Re: [Freeipa-users] FreeIPA user can't login to linux.
The problem still exists after the update from 4.1 to 4.2.3. Rob, how do I check the missing managed entry?

2015-11-20 0:11 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
> zhiyong xue wrote:
> > Rob, where can I get more error information beside the log?
> >
> > [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> > failed to delete managed entry
> > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
>
> I can still only assume what you're doing: manually adding the entries
> directly by LDAP. To do this you need to follow IPA conventions, or use
> the new user lifecycle framework added in 4.2.
>
> I'm guessing it can't delete the managed entry because either it doesn't
> exist or it is missing an objectclass/attribute marking it as managed.
>
> rob
>
> > 2015-11-16 13:43 GMT+08:00 zhiyong xue <xuez...@gmail.com>:
> >
> > > I am using IPA 4.1 on CentOS 7, and I can log in to the system after
> > > "id syncopex5"; maybe it's a cache problem.
> > >
> > > 2015-11-16 11:24 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
> > >
> > > > zhiyong xue wrote:
> > > > > We integrated the Apache Syncope server with the FreeIPA server, so a
> > > > > user can self-register an ID from Apache Syncope, which is then
> > > > > synchronized to FreeIPA. The problems are:
> > > > > *1) A user created from Apache Syncope can't log in to Linux. A user
> > > > > created from the FreeIPA web GUI works well.*
> > > >
> > > > For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> > > > This is unlikely to fix things but it will help with later debugging.
> > > >
> > > > This likely revolves around how you are creating these accounts. We'll
> > > > need information on what you're doing. The more details the better.
> > > >
> > > > > *2) The user also can't be deleted from the web UI or the CLI. It said
> > > > > "syncopex5: user not found".*
> > > >
> > > > Again, you probably aren't creating the users correctly.
> > > >
> > > > I can only assume that you are creating the users directly via an LDAP
> > > > add. This is working around the IPA framework which does additional work.
> > > >
> > > > Knowing what version of IPA this is would help too.
> > > >
> > > > You'll probably also want to read this:
> > > > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> > > > IPA 4.2.
> > > >
> > > > rob
> > > > rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
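Rob's point above is that a user written by a plain LDAP add lacks what IPA's own user-add and the managed-entries plugin set, in particular the link from the user entry to its private group under cn=groups,cn=accounts. As an added example (not code from the thread or from FreeIPA), the offline checker below reads ldapsearch LDIF output and lists what is missing; the sample input is constructed from the syncopex5 entry posted in this thread, and the user "good", its private group and their attribute values are made up.

```python
import textwrap

# Constructed sample: the syncopex5 entry posted in the thread, trimmed to what
# matters here, beside a made-up user "good" with the links ipa user-add creates.
SAMPLE_LDIF = textwrap.dedent("""\
    dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
    objectClass: mepOriginEntry

    dn: uid=good,cn=users,cn=accounts,dc=example,dc=com
    objectClass: mepOriginEntry
    ipaUniqueID: 00000000-0000-0000-0000-000000000000
    krbPrincipalName: good@EXAMPLE.COM
    mepManagedEntry: cn=good,cn=groups,cn=accounts,dc=example,dc=com

    dn: cn=good,cn=groups,cn=accounts,dc=example,dc=com
    objectClass: mepManagedEntry
    mepManagedBy: uid=good,cn=users,cn=accounts,dc=example,dc=com
""")

def parse_ldif(text):
    """Map lower-cased DN -> {lower-cased attribute: [lower-cased values]}."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            cur = None                      # blank/comment line ends an entry
            continue
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            cur = entries.setdefault(value.lower(), {})
        elif cur is not None:               # unwrapped ldapsearch output assumed
            cur.setdefault(attr.lower(), []).append(value.lower())
    return entries

def check_user(entries, uid, base="dc=example,dc=com"):
    """Return what is missing for uid to look like a user IPA itself created."""
    user_dn = f"uid={uid},cn=users,cn=accounts,{base}".lower()
    group_dn = f"cn={uid},cn=groups,cn=accounts,{base}".lower()
    user = entries.get(user_dn)
    if user is None:
        return [f"no user entry {user_dn}"]
    problems = [f"user lacks {a}" for a in ("ipauniqueid", "krbprincipalname") if a not in user]
    if group_dn not in user.get("mepmanagedentry", []):
        problems.append("user lacks mepManagedEntry -> " + group_dn)
    group = entries.get(group_dn)
    if group is None:
        problems.append("private group missing: " + group_dn)
    elif ("mepmanagedentry" not in group.get("objectclass", [])
          or user_dn not in group.get("mepmanagedby", [])):
        problems.append("private group not marked as managed by " + user_dn)
    return problems
```

Feed it the output of an ldapsearch over cn=accounts (run with `-o ldif-wrap=no` so long values are not folded) and compare a Syncope-created user against one created with `ipa user-add`.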
Re: [Freeipa-users] FreeIPA user can't login to linux.
Rob, where can I get more error information beside the log?

[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

2015-11-16 13:43 GMT+08:00 zhiyong xue <xuez...@gmail.com>:
> I am using IPA 4.1 on CentOS 7, and I can log in to the system after
> "id syncopex5"; maybe it's a cache problem.
>
> 2015-11-16 11:24 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
>
>> zhiyong xue wrote:
>> > We integrated the Apache Syncope server with the FreeIPA server, so a
>> > user can self-register an ID from Apache Syncope, which is then
>> > synchronized to FreeIPA. The problems are:
>> > *1) A user created from Apache Syncope can't log in to Linux. A user
>> > created from the FreeIPA web GUI works well.*
>>
>> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
>> This is unlikely to fix things but it will help with later debugging.
>>
>> This likely revolves around how you are creating these accounts. We'll
>> need information on what you're doing. The more details the better.
>>
>> > *2) The user also can't be deleted from the web UI or the CLI. It said
>> > "syncopex5: user not found".*
>>
>> Again, you probably aren't creating the users correctly.
>>
>> I can only assume that you are creating the users directly via an LDAP
>> add. This is working around the IPA framework which does additional work.
>>
>> Knowing what version of IPA this is would help too.
>>
>> You'll probably also want to read this:
>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
>> IPA 4.2.
>>
>> rob
>> rob
Re: [Freeipa-users] FreeIPA user can't login to linux.
I queried a new user, syncopex8, which was also created from the Apache Syncope server.

*The output of the command "ldapsearch -x -h localhost -b dc=exampe,dc=com uid=syncopex8":*

# extended LDIF
#
# LDAPv3
# base
Re: [Freeipa-users] FreeIPA user can't login to linux.
I am using IPA 4.1 on CentOS 7, and I can log in to the system after "id syncopex5"; maybe it's a cache problem.

2015-11-16 11:24 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>:
> zhiyong xue wrote:
> > We integrated the Apache Syncope server with the FreeIPA server, so a
> > user can self-register an ID from Apache Syncope, which is then
> > synchronized to FreeIPA. The problems are:
> > *1) A user created from Apache Syncope can't log in to Linux. A user
> > created from the FreeIPA web GUI works well.*
>
> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> This is unlikely to fix things but it will help with later debugging.
>
> This likely revolves around how you are creating these accounts. We'll
> need information on what you're doing. The more details the better.
>
> > *2) The user also can't be deleted from the web UI or the CLI. It said
> > "syncopex5: user not found".*
>
> Again, you probably aren't creating the users correctly.
>
> I can only assume that you are creating the users directly via an LDAP
> add. This is working around the IPA framework which does additional work.
>
> Knowing what version of IPA this is would help too.
>
> You'll probably also want to read this:
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> IPA 4.2.
>
> rob
> rob
[Freeipa-users] FreeIPA user can't login to linux.
We integrated the Apache Syncope server with the FreeIPA server, so a user can self-register an ID from Apache Syncope, which is then synchronized to FreeIPA. The problems are:

*1) A user created from Apache Syncope can't log in to Linux. A user created from the FreeIPA web GUI works well.*

This is the information for the user (syncopex5) created from Apache Syncope:

# syncopex5, users, compat, example.com
dn: uid=syncopex5,cn=users,cn=compat,dc=example,dc=com
cn: x5syncope
objectClass: posixAccount
objectClass: top
gidNumber: 657600034
gecos: x5syncope
uidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
uid: syncopex5

# syncopex5, users, accounts, example.com
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: x5syncope
displayName: x5syncope
uid: syncopex5
gecos: x5syncope
uidNumber: 657600034
gidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
sn: syncope
givenName: x5
initials: xs

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

*2) The user also can't be deleted from the web UI or the CLI. It said "syncopex5: user not found".*

*The errors log:*

[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4130 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4131 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4221 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4222 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4353 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could not delete change record 4354 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could not delete change record 5129 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could not delete change record 5130 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could not delete change record 5155 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could not delete change record 5156 (rc: 32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

*The access log:*

[16/Nov/2015:02:52:50 +] conn=5512 op=36 UNBIND
[16/Nov/2015:02:52:50 +] conn=5512 op=36 fd=621 closed - U1
[16/Nov/2015:02:52:59 +] conn=5513 fd=621 slot=621 connection from 192.168.10.39 to 192.168.10.39
[16/Nov/2015:02:52:59 +] conn=5513 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +] conn=5513 op=3 SRCH base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[16/Nov/2015:02:52:59 +] conn=5513 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=4 SRCH base="cn=users,cn=accounts,dc=example,dc=com" scope=1 filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))" attrs="telephoneNumber sshpubkeyfp uid title loginShell uidNumber gidNumber sn homeDirectory mail givenName nsAccountLock"
[16/Nov/2015:02:52:59 +] conn=5513 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=5 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
[16/Nov/2015:02:52:59 +] conn=5513 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=6 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[16/Nov/2015:02:52:59 +] conn=5513 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=7 SRCH base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0
Re: [Freeipa-users] How to install freeIPA client to many VMs?
Thanks Rich,

Do the VMs created by Nova include the domain name, or do you set a static name with "ipa-client-install --hostname `hostname`.mydomain.test"?

2015-10-15 0:14 GMT+08:00 Rich Megginson <rmegg...@redhat.com>:
> On 10/14/2015 09:58 AM, zhiyong xue wrote:
> > Yes, that's my problem. These VMs were created by OpenStack and got
> > host names without any domain at all. Is there any way to let a newly
> > created VM join the domain automatically?
>
> I am working on such a feature:
> https://github.com/richm/rdo-vm-factory/tree/master/rdo-ipa-nova
>
> This is not a product yet, just a PoC.
>
> This allows you to:
> * automatically register VMs created by Nova with IPA
> * automatically assign DNS A records in IPA when you assign a floating IP
> address to a VM
>
> > Thanks Martin.
> >
> > 2015-10-14 22:40 GMT+08:00 Martin Kosek <mko...@redhat.com>:
> >
> >> On 10/14/2015 03:43 PM, zhiyong xue wrote:
> >> > There are lots of VMs created from OpenStack in our environment, and we
> >> > need to install the IPA client on them. I want to create a base image
> >> > with the IPA client installed, and generate VMs from this image.
> >> >
> >> > When the VM first boots it will auto-register to the IPA server. But
> >> > the VM's host name has no domain (it is not a FQDN) and registration
> >> > fails.
> >>
> >> How does the client get the domain then? It is currently needed for the
> >> FreeIPA clients, so you need to either postpone Client registration until
> >> domain is set, or override the hostname in ipa-client-install with static
> >> domain, like
> >>
> >> # ipa-client-install --hostname `hostname`.mydomain.test
> >>
> >> > What's the right approach to install the IPA client on VMs cloned
> >> > from a base image?
> >> >
> >> > Thanks,
> >> > -- Brave
Re: [Freeipa-users] How to config automembership for IP or subnet
Thanks Martin.

This is the document link: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/automember.html
It says: "Dividing hosts based on their IP address or subnet."

After I ran ipa-client-install the host was registered to the server automatically. I have many clients in two subnets; it's impossible to add the description manually.

2015-10-14 22:29 GMT+08:00 Martin Kosek <mko...@redhat.com>:
> On 10/14/2015 03:33 PM, zhiyong xue wrote:
> > The document said
>
> Hi,
>
> What document you have in mind?
>
> > we can create an automembership rule based on IP or subnet.
> > But there isn't any sample of it. Does anyone know how to create them?
>
> If the information/attribute is not in the LDAP entry for the Host, Automember
> has no means of applying the rule and adding the membership. The only idea I
> have now is that you could create the Host entries before ipa-client-install is
> run, and manually set some attribute containing the subnet identification to
> description or Host Class attribute that Automember could consume.
>
> > I have two subnets and need to create two host groups for them. And all
> > host names were auto-generated without any pattern.
> >
> > Thanks all.
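Martin's workaround above is to pre-create the host entry with an attribute that carries the subnet, and let an automember rule match on it; the "many VMs" thread adds that the host name must be a FQDN before ipa-client-install runs. As an added example (not code from the thread or from FreeIPA), the script below works that out for the two-subnet case using the Host Class attribute (userclass, set by ipa host-add --class): the subnet-to-class map, the class and host names, and the domain are assumptions.

```python
import ipaddress

# Constructed mapping (an assumption, not from the thread): the two subnets the
# poster has, each given a host class that one automember rule will match.
SUBNET_CLASSES = {
    "192.168.10.0/24": "subnet-a",
    "192.168.20.0/24": "subnet-b",
}

def host_class(ip, subnet_classes=SUBNET_CLASSES):
    """Return the class for ip, or None when ip is in no configured subnet."""
    addr = ipaddress.ip_address(ip)
    for net, cls in subnet_classes.items():
        if addr in ipaddress.ip_network(net):
            return cls
    return None

def fqdn(short_hostname, domain):
    """Nova hands out bare names; IPA needs a FQDN, so append the domain."""
    return short_hostname if "." in short_hostname else f"{short_hostname}.{domain}"

def automember_setup_commands(subnet_classes=SUBNET_CLASSES):
    """One-time admin setup: a host group per subnet and a rule keyed on the
    host's userclass attribute (what ipa host-add --class sets)."""
    cmds = []
    for cls in subnet_classes.values():
        cmds.append(["ipa", "hostgroup-add", cls])
        cmds.append(["ipa", "automember-add", cls, "--type=hostgroup"])
        cmds.append(["ipa", "automember-add-condition", cls, "--type=hostgroup",
                     "--key=userclass", f"--inclusive-regex=^{cls}$"])
    return cmds

def new_vm_commands(short_hostname, domain, ip, subnet_classes=SUBNET_CLASSES):
    """Per VM: pre-create the host entry with its class (run with admin
    credentials) so automember places it, then the VM enrolls under the FQDN.
    --force lets host-add accept a name that does not resolve in DNS yet."""
    cls = host_class(ip, subnet_classes)
    if cls is None:
        raise ValueError(f"{ip} is in no configured subnet")
    name = fqdn(short_hostname, domain)
    return [
        ["ipa", "host-add", name, "--force", f"--class={cls}"],
        ["ipa-client-install", f"--hostname={name}", f"--domain={domain}"],
    ]
```

The first command list is meant for the admin side (where a Kerberos ticket for an admin is available); the ipa-client-install line is what the VM itself runs on first boot.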
Re: [Freeipa-users] How to install freeIPA client to many VMs?
Yes, that's my problem. These VMs were created by OpenStack and got host names without any domain at all. Is there any way to let a newly created VM join the domain automatically?

Thanks Martin.

2015-10-14 22:40 GMT+08:00 Martin Kosek <mko...@redhat.com>:
> On 10/14/2015 03:43 PM, zhiyong xue wrote:
> > There are lots of VMs created from OpenStack in our environment, and we
> > need to install the IPA client on them. I want to create a base image
> > with the IPA client installed, and generate VMs from this image.
> >
> > When the VM first boots it will auto-register to the IPA server. But
> > the VM's host name has no domain (it is not a FQDN) and registration
> > fails.
>
> How does the client get the domain then? It is currently needed for the
> FreeIPA clients, so you need to either postpone Client registration until
> domain is set, or override the hostname in ipa-client-install with static
> domain, like
>
> # ipa-client-install --hostname `hostname`.mydomain.test
>
> > What's the right approach to install the IPA client on VMs cloned
> > from a base image?
> >
> > Thanks,
> > -- Brave
[Freeipa-users] How to config automembership for IP or subnet
The document said we can create an automembership rule based on IP or subnet. But there isn't any sample of it. Does anyone know how to create them?

I have two subnets and need to create two host groups for them. And all host names were auto-generated without any pattern.

Thanks all.
[Freeipa-users] How to install freeIPA client to many VMs?
There are lots of VMs created from OpenStack in our environment, and we need to install the IPA client on them. I want to create a base image with the IPA client installed, and generate VMs from this image.

When the VM first boots it will auto-register to the IPA server. But the VM's host name has no domain (it is not a FQDN) and registration fails.

What's the right approach to install the IPA client on VMs cloned from a base image?

Thanks,
-- Brave