Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
 Definition cn=Password
Policy,cn=accounts,dc=mr,dc=ric--no CoS Templates found, which should be
added before the CoS Definition.
[29/Apr/2015:09:40:10 -0400] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[29/Apr/2015:09:40:10 -0400] - Listening on All Interfaces port 636 for
LDAPS requests
[29/Apr/2015:09:40:10 -0400] - Listening on /var/run/slapd-MR-RIC.socket
for LDAPI requests
[29/Apr/2015:09:40:10 -0400] - The change of nsslapd-maxdescriptors will
not take effect until the server is restarted
-
- access log 
[29/Apr/2015:09:40:11 -0400] conn=3 fd=64 slot=64 connection from
172.25.12.161 to 172.25.12.161
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 SRCH base= scope=0
filter=(objectClass=*) attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=0 RESULT err=0 tag=101 nentries=1
etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 BIND dn=cn=Directory Manager
method=128 version=3
[29/Apr/2015:09:40:11 -0400] conn=3 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn=cn=directory manager
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 SRCH base=o=ipaca scope=0
filter=(objectClass=*) attrs=ALL
[29/Apr/2015:09:40:11 -0400] conn=3 op=2 RESULT err=32 tag=101 nentries=0
etime=0
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 UNBIND
[29/Apr/2015:09:40:11 -0400] conn=3 op=3 fd=64 closed - U1
-

On Wed, Apr 29, 2015 at 12:14 PM, Rob Crittenden rcrit...@redhat.com
wrote:

 Qing Chang wrote:
  mripa2.mr.ric is the server to be set up as a replica. I wonder if the LDAP
  service was available at all at the installation stage.

 I think we'd need to see the full ipareplica-install.log.

 You might also want to see if a ns-slapd process is running and check
 /var/log/dirsrv/slapd-REALM/errors for anything interesting.

 rob

 
  Thanks,
  Qing
 
  On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang tmp...@gmail.com
  mailto:tmp...@gmail.com wrote:
 
  CentOS 7.1 with IPA server 4.1.
 
  ipa-replica-install --setup-ca --setup-dns ... fails with this
  error message:
  -
[2/22]: configuring certificate server instance
  ipa : CRITICAL failed to configure ca instance Command
  ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned
  non-zero exit status 1
[error] RuntimeError: Configuration of CA failed
  -
 
  ipareplica-install.log shows this:
  -
  2015-04-29T13:40:11Z DEBUG Saving StateFile to
  '/var/lib/ipa/sysrestore/sysrestore.state'
  2015-04-29T13:40:11Z DEBUG Starting external process
  2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
  '/tmp/tmpaUGoKX'
  2015-04-29T13:40:51Z DEBUG Process finished, return code=1
  2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration
  from /tmp/tmpaUGoKX.
  Installing CA into /var/lib/pki/pki-tomcat.
  Storing deployment configuration into
  /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 
  Installation failed.
 
 
  2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR...
  Exception from Java Configuration Servlet: Error in populating
  database: Could not connect to LDAP server host mrip
  a2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to
  connect to server ldap://mripa2.mr.ric:389 (91)
 
  2015-04-29T13:40:51Z CRITICAL failed to configure ca instance
  Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX''
  returned non-zero exit status 1
  2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
File
  /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
  line 382, in start_creation
  run_step(full_msg, method)
File
  /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
  line 372, in run_step
  method()
File
  /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
  line 673, in __spawn_instance
  raise RuntimeError('Configuration of CA failed')
  RuntimeError: Configuration of CA failed
  -
 
  I hope this is enough information.
 
  Thanks in advance,
 
  Qing Chang
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
CentOS 7.1 with IPA server 4.1.

ipa-replica-install --setup-ca --setup-dns ... fails with this error
message:
-
  [2/22]: configuring certificate server instance
ipa : CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero
exit status 1
  [error] RuntimeError: Configuration of CA failed
-

ipareplica-install.log shows this:
-
2015-04-29T13:40:11Z DEBUG Saving StateFile to
'/var/lib/ipa/sysrestore/sysrestore.state'
2015-04-29T13:40:11Z DEBUG Starting external process
2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpaUGoKX'
2015-04-29T13:40:51Z DEBUG Process finished, return code=1
2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from
/tmp/tmpaUGoKX.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into
/etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

Installation failed.


2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR... Exception
from Java Configuration Servlet: Error in populating database: Could not
connect to LDAP server host mrip
a2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to
server ldap://mripa2.mr.ric:389 (91)

2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command
''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero
exit status 1
2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 382, in start_creation
run_step(full_msg, method)
  File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
line 372, in run_step
method()
  File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
line 673, in __spawn_instance
raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed
-

I hope this is enough information.

Thanks in advance,

Qing Chang

Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Qing Chang
mripa2.mr.ric is the server to be set up as a replica. I wonder if the LDAP
service was available at all at the installation stage.

Thanks,
Qing

On Wed, Apr 29, 2015 at 10:29 AM, Qing Chang tmp...@gmail.com wrote:

 CentOS 7.1 with IPA server 4.1.

 ipa-replica-install --setup-ca --setup-dns ... fails with this error
 message:
 -
   [2/22]: configuring certificate server instance
 ipa : CRITICAL failed to configure ca instance Command
 ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero
 exit status 1
   [error] RuntimeError: Configuration of CA failed
 -

 ipareplica-install.log shows this:
 -
 2015-04-29T13:40:11Z DEBUG Saving StateFile to
 '/var/lib/ipa/sysrestore/sysrestore.state'
 2015-04-29T13:40:11Z DEBUG Starting external process
 2015-04-29T13:40:11Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f'
 '/tmp/tmpaUGoKX'
 2015-04-29T13:40:51Z DEBUG Process finished, return code=1
 2015-04-29T13:40:51Z DEBUG stdout=Loading deployment configuration from
 /tmp/tmpaUGoKX.
 Installing CA into /var/lib/pki/pki-tomcat.
 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.

 Installation failed.


 2015-04-29T13:40:51Z DEBUG stderr=pkispawn: ERROR... Exception
 from Java Configuration Servlet: Error in populating database: Could not
 connect to LDAP server host mrip
 a2.mr.ric port 389 Error netscape.ldap.LDAPException: failed to connect to
 server ldap://mripa2.mr.ric:389 (91)

 2015-04-29T13:40:51Z CRITICAL failed to configure ca instance Command
 ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpaUGoKX'' returned non-zero
 exit status 1
 2015-04-29T13:40:51Z DEBUG Traceback (most recent call last):
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 382, in start_creation
 run_step(full_msg, method)
   File /usr/lib/python2.7/site-packages/ipaserver/install/service.py,
 line 372, in run_step
 method()
   File /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py,
 line 673, in __spawn_instance
 raise RuntimeError('Configuration of CA failed')
 RuntimeError: Configuration of CA failed
 -

 I hope this is enough information.

 Thanks in advance,

 Qing Chang


[Freeipa-users] HostEnrol role does not seem to work

2013-01-17 Thread Qing Chang

I assigned an IPA user account the HostEnrol role and ran ipa-client-install;
when it got to the "User authorized to enroll computers:" prompt, I used that account,
then got the following:
Joining realm failed: No permission to join this host to the IPA domain.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Am I missing something here?

Thanks,

Qing

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] HostEnrol role does not seem to work

2013-01-17 Thread Qing Chang


On 17/01/2013 1:42 PM, Rob Crittenden wrote:

Qing Chang wrote:

I assigned an IPA user account the HostEnrol role and ran ipa-client-install;
when it got to the "User authorized to enroll computers:" prompt, I used that
account, then got the following:
Joining realm failed: No permission to join this host to the IPA domain.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Am I missing something here?


What privileges are in the HostEnrol role?


It's all default; I did not make any changes.

Or can you show the output of this, where tuser1 is the user you're trying to 
enroll with?

% ipa user-show tuser1 --all --raw |grep -i member


[root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca


rob




Re: [Freeipa-users] HostEnrol role does not seem to work

2013-01-17 Thread Qing Chang


On 17/01/2013 2:40 PM, Rob Crittenden wrote:

Qing Chang wrote:


On 17/01/2013 1:42 PM, Rob Crittenden wrote:

Qing Chang wrote:

I assigned an IPA user account the HostEnrol role and ran ipa-client-install;
when it got to the "User authorized to enroll computers:" prompt, I used that
account, then got the following:
Joining realm failed: No permission to join this host to the IPA domain.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Am I missing something here?


What privileges are in the HostEnrol role?


It's all default; I did not make any changes.

Or can you show the output of this, where tuser1 is the user you're
trying to enroll with?

% ipa user-show tuser1 --all --raw |grep -i member


[root@ipa1 ~]# ipa user-show testipa --all --raw |grep -i member
   memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
   memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
   memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
   memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca



Ok, this is enough to do an enrollment (HostEnrol is not a default role). What it lacks is the 
ability to add a new host entry.


You can add this ability by adding the 'Add Hosts' privilege to the 'Host 
Enrollment' privilege.

On the command line like this:

$ ipa privilege-add-permission 'Host Enrollment' --permissions='Add Hosts'

Note that this is expected. We delegate as few permissions by default as possible. The expectation 
is that a higher-level administrator pre-creates the hosts that should be allowed to be enrolled 
and this delegated role can enroll them.



Agreed. Maybe this sort of thing can be put into a FAQ?

Appreciated!

Qing

rob


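As an added check (example code, not from the thread and not part of FreeIPA): a small parser for the `ipa user-show <user> --all --raw` output Rob asked for, which reports whether the account's indirect permissions cover enrolling a pre-created host and whether it also holds the 'Add Hosts' permission from Rob's fix. The sample output is constructed from the output quoted above; splitting DNs on commas is a simplification that is fine for IPA's own container DNs.

```python
"""Check which host-enrollment permissions a delegated IPA user holds.

Added example, not from the thread or from FreeIPA. It parses the text that
`ipa user-show <user> --all --raw | grep -i member` prints and maps each
memberof / memberofindirect DN to a role, privilege or permission name.
"""
import re

# Constructed sample, modelled on the testipa output quoted in the thread.
SAMPLE_OUTPUT = """\
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: cn=hostenrol,cn=roles,cn=accounts,dc=sri,dc=utoronto,dc=ca
  memberof: ipauniqueid=d7f28bde-492f-11e2-b297-005056af688c,cn=sudorules,cn=sudo,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
  memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=sri,dc=utoronto,dc=ca
"""

# Permissions the thread shows are enough to enroll a host entry that an
# administrator pre-created, and the one Rob adds so the role may also create
# host entries itself. Names are compared lower-cased, as IPA prints them.
ENROLL_EXISTING_HOST = {"enroll a host", "manage host keytab",
                        "add krbprincipalname to a host"}
CREATE_HOST = {"add hosts"}

_MEMBER_LINE = re.compile(r"^\s*memberof(?:indirect)?:\s*(.+?)\s*$", re.IGNORECASE)


def parse_membership(raw_output):
    """Return {'roles', 'privileges', 'permissions'} -> set of cn values.

    Only DNs whose second RDN is cn=roles, cn=privileges or cn=permissions are
    classified; group and sudo-rule memberships are ignored. DNs are split on
    ',' because IPA's own container DNs contain no escaped commas.
    """
    found = {"roles": set(), "privileges": set(), "permissions": set()}
    containers = {"cn=roles": "roles", "cn=privileges": "privileges",
                  "cn=permissions": "permissions"}
    for line in raw_output.splitlines():
        m = _MEMBER_LINE.match(line)
        if not m:
            continue
        rdns = [r.strip() for r in m.group(1).split(",")]
        if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
            continue
        bucket = containers.get(rdns[1].lower())
        if bucket:
            found[bucket].add(rdns[0][len("cn="):].lower())
    return found


def enrollment_check(raw_output):
    """Summarise what the user can do with the permissions it holds."""
    perms = parse_membership(raw_output)["permissions"]
    return {
        "can_enroll_precreated_host": ENROLL_EXISTING_HOST <= perms,
        "can_create_host_entry": CREATE_HOST <= perms,
        "missing_for_enroll": sorted(ENROLL_EXISTING_HOST - perms),
        "missing_for_create": sorted(CREATE_HOST - perms),
    }


if __name__ == "__main__":
    for key, value in enrollment_check(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

With the thread's output the check reports that the account can enroll a pre-created host but cannot create host entries, which is exactly the least-privilege split Rob describes.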


[Freeipa-users] disable user account in batch mode in IPA

2012-12-21 Thread Qing Chang

I hope Google did not skip me when searching for an answer.

I'd like to disable inactive accounts migrated from OpenLDAP; so far
I can only do it via the web UI. Because I have hundreds of accounts to
disable, I would really appreciate it if someone could provide a command line
for me.

I actually tried to figure out what attribute corresponds to "disabled"
but could not see it in the ldapsearch output, for example:

ldapsearch -LL -x -D 'cn=Directory Manager' -W -b 'dc=sri,dc=utoronto,dc=ca' '(uid=shassan)'

Thank you.

Qing






[Freeipa-users] IPA client randomly lose memory of users

2012-11-30 Thread Qing Chang

My dovecot IMAP server would randomly lose memory of users, as an example:

Samba/NFS server knows this user:
[root@smb2 shassan]# getent passwd bqiang
bqiang:*:47105:471:Beiping Qiang:/home2/bqiang:/bin/tcsh

But dovecot server does not:
[root@dovecot2 ~]# getent passwd bqiang

Only when I apply this:
[root@dovecot2 ~]# \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
[root@dovecot2 ~]# service sssd restart

It gets it:
[root@dovecot2 ~]# getent passwd bqiang
bqiang:*:47105:471:Beiping Qiang:/home2/bqiang:/bin/tcsh

So far I have had to deal with this for three users. It's quite possible
that there are more than 3 that are affected; they were just patient
enough to wait until dovecot recovers its memory.

Again, this seems to be an sssd bug?

Thanks,
Qing



Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-19 Thread Qing Chang


On 19/11/2012 3:33 AM, Natxo Asenjo wrote:

hi, Qing

On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang qch...@sri.utoronto.ca wrote:


2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue; I read
it's 90 min?
 When a user changes his/her password, the cache usually is not updated,
hence the problem checking IMAP email with the new password.
 Fix/workaround:
 \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
 service sssd restart
 This is really heavy handed, but I cannot find the sss_cache utility
anywhere for RHEL 6.3!
 Question: is there a way to shorten the timeout period? Where can I find
 sss_cache?

last week I asked a similar question :-). In the man page of sssd.conf
look for 'timeout'. There are quite a few settings you can change
about the sss_cache.

the sss_cache is in a package called sssd-tools now; in the next
release it will be part of the sssd main package


I have great confidence in IPA now, big part of it is because of this list!!

Me too.


Thanks, Natxo, I'll do some research on it.
Qing



Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD

2012-11-17 Thread Qing Chang


On 16/11/2012 12:11 PM, Dmitri Pal wrote:

On 11/16/2012 10:59 AM, Qing Chang wrote:

Just migrated all my users from OpenLDAP and MIT Kerberos to IPA.

Out of more than 400 users, there are around 10 that have problems
accessing Samba or Dovecot IMAP or ssh.

They never have problems logging in to ipa/ipa/ui/login.html.

For Dovecot IMAP following error is generated:
=
Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 
euid=0 tty=dovecot ruser=uesrid rhost=IP  user=userid
Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 
euid=0 tty=dovecot ruser=userid rhost=IP user=useris

Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 
4 (System error)


Hello Qing

There are several things to do:
1) Compare the entries of the users that log in with no problems and the users that have problems. There 
might be some attributes that differ (absent/present). That might give a hint of what might be 
wrong. We have seen some issues in this area related to Samba.
2) Can you please enable a higher debug_level in SSSD and provide the SSSD logs + sssd.conf; that 
would help to see what is going on with the user that is failing.
3) Also, if you can, describe your environment: how all the parts work together and what the 
workflows are in which you see the problem/issue. I am personally not familiar with Dovecot in detail, 
so I assume that Dovecot is configured to use PAM for the authentication and the snippet above is 
from that authentication. Is this the correct assumption?


Thanks
Dmitri


Dmitri,

Appreciate your prompt response. I have been on this thing for the past day and
a half; I think I now understand the issues and have found a fix/workaround for them.

1, Samba + IPA: when the attribute sambaPwdLastSet is set to 0, a samba mapping
request will cause samba to CLEAR the sambaLMPassword and sambaNTPassword
attributes; yes, not set the password to something, but the attributes are
wiped out.
This may only apply to my situation because I HAVE to use samba 3.0.23d, an
ancient version!! Originally when I migrated users from OpenLDAP, sambaPwdLastSet
had a non-zero value for every account. As users migrated their password
properly, the value was not touched. But, if someone's password has to be reset
(too short, forgotten) by us admin users using the UI, sambaPwdLastSet is set
to 0. This explains why the problem is not widespread.
Fix/workaround: change sambaPwdLastSet to a sensible value after a password
reset by admin.
Question: is this designed behavior for IPA? Or does migrate mode or not make a
difference?

2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue; I read
it's 90 min?
When a user changes his/her password, the cache usually is not updated, hence
the problem checking IMAP email with the new password.
Fix/workaround:
\rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
service sssd restart
This is really heavy handed, but I cannot find the sss_cache utility anywhere
for RHEL 6.3!
Question: is there a way to shorten the timeout period? Where can I find
sss_cache?

I have great confidence in IPA now, big part of it is because of this list!!

Many thanks,

Qing

=

For Samba, it appears that a mapping request never gets to the Samba server because
nothing is logged for a problematic user ID, although I have turned on excessive
logging.

What is really frustrating is that there is no pattern to be found; even my
fellow sysadmin's ID is also in trouble.

Also, in his case, he has no problem with Dovecot. For another user ID Samba
works but not Dovecot. It looks to me like there might be some problem with sssd
on the different servers?

BTW, for at least one user, creating a brand new account for samba did not work
either, while the trick worked for another user :-(.

Please shed some light on this. I don't mind opening a case with RedHat support
if necessary.

Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-server.x86_64 2.2.0-16.el6@rhel-x86_64-server-6
sssd.x86_64  1.8.0-32.el6 @rhel-x86_64-server-6
sssd-client.x86_64   1.8.0-32.el6 @rhel-x86_64-server-6

TIA,
Qing





--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.









Re: [Freeipa-users] adding group fails with Type or value exists

2012-11-16 Thread Qing Chang


On 16/11/2012 3:25 AM, Martin Kosek wrote:

On 11/16/2012 12:48 AM, Qing Chang wrote:


On 15/11/2012 6:10 PM, John Dennis wrote:

On 11/15/2012 04:21 PM, Qing Chang wrote:

Adding a group produces the error message "Type or value exists" and fails.

As shown below, I tried a few different group names to ensure that there
are no duplicates:

[root@ipa1 ~]# ipa -d  group-add example  --desc=Test

ipa: DEBUG: Caught fault 4203 from server http://ipa1/ipa/xml: Type or value
exists:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Type or value exists:

I saw this in a thread in March; it did not appear there was a resolution.


Hello Qing:

What version of ipa are you using? Which distribution (e.g. F17, RHEL 6.3)?




ipa-admintools.x86_64  2.2.0-16.el6 @rhel-x86_64-server-6
ipa-client.x86_64  2.2.0-16.el6 @rhel-x86_64-server-6
ipa-pki-ca-theme.noarch9.0.3-7.el6 @rhel-x86_64-server-6
ipa-pki-common-theme.noarch9.0.3-7.el6 @rhel-x86_64-server-6
ipa-python.x86_64  2.2.0-16.el6 @rhel-x86_64-server-6
ipa-server.x86_64 2.2.0-16.el6@rhel-x86_64-server-6
ipa-server-selinux.x86_64  2.2.0-16.el6 @rhel-x86_64-server-6
libipa_hbac.x86_64 1.8.0-32.el6 @rhel-x86_64-server-6
libipa_hbac-python.x86_64  1.8.0-32.el6 @rhel-x86_64-server-6
python-iniparse.noarch 0.3.1-2.1.el6 @anaconda-RedHatEnterpriseLinux-20171049.x86_64/6.2

Red Hat Enterprise Linux Server release 6.3 (Santiago)

Thanks,
Qing



Hello Qing,

did you by any chance modify the list of default group objectclasses? I managed to reproduce the 
same error by adding posixgroup to the list:


# ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,posixgroup
...
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup
...

# ipa group-add foo --desc foo
ipa: ERROR: Type or value exists:

posixgroup should not be in the list as it is later added in group-add command when the group is 
non-posix. In my case, remedy was simple:


# ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject
# ipa group-add foo --desc foo
-
Added group foo
-
  Group name: foo
  Description: foo
  GID: 67447

Martin

Brilliant observation, I do have posixgroup added, thinking that's necessary
to ensure a posix group is created...

Removed and works.

Many thanks,
Qing




[Freeipa-users] adding group fails with Type or value exists

2012-11-15 Thread Qing Chang

Adding a group produces the error message "Type or value exists" and fails.

As shown below, I tried a few different group names to ensure that there
are no duplicates:

[root@ipa1 ~]# ipa -d  group-add example  --desc=Test

ipa: DEBUG: Caught fault 4203 from server http://ipa1/ipa/xml: Type or value 
exists:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Type or value exists:

I saw this in a thread in March; it did not appear there was a resolution.

I have turned off migration mode also to make sure that's not a factor.

Thanks,
Qing



[Freeipa-users] Keep Samba password in sync with userpassword and kerberos password

2012-10-01 Thread Qing Chang

In a thread on Freeipa-devel titled "freeIPA as a samba backend" there is a 
statement as below:
=
IPA will keep all of your passwords in sync - userPassword, sambaNTPassword, sambaLMPassword, and 
your kerberos passwords.
389 cannot do this - the functionality that does this is provided by an IPA password plugin.  
Openldap has a similar plugin, but I

think it is contrib and not officially supported.
==

Can someone please point me to where I can find this plugin and configure it to keep all the passwords 
listed above in sync?

I am unable to find detailed information on the password plugin in the IPA 2.2 doc.

My intention is to provide my Windows users (accounts on the IPA server) the IPA web interface only, for 
changing their password.


I am using Samba 3.0.23d as a standalone server because this is the last version that does not check 
for SIDs strictly...


Many thanks,
Qing


[Freeipa-users] Migration from OpenLDAP to IPA: reset expired password in IPA UI

2012-09-24 Thread Qing Chang

Using https://IPA/ipa/migration, users can migrate their password to their
Kerberos principals successfully, and a subsequent login to /ui gives them an
interface to change attrs on their account.

But if their LDAP password is shorter than the default policy of 8 letters (IPA
migrates the password but sets it as expired), they have no chance to reset it
to meet the policy through the UI. I had to help them log in with an ssh session
to an IPA client machine to do this, although the majority of my users do not
need the ability to have interactive ssh sessions.

Is there a possibility to enable users to change or reset an expired password
in the UI?

Thanks,

Qing Chang



Re: [Freeipa-users] migrate-ds fails with Can't contact LDAP server

2012-08-13 Thread Qing Chang

On 13/08/2012 10:39 AM, Rob Crittenden wrote:

Qing Chang wrote:

Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new
ESXi host; after preparing migration mode as well as adding the necessary
objectclasses, I tried to run the following:
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup

It failed promptly with this:
=
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server:
=

/var/log/dirsrv/access shows:
=
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base=cn=accounts,dc=sri,dc=utoronto,dc=ca scope=2
filter=((uid=postfix)(objectClass=posixAccount)) attrs=objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=

A previous installation in a VBox VM (RHEL 6.3 with IPA) did not have this
problem.



Check your iptables/firewall configuration on both hosts.

rob

I have disabled iptables on ipa1; ipa1 and openldap can ping each other.

Thanks,
Qing



Re: [Freeipa-users] migrate-ds fails with Can't contact LDAP server

2012-08-13 Thread Qing Chang

My sincere apologies: I forgot to start slapd on my openldap server...

Qing

On 13/08/2012 10:39 AM, Rob Crittenden wrote:

Qing Chang wrote:

Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new
ESXi host; after preparing migration mode as well as adding the necessary
objectclasses, I tried to run the following:
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager
--group-container=ou=group --schema=RFC2307 --with-compat
--group-objectclass=posixGroup

It failed promptly with this:
=
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server
http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server:
=

/var/log/dirsrv/access shows:
=
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH
base=cn=accounts,dc=sri,dc=utoronto,dc=ca scope=2
filter=((uid=postfix)(objectClass=posixAccount)) attrs=objectClass
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration
pwdattribute authorizedService accountexpires useraccountcontrol
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap
ipaSshPubKey
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101
nentries=0 etime=0
=

A previous installation in a VBox VM (RHEL 6.3 with IPA) did not have this
problem.



Check your iptables/firewall configuration on both hosts.

rob




[Freeipa-users] migrate-ds fails with Can't contact LDAP server

2012-08-12 Thread Qing Chang
Just installed a fresh RHEL 6.3 VM with IPA 2.2.0-16.el6 on our new
ESXi host; after preparing migration mode as well as adding the necessary
objectclasses, I tried to run the following:
ipa -d migrate-ds ldap://openldap:389 --bind-dn=cn=Manager --group-container=ou=group --schema=RFC2307 --with-compat --group-objectclass=posixGroup


It failed promptly with this:
=
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for CN=ipa1.sri.utoronto.ca,O=SRI.UTORONTO.CA
ipa: DEBUG: handshake complete, peer = IP_of_ipa1:443
ipa: DEBUG: Caught fault 4203 from server 
http://ipa1.sri.utoronto.ca/ipa/xml: Can't contact LDAP server:

ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server:
=

/var/log/dirsrv/access shows:
=
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 SRCH 
base=cn=accounts,dc=sri,dc=utoronto,dc=ca scope=2 
filter=((uid=postfix)(objectClass=posixAccount)) attrs=objectClass 
uid userPassword uidNumber gidNumber gecos homeDirectory loginShell 
krbPrincipalName cn memberOf nsUniqueId modifyTimestamp entryusn 
shadowLastChange shadowMin shadowMax shadowWarning shadowInactive 
shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration 
pwdattribute authorizedService accountexpires useraccountcontrol 
nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap 
ipaSshPubKey
[12/Aug/2012:07:53:26 -0400] conn=81 op=6 RESULT err=0 tag=101 
nentries=0 etime=0

=

A previous installation in a VBox VM (RHEL 6.3 with IPA) did not have this
problem.


Please help,

Thanks,
Qing



Re: [Freeipa-users] Openldap to IPA migration confusion

2012-07-24 Thread Qing Chang



On 23/07/2012 3:33 PM, Rob Crittenden wrote:

Qing Chang wrote:



On 20/07/2012 5:14 PM, Rob Crittenden wrote:

Qing Chang wrote:

Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users
and groups:
compat and accounts. Using groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

The IPA web GUI does not show the memberUid attribute, although it is
migrated correctly.
Adding a user to the group in the web GUI reveals that the member is
added to both
compat and accounts, but differently:
accounts: member:
uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that GUI does not display anything for compat tree,
but I can use
ldap tools to show compat entries.
My questions:
1, why do we have two trees created? I vaguely remember that it is
mentioned that
 compat is for support of IPA as an NIS proxy?


cn=compat is a view of the data in rfc2307-compatible format (so
memberUid instead of member). It isn't a separate copy.

It is so clients that don't support 2307bis can still authenticate and
identify users using nss_ldap.


2, Can the migration script be modified to convert memberUid to
member for
 accounts tree? Or can I modify it manually and load the tree with
ldapmod without
 breaking IPA?


It already can, see the --schema option.


it says:
  --schema=['RFC2307bis', 'RFC2307']
          The schema used on the LDAP server. Supported values
          are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use
RFC2307 instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.


If the LDAP server you are migrating from is using RFC2307 (e.g. memberUid in the groups to 
specify membership) then use --schema=RFC2307.


You are specifying the remote schema, not the local schema.


Indeed it is the remote schema. For future reference, this is my command line:
# ipa -d migrate-ds ldap://ldap:389 --bind-dn=cn=Manager,dc=... --group-container=ou=group 
--group-overwrite-gid --schema=RFC2307 --with-compat --group-objectclass=posixGroup



rob

Your help is much appreciated!

Qing



Re: [Freeipa-users] Openldap to IPA migration confusion

2012-07-23 Thread Qing Chang



On 20/07/2012 5:14 PM, Rob Crittenden wrote:

Qing Chang wrote:

Greetings,

Migration from OpenLDAP to IPA creates a pair of subtrees for both users
and groups:
compat and accounts. Using groups as an example:
dn: cn=acdp,cn=groups,cn=compat,dc=sri,dc=utoronto,dc=ca
dn: cn=acdp,cn=groups,cn=accounts,dc=sri,dc=utoronto,dc=ca

The IPA web GUI does not show the memberUid attribute, although it is
migrated correctly.
Adding a user to the group in the web GUI reveals that the member is
added to both
compat and accounts, but differently:
accounts: member: uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
compat: memberUid: qchang

It also reveals that GUI does not display anything for compat tree,
but I can use
ldap tools to show compat entries.
My questions:
1, why do we have two trees created? I vaguely remember that it is
mentioned that
 compat is for support of IPA as an NIS proxy?


cn=compat is a view of the data in rfc2307-compatible format (so memberUid instead of member). It 
isn't a separate copy.


It is so clients that don't support 2307bis can still authenticate and identify 
users using nss_ldap.


2, Can the migration script be modified to convert memberUid to
member for
 accounts tree? Or can I modify it manually and load the tree with
ldapmod without
 breaking IPA?


It already can, see the --schema option.


it says:
 --schema=['RFC2307bis', 'RFC2307']
The schema used on the LDAP server. Supported values
are RFC2307 and RFC2307bis. The default is RFC2307bis

I assume I am using the default. Does this mean that I should use RFC2307 
instead?
It does not make much sense to me because my OpenLDAP server is using
RFC2307 if I understand your comments above right.

Thanks,
Qing

3, What does Samba use, compat or accounts? I do have a Samba server
setup as
 an IPA client and it works very well, but I don't seem to be able
to find a place
 to specify either compat or accounts for user and group look up, I
assume IPA
 client libraries take care of it. In fact there is no entries that
are related to LDAP
 in my smb.conf, there is only a few lines related to IPA/Kerberos:
=
 security = user
 passdb backend = smbpasswd

# Kerberos options
 realm = SRI.UTORONTO.CA
 kerberos method = dedicated keytab
 dedicated keytab file = /etc/krb5.keytab
=


I'm not familiar with configuring Samba with an ldap backend, maybe someone else 
will chime in.

rob


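The two messages above (2012-07-24 and 2012-07-23) turn on one distinction: RFC2307 groups name members by `memberUid: qchang`, RFC2307bis groups (what `cn=accounts` stores) name them by `member: uid=qchang,cn=users,...`, and `cn=compat` is a read-only view that collapses the DNs back to uids. As an added example, not the migrate-ds code and not anything from this thread, the block below performs both translations on a constructed group entry. It assumes a users container of `cn=users,cn=accounts,dc=example,dc=test` and a constructed set of already-migrated uids; the `ghost` member is invented to show what happens to a memberUid that points at a user who was never migrated.

```python
"""Translate group membership between RFC2307 (memberUid) and RFC2307bis (member DN).
Added example; assumes the users container below, not taken from the thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]

# Assumed IPA users container; substitute the real suffix.
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=test"

# Constructed RFC2307 group as it might be exported from OpenLDAP.
# 'ghost' deliberately names a user that was never migrated.
OPENLDAP_GROUP: Entry = {
    "cn": ["acdp"],
    "gidNumber": ["5001"],
    "objectClass": ["top", "posixGroup"],
    "memberUid": ["qchang", "jdoe", "ghost"],
}
MIGRATED_UIDS: Set[str] = {"qchang", "jdoe"}


def escape_rdn_value(value: str) -> str:
    """Escape the characters RFC 4514 reserves inside an RDN value."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def uid_from_dn(dn: str) -> Optional[str]:
    """Recover the uid from a DN whose leading RDN is uid=...; None otherwise."""
    m = re.match(r"^uid=((?:\\.|[^,\\])+),", dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))   # undo RDN escaping


def to_rfc2307bis(group: Entry, known_uids: Set[str],
                  users_base: str = USERS_BASE) -> Tuple[Entry, List[str]]:
    """Rewrite memberUid values as member DNs (the --schema=RFC2307 direction).

    Returns the converted entry and the uids that could not be resolved to a
    migrated user; those must not silently become dangling DNs.
    """
    entry: Entry = {k: list(v) for k, v in group.items() if k != "memberUid"}
    members: List[str] = []
    unresolved: List[str] = []
    for uid in group.get("memberUid", []):
        if uid in known_uids:
            members.append(f"uid={escape_rdn_value(uid)},{users_base}")
        else:
            unresolved.append(uid)
    if members:
        entry["member"] = members
    oc = entry.setdefault("objectClass", [])
    if "groupOfNames" not in oc:            # 'member' needs a class that allows it
        oc.append("groupOfNames")
    return entry, unresolved


def compat_view(group: Entry) -> Entry:
    """Derive the cn=compat presentation: member DNs collapsed back to memberUid."""
    entry: Entry = {k: list(v) for k, v in group.items() if k != "member"}
    uids = [u for u in (uid_from_dn(dn) for dn in group.get("member", [])) if u]
    if uids:
        entry["memberUid"] = uids
    entry["objectClass"] = [c for c in entry.get("objectClass", []) if c != "groupOfNames"]
    return entry


if __name__ == "__main__":
    bis, missing = to_rfc2307bis(OPENLDAP_GROUP, MIGRATED_UIDS)
    print("accounts tree:", bis)
    print("unresolved memberUid values:", missing)
    print("compat view  :", compat_view(bis))
```

The unresolved list is the check worth keeping: a memberUid with no matching user is exactly what a stale OpenLDAP group carries, and the compat view built from the converted entry should list the same uids you started with, minus those.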


Re: [Freeipa-users] IPA + OpenAFS

2012-07-12 Thread Qing Chang


On 11/07/2012 5:46 PM, Dmitri Pal wrote:

On 07/11/2012 04:01 PM, Qing Chang wrote:


On 11/07/2012 3:23 PM, Simo Sorce wrote:

On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:

Because of the integration of Kerberos in IPA, Kerberos tools can be used
only in limited
situations; when creating afs/DOMAIN@REALM with kadmin, I got this
error:
add_principal: Kerberos database constraints violated while creating
afs/DOMAIN@REALM


Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.

Simo.


A keytab with v4 salt was created successfully using kadmin; unfortunately
OpenAFS still spits out the same error message:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create
afs/DOMAIN@REALM, IPA
still does not like the fact that there is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service
to.

sorry for my ignorance, ktadd accepted -e des-cbc-crc:v4 but created keytab 
with no salt:
=
kadmin.local:   ktadd -e des-cbc-crc:v4 -k /tmp/openafs 
afs/openafs.sri.utoronto.ca
Entry for principal afs/openafs.sri.utoronto.ca with kvno 20, encryption type des-cbc-crc added to 
keytab WRFILE:/tmp/openafs.

kadmin.local:  getprinc afs/openafs.sri.utoronto.ca
Principal: afs/openafs.sri.utoronto...@sri.utoronto.ca
Expiration date: [never]
Last password change: Thu Jul 12 15:08:16 EDT 2012
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jul 12 15:08:16 EDT 2012 (admin/ad...@sri.utoronto.ca)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 20, des-cbc-crc, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
=

I also tried :normal and :afs3, no salts added for any types. Is the IPA
code not doing it, or I am missing something?

Thanks,
Qing



Is there any problem with adding host entries into IPA?
ipa host-add will create a host entry. It does not mean that you have to
do something else with it.


Thanks,
Qing




Re: [Freeipa-users] IPA + OpenAFS

2012-07-11 Thread Qing Chang

I think I do have it configured already:
=
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
=

As I mentioned, I can create keytabs with des-cbc-crc:normal and 
des-cbc-crc:afs3,
but not with des-cbc-crc:v4, which is what OpenAFS uses.

Qing

On 11/07/2012 8:28 AM, Simo Sorce wrote:

On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:

please forgive me if this is a question that has been answered somewhere 
already.

I am almost finished setting up my first OpenAFS cell using IPA's KDC for
authentication but stumble on this error:

[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

A thread on OpenAFS mailing list suggests that it is because I have wrong salt
with my afs service key. The right one should be des-cbc-crc:v4, but 
following fails
when I tried to create the keytab file:

[root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e 
des-cbc-crc:v4 -P
New Principal Password:
Verify Principal Password:
Bad or unsupported salt type (1)!
Failed to create key material


My IPA server kdc.conf file has this:
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal 
arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 
des-cbc-crc:afs3

And the krb5.conf file on both IPA server and OpenAFS server has this:
allow_weak_crypto = true

Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and 
des-cbc-crc:afs3 works, but OpenAFS
does not like them.

You need to change the supported enc types in LDAP for ipa to care.
These attributes are in the cn=REALM_NAME,cn=kerberos,$suffix entry in
ldap.

Simo.





Re: [Freeipa-users] IPA + OpenAFS

2012-07-11 Thread Qing Chang



On 11/07/2012 3:10 PM, Dan Scott wrote:

Hi,

On Wed, Jul 11, 2012 at 3:04 PM, Qing Chang qch...@sri.utoronto.ca wrote:

I agree with you that OpenAFS should implement better enctype. I'll raise it
on their list. In the mean time, this is a block, do you have an estimate
how
long it takes to have the addition of v4 get into RHEL 6.3? I am asking
because
we are moving from LDAP+Kerberos+Samba+Kerberized NFSv4 to IPA+OpenAFS
to our new infrastructure by end of July.

Is it really a block? I run IPA with OpenAFS. I used the kadmin
utility to extract the keytab (I think - this was quite a while ago).
The ipa-getkeytab utility is nice, but not required. Or am I missing
something?

Because of the integration of Kerberos in IPA, Kerberos tools can be used only in 
limited
situations; when creating afs/DOMAIN@REALM with kadmin, I got this error:
add_principal: Kerberos database constraints violated while creating 
afs/DOMAIN@REALM


There is another issue, by convention OpenAFS service principal is created
as
afs/DOMAIN@REALM. IPA does not support creating a service principal without
first having a corresponding host principal, eg, afs/FQDN@REALM. Is it
possible
to add the flexibility in IPA to create an arbitrary service principal,
which can be
done with a standalone Kerberos KDC?

Again, you don't have to use the IPA tools. You can use the Kerberos
server tools.

Dan


On 11/07/2012 2:24 PM, Simo Sorce wrote:

On Wed, 2012-07-11 at 10:19 -0400, Qing Chang wrote:

I think I do have it configured already:
=
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: aes128-cts:special
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:special
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: arcfour-hmac:special
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:special
krbDefaultEncSaltTypes: aes128-cts:special
krbDefaultEncSaltTypes: des3-hmac-sha1:special
krbDefaultEncSaltTypes: arcfour-hmac:special
=

As I mentioned, I can create keytabs with des-cbc-crc:normal and
des-cbc-crc:afs3,
but not with des-cbc-crc:v4, which is what OpenAFS uses.

Qing

On 11/07/2012 8:28 AM, Simo Sorce wrote:

On Tue, 2012-07-10 at 15:53 -0400, Qing Chang wrote:

please forgive me if this is a question that has been answered
somewhere already.

I am almost finished setting up my first OpenAFS cell using IPA's KDC
for
authentication but stumble on this error:

[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

A thread on OpenAFS mailing list suggests that it is because I have
wrong salt
with my afs service key. The right one should be des-cbc-crc:v4, but
following fails
when I tried to create the keytab file:

[root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p
afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e
des-cbc-crc:v4 -P
New Principal Password:
Verify Principal Password:
Bad or unsupported salt type (1)!
Failed to create key material

OK, I just checked the code and found out that we do not support
creating keys with the 'v4' salt type in the ipa code.

I am not sure why I skipped that salt type when I coded it up.
Probably because it is basically obsolete (and amounts to unsalted keys)
and the only thing that still uses it is AFS which uses DES that is also
a completely deprecated and insecure algorithm these days.

Unfortunately it is not something that can be changed via some
parameter, if this is really needed I can only suggest opening a ticket
in freeipa trac instance.

But can't AFS use some decent crypto these days, like AES ?

Simo.



--
--
Qing Chang
Senior Systems Administrator
M6-624 Research Computing
Sunnybrook Health Sciences Centre
2075 Bayview Ave.
Toronto, Ontario,  M4N 3M5
(416) 480-6100 x3263
qch...@sri.utoronto.ca
--

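The OpenAFS thread above comes down to two checks: whether an `enctype:salttype` pair is advertised in `krbSupportedEncSaltTypes`, and whether the tool generating the key actually implements that salt type (Simo's point that the IPA code of the time lacked `v4`, which is an unsalted key). As an added example that is not IPA's code and not from the thread, the block below parses a principal, derives the salt string MIT krb5 documents for each salt type, and vets a keytab request against both lists, flagging single-DES and RC4 as weak. The `krbSupportedEncSaltTypes` list is copied from the thread; `TOOL_SALT_TYPES` is an assumption (everything except `v4`, as the thread states), `EXAMPLE.TEST` is a placeholder realm, and the `afs3` salt value (the cell name, consumed by AFS's own string-to-key) is my reading of MIT's behaviour rather than something the page states.

```python
"""Vet an enctype:salttype keytab request against the realm's advertised list.
Added example; the tool-side salt set and the afs3 salt value are assumptions."""
from typing import List, Optional, Set, Tuple

# Values quoted in the thread from cn=REALM,cn=kerberos,$suffix.
SUPPORTED_ENC_SALT_TYPES: List[str] = [
    "aes256-cts:normal", "aes256-cts:special", "aes128-cts:normal", "aes128-cts:special",
    "des3-hmac-sha1:normal", "des3-hmac-sha1:special", "arcfour-hmac:normal",
    "arcfour-hmac:special", "des-hmac-sha1:normal", "des-cbc-md5:normal",
    "des-cbc-crc:normal", "des-cbc-crc:v4", "des-cbc-crc:afs3",
]

# Assumption: salt types the keytab tool can generate keys for.  The thread says
# the IPA code of the time lacked 'v4'; the rest of the set is assumed.
TOOL_SALT_TYPES: Set[str] = {"normal", "special", "norealm", "onlyrealm", "afs3"}

# Single DES and RC4 are deprecated; flag rather than refuse so the caller decides.
WEAK_ENCTYPE_PREFIXES = ("des-", "arcfour-hmac")


def parse_principal(principal: str) -> Tuple[List[str], str]:
    """Split name/instance@REALM into components and realm ('@' escaping not handled)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must be of the form name[/instance]@REALM")
    return name.split("/"), realm


def salt_for(principal: str, salttype: str) -> Optional[str]:
    """Salt string MIT krb5 derives for a salt type; None means the KDC picks a random one."""
    components, realm = parse_principal(principal)
    if salttype == "normal":        # realm followed by the name components, no separators
        return realm + "".join(components)
    if salttype == "v4":            # Kerberos 4 style: no salt, the key depends only on the password
        return ""
    if salttype == "norealm":       # components only
        return "".join(components)
    if salttype == "onlyrealm":     # realm only
        return realm
    if salttype == "afs3":          # assumption: lowercased cell name, fed to AFS's own string-to-key
        return realm.lower()
    if salttype == "special":       # random salt stored with the key
        return None
    raise ValueError(f"unknown salt type {salttype!r}")


def check_request(enc_salt: str, principal: str,
                  advertised: List[str] = SUPPORTED_ENC_SALT_TYPES,
                  tool_salts: Set[str] = TOOL_SALT_TYPES) -> Tuple[bool, str]:
    """Return (accepted, explanation) for a request such as 'des-cbc-crc:v4'."""
    enctype, _, salttype = enc_salt.partition(":")
    salttype = salttype or "normal"            # krb5 default when no salt type is given
    if f"{enctype}:{salttype}" not in advertised:
        return False, f"{enctype}:{salttype} is not in krbSupportedEncSaltTypes"
    if salttype not in tool_salts:
        return False, f"salt type {salttype!r} is advertised but not implemented by the keytab tool"
    note = "weak enctype" if enctype.startswith(WEAK_ENCTYPE_PREFIXES) else "ok"
    salt = salt_for(principal, salttype)
    return True, f"{note}; salt={'random' if salt is None else repr(salt)}"


if __name__ == "__main__":
    princ = "afs/openafs.example.test@EXAMPLE.TEST"        # placeholder principal
    for req in ("des-cbc-crc:v4", "des-cbc-crc:normal", "aes256-cts:normal", "aes256-cts:special"):
        print(f"{req:22} -> {check_request(req, princ)}")
```

The output makes the mismatch in the thread visible: `des-cbc-crc:v4` passes the LDAP check (it is in the list) and is refused on the tool side, while the AES entries are accepted with no weakness note. Keeping the two lists separate is the defensible design; advertising a salt type in LDAP does not by itself make a tool able to produce it.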


Re: [Freeipa-users] IPA + OpenAFS

2012-07-11 Thread Qing Chang



On 11/07/2012 3:23 PM, Simo Sorce wrote:

On Wed, 2012-07-11 at 15:21 -0400, Qing Chang wrote:

Because of the integration of Kerberos in IPA, Kerberos tools can be used
only in limited
situations; when creating afs/DOMAIN@REALM with kadmin, I got this
error:
add_principal: Kerberos database constraints violated while creating
afs/DOMAIN@REALM


Use ipa service-add to add services, never use kadmin.local, it will not
work, we hard-coded failures in the DB driver to prevent users from
doing that as kadmin doesn't know where to put and how to properly fill
up objects.

However you can use kadmin.local on a pre-existing principal to obtain a
new keytab.

Simo.


A keytab with v4 salt was created successfully using kadmin; unfortunately OpenAFS
still spits out the same error message:
[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

When --force was used with ipa service-add to create afs/DOMAIN@REALM, IPA
still does not like the fact that there is no host entry:
[root@ipa2 tmp]# ipa service-add --force  afs/sri.utoronto.ca
ipa: ERROR: The host 'sri.utoronto.ca' does not exist to add a service to.

Thanks,
Qing





[Freeipa-users] IPA + OpenAFS

2012-07-10 Thread Qing Chang

please forgive me if this is a question that has been answered somewhere 
already.

I am almost finished setting up my first OpenAFS cell using IPA's KDC for
authentication but stumble on this error:

[root@smb1 ~]# fs setacl /afs system:anyuser rl
fs: You don't have the required access rights on '/afs'

A thread on OpenAFS mailing list suggests that it is because I have wrong salt
with my afs service key. The right one should be des-cbc-crc:v4, but 
following fails
when I tried to create the keytab file:

[root@smb1 ~]# ipa-getkeytab --server ipa2.sri.utoronto.ca -p 
afs/openafs.sri.utoronto...@sri.utoronto.ca --keytab /etc/afs.keytab -e des-cbc-crc:v4 -P

New Principal Password:
Verify Principal Password:
Bad or unsupported salt type (1)!
Failed to create key material


My IPA server kdc.conf file has this:
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal 
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3


And the krb5.conf file on both IPA server and OpenAFS server has this:
allow_weak_crypto = true

Why does ipa-getkeytab fail here? Using both des-cbc-crc:normal and 
des-cbc-crc:afs3 works, but OpenAFS
does not like them.

Thanks,
Qing
