Re: [Freeipa-users] AD trust users cannot login to Solaris

2015-03-04 Thread Nathan Peters
I am using FreeIPA 4.1.2 on CentOS 7. Yes, AD users can login to all Linux / Centos machines. Also, when I'm at a shell prompt on the FreeIPA DC, I can getent passwd aduser and I see their info properly. The guide you linked below is the first thing I read while trying to troubleshoot this.

Re: [Freeipa-users] [Solaris 10] Cannot login through console or ssh with ipa users

2015-02-26 Thread Nathan Peters
Yes, we are trying to figure out why IPA users are not being handled properly however given that : 1. the method you suggested to troubleshoot my Solaris 10 system, adding pam_permit.so to the stack, will never work because Solaris does not include pam_permit.so, so therefore 2. I had to come

Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-02 Thread Nathan Peters
The last 3 sentences of my original post refer to me adding the NS records for the slave. Is that what you mean? I have also ensured that the slave hostname and IP are in FreeIPA DNS. I have also added an NS entry pointing to the slave. -Original Message- From: Baird, Josh Sent:

Re: [Freeipa-users] Cannot find KDC for realm MYDOMAIN.NET - AD trust and UPN issues

2015-05-05 Thread Nathan Peters
From this link : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb The diagram in that section shows the client communicating with FreeIPA and FreeIPA contacting AD. So why are you saying the

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-16 Thread Nathan Peters
created the hashes? There is nothing in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req about creating any hashes. Sorry I should have been more specific. I mean updated the hash symlinks which

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-16 Thread Nathan Peters
I have updated the bug report you filed below. The issue was that the instructions would only work in Windows Server 2003 because My Network Places was removed in 2008 and above. Since the manual clearly states that the AD sync is to be performed with server 2008 / 2012 only it made no sense

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-05 Thread Nathan Peters
I had originally set this up with AD trust but when we found out that our alternative UPNs were not supported we switched to ad sync. I removed the trust relationship from the webui by deleting all trusts showing in the ui. I then set it up for sync. Do I need to remove the trust from the

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-19 Thread Nathan Peters
-Original Message- From: Rob Crittenden Sent: Friday, June 19, 2015 3:38 PM To: nat...@nathanpeters.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege

2015-06-22 Thread Nathan Peters
-Original Message- From: Rob Crittenden Sent: Saturday, June 20, 2015 1:17 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission System: Read HBAC Rules with bindtype all to a privilege Nathan Peters wrote

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Nathan Peters
On 9/11/2015 10:32 AM, Simo Sorce wrote: On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote: I have been trying to figure this out for a while now but when I join machine to FreeIPA, the installer properly creates forward DNS entries, and DNS SSHFP entries, but does not create

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
.* during the first join on a clean OS. Can't confirm it was working before. Is it normal behavior? Allow PTR sync is enabled. Cheers, On Sept. 12, 2015 7:44 AM, "Nathan Peters" <nat...@nathanpeters.com> wrote: On 9/11/2015 10:3

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0 plus ldapmodify freezes up

2016-01-12 Thread Nathan Peters
Ok. I did that and it ended properly. Debugging was enabled properly. Here are the logs from dc1 where it is refusing the update ? Not sure how to parse these... [12/Jan/2016:23:11:15 +] NSMMReplicationPlugin - ruv_add_csn_inprogress: successfully inserted csn 569560240005 into

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-08 Thread Nathan Peters
I'm pretty lost here. I tried following the directions on that page but the results still make no sense to me. From what I can see, the account is successfully authorized, and the groups that I am part of are found and some sudo rules are found, but then I am denied access for no reason.

[Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-07 Thread Nathan Peters
I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on Fedora 23. When I try to sudo on this host, it fails. Here are the log entries from /var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines where this works fine. Is this a new bug in CentOS

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-10 Thread Nathan Peters
- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters Sent: Wednesday, June 8, 2016 11:14 AM To: Jakub Hrozek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails I'm pretty lost here. I tried

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
-Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Monday, June 13, 2016 1:54 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails On (13/06/16 20:24), Nathan Peters wrote: >Taking a second look at the s

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
There doesn't seem to be an option to add POSIX attributes to my sudo rules. Which attributes should I be adding and how? -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Monday, June 13, 2016 1:57 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
and user groups... -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Monday, June 13, 2016 2:20 PM To: Nathan Peters; Jakub Hrozek Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails Nathan Peters wrote: > There does

