[Freeipa-users] getting a kerberos ticket for Firefox
Hi,

I am trying to web browse to the localhost and it is telling me to obtain a valid kerberos ticket and configure Firefox... Where do I export / find this ticket? And how do I install it as a user so I can connect?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] problems installing freeipa v2
Hi,

Since there seems to be no explanation why I can't update via ldapmodify, can I install some of the 389 GUI parts to allow me to do this via its GUI? If so, how?

And/or how can I get a look at the attributes to figure out what's wrong with the commands? Something like you have changed ver2 from ver1 and the doc hasn't been corrected?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Tuesday, 21 September 2010 12:58 p.m.
To: Freeipa-users@redhat.com
Subject: [Freeipa-users] problems installing freeipa v2

Section 4.3 of the manual. Running the command,

    ldapmodify -x -D "cn=Directory Manager" -W
    Enter LDAP Password: ***
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    changetype: modify
    add: passSyncManagersDNs
    passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=vuw,dc=ac,dc=nz

    ldapmodify: wrong attributeType at line 4, entry "cn=ipa_pwd_extop,cn=plugins,cn=config"

I cannot figure out what is wrong here?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
Re: [Freeipa-users] problems installing freeipa v2
Hi,

This is Fedora 13 with the yum repo set up as per your web site...

    389-ds-base-1.2.6-1.fc13.x86_64
    ipa-server-1.2.2-4.fc13.x86_64

Your ldapsearch command gives me,

    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

um.. So the LDAP server is dead?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, 22 September 2010 10:02 a.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] problems installing freeipa v2

Steven Jones wrote:
> Hi,
>
> Since there seems to be no explanation why I can't update via ldapmodify,

It wasn't entirely clear what version of IPA you were using. You filed a doc bug against v1 and asked other basic questions, I assumed you had the version wrong. I figured this would come back up once you were able to kinit and get to the GUI.

> Can I install some of the 389 GUI parts to allow me to do this via its GUI?

This is strongly discouraged.

> If so, how? And/or how can I get a look at the attributes to figure out what's wrong with the commands? Something like you have changed ver2 from ver1 and the doc hasn't been corrected?

It works for me in the IPA v2 git head. What does your entry look like now?

    $ ldapsearch -x -D 'cn=directory manager' -W -s base -b 'cn=ipa_pwd_extop,cn=plugins,cn=config'

And more importantly, what is the rpm version of the IPA server you are using? The version of 389-ds-base might be handy too.

rob
Re: [Freeipa-users] problems installing freeipa v2
This time I copied the output from the ldapsearch command

    dn: cn=ipa_pwd_extop,cn=plugins,cn=config

and it worked... ?

So, section 4.4

    ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
        --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v

This appears to be wrong? It should be,

    ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
        --cacert /path/to/certfile.cer adserver.example.com --passsync 'domain admin password' -v

?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Steven Jones
Sent: Wednesday, 22 September 2010 10:49 a.m.
To: Steven Jones; Freeipa-users@redhat.com
Subject: RE: [Freeipa-users] problems installing freeipa v2

Hi,

I backed out the snapshot and restarted... now I get,

    # extended LDIF
    #
    # LDAPv3
    # base <cn=ipa_pwd_extop,cn=plugins,cn=config> with scope baseObject
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # ipa_pwd_extop, plugins, config
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: ipa_pwd_extop
    nsslapd-pluginPath: libipa_pwd_extop
    nsslapd-pluginInitfunc: ipapwd_init
    nsslapd-pluginType: extendedop
    nsslapd-pluginEnabled: on
    nsslapd-pluginId: IPA Password Manager
    nsslapd-pluginVersion: FreeIPA/1.0
    nsslapd-pluginVendor: FreeIPA project
    nsslapd-pluginDescription: IPA Password Extended Operation plugin
    nsslapd-plugin-depends-on-type: database
    nsslapd-realmtree: dc=vuw,dc=ac,dc=nz

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

===

I tried again, this line seems to be the issue,

    dn: cn=ipa_pwd_extop,cn=plugins,cn=config

So I simply follow the guide and input each line one by one? Hitting enter at the end of each line?

My impression is it's like I am doing something wrong because the instruction is so unclear... really the manuals are written by ppl that know how to do this syntax well... so you are maybe overlooking my simple misunderstanding of how to enter these commands correctly.

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
Re: [Freeipa-users] problems installing freeipa v2
Hi,

Ok, it isn't crashing the LDAP server/service, it's doing a shutdown of it according to the error log...

So while a sync is happening the LDAP server is offline? How long should this take? 30secs? 3mins? 30mins?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Steven Jones
Sent: Wednesday, 22 September 2010 2:27 p.m.
To: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] problems installing freeipa v2

For

    ipa-replica-manage list

The output is my AD

    vuwwincodc1.vuw.ac.nz

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, 22 September 2010 2:20 p.m.
To: Steven Jones
Cc: Freeipa-users@redhat.com
Subject: Re: [Freeipa-users] problems installing freeipa v2

Steven Jones wrote:
> Hi,
>
> Yes I think you are correct, --bindpw is needed except running this crashed the LDAP server... or sends it off to zombie land and I have to reboot it!
>
>     ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw 'domain admin password' \
>         --cacert /path/to/certfile.cer adserver.example.com --passsync 'domain admin password' -v
>
> Is there a log somewhere to look for why?

Crashed which LDAP server? Logs are in /var/log/dirsrv-YOUR_INSTANCE_NAME.

Can you provide the output of ipa-replica-manage?

rob

> regards
>
> Steven Jones
> Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, 22 September 2010 1:57 p.m.
> To: Steven Jones
> Cc: Freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] problems installing freeipa v2
>
> Steven Jones wrote:
> > This time I copied the output from the ldapsearch command
> >
> >     dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> >
> > and it worked...
>
> Cosmic rays maybe, those strings look identical to me. Glad it's working now in any case.
>
> > ?
> >
> > So, section 4.4
> >
> >     ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
> >         --bindpw password --cacert /path/to/certfile.cer adserver.example.com -v
> >
> > This appears to be wrong? It should be,
> >
> >     ipa-replica-manage add --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \
> >         --cacert /path/to/certfile.cer adserver.example.com --passsync 'domain admin password' -v
>
> You're right in that --passsync is required but --bindpw should also be required. I filed https://bugzilla.redhat.com/show_bug.cgi?id=636377 for this.
>
> rob
Re: [Freeipa-users] problems installing freeipa v2
8<---
> Can you reliably reproduce this behavior after restarting directory server?
8<---

Yes it appears so..

=error=====
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:16:08:32 +1200] - All database threads now stopped
[22/Sep/2010:16:08:32 +1200] - slapd stopped.
=====

=access=====
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 SRCH base="dc=vuw,dc=ac,dc=nz" scope=2 filter="(&(cn=pulse-rt)(objectClass=posixGroup))" attrs="objectClass cn userPassword gidNumber member nsUniqueId modifyTimestamp"
[22/Sep/2010:15:57:41 +1200] conn=6 op=15 RESULT err=0 tag=101 nentries=0 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 fd=70 slot=70 SSL connection from 130.195.53.104 to 130.195.53.104
[22/Sep/2010:15:58:16 +1200] conn=8 SSL 256-bit AES
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 BIND dn="cn=directory manager" method=128 version=3
[22/Sep/2010:15:58:16 +1200] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 SRCH base="cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-instancedir nsslapd-errorlog nsslapd-certdir nsslapd-schemadir"
[22/Sep/2010:15:58:16 +1200] conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 SRCH base="cn=config,cn=ldbm database,cn=plugins,cn=config" scope=0 filter="(objectClass=*)" attrs="nsslapd-directory"
[22/Sep/2010:15:58:16 +1200] conn=8 op=2 RESULT err=0 tag=101 nentries=1 etime=0
=====

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
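The errors-log excerpt above is the kind of thing worth scanning automatically when a winsync agreement and a directory-server shutdown overlap. The following is an added example, not from the thread or from the 389-ds/FreeIPA projects: it parses this errors-log format, extracts replication-agreement failures with their LDAP result code, and measures how long slapd took between "shutting down" and "stopped"; the sample lines are constructed to mirror Steven's excerpt.

```python
"""Summarise 389-ds errors-log lines around a failed winsync agreement.

Added example, not from the thread. It parses the errors-log format seen in
Steven's post ("[dd/Mon/yyyy:HH:MM:SS +zzzz] component - message"), pulls out
replication-agreement failures with their LDAP result code, and measures how
long slapd took from "shutting down" to "stopped", so the two can be lined up
on one timeline. The sample lines are constructed to match the thread, not
copied from a live server.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on the errors-log excerpt in the thread.
SAMPLE_ERRORS_LOG = """\
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - signaling operation threads
[22/Sep/2010:15:58:16 +1200] - slapd shutting down - closing down internal subsystems and plugins
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - error in windows_conn_get_search_result, rc=-1
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - agmt="cn=meTovuwwincodc1.vuw.ac.nz636" (vuwwincodc1:636): Failed to get search operation: LDAP error 81 (Can't contact LDAP server)
[22/Sep/2010:16:08:31 +1200] NSMMReplicationPlugin - failed to send dirsync search request: 2
[22/Sep/2010:16:08:32 +1200] - Waiting for 4 database threads to stop
[22/Sep/2010:16:08:32 +1200] - All database threads now stopped
[22/Sep/2010:16:08:32 +1200] - slapd stopped.
"""

# "[ts] component - message"; the component is absent on core slapd lines.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<component>\S+) )?- (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<detail>.*)')
LDAP_ERR_RE = re.compile(r"LDAP error (?P<code>\d+) \((?P<text>[^)]*)\)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Dict]:
    """Split one errors-log line into timestamp, component and message."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # not a log line in this format
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ts": ts, "component": m.group("component") or "", "msg": m.group("msg")}


def summarise(text: str) -> Dict:
    """Return agreement failures plus the duration of any slapd shutdown."""
    failures: List[Dict] = []
    shutdown_start = shutdown_end = None
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith("slapd shutting down") and shutdown_start is None:
            shutdown_start = rec["ts"]
        elif msg.startswith("slapd stopped"):
            shutdown_end = rec["ts"]
        if rec["component"] == "NSMMReplicationPlugin":
            a = AGMT_RE.search(msg)
            if a:
                e = LDAP_ERR_RE.search(a.group("detail"))
                failures.append({
                    "ts": rec["ts"].isoformat(),
                    "agmt": a.group("agmt"),
                    "peer": a.group("peer"),
                    "ldap_code": int(e.group("code")) if e else None,
                    "ldap_text": e.group("text") if e else None,
                    # True when the failure was logged after shutdown began
                    # but before "slapd stopped": the plugin was still
                    # trying to reach the peer while the server went down.
                    "during_shutdown": shutdown_start is not None and shutdown_end is None,
                })
    duration = None
    if shutdown_start and shutdown_end:
        duration = int((shutdown_end - shutdown_start).total_seconds())
    return {"agreement_failures": failures, "shutdown_duration_seconds": duration}


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_ERRORS_LOG), indent=2))
```

Run it over /var/log/dirsrv-YOUR_INSTANCE_NAME/errors to get the same two numbers Steven was asking about: which peer the agreement could not reach, and how long the shutdown actually took.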
[Freeipa-users] bug 634561
Hi,

Bug 634561 has been fixed... How do I get this into/onto my setup please?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
[Freeipa-users] Migrating passwd files etc into free-ipa
Is there a method to do this?

I tried to use LdapImport.pl from the 389 project and this failed, giving me all

    # = entry not added to destination (other error)

Possibly the password criteria in freeipa is too strong? How can I disable this feature? Or is there another way to import?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
[Freeipa-users] Free-ipa no longer working
Hi,

I have come back after the weekend and find that the gui no longer works. While trying to get a new kerberos ticket I get,

    kinit: Cannot contact and KDC realm 'VUW.AC.NZ' while getting credentials

So any ideas where I go looking?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
Re: [Freeipa-users] Migrating passwd files etc into free-ipa
Hi,

Thanks...

Re: your comment... However I will re-direct you to one of the core ideas I thought was behind FreeIPA? To make it easy for the end user to deploy and use?

In my situation I have hundreds of users, over 2 hundred RHEL servers and probably shortly a pile of workstations... I have no experience/knowledge with any centralised system, LDAP, AD etc and zero programming capability beyond bash scripting, no money and no time... so this is actually VERY technically challenging for me ESPECIALLY with a management that are all Windows trained and are used to typing dcpromo and job done with no cost and would happily rip out RedHat to save money at the drop of a hat if they could.

Redhat I assume wants to sell this into the enterprise?, in version RHEL 6.1? This is certainly what our friendly RH architect tells us... He recommended we try freeIPA, I will feed back to him.

So please don't under-estimate the value of migration tools. For you, sure, it's technically easy, for me at the bottom of the identity management ladder, I have a huge setup, so it's close to impossible. You don't deploy this as a one off in the real world or day to day.?

So anyway I used the existing padl tools and oh that didn't work... easy would have been... it worked.

It's very simple, vendors who want to sell their [alternative] product into the market place have to supply a migration tool from the competition's product or there won't be a deal.

regards

Steven

bcc MW.

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 28 September 2010 4:30 a.m.
To: Steven Jones
Cc: Dmitri Pal; freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
> Ok,
>
> So let's avoid the passwords. Is there an automatic / scripted way to import the passwd file so I get the UID's, GID's etc into ipa?

We have generally left this as an exercise for the end-user because it isn't a technically difficult problem. It is more a policy and config problem.

Attached is a simple demonstration of doing this using IPA command-line. The tricky part is dealing with names. There is no universal way of getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob

> regards
>
> Steven Jones
> Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
> -----Original Message-----
> From: Dmitri Pal [mailto:d...@redhat.com]
> Sent: Friday, 24 September 2010 11:18 p.m.
> To: Steven Jones
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa
>
> Steven Jones wrote:
> > Is there a method to do this?
> >
> > I tried to use LdapImport.pl from the 389 project and this failed, giving me all
> >
> >     # = entry not added to destination (other error)
> >
> > Possibly the password criteria in freeipa is too strong? How can I disable this feature? Or is there another way to import?
>
> Migration of the passwords is a tough problem. The issue is that the passwords in the local files are hashed using a simple hash algorithm while in IPA they are hashed to create kerberos keys. Converting from one to another without knowing the clear password is not possible.
>
> If you already have an LDAP server with passwords you can take advantage of our LDAP migration schemes but if you have local files this will be a challenge.
>
> For the migrating-from-LDAP case you can load your users into the IPA and then configure SSSD to use migration mode on the client or you can instruct users to go to a special migration web page. In both cases you already have the password hashed in the LDAP format in the IPA so SSSD or the Migration page will capture the cleartext password and pass it to IPA so that it can use it to generate the Kerberos hashes.
>
> A quick search around migrating passwords from flat files to LDAP showed that it is in some cases possible (if the hash that is used by the flat file is supported by the DS server, but tricky). We do not have any aid here so it is simpler to reset the password.
>
> If this is not an option, as far as I understand you need to create user accounts first with some password and then overwrite the password attribute in the LDAP with the properly decorated hash taken from the password file. And after that you still need the kerberos keys for IPA to work so you still need to use the Migration page or SSSD.
>
> It might be less trouble just to bite the bullet and reset passwords as you migrate to IPA.
>
> Thanks
> Dmitri
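Rob's attached demonstration is not on the page; what follows is an added example in the same spirit, not his script and not FreeIPA project code. It parses passwd-format lines, skips entries without a gecos as his did, splits the gecos into first/last name by a heuristic, and emits `ipa user-add` argument vectors for review rather than running them. Assumptions: the flags --first, --last, --uid, --gidnumber, --gecos, --homedir and --shell are those of `ipa user-add` as I know it (check `ipa help user-add` on your version); the sample passwd lines and the 1000 minimum UID are constructed; and, as Dmitri explains above, no password is carried across because the flat-file hashes cannot become Kerberos keys.

```python
"""Turn /etc/passwd-style entries into `ipa user-add` commands.

Added example, not Rob's attachment and not FreeIPA project code. Behaviour
mirrors what he describes: entries without a gecos are skipped and the gecos
is split into first/last name by a heuristic, because there is no universal
rule. Passwords are not migrated (the hashes cannot become Kerberos keys, as
Dmitri explains); users get a password reset or the migration page instead.
Assumptions: the ipa user-add flags below (check `ipa help user-add`), the
constructed sample input, and MIN_UID for skipping system accounts.
"""
import shlex
from typing import List, Optional, Tuple

# Constructed sample input; the third entry has an empty gecos.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jonesst1:x:1001:1001:Steven Jones,Linux/Vmware,64 4 463 6272:/home/jonesst1:/bin/bash
svc_backup:x:1002:1002::/home/svc_backup:/sbin/nologin
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""

MIN_UID = 1000  # assumption: accounts below this are system accounts


def split_gecos(gecos: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) from a gecos field, or None if it holds no name.

    Only the full-name part (before the first comma) is used. A single
    token is reused for both names because ipa user-add requires both.
    """
    full = gecos.split(",", 1)[0].strip()
    if not full:
        return None
    parts = full.split()
    if len(parts) == 1:
        return parts[0], parts[0]
    return parts[0], " ".join(parts[1:])


def passwd_to_ipa_commands(text: str, min_uid: int = MIN_UID) -> List[List[str]]:
    """Parse passwd lines; return one ipa user-add argv per migratable user.

    Skipped: blank/comment lines, lines without exactly 7 fields,
    non-numeric or low UIDs/GIDs, and entries whose gecos yields no name.
    """
    cmds: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        login, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()) or int(uid) < min_uid:
            continue
        names = split_gecos(gecos)
        if names is None:
            continue
        first, last = names
        cmds.append([
            "ipa", "user-add", login,
            "--first=" + first, "--last=" + last,
            "--uid=" + uid, "--gidnumber=" + gid,
            "--gecos=" + gecos, "--homedir=" + home, "--shell=" + shell,
        ])
    return cmds


def to_shell(cmds: List[List[str]]) -> str:
    """Render the argv lists as a reviewable shell script, one line each."""
    return "\n".join(" ".join(shlex.quote(a) for a in cmd) for cmd in cmds)


if __name__ == "__main__":
    print(to_shell(passwd_to_ipa_commands(SAMPLE_PASSWD)))
```

Review the generated script before running it with a kinit'd admin ticket; the gecos split is the part that most often needs hand correction, exactly as Rob warns.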
Re: [Freeipa-users] bug 634561
Hi,

Sorry if this sounds pushy but any chance of an ETA please?

regards

Steven Jones
Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand

-----Original Message-----
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Friday, 24 September 2010 8:20 a.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] bug 634561

Steven Jones wrote:
> Hi,
>
> Bug 634561 has been fixed... How do I get this into/onto my setup please?

We're working on a 389-ds-base 1.2.6.1 release. Should be in testing very soon.

> regards
>
> Steven Jones
> Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release
Has anyone tried this? I get a "Damaged repo file".

regards
Re: [Freeipa-users] [Freeipa-devel] Announcing FreeIPA v2 Server Release Candidate 1 Release
Is there a series of RPMs I can download? i.e. can someone tell me which ones I need for the server and which ones I need for the client and in what order I install?

I can get the rpms off the store, just not via yum as the repo is dead for me... either it's a remote issue, or our firewall is preventing a connection by some means.

regards
[Freeipa-users] While attempting to make a replica....I get this failure....
    [root@fed14-64-ipam001 jonesst1]# ipa-replica-prepare fed14-64-ipam002.ipa.ac.nz
    Directory Manager (existing master) password:

    Preparing replica for fed14-64-ipam002.ipa.ac.nz from fed14-64-ipam001.ipa.ac.nz
    Creating SSL certificate for the Directory Server
    ipa: INFO: sslget 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
    Creating SSL certificate for the Web Server
    ipa: INFO: sslget 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
    preparation of replica failed: cannot connect to 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key necessary for authentication.
    cannot connect to 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key necessary for authentication.
      File "/usr/sbin/ipa-replica-prepare", line 431, in <module>
        main()
      File "/usr/sbin/ipa-replica-prepare", line 363, in main
        export_certdb(api.env.realm, ds_dir, dir, passwd_fname, httpcert, replica_fqdn, subject_base)
      File "/usr/sbin/ipa-replica-prepare", line 136, in export_certdb
        raise e

If I go to the URL I get,

    The Certificate System has encountered an unrecoverable error.
    Error Message:
    java.lang.NullPointerException
    Please contact your local administrator for assistance.

???

regards
[Freeipa-users] While attempting to join a client ....I get this failure....
I have just built these 2 fed14 to act as a server and client and run yum update... so they should be as closely sync'd as possible...

=client=====
    [root@fed14-64-ipacl01 ~]# ipa-client-install
    Discovery was successful!
      Realm: IPA.AC.NZ
      DNS Domain: ipa.ac.nz
      IPA Server: fed14-64-ipam001.ipa.ac.nz
      BaseDN: dc=ipa,dc=ac,dc=nz

    Continue to configure the system with these values? [no]: yes
    Enrollment principal: admin
    Password for ad...@ipa.ac.nz:
    Joining realm failed because of failing XML-RPC request.
      This error may be caused by incompatible server/client major versions.
    [root@fed14-64-ipacl01 ~]# date
    Mon Feb 28 03:12:57 NZDT 2011
    [root@fed14-64-ipacl01 ~]#
=====

=server=====
8<
    Is this ok [y/N]: y
    Downloading Packages:
    Setting up and reading Presto delta metadata
    updates-testing/prestodelta                              |  30 kB     00:00
    Processing delta metadata
    Package(s) data still to download: 304 k
    (1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm              | 175 kB     00:00
    (2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm       | 129 kB     00:00
    Total                                           789 kB/s | 304 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64          1/4
      Updating   : nss-softokn-3.12.9-5.fc14.x86_64                 2/4
      Cleanup    : nss-softokn-3.12.9-4.fc14.x86_64                 3/4
      Cleanup    : nss-softokn-freebl-3.12.9-4.fc14.x86_64          4/4

    Updated:
      nss-softokn.x86_64 0:3.12.9-5.fc14
      nss-softokn-freebl.x86_64 0:3.12.9-5.fc14

    Complete!
    [root@fed14-64-ipam001 tmp]# date
    Mon Feb 28 03:13:02 NZDT 2011
    [root@fed14-64-ipam001 tmp]#
=====

So nothing major on the server needs updating and the client is bang up to date, time stamp is close.

regards
[Freeipa-users] Freeipa fails to start after a reboot
What scripts need to be run and in what order to start the primary ipa server?

regards
Re: [Freeipa-users] While attempting to join a client ....I get this failure....
Hi,

The point is both the client and the server are up to date in terms of patches from the repo. So your repo is not consistent and needs fixing..

regards

On Mon, 2011-02-28 at 10:43 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I have just built these 2 fed14 to act as a server and client and run yum update... so they should be as closely sync'd as possible...
> >
> > =client=====
> >     [root@fed14-64-ipacl01 ~]# ipa-client-install
> >     Discovery was successful!
> >       Realm: IPA.AC.NZ
> >       DNS Domain: ipa.ac.nz
> >       IPA Server: fed14-64-ipam001.ipa.ac.nz
> >       BaseDN: dc=ipa,dc=ac,dc=nz
> >
> >     Continue to configure the system with these values? [no]: yes
> >     Enrollment principal: admin
> >     Password for ad...@ipa.ac.nz:
> >     Joining realm failed because of failing XML-RPC request.
> >       This error may be caused by incompatible server/client major versions.
> >     [root@fed14-64-ipacl01 ~]# date
> >     Mon Feb 28 03:12:57 NZDT 2011
> >     [root@fed14-64-ipacl01 ~]#
> > =====
> >
> > =server=====
> > 8<
> >     Is this ok [y/N]: y
> >     Downloading Packages:
> >     Setting up and reading Presto delta metadata
> >     updates-testing/prestodelta                              |  30 kB     00:00
> >     Processing delta metadata
> >     Package(s) data still to download: 304 k
> >     (1/2): nss-softokn-3.12.9-5.fc14.x86_64.rpm              | 175 kB     00:00
> >     (2/2): nss-softokn-freebl-3.12.9-5.fc14.x86_64.rpm       | 129 kB     00:00
> >     Total                                           789 kB/s | 304 kB     00:00
> >     Running rpm_check_debug
> >     Running Transaction Test
> >     Transaction Test Succeeded
> >     Running Transaction
> >       Updating   : nss-softokn-freebl-3.12.9-5.fc14.x86_64          1/4
> >       Updating   : nss-softokn-3.12.9-5.fc14.x86_64                 2/4
> >       Cleanup    : nss-softokn-3.12.9-4.fc14.x86_64                 3/4
> >       Cleanup    : nss-softokn-freebl-3.12.9-4.fc14.x86_64          4/4
> >
> >     Updated:
> >       nss-softokn.x86_64 0:3.12.9-5.fc14
> >       nss-softokn-freebl.x86_64 0:3.12.9-5.fc14
> >
> >     Complete!
> >     [root@fed14-64-ipam001 tmp]# date
> >     Mon Feb 28 03:13:02 NZDT 2011
> >     [root@fed14-64-ipam001 tmp]#
> > =====
> >
> > So nothing major on the server needs updating and the client is bang up to date, time stamp is close.
> >
> > regards
>
> The client and server packages need to be the same version.
>
> We realized that we had re-used an OID and had to change the OID used to register the enrollment OID. So the client package needs to be the same version as the server, for now anyway.
>
> rob
Re: [Freeipa-users] Freeipa fails to start after a reboot
So I'm having fun. Looks like the rpm didn't install properly? Or the install script failed? Strange because it seemed to be running before I rebooted... so something has gone wrong after the install?

    [root@fed14-64-ipam001 init.d]# ipa start
    ipa: ERROR: unknown command 'start'
    [root@fed14-64-ipam001 init.d]# ./ipa start
    Starting Directory Service
    Starting dirsrv:
        IPA-AC-NZ...                                          [  OK  ]
        PKI-IPA...                                            [  OK  ]
    Error retrieving list of services {'matched': 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
    Is IPA installed?
    Failed to read data from Directory Service
    Shutting down
    Shutting down dirsrv:
        IPA-AC-NZ...                                          [  OK  ]
        PKI-IPA...                                            [  OK  ]
    [root@fed14-64-ipam001 init.d]# service ipactl start
    ipactl: unrecognized service

So find gets me the script..

    [root@fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
    Starting Directory Service
    Starting dirsrv:
        IPA-AC-NZ...                                          [  OK  ]
        PKI-IPA...                                            [  OK  ]
    Error retrieving list of services {'matched': 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
    Is IPA installed?
    Failed to read data from Directory Service
    Shutting down
    Shutting down dirsrv:
        IPA-AC-NZ...                                          [  OK  ]
        PKI-IPA...                                            [  OK  ]
    [root@fed14-64-ipam001 init.d]#

On Mon, 2011-02-28 at 16:39 +1000, David O'Brien wrote:
> Steven Jones wrote:
> > What scripts need to be run and in what order to start the primary ipa server?
> >
> > regards
>
> if you run
>
>     service ipactl start
>
> it should start all the required ipa services in the correct order.
>
> --
> David O'Brien
> Red Hat Asia Pacific Pty Ltd
> +61 7 3514 8189
>
> He who asks is a fool for five minutes, but he who does not ask remains a fool forever.
> ~ Chinese proverb
Re: [Freeipa-users] While attempting to make a replica....I get this failure....
===
[root@fed14-64-ipam001 init.d]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
IPA.AC.NZ IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
[root@fed14-64-ipam001 init.d]#
===

regards

On Mon, 2011-02-28 at 10:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > [root@fed14-64-ipam001 jonesst1]# ipa-replica-prepare fed14-64-ipam002.ipa.ac.nz
> > Directory Manager (existing master) password:
> >
> > Preparing replica for fed14-64-ipam002.ipa.ac.nz from fed14-64-ipam001.ipa.ac.nz
> > Creating SSL certificate for the Directory Server
> > ipa: INFO: sslget 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
> > Creating SSL certificate for the Web Server
> > ipa: INFO: sslget 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient'
> > preparation of replica failed: cannot connect to 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key necessary for authentication.
> > cannot connect to 'https://fed14-64-ipam001.ipa.ac.nz:9444/ca/ee/ca/profileSubmitSSLClient': [Errno -12285] (SSL_ERROR_NO_CERTIFICATE) Unable to find the certificate or key necessary for authentication.
> >   File "/usr/sbin/ipa-replica-prepare", line 431, in <module>
> >     main()
> >   File "/usr/sbin/ipa-replica-prepare", line 363, in main
> >     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, httpcert, replica_fqdn, subject_base)
> >   File "/usr/sbin/ipa-replica-prepare", line 136, in export_certdb
> >     raise e
> >
> > If I go to the URL I get,
> >
> > The Certificate System has encountered an unrecoverable error.
> > Error Message: java.lang.NullPointerException
> > Please contact your local administrator for assistance.
> >
> > ???
> >
> > regards
>
> Can you provide the output of:
>
> # certutil -L -d /etc/httpd/alias
>
> During installation dogtag provides us with an RA agent certificate that we use to communicate with the CA. This certificate should be stored in /etc/httpd/alias.
>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
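Rob's request is the check worth making before retrying ipa-replica-prepare: the RA agent certificate (ipaCert) and the HTTP server certificate must be present in /etc/httpd/alias with their private keys, and the CA certificate must be trusted, otherwise the SSL client connection to the CA has nothing to authenticate with. As an added example, not FreeIPA's own code, the following Python parses a certutil -L listing and applies that check; the sample listing is constructed to match the output quoted above, and the required-nickname rules are an assumption made for this example.

```python
"""Check the NSS database an IPA master uses to talk to its CA.

Added example, not FreeIPA's own code.  It parses the text that
`certutil -L -d /etc/httpd/alias` prints and verifies that the RA agent
certificate and the server certificate are present with private keys and
that a CA certificate is trusted.  The required-nickname rules are an
assumption made for this example.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample matching the listing quoted in this thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
IPA.AC.NZ IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
"""

# The same database with the RA agent certificate missing (constructed).
BROKEN_LISTING = "\n".join(
    line for line in SAMPLE_LISTING.splitlines() if not line.startswith("ipaCert")
) + "\n"

# A listing line is "<nickname> <spaces> <SSL>,<S/MIME>,<JAR/XPI>"; nicknames may
# contain spaces, so anchor on the trust column at the end of the line.
_LINE_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map certificate nickname -> trust attribute string."""
    certs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,S/MIME"):
            continue
        m = _LINE_RE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def check_ra_agent_db(certs: Dict[str, str]) -> List[str]:
    """Return problems found; an empty list means the database looks usable.

    'u' in the SSL column means the private key is in the database; 'C' or 'T'
    in that column marks a trusted CA.
    """
    problems: List[str] = []
    for nick in ("ipaCert", "Server-Cert"):
        trust = certs.get(nick)
        if trust is None:
            problems.append(f"missing certificate {nick!r}")
        elif "u" not in trust.split(",")[0]:
            problems.append(f"{nick!r} present but without a private key (trust {trust})")
    if not any(set("CT") & set(t.split(",")[0]) for t in certs.values()):
        problems.append("no trusted CA certificate in database")
    return problems


def check_live_db(dbdir: str = "/etc/httpd/alias") -> List[str]:
    """Run certutil on a real database and check it (requires nss-tools)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         capture_output=True, text=True, check=True).stdout
    return check_ra_agent_db(parse_certutil_listing(out))


if __name__ == "__main__":
    for label, listing in (("sample", SAMPLE_LISTING), ("broken", BROKEN_LISTING)):
        print(label, check_ra_agent_db(parse_certutil_listing(listing)) or "OK")
```

On a master, `check_live_db()` runs certutil for you; the parser splits each line from the right on the trust column because nicknames such as "IPA.AC.NZ IPA CA" contain spaces, which a naive whitespace split would break.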
Re: [Freeipa-users] While attempting to join a client ....I get this failure....
8<

On the client:

rpm -q freeipa-client
freeipa-client-2.0.0.rc1-0.fc14.x86_64

On the server:

rpm -q freeipa-server
freeipa-server-2.0.0.rc1-0.fc14.x86_64

regards
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Not sure if I have to change anything in the repo? but rc2.0 does not appear...

regards

On Mon, 2011-02-28 at 16:07 -0500, Rob Crittenden wrote:
> To all freeipa-interest, freeipa-users and freeipa-devel list members,
>
> The FreeIPA project team is pleased to announce the availability of the Release Candidate 2 release of freeIPA 2.0 server [1].
>
> * Binaries are available for F-14 and F-15 [2].
> * Please do not hesitate to share feedback, criticism or bugs with us on our mailing list: freeipa-users@redhat.com
>
> Main Highlights of the Release Candidate
>
> This release consists primarily of bug fixes and polish across all areas of the project. Modifications include but are not limited to
>
> * Make Indirect membership clearer.
> * Input validation fixes.
> * WebUI improvements.
> * Created default Roles.
> * IPv6 support
> * Documentation updates
>
> Focus of the Release Candidate Testing
>
> * There was a Fedora test day for FreeIPA on Feb 15th [3]. These tests are still relevant and feedback would be appreciated.
> * The following section outlines the areas that we are mostly interested to test [4].
>
> Significant Changes Since RC 1
>
> To see all the tickets addressed since the beta 2 release see [6].
>
> Repositories and Installation
>
> * Use the following link to install the RC 2 packages [5].
> * FreeIPA relies on the latest versions of the packages currently available from the updates-testing repository. Please make sure to enable this repository before you proceed with installation.
>
> Known Issues:
>
> * There are known issues that currently prevent FreeIPA from successfully installing with dogtag on F-15 [2]. We will send a separate message when this issue is resolved. The FreeIPA server is installable with the --selfsign option on F-15, or with dogtag on F-14.
> * Server-generated error messages are not translated yet.
> * The 'ipa help' command does not support localization.
>
> We plan to address all the outstanding tickets before the final 2.0 release. For the complete list see [7].
>
> Thank you,
> The FreeIPA development team
>
> [1] http://www.freeipa.org/page/Downloads
> [2] dogtag is having issues with systemd: https://bugzilla.redhat.com/show_bug.cgi?id=676330
> [3] https://fedoraproject.org/wiki/QA/Fedora_15_test_days
> [4] https://fedoraproject.org/wiki/Features/FreeIPAv2#How_To_Test
> [5] http://freeipa.org/downloads/freeipa-devel.repo
> [6] https://fedorahosted.org/freeipa/query?status=closed&milestone=2.0.2+Bug+fixing+(RC2)
> [7] https://fedorahosted.org/freeipa/milestone/2.0.3.%20Bug%20Fixing%20%28GA%29
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
um...checksum error?

===
[root@fed14-64-ipacl01 yum.repos.d]# yum update
Loaded plugins: langpacks, presto, refresh-packagekit
Adding en_US to language list
freeipa-devel                                            | 1.3 kB     00:00
freeipa-devel/primary                                    |  10 kB     00:00
http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz: [Errno -1] Metadata file does not match checksum
Trying other mirror.
updates/metalink                                         | 2.1 kB     00:00
updates-testing/metalink                                 |  45 kB     00:01
Setting up Update Process
No Packages marked for Update
[root@fed14-64-ipacl01 yum.repos.d]#
===

?

regards
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
I have tried to download the rpms by hand and the dependencies are all broken ie python...well stuffed by the looks of it...

regards
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Im getting a pycurl error 6...so every few hours the errors change

regards

Steven

On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> Hi,
>
> I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
>
> Rgds,
> Siggi
>
> On Tue, March 1, 2011 01:32, Steven Jones wrote:
> > I have tried to download the rpms by hand and the dependencies are all broken ie python...well stuffed by the looks of it...
> >
> > regards
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Hi,

Yes Ive now figured it out...the KVM software seems to spit the dummy every day or so and simply stop forwarding / returning dns requests.

I have uninstalled rc1 and installed rc2 but its still dying with the previous msgs...so it wont survive a reboot, but kinit admin etc works fine before the reboot.

===
[root@fed14-64-ipam001 init.d]# /usr/sbin/ipactl start
Starting Directory Service
Starting dirsrv:
    IPA-AC-NZ...                                           [  OK  ]
    PKI-IPA...                                             [  OK  ]
Error retrieving list of services {'matched': 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=ac,dc=nz', 'desc': 'No such object'}
Is IPA installed?
Failed to read data from Directory Service
Shutting down
Shutting down dirsrv:
    IPA-AC-NZ...                                           [  OK  ]
    PKI-IPA...                                             [  OK  ]
[root@fed14-64-ipam001 init.d]#
===

regards

On Tue, 2011-03-01 at 16:10 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > Im getting a pycurl error 6...so every few hours the errors change
>
> I don't know if the pycurl errors are equivalent to the curl errors but in curl error 6 means couldn’t resolve host.
>
> You might try: yum clean all
>
> I tried the repo myself and was able to install rc2 ok.
>
> rob
>
> > regards
> >
> > Steven
> >
> > On Tue, 2011-03-01 at 11:55 +0100, Sigbjorn Lie wrote:
> > > Hi,
> > >
> > > I updated my IPA test servers last night without a problem. I have only the default Fedora 14 repo + Fedora 14 updates-testing repo and the Freeipa-devel repo enabled on my IPA test servers.
> > >
> > > Rgds,
> > > Siggi
> > >
> > > On Tue, March 1, 2011 01:32, Steven Jones wrote:
> > > > I have tried to download the rpms by hand and the dependencies are all broken ie python...well stuffed by the looks of it...
> > > >
> > > > regards
Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release
Hi,

Yep...that is the issue...I put it in, rebooted, worked, took it out rebooted, didnt work, put it back in rebooted and it worked again.

Wonders of a gui setup...normally I do it by hand and do a FQDN...I assumed because it was short form in the file that is the way it is now, obviously not...bugger.

8<-
> The hostname is lacking a domain name, that may be what is confusing things. As an test you might try setting hostname to be a fqdn and see if things improve.
>
> rob

thanks...

regards

Steven
[Freeipa-users] Unable to authenticate a client user against IPA
I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client.

There appears to be traffic to port 389, so I assume its almost working...but I can't find anything in logs to say whats wrong...not that I can determine what logs to check. Ive been looking in /var/log so far...are there any other logs about?

And/or where do I start looking to get this working?

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
id thing returns id: thing: no such user...

In iptraf there is a port 389 connection, suggesting its asking the ipa master about user thing...so its either asking the wrong Q or the ipa master cant see the user thing yet its there in the gui.

One thing, thing only exists on the ipa master, with irwin it exists locally so id returns local info as I see no 389 connection taking place.

There was no nslcd.conf so I wrote one as per,

  8.1.4. Configuring System Login

  You need to modify the /etc/nslcd.conf file, used by the nslcd service, on the client, to include additional information about the IPA server. This is so that the client can reach the IPA server's LDAP server for getent commands and also for ssh. For example, you should include the following information in your /etc/nslcd.conf file:

  uri host ip-address-of-ipaserver.example.com-here
  base dc=example,dc=com

So mine says,

uri host 192.168.100.2
base dc=ipa,dc=ac,dc=nz

Where 192.168.100.2 is the original master.

regards

On Thu, 2011-03-03 at 14:30 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > I appear to have IPA running, I have run the install client on a fed14 KVM guest and that guest is in the IPA system, however the users in IPA cannot authenticate via IPA and get onto the client.
> >
> > There appears to be traffic to port 389, so I assume its almost working...but I can't find anything in logs to say whats wrong...not that I can determine what logs to check. Ive been looking in /var/log so far...are there any other logs about?
> >
> > And/or where do I start looking to get this working?
> >
> > regards
>
> On that client can you do things like:
>
> $ getent passwd some_ipa_user
>
> or
>
> $ id some_ipa_user
>
> ?
>
> That should cause sssd to fetch user information. If it fails then we'll start by looking at the sssd configuration. If not I guess we'll turn up some debugging knobs to see what is going on.
>
> rob
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<

I have no idea, Im trying to follow the ipa document (version 0.5)...so if it says do something I try and do it...if it doesnt say do something well...it doesnt get done as I cant mind read.

What I want is encrypted connections on all services / communications so it is secure and safe.

regards

> Are you planning to use pam_ldap + nss_ldap or SSSD? If SSSD have you installed SSSD packages first? The pam and nss config files as well as SSSD config and SSSD logs if it is in picture together with ipa-client-install logs would be a good starting point to troubleshoot the issue.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
[Freeipa-users] Documentation
Hi,

Is it possible to have the ipa 0.5 documentation (and future documentation) as a pdf file? I'd like to download it and print it off.

regards
Re: [Freeipa-users] Documentation
Thanks very much

I can live with rough...lets me study it on the train

regards

On Fri, 2011-03-04 at 11:24 +1000, David O'Brien wrote:
> Steven Jones wrote:
> > Hi,
> >
> > Is it possible to have the ipa 0.5 documentation (and future documentation) as a pdf file? I'd like to download it and print it off.
> >
> > regards
>
> I've pushed the latest versions in both formats here:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/
>
> This is the first time I've built the pdf so it might be a bit rough around the edges. For future versions I'll build both so you can download it.
>
> As Dmitri mentioned, this is undergoing review and active development, so expect lots of changes in the near future.
>
> cheers
>
> --
> David O'Brien
> Red Hat Asia Pacific Pty Ltd
> +61 7 3514 8189
>
> He who asks is a fool for five minutes, but he who does not ask remains a fool forever. ~ Chinese proverb
[Freeipa-users] Time bug
Hi,

Americans are funny ppl they put the date format as month then day...the problem is in the real world, its day then month

So I have registered 1 client and 2 ipa masters as of 4th march 2011 NZST, but the IPA server's gui says I registered them a month in the future, ie 3rd April 2011 GMT+12 NZST...very neat... ;]

So you need some sort of detection script/software to sort that I suspect...or fix the display format in the gui...?

Possibly this might not be helping with my issues as all my machines think its NZST while the IPA master server's software might be thinking they are telling it April? hence security certificates etc go boom?

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<---

This didnt work...intuitive, no I guess not

regards

> Sorry but the doc might be incomplete. We are in the middle of reviewing it actually and adding information to it.
> Please go to your system-authconfig dialog and configure LDAP + Kerberos with the IPA server. It should be intuitive. It will update all the right config files.
> The logs are in the sub-directory under /var/log. The name starts with ipa but I do not remember the exact name from the top of my head.

There are no logs...

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,

Where does this log to?

regards

On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote:
> On 03/06/2011 02:48 PM, Steven Jones wrote:
> > How do i turn on logging on the client and the server so as to start troubleshooting this authentication failure?
> >
> > regards
>
> http://freeipa.org/page/IPAv2_config_files
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<-
> > getent passwd user however only returns one line, not the two I should expect?
>
> Why do you expect two lines? It should only return one, for that user.
>
> > It also returns very fast...like its not even looking remotely.
>
> Is the user in /etc/passwd too?

When I tried to get FDS going a few years ago getent used to return 2, the local one and the ldap one, hence two lines...if it was working.

I guess the ipa manual is lacking somewhat in that it says run these commands, but doesnt say what the expected output is or looks like, so how am I meant to know if its right or wrong? like duh.

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<--

So how do I fault find? where do I start? ie Where do I start to look to determine why a user cannot login to a client via freeipa?

How can I be more clear? because so far the replies have been not very productive.

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
> Steven Jones wrote:
> > 8<--
> >
> > So how do I fault find? where do I start? ie Where do I start to look to determine why a user cannot login to a client via freeipa?
> >
> > How can I be more clear? because so far the replies have been not very productive.
> >
> > regards
>
> Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart sssd, and try your login again. Look in /var/log/sssd/sssd_example.com.log for information on the login attempt.
>
> Your uid/gid will likely differ.
>
> # getent passwd admin
> admin:*:26420:26420:Administrator:/home/admin:/bin/bash
> # id admin
> uid=26420(admin) gid=26420(admins) groups=26420(admins)
> # getent group admins
> admins:*:26420:admin
> # finger admin
> Login: admin                            Name: Administrator
> Directory: /home/admin                  Shell: /bin/bash
> Never logged in.
> No mail.
> No Plan.

(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar 8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab [default]
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Tue Mar 8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar 8 15:37:31 2011) [sssd
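The log Rob asked for shows the same five-line failure every two seconds: SSSD's IPA backend cannot find the client's host principal in the keytab, so it never initialises, and every lookup and login on the client fails long before any LDAP or Kerberos traffic is attempted. As an added example, not from the thread and not SSSD's code, the following Python parses lines in that log format and extracts the root cause and the number of times the backend gave up; the host names, domain and timestamps in the sample are constructed placeholders, not the poster's machines.

```python
"""Find the root cause of a non-starting SSSD IPA backend from its debug log.

Added example; not from the thread and not SSSD code.  It parses the
"(timestamp) [sssd[be[domain]]] [function] (level): message" lines that
/var/log/sssd/sssd_<domain>.log contains and reports the first keytab
failure and how many times the backend gave up.  Host names, realm and
timestamps in the sample are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three restart cycles of the failure seen in the thread.
SSSD_LOG = """\
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [main] (0): Could not initialize backend [14]
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar  8 13:28:20 2011) [sssd[be[example.com]]] [main] (0): Could not initialize backend [14]
(Tue Mar  8 13:28:22 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]
(Tue Mar  8 13:28:22 2011) [sssd[be[example.com]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:22 2011) [sssd[be[example.com]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:22 2011) [sssd[be[example.com]]] [be_process_init] (0): fatal error initializing data providers
(Tue Mar  8 13:28:22 2011) [sssd[be[example.com]]] [main] (0): Could not initialize backend [14]
"""

# A backend that came up normally (constructed).
HEALTHY_LOG = """\
(Tue Mar  8 13:30:02 2011) [sssd[be[example.com]]] [main] (0): Backend provider (example.com) started!
"""

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"sssd\[be\[(?P<domain>[^\]]+)\]\]")
KEYTAB_RE = re.compile(r"Principal \[(?P<principal>[^\]]+)\] not found in keytab \[(?P<keytab>[^\]]+)\]")


@dataclass
class LogEntry:
    ts: str
    proc: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text: str) -> List[LogEntry]:
    """Parse every well-formed log line; lines in another format are ignored."""
    entries: List[LogEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(LogEntry(m["ts"], m["proc"], m["func"], int(m["level"]), m["msg"]))
    return entries


def diagnose_backend(entries: List[LogEntry]) -> Optional[Dict[str, object]]:
    """Return None if the backend never failed, otherwise a summary of why."""
    domain: Optional[str] = None
    principal: Optional[str] = None
    keytab: Optional[str] = None
    failures = 0
    for e in entries:
        if domain is None:
            dm = DOMAIN_RE.search(e.proc)
            domain = dm["domain"] if dm else None
        km = KEYTAB_RE.search(e.msg)
        if km and principal is None:
            principal, keytab = km["principal"], km["keytab"]
        if e.func == "main" and e.msg.startswith("Could not initialize backend"):
            failures += 1
    if principal is None and failures == 0:
        return None
    if principal:
        cause = (f"host principal {principal} is not in the keytab; the IPA provider "
                 "cannot authenticate to the server, so every lookup and login fails")
    else:
        cause = "backend failed to initialize; raise debug_level and re-read the log"
    return {
        "domain": domain,
        "missing_principal": principal,
        "keytab": "/etc/krb5.keytab" if keytab == "default" else keytab,  # SSSD's "default" keytab
        "backend_failures": failures,
        "root_cause": cause,
    }


if __name__ == "__main__":
    print(diagnose_backend(parse_sssd_log(SSSD_LOG)))
    print(diagnose_backend(parse_sssd_log(HEALTHY_LOG)))
```

The diagnosis points at the keytab rather than at LDAP or PAM, which is the check the rest of the thread converges on: the missing principal is confirmed with `klist -k` on the client and fixed by re-enrolling it.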
Re: [Freeipa-users] Unable to authenticate a client user against IPA
:14,104 DEBUG args=/sbin/service certmonger status
2011-03-04 15:09:14,104 DEBUG stdout=certmonger is stopped
2011-03-04 15:09:14,104 DEBUG stderr=
2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]
2011-03-04 15:09:14,280 DEBUG stderr=
2011-03-04 15:09:14,295 DEBUG args=/sbin/chkconfig certmonger --list
2011-03-04 15:09:14,295 DEBUG stdout=certmonger 0:off 1:off 2:off 3:off 4:off 5:off 6:off
2011-03-04 15:09:14,295 DEBUG stderr=
2011-03-04 15:09:14,564 DEBUG args=/sbin/chkconfig certmonger on
2011-03-04 15:09:14,564 DEBUG stdout=
2011-03-04 15:09:14,564 DEBUG stderr=
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - fed14-64-ipacl01.ipa.ac.nz -N CN=fed14-64-ipacl01.ipa.ac.nz,O=IPA.AC.NZ -K host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz
2011-03-04 15:09:14,586 DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request 20110303020539.
2011-03-04 15:09:14,586 DEBUG stderr=
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stdout=
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
2011-03-04 15:09:14,764 DEBUG args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
2011-03-04 15:09:14,764 DEBUG stdout=
2011-03-04 15:09:14,765 DEBUG stderr=Check your Kerberos ticket, it may have expired.
2011-03-04 15:09:14,827 DEBUG args=/sbin/service nscd status
2011-03-04 15:09:14,827 DEBUG stdout=nscd (pid 1238) is running...
2011-03-04 15:09:14,827 DEBUG stderr=
2011-03-04 15:09:14,855 DEBUG args=/sbin/service nscd stop
2011-03-04 15:09:14,855 DEBUG stdout=Stopping nscd: [ OK ]
2011-03-04 15:09:14,856 DEBUG stderr=
2011-03-04 15:09:14,858 DEBUG args=/sbin/chkconfig nscd --list
2011-03-04 15:09:14,858 DEBUG stdout=nscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
2011-03-04 15:09:14,858 DEBUG stderr=
2011-03-04 15:09:14,958 DEBUG args=/sbin/chkconfig nscd off
2011-03-04 15:09:14,958 DEBUG stdout=
2011-03-04 15:09:14,958 DEBUG stderr=
2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd --enablesssdauth --update
2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ] [ OK ]
2011-03-04 15:09:16,402 DEBUG stderr=
2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
2011-03-04 15:09:16,419 DEBUG stdout=
2011-03-04 15:09:16,419 DEBUG stderr=
2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
2011-03-04 15:09:17,424 DEBUG stdout=
2011-03-04 15:09:17,424 DEBUG stderr=
2011-03-04 15:09:18,429 DEBUG args=getent passwd admin
2011-03-04 15:09:18,429 DEBUG stdout=
2011-03-04 15:09:18,429 DEBUG stderr=
2011-03-04 15:09:19,432 DEBUG args=getent passwd admin
2011-03-04 15:09:19,432 DEBUG stdout=
2011-03-04 15:09:19,432 DEBUG stderr=
2011-03-04 15:09:20,435 DEBUG args=getent passwd admin
2011-03-04 15:09:20,436 DEBUG stdout=
2011-03-04 15:09:20,436 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG args=/usr/sbin/authconfig --enablekrb5 --update --nostart
2011-03-04 15:09:22,303 DEBUG stdout=
2011-03-04 15:09:22,303 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG Backing up system configuration file '/etc/ntp.conf'
2011-03-04 15:09:22,304 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,305 DEBUG Backing up system configuration file '/etc/sysconfig/ntpd'
2011-03-04 15:09:22,305 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:22,398 DEBUG args=/sbin/chkconfig ntpd on
2011-03-04 15:09:22,398 DEBUG stdout=
2011-03-04 15:09:22,398 DEBUG stderr=
2011-03-04 15:09:22,537 DEBUG args=/sbin/service ntpd restart
2011-03-04 15:09:22,537 DEBUG stdout=Shutting down ntpd: [ OK ]
Starting ntpd: [ OK ]
2011-03-04 15:09:22,537 DEBUG stderr=

regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher sgall...@redhat.com wrote:
> > On Mar 8, 2011, at 5:45 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > --
> > 8<-
> >
> > Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it.
> >
> > Rob, do you have any insight here?
>
> does /var/log/ipaclient-install.log show any error ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
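Simo's question is whether ipaclient-install.log shows an error, and the answer is buried in the DEBUG noise above: ipa-client-install records each command it ran as an args= / stdout= / stderr= triple, and the triples that matter here are `kinit -k` failing because the hostname cannot be canonicalized (the short, non-FQDN hostname again), certmonger refusing a duplicate certificate request from the earlier enrolment, and `getent passwd admin` returning nothing five times in a row after sssd was started. As an added example, not from the thread and not FreeIPA's code, the following Python groups those triples into records and flags the ones that mean enrolment did not complete; the sample log is constructed with placeholder host names.

```python
"""Pull the failures out of ipa-client-install's DEBUG log.

Added example; not from the thread and not FreeIPA code.  ipa-client-install
logs every command it runs as three lines, args= / stdout= / stderr=, with
multi-line output continuing on unprefixed lines.  This groups them into
records and flags the ones that mean enrolment did not complete.  The sample
log is constructed with placeholder host names.
"""
import re
from typing import Dict, List

# Constructed sample in the format of /var/log/ipaclient-install.log.
SAMPLE_LOG = """\
2011-03-04 15:09:14,279 DEBUG args=/sbin/service certmonger restart
2011-03-04 15:09:14,280 DEBUG stdout=Stopping certmonger: [FAILED]
Starting certmonger: [ OK ]
2011-03-04 15:09:14,280 DEBUG stderr=
2011-03-04 15:09:14,586 DEBUG args=ipa-getcert request -d /etc/pki/nssdb -n IPA Machine Certificate - client1.example.com -N CN=client1.example.com,O=EXAMPLE.COM -K host/client1.example.com@EXAMPLE.COM
2011-03-04 15:09:14,586 DEBUG stdout=Error org.fedorahosted.certmonger.duplicate: Certificate at same location is already used by request 20110303020539.
2011-03-04 15:09:14,586 DEBUG stderr=
2011-03-04 15:09:14,605 DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab
2011-03-04 15:09:14,605 DEBUG stdout=
2011-03-04 15:09:14,605 DEBUG stderr=kinit: Hostname cannot be canonicalized when creating default server principal name
2011-03-04 15:09:16,401 DEBUG args=/usr/sbin/authconfig --enablesssd --enablesssdauth --update
2011-03-04 15:09:16,401 DEBUG stdout=Starting sssd: [ OK ]
2011-03-04 15:09:16,402 DEBUG stderr=
2011-03-04 15:09:16,419 DEBUG args=getent passwd admin
2011-03-04 15:09:16,419 DEBUG stdout=
2011-03-04 15:09:16,419 DEBUG stderr=
2011-03-04 15:09:17,424 DEBUG args=getent passwd admin
2011-03-04 15:09:17,424 DEBUG stdout=
2011-03-04 15:09:17,424 DEBUG stderr=
2011-03-04 15:09:22,303 DEBUG Backing up system configuration file '/etc/ntp.conf'
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) (?P<body>.*)$")


def parse_command_records(text: str) -> List[Dict[str, str]]:
    """Group args=/stdout=/stderr= lines into one record per executed command."""
    records: List[Dict[str, str]] = []
    current = None   # record being filled
    field = None     # "stdout"/"stderr" while continuation lines belong to it
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            # Unprefixed line: continuation of a multi-line stdout/stderr.
            if current is not None and field is not None:
                current[field] += "\n" + raw
            continue
        body = m["body"]
        if body.startswith("args="):
            current = {"ts": m["ts"], "args": body[len("args="):], "stdout": "", "stderr": ""}
            records.append(current)
            field = None
        elif body.startswith("stdout=") and current is not None:
            current["stdout"] = body[len("stdout="):]
            field = "stdout"
        elif body.startswith("stderr=") and current is not None:
            current["stderr"] = body[len("stderr="):]
            field = "stderr"
        else:
            field = None  # e.g. "Backing up system configuration file ..."
    return records


def find_enrolment_problems(records: List[Dict[str, str]]) -> List[str]:
    """Flag commands whose output says the enrolment did not complete."""
    problems: List[str] = []
    empty_getent = 0
    for r in records:
        cmd = r["args"].split()[0]
        if r["stderr"].strip():
            problems.append(f"{cmd}: {r['stderr'].strip()}")
        if r["stdout"].startswith("Error ") or "[FAILED]" in r["stdout"]:
            problems.append(f"{cmd}: {r['stdout'].splitlines()[0]}")
        if r["args"].startswith("getent passwd") and not r["stdout"].strip():
            empty_getent += 1
    if empty_getent:
        problems.append(f"getent passwd returned nothing {empty_getent} times after sssd was "
                        "started; the client cannot resolve IPA users")
    return problems


if __name__ == "__main__":
    for p in find_enrolment_problems(parse_command_records(SAMPLE_LOG)):
        print(p)
```

The empty `getent passwd admin` results are the decisive signal: ipa-client-install runs that lookup as its own post-enrolment test, so a client whose log shows it returning nothing was never working, regardless of what the installer printed at the end.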
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,

I have just done another F14 client and I have the same issue.

regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
> On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
> Stephen Gallagher sgall...@redhat.com wrote:
> > On Mar 8, 2011, at 5:45 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> > > Keytab name: WRFILE:/etc/krb5.keytab
> > > KVNO Principal
> > > --
> > 8<-
> >
> > Looks like you have no host key in the keytab. That's the root of the problem. Seems like IPA-client-install failed to populate it.
> >
> > Rob, do you have any insight here?
>
> does /var/log/ipaclient-install.log show any error ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
> On 03/09/2011 02:21 PM, Steven Jones wrote:
> > Hi,
> >
> > I had/have already done the uninstall...and re-install.
> >
> > Also I registered a brand new 2nd client...that hasnt worked either..
>
> How did you create the host record for it on the server?

I didnt, I ran ipa-client-install from the client

I have just run with the --uninstall flag and then re-run and its failing as the client record was not removed...

Joining realm failed: Host is already joined

So the un-install script/flag isnt removing the client/host

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Hi,

I have gone into the webgui and manually removed the no1 client/host, it has now joined successfully...

So Yes, the next issue

regards

On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote:
> On 03/09/2011 02:45 PM, Steven Jones wrote:
> > I have setup a 2nd client I have the same result...but it looks like the keytab is correct? however LDAP logins still dont work...
> >
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Principal
> > --
> >    1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >    1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >    1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
> >    1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
>
> Could you please check the SSSD debug logs on that machine as well? It may be a different problem now.
>
> --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
Re: [Freeipa-users] Unable to authenticate a client user against IPA
8<---
> 4) Install client again
>
> Everything should work. If not please send us the logs.

Not sure which logs as Im losing track of so many suggestions/threads...but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length

I just tried to add a local user and set a password and Im getting

passwd: Authentication token manipulation error

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I rebooted both clients and after the reboot they now do IPA authentication..

So client1 we did some work on and it wouldnt work until a reboot...client2 I did nothing to until I rebooted...then that also worked

So I will make a third client and try that

Are there rpms scripts for a rhel6ws? I could try that as well...also RHEL5

regards

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Thursday, 10 March 2011 11:35 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

8<---
> 4) Install client again
>
> Everything should work. If not please send us the logs.

Not sure which logs as Im losing track of so many suggestions/threads...but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is zero length

I just tried to add a local user and set a password and Im getting

passwd: Authentication token manipulation error

regards
Re: [Freeipa-users] Unable to authenticate a client user against IPA
While installing my third client selinux popped up a warning it was blocking access to krb5...so Im wondering if the reason the install of the client is failing is due to selinux?

regards

________________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com]
Sent: Friday, 11 March 2011 4:31 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

On 03/10/2011 10:10 AM, Simo Sorce wrote:
> ----- Original Message -----
> > Steven Jones wrote:
> > > Ok, However I cant LDAP/Ipa authenticate still...on either client..
> > >
> > > So what next?
> >
> > sssd handles logins, you can try turning up the log level on that (though I suspect it wasn't the reboot that fixed this but restarting sssd).
>
> If sssd was never used before then what was needed was a restart of the services using it (sshd, gdm), as nsswitch.conf is never re-read by glibc, you can't use the new users until those services are restarted after nsswitch.conf is modified.
>
> I think we also offer to restart the client after ipa-client-install exactly as a way to restart all services that may depend on picking up this change. That reboot is not necessary if you manually restart all services after that, but if you don't than you better do a reboot as we suggest.
>
> > As part of ipa-client-install sssd is restarted and tested via 'getent passwd admin'. This should be visible in /var/log/ipaclient-install.log. Did this command succeed?
>
> Even if this succeed, authentication via gdm or ssh can still fail until the services are restarted.
>
> Just pointing out this fact as a help point for other users testing ipa-client-install in future.

FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Third client won't authenticate either. So I guess it's a problem around the install script if not selinux.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 11 March 2011 11:06 a.m.
To: Stephen Gallagher; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

> While installing my third client selinux popped up a warning it was blocking access to krb5... so I'm wondering if the reason the install of the client is failing is due to selinux?
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com]
> Sent: Friday, 11 March 2011 4:31 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA
>
> [snip]
Re: [Freeipa-users] Unable to authenticate a client user against IPA
I have run the un-install script and it won't delete the client in the ipa system, so again I had to delete it via the web gui...I will try re-installing.

A release candidate? I don't see how...for me a release candidate should pretty much work with the odd bug in an odd area...this is still like alpha...major functionality failure, as personally I class being unable to do the very first thing you need to do as a major failure.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 11 March 2011 11:17 a.m.
To: Stephen Gallagher; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

> Third client won't authenticate either. So I guess it's a problem around the install script if not selinux.
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 11 March 2011 11:06 a.m.
> To: Stephen Gallagher; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA
>
> [snip]
Re: [Freeipa-users] Unable to authenticate a client user against IPA
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac.NZ] not found in keytab [default]
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
[root@Fed14-64-ipacl03 sssd]#
[root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
[root@Fed14-64-ipacl03 sssd]#

?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 11 March 2011 11:58 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

On 03/10/2011 05:37 PM, Steven Jones wrote:
> I have run the un-install script and it won't delete the client in the ipa system, so again I had to delete it via the web gui...I will try re-installing.
>
> A release candidate? I don't see how...for me a release candidate should pretty much work with the odd bug in an odd area...this is still like alpha...major functionality failure, as personally I class being unable to do the very first thing you need to do as a major failure.
>
> regards

Steve,

Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment. We are executing tests every day with new and old machines, bare metal and VMs. And everything works so there is definitely something specific to your environment which is different. Maybe it is DNS or NTP or something like that. We do not know. Maybe it is a bug that we do not hit because we do not run things in the sequence you run or with the configuration you use.

You write a lot of mails to us but few contain any substantial information about your setup. To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client. You do not include them in your emails. How do you think we can troubleshoot the problems? If you want us to help please include more detailed information.

I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting. We will be happy to help you as soon as you provide such information.

Thank you,
Dmitri
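An added check, not from the thread, for the failure in the sssd log above: sssd derives the host principal it looks for from the machine's hostname (capitalised here, Fed14-64-...), and Kerberos compares principal names case-sensitively, so the lower-case keytab entries never match. The klist and log text below is constructed to mirror the paste, and the helper names are mine.

```python
"""Compare the principal sssd wants against what `klist -k` lists.

Kerberos principal names are case-sensitive: host/Fed14-... and
host/fed14-... are different principals even though they name the same
machine. A case-only mismatch points at the hostname sssd uses, not at a
missing keytab.
"""
import re

# Constructed sample: `klist -k /etc/krb5.keytab` output with lower-case host.
KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
"""

# Constructed sample: the sssd backend log line with a capitalised hostname.
SSSD_LOG = (
    "(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] "
    "[sss_krb5_verify_keytab_ex] (0): Principal "
    "[host/Fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]"
)

KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")   # "   1 host/...@REALM"
NOT_FOUND = re.compile(r"Principal \[([^\]]+)\] not found in keytab")


def parse_klist(text):
    """Return the set of principals listed by `klist -k` (KVNO column dropped)."""
    principals = set()
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m and "/" in m.group(2) and "@" in m.group(2):
            principals.add(m.group(2))
    return principals


def wanted_principals(log_text):
    """Extract every principal sssd reported as missing from the keytab."""
    return {m.group(1) for m in NOT_FOUND.finditer(log_text)}


def diagnose(keytab_principals, wanted):
    """Map each wanted principal to 'present', 'case-mismatch' or 'missing'.

    The exact comparison is the one Kerberos makes; the lower-cased lookup
    is only used afterwards to explain why an exact match failed.
    """
    lowered = {p.lower() for p in keytab_principals}
    result = {}
    for p in wanted:
        if p in keytab_principals:
            result[p] = "present"
        elif p.lower() in lowered:
            result[p] = "case-mismatch"
        else:
            result[p] = "missing"
    return result


def report(klist_text=KLIST_OUTPUT, log_text=SSSD_LOG):
    """Print a one-line verdict per principal and return the verdict map."""
    verdicts = diagnose(parse_klist(klist_text), wanted_principals(log_text))
    for principal, verdict in sorted(verdicts.items()):
        if verdict == "case-mismatch":
            print(f"{principal}: only a differently-cased keytab entry exists; "
                  "check `hostname` and ipa_hostname in sssd.conf against the keytab")
        elif verdict == "missing":
            print(f"{principal}: no keytab entry at all; the host key was never fetched")
        else:
            print(f"{principal}: present in keytab")
    return verdicts


if __name__ == "__main__":
    report()
```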
[Freeipa-users] FreeIPA 2 on F14/RHEl 6.1
Hi.

I see IPA 2.0 is F15...uh. Is free-ipa 2.0 going to be put into RHEL6.1? ie I'm assuming that F14 will become 6.1? sometime in the next few months? Or should I assume that since ipa2.0 is in F15 only we won't see anything vaguely usable til 6.2 sometime near the end of the year?

The reason for this is I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept) so I'm assuming it will be available in 6.1 with a full capability in 6.2...is this a correct assumption?

So to do this I have to put together a huge virtualised test bed of NAS, SAN, clients and Shibboleth type stuff to test our systems. That's a lot of work to re-do. So should I abandon ipa on F14 and go to F15? and then delay things until the end of the year? or next year? what is the roadmap pls?

regards
[Freeipa-users] FreeIPA 2 on F14 / RHEL 6.1
Hi.

Is free-ipa going to be put into RHEL6.1? ie I'm assuming that F14 will become 6.1? Or should I assume that since ipa2 is in F15 we won't see anything til 6.2 sometime near the end of the year?

I want to spend the next few months learning IPA and deploy it to limited selected users as a POC (proof of concept) so I'm assuming it will be available in 6.1 with a full capability in 6.2...is this a correct assumption?

I have to put together a huge virtualised test bed to test our systems. That's a lot of work to re-do..So should I abandon F14 and go to F15 and then delay things until the end of the year? or next year?

regards
[Freeipa-users] replica install failure....
Just tried to make a replica and the install failed with,

  [4/11]: configuring certificate server instance
root        : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname fed14-64-ipam002.ipa.ac.nz -cs_port 9445 -client_certdb_dir /tmp/tmp-r_2iHV -client_certdb_pwd '' -preop_pin nnARxLnIWvR9Aw1RYjRn -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password '' -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=IPA.AC.NZ -ldap_host fed14-64-ipam002.ipa.ac.nz -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password '' -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd '' -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=IPA.AC.NZ -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=IPA.AC.NZ -ca_server_cert_subject_name CN=fed14-64-ipam002.ipa.ac.nz,O=IPA.AC.NZ -ca_audit_signing_cert_subject_name CN=CA Audit,O=IPA.AC.NZ -ca_sign_cert_subject_name CN=Certificate Authority,O=IPA.AC.NZ -external false -clone true -clone_p12_file ca.p12 -clone_p12_password '' -sd_hostname fed14-64-ipam001.ipa.ac.nz -sd_admin_port 9445 -sd_admin_name admin -sd_admin_password '' -clone_start_tls true -clone_uri https://fed14-64-ipam001.ipa.ac.nz:9444' returned non-zero exit status 255
creation of replica failed: Configuration of CA failed

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

[root@fed14-64-ipam002 jonesst1]#
Re: [Freeipa-users] AD setup failure
Hi,

It would be the self cert off the AD controller I got made for me...that is the limit of my knowledge on AD. I will ask the MS ppl when they get in.

regards
Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> Got a bit further...I was missing --passsync

I think you were using the V1 documentation. The Enterprise Identity Management Guide is what you want off freeipa.org in the Documentation section.

> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
> --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
> --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
> unexpected error: Failed to setup winsync replication
> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
> dc0001.ipa.ac.nz has address 192.168.101.2
> [root@fed14-64-ipam001 samba]#
>
> But still isn't working.

I think you have the wrong AD cert. -8179 translates to Certificate is signed by an unknown issuer. Can you verify that you have the AD CA certificate?

rob
Re: [Freeipa-users] replica install failure....
Hi,

This is F14, guess you missed the hostnames...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 9:09 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] replica install failure

On Mon, 2011-03-28 at 23:45 +0000, Steven Jones wrote:
> Just tried to make a replica and the install failed with,
>
> [snip]
>
> [root@fed14-64-ipam002 jonesst1]#

Hello Steven,

can you please send me a version of tomcat6 server on your Fedora 15 with IPA replica? This is most probably a known issue which was stated in the FreeIPA v2 announcement:

[Freeipa-devel] Announcing FreeIPA v2 Server
[snip]
Known Issues
* The latest tomcat6 package has not been pushed to updates-testing. You need tomcat6-6-0.30-5 or higher. The packages can be retrieved from koji at http://koji.fedoraproject.org/koji/buildinfo?buildID=231410 . The installation will fail restarting the CA with the current tomcat6 package in Fedora 15.
[snip]

If this is your case, you may want to install the RPMs from koji or just install them from the rawhide repository.

Regards,
Martin
Re: [Freeipa-users] client setup failure
Hi,

The DNS is in AD so it can't be set to suit IPA. I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info...and obviously the cert isn't on the AD box.

8<

> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record in an autodiscovery of the IPA server in the given DNS domain.
>
> You may want to check the DNS record or set the domain and server manually:
>
> # ipa-client-install --server=your_IPA_server --domain=domain
>
> Regards,
> Martin
Re: [Freeipa-users] client setup failure
How do I add these manually to the script?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 11:52 p.m.
To: tomasz.napier...@allegro.pl
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote:
> On 2011-03-29, at 10:20, Martin Kosek wrote:
>> On Tue, 2011-03-29 at 00:08 +0000, Steven Jones wrote:
>>
>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record in an autodiscovery of the IPA server in the given DNS domain.
>
> In an AD managed zone that would be the domain controller itself.
>
> pz

You are right. In that case the autodiscovery has to be skipped and the --server/--domain parameters need to be added to the client installation script manually.

Martin
Re: [Freeipa-users] client setup failure
What do I put in the python script as a work around?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

On 03/29/2011 03:26 PM, Steven Jones wrote:
> Hi,
>
> The DNS is in AD so it can't be set to suit IPA. I did as below and even with --force your script ignores these flags, it insists on doing AD lookups and gets the AD info...and obviously the cert isn't on the AD box.
>
> 8<
>
>> What is the content of the _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client installation uses this DNS record in an autodiscovery of the IPA server in the given DNS domain.
>>
>> You may want to check the DNS record or set the domain and server manually:
>>
>> # ipa-client-install --server=your_IPA_server --domain=domain

That was the bug that we fixed last week. Rob, did it make the GA? Or the bits you are using are not GA.

>> Regards,
>> Martin

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] client setup failure
uh OK...but why is it ignoring my --server and --domain? and going to the dc for the certificate? This ticket still does not help me proceed.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:50 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> What do I put in the python script as a work around?

https://www.redhat.com/archives/freeipa-devel/2011-March/msg00227.html

> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:29 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> [snip]
Re: [Freeipa-users] client setup failure
I used --force as well...it still ignores it.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:58 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> uh OK...but why is it ignoring my --server and --domain? and going to the dc for the certificate? This ticket still does not help me proceed.

You need --force as well. We try very hard not to hardcode values into the configuration files which is why we always autodiscover. With the patch and --force it should push through and complete the installation.

rob

> regards
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:50 a.m.
> To: Steven Jones
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> [snip]
Re: [Freeipa-users] client setup failure
[root@fed14-64-cli01 tmp]# ipa-client-install --server fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
Retrieving CA from dc0001.ipa.ac.nz failed.
Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
[root@fed14-64-cli01 tmp]#

So the client isn't appearing in the IPA web gui...so it's a total failure to join...

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:03 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure

Steven Jones wrote:
> I used --force as well...it still ignores it.

More information would be helpful. Ignores it how, what error messages do you get, etc.

rob

> regards
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Wednesday, 30 March 2011 8:58 a.m.
> To: Steven Jones
> Cc: d...@redhat.com; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] client setup failure
>
> [snip]
Re: [Freeipa-users] AD setup failure
So I need 2 certificates? and I have to manually add the root CA with certutil? to the IPA master as a separate process? regards From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 9:05 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure Steven Jones wrote: Hi, My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it? That's what we're doing here. You need to provide the CA that issued the SSL certificate for the AD server we're connecting to. I'm guessing they didn't give you the root CA cert. rob regards Steven From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, 30 March 2011 2:50 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] AD setup failure Steven Jones wrote: Got a bit further...I was missing --passsync I think you were using the V1 documentation. The Enterprise Identity Management Guide is what you want off freeipa.org in the Documentation section. 
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
  --bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \
  --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root@fed14-64-ipam001 samba]#

But still isn't working.

I think you have the wrong AD cert. -8179 translates to "Certificate is signed by an unknown issuer". Can you verify that you have the AD CA certificate?
rob
Re: [Freeipa-users] AD setup failure
Hi,
Yes it's an intermediate CA. In the real world combining them is a huge issue, ie making a single joined certificate... It's not likely many sites would go to the pain to do that... I think you need to re-visit that assumption.
The older docs suggested a manual import of the root cert is possible?
regards

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:27 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:14 PM, Steven Jones wrote:
So I need 2 certificates?
No.
and I have to manually add the root CA with certutil?
No.
to the IPA master as a separate process?
No.
You only need the CA certificate for the CA that issued the MS AD server certificate. ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer will add the CA. If the MS CA is an intermediate CA, you should ask the administrator to give you a single CA certificate file (base64 encoded) that contains the intermediate CA and all of the parent CAs up to the root CA.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Hi,
My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it?

That's what we're doing here. You need to provide the CA that issued the SSL certificate for the AD server we're connecting to. I'm guessing they didn't give you the root CA cert.
rob

regards
Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Got a bit further... I was missing --passsync

I think you were using the V1 documentation. The Enterprise Identity Management Guide is what you want off freeipa.org in the Documentation section.
Re: [Freeipa-users] AD setup failure
-END CERTIFICATE-

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:36 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:32 PM, Steven Jones wrote:
Hi,
Yes it's an intermediate CA. In the real world combining them is a huge issue, ie making a single joined certificate... It's not likely many sites would go to the pain to do that... I think you need to re-visit that assumption.

It does not appear to be a CA cert at all, much less an intermediate CA.
Someone please correct me if I'm wrong, but the CA does not have the X509v3 Basic Constraints extension. For example, here is a CA cert issued by Windows 2008:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
        Validity
            Not Before: Feb  9 17:44:10 2011 GMT
            Not After : Feb  9 17:54:07 2021 GMT
        Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
        ...
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE

The older docs suggested a manual import of the root cert is possible?
regards

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:27 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:14 PM, Steven Jones wrote:
So I need 2 certificates?
No.
and I have to manually add the root CA with certutil?
No.
to the IPA master as a separate process?
No.
You only need the CA certificate for the CA that issued the MS AD server certificate. ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer will add the CA. If the MS CA is an intermediate CA, you should ask the administrator to give you a single CA certificate file (base64 encoded) that contains the intermediate CA and all of the parent CAs up to the root CA.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Hi,
My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it?

That's what we're doing here. You need to provide the CA that issued the SSL certificate for the AD server we're connecting to. I'm guessing they didn't give you the root CA cert.
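The check Rich describes above (Basic Constraints CA:TRUE, and for an intermediate CA a single file holding the whole chain up to the root) can be run against a file before it is handed to --cacert, instead of learning the answer from NSS error -8179. The script below is an added example, not code from the thread or from the FreeIPA project: it uses only the Python standard library, needs `openssl` on PATH only for the `diagnose_pem_file` wrapper, and its sample inputs are constructed text in the shape of `openssl x509 -text` output (the server-cert sample is hypothetical; the CA sample copies the fields from the dump Steven posts later in the thread).

```python
"""Check a --cacert file before creating a winsync agreement (added example).

NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) means the AD server certificate
does not chain to a trusted CA: the file handed over was the server cert
itself (no CA:TRUE), or an intermediate CA without its parents up to the root.
Parsing works on `openssl x509 -noout -text` output so it can run offline.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


@dataclass
class CertSummary:
    subject: str
    issuer: str
    basic_constraints_ca: bool  # X509v3 Basic Constraints says CA:TRUE
    key_cert_sign: bool         # X509v3 Key Usage includes Certificate Sign


def _dn(name: str, text: str) -> str:
    """Value of the `Subject:` or `Issuer:` line (first match)."""
    m = re.search(rf"^\s*{name}:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""


def parse_x509_text(text: str) -> CertSummary:
    """Summarise one certificate from `openssl x509 -noout -text` output."""
    # Extension values follow their header, possibly after "critical" and a newline.
    bc = re.search(r"X509v3 Basic Constraints:\s*(?:critical)?\s*CA:(TRUE|FALSE)", text)
    ku = re.search(r"X509v3 Key Usage:\s*(?:critical)?\s*([^\n]+)", text)
    return CertSummary(
        subject=_dn("Subject", text),
        issuer=_dn("Issuer", text),
        basic_constraints_ca=bool(bc and bc.group(1) == "TRUE"),
        key_cert_sign=bool(ku and "Certificate Sign" in ku.group(1)),
    )


def check_chain(certs: list[CertSummary]) -> list[str]:
    """Problems that would make NSS reject the AD server cert.  `certs` is
    ordered as in a bundle: issuing CA first, root last.  Issuer/subject is a
    plain string match: it catches the thread's mistakes, not a signature check."""
    if not certs:
        return ["no certificate found in file"]
    problems: list[str] = []
    for i, c in enumerate(certs):
        if not c.basic_constraints_ca:
            problems.append(f"cert {i} ({c.subject}) lacks Basic Constraints CA:TRUE")
        if not c.key_cert_sign:
            problems.append(f"cert {i} ({c.subject}) Key Usage lacks Certificate Sign")
        if i + 1 < len(certs) and c.issuer != certs[i + 1].subject:
            problems.append(f"cert {i} issuer '{c.issuer}' is not cert {i + 1}'s subject")
    if certs[-1].subject != certs[-1].issuer:  # last cert must be the self-signed root
        problems.append(f"root CA '{certs[-1].issuer}' is missing from the file")
    return problems


def diagnose_pem_file(path: str) -> list[str]:
    """Split a PEM bundle and summarise each certificate with the openssl CLI."""
    with open(path, encoding="ascii") as fh:
        pems = PEM_CERT.findall(fh.read())
    certs = []
    for pem in pems:
        out = subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem,
                             capture_output=True, text=True, check=True).stdout
        certs.append(parse_x509_text(out))
    return check_chain(certs)


# Constructed sample (hypothetical subject): the AD server's own certificate,
# which is what the first --cacert upload in the thread most likely was.
SERVER_CERT_TEXT = """\
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: CN=dc0001.ipa.ac.nz
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""

# Fields copied from the CA certificate dump posted later in the thread.
AD_CA_CERT_TEXT = """\
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

if __name__ == "__main__":
    for name, text in (("domaincert.cer", SERVER_CERT_TEXT), ("Cacrt.cer", AD_CA_CERT_TEXT)):
        print(name, "->", check_chain([parse_x509_text(text)]) or ["usable CA chain"])
```

Run `diagnose_pem_file("/path/to/bundle.cer")` on the real file; an empty list means every cert in it is a CA and the chain closes at a self-signed root.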
Re: [Freeipa-users] AD setup failure
Hi,
I get certutil: function failed: security library: bad database.

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
some more output,

The new cert looks a lot better. I think you need to remove the old one and this should start working:
# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA
This is trying to add a new cert with the same nickname. Too bad the error messages out of certutil aren't more helpful.
ro
Re: [Freeipa-users] AD setup failure
My Windows person tells me that this cert is the root one, which apparently has no permissions to do anything...
regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
some more output,

The new cert looks a lot better. I think you need to remove the old one and this should start working:
# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA
This is trying to add a new cert with the same nickname. Too bad the error messages out of certutil aren't more helpful.
rob

==
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA -t CT,,C -a' returned non-zero exit status 255
Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer]
[root@fed14-64-ipam001 samba]# cd ~jonesst1
[root@fed14-64-ipam001 jonesst1]# ls -l
total 52
-rw-rw-r--. 1 jonesst1 jonesst1  384 Mar 29 15:16 ad-fail
-rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer
-rw-rw-r--. 1 jonesst1 jonesst1  984 Mar 29 16:11 client2.fail
-rw-rw-r--. 1 jonesst1 jonesst1  345 Mar 29 15:22 connect-fail
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents
-rwxr--r--. 1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos
[root@fed14-64-ipam001 jonesst1]#

=
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Validity
            Not Before: Mar 29 00:45:47 2011 GMT
            Not After : Mar 29 00:55:22 2016 GMT
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b2:f0:2a:e2:a1:f7:6d:6e:96:dc:a8:a1:84:ff:
                    e8:24:f7:79:de:ad:a9:ac:c4:6d:73:51:ab:7e:fc:
                    cf:98:d2:85:72:0e:89:7e:df:61:c9:d8:03:1f:9f:
                    4b:23:bf:29:44:e6:e8:99:87:69:63:09:7e:c6:3e:
                    ad:99:ac:31:1e:b6:08:80:03:3d:99:6a:e5:85:b1:
                    ea:77:1e:8c:70:8a:c7:b8:6b:b7:a5:fd:13:15:83:
                    95:8b:f6:cd:2a:a4:f9:f6:7e:f0:b4:a8:a1:38:ee:
                    e3:ff:13:00:64:b0:60:01:ac:e8:79:1e:2d:3c:e9:
                    44:df:17:46:d8:e5:8a:0a:40:53:2e:60:8d:7c:93:
                    4e:e8:ea:ab:7a:c2:16:45:14:79:57:7c:21:f7:d9:
                    a2:2c:09:4b:cb:ff:b8:a5:80:d4:b5:a2:f4:03:5f:
                    3a:b8:8d:1c:14:d6:b7:b5:29:c8:38:80:1b:41:29:
                    54:0f:6b:6a:80:f5:9c:38:d8:31:51:ae:25:70:06:
                    2d:f7:5d:90:06:33:b6:93:d9:3a:33:4d:ce:4f:41:
                    30:df:89:55:87:ee:c1:86:e6:e8:20:3f:c5:58:e8:
                    fa:7f:40:00:60:f6:10:d7:ec:38:7d:d0:1d:20:f4:
                    d1:a9:fe:e8:3d:fd:a7:91:b9:0e:2f:f2:fd:0f:e1:
                    0a:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
            1.3.6.1.4.1.311.21.1:
                ...
    Signature Algorithm: sha1WithRSAEncryption
        1c:69:e5:c3:fe:06:e2:22:86:cf:20:a7:18:7f:49:02:6c:c7:
        31:8f:40:84:79:72:20:6c:3f:45:2d:e5:7c:91:33:ad:db:e6:
        f2:d9:90:4f:20:0e:ba:1f:63:3c:5c:70:5f:b3:b7:29:75:83:
        1f:dd:d4:c7:56:e1:e5:b0:32:a4:cb:70:4f:21:d7:49:3c:cd:
        43:c9:2b:e7:02
Re: [Freeipa-users] AD setup failure
Same failure message

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:57 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Hi,
I get certutil: function failed: security library: bad database.

Sorry, I should have quoted "Imported CA", try:
# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA"
rob

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
some more output,

The new cert looks a lot better. I think you need to remove the old one and this should start working:
# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n Imported CA
This is trying to add a new cert with the same nickname. Too bad the error messages out of certutil aren't more helpful.
ro
[Freeipa-users] 6.1 beta
Hi,
This has IPA 2.0 rcX server and client in it?
regards
Steven
Re: [Freeipa-users] 6.1 beta
ooohhh... Think I can answer that myself! ipa-server-2.0.0-16.el6.x86_64 :D
regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Monday, 4 April 2011 9:29 a.m.
To: d...@redhat.com; freeipa-users@redhat.com
Subject: [Freeipa-users] 6.1 beta

Hi,
This has IPA 2.0 rcX server and client in it?
regards
Steven
Re: [Freeipa-users] 6.1 beta
8<-
Just to elaborate on Dmitri's comments. In addition to the IPA client and server packages that are included in the RHEL6.1 beta channel, there will be a separate RHEL add-on channel, Enterprise Identity Replication. That add-on channel will contain ds-replication and the Windows sync packages. If you wish to use IPA during the beta or when it is a tech preview feature of RHEL 6.1 you should request an eval entitlement to the Enterprise Identity Replication channel from your Red Hat account rep.
Cheers,
Kev

Hi Kevin,
I have requested the replication channel as you recommended from our account manager. I am curious as to why such an important feature as replication is put in its own channel. I see IPA is trying to compete with Active Directory to service Unix/Linux machines; however, with Active Directory all features are included in the base package of the operating system. Why does Red Hat put the replication feature of IPA into a separate channel from the operating system?
Rgds,
Siggi

==
Silly question... they want to make money and lock out the easy possibility of you not paying them. There is a very good reason Red Hat is nicknamed the Microsoft of the Linux world... but they are all pretty much the same. You have to go into this with open eyes... this project isn't a real open source project with real open source ppl from all walks of life... it's a Red Hat project that they let you see into on their terms. Sun and Oracle for instance have done the same thing... their projects splutter along with little OSS community support. Example: so if you went to say mailman (like I do), that's a real open source product and I can get first class support via that... I would think that this will never be a place for open source support for IPA; it will be "please go to Red Hat and pay if you want help".

I don't know I've even seen a single contributor who doesn't have a @redhat.com address; that set off warning lights for me... probably why the FDS project still has so many contributors and users. I hadn't noticed this wrinkle as I'm busy building a total virtual copy of prod to run a huge proof of concept / pre-prod setup which will take me another week at least... given we don't have much money and it's going to take me more than 6 months to do, paying $ isn't practical/possible and we don't know the cost when 6.2 comes out. So I suspect that if you don't want or can't afford a support contract, bailing to CentOS 6.1 or using CentOS rpms to finish the glue (on RHEL) will be the way to go. Given we will be using Shibboleth and everyone around us with Shibboleth is on CentOS, it's probably where we will go.

It's not all bad; bear in mind of course an Identity / LDAP product off anyone else, eg Oracle, will cost you mega bucks to buy (think numbers ending in 5 0's), is bloody awful (2 of us spent 6 weeks trying to make its virtual front end LDAP server even start, let alone do anything of use, and I failed)... and costly to look after (think 1 FTE and a highly paid one to boot)... I really wonder if the business case stacks up at all.
regards
Re: [Freeipa-users] 6.1 beta
Hi,
I think I get a bit peeved when I go on a RH course and the trainer spends too much time telling us about the licencing changes for rhel6 and all the hoops and caveats we have to now consider... this is proprietary territory... where licencing becomes a costly and time consuming headache. Yes, everyone has to eat... so moderately priced, hopefully it will be no worse than RDS, but when I'm sitting in front of managers convincing them to buy an Open Source product I kind of feel I'm selling my soul; it's not why I took up Linux 12 years ago. I think the guy who wrote the Linux network stack summed it up well several years ago when asked why he hadn't charged for his work; his answer was (paraphrase) "I write a network stack and in return I get a complete OS in return for my work, why isn't that a great deal?"
NB Actually for OS licencing we run twice if not three times the Microsoft servers on our site as Linux... it costs us less to run MS than RH in annual fees. I find that really weird.
regards
Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 8 April 2011 10:21 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] 6.1 beta

On 04/07/2011 05:32 PM, Steven Jones wrote:
8<-
Just to elaborate on Dmitri's comments. In addition to the IPA client and server packages that are included in the RHEL6.1 beta channel, there will be a separate RHEL add-on channel, Enterprise Identity Replication. That add-on channel will contain ds-replication and the Windows sync packages. If you wish to use IPA during the beta or when it is a tech preview feature of RHEL 6.1 you should request an eval entitlement to the Enterprise Identity Replication channel from your Red Hat account rep.
Cheers,
Kev

Hi Kevin,
I have requested the replication channel as you recommended from our account manager. I am curious as to why such an important feature as replication is put in its own channel.
It's not all bad; bear in mind of course an Identity / LDAP product off anyone else, eg Oracle, will cost you mega bucks to buy (think numbers ending in 5 0's), is bloody awful (2 of us spent 6 weeks trying to make its virtual front end LDAP server even start, let alone do anything of use, and I failed)... and costly to look after (think 1 FTE and a highly paid one to boot)... I really wonder if the business case stacks up at all.
regards

Hello Siggi, Hello Steven
It is true that we are human and we sometimes need to eat (just sometimes...). It is true that the project was sponsored by Red Hat and most of the contributors are from Red Hat. It is not true that all of them are. There are other contributors. Not many, but there are. And we hope that there will be more over time. All the bits are available in Fedora at no cost and we do our best to support the Fedora community since we
Re: [Freeipa-users] Installing on CentOS 5.X?
Hi,
It's nowhere near a full IdM from what I can see so far, but if you want to glue a straightforward but mixed environment together, ie with MS AD and Linux, and get one password say across the lot plus some control, then it looks good enough. So if you know what your goals are and want to see if it meets them, a Fedora testbed would be good enough I suspect. I've gone through that; now I want 6 months of extended trial. You need a decent period; we bought Oracle's IdM and it's still not working in #+ years and well past the odd million $.
regards
Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Gavin McQuillan [ga...@urbanairship.com]
Sent: Thursday, 14 April 2011 8:18 a.m.
To: Doug Chapman
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Installing on CentOS 5.X?

I did manage to get the 1.0.0 version compiled and running on CentOS 5.6, using the aforementioned spec file mucking. But the suggested course would be to wait for CentOS 6.X, change to RHEL 6, or is Fedora really the only distribution still being targeted?
Cheers,
-Gavin

On Tue, Apr 12, 2011 at 3:34 PM, Doug Chapman prjctg...@gmail.com wrote:
Recent builds, no. FreeIPA 1.2 will build on Centos5 with some work (as in mucking with spec files). We're using the 389-ds (1.2.4) package from Fedora. At this juncture I would not invest the time to get this working on Centos5.

On Tue, Apr 12, 2011 at 1:57 PM, Gavin McQuillan ga...@urbanairship.com wrote:
Hi,
We're moving to a vendor which only supports servers with CentOS or RHEL. I see a 2 1/2 year old document for building SRC RPMs to get an older version of ipa-server running: http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5. However there are problems with it.
- It's missing several steps and/or the package names have changed since 5.2.
- Some people hint that 'centos-ds' located in the testing should serve the same purpose, but it looks like it only supports basic LDAP administration.
- Naturally, this repo config doesn't work: http://freeipa.org/downloads/freeipa-devel.repo
Has anybody in the community successfully gotten a relatively recent version of FreeIPA installed on CentOS 5.X?
Thanks in advance,
-Gavin

--
Doug Chapman
[Freeipa-users] Word of warning on freeipa availability
Hi,
Anybody contemplating using FreeIPA should check with Red Hat sales in their region before getting interested. It seems FreeIPA won't be sold in all regions; as an example, in Asia Pacific, like RDS, it may never be sold... or at least it may be years away. So without access to the replication/AD sync channel and no support envisaged I would think it's of limited use. Oops.
regards
Re: [Freeipa-users] Word of warning on freeipa availability
Hi,
I'm not saying it's bad... actually the opposite. We looked at RDS 18 months ago and I bust a gut trying to get my management interested in buying it... I finally got an agreement but was told by Red Hat sales AP that it was no longer being sold as they couldn't support it, but to look at FreeIPA 2 because this was a great product and would be supported. So I've gone and persuaded my line managers to take a good look at IPA; I get them interested in me doing a POC, but AP Sales are now telling me the same thing for IPA as they did RDS... they don't foresee selling it in AP for the foreseeable future, if ever... mainly because they tell me they can't support it. Now it's possible they don't have a clue... but I can't keep waiting for ever and based on past actions that doesn't seem wise.
So my point is if someone joins this open-source group with the intention of using this next year they should be aware there is a risk it won't be commercially supported by Red Hat in their region... so in effect they could be wasting their time.
In terms of a product I'm not saying it's rubbish; I'm actually so pissed because I think from its overall design, its easy to use and simple interface and to its nuts and bolts it will be a good product and do exactly what we need... I'm annoyed because I will probably not be able to use it!
regards
===

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 22 April 2011 3:23 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Word of warning on freeipa availability

On 04/21/2011 04:11 AM, Steven Jones wrote:
Hi,
Anybody contemplating using FreeIPA should check with Red Hat sales in their region before getting interested. It seems FreeIPA won't be sold in all regions; as an example, in Asia Pacific, like RDS, it may never be sold... or at least it may be years away.
So without access to the replication/AD sync channel and no support envisaged I would think it's of limited use.

I am not sure this is the accurate information. It was true regarding v1 but it most likely will be different with v2. I do not think the information you are commenting on is even shaped internally as the official sales of IPA will start only with 6.2. IPA is in tech preview in 6.1. The access to replication bits is in fact needed via Red Hat contact. I am really not sure what you are trying to say with this post? IPA is bad, do not use it? It seems that supporting something requires knowledge and the right people. It might very well be possible that Red Hat would not be able to ramp up the right support resources for all geographies on day 1. It is a question of time and demand. FreeIPA - the community release - is available and supported using the standard best effort model across the globe. It is unclear what other expectations are not met.

Oops.
regards

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
[Freeipa-users] test
test
[Freeipa-users] RHEL6.1 beta
Hi,
Where are the ipa-server-2.0 packages held these days? From previous list posts they were here, but I can't find them now:
ipa-server-2.0.0-16.el6.x86_64
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=619857
Red Hat Enterprise Linux Server Beta (v. 6 for 64-bit x86_64)
ipa-server-2.0.0-16.el6.i686
https://rhn.redhat.com/rhn/software/packages/details/Overview.do?pid=617431
regards
Re: [Freeipa-users] FreeIPA questions
Hi,

IMHO, I wouldn't use Fedora as a base for a business use. It's not very stable or, more importantly, long lived. I've done a proof of concept on F14; F14 is fine for that (unless F15 is out?) to take a good look at, yes.

You should be able to get the Macs to authenticate to AD directly, we do. I can ask the Mac guy how it's done if that's a help, but it's probably out there on Google.

Distro: there is only RHEL that I can see at present, and it's a tech preview. Bear in mind that this is a Red Hat sponsored project, so it's highly Red Hat centric. CentOS: I'm 99% sure there isn't a CentOS 6 yet (I looked last week), so I'm not aware there is an alternative.

I would suggest you need at least 2 RHEL instances to give redundancy, and the extra add-on channel(s), so that's some licensing. I think RHEL licences are cheaper if they are virtualised guests though (we use VMware's ESXi), so ask a sales person the cheapest way. We pay per student so I don't know the commercial costs/licences fine points. ESXi is available as a free option... I run it at home, 11 guests per Dell 390. Way cool for a second hand $400 workstation.

I have not used 1.0, though I have installed an old version a while back for a look, but I like IPA 2.0 a lot. It's a great web interface, easy to use unlike most LDAP interfaces... the best I've seen by far, almost unusual for Red Hat as their web GUIs don't impress me.

There are a lot of dependencies for IPA so doing it via the RPMs is a nightmare. I tried yesterday off the CD and it was a waste of 3 hours, the interdependencies made it impossible. I went and kickstarted the guest again and put ipa-server in the script and it installed fine, but if you don't have the 6.1 beta DVD that isn't an option. Really, yum is it.

For the repo problem I'd suggest checking your DNS and firewall. I had a lot of grief from both because our anal security ppl had stopped outward-bound DNS queries and didn't tell anyone; took me 2+ hours to figure that out. Then they blocked outward HTTP because servers didn't need to do that, another 1+ hour wasted. The security guy was lucky he is way bigger than me... I was so p*ssed ;]

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of SR [esopt...@cox.net]
Sent: Tuesday, 10 May 2011 7:36 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA questions

I'm new to FreeIPA and this list so please forgive me for the n00b questions.

I have what I think is a pretty straight-forward use for FreeIPA. We have an Active Directory environment with a few hundred users. We are starting to increase our number of Macs and need a directory solution. There are some issues with Macs in AD which Apple doesn't seem interested in addressing. Open Directory would be nice if we only had Macs but it doesn't allow for syncing accounts to AD, so it won't work for us. Based on what I've read about FreeIPA, it seems like it would be a good fit for us.

The problem I'm having is that I can't seem to even get FreeIPA installed. I've tried using Fedora 10 with all the latest updates. I've tried adding different .repo files I've found on the various FreeIPA pages, but none of them seem to be working for me.

So, my questions are:

1) What is the best distro for running FreeIPA? I'd rather not purchase RHEL, so it sounds like Fedora is the way to go. I just finished downloading Fedora 14 and will give that a try unless someone recommends something else.

2) Is version 2 highly recommended over version 1, or does version 1 have sufficient features to use it in a production environment? Essentially, we have about 30 current Mac users (and growing) that we want to create accounts for in FreeIPA and have sync'd to AD (or vice versa). The users will need the ability to change their passwords.

3) What is the best way to install FreeIPA? I'm having problems with yum (see errors below) so I was wondering if there was another way, e.g., RPMs.

# yum install freeipa-server
Loaded plugins: refresh-packagekit
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64 error was
[Errno 4] IOError: urlopen error (101, 'Network is unreachable')
http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml: [Errno 4] IOError: urlopen error (-2, 'Name or service not known')
Trying other mirror.
fedora | 2.8kB 00:00
updates | 3.4kB 00:00
Setting up Install Process
No package freeipa-server available.
Nothing to do

Thanks!
--Steve
Re: [Freeipa-users] Disk layout - requirements
Hi,

Disk space isn't an issue as such, as I thin provision the VMware guest anyway so I can be fairly generous; 200gb is easy. The thing that interests me is splitting up the table spaces to different disk sets, for instance (/dev/sdb1, /dev/sdc1 etc, etc). Later then I can change RAID types or spread out to different LUNs on the fly if there is a performance bottleneck. That's easy to do if the backend is broken up to different partitions on initial build...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 10 May 2011 3:17 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Disk layout - requirements

Dmitri Pal wrote:
On 05/06/2011 11:58 AM, Sigbjorn Lie wrote:
On 05/06/2011 04:12 PM, Rob Crittenden wrote:
Steven Jones wrote:

Hi,

Digging through docs / googling I can't see any disk partition suggestions and size thereof requirements... Suggestions please? Sizing for 500 servers, 2000 desktops, 5000+ users... Especially around having different sections of the IPA master on different RAID groups if that's needed...

It depends in part how you use IPA. A bare-bones user entry is about 1k, a host that has a certificate is about the same. There is some amount of overhead in the DIT and you'll need to consider the space for groups, how many Kerberos services you'll deploy (also about 1k in size) and what other features of IPA you'll use. We have quite a few indexes into the data, that will take some room too.

I think additional RAM will be better than terabytes of disk. 389-ds is going to try to cache much of this data, and with this number of entries it can probably keep most if not all of the database in memory.

We haven't done any analysis on different FS performance.

Does that help?

rob

Would you consider these documents describing sizing and performance tuning of the RH DS to be comparable/transferable to IPA?

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Installation_Guide/Installation_Guide-Platform_Support.html#Installation_Guide-Platform_Support-Hardware_Requirements
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html

Yes, these documents are applicable and can be used to tune up the DS server under IPA. Be careful to note that in the first document the disk space assumptions are for 100 byte entries and some (but not all) of the IPA entries are 10x that.

Thanks for the links Sigbjorn.

regards

rob
[Freeipa-users] test use cases
NB in the test use case at https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS

With DNS

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign

It is coming back with wanting forwarders set, so that might need updating... eg

#ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign

Also the above is spitting out the install script because the FQDN isn't set. To be correct, where should it be set? /etc/hosts?

regards
[Freeipa-users] failure to un-install FreeIPA
I am trying to un-install FreeIPA with ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed! Oops.

Is there a way to force the script to check and remove everything? Or somewhere there is a lock file or something that needs removing?

regards
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Hi,

It's quite interesting that there are no real clients for IPA outside of RH/Fedora. This will probably do more to delay or restrict its adoption than anything else.

regards

Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of nasir nasir [kollath...@yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.
-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount the NFS partition on the client machine when NOT using the -o sec=krb5 option.

So it seems to be some issue with the Kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in the /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command. But it is giving the sequences of Kerberos commands while giving commands like kadmin (AS_REQ, TGS_REQ etc).

Here is my /etc/export file,

/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)

2) Regarding the Kubuntu client, I tried with a 32 bit machine and it is still the same. But I did notice that the Python version in Kubuntu is 2.7 and that of the RHEL I have tried is 2.6. Could it be due to this? If so, I can try with an earlier version of Kubuntu with Python 2.6 and update you on this.

Thanks a lot and regards,
Nasir

--- On Mon, 5/9/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 8:38 AM

On 05/09/2011 10:43 AM, nasir nasir wrote:

Dimitri/Adam/Stephen,

Thanks a lot for all the replies! This is a 64 bit machine. So I will try to install 32 bit and let you know the result.

Also, I was trying to configure the NFS service on the FreeIPA machine. I followed exactly as given in the deployment guide and tested with another RHEL 6.1 client machine with ipa-client installed on it. When I try to mount the NFS export I am getting the following error,

[root@abc Packages]# mount -v -t nfs4 -o sec=krb5 openipa.cohort.org:/ /mnt
mount.nfs4: timeout set for Mon May 9 17:36:14 2011
mount.nfs4: trying text-based options 'sec=krb5,addr=192.168.1.240,clientaddr=192.168.1.125'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting openipa.cohort.org:/
[root@abc Packages]#

But when I try to remove the Kerberos authentication (i.e. without -o sec=krb5) it gets mounted without any problem. I googled a lot for this error and tried all the suggestions like adding the allow_weak_crypto parameter in the krb5.conf file, checking host/DNS/keytab entries etc. Still it does not work. When I give a weak crypto entry and add some weak crypto like des-cbc-md5, the server rejects it and says that it is not supported. My /etc/export file and all the necessary commands are copy-pasted from the deployment guide with only the necessary modifications to suit my values.

Please suggest to me what to do.

Start off by checking the Kerberos logs on both the server and client machines, in /var/log/: krb5kdc.log, kadmind.log, secure.

I'm not a Kerberos guru... bear that in mind.

Make sure the clocks are in sync. Always worth doing. Kind of the Kerberos equivalent of "Make sure the network cable is actually plugged in".

The KDC needs to know about the NFS service in order to grant a ticket. Confirm that you can request an nfs ticket for your user and client for the given server. On the IPA server side, you have to create a service entry for your NFS server.

Your NFS server needs to know to talk to the IPA Kerberos instance. This is a likely suspect, based on the error message.

Make sure you can kinit and do simple IPA type things on the machine you are doing the NFS mount on. Being able to use the IPA Kerberos ticket to ssh from the NFS client machine to the NFS server machine would be a good validation that the entire problem is just in the NFS configuration.

Thanks indeed in advance and regards,
Nidal

--- On Mon, 5/9/11, Adam Young ayo...@redhat.com wrote:

From: Adam Young ayo...@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment
To: nasir nasir kollath...@yahoo.com
Cc: freeipa-users@redhat.com
Date: Monday, May 9, 2011, 6:17 AM

On 05/08/2011 11:57 PM, nasir nasir wrote:

Adam,

I truly appreciate your persistence! I tried using alien and
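The exports file quoted in the thread above pairs a plain `*` line with the legacy `gss/krb5*` pseudo-client lines, so any host may mount /export with AUTH_SYS, which matches the report that the mount succeeds as soon as `-o sec=krb5` is dropped. The following is an added example, not code from the thread or from FreeIPA: it parses both exports syntaxes, lists the exports that still accept AUTH_SYS, and emits a rewrite that requires a Kerberos flavour; the `/home` line, the `.example.test` domain and the chosen flavour policy are constructed for the example.

```python
"""Lint an NFS exports file for exports that do not require Kerberos.

Added example, not code from the thread or from FreeIPA. It understands both
the modern "client(opts...,sec=flavour:flavour)" syntax and the legacy
"gss/krb5(opts)" pseudo-client syntax used in the exports file quoted above.
"""
import re
from dataclasses import dataclass

# Legacy pseudo-clients: older exportfs read these as "any host, using this
# RPCSEC_GSS flavour", i.e. they are equivalent to "*(...,sec=<flavour>)".
LEGACY_GSS = {"gss/krb5": "krb5", "gss/krb5i": "krb5i", "gss/krb5p": "krb5p"}

# Constructed sample: the four lines quoted in the thread, plus one
# hypothetical line that already uses the sec= option (domain is made up).
SAMPLE_EXPORTS = """\
/export *(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5i(rw,fsid=0,insecure,no_subtree_check)
/export gss/krb5p(rw,fsid=0,insecure,no_subtree_check)
/home   *.example.test(rw,sec=krb5p:krb5i,no_subtree_check)  # hypothetical
"""

# One "client(options)" or bare "client" token in the part after the path.
TOKEN = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


@dataclass
class Export:
    path: str
    client: str
    options: tuple   # options as written, e.g. ("rw", "fsid=0")
    sec: tuple       # accepted flavours; "sys" is AUTH_SYS, i.e. no Kerberos


def parse_exports(text):
    """Parse exports(5)-style text into one Export per (path, client) pair."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for m in TOKEN.finditer(rest):
            client = m.group(1) or m.group(3)
            options = tuple(o for o in (m.group(2) or "").split(",") if o)
            sec = ("sys",)                    # exportfs default: AUTH_SYS only
            if client in LEGACY_GSS:          # legacy form implies "*" + flavour
                sec, client = (LEGACY_GSS[client],), "*"
            for opt in options:
                if opt.startswith("sec="):    # explicit flavour list wins
                    sec = tuple(opt[len("sec="):].split(":"))
            exports.append(Export(path, client, options, sec))
    return exports


def unprotected_clients(exports):
    """Map each path to the clients allowed to mount it with AUTH_SYS.

    Any path listed here can be mounted with no Kerberos at all, which is the
    case that lets a mount succeed as soon as "-o sec=krb5" is left off.
    """
    weak = {}
    for e in exports:
        if "sys" in e.sec:
            weak.setdefault(e.path, []).append(e.client)
    return weak


def harden(exports, flavours=("krb5p", "krb5i", "krb5")):
    """Rewrite the exports so every client must use one of `flavours`.

    Legacy gss/* lines collapse into the "*" entry they are equivalent to, so
    the four /export lines above become one line with an explicit sec= list.
    Which flavours to allow is this example's own policy choice.
    """
    lines, seen = [], set()
    for e in exports:
        key = (e.path, e.client)
        if key in seen:
            continue
        seen.add(key)
        opts = [o for o in e.options if not o.startswith("sec=")]
        opts.append("sec=" + ":".join(flavours))
        lines.append(f"{e.path} {e.client}({','.join(opts)})")
    return lines


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for path, clients in unprotected_clients(parsed).items():
        print(f"{path}: mountable with AUTH_SYS by {', '.join(clients)}")
    print("\nHardened exports:")
    print("\n".join(harden(parsed)))
```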
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Hi,

We run just about every distro I've heard of, I think... So, yes, I'll need lots of different clients. However AP still have not replied to my requests.

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 11 May 2011 8:54 a.m.
To: Steven Jones
Cc: nasir nasir; Adam Young; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Steven Jones wrote:

Hi,

It's quite interesting that there are no real clients for IPA outside of RH/Fedora. This will probably do more to delay or restrict its adoption than anything else.

nss_ldap or its equivalent exists on most operating systems. sssd, albeit a rather old one, exists in Debian. The code, particularly the client, should be rather portable. Packaging help from package maintainers on other distros would be welcome.

rob

regards

Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of nasir nasir [kollath...@yahoo.com]
Sent: Wednesday, 11 May 2011 4:37 a.m.
To: Adam Young
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

Thanks again!

Two issues,

1) I had already tried everything you had mentioned in your mail.
-- Times are perfectly in sync across the network.
-- I can ssh using IPA users from the client machine also.
-- I can mount the NFS partition on the client machine when NOT using the -o sec=krb5 option.

So it seems to be some issue with the Kerberos integration of NFS (or some misconfiguration from my side). I had checked all the log files, nothing useful. I had even enabled the debug option in the /etc/krb5.conf file (severity = DEBUG). Still it is not giving any log at all when I am executing the mount command.
Re: [Freeipa-users] failure to un-install FreeIPA
VMware local console. I can't cut and paste outputs or scroll back when it's a KDE rdp to a Windows 7 VMware guest and then into the VMware thick client and then to a local console; it simply doesn't work... Bit messy but I get a Linux desktop :D

regards

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 11 May 2011 8:52 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA

Steven Jones wrote:

I logged in via ssh instead so I could get an output, and the install worked without a hitch...

ssh instead of what?

rob

:/ weird...

regards

Steven

From: Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 10 May 2011 8:32 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] failure to un-install FreeIPA

On Tue, 2011-05-10 at 03:58 +, Steven Jones wrote:

I am trying to un-install FreeIPA with ipa-server-install --uninstall and it's saying not installed, but when I try to install it's saying already installed! Oops.

Is there a way to force the script to check and remove everything? Or somewhere there is a lock file or something that needs removing?

regards

Steven,

can you please send a full output of `ipa-server-install --uninstall` and then the `ipa-server-install` command? (and the freeipa-server package version)

There was a that could cause this behavior.

Anyway, the installer files you are looking for are there:

/var/lib/ipa/sysrestore/        # server backup files
/var/lib/ipa-client/sysrestore/ # client backup files

If you remove them, the installation will continue. However, I wouldn't recommend removing them manually as ipa-[server|client]-install --uninstall won't be able to return the machine to its original configuration then. I would rather suggest using the server/client uninstaller again.

Martin
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Hi,

There are OSS packages that can be installed into Solaris, so I don't see why FreeIPA can't be ported, at least the x86 CPU version anyway.

Oracle/Sun may not want to do IPA, but if you had ever had the misfortune to try and use Oracle's IdM / OVD / OID you'd understand why few techies/ppl/businesses want it. It's bloody awful to install, let alone work with or maintain. So it turns into a risky endeavour and no one sane wants that much risk in their business, let alone the 6 figure costs... and yes I'm talking over a million.

Hopefully we are getting away from the silo attitude of vendors. Vendors might want only their products in a customer site, but realistically customers don't want that for lots of reasons, and pillaging your wallet is one of the biggest.

In our case all that happens is we won't buy Sun kit if it doesn't work the way we want to work. Their loss.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 11 May 2011 8:24 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 04:10 PM, Steven Jones wrote:

Hi,

It's quite interesting that there are no real clients for IPA outside of RH/Fedora. This will probably do more to delay or restrict its adoption than anything else.

Not sure what you are talking about. Any Kerberos enabled service is a service, and any pam_krb5/nss_ldap or SSSD enabled system can be a client. SSSD is in Debian, Ubuntu, SUSE, Fedora, RH. Would be nice to have it in other OSs like Solaris and HP-UX but they have other plans.

regards

Steven
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
Ah sorry, I assumed a Solaris client, not server.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 11 May 2011 9:31 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 05:11 PM, Steven Jones wrote:

Hi,

There are OSS packages that can be installed into Solaris, so I don't see why FreeIPA can't be ported, at least the x86 CPU version anyway.

I think this will be a huge undertaking. It is not that simple. And is there really a value for IPA to be on Solaris? I can understand the client part but the server is less important. It is a dedicated server running on BM or VM, so does it really matter what OS it is running as long as it is supported and affordable? We as a dev community will be open to any effort to port the whole stack to some other distribution, but I bet there are better uses for someone's energy that we can utilize to deliver better functionality to this user community.

Client is a different issue. I tried to talk to IBM, HP and Sun a year ago. They are not interested in porting SSSD to their platforms.

Oracle/Sun may not want to do IPA, but if you had ever had the misfortune to try and use Oracle's IdM / OVD / OID you'd understand why few techies/ppl/businesses want it. It's bloody awful to install, let alone work with or maintain. So it turns into a risky endeavour and no one sane wants that much risk in their business, let alone the 6 figure costs... and yes I'm talking over a million.

Hopefully we are getting away from the silo attitude of vendors. Vendors might want only their products in a customer site, but realistically customers don't want that for lots of reasons, and pillaging your wallet is one of the biggest.

In our case all that happens is we won't buy Sun kit if it doesn't work the way we want to work. Their loss.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 11 May 2011 8:24 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On 05/10/2011 04:10 PM, Steven Jones wrote:

Hi,

It's quite interesting that there are no real clients for IPA outside of RH/Fedora. This will probably do more to delay or restrict its adoption than anything else.

Not sure what you are talking about. Any Kerberos enabled service is a service, and any pam_krb5/nss_ldap or SSSD enabled system can be a client. SSSD is in Debian, Ubuntu, SUSE, Fedora, RH. Would be nice to have it in other OSs like Solaris and HP-UX but they have other plans.

regards

Steven

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] fatal error for ipa with dns.
Hi,

Fixed I think, forgot to disable NetworkManager. So did that, uninstalled and re-installed and it's fine... so far...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed IPA but I'm getting this error, named won't run as it won't kinit admin.

=====
May 11 14:11:40 vuwunicoipamt01 named[3132]: starting BIND 9.7.3-RedHat-9.7.3-1.el6 -u named
May 11 14:11:40 vuwunicoipamt01 named[3132]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
May 11 14:11:40 vuwunicoipamt01 named[3132]: adjusted limit on open files from 1024 to 1048576
May 11 14:11:40 vuwunicoipamt01 named[3132]: found 1 CPU, using 1 worker thread
May 11 14:11:40 vuwunicoipamt01 named[3132]: using up to 4096 sockets
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration from '/etc/named.conf'
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv4 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv6 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv6 interfaces, port 53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface lo, 127.0.0.1#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface eth0, 130.195.81.236#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: generating session key for dynamic DNS
May 11 14:11:40 vuwunicoipamt01 named[3132]: Failed to init credentials (Cannot contact any KDC for realm 'UNIX.VUW.AC.NZ')
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration: failure
May 11 14:11:40 vuwunicoipamt01 named[3132]: exiting (due to fatal error)
May 11 14:12:36 vuwunicoipamt01 ntpd[1771]: synchronized to LOCAL(0), stratum 10
=====

There appears to be no named.log?

regards
Re: [Freeipa-users] fatal error for ipa with dns.
Hi,

Nope, looks like DNS is barfed big time...

=====
[root@vuwunicoipamt01 ~]# host vuwunicoipamt01.unix.vuw.ac.nz
vuwunicoipamt01.unix.vuw.ac.nz has address 130.195.81.236
[root@vuwunicoipamt01 ~]# ipa dns-resolve vuwunicoipamt01.unix.vuw.ac.nz
ipa: ERROR: Kerberos error: No credentials cache found/
[root@vuwunicoipamt01 ~]# ipa host-show vuwunicoipamt01.unix.vuw.ac.nz
ipa: ERROR: Kerberos error: No credentials cache found/
[root@vuwunicoipamt01 ~]#
=====

Also clients can't resolve against the DNS server, so it's looking buggered.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Adam Young [ayo...@redhat.com]
Sent: Wednesday, 11 May 2011 3:16 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:

Hi,

Fixed I think, forgot to disable NetworkManager. So did that, uninstalled and re-installed and it's fine... so far...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed IPA but I'm getting this error, named won't run as it won't kinit admin.
Re: [Freeipa-users] fatal error for ipa with dns.
Client that failed install log as requested.

regards

From: Adam Young [ayo...@redhat.com]
Sent: Wednesday, 11 May 2011 3:33 p.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

OK, I'll take a look. BTW, what is your DNS set up outside of the IPA server: does your IPA server have a FQDN in a different server?

On 05/10/2011 11:28 PM, Steven Jones wrote:

all the logs

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Adam Young [ayo...@redhat.com]
Sent: Wednesday, 11 May 2011 3:16 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] fatal error for ipa with dns.

Very cool. I've had a slew of DNS related issues when trying to set things up in a small virtual environment using DNSMasq, so I feel your pain. Please send a quick write up of your set up if you get everything working.

On 05/10/2011 11:02 PM, Steven Jones wrote:

Hi,

Fixed I think, forgot to disable NetworkManager. So did that, uninstalled and re-installed and it's fine... so far...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Wednesday, 11 May 2011 2:14 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] fatal error for ipa with dns.

I have installed IPA but I'm getting this error, named won't run as it won't kinit admin.
=
May 11 14:11:40 vuwunicoipamt01 named[3132]: starting BIND 9.7.3-RedHat-9.7.3-1.el6 -u named
May 11 14:11:40 vuwunicoipamt01 named[3132]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
May 11 14:11:40 vuwunicoipamt01 named[3132]: adjusted limit on open files from 1024 to 1048576
May 11 14:11:40 vuwunicoipamt01 named[3132]: found 1 CPU, using 1 worker thread
May 11 14:11:40 vuwunicoipamt01 named[3132]: using up to 4096 sockets
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration from '/etc/named.conf'
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv4 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: using default UDP/IPv6 port range: [1024, 65535]
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv6 interfaces, port 53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface lo, 127.0.0.1#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: listening on IPv4 interface eth0, 130.195.81.236#53
May 11 14:11:40 vuwunicoipamt01 named[3132]: generating session key for dynamic DNS
May 11 14:11:40 vuwunicoipamt01 named[3132]: Failed to init credentials (Cannot contact any KDC for realm 'UNIX.VUW.AC.NZ')
May 11 14:11:40 vuwunicoipamt01 named[3132]: loading configuration: failure
May 11 14:11:40 vuwunicoipamt01 named[3132]: exiting (due to fatal error)
May 11 14:12:36 vuwunicoipamt01 ntpd[1771]: synchronized to LOCAL(0), stratum 10
=
There appears to be no named.log?

regards
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

ipaclient-install.log
Description: ipaclient-install.log
Re: [Freeipa-users] FreeIPA for Linux desktop deployment
> What I see as one of the selling points of IPA over any *nix client for Active Directory is the ability to use the operating system's built-in tools.

Indeed. What makes my nether regions churn is installing something from Likewise or Quest which does nasties to the guts of RHEL/Linux, and then Red Hat won't/can't support it, not to mention the crazy cost. Indeed, even if I have a connection to AD, MS won't support it either; our Windows admins won't/can't, and are in fact dangerous anywhere near Linux. But of course our MS-biased architect loves it because it's a MS solution, and on the other side our BSD/Linux people want single-password functionality (AD--unix); they don't care if it's supportable just as long as their lives are easy and they have someone to beat when it breaks. I'm determined it won't be me; getting a bit sick of that, hence something like IPA fits so well. If the password sync breaks, everything else should carry on. It's one single point to fault-find on, and I have one vendor, not 3 and some 5000-odd intermediate faults that there is no time to work on as there is just me.

regards
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] fatal error for ipa rhel 5.6 client
Any ideas with this please?

[root@vuwunicoadmint2 ~]# ipa-client-install --mkhomedir --server vuwunicoipamt01 --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
Password for ad...@unix.vuw.ac.nz:
Joining realm failed: HTTP response code is 301, not 200
[root@vuwunicoadmint2 ~]#

I'm getting this from a client.
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] RHEL client to IPA
Still having problems with getting a 5.6 client to a 6.1beta master server...

[root@vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root@vuwunicologint2 x86_64]#
[root@vuwunicologint2 x86_64]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
Password for ad...@unix.vuw.ac.nz:
kinit(v5): Password incorrect while getting initial credentials

As far as I recall the password is correct... but it no longer works, but it's fine to kinit on the master though...

[root@vuwunicologint2 x86_64]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
[root@vuwunicologint2 x86_64]# amn klist
-bash: amn: command not found
[root@vuwunicologint2 x86_64]# man klist
[root@vuwunicologint2 x86_64]# kinit admin
Password for ad...@unix.vuw.ac.nz:
kinit(v5): Password incorrect while getting initial credentials
[root@vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root@vuwunicologint2 x86_64]#
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL client to IPA
Building the keytab simply fails to populate it correctly:

[root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
Keytab successfully retrieved and stored in: /tmp/vuwnicologint2.keytab
[root@vuwunicoipamt01 etc]# klist -kt /tmp/vuwnicologint2.keytab
Keytab name: WRFILE:/tmp/vuwnicologint2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   6 05/13/11 15:58:34 ad...@unix.vuw.ac.nz
   6 05/13/11 15:58:34 ad...@unix.vuw.ac.nz
   6 05/13/11 15:58:35 ad...@unix.vuw.ac.nz
   6 05/13/11 15:58:35 ad...@unix.vuw.ac.nz
   7 05/13/11 15:59:20 ad...@unix.vuw.ac.nz
   7 05/13/11 15:59:20 ad...@unix.vuw.ac.nz
   7 05/13/11 15:59:21 ad...@unix.vuw.ac.nz
   7 05/13/11 15:59:21 ad...@unix.vuw.ac.nz
[root@vuwunicoipamt01 etc]#

===
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 13 May 2011 3:56 p.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] RHEL client to IPA

Still having problems with getting a 5.6 client to a 6.1beta master server...

[root@vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root@vuwunicologint2 x86_64]#
[root@vuwunicologint2 x86_64]# ipa-client-install --mkhomedir --server vuwunicoipamt01.unix.vuw.ac.nz --domain unix.vuw.ac.nz -p admin
Discovery was successful!
Realm: UNIX.VUW.AC.NZ
DNS Domain: unix.vuw.ac.nz
IPA Server: vuwunicoipamt01.unix.vuw.ac.nz
BaseDN: dc=unix,dc=vuw,dc=ac,dc=nz
Continue to configure the system with these values? [no]: yes
Password for ad...@unix.vuw.ac.nz:
kinit(v5): Password incorrect while getting initial credentials

As far as I recall the password is correct... but it no longer works, but it's fine to kinit on the master though...

[root@vuwunicologint2 x86_64]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   3 05/13/11 12:01:09 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
   4 05/13/11 14:50:43 ad...@unix.vuw.ac.nz
[root@vuwunicologint2 x86_64]# amn klist
-bash: amn: command not found
[root@vuwunicologint2 x86_64]# man klist
[root@vuwunicologint2 x86_64]# kinit admin
Password for ad...@unix.vuw.ac.nz:
kinit(v5): Password incorrect while getting initial credentials
[root@vuwunicologint2 x86_64]# rpm -q ipa-client
ipa-client-2.0-11
[root@vuwunicologint2 x86_64]#
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL client to IPA
So what should the command be?

regards

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Friday, 13 May 2011 9:11 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] RHEL client to IPA

On 05/13/2011 06:00 AM, Steven Jones wrote:
> [root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin

The second -p overrides the first.
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] RHEL client to IPA
I'm getting: SASL bind failed!

Steven Jones wrote:
> So what should the command be?

# kinit admin
# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
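A check worth running before a retrieved keytab is installed, added here as an example and not code from the thread or from FreeIPA: parse the `klist -kt` listing and confirm the file holds exactly the service principal that was asked for. The listing posted earlier in the thread shows why this matters. Because the second `-p admin` won, every run of `ipa-getkeytab` wrote the admin user's keys into the file, and the KVNO climbed 3, 4, 6, 7: ipa-getkeytab generates a fresh random key for the principal on each call and invalidates the key it had before, so after the first run the admin password no longer matched what the KDC holds, which is consistent with the `kinit(v5): Password incorrect` failures on the client (and, with no ticket in the cache, with the `SASL bind failed!` above, since ipa-getkeytab binds with GSSAPI using the ticket from `kinit`). The two listings in the block are constructed to resemble the thread's output; the principal names are filled in for the sample only, where the archive shows `ad...@`.

```python
"""Sanity-check a `klist -kt` listing before trusting a keytab.

Added example for the ipa-getkeytab thread; not FreeIPA code. BAD_LISTING and
GOOD_LISTING are constructed samples: the first mimics what the thread's
"-p ... -p admin" command produced (a user principal at several KVNOs), the
second is what a freshly retrieved host keytab should look like.
"""
import re
from collections import defaultdict

# One keytab entry as printed by `klist -kt`: "   3 05/13/11 12:01:09 host/x@REALM"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")

BAD_LISTING = """\
Keytab name: WRFILE:/tmp/vuwnicologint2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/13/11 12:01:09 admin@UNIX.VUW.AC.NZ
   3 05/13/11 12:01:09 admin@UNIX.VUW.AC.NZ
   4 05/13/11 14:50:43 admin@UNIX.VUW.AC.NZ
   6 05/13/11 15:58:34 admin@UNIX.VUW.AC.NZ
   7 05/13/11 15:59:20 admin@UNIX.VUW.AC.NZ
"""

GOOD_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 05/13/11 16:10:02 host/vuwunicologint2.unix.vuw.ac.nz@UNIX.VUW.AC.NZ
   1 05/13/11 16:10:02 host/vuwunicologint2.unix.vuw.ac.nz@UNIX.VUW.AC.NZ
"""

# The principal the host keytab is supposed to contain.
EXPECTED = "host/vuwunicologint2.unix.vuw.ac.nz@UNIX.VUW.AC.NZ"


def parse_klist(text):
    """Return [(kvno, timestamp, principal), ...]; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_service_principal(principal):
    """host/fqdn@REALM, HTTP/fqdn@REALM, ... carry an instance; user principals do not."""
    return "/" in principal.split("@", 1)[0]


def check_keytab(text, expected_principal):
    """Return a list of findings; an empty list means the keytab holds what it should."""
    entries = parse_klist(text)
    if not entries:
        return ["no keytab entries found (empty file or unparsable listing)"]
    findings = []
    principals = {p for _, _, p in entries}
    if expected_principal not in principals:
        findings.append(f"expected principal {expected_principal} is missing")
    for p in sorted(principals - {expected_principal}):
        kind = "service" if is_service_principal(p) else "user"
        findings.append(f"unexpected {kind} principal {p} (wrong -p argument?)")
    # Several KVNOs for one principal means the keytab was retrieved several times;
    # each retrieval replaced the principal's key on the KDC, so older keys (and a
    # user's password) stopped working.
    versions = defaultdict(set)
    for kvno, _, p in entries:
        versions[p].add(kvno)
    for p, kvnos in sorted(versions.items()):
        if len(kvnos) > 1:
            findings.append(f"{p} has keys at KVNOs {sorted(kvnos)}: retrieved "
                            f"{len(kvnos)} times, each time replacing the principal's key")
    return findings


if __name__ == "__main__":
    for name, listing in (("bad", BAD_LISTING), ("good", GOOD_LISTING)):
        print(name, check_keytab(listing, EXPECTED) or "OK")
```

On a real host, feed it `klist -kt /etc/krb5.keytab` output and the host principal the client should have; anything other than an empty result means the keytab should not be installed, and if a user principal shows up with a climbing KVNO, that user's password has to be reset.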
[Freeipa-users] IPA server as a DNS server and design things
Qs,

1) We have a single master only for FreeIPA 2.0? So from what I can read the replicas are passive? i.e. do they answer LDAP queries, and also DNS queries if DNS is integrated, but simply don't have a GUI? Or are they totally inert? I'm thinking of this as we really want 2 active DNS servers minimum...

2) We discussed it's better to have DNS as a stub domain off the main domain, so Linux servers will be unix.vuw.ac.nz. Should I do the same for the reverse lookup? Should I cleave off part of the class B? Say 2 x /24s? The problem then becomes what do I do with mixed environments where I have Windows web front ends and Linux DB back ends, or user areas where I can't do that...

regards
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] freeipa and AD
Is this how IPA works?

> End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

My understanding is it's simpler... just a password sync? Which I guess is achieved by that password sync.

regards
Steven
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] freeipa and AD
So this will be FreeIPA 3.0? Or 4.0? i.e. I assume it's not 2.0.xxx? About how far away is it? 2 years?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 20 May 2011 10:27 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa and AD

On 05/19/2011 06:06 PM, Steven Jones wrote:
> Is this how IPA works?
>
> End State 5. A cross-realm trust is established between UNIX-based Kerberos and Active Directory–based Kerberos in UNIX and Windows infrastructures that remain separate. Windows and UNIX clients each authenticate to their own Kerberos Key Distribution Center (KDC) and (if the trust is two-way) can then access resources hosted by computers on the other side.

This is what we are building now.

> My understanding is it's simpler... just a password sync? Which I guess is achieved by that password sync.

User sync from AD and password sync in both directions is what it is capable of now.

> regards
> Steven

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] freeipa and Universities Shibboleth/federation
Oh, lucky me then.

regards
Steven

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 20 May 2011 11:27 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeipa and Universities Shibboleth/federation

On 05/19/2011 07:19 PM, Steven Jones wrote:
> Hi
> Has anyone been near this? My limited understanding is the Shibboleth RPMs can work with FDS, so I'm assuming there is a capability/link?
> regards

I do not think we ever got to trying it.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Startup issues
Hi,

I seem to have similar issues, but since 6.1 proper is now out, I'm starting again from scratch; I need to improve disk layouts etc. anyway.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Sunday, 22 May 2011 10:16 p.m.
To: Rich Megginson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Startup issues

On 05/17/2011 07:24 PM, Rich Megginson wrote:
On 05/17/2011 06:40 AM, Sigbjorn Lie wrote:
On 05/16/2011 04:56 PM, Rich Megginson wrote:
On 05/16/2011 08:43 AM, Sigbjorn Lie wrote:
On 05/16/2011 03:52 PM, Simo Sorce wrote:
On Sat, 2011-05-14 at 16:46 +0200, Sigbjorn Lie wrote:

[Sigbjorn Lie] I've noticed that if the machine running IPA is very busy at startup, the IPA services will not be online when the machine is started. I noticed this as my test virtualization host has had its power cord knocked out a few times. When I restart the host machine, all the virtual machines are started at the same time, causing (a lot) higher than normal latency for each virtual machine. This causes the IPA daemons to start, while during the startup one or several IPA daemons fail due to dependencies on other daemons which are not started yet, and all the IPA daemons are stopped as not all the IPA daemons started successfully. I've noticed that the default behaviour of the ipactl command is to shut down all the IPA daemons if any of the IPA daemons should fail during startup. This can be seen in the logs of the individual services, as some are started successfully, just to receive a shutdown signal shortly after. It seems to be the pki-ca which shut down my IPA services this morning. When rebooting the virtual machine running the IPA daemons during normal load of the host machine, all the IPA daemons start successfully. Logging on to the IPA server and manually starting the IPA daemons after the load of the host machine has decreased also works. I suggest changing the startup scripts to allow (a lot) longer startup times for the IPA daemons prior to failing them.

[Simo Sorce] At the moment we just run "servicename start" and wait until it is done. If the pki-cad service times out and returns an error I think we need to open a bug against the dogtag component as that is the cause. Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure?

[Sigbjorn Lie] I haven't been able to figure out which service failed IPA yet. A lot of log files scattered around. As you can see from the slapd errors file, the slapd daemon was available for almost 3 minutes before receiving the shutdown signal. I notice now that the PKI daemon failed 8 seconds after slapd had shut down, so I was wrong in blaming the PKI daemon. See below for a list of log files I've been through. They all have one thing in common: the daemons start when the host machine is started, at approx 06:34, then receive a shutdown signal around 06:37. Some time later, when the host has calmed down, I'm logging in and manually starting IPA using ipactl start, and all the daemons start without any problem. And they keep running after my manual intervention. I wish I could be more specific, but I'm unsure where else to look. Suggestions?

/var/log/krb5kdc.log
/var/log/pki-ca/catalina.out
/var/log/dirsrv/slapd-IX-TEST-COM/errors
/var/log/dirsrv/slapd-PKI-IPA/errors
/var/log/httpd/error_log
/var/log/messages (named log)

slapd errors:
[14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up
[14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.

[Rich Megginson] 1) Disorderly Shutdown means a) crash b) kill -9 or similar - neither of which should be happening - is this the replica install or the first master install?

[Sigbjorn Lie] First master install.

[Rich Megginson] What is in the slapd errors log before "[14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up"?

[Sigbjorn Lie] Hi Rich, there is nothing above that line. The previous entry was from the last time the server started. Yesterday I rebooted my host platform, a graceful shutdown this time, and the same problem occurred again when the host, and all the virtual machines, started. I had a look in my boot.log file, see below for output. As you can see the "Starting pki-ca" returns an OK, but the next line says: "Failed to start CA Service Shutting down". Looking at the timestamps, it looks like the dirsrv instance is shut down before the pki-ca is given a chance to start, or am I looking at the incorrect log files? I have included my boot.log, the PKI-CA dirsrv log, and the pki-ca debug log.

/var/log/boot.log:
Starting Directory Service
Starting dirsrv:
    IX-TEST-COM... [ OK ]
    PKI-IPA... [ OK ]
Starting KDC Service
Starting Kerberos 5 KDC:
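An added example, not code from FreeIPA or from the thread, that does what Sigbjorn was doing by hand across "a lot of log files scattered around": merge the 389-ds errors file and syslog-format lines (named, krb5kdc via /var/log/messages) into one ordered timeline and report the first daemon that logged a shutdown, which is the one whose failure made ipactl stop the rest. boot.log is left out on purpose: its lines carry no timestamps, which is exactly why it could not answer the question above. The sample log lines are constructed; the 389-ds messages follow the wording quoted in the thread, while hostnames, PIDs and the remaining messages are invented. One trap the code handles: dirsrv's "Detected Disorderly Shutdown last time ..." line is about the previous run and must not be counted as a shutdown event, so the markers match only phrases a daemon writes as it actually stops.

```python
"""Merge 389-ds (dirsrv) and syslog-format IPA logs into one timeline.

Added example for the IPA startup-ordering thread; not FreeIPA code. The
sample lines below are constructed: they copy the formats of the 389-ds
'errors' file and of syslog lines as quoted in the thread, with made-up
hosts, PIDs and messages.
"""
import re
from datetime import datetime

# 389-ds errors log, e.g. "[14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 starting up"
DS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] - (.*)$")
# syslog line, e.g. "May 14 06:37:12 ipa01 krb5kdc[1820]: shutting down"
SYSLOG_RE = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ([^\[\]: ]+)(?:\[\d+\])?: (.*)$")

# Phrases a daemon logs as it stops. "Detected Disorderly Shutdown" (about the
# previous run) deliberately does not match any of these.
SHUTDOWN_MARKERS = ("shutting down", "exiting", "failed to start", "stopped")

DS_SAMPLE = [  # constructed, /var/log/dirsrv/slapd-IX-TEST-COM/errors style
    "[14/May/2011:06:33:52 +0200] - 389-Directory/1.2.8.rc1 B2011.062.1416 starting up",
    "[14/May/2011:06:33:54 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.",
    "[14/May/2011:06:33:58 +0200] - slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    "[14/May/2011:06:37:10 +0200] - slapd shutting down - signaling operation threads",
]
SYSLOG_SAMPLE = [  # constructed, /var/log/messages style
    "May 14 06:34:20 ipa01 named[1633]: running",
    "May 14 06:37:12 ipa01 krb5kdc[1820]: shutting down",
    "May 14 06:37:18 ipa01 named[1633]: exiting",
]


def parse_ds_lines(lines, source="dirsrv"):
    """Parse 389-ds errors-log lines into (timestamp, source, message) tuples.
    The UTC offset is dropped: every IPA component on one host logs in local time."""
    events = []
    for line in lines:
        m = DS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            events.append((ts, source, m.group(2)))
    return events


def parse_syslog_lines(lines, year):
    """Parse syslog-format lines; syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            stamp = re.sub(r"\s+", " ", m.group(1))  # "May  4" -> "May 4"
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def timeline(*event_lists):
    """Merge event tuples from several logs into one time-ordered list."""
    return sorted(ev for evs in event_lists for ev in evs)


def first_shutdown(events):
    """Return the earliest (timestamp, source, message) that looks like a daemon
    stopping, or None. With ipactl stopping everything on one failure, the first
    such event points at the daemon that actually failed."""
    for ev in timeline(events):
        msg = ev[2].lower()
        if any(marker in msg for marker in SHUTDOWN_MARKERS):
            return ev
    return None


if __name__ == "__main__":
    merged = timeline(parse_ds_lines(DS_SAMPLE), parse_syslog_lines(SYSLOG_SAMPLE, 2011))
    for ts, source, message in merged:
        print(ts.strftime("%H:%M:%S"), f"{source:8}", message)
    print("first shutdown:", first_shutdown(merged))
```

On a real server, read the lines from the files Sigbjorn listed and pass the year of the boot for the syslog side; a pki-ca debug log or httpd error_log can be added the same way with one more regex for its timestamp format.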
[Freeipa-users] Why not unix UIDs (numbers and range)
Hi,

Why doesn't IPA use std Unix UIDs? And how does that translate into Unix permissions on a client if it does not?

BTW, neat install, under 10 mins and it's up! :D

regards
Steven
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Turned it off, same failure.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 24 May 2011 11:34 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

On 05/23/2011 07:25 PM, Steven Jones wrote:
> So even though I have the same versions I get the mis-match error, as per 5.6... except these did differ.

Firewall?

> :(
> regards

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Looking at the install log, it's not resolving the server via DNS; I'm now getting resolving issues. Suggests the integrated DNS is poked...

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, 24 May 2011 12:07 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

On 05/23/2011 07:58 PM, Steven Jones wrote:
> When it's on I poked holes through it; to test I did service iptables stop... Here's the iptables -L -n output (attached). This is as much as I can help. Hopefully there is enough info for developers to see what is going on.
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, 24 May 2011 11:52 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> On 05/23/2011 07:45 PM, Steven Jones wrote:
>> Turned it off, same failure.
>
> There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? Can you specify the server explicitly on the client command line? Would the result be different?
>
>> regards
>>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
>> Sent: Tuesday, 24 May 2011 11:34 a.m.
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> On 05/23/2011 07:25 PM, Steven Jones wrote:
>>> So even though I have the same versions I get the mis-match error, as per 5.6... except these did differ.
>>
>> Firewall?
>>
>>> :(
>>> regards

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project, Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
Ignore that, I was making a typo... doh.

Included is the install log. It shows the same error as 5.6 in the log:

2011-05-24 12:58:10,407 DEBUG stderr=HTTP response code is 401, not 200

Looks like it's the ipa-join that's failing.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, 24 May 2011 12:57 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1

> Looking at the install log, it's not resolving the server via DNS; I'm now getting resolving issues. Suggests the integrated DNS is poked...
>
> regards
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Tuesday, 24 May 2011 12:07 p.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>
> On 05/23/2011 07:58 PM, Steven Jones wrote:
>> When it's on I poked holes through it; to test I did service iptables stop... Here's the iptables -L -n output (attached). This is as much as I can help. Hopefully there is enough info for developers to see what is going on.
>>
>> regards
>>
>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
>> Sent: Tuesday, 24 May 2011 11:52 a.m.
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>
>> On 05/23/2011 07:45 PM, Steven Jones wrote:
>>> Turned it off, same failure.
>>
>> There are multiple protocols... did you turn it off completely or just poke holes? What about DNS? Does the client resolve the server correctly? Can you specify the server explicitly on the client command line? Would the result be different?
>>
>>> regards
>>>
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
>>> Sent: Tuesday, 24 May 2011 11:34 a.m.
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Server - client mismatch has no progressed to 6.1
>>>
>>> On 05/23/2011 07:25 PM, Steven Jones wrote:
>>>> So even though I have the same versions I get the mis-match error, as per 5.6... except these did differ.
>>>
>>> Firewall?
>>>
>>>> :(
>>>> regards
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project, Red Hat Inc.
> ---
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

ipaclient-install.log
Description: ipaclient-install.log
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users