Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Rich Megginson

On 05/15/2012 02:49 PM, Ben Ho wrote:

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.


Is replication otherwise working?



-Ben


Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are
running IPA.  I am trying to replicate one server to two other
servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.
 However, on the second server I get this message in my log files.
 The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt="cn=meToexample1.edu" (example1:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
agmt="cn=meToexample1.edu" (example1:389): Warning: unable to
replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt="cn=meToexample2.edu" (example2:389): Schema replication
update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
agmt="cn=meToexample2.edu" (example2:389): Warning: unable to
replicate schema: rc=1


  Again, I am pretty new to this, so any help or tips would be
appreciated.


What platform and what version of 389-ds-base and ipa-server for all 
of your servers?



  Thanks!

-Ben



___
Freeipa-users mailing list
Freeipa-users@redhat.com  
https://www.redhat.com/mailman/listinfo/freeipa-users





Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)

2012-05-15 Thread Ian Levesque

On May 15, 2012, at 6:14 PM, Rob Crittenden wrote:

>> # /usr/sbin/ipa-client-install --domain=in.hwlab 
>> --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
>> --server=sbgrid-directory.in.hwlab --unattended
>> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
>> KDC address will be set to fixed value.
>> 
>> Discovery was successful!
>> Hostname: ian-ultra24-dmz.in.hwlab
>> Realm: SBGRID.ORG
>> DNS Domain: in.hwlab
>> IPA Server: sbgrid-directory.in.hwlab
>> BaseDN: dc=sbgrid,dc=org
>> 
>> 
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync.
>> 
>> kinit: Client not found in Kerberos database while getting initial 
>> credentials
>> 
>> Installation failed. Rolling back changes.
>> IPA client is not configured on this system.
>> 
>> Any help would be appreciated.
> 
> Don't set the principal and it will work, just drop the --principal bit. The 
> principal doesn't exist yet which is why things are failing (or more 
> precisely, the principal with that principal key doesn't exist yet).

No luck:

Joining realm failed: Incorrect password.
Installation failed. Rolling back changes.

I thought the point of doing the host-add was to setup a host principal with a 
one-time password. Without specifying the host principal, isn't the 
ipa-client-install trying to use the specified password to auth me, and not the 
host?

Thanks,
Ian



Re: [Freeipa-users] howto modify krb principal attributes without kadmin.local

2012-05-15 Thread Simo Sorce
On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
> So going through the documentation it's clearly laid out not to use
> kadmin or kadmin.local when using freeipa.  I have been unable to find
> how to replace this functionality in the documentation.
> 
> If I could use kadmin.local on my kdc I would like to run the
> following command
> 
> modprinc +requires_hwauth user
> 
> Am I going to need to extend/modify the krb5 schema to modify
> principals attributes in this way?
> 
For this specific change you can use kadmin.local, but the IPA UI will
not report anything about it to you.

The flags part is still a weak point of the Web UI. If you want, you can
open an RFE ticket to ask for better support for these flags; we need to
do it at some point, we simply haven't yet, as we have concentrated on more
important and pressing issues so far.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)

2012-05-15 Thread Rob Crittenden

Ian Levesque wrote:

Hi,

I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts via 
kickstart. Unfortunately, it's not working via kickstart and when I try running the 
commands by hand on a freshly-installed host, it still fails with "kinit: Client not 
found in Kerberos database while getting initial credentials".

The freeipa docs [1] seem to indicate that this is as easy as:

   1) ipa host-add  --password=secret
   2) ensuring ipa-client is installed in the kickstart
   3) running ipa-client-install with the principal set as host/  and 
providing the password

I believe I've done what's required on the server:

# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
  -
  Added host "ian-ultra24-dmz.in.hwlab"
  -
   Host name: ian-ultra24-dmz.in.hwlab
   Keytab: False
   Password: True
   Managed by: ian-ultra24-dmz.in.hwlab

(I've deleted and re-added the host after each ipa-client-install attempt)

And on the client:

# rpm -qa | grep ipa-client
  ipa-client-2.1.3-9.el6.x86_64

# /usr/sbin/ipa-client-install --domain=in.hwlab 
--principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.


Don't set the principal and it will work, just drop the --principal bit. 
The principal doesn't exist yet which is why things are failing (or more 
precisely, the principal with that principal key doesn't exist yet).


rob



[Freeipa-users] howto modify krb principal attributes without kadmin.local

2012-05-15 Thread Thomas Jackson
So going through the documentation it's clearly laid out not to use kadmin
or kadmin.local when using freeipa.  I have been unable to find how to
replace this functionality in the documentation.

If I could use kadmin.local on my kdc I would like to run the following
command

modprinc +requires_hwauth user

Am I going to need to extend/modify the krb5 schema to modify principals
attributes in this way?

Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Ben Ho

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.
-Ben
Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers
  that are running IPA.  I am trying to replicate one server to
  two other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.
   However, on the second server I get this message in my log
  files.  The errors get printed out once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
  agmt="cn=meToexample1.edu" (example1:389): Schema replication
  update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin -
  agmt="cn=meToexample1.edu" (example1:389): Warning: unable to
  replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
  agmt="cn=meToexample2.edu" (example2:389): Schema replication
  update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin -
  agmt="cn=meToexample2.edu" (example2:389): Warning: unable to
  replicate schema: rc=1

  Again, I am pretty new to this, so any help or tips would
  be appreciated.

What platform and what version of 389-ds-base and ipa-server for all
of your servers?

  Thanks!

-Ben


Re: [Freeipa-users] FreeIPA and others

2012-05-15 Thread Steven Jones
8><--


What do you feel is the biggest struggle?

Is it the base core features, or is it external integration pains for things 
feature that don't exist yet?

8><---

Core functionality is fine and I'm very impressed with the UI and IPA's paper 
capability. You are correct, nothing else on paper at least comes close... and 
I've tried a few things searching for a solution: FDS, 389... Sun's, Novell's, 
Oracle's LDAP/IdMs... all ouch... Given time I think IPA will be an award winner 
personally... it will be/is like AD, a game changer

:)

The two things that hurt me a lot are, yes, lack of external integration and fault 
finding.  The former can be "easily" fixed with a depth of docs that will come 
in time. Partially this means I think that RH needs to engage with hardware 
vendors like EMC, Bluearc, Bluecoat (to name my three pain points) to provide 
accurate docs at least and if possible make it easier... with automation... I'm 
trying to get there and I will write up howtos... I'm doing NFS and Bluearc at 
present, EMC and Bluecoat soon.  Doesn't help that I lack fundamentals in some 
areas... that isn't IPA's fault.

The biggest obvious issue I have day to day is fault finding IPA; improving 
message codes would be one area to look at.

regards



Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Steven Jones
firewall?


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Ben Ho [ben1...@hotmail.com]
Sent: Wednesday, 16 May 2012 8:49 a.m.
To: rmegg...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

This is the information I retrieved about my server.

ipa-server-selinux-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
CentOS release 6.2
389-ds-base-1.2.9.14-1.el6_2.2.x86_64

Thanks again.

-Ben


Date: Tue, 15 May 2012 13:15:46 -0600
From: rmegg...@redhat.com
To: ben1...@hotmail.com
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help with ipa-replica-manage

On 05/15/2012 01:00 PM, Ben Ho wrote:
Hello,
  I am pretty new to IPA.  Right now I have three servers that are running IPA. 
 I am trying to replicate one server to two other servers.  I use this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the 
second server I get this message in my log files.  The errors get printed out 
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" 
(example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" 
(example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" 
(example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" 
(example2:389): Warning: unable to replicate schema: rc=1


  Again, I am pretty new to this, so any help or tips would be appreciated.

What platform and what version of 389-ds-base and ipa-server for all of your 
servers?


  Thanks!

-Ben





Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Steven Jones
Hi,

For me it sounds like you have not configured Firefox to use IPA or CentOS is 
missing a package/rpm. What strikes me as strange is you should get pop-ups 
telling/helping you do it... just following them makes it easy.

If you have and it just won't work, I suggest moving to password authentication 
to get you past that problem so you can get on with testing.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Chandan Kumar [chandank.ku...@gmail.com]
Sent: Wednesday, 16 May 2012 2:35 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Help regarding Basic FreeIPA setup

Hi,
I am running the default Firefox that comes with CentOS 6.2. I guess that 
whatever time I do kinit, it just does not work for me, not even a single time.

Also it shows that I am logged in as u...@freeipa.org in the main background 
web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,



I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't connect, 
but that's a Safari issue I'm sure.

After running "kinit admin" I find the Kerberos ticket expires about 24 hours 
later, so you have to renew?  What you can do if it simply won't work is get IPA 
to fall back to asking for a password, which is what I have had to set for 
Windows 7 Firefox users.

It might depend on which version of Firefox; 3 and 10 do work... I think RH 
say Firefox 10 is the long term supported version for them, so I'd run that at 
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie in IPA and was experimenting it on my couple of VMs before 
considering it for production level.

Installation went fine; however, I am getting the Kerberos key expiration error 
in Firefox. I am running Firefox on the same machine where I have 
installed/configured ipa-server. After googling and some help on IRC I checked 
the documentation to troubleshoot it, as this appears to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Firefox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = 
ipaserver.example.com
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/







--
Sent from my iPad

Re: [Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Rich Megginson

On 05/15/2012 01:00 PM, Ben Ho wrote:

Hello,
  I am pretty new to IPA.  Right now I have three servers that are 
running IPA.  I am trying to replicate one server to two other 
servers.  I use this command:


ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on 
the second server I get this message in my log files.  The errors get 
printed out once every 1 to 5 minutes.


[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
agmt="cn=meToexample1.edu" (example1:389): Schema replication update 
failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - 
agmt="cn=meToexample1.edu" (example1:389): Warning: unable to 
replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meToexample2.edu" (example2:389): Schema replication update 
failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meToexample2.edu" (example2:389): Warning: unable to 
replicate schema: rc=1



  Again, I am pretty new to this, so any help or tips would be 
appreciated.


What platform and what version of 389-ds-base and ipa-server for all of 
your servers?




  Thanks!

-Ben




[Freeipa-users] Help with ipa-replica-manage

2012-05-15 Thread Ben Ho

Hello,
  I am pretty new to IPA.  Right now I have three servers that are 
running IPA.  I am trying to replicate one server to two other servers.  I use 
this command:

ipa-replica-manage re-initialize --from example2.edu

  On the first server I need to replicate, it works fine.  However, on the 
second server I get this message in my log files.  The errors get printed out 
once every 1 to 5 minutes.

[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" 
(example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" 
(example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" 
(example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" 
(example2:389): Warning: unable to replicate schema: rc=1

  Again, I am pretty new to this, so any help or tips would be appreciated.
  Thanks!
-Ben
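As an added example (not code from the thread or from the 389-ds/FreeIPA projects), a small Python checker that parses 389-ds errors-log lines of the form Ben quotes above and flags replication agreements whose schema replication failures keep recurring, which is the "once every 1 to 5 minutes" pattern described; the sample lines are constructed from the post's own messages, and the function names and thresholds are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the errors-log lines quoted in the post
# (agreement names and timestamps taken from the thread, plus one extra
# failure cycle and one unrelated success line; not a real capture).
SAMPLE_LOG = """\
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
[15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:25:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
[15/May/2012:14:25:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
[15/May/2012:14:26:01 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Replica acquired successfully: Incremental update started
"""

# One errors-log line: "[timestamp] NSMMReplicationPlugin - agmt="<name>" (<peer>): <message>"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): (?P<msg>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # 389-ds log timestamp, e.g. 15/May/2012:14:22:43 -0400
FAILURE_MARKER = "Schema replication update failed"


def parse_events(text):
    """Return a list of dicts for every NSMMReplicationPlugin line in `text`.

    Lines from other plugins or that do not fit the agreement format are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "agmt": m.group("agmt"),
            "peer": m.group("peer"),
            "msg": m.group("msg"),
        })
    return events


def summarize_schema_failures(events):
    """Per agreement: how many schema pushes failed, over what window, and why."""
    summary = {}
    for ev in events:
        if FAILURE_MARKER not in ev["msg"]:
            continue
        # The text after the first colon is the LDAP result ("Type or value exists").
        reason = ev["msg"].split(":", 1)[1].strip()
        s = summary.setdefault(ev["agmt"], {
            "peer": ev["peer"], "count": 0,
            "first": ev["ts"], "last": ev["ts"], "reasons": set(),
        })
        s["count"] += 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["reasons"].add(reason)
    return summary


def persistent_failures(summary, min_count=2, min_span=timedelta(minutes=1)):
    """Agreements that failed at least `min_count` times across at least `min_span`.

    A single failure can be a transient race during an online init; repeated
    failures spread over minutes are the recurring pattern worth investigating.
    """
    flagged = []
    for agmt, s in sorted(summary.items()):
        if s["count"] >= min_count and (s["last"] - s["first"]) >= min_span:
            flagged.append(agmt)
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    summ = summarize_schema_failures(ev)
    for agmt in persistent_failures(summ):
        s = summ[agmt]
        print(f"{agmt} -> {s['peer']}: {s['count']} schema push failures "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}; "
              f"reasons: {', '.join(sorted(s['reasons']))}")
```

Run it against a copy of the real errors log (for example `/var/log/dirsrv/slapd-<INSTANCE>/errors`, instance name being site-specific) to see which agreements are stuck rather than reading the log by eye.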

Re: [Freeipa-users] Split enrollment (adding hosts via kickstart)

2012-05-15 Thread Ian Levesque

On May 15, 2012, at 2:59 PM, Ian Levesque wrote:

> # /usr/sbin/ipa-client-install --domain=in.hwlab 
> --principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
> --server=sbgrid-directory.in.hwlab --unattended
> DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
> KDC address will be set to fixed value.
> 
> Discovery was successful!
> Hostname: ian-ultra24-dmz.in.hwlab
> Realm: SBGRID.ORG
> DNS Domain: in.hwlab
> IPA Server: sbgrid-directory.in.hwlab
> BaseDN: dc=sbgrid,dc=org
> 
> 
> Synchronizing time with KDC...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> 
> kinit: Client not found in Kerberos database while getting initial credentials
> 
> Installation failed. Rolling back changes.
> IPA client is not configured on this system.


ipaclient-install.log attached.

[Freeipa-users] Split enrollment (adding hosts via kickstart)

2012-05-15 Thread Ian Levesque
Hi,

I'm running ipa-server-2.1.3-9, trying to perform our first bulk-add of hosts 
via kickstart. Unfortunately, it's not working via kickstart and when I try 
running the commands by hand on a freshly-installed host, it still fails with 
"kinit: Client not found in Kerberos database while getting initial 
credentials".

The freeipa docs [1] seem to indicate that this is as easy as:

  1) ipa host-add  --password=secret
  2) ensuring ipa-client is installed in the kickstart
  3) running ipa-client-install with the principal set as host/ and 
providing the password

I believe I've done what's required on the server:

# ipa host-add ian-ultra24-dmz.in.hwlab --password=foobar
 -
 Added host "ian-ultra24-dmz.in.hwlab"
 -
  Host name: ian-ultra24-dmz.in.hwlab
  Keytab: False
  Password: True
  Managed by: ian-ultra24-dmz.in.hwlab

(I've deleted and re-added the host after each ipa-client-install attempt)

And on the client:

# rpm -qa | grep ipa-client
 ipa-client-2.1.3-9.el6.x86_64

# /usr/sbin/ipa-client-install --domain=in.hwlab 
--principal=HOST/ian-ultra24-dmz.in.hwlab -w=foobar --realm=SBGRID.ORG 
--server=sbgrid-directory.in.hwlab --unattended
DNS domain 'sbgrid.org' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: ian-ultra24-dmz.in.hwlab
Realm: SBGRID.ORG
DNS Domain: in.hwlab
IPA Server: sbgrid-directory.in.hwlab
BaseDN: dc=sbgrid,dc=org


Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.

kinit: Client not found in Kerberos database while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any help would be appreciated.

Thanks!
Ian


--
1. 
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html



[Freeipa-users] Thanks -- Re: Bug or feature regarding External Host in IPA net groups?

2012-05-15 Thread Gelen James
Hi Rob,

 Thanks a lot for confirming the effect and clear and plain explanation of 
'external host' idea. I've filed a feature request type bug as you have 
recommended.  The bug link is here for your reference: Bug 821907 - Feature 
Request: convert once External Hosts into Member Hosts after 
ipa-client-install ..

 I'll follow your steps to test the replication recovery on another thread now.

Thanks again for your help.

--Gelen.





 From: Rob Crittenden 
To: Gelen James  
Cc: "d...@redhat.com" ; "Freeipa-users@redhat.com" 
 
Sent: Tuesday, May 15, 2012 9:41 AM
Subject: Re: [Freeipa-users] Bug or feature regarding External Host in IPA net 
groups?
 
Gelen James wrote:
>
> Hi all,
>
> Not sure whether it is a bug or a feature, but when I evaluate the IPA net
> groups, the 'external host' feature brings me some unexpected results.
> I'll list them below -- I am running IPA 2.1.3-9 on Redhat 6.2.
>
> 1, when I added a host into an IPA netgroup in command line mode, 'ipa
> netgroup-add-member  --hosts='. When the host is not
> yet installed/configured as an IPA client, it shows in the 'external host'
> category, in the output of the 'ipa netgroup-find ' command.
> The 'external host' doesn't show up in the Web interface for the IPA net
> group. But it does show up when running 'ipa netgroup-find', or even
> 'getent ' by sssd.
>
> 2, After the 'external host' is configured as an IPA client -- 'ipa
> user-find  proves it' -- it is still reported as 'external host'
> by the command 'ipa netgroup-find', and still does not show up in the web
> interface either. Could this be a bug?
>
> 3, because of #2 above, when this machine is reconfigured, and removed
> with 'ipa user-del ', it still shows up in the containing netgroups
> and nested netgroups, and has to be removed manually. :(
>
> 4, This could be a real bug: You can add an 'external host' with either
> a host's bare name, or FQDN name. Then after the machine is installed,
> and you would like to remove it from the 'external host' category with
> the command 'ipa user-del ', it will remove the FQDN name entry
> only! and leave the bare name there forever, until you delete the whole
> containing netgroup!
>
> [root@ipaclient02 ~]# ipa netgroup-find external-ng
> ---
> 1 netgroups matched
> ---
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02,
> ipaclient02.mac.example.com
>
> 
> Number of entries returned 1
> 
>
> [root@ipaclient02 ~]# getent netgroup external-ng
> external-ng (dnsmaster.example.com, -, example.com)
> (ipaclient02.mac.example.com, -, example.com)
>
> [root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> ---
> Number of members removed 1
> ---
>
> [root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> Failed hosts/hostgroups:
> member host: ipaclient02.example.com: This entry is not a member
> ---
> Number of members removed 0
> ---
> [root@ipaclient02 ~]#
>

An external host is one that is never expected to be added as a host in 
IPA, however we don't prevent it. There is no reconciliation done if an 
external host is added as an IPA host, as you've seen. If you'd like 
this please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this 
will prevent a bare name or not I'm not sure. I don't know why we would 
care whether it was fully qualified or not, though yeah, it appears we 
are automatically adding the domain. I tested this in 2.2 and it worked 
as expected, a bare name was deletable.

rob

Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 57

2012-05-15 Thread Westerlund Johnny
Message: 2
Date: Tue, 15 May 2012 17:46:15 +0200
From: Adrien Rami 
To: freeipa-users@redhat.com 
Subject: [Freeipa-users] Problem Active Directory Synchronisation:
ipawinsyncuserflatten false
Message-ID: 
Content-Type: text/plain; charset="utf-8"

Hi all,

Let me introduce myself. I am Adrien Rami and I am an open source developer.

I work on a project with FreeIPA and I am trying to sync an Active Directory with 
FreeIPA, with the special case that I want to sync the Organisational Units.

I set ipawinsyncuserflatten to false but unfortunately it didn't work.

Is there a way to do this? If yes, has someone done that and do they have some 
information for me?

Best regards

Adrien Rami





Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-15 Thread Rob Crittenden

Robinson Tiemuqinke wrote:

Hi Dmitri, Rich and all,

I am a newbie to Redhat IPA. It looks pretty cool compared with
other solutions I've tried before. Thanks a lot for this great product! :)

But there are still some things I need your help with. My main question is:
How to restore the IPA setup with a daily machine-level IPA Replica backup?

Please let me explain my IPA setup background and backup/restore goals
trying to reach:

I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup
with Dogtag CA system. It is installed first. Then two IPA replicas are
installed -- with '--setup-ca' options -- for load balancing and
failover purposes.

To describe my problems/objectives, I'll name the IPA Master as machine
A, IPA replicas as B and C. and now I've one more extra IPA replica 'D'
(virtual machine) setup ONLY for backup purposes.
The setup looks like the following, A is the configuration Hub. B,C,D
are siblings.

A
/ | \
B C D

The following are the steps I backup IPA setups and LDAP backends daily
-- it is a whole machine-level backup (through virtual machine D).

1, First, IPA replica D is backed up daily. The backup happens like this:

1.1 on IP replica D, run 'service IPA stop'. Then run 'shutdown -h '.
On the Hypervisor which holds virtual machine D, do a daily backup of
the whole virtual disk that D is on.
1.2 turn on the IP replica D again.
1.3 after virtual machine D is up, on D optionally run a
'ipa-replica-manage --force-sync --from ' to sync the IPA databases
forcibly.

Now comes the restore part, which is pretty confusing to me. I've tried
several times, and every time it comes with this or that kind of issue, and
so I am wondering whether the correct steps/interaction of IPA Master/replicas
are the king :(

2, case #1, A is broken, like disc failure, and then re-imaged after
several days.

2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the
daily backup from IPA replica D?


The first thing you'll need to do is to connect your other replicas 
together, either by picking a new hub or adding links to each one. Then 
you'll need to delete the replication agreement to A. You should be left 
with a set of servers that continues to replicate.


So, for arguments sake, we promote B to be the new hub:

On B:

# ipa-replica-manage connect C
# ipa-replica-manage connect D
# ipa-replica-manage del --force A
# ipactl restart

On C:

# ipa-replica-manage del --force A
# ipactl restart

On D:

# ipa-replica-manage del --force A
# ipactl restart

It is unclear what you mean by re-imaged. Are you restoring from backup 
or installing it fresh? I'll assume it is a new install. You'll need to 
prepare a replica file for A and install it as a replica. Then, if you 
want to keep A as the primary, you'll need to change the replication 
agreements back so that it is the hub (using ipa-replica-manage connect and 
disconnect).


When you install the new A server it should get all the changes needed, 
you should be done.


You'll want to check the documentation on promoting a master to verify 
that only one server is the CRL generator (at this point there may be none).



2.2 Do I have to check some files on A into subversion immediately after
A was initially installed?


The only thing you really need to save is the cacert.p12 file. This is 
your root CA.



2.3 Please describe the steps. I'll follow exactly and report the results.

3, Case #2: A is working, but either B or C is broken.

3.1 It looks like I don't need the daily backup of D to kick in; is that
right?


No, D is unrelated.


3.2 What are the correct steps on A, and on B after it is re-imaged?


On A:
# ipa-replica-manage del B
# ipactl restart
# ipa-replica-prepare B

On B
# ipa-replica-install B

You'll probably need/want to clean RUV, 
http://directory.fedoraproject.org/wiki/Howto:CLEANRUV



3.3 Please describe the steps. I'll follow exactly and report the results.

4, Case #3: some unexpected IPA changes happen on A -- like all
users being deleted by human mistake -- and, even worse, all the changes
are propagated to B and C in minutes.

4.1 How can I recover the IPA setup from the daily backup from D?


We have not yet documented how to recover from tombstones or an offline 
replica.



4.2 Which IPA master/replicas should I recover first? IPA master A, or
IPA replicas B/C? And then how to recover the others one by one?


If the entries are re-added on any of the replicas it will be propagated 
out.



4.3 Do I have to disconnect replication agreement of B,C,D from A first?


Depends on how 4.1 gets answered which we are still investigating.


4.4 Please describe the steps. I'll follow exactly and report the results.

I've heard something about tombstone records too. Not sure whether the
problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I
avoid it with the correct recovery steps/interactions?


It is RUV that is the problem. This 389-ds wiki page describes how to 
clean up: http://directory.fedoraproject.org/wiki/Howt
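A pre-flight check for the "case #1" procedure in the reply above, added here as an example (not code from the thread or from the FreeIPA project): it treats the replication agreements as a graph, verifies that B, C and D would still reach each other once A is dropped, and emits the `connect` / `del --force` / `ipactl restart` sequence in the order the reply gives. Server names are placeholders.

```python
"""Pre-flight check before dropping a broken IPA server from the replication
topology (A is the hub; B, C and D each replicate only with A).

Added example, not code from the thread or from the FreeIPA project. It
models replication agreements as undirected edges, checks whether the
surviving servers stay connected after the broken server is removed, and
lists the commands from the reply: connect the survivors to a new hub
first, then `del --force` the broken server on every survivor.
"""
from collections import deque


def components(nodes, edges):
    """Connected components of the agreement graph (agreements are two-way)."""
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps


def survivors_connected(nodes, edges, broken):
    """True if every remaining server still has a replication path to the rest."""
    remaining = [n for n in nodes if n != broken]
    kept = [(a, b) for a, b in edges if broken not in (a, b)]
    return len(components(remaining, kept)) <= 1


def plan_removal(nodes, edges, broken, new_hub):
    """Commands to run, in order, as '<server># <command>' lines.

    Step 1: on new_hub, connect one server from every island that would be
            cut off, so the survivors keep replicating among themselves.
    Step 2: on every survivor, drop the agreement to the broken server and
            restart IPA (the del --force / ipactl restart pairs from the reply).
    """
    if broken not in nodes or new_hub not in nodes or new_hub == broken:
        raise ValueError("new_hub must be a surviving server in the topology")
    remaining = [n for n in nodes if n != broken]
    kept = [(a, b) for a, b in edges if broken not in (a, b)]
    comps = components(remaining, kept)
    hub_comp = next(c for c in comps if new_hub in c)
    cmds = []
    for comp in sorted(comps, key=min):
        if comp == hub_comp:
            continue
        cmds.append(f"{new_hub}# ipa-replica-manage connect {min(comp)}")
    for server in remaining:
        cmds.append(f"{server}# ipa-replica-manage del --force {broken}")
        cmds.append(f"{server}# ipactl restart")
    return cmds


if __name__ == "__main__":
    # Constructed topology from the thread: A is the hub, B/C/D hang off it.
    NODES = ["A", "B", "C", "D"]
    EDGES = [("A", "B"), ("A", "C"), ("A", "D")]
    print("survivors connected without A:", survivors_connected(NODES, EDGES, "A"))
    for line in plan_removal(NODES, EDGES, "A", new_hub="B"):
        print(line)
```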

Re: [Freeipa-users] Bug or feature regarding External Host in IPA net groups?

2012-05-15 Thread Rob Crittenden

Gelen James wrote:


Hi all,

Not sure whether it is a bug or a feature, but when I evaluate IPA net
groups, the 'external host' feature brings me some unexpected results.
I'll list them below -- I am running IPA 2.1.3-9 on Red Hat 6.2.

1, When I added a host to an IPA netgroup in command line mode, 'ipa
netgroup-add-member  --hosts=', and the host is not
yet installed/configured as an IPA client, it shows in the 'external host'
category in the output of the 'ipa netgroup-find ' command.
The 'external host' doesn't show up in the web interface for the IPA net
group. But it does show up when running 'ipa netgroup-find', or even
'getent ' via sssd.

2, After the 'external host' is configured as an IPA client -- 'ipa
user-find  proves it' -- it is still reported as 'external host'
by the command 'ipa netgroup-find', and still does not show up in the web
interface either. Could this be a bug?

3, Because of #2 above, when this machine is reconfigured and removed
with 'ipa user-del ', it still shows up in the containing netgroups
and nested netgroups, and has to be removed manually. :(

4, This could be a real bug: you can add an 'external host' with either
a host's bare name or its FQDN. Then after the machine is installed,
and you would like to remove it from the 'external host' category with the
command 'ipa user-del ', it will remove the FQDN entry
only! and leave the bare name there forever, until you delete the whole
containing netgroup!

[root@ipaclient02 ~]# ipa netgroup-find external-ng
---
1 netgroups matched
---
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02,
ipaclient02.mac.example.com


Number of entries returned 1


[root@ipaclient02 ~]# getent netgroup external-ng
external-ng (dnsmaster.example.com, -, example.com)
(ipaclient02.mac.example.com, -, example.com)

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
--hosts=ipaclient02
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02
---
Number of members removed 1
---

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
--hosts=ipaclient02
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02
Failed hosts/hostgroups:
member host: ipaclient02.example.com: This entry is not a member
---
Number of members removed 0
---
[root@ipaclient02 ~]#



An external host is one that is never expected to be added as a host in 
IPA, however we don't prevent it. There is no reconciliation done if an 
external host is added as an IPA host, as you've seen. If you'd like 
this please file an enhancement request at https://fedorahosted.org/freeipa/


In 3.0 we have added validation of external host names. Whether this 
will prevent a bare name or not I'm not sure. I don't know why we would 
care whether it was fully qualified or not, though yeah, it appears we 
are automatically adding the domain. I tested this in 2.2 and it worked 
as expected, a bare name was deletable.


rob
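An audit for the situation the thread shows, added here as an example (not code from the thread or from FreeIPA): IPA does not reconcile an external host once the same machine is enrolled, and in the output above the bare name 'ipaclient02' is qualified with the IPA domain ('ipaclient02.example.com') rather than the enrolled name ('ipaclient02.mac.example.com'), so the bare entry is left behind. The script compares external entries against enrolled hosts under every domain the administrator says a bare name might belong to; all names are constructed.

```python
"""Audit a netgroup's 'external host' entries against enrolled IPA hosts.

Added example, not code from the thread or from FreeIPA. It reports external
entries (bare or fully qualified) that now denote an enrolled host, so they
can be cleaned up instead of silently keeping netgroup membership outside
the host object's lifecycle. Host names and domains are constructed.
"""


def normalize(name):
    """Lower-case and drop a trailing dot: 'Host.Example.com.' == 'host.example.com'."""
    return name.strip().rstrip(".").lower()


def candidate_fqdns(entry, domains):
    """FQDNs an external-host entry may denote: itself if already qualified,
    otherwise the bare name under each candidate domain."""
    entry = normalize(entry)
    if "." in entry:
        return {entry}
    return {f"{entry}.{normalize(d)}" for d in domains}


def same_host(entry, fqdn, domains):
    """True if the netgroup entry could refer to the enrolled host `fqdn`."""
    return normalize(fqdn) in candidate_fqdns(entry, domains)


def shadowed_external_hosts(external_hosts, enrolled_hosts, domains):
    """Map each external entry that now matches an enrolled host to that host."""
    found = {}
    for entry in external_hosts:
        for fqdn in enrolled_hosts:
            if same_host(entry, fqdn, domains):
                found[entry] = normalize(fqdn)
                break
    return found


def entries_to_remove(external_hosts, host, domains):
    """Every entry (bare or qualified) denoting `host`, so a removal can cover
    both forms instead of only the FQDN as happened in the thread."""
    return sorted(e for e in external_hosts if same_host(e, host, domains))


if __name__ == "__main__":
    # Constructed from the 'ipa netgroup-find external-ng' output posted above.
    external = ["dnsmaster.example.com", "ipaclient02", "ipaclient02.mac.example.com"]
    enrolled = ["ipaclient02.mac.example.com"]
    # With only the IPA domain, the bare name is qualified the way IPA did it and misses.
    print(shadowed_external_hosts(external, enrolled, ["example.com"]))
    # Adding the client's real subdomain catches both forms.
    print(shadowed_external_hosts(external, enrolled, ["example.com", "mac.example.com"]))
```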



Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar
The kinit does show that the keys are there.

[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/example@example.com




Thanks
Chandan





On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar wrote:

> Hi,
> I am running the default Firefox that comes with CentOS 6.2. I guess that
> whatever time I do kinit, it just does not work for me, even for a single
> time.
>
> Also it shows that I am logged in as u...@freeipa.org in the main
> background web page. Not sure whether it's relevant to this error.
>
>
> On Monday, 14 May 2012, Steven Jones wrote:
>
>>  Hi,
>>
>>
>>
>> I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't
>> connect, but that's a Safari issue, I'm sure.
>>
>> After running "kinit admin" I find the Kerberos ticket expires about 24
>> hours later, so you have to renew?  What you can do if it simply won't
>> work is get IPA to fall back to asking for a password, which is what I have
>> had to set for Windows 7 Firefox users.
>>
>> It might depend on which version of Firefox; 3 and 10 do work. I
>> think RH say Firefox 10 is the long term supported version for them, so I'd
>> run that at least.
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>   --
>> *From:* freeipa-users-boun...@redhat.com [
>> freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [
>> chandank.ku...@gmail.com]
>> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
>> *To:* d...@redhat.com
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>>
>>
>> System: Centos 6.2
>> IPA version : ipa-server-2.1.3-9.el6.x86_64
>>
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>
>> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>>
>>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>>
>>> I am a newbie in IPA and was experimenting with it on a couple of my VMs before
>>> considering it for production level.
>>>
>>> Installation went fine; however, I am getting the Kerberos key
>>> expiration error in Firefox. I am running Firefox on the same machine where
>>> I have installed/configured ipa-server. On googling and with some help in IRC I
>>> checked the documentation to troubleshoot it, as this appears to be a known
>>> problem.
>>>
>>> Moreover, I did follow
>>>
>>> http://freeipa.org/page/InstallAndDeploy
>>> http://freeipa.org/page/TroubleshootingGuide
>>>
>>> Firefox logs
>>>
>>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>>> -1977841888[7fc789f5b040]:   using negotiate-gss
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>>> [challenge=Negotiate]
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
>>> GSS failure.  Minor code may provide more information
>>> SPNEGO cannot find mechanisms to negotiate
>>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>>
>>> [root@ds var]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ad...@example.com
>>>
>>> Valid starting     Expires            Service principal
>>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>>> ipaserver.example@example.com
>>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>>> ipaserver.example@example.com
>>> [root@ds var]#
>>>
>>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>>
>>> at http://fpaste.org/9hXX/
>>>
>>> I am not sure what I am missing though. Appreciate any help.
>>>
>>> Thanks
>>> Chandan
>>>
>>>
>>>
>>>
>>>  Are you running FF on windows?
>>> Which version of IPA are you using?
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> ---
>>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>
>>
>
> --
> Sent from my iPad
>

Re: [Freeipa-users] Problem Active Directory Synchronisation: ipawinsyncuserflatten false

2012-05-15 Thread Rich Megginson

On 05/15/2012 09:46 AM, Adrien Rami wrote:

Hi all,

I introduce myself. I am Adrien Rami and I am an Open Source developer.

I work on a project with FreeIPA and I try to sync an Active Directory 
with FreeIPA, with the special case that I want to sync the 
Organisation Unit.


I set ipawinsyncuserflatten to false but unfortunately it didn't work.

Is there a way to do this? If yes, does someone do that and have some 
information for me?


What exactly did you try, and what was the result that you saw?  Note 
that if you create a new ou in AD, that will not sync to IPA.  You must 
create your ou structure on both sides.  And that won't work with IPA 
since IPA expects to have a flat DIT on the IPA side.


Perhaps if you could explain why you want to sync your AD structure to 
IPA, we could suggest some alternatives.




Best regards

Adrien Rami



Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-15 Thread Gelen James
Hi Sumit, 


 Thanks for your quick reply.
 
In the chapter
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups,
the netgroup migration script sets the '--usercat' and '--hostcat' options on IPA 
netgroups through the 'ipa netgroup-mod' command.

More specifically, when IPA imports host based netgroups with triples like 
(hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option 
'--usercat=all'. Does that mean that if this IPA netgroup is used in an HBAC rule, 
the rule will be applied to all users on hostA and hostB? Am I right? :)

BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? 
The HBAC rules are defined using hosts/hostgroups, and no NIS groups are 
involved, right? I may be completely wrong here.

Thanks.

--Gelen








 From: Sumit Bose 
To: freeipa-users@redhat.com 
Sent: Tuesday, May 15, 2012 1:48 AM
Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and 
'--hostcat' options to IPA net groups?
 
On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> Hi all,
> 
>  The online manual says that '--usercat' means 'User category the rule 
> applies to'; '--hostcat' has a similar explanation. But I still don't 
> understand how that could be used in real life and when/where to use the 
> options.
> 
>  Could anyone please shed some light on this? Thanks a lot.

IIRC these options were introduced with host based access control
(HBAC) and are used to identify categories/classes of users and hosts
in a more general way than using groups or IP address ranges. I think
currently only the keyword 'all' can be used here, which e.g. means that
an HBAC rule will match for all users or all hosts. In future it is
planned to support other categories, e.g. something like 'local' and
'remote', which would catch all users/hosts of the local IPA domain or
all users/groups which are coming from remote domains, respectively.

HTH

bye,
Sumit

> 
> --David

> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
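A model of the category semantics Sumit describes above, together with the NIS-style import Gelen asks about, added here as an example (not FreeIPA's own code; a simplified model written for this thread, not the server's HBAC plugin): a category of 'all' matches every user, host or service, otherwise only explicit members match, and host-only triples like (hostA,-,-) import as a netgroup of hosts whose user category is 'all'. Names are constructed.

```python
"""Simplified model of '--usercat' / '--hostcat' on HBAC rules and netgroups.

Added example, not FreeIPA code. Rule semantics modelled here: a category
of 'all' matches everything, otherwise only listed members match; HBAC is
allow-only, so access is granted when at least one rule matches. Hosts of
an imported netgroup are referenced from a rule as a host group, which is
a simplification for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Netgroup:
    name: str
    hosts: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)
    usercategory: Optional[str] = None   # 'all': every triple has '-' for the user
    hostcategory: Optional[str] = None   # 'all': every triple has '-' for the host


@dataclass
class HBACRule:
    name: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    usercategory: Optional[str] = None
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None


def import_nis_netgroup(name: str, triples: List[Tuple[str, str, str]]) -> Netgroup:
    """Turn NIS (host, user, domain) triples into a Netgroup. A '-' in every
    user field means 'any user', which is what --usercat=all expresses."""
    ng = Netgroup(name)
    for host, user, _domain in triples:
        if host != "-":
            ng.hosts.add(host)
        if user != "-":
            ng.users.add(user)
    if triples and all(user == "-" for _h, user, _d in triples):
        ng.usercategory = "all"
    if triples and all(host == "-" for host, _u, _d in triples):
        ng.hostcategory = "all"
    return ng


def _matches(category: Optional[str], members: Set[str], value: str) -> bool:
    """'all' short-circuits membership; otherwise the value must be listed."""
    return category == "all" or value in members


def rule_matches(rule: HBACRule, user: str, host: str, service: str,
                 hostgroups: Dict[str, Set[str]]) -> bool:
    """True if the rule grants `user` access to `service` on `host`."""
    hosts = set(rule.hosts)
    for group in rule.hostgroups:
        hosts |= hostgroups.get(group, set())
    return (_matches(rule.usercategory, rule.users, user)
            and _matches(rule.hostcategory, hosts, host)
            and _matches(rule.servicecategory, rule.services, service))


def matching_rules(rules: List[HBACRule], user: str, host: str, service: str,
                   hostgroups: Dict[str, Set[str]]) -> List[str]:
    """Names of rules allowing the access; an empty list means denied."""
    return [r.name for r in rules if rule_matches(r, user, host, service, hostgroups)]


if __name__ == "__main__":
    # Constructed: the host-based netgroup from the question, imported from NIS.
    web = import_nis_netgroup("webservers", [("hostA", "-", "-"), ("hostB", "-", "-")])
    groups = {"webservers": web.hosts}
    ssh_web = HBACRule("ssh_to_web", hostgroups={"webservers"},
                       usercategory="all", services={"sshd"})
    admins = HBACRule("admins_anywhere", users={"bob"},
                      hostcategory="all", servicecategory="all")
    for who, where, what in [("alice", "hostA", "sshd"), ("alice", "hostC", "sshd"),
                             ("bob", "hostC", "ftp")]:
        print(who, where, what, matching_rules([ssh_web, admins], who, where, what, groups))
```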


[Freeipa-users] Problem Active Directory Synchronisation: ipawinsyncuserflatten false

2012-05-15 Thread Adrien Rami
Hi all, 

I introduce myself. I am Adrien Rami and I am an Open Source developer.

I work on a project with FreeIPA and I try to sync an Active Directory with 
FreeIPA, with the special case that I want to sync the Organisation Unit.

I set ipawinsyncuserflatten to false but unfortunately it didn't work.

Is there a way to do this? If yes, does someone do that and have some 
information for me?

Best regards

Adrien Rami




[Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar
Hi,
I am running the default Firefox that comes with CentOS 6.2. I guess that
whatever time I do kinit, it just does not work for me, even for a single
time.

Also it shows that I am logged in as u...@freeipa.org in the main
background web page. Not sure whether it's relevant to this error.

On Monday, 14 May 2012, Steven Jones wrote:

>  Hi,
>
>
>
> I have run it on Mac OS X and RHEL 6.2, Firefox and Chrome; Safari won't
> connect, but that's a Safari issue, I'm sure.
>
> After running "kinit admin" I find the Kerberos ticket expires about 24
> hours later, so you have to renew?  What you can do if it simply won't
> work is get IPA to fall back to asking for a password, which is what I have
> had to set for Windows 7 Firefox users.
>
> It might depend on which version of Firefox; 3 and 10 do work. I think
> RH say Firefox 10 is the long term supported version for them, so I'd run
> that at least.
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>   --
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Chandan Kumar [chandank.ku...@gmail.com]
> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
> *To:* d...@redhat.com
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>
>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>
>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>
>> I am a newbie in IPA and was experimenting with it on a couple of my VMs before
>> considering it for production level.
>>
>> Installation went fine; however, I am getting the Kerberos key expiration
>> error in Firefox. I am running Firefox on the same machine where I have
>> installed/configured ipa-server. On googling and with some help in IRC I checked
>> the documentation to troubleshoot it, as this appears to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Firefox logs
>>
>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>> -1977841888[7fc789f5b040]:   using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>> [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
>> failure.  Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root@ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting     Expires            Service principal
>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>> ipaserver.example@example.com
>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>> ipaserver.example@example.com
>> [root@ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>  Are you running FF on windows?
>> Which version of IPA are you using?
>>
>>
>>
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> ---
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>>
>
>

-- 
Sent from my iPad

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-15 Thread JR Aquino
I have successfully utilized a similar procedure.  The restoration process is 
the same for both though.

I would be willing to accept the tickets and document the various backup and 
recovery methods.

Though, I'd like Dmitri's feedback on whether or not the team approves of 
making the "official" method of recovery from catastrophic failure be the use 
of frozen vm images.

"Keeping your head in the cloud"
~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
jr.aqu...@citrix.com
http://www.citrixonline.com

On May 15, 2012, at 2:16 AM, "Petr Spacek"  wrote:

> Hello,
> 
> IMHO it *must* be documented very well. Thanks for the scenario proposal!
> 
> There is a new documentation ticket: 
> https://fedorahosted.org/freeipa/ticket/2758
> 
> Another ticket exists for CA master recovery procedure: 
> https://fedorahosted.org/freeipa/ticket/2749
> 
> Petr^2 Spacek
> 
> On 05/15/2012 01:19 AM, Gelen James wrote:
>> Hi Dimitri,
>> 
>> Thanks a lot for your offer. It will be more than appreciated if Rob, or some
>> other talented genius, could wiki the steps. The more details, the sooner, and
>> the better. It will help the IPA project and its users dramatically, especially
>> newbies like me. :)
>> 
>> Thanks again to you, Rob and others for the coming documentation work.
>> 
>> 
>> --Gelen.
>> 
>> --
>> *From:* Dmitri Pal 
>> *To:* Robinson Tiemuqinke 
>> *Cc:* "Freeipa-users@redhat.com" ; Rich Megginson
>> 
>> *Sent:* Monday, May 14, 2012 1:20 PM
>> *Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA
>> Replica setup???
>> 
>> On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:
>>> Hi Dmitri, Rich and all,
>>> 
>>> I am a newbie to Red Hat IPA. It looks pretty cool compared with other
>>> solutions I've tried before. Thanks a lot for this great product! :)
>>> 
>>> But there are still some things I need your help with. My main question is:
>>> how to restore the IPA setup with a daily machine-level IPA replica backup?
>>> 
>>> Please let me explain my IPA setup background and the backup/restore goals
>>> I am trying to reach:
>>> 
>>> I'm running IPA 2.1.3 on Red Hat Enterprise 6.2. The IPA master is set up
>>> with the Dogtag CA system. It is installed first. Then two IPA replicas are
>>> installed -- with the '--setup-ca' option -- for load balancing and
>>> failover purposes.
>>> 
>>> To describe my problems/objectives, I'll name the IPA master machine A and
>>> the IPA replicas B and C, and now I have one more extra IPA replica 'D'
>>> (a virtual machine) set up ONLY for backup purposes.
>>> The setup looks like the following; A is the configuration hub and B, C, D
>>> are siblings.
>>> 
>>>     A
>>>   / | \
>>>  B  C  D
>>> 
>>> The following are the steps by which I back up the IPA setup and LDAP
>>> backends daily -- it is a whole machine-level backup (through virtual
>>> machine D).
>>> 
>>> 1, First, IPA replica D is backed up daily. The backup happens like this:
>>> 
>>> 1.1 On IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '. On
>>> the hypervisor which holds virtual machine D, do a daily backup of the
>>> whole virtual disk that D is on.
>>> 1.2 Turn on IPA replica D again.
>>> 1.3 After virtual machine D is up, on D optionally run 'ipa-replica-manage
>>> --force-sync --from ' to sync the IPA databases forcibly.
>>> 
>>> Now comes the restore part, which is pretty confusing to me. I've tried
>>> several times, and every time it runs into this or that kind of issue, so
>>> I am wondering what the correct steps/interaction of IPA master/replicas
>>> are :(
>>> 
>>> 2, Case #1: A is broken, like a disk failure, and then re-imaged after
>>> several days.
>>> 
>>> 2.1 How to rebuild the IPA master/hub A after A is re-imaged, with the
>>> daily backup from IPA replica D?
>>> 2.2 Do I have to check some files on A into subversion immediately after A
>>> was initially installed?
>>> 2.3 Please describe the steps. I'll follow exactly and report the results.
>>> 
>>> 3, Case #2: A is working, but either B or C is broken.
>>> 
>>> 3.1 It looks like I don't need the daily backup of D to kick in; is that 
>>> right?
>>> 3.2 What are the correct steps on A, and on B after it is re-imaged?
>>> 3.3 Please describe the steps. I'll follow exactly and report the results.
>>> 
>>> 4, Case #3: some unexpected IPA changes happen on A -- like all users
>>> being deleted by human mistake -- and, even worse, all the changes are
>>> propagated to B and C in minutes.
>>> 
>>> 4.1 How can I recover the IPA setup from the daily backup from D?
>>> 4.2 Which IPA master/replicas should I recover first? IPA master A, or IPA
>>> replicas B/C? And then how to recover the others one by one?
>>> 4.3 Do I have to disconnect the replication agreements of B, C, D from A first?
>>> 4.4 Please describe the steps. I'll follow exactly and

[Freeipa-users] Replica failing to install with ipa and RHEL6.2

2012-05-15 Thread Marc Grimme
Hello,
until today we had an ipa configuration with two directory servers 
(master/replica) up and running.
But today unfortunately the replica could not synchronize and has since then 
been unable to resynchronize.

I removed the replica from the master:
ipa-replica-manage --force del methusalix2.cl.atix

and then recreated the replica:
ipa-replica-prepare methusalix2.cl.atix --ip-address=192.168.3.3
Directory Manager (existing master) password:

Preparing replica for methusalix2.cl.atix from axinfra01-1.cl.atix
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into 
/var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
Adding DNS records for methusalix2.cl.atix
Using reverse zone 3.168.192.in-addr.arpa.

On the replica I then issued the proposed commands:
[root@methusalix2 ~]# scp 
192.168.40.102:/var/lib/ipa/replica-info-methusalix2.cl.atix.gpg /var/lib/ipa/
root@192.168.40.102's password:
Permission denied, please try again.
root@192.168.40.102's password:
replica-info-methusalix2.cl.atix.gpg
 100%   28KB  28.4KB/s   00:00
[root@methusalix2 ~]# ipa-replica-install --debug --setup-dns --forwarder=.. 
--forwarder=.. /var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
root: DEBUG/usr/sbin/ipa-replica-install was invoked with argument 
"/var/lib/ipa/replica-info-methusalix2.cl.atix.gpg" and options: 
{'no_forwarders': False, 'ui_redirect': True, 'reverse_zone': None, 
'unattended': False, 'no_host_dns': False, 'no_reverse': False, 'setup_dns': 
True, 'setup_ca': False, 'forwarders': [CheckedIPAddress('..'), 
CheckedIPAddress('..')], 'debug': True, 'conf_ntp': True, 'skip_conncheck': 
False}
root: DEBUGLoading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
root: DEBUGLoading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
Directory Manager (existing master) password:

root: DEBUGargs=/usr/bin/gpg --batch --homedir 
/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg --passphrase-fd 0 --yes --no-tty -o 
/tmp/tmpvVcfupipa/files.tar -d /var/lib/ipa/replica-info-methusalix2.cl.atix.gpg
root: DEBUGstdout=
root: DEBUGstderr=gpg: WARNING: unsafe permissions on homedir 
`/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg'
gpg: keyring `/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg/secring.gpg' created
gpg: keyring `/tmp/tmpvVcfupipa/ipa-GEv1oL/.gnupg/pubring.gpg' created
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
..
Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@cl.atix password:

Execute check on remote master
Check connection from master to remote replica 'methusalix2.cl.atix':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: port 80 (80): OK
   HTTP Server: port 443(https) (443): OK

Connection from master to replica is OK.

root: DEBUGargs=/usr/sbin/ipa-replica-conncheck --master 
axinfra01-1.cl.atix --auto-master-check --realm CL.ATIX --principal admin 
--hostname methusalix2.cl.atix
Connection check OK   
root: DEBUGimporting all plugin modules in 
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
root: DEBUGimporting plugin module 
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
root: DEBUGimp

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Simo Sorce
On Mon, 2012-05-14 at 19:11 -0400, Dmitri Pal wrote:
> On 05/14/2012 05:25 PM, Chandan Kumar wrote:
> >
> > System: Centos 6.2
> > IPA version : ipa-server-2.1.3-9.el6.x86_64
> >
> >
> > Thanks
> > Chandan
> >
> >
> 
> I am not sure but seems like something is not properly configured with
> the browser.
> I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
> on a working configuration.
> But I will defer to experts.
> 
Firefox always uses SPNEGO.
Here what fails is the init_sec_context; I assume the user does not have
a Kerberos ticket, so SPNEGO fails to find valid credentials for any of
the supported mechs and punts.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
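A check for the condition Simo describes above (and for the klist output Chandan posted earlier in this thread), added here as an example that is not code from the thread or from FreeIPA: it parses `klist` output in the layout shown in the thread and classifies the state of the ticket-granting ticket at a given time, since with no valid TGT gss_init_sec_context() has nothing to negotiate with. The sample output, principal names and the "no credentials cache" line are constructed.

```python
"""Classify a Kerberos credential cache from `klist` output.

Added example, not code from the thread or from FreeIPA. Parses the MIT
krb5 klist layout shown in the thread (RHEL 6 / CentOS 6) and reports
whether a usable TGT exists at a given time: the missing-or-expired TGT
case is what makes Firefox's SPNEGO negotiation fail.
"""
import re
from datetime import datetime

KLIST_TIME = "%m/%d/%y %H:%M:%S"
TICKET_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"   # Valid starting
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"    # Expires
    r"(\S+)$"                                # Service principal
)

# Constructed sample in the same layout as the klist output posted above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example.com@EXAMPLE.COM
"""

# Constructed: what klist prints when kinit was never run.
NO_CACHE = "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)"


def parse_klist(text):
    """Return (default principal or None, [(start, expires, service), ...])."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_LINE.match(line)
        if m:
            tickets.append((datetime.strptime(m.group(1), KLIST_TIME),
                            datetime.strptime(m.group(2), KLIST_TIME),
                            m.group(3)))
    return principal, tickets


def diagnose(text, now):
    """Classify the cache at time `now` (a datetime or a klist-format string).

    Returns one of:
      'no-cache'     no credential cache: nothing to negotiate with (run kinit)
      'no-tgt'       cache exists but holds no krbtgt/<REALM>@<REALM> ticket
      'tgt-expired'  the TGT's lifetime has run out (the ~24h case Steven mentions)
      'ok'           a valid TGT exists, so service tickets can be requested
    """
    if isinstance(now, str):
        now = datetime.strptime(now, KLIST_TIME)
    principal, tickets = parse_klist(text)
    if principal is None:
        return "no-cache"
    realm = principal.rsplit("@", 1)[-1]
    tgts = [t for t in tickets if t[2] == f"krbtgt/{realm}@{realm}"]
    if not tgts:
        return "no-tgt"
    if any(start <= now < expires for start, expires, _ in tgts):
        return "ok"
    return "tgt-expired"


def service_tickets(text, service_prefix):
    """Service principals already cached for e.g. 'HTTP/' (informational only)."""
    _, tickets = parse_klist(text)
    return [svc for _, _, svc in tickets if svc.startswith(service_prefix)]


if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, "05/14/12 15:00:00"))   # ok
    print(diagnose(SAMPLE_KLIST, "05/15/12 14:00:00"))   # tgt-expired
    print(diagnose(NO_CACHE, "05/14/12 15:00:00"))       # no-cache
```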



Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-15 Thread Petr Spacek

Hello,

IMHO it *must* be documented very well. Thanks for the scenario proposal!

There is a new documentation ticket: 
https://fedorahosted.org/freeipa/ticket/2758

Another ticket exists for CA master recovery procedure: 
https://fedorahosted.org/freeipa/ticket/2749


Petr^2 Spacek

On 05/15/2012 01:19 AM, Gelen James wrote:

Hi Dimitri,

Thanks a lot for your offer. It will be more than appreciated if Rob, or some
other talented genius, could wiki the steps. The more details, the sooner, and
the better. It will help the IPA project and its users dramatically, especially
newbies like me. :)

Thanks again to you, Rob and others for the coming documentation work.


--Gelen.

--
*From:* Dmitri Pal 
*To:* Robinson Tiemuqinke 
*Cc:* "Freeipa-users@redhat.com" ; Rich Megginson

*Sent:* Monday, May 14, 2012 1:20 PM
*Subject:* Re: Please help: How to restore IPA Master/Replicas from daily IPA
Replica setup???

On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote:

Hi Dmitri, Rich and all,

I am a newbie to Redhat IPA, It looks like pretty cool compared with other
solutions I've tried before. Thanks a lot for this great product! :)

But there are still some things I need your help with. My main question is: how
to restore the IPA setup with a daily machine-level IPA Replica backup?

Please let me explain my IPA setup background and the backup/restore goals I am
trying to reach:

I'm running IPA 2.1.3 on Redhat Enterprise 6.2. The IPA master is setup with
Dogtag CA system. It is installed first. Then two IPA replicas are installed
-- with '--setup-ca' options -- for load balancing and failover purposes.

To describe my problems/objectives, I'll name the IPA Master as machine A,
IPA replicas as B and C. and now I've one more extra IPA replica 'D'
(virtual machine) setup ONLY for backup purposes.
The setup looks like the following, A is the configuration Hub. B,C,D are
siblings.

    A
  / | \
 B  C  D

The following are the steps I backup IPA setups and LDAP backends daily --
it is a whole machine-level backup (through virtual machine D).

1, First, IPA replica D is backed up daily. The backup happens like this:

1.1 on IPA replica D, run 'service IPA stop'. Then run 'shutdown -h '. On
the Hypervisor which holds virtual machine D, do a daily backup of the whole
virtual disk that D is on.
1.2 turn on the IPA replica D again.
1.3 after virtual machine D is up, on D optionally run a 'ipa-replica-manage
--force-sync --from ' to sync the IPA databases forcibly.

Now comes the restore part, which is pretty confusing to me. I've tried
several times, and every time it comes up with this or that kind of issue, and so
I am wondering what the correct steps/interaction of IPA Master/replicas are,
as that is the key :(

2, case #1, A is broken, like disc failure, and then re-imaged after several
days.

2.1 How to rebuild the IPA Master/Hub A after A is re-imaged, with the daily
backup from IPA replica D?
2.2 do I have to check some files on A into subversion immediately after A
was initially installed?
2.3 Please describe the steps. I'll follow exactly and report the results.

3, case #2, A is working, but either B, or C is broken.

3.1 It looks that I don't need the daily backup of D to kick in, is that right?
3.2 What are the correct steps on A; and B after it is re-imaged?
3.3 Please describe the steps. I'll follow exactly and report the results.

4, case #3, If some unexpected IPA changes happen on A -- like all users
being deleted by human mistake -- and, even worse, all the changes are
propagated to B and C in minutes.

4.1 How can I recover the IPA setup from daily backup from D?
4.2 which IPA master/replicas I should recover first? IPA master A, or IPA
replicas B/C? and then how to recover others left one by one?
4.3 Do I have to disconnect replication agreement of B,C,D from A first?
4.4 Please describe the steps. I'll follow exactly and report the results.

I've heard something about tombstone records too. Not sure whether the
problem still exists in 2.1.3 or 2.2.0 (on 6.3 Beta)? If so, how can I avoid
it with the correct recovery steps/interactions?

Thanks a lot.

--Gelen.


I can explain it conceptually. Rob is probably best to define the exact
sequence and commands.

If your A is broken you reinstall it, make it connect to D and init (force
sync) A from D. Now you have a new A.

If B or C dies you just re-install B or C and init from A.

If you lost a lot of data I suggest you start a saved D instance and
force-sync A from it and then force sync B and C from A.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/  






___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
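Added example (not from this thread and not FreeIPA's own code or documentation): Dmitri's three cases written out as an ordered, per-host command plan, using the IPA 2.x tools the thread already mentions (ipa-replica-manage re-initialize / force-sync --from) plus ipa-replica-prepare, ipa-replica-install, ipa-replica-manage del/connect/list and ipa user-find. The host names, the assumption that D was installed with --setup-ca (so it can prepare A's replica file and A gets a CA clone back from it; the CA-master case is what ticket 2749 above is about), and the ssh/dry-run wrapper are illustrative assumptions. Two caveats the plan encodes: for case #3 it uses re-initialize (a total update) rather than force-sync, because an incremental sync would only carry A's newer deletions into the restored D instead of D's older data into A; and from the moment the restored D is running, A's own agreement can push those deletions into it, so the plan checks D before re-initializing A from it and touches B and C only after A is confirmed good.

```python
"""Ordered recovery steps for the three cases in Dmitri's reply above.

Added example; not from the thread and not FreeIPA's own code or documentation.
It composes commands that exist in IPA 2.x (ipa-replica-prepare,
ipa-replica-install, ipa-replica-manage del/connect/re-initialize/list,
ipa user-find) into a per-host plan and can run it over ssh.  Host names, the
assumption that D was installed with --setup-ca, and the ssh/dry-run wrapper
are illustrative.
"""
import subprocess

MASTER = "a.example.edu"                          # the hub, A
REPLICAS = ("b.example.edu", "c.example.edu")      # B and C, installed --setup-ca
BACKUP = "d.example.edu"                          # D, VM disk snapshotted daily

# number of users visible through the API; a cheap before/after check
USER_COUNT = "ipa user-find --sizelimit=0 | grep -c 'User login:'"


def reinstall_steps(dead, prepare_on, setup_ca):
    """Rebuild a reimaged host as a replica initialised from `prepare_on`.

    `del --force` first removes the agreement the surviving master still has
    with the old instance of `dead` (--force because that instance is gone);
    ipa-replica-install then creates a fresh agreement and does the initial
    total update from `prepare_on`."""
    replica_file = f"/var/lib/ipa/replica-info-{dead}.gpg"
    ca = " --setup-ca" if setup_ca else ""
    return [
        (prepare_on, f"ipa-replica-manage del {dead} --force"),
        (prepare_on, f"ipa-replica-prepare {dead}"),
        (prepare_on, f"scp {replica_file} root@{dead}:{replica_file}"),
        (dead, f"ipa-replica-install{ca} {replica_file}"),
    ]


def plan(case):
    """Return the ordered [(host, command), ...] for one recovery case."""
    if case == "master_lost":                     # case #1: A reimaged, D healthy
        steps = reinstall_steps(MASTER, prepare_on=BACKUP, setup_ca=True)
        # restore the hub: A<->B and A<->C agreements, then refresh B and C
        # from the new A.  If `ipa-replica-manage list b.example.edu` still
        # shows an agreement to the old A, clean that up before `connect`.
        steps += [(MASTER, f"ipa-replica-manage connect {MASTER} {r}") for r in REPLICAS]
        steps += [(r, f"ipa-replica-manage re-initialize --from {MASTER}") for r in REPLICAS]
    elif case.startswith("replica_lost:"):        # case #2: B or C reimaged, A fine
        dead = case.split(":", 1)[1]
        steps = reinstall_steps(dead, prepare_on=MASTER, setup_ca=True)
    elif case == "bad_change_replicated":         # case #3: deletion reached B and C
        steps = [
            ("hypervisor", f"# stop {BACKUP}, roll its disk back to the last "
                           "snapshot taken BEFORE the change, start it"),
            # A's agreement starts pushing to D as soon as D is up: verify the
            # deletions have not arrived yet, otherwise roll back again
            (BACKUP, USER_COUNT),
            # total update A := D (re-initialize, NOT force-sync: an incremental
            # sync would only carry A's newer deletions into D)
            (MASTER, f"ipa-replica-manage re-initialize --from {BACKUP}"),
            (MASTER, USER_COUNT),                 # confirm before spreading A
        ]
        steps += [(r, f"ipa-replica-manage re-initialize --from {MASTER}") for r in REPLICAS]
    else:
        raise ValueError(f"unknown case {case!r}")
    steps.append((MASTER, "ipa-replica-manage list"))  # final topology check
    return steps


def run(steps, dry_run=True):
    """Execute a plan in order as root over ssh, stopping at the first failure."""
    for host, cmd in steps:
        print(f"[{host}] {cmd}")
        if dry_run or host == "hypervisor":      # hypervisor steps are manual
            continue
        subprocess.run(["ssh", f"root@{host}", cmd], check=True)
```

`run(plan("bad_change_replicated"))` prints the sequence without touching anything; the same call with `dry_run=False` executes it. The two USER_COUNT steps are the points at which to stop and compare against the number you expect before letting the next step spread the data further.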



Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-15 Thread Sumit Bose
On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
> Hi all,
> 
>  The online manual says that the '--usercat' means 'User category the rule 
> applies to';  '--hostcat' has the similar explanation. But I still don't 
> understand how that could be used in real life and when/where to use the 
> options.
> 
>  Could anyone please shed a light on this? Thanks a lot.

iirc these options were introduced with the host based access control
(HBAC) and are used to identify categories/classes of users and hosts
in a more general way than using groups or ip-address ranges. I think
currently only the keyword 'all' can be used here, which e.g. means that
an HBAC rule will match for all users or all hosts. In future it is
planned to support other categories, e.g. something like 'local' and
'remote' which would catch all users/hosts of the local IPA domain or
all users/groups which are coming from remote domains, respectively.

HTH

bye,
Sumit

> 
> --David

> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
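Added example (not from this thread, and not the evaluator IPA or SSSD actually use): a small model of how an HBAC rule is evaluated, to show what setting --usercat=all or --hostcat=all on a rule changes compared to listing members. The rule dicts use the attribute names the IPA API returns for hbacrule objects; the rules, users, groups and hosts are constructed for illustration.

```python
"""What --usercat=all and --hostcat=all change when an HBAC rule is evaluated.

Added example; not from the thread and not the evaluator IPA or SSSD use.
Rule dicts use the attribute names the IPA API returns for hbacrule objects
(usercategory, hostcategory, servicecategory, memberuser_user, memberuser_group,
memberhost_host, memberhost_hostgroup, memberservice_hbacsvc,
memberservice_hbacsvcgroup).  Rules, users, groups and hosts are constructed.
"""


def _side_matches(category, members, member_groups, subject, subject_groups):
    """One side of a rule matches when its category is 'all', or the subject
    is listed directly, or one of the subject's groups is listed.  IPA does
    not allow both: a side whose category is 'all' cannot also have members."""
    if category == "all":
        return True
    return subject in members or bool(set(subject_groups) & set(member_groups))


def rule_matches(rule, user, user_groups, host, host_groups, service, service_groups=()):
    """True when this rule is enabled and all three sides match."""
    if not rule.get("ipaenabledflag", True):
        return False
    return (
        _side_matches(rule.get("usercategory"), rule.get("memberuser_user", ()),
                      rule.get("memberuser_group", ()), user, user_groups)
        and _side_matches(rule.get("hostcategory"), rule.get("memberhost_host", ()),
                          rule.get("memberhost_hostgroup", ()), host, host_groups)
        and _side_matches(rule.get("servicecategory"), rule.get("memberservice_hbacsvc", ()),
                          rule.get("memberservice_hbacsvcgroup", ()), service, service_groups)
    )


def matching_rules(rules, user, user_groups, host, host_groups, service, service_groups=()):
    """HBAC is allow-only: access is granted iff at least one rule matches."""
    return [r["cn"] for r in rules
            if rule_matches(r, user, user_groups, host, host_groups, service, service_groups)]


# Constructed rules.  'allow_all' mirrors the rule the IPA installer creates
# (all users, all hosts, all services); it is disabled here because while it
# is enabled every narrower rule is irrelevant.
RULES = [
    {"cn": "allow_all", "usercategory": "all", "hostcategory": "all",
     "servicecategory": "all", "ipaenabledflag": False},
    # admins may use any service on any host: hostcat/servicecat 'all', users by group
    {"cn": "admins_everywhere", "memberuser_group": ["admins"],
     "hostcategory": "all", "servicecategory": "all"},
    # no categories at all: specific group, specific host group, specific service
    {"cn": "devs_ssh_build", "memberuser_group": ["developers"],
     "memberhost_hostgroup": ["build"], "memberservice_hbacsvc": ["sshd"]},
    # usercat 'all' on a narrow host set: every IPA user may log in on the bastion
    {"cn": "everyone_on_bastion", "usercategory": "all",
     "memberhost_host": ["bastion.example.edu"],
     "memberservice_hbacsvcgroup": ["remote-login"]},
]
```

On the CLI the bastion rule above is `ipa hbacrule-add everyone_on_bastion --usercat=all`, then `ipa hbacrule-add-host everyone_on_bastion --hosts=bastion.example.edu` and `ipa hbacrule-add-service everyone_on_bastion --hbacsvcgroups=remote-login`. Once such narrower rules exist, disable the installer's rule with `ipa hbacrule-disable allow_all`; while it is enabled its three 'all' categories match every request and the other rules never matter.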