replica - install fails with CA issue
by Ross Infinger
I'm trying to promote a new client to a replica. I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with
RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Seems the client was able to reach the CA so I'm puzzled why the replica cannot.
6 years
IPA Error 4203 DatabaseError
by Andrew Meyer
I seem to have 1 server that constantly gets out of sync with the other 3 servers. Currently I am getting this error when I try to add a user:Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log).
I am trying to find the log files and figure out what I need to do to fix this. I'm willing to bet that if I re-initialize the database from another server it will fix it temporarily. However can someone please confirm?
Thank you
6 years
separation of IPA (httpd)
by lejeczek
hi guys
I've been keeping IPA's http part in Apache's virtual host
and it worked seemingly well. Problems arise when yum(or any
package manager) wants to update IPA.
I'm now thinking to separate IPA(s) from the rest.
My(many others?) dilemma is that IPAs usually land on good
hardware and it's a regret that nothing else should be mixed
into Apache when IPA is on it,(as per devel's
recommendations) and what to do, how to do it then...
Without dedicating a separate hardware just for IPA...
I'm thinking of moving IPAs into a LXC containers, with
networks, etc.. so the actual hardware will only be clients
to LXC IPAs...
How do you guys normally do it?
many thanks, L.
6 years
Password Expiration and direct LDAP calls
by Jeremy Utley
Hello to the mailing list!
We are running FreeIPA to handle authentication, and having an issue. We
have a few tools that can not use the full IPA stack (PAM/SSSD/Kerberos),
but instead have to talk to the underlying LDAP server directly. The
problem we are facing is when user passwords expire, those users are still
granted access to these tools that only use LDAP. In researching this
issue, I ran into https://pagure.io/freeipa/issue/1539 - which seems to be
related. Is this still a known issue? Is there any way around it (like
being able to automatically disable any user who's password has been
expired for a certain period of time? This is within a PCI-compliant
infrastructure, so we have to make sure we cover all bases.
Thanks for any help you can give!
Jeremy Utley
6 years
installing replica - ObjectclassViolation: unknown object class "cmsuser"
by lejeczek
hi gents,
I'm trying to add replica but process fails:
...
Configuring certificate server (pki-tomcatd). Estimated
time: 3 minutes
[1/27]: creating certificate server db
[2/27]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[3/27]: creating installation admin user
[error] ObjectclassViolation: unknown object class "cmsuser"
and log:
...
2018-04-23T12:45:43Z DEBUG [3/27]: creating installation
admin user
2018-04-23T12:45:43Z DEBUG Traceback (most recent call last):
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 504, in start_creation
run_step(full_msg, method)
File
"/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 494, in run_step
method()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 437, in setup_admin
api.Backend.ldap2.add_entry(entry)
File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 1504, in add_entry
self.conn.add_s(str(entry.dn), list(attrs.items()))
File "/usr/lib64/python2.7/contextlib.py", line 35, in
__exit__
self.gen.throw(type, value, traceback)
File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py",
line 990, in error_handler
raise errors.ObjectclassViolation(info=info)
ObjectclassViolation: unknown object class "cmsuser"
2018-04-23T12:45:43Z DEBUG [error] ObjectclassViolation:
unknown object class "cmsuser"
2018-04-23T12:45:43Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py",
line 172, in execute
..
Where to start troubleshooting? Is it existing masters and
or new replica candidate.?
many thanks, L.
6 years
at which point IPA changes nsswitch.conf
by lejeczek
hi
I'd like to ask when, if at all, IPA's installer change
nsswitch.conf?
I install a client, afterwards no sss in nsswitch, I install
a replica on that client, still no sss. Is this normal,
expected?
many thanks, L.
6 years
How to import local users to IPA
by shisheer guragain
Hello Guys,
I want to know how do I manage local UNIX users from
IPA server. We have 250 plus Red Hat servers and right now we are managing
all users locally ( manually changing passwords going on each box ). I have
installed a test IPA server and couple of client machines. However, I am
confused on how to I import /etc/passwd from local machines to IPA server.
I would appreciate if anyone can help me understand this. Thanks.
6 years
Apache's URLs: /ipa vs ipa/ui
by lejeczek
hi guys
I wonder ... is a glitch, a problem... or just normal??
When I go to: /ipa
I get: ... Unable to verify your Kerberos credentials
but when I go directly to: /ipa/ui
then I'm presented with login page and I can login okey.
Should not/could not there be another rewriteRule(by default)?
many thanks, L.
6 years
freeipa / automount / multiple maps
by Jerome Bailie
We're currently making the switch from OpenLDAP to Freeipa. Clients are Ubuntu 16 (upgrading to 18 soon).
With FREEIPA, we can automount user home dirs (NFS) successfully with a single map, using auto.home
** However, on our current OpenLDAP system, there are groups of users, which effectively have different automount options, such as:
nfsserver.example.com:/export/groupX/&
whereas the "X" is:
groupA: user1, user2, user3
groupB: user4, user5, user6
groupC, user7, user8, user9
We accomplish this by using nismapentry in OpenLAP.
Another way to look at it is, can a particular user in FREEIPA, be assigned a different NFS server, based on their userid?
Realizing that nismaps are not available in freeipa, is there a similar feature that we haven't found yet?
- Jerry
6 years
