Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-11 Thread Stephen Gallagher
On 03/10/2011 06:30 PM, Steven Jones wrote:
 My problem is "To troubleshoot we need logs. There are all sorts of
 logs and configuration files on the server and on the client."
 
 That's just it... I don't know where to look... it's simply not
 documented... so what I need is for someone to tell me what logs you
 need... and how to make the system log reliably... for instance
 debug_level = 9 in the sssd.conf still produces 0 length logs on
 client1... so there is nothing to report
 

If that's happening, then it likely means that SSSD was never started
(or not restarted after adding debug_level=9; SSSD doesn't autodetect
this change). Please try 'service sssd restart'.

 It may well be my problems stem from trying to use a RHEL6 server and KVM
 with Fedora 14 clients inside it, which I am finding very flaky... I
 may need to blow it away and move the test bed to VMware ESXi.
 
 Or maybe indeed I am serially doing something wrong.
 
 I am trying again to set up client 3; what SELinux is telling me is
 ipa-submit is trying to open krb5.keytab.
 
 I will test and maybe turn SELinux off, if I can figure out how!
 

As root, run 'setenforce 0'. This will set SELinux into permissive
mode. It will still report SELinux errors, but it won't prevent the
functionality. Please keep an eye on any such errors and report them to us.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-11 Thread Stephen Gallagher
On 03/10/2011 07:26 PM, Dmitri Pal wrote:
 On 03/10/2011 06:30 PM, Steven Jones wrote:
 My problem is To troubleshoot we need logs. There are all sorts of
 logs and configuration files on the server and on the client.
 On the client:
 
 Config:
 1) /etc/sssd/sssd.conf
 2) /etc/pam.d/system-auth-ac
 3) /etc/nsswitch.conf
 
 Logs: /var/log/sssd. The most interesting one is sssd_default.log but
 you can include all of them.
 /var/log/ipaclient-install.log
 /var/log/ipaclient-uninstall.log

Just a correction, it wouldn't be sssd_default.log. It would be
sssd_ipa_domain.log. The ipa-client doesn't set up the 'default'
domain, it names it after the IPA domain.

So it's possible you've been looking at the wrong log. (This could also
explain your comment about zero-length logs earlier). Sorry for the
confusion.


-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-11 Thread Rob Crittenden

Simo Sorce wrote:

Caught Steven on IRC, this was a case of the hostname being mixed case, which 
confuses Kerberos libraries as they are case-sensitive and expect all lowercase 
names for hosts.

This would not have been a problem if sssd just used the first key in the 
keytab instead of trying to guess the principal name in advance. (Yeah, being 
stingy, no pressure Stephen :-)

Simo.



Simo, this probably explains why the keytab isn't disabled on the server 
when he uninstalls the client. I'll make sure that gets tested as part 
of ticket 1080.


rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
- Original Message -
 Steven Jones wrote:
  Ok,
 
  However I can't LDAP/IPA authenticate still... on either
  client..
 
  So what next?
 
 sssd handles logins, you can try turning up the log level on that
 (though I suspect it wasn't the reboot that fixed this but restarting
 sssd).

If sssd was never used before then what was needed was a restart of the 
services using it (sshd, gdm): as nsswitch.conf is never re-read by glibc, you 
can't use the new users until those services are restarted after nsswitch.conf 
is modified.

I think we also offer to restart the client after ipa-client-install exactly as 
a way to restart all services that may depend on picking up this change. That 
reboot is not necessary if you manually restart all services after that, but if 
you don't then you had better do a reboot as we suggest.

 As part of ipa-client-install sssd is restarted and tested via 'getent
 passwd admin'. This should be visible in
 /var/log/ipaclient-install.log.
 Did this command succeed?

Even if this succeeds, authentication via gdm or ssh can still fail until the 
services are restarted.

Just pointing out this fact as a help point for other users testing 
ipa-client-install in future.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Stephen Gallagher
On 03/10/2011 10:10 AM, Simo Sorce wrote:
 If sssd was never used before then what was needed was a restart of
 the services using it (sshd, gdm): as nsswitch.conf is never re-read
 by glibc, you can't use the new users until those services are
 restarted after nsswitch.conf is modified.
 

FYI, while this might be an issue for sshd, GDM actually has a
workaround for this and doesn't need a restart. GDM just forks and
exec's the 'id' command instead of calling getpwent directly.



-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
While installing my third client SELinux popped up a warning that it was blocking 
access to krb5... so I'm wondering if the reason the install of the client is 
failing is due to SELinux?

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stephen Gallagher [sgall...@redhat.com]
Sent: Friday, 11 March 2011 4:31 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
The third client won't authenticate either.

So I guess it's a problem around the install script, if not SELinux.

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 11 March 2011 11:06 a.m.
To: Stephen Gallagher; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
I have run the uninstall script and it won't delete the client in the IPA 
system, so again I had to delete it via the web GUI... I will try re-installing.

A release candidate?

I don't see how... for me a release candidate should pretty much work with the 
odd bug in an odd area... this is still like alpha... major functionality 
failure, as personally I class being unable to do the very first thing you need 
to do as a major failure.

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 11 March 2011 11:17 a.m.
To: Stephen Gallagher; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Dmitri Pal
On 03/10/2011 05:37 PM, Steven Jones wrote:
 I have run the uninstall script and it won't delete the client in the
 IPA system, so again I had to delete it via the web GUI... I will try
 re-installing.

 A release candidate?

 I don't see how... for me a release candidate should pretty much work
 with the odd bug in an odd area... this is still like alpha... major
 functionality failure, as personally I class being unable to do the very
 first thing you need to do as a major failure.

 regards


Steve,

Sorry but it looks like you are doing something wrong over and over
again or there is something misconfigured in your environment.
We are executing tests every day with new and old machines, bare metal
and VMs.
And everything works, so there is definitely something specific to your
environment which is different.
Maybe it is DNS or NTP or something like that. We do not know. Maybe it is
a bug that we do not hit because we do not run things in the sequence
you run or with the configuration you use.

You write a lot of mails to us but few contain any substantial
information about your setup.
To troubleshoot we need logs.
There are all sorts of logs and configuration files on the server and on
the client.
You do not include them in your emails.
How do you think we can troubleshoot the problems?

If you want us to help please include more detailed information.
I am really sorry that you are experiencing the issues and spending that
much time but I do not see a way to help you since we do not have
sufficient information to do the troubleshooting.

We will be happy to help you as soon as you provide such information.


Thank you,
Dmitri


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Dmitri Pal
On 03/10/2011 06:30 PM, Steven Jones wrote:
 My problem is "To troubleshoot we need logs. There are all sorts of logs and 
 configuration files on the server and on the client."

 That's just it... I don't know where to look... it's simply not 
 documented... so what I need is for someone to tell me what logs you 
 need... and how to make the system log reliably... for instance 
 debug_level = 9 in the sssd.conf still produces 0 length logs on 
 client1... so there is nothing to report

 It may well be my problems stem from trying to use a RHEL6 server and KVM with 
 Fedora 14 clients inside it, which I am finding very flaky... I may need to 
 blow it away and move the test bed to VMware ESXi.

 Or maybe indeed I am serially doing something wrong.

 I am trying again to set up client 3; what SELinux is telling me is ipa-submit 
 is trying to open krb5.keytab.

 I will test and maybe turn SELinux off, if I can figure out how!

 regards

 Steven




I plan to play with the installation tomorrow morning.
I will send you the full list of the config and log files from both sides.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Steven Jones
Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] 
(0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac
.NZ] not found in keytab [default]
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not 
verify keytab
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): 
Error (14) in module (ipa) initialization (sssm_ipa_id
_init)!
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal 
error initializing data providers
(Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not 
initialize backend [14]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] 
(0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.A
C.NZ] not found in keytab [default]
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not 
verify keytab
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): 
Error (14) in module (ipa) initialization (sssm_ipa_id
_init)!
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal 
error initializing data providers
(Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not 
initialize backend [14]
[root@Fed14-64-ipacl03 sssd]#


root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
[root@Fed14-64-ipacl03 sssd]#

?

regards

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, 11 March 2011 11:58 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Dmitri Pal
On 03/10/2011 06:30 PM, Steven Jones wrote:
 My problem is "To troubleshoot we need logs. There are all sorts of logs and 
 configuration files on the server and on the client."
On the client:

Config:
1) /etc/sssd/sssd.conf
2) /etc/pam.d/system-auth-ac
3) /etc/nsswitch.conf

Logs
/var/log/sssd
The most interesting one is sssd_default.log but you can include all of
them.
/var/log/ipaclient-install.log
/var/log/ipaclient-uninstall.log


On the server there are all sorts of logs in /var/log and under its
subdirectories: Dirsrv for DS, http for Apache etc. I do not have the
directory in front of me.

Make sure that the versions of the packages are the latest and match each
other on both sides.
Make sure the time is in sync.
Make sure that names are resolvable if you are not using IPA with the
embedded DNS.
It makes sense to reboot the machine after installing and configuring SSSD.
Test a user on the server first; make sure you can authenticate and he
has a valid password.

Include the commands you used to install the server and the client in
the mail.

Good luck!

Thanks
Dmitri


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
Caught Steven on IRC, this was a case of the hostname being mixed case, which 
confuses Kerberos libraries as they are case-sensitive and expect all lowercase 
names for hosts.

This would not have been a problem if sssd just used the first key in the 
keytab instead of trying to guess the principal name in advance. (Yeah being 
stingy, no pressure Stephen :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York

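Simo's diagnosis above (mixed-case hostname, case-sensitive principal lookup by the Kerberos library) can be turned into a quick client-side check. This is an added example, not code from the thread or from SSSD/FreeIPA; the `klist -k` listing is constructed after the one Steven posted, with the archive-obfuscated principals spelled out, and `check_live_host` assumes `hostname -f` and `klist` are installed.

```python
"""Added example (not from the thread): explain an SSSD
'Principal [...] not found in keytab' failure from `klist -k` output."""
import re
import subprocess

# Constructed `klist -k /etc/krb5.keytab` listing modelled on the one in the
# thread. The archive obfuscated the principals; here they are written out in
# full, as a real keytab stores them (lowercase host part, uppercase realm).
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
"""

# One keytab entry: key version number, whitespace, principal name.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k` output, skipping
    the 'Keytab name:' line, the column header and the dashed separator."""
    entries = []
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def host_principal(hostname, realm):
    """The principal SSSD's IPA provider verifies: host/<fqdn>@<REALM>."""
    return f"host/{hostname}@{realm}"


def check_host_principal(hostname, realm, klist_text):
    """Classify why sss_krb5_verify_keytab_ex would reject this keytab.

    'ok'            - the principal is present exactly as SSSD asks for it
    'case-mismatch' - present, but only under different letter case
                      (Simo's mixed-case hostname case)
    'missing'       - no host principal for this FQDN at all (the earlier
                      'Host is already joined' / empty-keytab situation)
    """
    wanted = host_principal(hostname, realm)
    present = {principal for _, principal in parse_klist(klist_text)}
    if wanted in present:
        return "ok"
    if wanted.lower() in {p.lower() for p in present}:
        return "case-mismatch"
    return "missing"


def check_live_host(realm, keytab="/etc/krb5.keytab"):
    """Run the same check on the real machine (assumes hostname and klist
    from krb5-workstation are on PATH; not exercised offline)."""
    fqdn = subprocess.run(["hostname", "-f"], capture_output=True,
                          text=True, check=True).stdout.strip()
    listing = subprocess.run(["klist", "-k", keytab], capture_output=True,
                             text=True, check=True).stdout
    return fqdn, check_host_principal(fqdn, realm, listing)


if __name__ == "__main__":
    # The failing client reported its hostname with a capital F in the log.
    for name in ("Fed14-64-ipacl03.ipa.ac.nz", "fed14-64-ipacl03.ipa.ac.nz"):
        print(name, "->", check_host_principal(name, "IPA.AC.NZ", SAMPLE_KLIST))
```

A 'case-mismatch' result points at the hostname configuration, not at enrollment; a 'missing' result means the client must be freed up and re-enrolled as Rob describes later in the thread.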


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Hi,

I had/have already done the uninstall...and re-install.

 Also I registered a brand new 2nd client... that hasn't worked
 either..

regards


On Tue, 2011-03-08 at 23:29 -0500, Rob Crittenden wrote:
 Steven Jones wrote:
  Hi,
 
  Log,
 
 
 The error is "Host is already joined" so no keytab is requested. The 
 enrollment failed.
 
 ipa-client-install --uninstall should unenroll the client (you can 
 verify that Keytab is False in "ipa host-show client_fqdn" on the IPA 
 server).
 
 If so running ipa-client-install on the client should configure things 
 properly.
 
 rob
 
  
  2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
  with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
  'force': True, 'sssd': True, 'hostname': None, 'permit': False,
  'server': None, 'prompt_password': False, 'realm_name': None,
  'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
  None, 'mkhomedir': False, 'unattended': None, 'principal': None}
  2011-03-04 15:08:58,726 DEBUG missing options might be asked for
  interactively later
 
  2011-03-04 15:08:58,726 DEBUG Loading Index file from
  '/var/lib/ipa-client/sysrestore/sysrestore.index'
  2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
  2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
  2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
  2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
  -O /tmp/tmp7MhOze/ca.crt
  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
  2011-03-04 15:08:58,736 DEBUG stdout=
  2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
  Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
  Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 1321 (1.3K) [application/x-x509-ca-cert]
  Saving to: `/tmp/tmp7MhOze/ca.crt'
 
0K . 100%
  237M=0s
 
  2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
  [1321/1321]
 
 
  2011-03-04 15:08:58,736 DEBUG Init ldap with:
  ldap://fed14-64-ipam001.ipa.ac.nz:389
  2011-03-04 15:08:58,749 DEBUG Search rootdse
  2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
  dc=ipa,dc=ac,dc=nz(base)
  2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
  {'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
  'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
  ['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
  2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
  in dc=ipa,dc=ac,dc=nz(sub)
  2011-03-04 15:08:58,753 DEBUG Found:
  [('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
  ['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
  ['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
  'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
  'krbticketpolicyaux'], 'krbSearchScope': ['2'],
  'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
  'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
  'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
  'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
  'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
  'krbMaxRenewableAge': ['604800']})]
  2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz
 
  2011-03-04 15:08:58,753 DEBUG will use server:
  fed14-64-ipam001.ipa.ac.nz
 
  2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ
 
  2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz
 
  2011-03-04 15:09:04,645 DEBUG will use principal: admin
 
  2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
  2011-03-04 15:09:04,659 DEBUG stdout=
  2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
  http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
  Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
  Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 1321 (1.3K) [application/x-x509-ca-cert]
  Saving to: `/etc/ipa/ca.crt'
 
0K . 100%
  249M=0s
 
  2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]
 
 
  2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
  2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:
 
  2011-03-04 15:09:11,665 DEBUG stderr=
  2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
  fed14-64-ipam001.ipa.ac.nz
  2011-03-04 15:09:13,931 DEBUG stdout=
  2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.
 
  2011-03-04 15:09:13,937 DEBUG args=kdestroy
  2011-03-04 15:09:13,937 DEBUG stdout=
  2011-03-04 15:09:13,937 DEBUG stderr=
  2011-03-04 

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Dmitri Pal
On 03/09/2011 02:21 PM, Steven Jones wrote:
 Hi,

 I had/have already done the uninstall...and re-install.

 Also I registered a brand new 2nd client...that hasnt worked
 either..

How did you create the host record for it on the server?




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
I have set up a 2nd client and I have the same result... but it looks like
the keytab is correct? However LDAP logins still don't work...


Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
 --
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
   1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz


regards


On Tue, 2011-03-08 at 17:10 -0500, Stephen Gallagher wrote:
 
 On 03/08/2011 04:40 PM, Steven Jones wrote:
  On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
  Steven Jones wrote:
  8--
 
 
  So how do I fault find? where do I start?
 
  ie Where do I start to look to determine why a user cannot login to a
  client via freeipa?
 
  How can I be more clear? because so far the replies have been not very
  productive.
 
  regards
 
 
 
   Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
   sssd, and try your login again. Look
   in /var/log/sssd/sssd_example.com.log for information on the login attempt.
 
  Your uid/gid will likely differ.
 
  # getent passwd admin
  admin:*:26420:26420:Administrator:/home/admin:/bin/bash
  # id admin
  uid=26420(admin) gid=26420(admins) groups=26420(admins)
  # getent group admins
  admins:*:26420:admin
  # finger admin
   Login: admin                            Name: Administrator
   Directory: /home/admin                  Shell: /bin/bash
  Never logged in.
  No mail.
  No Plan.
  
  (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
  [sss_krb5_verify_keytab_ex] (0): Principal
  [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
  [default]
  (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
  Could not verify keytab
  (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
  (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
  (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
  fatal error initializing data providers
  (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
  initialize backend [14]
  (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
  [sss_krb5_verify_keytab_ex] (0): Principal
  [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
  [default]
 
 
 Well, here's your problem. The SSSD isn't starting up successfully
 because you don't have a host principal for this server in your
 /etc/krb5.keytab file. This was probably a bug in the ipa-client-install.
 
 What does
 klist -k /etc/krb5.keytab
 return to you?
 
 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Stephen Gallagher

On 03/09/2011 02:45 PM, Steven Jones wrote:
 I have set up a 2nd client and I have the same result... but it looks like
 the keytab is correct? However LDAP logins still don't work...
 
 
 Keytab name: WRFILE:/etc/krb5.keytab
 KVNO Principal
  
 --
1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
 
 

Could you please check the SSSD debug logs on that machine as well? It
may be a different problem now.
- -- 
Stephen Gallagher
RHCE 804006346421761



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
 On 03/09/2011 02:21 PM, Steven Jones wrote:
  Hi,
 
  I had/have already done the uninstall...and re-install.
 
  Also I registered a brand new 2nd client...that hasnt worked
  either..
 
 How did you create the host record for it on the server?
 


I didn't, I ran ipa-client-install from the client

I have just run with the --uninstall flag and then re-run and it's
failing as the client record was not removed...

Joining realm failed: Host is already joined

So the un-install script/flag isn't removing the client/host

regards




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Hi,

I have gone into the webgui and manually removed the no1 client/host, it
has now joined successfully...

So Yes, the next issue

regards




On Wed, 2011-03-09 at 14:51 -0500, Stephen Gallagher wrote:
 
 On 03/09/2011 02:45 PM, Steven Jones wrote:
  I have set up a 2nd client and I have the same result... but it looks like
  the keytab is correct? However LDAP logins still don't work...
  
  
  Keytab name: WRFILE:/etc/krb5.keytab
  KVNO Principal
   
  --
 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
 1 host/fed14-64-ipacl02.ipa.ac...@ipa.ac.nz
  
  
 
 Could you please check the SSSD debug logs on that machine as well? It
 may be a different problem now.
 - -- 
 Stephen Gallagher
 RHCE 804006346421761
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Dmitri Pal
On 03/09/2011 03:09 PM, Steven Jones wrote:
 On Wed, 2011-03-09 at 14:42 -0500, Dmitri Pal wrote:
 On 03/09/2011 02:21 PM, Steven Jones wrote:
 Hi,

 I had/have already done the uninstall...and re-install.

 Also I registered a brand new 2nd client...that hasnt worked
 either..

 How did you create the host record for it on the server?


 I didnt, I ran ipa-client-install from the client

 I have just run with the --uninstall flag and then re-run and its
 failing as the client record was not removed...

 Joining realm failed: Host is already joined

 So the un-install script/flag isnt removing the client/host

We have a bug where it does not remove the keytab on the client.
It is addressed but has not yet made it into the build you are using.
When you uninstall, the machine tries to remove its keytab from the server
(if it is accessible).
If the server is not accessible for whatever reason you have to clean the
keytab on the host entry manually,
either via the ipa host commands or via ipa-rmkeytab remotely.

The actual entry is not removed.

1) Run uninstall on the client
2) Make sure that the host entry is clean. Remove it on the server and
re-add again.
3) Remove the keytab file and cert on the client (these bugs are fixed
https://fedorahosted.org/freeipa/ticket/1028
https://fedorahosted.org/freeipa/ticket/1029)
4) Install client again

Everything should work.
If not please send us the logs.



 regards


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
8---

 4) Install client again
 
 Everything should work.
 If not please send us the logs.

Not sure which logs as I'm losing track of so many
suggestions/threads... but,

On the client the sssd.log is zero length, the sssd_ipa.ac.nz.log is
zero length

I just tried to add a local user and set a password and I'm getting
passwd: Authentication token manipulation error

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
Ok,

However I can't LDAP/IPA authenticate still... on either client..

So what next?

regards

Steven

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 10 March 2011 10:47 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

Steven Jones wrote:
 Hi,

 I have gone into the webgui and manually removed the no1 client/host, it
 has now joined successfully...

 So Yes, the next issue

 regards


I'm going to try to consolidate a few things here from some other responses.

* You do not need to pre-create the host in order to enroll it using
kerberos credentials. It is ok if the host already exists but not
absolutely required.

* When a host is unenrolled it uses its own credentials (the service 
principal in /etc/krb5.keytab host/client.example@example.com) to 
authenticate to IPA and say "I'm done with these credentials". If you 
lack this principal it cannot authenticate to IPA to say "I'm done with 
these credentials". If a keytab was actually created for this host and 
the contents are lost then you will need to manually free it up for 
enrollment again either with:

# ipa host-disable client.example.com

or

# ipa host-del client.example.com

You can see if a keytab was issued with:

# ipa host-show client.example.com

Look for Keytab: True

* Tickets 1028 and 1029 probably don't apply here. 1028 relates only to
tracking SSL certificates and 1029 only applies if you used the
--hostname option with ipa-client-install.

* ipa-rmkeytab is client side only. It just removes the principals for a
specific host or realm from a keytab file. It has no effect on the
server at all.

regards

rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Steven Jones
I rebooted both clients and after the reboot they now do IPA 
authentication..

So client1 we did some work on and it wouldn't work until a reboot... client2 I 
did nothing to until I rebooted... then that also worked

So I will make a third client and try that

Are there rpms & scripts for a rhel6ws? I could try that as well... also 
RHEL5

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-09 Thread Rob Crittenden

Steven Jones wrote:

Ok,

However I cant LDAP/Ipa authenticate stillon either client..

So what next?


sssd handles logins, you can try turning up the log level on that 
(though I suspect it wasn't the reboot that fixed this but restarting sssd).


As part of ipa-client-install sssd is restarted and tested via 'getent 
passwd admin'. This should be visible in /var/log/ipaclient-install.log. 
Did this command succeed?


rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:


I can do a ldapsearch -x -b 'dc=ipa,dc=ac,dc=nz' | more

Which returns LDAP info... that looks fine... the query looks OK

getent passwd user however only returns one line, not the two I should
expect?


Why do you expect two lines? It should only return one, for that user.



It also returns very fast... like it's not even looking remotely.


Is the user in /etc/passwd too?



I have run authconfig-tui and that looks OK as far as I can tell

I have set cli.conf and server.conf but there are no logs any where I
can find

Ideas please?

Also how to get logging going so I have something to look at


Logging depends entirely on the context you are in.

For nss data (user, group, etc) you'll need to check system logs. If you 
are using sssd, the default, then you can try adding debug_level = 9 to 
/etc/sssd/sssd.conf in the ipa provider (domain/example.com) and restart 
sssd. Watch the logs in /var/log/sssd.


Since sssd uses LDAP you can also see the queries it makes on your IPA 
server in /var/log/dirsrv/slapd-REALM/access. This log is buffered.


cli.conf and server.conf are only used by the IPA management framework 
(the ipa command and the webUI). The server-side log is the Apache error 
log, /var/log/httpd/error_log.


So if the question is "why can't user x log in?" or "why can't I see 
user y?" then look in the sssd error logs.


If you can't manage users using the ipa command, the Apache error log is 
the place to look.


rob

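Rob's point that debug_level belongs in the ipa provider section (the domain section SSSD actually starts) can be checked mechanically. This is an added example, not code from the thread or from SSSD; the sssd.conf is constructed after the one Steven posts later in the thread, where debug_level=9 sits under [domain/default] rather than under [domain/ipa.ac.nz], the only domain named in `domains =`.

```python
"""Added example (not from the thread): report which sssd.conf sections
carry debug_level, and put it where the started processes will read it."""
import configparser
import io

# Constructed sssd.conf modelled on the one posted in the thread. SSSD only
# starts the domains listed in [sssd] domains=, so [domain/default] never
# runs and its debug_level=9 never produces a log line.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.ac.nz

[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
auth_provider = krb5
debug_level=9
"""


def load(text):
    """sssd.conf is INI-style; no %-interpolation so values stay literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def active_domains(cp):
    """Domains SSSD will actually start: the `domains` list in [sssd]."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def started_sections(cp):
    """Sections that map to a running process and therefore to a log file:
    [sssd] -> sssd.log, [nss]/[pam] -> sssd_nss.log/sssd_pam.log,
    [domain/X] -> sssd_X.log."""
    wanted = ["sssd", "nss", "pam"] + [f"domain/{d}" for d in active_domains(cp)]
    return [s for s in wanted if cp.has_section(s)]


def debug_level_report(text):
    """Map each started section to its debug_level (None if unset) and list
    domain sections that carry one but are never started."""
    cp = load(text)
    started = started_sections(cp)
    active = {s: cp.get(s, "debug_level", fallback=None) for s in started}
    orphaned = [s for s in cp.sections()
                if s.startswith("domain/") and s not in started
                and cp.has_option(s, "debug_level")]
    return {"active": active, "orphaned": orphaned}


def with_debug_level(text, level=9):
    """Return the config with debug_level set in every started section.
    Comments are dropped by configparser; fine for a generated file."""
    cp = load(text)
    for section in started_sections(cp):
        cp.set(section, "debug_level", str(level))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(debug_level_report(SAMPLE_SSSD_CONF))
    print(with_debug_level(SAMPLE_SSSD_CONF))
```

After rewriting the file SSSD still has to be restarted, as Rob and Stephen both note; the setting is not picked up on the fly.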


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8-

 
  getent passwd user however only returns one line, not the two I should
  expect?
 
 Why do you expect two lines? It should only return one, for that user.
 
 
  It also returns very fastlike its not even looking remotely.
 
 Is the user in /etc/passwd too?
 

When I tried to get FDS going a few years ago getent used to return 2,
the local one and the ldap one, hence two lines... if it was
working.

I guess the ipa manual is lacking somewhat in that it says run these
commands, but doesn't say what the expected output is or looks like, so
how am I meant to know if it's right or wrong? like duh.

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8--


So how do I fault find? Where do I start?

i.e. where do I start to look to determine why a user cannot login to a
client via freeipa?

How can I be more clear? Because so far the replies have been not very
productive.

regards





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Stephen Gallagher

On 03/08/2011 02:43 PM, Steven Jones wrote:
 8--
 
 
 So how do I fault find? Where do I start?
 
 i.e. where do I start to look to determine why a user cannot login to a
 client via freeipa?
 
 How can I be more clear? Because so far the replies have been not very
 productive.
 


Steven, sorry you're having such a hard time with this. Let me see if I
can help point you in the right direction.

I'm trying to look at the history of this thread, but I'm coming into it
late, so please forgive me if I retread any ground that's already been
covered.

First, I need to verify that I understand the state from which you're
working. Have you installed FreeIPA from the jdennis.fedorapeople.org
yum repository?

What version of the RPM packages for freeipa-server, freeipa-client and
sssd do you have? (rpm -q)

I noticed that you mentioned in an earlier email that you were editing
nslcd.conf. This is not the preferred mechanism for setting up a FreeIPA
client (any more). We now use SSSD (and ipa-client-install should be
setting this up for you).

So what I need to see are the following configuration files:
1) /etc/nsswitch.conf
2) /etc/sssd/sssd.conf
3) /etc/pam.d/system-auth
4) /etc/pam.d/password-auth (if using GDM)

Also, to start debugging login problems, the best place to look is in
/var/log/secure, which should report any PAM modules that are denying
access to the account (and the reason why it's being denied).

Please provide us with the above information and we'll see what we can
do to get you up and running.

Also, for much faster triage and debugging, you can join the #freeipa
and/or #sssd IRC channels on the irc.freenode.net IRC server and speak
with us directly. My nick on those channels is 'sgallagh'.


- -- 
Stephen Gallagher
RHCE 804006346421761



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
8
 
 Steven, sorry you're having such a hard time with this. Let me see if I
 can help point you in the right direction.
 
 I'm trying to look at the history of this thread, but I'm coming into it
 late, so please forgive me if I retread any ground that's already been
 covered.
 
 First, I need to verify that I understand the state from which you're
 working. Have you installed FreeIPA from the jdennis.fedorapeople.org
 yum repository?

[freeipa-devel]
name=FreeIPA Development
baseurl=http://freeipa.com/downloads/devel/rpms/F$releasever/$basearch
enabled=1
gpgcheck=0

F14 and 64bit.

 What version of the RPM packages for freeipa-server, freeipa-client and
 sssd do you have? (rpm -q)


 'd output,

==
sssd-1.5.1-9.fc14.x86_64
freeipa-client-2.0.0.rc2-0.fc14.x86_64
freeipa-server-2.0.0.rc2-0.fc14.x86_64
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the db in front of files for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis

passwd: files sss
shadow: files sss
group:  files sss

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files 

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files

netgroup:   files sss

publickey:  nisplus

automount:  files
aliases:    files nisplus

[sssd]
services = nss, pam
config_file_version = 2

domains = ipa.ac.nz
[nss]

[pam]

[domain/ipa.ac.nz]
cache_credentials = True
ipa_domain = ipa.ac.nz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, fed14-64-ipam001.ipa.ac.nz

[domain/default]
cache_credentials = True
krb5_realm = IPA.AC.NZ
krb5_kdcip = fed14-64-ipam001.ipa.ac.nz:88
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = fed14-64-ipam001.ipa.ac.nz:749
debug_level=9
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  
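
A check on the sssd.conf posted above, added here as an example and not part of the thread: SSSD only starts the domains named on the "domains =" line of the [sssd] section, so a [domain/...] section that is not listed there is never loaded, and a debug_level set inside it changes nothing. In the configuration above the only active domain is ipa.ac.nz, while the debug_level=9 line sits under [domain/default], which "domains =" does not name; the backend log for the active domain is /var/log/sssd/sssd_ipa.ac.nz.log. The functions below parse a config with awk and report exactly these conditions. The two configs they run on are constructed for this example (domain example.com, server ipa.example.com), not copied from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find out which parts of an sssd.conf
# are live. Only domains listed in "domains =" under [sssd] are started; a
# [domain/X] section not listed there is ignored, debug_level included.
# SAMPLE_CONF and FIXED_CONF below are constructed (domain example.com).

# Section names of the config text in $1, one per line.
sssd_sections() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s); print s }'
}

# Value of key $3 in section $2 of config $1 (empty if the key is unset).
sssd_get() {
    printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s); next }
        s == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }'
}

# Domains SSSD will actually start: the comma-separated "domains =" of [sssd].
sssd_active_domains() {
    sssd_get "$1" sssd domains | tr ',' ' '
}

# One line per finding for config $1; exit status 1 if anything needs fixing.
sssd_debug_report() {
    conf="$1"; rc=0
    active=" $(sssd_active_domains "$conf" | tr '\n' ' ') "
    for d in $active; do
        if ! sssd_sections "$conf" | grep -Fxq "domain/$d"; then
            echo "ERROR: domains= lists $d but [domain/$d] is missing"; rc=1; continue
        fi
        lvl=$(sssd_get "$conf" "domain/$d" debug_level)
        if [ -n "$lvl" ]; then
            echo "OK: [domain/$d] debug_level=$lvl, log is /var/log/sssd/sssd_$d.log"
        else
            echo "WARN: [domain/$d] has no debug_level; only the (0) fatal messages reach /var/log/sssd/sssd_$d.log"; rc=1
        fi
    done
    # Every [domain/X] section that "domains =" does not name is dead config.
    for s in $(sssd_sections "$conf" | grep '^domain/'); do
        case "$active" in
            *" ${s#domain/} "*) ;;
            *) echo "WARN: [$s] is not listed in domains=, so it is ignored"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed config with the same shape as the one in the thread: the
# debug_level lives in a [domain/default] section that is never started.
SAMPLE_CONF='[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
[nss]

[pam]

[domain/example.com]
cache_credentials = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.com

[domain/default]
cache_credentials = True
krb5_realm = EXAMPLE.COM
auth_provider = krb5
debug_level=9'

# Same config with debug_level moved into the active IPA domain section.
FIXED_CONF='[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[nss]

[pam]

[domain/example.com]
cache_credentials = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa.example.com
debug_level = 9'

# Live use: sssd_debug_report "$(cat /etc/sssd/sssd.conf)"
sssd_debug_report "$SAMPLE_CONF" || :
```

Remember that SSSD reads sssd.conf only at start, so after moving the setting the daemon still has to be restarted before the domain log grows.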

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:

8--


So how do I fault find? where do I start?

ie Where do I start to look to determine why a user cannot login to a
client via freeipa?

How can I be more clear? because so far the replies have been not very
productive.

regards




Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart 
sssd, and try your login again. Look 
in /var/log/sssd/sssd_example.com.log for information on the login attempt.


Your uid/gid will likely differ.

# getent passwd admin
admin:*:26420:26420:Administrator:/home/admin:/bin/bash
# id admin
uid=26420(admin) gid=26420(admins) groups=26420(admins)
# getent group admins
admins:*:26420:admin
# finger admin
Login: admin                            Name: Administrator
Directory: /home/admin  Shell: /bin/bash
Never logged in.
No mail.
No Plan.



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
 Steven Jones wrote:
  8--
 
 
  So how do I fault find? where do I start?
 
  ie Where do I start to look to determine why a user cannot login to a
  client via freeipa?
 
  How can I be more clear? because so far the replies have been not very
  productive.
 
  regards
 
 

 Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
 sssd, and try your login again. Look
 in /var/log/sssd/sssd_example.com.log for information on the login attempt.

 Your uid/gid will likely differ.

 # getent passwd admin
 admin:*:26420:26420:Administrator:/home/admin:/bin/bash
 # id admin
 uid=26420(admin) gid=26420(admins) groups=26420(admins)
 # getent group admins
 admins:*:26420:admin
 # finger admin
 Login: admin                            Name: Administrator
 Directory: /home/admin  Shell: /bin/bash
 Never logged in.
 No mail.
 No Plan.

(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:22 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:24 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 13:28:28 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
fatal error initializing data providers
(Tue Mar  8 15:37:30 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
initialize backend [14]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]]
[sss_krb5_verify_keytab_ex] (0): Principal
[host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
[default]
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
Could not verify keytab
(Tue Mar  8 15:37:31 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
(0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
(Tue Mar  8 15:37:31 2011) 

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Stephen Gallagher

On 03/08/2011 04:40 PM, Steven Jones wrote:
 On Tue, 2011-03-08 at 15:50 -0500, Rob Crittenden wrote:
 Steven Jones wrote:
 8--


 So how do I fault find? where do I start?

 ie Where do I start to look to determine why a user cannot login to a
 client via freeipa?

 How can I be more clear? because so far the replies have been not very
 productive.

 regards



 Add debug_level = 9 to the ipa provider in /etc/sssd/sssd.conf, restart
 sssd, and try your login again. Look
 in /var/log/sssd/sssd_example.com.log for information on the login attempt.

 Your uid/gid will likely differ.

 # getent passwd admin
 admin:*:26420:26420:Administrator:/home/admin:/bin/bash
 # id admin
 uid=26420(admin) gid=26420(admins) groups=26420(admins)
 # getent group admins
 admins:*:26420:admin
 # finger admin
 Login: admin                            Name: Administrator
 Directory: /home/admin  Shell: /bin/bash
 Never logged in.
 No mail.
 No Plan.
 
 (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]]
 [sss_krb5_verify_keytab_ex] (0): Principal
 [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
 [default]
 (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0):
 Could not verify keytab
 (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module]
 (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
 (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0):
 fatal error initializing data providers
 (Tue Mar  8 13:28:18 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not
 initialize backend [14]
 (Tue Mar  8 13:28:20 2011) [sssd[be[ipa.ac.nz]]]
 [sss_krb5_verify_keytab_ex] (0): Principal
 [host/fed14-64-ipacl01.ipa.ac...@ipa.ac.nz] not found in keytab
 [default]


Well, here's your problem. The SSSD isn't starting up successfully
because you don't have a host principal for this server in your
/etc/krb5.keytab file. This was probably a bug in the ipa-client-install.

What does
klist -k /etc/krb5.keytab
return to you?

- -- 
Stephen Gallagher
RHCE 804006346421761


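As an added example (not from the thread), the shell functions below automate the check Stephen asks for: they pull the principal named in SSSD's "not found in keytab" error out of the backend log and look for it in klist -k output. The sample log lines and keytab listings are constructed for a hypothetical host client1.example.com in realm EXAMPLE.COM, and the function names are my own. The real SSSD log lines are single lines; the copies quoted above were wrapped by the mailer.

```shell
#!/bin/sh
# Added example, not part of the thread. Cross-checks the principal that
# SSSD's IPA backend says is missing against what the keytab actually holds.
# Host client1.example.com / realm EXAMPLE.COM and all sample text below are
# constructed; the log format follows the sss_krb5_verify_keytab_ex lines
# quoted in the thread, the listings follow plain `klist -k` output.

# Print the principal named in the first "Principal [...] not found in keytab"
# error found in SSSD log text on stdin (prints nothing if there is none).
sssd_missing_principal() {
    sed -n 's/.*Principal \[\([^]]*\)\] not found in keytab.*/\1/p' | head -n 1
}

# Print one principal per line from `klist -k` output on stdin: skip the
# "Keytab name:", column header and separator lines, drop the KVNO column.
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }'
}

# Exit 0 if principal $1 occurs (exact match) in the listing on stdin.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# $1 = SSSD backend log text, $2 = `klist -k` output. Prints a one-line
# verdict; exit status 1 when the principal SSSD wants is not in the keytab.
diagnose_keytab() {
    princ=$(printf '%s\n' "$1" | sssd_missing_principal)
    if [ -z "$princ" ]; then
        echo "no keytab error in log"
        return 0
    fi
    if printf '%s\n' "$2" | keytab_has_principal "$princ"; then
        echo "present $princ"
        return 0
    fi
    echo "missing $princ"
    return 1
}

# Live use on a client, as root, for domain example.com:
#   diagnose_keytab "$(cat /var/log/sssd/sssd_example.com.log)" "$(klist -k /etc/krb5.keytab)"

# Constructed samples: the failure seen in the thread, a clean start-up,
# an empty keytab and a healthy one (two keys, one line per enctype).
SAMPLE_LOG='(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/client1.example.com@EXAMPLE.COM] not found in keytab [default]
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [setup_child] (0): Could not verify keytab
(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!'
CLEAN_LOG='(Tue Mar  8 13:28:18 2011) [sssd[be[example.com]]] [main] (0): Backend provider (example.com) started!'
EMPTY_KEYTAB='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------'
GOOD_KEYTAB='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/client1.example.com@EXAMPLE.COM
   1 host/client1.example.com@EXAMPLE.COM'

diagnose_keytab "$SAMPLE_LOG" "$EMPTY_KEYTAB" || :   # missing host/client1.example.com@EXAMPLE.COM
diagnose_keytab "$SAMPLE_LOG" "$GOOD_KEYTAB"         # present host/client1.example.com@EXAMPLE.COM
```

A "missing" verdict means the problem is in the enrollment (the host key never reached /etc/krb5.keytab), so editing sssd.conf or PAM will not help until the join is repaired.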

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Simo Sorce
On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
Stephen Gallagher sgall...@redhat.com wrote:

 
 
 On Mar 8, 2011, at 5:45 PM, Steven Jones steven.jo...@vuw.ac.nz
 wrote:
 
  Keytab name: WRFILE:/etc/krb5.keytab
  KVNO Principal
  
  --
  
  8-
  
  
  
  
 
 Looks like you have no host key in the keytab. That's the root of the
 problem. Seems like IPA-client-install failed to populate it. Rob, do
 you have any insight here?

does /var/log/ipaclient-install.log show any error ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Hi,

Log,


2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later

2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'

 0K . 100%
237M=0s

2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]


2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz

2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz

2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ

2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz

2011-03-04 15:09:04,645 DEBUG will use principal: admin

2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

 0K . 100%
249M=0s

2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]


2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz: 

2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.

2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   - Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG args=/usr/bin/certutil -A
-d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2011-03-04 15:09:14,012 DEBUG stdout=
2011-03-04 15:09:14,012 DEBUG stderr=
2011-03-04 15:09:14,012 DEBUG Backing up system configuration file
'/etc/krb5.conf'
2011-03-04 15:09:14,013 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Steven Jones
Hi,

I have just done another F14 client and I have the same issue.

regards

regards

On Tue, 2011-03-08 at 19:28 -0500, Simo Sorce wrote:
 On Tue, 8 Mar 2011 19:05:45 -0500 (EST)
 Stephen Gallagher sgall...@redhat.com wrote:
 
  
  
  On Mar 8, 2011, at 5:45 PM, Steven Jones steven.jo...@vuw.ac.nz
  wrote:
  
   Keytab name: WRFILE:/etc/krb5.keytab
   KVNO Principal
   
   --
   
   8-
   
   
   
   
  
  Looks like you have no host key in the keytab. That's the root of the
  problem. Seems like IPA-client-install failed to populate it. Rob, do
  you have any insight here?
 
 does /var/log/ipaclient-install.log show any error ?
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Rob Crittenden

Steven Jones wrote:

Hi,

Log,



The error is "Host is already joined" so no keytab is requested. The 
enrollment failed.


ipa-client-install --uninstall should unenroll the client (you can 
verify that Keytab is False in "ipa host-show client_fqdn" on the IPA 
server).


If so running ipa-client-install on the client should configure things 
properly.


rob



2011-03-04 15:08:58,725 DEBUG /usr/sbin/ipa-client-install was invoked
with options: {'conf_ntp': True, 'domain': None, 'uninstall': False,
'force': True, 'sssd': True, 'hostname': None, 'permit': False,
'server': None, 'prompt_password': False, 'realm_name': None,
'dns_updates': False, 'debug': False, 'on_master': False, 'ntp_server':
None, 'mkhomedir': False, 'unattended': None, 'principal': None}
2011-03-04 15:08:58,726 DEBUG missing options might be asked for
interactively later

2011-03-04 15:08:58,726 DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:08:58,726 DEBUG [ipadnssearchldap(ipa.ac.nz)]
2011-03-04 15:08:58,727 DEBUG [ipadnssearchkrb]
2011-03-04 15:08:58,729 DEBUG [ipacheckldap]
2011-03-04 15:08:58,736 DEBUG args=/usr/bin/wget
-O /tmp/tmp7MhOze/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:08:58,736 DEBUG stdout=
2011-03-04 15:08:58,736 DEBUG stderr=--2011-03-04 15:08:58--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/tmp/tmp7MhOze/ca.crt'

  0K . 100%
237M=0s

2011-03-04 15:08:58 (237 MB/s) - `/tmp/tmp7MhOze/ca.crt' saved
[1321/1321]


2011-03-04 15:08:58,736 DEBUG Init ldap with:
ldap://fed14-64-ipam001.ipa.ac.nz:389
2011-03-04 15:08:58,749 DEBUG Search rootdse
2011-03-04 15:08:58,750 DEBUG Search for (info=*) in
dc=ipa,dc=ac,dc=nz(base)
2011-03-04 15:08:58,751 DEBUG Found: [('dc=ipa,dc=ac,dc=nz',
{'objectClass': ['top', 'domain', 'pilotObject', 'nisDomainObject',
'domainRelatedObject'], 'info': ['IPA V2.0'], 'associatedDomain':
['ipa.ac.nz'], 'dc': ['ipa'], 'nisDomain': ['ipa.ac.nz']})]
2011-03-04 15:08:58,752 DEBUG Search for (objectClass=krbRealmContainer)
in dc=ipa,dc=ac,dc=nz(sub)
2011-03-04 15:08:58,753 DEBUG Found:
[('cn=IPA.AC.NZ,cn=kerberos,dc=ipa,dc=ac,dc=nz', {'krbSubTrees':
['dc=ipa,dc=ac,dc=nz'], 'cn': ['IPA.AC.NZ'], 'krbDefaultEncSaltTypes':
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special',
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer',
'krbticketpolicyaux'], 'krbSearchScope': ['2'],
'krbSupportedEncSaltTypes': ['aes256-cts:normal', 'aes256-cts:special',
'aes128-cts:normal', 'aes128-cts:special', 'des3-hmac-sha1:normal',
'des3-hmac-sha1:special', 'arcfour-hmac:normal', 'arcfour-hmac:special',
'des-hmac-sha1:normal', 'des-cbc-md5:normal', 'des-cbc-crc:normal',
'des-cbc-crc:v4', 'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'],
'krbMaxRenewableAge': ['604800']})]
2011-03-04 15:08:58,753 DEBUG will use domain: ipa.ac.nz

2011-03-04 15:08:58,753 DEBUG will use server:
fed14-64-ipam001.ipa.ac.nz

2011-03-04 15:08:58,754 DEBUG will use cli_realm: IPA.AC.NZ

2011-03-04 15:08:58,754 DEBUG will use cli_basedn: dc=ipa,dc=ac,dc=nz

2011-03-04 15:09:04,645 DEBUG will use principal: admin

2011-03-04 15:09:04,659 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
2011-03-04 15:09:04,659 DEBUG stdout=
2011-03-04 15:09:04,660 DEBUG stderr=--2011-03-04 15:09:04--
http://fed14-64-ipam001.ipa.ac.nz/ipa/config/ca.crt
Resolving fed14-64-ipam001.ipa.ac.nz... 192.168.100.2
Connecting to fed14-64-ipam001.ipa.ac.nz|192.168.100.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1321 (1.3K) [application/x-x509-ca-cert]
Saving to: `/etc/ipa/ca.crt'

  0K . 100%
249M=0s

2011-03-04 15:09:04 (249 MB/s) - `/etc/ipa/ca.crt' saved [1321/1321]


2011-03-04 15:09:11,665 DEBUG args=kinit ad...@ipa.ac.nz
2011-03-04 15:09:11,665 DEBUG stdout=Password for ad...@ipa.ac.nz:

2011-03-04 15:09:11,665 DEBUG stderr=
2011-03-04 15:09:13,931 DEBUG args=/usr/sbin/ipa-join -s
fed14-64-ipam001.ipa.ac.nz
2011-03-04 15:09:13,931 DEBUG stdout=
2011-03-04 15:09:13,931 DEBUG stderr=Host is already joined.

2011-03-04 15:09:13,937 DEBUG args=kdestroy
2011-03-04 15:09:13,937 DEBUG stdout=
2011-03-04 15:09:13,937 DEBUG stderr=
2011-03-04 15:09:13,937 DEBUG Backing up system configuration file
'/etc/ipa/default.conf'
2011-03-04 15:09:13,938 DEBUG   -  Not backing up -
'/etc/ipa/default.conf' doesn't exist
2011-03-04 15:09:13,938 DEBUG Backing up system configuration file
'/etc/sssd/sssd.conf'
2011-03-04 15:09:13,938 DEBUG Saving Index File to
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2011-03-04 15:09:14,012 DEBUG 
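
The re-enrollment procedure from Rob's reply, written out as an added example rather than anything posted in the thread. The server's view of the host (the "Keytab: True/False" line of ipa host-show) is read on the IPA server, because a client whose join failed has no credentials to query it; the decision combines that flag with whether /etc/krb5.keytab actually holds the host key. The ipa host-show output embedded below is constructed for a hypothetical host client1.example.com, and enrollment_action, local_host_key_present and reenroll_client are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an IPA client needs to be
# unenrolled and re-enrolled, following Rob's diagnosis ("Host is already
# joined" makes ipa-join skip fetching a keytab, so the client ends up with
# none while the server still records Keytab: True). SAMPLE_HOST_SHOW is
# constructed for the hypothetical host client1.example.com.

# Pull the Keytab flag (True/False) out of `ipa host-show <fqdn>` output ($1).
host_show_keytab_flag() {
    printf '%s\n' "$1" | awk -F': *' '/^[ \t]*Keytab:/ { print $2; exit }'
}

# "yes" if the keytab file ($2, default /etc/krb5.keytab) holds a key for
# host/<fqdn $1>@<any realm>; "no" otherwise (also when klist is unavailable).
local_host_key_present() {
    if klist -k "${2:-/etc/krb5.keytab}" 2>/dev/null | grep -q "host/$1@"; then
        echo yes
    else
        echo no
    fi
}

# $1 = server-side Keytab flag, $2 = yes/no from local_host_key_present.
enrollment_action() {
    case "$1:$2" in
        True:yes)  echo enrolled ;;     # the join is fine; look at sssd.conf / PAM instead
        True:no)   echo stale-join ;;   # server thinks a key was issued, client has none
        False:*)   echo enroll ;;       # server has no key for the host: a plain join fetches one
        *)         echo unknown; return 1 ;;
    esac
}

# Client-side procedure from Rob's reply; run as root on the client. $1 is the
# Keytab flag read on the IPA server with `ipa host-show $(hostname -f)`.
# Not executed by the tests.
reenroll_client() {
    fqdn=$(hostname -f)
    case $(enrollment_action "$1" "$(local_host_key_present "$fqdn")") in
        enrolled)
            echo "host key present for $fqdn; the join is fine" ;;
        stale-join)
            ipa-client-install --uninstall &&
            echo "on the server, confirm 'Keytab: False' in: ipa host-show $fqdn" &&
            echo "then re-run ipa-client-install on this client" ;;
        enroll)
            ipa-client-install ;;
        *)
            echo "could not determine enrollment state for $fqdn" >&2; return 1 ;;
    esac
}

# Constructed `ipa host-show` output for the stale case from the thread.
SAMPLE_HOST_SHOW='  Host name: client1.example.com
  Principal name: host/client1.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: client1.example.com'

# With the server saying True and no local host key, the verdict is stale-join.
enrollment_action "$(host_show_keytab_flag "$SAMPLE_HOST_SHOW")" no   # stale-join
```

The --uninstall step is what clears the server-side flag Rob refers to; confirm "Keytab: False" on the server before running ipa-client-install again, otherwise ipa-join reports "Host is already joined" a second time and the keytab stays empty.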

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-07 Thread Dmitri Pal
On 03/06/2011 02:48 PM, Steven Jones wrote:
 How do i turn on logging on the client and the server so as to start
 troubleshooting this authentication failure?

 regards



http://freeipa.org/page/IPAv2_config_files

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-07 Thread Steven Jones
Hi,

Where does this log to?

regards

On Mon, 2011-03-07 at 12:33 -0500, Dmitri Pal wrote:
 On 03/06/2011 02:48 PM, Steven Jones wrote:
  How do i turn on logging on the client and the server so as to start
  troubleshooting this authentication failure?
 
  regards
 
 
 
 http://freeipa.org/page/IPAv2_config_files
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IPA project,
 Red Hat Inc.
 
 
 
 
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
Hi,

Well, client to IPA server doesn't work..

regards


On Fri, 2011-03-04 at 10:45 -0500, Rob Crittenden wrote:
 Dmitri Pal wrote:
  On 03/03/2011 02:53 PM, Steven Jones wrote:
  8
 
  I have no idea, Im trying to follow the ipa document (version 0.5)so
  if it says do something I try and do itif it doesnt say do something
  wellit doesnt get done as I cant mind read.
 
  What I want is encrypted connections on all services / communications so
  it is secure and safe.
 
  regards
 
  Here is some more information for you on SSSD.
  https://fedorahosted.org/sssd/wiki/HOWTO_Configure
  And also SSSD man pages are good.
 
 Let me also point out that ipa-client-install already configures the 
 client to use sssd. No additional configuration should be required.
 
 rob
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
8---

This didn't work...intuitive, no I guess not

regards


 Sorry but the doc might be incomplete. We are in the middle of reviewing
 it actually and adding information to it.
  
 Please go to your system-authconfig dialog and configure LDAP + Kerberos
 with the IPA server. It should be intuitive.
 It will update all the right config files.
 
 The logs are in the sub-directory under /var/log.
 The name starts with ipa but I do not remember the exact name from the
 top of my head.

There are no logs...

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-06 Thread Steven Jones
How do i turn on logging on the client and the server so as to start
troubleshooting this authentication failure?

regards



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Dmitri Pal
On 03/03/2011 02:53 PM, Steven Jones wrote:
 8

 I have no idea, Im trying to follow the ipa document (version 0.5)so
 if it says do something I try and do itif it doesnt say do something
 wellit doesnt get done as I cant mind read.

 What I want is encrypted connections on all services / communications so
 it is secure and safe.

 regards

Here is some more information for you on SSSD.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure
And also SSSD man pages are good.


 Are you planning to use pam_ldap + nss_ldap or SSSD?
 If SSSD have you installed SSSD packages first?

 The pam and nss config files as well as SSSD config and SSSD logs if it
 is in picture together with ipa-client-install logs would be a good
 starting point to troubleshoot the issue.

 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.









-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Rob Crittenden

Dmitri Pal wrote:

On 03/03/2011 02:53 PM, Steven Jones wrote:

8

I have no idea, Im trying to follow the ipa document (version 0.5)so
if it says do something I try and do itif it doesnt say do something
wellit doesnt get done as I cant mind read.

What I want is encrypted connections on all services / communications so
it is secure and safe.

regards


Here is some more information for you on SSSD.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure
And also SSSD man pages are good.


Let me also point out that ipa-client-install already configures the 
client to use sssd. No additional configuration should be required.


rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-04 Thread Dmitri Pal
On 03/04/2011 10:45 AM, Rob Crittenden wrote:
 Dmitri Pal wrote:
 On 03/03/2011 02:53 PM, Steven Jones wrote:
 8

 I have no idea, Im trying to follow the ipa document (version
 0.5)so
 if it says do something I try and do itif it doesnt say do
 something
 wellit doesnt get done as I cant mind read.

 What I want is encrypted connections on all services /
 communications so
 it is secure and safe.

 regards

 Here is some more information for you on SSSD.
 https://fedorahosted.org/sssd/wiki/HOWTO_Configure
 And also SSSD man pages are good.

 Let me also point out that ipa-client-install already configures the
 client to use sssd. No additional configuration should be required.

Rob, I do not remember: does ipa-client-install pull in sssd
automatically, or do you have to yum install it first?


 rob





-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Rob Crittenden

Steven Jones wrote:

I appear to have IPA running, I have run the install client on a fed14
KVM guest and that guest is in the IPA system, however the users in IPA
cannot authenticate via IPA and get onto the client.  There appears to
be traffic to port 389, so I assume its almost workingbut I can
find anything in logs to say whats wrongnot that I can determine
what logs to check.Ive been looking in /var/log so farare there
any other logs about?

And/or where do I start looking to get this working?

regards




On that client can you do things like:

$ getent passwd some_ipa_user

or

$ id some_ipa_user

?

That should cause sssd to fetch user information. If it fails then we'll 
start by looking at the sssd configuration. If not I guess we'll turn up 
some debugging knobs to see what is going on.


rob



Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Dmitri Pal
On 03/03/2011 02:21 PM, Steven Jones wrote:
 I appear to have IPA running, I have run the install client on a fed14
 KVM guest and that guest is in the IPA system, however the users in IPA
 cannot authenticate via IPA and get onto the client.  There appears to
 be traffic to port 389, so I assume its almost workingbut I can
 find anything in logs to say whats wrongnot that I can determine
 what logs to check.Ive been looking in /var/log so farare there
 any other logs about?

 And/or where do I start looking to get this working?

 regards




Are you planning to use pam_ldap + nss_ldap or SSSD?
If SSSD have you installed SSSD packages first?

The pam and nss config files as well as SSSD config and SSSD logs if it
is in picture together with ipa-client-install logs would be a good
starting point to troubleshoot the issue.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones

id thing returns id: thing: no such user...

In iptraf there is a port 389 connection, suggesting it's asking the ipa master 
about user thing... so it's either asking the wrong Q

or the ipa master can't see the user thing, yet it's there in the gui.

One thing: thing only exists on the ipa master; with irwin it exists locally, 
so id returns local info, as I see no 389 connection taking place.

There was no nslcd.conf so I wrote one as per,

8.1.4. Configuring System Login
You need to modify the /etc/nslcd.conf file, used by the nslcd service,
on the client, to include additional information about the IPA server.
This is so that the client can reach the IPA server's LDAP server for
getent commands and also for ssh. For example, you should include the
following information in your /etc/nslcd.conf file: 
uri host ip-address-of-ipaserver.example.com-here
base dc=example,dc=com

So mine says,

uri host 192.168.100.2
base dc=ipa,dc=ac,dc=nz

Where 192.168.100.2 is the original master.

regards



On Thu, 2011-03-03 at 14:30 -0500, Rob Crittenden wrote:
 Steven Jones wrote:
  I appear to have IPA running, I have run the install client on a fed14
  KVM guest and that guest is in the IPA system, however the users in IPA
  cannot authenticate via IPA and get onto the client.  There appears to
  be traffic to port 389, so I assume it's almost working... but I can't
  find anything in logs to say what's wrong... not that I can determine
  what logs to check. I've been looking in /var/log so far... are there
  any other logs about?
 
  And/or where do I start looking to get this working?
 
  regards
 
 
 
 On that client can you do things like:
 
 $ getent passwd some_ipa_user
 
 or
 
 $ id some_ipa_user
 
 ?
 
 That should cause sssd to fetch user information. If it fails then we'll 
 start by looking at the sssd configuration. If not I guess we'll turn up 
 some debugging knobs to see what is going on.
 
 rob


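Rob's `getent`/`id` check and the `uri`/`base` pair quoted from the guide above can be folded into one client-side triage script. This is an added example, not code from the thread or from the FreeIPA project; it assumes the stock Fedora/RHEL locations (`/etc/nsswitch.conf`, `/etc/passwd`, `/etc/sssd/sssd.conf`, `/etc/nslcd.conf`, `/var/log/sssd/`, `/var/log/ipaclient-install.log`) and the user name `thing` from the post; every configuration snippet it is exercised with is constructed. The distinction it draws is the one this thread hinges on: a user that is in the local passwd file never causes a server lookup at all, while an `id: ...: no such user` with no sss/ldap source in nsswitch.conf means the client never asked the server either, so the next place to look is the backend daemon and its logs, not the IPA GUI.

```shell
#!/bin/sh
# Added example (not from the thread): client-side triage for an IPA user that
# "id" reports as unknown. It only reads configuration and runs NSS lookups.
# File paths are the stock Fedora/RHEL ones and are assumptions here.

# Print the NSS sources that serve the passwd database, in lookup order,
# skipping [action] tokens such as [NOTFOUND=return].
nss_passwd_sources() {
    awk '$1 == "passwd:" {
             s = ""
             for (i = 2; i <= NF; i++) if ($i !~ /^\[/) s = s (s == "" ? "" : " ") $i
             print s; exit
         }' "${1:-/etc/nsswitch.conf}"
}

# Succeed if a directory backend (sss or ldap) is listed for passwd.
# Without one, getent/id never leave the local files, whatever the server holds.
nss_has_directory_backend() {
    for src in $(nss_passwd_sources "$1"); do
        case "$src" in sss|ldap) return 0 ;; esac
    done
    return 1
}

# Report which of the two settings the guide requires in nslcd.conf
# (uri and base) are absent; succeed only when both are present.
nslcd_missing_keys() {
    missing=""
    for key in uri base; do
        grep -Eq "^[[:space:]]*$key[[:space:]]+[^[:space:]]" "$1" 2>/dev/null \
            || missing="$missing $key"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Classify a user: "local" (in the passwd file, so no server lookup happens),
# "directory" (served by an NSS backend such as sssd or nslcd) or "missing".
# Returns 1 only for "missing".
classify_user() {
    user="$1"; passwd_file="${2:-/etc/passwd}"
    if grep -q "^$user:" "$passwd_file" 2>/dev/null; then
        echo local
    elif getent passwd "$user" >/dev/null 2>&1; then
        echo directory
    else
        echo missing; return 1
    fi
}

# Put it together for one user and point at the logs to read next.
ipa_client_triage() {
    user="$1"
    echo "passwd sources: $(nss_passwd_sources)"
    nss_has_directory_backend \
        || echo "no sss/ldap source in /etc/nsswitch.conf: authconfig or ipa-client-install did not enable one"
    if [ -r /etc/sssd/sssd.conf ]; then
        echo "sssd.conf present; backend logs are under /var/log/sssd/"
    elif [ -r /etc/nslcd.conf ]; then
        miss=$(nslcd_missing_keys /etc/nslcd.conf) || echo "nslcd.conf is missing: $miss"
    else
        echo "neither /etc/sssd/sssd.conf nor /etc/nslcd.conf found"
    fi
    case "$(classify_user "$user")" in
        local)     echo "'$user' is a local account: the IPA server is never asked" ;;
        directory) echo "'$user' resolved through a directory backend" ;;
        missing)   echo "'$user' unknown: check the backend daemon is running, then read /var/log/sssd/*.log or /var/log/ipaclient-install.log" ;;
    esac
}

# Usage: sh triage.sh thing
if [ $# -gt 0 ]; then ipa_client_triage "$1"; fi
```

Run it as root on the client with the IPA user name as the only argument; the functions can also be sourced individually, and each takes an explicit file path so that they can be pointed at a copy of a client's configuration collected for a bug report.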


Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Steven Jones
8<

I have no idea, I'm trying to follow the ipa document (version 0.5)... so
if it says do something I try and do it... if it doesn't say do something
well... it doesn't get done as I can't mind read.

What I want is encrypted connections on all services / communications so
it is secure and safe.

regards

 
 Are you planning to use pam_ldap + nss_ldap or SSSD?
 If SSSD have you installed SSSD packages first?
 
 The pam and nss config files as well as SSSD config and SSSD logs if it
 is in picture together with ipa-client-install logs would be a good
 starting point to troubleshoot the issue.
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IPA project,
 Red Hat Inc.
 
 




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Dmitri Pal
On 03/03/2011 02:31 PM, Dmitri Pal wrote:
 On 03/03/2011 02:21 PM, Steven Jones wrote:
 I appear to have IPA running, I have run the install client on a fed14
 KVM guest and that guest is in the IPA system, however the users in IPA
 cannot authenticate via IPA and get onto the client.  There appears to
 be traffic to port 389, so I assume it's almost working... but I can't
 find anything in logs to say what's wrong... not that I can determine
 what logs to check. I've been looking in /var/log so far... are there
 any other logs about?

 And/or where do I start looking to get this working?

 regards



 Are you planning to use pam_ldap + nss_ldap or SSSD?
 If SSSD have you installed SSSD packages first?

 The pam and nss config files as well as SSSD config and SSSD logs if it
 is in picture together with ipa-client-install logs would be a good
 starting point to troubleshoot the issue.


Sorry but the doc might be incomplete. We are in the middle of reviewing
it actually and adding information to it.
 
Please go to your system-authconfig dialog and configure LDAP + Kerberos
with the IPA server. It should be intuitive.
It will update all the right config files.

The logs are in the sub-directory under /var/log.
The name starts with ipa but I do not remember the exact name from the
top of my head.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.




Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Jakub Hrozek

On 03/04/2011 02:35 AM, Steven Jones wrote:

Hi,

Thanks, I think there may be a dependency missing for the yum install of
the client... when I go to the system-auth, ipa is there as an option
but it's missing a .so in nss-pam-ldapd and asks for it to be installed;
the dependency off that is nscd and pam_ldap.

Hopefully this will work... I am downloading now.

regards




May I suggest using SSSD instead of nss-pam-ldapd. Apart from the caching 
mechanism, it also enables the client side of features such as HBAC or 
dynamic DNS update. Also, all the client installation bits such as 
ipa-client-install default to using SSSD.


That said, if you opt for nss-pam-ldapd, it should work, too.
