Server Uninstall Fail
by Ross Infinger
After a failed ipa-replica-install, I try to uninstall with ipa-server-install --uninstall. However, the uninstall is failing with the following:
[root@ipa-nyc-pci01 ~]# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration!
It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
ipa.ipapython.install.cli.uninstall_tool(CompatServerMasterInstall): ERROR Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server ipa-nyc-pci02.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com
Topology does not allow server pci-mgmt-ipa01.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com
Topology does not allow server pci-mgmt-ipa02.pci.example.com to replicate with servers:
ipa-nyc-pci01.pci.example.com.
ipa.ipapython.install.cli.uninstall_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-uninstall.log for more information
Is there a way to manually clean up the failed install?
4 years
Running Windows Remote Desktop with SSO
by Marcos Acebes
Hi.
We are trying to integrate Windows apps with Linux in our FreeIPA environment so users with a FreeIPA account can run Windows Remote Desktop or Windows remote app with SSO when they log in on a Linux desktop.
Does anyone have any experience with that?
Any recommendations about the way to achieve that?
- AD trust?
- Local windows accounts?
- Kerberos ticket associated with each app?
Thanks in advance for your suggestions.
Marcos Acebes
System engineer
LUNARC
4 years
Re: FreeIPA Community Portal - install errors - "No module named ipalib"
by Joseph Flynn
Yes, thank you Alexander.
Yes, I performed the enrollment (is running the client install the same as
'enrolling'?)
To make it easier to read, I have the executed steps and the error
formatted for easy reading in
http://agileiomo.blogspot.com/2018/05/errors-i-am-seeing-with-installing....
On Sat, May 12, 2018 at 3:26 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On pe, 11 touko 2018, Henery Hawk via FreeIPA-users wrote:
>
>> Trying to follow the install instructions for the portal at
>> http://freeipa-community-portal.readthedocs.io/en/latest/
>> deploy.html#installation.
>> Using Fedora Server 28.
>>
>> Any thoughts?
>>
>> When creating the stage user via script I get the following error:
>>
>> [*] sudo ./create-portal-user
>> Traceback (most recent call last):
>> File "./create-portal-user", line 27, in <module>
>> from ipalib import api
>> ImportError: No module named ipalib
>>
> Do you have this machine enrolled to IPA itself?
>
> The first thing you are asked to do before installation of the portal
> app is to enroll the machine to IPA:
>
> ---------------
> Before continuing into the installation, the server should be enrolled
> as a FreeIPA client of the FreeIPA domain it belongs to. Running:
>
> ipa-client-install
>
> with your favorite options will do.
> ---------------
>
>
>
>> I try to manually install ipalib which brings me to another error:
>>
>> [*] sudo pip install ipalib
>> .
>> .
>> .
>> In distributed package, building from C files...
>> Traceback (most recent call last):
>> File "<string>", line 1, in <module>
>> File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in
>> <module>
>> raise Exception("Could not find main GSSAPI shared library.
>> Please "
>> Exception: Could not find main GSSAPI shared library. Please try
>> setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to
>> 'false'
>>
>> ----------------------------------------
>> Command "python setup.py egg_info" failed with error code 1 in
>> /tmp/pip-install-qQYKRY/gssapi/
4 years
FreeIPA Community Portal - install errors - "No module named ipalib"
by Henery Hawk
Trying to follow the install instructions for the portal at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#inst.... Using Fedora Server 28.
Any thoughts?
When creating the stage user via script I get the following error:
[*] sudo ./create-portal-user
Traceback (most recent call last):
  File "./create-portal-user", line 27, in <module>
    from ipalib import api
ImportError: No module named ipalib
I try to manually install ipalib which brings me to another error:
[*] sudo pip install ipalib
.
.
.
In distributed package, building from C files...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in <module>
    raise Exception("Could not find main GSSAPI shared library. Please "
Exception: Could not find main GSSAPI shared library. Please try setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to 'false'
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-qQYKRY/gssapi/
4 years
A record discrepancy
by Andrew Meyer
On one of my FreeIPA servers I have an A record that points to the correct IP in the web UI, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect. I have done a kinit admin, and then ipa-replica-manage re-initialize --from know.working.server.net. However, the change is not reflected in BIND.
Should it not be changed?
4 years
Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)
by SOLER SANGUESA Miguel
Hello,
I have an IPA master that updated from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5). An hour later I tried to do the same with the unique replica I have, but after the update dirsrv is not starting.
It says it is necessary to run "ipa-server-upgrade", but it also fails:
# ipactl start
Upgrade required: please run ipa-server-upgrade command
Aborting ipactl
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[error] CalledProcessError: Command '/bin/systemctl start dirsrv@IPA-EXAMOLE-ORG.service' returned non-zero exit status 1
[cleanup]: stopping directory server
[cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start dirsrv@IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
In the log I can see:
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl is-active dirsrv@IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=3
2018-04-30T14:36:15Z DEBUG stdout=failed
...
