualified user name instead.

CCing Jakub for reference.
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/28/2015 11:53 PM, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>> HI All
>>>>
>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>
>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>
>>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>
>>>> still confused ...
>>>
>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>
>> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>
>> rob
>
> Petr can you reproduce this?

Yes. User is automatically logged-in back if he has a valid Kerberos ticket. The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in.

IPA had a logout page but it was removed. One reason was that PatternFly says that when a session expires (which, in a way, is a logout), user should be presented with a login page. As we see, with SSO, the behavior is a little bit different and unexpected.

I've created a new ticket: https://fedorahosted.org/freeipa/ticket/5008

--
Petr Vobornik
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
HI Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was intending. I want to be able to log out of the web ui, then log back in with a different user, e.g. to allow a newly added user to change their password to something secret.

On this particular workstation I have no kerberos ticket (double checking with klist at the terminal confirms this). I have not saved the password in Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even Apache Directory Studio open to browse the LDAP structure and content. I don't see how that can play a role, but I mention it for completeness.

thanks

Chris

From: Simo Sorce <s...@redhat.com>
To: d...@redhat.com
Cc: Rob Crittenden <rcrit...@redhat.com>, Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 29.04.2015 03:31
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>> HI All
>>>>
>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>
>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>
>>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>
>>>> still confused ...
>>>
>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>
>> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>
>> rob
>
> Petr can you reproduce this?

I've seen this in the past on my own IPA domain at home. Perhaps what we should do is to have a logout option that says "log in with a different user" and redirect to anon kerberized page that allows you to do form based login.

This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying their ccache (as that may imply losing access to email, other company websites, etc...).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/28/2015 11:53 PM, Dmitri Pal wrote:
> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>> HI All
>>>>
>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>
>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>
>>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>
>>>> still confused ...
>>>
>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>
>> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>
>> rob
>
> Petr can you reproduce this?

CCing Petr, just to be sure he gets the message.
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 01:26 PM, Andy Thompson wrote:
> I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Thanks,
Martin
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 01:26 PM, Andy Thompson wrote:
> I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

This is the first time I see this error. CCing Ludwig or Thierry to advise.

Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.

Here you go

ipa-server-4.1.0-18.el7_1.3.x86_64
389-ds-base-1.3.3.1-15.el7_1.x86_64

Thanks much
-andy
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/29/2015 01:42 PM, Christopher Lamb wrote:
> HI Petr
>
> thanks. Can you qualify "has a valid Kerberos Ticket"? In my case, my user has a valid ticket on the LDAP server, but not on the OSX workstation from which I am using Firefox / Web UI.

On the OSX workstation, if the user has a non-expired TGT ticket which could be then used to obtain ticket for principal HTTP/myipa.my.domain@MY.REALM (IPA server API - backend of webui).

> Cheers
>
> Chris
>
> From: Petr Vobornik <pvobo...@redhat.com>
> To: d...@redhat.com, Rob Crittenden <rcrit...@redhat.com>, Christopher Lamb/Switzerland/IBM@IBMCH
> Cc: freeipa-users@redhat.com
> Date: 29.04.2015 13:27
> Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
>
> On 04/28/2015 11:53 PM, Dmitri Pal wrote:
>> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>>> HI All
>>>>>
>>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>>
>>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>>
>>>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>>
>>>>> still confused ...
>>>>
>>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>>
>>> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>>
>>> rob
>>
>> Petr can you reproduce this?
>
> Yes. User is automatically logged-in back if he has a valid Kerberos ticket. The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in.
>
> IPA had a logout page but it was removed. One reason was that PatternFly says that when a session expires (which, in a way, is a logout), user should be presented with a login page. As we see, with SSO, the behavior is a little bit different and unexpected.
>
> I've created a new ticket: https://fedorahosted.org/freeipa/ticket/5008
>
> --
> Petr Vobornik

--
Petr Vobornik
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 29.4.2015 13:26, Petr Vobornik wrote:
> On 04/28/2015 11:53 PM, Dmitri Pal wrote:
>> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>>> HI All
>>>>>
>>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>>
>>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>>
>>>>> With our own installation of FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>>
>>>>> still confused ...
>>>>
>>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>>
>>> I think this is a question for Petr. On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>>
>>> rob
>>
>> Petr can you reproduce this?
>
> Yes. User is automatically logged-in back if he has a valid Kerberos ticket. The reason is that after showing the login form, the whole UI is reloaded in order to forget everything in the app memory. It then behaves as normal access and SSO kicks in.
>
> IPA had a logout page but it was removed. One reason was that PatternFly says that when a session expires (which, in a way, is a logout), user should be presented with a login page. As we see, with SSO, the behavior is a little bit different and unexpected.
>
> I've created a new ticket: https://fedorahosted.org/freeipa/ticket/5008

I guess that we could have a cookie with meaning 'auto-login disabled' for this purpose. Maybe it could have very short expiration (1 minute?) so it actually kicks in only for the one attempt. Or it could be automatically removed after each login ...

--
Petr^2 Spacek
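A server-side sketch of the short-lived 'auto-login disabled' cookie Petr Spacek floats above, added here as an illustration and not FreeIPA code: the logout response sets the marker, the server skips the Kerberos Negotiate challenge while the marker is presented, and a successful form login clears it. The cookie name, the /ipa path, the one-minute lifetime and the handler shape are my assumptions.

```python
"""Illustration of an 'auto-login disabled' marker cookie (added example,
not FreeIPA code). Names, path and lifetime are assumptions."""
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional

NO_SSO_COOKIE = "ipa_no_sso"   # assumed cookie name
NO_SSO_TTL = 60                # seconds: long enough for one login attempt
UI_PATH = "/ipa"               # assumed path the marker is scoped to


def logout_set_cookie() -> str:
    """Set-Cookie value to send with the logout response. Max-Age keeps the
    marker alive only for the next attempt; Secure/HttpOnly/SameSite keep it
    from leaking or being set cross-site."""
    jar = SimpleCookie()
    jar[NO_SSO_COOKIE] = "1"
    morsel = jar[NO_SSO_COOKIE]
    morsel["max-age"] = NO_SSO_TTL
    morsel["path"] = UI_PATH
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


def login_clear_cookie() -> str:
    """Set-Cookie value to send after a successful form login: the other
    option mentioned above, dropping the marker as soon as it has been used."""
    jar = SimpleCookie()
    jar[NO_SSO_COOKIE] = ""
    jar[NO_SSO_COOKIE]["max-age"] = 0
    jar[NO_SSO_COOKIE]["path"] = UI_PATH
    return jar[NO_SSO_COOKIE].OutputString()


def sso_suppressed(cookie_header: Optional[str]) -> bool:
    """True when the browser presented the marker. The cookie is under the
    client's control, so it must never grant anything: the worst it can do is
    show the login form instead of negotiating the user in."""
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return False
    return NO_SSO_COOKIE in jar and jar[NO_SSO_COOKIE].value == "1"


def choose_login_path(headers: Dict[str, str]) -> str:
    """'negotiate' keeps today's behaviour (a valid TGT logs the user straight
    back in); 'form' skips the Negotiate challenge for this one attempt."""
    return "form" if sso_suppressed(headers.get("Cookie")) else "negotiate"


if __name__ == "__main__":
    print("logout  ->", logout_set_cookie())
    print("no cookie ->", choose_login_path({}))
    print("marker    ->", choose_login_path({"Cookie": "ipa_session=abc; ipa_no_sso=1"}))
    print("login   ->", login_clear_cookie())
```

The point of the design is that the marker only ever removes an authentication path; anything that would let it add one (for example, trusting it to identify the user) would turn a convenience cookie into an attack surface.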
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:58 PM, Andy Thompson wrote:
>>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: top
>>> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
>>> nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
>>> nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
>>> nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
>>> nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>>> nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
>>> nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
>>> nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
>>> nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
>>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>>> nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
>>> nscpentrywsi: parentid: 4
>>> nscpentrywsi: entryid: 385
>>> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
>>> nscpentrywsi: nstombstonecsn: 5540deb800030003
>>> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>> nscpentrywsi: entryusn: 52327
>>>
>>> thought I tried that before, apparently not.
>>
>> ok, so we have the entry on one server, the csn of the objectclass: tombstone is:
>> objectClass;vucsn-5540deb800030003: nsTombstone
>> which matches the csn in the error log:
>> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
>> so the state of the entry is as expected. Now we need to find it on the other server.
>> If the search for the filter with nstombstone does return nothing, could you try
>
> If I run
> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b dc=mhbenp,dc=lin "(&(objectclass=nstombstone))"
> I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
>
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
> krbLastSuccessfulAuth: 20150421180533Z
> krbPasswordExpiration: 20150720180532Z
> userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09
> krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
> krbLoginFailedCount: 0
> krbTicketFlags: 128
> krbLastPwdChange: 20150421180532Z
> krbLastFailedAuth: 20150421180457Z
> mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> displayName: user name
> cn: User Name
> objectClass: ipaobject
> objectClass: person
> objectClass: top
> objectClass: ipasshuser
> objectClass: inetorgperson
> objectClass: organizationalperson
> objectClass: krbticketpolicyaux
> objectClass: krbprincipalaux
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: ipantuserattrs
> objectClass: nsTombstone
> loginShell: /bin/bash
> initials: GF
> gecos: User Name
> homeDirectory: /home/username
> uid: username
> mail: usern...@mhbenp.lin
> krbPrincipalName: usern...@mhbenp.lin
> givenName: User
> sn: name
> ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
> uidNumber: 124903
> gidNumber: 124903
> nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8

In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN but is missing.
Did you run the command with 'nscpentrywsi' requested attribute? Maybe nsuniqueid was hidden for that reason but I would be surprised.
nsuniqueid is a key element of replication. I wonder how replication can find the entry itself. nsuniqueid could be in the index but then the entry is corrupted.
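The cross-check Ludwig does by eye above (the vucsn on the nsTombstone objectClass value against the CSN in the "Consumer failed to replay change" error-log line) and Thierry's question about whether the nsuniqueid in the RDN is actually present on the entry, written out as a small parser over nscpentrywsi output. This is an added example for the thread, not 389-ds or FreeIPA code; the sample entry and log line are constructed from the DNs and CSNs quoted above, with the secret-bearing attributes left out.

```python
"""Correlate a 389-ds tombstone (nscpentrywsi view) with a replication
replay failure. Added example, not 389-ds/FreeIPA code; sample data is
constructed from the values quoted in the thread."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: nscpentrywsi view of the tombstoned user private group,
# using the DN and CSNs quoted above (other attributes omitted).
TOMBSTONE_LDIF = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
"""

# Constructed sample: the error-log line Ludwig quotes (timestamp is made up).
ERROR_LOG = ("[29/Apr/2015:07:21:32 -0400] Consumer failed to replay change "
             "(uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): "
             "Operations error (1)\n")

# "nscpentrywsi: <attr>[;option...]: <value>"; a ;vucsn-<csn> option carries
# the CSN of the write that produced that value.
WSI_RE = re.compile(r"^nscpentrywsi:\s*([^;:]+)((?:;[^:]+)*):\s*(.*)$")
VUCSN_RE = re.compile(r"vucsn-([0-9a-f]{16})")
REPLAY_RE = re.compile(
    r"Consumer failed to replay change \(uniqueid ([0-9a-f-]+), CSN ([0-9a-f]{16})\)")

Attrs = Dict[str, List[Tuple[str, Optional[str]]]]


def parse_wsi_entry(ldif: str) -> dict:
    """Return {'dn': str|None, 'attrs': {lowercased name: [(value, vucsn|None), ...]}}."""
    dn: Optional[str] = None
    attrs: Attrs = {}
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            continue
        m = WSI_RE.match(line)
        if not m:
            continue
        name, options, value = m.group(1).strip(), m.group(2), m.group(3).strip()
        csn = VUCSN_RE.search(options)
        attrs.setdefault(name.lower(), []).append((value, csn.group(1) if csn else None))
    return {"dn": dn, "attrs": attrs}


def tombstone_csn(entry: dict) -> Optional[str]:
    """CSN at which the entry became a tombstone: the vucsn carried by the
    objectClass value nsTombstone, cross-checked against nstombstonecsn."""
    oc_csn = next((csn for value, csn in entry["attrs"].get("objectclass", [])
                   if value.lower() == "nstombstone"), None)
    stored = entry["attrs"].get("nstombstonecsn")
    attr_csn = stored[0][0] if stored else None
    if oc_csn and attr_csn and oc_csn != attr_csn:
        raise ValueError(f"tombstone CSN mismatch: {oc_csn} vs {attr_csn}")
    return oc_csn or attr_csn


def rdn_nsuniqueid(dn: Optional[str]) -> Optional[str]:
    """nsuniqueid named by the tombstone's RDN (nsuniqueid=<id>,<original dn>)."""
    m = re.match(r"nsuniqueid=([0-9a-f-]+),", dn or "", re.IGNORECASE)
    return m.group(1) if m else None


def replay_failures(log: str) -> List[Tuple[str, str]]:
    """(uniqueid, csn) pairs from 'Consumer failed to replay change' lines."""
    return [(m.group(1), m.group(2)) for m in REPLAY_RE.finditer(log)]


def correlate(ldif: str, log: str) -> dict:
    entry = parse_wsi_entry(ldif)
    rdn_id = rdn_nsuniqueid(entry["dn"])
    stored = entry["attrs"].get("nsuniqueid")
    stored_id = stored[0][0] if stored else None
    csn = tombstone_csn(entry)
    return {
        "nsuniqueid": rdn_id,
        # Thierry's concern: the RDN names an nsuniqueid the entry itself lacks.
        "nsuniqueid_attr_present": stored_id is not None,
        "rdn_matches_attr": rdn_id is not None and rdn_id == stored_id,
        "tombstone_csn": csn,
        # True when the stuck replication change is exactly this tombstoning.
        "stuck_change_is_this_tombstone": (rdn_id, csn) in replay_failures(log),
    }


if __name__ == "__main__":
    for key, val in correlate(TOMBSTONE_LDIF, ERROR_LOG).items():
        print(f"{key}: {val}")
```

Feed it the output of the nscpentrywsi search from each replica and the relevant errors-log excerpt; a replica where `rdn_matches_attr` is False for an entry that `stuck_change_is_this_tombstone` says is the blocked change is the one whose entry needs a closer look.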
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 06:45 PM, Andy Thompson wrote:
> -Original Message-
> From: thierry bordaz [mailto:tbor...@redhat.com]
> Sent: Wednesday, April 29, 2015 12:28 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 05:58 PM, Andy Thompson wrote:
>>>> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>>> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
>>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
>>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
>>>> nscpentrywsi: objectClass;vucsn-55364a4200050004: top
>>>> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
>>>> nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
>>>> nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
>>>> nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
>>>> nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>>>> nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
>>>> nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
>>>> nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
>>>> nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
>>>> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>>>> nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
>>>> nscpentrywsi: parentid: 4
>>>> nscpentrywsi: entryid: 385
>>>> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
>>>> nscpentrywsi: nstombstonecsn: 5540deb800030003
>>>> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>>>> nscpentrywsi: entryusn: 52327
>>>>
>>>> thought I tried that before, apparently not.
>>>
>>> ok, so we have the entry on one server, the csn of the objectclass: tombstone is:
>>> objectClass;vucsn-5540deb800030003: nsTombstone
>>> which matches the csn in the error log:
>>> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
>>> so the state of the entry is as expected. Now we need to find it on the other server.
>>> If the search for the filter with nstombstone does return nothing, could you try
>>
>> If I run
>> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b dc=mhbenp,dc=lin "(&(objectclass=nstombstone))"
>> I get below. If I add nsuniqueid to the filter it returns nothing on the primary server
>>
>> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>> memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>> ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
>> krbLastSuccessfulAuth: 20150421180533Z
>> krbPasswordExpiration: 20150720180532Z
>> userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVhqTXQxUT09
>> krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
>> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz
Re: [Freeipa-users] deleting ipa user
> This is looking like that on the replica where the errors are logged. The entry is a tombstone but cannot be found with the nsuniqueid.
> If on that server you do
> ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"

This one returns nothing on either server.
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
Hi all

@Craig, and using the WebUI for that purpose is much more user friendly than doing the same via a ssh terminal session.

@Simo, as requested I have opened a ticket on this issue https://fedorahosted.org/freeipa/ticket/5010

As this is my first Fedora ticket, please forgive me if I didn't do it right 8-)

Cheers

Chris

From: Craig White <cwh...@skytouchtechnology.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH, Simo Sorce <s...@redhat.com>
Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Date: 29.04.2015 18:03
Subject: RE: [Freeipa-users] FreeIPA WebUI Logout logs back in

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christopher Lamb
Sent: Tuesday, April 28, 2015 10:58 PM
To: Simo Sorce
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

HI Simo, Dmitri, Rob and co.

Simo's "log in with a different user" suggestion is pretty much what I was intending. I want to be able to log out of the web ui, then log back in with a different user, e.g. to allow a newly added user to change their password to something secret.

On this particular workstation I have no kerberos ticket (double checking with klist at the terminal confirms this). I have not saved the password in Firefox (checking in the settings confirms this).

I often have ssh sessions open via terminal to the FreeIPA Server, and even Apache Directory Studio open to browse the LDAP structure and content. I don't see how that can play a role, but I mention it for completeness.

Seems that would be a useful option for me too. I normally log in as myself but there are times when someone comes by and wants to change their password and it's easier if they do it on my system sometimes as the Kerberos auth prompt confuses them and I can coach them through.

Also, I occasionally need to log in as the primary 'admin' user as some of the options (ahem - Sudo rules on version 3.0.0) are not accessible regardless of the permissions given.

Craig
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 11:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> On 04/29/2015 05:08 PM, Andy Thompson wrote:
> > Ludwig Krispenz wrote (Wednesday, April 29, 2015 10:59 AM):
> > > On 04/29/2015 04:49 PM, Andy Thompson wrote:
> > > > Ludwig Krispenz wrote (Wednesday, April 29, 2015 10:51 AM):
> > > > > did you run the searches as directory manager ?
> > > > Yep sure did
> > > that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ?
> >
> > This returns the object
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... '(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))' | grep -i objectClass
> >
> > This returns nothing
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b dc=... '(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))' nscpentrywsi | grep -i objectClass
>
> and if you omit the grep ? still puzzled.

Ah if I omit the grep on the second server I get

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 4
nscpentrywsi: entryid: 385
nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 52327

thought I tried that before, apparently not.

> what is logged in the access log for these two searches?
>
> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> > Ludwig Krispenz wrote (Wednesday, April 29, 2015 10:28 AM):
> > > can you do the following search on both servers ?
> > >
> > > ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx '(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))' nscpentrywsi | grep -i objectClass
> >
> > The server that I initially attempted the deletion on returns nothing.
> >
> > The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything
> >
> > objectClass: posixgroup
> > objectClass: ipaobject
> > objectClass: mepManagedEntry
> > objectClass: top
> > objectClass: nsTombstone

-andy
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:35 PM, Andy Thompson wrote:
> Ah if I omit the grep on the second server I get
> [...]
> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> [...]
> nscpentrywsi: nstombstonecsn: 5540deb800030003
> [...]
> thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass: tombstone is:

objectClass;vucsn-5540deb800030003: nsTombstone

which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected. Now we need to find it on the other server. If the search for the filter with nstombstone does return nothing, could you try

- a plain search (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) (also with nscpentrywsi)

or if this doesn't return anything:

- (objectclass=nstombstone) and grep for your username

what is logged in the access log for these two searches?
Re: [Freeipa-users] deleting ipa user
Ludwig Krispenz wrote:
> ok, so we have the entry on one server, the csn of the objectclass: tombstone is:
>
> objectClass;vucsn-5540deb800030003: nsTombstone
>
> which matches the csn in the error log:
>
> Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
>
> so the state of the entry is as expected.
>
> Now we need to find it on the other server. If the search for the filter with nstombstone does return nothing, could you try

If I run

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b dc=mhbenp,dc=lin '(&(objectclass=nstombstone))'

I get below. If I add nsuniqueid to the filter it returns nothing on the primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
krbLoginFailedCount: 0
krbTicketFlags: 128
krbLastPwdChange: 20150421180532Z
krbLastFailedAuth: 20150421180457Z
mepManagedEntry: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
displayName: user name
cn: User Name
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: nsTombstone
loginShell: /bin/bash
initials: GF
gecos: User Name
homeDirectory: /home/username
uid: username
mail: usern...@mhbenp.lin
krbPrincipalName: usern...@mhbenp.lin
givenName: User
sn: name
ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
uidNumber: 124903
gidNumber: 124903
nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
Re: [Freeipa-users] ipa-replica-install fails at CA setup
Qing Chang wrote:
> mripa2.mr.ric is the server to be set up as replica. I wonder if the ldap service was available at all at installation stage.

I think we'd need to see the full ipareplica-install.log.

You might also want to see if a ns-slapd process is running and check /var/log/dirsrv/slapd-REALM/errors for anything interesting.

rob

> Thanks,
> Qing
>
> On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang tmp...@gmail.com wrote:
> > CentOS7.1 with IPA server 4.1.
> >
> > ipa-replica-install --setup-ca --setup-dns ... fails with this error message:
> > -
> > [2/22]: configuring certificate server instance
> > ipa : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
> > [error] RuntimeError: Configuration of CA failed
> > -
> >
> > ipareplica-install.log shows this:
> > -
> > 2015-04-29T13:40:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
> > 2015-04-29T13:40:11Z DEBUG Starting external process
> > 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'
> > 2015-04-29T13:40:51Z DEBUG Process finished, return code=1
> > 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmpaUGoKX.
> > Installing CA into /var/lib/pki/pki-tomcat.
> > Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> > Installation failed.
> >
> > 2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR... Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mripa2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91)
> > 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
> > 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
> > File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 382, in start_creation
> > run_step(full_msg, method)
> > File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 372, in run_step
> > method()
> > File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 673, in __spawn_instance
> > raise RuntimeError('Configuration of CA failed')
> > RuntimeError: Configuration of CA failed
> > -
> >
> > I hope this is enough information.
> >
> > Thanks in advance,
> > Qing Chang
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On Wed, 2015-04-29 at 18:31 +0200, Christopher Lamb wrote:
> Hi all
>
> @Craig, and using the WebUI for that purpose is much more user friendly than doing the same via an ssh terminal session.
>
> @Simo, as requested I have opened a ticket on this issue https://fedorahosted.org/freeipa/ticket/5010
>
> As this is my first Fedora ticket, please forgive me if I didn't do it right 8-)

It's perfectly fine, thank you.

Simo.

> Cheers
>
> Chris

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 1:07 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> On 04/29/2015 06:45 PM, Andy Thompson wrote:
> > thierry bordaz wrote (Wednesday, April 29, 2015 12:28 PM):
> > > On 04/29/2015 05:58 PM, Andy Thompson wrote:
> > > > [...]
> > > > nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> > > > [...]
> > > > nscpentrywsi: nstombstonecsn: 5540deb800030003
> > > > [...]
> > > > thought I tried that before, apparently not.
> > > >
> > > > ok, so we have the entry on one server, the csn of the objectclass: tombstone is:
> > > >
> > > > objectClass;vucsn-5540deb800030003: nsTombstone
> > > >
> > > > which matches the csn in the error log:
> > > >
> > > > Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)
> > > >
> > > > so the state of the entry is as expected. Now we need to find it on the other server. If the search for the filter with
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On 04/29/2015 06:31 PM, Christopher Lamb wrote:
> Hi all
>
> @Craig, and using the WebUI for that purpose is much more user friendly than doing the same via an ssh terminal session.
>
> @Simo, as requested I have opened a ticket on this issue https://fedorahosted.org/freeipa/ticket/5010
>
> As this is my first Fedora ticket, please forgive me if I didn't do it right 8-)

No, you did it perfectly right. Just Petr Vobornik was faster and created a ticket https://fedorahosted.org/freeipa/ticket/5008. This makes your ticket a duplicate, so I had to close it.

But please do not let this hiccup stop you, please continue in discussions, tickets, patches - it's useful! :-)

> Cheers
>
> Chris
Re: [Freeipa-users] ipa-replica-install fails at CA setup
ipareplica-install is big, the following starts at around step 34/35 for directory server config (see red lines), and then CA setup stopped at the second step. Relevant logs in error and access are attached too.

It appears at the time when CA setup needed access to dirsrv, it was down?

- ipareplica-install log -
2015-04-29T13:40:03Z DEBUG Final value after applying updates
2015-04-29T13:40:03Z DEBUG dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
2015-04-29T13:40:03Z DEBUG schema-compat-entry-attribute:
2015-04-29T13:40:03Z DEBUG objectclass=posixGroup
2015-04-29T13:40:03Z DEBUG gidNumber=%{gidNumber}
2015-04-29T13:40:03Z DEBUG memberUid=%{memberUid}
2015-04-29T13:40:03Z DEBUG memberUid=%deref_r(member,uid)
2015-04-29T13:40:03Z DEBUG %ifeq(ipauniqueid,%{ipauniqueid},objectclass=ipaOverrideTarget,)
2015-04-29T13:40:03Z DEBUG %ifeq(ipauniqueid,%{ipauniqueid},ipaanchoruuid=:IPA:mr.ric:%{ipauniqueid},)
2015-04-29T13:40:03Z DEBUG ipaanchoruuid=%{ipaanchoruuid}
2015-04-29T13:40:03Z DEBUG %ifeq(ipaanchoruuid,%{ipaanchoruuid},objectclass=ipaOverrideTarget,)
2015-04-29T13:40:03Z DEBUG cn:
2015-04-29T13:40:03Z DEBUG groups
2015-04-29T13:40:03Z DEBUG objectClass:
2015-04-29T13:40:03Z DEBUG top
2015-04-29T13:40:03Z DEBUG extensibleObject
2015-04-29T13:40:03Z DEBUG schema-compat-search-filter:
2015-04-29T13:40:03Z DEBUG objectclass=posixGroup
2015-04-29T13:40:03Z DEBUG schema-compat-container-rdn:
2015-04-29T13:40:03Z DEBUG cn=groups
2015-04-29T13:40:03Z DEBUG schema-compat-entry-rdn:
2015-04-29T13:40:03Z DEBUG cn=%{cn}
2015-04-29T13:40:03Z DEBUG schema-compat-search-base:
2015-04-29T13:40:03Z DEBUG cn=groups, cn=accounts, dc=mr,dc=ric
2015-04-29T13:40:03Z DEBUG schema-compat-container-group:
2015-04-29T13:40:03Z DEBUG cn=compat, dc=mr,dc=ric
2015-04-29T13:40:03Z DEBUG duration: 1 seconds
2015-04-29T13:40:03Z DEBUG [34/35]: tuning directory server
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/usr/sbin/selinuxenabled'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/sbin/restorecon' '/etc/sysconfig/dirsrv.systemd'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' '--system' 'daemon-reload'
2015-04-29T13:40:04Z DEBUG Process finished, return code=0
2015-04-29T13:40:04Z DEBUG stdout=
2015-04-29T13:40:04Z DEBUG stderr=
2015-04-29T13:40:04Z DEBUG Starting external process
2015-04-29T13:40:04Z DEBUG args='/bin/systemctl' 'restart' 'dirsrv@MR-RIC.service'
2015-04-29T13:40:06Z DEBUG Process finished, return code=0
2015-04-29T13:40:06Z DEBUG stdout=
2015-04-29T13:40:06Z DEBUG stderr=
2015-04-29T13:40:06Z DEBUG Starting external process
2015-04-29T13:40:06Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@MR-RIC.service'
2015-04-29T13:40:06Z DEBUG Process finished, return code=0
2015-04-29T13:40:06Z DEBUG stdout=active
2015-04-29T13:40:06Z DEBUG stderr=
2015-04-29T13:40:06Z DEBUG wait_for_open_ports: localhost [389] timeout 300
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-active' 'dirsrv@MR-RIC.service'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=active
2015-04-29T13:40:10Z DEBUG stderr=
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpH_pfpG' '-H' 'ldap://mripa2.mr.ric:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpqvAwmY'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=replace nsslapd-maxdescriptors:
8192
replace nsslapd-reservedescriptors:
64
modifying entry cn=config
modify complete

2015-04-29T13:40:10Z DEBUG stderr=ldap_initialize( ldap://mripa2.mr.ric:389/??base )
2015-04-29T13:40:10Z DEBUG duration: 6 seconds
2015-04-29T13:40:10Z DEBUG [35/35]: configuring directory to start on boot
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'is-enabled' 'dirsrv@MR-RIC.service'
2015-04-29T13:40:10Z DEBUG Process finished, return code=0
2015-04-29T13:40:10Z DEBUG stdout=enabled
2015-04-29T13:40:10Z DEBUG stderr=
2015-04-29T13:40:10Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:10Z DEBUG Starting external process
2015-04-29T13:40:10Z DEBUG args='/bin/systemctl' 'disable' 'dirsrv@MR-RIC.service'
2015-04-29T13:40:11Z DEBUG Process finished, return code=0
2015-04-29T13:40:11Z DEBUG stdout=
2015-04-29T13:40:11Z DEBUG stderr=rm '/etc/systemd/system/dirsrv.target.wants/dirsrv@MR-RIC.service'
2015-04-29T13:40:11Z DEBUG duration: 0 seconds
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 02:43 PM, Andy Thompson wrote:
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 29, 2015 8:31 AM
> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
> Subject: Re: [Freeipa-users] deleting ipa user
>
> > On 04/29/2015 01:26 PM, Andy Thompson wrote:
> > > I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
> > >
> > > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting member: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> > > [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting memberUser: uid=username,cn=users,cn=accounts,dc=domain,dc=com failed (16)
> > > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> > > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> > > [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=domain,dc=com; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> > > [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=username,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
> >
> > This is the first time I see this error. CCing Ludwig or Thierry to advise.
> >
> > Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.
>
> Here you go
>
> ipa-server-4.1.0-18.el7_1.3.x86_64
> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>
> Thanks much
>
> -andy

Hello,

I wonder if it is not a similar issue to the one I hit https://fedorahosted.org/389/ticket/48165. What differs is the '_update_all_per_mod' logs but it could be a consequence of the same bug.

I have a non systematic test case for 48165. Is it happening systematically in your case ?

thanks
thierry
Re: [Freeipa-users] thousands DSRetroclPlugin messages
On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
>> Hello
>> after a reboot I get almost thousand of the following messages:
>>
>> DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)
>
> this message comes from changelog trimming and means that an entry, which should be purged does not exist (any more). the retrocl maintains a first/lastchange and trimming starts at firstchange. if for some reason (race ?) there is an attempt to try to delete the same entry a second time this message should be logged. since the changenumbers in the error message increase, I think changelog trimming moves forward. you could do searches on cn=changelog to verify that trimming works.

changelog is part of the ldbm database plugin and contains several pieces of information I don't understand (or understand partially). What kind of information should I look for?

I only have one server running by the way.

Regards
Martin
Re: [Freeipa-users] thousands DSRetroclPlugin messages
On 04/29/2015 03:17 PM, Martin (Lists) wrote:
> On 27.04.2015 at 09:45, Ludwig Krispenz wrote:
>> On 04/26/2015 10:49 AM, Martin (Lists) wrote:
>>> Hello
>>> after a reboot I get almost thousand of the following messages:
>>>
>>> DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)
>>
>> [...]
>> since the changenumbers in the error message increase, I think changelog trimming moves forward. you could do searches on cn=changelog to verify that trimming works.
>
> changelog is part of the ldbm database plugin and contains several pieces of information I don't understand (or understand partially). What kind of information should I look for?

the changelog keeps track of the changes applied to the database, a typical entry looks like:

dn: changenumber=4,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 4
targetDn: cn=tuser,ou=people,dc=example,dc=com
changeTime: 20140411093444Z
changeType: delete

each entry gets a DN made up from the changenumber, so your entries will be named:

dn: changenumber=61,cn=changelog
dn: changenumber=62,cn=changelog
dn: changenumber=63,cn=changelog
dn: changenumber=64,cn=changelog

changenumbers start and are always incremented, changelog trimming removes old entries (depending on config). so if you do a search like:

ldapsearch .. -b cn=changelog

the changenumber of the first entry returned should always increase, indicating that trimming works.

you said thousands of messages, how frequent are they really?

> I only have one server running by the way.
>
> Regards
> Martin
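An added example (not code from the thread or from the 389-ds project) of the two checks Ludwig suggests: compare the lowest changenumber in two saved `ldapsearch -LLL -b cn=changelog` snapshots to confirm trimming moves forward, and parse the delete_changerecord messages out of the errors log to see how frequent they really are and whether the record numbers keep increasing. The snapshots and log lines are constructed for the example, and the bracketed timestamp prefix on the log lines is assumed to be the errors-log format.

```python
"""Sanity checks for 389-ds retro changelog trimming (added example).

Works on saved text so it runs offline: two cn=changelog search snapshots
taken some time apart, plus an errors-log excerpt. All data is constructed.
"""
import re
from collections import Counter

# Constructed snapshot, shaped like the entries described in the thread.
SNAPSHOT_1 = """\
dn: changenumber=61,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 61
targetDn: cn=tuser,ou=people,dc=example,dc=com
changeTime: 20150429070000Z
changeType: delete

dn: changenumber=62,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 62
targetDn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
changeTime: 20150429070100Z
changeType: modify
"""

# Constructed later snapshot: records 61 and 62 have been trimmed away.
SNAPSHOT_2 = """\
dn: changenumber=63,cn=changelog
objectClass: top
objectClass: changelogentry
changeNumber: 63
targetDn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
changeTime: 20150429070200Z
changeType: add
"""

# Constructed errors-log excerpt: four retrocl messages and one unrelated line.
SAMPLE_ERRORS_LOG = """\
[29/Apr/2015:07:21:30 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 128755 (rc: 32)
[29/Apr/2015:07:21:30 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 128756 (rc: 32)
[29/Apr/2015:07:21:30 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 128757 (rc: 32)
[29/Apr/2015:07:21:31 -0400] - slapd started.
[29/Apr/2015:07:21:31 -0400] DSRetroclPlugin - delete_changerecord: could not delete change record 128758 (rc: 32)
"""


def parse_ldif(text):
    """Split unwrapped LDIF (ldapsearch -LLL output) into {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def first_changenumber(ldif_text):
    """Lowest changeNumber in a cn=changelog search result, or None if it is empty."""
    numbers = [int(e["changeNumber"][0]) for e in parse_ldif(ldif_text) if "changeNumber" in e]
    return min(numbers) if numbers else None


def trimming_advances(snapshot_before, snapshot_after):
    """True when the oldest surviving change record moved forward between snapshots."""
    before, after = first_changenumber(snapshot_before), first_changenumber(snapshot_after)
    return before is not None and after is not None and after > before


RETROCL_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] )?DSRetroclPlugin - delete_changerecord: "
    r"could not delete change record (?P<num>\d+) \(rc: (?P<rc>\d+)\)"
)


def parse_retrocl_errors(lines):
    """Extract (timestamp, change record number, rc) from matching errors-log lines."""
    found = []
    for line in lines:
        m = RETROCL_RE.match(line)
        if m:
            found.append((m.group("ts"), int(m.group("num")), int(m.group("rc"))))
    return found


def summarize(records):
    """Count the messages, check that record numbers only move forward (trimming is
    progressing rather than retrying one record), and measure the burst rate."""
    nums = [num for _, num, _ in records]
    per_second = Counter(ts for ts, _, _ in records)
    return {
        "count": len(records),
        "monotonic": all(a < b for a, b in zip(nums, nums[1:])),
        "max_per_second": max(per_second.values(), default=0),
        "all_rc_32": all(rc == 32 for _, _, rc in records),  # rc 32 is LDAP noSuchObject
    }


if __name__ == "__main__":
    print("trimming advances:", trimming_advances(SNAPSHOT_1, SNAPSHOT_2))
    print(summarize(parse_retrocl_errors(SAMPLE_ERRORS_LOG.splitlines())))
```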
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>>> [...]
>>> Here you go
>>>
>>> ipa-server-4.1.0-18.el7_1.3.x86_64
>>> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>>>
>>> Thanks much
>>> -andy
>>
>> Hello,
>>
>> I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.
>
> I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? but maybe only the mep plugin finds a tombstone and tries to delete it.
>
> What was the command executed, is the result the same if repeated?

I attempted using the web interface initially and then tried using ipa user-del username to see if it gave any more detail.

More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the logs there first. I see this in the logs on the replica

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin -
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:14 PM, thierry bordaz wrote:
> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>> -Original Message-
>> From: Martin Kosek [mailto:mko...@redhat.com]
>> Sent: Wednesday, April 29, 2015 8:31 AM
>> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>>> I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>>> [...]
>>
>> This is the first time I see this error. CCing Ludwig or Thierry to advise.
>>
>> Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.
>>
>> Here you go
>>
>> ipa-server-4.1.0-18.el7_1.3.x86_64
>> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>>
>> Thanks much
>> -andy
>
> Hello,
>
> I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.

I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? but maybe only the mep plugin finds a tombstone and tries to delete it.

What was the command executed, is the result the same if repeated?

> I have a non systematic test case for 48165. Is it happening systematically in your case?
>
> thanks
> thierry
Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
On Wed, 2015-04-29 at 07:57 +0200, Christopher Lamb wrote:
> HI Simo, Dmitri, Rob and co.
>
> Simo's log in with a different user suggestion is pretty much what I was intending. I want to be able to log out of the web ui, then log back in with a different user. e.g. to allow a newly added user to change their password to something secret.

Can you open a RFE ticket about this? We should track it.

Thanks,
Simo.

> On this particular workstation I have no kerberos ticket (double checking with klist at the terminal confirms this). I have not saved the password in Firefox (checking in the settings confirms this).
>
> I often have ssh sessions open via terminal to the FreeIPA Server, and even Apache Directory Studio open to browse the LDAP structure and content. I don't see how that can play a role, but I mention it for completeness.
>
> thanks
> Chris
>
> From: Simo Sorce s...@redhat.com
> To: d...@redhat.com
> Cc: Rob Crittenden rcrit...@redhat.com, Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
> Date: 29.04.2015 03:31
> Subject: Re: [Freeipa-users] FreeIPA WebUI Logout logs back in
>
>> On Tue, 2015-04-28 at 17:53 -0400, Dmitri Pal wrote:
>>> On 04/28/2015 05:39 PM, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>> On 04/28/2015 05:11 PM, Christopher Lamb wrote:
>>>>>> HI All
>>>>>>
>>>>>> I have just tested with the FreeIPA Web UI public demo https://ipa.demo1.freeipa.org/ipa/ui/
>>>>>>
>>>>>> Using the public demo, when I log out, I get returned to the login screen, as expected. This allows me to log in with a different user.
>>>>>>
>>>>>> With our own installation FreeIPA, from exactly the same browser, I get logged straight back in to the Web UI - which makes logging out pointless.
>>>>>
>>>>> still confused ...
>>>>>
>>>>> Do you have a kerberos ticket on your local system? Do klist. See which tickets you have. If you have tickets do kdestroy - this will remove the ability to SSO. If you then try to use your IPA server you will have the same experience as with public demo.
>>>>>
>>>>> I think this is a question for Petr.
>>>>
>>>> On logout one should be directed to a page that doesn't require auth so it doesn't renegotiate the connection.
>>>>
>>>> rob
>>>
>>> Petr can you reproduce this? I've seen this in the past on my own IPA domain at home.
>>
>> Perhaps what we should do is to have a logout option that says log in with a different user and redirect to anon kerberized page that allows you to do form based login. This would address the case where a domain user wants to log in as admin w/o exiting their user session or destroying their ccache (as that may imply losing access to email, other company websites, etc...).
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:40 PM, Andy Thompson wrote:
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 9:22 AM
> To: thierry bordaz
> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
>> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>>> [...]
>>> I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.
>>
>> I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? but maybe only the mep plugin finds a tombstone and tries to delete it.
>>
>> What was the command executed, is the result the same if repeated?
>
> I attempted using the web interface initially and then tried using ipa user-del username to see if it gave any more detail.

were both attempts at 2015:07:21:32? or do you have more errors in the error log?

> More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> did you run the searches as directory manager?

Yep sure did

> On 04/29/2015 04:34 PM, Andy Thompson wrote:
>> -Original Message-
>> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
>> Sent: Wednesday, April 29, 2015 10:28 AM
>> To: Andy Thompson
>> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>> can you do the following search on both servers?
>>>
>>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>>
>> The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything
>>
>> objectClass: posixgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: top
>> objectClass: nsTombstone
>>
>> -andy
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:07 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> On 04/29/2015 03:40 PM, Andy Thompson wrote:
>> -Original Message-
>> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
>> Sent: Wednesday, April 29, 2015 9:22 AM
>> To: thierry bordaz
>> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>>> [...]
>>> I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? but maybe only the mep plugin finds a tombstone and tries to delete it.
>>>
>>> What was the command executed, is the result the same if repeated?
>>
>> I attempted using the web interface initially and then tried using ipa user-del username to see if it gave any more detail.
>
> were both attempts at 2015:07:21:32? or do you have more errors in the error log?

I had errors from the other delete attempts but they
Re: [Freeipa-users] deleting ipa user
can you do the following search on both servers?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:07 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 03:40 PM, Andy Thompson wrote:
>> -Original Message-
>> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
>> Sent: Wednesday, April 29, 2015 9:22 AM
>> To: thierry bordaz
>> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] deleting ipa user
>>
>> On 04/29/2015 03:14 PM, thierry bordaz wrote:
>>> On 04/29/2015 02:43 PM, Andy Thompson wrote:
>>>> -Original Message-
>>>> From: Martin Kosek [mailto:mko...@redhat.com]
>>>> Sent: Wednesday, April 29, 2015 8:31 AM
>>>> To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
>>>> Subject: Re: [Freeipa-users] deleting ipa user
>>>>
>>>> On 04/29/2015 01:26 PM, Andy Thompson wrote:
>>>>> I'm trying to delete an IPA account and I get a generic operations error when trying to remove it. It looks like something is messed up with the group object. The user doesn't show up in the ipausers group and there also isn't a group object for the user in question. Here is the error from the attempt.
>>>>> [...]
>>>>
>>>> This is the first time I see this error. CCing Ludwig or Thierry to advise.
>>>>
>>>> Andy, please also include FreeIPA and 389-ds-base packages versions so that Thierry and Ludwig know what to look at.
>>>>
>>>> Here you go
>>>>
>>>> ipa-server-4.1.0-18.el7_1.3.x86_64
>>>> 389-ds-base-1.3.3.1-15.el7_1.x86_64
>>>>
>>>> Thanks much
>>>> -andy
>>>
>>> Hello,
>>>
>>> I wonder if it is not a similar issue I hit https://fedorahosted.org/389/ticket/48165. What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.
>>
>> I think what differs is that in the ticket there is an attempt to delete an existing entry, but in the log snippet provided it attempts to delete a tombstone entry (an entry which was already deleted). So the errors logged by DS seem to be ok, but why does IPA want to delete an already deleted user? but maybe only the mep plugin finds a tombstone and tries to delete it.
>>
>> What was the command
[Freeipa-users] ipa-replica-install fails at CA setup
CentOS7.1 with IPA server 4.1.

ipa-replica-install --setup-ca --setup-dns ... fails with this error message:
-
  [2/22]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed
-

ipareplica-install.log shows this:
-
2015-04-29T13:40:11Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:11Z DEBUG Starting external process
2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'
2015-04-29T13:40:51Z DEBUG Process finished, return code=1
2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from /tmp/tmpaUGoKX.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.

2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR... Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mripa2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91)

2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 382, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 372, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
-

I hope this is enough information.

Thanks in advance,
Qing Chang
Re: [Freeipa-users] ipa-replica-install fails at CA setup
mripa2.mr.ric is the server to be setup as replica. I wonder if the ldap service was available at all at installation stage.

Thanks,
Qing

On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang tmp...@gmail.com wrote:
> CentOS7.1 with IPA server 4.1.
>
> ipa-replica-install --setup-ca --setup-dns ... fails with this error message:
> -
>   [2/22]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
>   [error] RuntimeError: Configuration of CA failed
> -
>
> ipareplica-install.log shows this:
> -
> [...]
> 2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR... Exception from Java Configuration Servlet: Error in populating database: Could not connect to LDAP server host mripa2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to server ldap://mripa2.mr.ric:389 (91)
>
> 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero exit status 1
> [...]
> RuntimeError: Configuration of CA failed
> -
>
> I hope this is enough information.
>
> Thanks in advance,
> Qing Chang
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

> can you do the following search on both servers?
>
> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything

objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
objectClass: nsTombstone

-andy
Re: [Freeipa-users] deleting ipa user
did you run the searches as directory manager?

On 04/29/2015 04:34 PM, Andy Thompson wrote:
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:28 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
>> can you do the following search on both servers?
>>
>> ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b dc=xxx "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>
> The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything
>
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> objectClass: nsTombstone
>
> -andy
[Freeipa-users] Master level IPA server
Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com. We have 3 different environments that need to stay separated. We were going to have them all authenticate to an Active Directory domain but getting that setup is turning into a real issue.

So if possible I would like to have a master level IPA server, then three sub level IPA servers that authenticate against it, then have our Windows Terminal Servers authenticate against it as well if possible. So if there is documentation on how to set that up I would appreciate a pointer, I haven't been able to find it yet.

Thanks much!

Regards,
--
Aric Wilisch
awili...@gmail.com
Re: [Freeipa-users] Master level IPA server
On 04/29/2015 08:38 PM, Aric Wilisch wrote:
> Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com. We have 3 different environments that need to stay separated. We were going to have them all authenticate to an Active Directory domain but getting that setup is turning into a real issue.
>
> So if possible I would like to have a master level IPA server, then three sub level IPA servers that authenticate against it, then have our Windows Terminal Servers authenticate against it as well if possible. So if there is documentation on how to set that up I would appreciate a pointer, I haven't been able to find it yet.
>
> Thanks much!
>
> Regards,
> --
> Aric Wilisch
> awili...@gmail.com

You can have one IPA Kerberos realm spanning several zones but the top level domain should be the same as the realm otherwise trust would not work. I think Alexander would have some pointers.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:35 PM, Andy Thompson wrote:
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 11:28 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> On 04/29/2015 05:08 PM, Andy Thompson wrote:
> > -Original Message-
> > From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> > Sent: Wednesday, April 29, 2015 10:59 AM
> > To: Andy Thompson
> > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] deleting ipa user
> >
> > On 04/29/2015 04:49 PM, Andy Thompson wrote:
> > > -Original Message-
> > > From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> > > Sent: Wednesday, April 29, 2015 10:51 AM
> > > To: Andy Thompson
> > > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] deleting ipa user
> > >
> > > did you run the searches as directory manager ?
> > >
> > > Yep sure did
> >
> > that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ?
> >
> > This returns the object
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass
> >
> > This returns nothing
> >
> > ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
>
> and if you omit the grep ? still puzzled.
>
> Ah if I omit the grep on the second server I get
>
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
> nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
> nscpentrywsi: objectClass;vucsn-55364a4200050004: top
> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
> nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb800030003
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.

This is looking like that on the replica where the errors are logged. The entry is a tombstone but cannot be found with the nsuniqueid. If on that server you do

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(ipaUniqueID=94dc1638-e826-11e4-878a-005056a92af3))"

what is logged in the access log for these two searches?

> > > On 04/29/2015 04:34 PM, Andy Thompson wrote:
> > > > -Original Message-
> > > > From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> > > > Sent: Wednesday, April 29, 2015 10:28 AM
> > > > To: Andy Thompson
> > > > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> > > > Subject: Re: [Freeipa-users] deleting ipa user
> > > >
> > > > can you do the following search on both servers ?
> > > >
> > > > ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> > > >
> > > > The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything:
> > > >
> > > > objectClass: posixgroup
> > > > objectClass: ipaobject
> > > > objectClass: mepManagedEntry
> > > > objectClass: top
> > > > objectClass: nsTombstone
> > > >
> > > > -andy
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 05:58 PM, Andy Thompson wrote:
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
> nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
> nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
> nscpentrywsi: objectClass;vucsn-55364a4200050004: top
> nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
> nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
> nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
> nscpentrywsi: description;vucsn-55364a4200050004: User private group for username
> nscpentrywsi: mepManagedBy;vucsn-55364a4200050004: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: creatorsName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: modifiersName;vucsn-55364a4200050004: cn=Managed Entries,cn=plugins,cn=config
> nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
> nscpentrywsi: modifyTimestamp;vucsn-55364a4200050004: 20150421130152Z
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
> nscpentrywsi: parentid: 4
> nscpentrywsi: entryid: 385
> nscpentrywsi: nsParentUniqueId: 3763f193-e76411e4-99f1b343-f0abc1a8
> nscpentrywsi: nstombstonecsn: 5540deb800030003
> nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: entryusn: 52327
>
> thought I tried that before, apparently not.

ok, so we have the entry on one server, the csn of the objectclass: tombstone is:

objectClass;vucsn-5540deb800030003: nsTombstone

which matches the csn in the error log:

Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): Operations error (1)

so the state of the entry is as expected. Now we need to find it on the other server. If the search for the filter with nstombstone does return nothing, could you try

If I run

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D "cn=directory manager" -W -b "dc=mhbenp,dc=lin" "(&(objectclass=nstombstone))"

I get below. If I add nsuniqueid to the filter it returns nothing on the primary server

dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-1003
krbLastSuccessfulAuth: 20150421180533Z
krbPasswordExpiration: 20150720180532Z
userPassword:: e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJ ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVh qTXQxUT09
krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A 0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/l bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJT mdmZWlnaKFBMD +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTEl
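The check thierry does by eye in the message above (read the CSN attached to the objectClass: nsTombstone value out of the nscpentrywsi output, then compare it with the CSN in the "Consumer failed to replay change" line) can be scripted. The following is an added example for this page, not code from the thread and not FreeIPA or 389-ds code: it parses the per-value vucsn/mdcsn state that 389-ds returns in nscpentrywsi, reads the tombstone CSN, cross-checks it against nstombstonecsn, decodes the CSN timestamp (the leading eight hex digits of a 389-ds CSN are seconds since the Unix epoch) and matches uniqueid and CSN against an errors-log line. The sample entry and log line are constructed from the values quoted in the thread; all function names are this example's own.

```python
"""Check a 389-ds tombstone's replication state against a replay-error log line."""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional


class StateValue(NamedTuple):
    """One value from nscpentrywsi with the CSNs 389-ds attached to it."""
    attr: str             # attribute name as returned, e.g. objectClass
    value: str
    vucsn: Optional[str]  # CSN of the operation that added this value
    mdcsn: Optional[str]  # CSN of the last modification of the attribute


# Constructed sample (values taken from the thread, trimmed): what the replica
# returns for the tombstone when nscpentrywsi is requested as Directory Manager.
SAMPLE_ENTRY = """\
dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004: posixgroup
nscpentrywsi: objectClass;vucsn-55364a4200050004: ipaobject
nscpentrywsi: objectClass;vucsn-55364a4200050004: mepManagedEntry
nscpentrywsi: objectClass;vucsn-55364a4200050004: top
nscpentrywsi: objectClass;vucsn-5540deb800030003: nsTombstone
nscpentrywsi: cn;vucsn-55364a4200050004;mdcsn-55364a4200050004: gfeigh
nscpentrywsi: gidNumber;vucsn-55364a4200050004: 124903
nscpentrywsi: createTimestamp;vucsn-55364a4200050004: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a4200050004: 94dc1638-e826-11e4-878a-005056a92af3
nscpentrywsi: nstombstonecsn: 5540deb800030003
nscpentrywsi: nscpEntryDN: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
"""

# Constructed sample errors-log line, in the shape quoted in the thread.
SAMPLE_ERROR = ("Consumer failed to replay change (uniqueid "
                "7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb800030003): "
                "Operations error (1)")

_ERR_RE = re.compile(r"uniqueid ([0-9a-fA-F-]+), CSN ([0-9a-fA-F]+)")


def parse_nscpentrywsi(ldif: str) -> List[StateValue]:
    """Split each 'nscpentrywsi: attr;vucsn-X;mdcsn-Y: value' line into its parts."""
    values = []
    for line in ldif.splitlines():
        if not line.startswith("nscpentrywsi: "):
            continue
        body = line[len("nscpentrywsi: "):]
        if body.startswith("dn: "):
            continue                      # the entry's own DN, not an attribute
        head, _, value = body.partition(": ")
        name, *options = head.split(";")  # attribute options carry the CSN state
        vucsn = mdcsn = None
        for opt in options:
            if opt.startswith("vucsn-"):
                vucsn = opt[len("vucsn-"):]
            elif opt.startswith("mdcsn-"):
                mdcsn = opt[len("mdcsn-"):]
        values.append(StateValue(name, value, vucsn, mdcsn))
    return values


def first_value(values: List[StateValue], attr: str) -> Optional[str]:
    """Value of the first occurrence of attr (LDAP attribute names are case-insensitive)."""
    for v in values:
        if v.attr.lower() == attr.lower():
            return v.value
    return None


def tombstone_csn(values: List[StateValue]) -> Optional[str]:
    """CSN of the delete: the vucsn attached to the objectClass: nsTombstone value."""
    for v in values:
        if v.attr.lower() == "objectclass" and v.value.lower() == "nstombstone":
            return v.vucsn
    return None


def csn_time(csn: str) -> datetime:
    """The leading eight hex digits of a 389-ds CSN are seconds since the Unix epoch."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)


def parse_replay_error(line: str) -> Optional[Dict[str, str]]:
    """Pull uniqueid and CSN out of a 'Consumer failed to replay change' line."""
    m = _ERR_RE.search(line)
    if m is None:
        return None
    return {"uniqueid": m.group(1).lower(), "csn": m.group(2).lower()}


def check_tombstone_against_error(ldif: str, error_line: str) -> Dict[str, object]:
    """Does this tombstone correspond to the change the consumer failed to replay?"""
    values = parse_nscpentrywsi(ldif)
    err = parse_replay_error(error_line)
    csn = tombstone_csn(values)
    uid = first_value(values, "nsUniqueId")
    return {
        "tombstone_csn": csn,
        # nstombstonecsn should repeat the CSN on the nsTombstone objectClass value
        "csn_consistent": csn is not None and csn == first_value(values, "nstombstonecsn"),
        "uniqueid_matches": err is not None and uid is not None and uid.lower() == err["uniqueid"],
        "csn_matches": err is not None and csn is not None and csn.lower() == err["csn"],
        "deleted_at": csn_time(csn).isoformat() if csn else None,
    }


if __name__ == "__main__":
    for key, val in check_tombstone_against_error(SAMPLE_ENTRY, SAMPLE_ERROR).items():
        print(f"{key}: {val}")
```

Feed it the output of the ldapsearch with nscpentrywsi (run as Directory Manager, since the attribute is not returned to other binds) and the matching line from the errors log. The decoded timestamp is a useful sanity check on its own: the vucsn on the original attributes decodes to 2015-04-21 13:01:54 UTC, two seconds from the entry's createTimestamp, and the tombstone CSN decodes to 2015-04-29 13:38:00 UTC, the day of the delete.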
Re: [Freeipa-users] Master level IPA server
On Wed, 29 Apr 2015, Aric Wilisch wrote:
> Is it possible to set up a Master level FreeIPA domain, then have 3 sub level domains use it for authentication? So master server at say ipa.domain.com, then have a secondary zone that is ipa2.sub1.domain.com.

This is possible. As long as DNS domains of IPA do not overlap with DNS domains of Active Directory deployment, or any other Kerberos realm, things should work.

> We have 3 different environments that need to stay separated. We were going to have them all authenticate to an Active Directory domain but getting that setup is turning into a real issue.
>
> So if possible I would like to have a master level IPA server, then three sub level IPA servers that authenticate against it, then have our Windows Terminal Servers authenticate against it as well if possible.

You cannot log in to Windows machines by authenticating against IPA right now, this is not supported. You can establish cross-forest trust between IPA realm and Active Directory and then log in to IPA machines with Active Directory credentials. If this is not what you want, IPA is not yet supporting your case. There aren't enough details to see what your issue is, though.

--
/ Alexander Bokovoy
[Freeipa-users] PWM and IPA
Hi all,

Just wondering if anyone has put together a guide for integrating PWM with IPA? I know there is a section on 389-ds, but that is kind of raw-389 and not the highly modified-for-IPA 389-ds. I would like to set this up for my users, but really don't want to do it using that guide unless that is what others might suggest?

Any suggestions?

~J
Re: [Freeipa-users] deleting ipa user
On 04/29/2015 04:49 PM, Andy Thompson wrote:
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:51 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> did you run the searches as directory manager ?
>
> Yep sure did

that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ?

> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> > -Original Message-
> > From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> > Sent: Wednesday, April 29, 2015 10:28 AM
> > To: Andy Thompson
> > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] deleting ipa user
> >
> > can you do the following search on both servers ?
> >
> > ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> >
> > The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything:
> >
> > objectClass: posixgroup
> > objectClass: ipaobject
> > objectClass: mepManagedEntry
> > objectClass: top
> > objectClass: nsTombstone
> >
> > -andy
Re: [Freeipa-users] deleting ipa user
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user

On 04/29/2015 04:49 PM, Andy Thompson wrote:
> -Original Message-
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:51 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
>
> did you run the searches as directory manager ?
>
> Yep sure did

that's weird, as directory manager you should be able to see the nscpentrywsi attribute, could you paste your full search request ?

This returns the object

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" | grep -i objectClass

This returns nothing

ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa02 -x -D "cn=directory manager" -W -b "dc=..." "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

> On 04/29/2015 04:34 PM, Andy Thompson wrote:
> > -Original Message-
> > From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> > Sent: Wednesday, April 29, 2015 10:28 AM
> > To: Andy Thompson
> > Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] deleting ipa user
> >
> > can you do the following search on both servers ?
> >
> > ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx" "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass
> >
> > The server that I initially attempted the deletion on returns nothing. The second server (the one currently throwing the consumer failed replay error) returns this if I remove the nscpentrywsi attribute filter. If I leave the attribute filter I don't get anything:
> >
> > objectClass: posixgroup
> > objectClass: ipaobject
> > objectClass: mepManagedEntry
> > objectClass: top
> > objectClass: nsTombstone
> >
> > -andy