[Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi i am getting ipa: ERROR: CIFS server communication error: code -1073741771, while doing [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: CIFS server communication error: code -1073741771,

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi, thanks for the reply. I have created PTR record for IPA server under reverse lookup zone manually and IPA server resolving from AD. How can I solve this issue? On Wed, Mar 18, 2015 at 12:15 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Ben .T.George wrote: Hi

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Gould, Joshua
On 3/18/15, 3:55 AM, Sumit Bose sb...@redhat.com wrote: On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: On Tue, 17 Mar 2015, Gould, Joshua wrote: /etc/sssd/sssd.conf: [domain/test.osuwmc]

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
Hi, I saw this in BZ and it's closed by mentioning it's got resolved on RHEL/CentOS 7. But I am already using 7. Please, anyone help me to fix this? Regards, Nem On Wed, Mar 18, 2015 at 11:19 AM, Ben .T.George bentech4...@gmail.com wrote: Hi i am getting ipa: ERROR: CIFS server

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Ben .T.George wrote: Hi i am getting ipa: ERROR: CIFS server communication error: code -1073741771, while doing [root@kwtpocpbis02 ~]# ipa trust-add --type=ad infra.com --admin Administrator --password Active Directory domain administrator's password: ipa: ERROR: CIFS

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
I ran some more tests and I've found that it's a general sssd issue which affects everything handled by sssd (pam, ssh, sudo). I see similar problems with 'su - username'. I'm guessing that kinit works since it bypasses sssd. Does anyone have any ideas on debugging this? On Tue, Mar 17, 2015 at

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
this is the result from AD C:\Users\Administratornslookup Default Server: localhost Address: 127.0.0.1 set type=srv _ldap._tcp.infra.com Server: localhost Address: 127.0.0.1 _ldap._tcp.infra.comSRV service location: priority = 0 weight = 100

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Ben .T.George wrote: HI i saw this ticket and' 13 months old https://fedorahosted.org/freeipa/ticket/4202 is this fixed? i think the mentioned patch is for 3.3 This is fixed. Do you have any host in .solaris.com that is joined your AD in infra.com? -- / Alexander

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: On Tue, 17 Mar 2015, Gould, Joshua wrote: I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need to match what's in ipa idrange-find --all for the AD domain. # ipa idrange-mod --base-id=10

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Sumit Bose
On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: On Tue, 17 Mar 2015, Gould, Joshua wrote: I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need to match what's in ipa idrange-find --all for

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
did that and the result is [root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn Enter LDAP Password: ldap_bind: No such object (32) You have new mail in /var/spool/mail/root On Wed, Mar 18, 2015 at 12:59 PM, Alexander

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Ben .T.George wrote: did that and the result is [root@kwtpocpbis02 ~]# ldapsearch -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=*solaris.com)' dn Enter LDAP Password: ldap_bind: No such object (32) You have new mail in /var/spool/mail/root Ah,

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
No, this is a new host-name I have chosen. Anyway, how to check is there any existing solaris.com in AD, under DNS management, I cannot see anything Regards, Ben On Wed, Mar 18, 2015 at 12:45 PM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Ben .T.George wrote: HI i saw

[Freeipa-users] MIT Kerbetos Samba 4

2015-03-18 Thread Ondrej Valousek
Hi list (Simo ;) Sorry for the bit off-topic question, but do we know whether Samba4 can now share the same KDC with IPA server so that it can act as AD DC? I heard MIT KDC functionality would have to be extended, but not sure whether this is on the roadmap or not. Many thanks, Ondrej Sent

Re: [Freeipa-users] MIT Kerbetos Samba 4

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Ondrej Valousek wrote: Hi list (Simo ;) Sorry for the bit off-topic question, but do we know whether Samba4 can now share the same KDC with IPA server so that it can act as AD DC? I heard MIT KDC functionality would have to be extended, but not sure whether this is on the

