Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote:
> It's hard to tell with the obfuscation, but is your DOMAIN the same as
> the one handled by the domain controller vm-mapsdc2?

Indeed, it is.

> You can only have one Kerberos realm named DOMAIN.

How do they know about each other?

> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
> you will not be able to have it coexist with an IPA server controlling
> the realm MYCOMPANY.COM.

That's quite unfortunate. How can I work around this? Can I create the realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a DNS domain to match, or will I need to interface with the DNS admins? Is there a good document that describes the nature of these realms and their relation to DNS?

> If it's an oldschool NT type domain you should be OK, but if it's
> Active Directory (which uses Kerberos) you can't do it.

It's an Active Directory domain.

Rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On 08/08/2012 05:42 PM, Rob Ogilvie wrote:
> On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote:
>> It's hard to tell with the obfuscation, but is your DOMAIN the same as
>> the one handled by the domain controller vm-mapsdc2?
>
> Indeed, it is
>
>> You can only have one Kerberos realm named DOMAIN.
>
> How do they know about each other?

There are DNS SRV records for Kerberos KDC and realm names.

The original Kerberos documentation mentioning DNS is at:
http://web.mit.edu/kerberos/www/krb5-1.10/krb5-1.10.2/doc/krb5-admin.html#Using-DNS

Kerberos principles (not only DNS) are described in:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Using_Kerberos.html

>> For example, if you have the windows domain/Kerb realm MYCOMPANY.COM,
>> you will not be able to have it coexist with an IPA server controlling
>> the realm MYCOMPANY.COM.
>
> That's quite unfortunate. How can I work around this? Can I create the
> realm BLAH.MYCOMPANY.COM or maybe even NOTMYCOMPANY.COM without a DNS
> domain to match, or will I need to interface with the DNS admins? Is
> there a good document that describes the nature of these realms and
> their relation to DNS?

Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA manage it). You can configure all servers and clients statically with /etc/krb5.conf, but it is error-prone and not scalable.

Configuration with AD and IPA with same domain name is not supported, because it confuses Kerberos libraries.

Petr^2 Spacek

>> If it's an oldschool NT type domain you should be OK, but if it's
>> Active Directory (which uses Kerberos) you can't do it.
>
> It's an Active Directory domain.
>
> Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA to manage it).

Absolutely, this is the best way.

> You can configure each all servers and client statically with
> /etc/krb5.conf, but it is error-prone and not scalable.

You *could* use something like puppet to manage your krb5.conf files (I have to with our AIX machines.)

Also, it's important to note that your REALM does NOT need to match your DNS domain name. It's a convenience, and it's very, very helpful to do so, but it is possible to have a REALM called "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with that, but I know you can do it in straight up Kerberos.

--Jason
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
Rob, you may want to read through this whole FAQ, but this one covers what I'm talking about:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> SRV records (or let IPA to manage it).

Ugh, I hope this doesn't end up pushing us back to NIS.

If I can get our infrastructure guys to buy off on making a unix.mycompany.com subdomain in DNS, would I need to move all the hosts to be under that subdomain in DNS? I have some services configured that are difficult to rename the DNS domain of. Could, for instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM realm, given a MYCOMPANY.COM realm also exists?

I could then put some SRV records into the subdomain's zone to point the kerberos stuff to the IPA server, change the domain on the IPA server, change the realm on the IPA server, re-register clients, and everything would be happy?

Ugh... actually... now that I think about this, I don't think I want half my servers in a unix subdomain in DNS, which means DNS and realm wouldn't match...

Thoughts? Aside from rebuilding the infrastructure I've built already? :-)

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
>> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
>> SRV records (or let IPA to manage it).
>
> Ugh, I hope this doesn't end up pushing us back to NIS.
>
> If I can get our infrastructure guys to buy off on making a
> unix.mycompany.com subdomain in DNS, would I need to move all the
> hosts to be under that subdomain in DNS? I have some services

Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV records and leave this subdomain without hosts (maybe except IPA servers ...). It is not necessary to rename all hosts.

Problem is simple - Kerberos libraries have to know where KDCs are located - and DNS is the standardized way to accomplish it.

Let me quote another reply from this thread:
On 08/08/2012 06:14 PM, KodaK wrote:
> You *could* use something like puppet to manage your krb5.conf files
> (I have to with our AIX machines.)
>
> Also, it's important to note that your REALM does NOT need to match
> your dns domain name
> It's a convenience, and it's very, very helpful to do so, but it is
> possible to have a REALM called
> "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with
> that, but I know you
> can do it in straight up Kerberos.

> configured that are difficult to rename the DNS domain of. Could, for
> instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> realm, given a MYCOMPANY.COM realm also exists?

Yes, it could.

> I could then put some SRV records into the subdomain's zone to point
> the kerberos stuff to the IPA server, change the domain on the IPA
> server, change the realm on the IPA server, re-register clients, and
> everything would be happy?

I get lost in the renaming part. Can you describe your idea in bigger detail?

> Ugh... actually... now that I think about this, I don't think I want
> half my servers in a unix subdomain in DNS, which means DNS and realm
> wouldn't match...
>
> Thoughts? Aside from rebuilding the infrastructure I've built already? :-)

Leave all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM. IMHO it is the simplest way.

This limitation comes from Kerberos: You are trying to use *single domain name* for *two independent Kerberos realms* - it is principally not possible.

Petr^2 Spacek
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote:
> On 08/08/2012 07:27 PM, Rob Ogilvie wrote:
> > On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote:
> >> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper
> >> SRV records (or let IPA to manage it).
> >
> > Ugh, I hope this doesn't end up pushing us back to NIS.
> >
> > If I can get our infrastructure guys to buy off on making a
> > unix.mycompany.com subdomain in DNS, would I need to move all the
> > hosts to be under that subdomain in DNS? I have some services
>
> Definitely not. You can create subdomain UNIX.MYCOMPANY.COM, fill it with SRV
> records and leave this subdomain without hosts (maybe except IPA servers
> ...).
> It is not necessary to rename all hosts.
>
> Problem is simple - Kerberos libraries have to know where KDCs are located -
> and DNS is standardized way how to accomplish it.
>
> Let me quote another reply from this thread:
> On 08/08/2012 06:14 PM, KodaK wrote:
> > You*could* use something like puppet to manage your krb5.conf files
> > (I have to with our AIX machines.)
> >
> > Also, it's important to note that your REALM does NOT need to match
> > your dns domain name
> > It's a convenience, and it's very, very helpful to do so, but it is
> > possible to have a REALM called
> > "MIDDLEEARTH" if you wanted. I'm not sure how IPA would deal with
> > that, but I know you
> > can do it in straight up Kerberos.
>
> > configured that are difficult to rename the DNS domain of. Could, for
> > instance, host-one.mycompany.com be part of the UNIX.MYCOMPANY.COM
> > realm, given a MYCOMPANY.COM realm also exists?
>
> Yes, it could.
>
> > I could then put some SRV records into the subdomain's zone to point
> > the kerberos stuff to the IPA server, change the domain on the IPA
> > server, change the realm on the IPA server, re-register clients, and
> > everything would be happy?
>
> I get lost in the renaming part. Can you describe your idea in bigger detail?
>
> > Ugh... actually... now that I think about this, I don't think I want
> > half my servers in a unix subdomain in DNS, which means DNS and realm
> > wouldn't match...
> >
> > Thoughts? Aside from rebuilding the infrastructure I've built already? :-)
>
> Let all machines in MYCOMPANY.COM and use IPA realm UNIX.MYCOMPANY.COM.
> IMHO it is simplest way.
>
> This limitation comes from Kerberos: You are trying to use *single domain
> name* for *two independent Kerberos realms* - it is principally not possible.

I just need to point out one problem with leaving all machines under MYDOMAIN.COM, and that is if you later want to make a trust (option available starting from ipa 3.0) between the AD realm and the IPA realm, the machines in the mydomain.com domain will not be able to be accessed by the users of the AD realm. That is because the machines joined to the AD realm will think that the mydomain.com machines are always served up by the AD domain. On the IPA side you may also have some issues as you will not be able to tell IPA clients that they need to ask the AD KDC for the hosts under mydomain.com.

So ultimately, I would put as many machines as you can under UNIX.MYDOMAIN.COM, to minimize confusion in case later on you want to establish a trust between the AD domain and the IPA domain.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
So here's my plan, then... let me know if it seems like it'll make sense?

-I'm going to uninstall everything IPA from the IPA server (ovm-auth.mycompany.com) after I unregister the client machines.

-I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record up there for that? If so, what?)

-I'm going to try registering testserver.mycompany.com server as part of the UNIX.MYCOMPANY.COM realm.

Sound reasonable and/or sane? :-)

Rob
[Freeipa-users] cannot find name for user ID
An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with "cannot find name for user ID" etc. etc. for all groups they are a member of.

id returns nothing but the numbers, and a getent passwd returns nothing, when running as the user.

However, as root a getent passwd works.

I am taking a look through logs and haven't found much so far, another user experienced a similar issue and a ipa-client-install --uninstall and reinstall (this is starting to feel like windows :) did the trick for them, however it has not solved the issue for me.

I have also cleared the sssd cache, and given that process a kick to no avail.

Firewall rules have not changed, and I assume the ipa-client-install process would have failed if a firewall issue was present.

After increasing sssd logging levels I see a lot of requests for the user in the sssd logs, but no returns, not that I know if the logging is supposed to log the return.

This is on a RHEL 5.8 client:
ipa-client-2.1.3-2.el5_8
sssd-1.5.1-49.el5_8.1

Connecting to a RHEL 6.3 IPA server.

Any ideas?

-Erinn
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> So here's my plan, then... let me know if it seems like it'll make sense?
>
> -I'm going to uninstall everything IPA from the IPA server
> (ovm-auth.mycompany.com) after I unregister the client machines.
>
> -I'm going to set up the IPA server with a new realm;
> UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> up there for that? If so, what?)

If your DNS people want to manually manage DNS for you then they need to create the unix.mydomain.com zone and manually create SRV and TXT records for kerberos and ldap IPA servers.

If they want to avoid having to manage DNS for you they can delegate the subdomain to you and you can install DNS integration in IPA so critical DNS records are automatically managed for you.

For tests you can also just use the FreeIPA integrated DNS server and create your own DNS server there that forwards to your official DNS servers for any query out of unix.mydomain.com (you point it to your current DNS server when the install asks for forwarders). If you do this you will have to point your IPA clients to your IPA server for DNS. And unless you get a zone delegation only machines pointing directly at your server in their resolv.conf will be able to see the unix.mydomain.com zone.

> -I'm going to try registering testserver.mycompany.com server as part
> of the UNIX.MYCOMPANY.COM realm.
>
> Sound reasonable and/or sane? :-)

For the ipa server it should be in the unix.mydomain.com DNS zone to be useful.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > -I'm going to set up the IPA server with a new realm;
> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > up there for that? If so, what?)
>
> If your DNS people want to manually mange DNS for you then they need to
> create the unix.mydomain.com zone and manually create SRV and TXT
> records for kerberos and ldap IPA servers.

Is there a doc that explains what those SRV and TXT records need to look like?

> > -I'm going to try registering testserver.mycompany.com server as part
> > of the UNIX.MYCOMPANY.COM realm.
> >
> > Sound reasonable and/or sane? :-)
>
> for the ipa server it should be in the unix.mydomain.com DNS zone to be
> useful.

The IPA server needs to be part of the unix.mycompany.com domain, then, and the IPA clients do not?

Rob
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
> > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
> > > -I'm going to set up the IPA server with a new realm;
> > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
> > > up there for that? If so, what?)
> >
> > If your DNS people want to manually mange DNS for you then they need to
> > create the unix.mydomain.com zone and manually create SRV and TXT
> > records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

When you install freeipa it will generate a zone file if DNS is not installed as well, that's probably the most complete example.

> > > -I'm going to try registering testserver.mycompany.com server as part
> > > of the UNIX.MYCOMPANY.COM realm.
> > >
> > > Sound reasonable and/or sane? :-)
> >
> > for the ipa server it should be in the unix.mydomain.com DNS zone to be
> > useful.
>
> The IPA server needs to be part of the unix.mycompany.com domain,
> then, and the IPA clients do not?

The simplest setup is when all clients are part of the same DNS zone which is not shared with an AD setup. Unlike AD we do not force all clients to be positioned in the same DNS zone, however if you have clients not belonging to the same DNS domain you may have to change the krb5.conf file on all members of the realm to add additional [domain_realm] mappings so that you can tell that clients in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm and its KDC.

We are going to make it simpler to add these domains centrally in FreeIPA and have SSSD automatically provide these mappings on all clients, but this work is being done in v 3.0. For now it needs to be manually configured on each client.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
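As an added illustration of the [domain_realm] mappings Simo describes (and of KodaK's point that the realm need not match the DNS domain), here is a small Python model of how a Kerberos library picks a realm for a host from krb5.conf. This is example code written for this page, not from the thread or the FreeIPA project; the krb5.conf fragment, the host names and the simplified lookup order (exact host first, then each parent domain with a leading dot) are assumptions.

```python
"""Resolve a host's Kerberos realm from a krb5.conf [domain_realm] section.

Simplified model (assumption) of the MIT lookup order: exact host name first,
then each parent domain written with a leading dot, most specific wins.
A miss means the library would fall back to DNS (_kerberos TXT) or
default_realm, which is exactly where two realms sharing one DNS domain
start to collide.
"""
import re

# Constructed krb5.conf fragment for the layout discussed in the thread:
# hosts stay in mycompany.com (shared with AD), IPA uses UNIX.MYCOMPANY.COM,
# plus Simo's "clients in zone foo.net" case.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = UNIX.MYCOMPANY.COM
 dns_lookup_kdc = true

[domain_realm]
 .unix.mycompany.com = UNIX.MYCOMPANY.COM
 unix.mycompany.com = UNIX.MYCOMPANY.COM
 .mycompany.com = UNIX.MYCOMPANY.COM
 mycompany.com = UNIX.MYCOMPANY.COM
 .foo.net = UNIX.MYCOMPANY.COM
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KV_RE = re.compile(r"^\s*(?P<key>[^=\s]+)\s*=\s*(?P<value>\S+)\s*$")


def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings as a dict of lower-cased keys."""
    mapping = {}
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        m = _KV_RE.match(line)
        if m and section == "domain_realm":
            mapping[m.group("key").lower()] = m.group("value").upper()
    return mapping


def candidates(hostname):
    """Lookup keys in the order tried: the host itself, then each parent
    domain with a leading dot (most specific first)."""
    host = hostname.rstrip(".").lower()
    keys = [host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def realm_for_host(hostname, mapping, default_realm=None):
    """First matching [domain_realm] key decides; otherwise default_realm.
    None models "no static answer, ask DNS", the case that needs the
    _kerberos TXT record in the right zone."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key]
    return default_realm


if __name__ == "__main__":
    dr = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("host-one.mycompany.com", "ovm-auth.unix.mycompany.com",
              "db.foo.net", "mycompany.com", "printer.other.example"):
        print(f"{h:32} -> {realm_for_host(h, dr)}")
```

Note that a ".mycompany.com" line alone covers hosts under the domain but not the bare name "mycompany.com"; that one needs its own line, which is why the sample lists both.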
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie wrote:
> On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote:
>> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote:
>> > -I'm going to set up the IPA server with a new realm;
>> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record
>> > up there for that? If so, what?)
>>
>> If your DNS people want to manually mange DNS for you then they need to
>> create the unix.mydomain.com zone and manually create SRV and TXT
>> records for kerberos and ldap IPA servers.
>
> Is there a doc that explains what those SRV and TXT records need to look like?

If you're not familiar with this document then you need to spend some quality time with it:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

:)

In it you'll find:

  If a DNS server is already configured in the network, then the configuration in the IPA-generated file can be added to the existing DNS zone file. This allows IPA clients to find LDAP and Kerberos servers that are required for them to participate in the IPA domain.

  For example, this DNS zone configuration is created for an IPA server with the KDC and DNS servers all on the same machine in the EXAMPLE.COM realm:

  ; ldap servers
  _ldap._tcp IN SRV 0 100 389 ipaserver.example.com.

  ;kerberos realm
  _kerberos IN TXT EXAMPLE.COM

  ; kerberos servers
  _kerberos._tcp IN SRV 0 100 88 ipaserver.example.com.
  _kerberos._udp IN SRV 0 100 88 ipaserver.example.com.
  _kerberos-master._tcp IN SRV 0 100 88 ipaserver.example.com.
  _kerberos-master._udp IN SRV 0 100 88 ipaserver.example.com.
  _kpasswd._tcp IN SRV 0 100 464 ipaserver.example.com.
  _kpasswd._udp IN SRV 0 100 464 ipaserver.example.com.
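As an added check, not part of KodaK's message, the Identity Management Guide or the FreeIPA project, this Python script parses a zone fragment in the shape quoted above and reports records that are missing or malformed before the file is handed to the DNS admins. The zone for UNIX.MYCOMPANY.COM, the ovm-auth.unix.mycompany.com target and the deliberately broken second fragment are constructed for the example.

```python
"""Sanity-check the Kerberos/LDAP DNS records an IPA client needs.

Parses a BIND-style zone fragment (records as the Identity Management
Guide shows them) and lists what is missing or wrong.
"""
import re

# Records an IPA client looks for in the realm's zone: (owner, type) -> port.
REQUIRED = {
    ("_kerberos", "TXT"): None,
    ("_kerberos._tcp", "SRV"): 88,
    ("_kerberos._udp", "SRV"): 88,
    ("_kerberos-master._tcp", "SRV"): 88,
    ("_kerberos-master._udp", "SRV"): 88,
    ("_kpasswd._tcp", "SRV"): 464,
    ("_kpasswd._udp", "SRV"): 464,
    ("_ldap._tcp", "SRV"): 389,
}

# Constructed fragment for the thread's layout: zone unix.mycompany.com,
# realm UNIX.MYCOMPANY.COM, IPA server ovm-auth (hypothetical host name).
GOOD_ZONE = """\
; ldap servers
_ldap._tcp IN SRV 0 100 389 ovm-auth.unix.mycompany.com.
; kerberos realm
_kerberos IN TXT UNIX.MYCOMPANY.COM
; kerberos servers
_kerberos._tcp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos._udp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos-master._tcp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos-master._udp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kpasswd._tcp IN SRV 0 100 464 ovm-auth.unix.mycompany.com.
_kpasswd._udp IN SRV 0 100 464 ovm-auth.unix.mycompany.com.
"""

# Same fragment with three typical hand-editing mistakes (constructed):
# relative SRV target, lower-cased realm in TXT, missing _kpasswd._udp.
BAD_ZONE = """\
_ldap._tcp IN SRV 0 100 389 ovm-auth.unix.mycompany.com
_kerberos IN TXT unix.mycompany.com
_kerberos._tcp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos._udp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos-master._tcp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kerberos-master._udp IN SRV 0 100 88 ovm-auth.unix.mycompany.com.
_kpasswd._tcp IN SRV 0 100 464 ovm-auth.unix.mycompany.com.
"""

_SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
_TXT_RE = re.compile(r'^(\S+)\s+IN\s+TXT\s+"?([^"\s]+)"?$')


def parse_zone(text):
    """Return (owner, rtype, data) tuples; SRV data is
    (priority, weight, port, target), TXT data is the string."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line:
            continue
        m = _SRV_RE.match(line)
        if m:
            owner, prio, weight, port, target = m.groups()
            records.append((owner, "SRV", (int(prio), int(weight), int(port), target)))
            continue
        m = _TXT_RE.match(line)
        if m:
            records.append((m.group(1), "TXT", m.group(2)))
    return records


def check_zone(text, realm):
    """Return a list of human-readable problems (empty list means OK)."""
    problems = []
    seen = {}
    for owner, rtype, data in parse_zone(text):
        seen.setdefault((owner, rtype), []).append(data)
    for (owner, rtype), port in REQUIRED.items():
        if (owner, rtype) not in seen:
            problems.append(f"missing {owner} {rtype} record")
            continue
        for data in seen[(owner, rtype)]:
            if rtype == "TXT" and data != realm:
                # Realm names are case-sensitive; clients compare exactly.
                problems.append(f"{owner} TXT is {data!r}, expected {realm!r}")
            if rtype == "SRV":
                _, _, got_port, target = data
                if got_port != port:
                    problems.append(f"{owner} SRV port {got_port}, expected {port}")
                if not target.endswith("."):
                    # A relative target gets the zone origin appended by BIND.
                    problems.append(f"{owner} SRV target {target!r} is not absolute")
    return problems


if __name__ == "__main__":
    print("good zone:", check_zone(GOOD_ZONE, "UNIX.MYCOMPANY.COM") or "no problems")
    for p in check_zone(BAD_ZONE, "UNIX.MYCOMPANY.COM"):
        print("bad zone:", p)
```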
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 12:33 PM, KodaK wrote:
> If you're not familiar with this document then you need to spend some
> quality time with it:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html

That is, as a matter of fact, the guide I've been using. I fear it was written with the assumption readers understood IPA realms couldn't easily coexist with Active Directory domains. Reading through the installation guide, I see no mention of needing a separate realm for IPA... it's probably assumed we know that already?

Rob
[Freeipa-users] Dogtag reinitialization
Is there any way to completely reinitialize the Dogtag instance atomically? My PKI-IPA directory looks like this:

> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' 'objectClass=*'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: objectClass=*
> # requesting: ALL
> #
>
> # ipaca
> dn: o=ipaca
> objectClass: top
> objectClass: organization
> o: ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1

It's like that on both my master and replica, and my backups don't go back far enough. I think something happened during replica management, but I'm not sure.

I haven't used the full range of PKI features up to this point, so this isn't a huge issue for me just yet. In any case, I imagine it will become a big deal at some point, if not for my usage, for management of the IPA instance as a whole.

So, how can I fix this? I do have the private key, if that's any use.

--
- *question everything*learn something*answer nothing*

Lucas Yamanishi
-- Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
[Freeipa-users] Simple question about replication promotion
We had a rather severe issue last night on our primary IPA server (ver 2.2.0), but the replica is still happily plugging along, which is very nice. My question is, there is very, very little I can do with the 'master'. From what I've read, there isn't any replication, and I just want to verify that a replica is just another master, assuming you're not using the CA option. If so, when I rebuild the primary server, do I just configure it to be a replica to what was the secondary?

Thanks,

Rolf Brusletto
Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept
On Wed, Aug 8, 2012 at 12:31 PM, Simo Sorce wrote:
> Unlike AD we do not force all client to be positioned in the same DNS
> zone, however if you have clients not belonging to the same DNS domain
> you may have to change the krb5.conf file on all members of the realm to
> add additional [domain_realm] mappings so that you can tell that clients
> in zone foo.net are also to be looked for in the UNIX.MYDOMAIN.COM realm
> and its KDC.

I just, as a test, with no DNS set up for this, ran things with DNS being mycompany.com, and the IPA domain being set up as ovm.mycompany.com and realm of OVM.MYCOMPANY.COM, and everything appears to be working great. The only piece is the ipa-client-install needs to specify the (non-DNS) domain, realm, and server, but that's no problem for me at all...

Any thoughts about problems I might see?

Rob
Re: [Freeipa-users] Simple question about replication promotion
Hi,

I lost my master so did a db2ldif on the replica and then a ldif2db on the master and it seemed to work fine. It's been more stable than the replicas which are on their 2nd rebuild in that many months... :/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rolf Brusletto [r...@glptrading.com]
Sent: Thursday, 9 August 2012 5:10 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Simple question about replication promotion

We had a rather severe issue last night on our primary IPA server(ver 2.2.0), but the replica is still happily plugging along, which very nice. My question is, there is very, very little I can do with the 'master'. From what I've read, there ins't any replicaton, and I just want to verify that a replica is just another master, assuming you're not using the CA option. If so, when I rebuild the primary server, do I just configure it to be a replica to what was the secondary?

Thanks,

Rolf Brusletto
[Freeipa-users] 2 factor authentication
Hi

Is there any way to use something like a hardware key with IPA for select users (such as myself)? So the idea is I not only have a password but a piece of hardware I need to login to my secure desktop.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] cannot find name for user ID
On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> An interesting problem has popped up and I am not sure where the issue
> lies. Users logging in are presented with "cannot find name for user ID"
> etc. etc. for all groups they are a member of
>
> id returns nothing but the numbers, and a getent passwd
> returns nothing, when running as the user.
>
> However, as root a getent passwd works.
>
> I am taking a look through logs and haven't found much so far, another
> user experienced a similar issue and a ipa-client-install --uninstall
> and reinstall (this is starting to feel like windows :) did the trick
> for them, however it has not solved the issue for me.
>
> I have also cleared the sssd cache, and given that process a kick to no
> avail.
>
> Firewall rules have not changed, and I assume the ipa-client-install
> process would have failed if a firewall issue was present.
>
> After increasing sssd logging levels I see a lot of requests for the
> user in the sssd logs, but no returns, not that I know if the logging is
> supposed to log the return.
>
> This is on a RHEL 5.8 client:
> ipa-client-2.1.3-2.el5_8
> sssd-1.5.1-49.el5_8.1
>
> Connecting to a RHEL 6.3 IPA server.
>
> Any ideas?
>
> -Erinn
>

Hi Erinn,

The requests for the user you saw were only in the sssd_nss log or did they make it to the sssd_$domain.log as well? Can you paste sanitized contents of both, please?

I can't think of a reason to make lookups work only as root, that's really strange. Can you check for AVC denials? Can you also check the permissions on /var/lib/sss/pipes/nss ? It should be 0666.
Re: [Freeipa-users] cannot find name for user ID
On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and a ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.

Yes it is very odd.

I have had a rash of systems with SELinux labelling issues, so I ran a restorecon on the file system to no avail, as well I set SELinux to permissive mode, again no help there.

Permissions appear correct:
srw-rw-rw- 1 root root 0 Aug 8 18:35 nss
srw-rw-rw- 1 root root 0 Aug 8 18:35 pam

Is there a simple way to sanitize these log files?

-Erinn
Re: [Freeipa-users] 2 factor authentication
Steven Jones wrote:
> Hi
>
> Is there anyway to use something like a hardware key with IPA for select users (such as myself)? So the idea is I not only have a password but a piece of hardware I need to login to my secure desktop.

We're looking into 2 factor auth but it isn't supported yet. You might want to follow the authhub project, https://fedorahosted.org/AuthHub/

rob
Re: [Freeipa-users] Simple question about replication promotion
Rolf Brusletto wrote:
> We had a rather severe issue last night on our primary IPA server(ver 2.2.0), but the replica is still happily plugging along, which very nice. My question is, there is very, very little I can do with the 'master'. From what I've read, there ins't any replicaton, and I just want to verify that a replica is just another master, assuming you're not using the CA option. If so, when I rebuild the primary server, do I just configure it to be a replica to what was the secondary?

Just to be clear, you installed the original server with a dogtag CA installed? And then you created a replica but didn't configure a CA on it?

rob
Re: [Freeipa-users] Dogtag reinitialization
Lucas Yamanishi wrote:
> Is there any way to completely reinitialize the Dogtag instance atomically? My PKI-IPA directory looks like this:
>
> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' 'objectClass=*'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: objectClass=*
> # requesting: ALL
> #
>
> # ipaca
> dn: o=ipaca
> objectClass: top
> objectClass: organization
> o: ipaca
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> It's like that on both my master and replica, and my backups don't go back far enough. I think something happened during replica management, but I'm not sure.
>
> I haven't used the full range of PKI features up to this point, so this isn't a huge issue for me just yet. In any case, I imagine it will become a big deal at some point, if not for my usage, for management of the IPA instance as a whole.
>
> So, how can I fix this? I do have the private key, if that's any use.

I'm not sure what would cause every single entry to be removed. Do the logs shed any light on this?

rob
Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync
Rich Megginson wrote:
> On 08/03/2012 09:50 AM, Baptiste AGASSE wrote:
>> Hi,
>>
>>>> Hi all, I've a problem with winsync between ipa 2.2 on centos 6.3 and Active directory 2008R2. I'm following this documentation to enable synchronization:
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>>>
>>> There is nothing on this page about running certutil? Which link talks about certutil?
>>
>> Links present in the documentation talk about commands and options for certutil but I don't see anything about this error.
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html

I agree, I don't think this is necessary either. I'm not sure if this originated in the 389-ds docs or we provided Deon (or David) with bad information long ago.

rob

> Can one of the IPA developers explain why it is necessary to install the IPA CA certificate into the Windows Cert Store in order to get Winsync/PassSync working? I don't believe it is necessary. For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active Directory and IPA CA Certificates
>
>> I'm a newbie on Microsoft OSes, but I don't understand why certutil doesn't find my file. I will ask on a microsoft forum.
>>
>> Regards
>>
>>>> When I run as admin 'certutil -installcert -v -config "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA" c:\Users\John\Documents\ipa-ca.crt' it returns (translated from french):
>>>>
>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>>>> CertUtil: Specified file not found
>>>>
>>>> Someone saw this issue?
>>>>
>>>> Have a nice day.
>>>>
>>>> Regards.
>>>>
>>>> Baptiste.
Re: [Freeipa-users] Dogtag reinitialization
I wouldn't even know what to look for. /var/lib/dirsrv/slapd-PKI-IPA/error is like a debug log. All I can tell you is that I ran "ipa-csreplica-manage re-initialize --from master" on my replica, then on my "master" a few minutes later.

- *question everything*learn something*answer nothing*

Lucas Yamanishi
-- Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A

On 08/08/2012 05:36 PM, Rob Crittenden wrote:
> Lucas Yamanishi wrote:
>> Is there any way to completely reinitialize the Dogtag instance
>> atomically?
>>
>> My PKI-IPA directory looks like this:
>>
>>> ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b
>>> 'o=ipaca' 'objectClass=*'
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: objectClass=*
>>> # requesting: ALL
>>> #
>>>
>>> # ipaca
>>> dn: o=ipaca
>>> objectClass: top
>>> objectClass: organization
>>> o: ipaca
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>
>> It's like that on both my master and replica, and my backups don't go
>> back far enough. I think something happened during replica management,
>> but I'm not sure. I haven't used the full range of PKI features up to
>> this point, so this isn't a huge issue for me just yet. In any case, I
>> imagine it will become a big deal at some point, if not for my usage,
>> for management of the IPA instance as a whole.
>>
>> So, how can I fix this? I do have the private key, if that's any use.
>
> I'm not sure what would cause every single entry to be removed. Do the
> logs shed any light on this?
>
> rob
Re: [Freeipa-users] IPA Server
free...@noboost.org wrote:
> Hi All,
>
> NOTE: I posted this on the 389 forum, they rightly suggested this is most likely an IPA issue.
>
> Spec: Redhat Enterprise Linux 6.3 x64
> - ipa-server-2.2.0-16.el6.x86_64
> - 389-ds-base-1.2.10.2-18.el6_3.x86_64
> - 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64
>
> We had a simple (but quite dramatic) issue the other day. Our backup script simply does a cold backup of the 389 Directory Server, however this time it didn't start back up.
>
> Script simply runs:
> /etc/init.d/ipa stop
>
> Error from Log:
> [31/Jul/2012:02:00:38 +1000] - slapd stopped.
> [31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on All Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
>
> Is there any way to work out why this happened? Is this an IPA issue that is known about? When I did a manual restart in the morning it was fine. The backups even worked perfectly last night too.

Sounds like a bug in the ipa shutdown script? Does your backup script do any logging? I see a 5 second window between shutdown and start up. Is it possible your database backed up that quickly?

It would seem that ns-slapd reported itself as stopped but it still had a process hanging around with the port open.

rob
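An added example, not part of the thread and not the poster's script: a cold-backup wrapper that does not trust the "slapd stopped" log line, but polls until the LDAPS listener and the ns-slapd process are actually gone before copying the database and before restarting. The 5-second window Rob points at is exactly where such a wait belongs. Assumptions are mine: the init script is /etc/init.d/ipa as in the post, LDAPS listens on 636, `ss` and `pgrep` are available, and the database lives under /var/lib/dirsrv.

```shell
#!/bin/sh
# Added example (not from the thread): a cold-backup wrapper that waits
# for the directory server to really release its listener before the
# database is copied and before the service is started again. The log in
# the post shows "slapd stopped" followed 5 seconds later by PR_Bind()
# failing on port 636 with "address is in use", i.e. the init script
# returned while an ns-slapd process still held the port.
# Assumptions (mine, not the poster's): the init script is
# /etc/init.d/ipa as in the post, LDAPS listens on 636, `ss` and `pgrep`
# exist, and the database lives under /var/lib/dirsrv.

# port_in_use PORT: exit 0 while any local TCP listener is bound to PORT.
port_in_use() {
    ss -ltn 2>/dev/null | awk -v want="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == want) found = 1 }
        END { exit !found }'
}

# ipa_still_busy: exit 0 while the LDAPS port or an ns-slapd process remains.
ipa_still_busy() {
    port_in_use 636 || pgrep -x ns-slapd >/dev/null 2>&1
}

# wait_for_release PROBE LIMIT [INTERVAL]: call PROBE (a function or
# command that exits 0 while the resource is still busy) every INTERVAL
# seconds (default 1), at most LIMIT times. Returns 0 once PROBE reports
# the resource free, 1 on timeout. WAITED_POLLS records the polls needed.
wait_for_release() {
    probe=$1; limit=$2; interval=${3:-1}; WAITED_POLLS=0
    while "$probe"; do
        WAITED_POLLS=$((WAITED_POLLS + 1))
        if [ "$WAITED_POLLS" -ge "$limit" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# cold_backup DEST: stop IPA, prove the server is gone, tar the database,
# restart. On timeout, restart without taking a backup of a server that
# may still have its database files open.
cold_backup() {
    dest=$1
    /etc/init.d/ipa stop
    if ! wait_for_release ipa_still_busy 60; then
        echo "ns-slapd still holds port 636 after 60s; backup skipped" >&2
        /etc/init.d/ipa start
        return 1
    fi
    tar -czf "$dest" /var/lib/dirsrv
    /etc/init.d/ipa start
}

# Usage: sh backup-ipa.sh --run /backup/dirsrv-$(date +%F).tar.gz
case "${1:-}" in
    --run) cold_backup "$2" ;;
esac
```

The probe is passed by name so the wait loop can be exercised with a fake probe; in production it is `ipa_still_busy`, which keeps polling while either the port or the process is still around, so a restart only happens after the old server has fully exited.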
[Freeipa-users] Fedora 17 FreeIPA Replica not starting up
After installing a replica on a fresh, up-to-date install of FC17, everything seems fine until a reboot. FreeIPA is running on the new machine, etc. But after the reboot ldap doesn't start on its own and can't be made to start manually. The original FreeIPA instance, same software versions, is running just fine.

Release: 1.fc17
Arch: x86_64
FreeIPA Version: 2.2.0

Here is the short error. I can post more if this symptom isn't enough. (I've replaced the names of my actual machines and domain.)

#> ipactl start
Starting Directory Service
Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 2] No such file or directory
Shutting down

#> tail -20 /var/log/messages
Aug 8 23:56:04 replica systemd[1]: dirsrv@PKI-IPA.service: control process exited, code=exited status=1
Aug 8 23:56:04 replica systemd[1]: Unit dirsrv@PKI-IPA.service entered failed state.
Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Aug 9 00:00:16 replica dbus[610]: [system] Activating service name='net.reactivated.Fprint' (using servicehelper)
Aug 9 00:00:16 replica dbus-daemon[610]: Launching FprintObject
Aug 9 00:00:16 replica dbus-daemon[610]: dbus[610]: [system] Successfully activated service 'net.reactivated.Fprint'
Aug 9 00:00:16 replica dbus[610]: [system] Successfully activated service 'net.reactivated.Fprint'
Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: D-Bus service launched with name: net.reactivated.Fprint
Aug 9 00:00:16 replica dbus-daemon[610]: ** Message: entering main loop
Aug 9 00:00:46 replica dbus-daemon[610]: ** Message: No devices in use, exit
Aug 9 00:05:01 replica ns-slapd[2265]: [09/Aug/2012:00:05:01 -0600] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PIVOTVFX-NET/dse.ldif. It is mandatory.
Aug 9 00:05:01 replica systemd[1]: dirsrv@EXAMPLE-COM.service: control process exited, code=exited status=1
Aug 9 00:05:01 replica systemd[1]: Unit dirsrv@EXAMPLE-COM.service entered failed state.
Aug 9 00:05:01 replica ns-slapd[2266]: [09/Aug/2012:00:05:01 -0600] startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.
Aug 9 00:05:01 replica systemd[1]: dirsrv@PKI-IPA.service: control process exited, code=exited status=1
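An added check, not part of the thread and not something the poster ran: the ns-slapd message above says the SSHA scheme could not be read from dse.ldif, so before another restart is attempted it is worth looking at that file directly rather than at the service. The script below inspects an instance directory and, if dse.ldif is empty or lacks the scheme entry, names the fallback copy that still looks intact. Assumptions are mine: the SSHA scheme is provided by the plugin entry "cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config" in dse.ldif, and the instance directory also contains the dse.ldif.bak and dse.ldif.startOK copies that 389-ds maintains on its own.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-start sanity check for a
# 389-ds instance directory. The log above shows ns-slapd refusing to
# start because "The default password storage scheme SSHA could not be
# read or was not found in the file .../dse.ldif", i.e. the configuration
# file it parsed at startup did not yield the SSHA scheme, so the check
# inspects that file before anyone tries another restart.
# Assumptions (mine): the SSHA scheme comes from the plugin entry
# "cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config" in dse.ldif,
# and the instance directory also holds the dse.ldif.bak and
# dse.ldif.startOK copies that 389-ds writes on its own.

SSHA_PLUGIN_DN='cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config'

# has_ssha_plugin FILE: exit 0 if FILE is non-empty and contains the entry.
has_ssha_plugin() {
    [ -s "$1" ] && grep -qi "^dn: $SSHA_PLUGIN_DN" "$1"
}

# check_dse_ldif DIR: 0 = dse.ldif looks loadable, 1 = missing or
# zero-length (what an unclean shutdown can leave behind), 2 = present
# but the SSHA plugin entry is gone. Diagnostics go to stderr.
check_dse_ldif() {
    f="$1/dse.ldif"
    if [ ! -s "$f" ]; then
        echo "$f is missing or zero-length" >&2
        return 1
    fi
    if ! has_ssha_plugin "$f"; then
        echo "$f does not contain the entry '$SSHA_PLUGIN_DN'" >&2
        return 2
    fi
    return 0
}

# suggest_recovery DIR: print the first fallback copy (dse.ldif.bak, then
# dse.ldif.startOK) that still carries the plugin entry; exit 1 if none.
suggest_recovery() {
    for cand in "$1/dse.ldif.bak" "$1/dse.ldif.startOK"; do
        if has_ssha_plugin "$cand"; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Usage: sh check-dse.sh /etc/dirsrv/slapd-PKI-IPA
if [ $# -eq 1 ]; then
    if check_dse_ldif "$1"; then
        echo "$1/dse.ldif: ok"
    elif c=$(suggest_recovery "$1"); then
        echo "candidate for comparison/restore: $c"
    else
        echo "no intact copy found under $1; restore dse.ldif from backup" >&2
        exit 1
    fi
fi
```

The script only reports; it never overwrites dse.ldif itself, because the right move after a truncated configuration file is to diff the candidate against the last known-good backup before putting it in place and restarting with ipactl.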