2018-04-30T14:36:15Z DEBUG [4/8]: starting directory server
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl start dirsrv@IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=1
2018-04-30T14:36:15Z DEBUG stdout=
2018-04-30T14:36:15Z DEBUG stderr=Job for dirsrv@IPA-EXAMPLE-ORG.service failed because the control process exited with error code. See "systemctl status dirsrv@IPA-EXAMPLE-ORG.service" and "journalctl -xe" for details.
2018-04-30T14:36:15Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 95, in __start
    srv.start(self.serverid, ldapi=True)
  File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 161, in start
    instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 294, in start
    skip_output=not capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 542, in run
    raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/bin/systemctl start dirsrv@IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
2018-04-30T14:36:15Z DEBUG [error] CalledProcessError: Command '/bin/systemctl start dirsrv@IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
Checking /var/log/dirsrv/slapd-IPA-EXAMPLE-ORG/errors I see:
[30/Apr/2018:16:04:52.584220922 +0200] - ERR - slapd_bootstrap_config - The default password storage scheme could not be read or was not found in the file /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse.ldif. It is mandatory.
Checking on the internet I saw that "dse.ldif" could be corrupted, so I replaced it with "dse.ldif.startOK" without any change, and then I replaced it with "dse.ldif.bak". The problem persists but the error has changed:
[30/Apr/2018:16:32:13.435210918 +0200] - NOTICE - config_set_port - Non-Secure Port Disabled
[30/Apr/2018:16:32:13.556581301 +0200] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libreplication-plugin.so: undefined symbol: replication_legacy_plugin_init
[30/Apr/2018:16:32:13.561590553 +0200] - ERR - symload_report_error - Could not load symbol "replication_legacy_plugin_init" from "/usr/lib64/dirsrv/plugins/libreplication-plugin.so" for plugin Legacy Replication Plugin
[30/Apr/2018:16:32:13.564590264 +0200] - ERR - load_plugin_entry - Unable to load plugin "cn=Legacy Replication Plugin,cn=plugins,cn=config"
I saw a bug about this problem, but it is still open:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1529442
Any idea how to fix the issue?
If it is not possible to fix it, can I remove the replica from IPA and install it again with the same name?
Thanks & Regards.
4 years
next 4.7 pre-release...
by Rob Crittenden
I've started testing of the next 4.7 pre-release for F28 which rolls up
the fixes made so far and adds more, including ensuring the right
dependencies are available.
If there are any open tickets/PRs you feel are a must-have let me know
ASAP. I don't have a specific date I want to do the tag but I'm hoping
for next week (I said the same thing to myself last week).
It is just another pre-release so it doesn't need to have absolutely
everything but it would be nice to be able to greenlight safer usage on
F28 at least (perhaps with a known issue or two).
rob
4 years
upgrade from 4.4 to 4.5
by Sandor Juhasz
Hello,
we have upgraded from 4.4 to 4.5.
The upgrade seems successful, but there is a small issue.
Replication is in sync in the 4 way master cluster.
Everything replicates - users, groups, properties.
The list gives the last successful update time.
If we run
ipa-replica-manage force-sync --from <SERVERX>
It gives back:
No status yet
A lot of times and never returns.
Is this normal? Is this a bug?
CentOS Linux release 7.5.1804 (Core)
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
4 years
obtaining initial ticket via keytab
by Josh
Greetings,
I am trying to follow the steps at https://kb.iu.edu/d/aumh to create a
FreeIPA admin keytab to use in some scripts, but I am getting an error
kinit: Preauthentication failed while getting initial credentials
Does anyone know what I am missing here?
Thanks,
Josh.
$ ktutil
ktutil: addent -password -p admin@EXAMPLE.ORG -k 1 -e aes256-cts
Password for admin@EXAMPLE.ORG:
ktutil: wkt /tmp/admin.kt
ktutil: quit
$ klist -k /tmp/admin.kt
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
---- --------------------------------------------------------------------------
   1 admin@EXAMPLE.ORG
$ klist -k /tmp/admin.kt -e
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
---- --------------------------------------------------------------------------
   1 admin@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
$ kinit -k -t /tmp/admin.kt admin@EXAMPLE.ORG
kinit: Preauthentication failed while getting initial credentials
$ kinit admin
Password for admin@EXAMPLE.ORG:
$ klist -e
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@EXAMPLE.ORG

Valid starting       Expires              Service principal
05/09/2018 23:08:46  05/10/2018 23:08:43  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
$
4 years