Re: [Freeipa-users] error install replication

[alireza baghery]

ipasrv# Service SSSD status
sssd is runing
nevertheless i restart service sssd
but problem do not solved

On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/09/2015 07:42 AM, alireza baghery wrote:
  i check on both server ssh each other's name and ssh successful and
 resolve
  name was also correct on each server
  but i can not login with user admin from ipareplica via ssh
 (root@ipareplica]#
  ssh admin@ipasrv === failed)
 
  [root@ipareplica ~]# ssh ipasrv
  root@ipasrv's password:
  Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
  =log /var/secure
  Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
  10.30.160.20 port 52110 ssh2
  Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
 opened
  for user root by (uid=0)
  =
  [root@ipasrv ~]# ssh ipareplica
  root@ipareplica's password:
  Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19
 
  ==
  [root@ipareplica ~]# nslookup ipasrv
  Server: 10.30.160.19
  Address:10.30.160.19#53
 
  Name:   ipasrv
  Address: 10.30.160.19
 
  
  [root@ipasrv ~]# nslookup ipareplica
  Server: 127.0.0.1
  Address:127.0.0.1#53
 
  Name:   ipareplica
  Address: 10.30.160.20
  =

 Ok, so ssh is running, you can log in with root. I think that by 99%
 chance,
 your SSSD service is not running on the IPA server. Please check if this
 is the
 case and if yes, please try to (re)start it. If that helped, it would be
 also
 useful to see *why* the SSSD is not running (crash, misconfiguration, ...)

 Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How do I modify the entry cache size?

[Chris Mohler]

On 02/09/2015 09:48 AM, Rich Megginson wrote:

On 02/08/2015 08:23 PM, Chris Mohler wrote:

Thanks for the reply and the link Rich!

dbmon.sh is a handy tool indeed.

I read the instructions and upped my entry cache size to 2gb because 
I have enough ram.

Everything went well until
|service dirsrv restart

|
|I Got the following errors:
[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

|
|Oddly enough everything appears to be working. Are these messages safe to 
ignore?
|


This is definitely not related to the cache size.

|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.


rpm -q 389-ds-base

find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 
{} /dev/null \;



|

|Another run of dbmon.sh shows that my entry cache was increased.

|||
|Thanks,
|
|-Chris
|
|
|


On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:


On 02/07/2015 11:25 AM, Chris Mohler wrote:

Hi Everyone. I'm trying to troubleshoot some issues I'm having. I want to 
increase the entry cache size
I'm trying to follow the directions here
/usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 389

dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 20971520

Is this the correct way to do this? How do I find out what the 
cn=/|database_name is supposed to be?
|/


|/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
script will tell you what the names of your databases are.

/|
|/
/|Thanks,
|/
/|-Chris
|/





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project







Thanks again Rich,
I have been having an abundance of issues with my FreeIPA server lately. 
I'm not surprised that error is not related. I was not sure as It has 
not surfaced in my logs before I changed the entry cache size. Possibly 
this will be the clue to get me on the road to recovery.
|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.|
I migrated from OpenLdap about a year ago. So my install is a migration. 
I also recently tried to add a replica. Which prompted me to update the 
schema on the master before it would replicate.



|rpm -q 389-ds-base|

|389-ds-base-1.2.11.15-48.el6_6.x86_64

|
|find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 
{} /dev/null \;|

|
|/etc/dirsrv/slapd-PKI-IPA/schema.bak/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/05rfc2247.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 
'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR 
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
SINGLE-VALUE X-ORIGIN 'RFC 2247' )
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-CS-OBERLIN-EDU/schema.bak/00core.ldif:attributeTypes: 
( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-CS-OBERLIN-EDU/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )


Thanks again,
-Chris

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How do I modify the entry cache size?

[Rich Megginson]

On 02/08/2015 08:23 PM, Chris Mohler wrote:

Thanks for the reply and the link Rich!

dbmon.sh is a handy tool indeed.

I read the instructions and upped my entry cache size to 2gb because I 
have enough ram.

Everything went well until
|service dirsrv restart

|
|I Got the following errors:
[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

|
|Oddly enough everything appears to be working. Are these messages safe to 
ignore?
|


This is definitely not related to the cache size.

|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.


rpm -q 389-ds-base

find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 {} 
/dev/null \;



|

|Another run of dbmon.sh shows that my entry cache was increased.

|||
|Thanks,
|
|-Chris
|
|
|


On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:


On 02/07/2015 11:25 AM, Chris Mohler wrote:

Hi Everyone. I'm trying to troubleshoot some issues I'm having. I want to 
increase the entry cache size
I'm trying to follow the directions here
/usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 389

dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 20971520

Is this the correct way to do this? How do I find out what the 
cn=/|database_name is supposed to be?
|/


|/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
script will tell you what the names of your databases are.

/|
|/
/|Thanks,
|/
/|-Chris
|/





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

[Chris Mohler]

On 02/09/2015 10:18 AM, Martin Kosek wrote:

On 02/07/2015 12:27 AM, Chris Mohler wrote:

I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called idm

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
(clients can't auth unless service sssd is restarted multiple times 10 (User
not known to the underlying authentication module) I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
ipa

Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.


on the master idm I ran ipa-replica-prepare and transfered the file to the
future replica ipa Then I ran the install replica script ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx

65536) that are know to pop up more with CentOS 6.6.

Hi Martin,
Thanks for the reply and help I appreciate it.


Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.
Good to know. I try to be distro agnostic. I've used Redhat 7.1 then 
went Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess 
I'm equally uncomfortable with either version.


That Said. Is there any reason that I could or should not have a replica 
on a Fedora 21 server and 2nd replica on a Centos 7.1 later? My 
understanding is the more the merrier.



Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?


I tried to setup the replica again just now so I have some fresh logs.

From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 
starting up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries 
set up under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for 
LDAPS requests
[08/Feb/2015:22:14:50 -0500] - Listening on 
/var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - 
agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update 
failed: Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to 
replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with 
total update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total 
update of replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)


To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 
10485760B is less than db size 12115968B; We recommend to increase the

entry cache size nsslapd-cachememsize.

To which I have asked another question how do I change the entry cache 
size

https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.

|[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15/  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests|


|
Thanks again for having a look at my problem,
-Chris
|





-- 
Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

[Martin Kosek]

On 02/09/2015 05:16 PM, Chris Mohler wrote:
 On 02/09/2015 10:18 AM, Martin Kosek wrote:
 On 02/07/2015 12:27 AM, Chris Mohler wrote:
 I'm having some troubles. I have an older IPA install Version 3.0.0. on 
 Centos
 6.6. It's currently the only master for my domain. I have about 4k user
 accounts on here and it's a live system called idm

 I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
 (clients can't auth unless service sssd is restarted multiple times 10 
 (User
 not known to the underlying authentication module) I think this is possibly
 unrelated and the topic for another thread.

 I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's 
 called
 ipa
 Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
 in, so you can also use that platform if you are used to it.

 on the master idm I ran ipa-replica-prepare and transfered the file to 
 the
 future replica ipa Then I ran the install replica script 
 ipa-replica-install
 --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
 Things went well until it failed

 [24/35]: setting up initial replication
 Starting replication, please wait until this has completed.
 Update in progress, 133 seconds elapsed
 Update in progress yet not in progress

 Update in progress yet not in progress

 Update in progress yet not in progress

 [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
 abortedLDAP error: Referral]

 [error] RuntimeError: Failed to start replication

 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.

