Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Fraser Tweedale
On Tue, Mar 15, 2016 at 09:39:12AM +, Alessandro De Maria wrote:
> Thank you Martin that's very helpful.
> 
> The annoying thing about cut/paste from web ui is that the cert is not
> wrapped at 60 chars like it should be, but I guess I'll have to wait for
> the save certificate functionality.
> Any idea of when that's planned for?
> 
> Regards
> Alessandro
> 
Hi Alessandro,

The easiest way to get the cert is with `ipa user-show` (if it was
saved to the IPA directory after issuance, which is controlled by the
`store` option Martin mentioned). E.g.:

ipa user-show alice --out=cert.pem

Which will save alice's certificate(s) to the file `cert.pem`.

If you copy the data from the web UI and save it to a file, the
following will convert it to PEM:

base64 -d < cert.txt | openssl x509 -inform DER > cert.pem

Finally, to configure a profile to issue certificates with a
validity of X days, the relevant profile configuration is:

policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=X
policyset.serverCertSet.2.default.params.startTime=0

Replace `X` above with the desired lifetime in days.  (Note that the
index (`2`, above) may be different for different profiles.)

Cheers,
Fraser

> On 15 March 2016 at 08:50, Martin Babinsky  wrote:
> 
> > On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> >
> >> Hello,
> >>
> >> I would like to have authenticated users to upload a csr request and
> >> have their certificate automatically signed. Their certificate would
> >> expire in x days.
> >>
> >> Given the short life of the certificate, I would then like them to be
> >> able to easily download the certificate.
> >>
> >> Any suggestion on how to do it?
> >> I would prefer the shell script approach but also having it self
> >> serviced on the web ui would be great.
> >>
> >> Regards
> >>
> >>
> >> --
> >> Alessandro De Maria
> >> alessandro.dema...@gmail.com 
> >>
> >>
> >>
> > Hi Alessandro,
> >
> > for FreeIPA 4.2+ you can use the following links as a guide to set up a
> > custom profile and CA ACL rules so that users can request certificates for
> > themselves:
> >
> > http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
> >
> > https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
> >
> > The user then can generate CSR request e.g. using OpenSSL and use 'ipa
> > cert-request' to send it to IPA CA. If you specify 'store=True' when adding
> > the custom certificate profile, the certificate will be added to the user
> > entry as 'usercertificate;binary' attribute which he can view from
> > CLI/WebUI as PEM and save it to a file by copy-pasting it (The
> > functionality to save the certificate directly to a file is under
> > development).
> >
> > It should be possible to modify the certificate profile to restrict the
> > maximum validity of the issued certificate but I have no knowledge about
> > that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> > with this.
> >
> > --
> > Martin^3 Babinsky
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> 
> 
> 
> -- 
> Alessandro De Maria
> alessandro.dema...@gmail.com


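As an added example (not from Fraser's post or from the FreeIPA/Dogtag projects), the script below parses profile lines of the kind shown above and checks the validity default against the validity constraint, scanning every policyset index because the index differs between profiles; the sample profile is constructed from the lines above with X set to 365.

```python
"""Check the validity settings in a Dogtag/FreeIPA certificate profile.

Added example, not from the mailing-list post or the FreeIPA project. It
parses the ``policyset.<name>.<index>.*`` key=value lines of a profile
configuration and confirms that the validity *default* (the lifetime a
request gets) does not exceed the validity *constraint* (the maximum the
CA accepts); a default larger than the constraint is rejected by the
constraint, and a ``range=X`` left unfilled is caught as well.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the lines from the post with X replaced by 365 days.
SAMPLE_PROFILE = """\
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=365
policyset.serverCertSet.2.default.params.startTime=0
"""

# policyset.<set>.<index>.<constraint|default>.<rest>
KEY_RE = re.compile(
    r"^policyset\.(?P<set>[^.]+)\.(?P<idx>\d+)\."
    r"(?P<kind>constraint|default)\.(?P<rest>.+)$"
)


def parse_profile(text):
    """Return {(policyset, index): {"constraint": {...}, "default": {...}}}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if not m:  # list lines and other non-rule keys are skipped
            continue
        slot = rules.setdefault((m["set"], int(m["idx"])),
                                {"constraint": {}, "default": {}})
        slot[m["kind"]][m["rest"]] = value.strip()
    return rules


def _range_days(params):
    """params.range as int, or None if absent or not an integer (e.g. 'X')."""
    value = params.get("params.range")
    return int(value) if value is not None and value.isdigit() else None


@dataclass
class ValidityCheck:
    policyset: str
    index: int
    constraint_days: int  # None when missing/unparseable
    default_days: int     # None when missing/unparseable
    problems: list = field(default_factory=list)


def check_validity(text):
    """One ValidityCheck per validity rule found, whatever its index."""
    results = []
    for (pset, idx), rule in sorted(parse_profile(text).items()):
        c, d = rule["constraint"], rule["default"]
        if (c.get("class_id") != "validityConstraintImpl"
                and d.get("class_id") != "validityDefaultImpl"):
            continue  # some other kind of rule (key usage, subject name, ...)
        problems = []
        if c.get("class_id") != "validityConstraintImpl":
            problems.append("validity default without validityConstraintImpl")
        if d.get("class_id") != "validityDefaultImpl":
            problems.append("validity constraint without validityDefaultImpl")
        c_days, d_days = _range_days(c), _range_days(d)
        if c_days is None:
            problems.append("constraint params.range missing or not an integer")
        if d_days is None:
            problems.append("default params.range missing or not an integer "
                            "(still 'X'?)")
        if c_days is not None and d_days is not None and d_days > c_days:
            problems.append(f"default range {d_days} days exceeds constraint "
                            f"range {c_days} days; requests will be rejected")
        results.append(ValidityCheck(pset, idx, c_days, d_days, problems))
    return results


if __name__ == "__main__":
    for check in check_validity(SAMPLE_PROFILE):
        status = "OK" if not check.problems else "; ".join(check.problems)
        print(f"{check.policyset}[{check.index}]: default={check.default_days} "
              f"constraint={check.constraint_days}: {status}")
```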


Re: [Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Harald Dunkel

On 03/15/16 19:21, Jakub Hrozek wrote:
> On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote:
>> 
>> Shouldn't it keep on trying, or retry after a few minutes?
> 
> We don't have any such functionality..
> 

Understood. Obviously the dependencies and parameters listed
in sssd.service are not sufficient to guarantee a smooth
system startup for sssd. Except for sssd the system booted
fine, so I wonder what is different with sssd?

>> 
>> sssd is version 1.12.5. Google doesn't mention this problem, so I wonder 
>> what is happening here?
> 
> I would suggest to look into the sssd logs..
> 

I did, of course. There was no error message except

(Sat Feb 27 17:18:53 2016) [sssd] [monitor_cleanup] (0x0010): Error removing pidfile! (2 [No such file or directory])

Looking at the time entry it seems this message came up after
the timeout.


Regards
Harri




Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

Janelle wrote:

The groups don't go on the 2nd pass because they already went on the
first meant. I meant to reply to this the other day as I have had a lot
of experience with re-running migration. Group membership for an already
existing group, does NOT come over on the 2nd pass. I have found it is
better to start fresh if you want a clean migration. Or, better yet,
gather the group memberships via LDAP and migrate them by hand with a
friendly script. I threw one together to do that pretty easily.


Right, if a group already exists it is assumed to have either been 
migrated successfully or was a pre-existing group, in either case no 
further action is taken.


rob



~J

On 3/15/16 10:22 AM, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass:
groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou
was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob


last - this must most FAQ people wonder - can IPA's 389 backend be
used in the same/similar fashion samba uses ldap? skipping all the
kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had
mozldap dedicated toolset, how is it these days? How do users deal
with 389-ds IPA-related bits?

many thanks




now when I've groups migrated I see mappings user-group are lost. Would
it be because my groups did not go in first time together with users?


Need more info. What do you mean by mappings are lost?

rob







Re: [Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Jakub Hrozek
On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote:
> 
> Hi folks,
> 
> If I reboot my LXC server, then sssd doesn't come up in some containers.
> The logfile of an affected host shows
> 
> - -- Reboot --
> Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services Daemon...
> Feb 27 17:17:53 lxc1.example.com sssd[392]: Starting up
> Feb 27 17:17:54 lxc1.example.com sssd[be[471]: Starting up
> Feb 27 17:17:59 lxc1.example.com sssd[485]: Starting up
> Feb 27 17:17:59 lxc1.example.com sssd[487]: Starting up
> Feb 27 17:17:59 lxc1.example.com sssd[486]: Starting up
> Feb 27 17:17:59 lxc1.example.com sssd[484]: Starting up
> Feb 27 17:18:00 lxc1.example.com sssd[488]: Starting up
> Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
> Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
> Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 1
> Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 2
> Feb 27 17:18:53 lxc1.example.com systemd[1]: sssd.service start operation timed out. Terminating.
> Feb 27 17:18:53 lxc1.example.com sssd[485]: Shutting down
> Feb 27 17:18:53 lxc1.example.com sssd[484]: Shutting down
> Feb 27 17:18:53 lxc1.example.com sssd[488]: Shutting down
> Feb 27 17:18:53 lxc1.example.com sssd[be[471]: Shutting down
> Feb 27 17:18:53 lxc1.example.com sssd[487]: Shutting down
> Feb 27 17:18:53 lxc1.example.com sssd[486]: Shutting down
> Feb 27 17:18:53 lxc1.example.com systemd[1]: Failed to start System Security Services Daemon.
> Feb 27 17:18:53 lxc1.example.com systemd[1]: Unit sssd.service entered failed state.
> 
> Shouldn't it keep on trying, or retry after a few minutes?

We don't have any such functionality..

> 
> sssd is version 1.12.5. Google doesn't mention this problem, so I
> wonder what is happening here?

I would suggest to look into the sssd logs..



Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-15 Thread thierry bordaz

Hi Daryl,

Thanks again for those logs and info.
It confirms that slapi-nis tree priming delays DS startup (~1min10s). As 
Alexander mentioned, it is now fixed with a deferred priming.


My understanding is that krb5kdc startup is intense on DS. It is not 
clear why, but you may be right that it is getting a lot of config data. 
The problems are why it fails to start and why ipareplica-install does 
not notice that failure.

I will try to reproduce locally.

I wanted to thank you again for all this feedback and these tests.

regards
thierry

On 03/14/2016 08:46 PM, Daryl Fonseca-Holt wrote:

Hello Thierry,

Attached is the pstacks from only the final DS restart. I don't think 
they will show the whole picture.


According to the debug log /var/log/ipareplica-install.log (attached) 
the start of the krb5kdc.service (19:13:16Z) is successful, but the 
krb5kdc log (attach) shows it is unable to fetch the master K/M at 
14:31:31CDT (-5hour offset). This is when the install log shows 
kadmind failing.


In my experience with the master observing top there are two intense 
times for ns-slapd-. The first when it start, of course, and 
the second when krb5kdc starts. I assume this is because krb5kdc must 
get its configuration and data from the same DS. krb5kdc fails but 
the ipareplica-install script isn't aware of it. Finally 
kadmin.service tries to access krb5kdc and finds that it is dead.


Please note these logs are with Schema Compatibility and NIS plugins 
turned off per the other e-mail from Alexander.


I've noticed on a running master I can prevent this type of failure by 
manually starting dirsrv (systemctl start dirsrv@.service), 
watch top until all threads of ns-slapd have settled, then systemctl 
start krb5kdc.service, again watching top until ns-slapd threads have 
settled down before systemctl start kadmin.service.  This kind of 
manual intervention is not possible when running the 
ipareplica-install script.


I will look into introducing a delay at the completion of the dirsrv 
and krb5kdc systemd units and see if I can accommodate 
ipareplica-install. Just as an experiment for now. I need to advance 
the project into High Availability testing but cannot do so without a 
functioning replica.


Regards, Daryl

On 03/14/16 09:20, thierry bordaz wrote:

Hi Daryl,

Thanks for all the data. I will look at the pstacks. A first look 
shows that you captured import, bind... so it may be a complete 
ipa-replica-install session.
I will try to retrieve the specific startup time to see what was 
going on at that time.
If you have the time to monitor only startup, it will help me 
shrink the set of pstacks.
Startup of DS lasts > 1min. If you may start DS and as soon as the 
ns-slapd process is launched, do regular pstacks. Then when you are 
able to send a simple ldapsearch (ldapsearch -x -b "" -s base), you 
may stop taking pstacks.


thanks
thierry

On 03/14/2016 03:06 PM, Daryl Fonseca-Holt wrote:

Hi Thierry,

I moved the old logs into a subdirectory called try1. I did the 
recommended ipa-server-install --uninstall. Tried the replica 
install again. Failed during kadmind start like the previous time.


The log from ipa-replica-install (with -d) is at 
http://home.cc.umanitoba.ca/~fonsecah/ipa/ipareplica-install.log
The console script (mostly the same as the log but with my entries) 
is at 
http://home.cc.umanitoba.ca/~fonsecah/ipa/ipa-replica-install.console
The 5 second pstacks are at 
http://home.cc.umanitoba.ca/~fonsecah/ipa/slapd-pstacks.console


Thanks, Daryl


On 03/11/16 02:40, thierry bordaz wrote:

Hello Daryl,

My understanding is that ns-slapd is first slow to startup.
Then when krb5kdc is starting it may load ns-slapd.

We identified krb5kdc may be impacted by the number of users
accounts.
From the ns-slapd errors log it is not clear why it is so slow
to start.

Would you provide the ns-slapd access logs from that period.
Also in order to know where ns-slapd is spending time, it would
really help if you can get regular (each 5s) pstacks (with
389-ds-debuginfo), during DS startup and then later during
krb5kdc startup.

best regards
thierry


On 03/10/2016 11:10 PM, Daryl Fonseca-Holt wrote:

Environment:
  RHEL 7.2
  IPA 4.2.0-15
  nss 3.19.1-19
  389-ds-base 1.3.4.0-26
  sssd 1.13.0-40


I've encountered this problem in IPA 3.0.0 but hoped it was 
addressed in 4.2.0.


Trying to set up a replica of a master with 150,000+ user 
accounts, NIS and Schema Compatibility enabled on the master.


During ipa-replica-install it attempts to start IPA. dirsrv 
starts, krb5kdc starts, but then kadmind fails because krb5kdc has 
gone missing.


This happens during restart of IPA in version 3.0.0 too. There it 
can be overcome by manually starting each component of IPA _but_ 
waiting until ns-slapd- has settled down (as seen from 
top) before starting krb5kdc. I also think that the startup of 
krb5kdc loads the LDAP instance quite a bit.


There is a problem in the startu

[Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Harald Dunkel

Hi folks,

If I reboot my LXC server, then sssd doesn't come up in some containers.
The logfile of an affected host shows

- -- Reboot --
Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services Daemon...
Feb 27 17:17:53 lxc1.example.com sssd[392]: Starting up
Feb 27 17:17:54 lxc1.example.com sssd[be[471]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[485]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[487]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[486]: Starting up
Feb 27 17:17:59 lxc1.example.com sssd[484]: Starting up
Feb 27 17:18:00 lxc1.example.com sssd[488]: Starting up
Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:13 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 1
Feb 27 17:18:15 lxc1.example.com sssd_be[471]: GSSAPI client step 2
Feb 27 17:18:53 lxc1.example.com systemd[1]: sssd.service start operation timed out. Terminating.
Feb 27 17:18:53 lxc1.example.com sssd[485]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[484]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[488]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[be[471]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[487]: Shutting down
Feb 27 17:18:53 lxc1.example.com sssd[486]: Shutting down
Feb 27 17:18:53 lxc1.example.com systemd[1]: Failed to start System Security Services Daemon.
Feb 27 17:18:53 lxc1.example.com systemd[1]: Unit sssd.service entered failed state.

Shouldn't it keep on trying, or retry after a few minutes?

sssd is version 1.12.5. Google doesn't mention this problem, so I
wonder what is happening here?


Every insightful comment is highly appreciated
Harri



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Janelle
The groups don't go on the 2nd pass because they already went on the 
first meant. I meant to reply to this the other day as I have had a lot 
of experience with re-running migration. Group membership for an already 
existing group, does NOT come over on the 2nd pass. I have found it is 
better to start fresh if you want a clean migration. Or, better yet, 
gather the group memberships via LDAP and migrate them by hand with a 
friendly script. I threw one together to do that pretty easily.


~J






Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

lejeczek wrote:

On 15/03/16 15:57, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.

and in my case it could not work for I had (anybody sane would too)
hashed pass in ldap userdb, am I right?


What won't work? Migrated user passwords will work just fine.


If one has hundreds of user s/he thinks, o! it'd be great to keep that
account enabled/disabled status - would there be a way around it?


IPA isn't designed to be an LDAP backend for Samba so there isn't a lot 
of direct integration with the schema. You could write a plugin to keep 
the two attributes in sync.


For those already migrated it should be pretty easy to write an LDAP 
search to find them and then for each user call ipa user-disable 


rob

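Rob's suggestion above (an LDAP search for the accounts that were disabled on the Samba side, then ipa user-disable for each), worked as an added example that is not from the post or from the FreeIPA project: it reads an ldapsearch LDIF dump, decodes sambaAcctFlags, and lists the uids to disable. The LDIF below is constructed; the flag letters D (disabled) and L (locked) are Samba's.

```python
"""Find migrated Samba accounts that were disabled or locked in the old tree.

Added example, not from the mailing-list post or the FreeIPA project. It
parses LDIF as produced by ldapsearch (continuation lines and '::'
base64 values included), reads sambaAcctFlags, and returns the uids whose
flags block login so an admin can run ``ipa user-disable`` for each one
(IPA itself records the state in nsAccountLock).
"""
import base64

# Constructed sample: three users as they would appear in an ldapsearch dump.
# carol's value is base64 ('::') to show that LDIF form is handled too.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
objectClass: sambaSamAccount
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
objectClass: sambaSamAccount
sambaAcctFlags: [UD         ]

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
objectClass: sambaSamAccount
sambaAcctFlags:: W1VMICAgICAgICAgXQ==
"""

# Samba flag letters that mean the account must not log in.
BLOCKING_FLAGS = {"D": "disabled", "L": "locked"}


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr_lowercase: [values...]} per entry."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def parse_acct_flags(value):
    """Turn '[UD         ]' into the set of flag letters {'U', 'D'}."""
    value = value.strip()
    if not (value.startswith("[") and value.endswith("]")):
        raise ValueError(f"malformed sambaAcctFlags: {value!r}")
    return {ch for ch in value[1:-1] if ch != " "}


def accounts_to_disable(ldif_text):
    """Return [(uid, reason), ...] for entries whose Samba flags block login."""
    found = []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [None])[0]
        if uid is None or "sambaacctflags" not in entry:
            continue
        flags = parse_acct_flags(entry["sambaacctflags"][0])
        reasons = [BLOCKING_FLAGS[f] for f in sorted(flags) if f in BLOCKING_FLAGS]
        if reasons:
            found.append((uid, ",".join(reasons)))
    return found


def disable_commands(ldif_text):
    """The ipa user-disable invocations to review and run for the result."""
    return [f"ipa user-disable {uid}" for uid, _ in accounts_to_disable(ldif_text)]


if __name__ == "__main__":
    for uid, reason in accounts_to_disable(SAMPLE_LDIF):
        print(f"{uid}: {reason}")
    print("\n".join(disable_commands(SAMPLE_LDIF)))
```

Feed it the output of your own ldapsearch over the old tree instead of SAMPLE_LDIF, review the list, then run the printed commands.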


Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

lejeczek wrote:

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob


last - this must most FAQ people wonder - can IPA's 389 backend be
used in the same/similar fashion samba uses ldap? skipping all the
kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had
mozldap dedicated toolset, how is it these days? How do users deal
with 389-ds IPA-related bits?

many thanks




now when I've groups migrated I see mappings user-group are lost. Would
it be because my groups did not go in first time together with users?


Need more info. What do you mean by mappings are lost?

rob



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any 
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that current 
samba's ou was

"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in 
IPA.
thanks Rob, may I ask why process by defaults looks up 
only objectclass:

groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from 
ldap+samba.


Lastly, is there a way to preserve account 
locked/disabled status for

posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration 
unless the

attributes are associated with a blacklisted objectclass.

rob

last - this must most FAQ people wonder - can IPA's 389 
backend be used in the same/similar fashion samba uses 
ldap? skipping all the kerberos bits? (samba & IPA on the 
same one box)
this might be more 389-ds related - in old days I remember 
DS had mozldap dedicated toolset, how is it these days? 
How do users deal with 389-ds IPA-related bits?


many thanks



now when I've groups migrated I see mappings user-group are 
lost. Would it be because my groups did not go in first time 
together with users?





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 15:57, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any 
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that current 
samba's ou was

"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in 
IPA.
thanks Rob, may I ask why process by defaults looks up 
only objectclass:

groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from 
ldap+samba.


Lastly, is there a way to preserve account 
locked/disabled status for

posix/samba?
I don't know how it is stored but as long as the schema 
is available in
IPA then the values should be preserved on migration 
unless the

attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools 
map these

attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked 
users I wonder

how this works.
If I had posix !passwd in my ldap userdb then it's not 
reflected in IPA,

unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.
and in my case it could not work for I had (anybody sane 
would too) hashed pass in ldap userdb, am I right?
If one has hundreds of user s/he thinks, o! it'd be great to 
keep that account enabled/disabled status - would there be a 
way around it?


rob






Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.

rob



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools map 
these attributes, I'm particularly looking at:

ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked 
users I wonder how this works.
If I had posix !passwd in my ldap userdb then it's not 
reflected in IPA, unless "Account disabled" is for something 
else.





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Alexander Bokovoy

On Tue, 15 Mar 2016, lejeczek wrote:
> On 15/03/16 13:42, Rob Crittenden wrote:
>> lejeczek wrote:
>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>> lejeczek wrote:
>>>>> with...
>>>>>
>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>> groupofnames)
>>>>>
>>>>> I see users went in but later I realized that current samba's ou was
>>>>> "group" not groups.
>>>>> Can I just re-run migrations?
>>>>
>>>> Yes. It will skip over anything that already exists in IPA.
>>>
>>> thanks Rob, may I ask why the process by default looks up only objectclass:
>>> groupofuniquenames, groupofnames?
>>
>> It is conservative but this is why it can be overridden.
>>
>>> Is there a reason it skips ldap+samba typical posixGroup &
>>> sambaGroupMapping?
>>
>> We haven't had many (any?) reports of migrating from ldap+samba.
>>
>>> Lastly, is there a way to preserve account locked/disabled status for
>>> posix/samba?
>>
>> I don't know how it is stored but as long as the schema is available in
>> IPA then the values should be preserved on migration unless the
>> attributes are associated with a blacklisted objectclass.
>>
>> rob
>
> last - this must be the most FAQ people wonder about - can IPA's 389 backend be
> used in the same/similar fashion samba uses ldap? skipping all the
> kerberos bits? (samba & IPA on the same one box)

For Samba and IPA on the same box, this is configured properly with
ipa-adtrust-install.

It uses the ipasam PASSDB module instead of ldapsam. This module knows the IPA
LDAP schema and is capable of doing more than ldapsam, but effectively you
can use the resulting Samba setup in the same way as you do with ldapsam.

The configuration is:

1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use the 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file system. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for inspiration.

--
/ Alexander Bokovoy



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 13:42, Rob Crittenden wrote:
> lejeczek wrote:
>> On 14/03/16 17:06, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> with...
>>>>
>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>> groupofnames)
>>>>
>>>> I see users went in but later I realized that current samba's ou was
>>>> "group" not groups.
>>>> Can I just re-run migrations?
>>>
>>> Yes. It will skip over anything that already exists in IPA.
>>
>> thanks Rob, may I ask why the process by default looks up only objectclass:
>> groupofuniquenames, groupofnames?
>
> It is conservative but this is why it can be overridden.
>
>> Is there a reason it skips ldap+samba typical posixGroup &
>> sambaGroupMapping?
>
> We haven't had many (any?) reports of migrating from ldap+samba.
>
>> Lastly, is there a way to preserve account locked/disabled status for
>> posix/samba?
>
> I don't know how it is stored but as long as the schema is available in
> IPA then the values should be preserved on migration unless the
> attributes are associated with a blacklisted objectclass.
>
> rob

last - this must be the most FAQ people wonder about - can IPA's 389
backend be used in the same/similar fashion samba uses ldap?
skipping all the kerberos bits? (samba & IPA on the same one
box)
this might be more 389-ds related - in old days I remember
DS had a dedicated mozldap toolset, how is it these days? How
do users deal with 389-ds IPA-related bits?

many thanks





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
lejeczek wrote:
> On 14/03/16 17:06, Rob Crittenden wrote:
>> lejeczek wrote:
>>> with...
>>>
>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>> groupofnames)
>>>
>>> I see users went in but later I realized that current samba's ou was
>>> "group" not groups.
>>> Can I just re-run migrations?
>> Yes. It will skip over anything that already exists in IPA.
> thanks Rob, may I ask why process by defaults looks up only objectclass:
> groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.

> Is there a reason it skips ldap+samba typical posixGroup &
> sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.

> Lastly, is there a way to preserve account locked/disabled status for
> posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob



Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Rakesh Rajasekharan
Yes, the space was indeed the culprit... I cleaned up some and login works
fine now.

Thanks !!

On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose  wrote:

> On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> > I set up freeipa in my environment and works perfectly.
> >
> > But just on one host, I am not able to authenticate. I get a permission
> > denied error.
> >
> > The sssd version I have is 1.12
> >
> > the krb5_child log does point to some error,
> > krb5_child.log
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> > (0x2000): No old ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> > (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set]
> > keytab: [/etc/krb5.keytab]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> > [k5c_precreate_ccache] (0x4000): Recreating ccache
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [k5c_setup_fast]
> > (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> > [find_principal_in_keytab] (0x4000): Trying to find principal host/
> > 1.1@test.com in keytab.
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [match_principal]
> > (0x1000): Principal matched to the sample (host/1.1@test.com).
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [get_tgt_times]
> > (0x1000): FAST ccache must be recreated
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> > (0x0200): Trying to become user [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> > (0x0200): Already user [0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [check_fast_ccache]
> > (0x2000): Running as [0][0].
> > (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864 [create_ccache]
> > (0x4000): Initializing ccache of type [FILE]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [check_fast_ccache]
> > (0x0200): FAST TGT was successfully recreated!
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [become_user]
> > (0x0200): Trying to become user [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x2000):
> > Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [k5c_setup]
> > (0x2000): Running as [5102][701].
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> > from environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> > environment.
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x0400):
> > Will perform online auth
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [tgt_req_child]
> > (0x1000): Attempting to get a TGT
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [get_and_save_tgt]
> > (0x0400): Attempting kinit for realm [TEST.COM]
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> > initial credentials for q-tempu...@test.com
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> > ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> > host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM
> > \@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> > with result: -1765328243/Matching credential not found
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
> > request (189 bytes) to TEST.COM
> >
> > (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> > [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
> > TCP connection to stre
> > (END)
>
> Does the krb5_child.log really end here? If yes, any chance the disk is
> full?
>
> bye,
> Sumit
>
> >
> >
> > And here are the contents from sssd_domain.log
> > sssd_test.com
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> > domain: test.com
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> > user: q-tempuser
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> > service: sshd
> > (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> > tty: 

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-15 Thread Ludwig Krispenz


On 03/14/2016 05:33 PM, Andrew E. Bruno wrote:
> On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote:
>> On 03/12/2016 04:02 PM, Andrew E. Bruno wrote:
>>> On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote:
>>>> On 03/09/2016 05:51 PM, Andrew E. Bruno wrote:
>>>>> On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote:
>>>>>
>>>>> [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog program -
>>>>> _cl5NewDBFile: PR_DeleteSemaphore:
>>>>> /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/ed35d212-2cb811e5-af63d574-de3f6355.sema;
>>>>> NSPR error - -5943
>>>>
>>>> if ds is cleanly shutdown this file should be removed, if ds is killed it
>>>> remains and should be recreated at restart, which fails. could you try
>>>> another stop, remove the file manually and start again ?
>>>
>>> We had our replicas crash again. Curious if it's safe to delete the
>>> other db files as well:
>>>
>>> ls -alh /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/
>>>   30  DBVERSION
>>> 6.8G  ed35d212-2cb811e5-af63d574-de3f6355_55a955910004.db
>>>    0  ed35d212-2cb811e5-af63d574-de3f6355.sema
>>>  18M  f32bb356-2cb811e5-af63d574-de3f6355_55a955ca0060.db
>>>    0  f32bb356-2cb811e5-af63d574-de3f6355.sema
>>>
>>> Should all these files be deleted if the ds is cleanly shutdown? or should we
>>> only remove the *.sema files.
>>
>> the *.db file contains the data of the changelog, if you delete them you
>> start with a new cl and could get into replication problems requiring
>> reinitialization. you normally should not delete them.
>> The .sema is used to control how many threads can concurrently access the
>> cl, it should be recreated at restart, so it is safe to delete them after a
>> crash.
>
> Sounds good..thanks. We deleted the .sema files after the crash and the
> replicas came back up ok.
>
>> If you are getting frequent crashes, we should try to find the reason for the
>> crashes, could you try to get a core file ?
>
> This time we had two replicas crash and ns-slapd wasn't running so we
> couldn't grab a pstack. Here's a snip from the error logs right before
> the crash (not sure if this is related or not):
>
> [11/Mar/2016:09:57:56 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No
> original_tombstone for changenumber=11573832,cn=changelog!!
> [11/Mar/2016:09:57:57 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No
> original_tombstone for changenumber=11575824,cn=changelog!!
> [11/Mar/2016:09:57:58 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No
> original_tombstone for changenumber=11575851,cn=changelog!!
> [11/Mar/2016:10:00:28 -0500] - libdb: BDB2055 Lock table is out of available
> lock entries
> [11/Mar/2016:10:00:28 -0500] NSMMReplicationPlugin - changelog program -
> _cl5CompactDBs: failed to compact 986efe12-71b811e5-9d33a516-e778e883; db error
> - 12 Cannot allocate memory
> [11/Mar/2016:10:02:07 -0500] - libdb: BDB2055 Lock table is out of available
> lock entries
> [11/Mar/2016:10:02:07 -0500] - compactdb: failed to compact changelog; db error
> - 12 Cannot allocate memory

don't know if this is related to your crashes, but compaction of the
changelog was running, probably for some time, and finally failed. The
idea behind compaction is to compact a fragmented btree and reclaim some
space, but it uses a transaction for the complete operation and locks
every page accessed. This can be time consuming, blocking other txns,
and run out of locks.

There are two options to address this, either increase the number of
configured db locks (problem is there is no good hint how many locks
will be needed), or disable changelog compaction, by setting:

dn: cn=changelog5,cn=config
..
nsslapd-changelogcompactdb-interval: 0

I would disable compaction, I don't think there is much benefit (in my
memory BDB compaction was slow and not very effective) and it is better
to avoid the side effects

> [11/Mar/2016:12:36:18 -0500] - slapd_poll(377) timed out
> [11/Mar/2016:13:06:17 -0500] - slapd_poll(377) timed out
>
> We just upgraded to ipa 4.2 centos 7.2 and if we see anymore crashes
> we'll try and get more info.
>
> Thanks again.
>
> --Andrew




--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill
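As an added example for Ludwig's diagnosis above (written for this edit, not part of the thread or of 389-ds): a small scan of a 389-ds errors log that picks out the lock-table exhaustion and changelog compaction failures Andrew quoted, correlates them in time, and emits the LDIF for the `nsslapd-changelogcompactdb-interval: 0` change. The log excerpt is constructed from the lines in the thread; the signature names and the 60-second correlation window are choices of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the errors-log lines quoted in this thread.
# The changelog id and change number are copied from the thread; each line is
# joined back onto one line, as the server writes it.
SAMPLE_ERRORS_LOG = """\
[11/Mar/2016:09:57:56 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=11573832,cn=changelog!!
[11/Mar/2016:10:00:28 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[11/Mar/2016:10:00:28 -0500] NSMMReplicationPlugin - changelog program - _cl5CompactDBs: failed to compact 986efe12-71b811e5-9d33a516-e778e883; db error - 12 Cannot allocate memory
[11/Mar/2016:10:02:07 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[11/Mar/2016:10:02:07 -0500] - compactdb: failed to compact changelog; db error - 12 Cannot allocate memory
[11/Mar/2016:12:36:18 -0500] - slapd_poll(377) timed out
"""

# 389-ds errors log line: "[dd/Mon/yyyy:HH:MM:SS +zzzz] message"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")

# Signatures for the conditions discussed above; the first match wins.
SIGNATURES = (
    ("bdb_lock_exhausted",
     re.compile(r"BDB2055 Lock table is out of available lock entries")),
    ("changelog_compaction_failed",
     re.compile(r"(_cl5CompactDBs|compactdb): failed to compact")),
    ("poll_timeout", re.compile(r"slapd_poll\(\d+\) timed out")),
)


def parse_timestamp(ts):
    """Parse the dirsrv timestamp, keeping its UTC offset."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def scan_errors_log(text):
    """Return [(timestamp, signature_name, message)] for every matching line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(m.group("msg")):
                findings.append((parse_timestamp(m.group("ts")), name, m.group("msg")))
                break
    return findings


def summarize(findings):
    """Count findings per signature."""
    return Counter(name for _, name, _ in findings)


def compaction_failures_after_lock_exhaustion(findings, window_seconds=60):
    """Count compaction failures that follow a lock-table exhaustion within the
    window: the sequence Ludwig describes (compaction runs in one transaction,
    locks every page it touches, and runs the lock table dry)."""
    last_lock, hits = None, 0
    for ts, name, _ in findings:
        if name == "bdb_lock_exhausted":
            last_lock = ts
        elif name == "changelog_compaction_failed" and last_lock is not None:
            if 0 <= (ts - last_lock).total_seconds() <= window_seconds:
                hits += 1
    return hits


def disable_compaction_ldif():
    """The LDIF modify for the setting quoted above, ready for ldapmodify."""
    return (
        "dn: cn=changelog5,cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-changelogcompactdb-interval\n"
        "nsslapd-changelogcompactdb-interval: 0\n"
    )


if __name__ == "__main__":
    found = scan_errors_log(SAMPLE_ERRORS_LOG)
    for ts, name, msg in found:
        print(ts.isoformat(), name, "-", msg[:60])
    if compaction_failures_after_lock_exhaustion(found):
        print("changelog compaction is exhausting db locks; consider:")
        print(disable_compaction_ldif())
```

The LDIF is applied with something like `ldapmodify -x -D "cn=Directory Manager" -W -f disable-compaction.ldif` on the affected replica (the file name is a placeholder) followed by a restart of the instance. The other option Ludwig mentions, raising the lock count, is the `nsslapd-db-locks` attribute under `cn=config,cn=ldbm database,cn=plugins,cn=config` in the 389-ds of that era; as he notes, there is no good way to predict how many locks a compaction will need, which is why the scan above treats the pair of events as one signal rather than a tuning hint.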



Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Alessandro De Maria
Thank you Martin that's very helpful.

The annoying thing about cut/paste from web ui is that the cert is not
wrapped at 60 chars like it should be, but I guess I'll have to wait for
the save certificate functionality.
Any idea of when that's planned for?

Regards
Alessandro

On 15 March 2016 at 08:50, Martin Babinsky  wrote:

> On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
>
>> Hello,
>>
>> I would like to have authenticated users to upload a csr request and
>> have their certificate automatically signed. Their certificate would
>> expire in x days.
>>
>> Given the short life of the certificate, I would then like them to be
>> able to easily download the certificate.
>>
>> Any suggestion on how to do it?
>> I would prefer the shell script approach but also having it self
>> serviced on the web ui would be great.
>>
>> Regards
>>
>>
>> --
>> Alessandro De Maria
>> alessandro.dema...@gmail.com 
>>
>>
>>
> Hi Alessandro,
>
> for FreeIPA 4.2+ you can use the following links as a guide to set up a
> custom profile and CA ACL rules so that users can request certificates for
> themselves:
>
> http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
>
> https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/
>
> The user can then generate a CSR, e.g. using OpenSSL, and use 'ipa
> cert-request' to send it to the IPA CA. If you specify 'store=True' when adding
> the custom certificate profile, the certificate will be added to the user
> entry as the 'usercertificate;binary' attribute, which he can view from the
> CLI/WebUI as PEM and save to a file by copy-pasting it (the
> functionality to save the certificate directly to a file is under
> development).
>
> It should be possible to modify the certificate profile to restrict the
> maximum validity of the issued certificate but I have no knowledge about
> that. I have CC'ed Fraser Tweedale (the blog post author), he may help you
> with this.
>
> --
> Martin^3 Babinsky
>
>



-- 
Alessandro De Maria
alessandro.dema...@gmail.com

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 14/03/16 17:06, Rob Crittenden wrote:
> lejeczek wrote:
>> with...
>>
>> ipa: ERROR: group LDAP search did not return any result (search base:
>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>> groupofnames)
>>
>> I see users went in but later I realized that current samba's ou was
>> "group" not groups.
>> Can I just re-run migrations?
>
> Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why the process by default looks up only
objectclass: groupofuniquenames, groupofnames?
Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
Lastly, is there a way to preserve account locked/disabled
status for posix/samba?

> rob






Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Martin Babinsky

On 03/15/2016 08:39 AM, Alessandro De Maria wrote:
> Hello,
>
> I would like to have authenticated users to upload a csr request and
> have their certificate automatically signed. Their certificate would
> expire in x days.
>
> Given the short life of the certificate, I would then like them to be
> able to easily download the certificate.
>
> Any suggestion on how to do it?
> I would prefer the shell script approach but also having it self
> serviced on the web ui would be great.
>
> Regards
>
> --
> Alessandro De Maria
> alessandro.dema...@gmail.com

Hi Alessandro,

for FreeIPA 4.2+ you can use the following links as a guide to set up a
custom profile and CA ACL rules so that users can request certificates
for themselves:

http://www.freeipa.org/page/V4/User_Certificates#How_to_Test
https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

The user can then generate a CSR, e.g. using OpenSSL, and use 'ipa
cert-request' to send it to the IPA CA. If you specify 'store=True' when
adding the custom certificate profile, the certificate will be added to
the user entry as the 'usercertificate;binary' attribute, which he can view
from the CLI/WebUI as PEM and save to a file by copy-pasting it (the
functionality to save the certificate directly to a file is under
development).

It should be possible to modify the certificate profile to restrict the
maximum validity of the issued certificate but I have no knowledge about
that. I have CC'ed Fraser Tweedale (the blog post author), he may help
you with this.


--
Martin^3 Babinsky
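An added example (written for this edit, not code from FreeIPA or from anyone in the thread) for the last step of the workflow Martin describes and for the line-wrapping complaint Alessandro raises in his reply: it takes the unwrapped base64 that the web UI shows for `usercertificate;binary`, checks that it decodes to a structurally complete DER object, and writes it out as PEM with the 64-character lines that PEM readers expect. CSR generation and `ipa cert-request` stay with OpenSSL and the IPA CLI as Martin says; the sample input here is a constructed DER SEQUENCE with a placeholder body, not a real certificate.

```python
import base64

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, content offset)."""
    first = buf[pos]
    if first < 0x80:                       # short form: a single byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n following bytes
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_der_certificate(der):
    """Structural sanity check before writing a PEM file: an X.509 certificate
    is one outer SEQUENCE (tag 0x30) whose declared length covers exactly the
    rest of the buffer. Catches the usual copy/paste damage (truncated or
    doubled data) without needing a full X.509 parser."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected leading tag 0x30)")
    length, content = _der_length(der, 1)
    if content + length != len(der):
        raise ValueError("DER length %d does not match %d bytes of content"
                         % (length, len(der) - content))
    return True


def webui_base64_to_pem(blob):
    """Turn the unwrapped base64 shown in the web UI into PEM with 64-char lines."""
    der = base64.b64decode("".join(blob.split()), validate=True)
    check_der_certificate(der)
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER] + body + [PEM_FOOTER]) + "\n"


def pem_to_der(pem):
    """Inverse of webui_base64_to_pem, used to verify the round trip."""
    inner = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(inner), validate=True)


def is_valid_webui_blob(blob):
    """True if the pasted text decodes to structurally complete DER."""
    try:
        check_der_certificate(base64.b64decode("".join(blob.split()), validate=True))
        return True
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False


def _der_tlv(tag, content):
    """Encode one DER tag-length-value; only used to construct the sample input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: a DER SEQUENCE with a placeholder body, NOT a real
# certificate, presented the way the web UI shows one (base64, no line breaks).
SAMPLE_DER = _der_tlv(0x30, _der_tlv(0x02, b"\x01") + _der_tlv(0x04, b"A" * 200))
SAMPLE_WEBUI_BLOB = base64.b64encode(SAMPLE_DER).decode("ascii")
TRUNCATED_WEBUI_BLOB = base64.b64encode(SAMPLE_DER[:-10]).decode("ascii")

if __name__ == "__main__":
    print(webui_base64_to_pem(SAMPLE_WEBUI_BLOB), end="")
```

The DER check is deliberately structural only: confirming the validity window the profile granted and the signature chain stays with `openssl x509 -in cert.pem -noout -dates` (or `-text`) and the IPA CA, which is what a short-lived user certificate workflow should verify before handing the file to the user.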



Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Sumit Bose
On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote:
> I set up freeipa in my environment and works perfectly.
> 
> But just on one host, I am not able to authenticate. I get a permission
> denied error.
> 
> The sssd version I have is 1.12
> 
> the krb5_child log does point to some error,
> krb5_child.log
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> (0x2000): No old ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_5102_XX] old_ccname: [not set]
> keytab: [/etc/krb5.keytab]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [k5c_setup_fast]
> (0x0100): SSSD_KRB5_FAST_PRINCIPAL is set to [host/1.1@test.com]
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> 1.1@test.com in keytab.
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [match_principal]
> (0x1000): Principal matched to the sample (host/1.1@test.com).
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11862 [get_tgt_times]
> (0x1000): FAST ccache must be recreated
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> (0x0200): Trying to become user [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [become_user]
> (0x0200): Already user [0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864 [check_fast_ccache]
> (0x2000): Running as [0][0].
> (Mon Mar 14 12:02:27 2016) [[sssd[krb5_child[11864
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11864 [create_ccache]
> (0x4000): Initializing ccache of type [FILE]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [check_fast_ccache]
> (0x0200): FAST TGT was successfully recreated!
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [become_user]
> (0x0200): Trying to become user [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x2000):
> Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [k5c_setup]
> (0x2000): Running as [5102][701].
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [main] (0x0400):
> Will perform online auth
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862 [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [TEST.COM]
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18425: Getting
> initial credentials for q-tempu...@test.com
> 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18471: FAST armor
> ccache: MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18502: Retrieving
> host/1.1@test.com -> krb5_ccache_conf_data/fast_avail/krbtgt\/TEST.COM
> \@TEST.COM@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TEST.COM
> with result: -1765328243/Matching credential not found
> 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.18545: Sending
> request (189 bytes) to TEST.COM
> 
> (Mon Mar 14 12:02:28 2016) [[sssd[krb5_child[11862
> [sss_child_krb5_trace_cb] (0x4000): [11862] 1457956948.187.36: Initiating
> TCP connection to stre
> (END)

Does the krb5_child.log really end here? If yes, any chance the disk is
full?

bye,
Sumit

> 
> 
> And here are the contents from sssd_domain.log
> sssd_test.com
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> domain: test.com
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> user: q-tempuser
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> service: sshd
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> tty: ssh
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> ruser:
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> rhost: 127.0.0.1
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):
> authtok type: 1
> (Mon Mar 14 11:57:12 2016) [sssd[be[test.com]]] [pam_print_data] (0x0100):

[Freeipa-users] User certificate workflow

2016-03-15 Thread Alessandro De Maria
Hello,

I would like authenticated users to be able to upload a CSR and have
their certificate automatically signed. Their certificate would expire in x
days.

Given the short life of the certificate, I would then like them to be able
to easily download the certificate.

Any suggestion on how to do it?
I would prefer the shell script approach but also having it self serviced
on the web ui would be great.

Regards



-- 
Alessandro De Maria
alessandro.dema...@gmail.com