Re: [Freeipa-users] How to handle users with multiple homedirs on different machines?
On Wed, Jun 3, 2015 at 12:29 AM, Lukas Slebodnik lsleb...@redhat.com wrote:

> However sssd is available just on linux (or FreeBSD)
> I'm not sure which clients do you use on Solaris or other

Solaris would be configured via LDAP. RedHat appears to have a pretty good guide for doing this. Same goes for any other systems lacking sssd client or so I hope.

> > As an example, I have user Bob.
> > On a Linux box Bob has homedir at /home/b/bob
>
> ^ Unfortunately, there's no way how to say sssd to use just first letter from name.

Hmmm. Is it time for a feature request? Should this be directed to SSSD or FreeIPA group? override_homedir appears to have plenty of substitution options. This wouldn't be a major change request. For more flexibility, I think it would be nice to refer to an output of a script for determining homedir overrides.

> > On a Solaris this is likely /export/home/bob
> > While on some other odd system it could be /mnt/nas/users/bob
>
> Different prefix for homedir /export/home, /home, /mnt/nas/users could be addressed with the option homedir_substring in sssd conf.
> https://fedorahosted.org/sssd/ticket/1853
>
> So you could store %H in ldap attribute, but clients need to understand such value. (sssd = 1.11.6). I'm not sure about other clients.

As there is no sssd client for Solaris, I think I may have found a workaround via automounter as suggested by Coy Hile. But that only solves the Solaris specific homedir paths.

In any case, I'm further today than I was yesterday. Thank you.

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] How to handle users with multiple homedirs on different machines?
I have an environment that spans across multiple physical locations where there is a mix of Linux and Solaris workstations/servers. So far we've been managing accounts (/etc/password) via Puppet.

Problem: FreeIPA allows to store only one homedir path.

Q: Is there a way to store/set a different home path based on the system that the user is logged into?

As an example, I have user Bob.
On a Linux box Bob has homedir at /home/b/bob
On a Solaris this is likely /export/home/bob
While on some other odd system it could be /mnt/nas/users/bob

The contents in each of the above locations differs for Bob. There are NAS boxes that hold data for specific groups that are mounted on few machines only.

We can't use NAS as central homedir storage for a number of reasons. Mounting exported filesystems as subdirs under main homedir isn't an option either. Many odd-ball systems don't export their filesystems. Mounting all homedirs locations isn't necessary on all machines. Performance issues over network, etc., etc.

Is there a way to handle such a scenario as outlined above? I would welcome any input/ideas.
Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)
On 9/24/2014 9:05 AM, Ade Lee wrote:

> Forwarding to a couple of colleagues of mine who will be taking point on this. From what I can see, the CS.cfg is truncated. Fortunately, I believe it is reparable.
>
> Ade

I've been in contact with Endi and Ade. It was a truncated config file as per msg above. Endi had emailed me a restored config. I can happily say that my IPA instance is back in operation. Thank you all.

For anyone else reading this: For me this config truncation happened after a 'yum update'. Perhaps shutting down the IPA stack before doing package updates might be more advisable.
Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)
On 9/22/2014 7:59 PM, Ade Lee wrote:

> If you scroll to the end of the CS.cfg, does it look like it has been truncated?

I'd have to say no. It doesn't look truncated to me. At least there are no obvious signs. But then again I don't know everything that is supposed to be there. I know that the line starting with pkicreate.unsecure_port= isn't there, that's for sure. Hence why init script fails to start PKI-CA.

> If you have backups of the CS.cfg, that will help. Also, you could look for backups that we have created:

Sadly there were no backups. This was a test/dev VM with no backup policy.

> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*

I've replied to you directly with all CS.cfg* files I could find. Most appear to be templates and not backups as per your message.

> Also, do you have a replica CA?

Yes and no. The master was originally configured with a replica but the test replica VM was not used after that and was shut down and removed.
Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)
On 9/22/2014 7:59 PM, Ade Lee wrote:

> If you scroll to the end of the CS.cfg, does it look like it has been truncated?

I'd have to say no. It doesn't look truncated to me. At least there are no obvious signs. But then again I don't know everything that is supposed to be there. I know that the line starting with pkicreate.unsecure_port= isn't there, that's for sure. Hence why init script fails to start PKI-CA.

> If you have backups of the CS.cfg, that will help. Also, you could look for backups that we have created:

Sadly there were no backups. This was a test/dev VM with no backup policy.

> find /var/lib/pki-ca -name CS.cfg*
> find /var/log -name CS.cfg*

I've replied to you directly with all CS.cfg* files I could find. Most appear to be templates and not backups as per your message.

> Also, do you have a replica CA?

Yes and no. The master was originally configured with a replica but the test replica VM was not used after that and was shut down and removed.

PS. I replied to the wrong email. Ooops, sorry.
Re: [Freeipa-users] PKI-CA fails to start (broken config after update?)
On 9/22/2014 9:14 AM, Ade Lee wrote:

> Another question - what is the output of ls -l /etc/pki-ca/CS.cfg ?

    ls -l /etc/pki-ca/CS.cfg
    -rw-r-. 1 pkiuser pkiuser 49196 Sep 19 11:29 /etc/pki-ca/CS.cfg

I know that I did NOT change the configs myself. But something certainly did during 'yum update'. There are no .rpmsave or .rpmnew files that would typically be created if configs are properly marked in RPM spec file.

There are two other files that exist though:

    -rw-r-. 1 pkiuser pkiuser 65869 Sep 19 11:30 CS.cfg.in.p21
    -rw-rw. 1 pkiuser pkiuser 65955 Sep 5 2013 CS.cfg.in.p33

However, they are not usable either in place of current CS.cfg.

> There have been no updates recently on rhel 6 to the pki packages. There has, however, been an update to tomcat - which broke dogtag startups. What version of tomcat6 is on your system?

    rpm -qa tomcat6
    tomcat6-6.0.24-78.el6_5.noarch
[Freeipa-users] PKI-CA fails to start (broken config after update?)
Hello,

Encountered same issue as described here:
https://www.redhat.com/archives/freeipa-users/2013-July/msg00133.html
https://www.redhat.com/archives/freeipa-users/2014-August/msg00224.html

Plain vanilla IPA setup. No changes, no customizations. Recently IPA fails to start. Error happened right after a 'yum update' and reboot.

    ---
    Starting pki-ca: [ OK ]
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try `grep --help' for more information.
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try `grep --help' for more information.
    Usage: grep [OPTION]... PATTERN [FILE]...
    Try `grep --help' for more information.
    ...
    Failed to start CA Service
    Shutting down

Digging into the matter further... The line that causes the error above is in /usr/share/pki/scripts/functions (which is loaded by pki-ca init script):

    netstat -antl | grep ${port} > /dev/null

The $port variable is blank so call to grep is without a search parameter. Hence invalid call to grep and subsequent error msg I'm seeing as above.

$port is defined just a few lines above as

    port=`grep '^pkicreate.unsecure_port=' ${pki_instance_configuration_file} | cut -b25- -`

BUT! For whatever reason there is no line that starts with pkicreate.unsecure_port in $pki_instance_configuration_file (/var/lib/pki-ca/conf/CS.cfg). Thus no port info is ever obtained for use in grep.

Why there is no such line in config file where one is expected is unknown to me...

Versions currently installed:
ipa-server-3.0.0-37.el6.x86_64
pki-ca-9.0.3-32.el6.noarch

Did updates to pki packages clobber the configs? What got broken? How do I resolve it?

Thank you.
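
The failure mode described in the message above (a missing pkicreate.unsecure_port line leaving $port empty, so grep runs without a pattern) can be caught before the value is used. The following is an added example, not part of the original post and not the pki-ca scripts' own code; the function names, the sample file contents and the port value 9180 are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the port read from a CS.cfg-style file before use.

# Print the value of pkicreate.unsecure_port, or return 1 with a clear
# message instead of handing an empty value to later commands.
get_unsecure_port() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 1
    fi
    # sed strips the key by name, so no hard-coded byte offset is needed.
    port=$(sed -n 's/^pkicreate\.unsecure_port=//p' "$cfg" | head -n 1)
    case $port in
        ''|*[!0-9]*)
            echo "pkicreate.unsecure_port missing or not numeric in $cfg" >&2
            return 1 ;;
    esac
    printf '%s\n' "$port"
}

# Check for a listener only after the port has been validated.
# Returns 0 if listening, 1 if not, 2 if the config is unusable.
port_in_use() {
    port=$(get_unsecure_port "$1") || return 2
    netstat -antl 2>/dev/null | grep -q "[:.]$port[[:space:]].*LISTEN"
}

# Constructed sample files: one complete, one cut off mid-line.
write_samples() {
    printf 'example.first=1\npkicreate.unsecure_port=9180\n' > "$1/good.cfg"
    printf 'example.first=1\npkicreate.unsec' > "$1/truncated.cfg"
}

tmp=$(mktemp -d)
write_samples "$tmp"
get_unsecure_port "$tmp/good.cfg"
get_unsecure_port "$tmp/truncated.cfg" || echo "refusing to start: config incomplete"
rm -rf "$tmp"
```
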