 Please help I'm getting nowhere by myself.
 Can you please look on the master you are replicating from and look for 
 errors
 in /var/log/messages or DS errors log?

 Maybe you will see messages like ns-slapd: encoded packet size too big 
 (xx
 65536) that are know to pop up more with CentOS 6.6.
 Hi Martin,
 Thanks for the reply and help I appreciate it.
 
 Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
 in, so you can also use that platform if you are used to it.
 Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
 Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
 uncomfortable with either version.
 
 That Said. Is there any reason that I could or should not have a replica on a
 Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is 
 the
 more the merrier.

It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance is it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)

 Can you please look on the master you are replicating from and look for 
 errors
 in /var/log/messages or DS errors log?
 
 I tried to setup the replica again just now so I have some fresh logs.
 
 From the Dirserv error log
 [08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 
 starting up
 [08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
 under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
 [08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces 
 port
 389 for LDAP requests
 [08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
 requests
 [08/Feb/2015:22:14:50 -0500] - Listening on
 /var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
 agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed:
 Server is unwilling to perform
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
 replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
 update session.
 [09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
 replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)
 
 To be fair and not duplicate efforts I have had the following error
 [08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B 
 is
 less than db size 12115968B; We recommend to increase the
 entry cache size nsslapd-cachememsize.
 
 To which I have asked another question how do I change the entry cache size
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
 I now get additional errors which I would guess are possibly related.

IMO, they this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also 

Re: [Freeipa-users] How do I modify the entry cache size?

[Rich Megginson]

On 02/09/2015 08:26 AM, Chris Mohler wrote:

On 02/09/2015 09:48 AM, Rich Megginson wrote:

On 02/08/2015 08:23 PM, Chris Mohler wrote:

Thanks for the reply and the link Rich!

dbmon.sh is a handy tool indeed.

I read the instructions and upped my entry cache size to 2gb because 
I have enough ram.

Everything went well until
|service dirsrv restart

|
|I Got the following errors:
[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

|
|Oddly enough everything appears to be working. Are these messages safe to 
ignore?
|


This is definitely not related to the cache size.

|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.


rpm -q 389-ds-base

find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 
{} /dev/null \;



|

|Another run of dbmon.sh shows that my entry cache was increased.

|||
|Thanks,
|
|-Chris
|
|
|


On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:


On 02/07/2015 11:25 AM, Chris Mohler wrote:

Hi Everyone. I'm trying to troubleshoot some issues I'm having. I want to 
increase the entry cache size
I'm trying to follow the directions here
/usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 389

dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 20971520

Is this the correct way to do this? How do I find out what the 
cn=/|database_name is supposed to be?
|/


|/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
script will tell you what the names of your databases are.

/|
|/
/|Thanks,
|/
/|-Chris
|/





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project







Thanks again Rich,
I have been having an abundance of issues with my FreeIPA server 
lately. I'm not surprised that error is not related. I was not sure as 
It has not surfaced in my logs before I changed the entry cache size. 
Possibly this will be the clue to get me on the road to recovery.
|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.|
I migrated from OpenLdap about a year ago. So my install is a 
migration. I also recently tried to add a replica. Which prompted me 
to update the schema on the master before it would replicate.


What exactly did you do?  You should not have migrated the standard 
schema from openldap.  Did you have to override the definition of 'dc' 
for some reason?





|rpm -q 389-ds-base|

|389-ds-base-1.2.11.15-48.el6_6.x86_64

|
|find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 
{} /dev/null \;|

|
|/etc/dirsrv/slapd-PKI-IPA/schema.bak/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/05rfc2247.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 
'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR 
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
SINGLE-VALUE X-ORIGIN 'RFC 2247' )


This definition is wrong.  Both RFC 2247 and RFC 4519 define 'dc' as 
syntax 1.3.6.1.4.1.1466.115.121.1.26 - that is, 7-bit ASCII only. Do you 
have some application that requires 8-bit or unicode characters (syntax 
1.3.6.1.4.1.1466.115.121.1.15) in domain component names?  If it is 
absolutely required that dc accepts unicode, then you'll have to change 
the matching rules as well, to be unicode compatible: EQUALITY 
caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch - that is, just get rid 
of the IA5.



/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-CS-OBERLIN-EDU/schema.bak/00core.ldif:attributeTypes: 

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

[Martin Kosek]

On 02/07/2015 12:27 AM, Chris Mohler wrote:
 I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
 6.6. It's currently the only master for my domain. I have about 4k user
 accounts on here and it's a live system called idm
 
 I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
 (clients can't auth unless service sssd is restarted multiple times 10 (User
 not known to the underlying authentication module) I think this is possibly
 unrelated and the topic for another thread.
 
 I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's 
 called
 ipa

Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

 
 on the master idm I ran ipa-replica-prepare and transfered the file to the
 future replica ipa Then I ran the install replica script ipa-replica-install
 --setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
 Things went well until it failed
 
 [24/35]: setting up initial replication
 Starting replication, please wait until this has completed.
 Update in progress, 133 seconds elapsed
 Update in progress yet not in progress
 
 Update in progress yet not in progress
 
 Update in progress yet not in progress
 
 [idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
 abortedLDAP error: Referral]
 
 [error] RuntimeError: Failed to start replication
 
 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
 
 Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx
 65536) that are know to pop up more with CentOS 6.6.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Trust with Active Directory fails

[Guertin, David S.]

 For Active Directory cross-forest trusts to work, we need following records
 to be in place:
 
 _ldap._tcp.DOMAIN
 _kerberos._udp.DOMAIN
 _kerberos._tcp.DOMAIN
 _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
 _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
 _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
 _ldap._tcp.dc._msdcs.DOMAIN
 _kerberos._udp.dc._msdcs.DOMAIN
 _kerberos._tcp.dc._msdcs.DOMAIN

I've checked with nslookup, and for the IPA subdomain csns.example.com, all the 
records are in place. For the parent example.com domain, though, the following 
four records are not found:

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.dc._msdcs.example.com

Do these need to be manually added to our DNS records? I've never had to 
manually add an SRV record before. If it matters, we are not using our domain 
controllers as our DNS servers -- we have separate, dedicated DNS servers in 
our environment.

Thanks,

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[Martin Kosek]

On 02/09/2015 03:31 PM, Dmitri Pal wrote:
 On 02/09/2015 08:34 AM, alireza baghery wrote:
 yes try ssh admin@hostname but do not work
 log secure-

 Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication
 failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20  user=admin
 Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication
 success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
 Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access denied for
 user admin: 6 (Permission denied)
 Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from
 10.30.160.20 port 52123 ssh2
 Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user admin by
 PAM account configuration

 
 Do you have HBAC rules? Does admin have the rights to log via SSH?
 If you changed the default rules it might be that admin is not allowed to log
 via ssh.

Good questions. Also note, that if for some special reasons, you do not want to
make admins log in to your FreeIPA servers, you can always pass
--skip-conncheck to the replica and go straight to the installation, skipping
the firewall check.

