Running windows Remote Desktop with SSO
by Marcos Acebes
Hi.
We are trying to integrate windows apps with Linux on our freeIPA environment so users with a freeIPA account can run windows Remote Desktop or Windows remote app with SSO when they login on a Linux Desktop.
Someone have any experience with that?
Some recommendations about the way to achieve that?
- AD trust?
- Local windows accounts?
- Kerberos ticket associated with each app?
Thanks in advance for your suggestions.
Marcos Acebes
System engineer
LUNARC
3 years, 2 months
Re: FreeIPA Community Portal - install errors - "No module named ipalib"
by Joseph Flynn
Yes, thank you Alexander.
Yes I performed the enrollment (if running the client install the same as
'enrolling'?)
To make it easier to read, I have the executed steps and the error
formatted for easy reading in
http://agileiomo.blogspot.com/2018/05/errors-i-am-seeing-with-installing....
On Sat, May 12, 2018 at 3:26 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
> On pe, 11 touko 2018, Henery Hawk via FreeIPA-users wrote:
>
>> Trying to follow the install instructions for the portal at
>> http://freeipa-community-portal.readthedocs.io/en/latest/
>> deploy.html#installation.
>> Using Fedora Server 28.
>>
>> Any thoughts?
>>
>> When creating the stage user via script I get the following error:
>>
>> [*] sudo ./create-portal-user
>> Traceback (most recent call last):
>> File "./create-portal-user", line 27, in <module>
>> from ipalib import api
>> ImportError: No module named ipalib
>>
> Do you have this machine enrolled to IPA itself?
>
> The first thing you are asked to do before installation of the portal
> app is to enroll themachine to IPA:
>
> ---------------
> Before continuing into the installation, the server should be enrolled
> as a FreeIPA client of the FreeIPA domain it belongs to. Running:
>
> ipa-client-install
>
> with your favorite options will do.
> ---------------
>
>
>
>> I try to manually install ipalib which brings me to another error:
>>
>> [*] sudo pip install ipalib
>> .
>> .
>> .
>> In distributed package, building from C files...
>> Traceback (most recent call last):
>> File "<string>", line 1, in <module>
>> File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in
>> <module>
>> raise Exception("Could not find main GSSAPI shared library.
>> Please "
>> Exception: Could not find main GSSAPI shared library. Please try
>> setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to
>> 'false'
>>
>> ----------------------------------------
>> Command "python setup.py egg_info" failed with error code 1 in
>> /tmp/pip-install-qQYKRY/gssapi/
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo
>> rahosted.org
>>
>
>
3 years, 2 months
FreeIPA Community Porta - intall errors - "No module named ipalib"
by Henery Hawk
Trying to follow the install instructions for the portal at http://freeipa-community-portal.readthedocs.io/en/latest/deploy.html#inst.... Using Fedora Server 28.
Any thoughts?
When creating the stage user via script I get the following error:
[*] sudo ./create-portal-user
Traceback (most recent call last):
File "./create-portal-user", line 27, in <module>
from ipalib import api
ImportError: No module named ipalib
I try to manually install ipalib which brings me to another error:
[*] sudo pip install ipalib
.
.
.
In distributed package, building from C files...
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/tmp/pip-install-qQYKRY/gssapi/setup.py", line 109, in <module>
raise Exception("Could not find main GSSAPI shared library. Please "
Exception: Could not find main GSSAPI shared library. Please try setting GSSAPI_MAIN_LIB yourself or setting ENABLE_SUPPORT_DETECTION to 'false'
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-install-qQYKRY/gssapi/
3 years, 2 months
A record discrepency
by Andrew Meyer
On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect. I have done a kinit admin, and then ipa-replica-manage re-initialize --from know.working.server.net. However the change is not reflected in BIND.
Should it not be changed?
3 years, 2 months
Problem on dirsrv when updating from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5)
by SOLER SANGUESA Miguel
hello,
I have an IPA master that updated from 4.5.0 (RHEL 7.4) to 4.5.4 (RHEL 7.5). An hour later I tried to do the same with the unique replica I have, but after update dirsrv is not starting.
It says it is needed run "ipa-server-upgrade", but it also fails:
# ipactl start
Upgrade required: please run ipa-server-upgrade command
Aborting ipactl
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
[4/8]: starting directory server
[error] CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMOLE-ORG.service' returned non-zero exit status 1
[cleanup]: stopping directory server
[cleanup]: restoring configuration
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
On the log I can see:
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl is-active dirsrv(a)IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=3
2018-04-30T14:36:15Z DEBUG stdout=failed
...
2018-04-30T14:36:15Z DEBUG [4/8]: starting directory server
2018-04-30T14:36:15Z DEBUG Starting external process
2018-04-30T14:36:15Z DEBUG args=/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service
2018-04-30T14:36:15Z DEBUG Process finished, return code=1
2018-04-30T14:36:15Z DEBUG stdout=
2018-04-30T14:36:15Z DEBUG stderr=Job for dirsrv(a)IPA-EXAMPLE-ORG.service failed because the control process exited with error code. See "systemctl status dirsrv(a)IPA-EXAMPLE-ORG.service" and "journalctl -xe" for details.
