[Freeipa-users] Sudden replication failure
Hello,
I'm running two replicated freeIPA servers. One of them spontaneously failed. After taking the misbehaving server down, the remaining replicant handled everything fine. I restored the system to its original working state by uninstalling ipa-server from the non-functional server and re-replicating from the working server. All is well, but I am trying to figure out what might have caused the problem in the first place. Below are the first few (presumably) relevant lines of the error log. Can someone help me interpret them?
Thank you,
-Burke Rosen

[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: 2010061412 remote server: (null).
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - agmt=cn=meToip133.kmlab.local (ip133:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[08/Aug/2015:04:11:18 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:19 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
[08/Aug/2015:04:11:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:30 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
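A small parser for 389-ds errors-log lines of the shape quoted above, added here as an example (it is not code from the post or from FreeIPA). It tags the replication-pause event, keeps the local and remote version fields (the remote one is reported as "(null)" in this log, i.e. the peer returned no version at all) and the consumer named in the agreement, so the sequence can be checked against the timeline of the outage. The sample lines are constructed from the post.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the 389-ds errors log quoted in the post.
SAMPLE_LOG = """\
[08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: 2010061412 remote server: (null).
[08/Aug/2015:04:11:08 -0700] NSMMReplicationPlugin - agmt=cn=meToip133.kmlab.local (ip133:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[08/Aug/2015:04:11:12 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not connected)
[08/Aug/2015:04:11:12 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -1 (Can't contact LDAP server)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) - (?P<msg>.*)$")
VERSION_RE = re.compile(r"This server: (?P<local>\S+) remote server: (?P<remote>[^.]+)\.")
AGMT_RE = re.compile(r"agmt=(?P<agmt>cn=\S+) \((?P<peer>[^)]+)\)")

def classify(msg):
    """Coarse event type for one errors-log message."""
    if "pausing replication" in msg:
        return "replication_paused"
    if "mech [GSSAPI]" in msg and "Can't contact LDAP server" in msg:
        return "gssapi_bind_failed"
    if "Can't contact LDAP server" in msg:
        return "consumer_unreachable"
    return "other"

def parse_line(line):
    """Split '[timestamp] source - message' and pull out version and agreement fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "src": m["src"], "msg": m["msg"], "type": classify(m["msg"])}
    if (v := VERSION_RE.search(m["msg"])):
        ev["local_version"], ev["remote_version"] = v["local"], v["remote"]
    if (a := AGMT_RE.search(m["msg"])):
        ev["agreement"], ev["peer"] = a["agmt"], a["peer"]
    return ev

def summarize(text):
    """Counts per event type plus the details a replication incident review needs."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    pause = next((e for e in events if e["type"] == "replication_paused"), None)
    return {
        "counts": dict(Counter(e["type"] for e in events)),
        "first_event": events[0]["ts"] if events else None,
        "pause_versions": (pause["local_version"], pause["remote_version"]) if pause else None,
        "peers": sorted({e["peer"] for e in events if "peer" in e}),
    }
```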
[Freeipa-users] Different domain enrollment
Hello!
I'm having a problem with a hostname in a different domain from the primary domain on the IPA server. For example, my primary domain is mydomain.co.id, and if the server hostname uses mydomain.co.id, DNS discovery is successful. The problem comes if the client hostname uses a different domain, for example anotherdomain.com: DNS discovery fails. Is there any way to solve it? Should I enter it manually?
Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
The next route I will try is the one Youenn took, using ipa-adtrust.

From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 10.08.2015 10:03
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,
Okay, this is good to hear. But don't we want an IPA-managed scheme? When I did an ipa-adtrust-install --add-sids it also wanted a locally installed Samba and I wonder why.
Good that we make some progress on making it all clear.
Cheers,
Matt

2015-08-10 6:12 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
ldapsam + the Samba extensions, pretty much as described in the Techslaves article. Once I have a draft for the wiki page, I will mail you.

From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 09.08.2015 21:17
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,
Yes, I know about anything, but which way did you use now?

2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt,
I am on OEL 7.1, so anything that works on that should be good for RHEL and CentOS 7.x.
I intend to add a how-to to the FreeIPA Wiki over the next few days. As we have suggested earlier, we will likely end up with several, one for each of the possible integration paths.
Chris

From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 09.08.2015 16:45
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,
This sounds great! What are you using now, both CentOS? So Samba and FreeIPA?
Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple how-tos?
At least we are going somewhere!
Thanks,
Matt

2015-08-09 14:54 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt,
My test integration of FreeIPA 4.x and Samba 4.x (with the good old Samba schema extensions) is up and working, almost flawlessly. I can add users and groups via the FreeIPA CLI, and they get the correct ObjectClasses / attributes required for Samba.
So far I have not yet bothered to try the extensions to the WebUI, because it is currently giving me the classic "Your session has expired. Please re-login." error which renders the WebUI useless.
The only problem I have so far encountered managing Samba / FreeIPA users via FreeIPA CLI commands is with the handling of the attribute sambaPwdLastSet. This is the subject of an existing thread, also updated today.
There is also an existing alternative to hacking group.py, using Class of Service (CoS), documented in this thread from February 2015: https://www.redhat.com/archives/freeipa-users/2015-February/msg00172.html . I have not yet tried it, but it sounds reasonable.
Chris

From: Matt . yamakasi@gmail.com
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: freeipa-users@redhat.com, Youenn PIOLET piole...@gmail.com
Date: 06.08.2015 16:19
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris,
OK, then we might create two different versions of the wiki, I think this is nice.
I'm still figuring out why I get that:
IPA Error 4205: ObjectclassViolation missing attribute sambaGroupType required by object class sambaGroupMapping
Matt

2015-08-06 16:09 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com:
Hi Matt,
As far as I can make out, there are at least 2 viable Samba / FreeIPA integration paths.
The route I took is suited where there is no Active Directory involved: in my case all the Windows, OSX and Linux clients are islands that sit on the same network.
The route that Youenn has taken (unless I have got completely the wrong end of the stick) requires Active Directory in the architecture.
Chris

From: Matt . yamakasi@gmail.com
To: Youenn PIOLET piole...@gmail.com
Cc: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 06.08.2015 14:42
Subject: Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi,
OK, this sounds already quite logical, but I'm still referring to the old howto we found earlier; does that one still apply somewhere or not at all?
Thanks,
Matt

2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com:
Hey guys,
I'll try to make a tutorial soon, sorry I'm quite in a rush these days :)
General idea:
On FreeIPA (4.1)
- `ipa-adtrust-install --add-sids` (creates ipaNTsecurityidentifier attribute, also known as SID)
- regenerate each user password to build ipaNTHash attribute, not here by default on users
- use your ldap browser to check
Re: [Freeipa-users] Concerning the krb5.conf
Hello.
I don't know if you received my previous mail, but thank you for your answer.
I have two additional questions then:
- Concerning the master_kdc line, is it better to put the physical machine here, or even to remove it if it is optional?
- Do you know how I can check which one of these three servers is currently used per server with this krb5.conf? I need to check how I can resynchronize the last server.
Best regards.
Bahan

On Fri, Aug 7, 2015 at 11:05 PM, Alexander Bokovoy aboko...@redhat.com wrote:
On Fri, 07 Aug 2015, bahan w wrote:
Hello!
We are using freeipa version 3 and we are encountering a problem in our environment.
We have one master KDC and two replicas.
On the different Linux servers in our environment, we have the following krb5.conf (I modified the hostnames for NDA):

###
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYREALM = {
  kdc = host1.mydomain:88
  kdc = host2.mydomain:88
  kdc = host3.mydomain:88
  master_kdc = host2.mydomain:88
  admin_server = host2.mydomain:749
  default_domain = mydomain
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .mydomain = MYREALM
 mydomain = MYREALM
 .myrealm = MYREALM
 myrealm = MYREALM
###

host1 is a physical machine; host2 and host3 are VMs.
So I have some questions:

Q1 - Does it make sense to put the master_kdc and admin_server lines on host2, which is a VM, instead of host1, which is a physical machine?

According to the manual page of 'krb5.conf',
---
master_kdc: Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user's password has just been changed, and the updated database has not been propagated to the slave servers yet.
---
'admin_kdc' is what kadmin is using, so it is irrelevant for day to day actions in IPA.

Q2 - When I try to connect to the UI of host1, I can enter my login/password and it works. When I try to connect to the UI of host2, I have an error message saying my password is incorrect. When I try to connect to the UI of host3, it works. Does it mean host1 and host3 are synchronized but host2 is not?

Most likely, yes.

Q3. Do the two last lines make sense? I mean, what is the exact usage of the paragraph [domain_realm]? Does it mean: if I try to connect to a server with the domain listed in this list, then I will try to contact the realm associated?

Since you disabled DNS discovery of realm based on the DNS domain, the Kerberos library will perform some logic to find out which realm corresponds to the domain. The domain_realm section helps here. The krb5.conf manual page has a clear explanation of how the section is designed to work.
--
/ Alexander Bokovoy
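An added example (not code from the thread or from MIT Kerberos) that reads a krb5.conf in the shape Bahan posted and applies the [domain_realm] lookup order described in the manual page Alexander points to: the exact host name first, then each parent domain written with its leading dot, and default_realm when nothing matches. It also shows why a bare entry such as `mydomain` sits beside `.mydomain`: without the dot it matches only a host whose full name is exactly `mydomain`. The LABREALM and OTHERREALM entries are constructed to exercise the order.

```python
# Constructed krb5.conf fragment in the shape of the one quoted in the thread;
# the LABREALM and OTHERREALM entries are invented to exercise the lookup order.
KRB5_CONF = """\
[libdefaults]
 default_realm = MYREALM
 dns_lookup_realm = false
[realms]
 MYREALM = {
  kdc = host1.mydomain:88
  kdc = host2.mydomain:88
  master_kdc = host2.mydomain:88
 }
[domain_realm]
 .mydomain = MYREALM
 mydomain = MYREALM
 .lab.mydomain = LABREALM
 special.other = OTHERREALM
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: every tag keeps a list of values (kdc repeats),
    and a 'tag = {' block becomes a nested dict appended under that tag."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = {}
                stack[-1].setdefault(key, []).append(sub)
                stack.append(sub)
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, hostname):
    """[domain_realm] lookup order: the exact host name, then each parent domain
    written with a leading dot (most specific first); otherwise default_realm.
    Returns (realm, matched_entry_or_None)."""
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for c in candidates:
        if c in mapping:
            return mapping[c][0], c
    return conf["libdefaults"]["default_realm"][0], None
```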