Of course, no guarantees that the installation won't get stuck or crash because
of closed ports in that case.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Trust with Active Directory fails

[Alexander Bokovoy]

On Mon, 09 Feb 2015, Guertin, David S. wrote:

For Active Directory cross-forest trusts to work, we need following records
to be in place:

_ldap._tcp.DOMAIN
_kerberos._udp.DOMAIN
_kerberos._tcp.DOMAIN
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.DOMAIN
_ldap._tcp.dc._msdcs.DOMAIN
_kerberos._udp.dc._msdcs.DOMAIN
_kerberos._tcp.dc._msdcs.DOMAIN


I've checked with nslookup, and for the IPA subdomain csns.example.com, all the 
records are in place. For the parent example.com domain, though, the following 
four records are not found:

_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
_kerberos._udp.dc._msdcs.example.com

Do these need to be manually added to our DNS records? I've never had
to manually add an SRV record before. If it matters, we are not using
our domain controllers as our DNS servers -- we have separate,
dedicated DNS servers in our environment.

Can you send me (off-list) logs as described in
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How do I modify the entry cache size?

[Chris Mohler]

On 02/09/2015 11:19 AM, Rich Megginson wrote:

On 02/09/2015 08:26 AM, Chris Mohler wrote:

On 02/09/2015 09:48 AM, Rich Megginson wrote:

On 02/08/2015 08:23 PM, Chris Mohler wrote:

Thanks for the reply and the link Rich!

dbmon.sh is a handy tool indeed.

I read the instructions and upped my entry cache size to 2gb 
because I have enough ram.

Everything went well until
|service dirsrv restart

|
|I Got the following errors:
[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

|
|Oddly enough everything appears to be working. Are these messages safe to 
ignore?
|


This is definitely not related to the cache size.

|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.


rpm -q 389-ds-base

find /etc/dirsrv -name \*.ldif -exec grep 0.9.2342.19200300.100.1.25 
{} /dev/null \;



|

|Another run of dbmon.sh shows that my entry cache was increased.

|||
|Thanks,
|
|-Chris
|
|
|


On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson rmegg...@redhat.com 
mailto:rmegg...@redhat.com wrote:


On 02/07/2015 11:25 AM, Chris Mohler wrote:

Hi Everyone. I'm trying to troubleshoot some issues I'm having. I want to 
increase the entry cache size
I'm trying to follow the directions here
/usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 389

dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 20971520

Is this the correct way to do this? How do I find out what the 
cn=/|database_name is supposed to be?
|/


|/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
script will tell you what the names of your databases are.

/|
|/
/|Thanks,
|/
/|-Chris
|/





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project







Thanks again Rich,
I have been having an abundance of issues with my FreeIPA server 
lately. I'm not surprised that error is not related. I was not sure 
as It has not surfaced in my logs before I changed the entry cache 
size. Possibly this will be the clue to get me on the road to recovery.
|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.|
I migrated from OpenLdap about a year ago. So my install is a 
migration. I also recently tried to add a replica. Which prompted me 
to update the schema on the master before it would replicate.


What exactly did you do?  You should not have migrated the standard 
schema from openldap.  Did you have to override the definition of 'dc' 
for some reason?





|rpm -q 389-ds-base|

|389-ds-base-1.2.11.15-48.el6_6.x86_64

|
|find /etc/dirsrv -name \*.ldif -exec grep 
0.9.2342.19200300.100.1.25 {} /dev/null \;|

|
|/etc/dirsrv/slapd-PKI-IPA/schema.bak/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/05rfc2247.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 
'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR 
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
SINGLE-VALUE X-ORIGIN 'RFC 2247' )


This definition is wrong.  Both RFC 2247 and RFC 4519 define 'dc' as 
syntax 1.3.6.1.4.1.1466.115.121.1.26 - that is, 7-bit ASCII only.  Do 
you have some application that requires 8-bit or unicode characters 
(syntax 1.3.6.1.4.1.1466.115.121.1.15) in domain component names?  If 
it is absolutely required that dc accepts unicode, then you'll have to 
change the matching rules as well, to be unicode compatible: EQUALITY 
caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch - that is, just get 
rid of the IA5.



/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )

Re: [Freeipa-users] User certificates with FreeIPA and another question.

[Christopher Young]

I actually think I can get this going at this time if I can just figure out
how to submit a subca csr to dogtag, sign it, and acquire it.
Documentation on that seems to be hard to come by, but I'm digging to avoid
eating up this thread (and trying to RTFM where possible).  I still stand
by my request for consulting time if anyone has more intimate knowledge,
however if someone can point me in the best direction for getting a openssl
based subca's csr submitted, signed, acquired, I think I can get the rest
going.  Your help would be greatly, greatly appreciated.

Chris

On Mon, Feb 9, 2015 at 12:18 PM, Christopher Young mexigaba...@gmail.com
wrote:

 Would anyone happen to have any guides on how one could get through this
 process?  I'm a one-man IT shop at the moment, so I'm building up a
 tremendous amount of infrastructure at once.  I'm thinking that the option
 of creating a subCA with something simple like openssl would be the best
 option, but figuring out that process in a minimal amount of time is going
 to be tough.

 I'm going to try and give myself some reading assignments and push that
 forward, but if anyone happens to have a good handle on that
 process/commands/etc. and would be interesting in double a couple of hours
 of consulting to me, I would be very interested in listening provided we
 could come up with a reasonable rate/timeframe.  If anyone is interested,
 please contact me directly off-list.

 Thanks again.  These answers/ideas have been most helpful.

 On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/06/2015 12:53 AM, Christopher Young wrote:
  Obvious next question:  Any plans to implement that functionality or
 advice
  on how one might get some level of functionality for this?  Would it be
  possible to create another command-line based openssl CA that could
 issue
  these but using IPA as the root CA for those?

 As for FreeIPA plans, we plan to vastly improve our flexibility to process
 certificates in next upstream version - FreeIPA 4.2. In next version, one
 should be able to create other certificate profiles (from FreeIPA default
 service cert profile) or even subCAs to do what you want.

 As for current workarounds, you would have to issue and sign a for
 example NSS
 or openssl based subCA and then sign user certs there. But I would leave
 Fraser
 or Jan to tell if this would be really possible.

  I'm just trying to provide a solution for situations where we would
 like to
  utilize client/user cert authentication for situations like secure
 apache
  directory access as well as user VPN certificates.  Any advise or ideas
 are
  great appreciated.
 
  Thanks again!
 
  On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden rcrit...@redhat.com
 wrote:
 
  Christopher Young wrote:
  Some of this might be rudimentary, so I apologize if this is answered
  somewhere, though I've tried to search and have not had much luck...
 
  Basically,  I would like to be able to issue user certificates
 (Subject:
  email=sblblabla@blabla.local) in order to use client SSL security on
  some things.  I'm very new to FreeIPA, but have worked with external
 CAs
  in the past for similar requests, however this is my first entry into
  creating/running a localized CA within an organization.
 
  IPA doesn't issue user certificates yet, only server certificates.
 
  I was wondering if this is possible via the command line, and if so,
 how
  to go about submitting the request and receiving the certificate.  Any
  guidance or assistance would be greatly appreciated!
 
 
  Additionally, just as a matter of cleanliness, is there any way
 possible
  to just completely wipe out the existence of a certificate/request
 from
  FreeIPA.  I have done some trial-and-error and obviously have made
  mistakes that I'd prefer to clean up after.  I've revoked those certs,
  however the perfectionist in me hates seeing them there.  I'm quite
  certain the answer is 'no', but I thought I would ask anyway.
 
  Right, the answer is no. In fact it is a good thing that all
  certificates are accounted for.
 
  rob
 
 
 
 
 



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] admin password is always expired

[Dmitri Pal]

On 02/09/2015 05:35 PM, Roderick Johnstone wrote:

Hi

I seem to have locked myself out of my ipa admin account (on RHEL 
6.6). This is an evaluation instance so not too big a deal, but a good 
learning experience. I suspect its some changes that I made to the 
password policy that caused this.


The admin account has expired and I'm trying to reset the password 
like this:


# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal admin@REALM:
Re-enter password for principal admin@REALM:
Password for admin@REALM changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 86400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this 
allows me to reset the admin password properly, but I'm getting eg:


kadmin.local:  modify_policy -maxlife 90 days global_policy
modify_policy: Plugin does not support the operation while modifying 
policy global_policy.


Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set 
to none, but maybe this is a red herring:


kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone


Did you set password expiration for admin manually?
The attribute shows that it is 1906. This makes me think that you set 
your expiration to a big number. However the value rolls over in 2038. 
So you need to make sure what you set translates to a date before 2038.


Why are you using kdamin.local? With IPA it is not supported. There is a 
bunch of IPA commands that do the same.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Upgrade from 3x to 4x cant create first replica.

[Chris Mohler]

On 02/09/2015 11:36 AM, Martin Kosek wrote:

On 02/09/2015 05:16 PM, Chris Mohler wrote:

On 02/09/2015 10:18 AM, Martin Kosek wrote:

On 02/07/2015 12:27 AM, Chris Mohler wrote:

I'm having some troubles. I have an older IPA install Version 3.0.0. on Centos
6.6. It's currently the only master for my domain. I have about 4k user
accounts on here and it's a live system called idm

I'm trying to upgrade to V4.x as I am hoping to fix some issues I am having.
(clients can't auth unless service sssd is restarted multiple times 10 (User
not known to the underlying authentication module) I think this is possibly
unrelated and the topic for another thread.

I created a new VM and installed Fedora Server 21 and FreeIPA 4.1.2 it's called
ipa

Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.


on the master idm I ran ipa-replica-prepare and transfered the file to the
future replica ipa Then I ran the install replica script ipa-replica-install
--setup-ca /home/svradm/replica-info-ipa.cs.oberlin.edu.gpg
Things went well until it failed

[24/35]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 133 seconds elapsed
Update in progress yet not in progress

Update in progress yet not in progress

Update in progress yet not in progress

[idm.cs.oberlin.edu] reports: Update failed! Status: [10 Total update
abortedLDAP error: Referral]

[error] RuntimeError: Failed to start replication

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Please help I'm getting nowhere by myself.

Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

Maybe you will see messages like ns-slapd: encoded packet size too big (xx

65536) that are know to pop up more with CentOS 6.6.

Hi Martin,
Thanks for the reply and help I appreciate it.


Good. Also note that we RHEL/CentOS 7.1 will have FreeIPA 4.0+ version baked
in, so you can also use that platform if you are used to it.

Good to know. I try to be distro agnostic. I've used Redhat 7.1 then went
Solaris, then Ubuntu, Now I'm back for Centos and Fedora. I guess I'm equally
uncomfortable with either version.

That Said. Is there any reason that I could or should not have a replica on a
Fedora 21 server and 2nd replica on a Centos 7.1 later? My understanding is the
more the merrier.

It should just work. Just note that in case of Fedora Server, these are
upstream/Fedora bits which are only tested upstream. So if you for example
break something in Fedora 21 (not likely to happen though ;-) and then get the
change *replicated* to RHEL production instance, I do not think Red Hat support
would be happy with that.

Also, if for example upstream releases FreeIPA 4.2, I would not just plug it in
your production RHEL instance is it would upgrade all the data for 4.2 level -
which should get more downstream testing before Red Hat can rubber stamp it.

TLDR; if you are happy with the upstream level of support (this list/IRC/Trac),
knock yourself out :-)


Can you please look on the master you are replicating from and look for errors
in /var/log/messages or DS errors log?

I tried to setup the replica again just now so I have some fresh logs.

 From the Dirserv error log
[08/Feb/2015:22:14:48 -0500] - 389-Directory/1.2.11.15 B2014.314.1342 starting 
up
[08/Feb/2015:22:14:48 -0500] schema-compat-plugin - warning: no entries set up
under cn=computers, cn=compat,dc=cs,dc=oberlin,dc=edu
[08/Feb/2015:22:14:50 -0500] - slapd started.  Listening on All Interfaces port
389 for LDAP requests
[08/Feb/2015:22:14:50 -0500] - Listening on All Interfaces port 636 for LDAPS
requests
[08/Feb/2015:22:14:50 -0500] - Listening on
/var/run/slapd-CS-OBERLIN-EDU.socket for LDAPI requests
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin -
agmt=cn=meToipa.cs.oberlin.edu (ipa:389): Schema replication update failed:
Server is unwilling to perform
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Warning: unable to
replicate schema to host ipa.cs.oberlin.edu, port 389. Continuing with total
update session.
[09/Feb/2015:10:40:30 -0500] NSMMReplicationPlugin - Beginning total update of
replica agmt=cn=meToipa.cs.oberlin.edu (ipa:389)

To be fair and not duplicate efforts I have had the following error
[08/Feb/2015:08:51:26 -0500] - WARNING: userRoot: entry cache size 10485760B is
less than db size 12115968B; We recommend to increase the
entry cache size nsslapd-cachememsize.

To which I have asked another question how do I change the entry cache size
https://www.redhat.com/archives/freeipa-users/2015-February/msg00114.html
I now get additional errors which I would guess are possibly related.

IMO, they this should not be related (should not break replication). I do not
see anything useful in the error log though. Did you also check
/var/log/messages for the errors log 

Re: [Freeipa-users] User certificates with FreeIPA and another question.

[Christopher Young]

Would anyone happen to have any guides on how one could get through this
process?  I'm a one-man IT shop at the moment, so I'm building up a
tremendous amount of infrastructure at once.  I'm thinking that the option
of creating a subCA with something simple like openssl would be the best
option, but figuring out that process in a minimal amount of time is going
to be tough.

I'm going to try and give myself some reading assignments and push that
forward, but if anyone happens to have a good handle on that
process/commands/etc. and would be interesting in double a couple of hours
of consulting to me, I would be very interested in listening provided we
could come up with a reasonable rate/timeframe.  If anyone is interested,
please contact me directly off-list.

Thanks again.  These answers/ideas have been most helpful.

On Fri, Feb 6, 2015 at 9:30 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/06/2015 12:53 AM, Christopher Young wrote:
  Obvious next question:  Any plans to implement that functionality or
 advice
  on how one might get some level of functionality for this?  Would it be
  possible to create another command-line based openssl CA that could issue
  these but using IPA as the root CA for those?

 As for FreeIPA plans, we plan to vastly improve our flexibility to process
 certificates in next upstream version - FreeIPA 4.2. In next version, one
 should be able to create other certificate profiles (from FreeIPA default
 service cert profile) or even subCAs to do what you want.

 As for current workarounds, you would have to issue and sign a for example
 NSS
 or openssl based subCA and then sign user certs there. But I would leave
 Fraser
 or Jan to tell if this would be really possible.

  I'm just trying to provide a solution for situations where we would like
 to
  utilize client/user cert authentication for situations like secure apache
  directory access as well as user VPN certificates.  Any advise or ideas
 are
  great appreciated.
 
