[Freeipa-users] Re: migration command cannot enable user

2018-05-22 Thread barrykfl--- via FreeIPA-users
example 1
Operations Error

Some entries were not deleted

   - aaron: user not found

example 2

Is it possible to skip the password migration process so users do not need to
confirm once (all password hashes transferred so users use the same password)?

Regards

2018-05-22 2:13 GMT+08:00 Rob Crittenden:

> barry...@gmail.com wrote:
> > all usernames migrated but cannot login even I
> > used https://your.domain/ipa/migration/
> > to verified successfully ... It
> > still say password incorrect.
>
> Be sure that user you are binding to the remote server with has read
> access to the userPassword attribute. IPA will not complain if it does
> not get a password set.
>
> > then I want to delete all but it said no entry when I press del.
>
> Not enough information to help you here. The command-line is easier to
> debug in this regard.
>
> rob
>
> > 2018-05-22 1:36 GMT+08:00 Rob Crittenden:
> >
> > barrykfl--- via FreeIPA-users wrote:
> > > Dear all:
> > >
> > > I used this migration command migrate users but the user does not
> > > work.
> >
> > How does the user not work? What did you use to confirm it?
> >
> > > IPA is unable to generate Kerberos keys unless provided
> > > with clear text passwords. All migrated users need to
> > > login at https://your.domain/ipa/migration/ before they
> > > can use their Kerberos accounts.
> > >
> > > even now i want to del it said account not exists, but can really
> > > shown on UI.
> >
> > Can you try on the command-line:
> >
> > % ipa user-show someuser
> > % ipa user-del someuser
> >
> > rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OYT2OEHT3HFBZDOWLY7FS3XBASVD6MER/
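
The check Rob describes in the thread above (the migration bind user must be able to read userPassword, and IPA stays silent when it cannot) can be done before migrating. This is an added example, not code from the thread or from FreeIPA; the server URL, base DN, and the `MIGRATION_BIND_DN` variable are placeholders, and the LDIF sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Host, base DN and bind DN are
# placeholders; the LDIF in sample_ldif is constructed.

# Dump uid and userPassword for every account, binding as the same DN that
# will be given to the migration. ldif-wrap=no keeps each value on one line.
dump_remote_users() {
    ldapsearch -x -o ldif-wrap=no \
        -H "ldap://old-ldap.example.test" \
        -D "$MIGRATION_BIND_DN" -W \
        -b "ou=People,dc=example,dc=test" \
        "(uid=*)" uid userPassword
}

# Read LDIF on stdin and print the uid of every entry that came back
# without a userPassword value. An attribute the bind DN is not allowed
# to read is simply absent from the result, so these are the accounts
# that would be migrated with no password.
users_missing_password() {
    awk '
        function emit() {
            if (uid != "" && !has_pw) print uid
            uid = ""; has_pw = 0
        }
        /^#/ { next }            # LDIF comment
        /^$/ { emit(); next }    # a blank line ends an entry
        /^ / { next }            # folded continuation line, ignored
        {
            split($0, kv, ":")
            attr = tolower(kv[1])
            if (attr == "uid") {
                sub(/^[^:]*::? */, "")   # strip "uid: " or "uid:: "
                uid = $0
            } else if (attr == "userpassword") {
                has_pw = 1
            }
        }
        END { emit() }
    '
}

# Constructed sample: one entry without userPassword, one with a base64
# value (double colon), one with a plain value.
sample_ldif() {
    cat <<'EOF'
# constructed sample, not real directory data
dn: uid=aaron,ou=People,dc=example,dc=test
uid: aaron
cn: Aaron Example

dn: uid=freddy,ou=People,dc=example,dc=test
uid: freddy
userPassword:: Y29uc3RydWN0ZWQ=

dn: uid=someuser,ou=People,dc=example,dc=test
uid: someuser
userPassword: {SSHA}constructed
EOF
}

sample_ldif | users_missing_password
```

Against a live directory, run `dump_remote_users | users_missing_password`; any uid it prints is an account the bind DN could not read a password for.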


[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Mark Reynolds via FreeIPA-users


On 05/22/2018 05:32 PM, Michael Rainey (Contractor, Code 7320) via
FreeIPA-users wrote:
> The mystery continues.  It seems might be working but in reality it's
> not.  The replica has stopped updating from the master and is unable
> to talk to the LDAP server.  I'm fairly certain this is a certificate
> issue.  However, my certs appear to be valid.
>
> So far, the ipa-replica-manage command using the re-initialize or
> force-sync is not fixing the problem.  Copying the LDAP database from
> the master to the replica has not worked.  Where do I go from here?
>> # ipa-replica-manage list tierod. -v
>> fitch.: replica
>>   last init status: None
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (0) Replica acquired successfully:
>> Incremental update succeeded
>>   last update ended: 2018-05-22 21:19:06+00:00
>> sump.: replica
The directory server access log on (sump) should confirm your theory

But of course I have to ask, is sump actually running?
>>   last init status: -1  - LDAP error: Can't contact LDAP server
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (-1) Problem connecting to replica - LDAP
>> error: Can't contact LDAP server (connection error)
>>   last update ended: 1970-01-01 00:00:00+00:00
>
>
>> # ipa-replica-manage list sump. -v
>> Directory Manager password:
>>
>> tierod.: replica
>>   last init status: None
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (0) Replica acquired successfully:
>> Incremental update succeeded
>>   last update ended: 2018-05-22 21:09:22+00:00


[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Michael Rainey (Contractor, Code 7320) via FreeIPA-users
The mystery continues.  It seems might be working but in reality it's 
not.  The replica has stopped updating from the master and is unable to 
talk to the LDAP server.  I'm fairly certain this is a certificate 
issue.  However, my certs appear to be valid.


So far, the ipa-replica-manage command using the re-initialize or 
force-sync is not fixing the problem.  Copying the LDAP database from 
the master to the replica has not worked.  Where do I go from here?

# ipa-replica-manage list tierod. -v
fitch.: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-22 21:19:06+00:00
sump.: replica
  last init status: -1  - LDAP error: Can't contact LDAP server
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00

# ipa-replica-manage list sump. -v
Directory Manager password:

tierod.: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-22 21:09:22+00:00



[Freeipa-users] Re: ipa operation errors from a client, but not servers

2018-05-22 Thread Rob Crittenden via FreeIPA-users
Kat via FreeIPA-users wrote:
> Now if only I could figure out how this happened??!
> 
> Weirdness indeed. Had to re-install python-gssapi and then reboot the
> server.
> 
> everything working flawlessly now.

rpm -V  might show you if something is corrupted.

rob

> 
> -K
> 
> 
> On 5/22/18 10:24, Alexander Bokovoy wrote:
>> On Tue, 22 May 2018, Kat via FreeIPA-users wrote:
>>> Anyone seen this before? Can't find anything in searches.
>>>
>>> (Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
>>> (Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
>>>
>>> On a client, running RHEL 7.4, and IPA server is RHEL 7.5
>>>
>>>  $ipa user-show freddy --all
>>> ipa: ERROR: ImportError: No module named gssapi
>> it means you have no python-gssapi installed.
>>
>> Which is weird because ipa-client has explicit requirement for
>> python-gssapi.
>>
>> Could you show output of
>>
>> rpm -q --provides ipa-client
>>
>> ?
>>
>>
>>> Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run
>>>     api.finalize()
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
>>>     self.__do_if_not_done('load_plugins')
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
>>>     getattr(self, name)()
>>>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
>>>     for package in self.packages:
>>>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945, in packages
>>>     import ipaclient.remote_plugins
>>>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 14, in <module>
>>>     from ipaclient.plugins.rpcclient import rpcclient
>>>   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line 32, in <module>
>>>     from ipalib.rpc import xmlclient, jsonclient
>>>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in <module>
>>>     import gssapi
>>> ImportError: No module named gssapi
>>> ipa: ERROR: an internal error has occurred
>>>
>>> Same command on another host (client) - works flawlessly, but it is
>>> same software.
>>>
>>> Ideas?
>>>
>>> Kat
>>>


[Freeipa-users] Re: ipa operation errors from a client, but not servers

2018-05-22 Thread Kat via FreeIPA-users

Now if only I could figure out how this happened??!

Weirdness indeed. Had to re-install python-gssapi and then reboot the 
server.


everything working flawlessly now.

-K




[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Mark Reynolds via FreeIPA-users


On 05/22/2018 11:24 AM, Michael Rainey (Contractor, Code 7320) via
FreeIPA-users wrote:
> Well I'm sure how this happened.  It looks like I have an Identity
> server that has a replication agreement with itself.  Is there a
> method to help clean this up?
>
>> # ipa-replica-manage list sump. -v
>> Directory Manager password:
>>
>> sump.: replica
>>   last init status: None
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (0) Replica acquired successfully: Unable
>> to aquire replica: the replica has the same Replica ID as this one.
>> Replication is aborting.
This means you have two replicas that are using the same replica id
(nsds5replicaid).  Perhaps this agreement is old and needs to be removed?
>>   last update ended: 1970-01-01 00:00:00+00:00
>> tierod.: replica
>>   last init status: None
>>   last init ended: 1970-01-01 00:00:00+00:00
>>   last update status: Error (0) Replica acquired successfully:
>> Incremental update succeeded
>>   last update ended: 2018-05-22 15:07:23+00:00
>
>
>

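The `ipa-replica-manage list -v` output in the "Major Server Failure" messages shows why the numeric code alone is not a health signal: the duplicate Replica ID failure Mark Reynolds explains above is reported as `Error (0)`, the same code as a successful incremental update. This is an added example, not part of the thread or of FreeIPA; the `.example.test` host names and the sample output are constructed from the status lines quoted on this page.

```shell
#!/bin/sh
# Added example, not from the thread. Host names are constructed; the
# status strings are the ones quoted in the messages on this page.

# Read "ipa-replica-manage list <host> -v" output on stdin and print
# "<peer><TAB><problem>" for every agreement whose last update status
# is not a plain successful incremental update. Classification is by
# message text because the failure below also carries code (0).
replica_problems() {
    awk '
        # Peer header line, e.g. "sump.example.test: replica"
        /^[^ \t].*: replica$/ {
            host = $0
            sub(/: replica$/, "", host)
            next
        }
        /^[ \t]+last update status:/ {
            status = $0
            sub(/^[ \t]+last update status:[ \t]*/, "", status)
            if (status ~ /same Replica ID/)
                kind = "duplicate-replica-id"
            else if (status ~ /Can.t contact LDAP server/)
                kind = "unreachable"
            else if (status ~ /Incremental update succeeded/)
                next
            else
                kind = "other"
            printf "%s\t%s\n", host, kind
        }
    '
}

# Constructed sample combining the three states seen in the thread.
sample_status() {
    cat <<'EOF'
Directory Manager password:

fitch.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-22 21:19:06+00:00
sump.example.test: replica
  last init status: -1  - LDAP error: Can't contact LDAP server
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
tierod.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.
  last update ended: 1970-01-01 00:00:00+00:00
EOF
}

sample_status | replica_problems
```

The parser expects each status on a single line, as the tool prints it; output pasted from a mail client that wrapped long lines needs rejoining first.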

[Freeipa-users] Re: ipa operation errors from a client, but not servers

2018-05-22 Thread Kat via FreeIPA-users
BUT - using your logic - I removed just python-gssapi and re-installed 
it and everything works again.


Should have tried that.

Kat




[Freeipa-users] Re: ipa operation errors from a client, but not servers

2018-05-22 Thread Kat via FreeIPA-users

nope - first thing I looked at. On the client that works:

$ sudo rpm -qa | grep gss

cyrus-sasl-gssapi-2.1.26-21.el7.x86_64
python-gssapi-1.2.0-3.el7.x86_64
gssproxy-0.7.0-4.el7.x86_64

On the broken client:

$ sudo rpm -qa | grep gss

python-gssapi-1.2.0-3.el7.x86_64
gssproxy-0.7.0-4.el7.x86_64
cyrus-sasl-gssapi-2.1.26-21.el7.x86_64

still scratching my head



[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Michael Rainey (Contractor, Code 7320) via FreeIPA-users
Well I'm sure how this happened.  It looks like I have an Identity 
server that has a replication agreement with itself.  Is there a method 
to help clean this up?



# ipa-replica-manage list sump. -v
Directory Manager password:

sump.: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Unable to aquire replica: the replica has the same Replica ID as this one. Replication is aborting.
  last update ended: 1970-01-01 00:00:00+00:00
tierod.: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-05-22 15:07:23+00:00




[Freeipa-users] Re: ipa operation errors from a client, but not servers

2018-05-22 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 22 May 2018, Kat via FreeIPA-users wrote:

> Anyone seen this before? Can't find anything in searches.
>
> (Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
> (Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
>
> On a client, running RHEL 7.4, and IPA server is RHEL 7.5
>
>  $ipa user-show freddy --all
> ipa: ERROR: ImportError: No module named gssapi

it means you have no python-gssapi installed.

Which is weird because ipa-client has explicit requirement for
python-gssapi.

Could you show output of

rpm -q --provides ipa-client

?

> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run
>     api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
>     for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945, in packages
>     import ipaclient.remote_plugins
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 14, in <module>
>     from ipaclient.plugins.rpcclient import rpcclient
>   File "/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line 32, in <module>
>     from ipalib.rpc import xmlclient, jsonclient
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in <module>
>     import gssapi
> ImportError: No module named gssapi
> ipa: ERROR: an internal error has occurred
>
> Same command on another host (client) - works flawlessly, but it is
> same software.
>
> Ideas?
>
> Kat



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] ipa operation errors from a client, but not servers

2018-05-22 Thread Kat via FreeIPA-users

Anyone seen this before? Can't find anything in searches.

(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-4.5.4-10.el7_5.1.x86_64)

On a client, running RHEL 7.4, and IPA server is RHEL 7.5

 $ipa user-show freddy --all
ipa: ERROR: ImportError: No module named gssapi
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1356, in run
    api.finalize()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
    for package in self.packages:
  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 945, in packages
    import ipaclient.remote_plugins
  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 14, in <module>
    from ipaclient.plugins.rpcclient import rpcclient
  File "/usr/lib/python2.7/site-packages/ipaclient/plugins/rpcclient.py", line 32, in <module>
    from ipalib.rpc import xmlclient, jsonclient
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 45, in <module>
    import gssapi
ImportError: No module named gssapi
ipa: ERROR: an internal error has occurred

Same command on another host (client) - works flawlessly, but it is same 
software.


Ideas?

Kat



[Freeipa-users] Re: PKI with IPA

2018-05-22 Thread Rob Crittenden via FreeIPA-users
Maciej Drobniuch via FreeIPA-users wrote:
> Hey Fraser,
> 
> That it is in CRL format. 

Then yes.

rob

> 
> BR
> Maciej
> 
> On Fri, May 18, 2018 at 6:18 AM, Fraser Tweedale wrote:
> 
> Hi Maciej,
> 
> I concur with the answers in Rob's reply.  But I have one question.
> 
> On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via
> FreeIPA-users wrote:
> > 3. How can I export the IPA revocation list so it's compliant with
> > servers (CRL format)
> >
> What do you mean by "compliant with servers"?
> 
> Thanks,
> Fraser
> 
> 
> 
> 
> -- 
> Best regards
> 
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
> 
> 


[Freeipa-users] Re: ipsilon

2018-05-22 Thread Andrew Meyer via FreeIPA-users
What about on CentOS 7? 

On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote:

On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 17 May 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd.  But when I go to log in  at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what.  This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:

    https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine

and I've used it for number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA
is python3 and Ipsilon is python2, and wsgi does not like mixing the
two.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat


[Freeipa-users] Re: ipsilon

2018-05-22 Thread Jan Pazdziora via FreeIPA-users
On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Thu, 17 May 2018, Andrew Meyer wrote:
> > So I followed the directions to add it to my dev freeipa servers,
> > restarted the httpd.  But when I go to log in  at
> > https://myserver/idp as admin or myself, I get 401 Unauthorized no
> > matter what.  This is what I need to install the server: sudo
> > ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes
> I do not run Ipsilon on the same machine as IPA master and do not
> recommend that. Use a separate IPA client.

It used to work fairly well in 2015:

https://www.adelton.com/freeipa/freeipa-ipsilon-single-machine

and I've used it for number of demos and testing.

However, at least with Fedora 28, it will fail simply because FreeIPA
is python3 and Ipsilon is python2, and wsgi does not like mixing the
two.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat


[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-22 Thread Duncan Colhoun via FreeIPA-users
Thanks - very helpful


[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-22 Thread Duncan Colhoun via FreeIPA-users
Thanks


[Freeipa-users] Re: PKI with IPA

2018-05-22 Thread Maciej Drobniuch via FreeIPA-users
Hey Fraser,

That it is in CRL format.

BR
Maciej

On Fri, May 18, 2018 at 6:18 AM, Fraser Tweedale wrote:

> Hi Maciej,
>
> I concur with the answers in Rob's reply.  But I have one question.
>
> On Thu, May 17, 2018 at 04:03:36PM +0200, Maciej Drobniuch via
> FreeIPA-users wrote:
> > 3. How can I export the IPA revocation list so it's compliant with
> > servers (CRL format)
> >
> What do you mean by "compliant with servers"?
>
> Thanks,
> Fraser
>



-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC