Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
Petr said, "You can run ipa-server-install *without* --setup-dns option and
at the end of installation it will produce DNS records which you have to
manually add to your existing DNS database."

I can't see how this would be useful or which machines I would need to add
to our DNS.

Perhaps I should have explained that we are not going to set up a new DNS
domain for the ipa-managed servers. We have an Oracle dsee7 server doing
LDAP for our Linux servers and accounts. We want to migrate to IPA so we
don't have to maintain a Linux/LDAP account for every user who needs access
to Linux servers. All of our users start with an account in AD and since
none of my predecessors knew about Winbind, they set up dsee7.

So I'm thinking we'll need to import all our dsee7 accounts AND make it
possible for AD users to access the Linux systems without needing to create
them in IPA.

On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek pspa...@redhat.com wrote:

 On 8.12.2014 05:02, Dmitri Pal wrote:
  On 12/07/2014 10:10 PM, Matthew Herzog wrote:
  So should the FreeIPA server be authoritative for the Kerb. realm/DNS
  domain, or can it/should it be a slave DNS server instead? Or caching only?
  
  IPA DNS can't be a slave, so you either delegate a whole zone to it or
  manage the IPA DNS domain via your own DNS server.

 Generally, a slave is not allowed to make any changes, so it is useless in
 your scenario.

 You can run ipa-server-install *without* --setup-dns option and at the end
 of installation it will produce DNS records which you have to manually add
 to your existing DNS database.

 Did you try that?

 Petr^2 Spacek

  On Sun, Dec 7, 2014 at 9:57 PM, Dmitri Pal d...@redhat.com wrote:
 
  On 12/07/2014 09:51 PM, Matthew Herzog wrote:
  What must be done in or on the ipa server with regard to DNS, if
  anything?
 
  Our DNS works. It works well. We have four Linux DNS servers and
  two AD domain controllers that also do DNS.
 
  So if we already have DNS working well in our domain, why do we
  want to manage DNS in IPA?
 
  Let us keep the discussion on the list.
  IPA when used with AD trust presents itself as a separate forest.
  AD thinks that it is working with another AD forest.
  For that to work we need to follow MSFT rules about relationship
  between Kerberos realm and DNS domain.
  AD assumes that for every trusted forest Kerberos realm = DNS
  domain. IPA makes it easy to do because it has integrated tools to
  manage IPA DNS domain.
  If you want to manage it yourself through your DNS you can do it,
  just more manual operations for you.
 
  HTH
 
  Thanks
  Dmitri
 
 
 
  On Sun, Dec 7, 2014 at 9:44 PM, Dmitri Pal d...@redhat.com wrote:
 
  On 12/07/2014 06:44 PM, Matthew Herzog wrote:
  Thanks guys. I'm sorry for my delay in responding.
 
  Firstly, I was under the impression (from reading the docs)
  that having named running on IPA server was critical.
 
  Properly configured DNS is critical.
  How you accomplish it is up to you.
  IPA allows you to have a DNS server that would simplify DNS
  management but it can be done manually too. This is why DNS
  is optional.
 
 
  Also, the first question the ipa-server-install script asks
  is, "Do you want to configure integrated DNS (BIND)?".
  While it's true the default answer is no, it leads one to
  believe that DNS is central to IPA. Also the
  ipa-client-install script says,
 
  [root@freeipa-poc-client02 ~]# ipa-client-install
  DNS discovery failed to determine your DNS domain
  Provide the domain name of your IPA server (ex: example.com):
 
  I can resolve -anything- from the machine using dig or whatever.
 
  Ultimately, the reason I started to be concerned about my
  IPA server's DNS config was because I was not able to
  authenticate AD accounts to a client machine. I saw a bunch
  of errors in the client's sssd logs which of course I can't
  find now.
 
  Perhaps it was these . . .
 
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service nss replied to ping
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service sudo replied to ping
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pam replied to ping
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service ssh replied to ping
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service pac replied to ping
  (Thu Dec  4 13:45:23 2014) [sssd] [ping_check] (0x0100): Service bo3.e-bozo.com replied to ping
 
  I'm not allowed onto the AD domain controllers to examine
   

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Dmitri Pal

On 12/08/2014 08:44 AM, Matthew Herzog wrote:
Petr said, "You can run ipa-server-install *without* --setup-dns option and
at the end of installation it will produce DNS records which you have to
manually add to your existing DNS database."

I can't see how this would be useful or which machines I would need to 
add to our DNS.


Perhaps I should have explained that we are not going to set up a new 
DNS domain for the ipa-managed servers. We have an Oracle dsee7 server 
doing LDAP for our Linux servers and accounts. We want to migrate to 
IPA so we don't have to maintain a Linux/LDAP account for every user 
who needs access to Linux servers. All of our users start with an 
account in AD and since none of my predecessors knew about Winbind, 
they set up dsee7.


So I'm thinking we'll need to import all our dsee7 accounts AND make 
it possible for AD users to access the Linux systems without needing 
to create them in IPA.



So the approach would be:

1) Install IPA (do not migrate users)
2) Establish trust with AD
3) Start switching client configuration from using LDAP with dsee7 to 
SSSD pointing to IPA


You do not need to migrate users.




[Freeipa-users] Problem adding group after update IPA from CentOS 6.6 to 7.0

2014-12-08 Thread Gianluca Cecchi
Hello,
I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

Now, adding a group from console with command
ipa group-add
I get this kind of error:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

The same happens if I add from the web GUI without specifying a GID.
Instead, if I specify a GID it completes, both from console and web GUI:

[root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add --gid 163969
Group name: mynewgroup
Description: My New Group
---
Added group mynewgroup
---
  Group name: mynewgroup
  Description: My New Group
  GID: 163969


I notice that previously created groups (from the command line) in 6.5 got
GIDs starting from 163961. The system-generated groups admins and editors
have 163960 and 163962.

My DNA config on the migrated CentOS 7 server is this:

dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaScope: dc=localdomain,dc=local
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141206144811Z
modifyTimestamp: 20141206144811Z
aci: (targetattr="dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)

My CentOS 6.5 server was created with command
ipa-server-install
without any options

And after the install, the creation of the first user ID gave this output:

[root@infra install]# ipa user-add
First name: Gianluca
Last name: Cecchi
User login [gcecchi]:

Added user gcecchi

  User login: gcecchi
  First name: Gianluca
  Last name: Cecchi
  Full name: Gianluca Cecchi
  Display name: Gianluca Cecchi
  Initials: GC
  Home directory: /home/gcecchi
  GECOS field: Gianluca Cecchi
  Login shell: /bin/sh
  Kerberos principal: gcecchi@LOCALDOMAIN.LOCAL
  Email address: gcecchi@localdomain.local
  UID: 163961
  GID: 163961
  Password: False
  Kerberos keys available: False

So the GID was auto-set to 163961.
Could it be that some sort of dnaNextRange was not migrated from CentOS 6.5
to CentOS 7.0?

I found this kind of information in the manual about adding ranges...

ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389
Enter LDAP Password: ***
dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 12340-12350

But I also see in the CentOS 7 config this line that I don't understand...
aci: (targetattr="dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)


Inside the log file of the required schema update for CentOS 6.5, to be run
before creating the replica for CentOS 7, I see:

2014-12-06T11:42:10Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG -
2014-12-06T11:42:10Z DEBUG Initial value
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG  top
2014-12-06T11:42:10Z DEBUG  extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 163968
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG  uidNumber
2014-12-06T11:42:10Z DEBUG  gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 163979
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG replace: (|(objectclass=posixAccount)(objectClass=posixGroup)) not found, skipping
2014-12-06T11:42:10Z DEBUG -
2014-12-06T11:42:10Z DEBUG Final value after applying updates
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Simo Sorce
On Mon, 08 Dec 2014 08:58:46 -0500
Dmitri Pal d...@redhat.com wrote:

  Perhaps I should have explained that we are not going to set up a
  new DNS domain for the ipa-managed servers.

Note that if you cannot set up a new DNS domain and this domain is the
same as the AD domain, then you cannot do the stuff Dmitri describes
below. The only way to have accounts on FreeIPA in this case is to use
the winsync method, which has a number of limitations.
Also, clients will be rather confused when you try to run
ipa-client-install, as they will find AD servers instead of IPA servers.
Finally, you'll have to use a different realm name for the IPA domain,
one that doesn't match the AD domain.

HTH,
Simo.

  We have an Oracle dsee7
  server doing LDAP for our Linux servers and accounts. We want to
  migrate to IPA so we don't have to maintain a Linux/LDAP account
  for every user who needs access to Linux servers. All of our users
  start with an account in AD and since none of my predecessors knew
  about Winbind, they set up dsee7.
 
  So I'm thinking we'll need to import all our dsee7 accounts AND
  make it possible for AD users to access the Linux systems without
  needing to create them in IPA.  
 
 
 So the approach would be:
 
 1) Install IPA (do not migrate users)
 2) Establish trust with AD
 3) Start switching client configuration from using LDAP with dsee7 to 
 SSSD pointing to IPA
 
 You do not need to migrate users.



-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
My Linux/LDAP domain is lnx.e-bozo.com. The AD domain is ad.e-bozo.com.
This has always been the case. I set up my FreeIPA server in the
lnx.e-bozo.com domain using realm LNX.E-BOZO.COM. In light of this, how
should I proceed?

-- 
If life gives you melons, you may be dyslexic.

Re: [Freeipa-users] Problem adding group after update IPA from CentOS 6.6 to 7.0

2014-12-08 Thread Gianluca Cecchi

Based on the info in the log of the CentOS 6.5 system, at the moment I solved
the problem this way and it seems to work.
Let me know if you think I misunderstood anything.

I created /root/dna_addrange.ldif:

dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 163961-163979
-

[root@c7server slapd-LOCALDOMAIN-LOCAL]# ldapmodify -x -D "cn=Directory Manager" -f /root/dna_addrange.ldif -W
Enter LDAP Password:
modifying entry "cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

Now the group-add command automatically inserts an unallocated GID, 163965:
[root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add
Group name: testgroup
Description: test group per generazione gid
---
Added group testgroup
---
  Group name: testgroup
  Description: test group per generazione gid
  GID: 163965

Gianluca
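To turn the diagnosis from these two messages into a repeatable check, here is an added example (not from the thread, FreeIPA or 389-ds) that parses the cn=Posix IDs entry as ldapsearch prints it, folded lines included, and reports the exhausted-range condition, the rollover once a dnaNextRange is present, and any overlap between the chosen range and IDs already handed out. The sample entries are constructed from the values quoted in the thread; the set of already-allocated IDs is an assumed subset.

```python
import re

# Constructed from the DNA plugin entry quoted in the thread (migrated CentOS 7
# server): dnaNextValue is already past dnaMaxValue and no dnaNextRange exists,
# the state in which "Allocation of a new value for range ... failed!" appears.
BROKEN_ENTRY = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaScope: dc=localdomain,dc=local
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
"""

# The same entry after the ldapmodify from the follow-up added a dnaNextRange.
FIXED_ENTRY = BROKEN_ENTRY + "dnaNextRange: 163961-163979\n"

# Values the CentOS 6.5 server reported in the update log quoted in the thread.
OLD_SERVER_ENTRY = """\
dnaNextValue: 163968
dnaMaxValue: 163979
dnaThreshold: 500
"""

# IDs the thread shows as already handed out (admins, gcecchi, editors and the
# GID chosen by hand for mynewgroup); an assumed subset for the overlap check.
ALLOCATED_IDS = frozenset({163960, 163961, 163962, 163969})


def parse_ldif_entry(text):
    """One LDIF entry -> {attribute_lowercased: [values]}.  A line starting with
    a space continues the previous one (LDIF folding); '::' base64 values are
    not decoded here."""
    unfolded = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_range(spec):
    """'163961-163979' -> (163961, 163979); rejects malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", spec)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad dnaNextRange: %r" % spec)
    return int(m.group(1)), int(m.group(2))


def check_dna(entry, allocated_ids=frozenset()):
    """Return human-readable findings for a cn=Posix IDs DNA entry."""
    findings = []
    next_value = int(entry["dnanextvalue"][0])
    max_value = int(entry["dnamaxvalue"][0])
    threshold = int(entry.get("dnathreshold", ["0"])[0])
    next_range = entry.get("dnanextrange", [None])[0]
    remaining = max_value - next_value + 1   # IDs left in the active range

    if remaining <= 0 and next_range is None:
        findings.append("EXHAUSTED: dnaNextValue %d is past dnaMaxValue %d and no dnaNextRange "
                        "is set; ipa user-add/group-add without an explicit ID will fail"
                        % (next_value, max_value))
    elif remaining <= 0:
        findings.append("ROLLOVER: active range exhausted, next allocation comes from "
                        "dnaNextRange %s" % next_range)
    elif remaining <= threshold:
        findings.append("LOW: %d IDs left, at or below dnaThreshold %d, where the plugin "
                        "asks its peers (dnaSharedCfgDN) for a new range" % (remaining, threshold))

    if next_range is not None:
        low, high = parse_range(next_range)
        overlap = sorted(i for i in allocated_ids if low <= i <= high)
        if overlap:
            findings.append("OVERLAP: dnaNextRange %s contains %d IDs already in use (e.g. %d); "
                            "choose a range clear of allocated IDs" % (next_range, len(overlap), overlap[0]))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ENTRY), ("fixed", FIXED_ENTRY), ("old6.5", OLD_SERVER_ENTRY)):
        for finding in check_dna(parse_ldif_entry(text), ALLOCATED_IDS) or ["OK"]:
            print("%-7s %s" % (label, finding))
```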

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Dmitri Pal

On 12/08/2014 10:07 AM, Matthew Herzog wrote:
My Linux/LDAP domain is lnx.e-bozo.com. The AD domain is ad.e-bozo.com.
This has always been the case. I set up my FreeIPA server in the
lnx.e-bozo.com domain using realm LNX.E-BOZO.COM. In light of this, how
should I proceed?


If you prefer to continue using your DNS servers, then you need to manually
add to your DNS all the DNS records that FreeIPA defined for you at the end
of the installation.

Once you have done this, you should be able to establish the trust.

You would need to update your DNS server with any new replicas you add.



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Petr Spacek
On 8.12.2014 14:44, Matthew Herzog wrote:
 Petr said, "You can run ipa-server-install *without* --setup-dns option and
 at the end of installation it will produce DNS records which you have to
 manually add to your existing DNS database."
 
 I can't see how this would be useful or which machines I would need to add
 to our DNS.
 
 Perhaps I should have explained that we are not going to set up a new DNS
 domain for the ipa-managed servers.
Good.

Now you should run ipa-server-install *without* --setup-dns, using
lnx.e-bozo.com as your IPA domain. It will install a full IPA server and spit
out a DNS zone file.

Then you *have to* take this zone file and import it into your existing DNS
infrastructure - that will give you a fully functional IPA domain lnx.e-bozo.com.

Caveat:
The preceding text assumes that 'dsee7' is not using either Kerberos or DNS SRV
records for the LDAP service in domain lnx.e-bozo.com, i.e. clients connecting to
DSEE7 should be (most likely) statically configured with the DSEE7 server name.

Petr^2 Spacek
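As an added example (not from the thread or from FreeIPA), a check to run over the zone fragment before importing it into the existing DNS and running ipa-client-install: it verifies the three points the thread makes, realm equal to the upper-cased DNS domain, IPA domain distinct from the AD domain, and the discovery records present and pointing at the IPA server. The server name ipa01.lnx.e-bozo.com, its address and the record list are assumptions; compare the list with the file your own install prints.

```python
# The records ipa-server-install writes to its sample zone file when run without
# --setup-dns, which the thread says must be carried into the existing DNS by
# hand.  Assumption: this is the 3.x-era set; compare it with the file your own
# install prints.  Ports are the standard LDAP, Kerberos and kpasswd ports.
REQUIRED_RECORDS = (
    ("_ldap._tcp", "SRV", 389),
    ("_kerberos", "TXT", None),       # carries the realm name for discovery
    ("_kerberos._tcp", "SRV", 88),
    ("_kerberos._udp", "SRV", 88),
    ("_kerberos-master._tcp", "SRV", 88),
    ("_kerberos-master._udp", "SRV", 88),
    ("_kpasswd._tcp", "SRV", 464),
    ("_kpasswd._udp", "SRV", 464),
)

# Constructed zone fragment for the thread's lnx.e-bozo.com domain; the server
# name ipa01 and the address 192.0.2.10 are placeholders.
SAMPLE_ZONE = """\
$ORIGIN lnx.e-bozo.com.
$TTL 86400
; constructed sample, modelled on the zone file ipa-server-install prints
_ldap._tcp            IN SRV 0 100 389 ipa01.lnx.e-bozo.com.
_kerberos             IN TXT "LNX.E-BOZO.COM"
_kerberos._tcp        IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kerberos._udp        IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kerberos-master._tcp IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kerberos-master._udp IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kpasswd._tcp         IN SRV 0 100 464 ipa01.lnx.e-bozo.com.
_kpasswd._udp         IN SRV 0 100 464 ipa01.lnx.e-bozo.com.
ipa01                 IN A   192.0.2.10
"""


def parse_zone(text, origin):
    """Simple one-line zone records -> [(owner_fqdn, type, rdata_tokens)].
    Handles $ORIGIN, ';' comments, optional TTL and class, '@' and relative
    names; multi-line parenthesised records (e.g. SOA) are out of scope."""
    records = []
    origin = origin.rstrip(".").lower()
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()
        if not toks:
            continue
        if toks[0].startswith("$"):
            if toks[0].upper() == "$ORIGIN":
                origin = toks[1].rstrip(".").lower()
            continue
        name = toks.pop(0)
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = name + "." + origin
        if toks and toks[0].isdigit():
            toks.pop(0)                      # TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)                      # class
        if toks:
            records.append((name.rstrip(".").lower(), toks.pop(0).upper(), toks))
    return records


def check_ipa_dns(zone_text, domain, realm, ad_domain, server):
    """Findings for the thread's three requirements: realm == upper-cased DNS
    domain, IPA domain distinct from the AD domain, and every discovery record
    present and pointing at the IPA server."""
    findings = []
    domain = domain.rstrip(".").lower()
    server = server.rstrip(".").lower()
    if realm != domain.upper():
        findings.append("REALM: realm %s is not the upper-cased DNS domain %s; AD trust "
                        "expects Kerberos realm == DNS domain" % (realm, domain))
    if domain == ad_domain.rstrip(".").lower():
        findings.append("DOMAIN: IPA domain equals the AD domain %s; ipa-client-install "
                        "would discover AD DCs instead of IPA servers" % domain)
    records = parse_zone(zone_text, domain)
    for label, rtype, port in REQUIRED_RECORDS:
        owner = "%s.%s" % (label, domain)
        hits = [rdata for name, typ, rdata in records if name == owner and typ == rtype]
        if not hits:
            findings.append("MISSING: %s %s" % (owner, rtype))
        elif rtype == "SRV":
            # SRV rdata is: priority weight port target
            if not any(len(r) == 4 and r[2].isdigit() and int(r[2]) == port
                       and r[3].rstrip(".").lower() == server for r in hits):
                findings.append("SRV: %s has no record for port %d targeting %s"
                                % (owner, port, server))
        else:
            txt = [" ".join(r).strip('"') for r in hits]
            if realm not in txt:
                findings.append("TXT: %s carries %s, expected the realm %s" % (owner, txt, realm))
    return findings


if __name__ == "__main__":
    for finding in check_ipa_dns(SAMPLE_ZONE, "lnx.e-bozo.com", "LNX.E-BOZO.COM",
                                 "ad.e-bozo.com", "ipa01.lnx.e-bozo.com") or ["OK: zone complete"]:
        print(finding)
```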


[Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
Hello,
I finally was able to configure the integration between what is in the subject.
I have made basic tests and all seems ok.

If anyone wants to test further integration scenarios and also test with
vSphere 5.5, he/she can then report here and I will cross-check eventually.

My environment is based on pure vSphere 5.1 that I'm right now using in
trial mode with vcenter server defined as a virtual appliance.

NOTE that there is a bug in this version of vSphere regarding OpenLDAP
integration in the vSphere Web Client, so that you are unable to change the
Base DN for groups after its initial configuration. In case you need to modify
that field, you have to delete and recreate the whole LDAP definition.
The bug is solved in vSphere 5.1 Update 1a.

As suggested in other threads on this and other lists, I used slapi-nis
(schema compat) plugin.
Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 and slapi-nis-0.40-4.
I was able to get both users and groups enumeration in vSphere client
(using cn=accounts for bind definition), but then no authentication of
defined users due to inability of IPA 3.0 to do bind on compat tree.

I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5, which
is indeed provided now in CentOS 7 with:

ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
slapi-nis-0.52-4.el7.x86_64

So I migrated my IPA test server from CentOS 6.6 to another server on
CentOS 7.0, following chapter 6 of the detailed guide here (only some
typos, and the use of systemctl commands for version 6 that should be read
as service commands instead):
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

After the update, these were my two LDIF files to adapt the schema compat
entries for vSphere:

1) vsphere_usermod.ldif

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

2) vsphere_groupmod.ldif

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%regsub("%{member}","^(.*)accounts(.*)","%1compat%2")
-

Applied with the commands:
ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_usermod.ldif

and
ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_groupmod.ldif


Configuration in vSphere Web Client under Identity Sources of
Administration -> Sign-On and Discovery -> Configuration
was this one:

Primary server URL: ldaps://c7server.localdomain.local:636
Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
Domain name: localdomain.local
Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
Authentication type: Password
Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local

NOTE: vadmin is a normal IPA user I created only for the bind, with no ESX
permissions (it is only part of the default ipausers IPA group).

NOTE: I used ldaps, and as the certificate I had to use the file /etc/ipa/ca.crt
from the IPA server, after copying it to the client where the browser runs and
renaming it to ca.cer without any modification at all. vSphere accepted it
without any problem.

My tests at the moment have been ok both in vSphere fat client (5.1
1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried this:

- add gcecchi IPA user at top vcenter server permissions level as a virtual
machine user (sample) default role
- verify gcecchi is able to connect both in fat and web clients
- edit settings of the vm VC1 and verify that the "Add..." button in the
hardware tab is greyed out
- add the defined esxpower IPA group at VC1 permissions level granting it
the virtual machine power user (sample) role
- logout/login gcecchi and verify nothing changed in his permissions
- add gcecchi to the IPA group esxpower
- logout/login gcecchi and verify the user now can select the "Add..."
button in the hardware tab of VC1
- logout gcecchi and remove gcecchi from IPA group esxpower
- login as gcecchi in vSphere and verify that now the "Add..." button is
disabled again
- create an IPA group named esxnestedpower and insert it in esxpower group
- login as gcecchi in vSphere and verify he is still unable to add devices
- modify IPA user gcecchi adding him to esxnestedpower group
- logout/login gcecchi from vSphere and verify that now gcecchi is able to
add a device to VC1

NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups
created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property for
their group members... I didn't investigate more, but I noticed that for
the system group admins and for newly created groups, instead it was ok...
NOTE: after my migration from IPA 3.0 to 3.3 it seems I lost 

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Dmitri Pal

On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:

Hello,
I finally was able to configure the integration between what is in the subject.
I have made basic tests and all seems ok.

If anyone wants to test further integration scenarios and also test 
with vSphere 5.5, he/she then can report here and I will crosscheck 
eventually.


My environment is based on pure vSphere 5.1 that I'm right now using 
in trial mode with vcenter server defined as a virtual appliance.


NOTE that there is a bug in this version of vSphere regarding OpenLDAP 
integration in vSphere WebClient, so that you are unable to change Base 
DN for groups after its initial configuration. In case you need to 
modify that field, you have to delete and recreate the whole LDAP 
definition.

The bug is solved in vsphere 5.1 update 1a.

As suggested in other threads on this and other lists, I 
used slapi-nis (schema compat) plugin.
Initially I tested it on CentOS 6.6 with IPA 3.0.0-42 
and  slapi-nis-0.40-4.
I was able to get both users and groups enumeration in vSphere client 
(using cn=accounts for bind definition), but then no authentication of 
defined users due to inability of IPA 3.0 to do bind on compat tree.


I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5, 
as is indeed provided now in CentOS 7 with:


ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
slapi-nis-0.52-4.el7.x86_64

So I migrated my IPA test server from CentOS 6.6 to another server in 
CentOS 7.0, following the chapter 6 of the detailed guide here (only 
some typos and use of systemctl commands for version 6 that should 
be read as service commands instead):

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

After update these were my two ldif files to adapt schema compat 
entries for vSphere


1) vsphere_usermod.ldif

dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=uniqueMember
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=inetOrgPerson
-

2) vsphere_groupmod.ldif

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: objectclass=groupOfUniqueNames
-
add: schema-compat-entry-attribute
schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
-

Applied with the command:
ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_usermod.ldif

and
ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_groupmod.ldif



Configuration in vSphere Web Client under Identity Sources of
Administration -- Sign-On and Discovery -- Configuration
was this one

Primary server URL: ldaps://c7server.localdomain.local:636
Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
Domain name: localdomain.local
Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
Authentication type: Password
Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local

NOTE: vadmin is a normal IPA user I created only for bind with no ESX 
permissions (it is only part of the default ipausers IPA group)


NOTE: I used ldaps and as certificate I had to use the file 
/etc/ipa/ca.crt on IPA server, after copying to client where running 
the browser and renaming it to ca.cer without any modification at all. 
vSphere accepted it without any problem.


My tests at the moment have been ok both in vSphere fat client (5.1 
1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried 
this:


- add gcecchi IPA user at top vcenter server permissions level as a 
virtual machine user (sample) default role
- verify gcecchi is able to connect both in fat and web clients
- edit settings of the vm VC1 and verify that the add... button in 
hardware tab is greyed out
- add the defined esxpower IPA group at VC1 permissions level granting 
it the virtual machine power user (sample) role
- logout/login gcecchi and verify nothing changed in his permissions
- add gcecchi to the IPA group esxpower
- logout/login gcecchi and verify the user now can select the add... 
button in hardware tab of VC1
- logout gcecchi and remove gcecchi from IPA group esxpower
- login as gcecchi in vSphere and verify that now the add... button 
is disabled again
- create an IPA group named esxnestedpower and insert it in esxpower group
- login as gcecchi in vSphere and verify he is still unable to add devices
- modify IPA user gcecchi adding him to esxnestedpower group
- logout/login gcecchi from vSphere and verify that now gcecchi is 
able to add device to VC1


NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups 
created in IPA 3.0 and CentOS 6.6 didn't get the uniqueMember property 
for their group members... I didn't investigate more, but I noticed 
that for the system group admins and for 
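To make visible what the groupmod LDIF in the quoted message does, here is an added Python example (not from the original post and not slapi-nis code) that applies the same `^(.*)accounts(.*)` to `%1compat%2` rewrite to constructed IPA group entries and then checks that every resulting uniqueMember falls under the user or group base DN configured in the vSphere identity source above. The base DNs, the gcecchi user and the esxpower/esxnestedpower groups mirror the ones on the page; the entry contents, the `accountsmgr` user and the external service DN are constructed. It assumes Python's greedy regex matching gives the same result as the plugin's regsub for this pattern.

```python
import re

# Base DNs as configured in the vSphere identity source on the page.
USERS_BASE = "cn=users,cn=compat,dc=localdomain,dc=local"
GROUPS_BASE = "cn=groups,cn=compat,dc=localdomain,dc=local"

# Python form of the slapi-nis expression
#   uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
# Assumption: greedy matching as in the plugin, so the *last* "accounts"
# in the DN (the cn=accounts container) is the one rewritten.
ACCOUNTS_TO_COMPAT = re.compile(r"^(.*)accounts(.*)$")


def member_to_unique_member(member_dn: str) -> str:
    """Rewrite a cn=accounts DN into its cn=compat counterpart."""
    return ACCOUNTS_TO_COMPAT.sub(r"\g<1>compat\g<2>", member_dn)


def is_under(dn: str, base: str) -> bool:
    """Case-insensitive suffix check; real LDAP DN matching also normalises
    whitespace and escaping, which these simple DNs do not need."""
    dn_l, base_l = dn.lower(), base.lower()
    return dn_l == base_l or dn_l.endswith("," + base_l)


def build_compat_group(group_entry: dict) -> dict:
    """The compat-tree view of an IPA group as vSphere sees it after the
    groupmod LDIF: objectclass groupOfUniqueNames plus uniqueMember values
    pointing into the compat tree instead of cn=accounts."""
    return {
        "dn": member_to_unique_member(group_entry["dn"]),
        "objectclass": ["groupOfUniqueNames"],
        "cn": list(group_entry["cn"]),
        "uniqueMember": [member_to_unique_member(m)
                         for m in group_entry.get("member", [])],
    }


def unresolvable_members(compat_group: dict) -> list:
    """uniqueMember values outside both vSphere base DNs; vSphere cannot
    resolve these, so such a membership silently grants nothing."""
    return [m for m in compat_group["uniqueMember"]
            if not (is_under(m, USERS_BASE) or is_under(m, GROUPS_BASE))]


# Constructed entries mirroring the page's esxpower / esxnestedpower test.
ESXPOWER = {
    "dn": "cn=esxpower,cn=groups,cn=accounts,dc=localdomain,dc=local",
    "cn": ["esxpower"],
    "member": [
        "uid=gcecchi,cn=users,cn=accounts,dc=localdomain,dc=local",
        "cn=esxnestedpower,cn=groups,cn=accounts,dc=localdomain,dc=local",
    ],
}

if __name__ == "__main__":
    compat = build_compat_group(ESXPOWER)
    for m in compat["uniqueMember"]:
        print(m)
    print("unresolvable:", unresolvable_members(compat))
```

Because the first group is greedy, a user whose uid itself contains "accounts" (constructed `uid=accountsmgr`) still gets only its cn=accounts container rewritten; a member DN from outside the IPA tree (for instance a service account in another directory) is left unchanged and reported as unresolvable, which is the case to look for when a group shows up in vSphere but grants no permissions.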

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
OK. I will check requirements to write into the wiki
On 08/Dec/2014 18:36 Dmitri Pal d...@redhat.com wrote:

  On 12/08/2014 11:44 AM, Gianluca Cecchi wrote:

 Hello,
 I finally was able to configure the integration between what is in the subject.
 I have made basic tests and all seems ok.

 If anyone wants to test further integration scenarios and also test with
 vSphere 5.5, he/she then can report here and I will crosscheck eventually.

  My environment is based on pure vSphere 5.1 that I'm right now using in
 trial mode with vcenter server defined as a virtual appliance.

 NOTE that there is a bug in this version of vSphere regarding OpenLDAP
 integration in vSphere WebClient, so that you are unable to change Base DN
 for groups after its initial configuration. In case you need to modify that
 field, you have to delete and recreate the whole LDAP definition.
 The bug is solved in vsphere 5.1 update 1a.

  As suggested in other threads on this and other lists, I used slapi-nis
 (schema compat) plugin.
 Initially I tested it on CentOS 6.6 with IPA 3.0.0-42
 and  slapi-nis-0.40-4.
 I was able to get both users and groups enumeration in vSphere client
 (using cn=accounts for bind definition), but then no authentication of
 defined users due to inability of IPA 3.0 to do bind on compat tree.

 I read on this list that I had to use IPA 3.3 and slapi-nis >= 0.47.5,
 as is indeed provided now in CentOS 7 with:

  ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
 slapi-nis-0.52-4.el7.x86_64

  So I migrated my IPA test server from CentOS 6.6 to another server in
 CentOS 7.0, following the chapter 6 of the detailed guide here (only some
 typos and use of systemctl commands for version 6 that should be read as
 service commands instead):

 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

  After update these were my two ldif files to adapt schema compat entries
 for vSphere

  1) vsphere_usermod.ldif

  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config
 changetype: modify
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=uniqueMember
 -
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=inetOrgPerson
 -

  2) vsphere_groupmod.ldif

 dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
 changetype: modify
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: objectclass=groupOfUniqueNames
 -
 add: schema-compat-entry-attribute
 schema-compat-entry-attribute: uniqueMember=%regsub(%{member},^(.*)accounts(.*),%1compat%2)
 -

 Applied with the command:
 ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_usermod.ldif

 and
 ldapmodify -x -D "cn=Directory Manager" -W -f /root/vsphere_groupmod.ldif


  Configuration in vSphere Web Client under Identity Sources of
 Administration -- Sign-On and Discovery -- Configuration
 was this one

  Primary server URL: ldaps://c7server.localdomain.local:636
 Base DN for users: cn=users,cn=compat,dc=localdomain,dc=local
  Domain name: localdomain.local
  Base DN for groups: cn=groups,cn=compat,dc=localdomain,dc=local
  Authentication type: Password
  Username: uid=vadmin,cn=users,cn=compat,dc=localdomain,dc=local

  NOTE: vadmin is a normal IPA user I created only for bind with no ESX
 permissions (it is only part of the default ipausers IPA group)

  NOTE: I used ldaps and as certificate I had to use the file
 /etc/ipa/ca.crt on IPA server, after copying to client where running the
 browser and renaming it to ca.cer without any modification at all. vSphere
 accepted it without any problem.

  My tests at the moment have been ok both in vSphere fat client (5.1
 1471691) and vSphere Web Client (Version 5.1.0 Build 869765). I tried this:

  - add gcecchi IPA user at top vcenter server permissions level as a
 virtual machine user (sample) default role
 - verify gcecchi is able to connect both in fat and web clients
 - edit settings of the vm VC1 and verify that the add... button in
 hardware tab is greyed out
 - add the defined esxpower IPA group at VC1 permissions level granting it
 the virtual machine power user (sample) role
 - logout/login gcecchi and verify nothing changed in his permissions
 - add gcecchi to the IPA group esxpower
 - logout/login gcecchi and verify the user now can select the add...
 button in hardware tab of VC1
 - logout gcecchi and remove gcecchi from IPA group esxpower
 - login as gcecchi in vSphere and verify that now the add... button is
 disabled again
 - create an IPA group named esxnestedpower and insert it in esxpower group
 - login as gcecchi in vSphere and verify he is still unable to add devices
 - modify IPA user gcecchi adding him to esxnestedpower group
 - logout/login gcecchi from vSphere and verify that now gcecchi is able to
 add device to VC1

  NOTE: as my tests began in CentOS 6.6, I noticed that the IPA groups
 

Re: [Freeipa-users] can't register new clients

2014-12-08 Thread Megan .
I looked through the logs on the server and I see the below error in
the apache error log when I try to register a client:

[Mon Dec 08 12:20:38 2014] [error] SSL Library Error: -12195 Peer does
not recognize and trust the CA that issued your certificate


I ran ipa-getcert list and everything seems ok (nothing expired) but
I'm not sure where to troubleshoot from here.



On Fri, Dec 5, 2014 at 7:51 PM, Megan . nagem...@gmail.com wrote:
 It failed again.


 [root@cache2-uat ~]# certutil -L -d sql:/etc/pki/nssdb

 Certificate Nickname Trust Attributes
  
 SSL,S/MIME,JAR/XPI
 [root@cache2-uat ~]#

 Not sure if it's related, but on the directory server in the apache
 error.log I see the below every time a client tries to register:

 [Sat Dec 06 00:48:35 2014] [error] SSL Library Error: -12271 SSL
 client cannot verify your certificate

 On the directory server I ran ipa-getcert list and the certs seem ok.



 On Fri, Dec 5, 2014 at 5:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
 Megan . wrote:
 Sorry for being unclear. It still fails.  Same error.

 Hmm, strange. Try being explicit about sql:

 # certutil -L -d sql:/etc/pki/nssdb

 And if there is a CA cert there, delete it.

 rob


 On Dec 5, 2014 4:39 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Megan . wrote:
  Thanks.
 
  I did have an issue last week where I tried to do the client install
  and it failed because of a firewall issue.  Networks has it opened
  now.  I deleted ca.crt before trying again.  There doesn't seem to be
  a certificate in /etc/pki/nssdb for it.
 
 
 
  [root@data2-uat ipa]# certutil -L -d /etc/pki/nssdb
 
 
  Certificate Nickname Trust
 Attributes
 
 
 SSL,S/MIME,JAR/XPI
 
 
  [root@data2-uat ipa]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb
 
  certutil: could not find certificate named IPA CA:
  SEC_ERROR_BAD_DATABASE: security library: bad database.
 
  [root@data2-uat ipa]# ls
 
  [root@data2-uat ipa]# pwd
 
  /etc/ipa
 
  [root@data2-uat ipa]# ls -al
 
  total 16
 
  drwxr-xr-x.  2 root root  4096 Dec  5 21:16 .
 
  drwxr-xr-x. 82 root root 12288 Dec  5 21:16 ..
 
  [root@data2-uat ipa]#

 So trying to install the client again fails or succeeds now?

 rob

 
  On Fri, Dec 5, 2014 at 4:03 PM, Rob Crittenden rcrit...@redhat.com wrote:
  Rob Crittenden wrote:
  Megan . wrote:
  Good Day!
 
  I am getting an error when I register new clients.
 
  libcurl failed to execute the HTTP POST transaction.  SSL
 connect error
 
  I can't find anything useful on the internet about the error.  Can
  someone help me troubleshoot?
 
  CentOS 6.6  x64
  ipa-client-3.0.0-42.el6.centos.x86_64
  ipa-server-3.0.0-42.el6.centos.x86_64
  curl-7.19.7-40.el6_6.1.x86_64
 
  Do you have NSS_DEFAULT_DB_TYPE set to sql? I don't know that
 we've done
  any testing on the client with this set.
 
  Never mind, that's not it. The problem is:
 
  * NSS error -8054
 
  Which is SEC_ERROR_REUSED_ISSUER_AND_SERIAL
 
  So I'd do this:
 
  # rm /etc/ipa/ca.crt
 
  You may also want to ensure that the IPA CA certificate isn't in
  /etc/pki/nssdb:
 
  # certutil -L -d /etc/pki/nssdb
 
  And then perhaps
 
  # certutil -D -n 'IPA CA' -d /etc/pki/nssdb
 
  rob
 



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
Here are some errors I'm seeing on the client.

tail -f sssd_lnx.e-bozo.com.log
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.

[root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed


On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog matthew.her...@gmail.com
wrote:

 I have never seen my IPA servers produce a zone file nor has the install
 script ever mentioned the creation of such. In fact, I just ran
 ipa-server-install --uninstall && ipa-server-install and there was no
 mention of a zone file.

 Where should I look in the file system to be sure? I see nothing in
 /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
 (Not my choice.)

 dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
 records. I guess I'll need to add SRV records for all my Linux hosts.






 On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek pspa...@redhat.com wrote:

 On 8.12.2014 14:44, Matthew Herzog wrote:
  Petr said, You can run ipa-server-install *without* --setup-dns option
 and
  at the end of
  installation it will produce DNS records which you have to manually add
 to
  your existing DNS database.
 
  I can't see how this would be useful or which machines I would need to
 add
  to our DNS.
 
  Perhaps I should have explained that we are not going to set up a new
 DNS
  domain for the ipa-managed servers.
 Good.

 Now you should run ipa-server-install *without* --setup-dns, using
 lnx.e-bozo.com as your IPA domain. It will install full IPA server and
 spit out DNS zone file.

 Then you *have to* take this zone file and import it to your existing DNS
 infrastructure - that will give you fully functional IPA domain
 lnx.e-bozo.com.

 Caveat:
 Preceding text assumes that 'dsee7' is not using either Kerberos or DNS
 SRV records for LDAP service in domain lnx.e-bozo.com, i.e. clients
 connecting to DSEE7 should be (most likely) statically configured with
 DSEE7 server name.

 Petr^2 Spacek

  We have an Oracle dsee7 server doing
  LDAP for our Linux servers and accounts. We want to migrate to IPA so we
  don't have to maintain a Linux/LDAP account for every user who needs
 access
  to Linux servers. All of our users start with an account in AD and since
  none of my predecessors knew about Winbind, they set up dsee7.
 
  So I'm thinking we'll need to import all our dsee7 accounts AND make it
  possible for AD users to access the Linux systems without needing to
 create
  them in IPA.
 
  On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek pspa...@redhat.com wrote:
 
  On 8.12.2014 05:02, Dmitri Pal wrote:
  On 12/07/2014 10:10 PM, Matthew Herzog wrote:
  So should the FreeIPA server be authoritative for the Kerb. realm/DNS
  domain
  or can it/should it be a slave DNS server instead? Or caching only?

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
OK, I found the generated zone file in /tmp and it looks sane.
Should I add those lines of config to our DNS servers?

On Mon, Dec 8, 2014 at 2:10 PM, Matthew Herzog matthew.her...@gmail.com
wrote:

 Here are some errors I'm seeing on the client.

 tail -f sssd_lnx.e-bozo.com.log
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.

 [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
 error setting up backend connector
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
 error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal
 error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed


 On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog matthew.her...@gmail.com
 wrote:

 I have never seen my IPA servers produce a zone file nor has the install
 script ever mentioned the creation of such. In fact, I just ran
 ipa-server-install --uninstall && ipa-server-install and there was no
 mention of a zone file.

 Where should I look in the file system to be sure? I see nothing in
 /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
 (Not my choice.)

 dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
 records. I guess I'll need to add SRV records for all my Linux hosts.






 On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek pspa...@redhat.com wrote:

 On 8.12.2014 14:44, Matthew Herzog wrote:
  Petr said, You can run ipa-server-install *without* --setup-dns
 option and
  at the end of
  installation it will produce DNS records which you have to manually
 add to
  your existing DNS database.
 
  I can't see how this would be useful or which machines I would need to
 add
  to our DNS.
 
  Perhaps I should have explained that we are not going to set up a new
 DNS
  domain for the ipa-managed servers.
 Good.

 Now you should run ipa-server-install *without* --setup-dns, using
 lnx.e-bozo.com as your IPA domain. It will install full IPA server and
 spit out DNS zone file.

 Then you *have to* take this zone file and import it to your existing DNS
 infrastructure - that will give you fully functional IPA domain
 lnx.e-bozo.com.

 Caveat:
 Preceding text assumes that 'dsee7' is not using either Kerberos or DNS
 SRV records for LDAP service in domain lnx.e-bozo.com, i.e. clients
 connecting to DSEE7 should be (most likely) statically configured with
 DSEE7 server name.

 Petr^2 Spacek

  We have an Oracle dsee7 server doing
  LDAP for our Linux servers and accounts. We want to migrate to IPA so
 we
  don't have to maintain a Linux/LDAP account for every user who needs
 access
  to Linux servers. All of our users start with an account in AD and
 since
  none of my predecessors knew about Winbind, they set up dsee7.
 
  So I'm thinking we'll need to import all our dsee7 accounts AND make it
  possible for AD users to access the Linux systems without needing to
 create
  them in IPA.
 
  On Mon, Dec 8, 2014 at 2:56 AM, Petr Spacek 
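The question above is whether the generated records should simply be added to the existing DNS servers. Before and after doing that, a practitioner wants to confirm the import is complete. Here is an added Python example (not from the thread and not FreeIPA code) that parses BIND-style record lines such as those ipa-server-install writes to /tmp, reports which discovery SRV records for the IPA domain are missing, and flags SRV targets that have no address record. The domain lnx.e-bozo.com is from the thread; the sample records, the hostname ipa01, the realm string and the address 192.0.2.10 are constructed, and the list of required SRV names is an assumption about what IPA clients look up, not a list taken from the page.

```python
# SRV names an IPA client queries when discovering its domain; assumed
# minimal set for this example, not a list taken from the thread.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                "_kpasswd._tcp", "_kpasswd._udp")


def parse_zone(text: str) -> list:
    """Parse BIND-style master-file lines of the form
    name [ttl] [IN] type rdata... ; $-directives and comments are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        name, *rest = line.split()
        ttl = None
        if rest and rest[0].isdigit():
            ttl = int(rest.pop(0))
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        if not rest:
            continue  # malformed line, nothing to record
        records.append({"name": name.rstrip(".").lower(), "ttl": ttl,
                        "type": rest[0].upper(), "rdata": rest[1:]})
    return records


def missing_ipa_records(records: list, domain: str) -> list:
    """Names of required SRV records (and the _kerberos TXT realm hint)
    absent for `domain`; an empty list means the import is complete."""
    domain = domain.rstrip(".").lower()
    names = {(r["name"], r["type"]) for r in records}
    missing = [f"{svc}.{domain}" for svc in REQUIRED_SRV
               if (f"{svc}.{domain}", "SRV") not in names]
    if (f"_kerberos.{domain}", "TXT") not in names:
        missing.append(f"_kerberos.{domain} TXT")
    return missing


def dangling_srv_targets(records: list) -> list:
    """SRV targets with no A/AAAA record in the same data; they must exist
    in the existing zone or every lookup through that SRV is dead."""
    targets = {r["rdata"][3].rstrip(".").lower() for r in records
               if r["type"] == "SRV" and len(r["rdata"]) >= 4}
    have_addr = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    return sorted(targets - have_addr)


# Constructed sample modelled on the records ipa-server-install prints;
# hostname ipa01, the realm string and 192.0.2.10 are made up, and
# _kpasswd._udp is deliberately left out to show the check firing.
SAMPLE_ZONE = """\
; constructed sample, not real installer output
_ldap._tcp.lnx.e-bozo.com.      86400 IN SRV 0 100 389 ipa01.lnx.e-bozo.com.
_kerberos._tcp.lnx.e-bozo.com.  86400 IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kerberos._udp.lnx.e-bozo.com.  86400 IN SRV 0 100 88  ipa01.lnx.e-bozo.com.
_kpasswd._tcp.lnx.e-bozo.com.   86400 IN SRV 0 100 464 ipa01.lnx.e-bozo.com.
_kerberos.lnx.e-bozo.com.       86400 IN TXT "LNX.E-BOZO.COM"
ipa01.lnx.e-bozo.com.           86400 IN A   192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print("missing:", missing_ipa_records(recs, "lnx.e-bozo.com"))
    print("dangling SRV targets:", dangling_srv_targets(recs))
```

Run the same functions against the file found in /tmp (and, after the import, against a dump of the live zone) to confirm nothing was dropped along the way; the one record this sample omits on purpose is what the check reports.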

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Dmitri Pal

On 12/08/2014 02:10 PM, Matthew Herzog wrote:

Here are some errors I'm seeing on the client.

tail -f sssd_lnx.e-bozo.com.log
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): Dispatching.

[root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed


What is the version of the client?
Please add debug_level=9 to sssd.conf in different sections to raise the 
verbosity of the log and see what is really going on there.

https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting





On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog matthew.her...@gmail.com wrote:


I have never seen my IPA servers produce a zone file nor has the
install script ever mentioned the creation of such. In fact, I
just ran ipa-server-install --uninstall && ipa-server-install and
there was no mention of a zone file.

Where should I look in the file system to be sure? I see nothing
in /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's
yum repo. (Not my choice.)

dsee7 is /not/ running Kerberos. dsee7 is /not/ configured with
SRV records. I guess I'll need to add SRV records for all my Linux
hosts.






On Mon, Dec 8, 2014 at 10:41 AM, Petr Spacek pspa...@redhat.com wrote:

On 8.12.2014 14:44, Matthew Herzog wrote:
 Petr said, You can run ipa-server-install *without*
--setup-dns option and
 at the end of
 installation it will produce DNS records which you have to
manually add to
 your existing DNS database.

 I can't see how this would be useful or which machines I
would need to add
 to our DNS.

 Perhaps I should have explained that we are not going to set
up a new DNS
 domain for the ipa-managed servers.
Good.

Now you should run ipa-server-install *without* --setup-dns, using
lnx.e-bozo.com as your IPA domain. It will install full IPA server and
spit out DNS zone file.

Then you *have to* take this zone file and import it to your
existing DNS infrastructure - that will give you fully functional IPA
domain lnx.e-bozo.com.

Caveat:
Preceding text assumes that 'dsee7' is not using either
Kerberos or DNS SRV
records for LDAP service in domain lnx.e-bozo.com
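Dmitri's advice above is to raise debug_level and read what the backend is really doing. The SSSD log format shown in the thread is regular enough to parse, so here is an added Python example (not from the thread and not SSSD's own code) that splits each line into timestamp, component, function, debug mask and message, drops the trace chatter that debug_level=9 produces, and counts the remaining failure lines so a repeating fatal error shows up once with its count. The sample lines are constructed to mirror the ones Matthew posted (re-joined onto single lines); the mask-to-name table follows the debug_level documentation in sssd.conf(5), where 0x0010 is the fatal-failure level that is logged at every debug_level and 0x4000 is the trace-all level that only level 9 enables.

```python
import re
from collections import Counter

# SSSD log line layout, e.g.
# (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Per-line debug masks and their meaning, from sssd.conf(5) debug_level.
LEVEL_NAMES = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration", 0x0200: "function data",
    0x0400: "trace function", 0x1000: "trace libraries",
    0x2000: "trace internal", 0x4000: "trace all",
}


def parse_line(line: str):
    """Return a dict of fields for one SSSD log line, or None if the line
    does not follow the format (continuation lines, shell prompts)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def level_name(mask: int) -> str:
    return LEVEL_NAMES.get(mask, f"unknown mask 0x{mask:04x}")


def failures(records: list, max_mask: int = 0x0080) -> list:
    """Lines at the failure levels (0x0010 to 0x0080); trace lines are
    dropped so a debug_level=9 log reduces to what went wrong."""
    return [r for r in records if r["level"] <= max_mask]


def summarize(records: list) -> Counter:
    """Counter of (component, function, message) over failure lines."""
    return Counter((r["comp"], r["func"], r["msg"]) for r in failures(records))


# Constructed sample modelled on the lines in the thread, one record per line.
SAMPLE = """\
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to connect to monitor services.
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010): fatal error setting up backend connector
(Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010): sss_process_init() failed
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for (comp, func, msg), n in summarize(recs).most_common():
        print(f"{n:3d}x [{comp}] {func}: {msg}")
```

On the sample the ping chatter from the be[lnx.e-bozo.com] backend disappears and the three fatal messages from the ssh responder remain, each seen twice; the component field also makes it obvious that the failure is in the ssh responder's connection to the monitor rather than in the domain backend itself.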

Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
OK, I deserve a slap. I had forgotten to set up the two-way trust again
since the ipa-server-install --uninstall  reinstall. That's back in place.

So I found Sumit Bose's https://www.youtube.com/watch?v=infot4cmZgM and
realized I could not add groups to any new, external user group using the
ipa server's web interface.

Error in the GUI is, E-BOZO.COM\Domain Users: invalid 'truster domain
object': no trusted domain matched the specified flat name.



On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog matthew.her...@gmail.com
wrote:

 sssd_hostname.log
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sysdb_search_groups] (0x2000): No such entry
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [sysdb_delete_user]
 (0x0400): Error: 2 (No such file or directory)
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]] [acctinfo_callback]
 (0x0100): Request processed. Returned 0,0,Success
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1],
 ops[(nil)], ldap[0x17ab240]
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
 (Mon Dec  8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x178eb70
 (Mon Dec  8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.


 On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog matthew.her...@gmail.com
 wrote:

 ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has 3.3.3 IPA)


 On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal d...@redhat.com wrote:

  On 12/08/2014 02:10 PM, Matthew Herzog wrote:

  Here are some errors I'm seeing on the client.

  tail -f sssd_lnx.e-bozo.com.log
  (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.

  [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
 connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed


 What is the version of the client?
 Please add debug_level=9 to sssd.conf in different sections to raise the
 verbosity of the log and see what is really going on there.
 https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting





 On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog 
 matthew.her...@gmail.com wrote:

 I have never seen my IPA servers produce a zone file nor has the
 install script ever mentioned the creation of such. In fact, I just ran
 ipa-server-install --uninstall && ipa-server-install and there was no
 mention of a zone file.

  Where should I look in the file system to be sure? I see nothing in
 /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's yum repo.
 (Not my choice.)

 dsee7 is *not* running Kerberos. dsee7 is *not* configured with SRV
 records. I guess I'll need to add SRV records for all my Linux hosts.






Re: [Freeipa-users] DNS configuration

2014-12-08 Thread Matthew Herzog
Also, I just realized the AD I'm trying to connect to is of type Windows
2000. Yay!

On Mon, Dec 8, 2014 at 5:54 PM, Matthew Herzog matthew.her...@gmail.com
wrote:

 OK, I deserve a slap. I had forgotten to set up the two-way trust again
 since the ipa-server-install --uninstall && reinstall. That's back in place.

 So I found Sumit Bose's https://www.youtube.com/watch?v=infot4cmZgM and
 realized I could not add groups to any new, external user group using the
 ipa server's web interface.

 Error in the GUI is, E-BOZO.COM\Domain Users: invalid 'truster domain
 object': no trusted domain matched the specified flat name.



 On Mon, Dec 8, 2014 at 2:49 PM, Matthew Herzog matthew.her...@gmail.com
 wrote:

 sssd_hostname.log
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sysdb_search_groups] (0x2000): No such entry
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sdap_process_result] (0x2000): Trace: sh[0x17b0030], connected[1],
 ops[(nil)], ldap[0x17ab240]
 (Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
 [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
 (Mon Dec  8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x178eb70
 (Mon Dec  8 14:46:57 2014) [sssd[be[bo3.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.


 On Mon, Dec 8, 2014 at 2:32 PM, Matthew Herzog matthew.her...@gmail.com
 wrote:

 ipa-client-3.0.0-42.el6.x86_64 on OEL 6.5 (server has 3.3.3 IPA)


 On Mon, Dec 8, 2014 at 2:26 PM, Dmitri Pal d...@redhat.com wrote:

  On 12/08/2014 02:10 PM, Matthew Herzog wrote:

  Here are some errors I'm seeing on the client.

  tail -f sssd_lnx.e-bozo.com.log
  (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_message_handler] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
 (Mon Dec  8 14:03:30 2014) [sssd[be[lnx.e-bozo.com]]]
 [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): dbus conn: 0x1e72ad0
 (Mon Dec  8 14:03:40 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
 (0x4000): Dispatching.

  [root@freeipa-poc-client02 sssd]# tail -f sssd_ssh.log
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
 to connect to monitor services.
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
 to connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed
 to connect to monitor services.
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [sss_process_init] (0x0010):
 fatal error setting up backend connector
 (Sun Dec  7 19:32:16 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
 sss_process_init() failed


 What is the version of the client?
 Please add debug_level=9 to sssd.conf in different sections to raise the
 verbosity of the log and see what is really going on there.
 https://fedorahosted.org/sssd/wiki/FAQ#BasicsofTroubleshooting





 On Mon, Dec 8, 2014 at 11:48 AM, Matthew Herzog 
 matthew.her...@gmail.com wrote:

 I have never seen my IPA servers produce a zone file nor has the
 install script ever mentioned the creation of such. In fact, I just ran
 ipa-server-install --uninstall && ipa-server-install and there was no
 mention of a zone file.

  Where should I look in the file system to be sure? I see nothing in
 /var/named. I'm using 3.3.3 IPA on Oracle Linux from Oracle's 
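The logs pasted above are what you end up reading after raising debug_level, and the mail client has wrapped most records across two lines. As an added example that is not part of this thread and not SSSD code, here is a small Python parser that re-joins the wrapped lines, pulls the timestamp, process, logging function, debug-level bit and message out of each record, and lists the fatal (0x0010) messages per process, which is the first thing worth looking at in a log like sssd_ssh.log. The level names follow the debug_level table in sssd.conf(5) (debug_level=9 turns on every bit up to 0x4000); the sample lines are copied from the thread, wrapped as the mail shows them.

```python
"""Parse SSSD debug-log records of the kind pasted in this thread.

Added example, not code from the thread or from the SSSD project. The
record layout and the meaning of the hex debug-level bits follow the
debug_level section of sssd.conf(5); SAMPLE_LOG is copied from the thread.
"""
import re
from collections import Counter
from datetime import datetime

# Debug-level bits as documented for debug_level in sssd.conf(5).
SSSD_LEVELS = {
    0x0010: "fatal failure",
    0x0020: "critical failure",
    0x0040: "serious failure",
    0x0080: "minor failure",
    0x0100: "configuration settings",
    0x0200: "function data",
    0x0400: "trace: operation functions",
    0x1000: "trace: internal control functions",
    0x2000: "trace: function-internal variables",
    0x4000: "trace: extremely low-level",
}

# A record starts with a parenthesised ctime-style timestamp such as
# "(Mon Dec  8 14:03:20 2014)". Any other line is a continuation left
# behind by mail wrapping (note that "(0x4000): ..." does not match).
START_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} ")
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "              # timestamp
    r"\[sssd\[(?P<proc>.+?)\]\] "       # sssd[ssh] or sssd[be[domain]]
    r"\[(?P<func>[^\]]+)\] "            # C function that logged the line
    r"\((?P<level>0x[0-9a-fA-F]+)\):"   # debug-level bit
    r"\s*(?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Copied from the thread; the odd line breaks are the mail client's.
SAMPLE_LOG = """\
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]] [sbus_dispatch]
(0x4000): dbus conn: 0x1e72ad0
(Mon Dec  8 14:03:20 2014) [sssd[be[lnx.e-bozo.com]]]
[sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec  8 14:46:54 2014) [sssd[be[bo3.e-bozo.com]]]
[sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_dp_init] (0x0010): Failed to
connect to monitor services.
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [sss_process_init] (0x0010):
fatal error setting up backend connector
(Sun Dec  7 19:32:09 2014) [sssd[ssh]] [ssh_process_init] (0x0010):
sss_process_init() failed
"""


def unwrap(text):
    """Join continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_sssd_log(text):
    """Return one dict per record: timestamp, process, function, level, message."""
    parsed = []
    for rec in unwrap(text):
        m = LINE_RE.match(rec)
        if m is None:
            parsed.append({"raw": rec})  # keep it visible rather than drop it
            continue
        parsed.append({
            "timestamp": datetime.strptime(m["ts"], TS_FORMAT),
            "process": m["proc"],
            "function": m["func"],
            "level": int(m["level"], 16),
            "message": m["msg"].strip(),
        })
    return parsed


def level_name(level):
    return SSSD_LEVELS.get(level, "unknown (%#06x)" % level)


def summarize_levels(records):
    """Count records per severity name: a quick check for anything above trace noise."""
    return dict(Counter(level_name(r["level"]) for r in records if "level" in r))


def fatal_by_process(records):
    """Map each sssd process to its fatal-failure (0x0010) messages, in order."""
    out = {}
    for r in records:
        if r.get("level") == 0x0010:
            out.setdefault(r["process"], []).append((r["function"], r["message"]))
    return out


if __name__ == "__main__":
    recs = parse_sssd_log(SAMPLE_LOG)
    print(summarize_levels(recs))
    for proc, msgs in fatal_by_process(recs).items():
        for func, msg in msgs:
            print("%s: [%s] %s" % (proc, func, msg))
```

Run it over a whole file with `parse_sssd_log(open(path).read())`. In the thread's output the 0x4000 `sbus_dispatch`/`ping` records are ordinary low-level tracing (their presence shows that domain section already had a high debug_level), while the three 0x0010 records from the ssh responder are the ones to chase.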

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi gianluca.cec...@gmail.com
wrote:

 OK. I will check requirements to write into The wiki



When I try to log in with my Fedora OpenID account, choose my real name as
nickname and press login, it indefinitely remains on the blank
page
http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName

without enabling me to log in and begin to write anything.
Tried from both Chrome and Fedora (on my Fedora 20 system)
Similar problems when I used zanata to write the oVirt Italian
translation, but in that case, with some difficulty, I was finally able
to log in and begin to work... no way here

This OpenID thing doesn't seem very usable in my opinion...

Gianluca
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Gianluca Cecchi
On Tue, Dec 9, 2014 at 12:50 AM, Gianluca Cecchi gianluca.cec...@gmail.com
wrote:


 Tried from both Chrome and Fedora (on my Fedora 20 system)


Correct:
Tried from both Chrome and Firefox (on my Fedora 20 system)

Re: [Freeipa-users] vSphere 5.1 and FreeIPA 3.3 on CentOS 7 finally works! [How I did it...]

2014-12-08 Thread Dmitri Pal

On 12/08/2014 06:50 PM, Gianluca Cecchi wrote:
On Mon, Dec 8, 2014 at 7:17 PM, Gianluca Cecchi 
gianluca.cec...@gmail.com wrote:


OK. I will check requirements to write into The wiki



When I try to log in with my Fedora OpenID account, choose my real name 
as nickname and press login, it indefinitely 
remains on the blank page

http://www.freeipa.org/page/Special:OpenIDLogin/ChooseName

without enabling me to log in and begin to write anything.
Tried from both Chrome and Fedora (on my Fedora 20 system)
Similar problems when I used zanata to write the oVirt Italian 
translation, but in that case, with some difficulty, I was finally able 
to log in and begin to work... no way here


This OpenID thing doesn't seem very usable in my opinion...

Gianluca



Do you manage to pass the Fedora OpenID prompt?
Are you authenticating with the giallu (https://giallu.fedorapeople.org) 
login?
Is it on the redirect from Fedora to the wiki that you get stuck, or is it at 
some other point of the sequence?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott
Does anyone have any ideas on the below errors when trying to add CA 
replication to an existing replica?

Thanks in advance,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki 
components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a 
replica, but not a CA replica.

I am now trying to add CA Replication to serverb but it is failing midway 
through and I cannot figure out why.

Annoyingly, I used the same method/command to set up a CA replica on test 
servers and it completed without issue.

Here is what I get (for the sake of brevity, I am excluding the lines for 
connection check which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 
-client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd  -preop_pin 
exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 
-bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name 
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
-backup_pwd  -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
-ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external 
false -clone true -clone_p12_file ca.p12 -clone_p12_password  
-sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin 
-sd_admin_password  -clone_start_tls true -clone_uri 
https://servera.mydomain.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
=

Additional excerpt from the log file /var/log/ipareplica-ca-install.log at the 
point of failure

=

#
Attempting to connect to: serverb.mydomain.com:9445
Connected.
Posting Query = 
https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12
RESPONSE STATUS:  HTTP/1.1 200 OK
RESPONSE HEADER:  Server: Apache-Coyote/1.1
RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8
RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT
RESPONSE HEADER:  Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!-- BEGIN COPYRIGHT BLOCK
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; version 2 of the License.

 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.

 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 Copyright (C) 2007 Red Hat, Inc.
 All rights reserved.
 END COPYRIGHT BLOCK -->
<response>
  <panel>admin/console/config/restorekeycertpanel.vm</panel>
  <res/>
  <updateStatus>failure</updateStatus>
  <password/>
  <errorString>The pkcs12 file is not 

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Dmitri Pal

On 12/08/2014 11:04 PM, Les Stott wrote:


Does anyone have any ideas on the below errors when trying to add CA 
replication to an existing replica?




People who might be able to help are on PTO right now.

Is your installation older than 2 years?
Did you generate a new replica package or use the original one?
Maybe the problem is that the cert that is in that package already expired?
Just a thought...

The simplest workaround IMO would be to prepare Server C, install it 
with CA and then decommission replica B.

Do not forget to clean replication agreements on master.

But that would be a workaround; it would not solve this specific problem, it 
will kill it.



Thanks in advance,

Les

*From:*freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Les Stott

*Sent:* Tuesday, 2 December 2014 6:17 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. 
Pki components are also standard version 9.0.3-38.


Servera is the master

Serverb is the replica

Both have been running for many, many months. Serverb was initially 
set up as a replica, but not a CA replica.


I am now trying to add CA Replication to serverb but it is failing 
midway through and I cannot figure out why.


Annoyingly, I used the same method/command to set up a CA replica on 
test servers and it completed without issue.


Here is what I get (for the sake of brevity, I am excluding the 
lines for connection check which were all OK)


=

/usr/sbin/ipa-ca-install 
/var/lib/ipa/replica-info-serverb.mydomain.com.gpg


Directory Manager (existing master) password:

Get credentials to log in to remote master

ad...@mydomain.com password:

Execute check on remote master

Connection check OK

Configuring directory server for the CA (pkids): Estimated time 30 seconds

  [1/3]: creating directory server user

  [2/3]: creating directory server instance

  [3/3]: restarting directory server

Done configuring directory server for the CA (pkids).

Configuring certificate server (pki-cad): Estimated time 3 minutes 30 
seconds


  [1/16]: creating certificate server user

  [2/16]: creating pki-ca instance

  [3/16]: configuring certificate server instance

ipa : CRITICAL failed to configure ca instance Command 
'/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname 
serverb.mydomain.com -cs_port 9445 -client_certdb_dir /tmp/tmp-t3aHM7 
-client_certdb_pwd  -preop_pin exoyO2y7bawG5yjZMACM 
-domain_name IPA -admin_user admin -admin_email root@localhost 
-admin_password  -agent_name ipa-ca-agent -agent_key_size 2048 
-agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MYDOMAIN.COM 
-ldap_host serverb.mydomain.com -ldap_port 7389 -bind_dn cn=Directory 
Manager -bind_password  -base_dn o=ipaca -db_name ipaca 
-key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 
true -backup_pwd  -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
-ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM 
-external false -clone true -clone_p12_file ca.p12 -clone_p12_password 
 -sd_hostname servera.mydomain.com -sd_admin_port 443 
-sd_admin_name admin -sd_admin_password  -clone_start_tls true 
-clone_uri https://servera.mydomain.com:443' returned non-zero exit 
status 255


Your system may be partly configured.

Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed

=

Additional excerpt from the log file 
/var/log/ipareplica-ca-install.log at the point of failure


=

#

Attempting to connect to: serverb.mydomain.com:9445

Connected.

Posting Query = 
https://serverb.mydomain.com:9445//ca/admin/console/config/wizard?p=7&op=next&xml=true&__password=&path=ca.p12


RESPONSE STATUS:  HTTP/1.1 200 OK

RESPONSE HEADER:  Server: Apache-Coyote/1.1

RESPONSE HEADER:  Content-Type: application/xml;charset=UTF-8

RESPONSE HEADER:  Date: Tue, 02 Dec 2014 05:44:19 GMT

RESPONSE HEADER:  Connection: close

<?xml version="1.0" encoding="UTF-8"?>

<!-- BEGIN COPYRIGHT BLOCK

 This program is free software; you can redistribute it and/or modify

 it under the terms of the GNU General Public License as published by

 the Free Software Foundation; version 2 of the License.

 This program is distributed in the hope that it will be useful,

 but WITHOUT ANY 

Re: [Freeipa-users] CA Replication Installation Failing

2014-12-08 Thread Les Stott


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 09, 2014 3:49 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CA Replication Installation Failing

On 12/08/2014 11:04 PM, Les Stott wrote:
Does anyone have any ideas on the below errors when trying to add CA 
replication to an existing replica?

 People who might be able to help are on PTO right now.

 Is your installation older than 2 years?

No, December 2013 was when it was originally built.

 Did you generate a new replica package or use the original one?

I used the original replica file for serverb, based on instructions I came 
across. I can try regenerating the replica file.

Interestingly, now that you mention it, servera had to be restored a couple of 
months back. Perhaps this is an issue and regenerating the replica file for 
serverb will be required.

I will try this.

 Maybe the problem is that the cert that is in that package already expired?

The original replica file was created on Dec 16 2013. Cert is not set to expire 
until 2015-12-17.

 Just a thought...

 The simplest workaround IMO would be to prepare Server C, install it with CA 
 and then decommission replica B.
 Do not forget to clean replication agreements on master.

 But that would be a workaround; it would not solve this specific problem, it will 
 kill it.

I actually do have serverc and serverd. I planned to have CA replication on at 
least 2 other servers, but held off on trying on serverc due to issues with 
serverb.

I'll report back what I find after regenerating the replica file and retrying 
to set up CA replication.

Thanks,

Les


Thanks in advance,

Les

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Les Stott
Sent: Tuesday, 2 December 2014 6:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] CA Replication Installation Failing

Hi All,

I have RHEL6 with ipa servers running standard ipa server 3.0.0-42. Pki 
components are also standard version 9.0.3-38.

Servera is the master
Serverb is the replica

Both have been running for many, many months. Serverb was initially set up as a 
replica, but not a CA replica.

I am now trying to add CA Replication to serverb but it is failing midway 
through and I cannot figure out why.

Annoyingly, I used the same method/command to set up a CA replica on test 
servers and it completed without issue.

Here is what I get… (for the sake of brevity, I am excluding the lines for 
connection check which were all OK)

=
/usr/sbin/ipa-ca-install /var/lib/ipa/replica-info-serverb.mydomain.com.gpg
Directory Manager (existing master) password:
Get credentials to log in to remote master
ad...@mydomain.com password:
Execute check on remote master
Connection check OK
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
  [3/3]: restarting directory server
Done configuring directory server for the CA (pkids).
Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
  [1/16]: creating certificate server user
  [2/16]: creating pki-ca instance
  [3/16]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl 
/usr/bin/pkisilent ConfigureCA -cs_hostname serverb.mydomain.com -cs_port 9445 
-client_certdb_dir /tmp/tmp-t3aHM7 -client_certdb_pwd  -preop_pin 
exoyO2y7bawG5yjZMACM -domain_name IPA -admin_user admin -admin_email 
root@localhost -admin_password  -agent_name ipa-ca-agent 
-agent_key_size 2048 -agent_key_type rsa -agent_cert_subject 
CN=ipa-ca-agent,O=MYDOMAIN.COM -ldap_host serverb.mydomain.com -ldap_port 7389 
-bind_dn cn=Directory Manager -bind_password  -base_dn o=ipaca -db_name 
ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true 
-backup_pwd  -subsystem_name pki-cad -token_name internal 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_subsystem_cert_subject_name CN=CA Subsystem,O=MYDOMAIN.COM 
-ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MYDOMAIN.COM 
-ca_server_cert_subject_name CN=serverb.mydomain.com,O=MYDOMAIN.COM 
-ca_audit_signing_cert_subject_name CN=CA Audit,O=MYDOMAIN.COM 
-ca_sign_cert_subject_name CN=Certificate Authority,O=MYDOMAIN.COM -external 
false -clone true -clone_p12_file ca.p12 -clone_p12_password  
-sd_hostname servera.mydomain.com -sd_admin_port 443 -sd_admin_name admin 
-sd_admin_password  -clone_start_tls true -clone_uri 
https://servera.mydomain.com:443' returned non-zero exit status 255

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of CA failed
=
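Dmitri's expired-certificate hypothesis is cheap to check before a year-old replica package is reused, and the check is the same one you would run against any PKCS#12 bundle. As an added example that is not part of this thread and not FreeIPA code, the POSIX shell function below extracts every certificate from a .p12 file with the openssl command-line tool and reports any that expires within a given number of days; the file path and password are whatever the caller supplies. It assumes openssl is installed. That on IPA 3.x the replica-info file is a GPG-encrypted tarball whose .p12 bundles you would extract first is my understanding, not something the thread states.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeIPA): report certificates in
# a PKCS#12 bundle that expire within N days, using only the openssl CLI.
# The .p12 path and its password are supplied by the caller.

# p12_valid_for_days FILE PASSWORD [DAYS]
#   exit 0 -> every certificate in FILE is still valid DAYS days from now
#   exit 1 -> at least one certificate expires sooner (details on stderr)
#   exit 2 -> the bundle could not be read or holds no certificate
p12_valid_for_days() {
    p12=$1
    pass=$2
    days=${3:-30}
    work=$(mktemp -d) || return 2

    # Dump the certificate bags as PEM (-nokeys skips the private keys) and
    # split them into one file per certificate; the "Bag Attributes" lines
    # openssl prints between them fall outside the awk range and are dropped.
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" 2>/dev/null |
        awk -v dir="$work" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
            out != ""                      { print > out }
            /-----END CERTIFICATE-----/    { close(out); out = "" }'

    rc=0
    found=0
    for cert in "$work"/cert*.pem; do
        [ -f "$cert" ] || continue      # the glob matched nothing
        found=1
        # -checkend SECONDS exits 0 only if the cert is still valid at now+SECONDS
        if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
            rc=1
            printf 'expires within %s days: %s\n' "$days" \
                "$(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')" >&2
        fi
    done
    [ "$found" -eq 1 ] || rc=2

    rm -rf "$work"
    return $rc
}

# Stand-alone use: sh p12check.sh /path/to/cacert.p12 'password' 30
if [ $# -ge 2 ]; then
    p12_valid_for_days "$1" "$2" "${3:-30}"
fi
```

The exit code is meant for scripting (a 1 is a reason to stop before running ipa-ca-install), while the subject and notAfter of each offending certificate go to stderr for a human. Expiry is only one way a stale package can bite: as Les notes, the master was restored after the package was generated, so regenerating it on the master (ipa-replica-prepare) is the safer route regardless of what this check reports.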