  Thanks again!
 
  On Thu, Feb 5, 2015 at 4:09 PM, Rob Crittenden rcrit...@redhat.com
 wrote:
 
  Christopher Young wrote:
  Some of this might be rudimentary, so I apologize if this is answered
  somewhere, though I've tried to search and have not had much luck...
 
  Basically,  I would like to be able to issue user certificates
 (Subject:
  email=sblblabla@blabla.local) in order to use client SSL security on
  some things.  I'm very new to FreeIPA, but have worked with external
 CAs
  in the past for similar requests, however this is my first entry into
  creating/running a localized CA within an organization.
 
  IPA doesn't issue user certificates yet, only server certificates.
 
  I was wondering if this is possible via the command line, and if so,
 how
  to go about submitting the request and receiving the certificate.  Any
  guidance or assistance would be greatly appreciated!
 
 
  Additionally, just as a matter of cleanliness, is there any way
 possible
  to just completely wipe out the existence of a certificate/request from
  FreeIPA.  I have done some trial-and-error and obviously have made
  mistakes that I'd prefer to clean up after.  I've revoked those certs,
  however the perfectionist in me hates seeing them there.  I'm quite
  certain the answer is 'no', but I thought I would ask anyway.
 
  Right, the answer is no. In fact it is a good thing that all
  certificates are accounted for.
 
  rob
 
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] Heads up - FC20 softhsm -2.0.0b1-8 rpm from mkosek/freeipa copr appears to be broken

[Michael Lasevich]

To save a day of torture to those of you still on FC20 and using
mkosek-freeipa copr repo - it appears that the package (
http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/fedora-20-x86_64/softhsm-2.0.0b1-8.fc20/softhsm-2.0.0b1-8.fc20.x86_64.rpm)
is somehow broken.

Once installed, you get Error: Could not load the library. no matter what
you do with softhsm2-utll. You will also not going to be able to
start/restart the ipa service because DNS is not functional.

I have rebuilt the rpm from the source rpm and things seem to be working.

Hope this helps someone to not have a day of hair pulling. You have been
warned :-)

-M
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How do I modify the entry cache size?

[Rob Crittenden]

Rich Megginson wrote:
 On 02/09/2015 12:13 PM, Chris Mohler wrote:
 On 02/09/2015 11:19 AM, Rich Megginson wrote:
 On 02/09/2015 08:26 AM, Chris Mohler wrote:
 On 02/09/2015 09:48 AM, Rich Megginson wrote:
 On 02/08/2015 08:23 PM, Chris Mohler wrote:
 Thanks for the reply and the link Rich!

 dbmon.sh is a handy tool indeed.

 I read the instructions and upped my entry cache size to 2gb
 because I have enough ram.
 Everything went well until
 |service dirsrv restart

 |
 |I Got the following errors:
 [06/Feb/2015:10:07:35 -0500] - slapd stopped.
 [06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY 
 matching rule [caseIgnoreIA5Match] is not compatible with the syntax 
 [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
 [06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR 
 matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the 
 syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
 [06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15 
 http://1.2.11.15 B2014.314.1342 starting up
 [06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All 
 Interfaces port 7389 for LDAP requests
 [06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for 
 LDAPS requests

 |
 |Oddly enough everything appears to be working. Are these messages safe 
 to ignore?
 |

 This is definitely not related to the cache size.

 |Not sure what the problem is - looks like something has done an
 override of the standard schema definition of dc. 
 http://tools.ietf.org/html/rfc4519 defines it with syntax
 1.3.6.1.4.1.1466.115.121.1.26.

 rpm -q 389-ds-base

 find /etc/dirsrv -name \*.ldif -exec grep
 0.9.2342.19200300.100.1.25 {} /dev/null \;


 |
 |Another run of dbmon.sh shows that my entry cache was increased. 

 |||
 |Thanks,
 |
 |-Chris
 |
 |
 |


 On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson
 rmegg...@redhat.com mailto:rmegg...@redhat.com wrote:

 On 02/07/2015 11:25 AM, Chris Mohler wrote:
 Hi Everyone. I'm trying to troubleshoot some issues I'm having. I 
 want to increase the entry cache size
 I'm trying to follow the directions here
 /usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 
 389 

 dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
 changetype: modify
 replace: nsslapd-cachememsize
 nsslapd-cachememsize: 20971520

 Is this the correct way to do this? How do I find out what the 
 cn=/|database_name is supposed to be?
 |/

 |/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
 script will tell you what the names of your databases are.
 /|
 |/
 /|Thanks,
 |/
 /|-Chris
 |/




 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project





 Thanks again Rich,
 I have been having an abundance of issues with my FreeIPA server
 lately. I'm not surprised that error is not related. I was not sure
 as It has not surfaced in my logs before I changed the entry cache
 size. Possibly this will be the clue to get me on the road to recovery.
  
 |Not sure what the problem is - looks like something has done an
 override of the standard schema definition of dc. 
 http://tools.ietf.org/html/rfc4519 defines it with syntax
 1.3.6.1.4.1.1466.115.121.1.26.|
 I migrated from OpenLdap about a year ago. So my install is a
 migration. I also recently tried to add a replica. Which prompted me
 to update the schema on the master before it would replicate.

 What exactly did you do?  You should not have migrated the standard
 schema from openldap.  Did you have to override the definition of
 'dc' for some reason?


 |rpm -q 389-ds-base|
 |389-ds-base-1.2.11.15-48.el6_6.x86_64

 |
 |find /etc/dirsrv -name \*.ldif -exec grep
 0.9.2342.19200300.100.1.25 {} /dev/null \;|
 |
 |/etc/dirsrv/slapd-PKI-IPA/schema.bak/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-PKI-IPA/schema/00core.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
 /etc/dirsrv/slapd-PKI-IPA/schema/05rfc2247.ldif:attributeTypes: (
 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC
 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR
 caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
 SINGLE-VALUE X-ORIGIN 'RFC 2247' )

 This definition is wrong.  Both RFC 2247 and RFC 4519 define 'dc' as
 syntax 1.3.6.1.4.1.1466.115.121.1.26 - that is, 7-bit ASCII only.  Do
 you have some application that requires 8-bit or unicode characters
 (syntax 1.3.6.1.4.1.1466.115.121.1.15) in domain component names?  If
 it is absolutely required that dc accepts unicode, then you'll have
 to change the matching rules as well, to be unicode compatible:
 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch - that is,
 just get rid of the IA5.


 

Re: [Freeipa-users] Real-time replication status (RFE)?

[Innes, Duncan]

For sure Rob.  It's a dirty hack to get the information that we
desperately needed at one point.

We had a pretty severe issue with our IPA servers a while back which was
eventually solved by reinstalling all but the initial IPA server,
deleting the old replication agreements and building the new ones back
up.  This page was of high value at that time.  It's still useful for an
occasional check of the status.

D

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: 06 February 2015 14:06
To: Innes, Duncan; Baird, Josh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

Innes, Duncan wrote:
 Check:
 
 https://gist.github.com/duncaninnes/c91985822be9782df581
 
 which contains 2 scripts based on:
 
 http://directory.fedoraproject.org/docs/389ds/howto/howto-replicationm
 on
 itoring.html
 
 I just expanded it to cope with a list of servers, then version 2 
 sorts by last end, last start, hostname.  This version allows me to 
 see more clearly if a certain replication is out of date.  Could have 
 done a sort by column and added a refresh button, or automatic 
 refresh, but that wasn't the immediate aim.  Since then it's just 
 stuck, so could do with some love from any suitably minded persons.  
 It also doesn't gracefully handle situations where one server in the 
 list is offline, or taking too long to respond.
 
