Hi Folks.
I have installed an ipa server on a linux CentOS release 6.4 (Final). It is using outside DNS. I have https console access authenticating admin user through kerberos, and have migrated information on 80+ users and groups to it from a LDAP server.
Packages related to ipa installed are:
[root ~]# rpm -qa | grep ipa
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-82.el6.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
ipa-admintools-3.0.0-26.el6_4.2.x86_64
ipa-client-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root ~]#
I am now on the process of in CentOS 6.4 as IPA client, but I am getting error "KeyError: 'namingcontexts'" I cannot find solution to.
Packages installed are:
$ rpm -qa | grep ipa
ipa-client-3.0.0-26.el6_4.2.x86_64
ipa-python-3.0.0-26.el6_4.2.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
libipa_hbac-1.9.2-82.el6.x86_64
Error on installation is the following
$ ipa-client-install
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2323, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2309, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 1684, in install
    ret = ds.search(domain=options.domain, servers=options.server, hostname=hostname, ca_cert_path=get_cert_path(options.ca_cert_file))
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 243, in search
    ldapret = self.ipacheckldap(server, self.realm, ca_cert_path=ca_cert_path)
  File "/usr/lib/python2.6/site-packages/ipaclient/ipadiscovery.py", line 343, in ipacheckldap
    basedn = get_ipa_basedn(lh)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 817, in get_ipa_basedn
    contexts = entries[0][1]['namingcontexts']
KeyError: 'namingcontexts'
Is it possible to be a CentOS 6.4 problem or it is me that have to go back to the drawing board (missing any package, etc..) and see if I made any mistake?
Please advise.
Many thanks,
Marcelo
On 06/12/2013 04:31 PM, Marcelo Carvalho wrote:
Is it possible to be a CentOS 6.4 problem or it is me that have to go back to the drawing board (missing any package, etc..) and see if I made any mistake?
The first time that I set up a FreeIPA server, the process errored out and I did not notice. I had a mostly-working FreeIPA server. It's possible that yours is also incomplete. The install should have left a log file which might help you determine whether or not there was a problem during setup.
If there was, you should probably start from scratch with a new install of CentOS to host FreeIPA, then export the user data you've got and import it on the new host.
From: "Gordon Messmer"
It's possible that yours is also incomplete.
Do you mean the server installation may be causing the problem on the client installation in a different machine?
The error message I mentioned was on a client ipa installation on a different box from the server.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Do you mean the server installation may be causing the problem on the client installation in a different machine?
The error message I mentioned was on a client ipa installation on a different box from the server.
Have you successfully registered any systems against your IPA topology yet?
If you can get another client to complete ipa-client-install it's unlikely to be a server issue but it could feasibly be a schema update missed during install I suppose...
You say you are using non-IPA DNS ... do you have all the appropriate TXT and SRV records in place for autodiscovery?
If you specify an IPA server, domain and realm does it then work?
It might be worth posting on the freeipa lists too
Yes, thanks.
I will go over all my server install notes and logs and check over all your leads.
If you specify an IPA server, domain and realm does it then work?
For our info it did work and now we have our "Client configuration complete."
IPA client is installed now, will test and see.
If you specify an IPA server, domain and realm does it then work?
For our info it did work and now we have our "Client configuration complete."
IPA client is installed now, will test and see.
That's good - but bear in mind sssd will be set with that IPA server explicitly so no load balancing or failover with that set up (ie it'll have an explicit server name and not _SRV_ for discovery)...
I'd strongly recommend making sure you go through the list of TXT and SRV records required to automatically discover the servers... they should be in the documentation but if it's still playing up I'll grab an example from my systems.
That's good - but bear in mind sssd will be set with that IPA server explicitly so no load balancing or failover with that set up
Understood, but have to tell you, login tests did NOT work from this recently installed client. It looks for local user, which does not exist.
I have an IPA replica installed and from that replica I can login using a NON local user. The client in the replica is correctly configured and was done at IPA replica installation all together and automatically.
I am subscribing to freeipa-users mailing list to check on that. Meanwhile if you have any idea please advise.
I'd strongly recommend making sure you go through the list of TXT and SRV records required to automatically discover the servers...
Understood.
they should be in the documentation but if it's still playing up I'll grab an example from my systems.
I appreciate that.
Understood, but have to tell you, login tests did NOT work from this recently installed client. It looks for local user, which does not exist.
Concerning - sounds like ipa-client-install didn't update nsswitch or something ... check to see if the system can even see the non-local user exists via getent passwd <user>
I am subscribing to freeipa-users mailing list to check on that. Meanwhile if you have any idea please advise.
Good - they'll know how best to diag... the red hat devs are active on there.
I appreciate that.
No worries - it'll be around 10-11am BST that I can get to them to do so tomorrow just to give you an ETA ...
check to see if the system can even see the non-local user exists via getent passwd <user>
getent passwd <user> --- returns nothing on the recently installed client node (as expected - it is not working)
getent passwd <user> --- From the ipareplica, it returns the information on the user. (client is working)
Checking on the nsswitch lead.
I have the client working at the recently installed client node.
It took a --uninstall and a fresh reinstall with all --domain= --server= and --realm= options as before.
My bad. I probably did a second ipa-client-install without the proper --uninstall before.
My bad. I probably did a second ipa-client-install without the proper --uninstall before.
I've messed up clients like that before ...
Okay looking at my servers.... DNS records:
_kerberos TXT REALMNAME (eg EXAMPLE.COM)
_kerberos-master._tcp SRV 0 100 88 ipa01
_kerberos-master._udp SRV 0 100 88 ipa01
_kerberos._tcp SRV 0 100 88 ipa01
_kerberos._udp SRV 0 100 88 ipa01
_kpasswd._tcp SRV 0 100 464 ipa01
_kpasswd._udp SRV 0 100 464 ipa01
_ldap._tcp SRV 0 100 389 ipa01
_ntp._udp SRV 0 100 123 ipa01
Those are all the SRV records...
My sssd.conf looks like:
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
This has been upgraded over time a bit and so on ... you might want to try out libsss_sudo rather than ldap based sudo in EL6.4 for example (add sudo to services and sss to nsswitch in a sudoers: files sss line for example).
Hope that helps out a bit!
I saw you post on freeipa-users ... they are a good bunch there and will hopefully sort any remaining issues you have.
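The record list in the message above, turned into a check. This is an added example, not part of the original messages: the function name ipa_missing_records and the sample answers for example.com are constructed for illustration, and the input is assumed to be in the line format printed by dig +noall +answer.

```bash
#!/bin/bash
# Added example, not from the thread. Reads `dig +noall +answer` style lines on stdin:
#   <owner>. <ttl> IN <type> <rdata...>
# and reports which autodiscovery records from the list above are absent.

# owner, type, port ("-" = no port to check), as listed in the message above.
REQUIRED='_kerberos TXT -
_kerberos-master._tcp SRV 88
_kerberos-master._udp SRV 88
_kerberos._tcp SRV 88
_kerberos._udp SRV 88
_kpasswd._tcp SRV 464
_kpasswd._udp SRV 464
_ldap._tcp SRV 389
_ntp._udp SRV 123'

# Prints "MISSING <fqdn> <type>" for each record that is absent or on another port;
# returns 0 only if nothing is missing.
ipa_missing_records() {
    domain=$1
    answers=$(cat)
    missing=0
    while read -r owner type port; do
        fqdn="$owner.$domain."
        # SRV rdata is "priority weight port target", so the port is field 7.
        if ! printf '%s\n' "$answers" | awk -v n="$fqdn" -v t="$type" -v p="$port" '
            tolower($1) == tolower(n) && $4 == t && (p == "-" || $7 == p) { found = 1 }
            END { exit !found }'; then
            echo "MISSING $fqdn $type"
            missing=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $missing
}

# Constructed sample answers for example.com; two records are left out on purpose.
SAMPLE='_kerberos.example.com. 86400 IN TXT "EXAMPLE.COM"
_kerberos-master._tcp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
_kerberos._tcp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
_kerberos._udp.example.com. 86400 IN SRV 0 100 88 ipa01.example.com.
_kpasswd._tcp.example.com. 86400 IN SRV 0 100 464 ipa01.example.com.
_kpasswd._udp.example.com. 86400 IN SRV 0 100 464 ipa01.example.com.
_ldap._tcp.example.com. 86400 IN SRV 0 100 389 ipa01.example.com.'

printf '%s\n' "$SAMPLE" | ipa_missing_records example.com || true
```

Against a live zone, feed it the combined dig +noall +answer output for each owner name and type in the list.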
Okay looking at my servers.... DNS records:
Wonderful, thank you. I will go over this and see how to implement.
I saw you post on freeipa-users ...
Remaining issues are implementation of DNS records (above), Ubuntu and Mac clients, which I think now Ubuntu is about CA installation. Will see. Mac is giving me more trouble and will deal with that later. All others have been resolved.
Will keep posting solutions.
Many thanks,
M.
On 06/13/2013 09:06 AM, Marcelo Carvalho wrote:
From: "Gordon Messmer"
It's possible that yours is also incomplete.
Do you mean the server installation may be causing the problem on the client installation in a different machine?
Yes, I do.
The client isn't able to query an attribute named "namingcontexts" from the LDAP server. That might indicate that the server installation is incomplete or corrupt.
What version of FreeIPA server did you install?
I didn't see this on the list, so I'm re-sending it.