[Freeipa-users] I've done it by myself and it works -- Re: Feature request: Web UI for IPA users to reset their own expired passwords

2012-05-23 Thread Gelen James
I've coded it with python-kerberos and it works. Pretty rough though.

--Gelen.



 From: Gelen James hahaha_...@yahoo.com
To: freeipa-de...@redhat.com freeipa-de...@redhat.com 
Sent: Sunday, May 20, 2012 2:22 AM
Subject: Feature request:  Web UI for IPA users to reset their own expired 
passwords
 

The current assumption is that all IPA users can log in to Unix/Linux 
machines to change their IPA password, or reset their expired password. 

 But this is not always available, so a more general alternative -- a web 
UI -- would be appreciated. The basic requirements are:

 1. The web UI accepts the user's password; an expired password is also accepted.
 
 2. The authentication is based on IPA Kerberos.

 3. An authenticated regular IPA user can reset only his/her own password.

 4. (Bonus) Authenticated admin users can alter other users' passwords as well.


Thanks.

--Gelen

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [Freeipa-devel] I've done it by myself and it works -- Re: Feature request: Web UI for IPA users to reset their own expired passwords

2012-05-23 Thread Gelen James
No problem.

The code is attached. It is just one Python script, with configuration items at 
the top.

 Please be reminded that this code is pretty rough and not well tested, as I could 
not find appropriate documents on how to use the Python kerberos module.

 Disclaimer: This piece of code works only as a prototype; it is not well tested, 
nor DoS-attack proof at all, so it could potentially harm or totally destroy 
someone's authentication system. :(

Thanks.

--Gelen




 From: Rob Crittenden rcrit...@redhat.com
To: Gelen James hahaha_...@yahoo.com 
Cc: freeipa-de...@redhat.com freeipa-de...@redhat.com; 
freeipa-users@redhat.com freeipa-users@redhat.com 
Sent: Wednesday, May 23, 2012 12:14 PM
Subject: Re: [Freeipa-devel] I've done it by myself and it works -- Re: Feature 
request: Web UI for IPA users to reset their own expired passwords
 
Gelen James wrote:
 I've coded it with python-kerberos and it works. Pretty rough though.

Is this something you'd be interested in contributing?

rob



kchange.py
Description: Binary data
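
The four requirements quoted in this thread, worked through as an added example (mine, not the attached kchange.py and not FreeIPA code): the part of such a web endpoint that decides who may change which password and how often anyone may try against a given account. The KDC calls are injected so the code runs offline; the assumed production mapping is kerberos.changePassword(principal, old_pw, new_pw) from python-kerberos for the self-service path, and kerberos.checkPassword(...) plus an admin-privileged IPA call for the bonus path. REALM, ADMIN_PRINCIPALS and FakeKdc are assumptions or constructed stand-ins, not values from the post.

```python
"""Authorization and abuse-control core for a self-service Kerberos password
change endpoint. Added example, not the attached kchange.py. KDC calls are
injected so it runs offline; assumed production mapping (the post does not
say which python-kerberos calls it used):
  kpasswd      -> kerberos.changePassword(principal, old_pw, new_pw)
  authenticate -> kerberos.checkPassword(principal, pw, service, realm)
  admin_set    -> an admin-privileged IPA call (e.g. `ipa passwd`)
REALM and ADMIN_PRINCIPALS are assumed; FakeKdc is a constructed stand-in."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

REALM = "EXAMPLE.COM"                                # assumption
ADMIN_PRINCIPALS: Set[str] = {"admin@EXAMPLE.COM"}   # assumption


class KdcError(Exception):
    """The KDC rejected the request (wrong password, policy, unreachable)."""


class NotAuthorized(Exception):
    """The caller may not act on the requested principal."""


class RateLimited(Exception):
    """Too many attempts against one principal inside the window."""


def canonical(principal: str) -> str:
    """Normalise a user-supplied name to user@REALM. Forcing the local realm
    and refusing '/' keeps the form from being pointed at service principals
    or at foreign realms."""
    name, _, realm = principal.strip().partition("@")
    if not name or "/" in name:
        raise NotAuthorized("malformed principal")
    if realm and realm.upper() != REALM:
        raise NotAuthorized("foreign realm")
    return f"{name.lower()}@{REALM}"


@dataclass
class Limiter:
    """Sliding-window attempt counter keyed by target principal. Failures
    count too, so the form is not an online oracle for old passwords."""
    max_attempts: int = 5
    window: float = 300.0
    attempts: Dict[str, List[float]] = field(default_factory=dict)

    def hit(self, key: str, now: float) -> None:
        recent = [t for t in self.attempts.get(key, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            raise RateLimited(key)
        recent.append(now)
        self.attempts[key] = recent


@dataclass
class PasswordService:
    kpasswd: Callable[[str, str, str], None]    # (principal, old_pw, new_pw)
    authenticate: Callable[[str, str], bool]    # (principal, pw) -> valid?
    admin_set: Callable[[str, str], None]       # (principal, new_pw)
    limiter: Limiter = field(default_factory=Limiter)

    def change_password(self, actor: str, actor_pw: str, target: str,
                        new_pw: str, now: Optional[float] = None) -> str:
        """Return the canonical principal whose password was changed."""
        now = time.time() if now is None else now
        actor_p, target_p = canonical(actor), canonical(target)
        self.limiter.hit(target_p, now)
        if actor_p == target_p:
            # Requirements 1-3: the kpasswd exchange is the authentication.
            # The KDC issues the kadmin/changepw ticket even for an expired
            # password, so an expired user needs no separate login step.
            self.kpasswd(target_p, actor_pw, new_pw)
            return target_p
        # Requirement 4: acting on another principal needs a fresh, successful
        # authentication of the actor and membership in the admin set.
        if not self.authenticate(actor_p, actor_pw):
            raise KdcError("actor authentication failed")
        if actor_p not in ADMIN_PRINCIPALS:
            raise NotAuthorized(f"{actor_p} may only change its own password")
        self.admin_set(target_p, new_pw)
        return target_p


class FakeKdc:
    """Constructed in-memory stand-in for the KDC and IPA backend; it exists
    only so the example runs offline and says nothing about the real KDC."""

    def __init__(self, passwords: Dict[str, str]):
        self.passwords = dict(passwords)

    def kpasswd(self, principal: str, old_pw: str, new_pw: str) -> None:
        if self.passwords.get(principal) != old_pw:
            raise KdcError("preauthentication failed")
        self.passwords[principal] = new_pw

    def authenticate(self, principal: str, pw: str) -> bool:
        return self.passwords.get(principal) == pw

    def admin_set(self, principal: str, new_pw: str) -> None:
        self.passwords[principal] = new_pw


if __name__ == "__main__":
    kdc = FakeKdc({"alice@EXAMPLE.COM": "old-pw", "admin@EXAMPLE.COM": "adm-pw"})
    svc = PasswordService(kdc.kpasswd, kdc.authenticate, kdc.admin_set)
    print("changed:", svc.change_password("alice", "old-pw", "alice", "new-pw"))
    try:
        svc.change_password("alice", "new-pw", "bob", "x")
    except NotAuthorized as exc:
        print("refused:", exc)
```

Two things a reviewer of a script like kchange.py would look for are visible here: on the self-service path the principal whose password is changed is the one whose old password the KDC verifies, forced into the local realm, so a form field cannot redirect the change to someone else; and every attempt, successful or not, counts against the target account, which is the abuse control the post's disclaimer says the prototype lacks.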

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-21 Thread Gelen James
Hi Rob,

Just wondering whether you guys have abandoned IPA 2.1.3 users on Red Hat 6.2 or 
not. :(

The IPA replication/restoration procedure/document request was submitted 
more than a week ago, but I cannot see any meaningful work done for 
customers, although IPA replication and restoration is so vital to users' 
production IPA reliability! 

Even after I've done a lot of investigation work and asked for 
help/suggestions, there is still not much attention paid by you guys. Am I, 
or any other user here, just unpaid IPA QA staff who can be ignored 
for no reason? :)

 I've mentioned this again and again, urging the IPA team to set up a typical 
user setup, because only that way can you see what problems IPA 
administrators/users are facing and scared of.  But unfortunately, we don't 
have the feeling that you have done so. 
  
 Thanks.

--Gelen




Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-20 Thread Gelen James
Hi Dmitri, Rob and all.

 Thanks for your instructions. I've performed your steps for case #1: replacing 
a failed IPA master.  The results, and my confusion and questions, are all 
detailed below. In general, please set up your own real test environment, and 
write down the detailed steps one by one clearly.

 It took me more than one week and I still have no clue. Frankly, your steps in 
the former email are kind of over-simplified for normal IPA users, and do not 
cover how the CA LDAP backend will be handled.

The problem is the CA backend. All the replicas are still trying to sync to the 
old failed IPA master, even after a reboot.  

Could it be that 'ipa-replica-manage' only manages the user data replication, 
and 'ipa-csreplica-manage' only handles CA-end replication? In other words, 
when building, or tearing down, IPA replication between two servers, do we need 
to deal with both replication types, with 'ipa-replica-manage' AND 
'ipa-csreplica-manage'? If so, then which should run first?

The error messages in /var/log/dirsrv/slapd-PKI-IPA/errors are attached; the 
same appears on the B, C, D replicas. 

[19/May/2012:19:40:48 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[19/May/2012:19:40:48 -0700] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[19/May/2012:19:40:48 -0700] - Listening on All Interfaces port 7390 for LDAPS 
requests
[19/May/2012:19:40:50 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:40:50 -0700] NSMMReplicationPlugin - 
agmt=cn=cloneAgreement1-B.example.com-pki-ca (A:7389): Replication bind 
with SIMPLE auth failed: LDAP error -1 (Can't contact LDAP server) ((null))
[19/May/2012:19:40:57 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:03 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:15 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:41:39 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:42:27 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:44:03 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[19/May/2012:19:47:15 -0700] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server)
[root@B ~]#  

After seeing the above messages, I tried to run similar commands for CA 
replication; it shows that the replication agreement (which replication 
agreement? User data, or CA data??) exists already.

on B,
 
ipa-csreplica-manage connect C
ipa-csreplica-manage connect D
ipa-csreplica-manage del A --force
ipactl restart 

on C, 
ipa-csreplica-manage del A --force
ipactl restart 

on D,
ipa-csreplica-manage del A --force
ipactl restart 


[root@B ~]# ipa-csreplica-manage --password=xxx connect C.example.com
This replication agreement already exists.
[root@B ~]# 

[root@B ~]# ipa-csreplica-manage --password=xxx connect D.example.com
This replication agreement already exists.
[root@B ~]# 

[root@B ~]# ipa-csreplica-manage --password=xxx del C.example.com --force
Unable to connect to replica A.example.com, forcing removal
Failed to get data from 'A.example.com': Can't contact LDAP server
Forcing removal on 'B.example.com'
[root@B ~]# 



After restarting IPA services on B, C, D, the error messages finally 
went away from the CA errors log file. 

But we still cannot find the CA replication setup. Please see the difference 
in output from 'ipa-replica-manage' and 'ipa-csreplica-manage':

[root@B ~] ipa-replica-manage list
B.example.com
C.example.com
D.example.com

[root@B ~] ipa-csreplica-manage list
B.example.com
C.example.com
D.example.com

[root@B ~] ipa-replica-manage list B.example.com
C.example.com
D.example.com

[root@B ~] ipa-csreplica-manage list B.example.com
## Nothing at all!

Please have a check and give the correct commands and sequence for us IPA users. 
It is such a pain to spend so much time and still not get restoration working as 
expected.  Even worse, I have no idea how 'ipa-replica-manage' and 
'ipa-csreplica-manage' work together behind the scenes.

Thanks a lot.

--Gelen






 From: Rob Crittenden rcrit...@redhat.com
To: Robinson Tiemuqinke hahaha_...@yahoo.com 
Cc: Freeipa-users@redhat.com Freeipa-users@redhat.com; Rich Megginson 
rmegg...@redhat.com; Dmitri Pal d...@redhat.com 
Sent: Tuesday, May 15, 2012 9:57 AM
Subject: Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas 
from daily IPA Replica setup???
 
Robinson Tiemuqinke wrote:
 Hi Dmitri, Rich and all,

 I am a newbie to Red Hat IPA. It looks pretty cool compared with
 other solutions I've tried before. Thanks a lot for this 
Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-20 Thread Gelen James
Rebuilding the old IPA master A is a half success too. The error also happens on 
the CA replication side. 

After replica preparation on replica B, nuking and reinstalling old A, and 
creating A from the replica info file prepared on B, the user LDAP replication 
works fine, while the CA replication is broken terribly. The error messages on A 
in the file /var/log/dirsrv/slapd-PKI-IPA/errors are pasted below:

[20/May/2012:01:17:36 -0700] - 389-Directory/1.2.9.16 B2012.023.214 starting up
[20/May/2012:01:17:36 -0700] NSMMReplicationPlugin - 
replica_check_for_data_reload: Warning: data for replica o=ipaca does not match 
the data in the changelog (replica data (4fb8a7f300040443)  changelog 
(4fb84ba70056)). Recreating the changelog file. This could affect 
replication with replica's consumers in which case the consumers should be 
reinitialized.
[20/May/2012:01:17:37 -0700] - slapd started.  Listening on All Interfaces port 
7389 for LDAP requests
[20/May/2012:01:17:37 -0700] - Listening on All Interfaces port 7390 for LDAPS 
requests
[root@A ~]# 

Checking the RUV records shows a number that is too big: 1091, while all the 
others are smaller than 100. There are no RUV records to delete/clear.

dn: nsuniqueid=---,o=ipaca
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb8187f0060
nsds50ruv: {replica 97 ldap://B.example.com:7389} 4fb8188600
 61 4fb8a7ca00010061
nsds50ruv: {replica 1091 ldap://A.example.com:7389} 4fb8a7c60001044
 3 4fb8a8a900010443
nsds50ruv: {replica 91 ldap://C.example.com:7389} 4fb81f5400
 5b 4fb84db6005b
nsds50ruv: {replica 86 ldap://D.example.com:7389} 4fb821a600
 56 4fb84ba70056
o: ipaca 
nsruvReplicaLastModified: {replica 97 ldap://B.example.com:7389}
  4fb8a7c7
nsruvReplicaLastModified: {replica 1091 ldap://A.example.com:7389} 
 4fb8a8a6
nsruvReplicaLastModified: {replica 91 ldap://C.example.com:7389}
  
nsruvReplicaLastModified: {replica 86 ldap://D.example.com:7389}
  

Please advise. Thanks.

--Gelen





 




[Freeipa-users] HBAC rules take in effect on IPA clients immediately after installation?

2012-05-18 Thread Gelen James
Hi all,

 Just to clarify my confusion: are the HBAC (Host Based Access Control) 
rules in effect immediately after the IPA client software is configured through 
sssd? Do we have any options inside sssd.conf to enable/disable the HBAC rules 
per machine (inside the IPA domain)? I have this question because some important 
servers need to be available all the time, even though badly written HBAC rules 
could block access to all other servers.

 Another very closely related question is: what are the scenarios for using the 
'--permit' option of 'ipa-client-install'? The manual says 'Configure SSSD to 
permit all access. Otherwise the machine will be controlled by the Host-based 
Access Controls (HBAC) on the IPA server.' So is this the solution to the above 
problem? 

 Thanks a lot.

--Gelen

[Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Gelen James
Hi all,

 Are the sudo rules applied to IPA clients through nss_ldap, instead of sssd? 

 I tried that on Red Hat 6.2 clients, and some documents said that sudo rules 
would work when enabled inside /etc/nslcd.conf, but we need to hack the script 
/etc/init.d/nslcd.conf a little bit -- basically to work around the sudo config 
statement before/after the nslcd daemon runs, as the latter still cannot handle 
sudo statements very well.

 Then on 5.8, where the nslcd daemon is not available, should we edit 
/etc/ldap.conf for nss_ldap, and how? Please shed some light on this. Thanks a lot.

--Gelen.

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-18 Thread Gelen James
Hi Stephen,

 That's very helpful. Thanks a lot.

--Gelen



 From: Stephen Ingram sbing...@gmail.com
To: Gelen James hahaha_...@yahoo.com 
Cc: freeipa-users@redhat.com freeipa-users@redhat.com; Rob Crittenden 
rcrit...@redhat.com; Rich Megginson rmegg...@redhat.com 
Sent: Friday, May 18, 2012 2:58 PM
Subject: Re: [Freeipa-users] sudo rules in IPA infrastructure
 
On Fri, May 18, 2012 at 2:35 PM, Gelen James hahaha_...@yahoo.com wrote:
 Hi all,

  Are the sudo rules applied to IPA clients through nss_ldap, instead of
 sssd?

  I tried that on Redhat 6.2 clients, and some documents said that sudo rules
 would work when enabled inside /etc/nslcd.conf, but we need to hack the
 script /etc/init.d/nslcd.conf a little bit -- basically to mess around the
 sudo config statement before/after nslcd daemon runs as the latter still can
 not handle sudo statements very well.

I just got sudo setup on 6.2. You do use /etc/nslcd.conf, but you
don't have to install the nslcd daemon to get it working. It just
looks to that file for the config. So remove nslcd and then just
create the /etc/nslcd.conf from scratch and put in what they specify
on the documentation. Make all of the other changes they mention and
it will just work!

  Then on 5.8, where nslcd daemon is not available, should we edit
 /etc/ldap.conf for nss_ldap and how? Please shed a light on this. Thanks a
 lot.

Type sudo -V to be sure, but look for the ldap.conf path (on my 5.8 it
is /etc/ldap.conf). I haven't set this up yet, but I assume that you
can just add the config mentioned in the docs to ldap.conf along with
all of the other changes and you're off. As it worked perfectly on
6.2, I'm guessing it will also work on 5.8.

You can look through bugzilla and see the various discussions about
all of this, but suffice it to say there has been a fair amount of
discussion as to where to locate this sudo ldap config. I think it is
headed for /etc/ldap.sudo or something like that in 6.3, but as long
as you put it where sudo is looking for it, everything should work.

If you still can't get it to work, Adam Young has written a script
that you can look at to explain the process:
http://adam.younglogic.com/2011/03/centralized-sudo-with-freeipa/.

Steve

Re: [Freeipa-users] Please help: What the purposes of '--usercat' and '--hostcat' options to IPA net groups?

2012-05-15 Thread Gelen James
Hi Sumit, 


 Thanks for your quick reply.
 
 In the chapter 
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/migrating-from-nis.html#nis-import-netgroups,
 the netgroup migration script sets the '--usercat' and '--hostcat' options on IPA 
netgroups through the 'ipa netgroup-mod' command.

More specifically, when IPA imports host-based netgroups with triples like 
(hostA,-,-), (hostB,-,-), the new IPA netgroups are set up with the option 
'--usercat=all'. Does that mean that if this IPA netgroup is used in an HBAC rule, 
then the rule will apply to all users on hostA and hostB? Am I right? :)

BTW, do I have to turn on the '--usercat' option for NIS netgroup migration? 
The HBAC rules are defined on hosts/hostgroups, and no NIS groups are 
involved, right? I may be completely wrong here.

Thanks.

--Gelen








 From: Sumit Bose sb...@redhat.com
To: freeipa-users@redhat.com 
Sent: Tuesday, May 15, 2012 1:48 AM
Subject: Re: [Freeipa-users] Please help: What the purposes of '--usercat' and 
'--hostcat' options to IPA net groups?
 
On Mon, May 14, 2012 at 07:57:06PM -0700, David Copperfield wrote:
 Hi all,
 
  The online manual says that the '--usercat' means 'User category the rule 
 applies to';  '--hostcat' has the similar explanation. But I still don't 
 understand how that could be used in real life and when/where to use the 
 options.
 
  Could anyone please shed a light on this? Thanks a lot.

iirc these options were introduced with host based access control
(HBAC) and are used to identify categories/classes of users and hosts
in a more general way than using groups or IP address ranges. I think
currently only the keyword 'all' can be used here, which e.g. means that
an HBAC rule will match for all users or all hosts. In future it is
planned to support other categories, e.g. something like 'local' and
'remote', which would catch all users/hosts of the local IPA domain or
all users/groups which are coming from remote domains, respectively.

HTH

bye,
Sumit

 
 --David


[Freeipa-users] Thanks -- Re: Bug or feature regarding External Host in IPA net groups?

2012-05-15 Thread Gelen James
Hi Rob,

 Thanks a lot for confirming the effect and for the clear and plain explanation of 
the 'external host' idea. I've filed a feature-request type bug as you 
recommended.  The bug link is here for your reference: Bug 821907 - Feature 
Request: convert once External Hosts into Member Hosts after 
ipa-client-install.

 I'll follow your steps to test the replication recovery on another thread now.

Thanks again for your help.

--Gelen.





 From: Rob Crittenden rcrit...@redhat.com
To: Gelen James hahaha_...@yahoo.com 
Cc: d...@redhat.com d...@redhat.com; Freeipa-users@redhat.com 
Freeipa-users@redhat.com 
Sent: Tuesday, May 15, 2012 9:41 AM
Subject: Re: [Freeipa-users] Bug or feature regarding External Host in IPA net 
groups?
 

An external host is one that is never expected to be added as a host in 
IPA, however we don't prevent it. There is no reconciliation done if an 
external host is added as an IPA host, as you've seen. If you'd like 
this please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this 
will prevent a bare name or not I'm not sure. I don't know why we would 
care whether it was fully qualified or not, though yeah, it appears we 
are automatically adding the domain. I tested this in 2.2 and it worked 
as expected, a bare name was deletable.

rob

[Freeipa-users] Bug or feature regarding External Host in IPA net groups?

2012-05-14 Thread Gelen James


Hi all,

  Not sure whether it is a bug or a feature, but when I evaluated IPA 
netgroups, the 'external host' feature brought me some unexpected results. I'll 
list them below -- I am running IPA 2.1.3-9 on Red Hat 6.2.

 1, When I added a host to an IPA netgroup in command-line mode, 'ipa 
netgroup-add-member netgroup  --hosts=client', and the host was not yet 
installed/configured as an IPA client, it showed up in the 'external host' 
category in the output of the 'ipa netgroup-find netgroup' command.
 
  The 'external host' doesn't show up in the web interface for the IPA netgroup. 
But it does show up when running 'ipa netgroup-find', or even 'getent netgroup' 
through sssd.

2, After the 'external host' is configured as an IPA client -- 'ipa user-find 
client' proves it -- it is still reported as an 'external host' by the command 'ipa 
netgroup-find', and still does not show up in the web interface either. Could this 
be a bug?

3, Because of #2 above, when this machine is reconfigured and removed with 
'ipa user-del client', it still shows up in the containing netgroups and nested 
netgroups, and has to be removed manually. :(

4, This could be a real bug: you can add an 'external host' with either a 
host's bare name or its FQDN. Then after the machine is installed, and you 
would like to remove it from the 'external host' category with the command 'ipa 
user-del client', it will remove the FQDN entry only, and leave the bare 
name there forever, until you delete the whole containing netgroup!

[root@ipaclient02 ~]# ipa netgroup-find external-ng
---
1 netgroups matched
---
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com


Number of entries returned 1


[root@ipaclient02 ~]# getent netgroup external-ng
external-ng           (dnsmaster.example.com, -, example.com) 
(ipaclient02.mac.example.com, -, example.com)

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
---
Number of members removed 1
---

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
  Failed hosts/hostgroups: 
    member host: ipaclient02.example.com: This entry is not a member
---
Number of members removed 0
---
[root@ipaclient02 ~]# 

--Gelen
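A small hygiene check, added here as an example and not code from the thread or from FreeIPA: it parses `ipa netgroup-find` output in the layout shown above and flags the two leftovers the post describes, a bare name duplicating an FQDN entry and an enrolled host still listed as external. The sample output and the enrolled-host set are constructed.

```python
"""Flag stale 'External host' entries in `ipa netgroup-find` output.
Added example, not code from the thread or from FreeIPA: it reports a bare
hostname that duplicates an FQDN entry, and an external host that is already
an enrolled IPA host, the two leftovers the post describes."""
import re

# Constructed sample in the same layout as the post's `ipa netgroup-find` output.
SAMPLE_OUTPUT = """\
---
1 netgroups matched
---
  Netgroup name: external-ng
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
"""

# Constructed: FQDNs of hosts currently enrolled as IPA clients.
ENROLLED_FQDNS = {"ipaclient02.mac.example.com"}

def parse_netgroups(text):
    """Map each netgroup name to its list of 'External host' entries."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Netgroup name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s*External host:\s*(.*)", line)
        if m and current is not None:
            groups[current] = [h.strip() for h in m.group(1).split(",") if h.strip()]
    return groups

def stale_external_hosts(groups, enrolled_fqdns):
    """Return (netgroup, host, reason) tuples an admin should review."""
    findings = []
    for ng, hosts in groups.items():
        short_names = {h.split(".")[0] for h in hosts if "." in h}  # labels of FQDN entries
        for h in hosts:
            if "." not in h and h in short_names:
                findings.append((ng, h, "bare name duplicates an FQDN entry"))
            elif h in enrolled_fqdns:
                findings.append((ng, h, "enrolled IPA host still listed as external"))
    return findings

if __name__ == "__main__":
    for finding in stale_external_hosts(parse_netgroups(SAMPLE_OUTPUT), ENROLLED_FQDNS):
        print(": ".join(finding))
```

Feed it the real output of `ipa netgroup-find` and the FQDN list from `ipa host-find` to spot entries that need `ipa netgroup-remove-member` by their exact stored name.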

Re: [Freeipa-users] Please help: How to restore IPA Master/Replicas from daily IPA Replica setup???

2012-05-14 Thread Gelen James
Hi Dimitri,

 Thanks a lot for your offer. It will be more than appreciated if Rob, or some 
other talented genius, could wiki the steps. The more details, the sooner, 
the better. It will help the IPA project and its users dramatically, 
especially for newbies like me. :)

Thanks again to you, Rob and others for the coming documentation work.


--Gelen. 



 From: Dmitri Pal d...@redhat.com
To: Robinson Tiemuqinke hahaha_...@yahoo.com 
Cc: Freeipa-users@redhat.com Freeipa-users@redhat.com; Rich Megginson 
rmegg...@redhat.com 
Sent: Monday, May 14, 2012 1:20 PM
Subject: Re: Please help: How to restore IPA Master/Replicas from daily IPA 
Replica setup???
 

On 05/14/2012 03:48 PM, Robinson Tiemuqinke wrote: 
Hi Dmitri, Rich and all,


 I am a newbie to Red Hat IPA. It looks pretty cool compared with other 
solutions I've tried before. Thanks a lot for this great product! :)


 But there are still some things I need your help with. My main question is: 
how to restore the IPA setup from a daily machine-level IPA replica backup?


 Please let me explain my IPA setup background and the backup/restore goals I'm 
trying to reach:


 I'm running IPA 2.1.3 on Red Hat Enterprise 6.2. The IPA master is set up with 
the Dogtag CA system. It is installed first. Then two IPA replicas are 
installed -- with the '--setup-ca' option -- for load balancing and failover 
purposes.


 To describe my problems/objectives, I'll name the IPA master machine A, and 
the IPA replicas B and C. Now I have one more extra IPA replica 'D' (virtual 
machine) set up ONLY for backup purposes.
  
  The setup looks like the following: A is the configuration hub; B, C, D are 
siblings.


    A
   /  |  \   
 B  C  D


 The following are the steps I use to back up the IPA setup and LDAP backends 
daily -- it is a whole machine-level backup (through virtual machine D).


1, First, IPA replica D is backed up daily. The backup happens like this: 


   1.1 On IPA replica D, run 'service IPA stop'. Then run 'shutdown -h D'.  
On the hypervisor which holds virtual machine D, do a daily backup of the 
whole virtual disk that D is on. 
   1.2 Turn on IPA replica D again.
   1.3 After virtual machine D is up, on D optionally run 
'ipa-replica-manage --force-sync --from A' to sync the IPA databases 
forcibly.


Now comes the restore part, which is pretty confusing to me. I've tried several 
times, and every time I run into this or that kind of issue, so I am 
wondering whether the correct steps/interaction of IPA master/replicas are the 
king :(


 2, Case #1: A is broken, like a disk failure, and then re-imaged after several 
days.


   2.1  How to rebuild the IPA master/hub A after A is re-imaged, with the 
daily backup from IPA replica D?

   2.2  Do I have to check some files on A into subversion immediately after A 
was initially installed?
   2.3  Please describe the steps. I'll follow exactly and report the results.


3, Case #2: A is working, but either B or C is broken.


  3.1 It looks like I don't need the daily backup of D to kick in, is that 
right?
  3.2 What are the correct steps on A, and on B after it is re-imaged?
  3.3  Please describe the steps. I'll follow exactly and report the results.


4, Case #3: some unexpected IPA changes happen on A -- like all users being 
deleted by human mistake -- and, even worse, all the changes are 
propagated to B and C in minutes.


  4.1 How can I recover the IPA setup from the daily backup from D?
  4.2 Which IPA master/replicas should I recover first? IPA master A, or IPA 
replicas B/C? And then how to recover the others, one by one?
  4.3 Do I have to disconnect the replication agreements of B, C, D from A first?  
  4.4  Please describe the steps. I'll follow exactly and report the results.


 I've heard something about tombstone records too; not sure whether the 
problem still exists in 2.1.3, or 2.2.0 (on 6.3 Beta)? If so, how can I avoid it 
with correct recovery steps/interactions.


Thanks a lot. 


--Gelen.
I can explain it conceptually. Rob is probably best to define the
exact sequence and commands.

If your A is broken, you reinstall it, make it connect to D and init
(force sync) A from D. Now you have a new A.

If B or C dies, you just re-install B or C and init from A.

If you lost a lot of data, I suggest you start a saved D instance and
force-sync A from it and then force sync B and C from A.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs? www.redhat.com/carveoutcosts/