[Freeipa-users] Sudden replication failure

2015-08-10 Thread Burke Rosen

Hello,

I'm running two replicated freeIPA servers. One of them spontaneously 
failed. After taking the misbehaving server down, the remaining 
replicant handled everything fine. I restored the system to its original 
working state by uninstalling ipa-server from the non-functional server 
and re-replicating from the working server. All is well, but I am trying 
to figure out what might have caused the problem in the first place. 
Below are the first few (presumably) relevant lines of the error log. 
Can someone help me interpret them?


Thank you,

-Burke Rosen


[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file 
ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing 
replication. This server: 2010061412 remote server: (null).
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - 
agmt=cn=meToip133.kmlab.local (ip133:389): Unable to receive the 
response for a startReplication extended operation to consumer (Can't 
contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is 
not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP 
server)
[08/Aug/2015:04:11:18 -0700] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is 
not connected)
[08/Aug/2015:04:11:19 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP 
server)
[08/Aug/2015:04:11:30 -0700] slapd_ldap_sasl_interactive_bind - Error: 
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is 
not connected)
[08/Aug/2015:04:11:30 -0700] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP 
server)


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
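As an added example (not part of the message above and not 389-ds code), a small triage parser for the error log excerpt: it separates the version-plugin pause from the later "Can't contact LDAP server" failures and measures the gap between them, so the order of events can be read off a larger log the same way.

```python
# Added example (not from the thread): a small triage parser for the 389-ds error
# log excerpt above. It splits each entry into timestamp, component and message,
# then groups the entries by type so the order of events is easy to see.
import re
from datetime import datetime

# Constructed sample: the first four entries quoted above, one line each
# (the mail client had wrapped them).
ERROR_LOG = """\
[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: 2010061412 remote server: (null).
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - agmt=cn=meToip133.kmlab.local (ip133:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
"""

ENTRY = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<component>\S+) - (?P<msg>.*)$')  # [timestamp] component - message

def parse_entries(text):
    """Return one {'ts', 'component', 'msg'} dict per well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip wrapped continuation or unrelated lines
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        entries.append({'ts': ts, 'component': m['component'], 'msg': m['msg']})
    return entries

def triage(entries):
    """Group entries: version-plugin pauses, 'Can't contact' failures, the rest."""
    report = {'paused': [], 'cant_contact': [], 'other': []}
    for e in entries:
        if 'Incompatible IPA versions' in e['msg']:
            vm = re.search(r'This server: (\S+) remote server: (\S+)\.$', e['msg'])
            report['paused'].append((e['ts'], vm.group(1), vm.group(2)))
        elif "Can't contact LDAP server" in e['msg']:
            report['cant_contact'].append((e['ts'], e['component']))
        else:
            report['other'].append(e)
    return report

def first_gap_seconds(report):
    """Seconds from the first pause to the first contact failure (None if absent)."""
    if not report['paused'] or not report['cant_contact']:
        return None
    return (report['cant_contact'][0][0] - report['paused'][0][0]).total_seconds()

if __name__ == '__main__':
    rep = triage(parse_entries(ERROR_LOG))
    print(rep['paused'], len(rep['cant_contact']), first_gap_seconds(rep))
```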


[Freeipa-users] Different domain enrollment

2015-08-10 Thread Dewangga Bachrul Alam
Hello!

I'm having a problem with a hostname in a domain different from the primary domain on the IPA
server. For example, my primary domain is mydomain.co.id, and if
the server hostname uses mydomain.co.id, the DNS discovery is successful.

The problem comes if the client hostname uses a different domain, for
example anotherdomain.com; the DNS discovery fails. Is there any
way to solve it? Should I enter it manually?



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-08-10 Thread Christopher Lamb
The next route I will try is the one Youenn took, using ipa-adtrust



From:   Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com freeipa-users@redhat.com
Date:   10.08.2015 10:03
Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



Hi Chris,

Okay this is good to hear.

But don't we want an IPA managed scheme?

When I did an ipa-adtrust-install --add-sids it also wanted a locally
installed Samba and I wonder why.

Good that we make some progress on making it all clear.

Cheers,

Matt

2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
 ldapsam + the samba extensions, pretty much as described in the
Techslaves
 article. Once I have a draft for the wiki page, I will mail you.



 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 21:17
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi,

 Yes I know about anything, but which way did you use now?



 2015-08-09 20:56 GMT+02:00 Christopher Lamb
christopher.l...@ch.ibm.com:
 Hi Matt

 I am on OEL 7.1, so anything that works on that should be good for RHEL
 and CentOS 7.x

 I intend to add a how-to to the FreeIPA Wiki over the next few days. As
 we
 have suggested earlier, we will likely end up with several, one for each
 of
 the possible integration paths.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   09.08.2015 16:45
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA



 Hi Chris,

 This sounds great!

 What are you using now, both CentOS? So Samba and FreeIPA?

 Maybe it's good to explain which way you used now in steps too, so we
 can combine or create multiple howtos?

 At least we are going somewhere!

 Thanks,

 Matt

 2015-08-09 14:54 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 My test integration of FreeIPA 4.x and Samba 4.x (with the good old
 Samba Schema extensions) is up and working, almost flawlessly.

 I can add users and groups via the FreeIPA CLI, and they get the
correct
 ObjectClasses / attributes required for Samba.

 So far I have not yet bothered to try the extensions to the WebUI,
 because it is currently giving me the classic "Your session has expired.
 Please re-login." error which renders the WebUI useless.

 The only problem I have so far encountered managing Samba / FreeIPA
 users
 via FreeIPA CLI commands is with the handling of the attribute
 sambaPwdLastSet. This is the subject of an existing thread, also
updated
 today.

 There is also an existing alternative to hacking group.py, using Class
 of
 Service (Cos) documented in this thread from February 2015

 https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html
 .
 I have not yet tried it, but it sounds reasonable.

 Chris





 From:   Matt . yamakasi@gmail.com
 To: Christopher Lamb/Switzerland/IBM@IBMCH
 Cc: freeipa-users@redhat.com freeipa-users@redhat.com, Youenn
 PIOLET piole...@gmail.com
 Date:   06.08.2015 16:19
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
IPA



 Hi Chris,

 OK, then we might create two different versions of the wiki, I think
 this is nice.

 I'm still figuring out why I get that:

 IPA Error 4205: ObjectclassViolation

 missing attribute sambaGroupType required by object class
 sambaGroupMapping

 Matt

 2015-08-06 16:09 GMT+02:00 Christopher Lamb
 christopher.l...@ch.ibm.com:
 Hi Matt

 As far as I can make out, there are at least 2 viable Samba / FreeIPA
 integration paths.

 The route I took is suited where there is no Active Directory
involved:
 In
 my case all the Windows, OSX and Linux clients are islands that sit on
 the
 same network.

 The route that Youenn has taken (unless I have got completely the
wrong
 end
 of the stick) requires Active Directory in the architecture.

 Chris



 From:   Matt . yamakasi@gmail.com
 To: Youenn PIOLET piole...@gmail.com
 Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
 freeipa-users@redhat.com freeipa-users@redhat.com
 Date:   06.08.2015 14:42
 Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against
 IPA



 Hi,

 OK, this sounds already quite logical, but I'm still referring to the
 old howto we found earlier, does that one still apply somewhere or not
 at all?

 Thanks,

 Matt



 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
 Hey guys,

 I'll try to make a tutorial soon, sorry I'm quite in a rush these
 days :)

 General idea:

 On FreeIPA (4.1)
 - `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier
 attribute, also known as SID)
 - regenerate each user password to build ipaNTHash attribute, not
here
 by
 default on users
 - use your ldap browser to check 

Re: [Freeipa-users] Concerning the krb5.conf

2015-08-10 Thread bahan w
Hello.

I don't know if you received my previous mail, but thank you for your answer.

I have two additional questions then:
- Concerning the master_kdc line, is it better to put the physical
machine here, or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently
used per server with this krb5.conf? I need to check how I can
resynchronize the last server.

Best regards.

Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Fri, 07 Aug 2015, bahan w wrote:

 Hello!

 We are using freeipa version 3 and we are encountering a problem in our
 environment.
 We have one master kdc and two replicas.

 On the different Linux servers in our environment, we have the following
 krb5.conf (I modified the hostnames for NDA):

 ###
 #File modified by ipa-client-install

 includedir /var/lib/sss/pubconf/krb5.include.d/

 [libdefaults]
  default_realm = MYREALM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

 [realms]
  MYREALM = {
   kdc = host1.mydomain:88
   kdc = host2.mydomain:88
   kdc = host3.mydomain:88
   master_kdc = host2.mydomain:88
   admin_server = host2.mydomain:749
   default_domain = mydomain
   pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

 [domain_realm]
  .mydomain = MYREALM
  mydomain = MYREALM
  .myrealm = MYREALM
  myrealm = MYREALM
 ###

 host1 is a physical machine,
 host2 and host3 are VMs.

 So I have some questions:
 Q1 - Does it make sense to point the master_kdc and admin_server lines to
 host2, which is a VM, instead of host1, which is a physical machine?

 According to manual page of 'krb5.conf',
 ---
 master_kdc:
 Identifies  the  master  KDC(s). Currently, this tag is used in only
 one case: If an attempt to get credentials fails because of an invalid
 password, the client software will attempt to contact the master KDC, in
 case the user's password has just been changed, and the updated database
 has not been propagated to the slave servers yet.
 ---

 'admin_kdc' is what kadmin is using, so it is irrelevant for day to day
 actions in IPA.


 Q2 - When I try to connect to the UI of host1, I can enter my
 login/password and it works. When I try to connect to the UI of host2, I
 have an error message saying my password is incorrect. When I try to
 connect to the UI of host3, it works. Does it mean host1 and host3 are
 synchronized but host2 is not ?

 Most likely, yes.


 Q3. Do the last two lines make sense? I mean, what is the exact usage of
 the [domain_realm] paragraph? Does it mean: if I try to connect to a
 server with a domain listed in this list, then I will try to contact the
 associated realm?

 Since you disabled DNS discovery of the realm based on the DNS domain,
 the Kerberos library will perform some logic to find out which realm
 corresponds to the domain. The domain_realm section helps here.

 The krb5.conf manual page has a clear explanation of how the section is
 designed to work.

 --
 / Alexander Bokovoy

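An added illustration of the domain_realm lookup Alexander points to (example code, not from the thread and not the krb5 library): with dns_lookup_realm off, the mapping decides which realm a host name belongs to. The config text is the relevant part of the krb5.conf quoted above, and falling straight back to default_realm when nothing matches is a simplification of what the library does.

```python
# Added example (not from the thread or the krb5 library): how the [domain_realm]
# section of the krb5.conf quoted above maps a host name to a realm, following the
# manual page's lookup order: exact host, then each parent domain with its leading
# dot, then default_realm as a simplified fallback. Config text is constructed.
import re

KRB5_CONF = """
[libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
[domain_realm]
 .mydomain = MYREALM
 mydomain = MYREALM
 .myrealm = MYREALM
 myrealm = MYREALM
"""

def parse_sections(text):
    """Flat 'tag = value' parser: {section: {tag: value}}; no {} sub-blocks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and '=' in line:
            tag, value = (s.strip() for s in line.split('=', 1))
            current[tag] = value
    return sections

def host_realm(hostname, sections):
    """Return (realm, matching tag), tag None when default_realm was used."""
    mapping = sections.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:                 # exact host name relation
        return mapping[host], host
    dot = host.find('.')
    while dot != -1:                    # '.sub.mydomain', then '.mydomain', ...
        suffix = host[dot:]
        if suffix in mapping:
            return mapping[suffix], suffix
        dot = host.find('.', dot + 1)
    return sections.get('libdefaults', {}).get('default_realm'), None

if __name__ == '__main__':
    cfg = parse_sections(KRB5_CONF)
    for h in ('host2.mydomain', 'ldap.sub.myrealm', 'printer.other.example'):
        print(h, '->', host_realm(h, cfg))
```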