Re: [Freeipa-users] dirsrv@PKI-IPA.service disappeared

2012-09-08 Thread Tomasz 'Zen' Napierała

On Sep 8, 2012, at 1:35 AM, Dmitri Pal  wrote:

> On 07/26/2012 09:57 AM, Tomasz 'Zen' Napierała wrote:
>> Hi,
>> 
>> After upgrade from F16 to F17 FreeIPA 2.2.0.1 on secondary servers 
>> dirsrv@PKI-IPA.service disappeared.
>> There is an entry for it in systemd, but no config files, etc. 
>> 
>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: dirsrv@PKI-IPA.service 
>> failed to run 'start' task: No such file or directory
>> /var/log/messages:Jul 24 19:50:56 ldap-XX systemd[1]: Unit 
>> dirsrv@PKI-IPA.service entered failed state.
>> 
>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: dirsrv@PKI-IPA.service 
>> failed to run 'start' task: No such file or directory
>> /var/log/messages:Jul 26 13:28:01 ldap-XY systemd[1]: Unit 
>> dirsrv@PKI-IPA.service entered failed state.
>> 
>> I upgraded two replicas and then master during 2 days. What can I do to fix 
>> that problem?
>> 
>> Regards,
> Sorry I do not see any reply. Was this issue resolved?


Not really, I didn't have time to investigate that, I created new replicas ;)

Regards,
-- 
Tomasz 'Zen' Napierała
tom...@napierala.org





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
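The "failed to run 'start' task: No such file or directory" line is logged by systemd when it could not set up the unit's start command at all (a missing ExecStart binary or a mandatory EnvironmentFile, for instance), so ns-slapd never ran and there is nothing in the directory server's own logs to look at. The check below is an added example, not FreeIPA or 389-ds code: it parses a dirsrv@.service template, substitutes the instance name for %i, and reports which of the referenced paths are absent. The embedded unit text is a constructed approximation of the F17-era template (compare it with /lib/systemd/system/dirsrv@.service on the affected host), and the fake filesystem tree exists only so the demonstration runs offline.

```python
import os
import tempfile

# Constructed approximation of the 389-ds template unit; the real file is
# /lib/systemd/system/dirsrv@.service and may differ in detail.
SAMPLE_UNIT = """\
[Unit]
Description=389 Directory Server %i.
After=network.target

[Service]
Type=forking
EnvironmentFile=/etc/sysconfig/dirsrv
EnvironmentFile=/etc/sysconfig/dirsrv-%i
PIDFile=/var/run/dirsrv/slapd-%i.pid
ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid

[Install]
WantedBy=multi-user.target
"""


def unit_paths(unit_text, instance):
    """Paths a template unit needs before systemd can exec it, with %i replaced:
    every mandatory EnvironmentFile= (a leading '-' marks an optional one),
    the ExecStart binary and the directory passed to ns-slapd via -D."""
    paths = {"env": [], "exec": None, "confdir": None}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("EnvironmentFile="):
            value = line.split("=", 1)[1].strip()
            if value.startswith("-"):
                continue  # optional file: systemd ignores it when missing
            paths["env"].append(value.replace("%i", instance))
        elif line.startswith("ExecStart="):
            argv = line.split("=", 1)[1].replace("%i", instance).split()
            paths["exec"] = argv[0].lstrip("-@+!")  # drop systemd exec prefixes
            if "-D" in argv:
                paths["confdir"] = argv[argv.index("-D") + 1]
    return paths


def missing_for_instance(unit_text, instance, root="/"):
    """Return the referenced paths that do not exist under root, in unit order.
    An empty list means systemd can at least start the instance."""
    p = unit_paths(unit_text, instance)
    needed = p["env"] + [x for x in (p["exec"], p["confdir"]) if x]
    return [x for x in needed
            if not os.path.exists(os.path.join(root, x.lstrip("/")))]


def build_fake_root(instances):
    """Constructed filesystem tree: shared files plus one intact instance each."""
    root = tempfile.mkdtemp(prefix="dirsrv-check-")
    os.makedirs(os.path.join(root, "etc/sysconfig"))
    os.makedirs(os.path.join(root, "usr/sbin"))
    for rel in ("etc/sysconfig/dirsrv", "usr/sbin/ns-slapd"):
        open(os.path.join(root, rel), "w").close()
    for inst in instances:
        os.makedirs(os.path.join(root, "etc/dirsrv/slapd-" + inst))
        open(os.path.join(root, "etc/sysconfig/dirsrv-" + inst), "w").close()
    return root


if __name__ == "__main__":
    # Scenario mirroring the report: the main IPA instance survived the
    # upgrade, the PKI-IPA instance's files are gone. Instance name is made up.
    root = build_fake_root(["EXAMPLE-COM"])
    for inst in ("EXAMPLE-COM", "PKI-IPA"):
        gone = missing_for_instance(SAMPLE_UNIT, inst, root)
        print(inst, "ok" if not gone else "missing: " + ", ".join(gone))
```

Run against the real host with `missing_for_instance(open("/lib/systemd/system/dirsrv@.service").read(), "PKI-IPA")`; an empty result means the failure is somewhere other than the unit's prerequisites.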

Re: [Freeipa-users] HBAC Test - web vs command line - returns different results

2012-09-08 Thread Dmitri Pal
On 08/31/2012 09:33 AM, Michael Mercier wrote:
> Hello,
>
> I seem to be having a problem with the HBAC test:
>
> Versions:
> [root@ipaserver ipatest]# rpm -qa|grep ^ipa
> ipa-server-2.2.0-16.el6.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-python-2.2.0-16.el6.x86_64
> ipa-admintools-2.2.0-16.el6.x86_64
> ipa-server-selinux-2.2.0-16.el6.x86_64
> ipa-client-2.2.0-16.el6.x86_64
>
>
> On the web console:
>
> Browse to HBAC TEST
>
> Who: mike
> Accessing: pix.beta.local
> Via service: tac_plus
> From: ipaclient.beta.local (correct me if I am wrong, but I don't believe 
> this has any effect)
> Rules: tacacs
>
> Run Test -> Access Granted with matched rules showing tacacs
>
> On the command line:
>
> ipa hbactest
> User name: mike
> Target Host: pix.beta.local
> Service: tac_plus
> -
> Access granted: False
> -
>   Not matched rules: tacacs
>
> tacacs rule:
> General: Enabled
> Who: user group: ciscoadmin -> mike is a member
> accessing: cisco-devices -> pix.beta.local is a member
> Via Service: tac_plus
> From: any host
>
> NOTE: tacacs is the only enabled rule, allow_all has been disabled (but is 
> still present)
>
> Any ideas?
>
> Thanks,
> Mike
>
>
>
I do not know whether this issue was resolved. Hope it was on the IRC or
in some other way.

The problem above is related to the "from host" I believe.
Please do not use the "from host". The whole concept is a bit broken and
not reliable.
Please let me know if you need more details or you already found this
info from mail archives and docs. 

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





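To make the "from host" dimension concrete, here is a simplified model of HBAC rule evaluation, added here as an example; it is not libipa_hbac or the `ipa hbactest` implementation and does not claim to reproduce the exact divergence in the thread. Rule fields follow the IPA attribute names (usercategory, hostcategory, servicecategory, sourcehostcategory, where the value "all" means any; memberuser, memberhost, memberservice, membersourcehost hold users or groups, hosts or hostgroups). The `tacacs-from-jumphost` rule and the `jumphosts` hostgroup are made up to show a rule that actually restricts the source host; the `tacacs` and `allow_all` rules mirror the ones described above.

```python
# Constructed rules: the thread's tacacs rule (from any host), the disabled
# allow_all rule, and an invented rule that restricts the source host.
RULES = [
    {"cn": "tacacs", "ipaenabledflag": True,
     "usercategory": None, "memberuser": ["ciscoadmin"],
     "hostcategory": None, "memberhost": ["cisco-devices"],
     "servicecategory": None, "memberservice": ["tac_plus"],
     "sourcehostcategory": "all", "membersourcehost": []},
    {"cn": "allow_all", "ipaenabledflag": False,
     "usercategory": "all", "hostcategory": "all",
     "servicecategory": "all", "sourcehostcategory": "all"},
    {"cn": "tacacs-from-jumphost", "ipaenabledflag": True,   # made up
     "usercategory": None, "memberuser": ["ciscoadmin"],
     "hostcategory": None, "memberhost": ["cisco-devices"],
     "servicecategory": None, "memberservice": ["tac_plus"],
     "sourcehostcategory": None, "membersourcehost": ["jumphosts"]},
]

DIMS = ("user", "host", "service", "sourcehost")


def _dim_matches(rule, dim, identities):
    """One dimension of a rule. identities is the set of names the request
    presents (the principal plus every group it belongs to) or None when the
    caller supplied nothing for this dimension."""
    if rule.get(dim + "category") == "all":
        return True                      # "any" accepts everything, even None
    if identities is None:
        return False                     # an explicit member list needs a value
    return bool(set(rule.get("member" + dim, ())) & identities)


def evaluate(rules, request):
    """Return (granted, matched_rule_names, not_matched_rule_names).
    A request is granted when at least one enabled rule matches on all
    four dimensions; disabled rules (allow_all here) are skipped."""
    matched, not_matched = [], []
    for rule in rules:
        if not rule.get("ipaenabledflag", True):
            continue
        if all(_dim_matches(rule, d, request.get(d)) for d in DIMS):
            matched.append(rule["cn"])
        else:
            not_matched.append(rule["cn"])
    return bool(matched), matched, not_matched


def request_from(user, groups, host, hostgroups, service,
                 srchost=None, srchost_groups=()):
    """Build the per-dimension identity sets; srchost=None models a test run
    that never supplied a source host, as the CLI prompts above did not."""
    return {
        "user": {user} | set(groups),
        "host": {host} | set(hostgroups),
        "service": {service},
        "sourcehost": None if srchost is None
                      else {srchost} | set(srchost_groups),
    }


if __name__ == "__main__":
    cli = request_from("mike", ["ciscoadmin"], "pix.beta.local",
                       ["cisco-devices"], "tac_plus")
    web = request_from("mike", ["ciscoadmin"], "pix.beta.local",
                       ["cisco-devices"], "tac_plus",
                       srchost="ipaclient.beta.local",
                       srchost_groups=["jumphosts"])
    for name, req in (("no source host", cli), ("with source host", web)):
        print(name, evaluate(RULES, req))
```

The point the model makes: a rule whose "from" is "any host" is indifferent to whether a source host was supplied, but as soon as a rule lists explicit source hosts, the outcome depends on a value the requesting service may or may not pass, which is why the source-host dimension is fragile as an access-control input.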


Re: [Freeipa-users] errors when one ipa server down

2012-09-08 Thread Dmitri Pal
On 09/07/2012 04:50 PM, Rob Crittenden wrote:
> Michael Mercier wrote:
>>
>> On 2012-09-07, at 2:47 PM, Dmitri Pal wrote:
>>
>>> On 09/07/2012 12:42 PM, Michael Mercier wrote:
 On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

> On 09/06/2012 10:40 AM, Michael Mercier wrote:
>> Hello,
>>
>> I have experienced some odd connectivity issues using MMR with
>> FreeIPA (all systems CentOS 6.3).  I have 2 ipa servers
>> (ipaserver / ipaserver2) setup using MMR.
>>
>> [root@ipaserver ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>>
>>
>> [root@ipaserver2 ~]#ipa-replica-manage list
>> ipaserver.mpls.local: master
>> ipaserver2.mpls.local: master
>> [root@ipaserver2 ~]# rpm -qa|grep ipa
>> ipa-client-2.2.0-16.el6.x86_64
>> ipa-server-2.2.0-16.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-admintools-2.2.0-16.el6.x86_64
>> ipa-server-selinux-2.2.0-16.el6.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>
>>
>> [mike@ipaclient ~]$ rpm -qa|grep ipa
>> ipa-admintools-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-python-2.2.0-16.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> libipa_hbac-1.8.0-32.el6.x86_64
>>
>>
>> I have a webserver (zenoss) using kerberos authentication.
>>
>> [root@zenoss ~]# rpm -qa|grep ipa
>> libipa_hbac-1.8.0-32.el6.x86_64
>> libipa_hbac-python-1.8.0-32.el6.x86_64
>> ipa-python-2.2.0-16.el6.x86_64
>> ipa-client-2.2.0-16.el6.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-admintools-2.2.0-16.el6.x86_64
>>
>> 
>>   SSLRequireSSL
>>   AuthType Kerberos
>>   AuthName "Kerberos Login"
>>
>>   KrbMethodK5Passwd Off
>>   KrbAuthRealms MPLS.LOCAL
>>   KrbSaveCredentials on
>>   KrbServiceName HTTP
>>   Krb5KeyTab /etc/http/conf.d/http.keytab
>>
>>   AuthLDAPUrl "ldap://ipaserver.mpls.local
>> ipaserver2.mpls.local/dc=mpls,dc=local?krbPrincipalName"
>>   RequestHeader set X_REMOTE_USER %{remoteUser}e
>>   require ldap-group
>> cn=zenuser,cn=groups,cn=accounts,dc=mpls,dc=local
>> 
>>
>>
>> With both ipaserver and ipaserver2 'up', if I connect to
>> https://zenoss.mpls.local from ipaclient using firefox, I am
>> successfully connected.  If on ipaserver I do a 'ifdown eth0' and
>> attempt another connection, it fails.  I have also noticed the
>> following:
>>
>> 1. I am unable to use the ipaserver2 management interface when
>> ipaserver is unavailable.
>> 2. It takes a longer period of time to do a kinit
>>
>> If I then perform:
>> [root@ipaserver ~]#ifup eth0
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> [mike@ipaclient ~]$kinit
>> kinit: Cannot contact any KDC for realm 'MPLS.LOCAL' while
>> getting initial credentials
>>
>> [root@ipaserver2 ~]#ifup eth0
>>
>> [mike@ipaclient ~]$ kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> [root@ipaserver2 ~]#ifdown eth0
>>
>> .. wait number of minutes
>>
>> ipaclient screen locks - type password - after a short delay (~7
>> seconds) screen unlock completes
>>
>> [mike@ipaclient ~]$kinit
>> Password for mike@MPLS.LOCAL:
>> [mike@ipaclient ~]$
>>
>> Any ideas?
>>
>> Thanks,
>> Mike
> This seems to be some DNS problem.
> Your client does not see the second replica and might have some name
> resolution timeouts.
>
> Please check your dns setup and krb5.conf on the client.
>
> To help more we need more details about your client configuration:
> DNS and
> Kerberos.
 Hi,

 Additional information...

 [root@zenoss ~]#more /etc/resolv.conf
 search mpls.local
 domain mpls.local
 nameserver 172.16.112.5
 nameserver 172.16.112.8

 [root@zenoss ~]# more /etc/krb5.conf
 #File modified by ipa-client-install

 [libdefaults]
   default_realm = MPLS.LOCAL
   dns_lookup_realm = true
   dns_lookup_kdc = true
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes

 [realms]
   MPLS.LOCAL
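The page cuts off before the realm block of that krb5.conf, so whether the client had static `kdc =` entries or relied purely on SRV lookups (`dns_lookup_kdc = true`) is not visible. The check below is an added example, not part of the thread or of FreeIPA: it parses a krb5.conf and a resolv.conf and reports when locating a KDC depends on DNS alone, or on a single nameserver. The relevance is general resolver behaviour: the glibc resolver tries the nameservers in resolv.conf in order and only moves to the next after a timeout, so if the first nameserver is the IPA server that was taken down, every SRV lookup stalls before it can even find the surviving replica. Both krb5.conf texts are constructed for the demonstration; the first mirrors the visible libdefaults with no static KDCs, the second pins both replicas.

```python
import re

# Constructed: the visible libdefaults, with a realm block that names no KDC.
KRB5_DNS_ONLY = """\
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  MPLS.LOCAL = {
    default_domain = mpls.local
  }
"""

# Constructed alternative: both replicas pinned, no SRV dependency.
KRB5_STATIC = """\
[libdefaults]
  default_realm = MPLS.LOCAL
  dns_lookup_kdc = false

[realms]
  MPLS.LOCAL = {
    kdc = ipaserver.mpls.local:88
    kdc = ipaserver2.mpls.local:88
    admin_server = ipaserver.mpls.local:749
  }
"""

# Mirrors the resolv.conf shown in the thread.
RESOLV = """\
search mpls.local
domain mpls.local
nameserver 172.16.112.5
nameserver 172.16.112.8
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [libdefaults] key/values and, per realm,
    the repeated keys inside 'REALM = { ... }'. Includes are ignored."""
    conf = {"libdefaults": {}, "realms": {}}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                conf["realms"].setdefault(realm, {})
                continue
            if line == "}":
                realm = None
                continue
            if realm and "=" in line:
                k, v = (s.strip() for s in line.split("=", 1))
                conf["realms"][realm].setdefault(k, []).append(v)
        elif section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conf["libdefaults"][k] = v
    return conf


def parse_resolv_conf(text):
    """Nameserver addresses in the order the resolver will try them."""
    return [l.split()[1] for l in text.splitlines()
            if l.strip().startswith("nameserver") and len(l.split()) > 1]


def kdc_discovery_report(krb5_text, resolv_text, realm):
    """Summarise how a client finds KDCs for realm and flag fragile setups."""
    conf = parse_krb5_conf(krb5_text)
    static = conf["realms"].get(realm, {}).get("kdc", [])
    # MIT krb5 defaults dns_lookup_kdc to true when it is not set.
    dns = conf["libdefaults"].get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    ns = parse_resolv_conf(resolv_text)
    findings = []
    if not static and not dns:
        findings.append("no static kdc entries and dns_lookup_kdc is off: no way to locate a KDC")
    elif not static:
        findings.append("KDC location relies entirely on SRV lookups through nameservers %s; "
                        "if the first nameserver is the host that is down, each lookup waits "
                        "for the resolver timeout before the next one is tried" % ", ".join(ns))
    if len(ns) < 2:
        findings.append("only one nameserver configured")
    if static and len(static) < 2 and not dns:
        findings.append("only one static kdc and DNS lookup disabled")
    return {"static_kdcs": static, "dns_lookup_kdc": dns,
            "nameservers": ns, "findings": findings}


if __name__ == "__main__":
    for label, text in (("dns-only", KRB5_DNS_ONLY), ("static", KRB5_STATIC)):
        print(label, kdc_discovery_report(text, RESOLV, "MPLS.LOCAL"))
```

On a real client, feed it the contents of /etc/krb5.conf and /etc/resolv.conf; a report with no findings does not prove failover works, but a report with findings tells you which dependency to test by taking that one nameserver or KDC away.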