Re: [Freeipa-users] Unable to Install IPA

2015-02-28 Thread Hadoop Solutions 
Hi Rob,

In this node we have disabled SELinux. Is it cusing this error???

Thanks,
Shaik

On 28 February 2015 at 14:18, Rob Crittenden  wrote:

> Hadoop Solutions wrote:
> > Hi Rob,
> >
> > please find the attached log of /var/log/ipaserver-install.log
> >
> > kindly let me know the solution for this..
>
> Can you see if you have any SElinux failures?
>
> # ausearch -m AVC -ts recent
>
> I see some SELinux errors in the log. Not sure if this is it or not but
> for some reason the dogtag SELinux policy doesn't always install
> correctly. The fix seems to be to re-install the pki-selinux package.
>
> You'll also need to run pkiremove manually after running
> ipa-server-install --uninstall. It doesn't always record the fact that a
> service install is attempted and fails.
>
> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>
> rob
>
> >
> > Thanks,
> > Shaik
> >
> > On 28 February 2015 at 11:29, Rob Crittenden  > > wrote:
> >
> > Hadoop Solutions wrote:
> > > Hi,
> > >
> > > i am trying to install IPA on RHEL 6, but i am getting following
> errors
> > > while installing the IPA.
> > >
> > > Configuring certificate server (pki-cad): Estimated time 3 minutes
> 30
> > > seconds
> > >   [1/20]: creating certificate server user
> > >   [2/20]: configuring certificate server instance
> > > ipa : CRITICAL failed to configure ca instance Command
> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
> > > sv2lxdpdsedi02.corp.equinix.com
> > 
> > 
> > > -cs_port 9445 -client_certdb_dir /tmp/tmp-ipQMeE -client_certdb_pwd
> > >  -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA
> -admin_user
> > > admin -admin_email root@localhost -admin_password 
> -agent_name
> > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> > > -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP -ldap_host
> > > sv2lxdpdsedi02.corp.equinix.com
> > 
> > 
> > > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
> 
> > > -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
> > > -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
> > > -subsystem_name pki-cad -token_name internal
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP
> > > -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com <
> http://sv2lxdpdsedi02.corp.equinix.com>
> > > ,O=LAB.BDP
> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP
> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP
> -external
> > > false -clone false' returned non-zero exit status 255
> > > Configuration of CA failed
> >
> > You'll find more relevant error messages in the full
> > /var/log/ipaserver-install.log and /var/log/pki-ca/debug
> >
> > rob
> >
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] issues with secondary groups? (sssd)

2015-02-28 Thread Janelle 

Hello,

I was wondering - I have searched around and seen a few questions and 
solutions, but nothing I try is fixing my environment.


Things have been working quite well with IPA 4.0.5, simple things with 
auth and logins - some with full ipa-client-install configured, others 
just using LDAP and that is where the strangeness comes from.


with full IPA client integration, secondary groups work just find, as do 
base commands like "id" and "getent". However, the "ldap" users, never 
show the secondary group for their uid?


Any pointers you might suggest? I have tried the sssd.conf of 
"ldap_group_member = uniqeMember" - no change.


a simple secondary group is defined:

dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com

and yet with debug_level = 7 -- sssd still says: 
[sdap_process_ghost_members] (0x0400): Group has 0 members

and "id" or "getent" of any of user1..5 just returns the primary GID.

Any ideas? Tips? What else might you want to see?

~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Unable to Install IPA

2015-02-28 Thread Hadoop Solutions 
Hi,

IPA required SELinux enabled on the system?

Thanks,
Shaik

On 28 February 2015 at 16:49, Hadoop Solutions 
wrote:

> Hi Rob,
>
> In this node we have disabled SELinux. Is it cusing this error???
>
> Thanks,
> Shaik
>
> On 28 February 2015 at 14:18, Rob Crittenden  wrote:
>
>> Hadoop Solutions wrote:
>> > Hi Rob,
>> >
>> > please find the attached log of /var/log/ipaserver-install.log
>> >
>> > kindly let me know the solution for this..
>>
>> Can you see if you have any SElinux failures?
>>
>> # ausearch -m AVC -ts recent
>>
>> I see some SELinux errors in the log. Not sure if this is it or not but
>> for some reason the dogtag SELinux policy doesn't always install
>> correctly. The fix seems to be to re-install the pki-selinux package.
>>
>> You'll also need to run pkiremove manually after running
>> ipa-server-install --uninstall. It doesn't always record the fact that a
>> service install is attempted and fails.
>>
>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force
>>
>> rob
>>
>> >
>> > Thanks,
>> > Shaik
>> >
>> > On 28 February 2015 at 11:29, Rob Crittenden > > > wrote:
>> >
>> > Hadoop Solutions wrote:
>> > > Hi,
>> > >
>> > > i am trying to install IPA on RHEL 6, but i am getting following
>> errors
>> > > while installing the IPA.
>> > >
>> > > Configuring certificate server (pki-cad): Estimated time 3
>> minutes 30
>> > > seconds
>> > >   [1/20]: creating certificate server user
>> > >   [2/20]: configuring certificate server instance
>> > > ipa : CRITICAL failed to configure ca instance Command
>> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname
>> > > sv2lxdpdsedi02.corp.equinix.com
>> > 
>> > 
>> > > -cs_port 9445 -client_certdb_dir /tmp/tmp-ipQMeE
>> -client_certdb_pwd
>> > >  -preop_pin rYjqarUHssRQtfthaFFT -domain_name IPA
>> -admin_user
>> > > admin -admin_email root@localhost -admin_password 
>> -agent_name
>> > > ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
>> > > -agent_cert_subject CN=ipa-ca-agent,O=LAB.BDP -ldap_host
>> > > sv2lxdpdsedi02.corp.equinix.com
>> > 
>> > 
>> > > -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password
>> 
>> > > -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa
>> > > -key_algorithm SHA256withRSA -save_p12 true -backup_pwd 
>> > > -subsystem_name pki-cad -token_name internal
>> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
>> > > -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LAB.BDP
>> > > -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LAB.BDP
>> > > -ca_server_cert_subject_name CN=sv2lxdpdsedi02.corp.equinix.com <
>> http://sv2lxdpdsedi02.corp.equinix.com>
>> > > ,O=LAB.BDP
>> > > -ca_audit_signing_cert_subject_name CN=CA Audit,O=LAB.BDP
>> > > -ca_sign_cert_subject_name CN=Certificate Authority,O=LAB.BDP
>> -external
>> > > false -clone false' returned non-zero exit status 255
>> > > Configuration of CA failed
>> >
>> > You'll find more relevant error messages in the full
>> > /var/log/ipaserver-install.log and /var/log/pki-ca/debug
>> >
>> > rob
>> >
>> >
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project