[Freeipa-users] Unknown Client?

2015-03-17 Thread Tevfik Ceydeliler
Hi, Although I have this configuration in client .conf: ## client 172.30.47.241 { secret = 877909 shortname = VodafonePinarsuAPNYeni1 nastype = other } client 172.30.47.242 { secret = 877909

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Rob Crittenden
Tevfik Ceydeliler wrote: Hi, Although I have this configuration in client .conf: ## client 172.30.47.241 { secret = 877909 shortname = VodafonePinarsuAPNYeni1 nastype = other } client 172.30.47.242 {

[Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Janelle
Hello, I have a server - a master (has CA) - and it does not want to restart after it has been running sometime. pki-tomcatd keeps failing. It starts up with these errors, then adds a lot more. Maybe this might point you to something that is known or a place I can start looking? Any ideas?

Re: [Freeipa-users] DNS forwarders

2015-03-17 Thread Roberto Cornacchia
I see. Peter, Martin, thanks for the explanation. My worry was that something went wrong in my reinstallation, glad to hear it is not the case. Roberto On 17 Mar 2015 14:51, Petr Spacek pspa...@redhat.com wrote: On 17.3.2015 14:06, Martin Basti wrote: On 17/03/15 13:32, Roberto Cornacchia

[Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. When a user tries to SSH to the IPA server with AD credentials, the logs show: (Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]]

[Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi List, I was following this link: http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions to set up the IPA server. My IPA version is 4.1.2. Every step in this tutorial passed without any error; even *Allow access for users from AD domain to protected resources* went successfully

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-17 Thread Martin Kosek
Looks like a bug, yes. I am just not sure whether it is in a missing Saltstack SELinux module or in the actual SELinux policy. You can try filing a bug against the SELinux policy. Looking at the SaltStack Troubleshooting guide, would switching to rpm_script_t help?

Re: [Freeipa-users] IPA Trusts

2015-03-17 Thread Martin Kosek
Joshua or Erinn, can either of you please help us improve the docs and file a bug for the Windows integration guide, about the section you are concerned with? This is a direct link:

Re: [Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Dmitri Pal
On 03/17/2015 12:12 PM, Janelle wrote: On 3/17/15 9:06 AM, Martin Kosek wrote: On 03/17/2015 04:35 PM, Janelle wrote: Hello, I have a server - a master (has CA) - and it does not want to restart after it has been running sometime. pki-tomcatd keeps failing. It starts up with these errors,

[Freeipa-users] Scripting reports from ipa?

2015-03-17 Thread Watson, Dan
Hi all, Can anyone tell me how to script calls from the ipa server? I would like to be able to do something like ipa group-show unix_admin in a script, but I don't know how to pass Kerberos credentials that don't expire. I'd appreciate some help, thanks! Dan

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin kper...@doctorondemand.com wrote: Thanks for the reply Rob. On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden rcrit...@redhat.com wrote: Kim Perrin wrote: Hello all, For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42) environment.

Re: [Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Dmitri Pal
On 03/17/2015 03:41 PM, Janelle wrote: On 3/17/15 12:14 PM, Dmitri Pal wrote: On 03/17/2015 12:12 PM, Janelle wrote: On 3/17/15 9:06 AM, Martin Kosek wrote: On 03/17/2015 04:35 PM, Janelle wrote: Hello, I have a server - a master (has CA) - and it does not want to restart after it has been

[Freeipa-users] sssd options ignored?

2015-03-17 Thread Gould, Joshua
I’ve been getting messages like these when I try the id command for a test AD domain user: (Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_primary_name] (0x0400): Processing object farus@test.osuwmc (Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Rob Crittenden
Kim Perrin wrote: Hello all, For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42) environment. We've had 2 masters since the start. Several replicas have had problems that required me to remove them. I’ve removed them all (except the very last one) by running

Re: [Freeipa-users] Scripting reports from ipa?

2015-03-17 Thread Rob Crittenden
Watson, Dan wrote: Hi all, Can anyone tell me how to script calls from the ipa server? I would like to be able to do something like “ipa group-show unix_admin” in a script, but I don’t know how to pass Kerberos credentials that don’t expire. I think you want to use credentials in a

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
Thanks for the reply Rob. On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden rcrit...@redhat.com wrote: Kim Perrin wrote: Hello all, For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42) environment. We've had 2 masters since the start. Several replicas have had problems that

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Jakub Hrozek
On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote: Hi List, I was following this link: http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions to set up the IPA server. My IPA version is 4.1.2. Every step in this tutorial passed without any error; even *Allow

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi, I have enabled debug; here is my sssd.conf: [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf [domain/solaris.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = solaris.local id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname =

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
I tried to establish the trust again and got the output below. Is this the expected one? I can see Insufficient access: CIFS server denied your credentials here too. [root@kwtpocpbis01 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password ipa: DEBUG: importing all plugin modules in

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Jakub Hrozek
On Tue, Mar 17, 2015 at 12:57:27PM +0300, Ben .T.George wrote: Hi, I have enabled debug; here is my sssd.conf: [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf [domain/solaris.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = solaris.local id_provider =

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Another thing I notice is: [root@kwtpocpbis01 ~]# kinit admin Password for admin@SOLARIS.LOCAL: [root@kwtpocpbis01 ~]# ipa trust-fetch-domains infra.com ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.7/site-packages/ipalib/plugins'... ipa: DEBUG: importing plugin module

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Brendan Kearney
On Tue, 2015-03-17 at 18:07 +0100, Natxo Asenjo wrote: On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Hi, Although I have this configuration in client .conf: ##

Re: [Freeipa-users] Using FreeIPA for LDAP authentication in 3rd party applications

2015-03-17 Thread Dan
Thomas Raehalme thomas.raehalme@... writes: Hi, Previously we have used Atlassian Crowd as a source for user data in various applications, both in-house built and proprietary such as JIRA or Confluence. As we have deployed FreeIPA, I would like to start using it as the identity source.

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi all, how can I fix this issue? I even tried to trust-add the AD again; that too failed. From where do I need to troubleshoot? On Tue, Mar 17, 2015 at 3:02 PM, Ben .T.George bentech4...@gmail.com wrote: Hi, I did kinit: [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab kinit: Keytab

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-17 Thread Prasun Gera
Sorry, the message got sent accidentally earlier before I could provide all the details. Version: 4.1.0 on RHEL 7.1 x86_64 Steps: 1. ipa-server-install 2. service sshd restart 3. kinit admin - This always works 4. ssh admin@localhost - This works for the

[Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-17 Thread Prasun Gera
Hello, I installed the ipa-server on an RHEL 7.1 system, uninstalled it and reinstalled it with the same domain name as the first time. This somehow creates problems with ssh authentication on the server from external systems as well as from the server itself. Steps: 1. ipa-server-install 2.

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
I don't think sss_cache -E removes cached idrange objects. You need to delete the databases in /var/lib/sss/db/. OK, I stopped sssd, removed everything in /var/lib/sss/db, and restarted sssd. Still no change -- I get the same error. You mean RHEL 7.1, right? Yes, RHEL 7.1. David Guertin

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Alexander Bokovoy
On Tue, 17 Mar 2015, Ben .T.George wrote: Hi, I did kinit: [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab kinit: Keytab contains no suitable keys for host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial credentials. I destroyed and re-created it, but still the same. What did

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread David Guertin
On 03/17/2015 08:30 PM, Gould, Joshua wrote: It looks like the range for your AD domain defined in "ipa idrange-find --all" needs to match what's in /etc/sssd/sssd.conf for your domain. For your example, under [domain/CSNS.MIDDLEBURY.EDU] you should have ldap_idmap_range_min = 182460

Re: [Freeipa-users] sssd options ignored?

2015-03-17 Thread Gould, Joshua
I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need to match what's in ipa idrange-find --all for the AD domain. # ipa idrange-mod --base-id=10 --range-size=90 --rid-base=0 Range name: TEST.OSUWMC_id_range Modified ID range

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin kper...@doctorondemand.com wrote: On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin kper...@doctorondemand.com wrote: Thanks for the reply Rob. On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden rcrit...@redhat.com wrote: Kim Perrin wrote: Hello all,

Re: [Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Dmitri Pal
On 03/17/2015 06:27 PM, Kim Perrin wrote: On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin kper...@doctorondemand.com wrote: On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin kper...@doctorondemand.com wrote: Thanks for the reply Rob. On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden rcrit...@redhat.com

