Hi,
Not sure if this is a bug or if I'm ignorant of the RH world, but when I
try to do a fresh IPA install on Centos 7.2, I'm getting failures here:
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
1.13.0
--
The most dangerous phrase in the language is, "We've always done it this
way."
- Grace Hopper
On 19 January 2016 at 18:49, Jakub Hrozek wrote:
> On Tue, Jan 19, 2016 at 12:23:39AM +, Simpson Lachlan wrote:
> > Since I got the service back up and running,
On 22 January 2016 at 11:17, Lachlan Musicman <data...@gmail.com> wrote:
> No, I've not updated to 1.13.0-41 - I do the "yum upgrades" relatively
> frequently, I don't think it's in the repos yet.
>
> cheer
<jhro...@redhat.com> wrote:
> On Wed, Jan 20, 2016 at 09:15:47AM +1100, Lachlan Musicman wrote:
> > 1.13.0
>
> I suspect it's 7.2, then. Did you already update to the latest available
> version (1.13.0-41)? If yes, do you have logfiles?
>
> See https://fedorahost
Hola,
We couldn't get sssd and sudo to work and discovered this on the SSSD
troubleshooting page:
https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO#Knownissues
Is this on the radar to be solved at all or is it unsolvable?
Cheers
L.
Hi,
We seem to have some progress, after reading this blog post about sssd
performance tuning.
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
So now we see that on the FreeIPA server, everything is stable and always
produces the results we
Now that groups are working as expected, we have noticed that when listing
a directory the user and group now have full domain qualifiers.
This doesn't look great. We've also noticed that we now need to
chown :group@subdomain filename
(with default_domain_suffix set).
Is there a reason why
FWIW,
We are seeing the issues that are described here:
https://www.redhat.com/archives/freeipa-users/2015-December/msg00046.html
I was about to write when I found this, it explains exactly what I am
seeing - right down to the "impossible to reproduce because it's so
(seemingly) random".
I am
.x86_64
On 17 May 2016 at 22:34, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, May 17, 2016 at 03:08:37PM +1000, Lachlan Musicman wrote:
> > FWIW,
> >
lookup failed
cheers
L.
On 18 May 2016 at 08:35, Lachlan Musicman <data...@gmail.com> wrote:
> Hmmm, I also now see
>
> https://fedorahosted.org/sssd/
Hola,
We have an interesting scenario that is hard to find any information on.
Due to permission restrictions, a NAS that is mounted and visible by both
AD and 'nix clients, every user belongs to a particular primary group.
When we try doing idoverride's on the groups, it fails with the Primary
Hola,
We successfully installed ipa-server, and then successfully joined an AD in
a one way trust.
All in IPA are Centos 7.2 latest updates.
I can successfully get info from AD by using: $id username on the server.
I can successfully *join* the new ipa server with a client using
Hey,
While hunting this sssd/hbac/AD user problem, I noticed in the
selinux_child.log a lot of errors that look like this:
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446
On 14 July 2016 at 17:44, Sumit Bose <sb...@redhat.com> wrote:
> On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote:
> > Ok, I have some logs of sssd 1.13.0 not working. Same values as before:
> >
> > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156
This is exactly the issue I'm seeing too, various differences, but the
symptoms are the same.
Main diff would be that sometimes stopping sssd, clearing cache and
restarting sssd works, but only if individual AD domain members are added
to the external group - not AD domain groups.
Cheers
L.
On 12 July 2016 at 09:08, Lachlan Musicman <data...@gmail.com> wrote:
> Alex, Sumit,
>
> Which log levels would you recommend for sssd to help debug this issue?
>
> We've been using 7, but I just realised that it's not an increasing scale
> but bitmasked...
>
> che
rote:
> On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote:
> > I've updated all the relevant hosts and the FreeIPA server to the COPR
> sssd
> > 1.14.0 release and the problem seems to have disappeared.
>
> Great, but please keep an eye on the machine, the
will be able to
check it then?
Cheers
L.
On 15 July 2016 at 20:17, Lachlan Musicman <data...@gmail.com> wrote:
> Won't be able to check until Monday morning (Australia's we
wrote:
> On Fri, Jul 15, 2016 at 01:07:00PM +1000, Lachlan Musicman wrote:
> > I've updated all the relevant hosts and the FreeIPA server to the COPR
> sssd
> > 1.14.0 release and the problem seems to have disappeared.
>
> Great, but please keep an eye on the machine, the 1.
On 19 July 2016 at 11:13, Lachlan Musicman <data...@gmail.com> wrote:
> Ok, the bad news is that it didn't last. We are still having the same
> problem - HBAC is rejecting users because not all jobs are being discovered
> on the host.
