Re: [Freeipa-users] Unable to enroll new client in DNS

2015-10-22 Thread Petr Spacek
On 21.10.2015 22:43, Justin Lambert wrote:
> ;; ANSWER SECTION:
> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0
> 
> dns_tkey_negotiategss: TKEY is unacceptable

Please consult named logs on server ipa1.domain.com and see if there are any
errors related to dynamic update.

Speaking about GSS-TSIG, one of the problems can be clock skew between DNS server
and client.

Also, please add information about package versions:
$ rpm -q bind bind-dyndb-ldap

Thank you.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] clean-ruv : How Long?

2015-10-22 Thread Mark Reynolds

Hi Janelle,

It's really hard to say how long it might take.  I know if the replicas 
are under heavy replication load it can take a while to complete.  Either 
way it should not take long to complete (a few hours max) - as long as 
all the replicas are online.  There is very good logging for 
cleanAllRUV in the Directory Server's errors log. If the task is hung up 
somewhere it should say what replica (repl agreement) is causing the task 
to not progress.  Then from there you can look at that replica to see 
what's going on on that system.  You might have to chase down each replica 
until you find the one that is acting up.  Typically when cleanallruv 
is not finishing it's because a replica is down (shutdown), or there is 
an old repl agreement that points to a replica that no longer exists.


Here is a troubleshooting page that might also be useful:

http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html

Mark


On 10/22/2015 11:44 AM, Janelle wrote:

Hello,

I was wondering if there is any average or expectation of how long a 
"clean-ruv" task should take across 16 fairly busy servers?


Thank you
~J
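
The log check described in the reply above, as an added example that is not part of the original thread or of 389 Directory Server: it counts which replication agreements a cleanAllRUV task keeps reporting as blocking. The sample log lines are constructed, and their wording, the host names and the function names are assumptions; check them against your own errors log.

```shell
#!/bin/sh
# Added example: list the replication agreements that a cleanAllRUV task
# reports as blocking, from Directory Server errors-log text.

# Constructed sample lines (not real output). The message wording is an
# assumption and may differ between 389-ds versions.
sample_log() {
cat <<'EOF'
[22/Oct/2015:11:50:01 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Waiting to process all the updates from the deleted replica...
[22/Oct/2015:11:50:02 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Replica not online (agmt="cn=meToipa07.example.test" (ipa07:389))
[22/Oct/2015:11:50:02 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Not all replicas online, retrying in 10 seconds...
[22/Oct/2015:11:50:12 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Replica not online (agmt="cn=meToipa07.example.test" (ipa07:389))
[22/Oct/2015:11:50:32 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Replica not online (agmt="cn=meToipa07.example.test" (ipa07:389))
[22/Oct/2015:11:51:40 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 12): Replica is not cleaned yet (agmt="cn=meToipa11.example.test" (ipa11:389))
[22/Oct/2015:11:51:41 -0700] slapd - unrelated line that must be ignored
EOF
}

# blocking_agreements: reads errors-log text on stdin and prints one line per
# blocking agreement as "<count> <rid> <agreement>", most frequent first.
blocking_agreements() {
    sed -nE 's/.*CleanAllRUV Task \(rid ([0-9]+)\): Replica (not online|is not cleaned yet) \(agmt="([^"]*)".*/\1 \3/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Stand-alone use: pass the errors log as the first argument, or run with
# no argument to see the result for the constructed sample.
if [ -n "${1:-}" ]; then
    blocking_agreements < "$1"
else
    sample_log | blocking_agreements
fi
```

An agreement that appears over and over with "not online" is the one to chase down first: either that replica is shut down or the agreement points at a host that no longer exists.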





Re: [Freeipa-users] SUDO does not always works on first try

2015-10-22 Thread Zoske, Fabian
Hi Lukas,

Thank you. These packages fixed the issue.

Best regards,
Fabian

-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com] 
Sent: Monday, 19 October 2015 10:52
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On (19/10/15 08:39), Zoske, Fabian wrote:
>Hi Jakub,
>
>I think there is a package missing.
>When I try to install the packages you provided, yum exits with an error.
>" Requires: python-sssdconfig = 1.12.2-58.el7_1.18 "
>
python-sssdconfig is a noarch package which is missing in 
https://jhrozek.fedorapeople.org/sssd-test-builds/
I hope Jakub will upload it.

>Can you provide me this package or tell me where to find it?
>
Alternatively, you can test the backported version from Fedora 21.
It is the latest 1.12 release + a few bugfixes.
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

LS


Re: [Freeipa-users] Steps to rebuild a master node in IPA cluster

2015-10-22 Thread Martin Kosek
On 10/21/2015 11:11 PM, Andrey Ptashnik wrote:
> Hello IPA Team,
> 
> In one location we have IPA cluster based on CentOS 7.1 with IPA 4.1.0. One 
> master and another replica. We noticed that Master node potentially has a 
> corrupted database, some records cannot be deleted and IPA services crash once 
> in a while. Second member (aka replica) is stable. We wanted to rebuild the 
> Master node.
> 
> What are the correct steps to move master functions to the replica, retire 
> the old master and rebuild it?
> 
> Regards,
> 
> Andrey Ptashnik

Would
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
help?



Re: [Freeipa-users] SUDO does not always works on first try

2015-10-22 Thread Jakub Hrozek
On Thu, Oct 22, 2015 at 06:14:01AM +, Zoske, Fabian wrote:
> Hi Lukas,
> 
> Thank you. These packages fixed the issue.

Thank you very much for the testing and reporting back!



Re: [Freeipa-users] Unable to enroll new client in DNS

2015-10-22 Thread Petr Spacek
On 22.10.2015 14:23, Justin Lambert wrote:
> When I looked at the DNS logs there was nothing of any value (with a fresh
> attempt of registering DNS records) so I added a logging channel for ldap
> at severity 9.  After restarting bind the DNS registration worked without
> issue.  Removing the logging channel and re-running the update worked.  It
> appears that restarting bind fixed the issue, which is a bit scary.  I’m
> running bind-dyndb-ldap-6.0.2.  Do you know if anyone has seen this issue
> before?

No, I did not hear about this particular issue. Please let me know if it
happens again.

Have a nice day!

Petr^2 Spacek

> 
> On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:
> 
>> On 21.10.2015 22:43, Justin Lambert wrote:
>>> ;; ANSWER SECTION:
>>> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0
>>>
>>> dns_tkey_negotiategss: TKEY is unacceptable
>>
>> Please consult named logs on server ipa1.domain.com and see if there are any
>> errors related to dynamic update.
>>
>> Speaking about GSS-TSIG, one of the problems can be clock skew between DNS server
>> and client.
>>
>> Also, please add information about package versions:
>> $ rpm -q bind bind-dyndb-ldap
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek


Re: [Freeipa-users] Unable to enroll new client in DNS

2015-10-22 Thread Justin Lambert
When I looked at the DNS logs there was nothing of any value (with a fresh
attempt of registering DNS records) so I added a logging channel for ldap
at severity 9.  After restarting bind the DNS registration worked without
issue.  Removing the logging channel and re-running the update worked.  It
appears that restarting bind fixed the issue, which is a bit scary.  I’m
running bind-dyndb-ldap-6.0.2.  Do you know if anyone has seen this issue
before?

On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:

> On 21.10.2015 22:43, Justin Lambert wrote:
> > ;; ANSWER SECTION:
> > 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0  0
> >
> > dns_tkey_negotiategss: TKEY is unacceptable
>
> Please consult named logs on server ipa1.domain.com and see if there are any
> errors related to dynamic update.
>
> Speaking about GSS-TSIG, one of the problems can be clock skew between DNS server
> and client.
>
> Also, please add information about package versions:
> $ rpm -q bind bind-dyndb-ldap
>
> Thank you.
>
> --
> Petr^2 Spacek

[Freeipa-users] clean-ruv : How Long?

2015-10-22 Thread Janelle

Hello,

I was wondering if there is any average or expectation of how long a 
"clean-ruv" task should take across 16 fairly busy servers?


Thank you
~J
