[Freeipa-users] Fedora 12 install documentation 2.0.0 & admin documentation 2.0.0 and problems.

2010-07-06 Thread Steven Jones
Hi,

I have installed free-ipa on fedora 12...

Install documentation

Some issues: "3.2 To test your IPA installation",

3. Item should read "/usr/sbin/ipa-finduser admin" and not "/usr/bin/ipa user-find admin"

Admin documentation

1.1.1.1 "Using the Web Interface",

There is no explanation of how to get to the user homepage.

I tried https://localhost:443

and I get a "Kerberos Authentication failed". There is no workable documentation / indication on how to fix this.

===

"Kerberos Authentication Failed

Unable to verify your Kerberos credentials. Please make sure that you have valid Kerberos tickets (obtainable via kinit), and that you have configured your browser correctly. If you are still unable to access the IPA Web interface, please contact the helpdesk on for additional assistance.

Import the IPA Certificate Authority.

You can automatically configure your browser to work with Kerberos by importing the Certificate Authority above and clicking on the Configure Browser button.

You must reload this page after importing the Certificate Authority for the automatic settings to work

=

So I run kinit as a local user and get told

"kinit: Client not found in Kerberos database while getting initial credentials"

So anyway I attempt to follow the instruction in the web browser window (as above) and keep getting the same thing when I restart Firefox.

So what next?

regards

Steven

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Fedora 12 install documentation 2.0.0 & admin documentation 2.0.0 and problems.

2010-07-07 Thread Steven Jones
8><

> I tried https://localhost:443
> 
> and I get a "Kerberos Authentication failed".there is no workable 
> documentation / indication on how to fix this

http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_the_IPA_Server-Configuring_Your_Browser.html

In short, you need to configure your browser to do kerberos 
authentication, trust the IPA root CA and you need a kerberos ticket in 
order to connect.
> 

8><--

I did this however it keeps coming up with the same msg.

Also there is no instruction to tell me how to get the kerberos ticket 
recognised.

> ===
> 
> 
> "Kerberos Authentication Failed
> 
> Unable to verify your Kerberos credentials. Please make sure that you 
> have valid Kerberos tickets (obtainable via kinit), and that you have 
> configured your browser correctly 
> . If you 
> are still unable to access the IPA Web interface, please contact the 
> helpdesk on for additional assistance.
> 
> Import the IPA Certificate Authority 
> .
> 
> You can automatically configure your browser to work with Kerberos by 
> importing the Certificate Authority above and clicking on the Configure 
> Browser button.
> 
> You *must* reload this page after importing the Certificate Authority 
> for the automatic settings to work
> 
> =
> 
>  
> 
>  
> 
> So I run kinit as a local user and get told
> 
>  
> 
> "kinit: Client not found in Kerberos database while getting initial 
> credentials"

>Did you add your user as a user in IPA? You can always try getting a 
>ticket as the admin user for testing (kinit admin).

No, the documentation didn't tell me to, or how...so this part of the "testing" 
needs to include suitable cli commands / instructions to allow a proper test. 
This should be a sequence all in order of all the steps needed and not dig your 
way through a 500 page manual and guess...

Really I guess someone wants to write a quick start or evaluation guide. It's 
interesting when you watch the youtube on freeipa and they talk about not 
having to be an expert in every single aspect, yet that's exactly what we end 
up with here, again.

I have run kinit as admin and that seems fine, however I have not been able 
to figure out how to use the admin's kerberos ticket. I assume it's /tmp/krb5cc_0 
(which is owned by root) in a user's web browser...Fedora 12 prevents root 
logging in under a gui which is silly...and I have not been able to find how to 
allow that yet.

Also I can't log in as the admin user as I got told that the admin account 
already exists when I try "adduser admin", yet it does not exist in 
/etc/passwd, group or shadow.

So what do I do with this ticket? Simply change its permissions to that of the 
local user? Hack a file somewhere to point to it?

regards

Steven




[Freeipa-users] probems installin freeipa v2

2010-09-20 Thread Steven Jones
Section 4.3 of the manual

Running the command,

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: ***
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=vuw,dc=ac,dc=nz


ldapmodify: wrong attributeType at line 4, entry 
"cn=ipa_pwd_extop,cn=plugins,cn=config

I cannot figure out what is wrong here?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




[Freeipa-users] getting a kerberos ticket for Firefox

2010-09-20 Thread Steven Jones
Hi,

I am trying to web browse to the localhost and it is telling me to obtain a 
valid kerberos ticket and configure Firefox...

Where do I export / find this ticket? and how do I install it as a user so I 
can connect?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

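The two questions above (where the ticket for Firefox lives, and whether root's /tmp/krb5cc_0 can simply be chmod'ed for the local user) come down to which credential cache the browser process will read. The following is an added example, not code from the thread, from FreeIPA or from MIT Kerberos. It assumes the MIT krb5 behaviour that the browser's GSSAPI library uses the same default cache that klist shows: the one named by $KRB5CCNAME, or failing that a FILE cache at /tmp/krb5cc_<uid> (the layout assumed here; newer systems may default to KEYRING: or KCM: caches, which the script only reports). A cache belongs to one user, so the checks refuse a cache owned by somebody else or readable by others; the right fix for the question above is for the user to run kinit and get a cache of their own.

```python
"""Which Kerberos credential cache will a user's browser actually use?

Added example (not from the thread, FreeIPA or MIT Kerberos). Resolves the
cache the way MIT krb5 does and refuses one that is not the user's own.
"""
import os
import stat


def resolve_ccache(env, uid):
    """Return (cache_type, location) from $KRB5CCNAME or the default path."""
    name = env.get('KRB5CCNAME')
    if not name:
        return 'FILE', '/tmp/krb5cc_%d' % uid          # assumed default layout
    ctype, sep, rest = name.partition(':')
    if not sep or ctype.startswith('/'):                # bare path = FILE cache
        return 'FILE', name
    return ctype.upper(), rest


def check_ccache(path, uid):
    """Findings for a FILE cache; an empty list means the cache is usable by uid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ['no credential cache at %s: run kinit as this user' % path]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append('%s is not a regular file' % path)
    if st.st_uid != uid:
        # Sharing or re-permissioning another user's cache hands that user's
        # tickets to this one; the fix is a kinit by this user instead.
        findings.append('cache is owned by uid %d, not uid %d: do not chmod or '
                        'share another user\'s cache, run kinit as this user'
                        % (st.st_uid, uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append('cache mode %04o lets group/others read it; it should be 0600'
                        % stat.S_IMODE(st.st_mode))
    return findings


def browser_cache_findings(env, uid):
    """What a Negotiate-enabled browser started from this environment would see."""
    ctype, location = resolve_ccache(env, uid)
    if ctype != 'FILE':
        return ['%s:%s is not a FILE cache; inspect it with klist instead'
                % (ctype, location)]
    return check_ccache(location, uid)


if __name__ == '__main__':
    for line in browser_cache_findings(os.environ, os.getuid()) or ['cache looks usable']:
        print(line)
```

Run it as the same user that will start Firefox; if it reports "no credential cache", a kinit by that user (not root) creates the cache in the place the browser will look.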


Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

Since there seems to be no explanation why I can't update via ldapmodify,

Can I install "some" of the 389 gui parts to allow me to do this via its GUI?

If so how?

And/Or how can I get a look at the attributes to figure out what's wrong with 
the commands? Something like you have changed ver2 from ver1 and the doc hasn't 
been corrected?

regards 

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

This is Fedora 13 with the yum repo setup as per your web site...

389-ds-base-1.2.6-1.fc13.x86_64
ipa-server-1.2.2-4.fc13.x86_64

Your ldapsearch command gives me,

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

um..

So the LDAP server is dead?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, 22 September 2010 10:02 a.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2

Steven Jones wrote:
> Hi,
>
> Since there seems to be no explanation why I cant update via ldapmodify,

It wasn't entirely clear what version of IPA you were using. You filed a 
doc bug against v1 and asked other basic questions, I assumed you had 
the version wrong. I figured this would come back up once you were able 
to kinit and get to the GUI.

> Can I install "some" the 389 gui parts to allow me to do this via its GUI?

This is strongly discouraged.

>
> If so how?
>
> And/Or how can I get a look at the attributes to figure out what's wrong with 
> the commands? something like you have changed ver2 from ver1 and the doc 
> hasnt been corrected?

It works for me in the IPA v2 git head. What does your entry look like now?

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b 
'cn=ipa_pwd_extop,cn=plugins,cn=config'

And more importantly, what is the rpm version of the IPA server you are 
using? The version of 389-ds-base might be handy too.

rob



Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

I backed out the snapshot and restarted...now I get,


# extended LDIF
#
# LDAPv3
# base  with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# ipa_pwd_extop, plugins, config
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: ipa_pwd_extop
nsslapd-pluginPath: libipa_pwd_extop
nsslapd-pluginInitfunc: ipapwd_init
nsslapd-pluginType: extendedop
nsslapd-pluginEnabled: on
nsslapd-pluginId: IPA Password Manager
nsslapd-pluginVersion: FreeIPA/1.0
nsslapd-pluginVendor: FreeIPA project
nsslapd-pluginDescription: IPA Password Extended Operation plugin
nsslapd-plugin-depends-on-type: database
nsslapd-realmtree: dc=vuw,dc=ac,dc=nz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
===

I tried again, this line seems to be the issue,

dn: cn=ipa_pwd_extop,cn=plugins,cn=config

So I simply follow the guide and input each line one by one? Hitting enter at 
the end of each line?

My impression is it's like I am doing something wrong because the instruction is 
so un-clear...really the manuals are written by ppl that know how to do this 
syntax well...so you are maybe overlooking my simple mis-understanding of how 
to enter these commands correctly.

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
This time I copied the output from the ldapsearch command

"dn: cn=ipa_pwd_extop,cn=plugins,cn=config"

and it worked...

?

So, section 4.4

ipa-replica-manage add --winsync --binddn 
cn=administrator,cn=users,dc=example,dc=com \
--bindpw password --cacert /path/to/certfile.cer adserver.example.com -v

This appears to be wrong?

It should be,

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
--cacert /path/to/certfile.cer adserver.example.com --passsync <password> -v

?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand



Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

Yes I think you are correct, --bindpw is needed, except running this crashed the 
LDAP server...or sends it off to zombie land and I have to reboot it!


ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw <password> \
--cacert /path/to/certfile.cer adserver.example.com --passsync <password> -v

Is there a log somewhere to look for why?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, 22 September 2010 1:57 p.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2

Steven Jones wrote:
> This time I copied the output from the ldapsearch command
>
> "dn: cn=ipa_pwd_extop,cn=plugins,cn=config"
>
> and it worked...

Cosmic rays maybe, those strings look identical to me. Glad it's working 
now in any case.

>
> ?
>
> So, section 4.4
>
> ipa-replica-manage add --winsync --binddn 
> cn=administrator,cn=users,dc=example,dc=com \
> --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v
>
> This appears to be wrong?
>
> It should be,
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
> --cacert /path/to/certfile.cer adserver.example.com --passsync <password> -v
>

You're right in that --passsync is required but --bindpw should also be 
required.

I filed https://bugzilla.redhat.com/show_bug.cgi?id=636377 for this.

rob

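The ldapmodify exchange above (the "wrong attributeType at line 4" error, then success once the dn line was copied from ldapsearch output, with Rob noting the two strings look identical) is the classic symptom of a record pasted from a document rather than typed. The following is an added example, not code from the thread or from FreeIPA/389-ds: a small linter that checks an LDIF change record for the things a paste most often gets wrong and that ldapmodify reports only as a terse syntax error: attribute names outside the RFC 2849 grammar, invisible non-ASCII characters (no-break space, zero-width space, byte-order mark) that survive copy and paste and are indistinguishable on screen, and leading whitespace on a line that is not a continuation. Both sample records are constructed; the "bad" one carries a no-break space after "dn:" and a space before the colon on line 3.

```python
"""Lint an LDIF change record before handing it to ldapmodify.

Added example, not code from the thread or from FreeIPA/389-ds. Reports
problems with the same line numbers ldapmodify would, so a record that
"looks identical" to a working one can be diagnosed instead of retyped.
"""
import re
import unicodedata

# RFC 2849 attribute description: a descr (letter, then letters, digits or
# hyphens) or a dotted numeric OID, optionally followed by ";option" parts.
ATTR_RE = re.compile(
    r'^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*$')


def unfold(text):
    """Join RFC 2849 continuation lines (a line starting with one space
    continues the previous logical line). Returns (first_line_no, line) pairs."""
    logical = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(' ') and logical:
            first_no, prev = logical[-1]
            logical[-1] = (first_no, prev + raw[1:])
        else:
            logical.append((no, raw))
    return logical


def first_invisible(line):
    """Return the first character outside printable ASCII (tab allowed), or None."""
    for ch in line:
        code = ord(ch)
        if code > 126 or (code < 32 and ch != '\t'):
            return ch
    return None


def lint_ldif(text):
    """Return [(line_no, message), ...]; an empty list means the record is clean."""
    problems = []
    lines = [(no, ln) for no, ln in unfold(text)
             if ln.strip() and not ln.startswith('#')]
    if lines and not lines[0][1].startswith('dn:'):
        problems.append((lines[0][0], 'record must start with "dn:"'))
    for no, line in lines:
        bad = first_invisible(line)
        if bad is not None:
            problems.append((no, 'invisible character U+%04X (%s)'
                             % (ord(bad), unicodedata.name(bad, 'unknown'))))
            continue                 # further checks would only repeat the symptom
        if line[0] in ' \t':
            problems.append((no, 'leading whitespace on a non-continuation line'))
            continue
        if line == '-':              # separator between changes in a modify record
            continue
        attr, sep, _value = line.partition(':')
        if not sep:
            problems.append((no, 'missing ":" after the attribute name'))
        elif not ATTR_RE.match(attr):
            problems.append((no, 'wrong attributeType %r' % attr))
    return problems


# Constructed samples: the thread's change record with an example suffix, and
# the same record after a bad paste (U+00A0 after "dn:", "add :" on line 3).
GOOD_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
"""
BAD_LDIF = """\
dn:\u00a0cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add : passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
"""

if __name__ == '__main__':
    for name, record in (('good', GOOD_LDIF), ('bad', BAD_LDIF)):
        print(name, lint_ldif(record) or 'clean')
```

Running the linter over a record saved to a file before piping it into ldapmodify turns the one-word server error into a line number and a named character, which is all that separates the two "identical" dn lines in the thread.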


[Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

I have created a user only to find that the login, home directory, UID and GID 
are all auto-generated...

How can I set the gui to let me put these values in myself?

The linux account and AD account already have these...so I need to be able to 
set these.

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
For ipa-replica-manage list

The output is my AD

vuwwincodc1.vuw.ac.nz


regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Wednesday, 22 September 2010 2:20 p.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2

Steven Jones wrote:
> Hi,
>
> yes I think you are correct, --binpw is ndded except running this crashed the 
> LDAP serveror sends it off to zombie land and I have to reboot it!
>
>
> ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw <password> \
> --cacert /path/to/certfile.cer adserver.example.com --passsync <password> -v
>
> Is there a log somewhere to look for why?

Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME.

Can you provide the output of ipa-replica-manage?

rob



Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
Hi,

Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it 
according to the error log...

So while a sync is happening the LDAP server is offline?

How long should this take?

30secs?

3mins?

30mins?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
After I do the sync command,

ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw <password> \
--cacert /path/to/certfile.cer adserver.example.com --passsync <password> -v


this is what starts in the error log,


[22/Sep/2010:14:33:36 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:14:33:36 +1200] - slapd shutting down - closing down internal 
subsystems and plugins
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - error in 
windows_conn_get_search_result, rc=-1
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to get 
search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:14:43:35 +1200] NSMMReplicationPlugin - failed to send dirsync 
search request: 2
[22/Sep/2010:14:43:36 +1200] NSMMReplicationPlugin - Finished total update of 
replica "agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636)". 
Sent 0 entries.

So after ten mins the LDAP server isn't responding. After ten minutes there is 
some more in the error log,

[22/Sep/2010:14:53:36 +1200] NSMMReplicationPlugin - Warning: incremental 
protocol for replica "agmt="cn=meTovuwwincodc1.vuw.ac.nz636" 
(vuwwincodc1:636)" did not shut down properly.
[22/Sep/2010:14:53:37 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:14:53:37 +1200] - All database threads now stopped
[22/Sep/2010:14:53:37 +1200] - slapd stopped.


regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Wednesday, 22 September 2010 2:45 p.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2

Steven Jones wrote:
> Hi,
>
> Ok, it isnt crashing the LDAP server/service its doing a shutdown of it 
> according to the error log...
>   
What exactly do you see in the error log?  Can you provide excerpts?  
Can you also provide excerpts of the access log from around the time of 
the shutdown?
> So while a sync is happening the LDAP server is offline?
>   
No, not possible.  Something is going wrong.
> How long should this take?
>
> 30secs?
>
> 3mins?
>
> 30mins?
>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -----Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
> Sent: Wednesday, 22 September 2010 2:27 p.m.
> To: Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
> For ipa-replica-manage list
>
> The output is my AD
>
> vuwwincodc1.vuw.ac.nz
>
>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com] 
> Sent: Wednesday, 22 September 2010 2:20 p.m.
> To: Steven Jones
> Cc: Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
> Steven Jones wrote:
>   
>> Hi,
>>
>> yes I think you are correct, --binpw is ndded except running this crashed 
>> the LDAP serveror sends it off to zombie land and I have to reboot it!
>>
>>
>> ipa-replica-manage add --winsync --binddn 
>> cn=administrator,cn=users,dc=example,dc=com --bindpw  
>> \
>> --cacert /path/to/certfile.cer adserver.example.com --passsync> password> -v
>>
>> Is there a log somewhere to look for why?
>> 
>
> Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME.
>
> Can you provide the output of ipa-replica-manage?
>
> rob
>
>   
>> regards
>>
>> Steven Jones Technical Specialist Linux/Vmware
>> Tele 64 4 463 6272
>> Victoria University
>> Kelburn
>> New Zealand
>>
>>
>> -Original Message-
>> From: Rob Crittenden [mailto:rcrit...@redhat.com]
>> Sent: Wednesday, 22 September 2010 1:57 p.m.
>> To: Steven Jones
>> Cc: Freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] probems installin freeipa v2
>>
>> Steven Jones wrote:
>> 
>>> This time I copied the output from the ldapsearch command
>>>
>>> "dn: cn=ipa_pwd_extop,cn=plugins,cn=config"
>>>
>>> and it worked...
>>>   
> >> Cosmic rays maybe, those strings look identical to me. Glad it's working
> >> now in any case.
>>
>> 
>>> ?
>>>
>>>

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones
access log,

[22/Sep/2010:14:22:39 +1200] conn=48 fd=65 slot=65 connection from 127.0.0.1 to 
127.0.0.1
[22/Sep/2010:14:22:39 +1200] conn=48 op=0 BIND dn="" method=128 version=3
[22/Sep/2010:14:22:39 +1200] conn=48 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn=""
[22/Sep/2010:14:22:39 +1200] conn=48 op=1 SRCH base="dc=vuw,dc=ac,dc=nz" 
scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn 
userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:14:22:39 +1200] conn=48 op=1 RESULT err=0 tag=101 nentries=0 
etime=0
[22/Sep/2010:14:23:57 +1200] conn=49 fd=66 slot=66 SSL connection from 
130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:23:57 +1200] conn=49 SSL 256-bit AES
[22/Sep/2010:14:23:57 +1200] conn=49 op=0 BIND dn="cn=directory manager" 
method=128 version=3
[22/Sep/2010:14:23:57 +1200] conn=49 op=0 RESULT err=49 tag=97 nentries=0 
etime=0
[22/Sep/2010:14:23:57 +1200] conn=49 op=1 UNBIND
[22/Sep/2010:14:23:57 +1200] conn=49 op=1 fd=66 closed - U1
[22/Sep/2010:14:24:02 +1200] conn=50 fd=66 slot=66 SSL connection from 
130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:24:02 +1200] conn=50 SSL 256-bit AES
[22/Sep/2010:14:24:02 +1200] conn=50 op=0 BIND dn="cn=directory manager" 
method=128 version=3
[22/Sep/2010:14:24:02 +1200] conn=50 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn="cn=directory manager"
[22/Sep/2010:14:24:02 +1200] conn=50 op=1 SRCH base="cn=config" scope=0 
filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog 
nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:14:24:02 +1200] conn=50 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=2 SRCH base="cn=config,cn=ldbm 
database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" 
attrs="nsslapd-directory"
[22/Sep/2010:14:24:02 +1200] conn=50 op=2 RESULT err=0 tag=101 nentries=1 
etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=3 SRCH base="cn=mapping tree,cn=config" 
scope=2 
filter="(|(objectClass=nsDSWindowsReplicationAgreement)(objectClass=nsds5ReplicationAgreement))"
 attrs=ALL
[22/Sep/2010:14:24:02 +1200] conn=50 op=3 RESULT err=0 tag=101 nentries=1 
etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=4 SRCH 
base="cn=meTovuwwincodc1.vuw.ac.nz636, cn=replica, 
cn=\22dc=vuw,dc=ac,dc=nz\22, cn=mapping tree, cn=config" scope=2 
filter="(objectClass=*)" attrs=ALL
[22/Sep/2010:14:24:02 +1200] conn=50 op=4 RESULT err=0 tag=101 nentries=1 
etime=0
[22/Sep/2010:14:24:02 +1200] conn=50 op=5 UNBIND
[22/Sep/2010:14:24:02 +1200] conn=50 op=5 fd=66 closed - U1
[22/Sep/2010:14:33:36 +1200] conn=51 fd=66 slot=66 SSL connection from 
130.195.53.104 to 130.195.53.104
[22/Sep/2010:14:33:36 +1200] conn=51 SSL 256-bit AES
[22/Sep/2010:14:33:36 +1200] conn=51 op=0 BIND dn="cn=directory manager" 
method=128 version=3
[22/Sep/2010:14:33:36 +1200] conn=51 op=0 RESULT err=0 tag=97 nentries=0 
etime=0 dn="cn=directory manager"
[22/Sep/2010:14:33:36 +1200] conn=51 op=1 SRCH base="cn=config" scope=0 
filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog 
nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:14:33:36 +1200] conn=51 op=1 RESULT err=0 tag=101 nentries=1 
etime=0
[22/Sep/2010:14:33:36 +1200] conn=51 op=2 SRCH base="cn=config,cn=ldbm 
database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" 
attrs="nsslapd-directory"
[22/Sep/2010:14:33:36 +1200] conn=51 op=2 RESULT err=0 tag=101 nentries=1 
etime=0

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Wednesday, 22 September 2010 2:45 p.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2

Steven Jones wrote:
> Hi,
>
> Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it 
> according to the error log...
>   
What exactly do you see in the error log?  Can you provide excerpts?  
Can you also provide excerpts of the access log from around the time of 
the shutdown?
> So while a sync is happening the LDAP server is offline?
>   
No, not possible.  Something is going wrong.
> How long should this take?
>
> 30secs?
>
> 3mins?
>
> 30mins?
>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
> Sent: Wednesday, 22 September 2010 2:27 p.m.
> To: Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
&

Re: [Freeipa-users] probems installin freeipa v2

2010-09-21 Thread Steven Jones

8><---


Can you reliably reproduce this behavior after restarting directory server?


8><

Yes it appears so..

=error
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal 
subsystems and plugins
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in 
windows_conn_get_search_result, rc=-1
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to get 
search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync 
search request: 2
[22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:16:08:32 +1200] - All database threads now stopped
[22/Sep/2010:16:08:32 +1200] - slapd stopped.
=

=access
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" 
scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn 
userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 
etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 
130.195.53.104 to 130.195.53.104
[22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" 
method=128 version=3
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn="cn=directory manager"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 
filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog 
nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm 
database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" 
attrs="nsslapd-directory"
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
=

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand





[Freeipa-users] Probems syncing freeipa v2 to AD

2010-09-22 Thread Steven Jones
Hi,

Any idea how to stop the LDAP server hosing itself?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Wednesday, 22 September 2010 4:11 p.m.
To: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] probems installin freeipa v2


8><---


Can you reliably reproduce this behavior after restarting directory server?


8><

Yes it appears so..

=error
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal 
subsystems and plugins
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in 
windows_conn_get_search_result, rc=-1
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - 
agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to get 
search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync 
search request: 2
[22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:16:08:32 +1200] - All database threads now stopped
[22/Sep/2010:16:08:32 +1200] - slapd stopped.
=

=access
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" 
scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn 
userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 
etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 
130.195.53.104 to 130.195.53.104
[22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" 
method=128 version=3
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 
dn="cn=directory manager"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 
filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog 
nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm 
database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" 
attrs="nsslapd-directory"
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
=

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand





Re: [Freeipa-users] Probems syncing freeipa v2 to AD

2010-09-22 Thread Steven Jones
Hi,

I have not seen such an email.

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Dmitri Pal [mailto:d...@redhat.com] 
Sent: Thursday, 23 September 2010 9:19 a.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Probems syncing freeipa v2 to AD

Steven Jones wrote:
> Hi,
>
> Any idea how to stop the LDAP server hosing itself?
>   

Have you filed a bug with this issue as Rich suggested in his last email?

Thank you
Dmitri

> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
> Sent: Wednesday, 22 September 2010 4:11 p.m.
> To: Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] probems installin freeipa v2
>
>
> 8><---
>
>
> Can you reliably reproduce this behavior after restarting directory server?
>
>
> 8><
>
> Yes it appears so..
>
> =error
> [22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation 
> threads
> [22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal 
> subsystems and plugins
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in 
> windows_conn_get_search_result, rc=-1
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - 
> agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to 
> get search operation: LDAP error 81 (Can't contact LDAP server)
> [22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync 
> search request: 2
> [22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
> [22/Sep/2010:16:08:32 +1200] - All database threads now stopped
> [22/Sep/2010:16:08:32 +1200] - slapd stopped.
> =
>
> =access
> [22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" 
> scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass 
> cn userPassword gidNumber member nsUniqueId modifyTimestamp"
> [22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 
> etime=0
> [22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 
> 130.195.53.104 to 130.195.53.104
> [22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
> [22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" 
> method=128 version=3
> [22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 
> etime=0 dn="cn=directory manager"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 
> filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog 
> nsslapd-certdir nsslapd-schemadir"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 
> etime=0
> [22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm 
> database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" 
> attrs="nsslapd-directory"
> [22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 
> etime=0
> =
>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
>
>
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




[Freeipa-users] bug 634561

2010-09-23 Thread Steven Jones
Hi,

Bug 634561 has been fixed...

How do I get this into/onto my setup please?

regards 


Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand



[Freeipa-users] Migrating passwd files etc into free-ipa

2010-09-23 Thread Steven Jones
Is there a method to do this?

I tried to use LdapImport.pl from the 389 project and this failed

Giving me all # = entry not added to destination (other error)

Possibly the password criteria in freeipa is "too strong"?

How can I disable this feature?

or is there another way to import?

regards 


Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand



Re: [Freeipa-users] Migrating passwd files etc into free-ipa

2010-09-26 Thread Steven Jones
Ok,

So lets avoid the passwords

Is there an automatic / scripted way to import the passwd file so I get the 
UID's, GID's etc into ipa?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Dmitri Pal [mailto:d...@redhat.com] 
Sent: Friday, 24 September 2010 11:18 p.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
> Is there a method to do this?
>
> I tried to use LdapImport.pl from the 389 project and this failed
>
> Giving me all # = entry not added to destination (other error)
>
> Possibly the password criteria in freeipa is "too strong"?
>
> How can I disable this feature?
>
> or is there another way to import?
>
>   
Migration of the passwords is a tough problem.
The issue is that the passwords in the local files are hashed using a
simple hash algorithm, while in IPA they are hashed to create Kerberos keys.
Converting from one to the other without knowing the clear password is not
possible. If you already have an LDAP server with passwords you can take
advantage of our LDAP migration schemes, but if you have local files this
will be a challenge.
For the migrating-from-LDAP case you can load your users into IPA and
then configure SSSD to use migration mode on the client, or you can
instruct users to go to a special migration web page. In both cases you
already have the password hashed in the LDAP format in IPA, so SSSD
or the migration page will capture the cleartext password and pass it to IPA
so that it can use it to generate the Kerberos hashes.

A quick search around migrating passwords from flat files to LDAP showed
that it is in some cases possible (if the hash that is used by the flat
file is supported by the DS server), but tricky.
We do not have any aid here, so it is simpler to reset the password. If
this is not an option, as far as I understand you need to create user
accounts first with some password and then overwrite the password
attribute in the LDAP with the properly decorated hash taken from the
password file. And after that you still need the Kerberos keys for IPA
to work, so you still need to use the migration page or SSSD. It might be
less trouble just to bite the bullet and reset passwords as you migrate
to IPA.

Thanks
Dmitri

> regards 
>
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>   


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.






[Freeipa-users] Free-ipa no longer working

2010-09-26 Thread Steven Jones
Hi,

I have come back after the weekend and find that the gui no longer works

While trying to get a new kerberos ticket I get,

"kinit: Cannot contact and KDC realm 'VUW.AC.NZ' while getting credentials"

So any ideas where I go looking?


regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand



Re: [Freeipa-users] Migrating passwd files etc into free-ipa

2010-09-27 Thread Steven Jones
Hi,

Thanks...

Re: your comment... However, I will re-direct you to one of the core ideas I 
thought was behind FreeIPA: to make it easy for the end user to deploy and 
use.

In my situation I have hundreds of users, over 2 hundred RHEL servers and 
probably shortly a pile of workstations... I have no experience/knowledge 
with any centralised system, LDAP, AD etc. and zero programming capability 
beyond bash scripting, no money and no time... so this is actually VERY 
technically challenging for me, ESPECIALLY with a management that are all 
Windows trained and are used to typing "dcpromo" and job done with no cost, and 
would happily rip out Red Hat to save money at the drop of a hat if they could.

Red Hat I assume wants to sell this into the enterprise, in version RHEL 6.1? 
This is certainly what our friendly RH architect tells us... He recommended we 
try FreeIPA; I will feed back to him.

So please don't under-estimate the value of migration tools. For you, sure, it's 
technically easy; for me at the bottom of the identity management ladder, I 
have a huge setup, so it's close to impossible.

You don't deploy this as a one-off in the real world or day to day?

So anyway I used the existing padl tools and oh, that didn't work... easy would 
have been... it worked.

It's very simple: vendors who want to sell their [alternative] product into the 
market place have to supply a migration tool from the competition's product or 
there won't be a deal.

regards

Steven
bcc MW.


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 28 September 2010 4:30 a.m.
To: Steven Jones
Cc: Dmitri Pal; freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
> Ok,
>
> So lets avoid the passwords
>
> Is there an automatic / scripted way to import the passwd file so I get the 
> UID's, GID's etc into ipa?

We have generally left this as an exercise for the end-user because it
isn't a technically difficult problem. It is more a policy and config
problem.

Attached is a simple demonstration of doing this using IPA command-line.
The tricky part is dealing with names. There is no universal way of
getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob

>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -Original Message-
> From: Dmitri Pal [mailto:d...@redhat.com]
> Sent: Friday, 24 September 2010 11:18 p.m.
> To: Steven Jones
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa
>
> Steven Jones wrote:
>> Is there a method to do this?
>>
>> I tried to use LdapImport.pl from the 389 project and this failed
>>
>> Giving me all # = entry not added to destination (other error)
>>
>> Possibly the password criteria in freeipa is "too strong"?
>>
>> How can I disable this feature?
>>
>> or is there another way to import?
>>
>>
> Migration of the passwords is a tough problem.
> The issue is that the passwords in the local files are hashed using a
> simple hash algorithm, while in IPA they are hashed to create Kerberos keys.
> Converting from one to the other without knowing the clear password is not
> possible. If you already have an LDAP server with passwords you can take
> advantage of our LDAP migration schemes, but if you have local files this
> will be a challenge.
> For the migrating-from-LDAP case you can load your users into IPA and
> then configure SSSD to use migration mode on the client, or you can
> instruct users to go to a special migration web page. In both cases you
> already have the password hashed in the LDAP format in IPA, so SSSD
> or the migration page will capture the cleartext password and pass it to IPA
> so that it can use it to generate the Kerberos hashes.
>
> A quick search around migrating passwords from flat files to LDAP showed
> that it is in some cases possible (if the hash that is used by the flat
> file is supported by the DS server), but tricky.
> We do not have any aid here, so it is simpler to reset the password. If
> this is not an option, as far as I understand you need to create user
> accounts first with some password and then overwrite the password
> attribute in the LDAP with the properly decorated hash taken from the
> password file. And after that you still need the Kerberos keys for IPA
> to work, so you still need to use the migration page or SSSD. It might be
> less trouble just to bite the bullet and reset passwords as you migrate
> to IPA.
>
> Thanks
> Dmitri
>
>> regards
>>
>
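Rob's attachment is not in the archive, so here is an added example (not his script, and not part of the thread) of the same idea: read passwd lines, keep the UID/GID/home/shell, derive first and last names from the gecos field, skip entries with no gecos, and emit an `ipa user-add` command per user. It assumes the FreeIPA v2 option names --first, --last, --uid, --gidnumber, --homedir and --shell, a constructed sample passwd file, and a UID cut-off of 1000 for system accounts; names are the guesswork Rob warns about, so review the generated commands before running them.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample passwd file (not from any real host): a system account,
# an entry with no gecos, a gecos with trailing comma fields, a one-word gecos.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2::/sbin:/sbin/nologin
jonesst1:x:1001:1001:Steven Jones,Kelburn,,:/home/jonesst1:/bin/bash
asmith:x:1002:1002:Alice Smith:/home/asmith:/bin/bash
svc_backup:x:1003:1003::/var/lib/backup:/sbin/nologin
mononym:x:1004:1004:Cher:/home/mononym:/bin/bash
"""

MIN_UID = 1000  # assumption: anything below this is a system account, not imported


@dataclass
class ImportUser:
    login: str
    first: str
    last: str
    uid: int
    gid: int
    homedir: str
    shell: str

    def ipa_argv(self) -> List[str]:
        # Assumed FreeIPA v2 CLI option names; check `ipa user-add --help`.
        return ['ipa', 'user-add', self.login,
                f'--first={self.first}', f'--last={self.last}',
                f'--uid={self.uid}', f'--gidnumber={self.gid}',
                f'--homedir={self.homedir}', f'--shell={self.shell}']


def split_gecos(gecos: str, login: str) -> Optional[Tuple[str, str]]:
    """Use the full-name field (before the first comma) as first/last name.
    A one-word name gets the login as surname; no name at all returns None."""
    name = gecos.split(',')[0].strip()
    if not name:
        return None
    parts = name.split()
    last = ' '.join(parts[1:]) if len(parts) > 1 else login
    return parts[0], last


def passwd_to_users(text: str, min_uid: int = MIN_UID
                    ) -> Tuple[List[ImportUser], List[str]]:
    """Return the users to import and a list of reasons for skipped lines."""
    users, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            skipped.append(f'line {lineno}: malformed passwd entry')
            continue
        login, _pw, uid, gid, gecos, homedir, shell = fields
        uid, gid = int(uid), int(gid)
        if uid < min_uid:
            skipped.append(f'{login}: uid {uid} below {min_uid}, system account')
            continue
        names = split_gecos(gecos, login)
        if names is None:
            skipped.append(f'{login}: no gecos, cannot derive a name')
            continue
        users.append(ImportUser(login, names[0], names[1], uid, gid, homedir, shell))
    return users, skipped


def render_script(users: List[ImportUser]) -> str:
    """Shell-quoted command lines, one per user, ready to review and run."""
    return '\n'.join(' '.join(shlex.quote(a) for a in u.ipa_argv()) for u in users)


if __name__ == '__main__':
    imported, reasons = passwd_to_users(SAMPLE_PASSWD)
    print(render_script(imported))
    for reason in reasons:
        print('# skipped:', reason)
```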

Re: [Freeipa-users] bug 634561

2010-09-28 Thread Steven Jones
Hi,

Sorry if this sounds pushy but any chance of an ETA please?

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand


-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Friday, 24 September 2010 8:20 a.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] bug 634561

Steven Jones wrote:
> Hi,
>
> Bug 634561 has been fixed...
>
> How do I get this into/onto my setup please?
>   
We're working on a 389-ds-base 1.2.6.1 release.  Should be in testing 
very soon.
> regards   
>
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>   




[Freeipa-users] Adding a freeipa version 2 repo to RHEL 5

2010-09-29 Thread Steven Jones
Hi,

Is it possible to install a FreeIPA v2 client on RHELu5 64bit?

I cannot find anything via Google that indicates this is so or how to do it.

If so what's the repo config pls?

If not will the ver1 of freeipa work and if so what is the repo?

The client documentation simply says it's possible... yet nothing on Google 
indicates how or if this is actually the case...

regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand



[Freeipa-users] When does freeipa make it to the Red Hat tree? some years off? RHEL7?

2010-10-07 Thread Steven Jones
regards

Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand




Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-15 Thread Steven Jones
Has anyone tried this?

I get a "Damaged repo file"

regards



Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-16 Thread Steven Jones
Is there a series of RPMs I can download?

i.e. can someone tell me which ones I need for the server and which ones I
need for the client, and in what order I install? I can get the RPMs off
the store, just not via yum as the repo is dead for me... either it's a
remote issue, or our firewall is preventing a connection by some means.


regards



[Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 1 Release

2011-02-17 Thread Steven Jones
Trying to install but there appears to be a dependency failure

ipa server requires 389-ds-base > 1.2.8 but 389-ds-base = 1.2.6

regards





[Freeipa-users] While attempting to make a replica....I get this failure....

2011-02-27 Thread Steven Jones

[root@fed14-64-ipam001 jonesst1]# ipa-replica-prepare
fed14-64-ipam002.ipa.ac.nz
Directory Manager (existing master) password: 

Preparing replica for fed14-64-ipam002.ipa.ac.nz from
fed14-64-ipam001.ipa.ac.nz
Creating SSL certificate for the Directory Server
ipa: INFO: sslget
'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
Creating SSL certificate for the Web Server
ipa: INFO: sslget
'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
preparation of replica failed: cannot connect to
'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': 
[Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key 
necessary for authentication.
cannot connect to
'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': 
[Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key 
necessary for authentication.
  File "/usr/sbin/ipa-replica-prepare", line 431, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 363, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 136, in export_certdb
raise e


If I go to the URL I get,



The Certificate System has encountered an unrecoverable error.

Error Message:
java.lang.NullPointerException

Please contact your local administrator for assistance. 


???

regards



[Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-27 Thread Steven Jones
I have just built these 2 fed14 to act as a server and client and run
yum update... so they should be as closely sync'd as possible...

=client===

[root@fed14-64-ipacl01 ~]# ipa-client-install
Discovery was successful!
Realm: IPA.AC.NZ
DNS Domain: ipa.ac.nz
IPA Server: fed14-64-ipam001.ipa.ac.nz
BaseDN: dc=ipa,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
Enrollment principal: admin
Password for ad...@ipa.ac.nz: 

Joining realm failed because of failing XML-RPC request.
  This error may be caused by incompatible server/client major versions.
[root@fed14-64-ipacl01 ~]# date
Mon Feb 28 03:12:57 NZDT 2011
[root@fed14-64-ipacl01 ~]# 


=server===

8><
is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates-testing/prestodelta
|  30 kB 00:00 
Processing delta metadata
Package(s) data still to download: 304 k
(1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm
| 175 kB 00:00 
(2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm
| 129 kB 00:00 

Total
789 kB/s | 304 kB 00:00 
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64
1/4 
  Updating   : nss-softokn-3.12.9-5.fc14.x86_64
2/4 
  Cleanup: nss-softokn-3.12.9-4.fc14.x86_64
3/4 
  Cleanup: nss-softokn-freebl-3.12.9-4.fc14.x86_64
4/4 

Updated:
  nss-softokn.x86_64 0:3.12.9-5.fc14
nss-softokn-freebl.x86_64 0:3.12.9-5.fc14 

Complete!
[root@fed14-64-ipam001 tmp]# date
Mon Feb 28 03:13:02 NZDT 2011
[root@fed14-64-ipam001 tmp]# 


So nothing major on the server needs updating and the client is bang up
to date, time stamp is close

regards




[Freeipa-users] Freeipa fails to start after a reboot

2011-02-27 Thread Steven Jones
What scripts need to be run, and in what order, to start the primary ipa
server?

regards



Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Steven Jones
Hi,

The point is both the client and the server are up to date in terms of
patches from the repo.

So your repo is not consistent and needs fixing..

regards


On Mon, 2011-02-28 at 10:43 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I have just built these 2 fed14 to act as a server and client and run
> > yum update... so they should be as closely sync'd as possible...
> >
> > =client===
> >
> > [root@fed14-64-ipacl01 ~]# ipa-client-install
> > Discovery was successful!
> > Realm: IPA.AC.NZ
> > DNS Domain: ipa.ac.nz
> > IPA Server: fed14-64-ipam001.ipa.ac.nz
> > BaseDN: dc=ipa,dc=ac,dc=nz
> >
> >
> > Continue to configure the system with these values? [no]: yes
> > Enrollment principal: admin
> > Password for ad...@ipa.ac.nz:
> >
> > Joining realm failed because of failing XML-RPC request.
> >This error may be caused by incompatible server/client major versions.
> > [root@fed14-64-ipacl01 ~]# date
> > Mon Feb 28 03:12:57 NZDT 2011
> > [root@fed14-64-ipacl01 ~]#
> >
> >
> > =server===
> >
> > 8><
> > is this ok [y/N]: y
> > Downloading Packages:
> > Setting up and reading Presto delta metadata
> > updates-testing/prestodelta
> > |  30 kB 00:00
> > Processing delta metadata
> > Package(s) data still to download: 304 k
> > (1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm
> > | 175 kB 00:00
> > (2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm
> > | 129 kB 00:00
> > 
> > Total
> > 789 kB/s | 304 kB 00:00
> > Running rpm_check_debug
> > Running Transaction Test
> > Transaction Test Succeeded
> > Running Transaction
> >Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64
> > 1/4
> >Updating   : nss-softokn-3.12.9-5.fc14.x86_64
> > 2/4
> >Cleanup: nss-softokn-3.12.9-4.fc14.x86_64
> > 3/4
> >Cleanup: nss-softokn-freebl-3.12.9-4.fc14.x86_64
> > 4/4
> >
> > Updated:
> >nss-softokn.x86_64 0:3.12.9-5.fc14
> > nss-softokn-freebl.x86_64 0:3.12.9-5.fc14
> >
> > Complete!
> > [root@fed14-64-ipam001 tmp]# date
> > Mon Feb 28 03:13:02 NZDT 2011
> > [root@fed14-64-ipam001 tmp]#
> > 
> >
> > So nothing major on the server needs updating and the client is bang up
> > to date, time stamp is close
> >
> > regards
> 
> The client and server packages need to be the same version. We realized 
> that we had re-used an OID and had to change the OID used to register 
> the enrollment OID. So the client package needs to be the same version 
> as the server, for now anyway.
> 
> rob




Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Steven Jones
Hi,

How do I tell?

ie what are the package names?

but apart from that both are yum updated from the same repo, so this
means your repo is probably the problem

regards

On Mon, 2011-02-28 at 10:42 -0500, Dmitri Pal wrote:
> On 02/27/2011 10:22 PM, Steven Jones wrote:
> > I have just built these 2 fed14 to act as a server and client and run
> > yum update... so they should be as closely sync'd as possible...
> >
> > =client===
> >
> > [root@fed14-64-ipacl01 ~]# ipa-client-install
> > Discovery was successful!
> > Realm: IPA.AC.NZ
> > DNS Domain: ipa.ac.nz
> > IPA Server: fed14-64-ipam001.ipa.ac.nz
> > BaseDN: dc=ipa,dc=ac,dc=nz
> >
> >
> > Continue to configure the system with these values? [no]: yes
> > Enrollment principal: admin
> > Password for ad...@ipa.ac.nz: 
> >
> > Joining realm failed because of failing XML-RPC request.
> >   This error may be caused by incompatible server/client major versions.
> > [root@fed14-64-ipacl01 ~]# date
> > Mon Feb 28 03:12:57 NZDT 2011
> > [root@fed14-64-ipacl01 ~]# 
> >
> >
> > =server===
> >
> > 8><
> > is this ok [y/N]: y
> > Downloading Packages:
> > Setting up and reading Presto delta metadata
> > updates-testing/prestodelta
> > |  30 kB 00:00 
> > Processing delta metadata
> > Package(s) data still to download: 304 k
> > (1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm
> > | 175 kB 00:00 
> > (2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm
> > | 129 kB 00:00 
> > 
> > Total
> > 789 kB/s | 304 kB 00:00 
> > Running rpm_check_debug
> > Running Transaction Test
> > Transaction Test Succeeded
> > Running Transaction
> >   Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64
> > 1/4 
> >   Updating   : nss-softokn-3.12.9-5.fc14.x86_64
> > 2/4 
> >   Cleanup: nss-softokn-3.12.9-4.fc14.x86_64
> > 3/4 
> >   Cleanup: nss-softokn-freebl-3.12.9-4.fc14.x86_64
> > 4/4 
> >
> > Updated:
> >   nss-softokn.x86_64 0:3.12.9-5.fc14
> > nss-softokn-freebl.x86_64 0:3.12.9-5.fc14 
> >
> > Complete!
> > [root@fed14-64-ipam001 tmp]# date
> > Mon Feb 28 03:13:02 NZDT 2011
> > [root@fed14-64-ipam001 tmp]# 
> > 
> >
> > So nothing major on the server needs updating and the client is bang up
> > to date, time stamp is close
> >
> > regards
> >
> >
> >
> >
> Recent changes and fixes in the server and client communication require
> the updates to both.
> Which versions do you have?
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 




Re: [Freeipa-users] Freeipa fails to start after a reboot

2011-02-28 Thread Steven Jones

So Im having fun.

Looks like the rpm didn't install properly?  Or the install script
failed? Strange, because it seemed to be running before I rebooted... so
something has gone wrong after the install?

[root@fed14-64-ipam001 init.d]# ipa start
ipa: ERROR: unknown command 'start'
[root@fed14-64-ipam001 init.d]# ./ipa start
Starting Directory Service
Starting dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
Error retrieving list of services {'matched':
'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
Is IPA installed?
Failed to read data from Directory Service
Shutting down
Shutting down dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
[root@fed14-64-ipam001 init.d]# service ipactl start
ipactl: unrecognized service
]# 


So find gets me the script..


[root@fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
Starting Directory Service
Starting dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
Error retrieving list of services {'matched':
'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
Is IPA installed?
Failed to read data from Directory Service
Shutting down
Shutting down dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
[root@fed14-64-ipam001 init.d]# 

On Mon, 2011-02-28 at 16:39 +1000, David O'Brien wrote:
> Steven Jones wrote:
> > What scripts need to be run, and in what order, to start the primary ipa
> > server?
> > 
> > regards
> > 
> 
> if you run "service ipactl start" it should start all the required ipa 
> services in the correct order.
> 
> -- 
> 
> David O'Brien
> Red Hat Asia Pacific Pty Ltd
> +61 7 3514 8189
> 
> 
> "He who asks is a fool for five minutes, but he who does not ask remains 
> a fool forever."
>   ~ Chinese proverb




Re: [Freeipa-users] While attempting to make a replica....I get this failure....

2011-02-28 Thread Steven Jones
===

[root@fed14-64-ipam001 init.d]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
IPA.AC.NZ IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
[root@fed14-64-ipam001 init.d]# 

===

regards


On Mon, 2011-02-28 at 10:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> >
> > [root@fed14-64-ipam001 jonesst1]# ipa-replica-prepare
> > fed14-64-ipam002.ipa.ac.nz
> > Directory Manager (existing master) password:
> >
> > Preparing replica for fed14-64-ipam002.ipa.ac.nz from
> > fed14-64-ipam001.ipa.ac.nz
> > Creating SSL certificate for the Directory Server
> > ipa: INFO: sslget
> > 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
> > Creating SSL certificate for the Web Server
> > ipa: INFO: sslget
> > 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
> > preparation of replica failed: cannot connect to
> > 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': 
> > [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or 
> > key necessary for authentication.
> > cannot connect to
> > 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': 
> > [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or 
> > key necessary for authentication.
> >File "/usr/sbin/ipa-replica-prepare", line 431, in
> >  main()
> >
> >File "/usr/sbin/ipa-replica-prepare", line 363, in main
> >  export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "httpcert",
> > replica_fqdn, subject_base)
> >
> >File "/usr/sbin/ipa-replica-prepare", line 136, in export_certdb
> >  raise e
> >
> >
> > If I go to the URL I get,
> >
> > 
> >
> > The Certificate System has encountered an unrecoverable error.
> >
> > Error Message:
> > java.lang.NullPointerException
> >
> > Please contact your local administrator for assistance.
> > 
> >
> > ???
> >
> > regards
> 
> Can you provide the output of:
> 
> # certutil -L -d /etc/httpd/alias
> 
> During installation dogtag provides us with an RA agent certificate that 
> we use to communicate with the CA. This certificate should be stored in 
> /etc/httpd/alias.
> 
> rob


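Rob's request above comes down to one question: is the RA agent certificate that the server presents to the CA actually in /etc/httpd/alias, with its private key? The following is an added example, not FreeIPA project code. It parses a `certutil -L` listing (the constructed sample reproduces the one posted in this thread) and reports required nicknames that are absent or carry unexpected trust flags. Which nicknames count as required (ipaCert, Server-Cert) is an assumption drawn from Rob's description and the posted listing.

```python
"""Check a `certutil -L` listing for the certificates the RA-to-CA path needs.

Added example, not FreeIPA project code. SAMPLE_LISTING is constructed from
the listing posted in the thread; REQUIRED is an assumption.
"""
import re

# Constructed from the `certutil -L -d /etc/httpd/alias` output posted above.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
IPA.AC.NZ IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
"""

# Assumed required nicknames. "u" in the SSL slot means the private key is
# present in the DB, which is what client-certificate authentication needs.
REQUIRED = {
    "ipaCert": "u,u,u",      # RA agent certificate presented to dogtag
    "Server-Cert": "u,u,u",  # httpd's own server certificate
}

# A data row: nickname, whitespace, then three comma-separated flag groups.
_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def parse_certutil_listing(text):
    """Map nickname -> trust flags; header and blank lines do not match _ROW."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def check_required(certs, required=REQUIRED):
    """Return (nickname, problem) pairs for required certs that are absent or
    carry unexpected trust flags; an empty list means the DB looks complete."""
    problems = []
    for nick, flags in required.items():
        if nick not in certs:
            problems.append((nick, "missing"))
        elif certs[nick] != flags:
            problems.append((nick, "trust %s, expected %s" % (certs[nick], flags)))
    return problems


def trusted_cas(certs):
    """Nicknames whose SSL trust slot carries 'C' (trusted to issue server certs)."""
    return sorted(n for n, f in certs.items() if "C" in f.split(",")[0])


if __name__ == "__main__":
    certs = parse_certutil_listing(SAMPLE_LISTING)
    print("problems:", check_required(certs) or "none")
    print("trusted CAs:", trusted_cas(certs))
```

On a live system, feed the function the output of `certutil -L -d /etc/httpd/alias`; a missing `ipaCert` row, or one whose first flag group lacks `u`, is the condition under which the connection to port 9444 has no client certificate to offer.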


Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Steven Jones
Hi,

As per your website and I SCP'd the freeipa-devel.repo over to the
client and the replica from the master

regards


On Mon, 2011-02-28 at 14:30 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > Hi,
> >
> > The point is both the client and the server are up to date in terms of
> > patches from teh repo.
> >
> > So your repo is not consistent and needs fixing..
> 
> Yes, but what version are you using and what repo, the ipa-devel repo?
> 
> rob
> 
> >
> > regards
> >
> >
> > On Mon, 2011-02-28 at 10:43 -0500, Rob Crittenden wrote:
> >> Steven Jones wrote:
> >>> I have just built these 2 fed14 to act as a server and client and run
> >>> yum update... so they should be as closely sync'd as possible...
> >>>
> >>> =client===
> >>>
> >>> [root@fed14-64-ipacl01 ~]# ipa-client-install
> >>> Discovery was successful!
> >>> Realm: IPA.AC.NZ
> >>> DNS Domain: ipa.ac.nz
> >>> IPA Server: fed14-64-ipam001.ipa.ac.nz
> >>> BaseDN: dc=ipa,dc=ac,dc=nz
> >>>
> >>>
> >>> Continue to configure the system with these values? [no]: yes
> >>> Enrollment principal: admin
> >>> Password for ad...@ipa.ac.nz:
> >>>
> >>> Joining realm failed because of failing XML-RPC request.
> >>> This error may be caused by incompatible server/client major versions.
> >>> [root@fed14-64-ipacl01 ~]# date
> >>> Mon Feb 28 03:12:57 NZDT 2011
> >>> [root@fed14-64-ipacl01 ~]#
> >>>
> >>>
> >>> =server===
> >>>
> >>> 8><
> >>> is this ok [y/N]: y
> >>> Downloading Packages:
> >>> Setting up and reading Presto delta metadata
> >>> updates-testing/prestodelta
> >>> |  30 kB 00:00
> >>> Processing delta metadata
> >>> Package(s) data still to download: 304 k
> >>> (1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm
> >>> | 175 kB 00:00
> >>> (2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm
> >>> | 129 kB 00:00
> >>> 
> >>> Total
> >>> 789 kB/s | 304 kB 00:00
> >>> Running rpm_check_debug
> >>> Running Transaction Test
> >>> Transaction Test Succeeded
> >>> Running Transaction
> >>> Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64
> >>> 1/4
> >>> Updating   : nss-softokn-3.12.9-5.fc14.x86_64
> >>> 2/4
> >>> Cleanup: nss-softokn-3.12.9-4.fc14.x86_64
> >>> 3/4
> >>> Cleanup: nss-softokn-freebl-3.12.9-4.fc14.x86_64
> >>> 4/4
> >>>
> >>> Updated:
> >>> nss-softokn.x86_64 0:3.12.9-5.fc14
> >>> nss-softokn-freebl.x86_64 0:3.12.9-5.fc14
> >>>
> >>> Complete!
> >>> [root@fed14-64-ipam001 tmp]# date
> >>> Mon Feb 28 03:13:02 NZDT 2011
> >>> [root@fed14-64-ipam001 tmp]#
> >>> 
> >>>
> >>> So nothing major on the server needs updating and the client is bang up
> >>> to date, time stamp is close
> >>>
> >>> regards
> >>
> >> The client and server packages need to be the same version. We realized
> >> that we had re-used an OID and had to change the OID used to register
> >> the enrollment OID. So the client package needs to be the same version
> >> as the server, for now anyway.
> >>
> >> rob
> >
> 




Re: [Freeipa-users] While attempting to join a client ....I get this failure....

2011-02-28 Thread Steven Jones
8><

> On the client: rpm -q freeipa-client

freeipa-client-2.0.0.rc1-0.fc14.x86_64

> On the server: rpm -q freeipa-server

freeipa-server-2.0.0.rc1-0.fc14.x86_64

regards



Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-02-28 Thread Steven Jones
Not sure if I have to change anything in the repo? but rc2.0 does not
appear...

regards


On Mon, 2011-02-28 at 16:07 -0500, Rob Crittenden wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
> 
> The FreeIPA project team is pleased to announce the availability of the 
> Release Candidate 2 release of freeIPA 2.0 server [1].
> 
> * Binaries are available for F-14 and F-15 [2].
> * Please do not hesitate to share feedback, criticism or bugs with us on 
> our mailing list: freeipa-users@redhat.com
> 
> Main Highlights of the Release Candidate.
> 
> This release consists primarily of bug fixes and polish across all areas 
> of the project. Modifications include but are not limited to
> * Make Indirect membership clearer.
> * Input validation fixes.
> * WebUI improvements.
> * Created default Roles.
> * IPv6 support
> * Documentation updates
> 
> Focus of the Release Candidate Testing
> * There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests 
> are still relevant and feedback would be appreciated.
> * The following section outlines the areas that we are mostly interested 
> to test [4].
> 
> Significant Changes Since RC 1
> To see all the tickets addressed since the beta 2 release see [6].
> 
> Repositories and Installation
> * Use the following link to install the RC 2 packages [5].
> * FreeIPA relies on the latest versions of the packages currently 
> available from the updates-testing repository. Please make sure to 
> enable this repository before you proceed with installation.
> 
> Known Issues:
> * There are known issues that currently prevent FreeIPA from 
> successfully installing with dogtag on F-15 [2]. We will send a separate 
> message when this issue is resolved. The FreeIPA server is installable 
> with the --selfsign option on F-15, or with dogtag on F-14.
> * Server-generated error messages are not translated yet.
> * The 'ipa help' command does not support localization.
> 
> We plan to address all the outstanding tickets before the final 2.0 
> release. For the complete list see [7].
> 
> Thank you,
> The FreeIPA development team
> 
> [1] http://www.freeipa.org/page/Downloads
> [2] dogtag is having issues with systemd: 
> https://bugzilla.redhat.com/show_bug.cgi?id=676330
> [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
> [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
> [5] http://freeipa.org/downloads/freeipa-devel.repo
> [6] 
> https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2)
> [7] 
> https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
> 




Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-02-28 Thread Steven Jones
um... checksum error?

===
[root@fed14-64-ipacl01 yum.repos.d]# yum update
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
freeipa-devel
| 1.3 kB 00:00 
freeipa-devel/primary
|  10 kB 00:00 
http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: 
[Errno -1] Metadata file does not match checksum
Trying other mirror.
updates/metalink
| 2.1 kB 00:00 
updates-testing/metalink
|  45 kB 00:01 
Setting up Update Process
No Packages marked for Update
[root@fed14-64-ipacl01 yum.repos.d]#
===

?

regards





Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-02-28 Thread Steven Jones
I have tried to download the rpms by hand and the dependencies are all
broken, i.e. python... well stuffed by the looks of it...

regards



Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Steven Jones
I'm getting a pycurl error 6... so every few hours the errors change

regards

Steven



On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> Hi,
> 
> I updated my IPA test servers last night without a problem. I have only the 
> default Fedora 14 repo
> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA 
> test servers.
> 
> 
> Rgds,
> Siggi
> 
> 
> 
> 
> On Tue, March 1, 2011 01:32, Steven Jones wrote:
> > I have tried to download the rpms by hand and the dependencies are all
> > broken, i.e. python... well stuffed by the looks of it...
> >
> > regards
> >
> >
> >
> 
> 




Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Steven Jones
Hi,

Yes, I've now figured it out... the KVM software seems to spit the dummy
every day or so and simply stop forwarding / returning dns requests.

I have uninstalled rc1 and installed rc2 but it's still dying with the
previous msgs... so it won't survive a reboot, but kinit admin etc works
fine before the reboot.

===
[root@fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
Starting Directory Service
Starting dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
Error retrieving list of services {'matched':
'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
Is IPA installed?
Failed to read data from Directory Service
Shutting down
Shutting down dirsrv: 
IPA-AC-NZ...   [  OK  ]
PKI-IPA... [  OK  ]
[root@fed14-64-ipam001 init.d]# 


regards




On Tue, 2011-03-01 at 16:10 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I'm getting a pycurl error 6... so every few hours the errors change
> 
> I don't know if the pycurl errors are equivalent to the curl errors but 
> in curl error 6 means couldn’t resolve host.
> 
> You might try: yum clean all
> 
> I tried the repo myself and was able to install rc2 ok.
> 
> rob
> 
> >
> > regards
> >
> > Steven
> >
> >
> >
> > On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> >> Hi,
> >>
> >> I updated my IPA test servers last night without a problem. I have only 
> >> the default Fedora 14 repo
> >> + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my 
> >> IPA test servers.
> >>
> >>
> >> Rgds,
> >> Siggi
> >>
> >>
> >>
> >>
> >> On Tue, March 1, 2011 01:32, Steven Jones wrote:
> >>> I have tried to download the rpms by hand and the dependencies are all
> >>> broken, i.e. python... well stuffed by the looks of it...
> >>>
> >>> regards
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> 



Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Steven Jones
8><-

> I think it is a mismatch between what we've stored as the hostname and 
> the hostname of the machine.
> 
> Can you look at the output of these commands and see if the hostname is 
> the same between them all?
> 
> $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn

LDAP server is dead

> $ hostname

fed14-64-ipam001

> $ cat /etc/sysconfig/network (there should be only one HOSTNAME)

HOSTNAME=fed14-64-ipam001







Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Steven Jones

> I think it is a mismatch between what we've stored as the hostname and 
> the hostname of the machine.
> 
> Can you look at the output of these commands and see if the hostname is 
> the same between them all?
> 
> $ ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn
> $ hostname
> $ cat /etc/sysconfig/network (there should be only one HOSTNAME)
> 
> thanks
> 
> rob



So I un-installed and re-installed rc2, here is the output as requested,

===

[root@fed14-64-ipam001 /]# kinit admin
Password for ad...@ipa.ac.nz: 
[root@fed14-64-ipam001 /]# ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ac,dc=nz dn
# extended LDIF
#
# LDAPv3
# base  with scope oneLevel
# filter: (objectclass=*)
# requesting: dn 
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root@fed14-64-ipam001 /]# 

fed14-64-ipam001
NETWORKING=yes
HOSTNAME=fed14-64-ipam001
NTPSERVERARGS=iburst



Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-02 Thread Steven Jones

Hi,

Yep... that is the issue... I put it in, rebooted, worked, took it out,
rebooted, didn't work, put it back in, rebooted and it worked again.
Wonders of a gui setup... normally I do it by hand and do a FQDN... I
assumed because it was short form in the file that is the way it is now,
obviously not... bugger.

8><-
> 
> The hostname is lacking a domain name, that may be what is confusing 
> things. As an test you might try setting hostname to be a fqdn and see 
> if things improve.
> 
> rob


thanks...

regards

Steven



[Freeipa-users] Definitive firewall ruleset.

2011-03-02 Thread Steven Jones
This is becoming a bit of a grind

Anyway, either I have not found it yet, or a definitive set of ports
that need to be open isn't there; this is my best shot so far,

Have I missed any or are there some not needed?

ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:88
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:464
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:389
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9180
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9180
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9445
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9445


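To answer "have I missed any or are there some not needed?" mechanically, the following added example (not FreeIPA project code) parses an `iptables -L -n` listing and diffs it against the ports a service actually listens on. The sample rules are constructed from the ruleset posted above. The EXPECTED table is an assumption built from that same port list plus two facts about the protocols: Kerberos (88) and kpasswd (464) answer on UDP as well as TCP, while HTTP/HTTPS, LDAP/LDAPS and the dogtag ports are TCP only, so the posted set is short two UDP rules and carries six UDP rules nothing listens on. It also flags any ACCEPT rule whose source is unrestricted.

```python
"""Audit an iptables ACCEPT listing against the ports an IPA server serves.

Added example, not FreeIPA project code. SAMPLE_RULES is constructed from the
ruleset posted in the thread; EXPECTED is an assumption (see the comment).
"""
import re

# Constructed from the posted ruleset, in `iptables -L INPUT -n` column layout.
SAMPLE_RULES = """\
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:88
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:464
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:443
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:123
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:389
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:636
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:7389
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9180
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9180
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9444
ACCEPT     tcp  --  192.168.100.0/24     0.0.0.0/0           tcp dpt:9445
ACCEPT     udp  --  192.168.100.0/24     0.0.0.0/0           udp dpt:9445
"""

# Assumption: the ports from the posted list, each with the protocol the
# service speaks. Kerberos and kpasswd use UDP and TCP; the web, LDAP and
# dogtag ports are TCP only; NTP is UDP only.
EXPECTED = {
    ("tcp", 80): "http", ("tcp", 443): "https",
    ("tcp", 88): "kerberos", ("udp", 88): "kerberos",
    ("tcp", 464): "kpasswd", ("udp", 464): "kpasswd",
    ("udp", 123): "ntp",
    ("tcp", 389): "ldap", ("tcp", 636): "ldaps",
    ("tcp", 7389): "dogtag directory server",
    ("tcp", 9180): "dogtag", ("tcp", 9444): "dogtag", ("tcp", 9445): "dogtag",
}

# target prot opt source destination ... dpt:N
_RULE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>tcp|udp)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+.*\bdpt:(?P<port>\d+)"
)


def parse_accept_rules(text):
    """Map (proto, port) -> source network for every ACCEPT rule with a dpt: match."""
    rules = {}
    for line in text.splitlines():
        m = _RULE.match(line)
        if m and m.group("target") == "ACCEPT":
            rules[(m.group("proto"), int(m.group("port")))] = m.group("src")
    return rules


def audit_rules(rules, expected=EXPECTED):
    """Return (missing, unneeded, world_open): expected pairs with no ACCEPT
    rule, ACCEPT rules for pairs no service listens on, and rules whose
    source is unrestricted."""
    missing = sorted(k for k in expected if k not in rules)
    unneeded = sorted(k for k in rules if k not in expected)
    world_open = sorted(k for k, src in rules.items() if src in ("0.0.0.0/0", "anywhere"))
    return missing, unneeded, world_open


if __name__ == "__main__":
    missing, unneeded, world_open = audit_rules(parse_accept_rules(SAMPLE_RULES))
    print("missing:", missing)
    print("unneeded:", unneeded)
    print("open to any source:", world_open)
```

Run against the posted set it reports `udp/88` and `udp/464` as missing and the UDP rules for 389, 636, 7389, 9180, 9444 and 9445 as unneeded; if your server also runs the IPA DNS service, add 53 on both protocols to EXPECTED.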


[Freeipa-users] replication setup failure

2011-03-02 Thread Steven Jones
8><
starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [21/27]: adding replication acis
  [22/27]: initializing group membership
  [23/27]: adding master entry
  [24/27]: configuring Posix uid/gid generation
  [25/27]: enabling compatibility plugin
  [26/27]: tuning directory server
  [27/27]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
creation of replica failed: list index out of range

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@fed14-64-ipam002 ~]#


messages log
==
Mar  3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 7fe9a7fd5de4 sp 7fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
==

Replica install log
==
8><
2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule -2359 0123456
2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
2011-03-03 00:12:16,048 DEBUG list index out of range
  File "/usr/sbin/ipa-replica-install", line 507, in 
    main()

  File "/usr/sbin/ipa-replica-install", line 468, in main
    install_krb(config, setup_pkinit=options.setup_pkinit)

  File "/usr/sbin/ipa-replica-install", line 216, in install_krb
    setup_pkinit, pkcs12_info)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
    self.start_creation("Configuring Kerberos KDC", 30)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
    r_bindpw=self.dm_password)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
    self.gssapi_update_agreements(self.conn, r_conn)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
    self.setup_krb_princs_as_replica_binddns(a, b)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
    mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]



So how to fix?

regards

Steven




[Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones
I appear to have IPA running, I have run the install client on a fed14
KVM guest and that guest is in the IPA system, however the users in IPA
cannot authenticate via IPA and get onto the client.  There appears to
be traffic to port 389, so I assume it's "almost" working... but I can't
find anything in logs to say what's wrong... not that I can determine
what logs to check. I've been looking in /var/log so far... are there
any other logs about?

And/or where do I start looking to get this working?

regards





Re: [Freeipa-users] replication setup failure

2011-03-03 Thread Steven Jones
Hi

The original ipa master has a running LDAP, the replica does not, so the
install failed on it... so I can't give you an ldapsearch output from
the replica.

Here's the master's output

=
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: krbprincipalname=ldap/*
# requesting: dn 
#

# ldap/fed14-64-ipam001.ipa.ac...@ipa.ac.nz, services, accounts, ipa.ac.nz
dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac...@ipa.ac.nz,cn=services,cn=
 accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
===

On Wed, 2011-03-02 at 23:32 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><
> > starting replication, please wait until this has completed.
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update in progress
> > Update succeeded
> >[21/27]: adding replication acis
> >[22/27]: initializing group membership
> >[23/27]: adding master entry
> >[24/27]: configuring Posix uid/gid generation
> >[25/27]: enabling compatibility plugin
> >[26/27]: tuning directory server
> >[27/27]: configuring directory to start on boot
> > done configuring dirsrv.
> > Configuring Kerberos KDC: Estimated time 30 seconds
> >[1/9]: adding sasl mappings to the directory
> >[2/9]: writing stash file from DS
> >[3/9]: configuring KDC
> >[4/9]: creating a keytab for the directory
> >[5/9]: creating a keytab for the machine
> >[6/9]: adding the password extension to the directory
> >[7/9]: enable GSSAPI for replication
> > creation of replica failed: list index out of range
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > [root@fed14-64-ipam002 ~]#
> >
> >
> >   messages log
> > ==
> > Mar  3 00:12:04 fed14-64-ipam002 kernel: [11214.180151] ns-slapd[7867]: segfault at 0 ip 7fe9a7fd5de4 sp 7fe9617e0910 error 4 in libipa_uuid.so[7fe9a7fd3000+5000]
> > ==
> >
> > Replica install log
> > ==
> > 8><
> > 2011-03-03 00:12:14,977 INFO Changing agreement cn=meTofed14-64-ipam002.ipa.ac.nz,cn=replica,cn=dc\3Dipa\2Cdc\3Dac\2Cdc\3Dnz,cn=mapping tree,cn=config to restore original schedule -2359 0123456
> > 2011-03-03 00:12:15,997 INFO Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update succeeded: start: 20110302111214Z: end: 20110302111214Z
> > 2011-03-03 00:12:16,048 DEBUG list index out of range
> >   File "/usr/sbin/ipa-replica-install", line 507, in
> >     main()
> >
> >   File "/usr/sbin/ipa-replica-install", line 468, in main
> >     install_krb(config, setup_pkinit=options.setup_pkinit)
> >
> >   File "/usr/sbin/ipa-replica-install", line 216, in install_krb
> >     setup_pkinit, pkcs12_info)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 211, in create_replica
> >     self.start_creation("Configuring Kerberos KDC", 30)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 283, in start_creation
> >     method()
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/krbinstance.py", line 556, in __convert_to_gssapi_replication
> >     r_bindpw=self.dm_password)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 688, in convert_to_gssapi_replication
> >     self.gssapi_update_agreements(self.conn, r_conn)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 458, in gssapi_update_agreements
> >     self.setup_krb_princs_as_replica_binddns(a, b)
> >
> >   File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 451, in setup_krb_princs_as_replica_binddns
> >     mod = [(ldap.MOD_ADD, "nsds5replicabinddn", a_pn[0].dn)]
> > 
> >
> >
> > So how to fix?
> >
> > regards
> >
> > Steven
> >
> 
> Ok, this is a new one and may be similar to other hostname issues you've 
> run into. Can you give me the o
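Three of the threads above share one root: a server whose name does not match what the directory holds. `ipactl start` could not read `cn=masters`, Rob's fix was to make the hostname a FQDN, and the replica installer died indexing `a_pn[0]` when the search for the `ldap/` service principal came back empty (the follow-up request was exactly that `krbprincipalname=ldap/*` search). The following added example, not FreeIPA project code, puts those checks in one place: it unfolds `ldapsearch` LDIF output (note the folded continuation line in the posted output), verifies the hostname is a FQDN, that a `cn=<fqdn>` entry exists under `cn=masters`, and that the `ldap/<fqdn>@REALM` principal exists. It also catches the base DN typed earlier in the thread, which dropped the `dc=ipa` component. The LDIF samples are constructed from the posted values, the realm in the principal is restored (the list archive mangled it), and the `cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>` entry layout is an assumption.

```python
"""Hostname / directory consistency checks behind the ipactl and
ipa-replica-install failures in this thread.

Added example, not FreeIPA project code. Host names and realm are the ones
posted; the LDIF is constructed; the cn=masters entry layout is assumed.
"""

REALM = "IPA.AC.NZ"
MASTER = "fed14-64-ipam001.ipa.ac.nz"
REPLICA = "fed14-64-ipam002.ipa.ac.nz"

# Constructed from the master's `ldapsearch ... krbprincipalname=ldap/*` output
# posted in the thread. The line starting with one space is an LDIF folded
# continuation line, which ldapsearch emits for values longer than 76 columns.
PRINCIPALS_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: krbprincipalname=ldap/*
# requesting: dn
#

dn: krbprincipalname=ldap/fed14-64-ipam001.ipa.ac.nz@IPA.AC.NZ,cn=services,cn=
 accounts,dc=ipa,dc=ac,dc=nz

# search result
search: 2
result: 0 Success
"""

# Constructed (assumed layout): what a healthy master answers to
#   ldapsearch -x -s one -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz dn
MASTERS_LDIF = """\
dn: cn=fed14-64-ipam001.ipa.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz
"""


def parse_ldif_dns(text):
    """Return every dn in LDIF output, unfolding continuation lines
    (a line that starts with a single space continues the previous one)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    # "dn:: <base64>" entries are not handled; the samples here do not use them.
    return [line[4:].strip() for line in unfolded if line.startswith("dn: ")]


def suffix_for_realm(realm):
    """IPA.AC.NZ -> dc=ipa,dc=ac,dc=nz, the suffix IPA derives from the realm."""
    return ",".join("dc=" + part.lower() for part in realm.split("."))


def is_fqdn(hostname):
    """True for 'host.example.com', False for the bare 'fed14-64-ipam001'."""
    hostname = hostname.strip()
    return "." in hostname.strip(".") and not hostname.endswith(".")


def search_base_matches(typed_base, realm):
    """Catch a mistyped base such as the one in the thread (dc=ipa dropped)."""
    return typed_base.lower() == "cn=masters,cn=ipa,cn=etc," + suffix_for_realm(realm)


def has_master_entry(dns, fqdn, realm):
    want = "cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, suffix_for_realm(realm))
    return any(dn.lower() == want.lower() for dn in dns)


def has_ldap_principal(dns, fqdn, realm):
    """True if ldap/<fqdn>@<REALM> exists. The posted traceback takes a_pn[0]
    of such a lookup, so an empty result is the IndexError it shows."""
    want = "krbprincipalname=ldap/%s@%s," % (fqdn, realm)
    return any(dn.lower().startswith(want.lower()) for dn in dns)


def diagnose(hostname, realm, principals_ldif, masters_ldif):
    """Return findings for this host; an empty list means it looks consistent."""
    findings = []
    if not is_fqdn(hostname):
        findings.append("hostname %r is not an FQDN" % hostname)
        return findings
    if not has_master_entry(parse_ldif_dns(masters_ldif), hostname, realm):
        findings.append("no cn=%s entry under cn=masters" % hostname)
    if not has_ldap_principal(parse_ldif_dns(principals_ldif), hostname, realm):
        findings.append("no ldap/%s@%s service principal" % (hostname, realm))
    return findings


if __name__ == "__main__":
    for host in ("fed14-64-ipam001", MASTER, REPLICA):
        print(host, "->", diagnose(host, REALM, PRINCIPALS_LDIF, MASTERS_LDIF) or "ok")
```

Run against the posted values: the short hostname fails the FQDN check (Rob's diagnosis), the master passes, and the replica has neither a masters entry nor an `ldap/` principal, which is the state the replica traceback implies.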

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones

"id thing" returns id: thing: no such user...

In iptraf there is a port 389 connection, suggesting it's asking the ipa master 
about user "thing"... so it's either asking the wrong Q

or the ipa master can't see the user "thing" yet it's there in the gui.

One thing: "thing" only exists on the ipa master, with "irwin" it exists locally 
so id returns local info as I see no 389 connection taking place

there was no nslcd.conf so I wrote one as per,

8.1.4. Configuring System Login
You need to modify the /etc/nslcd.conf file, used by the nslcd service,
on the client, to include additional information about the IPA server.
This is so that the client can reach the IPA server's LDAP server for
getent commands and also for ssh. For example, you should include the
following information in your /etc/nslcd.conf file: 
uri host ip-address-of-ipaserver.example.com-here
base dc=example,dc=com

So mine says,

uri host 192.168.100.2
base dc=ipa,dc=ac,dc=nz

Where 192.168.100.2 is the original master.

regards



On Thu, 2011-03-03 at 14:30 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I appear to have IPA running, I have run the install client on a fed14
> > KVM guest and that guest is in the IPA system, however the users in IPA
> > cannot authenticate via IPA and get onto the client.  There appears to
> > be traffic to port 389, so I assume it's "almost" working... but I can't
> > find anything in logs to say what's wrong... not that I can determine
> > what logs to check. I've been looking in /var/log so far... are there
> > any other logs about?
> >
> > And/or where do I start looking to get this working?
> >
> > regards
> >
> >
> 
> On that client can you do things like:
> 
> $ getent passwd 
> 
> or
> 
> $ id 
> 
> ?
> 
> That should cause sssd to fetch user information. If it fails then we'll 
> start by looking at the sssd configuration. If not I guess we'll turn up 
> some debugging knobs to see what is going on.
> 
> rob


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones
8><

I have no idea, I'm trying to follow the ipa document (version 0.5)... so
if it says do something I try and do it... if it doesn't say do something,
well... it doesn't get done, as I can't mind read.

What I want is encrypted connections on all services / communications so
it is secure and safe.

regards

> 
> Are you planning to use pam_ldap + nss_ldap or SSSD?
> If SSSD, have you installed SSSD packages first?
> 
> The pam and nss config files, as well as SSSD config and SSSD logs if it
> is in the picture, together with ipa-client-install logs would be a good
> starting point to troubleshoot the issue.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 




[Freeipa-users] Documentation

2011-03-03 Thread Steven Jones
Hi,

Is it possible to have the ipa 0.5 documentation (and future
documentation) as a pdf file?   I'd like to download it and print it
off.

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones
Hi,

Thanks, I think there may be a dependency missing for the yum install of
the client... when I go to the system-auth, ipa is there as an option
but it's missing a .so in nss-pam-ldapd and asks for it to be installed;
the dependency of that is nscd and pam_ldap.

Hopefully this will work... I am downloading now.

regards



On Thu, 2011-03-03 at 18:22 -0500, Dmitri Pal wrote:
> On 03/03/2011 02:31 PM, Dmitri Pal wrote:
> > On 03/03/2011 02:21 PM, Steven Jones wrote:
> >> I appear to have IPA running, I have run the install client on a fed14
> >> KVM guest and that guest is in the IPA system, however the users in IPA
> >> cannot authenticate via IPA and get onto the client.  There appears to
> >> be traffic to port 389, so I assume it's "almost" working... but I can't
> >> find anything in logs to say what's wrong... not that I can determine
> >> what logs to check. I've been looking in /var/log so far... are there
> >> any other logs about?
> >>
> >> And/or where do I start looking to get this working?
> >>
> >> regards
> >>
> >>
> >>
> > Are you planning to use pam_ldap + nss_ldap or SSSD?
> > If SSSD, have you installed SSSD packages first?
> >
> > The pam and nss config files, as well as SSSD config and SSSD logs if it
> > is in the picture, together with ipa-client-install logs would be a good
> > starting point to troubleshoot the issue.
> >
> 
> Sorry, but the doc might be incomplete. We are in the middle of reviewing
> it, actually, and adding information to it.
>  
> Please go to your system-authconfig dialog and configure LDAP + Kerberos
> with the IPA server. It should be intuitive.
> It will update all the right config files.
> 
> The logs are in the sub-directory under /var/log.
> The name starts with ipa but I do not remember the exact name from the
> top of my head.
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 




Re: [Freeipa-users] Documentation

2011-03-03 Thread Steven Jones
Thanks very much

I can live with rough... lets me study it on the train.

regards

On Fri, 2011-03-04 at 11:24 +1000, David O'Brien wrote:
> Steven Jones wrote:
> > Hi,
> > 
> > Is it possible to have the ipa 0.5 documentation (and future
> > documentation) as a pdf file?   I'd like to download it and print it
> > off.
> > 
> > regards
> 
> I've pushed the latest versions in both formats here:
> 
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/
> 
> This is the first time I've built the pdf so it might be a bit rough 
> around the edges.
> 
> For future versions I'll build both so you can download it. As Dmitri 
> mentioned, this is undergoing review and active development, so expect 
> lots of changes in the near future.
> 
> cheers
> 
> -- 
> 
> David O'Brien
> Red Hat Asia Pacific Pty Ltd
> +61 7 3514 8189
> 
> 
> "He who asks is a fool for five minutes, but he who does not ask remains 
> a fool forever."
>   ~ Chinese proverb




[Freeipa-users] Time bug

2011-03-03 Thread Steven Jones
Hi,

Americans are funny people, they put the date format as month then
day... the problem is, in the real world it's day then month.

So I have registered 1 client and 2 ipa masters as of 4th March 2011
NZST, but the IPA server's gui says I registered them a month in the
future, ie 3rd April 2011  GMT+12 NZST... very neat...

;]

So you need some sort of detection script/software to sort that, I
suspect... or fix the display format in the gui...?

Possibly this might not be helping with my issues, as all my machines
think it's NZST while the IPA master server's software might be thinking
they are telling it April? Hence security certificates etc. go "boom"?

regards





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
Hi,

Well, client to ipa server doesn't work...

regards


On Fri, 2011-03-04 at 10:45 -0500, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 03/03/2011 02:53 PM, Steven Jones wrote:
> >> 8><
> >>
> >> I have no idea, I'm trying to follow the ipa document (version 0.5)... so
> >> if it says do something I try and do it... if it doesn't say do something,
> >> well... it doesn't get done, as I can't mind read.
> >>
> >> What I want is encrypted connections on all services / communications so
> >> it is secure and safe.
> >>
> >> regards
> >
> > Here is some more information for you on SSSD.
> > https://fedorahosted.org/sssd/wiki/HOWTO_Configure
> > And also SSSD man pages are good.
> 
> Let me also point out that ipa-client-install already configures the 
> client to use sssd. No additional configuration should be required.
> 
> rob
> 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
8><---

This didn't work... intuitive, no I guess not.

regards


> Sorry, but the doc might be incomplete. We are in the middle of reviewing
> it, actually, and adding information to it.
>  
> Please go to your system-authconfig dialog and configure LDAP + Kerberos
> with the IPA server. It should be intuitive.
> It will update all the right config files.
> 
> The logs are in the sub-directory under /var/log.
> The name starts with ipa but I do not remember the exact name from the
> top of my head.

There are no logs...

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
How do I turn on logging on the client and the server so as to start
troubleshooting this authentication failure?

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-07 Thread Steven Jones
Hi,

Where does this log to?

regards

On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote:
> On 03/06/2011 02:48 PM, Steven Jones wrote:
> > How do I turn on logging on the client and the server so as to start
> > troubleshooting this authentication failure?
> >
> > regards
> >
> >
> >
> http://freeipa.org/page/IPAv2_config_files
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 
> 
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> 
> 
> 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-07 Thread Steven Jones

I can do a ldapsearch -x -b "dc=ipa,dc=ac,dc=nz" | more

Which returns LDAP info... that looks fine... the query looks OK.

getent passwd "user" however only returns one line, not the two I should
expect?

It also returns very fast... like it's not even looking remotely.

I have run authconfig-tui and that looks OK as far as I can tell

I have set cli.conf and server.conf but there are no logs anywhere I
can find.

Ideas please?

Also how to get logging going so I have something to look at

regards




On Tue, 2011-03-08 at 13:31 +1300, Steven Jones wrote:
> Hi,
> 
> Where does this log to?
> 
> regards
> 
> On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote:
> > On 03/06/2011 02:48 PM, Steven Jones wrote:
> > > How do I turn on logging on the client and the server so as to start
> > > troubleshooting this authentication failure?
> > >
> > > regards
> > >
> > >
> > >
> > http://freeipa.org/page/IPAv2_config_files
> > 
> > -- 
> > Thank you,
> > Dmitri Pal
> > 
> > Sr. Engineering Manager IPA project,
> > Red Hat Inc.
> > 
> > 
> > ---
> > Looking to carve out IT costs?
> > www.redhat.com/carveoutcosts/
> > 
> > 
> > 
> 
> 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><-

> >
> > getent passwd "user" however only returns one line, not the two I should
> > expect?
> 
> Why do you expect two lines? It should only return one, for that user.
> 
> >
> > It also returns very fast... like it's not even looking remotely.
> 
> Is the user in /etc/passwd too?
> 

When I tried to get FDS going a few years ago getent used to return 2,
the local one and the ldap one, hence two lines... if it was
working.

I guess the ipa manual is lacking somewhat in that it says run these
commands, but doesn't say what the expected output is or looks like, so
how am I meant to know if it's right or wrong? Like, duh.

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><--


So how do I fault find? Where do I start?

ie where do I start to look to determine why a user cannot log in to a
client via freeipa? 

How can I be more clear? Because so far the replies have been not very
productive.

regards





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8><
> 
> Steven, sorry you're having such a hard time with this. Let me see if I
> can help point you in the right direction.
> 
> I'm trying to look at the history of this thread, but I'm coming into it
> late, so please forgive me if I retread any ground that's already been
> covered.
> 
> First, I need to verify that I understand the state from which you're
> working. Have you installed FreeIPA from the jdennis.fedorapeople.org
> yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64bit.

> What version of the RPM packages for freeipa-server, freeipa-client and
> sssd do you have? (rpm -q)


">>" 'd output,

==
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2

domains = ipa.ac.nz
[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8><--
> >
> >
> > So how do I fault find? Where do I start?
> >
> > ie where do I start to look to determine why a user cannot log in to a
> > client via freeipa?
> >
> > How can I be more clear? Because so far the replies have been not very
> > productive.
> >
> > regards
> >
> >
>
> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> sssd, and try your login again. Look
> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>
> Your uid/gid will likely differ.
>
> # getent passwd admin
> admin:*:26420:26420:Administrator:/home/admin:/bin/bash
> # id admin
> uid=26420(admin) gid=26420(admins) groups=26420(admins)
> # getent group admins
> admins:*:26420:admin
> # finger admin
> Login: admin                            Name: Administrator
> Directory: /home/admin                  Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.

(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_chi

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal

--

8><-
> 
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
> 
> What does
> klist -k /etc/krb5.keytab
> return to you?
> 
> - -- 
> Stephen Gallagher
> RHCE 804006346421761
> 


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
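The keytab check Stephen asks for here, together with Rob's earlier advice to set debug_level = 9 and read sssd_<domain>.log, can be scripted so that the two symptoms are checked against each other offline. The following is an added example, not code from this thread, from FreeIPA or from SSSD; the `klist -k` listings, the log excerpt and the sssd.conf are constructed samples shaped like the output posted above (the archive mangled the principal names, so they are written out in full here), and the host name and realm are the ones from the thread.

```python
"""Offline triage of a FreeIPA client whose SSSD backend will not start.
Added example, not code from the thread or from FreeIPA/SSSD; the sample
inputs are constructed to mirror the shape of the output in the thread and
the mangled principal names are written out in full. Touches no live system."""
import configparser
import re

# Constructed samples: an empty and a populated `klist -k` listing.
KLIST_EMPTY = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
"""
KLIST_OK = KLIST_EMPTY + """   1 host/fed14-64-ipacl02.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl02.ipa.ac.nz@IPA.AC.NZ
"""
# Constructed sssd_<domain>.log excerpt with the failure signature from the thread.
SSSD_LOG = """\
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
"""
# Constructed minimal sssd.conf, without the debug_level the thread asks for.
SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.ac.nz

[domain/ipa.ac.nz]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz
"""

KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")          # "   1 host/...@REALM"
LOG_LINE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                      r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$")
MISSING_PRINC = re.compile(r"Principal \[(?P<princ>[^\]]+)\] not found in keytab")


def keytab_principals(klist_output):
    """Parse `klist -k` text into [(kvno, principal), ...]; header lines are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(KLIST_ENTRY.match, klist_output.splitlines()) if m]


def host_principal(fqdn, realm):
    """The key ipa-client-install is expected to leave in /etc/krb5.keytab."""
    return f"host/{fqdn}@{realm}"


def keytab_has_host_key(klist_output, fqdn, realm):
    wanted = host_principal(fqdn, realm)
    return any(princ == wanted for _, princ in keytab_principals(klist_output))


def triage_sssd_log(log_text):
    """Extract which principals the backend could not find and whether it gave up."""
    found = {"domain": None, "missing_principals": set(), "backend_init_failed": False}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not a backend line (or a wrapped fragment)
        found["domain"] = m.group("domain")
        mp = MISSING_PRINC.search(m.group("msg"))
        if mp:
            found["missing_principals"].add(mp.group("princ"))
        if m.group("func") == "main" and "Could not initialize backend" in m.group("msg"):
            found["backend_init_failed"] = True
    return found


def domain_debug_level(conf_text, domain):
    """debug_level of [domain/<domain>]: 0 when unset, None when the section is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return None
    return cp.getint(section, "debug_level", fallback=0)


def diagnose(klist_output, log_text, fqdn, realm):
    """Combine the checks into plain findings; an empty list means they all passed."""
    problems = []
    if not keytab_has_host_key(klist_output, fqdn, realm):
        problems.append(f"{host_principal(fqdn, realm)} is not in the keytab; re-enrol "
                        "(ipa-client-install --uninstall, then ipa-client-install)")
    t = triage_sssd_log(log_text)
    for princ in sorted(t["missing_principals"]):
        problems.append(f"sssd backend for {t['domain']} could not find {princ} in the keytab")
    if t["backend_init_failed"]:
        problems.append("sssd data provider never initialized, so getent/id/logins cannot reach IPA")
    return problems


if __name__ == "__main__":
    for p in diagnose(KLIST_EMPTY, SSSD_LOG, "fed14-64-ipacl01.ipa.ac.nz", "IPA.AC.NZ"):
        print("-", p)
```

On a real client the two inputs would come from `klist -k /etc/krb5.keytab` and `/var/log/sssd/sssd_<domain>.log` (with debug_level raised as Rob describes); the point of cross-checking them is that an empty keytab explains the "not found in keytab" and "Could not initialize backend" lines, so getent and id are not failing on their own but because the backend never came up.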


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   -> Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
-d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
'/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,104 DEBUG args=/sbin/service certmonger status
2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped

2011-03-04 15:09:14,104 DEBUG stderr=
2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [  OK  ]

2011-03-04 15:09:14,280 DEBUG stderr=
2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off   1:off   2:off
3:off   4:off   5:off   6:off

2011-03-04 15:09:14,295 DEBUG stderr=
2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
2011-03-04 15:09:14,564 DEBUG stdout=
2011-03-04 15:09:14,564 DEBUG stderr=
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb
-n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N
CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K
host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz
2011-03-04 15:09:14,586 DEBUG stdout=Error
org.fedorahosted.certmonger.duplicate: Certificate at same location is
already used by request "20110303020539".

2011-03-04 15:09:14,586 DEBUG stderr=
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stdout=
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be
canonicalized when creating default server principal name

2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate
-g /etc/ipa/.dns_update.txt
2011-03-04 15:09:14,764 DEBUG stdout=
2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may
have expired.

2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...

2011-03-04 15:09:14,827 DEBUG stderr=
2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [  OK  ]

2011-03-04 15:09:14,856 DEBUG stderr=
2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
2011-03-04 15:09:14,858 DEBUG stdout=nscd   0:off   1:off   2:on
3:on4:on5:on6:off

2011-03-04 15:09:14,858 DEBUG stderr=
2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
2011-03-04 15:09:14,958 DEBUG stdout=
2011-03-04 15:09:14,958 DEBUG stderr=
2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd
--enablesssdauth --update
2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [  OK  ]
[  OK  ]

2011-03-04 15:09:16,402 DEBUG stderr=
2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
2011-03-04 15:09:16,419 DEBUG stdout=
2011-03-04 15:09:16,419 DEBUG stderr=
2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
2011-03-04 15:09:17,424 DEBUG stdout=
2011-03-04 15:09:17,424 DEBUG stderr=
2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
2011-03-04 15:09:18,429 DEBUG stdout=
2011-03-04 15:09:18,429 DEBUG stderr=
2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
2011-03-04 15:09:19,432 DEBUG stdout=
2011-03-04 15:09:19,432 DEBUG stderr=
2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
2011-03-04 15:09:20,436 DEBUG stdout=
2011-03-04 15:09:20,436 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5
--update --nostart
2011-03-04 15:09:22,303 DEBUG stdout=
2011-03-04 15:09:22,303 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG Backing up system configuration file
'/etc/ntp.conf'
2011-03-04 15:09:22,304 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,305 DEBUG Backing up system configuration file
'/etc/sysconfig/ntpd'
2011-03-04 15:09:22,305 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
2011-03-04 15:09:22,398 DEBUG stdout=
2011-03-04 15:09:22,398 DEBUG stderr=
2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [  OK  ]
Starting ntpd: [  OK  ]

2011-03-04 15:09:22,537 DEBUG stderr=


regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher  wrote:
> 
> > 
> > 
> > On Mar 8, 2011, at 5:45 PM, Steven Jones 

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Hi,

I have just done another F14 client and I have the same issue.

regards


On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher  wrote:
> 
> > 
> > 
> > On Mar 8, 2011, at 5:45 PM, Steven Jones 
> > wrote:
> > 
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > 
> > > --
> > > 
> > > 8><-
> > >> 
> > >> 
> > >> 
> > >> 
> > 
> > Looks like you have no host key in the keytab. That's the root of the
> > problem. Seems like IPA-client-install failed to populate it. Rob, do
> > you have any insight here?
> 
> does /var/log/ipaclient-install.log show any error ?
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Hi,

I had/have already done the uninstall...and re-install.

Also I registered a brand new 2nd client... that hasn't worked
either...

regards


On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > Hi,
> >
> > Log,
> >
> 
> The error is "Host is already joined" so no keytab is requested. The 
> enrollment failed.
> 
> ipa-client-install --uninstall should unenroll the client (you can 
> verify that Keytab is False in ipa host-show  on the IPA 
> server.
> 
> If so running ipa-client-install on the client should configure things 
> properly.
> 
> rob
> 
> > 
> > 2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
> > with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
> > 'force': True, 'sssd': True, 'hostname': None, 'permit': False,
> > 'server': None, 'prompt_password': False, 'realm_name': None,
> > 'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
> > None, 'mkhomedir': False, 'unattended': None, 'principal': None}
> > 2011-03-04 15:08:58,726 DEBUG missing options might be asked for
> > interactively later
> >
> > 2011-03-04 15:08:58,726 DEBUG Loading Index file from
> > '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
> > 2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
> > 2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
> > 2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
> > -O /tmp/tmp7MhOze/ca.crt
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > 2011-03-04 15:08:58,736 DEBUG stdout=
> > 2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
> > http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
> > Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
> > Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1321 (1.3K) [application/x-x509-ca-cert]
> > Saving to: `/tmp/tmp7MhOze/ca.crt'
> >
> >   0K . 100%
> > 237M=0s
> >
> > 2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
> > [1321/1321]
> >
> >
> > 2011-03-04 15:08:58,736 DEBUG Init ldap with:
> > ldap://fed14-64-ipam001.ipa.ac.nz:389
> > 2011-03-04 15:08:58,749 DEBUG Search rootdse
> > 2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
> > dc=ipa,dc=ac,dc=nz(base)
> > 2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
> > {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
> > 'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
> > ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
> > 2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
> > in dc=ipa,dc=ac,dc=nz(sub)
> > 2011-03-04 15:08:58,753 DEBUG Found:
> > [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
> > ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
> > ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
> > 'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
> > 'krbticketpolicyaux'], 'krbSearchScope': ['2'],
> > 'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
> > 'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
> > 'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
> > 'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
> > 'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
> > 'krbMaxRenewableAge': ['604800']})]
> > 2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
> >
> > 2011-03-04 15:08:58,753 DEBUG will use server:
> > fed14-64-ipam001.ipa.ac.nz
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
> >
> > 2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
I have set up a 2nd client and I have the same result... but it looks like
the keytab is correct? However LDAP logins still don't work...


Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz


regards


On Tue, 2011-03-08 at 17:10 -0500, Stephen Gallagher wrote:
> 
> On 03/08/2011 04:40 PM, Steven Jones wrote:
> > On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> >> Steven Jones wrote:
> >>> 8><--
> >>>
> >>>
> >>> So how do I fault find? where do I start?
> >>>
> >>> ie Where do I start to look to determine why a user cannot login to a
> >>> client via freeipa?
> >>>
> >>> How can I be more clear? because so far the replies have been not very
> >>> productive.
> >>>
> >>> regards
> >>>
> >>>
> >>
> >> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
> >> sssd, and try your login again. Look
> >> in /var/log/sssd/sssd_example.com.log for information on the login attempt.
> >>
> >> Your uid/gid will likely differ.
> >>
> >> # getent passwd admin
> >> admin:*:26420:26420:Administrator:/home/admin:/bin/bash
> >> # id admin
> >> uid=26420(admin) gid=26420(admins) groups=26420(admins)
> >> # getent group admins
> >> admins:*:26420:admin
> >> # finger admin
> >> Login: admin   Name: Administrator
> >> Directory: /home/admin  Shell: /bin/bash
> >> Never logged in.
> >> No mail.
> >> No Plan.
> > 
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
> > [default]
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
> > Could not verify keytab
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
> > (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
> > fatal error initializing data providers
> > (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
> > initialize backend [14]
> > (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
> > [sss_krb5_verify_keytab_ex] (0): Principal
> > [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
> > [default]
> 
> 
> Well, here's your problem. The SSSD isn't starting up successfully
> because you don't have a host principal for this server in your
> /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
> 
> What does
> klist -k /etc/krb5.keytab
> return to you?
> 
> - -- 
> Stephen Gallagher
> RHCE 804006346421761
> 
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
> On 03/09/2011 02:21 PM, Steven Jones wrote:
> > Hi,
> >
> > I had/have already done the uninstall...and re-install.
> >
> > Also I registered a brand new 2nd client...that hasnt worked
> > either..
> >
> How did you create the host record for it on the server?
> 


I didn't, I ran ipa-client-install from the client

I have just run with the --uninstall flag and then re-run and it's
failing as the client record was not removed...

"Joining realm failed: Host is already joined"

So the un-install script/flag isn't removing the client/host

regards




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Hi,

I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...

So Yes, the next issue

regards




On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote:
> 
> On 03/09/2011 02:45 PM, Steven Jones wrote:
> > I have set up a 2nd client and I have the same result... but it looks like
> > the keytab is correct? However LDAP logins still don't work...
> > 
> > 
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> >  
> > --
> >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> > 
> > 
> 
> Could you please check the SSSD debug logs on that machine as well? It
> may be a different problem now.
> - -- 
> Stephen Gallagher
> RHCE 804006346421761
> 
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
8><---

> 4) Install client again
> 
> Everything should work.
> If not please send us the logs.

Not sure which logs as I'm losing track of so many
suggestions/threads... but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is
zero length

I just tried to add a local user and set a password and I'm getting
"passwd: Authentication token manipulation error"

regards













Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Ok,

However I can't LDAP/IPA authenticate still... on either client..

So what next?

regards

Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 10 March 2011 10:47 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones wrote:
> Hi,
>
> I have gone into the webgui and manually removed the no1 client/host, it
> has now joined successfully...
>
> So Yes, the next issue
>
> regards
>

I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using
kerberos credentials. It is ok if the host already exists but not
absolutely required.

* When a host is unenrolled it uses its own credentials (the service
principal in /etc/krb5.keytab host/client.example@example.com) to
authenticate to IPA and say "I'm done with these credentials." If you
lack this principal it cannot authenticate to IPA to say "I'm done with
these credentials." If a keytab was actually created for this host and
the contents are lost then you will need to manually free it up for
enrollment again either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
tracking SSL certificates and 1029 only applies if you used the
--hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a
specific host or realm from a keytab file. It has no effect on the
server at all.

regards

rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
I rebooted both clients and after the reboot they now do IPA 
authentication..

So client1 we did some work on and it wouldn't work until a reboot... client2 I 
did nothing to until I rebooted... then that also worked

So I will make a third client and try that

Are there rpms & scripts for a rhel6ws? I could try that as well... also 
RHEL5

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
While installing my third client SELinux popped up a warning that it was blocking 
access to krb5... so I'm wondering if the reason the install of the client is 
failing is due to SELinux?

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stephen Gallagher [sgall...@redhat.com]
Sent: Friday, 11 March 2011 4:31 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA


On 03/10/2011 10:10 AM, Simo Sorce wrote:
> - Original Message -
>> Steven Jones wrote:
>>> Ok,
>>>
>>> However I cant LDAP/Ipa authenticate stillon either
>>> client..
>>>
>>> So what next?
>>
>> sssd handles logins, you can try turning up the log level on that
>> (though I suspect it wasn't the reboot that fixed this but
>> restarting sssd).
>
> If sssd was never used before then what was needed was a restart of
> the services using it (sshd, gdm), as nsswitch.conf is never re-read
> by glibc, you can't use the new users until those services are
> restarted after nsswitch.conf is modified.
>
> I think we also offer to restart the client after ipa-client-install
> exactly as a way to restart all services that may depend on picking
> up this change. That reboot is not necessary if you manually restart
> all services after that, but if you don't then you better do a reboot
> as we suggest.
>
>> As part of ipa-client-install sssd is restarted and tested via
>> 'getent passwd admin'. This should be visible in
>> /var/log/ipaclient-install.log. Did this command succeed?
>
> Even if this succeeds, authentication via gdm or ssh can still fail
> until the services are restarted.
>
> Just pointing out this fact as a help point for other users testing
> ipa-client-install in future.


FYI, while this might be an issue for sshd, GDM actually has a
workaround for this and doesn't need a restart. GDM just forks and
exec's the 'id' command instead of calling getpwent directly.



- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
third client won't authenticate either

So I guess it's a problem around the install script if not SELinux

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
I have run the un-install script and it won't delete the client in the IPA 
system, so again I had to delete it via the web GUI... I will try re-installing.

A release candidate?

I don't see how... for me a release candidate should pretty much work with the 
odd bug in an "odd" area... this is still like alpha... major functionality 
failure, as personally I class being unable to do the very first thing you need 
to do as a major failure.

regards





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
My problem is "To troubleshoot we need logs. There are all sorts of logs and 
configuration files on the server and on the client."

That's just it... I don't know where to look... it's simply not documented... so 
what I need is for someone to tell me what logs you need... and how to make the 
system log reliably.. for instance debug_level = 9 in the sssd.conf still 
produces 0 length logs on client1... so there is nothing to report

It may well be my problems stem from trying to use RHEL6 svr and KVM with 
fedora 14 clients inside it which I am finding very flaky... I may need to blow 
it away and move the test bed to vmware ESXi.

Or maybe indeed I am serially doing something wrong.

I am trying again to setup client 3, what selinux is telling me is ipa-submit 
is trying to open krb5.keytab

I will test and maybe turn SELinux off, if I can figure out how!

regards

Steven



Steve,

Sorry but it looks like you are doing something wrong over and over again or 
there is something mis-configured in your environment.
We are executing tests every day with new and old machines bare metal and VMs.
And everything works so there is definitely something specific to your 
environment which is different.
Maybe it is DNS or NTP or something like that. We do not know. Maybe it is a bug 
that we do not hit because we do not run things in the sequence you run or with 
the configuration you use.

You write a lot of mails to us but few contain any substantial information 
about your setup.
To troubleshoot we need logs.
There are all sorts of logs and configuration files on the server and on the 
client.
You do not include them in your emails.
How do you think we can troubleshoot the problems?

If you want us to help please include more detailed information.
I am really sorry that you are experiencing the issues and spending that much 
time but I do not see a way to help you since we do not have sufficient 
information to do the troubleshooting.

We will be happy to help you as soon as you provide such information.


Thank you,
Dmitri




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac.NZ] not found in keytab [default]
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
[root@Fed14-64-ipacl03 sssd]#


root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
[root@Fed14-64-ipacl03 sssd]#

?

regards


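The SSSD log and the klist output in the message above disagree about whether the host principal is in the keytab, and the principal SSSD names carries a capital "F" while the keytab entries are lowercase. Kerberos principal names are case-sensitive, so that is a check worth running directly. The script below is an added example, not code from the thread or from the FreeIPA project: it parses `klist -k` output and compares it with the principal SSSD will verify (host/<hostname>@<realm>, where SSSD takes the hostname from ipa_hostname, which defaults to the system hostname). The keytab listing, hostname and realm embedded in it are constructed sample data; `socket.getfqdn()` and the default_realm parser are assumptions used for the live run.

```python
#!/usr/bin/env python3
"""Compare the host principal in a keytab with the one SSSD will look for.

Added example, not code from the thread or from the FreeIPA project.
`klist -k` prints one line per key, so one principal appears once per
encryption type (four lines in the thread's output is normal). Kerberos
compares principal names case-sensitively, so host/Fed14-64-ipacl03...
and host/fed14-64-ipacl03... are two different principals even though
they name the same machine.
"""
import re
import socket
import subprocess
from typing import List, Optional, Tuple

# Constructed sample in the format `klist -k /etc/krb5.keytab` prints.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
"""

# An entry line is "<kvno> <principal@REALM>"; header and separator lines
# start with something other than a number and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist_keytab(output: str) -> List[str]:
    """Return the principal names from `klist -k` text, in file order.

    Duplicates are kept on purpose: the count tells you how many key
    types were written for the principal.
    """
    return [m.group(2) for m in map(ENTRY_RE.match, output.splitlines()) if m]


def expected_host_principal(hostname: str, realm: str) -> str:
    """The host principal the SSSD ipa provider verifies at startup."""
    return f"host/{hostname}@{realm}"


def check_host_principal(principals: List[str], hostname: str,
                         realm: str) -> Tuple[str, Optional[str]]:
    """Classify the keytab against the expected host principal.

    Returns ("ok", principal) on an exact match, ("case-mismatch", principal)
    when an entry differs only in letter case, and ("missing", None) otherwise.
    """
    wanted = expected_host_principal(hostname, realm)
    if wanted in principals:
        return "ok", wanted
    for p in principals:
        if p.lower() == wanted.lower():
            return "case-mismatch", p
    return "missing", None


def default_realm(krb5_conf: str = "/etc/krb5.conf") -> Optional[str]:
    """Pull default_realm out of krb5.conf; None if it cannot be read."""
    try:
        with open(krb5_conf) as f:
            for line in f:
                m = re.match(r"^\s*default_realm\s*=\s*(\S+)", line)
                if m:
                    return m.group(1)
    except OSError:
        return None
    return None


def main() -> int:
    # Live run: read the real keytab (needs root) and the system hostname.
    out = subprocess.run(["klist", "-k", "/etc/krb5.keytab"],
                         capture_output=True, text=True, check=False).stdout
    realm = default_realm() or "EXAMPLE.COM"   # placeholder if krb5.conf lacks it
    host = socket.getfqdn()                    # stands in for SSSD's ipa_hostname
    status, found = check_host_principal(parse_klist_keytab(out), host, realm)
    detail = f" (keytab has {found})" if found and status != "ok" else ""
    print(f"expected {expected_host_principal(host, realm)}: {status}{detail}")
    return 0 if status == "ok" else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

On a case-mismatch result the first thing to compare is the system hostname against the name the host was enrolled under (ipa_hostname in sssd.conf lets SSSD use the enrolled name when the two differ).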

Re: [Freeipa-users] Standalone or VM instance of FreeIPA

2011-03-21 Thread Steven Jones
Hi,

A year or two back free VMs were easy to find/common, these days it's quite 
hard... mostly I look, give up and go build my own VM for the job.

If you want to do some routing in VMware, Vyatta do a free VM and it does DHCP 
as well.

You can set up bind on your fedora VM, just invent a domain, I've invented 
ipa.ac.nz and off you go.

You just need 2 zone files, forward and reverse, if need be I can post mine.

There is an option to do an integrated DNS but maybe DNS has to be going 
first...

regards

Steven


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Bernstein [sber...@gmail.com]
Sent: Tuesday, 22 March 2011 5:43 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Standalone or VM instance of FreeIPA

Hey there! Please forgive my n00b level question, but is there good 
documentation on setting up a test environment using FreeIPA?

I'd like to tinker with this using VMware if possible.  I took a cursory look 
on Google and Bing, but mostly found pay-for VM Appliances.

I really would like to learn how to set it up (with the help of the install 
scripts... I'm not scared of install work, but those scripts were created for a 
reason)

My point is: When I go to run the installation script on my Fedora box, it 
tells me the script cannot be run unless the IP resolves in both directions.  
Is there a 'decent' way to go 'round this?  Looking for help, if you please.

Thanks so much!

Steven



[Freeipa-users] FreeIPA 2 on F14/RHEl 6.1

2011-03-28 Thread Steven Jones
Hi.

I see IPA 2.0 is F15... uh.

Is free-ipa 2.0 going to be put into RHEL6.1?  i.e. I'm assuming that F14 will 
become 6.1? sometime in the next few months?

Or should I assume that since ipa2.0 is in F15 only we won't see anything 
vaguely usable 'til 6.2 sometime near the end of the year?

The reason for this is I want to spend the next few months learning IPA and 
deploy it to limited selected users as a POC (proof of concept) so I'm assuming 
it will be available in 6.1 with a full capability in 6.2... is this a correct 
assumption?  So to do this I have to put together a huge virtualised test bed 
of NAS, SAN, clients and Shibboleth type stuff to test our systems; that's a lot 
of work to re-do.

So should I abandon ipa on F14 and go to F15? and then delay things until the 
end of the year? or next year?  what is the roadmap please?

regards



[Freeipa-users] FreeIPA 2 on F14 / RHEL 6.1

2011-03-28 Thread Steven Jones
Hi.

Is free-ipa going to be put into RHEL6.1?  i.e. I'm assuming that F14 will become 
6.1?

Or should I assume that since ipa2 is in F15 we won't see anything 'til 6.2 
sometime near the end of the year?

I want to spend the next few months learning IPA and deploy it to limited 
selected users as a POC (proof of concept) so I'm assuming it will be available 
in 6.1 with a full capability in 6.2... is this a correct assumption?

I have to put together a huge virtualised test bed to test our systems; that's a 
lot of work to re-do.. So should I abandon F14 and go to F15 and then delay 
things until the end of the year? or next year?

regards





Re: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1

2011-03-28 Thread Steven Jones
Hi,

Thanks close enough

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 29 March 2011 11:15 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2 on F14/RHEl 6.1

On 03/28/2011 05:30 PM, Steven Jones wrote:
> Hi.
>
> I see IPA 2.0 is F15... uh.
>
> Is free-ipa 2.0 going to be put into RHEL6.1?  i.e. I'm assuming that F14 will 
> become 6.1? sometime in the next few months?
>
> Or should I assume that since ipa2.0 is in F15 only we won't see anything 
> vaguely usable 'til 6.2 sometime near the end of the year?
>
> The reason for this is I want to spend the next few months learning IPA and 
> deploy it to limited selected users as a POC (proof of concept) so I'm 
> assuming it will be available in 6.1 with a full capability in 6.2... is this 
> a correct assumption?

Your assumption is correct. IPA is planned for 6.1 as tech preview in the
same shape as FreeIPA v2.
We will be working on 2.1 for several months now.
It will be a stabilization release. See the Trac instance for the list
of the issues we plan to address.
The intent is to have 2.1 or core parts of it ported to RHEL and
released as a fully supported version in 6.2.

So I guess you do not need to delay or abandon your plans.


Hope this helps.
>   So to do this I have to put together a huge virtualised test bed of NAS, 
> SAN, clients and Shibboleth type stuff to test our systems; that's a lot of 
> work to re-do.
>
> So should I abandon ipa on F14 and go to F15? and then delay things until the 
> end of the year? or next year?  what is the roadmap please?
>
> regards
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



[Freeipa-users] replica install failure....

2011-03-28 Thread Steven Jones
Just tried to make a replica and the install failed with,

  [4/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 
9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd '' 
-preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password '' -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
"CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 
7389 -bind_dn "cn=Directory Manager" -bind_password '' -base_dn o=ipaca 
-db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA 
-save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name 
internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" 
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" 
-ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" 
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate 
Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz 
-sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' 
-clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' 
returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
[root@fed14-64-ipam002 jonesst1]# 



[Freeipa-users] client setup failure

2011-03-28 Thread Steven Jones
Trying to set up a fed14 client and since DNS is on the AD server (dc0002) 
there is no dns_discovery...so as per doc I ran the install and it should ask 
me for the info...but it fails with,

Complete!
[root@fed14-64-cli01 yum.repos.d]# ipa-client-install
DNS discovery failed to determine your DNS domain
Please provide the domain name of your IPA server (ex: example.com): ipa.ac.nz
Retrieving CA from dc0002.ipa.ac.nz failed.
Command '/usr/bin/wget -O /tmp/tmpzR381G/ca.crt 
http://dc0002.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 4
[root@fed14-64-cli01 yum.repos.d]#

So it's asking the dns server for the cert, which doesn't have it, instead of the 
ipa server...which does.

I think the install script needs some work

regards



[Freeipa-users] AD setup failure

2011-03-28 Thread Steven Jones

Following the install guide I get,

[root@fed14-64-ipam001 samba]# ipa-replica-manage add --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
> --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Usage: ipa-replica-manage [options]

ipa-replica-manage: error: must provide a command [force-sync | disconnect | 
list | del | connect | re-initialize]
[root@fed14-64-ipam001 samba]# 

So it's connect instead of add?

Nope, connect fails

root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
/home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
required to create a winsync agreement
[root@fed14-64-ipam001 samba]#

So section 4.4 in the manual needs fixing I think...and what do I actually 
type pls?

regards



Re: [Freeipa-users] AD setup failure

2011-03-28 Thread Steven Jones
Got a bit further...I was missing   "--passsync"

[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
/home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
required to create a winsync agreement
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync 
Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for 
fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 
'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root@fed14-64-ipam001 samba]#

But still isn't working.

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 29 March 2011 3:24 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] AD setup failure

Following the install guide I get,

[root@fed14-64-ipam001 samba]# ipa-replica-manage add --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
> --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Usage: ipa-replica-manage [options]

ipa-replica-manage: error: must provide a command [force-sync | disconnect | 
list | del | connect | re-initialize]
[root@fed14-64-ipam001 samba]#

So it's connect instead of add?

Nope, connect fails

root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
/home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
required to create a winsync agreement
[root@fed14-64-ipam001 samba]#

So section 4.4 in the manual needs fixing I think...and what do I actually 
type pls?

regards



Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Steven Jones
Hi,

It would be the self cert off the AD controller I got made for me...that is 
the limit of my knowledge on AD

I will ask the MS ppl when they get in.

regards

Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> Got a bit further...I was missing   "--passsync"

I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.

>
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
> /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
> required to create a winsync agreement
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync 
> Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> Added CA certificate /home/jonesst1/domaincert.cer to certificate database 
> for fed14-64-ipam001.ipa.ac.nz
> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 
> 'desc': 'Connect error'}
> unexpected error: Failed to setup winsync replication
> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
> dc0001.ipa.ac.nz has address 192.168.101.2
> [root@fed14-64-ipam001 samba]#
>
> But still isn't working.

I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
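A way to do the check Rob asks for above, added here as an example (not code from the thread or from FreeIPA): it uses openssl to confirm that a --cacert file really is the issuer of the certificate an AD DC presents, which is what NSS error -8179 says is not the case. The fetch helper, the hostnames and the self-test certificates are all assumptions or constructed material.

```shell
#!/bin/sh
# Added example, not from the thread: check that the file handed to
#   ipa-replica-manage connect --winsync ... --cacert <file> <ad-host>
# is the CA that issued the certificate the AD DC presents on LDAPS.
# NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) during winsync setup means the
# DC's certificate does not chain to the --cacert file; a DC's own
# self-signed server certificate is not a CA certificate and will not do.

# Save the certificate a live DC presents on port 636 as PEM in $2.
# Needs network access to the DC; the self-test below does not call it.
fetch_ldaps_cert() {
    host=$1; out=$2
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$out"
}

# Exit status 0 if the server certificate $2 chains to the CA file $1.
ca_issued_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the CA's subject next to the server certificate's issuer; a mismatch
# here is the usual reason for -8179.
show_chain_names() {
    echo "CA subject:    $(openssl x509 -in "$1" -noout -subject)"
    echo "server issuer: $(openssl x509 -in "$2" -noout -issuer)"
}

# Self-test material, entirely constructed (no AD involved):
#   $1/ca.crt         a constructed "AD CA"
#   $1/dc.crt         a DC certificate issued by that CA (the right input)
#   $1/selfsigned.crt a DC certificate that signed itself (the wrong input)
make_test_certs() {
    dir=$1
    cat > "$dir/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = EXAMPLE
CN = Constructed AD CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:dc.example.test
EOF
    openssl req -x509 -config "$dir/test.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -config "$dir/test.cnf" -subj "/CN=dc.example.test" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/dc.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 \
        -extfile "$dir/test.cnf" -extensions v3_server \
        -out "$dir/dc.crt" 2>/dev/null
    openssl req -x509 -config "$dir/test.cnf" -extensions v3_server \
        -subj "/CN=dc.example.test" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
}

# Stand-alone run: build the constructed certificates and try both inputs.
if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    make_test_certs "$tmp"
    ca_issued_server_cert "$tmp/ca.crt" "$tmp/dc.crt" && echo "dc.crt: issued by CA"
    ca_issued_server_cert "$tmp/ca.crt" "$tmp/selfsigned.crt" ||
        { echo "selfsigned.crt: unknown issuer (this is the -8179 case)"
          show_chain_names "$tmp/ca.crt" "$tmp/selfsigned.crt"; }
    rm -rf "$tmp"
fi
```

Against a real DC, run `fetch_ldaps_cert dc0001.ipa.ac.nz dc.pem` and then `ca_issued_server_cert /home/jonesst1/domaincert.cer dc.pem` before trying the winsync agreement.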


Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Steven Jones
Hi,

This is F14, guess you missed the hostnames...

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 9:09 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replica install failure

On Mon, 2011-03-28 at 23:45 +, Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
>   [4/11]: configuring certificate server instance
> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl 
> /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz 
> -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 
> '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin 
> -admin_email root@localhost -admin_password '' -agent_name 
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
> "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host fed14-64-ipam002.ipa.ac.nz 
> -ldap_port 7389 -bind_dn "cn=Directory Manager" -bind_password '' 
> -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm 
> SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad 
> -token_name internal -ca_subsystem_cert_subject_name "CN=CA 
> Subsystem,O=IPA.AC.NZ" -ca_ocsp_cert_subject_name "CN=OCSP 
> Subsystem,O=IPA.AC.NZ" -ca_server_cert_subject_name 
> "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" 
> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate 
> Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 
> -clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz 
> -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' 
> -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' 
> returned non-zero exit status 255
> creation of replica failed: Configuration of CA failed
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> [root@fed14-64-ipam002 jonesst1]#
>

Hello Steven,

Can you please send me the version of the tomcat6 server on your Fedora 15
with IPA replica?

This is most probably a known issue which was stated in Freeipa v2
announcement:

[Freeipa-devel] Announcing FreeIPA v2 Server

[snip]
Known Issues

  * The latest tomcat6 package has not been pushed to updates-testing.
You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from
koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 .
The installation will fail restarting the CA with the current tomcat6
package in Fedora 15.
[snip]


If this is your case, you may want to install the RPMs from koji or just
install them from the rawhide repository.

Regards,
Martin



Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
Hi,

The DNS is in AD so it can't be set to suit IPA

I did as below and even with --force your script ignores these flags; it 
insists on doing AD lookups and gets the AD info...and obviously the cert isn't 
on the AD box.

8><

What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
installation uses this DNS record in the autodiscovery of the IPA server in
the given DNS domain.

You may want to check the DNS record or set the domain and server
manually:

# ipa-client-install --server= --domain=

Regards,
Martin



Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
How do I add these manually to the script?  

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 11:52 p.m.
To: tomasz.napier...@allegro.pl
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote:
> On 2011-03-29, at 10:20, Martin Kosek wrote:
>
> > On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote:
> >
> > What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> > installation uses this DNS record in the autodiscovery of the IPA server in
> > the given DNS domain.
>
> In AD managed zone that would be domain controller itself.
>
> pz

You are right. In that case the autodiscovery has to be skipped and
--server/--domain parameters need to be added to the client installation
script manually.

Martin



Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
Hi,

I can't use --server or --domain; the install script ignores those...it 
insists on going to AD for its info

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:41 a.m.
To: Martin Kosek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Martin Kosek wrote:
> On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote:
>> On 2011-03-29, at 10:20, Martin Kosek wrote:
>>
>>> On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote:
>>>
>>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>> installation uses this DNS record in the autodiscovery of the IPA server in
>>> the given DNS domain.
>>
>> In AD managed zone that would be domain controller itself.
>>
>> pz
>
> You are right. In that case the autodiscovery has to be skipped and
> --server/--domain parameters need to be added to the client installation
> script manually.
>
> Martin

Yes, please try with --server as a workaround.

This is a rather tricky one. We fetch the IPA CA so we can make a TLS
connection and gather some data for autodiscovery. I guess we need to
make the failure to retrieve the CA non-fatal, I'm just not sure what
other implications that will have. I thought we passed along the
provided server to autodiscovery so this wouldn't happen.

I've opened https://fedorahosted.org/freeipa/ticket/1135 to track this.

thanks

rob



Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Steven Jones
actPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at 
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at java.net.Socket.(Socket.java:392)
at java.net.Socket.(Socket.java:235)
at HTTPClient.sslConnect(HTTPClient.java:326)
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:359)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
Exception: Unable to Send Request:java.net.NoRouteToHostException: No route to 
host
java.net.NoRouteToHostException: No route to host
at java.net.PlainSocketImpl.socketConnect(Native Method)
at 
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
at 
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at 
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at java.net.Socket.(Socket.java:392)
at java.net.Socket.(Socket.java:235)
at HTTPClient.sslConnect(HTTPClient.java:326)
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:364)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)
java.lang.NullPointerException
at ConfigureCA.SecurityDomainLoginPanel(ConfigureCA.java:369)
at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1239)
at ConfigureCA.main(ConfigureCA.java:1761)

2011-03-28 23:39:05,352 CRITICAL failed to configure ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV 
-client_certdb_pwd '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA 
-admin_user admin -admin_email root@localhost -admin_password '' 
-agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa 
-agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host 
fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" 
-bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 
-key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
'' -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" 
-ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" 
-ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" 
-ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate 
Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 
-clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz 
-sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' 
-clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' 
returned non-zero exit status 255
2011-03-28 23:39:05,388 DEBUG Configuration of CA failed
  File "/usr/sbin/ipa-replica-install", line 551, in 
main()

  File "/usr/sbin/ipa-replica-install", line 490, in main
CA = install_ca(config)

  File "/usr/sbin/ipa-replica-install", line 190, in install_ca
subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
514, in configure_instance
self.start_creation("Configuring certificate server", 360)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
282, in start_creation
method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
653, in __configure_instance
raise RuntimeError('Configuration of CA failed')


regards



From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:37 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replica install failure

Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
>[4/11]: configuring certificate server instance
> root: CRITICAL failed to configure ca instance Command '/usr/bin/perl 
> /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz 
> -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd 
> '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin 
> -admin_email root@localhost -admi

Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
Hi,

This is RC3 on F14, which seems to be the latest available for F14? Guess you 
need an rc4...not F15 with 2.0...that's alpha...I have enough bugs to 
battle with.

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA
>
> I did as below and even with --force your script ignores these flags; it 
> insists on doing AD lookups and gets the AD info...and obviously the cert 
> isn't on the AD box.
>
> 8><
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> installation uses this DNS record in the autodiscovery of the IPA server in
> the given DNS domain.
>
> You may want to check the DNS record or set the domain and server
> manually:
>
> # ipa-client-install --server= --domain=
>

That was the bug that we fixed last week.
Rob, did it make the GA?
Or are the bits you are using not GA?

> Regards,
> Martin
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
What do I put in the python script as a work around?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA
>
> I did as below and even with --force your script ignores these flags; it 
> insists on doing AD lookups and gets the AD info...and obviously the cert 
> isn't on the AD box.
>
> 8><
>
> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
> installation uses this DNS record in the autodiscovery of the IPA server in
> the given DNS domain.
>
> You may want to check the DNS record or set the domain and server
> manually:
>
> # ipa-client-install --server= --domain=
>

That was the bug that we fixed last week.
Rob, did it make the GA?
Or are the bits you are using not GA?

> Regards,
> Martin
>


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] replica install failure....

2011-03-29 Thread Steven Jones
The ipv6 wasn't "right" I guess.

I have added the host's name into that line...will retry.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:43 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replica install failure....

Steven Jones wrote:
> Hi,
>
> This is F14, guess you missed the hostnames...

It is not safe to assume based on hostname which is why I also asked.

Your problem is this:

Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host

It looks to be resolving to a very strange reverse, :-1?

Posting Query =
https://fed14-64-ipam002.ipa.ac.nz:9445//ca/admin/console/config/wizard?p=4&op=next&xml=true
RESPONSE STATUS:  HTTP/1.1 302 Moved Temporarily
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Location: https://:-1/

Can you double-check that /etc/hosts is set up correctly?

thanks

rob

>
> regards
>
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Martin Kosek [mko...@redhat.com]
> Sent: Tuesday, 29 March 2011 9:09 p.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] replica install failure
>
> On Mon, 2011-03-28 at 23:45 +, Steven Jones wrote:
>> Just tried to make a replica and the install failed with,
>>
>>[4/11]: configuring certificate server instance
>> root: CRITICAL failed to configure ca instance Command 
>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
>> fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV 
>> -client_certdb_pwd '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name 
>> IPA -admin_user admin -admin_email root@localhost -admin_password '' 
>> -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa 
>> -agent_cert_subject "CN=ipa-ca-agent,O=IPA.AC.NZ" -ldap_host 
>> fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn "cn=Directory Manager" 
>> -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 
>> -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
>> '' -subsystem_name pki-cad -token_name internal 
>> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=IPA.AC.NZ" 
>> -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=IPA.AC.NZ" 
>> -ca_server_cert_subject_name "CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ" 
>> -ca_audit_signing_cert_subject_name "CN=CA Audit,O=IPA.AC.NZ" -ca_sign_cert_subject_name "CN=Certificate 
>> Authority,O=IPA.AC.NZ" -external false -clone true -clone_p12_file ca.p12 
>> -clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz 
>> -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' 
>> -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' 
>> returned non-zero exit status 255
>> creation of replica failed: Configuration of CA failed
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> [root@fed14-64-ipam002 jonesst1]#
>>
>
> Hello Steven,
>
> Can you please send me the version of the tomcat6 server on your Fedora 15
> with IPA replica?
>
> This is most probably a known issue which was stated in Freeipa v2
> announcement:
>
> [Freeipa-devel] Announcing FreeIPA v2 Server
>
> [snip]
> Known Issues
>
>* The latest tomcat6 package has not been pushed to updates-testing.
> You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from
> koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 .
> The installation will fail restarting the CA with the current tomcat6
> package in Fedora 15.
> [snip]
>
>
> If this is your case, you may want to install the RPMs from koji or just
> install them from the rawhide repository.
>
> Regards,
> Martin
>


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
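A check along the lines of Rob's "double-check that /etc/hosts is set up correctly", added here as an example and not code from the thread or from FreeIPA: it parses a hosts file and rejects a replica FQDN that is missing or mapped onto a loopback line. The hostnames are the ones from this thread; the addresses and sample hosts files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check /etc/hosts for a FreeIPA
# replica before (re)running ipa-replica-install. The CA step above failed
# with "No route to host" and a redirect to "https://:-1/", and Rob asked for
# /etc/hosts to be double-checked. FreeIPA requires the server's FQDN to
# resolve to a real, non-loopback address, so the FQDN must not sit on the
# 127.0.0.1 or ::1 line and must be present at all.
# Usage: check_hosts_entry /etc/hosts fed14-64-ipam002.ipa.ac.nz

# Print each address that maps name $2 in hosts file $1 (comments ignored).
# The name is matched as a whole token, case-insensitively, as a resolver does.
hosts_addresses() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == name) { print $1; break } }
    ' "$1"
}

# True (exit 0) if $1 is a loopback address: IPv4 127/8 or IPv6 ::1.
is_loopback() {
    case "$1" in
        127.*|::1|0:0:0:0:0:0:0:1) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if $2 has at least one mapping in $1 and none of them is loopback;
# prints each finding and exits 1 otherwise.
check_hosts_entry() {
    hosts_file=$1; fqdn=$2
    addrs=$(hosts_addresses "$hosts_file" "$fqdn")
    if [ -z "$addrs" ]; then
        echo "FAIL: no entry for $fqdn in $hosts_file"
        return 1
    fi
    rc=0
    for a in $addrs; do
        if is_loopback "$a"; then
            echo "FAIL: $fqdn is mapped to loopback address $a"
            rc=1
        else
            echo "ok: $fqdn -> $a"
        fi
    done
    return $rc
}

# Constructed sample files for a stand-alone run. Addresses are taken from
# the 192.0.2.0/24 documentation range, not real ipa.ac.nz addresses.
write_samples() {
    dir=$1
    printf '%s\n' \
        '127.0.0.1   localhost localhost.localdomain' \
        '::1         localhost6' \
        '192.0.2.12  fed14-64-ipam002.ipa.ac.nz fed14-64-ipam002' \
        '192.0.2.11  fed14-64-ipam001.ipa.ac.nz fed14-64-ipam001' > "$dir/hosts.good"
    printf '%s\n' \
        '# replica FQDN placed on the loopback lines (wrong)' \
        '127.0.0.1   localhost fed14-64-ipam002.ipa.ac.nz' \
        '::1         localhost6 FED14-64-IPAM002.IPA.AC.NZ' > "$dir/hosts.bad"
    printf '%s\n' '127.0.0.1 localhost' > "$dir/hosts.missing"
}

if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in good bad missing; do
        echo "== hosts.$f"
        check_hosts_entry "$tmp/hosts.$f" fed14-64-ipam002.ipa.ac.nz || true
    done
    rm -rf "$tmp"
fi
```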


Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
uh OK...but why is it ignoring my --server and --domain? and going to the dc 
for the certificate?

This ticket still does not help me proceed.

regards



From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:50 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> What do I put in the python script as a work around?

https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html

>
> regards
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:29 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> On 03/29/2011 03:26 PM, Steven Jones wrote:
>> Hi,
>>
>> The DNS is in AD so it can't be set to suit IPA
>>
>> I did as below and even with --force your script ignores these flags; it 
>> insists on doing AD lookups and gets the AD info...and obviously the cert 
>> isn't on the AD box.
>>
>> 8><
>>
>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>> installation uses this DNS record in the autodiscovery of the IPA server in
>> the given DNS domain.
>>
>> You may want to check the DNS record or set the domain and server
>> manually:
>>
>> # ipa-client-install --server=  --domain=
>>
>
> That was the bug that we fixed last week.
> Rob, did it make the GA?
> Or are the bits you are using not GA?
>
>> Regards,
>> Martin
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
>
>




Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
I used --force as well...it still ignores it

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:58 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> uh OK...but why is it ignoring my --server and --domain? and going to the 
> dc for the certificate?
>
> This ticket still does not help me proceed.

You need --force as well.

We try very hard not to hardcode values into the configuration files
which is why we always autodiscover.

With the patch and --force it should push through and complete the
installation.

rob

>
> regards
>
>
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:50 a.m.
> To: Steven Jones
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> What do I put in the python script as a work around?
>
> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>
>>
>> regards
>> 
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
>> behalf of Dmitri Pal [d...@redhat.com]
>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>> Hi,
>>>
>>> The DNS is in AD so it can't be set to suit IPA
>>>
>>> I did as below and even with --force your script ignores these flags; it 
>>> insists on doing AD lookups and gets the AD info...and obviously the cert 
>>> isn't on the AD box.
>>>
>>> 8><
>>>
>>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>> installation uses this DNS record in the autodiscovery of the IPA server in
>>> the given DNS domain.
>>>
>>> You may want to check the DNS record or set the domain and server
>>> manually:
>>>
>>> # ipa-client-install --server=   --domain=
>>>
>>
>> That was the bug that we fixed last week.
>> Rob, did it make the GA?
>> Or are the bits you are using not GA?
>>
>>> Regards,
>>> Martin
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> ---
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] AD setup failure

2011-03-29 Thread Steven Jones
Hi,

My Windows person suggests that because this is a self-signed cert, the client
needs to be forced to trust it?

regards

Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> Got a bit further... I was missing "--passsync"

I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.

>
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
> /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
> required to create a winsync agreement
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
> cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync 
> Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> Added CA certificate /home/jonesst1/domaincert.cer to certificate database 
> for fed14-64-ipam001.ipa.ac.nz
> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 
> 'desc': 'Connect error'}
> unexpected error: Failed to setup winsync replication
> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
> dc0001.ipa.ac.nz has address 192.168.101.2
> [root@fed14-64-ipam001 samba]#
>
> But still isn't working.

I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] client setup failure

2011-03-29 Thread Steven Jones
[root@fed14-64-cli01 tmp]# ipa-client-install --server 
fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
Retrieving CA from dc0001.ipa.ac.nz failed.
Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt 
http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
[root@fed14-64-cli01 tmp]#

So the client isn't appearing in the IPA web GUI... so it's a total failure to
join...

regards


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:03 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> I used --force as well... it still ignores it

More information would be helpful. Ignores it how, what error messages
do you get, etc.

rob

>
> regards
> 
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:58 a.m.
> To: Steven Jones
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> Steven Jones wrote:
>> uh OK... but why is it ignoring my --server and --domain, and going to the
>> DC for the certificate?
>>
>> This ticket still does not help me proceed
>
> You need --force as well.
>
> We try very hard not to hardcode values into the configuration files
> which is why we always autodiscover.
>
> With the patch and --force it should push through and complete the
> installation.
>
> rob
>
>>
>> regards
>>
>>
>> ____
>> From: Rob Crittenden [rcrit...@redhat.com]
>> Sent: Wednesday, 30 March 2011 8:50 a.m.
>> To: Steven Jones
>> Cc: d...@redhat.com; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] client setup failure
>>
>> Steven Jones wrote:
>>> What do I put in the python script as a work around?
>>
>> https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html
>>
>>>
>>> regards
>>> 
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] 
>>> on behalf of Dmitri Pal [d...@redhat.com]
>>> Sent: Wednesday, 30 March 2011 8:29 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] client setup failure
>>>
>>> On 03/29/2011 03:26 PM, Steven Jones wrote:
>>>> Hi,
>>>>
>>>> The DNS is in AD so it can't be set to suit IPA
>>>>
>>>> I did as below and even with --force your script ignores these flags; it
>>>> insists on doing AD lookups and gets the AD info... and obviously the cert
>>>> isn't on the AD box.
>>>>
>>>> 8><
>>>>
>>>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
>>>> installation uses this DNS record for autodiscovery of the IPA server in
>>>> the given DNS domain.
>>>>
>>>> You may want to check the DNS record or set the domain and server
>>>> manually:
>>>>
>>>> # ipa-client-install --server=--domain=
>>>>
>>>
>>> That was the bug that we fixed last week.
>>> Rob, did it make the GA?
>>> Or the bits you are using are not GA.
>>>
>>>> Regards,
>>>> Martin
>>>>
>>>> ___
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> ---
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
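The wget failure above shows where autodiscovery actually led the client: the _ldap._tcp SRV record Martin asks about is resolved for the domain being joined, and when that zone is hosted by Active Directory its SRV targets are the domain controllers, so the CA fetch went to dc0001.ipa.ac.nz rather than to the IPA server. The shell functions below are an added example, not part of this thread and not ipa-client-install's own code. They take SRV records in the answer format `dig` prints, order them as RFC 2782 tells a client to try them (lowest priority first, then highest weight), and report which host a client would contact first, which is the quickest way to see whether a domain's records point at IPA or at AD before running the installer. The three records in SAMPLE_SRV are constructed for the example (the hostnames are the ones from this thread); the live lookup needs `dig` and network access.

```shell
#!/bin/sh
# Added example (not ipa-client-install code): see which host an SRV-based
# autodiscovery would land on, and whether that host is the IPA server or a DC.

# Constructed records in `dig` answer-section format:
# name  ttl  class  type  priority  weight  port  target
SAMPLE_SRV='_ldap._tcp.ipa.ac.nz. 600 IN SRV 0 100 389 dc0001.ipa.ac.nz.
_ldap._tcp.ipa.ac.nz. 600 IN SRV 0 50 389 dc0002.ipa.ac.nz.
_ldap._tcp.ipa.ac.nz. 600 IN SRV 10 100 389 fed14-64-ipam001.vuw.ac.nz.'

# Read SRV records on stdin, print "priority weight port target" in the order
# RFC 2782 tells a client to try them: lowest priority first, and within one
# priority the higher weight first (a real client picks randomly, biased by
# weight; this prints the deterministic best case). Trailing dots are dropped.
srv_order() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' |
        sort -k1,1n -k2,2nr -k4,4
}

# The single target the client tries first.
srv_first_target() { srv_order | head -n 1 | awk '{ print $4 }'; }

# Every target, one per line, in try order.
srv_targets() { srv_order | awk '{ print $4 }'; }

# Does the expected server appear in the record set at all? Exit 0 if so.
srv_contains() { srv_targets | grep -qx -- "$1"; }

# Live lookup of the record consulted for a domain (needs dig and network
# access; the offline checks do not call this). Usage: srv_lookup_live ipa.ac.nz
srv_lookup_live() { dig +noall +answer SRV "_ldap._tcp.$1"; }

# Offline demo: run as "sh thisfile.sh demo".
if [ "${1:-}" = "demo" ]; then
    echo "Try order for the constructed records:"
    printf '%s\n' "$SAMPLE_SRV" | srv_order
    echo "First target: $(printf '%s\n' "$SAMPLE_SRV" | srv_first_target)"
fi
```

For a real zone, `srv_lookup_live ipa.ac.nz | srv_first_target` shows the host a default autodiscovery would reach, and `srv_lookup_live ipa.ac.nz | srv_contains fed14-64-ipam001.vuw.ac.nz` tells you whether the IPA server is advertised in that domain at all. If the first target is a DC, the installer has to be told the server explicitly, which is the situation the --server/--domain/--force discussion above is about.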

