Re: [Freeipa-users] Sync with AD error
Sigbjørn Lie wrote:
> On 03/11/2011 09:16 PM, Rob Crittenden wrote:
>> Sigbjørn Lie wrote:
>>> Hi,
>>>
>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>>> sync agreement with Active Directory.
>>>
>>> Added CA certificate /root/testing-ca.cer to certificate database for
>>> ipasrv01.ix.testing.com
>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>>> acquired successfully: Incremental update succeeded: start:
>>> 20110311195207Z: end: 20110311195207Z
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> ipa: INFO: Failed to create public entry for winsync replica
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>
>>> Now I can't list the sync agreements. All I get is:
>>>
>>> # ipa-replica-manage list
>>> unexpected error: * not found
>>>
>>> Any ideas?
>>
>> Can you try running /usr/sbin/ipa-ldap-updater?
>>
>> The problem is this didn't run at install so the spot in the DIT to store
>> windows replication agreement info wasn't created, so it couldn't be added
>> (the "Failed to create public entry for winsync replica" part).
>>
>> Once you've run ipa-ldap-updater you can add the info with something like:
>>
>> ldapmodify -x -D 'cn=directory manager' -W
>> dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
>> changetype: add
>> objectclass: nsContainer
>> objectclass: ipaConfigObject
>> cn: addc01.ad.testing.com
>> ipaConfigString: winsync:ipasrv01.ix.testing.com
>> ^D to quit
>
> Hi,
>
> Thank you. I tried this, the ipa-ldap-updater script updated and created
> quite a few entries and exited without any errors. I then added the info
> as you suggested, also without any errors. However listing replicas still
> doesn't work.
>
> Actually, running force-sync or re-initialize yells exactly the same
> error message.
>
> # ipa-replica-manage list
> unexpected error: * not found

Hmm, can you provide the output of (you can send privately if you want):

kinit admin
ldapsearch -Y GSSAPI -b cn=masters,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

and

ldapsearch -Y GSSAPI -b cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com

There must be an additional entry that wasn't added but I haven't figured
out what it is yet.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sync with AD error
On 03/11/2011 03:31 PM, Sigbjørn Lie wrote:
> On 03/11/2011 09:15 PM, Dmitri Pal wrote:
>> On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
>>> Hi,
>>>
>>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>>> sync agreement with Active Directory.
>>
>> Did you upgrade in place or re-installed?
>> The recent (a month ago or so) changes moved the location of the
>> replication agreements.
>> There were a lot of other changes in this area.
>> We do not support smooth migration between beta and RCs; that would have
>> taken too much effort.
>> Can you please try on a fresh install?
>>
>> Thank you
>> Dmitri
>>
>>> Added CA certificate /root/testing-ca.cer to certificate database for
>>> ipasrv01.ix.testing.com
>>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>>> acquired successfully: Incremental update succeeded: start:
>>> 20110311195207Z: end: 20110311195207Z
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> ipa: INFO: Failed to create public entry for winsync replica
>>> Starting replication, please wait until this has completed.
>>> Update succeeded
>>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>>
>>> Now I can't list the sync agreements. All I get is:
>>>
>>> # ipa-replica-manage list
>>> unexpected error: * not found
>>>
>>> Any ideas?
>>>
>>> Rgds,
>>> Siggi
>
> Hi,
>
> I upgraded in place. I did the initial installation on the 12th of
> February. I think I started out with the first RC. Do I still have to
> reinstall?

Should be fine then.

> Rgds,
> Siggi

--
Thank you,
Dmitri Pal
Sr. Engineering Manager, IPA project, Red Hat Inc.
Re: [Freeipa-users] Sync with AD error
On 03/11/2011 09:15 PM, Dmitri Pal wrote:
> On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
>> Hi,
>>
>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>> sync agreement with Active Directory.
>
> Did you upgrade in place or re-installed?
> The recent (a month ago or so) changes moved the location of the
> replication agreements.
> There were a lot of other changes in this area.
> We do not support smooth migration between beta and RCs; that would have
> taken too much effort.
> Can you please try on a fresh install?
>
> Thank you
> Dmitri
>
>> Added CA certificate /root/testing-ca.cer to certificate database for
>> ipasrv01.ix.testing.com
>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>> acquired successfully: Incremental update succeeded: start:
>> 20110311195207Z: end: 20110311195207Z
>> ipa: INFO: Agreement is ready, starting replication . . .
>> ipa: INFO: Failed to create public entry for winsync replica
>> Starting replication, please wait until this has completed.
>> Update succeeded
>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>
>> Now I can't list the sync agreements. All I get is:
>>
>> # ipa-replica-manage list
>> unexpected error: * not found
>>
>> Any ideas?
>>
>> Rgds,
>> Siggi

Hi,

I upgraded in place. I did the initial installation on the 12th of February.
I think I started out with the first RC. Do I still have to reinstall?

Rgds,
Siggi
Re: [Freeipa-users] Sync with AD error
On 03/11/2011 09:16 PM, Rob Crittenden wrote:
> Sigbjørn Lie wrote:
>> Hi,
>>
>> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
>> sync agreement with Active Directory.
>>
>> Added CA certificate /root/testing-ca.cer to certificate database for
>> ipasrv01.ix.testing.com
>> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
>> acquired successfully: Incremental update succeeded: start:
>> 20110311195207Z: end: 20110311195207Z
>> ipa: INFO: Agreement is ready, starting replication . . .
>> ipa: INFO: Failed to create public entry for winsync replica
>> Starting replication, please wait until this has completed.
>> Update succeeded
>> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>>
>> Now I can't list the sync agreements. All I get is:
>>
>> # ipa-replica-manage list
>> unexpected error: * not found
>>
>> Any ideas?
>
> Can you try running /usr/sbin/ipa-ldap-updater?
>
> The problem is this didn't run at install so the spot in the DIT to store
> windows replication agreement info wasn't created, so it couldn't be added
> (the "Failed to create public entry for winsync replica" part).
>
> Once you've run ipa-ldap-updater you can add the info with something like:
>
> ldapmodify -x -D 'cn=directory manager' -W
> dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
> changetype: add
> objectclass: nsContainer
> objectclass: ipaConfigObject
> cn: addc01.ad.testing.com
> ipaConfigString: winsync:ipasrv01.ix.testing.com
> ^D to quit

Hi,

Thank you. I tried this, the ipa-ldap-updater script updated and created
quite a few entries and exited without any errors. I then added the info as
you suggested, also without any errors. However listing replicas still
doesn't work.

Actually, running force-sync or re-initialize yells exactly the same error
message.

# ipa-replica-manage list
unexpected error: * not found

Rgds,
Siggi
Re: [Freeipa-users] Sync with AD error
Sigbjørn Lie wrote:
> Hi,
>
> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
> sync agreement with Active Directory.
>
> Added CA certificate /root/testing-ca.cer to certificate database for
> ipasrv01.ix.testing.com
> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update succeeded: start:
> 20110311195207Z: end: 20110311195207Z
> ipa: INFO: Agreement is ready, starting replication . . .
> ipa: INFO: Failed to create public entry for winsync replica
> Starting replication, please wait until this has completed.
> Update succeeded
> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>
> Now I can't list the sync agreements. All I get is:
>
> # ipa-replica-manage list
> unexpected error: * not found
>
> Any ideas?

Can you try running /usr/sbin/ipa-ldap-updater?

The problem is this didn't run at install so the spot in the DIT to store
windows replication agreement info wasn't created, so it couldn't be added
(the "Failed to create public entry for winsync replica" part).

Once you've run ipa-ldap-updater you can add the info with something like:

ldapmodify -x -D 'cn=directory manager' -W
dn: cn=addc01.ad.testing.com,cn=replicas,cn=ipa,cn=etc,dc=ix,dc=testing,dc=com
changetype: add
objectclass: nsContainer
objectclass: ipaConfigObject
cn: addc01.ad.testing.com
ipaConfigString: winsync:ipasrv01.ix.testing.com
^D to quit
Re: [Freeipa-users] Sync with AD error
On 03/11/2011 03:00 PM, Sigbjørn Lie wrote:
> Hi,
>
> I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a
> sync agreement with Active Directory.

Did you upgrade in place or re-installed?
The recent (a month ago or so) changes moved the location of the
replication agreements.
There were a lot of other changes in this area.
We do not support smooth migration between beta and RCs; that would have
taken too much effort.
Can you please try on a fresh install?

Thank you
Dmitri

> Added CA certificate /root/testing-ca.cer to certificate database for
> ipasrv01.ix.testing.com
> ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update succeeded: start:
> 20110311195207Z: end: 20110311195207Z
> ipa: INFO: Agreement is ready, starting replication . . .
> ipa: INFO: Failed to create public entry for winsync replica
> Starting replication, please wait until this has completed.
> Update succeeded
> Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'
>
> Now I can't list the sync agreements. All I get is:
>
> # ipa-replica-manage list
> unexpected error: * not found
>
> Any ideas?
>
> Rgds,
> Siggi

--
Thank you,
Dmitri Pal
Sr. Engineering Manager, IPA project, Red Hat Inc.
[Freeipa-users] Sync with AD error
Hi,

I just upgraded my FreeIPA @ F14 to 2.0.0.rc3, and attempted to add a sync
agreement with Active Directory.

Added CA certificate /root/testing-ca.cer to certificate database for
ipasrv01.ix.testing.com
ipa: INFO: AD Suffix is: DC=ad,DC=testing,DC=com
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=ix,dc=testing,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
acquired successfully: Incremental update succeeded: start:
20110311195207Z: end: 20110311195207Z
ipa: INFO: Agreement is ready, starting replication . . .
ipa: INFO: Failed to create public entry for winsync replica
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipasrv01.ix.testing.com' to 'addc01.ad.testing.com'

Now I can't list the sync agreements. All I get is:

# ipa-replica-manage list
unexpected error: * not found

Any ideas?

Rgds,
Siggi
Re: [Freeipa-users] Repository error
From: "Rob Crittenden" rcrit...@redhat.com
> Sylvain PANNETRAT wrote:
>> Hello,
>>
>> I try to update a fedora 14 client, and get:
>>
>> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
>> [Errno -1] Metadata file does not match checksum
>>
>> After yum clean all, I get:
>>
>> freeipa-devel/primary | 8.8 kB 00:00
>> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
>> [Errno -1] Metadata file does not match checksum
>> Essai d'un autre miroir.
>> Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno
>> 256] No more mirrors to try.
>>
>> What can I do?
>>
>> Regards,
>> Sylvain PANNETRAT
>
> Try cleaning the yum cache for the repo.
>
> yum clean --disablerepo=* --enablerepo=freeipa-devel all
>
> rob

I made:

yum clean --disablerepo=* --enablerepo=freeipa-devel all

with the same error. I changed my proxy to another squid, and now it's OK.

Thanks
Sylvain PANNETRAT
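The "Metadata file does not match checksum" error above is yum comparing the primary.xml.gz it received (here, through a squid proxy) against the digest listed in repomd.xml. The following is an added example, not code from the thread or from yum, that performs the same comparison on its own so a stale or tampered proxy copy can be spotted without yum; the repomd.xml and repodata bytes are constructed samples, not the real freeipa-devel repository data.

```python
"""Verify repodata files against the checksums recorded in repomd.xml.

Added example (not yum's code). It builds a tiny constructed repository,
reads the <checksum> for each <data> element the way yum does, and reports
whether each file's actual digest matches. A False result for
repodata/primary.xml.gz is exactly the condition behind yum's
"Metadata file does not match checksum" message.
"""
import gzip
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by createrepo for repomd.xml.
REPO_NS = {"repo": "http://linux.duke.edu/metadata/repo"}


def build_sample_repo():
    """Construct a minimal repodata set: a gzipped primary.xml plus a
    repomd.xml that lists its sha256 digest, as createrepo would write."""
    primary_gz = gzip.compress(b'<metadata packages="0"/>\n')
    digest = hashlib.sha256(primary_gz).hexdigest()
    repomd = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">{digest}</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
"""
    return repomd, {"repodata/primary.xml.gz": primary_gz}


def expected_checksums(repomd_xml):
    """Map each <location href> in repomd.xml to (algorithm, hex digest)."""
    root = ET.fromstring(repomd_xml)
    expected = {}
    for data in root.findall("repo:data", REPO_NS):
        checksum = data.find("repo:checksum", REPO_NS)
        location = data.find("repo:location", REPO_NS)
        expected[location.get("href")] = (checksum.get("type"),
                                          checksum.text.strip().lower())
    return expected


def verify_repodata(repomd_xml, files):
    """Return {href: True | False | None}: True if the bytes in `files`
    (href -> bytes, e.g. as fetched through the proxy) match repomd.xml,
    False on mismatch, None if the file is not present."""
    report = {}
    for href, (algo, digest) in expected_checksums(repomd_xml).items():
        content = files.get(href)
        if content is None:
            report[href] = None
            continue
        actual = hashlib.new(algo, content).hexdigest()
        report[href] = (actual == digest)
    return report


if __name__ == "__main__":
    repomd, files = build_sample_repo()
    print("intact copy:", verify_repodata(repomd, files))
    # Simulate a proxy serving a corrupted/stale primary.xml.gz.
    stale = {"repodata/primary.xml.gz": files["repodata/primary.xml.gz"] + b"\0"}
    print("stale copy: ", verify_repodata(repomd, stale))
```

To check a real mirror, fetch repomd.xml and the listed files through the suspect proxy and pass their bytes to verify_repodata; a mismatch that disappears when bypassing the proxy points at the cache, as in Sylvain's case.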
Re: [Freeipa-users] Repository error
Sylvain PANNETRAT wrote:
> Hello,
>
> I try to update a fedora 14 client, and get:
>
> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
> [Errno -1] Metadata file does not match checksum
>
> After yum clean all, I get:
>
> freeipa-devel/primary | 8.8 kB 00:00
> http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
> [Errno -1] Metadata file does not match checksum
> Essai d'un autre miroir.
> Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno
> 256] No more mirrors to try.
>
> What can I do?
>
> Regards,
> Sylvain PANNETRAT

Try cleaning the yum cache for the repo.

yum clean --disablerepo=* --enablerepo=freeipa-devel all

rob
[Freeipa-users] Repository error
Hello,

I try to update a fedora 14 client, and get:

http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
[Errno -1] Metadata file does not match checksum

After yum clean all, I get:

freeipa-devel/primary | 8.8 kB 00:00
http://freeipa.com/downloads/devel/rpms/F14/x86_64/repodata/primary.xml.gz:
[Errno -1] Metadata file does not match checksum
Essai d'un autre miroir.
Erreur : failure: repodata/primary.xml.gz from freeipa-devel: [Errno
256] No more mirrors to try.

What can I do?

Regards,
Sylvain PANNETRAT
Re: [Freeipa-users] Unable to authenticate a client user against IPA
Simo Sorce wrote:
> - Original Message -
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/fed14-64-ipacl03.ipa.ac...@ipa.ac.NZ] not found in keytab [default]
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
>> (Fri Mar 11 12:47:41 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [sss_krb5_verify_keytab_ex] (0): Principal [host/Fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ] not found in keytab [default]
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [setup_child] (0): Could not verify keytab
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [load_backend_module] (0): Error (14) in module (ipa) initialization (sssm_ipa_id_init)!
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [be_process_init] (0): fatal error initializing data providers
>> (Fri Mar 11 12:47:42 2011) [sssd[be[ipa.ac.nz]]] [main] (0): Could not initialize backend [14]
>> [root@Fed14-64-ipacl03 sssd]#
>> [root@Fed14-64-ipacl03 sssd]# klist -k /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------
>>    1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
>>    1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
>>    1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
>>    1 host/fed14-64-ipacl03.ipa.ac...@ipa.ac.nz
>> [root@Fed14-64-ipacl03 sssd]#
>>
>> ?
>
> Caught Steven on IRC, this was a case of hostname being mixed case, which
> confuses kerberos libraries as they are case-sensitive and expect all
> lowercase names for hosts.
>
> This would not have been a problem if sssd just used the first key in the
> keytab instead of trying to guess the principal name in advance.
> (Yeah being stingy, no pressure Stephen :-)
>
> Simo.

Simo, this probably explains why the keytab isn't disabled on the server
when he uninstalls the client. I'll make sure that gets tested as part of
ticket 1080.

rob
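The failure Simo diagnoses is visible from two pieces of data an admin already has: the system hostname (here mixed-case, Fed14-64-ipacl03) and the principals in /etc/krb5.keytab (lowercase, as shown by klist -k). The following is an added example, not code from sssd or the thread participants, that parses klist -k output and reports whether the host principal sssd would look for is absent only because of letter case; the klist output and realm IPA.AC.NZ below are constructed from the log lines in the thread.

```python
"""Flag host-principal case mismatches between the system hostname and the
Kerberos keytab (added example; constructed klist sample, not real data).

sssd builds host/<hostname>@<REALM> from the system hostname and then
requires that exact, case-sensitive principal in /etc/krb5.keytab.
ipa-client-install writes the principal with a lowercase hostname, so a
mixed-case hostname yields the "Principal [...] not found in keytab"
errors seen in sssd_<domain>.log.
"""
import re
import socket
import subprocess

# Constructed sample of `klist -k /etc/krb5.keytab` on the client in the thread.
SAMPLE_KLIST = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
   1 host/fed14-64-ipacl03.ipa.ac.nz@IPA.AC.NZ
"""

# One keytab row: KVNO, then service/host@REALM.
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+([^/\s]+)/(\S+?)@(\S+)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, service, host, realm) tuples from klist -k output."""
    rows = []
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def check_host_principal(listing_text, system_hostname, realm):
    """Report whether host/<system_hostname>@<realm> is in the keytab.

    'case_mismatch' is True when the only difference between the wanted
    principal and one in the keytab is letter case, the exact failure
    mode from the thread (Kerberos compares principals case-sensitively).
    """
    wanted = f"host/{system_hostname}@{realm}"
    present = {f"{svc}/{host}@{rlm}"
               for _, svc, host, rlm in parse_keytab_listing(listing_text)}
    found = wanted in present
    case_mismatch = (not found) and any(p.lower() == wanted.lower()
                                        for p in present)
    return {"wanted": wanted, "found": found, "case_mismatch": case_mismatch,
            "keytab_host_principals": sorted(p for p in present
                                             if p.startswith("host/"))}


def main(realm="IPA.AC.NZ"):
    """Run against the live keytab if klist is available, else the sample."""
    try:
        listing = subprocess.run(["klist", "-k", "/etc/krb5.keytab"],
                                 capture_output=True, text=True,
                                 check=True).stdout
        hostname = socket.getfqdn()
    except (OSError, subprocess.CalledProcessError):
        listing, hostname = SAMPLE_KLIST, "Fed14-64-ipacl03.ipa.ac.nz"
    result = check_host_principal(listing, hostname, realm)
    if result["case_mismatch"]:
        print(f"{result['wanted']} missing only by case; set the hostname "
              f"to the lowercase FQDN and restart sssd")
    else:
        print("found" if result["found"] else "missing", result["wanted"])
    return result


if __name__ == "__main__":
    main()
```

The realm is passed in rather than read from /etc/krb5.conf, so substitute your own; sssd's own log names the principal it tried, which can be pasted in as system_hostname to confirm the diagnosis.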
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/10/2011 07:26 PM, Dmitri Pal wrote:
> On 03/10/2011 06:30 PM, Steven Jones wrote:
>> My problem is "To troubleshoot we need logs. There are all sorts of
>> logs and configuration files on the server and on the client."
>
> On the client:
>
> Config:
> 1) /etc/sssd/sssd.conf
> 2) /etc/pam.d/system-auth-ac
> 3) /etc/nsswitch.conf
>
> Logs: /var/log/sssd
> The most interesting one is sssd_default.log but you can include all of them.
> /var/log/ipaclient-install.log
> /var/log/ipaclient-uninstall.log

Just a correction, it wouldn't be sssd_default.log. It would be sssd_.log.
The ipa-client doesn't set up the 'default' domain, it names it after the
IPA domain. So it's possible you've been looking at the wrong log. (This
could also explain your comment about zero-length logs earlier).

Sorry for the confusion.

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-users] Unable to authenticate a client user against IPA
On 03/10/2011 06:30 PM, Steven Jones wrote:
> My problem is "To troubleshoot we need logs. There are all sorts of
> logs and configuration files on the server and on the client."
>
> That's just it. I don't know where to look. It's simply not documented,
> so what I need is for someone to tell me what logs you need and how to
> make the system log reliably. For instance debug_level = 9 in the
> sssd.conf still produces 0 length logs on client1, so there is nothing
> to report.

If that's happening, then it likely means that SSSD was never started (or
not restarted after adding debug_level=9; SSSD doesn't autodetect this
change). Please try 'service sssd restart'

> It may well be my problems stem from trying to use RHEL6 svr and KVM
> with fedora 14 clients inside it which I am finding very flaky. I may
> need to blow it away and move the test bed to vmware ESXi.
>
> Or maybe indeed I am serially doing something wrong.
>
> I am trying again to setup client 3, what selinux is telling me is
> ipa-submit is trying to open krb5.keytab
>
> I will test and maybe turn selinux off, if I can figure out how!

As root, run 'setenforce 0'. This will set SELinux into "permissive" mode.
It will still report SELinux errors, but it won't prevent the
functionality. Please keep an eye on any such errors and report them to us.

--
Stephen Gallagher
RHCE 804006346421761