Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal d...@redhat.com wrote:
> Do you have SELinux enabled? Any AVCs?

it's disabled

    [maciek@freeipa ~]$ sudo sestatus
    [sudo] password for maciek:
    SELinux status: disabled

best regards,
Maciek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
Enabling SELinux fixed the problem. Thank you for the help!

regards,
Maciek

On Fri, Dec 7, 2012 at 2:05 PM, Maciej Sawicki viroos...@gmail.com wrote:
> On Fri, Dec 7, 2012 at 12:57 AM, Dmitri Pal d...@redhat.com wrote:
>> Do you have SELinux enabled? Any AVCs?
>
> it's disabled
>
>     [maciek@freeipa ~]$ sudo sestatus
>     [sudo] password for maciek:
>     SELinux status: disabled
>
> best regards,
> Maciek
Re: [Freeipa-users] FreeIpa 3.0.1 installation on Fedora 18
On Thu, Dec 6, 2012 at 5:46 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Look in the log /var/log/ipaserver-install.log for more details on why the installation failed.

Hi Rob,
thank you for the quick answer. Sorry for forgetting to post the log. Here it is:

    2012-12-06T16:30:29Z DEBUG stderr=Traceback (most recent call last):
      File /usr/sbin/pkispawn, line 223, in module
        main(sys.argv)
      File /usr/sbin/pkispawn, line 207, in main
        fromlist = [pki_scriptlet[4:]])
      File /usr/lib/python2.7/site-packages/pki/deployment/initialization.py, line 25, in module
        import pkihelper as util
      File /usr/lib/python2.7/site-packages/pki/deployment/pkihelper.py, line 39, in module
        import seobject
      File /usr/lib64/python2.7/site-packages/seobject.py, line 27, in module
        import sepolicy
      File /usr/lib64/python2.7/site-packages/sepolicy/__init__.py, line 43, in module
        policy(policy_file)
      File /usr/lib64/python2.7/site-packages/sepolicy/__init__.py, line 40, in policy
        _policy.policy(policy_file)
    RuntimeError: Cannot allocate memory

    2012-12-06T16:30:29Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmpAmKZ0f' returned non-zero exit status 1
    2012-12-06T16:30:29Z INFO
      File /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line 614, in run_script
        return_value = main_function()
      File /sbin/ipa-server-install, line 943, in main
        subject_base=options.subject)
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 591, in configure_instance
        self.start_creation(runtime=210)
      File /usr/lib/python2.7/site-packages/ipaserver/install/service.py, line 358, in start_creation
        method()
      File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py, line 695, in __spawn_instance
        raise RuntimeError('Configuration of CA failed')

    2012-12-06T16:30:29Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed

I still have no idea what's wrong :(.

best regards,
Maciek
Re: [Freeipa-users] groups migration
On Tue, Jun 19, 2012 at 3:19 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Pass in --schema=RFC2307 to the migrate-ds command to migrate these groups.

Thank you Rob. I tried this option and it didn't help; my groups in ipa are still empty :(.

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration
On Mon, Jun 18, 2012 at 7:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
> If you could provide an ldif for one of the groups to be migrated we can tell you.

    dn: cn=management-team,ou=groups,dc=domain,dc=com
    objectClass: posixGroup
    cn: management-team
    gidNumber: 10004
    description: Management team of SomeCompany
    memberUid: some.user0
    memberUid: some.user1
    memberUid: some.user2

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration
On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
> Hi,
> I (almost) managed to migrate groups from my previous server. That is, the group names migrated perfectly; unfortunately, when I log in to the web panel all groups are empty.
> I used the following command:
>
>     ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>
> I will appreciate any help.

I think the problem is that my current installation uses the memberUid attribute in the group object and free-ipa uses memberUid in the user object. I found the compatibility plugin, so I think after migration it will allow me to use IPA in a legacy environment. The problem is how to perform the migration. Can I use the migrate script for this or should I write my own?

regards,
Maciek Sawicki
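The mismatch this thread is about, as an added example (not code from the thread or from the FreeIPA project): an RFC 2307 posixGroup lists members as bare memberUid names, while a FreeIPA group holds member DNs under cn=users,cn=accounts. The sketch reads the group entry posted earlier in the thread and derives the member DNs and an `ipa group-add-member` call; it assumes the IPA suffix is dc=domain,dc=com and that each memberUid was migrated as a user of the same name, and `parse_ldif` and `member_plan` are hypothetical helper names.

```python
import re
import shlex

# Constructed input: the posixGroup entry quoted in the thread, one attribute per line.
SAMPLE_LDIF = """\
dn: cn=management-team,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: management-team
gidNumber: 10004
description: Management team of SomeCompany
memberUid: some.user0
memberUid: some.user1
memberUid: some.user2
"""
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # conservative: anything else is rejected

def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of {attr: [values]} dicts."""
    entries = []
    # "\n " is an LDIF folded line; entries are separated by blank lines.
    for chunk in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in chunk.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                raise ValueError("base64 value not handled: " + attr)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def member_plan(entry, ipa_suffix):
    """Return (group_dn, member_dns, command) for one RFC 2307 posixGroup entry."""
    if "posixgroup" not in (v.lower() for v in entry.get("objectclass", [])):
        raise ValueError("not a posixGroup entry")
    cn, uids = entry["cn"][0], entry.get("memberuid", [])
    for name in [cn] + uids:
        # Never build a DN or a command line from characters we did not expect.
        if not SAFE_NAME.fullmatch(name):
            raise ValueError("unexpected characters in %r" % name)
    group_dn = "cn=%s,cn=groups,cn=accounts,%s" % (cn, ipa_suffix)
    member_dns = ["uid=%s,cn=users,cn=accounts,%s" % (u, ipa_suffix) for u in uids]
    argv = ["ipa", "group-add-member", cn] + ["--users=" + u for u in uids]
    return group_dn, member_dns, " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    print(member_plan(parse_ldif(SAMPLE_LDIF)[0], "dc=domain,dc=com")[2])
```

Confirm that each derived member DN exists on the IPA side before running the printed command, since group membership feeds access rules.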
Re: [Freeipa-users] groups migration
On Thu, Jun 14, 2012 at 8:00 PM, Simo Sorce s...@redhat.com wrote:
> On Thu, 2012-06-14 at 15:34 +0200, Maciej Sawicki wrote:
>> bump
>>
>> On Mon, Jun 11, 2012 at 2:11 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
>>> Hi,
>>> I (almost) managed to migrate groups from my previous server. That is, the group names migrated perfectly; unfortunately, when I log in to the web panel all groups are empty.
>>> I used the following command:
>>>
>>>     ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'
>>>
>>> I will appreciate any help.
>
> Hi Maciej,
> what kind of schema is in use in the server you want to migrate from? rfc2309/rfc2309bis? other?

I think it's rfc2307:

    maciej.sawicki@lem:/etc/ldap$ grep -r 2307 schema/nis.schema
    # Definitions from RFC2307 (Experimental)
    # Note: The definitions in RFC2307 are given in syntaxes closely related
    # i.e. nisSchema in RFC2307 is 1.3.6.1.1.1
    maciej.sawicki@lem:/etc/ldap$

Is there any better way to check this?

Some more info about the ipa server:
os: Fedora 17
ipa version: 2.2

regards,
Maciej Sawicki
[Freeipa-users] groups migration
Hi,
I (almost) managed to migrate groups from my previous server. That is, the group names migrated perfectly; unfortunately, when I log in to the web panel all groups are empty.
I used the following command:

    ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'

I will appreciate any help.

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration problem
On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
> The basedn is automatically appended. Try --group-container=ou=groups

Hi Rob,
Thanks for the quick answer. I tried it today. It didn't help.

    [root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
    Password:
    ipa: ERROR: Container for group not found

regards,
Maciej Sawicki
Re: [Freeipa-users] groups migration problem
Hi,
I solved my problem :D. I had to add the --group-objectclas argument:

    ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups' --group-objectclas='posixGroup'

Anyway, I think the "ipa: ERROR: Container for group not found" error is confusing.

best regards,
Maciej Sawicki

On Fri, Mar 23, 2012 at 11:16 AM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
> On Tue, Mar 20, 2012 at 7:22 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> The basedn is automatically appended. Try --group-container=ou=groups
>
> Hi Rob,
> Thanks for the quick answer. I tried it today. It didn't help.
>
>     [root@free-ipa ~]# ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=polidea,dc=pl --group-container='ou=groups'
>     Password:
>     ipa: ERROR: Container for group not found
>
> regards,
> Maciej Sawicki
[Freeipa-users] Firefox on OS X 10.6 problem
Hi,
Today I set up free ipa on CentOS release 6.2. I configured my client machine, that is:

1. I edited my /Library/Preferences/edu.mit.Kerberos file so it has the following content:

    [domain_realm]
    polidea.pl = POLIDEA.PL
    .polidea.pl = .POLIDEA.PL

    [libdefaults]
    default_realm = POLIDEA.PL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    POLIDEA.PL = {
        admin_server = free-ipa.polidea.pl:749
        default_domain = polidea.pl
        kdc = free-ipa.polidea.pl:88
    }

    [logging]
    kdc = FILE:/var/log/krb5kdc/kdc.log
    admin_server = FILE:/var/log/krb5kdc/kadmin.log

I run

    open /System/Library/Coreservices/Ticket\ Viewer.app

and added the ad...@polidea.pl identity (I get a ticket, so the password is valid). I also configured my Firefox like in this link:
http://freeipa.org/page/InstallAndDeploy#Configuring_your_Browser

Unfortunately, when I try to log in I get the following error:

    Your kerberos ticket is no longer valid. Please run kinit and then click 'Retry'. If this is your first time running the IPA Web UI follow these directions to configure your browser.

My /var/log/krb5kdc/kadmin.log has only a few old entries (0 entries from today).

I will appreciate any help.

regards,
Maciek
Re: [Freeipa-users] Firefox on OS X 10.6 problem
On Mon, Mar 19, 2012 at 5:38 PM, Dmitri Pal d...@redhat.com wrote:
> Have you done everything covered in the section 4.3.3 of the document?
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/using-the-ui.html#Using_a_Browser_on_Another_System

Hi Dmitri,
Thanks for the quick answer. I did this, but still have the same problem :(.

regards,
Maciek Sawicki
Re: [Freeipa-users] Firefox on OS X 10.6 problem
Sorry for double post, but I would like to provide firefox log:

    1886907584[10031d220]: using REQ_DELEGATE
    1886907584[10031d220]: service = free-ipa.polidea.pl
    1886907584[10031d220]: using negotiate-gss
    1886907584[10031d220]: entering nsAuthGSSAPI::nsAuthGSSAPI()
    1886907584[10031d220]: Attempting to load gss functions
    1886907584[10031d220]: entering nsAuthGSSAPI::Init()
    1886907584[10031d220]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
    1886907584[10031d220]: entering nsAuthGSSAPI::GetNextToken()
    1886907584[10031d220]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
    1886907584[10031d220]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
    1886907584[10031d220]: using REQ_DELEGATE
    1886907584[10031d220]: service = free-ipa.polidea.pl
    1886907584[10031d220]: using negotiate-gss
    1886907584[10031d220]: entering nsAuthGSSAPI::nsAuthGSSAPI()
    1886907584[10031d220]: entering nsAuthGSSAPI::Init()
    1886907584[10031d220]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
    1886907584[10031d220]: entering nsAuthGSSAPI::GetNextToken()
    1886907584[10031d220]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information
    1886907584[10031d220]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

best regards,
Maciek Sawicki

On Mon, Mar 19, 2012 at 5:58 PM, Maciej Sawicki maciej.sawi...@polidea.pl wrote:
> On Mon, Mar 19, 2012 at 5:38 PM, Dmitri Pal d...@redhat.com wrote:
>> Have you done everything covered in the section 4.3.3 of the document?
>> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/using-the-ui.html#Using_a_Browser_on_Another_System
>
> Hi Dmitri,
> Thanks for quick answer. I did this, but still have the same problem :(.
>
> regards,
> Maciek Sawicki
Re: [Freeipa-users] Firefox on OS X 10.6 problem
On Mon, Mar 19, 2012 at 6:10 PM, Stephen Ingram sbing...@gmail.com wrote:
> I just edited /etc/krb5.conf on my mac and then kinit from command line and you should see ticket in the Ticket Viewer app. From there, you should be able to renew the ticket inside the app or from command line. I did not touch the /Library/Preferences/edu.mit.Kerberos file at all.
>
> Steve

Thanks for the answer. I managed to solve this issue (I'm not sure if it's the best way, but it works). In the link from Dmitri I saw that I have to copy the /etc/krb5.conf file from the free-ipa server, so I copied it to /Library/Preferences/edu.mit.Kerberos. It's a little different than in http://freeipa.com/page/ConfiguringMacintoshClients.

best regards,
Maciek Sawicki
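The thread closes by replacing the hand-written client file with the server's /etc/krb5.conf. As an added example (not from the thread or the FreeIPA project), a consistency check for a krb5.conf-style file: every realm named on the right-hand side of [domain_realm] should be default_realm or a realm defined in [realms]. The input is an abridged copy of the file posted in the first message; `parse_krb5` and `unknown_realm_mappings` are hypothetical helper names, and since DNS realm discovery can make an unlisted realm legitimate, hits are items to review rather than proven errors.

```python
import re

# Constructed input: abridged copy of the client file from the first message in this thread.
CLIENT_CONF = """\
[domain_realm]
polidea.pl = POLIDEA.PL
.polidea.pl = .POLIDEA.PL
[libdefaults]
default_realm = POLIDEA.PL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
POLIDEA.PL = {
admin_server = free-ipa.polidea.pl:749
default_domain = polidea.pl
kdc = free-ipa.polidea.pl:88
}
"""

def parse_krb5(text):
    """Return {section: {key: value or nested dict}} for a krb5.conf-style file."""
    conf, section, block = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(\w+)\]", line)
        if head:
            section, block = conf.setdefault(head.group(1), {}), None
        elif line == "}":                       # end of a "REALM = { ... }" block
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def unknown_realm_mappings(conf):
    """List [domain_realm] pairs whose realm is neither default_realm nor in [realms]."""
    known = set(conf.get("realms", {})) | {conf.get("libdefaults", {}).get("default_realm")}
    return [(d, r) for d, r in conf.get("domain_realm", {}).items() if r not in known]

if __name__ == "__main__":
    print(unknown_realm_mappings(parse_krb5(CLIENT_CONF)))
```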