Re: [Freeipa-users] report abuse

2017-01-15 Thread Alexander Bokovoy

On su, 15 tammi 2017, Jeff Clay wrote:

Not sure how this stuff is usually reported, but the person below needs to be removed 
from the group.

This is a spam bot and it is *not* on the list of subscribers. We ran a
few experiments to find that out; you can check the mailing list archives.

The spam bot actually mines the mailing list archives and sends emails
based on them.

We could close down the mail archives to non-subscribers. As a negative
result, search engines would not be able to index them, and this would reduce
your ability to search for FreeIPA-related solutions via search engines.





Begin forwarded message:

From: Mary Noel 
Subject: Re: [Freeipa-users] 32 bit netmask detection and error during install
Date: January 15, 2017 at 8:18:57 PM CST
To: jeffc...@gmail.com
Reply-To: Mary Noel 

okk, let's start chating with something that will make me wet for you...


On Mon, Jan 16, 2017 at 8:18 AM, Jeff Clay wrote:






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy



[Freeipa-users] report abuse

2017-01-15 Thread Jeff Clay
Not sure how this stuff is usually reported, but the person below needs to be removed 
from the group.

> Begin forwarded message:
> 
> From: Mary Noel 
> Subject: Re: [Freeipa-users] 32 bit netmask detection and error during install
> Date: January 15, 2017 at 8:18:57 PM CST
> To: jeffc...@gmail.com
> Reply-To: Mary Noel 
> 
> okk, let's start chating with something that will make me wet for you...
> 
> 
> On Mon, Jan 16, 2017 at 8:18 AM, Jeff Clay wrote:
> 


[Freeipa-users] 32 bit netmask detection and error during install

2017-01-15 Thread Jeff Clay
I'm trying to install FreeIPA on CentOS 7. The server I'm using is a Google 
Cloud Compute Engine instance. For some reason, they assign all instances a /32 
bit netmask on the internal interface even though you have your own private /20 
subnet. 
When installing FreeIPA on these VMs, you get the error "Error: Invalid IP 
Address 10.128.0.5: cannot use IP network address 10.128.0.5"

Here are the settings for the interface.
eth0: flags=4163  mtu 1460
inet 10.128.0.5  netmask 255.255.255.255  broadcast 10.128.0.5
ether 42:01:0a:80:00:05  txqueuelen 1000  (Ethernet)
RX packets 17904  bytes 116212393 (110.8 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 19001  bytes 3287390 (3.1 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

How can I bypass that error and should /32 mask detection really be there?

Thanks,

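An added illustration of the check Jeff is hitting, written for this archive page rather than taken from the thread or from FreeIPA's own code: with Python's ipaddress module, a /32 address always compares equal to its network address (and to its broadcast address), so a validator that rejects "IP equals the network address" without looking at the prefix length fires on every /32 interface of the kind Google Cloud assigns. The second function shows the prefix-aware variant of the same check. FreeIPA's real validation logic is not reproduced here; the function names, messages and the ifconfig-line helper are my own, and the sample values are the ones from Jeff's interface dump.

```python
"""Added example (not from the thread, not FreeIPA code): why a /32 address
trips a "cannot use IP network address" check, and a prefix-aware variant.

Assumption: the check is modelled as "reject an address equal to its subnet's
network or broadcast address". FreeIPA's own validator is not reproduced.
"""
import ipaddress
import re
from typing import Optional


def naive_check(ip_with_prefix: str) -> Optional[str]:
    """Return a rejection reason, or None if the address is acceptable.

    Plain network/broadcast comparison. On a /32 the only address in the
    subnet *is* the network address, so this always rejects it; a /31
    (RFC 3021 point-to-point link) has the same problem for both hosts.
    """
    iface = ipaddress.ip_interface(ip_with_prefix)  # accepts "/32" or "/255.255.255.255"
    net = iface.network
    if iface.ip == net.network_address:
        return f"cannot use IP network address {iface.ip}"
    if iface.ip == net.broadcast_address:
        return f"cannot use IP broadcast address {iface.ip}"
    return None


def prefix_aware_check(ip_with_prefix: str) -> Optional[str]:
    """Same check, but skipped for prefixes with no distinct network or
    broadcast address: /32 and /31 for IPv4, /128 and /127 for IPv6."""
    iface = ipaddress.ip_interface(ip_with_prefix)
    if iface.network.num_addresses <= 2:
        return None
    return naive_check(ip_with_prefix)


def from_ifconfig(inet_line: str) -> str:
    """Turn an ifconfig 'inet A.B.C.D  netmask M.M.M.M ...' line into the
    'address/netmask' form the checks above accept (hypothetical helper)."""
    m = re.search(r"inet\s+(\S+)\s+netmask\s+(\S+)", inet_line)
    if not m:
        raise ValueError("no inet/netmask pair found")
    return f"{m.group(1)}/{m.group(2)}"


if __name__ == "__main__":
    # The interface from Jeff's message: /32 on a host that really sits in a /20.
    line = "inet 10.128.0.5  netmask 255.255.255.255  broadcast 10.128.0.5"
    addr = from_ifconfig(line)
    print(addr, "naive:", naive_check(addr), "| prefix-aware:", prefix_aware_check(addr))
    print("10.128.0.5/20 naive:", naive_check("10.128.0.5/20"))
```

The prefix-aware variant still rejects genuine network and broadcast addresses inside a normal subnet (for example 10.128.0.0/20 or 10.128.15.255/20); it only stops rejecting addresses whose subnet has nothing else in it.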

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 15/01/2017 19:15, Brian Candler wrote:

On FreeIPA host:  tcpdump -i eth0 -nnv -s0 port 53 and host x.x.x.x

where x.x.x.x is IP address of the 2008R2 server, and assuming eth0 is 
the NIC.


See if any DNS queries arrive at the FreeIPA server. If no: then the 
problem is with the 2008R2 server, or the network in between. If yes: 
then see if FreeIPA is answering the queries or not.




The packets are getting back. That has been established already.

I am looking for possible reasons it would disregard the answer, but 
accept when using a non-freeipa bind9 one.


-rsd



Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2017-01-15 Thread Daniel Schimpfoessl
Anything else I should look for?

2017-01-11 22:33 GMT-06:00 Daniel Schimpfoessl :

> Flo,
>
> these are all the errors found:
> grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g' |
> sort -n | uniq -c | sort -n
>   2 RESULT err=6
>  95 RESULT err=32
> 200 RESULT err=14
>2105 RESULT err=0
>
>
> 2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud :
>
>> On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>
>>> From the logs:
>>> /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>> ... a few warnings about cache size, NSACLPLugin and schema-compat-plugin
>>> [04/Jan/2017:12:14:21.392642021 -0600] slapd started.  Listening on All
>>> Interfaces port 389 for LDAP requests
>>>
>>> /var/log/dirsrv/slapd-DOMAIN-COM/access
>>> ... lots of entries, not sure what to look for some lines contain RESULT
>>> with err!=0
>>> [04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32
>>> tag=101 nentries=0 etime=0
>>> [04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97
>>> nentries=0 etime=0, SASL bind in progress
>>>
>>> Hi Daniel,
>>
>> are there any RESULT err=48 that could correspond to the error seen on
>> pki logs?
>>
>> Flo
>>
>> /var/log/dirsrv/slapd-DOMAIN-COM/errors
>>> [04/Jan/2017:12:19:25.566022098 -0600] slapd shutting down - signaling
>>> operation threads - op stack size 5 max work q size 2 max work q stack
>>> size 2
>>> [04/Jan/2017:12:19:25.572566622 -0600] slapd shutting down - closing
>>> down internal subsystems and plugins
>>>
>>>
>>> 2017-01-04 8:38 GMT-06:00 Daniel Schimpfoessl:
>>>
>>> Do you have a list of all log files involved in IPA?
>>> Would be good to consolidate them into ELK for analysis.
>>>
>>> 2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud:
>>>
>>>
>>> On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote:
>>>
>>> Thanks for your reply.
>>>
>>> This was the initial error I asked for help a while ago and
>>> did not get
>>> resolved. Further digging showed the recent errors.
>>> The service was running (using ipactl start --force) and
>>> only after a
>>> restart I am getting a stack trace for two primary messages:
>>>
>>> Could not connect to LDAP server host wwgwho01.webwim.com port 636 Error
>>> netscape.ldap.LDAPException:
>>> Authentication failed (48)
>>> ...
>>>
>>> Internal Database Error encountered: Could not connect to
>>> LDAP server host wwgwho01.webwim.com port 636 Error
>>> netscape.ldap.LDAPException: Authentication failed (48)
>>> ...
>>>
>>> and finally:
>>> [02/Jan/2017:12:20:34][localhost-startStop-1]:
>>> CMSEngine.shutdown()
>>>
>>>
>>> 2017-01-02 3:45 GMT-06:00 Florence Blanc-Renaud:
>>>
>>> systemctl start pki-tomcatd@pki-tomcat.service
>>>
>>>
>>>
>>> Hi Daniel,
>>>
>>> the next step would be to understand the root cause of this
>>> "Authentication failed (48)" error. Note the exact time of this
>>> log and look for a corresponding log in the LDAP server logs
>>> (/var/log/dirsrv/slapd-DOMAIN-COM/access), probably a failing
>>> BIND with err=48. This may help diagnose the issue (if we can
>>> see which certificate is used for the bind or if there is a
>>> specific error message).
>>>
>>> For the record, a successful bind over SSL would produce this
>>> type of log where we can see the certificate subject and the
>>> user mapped to this certificate:
>>> [...] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to
>>> 10.34.58.150
>>> [...] conn=47 TLS1.2 128-bit AES; client CN=CA
>>> Subsystem,O=DOMAIN.COM; issuer
>>> CN=Certificate Authority,O=DOMAIN.COM
>>> [...] conn=47 TLS1.2 client bound as
>>> uid=pkidbuser,ou=people,o=ipaca
>>> [...] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>>> [...] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0
>>> dn="uid=pkidbuser,ou=people,o=ipaca"
>>>
>>> Flo
>>>
>>>
>>>
>>>
>>
>
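To go with the grep/perl pipeline in the quoted message and Flo's description of what a successful certificate-based bind looks like in the access log, here is an added Python example (not from the thread, and not part of FreeIPA or 389-ds) that produces the same per-code count and then correlates every RESULT err=48 with the BIND on the same conn/op and with the TLS client-certificate lines logged earlier on that connection. LDAP result code 48 is inappropriateAuthentication, the number the Java exception in the pki log carries. The log lines are constructed for the example in the format Flo quoted; the conn=48 entries are an invented case in which the client presented its certificate but no "client bound as" mapping was logged before the bind failed. Whether that is what happened on Daniel's server is not something this thread establishes.

```python
"""Added example (not from the thread; not FreeIPA or 389-ds tooling):
count RESULT err= codes in a 389-ds access log and correlate failed binds
with the TLS client-certificate lines on the same connection."""
import re
from collections import Counter

# Constructed sample access log, modelled on the lines quoted in the thread.
# conn=47 is Flo's example of a successful EXTERNAL bind; conn=48 is an
# invented failure (certificate presented, no 'client bound as' mapping).
SAMPLE_ACCESS_LOG = """\
[04/Jan/2017:12:18:01.753400307 -0600] conn=5 op=243 RESULT err=32 tag=101 nentries=0 etime=0
[04/Jan/2017:12:18:01.786928085 -0600] conn=44 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jan/2017:12:18:02.000000000 -0600] conn=47 fd=84 slot=84 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:18:02.100000000 -0600] conn=47 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:18:02.200000000 -0600] conn=47 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[04/Jan/2017:12:18:02.300000000 -0600] conn=47 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:18:02.400000000 -0600] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
[04/Jan/2017:12:19:10.000000000 -0600] conn=48 fd=85 slot=85 SSL connection from 10.34.58.150 to 10.34.58.150
[04/Jan/2017:12:19:10.100000000 -0600] conn=48 TLS1.2 128-bit AES; client CN=CA Subsystem,O=DOMAIN.COM; issuer CN=Certificate Authority,O=DOMAIN.COM
[04/Jan/2017:12:19:10.200000000 -0600] conn=48 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/Jan/2017:12:19:10.300000000 -0600] conn=48 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""
SAMPLE_LINES = SAMPLE_ACCESS_LOG.splitlines()

TIMESTAMP_RE = re.compile(r"^\[([^\]]+)\]")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" ?(.*)$')
CLIENT_CERT_RE = re.compile(r"conn=(\d+) TLS[\d.]+ .*?; client (.*?); issuer (.*)$")
BOUND_AS_RE = re.compile(r"conn=(\d+) TLS[\d.]+ client bound as (\S+)")


def count_result_errors(lines):
    """Same result as the grep | perl | sort | uniq -c pipeline: {err: count}."""
    counts = Counter()
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            counts[int(m.group(3))] += 1
    return dict(counts)


def failed_binds(lines, err_code=48):
    """For each RESULT err=<err_code> that answers a BIND, report the bind
    parameters plus the certificate subject/issuer and the mapped DN (if any)
    logged earlier on the same connection. Lines are processed in order, so
    state for a conn is whatever the log showed before the failing RESULT."""
    client_cert = {}   # conn -> (subject, issuer)
    bound_as = {}      # conn -> DN the certificate was mapped to
    binds = {}         # (conn, op) -> bind parameters
    findings = []
    for line in lines:
        ts = TIMESTAMP_RE.match(line)
        when = ts.group(1) if ts else "?"
        m = CLIENT_CERT_RE.search(line)
        if m:
            client_cert[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = BOUND_AS_RE.search(line)
        if m:
            bound_as[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            params = dict(p.split("=", 1) for p in m.group(4).split() if "=" in p)
            binds[(m.group(1), m.group(2))] = {"dn": m.group(3), **params}
            continue
        m = RESULT_RE.search(line)
        if m and int(m.group(3)) == err_code:
            conn, op = m.group(1), m.group(2)
            bind = binds.get((conn, op))
            if bind is None:
                continue  # the failing operation was not a BIND
            subject, issuer = client_cert.get(conn, (None, None))
            findings.append({
                "time": when, "conn": conn, "op": op, "err": err_code,
                "bind_dn": bind["dn"], "method": bind.get("method"),
                "mech": bind.get("mech"),
                "client_cert_subject": subject, "client_cert_issuer": issuer,
                "mapped_to": bound_as.get(conn),
            })
    return findings


if __name__ == "__main__":
    for code, n in sorted(count_result_errors(SAMPLE_LINES).items()):
        print(f"{n:5d} RESULT err={code}")
    for f in failed_binds(SAMPLE_LINES):
        print(f"{f['time']} conn={f['conn']} mech={f['mech']} "
              f"cert={f['client_cert_subject']} mapped_to={f['mapped_to']}")
```

On a real server, replace SAMPLE_LINES with the lines of /var/log/dirsrv/slapd-DOMAIN-COM/access; a finding whose mapped_to is None but whose client_cert_subject is set is the pattern to take back to the certificate-mapping side, while a finding with no certificate lines at all means the client never presented one on that connection.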

Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Brian Candler

On 14/01/2017 20:01, Raul Dias wrote:


I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS queries.
This server works fine with my old bind server and Google's DNS server 
(8.8.8.8), but not FreeIPA's.
Using Wireshark, I can see that the response gets to this host, but it is 
simply ignored.  Clocks are in sync.


Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?


On FreeIPA host:  tcpdump -i eth0 -nnv -s0 port 53 and host x.x.x.x

where x.x.x.x is IP address of the 2008R2 server, and assuming eth0 is 
the NIC.


See if any DNS queries arrive at the FreeIPA server. If no: then the 
problem is with the 2008R2 server, or the network in between. If yes: 
then see if FreeIPA is answering the queries or not.



Re: [Freeipa-users] Windows Server can't use FreeIPA's DNS server

2017-01-15 Thread Raul Dias


On 14/01/2017 22:08, Fil Di Noto wrote:
Sounds more like a client problem (firewall, hosts file, network 
settings/routes)

Unfortunately, not that I have found.


Other clients are able to resolve against the IPA server?

yes.
You are seeing the response come back on a packet capture taken from 
the windows server?

yes.


If yes to both of those, maybe the windows server thinks the IPA 
server is not who it says it is.
How does Windows verify this?  Note that there is no Active Directory 
in place or domain/remote authentication from the Windows point of 
view.  Windows is using it only as a plain DNS server.


Note that there is another windows server (2008) that works fine. This 
one is 2008 r2 (if it matters).


Is the IPA server hostname/domain name the same as a previous windows 
host? If so that is probably not good.


On Sat, Jan 14, 2017 at 12:01 PM, Raul Dias wrote:


Hello,

I am migrating a network to FreeIPA. LDAP, NFS, no Active Directory.

A Windows Server 2008 R2 cannot use FreeIPA's bind to resolve DNS
queries.
This server works fine with my old bind server and Google's DNS
server (8.8.8.8), but not FreeIPA's.
Using Wireshark, I can see that the response gets to this host, but
it is simply ignored.  Clocks are in sync.

Not sure if the problem is in the FreeIPA's side, probably not.

Any ideas?

-rsd





--
Att. Raul Dias

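Brian's tcpdump step establishes whether queries arrive at the FreeIPA server and whether replies leave it; Raul's capture shows the reply reaching the Windows host and being ignored. The next thing to check is whether the reply is one a stub resolver is allowed to accept at all. The following is an added example for both of these messages, not taken from either of them and not tied to the Windows resolver's actual code: a small DNS wire-format parser that compares a query with a response and lists the standard reasons a resolver discards an answer (QR bit clear, transaction ID mismatch, question section mismatch, reply from an address or port other than the one queried, truncation, non-zero RCODE). Both packets are built inline; the names, IDs and addresses are made up for the example.

```python
"""Added example (not from the thread): parse DNS query/response pairs and
report why a stub resolver would discard the response. Packets, names and
addresses below are constructed for the example."""
import ipaddress
import struct


def encode_name(name):
    """Encode 'a.b.c' as DNS labels, uncompressed."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(data, offset):
    """Decode a possibly compressed name. Returns (name, offset after the
    name in the original stream, i.e. not following the pointer)."""
    labels, end, jumped, seen = [], None, False, set()
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_message(data):
    """Parse header, question and answer sections (enough for this check)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name.lower(), qtype, qclass))   # case-insensitive compare
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((name.lower(), rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": ident, "flags": flags, "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def check_response(query, response, query_dst=None, response_src=None):
    """Reasons a strict stub resolver would drop `response` for `query`.
    query_dst/response_src are optional (ip, port) tuples from the capture."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if not r["qr"]:
        problems.append("QR bit clear: packet is a query, not a response")
    if r["id"] != q["id"]:
        problems.append(f"transaction ID mismatch: sent {q['id']:#06x}, got {r['id']:#06x}")
    if r["questions"] != q["questions"]:
        problems.append("question section differs from the query")
    if query_dst is not None and response_src is not None and query_dst != response_src:
        problems.append(f"response from {response_src}, but query was sent to {query_dst}")
    if r["tc"]:
        problems.append("TC bit set: answer truncated, must retry over TCP")
    if r["rcode"] != 0:
        problems.append(f"non-zero RCODE {r['rcode']}")
    return problems


def build_query(ident, name, qtype=1):
    """Standard query, RD set, one question."""
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(ident, name, ip, ttl=300):
    """Response (QR, RD, RA set), question echoed, one A record using a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "ipa.example.test")
    print("matching:", check_response(q, build_a_response(0x1234, "ipa.example.test", "10.0.0.1")))
    print("wrong id:", check_response(q, build_a_response(0x4321, "ipa.example.test", "10.0.0.1")))
```

To use it on Raul's capture, export the query and the reply as raw UDP payloads from Wireshark and pass them, together with the destination (ip, port) of the query and the source (ip, port) of the reply, to check_response; an empty list means the reply is one any RFC-conformant resolver should have accepted, and the cause then lies outside the DNS message itself.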

Re: [Freeipa-users] Not able to replicate user keys across master and client

2017-01-15 Thread Brian Candler

On 12/01/2017 10:59, hirofumi.morik...@accenture.com wrote:


Let me further clarify the question that is asked by Niraj below.

Currently, we have 1 master FreeIPA server and 1 client server. 
Evaluating your product for production deployment


Master and client connectivity is established and when creating the 
user in the web console, it is indeed creating the user in the client 
machine


However, when we add a public key through the web console below, this 
key is not created (or transferred) on the client machine




That's correct: it doesn't copy them anywhere, nor is it supposed to.

Instead, the keys sit in the FreeIPA LDAP database. When you install the 
ipa-client package on a host, it configures sshd so it communicates via 
sssd to query the authorized keys in LDAP.  You will find:


# /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys

# /etc/sssd/sssd.conf
[sssd]
services = nss, pam, ssh, sudo

That means you have central control of your authorized_keys with 
FreeIPA, without copying them onto every host's filesystem.


You also have central control of your user accounts, group memberships, 
uid and gid mappings, sudo policy, host access policy (i.e. which users 
are allowed to log in to which hosts), ...  All this is done via sssd and 
LDAP as well.


HTH,

Brian.

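An added example for Brian's explanation (not from the thread, and not FreeIPA's or sssd's own tooling): a Python check that parses sshd_config and sssd.conf text and reports whether the pieces that make LDAP-held keys usable on a host are in place. It adds one point the two snippets above do not show: sshd refuses to start when AuthorizedKeysCommand is set but AuthorizedKeysCommandUser is not, so a hand-edited sshd_config that copies only the first line breaks SSH entirely rather than just key lookup. The sample configurations are constructed; the domain name is made up.

```python
"""Added example (not from the thread): verify that sshd and sssd are wired
up so that sshd asks sssd for authorized keys held in FreeIPA's LDAP.
Sample configs are constructed; example.test is a made-up domain."""
import configparser

# Constructed sshd_config fragment in the shape the message describes.
SSHD_CONFIG = """\
# sshd_config sample (constructed for the example)
Port 22
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
"""

# Constructed sssd.conf fragment with the ssh responder enabled.
SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.test
"""


def parse_sshd_config(text):
    """sshd_config is 'Keyword value' per line; keywords are case-insensitive
    and, as in sshd itself, the first occurrence of a keyword wins. Lines
    beginning with '#' are comments. Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sssd_services(text):
    """Return the responders listed under [sssd] services=."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]


def check_ssh_key_lookup(sshd_text, sssd_text):
    """List the problems that would stop LDAP-held keys from being used."""
    problems = []
    sshd = parse_sshd_config(sshd_text)
    cmd = sshd.get("authorizedkeyscommand")
    if cmd is None:
        problems.append("sshd: AuthorizedKeysCommand not set; only ~/.ssh/authorized_keys is consulted")
    elif "sss_ssh_authorizedkeys" not in cmd:
        problems.append(f"sshd: AuthorizedKeysCommand is {cmd}, not sss_ssh_authorizedkeys")
    if cmd is not None and "authorizedkeyscommanduser" not in sshd:
        problems.append("sshd: AuthorizedKeysCommand set without AuthorizedKeysCommandUser; sshd will refuse to start")
    if sshd.get("pubkeyauthentication", "yes").lower() == "no":
        problems.append("sshd: PubkeyAuthentication no disables key-based login altogether")
    if "ssh" not in sssd_services(sssd_text):
        problems.append("sssd: 'ssh' missing from [sssd] services; sss_ssh_authorizedkeys has no responder to query")
    return problems


if __name__ == "__main__":
    # On a real host: open('/etc/ssh/sshd_config').read() and
    # open('/etc/sssd/sssd.conf').read() (the latter is root-only, mode 0600).
    for p in check_ssh_key_lookup(SSHD_CONFIG, SSSD_CONF) or ["ok: sshd will ask sssd for keys"]:
        print(p)
```

The check only looks at configuration; to confirm the lookup end to end, run the command sshd would run, sss_ssh_authorizedkeys with the user name as its argument, on the client and compare its output with the key shown in the web console.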

Re: [Freeipa-users] Error while issuing ipa-replica-install

2017-01-15 Thread Carlos Silva
In case someone stumbles on this message because they have the same problem,
all the debugging and the solution found are in this ticket:
https://fedorahosted.org/freeipa/ticket/6613