Very odd, those steps look correct to me. And if auto-discovery for the domain,
realm, hostname and IPA server work, then it’s not the ipa-client-install
script I think.
What versions are you running? Important bits:
- freeipa packages
- kerberos packages
- sssd packages
also, what does
I was using curtin but now I'm using cloud-init post-installation; after the
installation freeipa-client is installed and sssd.conf configured as well
as krb5.conf and krb5.keytab, but the nfs mount doesn't work!
The command to deploy the script is:
maas $PROFILE machine deploy $SYSTEM_ID
Yes, while in general upgrades should be possible, the big jump you made
combined with a distro that isn’t as robust as say, CentOS or RHEL I’d suggest
always simply rolling a replacement server to replace the old ones one by one.
Also always run at least 2 servers with all the roles so you
In what phase do you run the script? It should be one of the last scripts in
the final phase for the install to work reliably. If it’s in preconfig or
config phase it breaks 9 out of 10 times.
John
> On 29 May 2019, at 22:53, Boudjoudad Abdelkader wrote:
>
> I'm using cloud-init with this
I'm using cloud-init with this script:
locale-gen en_CA.utf8
locale-gen en_US.utf8
HOSTNAME=$(hostname)
IP=$(hostname -i | awk '{print $1}')
echo "$HOSTNAME.example.com" > /etc/hostname
FQDN="$HOSTNAME.example.com"
echo "FQDN is: $FQDN"
sed -i "1 i\
$IP $FQDN $HOSTNAME" /etc/hosts
apt-get -y
What I meant was that you are already practically disabling it; you specify the
hostname, domain, server, realm on your command line but those should be
discoverable.
Here is an enrollment jinja2 template I use:
ipa-client-install -U --enable-dns-updates
Hi John,
Thank you for the quick reply,
To disable autodiscovery the option is ?
--autodiscovery=no
On Wed, May 29, 2019 at 4:18 PM John Keates wrote:
> I don’t know what you are missing, but I do know that in theory your
> enrolment should work with just -U for unattended and the principal
Ah, is FreeIPA generally okay with servers being at different versions,
then? Could I upgrade by creating a new server, enrolling it as a
replica of the old server and then shutting down the old server? Can I do
that as a general behaviour?
On 29/05/2019 21:21, John Keates via FreeIPA-users wrote:
>
I don’t know what you are missing, but I do know that in theory your enrolment
should work with just -U for unattended and the principal and password.
Unless you have a special environment that requires auto discovery to be
disabled, I’d recommend using it.
I’m enrolling clients in three ways
Hello,
I'm trying to automate freeipa-client installation on Ubuntu with a custom
script using MAAS as follows:
HOSTNAME=$(hostname)
IP=$(hostname -i | awk '{print $1}')
echo "$HOSTNAME.example.com" > /etc/hostname
FQDN="$HOSTNAME.example.com"
echo "FQDN is: $FQDN"
sed -i "1 i\
$IP $FQDN $HOSTNAME"
Hello good people,
Due to being unfamiliar with Fedora, my home FreeIPA server has been
languishing on Fedora version 25 for ages. I recently twigged that it
hadn't been updated in ages, so I upgraded it to Fedora version 30. That
seemed to go OK, but now, when I try to run ipactl start, I get the
On 29/05/2019 03.39, チョーチュアン via FreeIPA-users wrote:
> Thanks for the feed, and yes, I have the RSA CA working apart from a
> negotiation error.
Hi,
fantastic, thanks for trying this! I was able to install FreeIPA with
NitroKey HSM support last year using an experimental build
Thanks a lot!
On Wed, May 29, 2019 at 4:06 PM Andrey Bondarenko
wrote:
> T
>
> On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy
> wrote:
>
>> On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
>> >Hello,
>> >
>> >Is the SOA generation algorithm for zones documented anywhere or
T
On Wed, May 29, 2019 at 1:43 PM Alexander Bokovoy
wrote:
> On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
> >Hello,
> >
> >Is the SOA generation algorithm for zones documented anywhere or anyone by
> >chance knows what it is?
> >
> >We have cluster of 8 nodes and SOA is
On Wed, May 29, 2019 at 01:19:19PM -, Khurrum Maqb via FreeIPA-users wrote:
> They are indeed all self signed:
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server1.dom.ain
> subject= /O=DOMAIN.COM/CN=server1.dom.ain
>
> #openssl x509
They are indeed all self signed:
#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server1.dom.ain
subject= /O=DOMAIN.COM/CN=server1.dom.ain
#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer=
On Wed, 29 May 2019, Andrey Bondarenko via FreeIPA-users wrote:
Hello,
Is the SOA generation algorithm for zones documented anywhere, or does anyone by
chance know what it is?
We have cluster of 8 nodes and SOA is different on some IPAs in some zones
(with huge amount of changes). But if I make a
Hello,
Is the SOA generation algorithm for zones documented anywhere, or does anyone by
chance know what it is?
We have cluster of 8 nodes and SOA is different on some IPAs in some zones
(with huge amount of changes). But if I make a change I actually see it on
different IPA.
Also, restarting IPA
On Tue, May 28, 2019 at 8:17 PM Rob Crittenden wrote:
> FWIW, speaking of healthcheck, you might want to look at the
> freeipa-healthcheck package in Fedora 28+. It produces JSON output of
> checks a bunch of things including whether services are running.
>
> It is still in pretty early
On Tue, May 28, 2019 at 08:27:41PM -, Khurrum Maqb via FreeIPA-users wrote:
> Oh I see. I misunderstood the result.
>
> ]# ipa pkinit-status
> -
> 4 servers matched
> -
> Server name: server1.dom.ain
> PKINIT status: enabled
>
> Server name:
On Tue, May 28, 2019 at 08:43:33PM -, Khurrum Maqb via FreeIPA-users wrote:
> I apologize for the successive emails.
>
> FYI, the OCSP + the Server Cert error goes away and the CA starts responding
> after I turn NSSOCSP off in /etc/httpd/conf.d/nss.conf
ah, iirc you mentioned earlier