 Both scripts are put in /var/www/cgi-bin on one of my IPA servers, and

 accessed via:
 
 https://ipa01.example.com/cgi-bin/monitor2.pl
 
 for example.  Not sure if I modified the httpd configs - it's a while 
 ago that I sorted it out.
 
 HTH
 
 Duncan

We try to avoid using Directory Manager as much as possible which is one
of the reasons we haven't done something like this already. I'd
definitely recommend using startTLS for your bind, at a minimum.

The issue starts with the fact that we don't have a hostgroup consisting
of all IPA masters maintained automatically so there is no easy way to
do delegation. You could do this manually if you wanted though,
something like:

# ipa hostgroup-add ipamasters --desc='Manual list of IPA masters'
# ipa hostgroup-add-member --hosts=ipa1.example.com ipamasters # ipa
hostgroup-add-member --hosts=ipa2.example.com ipamasters

Now create a role that with a privilege to be able to read replication
agreements (and add and delete them too, so be aware).

# ipa role-add ipamasters --desc='IPA Masters'
# ipa role-add-privilege --privileges='Replication Administrators'
ipamasters
# ipa role-add-member --hostgroup=ipamasters ipamasters

You can test this with:

# kinit -kt /etc/krb5.keytab
# ldapsearch -Y GSSAPI -b 'cn=mapping tree,cn=config'
'(objectclass=nsDS5ReplicationAgreement)'

You'd just need to the ipamasters hostgroup up-to-date, and considering
that this list probably stabilizes over time, shouldn't be a ton of
effort.

rob

 -Original Message-
 From: Baird, Josh [mailto:jba...@follett.com]
 Sent: 05 February 2015 17:08
 To: Innes, Duncan; Rob Crittenden; freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Real-time replication status (RFE)?
 
 That would be great, thanks!
 
 Josh
 
 -Original Message-
 From: Innes, Duncan [mailto:duncan.in...@virginmoney.com]
 Sent: Thursday, February 05, 2015 11:34 AM
 To: Rob Crittenden; Baird, Josh; freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Real-time replication status (RFE)?

 The screen mockup in that ticket is based on a Perl script that I 
 stuck in cgi-bin to pull just those stats off each IPA server I have 
 and display them.  Can share the code if you're interested.

 D

 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
 Sent: 05 February 2015 14:19
 To: Baird, Josh; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Real-time replication status (RFE)?

 Baird, Josh wrote:
 Hi,

 I'm looking for an easy way to validate that all replication
 agreements are functioning correctly between all of my IPA masters 
 and
 
 replicas.  I am aware that I can run 'ipa-replica-manage list -v' 
 from
 
 each IPA master, but I was looking for something more centralized 
 that
 
 could give me a replication health report for all masters/replicas.
 Ideally, this type of feature would be exposed in the UI and would 
 also include information or insight into the status of any IPA - AD

 trust relationships.

 Am I missing a feature that already exists?  If not, is there
 something like this on the IPA roadmap?

 This is being tracked in https://fedorahosted.org/freeipa/ticket/4390

 It depends on some other work being done first.

 rob

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

 This message has been checked for viruses and spam by the Virgin 
 Money
 
 email scanning system powered by Messagelabs.

 This 

Re: [Freeipa-users] error install replication

[Martin Kosek]

Did you try the ssh admin@`hostname` command? It should show if ssh to admin
via SSSDFreeIPA really works.

On 02/09/2015 11:18 AM, alireza baghery wrote:
 account admin recognize and show uid gid and groups
 On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com wrote:
 
 Ok. When on the server, does

 # id admin

 or ssh admin@`hostname` work? Maybe it does not recognize the admin
 user.

 On 02/09/2015 09:29 AM, alireza baghery wrote:
 ipasrv# Service SSSD status
 sssd is runing
 nevertheless i restart service sssd
 but problem do not solved

 On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com wrote:

 On 02/09/2015 07:42 AM, alireza baghery wrote:
 i check on both server ssh each other's name and ssh successful and
 resolve
 name was also correct on each server
 but i can not login with user admin from ipareplica via ssh
 (root@ipareplica]#
 ssh admin@ipasrv === failed)

 [root@ipareplica ~]# ssh ipasrv
 root@ipasrv's password:
 Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
 =log /var/secure
 Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
 10.30.160.20 port 52110 ssh2
 Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
 opened
 for user root by (uid=0)
 =
 [root@ipasrv ~]# ssh ipareplica
 root@ipareplica's password:
 Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19

 ==
 [root@ipareplica ~]# nslookup ipasrv
 Server: 10.30.160.19
 Address:10.30.160.19#53

 Name:   ipasrv
 Address: 10.30.160.19

 
 [root@ipasrv ~]# nslookup ipareplica
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   ipareplica
 Address: 10.30.160.20
 =

 Ok, so ssh is running, you can log in with root. I think that by 99%
 chance,
 your SSSD service is not running on the IPA server. Please check if this
 is the
 case and if yes, please try to (re)start it. If that helped, it would be
 also
 useful to see *why* the SSSD is not running (crash, misconfiguration,
 ...)

 Martin






 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[alireza baghery]

yes try ssh admin@hostname but do not work
log secure-

Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20  user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access denied
for user admin: 6 (Permission denied)
Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from
10.30.160.20 port 52123 ssh2
Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user admin by
PAM account configuration


On Mon, Feb 9, 2015 at 3:20 PM, Martin Kosek mko...@redhat.com wrote:

 Did you try the ssh admin@`hostname` command? It should show if ssh to
 admin
 via SSSDFreeIPA really works.

 On 02/09/2015 11:18 AM, alireza baghery wrote:
  account admin recognize and show uid gid and groups
  On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com wrote:
 
  Ok. When on the server, does
 
  # id admin
 
  or ssh admin@`hostname` work? Maybe it does not recognize the admin
  user.
 
  On 02/09/2015 09:29 AM, alireza baghery wrote:
  ipasrv# Service SSSD status
  sssd is runing
  nevertheless i restart service sssd
  but problem do not solved
 
  On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com
 wrote:
 
  On 02/09/2015 07:42 AM, alireza baghery wrote:
  i check on both server ssh each other's name and ssh successful and
  resolve
  name was also correct on each server
  but i can not login with user admin from ipareplica via ssh
  (root@ipareplica]#
  ssh admin@ipasrv === failed)
 
  [root@ipareplica ~]# ssh ipasrv
  root@ipasrv's password:
  Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
  =log /var/secure
  Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
  10.30.160.20 port 52110 ssh2
  Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
  opened
  for user root by (uid=0)
  =
  [root@ipasrv ~]# ssh ipareplica
  root@ipareplica's password:
  Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19
 
  ==
  [root@ipareplica ~]# nslookup ipasrv
  Server: 10.30.160.19
  Address:10.30.160.19#53
 
  Name:   ipasrv
  Address: 10.30.160.19
 
  
  [root@ipasrv ~]# nslookup ipareplica
  Server: 127.0.0.1
  Address:127.0.0.1#53
 
  Name:   ipareplica
  Address: 10.30.160.20
  =
 
  Ok, so ssh is running, you can log in with root. I think that by 99%
  chance,
  your SSSD service is not running on the IPA server. Please check if
 this
  is the
  case and if yes, please try to (re)start it. If that helped, it would
 be
  also
  useful to see *why* the SSSD is not running (crash, misconfiguration,
  ...)
 
