Re: [Freeipa-users] strange error from EL 7 install?

2014-10-14 Thread Fraser Tweedale
On Mon, Oct 13, 2014 at 10:08:55PM -0700, Janelle wrote:
 Actually, I did find a fix and forgot to post.
 
 I was able to mirror the COPR repo, and after reviewing it, found that
 simply removing the pki-base...fc21 directory, and regenning the repo data
 with createrepo, fixed the problem. It drops the version of PKI back to the
 10.1 branch and that resolved the dependencies.
 
 Hope this helps,
 Janelle
 

Glad you were able to find a fix.  Of course, we will still need to
fix the 10.2 build, so thanks for reporting!

Fraser

 On 10/13/14 9:48 PM, Fraser Tweedale wrote:
 On Mon, Oct 13, 2014 at 09:52:40AM -0700, Janelle wrote:
 After further investigation - it looks like the PKI base was altered/updated
 because even on a running server a yum update produces same error:
 
 # yum check-update
 Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock
 Loading mirror speeds from cached hostfile
   * base: linux.mirrors.es.net
   * extras: mirrors.usinternet.com
   * updates: centos.host-engine.com
 
 pki-base.noarch 10.2.0-3.el7.centos  freeipa
 pki-ca.noarch 10.2.0-3.el7.centos  freeipa
 pki-server.noarch 10.2.0-3.el7.centos  freeipa
 pki-tools.x86_64 10.2.0-3.el7.centos  freeipa
 slapi-nis.x86_64 0.54-1.el7.centosfreeipa
 
 and: if you select yes:
 
 ---> Package pki-base.noarch 0:10.2.0-3.el7.centos will be an update
 --> Processing Dependency: jackson-jaxrs-json-provider for package:
 pki-base-10.2.0-3.el7.centos.noarch
 --> Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (freeipa)
 Requires: jackson-jaxrs-json-provider
   You could try using --skip-broken to work around the problem
 
 Hi Janelle,
 
 Looks like the COPR moved from Dogtag 10.1 to 10.2 on 8 Oct, and
 10.2 declares a dependency on Jackson which is not in EPEL.  The
 dependency causing the problem (jackson-jaxrs-json-provider) was
 introduced at commit 32d71bb.  I'm not sure on the right approach to
 fixing this but I've copied pki-devel who will be able to help.
 
 Fraser
 
 
 On 10/13/14 9:18 AM, Janelle wrote:
 Happy Monday everyone...
 
 Wondering if anyone else is seeing this error since this weekend? Trying
 to add in a new IPA replica, which of course requires the software
 installed -- this is in CentOS 7 using COPR repo and :
 
 --> Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (ipa)
 Requires: jackson-jaxrs-json-provider
 
 and yet,  I have never had that issue until this weekend. :-(
 
 Any help?
 Janelle
 -- 
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project
 



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section 
of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
The log file located at /var/log/sssd/sssd.log is only populated with 
data when I make some errors in sssd.conf & sssd process fails to 
start. But that's the case only if I deliberately introduce some 
errors; with current configuration sssd starts successfully.

SSSD writes separate log files per each section, so you need to look at
/var/log/sssd/sssd_mydomain.com.log for [domain/mydomain.com] and
/var/log/sssd/sssd_nss.log for nss section.

3. The users created at the IPA server can't locally log in to the 
server, but it's possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, 
this is what happens when just following the IPA Quick Start Guide for 
the server side & the post from FreeBSD forums for the client side):

- home directories are not automatically created on the IPA server;
- id command output shows correct uid, but the group of any IPA 
user doesn't show as ipausers - instead, the group name is the same 
as username, + something like 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

In FreeIPA in Fedora we switched off ipausers being a POSIX group.
FreeIPA supports POSIX and non-POSIX groups; the latter is for grouping
purposes as groups can be nested in FreeIPA. 'ipausers' is the group
every user is a member of, but it is not a POSIX group anymore, so it has
less effect on performance in large deployments (tens of thousands of
users in the same group).

So it is expected. The group named as a username is a user-private group
which is maintained automatically for each user. It has the same GID as
the user's UID.


--
/ Alexander Bokovoy



Re: [Freeipa-users] mastercrl.bin very old

2014-10-14 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
 But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
 still get the old crl dated june 28th last year.

 Should I modify ipa-pki-proxy.conf as well on the CRL generator host
 to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
 as well?

This morning the /ipa/crl dir still had the lists of 28th June 2013 in
the crl generator host. In my test environment running centos 7 the
files get updated, so I think a process is not running. But which one?

Going to /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives me
the up to date CRL.

--
Groeten,
natxo



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log: 
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log

sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have 
different domain name, but everything else is identical.


Interestingly enough, there are lines in sssd_nss.log telling that there 
are no users or groups in the domain. But as I said, I can ssh to the 
IPA server as an IPA user.


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:  
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, it has no 
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1           localhost
127.0.0.1     localhost
192.168.1.10  ipa1.mydomain.com ipa1
192.168.1.30  bsd1.mydomain.com bsd1

Seems like some instructions in etc/nsswitch.conf file, like group: files sss and 
passwd: files sss have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS




Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.


14-Oct-14 10:23, Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section 
of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. 
The log file located at /var/log/sssd/sssd.log is only populated with 
data when I make some errors in sssd.conf & sssd process fails to 
start. But that's the case only if I deliberately introduce some 
errors; with current configuration sssd starts successfully.


2. My original sssd.conf (without debugs) is as follows (exact copy of 
what was shown in the post at FreeBSD forums):


-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True #to enumerate users and groups

[sssd]
enumerate = True
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]

[pam]

[sudo]
-

Interestingly enough the [nss] section is empty, just as shown in the 
post at FreeBSD forums.


3. The users created at the IPA server can't locally log in to the 
server, but it's possible to ssh to the server as an IPA user from the 
FreeBSD host. However, there are some interesting behaviors (again, 
this is what happens when just following the IPA Quick Start Guide for 
the server side & the post from FreeBSD forums for the client side):

 - home directories are not automatically created on the IPA server;
 - id command output shows correct uid, but the group of any IPA 
user doesn't show as ipausers - instead, the group name is the same 
as username, + something like 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.


4. Here is the list of snapshots taken from my FreeBSD VM when I 
installed necessary ports, maybe these snapshots will provide some 
additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA 
server: 
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a 
working solution.
Getent passwd/group return no data from the IPA server, although 
ldapsearch works fine.
I followed the instructions exactly (+ configured ldap.conf & 
started sssd) and didn't get errors anywhere, all steps completed 
successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the 
other is a FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, 
it has no integrated DNS server.

Both VMs have identical /etc/hosts file:

::1           localhost
127.0.0.1     localhost
192.168.1.10  ipa1.mydomain.com ipa1
192.168.1.30  bsd1.mydomain.com bsd1

Seems like some instructions in etc/nsswitch.conf file, like 
group: files sss and passwd: files sss have no effect.

Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me 
where to ask.

Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then 
check

out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS






Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Fraser Tweedale
On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
 With help from Alexander Bokovoy I found correct log destinations:
 
 sssd-domain-log:
 https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
 sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
 
 These files are from my second Fedora - FreeBSD setup, they have different
 domain name, but everything else is identical.
 
 Interestingly enough, there are lines in sssd_nss.log telling that there are
 no users or groups in the domain. But as I said, I can ssh to the IPA server
 as an IPA user.
 
Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.

It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)

Cheers,

Fraser

 14-Oct-14 00:32, Lukas Slebodnik wrote:
 On (13/10/14 20:33), Jakub Hrozek wrote:
 On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:
   Good day to everybody.
 There's a post on how to make a FreeBSD client work with a FreeIPA server: 
  https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
 For some reason the instructions in that post don't lead to a working 
 solution.
 Getent passwd/group return no data from the IPA server, although 
 ldapsearch works fine.
 I followed the instructions exactly (+ configured ldap.conf & started 
 sssd) and didn't get errors anywhere, all steps completed successfully.
 My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
 FreeBSD client (on FreeBSD 10.0).
 IPA server is configured as written in the IPA Quick Start Guide, it has 
 no integrated DNS server.
 Both VMs have identical /etc/hosts file:
 
 ::1           localhost
 127.0.0.1     localhost
 192.168.1.10  ipa1.mydomain.com ipa1
 192.168.1.30  bsd1.mydomain.com bsd1
 
 Seems like some instructions in etc/nsswitch.conf file, like group: files 
 sss and passwd: files sss have no effect.
 Has anybody tried this setup, what could be wrong with it?
 I can provide outputs of any commands if necessary.
 If I shouldn't have asked this question here, please advise me where to 
 ask.
 Any hint on what to do will be highly appreciated!
 Hi,
 
 I think SSSD logs would be the best start..
 
 Put debug_level=7 into the [domain] section, restart SSSD and then check
 out /var/log/sssd/*.log
 
 debug_level = 7 can be put into nss section as well.
 Could you share your sssd configuration file /usr/local/etc/sssd.conf?
 
 LS
 
 

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.

You have a basic problem of DNS resolution at the FreeBSD client side:
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done]
(0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
...
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb]
(0x0080): Going offline. Running callbacks.


Make sure your DNS infrastructure is actually working. Run the following on
the FreeBSD side:

dig SRV _ldap._tcp.eurosel.az
dig SRV _kerberos._tcp.eurosel.az

and fix either your resolver or DNS server to properly resolve SRV
records for IPA domain (assuming eurosel.az is your IPA domain).

--
/ Alexander Bokovoy

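Alexander's diagnosis above comes from reading the backend log by eye. What follows is an added example, not code from this thread or from the SSSD project: a small Python triage script that parses records of the `(timestamp) [sssd[be[domain]]] [function] (0xlevel): message` shape found in sssd_<domain>.log at debug_level = 7, and counts the SRV-lookup failures and offline transitions he pointed at. The sample records are constructed to mirror the quoted ones (joined back onto single lines, as they are in the real file), and the rule table is my own assumption about which function names and messages matter, not an SSSD format definition.

```python
"""Triage an SSSD backend log (sssd_<domain>.log) for server-discovery failures.

Added example, not SSSD project code. The record layout matched below is an
assumption based on the lines quoted in this thread.
"""
import re
from collections import Counter

# (Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "                      # timestamp in parentheses
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "     # [sssd[be[<domain>]]]
    r"\[(?P<func>[^\]]+)\] "                     # [<function>]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "           # (0x<debug level>):
    r"(?P<msg>.*)$"
)

# (function, substring of the message, finding label) -- assumed, from the thread's lines
RULES = [
    ("resolve_srv_done", "SRV query failed", "srv_lookup_failed"),
    ("set_srv_data_status", "'not resolved'", "srv_marked_unresolved"),
    ("be_resolve_server_process", "Couldn't resolve server", "server_unresolved"),
    ("fo_resolve_service_send", "No available servers", "no_servers_available"),
    ("sdap_id_op_connect_done", "going offline", "backend_going_offline"),
    ("be_run_offline_cb", "Going offline", "backend_offline"),
]

# Constructed sample, one record per line, modelled on the quoted log excerpt.
SAMPLE_LOG = """\
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
"""


def parse_line(line):
    """Split one record into its fields, or return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Map a parsed record to a finding label, or None if it is not interesting."""
    for func, needle, label in RULES:
        if rec["func"] == func and needle in rec["msg"]:
            return label
    return None


def triage(lines):
    """Return (Counter of findings, set of domains seen, one-line verdict)."""
    findings = Counter()
    domains = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domains.add(rec["domain"])
        label = classify(rec)
        if label:
            findings[label] += 1
    if findings["srv_lookup_failed"] and findings["no_servers_available"]:
        verdict = ("DNS SRV discovery failed and no fallback server was available: "
                   "fix the resolver/DNS or add an explicit host to ipa_server")
    elif findings["srv_lookup_failed"]:
        verdict = "SRV lookup failed but another server was found: check DNS anyway"
    elif findings["backend_offline"]:
        verdict = "backend went offline for another reason: read the records before the offline callback"
    else:
        verdict = "no server-discovery failure seen"
    return findings, domains, verdict


if __name__ == "__main__":
    counts, seen, why = triage(SAMPLE_LOG.splitlines())
    for label, n in sorted(counts.items()):
        print(f"{label}: {n}")
    print("domains:", ", ".join(sorted(seen)))
    print("verdict:", why)
```

Point it at the real file (for example `triage(open("/var/log/sssd/sssd_eurosel.az.log").readlines())`) after setting debug_level = 7; a verdict of failed SRV discovery is the cue to run the `dig SRV` checks above before touching anything else.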


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

Thanks for taking time to find a solution.

1. Location of log files is /var/log/sssd , I just didn't know that each 
section of sssd.conf file produced its own log file:


/var/log/sssd/sssd_your.domain.log
/var/log/sssd/sssd_nss.log

2. For the client side, here again the list of snapshots taken from my 
FreeBSD VM when I installed necessary ports, maybe these snapshots will 
provide some additional info on sssd behavior:


clean_install
starting_sssd_install
krb5_choice_added_LDAP
openldap24-sasl-client_choice_added_FETCH_GSSAPI
cyrus-sasl2_choice_defaults
bind_choice_added_GSSAPI_MIT
sssd_installation_finished
sudo_installed_with_INSULTS_LDAP_SSSD
cyrus-sasl2-gssapi_choice_added_MIT
all_ports_installed_directories_created
all_configs_applied_sssd_started

3. For the server side, one thing that I had to do differently when 
adding the client to the server, is I used the --force option, as the 
server complained about the host not having a DNS A record (I don't run 
DNS server on IPA server).


14-Oct-14 12:48, Fraser Tweedale wrote:

On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:
https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have different
domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there are
no users or groups in the domain. But as I said, I can ssh to the IPA server
as an IPA user.


Hi Orkhan,

Thanks for the logs.  What were their actual locations?

I'm going to try and reproduce your setup and see whether I get the
same outcome.  I have been building and installing the ports as
indicated in the forum post, and one thing I have noticed is that
there are a lot of configuration options on some of the important
ports - perhaps there was an important option that the author forgot
to mention.

It is the end of the day for me, but sssd is now installed so I
should let you know tomorrow whether I am running into the same
issues as you, or whether I find success.

(As a side note: once I get to a working setup I will create and
publish a pkg(8) repo with the needed ports built with the correct
options and make.conf variables.  This should make it easier and
certainly quicker to use FreeBSD as a FreeIPA client.)

Cheers,

Fraser


14-Oct-14 00:32, Lukas Slebodnik wrote:

On (13/10/14 20:33), Jakub Hrozek wrote:

On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote:

  Good day to everybody.
There's a post on how to make a FreeBSD client work with a FreeIPA server:  
https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146
For some reason the instructions in that post don't lead to a working solution.
Getent passwd/group return no data from the IPA server, although ldapsearch 
works fine.
I followed the instructions exactly (+ configured ldap.conf & started sssd) and 
didn't get errors anywhere, all steps completed successfully.
My setup: 2 VMs, one is the FreeIPA server (on Fedora 20), the other is a 
FreeBSD client (on FreeBSD 10.0).
IPA server is configured as written in the IPA Quick Start Guide, it has no 
integrated DNS server.
Both VMs have identical /etc/hosts file:

::1           localhost
127.0.0.1     localhost
192.168.1.10  ipa1.mydomain.com ipa1
192.168.1.30  bsd1.mydomain.com bsd1

Seems like some instructions in etc/nsswitch.conf file, like group: files sss and 
passwd: files sss have no effect.
Has anybody tried this setup, what could be wrong with it?
I can provide outputs of any commands if necessary.
If I shouldn't have asked this question here, please advise me where to ask.
Any hint on what to do will be highly appreciated!

Hi,

I think SSSD logs would be the best start..

Put debug_level=7 into the [domain] section, restart SSSD and then check
out /var/log/sssd/*.log


debug_level = 7 can be put into nss section as well.
Could you share your sssd configuration file /usr/local/etc/sssd.conf?

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Lukas Slebodnik
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of 
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not 
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup 
meta-server), resolver returned (5)

DNS discovery of IPA server failed, because you just configured a few hostnames
in /etc/hosts

You can add an IP address or hostname to the option ipa_server
e.g.
ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)

LS

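Lukas's two points (an `_srv_`-only ipa_server leaves nothing to fall back on when the SRV lookup fails, and a comment belongs on its own line rather than after the value) can be checked mechanically. This is an added example, not code from this thread or from SSSD: it loads an sssd.conf-style file twice with Python's configparser, once literally and once with inline `#` comments stripped, and reports both conditions for every [domain/...] section. The sample configuration and its fixed variant are constructed after the one posted in this thread; `ipa1.mydomain.com` as the fallback host is taken from that post. How SSSD's own parser treats a same-line comment is not reproduced here; the script only shows that the literal value carries the comment text.

```python
"""Lint ipa_server in an sssd.conf-style file for SRV-only discovery and
same-line comments.

Added example, not SSSD project code. It assumes the INI layout SSSD uses
and does not reproduce SSSD's own configuration parser.
"""
import configparser

# Constructed sample, modelled on the sssd.conf posted in this thread.
SAMPLE_SSSD_CONF = """\
[domain/mydomain.com]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = mydomain.com
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
ldap_tls_cacert = /etc/ssl/ca.crt
enumerate = True

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = mydomain.com

[nss]
[pam]
[sudo]
"""

# The same domain section after applying the advice above: comment on its
# own line, explicit fallback host after _srv_.
FIXED_SSSD_CONF = """\
[domain/mydomain.com]
id_provider = ipa
ipa_domain = mydomain.com
# our FreeIPA server has DNS SRV entries; keep an explicit fallback anyway
ipa_server = _srv_, ipa1.mydomain.com

[sssd]
domains = mydomain.com
"""

MESSAGES = {
    "no_ipa_server": "ipa_server is unset; discovery relies on DNS SRV alone",
    "srv_only_no_fallback": "ipa_server is _srv_ only; a failed SRV lookup "
                            "leaves no server to try (use '_srv_, host.fqdn')",
    "inline_comment_in_value": "ipa_server carries a same-line comment; move "
                               "the comment to its own line",
}


def load(text, strip_inline_comments):
    """Parse the file; optionally treat ' #...' after a value as a comment."""
    cp = configparser.ConfigParser(
        interpolation=None,
        inline_comment_prefixes=("#", ";") if strip_inline_comments else None,
    )
    cp.read_string(text)
    return cp


def server_list(cp, section):
    """Split the comma-separated ipa_server value into its entries."""
    raw = cp.get(section, "ipa_server", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def lint(text):
    """Return {section: [finding codes]} for every [domain/...] section."""
    literal = load(text, strip_inline_comments=False)
    cleaned = load(text, strip_inline_comments=True)
    results = {}
    for section in cleaned.sections():
        if not section.startswith("domain/"):
            continue
        findings = []
        servers = server_list(cleaned, section)
        if not servers:
            findings.append("no_ipa_server")
        elif servers == ["_srv_"]:
            findings.append("srv_only_no_fallback")
        # If stripping inline comments changes the value, the file as written
        # carries comment text inside the setting itself.
        if server_list(literal, section) != servers:
            findings.append("inline_comment_in_value")
        results[section] = findings
    return results


def explain(results):
    """Render finding codes as readable lines."""
    return [f"{sec}: {MESSAGES[code]}" for sec, codes in results.items() for code in codes]


if __name__ == "__main__":
    for line in explain(lint(SAMPLE_SSSD_CONF)) or ["no findings"]:
        print(line)
```

Reading the real file is `lint(open("/usr/local/etc/sssd/sssd.conf").read())`. The two-parse trick is deliberate: whichever way SSSD reads a trailing comment, a setting whose meaning depends on that is worth flagging, and the cleaned view is the one that exposes the missing fallback host.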


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has 
DNS SRV entries was taken as-is from the how-to on FreeBSD forums. 
First I commented it out, because I was unsure if it was appropriate 
for my simple setup with just 2 VMs and a bunch of records in 
/etc/hosts file. After starting sssd, I could get no IPA data 
with getent passwd or getent group commands. Then I uncommented it 
and restarted sssd, but things remained the same.


Now your advice is:  ...add IP address or hostname to the option 
ipa_server, but you use an arbitrary name like vm-120.eurosel.az. 
Could you please explain which host's FQDN I should put there? If I use 
ipa1.eurosel.az, then sssd won't start (complains about ...Looping 
detected inside krb5_get_in_tkt...).


If it MUST be a DNS server, then everything changes. And the question 
then becomes: is it possible to set up a test FreeIPA client-server 
interaction using only 2 VMs and proper records in /etc/hosts instead of 
a DNS server? Or MUST one add a third VM and make it a DNS server to 
facilitate client-server interaction?


14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of 
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not 
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup 
meta-server), resolver returned (5)

DNS discovery of IPA server failed, because you just configured a few hostnames
in /etc/hosts

You can add an IP address or hostname to the option ipa_server
e.g.
 ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov
I tried to avoid setting up a third VM to serve as a DNS server for my 
test scenario. Thought it would be possible to set up working FreeIPA 
client-server interaction with just 2 VMs & correct hostnames & 
/etc/hosts files in them.


Do I correctly understand your idea that it's a MUST to set up a DNS 
server to facilitate FreeIPA client-server interaction? Or is there a way 
to do it with just 2 VMs and no DNS server?



14-Oct-14 12:50, Alexander Bokovoy wrote:

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

With help from Alexander Bokovoy I found correct log destinations:

sssd-domain-log:https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log 


sssd-nss-log:https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log

These files are from my second Fedora - FreeBSD setup, they have
different domain name, but everything else is identical.

Interestingly enough, there are lines in sssd_nss.log telling that there
are no users or groups in the domain. But as I said, I can ssh to the
IPA server as an IPA user.

You have a basic problem of DNS resolution at the FreeBSD client side:
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [resolve_srv_done]
(0x0020): SRV query failed: [Domain name not found]
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
...
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'IPA'
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5
[Input/output error])
(Tue Oct 14 12:09:04 2014) [sssd[be[eurosel.az]]] [be_run_offline_cb]
(0x0080): Going offline. Running callbacks.


Make sure your DNS infrastructure is actually working. Run the following on
the FreeBSD side:

dig SRV _ldap._tcp.eurosel.az
dig SRV _kerberos._tcp.eurosel.az

and fix either your resolver or DNS server to properly resolve SRV
records for IPA domain (assuming eurosel.az is your IPA domain).



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in the /etc/hosts file. After
starting sssd, I could get no IPA data with getent passwd or getent group
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is:  ...add IP address or hostname to the option ipa_server,
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host's FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won't start (complains about ...Looping detected inside
krb5_get_in_tkt...).

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful 
configuration on clients and is strongly discouraged.


If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS server>
+ specify an IPA domain name which is a sub-domain of your existing domain (e.g. 
ipa.eurosel.az)

+ change /etc/resolv.conf on *all* clients to point to IPA server

*This is a dirty trick* and it will not work unless all your clients have the 
IPA server in resolv.conf. It will most likely break when you try to use AD 
trust with AD clients etc.



*In production environment* you should add NS records for ipa.eurosel.az 
domain to the parent DNS zone to create proper delegation. In that case you 
don't need to fiddle with resolv.conf on all clients.


Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik wrote:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in the [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & the sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with the current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

-
[domain/mydomain.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries


[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
'_ldap._tcp.eurosel.az'
...
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not
resolved'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
meta-server), resolver returned (5)

DNS discovery of the IPA server failed, because you just configured a few hostnames
in /etc/hosts.

You can add IP address or hostname to the option ipa_server
e.g.
 ipa_server = _srv_, vm-120.eurosel.az

BTW, in my opinion it is better to have the comment before the option and not on
the same line :-)



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
I tried to avoid setting up a third VM to serve as a DNS server for my 
test scenario. Thought it would be possible to set up working FreeIPA 
client-server interaction with just 2 VMs & correct hostnames & 
/etc/hosts files in them.

Many applications rely on service discovery based on DNS. In particular,
SSSD uses this approach if you don't explicitly set servers for LDAP,
Kerberos, IPA, etc. See sssd-ldap(5), sssd-krb5(5), sssd-ipa(5), section
'SERVICE DISCOVERY'.

The mechanism is described in RFC 2782. It becomes even more important
for cases like integration with Active Directory where AD side relies on
DNS service discovery unconditionally.

IPA has an integrated DNS server; all you needed to do is to run
'ipa-server-install --setup-dns' or 'ipa-dns-install' afterwards.

If you don't want to use IPA-provided DNS server, at the end of
ipa-server-install a sample DNS zone was generated to show what records
need to be added to your DNS zone.


Do I correctly understand your idea that it's a MUST to set up a DNS 
server to facilitate FreeIPA client-server interaction? Or is there a 
way to do it with just 2 VMs and no DNS server?

Use the integrated DNS server in the FreeIPA server; this is the supported way of
doing it. FreeIPA will then make it manageable through its tools -- be
it the command line interface or the web UI.


--
/ Alexander Bokovoy
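The sssd log Alexander quotes above fails at `_ldap._tcp.eurosel.az` with "Domain name not found" because nothing answers SRV queries for that domain, Lukas's `ipa_server = _srv_, vm-120.eurosel.az` works because SSSD falls through to the explicit name, and the SERVICE DISCOVERY section Alexander points to is the RFC 2782 priority/weight ordering. The following is an added, offline model of those three points, written for this thread rather than taken from SSSD or FreeIPA: it expands an sssd.conf ipa_server value, orders a constructed SRV answer per RFC 2782, and lists which discovery records an IPA domain is missing. The zone contents, hostnames and the record checklist are constructed assumptions; the authoritative check on a real client remains the two `dig SRV` queries given above.

```python
import random

# Constructed DNS data for the example (not from any real zone).
# Each zone maps an owner name to its records: SRV records are
# (priority, weight, port, target) tuples, TXT records are plain strings.
# A missing owner name means NXDOMAIN, which SSSD logs as
# "SRV query failed: [Domain name not found]".
HOSTS_ONLY_ZONE = {
    # Models a setup where only /etc/hosts carries names: no SRV records at all.
    "ipa1.eurosel.az": {"A": ["192.0.2.10"]},
    "bsd1.eurosel.az": {"A": ["192.0.2.20"]},
}

IPA_ZONE = {
    # Constructed approximation of a zone published by 'ipa-server-install --setup-dns',
    # with a second (assumed) replica to show priority/weight ordering.
    "_ldap._tcp.ipa.eurosel.az": {"SRV": [(0, 100, 389, "ipa1.ipa.eurosel.az"),
                                          (10, 50, 389, "ipa2.ipa.eurosel.az")]},
    "_kerberos._tcp.ipa.eurosel.az": {"SRV": [(0, 100, 88, "ipa1.ipa.eurosel.az")]},
    "_kerberos._udp.ipa.eurosel.az": {"SRV": [(0, 100, 88, "ipa1.ipa.eurosel.az")]},
    "_kpasswd._tcp.ipa.eurosel.az": {"SRV": [(0, 100, 464, "ipa1.ipa.eurosel.az")]},
    "_kpasswd._udp.ipa.eurosel.az": {"SRV": [(0, 100, 464, "ipa1.ipa.eurosel.az")]},
    "_kerberos.ipa.eurosel.az": {"TXT": ["IPA.EUROSEL.AZ"]},
}

# Records a client needs to discover an IPA domain. The first two SRV names are
# the ones Alexander asks to dig for; the rest follow the same layout (assumption).
REQUIRED_RECORDS = [
    ("_ldap._tcp", "SRV"), ("_kerberos._tcp", "SRV"), ("_kerberos._udp", "SRV"),
    ("_kpasswd._tcp", "SRV"), ("_kpasswd._udp", "SRV"), ("_kerberos", "TXT"),
]


def lookup(zone, name, rtype):
    """Return the records of type rtype at name, or None when the name does not exist."""
    rrset = zone.get(name.lower())
    if rrset is None:
        return None
    return rrset.get(rtype, [])


def rfc2782_order(srv_records, rng=random):
    """Order SRV records as RFC 2782 prescribes: ascending priority, and within
    one priority a weighted random draw repeated until the group is exhausted."""
    ordered = []
    for prio in sorted({r[0] for r in srv_records}):
        group = [r for r in srv_records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)  # inclusive on both ends, as in the RFC
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def resolve_ipa_servers(ipa_server_value, domain, zone, rng=random):
    """Expand an sssd.conf ipa_server value into the server list SSSD would try.
    '_srv_' becomes the targets of _ldap._tcp.<domain>; anything else is used as-is,
    which is why '_srv_, vm-120.eurosel.az' still works when discovery fails."""
    servers = []
    for item in ipa_server_value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == "_srv_":
            records = lookup(zone, f"_ldap._tcp.{domain}", "SRV")
            if not records:  # NXDOMAIN or an empty answer: nothing discovered
                continue
            servers.extend(rec[3] for rec in rfc2782_order(records, rng))
        else:
            servers.append(item)
    return servers


def missing_ipa_records(zone, domain):
    """List the discovery records absent from zone for the given IPA domain."""
    missing = []
    for prefix, rtype in REQUIRED_RECORDS:
        name = f"{prefix}.{domain}"
        if not lookup(zone, name, rtype):
            missing.append(f"{name} {rtype}")
    return missing


if __name__ == "__main__":
    # The failure in the thread: discovery against a hosts-only setup yields nothing.
    print(resolve_ipa_servers("_srv_", "eurosel.az", HOSTS_ONLY_ZONE))
    print(resolve_ipa_servers("_srv_, vm-120.eurosel.az", "eurosel.az", HOSTS_ONLY_ZONE))
    print(resolve_ipa_servers("_srv_", "ipa.eurosel.az", IPA_ZONE))
    print(missing_ipa_records(HOSTS_ONLY_ZONE, "eurosel.az"))
```

The model keeps only the part of failover that matters here: an explicit name listed after `_srv_` is always tried, so it papers over a broken resolver but does nothing for Kerberos, whose SRV and TXT lookups fail the same way.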



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I'll try such a test setup, then share information about results.


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

I need further assistance with this moment:
specify IPA domain name which is sub-domain of your existing domain 
(e.g. ipa.eurosel.az).


Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's 
hostname is bsd1.eurosel.az.

So when running this command:

ipa-server-install --setup-dns --forwarder <ip address of your 
*existing* DNS server>,


the installation program detects the hostname of the VM 
(ipa1.eurosel.az) and offers it as IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right 
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain = 
ipa.eurosel.az), but then there will be a conflict with the real 
hostname and records in the /etc/hosts file.


On the other hand, if I change the hostname of the server VM to 
ipa1.ipa.eurosel.az prior to running the IPA installation program, 
then the installation program will offer my server an FQDN of 
ipa1.ipa.eurosel.az and a domain name of ipa.eurosel.az. But doesn't 
it mean that my client's hostname should also be changed to 
bsd1.ipa.eurosel.az? I'd like to avoid this, because in production I 
won't be able to change the domain part of FQDN for hundreds of clients.


Please don't hesitate to explain a little clearer.


Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 13:48, Orkhan Gasimov wrote:

I need further assistance with this moment:
specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az).

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:

ipa-server-install --setup-dns --forwarder <ip address of your *existing* DNS
server>,

the installation program detects the hostname of the VM (ipa1.eurosel.az) and
offers it as IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real hostname and
records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation program, then the
installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and
a domain name of ipa.eurosel.az. But doesn't it mean that my client's
hostname should also be changed to bsd1.ipa.eurosel.az? I'd like to avoid
this, because in production I won't be able to change the domain part of FQDN
for hundreds of clients.


Clients don't need to be in the same domain as IPA. The IPA domain in DNS is 
necessary to store 'metadata' like SRV and TXT records etc.


You can even experiment with IPA servers which are not in the IPA domain but 
I'm not sure how much it was tested.


Alexander can add more details about records required for AD integration and 
how it should work with clients which are not in the IPA domain.


Petr^2 Spacek




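Petr's two earlier options differ only in how a client's resolver reaches the records that live in the IPA domain: the quick & dirty way points every client's resolv.conf straight at the IPA server, while the production way adds NS records for ipa.eurosel.az to the parent eurosel.az zone so any resolver can follow the referral, and, as he says just above, a client such as bsd1.eurosel.az keeps its name in the parent domain either way. The following is an added model of that difference, written for this thread and not part of FreeIPA or any DNS server: a toy iterative resolver walks constructed zones, follows NS referrals through glue, and forwards out-of-zone names the way the `--forwarder` option makes the IPA server do. Zone contents, addresses and server names are constructed assumptions.

```python
# Constructed zone data for the example (no real DNS server or addresses).
# Records are keyed by owner name, then by record type.
EXISTING_DNS_ADDR = "198.51.100.1"   # the company's existing DNS server (assumed)
IPA_SERVER_ADDR = "192.0.2.10"       # ipa1.ipa.eurosel.az, running the integrated DNS

IPA_DNS_ZONE = {
    "origin": "ipa.eurosel.az",
    "records": {
        "ipa.eurosel.az": {"NS": ["ipa1.ipa.eurosel.az"]},
        "ipa1.ipa.eurosel.az": {"A": [IPA_SERVER_ADDR]},
        "_ldap._tcp.ipa.eurosel.az": {"SRV": ["0 100 389 ipa1.ipa.eurosel.az"]},
        "_kerberos._tcp.ipa.eurosel.az": {"SRV": ["0 100 88 ipa1.ipa.eurosel.az"]},
    },
}

# The existing eurosel.az zone as it is today: the client keeps its old name
# here, and nothing points at the IPA subdomain yet.
PARENT_ZONE_NO_DELEGATION = {
    "origin": "eurosel.az",
    "records": {
        "bsd1.eurosel.az": {"A": ["192.0.2.20"]},
    },
}


def with_delegation(parent):
    """Return a copy of the parent zone with the NS record (plus glue A record)
    that delegates ipa.eurosel.az to the IPA server, as Petr describes."""
    records = {name: dict(rr) for name, rr in parent["records"].items()}
    records["ipa.eurosel.az"] = {"NS": ["ipa1.ipa.eurosel.az"]}
    records["ipa1.ipa.eurosel.az"] = {"A": [IPA_SERVER_ADDR]}  # glue
    return {"origin": parent["origin"], "records": records}


def in_zone(zone, name):
    return name == zone["origin"] or name.endswith("." + zone["origin"])


def find_referral(zone, name):
    """Return (subzone, ns_names) if a name between the query name and the zone
    origin carries NS records, i.e. the query falls into a delegated subzone."""
    labels = name.split(".")
    for i in range(len(labels)):
        cut = ".".join(labels[i:])
        if cut == zone["origin"]:
            break
        ns_names = zone["records"].get(cut, {}).get("NS")
        if ns_names:
            return cut, ns_names
    return None


def resolve(name, rtype, servers, server_addr, depth=0):
    """Ask the server at server_addr for name/rtype the way an iterative resolver
    would: answer from its own zone, follow NS referrals through glue, or forward
    out-of-zone names to its configured forwarder. Returns (answer, path), where
    path lists the servers consulted and answer is None for NXDOMAIN."""
    path = [server_addr]
    if depth > 4:
        return None, path + ["loop"]
    server = servers[server_addr]
    zone = server["zone"]
    if not in_zone(zone, name):
        if server["forwarder"] is None:
            return None, path  # authoritative only: knows nothing outside its zone
        answer, sub = resolve(name, rtype, servers, server["forwarder"], depth + 1)
        return answer, path + sub
    referral = find_referral(zone, name)
    if referral:
        _subzone, ns_names = referral
        glue = zone["records"].get(ns_names[0], {}).get("A")
        if not glue:
            return None, path + ["no glue for " + ns_names[0]]
        answer, sub = resolve(name, rtype, servers, glue[0], depth + 1)
        return answer, path + sub
    rrset = zone["records"].get(name)
    if rrset is None:
        return None, path  # NXDOMAIN, what sssd logs as "Domain name not found"
    return rrset.get(rtype, []), path


def lookup_via(client_resolver, name, rtype="SRV", parent=PARENT_ZONE_NO_DELEGATION):
    """Resolve name from a client whose resolv.conf points at client_resolver.
    The IPA server forwards anything outside its own zone to the existing DNS."""
    servers = {
        EXISTING_DNS_ADDR: {"zone": parent, "forwarder": None},
        IPA_SERVER_ADDR: {"zone": IPA_DNS_ZONE, "forwarder": EXISTING_DNS_ADDR},
    }
    return resolve(name, rtype, servers, client_resolver)


if __name__ == "__main__":
    srv = "_ldap._tcp.ipa.eurosel.az"
    print("existing DNS, no delegation:", lookup_via(EXISTING_DNS_ADDR, srv))
    print("dirty trick, client -> IPA:", lookup_via(IPA_SERVER_ADDR, srv))
    delegated = with_delegation(PARENT_ZONE_NO_DELEGATION)
    print("existing DNS, delegated:", lookup_via(EXISTING_DNS_ADDR, srv, parent=delegated))
    print("client's own name via IPA forwarder:", lookup_via(IPA_SERVER_ADDR, "bsd1.eurosel.az", "A"))
```

The first call reproduces the NXDOMAIN from the thread, the second shows why the resolv.conf trick works only for clients that point at the IPA server, and the third shows the delegation making the same record reachable through the existing server; the last one shows the forwarder keeping the parent domain resolvable for clients that do use the IPA server.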
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov

So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to 
ipa1.ipa.eurosel.az prior to issuing IPA installation command
2) or leave my hostname and contents of /etc/hosts file intact and 
specify a different FQDN and domain part of the IPA server after issuing 
IPA installation command?

Yes, I know - this is a question Homer Simpson would ask.



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Alexander Bokovoy

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

So which way do I go?
1) Change the server VM's hostname from ipa1.eurosel.az to 
ipa1.ipa.eurosel.az prior to issuing IPA installation command
2) or leave my hostname and contents of /etc/hosts file intact and 
specify a different FQDN and domain part of the IPA server after 
issuing IPA installation command?

Yes, I know - this is a question Homer Simpson would ask.

Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.

If you want later to see how this setup scales, all you would need to do
is to make sure the other clients would use ipa1.ipa.eurosel.az as a
resolver.




14-Oct-14 17:43, Petr Spacek wrote:

On 14.10.2014 13:48, Orkhan Gasimov wrote:

I need further assistance with this moment:
specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az).

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:

ipa-server-install --setup-dns --forwarder <ip address of your 
*existing* DNS server>,

the installation program detects the hostname of the VM 
(ipa1.eurosel.az) and

offers it as IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real 
hostname and

records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation 
program, then the
installation program will offer my server an FQDN of 
ipa1.ipa.eurosel.az and

a domain name of ipa.eurosel.az. But doesn`t it mean that my client`s
hostname should also be changed to bsd1.ipa.eurosel.az? I`d like 
to avoid
this, because in production I won`t be able to change the domain 
part of FQDN

for hundreds of clients.


Clients don't need to be in the same domain as IPA. The IPA domain in DNS is
necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain but
I'm not sure how much it was tested.

Alexander can add more details about records required for AD integration and
how it should work with clients which are not in the IPA domain.


Petr^2 Spacek



14-Oct-14 16:29, Petr Spacek writes:

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in /etc/hosts file. After
starting sssd, I could get no IPA data with getent passwd or getent group
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is: ...add IP address or hostname to the option ipa_server,
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host`s FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won`t start (complains about ...Looping detected inside
krb5_get_in_tkt...).

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful
configuration on clients and is strongly discouraged.

If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server
+ specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to IPA server

*This is a dirty trick* and it will not work unless all your clients have the
IPA server in resolv.conf. It will most likely break when you try to use AD
trust with AD clients etc.

*In a production environment* you should add NS records for ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In that case you
don't need to fiddle with resolv.conf on all clients.

Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik writes:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But 

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-14 Thread Rob Crittenden
quest monger wrote:
 Makes sense.
 I will still try out that cert add command in my test environment, just
 to see if it works.
 Looks like for now, 4.1 upgrade is my best option.

IPA 3.x includes a command, ipa-server-certinstall, which will do what
you need. This can be a bumpy process with clients and such which is why
Dmitri suggested using 4.1, but it should still basically work. It
depends greatly on whether the CA issuing the certs is already known by
clients (for example being a default CA shipped by NSS and openssl).

But I'd step cautiously and ask a lot of questions before you proceed.
The IPA certificates are not self-signed. They are issued by a CA
controlled by IPA.  I think your admin's concerns are related to users
getting an unknown CA/cert error. It can be confusing and can train
users to accept any SSL certificate they see which is bad.

There are some downsides to not using the IPA CA:

- no automatic renewal of certificates. This means you need to manually
monitor your infrastructure and renew the certificates before they
expire. Otherwise your identity infrastructure could go down.
- for every replica you set up you will need to get a web and ldap
certificate in advance

rob

 
 
 On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:
 
 On 10/13/2014 06:45 PM, quest monger wrote:
 I did the default IPA install, didn't change any certs or anything.
 As part of that install, it now shows 2 certs, one on port 443
 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust
 chain, hence I called them self-signed.
 We have a contract with a third party CA that issues TLS certs for
 us. I was asked to find a way to replace those 2 self-signed certs
 with certs from this third party CA.
 I was wondering if there was a way I could do that.

 I found this
 - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

 I am currently running 3.0.0.


 
 AFAIU the biggest issue will be with the clients.
 I suspect that they might be quite confused if you just drop in the
 certs from the 3rd party.
 If you noticed the page has the following line:
 The certificate in mysite.crt must be signed by the CA used when
 installing FreeIPA. I think it should say by external CA to be clear.
 It is not the case in your situation. If it were the situation the
 CA would have been already in trust chain on the clients and
 procedure would have worked but I do not think it would work now.
 You would need to use the cert chaining tool that was built in
 4.1 when 4.1 gets released on CentOS.
 
 
 
 

 On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal d...@redhat.com
 mailto:d...@redhat.com wrote:

 On 10/13/2014 03:39 PM, quest monger wrote:
 I found some documentation for getting certificate signed by
 external CA (2.3.3.2. Using Different CA Configurations) -
 
 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


 But looks like those instructions apply to a first time fresh
 install, not for upgrading an existing install.



 On Mon, Oct 13, 2014 at 3:24 PM, quest monger
 quest.mon...@gmail.com mailto:quest.mon...@gmail.com wrote:

 I was told by my admin team that Self-signed certs pose a
 security risk.


 On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
 rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:

 quest monger wrote:
  Hello All,
 
  I installed FreeIPA server on a CentOS host. I have
 20+ Linux and
  Solaris clients hooked up to it. SSH and Sudo works
 on all clients.
 
  I would like to replace the self-signed cert that
 is used on Port 389
  and 636.
 
  Is there a way to do this without re-installing the
 server and clients.

 Why do you want to do this?

 rob






 Do I get it right that you installed IPA using self-signed
 certificate and now want to change it?
 What version of IPA do you have? Did you use a self-signed CA-less
 install or a self-signed CA?
 The tools to change the chaining are only being released in
 4.1 so you might have to move to latest when we release 4.1
 for CentOS.


 -- 
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.


 --
 Manage your subscription for the Freeipa-users mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-users
 Go To http://freeipa.org for more info on the project


 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering 

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-14 Thread Rob Crittenden
Janelle wrote:
 Hi again,
 
 A lot of this information has been very useful.  I did have a question I
 could not answer. I noticed in the Deployment Recommendations docs, it
 says not to have any more than 4 replication agreements. Perhaps I am
 missing something, but I don't see how to get a replica to be a master
 to be able to create another replicate?  Am I missing something obvious
 here?

Every IPA install is a master. The only distinction between servers is
the optional services of DNS and a CA. So don't get confused by replica
vs master. Once an IPA server is up it is a master.

We don't recommend any one master to have more than 4 agreements. Each
agreement adds a bit more load on the server to calculate the
differences to send to each one, so you want to keep it reasonable. I'd
recommend making a map of your topology to ensure that no master ends up
alone, or one ends up being overloaded. You can use ipa-replica-manage
to control the replication topology. By default a single agreement is
set up between a new master and the one that created it.

Any master can create a new master.

As you do your installations be sure to have at least 2 masters with a
CA on it to avoid a single point of failure.

rob

 
 Thank you,
 ~Janelle
 
 On 10/13/14 3:18 PM, Dmitri Pal wrote:
 On 10/12/2014 08:07 PM, James wrote:
 On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:
 Hi again,

 I was wondering if there were any suggestions for performance of IPA
 and
 settings to sysctl and maybe limits.conf? I tried the website, but
 did not
 see anything.  Have about 3000 servers that will be talking to 3-4
 masters/replicas. Are there any formulas to follow?

 thanks

 If you get an answer to this, or if you know of any other performance
 tuning params, let me know and I'll build it in to puppet-ipa.

 Thanks,
 James

 I do not think it is easily automatable.
 Please see http://www.freeipa.org/page/Deployment_Recommendations and
 part about replicas.
 If 3000 in one datacenter then 3 is good enough or 4 if you are very
 LDAP heavy (some applications are like Jira for example).
 If you have 2 data centers I would go for 2+2.

 

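Rob's topology rules above (no master with more than 4 agreements, no master left alone, at least two CA masters) are easy to get wrong when sketching a multi-site plan by hand. The following is an added checker for a planned topology, an editorial example rather than anything from IPA or this thread; the hostnames and agreements are made up.

```python
"""Sanity-check a planned FreeIPA replication topology against the advice in
this thread: no master with more than 4 agreements, no master left alone
(the agreement graph must be connected), and at least two CA masters.

Constructed example; the hostnames below are made up and the checks are this
editor's, not an IPA tool.
"""
from collections import defaultdict, deque

MAX_AGREEMENTS_PER_MASTER = 4   # Deployment Recommendations figure quoted in the thread
MIN_CA_MASTERS = 2              # avoid a single point of failure for the CA


def check_topology(masters, agreements, ca_masters):
    """Return a list of human-readable problems; an empty list means the plan is OK.

    masters     - iterable of master FQDNs (every IPA server is a master)
    agreements  - iterable of (a, b) pairs, one per replication agreement
    ca_masters  - iterable of FQDNs that will run a CA (ipa-ca-install)
    """
    masters = set(masters)
    ca_masters = set(ca_masters)
    problems = []

    # Build an undirected adjacency map; agreements are symmetric in IPA.
    adj = defaultdict(set)
    for a, b in agreements:
        if a == b:
            problems.append(f"{a}: agreement with itself")
            continue
        for end in (a, b):
            if end not in masters:
                problems.append(f"{end}: agreement references unknown master")
        adj[a].add(b)
        adj[b].add(a)

    # Rule 1: per-master agreement count (each one costs CPU for change computation).
    for m in sorted(masters):
        n = len(adj[m])
        if n > MAX_AGREEMENTS_PER_MASTER:
            problems.append(f"{m}: {n} agreements (max {MAX_AGREEMENTS_PER_MASTER})")
        if n == 0 and len(masters) > 1:
            problems.append(f"{m}: no agreements, master would be isolated")

    # Rule 2: every master must be reachable from every other (connected graph).
    if masters:
        start = next(iter(sorted(masters)))
        seen = {start}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        stranded = sorted(masters - seen)
        if stranded:
            problems.append("topology is partitioned; unreachable from "
                            f"{start}: {', '.join(stranded)}")

    # Rule 3: CA redundancy.
    if len(ca_masters & masters) < MIN_CA_MASTERS:
        problems.append(f"only {len(ca_masters & masters)} CA master(s); "
                        f"need at least {MIN_CA_MASTERS}")
    return problems


# Constructed sample: two data centres, 2+2 masters as suggested in the thread.
SAMPLE_MASTERS = ["ipa1.dc1.example.test", "ipa2.dc1.example.test",
                  "ipa1.dc2.example.test", "ipa2.dc2.example.test"]
SAMPLE_AGREEMENTS = [
    ("ipa1.dc1.example.test", "ipa2.dc1.example.test"),  # intra-DC1
    ("ipa1.dc2.example.test", "ipa2.dc2.example.test"),  # intra-DC2
    ("ipa1.dc1.example.test", "ipa1.dc2.example.test"),  # cross-DC link
    ("ipa2.dc1.example.test", "ipa2.dc2.example.test"),  # second cross-DC link
]
SAMPLE_CA_MASTERS = ["ipa1.dc1.example.test", "ipa1.dc2.example.test"]

if __name__ == "__main__":
    for p in check_topology(SAMPLE_MASTERS, SAMPLE_AGREEMENTS, SAMPLE_CA_MASTERS):
        print("PROBLEM:", p)
```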


Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-14 Thread Janelle

Hi Rob,

Thanks for that - it clears up one point - and explains why the replica 
manage command shows all masters, but what I don't understand is how to 
get the CA to a replica once it is created? I don't see anything in 
the docs on that. Am I missing something very obvious here? I am coming 
from the AD world and trying to replace it, so please excuse my 
ignorance in this area.


thanks
Janelle


On 10/14/14 6:48 AM, Rob Crittenden wrote:

Janelle wrote:

Hi again,

A lot of this information has been very useful.  I did have a question I
could not answer. I noticed in the Deployment Recommendations docs, it
says not to have any more than 4 replication agreements. Perhaps I am
missing something, but I don't see how to get a replica to be a master
to be able to create another replicate?  Am I missing something obvious
here?

Every IPA install is a master. The only distinction between servers is
the optional services of DNS and a CA. So don't get confused by replica
vs master. Once an IPA server is up it is a master.

We don't recommend any one master to have more than 4 agreements. Each
agreement adds a bit more load on the server to calculate the
differences to send to each one, so you want to keep it reasonable. I'd
recommend making a map of your topology to ensure that no master ends up
alone, or one ends up being overloaded. You can use ipa-replica-manage
to control the replication topology. By default a single agreement is
set up between a new master and the one that created it.

Any master can create a new master.

As you do your installations be sure to have at least 2 masters with a
CA on it to avoid a single point of failure.

rob


Thank you,
~Janelle

On 10/13/14 3:18 PM, Dmitri Pal wrote:

On 10/12/2014 08:07 PM, James wrote:

On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:

Hi again,

I was wondering if there were any suggestions for performance of IPA
and
settings to sysctl and maybe limits.conf? I tried the website, but
did not
see anything.  Have about 3000 servers that will be talking to 3-4
masters/replicas. Are there any formulas to follow?

thanks

If you get an answer to this, or if you know of any other performance
tuning params, let me know and I'll build it in to puppet-ipa.

Thanks,
James


I do not think it is easily automatable.
Please see http://www.freeipa.org/page/Deployment_Recommendations and
part about replicas.
If 3000 in one datacenter then 3 is good enough or 4 if you are very
LDAP heavy (some applications are like Jira for example).
If you have 2 data centers I would go for 2+2.





Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-14 Thread Rob Crittenden
Janelle wrote:
 Hi Rob,
 
 Thanks for that - it clears up one point - and explains why the replica
 manage command shows all masters, but what I don't understand is how to
 get the CA to a replica once it is created? I don't see anything in
 the docs on that. Am I missing something very obvious here? I am coming
 from the AD world and trying to replace it, so please excuse my
 ignorance in this area.

ipa-ca-install

rob

 
 thanks
 Janelle
 
 
 On 10/14/14 6:48 AM, Rob Crittenden wrote:
 Janelle wrote:
 Hi again,

 A lot of this information has been very useful.  I did have a question I
 could not answer. I noticed in the Deployment Recommendations docs, it
 says not to have any more than 4 replication agreements. Perhaps I am
 missing something, but I don't see how to get a replica to be a master
 to be able to create another replicate?  Am I missing something obvious
 here?
 Every IPA install is a master. The only distinction between servers is
 the optional services of DNS and a CA. So don't get confused by replica
 vs master. Once an IPA server is up it is a master.

 We don't recommend any one master to have more than 4 agreements. Each
 agreement adds a bit more load on the server to calculate the
 differences to send to each one, so you want to keep it reasonable. I'd
 recommend making a map of your topology to ensure that no master ends up
 alone, or one ends up being overloaded. You can use ipa-replica-manage
 to control the replication topology. By default a single agreement is
 set up between a new master and the one that created it.

 Any master can create a new master.

 As you do your installations be sure to have at least 2 masters with a
 CA on it to avoid a single point of failure.

 rob

 Thank you,
 ~Janelle

 On 10/13/14 3:18 PM, Dmitri Pal wrote:
 On 10/12/2014 08:07 PM, James wrote:
 On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote:
 Hi again,

 I was wondering if there were any suggestions for performance of IPA
 and
 settings to sysctl and maybe limits.conf? I tried the website, but
 did not
 see anything.  Have about 3000 servers that will be talking to 3-4
 masters/replicas. Are there any formulas to follow?

 thanks
 If you get an answer to this, or if you know of any other performance
 tuning params, let me know and I'll build it in to puppet-ipa.

 Thanks,
 James

 I do not think it is easily automatable.
 Please see http://www.freeipa.org/page/Deployment_Recommendations and
 part about replicas.
 If 3000 in one datacenter then 3 is good enough or 4 if you are very
 LDAP heavy (some applications are like Jira for example).
 If you have 2 data centers I would go for 2+2.

 



Re: [Freeipa-users] strange error from EL 7 install?

2014-10-14 Thread Lukas Slebodnik
On (14/10/14 16:03), Fraser Tweedale wrote:
On Mon, Oct 13, 2014 at 10:08:55PM -0700, Janelle wrote:
 Actually, I did find a fix and forgot to post.
 
 I was able to mirror the COPR repo, and after reviewing it, found that
 simply removing the pki-base...fc21 directory, and regenning the repo data
 with createrepo, fixed the problem. It drops the version of PKI back to the
 10.1 branch and that resolved the dependencies.
 
 Hope this helps,
 Janelle
 

Glad you were able to find a fix.  Of course, we will still need to
fix the 10.2 build, so thanks for reporting!

If the dogtag team adds a new dependency you will not be able to fix the 10.2 build.
I am able to install pki-base-10.2 on fedora 21 without any problem.
So there isn't a problem in pki-base.

The problem is with backporting pki-base to el7.
The package jackson-jaxrs-json-provider should be backported to el7 as well.
(or someone should package jackson-jaxrs-json-provider in epel7)

If we don't want to have the latest packages from fedora in the COPR repo then
the other option is to have the minimal required version of packages in the COPR repo.
It would reduce the count of backported packages.

LS



Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Petr Spacek

On 14.10.2014 15:06, Alexander Bokovoy wrote:

On Tue, 14 Oct 2014, Orkhan Gasimov wrote:

So which way do I go?
1) Change the server VM`s hostname from ipa1.eurosel.az to
ipa1.ipa.eurosel.az prior to issuing IPA installation command
2) or leave my hostname and contents of /etc/hosts file intact and specify a
different FQDN and domain part of the IPA server after issuing IPA
installation command?
Yes, I know - this is a question Homer Simpson would ask.

Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA with
integrated DNS. Essentially, (1), with domain=ipa.eurosel.az, realm
IPA.EUROSEL.AZ.

If you want later to see how this setup scales, all you would need to do
is to make sure the other clients would use ipa1.ipa.eurosel.az as a
resolver.


Again - in production it is unnecessary to change resolv.conf if you have 
proper NS records in place.


Petr^2 Spacek


14-Oct-14 17:43, Petr Spacek writes:

On 14.10.2014 13:48, Orkhan Gasimov wrote:

I need further assistance with this moment:
specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az) .

Currently my FreeIPA server's hostname is ipa1.eurosel.az, and client's
hostname is bsd1.eurosel.az.
So when running this command:

ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server,

the installation program detects the hostname of the VM (ipa1.eurosel.az) and
offers it as IPA server FQDN;
then it offers eurosel.az as the domain name. I can make changes right
during the installation process (FQDN = ipa1.ipa.eurosel.az & domain =
ipa.eurosel.az), but then there will be a conflict with the real hostname and
records in the /etc/hosts file.

On the other hand, if I change the hostname of the server VM to
ipa1.ipa.eurosel.az prior to running the IPA installation program, then the
installation program will offer my server an FQDN of ipa1.ipa.eurosel.az and
a domain name of ipa.eurosel.az. But doesn`t it mean that my client`s
hostname should also be changed to bsd1.ipa.eurosel.az? I`d like to avoid
this, because in production I won`t be able to change the domain part of FQDN
for hundreds of clients.


Clients don't need to be in the same domain as IPA. The IPA domain in DNS
is necessary to store 'metadata' like SRV and TXT records etc.

You can even experiment with IPA servers which are not in the IPA domain
but I'm not sure how much it was tested.

Alexander can add more details about records required for AD integration
and how it should work with clients which are not in the IPA domain.

Petr^2 Spacek



14-Oct-14 16:29, Petr Spacek writes:

On 14.10.2014 11:49, Orkhan Gasimov wrote:

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: ipa_server = _srv_ #our FreeIPA server has DNS
SRV entries was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because I was unsure if it was appropriate for my simple
setup with just 2 VMs and a bunch of records in /etc/hosts file. After
starting sssd, I could get no IPA data with getent passwd or getent group
commands. Then I uncommented it and restarted sssd, but things remained the
same.

Now your advice is:  ...add IP address or hostname to the option ipa_server,
but you use an arbitrary name like vm-120.eurosel.az. Could you please
explain which host`s FQDN I should put there? If I use ipa1.eurosel.az, then
sssd won`t start (complains about ...Looping detected inside
krb5_get_in_tkt...).

If it MUST be a DNS server, then everything changes. And the question then
becomes: is it possible to set up a test FreeIPA client-server interaction
using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or
one MUST add a third VM and make it a DNS server to facilitate client-server
interaction?


IPA theoretically can work without DNS records but it requires very careful
configuration on clients and is strongly discouraged.

If you want to do a quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder ip address of your *existing*
DNS server
+ specify IPA domain name which is sub-domain of your existing domain (e.g.
ipa.eurosel.az)
+ change /etc/resolv.conf on *all* clients to point to IPA server

*This is a dirty trick* and it will not work unless all your clients have the
IPA server in resolv.conf. It will most likely break when you try to use AD
trust with AD clients etc.


*In a production environment* you should add NS records for ipa.eurosel.az
domain to the parent DNS zone to create proper delegation. In that case you
don't need to fiddle with resolv.conf on all clients.

Let me know if you need further assistance.

Petr^2 Spacek



14-Oct-14 12:58, Lukas Slebodnik writes:

On (14/10/14 10:23), Orkhan Gasimov wrote:

Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting debug_level = 7 either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at 
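Petr's advice in this thread separates the resolv.conf trick from proper NS delegation of the IPA sub-domain. The following added example (not from FreeIPA or this thread) checks, through a pluggable resolver, whether the delegation, the glue A record, the _kerberos TXT record and the SRV records that let a client find the server are all in place; the names follow the thread's ipa.eurosel.az setup, while the 192.0.2.10 address and all answers are constructed.

```python
"""Check whether the DNS pieces this thread says an IPA client needs are in
place: an NS delegation for the IPA sub-domain in the parent zone, glue for
the IPA server, the _kerberos TXT record, and the SRV records that
`ipa_server = _srv_` in sssd.conf relies on.

Added example, not a FreeIPA tool. The resolver is pluggable so the checks can
run offline against constructed answers; dig_resolver shells out to dig(1)
when you want to test a real deployment.
"""
import shutil
import subprocess

# Service records ipa-server-install publishes in the IPA DNS zone; ports are
# the standard Kerberos/LDAP ports (88 KDC, 464 kpasswd, 389 LDAP).
REQUIRED_SRV = [
    ("_kerberos._udp", 88),
    ("_kerberos._tcp", 88),
    ("_kpasswd._udp", 464),
    ("_kpasswd._tcp", 464),
    ("_ldap._tcp", 389),
]


def dig_resolver(name, rtype):
    """Resolve with the system resolver via `dig +short`; [] if dig is missing."""
    if shutil.which("dig") is None:
        return []
    out = subprocess.run(["dig", "+short", name, rtype],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def make_fake_resolver(records):
    """Build a resolver over a {(name, rtype): [answers]} dict (for offline tests)."""
    return lambda name, rtype: list(records.get((name.rstrip(".").lower(), rtype), []))


def check_ipa_dns(ipa_domain, server_fqdn, realm, resolve=dig_resolver):
    """Return a list of problems found; empty means clients should be able to
    locate the IPA server through DNS alone (no resolv.conf trick needed)."""
    problems = []
    ipa_domain = ipa_domain.rstrip(".").lower()
    server = server_fqdn.rstrip(".").lower()

    # 1. Delegation: the parent zone must answer NS for the IPA sub-domain.
    ns = [n.rstrip(".").lower() for n in resolve(ipa_domain, "NS")]
    if not ns:
        problems.append(f"no NS delegation for {ipa_domain}: only hosts with the "
                        "IPA server in resolv.conf will resolve the IPA records")
    elif server not in ns:
        problems.append(f"NS for {ipa_domain} does not include {server}: {ns}")

    # 2. Glue/A record for the server itself.
    if not resolve(server, "A"):
        problems.append(f"no A record for {server}")

    # 3. Realm hint used by Kerberos clients.
    txt = [t.strip('"').upper() for t in resolve(f"_kerberos.{ipa_domain}", "TXT")]
    if realm.upper() not in txt:
        problems.append(f"_kerberos.{ipa_domain} TXT does not name realm {realm}: {txt}")

    # 4. SRV records: dig +short prints "prio weight port target".
    for svc, port in REQUIRED_SRV:
        name = f"{svc}.{ipa_domain}"
        targets = []
        for ans in resolve(name, "SRV"):
            fields = ans.split()
            if len(fields) == 4 and fields[2] == str(port):
                targets.append(fields[3].rstrip(".").lower())
        if server not in targets:
            problems.append(f"{name} SRV missing or not pointing at {server}:{port}")
    return problems


# Constructed answers for the setup discussed in the thread (delegation present).
GOOD_RECORDS = {
    ("ipa.eurosel.az", "NS"): ["ipa1.ipa.eurosel.az."],
    ("ipa1.ipa.eurosel.az", "A"): ["192.0.2.10"],  # documentation address, made up
    ("_kerberos.ipa.eurosel.az", "TXT"): ['"IPA.EUROSEL.AZ"'],
}
for _svc, _port in REQUIRED_SRV:
    GOOD_RECORDS[(f"{_svc}.ipa.eurosel.az", "SRV")] = [f"0 100 {_port} ipa1.ipa.eurosel.az."]

if __name__ == "__main__":
    res = make_fake_resolver(GOOD_RECORDS)
    print(check_ipa_dns("ipa.eurosel.az", "ipa1.ipa.eurosel.az", "IPA.EUROSEL.AZ", res))
```

Run it with the default resolver from a client that is not pointed at the IPA server: an empty list means the parent-zone delegation works, while "no NS delegation" means that client is relying on the dirty trick.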

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Orkhan Gasimov
Ok, friends, you helped me to understand one thing. My test scenario with 2 VMs 
and no DNS server introduces problems with DNS resolution, which seems to be 
almost necessary. So now I have 2 tasks:
1) properly configure IPA server to work with DNS;
2) make a FreeBSD host (which is a non-native client for FreeIPA) join an IPA 
domain.
As problems of the first task can be errantly considered to be problems of the 
second task, I'll change my approach. First I'll try to set up a Fedora FreeIPA 
server with DNS and add a native Fedora FreeIPA client to it. (I guess a 
Fedora client:
1) should be easier to set up;
2) is guaranteed to work if configured properly.)
Then I'll try to add a FreeBSD client to my working setup and see if the post 
at FreeBSD forums leads to a working solution. I'll share the results with you, 
however it may take some time before I set up a working Fedora IPA server - 
Fedora IPA client setup. If you have any links to proved-to-work tutorials 
(either in text or video format), please share.

Sent from Blue Mail



On 14.10.2014 at 23:47, Petr Spacek pspa...@redhat.com wrote:

On 14.10.2014 15:06, Alexander Bokovoy wrote:
 On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
 So which way do I go?
 1) Change the server VM`s hostname from ipa1.eurosel.az to
 ipa1.ipa.eurosel.az prior to issuing IPA installation command
 2) or leave my hostname and contents of /etc/hosts file intact and
 specify a different FQDN and domain part of the IPA server after
 issuing IPA installation command?
 Yes, I know - this is a question Homer Simpson would ask.
 Allocate ipa.eurosel.az domain zone to FreeIPA and install FreeIPA
 with integrated DNS. Essentially, (1), with domain=ipa.eurosel.az,
 realm IPA.EUROSEL.AZ.

 If you want later to see how this setup scales, all you would need
 to do is to make sure the other clients would use
 ipa1.ipa.eurosel.az as a resolver.

Again - in production it is unnecessary to change resolv.conf if you have
proper NS records in place.

Petr^2 Spacek

 14-Oct-14 17:43, Petr Spacek writes:
 On 14.10.2014 13:48, Orkhan Gasimov wrote:
 I need further assistance with this moment:
 specify IPA domain name which is sub-domain of your existing
 domain (e.g. ipa.eurosel.az) .

 Currently my FreeIPA server's hostname is ipa1.eurosel.az, and
 client's hostname is bsd1.eurosel.az.
 So when running this command:

 ipa-server-install --setup-dns --forwarder ip address of your
 *existing* DNS server,

 the installation program detects the hostname of the VM
 (ipa1.eurosel.az) and offers it as IPA server FQDN;
 then it offers eurosel.az as the domain name. I can make changes
 right during the installation process (FQDN = ipa1.ipa.eurosel.az &
 domain = ipa.eurosel.az), but then there will be a conflict with the
 real hostname and records in the /etc/hosts file.

 On the other hand, if I change the hostname of the server VM to
 ipa1.ipa.eurosel.az prior to running the IPA installation program,
 then the installation program will offer my server an FQDN of
 ipa1.ipa.eurosel.az and a domain name of ipa.eurosel.az. But
 doesn`t it mean that my client`s hostname should also be changed to
 bsd1.ipa.eurosel.az? I`d like to avoid this, because in production
 I won`t be able to change the domain part of FQDN for hundreds of
 clients.

 Clients don't need to be in the same domain as IPA. The IPA domain
 in DNS is necessary to store 'metadata' like SRV and TXT records etc.

 You can even experiment with IPA servers which are not in the IPA
 domain but I'm not sure how much it was tested.

 Alexander can add more details about records required for AD
 integration and how it should work with clients which are not in the
 IPA domain.

 Petr^2 Spacek


 14-Oct-14 16:29, Petr Spacek writes:
 On 14.10.2014 11:49, Orkhan Gasimov wrote:
 I suspected that problems could arise with DNS, and here they are...

 In fact, this entire string: ipa_server = _srv_ #our FreeIPA server
 has DNS SRV entries was taken as-is from the how-to on FreeBSD
 forums. First I commented it out, because I was unsure if it was
 appropriate for my simple setup with just 2 VMs and a bunch of
 records in /etc/hosts file. After starting sssd, I could get no IPA
 data with getent passwd or getent group commands. Then I uncommented
 it and restarted sssd, but things remained the same.

 Now your advice is: ...add IP address or hostname to the option
 ipa_server, but you use an arbitrary name like vm-120.eurosel.az.
 Could you please explain which host`s FQDN I should put there? If I
 use ipa1.eurosel.az, then sssd won`t start (complains about
 ...Looping detected inside krb5_get_in_tkt...).

 If it MUST be a DNS server, then everything changes. And the
 question then becomes: is it possible to set up a test FreeIPA
 client-server interaction using only 2 VMs and proper records in
 /etc/hosts instead of a DNS server? Or one MUST add a third VM and
 make it a DNS server to facilitate client-server interaction?

 IPA 

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-14 Thread Fraser Tweedale
On Tue, Oct 14, 2014 at 03:13:06PM +0200, Lukas Slebodnik wrote:
 On (14/10/14 17:48), Fraser Tweedale wrote:
 On Tue, Oct 14, 2014 at 12:34:09PM +0500, Orkhan Gasimov wrote:
  With help from Alexander Bokovoy I found correct log destinations:
  
  sssd-domain-log:
  https://cloud.mail.ru/public/1e803a00989e%2Fsssd_eurosel.az.log
  sssd-nss-log: https://cloud.mail.ru/public/ae41ae3b44b6%2Fsssd_nss.log
  
  These files are from my second Fedora - FreeBSD setup, they have different
  domain name, but everything else is identical.
  
  Interestingly enough, there are lines in sssd_nss.log telling that there
  are no users or groups in the domain. But as I said, I can ssh to the IPA
  server as an IPA user.
  
 Hi Orkhan,
 
 Thanks for the logs.  What were their actual locations?
 
 I'm going to try and reproduce your setup and see whether I get the
 same outcome.  I have been building and installing the ports as
 indicated in the forum post, and one thing I have noticed is that
 there are a lot of configuration options on some of the important
 ports - perhaps there was an important option that the author forgot
 to mention.
 
 You needn't build sssd from ports. You can install sssd with the pkg utility.
 The only necessary step is to build the openldap client with SASL support,
 because the default version of the openldap client is built without SASL support.
 sssd cannot initialize ipa_provider with openldap libraries without SASL
 support. On the other hand, {ldap,krb5,ad} providers can be used without any
 problem.
 
 The steps, how to build the openldap client with SASL support, are described
 in the freebsd forum.
 
 It is the end of the day for me, but sssd is now installed so I
 should let you know tomorrow whether I am running into the same
 issues as you, or whether I find success.
 
 (As a side note: once I get to a working setup I will create and
 publish a pkg(8) repo with the needed ports built with the correct
 options and make.conf variables.  This should make it easier and
 certainly quicker to use FreeBSD as a FreeIPA client.)
 I am not sure what you are trying to do. Everything is described on the forum.
 If something isn't clear, feel free to send a rephrased (updated) version of
 the howto. I can contact the author of that post.
 
Since there are non-default options and make variables to be set, is
it not desirable that there be a pkg(8) repository people can use to
install the packages needed for ipa integration?

I think it is desirable.  It is easy to do, thanks to
ports-mgmt/poudriere.

Fraser

 LS
