Dmitri, Rob, Lucas et al. Thank you for all your help and patience and for pointing me in the right direction. I was able to fix most of my issues. My setup is a little complex where I am trying to have a master and the replica in different networks and in sync + each of them is serving a different set of hosts.

Shreeraj
----------------------------------------------------------------------------------------
Change is the only Constant !

On Thursday, February 20, 2014 2:20 PM, Dmitri Pal <[email protected]> wrote:

On 02/20/2014 02:58 PM, Shree wrote:
> Can you help me figure out, below is some info on the existing working configuration on one of the clients
>
> 1) Sudo version 1.7.4p5
>
> 2) [root@test500 ~]# sssd --version
> 1.9.2
>
> 3) These are the uncommented lines in /etc/sssd/sssd.conf
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = mydomain.com
> [domain/mydomain.com]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = mydomain.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = dns.mydomain.com
> chpass_provider = ipa
> ipa_server = ldap.mydomain.com
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=mydomain,dc=com
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> =======================================
> 4) And these are the options in /etc/nsswitch.conf
> sudoers: files ldap
> passwd: files sss
> shadow: files sss
> group: files sss
>
> On Thursday, February 20, 2014 7:20 AM, Dmitri Pal <[email protected]> wrote:
>
> On 02/19/2014 06:52 PM, Shree wrote:
>> Rob
>> You were right. After upgrading the client to the ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the client install that went something like
>> =================
>> Autodiscovery of servers for failover cannot work with this configuration.
>> If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
>> Proceed with fixed values and no DNS discovery? [no]: yes
>> =================
>>
>> I continued by saying yes because in my case the master and the replica are in different VLANs and failover is not possible for me. I have tried in two hosts successfully and am hoping that does the trick.
>>
>> However I see one issue immediately that my sudo access does not seem to work now on the newly added clients! Do you know what might be happening?
>
> Are you using SSSD and SUDO integration?
> What version of sudo and sssd?
> See if this would help:
> http://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf
>
>> On Wednesday, February 19, 2014 2:21 PM, Rob Crittenden <[email protected]> wrote:
>>
>> Shree wrote:
>>> [root@test500 ~]# rpm -q ipa-client
>>> ipa-client-2.2.0-16.el6.x86_64
>>> [root@test500 ~]#
>>
>> You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
>>
>> Unfortunately our logging around discovery was rather horrible in 2.2.x so it is difficult to know exactly what is going on.
>>
>> I believe the problem is that it is still doing DNS discovery even though you've passed in a server name so it is setting up Kerberos to look up the KDC which it finds but can't talk to.
>>
>> This should be fixed in the 3.0 packages so updating to those is the preferred solution.
>>
>> For 2.x you can try the --force option which should make it skip some discovery.
>>
>> rob
>>
>>> On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>> Shree wrote:
>>>> Here are a couple of things
>>>>
>>>> [skarulkar@ldap2 ~]$ rpm -q ipa-client
>>>> ipa-client-3.0.0-26.el6_4.4.x86_64
>>>
>>> What is the version on the client that is failing to enroll?
>>>
>>> rob
>>>
>>>> and my /etc/krb5.conf looks like ..........
>>>> =======================================
>>>> includedir /var/lib/sss/pubconf/krb5.include.d/
>>>>
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>>
>>>> [libdefaults]
>>>> default_realm = MYDOMAIN.COM
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> rdns = false
>>>> ticket_lifetime = 24h
>>>> forwardable = yes
>>>>
>>>> [realms]
>>>> MYDOMAIN.COM = {
>>>> kdc = ldap2.mydomain.com:88
>>>> master_kdc = ldap2.mydomain.com:88
>>>> admin_server = ldap2.mydomain.com:749
>>>> default_domain = mydomain.com
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> default_domain = mydomain.com
>>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>> }
>>>>
>>>> [domain_realm]
>>>> .mydomain.com = MYDOMAIN.COM
>>>> mydomain.com = MYDOMAIN.COM
>>>>
>>>> [dbmodules]
>>>> MYDOMAIN.COM = {
>>>> db_library = ipadb.so
>>>> }
>>>>
>>>> =======================================
>>>>
>>>> On Wednesday, February 19, 2014 12:59 PM, Rob Crittenden <[email protected]> wrote:
>>>>
>>>> Shree wrote:
>>>>> 1) I have got a step further. My replica is not running CA Service. To achieve this I had to remove the existing cert with this command
>>>>>
>>>>> pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
>>>>>
>>>>> Now the replica looks like this
>>>>>
>>>>> [skarulkar@ldap2 tmp]$ sudo ipactl status
>>>>> [sudo] password for skarulkar:
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>> HTTP Service: RUNNING
>>>>> CA Service: RUNNING
>>>>> [skarulkar@ldap2 tmp]$
>>>>
>>>> The tracking failed with:
>>>>
>>>> 2014-02-18T20:20:43Z DEBUG stdout=Error initializing Kerberos library: Improper format of Kerberos configuration file.
>>>>
>>>> It looks like it failed on this for most if not all the tracking. What does /etc/krb5.conf look like?
>>>>
>>>>> 2) I am still not able to add client using ipa-client-install using the replica.
>>>>
>>>> The temporary krb5.conf that is used during enrollment has dns_lookup_kdc=True so it is probably trying to contact the other KDC and failing.
>>>>
>>>> What is the output of:
>>>>
>>>> $ rpm -q ipa-client
>>>>
>>>> rob

It seems like you do not use SSSD integration so turning the debug on sudo and seeing what it is doing is the next step.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
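Dmitri's diagnosis rests on two lines in the files Shree posted: the `services` list in /etc/sssd/sssd.conf has no `sudo` responder and `sudoers:` in /etc/nsswitch.conf names `ldap`, not `sss`. The check below is an added example (my code, not from the thread or the FreeIPA project) that parses both files and reports exactly those gaps; the `*_ORIGINAL` strings are constructed from the posted config, the `*_INTEGRATED` variants are constructed with only those two settings changed, and the check assumes nothing about the sudo version or the domain section beyond that.

```python
import configparser
from typing import Dict, List

# Constructed samples: the relevant lines from the client config posted in the thread
# (sudo is resolved via "files ldap", and SSSD starts no sudo responder) ...
SSSD_CONF_ORIGINAL = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
[domain/mydomain.com]
id_provider = ipa
auth_provider = ipa
ipa_server = ldap.mydomain.com
"""
NSSWITCH_ORIGINAL = "sudoers: files ldap\npasswd: files sss\nshadow: files sss\ngroup: files sss\n"
# ... and a constructed variant that changes only the two settings the check looks at.
SSSD_CONF_INTEGRATED = SSSD_CONF_ORIGINAL.replace("services = nss, pam", "services = nss, pam, sudo")
NSSWITCH_INTEGRATED = NSSWITCH_ORIGINAL.replace("sudoers: files ldap", "sudoers: files sss")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each nsswitch database to its ordered source list, dropping comments
    and [STATUS=action] tokens so only source names remain."""
    dbs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def sudo_sssd_findings(sssd_conf: str, nsswitch: str) -> List[str]:
    """Return the reasons sudo is NOT served through SSSD on this client;
    an empty list means both the sudo responder and the sss source are present."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    findings: List[str] = []
    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("sssd.conf: [sssd] services=%s starts no 'sudo' responder" % ", ".join(services))
    sudoers = parse_nsswitch(nsswitch).get("sudoers", [])
    if "sss" not in sudoers:
        findings.append("nsswitch.conf: sudoers=%s does not use 'sss'" % " ".join(sudoers))
    return findings


if __name__ == "__main__":
    for label, conf, nss in (("posted config", SSSD_CONF_ORIGINAL, NSSWITCH_ORIGINAL),
                             ("integrated config", SSSD_CONF_INTEGRATED, NSSWITCH_INTEGRATED)):
        print(label, "->", sudo_sssd_findings(conf, nss) or ["sudo goes through SSSD"])
```

Run against real files with `open("/etc/sssd/sssd.conf").read()` and `open("/etc/nsswitch.conf").read()`; an empty result only says the plumbing is in place, the sudo rules themselves still have to be checked with sudo's own debug output as Dmitri suggests.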
