Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Alexander Bokovoy

On Fri, 08 May 2015, Andy Thompson wrote:




-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 9:40 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment

On Fri, 08 May 2015, Andy Thompson wrote:
 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com]
 Sent: Friday, May 8, 2015 8:17 AM
 To: Andy Thompson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] multi homed environment

 On Fri, 08 May 2015, Andy Thompson wrote:
 I'm trying to roll out IPA in an existing windows environment where
 everything is multi homed.  I did not put my IPA server on all the
 subnets.
 
 I'm having an issue with adding a trust to the domain with the error
 below
 
 ipa: ERROR: CIFS server communication error: code -1073741801,
   message Memory allocation error (both may be
 None)
 
 DNS I think since it round robins all the existing A records and is
 returning IPs out of the local subnet.  I don't know much about
 windows dns services but it's got netmask optimization enabled and
 doing digs against the service returns the local IP first every
 time, but pings return them in any order.
 
 I've considered adding the DCs to the local hosts file but I'm not
 sure if that will solve the problem or not.  Is that a viable fix?
 
 Anyone have any experience in an environment like this?   Really not
 sure what additional problems I will run into with all this multi
 homed nonsense.
 Stop here and make sure you obtained the debugging information as
 described in
 http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

 Without that information it is hard to tell what is happening.

 Make also sure to tell exact environment (distribution, version,
 package versions, etc).


Well, things got ugly.  I enabled debug and it pointed in the right
direction: smb failed to start.  It came down to the cifs service not
having been added when I did the adtrust-install.  I tried adding it and it
complained that it could not find the A record for the host even though
it was there.  Thinking something was possibly hung up in the resolver
cache, I restarted the ipa service and it failed completely.

Ipactl start fails starting smb because of the missing service and
everything fails from there.

Is there any way to recover from this mess I just made? :)
I assume you have IPA 4.x, i.e. systemd-based environment.



Yes, sorry forgot to include that.


1. Start manually dirsrv@INSTANCE-NAME.service

2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
Note that you SHOULD NOT replace $FOO variables below, they should be as
specified in the resulting file. For ipa-ldap-updater use see its manual page
and my blog:
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/

# cat <<'END' > 88-disable-adtrust-extid.update
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END

# ipa-ldap-updater -l ./88-disable-adtrust-extid.update

3. Restart IPA

4. Re-run ipa-adtrust-install and look at the output, including what it appends
to /var/log/ipaserver-install.log.



Beautiful, that much is running again, thanks for those pointers.

And I'm ashamed to say I tracked down the issue to a fat finger in the
resolv.conf file, so it really couldn't look up the needed record :/

So back to the original issue that was in the end because smb wasn't
started most likely.  I'm still not sure how this will all respond in a
multi homed environment like this if the IPA server cannot communicate
with all of the interfaces on the DC.  Will that cause an issue with
the trust or is there anything I need to take into consideration with
this?

There are a few things to consider:

1. IPA master uses DNS SRV records to discover whom to talk to on AD
side. Received name from the SRV record is then used by IPA master to
connect to the AD DC.

2. AD DCs use DNS SRV records to discover which IPA master to respond to
when verifying trust. Received name from the SRV record is then used by
AD DC to connect to the IPA master.

3. While right now trust is established using password-based
authentication between IPA and AD DCs, actual resolution of identities
when trust is in use requires working Kerberos authentication. This
might give you a headache in multi-homed environments if the IP returned
when resolving AD DC or IPA master would be unreachable.

In any case, it is mostly a question of correct routing tables and DNS
name resolution.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
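The checks behind points 1 and 3 above, as an added example that is not part of the thread: given the SRV answer for the AD domain, each DC's A records and the subnets the IPA master is attached to, it reports which DCs have no address on a local subnet (reachable only through routing), whether any DC name does not resolve at all, and whether the first answer, the one netmask ordering is meant to put first, is local. Domain names, addresses and subnets are constructed sample data; `live_lookup` shells out to `dig` for a real run and is not exercised by the sample.

```python
"""Audit AD DC addresses handed to an IPA master by DNS SRV discovery.
Added example; not code from the thread or from FreeIPA itself."""
import ipaddress
import subprocess
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed: what `dig +short SRV _ldap._tcp.dc._msdcs.<ad-domain>` might print
SAMPLE_SRV = """\
0 100 389 dc1.ad.example.test.
0 100 389 dc2.ad.example.test.
0 100 389 dc3.ad.example.test.
0 100 389 dc4.ad.example.test.
"""

# Constructed: A records of each multi-homed DC, in the order the resolver
# returned them (dc4 deliberately has no A record at all)
SAMPLE_A = {
    "dc1.ad.example.test": ["10.10.1.5", "192.168.50.5"],
    "dc2.ad.example.test": ["192.168.50.6", "10.10.2.5"],
    "dc3.ad.example.test": ["10.10.3.5"],
}

# Constructed: the only subnet the IPA master is attached to
LOCAL_SUBNETS = ["192.168.50.0/24"]


def parse_srv(text):
    """Parse `dig +short SRV` output into SrvRecord tuples, lowest priority
    first and, within a priority, highest weight first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def split_by_subnet(addrs, local_subnets):
    """Split addresses into those on one of our subnets and those that are
    reachable only if the routing table has a path to them."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    on_link, off_link = [], []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        (on_link if any(ip in n for n in nets) else off_link).append(a)
    return on_link, off_link


def audit(srv_text, a_records, local_subnets):
    """For every DC named in the SRV answer report its on-link and off-link
    addresses, whether the first answer is on-link, and whether the name
    resolved at all."""
    report = {}
    for rec in parse_srv(srv_text):
        addrs = a_records.get(rec.target, [])
        on_link, off_link = split_by_subnet(addrs, local_subnets)
        report[rec.target] = {
            "port": rec.port,
            "on_link": on_link,
            "off_link": off_link,
            "first_answer_local": bool(addrs) and addrs[0] in on_link,
            "unresolved": not addrs,
        }
    return report


def problems(report):
    """DC names that need attention: unresolved, or no on-link address."""
    return sorted(t for t, r in report.items() if r["unresolved"] or not r["on_link"])


def live_lookup(ad_domain):
    """Query real DNS with dig (not used by the sample). Returns the same
    (srv_text, a_records) shape that audit() consumes."""
    srv_text = subprocess.check_output(
        ["dig", "+short", "SRV", f"_ldap._tcp.dc._msdcs.{ad_domain}"], text=True)
    a_records = {}
    for rec in parse_srv(srv_text):
        out = subprocess.check_output(["dig", "+short", "A", rec.target], text=True)
        a_records[rec.target] = out.split()
    return srv_text, a_records


if __name__ == "__main__":
    rep = audit(SAMPLE_SRV, SAMPLE_A, LOCAL_SUBNETS)
    for target, r in rep.items():
        print(target, r)
    print("needs attention:", problems(rep))
```

The same audit applies in the other direction (point 2): run it with the IPA domain's SRV records and the AD DC's subnets to see which IPA master address the DC will be handed.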


Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Andy Thompson
 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com]
 Sent: Friday, May 8, 2015 10:21 AM
 To: Andy Thompson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] multi homed environment
 
 On Fri, 08 May 2015, Andy Thompson wrote:
 
 
  -Original Message-
  From: Alexander Bokovoy [mailto:aboko...@redhat.com]
  Sent: Friday, May 8, 2015 9:40 AM
  To: Andy Thompson
  Cc: freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] multi homed environment
 
  On Fri, 08 May 2015, Andy Thompson wrote:
   -Original Message-
   From: Alexander Bokovoy [mailto:aboko...@redhat.com]
   Sent: Friday, May 8, 2015 8:17 AM
   To: Andy Thompson
   Cc: freeipa-users@redhat.com
   Subject: Re: [Freeipa-users] multi homed environment
  
   On Fri, 08 May 2015, Andy Thompson wrote:
   I'm trying to roll out IPA in an existing windows environment
   where everything is multi homed.  I did not put my IPA server on
   all the subnets.
   
   I'm having an issue with adding a trust to the domain with the
   error below
   
   ipa: ERROR: CIFS server communication error: code -1073741801,
 message Memory allocation error (both may be
   None)
   
   DNS I think since it round robins all the existing A records and
   is returning IPs out of the local subnet.  I don't know much
   about windows dns services but it's got netmask optimization
   enabled and doing digs against the service returns the local IP
   first every time, but pings return them in any order.
   
   I've considered adding the DCs to the local hosts file but I'm
   not sure if that will solve the problem or not.  Is that a viable fix?
   
   Anyone have any experience in an environment like this?   Really not
   sure what additional problems I will run into with all this multi
   homed nonsense.
   Stop here and make sure you obtained the debugging information as
   described in
   http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
  
   Without that information it is hard to tell what is happening.
  
   Make also sure to tell exact environment (distribution, version,
   package versions, etc).
  
  
  Well, things got ugly.  I enabled debug and it pointed in the right
  direction: smb failed to start.  It came down to the cifs service not
  having been added when I did the adtrust-install.  I tried adding it and it
  complained that it could not find the A record for the host even
  though it was there.  Thinking something was possibly hung up in the
  resolver cache, I restarted the ipa service and it failed completely.
  
  Ipactl start fails starting smb because of the missing service and
  everything fails from there.
  
  Is there any way to recover from this mess I just made? :)
  I assume you have IPA 4.x, i.e. systemd-based environment.
 
 
 Yes, sorry forgot to include that.
 
  1. Start manually dirsrv@INSTANCE-NAME.service
 
  2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
  Note that you SHOULD NOT replace $FOO variables below, they should be
  as specified in the resulting file. For ipa-ldap-updater use see its
  manual page and my blog:
  https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
 
  # cat <<'END' > 88-disable-adtrust-extid.update
  dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
  remove:ipaConfigString:enabledService

  dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
  remove:ipaConfigString:enabledService
  END
 
  # ipa-ldap-updater -l ./88-disable-adtrust-extid.update
 
  3. Restart IPA
 
  4. Re-run ipa-adtrust-install and look at the output, including what
  it appends to /var/log/ipaserver-install.log.
 
 
 Beautiful, that much is running again, thanks for those pointers.
 
 And I'm ashamed to say I tracked down the issue to a fat finger in the
 resolv.conf file, so it really couldn't look up the needed record :/
 
 So back to the original issue that was in the end because smb wasn't
 started most likely.  I'm still not sure how this will all respond in a
 multi homed environment like this if the IPA server cannot communicate
 with all of the interfaces on the DC.  Will that cause an issue with
 the trust or is there anything I need to take into consideration with
 this?
 There are a few things to consider:
 
 1. IPA master uses DNS SRV records to discover whom to talk to on AD side.
 Received name from the SRV record is then used by IPA master to connect
 to the AD DC.
 
 2. AD DCs use DNS SRV records to discover which IPA master to respond to
 when verifying trust. Received name from the SRV record is then used by AD
 DC to connect to the IPA master.
 
 3. While right now trust is established using password-based authentication
 between IPA and AD DCs, actual resolution of identities when trust is in use
 requires working Kerberos authentication. This might give you a headache in
 multi-homed environments if the IP returned when resolving AD DC or IPA
 master would be unreachable.
 
 In any case, it 

Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Alexander Bokovoy

On Fri, 08 May 2015, Andy Thompson wrote:

-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 8:17 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment

On Fri, 08 May 2015, Andy Thompson wrote:
I'm trying to roll out IPA in an existing windows environment where
everything is multi homed.  I did not put my IPA server on all the
subnets.

I'm having an issue with adding a trust to the domain with the error
below

ipa: ERROR: CIFS server communication error: code -1073741801,
  message Memory allocation error (both may be
None)

DNS I think since it round robins all the existing A records and is
returning IPs out of the local subnet.  I don't know much about windows
dns services but it's got netmask optimization enabled and doing digs
against the service returns the local IP first every time, but pings
return them in any order.

I've considered adding the DCs to the local hosts file but I'm not sure
if that will solve the problem or not.  Is that a viable fix?

Anyone have any experience in an environment like this?   Really not
sure what additional problems I will run into with all this multi homed
nonsense.
Stop here and make sure you obtained the debugging information as
described in
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

Without that information it is hard to tell what is happening.

Make also sure to tell exact environment (distribution, version, package
versions, etc).



Well, things got ugly.  I enabled debug and it pointed in the right
direction: smb failed to start.  It came down to the cifs service not
having been added when I did the adtrust-install.  I tried adding it and it
complained that it could not find the A record for the host even though
it was there.  Thinking something was possibly hung up in the resolver
cache, I restarted the ipa service and it failed completely.

Ipactl start fails starting smb because of the missing service and
everything fails from there.

Is there any way to recover from this mess I just made? :)

I assume you have IPA 4.x, i.e. systemd-based environment.

1. Start manually dirsrv@INSTANCE-NAME.service

2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
Note that you SHOULD NOT replace $FOO variables below, they should be as
specified in the resulting file. For ipa-ldap-updater use see its
manual page and my blog:
https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/

# cat <<'END' > 88-disable-adtrust-extid.update
dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService

dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
END

# ipa-ldap-updater -l ./88-disable-adtrust-extid.update

3. Restart IPA

4. Re-run ipa-adtrust-install and look at the output, including what it
appends to /var/log/ipaserver-install.log.

--
/ Alexander Bokovoy



Re: [Freeipa-users] more replication fun

2015-05-08 Thread Rob Crittenden

Janelle wrote:

On 5/7/15 12:59 AM, thierry bordaz wrote:

On 05/07/2015 05:39 AM, Janelle wrote:

On 5/6/15 8:12 PM, Vaclav Adamec wrote:

Hi,
  Mike Reynolds recommended the cleanallruv script (IPA RUV unable to decode
thread); if you are sure there is no live replica server behind
this id, then just try cleanallruv.pl -w X -b dc= -r 9

Vasek


On Thu, May 7, 2015 at 2:25 AM, Janelle janellenicol...@gmail.com
wrote:

Hi again..

Seems to be an ongoing theme (replication). How does one remove these?

unable to decode: {replica 9} 553ef80e00010009
55402c390009

I am hoping this is a stupid question with a really simple answer
that I am simply missing?

~J






Thank you Vasek,

I am curious however. I have been running OpenLDAP configs with 20 or
more servers in replication for over 5 years. In all that time, I
think I have had replication issues 5 times.  In the 6 months of
working with FreeIPA, replication issues are constant. From reading
the threads, I am not the only one in this predicament. Is there any
history on why replication is so problematic in FreeIPA?

regards
~J


Hi Janelle,

This is a large question and I have no precise answer. My
understanding of OpenLDAP replication vs RHDS replication is that
it is not based on the same approach syncrepl vs
replica_agreement. Both are working. Replication is complex  and
when I compare RHDS with others DS implementation using the same
approach (replica_agreement) I can say that RHDS is doing a good
job in terms of performance, stability and robustness.

Replication is sensitive to administrative tasks, backup-restore,
reinit, upgrade, schema update. This is possibly your case: we have
seen 'unable to decode' during upgrade/cleanruv and are still
investigating that bug.

thanks
thierry


All of this makes good sense - in fact, even the OpenLDAP vs 389-ds
issues and replication. Yes, in the environment I had, there were a
couple of masters, and the rest were read-only, which meant keeping in
sync - easy.

Now, I was looking through the archives and can't seem to find the
recommended way to delete one of these:

unable to decode  {replica 22} 553eec6400040016 553eec6400040016

I think someone mentioned a script, but I can't find it.   I have
several replicas in this state and would like to try and clean them up.
The interesting thing is - the replicas in this state seem to have a
higher CPU load as based on uptime. Interesting.

Thanks
~J




See https://www.redhat.com/archives/freeipa-users/2015-May/msg00062.html

It would be nice to know if this style of RUV could be acted on by 
ipa-replica-manage. I added this bit as a catch-all so no RUV would be 
invisibly skipped if it didn't match the regex I wrote. If this kind of 
RUV could indeed still be cleaned it would be nice to know and we could 
make that possible.


rob

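An added example, not code from the thread or from ipa-replica-manage: a parser for nsds50ruv values that accepts both the usual `{replica N ldap://host:port}` form and the URL-less form quoted in this thread, decodes each CSN (8 hex digits of timestamp, then 4 of sequence, 4 of replica id, 4 of subsequence), and lists the replica ids that no live master owns, which is the check Vasek's advice asks for before cleaning an id. The RUV values and the set of live ids are constructed; CSNs that are not 20 hex digits, like the collapsed values in the quoted lines, are reported as undecodable rather than guessed at.

```python
"""Parse 389-ds RUV elements and find replica ids with no live owner.
Added example; not code from the thread or from FreeIPA/389-ds."""
import re
from datetime import datetime, timezone

# Usual element: "{replica <rid> ldap://host:port} <min csn> <max csn>".
# The entries quoted in the thread carry no ldap:// URL, which is why a
# regex that requires the URL prints them as "unable to decode"; the URL
# is optional here so such entries are still read.
RUV_RE = re.compile(
    r"^\{replica (?P<rid>\d+)(?: (?P<url>ldap://[^}\s]+))?\}"
    r"(?: (?P<mincsn>\S+))?(?: (?P<maxcsn>\S+))?$"
)
CSN_RE = re.compile(r"^[0-9a-f]{20}$")  # 389-ds prints CSNs in lowercase hex

# Constructed sample of nsds50ruv values (hosts and ids are made up)
SAMPLE_RUV = [
    "{replicageneration} 54f1a2b3000000040000",
    "{replica 4 ldap://ipa1.example.test:389} 54f1a2b3000000040000 554c9d1e000100040000",
    "{replica 5 ldap://ipa2.example.test:389} 54f1a2c0000000050000 554c9d2a000000050000",
    "{replica 9} 553ef80e000100090000 55402c39000000090000",
    "{replica 22} 553eec6400040016",
]
LIVE_RIDS = {4, 5}  # constructed: replica ids of masters that still exist


def decode_csn(csn):
    """Split a 20-hex-digit CSN into timestamp, sequence, replica id and
    subsequence. Returns None for anything that is not a full CSN."""
    if not CSN_RE.match(csn):
        return None
    ts = int(csn[0:8], 16)
    return {
        "ts": ts,
        "time": datetime.fromtimestamp(ts, timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv_element(value):
    """Return a dict for one nsds50ruv value; None for the replicageneration
    element and for strings that match neither form."""
    if value.startswith("{replicageneration"):
        return None
    m = RUV_RE.match(value)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rid": int(d["rid"]),
        "url": d["url"],  # None for the URL-less form seen in the thread
        "min": decode_csn(d["mincsn"]) if d["mincsn"] else None,
        "max": decode_csn(d["maxcsn"]) if d["maxcsn"] else None,
        "raw": value,
    }


def cleanup_candidates(ruv_values, live_rids):
    """Replica ids present in the RUV that no live master owns, with the
    time of the last change seen from each (None if the CSN was unreadable).
    Only ids absent from live_rids are listed; a live master's id is never a
    cleanup candidate, however odd its element looks."""
    out = {}
    for v in ruv_values:
        e = parse_ruv_element(v)
        if e is None or e["rid"] in live_rids:
            continue
        out[e["rid"]] = {
            "url": e["url"],
            "last_change": e["max"]["time"] if e["max"] else None,
            "raw": e["raw"],
        }
    return out


if __name__ == "__main__":
    for rid, info in sorted(cleanup_candidates(SAMPLE_RUV, LIVE_RIDS).items()):
        print(f"replica id {rid}: url={info['url']} last_change={info['last_change']}")
```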


Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Andy Thompson


 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com]
 Sent: Friday, May 8, 2015 9:40 AM
 To: Andy Thompson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] multi homed environment
 
 On Fri, 08 May 2015, Andy Thompson wrote:
  -Original Message-
  From: Alexander Bokovoy [mailto:aboko...@redhat.com]
  Sent: Friday, May 8, 2015 8:17 AM
  To: Andy Thompson
  Cc: freeipa-users@redhat.com
  Subject: Re: [Freeipa-users] multi homed environment
 
  On Fri, 08 May 2015, Andy Thompson wrote:
  I'm trying to roll out IPA in an existing windows environment where
  everything is multi homed.  I did not put my IPA server on all the
  subnets.
  
  I'm having an issue with adding a trust to the domain with the error
  below
  
  ipa: ERROR: CIFS server communication error: code -1073741801,
message Memory allocation error (both may be
  None)
  
  DNS I think since it round robins all the existing A records and is
  returning IPs out of the local subnet.  I don't know much about
  windows dns services but it's got netmask optimization enabled and
  doing digs against the service returns the local IP first every
  time, but pings return them in any order.
  
  I've considered adding the DCs to the local hosts file but I'm not
  sure if that will solve the problem or not.  Is that a viable fix?
  
  Anyone have any experience in an environment like this?   Really not
  sure what additional problems I will run into with all this multi
  homed nonsense.
  Stop here and make sure you obtained the debugging information as
  described in
  http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
 
  Without that information it is hard to tell what is happening.
 
  Make also sure to tell exact environment (distribution, version,
  package versions, etc).
 
 
 Well, things got ugly.  I enabled debug and it pointed in the right
 direction: smb failed to start.  It came down to the cifs service not
 having been added when I did the adtrust-install.  I tried adding it and it
 complained that it could not find the A record for the host even though
 it was there.  Thinking something was possibly hung up in the resolver
 cache, I restarted the ipa service and it failed completely.
 
 Ipactl start fails starting smb because of the missing service and
 everything fails from there.
 
 Is there any way to recover from this mess I just made? :)
 I assume you have IPA 4.x, i.e. systemd-based environment.
 

Yes, sorry forgot to include that.

 1. Start manually dirsrv@INSTANCE-NAME.service
 
 2. Disable ADTRUST and EXTID services with ipa-ldap-updater.
 Note that you SHOULD NOT replace $FOO variables below, they should be as
 specified in the resulting file. For ipa-ldap-updater use see its manual page
 and my blog:
 https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
 
 # cat <<'END' > 88-disable-adtrust-extid.update
 dn: cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
 remove:ipaConfigString:enabledService

 dn: cn=EXTID,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
 remove:ipaConfigString:enabledService
 END
 
 # ipa-ldap-updater -l ./88-disable-adtrust-extid.update
 
 3. Restart IPA
 
 4. Re-run ipa-adtrust-install and look at the output, including what it 
 appends
 to /var/log/ipaserver-install.log.
 

Beautiful, that much is running again, thanks for those pointers.

And I'm ashamed to say I tracked down the issue to a fat finger in the 
resolv.conf file, so it really couldn't look up the needed record :/

So back to the original issue that was in the end because smb wasn't started 
most likely.  I'm still not sure how this will all respond in a multi homed 
environment like this if the IPA server cannot communicate with all of the 
interfaces on the DC.  Will that cause an issue with the trust or is there 
anything I need to take into consideration with this? 

Thanks much



Re: [Freeipa-users] more replication fun

2015-05-08 Thread Janelle

On 5/7/15 12:59 AM, thierry bordaz wrote:

On 05/07/2015 05:39 AM, Janelle wrote:

On 5/6/15 8:12 PM, Vaclav Adamec wrote:

Hi,
  Mike Reynolds recommended the cleanallruv script (IPA RUV unable to decode
thread); if you are sure there is no live replica server behind
this id, then just try cleanallruv.pl -w X -b dc= -r 9

Vasek


On Thu, May 7, 2015 at 2:25 AM, Janelle janellenicol...@gmail.com 
wrote:

Hi again..

Seems to be an ongoing theme (replication). How does one remove these?

unable to decode: {replica 9} 553ef80e00010009 
55402c390009


I am hoping this is a stupid question with a really simple answer 
that I am simply missing?


~J






Thank you Vasek,

I am curious however. I have been running OpenLDAP configs with 20 or 
more servers in replication for over 5 years. In all that time, I 
think I have had replication issues 5 times.  In the 6 months of 
working with FreeIPA, replication issues are constant. From reading 
the threads, I am not the only one in this predicament. Is there any 
history on why replication is so problematic in FreeIPA?


regards
~J


Hi Janelle,

This is a large question and I have no precise answer. My
understanding of OpenLDAP replication vs RHDS replication is that
it is not based on the same approach syncrepl vs
replica_agreement. Both are working. Replication is complex  and
when I compare RHDS with others DS implementation using the same
approach (replica_agreement) I can say that RHDS is doing a good
job in terms of performance, stability and robustness.

Replication is sensitive to administrative tasks, backup-restore,
reinit, upgrade, schema update. This is possibly your case: we have
seen 'unable to decode' during upgrade/cleanruv and are still
investigating that bug.

thanks
thierry

All of this makes good sense - in fact, even the OpenLDAP vs 389-ds 
issues and replication. Yes, in the environment I had, there were a 
couple of masters, and the rest were read-only, which meant keeping in 
sync - easy.


Now, I was looking through the archives and can't seem to find the 
recommended way to delete one of these:


unable to decode  {replica 22} 553eec6400040016 553eec6400040016

I think someone mentioned a script, but I can't find it.   I have 
several replicas in this state and would like to try and clean them up. 
The interesting thing is - the replicas in this state seem to have a 
higher CPU load as based on uptime. Interesting.


Thanks
~J

Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Andy Thompson
 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com]
 Sent: Friday, May 8, 2015 8:17 AM
 To: Andy Thompson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] multi homed environment
 
 On Fri, 08 May 2015, Andy Thompson wrote:
 I'm trying to roll out IPA in an existing windows environment where
 everything is multi homed.  I did not put my IPA server on all the
 subnets.
 
 I'm having an issue with adding a trust to the domain with the error
 below
 
 ipa: ERROR: CIFS server communication error: code -1073741801,
   message Memory allocation error (both may be
 None)
 
 DNS I think since it round robins all the existing A records and is
 returning IPs out of the local subnet.  I don't know much about windows
 dns services but it's got netmask optimization enabled and doing digs
 against the service returns the local IP first every time, but pings
 return them in any order.
 
 I've considered adding the DCs to the local hosts file but I'm not sure
 if that will solve the problem or not.  Is that a viable fix?
 
 Anyone have any experience in an environment like this?   Really not
 sure what additional problems I will run into with all this multi homed
 nonsense.
 Stop here and make sure you obtained the debugging information as
 described in
 http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust
 
 Without that information it is hard to tell what is happening.
 
 Make also sure to tell exact environment (distribution, version, package
 versions, etc).
 

Well, things got ugly.  I enabled debug and it pointed in the right direction: smb 
failed to start.  It came down to the cifs service not having been added when I did 
the adtrust-install.  I tried adding it and it complained that it could not find 
the A record for the host even though it was there.  Thinking something was 
possibly hung up in the resolver cache, I restarted the ipa service and it failed 
completely.  

Ipactl start fails starting smb because of the missing service and everything 
fails from there.

Is there any way to recover from this mess I just made? :)

thanks



[Freeipa-users] Reply: Re: Known issues with IPA on VM?

2015-05-08 Thread Christoph Kaminski
Andrew Holway andrew.hol...@gmail.com wrote on 08.05.2015 14:18:35:

 From: Andrew Holway andrew.hol...@gmail.com
 To: Christoph Kaminski christoph.kamin...@biotronik.com
 Cc: Freeipa-users freeipa-users@redhat.com
 Date: 08.05.2015 14:18
 Subject: Re: [Freeipa-users] Known issues with IPA on VM?
 
 (The VMs always have 4 CPUs and 2GB RAM; we have circa 120 users/groups) 

 
 Are you using ECC memory?

it is a 19 IBM server, enterprise hardware (AFAIK it always has ECC 
memory)

Greetz
Christoph Kaminski



Re: [Freeipa-users] more replication fun

2015-05-08 Thread Ludwig Krispenz


On 05/08/2015 05:30 PM, Rob Crittenden wrote:

Janelle wrote:

On 5/7/15 12:59 AM, thierry bordaz wrote:

On 05/07/2015 05:39 AM, Janelle wrote:

On 5/6/15 8:12 PM, Vaclav Adamec wrote:

Hi,
  Mike Reynolds recommended the cleanallruv script (IPA RUV unable to 
decode thread); if you are sure there is no live replica server behind
this id, then just try cleanallruv.pl -w X -b dc= -r 9

Vasek


On Thu, May 7, 2015 at 2:25 AM, Janelle janellenicol...@gmail.com
wrote:

Hi again..

Seems to be an ongoing theme (replication). How does one remove 
these?


unable to decode: {replica 9} 553ef80e00010009
55402c390009

I am hoping this is a stupid question with a really simple answer
that I am simply missing?

~J






Thank you Vasek,

I am curious however. I have been running OpenLDAP configs with 20 or
more servers in replication for over 5 years. In all that time, I
think I have had replication issues 5 times.  In the 6 months of
working with FreeIPA, replication issues are constant. From reading
the threads, I am not the only one in this predicament. Is there any
history on why replication is so problematic in FreeIPA?

regards
~J


Hi Janelle,

This is a large question and I have no precise answer. My
understanding of OpenLDAP replication vs RHDS replication is that
it is not based on the same approach syncrepl vs
replica_agreement. Both are working. Replication is complex  and
when I compare RHDS with others DS implementation using the same
approach (replica_agreement) I can say that RHDS is doing a good
job in terms of performance, stability and robustness.

Replication is sensitive to administrative tasks, backup-restore,
reinit, upgrade, schema update. This is possibly your case: we have
seen 'unable to decode' during upgrade/cleanruv and are still
investigating that bug.

thanks
thierry


All of this makes good sense - in fact, even the OpenLDAP vs 389-ds
issues and replication. Yes, in the environment I had, there were a
couple of masters, and the rest were read-only, which meant keeping in
sync - easy.

Now, I was looking through the archives and can't seem to find the
recommended way to delete one of these:

unable to decode  {replica 22} 553eec6400040016 553eec6400040016

I think someone mentioned a script, but I can't find it.   I have
several replicas in this state and would like to try and clean them up.
The interesting thing is - the replicas in this state seem to have a
higher CPU load as based on uptime. Interesting.

Thanks
~J




See https://www.redhat.com/archives/freeipa-users/2015-May/msg00062.html

hopefully it does, if not maybe Mark can help to get rid of it


It would be nice to know if this style of RUV could be acted on by 
ipa-replica-manage. I added this bit as a catch-all so no RUV would be 
invisibly skipped if it didn't match the regex I wrote. If this kind 
of RUV could indeed still be cleaned it would be nice to know and we 
could make that possible.
I think this kind of RUV should never exist; strangely enough, we have a 
hard time reproducing it in the lab, but out in the real world they 
seem to proliferate.


Any help to reproduce is greatly appreciated.

Ludwig


rob





[Freeipa-users] Are there active plans to allow AD trust users to login to the FreeIPA webUI?

2015-05-08 Thread nathan
We have all of our users in a trusted Active Directory domain and it would
be nice to allow them to administer our DNS using their AD accounts.

I tried creating a group called DNS administrators and assigning it the
DNS administrator privilege and then adding my ad_domain_admin group
(containing the nested external group containing my ad groups), but when I
try to log in to the webui it denies me access.

I see a ticket here regarding allowing this :
https://fedorahosted.org/freeipa/ticket/3242

It doesn't look like anything has happened on that ticket in the last 15
months though.

Any idea if / when this will be implemented?




Re: [Freeipa-users] more replication fun

2015-05-08 Thread Rob Crittenden
Janelle wrote:
 On 5/8/15 8:43 AM, Ludwig Krispenz wrote:

 On 05/08/2015 05:30 PM, Rob Crittenden wrote:
 Janelle wrote:
 On 5/7/15 12:59 AM, thierry bordaz wrote:
 On 05/07/2015 05:39 AM, Janelle wrote:
 On 5/6/15 8:12 PM, Vaclav Adamec wrote:
 Hi,
   Mike Reynolds recommended the cleanallruv script (IPA RUV unable to
 decode thread); if you are sure there is no live replica server behind
 this id, then just try cleanallruv.pl -w X -b dc= -r 9

 Vasek


 On Thu, May 7, 2015 at 2:25 AM, Janelle janellenicol...@gmail.com
 wrote:
 Hi again..

 Seems to be an ongoing theme (replication). How does one remove
 these?

 unable to decode: {replica 9} 553ef80e00010009
 55402c390009

 I am hoping this is a stupid question with a really simple answer
 that I am simply missing?

 ~J




 Thank you Vasek,

 I am curious however. I have been running OpenLDAP configs with 20 or
 more servers in replication for over 5 years. In all that time, I
 think I have had replication issues 5 times.  In the 6 months of
 working with FreeIPA, replication issues are constant. From reading
 the threads, I am not the only one in this predicament. Is there any
 history on why replication is so problematic in FreeIPA?

 regards
 ~J

 Hi Janelle,

 This is a large question and I have no precise answer. My
 understanding of OpenLDAP replication vs RHDS replication is that
 it is not based on the same approach syncrepl vs
 replica_agreement. Both are working. Replication is complex  and
 when I compare RHDS with others DS implementation using the same
 approach (replica_agreement) I can say that RHDS is doing a good
 job in terms of performance, stability and robustness.

 Replication is sensitive to administrative tasks, backup-restore,
 reinit, upgrade, schema update. This is possibly your case we have
 seen 'unable to decode' during upgrade/cleanruv and still
 investigating that bug.

 thanks
 thierry

 All of this makes good sense - in fact, even the OpenLDAP vs 389-ds
 issues and replication. Yes, in the environment I had, there were a
 couple of masters, and the rest were read-only, which meant keeping in
 sync - easy.

 Now, I was looking through the archives and can't seem to find the
 recommended way to delete one of these:

 unable to decode  {replica 22} 553eec6400040016
 553eec6400040016

 I think someone mentioned a script, but I can't find it.   I have
 several replicas in this state and would like to try and clean them up.
 The interesting thing is - the replicas in this state seem to have a
 higher CPU load as based on uptime. Interesting.

 Thanks
 ~J



 See https://www.redhat.com/archives/freeipa-users/2015-May/msg00062.html
 hopefully it does, if not maybe Mark can help to get rid of it

 It would be nice to know if this style of RUV could be acted on by
 ipa-replica-manage. I added this bit as a catch-all so no RUV would
 be invisibly skipped if it didn't match the regex I wrote. If this
 kind of RUV could indeed still be cleaned it would be nice to know
 and we could make that possible.
 I think this kind of RUV should never exist, strange enough we have a
 hard time to reproduce it in the lab, but out in the real world they
 seem to proliferate.

 Any help to reproduce is greatly appreciated.

 Ludwig

 rob


 One last question regarding this (I hope).
 
 Now I am trying to re-add a server that does not show up in replica
 list, has no outstanding clean-ruv tasks, BUT - I still get:
 
 The host ipa03.example.com already exists on the master server.
 You should remove it before proceeding:
 % ipa host-del ipa03.example.com
 
 BUT - trying that results in:
 
 ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
 disabled

I'm guessing the replica was removed without being formally deleted. You
can remove it with: ipa-replica-manage del --force --cleanup
ipa03.example.com

rob
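The RUV elements quoted in this thread ("{replica 9} ..." and "{replica 22} ...", with no ldap:// URL inside the braces) are the ones ipa-replica-manage reports as "unable to decode", because its regex expects the URL. As an added illustration, not code from the thread and not FreeIPA's or 389-ds's own tooling, the snippet below classifies nsds50ruv elements and decodes their CSNs so a malformed element can be spotted before anyone reaches for cleanallruv. It assumes the 389-ds CSN layout of 20 hex characters (8 Unix timestamp, 4 sequence number, 4 replica id, 4 subsequence number); the sample elements are constructed, and the two replica ids from the thread appear with their quoted (line-wrapped) values padded to that length.

```python
import re
from datetime import datetime, timezone

# 389-ds CSN layout (assumption, see lead-in): 8 hex chars of Unix timestamp,
# 4 of sequence number, 4 of replica id, 4 of subsequence number.
CSN_RE = re.compile(r"^[0-9a-f]{20}$")

# An RUV element: "{replica <id> <ldap url>} <minCSN> <maxCSN>".  The URL is
# optional here so that the malformed "{replica 9} ..." form from the thread
# is parsed and reported rather than rejected outright.
RUV_RE = re.compile(
    r"^\{replica (?P<rid>\d+)(?: (?P<url>ldap://[^}]+))?\}"
    r"(?: (?P<min>[0-9a-f]{20}))?(?: (?P<max>[0-9a-f]{20}))?$"
)


def decode_csn(csn):
    """Split a 20-character CSN into its fields plus a readable UTC time."""
    if not CSN_RE.match(csn):
        raise ValueError("not a 20-hex-character CSN: %r" % csn)
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv_element(element):
    """Classify one nsds50ruv value: the generation marker, a healthy element,
    an element missing its ldap:// URL (the kind the thread cannot decode),
    or something this parser does not understand at all."""
    element = element.strip()
    if element.startswith("{replicageneration}"):
        return {"status": "generation", "raw": element}
    m = RUV_RE.match(element)
    if not m:
        return {"status": "unparseable", "raw": element}
    rid = int(m.group("rid"))
    entry = {
        "status": "ok" if m.group("url") else "malformed",
        "replica_id": rid,
        "url": m.group("url"),
        "min_csn": decode_csn(m.group("min")) if m.group("min") else None,
        "max_csn": decode_csn(m.group("max")) if m.group("max") else None,
    }
    # The replica id embedded in each CSN should agree with the one in braces;
    # a disagreement is a further sign of a corrupted element.
    entry["csn_rid_mismatch"] = any(
        c is not None and c["replica_id"] != rid
        for c in (entry["min_csn"], entry["max_csn"])
    )
    return entry


def find_malformed(elements):
    """Return the replica ids of elements that lack a URL, in input order."""
    return [e["replica_id"] for e in map(parse_ruv_element, elements)
            if e["status"] == "malformed"]


# Constructed sample: the generation marker, one healthy element, and the two
# replica ids from the thread with their CSNs padded to the 20-character layout.
SAMPLE_RUV = [
    "{replicageneration} 5530aa10000000010000",
    "{replica 4 ldap://ipa01.example.test:389} 553ec8f0000000040000 5540a1b2000100040000",
    "{replica 9} 553ef80e000100090000 55402c39000100090000",
    "{replica 22} 553eec64000400160000 553eec64000400160000",
]

if __name__ == "__main__":
    for element in SAMPLE_RUV:
        print(parse_ruv_element(element))
    print("malformed replica ids:", find_malformed(SAMPLE_RUV))
```

A malformed element whose replica id no longer appears in `ipa-replica-manage list` is the case the thread is discussing; the decoded timestamp (for replica 9 above, 2015-04-28 UTC) tells you when that replica last generated a change, which helps decide whether it is genuinely dead before a cleanup task is issued against its id.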



Re: [Freeipa-users] more replication fun

2015-05-08 Thread Janelle

On 5/8/15 8:43 AM, Ludwig Krispenz wrote:


On 05/08/2015 05:30 PM, Rob Crittenden wrote:

Janelle wrote:

On 5/7/15 12:59 AM, thierry bordaz wrote:

On 05/07/2015 05:39 AM, Janelle wrote:

On 5/6/15 8:12 PM, Vaclav Adamec wrote:

Hi,
  Mike Reynolds recommend cleanallruv script (IPA RUV unable to decode
thread), if you are sure that's not any live replica server behind
this id then just try cleanallruv.pl -w X -b dc= -r 9

Vasek


On Thu, May 7, 2015 at 2:25 AM, Janelle janellenicol...@gmail.com
wrote:

Hi again..

Seems to be an ongoing theme (replication). How does one remove 
these?


unable to decode: {replica 9} 553ef80e00010009
55402c390009

I am hoping this is a stupid question with a really simple answer
that I am simply missing?

~J






Thank you Vasek,

I am curious however. I have been running OpenLDAP configs with 20 or
more servers in replication for over 5 years. In all that time, I
think I have had replication issues 5 times.  In the 6 months of
working with FreeIPA, replication issues are constant. From reading
the threads, I am not the only one in this predicament. Is there any
history on why replication is so problematic in FreeIPA?

regards
~J


Hi Janelle,

This is a large question and I have no precise answer. My
understanding of OpenLDAP replication vs RHDS replication is that
it is not based on the same approach syncrepl vs
replica_agreement. Both are working. Replication is complex  and
when I compare RHDS with others DS implementation using the same
approach (replica_agreement) I can say that RHDS is doing a good
job in terms of performance, stability and robustness.

Replication is sensitive to administrative tasks, backup-restore,
reinit, upgrade, schema update. This is possibly your case we have
seen 'unable to decode' during upgrade/cleanruv and still
investigating that bug.

thanks
thierry


All of this makes good sense - in fact, even the OpenLDAP vs 389-ds
issues and replication. Yes, in the environment I had, there were a
couple of masters, and the rest were read-only, which meant keeping in
sync - easy.

Now, I was looking through the archives and can't seem to find the
recommended way to delete one of these:

unable to decode  {replica 22} 553eec6400040016 
553eec6400040016


I think someone mentioned a script, but I can't find it.   I have
several replicas in this state and would like to try and clean them up.
The interesting thing is - the replicas in this state seem to have a
higher CPU load as based on uptime. Interesting.

Thanks
~J




See https://www.redhat.com/archives/freeipa-users/2015-May/msg00062.html

hopefully it does, if not maybe Mark can help to get rid of it


It would be nice to know if this style of RUV could be acted on by 
ipa-replica-manage. I added this bit as a catch-all so no RUV would 
be invisibly skipped if it didn't match the regex I wrote. If this 
kind of RUV could indeed still be cleaned it would be nice to know 
and we could make that possible.
I think this kind of RUV should never exist, strange enough we have a 
hard time to reproduce it in the lab, but out in the real world they 
seem to proliferate.


Any help to reproduce is greatly appreciated.

Ludwig


rob



That little ldapmodify did indeed do the trick. In fact, it seemed to 
replicate the clean correctly and it disappeared from all my replicas 
in a few seconds.


Let me see if I can reproduce in my lab.

Thank you
~J



Re: [Freeipa-users] Are there active plans to allow AD trust users to login to the FreeIPA webUI?

2015-05-08 Thread nathan
 On 05/08/2015 12:25 PM, nat...@nathanpeters.com wrote:
 We have all of our users in a trusted Active Directory domain and it
 would
 be nice to allow them to administer our DNS using their AD accounts.

 I tried creating a group called DNS administrators and assigning it the
 DNS administrator privilege and then adding my ad_domain_admin group
 (containing the nested external group containing my ad groups), but when
 I
 try to login to the webui it denies me access.

 I see a ticket here regarding allowing this :
 https://fedorahosted.org/freeipa/ticket/3242

 It doesn't look like anything has happened on that ticket in the last 15
 months though.

 Any idea if / when this will be implemented?


 There are no current plans. It is quite complex as we need to have a
 ticket for the user for ldap server to have this functionality enabled.
 This is the first time anyone from the community actually requested this
 feature.
 I think for the future planning it would be best if you can comment in
 the ticket and add your justification.
 We will consider it in the next planning cycle.

 --
 Thank you,
 Dmitri Pal

 Director of Engineering for IdM portfolio
 Red Hat, Inc.



Ok, thanks.  I've updated the ticket with my justification for continuing
work on this feature:
https://fedorahosted.org/freeipa/ticket/3242#comment:12




Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-05-08 Thread Andrew Sacamano
Thanks Timo,

And sorry I missed that. How's this?
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1453253

Thanks again,

Andrew

On Tue, May 5, 2015 at 2:43 PM, Timo Aaltonen tjaal...@ubuntu.com wrote:

 On 05.05.2015 23:27, Andrew Sacamano wrote:
  Thanks again Lukas and Timo,
 
  I'm very sorry it took so long for me to get to this - I got pulled into
  an urgent project at work and am just getting my head above water today.
 
  I've filed https://fedorahosted.org/sssd/ticket/2648

 err, the bug needs to be on launchpad, since that's where it belongs


  On Wed, Apr 22, 2015 at 1:16 AM, Timo Aaltonen tjaal...@ubuntu.com wrote:
 
  On 21.04.2015 22:45, Lukas Slebodnik wrote:
   On (20/04/15 17:54), Andrew Sacamano wrote:
   Thanks again, Lukas!
  
   I was wondering if the overlaps of names was a problem, so I
  redid parts of
   my IPA setup to rename them - thanks for pointing out the ticket!
  
   Also, your suggestion to use ldap_group_object_class =
  ipaUserGroup worked
   - which saves me the trouble of tracking that down in six months
  when my
   IPA domain grows and the performance issues associated with
  enumerate begin
   to manifest.
  
   Many thanks - you are extraordinarily helpful. My colleagues and
  I are
   quite grateful for all your advice!
  
   You are welcome,
   I'm glad I could help.
  
   You can file a ticket to backport patch for ticket #2471 in your
  distribution.
 
  Please do, I've pulled the patch in git but need a bug# for SRU:
 
  https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug
 
 
  --
  t
 
 


 --
 t


[Freeipa-users] Configuration of client side components failed!

2015-05-08 Thread Linux Shell
So I have been looking around for a solution for this issue for a few days
now and have had no luck. I know in older versions of freeipa this was an
issue but I think I should be using the most updated version.

(Please note that my company's name is withheld)

During the ipa-server-install it fails with:

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--on-master' '--unattended' '--domain' 'withheld.com' '--server'
'###-#-centos7.withheld.com' '--realm' 'withheld.COM' '--hostname'
'-#-centos7.withheld.com'' returned non-zero exit status 1

here is the yum ipa-server package i am using:

# yum info ipa-server
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * extras: mirror.oss.ou.edu
 * updates: mirrors.gigenet.com
Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.1.0
Release : 18.el7.centos.3
Size: 4.2 M
Repo: installed
From repo   : updates
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication credentials),
Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If you are installing an IPA server
you need
: to install this package (in other words, most people should
NOT install
: this package).


here is the yum ipa-client package i am using:

# yum info ipa-client
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * extras: mirror.oss.ou.edu
 * updates: mirrors.gigenet.com
Installed Packages
Name: ipa-client
Arch: x86_64
Version : 4.1.0
Release : 18.el7.centos.3
Size: 440 k
Repo: installed
From repo   : updates
Summary : IPA authentication for use on clients
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication credentials),
Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If your network uses IPA for
authentication,
: this package should be installed on every client machine.

here is the /var/log/ipaserver-install.log:

2015-05-08T17:47:16Z DEBUG stderr=Using existing certificate
'/etc/ipa/ca.crt'.
Hostname: ###--centos7.withheld.com
Realm: withheld.COM
DNS Domain: withheld.com
IPA Server: -#-centos7.withheld.com
BaseDN: dc=,dc=
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://-#-centos7.withheld.com/ipa/json
Forwarding 'ping' to json server 'https://
###-#-centos7.withheld.com/ipa/json'
Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 2925, in <module>
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 2906, in main
rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 2609, in install
api.Backend.rpcclient.forward('ping')
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 883, in
forward
return self._call_command(command, params)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 860, in
_call_command
return command(*params)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 1011, in _call
return self.__request(name, args)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 980, in
__request
verbose=self.__verbose >= 3,
  File /usr/lib64/python2.7/xmlrpclib.py, line 1228, in request
h = self.make_connection(host)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 484, in
make_connection
if self._connection and host == self._connection[0]:
AttributeError: KerbTransport instance has no attribute '_connection'

2015-05-08T17:47:16Z DEBUG   File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py, line
646, in run_script
return_value = main_function()

  File /usr/sbin/ipa-server-install, line 1292, in main
sys.exit("Configuration of client side components
failed!\nipa-client-install returned: " + str(e))

please let me know of anything I can give to help fix the issue
Thanks
Jacob
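The last frame of the traceback above fails on self._connection inside make_connection(), that is, on an attribute the transport object never acquired, before any request leaves the host. As an added illustration of that error class (this is not FreeIPA's code and not a diagnosis of this install; the thread does not establish the root cause), the constructed Python 3 snippet below shows an xmlrpc.client.Transport subclass that skips its base constructor, reproduces an AttributeError of the same shape, and the one-line fix. Class names and the realm argument are hypothetical.

```python
import xmlrpc.client


class UninitializedTransport(xmlrpc.client.Transport):
    """Constructed illustration: a Transport subclass whose __init__ never
    calls the base constructor, so the base class's self._connection attribute
    is never created.  The inherited make_connection() reads it first thing
    and raises AttributeError before any socket is opened."""

    def __init__(self, realm):
        self.realm = realm  # hypothetical extra state; base __init__ skipped


class InitializedTransport(xmlrpc.client.Transport):
    """Same subclass with the base constructor called: _connection starts as
    (None, None) and make_connection() proceeds.  make_connection() only
    builds an http.client.HTTPConnection object; nothing connects yet, so this
    runs offline."""

    def __init__(self, realm):
        super().__init__()
        self.realm = realm


def probe_make_connection(transport, host="ipa.example.test"):
    """Call make_connection() and report "ok", or the AttributeError message."""
    try:
        transport.make_connection(host)
        return "ok"
    except AttributeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(probe_make_connection(UninitializedTransport("EXAMPLE.TEST")))
    print(probe_make_connection(InitializedTransport("EXAMPLE.TEST")))
```

The troubleshooting point is that an AttributeError of this shape is raised by the client code itself and carries no information about the server, so the condition the installer actually hit has to be read from the installer log and the server-side service logs rather than from this message.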

Re: [Freeipa-users] Configuration of client side components failed!

2015-05-08 Thread Dmitri Pal

On 05/08/2015 02:06 PM, Linux Shell wrote:
So I have been looking around for a solution for this issue for a few 
days now and have had no luck. I know in older versions of freeipa 
this was an issue but I think I should be using the most updated version.


(Please note that my company's name is withheld)

During the ipa-server-install it fails with:

Restarting the web server
Configuration of client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install' 
'--on-master' '--unattended' '--domain' 'withheld.com' '--server' 
'###-#-centos7.withheld.com' '--realm' 'withheld.COM' 
'--hostname' '-#-centos7.withheld.com'' returned non-zero 
exit status 1


here is the yum ipa-server package i am using:

# yum info ipa-server
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * extras: mirror.oss.ou.edu
 * updates: mirrors.gigenet.com
Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.1.0
Release : 18.el7.centos.3
Size: 4.2 M
Repo: installed
From repo   : updates
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally 
managed Identity (machine,
: user, virtual machines, groups, authentication 
credentials), Policy
: (configuration settings, access control information) and 
Audit (events,
: logs, analysis thereof). If you are installing an IPA 
server you need
: to install this package (in other words, most people 
should NOT install

: this package).


here is the yum ipa-client package i am using:

# yum info ipa-client
Loaded plugins: fastestmirror, rhnplugin
This system is receiving updates from RHN Classic or Red Hat Satellite.
Loading mirror speeds from cached hostfile
 * base: mirrors.usinternet.com
 * extras: mirror.oss.ou.edu
 * updates: mirrors.gigenet.com
Installed Packages
Name: ipa-client
Arch: x86_64
Version : 4.1.0
Release : 18.el7.centos.3
Size: 440 k
Repo: installed
From repo   : updates
Summary : IPA authentication for use on clients
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally 
managed Identity (machine,
: user, virtual machines, groups, authentication 
credentials), Policy
: (configuration settings, access control information) and 
Audit (events,
: logs, analysis thereof). If your network uses IPA for 
authentication,

: this package should be installed on every client machine.

here is the /var/log/ipaserver-install.log:

2015-05-08T17:47:16Z DEBUG stderr=Using existing certificate 
'/etc/ipa/ca.crt'.

Hostname: ###--centos7.withheld.com
Realm: withheld.COM
DNS Domain: withheld.com
IPA Server: -#-centos7.withheld.com
BaseDN: dc=,dc=
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://-#-centos7.withheld.com/ipa/json
Forwarding 'ping' to json server 
'https://###-#-centos7.withheld.com/ipa/json'

Traceback (most recent call last):
  File /usr/sbin/ipa-client-install, line 2925, in <module>
sys.exit(main())
  File /usr/sbin/ipa-client-install, line 2906, in main
rval = install(options, env, fstore, statestore)
  File /usr/sbin/ipa-client-install, line 2609, in install
api.Backend.rpcclient.forward('ping')
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 883, in 
forward

return self._call_command(command, params)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 860, in 
_call_command

return command(*params)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 1011, in 
_call

return self.__request(name, args)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 980, in 
__request

verbose=self.__verbose >= 3,
  File /usr/lib64/python2.7/xmlrpclib.py, line 1228, in request
h = self.make_connection(host)
  File /usr/lib/python2.7/site-packages/ipalib/rpc.py, line 484, in 
make_connection

if self._connection and host == self._connection[0]:
AttributeError: KerbTransport instance has no attribute '_connection'


I would assume that this is an attempt to do some Kerberos call that failed.
On the server that most likely means that the KDC was not started for some 
reason, and it in turn might not start for different reasons.

Please check the troubleshooting page.
http://www.freeipa.org/page/Troubleshooting

Things to think about:
- DNS configuration
- Is hostname correct and properly resolvable
- Is time correct (time zone?)
- Are there any 

Re: [Freeipa-users] Are there active plans to allow AD trust users to login to the FreeIPA webUI?

2015-05-08 Thread Dmitri Pal

On 05/08/2015 01:24 PM, nat...@nathanpeters.com wrote:

On 05/08/2015 12:25 PM, nat...@nathanpeters.com wrote:

We have all of our users in a trusted Active Directory domain and it
would
be nice to allow them to administer our DNS using their AD accounts.

I tried creating a group called DNS administrators and assigning it the
DNS administrator privilege and then adding my ad_domain_admin group
(containing the nested external group containing my ad groups), but when
I
try to login to the webui it denies me access.

I see a ticket here regarding allowing this :
https://fedorahosted.org/freeipa/ticket/3242

It doesn't look like anything has happened on that ticket in the last 15
months though.

Any idea if / when this will be implemented?



There are no current plans. It is quite complex as we need to have a
ticket for the user for ldap server to have this functionality enabled.
This is the first time anyone from the community actually requested this
feature.
I think for the future planning it would be best if you can comment in
the ticket and add your justification.
We will consider it in the next planning cycle.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Ok, thanks.  I've updated the ticket with my justification for continuing
work on this feature:
https://fedorahosted.org/freeipa/ticket/3242#comment:12


Thank you!
Much appreciated.

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-08 Thread Andrew Holway

 (The VM's have ever 4 CPU's and 2GB RAM, we have circa 120 Users/Groups)


Are you using ECC memory?

Re: [Freeipa-users] multi homed environment

2015-05-08 Thread Alexander Bokovoy

On Fri, 08 May 2015, Andy Thompson wrote:

I'm trying to roll out IPA in an existing windows environment where
everything is multi homed.  I did not put my IPA server on all the
subnets.

I'm having an issue with adding a trust to the domain with the error
below

ipa: ERROR: CIFS server communication error: code -1073741801,
 message Memory allocation error (both may be None)

DNS I think since it round robins all the existing A records and is
returning IPs out of the local subnet.  I don't know much about windows
dns services but it's got netmask optimization enabled and doing digs
against the service returns the local IP first every time, but pings
return them in any order.

I've considered adding the DCs to the local hosts file but I'm not sure
if that will solve the problem or not.  Is that a viable fix?

Anyone have any experience in an environment like this?   Really not
sure what additional problems I will run into with all this multi homed
nonsense.

Stop here and make sure you obtained the debugging information as
described in
http://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust

Without that information it is hard to tell what is happening.

Make also sure to tell exact environment (distribution, version, package
versions, etc).

--
/ Alexander Bokovoy



[Freeipa-users] multi homed environment

2015-05-08 Thread Andy Thompson
I'm trying to roll out IPA in an existing windows environment where everything 
is multi homed.  I did not put my IPA server on all the subnets.

I'm having an issue with adding a trust to the domain with the error below

ipa: ERROR: CIFS server communication error: code -1073741801,
  message Memory allocation error (both may be None)

DNS I think since it round robins all the existing A records and is returning 
IPs out of the local subnet.  I don't know much about windows dns services but 
it's got netmask optimization enabled and doing digs against the service 
returns the local IP first every time, but pings return them in any order.

I've considered adding the DCs to the local hosts file but I'm not sure if that 
will solve the problem or not.  Is that a viable fix?

Anyone have any experience in an environment like this?   Really not sure what 
additional problems I will run into with all this multi homed nonsense.






Re: [Freeipa-users] Antwort: RE: Known issues with IPA on VM?

2015-05-08 Thread Ludwig Krispenz


On 05/07/2015 08:38 AM, Christoph Kaminski wrote:

 Just a guess, what is your deployment size?
 We have a two ipa domains, one have 3 servers (2 hw and 1 vm, no
 issues with dirsrv yet), another currently includes 16 vm servers,
 ant dirsrv hangs and crashes periodically...


we have 8 IPA servers, 4 bare metal and 4 vm's. We see the crashes 
only on the vm's.





yes, there have been several reports about problems on VMs, but as 
Martin and Rich said for investigation we need some data about the crashes