Re: [Freeipa-users] dead in the water IPA server

2012-05-14 Thread JR Aquino
On May 13, 2012, at 2:39 PM, "Steven Jones" <steven.jo...@vuw.ac.nz> wrote:

Hi,

I have what I'm told are 6.3 rpms on ipa2 and no, it's not fixed: the memory leak
kills a server in 48 hours. I also find I have a problem with rebooting; IPA
doesn't survive a reboot, so I can't even cron a reboot nightly.

Right now both are in a bad way and I need to reboot them...

:(

The interesting thing is I have a test setup that is stable, yet has the same
rpms... so I'm flummoxed. Maybe it's something I've done, but I can't think
what... it's bog standard as far as I know.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


When I was having similar problems, it turned out to be due to a few different 
factors...

* my cache was too low, was being exceeded and triggering a leak in 389
* I discovered a bug in managed entries that caused the plugin to fire if _any_
change occurred to a managed object, as opposed to firing only when relevant
attributes changed.
* I also had a great deal of churning happening from slapi-nis in competition 
with the MemberOf plugin...

Here is my bug, it was fixed in Fedora, but perhaps it is still a problem in 
RHEL: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=771493



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Saturday, 12 May 2012 9:29 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

On 05/07/2012 05:05 PM, Rich Megginson wrote:
On 05/07/2012 02:55 PM, Steven Jones wrote:

Hi,

Yes I have a memory leak see attached graphs

Yes, looks like the killer killed slapd... don't know what caused this
yet... if it's the "killer", looks like it's decided to kill slapd, or slapd
was going to kill the system anyway so it may have done the right thing.

Looks like I have 3 days between reboots; if I don't, IPA loses the plot big
time... very bad news. I will, I think, slow IPA deployment here at this
time... this can't be deployed for us as it is. I can't even test, as if
something doesn't work I don't know if it's my configuration error or an
inconsistent IPA.

:/

Thanks for this info, I will pursue this through RH support for a perm fix;
adding more memory doesn't strike me as the solution. 4 GB of RAM for 3~4 users
and about 6 client machines seems a lot.

Right.  See https://fedorahosted.org/389/ticket/51 and especially all of the 
comments to https://bugzilla.redhat.com/show_bug.cgi?id=697701

You will need to closely monitor your entry cache usage.


As far as I see the ticket is fixed upstream and is in testing for 6.3.
Is this the correct understanding?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Monday, 7 May 2012 9:45 p.m.
To: Steven Jones
Cc: Jan Cholasta; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] dead in the water IPA server

This sounds very much the same as the issue I've been having. Did you check to
see if it was the directory server that consumed all of your memory too?

https://www.redhat.com/archives/freeipa-users/2012-April/msg00139.html


Regards,
Siggi




On Mon, May 7, 2012 11:32, Jan Cholasta wrote:


Hi,


It seems that your system ate all the available memory and the kernel
decided to kill a directory server instance to free some. The kernel agent
responsible for this is called the out-of-memory killer; you can read more
about it and how to configure it not to kill important processes here:
http://lwn.net/Articles/317814/

On 7.5.2012 02:22, Steven Jones wrote:



Interesting memory message, as attached.

I take it it isn't good? Can't log in, that is for sure, so whatever is behind the
web GUI is dead if nothing else...


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




--
Jan Cholasta


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


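
Rich's advice above to "closely monitor your entry cache usage" can be scripted against the backend's cn=monitor entry. The following is an added example and not code from the thread or from 389/FreeIPA. It assumes the IPA backend is named userRoot (the default) and the standard ldbm monitor attribute names, and it parses a constructed LDIF sample standing in for the output of `ldapsearch -Y GSSAPI -s base -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"`. The warning thresholds are assumptions to tune per deployment; an entry cache that is nearly full or missing often is the condition JR and Rich describe, and the knob is nsslapd-cachememsize on the backend entry.

```python
"""Report 389-ds entry cache pressure from a cn=monitor LDIF dump.

Added example, not code from the thread or from 389/FreeIPA.
Assumptions: the IPA backend is named userRoot (the default) and the
monitor entry uses the standard ldbm attribute names. On a live server
the entry comes from:
  ldapsearch -Y GSSAPI -s base \
    -b "cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
"""
import re

# Constructed sample of that search's output (not real server data).
SAMPLE_MONITOR_LDIF = """\
dn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: monitor
entrycachehits: 184213
entrycachetries: 201937
entrycachehitratio: 91
currententrycachesize: 10318336
maxentrycachesize: 10485760
currententrycachecount: 4170
maxentrycachecount: -1
"""


def parse_ldif_entry(text):
    """Map lowercased attribute name -> first value for one LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*):\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1).lower(), m.group(2).strip())
    return attrs


def cache_report(attrs, size_warn_pct=90, hit_ratio_warn=95):
    """Return (ok, findings); thresholds are assumptions to tune per deployment.

    A cache close to maxentrycachesize, or a low hit ratio, means entries are
    being evicted and re-read; the knob is nsslapd-cachememsize on the backend.
    """
    findings = []
    cur = int(attrs.get("currententrycachesize", 0))
    mx = int(attrs.get("maxentrycachesize", 0))
    ratio = int(attrs.get("entrycachehitratio", 0))
    used_pct = (100 * cur) // mx if mx > 0 else 0
    if mx > 0 and used_pct >= size_warn_pct:
        findings.append(
            f"entry cache {used_pct}% full ({cur}/{mx} bytes); "
            "raise nsslapd-cachememsize on cn=userRoot,cn=ldbm database,cn=plugins,cn=config"
        )
    if ratio < hit_ratio_warn:
        findings.append(f"entry cache hit ratio {ratio}% is below {hit_ratio_warn}%")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = cache_report(parse_ldif_entry(SAMPLE_MONITOR_LDIF))
    print("OK" if ok else "WARNING")
    for f in findings:
        print(" -", f)
```

Run it from cron against the live monitor entry and alert on a non-OK result; a cache that sits at its ceiling is the precondition for the leak JR mentions, and catching it there is cheaper than waiting for the OOM killer Jan describes.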

Re: [Freeipa-users] FreeIPA and others

2012-05-14 Thread JR Aquino

On May 14, 2012, at 9:50 PM, "Steven Jones"  wrote:

> 8><-
> 
> Mileage may vary.
> 
> I for one have found no suitable scalable substitute for FreeIPA.
> 
> 8><--
> 
> Sure but depends on capability and experience, I for one am
> struggling... while significantly easier than say 389 (which I gave up on),
> it's still a huge step up...
> 

I agree that it doesn't solve /all/ problems (yet) ;)

However, I have looked for a very, very long time to find a scalable LDAP
implementation with integrated Kerberos and RBAC/HBAC. I've had numerous
personal discussions with the creators/maintainers of openldap, pam_ldap,
sudo, and some of the MIT-Kerb folk along my way.

Because no one else had solved those problems, I was actually in the middle of
writing my own solution when I stumbled onto FreeIPA...

For example, pam_ldap expect(s/ed) that every user object contain an attribute
entry for every single host they are allowed to log into. Doesn't quite
scale when you have to manage complex mixtures of thousands of users to
thousands of hosts...

What do you feel is the biggest struggle?

Is it the base core features, or is it external integration pains for
features that don't exist yet?

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrixonline.com
http://www.citrixonline.com



Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Steven Jones
Hi,



I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect,
but that's a Safari issue I'm sure.

After running "kinit admin" I find the Kerberos ticket expires about 24 hours
later, so you have to renew? What you can do if it simply won't work is get IPA
to fall back to asking for a password, which is what I have had to set for
Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work... I think RH
say Firefox 10 is the long term supported version for them, so I'd run that at
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal <d...@redhat.com> wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie to IPA and was experimenting with it on a couple of my VMs before
considering it for production.

Installation went fine; however, I am getting the Kerberos key expiration error
in Firefox. I am running Firefox on the same machine where I have
installed/configured ipa-server. After googling and some help on IRC I checked the
documentation to troubleshoot it, as this appears to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = 
ipaserver.example.com
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin is at
http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
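
Chandan's Firefox log above shows "using REQ_DELEGATE" just before "SPNEGO cannot find mechanisms to negotiate". The REQ_DELEGATE line means the IPA URL matched network.negotiate-auth.delegation-uris, so Firefox is prepared to forward the user's Kerberos credentials to that server; that pref should cover only hosts that genuinely need delegation, while network.negotiate-auth.trusted-uris decides whether Negotiate is attempted at all. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed prefs.js excerpt and reports, for a given URL, whether Firefox would attempt Negotiate and whether it would delegate. The matching rules it applies (an entry may carry a scheme and a port; a bare name matches that host and its subdomains; a leading dot matches subdomains only; single-label hosts need allow-non-fqdn) are an approximation of Firefox's and should be treated as an assumption, as should the sample prefs.

```python
"""Will Firefox attempt SPNEGO, and delegate credentials, for a given URL?

Added example, not code from the thread or from FreeIPA. It reads the
prefs.js of a Firefox profile and approximates the matching Firefox applies
to network.negotiate-auth.trusted-uris and
network.negotiate-auth.delegation-uris (assumption: an entry may carry a
scheme and a port; a bare name matches that host and its subdomains; a
leading dot matches subdomains only). IPv6 literals are not handled.
"""
import re
from urllib.parse import urlsplit

# Constructed prefs.js excerpt (not a real profile).
SAMPLE_PREFS_JS = """\
user_pref("network.negotiate-auth.trusted-uris", ".example.com, https://ipaserver.example.com");
user_pref("network.negotiate-auth.delegation-uris", "ipaserver.example.com");
user_pref("network.negotiate-auth.allow-non-fqdn", false);
"""

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(?:"([^"]*)"|([^)]+))\);')


def parse_prefs(text):
    """Return {pref name: raw value} for every user_pref() line."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        prefs[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3).strip()
    return prefs


def matches_base_uri(scheme, host, port, base):
    """Match one list entry against scheme://host:port."""
    base = base.strip()
    if "://" in base:
        base_scheme, base = base.split("://", 1)
        if base_scheme.lower() != scheme.lower():
            return False
    if ":" in base:
        base, base_port = base.split(":", 1)
        if not base_port.isdigit() or int(base_port) != port:
            return False
    if not base:
        return True  # e.g. "https://" alone: every host with that scheme
    host, base = host.lower(), base.lower()
    if len(host) < len(base) or not host.endswith(base):
        return False
    # exact host, or a subdomain on a label boundary ("foobar.com" must not match "bar.com")
    return len(host) == len(base) or base.startswith(".") or host[-len(base) - 1] == "."


def negotiate_policy(prefs, url):
    """Return (will_negotiate, will_delegate) for url under these prefs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    # Firefox refuses Negotiate for single-label hosts unless allow-non-fqdn is true.
    if "." not in host and prefs.get("network.negotiate-auth.allow-non-fqdn", "false") != "true":
        return (False, False)

    def listed(pref):
        entries = [e for e in re.split(r"[,\s]+", prefs.get(pref, "")) if e]
        return any(matches_base_uri(parts.scheme, host, port, e) for e in entries)

    return (listed("network.negotiate-auth.trusted-uris"),
            listed("network.negotiate-auth.delegation-uris"))


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for url in ("https://ipaserver.example.com/ipa/ui", "https://ipaserver/", "https://evilexample.com/"):
        print(url, negotiate_policy(prefs, url))
```

A (True, False) result for the IPA web UI is the least-privilege configuration: Negotiate is attempted, but the browser does not hand a forwardable TGT to the server. A (False, False) result for the URL in the log would point at the prefs rather than at the Kerberos ticket cache that klist shows is populated.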

Re: [Freeipa-users] FreeIPA and others

2012-05-14 Thread Steven Jones
8><-

Mileage may vary.

I for one have found no suitable scalable substitute for FreeIPA.

8><--

Sure but depends on capability and experience, I for one am
struggling... while significantly easier than say 389 (which I gave up on),
it's still a huge step up...

regards



[Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-14 Thread David Copperfield
Hi all,

 The online manual says that '--usercat' means 'User category the rule
applies to'; '--hostcat' has a similar explanation. But I still don't
understand how that could be used in real life and when/where to use the
options.

 Could anyone please shed some light on this? Thanks a lot.

--David

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-14 Thread Gelen James
Hi Dimitri,

 thanks a lot for your offer. It will be more than appreciated if Rob, or some
other talented genius, could wiki the steps. The more details, the sooner, the
better. It will help the IPA project and its users dramatically, especially
newbies like me. :)

Thanks again to you, Rob and others for the coming documentation work.


--Gelen. 



 From: Dmitri Pal
To: Robinson Tiemuqinke
Cc: "Freeipa-users@redhat.com"; Rich Megginson
Sent: Monday, May 14, 2012 1:20 PM
Subject: Re: Please help: How to restore IPA Master/Replicas from daily IPA 
Replica setup???
 

On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA. It looks pretty cool compared with other
> solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I need your help with. My main question is: how
> to restore the IPA setup with a daily machine-level IPA replica backup?
>
> Please let me explain my IPA setup background and the backup/restore goals I'm
> trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up with
> the Dogtag CA system. It is installed first. Then two IPA replicas are installed
> -- with the '--setup-ca' option -- for load balancing and failover purposes.
>
> To describe my problems/objectives, I'll name the IPA master machine A and the
> IPA replicas B and C, and now I've one more extra IPA replica 'D' (virtual
> machine) set up ONLY for backup purposes.
>
> The setup looks like the following; A is the configuration hub. B, C, D are
> siblings.
>
>     A
>   /  |  \
> B   C   D
>
> The following are the steps I use to back up IPA setups and LDAP backends daily
> -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
>    1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '.
> On the hypervisor which holds virtual machine D, do a daily backup of the
> whole virtual disk that D is on.
>    1.2 turn on the IPA replica D again.
>    1.3 after virtual machine D is up, on D optionally run
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes the restore part, which is pretty confusing to me. I've tried several
> times, and every time it comes with this or that kind of issue, and so I am
> wondering what the correct steps/interaction of IPA master/replicas are :(
>
> 2, case #1, A is broken, like a disk failure, and then re-imaged after several
> days.
>
>    2.1 How to rebuild the IPA master/hub A after A is re-imaged, with the
> daily backup from IPA replica D?
>    2.2 Do I have to check some files on A into subversion immediately after A
> was initially installed?
>    2.3 Please describe the steps. I'll follow exactly and report the results.
>
> 3, case #2, A is working, but either B or C is broken.
>
>   3.1 It looks like I don't need the daily backup of D to kick in, is that
> right?
>   3.2 What are the correct steps on A, and on B after it is re-imaged?
>   3.3 Please describe the steps. I'll follow exactly and report the results.
>
> 4, case #3, some unexpected IPA changes happen on A -- like all users being
> deleted by human mistake -- and, even worse, all the changes are propagated
> to B and C in minutes.
>
>   4.1 How can I recover the IPA setup from the daily backup from D?
>   4.2 Which IPA master/replicas should I recover first? IPA master A, or IPA
> replicas B/C? And then how to recover the others left one by one?
>   4.3 Do I have to disconnect the replication agreements of B, C, D from A first?
>   4.4 Please describe the steps. I'll follow exactly and report the results.
>
> I've heard something about tombstone records too. Not sure whether the
> problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I avoid it
> with the correct recovery steps/interactions.
>
> Thanks a lot.
>
> --Gelen.
I can explain it conceptually. Rob is probably best to define the
exact sequence and commands.

If your A is broken you reinstall it, make it connect to D and init
(force sync) A from D. Now you have a new A.

If B or C dies you just re-install B or C and init from A.

If you lost a lot of data I suggest you start a saved D instance and
force-sync A from it and then force sync B and C from A.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal
On 05/14/2012 05:25 PM, Chandan Kumar wrote:
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>

I am not sure, but it seems like something is not properly configured with
the browser.
I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
on a working configuration.
But I will defer to experts.

>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal <d...@redhat.com> wrote:
>
> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>> I am a newbie to IPA and was experimenting with it on a couple of my VMs
>> before considering it for production.
>>
>> Installation went fine; however, I am getting the Kerberos key
>> expiration error in Firefox. I am running Firefox on the same
>> machine where I have installed/configured ipa-server. After googling
>> and some help on IRC I checked the documentation to troubleshoot it,
>> as this appears to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Firefox logs
>>
>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>> 
>> -1977841888[7fc789f5b040]:   using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]:
>> nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root@ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting     Expires            Service principal
>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
>> [root@ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>
> Are you running FF on windows?
> Which version of IPA are you using?
>
>
>>
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ 
>
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

[Freeipa-users] Bug or feature regarding External Host in IPA net groups?

2012-05-14 Thread Gelen James


Hi all,

  Not sure whether it is a bug or a feature, but when I evaluate the IPA
netgroups, the 'external host' feature brings me some unexpected results. I'll
list them below -- I am running IPA 2.1.3-9 on Redhat 6.2.

 1, when I added a host into an IPA netgroup in command line mode, 'ipa
netgroup-add-member   --hosts='. When the host is not yet
installed/configured as an IPA client, it shows in the 'external host' category
in the output of the 'ipa netgroup-find ' command.

  The 'external host' doesn't show up in the web interface for the IPA netgroup.
But it does show up when running 'ipa netgroup-find', or even 'getent '
by sssd.

2, After the 'external host' is configured as an IPA client -- 'ipa user-find
 proves it' -- it is still reported as 'external host' by the command 'ipa
netgroup-find', and still doesn't show up in the web interface either. Could this
be a bug?

3, because of #2 above, when this machine is reconfigured and removed with
'ipa user-del ', it shows up in the containing netgroups and nested
netgroups, and has to be removed manually. :(

4, This could be a real bug: you can add an 'external host' with either a
host's bare name or its FQDN. Then after the machine is installed, and you
would like to remove it from the 'external host' category with the command 'ipa
user-del ', it will remove the FQDN entry only! and leave the bare
name there forever, until you delete the whole containing netgroup!

[root@ipaclient02 ~]# ipa netgroup-find external-ng
---
1 netgroups matched
---
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com


Number of entries returned 1


[root@ipaclient02 ~]# getent netgroup external-ng
external-ng           (dnsmaster.example.com, -, example.com) (ipaclient02.mac.example.com, -, example.com)

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
---
Number of members removed 1
---

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
  Failed hosts/hostgroups: 
    member host: ipaclient02.example.com: This entry is not a member
---
Number of members removed 0
---
[root@ipaclient02 ~]# 

--Gelen
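
Gelen's output above shows the 'External host' list carrying both a bare name and an FQDN for the same machine, getent returning only the FQDN triples, and a remove-member call by bare name taking out the FQDN entry. A small audit of netgroup output catches those states before they become permanent leftovers. The following is an added example, not code from the thread or from FreeIPA: it parses a constructed `ipa netgroup-find` text (the labels 'Netgroup name' and 'External host' are as shown in the thread; 'Member Host' is an assumption) and compares the external hosts with a caller-supplied set of enrolled host FQDNs (constructed here; in practice taken from `ipa host-find`).

```python
"""Audit 'External host' entries in IPA netgroups.

Added example, not code from the thread or from FreeIPA. It parses the
text form of `ipa netgroup-find` output (labels 'Netgroup name' and
'External host' as shown in the thread; 'Member Host' is an assumption)
and compares the external hosts against a caller-supplied set of enrolled
host FQDNs (in practice taken from `ipa host-find`).
"""
import re

# Constructed output modelled on the thread's sample (not real server data).
SAMPLE_NETGROUP_FIND = """\
---------------------
2 netgroups matched
---------------------
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com

  Netgroup name: build-ng
  Description: build machines
  NIS domain name: example.com
  Member Host: build01.example.com
  External host: build02
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed: FQDNs of hosts actually enrolled as IPA clients.
ENROLLED_HOSTS = {"dnsmaster.example.com", "ipaclient02.mac.example.com", "build01.example.com"}

_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_netgroup_find(text):
    """Return {netgroup: {"external": [...], "hosts": [...]}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        values = [v for v in re.split(r",\s*", val) if v]
        if key == "Netgroup name":
            current = groups.setdefault(val, {"external": [], "hosts": []})
        elif current is not None and key == "External host":
            current["external"] = values
        elif current is not None and key == "Member Host":
            current["hosts"] = values
    return groups


def audit_external_hosts(groups, enrolled):
    """List (netgroup, host, reason) for external hosts that need attention."""
    findings = []
    enrolled_short = {fqdn.split(".")[0]: fqdn for fqdn in enrolled}
    for name, g in groups.items():
        ext = g["external"]
        for h in ext:
            if h in enrolled:
                # should be a Member Host by now; the external entry is a leftover
                findings.append((name, h, "enrolled host still listed as external"))
            elif "." not in h:
                twin = next((f for f in ext if f != h and f.split(".")[0] == h), None)
                if twin:
                    findings.append((name, h, f"bare name duplicates {twin}"))
                elif h in enrolled_short:
                    findings.append((name, h, f"bare name of enrolled host {enrolled_short[h]}"))
                else:
                    # the thread's getent output only returned FQDN triples
                    findings.append((name, h, "bare name; verify getent netgroup returns it"))
    return findings


if __name__ == "__main__":
    for ng, host, reason in audit_external_hosts(parse_netgroup_find(SAMPLE_NETGROUP_FIND), ENROLLED_HOSTS):
        print(f"{ng}: {host}: {reason}")
```

Each finding maps to a cleanup: an enrolled host is removed from the external list and re-added with --hosts so it becomes a member host, and a bare name is removed before its FQDN twin so the right entry goes; the audit run after the cleanup should return an empty list.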

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Chandan Kumar
System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal wrote:

> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>
> I am a newbie to IPA and was experimenting with it on a couple of my VMs before
> considering it for production.
>
> Installation went fine; however, I am getting the Kerberos key expiration
> error in Firefox. I am running Firefox on the same machine where I have
> installed/configured ipa-server. After googling and some help on IRC I checked
> the documentation to troubleshoot it, as this appears to be a known problem.
>
> Moreover, I did follow
>
> http://freeipa.org/page/InstallAndDeploy
> http://freeipa.org/page/TroubleshootingGuide
>
> Firefox logs
>
> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
> -1977841888[7fc789f5b040]:   using negotiate-gss
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate
> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> [root@ds var]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
> [root@ds var]#
>
> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
> at http://fpaste.org/9hXX/
>
> I am not sure what I am missing though. Appreciate any help.
>
> Thanks
> Chandan
>
>
>
>
> Are you running FF on windows?
> Which version of IPA are you using?
>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
> I am a newbie to IPA and was experimenting with it on a couple of my VMs
> before considering it for production.
>
> Installation went fine; however, I am getting the Kerberos key
> expiration error in Firefox. I am running Firefox on the same machine
> where I have installed/configured ipa-server. After googling and some
> help on IRC I checked the documentation to troubleshoot it, as this appears
> to be a known problem.
>
> Moreover, I did follow
>
> http://freeipa.org/page/InstallAndDeploy
> http://freeipa.org/page/TroubleshootingGuide
>
> Firefox logs
>
> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
> 
> -1977841888[7fc789f5b040]:   using negotiate-gss
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
> GSS failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate
> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> [root@ds var]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
> [root@ds var]#
>
> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
> at http://fpaste.org/9hXX/
>
> I am not sure what I am missing though. Appreciate any help.
>
> Thanks
> Chandan
>
>
>

Are you running FF on windows?
Which version of IPA are you using?


>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-14 Thread Dmitri Pal
On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
> Hi Dmitri, Rich and all,
>
> I am a newbie to Redhat IPA. It looks pretty cool compared with other
> solutions I've tried before. Thanks a lot for this great product! :)
>
> But there are still some things I need your help with. My main question is:
> how to restore the IPA setup with a daily machine-level IPA replica backup?
>
> Please let me explain my IPA setup background and the backup/restore goals
> I'm trying to reach:
>
> I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is set up
> with the Dogtag CA system. It is installed first. Then two IPA replicas are
> installed -- with the '--setup-ca' option -- for load balancing and failover
> purposes.
>
> To describe my problems/objectives, I'll name the IPA master machine A and
> the IPA replicas B and C, and now I've one more extra IPA replica 'D'
> (virtual machine) set up ONLY for backup purposes.
>
> The setup looks like the following; A is the configuration hub. B, C, D are
> siblings.
>
>     A
>   /  |  \
> B   C   D
>
> The following are the steps I use to back up IPA setups and LDAP backends
> daily -- it is a whole machine-level backup (through virtual machine D).
>
> 1, First, IPA replica D is backed up daily. The backup happens like this:
>
>    1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h
> '.  On the hypervisor which holds virtual machine D, do a daily
> backup of the whole virtual disk that D is on.
>    1.2 turn on the IPA replica D again.
>    1.3 after virtual machine D is up, on D optionally run
> 'ipa-replica-manage --force-sync --from ' to sync the IPA databases
> forcibly.
>
> Now comes the restore part, which is pretty confusing to me. I've tried
> several times, and every time it comes with this or that kind of issue, and
> so I am wondering what the correct steps/interaction of IPA master/replicas
> are :(
>
> 2, case #1, A is broken, like a disk failure, and then re-imaged after
> several days.
>
>    2.1 How to rebuild the IPA master/hub A after A is re-imaged, with
> the daily backup from IPA replica D?
>    2.2 Do I have to check some files on A into subversion immediately
> after A was initially installed?
>    2.3 Please describe the steps. I'll follow exactly and report the
> results.
>
> 3, case #2, A is working, but either B or C is broken.
>
>   3.1 It looks like I don't need the daily backup of D to kick in, is
> that right?
>   3.2 What are the correct steps on A, and on B after it is re-imaged?
>   3.3 Please describe the steps. I'll follow exactly and report the
> results.
>
> 4, case #3, some unexpected IPA changes happen on A -- like all users
> being deleted by human mistake -- and, even worse, all the changes are
> propagated to B and C in minutes.
>
>   4.1 How can I recover the IPA setup from the daily backup from D?
>   4.2 Which IPA master/replicas should I recover first? IPA master A,
> or IPA replicas B/C? And then how to recover the others left one by one?
>   4.3 Do I have to disconnect the replication agreements of B, C, D from A
> first?
>   4.4 Please describe the steps. I'll follow exactly and report the
> results.
>
> I've heard something about tombstone records too. Not sure whether
> the problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how
> can I avoid it with the correct recovery steps/interactions.
>
> Thanks a lot.
>
> --Gelen.

I can explain it conceptually. Rob is probably best to define the exact
sequence and commands.

If your A is broken you reinstall it, make it connect to D and init
(force sync) A from D. Now you have a new A.

If B or C dies you just re-install B or C and init from A.

If you lost a lot of data I suggest you start a saved D instance and
force-sync A from it and then force sync B and C from A.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

[Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-14 Thread Robinson Tiemuqinke
Hi Dmitri, Rich and all,

 I am a newbie to Redhat IPA, It looks like pretty cool compared with other 
solutions I've tried before. Thanks a lot for this great product! :)

 But there are still some things I needs your help. My main question is: How to 
restore the IPA setup with a daily machine-level IPA Replica backup?

 Please let me explain my IPA setup background and backup/restore goals trying 
to reach:

 I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup with 
Dogtag CA system. It is installed first. Then two IPA replicas are installed -- 
with '--setup-ca' options -- for load balancing and failover purposes.

 To describe my problems/objectives, I'll name the IPA master machine A and the IPA 
replicas B and C, and now I have one more extra IPA replica, 'D' (a virtual 
machine), set up ONLY for backup purposes.
  
  The setup looks like the following: A is the configuration hub; B, C and D are 
siblings.

     A
   / | \
  B  C  D

 The following are the steps by which I back up the IPA setup and LDAP backends 
daily -- it is a whole machine-level backup (through virtual machine D).

1, First, IPA replica D is backed up daily. The backup happens like this: 

   1.1 On IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '. On 
the hypervisor which holds virtual machine D, do a daily backup of the whole 
virtual disk that D is on. 
   1.2 Turn on IPA replica D again.
   1.3 After virtual machine D is up, on D optionally run 'ipa-replica-manage 
--force-sync --from ' to sync the IPA databases forcibly.

Now comes the restore part, which is pretty confusing to me. I've tried several 
times, and every time it comes up with this or that kind of issue, so I am 
wondering whether the correct steps/interaction of IPA master/replicas are king :(

 2, case #1: A is broken, like a disk failure, and then re-imaged after several 
days.

   2.1  How do I rebuild the IPA master/hub A after A is re-imaged, with the 
daily backup from IPA replica D?

   2.2  Do I have to check some files on A into Subversion immediately after A 
was initially installed?
   2.3  Please describe the steps. I'll follow exactly and report the results.

3, case #2: A is working, but either B or C is broken.

  3.1 It looks like I don't need the daily backup of D to kick in, is that 
right?
  3.2 What are the correct steps on A, and on B after it is re-imaged?
  3.3  Please describe the steps. I'll follow exactly and report the results.

4, case #3: if some unexpected IPA change happens on A -- like all users being 
deleted by human mistake -- and, even worse, all the changes are propagated to 
B and C in minutes.

  4.1 How can I recover the IPA setup from the daily backup from D?
  4.2 Which IPA master/replicas should I recover first: IPA master A, or IPA 
replicas B/C? And then how do I recover the others left, one by one?
  4.3 Do I have to disconnect the replication agreements of B, C, D from A first?  
  4.4  Please describe the steps. I'll follow exactly and report the results.

 I've heard something about tombstone records too. Not sure whether the problem 
still exists in 2.1.3 or 2.2.0 (on 6.3 Beta)? If so, how can I avoid it with the 
correct recovery steps/interactions?

Thanks a lot. 

--Gelen.

Re: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

2012-05-14 Thread Rob Crittenden

pasqual milvaques wrote:

the people from ubuntu pointed me to this bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127

enabling ssl3 in the server with these commands served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on

exit

but the client doesn't join the domain completely because in the system
there is no system-wide nss database:

New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t
CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad
database.

Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in 
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1124, in install
    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
         "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255
pasqual@ubuntuprovesfreeipa:~$

I can create it with these commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

but it asks for a password. there are some obscure references about using a
password file called pwdfile.txt that resides on the server but I'm not
sure what to do now. perhaps the password must be blank. any idea?


It isn't mandatory to set a password, there isn't one by default in 
Fedora installations. If you do set a password and place it in a file 
you can pass the file location with -f. Arguably a password in a file is 
about as secure as a password-less database: for both you are relying on 
FS permissions (and perhaps SELinux if configured).


rob
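
As an added example (not part of Rob's reply and not the ipa-client-install code): a POSIX shell snippet that creates the system-wide NSS database without a password, the Fedora default Rob describes, imports the IPA CA with the same trust flags the traceback shows, and then checks the one thing a password-less database actually relies on, namely that nothing but the owner can write to it. The directory and CA path are parameters whose defaults are assumptions; `--empty-password` is certutil's own option and is assumed to be available on the client's NSS version; the permission check is mine.

```sh
#!/bin/sh
# Added example, not from the thread. Creates the NSS DB ipa-client-install
# expects, without a password, and verifies that filesystem permissions (the
# only protection such a database has) are not wider than owner-write.

# nssdb_perms_ok DIR: succeed only if DIR and every file directly inside it
# carry no group or world write bit. Works with plain ls, no GNU stat needed.
nssdb_perms_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob stays literal
        mode=$(ls -ld "$f" | cut -c1-10)
        # In "drwxrwxrwx", column 6 is the group write bit, column 9 the world one.
        case "$mode" in
            ?????w*|????????w*)
                echo "group/world-writable: $f ($mode)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# create_nssdb DIR CACERT: make a password-less NSS DB and import the IPA CA
# as a trusted CA (same flags as ipa-client-install: CT,C,C).
# Requires certutil (libnss3-tools on Ubuntu). DIR and CACERT are assumptions;
# /etc/pki/nssdb and /etc/ipa/ca.crt are the paths seen in the traceback.
create_nssdb() {
    dir=${1:-/etc/pki/nssdb}
    cacert=${2:-/etc/ipa/ca.crt}
    mkdir -p "$dir" || return 1
    chmod 0755 "$dir"                  # readable by all, writable by root only
    certutil -N -d "$dir" --empty-password || return 1
    chmod 0644 "$dir"/*                # cert8.db/key3.db/secmod.db: no group/world write
    certutil -A -d "$dir" -n "IPA CA" -t CT,C,C -a -i "$cacert" || return 1
    nssdb_perms_ok "$dir"
}
```

Run `create_nssdb /etc/pki/nssdb /etc/ipa/ca.crt` as root before re-running ipa-client-install; `nssdb_perms_ok /etc/pki/nssdb` on its own is a cheap post-install check on hosts where the database already existed, since a group- or world-writable key3.db lets any local user swap the trusted CA.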



Re: [Freeipa-users] FreeIPA and others

2012-05-14 Thread JR Aquino
On May 13, 2012, at 11:13 PM, Jan-Frode Myklebust wrote:

> On Mon, May 14, 2012 at 03:53:34AM +, JR Aquino wrote:
>> 
>> I currently run over 21 (soon to be 42) Production FreeIPA servers. These 
>> are globally dispersed in every major continent.
>> They support over 5,000 servers (Mostly RHEL with some Fedora, and Ubuntu 
>> mixed in), 1,000 Networking devices (Cisco and Juniper) and around 2,000 
>> users.
> 
> Could you please say something about how you're connecting the Cisco's and
> Juniper's to IPA ? LDAP backend for radius/ACS, or something else ?

Yes, there is a Cisco ACS acting as a middle man, providing TACACS / 
RADIUS where appropriate.




Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jakub Hrozek
On Mon, May 14, 2012 at 02:09:25PM +0200, Jan-Frode Myklebust wrote:
> On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
> > 
> > IPA has a concept of automount locations. 
> 
> Do these locations have anything to do with the Locality/Location
> strings in the HOST SETTINGS, so that we don't have to modify each
> client's sssd.conf for setting the ipa_automount_location ?

No, AFAIK there's no relation between the two.

Please note that the sssd/autofs integration is a tech preview in RHEL 6.3
and only present in SSSD 1.8 and later. You'd also want to add "autofs"
to the list of active services and create a [autofs] section in sssd.conf.



Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jan-Frode Myklebust
On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
> 
> IPA has a concept of automount locations. 

Do these locations have anything to do with the Locality/Location
strings in the HOST SETTINGS, so that we don't have to modify each
client's sssd.conf for setting the ipa_automount_location ?


  -jf



Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jan-Frode Myklebust
On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote:
> 
> IPA has a concept of automount locations. See ipa help automount for
> more info..here is a basic example, cut-n-pasted from a test setup
> of mine, except for obfuscated host names. This setup creates two locations
> exporting the same tree /share/mirror from different servers:


Perfect, thanks for the location explanation!




  -jf



Re: [Freeipa-users] fail joining an ubuntu 12.04 to a freeipa server with ipa-client-install

2012-05-14 Thread pasqual milvaques

the people from ubuntu pointed me to this bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127

enabling ssl3 in the server with these commands served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on

exit

but the client doesn't join the domain completely because in the system 
there is no system-wide nss database:


New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t 
CT,C,C -a -i /etc/ipa/ca.crt

root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad 
database.


Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 1292, in 
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 1279, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1124, in install
    run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
         "-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
  File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273, in run
    raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned non-zero exit status 255

pasqual@ubuntuprovesfreeipa:~$

I can create it with these commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

but it asks for a password. there are some obscure references about using a 
password file called pwdfile.txt that resides on the server but I'm not 
sure what to do now. perhaps the password must be blank. any idea?


thanks



Al 11/05/12 16:40, En/na pasqual milvaques ha escrit:
I have downloaded and compiled some versions of gnutls and this is the 
result:

gnutls-2.8.5: works
gnutls-2.12.19: fail
gnutls-3.0.19: fail

this must affect distributions in which ldaps connections are based on 
gnutls (I only know of debian and ubuntu).


the problem can be tested with this command:
gnutls-cli -d 4 -p 636 freeipaserver.linux.gva.es

if you have a problematic gnutls version the command would end with 
these lines:

...
|<3>| HSK[0x9bb40d0]: CLIENT HELLO was sent [151 bytes]
|<4>| REC[0x9bb40d0]: Sending Packet[0] Handshake(22) with length: 151
|<4>| REC[0x9bb40d0]: Sent Packet[1] Handshake(22) with length: 156
|<2>| ASSERT: gnutls_buffers.c:640
|<2>| ASSERT: gnutls_record.c:969
|<2>| ASSERT: gnutls_handshake.c:2762
*** Fatal error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[0x9bb40d0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x9bb40d0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
|<4>| REC[0x9bb40d0]: Epoch #0 freed
|<4>| REC[0x9bb40d0]: Epoch #1 freed
pasqual@ubuntuprovesfreeipa:~/gnutls-2.12.19$

any idea in how to make this work?

Al 11/05/12 13:16, En/na pasqual milvaques ha escrit:
I'm trying to join an ubuntu 12.04 machine to a freeipa domain 
installed on a centos 6.2 machine and it seems there is some problem 
with the tls negotiation. ubuntu 12.04 uses gnutls instead of openssl 
so the problem could be there but I don't know how to solve it. with 
the ldapsearch command I can also reproduce the failure


I have opened this ubuntu bug as freeipa now has a native client 
package: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/997990


any idea?

this is the log of the operation:

pasqual@ubuntuprovesfreeipa:~$ sudo ipa-client-install -d 
--enable-dns-updates

[sudo] password for pasqual:
root : DEBUG /usr/sbin/ipa-client-install was invoked with options: 
{'conf_ntp': True, 'domain': None, 'uninstall': False, 'force': 
False, 'sssd': True, 'krb5_offline_passwords': True, 'hostname': 
None, 'permit': False, 'server': None, 'prompt_password': False, 
'mkhomedir': False, 'dns_updates': True, 'preserve_sssd': False, 
'debug': True, 'on_master': False, 'ntp_server': None, 'realm_name': 
None, 'unattended': None, 'principal': None}

root : DEBUG missing options might be asked for interactively later

root : DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root : DEBUG Loading StateFile from 
'/var/lib/ipa-client/sysrestore/sysrestore.state'

root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG [ipadnssearchldap(linux.gva.es)]
root : DEBUG [ipadnssearchldap(gva.es)]
root : DEBUG [ipadnssearchldap(es)]
root : DEBUG Domain not found
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): 
linux.gva.es

root : DEBUG will use domain: linux.gva.es

root : DEBUG [ipadnssearchldap]
root : DEBUG IPA Server not found
DNS discovery failed to find the IPA 

Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jakub Hrozek
On Mon, May 14, 2012 at 09:01:34AM +0200, Jan-Frode Myklebust wrote:
> We have two datacenters, site-A and site-B, and would like to server the
> users' home directories from a local NFS-server at each location to avoid
> cross site mounts. Is this something the automount maps in IPA can help
> us with ?
> 
> Or do we need to do tricks like having the users' home directory under
> /Home/$username and symlink /Home -> /srv/site-A/ on site-A and vice
> versa ?

IPA has a concept of automount locations. See ipa help automount for
more info. Here is a basic example, cut-n-pasted from a test setup
of mine, except for obfuscated host names. This setup creates two locations
exporting the same tree /share/mirror from different servers:

ipa automountlocation-add Brno
ipa automountmap-add Brno auto.share
ipa automountkey-add Brno auto.master --key=/share --info=auto.share
ipa automountkey-add Brno auto.share --key=mirror --info="filer.in.brno:/mirror/"

ipa automountlocation-add Boston
ipa automountmap-add Boston auto.share
ipa automountkey-add Boston auto.master --key=/share --info=auto.share
ipa automountkey-add Boston auto.share --key=mirror --info="filer.in.boston:/mirror"

That should also work with the username wildcard, if not, it's a bug.

On the client, set the search base to the respective location:
SEARCH_BASE="cn=brno,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
...or, for clients in Boston:
SEARCH_BASE="cn=boston,cn=automount,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"

If you're using the SSSD to fetch autofs maps, all you need to set on
the client is ipa_automount_location = Brno (or Boston) and set "sss" as
the autofs map source in nsswitch.



[Freeipa-users] Different automount for different locations

2012-05-14 Thread Jan-Frode Myklebust
We have two datacenters, site-A and site-B, and would like to serve the
users' home directories from a local NFS server at each location to avoid
cross-site mounts. Is this something the automount maps in IPA can help
us with?

Or do we need to do tricks like having the users' home directory under
/Home/$username and symlink /Home -> /srv/site-A/ on site-A and vice
versa ?


  -jf