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Nathan Peters
<- sudo_grlist_delref_item @ ./pwutil.c:784 Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792 Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false -Original Message- F

[Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query

2016-06-07 Thread Nathan Peters
ipa-dev-van.dev-globalrelay.net/ipa/ui/> * limits exceeded for this query Nathan Peters -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-15 Thread Nathan Peters
redhat.com] Sent: January-15-16 12:19 AM To: Nathan Peters Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0 On 01/15/2016 08:32 AM, Nathan Peters wrote: > I think I've finally started to make some progress on this. I did a lot o

[Freeipa-users] FreeIPA 4.3.0 Replica Installation fails with the hostname is not the primary hostname

2016-01-17 Thread Nathan Peters
2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a primary hostname for localhost 2016-01-18T03:00:07Z DEBUG Primary hostname for localhost: dc2-ipa-dev-van.mydomain.net 2016-01-18T03:00:07Z DEBUG Search DNS for dc2-ipa-dev-van.mydomain.net 2016-01-18T03:00:07Z DEBUG Check if

[Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-17 Thread Nathan Peters
This is another issue I'm not sure how to debug or solve in 4.3.0. A failed replica installation left a replica with stuff in the tree, but not configured properly on the localhost. I did ipa-server-install --uninstall as suggested by the installation program and it deleted the local copy of

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Nathan Peters
I assume you mean look at the DS log on the machine being installed? There is no "err=68" anywhere in the access file : [root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]# grep "err=68" access [root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]# Here is the last few lines of the latest attempt to

Re: [Freeipa-users] FreeIPA 4.3.0 Replica Installation fails with the hostname is not the primary hostname

2016-01-18 Thread Nathan Peters
s with the hostname is not the primary hostname On 18.1.2016 04:23, Nathan Peters wrote: > 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a > primary hostname for localhost 2016-01-18T03:00:07Z DEBUG Primary > hostname for localhost: dc2-ipa-dev-van.mydomain.net > 2016-

[Freeipa-users] ipa-adtrust-install fails with Bad talloc magic value - wrong talloc version used/mixed on FreeIPA 4.3.0

2016-01-17 Thread Nathan Peters
I have no idea how to troubleshoot this. I am trying to run ipa-adtrust-install on FreeIPA 4.3.0 Fedora 23 domain. Samba4-command and all other samba4 packages necessary are installed. It fails at step 3 for apparently no reason. Googling reveals pretty much nothing about what a talloc magic

Re: [Freeipa-users] FreeIPA 4.3.0 replica installation fails with AttributeError: 'NameSpace' object has no attribute 'rpcclient'

2016-01-17 Thread Nathan Peters
controllers with Fedora 23 domain controllers, I was able to perform the upgrade to Fedora 30. From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters Sent: January-16-16 2:13 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] FreeIPA 4.3.0

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-17 Thread Nathan Peters
Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters Sent: January-15-16 10:00 AM To: Ludwig Krispenz Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0 No dice on the rebuild and RUV

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-17 Thread Nathan Peters
entOS or RHEL machine with no upgrade path to 4.3.0 without switching to Fedora who is experiencing the category of bugs (there were definitely multiple ones) that I encountered trying to fix these replication issues. -Original Message- From: Nathan Peters Sent: January-17-16 1:10 AM To: Natha

[Freeipa-users] FreeIPA 4.3.0 replica installation fails with AttributeError: 'NameSpace' object has no attribute 'rpcclient'

2016-01-16 Thread Nathan Peters
I'm attempting to add a Fedora 23 Server as a replica in a FreeIPA 4.2.0 CentOS 7.2 domain so I can begin migrating my domain to 4.3.0 and Fedora. Because the domain is still domain level 0, I've prepared the replica file on the old CA master (4.2.0) and installed it on the new Fedora replica

Re: [Freeipa-users] Clients with Multi Master IPA replication

2016-01-17 Thread Nathan Peters
Hey Zeal, When you join a FreeIPA client to a domain, as long as you put the address of at least one of the FreeIPA servers (if they are serving DNS) in the /etc/resolv.conf file, they will use DNS to find FreeIPA servers. Specifically they look for _SRV records. I think they naturally

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-14 Thread Nathan Peters
And the saga continues... In my latest round of trying to fix this, I've attempted to remove the replicas again, this time ensuring to use the --force and --cleanup flags to try to remove the data. As you can see from the output below, it seems like every possible error that could happen did.

