Accessing IPA host data from an enrolled workstation
by David Harvey
Dear list,
I'm currently tinkering with adding host attributes (as custom attrs, or
for the moment into the description field). My intention is to then read
these from the host in order to define some local behaviour for scripts or
puppet.
Example - a concept of machine ownership, or device class for local scripts
or puppet to know about.
The two ways I've thought of so far entail
- having the CLI tools installed to run IPA commands, or
- kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts
I'm interested in.
It occurred to me that sssd or some other components I understand less well
might already be able to trivially read the host data IPA holds, or that
the kinit might not be needed given the machine can already read out getent
parts direct from LDAP/IPA values with a non-network account in use.
Any ideas or suggestions around this so I don't reinvent the wheel?
Kind regards,
David
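One concrete form of the second option in the post (host keytab plus ldapsearch), as an added example rather than code from the original thread: it reads the host's own ipaHost entry over GSSAPI and extracts key=value fields from its description values, with a constructed LDIF sample so the parsing can be tried without a server. The base DN dc=example,dc=com and the "key=value;key=value" layout of the description are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reads this host's own IPA entry
# (objectClass ipaHost, under cn=computers,cn=accounts) with the host keytab
# and pulls key=value fields out of its description values.
# Assumptions: base DN dc=example,dc=com (override with LDAP_BASE) and an
# OpenLDAP ldapsearch built with SASL/GSSAPI support.

LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"

# Fetch the host entry as LDIF. A private credential cache is used so the
# host ticket never clobbers a user's cache, and it is destroyed afterwards.
fetch_host_ldif() {
  fqdn="${1:-$(hostname -f)}"
  KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
  kinit -kt /etc/krb5.keytab "host/${fqdn}" || return 1
  ldapsearch -Y GSSAPI -Q -LLL -o ldif-wrap=no \
    -b "fqdn=${fqdn},cn=computers,cn=accounts,${LDAP_BASE}" \
    -s base '(objectClass=ipaHost)' fqdn description
  kdestroy
}

# Print the values of one attribute from LDIF on stdin. Folded continuation
# lines are joined first; "attr:: " values are base64 and get decoded.
ldif_attr() {
  attr="$1"
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | while IFS= read -r line; do
    case "$line" in
      "${attr}:: "*) printf '%s\n' "${line#"${attr}:: "}" | base64 -d; echo ;;
      "${attr}: "*)  printf '%s\n' "${line#"${attr}: "}" ;;
    esac
  done
}

# Select a key from description values written as "key=value;key=value".
# $1 = key, $2 = LDIF text (e.g. "$(fetch_host_ldif)").
host_field() {
  printf '%s\n' "$2" | ldif_attr description | tr ';' '\n' | sed -n "s/^$1=//p"
}

# Constructed sample of what ldapsearch would return, so the extraction can
# be exercised without an IPA server. The second description is base64
# ("owner=bob;class=kiosk"), the form ldapsearch uses for non-safe strings.
SAMPLE_LDIF='dn: fqdn=ws01.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: ws01.example.com
description: owner=alice;class=lab-workstation
description:: b3duZXI9Ym9iO2NsYXNzPWtpb3Nr'

# Offline demonstration; against a real server use: host_field class "$(fetch_host_ldif)"
host_field class "$SAMPLE_LDIF"
```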
5 years, 10 months
Server Uninstall Fail
by Ross Infinger
After a failed ipa-replica-install, I try to uninstall with ipa-server-install --uninstall. However, the uninstall is failing with the following:
[root@ipa-nyc-pci01 ~]# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
ipa.ipapython.install.cli.uninstall_tool(CompatServerMasterInstall): ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server ipa-nyc-pci02.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com
Topology does not allow server pci-mgmt-ipa01.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com
Topology does not allow server pci-mgmt-ipa02.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com.
ipa.ipapython.install.cli.uninstall_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information
Is there a way to manually clean up the failed install?
5 years, 10 months
Running windows Remote Desktop with SSO
by Marcos Acebes
Hi.
We are trying to integrate Windows apps with Linux on our FreeIPA environment so users with a FreeIPA account can run Windows Remote Desktop or Windows RemoteApp with SSO when they log in on a Linux desktop.
Does anyone have any experience with that?
Any recommendations on how to achieve that?
- AD trust?
- Local windows accounts?
- Kerberos ticket associated with each app?
Thanks in advance for your suggestions.
Marcos Acebes
System engineer
LUNARC
5 years, 10 months
Re: FreeIPA Community Portal - install errors - "No module named ipalib"
by Joseph Flynn
Yes, thank you Alexander.
Yes, I performed the enrollment (if running the client install is the same as
'enrolling'?)
To make it easier to read, I have the executed steps and the error
formatted for easy reading in
http://agileiomo.blogspot.com/2018/05/errors-i-am-seeing-with-installing....
On Sat, May 12, 2018 at 3:26 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On Fri, 11 May 2018, Henery Hawk via FreeIPA-users wrote:
>
>> Trying to follow the install instructions for the portal at
>> http://freeipa-community-portal.readthedocs.io/en/latest/
>> deploy.html#installation.
>> Using Fedora Server 28.
>>
>> Any thoughts?
>>
>> When creating the stage user via script I get the following error:
>>
>> [*] sudo ./create-portal-user
>> Traceback (most recent call last):
>> File "./create-portal-user", line 27, in <module>
>> from ipalib import api
>> ImportError: No module named ipalib
>>
> Do you have this machine enrolled to IPA itself?
>
> The first thing you are asked to do before installation of the portal
> app is to enroll the machine to IPA:
>
> ---------------
> Before continuing into the installation, the server should be enrolled
> as a FreeIPA client of the FreeIPA domain it belongs to. Running:
>
> ipa-client-install
>
> with your favorite options will do.
> ---------------
>
>
>
>> I try to manually install ipalib which brings me to another error:
>>
>> [*] sudo pip install ipalib
>> .
>> .
>> .
>> In distributed package, building from C files...
>> Traceback (most recent call last):
>> File "<string>", line 1, in <module>
>> File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in
>> <module>
>> raise Exception("Could not find main GSSAPI shared library.
>> Please "
>> Exception: Could not find main GSSAPI shared library. Please try
>> setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to
>> 'false'
>>
>> ----------------------------------------
>> Command "python setup.py egg_info" failed with error code 1 in
>> /tmp/pip-install-qQYKRY/gssapi/
5 years, 10 months
FreeIPA Community Portal - install errors - "No module named ipalib"
by Henery Hawk
Trying to follow the install instructions for the portal at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#inst.... Using Fedora Server 28.
Any thoughts?
When creating the stage user via script I get the following error:
[*] sudo ./create-portal-user
Traceback (most recent call last):
File "./create-portal-user", line 27, in <module>
from ipalib import api
ImportError: No module named ipalib
I try to manually install ipalib which brings me to another error:
[*] sudo pip install ipalib
.
.
.
In distributed package, building from C files...
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in <module>
raise Exception("Could not find main GSSAPI shared library. Please "
Exception: Could not find main GSSAPI shared library. Please try setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to 'false'
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-qQYKRY/gssapi/
5 years, 10 months
A record discrepancy
by Andrew Meyer
On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect. I have done a kinit admin, and then ipa-replica-manage re-initialize --from know.working.server.net. However the change is not reflected in BIND.
Should it not be changed?
5 years, 10 months
Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)
by SOLER SANGUESA Miguel
Hello,
I have an IPA master that I updated from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5). An hour later I tried to do the same with the only replica I have, but after the update dirsrv is not starting.
It says it is necessary to run "ipa-server-upgrade", but that also fails:
# ipactl start
Upgrade required: please run ipa-server-upgrade command
Aborting ipactl
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[error] CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMOLE-ORG.service' returned non-zero exit status 1
[cleanup]: stopping directory server
[cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On the log I can see:
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl is-active dirsrv(a)IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=3
2018-04-30T14:36:15Z DEBUG stdout=failed
...
2018-04-30T14:36:15Z DEBUG [4/8]: starting directory server
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=1
2018-04-30T14:36:15Z DEBUG stdout=
2018-04-30T14:36:15Z DEBUG stderr=Job for dirsrv(a)IPA-EXAMPLE-ORG.service failed because the control process exited with error code. See "systemctl status dirsrv(a)IPA-EXAMPLE-ORG.service" and "journalctl -xe" for details.
2018-04-30T14:36:15Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 95, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 161, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 294, in start
skip_output=not capture_output)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 542, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
2018-04-30T14:36:15Z DEBUG [error] CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
Checking /var/log/dirsrv/slapd-IPA-EXAMPLE-ORG/errors I see:
[30/Apr/2018:16:04:52.584220922 +0200] - ERR - slapd_bootstrap_config - The default password storage scheme could not be read or was not found in the file /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse.ldif. It is mandatory.
Searching on the internet I saw that "dse.ldif" could be corrupted, so I replaced it with "dse.ldif.startOK" without any change, and then with "dse.ldif.bak". The problem persists but the error has changed:
[30/Apr/2018:16:32:13.435210918 +0200] - NOTICE - config_set_port - Non-Secure Port Disabled
[30/Apr/2018:16:32:13.556581301 +0200] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libreplication-plugin.so: undefined symbol: replication_legacy_plugin_init
[30/Apr/2018:16:32:13.561590553 +0200] - ERR - symload_report_error - Could not load symbol "replication_legacy_plugin_init" from "/usr/lib64/dirsrv/plugins/libreplication-plugin.so" for plugin Legacy Replication Plugin
[30/Apr/2018:16:32:13.564590264 +0200] - ERR - load_plugin_entry - Unable to load plugin "cn=Legacy Replication Plugin,cn=plugins,cn=config"
I saw a bug about this problem, but it is still open:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1529442
Any idea how to fix the issue?
If it is not possible to fix it, can I remove the replica from IPA and install it again with the same name?
Thanks & Regards.
5 years, 10 months
next 4.7 pre-release...
by Rob Crittenden
I've started testing of the next 4.7 pre-release for F28 which rolls up
the fixes made so far and adds more, including ensuring the right
dependencies are available.
If there are any open tickets/PRs you feel are a must-have let me know
ASAP. I don't have a specific date I want to do the tag but I'm hoping
for next week (I said the same thing to myself last week).
It is just another pre-release so it doesn't need to have absolutely
everything but it would be nice to be able to greenlight safer usage on
F28 at least (perhaps with a known issue or two).
rob
5 years, 10 months
upgrade from 4.4 to 4.5
by Sandor Juhasz
Hello,
We have upgraded from 4.4 to 4.5.
The upgrade seems successful, but there is a small issue.
Replication is in sync in the 4 way master cluster.
Everything replicates - users, groups, properties.
The list gives the last successful update time.
If we run
ipa-replica-manage force-sync --from <SERVERX>
it gives back
No status yet
many times and never returns.
Is this normal? Is this a bug?
CentOS Linux release 7.5.1804 (Core)
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
5 years, 10 months