Re: [Freeipa-users] Help needed - CA Server role not adding

2017-05-01 Thread Rob Crittenden
Chris Moody wrote:
> Hello.
> 
> First wanted to thank everyone working hard to bring this awesome bundle
> of applications to market.  This is a great project and I really
> appreciate the efforts.
> 
> I need a hand with a new 4.4.3 install that I'm still trying to flesh
> out fully to support all the services I need.
> 
> I recently attempted to add the 'CA Server' Role to a node in a replica
> pair.
> 
> I ran the 'ipa-ca-install' command on the node in question but in the
> middle of the operation, it unfortunately bombed out due to memory
> exhaustion.  I have since doubled the RAM in the host, but I can no
> longer get this system to proceed with the multitude of steps it
> performs to enable this role.
> 
> When I type 'ipa server-role-find' it lists the 'CA Server' Role as
> absent, but whenever I issue the command 'ipa-ca-install' to try and
> re-instantiate the process of adding the role, it spits back out 'CA is
> already installed on this host.'.
> 
> I'm not seeing a 'remove role' or 'force' option via any of the
> tab-completed command options now available in 4.x nor is the man page
> of much help.  Online documentation as well seems to be in a state of
> flux between the older 3.x docs and the new 4.x functionality.

At the moment the only way around this is to uninstall IPA master on
this server and re-run the installation.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] help

2016-10-16 Thread Martin Babinsky

On 10/17/2016 02:44 AM, 郑磊 wrote:

Hello everyone,
I'm using FreeIPA, and I am testing and researching its functions. At the
same time, I have done a Chinese translation of the web interface and added
my own function module to the web interface. However, for these changes I
don't know how to interact with the community; please help me. Thank you
very much!




That depends on what you are trying to achieve.

If you wish to contribute your translations to the upstream, you may 
have a look at our Zanata project page:


https://fedora.zanata.org/project/view/freeipa/

We periodically push our message strings there so the community can 
translate them. We then pull the changes into the upstream repo. You may 
wish to read http://zanata.org/help/ for more information about this 
workflow.


If you would like to contribute your code to the upstream, make sure you 
read our Contribution guide: http://www.freeipa.org/page/Contribute


Otherwise feel free to ask questions on this list, we will try our best 
to help you out.


--
Martin^3 Babinsky


Re: [Freeipa-users] help

2016-10-16 Thread David Kupka

On 17/10/16 02:44, 郑磊 wrote:

Hello everyone,
I'm using FreeIPA, and I am testing and researching its functions. At the
same time, I have done a Chinese translation of the web interface and added
my own function module to the web interface. However, for these changes I
don't know how to interact with the community; please help me. Thank you
very much!




Hello!

Do you have a problem with developing your own module? Ask on 
freeipa-de...@redhat.com


Is your module complete, do you think it will be useful for a lot of 
FreeIPA users, and do you want it upstream? Create a pull request on GitHub 
(https://github.com/freeipa/freeipa).


Do you want to contribute the translations? Submit them via Zanata 
(https://fedora.zanata.org/project/view/freeipa).


HTH,
--
David Kupka


Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Ryan Whalen
Hey Pavel,

Thanks for the reply! It's not exactly that I want to allow any command to
be run as app_user. The command I actually want to run is very long and
complicated and wouldn't mean much in this context, so I simplified my
example. The problem is that *any command* I run will fail, whether or not
they already have the permissions to run said command.

The exact command that I want to run *will work* if I `sudo su - app_user`
and then run the command in the new shell for `app_user`.  It *won't work* if
I try to run `sudo su - app_user -c `. So the user has the
permissions to run the command; it just won't work with the `-c` option.

So that's where I'm stuck. From my perspective they should have all the
permissions that they need. They have sudo privileges to `sudo su -
app_user -c` as well as the specific command that I want to be run.

Thanks

Ryan

On Wed, Aug 31, 2016 at 4:51 AM, Pavel Březina  wrote:

> On 08/30/2016 05:08 PM, Ryan Whalen wrote:
>
>> Hi All,
>>
>> I'm having an issue getting a command to run properly, and the issue
>> seems to be with Freeipa sudo permissions. Specifically 'sudo su -
>> app_user -c ""' prompts for a password when run.
>>
>> However if I 'sudo su - app_user' and then run the '' as
>> app_user, it works fine.
>>
>> example:
>> ```
>> $ ssh r...@production-server.pp
>> Last login: Mon Aug 29 21:36:14 2016 from 10.20.3.15
>> ryan$ sudo su - app_user -c "df"
>> [sudo] password for ryan:
>> ^C
>> ryan$ sudo su - app_user
>> app_user$ df
>> Filesystem   1K-blocks Used Available Use% Mounted on
>> /dev/sda3 14845784  6667296   7417708  48% /
>> tmpfs  14742280   1474228   0% /dev/shm
>> /dev/sda1   48765281221380831  18% /boot
>> 10.51.0.34:/srv/nfs/app
>>   287687168 69111040 218576128  25% /var/app
>> 10.51.0.54:/srv/nfs/ipa
>>16377088  3728640  11809792  24% /home/ipa
>> ap_user$
>> ```
>>
>> I have a sudo rule that allows `/bin/su - app_user` and `/bin/su -
>> app_user -c` but I can't get the `-c` to work in a single command. I also
>> tried giving sudo permission to `/bin/bash` in case the `-c` needed it
>> to create a new shell for some reason, but it didn't work.
>>
>> Does anyone have any thoughts on what permissions I might be missing to
>> allow the user to run `sudo su - app_user -c `?
>>
>> Thanks,
>> Ryan
>>
>>
>>
> Try to allow /bin/su - app_user -c '*'
>
> If I understand you correctly, you want to allow user to run any command
> as app_user. You can do it also by creating a rule that allows to run any
> command and run it as app_user.
>
>

Re: [Freeipa-users] Help with sudo permission for a command

2016-08-31 Thread Pavel Březina


Try to allow /bin/su - app_user -c '*'

If I understand you correctly, you want to allow user to run any command 
as app_user. You can do it also by creating a rule that allows to run 
any command and run it as app_user.


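Why the rule ending at `-c` does not match while Pavel's `-c '*'` does, as an added example that is not part of this thread: sudoers joins the requested arguments into one string and compares it against the rule's argument string with fnmatch, so a rule whose arguments stop at `-c` matches only a request whose arguments also stop at `-c`, and the `*` that lets `-c df` through also matches every other command line (the wildcard matches spaces in this position). The rule names and the simplified matcher below are this example's own constructions; real sudo additionally canonicalises paths, supports digests and negation, and honours defaults, all of which are left out here.

```python
import fnmatch

# Constructed rules in (command, argument pattern) form, modelled on the
# rules Ryan describes; they are example values, not his FreeIPA rules.
# A pattern of None stands for a bare Cmnd (any arguments), "" for a Cmnd
# written with "" (no arguments permitted at all).
RULES = {
    "interactive_shell": ("/bin/su", "- app_user"),
    "dash_c_no_wildcard": ("/bin/su", "- app_user -c"),
    "dash_c_wildcard": ("/bin/su", "- app_user -c *"),
}


def args_match(pattern, request_args):
    """Emulate sudoers argument matching: the requested arguments are joined
    with single spaces and the rule's argument string is used as an fnmatch
    pattern against that string. '*' here matches spaces as well, which is
    why '-c *' is equivalent to 'any command line'."""
    if pattern is None:
        return True
    return fnmatch.fnmatchcase(" ".join(request_args), pattern)


def rule_allows(rule, argv):
    """argv[0] is the resolved command path, argv[1:] its arguments."""
    command, pattern = rule
    return argv[0] == command and args_match(pattern, argv[1:])


def matching_rules(rules, argv):
    """Names of the rules that would let sudo run argv."""
    return [name for name, rule in rules.items() if rule_allows(rule, argv)]


if __name__ == "__main__":
    for argv in (["/bin/su", "-", "app_user"],
                 ["/bin/su", "-", "app_user", "-c", "df"],
                 ["/bin/su", "-", "app_user", "-c", "tar czf backup.tgz /var/app"]):
        print(" ".join(argv), "->", matching_rules(RULES, argv) or "no rule matches")
```

The second request is the one that prompted Ryan for a password: only the wildcard rule matches it, and the third request shows that the same rule matches any other command line as well, which is the trade-off Pavel describes.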


Re: [Freeipa-users] Help needed with keytabs

2016-05-06 Thread Petr Spacek
On 5.5.2016 18:39, Roderick Johnstone wrote:
> Hi
> 
> I need to run some ipa commands in cron jobs.
> 
> The post here:
> https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
> suggests I need to use a keytab file to authenticate kerberos.
> 
> I've tried the prescription there, with variations, without success.
> 
> My current testing framework is to log into the ipa client (RHEL6.7,
> ipa-client-3.0.0-47.el6_7.1.x86_64) as a test user, get the keytab, destroy
> the current tickets, re-establish a tgt for the user with kinit using the
> keytab and try to run an ipa command. The ipa command fails (just like in my
> cron jobs which use the same kinit command).
> 
> 1) Log into ipa client as user test.
> 
> 2) Get the keytab
> $ /usr/sbin/ipa-getkeytab -s ipa.example.com -p t...@example.com -k
> /home/test/test.keytab -P
> New Principal Password:
> Verify Principal Password:
> Keytab successfully retrieved and stored in: /home/test/test.keytab
> 
> I seem to have to reset the password to what it was in this step, otherwise it
> gets set to something random and the user test cannot log into the ipa client
> any more.
> 
> 3) Log into the ipa client as user test. Then
> $ kdestroy
> $ klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3395_PWO4wH)
> 
> 4) kinit from the keytab:
> $ kinit -F t...@example.com -k -t /home/test/test.keytab
> 
> 5) Check the tickets
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_3395_PWO4wH
> Default principal: t...@example.com
> 
> Valid starting     Expires            Service principal
> 05/05/16 17:24:44  05/06/16 17:24:44  krbtgt/example@example.com
> 
> 6) Run an ipa command:
> $ ipa ping
> ipa: ERROR: cannot connect to Gettext('any of the configured servers',
> domain='ipa', localedir=None): https://ipa1.example.com/ipa/xml,
> https://ipa2.example.com/ipa/xml
> 
> Can someone advise what I'm doing wrong in this procedure please (some strings
> were changed to anonymize the setting)?

The Kerberos part seems okay, but for some reason the connection to the IPA
servers does not work.

I would try the following commands:
$ ipa --debug ping
$ curl 'https://ipa1.example.com/ipa/xml'

and see what they print out.

Petr^2 Spacek

> 
> For completeness of information, the ipa servers are RHEL 7.2,
> ipa-server-4.2.0-15.el7_2.6.1.x86_64.
> 
> Thanks
> 
> Roderick Johnstone



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi again

After further testing, it seems like my problems were caused by the use 
of the -F option on the kinit line.


Roderick



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Roderick Johnstone

Hi Mike

Thanks for sharing your setup. It looks pretty much like mine.

I just tried your kinit command syntax and then I can ipa ping 
successfully. Then I tried my kinit syntax (after a kdestroy) and I can 
still ipa ping successfully!


So, it does work now, but I don't know why it didn't work for me 
earlier. It feels like some sort of caching problem but I think kdestroy 
clears the cache.


Thanks again for your help.

Roderick



Re: [Freeipa-users] Help needed with keytabs

2016-05-05 Thread Michael ORourke

Roderick,

Here's how we do it.  
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k 
/root/svc_useradm.keytab

Now we can leverage the keytab for that user principal.
Example:
[root@infrae2u01 ~]# kdestroy

[root@infrae2u01 ~]# kinit -k -t /root/svc_useradm.keytab 
svc_user...@lnx.dr.LOCAL

[root@infrae2u01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc_user...@lnx.dr.LOCAL

Valid starting     Expires            Service principal
05/05/16 14:24:12  05/06/16 14:24:12  krbtgt/lnx.dr.lo...@lnx.dr.LOCAL

[root@infrae2u01 ~]# ipa ping
--
IPA server version 3.0.0. API version 2.49
--

If you need to access the service account, then set up a sudo rule to switch 
user to that account.
Example: "sudo su - svc_useradm"

-Mike

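A cron-safe way to use a service-account keytab along the lines Mike describes, as an added example rather than anything from the thread: it refuses a keytab that is not a regular file owned by the job's user with mode 0600 or tighter (the keytab is a long-term credential, so whoever can read it can act as that principal), gives the job its own credential cache through KRB5CCNAME so an interactive kdestroy cannot interfere with it and vice versa, builds the kinit line without the -F option that Roderick reported as the cause of his failures, and destroys the job's tickets when it is done. The principal, keytab path and cache path are assumed values, and `write_sample_keytab` is a test helper that writes a throwaway file, not a real keytab.

```python
import os
import stat
import subprocess
import tempfile

# Assumed values for the job; they follow Mike's naming but are constructed here.
PRINCIPAL = "svc_useradm@EXAMPLE.COM"
KEYTAB = "/root/svc_useradm.keytab"
CCACHE = "/var/tmp/krb5cc_svc_useradm"   # private to the job, not the user's default


def keytab_is_protected(path, uid=None):
    """True only if path is a regular file (not a symlink) owned by uid
    (default: the calling user) with no group or other permission bits."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != (os.getuid() if uid is None else uid):
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def kinit_argv(principal, keytab):
    """The kinit line as Mike posted it: keytab-based, and without -F
    (Roderick found that the non-forwardable TGT -F requests broke ipa)."""
    return ["kinit", "-k", "-t", keytab, principal]


def job_env(ccache, base=None):
    """Environment for the job: KRB5CCNAME points every Kerberos-aware
    tool in the job at its own cache file."""
    env = dict(os.environ if base is None else base)
    env["KRB5CCNAME"] = "FILE:" + ccache
    return env


def run_ipa(ipa_args, principal=PRINCIPAL, keytab=KEYTAB, ccache=CCACHE):
    """Get a TGT from the keytab, run one ipa command with it, then
    destroy the job's tickets. Returns the command's standard output."""
    if not keytab_is_protected(keytab):
        raise PermissionError("refusing to use %s: wrong owner or mode" % keytab)
    env = job_env(ccache)
    subprocess.run(kinit_argv(principal, keytab), env=env, check=True)
    try:
        done = subprocess.run(["ipa"] + list(ipa_args), env=env, check=True,
                              capture_output=True, text=True)
        return done.stdout
    finally:
        subprocess.run(["kdestroy"], env=env, check=False)


def write_sample_keytab(mode):
    """Test helper: a throwaway file with the keytab magic bytes and the
    given mode. It is not a usable keytab."""
    fd, path = tempfile.mkstemp(prefix="example-keytab-")
    os.write(fd, b"\x05\x02")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(run_ipa(["ping"]))
```

Run from cron as the account that owns the keytab; the permission check fails closed, so a keytab accidentally left group-readable stops the job instead of silently continuing.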


Re: [Freeipa-users] Help regarding SUDo rule implementation

2016-05-02 Thread Jakub Hrozek
On Mon, May 02, 2016 at 06:13:42AM +0300, Ben .T.George wrote:
> HI All
> 
> The sudo rules worked. Actually I tried after 6 hours. What is the default
> time for a rule to take effect normally? Is there any way to manually
> pull changes from the client?

See man sssd-sudo; it explains the different timeouts sssd
uses.



Re: [Freeipa-users] Help regarding SUDo rule implementation

2016-05-01 Thread Ben .T.George
HI All

The sudo rules worked. Actually I tried after 6 hours. What is the default
time for a rule to take effect normally? Is there any way to manually
pull changes from the client?

Regards,
Ben

On Sun, May 1, 2016 at 11:46 PM, Ben .T.George 
wrote:

> HI
>
> I have a working setup of FreeIPA 4.3 with AD integrated; I am able to
> apply HBAC rules and from the client side it's working.
>
> How can I apply sudo rules to that specific POSIX group?
>
> I have created a sample rule and added 2 commands, put the option as !authenticate
> and attached this rule to the client, but still sudo -l is not working.
>
> /etc/nsswitch.conf file has : sudoers: files sss
>
> and /etc/sssd/sssd.conf has : services = nss, sudo, pam, ssh
>
> Thanks & Regards,
> Ben
>

Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Sparks, Alan
 
>> [root@als-centos0002 sys-ops]# nisdomainname 
>> dakar.useast.hpcloud.net
>> 
>> [root@als-centos0002 sys-ops]# getent netgroup opsauto
>> opsauto  
>> (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
>> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
> 

>Your NIS domain name doesn't match. dakar.useast.hpcloud.net != 
>eucalyptus.internal
>rob

Thanks for that.   I must be misunderstanding the purpose of the --domain 
option.
-Alan



Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote:
> I still can’t find the problem after a lot of searching, can someone
> give me a little advice?   Assembling a POC of FreeIPA 4.1.0 server
> (stock CentOS-7 packages) and a CentOS 6.7 server with their stock 3.0.0
> packages.   Sudo version on the client is sudo-1.8.6p3. 
> 
>  
> 
> Have created a general sudo rule on the IPA server to grant access to a
> host group.   However it doesn't allow access, just a “sparksa is not
> allowed to run sudo on als-centos0002”. If I change the rule to not
> use host groups, and explicitly set the hosts, it works OK.
> 
> Have checked the stuff I’ve seen in general search, like the
> nisdomainname, values are set and look plausible.   The sudo debug logs
> seem to indicate vaguely that it can’t match the netgroup:
> 
> 
> Nov 18 16:07:37 sudo[15713]   username=sparksa
> Nov 18 16:07:37 sudo[15713] domainname=(null)
> Nov 18 16:07:37 sudo[15713] Received 1 rule(s)
> Nov 18 16:07:37 sudo[15713] sssd/ldap sudoHost '+opsauto' ... not
> Nov 18 16:07:37 sudo[15713] Sorting the remaining entries using the
> sudoOrder attribute
> Nov 18 16:07:37 sudo[15713] searching SSSD/LDAP for sudoers entries
> Nov 18 16:07:37 sudo[15713] Done with LDAP searches
> Nov 18 16:07:37 sudo[15713] keep
> HOSTNAME=als-centos0002.dakar.useast.hpcloud.net: YES
> Nov 18 16:07:37 sudo[15713] sudo_putenv:
> HOSTNAME=als-centos0002.dakar.useast.hpcloud.net
> 
>  
> 
> The setup of the client used the normal ‘ipa-client-install’ script.   
> From questions asked before, some salient debugging info:
> 
> 
> [root@als-centos0002 sys-ops]# nisdomainname
> dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# hostname
> als-centos0002.dakar.useast.hpcloud.net
> [root@als-centos0002 sys-ops]# getent netgroup opsauto
> opsauto  (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
> 
>  
> 
> Does anyone have any advice on what additional debug I should look at,
> just not sure what I’m missing.   Thanks in advance.

Your NIS domain name doesn't match. dakar.useast.hpcloud.net !=
eucalyptus.internal

rob



Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote:
>  
>>> [root@als-centos0002 sys-ops]# nisdomainname 
>>> dakar.useast.hpcloud.net
>>>
>>> [root@als-centos0002 sys-ops]# getent netgroup opsauto
>>> opsauto  
>>> (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal)
>>> (als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)
>>
> 
>> Your NIS domain name doesn't match. dakar.useast.hpcloud.net != 
>> eucalyptus.internal
>> rob
> 
> Thanks for that.   I must be misunderstanding the purpose of the --domain 
> option.
> -Alan
> 

--domain in the server is the default DNS zone for the IPA installation.

--domain in the client tells it where to look for the IPA server in DNS.

There is no actual NIS domain but since netgroups are a NIS construct it
requires something to be set. The NIS domain needs to match the IPA
server domain.

rob

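The mismatch Rob spotted, turned into a check, as an added example that is not from the list: parse the triples out of a `getent netgroup` line and apply innetgr-style matching (an empty field matches anything, `-` matches nothing, otherwise the field must equal the local value) against the local host name and NIS domain, reporting why each triple was rejected. The sample line is the one Alan posted, reused here as constructed input; `check_local` assumes `getent` and `nisdomainname` are on the PATH.

```python
import re
import socket
import subprocess

TRIPLE_RE = re.compile(r"\(([^,)]*),([^,)]*),([^)]*)\)")

# Alan's getent output, used as constructed sample input.
SAMPLE_GETENT_LINE = ("opsauto  (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) "
                      "(als-centos0002.dakar.useast.hpcloud.net,-,eucalyptus.internal)")


def parse_netgroup(line):
    """Split one `getent netgroup NAME` line into (name, [(host, user, domain), ...])."""
    name, _, rest = line.strip().partition(" ")
    return name, [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]


def field_matches(field, value):
    """innetgr-style rule: an empty field is a wildcard, '-' never matches."""
    if field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def host_in_netgroup(triples, hostname, nisdomain):
    """Return (matched, notes); notes explain each triple rejected before the
    first match, which is the information sudo's debug log does not give."""
    notes = []
    for host, _user, domain in triples:
        if not field_matches(host, hostname):
            notes.append("host field %r does not match local host %r" % (host, hostname))
        elif not field_matches(domain, nisdomain):
            notes.append("host %r matches, but domain field %r != NIS domain %r"
                         % (host, domain, nisdomain))
        else:
            return True, notes
    return False, notes


def check_local(netgroup):
    """Run the same check against this machine (needs getent and nisdomainname)."""
    line = subprocess.run(["getent", "netgroup", netgroup], capture_output=True,
                          text=True, check=True).stdout
    nisdomain = subprocess.run(["nisdomainname"], capture_output=True,
                               text=True, check=True).stdout.strip()
    if nisdomain in ("", "(none)"):
        return False, ["NIS domain name is not set on this host"]
    _, triples = parse_netgroup(line)
    return host_in_netgroup(triples, socket.getfqdn(), nisdomain)


if __name__ == "__main__":
    _, triples = parse_netgroup(SAMPLE_GETENT_LINE)
    print(host_in_netgroup(triples, "als-centos0002.dakar.useast.hpcloud.net",
                           "dakar.useast.hpcloud.net"))
```

With Alan's values the result is no match, and the second note names the domain field `eucalyptus.internal` against NIS domain `dakar.useast.hpcloud.net`; set the NIS domain to the IPA domain, as Rob says, and the same triple matches.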


Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-06-02 Thread Rob Crittenden

Martin Kosek wrote:

On 06/01/2015 02:19 AM, Sina Owolabi wrote:

Hi!

I am still stumbling along with this, I have had my IPA domain
destroyed and currently only a CA-less replica is left running the
network.
The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
I am trying to setup a fresh CA-master and I have exported the data in
the replica into ldif and bak folders in
/var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
I have copied these files and folders to the fresh install, which is
running RHEL7.1.
If I can complete an install, I plan to destroy the existing replica
and install from scratch 2 new ones just to be safe.

Please can someone direct me in properly editing the ldif file or the
bak archivedir to make it useful for the new CA master? I have already
deleted the existing replication agreements between the CA-less
replica and the lost CA master (the new fresh install is the same
hostname).
Importing data is successful, but then IPA refuses to run afterwards
with different error messages.

Thanks for any light shown my way.



Let me reiterate to see if I understood your scenario correctly:

- you had CA-powered FreeIPA infrastructure, with just one FreeIPA
server with CA service running
- the single FreeIPA+CA server was lost (I would suggest having more of
those in the future or using backup (snapshot or ipa-backup))
- you now want to install a brand new FreeIPA server and add data from
the old FreeIPA installation.

This is quite tricky: you can just add data from the old FreeIPA server to
the new server, but the new FreeIPA server will have a different Kerberos
master key and a different CA key, so all this and derived data would be
invalid. If you backed up the FreeIPA+CA master, I assume the PKI could
be recreated, but it does not seem to be the case.

In that case, I am afraid you would need to start a new infrastructure
and migrate the old data. I put a short description of how to migrate from one
FreeIPA to another on the wiki:

https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA


I guess it depends on what data you want/need to preserve from the 
original IPA installation and calculate which is more time consuming: 
crafting an LDIF to import or re-adding the data manually.


If you want to import from an LDIF, in general you need to:
- exclude any IPA master information (hosts, services, cn=masters,etc).
- exclude the admin user
- exclude any krbPrincipalKey values
- exclude any userCertificate values

You'll need to enable migration mode so your users can generate their 
Kerberos principal keys.


Also consider the UID range. If you installed the new master using the 
same range you'll probably want to modify the DNA range to mask out the 
already-assigned values.


If you used the same fqdn and REALM the import is easier.

You'll also need to re-enroll every client machine and browsers will 
need to re-import the CA cert. Expect conflicts.


I probably forgot some things too. It is not a super simple process 
though, and requires some understanding of IPA and its data.


So like I said, possible, but it can be problematic and expect several 
iterations of:


- import ldif
- test
- uninstall / reinstall
- goto import

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-06-02 Thread Sina Owolabi
Thanks Martin, Rob,

but I think I am totally lost.. I was able to migrate-ds but  I think
along the way I broke the replica. Errors I am seeing in the ipa
clients are like so:

Jun  2 16:33:11 ipaclient1 [sssd[ldap_child[27865]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:33:57 ipaclient1 certmonger: Server failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction.
Couldn't resolve host 'services01.mydom.com').
Jun  2 16:39:28 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:44:59 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database


 I've been editing and trying to import data from the ldif I was able
to export out of the CA-less replica. No luck so far.

On Tue, Jun 2, 2015 at 1:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Martin Kosek wrote:

 On 06/01/2015 02:19 AM, Sina Owolabi wrote:

 Hi!

 I am still stumbling along with this, I have had my IPA domain
 destroyed and currently only a CA-less replica is left running the
 network.
 The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
 I am trying to setup a fresh CA-master and I have exported the data in
 the replica into ldif and bak folders in
 /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
 I have copied these files and folders to the fresh install, which is
 running RHEL7.1.
 If I can complete an install, I plan to destroy the existing replica
 and install from scratch 2 new ones just to be safe.

 Please can someone direct me in properly editing the ldif file or the
 bak archivedir to make it useful for the new CA master? I have already
 deleted the existing replication agreements between the CA-less
 replica and the lost CA master (the new fresh install is the same
 hostname).
 Importing data is successful, but then IPA refuses to run afterwards
 with different error messages.

 Thanks for any light shown my way.


 Let me reiterate to see if I understood your scenario correctly:

 - you had CA-powered FreeIPA infrastructure, with just one FreeIPA
 server with CA service running
 - the single FreeIPA+CA server was lost (I would suggest having more of
 those in the future or using backup (snapshot or ipa-backup))
 - you now want to install a brand new FreeIPA server and add data from
 the old FreeIPA installation.

 This is quite tricky, you can just add data from old FreeIPA server to
 the new server - the new FreeIPA server will have different Kerberos
 master key, different CA key. All this and derived data would be
 invalid. If you backed up the FreeIPA+CA master, I assume the PKI could
 be recreated, but it does not seem to be the case.

 In that case, I am afraid you would need to start a new infrastructure
 and migrate old data, I put short description on how to migrate one
 FreeIPA to other FreeIPA on the wiki:


 https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA


 I guess it depends on what data you want/need to preserve from the original
 IPA installation and calculate which is more time consuming: crafting an
 LDIF to import or re-adding the data manually.

 If you want to import from an LDIF, in general you need to:
 - exclude any IPA master information (hosts, services, cn=masters,etc).
 - exclude the admin user
 - exclude any krbPrincipalKey values
 - exclude any userCertificate values

 You'll need to enable migration mode so your users can generate their
 Kerberos principal keys.

 Also consider the UID range. If you installed the new master using the same
 range you'll probably want to modify the DNA range to mask out the
 already-assigned values.

 If you used the 

Re: [Freeipa-users] Help with debugging HBACs

2015-02-16 Thread Andrew Egelhofer
Thank you for the reply Sumit - I will look into updating the version of
sssd. If that doesn't work, I will also try adding the
'sourceHostCategory' attribute to rules. Though, I would imagine I would
have to do this for *all* rules if I want them to work as intended. I'll
report back my findings tomorrow.

Thanks,
-Andrew

On Mon, Feb 16, 2015 at 12:40 AM, Sumit Bose sb...@redhat.com wrote:

 On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
  Hi FreeIPA Users-
 
  I've deployed a FreeIPA instance in my Lab, and enrolled a single host,
 and
  a single user ('testuser'). The only HBAC rule I currently have is the
  stock allow_all. Yet, when I attempt to log into the host via ssh, it
  closes the connection.
 
  $ ssh testuser@host
  Warning: Permanently added 'host,host-ip' (RSA) to the list of known
  hosts.
  testuser@host's password:
  Connection closed by host-ip
 
  The host I'm attempting to login to can correctly look up the user using
  getent:
 
  # getent passwd testuser
  testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
 
  Scanning /var/log/secure, I see these entries:
 
  Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication
  failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58
   user=testuser
  Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication
  success; logname= uid=0 euid=0 tty=ssh ruser=
  rhost=172.30.3.58 user=testuser
  Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied
 for
  user testuser: 6 (Permission denied)
 
  That tells me (From reading online) the user / password was correctly
  authenticated, but failed authorization due to HBAC rules. I've tested
 the
  rule using the 'hbactest' utility and it passes
 
  [root@Master ~]# ipa hbactest --user=testuser --host=host
 --service=sshd
  
  Access granted: True
  
Matched rules: allow_all
 
  I'm at a loss here, because If I comment out the line:
 
  account [default=bad success=ok user_unknown=ignore] pam_sss.so
 
  in /etc/pam.d/system-auth, the user is able to login.
 
  So what am I missing here? Is there a way I can debug HBAC rules? I've
  already set debug_level = 10 in /etc/sssd/sssd.conf, and I see its able
 to
  access the HBAC 'allow_all' rule in the log
 /var/log/sssd/sssd_domain.dc
  .log:
 
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [sdap_get_generic_done] (7): Total count [0]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule]
  (7): Processing rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
  [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule
 [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
  (5): Category is set to 'all'.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule
 [allow_all]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (7): [12] groups for [admin]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (7): Added group [admins] for user [admin]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
  administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
  replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
  enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
  keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
  (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
  [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
  

Re: [Freeipa-users] Help with debugging HBACs

2015-02-16 Thread Sumit Bose
On Sat, Feb 14, 2015 at 12:52:10PM -0800, Andrew Egelhofer wrote:
 Hi FreeIPA Users-
 
 I've deployed a FreeIPA instance in my Lab, and enrolled a single host, and
 a single user ('testuser'). The only HBAC rule I currently have is the
 stock allow_all. Yet, when I attempt to log into the host via ssh, it
 closes the connection.
 
 $ ssh testuser@host
 Warning: Permanently added 'host,host-ip' (RSA) to the list of known
 hosts.
 testuser@host's password:
 Connection closed by host-ip
 
 The host I'm attempting to login to can correctly look up the user using
 getent:
 
 # getent passwd testuser
 testuser:*:16843:16843:Test User:/home/testuser:/bin/bash
 
 Scanning /var/log/secure, I see these entries:
 
 Feb 14 12:01:50 host sshd[6528]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.30.3.58
  user=testuser
 Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:auth): authentication
 success; logname= uid=0 euid=0 tty=ssh ruser=
 rhost=172.30.3.58 user=testuser
 Feb 14 12:01:51 host sshd[6528]: pam_sss(sshd:account): Access denied for
 user testuser: 6 (Permission denied)
 
 That tells me (From reading online) the user / password was correctly
 authenticated, but failed authorization due to HBAC rules. I've tested the
 rule using the 'hbactest' utility and it passes
 
 [root@Master ~]# ipa hbactest --user=testuser --host=host --service=sshd
 
 Access granted: True
 
   Matched rules: allow_all
 
 I'm at a loss here, because If I comment out the line:
 
 account [default=bad success=ok user_unknown=ignore] pam_sss.so
 
 in /etc/pam.d/system-auth, the user is able to login.
 
 So what am I missing here? Is there a way I can debug HBAC rules? I've
 already set debug_level = 10 in /etc/sssd/sssd.conf, and I see its able to
 access the HBAC 'allow_all' rule in the log /var/log/sssd/sssd_domain.dc
 .log:
 
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [sdap_get_generic_done] (7): Total count [0]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_attrs_to_rule]
 (7): Processing rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_service_attrs_to_rule] (7): Processing PAM services for rule
 [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]] [hbac_get_category]
 (5): Category is set to 'all'.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_host_attrs_to_rule] (4): No host specified, rule will never apply.
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (7): [12] groups for [admin]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (7): Added group [admins] for user [admin]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=replication
 administrators,cn=privileges,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=modify
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=remove
 replication agreements,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=host
 enrollment,cn=privileges,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=manage host
 keytab,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=enroll a
 host,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=add
 krbprincipalname to a host,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf [cn=unlock user
 accounts,cn=permissions,cn=pbac,dc=domain,dc=dc]
 (Fri Feb 13 21:38:15 2015) [sssd[be[domain.dc]]]
 [hbac_eval_user_element] (8): Skipping non-group memberOf 
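
The sssd log excerpt above shows allow_all passing the user, service and target-host checks and then stopping at the source-host element ("No host specified, rule will never apply."), while `ipa hbactest` on the server grants access. The following added example (not sssd or FreeIPA code) models that evaluation so the discrepancy can be reproduced offline: the rule and request dictionaries are an illustrative subset of the real LDAP attributes (userCategory, serviceCategory, hostCategory, sourceHostCategory and the member* attributes), the values are constructed from this thread, and the `check_source_host` flag stands in for the client-side behaviour visible in the log.

```python
"""Model of how pam_sss evaluates HBAC rules, to reproduce a rule that passes
`ipa hbactest` on the server yet is denied on the client.  Added example, not
sssd or FreeIPA code.  The rule/request dictionaries are an illustrative
subset of the real LDAP attributes (userCategory, serviceCategory,
hostCategory, sourceHostCategory and the member* attributes); the values are
constructed from the thread."""

# allow_all as the sssd log above describes it: every category 'all' except
# that there is no source-host element at all.
ALLOW_ALL = {
    "cn": "allow_all",
    "usercategory": "all", "memberuser": set(),
    "servicecategory": "all", "memberservice": set(),
    "hostcategory": "all", "memberhost": set(),
    "sourcehostcategory": None, "sourcehost": set(),
}

REQUEST = {  # testuser logging in over sshd from 172.30.3.58
    "user": "testuser", "groups": set(),
    "service": "sshd", "service_groups": set(),
    "host": "host", "host_groups": set(),
    "source_host": "172.30.3.58",
}


def _matches(category, members, value, groups=()):
    """One rule element: category 'all' matches anything; otherwise the value
    itself or one of the groups it belongs to must be an explicit member."""
    if category == "all":
        return True
    return value in members or any(g in members for g in groups)


def rule_applies(rule, req, check_source_host):
    """Return (applies, reason).  With check_source_host=True a rule that has
    neither sourceHostCategory=all nor any source host is rejected, which is
    the 'No host specified, rule will never apply' outcome in the log."""
    if not _matches(rule["usercategory"], rule["memberuser"], req["user"], req["groups"]):
        return False, "user not matched"
    if not _matches(rule["servicecategory"], rule["memberservice"],
                    req["service"], req["service_groups"]):
        return False, "service not matched"
    if not _matches(rule["hostcategory"], rule["memberhost"], req["host"], req["host_groups"]):
        return False, "target host not matched"
    if check_source_host:
        if rule["sourcehostcategory"] != "all" and not rule["sourcehost"]:
            return False, "no source host specified, rule will never apply"
        if not _matches(rule["sourcehostcategory"], rule["sourcehost"], req["source_host"]):
            return False, "source host not matched"
    return True, "matched"


def evaluate(rules, req, check_source_host):
    """HBAC is allow-only: access is granted when at least one rule applies."""
    matched = [r["cn"] for r in rules if rule_applies(r, req, check_source_host)[0]]
    return bool(matched), matched


def with_source_host_all(rule):
    """The workaround mentioned in the reply: set sourceHostCategory=all."""
    fixed = dict(rule)
    fixed["sourcehostcategory"] = "all"
    return fixed


if __name__ == "__main__":
    for flag in (False, True):
        print(f"check_source_host={flag}:", evaluate([ALLOW_ALL], REQUEST, flag))
    print("with sourceHostCategory=all:",
          evaluate([with_source_host_all(ALLOW_ALL)], REQUEST, True))
```

With `check_source_host=False` (the server-side view) allow_all matches; with it set to True the same rule never applies, and only adding sourceHostCategory=all, or dropping the source-host check entirely as the reply's suggested sssd update would, lets the login through. The practical lesson is the one Andrew draws: when `ipa hbactest` and pam_sss disagree, the rule data is identical and it is the evaluator that differs, so compare the sssd version and the rule attributes the log says it processed rather than the rule as the Web UI shows it.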

Re: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

2014-06-30 Thread Sumit Bose
On Fri, Jun 27, 2014 at 02:23:47PM -0400, Mark Gardner wrote:
 Was trying to add an external ad group to IPA, it kept failing with unable
 to connect to server.
 
 Figured I'd reboot to clear things up.  Oops.
 
 Now wbinfo --online-status shows our AD as offline.
 wbinfo -u shows blank
 
 wbinfo -n 'DOMAIN\user' gives the following message:
 
 failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
 could not lookup 'Domain\user'

There might be various reasons for this issue. To debug this winbindd
logs are needed.
Please

- call net conf setparm global 'log level' 10 on the command line
- stop smbd and winbindd
- remove (or save at a different location) the log files in
  /var/log/samba
- start smbd and winbindd
- run wbinfo -n 'DOMAIN\user' again
- check /var/log/samba/wb-ADDOMAIN for errors

Feel free to send the log to the list or directly to me if you think the
file is too large for a mailing-list or if it might contain sensitive
information.

bye,
Sumit
 
 I saw a similar post in the freeipa-users archive about adding
 client min protocol = CORE
 client max protocol = SMB2_02
 to the samba config; restarted winbind and still getting errors
 
 FreeIPA 3.0
 Windows 2008 R2.




Re: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

2014-06-27 Thread Johan Petersson
Hi,

Probably there are better ways to solve this issue but the way that works for 
me is to validate the trust from the AD side after a reboot of the IPA Server - 
it always shows as offline for me too. On 2012 Server you can do this through 
Active Directory Domains and Trusts - properties on your domain and go to trust 
tab - properties again. Next you press validate on the General tab. AD will ask 
for authentication but that can be skipped.
AD Trust will be back online right away and you can check it through wbinfo 
--online-status.

Probably the procedure is similar on Server 2008.

Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Mark Gardner [malek...@gmail.com]
Sent: Friday, June 27, 2014 20:23
To: freeipa-users
Subject: [Freeipa-users] Help: Rebooted IPA server and AD Trust shows offline

Was trying to add an external ad group to IPA, it kept failing with unable to 
connect to server.

Figured I'd reboot to clear things up.  Oops.

Now wbinfo --online-status shows our AD as offline.
wbinfo -u shows blank

wbinfo -n 'DOMAIN\user' gives the following message:

failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
could not lookup 'Domain\user'

I saw a similar post in the freeipa-users archive about adding
client min protocol = CORE
client max protocol = SMB2_02
to the samba config; restarted winbind and still getting errors

FreeIPA 3.0
Windows 2008 R2.


Re: [Freeipa-users] HELP

2014-03-27 Thread Natxo Asenjo
On Thu, Mar 27, 2014 at 7:58 PM, Todd Maugh tma...@boingo.com wrote:

  My Master IPA server has been lost,


  My replica is still up and functioning.


  what is the best way to proceed?


  Do I rebuild my master and add it as a replica?


  how do I get my master back in line with my IPA env?


  the Master needs to be rebuilt from scratch


  red hat 6.5 latest version of IPA


Just a quick question: is this a production network with real business at
risk? Or is this a test lab?

To answer your questions: I guess that it depends on whether the 2nd master
(in ipa all domain controllers are multimaster) has a copy of the CA too.
If it does then yes, you can rebuild it and create a replica.

If the domain controller does not have a copy of the CA, well, I am not
really sure at this point.

-- 
regards,
natxo
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] HELP

2014-03-27 Thread Rob Crittenden

Todd Maugh wrote:

My Master IPA server has been lost,


My replica is still up and functioning.


what is the best way to proceed?


Do I rebuild my master and add it as a replica?


how do I get my master back in line with my IPA env?


the Master needs to be rebuilt from scratch


red hat 6.5 latest version of IPA


Is the replica running the CA? If not things will get very complicated.

See http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

The replica has a replication agreement with the master that is now gone 
so you'll want to delete that agreement using ipa-replica-manage. But 
yes, once the new host is ready, create it as a new replica.


rob



Re: [Freeipa-users] help: ipa error 4301

2013-07-18 Thread Martin Kosek
On 07/17/2013 11:14 PM, Shapiro, Matthew E CTR DODHRA DMDC (US) wrote:
 Hi ,
 
 While running the ipa-client-install script on a RHEL 6.4 server, I get the
 following output (please note the indicated line with the arrow):
 
 [root@[hostname]]# ipa-client-install
 Discovery was successful!
 Hostname: [hostname]
 Realm: example.com
 DNS Domain: example.com
 IPA Server: chtvm-389.example.com
 BaseDN: dc=example,dc=com
 
 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admin
 Password for admin example com:
 
 Enrolled in IPA realm example.com
 Created /etc/ipa/default.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm example.com
 SSSD enabled
 Kerberos 5 enabled
 --> Unable to find 'admin' user with 'getent passwd admin'!
 Recognized configuration: SSSD
 NTP enabled
 Client configuration complete.
 
 Also, please note that I’ve obfuscated the hostname, domain, and realm for
 security reasons. I believe I’ve narrowed down the problem to certificate
 enrollment.  When I check my IPA Server Web UI, I have a notice in my host
 details that says “no valid certificate present.”  I then checked my client
 host by running:
 
 [root@hostname user]# ipa-getcert list
 Number of certificates and requests being tracked: 1.
 Request ID '20130717205230':
 status: CA_UNCONFIGURED
 ca-error: Error setting up ccache for local host service using
 default keytab: Resource temporarily unavailable.
 stuck: yes
 key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
 Machine Certificate - hostname.example.com',token='NSS Certificate DB'
 certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
 Certificate - hostname.example.com '
 CA: IPA
 issuer:
 subject:
 expires: unknown
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes
 
 I’m concerned about that “stuck” field, I have no idea what that means.
 
 I have other RHEL 6.4 clients that have been able to join my IPA domain with
 no issue at all, but this one client baffles me.  Any thoughts??
 
 --
 Matthew Shapiro
 Systems Administrator
 
 Trofholz Technologies, Inc.
 Defense Personnel and Security Research Center (PERSEREC)
 Defense Manpower Data Center (DMDC)
 Office: 831.583.2828
 
 
 

There seems to be something wrong with the host keytab:

...

 ca-error: Error setting up ccache for local host service using
 default keytab: Resource temporarily unavailable.

Can you check if the host principal in keytab are correct?

# klist -kt /etc/krb5.keytab

Are you able to kinit with the host principal?

# kinit -kt /etc/krb5.keytab host/[hostname]@[REALM]


Another issue I saw (Unable to find 'admin' user with 'getent passwd admin') -
is this still not working?

# getent passwd admin

Martin

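
Martin's two checks (is the right host principal in /etc/krb5.keytab, and what exactly is certmonger stuck on) can be scripted so they are repeatable across a fleet of clients. The block below is an added example, not FreeIPA or certmonger code: it parses the text output of `ipa-getcert list` (format as shown in the thread) and of `klist -kt` (MIT Kerberos column layout) from constructed samples, and the keytab sample deliberately holds a short-name principal so the mismatch report is visible. The live `kinit -kt` test from the reply is left to the shell; this script only inspects.

```python
"""Offline checks for the two symptoms in this thread: a certmonger request
that is 'stuck' with a ccache/keytab ca-error, and a host keytab that does
not hold the principal the client needs.  Added example, not FreeIPA or
certmonger code.  It parses the text of `ipa-getcert list` (format as shown
above) and `klist -kt` (MIT Kerberos column layout); both samples below are
constructed, and the keytab sample deliberately holds a short-name principal."""
import re

GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20130717205230':
\tstatus: CA_UNCONFIGURED
\tca-error: Error setting up ccache for local host service using default keytab: Resource temporarily unavailable.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - hostname.example.com'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
"""

KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/17/2013 13:52:30 host/hostname@EXAMPLE.COM
   2 07/17/2013 13:52:30 host/hostname@EXAMPLE.COM
"""


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def stuck_requests(text):
    """(id, status, ca-error) for every request certmonger has given up on."""
    return [(r["id"], r.get("status", ""), r.get("ca-error", ""))
            for r in parse_getcert_list(text) if r.get("stuck") == "yes"]


def parse_keytab(text):
    """(kvno, principal) pairs from `klist -kt` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            entries.append((int(parts[0]), parts[-1]))
    return entries


def check_host_principal(text, fqdn, realm):
    """Verify the keytab holds host/<fqdn>@<REALM>, the principal certmonger
    and sssd use; otherwise list what is there so a name or realm mismatch
    (short hostname, wrong realm case) is obvious."""
    wanted = f"host/{fqdn}@{realm}"
    entries = parse_keytab(text)
    kvnos = [k for k, p in entries if p == wanted]
    if kvnos:
        return True, f"{wanted} present, kvno {max(kvnos)}"
    present = sorted({p for _, p in entries}) or ["nothing"]
    return False, f"{wanted} missing; keytab holds: {', '.join(present)}"


if __name__ == "__main__":
    for req_id, status, err in stuck_requests(GETCERT_OUTPUT):
        print(f"stuck request {req_id}: status={status} ca-error={err}")
    print(check_host_principal(KEYTAB_LISTING, "hostname.example.com", "EXAMPLE.COM")[1])
```

On a real client, feed it `ipa-getcert list` and `klist -kt /etc/krb5.keytab` output instead of the samples. A "missing; keytab holds: host/hostname@EXAMPLE.COM" result is the same class of problem as the "Client 'host/ipaclient1.mydom@mydom.com' not found in Kerberos database" lines earlier on this page: the keytab principal does not name the host the KDC knows, so certmonger cannot obtain a credential for the local host service and the request stays stuck until the host is re-enrolled (or `ipa-getkeytab` is re-run for the correct principal).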


Re: [Freeipa-users] Help troubleshooting migrate-ds

2013-05-09 Thread Arturo Borrero

On 07/05/13 22:04, Rob Crittenden wrote:

https://fedorahosted.org/freeipa/ticket/3364

rob


Thanks for pointing that out. It was the key.

Now I'm having other issues, but the kind of issues I like :)

Regards

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía




smime.p7s
Description: S/MIME Cryptographic Signature

Re: [Freeipa-users] Help troubleshooting migrate-ds

2013-05-07 Thread Arturo Borrero

On 03/05/13 12:40, Arturo Borrero wrote:

Hi there!

In a freshly installed FreeIPA server, I try:

# ipa migrate-ds
LDAP URI: ldaps://ldap.example.com
Password:
ipa: ERROR: cannot connect to u'ldaps://ldap.example.com': 
LDAP Server Down


This is a related line I found in the logfile:

[Fri May 03 12:30:53 2013] [error] ipa: INFO: ad...@example.com: 
migrate_ds(u'ldaps://ldap.example.com', u'', 
binddn=u'cn=admin,dc=example,dc=com', 
usercontainer=u'ou=example,ou=users', 
groupcontainer=u'ou=example,ou=groups', userobjectclass=(u'person',), 
groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'), 
userignoreobjectclass=None, userignoreattribute=None, 
groupignoreobjectclass=None, groupignoreattribute=None, 
groupoverwritegid=False, schema=u'RFC2307bis', continue=False, 
basedn=u'ou=cuentas,dc=example,dc=com', compat=False, 
exclude_groups=None, exclude_users=None): NetworkError


Am I missing something? Are there some prerequisites in the DNS server 
for this to work?


Of course, the IPA server has full network contact with the LDAP 
server (tcp/636), I see some packets doing a tcpdump in the LDAP server.


Is there a way to get a more verbose log output of what is going on?


I don't have any clue yet. Google seems empty when I search for this 
error and this operation made by others seems error-free.


Any idea?

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía




smime.p7s
Description: S/MIME Cryptographic Signature

Re: [Freeipa-users] Help troubleshooting migrate-ds

2013-05-07 Thread Dmitri Pal
On 05/07/2013 07:53 AM, Arturo Borrero wrote:
 On 03/05/13 12:40, Arturo Borrero wrote:
 Hi there!

 In a freshly installed FreeIPA server, I try:

 # ipa migrate-ds
 LDAP URI: ldaps://ldap.example.com
 Password:
 ipa: ERROR: cannot connect to u'ldaps://ldap.example.com':
 LDAP Server Down

 This is a related line I found in the logfile:

 [Fri May 03 12:30:53 2013] [error] ipa: INFO: ad...@example.com:
 migrate_ds(u'ldaps://ldap.example.com', u'',
 binddn=u'cn=admin,dc=example,dc=com',
 usercontainer=u'ou=example,ou=users',
 groupcontainer=u'ou=example,ou=groups', userobjectclass=(u'person',),
 groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'),
 userignoreobjectclass=None, userignoreattribute=None,
 groupignoreobjectclass=None, groupignoreattribute=None,
 groupoverwritegid=False, schema=u'RFC2307bis', continue=False,
 basedn=u'ou=cuentas,dc=example,dc=com', compat=False,
 exclude_groups=None, exclude_users=None): NetworkError

 Am I missing something? Are there some prerequisites in the DNS server
 for this to work?

 Of course, the IPA server has full network contact with the LDAP
 server (tcp/636), I see some packets doing a tcpdump in the LDAP server.

 Is there a way to get a more verbose log output of what is going on?

 I don't have any clue yet. Google seems empty when I search for this
 error and this operation made by others seems error-free.

 Any idea?

Can it be that the certs are not properly configured?
What LDAP server you are trying to use?






-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Help troubleshooting migrate-ds

2013-05-07 Thread Rob Crittenden

Arturo Borrero wrote:

On 03/05/13 12:40, Arturo Borrero wrote:

Hi there!

In a freshly installed FreeIPA server, I try:

# ipa migrate-ds
LDAP URI: ldaps://ldap.example.com
Password:
ipa: ERROR: cannot connect to u'ldaps://ldap.example.com':
LDAP Server Down

This is a related line I found in the logfile:

[Fri May 03 12:30:53 2013] [error] ipa: INFO: ad...@example.com:
migrate_ds(u'ldaps://ldap.example.com', u'',
binddn=u'cn=admin,dc=example,dc=com',
usercontainer=u'ou=example,ou=users',
groupcontainer=u'ou=example,ou=groups', userobjectclass=(u'person',),
groupobjectclass=(u'groupOfUniqueNames', u'groupOfNames'),
userignoreobjectclass=None, userignoreattribute=None,
groupignoreobjectclass=None, groupignoreattribute=None,
groupoverwritegid=False, schema=u'RFC2307bis', continue=False,
basedn=u'ou=cuentas,dc=example,dc=com', compat=False,
exclude_groups=None, exclude_users=None): NetworkError

Am I missing something? Are there some prerequisites in the DNS server
for this to work?

Of course, the IPA server has full network contact with the LDAP
server (tcp/636), I see some packets doing a tcpdump in the LDAP server.

Is there a way to get a more verbose log output of what is going on?


I don't have any clue yet. Google seems empty when I search for this
error and this operation made by others seems error-free.

Any idea?


https://fedorahosted.org/freeipa/ticket/3364

rob



Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-21 Thread Ben Ho

Sorry for the late reply Steven - No, there is no firewall.
-Ben

From: steven.jo...@vuw.ac.nz
CC: freeipa-users@redhat.com
Date: Tue, 15 May 2012 21:04:04 +
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

firewall?

regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Ben Ho [ben1...@hotmail.com]
Sent: Wednesday, 16 May 2012 8:49 a.m.
To: rmegg...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are running IPA. 
 I am trying to replicate one server to two other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the 
second server I get this message in my log files.  The errors get printed out 
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu 
(example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu 
(example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu 
(example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu 
(example2:389): Warning: unable to replicate schema: rc=1

  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your 
servers?

  Thanks!

-Ben


Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-21 Thread Ben Ho

Hi Rich,
  Yes, replication is working otherwise on these two servers:

Server1 and Server2:
freeipa-server-selinux-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
Fedora release 16
389-ds-base-1.2.10.6-1.fc16.x86_64

Date: Tue, 15 May 2012 18:33:34 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

Is replication otherwise working?

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are running
IPA.  I am trying to replicate one server to two other servers.  I use this
command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the
second server I get this message in my log files.  The errors get printed out
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Schema replication update failed:
Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate
schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Schema replication update failed:
Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate
schema: rc=1

  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your
servers?

  Thanks!

-Ben


Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-21 Thread Rich Megginson

On 05/21/2012 03:57 PM, Ben Ho wrote:

Hi Rich,
  Yes, replication is working otherwise on these two servers:

*Server1 and Server2:*
freeipa-server-selinux-2.1.4-7.fc16.x86_64
freeipa-client-2.1.4-7.fc16.x86_64
freeipa-server-2.1.4-7.fc16.x86_64
Fedora release 16
389-ds-base-1.2.10.6-1.fc16.x86_64


Ok.  I'm not sure what's going on.  But as long as replication is 
working otherwise, you can ignore this.





Date: Tue, 15 May 2012 18:33:34 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 02:49 PM, Ben Ho wrote:

This is the information I retrieved about my server.

*ipa-server-selinux-2.1.3-9.el6.x86_64*
*ipa-client-2.1.3-9.el6.x86_64*
*ipa-server-2.1.3-9.el6.x86_64*
*CentOS release 6.2*
*389-ds-base-1.2.9.14-1.el6_2.2.x86_64*

Thanks again.


Is replication otherwise working?


-Ben


Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that
are running IPA.  I am trying to replicate one server to two
other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.
 However, on the second server I get this message in my log
files.  The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Warning: unable to
replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Warning: unable to
replicate schema: rc=1


  Again, I am pretty new to this, so any help or tips would be
appreciated.


What platform and what version of 389-ds-base and ipa-server for
all of your servers?


  Thanks!

-Ben



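An added example, not code from the thread or from 389-ds/FreeIPA, of the check Rich's answer implies: parse the NSMMReplicationPlugin lines from the 389-ds error log, group them per replication agreement, and separate the schema-replication warnings (which can be ignored while replication otherwise works) from any other error reported on the same agreement. The sample is the four log lines quoted in the thread plus one constructed bind-failure line; the quoted form of the agreement name (agmt="cn=...") is what 389-ds writes, the unquoted form is what the archive shows, and the regex accepts both.

```python
"""Summarise 389-ds replication-plugin errors per agreement.

Added example; not code from the thread or from 389-ds/FreeIPA.  Separates the
schema-replication warnings shown in the thread from any other error on the
same agreement, so an operator can tell whether only the ignorable warnings
are recurring.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four lines quoted in the thread plus one constructed
# line (the last one) standing in for a real failure on the example2 agreement.
SAMPLE_LOG = """\
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:25:01 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Replication bind failed: LDAP error 49 (Invalid credentials)
"""

# Timestamp, optionally quoted agreement name, consumer host:port, message.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'NSMMReplicationPlugin - agmt="?(?P<agmt>cn=[^"(]+?)"? '
    r'\((?P<host>[^:)]+):(?P<port>\d+)\): (?P<msg>.*)$')


def parse_line(line):
    """Parse one NSMMReplicationPlugin error-log line; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'agmt': m['agmt'],
        'host': m['host'],
        'port': int(m['port']),
        'msg': m['msg'],
    }


def is_schema_warning(msg):
    """Both messages the thread shows mention schema; anything else on the
    agreement (bind failures, consumer errors) is a different problem."""
    return 'schema' in msg.lower()


def summarize(log_text):
    """Group replication-plugin messages per agreement name."""
    per_agmt = defaultdict(lambda: {'host': None, 'schema_warnings': 0,
                                    'other': [], 'first': None, 'last': None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        e = per_agmt[rec['agmt']]
        e['host'] = rec['host']
        e['first'] = rec['ts'] if e['first'] is None else min(e['first'], rec['ts'])
        e['last'] = rec['ts'] if e['last'] is None else max(e['last'], rec['ts'])
        if is_schema_warning(rec['msg']):
            e['schema_warnings'] += 1
        else:
            e['other'].append(rec['msg'])
    return dict(per_agmt)


def verdict(entry):
    """'schema-only' when only the ignorable warnings appear, else 'needs-attention'."""
    return 'needs-attention' if entry['other'] else 'schema-only'


if __name__ == '__main__':
    for agmt, e in summarize(SAMPLE_LOG).items():
        print(f"{agmt} -> {e['host']}: {e['schema_warnings']} schema warning(s), "
              f"{len(e['other'])} other error(s): {verdict(e)}")
```

Run it against `/var/log/dirsrv/slapd-INSTANCE/errors` by reading the file into `summarize()`; an agreement that comes back `schema-only` matches the situation in the thread, while `needs-attention` means something other than the schema warning is being logged for that consumer.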

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Simo Sorce
On Mon, 2012-05-14 at 19:11 -0400, Dmitri Pal wrote:
 On 05/14/2012 05:25 PM, Chandan Kumar wrote:
 
  System: Centos 6.2
  IPA version : ipa-server-2.1.3-9.el6.x86_64
 
 
  Thanks
  Chandan
 
 
 
 I am not sure but seems like something is not properly configured with
 the browser.
 I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
 on a working configuration.
 But I will defer to experts.
 
Firefox always uses SPNEGO.
Here what fails is the init_sec_context; I assume the user does not have
a Kerberos ticket, so SPNEGO fails to find valid credentials for any of
the supported mechs and punts.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar
The kinit does show that the keys are there.

[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/example@example.com




Thanks
Chandan





On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar chandank.ku...@gmail.com wrote:

 Hi,
 I am running the default Firefox that comes with CentOS 6.2. I guess that
 whatever time I do kinit it just does not work for me, even for a single
 time.

 Also it shows that I am logged in as u...@freeipa.org in the main
 background web page. Not sure whether it's relevant to this error.


 On Monday, 14 May 2012, Steven Jones wrote:

  Hi,



 I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't
 connect but that's a Safari issue I'm sure.

 After running kinit admin I find the Kerberos ticket expires about 24
 hours later so you have to renew?  What you can do if it simply won't
 work is get IPA to fall back to asking for a password, which is what I have
 had to set for Windows 7 Firefox users.

 It might depend on which version of Firefox; 3 and 10 do work. I
 think RH say Firefox 10 is the long-term supported version for them so I'd
 run that at least.



 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 0064 4 463 6272
   --
 *From:* freeipa-users-boun...@redhat.com [
 freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [
 chandank.ku...@gmail.com]
 *Sent:* Tuesday, 15 May 2012 9:25 a.m.
 *To:* d...@redhat.com
 *Cc:* freeipa-users@redhat.com
 *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup


 System: Centos 6.2
 IPA version : ipa-server-2.1.3-9.el6.x86_64


 Thanks
 Chandan





 On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

  On 05/14/2012 05:09 PM, Chandan Kumar wrote:

 I am a newbie in IPA and was experimenting it on my couple of VMs before
 considering it for production level.

 Installation went fine, however, I am getting the kerberos key
 expiration error at firefox. I am running firefox on the same machine where
 I have installed/configured ipa-server. On googling and some help in IRC I
 checked documentation to trouble shoot it as this appear to be a known
 problem.

 Moreover, I did follow

 http://freeipa.org/page/InstallAndDeploy
 http://freeipa.org/page/TroubleshootingGuide

 Fire fox logs

 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]
 -1977841888[7fc789f5b040]:   using REQ_DELEGATE
 -1977841888[7fc789f5b040]:   service = ipaserver.example.com
 -1977841888[7fc789f5b040]:   using negotiate-gss
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
 -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
 [challenge=Negotiate]
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
 -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
 GSS failure.  Minor code may provide more information
 SPNEGO cannot find mechanisms to negotiate
 -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]

 [root@ds var]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ad...@example.com

 Valid starting     Expires            Service principal
 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
 [root@ds var]#

 Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin

 at http://fpaste.org/9hXX/

 I am not sure what I am missing though. Appreciate any help.

 Thanks
 Chandan




  Are you running FF on windows?
 Which version of IPA are you using?






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/






 --
 Sent from my iPad

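Simo's diagnosis above is that gss_init_sec_context() has no credentials to offer, Chandan's reply shows a klist with a TGT present, and Steven's earlier note mentions the roughly 24-hour ticket lifetime. The following is an added example, not code from the thread or from FreeIPA, that turns those three checks into one script: it parses klist output, classifies the credential cache as missing, expired or issued for a different realm than the IPA server's, and pulls the GSSAPI error text out of the Firefox NSPR log. The klist text and the realm EXAMPLE.COM are constructed (the archive's principals are obfuscated); the Firefox log lines are a copy of the ones quoted in the thread.

```python
"""Diagnose a Firefox Negotiate/SPNEGO failure against IPA from the client side.

Added example; not code from the thread or from FreeIPA.  Checks the Kerberos
credential cache the browser would use and extracts the GSSAPI error from the
NSPR negotiateauth log.
"""
import re
from datetime import datetime

# Constructed klist output in the classic MIT format (mm/dd/yy), with
# un-obfuscated principals so the realm check has something to compare.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com@EXAMPLE.COM
"""

# Copy of the Firefox NSPR log lines quoted in the thread.
SAMPLE_FIREFOX_LOG = """\
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
"""

TICKET_RE = re.compile(
    r'^(?P<start>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+'
    r'(?P<exp>\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(?P<svc>\S+)')
NSPR_PREFIX_RE = re.compile(r'^-?\d+\[[0-9a-f]+\]:')


def parse_klist_ts(text):
    """klist prints two- or four-digit years depending on version and locale."""
    for fmt in ('%m/%d/%y %H:%M:%S', '%m/%d/%Y %H:%M:%S'):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f'unrecognised klist timestamp: {text!r}')


def parse_klist(text):
    """Return {'principal': str or None, 'tickets': [{'start','expires','service'}]}."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith('Default principal:'):
            principal = line.split(':', 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({'start': parse_klist_ts(m['start']),
                            'expires': parse_klist_ts(m['exp']),
                            'service': m['svc']})
    return {'principal': principal, 'tickets': tickets}


def diagnose_cache(klist_text, expected_realm, now):
    """Classify why gss_init_sec_context() might have nothing to work with."""
    tgts = [t for t in parse_klist(klist_text)['tickets']
            if t['service'].startswith('krbtgt/')]
    if not tgts:
        return 'no-tgt'            # no ticket at all: SPNEGO finds no usable mech
    live = [t for t in tgts if t['expires'] > now]
    if not live:
        return 'tgt-expired'       # the ~24h lifetime ran out; kinit again
    wanted = f'krbtgt/{expected_realm}@{expected_realm}'
    if not any(t['service'] == wanted for t in live):
        return 'realm-mismatch'    # TGT is for a realm other than the IPA server's
    return 'ok'


def gss_failure_reason(nspr_log):
    """Extract the GSSAPI error text, including continuation lines, from the log."""
    lines = nspr_log.splitlines()
    for i, line in enumerate(lines):
        if 'gss_init_sec_context() failed:' in line:
            parts = [line.split('failed:', 1)[1]]
            for cont in lines[i + 1:]:
                if NSPR_PREFIX_RE.match(cont):
                    break
                parts.append(cont)
            return ' '.join(' '.join(parts).split())
    return None


if __name__ == '__main__':
    now = parse_klist_ts('05/14/12 14:00:00')
    print('credential cache:', diagnose_cache(SAMPLE_KLIST, 'EXAMPLE.COM', now))
    print('GSSAPI error:', gss_failure_reason(SAMPLE_FIREFOX_LOG))
```

On a real client, feed `diagnose_cache()` the output of `klist` from the same user session Firefox runs in and pass `datetime.now()`; a cache that checks out as `ok` while the NSPR log still reports the SPNEGO failure points at the browser configuration rather than at Kerberos, which is where Steven's advice to fall back to password authentication comes in.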

Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Rich Megginson

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are 
running IPA.  I am trying to replicate one server to two other 
servers.  I use this command:


ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on 
the second server I get this message in my log files.  The errors get 
printed out once every 1 to 5 minutes.


[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
agmt=cn=meToexample1.edu (example1:389): Schema replication update 
failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
agmt=cn=meToexample1.edu (example1:389): Warning: unable to 
replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
agmt=cn=meToexample2.edu (example2:389): Schema replication update 
failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
agmt=cn=meToexample2.edu (example2:389): Warning: unable to 
replicate schema: rc=1



  Again, I am pretty new to this, so any help or tips would be 
appreciated.


What platform and what version of 389-ds-base and ipa-server for all of 
your servers?




  Thanks!

-Ben




Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Steven Jones
Hi,

For me it sounds like you have not configured Firefox to use IPA or CentOS is
missing a package/rpm. What strikes me as strange is you should get pop-ups
telling/helping you do it. Just following them makes it easy.

If you have and it just won't work, I suggest moving to password authentication
to get you past that problem so you can get on with testing.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Chandan Kumar [chandank.ku...@gmail.com]
Sent: Wednesday, 16 May 2012 2:35 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Help regarding Basic FreeIPA setup

Hi,
I am running the default Firefox that comes with CentOS 6.2. I guess that
whatever time I do kinit it just does not work for me, even for a single time.

Also it shows that I am logged in as u...@freeipa.org in the main
background web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,



I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect
but that's a Safari issue I'm sure.

After running kinit admin I find the Kerberos ticket expires about 24 hours
later so you have to renew?  What you can do if it simply won't work is get IPA
to fall back to asking for a password, which is what I have had to set for
Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work. I think RH
say Firefox 10 is the long-term supported version for them so I'd run that at
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie in IPA and was experimenting it on my couple of VMs before 
considering it for production level.

Installation went fine, however, I am getting the kerberos key expiration error 
at firefox. I am running firefox on the same machine where I have 
installed/configured ipa-server. On googling and some help in IRC I checked 
documentation to trouble shoot it as this appear to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Fire fox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = ipaserver.example.com
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin

at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/







--
Sent from my iPad

Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Steven Jones
firewall?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Ben Ho [ben1...@hotmail.com]
Sent: Wednesday, 16 May 2012 8:49 a.m.
To: rmegg...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben


Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:
Hello,
  I am pretty new to IPA.  Right now I have three servers that are running IPA. 
 I am trying to replicate one server to two other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the 
second server I get this message in my log files.  The errors get printed out 
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu 
(example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt=cn=meToexample1.edu 
(example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu 
(example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt=cn=meToexample2.edu 
(example2:389): Warning: unable to replicate schema: rc=1


  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your 
servers?


  Thanks!

-Ben





Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Ben Ho

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben

Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are running
IPA.  I am trying to replicate one server to two other servers.  I use this
command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the
second server I get this message in my log files.  The errors get printed out
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Schema replication update failed:
Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Warning: unable to replicate
schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Schema replication update failed:
Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Warning: unable to replicate
schema: rc=1

  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your
servers?

  Thanks!

-Ben


Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Rich Megginson

On 05/15/2012 02:49 PM, Ben Ho wrote:

This is the information I retrieved about my server.

*ipa-server-selinux-2.1.3-9.el6.x86_64*
*ipa-client-2.1.3-9.el6.x86_64*
*ipa-server-2.1.3-9.el6.x86_64*
*CentOS release 6.2*
*389-ds-base-1.2.9.14-1.el6_2.2.x86_64*

Thanks again.


Is replication otherwise working?



-Ben


Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are
running IPA.  I am trying to replicate one server to two other
servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.
 However, on the second server I get this message in my log files.
 The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample1.edu (example1:389): Warning: unable to
replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt=cn=meToexample2.edu (example2:389): Warning: unable to
replicate schema: rc=1


  Again, I am pretty new to this, so any help or tips would be
appreciated.


What platform and what version of 389-ds-base and ipa-server for all 
of your servers?



  Thanks!

-Ben




Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
 I am a newbie in IPA and was experimenting it on my couple of VMs
 before considering it for production level.

 Installation went fine, however, I am getting the kerberos key
 expiration error at firefox. I am running firefox on the same machine
 where I have installed/configured ipa-server. On googling and some
 help in IRC I checked documentation to trouble shoot it as this appear
 to be a known problem.

 Moreover, I did follow

 http://freeipa.org/page/InstallAndDeploy
 http://freeipa.org/page/TroubleshootingGuide

 Fire fox logs

 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]
 -1977841888[7fc789f5b040]:   using REQ_DELEGATE
 -1977841888[7fc789f5b040]:   service = ipaserver.example.com
 -1977841888[7fc789f5b040]:   using negotiate-gss
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
 -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
 [challenge=Negotiate]
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
 -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
 GSS failure.  Minor code may provide more information
 SPNEGO cannot find mechanisms to negotiate
 -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]

 [root@ds var]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ad...@example.com

 Valid starting     Expires            Service principal
 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
 [root@ds var]#

 Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin

 at http://fpaste.org/9hXX/

 I am not sure what I am missing though. Appreciate any help.

 Thanks
 Chandan




Are you running FF on windows?
Which version of IPA are you using?





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Chandan Kumar
System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

 On 05/14/2012 05:09 PM, Chandan Kumar wrote:

 I am a newbie in IPA and was experimenting it on my couple of VMs before
 considering it for production level.

 Installation went fine, however, I am getting the kerberos key expiration
 error at firefox. I am running firefox on the same machine where I have
 installed/configured ipa-server. On googling and some help in IRC I checked
 documentation to trouble shoot it as this appear to be a known problem.

 Moreover, I did follow

 http://freeipa.org/page/InstallAndDeploy
 http://freeipa.org/page/TroubleshootingGuide

 Fire fox logs

 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]
 -1977841888[7fc789f5b040]:   using REQ_DELEGATE
 -1977841888[7fc789f5b040]:   service = ipaserver.example.com
 -1977841888[7fc789f5b040]:   using negotiate-gss
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
 -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
 [challenge=Negotiate]
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
 -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
 failure.  Minor code may provide more information
 SPNEGO cannot find mechanisms to negotiate
 -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]

 [root@ds var]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ad...@example.com

 Valid starting     Expires            Service principal
 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
 [root@ds var]#

 Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin

 at http://fpaste.org/9hXX/

 I am not sure what I am missing though. Appreciate any help.

 Thanks
 Chandan




 Are you running FF on windows?
 Which version of IPA are you using?






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal
On 05/14/2012 05:25 PM, Chandan Kumar wrote:

 System: Centos 6.2
 IPA version : ipa-server-2.1.3-9.el6.x86_64


 Thanks
 Chandan



I am not sure but seems like something is not properly configured with
the browser.
I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
on a working configuration.
But I will defer to experts.




 On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal d...@redhat.com wrote:

 On 05/14/2012 05:09 PM, Chandan Kumar wrote:
 I am a newbie in IPA and was experimenting it on my couple of VMs
 before considering it for production level.

 Installation went fine, however, I am getting the kerberos key
 expiration error at firefox. I am running firefox on the same
 machine where I have installed/configured ipa-server. On googling
 and some help in IRC I checked documentation to trouble shoot it
 as this appear to be a known problem.

 Moreover, I did follow

 http://freeipa.org/page/InstallAndDeploy
 http://freeipa.org/page/TroubleshootingGuide

 Fire fox logs

 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]
 -1977841888[7fc789f5b040]:   using REQ_DELEGATE
 -1977841888[7fc789f5b040]:   service = ipaserver.example.com
 -1977841888[7fc789f5b040]:   using negotiate-gss
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
 -1977841888[7fc789f5b040]:
 nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
 -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
 -1977841888[7fc789f5b040]: gss_init_sec_context() failed:
 Unspecified GSS failure.  Minor code may provide more information
 SPNEGO cannot find mechanisms to negotiate
 -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
 [rv=80004005]

 [root@ds var]# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ad...@example.com

 Valid starting     Expires            Service principal
 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
 [root@ds var]#

 Output of ldapsearch -Y GSSAPI -b dc=example,dc=com uid=admin

 at http://fpaste.org/9hXX/

 I am not sure what I am missing though. Appreciate any help.

 Thanks
 Chandan




 Are you running FF on Windows?
 Which version of IPA are you using?



 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/











Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Steven Jones
Hi,

I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect, 
but that's a Safari issue, I'm sure.

After running kinit admin I find the Kerberos ticket expires about 24 hours 
later, so you have to renew?  What you can do if it simply won't work is get IPA 
to fall back to asking for a password, which is what I have had to set for 
Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work. I think RH 
say Firefox 10 is the long term supported version for them, so I'd run that at 
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal 
d...@redhat.commailto:d...@redhat.com wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:

Re: [Freeipa-users] help! IPA server she explode!

2011-05-19 Thread Simo Sorce
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote:
 I have an internal ajax error!
 
 :(
 
 the logs say,

Ping me later on IRC, I'd like you to run some commands, and it will be
easier done interactively.

Simo.




Re: [Freeipa-users] help! IPA server she explode!

2011-05-19 Thread Rob Crittenden

Steven Jones wrote:


I have an internal ajax error!

:(

the logs say,


[Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.15 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/top-bg.png, referer: https://vuwunicoipamt01.unix.vuw.ac.nz/ipa/ui/ipa.css
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:04:42 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:04:43 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1917): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
[Thu May 19 10:04:45 2011] [error] [client 130.195.81.236] File does not exist: /usr/share/ipa/ui/favicon.ico
[Thu May 19 10:05:09 2011] [error] [client 130.195.81.236] mod_wsgi (pid=1916): Target WSGI script '/usr/share/ipa/wsgi.py' does not contain WSGI application 'application'.
[root@vuwunicoipamt01 httpd]#

regards


The key bit in the log is:

Failed to start IPA: Unable to retrieve LDAP schema. Error initializing principal HTTP/vuwunicoipamt01.unix.vuw.ac...@unix.vuw.ac.nz in /etc/httpd/conf/ipa.keytab: (-1765328228, 'Cannot contact any KDC for requested realm')

Without the schema the framework can't do much of anything useful so it 
just punts. Some things to try in no particular order:

- /sbin/service httpd restart, perhaps dirsrv was down when httpd started
- on IPA server kinit admin to ensure things are working
- ensure that dirsrv is running (krb5kdc running w/o dirsrv is bound to fail)

rob
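As an added example (not code from the thread or from FreeIPA), a small Python parser that pulls the principal, keytab and krb5 error code out of Apache error_log lines like the one Rob points at and attaches his three checks to each distinct failure. The sample log, hostname and client IP are constructed, and the KRB5_KDC_UNREACH name for -1765328228 comes from MIT krb5's headers, not from the thread.

```python
import re
# krb5 error code quoted in the thread; the symbolic name is from MIT krb5's krb5.h.
KRB5_CODES = {-1765328228: "KRB5_KDC_UNREACH"}

# Matches the "ipa: ERROR" line as Apache 2.2 logged it above (format assumed from
# that log): reason, principal, keytab path, then (code, 'message').
IPA_START_RE = re.compile(
    r"ipa: ERROR: Failed to start IPA: (?P<reason>[^.]+)\."
    r"\s*Error initializing principal (?P<principal>\S+) in (?P<keytab>\S+):"
    r"\s*\((?P<code>-?\d+), '(?P<msg>[^']*)'\)")

# Rob's checks from the thread, keyed by krb5 error name; only the KDC case is
# filled in because that is the only failure the thread shows.
CHECKS = {"KRB5_KDC_UNREACH": [
    "ensure dirsrv is running (krb5kdc without dirsrv is bound to fail)",
    "kinit admin on the IPA server to confirm the KDC answers",
    "service httpd restart once dirsrv and krb5kdc are up"]}

# Constructed sample log: hostname and client IP are placeholders, not the
# poster's; the ipa: ERROR line appears twice, as Apache logged it above.
IPA_LINE = ("[Thu May 19 09:59:38 2011] [error] ipa: ERROR: Failed to start IPA: "
            "Unable to retrieve LDAP schema. Error initializing principal "
            "HTTP/ipa.example.test@EXAMPLE.TEST in /etc/httpd/conf/ipa.keytab: "
            "(-1765328228, 'Cannot contact any KDC for requested realm')")
SAMPLE_LOG = [
    "[Thu May 19 09:59:35 2011] [notice] Apache/2.2.15 (Unix) configured "
    "-- resuming normal operations",
    IPA_LINE, IPA_LINE,
    "[Thu May 19 10:04:42 2011] [error] [client 192.0.2.10] File does not "
    "exist: /usr/share/ipa/ui/favicon.ico"]

def parse_ipa_start_error(line):
    """Return a dict describing the IPA start failure in one log line, or None."""
    m = IPA_START_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {"principal": m.group("principal"), "keytab": m.group("keytab"),
            "code": code, "krb5_error": KRB5_CODES.get(code, "UNKNOWN"),
            "message": m.group("msg")}

def diagnose(log_lines):
    """Collapse repeated failures and attach Rob's checks to each distinct one."""
    seen = {}
    for line in log_lines:
        err = parse_ipa_start_error(line)
        if err:  # key on principal+code so the duplicated line is reported once
            seen.setdefault((err["principal"], err["code"]), err)
    return [dict(e, checks=CHECKS.get(e["krb5_error"], [])) for e in seen.values()]
```

Running diagnose(SAMPLE_LOG) yields one finding for the HTTP/ principal with the three checks attached; lines that are not IPA start failures (the notice and the missing favicon) are ignored.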
