Discussion:
Free ipa Configurations
Rolf Nufable
2014-11-10 01:05:36 UTC
Hello

I have tons of questions on why FreeIPA won't work on my network. I've been using Fedora 20 as the OS for both the FreeIPA server and client.

I deployed FreeIPA 4.0.3 on the server side and FreeIPA 4.1.0 on the client side using 2 VMs. At first it was okay: I got it connected and used LDAP to pass sudo to the client side. But when I finally deployed it in our real network, consisting of an ESXi server and one workstation with the same versions of FreeIPA for server and client, the error I'm getting is "the user does not exist" when I invoke the "su - (user)" command. So my question is, how can I solve this problem? I've been at it for 3 weeks now.

Another question: I've tried using 4.1.0 on the server side, but I can't configure the DNS forwarders for it; it always says the forwarder does not respond. How can I solve this too? Is there a new way to add a DNS forwarder for IPA?

Please help me with these FreeIPA problems, because I really want to deploy them already and get it over with -_-
Martin Basti
2014-11-10 09:10:31 UTC
Post by Rolf Nufable
Hello
I have tons of questions on why FreeIPA won't work on my network. I've been
using Fedora 20 as the OS for both the FreeIPA server and client.
I deployed FreeIPA 4.0.3 on the server side and FreeIPA 4.1.0 on the client
side using 2 VMs. At first it was okay: I got it connected and used LDAP to
pass sudo to the client side. But when I finally deployed it in our real
network, consisting of an ESXi server and one workstation with the same
versions of FreeIPA for server and client, the error I'm getting is "the user
does not exist" when I invoke the "su - (user)" command. So my question is,
how can I solve this problem? I've been at it for 3 weeks now.
Another question: I've tried using 4.1.0 on the server side, but I can't
configure the DNS forwarders for it; it always says the forwarder does not
respond. How can I solve this too? Is there a new way to add a DNS forwarder
for IPA?
Please help me with these FreeIPA problems, because I really want to deploy
them already and get it over with -_-
Hello,

IPA (4.1) doesn't allow adding global forwarders that are not
responding during installation.

Are you sure the forwarder is working? Can you resolve the root zone using
this forwarder?

The workaround is to install the server without the --forwarder option; after
installation you can add a global forwarder using the command dnsconfig-mod
--forwarder=a.b.c.d

HTH
Martin^2
--
Martin Basti
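The check Martin asks for ("can you resolve the root zone using this forwarder?"), done by hand before running the installer or `ipa dnsconfig-mod --forwarder=...` (the `dnsconfig-mod` command above is a subcommand of the `ipa` CLI). This is an added example, not FreeIPA project code: it builds a recursive query for the root NS records, sends it to the candidate forwarder and validates the reply header (response bit, RCODE, recursion-available flag, transaction id). The three reply packets at the bottom are constructed, not captured, so the parser can be exercised offline; `forwarder_responds()` needs network access to a real resolver.

```python
"""Check that a DNS forwarder answers recursive queries for the root zone
before giving it to ipa-server-install --forwarder or `ipa dnsconfig-mod`.
Added example, not FreeIPA code; the reply packets at the bottom are constructed."""
import socket
import struct

FLAG_QR = 0x8000   # header bit: this packet is a response
FLAG_RA = 0x0080   # header bit: server offers recursion
RCODE_MASK = 0x000F
QTYPE_NS, QCLASS_IN = 2, 1


def build_root_ns_query(txid: int = 0x1234) -> bytes:
    """Wire-format query for '. IN NS' with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # the root name is a single empty label, encoded as one zero byte
    question = b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    return header + question


def parse_response_header(packet: bytes, expected_txid: int):
    """Validate the 12-byte DNS header of a reply; returns (ok, reason)."""
    if len(packet) < 12:
        return False, "truncated header"
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        return False, "transaction id mismatch"
    if not flags & FLAG_QR:
        return False, "not a response"
    rcode = flags & RCODE_MASK
    if rcode != 0:
        return False, f"rcode {rcode}"
    if not flags & FLAG_RA:
        # a forwarder must recurse on IPA's behalf, so a reply without RA is a failure here
        return False, "recursion not available"
    if an == 0:
        return False, "no answer records"
    return True, f"{an} answer record(s)"


def forwarder_responds(address: str, port: int = 53, timeout: float = 3.0):
    """Send the root NS query over UDP and judge the reply (needs network access)."""
    txid = 0x4A1D
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_root_ns_query(txid), (address, port))
            data, _peer = sock.recvfrom(4096)
        except OSError as exc:          # socket.timeout is a subclass of OSError
            return False, f"no reply: {exc}"
    return parse_response_header(data, txid)


# Constructed replies (not captured traffic) that exercise the parser offline.
# 0x8180: QR+RD+RA, NOERROR. 0x8185: same flags, RCODE 5 (REFUSED). 0x8100: QR+RD, no RA.
GOOD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 13, 0, 0)
              + b"\x00" + struct.pack("!HH", QTYPE_NS, QCLASS_IN))
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
NO_RECURSION_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_forwarder.py <forwarder-ip>")
    ok, reason = forwarder_responds(sys.argv[1])
    print(("OK" if ok else "FAIL") + ": " + reason)
```

A forwarder that replies but clears the RA bit (a plain authoritative server, or a resolver with recursion restricted by ACL) is rejected on purpose: that is exactly the kind of "forwarder" the installer will later report as not responding.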
Martin Kosek
2014-11-10 11:56:00 UTC
Post by Rolf Nufable
Hello
I have tons of questions on why FreeIPA won't work on my network. I've been using Fedora 20 as the OS for both the FreeIPA server and client.
I deployed FreeIPA 4.0.3 on the server side and FreeIPA 4.1.0 on the client side using 2 VMs. At first it was okay: I got it connected and used LDAP to pass sudo to the client side. But when I finally deployed it in our real network, consisting of an ESXi server and one workstation with the same versions of FreeIPA for server and client, the error I'm getting is "the user does not exist" when I invoke the "su - (user)" command. So my question is, how can I solve this problem? I've been at it for 3 weeks now.
I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
assume this is a problem in the SSSD client part, if the user cannot be found.
CCing Lukas and Jakub to advise.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Jakub Hrozek
2014-11-10 12:41:37 UTC
Post by Martin Kosek
Post by Rolf Nufable
Hello
I have tons of questions on why FreeIPA won't work on my network. I've been using Fedora 20 as the OS for both the FreeIPA server and client.
I deployed FreeIPA 4.0.3 on the server side and FreeIPA 4.1.0 on the client side using 2 VMs. At first it was okay: I got it connected and used LDAP to pass sudo to the client side. But when I finally deployed it in our real network, consisting of an ESXi server and one workstation with the same versions of FreeIPA for server and client, the error I'm getting is "the user does not exist" when I invoke the "su - (user)" command. So my question is, how can I solve this problem? I've been at it for 3 weeks now.
I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
assume this is a problem in the SSSD client part, if the user cannot be found.
CCing Lukas and Jakub to advise.
Sorry, I skipped this thread b/c the subject didn't look like it was
SSSD-related.

I think we need to examine SSSD logs...
Rolf Nufable
2014-11-11 05:24:22 UTC
Well, I'll try them now. My SSSD config only consists of these lines added to the sudo area:

sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com

Plus another question: why is it that when I invoke the kinit admin command for Kerberos, I can't access the web UI, and it keeps asking me to configure my web browser (Firefox), though I've already configured it many times?


TIA
Rolf Nufable
2014-11-11 05:37:17 UTC
Or could you guys direct me or guide me on how to deploy this IPA server? I've been successful deploying IPA version 3.3.5 before, but this 4.0-and-above series is really giving me a headache.


Martin Kosek
2014-11-11 06:56:14 UTC
Post by Rolf Nufable
Or could you guys direct me or guide me on how to deploy this IPA server? I've been successful deploying IPA version 3.3.5 before, but this 4.0-and-above series is really giving me a headache.
Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy; on the contrary, it should be much cooler than 3.3.
Post by Rolf Nufable
Well, I'll try them now. My SSSD config only consists of these lines added to the sudo area:
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use the "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.

More info here:
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
https://fedorahosted.org/freeipa/ticket/3358
Post by Rolf Nufable
Plus another question: why is it that when I invoke the kinit admin command for Kerberos, I can't access the web UI, and it keeps asking me to configure my web browser (Firefox), though I've already configured it many times?
Are you sure that network.negotiate-auth.trusted-uris in about:config is set
correctly? Are you saying that your Firefox works with a FreeIPA 3.3 server but
not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
is the setting of network.negotiate-auth.trusted-uris?

In any case, it is still hard to advise as I still did not see any related
logs, error messages or actual real errors preventing you from enrolling FreeIPA.

Thanks,
Martin
Rolf Nufable
2014-11-11 07:07:50 UTC
Well, I don't know how or what command to use to display the logs; could you teach me how? But yes, network.negotiate-auth.trusted-uris has the same domain name, which is example.com. This is on the server side only.

While on the client side, even though network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed, so it's a really weird scenario. But the registration of the IPA client to the server says it's successful.

TIA
Martin Kosek
2014-11-11 07:28:22 UTC
Post by Rolf Nufable
Well, I don't know how or what command to use to display the logs; could you teach me how?
There should be HOWTO articles on how to do that. Jakub may have better
sources, but I see for example:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
Post by Rolf Nufable
But yes, network.negotiate-auth.trusted-uris has the same domain name, which is example.com. This is on the server side only.
network.negotiate-auth.trusted-uris must be set in the *client* Firefox machine.
Post by Rolf Nufable
While on the client side, even though network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed, so it's a really weird scenario. But the registration of the IPA client to the server says it's successful.
FreeIPA 4.0+ Web UI should allow you to log in at least with your user+password
if SSO login fails. Does at least this part work? Because if not, there is some
error on the server side. It would be interesting to check whether there are any
errors on the server in the following logs:
- /var/log/httpd/error_log
- /var/log/krb5kdc.log
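For the log check Martin suggests, an added example (not FreeIPA or MIT krb5 code): a triage script for /var/log/krb5kdc.log. It parses the KDC's per-request lines and collects what an SSO or `su` failure usually leaves behind: UNKNOWN_SERVER for the HTTP/ service principal the Web UI needs, CLIENT_NOT_FOUND for a user the KDC does not know, and PREAUTH_FAILED counts per source address (a cluster from one address is also what a password-guessing attempt looks like, so it is worth alerting on). The sample lines are constructed in the KDC's log layout with RFC 5737 documentation addresses, not taken from a real server.

```python
"""Triage /var/log/krb5kdc.log on a FreeIPA server for the failures that
break Web UI SSO and user logins. Added example, not FreeIPA or MIT krb5 code;
SAMPLE_LINES are constructed in the KDC's log layout, not a real capture."""
import re
import sys
from collections import Counter

# <timestamp> <host> krb5kdc[pid](level): AS_REQ|TGS_REQ (...) <client ip>: <STATUS>: <rest>
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" appears in every request line.
PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_line(line):
    """Return a dict of fields for an AS_REQ/TGS_REQ line, or None for other lines."""
    m = KDC_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["rest"])
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def triage(lines):
    """Summarise request outcomes; the three buckets map to common FreeIPA symptoms."""
    summary = {
        "by_status": Counter(),               # ISSUE, NEEDED_PREAUTH, PREAUTH_FAILED, ...
        "unknown_servers": set(),             # service principals the KDC has no key for (Web UI: HTTP/...)
        "missing_clients": set(),             # principals that do not exist ("user does not exist")
        "preauth_failures_by_ip": Counter(),  # wrong password, or guessing, per source address
        "unparsed": 0,
    }
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["by_status"][rec["status"]] += 1
        if rec["status"] == "UNKNOWN_SERVER" and rec["server"]:
            summary["unknown_servers"].add(rec["server"])
        elif rec["status"] == "CLIENT_NOT_FOUND" and rec["client"]:
            summary["missing_clients"].add(rec["client"])
        elif rec["status"] == "PREAUTH_FAILED":
            summary["preauth_failures_by_ip"][rec["ip"]] += 1
    return summary


def suspicious_sources(summary, threshold=5):
    """Addresses with at least `threshold` PREAUTH_FAILED entries; worth an alert."""
    return sorted(ip for ip, n in summary["preauth_failures_by_ip"].items() if n >= threshold)


# Constructed sample in the KDC's layout (addresses from RFC 5737 documentation ranges).
SAMPLE_LINES = [
    "Nov 11 08:32:10 ipa.example.com krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required",
    "Nov 11 08:32:10 ipa.example.com krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1415694730, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Nov 11 08:32:15 ipa.example.com krb5kdc[2104](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: UNKNOWN_SERVER: authtime 0, admin@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM, Server not found in Kerberos database",
    "Nov 11 08:33:02 ipa.example.com krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
    "Nov 11 08:34:40 ipa.example.com krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
    "Nov 11 08:34:41 ipa.example.com krb5kdc[2104](info): AS_REQ (4 etypes {18 17 16 23}) 198.51.100.7: PREAUTH_FAILED: admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
    "Nov 11 08:35:00 ipa.example.com krb5kdc[2104](info): closing down fd 12",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES
    result = triage(lines)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious sources:", suspicious_sources(result, threshold=2))
```

Run it against the real file with `python3 kdc_triage.py /var/log/krb5kdc.log`. An UNKNOWN_SERVER entry for `HTTP/<server>@REALM` is the server-side signature of a browser that negotiated correctly but whose ticket request the KDC could not serve, which separates that case from a Firefox that never sent Negotiate at all (no TGS_REQ for HTTP/ appears).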
Rolf Nufable
2014-11-11 07:45:42 UTC
Oh sorry, I forgot: on the client side, "network.negotiate-auth.trusted-uris" has the same domain as on the server side. I've configured it on the client side as well, because recent guides for deploying IPA say that you must go to about:config whether you are on the server or client side, or at least that's what I remember.

Wait a sec, I'm trying to reach the state again where the server side won't let me log in using the admin credentials, just so I could show you the logs.
Rolf Nufable
2014-11-11 08:32:53 UTC
Never mind the problem on the server side; somehow it got fixed, I really don't know how though.

So on the client side, installing the FreeIPA client is successful and the server discovery is fine. My FreeIPA client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that version incompatibility would not be an issue, since if either one is of a lower version, the only features that would be used are the ones that the lower version can do).

So I really don't know why I can't connect to the IPA server.

Iptables works fine.
/etc/resolv.conf is fine as well.

sssd/sssd.conf (added these lines):
[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com


and /etc/nsswitch.conf (added this line):

sudoers : files sss ldap

Is there something missing?



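An added example (not SSSD or FreeIPA code) that serves both the sudo fragment posted above and Martin's point that a FreeIPA 4.0+ client can simply use `sudo_provider = ipa`: a small linter for a client-side sssd.conf and the nsswitch sudoers line. The rules encode the documented sssd.conf layout: provider options such as sudo_provider and the ldap_* settings belong in a [domain/NAME] section, [sudo] only configures the responder, that responder must be listed in [sssd] services, `krb5_server` is the documented spelling of the KDC option, and ldap_sasl_authid should name the client's own host principal, because that is the key the client keytab holds. The two config strings are constructed to resemble the posted fragment and a corrected version; client.example.com is an assumed client hostname.

```python
"""Lint a client-side sssd.conf (and the nsswitch sudoers line) for the
sudo-via-SSSD layout mistakes discussed in this thread.
Added example, not SSSD or FreeIPA code; sample configs below are constructed."""
import configparser

# Options that configure a provider and belong in [domain/NAME], never in [sudo].
PROVIDER_OPTIONS = {
    "id_provider", "auth_provider", "sudo_provider", "ldap_uri",
    "ldap_sudo_search_base", "ldap_sasl_mech", "ldap_sasl_authid",
    "ldap_sasl_realm", "krb5_server", "krb5_realm",
}
# Common misspellings mapped to the documented option name.
MISSPELLED = {"krb_server": "krb5_server", "krb_realm": "krb5_realm"}


def lint_sssd_conf(text, client_fqdn):
    """Return a list of (severity, message); client_fqdn is this host's own name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append(("error", "[sssd] services does not list 'sudo'; the sudo responder never starts"))

    for section in cp.sections():
        for key in cp[section]:
            if key in MISSPELLED:
                findings.append(("error", f"[{section}] '{key}' is not an option; use '{MISSPELLED[key]}'"))
        if section == "sudo":
            misplaced = sorted(k for k in cp[section] if k in PROVIDER_OPTIONS or k in MISSPELLED)
            if misplaced:
                findings.append(("error", "[sudo] is the responder section; move provider options "
                                          f"to [domain/...]: {', '.join(misplaced)}"))

    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        findings.append(("error", "no [domain/...] section; nothing provides sudo rules"))
    for dom in domains:
        # sudo_provider defaults to the value of id_provider when it is not set
        provider = cp.get(dom, "sudo_provider", fallback=cp.get(dom, "id_provider", fallback=None))
        if provider is None:
            findings.append(("error", f"[{dom}] sets neither sudo_provider nor id_provider"))
        elif provider == "ldap":
            findings.append(("info", f"[{dom}] sudo_provider = ldap works, but on a FreeIPA 4.0+ client "
                                     "'ipa' is what ipa-client-install configures"))
        authid = cp.get(dom, "ldap_sasl_authid", fallback=None)
        if authid and authid.startswith("host/"):
            principal_host = authid[len("host/"):].split("@")[0]
            if principal_host.lower() != client_fqdn.lower():
                findings.append(("warning", f"[{dom}] ldap_sasl_authid names {principal_host}, but this "
                                            f"client's keytab holds host/{client_fqdn}"))
    return findings


def lint_nsswitch(text):
    """The sudoers database must consult sss for SSSD-served rules."""
    for line in text.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == "sudoers":
            return [] if "sss" in sources.split() else [("error", "nsswitch sudoers line lacks 'sss'")]
    return [("error", "nsswitch has no sudoers line")]


# Constructed sample resembling the posted fragment (not any real host's file).
POSTED_STYLE = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = myipaserver.example.com

[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
"""

# Constructed corrected layout: ipa provider in the domain section, responder enabled.
CORRECTED = """
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
sudo_provider = ipa
ipa_server = myipaserver.example.com
ipa_domain = example.com

[sudo]
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_STYLE), ("corrected", CORRECTED)):
        print(label, lint_sssd_conf(cfg, "client.example.com") or "clean")
    print("nsswitch", lint_nsswitch("sudoers : files sss ldap\n") or "clean")
```

The posted-style layout yields three errors (responder not enabled, provider options sitting in the responder section, and `krb_server` instead of `krb5_server`); the corrected layout is clean. With the ipa provider there is no need for the `ldap` source on the nsswitch sudoers line, but the linter only insists on `sss` being present.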
Martin Kosek
2014-11-11 09:56:16 UTC
It is still really hard to give advice as I do not know what's actually wrong.
So are you trying to set up sudo on your client, or are you trying to log in
with your client browser to the FreeIPA server? These are 2 orthogonal actions.

Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
cannot help you without a description of the procedure you are trying to do, logs
and exact error messages.

Martin
Post by Rolf Nufable
never mind the problem on the server side, somehow it got fixed , I really don't know how though
so in the client side , It is successful when installing free ipa client and the server discovery is fine, my freipa Client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that version incompatibility would not be an issue since if either one is of a lower version, the only features that would be used is the one that the lower version can do )
So I really don't know why Can't I connect to the ipa server.
Iptables works fine.
/etc/resolv.conf is file as well
sssd/sssd.conf ( added these lines )
[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
and /etc/nsswitch.conf
(added this line )
sudoers : files sss ldap
is there something missing ?
oh sorry I forgot that on the clients side " network.negotiate-auth.trusted-uris " they have the same domain as of the server side I've configured it as well as in the client side because recent guides for deploying IPA says that you must go to about:config either you are on the server or client side, or at least thats what I remember.
Wait a sec I'm trying to achieve the state again where the server side wont let me log in using the admin credentials , just so i could show you the logs
Post by Rolf Nufable
well I dont know how or what command to use to display the logs, could you teach me how?
There should be HOWTO articles on how to do that. Jakub may have better
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
Post by Rolf Nufable
, but yes the network.negotiate-auth.trusted-uris has the same domain name which is example.com this is on the server side only
network.negotiate-auth.trusted-uris must be set in the *client* Firefox machine.
Post by Rolf Nufable
while on the client side, even
though the network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed so its a really weird scenario. but the registration of the ipa client to the server says its successful.
FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
if SSO login fails. Does at least this part work? Because if not, there is some
error on the server side. It would be interesting to check if there are no
- /var/log/httpd/error_log
- /var/log/krb5kdc.log
Post by Rolf Nufable
TIA
Post by Rolf Nufable
Or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before, but this 4.0 and above series is really giving me a headache
Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy; on the contrary, it should be much cooler than 3.3.
Post by Rolf Nufable
Post by Rolf Nufable
Well, I'll try them now. My sssd config only consists of these lines added to the sudo area:
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use the "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
https://fedorahosted.org/freeipa/ticket/3358
Post by Rolf Nufable
Plus another question: why is it that when I invoke the kinit admin command for Kerberos I couldn't access the web UI, and it keeps asking me to configure my web browser (Firefox), though I've already configured it many times?
Are you sure that network.negotiate-auth.trusted-uris in about:config is set
correctly? Are you saying that your Firefox works with FreeIPA 3.3 server but
not with FreeIPA 4.0+? What is the domain of the FreeIPA 4.0+ server and what
is the setting of network.negotiate-auth.trusted-uris?
In any case, it is still hard to advise as I still did not see any related
logs, error messages or actual real errors preventing you from enrolling FreeIPA.
Thanks,
Martin
Post by Rolf Nufable
TIA
On 11/10/2014 02:05 AM, Rolf
Post by Rolf Nufable
Hello
I have tons of questions on why free ipa won't work on my network. I've been using fedora 20 as the os for the server and client free ipa.
I deployed freeipa 4.0.3 at the server side and freeipa 4.1.0 for the client side using 2 VMs. At first it was okay, got it connected and used ldap to pass sudo for the client side, but when I finally deployed it
in our real network consisting of an esxi server and one work station having the same versions of free ipa for server and client, the error that I'm getting is "the user does not exist" when I invoked the "su - ( user )" command, so my question is how can I solve this problem?? I've been at it for 3 weeks now..
Post by Rolf Nufable
Post by Rolf Nufable
I assume this is on Fedora 20, running from the mkosek/freeipa Copr repo. I
assume this is a problem in SSSD client part, if the user cannot be found.
CCing Lukas and Jakub to advise.
Sorry, I skipped this thread b/c the subject didn't look like it was
SSSD-related.
I think we need to examine SSSD logs...
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Rolf Nufable
2014-11-11 10:07:57 UTC
Permalink
Well, I'm trying to set up sudo on my client machine; also I want to access the server web browser from the client machine (is it possible though?)

Well, I'm having this error on the client side when using the command su - ( user ):

su - ***@example.com

su: ***@example.com does not exist.

On Tuesday, November 11, 2014 5:56 PM, Martin Kosek <***@redhat.com> wrote:

It is still really hard to give advice as I do not know what's actually wrong.
So are you trying to set up sudo on your client or are you trying to log in
with your client browser to the FreeIPA server? These are 2 orthogonal actions.

Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
cannot help you without a description of the procedure you are trying to do, logs and
exact error messages.

Martin
Jakub Hrozek
2014-11-11 10:11:06 UTC
Permalink
Post by Rolf Nufable
well I'm trying to setup sudo in my client machine, also I want to access the server web browser In the client machine ( is it possible though ? )
well I'm having this error in the client side when using the command su - ( user )
Are you sure ipa-client-install did run successfully on that machine?

Can you unenroll and enroll the client back so that we start from an
sssd.conf that is created by the tooling?

As Martin said, you don't need those sudo-related config options with
recent SSSD releases, they wouldn't work in the sudo section anyway.
Petr Vobornik
2014-11-11 11:10:51 UTC
Permalink
Post by Jakub Hrozek
Post by Rolf Nufable
well I'm trying to setup sudo in my client machine, also I want to access the server web browser In the client machine ( is it possible though ? )
well I'm having this error in the client side when using the command su - ( user )
Are you sure ipa-client-install did run successfully on that machine?
Can you unenroll and enroll the client back so that we start from an
sssd.conf that is created by the tooling?
As Martin said, you don't need those sudo-related config options with
recent SSSD releases, they wouldn't work in the sudo section anyway.
Does:

$ id ***@example.com

return you the user info?

if not and ipa-client-install was run successfully before, check
nsswitch.conf if it has sssd configured (sss next to various providers).

if not run:
$ authconfig --enablesssd --update

if it doesn't help, try to run:
$ authconfig --disablesssd --update
$ authconfig --enablesssd --update

if it helps, please tell me. I'm curious if you suffer from one issue I
experienced.
--
Petr Vobornik
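The checks Jakub and Petr describe above, as an added example that is not part of the thread and not FreeIPA or SSSD code: a small Python script that parses an sssd.conf and an nsswitch.conf and reports (a) per-domain provider options such as sudo_provider placed in the [sudo] section instead of a [domain/...] section, which is where SSSD actually reads them, and (b) NSS databases (passwd, group, sudoers) whose line does not list sss. The embedded sample configs are constructed from the lines Rolf posted; the option list and the krb_server/krb5_server spelling hint are assumptions taken from the sssd.conf(5) family of man pages, not the complete option set.

```python
"""Offline sanity check for an IPA client's sssd.conf and nsswitch.conf (added example)."""
import configparser
import sys

# Per-domain options from sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-ipa(5).
# Assumption: a hand-picked subset relevant to this thread, not the full set.
DOMAIN_ONLY_OPTIONS = {
    "id_provider", "auth_provider", "sudo_provider",
    "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm",
    "krb5_server", "krb5_realm", "ipa_server", "ipa_domain", "ipa_hostname",
}

# Assumption: krb_server is not an SSSD option; the documented one is krb5_server.
SUSPECT_SPELLINGS = {"krb_server": "krb5_server"}

# Constructed sample mirroring the hand-edited [sudo] section posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_server = myipaserver.example.com
ipa_domain = example.com
ipa_hostname = client.example.com
krb5_realm = EXAMPLE.COM

[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
"""

# Constructed nsswitch.conf samples: one with sss everywhere, one missing it.
SAMPLE_NSSWITCH_OK = """\
passwd:     files sss
shadow:     files sss
group:      files sss
sudoers:    files sss
netgroup:   files sss
"""
SAMPLE_NSSWITCH_BAD = """\
passwd:     files
shadow:     files
group:      files   # sss was never added here
sudoers:    files sss
"""


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def misplaced_domain_options(text):
    """(section, option) pairs for per-domain options living outside [domain/...]."""
    cp = parse_sssd_conf(text)
    found = []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue
        for key in cp[section]:
            if key in DOMAIN_ONLY_OPTIONS or key in SUSPECT_SPELLINGS:
                found.append((section, key))
    return found


def nsswitch_databases_missing_sss(text, databases=("passwd", "group", "sudoers")):
    """Databases whose nsswitch.conf line does not include the sss source."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        db, srcs = line.split(":", 1)
        sources[db.strip()] = srcs.split()
    return [db for db in databases if "sss" not in sources.get(db, [])]


def report(sssd_text, nsswitch_text):
    """Human-readable findings; an empty list means both files look consistent."""
    problems = []
    for section, key in misplaced_domain_options(sssd_text):
        if key in SUSPECT_SPELLINGS:
            problems.append(f"[{section}] {key}: not an SSSD option, did you mean {SUSPECT_SPELLINGS[key]}?")
        else:
            problems.append(f"[{section}] {key}: per-domain option, move it under [domain/...] or drop it")
    for db in nsswitch_databases_missing_sss(nsswitch_text):
        problems.append(f"nsswitch.conf: '{db}' does not list sss (try: authconfig --enablesssd --update)")
    return problems


if __name__ == "__main__":
    # With two paths on the command line, check the real files; otherwise the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            findings = report(f.read(), g.read())
    else:
        findings = report(SAMPLE_SSSD_CONF, SAMPLE_NSSWITCH_BAD)
    for line in findings or ["no problems found"]:
        print(line)
```

Run it as `python3 check_ipa_client.py /etc/sssd/sssd.conf /etc/nsswitch.conf` on the client: the reported [sudo] entries are exactly the hand-added lines the thread says to drop, and re-enrolling with ipa-client-install regenerates an sssd.conf whose [domain/...] section already uses the ipa provider, so none of them are needed.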
Rolf Nufable
2014-11-12 03:09:45 UTC
Permalink
I have another question. Well, I've achieved the state where I can't log in to my admin account on the server side; it happens because I'm changing the time of the server machine.

But the time is really wrong, and I disabled NTP, and the server has no access to the internet.

these are my network configurations.

peerdns = no
ipaddr = 192.168.1.1
netmask = 255.255.255.0
dns1 = 192.168.1.1
onboot = yes

As you can see, I've made the server also the dns1 (is this correct though? I really don't know).

feel free to correct my network config

And another problem is that I need to sync my freeipa server time to the right time zone? If that's the case then I do need an internet connection for my FreeIPA server, so that it could access ntp servers, right? (or am I wrong?)

still this is a great breakthrough for my work

Now what to do?

PS. Martin, attached is the krb5kdc.log after I changed the time of the server. The httpd error log didn't change at all after I tried to access the web UI and tried to log in.


TIA
Martin Kosek
2014-11-12 07:34:39 UTC
Permalink
Post by Rolf Nufable
I have another question. Well, I've achieved the state where I can't log in to my admin account on the server side; it happens because I'm changing the time of the server machine.
But the time is really wrong, and I disabled NTP, and the server has no access to the internet.
these are my network configurations.
peerdns = no
ipaddr = 192.168.1.1
netmask = 255.255.255.0
dns1 = 192.168.1.1
onboot = yes
as you can see I've made the server also the dns1, (is this correct though ? i really don't know )
feel free to correct my network config
And another problem is that I need to sync my freeipa server time to the right time zone? if thats the case then I do need internet connection for my Freeipa server , so that it could access ntp servers right? ( or am I wrong? )
Yes, internet connection helps. Theoretically you could just set up the time
manually on your FreeIPA server and then let your clients synchronize their
time with it as NTP is running there, but that may be cumbersome.
Post by Rolf Nufable
still this is a great breakthrough for my work
Now what to do?
FreeIPA server and the KDC do not care about the time zone, it works with UTC
time anyway, AFAIK. You just simply need to have the time synchronized on all
your servers and clients or Kerberos protocol will not work.
Post by Rolf Nufable
ps. Martin attached is the krb5kdc.log after I changed the time of the server. Httpd error log didnt changed at all after I tried to access the web UI and tried to log in..
I saw no error there...
Post by Rolf Nufable
TIA
Post by Jakub Hrozek
Post by Rolf Nufable
well I'm trying to set up sudo on my client machine, also I want to access the server web UI from the client machine (is it possible though?)
well I'm having this error on the client side when using the command su - (user)
Are you sure ipa-client-install did run successfully on that machine?
Can you unenroll and enroll the client back so that we start from an
sssd.conf that is created by the tooling?
As Martin said, you don't need those sudo-related config options with
recent SSSD releases, they wouldn't work in the sudo section anyway.
return you the user info?
if not and ipa-client-install was run successfully before, check
nsswitch.conf if it has sssd configured (sss next to various providers).
$ authconfig --enablesssd --update
$ authconfig --disablesssd --update
$ authconfig --enablesssd --update
if it helps, please tell me. I'm curious if you suffer from one issue I
experienced.
Post by Jakub Hrozek
Post by Rolf Nufable
It is still really hard to give advice as I do not know what's actually wrong.
So are you trying to set up sudo on your client or are you trying to log in
with your client browser to the FreeIPA server? These are 2 orthogonal actions.
Who gives the "Can't I connect to the ipa server" error? As I said earlier, I
cannot help you without the described procedure you are trying to do, logs and
exact error messages.
Martin
Post by Rolf Nufable
never mind the problem on the server side, somehow it got fixed, I really don't know how though
so on the client side, it is successful when installing the FreeIPA client and the
server discovery is fine, my FreeIPA client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that version incompatibility would not be an issue since if either one is of a lower version, the only features that would be used are the ones that the lower version can do)
So I really don't know why Can't I connect to the ipa server.
Iptables works fine.
/etc/resolv.conf is fine as well
sssd/sssd.conf (added these lines)
[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
and /etc/nsswitch.conf
(added this line)
sudoers : files sss ldap
is there something missing?
oh sorry I forgot that on the client side "network.negotiate-auth.trusted-uris" has the same domain as on the server side; I've configured it on the client side as well, because recent guides for deploying IPA say that you must go to about:config whether
you are on the server or client side, or at least that's what I remember.
Post by Rolf Nufable
Wait a sec, I'm trying to achieve the state again where the server side won't let me log in using the admin credentials, just so I could show you the logs
Post by Rolf Nufable
well I don't know how or what command to use to display the logs, could you teach me how?
There should be HOWTO articles on how to do that. Jakub may have better
sources, but I see for
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
Post by Rolf Nufable
, but yes the network.negotiate-auth.trusted-uris has the same domain name which is example.com, this is on the server side only
network.negotiate-auth.trusted-uris must be set in the *client* Firefox machine.
Post by Rolf Nufable
while on the client side, even
though the network.negotiate-auth.trusted-uris is configured correctly, the web UI can't be accessed, so it's a really weird scenario. but the registration of the ipa client to the server says it's successful.
FreeIPA 4.0+ Web UI should allow you to login at least with your user+password,
if SSO login fails. Does at least this part work? Because if not, there is some
error on the server side. It would be interesting to check if there are no
- /var/log/httpd/error_log
- /var/log/krb5kdc.log
Post by Rolf Nufable
TIA
On 11/11/2014 06:37 AM, Rolf Nufable
Post by Rolf Nufable
or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache
Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy, on the contrary, it should be much cooler than 3.3.
Post by Rolf Nufable
well I'll try them now, my sssd config only consists of these lines added to the sudo area
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.
https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
https://fedorahosted.org/freeipa/ticket/3358
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Rolf Nufable
2014-11-18 08:54:14 UTC
Permalink
Hello all, I have a question regarding the log in to IPA
well I didn't expect this to happen, since last week all installation went smoothly and the adding of the clients as well, but now I have another problem.
My first problem was ntp/ntpdate wasn't cooperating well and it won't update my Fedora 20 time correctly every reboot, so I get the wrong time and manually issue ntpdate just to get the correct time... (well this problem is small)
So what I did was just configure/update the timezone of the FreeIPA server. Then I tried rebooting it 3 times in a row just to make sure it won't change time, and it was successful. (I did this last Friday)
yesterday I checked the time of the FreeIPA server and it was way off.. Now my problem is that if I edited the time or restarted ntpd / ntpdate I cannot log in to the web UI of FreeIPA although I'm using the admin account and the right credentials as well. It asks me to configure the browser credentials (the one going to about:config) but I still cannot log in, and I don't really know why .. But if I didn't, I can log in smoothly..
any ideas on what's causing this error?
TIA :)
Petr Spacek
2014-11-24 08:51:23 UTC
Permalink
Post by Rolf Nufable
Hello all, I have a question regarding the log in to IPA
well I didn't expect this to happen, since last week all installation went smoothly and the adding of the clients as well, but now I have another problem.
My first problem was ntp/ntpdate wasn't cooperating well and it won't update my Fedora 20 time correctly every reboot, so I get the wrong time and manually issue ntpdate just to get the correct time... (well this problem is small)
So what I did was just configure/update the timezone of the FreeIPA server. Then I tried rebooting it 3 times in a row just to make sure it won't change time, and it was successful. (I did this last Friday)
yesterday I checked the time of the FreeIPA server and it was way off.. Now my problem is that if I edited the time or restarted ntpd / ntpdate I cannot log in to the web UI of FreeIPA although I'm using the admin account and the right credentials as well. It asks me to configure the browser credentials (the one going to about:config) but I still cannot log in, and I don't really know why .. But if I didn't, I can log in smoothly..
any ideas on what's causing this error?
TIA :)
Maybe some timestamps in Kerberos tickets you have 'cached' locally are wrong.
I would try to check timestamps in "klist" output or try to kdestroy & kinit
again.

Petr^2 Spacek
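Petr's suggestion to compare the timestamps in "klist" output against the clock, worked through as an added example (not code from the thread, from MIT Kerberos or from FreeIPA): the script parses klist's text output and flags every ticket whose validity window is further from the local time than the Kerberos clockskew limit, which is the state a client ends up in after the clock is changed behind an existing ticket cache. The klist output, the EXAMPLE.COM realm and the HTTP/ipa.example.com principal are constructed for the example.

```python
"""Flag cached Kerberos tickets that no longer fit the local clock.

Added example, not code from the thread or from MIT Kerberos/FreeIPA. It
parses the text that `klist` prints and checks every ticket's validity
window against the current time, which is the comparison Petr suggests
doing by hand. The klist output below is constructed; its date format
(MM/DD/YYYY HH:MM:SS) is what klist prints under the default C locale.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Largest clock difference MIT Kerberos tolerates between a client's
# timestamps and the KDC (libdefaults "clockskew", 300 seconds by default).
CLOCKSKEW = timedelta(seconds=300)

# Constructed sample of `klist` after `kinit admin` and one Web UI visit.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
11/18/2014 09:02:11  11/19/2014 09:02:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/18/2014 09:02:30  11/19/2014 09:02:11  HTTP/ipa.example.com@EXAMPLE.COM
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


@dataclass
class Ticket:
    principal: str
    valid_from: datetime
    expires: datetime


def parse_time(stamp: str) -> datetime:
    """Parse a klist-style timestamp (naive local time, like klist itself)."""
    return datetime.strptime(stamp, TIME_FMT)


def parse_klist(text: str) -> list[Ticket]:
    """Pull (valid-from, expires, service principal) rows out of klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3), parse_time(m.group(1)), parse_time(m.group(2))))
    return tickets


def ticket_status(ticket: Ticket, now: datetime) -> str:
    """Classify one ticket against the local clock.

    "not_yet_valid": the clock is more than CLOCKSKEW before the ticket's
    start, which is what a clock set back after kinit looks like.
    "expired": the clock is more than CLOCKSKEW past the expiry time.
    In both cases the KDC and the HTTP service reject the ticket even though
    kinit succeeded and klist still shows it, matching the symptom in the
    thread where the Web UI keeps asking for browser configuration.
    """
    if now + CLOCKSKEW < ticket.valid_from:
        return "not_yet_valid"
    if now - CLOCKSKEW > ticket.expires:
        return "expired"
    return "ok"


def check_klist(text: str, now: datetime) -> dict[str, str]:
    """Map each service principal in klist output to its status."""
    return {t.principal: ticket_status(t, now) for t in parse_klist(text)}


def needs_reinit(text: str, now: datetime) -> bool:
    """True when any cached ticket is unusable and kdestroy + kinit is due."""
    return any(status != "ok" for status in check_klist(text, now).values())


if __name__ == "__main__":
    # Stand-alone run: compare the constructed cache against the real clock.
    local_now = datetime.now()
    for principal, status in check_klist(SAMPLE_KLIST, local_now).items():
        print(f"{status:14} {principal}")
    if needs_reinit(SAMPLE_KLIST, local_now):
        print("tickets do not fit this clock: kdestroy, fix the time, then kinit again")
```

On a real client, feed it `subprocess.run(["klist"], capture_output=True, text=True).stdout` instead of SAMPLE_KLIST; a "not_yet_valid" result right after kinit means the client and KDC clocks disagree by more than the skew limit, so fixing time synchronization comes before any browser configuration.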
Jakub Hrozek
2014-11-11 10:09:15 UTC
Permalink
Post by Martin Kosek
Post by Rolf Nufable
or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a headache
Hm, that is worrying. FreeIPA 4.0+ should definitely not be more difficult to
deploy, on the contrary, it should be much cooler than 3.3.
Post by Rolf Nufable
well I'll try them now, my sssd config only consists of these lines added to the sudo area
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/myipaserver.example.com
ldap_sasl_realm = EXAMPLE.COM
krb_server = myipaserver.example.com
BTW, with FreeIPA 4.0+ / RHEL-6.6+ / recent Fedoras you can use "ipa" sudo
provider. Actually, FreeIPA 4.0+ clients do that for you.
Right, in addition, the above should have been added to the domain
section, not the sudo section with older clients.
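Jakub's two checks above (the sudo-related ldap_* options belong in the domain section rather than [sudo], and nsswitch.conf must route sudoers through sss), as an added example that is not code from the thread, from SSSD or from FreeIPA: a small checker for both files. The sssd.conf and nsswitch.conf contents are constructed to mirror what was posted; the example.com domain and myipaserver.example.com are the placeholders used in the thread, and the "corrected" sssd.conf is an assumed shape with the ipa sudo provider set in the domain section.

```python
"""Check the two client files this thread keeps returning to.

Added example, not code from the thread or from SSSD/FreeIPA. It verifies
that /etc/nsswitch.conf sends the sudoers database through sss, and that
sudo-related options in sssd.conf live in a [domain/...] section rather
than in [sudo], where SSSD does not read them. All file contents here are
constructed; the domain and server names are the thread's placeholders.
"""
from __future__ import annotations

import configparser

# Constructed: the layout from the thread, provider options in [sudo].
SSSD_CONF_WRONG = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = myipaserver.example.com

[sudo]
sudo_provider = ldap
ldap_uri = ldap://myipaserver.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI
"""

# Constructed (assumed shape): the same client using the ipa sudo provider,
# set in the domain section, with the sudo responder enabled and [sudo] empty.
SSSD_CONF_OK = """\
[sssd]
services = nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = myipaserver.example.com
sudo_provider = ipa

[sudo]
"""

# Constructed nsswitch.conf fragments: with and without sss for sudoers.
NSSWITCH_OK = "passwd: files sss\nsudoers: files sss\n"
NSSWITCH_MISSING = "passwd: files sss\nsudoers: files\n"


def sssd_problems(text: str) -> list[str]:
    """Return human-readable problems found in an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    # Provider options placed in [sudo] are never consulted; they belong to
    # the domain section that owns the id/sudo provider.
    if cp.has_section("sudo"):
        for key in cp["sudo"]:
            if key == "sudo_provider" or key.startswith("ldap_"):
                problems.append(f"[sudo] {key} belongs in a [domain/...] section")
    # The sudo responder only starts when it is listed under services.
    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",")}
    if "sudo" not in services:
        problems.append("[sssd] services does not list sudo")
    return problems


def nsswitch_problems(text: str) -> list[str]:
    """Return problems with the sudoers line of an nsswitch.conf text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("sudoers"):
            sources = line.split(":", 1)[1].split()
            if "sss" not in sources:
                return ["sudoers line does not include sss"]
            return []
    return ["no sudoers line; sudo will never ask SSSD for rules"]


if __name__ == "__main__":
    for name, text in (("wrong", SSSD_CONF_WRONG), ("ok", SSSD_CONF_OK)):
        print(f"sssd.conf ({name}):", sssd_problems(text) or "no problems")
    for name, text in (("ok", NSSWITCH_OK), ("missing", NSSWITCH_MISSING)):
        print(f"nsswitch.conf ({name}):", nsswitch_problems(text) or "no problems")
```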