[Freeipa-users] Re: Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
On 23 April 2018 at 17:53, Lachlan Musicman wrote: > On 23 April 2018 at 17:00, Alexander Bokovoy wrote: > >> On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: >> >>> Am I making hard work of something that is relatively straight forward

[Freeipa-users] replica - install fails with CA issue

2018-04-23 Thread Ross Infinger via FreeIPA-users
I'm trying to promote a new client to a replica. I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Seems the client was able to reach the CA so I'm

[Freeipa-users] Re: separation of IPA (httpd)

2018-04-23 Thread Brian J. Murrell via FreeIPA-users
On Mon, 2018-04-23 at 17:25 +0100, lejeczek via FreeIPA-users wrote: > > and that hypothetical situation where it all works in LXC - > still poses a question - what kind of an impact would the > fact that it's an LXC have on dependencies chain, in terms > of system's various services, systemd?

[Freeipa-users] Password Expiration and direct LDAP calls

2018-04-23 Thread Jeremy Utley via FreeIPA-users
Hello to the mailing list! We are running FreeIPA to handle authentication, and having an issue. We have a few tools that can not use the full IPA stack (PAM/SSSD/Kerberos), but instead have to talk to the underlying LDAP server directly. The problem we are facing is when user passwords expire,

[Freeipa-users] Re: installing replica - ObjectclassViolation: unknown object class "cmsuser"

2018-04-23 Thread lejeczek via FreeIPA-users
On 23/04/18 15:19, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: hi gents, I'm trying to add replica but process fails: ... Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes   [1/27]: creating certificate server db   [2/27]: setting up initial replication

[Freeipa-users] IPA Error 4203 DatabaseError

2018-04-23 Thread Andrew Meyer via FreeIPA-users
I seem to have 1 server that constantly gets out of sync with the other 3 servers. Currently I am getting this error when I try to add a user: Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log). I am trying to find the log files and figure out what I

[Freeipa-users] Re: installing replica - ObjectclassViolation: unknown object class "cmsuser"

2018-04-23 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hi gents, > > I'm trying to add replica but process fails: > ... > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes >   [1/27]: creating certificate server db >   [2/27]: setting up initial replication > Starting replication, please wait

[Freeipa-users] Re: separation of IPA (httpd)

2018-04-23 Thread lejeczek via FreeIPA-users
On 20/04/18 19:06, Rob Crittenden via FreeIPA-users wrote: IPA does no testing using LXC containers so YMMV. When I try to install a replica process gets stuck at: ... Done configuring ipa-custodia. Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes   [1/27]: creating

[Freeipa-users] installing replica - ObjectclassViolation: unknown object class "cmsuser"

2018-04-23 Thread lejeczek via FreeIPA-users
hi gents, I'm trying to add replica but process fails: ... Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes   [1/27]: creating certificate server db   [2/27]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 4

[Freeipa-users] Re: at which point IPA changes nsswitch.conf

2018-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/20/2018 11:06 AM, lejeczek via FreeIPA-users wrote: hi I'd like to ask when, if at all, IPA's installer changes nsswitch.conf? I install a client, afterwards no sss in nsswitch, I install a replica on that client, still no sss. Is this normal, expected? many thanks, L.

[Freeipa-users] Re: Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
On 23 April 2018 at 17:00, Alexander Bokovoy wrote: > On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: > >> Am I making hard work of something that is relatively straight forward and >> solved elsewhere but I've missed? >> >> Ansible has "ignore_errors: True"

[Freeipa-users] Re: Host is enrolled and installed

2018-04-23 Thread Alexander Bokovoy via FreeIPA-users
On ma, 23 huhti 2018, Lachlan Musicman via FreeIPA-users wrote: Am I making hard work of something that is relatively straight forward and solved elsewhere but I've missed? Ansible has "ignore_errors: True" available, but I feel that is a weak get out of jail free card. Given that this is

[Freeipa-users] Host is enrolled and installed

2018-04-23 Thread Lachlan Musicman via FreeIPA-users
Not 100% sure where to send this. Am trying to write an Ansible playbook to install SSSD and enroll the host in a domain. The problem starts when the host exists in the domain and ipa-client is already installed. We can use Ansible's delegate module to remove host from domain enrollment (would