[Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp
hi,

The systems are up-to-date F19 KVM guests.


I'm trying to log in to the web UI with no success:

Your session has expired. Please re-login.

To login with Kerberos, please make sure you have valid tickets
(obtainable via kinit) and configured
http://ipa31.bph.cxn/ipa/config/unauthorized.html the browser
correctly, then click Login.

To login with username and password, enter them in the fields below then
click Login.


Then after a while something happens and it starts working.

In logs:

On the primary node:

[05/Nov/2013:12:19:06 +0100] NSMMReplicationPlugin -
agmt=cn=meToipa12.bpo.cxn (ipa12:389): Replication bind with GSSAPI
auth resumed


On the secondary node:

[05/Nov/2013:12:31:25 +0100] csngen_new_csn - Warning: too much time
skew (-1658 secs). Current seqnum=3
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=a
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-812 secs). Current seqnum=1
[05/Nov/2013:12:45:35 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=1
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=4
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-801 secs). Current seqnum=1
[05/Nov/2013:12:45:49 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=1


Date shows up the same system time on both machines:

Tue Nov  5 12:59:29 CET 2013

I called as primary the machine that was installed initially and
secondary is the one that was deployed by replication.



Finally, I have some questions:)

1. How can this happen, what's the problem? Is it something about the
design, did I screw something up, or maybe the virtualization layer..?
How can I avoid it and, if it happens, how can I fix it immediately?


2. What is the difference between 'primary' and 'secondary'? What happens
if the primary machine gets destroyed?


4. How many masters can I use?


5. If I have a network like this:

A1__B1
A2  B2

A2 and B1,2 are replicated from A1

If the connection between the A and B sites gets lost, are B1 and B2 (and
A1 and A2) still replicated fine?


6. If a client is installed with ipa-client-install using A1 and A1 gets
lost, does the client know where it needs to connect (failover..)?


7. Can I install slave (read-only) replicas so that clients access them only
for queries and, for changes (like password changes), access master servers?



Thanks,
tamas
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Alexander Bokovoy

On Tue, 05 Nov 2013, Tamas Papp wrote:

Date shows up the same system time on both machines:

Tue Nov  5 12:59:29 CET 2013

I called as primary the machine that was installed initially and
secondary is the one that was deployed by replication.

Virtual Machines are known to have issues with keeping time in sync.


Finally, I have some questions:)

1. How can this happen, what's the problem? Is it something about the
design, did I screw something up, or maybe the virtualization layer..?
How can I avoid it and, if it happens, how can I fix it immediately?
It is a virtualization/time issue.


https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization_for_Desktops/2.2/html/Administration_Guide/chap-Virtualization-KVM_guest_timing_management.html


2. What is the difference between 'primary' and 'secondary'? What happens
if the primary machine gets destroyed?

In IPA all replicas are the same; they only differ by the paths along
which they sync with each other and by the presence of an integrated CA (if any).

If you deployed the original IPA server with an integrated CA, then it is
better for at least one of your other replicas to have the CA configured, to
allow proper recovery in case the primary one is destroyed.




4. How many masters can I use?

Technically there could be 65536 different masters in a 389-ds replication
topology.


5. If I have a network like this:

A1__B1
A2  B2

A2 and B1,2 are replicated from A1

If the connection between the A and B sites gets lost, are B1 and B2 (and
A1 and A2) still replicated fine?

I assume from the above that B1 does not know about B2 (and vice versa)?
Once connectivity between sites A and B is restored, all unreplicated data
will be replicated. There could be conflicts if there were changes on
both sides during the split, but the majority of them are resolved
automatically by 389-ds.


6. If a client is installed with ipa-client-install using A1 and A1 gets
lost, does the client know where it needs to connect (failover..)?

The IPA server which was used to enroll the host will be the primary one (A1 in
your example). There is failover in sssd.conf to use the SRV records of the
domain, trying servers in the order returned by the SRV records.


7. Can I install slave (read-only) replicas so that clients access them only
for queries and, for changes (like password changes), access master servers?

There are no read-only replicas available for IPA. All replicas are read-write and
propagate changes across the replication paths defined in the replication
agreements. All IPA servers are really masters, thus we have
multi-master replication rather than master-slave.

--
/ Alexander Bokovoy



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rich Megginson

On 11/05/2013 06:04 AM, Alexander Bokovoy wrote:

On Tue, 05 Nov 2013, Tamas Papp wrote:

In logs:

On the primary node:

[05/Nov/2013:12:19:06 +0100] NSMMReplicationPlugin -
agmt=cn=meToipa12.bpo.cxn (ipa12:389): Replication bind with GSSAPI
auth resumed


On the secondary node:

[05/Nov/2013:12:31:25 +0100] csngen_new_csn - Warning: too much time
skew (-1658 secs). Current seqnum=3
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=a
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time
skew (-812 secs). Current seqnum=1
[05/Nov/2013:12:45:35 +0100] csngen_new_csn - Warning: too much time
skew (-811 secs). Current seqnum=1
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=4
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time
skew (-801 secs). Current seqnum=1
[05/Nov/2013:12:45:49 +0100] csngen_new_csn - Warning: too much time
skew (-800 secs). Current seqnum=1


https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow replication 
to proceed despite excessive clock skew - what is your 389-ds-base 
version and platform?







Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rich Megginson

On 11/05/2013 07:53 AM, Tamas Papp wrote:

On 11/05/2013 03:17 PM, Rich Megginson wrote:

https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow
replication to proceed despite excessive clock skew - what is your
389-ds-base version and platform?

What clock is skewed? The date and time are the same on both machines.


VMs are notorious for having the clocks get out of sync - even temporarily.



freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?


ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on
EOF

Do this on all of your servers.



Thanks,
tamas



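Below is an added example, not code from the thread, from FreeIPA or from 389-ds: it scans errors-log entries like the ones quoted earlier in this thread for csngen_new_csn skew warnings, reports the worst skew, and checks whether the skew is shrinking over time. The 300-second tolerance is an assumed operator setting (the customary Kerberos clock-skew limit), not a 389-ds threshold.

```python
"""Scan 389-ds errors-log lines for csngen_new_csn time-skew warnings.

Added example for the thread above; not code from the thread, from FreeIPA
or from 389-ds. The sample lines are the ones quoted in the thread, rejoined
onto single lines (the list archive wrapped them).
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import NamedTuple

# Constructed sample input: the thread's errors-log excerpt, one entry per line.
SAMPLE_ERRORS_LOG = """\
[05/Nov/2013:12:19:06 +0100] NSMMReplicationPlugin - agmt="cn=meToipa12.bpo.cxn" (ipa12:389): Replication bind with GSSAPI auth resumed
[05/Nov/2013:12:31:25 +0100] csngen_new_csn - Warning: too much time skew (-1658 secs). Current seqnum=3
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time skew (-811 secs). Current seqnum=a
[05/Nov/2013:12:45:33 +0100] csngen_new_csn - Warning: too much time skew (-812 secs). Current seqnum=1
[05/Nov/2013:12:45:35 +0100] csngen_new_csn - Warning: too much time skew (-811 secs). Current seqnum=1
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time skew (-800 secs). Current seqnum=4
[05/Nov/2013:12:45:47 +0100] csngen_new_csn - Warning: too much time skew (-801 secs). Current seqnum=1
[05/Nov/2013:12:45:49 +0100] csngen_new_csn - Warning: too much time skew (-800 secs). Current seqnum=1
"""

# 389-ds errors-log entry: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <component> - <message>"
SKEW_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"csngen_new_csn - Warning: too much time skew "
    r"\((?P<skew>-?\d+) secs\)\. Current seqnum=(?P<seq>[0-9a-fA-F]+)"
)


class SkewWarning(NamedTuple):
    when: datetime   # server-local time of the entry, with its UTC offset
    skew_secs: int   # skew exactly as the CSN generator reported it (sign kept)
    seqnum: int      # the CSN sequence number is logged in hex ("a" == 10)


def parse_skew_warnings(log_text: str) -> list[SkewWarning]:
    """Return every csngen_new_csn skew warning in log_text, in file order.

    Entries from other components (replication agreements, plugins, ...) are skipped.
    """
    found: list[SkewWarning] = []
    for line in log_text.splitlines():
        m = SKEW_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        found.append(SkewWarning(when, int(m.group("skew")), int(m.group("seq"), 16)))
    return found


def worst_skew(warnings: list[SkewWarning]) -> int:
    """Largest absolute skew seen, in seconds (0 when there are no warnings)."""
    return max((abs(w.skew_secs) for w in warnings), default=0)


def needs_attention(warnings: list[SkewWarning], tolerance_secs: int = 300) -> bool:
    """True when any reported skew exceeds tolerance_secs.

    The 300 s default is an assumed operator setting for this example (the
    customary Kerberos clock-skew limit); it is not a 389-ds threshold.
    """
    return worst_skew(warnings) > tolerance_secs


def is_converging(warnings: list[SkewWarning]) -> bool:
    """True when the skew shrinks between the first and the last warning.

    In the thread it drops from 1658 s to about 800 s within fifteen minutes,
    consistent with the guest clock catching up and the UI login starting to
    work "after a while".
    """
    if len(warnings) < 2:
        return False
    return abs(warnings[-1].skew_secs) < abs(warnings[0].skew_secs)


def report(log_text: str) -> list[str]:
    """One-line findings for a monitoring hook run against each replica's log."""
    ws = parse_skew_warnings(log_text)
    if not ws:
        return ["no csngen_new_csn skew warnings"]
    span = f"{ws[0].when:%H:%M:%S} .. {ws[-1].when:%H:%M:%S}"
    lines = [f"{len(ws)} skew warnings between {span}, worst {worst_skew(ws)} s"]
    if needs_attention(ws):
        lines.append("skew exceeds tolerance: check guest time synchronization on "
                     "every replica; nsslapd-ignore-time-skew (see thread) is the workaround")
    if is_converging(ws):
        lines.append("skew is shrinking: the clock appears to be catching up")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_ERRORS_LOG):
        print(line)
```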


[Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread EP

Hi,

I'm pushing to get password and user synchronization from AD to FreeIPA 
at the company I work for.


Our windows administrators are very nervous about installing the 
PassSync service on their AD-controllers, and have asked me to provide a 
reference contact, meaning someone they could ask some questions about 
the service.


I have asked Red Hat support about this, but they point me to their 
upstream project. So would anyone in here be willing to answer (by 
email) a few questions and concerns that our windows admins have 
regarding synchronization from AD?


Long shot, but worth a try :)

Please give me a shout on qwe...@melt.se if you're willing to help out. 
Thanks!


Best regards, EP



Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread Rich Megginson

On 11/05/2013 08:05 AM, EP wrote:

Hi,

I'm pushing to get password and user synchronization from AD to 
FreeIPA at the company I work for.


Our windows administrators are very nervous about installing the 
PassSync service on their AD-controllers, and have asked me to provide 
a reference contact, meaning someone they could ask some questions 
about the service.


Just send the questions to freeipa-users.  I'm sure we would all be 
curious to see what the questions are.  An existing user of PassSync 
might not want to be pulled into an open ended QA session and 
troubleshooting session, but would probably be willing to answer a few 
public questions.




I have asked Red Hat support about this, but they point me to their 
upstream project.


Are you a Red Hat Customer?  If so, please contact me by direct email.  
I would like to follow up with you privately about the extent of your 
experience with support.


So would anyone in here be willing to answer (by email) a few 
questions and concerns that our windows admins have regarding 
synchronization from AD?


Just send them to the freeipa-users list?




Long shot, but worth a try :)

Please give me a shout on qwe...@melt.se if you're willing to help 
out. Thanks!


Best regards, EP



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp
On 11/05/2013 03:17 PM, Rich Megginson wrote:

 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?

What clock is skewed? The date and time are the same on both machines.

freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?


Thanks,
tamas



[Freeipa-users] Got a minute to help a n00b w/IPA server on CentOS 6.4?

2013-11-05 Thread Pablo Carranza
Greetings!

I only recently stumbled upon FreeIPA and am salivating at the mouth (sorry
for the gross mental picture!) in excitement.

Twice now, I've tried to install IPA server on a CentOS 6.4 VPS at
DigitalOcean (https://www.digitalocean.com/price-comparison-chart/?refcode=47494ed444e1),
only to helplessly watch the install process hang at some point after
executing sudo ipa-server-install.

My 'Google skillz' are failing me in that I've only been able to find these
tutorials (neither of which, unfortunately, address the issue I'm
encountering):

   - http://www.howtoforge.com/installing-freeipa-with-replication
   - http://sgros.blogspot.com/2012/06/installing-freeipa-on-minimal-centos.html
   - http://www.server-world.info/en/note?os=CentOS_6&p=ipa

1.) Does anyone know of any good documentation out there on deploying IPA
server on CentOS (or, is it not advisable to do such a thing)?

I'm relatively 'green' in the Linux world and got started by diving into
Ubuntu.

2.) Is it possible to run a production server with IPA server on Ubuntu?

Since stumbling onto FreeIPA, I've finally started looking into Fedora.
While Fedora looks very interesting, most of the Internet-chatter I've
encountered seems to recommend CentOS over Fedora for (RedHat-alternative)
production servers.

3.) Any reason why a production server could not have IPA server on Fedora?

TIA!

-Pablo

vDevices.com http://vdevices.com/ | Providing Hosted IT Solutions for
Lawyers & Other Mobile Professionals

[Freeipa-users] FreeIPA and AD, pass sync, different cn

2013-11-05 Thread Антон Костенко
Hello everyone!
Please explain one thing to me.
I have this kind of situation:
In our company we have two domains: AD for everyone and FreeIPA for
developers and servers. They have different DNs. FreeIPA has
dn=privatedomain,dn=loc, AD has dn=publicdomain,dn=com.
But we have the same user logins.
Question:
Can I sync passwords between AD and FreeIPA with the password synchronization tool?

---
With best regards,
Many Thanks!
Anton.

Re: [Freeipa-users] FreeIPA and AD, pass sync, different cn

2013-11-05 Thread Rich Megginson

On 11/05/2013 08:29 AM, Антон Костенко wrote:

Question:
Can I sync passwords between AD and FreeIPA with the password synchronization
tool?

Yes.



Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread EP
Hi,

They had a phone session with Red Hat first line support, so they are feeling
quite safe with the solution itself (in theory).

What they're after now is more or less some end user testimonials... perhaps a
few of you PassSync users out there could write a couple of lines about your
experience with the product. Like how long you've used it, the size of your
organization, general good or bad experience... I believe that could calm the
nervous minds of our AD admins :)

//EP



Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread Rich Megginson

On 11/05/2013 08:45 AM, EP wrote:

Hi,

They had a phone session with Red Hat first line support, so they are feeling 
quite safe with the solution itself (in theory).

What they're after now is more or less some end user testimonials... perhaps a 
few of you PassSync users out there could write a couple of lines about your 
experience with the product. Like how long you've used it, the size of your 
organization, general good or bad experience... I believe that could calm the 
nervous minds of our AD admins :)


Note: this is why the preferred solution going forward is cross domain 
trust between FreeIPA and AD - no passwords to sync, no packages to 
install on precious AD machines.




//EP



Re: [Freeipa-users] FreeIPA and AD, pass sync, different cn

2013-11-05 Thread Simo Sorce
On Tue, 2013-11-05 at 08:36 -0700, Rich Megginson wrote:
 On 11/05/2013 08:29 AM, Антон Костенко wrote:

  Question:
  Can I sync password between AD and FreeIPA by password
  synchronization tool?
  
 Yes.

To give a little bit more guidance, you may read on it here:
http://docs.fedoraproject.org/en-US/Fedora/18/html-single/FreeIPA_Guide/index.html#active-directory

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: [Freeipa-users] Got a minute to help a n00b w/IPA server on CentOS 6.4?

2013-11-05 Thread Rob Crittenden

Pablo Carranza wrote:

Greetings!

I only recently stumbled upon FreeIPA and am salivating at the mouth
(sorry for the gross mental picture!) in excitement.

Twice now, I've tried to install IPA server on a CentOS 6.4 VPS at
DigitalOcean
(https://www.digitalocean.com/price-comparison-chart/?refcode=47494ed444e1),
only to helplessly watch the install process hang at some point after
executing sudo ipa-server-install.

My 'Google skillz' are failing me in that I've only been able to find
these tutorials (neither of which, unfortunately, address the issue I'm
encountering):

  * http://www.howtoforge.com/installing-freeipa-with-replication
  * http://sgros.blogspot.com/2012/06/installing-freeipa-on-minimal-centos.html
  * http://www.server-world.info/en/note?os=CentOS_6&p=ipa

1.) Does anyone know of any good documentation out there on deploying
IPA server on CentOS (or, is it not advisable to do such a thing)?


It should be fine, lots of folks do it. The RHEL documentation is 
probably your best bet. See the Identity Management Guide here, 
https://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/?locale=en-US


To diagnose the hanging installer we'd need to see the server install 
log, /var/log/ipaserver-install.log.




I'm relatively 'green' in the Linux world and got started by diving into
Ubuntu.

2.) Is it possible to run a production server with IPA server on Ubuntu?

Since stumbling onto FreeIPA, I've finally started looking into Fedora.
While Fedora looks very interesting, most of the Internet-chatter I've
encountered seems to recommend CentOS over Fedora for
(RedHat-alternative) production servers.


No. The dependencies we need are not there yet, though it is being 
worked on.




3.) Any reason why a production server could not have IPA server on Fedora?


It can work and some people have done it but Fedora moves quickly with a 
release every 6 months or so which is too fast moving for some.


rob



Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread Dmitri Pal
On 11/05/2013 10:45 AM, EP wrote:
 Hi,

 They had a phone session with Red Hat first line support, so they are feeling 
 quite safe with the solution itself (in theory). 

 What they're after now is more or less some end user testimonials... perhaps 
 a few of you PassSync users out there could write a couple of lines about 
 your experience with the product. Like how long you've used it, the size of your 
 organization, general good or bad experience... I believe that could calm the 
 nervous minds of our AD admins :)

 //EP


We find it extremely difficult to get such testimonials, and the reason
is that it is part of the core security infrastructure and people do not like
to talk about it or are not legally allowed to.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Requesting contact with users running PassSync AD - FreeIPA

2013-11-05 Thread EP
Thanks for your answers so far.

A question about cross-realm trusts though: this requires the AD servers to be 
available when doing a login via FreeIPA, right? Or does FreeIPA cache 
information from AD?

We don't want Linux logins to be dependent on a windows server being available, 
that won't end well :)



[Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
I'm attempting to get HP ILO authenticating against IPA again.

I've configured the user context in ILO as:

cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

When ILO tries to connect, it sends the string:

CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

Which, of course, doesn't exist.  IPA uses uid=username, but as far as I
can tell I can't tell ILO to use a different username attribute.  It
doesn't even look like it's trying to use a username attribute.

I've tried to force it to look for uid=jebalicki by using uid=jebalicki
in the login field, but that fails too.  The errors in the errors log look
like this:


[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry jebalicki: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:22:05 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry uid=jebalicki: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
645]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
[05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
421]: Failed to retrieve entry
CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32

And the access log looks like this:

[05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection
from 10.200.10.192 to 10.200.16.170
[05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn=uid=jebalicki
method=128 version=2
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97
nentries=0 etime=0
[05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND
dn=CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com
method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=214941 op=1 RESULT err=32 tag=97
nentries=0 etime=1
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 UNBIND
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 fd=438 closed - U1
[05/Nov/2013:13:32:07 

Re: [Freeipa-users] Revisiting ILO

2013-11-05 Thread KodaK
If I use the whole connection string:

uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com

I can authenticate.


 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry uid=jebalicki: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_preop - [file ipa_lockout.c, line
 645]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32
 [05/Nov/2013:13:27:39 -0600] ipalockout_postop - [file ipa_lockout.c, line
 421]: Failed to retrieve entry
 CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com: 32

 And the access log looks like this:

 [05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection
 from 10.200.10.192 to 10.200.16.170
 [05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn=uid=jebalicki
 method=128 version=2
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97
 nentries=0 etime=0
 [05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND
 
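The access-log excerpt above is the kind of trace an appliance leaves when it builds bind DNs from a template that does not match the directory's naming. As an added example (not part of the post or of FreeIPA), here is a small parser for that 389-ds access-log format: it pairs each BIND with its RESULT, reports failed binds per client address, and says what is wrong with the DN. The sample log is a constructed copy of the lines quoted in the post (line wrapping undone, the quotes that 389-ds puts around the DN restored), plus one constructed successful bind with the full DN, which is what KodaK found works.

```python
"""Flag LDAP clients that bind with a DN the directory cannot find.

Added example, not part of the mailing-list post. An appliance like the iLO
in the thread, which sends 'CN=<login>,<context>' against a directory whose
users are named 'uid=<login>', shows up as repeated err=32 (noSuchObject)
binds from one IP. The sample log below is a constructed copy of the post's
lines plus one constructed successful bind.
"""
import re
from collections import Counter

# 389-ds access log patterns: connection open, BIND request, operation RESULT
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn=(?:"([^"]*)"|(\S+))')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

NO_SUCH_OBJECT = 32  # LDAP noSuchObject: the bind DN names no entry at all

SAMPLE_ACCESS_LOG = """\
[05/Nov/2013:13:32:06 -0600] conn=214941 fd=438 slot=438 SSL connection from 10.200.10.192 to 10.200.16.170
[05/Nov/2013:13:32:06 -0600] conn=214941 SSL 256-bit AES
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 BIND dn="uid=jebalicki" method=128 version=2
[05/Nov/2013:13:32:06 -0600] conn=214941 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[05/Nov/2013:13:32:06 -0600] conn=214941 op=1 BIND dn="CN=uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com" method=128 version=2
[05/Nov/2013:13:32:07 -0600] conn=214941 op=1 RESULT err=32 tag=97 nentries=0 etime=1
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 UNBIND
[05/Nov/2013:13:32:07 -0600] conn=214941 op=2 fd=438 closed - U1
[05/Nov/2013:13:40:00 -0600] conn=214950 fd=440 slot=440 SSL connection from 10.200.10.192 to 10.200.16.170
[05/Nov/2013:13:40:00 -0600] conn=214950 op=0 BIND dn="uid=jebalicki,cn=users,cn=accounts,dc=unix,dc=magellanhealth,dc=com" method=128 version=2
[05/Nov/2013:13:40:00 -0600] conn=214950 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""


def dn_problems(dn):
    """Reasons why this bind DN cannot name an IPA user entry (empty list if it looks right)."""
    problems = []
    rdns = dn.split(",")
    attr, _, value = rdns[0].partition("=")
    if "=" in value:
        problems.append(f"RDN value '{value}' itself contains '=': the client prepended an attribute to a full RDN")
    if attr.lower() != "uid":
        problems.append(f"IPA users are named uid=<login>, not {attr}=<login>")
    if len(rdns) == 1:
        problems.append("bare RDN without a base DN")
    return problems


def find_failed_binds(lines):
    """Pair every BIND with its RESULT and return the failed ones with the client address."""
    source = {}   # conn id -> client IP
    pending = {}  # (conn, op) -> bind DN awaiting its RESULT
    failures = []
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            source[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3) if m.group(3) is not None else m.group(4)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err != 0:
                failures.append({
                    "conn": m.group(1),
                    "source": source.get(m.group(1), "?"),
                    "dn": dn,
                    "err": err,
                    "problems": dn_problems(dn) if dn else ["anonymous bind"],
                })
    return failures


def failures_by_source(failures):
    """Failed binds per client address: a misconfigured appliance shows up as one noisy IP."""
    return Counter(f["source"] for f in failures)


if __name__ == "__main__":
    for f in find_failed_binds(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{f['source']} conn={f['conn']} err={f['err']} dn={f['dn']!r}: {'; '.join(f['problems'])}")
    print(failures_by_source(find_failed_binds(SAMPLE_ACCESS_LOG.splitlines())))
```

Run it against a real access log with `find_failed_binds(open("/var/log/dirsrv/slapd-INSTANCE/access"))`. The err=32 results are worth watching for their own sake: the ipa_lockout messages in the post show the lockout plugin unable to retrieve the entry, so these attempts are not counted against any account, and a client that loops on them is pure noise in the log until its DN template is fixed.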

Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp

On 11/05/2013 03:58 PM, Rich Megginson wrote:
 On 11/05/2013 07:53 AM, Tamas Papp wrote:
 On 11/05/2013 03:17 PM, Rich Megginson wrote:
 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?
 What is the clock skewed? The date and time is the same on both
 machines.

 VMs are notorious for having the clocks get out of sync - even
 temporarily.

What do you mean by this?
I definitely see the same time on the machines.
Also I can see in the log, that the replication is resumed. There is no
messages about the broken replication after the resume message.


 freeipa-admintools-3.3.2-1.fc19.x86_64
 freeipa-client-3.3.2-1.fc19.x86_64
 freeipa-python-3.3.2-1.fc19.x86_64
 freeipa-server-3.3.2-1.fc19.x86_64
 libipa_hbac-1.11.1-4.fc19.x86_64
 libipa_hbac-python-1.11.1-4.fc19.x86_64
 sssd-ipa-1.11.1-4.fc19.x86_64
 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
 389-ds-base-1.3.1.12-1.fc19.x86_64

 Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
 2013 x86_64 x86_64 x86_64 GNU/Linux
 Fedora 19.


 How can I fix it?

 ldapmodify -x -D "cn=directory manager" -W <<EOF
 dn: cn=config
 changetype: modify
 replace: nsslapd-ignore-time-skew
 nsslapd-ignore-time-skew: on
 EOF

 Do this on all of your servers.

I tried this, but no joy. Still not good:/

What I really don't understand is why I cannot log in to the UI (or to an
installed client machine) if the replication doesn't work.
Is this normal behaviour?


Thanks,
tamas

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp

On 11/05/2013 09:09 PM, Rob Crittenden wrote:
 Tamas Papp wrote:

 On 11/05/2013 03:58 PM, Rich Megginson wrote:
 On 11/05/2013 07:53 AM, Tamas Papp wrote:
 On 11/05/2013 03:17 PM, Rich Megginson wrote:
 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?
 What is the clock skewed? The date and time is the same on both
 machines.

 VMs are notorious for having the clocks get out of sync - even
 temporarily.

 What do you mean by this?
 I definitely see the same time on the machines.
 Also I can see in the log, that the replication is resumed. There is no
 messages about the broken replication after the resume message.

 You see the same time NOW. The logs were reflecting a difference at
 that time.

I saw the same, when the log messages appeared.
Is there a way to get the time it sees from the other side?



 I tried this, but no joy. Still not good:/

 What I really don't understand is why I cannot log in to the UI (or to an
 installed client machine) if the replication doesn't work.
 Is this normal behaviour?

 These issues are probably not related, unless perhaps the time skew is
 also throwing off the Kerberos tickets and/or session cache in the IPA
 framework.

 You didn't say how you were trying to log into the UI. Are you using
 Kerberos or the form-based authentication?

Latter.
There is no kerberos configured on my computer.
But I've also tried with ssh on a normal computer.
Both failed.


tamas



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rich Megginson

On 11/05/2013 01:03 PM, Tamas Papp wrote:

On 11/05/2013 03:58 PM, Rich Megginson wrote:

On 11/05/2013 07:53 AM, Tamas Papp wrote:

On 11/05/2013 03:17 PM, Rich Megginson wrote:

https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow
replication to proceed despite excessive clock skew - what is your
389-ds-base version and platform?

What is the clock skewed? The date and time is the same on both
machines.

VMs are notorious for having the clocks get out of sync - even
temporarily.

What do you mean by this?
I definitely see the same time on the machines.
Also I can see in the log, that the replication is resumed. There is no
messages about the broken replication after the resume message.


freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on
EOF

Do this on all of your servers.

I tried this, but no joy. Still not good:/


Can you describe the exact steps you took, on all replicas?



What I really don't understand is why I cannot log in to the UI (or to an
installed client machine) if the replication doesn't work.
Is this normal behaviour?


Thanks,
tamas




Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rob Crittenden

Tamas Papp wrote:


On 11/05/2013 03:58 PM, Rich Megginson wrote:

On 11/05/2013 07:53 AM, Tamas Papp wrote:

On 11/05/2013 03:17 PM, Rich Megginson wrote:

https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow
replication to proceed despite excessive clock skew - what is your
389-ds-base version and platform?

What is the clock skewed? The date and time is the same on both
machines.


VMs are notorious for having the clocks get out of sync - even
temporarily.


What do you mean by this?
I definitely see the same time on the machines.
Also I can see in the log, that the replication is resumed. There is no
messages about the broken replication after the resume message.


You see the same time NOW. The logs were reflecting a difference at that 
time.




freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?


ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on
EOF

Do this on all of your servers.


I tried this, but no joy. Still not good:/

What I really don't understand is why I cannot log in to the UI (or to an
installed client machine) if the replication doesn't work.
Is this normal behaviour?


These issues are probably not related, unless perhaps the time skew is 
also throwing off the Kerberos tickets and/or session cache in the IPA 
framework.


You didn't say how you were trying to log into the UI. Are you using 
Kerberos or the form-based authentication?


rob



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp

On 11/05/2013 09:20 PM, Tamas Papp wrote:
 On 11/05/2013 09:09 PM, Rob Crittenden wrote:
 Tamas Papp wrote:
 On 11/05/2013 03:58 PM, Rich Megginson wrote:
 On 11/05/2013 07:53 AM, Tamas Papp wrote:
 On 11/05/2013 03:17 PM, Rich Megginson wrote:
 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?
 What is the clock skewed? The date and time is the same on both
 machines.
 VMs are notorious for having the clocks get out of sync - even
 temporarily.
 What do you mean by this?
 I definitely see the same time on the machines.
 Also I can see in the log, that the replication is resumed. There is no
 messages about the broken replication after the resume message.
 You see the same time NOW. The logs were reflecting a difference at
 that time.
 I saw the same, when the log messages appeared.
 Is there a way to get the time it sees from the other side?



 I tried this, but no joy. Still not good:/

 What I really don't understand is why I cannot log in to the UI (or to an
 installed client machine) if the replication doesn't work.
 Is this normal behaviour?
 These issues are probably not related, unless perhaps the time skew is
 also throwing off the Kerberos tickets and/or session cache in the IPA
 framework.

 You didn't say how you were trying to log into the UI. Are you using
 Kerberos or the form-based authentication?
 Latter.
 There is no kerberos configured on my computer.
 But I've also tried with ssh on a normal computer.
 Both failed.

Recently I'm able to log in to the UI.
I made a couple of changes, but probably this was the tricky one:

One of the host machines was configured to UTC.
So I changed the VM configuration as well:

From
<clock offset='localtime'/>

to
<clock offset='utc'/>

Before this change the 'RTC time:' line was missing from the output of
timedatectl, and after the VM reboot the default time was wrong (though
it could be fixed by ntpdate easily).

After reboot it seems to be working, but:


[05/Nov/2013:23:33:24 +0100] csngen_new_csn - Warning: too much time
skew (-2852 secs). Current seqnum=1
[05/Nov/2013:23:33:24 +0100] NSMMReplicationPlugin -
agmt=cn=meToipa12.bpo.cxn (ipa12:389): Replication bind with GSSAPI
auth resumed
[05/Nov/2013:23:33:24 +0100] csngen_new_csn - Warning: too much time
skew (-2853 secs). Current seqnum=1
[05/Nov/2013:23:33:25 +0100] csngen_new_csn - Warning: too much time
skew (-2853 secs). Current seqnum=1
[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time
skew (-2828 secs). Current seqnum=1
[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time
skew (-2829 secs). Current seqnum=1
[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time
skew (-2830 secs). Current seqnum=1
[05/Nov/2013:23:33:53 +0100] csngen_new_csn - Warning: too much time
skew (-2829 secs). Current seqnum=1
[05/Nov/2013:23:35:14 +0100] csngen_new_csn - Warning: too much time
skew (-2749 secs). Current seqnum=1
[05/Nov/2013:23:35:14 +0100] csngen_new_csn - Warning: too much time
skew (-2750 secs). Current seqnum=1
[05/Nov/2013:23:35:23 +0100] csngen_new_csn - Warning: too much time
skew (-2742 secs). Current seqnum=1
[05/Nov/2013:23:35:23 +0100] csngen_new_csn - Warning: too much time
skew (-2743 secs). Current seqnum=1


# ldapsearch -x -D "cn=directory manager" -W | grep -i
nsslapd-ignore-time-skew
Enter LDAP Password:


No I don't understand, why it was resumed and why it is working in spite
of skewed time.
And still I don't understand, why I cannot login, when the replication
is not working.


tamas

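The skew figures in the csngen_new_csn warnings above are worth reading as a series rather than one at a time: they shrink from -2852 to -2743 seconds over two minutes, which is a clock being slewed back into agreement, not a fixed offset. As an added example (not from the thread and not 389-ds code), the following parses those warnings out of the errors log and summarises the trend. The sample is a constructed copy of the lines quoted in the post (with the stray second '[' of one line kept, since real pastes look like that). KRB5_MAX_SKEW is the krb5 default clockskew of 300 seconds, an assumption about the KDC configuration that the post does not state; note also that the skew 389-ds reports is between the two directory servers, not between a client and its KDC.

```python
"""Trend the 389-ds 'too much time skew' warnings from an errors log.

Added example, not part of the thread. The csngen_new_csn warning carries
the skew, in seconds, that the CSN generator measured against the other
replica; parsed over time it shows whether the clocks are converging (the
magnitude shrinks, as in the post) or drifting apart.
"""
import re
from datetime import datetime

SKEW_RE = re.compile(
    r"\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"csngen_new_csn - Warning: too much time skew \((?P<skew>-?\d+) secs\)"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
KRB5_MAX_SKEW = 300  # krb5 default clockskew in seconds (assumption, not stated in the thread)

# Constructed copy of the errors-log lines quoted in the post.
SAMPLE_ERRORS_LOG = """\
[05/Nov/2013:23:33:24 +0100] csngen_new_csn - Warning: too much time skew (-2852 secs). Current seqnum=1
[05/Nov/2013:23:33:24 +0100] NSMMReplicationPlugin - agmt="cn=meToipa12.bpo.cxn" (ipa12:389): Replication bind with GSSAPI auth resumed
[05/Nov/2013:23:33:24 +0100] csngen_new_csn - Warning: too much time skew (-2853 secs). Current seqnum=1
[05/Nov/2013:23:33:25 +0100] csngen_new_csn - Warning: too much time skew (-2853 secs). Current seqnum=1
[[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time skew (-2828 secs). Current seqnum=1
[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time skew (-2829 secs). Current seqnum=1
[05/Nov/2013:23:33:51 +0100] csngen_new_csn - Warning: too much time skew (-2830 secs). Current seqnum=1
[05/Nov/2013:23:33:53 +0100] csngen_new_csn - Warning: too much time skew (-2829 secs). Current seqnum=1
[05/Nov/2013:23:35:14 +0100] csngen_new_csn - Warning: too much time skew (-2749 secs). Current seqnum=1
[05/Nov/2013:23:35:14 +0100] csngen_new_csn - Warning: too much time skew (-2750 secs). Current seqnum=1
[05/Nov/2013:23:35:23 +0100] csngen_new_csn - Warning: too much time skew (-2742 secs). Current seqnum=1
[05/Nov/2013:23:35:23 +0100] csngen_new_csn - Warning: too much time skew (-2743 secs). Current seqnum=1
"""


def parse_skew(lines):
    """Return [(timestamp, skew_seconds), ...] for every skew warning in lines."""
    samples = []
    for line in lines:
        m = SKEW_RE.search(line)
        if m:
            samples.append((datetime.strptime(m.group("ts"), TS_FORMAT), int(m.group("skew"))))
    return samples


def skew_trend(samples):
    """Summarise how the measured skew moved between the first and the last warning."""
    if not samples:
        return {"samples": 0, "verdict": "no warnings"}
    (t0, s0), (t1, s1) = samples[0], samples[-1]
    elapsed = int((t1 - t0).total_seconds())
    delta = s1 - s0
    if abs(s1) < abs(s0):
        verdict = "converging"   # clocks being slewed back together
    elif abs(s1) > abs(s0):
        verdict = "diverging"    # one clock is running away from the other
    else:
        verdict = "stable"
    return {
        "samples": len(samples),
        "first_skew_s": s0,
        "last_skew_s": s1,
        "elapsed_s": elapsed,
        "delta_s": delta,
        "rate_s_per_s": round(delta / elapsed, 3) if elapsed else None,
        "max_abs_skew_s": max(abs(s) for _, s in samples),
        "verdict": verdict,
    }


def exceeds_kerberos_skew(samples, limit=KRB5_MAX_SKEW):
    """True if any measured skew is beyond what a KDC with the default clockskew tolerates."""
    return any(abs(s) > limit for _, s in samples)


if __name__ == "__main__":
    samples = parse_skew(SAMPLE_ERRORS_LOG.splitlines())
    print(skew_trend(samples))
    print("beyond krb5 default clockskew:", exceeds_kerberos_skew(samples))
```

On the hypervisor side, `virsh dumpxml <domain>` shows the `<clock offset=.../>` element the post changed, so the guest setting can be checked without logging into the VM.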


Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp

On 11/05/2013 09:25 PM, Rich Megginson wrote:
 On 11/05/2013 01:03 PM, Tamas Papp wrote:
 On 11/05/2013 03:58 PM, Rich Megginson wrote:
 On 11/05/2013 07:53 AM, Tamas Papp wrote:
 On 11/05/2013 03:17 PM, Rich Megginson wrote:
 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?
 What is the clock skewed? The date and time is the same on both
 machines.
 VMs are notorious for having the clocks get out of sync - even
 temporarily.
 What do you mean by this?
 I definitely see the same time on the machines.
 Also I can see in the log, that the replication is resumed. There is no
 messages about the broken replication after the resume message.

 freeipa-admintools-3.3.2-1.fc19.x86_64
 freeipa-client-3.3.2-1.fc19.x86_64
 freeipa-python-3.3.2-1.fc19.x86_64
 freeipa-server-3.3.2-1.fc19.x86_64
 libipa_hbac-1.11.1-4.fc19.x86_64
 libipa_hbac-python-1.11.1-4.fc19.x86_64
 sssd-ipa-1.11.1-4.fc19.x86_64
 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
 389-ds-base-1.3.1.12-1.fc19.x86_64

 Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2
 14:09:09 UTC
 2013 x86_64 x86_64 x86_64 GNU/Linux
 Fedora 19.


 How can I fix it?
 ldapmodify -x -D "cn=directory manager" -W <<EOF
 dn: cn=config
 changetype: modify
 replace: nsslapd-ignore-time-skew
 nsslapd-ignore-time-skew: on
 EOF

 Do this on all of your servers.
 I tried this, but no joy. Still not good:/

 Can you describe the exact steps you took, on all replicas?

I created ldif files:

# cat replication_ignore-time-skew.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

Then:

$ ldapmodify -x -D "cn=directory manager" -W -f
replication_ignore-time-skew.ldif



But I don't see the changes:

# ldapsearch -x|grep -i ignore
#

Probably you realized, I'm not an ldap expert:)
But I assume it's because it doesn't exist right now, therefore it
should be add, not modify?

I don't want to try it now, because currently it's working. Maybe when
it fails again.


Thanks,
tamas



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Tamas Papp

On 11/05/2013 03:58 PM, Rich Megginson wrote:
 On 11/05/2013 07:53 AM, Tamas Papp wrote:
 On 11/05/2013 03:17 PM, Rich Megginson wrote:
 https://fedorahosted.org/389/ticket/47516

 This has been fixed upstream and in some releases - to allow
 replication to proceed despite excessive clock skew - what is your
 389-ds-base version and platform?
 What is the clock skewed? The date and time is the same on both
 machines.

 VMs are notorious for having the clocks get out of sync - even
 temporarily.

Eventually you were right, it looks like the problem is related to the
virtualization, thanks for the tip.

Although I wouldn't say it's because of messy VMs. It definitely must
be a software bug or misconfiguration, otherwise a VM should always
look the same as a bare metal machine.

Actually in my specific case I don't see the reason why it is working
with <clock offset='utc'/> and not with <clock offset='localtime'/> if
the time in the VM is synchronized after bootup.
It looks like a software bug to me. But using UTC on (only) one machine is
definitely a misconfiguration:)


Thanks,
tamas



Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rich Megginson

On 11/05/2013 04:23 PM, Tamas Papp wrote:

On 11/05/2013 09:25 PM, Rich Megginson wrote:

On 11/05/2013 01:03 PM, Tamas Papp wrote:

On 11/05/2013 03:58 PM, Rich Megginson wrote:

On 11/05/2013 07:53 AM, Tamas Papp wrote:

On 11/05/2013 03:17 PM, Rich Megginson wrote:

https://fedorahosted.org/389/ticket/47516

This has been fixed upstream and in some releases - to allow
replication to proceed despite excessive clock skew - what is your
389-ds-base version and platform?

What is the clock skewed? The date and time is the same on both
machines.

VMs are notorious for having the clocks get out of sync - even
temporarily.

What do you mean by this?
I definitely see the same time on the machines.
Also I can see in the log, that the replication is resumed. There is no
messages about the broken replication after the resume message.


freeipa-admintools-3.3.2-1.fc19.x86_64
freeipa-client-3.3.2-1.fc19.x86_64
freeipa-python-3.3.2-1.fc19.x86_64
freeipa-server-3.3.2-1.fc19.x86_64
libipa_hbac-1.11.1-4.fc19.x86_64
libipa_hbac-python-1.11.1-4.fc19.x86_64
sssd-ipa-1.11.1-4.fc19.x86_64
389-ds-base-libs-1.3.1.12-1.fc19.x86_64
389-ds-base-1.3.1.12-1.fc19.x86_64

Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2
14:09:09 UTC
2013 x86_64 x86_64 x86_64 GNU/Linux
Fedora 19.


How can I fix it?

ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on
EOF

Do this on all of your servers.

I tried this, but no joy. Still not good:/

Can you describe the exact steps you took, on all replicas?

I created ldif files:

# cat replication_ignore-time-skew.ldif
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: on

Then:

$ ldapmodify -x -D "cn=directory manager" -W -f
replication_ignore-time-skew.ldif



But I don't see the changes:

# ldapsearch -x|grep -i ignore
ldapsearch -x -D "cn=directory manager" -W -s base -b cn=config \
'objectclass=*' nsslapd-ignore-time-skew

#

Probably you realized, I'm not an ldap expert:)
But I assume it's because it doesn't exist right now, therefore it
should be add, not modify?

It is always ok to do a changetype: modify replace


I don't want to try it now, because currently it's working. Maybe when
it fails again.

Ok.



Thanks,
tamas




Re: [Freeipa-users] ui login error and questions about replication

2013-11-05 Thread Rob Crittenden

Tamas Papp wrote:


On 11/05/2013 03:17 PM, Rich Megginson wrote:



2. What is the difference between 'primary' and 'secondary'. What does
happen, if the primary machine gets destroyed?

In IPA all replicas are the same, they only would differ by the paths
they sync with each other and by presence of integrated CA (if any).


Do I need CA in normal cases or is it just an additional and optional
service? In other words is this CA the same as used by replicas and
clients and the UI..etc?


Yes, and since you are planning for replication you should plan to have 
at least one of the replicas have a CA on it as well, to avoid a single 
point of failure.





If you have deployed the original IPA server with an integrated CA, then
it is better for at least one of your other replicas to have a CA
configured, to allow proper recovery in case the primary one is destroyed.


Are there any caveats to not deploying a CA on all replicas, as the simplest solution?


You don't need a CA on every single replica, but you probably want at 
least two.





4. How many masters can I use?

Technically there could be 65536 different masters in 389-ds replication
topology.


Perfect!


The 389-ds team has fully QA'd 20 masters at a time, so keep that in mind.

Also, replication is not free. It requires space to store the changes to 
send out, CPU time to calculate whom to send what and network bandwidth 
to share the data. Each master you add increases this workload.


Not to mention any administrative burden of running a lot of masters.






5. If I have a network like this:

A1__B1
A2  B2

A2 and B1,2 are replicated from A1

If the connection gets lost between A and B site, are B1 and 2 (and
A1,2) replicated fine?

I assume from the above that B1 does not know about B2 (and vice versa)?


Well, that is actually one of the questions. B1 and B2 are on the same
site and are failover nodes from the point of view of clients.


You can manage the replication topology with ipa-replica-manage connect 
and disconnect.  So if you want B1 and B2 connected you can do that.





Once connectivity between sites A and B restored, all unreplicated data
will be replicated. There could be conflicts if there were changes on
both sides during the split but majority of them are solved
automatically by 389-ds.


The main question is that B1 and B2 are not replicated to each other
automatically? What about the case if

A1 -- replication -- A2 --- replication --- B1 -- replication -- B2

If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized?
Especially automatically...?
Is there such a failover configuration?


No, the masters only replicate to the ones you tell them to, so if B1 
went away forever then B2 would never get any other updates unless you 
explicitly made a connection to A1 or A2.





6. If a client is installed with ipa-client-install using A1 and A1
gets
lost, does the client know, where it needs to connect (failover..)?

The IPA server which was used to enroll the host will be the primary one
(A1 in your example). There is failover in sssd.conf to use the SRV
records of the domain, trying servers in the order returned by the SRV
records.


Ahh. Then if I use external DNS, I need to configure these SRV records
manually, that's all, right?


Right.




7. Can I install slave (read-only) replicas so clients access them only
for queries and for changes (like pw change) they access master
servers?

No read-only replicas available for IPA. All replicas are read-write and
propagate changes across replication paths as defined in replication
agreements. All IPA servers are really masters, thus we have
multi-master replication rather than master-slave.



Perfect, thanks for the clarification!

Thanks,
tamas

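The two topology questions in this exchange (what happens when the link between the sites drops, and what happens when B1 disappears for good) come down to graph connectivity, because IPA masters only replicate over the agreements you create with ipa-replica-manage connect. As an added example (not from the thread and not FreeIPA code), the following models the topologies discussed above as an undirected graph: the star the post started with (A2, B1 and B2 all connected to A1), the chain A1-A2-B1-B2 Tamas asked about, and a ring that closes the chain. The host names and the site assignment are the ones from the post; everything else is an assumption for illustration.

```python
"""Find single points of failure in an IPA replication topology.

Added example, not from the thread. Replication agreements are explicit in
IPA, so the graph below is exactly the set of ipa-replica-manage
connections you created; a master only receives updates over those links.
"""
from collections import deque

NODES = ["A1", "A2", "B1", "B2"]
SITE = {"A1": "A", "A2": "A", "B1": "B", "B2": "B"}  # site assignment from the post

# The three topologies discussed in the thread (assumed agreement lists).
STAR = [("A1", "A2"), ("A1", "B1"), ("A1", "B2")]        # "A2 and B1,2 are replicated from A1"
CHAIN = [("A1", "A2"), ("A2", "B1"), ("B1", "B2")]       # "A1 -- A2 -- B1 -- B2"
RING = CHAIN + [("B2", "A1")]                             # chain closed into a loop


def components(nodes, agreements):
    """Connected components of the replication graph, as a set of frozensets."""
    adj = {n: set() for n in nodes}
    for a, b in agreements:
        adj[a].add(b)
        adj[b].add(a)
    seen, comps = set(), set()
    for start in nodes:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        comps.add(frozenset(comp))
    return comps


def single_points_of_failure(nodes, agreements):
    """Masters whose permanent loss leaves the survivors unable to replicate with each other."""
    spofs = set()
    for lost in nodes:
        remaining = [n for n in nodes if n != lost]
        kept = [(a, b) for a, b in agreements if lost not in (a, b)]
        if len(components(remaining, kept)) > 1:
            spofs.add(lost)
    return spofs


def after_site_link_loss(nodes, agreements, site_of):
    """Components that keep replicating when every inter-site agreement is cut (WAN outage)."""
    intra_site = [(a, b) for a, b in agreements if site_of[a] == site_of[b]]
    return components(nodes, intra_site)


if __name__ == "__main__":
    for name, topo in (("star", STAR), ("chain", CHAIN), ("ring", RING)):
        print(name, "SPOFs:", sorted(single_points_of_failure(NODES, topo)),
              "after WAN loss:", [sorted(c) for c in after_site_link_loss(NODES, topo, SITE)])
```

With the star, losing A1 isolates every other master, and a WAN outage leaves B1 and B2 unable to see each other's changes even though they sit on the same site; with the chain, A2 and B1 are each a single point of failure, which is the B1 scenario Rob answers above; the ring has none of these. Once the real agreement list is substituted (ipa-replica-manage list <server> prints each master's agreements), the same functions give the answer for an actual deployment.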


[Freeipa-users] External CA

2013-11-05 Thread William Leese
Hi,

Trying to install FreeIPA and have it be a sub-CA of an existing one. Sadly
I'm not getting anywhere.

The version I have installed:
ipa-server-3.0.0-26.el6_4.4.x86_64

This is what I run:

ipa-server-install -U -a testtest -p testtest
 --external_cert_file=/root/server.pem  --external_ca_file=/root/cacert.pem
-p testtest  -P testtest   -r MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com \
  -cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd testtest \
  -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin \
  -admin_email root@localhost -admin_password testtest -agent_name ipa-ca-agent \
  -agent_key_size 2048 -agent_key_type rsa \
  -agent_cert_subject "CN=ipa-ca-agent,O=MELTWATER.COM" \
  -ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 \
  -bind_dn "cn=Directory Manager" -bind_password testtest \
  -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa \
  -key_algorithm SHA256withRSA -save_p12 true -backup_pwd testtest \
  -subsystem_name pki-cad -token_name internal \
  -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=MELTWATER.COM" \
  -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=MELTWATER.COM" \
  -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=MELTWATER.COM" \
  -ca_server_cert_subject_name "CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM" \
  -ca_audit_signing_cert_subject_name "CN=CA Audit,O=MELTWATER.COM" \
  -ca_sign_cert_subject_name "CN=Certificate Authority,O=MELTWATER.COM" \
  -external true -ext_ca_cert_file /root/server.pem \
  -ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:
  <errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA

Interestingly adding the option -save_p12 false to the pkisilent command
above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if it's
crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t...@t.com
Validity
Not Before: Nov  6 05:12:09 2013 GMT
Not After : Nov  6 05:12:09 2014 GMT
Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]

[root@vagrant-centos-6 CA]# cat /root/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]

Any help would be welcome.



--
William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com

This email and any attachment(s) is intended for and confidential to the
addressee. If you are neither the addressee nor an authorized recipient for
the addressee, please notify us of receipt, delete this message from your
system and do not use, copy or disseminate the information in, or attached
to it, in any way. Our messages are checked for viruses but please note
that we do not accept liability for any viruses which may be transmitted in
or with this message.
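One thing visible in the post itself: the /root/server.pem that is passed to pkisilent begins with openssl's human-readable "Certificate: Data: ..." dump ahead of the BEGIN CERTIFICATE line. The thread does not establish whether that is what trips the NSS import, so this is not a diagnosis, but a file that contains nothing except PEM blocks removes one variable, and a base64 body whose outer DER length does not match its size is always wrong. As an added example (not from the thread and not FreeIPA or Dogtag code), the following checks a PEM file for both and can reduce it to its PEM blocks. The sample input is constructed: its base64 body is a five-byte DER SEQUENCE, not a real certificate.

```python
"""Sanity-check PEM files before handing them to ipa-server-install.

Added example, not part of the thread. Reports every PEM block in a file,
whether its base64 decodes to a well-formed outer DER element, and whether
there is stray text in front of the first block. The sample data is
constructed and is not a certificate.
"""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in for the post's server.pem: an openssl -text dump followed by a PEM block.
# "MAMCAQE=" is the DER bytes 30 03 02 01 01, i.e. SEQUENCE { INTEGER 1 }.
SAMPLE_SERVER_PEM = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
# The same block with its last byte cut off: the DER length no longer matches the content.
SAMPLE_TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"


def der_outer_length(blob):
    """Return (header_len, content_len) of the outermost DER element.

    X.509 certificates are a SEQUENCE (tag 0x30); the length is one short-form
    byte below 0x80, or 0x80|n followed by n big-endian length bytes.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("malformed long-form DER length")
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def inspect_pem(text):
    """Report each PEM block, whether it decodes to consistent DER, and any text before the first block."""
    report = {"blocks": [], "leading_text": False, "problems": []}
    matches = list(PEM_RE.finditer(text))
    if not matches:
        report["problems"].append("no PEM block found")
        return report
    if text[:matches[0].start()].strip():
        report["leading_text"] = True
        report["problems"].append("text before the first PEM block (an openssl -text dump, for example)")
    for m in matches:
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
            header, content = der_outer_length(der)
            if header + content != len(der):
                raise ValueError(f"DER length {content} does not match {len(der) - header} bytes of content")
            report["blocks"].append({"label": label, "bytes": len(der), "ok": True})
        except (ValueError, binascii.Error) as exc:
            report["blocks"].append({"label": label, "ok": False, "error": str(exc)})
            report["problems"].append(f"{label} block: {exc}")
    return report


def pem_blocks_only(text):
    """Return the file reduced to its PEM blocks, which is all a PEM consumer should ever see."""
    return "".join(m.group(0) + "\n" for m in PEM_RE.finditer(text))


if __name__ == "__main__":
    print(inspect_pem(SAMPLE_SERVER_PEM))
    print(inspect_pem(SAMPLE_TRUNCATED_PEM))
    print(pem_blocks_only(SAMPLE_SERVER_PEM))
```

For the chain file, the block count from inspect_pem is the thing to look at: it should show one block per issuer up to the root, in order, with nothing else in the file. This check says nothing about signatures or CA extensions; for that, `openssl verify -CAfile cacert.pem server.pem` on the cleaned files is the next step.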

Re: [Freeipa-users] reverse DNS and replicas

2013-11-05 Thread Brett Foster
Of course, as soon as I send this I notice the --no-host-dns. Figures.


On Tue, Nov 5, 2013 at 11:33 PM, Brett Foster fost...@edgeandvertex.org wrote:

 Alright -- I'm stumped. What is the motivation for requiring reverse
 lookups for replicas? Is there a way to turn the check off? Others ideas?

 Here's what I got:

 I set up freeipa server and client. The systems are connected over OpenVPN
 to create a private network between clients and server (10.5.x.x). Traffic
 to 10.5.0.x subset is routed over VPN; otherwise traffic uses the local
 network connection (including DNS servers provided over DHCP).

 For better or worse, I found myself exposing the internal addresses via
 the public interface of the FreeIPA server. This, however, makes it
 impossible to do the reverse lookup of internal servers.

 Clients and freeipa server appear to be happy with this arrangement.
 Replica not so much.

 FreeIPA Server: 10.5.0.1
 FreeIPA Replica: 10.5.0.2
 Client 1: 10.5.0.3
 Client 2: 10.5.0.4
 and so on...

 Error:
 2013-11-06T06:53:41Z DEBUG Check reverse address of 10.5.0.1
 2013-11-06T06:53:46Z DEBUG Check failed: [Errno 1] Unknown host
 2013-11-06T06:53:46Z DEBUG The ipa-replica-install command failed,
 exception: HostReverseLookupError: Unable to resolve the reverse ip
 address, check /etc/hosts or DNS name resolution

 Brett
