Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young

On 11/04/2011 07:07 PM, Dmitri Pal wrote:

On 11/04/2011 04:23 PM, Jimmy wrote:


I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I 
guess the proper fix is to use the SL packages Adam referenced?


Correct.


It looks like Scientific Linux is behind as well: the packages on
http://ftp.scientificlinux.org/linux/scientific/ are all 2.0.0


for example

http://ftp.scientificlinux.org/linux/scientific/6rolling/x86_64/updates/fastbugs/ipa-client-2.0.0-23.el6_1.1.x86_64.rpm


Not sure how they are doing their naming scheme, as they have 6/, 6.1/,
6x/ and 6rolling, but they all look pretty much the same.





Jimmy


You need a newer ipa-client package. The extended operation we
used for enrollment changed. This was fixed in ipa-client-2.0-9.1
in RHEL 6.0.

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/







Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Rich Megginson

On 11/04/2011 05:12 PM, Dan Scott wrote:

On Fri, Nov 4, 2011 at 19:07, Rich Megginson wrote:

On 11/04/2011 04:51 PM, Dan Scott wrote:

Hi,

On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:

Dan Scott wrote:

Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:

On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.

Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...

Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan

memberof should exist. memberof should be calculated on the fly from the
member information. I'm not sure why you aren't seeing it.

You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory
manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v

This should rebuild the memberof values.

Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2
servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?

I don't see any problems there.

Do you have objectclass: inetUser in your user entries?

Yep. That attribute exists for all of the users that I checked.
Find a user that should exist in a group e.g. uid=dscott,...the rest of 
the dn...

do a search for the group that should contain that user e.g.
ldapsearch -x -b dc=example,dc=com '(member=uid=dscott,...the rest of the dn...)'


Does it return the group entry?

Dan




Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Dan Scott
On Fri, Nov 4, 2011 at 19:07, Rich Megginson wrote:
> On 11/04/2011 04:51 PM, Dan Scott wrote:
>>
>> Hi,
>>
>> On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:
>>>
>>> Dan Scott wrote:

 Hi,

 On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
>
> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>>
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>> -x
>>
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
>>
>> Can someone help me modify the above command so that I can find users,
>> using their email address, who are also members of a particular group?
>> Preferably using one command.
>
> Dan-
>
> It looks like you are missing the cn=accounts in your filter:
>
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
> -x ...

 Thanks for spotting that, it was an error from when I was removing my
 domain information.

 However, the problem remains that the memberOf attributes don't exist
 in FreeIPA V2, so I need to figure out another way to do the search.

 Thanks,

 Dan
>>>
>>> memberof should exist. memberof should be calculated on the fly from the
>>> member information. I'm not sure why you aren't seeing it.
>>>
>>> You can try this, substituting for your domain:
>>>
>>> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory
>>> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>>>
>>> This should rebuild the memberof values.
>>
>> Thanks for the tip, but it doesn't seem to be working. I run the
>> command and get a response. It says:
>>
>> adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
>> task, cn=tasks, cn=config"
>> modify complete
>>
>> But the memberOf attributes don't appear (on either server - I have 2
>> servers replicating).
>>
>> There are a couple of suspicious errors in the dirsrv log file:
>>
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>> entries set up under cn=ng, cn=compat, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
>> entries set up under ou=SUDOers, dc=example,dc=com
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>> should be added before the CoS Definition.
>> [04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
>> Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
>> should be added before the CoS Definition.
>>
>> The other server contains similar lines and also shows some errors
>> when I rebooted the first server. But eventually it shows:
>>
>> Replication bind with GSSAPI auth resumed
>>
>> So I guess it's all OK?
>
> I don't see any problems there.
>
> Do you have objectclass: inetUser in your user entries?

Yep. That attribute exists for all of the users that I checked.

Dan



Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Rich Megginson

On 11/04/2011 04:51 PM, Dan Scott wrote:

Hi,

On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:

Dan Scott wrote:

Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:

On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.

Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...

Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan

memberof should exist. memberof should be calculated on the fly from the
member information. I'm not sure why you aren't seeing it.

You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory
manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v

This should rebuild the memberof values.

Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2
servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?

I don't see any problems there.

Do you have objectclass: inetUser in your user entries?

Thanks,

Dan





Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Dmitri Pal
On 11/04/2011 04:23 PM, Jimmy wrote:
>
> I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I
> guess the proper fix is to use the SL packages Adam referenced?

Correct.

> Jimmy
>
>
> You need a newer ipa-client package. The extended operation we
> used for enrollment changed. This was fixed in ipa-client-2.0-9.1
> in RHEL 6.0.
>
> rob
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.






Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Dan Scott
Hi,

On Fri, Nov 4, 2011 at 18:13, Rob Crittenden wrote:
> Dan Scott wrote:
>>
>> Hi,
>>
>> On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
>>>
>>> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:

 ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
 "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
 -x

 In version 2, it looks like the memberOf attributes have been removed
 from the user entries and the user group membership information is
 stored only in the 'member' attribute of the individual group entries.

 Can someone help me modify the above command so that I can find users,
 using their email address, who are also members of a particular group?
 Preferably using one command.
>>>
>>> Dan-
>>>
>>> It looks like you are missing the cn=accounts in your filter:
>>>
>>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
>>> -x ...
>>
>> Thanks for spotting that, it was an error from when I was removing my
>> domain information.
>>
>> However, the problem remains that the memberOf attributes don't exist
>> in FreeIPA V2, so I need to figure out another way to do the search.
>>
>> Thanks,
>>
>> Dan
>
> memberof should exist. memberof should be calculated on the fly from the
> member information. I'm not sure why you aren't seeing it.
>
> You can try this, substituting for your domain:
>
> # /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory
> manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v
>
> This should rebuild the memberof values.

Thanks for the tip, but it doesn't seem to be working. I run the
command and get a response. It says:

adding new entry "cn=memberOf_fixup_2011_11_4_18_46_11, cn=memberOf
task, cn=tasks, cn=config"
modify complete

But the memberOf attributes don't appear (on either server - I have 2
servers replicating).

There are a couple of suspicious errors in the dirsrv log file:

[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] schema-compat-plugin - warning: no
entries set up under ou=SUDOers, dc=example,dc=com
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[04/Nov/2011:18:30:53 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=example,dc=com--no CoS Templates found, which
should be added before the CoS Definition.

The other server contains similar lines and also shows some errors
when I rebooted the first server. But eventually it shows:

Replication bind with GSSAPI auth resumed

So I guess it's all OK?

Thanks,

Dan



Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Rob Crittenden

Dan Scott wrote:

Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:

On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.


Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...


Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan


memberof should exist. memberof should be calculated on the fly from the 
member information. I'm not sure why you aren't seeing it.


You can try this, substituting for your domain:

# /var/lib/dirsrv/scripts-EXAMPLE-COM/fixup-memberof.pl -D 'cn=directory 
manager' -w - -b dc=example,dc=com -f "(objectclass=*)" -v


This should rebuild the memberof values.

rob



Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Stephen Ingram
On Fri, Nov 4, 2011 at 3:05 PM, Dan Scott wrote:
> Thanks for spotting that, it was an error from when I was removing my
> domain information.
>
> However, the problem remains that the memberOf attributes don't exist
> in FreeIPA V2, so I need to figure out another way to do the search.

Maybe everything didn't come across correctly in the upgrade. memberOf
attributes *do* exist in v2. I know because I'm using them at this
very moment. Have you searched your tree to see how everything was
converted?



Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Dan Scott
Hi,

On Fri, Nov 4, 2011 at 17:38, Stephen Ingram wrote:
> On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
>> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
>> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
>> -x
>>
>> In version 2, it looks like the memberOf attributes have been removed
>> from the user entries and the user group membership information is
>> stored only in the 'member' attribute of the individual group entries.
>>
>> Can someone help me modify the above command so that I can find users,
>> using their email address, who are also members of a particular group?
>> Preferably using one command.
>
> Dan-
>
> It looks like you are missing the cn=accounts in your filter:
>
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
> -x ...

Thanks for spotting that, it was an error from when I was removing my
domain information.

However, the problem remains that the memberOf attributes don't exist
in FreeIPA V2, so I need to figure out another way to do the search.

Thanks,

Dan



Re: [Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Stephen Ingram
On Fri, Nov 4, 2011 at 2:12 PM, Dan Scott wrote:
> ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
> "(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
> -x
>
> In version 2, it looks like the memberOf attributes have been removed
> from the user entries and the user group membership information is
> stored only in the 'member' attribute of the individual group entries.
>
> Can someone help me modify the above command so that I can find users,
> using their email address, who are also members of a particular group?
> Preferably using one command.

Dan-

It looks like you are missing the cn=accounts in your filter:

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com))"
-x ...

Steve



[Freeipa-users] LDAP search for email address of user in a particular group

2011-11-04 Thread Dan Scott
Hi,

I've just migrated a couple of servers from FreeIPA 1.2 to 2.1. I'm
almost done. I just have a few custom LDAP searches to migrate.

With the old system, I was trying to look up users who are in a
particular group by their email address, i.e.

ldapsearch -b cn=users,cn=accounts,dc=example,dc=com
"(&(mail=${email_address})(memberOf=cn=usergroup,cn=groups,dc=example,dc=com))"
-x

In version 2, it looks like the memberOf attributes have been removed
from the user entries and the user group membership information is
stored only in the 'member' attribute of the individual group entries.

Can someone help me modify the above command so that I can find users,
using their email address, who are also members of a particular group?
Preferably using one command.

Thanks,

Dan Scott

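The filter from Dan's post above (with the cn=accounts component from Stephen's reply) and the two lookups the thread turns on, memberOf on the user entry versus member on the group entry, as an added Python example that is not code from the thread or from FreeIPA. DIRECTORY is constructed in-memory data standing in for the LDAP server, and build_filter, search_by_memberof and search_by_member are the example's own names; the escaping follows RFC 4515, because the shell-interpolated ${email_address} in the thread's command goes into the filter unescaped.

```python
"""Find users by e-mail inside one group: the thread's filter, built safely,
plus the two lookups discussed (memberOf on the user vs. member on the group).

Added example, not code from the thread or from FreeIPA. DIRECTORY is
constructed in-memory data standing in for the LDAP server.
"""
from typing import Dict, List

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter around it."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(email: str, group_dn: str) -> str:
    """The thread's (&(mail=...)(memberOf=...)) filter with balanced
    parentheses and both interpolated values escaped.

    The command in the thread pasted ${email_address} in unescaped; an
    address containing '*' or ')' would then change what the filter matches
    instead of being matched.
    """
    return "(&(mail=%s)(memberOf=%s))" % (
        escape_filter_value(email), escape_filter_value(group_dn))


def parens_balanced(ldap_filter: str) -> bool:
    """True if every '(' has a matching ')'. Meaningful after escaping, since
    escaped values contain no raw parentheses."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def normalize_dn(dn: str) -> str:
    """Case-fold and drop spaces around commas so DNs compare the way the
    server compares them. Simplification: assumes no escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _has_mail(attrs: Dict[str, List[str]], email: str) -> bool:
    return email.lower() in (m.lower() for m in attrs.get("mail", []))


def search_by_memberof(directory, email, group_dn) -> List[str]:
    """What the single-filter search returns: it trusts the memberOf values
    stored on the user entries, which the memberof plugin has to maintain."""
    target = normalize_dn(group_dn)
    return sorted(
        dn for dn, attrs in directory.items()
        if _has_mail(attrs, email)
        and target in (normalize_dn(g) for g in attrs.get("memberOf", []))
    )


def search_by_member(directory, email, group_dn) -> List[str]:
    """Two-step lookup that needs no memberOf: read the group's member values
    (the authoritative side of the link), then keep those whose mail matches."""
    by_dn = {normalize_dn(dn): (dn, attrs) for dn, attrs in directory.items()}
    group = by_dn.get(normalize_dn(group_dn))
    if group is None:
        return []
    hits = []
    for member_dn in group[1].get("member", []):
        entry = by_dn.get(normalize_dn(member_dn))
        if entry is not None and _has_mail(entry[1], email):
            hits.append(entry[0])
    return sorted(hits)


# Constructed sample entries in the thread's naming scheme (DN -> attributes).
USERS = "cn=users,cn=accounts,dc=example,dc=com"
GROUP_DN = "cn=usergroup,cn=groups,cn=accounts,dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=dscott," + USERS: {"mail": ["dscott@example.com"], "memberOf": [GROUP_DN]},
    # Listed in the group's member attribute but memberOf never got rebuilt:
    # the single-filter search misses this user, the two-step lookup finds it.
    "uid=jsmith," + USERS: {"mail": ["jsmith@example.com"]},
    "uid=nobody," + USERS: {"mail": ["nobody@example.com"]},
    GROUP_DN: {"member": ["uid=dscott," + USERS, "uid=jsmith," + USERS]},
}

if __name__ == "__main__":
    print(build_filter("dscott@example.com", GROUP_DN))
    for addr in ("dscott@example.com", "jsmith@example.com"):
        print(addr, search_by_memberof(DIRECTORY, addr, GROUP_DN),
              search_by_member(DIRECTORY, addr, GROUP_DN))
```

When the two functions disagree for the same address, the member side is the one the directory actually stores, which is what the fixup-memberof.pl task later in the thread rebuilds memberOf from.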


Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I see. I have ipa-client-2.0-9.el6.x86_64 on the CentOS 6 client. I guess
the proper fix is to use the SL packages Adam referenced?
Jimmy

>
> You need a newer ipa-client package. The extended operation we used for
> enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.
>
> rob
>

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Rob Crittenden

Jimmy wrote:

I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : NEEDED_PREAUTH:
ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.102 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes
{18 17 16 23}) 192.168.201.199 : ISSUE: authtime
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for
ldap/csp-idm.pdh@pdh.csp



You need a newer ipa-client package. The extended operation we used for 
enrollment changed. This was fixed in ipa-client-2.0-9.1 in RHEL 6.0.


rob



Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I don't know if I was clear on the issue- the FreeIPA server is running on
Fedora 15, the client is CentOS 6. If your suggestion still applies I will
look into the SL packages.
Thanks- J

On Fri, Nov 4, 2011 at 3:12 PM, Adam Young wrote:

> CentOS is far behind RHEL. Many of the issues you will find have been
> fixed in released versions of IPA. This one is due, I think, to an earlier
> issue with directory server that has since been upgraded.
>
> You might want to see if the versions shipped with Scientific Linux work
> better for you, but it is going to be quite a few packages. Aside from
> freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.
>
> On 11/04/2011 03:04 PM, Jimmy wrote:
>
> I'm running the ipa-client-install on a CentOS 6 client and get this
> error:
>
> [root@kudzu ~]# ipa-client-install
> Discovery was successful!
> Realm: PDH.CSP
> DNS Domain: pdh.csp
> IPA Server: csp-idm.pdh.csp
> BaseDN: dc=pdh,dc=csp
>
> Continue to configure the system with these values? [no]: yes
> Principal: admin
> Password for ad...@pdh.csp:
> Joining realm failed: Operation failed! unsupported extended operation
> child exited with 9
> Certificate subject base is: O=PDH.CSP
>
> The only logs I see on the server are here:
>
> Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes
> {18 17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
> krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
> {18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18
> ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
> Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
> 17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
> tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
>
>
>
>
>
>
>

Re: [Freeipa-users] ipa-client-install error

2011-11-04 Thread Adam Young
CentOS is far behind RHEL. Many of the issues you will find have been
fixed in released versions of IPA. This one is due, I think, to an
earlier issue with directory server that has since been upgraded.

You might want to see if the versions shipped with Scientific Linux work
better for you, but it is going to be quite a few packages. Aside from
freeipa* it will be xmlrpc, 389-ds-base and DNS dyndb and possibly others.

On 11/04/2011 03:04 PM, Jimmy wrote:
I'm running the ipa-client-install on a CentOS 6 client and get this 
error:


[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : 
NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional 
pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes 
{18}) 192.168.201.199 : ISSUE: authtime 
1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.102 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes 
{18 17 16 23}) 192.168.201.199 : ISSUE: 
authtime 1320432800, etypes {rep=18 tkt=18 ses=18}, ad...@pdh.csp for 
ldap/csp-idm.pdh@pdh.csp







[Freeipa-users] ipa-client-install error

2011-11-04 Thread Jimmy
I'm running the ipa-client-install on a CentOS 6 client and get this error:

[root@kudzu ~]# ipa-client-install
Discovery was successful!
Realm: PDH.CSP
DNS Domain: pdh.csp
IPA Server: csp-idm.pdh.csp
BaseDN: dc=pdh,dc=csp

Continue to configure the system with these values? [no]: yes
Principal: admin
Password for ad...@pdh.csp:
Joining realm failed: Operation failed! unsupported extended operation
child exited with 9
Certificate subject base is: O=PDH.CSP

The only logs I see on the server are here:

Nov 04 18:52:55 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: NEEDED_PREAUTH: ad...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Nov 04 18:53:20 csp-idm.pdh.csp krb5kdc[5354](info): AS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for HTTP/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (1 etypes
{18}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18 tkt=18
ses=18}, ad...@pdh.csp for krbtgt/pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.102: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp
Nov 04 18:53:21 csp-idm.pdh.csp krb5kdc[5354](info): TGS_REQ (4 etypes {18
17 16 23}) 192.168.201.199: ISSUE: authtime 1320432800, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for ldap/csp-idm.pdh@pdh.csp

Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Rob Crittenden

tomasz.napier...@allegro.pl wrote:


On 4 Nov 2011, at 14:52, Rob Crittenden wrote:


Can you provide more context from the client install log (or the whole log)?



Sure:
http://pastie.org/2810505

One more thing: in that domain (.dc2) there is already a working IPA 1.x, and we 
have DNS entries pointing to that installation. It might be KDC autodiscovery 
issue, but how can I disable auto discovery?

Regards,


I'm not really sure what is going on. It could be that there is some 
interference from the v1 server but we pass enough arguments into the 
client installer that it shouldn't need to do much.


It would help if you instrumented ipa-client-install to display the 
value of ret when it is failing so we can know specifically why it failed.


rob



Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 17:07 +0100, tomasz.napier...@allegro.pl wrote:
> On 4 lis 2011, at 16:57, Simo Sorce wrote:
> 
> > Not necessarily related to your problem, but in general I would
> strongly
> > suggest all freeipa users to:
> > 
> > a) use domain names that are longer than a single component
> >   (for example in your case 'ipa.dc2' instead of just 'dc2')
> > 
> > b) let the kerberos realm exactly match the domain name.
> >   (In your case let it be 'IPA.DC2')
> > 
> > We do not enforce these rules but not following them can cause you
> > additional headaches in some cases.
> 
> 
> I know that from 1.x deployment. Unfortunately adding another domain
> would completely destroy our infrastructure management tools ;)
> 
You seem to be in one of those corner cases for which we decided to not
enforce those rules programmatically ...

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread tomasz.napier...@allegro.pl

On 4 lis 2011, at 16:57, Simo Sorce wrote:

> Not necessarily related to your problem, but in general I would strongly
> suggest all freeipa users to:
> 
> a) use domain names that are longer than a single component
>   (for example in your case 'ipa.dc2' instead of just 'dc2')
> 
> b) let the kerberos realm exactly match the domain name.
>   (In your case let it be 'IPA.DC2')
> 
> We do not enforce these rules but not following them can cause you
> additional headaches in some cases.


I know that from 1.x deployment. Unfortunately adding another domain would 
completely destroy our infrastructure management tools ;)

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/

Grupa Allegro Sp. z o.o., with its registered office in Poznań, 60-324 Poznań, ul. 
Marcelińska 90, entered in the register of entrepreneurs kept by the District Court 
Poznań - Nowe Miasto i Wilda, VIII Commercial Division of the National Court Register, 
under KRS number 268796, with share capital of PLN 33,474,500, tax identification 
number NIP: 5272525995.




Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Simo Sorce
On Fri, 2011-11-04 at 16:43 +0100, tomasz.napier...@allegro.pl wrote:
> On 4 lis 2011, at 14:52, Rob Crittenden wrote:
> 
> > Can you provide more context from the client install log (or the whole log)?
> 
> 
> Sure:
> http://pastie.org/2810505
> 
> One more thing: in that domain (.dc2) there is already a working IPA 1.x, and we 
> have DNS entries pointing to that installation. It might be a KDC autodiscovery 
> issue, but how can I disable auto discovery?


Not necessarily related to your problem, but in general I would strongly
suggest all freeipa users to:

a) use domain names that are longer than a single component
   (for example in your case 'ipa.dc2' instead of just 'dc2')

b) let the kerberos realm exactly match the domain name.
   (In your case let it be 'IPA.DC2')

We do not enforce these rules but not following them can cause you
additional headaches in some cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

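The two rules Simo gives above (multi-component domain, realm equal to the upper-cased domain) are easy to check before running ipa-server-install. The script below is an added example, not FreeIPA's own code; the only thing it assumes is how FreeIPA derives the LDAP suffix from the realm (GATECH becomes dc=gatech), which the client log in this thread confirms. It is run against the values from the failing install (--domain dc2 --realm GATECH) and against the shape Simo suggests (ipa.dc2 / IPA.DC2).

```python
"""Pre-flight check for the FreeIPA domain/realm naming rules discussed in this thread.

Added example; not part of FreeIPA. Assumption: the LDAP suffix is derived from
the Kerberos realm, one dc= component per label (GATECH -> dc=gatech).
"""


def realm_to_suffix(realm):
    """Derive the LDAP base DN the server will use from a Kerberos realm.

    IPA.DC2 -> dc=ipa,dc=dc2 ; GATECH -> dc=gatech
    """
    return ",".join("dc=" + label.lower() for label in realm.split(".") if label)


def check_naming(domain, realm):
    """Return a list of warnings for a (domain, realm) pair; an empty list means
    both of Simo's rules hold."""
    warnings = []
    domain = domain.rstrip(".")
    labels = [label for label in domain.split(".") if label]

    # Rule a): the DNS domain should have more than one component.
    if len(labels) < 2:
        warnings.append(
            "domain %r has a single component; use at least two, e.g. 'ipa.%s'"
            % (domain, domain))

    # Rule b): the Kerberos realm should be exactly the upper-cased domain.
    # Realms are case-sensitive, so compare as-is against the upper-cased domain.
    if realm != domain.upper():
        warnings.append(
            "realm %r does not match the domain; expected %r (suffix will be %r, "
            "derived from the realm, not %r as the domain name suggests)"
            % (realm, domain.upper(), realm_to_suffix(realm), realm_to_suffix(domain)))

    return warnings


if __name__ == "__main__":
    # The deployment from the thread: --domain dc2 --realm GATECH
    for warning in check_naming("dc2", "GATECH"):
        print("WARNING:", warning)
    # The shape suggested in the thread: domain ipa.dc2, realm IPA.DC2
    print("ipa.dc2 / IPA.DC2 compliant:", check_naming("ipa.dc2", "IPA.DC2") == [])
    print("suffix for IPA.DC2:", realm_to_suffix("IPA.DC2"))
```

Both warnings fire for the thread's dc2/GATECH pair; the second one also spells out why the client log shows dc=gatech rather than dc=dc2 as the naming context.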


Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread tomasz.napier...@allegro.pl

On 4 lis 2011, at 14:52, Rob Crittenden wrote:

> Can you provide more context from the client install log (or the whole log)?


Sure:
http://pastie.org/2810505

One more thing: in that domain (.dc2) there is already a working IPA 1.x, and we 
have DNS entries pointing to that installation. It might be a KDC autodiscovery 
issue, but how can I disable auto discovery?

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/





Re: [Freeipa-users] Problem installing client on server

2011-11-04 Thread Rob Crittenden

tomasz.napier...@allegro.pl wrote:

Hi,

We are (again) evaluating FreeIPA 2.x and I ran into trouble installing the 
client on the IPA server. It happened before on another server, but I thought it might 
be due to the fact that FreeIPA was installed and uninstalled there 
several times. This time it's a fresh install.
[root@ipa20-test ~]# rpm -qa |grep freeipa
freeipa-client-2.1.3-2.fc15.x86_64
freeipa-admintools-2.1.3-2.fc15.x86_64
freeipa-server-selinux-2.1.3-2.fc15.x86_64
freeipa-python-2.1.3-2.fc15.x86_64
freeipa-server-2.1.3-2.fc15.x86_64

Last lines from the output:
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master 
--unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname 
ipa20-test.dc2' returned non-zero exit status 1

Launching it again:
[root@ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended 
--domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
Failed to verify that ipa20-test.dc2 is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

ipaclient-install.log:
2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in 
dc=gatech(sub)
2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', 
{'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': 
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 
'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': 
['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 
'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 
'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 
'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 
'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': 
['604800']})]
2011-11-04 14:11:18,817 DEBUG will use domain: dc2

2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2

Anyone have a clue what might be the reason?

Regards,


Can you provide more context from the client install log (or the whole log)?

rob



[Freeipa-users] Problem installing client on server

2011-11-04 Thread tomasz.napier...@allegro.pl
Hi,

We are (again) evaluating FreeIPA 2.x and I ran into trouble installing the 
client on the IPA server. It happened before on another server, but I thought it might 
be due to the fact that FreeIPA was installed and uninstalled there 
several times. This time it's a fresh install.
[root@ipa20-test ~]# rpm -qa |grep freeipa
freeipa-client-2.1.3-2.fc15.x86_64
freeipa-admintools-2.1.3-2.fc15.x86_64
freeipa-server-selinux-2.1.3-2.fc15.x86_64
freeipa-python-2.1.3-2.fc15.x86_64
freeipa-server-2.1.3-2.fc15.x86_64

Last lines from the output:
done configuring dirsrv.
Restarting the directory server
Restarting the KDC
Restarting the web server
Sample zone file for bind has been created in /tmp/sample.zone.iQ1QBH.db
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master 
--unattended --domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname 
ipa20-test.dc2' returned non-zero exit status 1

Launching it again:
[root@ipa20-test ~]# /usr/sbin/ipa-client-install --on-master --unattended 
--domain dc2 --server ipa20-test.dc2 --realm GATECH --hostname ipa20-test.dc2
Failed to verify that ipa20-test.dc2 is an IPA Server.
This may mean that the remote server is not up or is not reachable
due to network or firewall settings.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

ipaclient-install.log:
2011-11-04 14:11:18,799 DEBUG Init ldap with: ldap://ipa20-test.dc2:389
2011-11-04 14:11:18,812 DEBUG Search LDAP server for IPA base DN
2011-11-04 14:11:18,814 DEBUG Check if naming context 'dc=gatech' is for IPA
2011-11-04 14:11:18,815 DEBUG Naming context 'dc=gatech' is a valid IPA context
2011-11-04 14:11:18,815 DEBUG Search for (objectClass=krbRealmContainer) in 
dc=gatech(sub)
2011-11-04 14:11:18,816 DEBUG Found: [('cn=GATECH,cn=kerberos,dc=gatech', 
{'krbSubTrees': ['dc=gatech'], 'cn': ['GATECH'], 'krbDefaultEncSaltTypes': 
['aes256-cts:special', 'aes128-cts:special', 'des3-hmac-sha1:special', 
'arcfour-hmac:special'], 'objectClass': ['top', 'krbrealmcontainer', 
'krbticketpolicyaux'], 'krbSearchScope': ['2'], 'krbSupportedEncSaltTypes': 
['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 
'aes128-cts:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 
'arcfour-hmac:normal', 'arcfour-hmac:special', 'des-hmac-sha1:normal', 
'des-cbc-md5:normal', 'des-cbc-crc:normal', 'des-cbc-crc:v4', 
'des-cbc-crc:afs3'], 'krbMaxTicketLife': ['86400'], 'krbMaxRenewableAge': 
['604800']})]
2011-11-04 14:11:18,817 DEBUG will use domain: dc2

2011-11-04 14:11:18,817 DEBUG will use server: ipa20-test.dc2

Anyone have a clue what might be the reason?

Regards,
-- 
Tomasz Z. Napierała
Systems Architecture Engineer,
IT Infrastructure Department
Allegro Team
http://www.allegro.pl/



