I have problem with replication of hosts enrolled to FreeIPA between my IPA server and replica (both Centos 6.6 ipa-server-3.0.0).
If the host is enrolled to replica I can't see it on Master WEB UI. Although user replication works and the host seem to be in both DNS records (on master and replica)
This behaviour stops me from being able to manage users and groups from one WEB UI as I can't assign access to host which are missing from interface.
To enrol hosts I use puppet with following command:
/usr/sbin/ipa-client-install --realm DOMAIN.COM --password password1 --principal admin#DOMAIN.COM --mkhomedir --domain doamin.com --server master.domain.com --server replica.domain.com --enable-dns-updates --force --unattended
I tried to use that command with --force-join and --fixed-primary however the result were the same which is:
The command performs discovery with random output i.e. sometimes it will choose master other time replica server.
A bit of how I build master:
ipa-server-install --no-ntp --setup-dns --no-reverse --no-forwarders -n domain.com --hostname master.domain.com -p password1 -a password2 -r DOMAIN.COM
and replica:
ipa-replica-prepare replica.domain.com --ip-address 10.0.0.2
ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-replica.domain.com.gpg
Any help will be appreciated, the ports are open as per RedHat manual. CLI command such as ipa-replica-manage list shows good relation between both master and replica.
Kind of disappointing that no one was able to help me, anyway.
I have found that the logs for dirsrv had following error:
sasl_io_recv failed to decode packet for connection
Apparently this was due to a bug in IPA where there is not enough memory assigned to nsslapd-sasl-max-buffer-size which was set to default 64KB
this is a ticket for it https://fedorahosted.org/389/ticket/47457.
One would expect that the IPA 3.0.0 should be patched to resolve this issue but unfortunately not.
As I was not able to find the patch I had to manually increase the buffer size using following:
To check the buffer size:
ldapsearch -b cn=config -D "cn=Directory Manager" -W | grep nsslapd-sasl-max-buffer-size
To enter ldap command line:
ldapmodify -D "cn=directory manager" -w password1 -p 389 -h 127.0.0.1 -x -a
To modify entry (from http://blog.christophersmart.com/):
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152
[enter key]
Related
we have a problem with Apache Directory Studio (Version: 2.0.0.v20200411-M15 and previous).
When we connect to an OpenLDAP instance we can't see the naming contexts of the Root DSE.
We have the OpenLDAP configured as multi-master and the strange thing is that in one node we can see it and not in the other.
Root DSE with missing entry screenshot
Root DSE showing the entry screenshot
When we try to get the info via ldapsearch, we can see the correct naming context for both nodes:
ldapsearch -H ldap://localhost:16389 -x -D "cn=adminLDAPI,ou=system,dc=XXXXXXX,dc=com" -W -s base -a always "(objectClass=*)" "namingcontexts"
ldapsearch finds namingcontexts screenshot
If we try to fetch the Base DNs with the connection options, it is not fetched on the "wrong" node.
No base DN returned screenshot
And neither entering manually works.
I've checked cn=config and cn=database but is all the same.
Any ideas?
Thanks in advance
I am trying to connect to cqlsh from remote (kuebctl command) when encryption is enabled, but I am unable to connect to cqlsh. anyone has a better way to connect?
$ kubectl run -i --tty --restart=Never --rm --image cassandra cqlsh -- cqlsh cassandra-0.cassandra.default.svc.cluster.local -u cassandra -p cassandra --ssl
If you don't see a command prompt, try pressing enter.
Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /root/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.
pod "cqlsh" deleted
pod default/cqlsh terminated (Error)
Since I am connecting from remote, I cannot set the cqlshrc file.
You can specify location of the certfile, and validate options via environment variables SSL_CERTFILE and SSL_VALIDATE correspondingly, but you'll need to mount certificate files anyway, so you can also mount corresponding cqlshrc...
See documentation for more details.
P.S. Also, if client validation is enabled, you'll need to provide client's key/certificate as well (options userkey, and usercert in the cqlshrc).
Since I was using cassandra image to connect cql, I added the cqlshrc file in the cassandra image where cql is installed to get it working.
I have downloaded the sandbox from hortonworks (Centos OS), then tried to follow the tutorial. It seems like the ambari-admin-password-reset command is not there and missing. I tried also to login with putty, the console asked me to change the password so I did.
now it seems like the command is there, but I have different passwords for the console and one for the putty for the same user.
I have tried to look for the reason why for the same user 'root' I have 2 different passwords (one for the virtual box console and one for the putty) that I can login with. I see different commands on each box. more than that when I share folder I can only see it on the virtual box console but not on the putty console) which is really frustrating.