  Martin
 
 
 
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[alireza baghery]

account admin recognize and show uid gid and groups
On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com wrote:

 Ok. When on the server, does

 # id admin

 or ssh admin@`hostname` work? Maybe it does not recognize the admin
 user.

 On 02/09/2015 09:29 AM, alireza baghery wrote:
  ipasrv# Service SSSD status
  sssd is runing
  nevertheless i restart service sssd
  but problem do not solved
 
  On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com wrote:
 
  On 02/09/2015 07:42 AM, alireza baghery wrote:
  i check on both server ssh each other's name and ssh successful and
  resolve
  name was also correct on each server
  but i can not login with user admin from ipareplica via ssh
  (root@ipareplica]#
  ssh admin@ipasrv === failed)
 
  [root@ipareplica ~]# ssh ipasrv
  root@ipasrv's password:
  Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
  =log /var/secure
  Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
  10.30.160.20 port 52110 ssh2
  Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
  opened
  for user root by (uid=0)
  =
  [root@ipasrv ~]# ssh ipareplica
  root@ipareplica's password:
  Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19
 
  ==
  [root@ipareplica ~]# nslookup ipasrv
  Server: 10.30.160.19
  Address:10.30.160.19#53
 
  Name:   ipasrv
  Address: 10.30.160.19
 
  
  [root@ipasrv ~]# nslookup ipareplica
  Server: 127.0.0.1
  Address:127.0.0.1#53
 
  Name:   ipareplica
  Address: 10.30.160.20
  =
 
  Ok, so ssh is running, you can log in with root. I think that by 99%
  chance,
  your SSSD service is not running on the IPA server. Please check if this
  is the
  case and if yes, please try to (re)start it. If that helped, it would be
  also
  useful to see *why* the SSSD is not running (crash, misconfiguration,
 ...)
 
  Martin
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[Martin Kosek]

Ok. When on the server, does

# id admin

or ssh admin@`hostname` work? Maybe it does not recognize the admin user.

On 02/09/2015 09:29 AM, alireza baghery wrote:
 ipasrv# Service SSSD status
 sssd is runing
 nevertheless i restart service sssd
 but problem do not solved
 
 On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 02/09/2015 07:42 AM, alireza baghery wrote:
 i check on both server ssh each other's name and ssh successful and
 resolve
 name was also correct on each server
 but i can not login with user admin from ipareplica via ssh
 (root@ipareplica]#
 ssh admin@ipasrv === failed)

 [root@ipareplica ~]# ssh ipasrv
 root@ipasrv's password:
 Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
 =log /var/secure
 Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for root from
 10.30.160.20 port 52110 ssh2
 Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session): session
 opened
 for user root by (uid=0)
 =
 [root@ipasrv ~]# ssh ipareplica
 root@ipareplica's password:
 Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19

 ==
 [root@ipareplica ~]# nslookup ipasrv
 Server: 10.30.160.19
 Address:10.30.160.19#53

 Name:   ipasrv
 Address: 10.30.160.19

 
 [root@ipasrv ~]# nslookup ipareplica
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   ipareplica
 Address: 10.30.160.20
 =

 Ok, so ssh is running, you can log in with root. I think that by 99%
 chance,
 your SSSD service is not running on the IPA server. Please check if this
 is the
 case and if yes, please try to (re)start it. If that helped, it would be
 also
 useful to see *why* the SSSD is not running (crash, misconfiguration, ...)

 Martin

 
 
 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] How do I modify the entry cache size?

[Rich Megginson]

On 02/09/2015 12:13 PM, Chris Mohler wrote:

On 02/09/2015 11:19 AM, Rich Megginson wrote:

On 02/09/2015 08:26 AM, Chris Mohler wrote:

On 02/09/2015 09:48 AM, Rich Megginson wrote:

On 02/08/2015 08:23 PM, Chris Mohler wrote:

Thanks for the reply and the link Rich!

dbmon.sh is a handy tool indeed.

I read the instructions and upped my entry cache size to 2gb 
because I have enough ram.

Everything went well until
|service dirsrv restart

|
|I Got the following errors:
[06/Feb/2015:10:07:35 -0500] - slapd stopped.
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the EQUALITY matching 
rule [caseIgnoreIA5Match] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] attr_syntax_create - Error: the SUBSTR matching 
rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax 
[1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[06/Feb/2015:10:07:37 -0500] - 389-Directory/1.2.11.15  http://1.2.11.15  
B2014.314.1342 starting up
[06/Feb/2015:10:07:37 -0500] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[06/Feb/2015:10:07:37 -0500] - Listening on All Interfaces port 7390 for LDAPS 
requests

|
|Oddly enough everything appears to be working. Are these messages safe to 
ignore?
|


This is definitely not related to the cache size.

|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.


rpm -q 389-ds-base

find /etc/dirsrv -name \*.ldif -exec grep 
0.9.2342.19200300.100.1.25 {} /dev/null \;



|

|Another run of dbmon.sh shows that my entry cache was increased.

|||
|Thanks,
|
|-Chris
|
|
|


On Sun, Feb 8, 2015 at 5:58 PM, Rich Megginson 
rmegg...@redhat.com mailto:rmegg...@redhat.com wrote:


On 02/07/2015 11:25 AM, Chris Mohler wrote:

Hi Everyone. I'm trying to troubleshoot some issues I'm having. I want to 
increase the entry cache size
I'm trying to follow the directions here
/usr/lib/mozldap/ldapmodify -D cn=directory manager -w secret -p 389

dn: cn=/|database_name|/, cn=ldbm database, cn=plugins, cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 20971520

Is this the correct way to do this? How do I find out what the 
cn=/|database_name is supposed to be?
|/


|/see /|https://github.com/richm/scripts/wiki/dbmon.sh - the
script will tell you what the names of your databases are.

/|
|/
/|Thanks,
|/
/|-Chris
|/





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project







Thanks again Rich,
I have been having an abundance of issues with my FreeIPA server 
lately. I'm not surprised that error is not related. I was not sure 
as It has not surfaced in my logs before I changed the entry cache 
size. Possibly this will be the clue to get me on the road to recovery.
|Not sure what the problem is - looks like something has done an 
override of the standard schema definition of dc. 
http://tools.ietf.org/html/rfc4519 defines it with syntax 
1.3.6.1.4.1.1466.115.121.1.26.|
I migrated from OpenLdap about a year ago. So my install is a 
migration. I also recently tried to add a replica. Which prompted me 
to update the schema on the master before it would replicate.


What exactly did you do?  You should not have migrated the standard 
schema from openldap.  Did you have to override the definition of 
'dc' for some reason?





|rpm -q 389-ds-base|

|389-ds-base-1.2.11.15-48.el6_6.x86_64

|
|find /etc/dirsrv -name \*.ldif -exec grep 
0.9.2342.19200300.100.1.25 {} /dev/null \;|

|
|/etc/dirsrv/slapd-PKI-IPA/schema.bak/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/slapd-PKI-IPA/schema/05rfc2247.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) DESC 
'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR 
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
SINGLE-VALUE X-ORIGIN 'RFC 2247' )


This definition is wrong.  Both RFC 2247 and RFC 4519 define 'dc' as 
syntax 1.3.6.1.4.1.1466.115.121.1.26 - that is, 7-bit ASCII only.  Do 
you have some application that requires 8-bit or unicode characters 
(syntax 1.3.6.1.4.1.1466.115.121.1.15) in domain component names?  If 
it is absolutely required that dc accepts unicode, then you'll have 
to change the matching rules as well, to be unicode compatible: 
EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch - that is, 
just get rid of the IA5.



