[Freeipa-users] Re: new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
Florence, thanks, yeah I was able to telnet to port 389. It was the TTL of the 
DNS records. It finally flushed and worked.
Cheers!

On Tuesday, March 6, 2018 3:34 PM, Florence Blanc-Renaud via FreeIPA-users wrote:

On 06/03/2018 21:39, Andrew Meyer via FreeIPA-users wrote:
> I am trying to add another client in my main location and getting the 
> following information:
> [user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net 
> --realm=stl1.example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
> responding, unable to verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe 
> ipa-client-install command failed. See /var/log/ipaclient-install.log 
> for more information
> [user@freeipa01 ipa]$
> 
> 
> [user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net 
> --realm=example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
> Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
> Skip freeipa03.east.example.net: cannot verify if this is an IPA server
> Skip freeipa01.east.example.net: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe 
> ipa-client-install command failed. See /var/log/ipaclient-install.log 
> for more information
> [user@freeipa01 ~]$
> 
> I have checked my /etc/resolv.conf and made sure that they are pointed 
> at the current local FreeIPA nameservers/resolvers.
> 
> Here is the output /var/log/ipaclient-install.log
> 
> [user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments 
> [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': 
> False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': 
> 'stl1.example.net', 'force_ntpd': False, 'on_master': False, 
> 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': None, 
> 'keytab': None, 'no_ntp': False, 'domain_name': 'stl1.example.net', 
> 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 
> 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
> 'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': True, 
> 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
> 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': 
> None, 'unattended': False, 'quiet': False, 'nisdomain': None, 
> 'prompt_password': False, 'host_name': None, 'permit': False, 
> 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 
> 'log_file': None, 'uninstall': False}
> 2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
> 2018-03-06T20:29:32Z DEBUG Loading Index file from 
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=disabled
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=3
> 2018-03-06T20:29:32Z DEBUG stdout=unknown
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:37Z DEBUG [IPA Discovery]
> 2018-03-06T20:29:37Z DEBUG Starting IPA discovery with 
> domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
> _ldap._tcp.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
> infra-test-ipa.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
> infra-test-ipa2.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG [Kerberos realm search]
> 2018-03-06T20:29:37Z DEBUG Kerberos realm forced
> 2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
> _kerberos._udp.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 
> 

[Freeipa-users] Re: new client setup

2018-03-06 Thread Florence Blanc-Renaud via FreeIPA-users

On 06/03/2018 21:39, Andrew Meyer via FreeIPA-users wrote:
I am trying to add another client in my main location and getting the 
following information:
[user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net 
--realm=stl1.example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not 
responding, unable to verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^CThe 
ipa-client-install command failed. See /var/log/ipaclient-install.log 
for more information

[user@freeipa01 ipa]$


[user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net 
--realm=example.net --mkhomedir --enable-dns-updates

Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
Skip freeipa03.east.example.net: cannot verify if this is an IPA server
Skip freeipa01.east.example.net: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^CThe 
ipa-client-install command failed. See /var/log/ipaclient-install.log 
for more information

[user@freeipa01 ~]$

I have checked my /etc/resolv.conf and made sure that they are pointed 
at the current local FreeIPA nameservers/resolvers.


Here is the output /var/log/ipaclient-install.log

[user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments 
[] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': 
False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': 
'stl1.example.net', 'force_ntpd': False, 'on_master': False, 
'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': None, 
'keytab': None, 'no_ntp': False, 'domain_name': 'stl1.example.net', 
'request_cert': False, 'fixed_primary': False, 'no_ac': False, 
'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 
'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': True, 
'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 
'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': 
None, 'unattended': False, 'quiet': False, 'nisdomain': None, 
'prompt_password': False, 'host_name': None, 'permit': False, 
'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 
'log_file': None, 'uninstall': False}

2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
2018-03-06T20:29:32Z DEBUG Loading Index file from 
'/var/lib/ipa-client/sysrestore/sysrestore.index'

2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=
2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=disabled

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=3
2018-03-06T20:29:32Z DEBUG stdout=unknown

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:37Z DEBUG [IPA Discovery]
2018-03-06T20:29:37Z DEBUG Starting IPA discovery with 
domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net

2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
_ldap._tcp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 
infra-test-ipa2.example.net.stl1.example.net.

2018-03-06T20:29:37Z DEBUG [Kerberos realm search]
2018-03-06T20:29:37Z DEBUG Kerberos realm forced
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of 
_kerberos._udp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 
infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 
infra-test-ipa2.example.net.stl1.example.net.

2018-03-06T20:29:37Z DEBUG [LDAP server check]
2018-03-06T20:29:37Z DEBUG Verifying that 
infra-test-ipa.example.net.stl1.example.net (realm stl1.example.net) is 
an IPA server
2018-03-06T20:29:37Z DEBUG Init LDAP connection to: 
ldap://infra-test-ipa.example.net.stl1.example.net:389

[Freeipa-users] Re: new client setup

2018-03-06 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> I am trying to add another client in my main location and getting the
> following information:
> [user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net
> --realm=stl1.example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not
> responding, unable to verify if this is an IPA server
> Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not
> responding, unable to verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe
> ipa-client-install command failed. See /var/log/ipaclient-install.log
> for more information
> [user@freeipa01 ipa]$
> 
> 
> [user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net
> --realm=example.net --mkhomedir --enable-dns-updates
> Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
> Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
> Skip freeipa03.east.example.net: cannot verify if this is an IPA server
> Skip freeipa01.east.example.net: cannot verify if this is an IPA server
> Provide your IPA server name (ex: ipa.example.com): ^CThe
> ipa-client-install command failed. See /var/log/ipaclient-install.log
> for more information
> [user@freeipa01 ~]$
> 
> I have checked my /etc/resolv.conf and made sure that they are pointed
> at the current local FreeIPA nameservers/resolvers.  
> 
> Here is the output /var/log/ipaclient-install.log
> 
> [user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
> 2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments
> [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose':
> False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name':
> 'stl1.example.net', 'force_ntpd': False, 'on_master': False,
> 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': None,
> 'keytab': None, 'no_ntp': False, 'domain_name': 'stl1.example.net',
> 'request_cert': False, 'fixed_primary': False, 'no_ac': False,
> 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False,
> 'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': True,
> 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False,
> 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir':
> None, 'unattended': False, 'quiet': False, 'nisdomain': None,
> 'prompt_password': False, 'host_name': None, 'permit': False,
> 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True,
> 'log_file': None, 'uninstall': False}
> 2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
> 2018-03-06T20:29:32Z DEBUG Loading Index file from
> '/var/lib/ipa-client/sysrestore/sysrestore.index'
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=1
> 2018-03-06T20:29:32Z DEBUG stdout=disabled
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:32Z DEBUG Starting external process
> 2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
> 2018-03-06T20:29:32Z DEBUG Process finished, return code=3
> 2018-03-06T20:29:32Z DEBUG stdout=unknown
> 
> 2018-03-06T20:29:32Z DEBUG stderr=
> 2018-03-06T20:29:37Z DEBUG [IPA Discovery]
> 2018-03-06T20:29:37Z DEBUG Starting IPA discovery with
> domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
> 2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of
> _ldap._tcp.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389
> infra-test-ipa.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389
> infra-test-ipa2.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG [Kerberos realm search]
> 2018-03-06T20:29:37Z DEBUG Kerberos realm forced
> 2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of
> _kerberos._udp.stl1.example.net
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88
> infra-test-ipa.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88
> infra-test-ipa2.example.net.stl1.example.net.
> 2018-03-06T20:29:37Z DEBUG [LDAP server check]
> 2018-03-06T20:29:37Z DEBUG Verifying that
> infra-test-ipa.example.net.stl1.example.net (realm stl1.example.net) is
> an IPA 

[Freeipa-users] new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
I am trying to add another client in my main location and getting the following 
information:

[user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net --realm=stl1.example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not responding, unable to verify if this is an IPA server
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not responding, unable to verify if this is an IPA server
Skip infra-test-ipa2.example.net.stl1.example.net: LDAP server is not responding, unable to verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^CThe ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
[user@freeipa01 ipa]$

[user@freeipa01 ~]$ sudo ipa-client-install --domain=example.net --realm=example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net: cannot verify if this is an IPA server
Skip infra-test-ipa2.example.net: cannot verify if this is an IPA server
Skip freeipa03.east.example.net: cannot verify if this is an IPA server
Skip freeipa01.east.example.net: cannot verify if this is an IPA server
Provide your IPA server name (ex: ipa.example.com): ^CThe ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
[user@freeipa01 ~]$

I have checked my /etc/resolv.conf and made sure that they are pointed at the 
current local FreeIPA nameservers/resolvers.

Here is the output /var/log/ipaclient-install.log

[user@freeipa01 ~]$ sudo cat /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG Logging to /var/log/ipaclient-install.log
2018-03-06T20:29:32Z DEBUG ipa-client-install was invoked with arguments [] and options: {'no_dns_sshfp': False, 'force': False, 'verbose': False, 'ip_addresses': None, 'configure_firefox': False, 'realm_name': 'stl1.example.net', 'force_ntpd': False, 'on_master': False, 'no_nisdomain': False, 'ssh_trust_dns': False, 'principal': None, 'keytab': None, 'no_ntp': False, 'domain_name': 'stl1.example.net', 'request_cert': False, 'fixed_primary': False, 'no_ac': False, 'no_sudo': False, 'ca_cert_files': None, 'all_ip_addresses': False, 'kinit_attempts': None, 'ntp_servers': None, 'enable_dns_updates': True, 'no_sshd': False, 'no_sssd': False, 'no_krb5_offline_passwords': False, 'servers': None, 'no_ssh': False, 'force_join': False, 'firefox_dir': None, 'unattended': False, 'quiet': False, 'nisdomain': None, 'prompt_password': False, 'host_name': None, 'permit': False, 'automount_location': None, 'preserve_sssd': False, 'mkhomedir': True, 'log_file': None, 'uninstall': False}
2018-03-06T20:29:32Z DEBUG IPA version 4.5.0-22.el7.centos
2018-03-06T20:29:32Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/usr/sbin/selinuxenabled
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=
2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-enabled chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=1
2018-03-06T20:29:32Z DEBUG stdout=disabled

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:32Z DEBUG Starting external process
2018-03-06T20:29:32Z DEBUG args=/bin/systemctl is-active chronyd.service
2018-03-06T20:29:32Z DEBUG Process finished, return code=3
2018-03-06T20:29:32Z DEBUG stdout=unknown

2018-03-06T20:29:32Z DEBUG stderr=
2018-03-06T20:29:37Z DEBUG [IPA Discovery]
2018-03-06T20:29:37Z DEBUG Starting IPA discovery with domain=stl1.example.net, servers=None, hostname=freeipa01.stl1.example.net
2018-03-06T20:29:37Z DEBUG Search for LDAP SRV record in stl1.example.net
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of _ldap._tcp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 389 infra-test-ipa2.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG [Kerberos realm search]
2018-03-06T20:29:37Z DEBUG Kerberos realm forced
2018-03-06T20:29:37Z DEBUG Search DNS for SRV record of _kerberos._udp.stl1.example.net
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 infra-test-ipa.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG DNS record found: 0 100 88 infra-test-ipa2.example.net.stl1.example.net.
2018-03-06T20:29:37Z DEBUG [LDAP server check]
2018-03-06T20:29:37Z DEBUG Verifying that infra-test-ipa.example.net.stl1.example.net (realm stl1.example.net) is an IPA server
2018-03-06T20:29:37Z DEBUG Init LDAP connection to: ldap://infra-test-ipa.example.net.stl1.example.net:389
2018-03-06T20:29:37Z DEBUG LDAP Error: cannot connect to 
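The discovery sequence in the log above (SRV lookup for `_ldap._tcp.<domain>`, client ordering of the answers, then a connection to each target on port 389) can be re-run outside the installer to see which step fails and how long a cached answer still has to live, which is the TTL point made in the reply at the top of this thread. The script below is an added example, not FreeIPA's own code. It parses `dig +noall +answer SRV` output (a constructed sample for the two records in the log, with made-up TTL values, is embedded so it runs offline), probes each target over TCP the way the installer's LDAP check first has to, and applies one heuristic that is this example's own assumption rather than an IPA check: it flags targets of the shape `host.example.net.stl1.example.net`, which read as an already-qualified name with the zone appended. Live mode assumes the `dig` binary is on PATH.

```python
#!/usr/bin/env python3
"""Re-run the server discovery ipa-client-install performs and explain each skip.

Added example, not FreeIPA code: parse SRV answers, order them as a client would,
probe each target on its LDAP port, and flag suspicious-looking target names.
"""
import re
import socket
import subprocess
import sys

# Constructed sample of `dig +noall +answer SRV _ldap._tcp.stl1.example.net` output
# for the two records the install log reports; the TTL values are made up here.
SAMPLE_DIG_OUTPUT = """\
_ldap._tcp.stl1.example.net. 3600 IN SRV 0 100 389 infra-test-ipa.example.net.stl1.example.net.
_ldap._tcp.stl1.example.net. 3600 IN SRV 0 100 389 infra-test-ipa2.example.net.stl1.example.net.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_answers(text):
    """Parse dig answer lines into records ordered as an SRV client tries them:
    lowest priority first, higher weight first within one priority (RFC 2782)."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m is None:
            continue  # blank lines, comments, non-SRV answers
        records.append({
            "ttl": int(m["ttl"]),
            "priority": int(m["prio"]),
            "weight": int(m["weight"]),
            "port": int(m["port"]),
            "target": m["target"].rstrip(".").lower(),
        })
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))


def looks_like_unqualified_target(target, zone):
    """Heuristic (this example's assumption, not an IPA check): a target such as
    infra-test-ipa.example.net.stl1.example.net is a name that already ended in the
    zone's top-level label and then had the zone appended, the usual result of a
    zone-file record written without its trailing dot."""
    zone = zone.rstrip(".").lower()
    target = target.rstrip(".").lower()
    if not target.endswith("." + zone):
        return False
    head = target[: -(len(zone) + 1)]
    zone_tld = zone.rsplit(".", 1)[-1]
    return "." in head and head.rsplit(".", 1)[-1] == zone_tld


def tcp_reachable(host, port, timeout=3.0):
    """The first hurdle the installer's LDAP check hits: can a TCP connection open?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes name-resolution failures
        return False


def discover(domain, dig_output=None, probe=tcp_reachable):
    """Return one report row per SRV target, in client try order."""
    if dig_output is None:  # live mode: requires the dig binary on PATH
        dig_output = subprocess.run(
            ["dig", "+noall", "+answer", "SRV", f"_ldap._tcp.{domain}"],
            capture_output=True, text=True, check=False,
        ).stdout
    rows = []
    for rec in parse_srv_answers(dig_output):
        rows.append({
            **rec,
            "reachable": probe(rec["target"], rec["port"]),
            "suspicious_name": looks_like_unqualified_target(rec["target"], domain),
        })
    return rows


def main(argv):
    # With a domain argument the script queries DNS; without one it uses the sample.
    domain = argv[1] if len(argv) > 1 else "stl1.example.net"
    rows = discover(domain) if len(argv) > 1 else discover(domain, SAMPLE_DIG_OUTPUT)
    for r in rows:
        note = "  <- looks like an FQDN with the zone appended" if r["suspicious_name"] else ""
        print(f"{r['target']}:{r['port']} prio={r['priority']} ttl={r['ttl']}s "
              f"tcp={'ok' if r['reachable'] else 'FAIL'}{note}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the client's search domain as the only argument (`python3 srvcheck.py stl1.example.net`) on the host that is failing to enrol; the TTL column is the remaining lifetime of the answer the local resolver handed back, so a stale record shows up as a non-zero TTL on a target that fails the TCP probe.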

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-06 Thread John Seekins via FreeIPA-users
Oh. I'm sorry I misunderstood.
[jseekins@ops-freeipa-ops-1 ~]$ sudo yum list ipa-server
[sudo] password for jseekins:
Loaded plugins: amazon-id, rhui-lb, search-disabled-repos
Installed Packages
ipa-server.x86_64    4.5.0-22.el7_4    @rhui-REGION-rhel-server-releases

On Tue, Mar 6, 2018 at 12:25 PM Rob Crittenden wrote:

> John Seekins wrote:
> > Rob,
> > Fraser did answer my question, but...
> > As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was
> > trying to convert from CA-less to CA-full install.
> > And Fraser found the exact problem I was running into.
>
> Right, Fraser fixed this upstream in master to happen automatically.
>
> I asked so I could check whether this had been backported so I was
> looking for the exact release you were using (e.g.
> [free]ipa-server-4.5-0.x.y.z).
>
> Either way glad it's working now.
>
> rob
>
> >
> > On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden wrote:
> >
> > John Seekins via FreeIPA-users wrote:
> > > On a RHEL 7 box, I installed the ipa-server package and set up a
> > server without a CA successfully. Then I tried to manually add the
> > CA functionality afterwards and, while the install appeared to work,
> > the server can't properly access the dogtag instance through the
> > proxy, which breaks a lot of functionality.
> > >
> > > Logs here:
> > >
> https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
> > >
> > > What am I doing wrong here?
> >
> > What version of IPA is this? Are you trying to do a CA-less install
> and
> > converting it to a CA-ful install?
> >
> >
> > rob
> >
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: re-add a trust to AD => Local Security Authority is unable to obtain an RPC...

2018-03-06 Thread lejeczek via FreeIPA-users



On 06/03/18 13:26, lejeczek via FreeIPA-users wrote:

... connection to the Active Directory Domain Controller

Hi gents

Would you know why this happens?

I mean, it happens when I on AD DC remove a trust, then do 
trust-del on IPA, then go back to AD and try to add the 
"same" trust, then that happens.
I have two masters and that AD mentions hostname of one of 
them next to "Active Directory Domain Controller..."


thanks, L.


I wonder if it can have something to do with the fact that I 
have all three boxes as qemu-kvm guests?


I found this: 
https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/RHiOCFETVQI 
- where apparently VMware is the culprit.



[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
Agreed. Going to try and get direct management to move forward w/ CentOS 7 up 
there. Thanks to you and your team for all their help. FreeIPA is so awesome.

On Tuesday, March 6, 2018 1:31 PM, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer wrote:
> We got it fixed.  But one of the servers became severely out of sync
> causing other issues.  We got it fixed and replication is now working
> once again.  Now it is just figuring out if we truly can use Amazon
> Linux 2 as a FreeIPA replica or if we need to stick w/ CentOS 7.

If they use a different release of curl who knows what else is
different. Do you want to trust your infrastructure with that?

IPA herds many cats and it can be difficult to keep so many dependent
packages in-line. With so many moving parts even small changes can
sometimes cause a tremendous amount of grief.

rob

> 
> 
> On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> After getting the feedback previously from the mailing list (thank you
>> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
>> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
>> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
>> it I get the following error:
>>
>> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
>> --setup-dns --forwarder=10.10.0.2
>>
>> 2018-03-05T21:33:57Z DEBUG stderr=
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2018-03-05T21:33:57Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes
>> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
>> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
>> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
>> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master
> [attempt 1/5]
>> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
>> url=ldap://infra-test-ipa.gatewayblend.net:389
>> conn=
>> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
>> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1192, in __setup_replication
>>     repl.setup_cs_replication(self.master_host)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1814, in setup_cs_replication
>>     raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
>> replication
>> 2018-03-05T21:34:14Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
>> 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in 
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 658, in _configure
>>     next(executor)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, 

[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer wrote:
> We got it fixed.  But one of the servers became severely out of sync
> causing other issues.  We got it fixed and replication is now working
> once again.  Now it is just figuring out if we truly can use Amazon
> Linux 2 as a FreeIPA replica or if we need to stick w/ CentOS 7.

If they use a different release of curl who knows what else is
different. Do you want to trust your infrastructure with that?

IPA herds many cats and it can be difficult to keep so many dependent
packages in-line. With so many moving parts even small changes can
sometimes cause a tremendous amount of grief.

rob

> 
> 
> On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users wrote:
> 
> 
> Andrew Meyer via FreeIPA-users wrote:
>> After getting the feedback previously from the mailing list (thank you
>> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
>> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
>> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
>> it I get the following error:
>>
>> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
>> --setup-dns --forwarder=10.10.0.2
>>
>> 2018-03-05T21:33:57Z DEBUG stderr=
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
>> '/var/lib/ipa/sysrestore/sysrestore.state'
>> 2018-03-05T21:33:57Z DEBUG Loading Index file from
>> '/var/lib/ipa/sysrestore/sysrestore.index'
>> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes
>> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
>> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
>> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
>> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master
> [attempt 1/5]
>> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
>> url=ldap://infra-test-ipa.gatewayblend.net:389
>> conn=
>> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
>> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 504, in start_creation
>>     run_step(full_msg, method)
>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
>> line 494, in run_step
>>     method()
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
>> 1192, in __setup_replication
>>     repl.setup_cs_replication(self.master_host)
>>   File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
>> line 1814, in setup_cs_replication
>>     raise RuntimeError("Failed to start replication")
>> RuntimeError: Failed to start replication
>>
>> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
>> replication
>> 2018-03-05T21:34:14Z DEBUG   File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
>> execute
>>     return_value = self.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
>> 333, in run
>>     cfgr.run()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 368, in run
>>     self.execute()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 392, in execute
>>     for _nothing in self._executor():
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 453, in _handle_exception
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 424, in __runner
>>     step()
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 421, in 
>>     step = lambda: next(self.__gen)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 81, in run_generator_with_yield_from
>>     six.reraise(*exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
>> line 59, in run_generator_with_yield_from
>>     value = gen.send(prev_value)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 658, in _configure
>>     next(executor)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 434, in __runner
>>     exc_handler(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 463, in _handle_execute_exception
>>     self._handle_exception(exc_info)
>>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
>> line 521, in 

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-06 Thread Rob Crittenden via FreeIPA-users
John Seekins wrote:
> Rob,
> Fraser did answer my question, but...
> As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was
> trying to convert from CA-less to CA-full install.
> And Fraser found the exact problem I was running into.

Right, Fraser fixed this upstream in master to happen automatically.

I asked so I could check whether this had been backported so I was
looking for the exact release you were using (e.g.
[free]ipa-server-4.5-0.x.y.z).

Either way glad it's working now.

rob

> 
> On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden wrote:
> 
> John Seekins via FreeIPA-users wrote:
> > On a RHEL 7 box, I installed the ipa-server package and set up a
> server without a CA successfully. Then I tried to manually add the
> CA functionality afterwards and, while the install appeared to work,
> the server can't properly access the dogtag instance through the
> proxy, which breaks a lot of functionality.
> >
> > Logs here:
> > https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
> >
> > What am I doing wrong here?
> 
> What version of IPA is this? Are you trying to do a CA-less install and
> converting it to a CA-ful install?
> 
> 
> rob
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
We got it fixed.  But one of the servers became severely out of sync causing 
other issues.  We got it fixed and replication is now working once again.  Now 
it is just figuring out if we truly can use Amazon Linux 2 as a FreeIPA replica 
or if we need to stick w/ CentOS 7. 

On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users wrote:

Andrew Meyer via FreeIPA-users wrote:
> After getting the feedback previously from the mailing list (thank you
> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
> it I get the following error:
> 
> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
> --setup-dns --forwarder=10.10.0.2
> 
> 2018-03-05T21:33:57Z DEBUG stderr=
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2018-03-05T21:33:57Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes
> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
> url=ldap://infra-test-ipa.gatewayblend.net:389
> conn=
> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 504, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 494, in run_step
>     method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1192, in __setup_replication
>     repl.setup_cs_replication(self.master_host)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 1814, in setup_cs_replication
>     raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
> 
> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
> replication
> 2018-03-05T21:34:14Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 333, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 368, in run
>     self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 392, in execute
>     for _nothing in self._executor():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in 
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 658, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 521, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 518, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> 

[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote:
> After getting the feedback previously from the mailing list (thank you
> for all your help) I have deployed a CentOS 7 image in AWS.  I was able
> to add the client machine to the FreeIPA domain.  The CentOS 7 instance
> is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote
> it I get the following error:
> 
> ipa-replica-install --setup-ca --ssh-trust-dns --mkhomedir --setup-kra
> --setup-dns --forwarder=10.10.0.2
> 
> 2018-03-05T21:33:57Z DEBUG stderr=
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Saving StateFile to
> '/var/lib/ipa/sysupgrade/sysupgrade.state'
> 2018-03-05T21:33:57Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2018-03-05T21:33:57Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2018-03-05T21:33:57Z DEBUG Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes
> 2018-03-05T21:33:57Z DEBUG   [1/27]: creating certificate server db
> 2018-03-05T21:33:57Z DEBUG   duration: 0 seconds
> 2018-03-05T21:33:57Z DEBUG   [2/27]: setting up initial replication
> 2018-03-05T21:33:57Z DEBUG Fetching nsDS5ReplicaId from master [attempt 1/5]
> 2018-03-05T21:33:57Z DEBUG retrieving schema for SchemaCache
> url=ldap://infra-test-ipa.gatewayblend.net:389
> conn=
> 2018-03-05T21:33:58Z DEBUG Successfully updated nsDS5ReplicaId.
> 2018-03-05T21:34:14Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 504, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 494, in run_step
>     method()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1192, in __setup_replication
>     repl.setup_cs_replication(self.master_host)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py",
> line 1814, in setup_cs_replication
>     raise RuntimeError("Failed to start replication")
> RuntimeError: Failed to start replication
> 
> 2018-03-05T21:34:14Z DEBUG   [error] RuntimeError: Failed to start
> replication
> 2018-03-05T21:34:14Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 333, in run
>     cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 368, in run
>     self.execute()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 392, in execute
>     for _nothing in self._executor():
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in 
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
>     value = gen.send(prev_value)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 658, in _configure
>     next(executor)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 434, in __runner
>     exc_handler(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 463, in _handle_execute_exception
>     self._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 521, in _handle_exception
>     self.__parent._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 518, in _handle_exception
>     super(ComponentBase, self)._handle_exception(exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 453, in _handle_exception
>     six.reraise(*exc_info)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 424, in __runner
>     step()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 421, in 
>     step = lambda: next(self.__gen)
>   File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in 

[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-06 Thread John Seekins via FreeIPA-users
Rob,
Fraser did answer my question, but...
As the initial email topic notes, this is FreeIPA 4.5.0. And yes, I was
trying to convert from CA-less to CA-full install.
And Fraser found the exact problem I was running into.

On Tue, Mar 6, 2018 at 11:58 AM Rob Crittenden wrote:

> John Seekins via FreeIPA-users wrote:
> > On a RHEL 7 box, I installed the ipa-server package and set up a server
> without a CA successfully. Then I tried to manually add the CA
> functionality afterwards and, while the install appeared to work, the
> server can't properly access the dogtag instance through the proxy, which
> breaks a lot of functionality.
> >
> > Logs here:
> > https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
> >
> > What am I doing wrong here?
>
> What version of IPA is this? Are you trying to do a CA-less install and
> converting it to a CA-ful install?
>
>
> rob
>


[Freeipa-users] Re: CA server install on existing server fails - FreeIPA 4.5.0

2018-03-06 Thread Rob Crittenden via FreeIPA-users
John Seekins via FreeIPA-users wrote:
> On a RHEL 7 box, I installed the ipa-server package and set up a server 
> without a CA successfully. Then I tried to manually add the CA functionality 
> afterwards and, while the install appeared to work, the server can't properly 
> access the dogtag instance through the proxy, which breaks a lot of 
> functionality.
> 
> Logs here:
> https://gist.github.com/johnseekins/d1a117c568f7895ec0e7fa588aba745d
> 
> What am I doing wrong here?

What version of IPA is this? Are you trying to do a CA-less install and
converting it to a CA-ful install?


rob


[Freeipa-users] re-add a trust to AD => Local Security Authority is unable to obtain an RPC...

2018-03-06 Thread lejeczek via FreeIPA-users

... connection to the Active Directory Domain Controller

Hi gents

Would you know why this happens?

I mean, it happens when I remove a trust on the AD DC, then do
trust-del on IPA, then go back to AD and try to add the
"same" trust; then that happens.
I have two masters, and AD mentions the hostname of one of
them next to "Active Directory Domain Controller..."


thanks, L.


[Freeipa-users] Re: cross realm trust - without win AD credentials ?

2018-03-06 Thread lejeczek via FreeIPA-users

On 06/03/18 11:13, Alexander Bokovoy wrote:

On Tue, 06 Mar 2018, lejeczek via FreeIPA-users wrote:

On 06/03/18 07:28, Florence Blanc-Renaud wrote:

On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:

hi guys

I wonder if it is (would be) possible to have IPA join AD but
so IPA admin only asks AD admin(s) to do whatever is
required and then s/he does IPA end?
And a reason you would do that is - domains are formally (and
in other ways) separate that AD admin would have to keep
secret and not share any of those AD credentials you would
normally use in IPA to add such a trust.

many thanks, L.

Hi,

it is possible to use a shared secret instead of the AD 
admin credentials when establishing the trust:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#create-trust-shared-secret

Does this address your concern?
Flo


That might be exactly it!
I'm trying "one way" and while the command succeeded I 
saw this:

...
Domain Security Identifier: 
S-1-5-21-3110176660-1847390102-3050341588
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, 
S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, 
S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, 
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, 
S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, 
S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, 
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20

  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
  gidnumber: 141610
  ipantsecurityidentifier: 
S-1-5-21-690266907-396463273-2110627865-1004

  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
...

Now I'm trying to ssh to IPA as:

$ ssh a...@ad.priv.dom.local@10.1.1.1

but this fails as if the password was incorrect, which 
naturally is not true.

Is the problem "one way" trust?
One-way trust with a shared secret is not working currently. Either use
two-way trust with a shared secret or use admin credentials.

If you are interested in the details, just search mailing archives.

Oogh, gee, if you guys could make one-way work... I could
not stress it enough... f a n t a s t i c that would be.


b.w. L.


[Freeipa-users] Re: cross realm trust - without win AD credentials ?

2018-03-06 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 06 Mar 2018, lejeczek via FreeIPA-users wrote:

On 06/03/18 07:28, Florence Blanc-Renaud wrote:

On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:

hi guys

I wonder if it is(would be) possible to have IPA join AD but
so IPA admin only asks AD admin(s) to do whatever is
required and then s/he does IPA end?
And a reason you would do that is - domains are formally(and
in other ways) separate that AD admin would have to keep
secret and not share any of those AD credentials you would
normally use in IPA to add such a trust.

many thanks, L.

Hi,

it is possible to use a shared secret instead of the AD admin 
credentials when establishing the trust:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#create-trust-shared-secret


Does this address your concern?
Flo


That might be exactly it!
I'm trying "one way" and while the command succeeded I saw this:
...
Domain Security Identifier: S-1-5-21-3110176660-1847390102-3050341588
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, 
S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, 
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, 
S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, S-1-5-1, 
S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, S-1-5-9, 
S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, S-1-5-17, 
S-1-5-18, S-1-5-19, S-1-5-20

  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
  gidnumber: 141610
  ipantsecurityidentifier: 
S-1-5-21-690266907-396463273-2110627865-1004

  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
...

Now I'm trying to ssh to IPA as:

$ ssh a...@ad.priv.dom.local@10.1.1.1

but this fails as if the password was incorrect, which naturally is 
not true.

Is the problem "one way" trust?

One-way trust with a shared secret is not working currently. Either use
two-way trust with a shared secret or use admin credentials.

If you are interested in the details, just search mailing archives.

--
/ Alexander Bokovoy


[Freeipa-users] Re: cross realm trust - without win AD credentials ?

2018-03-06 Thread lejeczek via FreeIPA-users

On 06/03/18 07:28, Florence Blanc-Renaud wrote:

On 05/03/2018 19:01, lejeczek via FreeIPA-users wrote:

hi guys

I wonder if it is(would be) possible to have IPA join AD but
so IPA admin only asks AD admin(s) to do whatever is
required and then s/he does IPA end?
And a reason you would do that is - domains are formally(and
in other ways) separate that AD admin would have to keep
secret and not share any of those AD credentials you would
normally use in IPA to add such a trust.

many thanks, L.

Hi,

it is possible to use a shared secret instead of the AD 
admin credentials when establishing the trust:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#create-trust-shared-secret

Does this address your concern?
Flo


That might be exactly it!
I'm trying "one way" and while the command succeeded I saw this:
...
Domain Security Identifier: 
S-1-5-21-3110176660-1847390102-3050341588
  SID blacklist incoming: S-1-0, S-1-1, S-1-2, S-1-3, 
S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, 
S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, 
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20
  SID blacklist outgoing: S-1-0, S-1-1, S-1-2, S-1-3, 
S-1-5-1, S-1-5-2, S-1-5-3, S-1-5-4, S-1-5-5,
  S-1-5-6, S-1-5-7, S-1-5-8, 
S-1-5-9, S-1-5-10, S-1-5-11, S-1-5-12, S-1-5-13,
  S-1-5-14, S-1-5-15, S-1-5-16, 
S-1-5-17, S-1-5-18, S-1-5-19, S-1-5-20

  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Waiting for confirmation by remote side
  gidnumber: 141610
  ipantsecurityidentifier: 
S-1-5-21-690266907-396463273-2110627865-1004

  ipantsupportedencryptiontypes: 28
  ipanttrustdirection: 1
...

Now I'm trying to ssh to IPA as:

$ ssh a...@ad.priv.dom.local@10.1.1.1

but this fails as if the password was incorrect, which 
naturally is not true.

Is the problem "one way" trust?

many thanks, L.


[Freeipa-users] MAKE REPLICATION SERVER 1 WAY

2018-03-06 Thread barrykfl--- via FreeIPA-users
Hi all:

Is it possible to make the replication server 1 way?
I have a radius/ldap config server in a far remote site,
so there is no need for mutual replication.

For the remote site, just making a one-way slave is OK.


Regards