Hi, I found my issue. It was related to "curl", which we compiled and replaced;
now, after putting the original one back, the issue is fixed.
From: "[email protected]"
<[email protected]>
To: [email protected]
Sent: Monday, February 16, 2015 4:40 PM
Subject: Freeipa-users Digest, Vol 79, Issue 57
Today's Topics:
1. join error (mohammad sereshki)
2. Re: resolving subdomain AD in a trust relationship (Nicolas Zin)
3. Re: resolving subdomain AD in a trust relationship
(Alexander Bokovoy)
4. Re: join error (Martin Basti)
5. Re: ipa replication not working (Martin Kosek)
6. Re: join error (mohammad sereshki)
7. Re: join error (Dmitri Pal)
----------------------------------------------------------------------
Message: 1
Date: Mon, 16 Feb 2015 02:02:27 -0800
From: mohammad sereshki <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [Freeipa-users] join error
Message-ID:
<[email protected]>
Content-Type: text/plain; charset=us-ascii
Hi,
When I want to add a host to IPA I get the error below. My server is CentOS. Is
there anyone who can help me?
HTTP response code is 401, not 200
================
stderr=
trying to retrieve CA cert via LDAP from ldap://linux126.example.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s linux126.example.com -b dc=mtnirancell,dc=ir -d -h
temsdp-smsc1.example.com
stdout=
stderr=XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to linux126.example.com port 443 (#0)
* Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=example.com; CN=linux126.example.com
* start date: 2014-12-10 12:38:10 GMT
* expire date: 2016-12-10 12:38:10 GMT
* common name: linux126.example.com (matched)
* issuer: O=example.com; CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Basic Ojo=
> Host: linux126.example.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://linux126.example.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 483
* upload completely sent off: 483 out of 483 bytes
< HTTP/1.1 401 Authorization Required
< Date: Sun, 15 Feb 2015 12:54:54 GMT
< Server: Apache/2.2.15
< Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
< ETag: "e24d7-55a-4d4833fadc640"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
HTTP response code is 401, not 200
Joining realm failed: XML-RPC CALL:
<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n
* About to connect() to linux126.example.com port 443 (#0)
* Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/ipa/ca.crt
CApath: none
* SSL connection using AES256-SHA
* Server certificate:
* subject: O=example.com; CN=linux126.example.com
* start date: 2014-12-10 12:38:10 GMT
* expire date: 2016-12-10 12:38:10 GMT
* common name: linux126.example.com (matched)
* issuer: O=example.com; CN=Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Basic Ojo=
> Host: linux126.example.com
> Accept: */*
> Content-Type: text/xml
> User-Agent: ipa-join/3.0.0
> Referer: https://linux126.example.com/ipa/xml
> X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
> Content-Length: 483
* upload completely sent off: 483 out of 483 bytes
< HTTP/1.1 401 Authorization Required
< Date: Sun, 15 Feb 2015 12:54:54 GMT
< Server: Apache/2.2.15
< Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
< ETag: "e24d7-55a-4d4833fadc640"
< Accept-Ranges: bytes
< Content-Length: 1370
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection #0
HTTP response code is 401, not 200
Installation failed. Rolling back changes.
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
args=ipa-client-automount --uninstall --debug
stdout=Restoring configuration
------------------------------
Message: 2
Date: Mon, 16 Feb 2015 05:37:36 -0500 (EST)
From: Nicolas Zin <[email protected]>
To: Alexander Bokovoy <[email protected]>
Cc: Francois Cami <[email protected]>, [email protected]
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust
relationship
Message-ID:
<1746325772.2636258.1424083056821.javamail.r...@savoirfairelinux.com>
Content-Type: text/plain; charset=utf-8
OK
Seems promising, but it still fails.
I used
ipa idrange-mod COMPANY.COM_id_range --range-size=10000000
ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=10000000
I restarted sssd (and IPA, just in case) but still get the same error.
Isn't it in sssd.conf that I should set ldap_idmap_range_size? And if yes, in
which section? :-(
Thank you
----- Original message -----
From: "Alexander Bokovoy" <[email protected]>
To: "Nicolas Zin" <[email protected]>
Cc: [email protected], "Francois Cami" <[email protected]>
Sent: Monday 16 February 2015 13:50:38
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust relationship
On Mon, 16 Feb 2015, Nicolas Zin wrote:
>Hi,
>
>we created a trust relationship with an AD, and we get this result:
># ipa trust-domainfind "company.com"
> Domain name: corp.company.com
> Domain NetBIOS name: COMPANY
> Domain Security Identifier: S-1-5-21-blabla-blabla-blabla
> Domain enabled: True
>
> Domain name: company.com
> Domain NetBIOS name: ROOT
> Domain Security Identifier: S-1-5-21-blabla2-blabla2-blabla2
> Domain enabled: True
>
>We manage to see the user from the root domain:
>id [email protected]
>
>But cannot see a user from the child:
>id [email protected]
>
>
>In the logs we see:
>Could not convert objectSID S-1-5-21-blabla-blabla-blabla-496378] to a UNIX ID
RID (496378) is larger than the size of the idrange given for this
domain (200000 ids by default).
You need to extend idrange for corp.company.com.
In Windows world RIDs grow monotonically -- if you delete user, its RID
is not reused. When there is large churn of users created/removed, RIDs
may go up quickly. For most mid-range companies defaults like IPA has
(200000 ids) are fine but if your situation is different, increase the
range.
Note that idranges for trusted AD domains are not used by DNA plugin as
nothing is allocating in this space on the LDAP server side, rather SSSD
does allocation on its own, it just needs the idrange reserved.
For example, 'ipa idrange-mod <range-name> --size=1000000' to set the
idrange size to one million. Range name for the trusted domain can be
seen with 'ipa idrange-find'.
--
/ Alexander Bokovoy
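
The range check described in the reply above, as an added example that is not part of the original messages or of SSSD/IPA code. It assumes a simplified mapping for a trusted-domain range (UNIX ID = base ID + (RID - base RID)); the `IdRange` class, the function names and the base ID value are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class IdRange:
    name: str
    domain_sid: str
    base_id: int   # first UNIX ID of the range (made-up value below)
    base_rid: int  # first RID covered by the range
    size: int      # number of IDs reserved

def split_sid(sid):
    """Split an object SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not an object SID: {sid!r}")
    return domain, int(rid)

def sid_to_unix_id(sid, ranges):
    """Map a SID to a UNIX ID, or raise LookupError if no range covers it."""
    domain, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == domain:
            offset = rid - r.base_rid
            if 0 <= offset < r.size:
                return r.base_id + offset
            raise LookupError(f"RID {rid} is outside {r.name} (size {r.size})")
    raise LookupError(f"no idrange for domain {domain}")

def min_range_size(sids, base_rid=0):
    """Smallest range size that covers every RID in sids."""
    return max(split_sid(s)[1] for s in sids) - base_rid + 1

# Constructed sample: SID placeholder and RID come from the thread; the
# base ID and base RID are assumptions made for this example.
DOMAIN = "S-1-5-21-blabla-blabla-blabla"
DEFAULT = IdRange("CORP.COMPANY.COM_id_range", DOMAIN, 1_000_000_000, 0, 200_000)
LARGER = IdRange("CORP.COMPANY.COM_id_range", DOMAIN, 1_000_000_000, 0, 1_000_000)

if __name__ == "__main__":
    sid = DOMAIN + "-496378"
    print("minimum size needed:", min_range_size([sid]))
    print("mapped with larger range:", sid_to_unix_id(sid, [LARGER]))
    try:
        sid_to_unix_id(sid, [DEFAULT])
    except LookupError as err:
        print("default range:", err)
```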
------------------------------
Message: 3
Date: Mon, 16 Feb 2015 12:48:37 +0200
From: Alexander Bokovoy <[email protected]>
To: Nicolas Zin <[email protected]>
Cc: Francois Cami <[email protected]>, [email protected]
Subject: Re: [Freeipa-users] resolving subdomain AD in a trust
relationship
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
On Mon, 16 Feb 2015, Nicolas Zin wrote:
>OK
>
>Seems promising, but it still fails.
>I used
>ipa idrange-mod COMPANY.COM_id_range --range-size=10000000
>ipa idrange-mod CORP.COMPANY.COM_id_range --range-size=10000000
>
>I restarted sssd (and IPA, just in case) but still get the same error.
SSSD logs would be more helpful (debug_level = 9).
>Isn't it in sssd.conf that I should set ldap_idmap_range_size? and if yes, in
>which section? :-(
These options should not be touched at all.
--
/ Alexander Bokovoy
------------------------------
Message: 4
Date: Mon, 16 Feb 2015 12:05:07 +0100
From: Martin Basti <[email protected]>
To: mohammad sereshki <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [Freeipa-users] join error
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic with user ''
Hello, it looks like an anonymous user.
Which version of IPA do you use? Did you specify the right user with the
ability to enroll a client?
Martin^2
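
A way to read the authentication details out of the curl trace quoted in this thread, as an added example that is not part of the original messages. The `analyze_trace` function is hypothetical, the sample trace is constructed from the lines in the thread, and the check against Negotiate assumes the IPA XML-RPC endpoint expects Kerberos authentication.

```python
import base64
import re

# Constructed sample: the request and response lines of the trace quoted in
# this thread, written one header per line.
TRACE = """\
* Server auth using Basic with user ''
> POST /ipa/xml HTTP/1.1
> Authorization: Basic Ojo=
> Host: linux126.example.com
< HTTP/1.1 401 Authorization Required
< Content-Type: text/html; charset=UTF-8
"""

def analyze_trace(trace):
    """Extract auth scheme, Basic user name and HTTP status; list findings."""
    scheme = user = status = None
    findings = []
    for line in trace.splitlines():
        auth = re.match(r">\s*Authorization:\s*(\S+)\s*(\S*)", line, re.I)
        reply = re.match(r"<\s*HTTP/\d(?:\.\d)?\s+(\d{3})", line)
        if auth:
            scheme = auth.group(1)
            if scheme.lower() == "basic":
                try:
                    raw = base64.b64decode(auth.group(2), validate=True)
                    user = raw.decode("utf-8", "replace").partition(":")[0]
                except ValueError:
                    findings.append("Basic credentials are not valid base64")
        elif reply:
            status = int(reply.group(1))
    if scheme is None:
        findings.append("no Authorization header was sent")
    elif scheme.lower() != "negotiate":
        # Assumption: the endpoint expects Kerberos (Negotiate) authentication.
        findings.append(f"client offered {scheme}, not Negotiate")
    if user == "":
        findings.append("Basic credentials carry an empty user name")
    if status == 401:
        findings.append("server answered 401")
    return {"scheme": scheme, "user": user, "status": status, "findings": findings}

if __name__ == "__main__":
    print(analyze_trace(TRACE))
```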
------------------------------
Message: 5
Date: Mon, 16 Feb 2015 13:21:19 +0100
From: Martin Kosek <[email protected]>
To: alireza baghery <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [Freeipa-users] ipa replication not working
Message-ID: <[email protected]>
Content-Type: text/plain; charset=windows-1252
On 02/16/2015 10:29 AM, alireza baghery wrote:
> i install IPA on CENTOS 6.5 with Replication
> when configure every role in IPA, role Copy to Replica
> but Conversely, it does not work (role from Replica DO not copy to IPA)
> i do the following:
>
> *on server IPA:*
> #ipa-replica-manage list
> ipa... master
> ipareplica...master
>
> #ipa-replica-manage list ipa
> ipareplica.....replica
>
> #ipa-replica-masnage list ipareplica
> ipa...replica
>
> *on server ipareplica*
> #ipa-replica-manage list
> ipa... master
> ipareplica...master
>
> #ipa-replica-manage list ipa
> Failed get data from ipa... Can not Contact LDAP Server
>
>
>
Would pointers in this section
http://www.freeipa.org/page/Troubleshooting#Replication_issues
help? (I updated this section right now)
Thanks,
Martin
------------------------------
Message: 6
Date: Mon, 16 Feb 2015 12:51:56 +0000 (UTC)
From: mohammad sereshki <[email protected]>
To: Martin Basti <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [Freeipa-users] join error
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="utf-8"
Dear,
I use ipa-client-3.0.0-42 and I added with ipa-client-install so it asks to
enter admin user and password.
From: Martin Basti <[email protected]>
To: mohammad sereshki <[email protected]>; "[email protected]"
<[email protected]>
Sent: Monday, February 16, 2015 2:35 PM
Subject: Re: [Freeipa-users] join error
On 16/02/15 11:02, mohammad sereshki wrote:
> * Server auth using Basic with user ''
Hello, it looks like an anonymous user.
Which version of IPA do you use? Did you specify the right user with the
ability to enroll a client?
Martin^2
------------------------------
Message: 7
Date: Mon, 16 Feb 2015 08:10:45 -0500
From: Dmitri Pal <[email protected]>
To: [email protected]
Subject: Re: [Freeipa-users] join error
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
On 02/16/2015 07:51 AM, mohammad sereshki wrote:
> dear
> I use ipa-client-3.0.0-42 and I added with ipa-client-install so it
> asks to enter admin user and password.
Did you change admin user privileges inside IPA?
Are you using admin user from IPA or some other local admin account?
>
> ------------------------------------------------------------------------
> *From:* Martin Basti <[email protected]>
> *To:* mohammad sereshki <[email protected]>;
> "[email protected]" <[email protected]>
> *Sent:* Monday, February 16, 2015 2:35 PM
> *Subject:* Re: [Freeipa-users] join error
>
> On 16/02/15 11:02, mohammad sereshki wrote:
>
>
>
> > * Server auth using Basic with user ''
>
> Hello, it looks like an anonymous user.
>
> Which version of IPA do you use? Did you specify the right user with the
> ability to enroll a client?
>
> Martin^2
>
>
>
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
------------------------------