>
On 19 July 2016 at 16:40, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > I think the thing that frustrates the most is that id u...@domain.com is
> > returning correct data on both but they can't login and
06AM +1000, Lachlan Musicman wrote:
> > On 19 July 2016 at 16:40, Jakub Hrozek <jhro...@redhat.com> wrote:
> >
> > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > > I think the thing that frustrates the most is that id
> u...@domain
On 15 July 2016 at 18:05, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Fri, Jul 15, 2016 at 08:59:43AM +0200, Lukas Slebodnik wrote:
> > On (15/07/16 12:56), Lachlan Musicman wrote:
> > >This line:
> > >
> > >We have S
per
On 11 July 2016 at 17:15, Sumit Bose <sb...@redhat.com> wrote:
> On Mon, Jul 11, 2016 at 04:55:37PM +1000, Lachlan Musicman wrote:
> > On 11 July 2016 at 16:44, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> > > On Mon, 11 Jul 2016, Lachlan Musicman wr
I've updated all the relevant hosts and the FreeIPA server to the COPR sssd
1.14.0 release and the problem seems to have disappeared.
Cheers
L.
On 15 July 2016 at 10:09, Lachlan Musi
On 15 July 2016 at 11:27, Lachlan Musicman <data...@gmail.com> wrote:
> Hey,
>
> While hunting this sssd/hbac/AD user problem, I noticed in the
> selinux_child.log a lot of errors that look like this:
>
>
On 11 July 2016 at 16:44, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 11 Jul 2016, Lachlan Musicman wrote:
>
>> Hola,
>>
>> Centos 7, up to date.
>>
>> [root@linuxidm ~]# ipa --version
>> VERSION: 4.2.0, API_VERSION: 2.156
>>
Hola,
Centos 7, up to date.
[root@linuxidm ~]# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
One way trust is successfully established, can login with
ssh usern...@domain1.com@server1.domain2.com
Am testing to get HBAC to work.
I've noticed that with the Allow All rule in effect, the
Have you set up the external group and internal group as required in IPA?
The server you are trying to log into - you have added this to the IPA
server using ipa-client-install?
When you are logged into the server that you want to login to as root (or
local user), does `id user@ad_domain.com`
Can I just confirm - the IT team are about to migrate our PDC across town.
I presume that the trust relationship is with the domain, not the actual
machine itself. So our IPA server will just see the new PDC and everything
will be smooth?
No need to change any config or create a new trust?
We are seeing SSSD in a failed state at random intervals.
Using the 1.14.0 COPR repo on Centos 7, FreeIPA 4.2
Unfortunately it's not something we want to reproduce and I'd turned the
debug logs off because of their size. I'm turning them back on one by one
as the crashes happen.
The only thing
On 2 February 2017 at 09:19, Jason B. Nance wrote:
> >- User/group management in general becomes largely a command-line
> operation (such as mapping groups so they can be used in HBAC and sudo
> rules)
>
> While this is a nice-to-have, it isn't a deal breaker.
>
This
On 2 February 2017 at 09:51, Martin Basti <mba...@redhat.com> wrote:
>
> On 01.02.2017 23:44, Lachlan Musicman wrote:
>
>
>
> (aside: does FreeIPA have plans to move toward PatternFly?
> http://www.patternfly.org/ )
>
>
> Unless I missed something, FreeIPA 4
On 2 February 2017 at 10:06, Jason B. Nance wrote:
>
> >- User/group management in general becomes largely a command-line
>> operation (such as mapping groups so they can be used in HBAC and sudo
>> rules)
>>
>> While this is a nice-to-have, it isn't a deal breaker.
>>
>
On 4 February 2017 at 02:40, deepak dimri
wrote:
> Thanks Rob
>
> Is there a place/link i can download the release for centos 7?
>
>
Amit,
You can get them from the vault:
http://vault.centos.org/7.2.1511/updates/x86_64/Packages/
I've still not done a
Hi,
We have a new rstudio server that we'd like to have FreeIPA manage Auth on.
sssd works - I can login with my appropriate credentials via cli, but the
web interface doesn't accept the creds.
I've read http://www.freeipa.org/page/Web_App_Authentication#PAM_service
but we don't want to create
On 18 July 2016 at 18:26, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> > Ok, I've just spoken with my colleague that has been involved in the IPA
> > roll out, and he said he thought that override_sp
We saw another sssd crash on the weekend (well, Friday night).
Centos 7, sssd 1.14.0 from COPR
Everything has worked fine for over a month until Friday.
According to the log sssd_nss on the host in question:
- at about 16:18, watchdog_handler killed a process for a timer overflow.
- there is
that is important for the patients & etc.
Cheers
L.