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Gould, Joshua
David, I had a very similar issue which I posted to the list today. Your notes indirectly helped me. I think we both had two ends to the same puzzle. It looks like the range for your AD domain defined in "ipa idrange-find --all" needs to match what's in /etc/sssd/sssd.conf for your domain. For

Re: [Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Janelle
On 3/17/15 12:14 PM, Dmitri Pal wrote: On 03/17/2015 12:12 PM, Janelle wrote: On 3/17/15 9:06 AM, Martin Kosek wrote: On 03/17/2015 04:35 PM, Janelle wrote: Hello, I have a server - a master (has CA) - and it does not want to restart after it has been running sometime. pki-tomcatd keeps

[Freeipa-users] Can't remove all replica records from ldap

2015-03-17 Thread Kim Perrin
Hello all, For nearly 2 years I’ve been running a Freeipa 3 (currently 3.0.0-42) environment. We've had 2 masters since the start. Several replicas have had problems that required me to remove them. I’ve removed them all (except the very last one) by running ‘ipa-server-install --uninstall’

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi, I have changed it like this: [root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf [domain/solaris.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = solaris.local id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname =

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Martin Kosek
On 03/16/2015 08:01 PM, Benjamin Reed wrote: So given my RHEL6 machine started on an older FreeIPA 3.0, was a self-signed cert, and has gone through all kinds of hell and I'm having an impossible time setting up new master(s), I've decided to start over. I installed the EPEL7 FreeIPA 4.1.3

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Oops, sorry, here are the logs: == sssd_pam.log == (Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7fdea7263bd0 (Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_message_handler] (0x4000): Received

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Jakub Hrozek
On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote: here is separated logs: tail -f sssd_solaris.local.log Thank you, see inline: (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Hi, I did kinit: [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab kinit: Keytab contains no suitable keys for host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial credentials. I destroyed and re-created it, but still the same. On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek

Re: [Freeipa-users] 4.1.0: Logon issue after upgrading IPA

2015-03-17 Thread Dan Lavu
I was helping a friend out with his environment that was experiencing the same issue. CC'ing him as well. Between his ipa servers, the conflicting values were the same, just the time stamp that created the conflict? (I'm still not sure what caused the conflict in the first place). So what we did to

Re: [Freeipa-users] 4.1.0: Logon issue after upgrading IPA

2015-03-17 Thread Andreas Skarmutsos Lindh
Thanks, I'll look into that. Would you mind sharing the script used to clean up the entries? That would save me some time. Not expecting anything that I can run blindly and that will magically solve my problems, but some hints would definitely be appreciated :-) - Andreas On Mon, Mar 16, 2015

Re: [Freeipa-users] 4.1.0: Logon issue after upgrading IPA

2015-03-17 Thread Andreas Skarmutsos Lindh
Quick update: I think that I have solved it, by just deleting the entries holding nsuniqueid additional string. I went forward using a gui application for browsing LDAP structures. I guess a script for tackling this issue in a slightly more automated way could probably be of value to other people.

[Freeipa-users] DNS forwarders

2015-03-17 Thread Roberto Cornacchia
Hi there, I've just installed freeIPA on a FC21 server and trying to perform some sanity checks. A first puzzle for me is: I have some DNS forwarders, which I selected during installation. They do work and they do appear in /etc/named.conf forward first; forwarders {

Re: [Freeipa-users] 4.1.0: Logon issue after upgrading IPA

2015-03-17 Thread Ludwig Krispenz
Hi, do you have the DS access logs from your servers from the time around the conflicting entry was created ? Thanks, Ludwig On 03/17/2015 11:14 AM, Andreas Skarmutsos Lindh wrote: Quick update: I think that I have solved it, by just deleting the entries holding nsuniqueid additional

Re: [Freeipa-users] DNS forwarders

2015-03-17 Thread Martin Basti
On 17/03/15 13:32, Roberto Cornacchia wrote: Hi there, I've just installed freeIPA on a FC21 server and trying to perform some sanity checks. A first puzzle for me is: I have some DNS forwarders, which I selected during installation. They do work and they do appear in /etc/named.conf

