Re: [Freeipa-users] ipa replica installation help
HI List,

how can I solve this? Is this a bug, normal behavior or any missing configuration from my end? Till now I didn't get any clue on this.

Regards
Ben

On Thu, Jan 5, 2017 at 1:21 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote:
> > HI
> >
> > there is no firewall running on both servers,
> >
> > [root@zkwipamstr01 ~]# systemctl status firewalld
> > ● firewalld.service - firewalld - dynamic firewall daemon
> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
> >    Active: inactive (dead)
> >      Docs: man:firewalld(1)
> >
> > [root@zkwipamstr01 ~]# sestatus
> > SELinux status:                 disabled
> >
> OK, very well.  And actually, forget about my idea about connecting
> to port 8009 from client - that is not what happens at all.  It is
> the end of day for me and my brain checked out :/
>
> I shall continue analysis of your problem tomorrow.
>
> Thanks,
> Fraser
>
> > On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> >
> > > On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > > > HI,
> > > >
> > > > on master server and replica server, I have enabled ipv6
> > > >
> > > > below on master server
> > > >
> > > > [root@zkwipamstr01 ~]# ip addr | grep inet6
> > > >     inet6 fe80::250:56ff:fea0:3857/64 scope link
> > > >
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> > > >
> > > > after that 8009 is listening on master server.
> > > >
> > > > on replica side uninstalled ipa and tried to enroll again. Do I need to
> > > > enable any service on replica side?
> > > >
> > > >   [28/44]: restarting directory server
> > > > ipa         : CRITICAL Failed to restart the directory server (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > > > exit status 1). See the installation log for details.
> > > >   [29/44]: setting up initial replication
> > > >   [error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> > > > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
> > > >
> > > > Still same error.
> > > >
> > > > is this service restart pki-tomcatd@pki-tomcat only applicable on master server?
> > > >
> > > Yes, because no CA has been created on replica (yet).
> > >
> > > Can you confirm that your firewall (if any/enabled) on master is
> > > letting the traffic from client/replica through to :8009?
> > > Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> > > suffices to check.
> > >
> > > Thanks,
> > > Fraser
> > >
> > > > Regards,
> > > > Ben
> > > >
> > > > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> > > >
> > > > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > yes I did the same and still port is not listening.
> > > > > >
> > > > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > > > >
Re: [Freeipa-users] ipa replica installation help
HI

there is no firewall running on both servers,

[root@zkwipamstr01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

[root@zkwipamstr01 ~]# sestatus
SELinux status:                 disabled

On Thu, Jan 5, 2017 at 1:05 PM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote:
> > HI,
> >
> > on master server and replica server, I have enabled ipv6
> >
> > below on master server
> >
> > [root@zkwipamstr01 ~]# ip addr | grep inet6
> >     inet6 fe80::250:56ff:fea0:3857/64 scope link
> >
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java
> >
> > after that 8009 is listening on master server.
> >
> > on replica side uninstalled ipa and tried to enroll again. Do I need to
> > enable any service on replica side?
> >
> >   [28/44]: restarting directory server
> > ipa         : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> > [root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.
> >
> > Still same error.
> >
> > is this service restart pki-tomcatd@pki-tomcat only applicable on master server?
> >
> Yes, because no CA has been created on replica (yet).
>
> Can you confirm that your firewall (if any/enabled) on master is
> letting the traffic from client/replica through to :8009?
> Executing: ``nc -v $MASTER_IP 8009`` from the client machine
> suffices to check.
>
> Thanks,
> Fraser
>
> > Regards,
> > Ben
> >
> > On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com> wrote:
> >
> > > On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > yes I did the same and still port is not listening.
> > > >
> > > > [root@zkwipamstr01 ~]# cat /etc/hosts
> > > > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > > > ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> > > > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > > > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > > > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > > > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> > > >
> > > >
> > > > Regards
> > > > Ben
> > >
> > > Also IPv6 stack needs to be enabled.
> > >
> > > >
> > > > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> > > >
> > > >     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > > >     > HI
> > > >     >
> > > >     > port 8009 is not listening in master server
> > > >     >
> > > >     > and I added ::1 localhost localhost.localdomain localhost6
> > > >     > localhost6.localdomain6 in hosts file.
> > > >     >
> > > >     Did you add this to the host file on the master (then `systemctl
> > > >     restart pki-tomcatd@pki-tomcat` and con
Re: [Freeipa-users] ipa replica installation help
HI,

on master server and replica server, I have enabled ipv6

below on master server

[root@zkwipamstr01 ~]# ip addr | grep inet6
    inet6 fe80::250:56ff:fea0:3857/64 scope link

[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009
tcp6       0      0 ::1:8009                :::*                    LISTEN      12692/java

after that 8009 is listening on master server.

on replica side uninstalled ipa and tried to enroll again. Do I need to enable any service on replica side?

  [28/44]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@zkwiparepa01 ~]# systemctl restart pki-tomcatd@pki-tomcat
Job for pki-tomcatd@pki-tomcat.service failed because the control process exited with error code. See "systemctl status pki-tomcatd@pki-tomcat.service" and "journalctl -xe" for details.

Still same error.

is this service restart pki-tomcatd@pki-tomcat only applicable on master server?

Regards,
Ben

On Thu, Jan 5, 2017 at 11:12 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 01/05/2017 07:10 AM, Ben .T.George wrote:
> > HI
> >
> > yes I did the same and still port is not listening.
> >
> > [root@zkwipamstr01 ~]# cat /etc/hosts
> > 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
> > ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
> > 10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
> > 10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
> > [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
> > [root@zkwipamstr01 ~]# netstat -tunap | grep 8009
> >
> >
> > Regards
> > Ben
>
> Also IPv6 stack needs to be enabled.
>
> >
> > On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:
> >
> >     On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> >     > HI
> >     >
> >     > port 8009 is not listening in master server
> >     >
> >     > and I added ::1 localhost localhost.localdomain localhost6
> >     > localhost6.localdomain6 in hosts file.
> >     >
> >     Did you add this to the host file on the master (then `systemctl
> >     restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> >     8009)?  Or just the client you are trying to promote?
> >
> >     It is needed on the master.  Won't hurt to make this change to
> >     /etc/hosts on both machines, though.
> >
> >     HTH,
> >     Fraser
> >
> >     > still getting same error
> >     >
> >     >   [28/44]: restarting directory server
> >     > ipa         : CRITICAL Failed to restart the directory server (Command
> >     > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> >     > exit status 1). See the installation log for details.
> >     >   [29/44]: setting up initial replication
> >     >   [error] error: [Errno 111] Connection refused
> >     > Your system may be partly configured.
> >     > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >     >
> >     > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
> >     > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> >     >
> >     >
> >     > Also ipv6 is disabled on both nodes
> >     >
> >     > Regards,
> >     > Ben
> >     >
> >     > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
> >     >
> >     > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> >
Re: [Freeipa-users] ipa replica installation help
HI

yes I did the same and still port is not listening.

[root@zkwipamstr01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.151.4.64 zkwipamstr01.kw.example.com zkwipamstr01
10.151.4.65 zkwiparepa01.kw.example.com zkwiparepa01
[root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat
[root@zkwipamstr01 ~]# netstat -tunap | grep 8009


Regards
Ben

On Thu, Jan 5, 2017 at 9:03 AM, Fraser Tweedale <ftwee...@redhat.com> wrote:

> On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote:
> > HI
> >
> > port 8009 is not listening in master server
> >
> > and I added ::1 localhost localhost.localdomain localhost6
> > localhost6.localdomain6 in hosts file.
> >
> Did you add this to the host file on the master (then `systemctl
> restart pki-tomcatd@pki-tomcat` and confirm it is listening on port
> 8009)?  Or just the client you are trying to promote?
>
> It is needed on the master.  Won't hurt to make this change to
> /etc/hosts on both machines, though.
>
> HTH,
> Fraser
>
> > still getting same error
> >
> >   [28/44]: restarting directory server
> > ipa         : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> > exit status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> >
> >
> > Also ipv6 is disabled on both nodes
> >
> > Regards,
> > Ben
> >
> > On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
> >
> > > On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > I tried the method mentioned on that document and it ended up with below error. My
> > > > DNS is managed by external box and I dont want to create any DNS record on these
> > > > servers.
> > > >
> > > > and the command which I tried is (non client server)
> > > >
> > > > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > > > kw.example.com --server zkwipamstr01.kw.example.com
> > > >
> > > >
> > > >
> > > > ipa         : CRITICAL Failed to restart the directory server (Command
> > > > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit
> > > > status 1). See the installation log for details.
> > > >   [29/44]: setting up initial replication
> > > >   [error] error: [Errno 111] Connection refused
> > > > Your system may be partly configured.
> > > > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> > > >
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection
> > > > refused
> > > > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> > > > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
> > > > information
> > >
> > > This looks like bug https://fedorahosted.org/freeipa/ticket/6575
> > >
> > > To verify that, could you check if master server internally listens on
> > > port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> > > near step 27.
> > >
> > > Usual fix is to add following line to /etc/hosts
> > > ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> > >
> > >
> > > > [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
> > > > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process exited
> > > > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and
Re: [Freeipa-users] ipa replica installation help
HI

anyone please help me to fix this.

Regards,
Ben

On Wed, Jan 4, 2017 at 3:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:

> HI
>
> port 8009 is not listening in master server
>
> and I added ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6 in hosts file.
>
> still getting same error
>
>   [28/44]: restarting directory server
> ipa         : CRITICAL Failed to restart the directory server (Command
> '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero
> exit status 1). See the installation log for details.
>   [29/44]: setting up initial replication
>   [error] error: [Errno 111] Connection refused
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
>
> Also ipv6 is disabled on both nodes
>
> Regards,
> Ben
>
> On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:
>
>> On 01/04/2017 10:59 AM, Ben .T.George wrote:
>> > HI
>> >
>> > I tried the method mentioned on that document and it ended up with below error. My
>> > DNS is managed by external box and I dont want to create any DNS record on these
>> > servers.
>> >
>> > and the command which I tried is (non client server)
>> >
>> > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
>> > kw.example.com --server zkwipamstr01.kw.example.com
>> >
>> >
>> >
>> > ipa         : CRITICAL Failed to restart the directory server (Command
>> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit
>> > status 1). See the installation log for details.
>> >   [29/44]: setting up initial replication
>> >   [error] error: [Errno 111] Connection refused
>> > Your system may be partly configured.
>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>> >
>> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection
>> > refused
>> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
>> > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
>> > information
>>
>> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>>
>> To verify that, could you check if master server internally listens on
>> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
>> near step 27.
>>
>> Usual fix is to add following line to /etc/hosts
>> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>>
>>
>> > [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
>> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process exited
>> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and
>> > "journalctl -xe" for details.
>> >
>> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
>> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
>> >    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
>> >    Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
>> >   Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
>> >   Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
>> >  Main PID: 14893 (code=exited, status=1/FAILURE)
>> >
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
>> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
>> > Jan 04 12:54:46 zkwiparepa0
Re: [Freeipa-users] ipa replica installation help
HI

port 8009 is not listening in master server

and I added ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 in hosts file.

still getting same error

  [28/44]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server (Command '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit status 1). See the installation log for details.
  [29/44]: setting up initial replication
  [error] error: [Errno 111] Connection refused
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection refused
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information


Also ipv6 is disabled on both nodes

Regards,
Ben

On Wed, Jan 4, 2017 at 2:05 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 01/04/2017 10:59 AM, Ben .T.George wrote:
> > HI
> >
> > I tried the method mentioned on that document and it ended up with below error. My
> > DNS is managed by external box and I dont want to create any DNS record on these
> > servers.
> >
> > and the command which I tried is (non client server)
> >
> > ipa-replica-install --principal admin --admin-password P@ssw0rd --domain
> > kw.example.com --server zkwipamstr01.kw.example.com
> >
> >
> >
> > ipa         : CRITICAL Failed to restart the directory server (Command
> > '/bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service' returned non-zero exit
> > status 1). See the installation log for details.
> >   [29/44]: setting up initial replication
> >   [error] error: [Errno 111] Connection refused
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    [Errno 111] Connection
> > refused
> > ipa.ipapython.install.cli.install_tool(Replica): ERROR    The
> > ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
> > information
>
> This looks like bug https://fedorahosted.org/freeipa/ticket/6575
>
> To verify that, could you check if master server internally listens on
> port 8009 or if ipareplica-install.log contains CA_UNREACHABLE string
> near step 27.
>
> Usual fix is to add following line to /etc/hosts
> ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
>
> > [root@zkwiparepa01 ~]# /bin/systemctl restart dirsrv@KW-EXAMPLE-COM.service
> > Job for dirsrv@KW-EXAMPLE-COM.service failed because the control process exited
> > with error code. See "systemctl status dirsrv@KW-EXAMPLE-COM.service" and
> > "journalctl -xe" for details.
> >
> > [root@zkwiparepa01 ~]# systemctl status dirsrv@KW-EXAMPLE-COM.service
> > ● dirsrv@KW-EXAMPLE-COM.service - 389 Directory Server KW-EXAMPLE-COM.
> >    Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
> >    Active: failed (Result: exit-code) since Wed 2017-01-04 12:54:46 AST; 13s ago
> >   Process: 14893 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid (code=exited, status=1/FAILURE)
> >   Process: 14887 ExecStartPre=/usr/sbin/ds_systemd_ask_password_acl /etc/dirsrv/slapd-%i/dse.ldif (code=exited, status=0/SUCCESS)
> >  Main PID: 14893 (code=exited, status=1/FAILURE)
> >
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.177617891 +0300] Error: betxnpostoperation plu...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.178379752 +0300] Error: object plugin Roles Pl...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179162340 +0300] Error: preoperation plugin su...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.179993432 +0300] Error: object plugin USN is n...arted
> > Jan 04 12:54:46 zkwiparepa01.kw.example.com ns-slapd[14893]: [04/Jan/2017:12:54:46.181305209 +0300] Error: object plugin Views is.
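The replies in this thread ask for the same handful of checks several times: does /etc/hosts on the master map ::1 to localhost (Petr's usual fix for ticket 6575), is the IPv6 stack enabled, does ipareplica-install.log on the replica contain CA_UNREACHABLE, and is the CA's port 8009 listening on ::1 on the master. The POSIX shell script below is an added example that automates them; it is not code from this thread or from the FreeIPA project. Each file-based check takes the path it reads as an argument so it can be run against copied files; the defaults are the standard locations, the function names are mine, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added diagnostic for the replica-install failure discussed in this thread
# (not FreeIPA code). Checks, in order, the conditions the replies point at:
#   1. /etc/hosts on the master maps ::1 to localhost
#   2. the IPv6 stack is enabled (the disable_ipv6 sysctl reads 0)
#   3. ipareplica-install.log on the replica records CA_UNREACHABLE
#   4. the CA's port 8009 is listening on ::1 on the master (live check only)
# Paths are parameters so the checks also work on copies of the files.

# 0 if the hosts file has an uncommented ::1 line that names "localhost".
hosts_has_ipv6_localhost() {
    awk '$1 == "::1" { for (i = 2; i <= NF; i++) if ($i == "localhost") found = 1 }
         END { exit !found }' "${1:-/etc/hosts}"
}

# 0 if the IPv6 stack is enabled. The argument is the sysctl flag file;
# a missing file means the kernel has no IPv6 support at all.
ipv6_enabled() {
    flag="${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}"
    [ -r "$flag" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag")" = "0" ]
}

# 0 if the replica install log records the CA as unreachable.
log_shows_ca_unreachable() {
    log="${1:-/var/log/ipareplica-install.log}"
    [ -r "$log" ] && grep -q 'CA_UNREACHABLE' "$log"
}

# 0 if a TCP listener is bound to [::1]:8009; only meaningful on the master.
ajp_listening_on_ipv6_loopback() {
    ss -ltn 2>/dev/null | grep -q '\[::1\]:8009'
}

# Runs the three file-based checks, prints one PASS/FAIL line each with the
# remedy the thread gives, and returns the number of failed checks.
replica_precheck() {
    failures=0
    if hosts_has_ipv6_localhost "$1"; then
        echo "PASS  ::1 maps to localhost in ${1:-/etc/hosts}"
    else
        echo "FAIL  add '::1 localhost localhost.localdomain localhost6 localhost6.localdomain6' to ${1:-/etc/hosts} on the master, then: systemctl restart pki-tomcatd@pki-tomcat"
        failures=$((failures + 1))
    fi
    if ipv6_enabled "$2"; then
        echo "PASS  IPv6 stack is enabled"
    else
        echo "FAIL  IPv6 is disabled; pki-tomcat binds 8009 on ::1, so the IPv6 stack must be enabled"
        failures=$((failures + 1))
    fi
    if log_shows_ca_unreachable "$3"; then
        echo "FAIL  ${3:-/var/log/ipareplica-install.log} records CA_UNREACHABLE (ticket 6575 symptom)"
        failures=$((failures + 1))
    else
        echo "PASS  no CA_UNREACHABLE in ${3:-/var/log/ipareplica-install.log}"
    fi
    return "$failures"
}

# Usage on a live host: sh replica_precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    replica_precheck "" "" "" || echo "$? check(s) failed"
    if ajp_listening_on_ipv6_loopback; then
        echo "PASS  a listener is bound to [::1]:8009"
    else
        echo "FAIL  nothing is listening on [::1]:8009 (run this on the master)"
    fi
fi
```

Run the file-based checks on the master and the log check on the replica; when the hosts-file check fails, the fix and the service restart both belong on the master, as Fraser notes, and the log check is the replica-side confirmation Petr asks for.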
[Freeipa-users] ipa replica installation help
HI

while trying to create ipa replica, I am getting below error,

Replica creation using 'ipa-replica-prepare' to generate replica file
is supported only in 0-level IPA domain.

The current IPA domain level is 1 and thus the replica must
be created by promoting an existing IPA client.

To set up a replica use the following procedure:
    1.) set up a client on the host using 'ipa-client-install'
    2.) promote the client to replica running 'ipa-replica-install'
        *without* replica file specified

'ipa-replica-prepare' is allowed only in domain level 0
The ipa-replica-prepare command failed.

I have IPA master server without AD integration and DNS is managed by 3rd party appliances.

Regards,
Ben

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Sudo rule implementation
HI,

thanks for your information. I have validated logs. I destroyed the current kerberos ticket and re-initiated, then the issue was solved.

Regards,
Ben

On Tue, Dec 20, 2016 at 2:24 PM, Jakub Hrozek <jhro...@redhat.com> wrote:

> On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote:
> > Hi List,
> >
> > please help me to implement sudo rules.
> >
> > I have done below steps and still not working for me.
> >
> > 1. created "Sudo Command Groups"
> > 2. Added some command (/bin/yum) and included in sudo group
> > 3. created "sudo Rule" on that
> >    * added sudo Option as "!authenticate"
> >    * Added User Group.
> >    * Added one Host
> >    * And under Run command, selected the Sudo Rule Group.
> > 4. entry on nsswitch.conf : sudoers: files sss
> > 5. entry on sssd.conf : services = nss, sudo, pam, ssh
> >
> > and I tried removing "!authenticate" and changed to Anyone, Any Host and Any
> > Command, Also under As Whom to Anyone and Any Group
> > - I tried logout and login again on client with IPA user which is member of
> > user group.
> >
> > When I am running yum, getting error that user is not allowed to execute
> > command.
> >
> >
> > Please anyone help to correct my steps.
> >
> > Regards
> > Ben
>
> Please follow:
> https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO
> especially the sudo logs are often helpful to see what rules is sssd
> returning to sudo.
[Freeipa-users] Sudo rule implementation
Hi List,

please help me to implement sudo rules.

I have done below steps and still not working for me.

1. created "Sudo Command Groups"
2. Added some command (/bin/yum) and included in sudo group
3. created "sudo Rule" on that
   * added sudo Option as "!authenticate"
   * Added User Group.
   * Added one Host
   * And under Run command, selected the Sudo Rule Group.
4. entry on nsswitch.conf : sudoers: files sss
5. entry on sssd.conf : services = nss, sudo, pam, ssh

and I tried removing "!authenticate" and changed to Anyone, Any Host and Any Command, Also under As Whom to Anyone and Any Group
- I tried logout and login again on client with IPA user which is member of user group.

When I am running yum, getting error that user is not allowed to execute command.


Please anyone help to correct my steps.

Regards
Ben
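Steps 4 and 5 above are the two client-side settings that decide whether sudo ever asks SSSD for rules at all. The POSIX shell script below is an added example, not code from this thread or from the SSSD or FreeIPA projects, that validates both from the configuration files. It parses the [sssd] section of sssd.conf as an INI file rather than grepping for the word "sudo" anywhere, so a [sudo] debugging section or a commented-out line cannot produce a false pass. Function names are mine; paths default to the live files and can be overridden; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: validate the client-side sudo integration from steps 4 and 5
# (nsswitch.conf "sudoers: files sss" and the sudo responder in sssd.conf).
# Not SSSD or FreeIPA code. Paths default to the live files but can be given
# explicitly so the checks can run on copies.

# Print the value of KEY in [SECTION] of an INI-style file such as sssd.conf.
# Only the named section is searched, so "services" under [sssd] is never
# confused with a key of the same name under [domain/...] or [sudo].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/[ \t]/, "", line); in_section = (line == want); next }
        in_section && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# 0 if the sudo responder is listed in the services line of [sssd].
sssd_serves_sudo() {
    ini_get "${1:-/etc/sssd/sssd.conf}" sssd services |
        tr ',' '\n' | grep -Eq '^[[:space:]]*sudo[[:space:]]*$'
}

# 0 if nsswitch.conf sends sudoers lookups to sss.
nsswitch_sudoers_uses_sss() {
    grep -Eq '^[[:space:]]*sudoers:.*([[:space:]]|:)sss([[:space:]]|$)' "${1:-/etc/nsswitch.conf}"
}

# Print a PASS/FAIL line per check and return the number of failures.
sudo_client_precheck() {
    failures=0
    if sssd_serves_sudo "$1"; then
        echo "PASS  sudo responder is enabled in [sssd] services"
    else
        echo "FAIL  add sudo to 'services = ...' under [sssd] in ${1:-/etc/sssd/sssd.conf} and restart sssd"
        failures=$((failures + 1))
    fi
    if nsswitch_sudoers_uses_sss "$2"; then
        echo "PASS  nsswitch.conf routes sudoers lookups to sss"
    else
        echo "FAIL  set 'sudoers: files sss' in ${2:-/etc/nsswitch.conf}"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage on a live client (sssd.conf is root-readable only): sh sudo_precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    sudo_client_precheck "" "" || echo "$? check(s) failed"
fi
```

When both checks pass and sudo still denies the command, the problem is in the rule or in the cached data rather than in the wiring; that is where the SSSD sudo troubleshooting page linked in the reply, and the fresh Kerberos ticket the original poster ended up needing, come in.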
[Freeipa-users] How to implement sudo rules
Hi List,

please help me to implement sudo rules.

I have done below steps and still not working for me.

1. created "Sudo Command Groups"
2. Added some command (/bin/yum) and included in sudo group
3. created "sudo Rule" on that
   * added sudo Option as "!authenticate"
   * Added User Group.
   * Added one Host
   * And under Run command, selected the Sudo Rule Group.

I tried logout and login again on client with IPA user which is member of user group.

When I am running yum, getting error that user is not allowed to execute command.

Please anyone help to correct my steps.

Regards
Ben
[Freeipa-users] How to disable First time password change on IPA user
HI

How to disable first time password change on newly created user from web UI

Regards,
Ben
[Freeipa-users] From where can i get latest IPA repo for centos
HI List,

From where can I get latest IPA repo for centos. The repo which I was using on copr is not working now.

please anyone help me to sort it out.

Regards,
Ben
[Freeipa-users] freeipa 4.4 online repo is down
Hi List,

always https://copr.fedorainfracloud.org/ is down, is there any alternative repo where I can get IPA 4.4?

Regards,
Ben
Re: [Freeipa-users] Install best practice -
Hi

thanks for the reply.

"the easiest would be to create a zone and delegating that to the ipa hosts. No other change necessary."

can you explain a little more? You mean I need to create a separate DNS zone?

regards,
Ben

On Sun, May 29, 2016 at 9:11 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:

>
>
> On Sun, May 29, 2016 at 7:11 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> I would like to know how can I proceed with best practices
>>
>> My AD domain is : corp.examle.com.kw
>> My DNS (appliances ) : kw.test.com
>>
>> All my clients are pointed to kw.test.com including AD.
>>
>> How can I proceed with Free IPA installation? where I need to manage DNS
>> of freeipa master server?
>>
>>
>> creating new DNS zone in kw.test.com will be little bit difficult.
>>
>> which will be best configuration with minimal changes in existing setup.
>>
>
> the easiest would be to create a zone and delegating that to the ipa
> hosts. No other change necessary.
>
> Not sure if this is a 'best practice', but this is how we have been
> running our environment for years without any problems.
>
> --
> regards,
> Natxo
[Freeipa-users] Install best practice -
Hi

I would like to know how can I proceed with best practices

My AD domain is : corp.examle.com.kw
My DNS (appliances ) : kw.test.com

All my clients are pointed to kw.test.com including AD.

How can I proceed with Free IPA installation? where I need to manage DNS of freeipa master server?

creating new DNS zone in kw.test.com will be little bit difficult.

which will be best configuration with minimal changes in existing setup.

Regards,
Ben
Re: [Freeipa-users] What id my AD domain user password not available
Hi Alex,

I am using Windows 2008 R2. When I give IPA's DNS name and click next, the trust wizard does not go through. But if I select realm trust, at least the wizard completes.

So which AD version is recommended?

Regards,
Ben

On Fri, May 27, 2016 at 7:05 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 27 May 2016, Ben .T.George wrote:
>> This is what my trust properties from AD. Trust type is showing as realm
>>
> It should be 'Forest', not 'realm'. Realm is for plain MIT Kerberos
> realm trust which is *not* what IPA provides.
>
>> How can i fix this issue.
>>
> Use correct type of trust when establishing trust on AD side. If your
> Windows version does not allow to specify proper trust type, I'm afraid,
> there is nothing we can help with.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] What id my AD domain user password not available
Hi

I ran some commands from the AD side and the trust status got changed. Below is the command I used on AD:

netdom trust /d: /verify

Before it was "Waiting for confirmation by remote side" and now it got changed to "Trust type: Active Directory domain".

But when I am trying to map an AD group, it is not going through:

[root@zkwipamstr01 ~]# ipa group-add-member ad_admins_external --external 'MTC_TABS\Domain Users'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad_domain admins external map
  Failed members:
    member user:
    member group: MTC_TABS\Domain Users: trusted domain object not found
-
Number of members added 0
-

This is what my trust properties from AD show. Trust type is showing as realm.

How can I fix this issue?

On Thu, May 26, 2016 at 10:32 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi All
>
> i have given share key and the status is like below.
>
> [root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" --trust-secret
> Shared secret for the trust:
>
> Added Active Directory trust for realm "corp.example.com.kw"
>   Realm name: corp.example.com.kw
>   Domain NetBIOS name: MTC_TABS
>   Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
>   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
>   Trust direction: Trusting forest
>   Trust type: Active Directory domain
>   Trust status: Waiting for confirmation by remote side
>
> what is this means "Waiting for confirmation by remote side" . how can i
> check that. from my AD side, i cannot see the screens shown in that
> gif(tutorial)
>
> Please anyone help me.
>
> Thanks & Regards,
> Ben
Re: [Freeipa-users] What id my AD domain user password not available
Hi All

I have given the shared key and the status is like below.

[root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw" --trust-secret
Shared secret for the trust:

Added Active Directory trust for realm "corp.example.com.kw"
  Realm name: corp.example.com.kw
  Domain NetBIOS name: MTC_TABS
  Domain Security Identifier: S-1-5-21-4225188509-189646935-2695072313
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side

What does "Waiting for confirmation by remote side" mean? How can I check that? From my AD side, I cannot see the screens shown in that gif (tutorial).

Please anyone help me.

Thanks & Regards,
Ben

On Thu, May 26, 2016 at 7:58 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
> That looks good. I see you are using an external DNS source for the IPA
> domain, correct? You may need to do some additional steps on the FreeIPA
> server, because by default it will configure BIND and populate resource
> records for the IPA domain (for example, SRV records like
> _ldap._tcp.kw.example.com). I'm not familiar with setting up FreeIPA with an
> external DNS, but I'm sure there are some instructions out there.
>
> -Mike
Re: [Freeipa-users] What id my AD domain user password not available
Hi

In my case I have 2 domains:

AD DNS: corp.example.kw.com
main DNS (from appliance): kw.example.com

and all the Linux boxes are pointed to kw.example.com,

so I put my IPA server hostname as ipa.kw.example.com and created A & PTR records on kw.example.com.

Is that the correct way?

Regards,
Ben

On Mon, May 23, 2016 at 8:20 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
> Ben,
>
> Yes, that is a requirement. Just creating the A & PTR records for your
> FreeIPA server is not enough. You will need to keep the DNS zones separate
> too, example:
> Windows AD Domain: mydomain.com
> FreeIPA Realm/Domain: subdomain.mydomain.com
>
> You cannot have a cross-forest trust between two domains with the same DNS
> zone name. So if you have a flat DNS namespace, then you will want to plan
> accordingly to move all the linux boxes that will participate in the
> FreeIPA domain into the new DNS zone.
>
> -Mike
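The DNS requirements that come up in this thread (Mike's point that the IPA domain must live in a DNS zone distinct from the AD zone, with forwarding between the two and the SRV records such as _ldap._tcp published in the IPA zone, and Natxo's advice in the "Install best practice" thread to create a zone and delegate it to the IPA hosts) can be checked against a snapshot of what the resolvers answer before running ipa-server-install or ipa trust-add. The script below is an added example, not code from the thread or from FreeIPA. RECORDS is a constructed snapshot using the thread's names (AD corp.example.com.kw, IPA zone kw.example.com, server ipa.kw.example.com) and a documentation address; REQUIRED_SRV is the core subset of the SRV records an IPA server publishes and is assumed sufficient for a sanity check, the full list is longer.

```python
"""Offline sanity check of the DNS layout an IPA <-> AD trust needs.

Added example, not code from the thread or from FreeIPA. RECORDS is a
constructed snapshot of what the resolvers answer (owner name -> record
type -> values); the names follow the thread's examples.
"""

# Core SRV records an IPA server publishes in its own zone. Assumption:
# this subset is enough for a sanity check; the full list is longer.
REQUIRED_SRV = (
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kpasswd._tcp", "_kpasswd._udp",
)


def _norm(name):
    return name.rstrip(".").lower()


def zone_relation(ad_zone, ipa_zone):
    """How the two DNS names relate: same, nested one way or the other, or disjoint."""
    a, i = _norm(ad_zone), _norm(ipa_zone)
    if a == i:
        return "same"
    if i.endswith("." + a):
        return "ipa_under_ad"
    if a.endswith("." + i):
        return "ad_under_ipa"
    return "disjoint"


def _lookup(records, name, rtype):
    return records.get(_norm(name), {}).get(rtype, [])


def check_trust_dns(ad_zone, ipa_zone, ipa_host, records):
    """Return 'OK: ...', 'WARN: ...' and 'FAIL: ...' findings, in check order."""
    out = []
    ad, ipa, host = _norm(ad_zone), _norm(ipa_zone), _norm(ipa_host)

    rel = zone_relation(ad, ipa)
    if rel == "same":
        out.append("FAIL: IPA and AD share the DNS zone name %s; a cross-forest "
                   "trust needs distinct zones" % ad)
        return out  # nothing below is meaningful until the zones are split
    if rel == "ipa_under_ad":
        out.append("WARN: %s is a child of the AD zone, so the AD DNS must hold "
                   "the delegation (NS + glue) for it" % ipa)
    else:
        out.append("WARN: zones are %s; IPA needs a forward zone for %s and AD a "
                   "conditional forwarder for %s" % (rel, ad, ipa))

    # A zone that exists (delegated or served) answers NS at its apex; no NS
    # means the parent zone still owns the name and nothing was delegated.
    ns = _lookup(records, ipa, "NS")
    if ns:
        out.append("OK: %s has NS %s" % (ipa, ", ".join(ns)))
    else:
        out.append("FAIL: no NS records for %s; create the zone and delegate it "
                   "from its parent to the IPA hosts" % ipa)

    # A and matching PTR for the IPA server itself.
    addrs = _lookup(records, host, "A")
    if not addrs:
        out.append("FAIL: no A record for %s" % host)
    for addr in addrs:
        rev = ".".join(reversed(addr.split("."))) + ".in-addr.arpa"
        if host in [_norm(p) for p in _lookup(records, rev, "PTR")]:
            out.append("OK: PTR %s -> %s" % (addr, host))
        else:
            out.append("WARN: PTR for %s does not point back to %s" % (addr, host))

    # Service records clients (and the AD side) use to find the IPA server.
    for srv in REQUIRED_SRV:
        owner = srv + "." + ipa
        targets = _lookup(records, owner, "SRV")
        if targets:
            out.append("OK: %s -> %s" % (owner, ", ".join(targets)))
        else:
            out.append("FAIL: missing SRV record %s" % owner)
    if not _lookup(records, "_kerberos." + ipa, "TXT"):
        out.append("WARN: no _kerberos TXT record naming the realm in %s" % ipa)
    return out


def failures(findings):
    """Only the blocking findings."""
    return [f for f in findings if f.startswith("FAIL")]


# Constructed snapshot: IPA zone kw.example.com delegated to the IPA host
# ipa.kw.example.com (192.0.2.10, a documentation address), AD in
# corp.example.com.kw as in the thread.
RECORDS = {
    "kw.example.com": {"NS": ["ipa.kw.example.com"]},
    "ipa.kw.example.com": {"A": ["192.0.2.10"]},
    "10.2.0.192.in-addr.arpa": {"PTR": ["ipa.kw.example.com"]},
    "_kerberos.kw.example.com": {"TXT": ["KW.EXAMPLE.COM"]},
}
for _srv in REQUIRED_SRV:
    RECORDS[_srv + ".kw.example.com"] = {"SRV": ["ipa.kw.example.com"]}

if __name__ == "__main__":
    for line in check_trust_dns("corp.example.com.kw", "kw.example.com",
                                "ipa.kw.example.com", RECORDS):
        print(line)
```

To use it against a live environment, fill RECORDS from the answers of `dig` for each owner name as seen from the IPA server's own resolver; a FAIL on the NS check is exactly the situation Natxo's delegation advice fixes, and a FAIL on the same-zone check is the flat-namespace case Mike warns about.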
Re: [Freeipa-users] What id my AD domain user password not available
Hi

Yeah, that gif screen I shared with him, but that doesn't show how to take the shared key.

In my case DNS is handled by 3rd party appliances and from their side they created an A record for my IPA server. Both forward and reverse are working.

Is this forwarder a mandatory thing from the DNS side?

Regards,
Ben

On Mon, May 23, 2016 at 5:31 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
> Actually one of his questions doesn't make sense, because last I checked,
> normal domain users do not have permissions to create a forest trust.
> I believe the default is a one-way trust, so maybe his concerns about the
> bi-directional trust is really a non-issue.
> If he refuses to type in the admin password in a linux console session
> (extreme paranoia?), then perhaps you could give him a link to the tutorial
> on using a pre-shared key and have him setup the AD side and give you the
> key. You don't have to be a Windows expert to do this, just ask your
> domain admin to do the steps for you. Also, you will need to setup a
> separate DNS zone and some forwarding rules. Otherwise you are going to
> have problems.
>
> -Mike
Re: [Freeipa-users] What id my AD domain user password not available
Hi

He is local only, but he is asking so many questions.

First of all he is refusing to give the domain admin user's password.

The questions he is asking are:

Is this trust relationship two directional? If yes, why does IPA require a two directional trust?
Can we build this trust one directional?
Can we achieve this with a normal domain user?

And he is opposed to entering the password on the command line, and I was going through the trust using a pre-shared key, and it's too hard for me to understand as I have no Windows experience.

regards,
Ben

On Mon, May 23, 2016 at 4:22 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
> A couple of ways to go about this. If he is local to you, you could
> explain that you need to establish a trust with his domain and you need his
> assistance for a few minutes while you type the command to join, then have
> him type in the password. You need to assure that the DNS forward/stub
> zones are setup and working too. If he is remote, you could use some
> screen share software and share out your desktop and walk him through the
> part where he has to type the admin password. There is also a way to
> create a trust using a pre-shared key. That may be more acceptable to
> him.
>
> -Mike
Re: [Freeipa-users] What id my AD domain user password not available
Hi

Thanks for your reply. I saw this before, but the thing is I can't follow this one as I am not completely getting those steps.

ipa trust-add --type=ad "ad_domain" --trust-secret

It is asking for a key, and what do I need to give? And the gif screens shown and my current AD windows are different.

Regards
Ben

On 23 May 2016 16:13, "Martin Babinsky" <mbabi...@redhat.com> wrote:
> Hi Ben,
>
> You can ask your AD domain admin to create a shared secret for
> establishing trust. See the corresponding chapter in the guide for creating
> trusts[1] for more details.
>
> [1]
> http://www.freeipa.org/page/Active_Directory_trust_setup#When_AD_administrator_credentials_aren.27t_available
>
> --
> Martin^3 Babinsky
[Freeipa-users] What id my AD domain user password not available
Hi List,

My Windows domain admin is not giving me the domain admin user password.

In this case how can I proceed with ipa trust-add?

regards,
Ben
Re: [Freeipa-users] AD users home directory automount
Hi,

Thanks for the reply. Actually I don't want to share from my trusted AD. My SAN has CIFS and NFS capability. In this case how can I proceed?

Usually while installing a client, I used to give the options below:

ipa-client-install --server global.ipa.local --domain ipa.local --mkhomedir --fixed-primary

so whenever a user logs in, it creates the home directory automatically under /home/DOMAIN/user.

regards,
Ben

On Wed, May 18, 2016 at 4:00 PM, Michael ORourke <mrorou...@earthlink.net> wrote:
> Yes, because you can point the automount maps to whatever device you
> want. NFSv4 might be more tricky to setup on a SAN device and may or may
> not work depending on the software/firmware of the device. NFSv3 is a well
> supported protocol across SAN vendors and you should not have any problems
> setting that up. I've used Openfiler on a white-box SAN with home dirs and
> automount maps which is working fine for us.
> I wonder if you could do some sort of CIFS home dir automount with a SAN
> that is joined to an AD domain which is trusted by FreeIPA? Seems like
> this would be feasible.
>
> -Mike
[Freeipa-users] AD users home directory automount
Hi List,

Is it possible to mount the home directories of AD authenticated users from an external source (like a SAN or file share)?

Regards,
Ben
Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
Hi All

Again the repo is down.

Regards,
Ben

On Mon, May 2, 2016 at 2:04 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 02 May 2016, Ben .T.George wrote:
>> yes now it's working and yesterday it was not.
>>
> COPR service SLA is weaker than primary Fedora repositories. Basically,
> we have no promise COPR would be available all the time.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] How RBAC defined.
Hi

So basically RBAC cannot be applied against system users (ssh)?

On Mon, May 16, 2016 at 11:29 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> FreeIPA implements RBAC only for accessing data in LDAP. Practically, it
> is used to delegate permissions to modify certain attributes of objects
> entries stored in LDAP.
>
> See
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] How RBAC defined.
Hi Marc,

Thanks for the explanation. Can you please share some kind of implementation guide for this?

On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <marc.boorsht...@tremolosecurity.com> wrote:
> I can imagine. RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function. It's a way of mapping business policies
> to technical authorizations. An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable. So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system" but another
> "Role" called Accounts Receivable that has access to other groups.
> Then you have something to audit against "Why does someone with Role X
> have groups that aren't tied to that role?".
>
> In practice, this rarely works. Few enterprises do that good of a job
> defining the roles and responsibilities for their employees at an HR
> level that trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change so if you need to
> grant someone access to a system that's "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures. I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
[Freeipa-users] How RBAC defined.
Hi List,

I have one working setup with HBAC and sudo rules.

I would like to know more about RBAC, like what RBAC is and what can be achieved with RBAC.

Anyone please share some good topics about this, as I am getting so many and the information mentioned on them differs.

Thanks & Regards,
Ben
Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
Hi

Thanks.

Yes, now it's working, and yesterday it was not.

regards,
Ben

On Mon, May 2, 2016 at 1:54 PM, Martin Basti <mba...@redhat.com> wrote:
> On 01.05.2016 10:24, Ben .T.George wrote:
>> Hi All,
>> again link for IPA 4.3.1 is offline
>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>
> Could it be a temporal copr issue? I see all packages there.
> Martin
Re: [Freeipa-users] Help regarding SUDo rule implementation
Hi All

The sudo rules started working. Actually I tried after 6 hours. What is the default time for a rule to take effect normally? Is there any way to manually pull changes from the client?

Regards,
Ben

On Sun, May 1, 2016 at 11:46 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI
>
> i have a working setup of FreeIPA 4.3 with AD integrated, I can able to
> apply HBAC rules and from client side it's working.
>
> how can i apply sudo rules to that specific POSIX group.
>
> i have created sample rue and added 2 commands put option as !authenticate
> and attached this rule to client, but still sudo -l is not working
>
> /etc/nsswitch.conf file has : sudoers: files sss
>
> and /etc/sssd/sssd.conf has : services = nss, sudo, pam, ssh
>
> Thanks & Regards,
> Ben
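On the two questions in the message above (how long a new sudo rule takes to reach a client, and whether it can be pulled by hand): the client's SSSD fetches IPA sudo rules itself and caches them. It runs a smart refresh (only rules changed since the last run) every ldap_sudo_smart_refresh_interval seconds, default 900, and a full refresh every ldap_sudo_full_refresh_interval seconds, default 21600, which is the 6 hours observed; both are per-domain options in sssd.conf, documented in sssd-ldap(5). `sss_cache -r` on the client invalidates the cached sudo rules so the next `sudo -l` goes back to the server. The script below is an added example, not code from the thread or from SSSD: it parses an sssd.conf and an nsswitch.conf of the shape quoted in the thread, reports whether the sudo path is wired up (sudo responder enabled, sudoers consulting sss, a sudo provider for the domain) and prints the effective refresh intervals. SSSD_CONF and NSSWITCH are constructed from the thread's snippets; the domain name ipa.local and server global.ipa.local are taken from Ben's ipa-client-install line elsewhere on this page.

```python
"""Check a client's sudo-over-SSSD wiring and its rule refresh timing.

Added example, not code from the thread or from SSSD. SSSD_CONF and
NSSWITCH below are constructed from the lines quoted in the thread; the
fallback intervals are the sssd-ldap(5) defaults.
"""
import configparser

# sssd-ldap(5) defaults for how often sudo rules are re-read from the server.
DEFAULT_SMART_REFRESH = 900    # seconds; only rules changed since the last run
DEFAULT_FULL_REFRESH = 21600   # seconds; every rule, i.e. 6 hours


def parse_nsswitch(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sudo_wiring(sssd_conf_text, nsswitch_text):
    """Return 'OK: ...', 'FAIL: ...' and 'INFO: ...' findings for the sudo path."""
    cfg = configparser.ConfigParser()
    cfg.read_string(sssd_conf_text)
    out = []

    # 1. The sudo responder must be started by the sssd monitor.
    services = _csv(cfg.get("sssd", "services", fallback=""))
    out.append(("OK" if "sudo" in services else "FAIL")
               + ": sssd services = " + ", ".join(services))

    # 2. sudo itself must be told to consult SSSD.
    sources = parse_nsswitch(nsswitch_text).get("sudoers", [])
    out.append(("OK" if "sss" in sources else "FAIL")
               + ": nsswitch sudoers = " + " ".join(sources))

    # 3. Per domain: which backend serves rules, and how often they refresh.
    for dom in _csv(cfg.get("sssd", "domains", fallback="")):
        sect = "domain/" + dom
        # sudo_provider defaults to id_provider; 'none' disables it.
        provider = cfg.get(sect, "sudo_provider",
                           fallback=cfg.get(sect, "id_provider", fallback="?"))
        out.append(("FAIL" if provider == "none" else "OK")
                   + ": %s sudo_provider = %s" % (dom, provider))
        smart = cfg.getint(sect, "ldap_sudo_smart_refresh_interval",
                           fallback=DEFAULT_SMART_REFRESH)
        full = cfg.getint(sect, "ldap_sudo_full_refresh_interval",
                          fallback=DEFAULT_FULL_REFRESH)
        out.append("INFO: %s smart refresh every %ds, full refresh every %ds"
                   % (dom, smart, full))
    return out


def failures(findings):
    """Only the blocking findings."""
    return [f for f in findings if f.startswith("FAIL")]


# Constructed client config matching the thread's snippets.
SSSD_CONF = """\
[sssd]
domains = ipa.local
services = nss, sudo, pam, ssh

[domain/ipa.local]
id_provider = ipa
ipa_server = global.ipa.local
"""
NSSWITCH = """\
passwd:  files sss
sudoers: files sss
"""

if __name__ == "__main__":
    for line in check_sudo_wiring(SSSD_CONF, NSSWITCH):
        print(line)
```

Run it with the real files (`open("/etc/sssd/sssd.conf").read()` and `open("/etc/nsswitch.conf").read()`) on a client where `sudo -l` shows nothing: a FAIL on either of the first two lines means the rules never reach sudo at all, whereas all-OK with a 21600 s full refresh means the rules are simply not due yet and `sss_cache -r` (or a lower ldap_sudo_full_refresh_interval) is the fix.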
[Freeipa-users] Help regarding SUDo rule implementation
Hi

I have a working setup of FreeIPA 4.3 with AD integrated. I am able to apply HBAC rules and from the client side it's working.

How can I apply sudo rules to that specific POSIX group?

I have created a sample rule and added 2 commands, put the option as !authenticate and attached this rule to the client, but still sudo -l is not working.

/etc/nsswitch.conf has: sudoers: files sss

and /etc/sssd/sssd.conf has: services = nss, sudo, pam, ssh

Thanks & Regards,
Ben
[Freeipa-users] dnsforwardzone-add giving error
Hi List,

I don't know how to explain this issue. I was trying IPA 4.3.1.

While adding DNS, I am getting the error below:

[root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled by server(s): corp.kwttestdc.com.kw.

and in my resolv.conf I have given the following:

nameserver 127.0.0.1

Someone please explain what the issue is and how to fix this one.

Regards,
Ben
Re: [Freeipa-users] dnsforwardzone-add giving error
Hi

After reboot I tried the same command and I got the below error:

[root@global ~]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain kwttestdc.com.kw. failed: All nameservers failed to answer the query kwttestdc.com.kw. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

This is the first time I am seeing this error.

On Sun, May 1, 2016 at 3:30 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi List,
>
> I don't know how to explain this issue. I was trying IPA 4.3.1.
>
> While adding DNS, I am getting the below error:
>
> [root@global tmp]# ipa dnsforwardzone-add kwttestdc.com.kw --forwarder=192.168.37.131 --forward-policy=only
> Server will check DNS forwarder(s).
> This may take some time, please wait ...
> ipa: ERROR: DNS zone kwttestdc.com.kw. already exists in DNS and is handled by server(s): corp.kwttestdc.com.kw.
>
> and in my resolv.conf, I have given like below:
>
> nameserver 127.0.0.1
>
> Someone please explain what the issue is and how to fix this one.
>
> Regards,
> Ben
Re: [Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
Hi All,

Again the link for IPA 4.3.1 is offline:
https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/

On Tue, Apr 12, 2016 at 4:19 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> Wow. Thanks for your fast response.
>
> Regards
> Ben
> On 12 Apr 2016 16:09, "Martin Basti" <mba...@redhat.com> wrote:
>
>> On 12.04.2016 14:59, Ben .T.George wrote:
>>
>> Hi List,
>>
>> From where can I get repo details for the FreeIPA 4.3.1 version? The link
>> provided on the website is broken.
>> https://www.freeipa.org/page/Releases/4.3.1
>>
>> Please someone give me the right package details.
>>
>> Regards,
>> Ben
>>
>>
>> Hello,
>>
>> thank you for the report, I fixed the page.
>>
>> CentOS repos:
>> https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-3-centos-7/
>>
>> Martin
>>
Re: [Freeipa-users] HBAC with Active directory group is not working
And here is my sssd debug log from the client side: http://pastebin.com/ud2q3FR5

On Sat, Apr 30, 2016 at 10:06 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> Adding to this.
>
> In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
> specific external group (where these users were).
>
> But while checking the rule from the IPA server using hbactest, both users'
> tests pass and show one rule. But in actual fact only ben is able to log in
> to the client machine, while jude cannot.
>
> [root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
>
> Access granted: True
>
> Matched rules: test_admins
> Not matched rules: ad_can_login
> Not matched rules: local_admin_can_login
> [root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd
>
> Access granted: True
>
> Matched rules: test_admins
> Not matched rules: ad_can_login
> Not matched rules: local_admin_can_login
>
> So my HBAC is working partially. How can I fix this?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Surprisingly I have created some local IPA users and added them to the same HBAC
>> rule, and removed the AD group and applied this rule to the client, and that
>> worked.
>>
>> How can I make this AD group with HBAC working?
>>
>> Regards,
>> Ben
>>
>> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule,
>>> I cannot log in to the client machine.
>>>
>>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> Actually I have added Domain Admins and the user ben is not part of Domain
>>>> Admins. But when I log in to the client machine, I am getting the below:
>>>>
>>>> -sh-4.2$ id
>>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>>
>>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> While explaining here it went wrong. Actually what I did is
>>>>> "Added external group to POSIX group".
>>>>>
>>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>
>>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > "The other is that the groups might not show up on the client (do they?)"
>>>>>>
>>>>>> id $user.
>>>>>>
>>>>>> But I think Alexander noticed the root cause.
>>>>>>
>>>>>> >
>>>>>> > How can I check that?
>>>>>> >
>>>>>> > Thanks
>>>>>> > Ben
>>>>>> >
>>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>> >
>>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>>> > > > Hi List,
>>>>>> > > >
>>>>>> > > > I have a working setup of one AD, one IPA server and one client server. By
>>>>>> > > > default I can log in to the client server by using an AD username.
>>>>>> > > >
>>>>>> > > > I want to apply HBAC rules against this client server. For that I have done
>>>>>> > > > the below steps.
>>>>>> > > >
>>>>>> > > > 1. Created an external group in the IPA server
>>>>>> > > > 2. Created a local POSIX group on the IPA server
>>>>>> > > > 3. Added the AD group to the external group
>>>>>> > > > 4. Added the POSIX group to the external group.
>>>>>> > > >
>>>>>> > > > After that I have created an HBAC rule by adding both local and external IPA
>>>>>> > > > groups, added sshd as service and selected service group as sudo.
>>>>>> > > >
>>>>>> > > > I have applied this HBAC rule to the client server, and from the web UI, while
>>>>>> > > > testing HBAC from the web, I am getting access denied.
>>>>>> > >
>>>>>> > > Sorry, not enough info.
>>>>>> > >
>>>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>>>> > > The other is that the groups might not show up on the client (do they?)
>>>>>> > >
>>>>>> > > Anyway, it might be a good idea to follow
>>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi

Adding to this.

In AD I have added 2 users, ben and jude. In my HBAC rule, I pointed to this
specific external group (where these users were).

But while checking the rule from the IPA server using hbactest, both users'
tests pass and show one rule. But in actual fact only ben is able to log in
to the client machine, while jude cannot.

[root@freeipa ~]# ipa hbactest --user b...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

Matched rules: test_admins
Not matched rules: ad_can_login
Not matched rules: local_admin_can_login
[root@freeipa ~]# ipa hbactest --user j...@kwttestdc.com.kw --host client.kwttestdc.com.kw --service sshd

Access granted: True

Matched rules: test_admins
Not matched rules: ad_can_login
Not matched rules: local_admin_can_login

So my HBAC is working partially. How can I fix this?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:27 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Surprisingly I have created some local IPA users and added them to the same HBAC
> rule, and removed the AD group and applied this rule to the client, and that
> worked.
>
> How can I make this AD group with HBAC working?
>
> Regards,
> Ben
>
> On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule,
>> I cannot log in to the client machine.
>>
>> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> Actually I have added Domain Admins and the user ben is not part of Domain
>>> Admins. But when I log in to the client machine, I am getting the below:
>>>
>>> -sh-4.2$ id
>>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>>
>>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>>
>>>> Hi
>>>>
>>>> While explaining here it went wrong. Actually what I did is
>>>> "Added external group to POSIX group".
>>>>
>>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>
>>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>>> > Hi,
>>>>> >
>>>>> > "The other is that the groups might not show up on the client (do they?)"
>>>>>
>>>>> id $user.
>>>>>
>>>>> But I think Alexander noticed the root cause.
>>>>>
>>>>> >
>>>>> > How can I check that?
>>>>> >
>>>>> > Thanks
>>>>> > Ben
>>>>> >
>>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>> >
>>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>>> > > > Hi List,
>>>>> > > >
>>>>> > > > I have a working setup of one AD, one IPA server and one client server. By
>>>>> > > > default I can log in to the client server by using an AD username.
>>>>> > > >
>>>>> > > > I want to apply HBAC rules against this client server. For that I have done
>>>>> > > > the below steps.
>>>>> > > >
>>>>> > > > 1. Created an external group in the IPA server
>>>>> > > > 2. Created a local POSIX group on the IPA server
>>>>> > > > 3. Added the AD group to the external group
>>>>> > > > 4. Added the POSIX group to the external group.
>>>>> > > >
>>>>> > > > After that I have created an HBAC rule by adding both local and external IPA
>>>>> > > > groups, added sshd as service and selected service group as sudo.
>>>>> > > >
>>>>> > > > I have applied this HBAC rule to the client server, and from the web UI, while
>>>>> > > > testing HBAC from the web, I am getting access denied.
>>>>> > >
>>>>> > > Sorry, not enough info.
>>>>> > >
>>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>>> > > The other is that the groups might not show up on the client (do they?)
>>>>> > >
>>>>> > > Anyway, it might be a good idea to follow
>>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] ipa trust-fetch-domains failing.
Hi All

This issue has been solved.

On Sat, Apr 30, 2016 at 9:16 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am
> getting the below error in error_log:
>
> [Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper.DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..
> [Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: [jsonserver_session] admin@IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError
>
> On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> Anyone please help me to fix this issue.
>>
>> I have created a new group in AD (4 hours back) and while I was mapping
>> this group as --external, I am getting the below error.
>>
>> [root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
>> --
>> Added group "ad_admins_external"
>> --
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>> [root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: KWTTESTDC.com.KW AD Administrators-External
>>   Failed members:
>>     member user:
>>     member group: KWTTESTDC\test admins: Cannot find specified domain or server name
>> -
>> Number of members added 0
>> -
>>
>> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>>
>>> I have created a new security group in AD and I want to add this to the
>>> external group.
>>>
>>> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
>>>
>>> Help me to fix/explain more about this error.
>>>
>>> Regards
Re: [Freeipa-users] ipa trust-fetch-domains failing.
When I am running ipa trust-fetch-domains "kwttestdc.com.kw", I am getting the below error in error_log:

[Sat Apr 30 09:14:25.107449 2016] [:error] [pid 2666] ipa: ERROR: Failed to call com.redhat.idm.trust.fetch_domains helper.DBus exception is org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken..
[Sat Apr 30 09:14:25.108353 2016] [:error] [pid 2666] ipa: INFO: [jsonserver_session] admin@IDM.LOCAL: trust_fetch_domains(u'kwttestdc.com.kw', rights=False, all=False, raw=False, version=u'2.156'): ServerCommandError

On Sat, Apr 30, 2016 at 12:00 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> Anyone please help me to fix this issue.
>
> I have created a new group in AD (4 hours back) and while I was mapping this
> group as --external, I am getting the below error.
>
> [root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
> --
> Added group "ad_admins_external"
> --
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
> [root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
> [member user]:
> [member group]:
>   Group name: ad_admins_external
>   Description: KWTTESTDC.com.KW AD Administrators-External
>   Failed members:
>     member user:
>     member group: KWTTESTDC\test admins: Cannot find specified domain or server name
> -
> Number of members added 0
> -
>
> On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> While issuing ipa trust-fetch-domains, I am getting the below error.
>>
>> I have created a new security group in AD and I want to add this to the
>> external group.
>>
>> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
>> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
>>
>> Help me to fix/explain more about this error.
>>
>> Regards
Re: [Freeipa-users] ipa trust-fetch-domains failing.
Hi

Anyone please help me to fix this issue.

I have created a new group in AD (4 hours back) and while I was mapping this group as --external, I am getting the below error.

[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD Administrators-External"
--
Added group "ad_admins_external"
--
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
[root@freeipa sysctl.d]# ipa group-add-member ad_admins_external --external "KWTTESTDC\test admins"
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: KWTTESTDC.com.KW AD Administrators-External
  Failed members:
    member user:
    member group: KWTTESTDC\test admins: Cannot find specified domain or server name
-
Number of members added 0
---------

On Fri, Apr 29, 2016 at 4:41 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> While issuing ipa trust-fetch-domains, I am getting the below error.
>
> I have created a new security group in AD and I want to add this to the
> external group.
>
> [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
> ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log
>
> Help me to fix/explain more about this error.
>
> Regards
Re: [Freeipa-users] HBAC with Active directory group is not working
Surprisingly I have created some local IPA users and added them to the same HBAC rule, and removed the AD group and applied this rule to the client, and that worked.

How can I make this AD group with HBAC working?

Regards,
Ben

On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule,
> I cannot log in to the client machine.
>
> On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> Actually I have added Domain Admins and the user ben is not part of Domain
>> Admins. But when I log in to the client machine, I am getting the below:
>>
>> -sh-4.2$ id
>> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>>
>> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>>
>>> Hi
>>>
>>> While explaining here it went wrong. Actually what I did is
>>> "Added external group to POSIX group".
>>>
>>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>
>>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>>> > Hi,
>>>> >
>>>> > "The other is that the groups might not show up on the client (do they?)"
>>>>
>>>> id $user.
>>>>
>>>> But I think Alexander noticed the root cause.
>>>>
>>>> >
>>>> > How can I check that?
>>>> >
>>>> > Thanks
>>>> > Ben
>>>> >
>>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>> >
>>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>>> > > > Hi List,
>>>> > > >
>>>> > > > I have a working setup of one AD, one IPA server and one client server. By
>>>> > > > default I can log in to the client server by using an AD username.
>>>> > > >
>>>> > > > I want to apply HBAC rules against this client server. For that I have done
>>>> > > > the below steps.
>>>> > > >
>>>> > > > 1. Created an external group in the IPA server
>>>> > > > 2. Created a local POSIX group on the IPA server
>>>> > > > 3. Added the AD group to the external group
>>>> > > > 4. Added the POSIX group to the external group.
>>>> > > >
>>>> > > > After that I have created an HBAC rule by adding both local and external IPA
>>>> > > > groups, added sshd as service and selected service group as sudo.
>>>> > > >
>>>> > > > I have applied this HBAC rule to the client server, and from the web UI, while
>>>> > > > testing HBAC from the web, I am getting access denied.
>>>> > >
>>>> > > Sorry, not enough info.
>>>> > >
>>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>>> > > The other is that the groups might not show up on the client (do they?)
>>>> > >
>>>> > > Anyway, it might be a good idea to follow
>>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi

If I disable the allow_all <https://freeipa.idm.local/ipa/ui/#allow_all> rule, I cannot log in to the client machine.

On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> Actually I have added Domain Admins and the user ben is not part of Domain
> Admins. But when I log in to the client machine, I am getting the below:
>
> -sh-4.2$ id
> uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)
>
> On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>
>> Hi
>>
>> While explaining here it went wrong. Actually what I did is
>> "Added external group to POSIX group".
>>
>> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>>> > Hi,
>>> >
>>> > "The other is that the groups might not show up on the client (do they?)"
>>>
>>> id $user.
>>>
>>> But I think Alexander noticed the root cause.
>>>
>>> >
>>> > How can I check that?
>>> >
>>> > Thanks
>>> > Ben
>>> >
>>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>> >
>>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>>> > > > Hi List,
>>> > > >
>>> > > > I have a working setup of one AD, one IPA server and one client server. By
>>> > > > default I can log in to the client server by using an AD username.
>>> > > >
>>> > > > I want to apply HBAC rules against this client server. For that I have done
>>> > > > the below steps.
>>> > > >
>>> > > > 1. Created an external group in the IPA server
>>> > > > 2. Created a local POSIX group on the IPA server
>>> > > > 3. Added the AD group to the external group
>>> > > > 4. Added the POSIX group to the external group.
>>> > > >
>>> > > > After that I have created an HBAC rule by adding both local and external IPA
>>> > > > groups, added sshd as service and selected service group as sudo.
>>> > > >
>>> > > > I have applied this HBAC rule to the client server, and from the web UI, while
>>> > > > testing HBAC from the web, I am getting access denied.
>>> > >
>>> > > Sorry, not enough info.
>>> > >
>>> > > One guess would be that you need to add the "sudo-i" service as well.
>>> > > The other is that the groups might not show up on the client (do they?)
>>> > >
>>> > > Anyway, it might be a good idea to follow
>>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi

Actually I have added Domain Admins and the user ben is not part of Domain Admins. But when I log in to the client machine, I am getting the below:

-sh-4.2$ id
uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(domain us...@kwttestdc.com.kw),1827801105(sudo adm...@kwttestdc.com.kw)

On Fri, Apr 29, 2016 at 6:58 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi
>
> While explaining here it went wrong. Actually what I did is
> "Added external group to POSIX group".
>
> On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
>> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
>> > Hi,
>> >
>> > "The other is that the groups might not show up on the client (do they?)"
>>
>> id $user.
>>
>> But I think Alexander noticed the root cause.
>>
>> >
>> > How can I check that?
>> >
>> > Thanks
>> > Ben
>> >
>> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> >
>> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>> > > > Hi List,
>> > > >
>> > > > I have a working setup of one AD, one IPA server and one client server. By
>> > > > default I can log in to the client server by using an AD username.
>> > > >
>> > > > I want to apply HBAC rules against this client server. For that I have done
>> > > > the below steps.
>> > > >
>> > > > 1. Created an external group in the IPA server
>> > > > 2. Created a local POSIX group on the IPA server
>> > > > 3. Added the AD group to the external group
>> > > > 4. Added the POSIX group to the external group.
>> > > >
>> > > > After that I have created an HBAC rule by adding both local and external IPA
>> > > > groups, added sshd as service and selected service group as sudo.
>> > > >
>> > > > I have applied this HBAC rule to the client server, and from the web UI, while
>> > > > testing HBAC from the web, I am getting access denied.
>> > >
>> > > Sorry, not enough info.
>> > >
>> > > One guess would be that you need to add the "sudo-i" service as well.
>> > > The other is that the groups might not show up on the client (do they?)
>> > >
>> > > Anyway, it might be a good idea to follow
>> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi

While explaining here it went wrong. Actually what I did is
"Added external group to POSIX group".

On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote:
> > Hi,
> >
> > "The other is that the groups might not show up on the client (do they?)"
>
> id $user.
>
> But I think Alexander noticed the root cause.
>
> >
> > How can I check that?
> >
> > Thanks
> > Ben
> >
> > On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> >
> > > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
> > > > Hi List,
> > > >
> > > > I have a working setup of one AD, one IPA server and one client server. By
> > > > default I can log in to the client server by using an AD username.
> > > >
> > > > I want to apply HBAC rules against this client server. For that I have done
> > > > the below steps.
> > > >
> > > > 1. Created an external group in the IPA server
> > > > 2. Created a local POSIX group on the IPA server
> > > > 3. Added the AD group to the external group
> > > > 4. Added the POSIX group to the external group.
> > > >
> > > > After that I have created an HBAC rule by adding both local and external IPA
> > > > groups, added sshd as service and selected service group as sudo.
> > > >
> > > > I have applied this HBAC rule to the client server, and from the web UI, while
> > > > testing HBAC from the web, I am getting access denied.
> > >
> > > Sorry, not enough info.
> > >
> > > One guess would be that you need to add the "sudo-i" service as well.
> > > The other is that the groups might not show up on the client (do they?)
> > >
> > > Anyway, it might be a good idea to follow
> > > https://fedorahosted.org/sssd/wiki/Troubleshooting
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi

I have created 2 fresh users now and I was running the below:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd
ipa: ERROR: trusted domain user not found

But I am able to test with old users:

[root@freeipa log]# ipa hbactest --user "KWTTESTDC\Administrator" --host `hostname` --service sshd
Access granted: True
Matched rules: allow_all
Not matched rules: ad_can_login
Not matched rules: local_admin_can_login
[root@freeipa log]# ipa hbactest --user "KWTTESTDC\ben" --host `hostname` --service sshd
Access granted: True
Matched rules: ad_can_login
Matched rules: allow_all
Not matched rules: local_admin_can_login

Is there any sync time for the trust?

When I was trying ipa trust-fetch-domains, I am getting the below:

[root@freeipa log]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Thanks & Regards,
Ben

On Fri, Apr 29, 2016 at 6:33 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi Alex,
>
> Yeah, my mistake.
>
> I was following this:
>
> http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources
>
> On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Fri, 29 Apr 2016, Ben .T.George wrote:
>>
>>> Hi List,
>>>
>>> I have a working setup of one AD, one IPA server and one client server. By
>>> default I can log in to the client server by using an AD username.
>>>
>>> I want to apply HBAC rules against this client server. For that I have done
>>> the below steps.
>>>
>>> 1. Created an external group in the IPA server
>>> 2. Created a local POSIX group on the IPA server
>>> 3. Added the AD group to the external group
>>> 4. Added the POSIX group to the external group.
>>>
>> You should have added the external group to the POSIX group, not the other way
>> around.
>>
>> --
>> / Alexander Bokovoy
Re: [Freeipa-users] HBAC with Active directory group is not working
Hi Alex,

yea my mistake.

I was following this:
http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources

On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 29 Apr 2016, Ben .T.George wrote:
>> Hi List,
>>
>> I have a working setup of one AD, one IPA server and one client server. By
>> default I can login to the client server by using an AD username.
>>
>> I want to apply HBAC rules against this client server. For that I have
>> done the below steps.
>>
>> 1. created External group in IPA server
>> 2. created local POSIX group in IPA server
>> 3. Added AD group to external group
>> 4. added POSIX group to external group.
>>
> You should have added the external group to the POSIX group, not the other way
> around.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] HBAC with Active directory group is not working
HI,

"The other is that the groups might not show up on the client (do they?)"

How can I check that?

Thanks
Ben

On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote:
>> Hi List,
>>
>> I have a working setup of one AD, one IPA server and one client server. By
>> default I can login to the client server by using an AD username.
>>
>> I want to apply HBAC rules against this client server. For that I have done
>> the below steps.
>>
>> 1. created External group in IPA server
>> 2. created local POSIX group in IPA server
>> 3. Added AD group to external group
>> 4. added POSIX group to external group.
>>
>> After that I have created an HBAC rule by adding both local and external IPA
>> groups, added sshd as service and selected service group as sudo.
>>
>> I have applied this HBAC rule to the client server from the web UI and while
>> testing HBAC from the web, I am getting access denied.
>
> Sorry, not enough info.
>
> One guess would be that you need to add the "sudo-i" service as well.
> The other is that the groups might not show up on the client (do they?)
>
> Anyway, it might be a good idea to follow
> https://fedorahosted.org/sssd/wiki/Troubleshooting
[Freeipa-users] HBAC with Active directory group is not working
Hi List,

I have a working setup of one AD, one IPA server and one client server. By default I can login to the client server by using an AD username.

I want to apply HBAC rules against this client server. For that I have done the below steps.

1. created External group in IPA server
2. created local POSIX group in IPA server
3. Added AD group to external group
4. added POSIX group to external group.

After that I have created an HBAC rule by adding both local and external IPA groups, added sshd as service and selected service group as sudo.

I have applied this HBAC rule to the client server from the web UI and while testing HBAC from the web, I am getting access denied.

How can I implement HBAC with an Active Directory user group?

Regards,
Ben
[Freeipa-users] ipa trust-fetch-domains failing.
Hi

While issuing ipa trust-fetch-domains, I am getting the below error. I have created a new security group in AD and I want to add this to the external group.

[root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw"
ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted forest failed. See details in the error_log

Please help me to fix / explain more about this error.

Regards
Re: [Freeipa-users] HBAC implementation help
HI

Thanks for your reply. Can I do this external group mapping from the web UI?

On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote:
>> Hi List,
>>
>> I have a working setup of IPA with AD integrated and one client joined.
>>
>> I want to implement HBAC rules against this client. Can anyone please share
>> with me good articles on implementing HBAC from the web UI.
>
> I'm not sure about the web UI, but as a general rule you'll want to add
> an external group (created with --external) as a member of a POSIX group
> and reference the POSIX group in the HBAC rule. The AD members should be
> added as members of the external group.
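Alexander's correction and Jakub's description above both come down to the direction of the nesting: the HBAC rule names a POSIX group, membership is walked downward from that group, and an AD user only exists in IPA as a SID inside an --external group. The following is an added Python model of that walk, written for this page; it is not FreeIPA code, and the group names, the SID and the host name are constructed placeholders. It reproduces Ben's original order (POSIX group nested into the external group) next to the order Jakub gives, and returns the verdict ipa hbactest would report for each.

```python
"""Added illustration (not FreeIPA code) of the group-nesting direction that
Alexander and Jakub describe: the HBAC rule names a POSIX group, membership is
resolved transitively downward from that group, and an AD user only exists in
IPA as a SID inside an --external group. Group names, the SID and the host name
below are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    external: bool = False                      # created with ipa group-add --external
    nested: set = field(default_factory=set)    # names of member groups
    sids: set = field(default_factory=set)      # AD SIDs; only held by external groups


class Directory:
    """Minimal stand-in for the IPA group tree."""

    def __init__(self):
        self.groups = {}

    def group_add(self, name, external=False):
        self.groups[name] = Group(name, external)

    def group_add_member(self, group, groups=(), external=()):
        g = self.groups[group]
        g.nested.update(groups)
        if external:
            if not g.external:
                # IPA only accepts --external members on an external group
                raise ValueError(f"{group} is not an external group")
            g.sids.update(external)

    def resolve_sids(self, group, seen=None):
        """All AD SIDs reachable by walking nested memberships down from `group`."""
        seen = set() if seen is None else seen
        if group in seen:                        # guard against membership cycles
            return set()
        seen.add(group)
        g = self.groups[group]
        found = set(g.sids)
        for child in g.nested:
            found |= self.resolve_sids(child, seen)
        return found


@dataclass
class HbacRule:
    name: str
    user_groups: set
    hosts: set
    services: set


def hbac_test(directory, rules, user_sid, host, service):
    """Return (granted, matched rule names): the verdict ipa hbactest reports."""
    matched = [
        r.name for r in rules
        if host in r.hosts and service in r.services
        and any(user_sid in directory.resolve_sids(g) for g in r.user_groups)
    ]
    return bool(matched), matched


AD_USER_SID = "S-1-5-21-1000-2000-3000-1105"   # constructed placeholder SID


def build(external_into_posix):
    """external_into_posix=True is the order Jakub gives; False is the order
    that produced 'access denied' in the thread (POSIX group nested into the
    external group)."""
    d = Directory()
    d.group_add("ad_admins_external", external=True)
    d.group_add("ad_admins")                     # POSIX group named in the rule
    d.group_add_member("ad_admins_external", external=[AD_USER_SID])
    if external_into_posix:
        d.group_add_member("ad_admins", groups=["ad_admins_external"])
    else:
        d.group_add_member("ad_admins_external", groups=["ad_admins"])
    rule = HbacRule("ad_can_login", {"ad_admins"}, {"client.example.test"}, {"sshd"})
    return d, [rule]


def check(external_into_posix):
    d, rules = build(external_into_posix)
    return hbac_test(d, rules, AD_USER_SID, "client.example.test", "sshd")


if __name__ == "__main__":
    print("external -> POSIX:", check(True))    # (True, ['ad_can_login'])
    print("POSIX -> external:", check(False))   # (False, [])
```

With the POSIX group nested into the external group, the walk from `ad_admins` finds no SIDs and the rule never matches, which is the denial Ben saw; reversing the nesting makes the same rule match without any change to the rule itself.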
[Freeipa-users] HBAC implementation help
Hi List,

I have a working setup of IPA with AD integrated and one client joined.

I want to implement HBAC rules against this client. Can anyone please share with me good articles on implementing HBAC from the web UI.

Thanks & Regards,
Ben
[Freeipa-users] error while adding conditional forwarder for AD domain
Hi List,

Getting the below error while adding a conditional forwarder for the AD domain on IPA:

[root@ipa ~]# ipa dnsforwardzone-add ad.example.com --forwarder=192.168.37.131 --forward-policy=only
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: ERROR: DNS check for domain ad.example.com. failed: All nameservers failed to answer the query ad.example.com. IN SOA: Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered The DNS operation timed out.; Server 127.0.0.1 UDP port 53 anwered SERVFAIL.

How to fix this issue?

Operating system: CentOS 7.2
IPA VERSION: 4.3.1, API_VERSION: 2.164

Thanks & Regards
Ben
Re: [Freeipa-users] Good IPA implementation guide
Hi

Thanks. I have installed the IPA server with "ipa-server-install". kinit admin is working for me.

Now I need to start integrating with Active Directory.

Thanks & Regards,
Ben

On Tue, Apr 12, 2016 at 9:30 PM, Baird, Josh <jba...@follett.com> wrote:
> You can refer to the ‘Identity Management’ section in the RHEL
> documentation:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
>
> Josh
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Ben .T.George
> *Sent:* Tuesday, April 12, 2016 2:18 PM
> *To:* freeipa-users <freeipa-users@redhat.com>
> *Subject:* [Freeipa-users] Good IPA implementation guide
>
> Hi List,
>
> Anyone please send me some reference to an IPA server installation with
> Active Directory integration guide.
>
> I would like to install the latest IPA version on RHEL 7.
>
> Thanks & Regards,
> Ben
[Freeipa-users] From where can i get repo details for FreeIPA 4.3.1 version
Hi List,

From where can I get the repo details for the FreeIPA 4.3.1 version? The link provided on the website is broken:

https://www.freeipa.org/page/Releases/4.3.1

Please, someone give me the right package details.

Regards,
Ben
Re: [Freeipa-users] krb5kdc: Server error
HI Traiano,

Thanks for the info. I have checked the hosts file and confirmed that the entry was in "ip FQDN Alias" format.

And the DNS, everything is working:

[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ; dig @mha.local ${i}.SUN.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.SUN.LOCAL.            21965 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL.        1957  IN SRV 0 100 88  kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL.        86400 IN SRV 0 100 88  kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 86400 IN SRV 0 100 88  kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 9112  IN SRV 0 100 88  kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL.             86400 IN SRV 0 100 123 kwtprsolipa01.sun.local.

[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ; dig @mha.local ${i}.MHA.LOCAL srv +nocmd +noquestion +nocomments +nostats +noaa +noadditional +noauthority; done | egrep -v "^;" | egrep _
_ldap._tcp.MHA.LOCAL.     600 IN SRV 0 100 389 dxbprdc002.mha.local.
_ldap._tcp.MHA.LOCAL.     600 IN SRV 0 100 389 kwtprdc001.mha.local.
_ldap._tcp.MHA.LOCAL.     600 IN SRV 0 100 389 dxbprdc001.mha.local.
_ldap._tcp.MHA.LOCAL.     600 IN SRV 0 100 389 rusmosprdc002.mha.local.
_ldap._tcp.MHA.LOCAL.     600 IN SRV 0 100 389 kwtprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88  kwtprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88  dxbprdc002.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88  dxbprdc001.mha.local.
_kerberos._tcp.MHA.LOCAL. 600 IN SRV 0 100 88  kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88  kwtprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88  dxbprdc002.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88  kwtprdc001.mha.local.
_kerberos._udp.MHA.LOCAL. 600 IN SRV 0 100 88  dxbprdc001.mha.local.

[root@kwtprsolipa01 slapd-SUN-LOCAL]# host 172.16.99.99
99.99.16.172.in-addr.arpa domain name pointer kwtprsolipa01.sun.local.
[root@kwtprsolipa01 slapd-SUN-LOCAL]# host kwtprsolipa01.sun.local
kwtprsolipa01.sun.local has address 172.16.99.99
[root@kwtprsolipa01 slapd-SUN-LOCAL]# host mha.local
mha.local has address 172.16.98.171
mha.local has address 172.16.100.180
mha.local has address 10.10.10.11
mha.local has address 10.10.10.10

[root@kwtprsolipa01 slapd-SUN-LOCAL]# dig kwtprsolipa01.sun.local

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> kwtprsolipa01.sun.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23767
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;kwtprsolipa01.sun.local.       IN      A

;; ANSWER SECTION:
kwtprsolipa01.sun.local. 38     IN      A       172.16.99.99

;; Query time: 0 msec
;; SERVER: 172.16.100.180#53(172.16.100.180)
;; WHEN: Wed Apr 08 13:54:02 AST 2015
;; MSG SIZE  rcvd: 68

On Wed, Apr 8, 2015 at 1:27 PM, Traiano Welcome <trai...@gmail.com> wrote:
> Hi Ben
>
> On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George <bentech4...@gmail.com> wrote:
>> HI
>>
>> I am getting krb5kdc: Server error in the logs:
>>
>> krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
>>
>> and ipactl status is taking a long time. The web interface is not able to authenticate.
>>
>> If I issue ipactl restart, nothing is happening. To solve this issue currently I am restarting the full server.
>>
>> How can I fix this?
>
> Check the tail-end of this thread:
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00011.html
>
> You may want to begin by checking /etc/hosts for the right format (ip address fqdn hostname).
> DNS is probably the very next thing you want to check... thoroughly.
>
>> Regards,
>> Ben
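Traiano's advice to check DNS thoroughly, applied to the dig loop Ben posted: the six SRV names queried above are the ones an IPA client resolves to find its LDAP, Kerberos and NTP servers, so a missing record or one pointing at a host other than the IPA server is worth catching before it shows up as a KDC or login failure. The following is an added Python example written for this page, not part of the thread; it parses dig answer lines in the format shown above and audits them against the expected server. The first sample below is the SUN.LOCAL output from the thread; the second, including the host name oldipa.sun.local, is constructed.

```python
"""Added example, not from the thread: parse the SRV answers from a dig loop
like the one above and check that every record an IPA client relies on exists
and points at the IPA server ("check DNS thoroughly")."""

# The six SRV names the thread's loop queries.
IPA_SRV_SERVICES = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
                    "_kerberos-master._tcp", "_kerberos-master._udp", "_ntp._udp")


def parse_srv_answers(text):
    """Map '<service>.<realm>.' -> [(priority, weight, port, target)] from dig output.

    Lines that are not SRV answer records (comments, blanks, other record types)
    are skipped; names and targets are lower-cased for comparison.
    """
    records = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        name = fields[0].lower()
        prio, weight, port = (int(x) for x in fields[4:7])
        target = fields[7].lower().rstrip(".")
        records.setdefault(name, []).append((prio, weight, port, target))
    return records


def check_ipa_srv(records, realm, ipa_server):
    """Return {service: problem} for records missing or pointing away from the IPA server."""
    problems = {}
    realm = realm.lower()
    ipa_server = ipa_server.lower().rstrip(".")
    for svc in IPA_SRV_SERVICES:
        answers = records.get(f"{svc}.{realm}.")
        if not answers:
            problems[svc] = "no SRV record"
            continue
        strangers = sorted({t for _, _, _, t in answers if t != ipa_server})
        if strangers:
            problems[svc] = "also points at " + ", ".join(strangers)
    return problems


# Taken from the SUN.LOCAL output in the thread: a complete set of records.
GOOD_REALM = """\
_ldap._tcp.SUN.LOCAL. 21965 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_kerberos._tcp.SUN.LOCAL. 1957 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 86400 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 86400 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 9112 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_ntp._udp.SUN.LOCAL. 86400 IN SRV 0 100 123 kwtprsolipa01.sun.local.
"""

# Constructed: the NTP record is missing and a stale LDAP record still names
# a decommissioned host (oldipa.sun.local is a placeholder).
BAD_REALM = """\
;; comment line, ignored by the parser
_ldap._tcp.SUN.LOCAL. 600 IN SRV 0 100 389 kwtprsolipa01.sun.local.
_ldap._tcp.SUN.LOCAL. 600 IN SRV 10 100 389 oldipa.sun.local.
_kerberos._tcp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos._udp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._tcp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
_kerberos-master._udp.SUN.LOCAL. 600 IN SRV 0 100 88 kwtprsolipa01.sun.local.
"""


def audit(text, realm="SUN.LOCAL", ipa_server="kwtprsolipa01.sun.local"):
    """Convenience wrapper: parse then check; an empty dict means all records are in order."""
    return check_ipa_srv(parse_srv_answers(text), realm, ipa_server)


if __name__ == "__main__":
    print("good realm:", audit(GOOD_REALM))   # {}
    print("bad realm: ", audit(BAD_REALM))
```

Feeding the script the raw output of the dig loop (for example by saving it to a file and reading it) gives the same verdict as reading the records by eye, but it does not miss a record that is simply absent from the list, which is the case that is easiest to overlook.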
[Freeipa-users] krb5kdc: Server error
HI

I am getting krb5kdc: Server error in the logs:

krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL

and ipactl status is taking a long time. The web interface is not able to authenticate.

If I issue ipactl restart, nothing is happening. To solve this issue currently I am restarting the full server.

How can I fix this?

Regards,
Ben
Re: [Freeipa-users] Your session has expired. Please re-login.
HI

I was facing the same issue last week and it got fixed now.

always use the WUI from firefox.
install the Kerberos plugin and certificate from the ipa help page
check time (ntp)
destroy and recreate the ticket (kdestroy, kinit admin)
restart krb5kdc, sssd, httpd services
restart ipactl (ipactl restart)
check ipactl status also.

Regards,
Ben

On Fri, Apr 3, 2015 at 1:19 PM, Andrew Holway <andrew.hol...@gmail.com> wrote:
> Hello,
>
> Trying to log into the Gui I just get "Your session has expired. Please re-login."
>
> Everything else appears to be working. I cannot find any useful logs.
>
> Cheers,
>
> Andrew
Re: [Freeipa-users] Your session has expired. Please re-login.
no, it's because of a wrong ticket I guess. Try the steps and let us know the output.

On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway <andrew.hol...@gmail.com> wrote:
> On Friday, 3 April 2015, Ben .T.George <bentech4...@gmail.com> wrote:
>> HI
>>
>> I was facing the same issue last week and it got fixed now.
>>
>> always use the WUI from firefox.
>> install the Kerberos plugin and certificate from the ipa help page
>
> Hi George,
>
> Thanks for the advice. Did you discover the root of the problem?
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
everything is default. But now the issue is solved after many restarts, kinit, ipactl restart.

Still don't know how it got fixed.

Regards,
Ben

On Wed, Apr 1, 2015 at 8:31 PM, Nalin Dahyabhai <na...@redhat.com> wrote:
> On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
>> HI
>>
>> yes I have cleared the cache. Tried from different browsers, tried from a
>> portable browser, configured the Kerberos plugin in firefox.
>>
>> This is what I got from inspect:
>> http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Just to be sure, the policies for ticket lifetimes are still set to their
> defaults, right?
>
> Is there anything in the server-side logs (/var/log/krb5kdc.log,
> /var/log/httpd/error_log) that might shed some light on things, perhaps
> after having set debug=True in the [global] section of the server's
> /etc/ipa/default.conf and restarted the httpd service?
>
> Nalin
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
HI

yes I have cleared the cache. Tried from different browsers, tried from a portable browser, configured the Kerberos plugin in firefox.

This is what I got from inspect:
http://s9.postimg.org/51c5809xr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>> Hi
>>
>> I have re-installed everything from the RHEL 7.1 DVD and the current ipa version is 4.0.1.
>>
>> Everything is working including the AD trust. But my web interface is always giving
>> "Your session has expired. Please re-login."
>>
>> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and
>> initiated it again (kinit admin). After that it worked.
>>
>> But now I did all the exercises and still it is not working. Has anyone solved this
>> issue, or is this a known bug?
>>
>> If I open the page from the chrome browser, I am getting another login screen like an
>> .htaccess login. If I give the password, it re-appears again.
>>
>> Regards,
>> Ben
>
> Have you cleaned your browser cache data?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
Hi

I have re-installed everything from the RHEL 7.1 DVD and the current ipa version is 4.0.1.

Everything is working including the AD trust. But my web interface is always giving "Your session has expired. Please re-login."

I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and initiated it again (kinit admin). After that it worked.

But now I did all the exercises and still it is not working. Has anyone solved this issue, or is this a known bug?

If I open the page from the chrome browser, I am getting another login screen like an .htaccess login. If I give the password, it re-appears again.

Regards,
Ben
Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.
HI

I have checked from chrome and got a 401 error. This is exactly what I reported 3 weeks back :(

http://s1.postimg.org/41ik3o1hr/kerb.jpg

Regards,
Ben

On Wed, Apr 1, 2015 at 7:45 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI
>
> yes I have cleared the cache. Tried from different browsers, tried from a
> portable browser, configured the Kerberos plugin in firefox.
>
> This is what I got from inspect:
> http://s9.postimg.org/51c5809xr/kerb.jpg
>
> Regards,
> Ben
>
> On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 04/01/2015 12:32 PM, Ben .T.George wrote:
>>> Hi
>>>
>>> I have re-installed everything from the RHEL 7.1 DVD and the current ipa version is 4.0.1.
>>>
>>> Everything is working including the AD trust. But my web interface is always giving
>>> "Your session has expired. Please re-login."
>>>
>>> I faced the issue before; that time I destroyed the Kerberos ticket (kdestroy) and
>>> initiated it again (kinit admin). After that it worked.
>>>
>>> But now I did all the exercises and still it is not working. Has anyone solved this
>>> issue, or is this a known bug?
>>>
>>> If I open the page from the chrome browser, I am getting another login screen like an
>>> .htaccess login. If I give the password, it re-appears again.
>>>
>>> Regards,
>>> Ben
>>
>> Have you cleaned your browser cache data?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
Re: [Freeipa-users] how can i give set of users to one particular host
HI

I have compiled the pam_access module successfully and copied access.conf to the /etc/security folder.

I included

other account required pam_access.so

and added

-:ben b...@infra.com:ALL

but still user ben is able to access the machine. Has anyone achieved this?

On Tue, Mar 24, 2015 at 9:19 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Ben .T.George wrote:
>> please anyone share a bit more information on this, like a real example
>
> As we've said many times before, we have very little real experience on
> Solaris. We do the best we can and sometimes that is going to be in the
> form of bread crumbs that may be usable to finding your way to a solution.
>
> Access control via PAM is a very-well understood problem on Solaris. Once
> you have users and groups via nss then IPA is largely out of the equation.
> The OS vendor or Solaris-specific groups will know how to do this far
> better than us.
>
> If you find a detailed answer I'd be happy to add it to the freeIPA wiki.
>
> rob
>
>> On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Dmitri Pal wrote:
>>>> On 03/24/2015 01:15 PM, Ben .T.George wrote:
>>>>> Hi
>>>>>
>>>>> current stage is AD users are able to login to the solaris box. But I don't
>>>>> know up to what level I can control the user. I don't think there are many
>>>>> pam modules in solaris. Still I cannot make the home directory with pam.
>>>>
>>>> I think pam_groupdn (if available on Solaris) might help but I could not
>>>> find a clear example to share with you here.
>>>
>>> I'd suggest looking at pam_access.
>>>
>>> rob
>>>
>>>>> On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>>> On 03/24/2015 07:20 AM, Ben .T.George wrote:
>>>>>>> HI
>>>>>>>
>>>>>>> I am using IPA 3.3 and my client is solaris 10. How can I give only some
>>>>>>> set of users access to this client without creating a user group in AD?
>>>>>>>
>>>>>>> thanks
>>>>>>>
>>>>>>> Regards,
>>>>>>> Ben
>>>>>>
>>>>>> You can create a group in IPA and make Solaris check that group at the
>>>>>> access phase of PAM if Solaris is capable of checking groups this way.
>>>>>>
>>>>>> --
>>>>>> Thank you,
>>>>>> Dmitri Pal
>>>>>>
>>>>>> Sr. Engineering Manager IdM portfolio
>>>>>> Red Hat, Inc.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
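Rob's pointer to pam_access and Ben's first access.conf attempt above turn on how the module walks its rule file: pam_access(8) in Linux-PAM reads `permission : users : origins` lines, the first matching line decides, and a user nothing matches is let in. The following is an added Python model of that walk, written for this page and not pam_access itself, so that a candidate access.conf can be dry-run against a user, its groups and a login origin before it is installed. The sample files, user names, the group `solaris_admins` and the origins are constructed; `LOCAL` is modelled as the man page's "origin without a dot" rule.

```python
"""Added illustration, not pam_access itself: a model of the access.conf rule
walk described in pam_access(8) (Linux-PAM), the module being built for Solaris
in this thread. It lets a file be dry-run before it is installed.
Modelled semantics:
  permission : users : origins  -- three ':'-separated fields, '#' comments
  the first matching line decides; with no match, access is granted
  users:   ALL, a user name, (group), or "<list> EXCEPT <list>"
  origins: ALL, LOCAL (modelled as an origin without a '.'), or a literal value
The sample files, users and groups are constructed for the example."""


def _users_match(spec, user, groups):
    tokens = spec.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_users_match(" ".join(tokens[:i]), user, groups)
                and not _users_match(" ".join(tokens[i + 1:]), user, groups))
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in groups:             # (group) form
                return True
        elif tok == user:
            return True
    return False


def _origins_match(spec, origin):
    for tok in spec.split():
        if tok == "ALL" or tok == origin:
            return True
        if tok == "LOCAL" and "." not in origin:
            return True
    return False


def parse_access_conf(text):
    """Return [(permission, users, origins, lineno)]; malformed lines are rejected."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"access.conf line {lineno}: malformed rule {raw!r}")
        rules.append((fields[0], fields[1], fields[2], lineno))
    return rules


def decide(rules, user, groups, origin):
    """('+' or '-', line number of the deciding rule); None means the default grant."""
    for perm, users, origins, lineno in rules:
        if _users_match(users, user, groups) and _origins_match(origins, origin):
            return perm, lineno
    return "+", None


# Constructed sample: root on the console and members of one IPA group may log
# in; everyone else is refused by the final catch-all line.
GOOD_CONF = """\
# deny-by-default: permit lines first, catch-all last
+ : root : LOCAL
+ : (solaris_admins) : ALL
- : ALL : ALL
"""

# Same lines with the catch-all first: it matches everyone, so the permit
# lines below it are never reached.
BROKEN_CONF = """\
- : ALL : ALL
+ : root : LOCAL
+ : (solaris_admins) : ALL
"""


def demo(conf, user, groups, origin):
    """Parse `conf` and return the decision for one login attempt."""
    return decide(parse_access_conf(conf), user, groups, origin)


if __name__ == "__main__":
    for user, groups, origin in [("root", {"root"}, "console"),
                                 ("ben", {"solaris_admins"}, "10.0.0.5"),
                                 ("jude", set(), "10.0.0.5")]:
        print(user, "good:", demo(GOOD_CONF, user, groups, origin),
              "broken:", demo(BROKEN_CONF, user, groups, origin))
```

The point the two sample files make is ordering: a single deny line is only a deny-by-default policy when it is the last line, and a file that contains only permit lines (or none that match) still lets the user in, which is the behaviour to rule out first when a user who should be refused still gets a shell.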
[Freeipa-users] how can i give set of users to one particular host
HI

I am using IPA 3.3 and my client is solaris 10. How can I give only some set of users access to this client without creating a user group in AD?

thanks

Regards,
Ben
Re: [Freeipa-users] how can i give set of users to one particular host
please anyone share a bit more information on this, like a real example

On Tue, Mar 24, 2015 at 9:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dmitri Pal wrote:
>> On 03/24/2015 01:15 PM, Ben .T.George wrote:
>>> Hi
>>>
>>> current stage is AD users are able to login to the solaris box. But I don't
>>> know up to what level I can control the user. I don't think there are many
>>> pam modules in solaris. Still I cannot make the home directory with pam.
>>
>> I think pam_groupdn (if available on Solaris) might help but I could not
>> find a clear example to share with you here.
>
> I'd suggest looking at pam_access.
>
> rob
>
>>> On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>> On 03/24/2015 07:20 AM, Ben .T.George wrote:
>>>>> HI
>>>>>
>>>>> I am using IPA 3.3 and my client is solaris 10. How can I give only some
>>>>> set of users access to this client without creating a user group in AD?
>>>>>
>>>>> thanks
>>>>>
>>>>> Regards,
>>>>> Ben
>>>>
>>>> You can create a group in IPA and make Solaris check that group at the
>>>> access phase of PAM if Solaris is capable of checking groups this way.
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager IdM portfolio
>>>> Red Hat, Inc.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
Re: [Freeipa-users] how can i give set of users to one particular host
Hi

current stage is AD users are able to login to the solaris box. But I don't know up to what level I can control the user. I don't think there are many pam modules in solaris. Still I cannot make the home directory with pam.

On Tue, Mar 24, 2015 at 4:42 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 03/24/2015 07:20 AM, Ben .T.George wrote:
>> HI
>>
>> I am using IPA 3.3 and my client is solaris 10. How can I give only some
>> set of users access to this client without creating a user group in AD?
>>
>> thanks
>>
>> Regards,
>> Ben
>
> You can create a group in IPA and make Solaris check that group at the
> access phase of PAM if Solaris is capable of checking groups this way.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] FreeIPA 3.3 AD- Solaris is working but solaris local users cannot able to login
HI

I created the home directory manually and copied the profile. I tried to access the solaris box from putty and still it's not accepting the password.

On Mon, Mar 23, 2015 at 11:03 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI List
>
> finally, after so much struggling, now I am able to login to the solaris box as an AD user.
>
> but auto home directory creation still has an issue. For that I need to compile some modules.
>
> The issue I am facing is I cannot login to the solaris box after editing the pam.conf file.
> Here is the conf file:
>
> bash-3.2# cat /etc/pam.conf
> #
> #ident  "@(#)pam.conf   1.32    11/04/08 SMI"
> #
> #
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth sufficient         pam_ldap.so.1 debug
> login   auth sufficient         pam_krb5.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1
> #login  auth required           pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth required           pam_unix_auth.so.1
> #
> # Kerberized rlogin service
> #
> krlogin auth required           pam_unix_cred.so.1
> krlogin auth required           pam_krb5.so.1
> #
> # rsh service (explicit because of pam_rhost_auth,
> # and pam_unix_auth for meaningful pam_setcred)
> #
> rsh     auth sufficient         pam_rhosts_auth.so.1
> rsh     auth required           pam_unix_cred.so.1
> #
> # Kerberized rsh service
> #
> krsh    auth required           pam_unix_cred.so.1
> krsh    auth required           pam_krb5.so.1
> #
> # Kerberized telnet service
> #
> ktelnet auth required           pam_unix_cred.so.1
> ktelnet auth required           pam_krb5.so.1
> #
> # PPP service (explicit because of pam_dial_auth)
> #
> ppp     auth requisite          pam_authtok_get.so.1
> ppp     auth required           pam_dhkeys.so.1
> ppp     auth required           pam_unix_cred.so.1
> ppp     auth required           pam_unix_auth.so.1
> ppp     auth required           pam_dial_auth.so.1
> #
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth sufficient         pam_krb5.so.1
> other   auth sufficient         pam_ldap.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth required           pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth required           pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> other   account sufficient      pam_krb5.so.1
> other   account sufficient      pam_ldap.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> #other  session required        pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
> #other  session required        pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> # Password construction requirements apply to all users.
> # Remove force_check to have the traditional authorized administrator
> # bypass of construction requirements.
> other   password requisite      pam_authtok_check.so.1 force_check
> other   password required       pam_authtok_store.so.1
> #
> # Support for Kerberos V5 authentication and example configurations can
> # be found in the pam_krb5(5) man page under the EXAMPLES section.
> #
>
> please anyone help me to fix this issue.
>
> Thanks
>
> Regards,
> Ben
[Freeipa-users] FreeIPA 3.3 AD- Solaris is working but solaris local users cannot able to login
HI List,

Finally, after so much struggling, I can now log in to the Solaris box as an AD user, but automatic home directory creation still has an issue; for that I need to compile some modules.

The issue I am facing is that I cannot log in to the Solaris box after editing the pam.conf file. Here is the conf file:

bash-3.2# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.32    11/04/08 SMI"
#
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_ldap.so.1 debug
login   auth sufficient         pam_krb5.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
#login  auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth sufficient         pam_ldap.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      pam_krb5.so.1
other   account sufficient      pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
#other  session required        pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
#other  session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the EXAMPLES section.
#

Please, anyone help me to fix this issue.

Thanks

Regards,
Ben

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
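An added example, not code from the post or from Solaris: a small static checker for the pam.conf format above. It resolves each service's stack (falling back to the "other" entries), and reports any stack left with no active modules, which is what happens to the session stack in the posted file where both "other session" lines are commented out. The embedded sample is a constructed subset of the posted file.

```python
"""Static checker for a Solaris pam.conf(4) file.

Each line is: service module_type control_flag module_path [options].
A service without an explicit stack for a module type uses the "other"
stack, so a type that has neither is left with no modules at all.
"""
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional", "binding"}

# Constructed excerpt of the posted /etc/pam.conf (comments included).
SAMPLE_PAM_CONF = """\
#ident "@(#)pam.conf 1.32 11/04/08 SMI"
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_ldap.so.1 debug
login   auth sufficient pam_krb5.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
#login  auth required   pam_dial_auth.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth sufficient pam_krb5.so.1
other   auth sufficient pam_ldap.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
cron    account required   pam_unix_account.so.1
other   account requisite  pam_roles.so.1
other   account required   pam_unix_account.so.1
other   account sufficient pam_krb5.so.1
other   account sufficient pam_ldap.so.1
#other  session required pam_mkhomedir.so.1 skel=/etc/skel/ umask=0027
#other  session required pam_unix_session.so.1
other   password required  pam_dhkeys.so.1
other   password requisite pam_authtok_get.so.1
other   password requisite pam_authtok_check.so.1 force_check
other   password required  pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module, options), ...]}.

    Comment and blank lines are skipped.  A malformed line raises
    ValueError with its line number: a typo in pam.conf can lock every
    user out, so it must not be ignored silently.
    """
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)
        if (len(fields) < 4 or fields[1] not in MODULE_TYPES
                or fields[2] not in CONTROL_FLAGS):
            raise ValueError(f"pam.conf line {lineno}: cannot parse {raw!r}")
        service, mtype, control, module = fields[:4]
        options = fields[4] if len(fields) == 5 else ""
        stacks[(service, mtype)].append((control, module, options))
    return dict(stacks)


def resolve_stack(stacks, service, mtype):
    """Return (stack, source): the explicit stack if present, else 'other'."""
    if (service, mtype) in stacks:
        return stacks[(service, mtype)], service
    return stacks.get(("other", mtype), []), "other"


def check_service(stacks, service):
    """Return a list of findings (strings) for one PAM service name."""
    findings = []
    for mtype in MODULE_TYPES:
        stack, source = resolve_stack(stacks, service, mtype)
        if not stack:
            findings.append(
                f"{service} {mtype}: no active modules (neither an explicit "
                f"'{service} {mtype}' nor an 'other {mtype}' line is enabled)")
            continue
        controls = {control for control, _, _ in stack}
        if not controls & {"required", "requisite", "binding"}:
            findings.append(
                f"{service} {mtype}: stack ({source}) has only "
                f"{sorted(controls)} modules, nothing is required")
    return findings


if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("login", "cron"):
        for finding in check_service(parsed, svc):
            print(finding)
```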
[Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
Hi,

I am getting "ipa: ERROR: CIFS server communication error: code -1073741771," while doing:

[root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code -1073741771, message NT_STATUS_OBJECT_NAME_COLLISION (both may be None)

I am using CentOS 7 and IPA 4.1.2.

IPA server:

[root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
kwtpocpbis02.solaris.com has address 172.16.107.135
[root@kwtpocpbis02 ~]# host 172.16.107.135
135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.

AD:

[root@kwtpocpbis02 ~]# host 172.16.107.250
250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
[root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
kwtipaad001.infra.com has address 172.16.107.250

Debugging is enabled and this is what I am getting in error_log:

INFO: Current debug levels:
  all: 11
  tdb: 11
  printdrivers: 11
  lanman: 11
  smb: 11
  rpc_parse: 11
  rpc_srv: 11
  rpc_cli: 11
  passdb: 11
  sam: 11
  auth: 11
  winbind: 11
  vfs: 11
  idmap: 11
  quota: 11
  acls: 11
  locking: 11
  msdfs: 11
  dmapi: 11
  registry: 11
  scavenger: 11
  dns: 11
  ldb: 11
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
Using binding ncacn_np:kwtpocpbis02.solaris.com[,]
Mapped to DCERPC endpoint \pipe\lsarpc
added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255 netmask=255.255.255.0
added interface eno1628 ip=172.16.107.135 bcast=172.16.107.255 netmask=255.255.255.0
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 663430
  SO_RCVBUF = 261942
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Ticket in credentials cache for ad...@solaris.com will expire in 81540 secs
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
HI,

Thanks for the reply. I have created a PTR record for the IPA server under the reverse lookup zone manually, and the IPA server resolves from AD. How can I solve this issue?

On Wed, Mar 18, 2015 at 12:15 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 18 Mar 2015, Ben .T.George wrote:
>> Hi
>>
>> I am getting "ipa: ERROR: CIFS server communication error: code -1073741771," while doing:
>>
>> [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password
>> Active Directory domain administrator's password:
>> ipa: ERROR: CIFS server communication error: code -1073741771, message NT_STATUS_OBJECT_NAME_COLLISION (both may be None)
>>
>> I am using CentOS 7 and IPA 4.1.2.
>
> NT_STATUS_OBJECT_NAME_COLLISION means AD thinks you have hosts in AD
> that belong to the solaris.com domain, which the 'trust-add' operation
> claims belongs to the IPA realm. AD refuses to operate the trust in
> this case.
>
>> IPA server:
>>
>> [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
>> kwtpocpbis02.solaris.com has address 172.16.107.135
>> [root@kwtpocpbis02 ~]# host 172.16.107.135
>> 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.
>>
>> AD:
>>
>> [root@kwtpocpbis02 ~]# host 172.16.107.250
>> 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
>> [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
>> kwtipaad001.infra.com has address 172.16.107.250
>>
>> Debugging is enabled and this is what I am getting in error_log:
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
HI,

I saw this in BZ and it's closed, mentioning that it got resolved on RHEL/CentOS 7. But I am already using 7. Please, anyone help me to fix this?

Regards,
Nem

On Wed, Mar 18, 2015 at 11:19 AM, Ben .T.George bentech4...@gmail.com wrote:
> Hi
>
> I am getting "ipa: ERROR: CIFS server communication error: code -1073741771," while doing:
>
> [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password
> Active Directory domain administrator's password:
> ipa: ERROR: CIFS server communication error: code -1073741771, message NT_STATUS_OBJECT_NAME_COLLISION (both may be None)
>
> I am using CentOS 7 and IPA 4.1.2.
>
> IPA server:
>
> [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
> kwtpocpbis02.solaris.com has address 172.16.107.135
> [root@kwtpocpbis02 ~]# host 172.16.107.135
> 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.
>
> AD:
>
> [root@kwtpocpbis02 ~]# host 172.16.107.250
> 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
> [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
> kwtipaad001.infra.com has address 172.16.107.250
>
> Debugging is enabled and this is what I am getting in error_log:
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
This is the result from AD:

C:\Users\Administrator>nslookup
Default Server:  localhost
Address:  127.0.0.1

> set type=srv
> _ldap._tcp.infra.com
Server:  localhost
Address:  127.0.0.1

_ldap._tcp.infra.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = kwtipaad001.infra.com
kwtipaad001.infra.com   internet address = 172.16.107.250
> _ldap._tcp.solaris.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
_ldap._tcp.solaris.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = kwtpocpbis02.solaris.com
kwtpocpbis02.solaris.com        internet address = 172.16.107.135

On Wed, Mar 18, 2015 at 12:21 PM, Ben .T.George bentech4...@gmail.com wrote:
> HI
>
> Thanks for the reply. I have created a PTR record for the IPA server under the reverse lookup zone manually, and the IPA server resolves from AD. How can I solve this issue?
>
> On Wed, Mar 18, 2015 at 12:15 PM, Alexander Bokovoy aboko...@redhat.com wrote:
>> On Wed, 18 Mar 2015, Ben .T.George wrote:
>>> Hi
>>>
>>> I am getting "ipa: ERROR: CIFS server communication error: code -1073741771," while doing:
>>>
>>> [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password
>>> Active Directory domain administrator's password:
>>> ipa: ERROR: CIFS server communication error: code -1073741771, message NT_STATUS_OBJECT_NAME_COLLISION (both may be None)
>>>
>>> I am using CentOS 7 and IPA 4.1.2.
>>
>> NT_STATUS_OBJECT_NAME_COLLISION means AD thinks you have hosts in AD
>> that belong to the solaris.com domain, which the 'trust-add' operation
>> claims belongs to the IPA realm. AD refuses to operate the trust in
>> this case.
>>
>>> IPA server:
>>>
>>> [root@kwtpocpbis02 ~]# host kwtpocpbis02.solaris.com
>>> kwtpocpbis02.solaris.com has address 172.16.107.135
>>> [root@kwtpocpbis02 ~]# host 172.16.107.135
>>> 135.107.16.172.in-addr.arpa domain name pointer kwtpocpbis02.solaris.com.
>>>
>>> AD:
>>>
>>> [root@kwtpocpbis02 ~]# host 172.16.107.250
>>> 250.107.16.172.in-addr.arpa domain name pointer kwtipaad001.infra.com.
>>> [root@kwtpocpbis02 ~]# host kwtipaad001.infra.com
>>> kwtipaad001.infra.com has address 172.16.107.250
>>>
>>> Debugging is enabled and this is what I am getting in error_log:
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
Did that, and the result is:

[root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
Enter LDAP Password:
ldap_bind: No such object (32)
You have new mail in /var/spool/mail/root

On Wed, Mar 18, 2015 at 12:59 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 18 Mar 2015, Ben .T.George wrote:
>> No, this is a new host-name I chose. Anyway, how do I check whether there is any existing solaris.com in AD? Under DNS management, I cannot see anything.
>
> You can search with ldapsearch, something like this, from the IPA master:
>
> ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
No, this is a new host-name I chose. Anyway, how do I check whether there is any existing solaris.com in AD? Under DNS management, I cannot see anything.

Regards,
Ben

On Wed, Mar 18, 2015 at 12:45 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 18 Mar 2015, Ben .T.George wrote:
>> HI
>>
>> I saw this ticket, and it's 13 months old: https://fedorahosted.org/freeipa/ticket/4202
>> Is this fixed? I think the mentioned patch is for 3.3.
>
> This is fixed. Do you have any host in .solaris.com that is joined to your AD in infra.com?
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,
OK, thanks. Now the output is something different:

[root@kwtpocpbis02 ~]# ldapsearch -h 172.16.107.250 -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=infra,dc=com> with scope subtree
# filter: (serviceprincipalname=*solaris.com)
# requesting: dn
#

# search reference
ref: ldap://ForestDnsZones.infra.com/DC=ForestDnsZones,DC=infra,DC=com

# search reference
ref: ldap://DomainDnsZones.infra.com/DC=DomainDnsZones,DC=infra,DC=com

# search reference
ref: ldap://infra.com/CN=Configuration,DC=infra,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 4
# numReferences: 3
You have new mail in /var/spool/mail/root

But there is no solaris.com in this output.

On Wed, Mar 18, 2015 at 1:38 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> On Wed, 18 Mar 2015, Ben .T.George wrote:
>> Did that, and the result is:
>>
>> [root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
>> Enter LDAP Password:
>> ldap_bind: No such object (32)
>> You have new mail in /var/spool/mail/root
>
> Ah, sorry, you need to add the -h option to specify the LDAP server host (your AD DC).
>
>> On Wed, Mar 18, 2015 at 12:59 PM, Alexander Bokovoy aboko...@redhat.com wrote:
>>> On Wed, 18 Mar 2015, Ben .T.George wrote:
>>>> No, this is a new host-name I chose. Anyway, how do I check whether there is any existing solaris.com in AD? Under DNS management, I cannot see anything.
>>>
>>> You can search with ldapsearch, something like this, from the IPA master:
>>>
>>> ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
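An added example, not code from the thread: a parser for the ldapsearch LDIF output above that separates real entries from search references and lists any AD object whose servicePrincipalName falls under the IPA domain, which is the collision check the reply describes. The HOST01 computer object and its SPNs are constructed; the three referrals are the ones in the posted output, and output containing only referrals (as posted) yields no hits.

```python
"""Check ldapsearch output for AD objects carrying servicePrincipalName
values in the IPA domain.

Search references are referrals to other naming contexts, not matching
entries, so a result made only of references means nothing in the
searched tree claims a name under the IPA domain.
"""
import base64

IPA_DOMAIN = "solaris.com"

# Constructed ldapsearch output: the three referrals seen in the post plus
# one hypothetical computer object whose SPNs would collide with solaris.com.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=infra,dc=com> with scope subtree
# filter: (serviceprincipalname=*solaris.com)
# requesting: dn servicePrincipalName
#

# HOST01, Computers, infra.com
dn: CN=HOST01,CN=Computers,DC=infra,DC=com
servicePrincipalName: HOST/host01.solaris.com
servicePrincipalName: HOST/HOST01
servicePrincipalName: RestrictedKrbHost/host01.sol
 aris.com

# search reference
ref: ldap://ForestDnsZones.infra.com/DC=ForestDnsZones,DC=infra,DC=com

# search reference
ref: ldap://DomainDnsZones.infra.com/DC=DomainDnsZones,DC=infra,DC=com

# search reference
ref: ldap://infra.com/CN=Configuration,DC=infra,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
"""


def parse_ldif(text):
    """Split LDIF into (entries, refs).

    entries: list of (dn, {attr_lowercase: [values]}); refs: list of URLs
    from "search reference" records.  Folded continuation lines (leading
    space) and base64 values ("attr:: ...") are handled.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF line folding
        else:
            unfolded.append(raw)

    entries, refs, record = [], [], []
    for line in unfolded + [""]:             # sentinel flushes the last record
        if line == "":
            if record:
                _add_record(record, entries, refs)
                record = []
        elif not line.startswith("#"):       # ldapsearch comment lines
            record.append(line)
    return entries, refs


def _add_record(record, entries, refs):
    dn, attrs = None, {}
    for line in record:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "ref":
            refs.append(value)
        elif name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:                       # "search:"/"result:" records have no dn
        entries.append((dn, attrs))


def spn_host(spn):
    """Host part of an SPN: 'HOST/h.example.com:389' -> 'h.example.com'."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def find_spn_collisions(ldif_text, ipa_domain=IPA_DOMAIN):
    """Return [(dn, [spn, ...])] for entries with an SPN host in ipa_domain."""
    ipa_domain = ipa_domain.lower()
    hits = []
    for dn, attrs in parse_ldif(ldif_text)[0]:
        spns = [s for s in attrs.get("serviceprincipalname", [])
                if spn_host(s) == ipa_domain
                or spn_host(s).endswith("." + ipa_domain)]
        if spns:
            hits.append((dn, spns))
    return hits


if __name__ == "__main__":
    found, references = parse_ldif(SAMPLE_LDIF)
    print(f"{len(found)} entries, {len(references)} search references")
    for dn, spns in find_spn_collisions(SAMPLE_LDIF):
        print(dn, *spns, sep="\n    ")
```

To run it on real output, add servicePrincipalName to the attribute list of the posted ldapsearch command (it requests only dn) and feed the saved output to find_spn_collisions.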
[Freeipa-users] Only one AD user can able to login to IPA server
HI List,

I was following this link to set up the IPA server: http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions

My IPA version is 4.1.2. Every step in this tutorial passed without any error; even *Allow access for users from AD domain to protected resources* went successfully.

My current issue is that only one user, called ben, can log in to the IPA server. Please check below:

[root@kwtpocpbis01 ~]# getent passwd b...@infra.com
b...@infra.com:*:531001104:531001104:ben:/home/infra.com/ben:
[root@kwtpocpbis01 ~]# getent passwd bo...@infra.com
[root@kwtpocpbis01 ~]# getent passwd administra...@infra.com
[root@kwtpocpbis01 ~]#

The users ben and bobby are in the same group (Domain Users), but bobby cannot log in to IPA and I am not getting any information while querying. Please help me to fix this issue; I don't know where I need to start troubleshooting it.

Thanks

Regards,
Ben
Re: [Freeipa-users] Only one AD user can able to login to IPA server
HI,

I have enabled debug. Here is my sssd.conf:

[root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
[domain/solaris.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.local
chpass_provider = ipa
ipa_server = kwtpocpbis01.solaris.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = solaris.local
debug_level = 6

[nss]
homedir_substring = /home
debug_level = 6

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

LOGS:

sssd.log:

(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging solaris.local
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Mar 17 12:45:34 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service sudo replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service ssh replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service solaris.local replied to ping
(Tue Mar 17 12:45:34 2015) [sssd] [ping_check] (0x0100): Service pac replied to ping

error_log:

[root@kwtpocpbis01 ~]# tail -f /var/log/httpd/error_log
[Tue Mar 17 11:26:25.458878 2015] [:error] [pid 15175] ipa: INFO: *** PROCESS START ***
[Tue Mar 17 11:26:25.603536 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.609112 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.655477 2015] [:error] [pid 15176] ipa: DEBUG: Mounting ipaserver.rpcserver.login_kerberos() at '/session/login_kerberos'
[Tue Mar 17 11:26:25.655597 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.681652 2015] [:error] [pid 15176] ipa: DEBUG: Mounting ipaserver.rpcserver.login_password() at '/session/login_password'
[Tue Mar 17 11:26:25.681849 2015] [:error] [pid 15176] ipa: DEBUG: session_auth_duration: 0:20:00
[Tue Mar 17 11:26:25.754351 2015] [:error] [pid 15176] ipa: INFO: *** PROCESS START ***
p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported attribute
[Tue Mar 17 11:26:28.847563 2015] [:warn] [pid 15377] NSSProtocol: Unknown protocol 'tlsv1.2' not supported

secure:

[root@kwtpocpbis01 log]# tail -f secure
Mar 17 12:35:41 kwtpocpbis01 sshd[15714]: subsystem request for sftp by user root
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: Accepted password for root from 10.18.2.130 port 64141 ssh2
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 17 12:35:44 kwtpocpbis01 sshd[15736]: subsystem request for sftp by user root
Mar 17 12:39:12 kwtpocpbis01 sshd[14507]: pam_unix(sshd:session): session closed for user root
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: Invalid user bo...@infra.com from 10.18.2.130
Mar 17 12:40:57 kwtpocpbis01 sshd[15816]: input_userauth_request: invalid user bo...@infra.com [preauth]
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): check pass; user unknown
Mar 17 12:41:02 kwtpocpbis01 sshd[15816]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130
Mar 17 12:41:04 kwtpocpbis01 sshd[15816]: Failed password for invalid user bo...@infra.com from 10.18.2.130 port 64470 ssh2
Mar 17 12:44:56 kwtpocpbis01 sshd[15840]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=b...@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.18.2.130 user=b...@infra.com
Mar 17 12:44:57 kwtpocpbis01 sshd[15840]: Accepted password for b...@infra.com from 10.18.2.130 port 64782 ssh2
Mar 17 12:44:59 kwtpocpbis01 sshd[15840]: pam_unix(sshd:session): session opened for user b...@infra.com by (uid=0)

On Tue, Mar 17, 2015 at 12:09 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
>> HI List
>>
>> I was following this link to set up the IPA server: http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
>>
>> My IPA version is 4.1.2. Every step in this tutorial passed without any error; even *Allow access for users from AD domain to protected resources* went successfully.
>>
>> My current issue is that only one user, called ben, can log in to the IPA server. Please check below:
>>
>> [root@kwtpocpbis01 ~]# getent passwd b...@infra.com
>> b...@infra.com
Re: [Freeipa-users] Only one AD user can able to login to IPA server
Hi all,

How can I fix this issue? I even tried to add the AD trust again; that too failed. From where do I need to start troubleshooting?

On Tue, Mar 17, 2015 at 3:02 PM, Ben .T.George bentech4...@gmail.com wrote:
> Hi
>
> I did kinit:
>
> [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
> kinit: Keytab contains no suitable keys for host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial credentials
>
> I destroyed and re-created it, but still the same.
>
> On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek jhro...@redhat.com wrote:
>> On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote:
>>> Here are the separated logs:
>>>
>>> tail -f sssd_solaris.local.log
>>
>> Thank you, see inline:
>>
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'kwtpocpbis01.solaris.local' as 'not working'
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'kwtpocpbis01.solaris.local' as 'not working'
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7f6b7d2c3140], connected[1], ops[(nil)], ldap[0x7f6b7d265a00], destructor_lock[0], release_memory[0]
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
>>> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [check_online_callback] (0x0100): Backend returned: (3, 0, NULL) [Internal Error (Success)]
>>
>> So it seems the keytab is wrong; you can also test the keytab validity with kinit -k..
Re: [Freeipa-users] Only one AD user can able to login to IPA server
HI,

I have changed it like this:

[root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf
[domain/solaris.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.local
chpass_provider = ipa
ipa_server = kwtpocpbis01.solaris.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
debug_level = 5
domains = solaris.local

[nss]
homedir_substring = /home
debug_level = 6

[pam]
debug_level = 10

[sudo]
debug_level = 5

[autofs]
debug_level = 5

[ssh]
debug_level = 5

[pac]
debug_level = 5

[ifp]

But sssd.log looks the same:

(Tue Mar 17 14:23:13 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging solaris.local
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging nss
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging sudo
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging pam
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging ssh
(Tue Mar 17 14:23:23 2015) [sssd] [service_send_ping] (0x0100): Pinging pac
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service sudo replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service ssh replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service pam replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service solaris.local replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service pac replied to ping
(Tue Mar 17 14:23:23 2015) [sssd] [ping_check] (0x0100): Service nss replied to ping

On Tue, Mar 17, 2015 at 1:27 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Tue, Mar 17, 2015 at 12:57:27PM +0300, Ben .T.George wrote:
>> HI
>>
>> I have enabled debug. Here is my sssd.conf:
>>
>> [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
>> [domain/solaris.local]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = solaris.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = kwtpocpbis01.solaris.local
>> chpass_provider = ipa
>> ipa_server = kwtpocpbis01.solaris.local
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>
> Please also add debug_level to this section, not just [sssd] and [nss].
>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>> domains = solaris.local
>> debug_level = 6
>>
>> [nss]
>> homedir_substring = /home
>> debug_level = 6
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
Re: [Freeipa-users] Only one AD user can able to login to IPA server
Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [get_server_status] (0x1000): Status of server 'kwtpocpbis01.solaris.local' is 'name not resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [get_server_status] (0x1000): Status of server 'kwtpocpbis01.solaris.local' is 'name not resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [resolv_is_address] (0x4000): [kwtpocpbis01.solaris.local] does not look like an IP address
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'kwtpocpbis01.solaris.local' in files
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [set_server_common_status] (0x0100): Marking server 'kwtpocpbis01.solaris.local' as 'resolving name'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [set_server_common_status] (0x0100): Marking server 'kwtpocpbis01.solaris.local' as 'name resolved'
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [be_resolve_server_process] (0x0200): Found address for server kwtpocpbis01.solaris.local: [172.16.107.244] TTL 7200
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sss_ldap_init_send] (0x4000): Using file descriptor [22] for LDAP connection.
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://kwtpocpbis01.solaris.local:389/??base] with fd [22].
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_print_server] (0x2000): Searching 172.16.107.244
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [ad_online_cb] (0x0400): The AD provider is online
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [sdap_id_op_connect_step] (0x4000): waiting for connection to complete
(Tue Mar 17 14:33:30 2015) [sssd[be[solaris.local]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication.

On Tue, Mar 17, 2015 at 2:23 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI
>
> I have changed it like this:
>
> [root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf
> [domain/solaris.local]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = solaris.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = kwtpocpbis01.solaris.local
> chpass_provider = ipa
> ipa_server = kwtpocpbis01.solaris.local
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> debug_level = 5
> domains = solaris.local
>
> [nss]
> homedir_substring = /home
> debug_level = 6
>
> [pam
Re: [Freeipa-users] Only one AD user can able to login to IPA server
Hi,

I did kinit:

[root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
kinit: Keytab contains no suitable keys for host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial credentials

I destroyed and re-created, but still the same.

On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote:
> > here are the separated logs:
> >
> > tail -f sssd_solaris.local.log
>
> Thank you, see inline:
>
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Decrypt integrity check failed], expired on [0]
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'kwtpocpbis01.solaris.local' as 'not working'
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'kwtpocpbis01.solaris.local' as 'not working'
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_handle_release] (0x2000): Trace: sh[0x7f6b7d2c3140], connected[1], ops[(nil)], ldap[0x7f6b7d265a00], destructor_lock[0], release_memory[0]
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
> > (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [check_online_callback] (0x0100): Backend returned: (3, 0, NULL) [Internal Error (Success)]
>
> So it seems the keytab is wrong, you can also test the keytab validity with kinit -k..
Re: [Freeipa-users] Only one AD user can able to login to IPA server
: LSA_POLICY_CREATE_PRIVILEGE
0: LSA_POLICY_SET_DEFAULT_QUOTA_LIMITS
0: LSA_POLICY_SET_AUDIT_REQUIREMENTS
0: LSA_POLICY_AUDIT_LOG_ADMIN
0: LSA_POLICY_SERVER_ADMIN
0: LSA_POLICY_LOOKUP_NAMES
0: LSA_POLICY_NOTIFICATION
rpc request data:
[0000] 00 00 02 00 01 00 00 00 00 00 00 00 01 00 00 00
[0010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[0020] 00 00 00 00 00 00 00 00 04 00 02 00 00 00 00 00
[0030] 00 00 00 00 00 00 00 02
s4_tevent: Schedule immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Added timed event dcerpc_timeout_handler: 0x7f5a64093810
s4_tevent: Run immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Schedule immediate event dcerpc_io_trigger: 0x7f5a642b3a00
s4_tevent: Run immediate event dcerpc_io_trigger: 0x7f5a642b3a00
rpc fault: WERR_ACCESS_DENIED
s4_tevent: Destroying timer event 0x7f5a64093810 dcerpc_timeout_handler
s4_tevent: Schedule immediate event tevent_req_trigger: 0x7f5a64093560
s4_tevent: Run immediate event tevent_req_trigger: 0x7f5a64093560

[Wed Mar 18 08:10:19.541586 2015] [:error] [pid 15176] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Wed Mar 18 08:10:19.541617 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 349, in wsgi_execute
[Wed Mar 18 08:10:19.541624 2015] [:error] [pid 15176]     result = self.Command[name](*args, **options)
[Wed Mar 18 08:10:19.541627 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 439, in __call__
[Wed Mar 18 08:10:19.541631 2015] [:error] [pid 15176]     ret = self.run(*args, **options)
[Wed Mar 18 08:10:19.541634 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 754, in run
[Wed Mar 18 08:10:19.541637 2015] [:error] [pid 15176]     return self.execute(*args, **options)
[Wed Mar 18 08:10:19.541640 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 472, in execute
[Wed Mar 18 08:10:19.541643 2015] [:error] [pid 15176]     full_join = self.validate_options(*keys, **options)
[Wed Mar 18 08:10:19.541646 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py", line 582, in validate_options
[Wed Mar 18 08:10:19.541650 2015] [:error] [pid 15176]     self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
[Wed Mar 18 08:10:19.541656 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1127, in __init__
[Wed Mar 18 08:10:19.541660 2015] [:error] [pid 15176]     self.__populate_local_domain()
[Wed Mar 18 08:10:19.541663 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 1136, in __populate_local_domain
[Wed Mar 18 08:10:19.541666 2015] [:error] [pid 15176]     ld.retrieve(installutils.get_fqdn())
[Wed Mar 18 08:10:19.541669 2015] [:error] [pid 15176]   File "/usr/lib/python2.7/site-packages/ipaserver/dcerpc.py", line 826, in retrieve
[Wed Mar 18 08:10:19.541672 2015] [:error] [pid 15176]     raise assess_dcerpc_exception(num=num, message=message)
[Wed Mar 18 08:10:19.541675 2015] [:error] [pid 15176] ACIError: Insufficient access: Gettext('CIFS server denied your credentials', domain='ipa', localedir=None)
[Wed Mar 18 08:10:19.541678 2015] [:error] [pid 15176]
[Wed Mar 18 08:10:19.541970 2015] [:error] [pid 15176] ipa: INFO: [jsonserver_session] admin@SOLARIS.LOCAL: trust_add(u'infra.com', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.113'): ACIError
[Wed Mar 18 08:10:19.542594 2015] [:error] [pid 15176] ipa: DEBUG: reading ccache data from file /var/run/ipa_memcached/krbcc_15176
[Wed Mar 18 08:10:19.542847 2015] [:error] [pid 15176] ipa: DEBUG: store session: session_id=15b334c24b28c1e228c1e843efb0bf86 start_timestamp=2015-03-18T08:06:18 access_timestamp=2015-03-18T08:10:19 expiration_timestamp=2015-03-18T08:30:17
[Wed Mar 18 08:10:19.545479 2015] [:error] [pid 15176] ipa: DEBUG: Destroyed connection context.ldap2

On Tue, Mar 17, 2015 at 9:30 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Tue, 17 Mar 2015, Ben .T.George wrote:
> > Hi
> >
> > I did kinit:
> >
> > [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
> > kinit: Keytab contains no suitable keys for host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial credentials
> >
> > I destroyed and re-created, but still the same.
>
> What did you destroy? kdestroy was the command I was talking about.
>
> Why did you need to touch /etc/dirsrv/ds.keytab at all? It contains the key for ldap/kwtpocpbis01.solaris.local@SOLARIS.LOCAL that your LDAP server is using. It has nothing to do with your host/... principal.
>
> If your sssd cannot authenticate against AD DC, it means trust is *not* working and anything else
Re: [Freeipa-users] solaris 10 ad authentication happening with only one user
HI,

The user Ben is from AD; how can I assign a shell to that user?

Regards,
Ben

On Sun, Mar 15, 2015 at 7:14 PM, Gianluca Cecchi <gianluca.cec...@gmail.com> wrote:
> On 15/Mar/2015 11:04, Ben .T.George <bentech4...@gmail.com> wrote:
> > here is the getent passwd:
> > skipped
> > nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
> > b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
> > auth:x:64348:64348:auth auth:/home/auth:/bin/sh
> > shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
> > jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
> > admin:x:64340:64340:Administrator:/home/admin:/bin/bash
> >
> > user ben is from AD and I am able to su to that user. I have tried with other users and it's not happening. AD authentication is working at some level and it is restricted to only one user.
>
> b...@infra.com:x:531001104:531001104:ben:/home/infra.com/ben:
> auth:x:64348:64348:auth auth:/home/auth:/bin/sh
> shyam:x:64347:64347:shyam A:/export/home/shyam:/bin/bash
> jude:x:64346:64346:jude joseph:/export/home/jude:/bin/bash
> admin:x:64340:64340:Administrator:/home/admin:/bin/bash
>
> > other than user ben, all other users are local IPA users.
> > how can I troubleshoot this issue?
>
> To be able to login, the user needs to have a shell, that is the last field of the passwd line, which in your case is empty for Ben
>
> Gianluca
[Freeipa-users] solaris to free IPA user issue
HI,

I am using FreeIPA 4.1.2 on CentOS 7. From the root user, I am able to switch to an IPA user: su ben

But from any other user, if I try that, it asks for a password, and even if I give the correct password it is not accepted. This is what I am getting:

bash-3.2$ su jude
Password:
su: Sorry

and in the log:

Mar 15 11:21:05 kwtpocpbis02.solaris.local su: [ID 810491 auth.crit] 'su jude' failed for root on /dev/pts/1

Please help me to fix this issue.

Regards,
Ben
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
HI,

I tried both methods and still it's not creating the home directories.

Regards,
Ben

On Wed, Mar 11, 2015 at 11:35 PM, sipazzo <sipa...@yahoo.com> wrote:
> This is how we use the automounter to automatically create home directories for ipa users under /export/home/ and mount them under /home/ on Solaris 10, as well as copy over the profile files and assign the appropriate owner and group:
>
> We first created a service account called auth in ipa to allow ldap lookups with no password expiration.
>
> On the clients create a mkhomedir script in /usr/local/adm (or wherever you like):
>
> #!/bin/ksh -p
> HOMEDIRPATH=/home
> PHYSICALDIRPATH=/export/home
> hdir=~$1
> phdir=$PHYSICALDIRPATH/$1
> # Directory already exists: just return the map entry
> if [ -d $phdir ]; then
>     echo localhost:$phdir
>     exit
> fi
> mkdir -p $phdir
> #Perform ldap lookup to get user and group of logged in user
> GID=`ldapsearch -h idmserver.example.com -D uid=auth,cn=users,cn=accounts,dc=example,dc=com -w 'authpassword' -b cn=users,cn=accounts,dc=example,dc=com "(uid=$1)" | grep gid | cut -d" " -f2`
> #Copy profile files
> cp /etc/skel/.bash_profile $phdir/.bash_profile
> cp /etc/skel/.bashrc $phdir/.bashrc
> cp /etc/skel/.profile $phdir/.profile
> cp /etc/skel/.vimrc $phdir/.vimrc
> #Change the owner and group to logged in user
> chown -R $1:$GID $phdir
> echo localhost:$phdir
> ##END
>
> You need to change permissions on the mkhomedir script to 755.
>
> Login to the client directly as root so you can move home directories around (edit /etc/ssh/sshd_config if needed to allow this).
> Ensure no one else is logged in.
> Ensure nothing else is mounted in /export/home.
>
> Copy home directories to /export/home:
> rsync -av /home/ /export/home/
>
> Add this line to the /etc/auto_master file so the mkhomedir script runs at login:
> /home /usr/local/adm/mkhomedir
>
> Remove the original /home/ directories:
> rm -rf /home/*
>
> Restart autofs so the change takes effect:
> svcadm restart autofs
>
> Make sure you change your sshd_config back if you don't wish to allow root ssh access.
>
> --
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ben .T.George
> Sent: Wednesday, March 11, 2015 11:22 AM
> To: dpal
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
>
> from BZ:
>
> While we value your interest in IPA Solaris support, the implementation of the DUA profile is not on our nearest schedule at the moment. We lack both knowledge and resources to focus on integration with Solaris. This is where we need help (ideally patches) and contribution from the community to help us push these features in. I checked your example DUAConfigProfile and I think it cannot be just added to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you would need to expand installers and ipa-replica-manage to handle these lists and update them when a replica is added or updated to prevent it being outdated. printers or aliases serviceSearchDescriptor refers to objects not being available and so on. It is not as straightforward as it seems. What I think that we can work on is to work together on http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 ... and add all the steps needed to make IPA work on Solaris 10. I could for example prepare an updated page and you could review it. Would that work for you?
>
> This is what I followed until now, but it's not authenticating with AD; an IPA user can login on the solaris box.
>
> On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal <d...@redhat.com> wrote:
> > On 03/11/2015 01:56 PM, Ben .T.George wrote:
> > > HI
> > >
> > > yea, I saw that mail thread and he claims that he achieved it somehow, but it is not clear, and the steps mentioned are too technical for me. :) As I am very new to IPA it's a bit confusing. Later that thread also closed without a proper explanation.
> > >
> > > I think you guys can contact him to change the existing wiki :) as there are many solaris related documents which are pretty old. Anyway, still waiting for a reply.
> >
> > Have you found the BZ? They are very detailed.
> > https://bugzilla.redhat.com/show_bug.cgi?id=815515
> > The DUA profile is attached to the bug.
> >
> > > Regards,
> > > Ben
> > >
> > > On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > > On 03/11/2015 01:18 PM, Ben .T.George wrote:
> > > > > HI
> > > > >
> > > > > thanks for the reply. I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when the login request comes, it isn't.
> > > > >
> > > > > I don't think anyone did a full solaris integration until now, as I asked many questions related to that. Now I am a little bit confident up to this level, and if everything is working fine, I will try to create an automated script for IPA join.
> > > >
> > > > I really do not know Solaris that well. There are some threads from this and last week about
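As an added example (not sipazzo's script nor anything from FreeIPA), here is an executable automount map for /home in the same spirit, but with the gid resolved through NSS with getent instead of an ldapsearch bind whose service-account password lives in the script, and with the looked-up key validated before it is used to build a path. It assumes /export/home and /etc/skel as in the posted script, and that getent is available (it is on Solaris 10 and Linux).

```shell
#!/bin/sh
# Added example, not the script posted in the thread: an executable
# automount map for /home that creates the physical home directory on
# first lookup. Differences from the posted mkhomedir:
#  - the uid/gid come from the passwd map via getent (NSS -> sssd/ldap),
#    so no LDAP service-account password has to live in the script;
#  - the key is validated before it is used as a path component;
#  - an unknown user produces no map entry instead of an orphan directory.
# Runs under /bin/sh or ksh; the automounter passes the looked-up key as $1.

PHYSICALDIRPATH=/export/home   # where homes physically live (as in the thread)
SKEL=/etc/skel                 # profile files to seed a new home with

# valid_user NAME: succeed only for a plain account name usable as a single
# path component (no empty string, no slash, no leading dot or dash).
valid_user() {
    case "$1" in
        '' | */* | .* | -*) return 1 ;;
        *) return 0 ;;
    esac
}

# passwd_field NAME N: print field N of the user's passwd entry, empty when
# the user is unknown to NSS (uid is field 3, gid is field 4).
passwd_field() {
    getent passwd "$1" 2>/dev/null | cut -d: -f"$2"
}

# mkhomedir_map NAME: print the map entry "localhost:<physical dir>" for the
# key, creating and seeding the directory when it does not exist yet.
# Returns 1 and prints nothing for an invalid key or an unknown user.
mkhomedir_map() {
    user=$1
    valid_user "$user" || return 1
    phdir="$PHYSICALDIRPATH/$user"

    if [ -d "$phdir" ]; then
        echo "localhost:$phdir"
        return 0
    fi

    uid=$(passwd_field "$user" 3)
    gid=$(passwd_field "$user" 4)
    [ -n "$uid" ] && [ -n "$gid" ] || return 1   # not a known user: no entry

    mkdir -p "$phdir" || return 1
    chmod 0700 "$phdir"
    for f in .bash_profile .bashrc .profile .vimrc; do
        [ -f "$SKEL/$f" ] && cp "$SKEL/$f" "$phdir/$f"
    done
    chown -R "$uid:$gid" "$phdir"
    echo "localhost:$phdir"
}

# Entry point when invoked by the automounter (no-op when sourced for tests).
[ -n "$1" ] && mkhomedir_map "$1"
```

Install it as the map program named in /etc/auto_master exactly as in the steps above; the shell only sees keys the automounter hands it, so the validation is a guard against odd keys, not a replacement for the 755 permissions and root ownership of the script itself.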
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
HI Siggi,

thanks for the detailed information. How can I apply this DUA profile? Can you please give me the steps to apply it?

My current stage is: I am able to login to the solaris 10 box with an AD user, only from the command line, without "-" in su.

Regards,
Ben

On Thu, Mar 12, 2015 at 4:00 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:
> Hi,
>
> Yes, the DUA profile needs manual editing and updating as IPA servers are added or removed. Ideally this would be managed by ipa-replica-manage, however as I was advised in the BZ, Red Hat does not have the knowledge or resources to focus on integration with Solaris, which is understandable. :)
>
> The DUA profile I've uploaded to the BZ is a copy (with server names edited) of the DUA profile I've used at several environments when configuring Solaris 10 to work with IPA, so unless there are typos I haven't discovered, it would work ok. :)
>
> As for the automount, Linux uses "." between auto and the map name, such as auto.master, auto.home, etc. And Solaris uses "_" between auto and the map name, such as auto_master, auto_home. This can be worked around in the DUA profile by adding a serviceSearchDescriptor for each automounter map, such as:
>
> serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=defualt,cn=automount,dc=ix,dc=test,dc=com
>
> What I found as the best middle ground here was to keep the master map name auto.master and have a serviceSearchDescriptor in the DUA profile for auto.master, and have the remaining maps in IPA with "_" as the separator. This works best as Linux will look for auto.master by default, and be happy with the other maps being referred to with "_" as separator. Solaris seems to require that all the maps use "_" as separator, unless serviceSearchDescriptor entries are added for each map.
>
> I hope this was what you were looking for?
>
> Regards,
> Siggi
>
> On 11 Mar 2015, at 19:39, Dmitri Pal <d...@redhat.com> wrote:
> > Hello,
> >
> > Is there any chance you can help this guy on the FreeIPA list?
> >
> > Thanks
> > Dmitri
> >
> > -------- Original Message --------
> > Subject: Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
> > Date: Wed, 11 Mar 2015 21:22:02 +0300
> > From: Ben .T.George <bentech4...@gmail.com>
> > Reply-To: bentech4...@gmail.com
> > To: dpal <d...@redhat.com>
> > CC: freeipa-users <freeipa-users@redhat.com>
> >
> > from BZ:
> >
> > While we value your interest in IPA Solaris support, the implementation of the DUA profile is not on our nearest schedule at the moment. We lack both knowledge and resources to focus on integration with Solaris. This is where we need help (ideally patches) and contribution from the community to help us push these features in. I checked your example DUAConfigProfile and I think it cannot be just added to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you would need to expand installers and ipa-replica-manage to handle these lists and update them when a replica is added or updated to prevent it being outdated. printers or aliases serviceSearchDescriptor refers to objects not being available and so on. It is not as straightforward as it seems. What I think that we can work on is to work together on http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 ... and add all the steps needed to make IPA work on Solaris 10. I could for example prepare an updated page and you could review it. Would that work for you?
> >
> > This is what I followed until now, but it's not authenticating with AD; an IPA user can login on the solaris box.
> >
> > On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > On 03/11/2015 01:56 PM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > yea, I saw that mail thread and he claims that he achieved it somehow, but it is not clear, and the steps mentioned are too technical for me. :) As I am very new to IPA it's a bit confusing. Later that thread also closed without a proper explanation.
> > > >
> > > > I think you guys can contact him to change the existing wiki :) as there are many solaris related documents which are pretty old. Anyway, still waiting for a reply.
> > >
> > > Have you found the BZ? They are very detailed.
> > > https://bugzilla.redhat.com/show_bug.cgi?id=815515
> > > The DUA profile is attached to the bug.
> > >
> > > > Regards,
> > > > Ben
> > > >
> > > > On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > > > On 03/11/2015 01:18 PM, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > thanks for the reply. I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when the login request comes, it isn't.
> > > > > >
> > > > > > I don't think anyone did a full solaris integration until now, as I asked many questions related to that. Now I am a little bit confident up to this level, and if everything is working fine, I will try to create an automated script for IPA join.
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
HI,

thanks for the reply. I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when the login request comes, it isn't.

I don't think anyone did a full solaris integration until now, as I asked many questions related to that. Now I am a little bit confident up to this level, and if everything is working fine, I will try to create an automated script for IPA join.

Regards,
Ben

On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 03/11/2015 09:50 AM, Ben .T.George wrote:
> > HI
> >
> > I am able to reach the level where an IPA user is able to login on the solaris box, but how can I create home directories automatically on solaris when an IPA user logs in? Even when I change the shell in the IPA web interface, that takes effect.
> >
> > I saw some option in the IPA 3.3 web interface like automount, and that is not in IPA 4.1.2.
>
> All the options are still there. The menus got re-arranged a bit.
> Hopefully someone with Solaris knowledge will help you with the rest.
>
> > Please, can anyone tell me where it is and how I can achieve this?
> >
> > regards,
> > Ben
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
Hi Natxo,

I think your solution will work in my case. Seems like both OSes are the same, using OpenSolaris anyway. Let me try this and I will let you know the status.

Thanks,
regards,
Ben

On Wed, Mar 11, 2015 at 10:51 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
> On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> > Ben .T.George wrote:
> > > HI
> > >
> > > thanks for the reply. I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when the login request comes, it isn't.
> > >
> > > I don't think anyone did a full solaris integration until now, as I asked many questions related to that. Now I am a little bit confident up to this level, and if everything is working fine, I will try to create an automated script for IPA join.
> >
> > automount is not a technology that automatically creates directories, it just automatically mounts them on demand. I'm not aware of a way to automatically create directories on new-user logins in Solaris.
>
> I have not used 'official' solaris but using omnios (open solaris derivative) I have used this with their automounter:
>
> http://omnios.omniti.com/wiki.php/GeneralAdministration#Addinglocalusers
>
> Quite nifty. It should work with solaris as well (well, maybe with a little work).
>
> --
> regards,
> natxo
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
from BZ:

While we value your interest in IPA Solaris support, the implementation of the DUA profile is not on our nearest schedule at the moment. We lack both knowledge and resources to focus on integration with Solaris. This is where we need help (ideally patches) and contribution from the community to help us push these features in. I checked your example DUAConfigProfile and I think it cannot be just added to FreeIPA right away. E.g. for defaultServerList or preferredServerList, you would need to expand installers and ipa-replica-manage to handle these lists and update them when a replica is added or updated to prevent it being outdated. printers or aliases serviceSearchDescriptor refers to objects not being available and so on. It is not as straightforward as it seems. What I think that we can work on is to work together on http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10 ... and add all the steps needed to make IPA work on Solaris 10. I could for example prepare an updated page and you could review it. Would that work for you?

This is what I followed until now, but it's not authenticating with AD; an IPA user can login on the solaris box.

On Wed, Mar 11, 2015 at 9:11 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 03/11/2015 01:56 PM, Ben .T.George wrote:
> > HI
> >
> > yea, I saw that mail thread and he claims that he achieved it somehow, but it is not clear, and the steps mentioned are too technical for me. :) As I am very new to IPA it's a bit confusing. Later that thread also closed without a proper explanation.
> >
> > I think you guys can contact him to change the existing wiki :) as there are many solaris related documents which are pretty old. Anyway, still waiting for a reply.
>
> Have you found the BZ? They are very detailed.
> https://bugzilla.redhat.com/show_bug.cgi?id=815515
> The DUA profile is attached to the bug.
>
> > Regards,
> > Ben
> >
> > On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > On 03/11/2015 01:18 PM, Ben .T.George wrote:
> > > > HI
> > > >
> > > > thanks for the reply. I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when the login request comes, it isn't.
> > > >
> > > > I don't think anyone did a full solaris integration until now, as I asked many questions related to that. Now I am a little bit confident up to this level, and if everything is working fine, I will try to create an automated script for IPA join.
> > >
> > > I really do not know Solaris that well. There are some threads from this and last week about Solaris. You can find them in the mail archive for March. There are pointers to wikis and bugzillas in those threads. The bugzilla bugs have some extended info on how to configure Solaris clients. They were pretty detailed. Maybe they have the automount info you are looking for.
> > >
> > > > Regards,
> > > > Ben
> > > >
> > > > On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > > > On 03/11/2015 09:50 AM, Ben .T.George wrote:
> > > > > > HI
> > > > > >
> > > > > > I am able to reach the level where an IPA user is able to login on the solaris box, but how can I create home directories automatically on solaris when an IPA user logs in? Even when I change the shell in the IPA web interface, that takes effect.
> > > > > >
> > > > > > I saw some option in the IPA 3.3 web interface like automount, and that is not in IPA 4.1.2.
> > > > >
> > > > > All the options are still there. The menus got re-arranged a bit.
> > > > > Hopefully someone with Solaris knowledge will help you with the rest.
> > > > >
> > > > > > Please, can anyone tell me where it is and how I can achieve this?
> > > > > >
> > > > > > regards,
> > > > > > Ben
> > > > >
> > > > > -- 
> > > > > Thank you,
> > > > > Dmitri Pal
> > > > >
> > > > > Sr. Engineering Manager IdM portfolio
> > > > > Red Hat, Inc.
> > >
> > > -- 
> > > Thank you,
> > > Dmitri Pal
> > >
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login
HI, yea, I saw that mail thread and he claims that he achieved it somehow, but it is not clear, and the steps mentioned are too technical for me. :) As I am very new to IPA it's a bit confusing. Later that thread also closed without a proper explanation. I think you guys can contact him to change the existing wiki :) as there are many Solaris related documents which are pretty old.

Anyway, still waiting for a reply.

Regards,
Ben

On Wed, Mar 11, 2015 at 8:49 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 03/11/2015 01:18 PM, Ben .T.George wrote:
> > HI, thanks for the reply.
> >
> > I even tried the native auto_master file with a directory-checking script. If I feed the user manually to the script, the directory is created, but when a login request comes in, it isn't.
> >
> > I don't think anyone has done a full Solaris integration until now, as I have asked many questions related to that. Now I am a little bit more confident up to this level, and if everything works fine, I will try to create an automated script for the IPA join.
>
> I really do not know Solaris that well. There are some threads from this and last week about Solaris. You can find them in the mail archive for March. There are pointers to wikis and bugzillas in those threads. The bugzilla bugs have some extended info on how to configure Solaris clients. They were pretty detailed. Maybe they have the automount info you are looking for.
>
> > Regards,
> > Ben
> >
> > On Wed, Mar 11, 2015 at 7:32 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > On 03/11/2015 09:50 AM, Ben .T.George wrote:
> > > > HI, I am able to reach the level where an IPA user can log in on the Solaris box, but how can I create home directories automatically on Solaris when an IPA user logs in? Even when I change the shell in the IPA web interface, that takes effect. I saw some option in the IPA 3.3 web interface like automount, and that is not in IPA 4.1.2.
> > >
> > > All the options are still there. The menus got re-arranged a bit. Hopefully someone with Solaris knowledge will help you with the rest.
> > >
> > > > Please, anyone, tell me where it is and how I can achieve this.
> > > >
> > > > Regards,
> > > > Ben
> > >
> > > --
> > > Thank you,
> > > Dmitri Pal
> > > Sr. Engineering Manager IdM portfolio
> > > Red Hat, Inc.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] how can i create home directories automatically on solaris while IPA user login
HI, I am able to reach the level where an IPA user can log in on the Solaris box, but how can I create home directories automatically on Solaris when an IPA user logs in? Even when I change the shell in the IPA web interface, that takes effect. I saw some option in the IPA 3.3 web interface like automount, and that is not in IPA 4.1.2.

Please, anyone, tell me where it is and how I can achieve this.

Regards,
Ben
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
HI, thanks. Sure, this is the only place I can ask questions :) But I don't know where I am getting that basic authentication window from, like an .htaccess-based one. I think I got this window only when I tried from Chrome.

On Mon, Mar 9, 2015 at 2:21 PM, Martin Kosek <mko...@redhat.com> wrote:
> Ok, thanks for the information. I would still love to know the real root cause, but we will not find it now, I assume. If this issue re-appears, let us know :-)
>
> Thanks,
> Martin
>
> On 03/09/2015 09:10 AM, Ben .T.George wrote:
> > Hi Martin,
> >
> > Thanks for your reply. Yesterday I did a lot of this to fix this issue. The issue has been solved by kdestroy and re-initiating the ticket. After that I restarted the ipa service, and it worked.
> >
> > Regards,
> > Ben
> >
> > On Mon, Mar 9, 2015 at 10:57 AM, Martin Kosek <mko...@redhat.com> wrote:
> > > Thanks for all the data. So it looks like your browser properly forwards the session cookie, but it is not recognized on the server even though it was stored before. Especially these lines are strange:
> > >
> > > [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store session: session_id=4803e184cecb42f2e326391dbb09443d start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29 expiration_timestamp=2015-03-08T13:36:29
> > > ...
> > > [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> > > [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating empty session data
> > >
> > > We know that ipa_memcached is running. Can you please also check if there are no SELinux errors in /var/log/audit/audit.log preventing Apache from looking up the session data?
> > >
> > > Thanks,
> > > Martin
> > >
> > > On 03/08/2015 11:44 AM, Ben .T.George wrote:
> > > > I was inspecting the page and got the below response.
> > > >
> > > > http://s21.postimg.org/itv5hf0h3/asdasd.jpg
> > > > http://s3.postimg.org/f6knomt1f/Capture.jpg
> > > >
> > > > Please, anyone, help me to solve this issue. I just want to create one local user in IPA.
> > > >
> > > > On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> > > > > I enabled debugging mode in default.conf and this is what I am getting in error_log:
> > > > >
> > > > > [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client 172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/
> > > > > [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > > > > [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI login_password.__call__:
> > > > > [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_admin
> > > > > [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > > > [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
> > > > > [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > > > [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> > > > > [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > > > [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > > > [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T' '/var/run/ipa_memcached/krbcc_A_admin'
> > > > > [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > > > [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG: stdout=Password for admin@SOLARIS.LOCAL:
> > > > > [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
> > > > > [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > > > [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit: principal=admin@SOLARIS.LOCAL returncode=0, stderr=
> > > > > [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG: Cleanup the armor ccache
> > > > > [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > > > [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
> > > > > [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > > > [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> > > > > [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > > > [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> > > > > [Sun Mar 08 13:16:29.908647 2015] [:error
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
Hi Martin,

Thanks for your reply. Yesterday I did a lot of this to fix this issue. The issue has been solved by kdestroy and re-initiating the ticket. After that I restarted the ipa service, and it worked.

Regards,
Ben

On Mon, Mar 9, 2015 at 10:57 AM, Martin Kosek <mko...@redhat.com> wrote:
> Thanks for all the data. So it looks like your browser properly forwards the session cookie, but it is not recognized on the server even though it was stored before. Especially these lines are strange:
>
> [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store session: session_id=4803e184cecb42f2e326391dbb09443d start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29 expiration_timestamp=2015-03-08T13:36:29
> ...
> [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating empty session data
>
> We know that ipa_memcached is running. Can you please also check if there are no SELinux errors in /var/log/audit/audit.log preventing Apache from looking up the session data?
>
> Thanks,
> Martin
>
> On 03/08/2015 11:44 AM, Ben .T.George wrote:
> > I was inspecting the page and got the below response.
> >
> > http://s21.postimg.org/itv5hf0h3/asdasd.jpg
> > http://s3.postimg.org/f6knomt1f/Capture.jpg
> >
> > Please, anyone, help me to solve this issue. I just want to create one local user in IPA.
> >
> > On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> > > I enabled debugging mode in default.conf and this is what I am getting in error_log:
> > >
> > > [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client 172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/
> > > [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > > [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI login_password.__call__:
> > > [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_admin
> > > [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
> > > [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> > > [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T' '/var/run/ipa_memcached/krbcc_A_admin'
> > > [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG: stdout=Password for admin@SOLARIS.LOCAL:
> > > [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
> > > [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit: principal=admin@SOLARIS.LOCAL returncode=0, stderr=
> > > [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG: Cleanup the armor ccache
> > > [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> > > [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
> > > [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> > > [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> > > [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> > > [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> > > [Sun Mar 08 13:16:29.908647 2015] [:error] [pid 3004] ipa: DEBUG: found session data in cache with id=4803e184cecb42f2e326391dbb09443d
> > > [Sun Mar 08 13:16:29.908728 2015] [:error] [pid 3004] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name=FILE:/var/run/ipa_memcached/krbcc_3004 session_id=4803e184cecb42f2e326391dbb09443d
> > > [Sun Mar 08 13:16:29.908824 2015] [:error] [pid 3004] ipa: DEBUG: reading ccache data from file /var/run/ipa_memcached/krbcc_3004
> > > [Sun Mar 08 13:16:29.909319 2015] [:error] [pid 3004] ipa: DEBUG: get_credential_times: principal=krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
This is the error message I am getting in httpd/error_log:

[Sun Mar 08 13:02:02.965470 2015] [auth_kerb:error] [pid 2922] [client 172.16.107.250:60005] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/

On Sun, Mar 8, 2015 at 12:48 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> Hi, I checked the services and below is my output:
>
> [root@kwtpocpbis01 ipa_memcached]# ps -ef | grep ipa_memcached
> apache    2079     1  0 11:11 ?        00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
> root      2801  2504  0 12:48 pts/0    00:00:00 grep --color=auto ipa_memcached
>
> [root@kwtpocpbis01 ipa_memcached]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> smb Service: RUNNING
> winbind Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> > HI, I have FreeIPA 4.1.2 installed. My web UI always gives "Your session has expired. Please re-login." I even tried from a different computer and different browsers. How can I fix this?
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
Hi, I checked the services and below is my output:

[root@kwtpocpbis01 ipa_memcached]# ps -ef | grep ipa_memcached
apache    2079     1  0 11:11 ?        00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
root      2801  2504  0 12:48 pts/0    00:00:00 grep --color=auto ipa_memcached

[root@kwtpocpbis01 ipa_memcached]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> HI, I have FreeIPA 4.1.2 installed. My web UI always gives "Your session has expired. Please re-login." I even tried from a different computer and different browsers. How can I fix this?
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
access_timestamp=2015-03-08T13:16:29 expiration_timestamp=1970-01-01T03:00:00
[Sun Mar 08 13:16:29.922191 2015] [:error] [pid 3003] ipa: DEBUG: no ccache, need login
[Sun Mar 08 13:16:29.922265 2015] [:error] [pid 3003] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login

On Sun, Mar 8, 2015 at 1:02 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> This is the error message I am getting in httpd/error_log:
>
> [Sun Mar 08 13:02:02.965470 2015] [auth_kerb:error] [pid 2922] [client 172.16.107.250:60005] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/
>
> On Sun, Mar 8, 2015 at 12:48 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> > Hi, I checked the services and below is my output:
> >
> > [root@kwtpocpbis01 ipa_memcached]# ps -ef | grep ipa_memcached
> > apache    2079     1  0 11:11 ?        00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
> > root      2801  2504  0 12:48 pts/0    00:00:00 grep --color=auto ipa_memcached
> >
> > [root@kwtpocpbis01 ipa_memcached]# ipactl status
> > Directory Service: RUNNING
> > krb5kdc Service: RUNNING
> > kadmin Service: RUNNING
> > named Service: RUNNING
> > ipa_memcached Service: RUNNING
> > httpd Service: RUNNING
> > pki-tomcatd Service: RUNNING
> > smb Service: RUNNING
> > winbind Service: RUNNING
> > ipa-otpd Service: RUNNING
> > ipa-dnskeysyncd Service: RUNNING
> > ipa: INFO: The ipactl command was successful
> >
> > On Sun, Mar 8, 2015 at 10:54 AM, Ben .T.George <bentech4...@gmail.com> wrote:
> > > HI, I have FreeIPA 4.1.2 installed. My web UI always gives "Your session has expired. Please re-login." I even tried from a different computer and different browsers. How can I fix this?
[Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
HI, I have FreeIPA 4.1.2 installed. My web UI always gives "Your session has expired. Please re-login." I even tried from a different computer and different browsers. How can I fix this?
Re: [Freeipa-users] IPA web ui always giving Your session has expired. Please re-login.
I was inspecting the page and got the below response.

http://s21.postimg.org/itv5hf0h3/asdasd.jpg
http://s3.postimg.org/f6knomt1f/Capture.jpg

Please, anyone, help me to solve this issue. I just want to create one local user in IPA.

On Sun, Mar 8, 2015 at 1:17 PM, Ben .T.George <bentech4...@gmail.com> wrote:
> I enabled debugging mode in default.conf and this is what I am getting in error_log:
>
> [Sun Mar 08 13:16:18.204363 2015] [auth_kerb:error] [pid 3065] [client 172.16.107.250:60088] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error), referer: https://kwtpocpbis01.solaris.local/ipa/ui/
> [Sun Mar 08 13:16:29.849339 2015] [:error] [pid 3004] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Sun Mar 08 13:16:29.849458 2015] [:error] [pid 3004] ipa: DEBUG: WSGI login_password.__call__:
> [Sun Mar 08 13:16:29.849683 2015] [:error] [pid 3004] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_admin
> [Sun Mar 08 13:16:29.849830 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> [Sun Mar 08 13:16:29.849923 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/kwtpocpbis01.solaris.local@SOLARIS.LOCAL'
> [Sun Mar 08 13:16:29.868747 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> [Sun Mar 08 13:16:29.868858 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> [Sun Mar 08 13:16:29.868955 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> [Sun Mar 08 13:16:29.869120 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> [Sun Mar 08 13:16:29.869204 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kinit' 'admin@SOLARIS.LOCAL' '-T' '/var/run/ipa_memcached/krbcc_A_admin'
> [Sun Mar 08 13:16:29.902181 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> [Sun Mar 08 13:16:29.902269 2015] [:error] [pid 3004] ipa: DEBUG: stdout=Password for admin@SOLARIS.LOCAL:
> [Sun Mar 08 13:16:29.902278 2015] [:error] [pid 3004]
> [Sun Mar 08 13:16:29.902328 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> [Sun Mar 08 13:16:29.902427 2015] [:error] [pid 3004] ipa: DEBUG: kinit: principal=admin@SOLARIS.LOCAL returncode=0, stderr=
> [Sun Mar 08 13:16:29.902483 2015] [:error] [pid 3004] ipa: DEBUG: Cleanup the armor ccache
> [Sun Mar 08 13:16:29.902560 2015] [:error] [pid 3004] ipa: DEBUG: Starting external process
> [Sun Mar 08 13:16:29.902621 2015] [:error] [pid 3004] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
> [Sun Mar 08 13:16:29.908045 2015] [:error] [pid 3004] ipa: DEBUG: Process finished, return code=0
> [Sun Mar 08 13:16:29.908121 2015] [:error] [pid 3004] ipa: DEBUG: stdout=
> [Sun Mar 08 13:16:29.908173 2015] [:error] [pid 3004] ipa: DEBUG: stderr=
> [Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> [Sun Mar 08 13:16:29.908647 2015] [:error] [pid 3004] ipa: DEBUG: found session data in cache with id=4803e184cecb42f2e326391dbb09443d
> [Sun Mar 08 13:16:29.908728 2015] [:error] [pid 3004] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name=FILE:/var/run/ipa_memcached/krbcc_3004 session_id=4803e184cecb42f2e326391dbb09443d
> [Sun Mar 08 13:16:29.908824 2015] [:error] [pid 3004] ipa: DEBUG: reading ccache data from file /var/run/ipa_memcached/krbcc_3004
> [Sun Mar 08 13:16:29.909319 2015] [:error] [pid 3004] ipa: DEBUG: get_credential_times: principal=krbtgt/SOLARIS.LOCAL@SOLARIS.LOCAL, authtime=03/08/15 13:16:29, starttime=03/08/15 13:16:29, endtime=03/09/15 13:16:29, renew_till=01/01/70 03:00:00
> [Sun Mar 08 13:16:29.909415 2015] [:error] [pid 3004] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_3004 endtime=1425896189 (03/09/15 13:16:29)
> [Sun Mar 08 13:16:29.909538 2015] [:error] [pid 3004] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=1200 max_age=1425895889 expiration=1425810989.91 (2015-03-08T13:36:29)
> [Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store session: session_id=4803e184cecb42f2e326391dbb09443d start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29 expiration_timestamp=2015-03-08T13:36:29
> [Sun Mar 08 13:16:29.910004 2015] [:error] [pid 3004] ipa: DEBUG: release_ipa_ccache: KRB5CCNAME environment variable not set
> [Sun Mar 08 13:16:29.921259 2015] [:error] [pid 3003] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Sun Mar 08 13:16:29.921351 2015] [:error] [pid 3003] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
> [Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating empty session data
> [Sun Mar 08 13:16:29.921875 2015
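The pattern Martin singles out in this thread (a session stored by worker pid 3004 and then reported missing by worker pid 3003 a few milliseconds later) can be picked out of an httpd error_log mechanically rather than by eye. The following is an added example and is not FreeIPA code or anything posted in the thread; it assumes the Apache 2.4 error_log layout shown above, and its sample lines are constructed from the entries quoted in the thread plus one made-up healthy session.

```python
"""Find FreeIPA web UI sessions that were stored by one Apache worker and
then reported missing by another, from httpd error_log DEBUG lines.

Added example for this thread; not FreeIPA project code. It assumes the
Apache 2.4 error_log layout "[timestamp] [module] [pid N] message" and
uses only the Python standard library.
"""
import re
from datetime import datetime

# Apache 2.4 error_log prefix: timestamp, module tag, worker pid, message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+ \d{4})\] "
    r"\[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"
# The two ipa DEBUG messages that bracket the problem seen in the thread.
STORE_RE = re.compile(r"ipa: DEBUG: store session: session_id=(?P<sid>[0-9a-f]+)")
MISSING_RE = re.compile(r"ipa: DEBUG: no session data in cache with id=(?P<sid>[0-9a-f]+)")

# Constructed sample: the relevant entries quoted in the thread, followed by a
# made-up healthy session (id 0000...aaaa) that is stored and then found.
SAMPLE_LOG = """\
[Sun Mar 08 13:16:29.908348 2015] [:error] [pid 3004] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.909637 2015] [:error] [pid 3004] ipa: DEBUG: store session: session_id=4803e184cecb42f2e326391dbb09443d start_timestamp=2015-03-08T13:15:12 access_timestamp=2015-03-08T13:16:29 expiration_timestamp=2015-03-08T13:36:29
[Sun Mar 08 13:16:29.921519 2015] [:error] [pid 3003] ipa: DEBUG: found session cookie_id = 4803e184cecb42f2e326391dbb09443d
[Sun Mar 08 13:16:29.921731 2015] [:error] [pid 3003] ipa: DEBUG: no session data in cache with id=4803e184cecb42f2e326391dbb09443d, generating empty session data
[Sun Mar 08 13:16:29.922265 2015] [:error] [pid 3003] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
[Sun Mar 08 13:20:01.100000 2015] [:error] [pid 3004] ipa: DEBUG: store session: session_id=0000000000000000000000000000aaaa start_timestamp=2015-03-08T13:20:01 access_timestamp=2015-03-08T13:20:01 expiration_timestamp=2015-03-08T13:40:01
[Sun Mar 08 13:20:01.250000 2015] [:error] [pid 3003] ipa: DEBUG: found session data in cache with id=0000000000000000000000000000aaaa
"""


def parse_line(line):
    """Split one error_log line into (timestamp, pid, message).

    Returns None for lines without the Apache prefix (wrapped continuation
    lines, output of other tools) so callers can skip them safely.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("pid"), m.group("msg")


def find_lost_sessions(lines):
    """Report session ids that a worker stored and a later lookup could not find.

    "store session" followed by "no session data in cache" for the same id
    means the browser sent the cookie back and the server recognised it, but
    the session cache (ipa_memcached in this thread) did not return what had
    just been written; the UI then shows "Your session has expired" right
    after a successful login. Returns one dict per incident, in log order.
    """
    stored = {}  # session id -> (timestamp, pid) of the most recent store
    incidents = []
    for raw in lines:
        parsed = parse_line(raw.rstrip("\n"))
        if parsed is None:
            continue
        ts, pid, msg = parsed
        m = STORE_RE.search(msg)
        if m:
            stored[m.group("sid")] = (ts, pid)
            continue
        m = MISSING_RE.search(msg)
        if m and m.group("sid") in stored:
            store_ts, store_pid = stored.pop(m.group("sid"))
            incidents.append({
                "session_id": m.group("sid"),
                "stored_by_pid": store_pid,
                "missed_by_pid": pid,
                "gap_seconds": round((ts - store_ts).total_seconds(), 6),
                # Different pids mean the cache is shared across workers and
                # the write from one worker was not visible to the other.
                "cross_worker": store_pid != pid,
            })
    return incidents


if __name__ == "__main__":
    for hit in find_lost_sessions(SAMPLE_LOG.splitlines()):
        print("session %(session_id)s stored by pid %(stored_by_pid)s, "
              "missing for pid %(missed_by_pid)s %(gap_seconds).3fs later "
              "(cross-worker: %(cross_worker)s)" % hit)
```

Run it against a real error_log with `find_lost_sessions(open("/var/log/httpd/error_log"))`; the healthy made-up session in the sample is deliberately not reported, so a clean log yields an empty list.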
[Freeipa-users] how can i configure solaris10 as freeIPA 4.1.2 client
Hi list,

I have a working IPA server where AD users can log in to the IPA server. How can I configure Solaris 10 as an IPA 4.1.2 client? I saw many tutorials on the IPA domain and got confused. Which one do I need to follow? Currently I am trying with the x86 version of Solaris and later I need to try on SPARC based.

Regards,
Ben
[Freeipa-users] Trust is successful and getting error while creating groups.
Hi,

I have re-installed everything. My current versions are CentOS 7 with IPA 4.1. I followed this tutorial: http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

When I fetch, it went successfully:

[root@kwtpocpbis01 ~]# ipa trustdomain-find infra.com
  Domain name: infra.com
  Domain NetBIOS name: INFRA
  Domain Security Identifier: S-1-5-21-191287045-4012216658-3592112898
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------

When I went through "Allow access for users from AD domain to protected resources", I am getting errors:

[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users external map' ad_users_external --external
-----------------------------
Added group ad_users_external
-----------------------------
  Group name: ad_users_external
  Description: infra.com users external map
[root@kwtpocpbis01 ~]# ipa group-add --desc='infra.com users' ad_users
--------------------
Added group ad_users
--------------------
  Group name: ad_users
  Description: infra.com users
  GID: 64345
[root@kwtpocpbis01 ~]# ipa group-add-member ad_users_external --external 'INFRA\Domain Users'
[member user]:
[member group]:
  Group name: ad_users_external
  Description: infra.com users external map
  Failed members:
    member user:
    member group: INFRA\Domain Users: trusted domain object not found
-------------------------
Number of members added 0
-------------------------
[root@kwtpocpbis01 ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: infra.com users
  GID: 64345
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------

Please help me to solve this issue. The error below appears in httpd/error_log while trying: ipa group-add-member ad_users_external --external 'INFRA\Domain Users'

[Thu Mar 05 11:36:37.371594 2015] [:error] [pid 4090] ipa: WARNING: Search on AD DC kwtipaad001.infra.com:3268 failed with: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket not yet valid)
[Thu Mar 05 11:36:37.374280 2015] [:error] [pid 4090] ipa: INFO: [jsonserver_kerb] admin@SOLARIS.LOCAL: group_add_member(u'ad_users_external', ipaexternalmember=(u'INFRADomain Users',), all=False, raw=False, version=u'2.113', no_members=False): SUCCESS

Thanks,
Regards,
Ben