Re: [Freeipa-users] Unable to enroll new client in DNS
On 21.10.2015 22:43, Justin Lambert wrote:
> ;; ANSWER SECTION:
> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>
> dns_tkey_negotiategss: TKEY is unacceptable

Please consult named logs on server ipa1.domain.com and see if there are any errors related to dynamic update.

Speaking about GSS-TSIG, one of the problems can be clock skew between the DNS server and client.

Also, please add information about package versions:
$ rpm -q bind bind-dyndb-ldap

Thank you.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] clean-ruv : How Long?
Hi Janelle,

It's really hard to say how long it might take. I know if the replicas are under heavy replication load it can take a while to complete. Either way it should not take long to complete (a few hours max) - as long as all the replicas are online.

There is very good logging for cleanAllRUV in the Directory Server's errors log. If the task is hung up somewhere it should say what replica (repl agreement) is causing the task to not progress. Then from there you can look at that replica to see what's going on on that system. You might have to chase down each replica until you find that one that is acting up.

Typically when cleanallruv is not finishing it's because a replica is down (shutdown), or there is an old repl agreement that points to a replica that no longer exists.

Here is a troubleshooting page that might also be useful:

http://www.port389.org/docs/389ds/FAQ/troubleshoot-cleanallruv.html

Mark

On 10/22/2015 11:44 AM, Janelle wrote:
> Hello,
>
> I was wondering if there is any average or expectation of how long a "clean-ruv" task should take across 16 fairly busy servers?
>
> Thank you
> ~J
Re: [Freeipa-users] SUDO does not always works on first try
Hi Lukas,

Thank you. These packages fixed the issue.

Best regards,
Fabian

-----Original Message-----
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Monday, 19 October 2015 10:52
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On (19/10/15 08:39), Zoske, Fabian wrote:
>Hi Jakub,
>
>I think there is a package missing.
>When I try to install the packages you provided, yum exits with an error.
>" Requires: python-sssdconfig = 1.12.2-58.el7_1.18 "
>
python-sssdconfig is a noarch package which is missing in
https://jhrozek.fedorapeople.org/sssd-test-builds/
I hope Jakub will upload it.

>Can you provide me this package or tell me where to find it?
>
Alternatively, you can test the backported version from fedora 21.
It is the latest 1.12 release + a few bugfixes.
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/

LS
Re: [Freeipa-users] Steps to rebuild a master node in IPA cluster
On 10/21/2015 11:11 PM, Andrey Ptashnik wrote:
> Hello IPA Team,
>
> In one location we have an IPA cluster based on CentOS 7.1 with IPA 4.1.0. One
> master and another replica. We noticed that the Master node potentially has a
> corrupted database, some records cannot be deleted and IPA services crash once
> in a while. Second member (aka replica) is stable. We wanted to rebuild the
> Master node.
>
> What are the correct steps to move master functions to the replica, retire
> the old master and rebuild it?
>
> Regards,
>
> Andrey Ptashnik

Would
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
help?
Re: [Freeipa-users] SUDO does not always works on first try
On Thu, Oct 22, 2015 at 06:14:01AM +, Zoske, Fabian wrote:
> Hi Lukas,
>
> Thank you. These packages fixed the issue.

Thank you very much for the testing and reporting back!
Re: [Freeipa-users] Unable to enroll new client in DNS
On 22.10.2015 14:23, Justin Lambert wrote:
> When I looked at the DNS logs there was nothing of any value (with a fresh
> attempt of registering DNS records) so I added a logging channel for ldap
> at severity 9. After restarting bind the DNS registration worked without
> issue. Removing the logging channel and re-running the update worked. It
> appears that restarting bind fixed the issue, which is a bit scary. I’m
> running bind-dyndb-ldap-6.0.2. Do you know if anyone has seen this issue
> before?

No, I did not hear about this particular issue. Please let me know if it happens again.

Have a nice day!
Petr^2 Spacek

>
> On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:
>
>> On 21.10.2015 22:43, Justin Lambert wrote:
>>> ;; ANSWER SECTION:
>>> 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
>>>
>>> dns_tkey_negotiategss: TKEY is unacceptable
>>
>> Please consult named logs on server ipa1.domain.com and see if there are any
>> errors related to dynamic update.
>>
>> Speaking about GSS-TSIG, one of the problems can be clock skew between the DNS
>> server and client.
>>
>> Also, please add information about package versions:
>> $ rpm -q bind bind-dyndb-ldap
>>
>> Thank you.
>>
>> --
>> Petr^2 Spacek
Re: [Freeipa-users] Unable to enroll new client in DNS
When I looked at the DNS logs there was nothing of any value (with a fresh attempt of registering DNS records) so I added a logging channel for ldap at severity 9. After restarting bind the DNS registration worked without issue. Removing the logging channel and re-running the update worked. It appears that restarting bind fixed the issue, which is a bit scary. I’m running bind-dyndb-ldap-6.0.2. Do you know if anyone has seen this issue before?

On Thu, Oct 22, 2015 at 1:24 AM, Petr Spacek wrote:

> On 21.10.2015 22:43, Justin Lambert wrote:
> > ;; ANSWER SECTION:
> > 2667812275.sig-ipa1.domain.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> >
> > dns_tkey_negotiategss: TKEY is unacceptable
>
> Please consult named logs on server ipa1.domain.com and see if there are any
> errors related to dynamic update.
>
> Speaking about GSS-TSIG, one of the problems can be clock skew between the DNS
> server and client.
>
> Also, please add information about package versions:
> $ rpm -q bind bind-dyndb-ldap
>
> Thank you.
>
> --
> Petr^2 Spacek
[Freeipa-users] clean-ruv : How Long?
Hello,

I was wondering if there is any average or expectation of how long a "clean-ruv" task should take across 16 fairly busy servers?

Thank you
~J