[Freeipa-users] Error Starting IPA after crash
Hello,

I had a crash due to full disks. I cleared the offending directory (backups and such). But I cannot start IPA. I drilled it down to the DirSrv not starting. Isolating the error, I tried just starting the dirsrv:

    service dirsrv start

But I'm seeing this in the logs:

    [30/Jan/2013:13:51:40 -0800] - 389-Directory/1.2.10.2 B2012.194.51 starting up
    [30/Jan/2013:13:51:40 -0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
    [30/Jan/2013:14:06:06 -0800] - Unable to start slapd because it is already running as process 1543
    [30/Jan/2013:14:06:06 -0800] - Shutting down due to possible conflicts with other slapd processes
    [30/Jan/2013:14:08:15 -0800] - Unable to start slapd because it is already running as process 1543
    [30/Jan/2013:14:08:15 -0800] - Shutting down due to possible conflicts with other slapd processes
    [30/Jan/2013:14:14:05 -0800] - 389-Directory/1.2.10.2 B2012.194.51 starting up
    [30/Jan/2013:14:14:05 -0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
    [30/Jan/2013:14:14:05 -0800] - libdb: unable to join the environment

I have a replica that is running; so the heat is off - but is there any way to get this started?

Thank you,
Christian Hernandez

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Error Starting IPA after crash
Rich,

Correct, running 6.3

    [r...@ipa1.gln.4over.com db]# ps -ef|grep slapd
    dirsrv    4899     1  7 14:25 ?        00:05:34 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-4OVER-COM -i /var/run/dirsrv/slapd-4OVER-COM.pid -w /var/run/dirsrv/slapd-4OVER-COM.startpid
    root     30545  3522  0 15:41 pts/1    00:00:00 grep slapd

The output of the ls command is HUGE with... here is a suppressed output:

    [r...@ipa1.gln.4over.com db]# ls -al /var/lib/dirsrv/slapd-4OVER-COM/db/ | head -25
    total 1465384
    drwxrwx--- 3 dirsrv dirsrv    73728 Jan 30 15:44 .
    drwxrwx--- 6 dirsrv dirsrv     4096 Jan 14 16:52 ..
    -rw------- 1 dirsrv dirsrv    24576 Jan 30 15:42 __db.001
    -rw------- 1 dirsrv dirsrv  1728512 Jan 30 15:44 __db.002
    -rw------- 1 dirsrv dirsrv 10002432 Jan 30 15:44 __db.003
    -rw------- 1 dirsrv dirsrv  1081344 Jan 30 15:44 __db.004
    -rw------- 1 dirsrv dirsrv  8126464 Jan 30 15:44 __db.005
    -rw------- 1 dirsrv dirsrv    90112 Jan 30 15:44 __db.006
    -rw------- 1 dirsrv dirsrv       49 Jan 30 15:42 DBVERSION
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309284
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309285
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309286
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309287
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309288
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309289
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309290
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309291
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309292
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309293
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309294
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309295
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309296
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309297
    -rw------- 1 dirsrv dirsrv 10485760 Jan 30 15:43 log.309298

I increased the timeout in the /etc/init.d/dirsrv to about 6 to see if it will try and recover.

Is there hope to recover this? Or should I just re-install the server and make it a replica (this used to be my master, i.e. it was the first IPA server installed in our 3 server setup)?

Thank you,
Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christi...@4over.com
www.4over.com

On Wed, Jan 30, 2013 at 3:36 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/30/2013 03:41 PM, Christian Hernandez wrote:
>> I have a replica that is running; so the heat is off - but is there any way to get this started?
>
> I'm assuming you are running on EL6.3?
>
>     ps -ef|grep slapd
>     ls -al /var/lib/dirsrv/slapd-INST/db
Re: [Freeipa-users] Error Starting IPA after crash
Just to update... I let the logs be read and now I can start IPA without a problem!

Thanks for the help! :)

Thank you,
Christian Hernandez

On Wed, Jan 30, 2013 at 4:01 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 01/30/2013 04:46 PM, Christian Hernandez wrote:
>> I increased the timeout in the /etc/init.d/dirsrv to about 6 to see if it will try and recover.
>
> Sounds good. If you have that many log files, it may take a while to recover.
>
>> Is there hope to recover this? Or should I just re-install the server and make it a replica (this used to be my master, i.e. it was the first IPA server installed in our 3 server setup)?
>
> Try the increased timeout.
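The three messages in this thread's errors-log excerpt (disorderly shutdown with recovery in progress, "already running as process N", and "libdb: unable to join the environment") each call for a different operator response, and the thread's resolution was simply to let the recovery finish. The script below is an added example, not code from the thread, from 389-ds or from FreeIPA: it classifies errors-log lines with a small rule table (the advice strings are this example's reading of the thread, not 389-ds documentation), extracts the pid that a start attempt reports as conflicting, and probes whether that pid is actually alive with `os.kill(pid, 0)`, which distinguishes a genuine running slapd from a stale pidfile. The sample log is a constructed copy of the lines quoted in the thread.

```python
"""Triage helper for 389 Directory Server errors-log lines after an unclean
shutdown. Added example, not code from the thread, 389-ds or FreeIPA."""
import os
import re
from collections import Counter

# Constructed sample: the errors-log excerpt quoted in the thread.
SAMPLE_LOG = """\
[30/Jan/2013:13:51:40 -0800] - 389-Directory/1.2.10.2 B2012.194.51 starting up
[30/Jan/2013:13:51:40 -0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[30/Jan/2013:14:06:06 -0800] - Unable to start slapd because it is already running as process 1543
[30/Jan/2013:14:06:06 -0800] - Shutting down due to possible conflicts with other slapd processes
[30/Jan/2013:14:08:15 -0800] - Unable to start slapd because it is already running as process 1543
[30/Jan/2013:14:08:15 -0800] - Shutting down due to possible conflicts with other slapd processes
[30/Jan/2013:14:14:05 -0800] - 389-Directory/1.2.10.2 B2012.194.51 starting up
[30/Jan/2013:14:14:05 -0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[30/Jan/2013:14:14:05 -0800] - libdb: unable to join the environment
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")

# (category, pattern, next step). The advice is this example's summary of
# the thread's outcome, not 389-ds documentation.
RULES = [
    ("recovery", re.compile(r"Detected Disorderly Shutdown"),
     "libdb is replaying transaction logs; do not kill it, raise the init-script timeout"),
    ("pid_conflict", re.compile(r"already running as process (?P<pid>\d+)"),
     "a slapd with that pid (or a stale pidfile) holds the instance; check whether the pid is alive"),
    ("db_env_locked", re.compile(r"libdb: unable to join the environment"),
     "another process (usually the recovering slapd) owns the db environment; wait for it"),
]


def triage(log_text):
    """Parse errors-log lines into dicts: ts, category, pid (if any), advice, raw."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an errors-log line; skip rather than guess
        entry = {"ts": m["ts"], "category": "other", "pid": None, "advice": None, "raw": raw}
        for category, pattern, advice in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                entry["category"] = category
                entry["advice"] = advice
                entry["pid"] = int(hit.group("pid")) if "pid" in hit.groupdict() else None
                break
        findings.append(entry)
    return findings


def summarize(log_text):
    """Count findings per category, e.g. {'recovery': 2, 'pid_conflict': 2, ...}."""
    return Counter(f["category"] for f in triage(log_text))


def pid_alive(pid):
    """True if a process with this pid exists; signal 0 probes without delivering."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def conflicting_pids(log_text):
    """Distinct pids the log reports as already holding the instance -> alive?"""
    pids = sorted({f["pid"] for f in triage(log_text) if f["category"] == "pid_conflict"})
    return {pid: pid_alive(pid) for pid in pids}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["category"] != "other":
            print(f"{f['ts']}  {f['category']:<14} {f['advice']}")
    print(dict(summarize(SAMPLE_LOG)))
    print(conflicting_pids(SAMPLE_LOG))
```

Run on the thread's sample, the summary reports two recovery starts, two conflicts with pid 1543 and one locked environment; on a live host, `conflicting_pids` tells you whether 1543 is still the recovering slapd (leave it alone) or a dead pid left in the pidfile.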
Re: [Freeipa-users] Errors with Configuring GitHub
And to answer your questions Rich. GitHub was working with CDS 8.1.0

It looks like IPA is using 389:

    ns-slapd --version
    389 Project
    389-Directory/1.2.10.2 B2012.194.51

Thank you,
Christian Hernandez

On Fri, Feb 1, 2013 at 4:25 PM, Christian Hernandez christi...@4over.com wrote:

> Hello
>
> Attached is a TCPDUMP. Communication is happening between 192.168.114.95 and 192.168.114.114
>
> Thank you,
> Christian Hernandez
>
> On Fri, Feb 1, 2013 at 12:57 PM, Rich Megginson rmegg...@redhat.com wrote:
>
>> On 02/01/2013 01:42 PM, Christian Hernandez wrote:
>>> We are trying to configure our internal GitHub server to use our IPA server's LDAP for user logins. We successfully configured it; but users can't seem to login.
>>>
>>> So, before you ask, yes we do have an active support case with githubenterprise about this; but wanted to see if anyone else ran into the same issue.
>>>
>>> Attached is the screenshot of the config.
>>>
>>> These are the errors I'm seeing in the DirSrv logs:
>>>
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 fd=241 slot=241 connection from 192.168.114.95 to 192.168.114.114
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=4over,dc=com" method=128 version=3
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=4over,dc=com"
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 op=1 SRCH base="" scope=2 filter="(uid=chrish)", failed to decode LDAP controls
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 op=1 RESULT err=2 tag=101 nentries=0 etime=0
>>>     [25/Jan/2013:15:41:35 -0800] conn=29453 op=-1 fd=241 closed - B1
>>>
>>> Has anyone run into this?
>>
>> Looks like DS is receiving some LDAP controls that it doesn't know how to process. Does this work with any other LDAP server? Can you run wireshark/tshark and capture the network traffic? I'd like to see what the BER looks like.
>>
>>> Also, I haven't tried connecting with TLS because I don't know where to find the cert! So if someone can point me in the right direction there I would appreciate it :)
>>>
>>> Thank you,
>>> Christian Hernandez
Re: [Freeipa-users] Errors with Configuring GitHub
Will Do. I've also put an inquiry into GitHub enterprise to see if there is a way for GitHub not to pass a 0 length sequence. I will take a look at the CPannel to see if I can find something as well. I will update when I have a chance.

I couldn't file a ticket because I do not have a login... and I do not have a login because "We are not ready to accept contributions at this time".

Thank you,
Christian Hernandez

On Fri, Feb 1, 2013 at 4:42 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 02/01/2013 05:25 PM, Christian Hernandez wrote:
>> Hello
>>
>> Attached is a TCPDUMP. Communication is happening between 192.168.114.95 and 192.168.114.114
>
> Thanks. The problem is that 389 doesn't like the fact that the search request includes the control tag but the length is 0. You said you were using CDS 8.1 - if that was centos-ds running on EL5, that used mozldap for the ldap sdk. 389 now uses openldap for the ldap sdk. Looks like there is a slight difference between how mozldap and openldap handle this situation.
>
> Please file a ticket at https://fedorahosted.org/389/newticket
>
> In the meantime, is there some option in github server to either completely disable LDAP controls in the LDAP search request? Or, alternately, is there a way to add some control to the search request? The goal is to figure out some way to tell github not to pass in a 0 length LDAP control sequence.
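Rich's diagnosis above is that the SearchRequest carries the `controls [0]` element with a zero-byte length, which the openldap-based 389 reports as "failed to decode LDAP controls" with `err=2` (protocolError), while the older mozldap-based server let it through. The following is an added example, not code from 389-ds, OpenLDAP, mozldap or GitHub Enterprise: it builds three LDAPv3 SearchRequest messages that differ only in the controls element (absent, present-but-empty `A0 00`, and carrying one control), decodes them with a small BER walker that reports the three states separately, and models the strict and lenient server policies as a single function. The "strict" and "lenient" policies are this example's model of the behaviour the thread describes, not either server's actual code, and the paged-results OID is only an illustrative control.

```python
"""LDAP SearchRequest controls: absent vs zero-length vs populated.
Added example, not code from 389-ds, OpenLDAP, mozldap or GitHub Enterprise."""


def encode_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + encode_len(len(value)) + value


def integer(n):
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def search_request(msg_id, base, attr, value, controls=None):
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3], controls [0] OPTIONAL }.
    controls=None omits the element; [] emits it with zero length (A0 00)."""
    req = b"".join([
        tlv(0x04, base),                                  # baseObject
        tlv(0x0A, b"\x02"),                               # scope wholeSubtree (scope=2 in the log)
        tlv(0x0A, b"\x00"),                               # derefAliases neverDerefAliases
        integer(0), integer(0),                           # sizeLimit, timeLimit
        tlv(0x01, b"\x00"),                               # typesOnly FALSE
        tlv(0xA3, tlv(0x04, attr) + tlv(0x04, value)),    # equalityMatch filter
        tlv(0x30, b""),                                   # attributes: none requested
    ])
    msg = integer(msg_id) + tlv(0x63, req)
    if controls is not None:
        msg += tlv(0xA0, b"".join(tlv(0x30, tlv(0x04, oid.encode())) for oid in controls))
    return tlv(0x30, msg)


def read_tlv(buf, i):
    """Return (tag, value, next_index) for the element at buf[i]."""
    tag = buf[i]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag")
    first = buf[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    if j + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[j:j + length], j + length


def parse_message(buf):
    """Decode the envelope. 'controls' is None (absent), [] (present but
    zero-length) or a list of control OIDs."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, v, i = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    msg = {"message_id": int.from_bytes(v, "big", signed=True), "controls": None}
    msg["op_tag"], _, i = read_tlv(body, i)
    if i < len(body):
        tag, cv, i = read_tlv(body, i)
        if tag != 0xA0:
            raise ValueError("unexpected trailing element")
        oids, j = [], 0
        while j < len(cv):
            ctag, cval, j = read_tlv(cv, j)
            if ctag != 0x30:
                raise ValueError("Control must be a SEQUENCE")
            oids.append(read_tlv(cval, 0)[1].decode("ascii"))  # controlType LDAPOID
        msg["controls"] = oids
    return msg


def result_code(buf, strict=True):
    """0 = success, 2 = protocolError (the err=2 in the access log).
    strict models a server that rejects a present-but-empty controls element
    (assumption: the thread's description of 389 1.2.10); lenient treats it
    like an absent one (assumption: the older mozldap-based behaviour)."""
    controls = parse_message(buf)["controls"]
    return 2 if strict and controls == [] else 0


if __name__ == "__main__":
    for label, ctl in (("absent", None), ("empty", []), ("paged", ["1.2.840.113556.1.4.319"])):
        pkt = search_request(2, b"", b"uid", b"chrish", ctl)  # base="" as in the log
        print(f"{label:<7} tail={pkt[-4:].hex()} strict={result_code(pkt)} lenient={result_code(pkt, strict=False)}")
```

The practical use on the defender's side is the decoder: pointed at the SearchRequest bytes from a capture like the one attached in this thread, `parse_message` tells you which of the three cases the client is sending, so the fix can be aimed at the client library rather than at the directory.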
Re: [Freeipa-users] Errors with Configuring GitHub
Oh yes, sorry; we all live in Acronyms :-)

Yes centos-ds

Thank you,
Christian Hernandez

On Fri, Feb 1, 2013 at 4:35 PM, Rich Megginson rmegg...@redhat.com wrote:

> On 02/01/2013 05:29 PM, Christian Hernandez wrote:
>> And to answer your questions Rich. GitHub was working with CDS 8.1.0
>
> What is CDS? Is that centos-ds?
>
>> It looks like IPA is using 389:
>>
>>     ns-slapd --version
>>     389 Project
>>     389-Directory/1.2.10.2 B2012.194.51
Re: [Freeipa-users] Backup and Restoration of IPA Server
I also Snapshot Cold. Since I have many replicas; it's really no big deal in shutting down an IPA server for a few seconds to get a quiescent snapshot.

Thank you,
Christian Hernandez

On Sun, Feb 3, 2013 at 12:17 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:

> Hi,
>
> The problem I had with snapshots is I found if snapshotting hot they got confused and the users all doubled on some replicas, on others replication broke... very weird...
>
> So snapshot cold.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
> Sent: Monday, 4 February 2013 7:01 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Backup and Restoration of IPA Server
>
>> On 02/03/2013 12:10 PM, Rajnesh Kumar Siwal wrote:
>>> As the IPA server has been the backbone of any Company, is there any recommended approach for Backup/Restore. Please suggest the best approach how to backup and rebuild the server from scratch and restore the IPA Server.
>>
>> For redundancy we recommend running several replicas so that if you lose one you can easily redeploy. If you want, you can run one of the replicas in a VM and take snapshots of the whole system. A more fine grained Backup/Restore procedure is on the roadmap for the next release.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> ---
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Errors with Configuring GitHub
I have provided some feedback to GitHub enterprise. Hopefully they provide something meaningful - or if there is an update in Ruby; that they'll support some sort of patch.

Thank you,
Christian Hernandez

On Sun, Feb 3, 2013 at 3:25 PM, Simo Sorce sso...@redhat.com wrote:

> (sorry for top posting, travelling)
>
> Christian,
> I think I have seen this once before from a user trying to use a (IIRC) ruby ldap library to connect to 389ds, he also reported at the time the same thing was working on older 389ds.
>
> If I recall correctly it is an actual bug in the client code, but went undetected for long because the older 389 ds was less strict.
>
> I am sorry I do not have more details right now.
>
> Simo.
Re: [Freeipa-users] Testing out FreeIPA
IPA is in the default CentOS repos last I recall

Thank you,
Christian Hernandez

On Wed, Feb 6, 2013 at 12:13 PM, Shawn taaj.sh...@gmail.com wrote:

> Are there any centos5/centos6 packages available?
>
> --
> - Shawn Taaj
[Freeipa-users] IPA not authenticating - SSSD issue maybe
Hello,

From time to time we are getting complaints that I can sum up as "I cannot log in to server X". Here is a snippet of the /var/log/sssd/sssd_DOMAIN.log ...

(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): domain: 4OVER.COM
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): user: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): service: vsftpd
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): tty: ftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): ruser: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): rhost: mammoth.4over.com
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): priv: 1
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): cli_pid: 17841
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, NULL) [Success]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][4OVER.COM]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Sent result [0][4OVER.COM]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): command: PAM_SETCRED
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): domain: 4OVER.COM
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): user: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): service: vsftpd
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): tty: ftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): ruser: tradeftp
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): rhost: mammoth.4over.com
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): authtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): priv: 1
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [pam_print_data] (0x0100): cli_pid: 17841
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Sending result [0][4OVER.COM]
(Mon Apr 15 09:37:00 2013) [sssd[be[4OVER.COM]]] [be_get_account_info] (0x0100): Got request for [3][1][name=tradeftp]
(Mon Apr 15 09:37:00 2013) [sssd[be[4OVER.COM]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=4over,dc=com, returned 0 results. Skipping

Here (more interesting) is the krb log file

(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [trade...@4over.com]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [krb5_child_setup] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [krb5_set_canonicalize] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Apr 15 09:36:54 2013) [[sssd[krb5_child[17855 [krb5_child_setup] (0x0100): Not using FAST.
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862 [unpack_buffer] (0x0100): cmd [241] uid [6676] gid [104] validate [true] offline [false] UPN [trade...@4over.com]
(Mon Apr 15 09:36:56 2013) [[sssd[krb5_child[17862 [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
Re: [Freeipa-users] IPA not authenticating - SSSD issue maybe
We are running 1.9.2. Looks like 3.0 is available for my build of CentOS ~ Any suggestions on how to proceed to updating? Is Multimaster replication sustained during updating?

Thank you,
Christian Hernandez
1225 Los Angeles Street
Glendale, CA 91204
Phone: 877-782-2737 ext. 4566
Fax: 818-265-3152
christi...@4over.com
www.4over.com

On Mon, Apr 15, 2013 at 11:29 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Christian Hernandez wrote:
Hello, From time to time we are getting complaints that I can sum up as "I cannot log in to server X". Here is a snippet of the /var/log/sssd/sssd_DOMAIN.log ...
Re: [Freeipa-users] IPA not authenticating - SSSD issue maybe
Okay,

So I tried to update to the newest version. Update went okay and users can authenticate (as far as I can tell)... But I think maybe replication broke?

[r...@ipa1.da2.4over.com log]# ipa-replica-manage force-sync --from= ipa1.gln.4over.com
Invalid password

Any ideas?

Thank you,
Christian Hernandez

On Mon, Apr 15, 2013 at 4:19 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
On Mon, Apr 15, 2013 at 02:29:18PM -0400, Rob Crittenden wrote:
There are some odd errors in ldap_child.log but it seems to cover a later period than the other logs (not being able to bind using its keytab is a bad thing). I think what you'll want to do, and this may be relatively tough, is try to correlate these failures with the 389-ds access log and the KDC logs to see if there are equivalent failures at around the same times.

I agree, the ldap_child failing usually indicates an issue with the keytab and/or the KDC. The ldap_child functionality is roughly equivalent to kinit -k.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
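The correlation Rob suggests can be scripted rather than done by eye. The following is an added example, not code from this thread or from SSSD: it parses the SSSD debug-log line shape shown earlier in the thread (sssd_DOMAIN.log and krb5_child.log share it), flags lines that indicate a failed step, and lists what the other log recorded within a few seconds of each failure. The embedded log lines are constructed from the ones in the thread plus one made-up non-zero PAM result, and the failure patterns are my own assumptions, not an SSSD definition.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One SSSD debug line; sssd_DOMAIN.log, krb5_child.log and ldap_child.log share this shape:
# (Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Got request ...
LINE_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) "
    r"(?P<comp>\S+) \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Assumed failure indicators (my choice, not an SSSD-defined list). In "Sending result [N]"
# N is the PAM status handed back to the client: 0 is PAM_SUCCESS, anything else is a failure.
FAILURE_PATTERNS = [
    (re.compile(r"returned 0 results"), "empty group search"),
    (re.compile(r"Invalid credentials|GSSAPI Failure"), "bind/GSSAPI failure"),
    (re.compile(r"Sending result \[(?P<code>\d+)\]"), "non-zero PAM result"),
]

@dataclass
class Event:
    ts: datetime
    component: str  # e.g. [sssd[be[4OVER.COM]]] or [sssd[krb5_child[17862]]]
    func: str
    msg: str
    source: str  # which log file the line came from

def parse_line(line: str, source: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation or unrelated line: skip it
    return Event(datetime.strptime(m["ts"], TS_FMT), m["comp"], m["func"], m["msg"], source)

def parse_log(text: str, source: str) -> List[Event]:
    return [e for e in (parse_line(ln, source) for ln in text.splitlines()) if e]

def failure_reason(ev: Event) -> Optional[str]:
    for pat, reason in FAILURE_PATTERNS:
        m = pat.search(ev.msg)
        if m is not None and m.groupdict().get("code") != "0":
            return reason
    return None

def correlate(events: List[Event], window_s: int = 5) -> List[Tuple[Event, str, List[Event]]]:
    """For each failing event, collect what the *other* logs recorded within +/- window_s seconds."""
    events = sorted(events, key=lambda e: e.ts)
    win = timedelta(seconds=window_s)
    hits = []
    for ev in events:
        reason = failure_reason(ev)
        if reason:
            nearby = [o for o in events if o.source != ev.source and abs(o.ts - ev.ts) <= win]
            hits.append((ev, reason, nearby))
    return hits
# Constructed sample logs: lines from the thread plus one made-up non-zero "[4]" PAM result.
SSSD_LOG = """\
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_all]
(Mon Apr 15 09:36:59 2013) [sssd[be[4OVER.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][4OVER.COM]
(Mon Apr 15 09:37:00 2013) [sssd[be[4OVER.COM]]] [sdap_initgr_nested_search] (0x0040): Search for group cn=ipausers,cn=groups,cn=accounts,dc=4over,dc=com, returned 0 results. Skipping
(Mon Apr 15 09:37:03 2013) [sssd[be[4OVER.COM]]] [be_pam_handler] (0x0100): Sending result [4][4OVER.COM]
"""
KRB5_LOG = """\
(Mon Apr 15 09:36:56 2013) [sssd[krb5_child[17862]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_6676_0CTKUc] keytab: [/etc/krb5.keytab]
(Mon Apr 15 09:37:02 2013) [sssd[krb5_child[17862]]] [krb5_child_setup] (0x0100): Not using FAST.
"""
if __name__ == "__main__":
    events = parse_log(SSSD_LOG, "sssd_4OVER.COM.log") + parse_log(KRB5_LOG, "krb5_child.log")
    for ev, reason, nearby in correlate(events):
        print(ev.ts, ev.source, reason, "| nearby:", [(str(o.ts.time()), o.func) for o in nearby])
```

Feeding the real files in place of the embedded strings (and adding a pattern for the KDC or 389-ds access log format) gives the time-aligned view Rob describes.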
Re: [Freeipa-users] IPA not authenticating - SSSD issue maybe
Yes; I verified that both forward and reverse DNS match on all nodes.

Thank you,
Christian Hernandez

On Mon, Apr 15, 2013 at 6:21 PM, Dmitri Pal <d...@redhat.com> wrote:
On 04/15/2013 08:41 PM, Christian Hernandez wrote:
Yup, looks like replication is broken =\

[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage disconnect ipa1.la3.4over.com
Failed to get list of agreements from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list ipa1.la3.4over.com
Failed to get data from 'ipa1.la3.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[r...@ipa1.gln.4over.com ipa]# ipa-replica-manage list
ipa1.la3.4over.com: master
ipa1.gln.4over.com: master
ipa1.da2.4over.com: master

Do the machines resolve each other correctly?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] IPA not authenticating - SSSD issue maybe
Looks like I've narrowed it down to...something...

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.gln.4over.com
Failed to get data from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list ipa1.da2.4over.com
ipa1.gln.4over.com: replica
ipa1.la3.4over.com: replica
[r...@ipa1.la3.4over.com ~]# ipa-replica-manage list $(hostname)
ipa1.da2.4over.com: replica
ipa1.gln.4over.com: replica
[r...@ipa1.la3.4over.com ~]# rpm -qa |egrep '389|ipa'
ipa-admintools-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-26.el6_4.2.x86_64
libipa_hbac-python-1.9.2-82.4.el6_4.x86_64
389-ds-base-libs-1.2.11.15-12.el6_4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
libipa_hbac-1.9.2-82.4.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
389-ds-base-1.2.11.15-12.el6_4.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64

Although when I try to remove the replication agreement...I can't =\

[r...@ipa1.la3.4over.com ~]# ipa-replica-manage disconnect $(hostname) ipa1.gln.4over.com
Failed to get list of agreements from 'ipa1.gln.4over.com': Invalid credentials SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context

Thank you,
Christian Hernandez

On Mon, Apr 15, 2013 at 6:58 PM, Christian Hernandez <christi...@4over.com> wrote:
Yes; I verified that both forward and reverse DNS match on all nodes.
Re: [Freeipa-users] Replicas
Not sure if anyone noticed that the site is down http://www.freeipa.org/

Thank you,
Christian Hernandez

On Tue, May 14, 2013 at 9:16 AM, Andrew Tranquada <andrew.tranqu...@mailtrust.com> wrote:
understood thank you

From: Simo Sorce [sso...@redhat.com]
Sent: Tuesday, May 14, 2013 10:54 AM
To: Andrew Tranquada
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replicas

- Original Message -
Awesome thank you.

note, we recommend no more than 4 replication agreements per master, so you should create a topology keeping this in mind (i.e. do not make 19 servers all have a replication agreement with 1).

Simo.

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, May 14, 2013 10:05 AM
To: Andrew Tranquada; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replicas

Andrew Tranquada wrote:
Hello everyone. Is there a limit to the number of replicas you may have? Are there any documents detailing scaling limits for freeIPA?

The maximum number of masters tested is 20. There is nothing in the code to prevent more, and there are users that have more. For scaling and performance I'd start with the 389-ds documentation.

rob

--
Simo Sorce * Red Hat, Inc. * New York
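Simo's sizing rule can be turned into a pre-flight check on a planned topology. The following is an added example, not code from FreeIPA or from anyone on this thread: it treats the planned agreements as an undirected graph, flags any master with more than four agreements (the recommendation above applied as a hard limit, which is my assumption) and any master unreachable from the rest, and builds a ring as one layout that satisfies both. The three 4over.com masters are the ones named in the earlier thread on this page; their triangle wiring and the 20-host names are made up.

```python
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

Agreement = Tuple[str, str]  # one agreement joins two masters; replication flows both ways

def build_graph(agreements: Iterable[Agreement]) -> Dict[str, Set[str]]:
    """Undirected adjacency map: master -> masters it has an agreement with."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for a, b in agreements:
        if a == b:
            raise ValueError(f"agreement from {a} to itself")
        graph[a].add(b)
        graph[b].add(a)
    return graph

def check_topology(masters: List[str], agreements: Iterable[Agreement],
                   max_per_master: int = 4) -> List[str]:
    """Return the problems found; an empty list means the layout passes both checks."""
    if not masters:
        return []
    graph = build_graph(agreements)
    problems = []
    for m in masters:
        degree = len(graph.get(m, set()))
        if degree == 0:
            problems.append(f"{m}: no replication agreement at all")
        elif degree > max_per_master:
            problems.append(f"{m}: {degree} agreements, recommended maximum is {max_per_master}")
    # Every master must be reachable from every other, otherwise changes never converge.
    seen, queue = {masters[0]}, deque([masters[0]])
    while queue:
        for peer in graph.get(queue.popleft(), set()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    for m in sorted(set(masters) - seen):
        problems.append(f"{m}: not reachable from {masters[0]} (partitioned topology)")
    return problems

def ring_topology(masters: List[str]) -> List[Agreement]:
    """Each master agrees with its two ring neighbours: two agreements each, all connected."""
    if len(masters) < 2:
        return []
    return [(masters[i], masters[(i + 1) % len(masters)]) for i in range(len(masters))]

# Constructed samples: the three masters from the earlier thread wired as a triangle (assumed),
# a 20-master star (19 agreements on one hub, the shape Simo warns against) and a 20-master ring.
THREAD_MASTERS = ["ipa1.gln.4over.com", "ipa1.la3.4over.com", "ipa1.da2.4over.com"]
THREAD_AGREEMENTS = ring_topology(THREAD_MASTERS)
TWENTY = [f"ipa{i:02d}.example.test" for i in range(20)]  # made-up hostnames
STAR = [(TWENTY[0], m) for m in TWENTY[1:]]

if __name__ == "__main__":
    for name, masters, agreements in [("triangle", THREAD_MASTERS, THREAD_AGREEMENTS),
                                      ("star", TWENTY, STAR),
                                      ("ring", TWENTY, ring_topology(TWENTY))]:
        print(name, check_topology(masters, agreements) or "OK")
```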
[Freeipa-users] Form Based Login
Looks like the link for Form Based Login isn't appearing. What's the URL for form based login? Can I access it directly via a URL?

Thank you,
Christian Hernandez
Re: [Freeipa-users] Form Based Login
Hi Martin,

The page _is_ showing up...but there is no link for form based auth ...before there was a link for form based authentication

Thank you,
Christian Hernandez

On Fri, Jan 10, 2014 at 1:07 AM, Martin Kosek <mko...@redhat.com> wrote:
On 01/10/2014 04:45 AM, Christian Hernandez wrote:
Looks like the link for Form Based Login isn't appearing. What's the URL for form based login? Can I access it directly via a URL?

What do you mean by "isn't appearing"? You type the FreeIPA server FQDN and you are not redirected to the Web UI URL? The URL should be as following:

https://fqdn.of.your.ipa.server/ipa/ui/

Or does it mean you are redirected, but receive a blank page instead?

Martin
Re: [Freeipa-users] Kerberos and LDAP password
From what I understand I use currently... You can use just LDAP...I'm currently using LDAP/KRB where supported...and just straight LDAP on applications that don't support KRB

Thank you,
Christian Hernandez

On Mon, Jan 13, 2014 at 2:04 PM, Bob <harv...@gmail.com> wrote:
I'm very new to IPA. I run an ODSEE and I need to add in krb5. ODSEE allows us to store the KRB5 data in ldap, but there is no easy means of keeping the LDAP and Kerberos password in sync for a given account. I understand that IPA supplies Kerberos services. But is the krb5 password the same password that a LDAP bind would use? Meaning I have many applications that can not use Kerberos, but can use LDAP. Can these applications use IPA and expect that a given user account will have the LDAP password kept in sync with the krb5 password?

thanks,
Bob