[Freeipa-users] Why is port 80 needed for replication?

2017-03-29 Thread Chris Herdt
I'm curious as to why HTTP (port 80) is needed for IPA server
replication, particularly since HTTPS (port 443) is also used. What
unencrypted data is exchanged?


Chris

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] 389-console and IPA

2017-03-29 Thread Mark Reynolds


On 03/29/2017 02:05 PM, Josh wrote:
> Hi Mark,
>
> Thanks for responding.
>
> Essentially I would like to change access log file size from 100Meg to
> 10Meg and change number of log files down to 5 for example.
All you need to do is something like:

ldapmodify -x -p PORT -h HOST -D "cn=directory manager" -w PASSWORD
dn: cn=config
changetype: modify
replace: ATTR
ATTR: NEWVALUE

Example

ldapmodify -x -p 389 -h localhost -D "cn=directory manager" -w SECRET123
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsize: 10


Here are the attributes in question you are probably interested in:

nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsperdir
nsslapd-errorlog-level

See this link for the log levels:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/error-logs.html#error-logs-levels

HTH,
Mark

>
> Regards,
> Josh.
>
> On 03/29/2017 10:30 AM, Mark Reynolds wrote:
>>
>> On 03/28/2017 07:48 PM, Josh wrote:
>>> Greetings,
>>>
>>> I wonder if it is possible to use 389-console with a default IPA installation
>>> on RHEL 7.
>> This should be technically possible, but it has its risks...  You would
>> need to install the 389-admin/console packages, then you would have to
>> register your DS instance using register-ds-admin.pl - which adds the
>> "o=netscaperoot" suffix/backend to the server.  This backend is what the
>> console uses to render the UI.
>>
>> I've never tried this with IPA before, and it would have other
>> implications.  You'd have to exclude the o=netscaperoot suffix from the
>> retro changelog, and possibly other plugin adjustments as well.  Sorry I
>> don't know IPA that well, so perhaps others on this list could comment
>> on other pitfalls you might run into with the added backend.
>>> The primary reason is to alter log settings
>> Really this isn't that hard from the CLI perspective. You could write
>> a simple shell script for changing log levels -  I could help you with
>> that if need be.
>>
>> Mark
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Configuring_Logs.html#Viewing_and_Configuring_Log_Files-Defining_a_Log_File_Rotation_Policy
>>>
>>>
>>>
>>> without using command line tools
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_maxlogsize_Access_Log_Maximum_Log_Size
>>>
>>>
>>>
>>> Regards,
>>> Josh.
>>>
>


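Mark suggests a simple shell script for this. The following is an added example (not Mark's script and not part of the original reply) that wraps the cn=config change for the two attributes he names, nsslapd-accesslog-maxlogsize (MB per file) and nsslapd-accesslog-maxlogsperdir (files kept), in a POSIX shell helper. It assumes the OpenLDAP ldapmodify/ldapsearch clients (-x, -H, -D, -W); the LDAP_URI variable and the ldif/apply/show sub-commands are this script's own inventions. It uses -W (prompt) rather than -w PASSWORD, because a password on the command line is visible in the process list and the shell history.

```shell
#!/bin/sh
# Added example: set the 389-ds access-log rotation policy under cn=config.
# Emits (and optionally applies) an LDIF for the two attributes Mark lists.

# True only for a positive decimal integer without leading zeros.
is_posint() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
}

# Print the LDIF for MAX_SIZE_MB and MAX_FILES; both values are validated
# first so a typo cannot land in cn=config.
# Usage: log_rotation_ldif MAX_SIZE_MB MAX_FILES
log_rotation_ldif() {
    is_posint "$1" && is_posint "$2" || {
        echo "usage: log_rotation_ldif MAX_SIZE_MB MAX_FILES (positive integers)" >&2
        return 1
    }
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsize: $1
-
replace: nsslapd-accesslog-maxlogsperdir
nsslapd-accesslog-maxlogsperdir: $2
EOF
}

# Apply the change. LDAP_URI is this script's own variable (assumption);
# -W prompts for the Directory Manager password instead of -w PASSWORD,
# which would expose it in the process list and the shell history.
apply_log_rotation() {
    log_rotation_ldif "$1" "$2" |
        ldapmodify -x -H "${LDAP_URI:-ldap://localhost:389}" -D "cn=directory manager" -W
}

# Read the two attributes back to confirm the change was accepted.
show_log_rotation() {
    ldapsearch -x -H "${LDAP_URI:-ldap://localhost:389}" -D "cn=directory manager" -W \
        -b cn=config -s base nsslapd-accesslog-maxlogsize nsslapd-accesslog-maxlogsperdir
}

case "${1:-}" in
    ldif)  log_rotation_ldif "$2" "$3" ;;     # e.g. ./logrotate.sh ldif 10 5
    apply) apply_log_rotation "$2" "$3" ;;    # e.g. ./logrotate.sh apply 10 5
    show)  show_log_rotation ;;
esac
```

`./logrotate.sh ldif 10 5` prints the LDIF for Josh's 10 MB / 5 files request without touching the server; `apply` pipes it into ldapmodify and `show` reads the values back. On an IPA server run as root, the same LDIF can also be applied over the local socket with `ldapmodify -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-INSTANCE.socket` (INSTANCE being the realm with dots replaced by dashes, e.g. slapd-EXAMPLE-COM), which avoids the Directory Manager password altogether.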

Re: [Freeipa-users] 389-console and IPA

2017-03-29 Thread Josh

Hi Mark,

Thanks for responding.

Essentially I would like to change access log file size from 100Meg to 
10Meg and change number of log files down to 5 for example.


Regards,
Josh.

On 03/29/2017 10:30 AM, Mark Reynolds wrote:


On 03/28/2017 07:48 PM, Josh wrote:

Greetings,

I wonder if it is possible to use 389-console with a default IPA installation
on RHEL 7.

This should be technically possible, but it has its risks...  You would
need to install the 389-admin/console packages, then you would have to
register your DS instance using register-ds-admin.pl - which adds the
"o=netscaperoot" suffix/backend to the server.  This backend is what the
console uses to render the UI.

I've never tried this with IPA before, and it would have other
implications.  You'd have to exclude the o=netscaperoot suffix from the
retro changelog, and possibly other plugin adjustments as well.  Sorry I
don't know IPA that well, so perhaps others on this list could comment
on other pitfalls you might run into with the added backend.

The primary reason is to alter log settings

Really this isn't that hard from the CLI perspective. You could write
a simple shell script for changing log levels -  I could help you with
that if need be.

Mark

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Configuring_Logs.html#Viewing_and_Configuring_Log_Files-Defining_a_Log_File_Rotation_Policy


without using command line tools

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_maxlogsize_Access_Log_Maximum_Log_Size


Regards,
Josh.





Re: [Freeipa-users] MAKE Freeipa replica not work now

2017-03-29 Thread Rob Crittenden
barry...@gmail.com wrote:
> Hi all:
> 
> Port 9444 can be reached with telnet... Any idea? The log is shown below, as I don't
> have any more ideas... If I plan to
> migrate to the same version of server, what do I have to copy? As I saw, the
> steps of migration are also similar to replica, so now I'm stuck on the steps.
> Any manual copy steps? As I copied and pasted the LDAP of ABC.com
> and slapd_PKI, it cannot start up... Can I just move slapd_ABC.com's
> ldif and ignore the others? Many thanks

I'm not quite sure I follow. It seems there is a bit of history we're
missing here. What is it you're trying to do? It sounds like more than
just stand up another master.

> Preparing replica for central.ABC.com  from
> central.wisers.com 
> Creating SSL certificate for the Directory Server
> preparation of replica failed: cannot connect to
> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (PR_END_OF_FILE_ERROR) Encountered end of file.
> cannot connect to
> 'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
> (PR_END_OF_FILE_ERROR) Encountered end of file.
>   File "/usr/sbin/ipa-replica-prepare", line 490, in <module>
> main()
> 
>   File "/usr/sbin/ipa-replica-prepare", line 361, in main
> export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
> replica_fqdn, subject_base)
> 
>   File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
> raise e

What version of IPA?

You'll want to check the dogtag logs for more details, the location
depends on the version.

rob



Re: [Freeipa-users] 389-console and IPA

2017-03-29 Thread Mark Reynolds


On 03/28/2017 07:48 PM, Josh wrote:
> Greetings,
>
> I wonder if it is possible to use 389-console with a default IPA installation
> on RHEL 7.
This should be technically possible, but it has its risks...  You would
need to install the 389-admin/console packages, then you would have to
register your DS instance using register-ds-admin.pl - which adds the
"o=netscaperoot" suffix/backend to the server.  This backend is what the
console uses to render the UI.

I've never tried this with IPA before, and it would have other
implications.  You'd have to exclude the o=netscaperoot suffix from the
retro changelog, and possibly other plugin adjustments as well.  Sorry I
don't know IPA that well, so perhaps others on this list could comment
on other pitfalls you might run into with the added backend.
>
> The primary reason is to alter log settings
Really this isn't that hard from the CLI perspective. You could write
a simple shell script for changing log levels -  I could help you with
that if need be.

Mark
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Configuring_Logs.html#Viewing_and_Configuring_Log_Files-Defining_a_Log_File_Rotation_Policy
>
>
> without using command line tools
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig-nsslapd_accesslog_maxlogsize_Access_Log_Maximum_Log_Size
>
>
> Regards,
> Josh.
>



Re: [Freeipa-users] ipa-replica-manage failing to delete a node

2017-03-29 Thread Linder, Rolf
Thanks jochen for your response!
So far, we could quite well identify who's the master and the replica and 
identify how and where we should re-initialize.

Still there is good news at our side, we could further identify an issue and by 
fixing that (see below) also remove the replica and reinstall it. We had to 
"isolate" the second server (it was still reachable by ICMP ping) and were then 
able to just execute "ipa-replica-manage del uspidm02.[domain].[tld] --force 
--cleanup" and afterwards add it again.

After a small duplicate RUV issue (documented at 
https://access.redhat.com/solutions/2741521) we're now up again and have a 
running IdM setup.

Still, at our end there's one question left: for now, we have different 
passwords for the "admin" user and the directory manager password. Is this 
normal? Or do we have a broken setup now?


Best regards,
Rolf

PS: here's what we did to fix our issue:

1. copied uspidm01 and ran isolated (offline) tests => this way we could 
identify that all is well
2. after already doing reboots on uspidm02, disconnected that server and removed 
it on uspidm01 via ipa-replica-manage
3. by this identified an error in the hosts entry of uspidm01 (listing uspidm02 
with a wrong IP conflicting with DNS information)
4. reinstalled uspidm02 according to documentation from Red Hat



Re: [Freeipa-users] Migrate IPA cluster F21 -> C7

2017-03-29 Thread Bret Wortman
I saw as I was working through it, and it's in fact what I did. 
Migrating the last server to CentOS right now.


Thanks for the help!


On 03/29/2017 09:53 AM, Rob Crittenden wrote:

Bret Wortman wrote:

Never mind. Lost my mind.

ipa-replica-install followed by ipa-ca-install appears to be the ticket.

Or you can do it in one step by passing --setup-ca to ipa-replica-install

rob



Bret


On 03/29/2017 06:22 AM, Bret Wortman wrote:

I've tried googling but keep coming up with beer recipes.

How do you suggest adding the replica CA? I'm piecing together the
options I want on my ipa-server-install command and am trying to
understand the CA-related options.

Thanks!


Bret



On 03/28/2017 08:45 AM, Bret Wortman wrote:

I'm studying the best way to migrate our IPA servers (there are two)
from F21 to C7. I _think_ the sequence of steps I need to perform is:

 1. Build new C7 IPA server (ipa-c) and enable replication to it.
 2. Migrate CA functions from our existing CA server (ipa-a) to
 this new one (ipa-c).
 3. Upgrade ipa-b to C7 and enable replication to it.
 4. Either upgrade ipa-a and have a third ipa server or discard
 the vm in favor of the two now in service.

Am I missing anything? Making this harder than it needs to be?

Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm
not sure if replication across versions is supported between these and IPA
4.4.0 (pki-ca 10.3.3).


--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand  at
http://bwortman.us/2ieQN4t







Re: [Freeipa-users] Migrate IPA cluster F21 -> C7

2017-03-29 Thread Rob Crittenden
Bret Wortman wrote:
> Never mind. Lost my mind.
> 
> ipa-replica-install followed by ipa-ca-install appears to be the ticket.

Or you can do it in one step by passing --setup-ca to ipa-replica-install

rob

> 
> 
> Bret
> 
> 
> On 03/29/2017 06:22 AM, Bret Wortman wrote:
>>
>> I've tried googling but keep coming up with beer recipes.
>>
>> How do you suggest adding the replica CA? I'm piecing together the
>> options I want on my ipa-server-install command and am trying to
>> understand the CA-related options.
>>
>> Thanks!
>>
>>
>> Bret
>>
>>
>>
>> On 03/28/2017 08:45 AM, Bret Wortman wrote:
>>> I'm studying the best way to migrate our IPA servers (there are two)
>>> from F21 to C7. I _think_ the sequence of steps I need to perform is:
>>>
>>> 1. Build new C7 IPA server (ipa-c) and enable replication to it.
>>> 2. Migrate CA functions from our existing CA server (ipa-a) to
>>> this new one (ipa-c).
>>> 3. Upgrade ipa-b to C7 and enable replication to it.
>>> 4. Either upgrade ipa-a and have a third ipa server or discard
>>> the vm in favor of the two now in service.
>>>
>>> Am I missing anything? Making this harder than it needs to be?
>>>
>>> Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm
>>> not sure if replication across versions is supported between these and IPA
>>> 4.4.0 (pki-ca 10.3.3).
>>>
>>>
>>> -- 
>>> *Bret Wortman*
>>> Damascus Products
>>> ph/fax: 1-855-644-2783
>>> Wrap Buddies InDemand  at
>>> http://bwortman.us/2ieQN4t
>>
> 
> 
> 



[Freeipa-users] Extending FreeIPA with custom attribute (ipa-server-4.4.0)

2017-03-29 Thread Klíma David
Hi, can anybody help me with extending the FreeIPA Server? I have a few custom 
attributes in the DS schema. I would like to be able to change the newly added 
attributes via the JSON API and thus via the CLI tool.

Today I updated from version ipa-server-4.2.0 to ipa-server-4.4.0 from the standard 
RHEL repo and I see the plugin directory is in another location, 
/usr/lib/python2.7/site-packages/ipaclient/plugins (the old location in version 
4.2.0 was /usr/lib/python2.7/site-packages/ipalib/plugins/), and my old CLI 
extension stopped working with this error message:

ipa: ERROR: ImportError: No module named plugins

There is no documentation about that, nor any examples. Can anybody help me 
rewrite this simple code to work with the new API version?

from ipalib.plugins import user
from ipalib.parameters import Int
from ipalib.parameters import Str
from ipalib import _
 
user.user.takes_params = user.user.takes_params + (
Str('mailroutingaddress?',
cli_name='mailroutingaddress',
label=_('Mail routing address'),
),  
)


[root@ipa-03 plugins]# rpm -qa | grep ipa-server
ipa-server-4.4.0-12.el7.x86_64
ipa-server-common-4.4.0-12.el7.noarch
ipa-server-dns-4.4.0-12.el7.noarch

https://serverfault.com/questions/809810/minimal-example-of-extending-already-existing-api-and-cli-call-in-freeipa-4


Thank you a lot!
David



Re: [Freeipa-users] Migrate IPA cluster F21 -> C7

2017-03-29 Thread Bret Wortman

Never mind. Lost my mind.

ipa-replica-install followed by ipa-ca-install appears to be the ticket.


Bret


On 03/29/2017 06:22 AM, Bret Wortman wrote:


I've tried googling but keep coming up with beer recipes.

How do you suggest adding the replica CA? I'm piecing together the 
options I want on my ipa-server-install command and am trying to 
understand the CA-related options.


Thanks!


Bret



On 03/28/2017 08:45 AM, Bret Wortman wrote:
I'm studying the best way to migrate our IPA servers (there are two) 
from F21 to C7. I _think_ the sequence of steps I need to perform is:


1. Build new C7 IPA server (ipa-c) and enable replication to it.
2. Migrate CA functions from our existing CA server (ipa-a) to
this new one (ipa-c).
3. Upgrade ipa-b to C7 and enable replication to it.
4. Either upgrade ipa-a and have a third ipa server or discard
the vm in favor of the two now in service.

Am I missing anything? Making this harder than it needs to be?

Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm 
not sure if replication across versions is supported between these and IPA 
4.4.0 (pki-ca 10.3.3).



--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand  at 
http://bwortman.us/2ieQN4t





Re: [Freeipa-users] Migrate IPA cluster F21 -> C7

2017-03-29 Thread Bret Wortman

I've tried googling but keep coming up with beer recipes.

How do you suggest adding the replica CA? I'm piecing together the 
options I want on my ipa-server-install command and am trying to 
understand the CA-related options.


Thanks!


Bret



On 03/28/2017 08:45 AM, Bret Wortman wrote:
I'm studying the best way to migrate our IPA servers (there are two) 
from F21 to C7. I _think_ the sequence of steps I need to perform is:


1. Build new C7 IPA server (ipa-c) and enable replication to it.
2. Migrate CA functions from our existing CA server (ipa-a) to
this new one (ipa-c).
3. Upgrade ipa-b to C7 and enable replication to it.
4. Either upgrade ipa-a and have a third ipa server or discard the
vm in favor of the two now in service.

Am I missing anything? Making this harder than it needs to be?

Our F21 servers are using IPA 4.1.4-1 (and pki-ca 10.2.1-3) so I'm not 
sure if replication across versions is supported between these and IPA 
4.4.0 (pki-ca 10.3.3).



--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand  at http://bwortman.us/2ieQN4t



Re: [Freeipa-users] Register IPA-Clients within AD domain

2017-03-29 Thread Ronald Wimmer

On 2017-03-29 11:06, Alexander Bokovoy wrote:

On Wed, 29 Mar 2017, Ronald Wimmer wrote:

[...]

Read
http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
There are also higher level description at
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/

Thanks a lot!



Re: [Freeipa-users] Register IPA-Clients within AD domain

2017-03-29 Thread Alexander Bokovoy

On Wed, 29 Mar 2017, Ronald Wimmer wrote:

Hi,

the documentation states "[...] Client machines do not need to be in 
the same domain as FreeIPA servers. For example, FreeIPA may be a 
domain ipa.example.com and clients in domain clients.example.com, 
there just need to be a clear mapping between DNS domain and Kerberos 
realm. [...]"


Can clients be registered properly if the clients.example.com domain 
is an existing Active Directory domain which - of course - already has 
_kerberos entries in DNS?

Read http://www.freeipa.org/page/V4/IPA_Client_in_Active_Directory_DNS_domain
There are also higher level description at 
http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/


--
/ Alexander Bokovoy



[Freeipa-users] SSSD setting memcache_timeout on ipa master

2017-03-29 Thread Ronald Wimmer

Hi,

yesterday I suddenly was unable to use the web interface of my ipa 
master. SSH login (with the root user) did not work either.


When I uncommented the setting "memcache_timeout = 600" in the sssd 
config file of the master everything seemed to work fine again. (my ipa 
setup has a trust to AD)


Can anybody explain why this was happening?

Regards,
Ronald



[Freeipa-users] Register IPA-Clients within AD domain

2017-03-29 Thread Ronald Wimmer

Hi,

the documentation states "[...] Client machines do not need to be in the 
same domain as FreeIPA servers. For example, FreeIPA may be a domain 
ipa.example.com and clients in domain clients.example.com, there just 
need to be a clear mapping between DNS domain and Kerberos realm. [...]"


Can clients be registered properly if the clients.example.com domain is 
an existing Active Directory domain which - of course - already has 
_kerberos entries in DNS?


Regards,
Ronald



Re: [Freeipa-users] Trying To Debug AD Trust Quirks

2017-03-29 Thread Jakub Hrozek
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote:
> Hello,
> 
> I'm using AD trusts with FreeIPA 4.4.0 and am having a heck of a time with 
> strange behavior.  Some examples include:
> 
> - Trust user's home directory sporadically getting set to '/' instead of 
> /home/domain/user
> - Trust user losing HBAC privileges (granted via group membership)
> - Trust user losing sudo privileges (granted via group membership)
> - OS logging that trust user's account has expired when it hasn't
> 
> I'm currently unable to predict/reproduce occurrences of these issues.  I can 
> say that they aren't tied to a specific user or host.  For example, a user 
> will login to a host without any issues and then later that same user's home 
> directory (as reported by getent) will suddenly be set to / instead of 
> /home/...
> 
> My first step, of course, is to gather logs.  Should I be focusing on the 
> SSSD on the client or on the IPA servers?  I'm not entirely clear how/where 
> lots of this data get assigned/queried.
> 
> My other question is if there is a way to pin down a client to [temporarily] 
> use a specific IPA server and specific AD server (even if it means a firewall 
> rule that only allows the host to communicate with one IPA and one AD host).

Normally time-correlated logs from both the server's domain and nss sections
of sssd.conf and the client's domain section are a good start.


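Jakub's advice is to collect time-correlated logs from the [nss] and [domain/...] sections on the IPA server and the [domain/...] section on the client. The following is an added example (not from Jakub or the SSSD project) showing how to switch on debug_level in exactly those sssd.conf sections from a POSIX shell, without disturbing the rest of the file. It assumes SSSD's ini-style sssd.conf at a path you pass in (normally /etc/sssd/sssd.conf), uses a constructed sample config for the offline demo, and picks debug_level 6 as a reasonable verbosity; the level and the helper names are this example's own choices.

```shell
#!/bin/sh
# Added example: turn on SSSD debug logging in the sssd.conf sections Jakub
# names, so the server's [nss] and [domain/...] logs and the client's
# [domain/...] log can be correlated by time.

# Print FILE with debug_level set to LEVEL inside SECTION (replaced if present,
# appended to the section otherwise). Other sections are passed through as-is.
# Usage: set_debug_level FILE SECTION LEVEL   e.g. set_debug_level sssd.conf nss 6
set_debug_level() {
    awk -v sec="[$2]" -v lvl="$3" '
        # Called when a section ends: add the key if the section never had one.
        function leave() { if (insec && !seen) print "debug_level = " lvl }
        /^\[/ {
            leave()
            hdr = $0; sub(/[ \t]*$/, "", hdr)
            insec = (hdr == sec); seen = 0
        }
        insec && /^[ \t]*debug_level[ \t]*=/ { print "debug_level = " lvl; seen = 1; next }
        { print }
        END { leave() }
    ' "$1"
}

# Enable debugging for one IPA domain plus the [nss] responder (the server-side
# pair Jakub describes; on a client the domain section alone is enough).
# The result is written back with ">" rather than mv so the file keeps its
# existing 0600 root:root mode, which sssd refuses to start without.
# Usage: enable_sssd_debug FILE DOMAIN [LEVEL]
enable_sssd_debug() {
    conf=$1; domain=$2; lvl=${3:-6}
    tmp=$(mktemp) || return 1
    set_debug_level "$conf" "domain/$domain" "$lvl" > "$tmp" &&
        set_debug_level "$tmp" nss "$lvl" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config for running this offline (not a real deployment).
# ipa_server is the directive Jakub mentions for pinning a client to one server.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.com

[nss]
filter_users = root

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa01.ipa.example.com
debug_level = 1
EOF
}

# Demo: ./sssd_debug.sh demo  prints the rewritten sample. On a real host:
#   enable_sssd_debug /etc/sssd/sssd.conf ipa.example.com 6 && systemctl restart sssd
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_conf "$f"
    enable_sssd_debug "$f" ipa.example.com 6
    cat "$f"
    rm -f "$f"
fi
```

After restarting sssd, the responder and backend logs appear under /var/log/sssd/ (sssd_nss.log and sssd_ipa.example.com.log for the sample above); compare timestamps across the server and client files when an affected user's home directory or HBAC result changes. Remember to lower debug_level again afterwards, since verbose SSSD logs grow quickly and record user and group names.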

Re: [Freeipa-users] Trying To Debug AD Trust Quirks

2017-03-29 Thread Jakub Hrozek
On Tue, Mar 28, 2017 at 11:59:27AM -0500, Jason B. Nance wrote:
> My other question is if there is a way to pin down a client to
> [temporarily] use a specific IPA server 

using the ipa_server directive in sssd.conf

> and specific AD server (even if
> it means a firewall rule that only allows the host to communicate with
> one IPA and one AD host).

the clients don't talk to ADs to resolve user information, only the
servers do. The clients only talk to AD DCs for authentication (to make
this a bit more complex, the authentication also involves parsing a
Kerberos PAC blob by the authentication helper in SSSD which also
includes the group memberships).

And unfortunately, until RHEL 7.4 and SSSD 1.15 are out, pinning the
SSSD on the IdM servers to a specific AD DC is only possible by
modifying the DNS SRV records or creating an AD site for the IdM server.
