[Freeipa-users] ipa and cronjob

2012-11-13 Thread george he
Hi all,
I have a cronjob run daily by an ipa user, which accesses nfs mounted data on 
the nfs server (another machine in the realm).
The problem is that when the user was away for a few days, his credential expired 
and the cronjob did not run until he came back and logged on to the system 
again. Then all the halted cronjobs from the past days started to run, which is not 
desired because all of them were doing the same thing.
My question is: Can we keep the cronjob running when the user's credential is 
expired? If we cannot, then can we skip or kill all of the old cronjobs but not 
the most recent one?
Thanks,
George
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
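For the two questions in the post above, an added example that is not code from the thread: a cron wrapper that takes the user's ticket from a keytab instead of the login credential cache (so the job keeps running while the user is away), serializes runs under flock with a runtime limit (so a hung run is killed rather than piling up), and skips backlog runs once one has completed. The principal, keytab and data paths are placeholders; it assumes GNU coreutils (stat -c, find -mmin, timeout) and util-linux flock.

```shell
#!/bin/sh
# Added example, not code from the thread: cron wrapper for an IPA user's
# daily job on Kerberos-secured NFS. Assumes a keytab for the principal
# exists (paths below are placeholders), GNU coreutils and util-linux flock.
set -eu

PRINCIPAL="${PRINCIPAL:-user@EXAMPLE.REALM}"              # placeholder
KEYTAB="${KEYTAB:-/etc/cron-keytabs/user.keytab}"         # placeholder
LOCKFILE="${LOCKFILE:-/var/tmp/nfsjob.lock}"
STAMP="${STAMP:-/var/tmp/nfsjob.stamp}"                   # touched after success
MIN_INTERVAL_MIN="${MIN_INTERVAL_MIN:-1380}"              # 23 h: sooner = backlog run
MAX_RUNTIME_SEC="${MAX_RUNTIME_SEC:-43200}"               # kill a run stuck > 12 h
# Private credential cache so the job never overwrites the user's login cache.
KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_nfsjob_$(id -u)}"
export KRB5CCNAME

# A keytab is a long-lived secret: refuse one that group or other can read.
keytab_ok() {
    [ -f "$KEYTAB" ] || return 1
    case "$(stat -c '%a' "$KEYTAB")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# True when a successful run is recorded less than MIN_INTERVAL_MIN minutes ago.
recently_ran() {
    [ -f "$STAMP" ] && [ -n "$(find "$STAMP" -mmin "-$MIN_INTERVAL_MIN")" ]
}

# Reuse a still-valid TGT in the job cache, else get a fresh one from the keytab.
ensure_ticket() {
    klist -s 2>/dev/null && return 0
    kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# The real work; placeholder for the job that reads the NFS-mounted data.
do_work() {
    ls /mnt/nfsdata >/dev/null     # placeholder path
}

main() {
    if recently_ran; then
        echo "skip: a run completed within the last $MIN_INTERVAL_MIN min" >&2
        return 0
    fi
    keytab_ok || { echo "refusing: $KEYTAB missing or not mode 0600" >&2; return 1; }
    ensure_ticket
    do_work
    touch "$STAMP"                 # record success only after the work is done
    kdestroy 2>/dev/null || true   # drop the job's own cache, not the user's
}

# crontab entry: 0 2 * * * /path/to/nfsjob.sh run
# "run" re-executes under flock (-n: a still-running job makes this one exit
# at once) and timeout (a hung job is killed instead of piling up).
case "${1:-}" in
    run)    exec flock -n "$LOCKFILE" timeout "$MAX_RUNTIME_SEC" "$0" locked ;;
    locked) main ;;
esac
```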

Re: [Freeipa-users] NFS on Mac

2012-09-17 Thread george he
Sounds to me like the link may work for NFS version 3 only.
Now with IPA and NFS4, there has got to be something more.
George


>
> From: Dmitri Pal 
>To: freeipa-users@redhat.com 
>Sent: Monday, September 17, 2012 11:20 AM
>Subject: Re: [Freeipa-users] NFS on Mac
> 
>
>On 09/17/2012 11:07 AM, george he wrote: 
>>Hello all,
>>I have IPA server and NFS server set up on a computer running centos 6.3.
>>Is there a way to set up a mac laptop to access the data on the NFS server?
>>The laptop does not have a static IP. DNS is not configured with IPA.
>>
>>If yes, how do I config the mac?
>Is this what you are looking for?
>http://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial/
>
>
>>Thanks,
>>George
>
>
>-- 
>Thank you,
>Dmitri Pal Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>---
>Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 

[Freeipa-users] NFS on Mac

2012-09-17 Thread george he
Hello all,
I have IPA server and NFS server set up on a computer running centos 6.3.
Is there a way to set up a mac laptop to access the data on the NFS server?
The laptop does not have a static IP. DNS is not configured with IPA.

If yes, how do I config the mac?
Thanks,
George

Re: [Freeipa-users] Stale NFS file handle

2012-09-12 Thread george he
I think it's about half an hour.
Any ideas about the authentication failure thing?
Thanks,
George




>
> From: Sigbjorn Lie 
>To: freeipa-users@redhat.com 
>Sent: Wednesday, September 12, 2012 3:53 PM
>Subject: Re: [Freeipa-users] Stale NFS file handle
> 
>
>On 09/12/2012 08:26 PM, george he wrote:
>
>>Hello,
>>My ipa server and my nfs server are the same machine running centos 6.3.
>>The server was accidentally down and rebooted.
>>But then I got "authentication failure" on some clients when trying to log on 
>>through gdm, and a blue screen (no desktop, no panels) on some others.
>>On some clients that I was on before the server went down, I got "Stale NFS 
>>file handle".
>>Yet on some other clients, everything is fine. All clients are running centos 
>>6.3, too.
>>
>>Is there a way (e.g. restarting some services) to make the above problems go away 
>>instead of rebooting the clients?
>>
>>Thanks,
>>George
>>
>Just wait and it reconnects a while after the nfs server becomes
>available again.
>
>How long have you waited before rebooting?
>
>
>Regards,
>Siggi
>
>

Re: [Freeipa-users] Stale NFS file handle

2012-09-12 Thread george he
I tried umount but without -l, it said drive busy. Next time I will try with -l.
Thanks,
George




>
> From: Natxo Asenjo 
>To: "freeipa-users@redhat.com"  
>Sent: Wednesday, September 12, 2012 2:43 PM
>Subject: Re: [Freeipa-users] Stale NFS file handle
> 
>
>On Wed, Sep 12, 2012 at 8:26 PM, george he  wrote:
>
>>Hello,
>>My ipa server and my nfs server are the same machine running centos 6.3.
>
>try to separate those roles if you can. You can use vm's, it'll work great.
> 
>
>>The server was accidentally down and rebooted.
>>But then I got "authentication failure" on some clients when trying to log on 
>>through gdm, and a blue screen (no desktop, no panels) on some others.
>>On some clients that I was on before the server went down, I got "Stale NFS 
>>file handle".
>>Yet on some other clients, everything is fine. All clients are running centos 
>>6.3, too.
>>
>>Is there a way (e.g. restarting some services) to make the above problems go away 
>>instead of rebooting the clients?
>>
>
>you could try umounting the stale mount points in the clients with the -l 
>switch (lazy). It works most of the time, sometimes rebooting or resetting is 
>necessary. Do not change dir to the mount point because then your client will 
>not respond :-)
>
>-- 
>natxo
>
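Natxo's advice above (lazy unmount, and never cd into the stale mount because the client stops responding) turned into a repeatable check, as an added example that is not code from the thread: each NFS mount is probed in a child process under a timeout, so the script itself cannot hang on a dead server, and only the mounts that fail the probe are released with umount -l. It assumes the /proc/mounts format and coreutils timeout (it falls back to a plain stat when timeout is missing).

```shell
#!/bin/sh
# Added example, not code from the thread: find NFS mounts that no longer
# answer and release them with a lazy unmount. Each probe runs under timeout
# in a child process, so the script does not block on a dead mount the way a
# cd into it would. Assumes /proc/mounts format and coreutils timeout.
set -eu

PROBE_SECS="${PROBE_SECS:-5}"
DRY_RUN="${DRY_RUN:-0}"          # 1 = report only, do not unmount

# Print the mount point of every nfs/nfs4 entry in a /proc/mounts-style file.
nfs_mountpoints() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }' "$1"
}

# True if a stat of the mount point returns within PROBE_SECS. A stale handle
# fails fast with ESTALE; an unreachable server hangs and is cut off by timeout.
mount_responds() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$PROBE_SECS" stat "$1" >/dev/null 2>&1
    else
        stat "$1" >/dev/null 2>&1    # no timeout available: may block on a dead server
    fi
}

# Probe every NFS mount listed in the given mounts file (default /proc/mounts),
# print the unresponsive ones, and lazily unmount them unless DRY_RUN=1.
# Returns 1 if any mount was stale so cron or a monitor can notice.
release_stale_mounts() {
    mounts_file="${1:-/proc/mounts}"
    stale=0
    for mp in $(nfs_mountpoints "$mounts_file"); do
        mount_responds "$mp" && continue
        stale=$((stale + 1))
        echo "$mp"
        if [ "$DRY_RUN" != 1 ]; then
            # -l detaches the mount now and cleans up once nothing uses it;
            # a plain umount fails with "device is busy" while files are open.
            umount -l "$mp" || echo "umount -l failed for $mp" >&2
        fi
    done
    [ "$stale" -eq 0 ]
}

# Stand-alone: ./script.sh run   (DRY_RUN=1 ./script.sh run to list only)
if [ "${1:-}" = "run" ]; then
    release_stale_mounts
fi
```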

[Freeipa-users] Stale NFS file handle

2012-09-12 Thread george he
Hello,
My ipa server and my nfs server are the same machine running centos 6.3.
The server was accidentally down and rebooted.
But then I got "authentication failure" on some clients when trying to log on 
through gdm, and a blue screen (no desktop, no panels) on some others.
On some clients that I was on before the server went down, I got "Stale NFS 
file handle".
Yet on some other clients, everything is fine. All clients are running centos 
6.3, too.

Is there a way (e.g. restarting some services) to make the above problems go away 
instead of rebooting the clients?

Thanks,
George

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
Thanks a lot. It's deleted now!
The .jar thing (i.e. jss4.jar, osutil.jar, and symkey.jar) was pointing to 
/usr/lib/..., but when I was struggling, I read on the web there was a post 
saying they should point to /usr/lib64/..., so I changed them. The weird thing 
is I THINK they were pointing to existing files, but now they are not. 

So I changed the links one more time to make them point to /usr/lib/..., 
restarted ipa, and host-del worked.
Thanks again, guys.
George




>
> From: John Dennis 
>To: a...@redhat.com 
>Cc: george he ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 2:04 PM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/05/2012 10:46 AM, Ade Lee wrote:
>> The logs seem to show that the CA cannot find JSS.
>> 
>> What versions of the following are on your system?
>> pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>> 
>> Is this a system that was working and now fails to work?  Or is this a
>> new instance?
>
>Let's verify the link to the jss4.jar is in place. Note this is an x86_64 
>system, Mathew did make some adjustments to where native (i.e. arch specific) 
>jars are located. I think it moved from /usr/lib/java to /usr/lib64/java. 
>pki-create would have been modified to set up links to them on a new install 
>but it's possible the links weren't updated on an existing install. Not sure, 
>guessing at the moment but I think it's worth pursuing.
>
>Please do this, it will list all the jars which should be visible to the CA 
>tomcat instance, the jss4.jar should have a link under 
>/var/lib/pki-ca/common/lib.
>
>sudo ls -l /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib
>
>We want to verify none of the symbolic links listed above are dangling (point 
>to a non-existent file). Pay particular attention to 
>/var/lib/pki-ca/common/lib/jss4.jar, does it point to an existing file that's 
>a valid jar? If not can you locate jss4.jar? Is it now under /var/lib64/java? 
>If so adjust the symbolic link under /var/lib/pki-ca/common/lib to point to 
>it. Do things work now after restarting?
>
>John
>
>
>-- John Dennis 
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>
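John's "ls -l and look for dangling links" check, made repeatable as an added example that is not code from the thread: it lists every dangling symlink under the two directories he names and verifies that each *.jar link resolves to a real archive (every non-empty jar is a zip file and starts with the bytes PK\003\004), which would also have caught the links George later found pointing at files that no longer existed.

```shell
#!/bin/sh
# Added example, not code from the thread: report symlinks in the CA's library
# directories that dangle or that point at something other than a jar. The
# directory paths are the ones from John's message; the checks are generic.
set -eu

# Print every symlink under the given directories whose target does not exist.
dangling_links() {
    find "$@" -type l ! -exec test -e {} \; -print
}

# True if the file (symlinks followed) starts with the zip local-file-header
# magic "PK\003\004", which every non-empty jar does.
is_jar() {
    [ -f "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Check the *.jar entries directly in one directory. Prints one line per
# problem ("dangling: ..." or "not-a-jar: ...") and returns 1 if any was found.
check_jar_links() {
    problems=0
    for link in "$1"/*.jar; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if [ -L "$link" ] && ! [ -e "$link" ]; then
            echo "dangling: $link -> $(readlink "$link")"
            problems=$((problems + 1))
        elif ! is_jar "$link"; then
            echo "not-a-jar: $link"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Stand-alone: ./script.sh run   (as root, over both directories John lists)
if [ "${1:-}" = "run" ]; then
    rc=0
    for d in /var/lib/pki-ca/common/lib /var/lib/pki-ca/webapps/ca/WEB-INF/lib; do
        check_jar_links "$d" || rc=1
    done
    exit "$rc"
fi
```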

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
This is a newly installed system. It does most of the things, but I just cannot 
delete the host on which I have uninstalled ipa-client, which prevents me from 
re-installing ipa-client.
Here are the versions:

pki-ca.noarch                9.0.3-24.el6
pki-common.noarch            9.0.3-24.el6
jss.x86_64                   4.2.6-22.el6
nss.x86_64                   3.13.5-1.el6_3
tomcat6.noarch               6.0.24-45.el6
java-1.5.0-gcj.x86_64        1.5.0.0-29.1.el6
java-1.6.0-openjdk.x86_64    1:1.6.0.0-1.48.1.11.3.el6_2
java_cup.x86_64              1:0.10k-5.el6
Thanks for your help.
George



>
> From: Ade Lee 
>To: george he  
>Cc: Rob Crittenden ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 10:46 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>The logs seem to show that the CA cannot find JSS.
>
>What versions of the following are on your system?
>pki-ca, pki-common, jss, nss, tomcat6, tomcat, java
>
>Is this a system that was working and now fails to work?  Or is this a
>new instance?
>
>Ade
>On Wed, 2012-09-05 at 06:41 -0700, george he wrote:
>> there are some entries like these:
>> 
>> type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for
>> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for
>> pid=4243 comm="gdm" name="arch" dev=dm-0 ino=786829
>> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>> 
>> 
>> 
>> and some others like these:
>> type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for
>> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>> scontext=unconfined_u:system_r:pki_ca_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for
>> pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879
>> scontext=unconfined_u:system_r:pki_ca_t:s0
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
>> 
>> 
>> 
>> And yes, I did yum update recently.
>> Where else should I look?
>> Thanks,
>> George
>> 
>>        
>>         __
>>         From: Rob Crittenden 
>>         To: george he  
>>         Cc: Ade Lee ; "freeipa-users@redhat.com"
>>          
>>         Sent: Wednesday, September 5, 2012 8:40 AM
>>         Subject: Re: [Freeipa-users] ipa host-del
>>        
>>        
>>         george he wrote:
>>         > here are the new errors:
>>         > # rm /var/log/pki-ca/*
>>         > # service dirsrv restart
>>         > # service pki-cad restart
>>         > # grep -i error /var/log/pki-ca/*
>>         > /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while
>>         removing
>>         > context [/ca]
>>         > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
>>         initializing
>>         > socket factory
>>         > 
>>/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
>>Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:
>>         Protocol
>>         > handler initialization failed:
>>         java.lang.ClassNotFoundException: Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>         > /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error
>>         deploying web
>>         > application directory ca
>>         > /var/log/pki-ca/catalina.out:SEVERE: Error initializing
>>         socket factory
>>         > /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: 
>>Error
>>         > loading SSL Implementation
>>         > org.apache.tomcat.util.net.jss.JSSImplementation
>>         > :java.lang.ClassNotFoundException:
>>         org.mozilla.jss.ssl.SSLSocket
>>

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
There are some entries like these:

type=AVC msg=audit(1346710042.243:56): avc:  denied  { execute } for  pid=4243 
comm="gdm" name="arch" dev=dm-0 ino=786829 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1346710042.243:57): avc:  denied  { execute } for  pid=4243 
comm="gdm" name="arch" dev=dm-0 ino=786829 
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


and some others like these:
type=AVC msg=audit(1346838993.154:2567): avc:  denied  { search } for  
pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 
scontext=unconfined_u:system_r:pki_ca_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1346838993.154:2568): avc:  denied  { search } for  
pid=17155 comm="java" name="gridengine" dev=dm-0 ino=391879 
scontext=unconfined_u:system_r:pki_ca_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


And yes, I did yum update recently.
Where else should I look?
Thanks,
George



>
> From: Rob Crittenden 
>To: george he  
>Cc: Ade Lee ; "freeipa-users@redhat.com" 
> 
>Sent: Wednesday, September 5, 2012 8:40 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> here are the new errors:
>> # rm /var/log/pki-ca/*
>> # service dirsrv restart
>> # service pki-cad restart
>> # grep -i error /var/log/pki-ca/*
>> /var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing
>> context [/ca]
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing
>> socket factory
>> /var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: 
>> Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol
>> handler initialization failed: java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web
>> application directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:SEVERE: Error deploying web application
>> directory ca
>> /var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
>> /var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler
>> initialization failed: java.lang.ClassNotFoundException: Error loading
>> SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>
>Hmm. Is there any additional information in the debug log? Any AVCs in 
>/var/log/audit/audit.log?
>
>Have you updated any packages recently? I'm not sure why dogtag would be 
>throwing this exception.
>
>rob
>
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* John Dennis ; "freeipa-users@redhat.com"
>>     
>>     *Sent:* Tuesday, September 4, 2012 9:49 PM
>>     *Subject:* Re: [Freeipa-users] ipa host-del
>>
>>     george he wrote:
>>      > both of the commands "service dirsrv restart" and "service pki-cad
>>      > restart" reported:
>>      > stopping ... OK
>>      > starting ... OK
>>      > but host-del still has the same error.
>>      > More suggestions?
>>
>>     Check the logs again. The service starting does not mean it kept
>>     running.
>>
>>     rob
>>
>>      > Thanks

Re: [Freeipa-users] ipa host-del

2012-09-05 Thread george he
here are the new errors:
# rm /var/log/pki-ca/*
# service dirsrv restart
# service pki-cad restart
# grep -i error /var/log/pki-ca/*
/var/log/pki-ca/catalina.2012-09-05.log:WARNING: Error while removing context 
[/ca]
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error initializing socket 
factory
/var/log/pki-ca/catalina.2012-09-05.log:java.lang.ClassNotFoundException: Error 
loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-05.log:SEVERE: Error deploying web application 
directory ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading 
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:SEVERE: Error deploying web application directory 
ca
/var/log/pki-ca/catalina.out:SEVERE: Error initializing socket factory
/var/log/pki-ca/catalina.out:java.lang.ClassNotFoundException: Error loading 
SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.out:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket




>
> From: Rob Crittenden 
>To: george he  
>Cc: John Dennis ; "freeipa-users@redhat.com" 
> 
>Sent: Tuesday, September 4, 2012 9:49 PM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> both of the commands "service dirsrv restart" and "service pki-cad
>> restart" reported:
>> stopping ... OK
>> starting ... OK
>> but host-del still has the same error.
>> More suggestions?
>
>Check the logs again. The service starting does not mean it kept running.
>
>rob
>
>> Thanks,
>> George
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* John Dennis ; "freeipa-users@redhat.com"
>>     
>>     *Sent:* Tuesday, September 4, 2012 4:20 PM
>>     *Subject:* Re: [Freeipa-users] ipa host-del
>>
>>     george he wrote:
>>      > I'm running centos 6.3
>>      > # uname -r
>>      > 2.6.32-279.5.2.el6.x86_64
>>      >
>>      > pki-ca: unrecognized service
>>      >
>>      > There are tons of errors in /var/log/pki-ca/*, some of them are:
>>      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>     [3] [3]
>>      > Cannot build CA chain. Error java.security.cert.CertificateException:
>>      > Certificate is not a PKCS #11 certificate
>>      > /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT]
>>     [13] [3]
>>      > authz instance DirAclAuthz initialization failed and skipped,
>>      > error=Property internaldb.ldapconn.port missing value
>>      > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
>>      > [3] [3] Cannot build CA chain. Error
>>      > java.security.cert.CertificateException: Certificate is not a
>>     PKCS #11
>>      > certificate
>>      > /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
>>      > [3] [3] CASigningUnit: Object certificate not found. Error
>>      > org.mozilla.jss.crypto.ObjectNotFoundException
>>      > /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8]
>>     [3] In
>>      > Ldap (bound) connection pool to host cushing.psych.yale.edu port
>>     7389,
>>      > Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
>>      > failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>>      >
>>      > /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
>>      > socket fact

Re: [Freeipa-users] cannot logon: system error?

2012-09-04 Thread george he
I removed the host on the ipa server (ipa host-del, which works for this client but 
not another one), reinstalled the system, and configured the client; it worked.
Thanks,
George




>
> From: Jakub Hrozek 
>To: freeipa-users@redhat.com 
>Sent: Tuesday, September 4, 2012 3:05 PM
>Subject: Re: [Freeipa-users] cannot logon: system error?
> 
>On Tue, Sep 04, 2012 at 11:02:36AM -0700, george he wrote:
>> Hi all,
>> 
>> This is another issue I'm having with another ipa client.
>> Both the server and the client are centos 6.3.
>> The client was configured all right. I was able to log on at a point,
>> but then after the screen was auto-locked over the night, I cannot log on 
>> any more.
>> If I try on the console, it says "system error" and returns to the locked 
>> screen.
>> If I try ssh myclient, it says "Connection closed by myclient".
>> 
>> This is what is in /var/log/secure:
>> Sep  4 13:57:52 localhost sshd[4208]: Authorized to jhe, krb5 principal 
>> j...@psych.yale.edu (krb5_kuserok)
>> Sep  4 13:57:52 localhost sshd[4208]: pam_sss(sshd:account): Access denied 
>> for user jhe: 4 (System error)
>> Sep  4 13:57:52 localhost sshd[4209]: fatal: Access denied for user jhe by 
>> PAM account configuration
>> 
>
>System Error usually means an internal error in the SSSD.
>
>Please put debug_level = 8 into the [pam] and [domain] sections, restart
>the SSSD, re-run the login attempt and attach or copy the relevant
>sections of /var/log/sssd/sssd_pam.log and
>/var/log/sssd/sssd_$domain.log
>

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
both of the commands "service dirsrv restart" and "service pki-cad restart" 
reported:
stopping ... OK
starting ... OK
but host-del still has the same error.
More suggestions?
Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: John Dennis ; "freeipa-users@redhat.com" 
> 
>Sent: Tuesday, September 4, 2012 4:20 PM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> I'm running centos 6.3
>> # uname -r
>> 2.6.32-279.5.2.el6.x86_64
>>
>> pki-ca: unrecognized service
>>
>> There are tons of errors in /var/log/pki-ca/*, some of them are:
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3]
>> Cannot build CA chain. Error java.security.cert.CertificateException:
>> Certificate is not a PKCS #11 certificate
>> /var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3]
>> authz instance DirAclAuthz initialization failed and skipped,
>> error=Property internaldb.ldapconn.port missing value
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT]
>> [3] [3] Cannot build CA chain. Error
>> java.security.cert.CertificateException: Certificate is not a PKCS #11
>> certificate
>> /var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT]
>> [3] [3] CASigningUnit: Object certificate not found. Error
>> org.mozilla.jss.crypto.ObjectNotFoundException
>> /var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In
>> Ldap (bound) connection pool to host cushing.psych.yale.edu port 7389,
>> Cannot connect to LDAP server. Error: netscape.ldap.LDAPException:
>> failed to connect to server ldap://cushing.psych.yale.edu:7389 (91)
>>
>> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing
>> socket factory
>> /var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: 
>> Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol
>> handler initialization failed: java.lang.ClassNotFoundException: Error
>> loading SSL Implementation
>> org.apache.tomcat.util.net.jss.JSSImplementation
>> :java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
>> /var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web
>> application directory ca
>
>The problem looks to be that the dogtag 389-ds instance is not started. 
>I'd try: service dirsrv restart PKI-IPA
>
>Then service pki-cad restart
>
>rob
>
>
>
>

[Freeipa-users] cannot logon: system error?

2012-09-04 Thread george he
Hi all,

This is another issue I'm having with another ipa client.
Both the server and the client are centos 6.3.
The client was configured all right. I was able to log on at a point,
but then after the screen was auto-locked over the night, I cannot log on any 
more.
If I try on the console, it says "system error" and returns to the locked screen.
If I try ssh myclient, it says "Connection closed by myclient".

This is what is in /var/log/secure:
Sep  4 13:57:52 localhost sshd[4208]: Authorized to jhe, krb5 principal 
j...@psych.yale.edu (krb5_kuserok)
Sep  4 13:57:52 localhost sshd[4208]: pam_sss(sshd:account): Access denied for 
user jhe: 4 (System error)
Sep  4 13:57:52 localhost sshd[4209]: fatal: Access denied for user jhe by PAM 
account configuration

What do I do to fix this problem?

Thanks in advance,
George

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
How do I start dogtag?
It's centos 6.3.

Some errors are posted in my other email.
Thanks,
George


>
> From: Rob Crittenden 
>To: george he  
>Cc: John Dennis ; "freeipa-users@redhat.com" 
> 
>Sent: Tuesday, September 4, 2012 10:26 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>george he wrote:
>> First of all, i don't see any java process after ipactl stop.
>>
>> Then I turned on debug and this is what I get on terminal:
>> # ipa host-del hnl09.psych.yale.edu
>> ..
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> ipa: DEBUG: Caught fault 4301 from server
>> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
>> completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Service Temporarily Unavailable)
>>
>> So there's a "fault 4301" being caught.
>> And this is at the end of /var/log/httpd/error_log:
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
>> SSLServer intended_usage = SSLServer
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
>> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
>> = 130.132.167.68:443
>> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
>> attempt to connect to 127.0.0.1:9447 (localhost) failed
>> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
>> worker for (localhost)
>> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
>> to backend: localhost
>> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu:
>> host_del((u'hnl09.psych.yale.edu',), updatedns=False):
>> CertificateOperationError
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
>> CertificateOperationError: Certificate operation cannot be completed:
>> Unable to communicate with CMS (Service Temporarily Unavailable)
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
>> context.ldap2
>
>dogtag does not appear to be running. I'd suggest looking at 
>/var/log/pki-ca/catalina.out or debug to see if it has any hints as what 
>the problem is.
>
>What distribution is this?
>
>rob
>
>
>

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
I'm running centos 6.3
# uname -r
2.6.32-279.5.2.el6.x86_64


pki-ca: unrecognized service


There are tons of errors in /var/log/pki-ca/*, some of them are:
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [3] [3] Cannot 
build CA chain. Error java.security.cert.CertificateException: Certificate is 
not a PKCS #11 certificate
/var/log/pki-ca/system:11605.main - [30/Aug/2012:16:34:56 EDT] [13] [3] authz 
instance DirAclAuthz initialization failed and skipped, error=Property 
internaldb.ldapconn.port missing value
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:01 EDT] [3] [3] 
Cannot build CA chain. Error java.security.cert.CertificateException: 
Certificate is not a PKCS #11 certificate
/var/log/pki-ca/system:11605.http-9445-1 - [30/Aug/2012:16:35:10 EDT] [3] [3] 
CASigningUnit: Object certificate not found. Error 
org.mozilla.jss.crypto.ObjectNotFoundException
/var/log/pki-ca/system:3281.main - [31/Aug/2012:17:54:28 EDT] [8] [3] In Ldap 
(bound) connection pool to host cushing.psych.yale.edu port 7389, Cannot 
connect to LDAP server. Error: netscape.ldap.LDAPException: failed to connect 
to server ldap://cushing.psych.yale.edu:7389 (91)

/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error initializing socket 
factory
/var/log/pki-ca/catalina.2012-09-03.log:java.lang.ClassNotFoundException: Error 
loading SSL Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:LifecycleException:  Protocol handler 
initialization failed: java.lang.ClassNotFoundException: Error loading SSL 
Implementation org.apache.tomcat.util.net.jss.JSSImplementation 
:java.lang.ClassNotFoundException: org.mozilla.jss.ssl.SSLSocket
/var/log/pki-ca/catalina.2012-09-03.log:SEVERE: Error deploying web application 
directory ca


Thanks,
George


>
> From: John Dennis 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, September 4, 2012 10:40 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/04/2012 10:23 AM, george he wrote:
>> First of all, i don't see any java process after ipactl stop.
>> 
>> Then I turned on debug and this is what I get on terminal:
>> # ipa host-del hnl09.psych.yale.edu
>> ..
>> ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
>> ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
>> ipa: DEBUG: Caught fault 4301 from server
>> http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be
>> completed: Unable to communicate with CMS (Service Temporarily Unavailable)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Service Temporarily Unavailable)
>> 
>> So there's a "fault 4301" being caught.
>> And this is at the end of /var/log/httpd/error_log:
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage =
>> SSLServer intended_usage = SSLServer
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for
>> "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer
>> = 130.132.167.68:443
>> [Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP:
>> attempt to connect to 127.0.0.1:9447 (localhost) failed
>> [Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling
>> worker for (localhost)
>> [Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection
>> to backend: localhost
>> [Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu:
>> host_del((u'hnl09.psych.yale.edu',), updatedns=False):
>> CertificateOperationError
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response:
>> CertificateOperationError: Certificate operation cannot be completed:
>> Unable to communicate with CMS (Service Temporarily Unavailable)
>> [Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection
>> context.ldap2
>> 
>> Thanks,
>> George
>
>It appears as if your CA instance is not running (pki-ca). Depending on which 
>OS you're running on could you verify pki-ca is running via either the service 
>or systemctl command. Do you see any errors in the log files found under 
>/var/log/pki-ca?
>
>-- John Dennis 
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he
First of all, i don't see any java process after ipactl stop.

Then I turned on debug and this is what I get on terminal:
# ipa host-del hnl09.psych.yale.edu

..

ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
ipa: DEBUG: handshake complete, peer = 130.132.167.68:443
ipa: DEBUG: Caught fault 4301 from server 
http://cushing.psych.yale.edu/ipa/xml: Certificate operation cannot be 
completed: Unable to communicate with CMS (Service Temporarily Unavailable)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Service Temporarily Unavailable)


So there's a "fault 4301" being caught.
And this is at the end of /var/log/httpd/error_log:

[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: approved_usage = SSLServer 
intended_usage = SSLServer
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: cert valid True for 
"CN=cushing.psych.yale.edu,O=PSYCH.YALE.EDU"
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: handshake complete, peer = 
130.132.167.68:443
[Tue Sep 04 10:17:05 2012] [error] (111)Connection refused: proxy: AJP: attempt 
to connect to 127.0.0.1:9447 (localhost) failed
[Tue Sep 04 10:17:05 2012] [error] ap_proxy_connect_backend disabling worker 
for (localhost)
[Tue Sep 04 10:17:05 2012] [error] proxy: AJP: failed to make connection to 
backend: localhost
[Tue Sep 04 10:17:05 2012] [error] ipa: INFO: ad...@psych.yale.edu: 
host_del((u'hnl09.psych.yale.edu',), updatedns=False): CertificateOperationError
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: response: 
CertificateOperationError: Certificate operation cannot be completed: Unable to 
communicate with CMS (Service Temporarily Unavailable)
[Tue Sep 04 10:17:05 2012] [error] ipa: DEBUG: Destroyed connection 
context.ldap2


Thanks,
George




>
> From: John Dennis 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, September 4, 2012 8:53 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/04/2012 08:28 AM, george he wrote:
>> 
>> There's only one conf file in /etc/ipa/, which is default.conf. ca_host
>> is not defined there. But I think my CA is the IPA server.
>> 
>> Everything is reported running:
>> # ipactl status
>> Directory Service: RUNNING
>> KDC Service: RUNNING
>> KPASSWD Service: RUNNING
>> MEMCACHE Service: RUNNING
>> HTTP Service: RUNNING
>> CA Service: RUNNING
>> 
>> but when I try # ipactl restart, it reports:
>> Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker
>> ajp://localhost:9447/ already used by another worker
>> [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already
>> used by another worker
>
>ajp worker threads are used by tomcat instances of which the CA is one 
>example. It sounds like your CA has gotten into a funny state. I would do a 
>ipactl stop to shut down all your services and then do a ps to look for any 
>Java processes that are still running (I'm assuming the only Java you're 
>running on this box would be for the CA). If you can identify a running Java 
>process that you believe belongs to the CA then kill it and try starting IPA 
>again (or you could use a big hammer and reboot).
>
>BTW, the ajp threads are the listeners on the CA communication ports, if those 
>threads are not in the right state you could see the CA communication problems 
>you reported.
>
>If that still does not work then my next suggestion would be to add this line 
>to /etc/ipa/default.conf
>
>debug=True
>
>and restart IPA, that will cause verbose logging to be written to 
>/var/log/httpd/error_log which may have more detailed messages indicating 
>where things might be going wrong.
>
>
>-- John Dennis 
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>

Re: [Freeipa-users] ipa host-del

2012-09-04 Thread george he


There's only one conf file in /etc/ipa/, which is default.conf. ca_host is not 
defined there. But I think my CA is the IPA server.

Everything is reported running:
# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

but when I try # ipactl restart, it reports:
Starting httpd: [Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ 
already used by another worker
[Tue Sep 04 08:19:10 2012] [warn] worker ajp://localhost:9447/ already used by 
another worker

Thanks for your help,
George




>
> From: John Dennis 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, September 4, 2012 8:10 AM
>Subject: Re: [Freeipa-users] ipa host-del
> 
>On 09/03/2012 06:00 PM, george he wrote:
>> Hello all,
>> 
>> I'm trying to reinstall my ipa client so I did ipa-client-install
>> --uninstall on my client, but when I try to do
>> ipa host-del on the server, I got the following error:
>> 
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (Not Found)
>> 
>> What does it mean, and how do I fix this?
>> ps, both the server and the client are centos 6.3
>
>I'm guessing the configuration option that specifies where to locate your CA 
>was lost. Check and see if ca_host is defined in any of the .conf files under 
>/etc/ipa, if so is it the correct host? If not then the server will assume 
>it's co-located on the same machine. Is your CA on the same machine as your 
>IPA server?
>
>One other thing to check, is the CA running? Do an ipactl status to verify or 
>an ipactl restart.
>
>
>-- John Dennis 
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>

[Freeipa-users] ipa host-del

2012-09-03 Thread george he
Hello all,

I'm trying to reinstall my ipa client so I did ipa-client-install --uninstall on 
my client, but when I try to do
ipa host-del on the server, I got the following error:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Not Found)

What does it mean, and how do I fix this?
ps, both the server and the client are centos 6.3

Thanks,
George

[Freeipa-users] ip changed

2012-08-29 Thread george he
Hello all,
I have free-ipa set up on my lab machines all running Fedora 17.
Today the lab was moved to another building on campus and the IPs have to be 
changed.
Now that the IPs are changed, I cannot even run kinit on the ipa-server.
The error message returned with kinit is "connot contact any KDC for realm 
MYREALM while getting initial credentials"
What I have done to change the IPs is to run system-config-network, modify the 
file /etc/hosts, and call the IT department to update the DNS server entries.
What else do I need to do to make the ipa work with the new IPs?
Thanks in advance for your help,
George

Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-31 Thread george he
Thank you, Martin. This helps.
George




>
> From: Martin Kosek 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
> 
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 36
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>>   Max life: 36
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - maximal lifetime which can be
>configured in IPA (KDC) with the krbtpolicy-mod command you just showed and the
>lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per krb5.conf man page:
>
>       ticket_lifetime
>              The  value  of this tag is the default lifetime for initial
>              tickets.  The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
>  Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: ad...@redhat.com
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat@redhat.com
>
>HTH,
>Martin
>
>

[Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-30 Thread george he
Hello all,
I'm trying to change the krb ticket life time for myself, so I used
ipa krbtpolicy-mod MYUSERNAME --maxlife 36
but then after I do kinit, my new ticket is still going to expire after 24 
hours, which is the default ticket life, even though 

ipa krbtpolicy-show MYUSERNAME
returns
  Max life: 36

What am I missing? I'm using ipa2.2 on FC17.
Thanks,
George

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Simo,
Could you advise how to add

1. the samba samAccount objectclass to a user, and
2. the sambaGroups class to a group? 

I guess I would need to use ldap commands, which I don't know well enough.
By the way, do I need to add both of the above, or if everybody is allowed to 
use the samba share, (and they are all in ipausers group), I would only need to 
add the sambaGroups class to ipausers group?
Thanks,
George




>
> From: Simo Sorce 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, July 10, 2012 9:56 AM
>Subject: Re: [Freeipa-users] ipa samba win7
> 
>On Tue, 2012-07-10 at 06:01 -0700, george he wrote:
>> Hello all,
>> I have an ipa client that is also a file server. How do I set up a
>> samba server on the file server so that the files can be accessed by a
>> win7 machine, which is not a member of the ipa realm?
>> Should I set the file server as a domain controller? How do I deal
>> with the "passdb backend" option? I guess I can set it to "ldapsam",
>> but the user information is kept on the ipa server, not the file
>> server.
>> What else should I take care of before I start?
>> ps. my ipa version is 2.2, running on fc17.
>> 
>
>You can install samba with the ldapsam passdb backend.
>security = user will suffice, you do not need to make it a domain
>controller.
>Authentication will happen only using NTLM, so you will have to add the
>samba samAccount objectclass to those users that you want to be able to
>log in to samba and the sambaGroups class to those groups you want to
>use with samba.
>After you added the right objectclass to users you will need to change
>the user's password once so that the ipa-pwd-extop plugin can generate NT
>hashes for the user.
>Once that is done samba should allow you to log in using the ipa
>password.
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>
>
>

Re: [Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hi Ondrej,
The win7 is standing alone. I don't have an AD for it.

I used to have a samba domain controller that took care of user authentication 
for both linux and winxp machines.
Thanks,
George



>
> From: Ondrej Valousek 
>To: freeipa-users@redhat.com 
>Sent: Tuesday, July 10, 2012 9:12 AM
>Subject: Re: [Freeipa-users] ipa samba win7
> 
>
>Do you have an AD for the win7 machine or is it just standalone machine?
>Ondrej
>
>On 07/10/2012 03:01 PM, george he wrote: 
>Hello all,
>>I have an ipa client that is also a file server. How do I set up a samba 
>>server on the file server so that the files can be accessed by a win7 
>>machine, which is not a member of the ipa realm?
>>Should I set the file server as a domain controller? How do I deal with the 
>>"passdb backend" option? I guess I can set it to "ldapsam", but the user 
>>information is kept on the ipa server, not the file server.
>>What else should I take care of before I start?
>>ps. my ipa version is 2.2, running on fc17.
>>
>>Thanks,
>>George
>>
>>

[Freeipa-users] ipa samba win7

2012-07-10 Thread george he
Hello all,
I have an ipa client that is also a file server. How do I set up a samba server 
on the file server so that the files can be accessed by a win7 machine, which 
is not a member of the ipa realm?
Should I set the file server as a domain controller? How do I deal with the 
"passdb backend" option? I guess I can set it to "ldapsam", but the user 
information is kept on the ipa server, not the file server.
What else should I take care of before I start?
ps. my ipa version is 2.2, running on fc17.

Thanks,
George

Re: [Freeipa-users] error yum install freeipa-server

2012-07-05 Thread george he
Hello Rob,

These are printed to the command window after this line:


  Installing : pki-selinux-9.0.20-1.fc17.noarch    34/96 


The files reported missing are not there after yum install completed.

I turned selinux off ("setenforce 0" and modified /etc/sysconfig/selinux) 
before installing freeipa-server. Don't know whether this caused the files not 
to be created by yum.

Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Thursday, July 5, 2012 11:27 AM
>Subject: Re: [Freeipa-users] error yum install  freeipa-server
> 
>george he wrote:
>> Hello all,
>>
>> When I do "yum install -y freeipa-server" on a newly installed FC17
>> system, I get a lot of errors like this:
>>
>> /sbin/restorecon:  lstat(/etc/pki-tks*) failed:  No such file or directory
>> /sbin/restorecon:  lstat(/etc/pki-tps*) failed:  No such file or directory
>> /sbin/restorecon:  lstat(/etc/sysconfig/pki/ca*) failed:  No such file
>> or directory
>> /sbin/restorecon:  lstat(/etc/sysconfig/pki/kra*) failed:  No such file
>> or directory
>> .
>> .
>> .
>> /sbin/restorecon:  lstat(/usr/bin/dtomcat5-pki-tks) failed:  No such
>> file or directory
>> /sbin/restorecon:  lstat(/var/lib/pki-ca*) failed:  No such file or
>> directory
>> .
>> .
>> .
>> /sbin/restorecon:  lstat(/var/lib/ipa/ca_serialno) failed:  No such file
>> or directory
>> /sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file
>> or directory
>>
>> It seems to me these missing files are supposed to be installed by this
>> yum install command.
>> With these errors, can I still go ahead and set up the ipa-server?
>>
>> Thanks,
>> George
>
>Where are you seeing these logged? Some of those files/directories don't 
>exist yet, they are created by the install. It should be safe to proceed.
>
>rob
>
>

[Freeipa-users] error yum install freeipa-server

2012-07-05 Thread george he
Hello all,

When I do "yum install -y freeipa-server" on a newly installed FC17 system, I 
get a lot of errors like this:

/sbin/restorecon:  lstat(/etc/pki-tks*) failed:  No such file or directory
/sbin/restorecon:  lstat(/etc/pki-tps*) failed:  No such file or directory
/sbin/restorecon:  lstat(/etc/sysconfig/pki/ca*) failed:  No such file or 
directory
/sbin/restorecon:  lstat(/etc/sysconfig/pki/kra*) failed:  No such file or 
directory
.
.
.
/sbin/restorecon:  lstat(/usr/bin/dtomcat5-pki-tks) failed:  No such file or 
directory
/sbin/restorecon:  lstat(/var/lib/pki-ca*) failed:  No such file or directory

.
.
.
/sbin/restorecon:  lstat(/var/lib/ipa/ca_serialno) failed:  No such file or 
directory
/sbin/restorecon:  lstat(/var/lib/pki-ca/publish*) failed:  No such file or 
directory


It seems to me these missing files are supposed to be installed by this yum 
install command.
With these errors, can I still go ahead and set up the ipa-server?

Thanks,
George

[Freeipa-users] win7 client

2012-07-03 Thread george he
Hello all,

I'm trying to set up a win7 as a client of my freeipa server running on fc17. 
so I followed the instructions here:

http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
But then what? The win7 is currently in a "workgroup". I tried to join the win7 
to a domain with my ipa realm name, but it failed.
Thanks in advance for your help,
George

Re: [Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello all,

nfs-secure.service is running on the client, but I still get 

mount.nfs4: mount(2): Permission denied
and there's no message in /var/log/.
Any help?
Thanks,
George



>
> From: george he 
>To: Rob Crittenden  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 29, 2012 1:52 PM
>Subject: Re: [Freeipa-users] rpcgssd
> 
>
>Hello Rob,
>
>
>It is fedora 17.
>I did "systemctl start nfs-secure.service" on the nfs-server. No error message.
>What needs to be started on the nfs-client in order to mount the share (which 
>is on a separate disk, if it matters)?
>I tried 
>mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/
>on the client, which happens to be the ipa-server, and get 
>
>mount.nfs4: mount(2): Permission denied
>Thanks,
>George
>
>
>
>>
>> From: Rob Crittenden 
>>To: george he  
>>Cc: "freeipa-users@redhat.com"  
>>Sent: Friday, June 29, 2012 1:41 PM
>>Subject: Re: [Freeipa-users] rpcgssd
>> 
>>george he wrote:
>>> Hello all,
>>>
>>> Is there a problem with this document:
>>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
>>>
>>> It says
>>> Start the GSS daemon.
>>>
>>> [root@nfs-client-server ~]# service rpcgssd start
>>>
>>> but when I do it, the nfs-client says
>>>
>>> Failed to issue method call: Unit rpcgssd.service failed to load: No such 
>>> file or directory. See system logs and 'systemctl status rpcgssd.service' 
>>> for details.
>>> # systemctl status rpcgssd.service
>>> rpcgssd.service
>>>       Loaded: error (Reason: No such file or directory)
>>>       Active: inactive (dead)
>>
>>You don't say what Fedora release you're using but I'm going to assume 
>>Fedora 17.
>>
>>Try starting nfs-secure.service
>>
>>rob
>>
>>
>>

Re: [Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello Rob,

It is fedora 17.
I did "systemctl start nfs-secure.service" on the nfs-server. No error message.
What needs to be started on the nfs-client in order to mount the share (which 
is on a separate disk, if it matters)?
I tried 

mount -v -t nfs4 -o sec=krb5 mynfsserver.edu:/data /mnt/nfs/
on the client, which happens to be the ipa-server, and get 

mount.nfs4: mount(2): Permission denied
Thanks,
George



>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 29, 2012 1:41 PM
>Subject: Re: [Freeipa-users] rpcgssd
> 
>george he wrote:
>> Hello all,
>>
>> Is there a problem with this document:
>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html
>>
>> It says
>> Start the GSS daemon.
>>
>> [root@nfs-client-server ~]# service rpcgssd start
>>
>> but when I do it, the nfs-client says
>>
>> Failed to issue method call: Unit rpcgssd.service failed to load: No such 
>> file or directory. See system logs and 'systemctl status rpcgssd.service' 
>> for details.
>> # systemctl status rpcgssd.service
>> rpcgssd.service
>>       Loaded: error (Reason: No such file or directory)
>>       Active: inactive (dead)
>
>You don't say what Fedora release you're using but I'm going to assume 
>Fedora 17.
>
>Try starting nfs-secure.service
>
>rob
>
>

[Freeipa-users] rpcgssd

2012-06-29 Thread george he
Hello all,

Is there a problem with this document: 

https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kerb-nfs.html

It says

Start the GSS daemon. 

[root@nfs-client-server ~]# service rpcgssd start

but when I do it, the nfs-client says

Failed to issue method call: Unit rpcgssd.service failed to load: No such file 
or directory. See system logs and 'systemctl status rpcgssd.service' for 
details.
# systemctl status rpcgssd.service
rpcgssd.service
Loaded: error (Reason: No such file or directory)
Active: inactive (dead)
Thanks,
George

Re: [Freeipa-users] nfs server

2012-06-29 Thread george he
Hello,

do you mean to run only this on the nfs-server?


ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k 
/etc/krb5.keytab

Rob says to run ipa-getkeytab on each machine... So I guess I should run the 
above command on the ipa-server before I run it on the nfs-server?
Otherwise it seems to me the nfs-server won't know the new keytab in /tmp/ on 
the ipa-server.

Thanks,
George




>
> From: Simo Sorce 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 29, 2012 10:53 AM
>Subject: Re: [Freeipa-users] nfs server
> 
>On Fri, 2012-06-29 at 07:45 -0700, george he wrote:
>> Hello Simo,
>> 
>> 
>> So you mean I should run
>> 
>> 
>> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu
>> -k /tmp/krb5.keytab
>> 
>> 
>> on the ipa-server, and 
>
>
>You should run the command only once (running more than once will simply
>invalidate whatever you downloaded in previous runs), preferably on the
>target server so you avoid the need of transferring keytab files around.
>> 
>> 
>> ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu
>> -k my.ipaserver.edu:/tmp/krb5.keytab
>> 
>> 
>> on the nfs-server? where /tmp/krb5.keytab is the key generated on the
>> ipa-server for nfs.
>
>If you have ipa-getkeytab on the target server (my.nfsserve.edu) in your
>case just run it there and point it at /etc/krb5.keytab directly.
>
>The ipa-getkeytab command does not rewrite the file; it appends the new
>keys there, which is what you want.
>
>
>Simo.
>
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>
>
>

Re: [Freeipa-users] nfs server

2012-06-29 Thread george he
Hello Simo,

So you mean I should run

ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k 
/tmp/krb5.keytab

on the ipa-server, and 


ipa-getkeytab -s my.ipaserver.edu -p nfs/my.nfsserve@myrealm.edu -k 
my.ipaserver.edu:/tmp/krb5.keytab

on the nfs-server? where /tmp/krb5.keytab is the key generated on the 
ipa-server for nfs.

Thanks,
George





>
> From: Simo Sorce 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 29, 2012 10:24 AM
>Subject: Re: [Freeipa-users] nfs server
> 
>On Fri, 2012-06-29 at 07:18 -0700, george he wrote:
>> Hello all,
>> 
>> 
>> Now I have an ipa server and a few ipa clients set up, I need to set
>> up an nfs server on one of the ipa-clients.
>> I'm following the instructions here
>> https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>> where at 8.c and 8.d, it says
>> 
>> 
>> scp /tmp/krb5.keytab r...@nfs.example.com:/etc/krb5.keytab
>> 
>> and 
>> 
>> scp /tmp/krb5.keytab r...@client.example.com:/etc/krb5.keytab
>> 
>> 
>> 
>> But the file /etc/krb5.keytab already exists on both of the ipa-server
>> and the nfs-server.
>> Should I just over-write the existing keytabs?
>
>No, you should not overwrite them if they contain the host keytab.
>
>If they are ipa clients and you can install admin tools you can simply
>run the ipa-getkeytab command on the right machine directly.
>
>if you can't for whatever reason you should copy the new keytab to the
>machine in a temporary (but protected) location like /root/nfs.keytab
>
>Then use the ktutil tool to merge the 2 keytab files
>into /etc/krb5.keytab
>
>ktutil is not the most intuitive tool, but the documentation should be
>good enough to sort out what you need to do.
>
>Simo.
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>
>
>

[Freeipa-users] nfs server

2012-06-29 Thread george he
Hello all,

Now I have an ipa server and a few ipa clients set up, I need to set up an nfs 
server on one of the ipa-clients.
I'm following the instructions here 
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
where at 8.c and 8.d, it says

scp /tmp/krb5.keytab r...@nfs.example.com:/etc/krb5.keytab

and 

scp /tmp/krb5.keytab r...@client.example.com:/etc/krb5.keytab


But the file /etc/krb5.keytab already exists on both of the ipa-server and the 
nfs-server.
Should I just over-write the existing keytabs?

Thanks,
George

Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create session

2012-06-29 Thread george he
Hello Dan,
Many thanks. It worked.

Now I remember this was done by default on my other clients... don't know why.
George



>
> From: Dan Scott 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 29, 2012 9:51 AM
>Subject: Re: [Freeipa-users] pam_systemd(sshd:session): Failed to create 
>session
> 
>Hi,
>
>I don't know if this is done by the default IPA install, but you need
>to configure it to auto create home directories:
>
>authconfig --update --enablemkhomedir
>
>You may need the oddjob-mkhomedir package installed too.
>
>Thanks,
>
>Dan
>
>On Fri, Jun 29, 2012 at 9:42 AM, george he  wrote:
>> Hello all,
>>
>> I'm running out of time to figure out what was wrong with my replica set up,
>> so I just went ahead and installed ipa-client on that machine.
>> It seems the client was installed all right, except when I ssh to the new
>> client from another client, I get this:
>>
>> Could not chdir to home directory /home/ghe: No such file or directory
>>
>> and then I was left at /. I don't remember what I did differently on the
>> other client machines that would create /home/ghe for me the first time I
>> log on.
>>
>> Here is the error message from /var/log/secure on the new client.
>>
>> pam_systemd(sshd:session): Failed to create session: No such file or
>> directory
>>
>> How do I fix this problem?
>>
>> Thanks,
>> George
>>

[Freeipa-users] pam_systemd(sshd:session): Failed to create session

2012-06-29 Thread george he
Hello all,

I'm running out of time to figure out what was wrong with my replica set up, so 
I just went ahead and installed ipa-client on that machine.
It seems the client was installed all right, except when I ssh to the new 
client from another client, I get this:

Could not chdir to home directory /home/ghe: No such file or directory


and then I was left at /. I don't remember what I did differently on the other 
client machines that would create /home/ghe for me the first time I log on.

Here is the error message from /var/log/secure on the new client.

pam_systemd(sshd:session): Failed to create session: No such file or directory

How do I fix this problem?

Thanks,
George

Re: [Freeipa-users] replica installation clean up

2012-06-26 Thread george he
Hello,

I think it might be easier to just re-install FC17 on my machine since it's 
brand new and I won't lose any data.
Now I want to backup a few folders where some files are changed during ipa 
installation, so that if I mess up again, I only need to copy the original 
folder over.
For this purpose, is the following list sufficient?
/boot /etc /home /root /usr /var

I think I probably don't need /boot /home /root either, but these are small.

Thanks for your advice.
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Friday, June 22, 2012 4:23 PM
>Subject: Re: [Freeipa-users] replica installation clean up
> 
>george he wrote:
>> Hello,
>> 
>> Since I didn't get any reply on this, I just went ahead and did
>> /ipa-server-install --uninstall
>> to clean up and did
>> ipa-replica-manage del myreplica --force
>> on mymaster
>> After these I did ipa-replica-install again but this time I get
>> 
>> ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command
>> '/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D
>> cn=Directory Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1
>> 
>> Any suggestions on this?
>
>It depends on why it failed. When there is an installation error I recommend 
>you start by looking at /var/log/ipa-server-install.log or 
>/var/log/ipareplica-install.log as needed.
>
>This error would suggest that something was not removed from LDAP when the 
>last replica was deleted. This may be ok. You'll need to use ldapsearch to verify 
>that cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX and 
>cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX have a 
>memberPrincipal for the service principal of your replica.
>
>something like:
>
>ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,dc=example,dc=com
>
>rob
>
>
>___

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Yes! reboot works. Thanks a lot.
George




>
> From: Simo Sorce 
>To: george he  
>Cc: Stephen Gallagher ; "freeipa-users@redhat.com" 
> 
>Sent: Monday, June 25, 2012 2:39 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
> 
>On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
>> Hi Stephen,
>> 
>> 
>> I already have a home directory which was created the first time I ssh
>> in.
>> Now when I click on "sign in", nothing happens...
>> 
>
>I've encountered this recently as well, apparently GDM uses some service
>that misbehaves when nsswitch.conf is changed.
>It used to be simple to fix that by forcing a restart of GDM (I used to
>ctrl+alt+backspace once after install of sssd/ipa), but on my recent F17
>it didn't work.
>I suspect some stuff has been moved to a helper that is not restarted
>when gdm restarts.
>A reboot fixed it for me.
>
>Simo.
>
>
>-- 
>Simo Sorce * Red Hat, Inc * New York
>
>
>
>___

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Hi Stephen,

Here are the lines from /var/log/messages. it seems there's some info, but I 
don't understand it...

Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Activating service 
name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus[775]: [system] Activating service 
name='net.reactivated.Fprint' (using servicehelper)
Jun 25 13:53:37 mz dbus-daemon[775]: Launching FprintObject
Jun 25 13:53:37 mz dbus-daemon[775]: dbus[775]: [system] Successfully activated 
service 'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus[775]: [system] Successfully activated service 
'net.reactivated.Fprint'
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: D-Bus service launched with 
name: net.reactivated.Fprint
Jun 25 13:53:37 mz dbus-daemon[775]: ** Message: entering main loop
Jun 25 13:54:08 mz dbus-daemon[775]: ** Message: No devices in use, exit
Jun 25 14:03:53 mz dbus-daemon[775]: dbus[775]: [system] Rejected send message, 
2 matched rules; type="method_return", sender=":1.0" (uid=0 pid=728 
comm="/usr/lib/systemd/systemd-logind ") interface="(unset)" member="(unset)" 
error name="(unset)" requested_reply="0" destination=":1.21" (uid=42 pid=1183 
comm="/usr/bin/gnome-session -f ")
Jun 25 14:03:53 mz dbus[775]: [system] Rejected send message, 2 matched rules; 
type="method_return", sender=":1.0" (uid=0 pid=728 
comm="/usr/lib/systemd/systemd-logind ") interface="(unset)" member="(unset)" 
error name="(unset)" requested_reply="0" destination=":1.21" (uid=42 pid=1183 
comm="/usr/bin/gnome-session -f ")


Your help is appreciated.
George




>________
> From: Stephen Gallagher 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 25, 2012 1:58 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
> 
>On Mon, 2012-06-25 at 10:55 -0700, george he wrote:
>> Hi Stephen,
>> selinux was set to permissive before I installed the client. ( I
>> modified the file /etc/sysconfig/selinux)
>
>
>Modifying that file without a reboot does not change the current state.
>That only tells the kernel whether to boot with SELinux enabled.
>
>I suggest looking at /var/log/messages for other possible failures as
>well. From /var/log/secure, SSSD is authenticating successfully, so the
>failure is happening in GDM somewhere.
>
>
>
>___

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Hi Stephen,
selinux was set to permissive before I installed the client. ( I modified the 
file /etc/sysconfig/selinux)

So it cannot be the reason.
Thanks,
George




>
> From: Stephen Gallagher 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 25, 2012 1:42 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
> 
>On Mon, 2012-06-25 at 10:41 -0700, george he wrote:
>> Hi Stephen,
>> 
>> 
>> I already have a home directory which was created the first time I ssh
>> in.
>> Now when I click on "sign in", nothing happens...
>> 
>
>Just to experiment, try 'setenforce 0' as root and then try to log in.
>SELinux could be denying you.
>
>
>
>___

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Hi Stephen,

I already have a home directory which was created the first time I ssh in.
Now when I click on "sign in", nothing happens...

Thanks,
George




>
> From: Stephen Gallagher 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 25, 2012 1:30 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
> 
>On Mon, 2012-06-25 at 10:25 -0700, george he wrote:
>> Hello Stephen,
>> 
>> 
>> this is what is in the log file:
>> 
>> Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth):
>> authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser=
>> rhost=  user=jhe
>> Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth):
>> authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser=
>> rhost= user=jhe
>
>
>According to that, SSSD successfully authenticated the user, but you
>still didn't get logged in? I'll bet that means you don't have your
>system set up to create home directories on first login automatically.
>
>If you run ipa-client-install with the --mkhomedir option when
>configuring the client, it will set this up for you. If you want to
>change it after the fact, do this:
>
>authconfig --update --enable-mkhomedir
>
>That should do the trick.
>
>
>
>___
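Stephen's reading of the /var/log/secure lines above (pam_unix fails, then pam_sss succeeds, so the user did authenticate and the fault is elsewhere in GDM) can be automated when triaging a longer log; the following Python is an added example, not code from the thread or from SSSD/FreeIPA, that groups PAM auth result lines per service and PID and attaches a verdict to each attempt. The sample lines are constructed: the two gdm-password lines from the thread rejoined onto single lines, plus an invented sshd attempt from 192.0.2.5 that fails in every module.

```python
import re

# One PAM auth result line from /var/log/secure. The process field is matched
# loosely because the thread shows it as "gdm-password][21545]" (stray bracket).
PAM_AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[ ]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):auth\): "
    r"authentication (?P<outcome>success|failure);.*\buser=(?P<user>\S*)$"
)


def summarize_pam_auth(lines):
    """Group auth results by (service, pid) and attach a verdict to each attempt.

    For a directory user, pam_unix failing right before pam_sss succeeds is the
    normal stack order (the user has no /etc/shadow entry), so that attempt is
    reported as authenticated; only an attempt with no successful module failed.
    """
    attempts = {}
    for line in lines:
        m = PAM_AUTH.match(line.rstrip("\n"))
        if not m:
            continue  # not an auth result line (e.g. pam_sss "received for user ...")
        key = (m.group("service"), m.group("pid"))
        a = attempts.setdefault(key, {"user": m.group("user"), "modules": []})
        a["modules"].append((m.group("module"), m.group("outcome")))
    for a in attempts.values():
        ok = [mod for mod, outcome in a["modules"] if outcome == "success"]
        a["verdict"] = "authenticated via " + ok[0] if ok else "authentication failed"
    return attempts


# Constructed sample: the two gdm-password lines from the thread (rejoined onto
# single lines) plus an invented sshd attempt that fails in every module.
SAMPLE_SECURE = [
    "Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): "
    "authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=  user=jhe",
    "Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth): "
    "authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=jhe",
    "Jun 25 13:30:02 mz sshd[21710]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5  user=jhe",
    "Jun 25 13:30:03 mz sshd[21710]: pam_sss(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.5 user=jhe",
    "Jun 25 13:30:03 mz sshd[21710]: pam_sss(sshd:auth): received for user jhe: 7 "
    "(Authentication failure)",
]

if __name__ == "__main__":
    for (service, pid), a in summarize_pam_auth(SAMPLE_SECURE).items():
        print("%s[%s] user=%s: %s %s" % (service, pid, a["user"], a["verdict"], a["modules"]))
```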

Re: [Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Hello Stephen,

this is what is in the log file:

Jun 25 13:22:10 mz gdm-password][21545]: pam_unix(gdm-password:auth): 
authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost=  
user=jhe
Jun 25 13:22:11 mz gdm-password][21545]: pam_sss(gdm-password:auth): 
authentication success; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= 
user=jhe


and this is the sssd version:

sssd-1.8.4-13.fc17.x86_64


Thanks,
George



>
> From: Stephen Gallagher 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 25, 2012 1:07 PM
>Subject: Re: [Freeipa-users] freeipa and gdm
> 
>On Mon, 2012-06-25 at 09:52 -0700, george he wrote:
>> Hello,
>> I have a server and a few clients set up. I can ssh to the server or
>> clients. But there's no entry on the console gdm for ipa user, and I
>> cannot login by choosing "others" either.
>> What do I need to set up for gdm log on? I searched the docs but
>> didn't find any...
>
>
>Entries do not appear on the GDM login until you have logged in at least
>once by choosing "others". I'm concerned that this is not working,
>however.
>
>Can you do
>'tail -n0 -f /var/log/secure' in a root shell while attempting to log in
>through GDM and then show us what it says?
>
>Also, please tell us what version of SSSD is installed on your system
>(you can find out with 'rpm -q sssd')
>
>
>
>___

[Freeipa-users] freeipa and gdm

2012-06-25 Thread george he
Hello,
I have a server and a few clients set up. I can ssh to the server or clients. 
But there's no entry on the console gdm for ipa user, and I cannot login by 
choosing "others" either.
What do I need to set up for gdm log on? I searched the docs but didn't find 
any...

Thanks,
George
___

Re: [Freeipa-users] replica installation clean up

2012-06-22 Thread george he
Hello,

Since I didn't get any reply on this, I just went ahead and did
/ipa-server-install --uninstall 

to clean up and did

 ipa-replica-manage del myreplica --force

on mymaster
After these I did ipa-replica-install again but this time I get

ipa : CRITICAL Failed to load replica-s4u2proxy.ldif: Command 
'/usr/bin/ldapmodify -h myreplica -v -f /tmp/tmpExxi0H -x -D cn=Directory 
Manager -y /tmp/tmpa12oUA' returned non-zero exit status 1


Any suggestions on this?

Thanks,
George



>________
> From: george he 
>To: Rob Crittenden  
>Cc: "freeipa-users@redhat.com"  
>Sent: Thursday, June 21, 2012 10:28 PM
>Subject: Re: [Freeipa-users] replica installation clean up
> 
>
>Hello,
>
>
>I used --force to delete myreplica from mymaster. And then 
>run ipa-replica-install on the myreplica again.
>This time everything seems ok until it comes to the end:
>
>
>Applying LDAP updates
>Restarting the directory server
>Restarting the KDC
>Restarting the web server
>creation of replica failed: Command '/bin/systemctl restart ipa.service' 
>returned non-zero exit status 1
>
>Your system may be partly configured.
>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
>
>And this is the error message at the end of /var/log/ipareplica-install.log:
>
>
>2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 
>'systemctl status' for details.
>
>2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' 
>returned non-zero exit status 1
>  File "/sbin/ipa-replica-install", line 494, in 
>    main()
>
>  File "/sbin/ipa-replica-install", line 488, in main
>    ipaservices.knownservices.ipa.enable()
>
>  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 
>101, in enable
>    self.restart(instance_name)
>
>  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 
>85, in restart
>    ipautil.run(["/bin/systemctl", "restart", 
>self.service_instance(instance_name)], capture_output=capture_output)
>
>  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
>    raise CalledProcessError(p.returncode, args)
>
>Should I run ipa-server-install --uninstall on myreplica now?
>
>
>Thanks,
>George
>
>
>
>
>>
>> From: Rob Crittenden 
>>To: george he  
>>Cc: "freeipa-users@redhat.com"  
>>Sent: Thursday, June 21, 2012 4:35 PM
>>Subject: Re: [Freeipa-users] replica installation clean up
>> 
>>george he wrote:
>>> Hi,
>>>
>>> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>>>
>>> [root@myreplica ~]# ipa-replica-install --setup-ca
>>> /var/lib/ipa/replica-info.gpg
>>> .
>>> .
>>> .
>>> Connection check OK
>>> The host myreplica already exists on the master server. Depending on
>>> your configuration, you may perform the following:
>>>
>>> Remove the replication agreement, if any:
>>> % ipa-replica-manage del myreplica
>>> Remove the host entry:
>>> % ipa host-del myreplica
>>>
>>> If I run this on myreplica:
>>> [root@myreplica ~]# ipa-replica-manage del myreplica
>>> IPA is not configured on this system.
>>> [root@myreplica ~]# ipa host-del myreplica
>>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may
>>> provide more information', 851968)/('Cannot find KDC for requested
>>> realm', -1765328230)
>>>
>>> If I run this on mymaster:
>>> [root@mymaster ~]# ipa-replica-manage del myreplica
>>> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
>>> [root@mymaster ~]# ipa host-del myreplica
>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>> disabled
>>>
>>> How do I clean up the unsuccessful installation - uninstallation of a
>>> replica?
>>
>>Ideally you remove the agreement before deleting the replica, hence the 
>>LDAP error. Add the --force flag:
>>
>># ipa-replica-manage del myreplica.fqdn --force
>>
>>Then you should be able to delete the host entry.
>>
>>rob
>>
>>
>>
>>
>___
>
>___

Re: [Freeipa-users] ipa user-add

2012-06-21 Thread george he
Hello Rich,
Thanks for the help. This does remove the group so I can add the user back.
But when I try to ssh, as that user, to the machines that the user logged on 
before "ipa user-del", I get "permission denied".
I removed the user's home directory because it still belongs to the deleted 
UID:GID. After that I still get "permission denied".
Any suggestions?
Thanks again,
George



>____
> From: Rich Megginson 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Thursday, June 21, 2012 2:43 PM
>Subject: Re: [Freeipa-users] ipa user-add
> 
>
>On 06/21/2012 12:25 PM, george he wrote: 
>Hello all,
>>
>>
>>After the server and the client are installed, I run
>>
>>
>>ipa user-add myname
>>
>>
>>
>>to add users. The users are added successfully, but each user gets his own 
>>GID, which is the same as his UID, even though "ipa config-show --all" shows
>>
>>  Default users group: ipausers
>>
>>
>>
>>How do I put all new users to this ipausers group? If I use --gidnumber=INT, 
>>how to find out the GID of the ipausers group?
>>
>>
>>I tried to delete a user using "ipa user-del myname", but the private group 
>>myname is left there. So I did the following:
>>
>>
>>
>># ipa group-del myname
>>ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
>># ipa group-detach myname
>>ipa: ERROR: myname: group not found
>>
>># ipa user-add myname
>>First name: myfirstname
>>Last name: mylastname
>>ipa: ERROR: Unable to create private group. A group 'myname' already exists.
>>
>>
>>How do I get out of this loop?
>What is your platform and 389-ds-base version?
>
>I'm not familiar with group-detach, but you can manually detach and
>remove the private group using ldapsearch and ldapmodify:
>
>assuming you have done kinit admin:
>1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>This will give you the DN of the group - ignore any entries in the
>compat tree
>
>2) ldapmodify -Y GSSAPI <<EOF
>dn: DN of the group from ldapsearch
>changetype: modify
>delete: objectclass
>objectclass: mepManagedEntry
>-
>delete: mepManagedBy
>-
>
>dn: DN of the group from ldapsearch
>changetype: delete
>EOF
>
>This will remove the private group.
>
>
>>
>>Thanks,
>>George
>>
>>
>>
>>
>>___
>
>
>___
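Rich Megginson's ldapsearch/ldapmodify recipe quoted above and Rob Crittenden's advice in the replica clean-up thread (verify that both s4u2proxy delegation entries carry a memberPrincipal for the replica) both start from `ldapsearch -LLL` output; the following Python is an added example, not code from the thread or from FreeIPA, that parses such output offline, selects the group DN while skipping the compat tree, builds the detach-and-delete LDIF, and reports which delegation entries still list the replica. Assumptions: the expected principal names HTTP/fqdn@REALM and ldap/fqdn@REALM follow FreeIPA's replica-s4u2proxy.ldif, and both sample LDIF inputs are constructed.

```python
def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into [(dn, {attr: [values]})]: unfolds
    continuation lines, lower-cases attribute names, leaves '::' values encoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation: append, drop the leading space
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():  # a blank line ends the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(": ").strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _rdn_value(dn):
    return dn.split(",", 1)[0].partition("=")[2].strip()  # 'myname' for 'cn=myname,...'


def select_private_group_dn(ldif_text, group_name):
    """The one real group entry named group_name, skipping the cn=compat tree.
    Raises ValueError on zero or several hits so a guessed DN never reaches ldapmodify."""
    candidates = [
        dn for dn, _ in parse_ldif(ldif_text)
        if _rdn_value(dn).lower() == group_name.lower()
        and not any(p.strip().lower() == "cn=compat" for p in dn.split(","))
    ]
    if len(candidates) != 1:
        raise ValueError("expected exactly one group DN, got %r" % (candidates,))
    return candidates[0]


# The two-record LDIF from Rich Megginson's reply: drop the managed-entry link
# first (ipa group-del refuses while the group is managed), then delete the group.
DETACH_TEMPLATE = """\
dn: {dn}
changetype: modify
delete: objectclass
objectclass: mepManagedEntry
-
delete: mepManagedBy
-

dn: {dn}
changetype: delete
"""


def detach_and_delete_ldif(group_dn):
    """LDIF to feed to `ldapmodify -Y GSSAPI` for one orphaned private group."""
    return DETACH_TEMPLATE.format(dn=group_dn)


# Principals that replica-s4u2proxy.ldif adds for a replica. Assumption based on
# FreeIPA's install/share/replica-s4u2proxy.ldif; check it against your version.
EXPECTED_DELEGATION = {
    "ipa-http-delegation": "HTTP/{fqdn}@{realm}",
    "ipa-ldap-delegation-targets": "ldap/{fqdn}@{realm}",
}


def check_s4u2proxy(ldif_text, replica_fqdn, realm):
    """For each delegation entry, whether the replica's memberPrincipal is present.
    ldif_text is the output of `ldapsearch -LLL -x -b cn=s4u2proxy,cn=etc,$SUFFIX`;
    a missing entry reports False rather than raising, so the whole picture is shown."""
    found = {cn: False for cn in EXPECTED_DELEGATION}
    for dn, attrs in parse_ldif(ldif_text):
        cn = _rdn_value(dn)
        if cn in EXPECTED_DELEGATION:
            want = EXPECTED_DELEGATION[cn].format(fqdn=replica_fqdn, realm=realm)
            found[cn] = want in attrs.get("memberprincipal", [])
    return found


# Constructed sample of `ldapsearch -LLL -Y GSSAPI cn=myname dn`; the second entry
# is the compat-tree mirror that must be ignored.
SAMPLE_GROUP_SEARCH = """\
dn: cn=myname,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=myname,cn=groups,cn=compat,dc=example,dc=com
"""

# Constructed sample of the s4u2proxy subtree: the replica's HTTP principal is still
# listed (folded over two lines, as ldapsearch does) but its ldap principal is gone.
SAMPLE_S4U2PROXY_SEARCH = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: HTTP/mymaster.example.com@EXAMPLE.COM
memberPrincipal: HTTP/myreplica.example.c
 om@EXAMPLE.COM

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: ldap/mymaster.example.com@EXAMPLE.COM
"""
```

Run the real searches with the commands quoted above, feed their output to these functions, and only then hand `detach_and_delete_ldif(dn)` to ldapmodify.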

Re: [Freeipa-users] replica installation clean up

2012-06-21 Thread george he
Hello,

I used --force to delete myreplica from mymaster. And then 
run ipa-replica-install on the myreplica again.
This time everything seems ok until it comes to the end:

Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
creation of replica failed: Command '/bin/systemctl restart ipa.service' 
returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.


And this is the error message at the end of /var/log/ipareplica-install.log:

2012-06-22T02:02:01Z DEBUG stderr=Job failed. See system journal and 'systemctl 
status' for details.

2012-06-22T02:02:01Z DEBUG Command '/bin/systemctl restart ipa.service' 
returned non-zero exit status 1
  File "/sbin/ipa-replica-install", line 494, in 
    main()

  File "/sbin/ipa-replica-install", line 488, in main
    ipaservices.knownservices.ipa.enable()

  File "/usr/lib/python2.7/site-packages/ipapython/platform/fedora16.py", line 
101, in enable
    self.restart(instance_name)

  File "/usr/lib/python2.7/site-packages/ipapython/platform/systemd.py", line 
85, in restart
    ipautil.run(["/bin/systemctl", "restart", 
self.service_instance(instance_name)], capture_output=capture_output)

  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 304, in run
    raise CalledProcessError(p.returncode, args)

Should I run ipa-server-install --uninstall on myreplica now?

Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Thursday, June 21, 2012 4:35 PM
>Subject: Re: [Freeipa-users] replica installation clean up
> 
>george he wrote:
>> Hi,
>>
>> after ipa-replica-install and ipa-replica-install --uninstall, now I get
>>
>> [root@myreplica ~]# ipa-replica-install --setup-ca
>> /var/lib/ipa/replica-info.gpg
>> .
>> .
>> .
>> Connection check OK
>> The host myreplica already exists on the master server. Depending on
>> your configuration, you may perform the following:
>>
>> Remove the replication agreement, if any:
>> % ipa-replica-manage del myreplica
>> Remove the host entry:
>> % ipa host-del myreplica
>>
>> If I run this on myreplica:
>> [root@myreplica ~]# ipa-replica-manage del myreplica
>> IPA is not configured on this system.
>> [root@myreplica ~]# ipa host-del myreplica
>> ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may
>> provide more information', 851968)/('Cannot find KDC for requested
>> realm', -1765328230)
>>
>> If I run this on mymaster:
>> [root@mymaster ~]# ipa-replica-manage del myreplica
>> Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
>> [root@mymaster ~]# ipa host-del myreplica
>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>> disabled
>>
>> How do I clean up the unsuccessful installation - uninstallation of a
>> replica?
>
>Ideally you remove the agreement before deleting the replica, hence the 
>LDAP error. Add the --force flag:
>
># ipa-replica-manage del myreplica.fqdn --force
>
>Then you should be able to delete the host entry.
>
>rob
>
>
>
>___

[Freeipa-users] replica installation clean up

2012-06-21 Thread george he
Hi,

after ipa-replica-install and ipa-replica-install --uninstall, now I get

[root@myreplica ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info.gpg
.
.
.
Connection check OK
The host myreplica already exists on the master server. Depending on your 
configuration, you may perform the following:

Remove the replication agreement, if any:
    % ipa-replica-manage del myreplica
Remove the host entry:
    % ipa host-del myreplica

If I run this on myreplica:
[root@myreplica ~]# ipa-replica-manage del myreplica
IPA is not configured on this system.
[root@myreplica ~]# ipa host-del myreplica
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide 
more information', 851968)/('Cannot find KDC for requested realm', -1765328230)

If I run this on mymaster:
[root@mymaster ~]# ipa-replica-manage del myreplica
Unable to delete replica myreplica: {'desc': "Can't contact LDAP server"}
[root@mymaster ~]# ipa host-del myreplica
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled


How do I clean up the unsuccessful installation - uninstallation of a replica?


Thanks,
George
___

Re: [Freeipa-users] ipa user-add

2012-06-21 Thread george he
Hello Dmitri,

OK, I can accept the good practice of using private groups, then I need to 
delete the "left over" group.
The instructions in the document failed as stated in my original email.

Any suggestions how to delete the private group whose user has been deleted?
Thanks,
George



>
> From: Dmitri Pal 
>To: freeipa-users@redhat.com 
>Sent: Thursday, June 21, 2012 3:47 PM
>Subject: Re: [Freeipa-users] ipa user-add
> 
>
>On 06/21/2012 03:10 PM, george he wrote: 
>it's x86_64  2.2.0-1.fc17.
>>Thanks,
>>George
>>
>
>You are looking at the private group feature.
>By default IPA encourages you to take advantage of the user private
>groups - the groups that have only current user in them.
>The value of this is that the files on the file system can be
>owned just by the user. It is a good practice.
>To turn it off there is a utility to turn the managed entries
>creation.
>
>Please do not use LDAP directly (at least yet).
>
>There is another feature that allows one to specify a criteria for
>placing users or hosts into groups. 
>Users in the past were automatically placed into the ipausers
>group but not any more for security reasons explained above and
>for performance reasons as one huge group causes sssd to pull
>everybody on the first lookup.
>
>
>
>>
>>
>>>
>>> From: Rob Crittenden 
>>>To: Rich Megginson  
>>>Cc: george he ; "freeipa-users@redhat.com" 
>>> 
>>>Sent: Thursday, June 21, 2012 2:54 PM
>>>Subject: Re: [Freeipa-users] ipa user-add
>>> 
>>>Rich Megginson wrote:
>>>> On 06/21/2012 12:25 PM, george he wrote:
>>>>> Hello all,
>>>>>
>>>>> After the server and the client are installed, I run
>>>>>
>>>>> ipa user-add myname
>>>>>
>>>>> to add users. The users are added successfully, but each user gets his
>>>>> own GID, which is the same as his UID, even though "ipa config-show
>>>>> --all" shows
>>>>> Default users group: ipausers
>>>>>
>>>>> How do I put all new users to this ipausers group? If I use
>>>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>>>
>>>It would help to know what version and platform of IPA you are using. 
>>>The method differs by version.
>>>
>>>>>
>>>>> I tried to delete a user using "ipa user-del myname", but the private
>>>>> group myname is left there. So I did the following:
>>>>>
>>>>> # ipa group-del myname
>>>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>>>> detached first.
>>>>> # ipa group-detach myname
>>>>> ipa: ERROR: myname: group not found
>>>>> # ipa user-add myname
>>>>> First name: myfirstname
>>>>> Last name: mylastname
>>>>> ipa: ERROR: Unable to create private group. A group 'myname' already
>>>>> exists.
>>>>>
>>>>> How do I get out of this loop?
>>>>
>>>> What is your platform and 389-ds-base version?
>>>>
>>>> I'm not familiar with group-detach, but you can manually detach and
>>>> remove the private group using ldapsearch and ldapmodify:
>>>>
>>>> assuming you have done kinit admin:
>>>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>>>> This will give you the DN of the group - ignore any entries in the
>>>> compat tree
>>>>
>>>> 2) ldapmodify -Y GSSAPI <<EOF
>>>> dn: DN of the group from ldapsearch
>>>> changetype: modify
>>>> delete: objectclass
>>>> objectclass: mepManagedEntry
>>>> -
>>>> delete: mepManagedBy
>>>> -
>>>>
>>>> dn: DN of the group from ldapsearch
>>>> changetype: delete
>>>> EOF
>>>>
>>>> This will remove the private group.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>
>>>>>
>>>>>
___
>>>>
>>>>
>>>>
>>>> ___
>>>
>>>
>>>
>>>
>>
___
>
>
>-- 
Thank you,
Dmitri Pal Sr. Engineering Manager IPA project,
Red Hat Inc. ---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/ 
>___
>
>___

Re: [Freeipa-users] ipa user-add

2012-06-21 Thread george he
it's x86_64  2.2.0-1.fc17.
Thanks,
George




>
> From: Rob Crittenden 
>To: Rich Megginson  
>Cc: george he ; "freeipa-users@redhat.com" 
> 
>Sent: Thursday, June 21, 2012 2:54 PM
>Subject: Re: [Freeipa-users] ipa user-add
> 
>Rich Megginson wrote:
>> On 06/21/2012 12:25 PM, george he wrote:
>>> Hello all,
>>>
>>> After the server and the client are installed, I run
>>>
>>> ipa user-add myname
>>>
>>> to add users. The users are added successfully, but each user gets his
>>> own GID, which is the same as his UID, even though "ipa config-show
>>> --all" shows
>>> Default users group: ipausers
>>>
>>> How do I put all new users to this ipausers group? If I use
>>> --gidnumber=INT, how to find out the GID of the ipausers group?
>
>It would help to know what version and platform of IPA you are using. 
>The method differs by version.
>
>>>
>>> I tried to delete a user using "ipa user-del myname", but the private
>>> group myname is left there. So I did the following:
>>>
>>> # ipa group-del myname
>>> ipa: ERROR: Deleting a managed group is not allowed. It must be
>>> detached first.
>>> # ipa group-detach myname
>>> ipa: ERROR: myname: group not found
>>> # ipa user-add myname
>>> First name: myfirstname
>>> Last name: mylastname
>>> ipa: ERROR: Unable to create private group. A group 'myname' already
>>> exists.
>>>
>>> How do I get out of this loop?
>>
>> What is your platform and 389-ds-base version?
>>
>> I'm not familiar with group-detach, but you can manually detach and
>> remove the private group using ldapsearch and ldapmodify:
>>
>> assuming you have done kinit admin:
>> 1) ldapsearch -LLL -Y GSSAPI cn=myname dn
>> This will give you the DN of the group - ignore any entries in the
>> compat tree
>>
>> 2) ldapmodify -Y GSSAPI <<EOF
>> dn: DN of the group from ldapsearch
>> changetype: modify
>> delete: objectclass
>> objectclass: mepManagedEntry
>> -
>> delete: mepManagedBy
>> -
>>
>> dn: DN of the group from ldapsearch
>> changetype: delete
>> EOF
>>
>> This will remove the private group.
>>>
>>> Thanks,
>>> George
>>>
>>>
>>>
>>> ___
>>
>>
>>
>> ___
>
>
>
>___

[Freeipa-users] ipa user-add

2012-06-21 Thread george he
Hello all,

After the server and the client are installed, I run

ipa user-add myname


to add users. The users are added successfully, but each user gets his own GID, 
which is the same as his UID, even though "ipa config-show --all" shows

  Default users group: ipausers


How do I put all new users to this ipausers group? If I use --gidnumber=INT, 
how to find out the GID of the ipausers group?

I tried to delete a user using "ipa user-del myname", but the private group 
myname is left there. So I did the following:


# ipa group-del myname
ipa: ERROR: Deleting a managed group is not allowed. It must be detached first.
# ipa group-detach myname
ipa: ERROR: myname: group not found

# ipa user-add myname
First name: myfirstname
Last name: mylastname
ipa: ERROR: Unable to create private group. A group 'myname' already exists.


How do I get out of this loop?

Thanks,
George
___

Re: [Freeipa-users] Joining realm failed: Host is already joined

2012-06-21 Thread george he
Hello Rob,

Here is what I get by running the commands:

# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
 - 
# ipa-rmkeytab -k /etc/krb5.keytab -r MYREALM
realm not found
# 


I thought the commands didn't solve the problem, but when I run 
ipa-client-install again, it says at the end "Client configuration complete."

and it was found on the server by "ipa host-find". So I guess the problem is 
gone.

Your help is very appreciated.
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: Petr Viktorin ; "freeipa-users@redhat.com" 
> 
>Sent: Thursday, June 21, 2012 11:18 AM
>Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined
> 
>george he wrote:
>> Thanks Petr,
>>
>> Now it says:
>>
>> Failed to obtain host TGT.
>> Installation failed. Rolling back changes.
>> I did the manual installation on this machine when the
>> ipa-client-install script failed.
>> I guess there's a lot to clean up :(
>
>/var/log/ipaclient-install.log may have more details on the failure.
>
>It could be that you have a lingering host principal. Run klist -kt 
>/etc/krb5.keytab. To remove all principals for your realm from this 
>keytab run:
>
># ipa-rmkeytab -k /etc/krb5.keytab -r YOUR_REALM
>
>rob
>
>
>___

Re: [Freeipa-users] Joining realm failed: Host is already joined

2012-06-21 Thread george he
Thanks Petr,

Now it says:

Failed to obtain host TGT.
Installation failed. Rolling back changes.


I did the manual installation on this machine when the ipa-client-install 
script failed.
I guess there's a lot to clean up :(

George



>
> From: Petr Viktorin 
>To: freeipa-users@redhat.com 
>Sent: Thursday, June 21, 2012 10:50 AM
>Subject: Re: [Freeipa-users] Joining realm failed: Host is already joined
> 
>On 06/21/2012 04:42 PM, george he wrote:
>> Hello all,
>>
>> When I do ipa-client-install on a client with previous unsuccessful
>> installation, I get this error message:
>>
>> Joining realm failed: Host is already joined.
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>>
>> How do I clean up the machine for a clean installation?
>> I tried
>> ipa-client-install --uninstall
>> but get this:
>> IPA client is not configured on this system.
>>
>> Thanks,
>> George
>>
>
>Do a ipa host-del on the server.
>
>
>-- 
>Petr³
>
>___
>
>
>___

[Freeipa-users] Joining realm failed: Host is already joined

2012-06-21 Thread george he
Hello all,

When I do ipa-client-install on a client with previous unsuccessful 
installation, I get this error message:

Joining realm failed: Host is already joined.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


How do I clean up the machine for a clean installation?
I tried 

ipa-client-install --uninstall

but get this:
IPA client is not configured on this system.


Thanks,
George
___

Re: [Freeipa-users] ipa installation problem -- 2

2012-06-20 Thread george he
Hi Rob,
Client configuration complete.
but it says Failed to upload host SSH public keys. Hope it's OK.
Thanks a lot,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Wednesday, June 20, 2012 4:24 PM
>Subject: Re: [Freeipa-users] ipa installation problem -- 2
> 
>george he wrote:
>> Hello all,
>>
>> My first problem was related to firewall, the command
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> opened port 80 after this line in iptables thus the problem I had.
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> Now I have another problem when I run ipa-client-install on the client
>> (after it asked for admin password):
>>
>> Joining realm failed: HTTP response code is 400, not 200
>>
>> Here are the related lines in /var/log/ipaclient-install.log
>> 2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s
>> cns2.psych.yale.edu -b dc=psych,dc=yale,dc=edu
>> 2012-06-20T19:46:53Z DEBUG stdout=
>> 2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200
>>
>>
>
>Try updating mod_nss to mod_nss.x86_64 0:1.0.8-17.fc17.
>
>rob
>
>

[Freeipa-users] ipa installation problem -- 2

2012-06-20 Thread george he
Hello all,

My first problem was related to firewall, the command
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
opened port 80 after this line in iptables thus the problem I had.

REJECT all  --  anywhere anywhere reject-with 
icmp-host-prohibited


Now I have another problem when I run ipa-client-install on the client (after 
it asked for admin password):

Joining realm failed: HTTP response code is 400, not 200

Here are the related lines in /var/log/ipaclient-install.log

2012-06-20T19:46:53Z DEBUG args=/usr/sbin/ipa-join -s cns2.psych.yale.edu -b 
dc=psych,dc=yale,dc=edu
2012-06-20T19:46:53Z DEBUG stdout=
2012-06-20T19:46:53Z DEBUG stderr=HTTP response code is 400, not 200


Suggestions, please.

Thanks,
George

Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread george he
Hello Rob,
netstat |grep 443 returned nothing, but lsof -i :80 (or :443) returned things 
like this:

httpd   4206 apache    5u  IPv6 846355   TCP *:http (LISTEN)
Is the IPv6 here a problem?
Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, June 19, 2012 10:43 AM
>Subject: Re: [Freeipa-users] ipa installation problem
> 
>george he wrote:
>> Hello Rob,
>> Can it be that the httpd service is not running properly?
>> On all servers, I can only run wget on the server itself successfully...
>> At least on fc15, the client was able to contact the server, but the
>> connection was refused.
>> maybe the configuration part of httpd?
>> On other machines in the same lab, I have set up two web servers in the
>> "usual" way and they both run with no problem.
>
>I don't know what to tell you. This problem is independent of IPA. It 
>means that the client doesn't know how to get to the server (no route to 
>host)
>
>Connection refused would suggest that the server isn't accepting 
>connections. You could use netstat to confirm that it is listening on 
>ports 80 and 443, I think you'll find it is.
>
>IPA doesn't do anything particularly clever with the web server, just 
>configures it to use mod_nss as an SSL listener. Since wget is using 
>port 80 you aren't even using any changes made by IPA. And no route to 
>host suggests it isn't even getting that far.
>
>You might try shutting down iptables on the server and client and try that.
>
>rob
>
>> Thanks,
>> George
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* "freeipa-users@redhat.com" 
>>     *Sent:* Tuesday, June 19, 2012 9:32 AM
>>     *Subject:* Re: [Freeipa-users] ipa installation problem
>>
>>     george he wrote:
>>      > Hello all,
>>      > While waiting for more suggestions on my thread "is not an IPA v2
>>      > Server", I tried to install ipa server on other machines running fc16
>>      > and fc15.
>>      > When server is on fc16, I get the same error as when it's on
>>     fc17, wget
>>      > failed: No route to host.
>>      > when server is on fc15, wget still failed, but the reason was
>>      > "Connection refused".
>>      > Seems to me there's something else to do after running
>>      > ipa-server-install on the server.
>>
>>     This is unrelated to IPA. We do no network configuration changes,
>>     only start services.
>>
>>     The client is doing a simple wget which just issues an HTTP request.
>>     The network stack is saying it can't talk to the IPA server so I'd
>>     start there. wireshark might be helpful.
>>
>>     rob
>>
>>
>
>
>

Re: [Freeipa-users] ipa installation problem

2012-06-19 Thread george he
Hello Rob,
Can it be that the httpd service is not running properly?
On all servers, I can only run wget on the server itself successfully...
At least on fc15, the client was able to contact the server, but the connection 
was refused.
maybe the configuration part of httpd?
On other machines in the same lab, I have set up two web servers in the "usual" 
way and they both run with no problem.

Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, June 19, 2012 9:32 AM
>Subject: Re: [Freeipa-users] ipa installation problem
> 
>george he wrote:
>> Hello all,
>> While waiting for more suggestions on my thread "is not an IPA v2
>> Server", I tried to install ipa server on other machines running fc16
>> and fc15.
>> When server is on fc16, I get the same error as when it's on fc17, wget
>> failed: No route to host.
>> when server is on fc15, wget still failed, but the reason was
>> "Connection refused".
>> Seems to me there's something else to do after running
>> ipa-server-install on the server.
>
>This is unrelated to IPA. We do no network configuration changes, only start 
>services.
>
>The client is doing a simple wget which just issues an HTTP request. The 
>network stack is saying it can't talk to the IPA server so I'd start there. 
>wireshark might be helpful.
>
>rob
>
>

[Freeipa-users] ipa installation problem

2012-06-18 Thread george he
Hello all,
While waiting for more suggestions on my thread "is not an IPA v2 Server", I 
tried to install ipa server on other machines running fc16 and fc15.
When server is on fc16, I get the same error as when it's on fc17, wget failed: 
No route to host.
when server is on fc15, wget still failed, but the reason was "Connection 
refused".
Seems to me there's something else to do after running ipa-server-install on 
the server.
Any suggestions?
Thanks,
George

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Forgot to mention that the server is installed by following this 
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/installing-ipa.html
and the client has the same ports open as the server.
George




>
> From: george he 
>To: Rob Crittenden  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 18, 2012 1:41 PM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>
>Hi Rob,
>I was just thinking it's very unlikely the university would block http 
>connections from inside, but not ssh from outside. but I'll contact our ITS 
>anyways.
>BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps 
>outlined here 
>https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>There may be some steps that are obvious to people who know these things and 
>are not listed in the document, so I could have missed them.
>Thanks,
>George
>
>
>
>
>
>>
>> From: Rob Crittenden 
>>To: george he  
>>Cc: Petr Viktorin ; "freeipa-users@redhat.com" 
>> 
>>Sent: Monday, June 18, 2012 1:28 PM
>>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>> 
>>george he wrote:
>>> Hello Rob,
>>>
>>> Yes, I did the configuration earlier today. And I did kinit too.
>>> It seems the web UI loads really slowly - the circular thing can turn
>>> for minutes. So maybe I wasn't patient enough to let the page load.
>>
>>A fair bit of javascript is loaded the very first time you visit IPA, 
>>that can be slow. Otherwise it should be relatively quick. Not minutes 
>>anyway.
>>
>>> I can ssh to the server and the client from my home, so I don't think
>>> there's another firewall blocking the connection.
>>
>>Different ports and that isn't the client talking to the server, it is 
>>you talking to the client and to the server. This is definitely some 
>>sort of networking problem, though "no route to host" is rather odd 
>>since you can ping. You might also look at the iptables configuration on 
>>the client.
>>
>>rob
>>
>>> Thanks,
>>> George
>>>
>>>
>>>     *From:* Rob Crittenden 
>>>     *To:* george he 
>>>     *Cc:* Petr Viktorin ;
>>>     "freeipa-users@redhat.com" 
>>>     *Sent:* Monday, June 18, 2012 11:51 AM
>>>     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>>>
>>>     george he wrote:
>>>      > Hello all,
>>>      >
>>>      > Here is some other information.
>>>      > I'm setting this up for a lab in a university. The university has its
>>>      > own kerberos server (and DNS server, which I use).
>>>      > I'm not sure whether anybody has set a kerberos server for the
>>>      > department, or some other labs used the department sub-domain.
>>>      > But I'm sure the realm name is unique.
>>>      >
>>>      > When I open the web UI on the server (firefox 13.0), I almost
>>>     always get
>>>      > this error:
>>>      > Your Kerberos ticket is no longer valid. Please run kinit and
>>>     then click
>>>      > 'Retry'. If this is your first time running the IPA Web UI follow
>>>     these
>>>      > directions
>>>     <https://cns2.psych.yale.edu/ipa/config/unauthorized.html> to
>>>      > configure your browser.
>>>      > Or you can use form-based authentication
>>>      > <https://cns2.psych.yale.edu/ipa/ui/#>.
>>>      > But I can use the form-based authentication sometimes, not always.
>>>
>>>     You need to configure the browser to do Kerberos single sign-on.
>>>     There should be a link in the failure message to take you to a page
>>>     to help you configure this. You also need to have done a kinit.
>>>
>>>     I'm not sure why forms-based auth would work only sometimes,
>>>     additional details would be needed.
>>>
>>>     I'm not sure why the server would be pingable from your client but
>>>     HTTP doesn't work. There may be another firewall blocking the
>>>     packets on your network.
>>>
>>>     rob
>>>
>>>
>>
>>
>>
>>

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hi Rob,
I was just thinking it's very unlikely the university would block http 
connections from inside, but not ssh from outside. But I'll contact our ITS 
anyway.
BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps 
outlined here 
https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
There may be some steps that are obvious to people who know these things and 
are not listed in the document, so I could have missed them.
Thanks,
George




>
> From: Rob Crittenden 
>To: george he  
>Cc: Petr Viktorin ; "freeipa-users@redhat.com" 
> 
>Sent: Monday, June 18, 2012 1:28 PM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>george he wrote:
>> Hello Rob,
>>
>> Yes, I did the configuration earlier today. And I did kinit too.
>> It seems the web UI loads really slowly - the circular thing can turn
>> for minutes. So maybe I wasn't patient enough to let the page load.
>
>A fair bit of javascript is loaded the very first time you visit IPA, 
>that can be slow. Otherwise it should be relatively quick. Not minutes 
>anyway.
>
>> I can ssh to the server and the client from my home, so I don't think
>> there's another firewall blocking the connection.
>
>Different ports and that isn't the client talking to the server, it is 
>you talking to the client and to the server. This is definitely some 
>sort of networking problem, though "no route to host" is rather odd 
>since you can ping. You might also look at the iptables configuration on 
>the client.
>
>rob
>
>> Thanks,
>> George
>>
>>     
>>     *From:* Rob Crittenden 
>>     *To:* george he 
>>     *Cc:* Petr Viktorin ;
>>     "freeipa-users@redhat.com" 
>>     *Sent:* Monday, June 18, 2012 11:51 AM
>>     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>>
>>     george he wrote:
>>      > Hello all,
>>      >
>>      > Here is some other information.
>>      > I'm setting this up for a lab in a university. The university has its
>>      > own kerberos server (and DNS server, which I use).
>>      > I'm not sure whether anybody has set a kerberos server for the
>>      > department, or some other labs used the department sub-domain.
>>      > But I'm sure the realm name is unique.
>>      >
>>      > When I open the web UI on the server (firefox 13.0), I almost
>>     always get
>>      > this error:
>>      > Your Kerberos ticket is no longer valid. Please run kinit and
>>     then click
>>      > 'Retry'. If this is your first time running the IPA Web UI follow
>>     these
>>      > directions
>>     <https://cns2.psych.yale.edu/ipa/config/unauthorized.html> to
>>      > configure your browser.
>>      > Or you can use form-based authentication
>>      > <https://cns2.psych.yale.edu/ipa/ui/#>.
>>      > But I can use the form-based authentication sometimes, not always.
>>
>>     You need to configure the browser to do Kerberos single sign-on.
>>     There should be a link in the failure message to take you to a page
>>     to help you configure this. You also need to have done a kinit.
>>
>>     I'm not sure why forms-based auth would work only sometimes,
>>     additional details would be needed.
>>
>>     I'm not sure why the server would be pingable from your client but
>>     HTTP doesn't work. There may be another firewall blocking the
>>     packets on your network.
>>
>>     rob
>>
>>
>
>
>

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello Rob,

Yes, I did the configuration earlier today. And I did kinit too.
It seems the web UI loads really slowly - the circular thing can turn for 
minutes. So maybe I wasn't patient enough to let the page load.

I can ssh to the server and the client from my home, so I don't think there's 
another firewall blocking the connection.

Thanks,
George





>
> From: Rob Crittenden 
>To: george he  
>Cc: Petr Viktorin ; "freeipa-users@redhat.com" 
> 
>Sent: Monday, June 18, 2012 11:51 AM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>george he wrote:
>> Hello all,
>> 
>> Here is some other information.
>> I'm setting this up for a lab in a university. The university has its
>> own kerberos server (and DNS server, which I use).
>> I'm not sure whether anybody has set a kerberos server for the
>> department, or some other labs used the department sub-domain.
>> But I'm sure the realm name is unique.
>> 
>> When I open the web UI on the server (firefox 13.0), I almost always get
>> this error:
>> Your Kerberos ticket is no longer valid. Please run kinit and then click
>> 'Retry'. If this is your first time running the IPA Web UI follow these
>> directions <https://cns2.psych.yale.edu/ipa/config/unauthorized.html> to
>> configure your browser.
>> Or you can use form-based authentication
>> <https://cns2.psych.yale.edu/ipa/ui/#>.
>> But I can use the form-based authentication sometimes, not always.
>
>You need to configure the browser to do Kerberos single sign-on. There should 
>be a link in the failure message to take you to a page to help you configure 
>this. You also need to have done a kinit.
>
>I'm not sure why forms-based auth would work only sometimes, additional details 
>would be needed.
>
>I'm not sure why the server would be pingable from your client but HTTP 
>doesn't work. There may be another firewall blocking the packets on your 
>network.
>
>rob
>
>

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

Here is some other information.

I'm setting this up for a lab in a university. The university has its own 
kerberos server (and DNS server, which I use). 

I'm not sure whether anybody has set a kerberos server for the department, or 
some other labs used the department sub-domain.
But I'm sure the realm name is unique.

When I open the web UI on the server (firefox 13.0), I almost always get this 
error:
Your Kerberos ticket is no longer valid. Please run kinit and 
then click 'Retry'. If this is your first time running the IPA Web UI follow 
these directions to configure your browser.
Or you can use form-based authentication.
But I can use the form-based authentication sometimes, not always.

Thanks,
George



>
> From: Petr Viktorin 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 18, 2012 10:47 AM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>Hi,
>If you run the wget manually (downloading to an existing directory 
>instead of /tmp/tmpjibrhe), do you get the same error?
>
>Can you connect to the web UI from the client?
>
>
>On 06/18/2012 04:12 PM, george he wrote:
>> Hello Petr,
>> I can ping or ssh to myserver with no problem.
>> btw, here are the ports I opened:
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
>> iptables -A INPUT -p udp --dport 88 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 464 -j ACCEPT
>> iptables -A INPUT -p udp --dport 464 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>> Thanks,
>> George
>>
>>     
>>     *From:* Petr Viktorin 
>>     *To:* "freeipa-users@redhat.com" 
>>     *Cc:* george he 
>>     *Sent:* Monday, June 18, 2012 10:06 AM
>>     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>>
>>     On 06/18/2012 03:44 PM, george he wrote:
>>      > Hello all,
>>      >
>>      > here is the error message from /var/log/ipaclient-install.log on the
>>      > client machine:
>>      >
>>      > Connecting to myserver|myserver ip|:80... failed: No route to host.
>>      > Retrieving CA from myserver failed.
>>      > Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
>>      > http://myserver/ipa/config/ca.crt'
>>     <http://myserver/ipa/config/ca.crt%27> returned non-zero exit status 4
>>
>>     Seems like a routing issue. Can you ping myserver from the client
>>     machine?
>>
>>
>>      > but httpd seems running on myserver and port 80 is open.
>>      > # systemctl status httpd.service
>>      > httpd.service - The Apache HTTP Server (prefork MPM)
>>      > Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>>      > Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400;
>>     22h ago
>>      > Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop
>>     (code=exited,
>>      > status=0/SUCCESS)
>>      > Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start
>>     (code=exited,
>>      > status=0/SUCCESS)
>>      > Main PID: 16233 (httpd)
>>      > CGroup: name=systemd:/system/httpd.service
>>      > ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>>      > ├ 16233 /usr/sbin/httpd -k start
>>      > ├ 16236 /usr/sbin/httpd -k start
>>      > ├ 16237 /usr/sbin/httpd -k start
>>      > ├ 16238 /usr/sbin/httpd -k start
>>      > ├ 16239 /usr/sbin/httpd -k start
>>      > ├ 16240 /usr/sbin/httpd -k start
>>      > ├ 16241 /usr/sbin/httpd -k start
>>      > ├ 16242 /usr/sbin/httpd -k start
>>      > ├ 16243 /usr/sbin/httpd -k start
>>      > ├ 16244 /usr/sbin/httpd -k start
>>      > └ 16245 /usr/sbin/httpd -k start
>>      > I have been working on this for days to set this thing up. Any
>>     help will
>>      > be very appreciated.
>>      > George
>>      >
>>      >
>>     
>>      > *From:* george he
>>      > *To:* "freeipa-users@redhat.com"

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hi Petr,
Yes, I still get the "failed: No route to host" error.
and I cannot connect to the webUI from the client, but I can open the web UI on 
myserver.

Thanks,
George



>
> From: Petr Viktorin 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Monday, June 18, 2012 10:47 AM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>Hi,
>If you run the wget manually (downloading to an existing directory 
>instead of /tmp/tmpjibrhe), do you get the same error?
>
>Can you connect to the web UI from the client?
>
>
>On 06/18/2012 04:12 PM, george he wrote:
>> Hello Petr,
>> I can ping or ssh to myserver with no problem.
>> btw, here are the ports I opened:
>> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 443 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 389 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 636 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 88 -j ACCEPT
>> iptables -A INPUT -p udp --dport 88 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 464 -j ACCEPT
>> iptables -A INPUT -p udp --dport 464 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --dport 53 -j ACCEPT
>> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>> Thanks,
>> George
>>
>>     
>>     *From:* Petr Viktorin 
>>     *To:* "freeipa-users@redhat.com" 
>>     *Cc:* george he 
>>     *Sent:* Monday, June 18, 2012 10:06 AM
>>     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>>
>>     On 06/18/2012 03:44 PM, george he wrote:
>>      > Hello all,
>>      >
>>      > here is the error message from /var/log/ipaclient-install.log on the
>>      > client machine:
>>      >
>>      > Connecting to myserver|myserver ip|:80... failed: No route to host.
>>      > Retrieving CA from myserver failed.
>>      > Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
>>      > http://myserver/ipa/config/ca.crt'
>>     <http://myserver/ipa/config/ca.crt%27> returned non-zero exit status 4
>>
>>     Seems like a routing issue. Can you ping myserver from the client
>>     machine?
>>
>>
>>      > but httpd seems running on myserver and port 80 is open.
>>      > # systemctl status httpd.service
>>      > httpd.service - The Apache HTTP Server (prefork MPM)
>>      > Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>>      > Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400;
>>     22h ago
>>      > Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop
>>     (code=exited,
>>      > status=0/SUCCESS)
>>      > Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start
>>     (code=exited,
>>      > status=0/SUCCESS)
>>      > Main PID: 16233 (httpd)
>>      > CGroup: name=systemd:/system/httpd.service
>>      > ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>>      > ├ 16233 /usr/sbin/httpd -k start
>>      > ├ 16236 /usr/sbin/httpd -k start
>>      > ├ 16237 /usr/sbin/httpd -k start
>>      > ├ 16238 /usr/sbin/httpd -k start
>>      > ├ 16239 /usr/sbin/httpd -k start
>>      > ├ 16240 /usr/sbin/httpd -k start
>>      > ├ 16241 /usr/sbin/httpd -k start
>>      > ├ 16242 /usr/sbin/httpd -k start
>>      > ├ 16243 /usr/sbin/httpd -k start
>>      > ├ 16244 /usr/sbin/httpd -k start
>>      > └ 16245 /usr/sbin/httpd -k start
>>      > I have been working on this for days to set this thing up. Any
>>     help will
>>      > be very appreciated.
>>      > George
>>      >
>>      >
>>     
>>      > *From:* george he
>>      > *To:* "freeipa-users@redhat.com"
>>      > *Sent:* Saturday, June 16, 2012 4:02 PM
>>      > *Subject:* is not an IPA v2 Server.
>>      >
>>      > Hello all,
>>      >
>>      > I'm trying to install freeipa for a small lab with <10 computers,
>>      > all running fedora 17.
>>      > I seemed to have installed ipa server (without DNS) successfully,
>>      >
>> 

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello Petr,
I can ping or ssh to myserver with no problem.
btw, here are the ports I opened:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
Thanks,
George



>
> From: Petr Viktorin 
>To: "freeipa-users@redhat.com"  
>Cc: george he  
>Sent: Monday, June 18, 2012 10:06 AM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
> 
>On 06/18/2012 03:44 PM, george he wrote:
>> Hello all,
>>
>> here is the error message from /var/log/ipaclient-install.log on the
>> client machine:
>>
>> Connecting to myserver|myserver ip|:80... failed: No route to host.
>> Retrieving CA from myserver failed.
>> Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2
>> http://myserver/ipa/config/ca.crt' returned non-zero exit status 4
>
>Seems like a routing issue. Can you ping myserver from the client machine?
>
>
>> but httpd seems running on myserver and port 80 is open.
>> # systemctl status httpd.service
>> httpd.service - The Apache HTTP Server (prefork MPM)
>> Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
>> Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
>> Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited,
>> status=0/SUCCESS)
>> Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited,
>> status=0/SUCCESS)
>> Main PID: 16233 (httpd)
>> CGroup: name=systemd:/system/httpd.service
>> ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
>> ├ 16233 /usr/sbin/httpd -k start
>> ├ 16236 /usr/sbin/httpd -k start
>> ├ 16237 /usr/sbin/httpd -k start
>> ├ 16238 /usr/sbin/httpd -k start
>> ├ 16239 /usr/sbin/httpd -k start
>> ├ 16240 /usr/sbin/httpd -k start
>> ├ 16241 /usr/sbin/httpd -k start
>> ├ 16242 /usr/sbin/httpd -k start
>> ├ 16243 /usr/sbin/httpd -k start
>> ├ 16244 /usr/sbin/httpd -k start
>> └ 16245 /usr/sbin/httpd -k start
>> I have been working on this for days to set this thing up. Any help will
>> be very appreciated.
>> George
>>
>>     
>>     *From:* george he 
>>     *To:* "freeipa-users@redhat.com" 
>>     *Sent:* Saturday, June 16, 2012 4:02 PM
>>     *Subject:* is not an IPA v2 Server.
>>
>>     Hello all,
>>
>>     I'm trying to install freeipa for a small lab with <10 computers,
>>     all running fedora 17.
>>     I seemed to have installed ipa server (without DNS) successfully,
>>
>>     # ipactl status
>>     Directory Service: RUNNING
>>     KDC Service: RUNNING
>>     KPASSWD Service: RUNNING
>>     MEMCACHE Service: RUNNING
>>     HTTP Service: RUNNING
>>     CA Service: RUNNING
>>
>>     but when I try to run ipa-client-install on a client machine, I get
>>     this error message:
>>
>>     http://server.my.edu/ is not an IPA v2 Server.
>>     Installation failed. Rolling back changes.
>>     IPA client is not configured on this system.
>>
>>     what am I missing?
>>     ps, I'm following the instructions here:
>>    
>>https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>>     Thanks,
>>     George
>>
>>
>>
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>-- 
>Petr³
>
>
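The port list in the post above and the earlier "ipa installation problem -- 2" post (where an ACCEPT added with `iptables -A` landed after the catch-all REJECT and never matched) come down to rule order: iptables evaluates the INPUT chain top to bottom and stops at the first terminating target. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed ruleset in `iptables -S INPUT` format, flags ACCEPT rules that sit behind a REJECT or DROP, and reports which of the listed IPA ports actually reach an ACCEPT. The sample rulesets, the loopback-only handling of `-i lo`, and the port list are assumptions taken from the thread.

```python
"""Walk an iptables INPUT chain in order and report which IPA ports really reach
an ACCEPT.  Added example for this thread, not FreeIPA project code.  Rules are
read in `iptables -S INPUT` output format; the sample ruleset is constructed to
mirror the thread: a default Fedora chain ending in a catch-all REJECT."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Ports the poster opened on the server, as listed in the thread.
IPA_PORTS = [("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636), ("tcp", 88),
             ("udp", 88), ("tcp", 464), ("udp", 464), ("tcp", 53), ("udp", 53),
             ("udp", 123)]
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: the ACCEPTs for 80/443 were appended (-A) after the REJECT.
BROKEN = """
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
# Constructed "after" ruleset: same rules with the REJECT moved last, which is
# what inserting the ACCEPTs with `iptables -I INPUT <n>` ahead of it achieves.
_lines = BROKEN.strip().splitlines()
FIXED = "\n".join([ln for ln in _lines if "REJECT" not in ln]
                  + [ln for ln in _lines if "REJECT" in ln])

@dataclass
class Rule:
    text: str
    target: str
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[Set[str]] = None    # --state / --ctstate
    iface: Optional[str] = None          # -i

RULE_RE = re.compile(r"^-A INPUT\s+(?P<body>.*?)\s*-j\s+(?P<target>\S+)")

def parse_ruleset(text: str) -> Tuple[str, List[Rule]]:
    """Return (chain policy, rules in evaluation order) from `iptables -S` text."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line or a form this example does not model
        body = " " + m.group("body")
        rule = Rule(text=line, target=m.group("target"))
        if (p := re.search(r"\s-p\s+(\S+)", body)):
            rule.proto = p.group(1)
        if (d := re.search(r"--dport\s+(\d+)", body)):
            rule.dport = int(d.group(1))
        if (s := re.search(r"--(?:ct)?state\s+(\S+)", body)):
            rule.states = set(s.group(1).split(","))
        if (i := re.search(r"\s-i\s+(\S+)", body)):
            rule.iface = i.group(1)
        rules.append(rule)
    return policy, rules

def applies(rule: Rule, proto: str, port: int) -> bool:
    """Would this rule match a NEW connection from a remote client to proto/port?
    Assumption: only `-i lo` is loopback-scoped; other interfaces face the client."""
    if rule.iface == "lo" or (rule.states is not None and "NEW" not in rule.states):
        return False  # loopback-only, or a conntrack rule for established flows
    if rule.proto is not None and rule.proto != proto:
        return False
    return rule.dport is None or rule.dport == port

def verdict(policy: str, rules: List[Rule], proto: str, port: int) -> Tuple[str, Optional[int]]:
    """First terminating rule that decides a new packet, else the chain policy."""
    for idx, rule in enumerate(rules):
        if rule.target in TERMINATING and applies(rule, proto, port):
            return rule.target, idx
    return policy, None

def shadowed_accepts(policy: str, rules: List[Rule]) -> List[int]:
    """Port-specific ACCEPT rules that an earlier REJECT/DROP makes unreachable."""
    hits = []
    for idx, rule in enumerate(rules):
        if rule.target == "ACCEPT" and rule.proto and rule.dport:
            _, first = verdict(policy, rules, rule.proto, rule.dport)
            if first is not None and first != idx and rules[first].target != "ACCEPT":
                hits.append(idx)
    return hits

def check_ipa_ports(text: str) -> Dict[Tuple[str, int], str]:
    """Map each IPA port to the target a new connection to it will hit."""
    policy, rules = parse_ruleset(text)
    return {(proto, port): verdict(policy, rules, proto, port)[0]
            for proto, port in IPA_PORTS}
```

On a live server the same check runs over the real output of `iptables -S INPUT`, and `iptables -I INPUT <n>` rather than `-A` is what places a rule ahead of the REJECT.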

Re: [Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

here is the error message from /var/log/ipaclient-install.log on the client 
machine:

Connecting to myserver|myserver ip|:80... failed: No route to host.
Retrieving CA from myserver failed.
Command '/usr/bin/wget -O /tmp/tmpjibrhe/ca.crt -T 15 -t 2 
http://myserver/ipa/config/ca.crt' returned non-zero exit status 4


but httpd seems running on myserver and port 80 is open.
# systemctl status httpd.service

httpd.service - The Apache HTTP Server (prefork MPM)
      Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
      Active: active (running) since Sun, 17 Jun 2012 11:17:07 -0400; 22h ago
     Process: 16225 ExecStop=/usr/sbin/httpd $OPTIONS -k stop (code=exited, 
status=0/SUCCESS)
     Process: 16230 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, 
status=0/SUCCESS)
    Main PID: 16233 (httpd)
      CGroup: name=systemd:/system/httpd.service
          ├ 16231 /usr/sbin/nss_pcache 1212421 off /etc/httpd/alias
          ├ 16233 /usr/sbin/httpd -k start
          ├ 16236 /usr/sbin/httpd -k start
          ├ 16237 /usr/sbin/httpd -k start
          ├ 16238 /usr/sbin/httpd -k start
          ├ 16239 /usr/sbin/httpd -k start
          ├ 16240 /usr/sbin/httpd -k start
          ├ 16241 /usr/sbin/httpd -k start
          ├ 16242 /usr/sbin/httpd -k start
          ├ 16243 /usr/sbin/httpd -k start
          ├ 16244 /usr/sbin/httpd -k start
          └ 16245 /usr/sbin/httpd -k start
I have been working on this for days to set this thing up. Any help will be 
very appreciated.
George



>
> From: george he 
>To: "freeipa-users@redhat.com"  
>Sent: Saturday, June 16, 2012 4:02 PM
>Subject: is not an IPA v2 Server.
> 
>
>Hello all,
>
>
>I'm trying to install freeipa for a small lab with <10 computers, all running 
>fedora 17.
>I seemed to have installed ipa server (without DNS) successfully,
>
>
>
># ipactl status
>Directory Service: RUNNING
>KDC Service: RUNNING
>KPASSWD Service: RUNNING
>MEMCACHE Service: RUNNING
>HTTP Service: RUNNING
>CA Service: RUNNING
>
>
>
>but when I try to run ipa-client-install on a client machine, I get this error 
>message:
>
>
> is not an IPA v2 Server.
>Installation failed. Rolling back changes.
>IPA client is not configured on this system.
>
>
>
>what am I missing?
>ps, I'm following the instructions here: 
>
>https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html
>
>Thanks,
>George
>
>
>

[Freeipa-users] is not an IPA v2 Server.

2012-06-18 Thread george he
Hello all,

I'm trying to install freeipa for a small lab with <10 computers, all running 
fedora 17.
I seemed to have installed ipa server (without DNS) successfully,


# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


but when I try to run ipa-client-install on a client machine, I get this error 
message:

 is not an IPA v2 Server.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


what am I missing?
ps, I'm following the instructions here: 

https://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

Thanks,
George