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-14 Thread Nathan Peters
I think I've finally started to make some progress on this. I did a lot of googling and found some stuff to run manually in 389 ds through ldapmodify commands to clean RUVs. During this process the server crashed and when it came back online, suddenly all my ghost RUVs were visible through

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-14 Thread Nathan Peters
So after some more forum searching I found a command that searches your ldap database for RUVs. The output does not seem to match the list-ruv command for each server. Is this where the issue lies in the database? I see 6 ruvs for each host in the ldapsearch but only 3 in the

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-14 Thread Nathan Peters
I'm beginning to suspect there may be something wrong with my ldap database. I actually completely deleted dc1-nvan and dc2-nvan last night, leaving only dc1-van. I then re-provisioned dc1-nvan and dc2-nvan from scratch (os install and everything). After re-provisioning I was finally able to

Re: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

2016-01-26 Thread Nathan Peters
-boun...@redhat.com] On Behalf Of Nathan Peters Sent: January-26-16 6:03 PM To: freeipa-users@redhat.com Subject: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones I have my FreeIPA server setup with a forward only policy for DNS. If I perform an nslookup against

[Freeipa-users] Freeipa 4.1.4 Very slow sudo access waiting for eventpoll

2016-02-03 Thread Nathan Peters
We have a FreeIPA 4.1.4 domain running on CentOS 7.1. We have noticed that from certain machines, sudo is instant, and from others, it takes about 5 seconds. All machines involved can resolve each other through DNS (both forward and reverse lookups). Running an strace reveals that sssd_pam is

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-19 Thread Nathan Peters
[18/Jan/2016:09:28:33 -0800] conn=18732 op=10 ADD dn="cn=replica,cn=dc\3Ddev-globalrelay\2Cdc\3Dnet,cn=mapping tree,cn=config" [18/Jan/2016:09:28:33 -0800] conn=18732 op=10 RESULT err=68 tag=105 nentries=0 etime=0 [18/Jan/2016:09:28:33 -0800] conn=18732 op=11 UNBIND Do you mean that log entry

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
All checks below were performed from the host we are trying to turn into a replica and they were performed against the master whose logs I also show. The first check was to kinit admin and try the search. Surprisingly, the GSSAPI bind returns no results when we search that. In my previous email

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
they search from or against if GSSAPI is used. -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters Sent: January-20-16 11:41 PM To: Rich Megginson; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Freeipa 4.3.0

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Nathan Peters
Here are the results for that aci search using a non-GSSAPI bind by directory manager on the old master that we are attempting to join against. I don't see anything in this list that would indicate that some users should or should not have access through a certain method. Unless one of those

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Nathan Peters
Ok, here are the logs and console session from those searches as admin and as the host on the new master against itself. Same result, nothing in there. See my email reply to Rich I sent a few minutes ago for the directory manager aci search results.

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
Now we are starting to get somewhere (although a resolution still is not visible) :) First, thank you Petr and Rob for your help on this issue. I apologize for our hard to parse server names. I'm not a fan of them myself and in earlier reports I had been reformatting everything nicely with

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-23 Thread Nathan Peters
I can now confirm that this is a 100% reproducible bug, and a pretty severe one at that. You should be able to reproduce this issue at will if you follow these steps. It may actually be possible with fewer servers and fewer steps, but here is what I did in a test lab today: 1. Create a brand

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Nathan Peters
cert manager, and not all users -Original Message- From: Martin Basti [mailto:mba...@redhat.com] Sent: January-25-16 4:57 AM To: Nathan Peters; Rich Megginson; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry al

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Nathan Peters
that. Thanks for pointing out the actual bug. I'm fairly new to debugging 389 DS so knowing what branch needed to be fixed was invaluable. -Original Message- From: Martin Basti [mailto:mba...@redhat.com] Sent: January-26-16 12:57 PM To: Nathan Peters; Rich Megginson; freeipa-users

[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

2016-01-26 Thread Nathan Peters
I have my FreeIPA server setup with a forward only policy for DNS. If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly. If I perform the same nslookup against my local server, it will not find the entry. I have confirmed that there are

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Nathan Peters
[root@dc2-ipa-dev-nvan ~]# ldapsearch -D "cn=directory manager" -W -b "cn=config" "(aci=*)" aci Enter LDAP Password: # extended LDIF # # LDAPv3 # base

[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

2016-02-16 Thread Nathan Peters
I have created a trust between my FreeIPA domain and an active directory domain. I can get a kerberos ticket properly from the other domain at the command line on the IPA server. I have also created sudo and HBAC rules to allow my AD users to logon to the IPA domain controller using the