Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-07 Thread Jakub Hrozek
On Fri, Jun 08, 2012 at 11:22:59AM +1000, Cam McK wrote:
> Hello
> 
> Thanks for an awesome product! I have two questions that I can't seem to
> find answers for...
> 
> 1). How long is the delay between changing a HBAC rule and it coming into
> effect on the host machine?
> Currently this information only seems to be updated on the host after a
> 'service sssd reload/restart'; also, are the HBAC access rules stored
> within the LDAP directory?

That shouldn't be the case; in fact, the HBAC rules should be refreshed
on each login. Maybe there's a misconfiguration on the client that makes
it go online and then the rules are evaluated from the cache.

Can you raise the debug level in the domain section of sssd.conf,
restart sssd and check for hbac-related debug messages in
/var/log/sssd/sssd_$domain.log ?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Steven Jones
Hi,

The replica server no longer exists; I bare-metal kickstarted it... so I need to
get it to rejoin the domain, which it won't.

Given all the other issues I'm wondering if a totally clean start isn't a plan
now...

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] ipa server is not version 2 error

2012-06-07 Thread Rob Crittenden

Steven Jones wrote:
> Hi,
>
> I am getting this while trying to join a new client to an IPA domain.


Look in the client install log, there should be more detail there. 
Basically we were given a server to try, we tried it and either we 
couldn't reach it at all or we weren't able to read the version 
information from it. Or we couldn't fetch the CA cert from the web 
server. The log should say which.


rob





Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Rob Crittenden

Steven Jones wrote:
> Hi,
>
> I must not be getting it.
>
> If I am uninstalling and the dirsrv has been stopped as part of that process,
> why does it need to restart if I'm uninstalling?

Because it needs to stop all the IPA services. The list of services is 
stored in LDAP.

> If I run a host del, shouldn't that remove all residual info for the ex-replica
> in the db?

No. It does not remove DNS records or replication agreements.

> Alternatively, how do I clean up so I can get the replica to rejoin the domain?

Your best bet is to figure out why the dirsrv instance won't start.

Trying to remove and restore everything manually can be a lot of work. 
Figuring out why dirsrv won't start is likely the path of least resistance.


rob




Re: [Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-07 Thread Steven Jones
Hi,

1) HBAC update: I've never seen a delay... so it seems to be a few seconds... so
I'm not sure why you need to restart sssd.

2) I also think I have asked about that... not sure what you are aiming to
achieve/mean with having no KDC / LDAP stores. I'd like a read-only slave
capability for out in the DMZ... and possibly only export certain groups from
the read/write out to the slave... but maybe I'm being overly paranoid... but I
think AD 2008r2? can do that.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



[Freeipa-users] HBAC rule refreshes and read-only slaves

2012-06-07 Thread Cam McK
Hello

Thanks for an awesome product! I have two questions that I can't seem to
find answers for...

1). How long is the delay between changing a HBAC rule and it coming into
effect on the host machine?
Currently this information only seems to be updated on the host after a
'service sssd reload/restart'; also, are the HBAC access rules stored
within the LDAP directory?

2). We would also like to use FreeIPA in a trusted network but then have
perhaps a read-only slave sitting in DMZ with the possibility of not
containing the KDC or LDAP password stores on it, is this possible?
 (Basically authentication being done by a different PAM module, but
pam_sss.so still allowing HBAC via the PAM 'account' directive.)
Is it possible to have a 'regular' LDAP directory (in the DMZ) just
slurping down the required LDAP info?

Many Thanks
Campbell

Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque
On Jun 7, 2012, at 6:46 PM, Nalin Dahyabhai wrote:

> I don't have an explanation for how it got that way, but you're missing
> some entries, and that probably explains why you don't see compat data
> for groups.
> 
> I'm attaching the LDIF for these entries from my test server, with the
> suffix changed from the one I'm using to yours.  The 'cn=users',
> 'cn=groups', and 'cn=ng' entries should be accepted without issue by
> 'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
> already have one.
> 
> Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
> different from the one in the LDIF file, you may want to change it as
> well by using 'ldapmodify'.

Hi Nalin,

Well, that fixed it. I'd love to know what caused this but am grateful indeed 
for your help.

Cheers,
Ian






[Freeipa-users] ipa server is not version 2 error

2012-06-07 Thread Steven Jones
Hi,

I am getting this while trying to join a new client to an IPA domain.

um?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> Hmm, I only get this:
> 
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
> 
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> 
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

I don't have an explanation for how it got that way, but you're missing
some entries, and that probably explains why you don't see compat data
for groups.

I'm attaching the LDIF for these entries from my test server, with the
suffix changed from the one I'm using to yours.  The 'cn=users',
'cn=groups', and 'cn=ng' entries should be accepted without issue by
'ldapadd -c', but it will balk at the 'cn=sudoers' entry, since you
already have one.

Normally that'd be the right thing, but if your 'cn=sudoers' entry looks
different from the one in the LDIF file, you may want to change it as
well by using 'ldapmodify'.

HTH,

Nalin

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=posixGroup
schema-compat-entry-attribute: gidNumber=%{gidNumber}
schema-compat-entry-attribute: memberUid=%{memberUid}
schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
cn: groups
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=nisNetgroup
schema-compat-entry-attribute: memberNisNetgroup=%deref_r("member","cn")
schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
 ",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHo
 st\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",
 \\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\
 \\",\\\"fqdn\\\")\\\")\")","-",",","%ifeq(\"userCategory\",\"all\
 ",\"\",\"%collect(\\\"%deref(\\\"memberUser\\\",\\\"uid\\\")\
 \\",\\\"%deref_r(\\\"member\\\",\\\"uid\\\")\\\",\\\"%deref_r
 (\\\"memberUser\\\",\\\"member\\\",\\\"uid\\\")\\\")\
 ")","-"),%{nisDomainName:-})
schema-compat-check-access: yes
cn: ng
objectClass: top
objectClass: extensibleObject
schema-compat-search-filter: (objectclass=ipaNisNetgroup)
schema-compat-container-rdn: cn=ng
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=ng, cn=alt, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
 ternalUser}")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
 ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
 ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
 "uid\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
 eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
 ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
 ternalHost}")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
 ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
 try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
 fqdn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
 y))\",\"cn\")")
schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
 ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
schema-compat-entry

Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Steven Jones
Hi,

I must not be getting it.

If I am uninstalling and the dirsrv has been stopped as part of that process,
why does it need to restart if I'm uninstalling?

If I run a host del, shouldn't that remove all residual info for the ex-replica
in the db?

Alternatively, how do I clean up so I can get the replica to rejoin the domain?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272




Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 6:01 PM, Rob Crittenden wrote:

> What does ipa-compat-manage status say?


Plugin Enabled

~irl



Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Rob Crittenden
It is hanging because the dirsrv instance isn't starting. Check for 
AVCs, /var/log/messages, dmesg, 
/var/log/dirsrv/slapd-YOURINSTANCE/errors to see if any errors are being 
reported.


Steven Jones wrote:
> NB ipam005 is the renamed ipam002, which despite trying to remove seems to have
> residual info in the ldif output e.g.,
>
> ==
> [root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif
> defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
> cn: vuwunicoipam002.ods.vuw.ac.nz
> dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
> dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
> dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
> dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
> dnahostname: vuwunicoipam002.ods.vuw.ac.nz
> nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
> pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.

The server wasn't uninstalled, right? Why wouldn't these still be there.

rob

> [root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]#
> ==
>
> I expected a zero return?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> 
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Friday, 8 June 2012 8:47 a.m.
> Cc: freeipa-users@redhat.com
> Subject: [Freeipa-users] running ipa-server-install --uninstall hangs
>
> Hi,
>
> I am trying to fix an ongoing problem with IPA and find that I cannot remove a
> replica from the domain...
>
> Screenshot attached...
>
> I also find that running a host del doesn't work and there is residual info in
> an ldif output of that replica... this then stops a bare metal rebuild of the
> replica being rejoined to the domain. If I change the name and IP however it
> can be a replica.
>
> ideas please?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Rob Crittenden

Ian Levesque wrote:


> Hmm, I only get this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: on
>
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>
> This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2
>
> Thanks again,
> Ian


What does ipa-compat-manage status say?

rob



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:

>  ldapsearch -h sbgrid-directory -Y GSSAPI \
>   -b "cn=Schema Compatibility,cn=plugins,cn=config" \
>   nsslapd-pluginEnabled
> 
> The results should look like this:
> 
>  dn: cn=Schema Compatibility,cn=plugins,cn=config
>  nsslapd-pluginEnabled: off
> 
>  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> 
>  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config



Hmm, I only get this:

dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

This is ipa-server-2.1.3-9.el6.x86_64 on RHEL 6.2

Thanks again,
Ian



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:44:16PM -0400, Nalin Dahyabhai wrote:
> The results should look like this:
> 
>   dn: cn=Schema Compatibility,cn=plugins,cn=config
>   nsslapd-pluginEnabled: off

Yeah, that second line should be "nsslapd-pluginEnabled: on".

*facepalm*

Nalin



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote:
> # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
> No such object (32)
> Matched DN: dc=sbgrid,dc=org

This result suggests that the plugin isn't running.  Can you
double-check by searching (as either the directory administrator or the
IPA administrator) to verify that the plugin is enabled and configured
to serve up group information?  The search looks like:

  kinit admin
  ldapsearch -h sbgrid-directory -Y GSSAPI \
-b "cn=Schema Compatibility,cn=plugins,cn=config" \
nsslapd-pluginEnabled

The results should look like this:

  dn: cn=Schema Compatibility,cn=plugins,cn=config
  nsslapd-pluginEnabled: off

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

If you drill down and read the whole cn=groups configuration entry, it
should look like this:

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
  schema-compat-entry-attribute: objectclass=posixGroup
  schema-compat-entry-attribute: gidNumber=%{gidNumber}
  schema-compat-entry-attribute: memberUid=%{memberUid}
  schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
  cn: groups
  objectClass: top
  objectClass: extensibleObject
  schema-compat-search-filter: objectclass=posixGroup
  schema-compat-container-rdn: cn=groups
  schema-compat-entry-rdn: cn=%{cn}
  schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
  schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

HTH,

Nalin



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque

On Jun 7, 2012, at 5:27 PM, Nalin Dahyabhai wrote:

> Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base.  We 
> don't put a "cn=accounts" container under cn=compat by default.

Hi Nalin - thanks for the tip; unfortunately, there doesn't appear to be 
anything in cn=compat:

# ldapsearch -LLL -x -h sbgrid-directory -b cn=groups,cn=compat,dc=sbgrid,dc=org
No such object (32)
Matched DN: dc=sbgrid,dc=org

# ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
No such object (32)
Matched DN: dc=sbgrid,dc=org

Best regards,
Ian



Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote:
> Hello,
> 
> I've read that the schema compatibility plugin should provide a vanilla RFC 
> 2307 view of groups with memberUid attributes. I need this for our OS X 
> clients, which don't seem capable of understanding the RFC 2307bis format of 
> member DNs.
> 
> So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's 
> loaded via `ipa-compat-manage status`. I restarted the directory server.
> 
> However, I don't get memberUid attributes. I've seen some docs that say 
> "cn=compat" should be added to the default base, but that returns nothing:
> 
>   ldapsearch -LLL -x -h sbgrid-directory -b 
> cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
>   No such object (32)
>   Matched DN: dc=sbgrid,dc=org

Try using "cn=groups,cn=compat,dc=sbgrid,dc=org" as the search base.  We 
don't put a "cn=accounts" container under cn=compat by default.

HTH,

Nalin



Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Steven Jones
NB ipam005 is the renamed ipam002, which despite trying to remove seems to have 
residual info in the ldif output, e.g.:

==
[root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# grep ipam002 userroot.ldif 
defaultServerList: vuwunicoipam001.ods.vuw.ac.nz vuwunicoipam002.ods.vuw.ac.nz
dn: cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc=vuw,dc
cn: vuwunicoipam002.ods.vuw.ac.nz
dn: cn=KDC,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
dn: cn=KPASSWD,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=od
dn: cn=HTTP,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,d
dn: cn=DNS,cn=vuwunicoipam002.ods.vuw.ac.nz,cn=masters,cn=ipa,cn=etc,dc=ods,dc
dn: dnaHostname=vuwunicoipam002.ods.vuw.ac.nz+dnaPortNum=389,cn=posix-ids,cn=d
dnahostname: vuwunicoipam002.ods.vuw.ac.nz
nSRecord: vuwunicoipam002.ods.vuw.ac.nz.
pTRRecord: vuwunicoipam002.ods.vuw.ac.nz.
[root@vuwunicoipam005 slapd-ODS-VUW-AC-NZ]# 
==

I expected a zero return?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 8 June 2012 8:47 a.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs

Hi,

I am trying to fix an ongoing problem with IPA and find that I cannot remove a 
replica from the domain...

Screenshot attached...

I also find that running a host del doesn't work and there is residual info in 
an ldif output of that replica...this then stops a bare metal rebuild of the 
replica being rejoined to the domain.  If I change the name and IP however it 
can be a replica.

ideas please?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



Re: [Freeipa-users] running ipa-server-install --uninstall hangs

2012-06-07 Thread Steven Jones
This is the uninstall log.

=
[root@vuwunicoipam005 log]# tail ipaserver-uninstall.log 

  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 191, in start
self.service.start(instance_name, capture_output=capture_output)

  File "/usr/lib/python2.6/site-packages/ipapython/platform/redhat.py", line 44, in start
ipautil.run(["/sbin/service", self.service_name, "start", instance_name], capture_output=capture_output)

  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 273, in run
raise CalledProcessError(p.returncode, args)

[root@vuwunicoipam005 log]# 



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 8 June 2012 8:47 a.m.
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] running ipa-server-install --uninstall hangs

Hi,

I am trying to fix an ongoing problem with IPA and find that I cannot remove a 
replica from the domain...

Screenshot attached...

I also find that running a host del doesn't work and there is residual info in 
an ldif output of that replica...this then stops a bare metal rebuild of the 
replica being rejoined to the domain.  If I change the name and IP however it 
can be a replica.

ideas please?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272



[Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Ian Levesque
Hello,

I've read that the schema compatibility plugin should provide a vanilla RFC 
2307 view of groups with memberUid attributes. I need this for our OS X 
clients, which don't seem capable of understanding the RFC 2307bis format of 
member DNs.

So, I enabled the plugin using `ipa-compat-manage enable` and ensured it's 
loaded via `ipa-compat-manage status`. I restarted the directory server.

However, I don't get memberUid attributes. I've seen some docs that say 
"cn=compat" should be added to the default base, but that returns nothing:

  ldapsearch -LLL -x -h sbgrid-directory -b 
cn=groups,cn=accounts,cn=compat,dc=sbgrid,dc=org cn=builders
  No such object (32)
  Matched DN: dc=sbgrid,dc=org

When I search the default base, things look unchanged (obviously, no memberUid 
here):

  ldapsearch -LLL -x -h sbgrid-directory -b 
cn=groups,cn=accounts,dc=sbgrid,dc=org cn=builders | grep member
  member: uid=ian,cn=users,cn=accounts,dc=sbgrid,dc=org

I seem to remember when I first setup the FreeIPA server, there *was* a 
cn=compat tree... did disabling it at some point cause it to stop working?

Best,
Ian

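The RFC 2307 view Ian is asking for, and the compat configuration Nalin quotes earlier in this thread, modelled in Python as an added example (this is not FreeIPA or slapi-nis code): a minimal LDIF parser plus a function that does what the schema compatibility plugin's group mapping does, rewriting RFC 2307bis groups (member DNs) found under cn=groups,cn=accounts into RFC 2307 entries (memberUid values) under cn=groups,cn=compat, the search base Nalin suggests. The sample LDIF is constructed, the rule that each member DN is dereferenced to the target entry's uid is this example's assumption about the plugin, and member DNs that do not resolve to a user entry (a nested group here) are simply dropped.

```python
"""Added example (not FreeIPA or slapi-nis code): model what the schema
compatibility plugin does for groups, i.e. turn RFC 2307bis group entries
(member: <DN>) into RFC 2307 entries (memberUid: <uid>) that live under
cn=groups,cn=compat instead of cn=groups,cn=accounts."""
from typing import Dict, List

Entries = Dict[str, Dict[str, List[str]]]

# Bases taken from the compat configuration and search base quoted in this thread.
BASE = "dc=sbgrid,dc=org"
GROUPS_BASE = "cn=groups,cn=accounts," + BASE   # schema-compat-search-base
COMPAT_GROUPS = "cn=groups,cn=compat," + BASE   # compat container, entry-rdn cn=%{cn}

# Constructed sample directory content (made-up users and group, not real data).
SAMPLE_LDIF = """\
dn: uid=ian,cn=users,cn=accounts,dc=sbgrid,dc=org
objectClass: posixAccount
uid: ian
uidNumber: 1001

dn: uid=bob,cn=users,cn=accounts,dc=sbgrid,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002

dn: cn=builders,cn=groups,cn=accounts,dc=sbgrid,dc=org
objectClass: posixGroup
cn: builders
gidNumber: 2001
member: uid=ian,cn=users,cn=accounts,dc=sbgrid,dc=org
member: uid=bob,cn=users,cn=accounts,dc=sbgrid,dc=org
member: cn=nested,cn=groups,cn=accounts,dc=sbgrid,dc=org
"""


def parse_ldif(text: str) -> Entries:
    """Minimal LDIF parser returning {dn: {attr: [values]}}.
    Handles only the plain 'attr: value' form (no base64, no folded lines)."""
    entries: Entries = {}
    for block in text.strip().split("\n\n"):
        dn = None
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def compat_group_view(entries: Entries, groups_base: str = GROUPS_BASE,
                      compat_base: str = COMPAT_GROUPS) -> Entries:
    """For every posixGroup under groups_base, build cn=<cn>,<compat_base>
    whose memberUid values are the uid of each member DN that resolves to a
    user entry (assumed dereference rule). Members that are not user entries,
    such as nested groups, contribute nothing."""
    view: Entries = {}
    for dn, attrs in entries.items():
        if not dn.lower().endswith("," + groups_base.lower()):
            continue
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        cn = attrs["cn"][0]
        member_uids: List[str] = []
        for member_dn in attrs.get("member", []):
            target = entries.get(member_dn)      # follow the DN like a deref
            if target and "uid" in target:
                member_uids.extend(target["uid"])
        view[f"cn={cn},{compat_base}"] = {
            "objectClass": ["posixGroup"],
            "cn": [cn],
            "gidNumber": list(attrs.get("gidNumber", [])),
            "memberUid": member_uids,
        }
    return view


def to_ldif(entries: Entries) -> str:
    """Render entries back to LDIF so the compat view can be eyeballed."""
    blocks = []
    for dn, attrs in entries.items():
        lines = ["dn: " + dn]
        for attr, values in attrs.items():
            lines.extend(f"{attr}: {v}" for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(compat_group_view(parse_ldif(SAMPLE_LDIF))))
```

Running it prints one entry, cn=builders,cn=groups,cn=compat,dc=sbgrid,dc=org, with memberUid: ian and memberUid: bob and no member attribute, which is the shape an OS X client expecting plain RFC 2307 can consume; the nested-group member is silently lost, which is worth remembering when checking that a compat view really lists everyone a group should contain.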


Re: [Freeipa-users] DNS logs - named.run

2012-06-07 Thread Petr Spacek

On 06/01/2012 08:17 PM, Jimmy wrote:

Our DNS topology is a very simple, out of the box, FreeIPA config. Our systems
are configured to run independently at completely disparate locations, so
there is very little to the topology besides forward and reverse zones for the
networks served at each site. There are no slaves, and this is the only zone
that has this issue. This is logged in the file /var/named/data/named.run .
DNS has not been modified directly through ldap, only through IPA interfaces.

Thanks,
Jimmy

Currently I could completely rebuild the system and push out the new config to
the sites, but if there is some way to fix this on a running server or get
more debug info to the maillist to possibly find the fix I would greatly
prefer that.


I found the bug in bind-dyndb-ldap. This error message is logged only for 
zones without an idnsUpdatePolicy attribute, right?


There is a ticket for that problem.
https://fedorahosted.org/bind-dyndb-ldap/ticket/79

Workaround:
Define the idnsUpdatePolicy attribute (e.g. "grant E.EXAMPLE krb5-self * A;") and 
set idnsAllowDynUpdate to FALSE. Dynamic updates will remain disabled and the 
error message will not be logged.


Thanks for reporting the bug.

Petr^2 Spacek




On Fri, Jun 1, 2012 at 11:45 AM, Petr Spacek <pspa...@redhat.com> wrote:

On 05/31/2012 07:24 PM, Jimmy wrote:

This message repeats numerous times per minute:

zone myzone.info/IN : zone serial (2012150501) unchanged. zone may fail to transfer to slaves.

I even went into the admin page and changed the serial manually to see
if I could get past the message but it just changed the message to
this:

zone myzone.info/IN : zone serial (2012150502) unchanged. zone may fail to transfer to slaves.

Why does IPA report this?

Thanks.


Hello,

can you describe your DNS topology?
Where is it logged?
Is it on a *slave* server?
How to reproduce it?

Current IPA doesn't maintain SOA serial number for updates made directly
in LDAP (but nsupdate works). Zone transfers are totally broken for that
reason.

Fix is on the roadmap: We are discussing how to solve this problem in
thread
https://www.redhat.com/archives/freeipa-devel/2012-May/msg00044.html

Petr^2 Spacek






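Petr's workaround applied across a whole cn=dns container, as an added example (not bind-dyndb-ldap or FreeIPA code): given zone entries in the shape python-ldap returns from a search, list the zones that have no idnsUpdatePolicy value, and emit an LDIF modify record for each that adds a policy in the form shown in the reply and forces idnsAllowDynUpdate to FALSE, so the "zone serial unchanged" message stops while dynamic updates stay disabled. The zone names, the realm EXAMPLE.COM and the search result itself are constructed for the example.

```python
"""Added example (not bind-dyndb-ldap or FreeIPA code): find DNS zones that
lack idnsUpdatePolicy and generate the LDIF for Petr's workaround, i.e. set a
policy while keeping idnsAllowDynUpdate FALSE."""
from typing import Dict, List, Tuple

# (dn, {attribute: [byte values]}), the shape python-ldap's search_s returns.
Entry = Tuple[str, Dict[str, List[bytes]]]

REALM = "EXAMPLE.COM"   # constructed; use the IPA Kerberos realm in practice

# Constructed sample search result under cn=dns (zone names are made up).
SAMPLE_ZONES: List[Entry] = [
    ("idnsname=myzone.info,cn=dns,dc=example,dc=com",
     {"idnsName": [b"myzone.info"], "idnsZoneActive": [b"TRUE"],
      "idnsAllowDynUpdate": [b"FALSE"]}),                # policy attribute absent
    ("idnsname=ok.example.com,cn=dns,dc=example,dc=com",
     {"idnsName": [b"ok.example.com"], "idnsZoneActive": [b"TRUE"],
      "idnsAllowDynUpdate": [b"TRUE"],
      "idnsUpdatePolicy": [b"grant EXAMPLE.COM krb5-self * A;"]}),
    ("idnsname=1.168.192.in-addr.arpa.,cn=dns,dc=example,dc=com",
     {"idnsName": [b"1.168.192.in-addr.arpa."], "idnsZoneActive": [b"TRUE"]}),
]


def zones_missing_update_policy(entries: List[Entry]) -> List[str]:
    """DNs of zones with no (non-empty) idnsUpdatePolicy value: the condition
    Petr ties to the repeated 'zone serial unchanged' message."""
    return [dn for dn, attrs in entries
            if not any(v.strip() for v in attrs.get("idnsUpdatePolicy", []))]


def default_policy(realm: str) -> str:
    """Policy in the form given in the reply, with the realm substituted."""
    return f"grant {realm} krb5-self * A;"


def workaround_ldif(dn: str, realm: str) -> str:
    """One LDIF modify record: add the policy and force dynamic updates off.
    'replace' is used for idnsAllowDynUpdate so it works whether or not the
    attribute already exists on the zone."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: idnsUpdatePolicy\n"
        f"idnsUpdatePolicy: {default_policy(realm)}\n"
        "-\n"
        "replace: idnsAllowDynUpdate\n"
        "idnsAllowDynUpdate: FALSE\n"
        "-\n"
    )


def plan(entries: List[Entry], realm: str) -> str:
    """Complete LDIF for all affected zones, ready for ldapmodify."""
    records = [workaround_ldif(dn, realm)
               for dn in zones_missing_update_policy(entries)]
    return "\n".join(records)


if __name__ == "__main__":
    print(plan(SAMPLE_ZONES, REALM))
```

The output is meant to be reviewed and then fed to ldapmodify against the IPA directory server; replacing idnsAllowDynUpdate with FALSE is the part that keeps the workaround from accidentally enabling Kerberos-authenticated dynamic updates on zones that did not allow them before.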