How can I enforce that what I would see from putty would be the same as what I see from the virtual box console.
I think it somehow related to TTY but I am not sure.
EDIT:
running commands from the virtual box machine output:
grep "^passwd" /etc/nsswitch.conf
OUT: passwd: files sss
grep root /etc/passwd
OUT: rppt"x"0"0"root:/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin
getent passwd root
OUT: root:x:0:0:root:/root:/bin/bash
EDIT:
I think this is all about docker containers. It seems like the machine 2222 port is the ssh port for the hdp 2.5 container and not for the hosting machine.
Now I get another problem. when running
docker exec sandbox ls
it is getting stuck. any help ?
Thanks for helpers
So now I had the time to analyze the sandbox vm, and write it up for other users.
As you stated correctly in your edit of the question, its the docker container setup of the sandbox, which confuses with two separate root users:
via ssh root#127.0.0.1 -p 2222 you get into the docker container called "sandbox". This is a CentOS release 6.8 (Final), containing all the HDP services, especially the ambari service. The configuration enforces a password change at first login for the root user. Inside this VM you can also execute the ambari-admin-password-reset and set there a password for the ambari admin.
via console access you reach the docker host running a Centos 7.2, here you can login with the default root password for the VM as found in the HDP docs.
Coming to your sub-question with the hanging docker exec, it seems to be a bug in that specific docker version. If you google that, you will find issues discussing this or similar problems with docker.
So I thought that it would be a good idea to just update the host via yum update. However this turned out to be a difficult path.
yum tried to update the kernel, but complained that there is not enough space on the boot partion.
So I moved the boot partion to the root partition:
edit /etc/fsab and comment out the boot entry
unmount /boot
mv /boot
cp -a /boot.org /boot
grub2-mkconfig -o /boot/grub2/grub.cfg
grub2-install /dev/sda
reboot
After that I have found out that the docker configuration is broken and docker does not start anymore. In the logs it complained about
"Error starting daemon: error initializing graphdriver:
\"/var/lib/docker\" contains other graphdrivers: devicemapper; Please
cleanup or explicitly choose storage driver (-s )"
So I edited /etc/systemd/system/multi-user.target.wants/docker.service and changed the ExecStart setting to:
ExecStart=/usr/bin/dockerd --storage-driver=overlay
After a service docker start and a docker start sandbox. The container worked again and I could could login to the container and after a ambari-server restart everything worked again.
And now - with the new docker version 1.12.2, docker exec sandbox ls works again.
So to sum up the docker exec command has a bug in that specific version of the sandbox, but you should think twice if you want to upgrade your sandbox.
I ran into the same issue.
The HDP 2.5 sandbox runs all of its components in a docker container, but commands like docker exec -it sandbox /bin/bash or docker attach sandbox got stuck.
When I ran a simple ps aux, I found several /usr/bin/docker-proxy commands which looked like :
/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 60000 -container-ip 172.17.0.2 -container-port 60000
They probably forward the HTTP ports of the various UIs of HDP components.
I could ssh into the container ip (here 172.17.0.2) using root/hadoop to authenticate. From there, I could use all "missing" commands like ambari-admin-password-reset.
$ ssh root#172.17.0.2
... # change password
$ ambari-admin-password-reset
NB: I am new to docker, so there's probably a better way to deal with this.
I'd like to post here the instructions for 3.0.1 here.
I followed the instructions of installing hortonworks version 3.0.1 here: https://youtu.be/5TJMudSNn9c
After running the docker container, go to your browser and enter "localhost:4200", that will take you to the in browser terminal of the container, that hosts ambari. Enter "root" for login and "hadoop" for password, change the root password, and then enter "ambari-admin-password-reset" in order to reset ambari password.
In order to be able to use sandbox-hdp.hortonworks.com, you need to add the line "127.0.0.1 sandbox-hdp.hortonworks.com" at the end of the /private/etc/hosts file on your mac.
Incorrect Pass
Then right corner click on power button >> power off drop down >> Restart >> when it boots up then press Esc key to get into recovery menu
Restart
select advance option and hit enter
Advance Option
Select Recovery mode hit enter
Select Root
Root enter
Command
mount -rw -o remount/
ls /home
change pass command
passwd username
user as yours
last step
enter pass two times by pressing enter
enter image description here
Hopefully you changed password (:
I am running an Amazon EC2 CentOS 6.6 server instance with pre-installed PostgreSQL 8.4.20 server which I want to upgrade to 9.4.1 using pg_upgrade via SSH.
