[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Jochen Hein via FreeIPA-users
Prasun Gera via FreeIPA-users writes:

> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.

On my NFS server /home is a local ext4 mount and exported. The clients
automount it as /zentral.  autofs.zentral contains:

*   -fstype=nfs4,rw,sec=krb5p,soft,rsize=8192,wsize=8192
nfs.example.org:/home/&

When I access /zentral/jochen I get the following mount:

/dev/mapper/home_lv on /zentral/jochen type ext4 
(rw,noatime,errors=remount-ro,data=ordered)

That seems to be a bind mount.

Jochen

-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Prasun Gera via FreeIPA-users
The only thing I would be interested in knowing is if there is a
performance penalty to mounting NFS locally. Ideally, it should be smart
enough to know that, but I'm not sure if it is.

On 14 Jul 2017 6:08 pm, "Petros Triantafyllidis" wrote:

> Thanks a lot for replying,
>   Yes, your suggestion is working. Doesn't seem that elegant though, since
> a partition is mounted several times. However it's practical and I can't
> figure out how else it could be done.
> From mount stats, the first two are from fstab mount and appear only on the
> NFS server, while the third is the automount and appears on all NFS clients
> (NFS server included)
>
> /dev/sdb1 on /export/data1 type xfs (rw,relatime,attr2,inode64,noquota)
> /dev/sdb1 on /data1 type xfs (rw,relatime,attr2,inode64,noquota)
> auto.direct on /data1 type autofs (rw,relatime,fd=18,pgrp=34091,
> timeout=300,minproto=5,maxproto=5,direct)
>
> Thanks a lot,
> Petros
>
> On 07/12/2017 01:11 AM, Prasun Gera via FreeIPA-users wrote:
>
> One easy way to resolve your issues is to use different names for the
> export location and the mount location. Your export location is handled by
> fstab, whereas your mount location is handled by autofs. For example, you
> have server1 with /export_data1 and server2 with /export_data2 mounted via
> fstab. NFS + autofs will mount them as /data1 and /data2 on all the clients
> including the NFS servers. Does this work for you ?
>
> On Sun, Jul 2, 2017 at 1:58 PM, Petros Triantafyllidis via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi all,
>>   I am very new to IPA and still a bit before going into production, so
>> apologies in advance.
>>
>> The plan is to have a number of servers that each one shares a space via
>> kerberized nfs4 to the others, which makes all of them NFS clients and
>> servers at the same time. On my attempt to setup automount globally via IdM
>> and sssd, I realized that when a machine is configured as nfs server, it
>> needs autofs.service to be stopped in order to access its local shares
>> mounted via fstab. If I use /etc/auto.master to mount the local shares
>> instead of fstab, then autofs.service may (actually must) run and
>> everything works properly but, doing so, I don't have the advantage of one
>> central configuration location any more.
>> The preferred scenario for each server would be to mount its local shares
>> via fstab and the remote shares via sssd automount. Am I missing something?
>>
>> Thanks in advance,
>> Petros
>>
>>
> --
> Dr. TRIANTAFYLLIDIS PETROS  E-MAIL: tr...@auth.gr
> ^^  http://users.auth.gr/trian
> Aristotle University - Department of Geophysics, POBox 111,
> 54124 Thessaloniki-GREECE - TEL:+30-2310998585, FAX:2310991403
>
>


[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Petros Triantafyllidis via FreeIPA-users

Thanks a lot for replying,
  Yes, your suggestion is working. Doesn't seem that elegant though, 
since a partition is mounted several times. However it's practical and I 
can't figure out how else it could be done.
From mount stats, the first two are from fstab mount and appear only 
on the NFS server, while the third is the automount and appears on all NFS 
clients (NFS server included)


/dev/sdb1 on /export/data1 type xfs (rw,relatime,attr2,inode64,noquota)
/dev/sdb1 on /data1 type xfs (rw,relatime,attr2,inode64,noquota)
auto.direct on /data1 type autofs 
(rw,relatime,fd=18,pgrp=34091,timeout=300,minproto=5,maxproto=5,direct)


Thanks a lot,
Petros

On 07/12/2017 01:11 AM, Prasun Gera via FreeIPA-users wrote:
One easy way to resolve your issues is to use different names for the 
export location and the mount location. Your export location is 
handled by fstab, whereas your mount location is handled by autofs. 
For example, you have server1 with /export_data1 and server2 with 
/export_data2 mounted via fstab. NFS + autofs will mount them as 
/data1 and /data2 on all the clients including the NFS servers. Does 
this work for you ?


On Sun, Jul 2, 2017 at 1:58 PM, Petros Triantafyllidis via 
FreeIPA-users wrote:


Hi all,
  I am very new to IPA and still a bit before going into
production, so apologies in advance.

The plan is to have a number of servers that each one shares a
space via kerberized nfs4 to the others, which makes all of them
NFS clients and servers at the same time. On my attempt to setup
automount globally via IdM and sssd, I realized that when a
machine is configured as nfs server, it needs autofs.service to be
stopped in order to access its local shares mounted via fstab. If
I use /etc/auto.master to mount the local shares instead of fstab,
then autofs.service may (actually must) run and everything works
properly but, doing so, I don't have the advantage of one central
configuration location any more.
The preferred scenario for each server would be to mount its local
shares via fstab and the remote shares via sssd automount. Am I
missing something?

Thanks in advance,
Petros



--
Dr. TRIANTAFYLLIDIS PETROS  E-MAIL: tr...@auth.gr
^^  http://users.auth.gr/trian
Aristotle University - Department of Geophysics, POBox 111,
54124 Thessaloniki-GREECE - TEL:+30-2310998585, FAX:2310991403



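As an added example (not part of this thread, and not code from the FreeIPA or autofs projects), the following Python script audits a mount(8)-style table for the two things discussed above: whether every NFS mount actually negotiated sec=krb5p (a mount that silently fell back to sec=sys carries AUTH_SYS credentials and no Kerberos at all), and which filesystems sitting under an automount point are local bind mounts of an export rather than NFS mounts, which is what the "/dev/sdb1 on /data1 type xfs" and "/dev/mapper/home_lv on /zentral/jochen type ext4" lines in the thread are. The sample table is constructed: it reuses the lines quoted in the thread and adds an invented auto.zentral indirect map, a krb5p mount of nfs.example.org:/home/alice and a deliberately weak sec=sys mount of nfs.example.org:/scratch; the hostnames and addresses are assumptions.

```python
import re
import sys
from dataclasses import dataclass, field

# One line of mount(8) output: "<source> on <target> type <fstype> (<opts>)".
MOUNT_LINE = re.compile(
    r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)

# Constructed sample: the lines quoted in this thread plus three invented ones
# (the auto.zentral map, a krb5p home mount and a sec=sys scratch mount).
SAMPLE_MOUNTS = """\
/dev/sdb1 on /export/data1 type xfs (rw,relatime,attr2,inode64,noquota)
auto.direct on /data1 type autofs (rw,relatime,fd=18,pgrp=34091,timeout=300,minproto=5,maxproto=5,direct)
/dev/sdb1 on /data1 type xfs (rw,relatime,attr2,inode64,noquota)
auto.zentral on /zentral type autofs (rw,relatime,fd=21,pgrp=1234,timeout=300,minproto=5,maxproto=5,indirect)
/dev/mapper/home_lv on /zentral/jochen type ext4 (rw,noatime,errors=remount-ro,data=ordered)
nfs.example.org:/home/alice on /zentral/alice type nfs4 (rw,relatime,vers=4.1,rsize=8192,wsize=8192,soft,sec=krb5p,clientaddr=192.0.2.10,addr=192.0.2.1)
nfs.example.org:/scratch on /mnt/scratch type nfs4 (rw,relatime,vers=4.1,sec=sys,addr=192.0.2.1)
"""


@dataclass
class Mount:
    source: str
    target: str
    fstype: str
    options: dict = field(default_factory=dict)  # name -> value ("" for bare flags)


def parse_mount_lines(text):
    """Parse mount(8) output into Mount records; raises on lines it cannot read."""
    mounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MOUNT_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable mount line: {line!r}")
        opts = {}
        for opt in m.group("opts").split(","):
            name, _, value = opt.partition("=")
            opts[name] = value
        mounts.append(Mount(m.group("src"), m.group("target"), m.group("fstype"), opts))
    return mounts


def insecure_nfs_mounts(mounts, required_sec="krb5p"):
    """(target, sec) for every NFS mount whose negotiated flavor is not required_sec.
    A missing sec= option means AUTH_SYS, i.e. no Kerberos protection at all."""
    bad = []
    for m in mounts:
        if m.fstype in ("nfs", "nfs4"):
            sec = m.options.get("sec", "sys")
            if sec != required_sec:
                bad.append((m.target, sec))
    return bad


def local_mounts_under_autofs(mounts):
    """(target, device) for block-device filesystems at or below an autofs mount
    point. On an NFS server this is the bind mount autofs creates when the export
    is local, which is why mount shows ext4/xfs instead of nfs4 there."""
    autofs_roots = [m.target for m in mounts if m.fstype == "autofs"]
    found = []
    for m in mounts:
        if m.fstype in ("autofs", "nfs", "nfs4") or not m.source.startswith("/dev/"):
            continue
        if any(m.target == r or m.target.startswith(r.rstrip("/") + "/") for r in autofs_roots):
            found.append((m.target, m.source))
    return found


def report(text):
    """Human-readable findings for one mount table."""
    mounts = parse_mount_lines(text)
    lines = [f"NFS mount {t} uses sec={s}, not krb5p" for t, s in insecure_nfs_mounts(mounts)]
    lines += [f"{t} is a local bind mount of {d} (served locally, not over NFS)"
              for t, d in local_mounts_under_autofs(mounts)]
    return lines


if __name__ == "__main__":
    # Pipe `mount` into this script on a real host; otherwise the sample is used.
    print("\n".join(report(SAMPLE_MOUNTS if sys.stdin.isatty() else sys.stdin.read())))
```

On a live host run it as `mount | python3 audit_mounts.py`. The bind-mount finding answers the performance question raised in the thread from the mount table itself: a path that shows up as ext4/xfs under an automount point never leaves the kernel's VFS, so there is no NFS round trip and no krb5p wrapping to pay for.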


[Freeipa-users] Re: [Freeipa-users]dirsrv will not start, tried cp dse.ldif.startOK to dse.ldif but issue remains.

2017-07-14 Thread Jake via FreeIPA-users
From the journal, maybe it's Kerberos issues 

Jul 14 12:11:28 server02.ipa.example.com named-pkcs11[1041]: Failed to get 
initial credentials (TGT) using principal 'DNS/server02.ipa.example.com' and 
keytab 'FILE:/etc/named.keytab' (Cannot contact any KDC for realm 
'IPA.EXAMPLE.COM') 


Jul 14 12:11:05 server02.ipa.example.com systemd[1]: Starting 389 Directory 
Server IPA-EXAMPLE-COM 
-- Subject: Unit dirsrv@IPA-EXAMPLE-COM.service has begun start-up 
-- Defined-By: systemd 
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
-- 
-- Unit dirsrv@IPA-EXAMPLE-COM.service has begun starting up. 
Jul 14 12:11:05 server02.ipa.example.com ds_systemd_ask_password_acl[3669]: 
grep: /etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif: No such file or directory 
Jul 14 12:11:05 server02.ipa.example.com ns-slapd[3674]: 
[14/Jul/2017:12:11:05.824429897 -0400] dse - The configuration file 
/etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif was not restored from backup 
/etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif.tmp, error -1 
Jul 14 12:11:05 server02.ipa.example.com ns-slapd[3674]: 
[14/Jul/2017:12:11:05.824786923 -0400] dse - The configuration file 
/etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif was restored from backup 
/etc/dirsrv/slapd-IPA-EXAMPLE-COM/dse.ldif.bak 
Jul 14 12:11:06 server02.ipa.example.com ns-slapd[3674]: 
[14/Jul/2017:12:11:06.614887908 -0400] 389-Directory/1.3.5.10 B2017.145.2037 
starting up 
Jul 14 12:11:06 server02.ipa.example.com ns-slapd[3674]: 
[14/Jul/2017:12:11:06.634027487 -0400] Db home directory is not set. Possibly 
nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the 
config file. 
Jul 14 12:11:06 server02.ipa.example.com ns-slapd[3674]: 
[14/Jul/2017:12:11:06.636333131 -0400] Detected Disorderly Shutdown last time 
Directory Server was running, recovering database. 
Jul 14 12:11:06 server02.ipa.example.com kernel: traps: ns-slapd[3674] general 
protection ip:7f05f3c17270 sp:7ffc09641898 error:0 in 
libdb-5.3.so[7f05f3af2000+1b4000] 
Jul 14 12:11:06 server02.ipa.example.com systemd[1]: 
dirsrv@IPA-EXAMPLE-COM.service: main process exited, code=killed, 
status=11/SEGV 
Jul 14 12:11:06 server02.ipa.example.com systemd[1]: Failed to start 389 
Directory Server IPA-EXAMPLE-COM.. 
-- Subject: Unit dirsrv@IPA-EXAMPLE-COM.service has failed 
-- Defined-By: systemd 
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
-- 
-- Unit dirsrv@IPA-EXAMPLE-COM.service has failed. 
-- 
-- The result is failed. 
Jul 14 12:11:06 server02.ipa.example.com systemd[1]: Unit 
dirsrv@IPA-EXAMPLE-COM.service entered failed state. 
Jul 14 12:11:06 server02.ipa.example.com systemd[1]: 
dirsrv@IPA-EXAMPLE-COM.service failed. 
Jul 14 12:11:06 server02.ipa.example.com polkitd[659]: Unregistered 
Authentication Agent for unix-process:3652:239175 (system bus name :1.226, 
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale 
en_US.UTF-8) (disconnected from bus) 
Jul 14 12:11:28 server02.ipa.example.com named-pkcs11[1041]: Failed to get 
initial credentials (TGT) using principal 'DNS/server02.ipa.example.com' and 
keytab 'FILE:/etc/named.keytab' (Cannot contact any KDC for realm 
'IPA.EXAMPLE.COM') 
Jul 14 12:11:28 server02.ipa.example.com named-pkcs11[1041]: ldap_syncrepl will 
reconnect in 60 seconds 
Jul 14 12:12:01 server02.ipa.example.com polkitd[659]: Registered 
Authentication Agent for unix-process:3702:244769 (system bus name :1.231 
[/usr/bin/pkttyagent --notify-fd 5 --fallback], object path 
/org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) 
Jul 14 12:12:01 server02.ipa.example.com systemd[1]: Starting 389 Directory 
Server IPA-EXAMPLE-COM 
-- Subject: Unit dirsrv@IPA-EXAMPLE-COM.service has begun start-up 
-- Defined-By: systemd 
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
-- 
-- Unit dirsrv@IPA-EXAMPLE-COM.service has begun starting up. 
Jul 14 12:12:02 server02.ipa.example.com ns-slapd[3724]: 
[14/Jul/2017:12:12:02.625503302 -0400] 389-Directory/1.3.5.10 B2017.145.2037 
starting up 
Jul 14 12:12:02 server02.ipa.example.com ns-slapd[3724]: 
[14/Jul/2017:12:12:02.645784373 -0400] Db home directory is not set. Possibly 
nsslapd-directory (optionally nsslapd-db-home-directory) is missing in the 
config file. 
Jul 14 12:12:02 server02.ipa.example.com ns-slapd[3724]: 
[14/Jul/2017:12:12:02.648203339 -0400] Detected Disorderly Shutdown last time 
Directory Server was running, recovering database. 
Jul 14 12:12:02 server02.ipa.example.com kernel: traps: ns-slapd[3724] general 
protection ip:7fd4b627e270 sp:7ffd50c2f528 error:0 in 
libdb-5.3.so[7fd4b6159000+1b4000] 
Jul 14 12:12:02 server02.ipa.example.com systemd[1]: 
dirsrv@IPA-EXAMPLE-COM.service: main process exited, code=killed, 
status=11/SEGV 
Jul 14 12:12:02 server02.ipa.example.com systemd[1]: Failed to start 389 
Directory Server IPA-EXAMPLE-COM.. 
-- Subject: Unit dirsrv@IPA-EXAMPLE-COM.service has failed 
-- Defined-By: systemd 
-- Support: h

[Freeipa-users] dirsrv will not start, tried cp dse.ldif.startOK to dse.ldif but issue remains.

2017-07-14 Thread email--- via FreeIPA-users
IPA Users, 
I'm not sure when the last time this service was running/working, any ideas are 
appreciated. 

IPA Version: ipa-server-4.4.0-14.el7.centos.7.x86_64 

ipa-server-upgrade 
Upgrading IPA: 
[1/8]: saving configuration 
[2/8]: disabling listeners 
[3/8]: enabling DS global lock 
[4/8]: starting directory server 
[error] CalledProcessError: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 
[cleanup]: stopping directory server 
[cleanup]: restoring configuration 
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command 
ipa-server-upgrade manually. 
Unexpected error - see /var/log/ipaupgrade.log for details: 
CalledProcessError: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more 
information 



#tail -n 100 /var/log/ipaupgrade.log 

2017-07-14T16:03:53Z DEBUG stderr=Job for dirsrv@IPA-EXAMPLE-COM.service failed 
because a fatal signal was delivered to the control process. See "systemctl 
status dirsrv@IPA-EXAMPLE-COM.service" and "journalctl -xe" for details. 

2017-07-14T16:03:53Z DEBUG Traceback (most recent call last): 
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, 
in start_creation 
run_step(full_msg, method) 
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, 
in run_step 
method() 
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
line 94, in __start 
services.service(self.service_name).start(self.serverid, ldapi=True) 
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
157, in start 
instance_name, capture_output=capture_output, wait=wait) 
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 285, 
in start 
skip_output=not capture_output) 
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run 
raise CalledProcessError(p.returncode, arg_string, str(output)) 
CalledProcessError: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 

2017-07-14T16:03:53Z DEBUG [error] CalledProcessError: Command '/bin/systemctl 
start dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 
2017-07-14T16:03:53Z DEBUG [cleanup]: stopping directory server 
2017-07-14T16:03:53Z DEBUG Starting external process 
2017-07-14T16:03:53Z DEBUG args=/bin/systemctl stop 
dirsrv@IPA-EXAMPLE-COM.service 
2017-07-14T16:03:53Z DEBUG Process finished, return code=0 
2017-07-14T16:03:53Z DEBUG stdout= 
2017-07-14T16:03:53Z DEBUG stderr= 
2017-07-14T16:03:53Z DEBUG duration: 0 seconds 
2017-07-14T16:03:53Z DEBUG [cleanup]: restoring configuration 
2017-07-14T16:03:53Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Saving StateFile to 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state' 
2017-07-14T16:03:53Z DEBUG duration: 0 seconds 
2017-07-14T16:03:53Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually. 
2017-07-14T16:03:53Z DEBUG File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute 
return_value = self.run() 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 46, in run 
server.upgrade() 
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1846, in upgrade 
data_upgrade.create_instance() 
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
line 119, in create_instance 
show_service_name=False) 
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 449, 
in start_creation 
run_step(full_msg, method) 
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 439, 
in run_step 
method() 
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", 
line 94, in __start 
services.service(self.service_name).start(self.serverid, ldapi=True) 
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 
157, in start 
instance_name, capture_output=capture_output, wait=wait) 
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 285, 
in start 
skip_output=not capture_output) 
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 494, in run 
raise CalledProcessError(p.returncode, arg_string, str(output)) 

2017-07-14T16:03:53Z DEBUG The ipa-server

[Freeipa-users] Re: [Freeipa-users]Re: IPA Servers will not start - dirsrv [Solved]

2017-07-14 Thread email--- via FreeIPA-users

Copied over the dse.ldif.startOK to dse.ldif and it started. Thank You, 



From: "freeipa-users"  
To: "freeipa-users"  
Cc: "Ludwig Krispenz"  
Sent: Friday, July 14, 2017 10:35:55 AM 
Subject: [Freeipa-users]Re: IPA Servers will not start - dirsrv 

looks like you lost your configuration files dse.ldif and its backup as well 
could you check what you have in /etc/dirsrv/slapd- 

you can try to copy one of the *dse.ldif* to dse.ldif and try to restart, but 
that file may be up to date. 

Ludwig 

On 07/14/2017 04:22 PM, email--- via FreeIPA-users wrote: 



IPA-Users, 

We relocated a rack recently across the states and are no longer able to start 
dirsrv389. 

sudo ipactl start 
Starting Directory Service 
Failed to start Directory Service: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 


Thousands of log entries: 

ns-slapd[15125]: [14/Jul/2017:09:09:11.167235367 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167240900 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167245957 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167250923 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167256433 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167261853 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167268487 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 

These servers were offline for 2-3 weeks, do they have the same tombstone 
effect as windows ad controllers? 

Any other information I can provide? 

Thanks 
-Jake 




[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread bogusmaster--- via FreeIPA-users
> On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users 
> wrote:
> 
> yes, but I think this is only a side effect. SSSD cannot resolve a
> global catalog server. Does
> 
> dig SRV _gc._tcp.td.mydomain.com
> 
> return anything when called on the IPA server?

It didn't. I've added a DNS entry and now it works like this:
dig +short SRV _gc._tcp.td.mydomain.com
0 100 389 dc.td.mydomain.com.

Now when I clear server's cache by removing the files in /var/lib/sss/db/ and 
restart sssd daemon it apparently behaves as it should - ad_users group that I 
use for HBAC for AD users gets updated. sss_cache -E doesn't work for me and I 
have to delete cache files manually. I will test group membership propagation a 
little bit more to be 100% sure, though.

Is there any other way for these changes to propagate without a restart? I have 
this entry in sssd.conf: entry_cache_timeout = 60 but it doesn't seem to work.

Best,
Bart

> 
> It is most probably the GID of the 'Domain Users' group of the AD
> domain.
> 
> 
> Please remove the entry again, it might cause all kinds of irritations.
I've removed that, it was just for the testing purpose.


[Freeipa-users] Re: IPA Servers will not start - dirsrv

2017-07-14 Thread Ludwig Krispenz via FreeIPA-users

looks like you lost your configuration files dse.ldif and its backup as well
could you check what you have in /etc/dirsrv/slapd-

you can try to copy one of the *dse.ldif* to dse.ldif and try to 
restart, but that file maybe up to date.


Ludwig

On 07/14/2017 04:22 PM, email--- via FreeIPA-users wrote:

IPA-Users,

We relocated a rack recently across the states and are no longer able 
to start dirsrv389.


sudo ipactl start
Starting Directory Service
Failed to start Directory Service: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1



Thousands of log entries:

ns-slapd[15125]: [14/Jul/2017:09:09:11.167235367 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167240900 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167245957 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167250923 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167256433 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167261853 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes
ns-slapd[15125]: [14/Jul/2017:09:09:11.167268487 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes


These servers were offline for 2-3 weeks, do they have the same 
tombstone effect as windows ad controllers?


Any other information I can provide?

Thanks
-Jake




--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander

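As an added example (not part of this thread, and not 389 Directory Server or FreeIPA code), the Python below does the check a practitioner would want before copying one of the dse.ldif copies back over the live file. 389 DS keeps dse.ldif.startOK (the configuration the server last started with), dse.ldif.bak (the previous configuration, saved before a change is written) and dse.ldif.tmp (an in-progress write) next to dse.ldif in /etc/dirsrv/slapd-<INSTANCE>/. The journal posted earlier in this thread shows ns-slapd restoring dse.ldif.bak and then crashing in libdb right after "Db home directory is not set. Possibly nsslapd-directory ... is missing", so the script parses each candidate as LDIF (unfolding continuation lines and decoding base64 values) and refuses any copy that lacks the ldbm plug-in's nsslapd-directory. The instance directory, hostname and the two sample files are constructed; the /var/lib/dirsrv/... path is an assumption.

```python
"""Pick a restorable dse.ldif copy by checking it still carries the ldbm settings."""
import base64
import os
from collections import defaultdict

INSTANCE_DIR = "/etc/dirsrv/slapd-IPA-EXAMPLE-COM"   # assumed from the unit name in the logs
# startOK = last successfully started config, .bak = previous config, .tmp = unfinished write.
CANDIDATE_ORDER = ["dse.ldif.startOK", "dse.ldif.bak", "dse.ldif.tmp"]

# Entries/attributes a usable dse.ldif must carry; nsslapd-directory is the one the
# "Db home directory is not set" error complains about.
REQUIRED = {
    "cn=config": ["nsslapd-localhost", "nsslapd-port"],
    "cn=config,cn=ldbm database,cn=plugins,cn=config": ["nsslapd-directory"],
}


def parse_ldif(text):
    """Minimal LDIF reader: {dn (lower-cased): {attr (lower-cased): [values]}}.
    Unfolds continuation lines (leading space) and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn.lower()] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name.lower()].append(value)
    return entries


def check_dse(text):
    """Return a list of problems; an empty list means the candidate looks restorable."""
    entries = parse_ldif(text)
    problems = []
    for dn, required in REQUIRED.items():
        entry = entries.get(dn)
        if entry is None:
            problems.append(f"missing entry {dn}")
            continue
        problems += [f"{dn}: missing {a}" for a in required if a not in entry]
    return problems


def choose_candidate(candidates):
    """candidates: {filename: text}. First file in CANDIDATE_ORDER that passes, else None."""
    for name in CANDIDATE_ORDER:
        if name in candidates and not check_dse(candidates[name]):
            return name
    return None


def load_candidates(instance_dir=INSTANCE_DIR):
    """Read whichever backup copies exist on disk (for use on a real server)."""
    out = {}
    for name in CANDIDATE_ORDER:
        path = os.path.join(instance_dir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                out[name] = fh.read()
    return out


# Constructed samples: a healthy startOK copy (with a folded line and a base64 value)
# and a .bak copy missing nsslapd-directory, like the one ns-slapd crashed on above.
DB_DIR = "/var/lib/dirsrv/slapd-IPA-EXAMPLE-COM/db"
GOOD_DSE = f"""\
dn: cn=config
objectClass: top
cn: config
nsslapd-localhost: server02.ipa.example.com
nsslapd-port: 389

dn: cn=ldbm database,cn=plugins,cn=config
objectClass: top
cn: ldbm database

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
cn: config
nsslapd-directory:: {base64.b64encode(DB_DIR.encode()).decode()}
nsslapd-db-home-directory: /var/lib/dirsrv/slapd-IPA-EXAMPLE-COM/
 db
"""
BAD_DSE = """\
dn: cn=config
cn: config
nsslapd-localhost: server02.ipa.example.com
nsslapd-port: 389

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
cn: config
nsslapd-dbcachesize: 10000000
"""

if __name__ == "__main__":
    samples = {"dse.ldif.bak": BAD_DSE, "dse.ldif.startOK": GOOD_DSE}
    for name, text in samples.items():
        print(name, check_dse(text) or "OK")
    print("restore from:", choose_candidate(samples))
```

On a real server replace the samples with load_candidates() and stop dirsrv before copying. A dse.ldif.startOK that passes the check still reflects the configuration at the last good start, so any change made after that (a new replication agreement, a changed password-storage or TLS setting) is lost when it is copied back; diff it against dse.ldif.bak first and re-apply what is missing.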


[Freeipa-users] IPA Servers will not start - dirsrv

2017-07-14 Thread email--- via FreeIPA-users
IPA-Users, 

We relocated a rack recently across the states and are no longer able to start 
dirsrv389. 

sudo ipactl start 
Starting Directory Service 
Failed to start Directory Service: Command '/bin/systemctl start 
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1 


Thousands of log entries: 

ns-slapd[15125]: [14/Jul/2017:09:09:11.167235367 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167240900 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167245957 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167250923 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167256433 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167261853 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 
ns-slapd[15125]: [14/Jul/2017:09:09:11.167268487 -0400] 
valueset_value_syntax_cmp: slapi_attr_values2keys_sv failed for type 
attributetypes 

These servers were offline for 2-3 weeks, do they have the same tombstone 
effect as windows ad controllers? 

Any other information I can provide? 

Thanks 
-Jake 


[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Callum Guy via FreeIPA-users
Thanks for that Jakub.

Following a review of the output I've found that this is simply a known
conflict with OTP:

https://www.freeipa.org/page/V4/OTP#kinit_Method


On Fri, Jul 14, 2017 at 9:20 AM Jakub Hrozek wrote:

> On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users
> wrote:
> > Hi Jakub,
> >
> > Apologies for hijacking the thread but you reminded me of a longstanding
> > issue - I can't manually use kinit on my client nodes. As I operate a
> jump
> > server that means I get a ticket on first login but when i login to other
> > client systems the ticket gives me entry but doesn't follow me. When I
> try
> > to run kinit for my user the following message is printed:
> >
> > $ kinit callum
> > kinit: Generic preauthentication failure while getting initial
> credentials
> >
> > Not a single local log entry is generated. Any ideas?
>
> kinit doesn't generate logs unless you set the KRB5_TRACE variable, e.g.
> KRB5_TRACE=/dev/stderr kinit callum
>
-- 
Callum Guy
Head of Information Security
X-on



[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users 
wrote:
> > Can you do a test on the server by calling
> > 
> > id username(a)ad.domain
> > 
> > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> > well?
> I uploaded these files to the same place as before - goo.gl/hiFHKE. They have 
> SERVER prefix in their names.
> 
> > In the id output all groups should have a GID and a name, if there are
> > groups with only a GID this might have caused the issue on the client as
> > well.
> 
> This could be the root cause of the issues with rules propagation, because:
> groups j...@td.mydomain.com
> j...@td.mydomain.com : j...@td.mydomain.com groups: cannot find name for 
> group ID 752600513 752600513

yes, but I think this is only a side effect. SSSD cannot resolve a
global catalog server. Does

dig SRV _gc._tcp.td.mydomain.com

return anything when called on the IPA server?

> 
> Interestingly, ipa group-find doesn't show a group with that id, nor do I 
> recognize adding a group with such an ID. 

It is most probably the GID of the 'Domain Users' group of the AD
domain.

> I tried to resolve it by adding a group with such ID locally on the server, 
> but it didn't change anything except for the result of groups command above.

Please remove the entry again, it might cause all kinds of irritations.

bye,
Sumit

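As an added example (not part of this thread, and not SSSD or FreeIPA code), the Python below does the two checks Sumit describes: it picks out the groups in `id` output that have a GID but no name, and it relates such a GID back to an AD RID so the "752600513" from the quoted `groups` output can be tied to a well-known group. The mapping assumes the defaults for algorithmic ID mapping: a 200000-wide slice per domain whose base is a multiple of 200000 (sssd-ad(5)'s ldap_idmap_range_min and ldap_idmap_range_size, and likewise how FreeIPA sizes an ipa-ad-trust range), with the RID added to the slice base; confirm the real values with `ipa idrange-find` before trusting the result. The `id` line and the user name in it are constructed; the two SIDs are the complete ones shown in the ad_users_external group earlier in the thread.

```python
"""Relate unnamed GIDs in `id` output to AD RIDs under SSSD's algorithmic ID mapping."""
import re

# sssd-ad(5) defaults; check the trust's actual range with `ipa idrange-find`.
RANGE_MIN = 200000    # ldap_idmap_range_min
RANGE_SIZE = 200000   # ldap_idmap_range_size

# Well-known domain-relative RIDs; 513 is "Domain Users", the primary group of every AD user.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}


def unnamed_groups(id_output):
    """GIDs in `id` output that SSSD could not name, e.g. 'groups=752600513,101025(ad_users)'."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    unnamed = []
    for item in m.group(1).split(","):
        gid, _, name = item.partition("(")
        if not name:
            unnamed.append(int(gid))
    return unnamed


def rid_from_posix_id(posix_id, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Invert the mapping: each domain owns one slice of range_size IDs and
    posix_id = slice_base + rid, so the RID is the offset within the slice."""
    if posix_id < range_min:
        raise ValueError(f"{posix_id} is below the idmap range; not an AD-mapped ID")
    return (posix_id - range_min) % range_size


def rid_from_sid(sid):
    """The last component of a domain SID is the RID."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError(f"not a domain SID: {sid}")
    return int(sid.rsplit("-", 1)[1])


def explain_unnamed(id_output, external_member_sids=()):
    """For each unnamed GID return (gid, rid, label): the well-known group name,
    'listed as external member' if its RID matches a SID in the IPA external
    group, or 'unknown RID'."""
    known = {rid_from_sid(s): s for s in external_member_sids}
    out = []
    for gid in unnamed_groups(id_output):
        rid = rid_from_posix_id(gid)
        if rid in WELL_KNOWN_RIDS:
            label = WELL_KNOWN_RIDS[rid]
        elif rid in known:
            label = "listed as external member"
        else:
            label = "unknown RID"
        out.append((gid, rid, label))
    return out


# Constructed sample: the GID quoted in the thread with an invented user; the SIDs are
# the two complete ones shown as members of ad_users_external.
SAMPLE_ID = "uid=752601104(aduser@td.mydomain.com) gid=752600513 groups=752600513,101025(ad_users)"
SAMPLE_SIDS = ["S-1-5-21-4217214799-1184961203-849681438-1104",
               "S-1-5-21-4217214799-1184961203-849681438-1121"]

if __name__ == "__main__":
    for gid, rid, label in explain_unnamed(SAMPLE_ID, SAMPLE_SIDS):
        print(f"GID {gid} -> RID {rid}: {label}")
```

Run against a real user with `id user@ad.domain | python3 -c ...` or paste the line into SAMPLE_ID. A GID that resolves to RID 513 with no name means the IPA server could not look up Domain Users in AD, which is exactly the symptom of the missing _gc._tcp SRV record discussed above: the group lookup, not the user lookup, needs the global catalog. Creating a local group with that GID, as tried in the thread, gives the number a name but does not fix the resolution.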


[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread bogusmaster--- via FreeIPA-users
I also observed one peculiar thing when it comes to group membership of the 
group which is used in my HBAC rule.
When I issue getent group ad_users on the server, I get:
ad_users:*:101025:j...@td.mydomain.com

In the FreeIPA's web UI membership looks like follows:

External member

S-1-5-21-4217214799-1184961203-849681438-1104

S-1-5-21-4217214799-1184961203-849681438-

j...@td.mydomain.com

and ipa group-find returns these members:
Group name: ad_users_external
Description: ad_domain users external map
External member: S-1-5-21-4217214799-1184961203-849681438-1121, 
S-1-5-21-4217214799-1184961203-849681438-1104, 
S-1-5-21-4217214799-1184961203-849681438-

Could it also be that due to what is displayed in the FreeIPA's UI other two 
members are not returned correctly by the getent command?


[Freeipa-users] Re: Replication and SSL certs

2017-07-14 Thread Mark Haney via FreeIPA-users

On 07/13/2017 09:57 PM, Fraser Tweedale wrote:

OK, I think I understand.

ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
set up with a certificate issued by the IPA CA, which your browser
does not trust.

There are two ways forward here:

1.  You can use ipa-server-certinstall to install a 3rd-party (i.e.
not issued by the IPA CA but by a CA trusted by clients - including
browsers - in your organisation) certificate for the HTTP service.
This seems to be how ipa0 is set up so you might want to do that for
consistency.

2.  Add the IPA CA certificate to your browser as a trusted CA.  If
you need all clients (including users' browsers) in your
organisation to trust certs issued by your FreeIPA CA, then you need
to work out how to push the IPA CA out to all of them, or you need
to chain the IPA CA to a CA that they already trust (e.g.
organisations with Active Directory often chain their IPA CA up to
the AD CA).


Yeah, I got it figured out.  For some reason, I expected /all/ the SSL 
certs to be carried over when I went through the steps to build the 
replica server.  All of the /internal/ IPA ones did just fine. It seems 
that the wildcard cert that we're using for securing the Web interface 
did not (and probably doesn't for anyone else).  We have a GoDaddy 
signed wildcard SSL cert we use for any web interface (we're HTTPS-only 
now).  The process to set up the IPA replica didn't include that cert 
when I ran 'ipa-replica-install ipa0.gpg'.  So, I had to copy the CA 
bundle, .crt & .key files and manually install them using 
ipa-cacert-manage and ipa-server-certinstall.


I sort of expected the replica to be an identical replica in all 
settings, but maybe that was too high an expectation.  Regardless, I 
have it configured and working properly, so I can move onto putting it 
into production.


--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net

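The procedure Mark describes above (copy the CA bundle, .crt and .key to the replica, then ipa-cacert-manage and ipa-server-certinstall), written out as an added example. This is not code from the thread or from the FreeIPA project: the file paths, the NSS nickname "GoDaddyBundle", an unencrypted private key, and the ipa-certupdate step between the two commands are assumptions on my part. Both ipa tools prompt for the Directory Manager password. The pre-flight function catches the mistakes that otherwise only surface when the install or the browser check fails: cert and key swapped, an empty CA bundle, or a key readable by every user on the host.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: pre-flight
# checks plus the command sequence for installing a third-party (here:
# GoDaddy wildcard) certificate for the HTTP service on an IPA replica.
# File paths, the nickname "GoDaddyBundle" and an unencrypted key are
# assumptions.  The ipa tools prompt for the Directory Manager password.
set -eu

# True when FILE ($1) holds at least one PEM block labelled $2.
pem_has() {
    grep -q -- "-----BEGIN $2-----" "$1"
}

# True when FILE ($1) holds a PEM private key (PKCS#8, RSA or EC).
pem_is_key() {
    grep -Eq -- '^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# check_cert_bundle CERT KEY CA_BUNDLE
# Returns non-zero, with one message per problem on stderr, when the
# inputs are not what ipa-server-certinstall expects.
check_cert_bundle() {
    cert=$1 key=$2 ca=$3 status=0
    pem_has "$cert" CERTIFICATE || { echo "no CERTIFICATE block in $cert" >&2; status=1; }
    pem_is_key "$key"           || { echo "no PRIVATE KEY block in $key" >&2; status=1; }
    pem_has "$ca" CERTIFICATE   || { echo "no CERTIFICATE block in CA bundle $ca" >&2; status=1; }
    # -perm -004: the world-readable bit is set on the key file.
    if [ -f "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "$key is world-readable; chmod 600 it before installing" >&2
        status=1
    fi
    return $status
}

# install_http_cert CERT KEY CA_BUNDLE
install_http_cert() {
    check_cert_bundle "$1" "$2" "$3"
    # 1. Make the third-party CA chain known to IPA (ipa-cacert-manage
    #    stores it in LDAP).  "-t C,," are certutil trust flags.
    ipa-cacert-manage install "$3" -n GoDaddyBundle -t C,,
    # 2. Refresh this host's local trust stores from the IPA CA list.
    ipa-certupdate
    # 3. Install cert and key for the web server only (-w); add -d to
    #    replace the LDAP server certificate as well.
    ipa-server-certinstall -w "$1" "$2"
    systemctl restart httpd
}

# Only act when given the three files, so the checks can be sourced and
# run on their own.
if [ $# -eq 3 ]; then
    install_http_cert "$1" "$2" "$3"
fi
```

Run it as `sh install-http-cert.sh /root/certs/wildcard.crt /root/certs/wildcard.key /root/certs/gd_bundle.crt` on the replica; source the file instead to call check_cert_bundle alone before copying anything onto a production host.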

[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread bogusmaster--- via FreeIPA-users
> Can you do a test on the server by calling
> 
> id username@ad.domain
> 
> and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> well?
I uploaded these files to the same place as before - goo.gl/hiFHKE. They have 
SERVER prefix in their names.

> In the id output all groups should have a GID and a name, if there are
> groups with only a GID this might have caused the issue on the client as
> well.

This could be the root cause of the issues with rules propagation, because:
groups j...@td.mydomain.com
j...@td.mydomain.com : j...@td.mydomain.com groups: cannot find name for group 
ID 752600513 752600513

Interestingly, ipa group-find doesn't show a group with that ID, nor do I 
recognize adding a group with such an ID. 
I tried to resolve it by adding a group with such an ID locally on the server, but 
it didn't change anything except for the result of the groups command above.


[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users wrote:
> Hi Jakub,
> 
> Apologies for hijacking the thread but you reminded me of a longstanding
> issue - I can't manually use kinit on my client nodes. As I operate a jump
> server that means I get a ticket on first login but when I log in to other
> client systems the ticket gives me entry but doesn't follow me. When I try
> to run kinit for my user the following message is printed:
> 
> $ kinit callum
> kinit: Generic preauthentication failure while getting initial credentials
> 
> Not a single local log entry is generated. Any ideas?

kinit doesn't generate logs unless you set the KRB5_TRACE variable, e.g.
KRB5_TRACE=/dev/stderr kinit callum


[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Callum Guy via FreeIPA-users
Hi Jakub,

Apologies for hijacking the thread but you reminded me of a longstanding
issue - I can't manually use kinit on my client nodes. As I operate a jump
server that means I get a ticket on first login but when I log in to other
client systems the ticket gives me entry but doesn't follow me. When I try
to run kinit for my user the following message is printed:

$ kinit callum
kinit: Generic preauthentication failure while getting initial credentials

Not a single local log entry is generated. Any ideas?

Thanks,


On Fri, Jul 14, 2017 at 7:22 AM Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Jul 14, 2017 at 02:02:03AM -, patrick.mchale--- via
> FreeIPA-users wrote:
> > Hi,
> >
> > I am getting an error logging into a FreeIPA server from a new FreeIPA
> client. I have reset the password for the user using "kinit admin" but
> still no joy. Is there another password that is needing to be set?.
> >
> > Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Password has expired
> > Jul 14 13:53:41 ipa-client [sssd[krb5_child[2457]]]: Decrypt integrity
> check failed
> > Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Password has expired
> > Jul 14 13:54:40 ipa-client [sssd[krb5_child[2466]]]: Decrypt integrity
> check failed
>
> sssd should have prompted you for the new password.. The "Decrypt
> integrity check failed" sounds like the wrong password was entered,
> though.
>
> does kinit $user work?
-- 
Callum Guy
Head of Information Security
X-on




[Freeipa-users] Re: HBAC rules / ssh keys for AD users not working right away

2017-07-14 Thread Sumit Bose via FreeIPA-users
On Thu, Jul 13, 2017 at 07:22:58PM -, bogusmaster--- via FreeIPA-users 
wrote:
> I've uploaded them here: goo.gl/hiFHKE

Thanks.

[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).

This indicates that the user cannot be found on the server. There are
two reasons for this. Either the user itself cannot be looked up at all
or the group memberships cannot be resolved completely.

Can you do a test on the server by calling

id username@ad.domain

and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
well?

In the id output all groups should have a GID and a name, if there are
groups with only a GID this might have caused the issue on the client as
well.

bye,
Sumit

> 
> Thank you,
> Bart
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org