Re: [Freeipa-users] Error during ipa-replica-install
On Mon, Mar 26, 2012 at 8:43 AM, Martin Kosek wrote:
> On Sun, 2012-03-25 at 15:55 +0200, Marco Pizzoli wrote:
> > Hi Martin,
> >
> > On Thu, Mar 22, 2012 at 11:50 AM, Martin Kosek wrote:
> > > Hello Marco,
> > >
> > > judging from the output you sent, it looks like you had an installed
> > > replica on freeipa03, then stopped it with "ipactl stop" and after that
> > > tried to run ipa-replica-install again - krb5.conf and /var/log/messages
> > > you sent would support this theory.
> > >
> > > IPA replica agreement should be first removed with "ipa-replica-manage
> > > del " on freeipa01 and then uninstalled with
> > > "ipa-server-install --uninstall" before you try to install it again.
> >
> > Thanks for your answer.
> > I tried what you suggested, but this is what I'm getting now:
> >
> > [root@freeipa01 ~]# ipa-replica-manage -v list
> > freeipa01.unix.mydomain.it: master
> > freeipa03.unix.mydomain.it: master
> > [root@freeipa01 ~]# ipa-replica-manage -v del freeipa03.unix.mydomain.it
> > Unable to delete replica freeipa03.unix.mydomain.it: {'desc': "Can't contact LDAP server"}
> > [root@freeipa01 ~]# ps -ef|grep slap
> > dirsrv    1149     1  0 15:30 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT -i /var/run/dirsrv/slapd-UNIX-MYDOMAIN-IT.pid -w /var/run/dirsrv/slapd-UNIX-MYDOMAIN-IT.startpid
> > pkisrv    1150     1  0 15:30 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid
> >
> > After a little investigation (should it be worth a more descriptive output?
> > ^_^) I found the LDAP server being asked was the freeipa03 one.
> > Yes, it was not running at the moment I executed the command.
> >
> > I went to freeipa03 and tried to "systemctl start dirsrv.target".
> > This is what I have in my /var/log/messages log:
> >
> > Mar 25 15:48:50 freeipa03 systemd[1]: Failed to load environment files: No such file or directory
> > Mar 25 15:48:50 freeipa03 systemd[1]: dirsrv@UNIX-MYDOMAIN-IT.service failed to run 'start' task: No such file or directory
> > Mar 25 15:48:50 freeipa03 systemd[1]: Unit dirsrv@UNIX-MYDOMAIN-IT.service entered failed state.
> >
> > My dirsrv access and error log files are currently not populated.
> >
> > How can I exit from the tunnel? :-)
> >
> > Thanks in advance again
> > Marco
>
> Hello Marco,
>
> if you want to correctly set up a 2-master configuration, you need to at
> first properly remove replica agreements between freeipa01 and freeipa03
> (which are visible in your "ipa-replica-manage list") and then install
> the replica on freeipa03:
>
> # force is needed as freeipa03 is not running
> [root@freeipa01 ~]# ipa-replica-manage -v del freeipa03.unix.mydomain.it --force
> # to get a new fresh replica info file:
> [root@freeipa01 ~]# ipa-replica-prepare freeipa03.unix.mydomain.it
>
> # on freeipa03:
> [root@freeipa03 ~]# ipa-replica-install
>
> Does this help?

Yes, it helped a lot! Replica deleted.
Thanks!
Marco

> Martin

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] ipa-client-install error during ipa-replica-install
Hi guys,
I'm still working with the beta version.
I tried the setup of another replica and this is what I'm getting:

[root@freeipa04 ~]# ipa-replica-install --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa04.unix.mydomain.it.gpg
Directory Manager (existing master) password:

Warning: Hostname (freeipa04.unix.mydomain.it) not found in DNS
Run connection check to master
Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@unix.mydomain.it password:

Execute check on remote master
ad...@freeipa01.unix.mydomain.it's password:
Check connection from master to remote replica 'freeipa04.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
  [17/30]: configuring certmap.conf
  [18/30]: configure autobind for root
  [19/30]: configure new location for managed entries
  [20/30]: restarting directory server
  [21/30]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
  [22/30]: adding replication acis
  [23/30]: setting Auto Member configuration
  [24/30]: enabling S4U2Proxy delegation
  [25/30]: initializing group membership
  [26/30]: adding master entry
  [27/30]: configuring Posix uid/gid generation
  [28/30]: enabling compatibility plugin
  [29/30]: tuning directory server
  [30/30]: configuring directory to start on boot
done configuring dirsrv.
Configuring Kerberos KDC: Estimated time 30 seconds
  [1/9]: adding sasl mappings to the directory
  [2/9]: writing stash file from DS
  [3/9]: configuring KDC
  [4/9]: creating a keytab for the directory
  [5/9]: creating a keytab for the machine
  [6/9]: adding the password extension to the directory
  [7/9]: enable GSSAPI for replication
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
done configuring krb5kdc.
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached
  [2/2]: configuring ipa_memcached to start on boot
done configuring ipa_memcached.
Configuring the web interface: Estimated time 1 minute
  [1/13]: disabling mod_ssl in httpd
  [2/13]: setting mod_nss port to 443
  [3/13]: setting mod_nss password file
  [4/13]: enabling mod_nss renegotiate
  [5/13]: adding URL rewriting rules
  [6/13]: configuring httpd
  [7/13]: setting up ssl
  [8/13]: publish CA cert
  [9/13]: creating a keytab for httpd
  [10/13]: clean up any existing httpd ccache
  [11/13]: configuring SELinux for httpd
  [12/13]: restarting httpd
  [13/13]: configuring httpd to start on boot
done configuring httpd.
Applying LDAP updates
Restarting the directory server
Restarting the KDC
Restarting the web server
Using reverse zone 146.168.192.in-addr.arpa.
Configuring named:
  [1/8]: adding NS record to the zone
  [2/8]: setting up reverse zone
  [3/8]: setting up our own record
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: restarting named
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unat
Re: [Freeipa-users] Error during ipa-replica-install
Hi Martin,

On Thu, Mar 22, 2012 at 11:50 AM, Martin Kosek wrote:
> Hello Marco,
>
> judging from the output you sent, it looks like you had an installed
> replica on freeipa03, then stopped it with "ipactl stop" and after that
> tried to run ipa-replica-install again - krb5.conf and /var/log/messages
> you sent would support this theory.
>
> IPA replica agreement should be first removed with "ipa-replica-manage
> del " on freeipa01 and then uninstalled with
> "ipa-server-install --uninstall" before you try to install it again.

Thanks for your answer.
I tried what you suggested, but this is what I'm getting now:

[root@freeipa01 ~]# ipa-replica-manage -v list
freeipa01.unix.mydomain.it: master
freeipa03.unix.mydomain.it: master
[root@freeipa01 ~]# ipa-replica-manage -v del freeipa03.unix.mydomain.it
Unable to delete replica freeipa03.unix.mydomain.it: {'desc': "Can't contact LDAP server"}
[root@freeipa01 ~]# ps -ef|grep slap
dirsrv    1149     1  0 15:30 ?        00:00:01 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT -i /var/run/dirsrv/slapd-UNIX-MYDOMAIN-IT.pid -w /var/run/dirsrv/slapd-UNIX-MYDOMAIN-IT.startpid
pkisrv    1150     1  0 15:30 ?        00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid -w /var/run/dirsrv/slapd-PKI-IPA.startpid

After a little investigation (should it be worth a more descriptive output? ^_^) I found the LDAP server being asked was the freeipa03 one.
Yes, it was not running at the moment I executed the command.

I went to freeipa03 and tried to "systemctl start dirsrv.target".
This is what I have in my /var/log/messages log:

Mar 25 15:48:50 freeipa03 systemd[1]: Failed to load environment files: No such file or directory
Mar 25 15:48:50 freeipa03 systemd[1]: dirsrv@UNIX-MYDOMAIN-IT.service failed to run 'start' task: No such file or directory
Mar 25 15:48:50 freeipa03 systemd[1]: Unit dirsrv@UNIX-MYDOMAIN-IT.service entered failed state.

My dirsrv access and error log files are currently not populated.

How can I exit from the tunnel? :-)

Thanks in advance again
Marco

> Martin
>
> On Tue, 2012-03-20 at 12:58 +0100, Marco Pizzoli wrote:
> > Hi guys,
> > I'm running this version of FreeIPA:
> >
> > [root@freeipa03 ~]# rpm -qa|grep freeipa
> > freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
> > freeipa-server-2.1.90.rc1-0.fc16.x86_64
> > freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
> > freeipa-client-2.1.90.rc1-0.fc16.x86_64
> > freeipa-python-2.1.90.rc1-0.fc16.x86_64
> >
> > I'm having this problem:
> >
> > [root@freeipa03 ~]# ipa-replica-install --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa03.unix.mydomain.it.gpg
> > Directory Manager (existing master) password:
> >
> > Run connection check to master
> > Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
> >    Directory Service: Unsecure port (389): OK
> >    Directory Service: Secure port (636): OK
> >    Kerberos KDC: TCP (88): OK
> >    Kerberos Kpasswd: TCP (464): OK
> >    HTTP Server: Unsecure port (80): OK
> >    HTTP Server: Secure port (443): OK
> >
> > The following list of ports use UDP protocol and would need to be
> > checked manually:
> >    Kerberos KDC: UDP (88): SKIPPED
> >    Kerberos Kpasswd: UDP (464): SKIPPED
> >
> > Connection from replica to master is OK.
> > Start listening on required ports for remote master check
> > Get credentials to log in to remote master
> > ad...@unix.mydomain.it password:
> >
> > Cannot acquire Kerberos ticket: kinit: Invalid message type while
> > getting initial credentials
> >
> > Connection check failed!
> > Please fix your network settings according to error messages above.
> > If the check results are not valid it can be skipped with
> > --skip-conncheck parameter.
> >
> > ---
> > I don't have any firewall between freeipa03 and freeipa01.
> >
> > This is what I have in my /var/log/messages file:
> >
> > Mar 20 12:03:51 freeipa03 sssd: Starting up
> > Mar 20 12:03:51 freeipa03 sssd[be[unix.mydomain.it]]: Starting up
> > Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
> > Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
> > Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
> > Mar 20 12:03:52 f
Re: [Freeipa-users] Constantly failing ipa-client-install
Hi John,

On Sat, Mar 24, 2012 at 9:35 PM, John Dennis wrote:
> On 03/24/2012 01:11 PM, Marco Pizzoli wrote:
> > Hi guys,
> > I'm working with 2.1.90-rc1 and I'm always getting this error during a
> > client enrollment:
> >
> > [root@myhostname ~]# ipa-client-install --enable-dns-updates --principal=admin --password=mypassword --ssh-trust-dns --mkhomedir
> > Discovery was successful!
> >   Hostname: myhostname.server.unix.mydomain.it
> >   Realm: UNIX.MYDOMAIN.IT
> >   DNS Domain: unix.mydomain.it
> >   IPA Server: freeipa01.unix.mydomain.it
> >   BaseDN: dc=unix,dc=mydomain,dc=it
> >
> > Continue to configure the system with these values? [no]: yes
> > Synchronizing time with KDC...
> > Enrolled in IPA realm UNIX.MYDOMAIN.IT
> > Created /etc/ipa/default.conf
> > Traceback (most recent call last):
> >   File "/usr/sbin/ipa-client-install", line 1527, in
> >     sys.exit(main())
> >   File "/usr/sbin/ipa-client-install", line 1514, in main
> >     rval = install(options, env, fstore, statestore)
> >   File "/usr/sbin/ipa-client-install", line 1327, in install
> >     api.finalize()
> >   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 659, in finalize
> >     self.__do_if_not_done('load_plugins')
> >   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 452, in __do_if_not_done
> >     getattr(self, name)()
> >   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 598, in load_plugins
> >     self.import_plugins('ipalib')
> >   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 649, in import_plugins
> >     raise e
> > ImportError: No module named krbV
> >
> > Could you help me?
> >
> > Thanks as usual
> > Marco
>
> Sounds like you don't have the python-krbV RPM installed.
>
> $ sudo yum install python-krbV
>
> should fix it.
>
> What version of freeipa-client do you have?
>
> $ rpm -q freeipa-client
>
> Does it require python-krbV?
>
> rpm -q --requires freeipa-client

[root@myhostname ~]# rpm -q freeipa-client
freeipa-client-2.1.90.rc1-0.fc16.x86_64
[root@myhostname ~]# rpm -q --requires freeipa-client
/usr/bin/python
authconfig
bind-utils
certmonger >= 0.26
cyrus-sasl-gssapi(x86-64)
freeipa-python = 2.1.90.rc1-0.fc16
krb5-workstation
libc.so.6()(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libcom_err.so.2()(64bit)
libcurl >= 7.21.7-2
libcurl.so.4()(64bit)
libk5crypto.so.3()(64bit)
libk5crypto.so.3(k5crypto_3_MIT)(64bit)
libkrb5.so.3()(64bit)
libkrb5.so.3(krb5_3_MIT)(64bit)
liblber-2.4.so.2()(64bit)
libldap-2.4.so.2()(64bit)
libpopt.so.0()(64bit)
libpopt.so.0(LIBPOPT_0)(64bit)
libsasl2.so.2()(64bit)
libxmlrpc.so.3()(64bit)
libxmlrpc_client.so.3()(64bit)
libxmlrpc_util.so.3()(64bit)
nss-tools
ntp
oddjob-mkhomedir
pam_krb5
python(abi) = 2.7
python-ldap
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PartialHardlinkSets) <= 4.0.4-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rtld(GNU_HASH)
sssd >= 1.8.0
wget
xmlrpc-c >= 1.27.4
rpmlib(PayloadIsXz) <= 5.2-1

I installed the package python-krbV as you suggested and it did the trick!
Thanks

> I think we might have introduced a dependency on python-krbV in the client
> code we weren't aware of and need to fix this. If that's true would you
> please file a bug here:
>
> https://fedorahosted.org/freeipa/

Done. https://fedorahosted.org/freeipa/ticket/2577

> --
> John Dennis
[Freeipa-users] Error during ipa-replica-install
Hi guys,
I'm running this version of FreeIPA:

[root@freeipa03 ~]# rpm -qa|grep freeipa
freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
freeipa-server-2.1.90.rc1-0.fc16.x86_64
freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
freeipa-client-2.1.90.rc1-0.fc16.x86_64
freeipa-python-2.1.90.rc1-0.fc16.x86_64

I'm having this problem:

[root@freeipa03 ~]# ipa-replica-install --setup-dns --no-forwarders /var/lib/ipa/replica-info-freeipa03.unix.mydomain.it.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'freeipa01.unix.mydomain.it':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@unix.mydomain.it password:

Cannot acquire Kerberos ticket: kinit: Invalid message type while
getting initial credentials

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.

---
I don't have any firewall between freeipa03 and freeipa01.

This is what I have in my /var/log/messages file:

Mar 20 12:03:51 freeipa03 sssd: Starting up
Mar 20 12:03:51 freeipa03 sssd[be[unix.mydomain.it]]: Starting up
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 ntpd_intres[773]: host name not found: 2.fedora.pool.ntp.org
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully called chroot().
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Successfully dropped remaining capabilities.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service file /services/ssh.service.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Loading service file /services/udisks.service.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Network interface enumeration completed.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Registering HINFO record with values 'X86_64'/'LINUX'.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Server startup complete. Host name is freeipa03.local. Local service cookie is 3668475942.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service "freeipa03" (/services/udisks.service) successfully established.
Mar 20 12:03:52 freeipa03 avahi-daemon[734]: Service "freeipa03" (/services/ssh.service) successfully established.
Mar 20 12:03:52 freeipa03 systemd-logind[764]: New seat seat0.
Mar 20 12:03:53 freeipa03 sssd[pam]: Starting up
Mar 20 12:03:53 freeipa03 sssd[nss]: Starting up
Mar 20 12:03:53 freeipa03 network[765]: Bringing up loopback interface:  [  OK  ]
Mar 20 12:03:54 freeipa03 kernel: [   25.724015] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
Mar 20 12:03:55 freeipa03 avahi-daemon[734]: Registering new address record for fe80::20c:29ff:fedc:9788 on eth0.*.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.146.134.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: New relevant interface eth0.IPv4 for mDNS.
Mar 20 12:03:56 freeipa03 avahi-daemon[734]: Registering new address record for 192.168.146.134 on eth0.IPv4.
Mar 20 12:03:56 freeipa03 network[765]: Bringing up interface eth0:  [  OK  ]
Mar 20 12:03:57 freeipa03 kernel: [   28.697268] 8021q: 802.1Q VLAN Support v1.8
Mar 20 12:03:57 freeipa03 kernel: [   28.697283] 8021q: adding VLAN 0 to HW filter on device eth0
Mar 20 12:03:57 freeipa03 rpc.statd[994]: Version 1.2.5 starting
Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 4 eth0 192.168.146.134 UDP 123
Mar 20 12:03:57 freeipa03 ntpd[741]: Listen normally on 5 eth0 fe80::20c:29ff:fedc:9788 UDP 123
Mar 20 12:03:57 freeipa03 ntpd[741]: peers refreshed
Mar 20 12:03:57 freeipa03 sm-notify[995]: Version 1.2.5 starting
Mar 20 12:03:58 freeipa03 systemd[1]: PID file /run/sendmail.pid not readable (yet?) after start.
Mar 20 12:04:04 freeipa03 ntpd_intres[773]: host name not found: 0.fedora.pool.ntp.org
Mar 20 12:04:07 freeipa03 systemd[1]: PID file /var/run/krb5kdc.pid not readable (yet?) after start.
Mar 20 12:04:09 freeipa03 ntpd_intres[773]: host name not found: 1.fedora.pool.ntp.org
Mar 20 12:04:10 freeipa03 named[1113]: starting BIND 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16 -u named
Mar 20 12:04:10 freeipa03 named[1113]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Tue, Mar 20, 2012 at 1:32 PM, Dmitri Pal wrote:
> On 03/20/2012 05:19 AM, Marco Pizzoli wrote:
> > On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal wrote:
> > > On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
> > > > On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden wrote:
> > > > > Marco Pizzoli wrote:
> > > > > > On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden wrote:
> > > > > > > Dmitri Pal wrote:
> > > > > > > > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
> > > > > > > > > Hi guys,
> > > > > > > > > I'm trying to migrate my ldap user base to freeipa. I'm
> > > > > > > > > using the last Release Candidate.
> > > > > > > > >
> > > > > > > > > I already changed "ipa config-mod --enable-migration=TRUE"
> > > > > > > > > This is what I have:
> > > > > > > > >
> > > > > > > > > ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
> > > > > > > > > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
> > > > > > > > > --user-objectclass=inetOrgPerson
> > > > > > > > > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
> > > > > > > > > --group-objectclass=posixGroup
> > > > > > > > > --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
> > > > > > > > >
> > > > > > > > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
> > > > > > > > > Password:
> > > > > > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > > > > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > > > > > ipa: ERROR: Container for group not found at
> > > > > > > > > ou=groups,dc=mydc1,dc=mydc2.it
> > > > > > > > >
> > > > > > > > > I looked at my ldap server logs and I found out that the search
> > > > > > > > > executed has scope=1. Actually both for users and groups.
> > > > > > > > > This is a problem for me, in having a lot of subtrees (ou) in
> > > > > > > > > which my users and groups are. Is there a way to manage this?
> > > > > > > > >
> > > > > > > > > Thanks in advance
> > > > > > > > > Marco
> > > > > > > > >
> > > > > > > > > P.s. As a side note, I suppose there's a typo in the verbose
> > > > > > > > > message I obtain in my output:
> > > > > > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > > > > > *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > > > >
> > > > > > > > Please open tickets for both issues.
> > > > > > >
> > > > > > > Well, I don't think either is a bug.
> > > > > > >
> > > > > > > If you have users/groups in multiple places you'll need to migrate
> > > > > > > them individually for now. It is safe to run migrate-ds multiple
> > > > > > > times, existing users are not migrated.
> > > > > >
> > > > > > I just re-executed by specifying a nested ou for my groups.
> > > > > > This is what I got:
> > > > > >
> > > > > > ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
> > > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > > u'http://freeipa01.unix.csebo.it/ipa/xml'
> > > > > > ---
> > > > > > migrate-ds:
> > > > > > ---
> > > > > > Migrated:
> > > > > > Failed user:
> > > > > >   fw03075_no: Type or value exists:
> > > > > >   [other users listed]
> > > > > > Failed group:
> > > > > >   pdbac32: Type or value exists:
> > > > > >   [other groups listed]
> > > > > > --
> > > > > > Passwords have
Re: [Freeipa-users] [Freeipa-devel] FreeIPA beta1: SELinux prohibits memcached
Hi Martin,

On Tue, Mar 20, 2012 at 1:02 PM, Martin Kosek wrote:
> On Tue, 2012-03-20 at 12:44 +0100, Marco Pizzoli wrote:
> > Hi guys,
> > I don't know if you already know this, but in my logs I can find this:
> >
> > Mar 20 12:14:47 freeipa01 setroubleshoot: SELinux is preventing /usr/bin/memcached from create access on the sock_file ipa_memcached. For complete SELinux messages. run sealert -l 85b51f4e-3f2e-4e7d-819f-1efb04836de3
> >
> > I'm running:
> >
> > [root@freeipa01 ipa]# rpm -qa|grep freeipa
> > freeipa-server-selinux-2.1.90.rc1-0.fc16.x86_64
> > freeipa-client-2.1.90.rc1-0.fc16.x86_64
> > freeipa-server-2.1.90.rc1-0.fc16.x86_64
> > freeipa-admintools-2.1.90.rc1-0.fc16.x86_64
> > freeipa-python-2.1.90.rc1-0.fc16.x86_64
> >
> > HTH
> > Marco
>
> Hello Marco,
>
> there is a SELinux policy where this issue is fixed:
>
> https://admin.fedoraproject.org/updates/FEDORA-2012-2733/selinux-policy-3.10.0-80.fc16
>
> It's still in updates-testing though. This is the appropriate BZ:
> https://bugzilla.redhat.com/show_bug.cgi?id=783592

Thanks for your answer.
Just to be aligned, actually it's still not available on the updates-testing channel either.
I see on the cli that I cannot update to that release and by looking at the link you posted I see it still has to be pushed -> current state: pending.

Thanks again
Marco

> It requires the "httpd_manage_ipa" SELinux boolean to be set; upstream
> FreeIPA bits already set it automatically during installation.
>
> Martin
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Tue, Mar 20, 2012 at 12:14 AM, Dmitri Pal wrote:
> On 03/19/2012 06:54 PM, Marco Pizzoli wrote:
> > On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden wrote:
> > > Marco Pizzoli wrote:
> > > > On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden wrote:
> > > > > Dmitri Pal wrote:
> > > > > > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
> > > > > > > Hi guys,
> > > > > > > I'm trying to migrate my ldap user base to freeipa. I'm
> > > > > > > using the last Release Candidate.
> > > > > > >
> > > > > > > I already changed "ipa config-mod --enable-migration=TRUE"
> > > > > > > This is what I have:
> > > > > > >
> > > > > > > ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
> > > > > > > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
> > > > > > > --user-objectclass=inetOrgPerson
> > > > > > > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
> > > > > > > --group-objectclass=posixGroup
> > > > > > > --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
> > > > > > >
> > > > > > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
> > > > > > > Password:
> > > > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > > > ipa: ERROR: Container for group not found at
> > > > > > > ou=groups,dc=mydc1,dc=mydc2.it
> > > > > > >
> > > > > > > I looked at my ldap server logs and I found out that the search
> > > > > > > executed has scope=1. Actually both for users and groups.
> > > > > > > This is a problem for me, in having a lot of subtrees (ou) in
> > > > > > > which my users and groups are. Is there a way to manage this?
> > > > > > >
> > > > > > > Thanks in advance
> > > > > > > Marco
> > > > > > >
> > > > > > > P.s. As a side note, I suppose there's a typo in the verbose
> > > > > > > message I obtain in my output:
> > > > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > > > *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > >
> > > > > > Please open tickets for both issues.
> > > > >
> > > > > Well, I don't think either is a bug.
> > > > >
> > > > > If you have users/groups in multiple places you'll need to migrate
> > > > > them individually for now. It is safe to run migrate-ds multiple
> > > > > times, existing users are not migrated.
> > > >
> > > > I just re-executed by specifying a nested ou for my groups.
> > > > This is what I got:
> > > >
> > > > ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
> > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > u'http://freeipa01.unix.csebo.it/ipa/xml'
> > > > ---
> > > > migrate-ds:
> > > > ---
> > > > Migrated:
> > > > Failed user:
> > > >   fw03075_no: Type or value exists:
> > > >   [other users listed]
> > > > Failed group:
> > > >   pdbac32: Type or value exists:
> > > >   [other groups listed]
> > > > --
> > > > Passwords have been migrated in pre-hashed format.
> > > > IPA is unable to generate Kerberos keys unless provided
> > > > with clear text passwords. All migrated users need to
> > > > login at https://your.domain/ipa/migration/ before they
> > > > can use their Kerberos accounts.
> > > >
> > > > I don't understand what it's trying to tell me.
> > > > On my FreeIPA ldap server I don't see any imported user.
> > > >
> > > > What's my fault here?
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Mon, Mar 19, 2012 at 8:31 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
> > On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden wrote:
> > > Dmitri Pal wrote:
> > > > On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
> > > > > Hi guys,
> > > > > I'm trying to migrate my ldap user base to freeipa. I'm
> > > > > using the last Release Candidate.
> > > > >
> > > > > I already changed "ipa config-mod --enable-migration=TRUE"
> > > > > This is what I have:
> > > > >
> > > > > ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
> > > > > --user-container="ou=people,dc=mydc1,dc=mydc2.it"
> > > > > --user-objectclass=inetOrgPerson
> > > > > --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
> > > > > --group-objectclass=posixGroup
> > > > > --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
> > > > >
> > > > > ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
> > > > > Password:
> > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > u'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > > > ipa: ERROR: Container for group not found at
> > > > > ou=groups,dc=mydc1,dc=mydc2.it
> > > > >
> > > > > I looked at my ldap server logs and I found out that the search
> > > > > executed has scope=1. Actually both for users and groups.
> > > > > This is a problem for me, in having a lot of subtrees (ou) in
> > > > > which my users and groups are. Is there a way to manage this?
> > > > >
> > > > > Thanks in advance
> > > > > Marco
> > > > >
> > > > > P.s. As a side note, I suppose there's a typo in the verbose
> > > > > message I obtain in my output:
> > > > > ipa: INFO: Forwarding 'migrate_ds' to server
> > > > > *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
> > > >
> > > > Please open tickets for both issues.
> > >
> > > Well, I don't think either is a bug.
> > >
> > > If you have users/groups in multiple places you'll need to migrate
> > > them individually for now. It is safe to run migrate-ds multiple
> > > times, existing users are not migrated.
> >
> > I just re-executed by specifying a nested ou for my groups.
> > This is what I got:
> >
> > ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
> > ipa: INFO: Forwarding 'migrate_ds' to server
> > u'http://freeipa01.unix.csebo.it/ipa/xml'
> > ---
> > migrate-ds:
> > ---
> > Migrated:
> > Failed user:
> >   fw03075_no: Type or value exists:
> >   [other users listed]
> > Failed group:
> >   pdbac32: Type or value exists:
> >   [other groups listed]
> > --
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
> >
> > I don't understand what it's trying to tell me.
> > On my FreeIPA ldap server I don't see any imported user.
> >
> > What's my fault here?
>
> The u is a pytho
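The practical consequence of Rob's answer above is that migrate-ds does a one-level (scope=1) search under each container, so a tree with users or groups in nested OUs has to be migrated one container at a time. The following is an added example, not code from the thread or from FreeIPA's own migration plugin: it emulates the one-level versus subtree search over a small constructed directory tree (hypothetical DNs), lists every container that directly holds a user or a group, and turns that list into one migrate-ds invocation per container. It mirrors the poster's own invocation in passing absolute container DNs; check `ipa help migrate-ds` for the installed version to confirm whether the container option expects an absolute DN or one relative to --base-dn, and add --bind-dn and the bind password as in the thread.

```python
import re

# Constructed sample tree (hypothetical names, not the poster's directory).
# Each entry: (DN, objectClass values). Users and groups sit in nested OUs,
# the layout that a one-level search cannot cover in a single migrate-ds run.
SAMPLE_ENTRIES = [
    ("dc=mydc1,dc=mydc2,dc=it", ["domain"]),
    ("ou=people,dc=mydc1,dc=mydc2,dc=it", ["organizationalUnit"]),
    ("uid=alice,ou=people,dc=mydc1,dc=mydc2,dc=it", ["inetOrgPerson", "posixAccount"]),
    ("cn=Smith\\, John,ou=people,dc=mydc1,dc=mydc2,dc=it", ["inetOrgPerson"]),
    ("ou=contractors,ou=people,dc=mydc1,dc=mydc2,dc=it", ["organizationalUnit"]),
    ("uid=bob,ou=contractors,ou=people,dc=mydc1,dc=mydc2,dc=it", ["inetOrgPerson"]),
    ("ou=groups,dc=mydc1,dc=mydc2,dc=it", ["organizationalUnit"]),
    ("ou=unix,ou=groups,dc=mydc1,dc=mydc2,dc=it", ["organizationalUnit"]),
    ("cn=devs,ou=unix,ou=groups,dc=mydc1,dc=mydc2,dc=it", ["posixGroup"]),
    ("cn=ops,ou=unix,ou=groups,dc=mydc1,dc=mydc2,dc=it", ["posixGroup"]),
]


def split_dn(dn):
    """Split a DN into normalised RDNs; a backslash-escaped comma (RFC 4514)
    does not separate RDNs. Lower-casing gives a case-insensitive comparison,
    good enough for container matching (not for arbitrary attribute syntaxes)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def search(entries, base, scope, objectclass):
    """Emulate an LDAP search for (objectClass=<objectclass>) under base.
    scope 'one' is what migrate-ds issues (scope=1 in the server log);
    scope 'sub' is what the poster's tree would need."""
    base_rdns = split_dn(base)
    wanted = objectclass.lower()
    hits = []
    for dn, classes in entries:
        if wanted not in (c.lower() for c in classes):
            continue
        rdns = split_dn(dn)
        depth = len(rdns) - len(base_rdns)
        if depth < 1 or rdns[-len(base_rdns):] != base_rdns:
            continue            # not below base (or is base itself)
        if scope == "one" and depth != 1:
            continue            # one-level search skips anything in a nested OU
        hits.append(",".join(rdns))
    return hits


def containers_for(entries, base, objectclass):
    """All containers that directly hold at least one matching entry, i.e. the
    set of --user-container / --group-container values needed so that the
    one-level searches together reach every entry a subtree search would."""
    return sorted({parent_dn(dn) for dn in search(entries, base, "sub", objectclass)})


def migrate_ds_plan(entries, base, user_oc="inetOrgPerson", group_oc="posixGroup",
                    ldap_uri="ldap://ldap01"):
    """One 'ipa migrate-ds' invocation per container pair. Re-running over an
    already migrated container is safe (existing entries are skipped), so the
    shorter list is padded with its last container. --bind-dn and the bind
    password are deliberately left out; pass them as in the thread."""
    users = containers_for(entries, base, user_oc)
    groups = containers_for(entries, base, group_oc)
    if not users or not groups:
        raise ValueError("no user or no group container found under %s" % base)
    runs = []
    for i in range(max(len(users), len(groups))):
        u = users[min(i, len(users) - 1)]
        g = groups[min(i, len(groups) - 1)]
        runs.append(
            f'ipa migrate-ds --user-container="{u}" --user-objectclass={user_oc} '
            f'--group-container="{g}" --group-objectclass={group_oc} '
            f'--base-dn="{base}" --with-compat {ldap_uri}'
        )
    return runs


if __name__ == "__main__":
    base = "dc=mydc1,dc=mydc2,dc=it"
    # Reproduces the poster's situation: nothing directly under ou=groups.
    print("one-level at ou=groups:", search(SAMPLE_ENTRIES, "ou=groups," + base, "one", "posixGroup"))
    for cmd in migrate_ds_plan(SAMPLE_ENTRIES, base):
        print(cmd)
```

With the sample tree, a one-level search at ou=groups returns nothing (the groups live in ou=unix,ou=groups), which is the same empty result the poster saw, while the plan produces two runs: one for ou=contractors,ou=people and one for ou=people, both pointed at ou=unix,ou=groups.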
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
Hi

On Mon, Mar 19, 2012 at 6:44 PM, Simo Sorce wrote:
> On Mon, 2012-03-19 at 12:36 -0400, Simo Sorce wrote:
>> On Mon, 2012-03-19 at 14:46 +0100, Marco Pizzoli wrote:
>>> On Mon, Mar 19, 2012 at 2:32 PM, Simo Sorce wrote:
>>>> On Mon, 2012-03-19 at 13:51 +0100, Marco Pizzoli wrote:
>>>>> In attachment. You can find only one, but all of them are
>>>>> equivalent from this point.
>>>>> They are indeed seen as structural, even if my added schema file
>>>>> declares them as auxiliary.
>>>>
>>>> Can you attach the (sanitized) schema file you added to 389ds ?
>>>
>>> Already done on this thread. See my previous mail to Dmitri.
>>>
>>>> Also can you run a ldapsearch command and search in the 'cn=schema'
>>>> base ? This will give you back what 389ds sends to a client.
>>>>
>>>> This command searches for everything but uses an attribute filter to
>>>> show only the objectclasses:
>>>> ldapsearch -x -h server -b 'cn=schema' 'objectClasses'
>>>>
>>>> No need to attach everything returned, just edit the result and attach
>>>> only the results for your classes.
>>>
>>> Ok, here it is:
>>> [root@freeipa01 ~]# ldapsearch -h 127.0.0.1 -x -D"cn=Directory Manager" -s base -W -b "cn=schema" "objectClasses"|perl -0pe 's/\n //g'
>>>
>>> objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' DESC 'Definizione di attributi specifici per gli utenti XXX' STRUCTURAL MAY xxxUfficio )
>>> objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi XXX' STRUCTURAL MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ) )
>>> objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.4 NAME 'xxxWebminAttributes' DESC 'Definizione di attributi specifici per gli oggetti Webmin' STRUCTURAL MAY xxxWebminAmbiente )
>>> objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' STRUCTURAL MAY xxxDB2GruppiPrivilegi )
>>> objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.1 NAME 'xxxAttributes' DESC 'Definizione di attributi specifici per utilizzo interno' STRUCTURAL MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo $ xxxDB2GruppiPrivilegi ) )
>>>
>>> By seeing this output, I just checked again and I confirm that in my
>>> file /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif they are
>>> still AUXILIARY.
>>
>> This is odd, indeed, I will resurrect the bug you opened with a better
>> description,
>> thanks.
>
> Marco,
> I discussed this briefly with Nathan and it seems that it may be a parser
> error. 389DS parser is quite strict and wants the various definitions in
> the precise order they are defined in the RFCs. I guess that means that
> if you reorder where you define the type (AUXILIARY/STRUCTURAL) in the
> string you'll get the right behavior. As is I think AUXILIARY is simply
> ignored because it is in the wrong position and the default STRUCTURAL
> is used.
>
> If you can change your schema file to define AUS/STR in the right order
> (see other IPA ldif file for hints) and can confirm it is an ordering
> problem we can open a documentation bug to explain this behavior until
> the underlying parser is improved to better handle random ordered
> definitions.

Yes, I modified the position of the "SUP top AUXILIARY" part and now it's ok!!

My use case was in converting a working OpenLDAP schema file with the script
published on the 389-ds wiki[1]. I would ask/suggest/like/appreciate it being
improved for dealing with this thing too... I'm not a programmer, in that case
I would offer to do it... :-/

[1] http://directory.fedoraproject.org/download/ol-macro-expand.pl

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
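As an added example, not code from the thread, from 389-ds or from FreeIPA, here is a small Python checker for the ordering problem Simo describes: it tokenizes an objectclasses: description, reports clauses that are out of RFC 4512 order (the kind keyword belongs after SUP and before MUST/MAY, not before DESC, which is where the converted file put it) and re-emits the description in canonical order, so a misordered file is caught before 389-ds silently falls back to STRUCTURAL. The sample LDIF is constructed from the first two object classes in the thread; all function names are mine.

```python
import re

# RFC 4512 section 4.1.1 order of the clauses of an ObjectClassDescription.
# The three kind keywords (ABSTRACT/STRUCTURAL/AUXILIARY) share one slot,
# between SUP and MUST; X- extensions come last.
CLAUSE_ORDER = ["NAME", "DESC", "OBSOLETE", "SUP", "KIND", "MUST", "MAY"]
KIND_WORDS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY"}
TOKEN_RE = re.compile(r"'[^']*'|[()$]|[^\s()'$]+")


def _slot(keyword):
    """Position of a clause keyword in RFC order; unknown/X- extensions go last."""
    key = "KIND" if keyword in KIND_WORDS else keyword
    return CLAUSE_ORDER.index(key) if key in CLAUSE_ORDER else len(CLAUSE_ORDER)


def _is_keyword(tok):
    return tok in CLAUSE_ORDER or tok in KIND_WORDS or tok.startswith("X-")


def parse_objectclass(definition):
    """Split '( oid NAME ... )' into (oid, [(keyword, value_tokens), ...]) in source order."""
    toks = TOKEN_RE.findall(definition.strip())
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("objectClass description must be wrapped in ( )")
    toks = toks[1:-1]
    oid, clauses, i = toks[0], [], 1
    while i < len(toks):
        keyword = toks[i]
        if not _is_keyword(keyword):
            raise ValueError("unexpected token %r" % keyword)
        i += 1
        value = []
        while i < len(toks) and not _is_keyword(toks[i]):  # value runs to next keyword
            value.append(toks[i])
            i += 1
        clauses.append((keyword, value))
    return oid, clauses


def ordering_problems(clauses):
    """Adjacent clause pairs that violate RFC order, e.g. 'DESC after AUXILIARY'."""
    return ["%s after %s" % (b[0], a[0])
            for a, b in zip(clauses, clauses[1:]) if _slot(b[0]) < _slot(a[0])]


def canonical(oid, clauses):
    """Re-emit the description with clauses in RFC order; values are left untouched."""
    parts = [oid]
    for keyword, value in sorted(clauses, key=lambda c: _slot(c[0])):  # stable sort
        parts.append(keyword)
        parts.extend(value)
    return "( " + " ".join(parts) + " )"


def declared_kind(clauses):
    """Kind keyword as written in the file, or STRUCTURAL (the RFC default) if absent."""
    for keyword, _ in clauses:
        if keyword in KIND_WORDS:
            return keyword
    return "STRUCTURAL"


def check_schema_ldif(text):
    """Map objectClass NAME -> ordering problems for each objectclasses: line of a
    schema LDIF; folded continuation lines (newline + one space) are unfolded first."""
    report = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() != "objectclasses":
            continue
        oid, clauses = parse_objectclass(value)
        name = next((v[0].strip("'") for k, v in clauses if k == "NAME"), oid)
        report[name] = ordering_problems(clauses)
    return report


# Constructed sample in the layout the thread's converter produced for the first
# class (kind keyword before DESC) and the corrected layout for the second one.
SAMPLE_LDIF = """\
dn: cn=schema
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' SUP top
  AUXILIARY DESC 'Definizione di attributi specifici per gli utenti XXX'
  MAY ( xxxUfficio ))
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes'
  DESC 'Definizione di attributi specifici per i gruppi XXX' SUP top AUXILIARY
  MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ) )
"""

if __name__ == "__main__":
    for name, problems in check_schema_ldif(SAMPLE_LDIF).items():
        print(name, "OK" if not problems else "misordered: " + ", ".join(problems))
```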
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Mon, Mar 19, 2012 at 2:42 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>> Hi guys,
>>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>>> Release Candidate.
>>>
>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>> This is what I have:
>>>
>>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>> --user-objectclass=inetOrgPerson
>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>> --group-objectclass=posixGroup
>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>
>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>> Password:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>> ipa: ERROR: Container for group not found at
>>> ou=groups,dc=mydc1,dc=mydc2.it
>>>
>>> I looked at my ldap server logs and I found out that the search
>>> executed has scope=1. Actually both for users and groups. This is a
>>> problem for me, in having a lot of subtrees (ou) in which my users and
>>> groups are. Is there a way to manage this?
>>>
>>> Thanks in advance
>>> Marco
>>>
>>> P.s. As a side note, I suppose there's a typo in the verbose message I
>>> obtain in my output:
>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>> *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>>
>> Please open tickets for both issues.
>
> Well, I don't think either is a bug.
>
> If you have users/groups in multiple places you'll need to migrate them
> individually for now. It is safe to run migrate-ds multiple times, existing
> users are not migrated.

I just re-executed by specifying a nested ou for my groups. This is what I got:

ipa: INFO: trying https://freeipa01.unix.csebo.it/ipa/xml
ipa: INFO: Forwarding 'migrate_ds' to server u'http://freeipa01.unix.csebo.it/ipa/xml'
---
migrate-ds:
---
Migrated:
Failed user:
fw03075_no: Type or value exists:
[other users listed]
Failed group:
pdbac32: Type or value exists:
[other groups listed]
--
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided with clear text
passwords. All migrated users need to login at
https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

I don't understand what it's trying to tell me.
On my FreeIPA ldap server I don't see any imported user.

What's my fault here?

> The u is a python-ism for unicode. This is not a bug.

Please, could you give a little more detail on this? It's only a hint on what
that data represents in a Python variable?

Thanks again
Marco

> rob
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
On Mon, Mar 19, 2012 at 2:32 PM, Simo Sorce wrote:
> On Mon, 2012-03-19 at 13:51 +0100, Marco Pizzoli wrote:
>> In attachment. You can find only one, but all of them are equivalent
>> from this point.
>> They are indeed seen as structural, even if my added schema file
>> declares them as auxiliary.
>
> Can you attach the (sanitized) schema file you added to 389ds ?

Already done on this thread. See my previous mail to Dmitri.

> Also can you run a ldapsearch command and search in the 'cn=schema'
> base ? This will give you back what 389ds sends to a client.
> This command searches for everything but uses an attribute filter to
> show only the objectclasses:
> ldapsearch -x -h server -b 'cn=schema' 'objectClasses'
>
> No need to attach everything returned, just edit the result and attach
> only the results for your classes.

Ok, here it is:

[root@freeipa01 ~]# ldapsearch -h 127.0.0.1 -x -D"cn=Directory Manager" -s base -W -b "cn=schema" "objectClasses"|perl -0pe 's/\n //g'

objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' DESC 'Definizione di attributi specifici per gli utenti XXX' STRUCTURAL MAY xxxUfficio )
objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi XXX' STRUCTURAL MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ) )
objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.4 NAME 'xxxWebminAttributes' DESC 'Definizione di attributi specifici per gli oggetti Webmin' STRUCTURAL MAY xxxWebminAmbiente )
objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' STRUCTURAL MAY xxxDB2GruppiPrivilegi )
objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.1 NAME 'xxxAttributes' DESC 'Definizione di attributi specifici per utilizzo interno' STRUCTURAL MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo $ xxxDB2GruppiPrivilegi ) )

By seeing this output, I just checked again and I confirm that in my file
/etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif they are still AUXILIARY.

Marco
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Mon, Mar 19, 2012 at 1:43 PM, Simo Sorce wrote:
> On Sun, 2012-03-18 at 18:33 +0100, Marco Pizzoli wrote:
>> On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal wrote:
>>> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>>>> Hi guys,
>>>> I'm trying to migrate my ldap user base to freeipa. I'm
>>>> using the last Release Candidate.
>>>>
>>>> I already changed "ipa config-mod --enable-migration=TRUE"
>>>> This is what I have:
>>>>
>>>> ipa -v migrate-ds
>>>> --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>>>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>>>> --user-objectclass=inetOrgPerson
>>>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>>>> --group-objectclass=posixGroup
>>>> --base-dn="dc=mydc1,dc=mydc2.it" --with-compat ldap://ldap01
>>>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>>>> Password:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>> ipa: ERROR: Container for group not found at
>>>> ou=groups,dc=mydc1,dc=mydc2.it
>>>>
>>>> I looked at my ldap server logs and I found out that the
>>>> search executed has scope=1. Actually both for users and
>>>> groups. This is a problem for me, in having a lot of
>>>> subtrees (ou) in which my users and groups are. Is there a
>>>> way to manage this?
>>>>
>>>> Thanks in advance
>>>> Marco
>>>>
>>>> P.s. As a side note, I suppose there's a typo in the verbose
>>>> message I obtain in my output:
>>>> ipa: INFO: Forwarding 'migrate_ds' to server
>>>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>>>
>>> Please open tickets for both issues.
>>
>> Done:
>> https://fedorahosted.org/freeipa/ticket/2547
>> https://fedorahosted.org/freeipa/ticket/2546
>>
>> Do you have a hint on how to manage to do this import in the meantime?
>> Every manual step is ok for me.
>
> Maybe you can try performing a new migration for each of the subtrees
> you have in your source tree, assuming it is a reasonable number, by
> reconfiguring the migrate-ds bases between each run.

Yes, I was thinking the same... :-)
To be able to script "ipa migrate-ds", I would need a parameter for setting
the password on the CLI. I suppose it isn't there by design, right?

Thanks again
Marco
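As an added example, not FreeIPA's code and not from the thread, a Python helper for the per-subtree migration Simo suggests: it reads an LDIF export of the source directory, lists the distinct parent containers of inetOrgPerson and posixGroup entries (which is exactly what a scope-one search under --user-container and --group-container covers) and builds one ipa migrate-ds command per container pair, reusing the options from Marco's command line. The LDIF is constructed sample data, the full-DN container form follows the thread's command, and the commands are returned for review rather than executed, so the password prompt stays interactive.

```python
import re
from itertools import zip_longest

# Constructed LDIF export of the source tree (sample data, not from the thread).
# Users and groups sit in nested ou= subtrees, which a scope-one search under a
# single --user-container / --group-container would never reach.
SAMPLE_LDIF = """\
dn: uid=alice,ou=dev,ou=people,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=ops,ou=people,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=people,dc=mydc1,dc=mydc2.it
objectClass: inetOrgPerson
uid: carol

dn: cn=devs,ou=unix,ou=groups,dc=mydc1,dc=mydc2.it
objectClass: posixGroup
cn: devs

dn: ou=dev,ou=people,dc=mydc1,dc=mydc2.it
objectClass: organizationalUnit
ou: dev
"""


def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; folded lines are unfolded first.
    Base64 (::) values are not needed for DN/objectClass and are kept verbatim."""
    text = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs


def parent_dn(dn):
    """DN of the entry's container: drop the leading RDN at the first unescaped comma."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[1]


def containers(entries, objectclass):
    """Distinct parent DNs of entries carrying objectclass, in first-seen order."""
    seen = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if objectclass.lower() in classes:
            parent = parent_dn(dn)
            if parent not in seen:
                seen.append(parent)
    return seen


def plan_runs(user_containers, group_containers):
    """Pair user and group containers into migrate-ds runs. The shorter list's first
    entry is reused as filler, which is safe because (per Rob in the thread)
    migrate-ds can run repeatedly and skips already-migrated entries."""
    fill_user = user_containers[0] if user_containers else None
    fill_group = group_containers[0] if group_containers else None
    return [(u or fill_user, g or fill_group)
            for u, g in zip_longest(user_containers, group_containers)]


def migrate_commands(ldif_text, base_dn, bind_dn, ldap_uri):
    """One ipa migrate-ds command line per container pair found in the export."""
    entries = list(parse_ldif(ldif_text))
    user_cs = containers(entries, "inetOrgPerson")
    group_cs = containers(entries, "posixGroup")
    template = ('ipa migrate-ds --bind-dn="%s" --user-container="%s" '
                '--group-container="%s" --user-objectclass=inetOrgPerson '
                '--group-objectclass=posixGroup --base-dn="%s" --with-compat %s')
    return [template % (bind_dn, uc, gc, base_dn, ldap_uri)
            for uc, gc in plan_runs(user_cs, group_cs)]


if __name__ == "__main__":
    for cmd in migrate_commands(SAMPLE_LDIF, "dc=mydc1,dc=mydc2.it",
                                "cn=manager,dc=mydc1,dc=mydc2.it", "ldap://ldap01"):
        print(cmd)
```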
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
On Mon, Mar 19, 2012 at 1:15 PM, Simo Sorce wrote:
> On Sun, 2012-03-18 at 13:59 +0100, Marco Pizzoli wrote:
>> Hi Simo,
>>
>> On Sat, Mar 17, 2012 at 7:16 PM, Simo Sorce wrote:
>>> On Sat, 2012-03-17 at 11:12 +0100, Marco Pizzoli wrote:
>>>> Hi guys,
>>>>
>>>> I extended my set of LDAP objectClasses associated to users by adding
>>>> my new objectClass to my cn=ipaConfig LDAP entry, the
>>>> ipaUserObjectClasses attribute.
>>>> Then, I created a new user with the web ui and I see the new
>>>> objectClass associated with that user, but as structural instead of
>>>> auxiliary. I don't know why, could you help me?
>>>>
>>>> Same thing happened for my groups. I added 3 objectClasses and now I
>>>> see all of them as structural. I would understand an answer: all
>>>> objectClasses eventually result as structural, but so why, for
>>>> example, the ipaObject is still an auxiliary objectClass?
>>>
>>> The objectClass type depends on the schema. It is not something that
>>> changes after you assign it to an object.
>>
>> Yes, your answer surely does make sense.
>>
>> My question was triggered by the fact that, AFAICS, not all
>> objectClasses are structural as well.
>> In fact I can see that, for my group object, the objectClass
>> "ipaobject" has been defined as auxiliary, while others structural.
>> For users, I see that *only my objectClass* is defined as structural.
>> All others as auxiliary.
>>
>> In attachment you can see 2 images that immediately represent what I'm
>> trying to explain.
>>
>> If this was the intended behaviour, I would be really interested in
>> knowing what is the rationale behind this.
>> Only curiosity, as usual :-)
>
> Objectclasses have no structural/auxiliary "attribute" in an object,
> it's your ldap browser that is returning the labeling by (I guess )
> searching the schema.

Exact. I admit I have not been so clear in my explanation.

> I guess your object is getting it wrong, or the schema you defined in
> 389ds has these classes marked structural.
>
> search the schema with your browser and see how it identifies these
> classes ?

In attachment. You can find only one, but all of them are equivalent from
this point. They are indeed seen as structural, even if my added schema file
declares them as auxiliary.

> I see you also opened a bug, but it makes little sense to me. I will
> close it as invalid for now, unless there is evidence 389ds returns the
> wrong type from the schema tree.

Ok, I agree.

Thanks as usual
Marco

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Problem in "ipa migrate-ds" procedure
On Sun, Mar 18, 2012 at 5:49 PM, Dmitri Pal wrote:
> On 03/17/2012 07:36 AM, Marco Pizzoli wrote:
>> Hi guys,
>> I'm trying to migrate my ldap user base to freeipa. I'm using the last
>> Release Candidate.
>>
>> I already changed "ipa config-mod --enable-migration=TRUE"
>> This is what I have:
>>
>> ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
>> --user-container="ou=people,dc=mydc1,dc=mydc2.it"
>> --user-objectclass=inetOrgPerson
>> --group-container="ou=groups,dc=mydc1,dc=mydc2.it"
>> --group-objectclass=posixGroup --base-dn="dc=mydc1,dc=mydc2.it"
>> --with-compat ldap://ldap01
>> ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
>> Password:
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> u'http://freeipa01.unix.mydomain.it/ipa/xml'
>> ipa: ERROR: Container for group not found at
>> ou=groups,dc=mydc1,dc=mydc2.it
>>
>> I looked at my ldap server logs and I found out that the search executed
>> has scope=1. Actually both for users and groups. This is a problem for me,
>> in having a lot of subtrees (ou) in which my users and groups are. Is there
>> a way to manage this?
>>
>> Thanks in advance
>> Marco
>>
>> P.s. As a side note, I suppose there's a typo in the verbose message I
>> obtain in my output:
>> ipa: INFO: Forwarding 'migrate_ds' to server
>> *u*'http://freeipa01.unix.mydomain.it/ipa/xml'
>
> Please open tickets for both issues.

Done:
https://fedorahosted.org/freeipa/ticket/2547
https://fedorahosted.org/freeipa/ticket/2546

Do you have a hint on how to manage to do this import in the meantime?
Every manual step is ok for me.

Thanks again
Marco
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
On Sun, Mar 18, 2012 at 6:04 PM, Dmitri Pal wrote:
> On 03/18/2012 01:00 PM, Marco Pizzoli wrote:
>> Hi Dmitri,
>>
>> On Sun, Mar 18, 2012 at 5:41 PM, Dmitri Pal wrote:
>>> On 03/18/2012 08:59 AM, Marco Pizzoli wrote:
>>>> Hi Simo,
>>>>
>>>> On Sat, Mar 17, 2012 at 7:16 PM, Simo Sorce wrote:
>>>>> On Sat, 2012-03-17 at 11:12 +0100, Marco Pizzoli wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> I extended my set of LDAP objectClasses associated to users by adding
>>>>>> my new objectClass to my cn=ipaConfig LDAP entry, the
>>>>>> ipaUserObjectClasses attribute.
>>>>>> Then, I created a new user with the web ui and I see the new
>>>>>> objectClass associated with that user, but as structural instead of
>>>>>> auxiliary. I don't know why, could you help me?
>>>>>>
>>>>>> Same thing happened for my groups. I added 3 objectClasses and now I
>>>>>> see all of them as structural. I would understand an answer: all
>>>>>> objectClasses eventually result as structural, but so why, for
>>>>>> example, the ipaObject is still an auxiliary objectClass?
>>>>>
>>>>> The objectClass type depends on the schema. It is not something that
>>>>> changes after you assign it to an object.
>>>>
>>>> Yes, your answer surely does make sense.
>>>>
>>>> My question was triggered by the fact that, AFAICS, not all objectClasses
>>>> are structural as well.
>>>> In fact I can see that, for my group object, the objectClass "ipaobject"
>>>> has been defined as auxiliary, while others structural.
>>>> For users, I see that *only my objectClass* is defined as structural. All
>>>> others as auxiliary.
>>>>
>>>> In attachment you can see 2 images that immediately represent what I'm
>>>> trying to explain.
>>>>
>>>> If this was the intended behaviour, I would be really interested in
>>>> knowing what is the rationale behind this.
>>>> Only curiosity, as usual :-)
>>>>
>>>> Thanks again for your patience!
>>>
>>> AFAIU the object classes that are added to users and groups need to be
>>> first defined in the schema.
>>> I assume you have done so otherwise all sorts of errors would have shown
>>> up. Am I correct?
>>
>> Exact. I followed the instructions on extending the schema on 389-ds, by
>> inserting a file in my /etc/dirsrv//schema dir.
>> Everything went ok, and I can see from phpldapadmin that the DSA correctly
>> presents my objectClasses as available to use for extending objects.
>>
>>> I do not recognize the object classes as standard object classes. But
>>> my knowledge might be limited.
>>
>> Exact, they are "mine" objects, under a reserved OID number.
>>
>>> Can you show how you defined these new object classes in schema? You
>>> might have not specified the type and it defaulted to structural.
>>
>> This was a schema file created for OpenLDAP and which is currently in
>> production.
>> I used the script posted on the 389-ds HowTo for the migration from
>> OpenLDAP schema files to 389-ds format.
>> Here you can find it. A little camouflaged, of course.
>>
>> [root@freeipa01 ~]# cat /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif
>> dn: cn=schema
>> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.4 NAME 'xxxUfficio' DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
>> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli utenti XXX' MAY ( xxxUfficio ))
>> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.1 NAME 'xxxProgetto' DESC 'Nome del macro-progetto associato a questo gruppo LDAP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
>> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.2 NAME 'xxxAmbiente' DESC 'Nome di ambiente SVIL-TEST-VALID-PROD associato al progetto' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
>> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.5 NAME 'xxxTipoGruppo' DESC 'Tipologia di gruppo' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
>> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))
>> attributetypes: ( 1.3.6.1.4.1.3600
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
Hi Dmitri,

On Sun, Mar 18, 2012 at 5:41 PM, Dmitri Pal wrote:
> On 03/18/2012 08:59 AM, Marco Pizzoli wrote:
>> Hi Simo,
>>
>> On Sat, Mar 17, 2012 at 7:16 PM, Simo Sorce wrote:
>>> On Sat, 2012-03-17 at 11:12 +0100, Marco Pizzoli wrote:
>>>> Hi guys,
>>>>
>>>> I extended my set of LDAP objectClasses associated to users by adding
>>>> my new objectClass to my cn=ipaConfig LDAP entry, the
>>>> ipaUserObjectClasses attribute.
>>>> Then, I created a new user with the web ui and I see the new
>>>> objectClass associated with that user, but as structural instead of
>>>> auxiliary. I don't know why, could you help me?
>>>>
>>>> Same thing happened for my groups. I added 3 objectClasses and now I
>>>> see all of them as structural. I would understand an answer: all
>>>> objectClasses eventually result as structural, but so why, for
>>>> example, the ipaObject is still an auxiliary objectClass?
>>>
>>> The objectClass type depends on the schema. It is not something that
>>> changes after you assign it to an object.
>>
>> Yes, your answer surely does make sense.
>>
>> My question was triggered by the fact that, AFAICS, not all objectClasses
>> are structural as well.
>> In fact I can see that, for my group object, the objectClass "ipaobject"
>> has been defined as auxiliary, while others structural.
>> For users, I see that *only my objectClass* is defined as structural. All
>> others as auxiliary.
>>
>> In attachment you can see 2 images that immediately represent what I'm
>> trying to explain.
>>
>> If this was the intended behaviour, I would be really interested in
>> knowing what is the rationale behind this.
>> Only curiosity, as usual :-)
>>
>> Thanks again for your patience!
>
> AFAIU the object classes that are added to users and groups need to be
> first defined in the schema.
> I assume you have done so otherwise all sorts of errors would have shown
> up. Am I correct?

Exact. I followed the instructions on extending the schema on 389-ds, by
inserting a file in my /etc/dirsrv//schema dir.
Everything went ok, and I can see from phpldapadmin that the DSA correctly
presents my objectClasses as available to use for extending objects.

> I do not recognize the object classes as standard object classes. But
> my knowledge might be limited.

Exact, they are "mine" objects, under a reserved OID number.

> Can you show how you defined these new object classes in schema? You
> might have not specified the type and it defaulted to structural.

This was a schema file created for OpenLDAP and which is currently in
production.
I used the script posted on the 389-ds HowTo for the migration from
OpenLDAP schema files to 389-ds format.
Here you can find it. A little camouflaged, of course.

[root@freeipa01 ~]# cat /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif
dn: cn=schema
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.4 NAME 'xxxUfficio' DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli utenti XXX' MAY ( xxxUfficio ))
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.1 NAME 'xxxProgetto' DESC 'Nome del macro-progetto associato a questo gruppo LDAP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.2 NAME 'xxxAmbiente' DESC 'Nome di ambiente SVIL-TEST-VALID-PROD associato al progetto' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.5 NAME 'xxxTipoGruppo' DESC 'Tipologia di gruppo' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.6 NAME 'xxxWebminAmbiente' DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.4 NAME 'xxxWebminAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli oggetti Webmin' MAY ( xxxWebminAmbiente ))
attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.3 NAME 'xxxDB2GruppiPrivilegi' DESC 'Tipologia di gruppo creato per accesso al D
Re: [Freeipa-users] Doubt on FreeIPA LDAP extensibility
Hi Simo,

On Sat, Mar 17, 2012 at 7:16 PM, Simo Sorce wrote:
> On Sat, 2012-03-17 at 11:12 +0100, Marco Pizzoli wrote:
>> Hi guys,
>>
>> I extended my set of LDAP objectClasses associated to users by adding
>> my new objectClass to my cn=ipaConfig LDAP entry, the
>> ipaUserObjectClasses attribute.
>> Then, I created a new user with the web ui and I see the new
>> objectClass associated with that user, but as structural instead of
>> auxiliary. I don't know why, could you help me?
>>
>> Same thing happened for my groups. I added 3 objectClasses and now I
>> see all of them as structural. I would understand an answer: all
>> objectClasses eventually result as structural, but so why, for
>> example, the ipaObject is still an auxiliary objectClass?
>
> The objectClass type depends on the schema. It is not something that
> changes after you assign it to an object.

Yes, your answer surely does make sense.

My question was triggered by the fact that, AFAICS, not all objectClasses
are structural as well.
In fact I can see that, for my group object, the objectClass "ipaobject"
has been defined as auxiliary, while others structural.
For users, I see that *only my objectClass* is defined as structural. All
others as auxiliary.

In attachment you can see 2 images that immediately represent what I'm
trying to explain.

If this was the intended behaviour, I would be really interested in
knowing what is the rationale behind this.
Only curiosity, as usual :-)

Thanks again for your patience!
Marco

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Problem in "ipa migrate-ds" procedure
Hi guys,
I'm trying to migrate my ldap user base to freeipa. I'm using the last
Release Candidate.

I already changed "ipa config-mod --enable-migration=TRUE"
This is what I have:

ipa -v migrate-ds --bind-dn="cn=manager,dc=mydc1,dc=mydc2.it"
--user-container="ou=people,dc=mydc1,dc=mydc2.it"
--user-objectclass=inetOrgPerson
--group-container="ou=groups,dc=mydc1,dc=mydc2.it"
--group-objectclass=posixGroup --base-dn="dc=mydc1,dc=mydc2.it"
--with-compat ldap://ldap01
ipa: INFO: trying https://freeipa01.unix.mydomain.it/ipa/xml
Password:
ipa: INFO: Forwarding 'migrate_ds' to server
u'http://freeipa01.unix.mydomain.it/ipa/xml'
ipa: ERROR: Container for group not found at ou=groups,dc=mydc1,dc=mydc2.it

I looked at my ldap server logs and I found out that the search executed
has scope=1. Actually both for users and groups. This is a problem for me,
in having a lot of subtrees (ou) in which my users and groups are. Is there
a way to manage this?

Thanks in advance
Marco

P.s. As a side note, I suppose there's a typo in the verbose message I
obtain in my output:
ipa: INFO: Forwarding 'migrate_ds' to server
*u*'http://freeipa01.unix.mydomain.it/ipa/xml'
[Freeipa-users] Migration from LDAP to IPA
Hi,
by looking at the RHEL6 IPA documentation I can find instructions on how to
migrate from an existing LDAP server to IPA. It cites the step:

ipa config-mod --enable-migration=TRUE

Please, could you explain to me what is the internal scope of this command?

Also, is it normal that (always in the doc) after executing "ipa migrate-ds"
I don't have to revert to

ipa config-mod --enable-migration=FALSE

Thanks again
Marco
Re: [Freeipa-users] User Level Ticket Policies from Web UI?
On Sun, Feb 26, 2012 at 9:09 PM, Dmitri Pal wrote:
> On 02/26/2012 02:17 PM, Marco Pizzoli wrote:
>> On Sun, Feb 26, 2012 at 7:35 PM, Dmitri Pal wrote:
>>> On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
>>>> Hi guys,
>>>> I see that there is not a web ui interface for setting user level ticket
>>>> policies?
>>>> Is there a particular reason for this? Just a curiosity.
>>>
>>> We do not think there is a lot of value in one off password policies.
>>> The password policies can be set per group. What is the real world use case
>>> to set them per user? Even if you have a special user that needs a special
>>> password policy it is usually not just one user but rather a group of those.
>>>
>>> Can you come up with an example where such logic has a flaw?
>>
>> Hi Dmitri,
>> My question was not related to the feature per se, but about the fact that
>> there is not a web ui to do it while it's there using the CLI. So I'm
>> curious to know what was the reason for the different dealing.
>
> AFAIR the only place where we allow the changes to the ticket policy is in the
> global config both in UI and CLI. Per user you can use setattr/addattr and
> change it but we do not expose everything one can do via setattr/addattr in
> the UI.

Apologies for not having written the reference before: I'm talking about
12.2.2 of the RHEL6-doc.

>> Coming to your answer, (correct me if I am wrong!) on the RHEL6-doc I
>> don't see any note pertaining to group based password policies.
>
> Section 11.2.2

Yes, my fault. Thanks again

>> So now, I ask you if this is a FreeIPA 2.2 feature I have not seen so far.
>>
>> Thanks again
>> Marco
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] User Level Ticket Policies from Web UI?
On Sun, Feb 26, 2012 at 7:35 PM, Dmitri Pal wrote:
> On 02/25/2012 07:48 AM, Marco Pizzoli wrote:
>> Hi guys,
>> I see that there is not a web ui interface for setting user level ticket
>> policies?
>> Is there a particular reason for this? Just a curiosity.
>
> We do not think there is a lot of value in one off password policies. The
> password policies can be set per group. What is the real world use case to
> set them per user? Even if you have a special user that needs a special
> password policy it is usually not just one user but rather a group of those.
>
> Can you come up with an example where such logic has a flaw?

Hi Dmitri,
My question was not related to the feature per se, but about the fact that
there is not a web ui to do it while it's there using the CLI. So I'm
curious to know what was the reason for the different dealing.

Coming to your answer, (correct me if I am wrong!) on the RHEL6-doc I don't
see any note pertaining to group based password policies.
So now, I ask you if this is a FreeIPA 2.2 feature I have not seen so far.

Thanks again
Marco
Re: [Freeipa-users] Strange klist output
On Sat, Feb 25, 2012 at 3:20 PM, Simo Sorce wrote:
> On Sat, 2012-02-25 at 13:53 +0100, Marco Pizzoli wrote:
> > Hi, as you know I'm working with FreeIPA 2.1.90.
> >
> > By following documentation I checked my tickets by issuing the klist
> > command but I'm obtaining an output slightly different than the one on
> > the doc.
> >
> > [root@freeipa01 ~]# klist -kt /etc/krb5.keytab
> > Keytab name: WRFILE:/etc/krb5.keytab
> > KVNO Timestamp         Principal
> > ---- ----------------- --------------------------------------------------
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >    2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it
> >
> > I see 6 rows as duplicated. Is it normal? Please, could you explain
> > what is happening?
>
> Use -e to see what enctypes are reported.

[root@freeipa01 ~]# klist -kt /etc/krb5.keytab -e
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (aes256-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (aes128-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des3-cbc-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (arcfour-hmac)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des-hmac-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain...@unix.mydomain.it (des-cbc-md5)

Thanks
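The six "duplicate" rows are one key version (KVNO 2) stored under six encryption types. As an added example, not code from the thread, this Python script parses klist -kte output, groups rows by principal and KVNO, and goes one step beyond the thread by flagging single-DES, 3DES and RC4 (arcfour) keys, which RFC 6649 and RFC 8429 deprecate; the sample output and the full principal name in it are constructed.

```python
"""Group klist -kte rows by principal/KVNO and flag deprecated enctypes.

Added example, not from the mailing-list thread. The sample below is
constructed to look like 'klist -kt /etc/krb5.keytab -e' output.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the output quoted in the thread
# (the principal is spelled out in full here; the thread's copy was truncated).
SAMPLE_KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (aes256-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (aes128-cts-hmac-sha1-96)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (des3-cbc-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (arcfour-hmac)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (des-hmac-sha1)
   2 02/15/12 18:28:58 host/freeipa01.unix.mydomain.it@UNIX.MYDOMAIN.IT (des-cbc-md5)
"""

# Enctype name prefixes that are deprecated: single DES (RFC 6649),
# triple DES and RC4/arcfour (RFC 8429).
DEPRECATED_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-")

# One keytab row: KVNO, timestamp, principal and, with -e, "(enctype)".
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<timestamp>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)"
    r"(?:\s*\((?P<enctype>[^)]+)\))?\s*$"
)


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples; enctype is None when
    klist was run without -e. Header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal"),
                            m.group("enctype")))
    return entries


def group_by_key(entries):
    """Map (principal, kvno) -> list of enctypes. One key version stored
    under N enctypes shows up as N rows, which is the duplication asked about."""
    groups = defaultdict(list)
    for kvno, principal, enctype in entries:
        groups[(principal, kvno)].append(enctype)
    return dict(groups)


def deprecated_enctypes(entries):
    """Return (principal, enctype) pairs whose enctype is deprecated."""
    return [
        (principal, enctype)
        for _, principal, enctype in entries
        if enctype and enctype.startswith(DEPRECATED_ENCTYPE_PREFIXES)
    ]


if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST_OUTPUT)
    for (principal, kvno), enctypes in group_by_key(parsed).items():
        print(f"{principal} kvno={kvno}: {len(enctypes)} enctypes -> "
              + ", ".join(enctypes))
    for principal, enctype in deprecated_enctypes(parsed):
        print(f"WARNING: {principal} still has a {enctype} key")
```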
[Freeipa-users] User Level Ticket Policies from Web UI?
Hi guys,
I see that there is not a web ui interface for setting user level ticket policies?
Is there a particular reason for this? Just a curiosity.

Thanks
Marco
[Freeipa-users] ipa.keytab - Maybe found bug in documentation
Hi guys,
please confirm that this is a bug in the documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/kerberos.html#about-keytabs

12.1.2. About Protecting Keytabs
To protect keytab files, reset the permissions and ownership to restrict access to the files to only the keytab owner. For example, set the owner of the Apache keytab (/etc/httpd/conf/ipa.keytab) to httpd and the mode to 0600.

It should be the "apache" user, shouldn't it?
I only checked on a RHEL6 system that the httpd user is "apache", but I have not checked with a RHEL6-&-FreeIPA system.

Thanks as usual
Marco
Re: [Freeipa-users] Fwd: Question about alpha release process
On Fri, Feb 24, 2012 at 4:54 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
> > Hi guys,
> > Sorry to resend this, but this information would be helpful to me.
> >
> > Thanks in advance as usual
> > Marco
> >
> > ------ Forwarded message --
> > From: Marco Pizzoli <marco.pizzoli@gmail.com>
> > Date: Wed, Feb 22, 2012 at 11:08 AM
> > Subject: Question about alpha release process
> > To: freeipa-devel@redhat.com
> >
> > Hi guys,
> > during next days I'm going to put more effort on my FreeIPA project, so
> > I would appreciate to test (and report problems/bugs, of course) with
> > other alpha versions of FreeIPA 2.2.
> > Have you got any plan to release other alpha versions shortly?
> >
> > Just to know, thanks a lot as usual.
> > Marco
>
> Nice timing, I had a response started to your original e-mail in another
> e-mail window :-)

Have I won something? :-)

> The changes so far since the last alpha have been relatively minor which
> is why I haven't done another alpha so far (DNS being the exception). We
> have quite a lot of pending fixes I'm going to roll up into a release at
> the end of next week. Since we'll be feature complete I'll probably call it
> beta 1.

Thanks a lot for letting me know!

> regards
>
> rob
[Freeipa-users] Fwd: Question about alpha release process
Hi guys, Sorry to resend this, but this information would be helpful to me. Thanks in advance as usual Marco -- Forwarded message -- From: Marco Pizzoli Date: Wed, Feb 22, 2012 at 11:08 AM Subject: Question about alpha release process To: freeipa-de...@redhat.com Hi guys, during next days I'm going to put more effort on my FreeIPA project, so I would appreciate to test (and report problems/bugs, of course) with other alpha versions of FreeIPA 2.2. Have you got any plan to release other alpha versions shortly? Just to know, thanks a lot as usual. Marco ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] A way to rename a host and/or a host group?
On Wed, Feb 22, 2012 at 10:34 PM, JR Aquino wrote:
> On Feb 22, 2012, at 1:24 PM, Marco Pizzoli wrote:
> > Hi guys,
> > I see that there's no way to rename a host once created. Same issue with
> > host groups.
> > Could you confirm that it is by design and so I never will be able to do
> > that?
> >
> > Thanks
> > Marco (wanting to rename everything :-( )
>
> Hi Marco. Yes, you do need to fully delete and uninstall a host from
> FreeIPA before readding it with a new name.
>
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html
>
> What may make this easier for you is a feature in 389 DS called Automember:
>
> http://directory.fedoraproject.org/wiki/Auto_Membership_Design
>
> Automember is a way to use regular expression to tie a given fqdn-type to
> a given hostgroup. So that when you 'add' a host with a similar name, say:
> webserver2.example.com, the host automatically ends up in the
> 'webservers' host group.
>
> If you wish for a bunch of hosts to be "renamed"/re-provisioned, and
> automatically assigned to a new hostgroup, you can predefine the regex
> mapping and make this process a little easier.
>
> FreeIPA provides a CLI (and in 2.1.90, a WebUI) for managing these entries.
>
> Here is the help doc from the cli tool:
>
> Auto Membership Rule.
>
> Bring clarity to the membership of hosts and users by configuring inclusive
> or exclusive regex patterns, you can automatically assign new entries into
> a group or hostgroup based upon attribute information.
>
> A rule is directly associated with a group by name, so you cannot create
> a rule without an accompanying group or hostgroup.
>
> A condition is a regular expression used by 389-ds to match a new incoming
> entry with an automember rule. If it matches an inclusive rule then the
> entry is added to the appropriate group or hostgroup.
>
> EXAMPLES:
>
>  Create the initial group or hostgroup:
>    ipa hostgroup-add --desc="Web Servers" webservers
>    ipa group-add --desc="Developers" devel
>
>  Create the initial rule:
>    ipa automember-add --type=hostgroup webservers
>    ipa automember-add --type=group devel
>
>  Add a condition to the rule:
>    ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
>    ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel
>
>  Add an exclusive condition to the rule to prevent auto assignment:
>    ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers
>
>  Add a host:
>    ipa host-add web1.example.com
>
>  Add a user:
>    ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott
>
>  Verify automembership:
>    ipa hostgroup-show webservers
>      Host-group: webservers
>      Description: Web Servers
>      Member hosts: web1.example.com
>
>    ipa group-show devel
>      Group name: devel
>      Description: Developers
>      GID: 100420
>      Member users: tuser
>
>  Remove a condition from the rule:
>    ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
>
>  Modify the automember rule:
>    ipa automember-mod
>
>  Set the default target group:
>    ipa automember-default-group-set --default-group=webservers --type=hostgroup
>    ipa automember-default-group-set --default-group=ipausers --type=group
>
>  Set the default target group:
>    ipa automember-default-group-remove --type=hostgroup
>    ipa automember-default-group-remove --type=group
>
>  Show the default target group:
>    ipa automember-default-group-show --type=hostgroup
>    ipa automember-default-group-show --type=group
>
>  Find all of the automember rules:
>    ipa automember-find
>
>  Display an automember rule:
>    ipa automember-show --type=hostgroup webservers
>    ipa automember-show --type=group devel
>
>  Delete an automember rule:
>    ipa automember-del --type=hostgroup webservers
>    ipa automember-del --type=group devel
>
> Topic commands:
>   automember-add                   Add an automember rule.
>   automember-add-condition         Add conditions to an automember rule.
>   automember-default-group-remove  Remove default group for all unmatched entries.
>   automember-default-group-set     Set default group for all unmatched entries.
>   automember-default-group-show    Display information about the default automember groups.
>   automember-del                   Delete an automember rule.
>   a
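To see how the inclusive, exclusive and default-group pieces of the help text above combine, here is an added Python model of the rule evaluation (not the 389 DS plugin or IPA code), driven by the thread's own regexes and group names. The precedence of exclusive over inclusive conditions and the fallback to the default group for unmatched entries are assumptions about the plugin's behaviour, stated here rather than taken from the thread.

```python
"""Model of automember rule evaluation (added example, not 389 DS/IPA code).

Assumptions, marked as such: an entry matching any exclusive regex of a
rule is never added by that rule; an entry matching no rule of its type
goes to that type's default group when one is set.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AutomemberRule:
    name: str                       # target group / hostgroup name
    rule_type: str                  # "hostgroup" or "group"
    inclusive: list = field(default_factory=list)   # (attribute, regex) pairs
    exclusive: list = field(default_factory=list)   # (attribute, regex) pairs

    def _any_match(self, conditions, entry):
        # entry maps attribute names to lists of values, like an LDAP entry.
        for key, regex in conditions:
            for value in entry.get(key, []):
                if re.search(regex, value):
                    return True
        return False

    def matches(self, entry):
        """Exclusive conditions win over inclusive ones (assumption)."""
        if self._any_match(self.exclusive, entry):
            return False
        return self._any_match(self.inclusive, entry)


def assign(entry, entry_type, rules, default_groups=None):
    """Return the groups a new entry of 'entry_type' would be added to.
    'default_groups' maps rule type to the default target group, if any."""
    default_groups = default_groups or {}
    applicable = [r for r in rules if r.rule_type == entry_type]
    targets = [r.name for r in applicable if r.matches(entry)]
    if not targets and default_groups.get(entry_type):
        # Unmatched entries land in the default group (assumption).
        targets = [default_groups[entry_type]]
    return targets


# Rules mirroring the EXAMPLES section of the quoted help text.
RULES = [
    AutomemberRule("webservers", "hostgroup",
                   inclusive=[("fqdn", r"^web[1-9]+\.example\.com")],
                   exclusive=[("fqdn", r"^web5\.example\.com")]),
    AutomemberRule("devel", "group",
                   inclusive=[("manager", r"^uid=mscott")]),
]
# Default groups as set by the automember-default-group-set examples.
DEFAULTS = {"hostgroup": "webservers", "group": "ipausers"}


if __name__ == "__main__":
    for fqdn in ("web1.example.com", "web5.example.com", "db1.example.com"):
        print(fqdn, "->", assign({"fqdn": [fqdn]}, "hostgroup", RULES, DEFAULTS))
    user = {"uid": ["tuser"], "manager": ["uid=mscott,cn=users,cn=accounts,dc=example,dc=com"]}
    print("tuser ->", assign(user, "group", RULES, DEFAULTS))
```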
[Freeipa-users] A way to rename a host and/or a host group?
Hi guys, I see that there's no way to rename a host once created. Same issue with host groups. Could you confirm that it is by design and so I never will be able to do that? Thanks Marco (wanting to rename everything :-( ) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Bug in documentation or in CLI tools?
Hi guys,
in a previous question about FreeIPA 2.1.90 I submitted to you, I received from Martin the answer to use the command:

"ipa dnszone-mod *--dynamic-update=TRUE* "

I used it and I successfully achieved my purpose, but comparing this command against the documentation (both RHEL and Fedora) I think I found an incongruence.
Both here[1] and here[2] the parameter of dnszone-mod to enable dynamic updates is reported being "*--allow-dynupdate*".

Have I found a bug in the documentation? Or is it a difference between FreeIPA 2.1 and FreeIPA 2.1.90?

Thanks in advance
Marco

[1] http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/modifying-dns-zones.html#editing-dns-zone-cmd
[2] https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/modifying-dns-zones.html#editing-dns-zone-cmd
Re: [Freeipa-users] automatic dns update failing
On Mon, Feb 20, 2012 at 9:46 AM, Martin Kosek wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with
> > automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my
> > deployment?
> >
> > Thanks in advance as usual
> > Marco
>
> Hello Marco,
>
> please check the settings of the zone you are trying to add clients to.
> GSS-TSIG updates are not enabled by default for new zones, it may be
> your case.
>
> This is an entry for my zone 'example.com' where dynamic updates are
> enabled:
>
> # ipa dnszone-show example.com --all
>   dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>   Zone name: example.com
>   Authoritative nameserver: ns.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 2012200201
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
> > BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * ; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
>   Active zone: TRUE
> > Dynamic update: TRUE
>   nsrecord: ns.example.com.
>   objectclass: top, idnsrecord, idnszone
>
> I have marked the important attributes with ">". I would also make sure
> that the zone is properly loaded in bind-dyndb-ldap plugin (you can for
> example try to retrieve its SOA record with dig).

Hi Martin,
yes this is the case:

[root@freeipa01 ~]# ipa dnszone-show internet.unix.mydomain.it --all
  dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  Administrator e-mail address: hostmaster.internet.unix.mydomain.it.
  SOA serial: 2012180201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.
  objectclass: top, idnsrecord, idnszone

So, could you tell me how I should do to have my (new) zone being eventually updated?
A link to a doc page would suffice.

Thanks a lot
Marco
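An added Python check (not IPA code) that parses the "ipa dnszone-show --all" output quoted above and reports why named would deny a GSS-TSIG update from the client: "Dynamic update: FALSE", an inactive zone, or a BIND update policy without a "grant REALM krb5-self * A" statement. The two zone texts are constructed from the zones in this thread (the AAAA grant in the first one is filled in by assumption), and the suggested fix is the --dynamic-update=TRUE option from the "Bug in documentation or in CLI tools?" thread.

```python
"""Diagnose why an IPA DNS zone refuses GSS-TSIG dynamic updates.

Added example, not IPA code. Parses the 'Key: value' block printed by
'ipa dnszone-show <zone> --all' and the 'grant ...;' statements of the
BIND update policy.
"""
import re

# Constructed from Martin's zone in the thread; the AAAA grant is an assumption.
ZONE_WITH_UPDATES = """\
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: ns.example.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012200201
  BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant IDM.LAB.BOS.REDHAT.COM krb5-self * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: TRUE
  nsrecord: ns.example.com.
"""

# Constructed from Marco's zone in the thread (no update policy, updates off).
ZONE_WITHOUT_UPDATES = """\
  dn: idnsname=internet.unix.mydomain.it,cn=dns,dc=unix,dc=mydomain,dc=it
  Zone name: internet.unix.mydomain.it
  Authoritative nameserver: freeipa01.unix.mydomain.it.
  SOA serial: 2012180201
  Active zone: TRUE
  Dynamic update: FALSE
  nsrecord: freeipa01.unix.mydomain.it.
"""

# One BIND update-policy statement: grant <identity> <matchtype> <name> [types];
GRANT_RE = re.compile(
    r"grant\s+(?P<realm>\S+)\s+(?P<mode>\S+)\s+(?P<name>\S+)\s*(?P<types>[^;]*);"
)


def parse_zone(text):
    """Turn the 'Key: value' lines into a dict; values are kept as strings."""
    zone = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            zone[key.strip()] = value.strip()
    return zone


def parse_update_policy(policy):
    """Return one dict per 'grant' statement; 'types' is a list of RR types
    (empty when the statement names none)."""
    return [
        {"realm": m.group("realm"), "mode": m.group("mode"),
         "name": m.group("name"), "types": m.group("types").split()}
        for m in GRANT_RE.finditer(policy)
    ]


def diagnose(zone, realm):
    """List the reasons a GSS-TSIG A-record update from a host in 'realm'
    would be denied; an empty list means the zone looks ready."""
    problems = []
    if zone.get("Active zone", "").upper() != "TRUE":
        problems.append("zone is not active")
    if zone.get("Dynamic update", "").upper() != "TRUE":
        name = zone.get("Zone name", "<zone>")
        problems.append("dynamic updates are disabled; enable them with: "
                        f"ipa dnszone-mod {name} --dynamic-update=TRUE")
    grants = parse_update_policy(zone.get("BIND update policy", ""))
    if not any(g["realm"] == realm and g["mode"] == "krb5-self"
               and "A" in g["types"] for g in grants):
        problems.append(f"BIND update policy has no 'grant {realm} krb5-self * A'")
    return problems


if __name__ == "__main__":
    for text, realm in ((ZONE_WITH_UPDATES, "IDM.LAB.BOS.REDHAT.COM"),
                        (ZONE_WITHOUT_UPDATES, "UNIX.MYDOMAIN.IT")):
        zone = parse_zone(text)
        print(zone["Zone name"], "->", diagnose(zone, realm) or ["ok"])
```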
Re: [Freeipa-users] automatic dns update failing
On Sun, Feb 19, 2012 at 8:47 PM, Simo Sorce wrote:
> On Sun, 2012-02-19 at 17:23 +0100, Marco Pizzoli wrote:
> > Hi,
> > During my setup today I'm always failing in enrolling clients with
> > automatic dns updates.
> > I'm playing with FreeIPA 2.1.90, but I guess this is a general
> > problem, not strictly due to the alpha version.
> >
> > I'm doing a "ipa-client-install --enable-dns-updates" and at the
> > console I see:
> > Failed to update DNS A record. (Command '/usr/bin/nsupdate
> > -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)
> >
> > I see in server logs that named refuses it:
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558:
> > update 'internet.unix.mydomain.it/IN' denied
> > Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809:
> > update 'internet.unix.mydomain.it/IN' denied
> >
> > What is the cause? What other information do you need about my
> > deployment?
>
> Did you install freeipa with the --setup-dns option ?
> And does your client use the freeipa dns server in that case ?
>
> If either answer is no, it is normal to see the update fail as a non
> freeipa dns server wouldn't be able to accept the update (unless you
> manually configured the external server to handle GSS-TSIG updates).
>
> If both answers are yes then we may need to activate debug logging in
> named, as it is supposed to work.

Yes to both.
Please let me know the best way to do it and I will follow it.

---
I already found a bug with the web ui. I'll send another mail in a few minutes.

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] automatic dns update failing
Hi,
During my setup today I'm always failing in enrolling clients with automatic dns updates.
I'm playing with FreeIPA 2.1.90, but I guess this is a general problem, not strictly due to the alpha version.

I'm doing a "ipa-client-install --enable-dns-updates" and at the console I see:
Failed to update DNS A record. (Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 2)

I see in server logs that named refuses it:
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#38558: update 'internet.unix.mydomain.it/IN' denied
Feb 19 17:05:25 freeipa01 named[2089]: client 192.168.20.112#40809: update 'internet.unix.mydomain.it/IN' denied

What is the cause? What other information do you need about my deployment?

Thanks in advance as usual
Marco
Re: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install
On Tue, Feb 14, 2012 at 8:25 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
> > On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Marco Pizzoli wrote:
> >
> >         Hi guys,
> >         I'm running freeipa-server-2.1.4-5.fc16.x86_64.
> >
> >         Following the documentation I can see that to uninstall and
> >         reinstall a freeipa system it is sufficient to:
> >
> >         > ipa-server-install
> >         > ipa-server-install --uninstall
> >         > ipa-server-install
> >
> >         Well, when re-installing the system, I get this error on the
> >         console:
> >         [cut]
> >         done configuring named.
> >         Configuration of client side components failed!
> >         ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> >         --on-master --unattended --domain unix.mydomain.it --server
> >         freeipa01.unix.mydomain.it --realm UNIX.MYDOMAIN.IT --hostname
> >         freeipa01.unix.mydomain.it' returned non-zero exit status 1
> >
> >         I had a look to /var/log/ipaclient-install.log and I saw these lines
> >
> >         [cut]
> >         2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> >         2012-02-14 09:53:39,435 DEBUG stdout=
> >         2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> >         Resolving freeipa01.unix.mydomain.it... 192.168.146.131
> >         Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80... connected.
> >         HTTP request sent, awaiting response... 200 OK
> >         Length: 1325 (1.3K) [application/x-x509-ca-cert]
> >         Saving to: “/etc/ipa/ca.crt”
> >
> >              0K .                                               100%  270M=0s
> >
> >         2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt” saved [1325/1325]
> >
> >         2012-02-14 09:53:39,436 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
> >         2012-02-14 09:53:39,463 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> >         2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already configured in existing SSSD config, creating a new one.
> >         2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> >         2012-02-14 09:53:39,643 DEBUG stdout=
> >         2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> >
> >         So I tried a new "ipa-server-install --uninstall" and checked the file
> >         /etc/ipa/ca.crt. And it remained there.
> >         What is the problem?
> >
> >     The problem isn't the existence of the file, it is the existence of
> >     the cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d /etc/pki/nsdb
> >
> > [root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
> > certutil: could not find certificate named "IPA CA": security library: bad database.
>
> Well that's strange. Can you run: certutil -L -d /etc/pki/nssdb ?

More strange... I re-did a freeipa-install and it worked...
Thanks anyway
Re: [Freeipa-users] Problem in ipa-server-install -> uninstall -> install
On Tue, Feb 14, 2012 at 3:24 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
> > Hi guys,
> > I'm running freeipa-server-2.1.4-5.fc16.x86_64.
> >
> > Following the documentation I can see that to uninstall and reinstall a
> > freeipa system it is sufficient to:
> >
> > > ipa-server-install
> > > ipa-server-install --uninstall
> > > ipa-server-install
> >
> > Well, when re-installing the system, I get this error on the console:
> > [cut]
> > done configuring named.
> > Configuration of client side components failed!
> > ipa-client-install returned: Command '/usr/sbin/ipa-client-install
> > --on-master --unattended --domain unix.mydomain.it --server freeipa01.unix.mydomain.it
> > --realm UNIX.MYDOMAIN.IT --hostname freeipa01.unix.mydomain.it'
> > returned non-zero exit status 1
> >
> > I had a look to /var/log/ipaclient-install.log and I saw these lines
> >
> > [cut]
> > 2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> > 2012-02-14 09:53:39,435 DEBUG stdout=
> > 2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
> > Resolving freeipa01.unix.mydomain.it... 192.168.146.131
> > Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 1325 (1.3K) [application/x-x509-ca-cert]
> > Saving to: “/etc/ipa/ca.crt”
> >
> >      0K .                                               100%  270M=0s
> >
> > 2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt” saved [1325/1325]
> >
> > 2012-02-14 09:53:39,436 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
> > 2012-02-14 09:53:39,463 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
> > 2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already configured in existing SSSD config, creating a new one.
> > 2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
> > 2012-02-14 09:53:39,643 DEBUG stdout=
> > 2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.
> >
> > So I tried a new "ipa-server-install --uninstall" and checked the file
> > /etc/ipa/ca.crt. And it remained there.
> > What is the problem?
>
> The problem isn't the existence of the file, it is the existence of the
> cert in /etc/pki/nssdb. Try running: certutil -D -n 'IPA CA' -d /etc/pki/nsdb

[root@freeipa01 ~]# certutil -D -n 'IPA CA' -d /etc/pki/nssdb/
certutil: could not find certificate named "IPA CA": security library: bad database.

Thanks again
Marco

> Re-install should succeed then.
>
> rob
[Freeipa-users] Problem in ipa-server-install -> uninstall -> install
Hi guys,
I'm running freeipa-server-2.1.4-5.fc16.x86_64.

Following the documentation I can see that to uninstall and reinstall a freeipa system it is sufficient to:

> ipa-server-install
> ipa-server-install --uninstall
> ipa-server-install

Well, when re-installing the system, I get this error on the console:
[cut]
done configuring named.
Configuration of client side components failed!
ipa-client-install returned: Command '/usr/sbin/ipa-client-install --on-master --unattended --domain unix.mydomain.it --server freeipa01.unix.mydomain.it --realm UNIX.MYDOMAIN.IT --hostname freeipa01.unix.mydomain.it' returned non-zero exit status 1

I had a look to /var/log/ipaclient-install.log and I saw these lines

[cut]
2012-02-14 09:53:39,435 DEBUG args=/usr/bin/wget -O /etc/ipa/ca.crt http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
2012-02-14 09:53:39,435 DEBUG stdout=
2012-02-14 09:53:39,435 DEBUG stderr=--2012-02-14 09:53:39-- http://freeipa01.unix.mydomain.it/ipa/config/ca.crt
Resolving freeipa01.unix.mydomain.it... 192.168.146.131
Connecting to freeipa01.unix.mydomain.it|192.168.146.131|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1325 (1.3K) [application/x-x509-ca-cert]
Saving to: “/etc/ipa/ca.crt”

     0K .                                               100%  270M=0s

2012-02-14 09:53:39 (270 MB/s) - “/etc/ipa/ca.crt” saved [1325/1325]

2012-02-14 09:53:39,436 DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2012-02-14 09:53:39,463 DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2012-02-14 09:53:39,540 DEBUG Domain unix.csebo.it is already configured in existing SSSD config, creating a new one.
2012-02-14 09:53:39,642 DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt
2012-02-14 09:53:39,643 DEBUG stdout=
2012-02-14 09:53:39,643 DEBUG stderr=certutil: could not obtain certificate from file: You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.

So I tried a new "ipa-server-install --uninstall" and checked the file /etc/ipa/ca.crt. And it remained there.
What is the problem?

Thanks
Marco
Re: [Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?
Hi Adam,

On Mon, Feb 13, 2012 at 5:58 PM, Adam Young wrote:
> On 02/12/2012 04:00 PM, Marco Pizzoli wrote:
> > Hi,
> > I see DogTag PKI used as a certificate server for the enrollment of hosts
> > and services.
> > What about the enrollment of normal X509v3 certificates? I have not seen,
> > correct me if I'm wrong, any reference to the possibility to use it as a
> > regular CA for user certificates. Not within FreeIPA, of course.
> >
> > Is there any drawback in using it as the primary CA for the company?
>
> It is a full CA. You can use it as such. Dogtag is a vibrant project in
> its own right, and you can find developers on #dogtag-pki in Freenode.
> The install is done via pkisilent, and you might want to make sure that
> you understand the parameters used to call it.

I will. Thanks for the pointer.

> One major drawback is that IPA has disabled Nonces in the Dogtag backend.
> These are there to defend against a CSRF attack. What this means is that
> you should not expose the Dogtag WebUI through the IPA server, either on
> its Dogtag port or via HTTP proxy. It should be explicitly stated that IPA
> implements Nonces for its web UI, and does not allow session based calls
> through to the Dogtag back end, so its configuration is secure. The
> problem is only exposed if you expose additional web URLs to the Dogtag
> backend beyond those specified in the PKI Proxy.
>
> Enabling nonces will break IPA.

You told me something I wasn't aware of. I will dig into this during next weeks.

> I've installed and used the standard Java tools for Dogtag and used them
> to talk to the PKI backend installed by IPA. They work fine.

Ok, this is what I hoped to read! :-)

> Currently, IPA acts as a single Agent in Dogtag. This should be fine.
> For other certificate usage, you should probably use a different agent.

Please be patient with me, I don't understand yet the concept of "agent". Even a reference to the documentation would be helpful to me.

> IPA does not currently support user certificates. However, there are
> standard LDAP object classes and attributes that you could conceivably use
> to record them if you wanted to keep them in a single DirSrv. Obviously,
> you do not want to put the private keys on the IPA server, so plan
> accordingly.

I will, I promise :-)

> Red Hat does not support using the Certificate Server (PKI) backend with
> its Identity management install for purposes other than support for the IdM
> (IPA) front end, so beware that you have no "up sell" if you desire to get
> paid support for IPA.

I understand.
I link a question I'm curious of: if I remember correctly, on the PKI-user mailing list I read a user complaining about RH not selling RHCS standalone anymore. Is it true?

You've been very helpful! Your blog too.. :-)
Thanks a lot!
Marco
Re: [Freeipa-users] Future audit feature
On Mon, Feb 13, 2012 at 6:27 PM, Dmitri Pal wrote:
> On 02/13/2012 11:28 AM, Marco Pizzoli wrote:
> > Hi John,
> >
> > On Mon, Feb 13, 2012 at 5:23 PM, John Dennis wrote:
> >> On 02/13/2012 09:14 AM, Marco Pizzoli wrote:
> >>> Hi guys,
> >>> I'm interested to know what is the expected feature that I have to
> >>> expect from the Audit part of IPA.
> >>>
> >>> I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview
> >>> I see that are mentioned watchers on directories for alerting on file
> >>> alterations.
> >>> What is the final high-level purpose? I suppose not only anti
> >>> tampering...
> >>
> >> The audit portion of IPA has been put on hold while we focus on the
> >> core identity and policy components.
> >
> > Yes, I'm aware of this.
> >
> >> A significant part of the audit component was collecting log information
> >> from all services on a host and aggregating them on a central server for
> >> analysis and archiving. The directory watching you saw on the
> >> aforementioned page is exactly for the purposes of watching log file
> >> manipulation.
> >
> > Good.
> >
> >> There has been a *lot* of recent discussion on how to perform logging in
> >> the larger community as well as capturing auditable system events. As yet
> >> there hasn't been a consensus. Until such time as a consensus forms around
> >> the methods, tools, and libraries in this domain we won't proceed further
> >> with the A part of IPA. However, we are actively participating in these
> >> discussions.
> >
> > I'm very interested in this topic. Please, could you tell me where I can
> > read these discussions?
>
> Some of them are internal to Red Hat just because we want to understand
> the use cases before we wrap our head around the audit on OS level and
> reach out to different communities looking for ideas.

Ok, I understand.

> There will be some discussions on the developer conference in Brno later
> this week.
> I will keep you updated as soon as I have something to share.

Thank you very much indeed.
Re: [Freeipa-users] Future audit feature
Hi John,

On Mon, Feb 13, 2012 at 5:23 PM, John Dennis wrote:
> On 02/13/2012 09:14 AM, Marco Pizzoli wrote:
> > Hi guys,
> > I'm interested to know what is the expected feature that I have to
> > expect from the Audit part of IPA.
> >
> > I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview
> > I see that are mentioned watchers on directories for alerting on file
> > alterations.
> > What is the final high-level purpose? I suppose not only anti tampering...
>
> The audit portion of IPA has been put on hold while we focus on the
> core identity and policy components.

Yes, I'm aware of this.

> A significant part of the audit component was collecting log information
> from all services on a host and aggregating them on a central server for
> analysis and archiving. The directory watching you saw on the
> aforementioned page is exactly for the purposes of watching log file
> manipulation.

Good.

> There has been a *lot* of recent discussion on how to perform logging in
> the larger community as well as capturing auditable system events. As yet
> there hasn't been a consensus. Until such time as a consensus forms around
> the methods, tools, and libraries in this domain we won't proceed further
> with the A part of IPA. However, we are actively participating in these
> discussions.

I'm very interested in this topic. Please, could you tell me where I can read these discussions?

Thanks!
Marco
[Freeipa-users] Future audit feature
Hi guys,
I'm interested to know what is the expected feature that I have to expect from the Audit part of IPA.

I had a look at this: http://www.freeipa.org/page/Audit_Design_Overview
I see that watchers on directories are mentioned for alerting on file alterations.
What is the final high-level purpose? I suppose not only anti-tampering...

Thanks a lot as usual!
Marco
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
On Sun, Feb 12, 2012 at 10:26 PM, Alexander Bokovoy wrote:
> On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > > > Here they are.
> > > > I think that it is not worth sending an attachment of over 1.2MB to the
> > > > entire list, even if I don't have any personal data in them.
> > > Thanks. Could you please edit /usr/sbin/ipactl and change timeout
> > > parameter at lines 125 and 128 to something greater than 6? Maybe 10
> > > or even 15... The parameter is seconds to time out:
> > > ..
> > > wait_for_open_socket(lurl.hostport, timeout=6)
> > > ..
> > > wait_for_open_ports(host, [int(port)], timeout=6)
> > > ..
> > >
> > > Looks like your VM is so slow that ipactl simply times out to wait for
> > > the directory server to respond. We've seen this before with some
> > > other VMs.
> >
> > Good catch!
> > I tried with 25, but same result :-(
> > I tried with 45 and now it is up!
> >
> > Please, could you confirm that the following "exited" is not a bad thing:
> >
> > [root@freeipa04 ~]# systemctl|grep ipa
> > ipa.service          loaded active *exited* Identity, Policy, Audit
> > ipa_kpasswd.service  loaded active running   IPA Kerberos password service
> *exited* is fine, it is /usr/sbin/ipactl exited after running the
> startup sequence.

Ok, thanks.

> Would you mind to file a ticket against FreeIPA to make this time out
> configurable in /etc/ipa/default.conf? This is something that we can't
> predict in all cases so this would be per-system setting.

Done. https://fedorahosted.org/freeipa/ticket/2375

For the record, in creating a new ticket I notice that I can specify as affected version only versions "2.0" and "alpha3".

Marco
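The startup timeout discussed in this thread, as an added example that is not FreeIPA's ipactl code: a port-wait helper of the same shape as the quoted wait_for_open_ports(host, ports, timeout) call, with the timeout read from a [global] key in a default.conf-style file instead of a hardcoded 6 seconds, run against a constructed slow listener to reproduce the "gave up too early" failure. The key name startup_timeout and the slow listener are assumptions, not FreeIPA options or behaviour.

```python
"""Wait for a service's TCP ports with a configurable startup timeout.

Added example (not FreeIPA's own ipactl code): it mirrors the shape of the
wait_for_open_ports(host, ports, timeout) call discussed in the thread, but
takes the timeout from a [global] key in a default.conf-style file instead of
hardcoding 6 seconds.  The key name 'startup_timeout' is an assumption, not a
real FreeIPA option, and the slow listener below is a constructed stand-in for
a directory server that takes a while to start accepting connections.
"""
import configparser
import socket
import threading
import time

HARDCODED_TIMEOUT = 6  # seconds; the value quoted from ipactl in the thread


def read_startup_timeout(conf_text, default=HARDCODED_TIMEOUT):
    """Return the startup timeout from an ini-style config, or `default`
    when the [global] section or the (hypothetical) startup_timeout key is
    missing or is not a positive integer."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    try:
        value = cp.getint("global", "startup_timeout")
    except (configparser.NoSectionError, configparser.NoOptionError, ValueError):
        return default
    return value if value > 0 else default


def port_open(host, port, connect_timeout=0.2):
    """One connection attempt; a refused or timed-out connect counts as closed."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except OSError:
        return False


def wait_for_open_ports(host, ports, timeout):
    """Poll until every port in `ports` accepts a TCP connection.

    Returns True if all ports opened before `timeout` seconds elapsed and
    False otherwise.  A too-small timeout produces exactly the failure the
    thread describes: the service would have come up, but the caller gave
    up first and reported the start as failed.
    """
    deadline = time.monotonic() + timeout
    pending = list(ports)
    while True:
        pending = [p for p in pending if not port_open(host, p)]
        if not pending:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(0.1)


def start_slow_listener(delay):
    """Constructed slow service: bind a loopback port immediately (so the
    port number is known) but only call listen() after `delay` seconds.
    Until then connection attempts are refused, like a directory server
    that is still recovering its database.  Returns (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def go():
        time.sleep(delay)
        srv.listen(5)

    threading.Thread(target=go, daemon=True).start()
    return port, srv


def demo(service_delay=0.8):
    """Run both outcomes against the same slow service: a short, fixed
    timeout gives up too early, while a generous configured timeout waits
    long enough.  Returns (short_result, configured_result)."""
    port, srv = start_slow_listener(service_delay)
    try:
        short = wait_for_open_ports("127.0.0.1", [port], timeout=0.2)
        # constructed config fragment; 45 s is the value that worked in the thread
        configured = read_startup_timeout("[global]\nstartup_timeout = 45\n")
        generous = wait_for_open_ports("127.0.0.1", [port], timeout=configured)
    finally:
        srv.close()
    return short, generous


if __name__ == "__main__":
    print(demo())  # (False, True)
```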
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
> > Here they are.
> > I think that it is not worth sending an attachment of over 1.2MB to the
> > entire list, even if I don't have any personal data in them.
> Thanks. Could you please edit /usr/sbin/ipactl and change timeout
> parameter at lines 125 and 128 to something greater than 6? Maybe 10
> or even 15... The parameter is seconds to time out:
> ..
> wait_for_open_socket(lurl.hostport, timeout=6)
> ..
> wait_for_open_ports(host, [int(port)], timeout=6)
> ..
>
> Looks like your VM is so slow that ipactl simply times out to wait for
> the directory server to respond. We've seen this before with some
> other VMs.

Good catch!
I tried with 25, but same result :-(
I tried with 45 and now it is up!

Please, could you confirm that the following "exited" is not a bad thing:

[root@freeipa04 ~]# systemctl|grep ipa
ipa.service          loaded active *exited* Identity, Policy, Audit
ipa_kpasswd.service  loaded active running   IPA Kerberos password service

Thanks a lot!
Marco

--
Strong is not the one who does not fall, but the one who, having fallen, has the strength to get up again.
Jim Morrison
[Freeipa-users] FreeIPA DogTag PKI as a regular Certification Authority?
Hi,
I see DogTag PKI used as a certificate server for the enrollment of hosts and services.
What about the enrollment of normal X509v3 certificates? I have not seen, correct me if I'm wrong, any reference to the possibility to use it as a regular CA for user certificates. Not within FreeIPA, of course.
Is there any drawback in using it as the primary CA for the company?

Thanks a lot again!
Marco
[Freeipa-users] Questions about AD Synchronization
Hi guys,
a couple of questions about AD synchronization. I read in the guide these points:

- A synchronization operation runs every five minutes.
  --> I read that it can be triggered on demand, but is it possible to change the value of this frequency?

- Synchronization can only be configured with one Active Directory domain. Multiple domains are not supported.
  --> Will they be in a future version?

- While modifications are bi-directional (going both from Active Directory to FreeIPA and from FreeIPA to Active Directory), new accounts are only uni-directional. New accounts created in Active Directory are synchronized over to FreeIPA. However, user accounts created in FreeIPA must also be added in Active Directory before they will be synchronized.
  ---> What is the origin of this restriction? I mean, why can't a user be created in AD by FreeIPA?

And another question, not related to the synchronization:

- In the FreeIPA 389-ds I see the "DUA Config Profile" objectClass used. To learn what it is I already read RFC 4876. Now I would like to have a look at a document/draft/etc. about its use within FreeIPA. Is it available anywhere? If not, could someone give some explanation?

Thanks a lot as usual!
Marco
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
On Sun, Feb 12, 2012 at 6:24 PM, Alexander Bokovoy wrote:
> On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > > > I don't get hangs or other type of similar evidence. My system just
> > > > completes (correctly, it seems) a shutdown sequence.
> > > > I am not yet an expert about systemd, so I don't know if it's just going to
> > > > kill the service if it doesn't respond in a specific time to a request to
> > > > shut down.
> > > > I'm working with more than one virtual machine active on my not-so-new
> > > > laptop, so the promptness of response is very low...
> > > >
> > > > If you want me to do any kind of test, just let me know.
> > > If you could reproduce similar results with a new VM, it would be good
> > > to get access to the 389-ds database in question and exact steps to
> > > reproduce the failure.
> >
> > I can start the VM setup right now, but please explain more in detail what
> > I need to do for this trial.
> Ideally, install Fedora 16 and apply all updates. Then connect over
> ssh with something like this:
>
> $ ssh root@freeipa-test-vm | tee -a ~/freeipa-test-vm-session.log
>
> and perform FreeIPA packages install, ipa-server-install, and all
> operations that caused the data corruption.
>
> You can logout and enter over ssh multiple times, every time using the
> command above to ensure that the log is appended.
>
> This log will show what has happened on the console as you performed
> install and configuration. In addition to it /var/log will contain a
> number of files (ipaserver-*.log, ipaclient-*.log, pki*.log, pki-ca/*,
> dirsrv/*, etc) with logs relevant to FreeIPA operations. Then
> /etc/dirsrv/ would contain 389-ds instances' data stores.
>
> Thanks in advance.

For the record: logs have been sent off-list to Alexander

Marco
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
On Sun, Feb 12, 2012 at 6:00 PM, Alexander Bokovoy wrote:
> On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy wrote:
> > > On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > > > I'm having the same issue with another freeipa setup which was installed
> > > > directly from the updates-testing repository.
> > > > It was working correctly once installed but then, after the first power-on
> > > > after the installation, it is not working from the 389-ds side.
> > > >
> > > > [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
> > > > [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> > > > [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment
> > > So there is something fishy with 389-ds shutdown on reboots? Am I
> > > correct in assuming that you had FreeIPA working after install, then
> > > power cycled the VM and after restart it didn't come back online?
> >
> > Well, just to be clear, each time I talked about reboot actually I meant
> > "shutdown -h now" and powering on the day after.
> >
> > > Was there anything specific about shutdown? Anything similar to
> > > https://fedorahosted.org/freeipa/ticket/2302 ?
> >
> > I don't get hangs or other type of similar evidence. My system just
> > completes (correctly, it seems) a shutdown sequence.
> > I am not yet an expert about systemd, so I don't know if it's just going to
> > kill the service if it doesn't respond in a specific time to a request to
> > shut down.
> > I'm working with more than one virtual machine active on my not-so-new
> > laptop, so the promptness of response is very low...
> >
> > If you want me to do any kind of test, just let me know.
> If you could reproduce similar results with a new VM, it would be good
> to get access to the 389-ds database in question and exact steps to
> reproduce the failure.

I can start the VM setup right now, but please explain more in detail what I need to do for this trial.
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
On Sun, Feb 12, 2012 at 5:41 PM, Alexander Bokovoy wrote:
> On Sun, 12 Feb 2012, Marco Pizzoli wrote:
> > I'm having the same issue with another freeipa setup which was installed
> > directly from the updates-testing repository.
> > It was working correctly once installed but then, after the first power-on
> > after the installation, it is not working from the 389-ds side.
> >
> > [12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
> > [12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> > [12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment
> So there is something fishy with 389-ds shutdown on reboots? Am I
> correct in assuming that you had FreeIPA working after install, then
> power cycled the VM and after restart it didn't come back online?

Well, just to be clear, each time I talked about reboot actually I meant "shutdown -h now" and powering on the day after.

> Was there anything specific about shutdown? Anything similar to
> https://fedorahosted.org/freeipa/ticket/2302 ?

I don't get hangs or other type of similar evidence. My system just completes (correctly, it seems) a shutdown sequence.
I am not yet an expert about systemd, so I don't know if it's just going to kill the service if it doesn't respond in a specific time to a request to shut down.
I'm working with more than one virtual machine active on my not-so-new laptop, so the promptness of response is very low...

If you want me to do any kind of test, just let me know.

Thanks
Marco
[Freeipa-users] Report for FreeIPA 2.2 advances?
Hi guys,
please, could you create a view/report similar to this:

{22} All 2.1.x Tickets By Milestone (Including closed) - https://fedorahosted.org/freeipa/report/22

for the version 2.2.x ?

Thanks in advance
Marco
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
On Sun, Feb 12, 2012 at 2:15 PM, Marco Pizzoli wrote:
> Hi Alexander,
>
> On Sat, Feb 11, 2012 at 11:54 PM, Alexander Bokovoy wrote:
>> On Sat, 11 Feb 2012, Marco Pizzoli wrote:
>> > Hi,
>> > Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing in
>> > having it started.
>> >
>> > [root@freeipa01 ~]# systemctl | grep ipa
>> > ipa.service  loaded failed failed  Identity, Policy, Audit
>> >
>> > /var/log/messages
>> > [cut]
>> > Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not readable (yet?) after start.
>> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 0.fedora.pool.ntp.org
>> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 1.fedora.pool.ntp.org
>> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 2.fedora.pool.ntp.org
>> > Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not readable (yet?) after start.
>> > Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
>> > Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down
>> > Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service
>> > Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1
>> > Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed state.
>> > Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s 675ms 758us.
>> > [cut]
>> >
>> > /var/log/dirsrv/slapd-/errors
>> > [cut]
>> > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 starting up
>> > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
>> >
>> > dmesg output
>> > [cut]
>> > [   17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux database in 14ms 981us, size on heap is 485K.
>> > [   17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for /var/run/dirsrv configured, ignoring.
>> > [   17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for /var/lock/dirsrv configured, ignoring.
>> > [cut]
>> >
>> > Any help?
>> Did you try 'ipactl start' afterwards?
>
> Yes, same as before.
>
>> I'm not sure what has caused the 389-ds database issue but from the log
>> excerpts it looks like 389-ds was able to fix those.
>>
>> Fedora 16 stable updates got freeipa 2.1.4-5 and 389-ds 1.2.10-rc1
>> tonight.
>
> Now, I did a full upgrade of the system but I'm encountering quite the
> same problem.
> The interesting thing is that the 389-ds upgrade produced a log full of
> interesting info about what the problem is.
>
> Please find my log here: http://pastebin.com/ueH87Q05
>
> I'm running a system with less than 1GB RAM
>
> [root@freeipa01 ~]# free -m
>              total       used       free     shared    buffers     cached
> Mem:           869        758        110          0         42        561
> -/+ buffers/cache:        154        714
> Swap:         2015          0       2015
>
> I'm curious to know if there is an opportunity to recover the system. If not, I
> have no problem erasing and recreating it.
>
> Thanks again
> Marco

I'm having the same issue with another freeipa setup which was installed directly from the updates-testing repository.
It was working correctly once installed but then, after the first power-on after the installation, it is not working from the 389-ds side.

[12/Feb/2012:16:19:44 +0100] - 389-Directory/1.2.10.rc1 B2012.035.328 starting up
[12/Feb/2012:16:19:44 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[12/Feb/2012:16:19:44 +0100] - libdb: unable to join the environment
Re: [Freeipa-users] FreeIPA not starting - probably 389ds cause
Hi Alexander,

On Sat, Feb 11, 2012 at 11:54 PM, Alexander Bokovoy wrote:
> On Sat, 11 Feb 2012, Marco Pizzoli wrote:
> > Hi,
> > Today I booted my FreeIPA 2.1.4 system on Fedora16 and now I'm failing in
> > having it started.
> >
> > [root@freeipa01 ~]# systemctl | grep ipa
> > ipa.service  loaded failed failed  Identity, Policy, Audit
> >
> > /var/log/messages
> > [cut]
> > Feb 11 12:15:13 freeipa01 systemd[1]: PID file /run/sendmail.pid not readable (yet?) after start.
> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 0.fedora.pool.ntp.org
> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 1.fedora.pool.ntp.org
> > Feb 11 12:15:13 freeipa01 ntpd_intres[821]: host name not found: 2.fedora.pool.ntp.org
> > Feb 11 12:15:14 freeipa01 systemd[1]: PID file /run/sm-client.pid not readable (yet?) after start.
> > Feb 11 12:15:29 freeipa01 ipactl[998]: Failed to read data from Directory Service: Unknown error when retrieving list of services from LDAP: [Errno 111] Connection refused
> > Feb 11 12:15:29 freeipa01 ipactl[998]: Shutting down
> > Feb 11 12:15:29 freeipa01 ipactl[998]: Starting Directory Service
> > Feb 11 12:15:29 freeipa01 systemd[1]: ipa.service: main process exited, code=exited, status=1
> > Feb 11 12:15:29 freeipa01 systemd[1]: Unit ipa.service entered failed state.
> > Feb 11 12:15:29 freeipa01 systemd[1]: Startup finished in 2s 327ms 887us (kernel) + 4s 398ms 198us (initrd) + 40s 949ms 673us (userspace) = 47s 675ms 758us.
> > [cut]
> >
> > /var/log/dirsrv/slapd-/errors
> > [cut]
> > [11/Feb/2012:12:15:27 +0100] - 389-Directory/1.2.10.a6 B2011.353.1631 starting up
> > [11/Feb/2012:12:15:27 +0100] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
> >
> > dmesg output
> > [cut]
> > [   17.440200] systemd-tmpfiles[743]: Successfully loaded SELinux database in 14ms 981us, size on heap is 485K.
> > [   17.593118] systemd-tmpfiles[743]: Two or more conflicting lines for /var/run/dirsrv configured, ignoring.
> > [   17.593225] systemd-tmpfiles[743]: Two or more conflicting lines for /var/lock/dirsrv configured, ignoring.
> > [cut]
> >
> > Any help?
> Did you try 'ipactl start' afterwards?

Yes, same as before.

> I'm not sure what has caused the 389-ds database issue but from the log
> excerpts it looks like 389-ds was able to fix those.
>
> Fedora 16 stable updates got freeipa 2.1.4-5 and 389-ds 1.2.10-rc1
> tonight.

Now, I did a full upgrade of the system but I'm encountering quite the same problem.
The interesting thing is that the 389-ds upgrade produced a log full of interesting info about what the problem is.

Please find my log here: http://pastebin.com/ueH87Q05

I'm running a system with less than 1GB RAM

[root@freeipa01 ~]# free -m
             total       used       free     shared    buffers     cached
Mem:           869        758        110          0         42        561
-/+ buffers/cache:        154        714
Swap:         2015          0       2015

I'm curious to know if there is an opportunity to recover the system. If not, I have no problem erasing and recreating it.

Thanks again
Marco
Re: [Freeipa-users] FreeIPA support for AIX as a client?
On Fri, Feb 10, 2012 at 11:56 PM, Dmitri Pal wrote:
> On 02/10/2012 04:16 PM, Marco Pizzoli wrote:
> > Hi guys,
> > I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is
> > supported for version 5.3.
> > What about versions 6.1 and 7.1? Are they really not supported or simply
> > not been verified they can work?
>
> You are definitely welcome to try and provide step by step instructions.
> It should work we just never had this as a priority.
> This is a real help that you can provide while we are fixing the SSSD
> build. :-)

I would be happy to do it, but it will be not so easy for me finding a system for testing purposes... :-(

> If the instructions are testable and repeatable we will post them on the
> IPA wiki. I would grant you access to create pages if you want to go this
> route.

Good to know.
Thanks
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 10:35 PM, Stephen Gallagher wrote:
> On Fri, 2012-02-10 at 22:30 +0100, Marco Pizzoli wrote:
> > On Fri, Feb 10, 2012 at 10:18 PM, John Dennis wrote:
> > > On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
> > > > --> Finished Dependency Resolution
> > > > *Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 != libldb-1.1.4-1.fc16.1.x86_64*
> > >
> > > This error is because you've got both a 32-bit and 64-bit
> > > version of libldb installed, note how the 32-bit version is
> > > 1.1.0 and the 64-bit version is 1.1.4, they're not the same.
> >
> > Actually I think the situation is a little bit different.
> >
> > To explain myself better I start by posting this output:
> >
> > [root@freeipa02 ~]# rpm -qa|grep libldb
> > libldb-1.1.0-1.fc16.x86_64
> >
> > Look for a second at the output I posted before. As you can see
> >
> > [cut]
> > --> Running transaction check
> > ---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
> > [cut]
> >
> > The package libldb-32bit is being submitted to yum as a candidate from
> > a dependence on a package situated in your ipa-devel repository.
> >
> > I'm not a yum expert, can you confirm what I notice?
> >
> > > However the ipa-devel repo does have both the 32-bit and
> > > 64-bit version of 1.1.4 available in the x86-64 repo
> > >
> > > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> > > ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
> > >
> > > So the repo looks good, not sure what yum is complaining
> > > about, it should see both 32-bit and 64-bit is available for
> > > version 1.1.4 and install both, unless of course you've got a
> > > dependency on the 1.1.0 32-bit version, but yum should tell
> > > you that.
> > >
> > > That's about as much help as I can give you at the moment.
>
> You're right. I see what's happening. SSSD is built with an explicit LDB
> dependency. So because it's keeping SSSD at 1.6.4 for you, it's trying
> to hang on to libldb 1.1.0 from the regular repos (which is
> inappropriate).
>
> The real question here is why it's not pulling in the latest SSSD bits.
> And the answer to that is because we're currently having issues where
> not all of the SSSD subpackages are ending up in the repo. So yum is
> trying its best with what it has (which doesn't line up).
>
> We're working on this. We'll have it fixed by sometime on Monday, I'm
> sure.

I'm happy we've found the cause.
No problem, I'm in no hurry... there are still a lot of documents to read out there :-)

Thanks
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 10:18 PM, John Dennis wrote:
> On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
>> --> Finished Dependency Resolution
>> *Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 !=
>> libldb-1.1.4-1.fc16.1.x86_64*
>
> This error is because you've got both a 32-bit and 64-bit version of
> libldb installed, note how the 32-bit version is 1.1.0 and the 64-bit
> version is 1.1.4, they're not the same.

Actually I think the situation is a little bit different.

To explain myself better I start by posting this output:

[root@freeipa02 ~]# rpm -qa|grep libldb
libldb-1.1.0-1.fc16.x86_64

Look for a second at the output I posted before. As you can see

[cut]
--> Running transaction check
---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
[cut]

The package libldb-32bit is being submitted to yum as a candidate from a dependence on a package situated in your ipa-devel repository.

I'm not a yum expert, can you confirm what I notice?

> However the ipa-devel repo does have both the 32-bit and 64-bit version of
> 1.1.4 available in the x86-64 repo
>
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
>
> So the repo looks good, not sure what yum is complaining about, it should
> see both 32-bit and 64-bit is available for version 1.1.4 and install both,
> unless of course you've got a dependency on the 1.1.0 32-bit version, but
> yum should tell you that.
>
> That's about as much help as I can give you at the moment.
>
> --
> John Dennis
>
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

--
Strong is not the one who does not fall, but the one who, having fallen, has the strength to get up again.
Jim Morrison
[Freeipa-users] FreeIPA support for AIX as a client?
Hi guys,
I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is supported for version 5.3.
What about versions 6.1 and 7.1? Are they really not supported or simply not been verified they can work?

Thanks
Marco
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 8:50 PM, John Dennis wrote:
> On 02/10/2012 02:35 PM, Marco Pizzoli wrote:
>> No, same as before.
>> Is "yum makecache" sufficient to renew my metadata?
>
> Sounds like it should work, I'm not in the habit of using makecache, I
> tend to use the big hammer 'yum clean --all'
>
> I just checked the repo, the files are there, so I assume yum is somehow
> confused.

This is what I just did:

[root@freeipa02 ~]# yum clean all
Loaded plugins: langpacks, presto, refresh-packagekit
Cleaning repos: fedora ipa-devel updates
Cleaning up Everything
No delta-package files removed by presto
[root@freeipa02 ~]# yum update
Loaded plugins: langpacks, presto, refresh-packagekit
fedora/metalink                |  29 kB  00:00
fedora                         | 4.2 kB  00:00
fedora/primary_db              |  14 MB  00:36
fedora/group_gz                | 431 kB  00:00
ipa-devel                      | 2.5 kB  00:00
ipa-devel/primary_db           | 146 kB  00:00
updates/metalink               |  25 kB  00:00
updates                        | 4.7 kB  00:00
updates/primary_db             | 4.7 MB  00:11
updates/group_gz               | 431 kB  00:01
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.9.2-4.fc16 will be updated
---> Package krb5-libs.x86_64 0:1.9.2-6.fc16 will be an update
---> Package krb5-workstation.x86_64 0:1.9.2-4.fc16 will be updated
---> Package krb5-workstation.x86_64 0:1.9.2-6.fc16 will be an update
---> Package libipa_hbac.x86_64 0:1.6.4-1.fc16 will be updated
---> Package libipa_hbac.x86_64 0:1.8.90-0.20120207T1718Zgit14b0185.fc16 will be an update
---> Package libldb.x86_64 0:1.1.0-1.fc16 will be updated
--> Processing Dependency: libldb = 1.1.0 for package: sssd-1.6.4-1.fc16.x86_64
---> Package libldb.x86_64 0:1.1.4-1.fc16.1 will be an update
---> Package libtalloc.x86_64 0:2.0.6-1.fc16 will be updated
---> Package libtalloc.x86_64 0:2.0.7-3.fc16 will be an update
---> Package libtdb.x86_64 0:1.2.9-10.fc16 will be updated
---> Package libtdb.x86_64 0:1.2.9-13.fc16 will be an update
---> Package libtevent.x86_64 0:0.9.13-1.fc16 will be updated
---> Package libtevent.x86_64 0:0.9.14-5.fc16 will be an update
--> Running transaction check
---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
--> Processing Dependency: libdl.so.2(GLIBC_2.1) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libcrypt.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libdl.so.2 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtdb.so.1(TDB_1.2.1) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtalloc.so.2(TALLOC_2.0.2) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: librt.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtevent.so.0 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libdl.so.2(GLIBC_2.0) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtdb.so.1 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtevent.so.0(TEVENT_0.9.9) for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libtalloc.so.2 for package: libldb-1.1.0-1.fc16.i686
--> Processing Dependency: libc.so.6(GLIBC_2.8) for package: libldb-1.1.0-1.fc16.i686
---> Package libldb.x86_64 0:1.1.0-1.fc16 will be updated
--> Running transaction check
---> Package glibc.i686 0:2.14.90-24.fc16.4 will be installed
--> Processing Dependency: libfreebl3.so(NSSRAWHASH_3.12.3) for package: glibc-2.14.90-24.fc16.4.i686
--> Processing Dependency: libfreebl3.so for package: glibc-2.14.90-24.fc16.4.i686
---> Package libtalloc.i686 0:2.0.7-3.fc16 will be installed
---> Package libtdb.i686 0:1.2.9-13.fc16 will be installed
---> Package libtevent.i686 0:0.9.14-5.fc16 will be installed
--> Running transaction check
---> Package nss-softokn-freebl.i686 0:3.13.1-15.fc16 will be installed
--> Finished Dependency Resolution
*Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 != libldb-1.1.4-1.fc16.1.x86_64*
[root@freeipa02 ~]# yum makecache
Loaded plugins: langpacks, presto, refresh-packagekit
fedora/metalink                |  29 kB  00:00
fedora/filelists_db            |  22 MB  01:21
fedora/prestodelta             | 791 kB  00:02
fedora/other_db                | 8.8 MB  00:28
ipa-devel                      | 2.5 kB  00:00
ipa-devel/filelists_db         |  60 kB  00:00
ipa-devel/other_db             |  39 kB  00:00
updates/metalink               |  25 kB  00:00
updates/filelists_db           | 8.0 MB  00:25
updates/prestodelta            | 829 kB  00:03
updates/other_db               | 2.5 MB  00:10
updates/updateinfo             | 470 kB  00:01
Metadata Cache Created
[root@freeipa02 ~]# yum info freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
Name        : freeipa-server
Arch        : i686
Version     : 2.1.4
Release     : 1.20120209T0216Zgit11c25a4.fc16
Size        : 957 k
Repo        : ipa-devel
Summary     : The IPA a
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 8:28 PM, John Dennis wrote:
> On 02/10/2012 02:22 PM, Marco Pizzoli wrote:
>> I wget-ed the repo file on a 64bit fedora16 system but I'm failing in
>> seeing the package for 64-bit systems.
>> Please, could you tell me what my error is?
>
> We just finished rebuilding the repo. Please try again.

No, same as before.
Is "yum makecache" sufficient to renew my metadata?

> We don't have a mechanism to lock the repo while it's being populated so
> on occasion you may see some odd failures if you happen to hit it while
> it's updating.

I understand. Thanks for explaining.
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher wrote: > On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote: > > Hi, > > > > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote: > > On 01/30/2012 09:47 AM, Marco Pizzoli wrote: > > > Hi guys, > > > Next days I'm going to start a test deployment of FreeIPA > > > 2.1 but the following days I'm planning to have a look on > > > the new features FreeIPA 2.2 brings. > > > > > > Are you going to release a alpha/beta package anytime in the > > > future? > > > > > > Thanks in advance > > > Marco > > > > > > -- > > > > > > > > > > > > ___ > > > Freeipa-users mailing list > > > Freeipa-users@redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Yes alpha is planned for next couple weeks. > > > > > > > > Sorry for asking again, but I'm really interested in this. > > Any news on the expected release date? I'm available to test it and > > give feedbacks, once released. > > If you're interested in testing the nightly builds, you can install one > of the below repository files into /etc/yum.repos.d > > Fedora 15-17: > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo > > RHEL 6: > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo > > > Then you can 'yum update' to the latest nightlies. > I wget-ed the repo file on a 64bit fedora16 system but I'm failing in seeing the package for 64-bit systems. Please, could you tell me what my error is? 
[root@freeipa02 yum.repos.d]# yum info freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
Name        : freeipa-server
*Arch       : i686*
Version     : 2.1.4
*Release    : 1.20120209T0216Zgit11c25a4.fc16*
Size        : 957 k
*Repo       : ipa-devel*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Name        : freeipa-server
*Arch       : x86_64*
Version     : 2.1.4
*Release    : 4.fc16*
Size        : 958 k
*Repo       : updates*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

[root@freeipa02 yum.repos.d]# uname -a
Linux freeipa02.unix.domain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 4:39 PM, Rob Crittenden wrote:
> Marco Pizzoli wrote:
>> On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>     Simo Sorce wrote:
>>
>>         On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote:
>>
>>             On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher <sgall...@redhat.com> wrote:
>>
>>                 On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
>>                 > Hi,
>>                 >
>>                 > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal <d...@redhat.com> wrote:
>>                 > On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
>>                 > > Hi guys,
>>                 > > Next days I'm going to start a test deployment of FreeIPA
>>                 > > 2.1 but the following days I'm planning to have a look on
>>                 > > the new features FreeIPA 2.2 brings.
>>                 > >
>>                 > > Are you going to release an alpha/beta package anytime in the
>>                 > > future?
>>                 > >
>>                 > > Thanks in advance
>>                 > > Marco
>>                 > >
>>                 > > ___
>>                 > > Freeipa-users mailing list
>>                 > > Freeipa-users@redhat.com
>>                 > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>                 >
>>                 > Yes alpha is planned for next couple weeks.
>>                 >
>>                 > Sorry for asking again, but I'm really interested in this.
>>                 > Any news on the expected release date? I'm available to test it and
>>                 > give feedback, once released.
>>
>>                 If you're interested in testing the nightly builds, you can install one
>>                 of the below repository files into /etc/yum.repos.d
>>
>>                 Fedora 15-17:
>>                 http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>>
>>                 RHEL 6:
>>                 http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>>
>>                 Then you can 'yum update' to the latest nightlies.
>>
>>             Good to know! Thanks a lot.
>>
>>             Testing nightly builds will involve me reporting problems and/or errors.
>>             Which mailing list should I have to use? -users or -devel ?
>>
>>         For -devel version I think freeipa-devel is better.
>>
>>         Simo.
>>
>>     Just to add that this version has known upgrade problems so I
>>     wouldn't recommend upgrading an existing installation at this time.
>>
>> Hi Rob,
>> Is there a ticket on which I can put me in Cc to track it?
>
> There are a number of them:
>
> https://fedorahosted.org/freeipa/ticket/2147
> https://fedorahosted.org/freeipa/ticket/2341
> https://fedorahosted.org/freeipa/ticket/2344

Cc'ed to all. Thanks again

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote:
>>> On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher wrote:
>>>
>>>     On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
>>>     > Hi,
>>>     >
>>>     > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
>>>     > On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
>>>     > > Hi guys,
>>>     > > Next days I'm going to start a test deployment of FreeIPA
>>>     > > 2.1 but the following days I'm planning to have a look on
>>>     > > the new features FreeIPA 2.2 brings.
>>>     > >
>>>     > > Are you going to release an alpha/beta package anytime in the
>>>     > > future?
>>>     > >
>>>     > > Thanks in advance
>>>     > > Marco
>>>     > >
>>>     > > ___
>>>     > > Freeipa-users mailing list
>>>     > > Freeipa-users@redhat.com
>>>     > > https://www.redhat.com/mailman/listinfo/freeipa-users
>>>     >
>>>     > Yes alpha is planned for next couple weeks.
>>>     >
>>>     > Sorry for asking again, but I'm really interested in this.
>>>     > Any news on the expected release date? I'm available to test it and
>>>     > give feedback, once released.
>>>
>>>     If you're interested in testing the nightly builds, you can install one
>>>     of the below repository files into /etc/yum.repos.d
>>>
>>>     Fedora 15-17:
>>>     http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>>>
>>>     RHEL 6:
>>>     http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>>>
>>>     Then you can 'yum update' to the latest nightlies.
>>>
>>> Good to know! Thanks a lot.
>>>
>>> Testing nightly builds will involve me reporting problems and/or errors.
>>> Which mailing list should I have to use? -users or -devel ?
>>
>> For -devel version I think freeipa-devel is better.
>>
>> Simo.
>
> Just to add that this version has known upgrade problems so I wouldn't
> recommend upgrading an existing installation at this time.

Hi Rob,
Is there a ticket on which I can put me in Cc to track it?

Thanks
Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher wrote:
> On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
> > Hi,
> >
> > On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
> > On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
> > > Hi guys,
> > > Next days I'm going to start a test deployment of FreeIPA
> > > 2.1 but the following days I'm planning to have a look on
> > > the new features FreeIPA 2.2 brings.
> > >
> > > Are you going to release an alpha/beta package anytime in the
> > > future?
> > >
> > > Thanks in advance
> > > Marco
> > >
> > > ___
> > > Freeipa-users mailing list
> > > Freeipa-users@redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > Yes alpha is planned for next couple weeks.
> >
> > Sorry for asking again, but I'm really interested in this.
> > Any news on the expected release date? I'm available to test it and
> > give feedback, once released.
>
> If you're interested in testing the nightly builds, you can install one
> of the below repository files into /etc/yum.repos.d
>
> Fedora 15-17:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>
> RHEL 6:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>
> Then you can 'yum update' to the latest nightlies.

Good to know! Thanks a lot.

Testing nightly builds will involve me reporting problems and/or errors.
Which mailing list should I have to use? -users or -devel ?

Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] SELinux error during ipa-server-install
Hi Alexander,

On Fri, Feb 10, 2012 at 2:47 PM, Alexander Bokovoy wrote:
> On Fri, 10 Feb 2012, Marco Pizzoli wrote:
> > Hi guys,
> > I'm working on Fedora16 and FreeIPA 2.1.4.
> > I executed the command ipa-server-install and, digging in the logs
> > during the setup, I can find this error, related to SELinux.
> > I'm running in Permissive mode, so nothing prevented me from successfully
> > completing my setup.
> >
> > Is this an error in the policy?
> https://bugzilla.redhat.com/show_bug.cgi?id=739708
> Allowing connecting to ephemeral port is something that Ade still not
> decided on yet.

Thanks for the info.
Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] SELinux error during ipa-server-install
Hi Dale,

On Fri, Feb 10, 2012 at 1:50 PM, Dale Macartney wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back on the
> day RHEL 6.2 went GA..
>
> My situation was
>
> SElinux enforcing, then run ipa-server-install.. it gets half way through
> the process and it fails
>
> then I tried
>
> SELinux permissive, to get the exact same issue
>
> I then completely disabled SElinux in /etc/sysconfig/selinux, rebooted and
> ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the selinux pki policy. When this was
> loaded, it caused the ipa setup to fail... an update was made available in
> rhel which allowed me to move forward with selinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? my situation was quite
> a while ago so I would have imagined that there would be an update to that
> issue with Fedora as well if this is actually the same issue I encountered.
> ..

I updated my system a few days ago and I'm currently not seeing further updates available.
These are my packages:

[root@freeipa01 ~]# rpm -qa|grep -i selinux
selinux-policy-3.10.0-75.fc16.noarch
libselinux-2.1.6-5.fc16.x86_64
libselinux-python-2.1.6-5.fc16.x86_64
pki-selinux-9.0.17-1.fc16.noarch
libselinux-utils-2.1.6-5.fc16.x86_64
selinux-policy-targeted-3.10.0-75.fc16.noarch
freeipa-server-selinux-2.1.4-4.fc16.x86_64

> Do you get the same issue with selinux disabled at all?

Actually I haven't tried, but I'm sure not to encounter this problem in that case.
As I wrote, I'm running in permissive mode, so I only get a warning about what SELinux would have blocked, not an actual block of the execution.
My setup (apparently) completed correctly. I still have to check-on-the-job :-)

Thanks
Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] SELinux error during ipa-server-install
Hi guys,
I'm working on Fedora16 and FreeIPA 2.1.4.
I executed the command ipa-server-install and, digging in the logs during the setup, I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.

Is this an error in the policy?

Thanks in advance
Marco

[root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .

*****  Plugin catchall (100. confidence) suggests  *****

If you believe that java should be allowed name_connect access on the  by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:pki_ca_t:s0
Target Context                system_u:object_r:ephemeral_port_t:s0
Target Objects                [ None ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                          59940
Host                          freeipa01.unix.mydomain.it
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     freeipa01.unix.mydomain.it
Platform                      Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 10 Feb 2012 01:16:43 PM CET
Last Seen                     Fri 10 Feb 2012 01:17:29 PM CET
Local ID                      885f3218-de29-4254-b095-0439320b3a50

Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c03e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)

Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow

audit2allow -R

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
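As an added illustration (not part of Marco's message, nor code from sealert or FreeIPA), the following Python script parses raw `type=AVC` records of the kind quoted above and groups denials by the same (comm, source type, target type, class, permission) tuple that sealert prints on its `Hash:` line. That grouping is the first thing to do with an audit.log from a permissive-mode install: it shows how many distinct denials there are and which domains they involve, before anyone reaches for `audit2allow`. The log lines in the script are constructed samples modelled on the record in the post (the same `pki_ca_t` to `ephemeral_port_t` `name_connect` denial, repeated with a second port); the `httpd` line is invented only to show that unrelated denials land in a separate bucket.

```python
"""Triage SELinux AVC denials from an audit.log excerpt.

Added example, not part of the mailing-list post, sealert or FreeIPA.
Parses 'type=AVC' records, extracts the type field from the source and
target contexts and groups denials by (comm, source type, target type,
class, permission). All sample log lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample: modelled on the record quoted in the post (same contexts
# and class, a second serial/port added); the httpd line is invented so that an
# unrelated denial is visible as a separate bucket.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 pid=2663 comm="java"
type=AVC msg=audit(1328876295.102:171): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59941 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1328876300.007:172): avc:  denied  { read } for  pid=2700 comm="httpd" name="ipa.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Header of an AVC record; whitespace is flexible because auditd pads with
# double spaces while pasted copies usually collapse them.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for a type=AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # user:role:type:level -> keep the type, which is what policy rules key on
    for side in ("scontext", "tcontext"):
        if side in rec:
            parts = rec[side].split(":")
            rec[side + "_type"] = parts[2] if len(parts) > 2 else rec[side]
    return rec


def triage_keys(rec):
    """One key per denied permission, mirroring the fields on sealert's Hash line."""
    return [
        (rec.get("comm"), rec.get("scontext_type"), rec.get("tcontext_type"),
         rec.get("tclass"), perm)
        for perm in rec["perms"]
    ]


def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts.update(triage_keys(rec))
    return counts


def denials_matching(log_text, **wanted):
    """Denials whose parsed fields equal the given values, e.g.
    denials_matching(log, scontext_type="pki_ca_t", tclass="tcp_socket")."""
    return [
        rec for rec in map(parse_avc, log_text.splitlines())
        if rec and rec["result"] == "denied"
        and all(rec.get(k) == v for k, v in wanted.items())
    ]


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        comm, src, tgt, cls, perm = key
        print(f"{n:3d}  {comm:<8} {src:<18} -> {tgt:<18} {cls:<12} {perm}")
    # The post's case: the CA domain connecting out to an ephemeral port.
    hits = denials_matching(SAMPLE_AUDIT_LOG, scontext_type="pki_ca_t",
                            tcontext_type="ephemeral_port_t", tclass="tcp_socket")
    print("ephemeral ports hit by pki_ca_t:", sorted({r["dest"] for r in hits}))
```

The paired `type=SYSCALL` record is the practical check for which mode the box was in: in the post it carries `success=yes`, so the connect went through and the AVC was logged rather than enforced, which is exactly what Marco describes as permissive mode. Keying the summary on the type fields rather than the full contexts is deliberate: the role and level rarely matter for triage, and a handful of distinct (source type, target type, class, permission) tuples is far easier to compare against a known policy bug than a page of raw records.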
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
Hi,

On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal wrote:
> On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
>
> Hi guys,
> Next days I'm going to start a test deployment of FreeIPA 2.1 but the
> following days I'm planning to have a look on the new features FreeIPA 2.2
> brings.
>
> Are you going to release an alpha/beta package anytime in the future?
>
> Thanks in advance
> Marco
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> Yes alpha is planned for next couple weeks.

Sorry for asking again, but I'm really interested in this.
Any news on the expected release date? I'm available to test it and give feedback, once released.

Thanks
Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
Hi guys,
In the next few days I'm going to start a test deployment of FreeIPA 2.1, but in the following days I'm planning to have a look at the new features FreeIPA 2.2 brings.

Are you going to release an alpha/beta package anytime in the future?

Thanks in advance
Marco

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users