What I've done so far: Downloaded and installed PostgreSQL 9.4.1 with yum, configured it. Configured the postgres user to have the same password on the UNIX server and for both database instances. Both database instances are functioning correctly - old one on port 5432, new on 5433.
What I am trying to do:
su - postgres
/usr/pgsql-9.4/bin/pg_upgrade
-b /usr/bin/
-B /usr/pgsql-9.4/bin/
-d /var/lib/pgsql/data/
-D /var/lib/pgsql/9.4/data/
Here is my issue with pg_hba.conf. Using
TYPE DATABASE USER METHOD
local all all trust
or
TYPE DATABASE USER METHOD
local all all peer
I can't start the old server, getting:
Performing Consistency Checks
-----------------------------
Checking cluster versions ok
connection to database failed: fe_sendauth: no password supplied
Failure, exiting
Using the default setting
TYPE DATABASE USER METHOD
local all all ident
is the only method that allows me to start the server, but then I get the following error:
Performing Consistency Checks
-----------------------------
Checking cluster versions ok
*failure*
Consult the last few lines of "pg_upgrade_server.log" for
the probable cause of the failure.
connection to database failed: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/tmp/.s.PGSQL.50432"?
could not connect to old postmaster started with the command:
"/usr/bin/pg_ctl" -w -l "pg_upgrade_server.log" -D "/var/lib/pgsql/data/" -o "-p 50432 -c autovacuum=off -c autovacuum_freeze_max_age=2000000000 -c listen_addresses='' -c unix_socket_permissions=0700" start
Failure, exiting
I have been reading more than 10 hours straight everything related, before I posted this, but can't seem to find the solution. Will be very grateful if you can give me any hints.
I work at an organization with stringent security requirements, sometimes excessively so. My project team is trying to create an SVN repository, and we are having difficulties setting one up to comply with both our needs and our security requirements.
Our IT department requires us to authenticate ourselves with two-factor authentication. Each developer has an RSA token that must be used to log in to the repository host machines via SSH. The value displayed on the token changes once per minute and each value can be used only once.
The developers require the capability to store passwords. This prevents us from using svn+ssh to log in to the repository. Since the RSA token changes once a minute, we can't store the SSH passwords. Worse, the RSA token would reduce us to one SVN operation each minute. This is flatly unacceptable, especially since we have scripts that chain multiple SVN operations together.
We attempted to compromise by opening an SSH tunnel with port forwarding. We would open up a tunnel using ssh user#hostmachine -L 3690:localhost:3690 to forward all SVN requests on our local machine to the secure machine, where an svnserve process was running. This meant we could log in with two-factor authentication, and then use a separate SVN username and password (which could be stored) with our utilities.
Unfortunately, we noticed that we didn't need the tunnel; port 3690 was available to any computer for whom the hostname was visible. This is unacceptable to IT, and our sysadmin thinks that svnserve is the problem, so she is wondering if we have to go back to svn+ssh.
Is there any solution that works? Is our sysadmin correct? Is there an option on svnserve that will force it to listen only to traffic from localhost?
use:
svnserve -dr /my/repo --listen-host 127.0.0.1
This way the service will only listen on the loopback interface. When you connect with ssh use:
ssh -L3690:127.0.0.1:3690 user#svnserver.mycompany.com
also see:
vince#f12 ~ > svnserve --help
usage: svnserve [-d | -i | -t | -X] [options]
Valid options:
-d [--daemon] : daemon mode
-i [--inetd] : inetd mode
-t [--tunnel] : tunnel mode
-X [--listen-once] : listen-once mode (useful for debugging)
-r [--root] ARG : root of directory to serve
-R [--read-only] : force read only, overriding repository config file
--config-file ARG : read configuration from file ARG
--listen-port ARG : listen port
[mode: daemon, listen-once]
--listen-host ARG : listen hostname or IP address
[mode: daemon, listen-once]
-T [--threads] : use threads instead of fork [mode: daemon]
--foreground : run in foreground (useful for debugging)
[mode: daemon]
--log-file ARG : svnserve log file
--pid-file ARG : write server process ID to file ARG
[mode: daemon, listen-once]
--tunnel-user ARG : tunnel username (default is current uid's name)
[mode: tunnel]
-h [--help] : display this help
--version : show program version information
svnserve might have options to only listen on localhost, but this sounds like a firewall configuration issue.
If port 3690 isn't meant to accessible externally, it should be blocked by the firewall. It shouldn't matter whether svnserve or anything else is listening on that port. svnserve can then continue to listen on 3690, but will only receive connections from localhost because others are blocked by the firewall.