Re: [Freeipa-users] 'NoneType' object is not iterable when removing broken ipa-server replica

2017-04-12 Thread Jake
8:53:23.079034 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 136, in __init__
[Wed Apr 12 08:53:23.079037 2017] [:error] [pid 19176] self.graphs = 
_create_topology_graphs(self.api)
[Wed Apr 12 08:53:23.079040 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 100, in 
_create_topology_graphs
[Wed Apr 12 08:53:23.079043 2017] [:error] [pid 19176] suffix_to_masters = 
map_masters_to_suffixes(masters)
[Wed Apr 12 08:53:23.079045 2017] [:error] [pid 19176]   File 
"/usr/lib/python2.7/site-packages/ipaserver/topology.py", line 83, in 
map_masters_to_suffixes
[Wed Apr 12 08:53:23.079048 2017] [:error] [pid 19176] for suffix_name in 
managed_suffixes:
[Wed Apr 12 08:53:23.079050 2017] [:error] [pid 19176] TypeError: 'NoneType' 
object is not iterable


Thanks,


- Original Message -
From: "Rob Crittenden" 
To: "Jake" , "freeipa-users" 
Sent: Tuesday, April 11, 2017 5:27:51 PM
Subject: Re: [Freeipa-users] 'NoneType' object is not iterable when removing 
broken ipa-server replica

Jake wrote:
> Help!
> I'm having issues removing a bad replica.
> 
> Every time I run:
> 
> ipa-replica-manage del ipa01.example.com
> or
> ipa-replica-manage del --force ipa01.example.com
> 
> I get an error: 'NoneType' object is not iterable
> 
> if I try to remove it from the web interface:
> 
> 
> IPA Error 903: InternalError
> 
> an internal error has occurred

I wonder if a traceback is logged in /var/log/httpd/error_log

> They're removed from hosts, but I cannot get them out of the existing
> topology

Not sure what you mean here.

> 
> Is there a "purge this host" button that removes it, ignoring errors if
> it's already missing.

--force ignores some errors, but not unknown errors like this.

What version of IPA is this?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

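The traceback above fails inside `map_masters_to_suffixes`, where one master's suffix list is None, so the topology graph cannot be built for any suffix and both `ipa-replica-manage del` and the web UI hit the same InternalError. The following added example (not FreeIPA's code) models that failure mode with constructed master entries; `managed_suffixes` is a placeholder key standing in for whichever LDAP attribute holds a master's suffix list.

```python
"""Model of the topology-graph failure behind the traceback above.

Added example, not FreeIPA's own code. Each master is a constructed dict
with its 'cn' and a 'managed_suffixes' list; the key is a placeholder for
whichever LDAP attribute carries the list of suffixes a master replicates.
"""
from collections import defaultdict

# Constructed sample: ipa01 is the replica being removed; its entry yields
# no suffix list (None), the other two masters are intact.
MASTERS = [
    {"cn": "ipa02.example.com", "managed_suffixes": ["domain", "ca"]},
    {"cn": "ipa01.example.com", "managed_suffixes": None},
    {"cn": "ipa03.example.com", "managed_suffixes": ["domain"]},
]


def map_masters_naive(masters):
    """Mirror the failing loop: iterate every master's suffix list.

    A None list raises TypeError in the middle of graph construction, so the
    whole topology is unusable: 'del' from the CLI and the web UI both hit
    the same error, and --force does not cover it because nothing caught it.
    """
    suffix_to_masters = defaultdict(list)
    for master in masters:
        for suffix_name in master["managed_suffixes"]:  # None -> TypeError
            suffix_to_masters[suffix_name].append(master["cn"])
    return dict(suffix_to_masters)


def naive_error(masters):
    """Return the TypeError message the naive mapping raises, or None."""
    try:
        map_masters_naive(masters)
    except TypeError as exc:
        return str(exc)
    return None


def map_masters_defensive(masters):
    """Build the same map but isolate masters without a suffix list.

    Returns (suffix_to_masters, broken) so the caller can still operate on
    the healthy part of the topology and name the entry that needs cleanup
    instead of surfacing a bare InternalError.
    """
    suffix_to_masters = defaultdict(list)
    broken = []
    for master in masters:
        suffixes = master.get("managed_suffixes")
        if suffixes is None:
            broken.append(master["cn"])
            continue
        for suffix_name in suffixes:
            suffix_to_masters[suffix_name].append(master["cn"])
    return dict(suffix_to_masters), broken


if __name__ == "__main__":
    print("naive:", naive_error(MASTERS))
    graph, broken = map_masters_defensive(MASTERS)
    print("defensive:", graph, "broken masters:", broken)
```

The defensive variant returns the same map for the healthy masters and names the entry that needs cleanup, which is the information the bare InternalError hides.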


[Freeipa-users] 'NoneType' object is not iterable when removing broken ipa-server replica

2017-04-11 Thread Jake
Help! 
I'm having issues removing a bad replica. 

Every time I run: 

ipa-replica-manage del ipa01.example.com 
or 
ipa-replica-manage del --force ipa01.example.com 

I get an error: 'NoneType' object is not iterable 

if I try to remove it from the web interface: 

IPA Error 903: InternalError 


an internal error has occurred 

They're removed from hosts, but I cannot get them out of the existing topology 

Is there a "purge this host" button that removes it, ignoring errors if it's 
already missing. 


Thanks Always, 
-Jake 

[Freeipa-users] attrlist_replace - attr_replace (nsslapd-referral ????

2017-03-08 Thread Jake
I have no idea what this means but it is causing issues with a replica 

Mar 07 10:27:02 dc2-rd-ipa01.ipa.example.com ns-slapd[2266]: 
[07/Mar/2017:10:27:02.158131947 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://dc1-rd-ipa01.ipa.example.com:389/dc%3Dipa%2Cdc%3Dexample%2Cdc%3Dcom) 
failed. 
Mar 07 10:27:02 dc2-rd-ipa01.ipa.example.com ns-slapd[2266]: 
[07/Mar/2017:10:27:02.161287591 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://dc1-rd-ipa01.ipa.example.com:389/dc%3Dipa%2Cdc%3Dexample%2Cdc%3Dcom) 
failed. 
Mar 07 10:27:02 dc2-rd-ipa01.ipa.example.com ns-slapd[2266]: 
[07/Mar/2017:10:27:02.163705427 -0500] attrlist_replace - attr_replace 
(nsslapd-referral, 
ldap://dc1-rd-ipa01.ipa.example.com:389/dc%3Dipa%2Cdc%3Dexample%2Cdc%3Dcom) 
failed. 


dc1-rd-ipa.example.com = primary original server 
dc2-rd-ipa.example.com = replica 

Any direction is appreciated; I went and reloaded this replica and am receiving 
this same error afterwards. 

All servers running 4.4.0, most were upgraded from 4.2.0 

Thanks, 
-Jake 

Re: [Freeipa-users] Insufficient privileges to promote the server. (ipa replica 4.4.0 / centos7.3)

2017-03-07 Thread Jake
Dropped the '-p admin' and now it works; first time I've had that happen. 

Thanks 


From: "Martin Basti"  
To: "Jake" , "freeipa-users" 
 
Sent: Tuesday, March 7, 2017 12:57:13 PM 
Subject: Re: [Freeipa-users] Insufficient privileges to promote the server. 
(ipa replica 4.4.0 / centos7.3) 

On 07.03.2017 18:36, Jake wrote: 

dirserv wasn't running and couldn't get running so I went to rebuild the 
replica and now I get this? 

replica is a fresh install, I removed the replica from ipa with 

$ ipa-replica-manage del dc1-rd-ipa02.ipa.example.com --force --cleanup 
on the master c05-rd-ipa01.ipa.example.com 

2017-03-07T17:32:18Z DEBUG Created connection context.ldap2_85375504 
2017-03-07T17:32:18Z DEBUG raw: domainlevel_get(version=u'2.213') 
2017-03-07T17:32:18Z DEBUG domainlevel_get(version=u'2.213') 
2017-03-07T17:32:18Z DEBUG flushing [ ldaps://c05-rd-ipa02.ipa.example.com | 
ldaps://c05-rd-ipa02.ipa.example.com ] from SchemaCache 
2017-03-07T17:32:18Z DEBUG retrieving schema for SchemaCache url= [ 
ldaps://c05-rd-ipa02.ipa.example.com | ldaps://c05-rd-ipa02.ipa.example.com ] 
conn= 
2017-03-07T17:32:18Z DEBUG raw: hostgroup_find(None, cn=u'ipaservers', 
version=u'2.213', host=[u'dc1-rd-ipa02.ipa.example.com']) 
2017-03-07T17:32:18Z DEBUG hostgroup_find(None, cn=u'ipaservers', all=False, 
raw=False, version=u'2.213', no_members=True, pkey_only=False, 
host=(u'dc1-rd-ipa02.ipa.example.com',)) 
2017-03-07T17:32:18Z DEBUG Destroyed connection context.ldap2_85375504 
2017-03-07T17:32:18Z DEBUG File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute 
return_value = self.run() 
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in 
run 
cfgr.run() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in 
run 
self.validate() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in 
validate 
for nothing in self._validator(): 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in 
__runner 
self._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in 
__runner 
step() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in 
run_generator_with_yield_from 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in 
run_generator_with_yield_from 
value = gen.send(prev_value) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in 
_configure 
next(validator) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in 
__runner 
self._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in 
_handle_exception 
self.__parent._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in 
_handle_exception 
super(ComponentBase, self)._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in 
__runner 
step() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in 
run_generator_with_yield_from 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in 
run_generator_with_yield_from 
value = gen.send(prev_value) 
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install 
for nothing in self._installer(self.parent): 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1712, in main 
promote_check(self) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 364, in decorated 
func(installer) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 386, in decorated 
func(installer) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1311, in promote_chec

[Freeipa-users] Insufficient privileges to promote the server. (ipa replica 4.4.0 / centos7.3)

2017-03-07 Thread Jake
dirserv wasn't running and couldn't get running so I went to rebuild the 
replica and now I get this? 

replica is a fresh install, I removed the replica from ipa with 

$ ipa-replica-manage del dc1-rd-ipa02.ipa.example.com --force --cleanup 
on the master c05-rd-ipa01.ipa.example.com 

2017-03-07T17:32:18Z DEBUG Created connection context.ldap2_85375504 
2017-03-07T17:32:18Z DEBUG raw: domainlevel_get(version=u'2.213') 
2017-03-07T17:32:18Z DEBUG domainlevel_get(version=u'2.213') 
2017-03-07T17:32:18Z DEBUG flushing ldaps://c05-rd-ipa02.ipa.example.com from 
SchemaCache 
2017-03-07T17:32:18Z DEBUG retrieving schema for SchemaCache 
url=ldaps://c05-rd-ipa02.ipa.example.com conn= 
2017-03-07T17:32:18Z DEBUG raw: hostgroup_find(None, cn=u'ipaservers', 
version=u'2.213', host=[u'dc1-rd-ipa02.ipa.example.com']) 
2017-03-07T17:32:18Z DEBUG hostgroup_find(None, cn=u'ipaservers', all=False, 
raw=False, version=u'2.213', no_members=True, pkey_only=False, 
host=(u'dc1-rd-ipa02.ipa.example.com',)) 
2017-03-07T17:32:18Z DEBUG Destroyed connection context.ldap2_85375504 
2017-03-07T17:32:18Z DEBUG File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute 
return_value = self.run() 
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in 
run 
cfgr.run() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 308, in 
run 
self.validate() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 317, in 
validate 
for nothing in self._validator(): 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in 
__runner 
self._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in 
__runner 
step() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in 
run_generator_with_yield_from 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in 
run_generator_with_yield_from 
value = gen.send(prev_value) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 564, in 
_configure 
next(validator) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in 
__runner 
self._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in 
_handle_exception 
self.__parent._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in 
_handle_exception 
super(ComponentBase, self)._handle_exception(exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in 
_handle_exception 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in 
__runner 
step() 
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
step = lambda: next(self.__gen) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in 
run_generator_with_yield_from 
six.reraise(*exc_info) 
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in 
run_generator_with_yield_from 
value = gen.send(prev_value) 
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, 
in _install 
for nothing in self._installer(self.parent): 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1712, in main 
promote_check(self) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 364, in decorated 
func(installer) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 386, in decorated 
func(installer) 
File 
"/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", 
line 1311, in promote_check 
sys.exit("\nInsufficient privileges to promote the server.") 

2017-03-07T17:32:18Z DEBUG The ipa-replica-install command failed, exception: 
SystemExit: 
Insufficient privileges to promote the server. 
2017-03-07T17:32:18Z ERROR 
Insufficient privileges to promote the server. 
2017-03-07T17:32:18Z ERROR The ipa-replica-install command failed. See 
/var/log/ipareplica-install.log for more information 

Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Worked.

Thank You!

- Original Message -
From: "Rob Crittenden" 
To: "Jake" , "freeipa-users" 
Sent: Friday, January 6, 2017 3:24:35 PM
Subject: Re: [Freeipa-users] unable to add or remove replica after prepare and 
failed replication

Jake wrote:
> Hey All,
> 
> I need to reinstall the replica ipa03.ipa.example.com after
> ipa-server-install --uninstall, however.
> 
> 
> ipa-replica-install replica-info-ipa03.example.com.gpg
> Directory Manager (existing master) password:
> 
> The host ipa03.example.com already exists on the master server.
> You should remove it before proceeding:
> % ipa host-del ipa03.example.com
> ipa.ipapython.install.cli.install_tool(Replica): ERRORThe
> ipa-replica-install command failed. See /var/log/ipareplica-install.log
> for more information
> 
> So on the master I ran:
> 
> ipa-replica-manage del ipa03.ipa.example.com
> ' ipa01.ipa.example.com' has no replication agreement for '
> ipa03.ipa.example.com'
> 
> ipa host-del ipa03.ipa.example.com
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
> disabled

Try ipa-replica-manage del ipa03.ipa.example.com --force --cleanup

You may still need to delete the host entry but the first command should
mark it as not a master.

rob



[Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Hey All, 

I need to reinstall the replica ipa03.ipa.example.com after ipa-server-install 
--uninstall, however. 


ipa-replica-install replica-info-ipa03.example.com.gpg 
Directory Manager (existing master) password: 

The host ipa03.example.com already exists on the master server. 
You should remove it before proceeding: 
% ipa host-del ipa03.example.com 
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install 
command failed. See /var/log/ipareplica-install.log for more information 

So on the master I ran: 

ipa-replica-manage del ipa03.ipa.example.com 
'ipa01.ipa.example.com' has no replication agreement for 'ipa03.ipa.example.com' 

ipa host-del ipa03.ipa.example.com 
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or 
disabled 

Help? 

Thanks Again, 
- Jake 

2017-01-06T19:40:45Z DEBUG Logging to /var/log/ipareplica-install.log
2017-01-06T19:40:45Z DEBUG ipa-replica-install was invoked with arguments 
['replica-info-ipa03.example.com.gpg'] and options: {'no_dns_sshfp': None, 
'skip_schema_check': None, 'setup_kra': None, 'ip_addresses': None, 
'mkhomedir': None, 'http_cert_files': None, 'ssh_trust_dns': None, 
'reverse_zones': None, 'no_forwarders': None, 'keytab': None, 'no_ntp': None, 
'domain_name': None, 'http_cert_name': None, 'dirsrv_cert_files': None, 
'no_dnssec_validation': None, 'no_reverse': None, 'unattended': False, 
'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None, 'no_sshd': 
None, 'no_ui_redirect': None, 'dirsrv_config_file': None, 'forwarders': None, 
'verbose': False, 'setup_ca': None, 'realm_name': None, 'skip_conncheck': None, 
'no_ssh': None, 'forward_policy': None, 'dirsrv_cert_name': None, 'quiet': 
False, 'server': None, 'setup_dns': None, 'host_name': None, 'log_file': None, 
'allow_zone_overlap': None}
2017-01-06T19:40:45Z DEBUG IPA version 4.4.0-14.el7.centos.1.1
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/usr/sbin/selinuxenabled
2017-01-06T19:40:45Z DEBUG Process finished, return code=0
2017-01-06T19:40:45Z DEBUG stdout=
2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:45Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG httpd is not configured
2017-01-06T19:40:45Z DEBUG kadmin is not configured
2017-01-06T19:40:45Z DEBUG dirsrv is not configured
2017-01-06T19:40:45Z DEBUG pki-tomcatd is not configured
2017-01-06T19:40:45Z DEBUG install is not configured
2017-01-06T19:40:45Z DEBUG krb5kdc is not configured
2017-01-06T19:40:45Z DEBUG ntpd is not configured
2017-01-06T19:40:45Z DEBUG named is not configured
2017-01-06T19:40:45Z DEBUG ipa_memcached is not configured
2017-01-06T19:40:45Z DEBUG filestore is tracking no files
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2017-01-06T19:40:45Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/usr/sbin/httpd -t -D DUMP_VHOSTS
2017-01-06T19:40:45Z DEBUG Process finished, return code=0
2017-01-06T19:40:45Z DEBUG stdout=VirtualHost configuration:
*:8443 ipa03.example.com (/etc/httpd/conf.d/nss.conf:83)

2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2017-01-06T19:40:45Z DEBUG Process finished, return code=1
2017-01-06T19:40:45Z DEBUG stdout=
2017-01-06T19:40:45Z DEBUG stderr=Failed to get unit file state for 
chronyd.service: No such file or directory

2017-01-06T19:40:45Z DEBUG Starting external process
2017-01-06T19:40:45Z DEBUG args=/bin/systemctl is-active chronyd.service
2017-01-06T19:40:45Z DEBUG Process finished, return code=3
2017-01-06T19:40:45Z DEBUG stdout=unknown

2017-01-06T19:40:45Z DEBUG stderr=
2017-01-06T19:40:48Z DEBUG Starting external process
2017-01-06T19:40:48Z DEBUG args=/usr/bin/gpg-agent --batch --homedir 
/tmp/tmpnJnWiQipa/ipa-iUdnBL/.gnupg --daemon /usr/bin/gpg --batch --homedir 
/tmp/tmpnJnWiQipa/ipa-iUdnBL/.gnupg --passphrase-fd 0 --yes --no-tty -o 
/tmp/tmpnJnWiQipa/files.tar -d replica-info-ipa03.example.com.gpg
2017-01-06T19:40:48Z DEBUG Process finished, return code=0
2017-01-06T19:40:48Z DEBUG Starting ex

[Freeipa-users] Should IPA Replica DNS SOA Serials match?

2017-01-06 Thread Jake
Hey All, 
I currently have 4 ipa 4.2 masters and none of the SOA Serials match, is this 
expected behavior of bind-ldap? 

ipa01 - 1483710336 
ipa02 - 1483709696 
ipa03 - 1483730432 
ipa04 - 1483714048 

Thanks! 

-Jake 

Re: [Freeipa-users] Can't establish a trust to AD

2016-11-24 Thread Jake
4.2 is a one-way trust, by design. 

http://www.freeipa.org/page/V4/One-way_trust 

-Jake 


From: "Denis Müller"  
To: "freeipa-users"  
Sent: Thursday, November 24, 2016 7:48:50 AM 
Subject: [Freeipa-users] Can't establish a trust to AD 

Hello Guys, we need help to establish a trust from FreeIPA to AD. AD users 
should be able to access the Linux environment, but Linux users should not be 
able to access the AD environment. 

our setup: 

AD Domain: 
domain.com, there we have two AD controllers installed with Windows Server 
2008. All users are managed here. 

IPA Domain: 
wop.domain.com. We would like to sync users from ad to a specific group to 
provide user-management in linux environments. In this subdomain we have 2 
ipa-servers: ipa01.wop.domain.com and ipa02.domain.com 

Ipa version on both servers is: VERSION: 4.2.0, API_VERSION: 2.156 

Both servers have "ipa-server-trust-ad" installed. 

[root@ipa01 ~]# ipactl status 
Directory Service: RUNNING 
krb5kdc Service: RUNNING 
kadmin Service: RUNNING 
named Service: RUNNING 
ipa_memcached Service: RUNNING 
httpd Service: RUNNING 
pki-tomcatd Service: RUNNING 
smb Service: RUNNING 
winbind Service: RUNNING 
ipa-otpd Service: RUNNING 
ipa-dnskeysyncd Service: RUNNING 
ipa: INFO: The ipactl command was successful 

kinit admin works as expected ! 



DNS configuration: 
IPA-Side: 

[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.wop.domain.com 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t TXT _kerberos.wop.domain.com 
"WOP.DOMAIN.COM" 

[root@ipa01 ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 

[root@ipa01 ~]# dig +short -t SRV _kerberos._tcp.dc._msdcs.wop.domain.com. 
0 100 88 ipa01.wop.domain.com. 
0 100 88 ipa02.wop.domain.com. 

AD-Side: 

C:\Users\demueller>nslookup 
Standardserver: dc2.domain.com 
Address: 192.168.3.9 

> set type=SRV 
> _kerberos._udp.wop.domain.com. 
Server: dc2.domain.com 
Address: 192.168.3.9 

Nicht autorisierende Antwort: 
_kerberos._udp.wop.domain.com SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa01.wop.domainc.om 
_kerberos._udp.wop.rto.de SRV service location: 
priority = 0 
weight = 100 
port = 88 
svr hostname = ipa02.wop.domain.com 

ipa01.wop.domain.com internet address = 192.168.11.75 
ipa02.wop.domainc.om internet address = 192.168.11.106 

DNS looks fine, firewall too. 

Providing trust: ipa trust-add --type=ad rto.de --trust-secret --server=dc2.domain.com 

As a Result: 

[root@ipa01 ~]# ipa trustdomain-find domain.com 
Domain name: domain.com 
Domain NetBIOS name: DOMAIN (It should be DC2, right?) 
Domain Security Identifier: S-1-5-21-746137067-2052111302-1801674531 
Domain enabled: True 
- 


ipa trust-fetch-domain domain.com 

Logging: 

[Thu Nov 24 13:43:44.167918 2016] [:error] [pid 9123] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: ping(): SUCCESS 
[Thu Nov 24 13:43:44.306718 2016] [:error] [pid 9124] ipa: INFO: 
[jsonserver_session] admin@WOP.DOMAIN.COM: 
trustdomain_find(u'domain.com', None, all=False, raw=False, version=u'2.156', 
pkey_only=False): SUCCESS 
[Thu Nov 24 13:45:16.662862 2016] [:error] [pid 9123] ipa: INFO: 401 
Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure. Minor code may provide more information (Cannot 
contact any KDC for realm 'WOP.DOMAIN.COM) 

I can't understand the problem. 

On the AD side we create a trust certificate as explained here: 
http://www.freeipa.org/page/Active_Directory_trust_setup 






Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
Details: 
ipa-client-install --version 
4.2.0 

sssd --version 
1.13.0 

krb5-config --version 
Kerberos 5 release 1.13.2 

cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

I hope this helps, also can I disable the allow-all rule per-host? 

Thanks, 
Jake 


From: "Lachlan Musicman"  
Cc: "freeipa-users"  
Sent: Tuesday, November 1, 2016 7:04:45 PM 
Subject: Re: [Freeipa-users] HBAC Troubleshooting (IPA 4.2) 

Jake, 

I've seen this behaviour and am still struggling to find a solution. 

The version of underlying OS and sssd are useful to know fwiw. 

To troubleshoot HBAC: 

- in *target machine* sssd.conf, add debug_level=7 to each stanza (can go as 
high as 9, but I believe 7 will be sufficient) 
- restart sssd 
- clear logs in /var/log/sssd/ either by deleting or by logrotate 
- make an attempt to login/perform allowed action that gets denied 
- read logs to see what happened 
- I like to run `ipa hbactest --user= --host= --service` on the IPA node to 
confirm that the HBAC rules are correct 
- I sometimes also install ipa-tools on the target host and confirm that the 
above command gives same and correct answer 
- note that successful results from this command may not translate to 
successful application of HBAC on the target host in reality. 



cheers 
L. 


-- 
The most dangerous phrase in the language is, "We've always done it this way." 

- Grace Hopper 

On 2 November 2016 at 09:41, Jake <free...@jacobdevans.com> wrote: 



Hey All, 
I'm having some issues tracing HBAC policies, it seems whenever I disable the 
allow_all policy, I'm no longer able to access services I have allowed in my 
more-specific hbac policy. 

What are the troubleshooting steps (logs) I can run on the client to see what 
is being denied and by what policy, Is this all done with sssd? 

Thank You, 
-Jake 


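The first step of Lachlan's procedure (debug_level=7 in each sssd.conf stanza on the target machine), as an added example that is not from the thread: the script below rewrites a constructed sssd.conf so every stanza carries the level and reads the levels back to confirm none was missed. Restarting sssd, clearing /var/log/sssd/ and running `ipa hbactest` remain manual steps.

```python
"""Set debug_level in every sssd.conf stanza (HBAC troubleshooting step 1).

Added example, not from the thread. sssd.conf is INI-style, so configparser
handles it; keys are kept case-sensitive and interpolation is disabled
because values such as LDAP URIs may contain '%'.
"""
import configparser
import io

# Constructed sample sssd.conf for an IPA-enrolled client (no debug_level set).
SAMPLE_SSSD_CONF = """\
[domain/ipa.example.com]
id_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa01.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
domains = ipa.example.com

[nss]
homedir_substring = /home

[pam]

[ssh]
"""


def _parse(conf_text):
    """Parse sssd.conf text, preserving key case and literal '%' values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(conf_text)
    return parser


def set_debug_level(conf_text, level=7):
    """Return conf_text with debug_level=level set in every stanza.

    An existing debug_level in a stanza is overwritten. The post says 7 is
    enough and 9 is the ceiling; values outside 0-9 are rejected so a typo
    cannot silently produce an unexpected logging level.
    """
    if not 0 <= level <= 9:
        raise ValueError("debug_level must be 0-9, got %r" % (level,))
    parser = _parse(conf_text)
    for section in parser.sections():
        parser[section]["debug_level"] = str(level)
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


def debug_levels(conf_text):
    """Map each stanza to its debug_level (None when unset), for verification."""
    parser = _parse(conf_text)
    return {s: parser[s].get("debug_level") for s in parser.sections()}


if __name__ == "__main__":
    patched = set_debug_level(SAMPLE_SSSD_CONF, 7)
    for stanza, level in debug_levels(patched).items():
        print("%-25s debug_level = %s" % (stanza, level))
```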

[Freeipa-users] Service discovery and selection for IPA

2016-11-01 Thread Jake
Hey All, 
Quick question on IPA Service discover and selection (ldap/kerberos in ad 
trust). 

Do IPA clients ping results of SRV records to determine which server they send 
requests (for ldap/kerberos specifically)? 

I have 8 AD domain controllers, 2 in each location, and 4 IPA servers (2 in 
each of 2 locations). It seems the IPA servers rarely choose the local AD 
controllers; is there a way to adjust this? Must I set up something like geo-DNS 
with different service weights per subnet? 

Thanks! 
~Jake 

[Freeipa-users] HBAC Troubleshooting (IPA 4.2)

2016-11-01 Thread Jake
Hey All, 
I'm having some issues tracing HBAC policies, it seems whenever I disable the 
allow_all policy, I'm no longer able to access services I have allowed in my 
more-specific hbac policy. 

What are the troubleshooting steps (logs) I can run on the client to see what 
is being denied and by what policy, Is this all done with sssd? 

Thank You, 
-Jake 


Re: [Freeipa-users] Allow external AD users on webui

2016-11-01 Thread Jake
Sorry for the late reply. I've seen this on the mailing list a few times and 
wondered it myself. This was my solution:

IPA has an option to use a RADIUS password, which also lets you override the 
username. So for those users that are allowed to manage IPA, we have 
google-auth and freeradius gateways set up with a user override.

For example:
jev...@ipa.example.com has a RADIUS user of jev...@ad.example.com

I log into the webui with jev...@ipa.example.com with my password for 
jev...@ad.example.com (and in my case, I add my google auth OTP)

Does this help?
-Jake


- Original Message -
From: "Alexander Bokovoy" 
To: "Troels Hansen" 
Cc: "freeipa-users" 
Sent: Monday, October 31, 2016 3:59:36 AM
Subject: Re: [Freeipa-users] Allow external AD users on webui

On ma, 31 loka 2016, Troels Hansen wrote:
>- On Oct 31, 2016, at 8:33 AM, Alexander Bokovoy aboko...@redhat.com wrote:
>
>
>> You make it sound as if it is a done deal. It is not, there is a number
>> of changes that yet not figured out how to do in an efficient way.
>>
>> It is in our pipeline for 4.5. It is understandable that people ask for
>> this feature. It should also be clear to you that had it been a simple
>> thing, it would have been implemented already.
>>
>> If you want to see a progress, subscribe to the ticket.
>
>Hi Alexander
>
>It was in no way a criticism of the FreeIPA team. I'm well aware of the
>work being put into this product from the core team, and appreciate
>every new release, but also not really able to help much with the
>development, only testing and feedback.
That's why I asked you to subscribe to the ticket. Once the changes are
ready, you could help with testing them.

-- 
/ Alexander Bokovoy



[Freeipa-users] unable to add or remove host (exists but doesn't exist) 4.2

2016-09-28 Thread Jake
One of my techs had an issue adding a machine; now it seems to be stuck. 

It can neither be added nor removed: 

-bash-4.2$ ipa host-add server100.example.com --force 
ipa: ERROR: host with name "server100.example.com" already exists 

-bash-4.2$ ipa host-del server100.example.com 
ipa: ERROR: server100.example.com: host not found 


IPA web client gives this error: 

Operations Error 
Some operations failed. 
* server100.example.com: host not found 

Attempts to delete it via webui: 
Operations Error 
Some entries were not deleted 
* server100.example.com: host not found 



Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-16 Thread Jake
This was very helpful, Thank You!

Thank You, 

Jacob D. Evans 
Cloud Consultant 
717.417.8324

- Original Message -
From: "Alexander Bokovoy" 
To: "Jake" 
Cc: freeipa-users@redhat.com
Sent: Thursday, August 4, 2016 1:46:51 AM
Subject: Re: [Freeipa-users] Login Troubles with Centos7 and external users 
(4.2.0-15.0.1.el7.centos.17)

On Wed, 03 Aug 2016, Jake wrote:
>Hello All,
>I'm new to FreeIPA and am having some issues with my endpoints.
>
>First attempts to login as usern...@legacy.example.org always fail with:
>Logs on client:
>sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123
>sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org 
>[preauth]
>
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1003][1][name=NOUSER]
>[sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): 
>sysdb_search_object_by_uuid did not return a single result.
>[sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to 
>canonicalize name, using [NOUSER].
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve 
>users
>[sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
>Object not found, ending request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,0,Account info lookup failed
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][idnumber=1644425765]
>[sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
>ldap_extended_operation result: No such object(32), (null).
>[sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request 
>failed.
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 0,0,Success (Success)
>
>running the command 'getent password usern...@legacy.example.org' on the ipa 
>server works fine
>
>Logs from server:
>[sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
>[0x1001][1][name=username]
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain 
>lookup failed, will try to reset sudomain..
>[sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] 
>finished successfully.
>[sssd[be[ipa.example.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup 
>of service 'legacy.example.org' as 'neutral'
>[sssd[be[ipa.example.com]]] [fo_set_port_status] (0x0100): Marking port 0 of 
>server '(no name)' as 'neutral'
>[sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0040): 
>ipa_get_*_acct request failed: [1432158262]: Subdomain is inactive.
>[sssd[be[ipa.example.com]]] [ipa_subdomain_account_done] (0x0040): 
>ipa_get_*_acct request failed: 1432158262
>[sssd[be[ipa.example.com]]] [ipa_account_info_error_text] (0x0020): Bug: 
>dp_error is OK on failed request
>[sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
>Returned 3,1432158262,Account info lookup failed
>
>
>Stuff:
>(4) IPA Masters at ipa.example.com

[Freeipa-users] Does FreeIPA require ICMP to be allowed? Can it cause login speed issues?

2016-08-12 Thread Jake
Hey Guys, 
Can anyone tell me if there are issues caused by blocking ICMP requests between 
ipa clients, ipa servers and ad servers? 

We typically filter ICMP between all systems. 

Also, if anyone has good documentation as to what ports are required between 
each I'd really appreciate it! 

From IPA Server to AD Server (trust)
From IPA Client to IPA Server
From IPA Client to AD Server (if any, unsure if kerberos/ldap is needed here
or not on v4)
From AD Client to IPA Client (ad users on windows machines accessing ipa
client over ssh with kerberos gssapi)

Thanks! Have a good weekend! 

-Jake 

[Freeipa-users] unable to auth to IPA Web panel as trusted user (4.2)

2016-08-04 Thread Jake
Hey All, 
I've added external enterprise admins to my local admins group, however I 
cannot authenticate to the IPA web interface (nor can I request kerberos SPNs 
to generate dogtag certs, even when authenticated on an IPA client). 

Is it possible to use external LDAP credentials to manage the IPA admin panel 
as well as to request certs, and if so, what groups/roles must I add? 

Thank You! 
-Jake 

[Freeipa-users] kerberos auth from windows (windows 10 to cent7 with ipa4.2)

2016-08-04 Thread Jake
Hey All, 

Has anyone come across this issue when attempting to use kerberos auth from 
windows. 

PS C:\Users\jevans> ssh -V 
OpenSSH_7.1p2, OpenSSL 1.0.2h 3 May 2016 

running command: 
ssh ipaclient.ipa.example.com -K -v -oGSSAPIDelegateCredentials=yes 
-oGSSAPIAuthentication=yes 


debug1: Next authentication method: gssapi-with-mic 
debug1: Miscellaneous failure (see text) 
unable to find realm of host JEVANS 

debug1: Miscellaneous failure (see text) 
unable to find realm of host JEVANS 

debug2: we did not send a packet, disable method 


I have kerberos delegation enabled for my computer account, my machine is 
joined to a trusted AD and I'm attempting to auth with that trusted user. 

Thank You, 
-Jake 

Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-04 Thread Jake
Jakub,
Resolved; it seems to be working (I swear restarting sssd and adding the debug line 
does some magic). The sssd performance blog post worked out quite well.

I did not need to make any changes to my trust relationship, re-running the ad 
trust setup steps and restarting sssd did the trick.

Thank You!

- Original Message -
From: "Jakub Hrozek" 
To: "Jake" 
Cc: freeipa-users@redhat.com
Sent: Thursday, August 4, 2016 3:48:14 AM
Subject: Re: [Freeipa-users] Login Troubles with Centos7 and external users 
(4.2.0-15.0.1.el7.centos.17)

On Wed, Aug 03, 2016 at 08:38:00PM -0400, Jake wrote:
> Thanks Jakub,
> turns out 'getent password usern...@legacy.example.org' only works on 1 of 
> the 4 ipa servers (the one I created the domain trust with).

OK, then we need to first fix all the servers before proceeding to the
clients.

> 
> I re-ran ipa-adtrust-install on them and no change. Is there a similar post I 
> can follow to correct these & retrace my steps, or does the trust need to be 
> configured on each?

For IPA:
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
For SSSD:
https://fedorahosted.org/sssd/wiki/Troubleshooting

I would personally start with looking into the SSSD logs on the server
that is misbehaving.



Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Jake
Thanks Jakub,
turns out 'getent password usern...@legacy.example.org' only works on 1 of the 
4 ipa servers (the one I created the domain trust with).

I re-ran ipa-adtrust-install on them and no change. Is there a similar post I 
can follow to correct these & retrace my steps, or does the trust need to be 
configured on each?

Thank You,
-Jake

- Original Message -
From: "Jakub Hrozek" 
To: "Jake" 
Cc: freeipa-users@redhat.com
Sent: Wednesday, August 3, 2016 3:51:26 PM
Subject: Re: [Freeipa-users] Login Troubles with Centos7 and external users 
(4.2.0-15.0.1.el7.centos.17)

> On 3 Aug 2016, at 20:14, Jake  wrote:
> 
> Hello All,
> I'm new to FreeIPA and am having some issues with my endpoints.
> 
> First attempts to login as usern...@legacy.example.org always fail with:
> Logs on client:
> sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123
> sshd[3771]: input_userauth_request: invalid user usern...@legacy.example.org 
> [preauth]
> 
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][name=username]
> [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
> ldap_extended_operation result: No such object(32), (null).
> [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop 
> request failed.
> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 0,0,Success (Success)
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1003][1][name=NOUSER]
> [sssd[be[ipa.example.com]]] [sysdb_get_real_name] (0x0040): 
> sysdb_search_object_by_uuid did not return a single result.
> [sssd[be[ipa.example.com]]] [groups_by_user_done] (0x0040): Failed to 
> canonicalize name, using [NOUSER].
> [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
> Object not found, ending request
> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 3,0,Account info lookup failed
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][idnumber=1644425765]
> [sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to 
> retrieve users
> [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): 
> Object not found, ending request
> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 3,0,Account info lookup failed
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][idnumber=1644425765]
> [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
> ldap_extended_operation result: No such object(32), (null).
> [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop 
> request failed.
> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 0,0,Success (Success)
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][idnumber=1644425765]
> [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
> ldap_extended_operation result: No such object(32), (null).
> [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop 
> request failed.
> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 0,0,Success (Success)
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][idnumber=1644425765]
> [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): 
> ldap_extended_operation result: No such object(32), (null).
> [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop 
> request failed.

OK, here looking up an ID failed. It would be interesting to see what happened 
with this lookup on the server. Normally I truncate the logs on both the 
server and the client, then run:
date; id $username; date
That allows correlating the logs from the server and the client and better 
pinpointing what fails.

> [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. 
> Returned 0,0,Success (Success)
> 
> running the command 'getent password usern...@legacy.example.org' on the ipa 
> server works fine
> 
> Logs from server:
> [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for 
> [0x1001][1][name=username]
> [sssd[be[ipa.example.com]]] [ipa_srv_ad_acct_lookup_done] (0x0080): Sudomain 
> lookup failed, will try to reset sudomain..

This log line doesn't look so successful :-) but as long as the server returns 
'something' from the cache, the client should grab it.

> [sssd[be[ipa.example.com]]] [child_sig_handler] (0x0100): child [26269] 
> finished successfully.
> [sssd[be[ipa.example.com]]] [set_srv_data_status] (0x
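
The date; id $username; date trick from Jakub's reply, automated as an added
example (not code from this thread, nor from SSSD or FreeIPA): it keeps only
the sssd_<domain>.log lines stamped between the two date outputs and pairs
each be_get_account_info request with the acctinfo_callback result that
closes it, so you can see which lookups SSSD reported as failed and which
it reported as Success even though serious-level errors were logged in
between (the name=username lookup in Jake's client log is of that second
kind). It assumes debug_timestamps is on (the default) so each line carries
a "(Wed Aug  3 20:14:01 2016)" prefix, and that you print the window with
date '+%a %b %e %T %Y' so the stamps parse with the same format. The log
text and the two window stamps are constructed to resemble Jake's lines,
not a real capture.

```python
"""Correlate one client-side SSSD lookup with its domain-backend log lines.

Added example, not from the thread or from SSSD/FreeIPA. Keeps the log lines
between the two `date` stamps and pairs each be_get_account_info request
with the acctinfo_callback result that closes it. Sample log is constructed.
"""
import re
from datetime import datetime

# SSSD prefixes each line with a ctime()-style stamp in parentheses.
_TS_RE = re.compile(
    r'^\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\) '
    r'(?P<rest>.*)$')
# "Got request for [0x1001][1][name=username]": request type, then lookup key.
_REQ_RE = re.compile(
    r'\[be_get_account_info\] \(0x[0-9a-f]+\): Got request for '
    r'\[(?P<type>0x[0-9a-f]+)\]\[\d+\]\[(?P<key>[^\]]+)\]')
# "Request processed. Returned 3,0,Account info lookup failed"
_RET_RE = re.compile(
    r'\[acctinfo_callback\] \(0x[0-9a-f]+\): Request processed\. '
    r'Returned (?P<dp>\d+),(?P<errno>\d+),(?P<msg>.*)$')
# Debug levels 0x0020 (critical) and 0x0040 (serious) mark real failures.
_ERR_LEVELS = ('(0x0020)', '(0x0040)')


def parse_ts(stamp):
    """Parse "Wed Aug  3 20:14:01 2016" (what `date '+%a %b %e %T %Y'` prints)."""
    return datetime.strptime(stamp, '%a %b %d %H:%M:%S %Y')


def correlate(log_text, start, end):
    """One record per backend lookup whose lines fall within [start, end]."""
    records, pending = [], []
    for line in log_text.splitlines():
        m = _TS_RE.match(line)
        if not m or not (start <= parse_ts(m.group('ts')) <= end):
            continue                       # outside the date/id/date window
        rest = m.group('rest')
        req = _REQ_RE.search(rest)
        if req:
            pending.append({'key': req.group('key'), 'type': req.group('type'),
                            'errors': []})
            continue
        ret = _RET_RE.search(rest)
        if ret and pending:
            rec = pending.pop(0)           # results arrive in request order
            rec.update(dp_error=int(ret.group('dp')),
                       errno=int(ret.group('errno')), msg=ret.group('msg'))
            records.append(rec)
        elif pending and any(lvl in rest for lvl in _ERR_LEVELS):
            # Keep the message text after the "(0x00NN): " prefix.
            pending[-1]['errors'].append(rest.split('): ', 1)[-1])
    return records


def failed(records):
    """Keys whose lookup SSSD itself reported as failed (dp_error != 0)."""
    return [r['key'] for r in records if r['dp_error'] != 0]


def masked_failures(records):
    """Keys reported as Success although serious-level errors were logged."""
    return [r['key'] for r in records if r['dp_error'] == 0 and r['errors']]


# Constructed sample (not a real capture); the 20:13:55 and 20:14:30 lookups
# lie outside the window and must be ignored.
SAMPLE_LOG = """\
(Wed Aug  3 20:13:55 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=other]
(Wed Aug  3 20:13:55 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Aug  3 20:14:01 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=username]
(Wed Aug  3 20:14:01 2016) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Wed Aug  3 20:14:01 2016) [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Wed Aug  3 20:14:01 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Aug  3 20:14:02 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=NOUSER]
(Wed Aug  3 20:14:02 2016) [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Wed Aug  3 20:14:02 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Aug  3 20:14:02 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][idnumber=1644425765]
(Wed Aug  3 20:14:03 2016) [sssd[be[ipa.example.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Wed Aug  3 20:14:03 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed
(Wed Aug  3 20:14:30 2016) [sssd[be[ipa.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=later]
(Wed Aug  3 20:14:30 2016) [sssd[be[ipa.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
"""
# The stamps the two surrounding `date` calls would have printed (constructed).
WINDOW_START = 'Wed Aug  3 20:14:00 2016'
WINDOW_END = 'Wed Aug  3 20:14:05 2016'


def analyse_sample():
    """Run the correlation over the constructed sample."""
    recs = correlate(SAMPLE_LOG, parse_ts(WINDOW_START), parse_ts(WINDOW_END))
    return recs, failed(recs), masked_failures(recs)


if __name__ == '__main__':
    recs, hard, masked = analyse_sample()
    for r in recs:
        print(f"{r['key']:<24} type={r['type']} dp_error={r['dp_error']} "
              f"errno={r['errno']} serious_errors={len(r['errors'])}")
    print('failed:', hard)
    print('reported Success but logged errors:', masked)
```

Run the same script against the server-side sssd_<domain>.log with the same
two stamps (clocks permitting) to see whether the server actually answered
the s2n extended operation or only served a stale cache entry.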

[Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Jake
.github.com/JakeDEvans/ed34098b96b6e061095da85e1db58d70 

all other configs unmodified. 

Also, is it normal that the login is very slow? 

Thanks All, 
-Jake 