/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 
0.9.2342.19200300.100.1.25 NAME ( 

[Freeipa-users] admin password is always expired

[Roderick Johnstone]

Hi

I seem to have locked myself out of my ipa admin account (on RHEL 6.6). 
This is an evaluation instance so not too big a deal, but a good 
learning experience. I suspect its some changes that I made to the 
password policy that caused this.


The admin account has expired and I'm trying to reset the password like 
this:


# kadmin.local
Authenticating as principal root/admin@REALM with password.
kadmin.local:  change_password admin@REALM
Enter password for principal admin@REALM:
Re-enter password for principal admin@REALM:
Password for admin@REALM changed.
kadmin.local:  q

where REALM is my realm.

Then when I try to authenticate as admin:

# kinit admin
Password for admin@REALM:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password has expired while getting initial credentials

and the password is not reset.

This is what the password policy looks like at the moment:

kadmin.local:  get_policy global_policy
Policy: global_policy
Maximum password life: 86400
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 0
Number of old keys kept: 0
Reference count: 0
Maximum password failures before lockout: 6
Password failure count reset interval: 0 days 00:01:00
Password lockout duration: 0 days 00:10:00

I'm trying to set this back to the defaults in the hope that this allows 
me to reset the admin password properly, but I'm getting eg:


kadmin.local:  modify_policy -maxlife 90 days global_policy
modify_policy: Plugin does not support the operation while modifying 
policy global_policy.


Am I on the right track to fixing the admin password problem?

What am I doing wrong in trying to repair the password policy?

Actually when I do the following it looks strange that Policy is set to 
none, but maybe this is a red herring:


kadmin.local:  get_principal admin
Principal: admin@REALM
Expiration date: [never]
Last password change: Mon Feb 09 18:28:09 GMT 2015
Password expiration date: Tue May 22 11:59:53 GMT 1906
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Feb 09 18:28:09 GMT 2015 (kadmind@REALM)
Last successful authentication: Mon Feb 09 18:27:00 GMT 2015
Last failed authentication: Mon Feb 09 18:25:24 GMT 2015
Failed password attempts: 0
Number of keys: 4
Key: vno 16, aes256-cts-hmac-sha1-96, Version 5
Key: vno 16, aes128-cts-hmac-sha1-96, Version 5
Key: vno 16, des3-cbc-sha1, Version 5
Key: vno 16, arcfour-hmac, Version 5
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


Thanks for any help in diagnosing this issue or fixing it.

Roderick Johnstone

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[Dmitri Pal]

On 02/09/2015 08:34 AM, alireza baghery wrote:

yes try ssh admin@hostname but do not work
log secure-

Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=10.30.160.20  user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication 
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20 
user=admin
Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access 
denied for user admin: 6 (Permission denied)
Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from 
10.30.160.20 port 52123 ssh2
Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user 
admin by PAM account configuration




Do you have HBAC rules? Does admin have the rights to log via SSH?
If you changed the default rules it might be that admin is not allowed 
to log via ssh.




On Mon, Feb 9, 2015 at 3:20 PM, Martin Kosek mko...@redhat.com 
mailto:mko...@redhat.com wrote:


Did you try the ssh admin@`hostname` command? It should show if
ssh to admin
via SSSDFreeIPA really works.

On 02/09/2015 11:18 AM, alireza baghery wrote:
 account admin recognize and show uid gid and groups
 On Feb 9, 2015 1:42 PM, Martin Kosek mko...@redhat.com
mailto:mko...@redhat.com wrote:

 Ok. When on the server, does

 # id admin

 or ssh admin@`hostname` work? Maybe it does not recognize the
admin
 user.

 On 02/09/2015 09:29 AM, alireza baghery wrote:
 ipasrv# Service SSSD status
 sssd is runing
 nevertheless i restart service sssd
 but problem do not solved

 On Mon, Feb 9, 2015 at 11:19 AM, Martin Kosek
mko...@redhat.com mailto:mko...@redhat.com wrote:

 On 02/09/2015 07:42 AM, alireza baghery wrote:
 i check on both server ssh each other's name and ssh
successful and
 resolve
 name was also correct on each server
 but i can not login with user admin from ipareplica via ssh
 (root@ipareplica]#
 ssh admin@ipasrv === failed)

 [root@ipareplica ~]# ssh ipasrv
 root@ipasrv's password:
 Last login: Mon Feb  9 09:49:54 2015 from 10.30.160.20
 =log /var/secure
 Feb  9 09:50:29 ipasrv sshd[12076]: Accepted password for
root from
 10.30.160.20 port 52110 ssh2
 Feb  9 09:50:29 ipasrv sshd[12076]: pam_unix(sshd:session):
session
 opened
 for user root by (uid=0)
 =
 [root@ipasrv ~]# ssh ipareplica
 root@ipareplica's password:
 Last login: Mon Feb  9 09:50:20 2015 from 10.30.160.19

 ==
 [root@ipareplica ~]# nslookup ipasrv
 Server: 10.30.160.19
 Address:10.30.160.19#53

 Name:   ipasrv
 Address: 10.30.160.19

 
 [root@ipasrv ~]# nslookup ipareplica
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   ipareplica
 Address: 10.30.160.20
 =

 Ok, so ssh is running, you can log in with root. I think that
by 99%
 chance,
 your SSSD service is not running on the IPA server. Please
check if this
 is the
 case and if yes, please try to (re)start it. If that helped,
it would be
 also
 useful to see *why* the SSSD is not running (crash,
misconfiguration,
 ...)

 Martin














--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] error install replication

[alireza baghery]

thanks

On Mon, Feb 9, 2015 at 6:42 PM, Martin Kosek mko...@redhat.com wrote:

 On 02/09/2015 03:31 PM, Dmitri Pal wrote:
  On 02/09/2015 08:34 AM, alireza baghery wrote:
  yes try ssh admin@hostname but do not work
  log secure-
 
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_unix(sshd:auth): authentication
  failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20
 user=admin
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:auth): authentication
  success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.30.160.20
 user=admin
  Feb  9 15:42:20 ipasrv sshd[13414]: pam_sss(sshd:account): Access
 denied for
  user admin: 6 (Permission denied)
  Feb  9 15:42:20 ipasrv sshd[13414]: Failed password for admin from
  10.30.160.20 port 52123 ssh2
  Feb  9 15:42:20 ipasrv sshd[13415]: fatal: Access denied for user admin
 by
  PAM account configuration
 
 
  Do you have HBAC rules? Does admin have the rights to log via SSH?
  If you changed the default rules it might be that admin is not allowed
 to log
  via ssh.

 Good questions. Also note, that if for some special reasons, you do not
 want to
 make admins log in to your FreeIPA servers, you can always pass
 --skip-conncheck to the replica and go straight to the installation,
 skipping
 the firewall check.

 Of course, no guarantees that the installation won't get stuck or crash
 because
 of closed ports in that case.

 Martin

 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project