On 12 September 2016 at 20:28, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (12/09/16 11:09), Lachlan Musicman w
I must have made an error again:
- ipa hbactest gives seemingly correct answer on both server and client
- user can't actually use sudo on client?
Centos 7, freeipa 4.2.o/2.156; sssd 1.14.1 from COPR
From the server:
[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
Hi
Sometimes when I visit the ID Views page in the webgui, it is crushingly
slow, and often it times out.
Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
Is there a reason, can I do something to fix this?
cheers
L.
Hola,
What is the relationship between the IPA server, host-clients and the
sssd.conf?
From what I can tell, sssd.conf is edited/changed by the ipa-client-install
process on the host-client.
What level of similarity does there need to be between the two sssd.confs?
My server's sssd.conf has a
Simpson Lachlan wrote:
>>> > > > -Original Message-
>>> > > >
>>> > > > On 09/19/2016 03:12 AM, Lachlan Musicman wrote:
>>> > > > > Hi
>>> > > > >
>>> > > > > Sometimes when I visit the ID
2016 at 09:33:21AM +0300, Alexander Bokovoy wrote:
> > On Tue, 20 Sep 2016, Martin Babinsky wrote:
> > > On 09/20/2016 12:17 AM, Simpson Lachlan wrote:
> > > > > -Original Message-
> > > > >
> > > > > On 09/19/2016 03:12 AM, Lachla
My translations of your comments are in line, if you could correct, I'd
appreciate that.
On 20 September 2016 at 17:11, Lukas Slebodnik wrote:
> >--
> >[domain/unixdev.etc]
> >ignore_group_members = True
> It was probably set as a result of performance
"
- Grace Hopper
On 19 September 2016 at 18:21, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (19/09/16 16:43), Lachlan Musicman wrote:
> >I must have made an error again:
> >
> >- ipa hbactest gives seemingly correct answer on both server and client
> >
(redface)
It seems to be working.
Thanks
On 20 September 2016 at 09:57, Lachlan Musicman <data...@gmail.com> wrote:
> We have one "allow all" sudo rule (
Hola,
I've set up a test domain that's as much as possible the same as the prod
domain, and successfully got a one way trust against the AD: Centos 7.2,
ipa 4.2.0-15/api2.156, sssd (copr) 1.14.1-3
On that test domain I believe I have HBAC working successfully.
Once I could show that it was
Slebodnik <lsleb...@redhat.com> wrote:
> On (16/11/16 11:46), Lachlan Musicman wrote:
> >I don't know what I've done wrong, but when I use ipa-client-install on a
> >new host to add to my one way trust domain, I now have a
> >[domain/shadowutils] stanza.
> >
> >
Gah, just happened to me. Wasn't porn, but was someone called Kimi and the
only content was "Heeey Lachlan, how's it going?"
L.
On 16 November 2016 at 04:02, Martin Basti
I don't know what I've done wrong, but when I use ipa-client-install on a
new host to add to my one way trust domain, I now have a
[domain/shadowutils] stanza.
This first happened a couple of weeks ago, I saw this bug and thought "it
will be solved soon".
Hola,
I'm getting the above error when trying to login - inconsistently and after
the password request.
Using debian's openssh 7.3p1-3 going into Centos 7.2, FreeIPA 4.2 and sssd
1.14.2 (from copr).
When I google, none of the results seem applicable, but I'm not 100% sure,
and testing seems
Jake,
I've seen this behaviour and am still struggling to find a solution.
The version of underlying OS and sssd are useful to know fwiw.
To troubleshoot HBAC:
- in *target machine* sssd.conf, add debug_level=7 to each stanza (can go
as high as 9, but I believe 7 will be sufficient)
-
On 12 October 2016 at 15:23, Robert Sturrock wrote:
> Hi All.
>
> We’re attempting to setup an IPA (4.2) service on RHEL7.2 to provide
> better connectivity to our (large) organisational AD service for Linux
> clients.
>
> We have setup IPA and configured a suitable AD trust
.
Is there a special rule about sshd and the ipa-server?
cheers
L.
On 11 October 2016 at 14:06, Lachlan Musicman <data...@gmail.com> wrote:
> Hola,
>
> I've set up a test domain t
Hi,
I've reported a bug against SSSD and Lukas has pointed to a number of
FreeIPA errors in our logs.
I can't find any information on how I might fix these errors or what I
might do to mitigate them. Any pointers appreciated:
First error:
[sssd[be[unixdev.domain.org.au]]]
r, I've not tried this on a
> recent version of ipa so it may no longer work or not be needed any more.
>
> Regards
>
> Bob
>
> On 17/03/2017 02:20, Lachlan Musicman wrote:
>
> While going through the logs on the FreeIPA server, I noticed this:
>
>
> WARNING: changelog:
Yes. What I do would you like? Current debug levels are at 8
L.
