Re: [Freeipa-users] Debian client installation
On 17.02.2017 17:37, Per Qvindesland wrote:
> Hi All
>
> I have installed free ipa client by using
> http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian
> which works, but I am unable to get the sudo to work, on debian 7.11
> machines, sssd installed version is 1.9.6 which I think is pretty old.
>
> Does anyone have any suggestions on how to get sudo to work on debian 7?
> perhaps another more updated how to?

you need sudo built with sssd support, which that repo is lacking.

--
t

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Installing on Ubuntu
On 18.02.2017 03:24, Robert L. Harris wrote:
>
>I have an Ubuntu 16.04 test system which is currently clean. I'm
> trying to install freeipa-server via apt and I'm getting an error about
> files missing :
>
> Setting up freeipa-server (4.3.1-0ubuntu1) ...
> Running ipa-server-upgrade...
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> IOError: [Errno 2] No such file or directory:
> u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif'
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> dpkg: error processing package freeipa-server (--configure):
> subprocess installed post-installation script returned error exit status 1
> dpkg: dependency problems prevent configuration of freeipa-server-dns:
> freeipa-server-dns depends on freeipa-server (>= 4.3.1-0ubuntu1); however:
> Package freeipa-server is not configured yet.

It shouldn't run ipa-server-upgrade on a clean install. What does:

    python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'

return?

--
t
[Freeipa-users] Installing on Ubuntu
I have an Ubuntu 16.04 test system which is currently clean. I'm trying to install freeipa-server via apt and I'm getting an error about files missing :

Setting up freeipa-server (4.3.1-0ubuntu1) ...
Running ipa-server-upgrade...
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif'
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
dpkg: error processing package freeipa-server (--configure):
 subprocess installed post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of freeipa-server-dns:
 freeipa-server-dns depends on freeipa-server (>= 4.3.1-0ubuntu1); however:
  Package freeipa-server is not configured yet.

Anyone seen this? The only source I see for these files is the slapd package which conflicts with freeipa.

Robert
[Freeipa-users] Debian client installation
Hi All

I have installed free ipa client by using http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian which works, but I am unable to get the sudo to work, on debian 7.11 machines, sssd installed version is 1.9.6 which I think is pretty old.

Does anyone have any suggestions on how to get sudo to work on debian 7? perhaps another more updated how to?

Regards
Per
Re: [Freeipa-users] How to change kerberos key lifetime?
On (16/02/17 18:05), William Muriithi wrote:
>> The fact that your desktops are using SSSD changes the situation
>> dramatically.
>>
>> SSSD (with ipa or krb5 provider) obtains ticket for user when he is
>> logging-in.
>> And can be configured to renew the ticket for the user until the ticket renew
>> life time expires.
>>
>> Given this you can keep ticket life time reasonable short (~1 day) set ticket
>> renewable life time to longer period (~2 weeks) and maintain reasonable
>> security level without negative impact on user's daily work.
>>
>> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
>> in sssd-krb5 man page.
>>
>Thanks a lot. I did actually end up using this. Will wait for a
>couple of days and see if anybody if the situation is better and
>update you.
>
>Curious though, why isn't renewal interval setup by default? Is there
>a negative consequence of having SSSD renewing tickets by default? I
>can't think of any and hence a bit lost on explaining the default
>setup

A desktop/laptop user usually does not need automatic renewal.
They authenticate/login/unlock the screen quite often, and for each action
sssd authenticates against the IPA server, which automatically gets/renews
the krb5 ticket. Unless the machine is offline.

LS
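An added illustration of where the three sssd-krb5 options named in the thread above go in sssd.conf; it is not part of any poster's message. The lifetimes follow the "~1 day" and "~2 weeks" figures quoted in the thread, while the domain name and the renew interval are assumptions.

```ini
# /etc/sssd/sssd.conf (fragment; the domain name is a constructed placeholder)
[domain/example.com]
id_provider = ipa
auth_provider = ipa

# Ticket lifetime requested at login: short, per the "~1 day" suggestion.
krb5_lifetime = 1d

# How long the ticket may keep being renewed: the "~2 weeks" suggestion.
krb5_renewable_lifetime = 14d

# Seconds between SSSD's checks for tickets due for renewal (assumed value).
# Unset or 0 leaves automatic renewal disabled, which is the default.
krb5_renew_interval = 3600
```

The KDC's own ticket policy caps what is actually issued, so a requested lifetime longer than the server allows is shortened.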
Re: [Freeipa-users] can't add replica: failed to start the directory server
I went through that bugreport, particularly this section...

OK, I think I found the error. On the logs I get something like this *before* the failing dirsrv restart:

2017-01-14T03:41:28Z DEBUG [27/44]: retrieving DS Certificate
2017-01-14T03:41:28Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-14T03:41:28Z DEBUG Starting external process
2017-01-14T03:41:28Z DEBUG args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
2017-01-14T03:41:28Z DEBUG Process finished, return code=255
2017-01-14T03:41:28Z DEBUG stdout=
2017-01-14T03:41:28Z DEBUG stderr=certutil: Could not find cert: EXAMPLE.COM IPA CA : PR_FILE_NOT_FOUND_ERROR: File not found

So, when the process stopped, I run the command again:

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n EXAMPLE.COM IPA CA -a
certutil: Could not find cert: EXAMPLE.COM : PR_FILE_NOT_FOUND_ERROR: File not found

and thought "wait... something is missing there":

# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L -n "EXAMPLE.COM IPA CA" -a
-BEGIN CERTIFICATE-
-END CERTIFICATE-

So, could this be the problem?

...and indeed when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d
> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
> [sudo] password for tiemen:
> certutil: Could not find cert: IPA.RDMEDIA.COM
> : PR_FILE_NOT_FOUND_ERROR: File not found

and when I run

[tiemen@copernicum ipapython]$ sudo /usr/bin/certutil -d /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n "IPA.RDMEDIA.COM IPA CA" -a
-BEGIN CERTIFICATE-
-END CERTIFICATE-

valid certificate output. Where can I change this command to quote this string?

On 16 February 2017 at 17:29, Jeff Goddard wrote:
> Might be another instance of this: https://fedorahosted.org/
> freeipa/ticket/6613
>
> Jeff
>
> On Thu, Feb 16, 2017 at 11:21 AM, Tiemen Ruiten
> wrote:
>
>> Hello,
>>
>> I'm trying to add a third replica to a FreeIPA 4.4 domain (level 1), but
>> I'm getting this error:
>>
>> [tiemen@copernicum ~]$ sudo ipa-replica-install -P admin -w "XX"
>>> --mkhomedir --setup-dns --forwarder 8.8.8.8 --forwarder 8.8.4.4
>>> Checking DNS forwarders, please wait ...
>>> Run connection check to master
>>> Connection check OK
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>> [1/44]: creating directory server user
>>> [2/44]: creating directory server instance
>>> [3/44]: updating configuration in dse.ldif
>>> [4/44]: restarting directory server
>>> [5/44]: adding default schema
>>> [6/44]: enabling memberof plugin
>>> [7/44]: enabling winsync plugin
>>> [8/44]: configuring replication version plugin
>>> [9/44]: enabling IPA enrollment plugin
>>> [10/44]: enabling ldapi
>>> [11/44]: configuring uniqueness plugin
>>> [12/44]: configuring uuid plugin
>>> [13/44]: configuring modrdn plugin
>>> [14/44]: configuring DNS plugin
>>> [15/44]: enabling entryUSN plugin
>>> [16/44]: configuring lockout plugin
>>> [17/44]: configuring topology plugin
>>> [18/44]: creating indices
>>> [19/44]: enabling referential integrity plugin
>>> [20/44]: configuring certmap.conf
>>> [21/44]: configure autobind for root
>>> [22/44]: configure new location for managed entries
>>> [23/44]: configure dirsrv ccache
>>> [24/44]: enabling SASL mapping fallback
>>> [25/44]: restarting directory server
>>> [26/44]: creating DS keytab
>>> [27/44]: retrieving DS Certificate
>>> [28/44]: restarting directory server
>>> ipa : CRITICAL Failed to restart the directory server (Command
>>> '/bin/systemctl restart dirsrv@IPA-RDMEDIA-COM.service' returned
>>> non-zero exit status 1). See the installation log for details.
>>> [29/44]: setting up initial replication
>>> [error] error: [Errno 111] Connection refused
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR[Errno 111]
>>> Connection refused
>>> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
>>> ipa-replica-install command failed. See /var/log/ipareplica-install.log
>>> for more information
>>
>>
>> In /var/log/ipareplica-install.log we find:
>>
>> 2017-02-16T15:53:59Z DEBUG [27/44]: retrieving DS Certificate
>>> 2017-02-16T15:53:59Z DEBUG Loading Index file from
>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>> 2017-02-16T15:53:59Z DEBUG Starting external process
>>> 2017-02-16T15:53:59Z DEBUG args=/usr/bin/certutil -d
>>> /etc/dirsrv/slapd-IPA-RDMEDIA-COM/ -L -n IPA.RDMEDIA.COM IPA CA -a
>>> 2017-02-16T15:53:59Z DEBUG Process finished, return code=255
>>> 2017-02-16T15:53:59Z DEBUG stdout=
>>>
>>> *2017-02-16T15:53:59Z DEBUG stderr=certu