Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-20 Thread Rob Crittenden
zhiyong xue wrote:
> The problem still exists after updating from 4.1 to 4.2.3.

Because the problem is not in IPA, it is in how you are manually adding
entries.

Since you are now running 4.2 I'd suggest you look into using staged
users, http://www.freeipa.org/page/V4/User_Life-Cycle_Management

> Rob, how do I check for the missing managed entry?

A managed group needs the attribute mepManagedBy with a value of the dn
that is managing it and the objectclass mepManagedEntry.

rob

> 
> 2015-11-20 0:11 GMT+08:00 Rob Crittenden:
> 
> zhiyong xue wrote:
> > Rob, where can I get more error information besides the log?
> > [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> > failed to delete managed entry
> > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
> 
> I can still only assume what you're doing: manually adding the entries
> directly by LDAP. To do this you need to follow IPA conventions, or use
> the new user lifecycle framework added in 4.2.
> 
> I'm guessing it can't delete the managed entry because either it doesn't
> exist or it is missing an objectclass/attribute marking it as managed.
> 
> rob
> 
> >
> > 2015-11-16 13:43 GMT+08:00 zhiyong xue:
> >
> > I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
> > syncopex5"; maybe it's a cache problem.
> >
> > 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> >
> > zhiyong xue wrote:
> > > We integrated the Apache Syncope server with the FreeIPA server, so a
> > > user can self-register an ID in Apache Syncope which is then
> > > synchronized to FreeIPA. The problems are:
> > > *1) A user created from Apache Syncope can't log in to Linux. The user
> > > created from the FreeIPA web GUI works well.*
> >
> > For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> > This is unlikely to fix things but it will help with later debugging.
> >
> > This likely revolves around how you are creating these accounts. We'll
> > need information on what you're doing. The more details the better.
> >
> > > *2) The user also can't be deleted from the web UI and CLI. It said
> > > "syncopex5: user not found".*
> >
> > Again, you probably aren't creating the users correctly.
> >
> > I can only assume that you are creating the users directly via an LDAP
> > add. This is working around the IPA framework which does additional work.
> >
> > Knowing what version of IPA this is would help too.
> >
> > You'll probably also want to read this:
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> > IPA 4.2.
> >
> > rob
> > rob
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
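The check Rob describes above (a managed group must carry objectClass mepManagedEntry and a mepManagedBy value equal to the DN of the user that manages it), as an added example that is not part of the thread or of IPA: a small Python script that reads ldapsearch LDIF output and reports which markers are missing. The constructed sample reuses the thread's syncopex5 user DN and the cn=groups,cn=accounts container from the mep_del_post_op error; the mepManagedEntry back-link on the user entry and the cn=<uid> private-group naming are the 389-ds plugin's and IPA's conventions, assumed here rather than stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's syncopex5 user next to a private group that
# lacks the managed-entry markers, plus a correctly linked pair for contrast.
SAMPLE_LDIF = """\
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: mepOriginEntry
uid: syncopex5

dn: cn=syncopex5,cn=groups,cn=accounts,dc=example,dc=com
cn: syncopex5

dn: uid=okuser,cn=users,cn=accounts,dc=example,dc=com
objectClass: mepOriginEntry
mepManagedEntry: cn=okuser,cn=groups,cn=accounts,dc=example,dc=com

dn: cn=okuser,cn=groups,cn=accounts,dc=example,dc=com
objectClass: mepManagedEntry
mepManagedBy: uid=okuser,cn=users,cn=accounts,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn.lower(): {attr.lower(): [values]}}."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold " " lines
        if not line.strip():                 # blank line ends an entry
            cur = None
        elif not line.startswith("#"):       # ldapsearch comments are skipped
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                cur = entries.setdefault(value.lower(), defaultdict(list))
            elif cur is not None:
                cur[attr].append(value)
    return entries

def check_managed_group(entries, user_dn):
    """List what is missing on the user -> managed-group link. Rob's rule: the
    group needs objectClass mepManagedEntry and mepManagedBy = the user's DN."""
    user = entries.get(user_dn.lower())
    if user is None:
        return [f"user entry {user_dn} not found"]
    problems = []
    if "meporiginentry" not in {v.lower() for v in user["objectclass"]}:
        problems.append("user lacks objectClass mepOriginEntry")
    links = user.get("mepmanagedentry", [])  # plugin's back-link (assumed)
    if not links:  # fall back to IPA's private-group naming: cn=<uid>,cn=groups
        problems.append("user has no mepManagedEntry link to a group")
        rdn, _, rest = user_dn.partition(",cn=users,")
        links = [f"cn={rdn.split('=', 1)[1]},cn=groups,{rest}"]
    for group_dn in links:
        group = entries.get(group_dn.lower())
        if group is None:
            problems.append(f"managed group {group_dn} does not exist")
            continue
        if "mepmanagedentry" not in {v.lower() for v in group["objectclass"]}:
            problems.append(f"{group_dn} lacks objectClass mepManagedEntry")
        if user_dn.lower() not in [v.lower() for v in group["mepmanagedby"]]:
            problems.append(f"{group_dn} mepManagedBy does not name the user")
    return problems
```

Feed it the output of an ldapsearch over cn=accounts (as in the thread) in place of SAMPLE_LDIF; an empty list means both sides of the link are present and consistent.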


Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-20 Thread zhiyong xue
The problem still exists after updating from 4.1 to 4.2.3.

Rob, how do I check for the missing managed entry?

2015-11-20 0:11 GMT+08:00 Rob Crittenden:

> zhiyong xue wrote:
> > Rob, where can I get more error information besides the log?
> > [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> > failed to delete managed entry
> > (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
>
> I can still only assume what you're doing: manually adding the entries
> directly by LDAP. To do this you need to follow IPA conventions, or use
> the new user lifecycle framework added in 4.2.
>
> I'm guessing it can't delete the managed entry because either it doesn't
> exist or it is missing an objectclass/attribute marking it as managed.
>
> rob
>
> >
> > 2015-11-16 13:43 GMT+08:00 zhiyong xue:
> >
> > I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
> > syncopex5"; maybe it's a cache problem.
> >
> > 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> >
> > zhiyong xue wrote:
> > > We integrated the Apache Syncope server with the FreeIPA server, so a
> > > user can self-register an ID in Apache Syncope which is then
> > > synchronized to FreeIPA. The problems are:
> > > *1) A user created from Apache Syncope can't log in to Linux. The user
> > > created from the FreeIPA web GUI works well.*
> >
> > For login issues see
> > https://fedorahosted.org/sssd/wiki/Troubleshooting
> > This is unlikely to fix things but it will help with later
> > debugging.
> >
> > This likely revolves around how you are creating these accounts.
> > We'll need information on what you're doing. The more details the
> > better.
> >
> > > *2) The user also can't be deleted from the web UI and CLI. It said
> > > "syncopex5: user not found".*
> >
> > Again, you probably aren't creating the users correctly.
> >
> > I can only assume that you are creating the users directly via
> > an LDAP add. This is working around the IPA framework which does
> > additional work.
> >
> > Knowing what version of IPA this is would help too.
> >
> > You'll probably also want to read this:
> > http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This
> > is in IPA 4.2.
> >
> > rob
> > rob
>

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-19 Thread zhiyong xue
Rob, where can I get more error information besides the log?
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
failed to delete managed entry
(member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

2015-11-16 13:43 GMT+08:00 zhiyong xue:

> I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
> syncopex5"; maybe it's a cache problem.
>
> 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
>
>> zhiyong xue wrote:
>> > We integrated the Apache Syncope server with the FreeIPA server, so a
>> > user can self-register an ID in Apache Syncope which is then
>> > synchronized to FreeIPA. The problems are:
>> > *1) A user created from Apache Syncope can't log in to Linux. The user
>> > created from the FreeIPA web GUI works well.*
>>
>> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
>> This is unlikely to fix things but it will help with later debugging.
>>
>> This likely revolves around how you are creating these accounts. We'll
>> need information on what you're doing. The more details the better.
>>
>> > *2) The user also can't be deleted from the web UI and CLI. It said
>> > "syncopex5: user not found".*
>>
>> Again, you probably aren't creating the users correctly.
>>
>> I can only assume that you are creating the users directly via an LDAP
>> add. This is working around the IPA framework which does additional work.
>>
>> Knowing what version of IPA this is would help too.
>>
>> You'll probably also want to read this:
>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
>> IPA 4.2.
>>
>> rob
>> rob
>>
>
>

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-19 Thread Rob Crittenden
zhiyong xue wrote:
> Rob, where can I get more error information besides the log?
> [16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
> failed to delete managed entry
> (member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

I can still only assume what you're doing: manually adding the entries
directly by LDAP. To do this you need to follow IPA conventions, or use
the new user lifecycle framework added in 4.2.

I'm guessing it can't delete the managed entry because either it doesn't
exist or it is missing an objectclass/attribute marking it as managed.

rob

> 
> 2015-11-16 13:43 GMT+08:00 zhiyong xue:
> 
> I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
> syncopex5"; maybe it's a cache problem.
> 
> 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> 
> zhiyong xue wrote:
> > We integrated the Apache Syncope server with the FreeIPA server, so a
> > user can self-register an ID in Apache Syncope which is then
> > synchronized to FreeIPA. The problems are:
> > *1) A user created from Apache Syncope can't log in to Linux. The user
> > created from the FreeIPA web GUI works well.*
> 
> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> This is unlikely to fix things but it will help with later debugging.
> 
> This likely revolves around how you are creating these accounts. We'll
> need information on what you're doing. The more details the better.
> 
> > *2) The user also can't be deleted from the web UI and CLI. It said
> > "syncopex5: user not found".*
> 
> Again, you probably aren't creating the users correctly.
> 
> I can only assume that you are creating the users directly via an LDAP
> add. This is working around the IPA framework which does additional work.
> 
> Knowing what version of IPA this is would help too.
> 
> You'll probably also want to read this:
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> IPA 4.2.
> 
> rob
> rob
> 



Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-16 Thread zhiyong xue
I queried a new user, syncopex8, which was also created from the Apache Syncope server.

*The output of command "ldapsearch -x -h localhost -b dc=exampe,dc=com
uid=syncopex8":*

# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-16 Thread Tomas Babej
Can you provide the result of an LDAP search run on that entry? As Rob
points out, you're probably creating the user in a manner that bypasses
the framework.

Tomas

On 11/16/2015 06:43 AM, zhiyong xue wrote:
> I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
> syncopex5"; maybe it's a cache problem.
> 
> 2015-11-16 11:24 GMT+08:00 Rob Crittenden:
> 
> zhiyong xue wrote:
> > We integrated the Apache Syncope server with the FreeIPA server, so a
> > user can self-register an ID in Apache Syncope which is then
> > synchronized to FreeIPA. The problems are:
> > *1) A user created from Apache Syncope can't log in to Linux. The user
> > created from the FreeIPA web GUI works well.*
> 
> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> This is unlikely to fix things but it will help with later debugging.
> 
> This likely revolves around how you are creating these accounts. We'll
> need information on what you're doing. The more details the better.
> 
> > *2) The user also can't be deleted from the web UI and CLI. It said
> > "syncopex5: user not found".*
> 
> Again, you probably aren't creating the users correctly.
> 
> I can only assume that you are creating the users directly via an LDAP
> add. This is working around the IPA framework which does additional
> work.
> 
> Knowing what version of IPA this is would help too.
> 
> You'll probably also want to read this:
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> IPA 4.2.
> 
> rob
> rob
> 



Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-16 Thread zhiyong xue
I am using IPA 4.1 in CentOS 7. And I can log in to the system after "id
syncopex5"; maybe it's a cache problem.

2015-11-16 11:24 GMT+08:00 Rob Crittenden:

> zhiyong xue wrote:
> > We integrated the Apache Syncope server with the FreeIPA server, so a
> > user can self-register an ID in Apache Syncope which is then
> > synchronized to FreeIPA. The problems are:
> > *1) A user created from Apache Syncope can't log in to Linux. The user
> > created from the FreeIPA web GUI works well.*
>
> For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
> This is unlikely to fix things but it will help with later debugging.
>
> This likely revolves around how you are creating these accounts. We'll
> need information on what you're doing. The more details the better.
>
> > *2) The user also can't be deleted from the web UI and CLI. It said
> > "syncopex5: user not found".*
>
> Again, you probably aren't creating the users correctly.
>
> I can only assume that you are creating the users directly via an LDAP
> add. This is working around the IPA framework which does additional work.
>
> Knowing what version of IPA this is would help too.
>
> You'll probably also want to read this:
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
> IPA 4.2.
>
> rob
> rob
>

[Freeipa-users] FreeIPA user can't login to linux.

2015-11-15 Thread zhiyong xue
We integrated the Apache Syncope server with the FreeIPA server, so a user
can self-register an ID in Apache Syncope which is then synchronized to
FreeIPA. The problems are:
*1) A user created from Apache Syncope can't log in to Linux. A user created
from the FreeIPA web GUI works well.*

This is the information for the user (syncopex5) created from Apache Syncope:
# syncopex5, users, compat, example.com
dn: uid=syncopex5,cn=users,cn=compat,dc=example,dc=com
cn: x5syncope
objectClass: posixAccount
objectClass: top
gidNumber: 657600034
gecos: x5syncope
uidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
uid: syncopex5

# syncopex5, users, accounts, example.com
dn: uid=syncopex5,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixAccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
cn: x5syncope
displayName: x5syncope
uid: syncopex5
gecos: x5syncope
uidNumber: 657600034
gidNumber: 657600034
loginShell: /bin/sh
homeDirectory: /home/syncopex5
sn: syncope
givenName: x5
initials: xs

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

*2) The user also can't be deleted from the web UI and CLI. It said "syncopex5:
user not found".*
*The errors log:*
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4130 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4131 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4221 (rc: 32)
[13/Nov/2015:07:27:54 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4222 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4353 (rc: 32)
[13/Nov/2015:07:27:55 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 4354 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5129 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5130 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5155 (rc: 32)
[15/Nov/2015:07:27:53 +] DSRetroclPlugin - delete_changerecord: could
not delete change record 5156 (rc: 32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
failed to delete managed entry
(member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)
[16/Nov/2015:02:52:59 +] managed-entries-plugin - mep_del_post_op:
failed to delete managed entry
(member=syncopex5,cn=groups,cn=accounts,dc=example,dc=com) - error (32)

*The access log:*
[16/Nov/2015:02:52:50 +] conn=5512 op=36 UNBIND
[16/Nov/2015:02:52:50 +] conn=5512 op=36 fd=621 closed - U1
[16/Nov/2015:02:52:59 +] conn=5513 fd=621 slot=621 connection from
192.168.10.39 to 192.168.10.39
[16/Nov/2015:02:52:59 +] conn=5513 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=1 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=1 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
[16/Nov/2015:02:52:59 +] conn=5513 op=2 BIND dn="" method=sasl
version=3 mech=GSSAPI
[16/Nov/2015:02:52:59 +] conn=5513 op=2 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[16/Nov/2015:02:52:59 +] conn=5513 op=3 SRCH
base="cn=ipaconfig,cn=etc,dc=example,dc=com" scope=0
filter="(objectClass=*)" attrs=ALL
[16/Nov/2015:02:52:59 +] conn=5513 op=3 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=4 SRCH
base="cn=users,cn=accounts,dc=example,dc=com" scope=1
filter="(&(objectClass=posixaccount)(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))"
attrs="telephoneNumber sshpubkeyfp uid title loginShell uidNumber gidNumber
sn homeDirectory mail givenName nsAccountLock"
[16/Nov/2015:02:52:59 +] conn=5513 op=4 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=5 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0
filter="(userPassword=*)" attrs="userPassword"
[16/Nov/2015:02:52:59 +] conn=5513 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=6 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0
filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[16/Nov/2015:02:52:59 +] conn=5513 op=6 RESULT err=0 tag=101 nentries=1
etime=0
[16/Nov/2015:02:52:59 +] conn=5513 op=7 SRCH
base="uid=admin,cn=users,cn=accounts,dc=example,dc=com" scope=0

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-15 Thread Rob Crittenden
zhiyong xue wrote:
> We integrated the Apache Syncope server with the FreeIPA server, so a
> user can self-register an ID in Apache Syncope which is then
> synchronized to FreeIPA. The problems are:
> *1) A user created from Apache Syncope can't log in to Linux. The user
> created from the FreeIPA web GUI works well.*

For login issues see https://fedorahosted.org/sssd/wiki/Troubleshooting
This is unlikely to fix things but it will help with later debugging.

This likely revolves around how you are creating these accounts. We'll
need information on what you're doing. The more details the better.

> *2) The user also can't be deleted from the web UI and CLI. It said
> "syncopex5: user not found".*

Again, you probably aren't creating the users correctly.

I can only assume that you are creating the users directly via an LDAP
add. This is working around the IPA framework which does additional work.

Knowing what version of IPA this is would help too.

You'll probably also want to read this:
http://www.freeipa.org/page/V4/User_Life-Cycle_Management . This is in
IPA 4.2.

rob
rob