On 16 Mar. 2017 7:06 pm, "Jakub Hrozek" <jhro...@redhat.com> wrote:
> On Thu, Mar 16, 2017 at 11:36:57AM +1100, Lachlan Musicman wrote:
> > I'm experiencing issues with HBAC and I think it's a bug in sssd.
I'm experiencing issues with HBAC and I think it's a bug in sssd. Not sure
if better to report to here or sssd mailing list. Also sssd in pagure is
bare and I didn't want to sully the blank slate. (
https://pagure.io/sssd/issues )
The details:
env: CentOS 7.3, FreeIPA 4.4, sssd 1.15.1 from COPR
On 20 March 2017 at 19:38, Martin Basti <mba...@redhat.com> wrote:
> On 19.03.2017 22:58, Lachlan Musicman wrote:
>
> Hi,
>
> I've reported a bug against SSSD and Lukas has pointed to a number of
> FreeIPA errors in our logs.
> I can't find any information on h
While going through the logs on the FreeIPA server, I noticed this:
WARNING: changelog: entry cache size 2097152 B is less than db size
12804096 B; We recommend to increase the entry cache size
nsslapd-cachememsize.
I have found a number of documents:
What it is:
Which logs do you want from the server?
On 16 March 2017 at 20:09, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Mar 16, 2017 at 07:56:58PM +1100, Lachlan Musicman wro
On 4 April 2017 at 04:28, Andrey Ptashnik wrote:
> Hello,
>
> We have Centos 7.2 and IPA 4.2 version.
> I remember that in previous versions in order to upgrade to the latest one
> I had to run IPA upgrade scripts that would separately upgrade LDAP
> database. Is that the
On 3 April 2017 at 19:11, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Mon, Apr 03, 2017 at 11:00:21AM +1000, Lachlan Musicman wrote:
> >
> > With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces
> in
> > their names, libsemanage fails to update:
On 4 April 2017 at 01:35, Alexander Bokovoy wrote:
> On ma, 03 huhti 2017, Orion Poplawski wrote:
>
>> On 04/03/2017 09:03 AM, Orion Poplawski wrote:
>>
>>> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>>>
On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
On 11 April 2017 at 00:14, Johan Vermeulen wrote:
> Hello All,
>
> just getting started with FreeIPA and one of the first features I'm trying
> is adding hosts, something I can't do in our current
> ldap-setup. So I'm looking forward to being able to do this.
> But after
Hola,
I've reported this issue before (with a different symptom iirc), but
thought I should mention again, as I have no idea how to competently report
it to selinux.
With SSSD/IPA in use, in a one way trust to AD, and AD users have spaces in
their names, libsemanage fails to update:
eg from
Hola,
On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and sssd
(via COPR) 1.15.1, which has a one way trust to an AD domain. unix.name.org
-> name.org
I've seen some interesting behaviour.
Being part of a large organisation with a smaller nix environment and a
larger Windows
rozek wrote:
> > > On Thu, Mar 09, 2017 at 01:37:46PM +1100, Lachlan Musicman wrote:
> > > > Hola,
> > > >
> > > > On CentOS 7.3, using FreeIPA VERSION: 4.4.0, API_VERSION: 2.213 and
> sssd
> > > > (via COPR) 1.15.1, which has a one
On 24 April 2017 at 12:24, Prasun Gera wrote:
> That doesn't work very well. The spam bots use different emails. And gmail
> marks the entire message thread as spam, not just the spam reply.
>
> On Sun, Apr 23, 2017 at 7:20 AM, Dewangga Bachrul Alam <
>
Robert, did you look in /var/log/ipaserver-install.log as it says?
Was there any other information?
cheers
L.
--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed
We are seeing this. I'm not at work, but I think it's bug report 6766.
Patch has already been committed (bot by us), we're waiting for IPA 4.5.
cheers
L.
--
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective
reams."
- Patrice Cullors, *Black Lives Matter founder*
On 18 May 2017 at 19:34, Lachlan Musicman <data...@gmail.com> wrote:
> We are seeing this. I'm not at work, but I think it's bug report 6766.
>
> Patch has already been committed (bot by us), we're waiting fo
parately?
>
> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman <data...@gmail.com>
> wrote:
>
>> https://pagure.io/freeipa/issue/6766
>>
>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>
>> --
>> "Mission Statement: To provide hope
On 17 May 2017 at 15:23, Lakshan Jayasekara <
lakshan.jayasek...@lankaclear.com> wrote:
>
> Hi All,
>
>
>
> I’m using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running
on CentOS 7 and have one replica server as well. I need to patch up centos
system as per PCI DSS compliance. Let me
75 matches