Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread Rich Megginson

On 08/30/2013 01:31 PM, John Moyer wrote:

> Rob or anyone else,
>
> So while struggling along on this server I just grabbed the logs off
> it and ran that log program with the options you suggested. There
> are a lot of unindexed requests. These are the top issues; I've
> removed the one username that showed up.
>
> So just to double check what I'm thinking. I need to create three
> indexes:
>
> 1. objectclass pres

No, do not create this one.

> 2. objectclass eq

This should already be indexed.

> 3. uid pres

I suppose the UI might be doing this search?

> Please let me know if I'm reading this correctly or if I'm way off?
>
> 7337 (objectclass=inetorgperson)
> 4597 (objectclass=*)
> 4560 (&(objectclass=inetorgperson)(uid=senior.developer.login))
> 307 (objectclass=krbticketpolicyaux)
> 292 (uid=*)
>
> Thanks,
> _
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc.
> john.mo...@digitalreasoning.com
> Office: 703.678.2311
> Mobile: 240.460.0023
> Fax: 703.678.2312
> www.digitalreasoning.com

On Aug 28, 2013, at 11:40 AM, Rob Crittenden wrote:



John Moyer wrote:
So this method of searching the logs is great, and it shows some indexes 
that would likely highly increase efficiency with my usage. So, 
are there instructions on how to do that? Or do you know offhand how 
to do that?


I'd start with 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes


Note that you'll want to create the same index on all hosts. This 
configuration is not replicated.


You can see the ones we create in /usr/share/ipa/indices.ldif and 
/usr/share/ipa/updates/20-indices.update


rob




Thanks,
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com 
Office:703.678.2311
Mobile:240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Aug 27, 2013, at 4:45 PM, Rob Crittenden  wrote:


John Moyer wrote:
Wow, this is quite insightful. This is the output from that; it 
looks like there aren't many unindexed searches (319 doesn't seem 
like a lot to me at least). Do you have any suggestions from this 
output?


There are a slew of options you can provide to logconv.pl. I 
typically use logconv.pl -ula 
/var/log/dirsrv/slapd-EXAMPLE-COM/access when doing search analysis.


rob





Start of Log:27/Aug/2013:02:36:08
End of Log:  27/Aug/2013:12:17:15

Processed Log Time:  9 Hours, 41 Minutes, 7 Seconds

Restarts: 2
Total Connections:45224
SSL Connections:  44735
Peak Concurrent Connections:  76
Total Operations: 132568
Total Results:132737
Overall Performance:  100.0%

Searches: 61318  (1.76/sec)  (105.52/min)
Modifications:277(0.01/sec)  (0.48/min)
Adds: 10 (0.00/sec)  (0.02/min)
Deletes:  12 (0.00/sec)  (0.02/min)
Mod RDNs: 0  (0.00/sec)  (0.00/min)
Compares: 0  (0.00/sec)  (0.00/min)
Binds:62143  (1.78/sec)  (106.94/min)

Proxied Auth Operations:  0
Persistent Searches:  3
Internal Operations:  0
Entry Operations: 0
Extended Operations:  8808
Abandoned Requests:   0
Smart Referrals Received: 0

VLV Operations:   0
VLV Unindexed Searches:   0
SORT Operations:  353

Entire Search Base Queries:   106
Unindexed Searches:   319

FDs Taken:45262
FDs Returned: 45210
Highest FD Taken: 139

Broken Pipes: 0
Connections Reset By Peer:0
Resource Unavailable: 0

Binds:62143
Unbinds:  44539

 LDAP v2 Binds:   2
 LDAP v3 Binds:   62141
 SSL Client Binds:0
 Failed SSL Client Binds: 0
 SASL Binds:  1466
  1458  GSSAPI
  8 EXTERNAL

 Directory Manager Binds: 10
 Anonymous Binds: 1476
 Other Binds: 60657





Thanks,
_
John Moyer
Director, IT Operations
On Aug 27, 2013, at 1:13 PM, Rob Crittenden  
wrote:



John Moyer wrote:

Is there any way to see what fields are indexed?


$ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 
'cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'


Your best bet is to use the logconv.pl tool to examine your logs.

rob



Thanks,
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.
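
The log analysis Rob and Rich walk John through above (logconv.pl -u, the top unindexed filters, and which index type each one would need) can be reproduced with a short script. The Python below is an added example, not code from the thread or from FreeIPA/389-ds; the access-log lines are constructed for it, and the function names are mine. It joins each SRCH to its RESULT on (conn, op), counts filters whose RESULT carries the U (unindexed) note, masks literal values the way John masked the username, and reports the index type each filter component would need, leaving out the objectclass presence index that Rich says not to create.

```python
import re
import sys
from collections import Counter

# Constructed sample in 389 Directory Server access-log format; the
# connections, filters and counts are invented for this example.
SAMPLE_ACCESS_LOG = """\
[27/Aug/2013:02:36:08 -0400] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Aug/2013:02:36:08 -0400] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[27/Aug/2013:02:36:08 -0400] conn=12 op=3 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=inetorgperson)" attrs="uid cn"
[27/Aug/2013:02:36:08 -0400] conn=12 op=3 RESULT err=0 tag=101 nentries=250 etime=1 notes=U
[27/Aug/2013:02:36:09 -0400] conn=13 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=inetorgperson)(uid=jdoe))" attrs="uid"
[27/Aug/2013:02:36:09 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[27/Aug/2013:02:36:10 -0400] conn=14 op=2 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="uid"
[27/Aug/2013:02:36:10 -0400] conn=14 op=2 RESULT err=0 tag=101 nentries=250 etime=2 notes=U
[27/Aug/2013:02:36:11 -0400] conn=12 op=4 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="dn"
[27/Aug/2013:02:36:11 -0400] conn=12 op=4 RESULT err=0 tag=101 nentries=300 etime=3 notes=A,U
[27/Aug/2013:02:36:12 -0400] conn=15 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(uid=*)" attrs="uid"
[27/Aug/2013:02:36:12 -0400] conn=15 op=1 RESULT err=0 tag=101 nentries=250 etime=2 notes=U
[27/Aug/2013:02:36:13 -0400] conn=16 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=inetorgperson)(uid=asmith))" attrs="uid"
[27/Aug/2013:02:36:13 -0400] conn=16 op=1 RESULT err=0 tag=101 nentries=1 etime=4 notes=U
"""

SRCH_RE = re.compile(r'\bconn=(\d+) op=(\d+) SRCH\b.*?\bfilter="([^"]*)"')
RESULT_RE = re.compile(r'\bconn=(\d+) op=(\d+) RESULT\b')
# notes=U marks an unindexed search; notes=A means the candidate list hit
# the ALLIDs threshold. Several notes can be comma separated (notes=A,U).
NOTES_RE = re.compile(r'\bnotes=([A-Z,]+)')
# One simple (attr=value) component of an LDAP filter.
COMPONENT_RE = re.compile(r'\(([A-Za-z][\w.;-]*)=([^()]*)\)')


def unindexed_filters(log_text):
    """Count the filters of searches whose RESULT carries the U note.

    A SRCH and its RESULT are separate lines; they are joined on (conn, op),
    which is also how logconv.pl attributes a result to its search.
    """
    pending = {}
    counts = Counter()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue  # BIND, MOD, UNBIND and other lines are irrelevant here
        filt = pending.pop((m.group(1), m.group(2)), None)
        notes = NOTES_RE.search(line)
        if filt is not None and notes and 'U' in notes.group(1).split(','):
            counts[filt] += 1
    return counts


def mask_values(filt):
    """Replace literal assertion values with <value> so a report can be shared
    without leaking usernames. Presence filters such as (uid=*) and objectclass
    names are kept, since those are what decide which index is needed."""
    def repl(m):
        attr, val = m.group(1), m.group(2)
        if attr.lower() == 'objectclass' or val == '*':
            return m.group(0)
        return f'({attr}=<value>)'
    return COMPONENT_RE.sub(repl, filt)


def index_types_needed(filt):
    """Map each simple component to the (attribute, index type) that would
    satisfy it: pres for (attr=*), sub for wildcards, eq for exact values."""
    needed = set()
    for attr, val in COMPONENT_RE.findall(filt):
        attr = attr.lower()
        if val == '*':
            needed.add((attr, 'pres'))
        elif '*' in val:
            needed.add((attr, 'sub'))
        else:
            needed.add((attr, 'eq'))
    return needed


def is_useful_index(attr, itype):
    # Every entry has an objectclass, so a presence index on it matches the
    # whole database and buys nothing; the thread says not to create it.
    return not (attr == 'objectclass' and itype == 'pres')


def unindexed_report(log_text, top=10):
    """Top unindexed filters as (count, masked filter, needed indexes)."""
    masked = Counter()
    for filt, n in unindexed_filters(log_text).items():
        masked[mask_values(filt)] += n
    return [(n, f, sorted(t for t in index_types_needed(f) if is_useful_index(*t)))
            for f, n in masked.most_common(top)]


if __name__ == "__main__":
    # Pass an access log path, e.g. /var/log/dirsrv/slapd-EXAMPLE-COM/access,
    # or run without arguments to analyse the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for n, f, idx in unindexed_report(text):
        needs = ', '.join(f'{a} {t}' for a, t in idx) or '-'
        print(f"{n:6d}  {f}  needs: {needs}")
```

As Rob notes, an index added on the strength of this report has to be created on every replica, because index configuration is not replicated.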

Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
I'm sorry, that was my top unique filter list, not my unindexed list. Please 
disregard my last email. 


Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Aug 30, 2013, at 3:47 PM, John Moyer  wrote:

> If objectclass eq is already indexed how are these on my top unindexed list?  
>  Wouldn't objectclass eq cover this (objectclass=inetorgperson)? and the 
> third and fourth entry?   I apologize if I'm way off as I am new to the 
> intricacies of LDAP indexing. 
> 
> 
> 
> Thanks, 
> _
> John Moyer
> Director, IT Operations
> 
> On Aug 30, 2013, at 3:41 PM, Rich Megginson  wrote:
> 
>> On 08/30/2013 01:31 PM, John Moyer wrote:
>>> Rob or anyone else,  
>>> 
>>> So while struggling along on this server I just grabbed the logs off it and 
>>> ran that log program with the options you suggested.   There are a lot of 
>>> unindexed requests.   These are the top issues I've removed the one 
>>> username that showed up.   
>>> 
>>> So just to double check what I'm thinking.   I need to create three indexes
>>>  1. objectclass pres
>> No, do not create this one
>>>  2. objectclass eq
>> This should already be indexed
>>>  3. uid pres 
>> I suppose the UI might be doing this search?
>>> 
>>> Please let me know if I'm reading this correctly or if I'm way off?   
>>> 
>>> 
>>> 7337(objectclass=inetorgperson)
>>> 4597(objectclass=*)
>>> 4560(&(objectclass=inetorgperson)(uid=senior.developer.login))
>>> 307 (objectclass=krbticketpolicyaux)
>>> 292 (uid=*)
>>> 
>>> 
>>> 
>>> Thanks, 
>>> _
>>> John Moyer
>>> Director, IT Operations
>>> Digital Reasoning Systems, Inc.
>>> john.mo...@digitalreasoning.com
>>> Office: 703.678.2311
>>> Mobile: 240.460.0023
>>> Fax: 703.678.2312
>>> www.digitalreasoning.com
>>> 
>>> On Aug 28, 2013, at 11:40 AM, Rob Crittenden  wrote:
>>> 
 John Moyer wrote:
> So this method of search logs is great, and it shows some indexes that 
> would likely highly increase efficiency with my usage.   So, are there 
> instructions how to do that?  or do you know off hand how to do that?
 
 I'd start with 
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
 
 Note that you'll want to create the same index on all hosts. This 
 configuration is not replicated.
 
 You can see the ones we create in /usr/share/ipa/indices.ldif and 
 /usr/share/ipa/updates/20-indices.update
 
 rob
 
> 
> 
> Thanks,
> _
> John Moyer
> Director, IT Operations
> Digital Reasoning Systems, Inc.
> john.mo...@digitalreasoning.com
> Office: 703.678.2311
> Mobile: 240.460.0023
> Fax:
>703.678.2312
> www.digitalreasoning.com
> 
> On Aug 27, 2013, at 4:45 PM, Rob Crittenden  wrote:
> 
>> John Moyer wrote:
>>> Wow, this is quite insightful, this is the output from that, it looks 
>>> like there aren't many unindexed searches (319 doesn't seem like a lot 
>>> to me at least).  Do you have any suggestions from this output?
>> 
>> There are a slew of options you can provide to logconv.pl. I typically 
>> use logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing 
>> search analysis.
>> 
>> rob
>> 
>>> 
>>> 
>>> 
>>> Start of Log:27/Aug/2013:02:36:08
>>> End of Log:  27/Aug/2013:12:17:15
>>> 
>>> Processed Log Time:  9 Hours, 41 Minutes, 7 Seconds
>>> 
>>> Restarts: 2
>>> Total Connections:45224
>>> SSL Connections:  44735
>>> Peak Concurrent Connections:  76
>>> Total Operations: 132568
>>> Total Results:132737
>>> Overall Performance:  100.0%
>>> 
>>> Searches: 61318  (1.76/sec)  (105.52/min)
>>> Modifications:277(0.01/sec)  (0.48/min)
>>> Adds: 10 (0.00/sec)  (0.02/min)
>>> Deletes:  12 (0.00/sec)  (0.02/min)
>>> Mod RDNs: 0  (0.00/sec)  (0.00/min)
>>> Compares: 0  (0.00/sec)  (0.00/min)
>>> Binds:62143  (1.78/sec)  (106.94/min)
>>> 
>>> Proxied Auth Operations:  0
>>> Persistent Searches:  3
>>> Internal Operations:  0
>>> Entry Operations: 0
>>> Extended Operations:  8808
>>> Abandoned R

[Freeipa-users] FreeIPA on Debian

2013-08-30 Thread Dmitri Pal
Hello,

Sorry for cross-posting to 4 different lists, but it seems that this is
the best way to include most of the people who might be interested in this
discussion.

The question of "When will FreeIPA be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However, it
is clear that it would be beneficial for the community and the project.

Maybe it is time to try again?
Let us see why it has not happened yet.

1) Some components need to be ported to Debian, especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
2) The code needs to be changed in the installer and potentially in other
places, as it might have had some Fedorisms blended in.
3) Someone needs to own the packages in Debian and maintain them: someone
with good knowledge of the distro and time to take ownership of about 50
packages.

Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest in joining forces with them? Would there be anyone to take on item
3) from the list above?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
If objectclass eq is already indexed, how are these on my top unindexed list? 
Wouldn't objectclass eq cover this (objectclass=inetorgperson) and the third 
and fourth entries? I apologize if I'm way off, as I am new to the intricacies 
of LDAP indexing. 



Thanks, 
_
John Moyer
Director, IT Operations

On Aug 30, 2013, at 3:41 PM, Rich Megginson  wrote:

> On 08/30/2013 01:31 PM, John Moyer wrote:
>> Rob or anyone else,  
>> 
>> So while struggling along on this server I just grabbed the logs off it and 
>> ran that log program with the options you suggested.   There are a lot of 
>> unindexed requests.   These are the top issues I've removed the one username 
>> that showed up.   
>> 
>> So just to double check what I'm thinking.   I need to create three indexes
>>  1. objectclass pres
> No, do not create this one
>>  2. objectclass eq
> This should already be indexed
>>  3. uid pres 
> I suppose the UI might be doing this search?
>> 
>> Please let me know if I'm reading this correctly or if I'm way off?   
>> 
>> 
>> 7337(objectclass=inetorgperson)
>> 4597(objectclass=*)
>> 4560(&(objectclass=inetorgperson)(uid=senior.developer.login))
>> 307 (objectclass=krbticketpolicyaux)
>> 292 (uid=*)
>> 
>> 
>> 
>> Thanks, 
>> _
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> john.mo...@digitalreasoning.com
>> Office: 703.678.2311
>> Mobile: 240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>> 
>> On Aug 28, 2013, at 11:40 AM, Rob Crittenden  wrote:
>> 
>>> John Moyer wrote:
 So this method of search logs is great, and it shows some indexes that 
 would likely highly increase efficiency with my usage.   So, are there 
 instructions how to do that?  or do you know off hand how to do that?
>>> 
>>> I'd start with 
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
>>> 
>>> Note that you'll want to create the same index on all hosts. This 
>>> configuration is not replicated.
>>> 
>>> You can see the ones we create in /usr/share/ipa/indices.ldif and 
>>> /usr/share/ipa/updates/20-indices.update
>>> 
>>> rob
>>> 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 Digital Reasoning Systems, Inc.
 john.mo...@digitalreasoning.com
 Office: 703.678.2311
 Mobile: 240.460.0023
 Fax:
703.678.2312
 www.digitalreasoning.com
 
 On Aug 27, 2013, at 4:45 PM, Rob Crittenden  wrote:
 
> John Moyer wrote:
>> Wow, this is quite insightful, this is the output from that, it looks 
>> like there aren't many unindexed searches (319 doesn't seem like a lot 
>> to me at least).  Do you have any suggestions from this output?
> 
> There are a slew of options you can provide to logconv.pl. I typically 
> use logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing 
> search analysis.
> 
> rob
> 
>> 
>> 
>> 
>> Start of Log:27/Aug/2013:02:36:08
>> End of Log:  27/Aug/2013:12:17:15
>> 
>> Processed Log Time:  9 Hours, 41 Minutes, 7 Seconds
>> 
>> Restarts: 2
>> Total Connections:45224
>> SSL Connections:  44735
>> Peak Concurrent Connections:  76
>> Total Operations: 132568
>> Total Results:132737
>> Overall Performance:  100.0%
>> 
>> Searches: 61318  (1.76/sec)  (105.52/min)
>> Modifications:277(0.01/sec)  (0.48/min)
>> Adds: 10 (0.00/sec)  (0.02/min)
>> Deletes:  12 (0.00/sec)  (0.02/min)
>> Mod RDNs: 0  (0.00/sec)  (0.00/min)
>> Compares: 0  (0.00/sec)  (0.00/min)
>> Binds:62143  (1.78/sec)  (106.94/min)
>> 
>> Proxied Auth Operations:  0
>> Persistent Searches:  3
>> Internal Operations:  0
>> Entry Operations: 0
>> Extended Operations:  8808
>> Abandoned Requests:   0
>> Smart Referrals Received: 0
>> 
>> VLV Operations:   0
>> VLV Unindexed Searches:   0
>> SORT Operations:  353
>> 
>> Entire Search Base Queries:   106
>> Unindexed Searches:   319
>> 
>> FDs Taken:45262
>> FDs Returned: 45210
>> Highest FD Taken: 139
>> 
>> Broken Pipes: 0
>> Connections Reset By Peer:0
>> Resource Unavailable: 0
>> 
>> Bi

Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
Rob or anyone else,  

So while struggling along on this server I just grabbed the logs off it and ran 
that log program with the options you suggested. There are a lot of unindexed 
requests. These are the top issues; I've removed the one username that showed 
up.   

So just to double check what I'm thinking. I need to create three indexes:
1. objectclass pres
2. objectclass eq
3. uid pres 

Please let me know if I'm reading this correctly or if I'm way off?   


7337 (objectclass=inetorgperson)
4597 (objectclass=*)
4560 (&(objectclass=inetorgperson)(uid=senior.developer.login))
307 (objectclass=krbticketpolicyaux)
292 (uid=*)



Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Aug 28, 2013, at 11:40 AM, Rob Crittenden  wrote:

> John Moyer wrote:
>> So this method of search logs is great, and it shows some indexes that would 
>> likely highly increase efficiency with my usage.   So, are there 
>> instructions how to do that?  or do you know off hand how to do that?
> 
> I'd start with 
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
> 
> Note that you'll want to create the same index on all hosts. This 
> configuration is not replicated.
> 
> You can see the ones we create in /usr/share/ipa/indices.ldif and 
> /usr/share/ipa/updates/20-indices.update
> 
> rob
> 
>> 
>> 
>> Thanks,
>> _
>> John Moyer
>> Director, IT Operations
>> Digital Reasoning Systems, Inc.
>> john.mo...@digitalreasoning.com
>> Office:  703.678.2311
>> Mobile:  240.460.0023
>> Fax: 703.678.2312
>> www.digitalreasoning.com
>> 
>> On Aug 27, 2013, at 4:45 PM, Rob Crittenden  wrote:
>> 
>>> John Moyer wrote:
 Wow, this is quite insightful, this is the output from that, it looks like 
 there aren't many unindexed searches (319 doesn't seem like a lot to me at 
 least).  Do you have any suggestions from this output?
>>> 
>>> There are a slew of options you can provide to logconv.pl. I typically use 
>>> logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing search 
>>> analysis.
>>> 
>>> rob
>>> 
 
 
 
 Start of Log:27/Aug/2013:02:36:08
 End of Log:  27/Aug/2013:12:17:15
 
 Processed Log Time:  9 Hours, 41 Minutes, 7 Seconds
 
 Restarts: 2
 Total Connections:45224
 SSL Connections:  44735
 Peak Concurrent Connections:  76
 Total Operations: 132568
 Total Results:132737
 Overall Performance:  100.0%
 
 Searches: 61318  (1.76/sec)  (105.52/min)
 Modifications:277(0.01/sec)  (0.48/min)
 Adds: 10 (0.00/sec)  (0.02/min)
 Deletes:  12 (0.00/sec)  (0.02/min)
 Mod RDNs: 0  (0.00/sec)  (0.00/min)
 Compares: 0  (0.00/sec)  (0.00/min)
 Binds:62143  (1.78/sec)  (106.94/min)
 
 Proxied Auth Operations:  0
 Persistent Searches:  3
 Internal Operations:  0
 Entry Operations: 0
 Extended Operations:  8808
 Abandoned Requests:   0
 Smart Referrals Received: 0
 
 VLV Operations:   0
 VLV Unindexed Searches:   0
 SORT Operations:  353
 
 Entire Search Base Queries:   106
 Unindexed Searches:   319
 
 FDs Taken:45262
 FDs Returned: 45210
 Highest FD Taken: 139
 
 Broken Pipes: 0
 Connections Reset By Peer:0
 Resource Unavailable: 0
 
 Binds:62143
 Unbinds:  44539
 
  LDAP v2 Binds:   2
  LDAP v3 Binds:   62141
  SSL Client Binds:0
  Failed SSL Client Binds: 0
  SASL Binds:  1466
   1458  GSSAPI
   8 EXTERNAL
 
  Directory Manager Binds: 10
  Anonymous Binds: 1476
  Other Binds: 60657
 
 
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On Aug 27, 2013, at 1:13 PM, Rob Crittenden  wrote:
 
> John Moyer wrote:
>> Is there any way to see what fields are index'ed?
> 
> $ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 
> 'cn=index,cn=userRoo

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek
On Fri, Aug 30, 2013 at 03:54:54PM +0200, Michał Dwużnik wrote:
> Ok, I somehow assumed certs are very much needed for ldaps...
> 

Well, for most operations SSSD uses GSSAPI authentication. Only when
passwords are migrated do we do an LDAP bind with StartTLS.

> In the meantime, I set up a debian wheezy machine to try the freeipa-client
> from debs.
> 
> I managed to get working ipa-client (with a few quirks...- default nss
> database needed to be created) with packages from
> deb http://apt.numeezy.fr wheezy main
> deb-src http://apt.numeezy.fr wheezy main.
> So now I have a ready set of debian-like configs for wheezy, making it work
> with squeeze seems easier now (it comes with learning, too...)
> 
> I must admit ipa-client debug option is lovely as a step-by-step guide for
> trying by hand :>
> 
> Going back to thinking whether to try getting ipa on squeeze or getting the
> legacy software working with squeeze...
> (some of the scientists seem to be the happiest if the system is totally
> unchanged for some 20 years...).
> 
> 
> Regards
> Michal
> 
> PS:I do see hope for rooting out the last instance of NIS on the campus :>

Terminate it with extreme prejudice :-)


Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Michał Dwużnik
Ok, I somehow assumed certs are very much needed for ldaps...

In the meantime, I set up a Debian wheezy machine to try the freeipa-client
from debs.

I managed to get ipa-client working (with a few quirks... the default nss
database needed to be created) with packages from
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main
So now I have a ready set of Debian-like configs for wheezy; making it work
with squeeze seems easier now (it comes with learning, too...).

I must admit the ipa-client debug option is lovely as a step-by-step guide for
trying by hand :>

Going back to thinking whether to try getting IPA on squeeze or getting the
legacy software working with squeeze...
(some of the scientists seem to be happiest if the system is totally
unchanged for some 20 years...).


Regards
Michal

PS: I do see hope for rooting out the last instance of NIS on the campus :>

Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Rob Crittenden

Bret Wortman wrote:

Still odder ... I went ahead and tried to delete the agreement:

[ipamaster]# ipa-replica-manage del ipamaster3.foo.net
 --force
'ipamaster.foo.net ' has no replication
agreement for 'ipamaster3.foo.net '
[ipamaster]#

Dug back into the script and realized upon further reading (and widening
my read to more of the code) that found was being set True elsewhere --
where it was complaining about how ipamaster knew about ipamaster3
already. Fair enough. So I hopped on over there and removed it. Which
worked. And now the script proceeds much better.

Guess the third cup of coffee helped.

CA configuration still failed, though, at the same place as before
(though executed as part of ipa-replica-install --setup-ca this time):

[2/17]: configuring certificate server instance
ipa   : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpnq_J4d' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed.

/This/ time, I'm not going to run the --uninstall command until someone
on the team tells me to do so


Ok. What we'll need to see is the full /var/log/ipareplica-install.log 
and the CA debug log from /var/log/pki/pki-tomcat/ca/debug. The CA team 
sometimes wants the debug log from the master you're cloning from too. 
You can send these to me out of band if you'd like, the debug logs in 
particular tend to be humongous.


rob



Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Bret Wortman
On Fri, Aug 30, 2013 at 5:03 AM, Petr Viktorin  wrote:

> On 08/30/2013 10:23 AM, Bret Wortman wrote:
>
>> Morning update. I made the change Rob suggested to
>> /etc/ipa/default.conf, which appeared to work, but didn't quite. It
>> asked me to back out the whole server installation and start over:
>>
>> [ipamaster2]# ipa-ca-install --skip-conncheck
>> replica-info-ipamaster2.foo.net.gpg
>> Directory Manager (existing master) password:
>>
>> COnfiguring certificate server (pki-tomcatd): Estimated time 3 minutes
>> 30 seconds
>>[1/16]: creating certificate server user
>>[2/16]: configuring certificate server instance
>> ipa : CRITICAL failed to configure ca instance Command
>> '/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit
>> status 1
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>
> Can you look into /var/log/ipareplica-ca-install.log? It should have
> more information on what caused pkispawn to fail.

Here's what it looks like:

Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
Installation failed.


2013-08-30T07:37:24Z DEBUG stderr=pkispawn : WARNING .. unable to
validate security domain user/password through REST interface. Interface
not available
pkispawn : ERROR.. Exception from Java Configuration Servlet:
Failed to obtain installation token from security domain:
java.lang.NullPointerException

2013-08-30T07:37:24Z CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exist status
1
2013-08-30T07:37:24Z INFO   File
"/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
619, in run_script
return_value = main_function()

  File "/usr/sbin/ipa-ca-install", line 182, in main
config, dogtag_master_ds_port, postinstall=True)
:
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 744, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
2013-08-30T07:37:24Z INFO The ipa-ca-install command failed, exception:
RuntimeError: Configuration of CA Failed


>> Configuration of CA failed.
>> [ipamaster2]#
>>
>> Which uninstallation & cleanup I did.
>>
>> Now, when trying to re-install the
>> replica file:
>>
>> [ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
>> /var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
>> Directory manager (existing master) password:
>>
>> Run connection check to master
>> Check connection from replica to remote master 'ipamaster.foo.net
>> ':
>>
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (686): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>>
>> The followign list of ports use UDP protocol and would need to be
>> checked manually:
>> Kerberos KDC: UDP (88): SKIPPED
>> Kerberos Kpasswd: UDP (464): SKIPPED
>>
>> Connection from replica to master is OK.
>> Start listening on required ports for remote master check
>> Get credentials to log in to remote master
>> ad...@foo.net  password:
>>
>>
>> Check SSH connection to remote master
>> Execute check on remote master
>> Check connection from master to remote replica 'ipamaster2.foo.net
>> ':
>>
>> Directory Service: Unsecure port (389): OK
>> Directory Service: Secure port (686): OK
>> Kerberos KDC: TCP (88): OK
>> Kerberos KDC: UDP (88): OK
>> Kerberos Kpasswd: TCP (464): OK
>> Kerberos Kpasswd: UDP (464): OK
>> HTTP Server: Unsecure port (80): OK
>> HTTP Server: Secure port (443): OK
>>
>> Connection from master to replica is OK.
>>
>> Connection check OK
>> The host ipamaster2.foo.net  already exists
>>
>> on the master server.
>> You should remove it before proceeding:
>>  % ipa host-del ipamaster2.foo.net 
>>
>> ipa : ERRORCould not resolve hostname ipamaster.foo.net
>>  using DNS Clients may not function properly.
>>
>> Please check your DNS setup. (Note that this check queries IPA DNS
>> directly and ignores /etc/hosts.)
>> Continue? [no]: *yes*
>> [ipamaster2]# host ipamaster.foo.net 
>> ipamaster.foo.net  has address 1.2.3.4
>>
>>
>> No matter what answer I give to the "Continue?" prompt, it just exits.
>> "nslookup" returns the same value, and I have three different
>> nameservers configured for this host (including ipamaster and two of the
>> older replicas).
>>
>
> The error that caused the installation to fail is that
> ipamaster2.foo.net already exists on the master server.
>
> The DNS warning and its "Continue?" prompt is unrelated, but the order of
> the output is very confusing. I've filed t

Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Petr Viktorin

On 08/30/2013 10:23 AM, Bret Wortman wrote:

Morning update. I made the change Rob suggested to
/etc/ipa/default.conf, which appeared to work, but didn't quite. It
asked me to back out the whole server installation and start over:

[ipamaster2]# ipa-ca-install --skip-conncheck
replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:

COnfiguring certificate server (pki-tomcatd): Estimated time 3 minutes
30 seconds
   [1/16]: creating certificate server user
   [2/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1

Your system may be partly configured.
Run/usr/sbin/ipa-server-install --uninstall to clean up.


Can you look into /var/log/ipareplica-ca-install.log? It should have 
more information on what caused pkispawn to fail.



Configuration of CA failed.
[ipamaster2]#

Which uninstallation & cleanup I did.

Now, when trying to re-install the
replica file:

[ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
/var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
Directory manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipamaster.foo.net
':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (686): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK

The followign list of ports use UDP protocol and would need to be
checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@foo.net  password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipamaster2.foo.net
':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (686): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipamaster2.foo.net  already exists
on the master server.
You should remove it before proceeding:
 % ipa host-del ipamaster2.foo.net 
ipa : ERRORCould not resolve hostname ipamaster.foo.net
 using DNS Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS
directly and ignores /etc/hosts.)
Continue? [no]: *yes*
[ipamaster2]# host ipamaster.foo.net 
ipamaster.foo.net  has address 1.2.3.4

No matter what answer I give to the "Continue?" prompt, it just exits.
"nslookup" returns the same value, and I have three different
nameservers configured for this host (including ipamaster and two of the
older replicas).


The error that caused the installation to fail is that 
ipamaster2.foo.net already exists on the master server.


The DNS warning and its "Continue?" prompt is unrelated, but the order 
of the output is very confusing. I've filed ticket 3889 for this.
Anyway, to do this DNS resolution check you'd need to explicitly ask for 
the IPA server:

$ dig @ipamaster.foo.net ipamaster2.foo.net


And this message is the one that has prompted me to want to delete hosts
before installing in the past, Simo.

Any thoughts on how best to proceed now?


I believe you do need to delete the host at this point, but I'd rather 
have Rob or Simo confirm.



*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Thu, Aug 29, 2013 at 2:59 PM, Rob Crittenden wrote:

Bret Wortman wrote:

Okay, I got the cacert.p12 (turns out it was taking my
passphrase, but
the messages looked like errors to my addled eyes). This system
is on a
different network, so getting the file transferred would take me
about
24 hours. Is there something I can get that'll tell you what you
need
but is plaintext?


Ok, that's fine.

Try this. Set ra_plugin to dogtag in /etc/ipa/default.conf. This
will let it get past the error and it should install a CA. I'm
trying to think worst case scenario what it might do and I'm not
coming up with anything. I think the worst that happens is that
adding a CA fails later.

rob


I tried this and hope this subset of information is helpful:

# openssl pkcs12 -in cacert.p12 -out cacert.pem.bdw -cacerts -nokeys
# cat cacert.pem.bdw
Bag Attribu

Re: [Freeipa-users] setting up a client on Debian squeeze

2013-08-30 Thread Jakub Hrozek
On Thu, Aug 29, 2013 at 10:04:43PM -0400, Rob Crittenden wrote:
> Michał Dwużnik wrote:
> >Sorry for quick continuation...
> >
> >Certificate added to nss DB in /etc/pki
> >certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
> >
> >sssd configured according to
> >http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
> >
> >How do I test now, before changing PAM options that the pieces fit together?
> 
> Perhaps exercise nss with:
> 
> % id admin
> % getent passwd admin
> % getent group admin
> 
> You can substitute admin for any IPA user or group.
> 
> And really you can skip the cert step if you want. Unless you have
> something that will use it we put a cert on the system as a
> convenience right now. There isn't currently anything using it by
> default.
> 
> rob

On the client, one piece of functionality where you need the cert are
password migrations from LDAP to IPA. I don't think that's your case,
though.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
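Rob's `id` / `getent passwd` / `getent group` commands above exercise NSS, which is the piece sssd plugs into before PAM is touched. The script below is an added example, not FreeIPA or sssd code: it performs the same lookups through Python's `pwd` and `grp` modules, reports whether the answer came from the local files or from another NSS source (such as sssd), and checks that `sss` is actually listed for the `passwd` and `group` databases in nsswitch.conf. The sample nsswitch.conf text is constructed; the user and group names are command-line arguments.

```python
# Added example (not FreeIPA/sssd code): verify NSS resolves an IPA user
# and whether the answer came from sssd rather than /etc/passwd.
import grp
import pwd

# Constructed sample of an nsswitch.conf with sssd wired in (not from a real host).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
"""


def nss_sources(nsswitch_text, database):
    """Ordered source list for one NSS database, e.g. ['files', 'sss']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        db, sep, sources = line.partition(":")
        if sep and db.strip() == database:
            # Ignore action specifiers such as [NOTFOUND=return]
            return [s for s in sources.split() if not s.startswith("[")]
    return []


def local_names(path):
    """Names defined in a colon-separated local file (/etc/passwd, /etc/group)."""
    names = set()
    try:
        with open(path) as fh:
            for line in fh:
                if line.strip() and not line.startswith("#"):
                    names.add(line.split(":", 1)[0])
    except OSError:
        pass
    return names


def classify_user(name, passwd_path="/etc/passwd"):
    """'unresolved' if NSS does not know the user, 'local' if it is defined in
    passwd_path, 'remote' if NSS found it elsewhere (sssd/IPA, LDAP, ...)."""
    try:
        pwd.getpwnam(name)                 # walks every nsswitch passwd source
    except KeyError:
        return "unresolved"
    return "local" if name in local_names(passwd_path) else "remote"


def classify_group(name, group_path="/etc/group"):
    """Same classification for a group via the NSS group database."""
    try:
        grp.getgrnam(name)
    except KeyError:
        return "unresolved"
    return "local" if name in local_names(group_path) else "remote"


def report(user, group, nsswitch_path="/etc/nsswitch.conf"):
    """Summary: is sss configured for passwd/group, and how do user/group resolve?"""
    try:
        with open(nsswitch_path) as fh:
            text = fh.read()
    except OSError:
        text = ""
    return {
        "sss_in_passwd": "sss" in nss_sources(text, "passwd"),
        "sss_in_group": "sss" in nss_sources(text, "group"),
        "user": classify_user(user),
        "group": classify_group(group),
    }


if __name__ == "__main__":
    # e.g. python3 nsscheck.py admin admins   (names are arguments, not fixed values)
    import sys
    print(report(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else sys.argv[1]))
```

On a correctly wired client the report shows `sss_in_passwd`/`sss_in_group` as True and the IPA user and group as `remote`; `unresolved` with `sss` present points at sssd itself (service not running, wrong domain, or the server unreachable), while a missing `sss` means nsswitch.conf was never updated.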

[Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Bret Wortman
Morning update. I made the change Rob suggested to /etc/ipa/default.conf,
which appeared to work, but didn't quite. It asked me to back out the whole
server installation and start over:

[ipamaster2]# ipa-ca-install --skip-conncheck
replica-info-ipamaster2.foo.net.gpg
Directory Manager (existing master) password:

COnfiguring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
  [1/16]: creating certificate server user
  [2/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
'/usr/sbin/pkispawn -s CA -f /tmp/tmpVC28HP' returned non-zero exit status 1

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed.
[ipamaster2]#

Which uninstallation & cleanup I did. Now, when trying to re-install the
replica file:

[ipamaster2]# ipa-replica-install --setup-dns --no-forwarders --setup-ca
/var/lib/ipa/replica-info-ipamaster2.foo.net.gpg
Directory manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ipamaster.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (686): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The followign list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@foo.net password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'ipamaster2.foo.net':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (686): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
The host ipamaster2.foo.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del ipamaster2.foo.net
ipa : ERROR Could not resolve hostname ipamaster.foo.net using
DNS. Clients may not function properly. Please check your DNS setup. (Note
that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: *yes*
[ipamaster2]# host ipamaster.foo.net
ipamaster.foo.net has address 1.2.3.4

No matter what answer I give to the "Continue?" prompt, it just exits.
"nslookup" returns the same value, and I have three different nameservers
configured for this host (including ipamaster and two of the older
replicas).

And this message is the one that has prompted me to want to delete hosts
before installing in the past, Simo.

Any thoughts on how best to proceed now?


*Bret Wortman*

http://damascusgrp.com/
http://about.me/wortmanbret


On Thu, Aug 29, 2013 at 2:59 PM, Rob Crittenden  wrote:

> Bret Wortman wrote:
>
>> Okay, I got the cacert.p12 (turns out it was taking my passphrase, but
>> the messages looked like errors to my addled eyes). This system is on a
>> different network, so getting the file transferred would take me about
>> 24 hours. Is there something I can get that'll tell you what you need
>> but is plaintext?
>>
>
> Ok, that's fine.
>
> Try this. Set ra_plugin to dogtag in /etc/ipa/default.conf. This will let
> it get past the error and it should install a CA. I'm trying to think worst
> case scenario what it might do and I'm not coming up with anything. I think
> the worst that happens is that adding a CA fails later.
>
> rob
>
>
>> I tried this and hope this subset of information is helpful:
>>
>> # openssl pkcs12 -in cacert.p12 -out cacert.pem.bdw -cacerts -nokeys
>> # cat cacert.pem.bdw
>> Bag Attributes: 
>> subject=/O=FOO.NET/CN=Certificate Authority
>> issuer=/O=FOO.NET/CN=Certificate Authority
>>
>> -BEGIN CERTIFICATE-
>> MIIDgzCCA...
>> ...Iwk4r
>> -END CERTIFICATE-
>> # openssl pkcs12 -in cacert.p12 -out cert.pem.bdw -clcerts -nokeys
>> # cat cert.pem.bdw
>> Bag Attributes:
>>  localKeyID: 82 81 2D 6E 5C 13 43 9A 5F BB C8 4D F5 6B DE 6C A7 2E 53
>> 88
>>  friendlyName: caSigningCert cert-pki-ca
>> subject=/O=FOO.NET/CN=Certificate Authority
>> issuer=/O=FOO.NET/CN=Certificate Authority
>>
>> -BEGIN CERTIFICATE-
>> MIIDgzCCA...
>> ...Iwk4r
>> -END CERTIFICATE-
>> Bag Attributes:
>>  localKeyID: 88 BF DF 56 30 BB A9 47 12 D4 5F 7B AE 39 DC BF CF F5 92
>> 22
>