[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Ralph Crongeyer via FreeIPA-users wrote:
> So it does allow me to login, however there is a popup that says:
> "Some operations failed.", and a link "View details", when I click on
> that it shows:
> "invalid 'PKINIT enabled server': all masters must have IPA master role"  
> And there is a button that says "OK", when I click on that it shows this:

Ok. Start by running:

$ kinit admin
$ ipa domainlevel-get

If it is 1 you can try

$ ipa server-del --ignore-topology-disconnect --ignore-last-of-role --force replica.server

rob

> 
> 
>   Runtime error
> 
> Web UI got in unrecoverable state during "runtime" phase.
> 
> 
>   Technical details:
> 
> y.server_config is undefined
> 
> On Tue, Oct 23, 2018 at 4:07 PM Rob Crittenden wrote:
> 
> Ralph Crongeyer via FreeIPA-users wrote:
> > Can this be manually removed? We currently can't login to the web portal
> > due to this issue.
> 
> I don't understand how one master is affecting the web server of
> another. By design they are independent. Can you provide details on how
> login is failing?
> 
> rob
> 
> >
> > On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer wrote:
> >
> >     The goal is to remove the replica server from the master. No split
> >     brain. I need to remove this as we can't login to the portal because
> >     of this.
> >
> >
> >     On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden wrote:
> >
> >         Ralph Crongeyer via FreeIPA-users wrote:
>

[Freeipa-users] Re: kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread Robbie Harwood via FreeIPA-users
lune voo writes:

> Hello Robbie.
>
> That's also the strange part, the kpasswd does not work after that.

Can you post kerb logs for the failure?

Thanks,
--Robbie


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Andrey Bychkov via FreeIPA-users wrote:
> Hello, I fixed design page.
> 
> https://www.freeipa.org/page/V4/NTP_Servers_Configuration

Tibor, do you have any input on this?

As I read this it will be up to the end-user to install their favorite
NTP client package, right? Otherwise installation is going to fail if
none of the supported NTP client packages are installed? Similar to how
DNS is detected?

With 4.7.0 we just got out of the business of running an NTP server on
an IPA master. Is it necessary to add that back?

rob

> 
> 
> 19.10.2018 17:11, Rob Crittenden via FreeIPA-users wrote:
>> Andrey Bychkov via FreeIPA-users wrote:
>>> /->>There is no description about what the abstraction layer should be.
>>> What basic functions are there for an NTP server and how does each
>>> server map into that abstraction? What basic methods are required?/
>>>
>>> An abstract module is the parent basentpconf module, which contains the
>>> base ntp classes for the server and the client, from which ntpdlib,
>>> ontpdlib, and chronylib are inherited. The parent client and server
>>> classes contain methods for configuring, synchronizing, and restoring
>>> the initial state of the ntp server. It uses common functions from
>>> ntpmethods. As for ntpdlib, ontpdlib, and chronylib, they contain
>>> classes for configuring their ntp server directly, inherited from
>>> basentpconf, and override the desired properties.
>> Right, so I realize we sort of backed into this Design document from a
>> PR. The purpose of the design review is to hash things out before they
>> are implemented so I'm commenting only on what is in the doc and not in
>> the PR. There are no details of this abstraction in the design.
>>
>>> /->>Do all servers support the options server and pool?/
>>>
>>> All the ntp servers listed here support the server and pool options, the
>>> values of which are written to the configuration file with the
>>> appropriate field.
>> Ok cool.
>>
>>> /->>How will dependencies be managed? Is there a common way to do this
>>> with both Fedora-like and Debian-like distributions?/
>>>
>>> Each package with freeipa ntp lib contains a dependency on the ntp
>>> server that it uses. To use freeipa ntp lib, it is enough to install a
>>> package with an appropriate ntp server.
>> Right but using what mechanism? rpm has this weak dependencies thing
>> which I haven't had a chance to look at (and I don't know about other
>> distros). How is the appropriate time package going to be installed? Are
>> we relying on the end-user to install the time package they want, so if
>> they install none then there is no time sync?
>>
>>> /->>Is it an error if no NTP servers are installed? Is this what is
>>> meant by "default ntp configuration"? Is that functionally equivalent to
>>> "no NTP service is configured"?/
>>>
>>> If the system does not detect the ntp server, and the user does not use
>>> the option '--no-ntp', then the installation of freeipa will end with
>>> information about this. If the ntp server or ntp pool options are not
>>> specified by the user, then the ntp server is set by default, that is,
>>> configured on the basis of the ntp server that was laid down.
>> Ok, this is a change in current behavior. Right now just a warning is
>> displayed if there is no NTP server found.
>>
>>> /->>Could there be service-specific options that would need to be passed
>>> or set?/
>>>
>>> You can set options for the ntp service such as ntp pool and ntp server.
>> But there is no feature that one server provides that others don't, for
>> example? It's fine to limit it to only pools and servers, I'm just
>> trying to anticipate future RFEs.
>>
>>> /->>How will this impact testing? Will all possible options need to be
>>> tested or is spot-checking or a single server adequate?/
>>>
>>> For testing, it is necessary to start the installation of freeipa both
>>> with the --ntp-server and --ntp-pool options, and without them, on all
>>> supported time servers.
>> What I mean is there will be say 3 NTP servers supported. Do all three
>> need to be tested or is it sufficient to test the abstraction?
>>
>>> /->>Will backup/restore need to be extended to pick up the
>>> service-specific files?/
>>>
>>> For backup and restore, standard freeipa methods are used, which are
>>> used to preserve the original state of the service and the configuration
>>> file. After freeipa is removed, the service is restored to its original
>>> state. To do this, freeipa ntp uses the createntp.uninstall_client and
>>> createntp.uninstall_server methods for the client and server, respectively.
>> Yes but configuration files need to be baked in, for example. They don't
>> all share the same config file.
>>
>>> /->>Upon restore there will need to be some sort of check that the
>>> required NTP service is installed which means that the service needs to
>>> be recorded somewhere./
>>>
>>> If another ntp service is installed, the service will not be restored,
>>> since the 

[Freeipa-users] Re: Setting up Ubuntu client on free IPA

2018-10-24 Thread John Petrini via FreeIPA-users
sssd should be installed as a dependency when you install
freeipa-client. The sssd file itself is /etc/sssd/sssd.conf.


[Freeipa-users] Re: kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread lune voo via FreeIPA-users
Hello Robbie.

That's also the strange part, the kpasswd does not work after that.

Best regards.

Lune

On Wed, Oct 24, 2018 at 19:38, Robbie Harwood wrote:

> lune voo via FreeIPA-users writes:
>
> > Hello everyone.
> >
> > I send you this mail because I encountered a strange problem trying to set
> > a password for a user I just created.
> >
> > First, I created the user with ipa user-add and for the following result :
> > Added user
> >
> > Then I added this user into a password policy group and it worked fine :
> > Then I set a One Time Password for this account and it worked.
> >
> > Finally I tried to set a complex password fitting the password policy with
> > the kpasswd command. And here, I encountered the following error message :
> > kpasswd: Client not found in Kerberos database getting initial ticket
> >
> > My kpasswd command was like that :
> > printf "%s\n%s\n%s" '' '' '' |
> > kpasswd
> >
> > It works fine usually, this is the first time I see this error message.
> >
> > I wanted to ask you if you knew what this error message mean ?
> > For me it is that the user does not exist, but I prefer ask you guys.
>
> Correct.  It's "unknown principal" - Kerberos tried to look up the
> user on the server and got nothing.
>
> > The strange things is that, after that, I tried to ipa user-unlock the
> > account, and it worked o_O.
>
> Well, did kpasswd work after that?
>
> Thanks,
> --Robbie
>


[Freeipa-users] Re: Setting up Ubuntu client on free IPA

2018-10-24 Thread Jatinder Kumar via FreeIPA-users
Hi,

Thanks for the information, but in Ubuntu there is no "sssd" file.

On Thu, Oct 25, 2018 at 12:14 AM Kristian Petersen wrote:

> It is basically the same as on CentOS.  The package you install is
> freeipa-client instead of ipa-client, but the command to enroll the host is
> the same.
>
> On Wed, Oct 24, 2018 at 12:05 PM Jatinder Kumar via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi,
>>
>> Actually, I had installed freeipa server on my centos7 machine. But in my
>> organization, we are using Ubuntu. Could you please give the steps so that
>> i can add my ubuntu servers as a client in freeipa for ssh access
>> management.
>>
>>
>>
>>
>> Thank you
>> jatinder
>
>
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
>


[Freeipa-users] Fwd: Setting up Ubuntu client on free IPA

2018-10-24 Thread Jatinder Kumar via FreeIPA-users
Hi,

Actually, I had installed freeipa server on my centos7 machine. But in my
organization, we are using Ubuntu. Could you please give the steps so that
i can add my ubuntu servers as a client in freeipa for ssh access
management.




Thank you
jatinder


[Freeipa-users] Re: Setting up Ubuntu client on free IPA

2018-10-24 Thread Kristian Petersen via FreeIPA-users
It is basically the same as on CentOS.  The package you install is
freeipa-client instead of ipa-client, but the command to enroll the host is
the same.

On Wed, Oct 24, 2018 at 12:05 PM Jatinder Kumar via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> Actually, I had installed freeipa server on my centos7 machine. But in my
> organization, we are using Ubuntu. Could you please give the steps so that
> i can add my ubuntu servers as a client in freeipa for ssh access
> management.
>
>
>
>
> Thank you
> jatinder


-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


[Freeipa-users] Setting up Ubuntu client on free IPA

2018-10-24 Thread Jatinder Kumar via FreeIPA-users
Hi,

Actually, I had installed freeipa server on my centos7 machine. But in my
organization, we are using Ubuntu. Could you please give the steps so that
i can add my ubuntu servers as a client in freeipa for ssh access
management.




Thank you
jatinder


[Freeipa-users] Re: kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread Robbie Harwood via FreeIPA-users
lune voo via FreeIPA-users writes:

> Hello everyone.
>
> I send you this mail because I encountered a strange problem trying to set
> a password for a user I just created.
>
> First, I created the user with ipa user-add and for the following result :
> Added user 
>
> Then I added this user into a password policy group and it worked fine :
> Then I set a One Time Password for this account and it worked.
>
> Finally I tried to set a complex password fitting the password policy with
> the kpasswd command. And here, I encountered the following error message :
> kpasswd: Client not found in Kerberos database getting initial ticket
>
> My kpasswd command was like that :
> printf "%s\n%s\n%s" '' '' '' |
> kpasswd 
>
> It works fine usually, this is the first time I see this error message.
>
> I wanted to ask you if you knew what this error message mean ?
> For me it is that the user does not exist, but I prefer ask you guys.

Correct.  It's "unknown principal" - Kerberos tried to look up the
user on the server and got nothing.

> The strange things is that, after that, I tried to ipa user-unlock the
> account, and it worked o_O.

Well, did kpasswd work after that?

Thanks,
--Robbie




[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Oct 2018, Callum Smith via FreeIPA-users wrote:

> Dear Rob,
>
> I'm using the python-freeipa library:
>
> (client is initialised and logged in - tested and working with other calls such
> as user_show etc)
>
> client.user_add(
>  options.username,
>  options.first_name,
>  options.last_name,
>  options.name,
>  mail=options.mail,
>  home_directory=options.home_directory,
>  uidnumber=options.uid if options.uid else -1,
>  gidnumber=options.primary_gid,
>  user_password=options.password,
> )

Sorry, this is not an API provided by the FreeIPA project. Please
contact the authors of python-freeipa (I think it was created by OpenNode
people) and report the bugs you see there to them.

https://pypi.org/project/python-freeipa/


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] kpasswd: Client not found in Kerberos database getting initial ticket

2018-10-24 Thread lune voo via FreeIPA-users
Hello everyone.

I send you this mail because I encountered a strange problem trying to set
a password for a user I just created.

First, I created the user with ipa user-add and for the following result :
Added user 

Then I added this user into a password policy group and it worked fine :
Then I set a One Time Password for this account and it worked.

Finally I tried to set a complex password fitting the password policy with
the kpasswd command. And here, I encountered the following error message :
kpasswd: Client not found in Kerberos database getting initial ticket

My kpasswd command was like that :
printf "%s\n%s\n%s" '' '' '' |
kpasswd 

It works fine usually, this is the first time I see this error message.

I wanted to ask you if you knew what this error message mean ?
For me it is that the user does not exist, but I prefer ask you guys.

The strange things is that, after that, I tried to ipa user-unlock the
account, and it worked o_O.

I'm running 2 IPA masters 3.0.0 on RHEL 6.6.

Best regards.

Lune.


[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Callum Smith via FreeIPA-users
Dear Rob,

I'm using the python-freeipa library:

(client is initialised and logged in - tested and working with other calls such 
as user_show etc)

client.user_add(
  options.username,
  options.first_name,
  options.last_name,
  options.name,
  mail=options.mail,
  home_directory=options.home_directory,
  uidnumber=options.uid if options.uid else -1,
  gidnumber=options.primary_gid,
  user_password=options.password,
)

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

On 24 Oct 2018, at 13:32, Rob Crittenden wrote:

> Callum Smith wrote:
>> Dear Rob,
>>
>> Running v4.5.0 (CentOS 7.4 distribution)
>> API version 2.228
>>
>> Setting it to -1 gives:
>> ValidationError: invalid 'uid': must be at least 1
>
> Need more information on what exactly it is you are doing.
>
> rob
>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 24 Oct 2018, at 12:47, Rob Crittenden wrote:
>>
>>> Callum Smith via FreeIPA-users wrote:
>>>> Dear All,
>>>>
>>>> When using the API to create an account, if I don't specify the
>>>> uidnumber I get this error:
>>>>
>>>> missing attribute "uidNumber" required by object class "posixAccount"
>>>>
>>>> I was expecting the uidNumber to function thus: "system will assign one
>>>> if not provided"
>>>>
>>>> Am I missing something?
>>>
>>> You need to set uidnumber to -1 to have DNA automatically assign a value
>>> (pre v3.2 the magic number is 999).
>>>
>>> rob



[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-24 Thread Ralph Crongeyer via FreeIPA-users
So it does allow me to login, however there is a popup that says:
"Some operations failed.", and a link "View details", when I click on that
it shows:
"invalid 'PKINIT enabled server': all masters must have IPA master role"
And there is a button that says "OK", when I click on that it shows this:

Runtime error

Web UI got in unrecoverable state during "runtime" phase.
Technical details:
y.server_config is undefined

On Tue, Oct 23, 2018 at 4:07 PM Rob Crittenden wrote:

> Ralph Crongeyer via FreeIPA-users wrote:
> > Can this be manually removed? We currently can't login to the web portal
> > due to this issue.
>
> I don't understand how one master is affecting the web server of
> another. By design they are independent. Can you provide details on how
> login is failing?
>
> rob
>
> >
> > On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer wrote:
> >
> > The goal is to remove the replica server from the master. No split
> > brain. I need to remove this as we can't login to the portal because
> > of this.
> >
> >
> > On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden wrote:
> >
> > Ralph Crongeyer via FreeIPA-users wrote:
> > > Hi List,
> > > I have a master server that had a replica installed. The replica has
> > > been uninstalled. When I try to run "ipa-replica-manage del --force
> > > replica.server" it fails with:
> > > invalid 'PKINIT enabled server': all masters must have IPA master role
> > > enabled
> > >
> > > How can I delete this replica?
> >
> > What is your ultimate goal here? In your previous post it sounded like
> > you are trying to create a split-brain. IPA doesn't 

[Freeipa-users] Re: Cannot add externally-signed IPA CA certificate

2018-10-24 Thread Dmitry Perets via FreeIPA-users
Sorry, I've figured it out myself...
The problem was not with the Root CA certificate, the reported error is 
misleading here.

Actually, the problem was with the certificate generated for the FreeIPA 
itself. 
It had CA:FALSE, because I forgot to select the right extension profile when 
signing it with my openssl "pseudo-CA". 
I've reissued the certificate for FreeIPA with "CA:TRUE" - and it accepted it.
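The mistake described in the message above (a sub-CA certificate issued with CA:FALSE) can be caught before running ipa-server-install. The script below is an added example, not part of the original post and not FreeIPA code: it builds a throwaway root CA, signs one CSR with a CA:FALSE profile and once more with CA:TRUE, and checks each result the way the two --external-cert-file inputs would be checked. The file names, subject names, config section names and function names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Every certificate here is
# constructed at run time in a temporary directory; all names are hypothetical.

# is_ca_cert FILE: succeed only if FILE has basicConstraints with CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) ok = 1 }
             END { exit !ok }'
}

# check_external_chain ROOT SUBCA: checks for the two files that will be
# passed as --external-cert-file. Prints a verdict; status 0 means usable.
check_external_chain() {
    root=$1
    sub=$2
    is_ca_cert "$root" || { echo "root: not a CA certificate"; return 1; }
    openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1 ||
        { echo "sub: does not verify against root"; return 2; }
    is_ca_cert "$sub" || { echo "sub: not a CA certificate"; return 3; }
    echo "ok"
}

# make_demo_pki DIR: constructed test PKI. One CSR is signed twice by the
# same root: once with a leaf profile (the mistake) and once with a CA profile.
make_demo_pki() {
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root, standing in for the home-made openssl root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$d/ext.cnf" -extensions v3_ca -subj "/CN=Example RootCA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    # CSR standing in for the one the IPA installer asks to have signed.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$d/ext.cnf" -subj "/CN=Example IPA CA" \
        -keyout "$d/ipa.key" -out "$d/ipa.csr" 2>/dev/null &&
    # Wrong extension profile selected at signing time: CA:FALSE.
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions v3_leaf \
        -out "$d/ipa_bad.pem" 2>/dev/null &&
    # Reissued with the CA profile: CA:TRUE.
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -extensions v3_ca \
        -out "$d/ipa_good.pem" 2>/dev/null
}

# Demo run: both certificates chain to the root, only one is usable as a CA.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
bad_verdict=$(check_external_chain "$demo_dir/root.pem" "$demo_dir/ipa_bad.pem") || true
good_verdict=$(check_external_chain "$demo_dir/root.pem" "$demo_dir/ipa_good.pem") || true
echo "signed with leaf profile: $bad_verdict"
echo "signed with CA profile:   $good_verdict"
rm -rf "$demo_dir"
```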


[Freeipa-users] Re: freeipa-server failied to instal - Debian

2018-10-24 Thread Milos Cuculovic via FreeIPA-users
Thank you Timo,

In the meantime I installed the freeipa-server on another clean Ubuntu server, 
which worked well.
Then installed the client on this one, which also worked well. Would be good 
however to understand what’s the issue with the first server.


Milos

> On 24 Oct 2018, at 13:20, Timo Aaltonen wrote:
> 
> On 24.10.2018 09:57, Milos Cuculovic via FreeIPA-users wrote:
>> Anyone who could help?
> 
> You are mixing Debian and Ubuntu repositories, I don't think that's a
> proper solution in the long run. Server install on Ubuntu 18.10 should
> work more or less, stock 18.04 has issues, and Debian is missing some
> dependencies like libnss-pem, until certmonger is ported to openssl (if
> ever).
> 
> 
> -- 
> t



[Freeipa-users] Cannot add externally-signed IPA CA certificate

2018-10-24 Thread Dmitry Perets via FreeIPA-users
Hi,

I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with 
openssl. So I've signed the FreeIPA's request with my self-signed "root ca" 
certificate, but it looks like FreeIPA doesn't like it:

ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem 
--external-cert-file=/root/rootca/certs/ipacert.pem 
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA 
certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in 
/root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a 
CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The 
ipa-server-install command failed. See /var/log/ipaserver-install.log for more 
information

The subj above is my self-made root CA cert, so it looks like something is 
missing in it. But what...? 

Here it is below, it has the "Basic Constraint" set with CA:TRUE... What else 
is required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install? 

[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
        Validity
            Not Before: Oct 24 11:43:13 2018 GMT
            Not After : Oct 21 11:43:13 2028 GMT
        Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <...skipped...>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
            X509v3 Authority Key Identifier: 
                keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         <...skipped...>

Thanks!!


[Freeipa-users] Re: can clients or servers be pinned to named Active Directory servers to bypass DNS auto-discovery?

2018-10-24 Thread Chris Dagdigian via FreeIPA-users

Thanks! Replies in line

Alexander Bokovoy wrote on 10/24/18 8:40 AM:
> On Wed, 24 Oct 2018, Chris Dagdigian via FreeIPA-users wrote:
>> Is it possible to override the AD integration use of DNS queries to 
>> find AD controllers and replace the auto-discovery with a named list 
>> of domain controllers?
>
> Where? In 'ipa trust-add' or in SSSD? The former has already a mechanism
> by specifying a domain controller to contact.

Trust is already built and that took *months* to arrange with the 
mysterious AD admins who do not talk to mere mortals. Not going to mess 
with that! Looking to pin IDM interactions with named AD servers at the 
sssd.conf level, I think.

>> We've got a setup in an AWS VPC and we've found that out of the 100 
>> or so domain controllers in DNS that a few of them refuse to talk to 
>> us or answer ldaps:// queries. After a lot of nmap and DNS probe work 
>> we think we've discovered a number of "bad" controllers that may be 
>> responsible for random password check / login failures in the AWS 
>> environment
>>
>> Can the latest sssd/free-ipa be configured to use a list of "known 
>> good" domain controllers?
>
> SSSD can be pinned down to the specific site and also to specific domain
> controllers in 1.16+. Some of the configurations are possible with
> earlier versions too, see manual page for sssd-ipa(5), section "Trusted
> domains configuration".

Thank you! We will research/test this.

Love this list and the resources on it!

Regards,
Chris




[Freeipa-users] Re: can clients or servers be pinned to named Active Directory servers to bypass DNS auto-discovery?

2018-10-24 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 24 Oct 2018, Chris Dagdigian via FreeIPA-users wrote:
> Is it possible to override the AD integration use of DNS queries to 
> find AD controllers and replace the auto-discovery with a named list 
> of domain controllers?

Where? In 'ipa trust-add' or in SSSD? The former has already a mechanism
by specifying a domain controller to contact.

> We've got a setup in an AWS VPC and we've found that out of the 100 or 
> so domain controllers in DNS that a few of them refuse to talk to us 
> or answer ldaps:// queries. After a lot of nmap and DNS probe work we 
> think we've discovered a number of "bad" controllers that may be 
> responsible for random password check / login failures in the AWS 
> environment
>
> Can the latest sssd/free-ipa be configured to use a list of "known 
> good" domain controllers?

SSSD can be pinned down to the specific site and also to specific domain
controllers in 1.16+. Some of the configurations are possible with
earlier versions too, see manual page for sssd-ipa(5), section "Trusted
domains configuration".

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Callum Smith wrote:
> Dear Rob,
> 
> Running v4.5.0 (CentOS 7.4 distribution)
> API version 2.228
> 
> Setting it to -1 gives:
> ValidationError: invalid 'uid': must be at least 1

Need more information on what exactly it is you are doing.

rob

> 
> Regards,
> Callum
> 
> --
> 
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk 
> 
>> On 24 Oct 2018, at 12:47, Rob Crittenden wrote:
>>
>> Callum Smith via FreeIPA-users wrote:
>>> Dear All,
>>>
>>> When using the API to create an account, if I don't specify the
>>> uidnumber I get this error:
>>>
>>> missing attribute "uidNumber" required by object class "posixAccount"
>>>
>>> I was expecting the uidNumber to function thus: "system will assign one
>>> if not provided"
>>>
>>> Am I missing something?
>>
>> You need to set uidnumber to -1 to have DNA automatically assign a value
>> (pre v3.2 the magic number is 999).
>>
>> rob
> 


[Freeipa-users] can clients or servers be pinned to named Active Directory servers to bypass DNS auto-discovery?

2018-10-24 Thread Chris Dagdigian via FreeIPA-users
Is it possible to override the AD integration use of DNS queries to find 
AD controllers and replace the auto-discovery with a named list of 
domain controllers?


We've got a setup in an AWS VPC and we've found that out of the 100 or 
so domain controllers in DNS that a few of them refuse to talk to us or 
answer ldaps:// queries. After a lot of nmap and DNS probe work we think 
we've discovered a number of "bad" controllers that may be responsible 
for random password check / login failures in the AWS environment


Can the latest sssd/free-ipa be configured to use a list of "known good" 
domain controllers?


Thanks!

Chris


[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Callum Smith via FreeIPA-users
Dear Rob,

Running v4.5.0 (CentOS 7.4 distribution)
API version 2.228

Setting it to -1 gives:
ValidationError: invalid 'uid': must be at least 1

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

> On 24 Oct 2018, at 12:47, Rob Crittenden <rcrit...@redhat.com> wrote:
> 
> Callum Smith via FreeIPA-users wrote:
>> Dear All,
>>
>> When using the API to create an account, if I don't specify the
>> uidnumber I get this error:
>>
>> missing attribute "uidNumber" required by object class "posixAccount"
>>
>> I was expecting the uidNumber to function thus: "system will assign one
>> if not provided"
>>
>> Am I missing something?
> 
> You need to set uidnumber to -1 to have DNA automatically assign a value
> (pre v3.2 the magic number is 999).
> 
> rob



[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Callum Smith via FreeIPA-users wrote:
> Dear All,
> 
> When using the API to create an account, if I don't specify the
> uidnumber I get this error:
> 
> missing attribute "uidNumber" required by object class "posixAccount"
> 
> I was expecting the uidNumber to function thus: "system will assign one
> if not provided"
> 
> Am I missing something?

You need to set uidnumber to -1 to have DNA automatically assign a value
(pre v3.2 the magic number is 999).

rob


[Freeipa-users] Account creation via API not assigning uidNumber

2018-10-24 Thread Callum Smith via FreeIPA-users
Dear All,

When using the API to create an account, if I don't specify the uidnumber I get 
this error:

missing attribute "uidNumber" required by object class "posixAccount"

I was expecting the uidNumber to function thus: "system will assign one if not 
provided"

Am I missing something?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk



[Freeipa-users] Re: freeipa-server failed to install - Debian

2018-10-24 Thread Timo Aaltonen via FreeIPA-users
On 24.10.2018 09:57, Milos Cuculovic via FreeIPA-users wrote:
> Anyone who could help?

You are mixing Debian and Ubuntu repositories, I don't think that's a
proper solution in the long run. Server install on Ubuntu 18.10 should
work more or less, stock 18.04 has issues, and Debian is missing some
dependencies like libnss-pem, until certmonger is ported to openssl (if
ever).


-- 
t


[Freeipa-users] Re: ipa.service "fails" to start

2018-10-24 Thread Florence Blanc-Renaud via FreeIPA-users

On 10/23/18 5:24 AM, None via FreeIPA-users wrote:

Hi Flo, the journalctl reports that request is rejected, error 2.

  dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to 
dogtag-ipa-renew-agent
  dogtag-ipa-renew-agent-submit[29558]: GET 
http://ca-ldap01.:8080/ca/ee/ca/profileSubmit?profil
  dogtag-ipa-renew-agent-submit[29558]: Apache Tomcat/7.0.69 - Error 

[Freeipa-users] Re: freeipa-server failed to install - Debian

2018-10-24 Thread Milos Cuculovic via FreeIPA-users
Anyone who could help?

Milos Cuculovic

> On 15 Oct 2018, at 14:29, Milos Cuculovic wrote:
> 
> I am trying to install after an uninstall the freeipa-server package on 
> Debian, which is now failing. I normally removed all packages and config 
> files, something seems to still cause issues. The installation output is as 
> follows, after running apt install freeipa-server (I'm first extracting main 
> warning and failure lines I identified).
> 
> —
> Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing 
> complain mode
> Warning failed to create cache: usr.sbin.sssd
> —
> Failed to preset unit: Unit file /etc/systemd/system/bind9.service is masked.
> /usr/bin/deb-systemd-helper: error: systemctl preset failed on bind9.service: 
> No such file or directory
> —
> Job for krb5-kdc.service failed because the control process exited with error 
> code.
> See "systemctl status krb5-kdc.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript krb5-kdc, action "start" failed.
> ● krb5-kdc.service - Kerberos 5 Key Distribution Center
>   Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor 
> preset: enabled)
>  Drop-In: /lib/systemd/system/krb5-kdc.service.d
>   └─slapd-before-kdc.conf
>   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:00 CEST; 16ms 
> ago
>  Process: 17099 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid 
> $DAEMON_ARGS (code=exited, status=1/FAILURE)
> 
> Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Starting Kerberos 5 Key 
> Distribution Center...
> Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Couldn't open log file 
> /var/log/krb5kdc.log: Read-only file system
> Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: Server error - while 
> fetching master key K/M for realm IPA.MDPI.COM
> Oct 15 14:24:00 freeipa.mdpi.com krb5kdc[17099]: krb5kdc: cannot initialize 
> realm IPA.MDPI.COM - see log file for details
> Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Control 
> process exited, code=exited status=1
> Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: krb5-kdc.service: Failed with 
> result 'exit-code'.
> Oct 15 14:24:00 freeipa.mdpi.com systemd[1]: Failed to start Kerberos 5 Key 
> Distribution Center.
> —
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
> Job for pki-tomcatd.service failed because the control process exited with 
> error code.
> See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> ● pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
>   Loaded: loaded (/etc/init.d/pki-tomcatd; generated)
>   Active: failed (Result: exit-code) since Mon 2018-10-15 14:24:03 CEST; 17ms 
> ago
> Docs: man:systemd-sysv-generator(8)
>  Process: 17421 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, 
> status=1/FAILURE)
> 
> Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Starting LSB: Start pki-tomcatd 
> at boot time...
> Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: 
> /usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', 
> `while', or `until' loop
> Oct 15 14:24:03 freeipa.mdpi.com pki-tomcatd[17421]: ERROR:  No 'tomcat' 
> instances installed!
> Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Control 
> process exited, code=exited status=1
> Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: pki-tomcatd.service: Failed with 
> result 'exit-code'.
> Oct 15 14:24:03 freeipa.mdpi.com systemd[1]: Failed to start LSB: Start 
> pki-tomcatd at boot time.
> —
> Setting up freeipa-server (4.7.0~pre1+git20180411-2ubuntu2) ...
> dpkg: error processing package freeipa-server (--configure):
> installed freeipa-server package post-installation script subprocess returned 
> error exit status 1
> dpkg: dependency problems prevent configuration of freeipa-server-dns:
> freeipa-server-dns depends on freeipa-server (>= 
> 4.7.0~pre1+git20180411-2ubuntu2); however:
>  Package freeipa-server is not configured yet.
> 
> dpkg: error processing package freeipa-server-dns (--configure):
> dependency problems - leaving unconfigured
> Processing triggers for libc-bin (2.27-3ubuntu1) ...
> Processing triggers for dbus (1.12.2-1ubuntu1) ...
> No apport report written because the error message indicates its a followup 
> error from a previous failure.
> Processing triggers for oddjob (0.34.3-4) ...
> Errors were encountered while processing:
> freeipa-server
> freeipa-server-dns
> E: Sub-process /usr/bin/dpkg returned an error code (1)
> —
> 
> 
> 
> FULL OUTPUT:
> Setting up libsymkey-jni (10.6.0-1ubuntu2) ...
> Setting up python-dnspython (1.15.0-1) ...
> Setting up libxcb-present0:amd64 (1.13-1) ...
> Setting up libslf4j-java (1.7.25-3) ...
> Setting up libglvnd0:amd64 (1.0.0-2ubuntu2.2) ...
> Setting up oddjob (0.34.3-4) ...
>