2018-04-30T14:36:15Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
run_step(full_msg, method)
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
method()
File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 95, in __start
srv.start(self.serverid, ldapi=True)
File "/usr/lib/python2.7/site-packages/ipaplatform/redhat/services.py", line 161, in start
instance_name, capture_output=capture_output, wait=wait)
File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 294, in start
skip_output=not capture_output)
File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 542, in run
raise CalledProcessError(p.returncode, arg_string, str(output))
CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
2018-04-30T14:36:15Z DEBUG [error] CalledProcessError: Command '/bin/systemctl start dirsrv(a)IPA-EXAMPLE-ORG.service' returned non-zero exit status 1
Checking /var/log/dirsrv/slapd-IPA-EXAMPLE-ORG/errors I show:
[30/Apr/2018:16:04:52.584220922 +0200] - ERR - slapd_bootstrap_config - The default password storage scheme could not be read or was not found in the file /etc/dirsrv/slapd-IPA-EXAMPLE-ORG/dse.ldif. It is mandatory.
Checking on internet I show that "dse.ldif" could be corrupted, so I changed with "dse.ldif.startOK" without any change and then I changed with "dse.ldif.bak". The problem persist but the error has changed:
[30/Apr/2018:16:32:13.435210918 +0200] - NOTICE - config_set_port - Non-Secure Port Disabled
[30/Apr/2018:16:32:13.556581301 +0200] - ERR - symload_report_error - Netscape Portable Runtime error -5975: /usr/lib64/dirsrv/plugins/libreplication-plugin.so: undefined symbol: replication_legacy_plugin_init
[30/Apr/2018:16:32:13.561590553 +0200] - ERR - symload_report_error - Could not load symbol "replication_legacy_plugin_init" from "/usr/lib64/dirsrv/plugins/libreplication-plugin.so" for plugin Legacy Replication Plugin
[30/Apr/2018:16:32:13.564590264 +0200] - ERR - load_plugin_entry - Unable to load plugin "cn=Legacy Replication Plugin,cn=plugins,cn=config"
I saw a bug about this problem, but it is still opened:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1529442
Any idea how to fix the issue?
If it is not possible to fix it, can I remove the replica from IPA and install it again with the same name?
Thanks & Regards.
______________________________
3 years, 2 months
next 4.7 pre-release...
by Rob Crittenden
I've started testing of the next 4.7 pre-release for F28 which rolls up
the fixes made so far and adds more, including ensuring the right
dependencies are available.
If there are any open tickets/PRs you feel are a must-have let me know
ASAP. I don't have a specific date I want to do the tag but I'm hoping
for next week (I said the same thing to myself last week).
It is just another pre-release so it doesn't need to have absolutely
everything but it would be nice to be able to greenlight safer usage on
F28 at least (perhaps with a known issue or two).
rob
3 years, 2 months
upgrade from 4.4 to 4.5
by Sandor Juhasz
Hello,
we have upgraded from 4.4 to 4.5.
The upgrade seems successful, but there is a small issue.
Replication is in sync in the 4 way master cluster.
Everything replicates - users, groups, properties.
The list gives the last successful update time.
If we run
ipa-replica-manage force-sync --from <SERVERX>
It gives back:
No status yet
A lot of times and never returns.
Is this normal? IS this a bug?
CentOS Linux release 7.5.1804 (Core)
ipa-client-4.5.4-10.el7.centos.x86_64
ipa-server-4.5.4-10.el7.centos.x86_64
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Ltd*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964
3 years, 2 months
obtaining initial ticket via keytab
by Josh
Greetings,
I am trying to follow steps at https://kb.iu.edu/d/aumh to create
freeipa admin keytab to use in some scripts but getting an error
kinit: Preauthentication failed while getting initial credentials
Does anyone know what I am missing here?
Thanks,
Josh.
$ ktutil
ktutil: addent -password -p admin(a)EXAMPLE.ORG -k 1 -e aes256-cts
Password for admin(a)EXAMPLE.ORG:
ktutil: wkt /tmp/admin.kt
ktutil: quit
$ klist -k /tmp/admin.kt
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
----
--------------------------------------------------------------------------
1 admin(a)EXAMPLE.ORG
$ klist -k /tmp/admin.kt -e
Keytab name: FILE:/tmp/admin.kt
KVNO Principal
----
--------------------------------------------------------------------------
1 admin(a)EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
$ kinit -k -t /tmp/admin.kt admin(a)EXAMPLE.ORG
kinit: Preauthentication failed while getting initial credentials
$ kinit admin
Password for admin(a)EXAMPLE.ORG:
$ klist -e
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin(a)EXAMPLE.ORG
Valid starting Expires Service principal
05/09/2018 23:08:46 05/10/2018 23:08:43 krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
$
3 years, 2 months
CA install on replica fails - Clone URI does not match...
by Ross Infinger
I'm installing the CA service on an existing replica with command ipa-ca-install. It fails with this error in the log:
Installation failed:
com.netscape.certsrv.base.BadRequestException: Clone URI does not match available subsystems: https://pci-mgmt-ipa01.pci.xxxxxx.com:443
Version of both ca master and replica is 4.5.0 api version 2.228
domain level is 1
ipareplica-ca-install.log attached.
How can I further troubleshoot this?
Thanks,
Ross
3 years, 2 months
