Re: [Freeipa-users] Replication status

2012-05-02 Thread Rob Crittenden

Rich Megginson wrote:
> On 05/02/2012 07:36 PM, Ian Levesque wrote:
>> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass
>>>> to a less privileged account; i.e., an account solely designed to
>>>> check replication status?
>>>
>>> You also need to expose the RUV tombstone entry at the base of each
>>> suffix.
>>
>> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before;
>> any pointers?
>>
>> Cheers,
>> Ian
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html


We already have some delegated permissions for replication but none 
granting only read access. Off the cuff, something like this might work:


# Grant the new permission group read access to every replication agreement
# under the mapping tree entry of the suffix.
dn: cn="$SUFFIX",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr="*")(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)

# The permission group the ACI refers to; the monitoring account is added
# as a member of this group.
dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read Replication Agreements
ipapermissiontype: SYSTEM

Note that you'll need to replace $SUFFIX with your base dn 
(dc=example,dc=com).


This is untested so YMMV. If you find that it works and is useful please 
let us know, maybe we can add this for everyone to enjoy :-)


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
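As an added example, not part of the thread: a Nagios-style check over the agreement attributes that a monitoring account could read once a read-only permission like the one above is in place (the RUV tombstone Rich mentions is not read here). The entries are constructed inline in the shape python-ldap returns after decoding; the one-hour staleness threshold and the sample host names are assumptions.

```python
"""Nagios-style check over 389-ds replication agreement entries.

Assumes the monitoring account can read the agreements under
cn=mapping tree,cn=config with its own credentials, so no Directory
Manager password has to be stored anywhere.  Entries are dicts of
attribute -> list of str, the shape python-ldap returns after decoding.
"""
import re
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios exit codes
STATE_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
SEVERITY = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}  # worst state wins

# Search parameters matching the target and filter of the read-only ACI.
AGREEMENT_BASE = "cn=mapping tree,cn=config"
AGREEMENT_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                    "(objectclass=nsDSWindowsReplicationAgreement))")
AGREEMENT_ATTRS = ["cn", "nsds5replicaHost", "nsds5replicaLastUpdateStatus",
                   "nsds5replicaLastUpdateEnd", "nsds5replicaUpdateInProgress"]


def parse_status_code(status):
    """Extract the numeric code from nsds5replicaLastUpdateStatus.

    Older 389-ds writes '0 Replica acquired successfully: ...', newer builds
    write 'Error (0) Replica acquired successfully: ...'.  Returns None when
    the value has neither shape.
    """
    m = re.match(r"\s*(?:Error\s*\()?(-?\d+)\)?", status)
    return int(m.group(1)) if m else None


def parse_gen_time(value):
    """LDAP GeneralizedTime (e.g. 20120502235500Z) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_agreement(entry, now, max_age=timedelta(hours=1)):
    """Return (state, message) for one agreement entry.

    max_age is an assumed threshold: the last completed update session must be
    newer than this.  That only makes sense for a suffix that sees regular
    changes, since an idle supplier has no reason to start a session.
    """
    name = entry.get("cn", ["?"])[0]
    host = entry.get("nsds5replicaHost", ["?"])[0]
    label = "%s -> %s" % (name, host)

    status = entry.get("nsds5replicaLastUpdateStatus", [""])[0]
    if not status:
        return UNKNOWN, "%s: no update status recorded yet" % label
    code = parse_status_code(status)
    if code is None:
        return UNKNOWN, "%s: unparseable status %r" % (label, status)
    if code != 0:
        return CRITICAL, "%s: %s" % (label, status)

    # 389-ds stores '0' here until the first update session has completed.
    end_raw = entry.get("nsds5replicaLastUpdateEnd", ["0"])[0]
    if end_raw == "0":
        return WARNING, "%s: no update session has completed" % label
    age = now - parse_gen_time(end_raw)
    in_progress = entry.get("nsds5replicaUpdateInProgress", ["FALSE"])[0].upper() == "TRUE"
    if age > max_age and not in_progress:
        return WARNING, "%s: last update finished %s ago" % (label, age)
    return OK, "%s: %s" % (label, status)


def check_all(entries, now, max_age=timedelta(hours=1)):
    """Fold per-agreement results into one Nagios result (worst state wins)."""
    if not entries:
        return UNKNOWN, "no replication agreements found"
    results = [check_agreement(e, now, max_age) for e in entries]
    worst = max((state for state, _ in results), key=SEVERITY.get)
    return worst, "; ".join(msg for _, msg in results)


# Constructed sample entries, shaped like a python-ldap search result.
SAMPLE_NOW = datetime(2012, 5, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"cn": ["meToreplica1.example.com"],
     "nsds5replicaHost": ["replica1.example.com"],
     "nsds5replicaLastUpdateStatus": ["0 Replica acquired successfully: Incremental update succeeded"],
     "nsds5replicaLastUpdateEnd": ["20120502235500Z"],
     "nsds5replicaUpdateInProgress": ["FALSE"]},
    {"cn": ["meToreplica2.example.com"],
     "nsds5replicaHost": ["replica2.example.com"],
     "nsds5replicaLastUpdateStatus": ["-1 Unable to acquire replica: Transient error"],
     "nsds5replicaLastUpdateEnd": ["20120501120000Z"],
     "nsds5replicaUpdateInProgress": ["FALSE"]},
]

if __name__ == "__main__":
    import sys
    state, message = check_all(SAMPLE_ENTRIES, SAMPLE_NOW)
    print("%s - %s" % (STATE_NAME[state], message))
    sys.exit(state)
```

In a real plugin the entries would come from a subtree search with AGREEMENT_BASE, AGREEMENT_FILTER and AGREEMENT_ATTRS, bound as the monitoring account that is a member of the permission group.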


[Freeipa-users] bluearc and IPA

2012-05-02 Thread Steven Jones
Hi,

Has anyone got a Bluearc storage NAS working with IPA? If so, do you have any 
notes please?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] Replication status

2012-05-02 Thread Rich Megginson

On 05/02/2012 07:36 PM, Ian Levesque wrote:
> On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
>>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less 
>>> privileged account; i.e., an account solely designed to check replication 
>>> status?
>>
>> You also need to expose the RUV tombstone entry at the base of each suffix.
>
> Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any 
> pointers?
>
> Cheers,
> Ian

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control.html



Re: [Freeipa-users] Replication status

2012-05-02 Thread Ian Levesque
On May 2, 2012, at 6:48 PM, Rich Megginson wrote:

>> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a 
>> less privileged account; i.e., an account solely designed to check 
>> replication status?
> 
> You also need to expose the RUV tombstone entry at the base of each suffix.

Good to know, thanks. I haven't messed with ACIs on 389ds/IPA before; any 
pointers?

Cheers,
Ian




Re: [Freeipa-users] Replication status

2012-05-02 Thread Rich Megginson

On 05/02/2012 04:11 PM, Ian Levesque wrote:
> On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:
>>> I'm curious how members of this list are monitoring their IPA servers' replication 
>>> status. `ipa-replica-manage list` doesn't actually tell you if your replica is 
>>> working. I just realized that our replica's IPA processes were hung (likely as a 
>>> result of suspending & resuming the VM it's running on). It would be great if 
>>> our nagios could monitor the replica status - anyone here have any ideas?
>>
>> http://port389.org/wiki/Howto:ReplicationMonitoring
>
> Thanks for the reply, but storing the directory manager password in plain text 
> defies any sort of paranoia that should be fundamental to an IPA admin. I find 
> it hard to believe it's even recommended at all!
>
> Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less 
> privileged account; i.e., an account solely designed to check replication 
> status?

You also need to expose the RUV tombstone entry at the base of each suffix.

> Thanks,
> Ian




Re: [Freeipa-users] Replication status

2012-05-02 Thread Ian Levesque

On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:

>> I'm curious how members of this list are monitoring their IPA servers' 
>> replication status. `ipa-replica-manage list` doesn't actually tell you if 
>> your replica is working. I just realized that our replica's IPA processes 
>> were hung (likely as a result of suspending & resuming the VM it's running 
>> on). It would be great if our nagios could monitor the replica status - 
>> anyone here have any ideas?
> 
> http://port389.org/wiki/Howto:ReplicationMonitoring

Thanks for the reply, but storing the directory manager password in plain text 
defies any sort of paranoia that should be fundamental to an IPA admin. I find 
it hard to believe it's even recommended at all!

Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less 
privileged account; i.e., an account solely designed to check replication 
status?

Thanks,
Ian
 



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:54 PM, Steven Jones wrote:
> Hi,
>
> BTW, is this advice in the admin guide?  I would suggest it's worth 
> stating.
>

Noted.


Re: [Freeipa-users] Replication status

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:46 PM, Ian Levesque wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' 
> replication status. `ipa-replica-manage list` doesn't actually tell you if 
> your replica is working. I just realized that our replica's IPA processes 
> were hung (likely as a result of suspending & resuming the VM it's running 
> on). It would be great if our nagios could monitor the replica status - 
> anyone here have any ideas?
>
> Cheers,
> Ian
>
http://port389.org/wiki/Howto:ReplicationMonitoring

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Replication status

2012-05-02 Thread Dan Scott
Hi,

I'm definitely interested in this too.

You can use

ipa-replica-manage -v list $HOSTNAME

to get detailed status information.

I also found this:

http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring

But I believe that it needs to have the Directory Manager password
hardcoded. Let me know if you figure out a nice solution.

Thanks,

Dan

On Wed, May 2, 2012 at 5:46 PM, Ian Levesque wrote:
> Hi,
>
> I'm curious how members of this list are monitoring their IPA servers' 
> replication status. `ipa-replica-manage list` doesn't actually tell you if 
> your replica is working. I just realized that our replica's IPA processes 
> were hung (likely as a result of suspending & resuming the VM it's running 
> on). It would be great if our nagios could monitor the replica status - 
> anyone here have any ideas?
>
> Cheers,
> Ian
>


Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

BTW, is this advice in the admin guide?  I would suggest it's worth stating.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Thursday, 3 May 2012 9:45 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
package on the client side to be higher version than on the server. We
are currently fixing the issue for the client enrollment to work even if
you try to enroll later version of the ipa client with the earlier
version of the server but for ipa-admintools the general rule: upgrade
server first and then the client ipa-admintools package should continue
to apply.



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

Sorry, I used IPA; I should have used lower case, e.g.,

"But ipa command still
won't work properly as its API is higher than the server's."

The way I read that is that a client will have limited command line capability? That 
would be OK over, say, some weeks while we upgraded.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Thursday, 3 May 2012 9:40 a.m.
To: Steven Jones
Cc: Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:
> What is the impact of IPA not working properly?

That is a bit of a loaded question. It depends on your definition of
"properly" but basically if IPA server isn't working, none of your auth
or identity works. Depending on what state sssd thinks the server is in
it may fall back into offline mode in which case individual workstations
will still operate but networked authentication/identity will fail.

rob



[Freeipa-users] Replication status

2012-05-02 Thread Ian Levesque
Hi,

I'm curious how members of this list are monitoring their IPA servers' 
replication status. `ipa-replica-manage list` doesn't actually tell you if your 
replica is working. I just realized that our replica's IPA processes were hung 
(likely as a result of suspending & resuming the VM it's running on). It would 
be great if our nagios could monitor the replica status - anyone here have any 
ideas?

Cheers,
Ian



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:29 PM, Steven Jones wrote:
> What is the impact of IPA not working properly?

You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
package on the client side to be higher version than on the server. We
are currently fixing the issue for the client enrollment to work even if
you try to enroll later version of the ipa client with the earlier
version of the server but for ipa-admintools the general rule: upgrade
server first and then the client ipa-admintools package should continue
to apply.


>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:52 a.m.
> To: Rob Crittenden
> Cc: Steven Jones; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
>>> older 6.2 clients will break?  but I can't upgrade the clients until after 
>>> the servers are done... if so that is a huge and ugly looking task that is 
>>> one way
>> No, that's not the problem at all. Enrolled clients will work as
>> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
>> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
>> investigating. We'll fix it if needed.
>>
>> rob
> I just sent a patch for this issue to freeipa-devel list. The problem
> was in the TGT forwarding as mentioned earlier in this thread. The
> patched client can now join an older IPA server. But ipa command still
> won't work properly as its API is higher than the server's.
>
> Martin
>
>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> 
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Wednesday, 2 May 2012 1:19 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] ipa-client install error
>>>
>>> Steven Jones wrote:
 I made a slight oops, I just upgraded a long un-used vm on my desktop from 
 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite 
 is down I can't correct this so I tried to add the 6.3beta client to IPA on 
 6.2 and I get an error.

 ==
 [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
 Discovery was successful!
 Hostname: rhel664ws01.ods.vuw.ac.nz
 Realm: ODS.VUW.AC.NZ
 DNS Domain: ods.vuw.ac.nz
 IPA Server: vuwunicoipam002.ods.vuw.ac.nz
 BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


 Continue to configure the system with these values? [no]: yes
 User authorized to enroll computers: admjonesst1
 Synchronizing time with KDC...
 Unable to sync time with IPA NTP server, assuming the time is in sync.
 Password for admjones...@ods.vuw.ac.nz:

 Enrolled in IPA realm ODS.VUW.AC.NZ
 Created /etc/ipa/default.conf
 Unable to activate the SSH service in SSSD config.
 Please make sure you have SSSD built with SSH support installed.
 Configure SSH support manually in /etc/sssd/sssd.conf.
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
 Traceback (most recent call last):
 File "/usr/sbin/ipa-client-install", line 1534, in
   sys.exit(main())
 File "/usr/sbin/ipa-client-install", line 1521, in main
   rval = install(options, env, fstore, statestore)
 File "/usr/sbin/ipa-client-install", line 1358, in install
   api.Backend.xmlclient.connect()
 File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
 connect
   conn = self.create_connection(*args, **kw)
 File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
 create_connection
   raise errors.KerberosError(major=str(krberr), minor='')
 ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
 credentials/
 [root@rhel664ws01 ~]#
 ===

 Is this expected when trying to connect 6.3beta? ie its simply not 
 compatible?

>>> The newer 2.2 client cannot connect to an older 2.1 server because it
>>> isn't going to send the TGT that the 2.1 server requires. We should
>>> handle this better, I've opened a ticket to track this:
>>> https://fedorahosted.org/freeipa/ticket/2697
>>>
>>> rob
>>>

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:
> What is the impact of IPA not working properly?


That is a bit of a loaded question. It depends on your definition of 
"properly" but basically if IPA server isn't working, none of your auth 
or identity works. Depending on what state sssd thinks the server is in 
it may fall back into offline mode in which case individual workstations 
will still operate but networked authentication/identity will fail.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:28 PM, Steven Jones wrote:
> Hi,
>
> "proper" isn't defined as such, but yes in an ideal world. Trouble is we 
> have so many servers that we patch over 2 or 3 early start mornings, until 
> now we did test first, then prod. Now we have to start to separate them
>
> also will IPA server on 6.3 collide with IPA server on 6.2?   It would be 
> "proper" to only upgrade one IPA at a time in case the upgrade buggered 
> IPA... otherwise I have to do all at once...and if it goes wrong I'm left 
> with nothing..
>

The issue affects client to server authentication not server to server
replication so 6.3 and 6.2 should work fine for several days while you
are migrating servers from 6.2 to 6.3.

> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Martin Kosek [mko...@redhat.com]
> Sent: Thursday, 3 May 2012 1:28 a.m.
> To: d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] ipa-client install error
>
> On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
>> On 05/01/2012 06:15 PM, Steven Jones wrote:
>>> So this opens a chicken and egg?
>>>
>>> ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
>>> older 6.2 clients will break?  but I cant upgrade the clients until after 
>>> the servers are doneif so that is a huge and ugly looking task that is 
>>> one way.
>>>
>> Yes this is a serious problem. Thank you for uncovering it.
>> Current plan is to: provide a fix for the older clients to be able to
>> connect to 2.2 via errata.
>> Make sure that the 2.2 client can connect to the 2.1 server.
>>
>> Thanks
>> Dmitri
> I am working on a patch for ipa-client-install which should make it
> capable of joining an older IPA server.
>
> BTW, I always thought that the proper upgrade scenario is to upgrade the
> servers to the new version first and then upgrade the clients. The issue
> here is that the new IPA clients won't be able to use "ipa" command to
> control the old server because they have a higher API version and the
> old server would not support it.
>
> The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
> should be OK as we maintain backwards compatibility.
>
> Martin
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.







Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10

2012-05-02 Thread Dmitri Pal
> to the fact that user lookup services are failing.
>
>> Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
>> are any errors reported regarding sssd?
>>
>> What options did you pass to ipa-client-install?
>>
>> rob
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> --
>
> Message: 2
> Date: Wed, 02 May 2012 14:57:24 -0400
> From: Dmitri Pal
> To: Matthew Davidson
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 05/02/2012 02:50 PM, Matthew Davidson wrote:
>> Dmitri,
>> 1) Do you have admin account on IPA side?
>>
>> Yes. And judging by the command below admin does log in, or am I
>> mistaken?
>>
>> [root@rhel5 ~]# kinit admin
>> Password for ad...@example.com:
>>
>> [root@rhel5 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting     Expires            Service principal
>> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>>
>
> Is this from the client or from the server? I bet on the server.
> Rob might be right that the client fails to find the right
> authentication server due to the DNS configuration.
>
>> 2) Is there a firewall between client and server? Is LDAP and LDAPS
>> allowed via the FW?
>>
>> No firewall. Shut those down at the first sign of trouble.
>>
>> Thanks
>> Matt
>>
>> Date: Wed, 2 May 2012 13:51:15 -0400
>> From: d...@redhat.com
>> To: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>>
>> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>>
>> Hi Rob
>>
>> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
>> DNS domain 'example.com' is not configured for automatic KDC
>> address lookup.
>> KDC address will be set to fixed value.
>>
>> Discovery was successful!
>> Hostname: rhel6.example.com
>> Realm: EXAMPLE.COM
>> DNS Domain: EXAMPLE.COM
>> IPA Server: rhel6.example.com
>> BaseDN: dc=example,dc=com
>>
>> Continue to configure the system with these values? [no]: yes
>> User authorized to enroll computers: admin
>> Synchronizing time with KDC...

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:
> Hi,
>
> "proper" isn't defined as such, but yes in an ideal world. Trouble is we have 
> so many servers that we patch over 2 or 3 early start mornings, until now we did test 
> first, then prod. Now we have to start to separate them

Right, this is why we fixed the bug.

> also will IPA server on 6.3 collide with IPA server on 6.2?   It would be 
> "proper" to only upgrade one IPA at a time in case the upgrade buggered 
> IPA... otherwise I have to do all at once...and if it goes wrong I'm left with 
> nothing..

It will be fixed to work in 6.3 GA. The client enrollment will succeed 
but you won't get the 6.3 features (like SSH host keys uploaded). The 
ipa tool is not downward compatible, so a 6.3 ipa tool will not work 
with a 6.2 server but the reverse WILL work.


rob



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
What is the impact of IPA not working properly?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Cc: Steven Jones; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
> > older 6.2 clients will break?  but I can't upgrade the clients until after 
> > the servers are done... if so that is a huge and ugly looking task that is 
> > one way
>
> No, that's not the problem at all. Enrolled clients will work as
> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log
> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still
> investigating. We'll fix it if needed.
>
> rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin


>
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > 
> > From: Rob Crittenden [rcrit...@redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
> >> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway, since our satellite 
> >> is down I can't correct this so I tried to add the 6.3beta client to IPA on 
> >> 6.2 and I get an error.
> >>
> >> ==
> >> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> >> Discovery was successful!
> >> Hostname: rhel664ws01.ods.vuw.ac.nz
> >> Realm: ODS.VUW.AC.NZ
> >> DNS Domain: ods.vuw.ac.nz
> >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >> User authorized to enroll computers: admjonesst1
> >> Synchronizing time with KDC...
> >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjones...@ods.vuw.ac.nz:
> >>
> >> Enrolled in IPA realm ODS.VUW.AC.NZ
> >> Created /etc/ipa/default.conf
> >> Unable to activate the SSH service in SSSD config.
> >> Please make sure you have SSSD built with SSH support installed.
> >> Configure SSH support manually in /etc/sssd/sssd.conf.
> >> Configured /etc/sssd/sssd.conf
> >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> >> Traceback (most recent call last):
> >> File "/usr/sbin/ipa-client-install", line 1534, in
> >>   sys.exit(main())
> >> File "/usr/sbin/ipa-client-install", line 1521, in main
> >>   rval = install(options, env, fstore, statestore)
> >> File "/usr/sbin/ipa-client-install", line 1358, in install
> >>   api.Backend.xmlclient.connect()
> >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
> >> connect
> >>   conn = self.create_connection(*args, **kw)
> >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
> >> create_connection
> >>   raise errors.KerberosError(major=str(krberr), minor='')
> >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
> >> credentials/
> >> [root@rhel664ws01 ~]#
> >> ===
> >>
> >> Is this expected when trying to connect 6.3beta? i.e. it's simply not 
> >> compatible?
> >>
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it
> > isn't going to send the TGT that the 2.1 server requires. We should
> > handle this better, I've opened a ticket to track this:
> > https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
> >
>





Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi,

"proper" isn't defined as such, but yes in an ideal world. Trouble is we have 
so many servers that we patch over 2 or 3 early start mornings; until now we 
did test first, then prod. Now we have to start to separate them.

also will IPA server on 6.3 collide with IPA server on 6.2? It would be 
"proper" to only upgrade one IPA at a time in case the upgrade buggered 
IPA... otherwise I have to do all at once... and if it goes wrong I'm left 
with nothing.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:28 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
> > older 6.2 clients will break?  but I can't upgrade the clients until after 
> > the servers are done... if so that is a huge and ugly looking task that is 
> > one way.
> >
>
> Yes this is a serious problem. Thank you for uncovering it.
> Current plan is to: provide a fix for the older clients to be able to
> connect to 2.2 via errata.
> Make sure that the 2.2 client can connect to the 2.1 server.
>
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use "ipa" command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin




Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10

2012-05-02 Thread Steven Bernstein
var/log/sssd/ldap_child.log
>(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256
>  [ldap_child_get_tgt_sync] (0): Failed to init credentials:
>  Client not found in Kerberos database
>
>
>
>/var/log/sssd/sssd.log
>(Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0):
>  Monitor received Terminated: terminating children
>(Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0):
>  Monitor received Terminated: terminating children
>
>
>
>thanks for helping!
>Matt
>
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcrit...@redhat.com
> > To: m...@mldserviceslex.com
> > CC: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > >
> > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > >
> > > SSH does not seem to be discussed and that is when I started web surfing
> > > in an attempt to fix my problem before reaching out for help.
> >
> > A host service principal is created during enrollment so no additional
> > work should be needed for SSH to work. The problem you're having is
> > related to the fact that user lookup services are failing.
> >
> > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> > are any errors reported regarding sssd?
> >
> > What options did you pass to ipa-client-install?
> >
> > rob
>
>
>
>
>
>
>
>
>--
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
>
>
>
>
> --
>
> Message: 2
> Date: Wed, 02 May 2012 14:57:24 -0400
> From: Dmitri Pal 
> To: Matthew Davidson 
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> Message-ID: <4fa18394.7080...@redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> > Dmitri,
> > 1) Do you have admin account on IPA side?
> >
> > Yes. And judging by the command below admin does log in, or am I
> mistaken?
> >
> > [root@rhel5 ~]# kinit admin
> > Password for ad...@example.com:
> >
> > [root@rhel5 ~]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principa

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden

Matthew Davidson wrote:

" Is this from the client or from the server? I bet on the server."

That is from the client. I sent a reply to Rob about the DNS, but I was
under the assumption that the client was using the config files.



We recommend using a different realm name for the IPA realm, it makes 
life much simpler. You can try disabling DNS lookups for the KDC in 
/etc/krb5.conf and defining a KDC. You may also need to tell the sssd 
locator, configured in /var/lib/sss/pubconf/kdcinfo.$REALM.


IPA and AD both attempt to use the same DNS SRV records for 
autodiscovery. What is happening is your client is getting the AD 
information and trying to authenticate against it.


regards

rob


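Rob's suggestion above (turn off DNS lookup of the KDC in /etc/krb5.conf, define the KDC explicitly, and tell the sssd locator through kdcinfo.$REALM) can be checked mechanically before a client is put into service. The Python below is an added example written for this archive page, not FreeIPA or sssd code: it parses a krb5.conf, reports which realms would still fall through to _kerberos._udp SRV lookup (the path by which a client on a network where AD answers the same SRV names ends up at the wrong KDC), and renders the pinned [realms] stanza plus the kdcinfo line. The krb5.conf it runs on is constructed; LAB.EXAMPLE.COM is a hypothetical second realm, and the port numbers (88, 749) and the one-host:port-per-line kdcinfo format are assumptions stated in the comments.

```python
"""Audit krb5.conf for realms whose KDC is still found through DNS SRV records.

Added example for this thread, not FreeIPA or sssd code. MIT libkrb5 only
consults _kerberos._udp.<domain> SRV records for a realm when that realm lists
no kdc entries and dns_lookup_kdc is not false; when AD answers the same SRV
names, that fallback is how an IPA client ends up at the wrong KDC.
"""
import re

DNS_LOOKUP_KDC_DEFAULT = True  # MIT krb5 default when dns_lookup_kdc is unset

_SECTION_RE = re.compile(r'^\[(\S+)\]$')
_GROUP_OPEN_RE = re.compile(r'^(\S+)\s*=\s*\{$')
_KEYVAL_RE = re.compile(r'^(\S+)\s*=\s*(.*)$')


def parse_krb5_conf(text):
    """Minimal INI-with-braces parser: {section: {key: value}}; 'key = {' nests a
    dict, and a key repeated in one scope (several 'kdc =' lines) becomes a list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                          # text before the first [section]
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        m = _GROUP_OPEN_RE.match(line)
        if m:
            group = {}
            stack[-1][m.group(1)] = group
            stack.append(group)
            continue
        m = _KEYVAL_RE.match(line)
        if m:
            key, val, scope = m.group(1), m.group(2).strip(), stack[-1]
            if key in scope:
                if not isinstance(scope[key], list):
                    scope[key] = [scope[key]]
                scope[key].append(val)
            else:
                scope[key] = val
    return sections


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _truthy(value):
    return str(value).strip().lower() in ('true', 'yes', 'on', '1')


def audit_kdc_discovery(text):
    """Map each realm to (status, [kdc, ...]):
    'pinned'      kdc entries present, DNS is never consulted for this realm
    'dns-srv'     no kdc entries and DNS lookup on: SRV records pick the KDC
    'unreachable' no kdc entries and dns_lookup_kdc = false: no KDC can be found"""
    conf = parse_krb5_conf(text)
    dns_lookup = _truthy(conf.get('libdefaults', {}).get('dns_lookup_kdc', DNS_LOOKUP_KDC_DEFAULT))
    findings = {}
    for realm, opts in conf.get('realms', {}).items():
        if not isinstance(opts, dict):
            continue
        kdcs = _as_list(opts.get('kdc'))
        status = 'pinned' if kdcs else ('dns-srv' if dns_lookup else 'unreachable')
        findings[realm] = (status, kdcs)
    return findings


def pinned_realm_stanza(realm, kdc_host, kdc_port=88, kadmin_port=749):
    """Render a [realms] stanza pinning the IPA KDC (ports 88/749 assumed as the usual defaults)."""
    return ("[realms]\n"
            f" {realm} = {{\n"
            f"  kdc = {kdc_host}:{kdc_port}\n"
            f"  admin_server = {kdc_host}:{kadmin_port}\n"
            f"  default_domain = {realm.lower()}\n"
            " }\n")


def kdcinfo_contents(kdc_host, kdc_port=88):
    """Contents for /var/lib/sss/pubconf/kdcinfo.<REALM>, which sssd's krb5 locator
    plugin uses to override krb5.conf; assumed format: one host:port per line."""
    return f"{kdc_host}:{kdc_port}\n"


# Constructed krb5.conf: EXAMPLE.COM (from the thread) is left to DNS,
# LAB.EXAMPLE.COM is a hypothetical realm pinned to rhel6.example.com.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {
  default_domain = example.com
 }
 LAB.EXAMPLE.COM = {
  kdc = rhel6.example.com:88
  admin_server = rhel6.example.com:749
 }
"""

if __name__ == '__main__':
    for realm, (status, kdcs) in audit_kdc_discovery(SAMPLE_KRB5_CONF).items():
        print(f'{realm:18} {status:12} {" ".join(kdcs)}')
    print(pinned_realm_stanza('EXAMPLE.COM', 'rhel6.example.com'), end='')
```

Appending the stanza from `pinned_realm_stanza` to the constructed config flips EXAMPLE.COM from `dns-srv` to `pinned`; setting `dns_lookup_kdc = false` without adding a kdc line leaves it `unreachable`, which is the failure mode to watch for when applying Rob's advice by hand.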

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson

"Is this from the client or from the server? I bet on the server."

That is from the client. I sent a reply to Rob about the DNS, but I was under 
the assumption that the client was using the config files.

thanks
Matt

Date: Wed, 2 May 2012 14:57:24 -0400
From: d...@redhat.com
To: m...@mldserviceslex.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability



  

  
  
On 05/02/2012 02:50 PM, Matthew Davidson wrote:

> Dmitri,
> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root@rhel5 ~]# kinit admin
> Password for ad...@example.com:
>
> [root@rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached

Is this from the client or from the server? I bet on the server.

Rob might be right that the client fails to find the right
authentication server due to the DNS configuration.

> 2) Is there a firewall between client and server? Is LDAP
> and LDAPS allowed via the FW?
>
> No firewall. shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
> > Hi Rob
> >
> > [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> > DNS domain 'example.com' is not configured for automatic KDC address lookup.
> > KDC address will be set to fixed value.
> >
> > Discovery was successful!
> > Hostname: rhel6.example.com
> > Realm: EXAMPLE.COM
> > DNS Domain: EXAMPLE.COM
> > IPA Server: rhel6.example.com
> > BaseDN: dc=example,dc=com
> >
> > Continue to configure the system with these values? [no]: yes
> > User authorized to enroll computers: admin
> > Synchronizing time with KDC...
> > Password for ad...@example.com:
> >
> > Enrolled in IPA realm EXAMPLE.COM
> > Created /etc/ipa/default.conf
> > Configured /etc/sssd/sssd.conf
> > Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> > SSSD enabled
> > Unable to find 'admin' user with 'getent passwd admin'!
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?
>
> > Recognized configuration: SSSD
> > Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> > NTP enabled
> > Client configuration complete.
> >
> > /var/log/secure
> > May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> > May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> > May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> > May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> > May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> > May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
> >
> > /var/log/sssd/ldap_child.log
> > (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> > (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252 [ldap_child_get_tgt_syn

Re: [Freeipa-users] Error in Installation - unable to create CA

2012-05-02 Thread Dmitri Pal
On 05/02/2012 11:34 AM, Rob Crittenden wrote:
> shabahang elmian wrote:
>> Hello,
>> I would be thankful if some one can help me to resolve the problem.
>
> We need to see /var/log/ipaserver-install.log and potentially
> /var/log/pki-ca/debug to determine what the problem is.
>
> It would appear that the CA process didn't start.
>
> Details on your versions of ipa-server and pki-ca would be helpful too.
>
> rob
>

https://bugzilla.redhat.com/show_bug.cgi?id=818123

Might be related. Please see comments there and requests for additional logs.




>>
>> Shabahang
>>
>> 
>> *From:* shabahang elmian 
>> *To:* Rob Crittenden 
>> *Cc:* "freeipa-users@redhat.com" 
>> *Sent:* Sunday, April 29, 2012 12:21 PM
>> *Subject:* Re: [Freeipa-users] Error in Installation - unable to
>> create CA
>>
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
>> pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug]
>> set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
>> [2012-04-23 17:07:32] [debug] Processing PKI security modules for
>> '/var/lib/pki-ca' ...
>> [2012-04-23 17:07:32] [debug] Attempting to add hardware security
>> modules to system if applicable ...
>> [2012-04-23 17:07:32] [debug] module name: lunasa lib:
>> /usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] module name: nfast lib:
>> /opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
>> [2012-04-23 17:07:32] [debug] configuring SELinux ...
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9180. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9701. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9443. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9444. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9446. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9445. Port already defined otherwise.
>> [2012-04-23 17:07:34] [error] Failed setting selinux context
>> pki_ca_port_t for 9447. Port already defined otherwise.
>> [2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
>> run semanage.
>> [2012-04-23 17:07:34] [debug] Running restorecon commands
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/java/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /usr/share/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/lib/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/run/pki)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /var/log/pki-ca)
>> [2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
>> [2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
>> /etc/pki-ca)
>> [2012-04-23 17:07:34] [debug] Installation manifest:
>> /var/lib/pki-ca/install_info
>> [2012-04-23 17:07:34] [debug] The following was performed:
>> Installed Files:
>> /etc/pki-ca/CS.cfg
>> ...
>> .
>> .
>> /var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
>> Removed Items:
>> /etc/pki-ca/noise
>> /etc/pki-ca/pfile
>>
>> [2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
>> pki-cad@pki-ca.service)
>> [2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
>> pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system
>> logs and 'systemctl status' for details."
>> [2012-04-23 17:07:34] [log] Configuration Wizard listening on
>> https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
>>
>> [2012-04-23 17:07:34] [log] After configuration, the server can be
>> operated by the command:
>> /bin/systemctl restart pki-cad@pki-ca.service
>> [root@ipa ~]#
>>
>> [root@ipa system]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: y
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfigur

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Dmitri Pal
On 05/02/2012 02:50 PM, Matthew Davidson wrote:
> Dmitri,
> 1) Do you have admin account on IPA side?
>
> Yes. And judging by the command below admin does log in, or am I mistaken?
>
> [root@rhel5 ~]# kinit admin
> Password for ad...@example.com:
>
> [root@rhel5 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>

Is this from the client or from the server? I bet on the server.
Rob might be right that the client fails to find the right
authentication server due to the DNS configuration.

> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> No firewall. shut those down at the first sign of trouble.
>
> Thanks
> Matt
>
> 
> Date: Wed, 2 May 2012 13:51:15 -0400
> From: d...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> On 05/02/2012 12:43 PM, Matthew Davidson wrote:
>
> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
> --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC
> address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com: 
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> *Unable to find 'admin' user with 'getent passwd admin'!*
>
>
> 1) Do you have admin account on IPA side?
> 2) Is there a firewall between client and server? Is LDAP and LDAPS
> allowed via the FW?
>
> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server
> name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from
> 192.168.1.5
> May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid
> user mdavidson
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass;
> user unknown
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=rhel6.example.com
> May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
> retrieving information about user mdavidson
> May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
> mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client
> not found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor
> received Terminated: terminating children
> (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor
> received Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcrit...@redhat.com 
> > To: m...@mldserviceslex.com 
> > CC: freeipa-users@redhat.com 
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > R

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson

Dmitri,
1) Do you have admin account on IPA side?

Yes. And judging by the command below admin does log in, or am I mistaken?

[root@rhel5 ~]# kinit admin
Password for ad...@example.com:

[root@rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/02/12 14:47:40  05/03/12 14:47:36  krbtgt/example@example.com

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via 
the FW?

No firewall. shut those down at the first sign of trouble.

Thanks
Matt
Date: Wed, 2 May 2012 13:51:15 -0400
From: d...@redhat.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability



  

  
  
On 05/02/2012 12:43 PM, Matthew Davidson wrote:

> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> Unable to find 'admin' user with 'getent passwd admin'!

1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS allowed via the FW?

> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
> May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
> (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcrit...@redhat.com
> > To: m...@mldserviceslex.com
> > CC: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden

Matthew Davidson wrote:

Hi Rob

[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
--server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@example.com:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
*Unable to find 'admin' user with 'getent passwd admin'!*
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name:
rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May 2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May 2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user
mdavidson
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user
unknown
May 2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May 2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
retrieving information about user mdavidson
May 2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May 2 11:52:08 2012) [[sssd[ldap_child[3091
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3252
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3253
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3254
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3255
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database
(Wed May 2 12:31:14 2012) [[sssd[ldap_child[3256
[ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
found in Kerberos database


This is the key. sssd can't connect to the IPA server due to this 
Kerberos error which is why the user information is unavailable.


Am I right to to assume you have another Kerberos server (or AD) 
configured using the same realm name on your network? I have the feeling 
sssd is finding the wrong KDC.


rob


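Rob's diagnosis above rests on reading two logs together: sssd's ldap_child fails to obtain a TGT for the host principal ("Client not found in Kerberos database") a few seconds before sshd reports that it cannot look the user up. The Python below is an added example written for this page, not sssd or FreeIPA code, that performs that correlation over constructed sample lines modelled on the ones Matthew posted (with the `[[sssd[ldap_child[PID]]]` bracketing of the sssd 1.x log format restored, since the archive truncated it). The 30-second window and the year supplied for the year-less syslog timestamps are assumptions passed in as parameters.

```python
"""Correlate sshd user-lookup failures with sssd 'Client not found' Kerberos errors.

Added example for this thread, not sssd or FreeIPA code. A burst of ldap_child
TGT failures immediately before sshd cannot resolve a user is the signature of
SSSD authenticating its host principal against a KDC that does not know it,
here the wrong KDC picked up from SRV records shared with AD.
"""
import re
from datetime import datetime

KRB_CLIENT_NOT_FOUND = 'Client not found in Kerberos database'

# sssd 1.x ldap_child.log: (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252]]] [func] (0): msg
LDAP_CHILD_RE = re.compile(
    r'^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\) '
    r'\[+sssd\[ldap_child\[(?P<pid>\d+)\]+ \[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$'
)
# /var/log/secure line emitted when PAM cannot resolve the login name
SECURE_LOOKUP_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: '
    r'pam_succeed_if\(sshd:auth\): error retrieving information about user (?P<user>\S+)$'
)


def parse_ldap_child(lines):
    """Yield (timestamp, pid, function, message) for well-formed ldap_child.log lines."""
    for line in lines:
        m = LDAP_CHILD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(' '.join(m['ts'].split()), '%a %b %d %H:%M:%S %Y')
        yield ts, int(m['pid']), m['func'], m['msg']


def parse_secure_lookup_failures(lines, year):
    """Yield (timestamp, user) for sshd lines where PAM could not resolve the user.
    syslog timestamps carry no year, so the caller supplies it (assumption)."""
    for line in lines:
        m = SECURE_LOOKUP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", '%Y %b %d %H:%M:%S')
        yield ts, m['user']


def correlate(ldap_child_lines, secure_lines, year, window_seconds=30):
    """Return [(user, sshd_timestamp, kdc_failures_in_preceding_window), ...]."""
    krb_failures = [ts for ts, _pid, _func, msg in parse_ldap_child(ldap_child_lines)
                    if KRB_CLIENT_NOT_FOUND in msg]
    report = []
    for ts, user in parse_secure_lookup_failures(secure_lines, year):
        n = sum(1 for k in krb_failures if 0 <= (ts - k).total_seconds() <= window_seconds)
        report.append((user, ts, n))
    return report


def diagnose(report):
    """Turn the correlation into the next check an admin should run."""
    if any(n > 0 for _user, _ts, n in report):
        return ('host principal rejected by the KDC that sssd contacted: confirm the client '
                'resolves the IPA KDC, not another realm\'s, and that host/<fqdn> exists in IPA')
    if report:
        return 'user lookups fail without Kerberos errors: check LDAP connectivity and sssd.conf'
    return 'no lookup failures found'


# Constructed sample lines, modelled on the thread's logs (sssd 1.x bracketing restored).
SAMPLE_LDAP_CHILD = [
    '(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091]]] [ldap_child_get_tgt_sync] (0): '
    'Failed to init credentials: Client not found in Kerberos database',
] + [
    f'(Wed May  2 12:31:14 2012) [[sssd[ldap_child[{pid}]]] [ldap_child_get_tgt_sync] (0): '
    'Failed to init credentials: Client not found in Kerberos database'
    for pid in range(3252, 3257)
]
SAMPLE_SECURE = [
    'May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5',
    'May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown',
    'May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson',
    'May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2',
]

if __name__ == '__main__':
    rep = correlate(SAMPLE_LDAP_CHILD, SAMPLE_SECURE, year=2012)
    for user, ts, n in rep:
        print(f'{ts} {user}: {n} KDC "{KRB_CLIENT_NOT_FOUND}" errors in the preceding 30s')
    print(diagnose(rep))
```

On the sample data the single sshd failure at 12:31:19 is preceded by five ldap_child TGT failures at 12:31:14, which is exactly the pairing in Matthew's logs; the 11:52:08 entry falls outside the window and is ignored, so a stale error from an earlier sssd restart does not inflate the count.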

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Dmitri Pal
On 05/02/2012 12:43 PM, Matthew Davidson wrote:
> Hi Rob
>
> [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
> --server=rhel6.example.com
> DNS domain 'example.com' is not configured for automatic KDC address
> lookup.
> KDC address will be set to fixed value.
>
> Discovery was successful!
> Hostname: rhel6.example.com
> Realm: EXAMPLE.COM
> DNS Domain: EXAMPLE.COM
> IPA Server: rhel6.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Synchronizing time with KDC...
> Password for ad...@example.com:
>
> Enrolled in IPA realm EXAMPLE.COM
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
> SSSD enabled
> *Unable to find 'admin' user with 'getent passwd admin'!*

1) Do you have admin account on IPA side?
2) Is there a firewall between client and server? Is LDAP and LDAPS
allowed via the FW?

> Recognized configuration: SSSD
> Changed configuration of /etc/ldap.conf to use hardcoded server name:
> rhel6.example.com
> NTP enabled
> Client configuration complete.
>
> /var/log/secure
> May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
> May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user
> mdavidson
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass;
> user unknown
> May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
> May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error
> retrieving information about user mdavidson
> May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user
> mdavidson from 192.168.1.5 port 52511 ssh2
>
> /var/log/sssd/ldap_child.log
> (Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
> (Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256
> [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not
> found in Kerberos database
>
> /var/log/sssd/sssd.log
> (Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received
> Terminated: terminating children
> (Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received
> Terminated: terminating children
>
> thanks for helping!
> Matt
>
> > Date: Wed, 2 May 2012 11:30:52 -0400
> > From: rcrit...@redhat.com
> > To: m...@mldserviceslex.com
> > CC: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> >
> > Matthew Davidson wrote:
> > > To clarify one point.
> > >
> > > I used the current redhat documents to setup the two systems.
> > >
> > > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> > >
> > > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> > >
> > > SSH does not seem to be discussed and that is when I started web
> surfing
> > > in an attempt to fix my problem before reaching out for help.
> >
> > A host service principal is created during enrollment so no additional
> > work should be needed for SSH to work. The problem you're having is
> > related to the fact that user lookup services are failing.
> >
> > Can you look in /var/log/secure and/or /var/log/sssd/* to see if there
> > are any errors reported regarding sssd?
> >
> > What options did you pass to ipa-client-install?
> >
> > rob
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson

Hi Rob
[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: rhel6.example.com
Realm: EXAMPLE.COM
DNS Domain: EXAMPLE.COM
IPA Server: rhel6.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for ad...@example.com:

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
SSSD enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
Changed configuration of /etc/ldap.conf to use hardcoded server name: rhel6.example.com
NTP enabled
Client configuration complete.

/var/log/secure
May  2 12:31:14 rhel5 sshd[3250]: Invalid user mdavidson from 192.168.1.5
May  2 12:31:14 rhel5 sshd[3251]: input_userauth_request: invalid user mdavidson
May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): check pass; user unknown
May  2 12:31:19 rhel5 sshd[3250]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhel6.example.com
May  2 12:31:19 rhel5 sshd[3250]: pam_succeed_if(sshd:auth): error retrieving information about user mdavidson
May  2 12:31:21 rhel5 sshd[3250]: Failed password for invalid user mdavidson from 192.168.1.5 port 52511 ssh2

/var/log/sssd/ldap_child.log
(Wed May  2 11:52:08 2012) [[sssd[ldap_child[3091 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3252 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3253 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3254 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3255 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database
(Wed May  2 12:31:14 2012) [[sssd[ldap_child[3256 [ldap_child_get_tgt_sync] (0): Failed to init credentials: Client not found in Kerberos database

/var/log/sssd/sssd.log
(Tue May  1 13:53:26 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children
(Wed May  2 11:34:59 2012) [sssd] [monitor_quit] (0): Monitor received Terminated: terminating children

thanks for helping!
Matt
> Date: Wed, 2 May 2012 11:30:52 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
> 
> Matthew Davidson wrote:
> > To clarify one point.
> >
> > I used the current redhat documents to setup the two systems.
> >
> > Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
> >
> > Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
> >
> > SSH does not seem to be discussed and that is when I started web surfing
> > in an attempt to fix my problem before reaching out for help.
> 
> A host service principal is created during enrollment so no additional 
> work should be needed for SSH to work. The problem you're having is 
> related to the fact that user lookup services are failing.
> 
> Can you look in /var/log/secure and/or /var/log/sssd/* to see if there 
> are any errors reported regarding sssd?
> 
> What options did you pass to ipa-client-install?
> 
> rob

Re: [Freeipa-users] Error in Installation - unable to create CA

2012-05-02 Thread Rob Crittenden

shabahang elmian wrote:

Hello,
I would be thankful if some one can help me to resolve the problem.


We need to see /var/log/ipaserver-install.log and potentially 
/var/log/pki-ca/debug to determine what the problem is.


It would appear that the CA process didn't start.

Details on your versions of ipa-server and pki-ca would be helpful too.

rob



Shabahang


*From:* shabahang elmian 
*To:* Rob Crittenden 
*Cc:* "freeipa-users@redhat.com" 
*Sent:* Sunday, April 29, 2012 12:21 PM
*Subject:* Re: [Freeipa-users] Error in Installation - unable to create CA

[2012-04-23 17:07:32] [debug]
set_owner_group_on_directory_contents(/var/lib/pki-ca/alias, pkiuser,
pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/cert8.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/key3.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug]
set_owner_group(/var/lib/pki-ca/alias/secmod.db, pkiuser, pkiuser)
[2012-04-23 17:07:32] [debug] Processing PKI security modules for
'/var/lib/pki-ca' ...
[2012-04-23 17:07:32] [debug] Attempting to add hardware security
modules to system if applicable ...
[2012-04-23 17:07:32] [debug] module name: lunasa lib:
/usr/lunasa/lib/libCryptoki2_64.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] module name: nfast lib:
/opt/nfast/toolkits/pkcs11/libcknfast.so DOES NOT EXIST!
[2012-04-23 17:07:32] [debug] configuring SELinux ...
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9180. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9701. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9443. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9444. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9446. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9445. Port already defined otherwise.
[2012-04-23 17:07:34] [error] Failed setting selinux context
pki_ca_port_t for 9447. Port already defined otherwise.
[2012-04-23 17:07:34] [debug] Selinux contexts already set. No need to
run semanage.
[2012-04-23 17:07:34] [debug] Running restorecon commands
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/java/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/usr/share/java/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /usr/share/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/usr/share/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/lib/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/lib/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/run/pki
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/run/pki)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /var/log/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/var/log/pki-ca)
[2012-04-23 17:07:34] [debug] /sbin/restorecon -F -R /etc/pki-ca
[2012-04-23 17:07:34] [debug] run_command(/sbin/restorecon -F -R
/etc/pki-ca)
[2012-04-23 17:07:34] [debug] Installation manifest:
/var/lib/pki-ca/install_info
[2012-04-23 17:07:34] [debug] The following was performed:
Installed Files:
/etc/pki-ca/CS.cfg
...
.
.
/var/lib/pki-ca/webapps/ca/WEB-INF/lib/xml-commons-resolver.jar
Removed Items:
/etc/pki-ca/noise
/etc/pki-ca/pfile

[2012-04-23 17:07:34] [debug] run_command(/bin/systemctl restart
pki-cad@pki-ca.service)
[2012-04-23 17:07:34] [error] FAILED run_command("/bin/systemctl restart
pki-cad@pki-ca.service"), exit status=1 output="Job failed. See system
logs and 'systemctl status' for details."
[2012-04-23 17:07:34] [log] Configuration Wizard listening on
https://ipa.mtnirancell.ir:9445/ca/admin/console/config/login?pin=OiqLyU0CQxx8MRRZpuGs
[2012-04-23 17:07:34] [log] After configuration, the server can be
operated by the command:
/bin/systemctl restart pki-cad@pki-ca.service
[root@ipa ~]#

[root@ipa system]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: y
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Unconfiguring CA directory server
[root@ipa system]#
[root@ipa system]#
[root@ipa system]# > /var/log/audit/audit.log
[root@ipa system]#
[root@ipa system]#
[root@ipa system]# ipa-server-install --setup-dns

The log file for this installation can be found in
/var/log/ipaserver-install.log
==
This program will set up the FreeIPA Server.

This includes:
* Configure a stand-alone CA (dogtag) for certific

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden

Matthew Davidson wrote:

To clarify one point.

I used the current redhat documents to setup the two systems.

Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US

Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US

SSH does not seem to be discussed and that is when I started web surfing
in an attempt to fix my problem before reaching out for help.


A host service principal is created during enrollment so no additional 
work should be needed for SSH to work. The problem you're having is 
related to the fact that user lookup services are failing.


Can you look in /var/log/secure and/or /var/log/sssd/* to see if there 
are any errors reported regarding sssd?


What options did you pass to ipa-client-install?

rob



Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability

2012-05-02 Thread Jakub Hrozek
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote:
> 
> Sorry about not supplying the versions!
> On the redhat 6.2 server:
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> Red Hat 5.8
> ipa-client-2.1.3-1.el5
> I have looked over various documents and not had much luck.
> Thanks
> Matt

That's what I was suggesting. Your server is an IPAv2 server, but the
documentation you were following was an IPAv1 document.

Here is a link to the "Identity Management Guide" and the chapter that
describes how to enroll a client in particular:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html



Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson

To clarify one point.
I used the current redhat documents to setup the two systems.

Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US

Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US

SSH does not seem to be discussed and that is when I started web surfing in an 
attempt to fix my problem before reaching out for help.

thanks,
Matt

> Date: Wed, 2 May 2012 10:17:02 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > Greetings,
> >
> > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6
> > server.
> >
> > The first problem was at the install.
> >
> > yum install ipa-client ipa-admintools
> >
> > *No ipa-admintools! The RHEL5 system is registered with Red Hat and I
> > have searched the web.*
>
> There is no admin tools package for 5.x. Only a client enrollment script
> is available.
>
> > But I went ahead with the installation and I have joined RHEL5 to the
> > domain.
> >
> > From the command line.
> >
> > kinit mdavidson will log in.
> >
> > klist
> >
> > Ticket cache: FILE:/tmp/krb5cc_0
> >
> > Default principal: mdavid...@example.com 
> >
> > Looks good but I cannot setup ssh and ssh is essential.
> >
> > I assume it’s because I cannot perform this part of the steps.
> >
> > http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise
> > Linux 5 IPA client for incoming SSH connections:
> >
> > The IPA client installation process configures the NTP service by
> > default, but you should ensure that time on the IPA client and server is
> > synchronized. If it is not, run the following commands on the IPA client:
> >
> > # service ntpd stop
> >
> > # ntpdate -s -p 8 -u ipaserver.example.com
> >
> > # service ntpd start
> >
> > Note
> >
> > The ntpdate command does not work if ntpd is running.
> >
> > Obtain a Kerberos ticket for the admin user.
> >
> > # kinit admin
> >
> > Add a host service principal on the IPA client.
> >
> > # ipa-addservice host/ipaclient.example.com *(My error is -bash: ipa:
> > command not found)*
> >
> > Retrieve the keytab.
> >
> > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com
> > -k /etc/krb5.keytab *(My error is -bash: ipa: command not found)*
>
> These instructions are for IPA v1. I don't know why you get an error
> message about ipa not found when running ipa- though.
>
> The client installer should have already created a host service
> principal. Run: klist -kt /etc/krb5.keytab to see what keys are available.
>
> When you ran ipa-client-install were any errors reported?
>
> It appears that basic nss services aren't working. Can you do:
>
> id mdavidson
> getent passwd mdavidson
>
> If these don't work then sssd won't either (nor anything else).
>
> rob
>
> >
> > From RHEL5 /var/log/secure:
> >
> > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from
> > 192.168.1.110
> >
> > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid
> > user mdavidson
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=rhel6.example.com
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > DNS works.
> >
> > ntpd is running.
> >
> > I checked all the configuration files.
> >
> > I have searched for ipa-admintools and I’m sure this is why I cannot run
> > the ipa commands in step 1.5.
> >
> > What am I missing? Any thoughts or suggestions?
> >
> > Matt
> >
> >
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
  

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson

"Run: klist -kt /etc/krb5.keytab to see what keys are available." It shows the 
master server and itself.
"When you ran ipa-client-install were any errors reported?" None
It appears that basic nss services aren't working. Can you do:
id mdavidson
id: mdavidson: No such user
getent passwd mdavidson
returns nothing.
Thanks
Matt

> Date: Wed, 2 May 2012 10:17:02 -0400
> From: rcrit...@redhat.com
> To: m...@mldserviceslex.com
> CC: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 and red hat 6 compatability
>
> Matthew Davidson wrote:
> > Greetings,
> >
> > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6
> > server.
> >
> > The first problem was at the install.
> >
> > yum install ipa-client ipa-admintools
> >
> > *No ipa-admintools! The RHEL5 system is registered with Red Hat and I
> > have searched the web.*
>
> There is no admin tools package for 5.x. Only a client enrollment script
> is available.
>
> > But I went ahead with the installation and I have joined RHEL5 to the
> > domain.
> >
> > From the command line.
> >
> > kinit mdavidson will log in.
> >
> > klist
> >
> > Ticket cache: FILE:/tmp/krb5cc_0
> >
> > Default principal: mdavid...@example.com 
> >
> > Looks good but I cannot setup ssh and ssh is essential.
> >
> > I assume it’s because I cannot perform this part of the steps.
> >
> > http://bit.ly/Ivxxwj : Procedure 1.5. To configure a Red Hat Enterprise
> > Linux 5 IPA client for incoming SSH connections:
> >
> > The IPA client installation process configures the NTP service by
> > default, but you should ensure that time on the IPA client and server is
> > synchronized. If it is not, run the following commands on the IPA client:
> >
> > # service ntpd stop
> >
> > # ntpdate -s -p 8 -u ipaserver.example.com
> >
> > # service ntpd start
> >
> > Note
> >
> > The ntpdate command does not work if ntpd is running.
> >
> > Obtain a Kerberos ticket for the admin user.
> >
> > # kinit admin
> >
> > Add a host service principal on the IPA client.
> >
> > # ipa-addservice host/ipaclient.example.com *(My error is -bash: ipa:
> > command not found)*
> >
> > Retrieve the keytab.
> >
> > # ipa-getkeytab -s ipaserver.example.com -p host/ipaclient.example.com
> > -k /etc/krb5.keytab *(My error is -bash: ipa: command not found)*
>
> These instructions are for IPA v1. I don't know why you get an error
> message about ipa not found when running ipa- though.
>
> The client installer should have already created a host service
> principal. Run: klist -kt /etc/krb5.keytab to see what keys are available.
>
> When you ran ipa-client-install were any errors reported?
>
> It appears that basic nss services aren't working. Can you do:
>
> id mdavidson
> getent passwd mdavidson
>
> If these don't work then sssd won't either (nor anything else).
>
> rob
>
> >
> > From RHEL5 /var/log/secure:
> >
> > May 1 14:09:41 wkylexsys21 sshd[2984]: Invalid user mdavidson from
> > 192.168.1.110
> >
> > May 1 14:09:41 wkylexsys21 sshd[2985]: input_userauth_request: invalid
> > user mdavidson
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_unix(sshd:auth):
> > authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> > rhost=rhel6.example.com
> >
> > May 1 14:09:46 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:09:48 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:04 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:10:09 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:10:10 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_unix(sshd:auth): check pass;
> > user unknown
> >
> > May 1 14:10:22 wkylexsys21 sshd[2984]: pam_succeed_if(sshd:auth): error
> > retrieving information about user mdavidson
> >
> > May 1 14:10:24 wkylexsys21 sshd[2984]: Failed password for invalid user
> > mdavidson from 192.168.1.110 port 58959 ssh2
> >
> > DNS works.
> >
> > ntpd is running.
> >
> > I checked all the configuration files.
> >
> > I have searched for ipa-admintools and I’m sure this is why I cannot run
> > the ipa commands in step 1.5.
> >
> > What am I missing? Any thoughts or suggestions?
> >
> > Matt
> >
> >
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
  


Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability

2012-05-02 Thread Matthew Davidson

Sorry about not supplying the versions!
On the redhat 6.2 server:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
Red Hat 5.8
ipa-client-2.1.3-1.el5
I have looked over various documents and not had much luck.
Thanks
Matt


> Date: Wed, 2 May 2012 16:07:42 +0200
> From: jhro...@redhat.com
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability
>
> On Wed, May 02, 2012 at 09:52:50AM -0400, Matthew Davidson wrote:
> >
> > Greetings,
> > Trying to get a Red Hat 5.8 server installed as a client to my Red Hat 6 
> > server.
> > The first problem was at the install.
> > yum install ipa-client ipa-admintools
> > No ipa-admintools! The RHEL5 system is registered with Red Hat and I have 
> > searched the web.
> > But I went ahead with the installation and I have joined RHEL5 to the 
> > domain.
> > From the command line.
> > kinit mdavidson will log in.
> > klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: mdavid...@example.com
> > Looks good but I cannot setup ssh and ssh is essential.
> > I assume it’s because I cannot perform this part of the steps.
> > http://bit.ly/Ivxxwj :
>
> Is your server IPAv1 or v2? The documentation link you provided points
> to v1 documentation.
>
> IIRC IPAv1 is not supported anymore.
>
> Here is a link to the IPAv2 docs:
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
  



Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Wed, 2012-05-02 at 09:44 -0400, Rob Crittenden wrote:
> Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the 
> > older 6.2 clients will break?  but I cant upgrade the clients until after 
> > the servers are done... if so that is a huge and ugly looking task that is 
> > one way
> 
> No, that's not the problem at all. Enrolled clients will work as 
> expected. New 6.3 clients can enroll with a 6.3 server. Based on the log 
> it looks like a 6.3 client can't enroll with a 6.2 server but I'm still 
> investigating. We'll fix it if needed.
> 
> rob

I just sent a patch for this issue to freeipa-devel list. The problem
was in the TGT forwarding as mentioned earlier in this thread. The
patched client can now join an older IPA server. But ipa command still
won't work properly as its API is higher than the server's.

Martin


> 
> >
> > regards
> >
> > Steven Jones
> >
> > Technical Specialist - Linux RHCE
> >
> > Victoria University, Wellington, NZ
> >
> > 0064 4 463 6272
> >
> > 
> > From: Rob Crittenden [rcrit...@redhat.com]
> > Sent: Wednesday, 2 May 2012 1:19 a.m.
> > To: Steven Jones
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] ipa-client install error
> >
> > Steven Jones wrote:
> >> I made a slight oops, I just upgraded a long un-used vm on my desktop from 
> >> 6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite 
> >> is down I cant correct this so I tried to add the 6.3beta client to IPA on 
> >> 6.2 and I get an error.
> >>
> >> ==
> >> [root@rhel664ws01 ~]# ipa-client-install --mkhomedir
> >> Discovery was successful!
> >> Hostname: rhel664ws01.ods.vuw.ac.nz
> >> Realm: ODS.VUW.AC.NZ
> >> DNS Domain: ods.vuw.ac.nz
> >> IPA Server: vuwunicoipam002.ods.vuw.ac.nz
> >> BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz
> >>
> >>
> >> Continue to configure the system with these values? [no]: yes
> >> User authorized to enroll computers: admjonesst1
> >> Synchronizing time with KDC...
> >> Unable to sync time with IPA NTP server, assuming the time is in sync.
> >> Password for admjones...@ods.vuw.ac.nz:
> >>
> >> Enrolled in IPA realm ODS.VUW.AC.NZ
> >> Created /etc/ipa/default.conf
> >> Unable to activate the SSH service in SSSD config.
> >> Please make sure you have SSSD built with SSH support installed.
> >> Configure SSH support manually in /etc/sssd/sssd.conf.
> >> Configured /etc/sssd/sssd.conf
> >> Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
> >> Traceback (most recent call last):
> >> File "/usr/sbin/ipa-client-install", line 1534, in
> >>   sys.exit(main())
> >> File "/usr/sbin/ipa-client-install", line 1521, in main
> >>   rval = install(options, env, fstore, statestore)
> >> File "/usr/sbin/ipa-client-install", line 1358, in install
> >>   api.Backend.xmlclient.connect()
> >> File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
> >> connect
> >>   conn = self.create_connection(*args, **kw)
> >> File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
> >> create_connection
> >>   raise errors.KerberosError(major=str(krberr), minor='')
> >> ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
> >> credentials/
> >> [root@rhel664ws01 ~]#
> >> ===
> >>
> >> Is this expected when trying to connect 6.3beta? ie its simply not 
> >> compatible?
> >>
> >
> > The newer 2.2 client cannot connect to an older 2.1 server because it
> > isn't going to send the TGT that the 2.1 server requires. We should
> > handle this better, I've opened a ticket to track this:
> > https://fedorahosted.org/freeipa/ticket/2697
> >
> > rob
> >
> 
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden

Steven Jones wrote:

So this opens a chicken and egg?

ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 
6.2 clients will break?  but I cant upgrade the clients until after the servers 
are done... if so that is a huge and ugly looking task that is one way


No, that's not the problem at all. Enrolled clients will work as 
expected. New 6.3 clients can enroll with a 6.3 server. Based on the log 
it looks like a 6.3 client can't enroll with a 6.2 server but I'm still 
investigating. We'll fix it if needed.


rob



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 2 May 2012 1:19 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client install error

Steven Jones wrote:

I made a slight oops, I just upgraded a long un-used vm on my desktop from 
6.2beta to 6.3beta instead of 6.2 by mistake. Anyway  since our satellite is 
down I cant correct this so I tried to add the 6.3beta client to IPA on 6.2 and 
I get an error.

==
[root@rhel664ws01 ~]# ipa-client-install --mkhomedir
Discovery was successful!
Hostname: rhel664ws01.ods.vuw.ac.nz
Realm: ODS.VUW.AC.NZ
DNS Domain: ods.vuw.ac.nz
IPA Server: vuwunicoipam002.ods.vuw.ac.nz
BaseDN: dc=ods,dc=vuw,dc=ac,dc=nz


Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admjonesst1
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admjones...@ods.vuw.ac.nz:

Enrolled in IPA realm ODS.VUW.AC.NZ
Created /etc/ipa/default.conf
Unable to activate the SSH service in SSSD config.
Please make sure you have SSSD built with SSH support installed.
Configure SSH support manually in /etc/sssd/sssd.conf.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm ODS.VUW.AC.NZ
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1534, in
  sys.exit(main())
File "/usr/sbin/ipa-client-install", line 1521, in main
  rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1358, in install
  api.Backend.xmlclient.connect()
File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in 
connect
  conn = self.create_connection(*args, **kw)
File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 410, in 
create_connection
  raise errors.KerberosError(major=str(krberr), minor='')
ipalib.errors.KerberosError: Kerberos error: did not receive Kerberos 
credentials/
[root@rhel664ws01 ~]#
===

Is this expected when trying to connect 6.3beta? i.e. is it simply not compatible?



The newer 2.2 client cannot connect to an older 2.1 server because it
isn't going to send the TGT that the 2.1 server requires. We should
handle this better, I've opened a ticket to track this:
https://fedorahosted.org/freeipa/ticket/2697

rob





Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
> On 05/01/2012 06:15 PM, Steven Jones wrote:
> > So this opens a chicken and egg?
> >
> > i.e. when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3, all the
> > older 6.2 clients will break? But I can't upgrade the clients until after
> > the servers are done. If so, that is a huge and ugly-looking task that is
> > one way.
> >
> 
> Yes, this is a serious problem. Thank you for uncovering it.
> The current plan is to provide a fix for the older clients to be able to
> connect to 2.2 via errata, and to make sure that the 2.2 client can
> connect to the 2.1 server.
> 
> Thanks
> Dmitri

I am working on a patch for ipa-client-install which should make it
capable of joining an older IPA server.

BTW, I always thought that the proper upgrade scenario is to upgrade the
servers to the new version first and then upgrade the clients. The issue
here is that the new IPA clients won't be able to use "ipa" command to
control the old server because they have a higher API version and the
old server would not support it.

The combination of older IPA client (e.g. 2.1) and new server (e.g. 2.2)
should be OK as we maintain backwards compatibility.

Martin

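As an added illustration of the compatibility rule Rob and Martin describe above (an older client works against a newer server, but a newer client cannot enroll with or drive the "ipa" command against an older server), here is a small pre-upgrade planning check. This is example code written for this page, not code from the FreeIPA project or from anyone in the thread; the host names, roles and version numbers are constructed sample data, and the "servers first, then clients" ordering is simply the thread's own advice turned into a function.

```python
"""Added example (not from the thread or the FreeIPA project): a small
pre-upgrade compatibility check that encodes the rule discussed above.

Rule as stated in the thread: an older IPA client can talk to a newer server
(backwards compatibility is maintained), but a newer client cannot enroll
against, or use the "ipa" CLI on, an older server because its API version is
higher than the server supports. All hosts and versions below are constructed
sample data, not a real inventory.
"""
from typing import List, NamedTuple, Tuple

Version = Tuple[int, ...]


class Host(NamedTuple):
    name: str
    role: str      # "server" or "client"
    version: str   # IPA version string, e.g. "2.1" or "2.2"


def parse_version(text: str) -> Version:
    """Turn "2.2" or "2.2.0" into a comparable tuple of ints.

    Trailing zero components are dropped so that "2.2.0" == "2.2"; a plain
    tuple comparison would otherwise rank (2, 2, 0) above (2, 2).
    """
    parts = [int(part) for part in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def client_compatible(client_version: str, server_version: str) -> bool:
    """True when a client of this version can enroll with / use the server.

    Encodes the thread's rule: the client's version (and hence API version)
    must not exceed the server's.
    """
    return parse_version(client_version) <= parse_version(server_version)


def find_incompatible_pairs(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Return (client, server) name pairs where the client is newer than the server."""
    servers = [h for h in hosts if h.role == "server"]
    clients = [h for h in hosts if h.role == "client"]
    return [(c.name, s.name)
            for c in clients
            for s in servers
            if not client_compatible(c.version, s.version)]


def safe_upgrade_order(hosts: List[Host]) -> List[str]:
    """Servers first, then clients, so no client is ever newer than its servers."""
    servers = sorted(h.name for h in hosts if h.role == "server")
    clients = sorted(h.name for h in hosts if h.role == "client")
    return servers + clients


# Constructed sample fleet: one server still on 2.1 and one client already on 2.2.
SAMPLE_FLEET = [
    Host("ipa-server-a.example.test", "server", "2.1"),
    Host("ipa-server-b.example.test", "server", "2.2"),
    Host("ws01.example.test", "client", "2.1"),
    Host("ws02.example.test", "client", "2.2"),
]

if __name__ == "__main__":
    for client, server in find_incompatible_pairs(SAMPLE_FLEET):
        print(f"{client} is newer than {server}: enrollment / ipa CLI will fail")
    print("Upgrade order:", " -> ".join(safe_upgrade_order(SAMPLE_FLEET)))
```

Running it against the sample fleet flags only the 2.2 workstation paired with the 2.1 server, which is exactly the situation Steven hit with his 6.3beta client; the printed order upgrades both servers before any client.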