Re: [Freeipa-users] DNS forwarders

2015-03-17 Thread Petr Spacek
On 17.3.2015 14:06, Martin Basti wrote: On 17/03/15 13:32, Roberto Cornacchia wrote: Hi there, I've just installed freeIPA on a FC21 server and trying to perform some sanity checks. A first puzzle for me is: I have some DNS forwarders, which I selected during installation. They do work

Re: [Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Janelle
On 3/17/15 9:06 AM, Martin Kosek wrote: On 03/17/2015 04:35 PM, Janelle wrote: Hello, I have a server - a master (has CA) - and it does not want to restart after it has been running sometime. pki-tomcatd keeps failing. It starts up with these errors, then adds a lot more. Maybe this might

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Martin Kosek
On 03/17/2015 04:27 PM, Benjamin Reed wrote: On 3/17/15 7:33 AM, Martin Kosek wrote: # ipa config-mod --enable-migration=true # echo Secret123 | ipa migrate-ds --bind-dn=cn=Directory Manager --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Benjamin Reed
On 3/17/15 12:09 PM, Martin Kosek wrote: I would still wish we had fixed the original root cause why replication was failing for you - as this is the obviously expected way of upgrading to RHEL/CentOS 7.1 from a RHEL-6 environment and I think/hope it would be less work than starting over (depends

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Martin Kosek
On 03/17/2015 05:16 PM, Benjamin Reed wrote: On 3/17/15 12:09 PM, Martin Kosek wrote: I would still wish we had fixed the original root cause why replication was failing for you - as this is the obviously expected way of upgrading to RHEL/CentOS 7.1 from a RHEL-6 environment and I think/hope it

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Benjamin Reed
On 3/17/15 7:33 AM, Martin Kosek wrote: # ipa config-mod --enable-migration=true # echo Secret123 | ipa migrate-ds --bind-dn=cn=Directory Manager --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Alexander Bokovoy
On Tue, 17 Mar 2015, Guertin, David S. wrote: We have a trust relationship established between our AD domain and our IPA domain, and AD users can be found on the IPA server with id and getent passwd. When a user tries to SSH to the IPA server with AD credentials, the logs show: (Tue Mar 17

Re: [Freeipa-users] 4.1.0: Logon issue after upgrading IPA

2015-03-17 Thread Martin Kosek
On 03/17/2015 11:14 AM, Andreas Skarmutsos Lindh wrote: Quick update: I think that I have solved it, by just deleting the entries holding nsuniqueid additional string. I went forward using a gui application for browsing LDAP structures. I guess a script for tackling this issue in a slightly

Re: [Freeipa-users] pki-tomcatd stopped responding? Won't restart?

2015-03-17 Thread Martin Kosek
On 03/17/2015 04:35 PM, Janelle wrote: Hello, I have a server - a master (has CA) - and it does not want to restart after it has been running sometime. pki-tomcatd keeps failing. It starts up with these errors, then adds a lot more. Maybe this might point you to something that is known or a

Re: [Freeipa-users] Gave Up on RHEL6-7 migration, starting over. (ipa migrate-ds)

2015-03-17 Thread Benjamin Reed
On 3/17/15 12:29 PM, Martin Kosek wrote: 1) Migrate users via SSSD and simply SSH or log in to any machine enrolled to the new IPA, as I showed in the example I'll have my users who need working kerberos ssh in. The union of the set of users who need kerberos and users who ssh is a circle. ;)

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread Guertin, David S.
When you changed idrange, it helps to remove SSSD cache, both on IPA master and IPA clients and restart SSSD. OK, I cleared the cache and restarted sssd with: sss_cache -E systemctl restart sssd Still no change in the error: Could not convert objectSID

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Natxo Asenjo
On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Hi, Although I have this configuration in client .conf: ## client 172.30.47.241 { secret = 877909 shortname = VodafonePinarsuAPNYeni1

Re: [Freeipa-users] Only one AD user can able to login to IPA server

2015-03-17 Thread Ben .T.George
Dear Alex, I already enabled debugging and this is what I am getting in error_log while running: ipa trust-add --type=ad infra.com --admin Administrator --password [Wed Mar 18 08:10:17.470460 2015] [:error] [pid 15176] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Wed Mar 18 08:10:17.470571 2015]