Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
I have checked; there is no default.conf. Please suggest.

[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/
total 8.0K
drwxr-xr-x 2 root root 4.0K Mar 24 13:29 html
-r--r--r-- 1 root root 1.3K Mar 25 06:36 ca.crt

[root@ldap-inf-stg-sg1-01 ipa]# ls -lrth /etc/ipa/html/
total 28K
-rw-r--r-- 1 root root 1.4K Oct 16 15:03 unauthorized.html
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 ssbrowser.html
-rw-r--r-- 1 root root  521 Oct 16 15:03 ipa_error.css
-rw-r--r-- 1 root root 4.5K Oct 16 15:03 ffconfig_page.js
-rw-r--r-- 1 root root 2.9K Oct 16 15:03 ffconfig.js
-rw-r--r-- 1 root root 3.9K Oct 16 15:03 browserconfig.html
[root@ldap-inf-stg-sg1-01 ipa]#

Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U


On Wed, Mar 25, 2015 at 12:16 PM, Yogesh Sharma  wrote:

> Hi,
>
> We are getting below error while we are installing IPA Server
> (ipa-server-install --no-ntp).
>
>
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain sd.int --server
> ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname
> ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1
>
> The logs indicate the errors below:
>
> 2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h
> ldap-inf-stg-sg1-01.sd.int -ZZ -x -D
> cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS -T /var/lib/ipa/tmp0iYpzn
> uid=admin,cn=users,cn=accounts,dc=sd,dc=int
> 2015-03-25T06:39:59Z DEBUG stdout=
> 2015-03-25T06:39:59Z DEBUG stderr=
> 2015-03-25T06:39:59Z DEBUG ldappasswd done
> 2015-03-25T06:40:10Z DEBUG args=/usr/sbin/ipa-client-install --on-master
> --unattended --domain sd.int --server ldap-inf-stg-sg1-01.sd.int --realm
> SD.INT --hostname ldap-inf-stg-sg1-01.sd.int
> 2015-03-25T06:40:10Z DEBUG stdout=
> 2015-03-25T06:40:10Z DEBUG stderr=Failed to verify that
> ldap-inf-stg-sg1-01.sd.int is an IPA Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>   TCP: 80, 88, 389
>   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>   TCP: 464
>   UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Unconfigured automount client failed: Command 'ipa-client-automount
> --uninstall --debug' returned non-zero exit status 1
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
>
> 2015-03-25T06:40:10Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
> 614, in run_script
>     return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1103, in main
>     sys.exit("Configuration of client side components
> failed!\nipa-client-install returned: " + str(e))
>
> 2015-03-25T06:40:10Z INFO The ipa-server-install command failed,
> exception: SystemExit: Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain sd.int --server
> ldap-inf-stg-sg1-01.sd.int --realm SD.INT --hostname
> ldap-inf-stg-sg1-01.sd.int' returned non-zero exit status 1
>
> This server is on AWS and I can confirm that all of the above ports are open.
> Also, as the client is being installed on the same server where the IPA
> server is being installed, ports should not be an issue.
>
> Am I missing anything here?
>
> Best Regards,
>
> Yogesh Sharma
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
While restarting using ipactl, it is stopping. Any suggestion?

[root@ldap-inf-stg-sg1-01 ys7673]# ipactl stop
Starting dirsrv:
PKI-IPA... [  OK  ]
SD-INT...  [  OK  ]
Stopping CA Service
pki-tomcatd: unrecognized service
Failed to stop CA Service
Stopping HTTP Service
Stopping httpd:[FAILED]
Stopping MEMCACHE Service
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:  [FAILED]
Stopping KDC Service
Stopping Kerberos 5 KDC:   [FAILED]
Stopping Directory Service
Shutting down dirsrv:
PKI-IPA... [  OK  ]
SD-INT...  [  OK  ]
[root@ldap-inf-stg-sg1-01 ys7673]# ipactl start
Starting Directory Service
Starting dirsrv:
PKI-IPA... [  OK  ]
SD-INT...  [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]
Starting CA Service
pki-tomcatd: unrecognized service
Failed to start CA Service
Shutting down
Stopping Kerberos 5 KDC:   [  OK  ]
Stopping Kerberos 5 Admin Server:  [  OK  ]
Stopping ipa_memcached:[  OK  ]
Stopping httpd:[  OK  ]
pki-tomcatd: unrecognized service
Shutting down dirsrv:
PKI-IPA... [  OK  ]
SD-INT...  [  OK  ]
Aborting ipactl
[root@ldap-inf-stg-sg1-01 ys7673]


Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
Any suggestion, please?


Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread John Obaterspok
Hi Jan,

See:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00131.html
https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html

-- john

2015-03-24 17:58 GMT+01:00 Jan Pazdziora :

>
> Hello,
>
> after enabling
>
>
> https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo
>
> I've installed
>
> freeipa-server bind bind-dyndb-ldap
>
> and run
>
> ipa-server-install --domain example.test
>
> The process failed at
>
>   [3/7]: setting up kerberos principal
>   [4/7]: setting up SoftHSM
>   [error] CalledProcessError: Command ''/usr/bin/softhsm2-util'
> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
> '--so-pin' ' returned non-zero exit status 1
> Unexpected error - see /var/log/ipaserver-install.log for details:
> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
> returned non-zero exit status 1
>
> and the log file ends with
>
> 2015-03-24T16:49:51Z DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
> 2015-03-24T16:49:51Z DEBUG Initializing tokens
> 2015-03-24T16:49:51Z DEBUG Starting external process
> 2015-03-24T16:49:51Z DEBUG args='/usr/bin/softhsm2-util' '--init-token'
> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' 
> 2015-03-24T16:49:51Z DEBUG Process finished, return code=1
> 2015-03-24T16:49:51Z DEBUG stdout=
> 2015-03-24T16:49:51Z DEBUG stderr=ERROR: Could not load the library.
>
> 2015-03-24T16:49:51Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
> run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
> method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
> line 293, in __setup_softhsm
> ipautil.run(command, nolog=(pin, pin_so,))
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346,
> in run
> raise CalledProcessError(p.returncode, arg_string, stdout)
> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
> returned non-zero exit status 1
>
> 2015-03-24T16:49:51Z DEBUG   [error] CalledProcessError: Command
> ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC'
> '--pin'  '--so-pin' ' returned non-zero exit status 1
> 2015-03-24T16:49:51Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
> 642, in run_script
> return_value = main_function()
>
>   File "/usr/sbin/ipa-server-install", line 1302, in main
> dnskeysyncd.create_instance(api.env.host, api.env.realm)
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
> line 146, in create_instance
> self.start_creation()
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 382, in start_creation
> run_step(full_msg, method)
>
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 372, in run_step
> method()
>
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
> line 293, in __setup_softhsm
> ipautil.run(command, nolog=(pin, pin_so,))
>
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346,
> in run
> raise CalledProcessError(p.returncode, arg_string, stdout)
>
> 2015-03-24T16:49:51Z DEBUG The ipa-server-install command failed,
> exception: CalledProcessError: Command ''/usr/bin/softhsm2-util'
> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
> '--so-pin' ' returned non-zero exit status 1
>
> I've found discussion at
>
>
> https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html
>
> which seems related but it seems the issue is back or was never
> properly addressed.
>
> An attempt to run the command manually fails as well:
>
> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/bin/softhsm2-util
> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
> '--so-pin' 
> ERROR: Could not load the library.
>
> I see the same bug both on host and in container.
>
> --
> Jan Pazdziora
> Principal Software Engineer, Identity Management Engineering, Red Hat
>

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Guertin, David S.
>What are the platforms and package versions of SSSD on these clients?

Client 1:
RHEL 6.6
sssd-1.11.6

Client 2:
RHEL 6.6
sssd-1.11.6

Client 3:
RHEL 5.11
sssd-1.5.1

David Guertin



Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
I have tried on multiple platforms. I set up the nisdomain and it is resolving,
though it is getting the same error.

Any help would be helpful.


Re: [Freeipa-users] ipa-client-install failure

2015-03-25 Thread Martin Kosek
On 03/24/2015 02:49 PM, Dmitri Pal wrote:
> On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
>> Hi there,
>>
>> All the issues I reported in this long thread are SOLVED.
> 
> Thanks for closing the loop.

Indeed!

> 
>> For completeness, I'm posting here the conclusions.
>>
>> ipa-client-install did enroll the client but failed in several points:
>>
>> $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>> [...]
>> Synchronizing time with KDC...
>> Unable to sync time with IPA NTP server, assuming the time is in sync. Please
>> check that 123 UDP port is opened.
>> [...]
>> Failed to update DNS records.
>> [...]
>> Could not update DNS SSHFP records.
>> [...]
>> Unable to find 'admin' user with 'getent passwd ad...@hq.example.com
>> '!
>> Unable to reliably detect configuration. Check NSS setup manually.
>> [...]
>> Client configuration complete.
>>
>> There were two distinct problems:
>>
>> 1) NTP sync failed because despite using --force-ntpd, chronyd wasn't stopped
>> beforehand. Stopping it manually solved the issue. I believe
>> ipa-client-install stopping chronyd was the intended behaviour, in which case
>> this is perhaps a bug. If it needs to be stopped manually, then it should be
>> documented clearly.
>> The failed NTP sync caused Kerberos to fail, which explains "Unable to find
>> 'admin' user with 'getent passwd ad...@hq.example.com
>> '".
> 
> We should probably file a ticket about this. I am just not sure what exactly
> it should be.

This is a bug, yes. I filed https://fedorahosted.org/freeipa/ticket/4963; it
can be fixed together with the other related chronyd changes that David is
working on.

>> 2) DNS update failed because for some obscure reason I forgot to open port
>> 53/tcp on the server's firewall. Only 53/udp was open. This fooled me,
>> because with 53/udp open, the DNS was almost completely functional. However,
>> updates also require 53/tcp.

I added this as a troubleshooting tip to
http://www.freeipa.org/page/Troubleshooting#Failed_to_update_DNS_records
If you have other ideas how to extend the guide to help your followers, please
feel free to edit it directly or propose improvements.

>> All in all, it was a full two days of digging and debugging. The bright side
>> is, I learned a lot.

Good! freeipa-users mission was successful :-)

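Two findings in this digest are really one pre-enrollment check: the ipa-client-install error text in the first thread lists the TCP ports a client needs (80, 88, 389, 464), and Roberto's conclusion above is that DNS dynamic updates need 53/tcp even when 53/udp already answers normal lookups. The script below is an added example, not code from this thread or from FreeIPA: it probes those TCP ports and then sends the same SOA query for the zone over UDP and over TCP, so a "UDP 53 open, TCP 53 closed" firewall shows up as a failed dns_tcp entry before enrollment. SERVER and ZONE are placeholders.

```python
#!/usr/bin/env python3
"""Enrollment preflight: are the client-side ports reachable, and does the
server answer DNS over TCP as well as UDP?  Added example, not FreeIPA code."""
import random
import socket
import struct

SERVER = "ipa.example.test"   # placeholder, not a host from this thread
ZONE = "example.test"         # placeholder zone to query for its SOA
CLIENT_TCP_PORTS = (80, 88, 389, 464)   # from the ipa-client-install message

QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_SOA, qid=None):
    """Minimal RFC 1035 question: header with RD set, one question, no EDNS."""
    if qid is None:
        qid = random.getrandbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, expected_id):
    """Return the header fields that matter for a reachability check."""
    if len(data) < 12:
        raise ValueError("short DNS response (%d bytes)" % len(data))
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("DNS id mismatch: got %#x, expected %#x" % (qid, expected_id))
    return {
        "rcode": flags & 0x000F,            # 0 = NOERROR
        "truncated": bool(flags & 0x0200),  # TC bit: UDP answer did not fit
        "answers": an,
        "authority": ns,
    }


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS/TCP peer closed the connection early")
        buf += chunk
    return buf


def query_udp(server, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _peer = s.recvfrom(4096)
    return data


def query_tcp(server, query, timeout=3.0):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def tcp_port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(server, zone):
    """Probe the client ports, then the same SOA query over UDP and TCP."""
    report = {"tcp_ports": {p: tcp_port_open(server, p) for p in CLIENT_TCP_PORTS}}
    qid = random.getrandbits(16)
    query = build_query(zone, QTYPE_SOA, qid)
    for key, fn in (("dns_udp", query_udp), ("dns_tcp", query_tcp)):
        try:
            report[key] = parse_response(fn(server, query), qid)
        except (OSError, ValueError) as exc:
            # A working dns_udp next to a failed dns_tcp is the case Roberto hit.
            report[key] = "FAILED: %s" % exc
    return report


if __name__ == "__main__":
    for key, value in preflight(SERVER, ZONE).items():
        print(key, value)
```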


Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> On 03/24/2015 09:17 PM, Anthony Lanni wrote:
>> While running ipa-server-install, it's failing out at the end with an error
>> regarding the client install on the server. This happens regardless of how I
>> input the options, but here's the latest command:
>>
>> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
>>  -n example.com  -p passwd1 -a
>> passwd2 --hostname=ldap-server-01.example.com
>>  --forwarder=10.0.1.20
>> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
>>
>> Runs through the entire setup and gives me this:
>>
>> [...]
>> ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
>> --unattended --domain example.com  --server
>> ldap-server-01.example.com  --realm
>> EXAMPLE.COM  --hostname ldap-server-01.example.com
>> 
>> ipa : DEBUGstdout=
>>
>> ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
>> 
>> Realm: EXAMPLE.COM 
>> DNS Domain: example.com 
>> IPA Server: ldap-server-01.example.com 
>> BaseDN: dc=example,dc=com
>> New SSSD config will be created
>> Configured /etc/sssd/sssd.conf
>> Traceback (most recent call last):
>>   File "/usr/sbin/ipa-client-install", line 2377, in 
>> sys.exit(main())
>>   File "/usr/sbin/ipa-client-install", line 2363, in main
>> rval = install(options, env, fstore, statestore)
>>   File "/usr/sbin/ipa-client-install", line 2135, in install
>> delete_persistent_client_session_data(host_principal)
>>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
>> delete_persistent_client_session_data
>> kernel_keyring.del_key(keyname)
>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line
>> 99, in del_key
>> real_key = get_real_key(key)
>>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line
>> 45, in get_real_key
>> (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
>> raiseonerr=False)
> 
> Is keyctl installed? Can you run it manually?
> Any SELinux denials?

You are likely hitting
https://fedorahosted.org/freeipa/ticket/3808

Please try installing keyutils before running ipa-server-install. It is fixed
in RHEL-7; I filed a RHEL-6 ticket to fix it on this platform as well:
https://bugzilla.redhat.com/show_bug.cgi?id=1205660

Martin



Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread Martin Kosek
Good ones. Also CCing PetrS and MartinB, who were directly involved in these
features and the original thread, for reference.

On 03/25/2015 11:46 AM, John Obaterspok wrote:

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Martin Kosek
On 03/25/2015 07:46 AM, Yogesh Sharma wrote:
> Hi,
> 
> We are getting below error while we are installing IPA Server
> (ipa-server-install --no-ntp).
> 
> 
> Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain sd.int  --server
> ldap-inf-stg-sg1-01.sd.int  --realm
> SD.INT  --hostname ldap-inf-stg-sg1-01.sd.int
> ' returned non-zero exit status 1
> 
> Logs indicate below errors:
> 
> 2015-03-25T06:39:59Z DEBUG args=/usr/bin/ldappasswd -h
> ldap-inf-stg-sg1-01.sd.int  -ZZ -x -D
> cn=Directory Manager -y /var/lib/ipa/tmpiI0qCS -T /var/lib/ipa/tmp0iYpzn
> uid=admin,cn=users,cn=accounts,dc=sd,dc=int
> 2015-03-25T06:39:59Z DEBUG stdout=
> 2015-03-25T06:39:59Z DEBUG stderr=
> 2015-03-25T06:39:59Z DEBUG ldappasswd done
> 2015-03-25T06:40:10Z DEBUG args=/usr/sbin/ipa-client-install --on-master
> --unattended --domain sd.int  --server
> ldap-inf-stg-sg1-01.sd.int  --realm
> SD.INT  --hostname ldap-inf-stg-sg1-01.sd.int
> 2015-03-25T06:40:10Z DEBUG stdout=
> 2015-03-25T06:40:10Z DEBUG stderr=Failed to verify that
> ldap-inf-stg-sg1-01.sd.int  is an IPA
> Server.
> This may mean that the remote server is not up or is not reachable due to
> network or firewall settings.
> Please make sure the following ports are opened in the firewall settings:
>  TCP: 80, 88, 389
>  UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
> Also note that following ports are necessary for ipa-client working
> properly after enrollment:
>  TCP: 464
>  UDP: 464, 123 (if NTP enabled)
> Installation failed. Rolling back changes.
> Unconfigured automount client failed: Command 'ipa-client-automount
> --uninstall --debug' returned non-zero exit status 1
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Client uninstall complete.
> 
> 2015-03-25T06:40:10Z INFO   File
> "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line
> 614, in run_script
> return_value = main_function()
> 
>   File "/usr/sbin/ipa-server-install", line 1103, in main
> sys.exit("Configuration of client side components
> failed!\nipa-client-install returned: " + str(e))
> 
> 2015-03-25T06:40:10Z INFO The ipa-server-install command failed,
> exception: SystemExit: Configuration of client side components failed!
> ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> --on-master --unattended --domain sd.int  --server
> ldap-inf-stg-sg1-01.sd.int  --realm
> SD.INT  --hostname ldap-inf-stg-sg1-01.sd.int
> ' returned non-zero exit status 1
> 
> 
> 
> This server is on AWS and I can confirm that all the above ports are open.
> Also, as it is installing on the same server where the IPA Server is being
> installed, ports should not be an issue.
> 
> Am I missing anything here?

Please also share ipaclient-install.log, it should show what is the exact
problem in the client component installation.



Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
Hi Martin,

Please find the client logs:



2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server': None,
'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'nisdomain':
None, 'prompt_password': False, 'permit': False, 'debug': False,
'preserve_sssd': False, 'uninstall': False}
2015-03-25T12:29:49Z DEBUG missing options might be asked for interactively
later
2015-03-25T12:29:49Z DEBUG Loading Index file from
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2015-03-25T12:29:49Z DEBUG Loading StateFile from
'/var/lib/ipa-client/sysrestore/sysrestore.state'
2015-03-25T12:29:49Z DEBUG [IPA Discovery]
2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
2015-03-25T12:29:49Z DEBUG Server and domain forced
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG [LDAP server check]
2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int (realm
sd.int) is an IPA server
2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
ldap-inf-stg-sg1-01.sd.int:389
2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for IPA
2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
context
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Validated servers:
2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
2015-03-25T12:29:49Z DEBUG IPA Server not found
2015-03-25T12:29:49Z DEBUG [IPA Discovery]
2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
2015-03-25T12:29:49Z DEBUG Server and domain forced
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG [LDAP server check]
2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int (realm
sd.int) is an IPA server
2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
ldap-inf-stg-sg1-01.sd.int:389
2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for IPA
2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
context
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Validated servers:
2015-03-25T12:29:49Z ERROR Failed to verify that ldap-inf-stg-sg1-01.sd.int
is an IPA Server.
2015-03-25T12:29:49Z ERROR This may mean that the remote server is not up
or is not reachable due to network or firewall settings.
2015-03-25T12:29:49Z INFO Please make sure the following ports are opened
in the firewall settings:
 TCP: 80, 88, 389
 UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
 TCP: 464
 UDP: 464, 123 (if NTP enabled)
2015-03-25T12:29:49Z DEBUG (ldap-inf-stg-sg1-01.sd.int: Provided as option)
2015-03-25T12:29:49Z ERROR Installation failed. Rolling back changes.
2015-03-25T12:29:49Z DEBUG Loading I

Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread Petr Spacek
Hello,

On 25.3.2015 13:38, Martin Kosek wrote:
> Good ones. Also Ccing PetrS and MartinB, who were directly involved in these
> features and original thread, for reference

In the meantime I have fixed this. As usual, a new OpenSSL package in F20 prevented
installation of our custom-built OpenSSL from the COPR repo.

It should work now; please upgrade your openssl to get this package from COPR:
http://copr.fedoraproject.org/coprs/mkosek/freeipa/build/83148/

Petr^2 Spacek

> On 03/25/2015 11:46 AM, John Obaterspok wrote:
>> Hi Jan,
>>
>> See:
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00131.html
>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html
>>
>> -- john
>>
>> 2015-03-24 17:58 GMT+01:00 Jan Pazdziora :
>>
>>>
>>> Hello,
>>>
>>> after enabling
>>>
>>>
>>> https://copr.fedoraproject.org/coprs/mkosek/freeipa/repo/fedora-20/mkosek-freeipa-fedora-20.repo
>>>
>>> I've installed
>>>
>>> freeipa-server bind bind-dyndb-ldap
>>>
>>> and run
>>>
>>> ipa-server-install --domain example.test
>>>
>>> The process failed at
>>>
>>>   [3/7]: setting up kerberos principal
>>>   [4/7]: setting up SoftHSM
>>>   [error] CalledProcessError: Command ''/usr/bin/softhsm2-util'
>>> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
>>> '--so-pin' ' returned non-zero exit status 1
>>> Unexpected error - see /var/log/ipaserver-install.log for details:
>>> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
>>> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
>>> returned non-zero exit status 1
>>>
>>> and the log file ends with
>>>
>>> 2015-03-24T16:49:51Z DEBUG Saving SO PIN to /etc/ipa/dnssec/softhsm_pin_so
>>> 2015-03-24T16:49:51Z DEBUG Initializing tokens
>>> 2015-03-24T16:49:51Z DEBUG Starting external process
>>> 2015-03-24T16:49:51Z DEBUG args='/usr/bin/softhsm2-util' '--init-token'
>>> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' 
>>> 2015-03-24T16:49:51Z DEBUG Process finished, return code=1
>>> 2015-03-24T16:49:51Z DEBUG stdout=
>>> 2015-03-24T16:49:51Z DEBUG stderr=ERROR: Could not load the library.
>>>
>>> 2015-03-24T16:49:51Z DEBUG Traceback (most recent call last):
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 382, in start_creation
>>> run_step(full_msg, method)
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 372, in run_step
>>> method()
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>> line 293, in __setup_softhsm
>>> ipautil.run(command, nolog=(pin, pin_so,))
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346,
>>> in run
>>> raise CalledProcessError(p.returncode, arg_string, stdout)
>>> CalledProcessError: Command ''/usr/bin/softhsm2-util' '--init-token'
>>> '--slot' '0' '--label' 'ipaDNSSEC' '--pin'  '--so-pin' '
>>> returned non-zero exit status 1
>>>
>>> 2015-03-24T16:49:51Z DEBUG   [error] CalledProcessError: Command
>>> ''/usr/bin/softhsm2-util' '--init-token' '--slot' '0' '--label' 'ipaDNSSEC'
>>> '--pin'  '--so-pin' ' returned non-zero exit status 1
>>> 2015-03-24T16:49:51Z DEBUG   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line
>>> 642, in run_script
>>> return_value = main_function()
>>>
>>>   File "/usr/sbin/ipa-server-install", line 1302, in main
>>> dnskeysyncd.create_instance(api.env.host, api.env.realm)
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>> line 146, in create_instance
>>> self.start_creation()
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 382, in start_creation
>>> run_step(full_msg, method)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>>> line 372, in run_step
>>> method()
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dnskeysyncinstance.py",
>>> line 293, in __setup_softhsm
>>> ipautil.run(command, nolog=(pin, pin_so,))
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 346,
>>> in run
>>> raise CalledProcessError(p.returncode, arg_string, stdout)
>>>
>>> 2015-03-24T16:49:51Z DEBUG The ipa-server-install command failed,
>>> exception: CalledProcessError: Command ''/usr/bin/softhsm2-util'
>>> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '--pin' 
>>> '--so-pin' ' returned non-zero exit status 1
>>>
>>> I've found discussion at
>>>
>>>
>>> https://www.redhat.com/archives/freeipa-users/2014-October/msg00362.html
>>>
>>> which seems related but it seems the issue is back or was never
>>> properly addressed.
>>>
>>> Attempt to run the command manually fails as well:
>>>
>>> # SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf /usr/bin/softhsm2-util
>>> '--init-token' '--slot' '0' '--label' 'ipaDNSSEC' '

[Freeipa-users] Requesting a cert for a user as opposed to a service.

2015-03-25 Thread Steve (st33v) Neuharth
Hello,

I hope this is an easy question to answer and forgive me if it has been 
answered before. I’ve read through the documentation on how to request an ssl 
cert and I cannot seem to find a process to request a client cert for a user. 

It seems that all certificates are linked to a kerberos service principal. If 
I’m creating a cert for a user entity, for a VPN client for example, how do I 
link the cert to an actual user account?

thanks for your help,
—steve


Re: [Freeipa-users] Requesting a cert for a user as opposed to a service.

2015-03-25 Thread Rob Crittenden
Steve (st33v) Neuharth wrote:
> Hello,
> 
> I hope this is an easy question to answer and forgive me if it has been 
> answered before. I’ve read through the documentation on how to request an ssl 
> cert and I cannot seem to find a process to request a client cert for a user. 
> 
> It seems that all certificates are linked to a kerberos service principal. If 
> I’m creating a cert for a user entity, for a VPN client for example, how do I 
> link the cert to an actual user account?
> 
> thanks for your help,
> —steve
> 

IPA doesn't currently support certificates for users. Policies for
service certificates are easy. Policies for user certificates are often
more complex.

It is being worked on.

rob


Re: [Freeipa-users] Requesting a cert for a user as opposed to a service.

2015-03-25 Thread Martin Kosek
On 03/25/2015 02:03 PM, Rob Crittenden wrote:
> Steve (st33v) Neuharth wrote:
>> Hello,
>>
>> I hope this is an easy question to answer and forgive me if it has been 
>> answered before. I’ve read through the documentation on how to request an 
>> ssl cert and I cannot seem to find a process to request a client cert for a 
>> user. 
>>
>> It seems that all certificates are linked to a kerberos service principal. 
>> If I’m creating a cert for a user entity, for a VPN client for example, how 
>> do I link the cert to an actual user account?
>>
>> thanks for your help,
>> —steve
>>
> 
> IPA doesn't currently support certificates for users. Policies for
> service certificates are easy. Policies for user certificates are often
> more complex.
> 
> It is being worked on.

Yup, it should be a FreeIPA 4.2 feature. Please feel free to track
https://fedorahosted.org/freeipa/ticket/4938

Would you be interested in eventually trying some Alpha/Beta version of this
functionality, to warn us about any potential problems of this feature in this
setup? (We are not there yet, just looking to see if there is interest.)


Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
I think I got the issue. The Realm Name entry in DNS is added in lower case
rather than UPPER.

2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int

Will try changing the Realm and see if that resolves it.




Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U


On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma  wrote:

> Hi Martin,
>
> Please find the client logs:
>
>
>
> 2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
> 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server': None,
> 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
> 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'nisdomain':
> None, 'prompt_password': False, 'permit': False, 'debug': False,
> 'preserve_sssd': False, 'uninstall': False}
> 2015-03-25T12:29:49Z DEBUG missing options might be asked for
> interactively later
> 2015-03-25T12:29:49Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
> ldap-inf-stg-sg1-01.sd.int
> 2015-03-25T12:29:49Z DEBUG Server and domain forced
> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
> udp.sd.int.
> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
> udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
> ldap-inf-stg-sg1-01.sd.int.}
> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
> (realm sd.int) is an IPA server
> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
> ldap-inf-stg-sg1-01.sd.int:389
> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
> IPA
> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
> context
> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
> dc=sd,dc=int (sub)
> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
> 2015-03-25T12:29:49Z DEBUG Validated servers:
> 2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
> 2015-03-25T12:29:49Z DEBUG IPA Server not found
> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
> ldap-inf-stg-sg1-01.sd.int
> 2015-03-25T12:29:49Z DEBUG Server and domain forced
> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
> udp.sd.int.
> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
> udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
> ldap-inf-stg-sg1-01.sd.int.}
> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
> (realm sd.int) is an IPA server
> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
> ldap-inf-stg-sg1-01.sd.int:389
> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
> IPA
> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
> context
> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
> dc=sd,dc=int (sub)
> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
> doma

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Martin Kosek
Ah, may be. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:

https://fedorahosted.org/freeipa/ticket/

Please let us know if the DNS update fixed the error.

Martin

On 03/25/2015 02:11 PM, Yogesh Sharma wrote:
> I think I got the issue. The Realm Name entry in DNS is added in lower case
> rather than UPPER.
> 
> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
> 
> Will try changing the Realm and see if that resolves it.
> 
> 
> 
> 
> Best Regards,
> 
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> 
> RHCE, VCE-CIA, RackSpace Cloud U
> 
> 
> On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma  wrote:
> 
>> Hi Martin,
>>
>> Please find the client logs:
>>
>>
>>
>> 2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
>> options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
>> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
>> 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server': None,
>> 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
>> 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
>> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
>> 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
>> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'nisdomain':
>> None, 'prompt_password': False, 'permit': False, 'debug': False,
>> 'preserve_sssd': False, 'uninstall': False}
>> 2015-03-25T12:29:49Z DEBUG missing options might be asked for
>> interactively later
>> 2015-03-25T12:29:49Z DEBUG Loading Index file from
>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
>> ldap-inf-stg-sg1-01.sd.int
>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
>> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
>> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
>> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
>> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
>> udp.sd.int.
>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
>> udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
>> ldap-inf-stg-sg1-01.sd.int.}
>> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
>> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
>> (realm sd.int) is an IPA server
>> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
>> ldap-inf-stg-sg1-01.sd.int:389
>> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
>> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
>> IPA
>> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
>> context
>> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
>> dc=sd,dc=int (sub)
>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>> 2015-03-25T12:29:49Z DEBUG Validated servers:
>> 2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
>> 2015-03-25T12:29:49Z DEBUG IPA Server not found
>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
>> ldap-inf-stg-sg1-01.sd.int
>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
>> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
>> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
>> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
>> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
>> udp.sd.int.
>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
>> udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
>> ldap-inf-stg-sg1-01.sd.int.}
>> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
>> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
>> (realm sd.int) is an IPA server
>> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
>> ldap-inf-stg-sg1-01.sd.int:389
>> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
>> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,d
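Yogesh's reading of the log and Martin's confirmation point at the same root cause: the `_kerberos.sd.int` TXT record hands the client the realm as `sd.int`, while the krbRealmContainer in LDAP is `SD.INT`, and the client of that era compared the two as exact strings. The following is an added example, not FreeIPA code: it pulls those discovery lines out of an ipaclient-install.log (re-joining lines a mail client wrapped) and classifies the disagreement; the sample log is constructed from the lines quoted in this thread, and the "fixed" variant only flips the TXT data to upper case.

```python
"""Triage helper for the REALM_NOT_FOUND failure seen in ipaclient-install.log.

Added example, not FreeIPA code. It extracts what ipa-client-install logged
during [Kerberos realm search] and [LDAP server check] and says whether the
realm learned from DNS agrees with the realm stored in LDAP.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the log lines quoted in this thread; the mail client wrapped
# long lines, which is exactly what a pasted log looks like in practice.
SAMPLE_LOG = """\
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG [LDAP server check]
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
"""

# Same log after the TXT record has been corrected to the upper-case realm
# (constructed; only the TXT rdata differs).
FIXED_LOG = SAMPLE_LOG.replace("rdata={data:sd.int}", "rdata={data:SD.INT}")

TIMESTAMP = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z "
TXT_RE = re.compile(r"DNSResult::name:(?P<name>[^,]+),type:16,class:\d+,"
                    r"rdata=\{data:(?P<realm>[^}]+)\}")
SRV_RE = re.compile(r"DNSResult::name:(?P<name>[^,]+),type:33,.*?"
                    r"port:(?P<port>\d+),.*?server:(?P<server>[^}]+)\}")
KRB_RE = re.compile(r"Found: cn=(?P<realm>[^,]+),cn=kerberos,")
RESULT_RE = re.compile(r"Discovery result: (?P<result>[A-Z_]+);")


@dataclass
class Discovery:
    dns_realm: Optional[str] = None   # rdata of the _kerberos.<domain> TXT record
    kdc: Optional[str] = None         # target of the _kerberos._udp SRV record
    kdc_port: Optional[int] = None
    ldap_realm: Optional[str] = None  # cn of the krbRealmContainer entry
    result: Optional[str] = None      # ipa-client-install's own verdict


def unwrap(log: str) -> str:
    """Re-join lines a mail client wrapped: a continuation line is any line
    that does not start with the ISO timestamp every log record carries."""
    return re.sub(r"\n(?!" + TIMESTAMP + ")", "", log)


def parse_discovery(log: str) -> Discovery:
    d = Discovery()
    for line in unwrap(log).splitlines():
        m = TXT_RE.search(line)
        if m and m.group("name").startswith("_kerberos."):
            d.dns_realm = m.group("realm")
            continue
        m = SRV_RE.search(line)
        if m and m.group("name").startswith("_kerberos._udp."):
            d.kdc, d.kdc_port = m.group("server"), int(m.group("port"))
            continue
        m = KRB_RE.search(line)
        if m:
            d.ldap_realm = m.group("realm")
            continue
        m = RESULT_RE.search(line)
        if m:
            d.result = m.group("result")
    return d


def classify(d: Discovery) -> str:
    """Compare the two sources of the realm name the way the failing client did
    (exact string match) and name the reason they disagree."""
    if d.dns_realm is None:
        return "NO_TXT_RECORD"
    if d.ldap_realm is None:
        return "NO_KRB_REALM_IN_LDAP"
    if d.dns_realm == d.ldap_realm:
        return "REALM_OK"
    if d.dns_realm.upper() == d.ldap_realm.upper():
        return "REALM_CASE_MISMATCH"   # the case this thread ran into
    return "REALM_MISMATCH"


def explain(d: Discovery) -> str:
    code = classify(d)
    messages = {
        "NO_TXT_RECORD": "no _kerberos TXT record found; the client cannot learn the realm from DNS",
        "NO_KRB_REALM_IN_LDAP": "no krbRealmContainer under the base DN; the server is not an IPA master for it",
        "REALM_OK": f"DNS and LDAP agree on realm {d.ldap_realm}; look at ports/firewall instead",
        "REALM_CASE_MISMATCH": (f"TXT record says {d.dns_realm!r} but LDAP says {d.ldap_realm!r}; "
                                "the client compared them case-sensitively (fixed in FreeIPA 4.0.2 "
                                f"per this thread), so publish the TXT record as {d.ldap_realm}"),
        "REALM_MISMATCH": f"TXT record {d.dns_realm!r} is a different realm than LDAP's {d.ldap_realm!r}",
    }
    return f"{code}: {messages[code]}"


if __name__ == "__main__":
    for label, log in (("as posted", SAMPLE_LOG), ("after DNS fix", FIXED_LOG)):
        d = parse_discovery(log)
        print(f"{label}: result={d.result} kdc={d.kdc}:{d.kdc_port} -> {explain(d)}")
```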

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
Hi Martin,

Finally, the issue has been resolved. :)

Is there an RPM available to install the latest IPA version on CentOS, or at
least version 4.0.2?




Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RackSpace Cloud U


On Wed, Mar 25, 2015 at 6:43 PM, Martin Kosek  wrote:

> Ah, may be. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:
>
> https://fedorahosted.org/freeipa/ticket/
>
> Please let us know if the DNS update fixed the error.
>
> Martin
>
> On 03/25/2015 02:11 PM, Yogesh Sharma wrote:
> > I think I got the issue. The Realm Name entry in DNS is added in lower case
> > rather than UPPER.
> >
> > 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
> > 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
> > domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
> >
> > Will try changing the Realm and see if that resolves it.
> >
> >
> >
> >
> > Best Regards,
> >
> > Yogesh Sharma
> > Email: yks0...@gmail.com | Web: www.initd.in
> >
> > RHCE, VCE-CIA, RackSpace Cloud U
> >
> >
> > On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma 
> wrote:
> >
> >> Hi Martin,
> >>
> >> Please find the client logs:
> >>
> >>
> >>
> >> 2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
> >> options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
> >> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
> >> 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server':
> None,
> >> 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
> >> 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
> >> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
> >> 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
> >> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None,
> 'nisdomain':
> >> None, 'prompt_password': False, 'permit': False, 'debug': False,
> >> 'preserve_sssd': False, 'uninstall': False}
> >> 2015-03-25T12:29:49Z DEBUG missing options might be asked for
> >> interactively later
> >> 2015-03-25T12:29:49Z DEBUG Loading Index file from
> >> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> >> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
> >> '/var/lib/ipa-client/sysrestore/sysrestore.state'
> >> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
> >> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
> >> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
> >> ldap-inf-stg-sg1-01.sd.int
> >> 2015-03-25T12:29:49Z DEBUG Server and domain forced
> >> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
> >> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _
> kerberos.sd.int.
> >> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
> >> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
> >> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._
> >> udp.sd.int.
> >> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._
> >> udp.sd.int
> .,type:33,class:1,rdata={priority:0,port:88,weight:100,server:
> >> ldap-inf-stg-sg1-01.sd.int.}
> >> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
> >> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
> >> (realm sd.int) is an IPA server
> >> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://
> >> ldap-inf-stg-sg1-01.sd.int:389
> >> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
> >> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for
> >> IPA
> >> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA
> >> context
> >> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in
> >> dc=sd,dc=int (sub)
> >> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
> >> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND;
> server=None,
> >> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
> >> 2015-03-25T12:29:49Z DEBUG Validated servers:
> >> 2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
> >> 2015-03-25T12:29:49Z DEBUG IPA Server not found
> >> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
> >> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
> >> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=
> >> ldap-inf-stg-sg1-01.sd.int
> >> 2015-03-25T12:29:49Z DEBUG Server and domain forced
> >> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
> >> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _
> kerberos.sd.int.
> >> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_
> >> kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
> >> 2015

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Martin Kosek
This should be in the official RHEL-7.1/CentOS-7.1 repos.

Or you can try our upstream CentOS-7 based Copr repo:

https://copr.fedoraproject.org/coprs/mkosek/freeipa/

On 03/25/2015 02:30 PM, Yogesh Sharma wrote:
> Hi Martin,
> 
> Finally, the issue has been resolved. :)
> 
> Is there an RPM available to install the latest IPA version on CentOS, or at
> least version 4.0.2?
> 
> 
> 
> 
> Best Regards,
> 
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
> 
> RHCE, VCE-CIA, RackSpace Cloud U
> 
> 
> On Wed, Mar 25, 2015 at 6:43 PM, Martin Kosek  wrote:
> 
>> Ah, may be. This is an issue we fixed in FreeIPA 4.0.2. Upstream ticket:
>>
>> https://fedorahosted.org/freeipa/ticket/
>>
>> Please let us know if the DNS update fixed the error.
>>
>> Martin
>>
>> On 03/25/2015 02:11 PM, Yogesh Sharma wrote:
>>> I think I got the issue. The Realm Name entry in DNS is added in lower case
>>> rather than UPPER.
>>>
>>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>>>
>>> Will try changing the Realm and see if that resolves it.
>>>
>>>
>>>
>>>
>>> *Best Regards,__*
>>>
>>> *Yogesh Sharma*
>>> *Email: yks0...@gmail.com  | Web: www.initd.in
>>> *
>>>
>>> RHCE, VCE-CIA, RackSpace Cloud U
>>> [image: My LinkedIn Profile] 
>>>
>>>
>>> On Wed, Mar 25, 2015 at 6:13 PM, Yogesh Sharma 
>> wrote:
>>>
>>>> Hi Martin,
>>>>
>>>> Please find the client logs:
>>>>
>>>> 2015-03-25T12:29:49Z DEBUG /usr/sbin/ipa-client-install was invoked with
>>>> options: {'domain': 'sd.int', 'force': False, 'krb5_offline_passwords':
>>>> True, 'primary': False, 'mkhomedir': False, 'create_sshfp': True,
>>>> 'conf_sshd': True, 'conf_ntp': True, 'on_master': True, 'ntp_server': None,
>>>> 'server': ['ldap-inf-stg-sg1-01.sd.int'], 'no_nisdomain': False,
>>>> 'principal': None, 'hostname': 'ldap-inf-stg-sg1-01.sd.int', 'no_ac':
>>>> False, 'unattended': True, 'sssd': True, 'trust_sshfp': False,
>>>> 'realm_name': 'SD.INT', 'dns_updates': False, 'conf_sudo': True,
>>>> 'conf_ssh': True, 'force_join': False, 'ca_cert_file': None, 'nisdomain':
>>>> None, 'prompt_password': False, 'permit': False, 'debug': False,
>>>> 'preserve_sssd': False, 'uninstall': False}
>>>> 2015-03-25T12:29:49Z DEBUG missing options might be asked for
>>>> interactively later
>>>> 2015-03-25T12:29:49Z DEBUG Loading Index file from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>>> 2015-03-25T12:29:49Z DEBUG Loading StateFile from
>>>> '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>>>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>>>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
>>>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
>>>> 2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
>>>> 2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
>>>> 2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
>>>> 2015-03-25T12:29:49Z DEBUG [LDAP server check]
>>>> 2015-03-25T12:29:49Z DEBUG Verifying that ldap-inf-stg-sg1-01.sd.int
>>>> (realm sd.int) is an IPA server
>>>> 2015-03-25T12:29:49Z DEBUG Init LDAP connection with: ldap://ldap-inf-stg-sg1-01.sd.int:389
>>>> 2015-03-25T12:29:49Z DEBUG Search LDAP server for IPA base DN
>>>> 2015-03-25T12:29:49Z DEBUG Check if naming context 'dc=sd,dc=int' is for IPA
>>>> 2015-03-25T12:29:49Z DEBUG Naming context 'dc=sd,dc=int' is a valid IPA context
>>>> 2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=sd,dc=int (sub)
>>>> 2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None,
>>>> domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
>>>> 2015-03-25T12:29:49Z DEBUG Validated servers:
>>>> 2015-03-25T12:29:49Z DEBUG will use discovered domain: sd.int
>>>> 2015-03-25T12:29:49Z DEBUG IPA Server not found
>>>> 2015-03-25T12:29:49Z DEBUG [IPA Discovery]
>>>> 2015-03-25T12:29:49Z DEBUG Starting IPA discovery with domain=sd.int,
>>>> servers=['ldap-inf-stg-sg1-01.sd.int'], hostname=ldap-inf-stg-sg1-01.sd.int
>>>> 2015-03-25T12:29:49Z DEBUG Server and domain forced
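The realm-case mismatch diagnosed in this thread, replayed as an added pre-flight check (example code, not from the thread or from FreeIPA): it pulls the realm out of the `_kerberos.<domain>` TXT record and the `krbRealmContainer` cn from constructed DEBUG lines like the ones above and compares them exactly, modelled on the case-sensitive comparison that the REALM_NOT_FOUND result for `sd.int` versus `SD.INT` implies. The result strings and the `diagnose` helper are assumptions of this example.

```python
"""Replay ipa-client-install's realm discovery over DEBUG log lines.

Added example, not FreeIPA code. The comparison is modelled on the log in the
thread: the TXT record supplied 'sd.int', LDAP held cn=SD.INT, and discovery
reported REALM_NOT_FOUND, so the check must be case-sensitive.
"""
import re

# Constructed from the DEBUG lines quoted in the thread.
SAMPLE_LOG = """\
2015-03-25T12:29:49Z DEBUG [Kerberos realm search]
2015-03-25T12:29:49Z DEBUG Search DNS for TXT record of _kerberos.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos.sd.int.,type:16,class:1,rdata={data:sd.int}
2015-03-25T12:29:49Z DEBUG Search DNS for SRV record of _kerberos._udp.sd.int.
2015-03-25T12:29:49Z DEBUG DNS record found: DNSResult::name:_kerberos._udp.sd.int.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:ldap-inf-stg-sg1-01.sd.int.}
2015-03-25T12:29:49Z DEBUG Search for (objectClass=krbRealmContainer) in dc=sd,dc=int (sub)
2015-03-25T12:29:49Z DEBUG Found: cn=SD.INT,cn=kerberos,dc=sd,dc=int
2015-03-25T12:29:49Z DEBUG Discovery result: REALM_NOT_FOUND; server=None, domain=sd.int, kdc=ldap-inf-stg-sg1-01.sd.int, basedn=dc=sd,dc=int
"""

# type:16 is TXT; the SRV line (type:33) is deliberately not matched.
TXT_RE = re.compile(
    r"DNSResult::name:(?P<name>_kerberos\.[^,]+),type:16,class:1,"
    r"rdata=\{data:(?P<realm>[^}]+)\}"
)
# The krbRealmContainer entry's cn is the realm the server actually serves.
LDAP_RE = re.compile(r"Found: cn=(?P<realm>[^,]+),cn=kerberos,")


def realm_from_txt(log):
    """Realm name published in the _kerberos.<domain> TXT record, or None."""
    m = TXT_RE.search(log)
    return m.group("realm") if m else None


def realm_from_ldap(log):
    """Realm name found in LDAP (cn of the krbRealmContainer), or None."""
    m = LDAP_RE.search(log)
    return m.group("realm") if m else None


def discovery_result(dns_realm, ldap_realm):
    """Case-sensitive comparison: Kerberos realm names are case-sensitive.

    Result strings are illustrative, chosen to mirror the log's wording.
    """
    if dns_realm is None or ldap_realm is None or dns_realm != ldap_realm:
        return "REALM_NOT_FOUND"
    return "SUCCESS"


def diagnose(log):
    """Report both realm sources, the outcome, and a hint for the case bug."""
    dns_realm = realm_from_txt(log)
    ldap_realm = realm_from_ldap(log)
    result = discovery_result(dns_realm, ldap_realm)
    hint = None
    if (result != "SUCCESS" and dns_realm and ldap_realm
            and dns_realm.upper() == ldap_realm.upper()):
        name = TXT_RE.search(log).group("name")
        hint = (f"TXT record {name} holds {dns_realm!r} but the realm container "
                f"is {ldap_realm!r}; realm names are case-sensitive, so the TXT "
                f"record must be republished as {ldap_realm!r}")
    return {"dns_realm": dns_realm, "ldap_realm": ldap_realm,
            "result": result, "hint": hint}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print(report["result"], report["dns_realm"], report["ldap_realm"])
    if report["hint"]:
        print(report["hint"])
```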

Re: [Freeipa-users] Configuration of client side components failed! on IPA Server

2015-03-25 Thread Yogesh Sharma
Thanks Martin for the help.




*Best Regards,__*

*Yogesh Sharma*
*Email: yks0...@gmail.com  | Web: www.initd.in
*

RHCE, VCE-CIA, RackSpace Cloud U
[image: My LinkedIn Profile] 



Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Guertin, David S.
Follow-up: today I tried clearing the sssd cache and restarting sssd on all 
three clients, and all three lost their AD users:

# rm -f /var/lib/sss/db/*
# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]
# id 'MIDD\juser'
id: MIDD\juser: No such user

David Guertin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Fedora 20 upstream repo ipa-server-install fails

2015-03-25 Thread Jan Pazdziora
On Wed, Mar 25, 2015 at 01:45:41PM +0100, Petr Spacek wrote:
> 
> On 25.3.2015 13:38, Martin Kosek wrote:
> > Good ones. Also Ccing PetrS and MartinB, who were directly involved in these
> > features and original thread, for reference
> 
> In meanwhile I have fixed this. As usual, new OpenSSL package in F20 prevented
> installation of our custom build OpenSSL from COPR repo.
> 
> It should work now, please upgrade your openssl to get this package from COPR:
> http://copr.fedoraproject.org/coprs/mkosek/freeipa/build/83148/

I confirm that my containers with Fedora 20 upstream IPA now work.

Thank you for the prompt fix!

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Simo Sorce
On Wed, 2015-03-25 at 14:46 +, Guertin, David S. wrote:
> Follow-up: today I tried clearing the sssd cache and restarting sssd on all 
> three clients, and all three lost their AD users:
> 
> # rm -f /var/lib/sss/db/*
> # service sssd restart
> Stopping sssd: [  OK  ]
> Starting sssd: [  OK  ]
> # id 'MIDD\juser'
> id: MIDD\juser: No such user
> 
> David Guertin
> 

This is normal, users are "loaded in" when they actually try to Log In.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-25 Thread Endi Sukma Dewata

Hi Michael,

It took longer than expected, but I finally managed to create the build:

https://edewata.fedorapeople.org/files/pki-common-9.0.3-39.el6_6.noarch.rpm

Please install it and retry the operation. I have not tried this myself, 
but it should generate more useful information.


Please let me know the exception that you see in /var/log/pki-ca/debug. 
Thanks.


--
Endi S. Dewata

On 3/24/2015 7:21 PM, Michael Pawlak wrote:

> Endi,
>
> Any word on the build?
>
> *Michael Pawlak*
> Web Systems Administrator | Colovore LLC
> E: m...@colovore.com
> C: 408.316.2154
>
>
> On Mon, Mar 23, 2015 at 2:55 PM, Michael Pawlak  wrote:
>
>> Endi,
>>
>> I could test that.
>>
>> *Michael Pawlak*
>> Web Systems Administrator | Colovore LLC
>> E: m...@colovore.com
>> C: 408.316.2154
>>
>>
>> On Mon, Mar 23, 2015 at 1:36 PM, Endi Sukma Dewata  wrote:
>>
>>> Thanks for the info. The transaction log doesn't indicate the
>>> cause of the problem either. I might need to provide a custom
>>> build that generates more useful information. Would you be able
>>> to test that? Thanks.
>>>
>>> --
>>> Endi S. Dewata
>>>
>>> - Original Message -
>>>> Endi,
>>>>
>>>> 1. I am currently using CentOS 6.5.
>>>>
>>>> 2. Below are the package versions.
>>>>
>>>> Former:
>>>> Don't have that information available
>>>>
>>>> Current:
>>>> pki-java-tools-9.0.3-38.el6_6.noarch
>>>> pki-silent-9.0.3-38.el6_6.noarch
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> pki-ca-9.0.3-38.el6_6.noarch
>>>> pki-setup-9.0.3-38.el6_6.noarch
>>>> pki-native-tools-9.0.3-38.el6_6.x86_64
>>>> pki-util-9.0.3-38.el6_6.noarch
>>>> pki-selinux-9.0.3-38.el6_6.noarch
>>>> pki-common-9.0.3-38.el6_6.noarch
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> pki-symkey-9.0.3-38.el6_6.x86_64
>>>>
>>>> 3. Attached
>>>>
>>>> *Michael Pawlak*
>>>> Web Systems Administrator | Colovore LLC
>>>> E: m...@colovore.com
>>>> C: 408.316.2154
>>>>
>>>> On Mon, Mar 23, 2015 at 12:14 PM, Endi Sukma Dewata  wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> Unfortunately the code doesn't log the exact cause of the problem. I need
>>>>> some additional info:
>>>>>
>>>>> 1. Which platform are you using?
>>>>> 2. What are the versions of the pki-* packages before and after upgrade?
>>>>> 3. Please provide the /etc/pki-ca/CS.cfg and /var/log/pki-ca/transactions.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> --
>>>>> Endi S. Dewata








[Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-25 Thread Coy Hile
When I look at the SPEC file for freeipa-4.1.3, I see requirements  
around Systemd.  Is that really a hard requirement, or is it possible  
to run newer FreeIPA (that is to say 4.x) on a host that hasn't been  
infested by systemd (such as CentOS 6, for example)?  At the moment,  
I'm speaking completely of the server components.


thanks,
-c

--
Coy Hile
coy.h...@coyhile.com



Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-25 Thread Rob Crittenden
Coy Hile wrote:
> When I look at the SPEC file for freeipa-4.1.3, I see requirements
> around Systemd.  Is that really a hard requirement, or is it possible to
> run newer FreeIPA (that is to say 4.x) on a host that hasn't been
> infested by systemd (such as CentOS 6, for example)?  At the moment, I'm
> speaking completely of the server components.

There are a slew of major dependencies that prevent IPA 4.x from working
in RHEL/CentOS 6. It would be quite non-trivial to try to backport
everything needed.

rob



Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.

Thanks very much, Martin and Dmitri!

thx
anthony

On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek  wrote:

> On 03/25/2015 04:11 AM, Dmitri Pal wrote:
> > On 03/24/2015 09:17 PM, Anthony Lanni wrote:
> >> While running ipa-server-install, it's failing out at the end with an
> error
> >> regarding the client install on the server. This happens regardless of
> how I
> >> input the options, but here's the latest command:
> >>
> >> ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM
> >>  -n example.com  -p passwd1 -a
> >> passwd2 --hostname=ldap-server-01.example.com
> >>  --forwarder=10.0.1.20
> >> --forwarder=10.0.1.21 --reverse-zone=1.0.10.in-addr.arpa. -d
> >>
> >> Runs through the entire setup and gives me this:
> >>
> >> [...]
> >> ipa : DEBUG  args=/usr/sbin/ipa-client-install --on-master
> >> --unattended --domain example.com  --server
> >> ldap-server-01.example.com  --realm
> >> EXAMPLE.COM  --hostname ldap-server-01.example.com
> >> 
> >> ipa : DEBUGstdout=
> >>
> >> ipa : DEBUGstderr=Hostname: ldap-server-01.example.com
> >> 
> >> Realm: EXAMPLE.COM 
> >> DNS Domain: example.com 
> >> IPA Server: ldap-server-01.example.com
> >> BaseDN: dc=example,dc=com
> >> New SSSD config will be created
> >> Configured /etc/sssd/sssd.conf
> >> Traceback (most recent call last):
> >>   File "/usr/sbin/ipa-client-install", line 2377, in 
> >> sys.exit(main())
> >>   File "/usr/sbin/ipa-client-install", line 2363, in main
> >> rval = install(options, env, fstore, statestore)
> >>   File "/usr/sbin/ipa-client-install", line 2135, in install
> >> delete_persistent_client_session_data(host_principal)
> >>   File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in
> >> delete_persistent_client_session_data
> >> kernel_keyring.del_key(keyname)
> >>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
> line
> >> 99, in del_key
> >> real_key = get_real_key(key)
> >>   File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py",
> line
> >> 45, in get_real_key
> >> (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE,
> key],
> >> raiseonerr=False)
> >
> > Is keyctl installed? Can you run it manually?
> > Any SELinux denials?
>
> You are likely hitting
> https://fedorahosted.org/freeipa/ticket/3808
>
> Please try installing keyutils before running ipa-server-install. It is
> fixed
> in RHEL-7, I filed us a RHEL-6 ticket, to fix it in this platform also:
> https://bugzilla.redhat.com/show_bug.cgi?id=1205660
>
> Martin
>

Re: [Freeipa-users] Having Issues with Dogtag After Updating IPA and Rebooting

2015-03-25 Thread Michael Pawlak
Endi,

Due to time constraints, we turned up another IPA server, migrated all DNS
and users and turned down this host. So, I think at this point installing
the package would be moot. Thanks for your help anyways.

*Michael Pawlak*
Web Systems Administrator | Colovore LLC
E: m...@colovore.com
C: 408.316.2154
  


Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

2015-03-25 Thread Bobby Prins

> On Mar 24, 2015, at 17:11, Dmitri Pal  wrote:
> 
> On 03/24/2015 11:45 AM, Bobby Prins wrote:
>>> - Oorspronkelijk bericht -
>>> Van: "Alexander Bokovoy" 
>>> Aan: "Bobby Prins" 
>>> Cc: d...@redhat.com, freeipa-users@redhat.com
>>> Verzonden: Dinsdag 24 maart 2015 15:13:38
>>> Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
>>> ipa_server_mode
>>> 
>>> On Tue, 24 Mar 2015, Bobby Prins wrote:
> - Oorspronkelijk bericht -
> Van: "Alexander Bokovoy" 
> Aan: "Bobby Prins" 
> Cc: d...@redhat.com, freeipa-users@redhat.com
> Verzonden: Maandag 23 maart 2015 16:44:47
> Onderwerp: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in 
> ipa_server_mode
> 
> ...
> 
> Can you show relevant parts of /var/log/dirsrv/slapd-EXAMPLE-CORP/access
> and sssd logs from IPA master (with debug_level = 10) at least in
> [domain], [nss], and [pam] sections.
> 
> You need to filter dirsrv logs by connection coming from AIX IP address
> and then by conn= where number is the same number as the one
> with IP address line.
> 
> When authenticating, AIX would talk to IPA LDAP server to compat tree
> and slapi-nis plugin which serves compat tree would do PAM
> authentication as service system-auth where SSSD on IPA master will do
> the actual authentication work.
> 
> --
> / Alexander Bokovoy
 Here you can see the DS connection from AIX:
 [24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 
 192.168.140.107 to 192.168.140.133
 [24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND 
 dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" 
 method=128 version=3
 [24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 
 etime=24 
 dn="uid=bpr...@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
 [24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
 
 As you can see it also takes quite some time to process the login.
 Could that be a problem?
>>> 24 seconds sounds like bprins2example.com is a member of few groups with
>>> big amount of members. On the other hand, BIND operation result is 0
>>> (success) and it doesn't look like AIX dropped the connection, at least
>>> there is no ABANDON within the context of this connection so AIX did not
>>> cancel the request by itself.
>>> 
>>> How long does it take on AIX side to report the inability to login? Is
>>> this time longer or shorter the one reported in etime= value on RESULT
>>> line above?
>>> 
 The SSSD log files are a bit large with debug_level set to 10 and it
 will take me some time to strip all customer data from it. Any log
 events in particular you would like to see?
>>> https://fedorahosted.org/sssd/wiki/Troubleshooting has explanation for
>>> some times of issues you might find in the SSSD logs. I'd be interested
>>> in "Common AD provider issues", "Troubleshooting authentication,
>>> password change and access control".
>>> 
>>> -- 
>>> / Alexander Bokovoy
>> The inability to login is reported in about the same time as the number of 
>> seconds you would find in the etime= field of the RESULT line.
>> 
>> I checked the "Common AD provider issues" and "Troubleshooting 
>> authentication, password change and access control" sections on the SSSD 
>> Troubleshooting page. None of the issues reported there seem to be 
>> applicable in my situation.
>> 
>> PAM logging on AIX:
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_start(login bpr...@example.corp)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(1)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(2)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(5)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(3)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(4)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(8)
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_authenticate()
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: load_modules: 
>> /usr/lib/security/pam_aix
>> Mar 24 16:23:10 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> load_function: successful load of pam_sm_authenticate
>> Mar 24 16:23:22 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_set_item(6)
>> Mar 24 16:23:37 tst01 auth|security:debug /usr/sbin/getty PAM: 
>> pam_authenticate: error Authentication failed
> 
> Seems like 15 sec timeout on the AIX side.
> Can you try with a user that does not have that many groups and see if that 
> works?
> If it does then we should assume it is an AIX side timeout and focus on 
> making sure the data gets over to IPA within this timeout.
I need to do some more testing.. Did not hav
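Alexander's log-filtering instructions from this thread (find the conn= ids opened from the AIX address, then that connection's BIND/RESULT pair and its etime), written up as an added Python helper. This is example code, not from the thread or from 389-ds; it runs over constructed access-log lines modelled on Bobby's, the 15 s threshold follows Dmitri's guess about the AIX side, and the second connection is invented so the IP filter has something to drop.

```python
"""Correlate 389-ds access-log lines by client IP and conn= number.

Added example, not code from the thread or from 389-ds/FreeIPA. It does the
filtering Alexander asks for: collect the conn= ids opened from the client
address, pair that connection's BIND with its RESULT, and flag binds whose
etime reaches the client-side timeout (15 s, Dmitri's assumption).
"""
import re

# Constructed sample log: the conn=96 lines quoted in the thread (user DN
# replaced by a placeholder) plus an invented fast conn=97 from another host.
SAMPLE_ACCESS_LOG = """\
[24/Mar/2015:12:53:19 +0100] conn=96 fd=110 slot=110 connection from 192.168.140.107 to 192.168.140.133
[24/Mar/2015:12:53:19 +0100] conn=97 fd=111 slot=111 connection from 192.168.140.50 to 192.168.140.133
[24/Mar/2015:12:53:20 +0100] conn=96 op=0 BIND dn="uid=aduser@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:20 +0100] conn=97 op=0 BIND dn="uid=localuser,cn=users,cn=accounts,dc=unix,dc=example,dc=corp" method=128 version=3
[24/Mar/2015:12:53:21 +0100] conn=97 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="uid=localuser,cn=users,cn=accounts,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=24 dn="uid=aduser@example.corp,cn=users,cn=compat,dc=unix,dc=example,dc=corp"
[24/Mar/2015:12:53:43 +0100] conn=96 op=-1 fd=110 closed - B1
[24/Mar/2015:12:53:44 +0100] conn=97 op=-1 fd=111 closed - U1
"""

CONN_OPEN_RE = re.compile(
    r"\] conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+")
# method=128 is a simple (password) bind, which is what the compat tree
# forwards to PAM/SSSD.
BIND_RE = re.compile(r'\] conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the LDAP BindResponse, so only those RESULT lines answer a BIND.
RESULT_RE = re.compile(
    r"\] conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=\d+ etime=([\d.]+)")


def conns_from_ip(log, client_ip):
    """Set of conn= ids whose 'connection from' line carries client_ip."""
    ids = set()
    for line in log.splitlines():
        m = CONN_OPEN_RE.search(line)
        if m and m.group(2) == client_ip:
            ids.add(int(m.group(1)))
    return ids


def bind_results(log, conn_ids):
    """Pair each BIND (conn, op) on the given connections with its RESULT."""
    pending = {}
    results = []
    for line in log.splitlines():
        m = BIND_RE.search(line)
        if m and int(m.group(1)) in conn_ids:
            key = (int(m.group(1)), int(m.group(2)))
            pending[key] = {"dn": m.group(3), "method": int(m.group(4))}
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in pending and int(m.group(4)) == 97:
                info = pending.pop(key)
                results.append({"conn": key[0], "op": key[1], "dn": info["dn"],
                                "err": int(m.group(3)),
                                "etime": float(m.group(5))})
    return results


def slow_binds(results, timeout_s=15.0):
    """Binds the server answered successfully but too late for the client."""
    return [r for r in results if r["err"] == 0 and r["etime"] >= timeout_s]


def analyse(log, client_ip, timeout_s=15.0):
    """Everything a troubleshooter wants for one client address."""
    conns = conns_from_ip(log, client_ip)
    results = bind_results(log, conns)
    return {"conns": sorted(conns), "binds": results,
            "slow": slow_binds(results, timeout_s)}


if __name__ == "__main__":
    report = analyse(SAMPLE_ACCESS_LOG, "192.168.140.107")
    for b in report["binds"]:
        flag = "SLOW" if b in report["slow"] else "ok"
        print(f"conn={b['conn']} op={b['op']} err={b['err']} "
              f"etime={b['etime']:.0f}s {flag} {b['dn']}")
```

A bind that is err=0 yet slower than the client's timeout is the signature to look for: the server succeeded, but the client had already given up, which is exactly the pattern the etime=24 line above shows.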

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-25 Thread Rob Crittenden
sipazzo wrote:
> Ok I finally was able to get a sandbox environment up to test the cert
> replacement. When I ran this stepgot to the cert request steps:
> ipa-getcert request -d /etc/dirsrv/slapd-IPADOMAIN-COM -n Server-Cert -p
> /etc/dirsrv/slapd-IPADOMAIN-COM/pwdfile.txt -C
> '/usr/lib64/ipa/certmonger/restart_dirsrv IPADOMAIN-COM' -N
> CN=idm2-corp.ipadomain.com -K ldap/ipa2-corp.ipadomain@ipadomain.com
> 
> I got a message saying the cert at same location is already used by
> request with nickname "20140729215511" , same when I ran it for
> /etc/httpd/alias. I continued on anyway but when I get to this step:

You need to tell certmonger to stop tracking the existing GoDaddy certs,
not that they would have been renewable anyway.

You may also need to remove them from the NSS database(s) using
something like:

# certutil -D -n 'nickname' -d /path/to/db

I think the subject will be different enough that it may be ok as-is.

The other errors are due to the fact that no certificate was issued.

rob

> 
>  # certutil -V -u V -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM
> 
> I get an error:
> certutil: could not find certificate named "Server-Cert":
> PR_FILE_NOT_FOUND_ERROR: File not found
> 
> Although running certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM/,
> returns this:
> 
> Certificate Nickname                       Trust Attributes
>                                            SSL,S/MIME,JAR/XPI
> 
> GD_CA                                      CT,C,C
> IPADOMAIN.COM IPA CA                       CT,,
> NWF_GD                                     u,u,u
> 
> 
> Showing that the IPA Dogtag cert is now listed whereas it was not
> previously. 
> 
> 
> 
> *From:* sipazzo 
> *To:* Rob Crittenden ; "freeipa-users@redhat.com"
> 
> *Sent:* Friday, March 13, 2015 1:32 PM
> *Subject:* Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
> 
> This environment is over 350 servers, many of which are in production so
> I may have to wait a bit for change management approval to attempt to
> resolve this issue, particularly if you think it might break something. 
> I will keep you updated on my progress. Thank you much.
> 
> 
> 
> 
> *From:* sipazzo 
> *To:* Rob Crittenden 
> *Cc:* "freeipa-users@redhat.com" 
> *Sent:* Friday, March 13, 2015 9:21 AM
> *Subject:* Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
> 
> 
> 
> 
> 
> -Original Message-
> From: freeipa-users-boun...@redhat.com
> 
> [mailto:freeipa-users-boun...@redhat.com
> ] On Behalf Of Rob Crittenden
> Sent: Thursday, March 12, 2015 1:52 PM
> To: sipazzo; freeipa-users@redhat.com 
> Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers
> 
> sipazzo wrote:
>> I do have other CAs (just not the master but it is available offline
>> if
>> needed)
> 
> To be clear, all IPA servers are masters, some just run more services
> than others. It sounds like you have at least one CA available which
> should be sufficient.
> 
>> Directory server is running
>> The apache web server is running and I can get to the gui ipa
>> cert-show 1 works
> 
> Ok. I guess the place to start is to get certs for Apache and 389-ds,
> then we can see about using these new certs.
> 
> In the thread you showed that the IPA 389-ds doesn't have a Server-Cert
> nickname. You'll want to do the same for /etc/httpd/alias before running
> the following commands otherwise you could end up with non-functional
> server.
> 
> These should get IPA certs for 389-ds and Apache. You'll need to edit
> these commands to match your environment:
> 
> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -p
> /etc/httpd/alias/pwdfile.txt -C /usr/lib64/ipa/certmonger/restart_httpd
> -N CN=ipa.example.com -K HTTP/ipa.example@example.com
> 
> 
> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -p
> /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt -C
> '/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM' -N
> CN=ipa.example.com -K ldap/ipa.example@example.com
> 
> 
> I'd do them one at a time and wait until the cert is issued and tracked.
> This will restart both Apache and 389-ds but it shouldn't affect
> operation because the certs won't be used yet.
> 
> You then need to get the old CA cert and put it into the right places.
> Since it is already in the PKI-IPA NSS database let's fetch it from
> there. For giggles you should probably save whatever the contents of
> /etc/ipa/ca.crt are before-hand.
> 
> # certutil -L -d /etc/dirsrv/slapd-PKI-IPA -n 'IPADOMAIN.COM IPA CA' -a
>> /etc/ipa/ca.crt
> 
> Now add that to the Apache an

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-25 Thread Dmitri Pal

On 03/25/2015 01:41 PM, Rob Crittenden wrote:

> Coy Hile wrote:
>> When I look at the SPEC file for freeipa-4.1.3, I see requirements
>> around Systemd.  Is that really a hard requirement, or is it possible to
>> run newer FreeIPA (that is to say 4.x) on a host that hasn't been
>> infested by systemd (such as CentOS 6, for example)?  At the moment, I'm
>> speaking completely of the server components.
>
> There are a slew of major dependencies that prevent IPA 4.x from working
> in RHEL/CentOS 6. It would be quite non-trivial to try to backport
> everything needed.
>
> rob

systemd is just one of the next generation technologies we had to deal 
with, but since we had to deal with it, we took advantage of it.
As Rob said, 4.x depends on many components that are not portable back to 
RHEL/CentOS 6.


Please consider Fedora 21/RHEL 7.1/CentOS 7.1 if you want to run latest 
bits.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Dmitri Pal

On 03/25/2015 11:44 AM, Simo Sorce wrote:

> On Wed, 2015-03-25 at 14:46 +, Guertin, David S. wrote:
>> Follow-up: today I tried clearing the sssd cache and restarting sssd on all 
>> three clients, and all three lost their AD users:
>>
>> # rm -f /var/lib/sss/db/*
>> # service sssd restart
>> Stopping sssd: [  OK  ]
>> Starting sssd: [  OK  ]
>> # id 'MIDD\juser'
>> id: MIDD\juser: No such user
>>
>> David Guertin
>
> This is normal, users are "loaded in" when they actually try to Log In.
>
> Simo.

Yes. The ability to look up AD users that never authenticated was added 
in 7.1 and 6.7 (i.e. SSSD 1.12)


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] bind-dyndb-ldap vs DLZ

2015-03-25 Thread Jorgen Lundman

Thanks for your email, (I have included the ML in this reply)

We run Solaris with bind+DLZ+ldap on the DNS servers, and are looking at
better performance. Which means evaluating bind-dyndb-ldap. I did some
minor tweaks to compile bind-dyndb on Solaris.

Since we already have large systems running in production, with
provisioning, and support tools, it is unlikely we would change the schema.
It would probably be less work for me to fork bind-dyndb and massage it
into handling DLZ schema directly.

But before that, we are just evaluating bind-dyndb to decide if it fits
with our systems.

I loaded the 300k zones we have in DLZ-LDAP, into bind-dyndb schema (Just
SOA records with a single ARecord).

[1]
The first issue is that starting named takes about 50 mins. This is a bit
of an issue as there is no resolving while it is starting. This seems to be
the same delay each time I start it. slapd is running on localhost, and is
otherwise idle. It is just a large syncrepl for 300k records, always
starting from epoch...

[2]
Is it supposed to be able to use the "dump-file" on exit for faster loads?
Perhaps I broke something while porting it to Solaris. I see it create
directories for each zone, only to create an empty "keys" directory. In
addition to that, having 300k entries in one directory might need hashing.
ZFS is ok with it, but it tends to slow down.

However, once it is loaded, it is much faster than DLZ+LDAP. Previous
system would see about 300qps. (All zones, plus
/usr/share/dict/words+".com" with dnsperf)

bind-dyndb gave the same benchmarking test 18796qps.

Now, interestingly, I can also define a DLZ+LDAP line in named.conf after
the bind-dyndb. This has the effect that while bind-dyndb is taking 50 mins
to start up, it will resolve names using DLZ+LDAP. Sure, at the worse qps
of course, but it is at least resolving.

[3]
However, that has a side-effect that, once bind-dyndb is loaded, it will
also query DLZ+LDAP on negative entries. Thus decreasing the performance to
3884qps.  Wonder if there is a way to have bind-dyndb ignore DLZ+LDAP /once
it has loaded/.

That is our current situation.

Sincerely,

Lund

PS. There are some minor faults in the example.ldif: for instance, the entry
"idnsName=example.com" has idnsName "ipatest.com", and it is missing an NSRecord.


Petr Spacek wrote:
> On 25.3.2015 04:45, Jorgen Lundman wrote:
>>
>> Hey Petr,
>>
>> Your name came up on the DLZ list a while back and I was interested in
>> bind-dyndb-ldap. We run DLZ-LDAP here, and after this weeks DDOS
>> firefighting we are looking at increasing our qps.
>>
>> At the moment, each BIND-DLZ-LDAP server can do about 200qps, which is
>> pretty low. But for authoritative it has been sufficient until now. I have
>> fixed DLZ-LDAP, enabling MULTITHREADED (it is off by default for some
>> reason) but still, it has to query the DB each time. The thing refuses to
>> use more than 130MB of cache, each server has 32GB so that is a bit
>> annoying. :)
>>
>> Biggest issue with bind-dyndb-ldap is the schema difference to DLZ's
>> schema.  Most items can probably be handled with straight keyword rename,
>> but one of the larger differences is that bind-dyndb-ldap handles multiple
>> "ARecord" for one entry, whereas DLZ uses that odd "A1,DNSHostName=foo" and
>> "A2,DNSHostName=foo" to do multiples.
>>
>> Do you know if anyone has already looked at DLZ to bind-dyndb-ldap
>> migration? I suppose as a test case (to see what qps I can get), I can
>> convert the DLZ LDAP into zone files, then back to bind-dyndb-ldap schema
>> using your supplied scripts.
>>
>> If you have time, drop me a line.
> 
> Hello!
> 
> As far as I know there is no DLZ->bind-dyndb-ldap converter.
> 
> I would say that the easiest way is to do an AXFR from the DLZ-backed zone, save
> it to a file and feed the zone file into
> https://github.com/pspacek/zone2dyndb-ldif
> 
> IMHO it is not worth developing a special DLZ->bind-dyndb-ldap converter because
> we can always use the zone file format as an intermediate step.
> 
> LDAP schema used by bind-dyndb-ldap is described on:
> https://fedorahosted.org/bind-dyndb-ldap/wiki/LDAPSchema
> 
> 
> If you have any further questions please contact freeipa-users@redhat.com
> mailing list so everyone including search engines can see it :-)
> 
> Thank you for understanding and have a nice day!
> 

-- 
Jorgen Lundman   | 
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo| +81 (0)90-5578-8500  (cell)
Japan| +81 (0)3 -3375-1767  (home)

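
Petr's suggestion above (AXFR the DLZ-backed zone to a file, then convert the zone file) is easy to prototype. What follows is an added example written for this archive; it is not zone2dyndb-ldif and not part of bind-dyndb-ldap. It parses a small master-format zone and emits LDIF in the bind-dyndb-ldap layout (one idnsZone entry for the apex, one idnsRecord entry per owner name), which is exactly where the schema difference Jorgen describes shows up: the two A records for www become one entry with a multi-valued aRecord, where DLZ needs separate A1/A2 entries. The base DN cn=dns,dc=example,dc=com, the sample zone and the record-type-to-attribute table are assumptions; check the attribute names against the LDAPSchema page linked above before loading anything into a production directory.

```python
"""Zone file -> bind-dyndb-ldap style LDIF (added example, not zone2dyndb-ldif).

Assumptions (not from the thread): records live under cn=dns,dc=example,dc=com
and the attribute names follow the bind-dyndb-ldap schema as the author of this
example knows it (idnsZone/idnsRecord, aRecord, nSRecord, ...). Only the record
types needed for the sample are mapped.
"""
import re

# Constructed sample zone: 'www' has two A records, which DLZ expresses as
# separate A1/A2 entries but bind-dyndb-ldap stores as one entry with a
# multi-valued aRecord attribute.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2015032501 ; serial
            10800      ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
        IN NS  ns1.example.com.
        IN NS  ns2.example.com.
        IN MX  10 mail.example.com.
ns1     IN A   10.0.0.1
ns2     IN A   10.0.0.2
mail    IN A   10.0.0.20
www     IN A   10.0.0.11
www     IN A   10.0.0.12
"""

SOA_ATTRS = ("idnsSOAmName", "idnsSOArName", "idnsSOAserial", "idnsSOArefresh",
             "idnsSOAretry", "idnsSOAexpire", "idnsSOAminimum")
# Assumed mapping from RR type to bind-dyndb-ldap attribute name.
RR_TO_ATTR = {"A": "aRecord", "AAAA": "aAAARecord", "NS": "nSRecord",
              "CNAME": "cNAMERecord", "MX": "mXRecord", "TXT": "tXTRecord",
              "PTR": "pTRRecord"}


def _relative(name, origin):
    """Owner name relative to the zone origin ('@' for the apex); reject out-of-zone names."""
    if name in ("@", origin):
        return "@"
    if name.endswith("."):
        if name.endswith("." + origin):
            return name[: -len(origin) - 1]
        raise ValueError(f"owner {name} is outside zone {origin}")
    return name


def parse_zone(text, origin):
    """Return [(owner, type, rdata)] for a simple master-file zone."""
    body = re.sub(r";[^\n]*", "", text)                                    # drop comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # fold ( ... )
    records, last_owner = [], "@"
    for line in body.splitlines():
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else _relative(fields.pop(0), origin)
        if fields and fields[0].isdigit():        # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((owner, rtype, " ".join(fields)))
        last_owner = owner
    return records


def zone_to_ldif(text, zone, base_dn):
    """Emit one idnsZone entry for the apex plus one idnsRecord entry per owner name."""
    by_owner, soa = {}, None
    for owner, rtype, rdata in parse_zone(text, zone.rstrip(".") + "."):
        if rtype == "SOA":
            if owner != "@":
                raise ValueError("SOA must be at the zone apex")
            soa = rdata.split()
            continue
        if rtype not in RR_TO_ATTR:
            raise ValueError(f"no attribute mapping for {rtype} records")
        by_owner.setdefault(owner, []).append((RR_TO_ATTR[rtype], rdata))
    if soa is None or len(soa) != len(SOA_ATTRS):
        raise ValueError("zone needs one complete SOA record")
    zone_dn = f"idnsName={zone},{base_dn}"
    out = [f"dn: {zone_dn}", "objectClass: top", "objectClass: idnsZone",
           "objectClass: idnsRecord", f"idnsName: {zone}", "idnsZoneActive: TRUE"]
    out += [f"{attr}: {val}" for attr, val in zip(SOA_ATTRS, soa)]
    out += [f"{attr}: {val}" for attr, val in by_owner.pop("@", [])]  # apex NS/MX
    out.append("")
    for owner, rrs in by_owner.items():
        out += [f"dn: idnsName={owner},{zone_dn}", "objectClass: top",
                "objectClass: idnsRecord", f"idnsName: {owner}"]
        out += [f"{attr}: {val}" for attr, val in rrs]
        out.append("")
    return "\n".join(out)


def entries(ldif):
    """Split LDIF text into {dn: [(attr, value), ...]} so the output can be inspected."""
    result = {}
    for block in ldif.strip().split("\n\n"):
        lines = [l.split(": ", 1) for l in block.splitlines()]
        result[lines[0][1]] = [(a, v) for a, v in lines[1:]]
    return result


if __name__ == "__main__":
    print(zone_to_ldif(SAMPLE_ZONE, "example.com", "cn=dns,dc=example,dc=com"))
```

Running the file prints the LDIF; pipe it into ldapadd against a test directory. The parser deliberately rejects owner names outside the zone instead of silently dropping them, so a bad AXFR shows up as an error rather than as missing records.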


[Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread g . fer . ordas

Hi

I am setting up a plain and simple sssd service against my FreeIPA 
Server.
The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the 
client box is ubuntu: Ubuntu 12.04.5 LTS


The Users and Credentials are being Synched out of an AD Server (the 
passwords happened to be transferred using the PassSync Service)


Now.. I wanted to setup a very simple sssd service (not the FreeIPA 
client service)
And so far I succeeded on synching the users along with the passwords 
using SSSD.


Now, Trying to get the sudo access sorted I cannot see that working, and 
I came across some documentation mentioning SSSD is NOT currently 
supporting IPA schema for the SUDOers

if that is the case

Can anybody point me to the right document or procedure in terms of 
getting also the sudoers installed?


Would it be possible, somehow, to have this sorted WITHOUT using the 
ipa-client?


many thanks!




Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Dmitri Pal

On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:

Hi

I am setting up a plain and simple sssd service against my FreeIPA 
Server.
The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the 
client box is ubuntu: Ubuntu 12.04.5 LTS


The Users and Credentials are being Synched out of an AD Server (the 
passwords happened to be transferred using the PassSync Service)


Now.. I wanted to setup a very simple sssd service (not the FreeIPA 
client service)
And so far I succeeded on synching the users along with the passwords 
using SSSD.


Now, Trying to get the sudo access sorted I cannot see that working, 
and I came across some documentation mentioning SSSD is NOT currently 
supporting IPA schema for the SUDOers

if that is the case

Can anybody point me to the right document or procedure in terms of 
getting also the sudoers installed?


Would it be possible, somehow, to have this sorted WITHOUT using the 
ipa-client?


many thanks!



http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] subjectAlternitiveName for webservice

2015-03-25 Thread Matt .
OK, quite clear, but I think that is not going to help me. If you ask
me, I might be wrong here, as this is what I get:

# wget https://ldap.mydomain.tld/ipa/json
--2015-03-26 01:22:51--  https://ldap.mydomain.tld/ipa/json
Resolving ldap.mydomain.tld (ldap.mydomain.tld)... 10.100.0.250
Connecting to ldap.mydomain.tld
(ldap.mydomain.tld)|10.100.0.250|:443... connected.
ERROR: cannot verify ldap.mydomain.tld's certificate, issued by
'/O=MYDOMAIN.TLD/CN=Certificate Authority':
  Self-signed certificate encountered.
ERROR: certificate common name 'ldap-01.mydomain.tld' doesn't
match requested host name 'ldap.mydomain.tld'.
To connect to ldap.mydomain.tld insecurely, use `--no-check-certificate'.

(I used the gui that actually worked quite OK following the docs,
tried your version also but got stuck as I did it on the IPA server,
need to recheck that)

I think this happens because I use the ca.crt from /etc/ipa/ca.crt and
the one I generated in the same file. I need to have them both in my
curl certificate.

I might be wrong here, but this is where I'm at.

Thanks again for your patience.

Matt



2015-03-20 15:39 GMT+01:00 Rob Crittenden:
> Matt . wrote:
>> The right way to request a SAN; this seems to need some extra config file?
>
> Like I said before, use certmonger, it makes life easier.
>
> I'll create a new host balancer.example.com with a HTTP service. I'll
> generate a cert with a SAN for idp.example.com in that service. I'm
> generating the cert on idp.example.com, hence the service-add-host bit.
>
> On 4.1 (freeipa-server-4.1.3-2.fc22.x86_64)
>
> # kinit admin
> # ipa host-add balancer.example.com
> # ipa service-add HTTP/balancer.example.com --force
> # ipa service-add-host --hosts=idp.example.com HTTP/balancer.example.com
> # ipa-getcert request -f /etc/pki/tls/certs/balancer.pem -k
> /etc/pki/tls/private/balancer.key -N CN=balancer.example.com -K
> HTTP/balancer.example.com -D idp.example.com
> # getcert list -i  until it goes to MONITORING
> # openssl x509 -text -in /etc/pki/tls/certs/balancer.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 11 (0xb)
> Signature Algorithm: sha256WithRSAEncryption
> Issuer: O=EXAMPLE.COM, CN=Certificate Authority
> Validity
> Not Before: Mar 20 14:29:33 2015 GMT
> Not After : Mar 20 14:29:33 2017 GMT
> Subject: O=EXAMPLE.COM, CN=balancer.example.com
> [SNIP]
> X509v3 extensions:
> [SNIP]
> X509v3 Subject Alternative Name:
> DNS:idp.example.com, othername:,
> othername:
> [SNIP]
>
> SAN was definitely not supported in 3.0. Not sure about 3.3, should work
> in 4.0+.
>
> rob
>
>>
>> 2015-03-19 15:04 GMT+01:00 Rob Crittenden:
>>> Matt . wrote:
 Isn't this documented well (yet) ?
>>>
>>> Is what documented yet?
>>>
>>> rob
>>>

 The RH docs are always very detailed about it, but I'm not sure
 here... I see solutions but not 100% from A to Z to make sure we do it
 the proper way.

 2015-03-12 16:59 GMT+01:00 Matt . :
> Not worried, I need to try.
>
> I think it's not an issue as we use persistence for the connection. We
> only do some user adding/changing stuff, nothing really fancy but it
> needs to be decent. As persistence comes in I think we don't have to
> worry about it, we discussed that here earlier as I remember.
>
> Or do I ?
>
> Something else; did you have a nice PTO?
>
> 2015-03-12 15:54 GMT+01:00 Rob Crittenden:
>> Matt . wrote:
>>> Hi,
>>>
>>> Security wise I can understand that.
>>>
>>> Yes I have read about that... but that would let me use the
>>> loadbalancer to connect ? I was not sure if the SAN would "connect" as
>>> "other" host.
>>
>> Kerberos through a load balancer can be a problem. Is this what you're
>> worried about?
>>
>> rob
>>
>>>
>>> 2015-03-12 15:07 GMT+01:00 Rob Crittenden:
 Matt . wrote:
> Hi Guys,
>
> Is Rob able to look at this ? I hope he has some sparetime as I'm
> kinda stuck with this issue.

 Wildcard certs are not supported.

 You can request a SAN with certmonger using -D . That will work
 with IPA 4.x for sure, maybe 3.3.5.

 rob

>
> Thanks!
>
>
>
> 2015-03-08 12:30 GMT+01:00 Matt . :
>> I'm reviewing some things.
>>
>> When I'm using a loadbalancer, which I prefer in this setup I need to
>> have the same certificates on both servers. Maybe a wildcard for my
>> domain could do instead of having only both fqdn's of the servers
>> including the loadbalancer's fqdn.
>>
>> But the question remains, how?
>>
>>
>>
>> 2015-03-07 10:37 GMT+01:00 Matt . :
>>> Hi,
>>>
>>> I will balance with IP persistan
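
The wget failure Matt shows above is the name-matching rule, not the trust chain: per RFC 2818 and RFC 6125 a client compares the requested host name against the dNSName values in subjectAltName whenever any are present, and consults the subject CN only when there are none. Here is an added example (written for this archive, not from the thread, certmonger or FreeIPA) of that rule applied to constructed stand-ins for the three certificates discussed: the CN-only certificate Matt's wget saw, Rob's certificate with CN=balancer.example.com and SAN DNS:idp.example.com, and an assumed fixed certificate that lists both names. The caveat it makes visible: once a SAN dNSName exists the CN is no longer consulted, so the SAN must list every name the service answers to, the subject's own included; with ipa-getcert that means one -D per name.

```python
"""Host name vs. certificate name matching (added example, not from the thread).

Implements the RFC 2818 / RFC 6125 rule clients such as wget apply: if the
certificate carries any dNSName in subjectAltName, only those names are
compared; the subject CN is used only when there is no SAN dNSName at all.
The dicts below are constructed stand-ins for parsed certificates.
"""

# What Matt's wget saw: CN only, no SAN, requested under the balancer name.
LB_CERT_AS_SEEN = {"subject_cn": "ldap-01.mydomain.tld", "san_dns": []}
# Rob's example: CN=balancer.example.com with SAN DNS:idp.example.com only.
ROB_CERT = {"subject_cn": "balancer.example.com", "san_dns": ["idp.example.com"]}
# Assumed fix: every name the service answers to is listed in the SAN.
FIXED_CERT = {"subject_cn": "balancer.example.com",
              "san_dns": ["balancer.example.com", "idp.example.com"]}


def _name_matches(pattern, host):
    """Match one certificate name against a host; '*' only as the whole left-most label."""
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    # The wildcard covers exactly one label and must leave at least two fixed
    # labels, so '*.example.com' matches www.example.com but neither
    # example.com nor a.b.example.com, and '*.com' matches nothing.
    return (len(plabels) == len(hlabels) and len(plabels) >= 3
            and plabels[1:] == hlabels[1:])


def candidate_names(cert):
    """Names a client may compare: the SAN dNSNames, else the subject CN."""
    san = [n.lower().rstrip(".") for n in cert.get("san_dns", [])]
    return san if san else [cert["subject_cn"].lower().rstrip(".")]


def hostname_matches(cert, hostname):
    """True when the requested host name is covered by the certificate."""
    host = hostname.lower().rstrip(".")
    return any(_name_matches(name, host) for name in candidate_names(cert))


def explain(cert, hostname):
    """Return a wget-style verdict line for the reader."""
    if hostname_matches(cert, hostname):
        return f"{hostname}: OK"
    return (f"{hostname}: certificate names {candidate_names(cert)} do not match "
            f"requested host name '{hostname}'")


if __name__ == "__main__":
    for cert in (LB_CERT_AS_SEEN, ROB_CERT, FIXED_CERT):
        for host in ("ldap.mydomain.tld", "balancer.example.com", "idp.example.com"):
            print(explain(cert, host))
```

The ROB_CERT case is the one to look at before putting a balancer in front of the API: with only idp.example.com in the SAN, a strict client connecting to balancer.example.com itself is refused even though that name is the CN.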

[Freeipa-users] clarification on expired password behaviour

2015-03-25 Thread Les Stott
Hi All,

Running freeipa 3.0.0.42 on rhel 6.6, all standard packages.

I also have freeradius installed which is used for network devices (cisco, 
brocade, f5, ucs etc) to authenticate users. Freeradius is using the ldap store 
in FreeIPA as an authentication backend.

All is working fine.

But I would like clarification on the following...

A user account in freeipa is showing up as having an expired password. This is 
confirmed by logging into the freeipa web interface or ssh and seeing a prompt 
to change password immediately.

If I choose to not set the password, it remains expired.

Now, if I try to access a network device that is using radius based auth, using 
the account with the expired password, it successfully logs in even though the 
password is expired.

Is this normal? i.e. a password can still be used even if it's in an expired 
state?

I understand that going via radius using freeipa as an ldap backend is not the 
normal process.

Is there a way to make password authentication fail if a password is expired 
when used in this scenario?

Thanks in advance,

Regards,

Les


Re: [Freeipa-users] clarification on expired password behaviour

2015-03-25 Thread Dmitri Pal

On 03/25/2015 09:14 PM, Les Stott wrote:


Hi All,

Running freeipa 3.0.0.42 on rhel 6.6, all standard packages.

I also have freeradius installed which is used for network devices 
(cisco, brocade, f5, ucs etc) to authenticate users. Freeradius is 
using the ldap store in FreeIPA as an authentication backend.


All is working fine.

But I would like clarification on the following...

A user account in freeipa is showing up as having an expired password. 
This is confirmed by logging into the freeipa web interface or ssh and 
seeing a prompt to change password immediately.


If I choose to not set the password, it remains expired.

Now, if I try to access a network device that is using radius based 
auth, using the account with the expired password, it successfully 
logs in even though the password is expired.


Is this normal? i.e. a password can still be used even if it's in an 
expired state?


I understand that going via radius using freeipa as an ldap backend is 
not the normal process.


Is there a way to make password authentication fail if a password is 
expired when used in this scenario?


Thanks in advance,

Regards,

Les






https://fedorahosted.org/freeipa/ticket/1539

You can see the details in the ticket.

The workaround will be to use kinit instead of LDAP for authentication 
in freeradius or use pam and leverage SSSD as an IPA client on the 
RADIUS server.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

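
Ticket 1539 is about the gap Les hit: an LDAP simple bind only verifies the password and does not apply the Kerberos password policy, so an expired password still binds. The thread's workarounds are to authenticate with kinit or via PAM/SSSD. As an added example (written for this archive, not from the thread, FreeIPA or FreeRADIUS) of a third option for a backend that has to keep the LDAP bind, the code below reads the IPA user attributes krbPasswordExpiration and nsAccountLock after the bind and refuses the request when the password is expired, the account is disabled, or the state cannot be read. The entries and the clock are constructed; a real module would fetch the entry from cn=users,cn=accounts under the bind DN, which is why the bind result is passed in rather than performed here.

```python
"""Post-bind password-state check for an LDAP-bound RADIUS backend.

Added example, not from the thread, FreeRADIUS or FreeIPA. An LDAP simple
bind succeeds even when IPA considers the password expired, so a backend
that insists on LDAP bind has to read the Kerberos policy state itself.
krbPasswordExpiration and nsAccountLock are the IPA user attributes; the
entries below are constructed, not read from a server.
"""
from datetime import datetime, timezone

# Constructed user entries, shaped like an LDAP search over
# cn=users,cn=accounts would return them.
USERS = {
    "alice": {"uid": "alice", "krbPasswordExpiration": "20150301000000Z"},  # expired
    "bob":   {"uid": "bob",   "krbPasswordExpiration": "20160325120000Z"},  # valid
    "carol": {"uid": "carol", "krbPasswordExpiration": "20160325120000Z",
              "nsAccountLock": "TRUE"},                                    # disabled
    "dave":  {"uid": "dave"},                                              # attribute not readable
}
NOW = datetime(2015, 3, 26, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def parse_generalized_time(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, now):
    """'expired', 'valid', or 'unknown' when krbPasswordExpiration is absent."""
    exp = entry.get("krbPasswordExpiration")
    if exp is None:
        return "unknown"
    return "expired" if parse_generalized_time(exp) <= now else "valid"


def account_locked(entry):
    """nsAccountLock: TRUE is how IPA marks a disabled user."""
    return entry.get("nsAccountLock", "FALSE").upper() == "TRUE"


def authorize(entry, bind_succeeded, now):
    """Decision a RADIUS module should make once the LDAP bind result is known.

    Returns (accept, reason). Fails closed: an unreadable expiration attribute
    rejects the login instead of letting an expired password through.
    """
    if not bind_succeeded:
        return False, "bad password"
    if account_locked(entry):
        return False, "account disabled (nsAccountLock)"
    state = password_state(entry, now)
    if state == "expired":
        return False, "password expired (krbPasswordExpiration)"
    if state == "unknown":
        return False, "password state unknown"
    return True, "ok"


if __name__ == "__main__":
    for uid, entry in USERS.items():
        print(uid, authorize(entry, True, NOW))
```

Whatever identity FreeRADIUS binds as must be allowed by an ACI to read krbPasswordExpiration; the fail-closed branch exists so that a missing attribute surfaces as rejected logins rather than as silently accepted expired passwords.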

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Gonzalo Fernandez Ordas
Exactly the document I was having a look at.
In simple words, is it possible to work this around, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still seems fully 
LDAP/SSSD compatible.

Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last tiny bit 
to get sorted, which is hugely frustrating.

Thanks for all the support 
Sent from Type Mail



On Mar 25, 2015, at 5:35 PM, Dmitri Pal wrote:
>On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:
>> Hi
>>
>> I am setting up a plain and simple sssd service against my FreeIPA 
>> Server.
>> The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the 
>> client box is ubuntu: Ubuntu 12.04.5 LTS
>>
>> The Users and Credentials are being Synched out of an AD Server (the 
>> passwords happened to be transferred using the PassSync Service)
>>
>> Now.. I wanted to setup a very simple sssd service (not the FreeIPA 
>> client service)
>> And so far I succeeded on synching the users along with the passwords
>
>> using SSSD.
>>
>> Now, Trying to get the sudo access sorted I cannot see that working, 
>> and I came across some documentation mentioning SSSD is NOT currently
>
>> supporting IPA schema for the SUDOers
>> if that is the case
>>
>> Can anybody point me to the right document or procedure in terms of 
>> getting also the sudoers installed?
>>
>> Would it be possible, somehow, to have this sorted WITHOUT using the 
>> ipa-client?
>>
>> many thanks!
>>
>>
>http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>-- 
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager IdM portfolio
>Red Hat, Inc.
>

Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Dmitri Pal

On 03/25/2015 10:41 PM, Gonzalo Fernandez Ordas wrote:


Exactly the document I was having a look at.
In simple words, is it possible to work this around, and how?



It is possible.
The doc has guidelines. Are they not clear?

Otherwise I have to drop FreeIPA and get back to 389_ds, as it still seems 
fully LDAP/SSSD compatible.


Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last 
tiny bit to get sorted, which is hugely frustrating.


Thanks for all the support
Sent from Type Mail 

On Mar 25, 2015, at 5:35 PM, Dmitri Pal wrote:


On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:

        Hi

        I am setting up a plain and simple sssd service against my FreeIPA
        Server.
        The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the
        client box is ubuntu: Ubuntu 12.04.5 LTS

        The Users and Credentials are being Synched out of an AD Server (the
        passwords happened to be transferred using the PassSync Service)

        Now.. I wanted to setup a very simple sssd service (not the FreeIPA
        client service)
        And so far I succeeded on synching the users along with the passwords
        using SSSD.

        Now, Trying to get the sudo access sorted I cannot see that working,
        and I came across some documentation mentioning SSSD is NOT currently
        supporting IPA schema for the SUDOers
        if that is the case

        Can anybody point me to the right document or procedure in terms of
        getting also the sudoers installed?

        Would it be possible, somehow, to have this sorted WITHOUT using the
        ipa-client?

        many thanks!



http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Rob Crittenden
Gonzalo Fernandez Ordas wrote:
> Exactly the document I was having a look at.
> In simple words, is it possible to work this around, and how?
> Otherwise I have to drop FreeIPA and get back to 389_ds, as it still seems
> fully LDAP/SSSD compatible.
> 
> Have you got any doc clearly stating how to get this done?
> I really invested many days on reaching this far, sudo being the last
> tiny bit to get sorted, which is hugely frustrating.

How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?

rob

> 
> Thanks for all the support
> Sent from Type Mail 
> 
> On Mar 25, 2015, at 5:35 PM, Dmitri Pal wrote:
> 
> On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:
> 
> Hi
> 
> I am setting up a plain and simple sssd service against my FreeIPA
> Server.
> The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the
> client box is ubuntu: Ubuntu 12.04.5 LTS
> 
> The Users and Credentials are being Synched out of an AD Server
> (the
> passwords happened to be transferred using the PassSync Service)
> 
> Now.. I wanted to setup a very simple sssd service (not the FreeIPA
> client service)
> And so far I succeeded on synching the users along with the
> passwords
> using SSSD.
> 
> Now, Trying to get the sudo access sorted I cannot see that
> working,
> and I came across some documentation mentioning SSSD is NOT
> currently
> supporting IPA schema for the SUDOers
> if that is the case
> 
> Can anybody point me to the right document or procedure in terms of
> getting also the sudoers installed?
> 
> Would it be possible, somehow, to have this sorted WITHOUT using the
> ipa-client?
> 
> many thanks!
> 
> 
> 
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
> 
> 
> 



Re: [Freeipa-users] Unable to Install IPA

2015-03-25 Thread Shaik M
Hi,

I have stopped working on IPA and we are using 389-DS.

Thanks,
Shaik

On 24 March 2015 at 03:21, Endi Sukma Dewata wrote:

> On 3/3/2015 8:19 AM, Endi Sukma Dewata wrote:
>
>> On 2/28/2015 1:01 PM, Hadoop Solutions wrote:
>>
>>> Hi Rob,
>>>
>>> please find the attached log of /var/log/ipaserver-install.log
>>>
>>> kindly let me know the solution for this..
>>>
>>> Thanks,
>>> Shaik
>>>
>>
>> Hi,
>>
>> I see this near the bottom of the ipaserver-install.log.
>>
>> #
>> Attempting to connect to: sv2lxdpdsedi02.corp.equinix.com:9445
>> Connected.
>> Posting Query =
>> https://sv2lxdpdsedi02.corp.equinix.com:9445//ca/admin/
>> console/config/wizard?p=9&op=next&xml=true&host=
>> sv2lxdpdsedi02.corp.equinix.com&port=7389&binddn=cn%
>> 3DDirectory+Manager&__bindpwd=&basedn=o%3Dipaca&
>> database=ipaca&display=%24displayStr
>>
>> RESPONSE STATUS:  HTTP/1.1 404 Not Found
>> RESPONSE HEADER:  Server: Apache-Coyote/1.1
>> RESPONSE HEADER:  Content-Type: text/html;charset=UTF-8
>> RESPONSE HEADER:  Date: Sat, 28 Feb 2015 05:57:35 GMT
>> RESPONSE HEADER:  Connection: close
>> ERROR: unable to parse xml
>> ERROR XML =
>> ERROR: Tag='updateStatus' has no values
>> Error in LdapConnectionPanel(): updateStatus value is null
>> ERROR: ConfigureCA: LdapConnectionPanel() failure
>> ERROR: unable to create CA
>>
>> ###
>>
>> 2015-02-28T05:57:35Z DEBUG stderr=[Fatal Error] :-1:-1: Premature end of
>> file.
>> org.xml.sax.SAXParseException: Premature end of file.
>> at org.apache.xerces.parsers.DOMParser.parse(xerces-j2-2.7.1.jar.so)
>> at
>> org.apache.xerces.jaxp.DocumentBuilderImpl.parse(xerces-j2-2.7.1.jar.so)
>> at javax.xml.parsers.DocumentBuilder.parse(libgcj.so.10)
>> at ParseXML.parse(ParseXML.java:258)
>> at ConfigureCA.getStatus(ConfigureCA.java:205)
>> at ConfigureCA.checkStatus(ConfigureCA.java:221)
>> at ConfigureCA.checkStatus(ConfigureCA.java:216)
>> at ConfigureCA.LdapConnectionPanel(ConfigureCA.java:510)
>> at ConfigureCA.ConfigureCAInstance(ConfigureCA.java:1225)
>> at ConfigureCA.main(ConfigureCA.java:1672)
>>
>> Could you post the /var/log/pki-ca/debug? Thanks.
>>
>>
> Hi, if this is still a problem please let me know. Thanks.
>
> --
> Endi S. Dewata
>

Re: [Freeipa-users] clarification on expired password behaviour

2015-03-25 Thread Les Stott


From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Thursday, 26 March 2015 12:52 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] clarification on expired password behaviour

On 03/25/2015 09:14 PM, Les Stott wrote:
Hi All,

Running freeipa 3.0.0.42 on rhel 6.6, all standard packages.

I also have freeradius installed which is used for network devices (cisco, 
brocade, f5, ucs etc) to authenticate users. Freeradius is using the ldap store 
in FreeIPA as an authentication backend.

All is working fine.

But I would like clarification on the following...

A user account in freeipa is showing up as having an expired password. This is 
confirmed by logging into the freeipa web interface or ssh and seeing a prompt 
to change password immediately.

If I choose to not set the password, it remains expired.

Now, if I try to access a network device that is using radius based auth, using 
the account with the expired password, it successfully logs in even though the 
password is expired.

Is this normal? i.e. a password can still be used even if it's in an expired 
state?

I understand that going via radius using freeipa as an ldap backend is not the 
normal process.

Is there a way to make password authentication fail if a password is expired 
when used in this scenario?

Thanks in advance,

Regards,

Les





https://fedorahosted.org/freeipa/ticket/1539

You can see the details in the ticket.

The workaround will be to use kinit instead of LDAP for authentication in 
freeradius or use pam and leverage SSSD as an IPA client on the RADIUS server.



Thanks Dmitri.

In fact the radius server is installed on the freeipa server and talks locally 
via loopback.

I will look at kinit and sssd options.

Regards,

Les



Re: [Freeipa-users] Ubuntu sssd client -- FreeIPA Server fed from AD

2015-03-25 Thread Gonzalo Fernandez Ordas

I have to test a few options to see how I can overcome that issue.
A pity as I nearly got everything setup in full.
Any findings I will get back to the list as this might be relevant for 
other users.



On 25/03/2015 19:56, Rob Crittenden wrote:

Gonzalo Fernandez Ordas wrote:

Exactly the document I was having a look at.
In simple words, is it possible to work this around, and how?
Otherwise I have to drop FreeIPA and get back to 389_ds, as it still seems
fully LDAP/SSSD compatible.

Have you got any doc clearly stating how to get this done?
I really invested many days on reaching this far, sudo being the last
tiny bit to get sorted, which is hugely frustrating.

How to configure sudo largely depends on the version of SSSD you have in
Ubuntu. I'm not sure how configuring SSSD is going to affect your choice
of server though. If you still use SSSD the same problem will exist
regardless, right?

rob


Thanks for all the support
Sent from Type Mail 

On Mar 25, 2015, at 5:35 PM, Dmitri Pal wrote:

 On 03/25/2015 08:32 PM, g.fer.or...@unicyber.co.uk wrote:

 Hi

 I am setting up a plain and simple sssd service against my FreeIPA
 Server.
 The FreeIPA Server is a Centos 7.1 box with IPA version 4.1 and the
 client box is ubuntu: Ubuntu 12.04.5 LTS

 The Users and Credentials are being Synched out of an AD Server
 (the
 passwords happened to be transferred using the PassSync Service)

 Now.. I wanted to setup a very simple sssd service (not the FreeIPA
 client service)
 And so far I succeeded on synching the users along with the
 passwords
 using SSSD.

 Now, Trying to get the sudo access sorted I cannot see that
 working,
 and I came across some documentation mentioning SSSD is NOT
 currently
 supporting IPA schema for the SUDOers
 if that is the case

 Can anybody point me to the right document or procedure in terms of
 getting also the sudoers installed?

 Would it be possible, somehow, to have this sorted WITHOUT using the
 ipa-client?

 many thanks!



 http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf