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Ben .T.George wrote: ok thanks now the output is something different [root@kwtpocpbis02 ~]# ldapsearch -h 172.16.107.250 -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=* solaris.com)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] ipa: ERROR: CIFS server communication error: code -1073741771,

2015-03-18 Thread Ben .T.George
ok thanks now the output is something different [root@kwtpocpbis02 ~]# ldapsearch -h 172.16.107.250 -D administra...@infra.com -W -b dc=infra,dc=com '(serviceprincipalname=* solaris.com)' dn Enter LDAP Password: # extended LDIF # # LDAPv3 # base dc=infra,dc=com with scope subtree # filter:

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Gould, Joshua wrote: On 3/18/15, 3:55 AM, Sumit Bose sb...@redhat.com wrote: On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote: On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote: On Tue, 17 Mar 2015, Gould, Joshua wrote:

Re: [Freeipa-users] Failed to fall over to replica with master down

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 04:15:28PM +0530, Sanju A wrote: Hi All, I have configured IPA and later configured master-master replication. But it failed to fall over to the replica when master down. Please help Here are the details. What it it ? A client machine running on a client different

Re: [Freeipa-users] Failed to fall over to replica with master down

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 06:44:04PM +0530, Sanju A wrote: Dear Jakub, I have joined the client machine using the following command (including the replica server details) and it is working. ipa-client-install --mkhomedir --domain=example.com --server=ipa.example.com

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Gould, Joshua wrote: On 3/18/15, 4:28 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Gould, Joshua wrote: I'll be happy to remove the AD section from the sssd.conf file and test but I think there's more going on. The AD section was generated from

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Gould, Joshua
On 3/18/15, 9:48 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Gould, Joshua wrote: On 3/18/15, 4:28 AM, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 18 Mar 2015, Gould, Joshua wrote: I'll be happy to remove the AD section from the sssd.conf file and test but

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Guertin, David S. wrote: Wait, why do you have middlebury.edu section here at all? If middlebury is trusted by csns.middlebury.edu, you should not have a separate [domain/middlebury.edu] section at all! That was in there because in my increasingly desperate attempts to get

[Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Andrew Holway
Hello, I'm wondering how we should be handling SSSD for redundant configurations on our freeipa clients. We have three freeipa servers; how can we make SSSD check another freeipa in the event that one goes down? It appears we can do something like the following: ipa_hostname =

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Guertin, David S.
Wait, why do you have middlebury.edu section here at all? If middlebury is trusted by csns.middlebury.edu, you should not have a separate [domain/middlebury.edu] section at all! That was in there because in my increasingly desperate attempts to get this working, I actually read the

Re: [Freeipa-users] Unable to remove nsTombstone objects

2015-03-18 Thread Rich Megginson
On 03/18/2015 10:50 AM, Kim Perrin wrote: Hi all, yesterday I cleared up replication problems on my last standing IPA server. So I somewhat feel like I'm coming out of the tunnel. Today I want to turn up a replica again. However before doing so I'd like to clean out the last remnants of data

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Rob Crittenden
Craig White wrote: *From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Andrew Holway *Sent:* Wednesday, March 18, 2015 9:40 AM *To:* freeipa-users@redhat.com *Subject:* [Freeipa-users] SSSD in redundant configuration Hello, I'm

Re: [Freeipa-users] Unable to remove nsTombstone objects

2015-03-18 Thread Kim Perrin
ah, good question. Relevant errors around trying to use the ldif I included to remove replica ID 97 -- [18/Mar/2015:04:01:51 +] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to receive all the deleted replica updates... [18/Mar/2015:04:01:51 +]

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Craig White
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Andrew Holway Sent: Wednesday, March 18, 2015 9:40 AM To: freeipa-users@redhat.com Subject: [Freeipa-users] SSSD in redundant configuration Hello, I'm wondering how we should be handling SSSD for

Re: [Freeipa-users] Unable to remove nsTombstone objects

2015-03-18 Thread Rich Megginson
On 03/18/2015 11:07 AM, Kim Perrin wrote: ah, good question. Relevant errors around trying to use the ldif I included to remove replica ID 97 -- [18/Mar/2015:04:01:51 +] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to receive all the deleted replica updates...

Re: [Freeipa-users] AD users cannot log in: PAM permission denied

2015-03-18 Thread Guertin, David S.
In standard FreeIPA setup we have 'allow_all' HBAC rule which roughly states anyone can access any service on any host. Did you disable this rule? If yes, then you have to have an explicit rules allowing access to specific services. Thanks! Yes, that was it exactly. I did disable the allow

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
No I haven't been using docker images. I was merely suggesting it as a way of reproducing the failure consistently and passing it on. I have been running everything natively. Barring external factors such as DNS, which probably don't matter in this case, I think this should be reproducible on an

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
I think I have figured it out. The contents of /var/lib/sss/db are not cleared on uninstall. Stopping sssd, clearing that directory and restarting sssd solves the problem. Is there a reason why this is not cleared on uninstall? On Wed, Mar 18, 2015 at 6:35 PM, Prasun Gera prasun.g...@gmail.com

Re: [Freeipa-users] AD users cannot log in: PAM permission denied

2015-03-18 Thread Alexander Bokovoy
On Wed, 18 Mar 2015, Guertin, David S. wrote: I've almost got AD integration going, except for the minor detail that no one can log in. When an AD user tries to SSH in to the IPA server, /var/log/secure shows: -- Mar 18 13:59:08 genet sshd[21335]:

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Dmitri Pal
On 03/17/2015 02:54 PM, Prasun Gera wrote: Sorry, the message got sent accidentally earlier before I could provide all the details. Version: 4.1.0 on RHEL 7.1 x86_64 Steps: 1. ipa-server-install 2. service sshd restart 3. kinit admin - This always works 4. ssh admin@localhost -

[Freeipa-users] AD users cannot log in: PAM permission denied

2015-03-18 Thread Guertin, David S.
I've almost got AD integration going, except for the minor detail that no one can log in. When an AD user tries to SSH in to the IPA server, /var/log/secure shows: -- Mar 18 13:59:08 genet sshd[21335]: pam_unix(sshd:auth): authentication failure;

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Rob Crittenden
Prasun Gera wrote: How do I confirm that there are no certs left behind and that cert-monger isn't tracking them? I'm a bit new to all the components used by IPA. I do see that the /root/cacert.p12 file is never deleted. Not clean but this shouldn't prevent re-install. After an uninstall, I

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-18 Thread Prasun Gera
How do I confirm that there are no certs left behind and that cert-monger isn't tracking them? I'm a bit new to all the components used by IPA. I do see that the /root/cacert.p12 file is never deleted. After an uninstall, I see this: getcert list Number of certificates and requests being tracked:

Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-18 Thread Alexander Bokovoy
On Tue, 17 Mar 2015, Guertin, David S. wrote: When you changed idrange, it helps to remove SSSD cache, both on IPA master and IPA clients and restart SSSD. OK, I cleared the cache and restarted sssd with: sss_cache -E systemctl restart sssd Still no change in the error: Could not convert

[Freeipa-users] freeIPA.org wiki changes

2015-03-18 Thread Lenka Ryznarova
Hi, I've made a few changes (and hopefully improvements) to freeipa.org wiki concerning mainly test contribution and documentation. These changes namely consist of: - Contribute page [1] - the structure is a bit different (for previous version see [2]), and there is a new paragraph Testing that

Re: [Freeipa-users] sssd options ignored?

2015-03-18 Thread Alexander Bokovoy
On Tue, 17 Mar 2015, Gould, Joshua wrote: I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need to match what's in ipa idrange-find --all for the AD domain. # ipa idrange-mod --base-id=10 --range-size=90 --rid-base=0 Range name: TEST.OSUWMC_id_range