On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote:
On 05/01/2012 06:15 PM, Steven Jones wrote:
So this opens a chicken and egg?
ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the
older 6.2 clients will break? but I cant upgrade the clients until after
the
Steven Jones wrote:
So this opens a chicken and egg?
ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older
6.2 clients will break? but I cant upgrade the clients until after the servers
are doneif so that is a huge and ugly looking task that is one way
No,
Sorry about not supplying the versions!
On the redhat 6.2 server:
ipa-admintools-2.1.3-9.el6.x86_64ipa-client-2.1.3-9.el6.x86_64ipa-server-2.1.3-9.el6.x86_64
Red Hat 5.8ipa-client-2.1.3-1.el5
I have looked over various documents and not had much luck.
ThanksMatt
Run: klist -kt /etc/krb5.keytab to see what keys are available. It shows the
master server and itself.
When you ran ipa-client-install were any errors reported? None
It appears that basic nss services aren't working. Can you do:
id mdavidsonid: mdavidson: No such user
getent passwd
To clarify one point.
I used the current redhat documents to setup the two systems.
Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
SSH does not seem to be discussed and that is when I started web surfing in an
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote:
Sorry about not supplying the versions!
On the redhat 6.2 server:
ipa-admintools-2.1.3-9.el6.x86_64ipa-client-2.1.3-9.el6.x86_64ipa-server-2.1.3-9.el6.x86_64
Red Hat 5.8ipa-client-2.1.3-1.el5
I have looked over various
Matthew Davidson wrote:
To clarify one point.
I used the current redhat documents to setup the two systems.
Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US
Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US
SSH does not seem to be discussed and that is when I started
shabahang elmian wrote:
Hello,
I would be thankful if some one can help me to resolve the problem.
We need to see /var/log/ipaserver-install.log and potentially
/var/log/pki-ca/debug to determine what the problem is.
It would appear that the CA process didn't start.
Details on your
Hi Rob
[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
--server=rhel6.example.comDNS domain 'example.com' is not configured for
automatic KDC address lookup.KDC address will be set to fixed value.
Discovery was successful!Hostname: rhel6.example.comRealm: EXAMPLE.COMDNS
Domain:
On 05/02/2012 12:43 PM, Matthew Davidson wrote:
Hi Rob
[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
--server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address
lookup.
KDC address will be set to fixed value.
Discovery was successful!
Matthew Davidson wrote:
Hi Rob
[root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM
--server=rhel6.example.com
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.
Discovery was successful!
Hostname: rhel6.example.com
Realm:
Dmitri,1) Do you have admin account on IPA side?
Yes. And judging by the command below admin does log in, or am I mistaken?
[root@rhel5 ~]# kinit adminPassword for ad...@example.com:
[root@rhel5 ~]# klistTicket cache: FILE:/tmp/krb5cc_0Default principal:
ad...@example.com
Valid starting
On 05/02/2012 02:50 PM, Matthew Davidson wrote:
Dmitri,
1) Do you have admin account on IPA side?
Yes. And judging by the command below admin does log in, or am I mistaken?
[root@rhel5 ~]# kinit admin
Password for ad...@example.com:
[root@rhel5 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
On 05/02/2012 11:34 AM, Rob Crittenden wrote:
shabahang elmian wrote:
Hello,
I would be thankful if some one can help me to resolve the problem.
We need to see /var/log/ipaserver-install.log and potentially
/var/log/pki-ca/debug to determine what the problem is.
It would appear that the CA
Is this from the client or from the server? I bet on the server.
That is from the client. I sent a reply to Rob about the DNS, but I was under
the assumption that the client was using the config files.
thanksMatt
Date: Wed, 2 May 2012 14:57:24 -0400
From: d...@redhat.com
To:
Matthew Davidson wrote:
Is this from the client or from the server? I bet on the server.
That is from the client. I sent a reply to Rob about the DNS, but I was
under the assumption that the client was using the config files.
We recommend using a different realm name for the IPA realm, it
-users
-- next part --
An HTML attachment was scrubbed...
URL:
https://www.redhat.com/archives/freeipa-users/attachments/20120502/51a0eaec/attachment.html
--
Message: 2
Date: Wed, 02 May 2012 14:57:24 -0400
From: Dmitri Pal d
Hi,
proper isnt defined as such, but yes in an ideal world Trouble is we have
so many servers that we patch over 2 or 3 early start mornings, until now we
did test first, then prod.now we have to start to separate them
also will IPA server on 6.3 collide with IPA server on 6.2?
What is the impact of IPA not working properly?
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: Martin Kosek [mko...@redhat.com]
Sent: Thursday, 3 May 2012 1:52 a.m.
To: Rob Crittenden
Steven Jones wrote:
Hi,
proper isnt defined as such, but yes in an ideal world Trouble is we have
so many servers that we patch over 2 or 3 early start mornings, until now we did test
first, then prod.now we have to start to separate them
Right, this is why we fixed the bug.
/attachments/20120502/51a0eaec/attachment.html
--
Message: 2
Date: Wed, 02 May 2012 14:57:24 -0400
From: Dmitri Pal d...@redhat.com mailto:d...@redhat.com
To: Matthew Davidson m...@mldserviceslex.com
mailto:m...@mldserviceslex.com
Cc: freeipa
On 05/02/2012 05:28 PM, Steven Jones wrote:
Hi,
proper isnt defined as such, but yes in an ideal world Trouble is we
have so many servers that we patch over 2 or 3 early start mornings, until
now we did test first, then prod.now we have to start to separate them
also will IPA
Steven Jones wrote:
What is the impact of IPA not working properly?
That is a bit of a loaded question. It depends on your definition of
properly but basically if IPA server isn't working, none of your auth
or identity works. Depending on what state sssd thinks the server is in
it may fall
On 05/02/2012 05:29 PM, Steven Jones wrote:
What is the impact of IPA not working properly?
You need to differentiate client system that uses IPA for identity
lookups and authentication and administrative station where you have
ipa-admintools package installed. It is not recommended to have this
Hi,
I'm curious how members of this list are monitoring their IPA servers'
replication status. `ipa-replica-manage list` doesn't actually tell you if your
replica is working. I just realized that our replica's IPA processes were hung
(likely as a result of suspending resuming the VM it's
Hi,
Sorry, I used IPA I should have used lower case eg,
But ipa command still
won't work properly as its API is higher that the server's.
The way I read that is a client will have limited command line capability? that
would be Ok over say some weeks while we upgraded.
regards
Steven Jones
Hi,
BTW, is this advice in the admin guide? I would suggest its worth stating.
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: freeipa-users-boun...@redhat.com
Hi,
I'm definitely interested in this too.
You can use
ipa-replica-manage -v list $HOSTNAME
to get detailed status information.
I also found this:
http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring
But I believe that it needs to have the Directory Manager password
On 05/02/2012 05:46 PM, Ian Levesque wrote:
Hi,
I'm curious how members of this list are monitoring their IPA servers'
replication status. `ipa-replica-manage list` doesn't actually tell you if
your replica is working. I just realized that our replica's IPA processes
were hung (likely as
On 05/02/2012 04:11 PM, Ian Levesque wrote:
On May 2, 2012, at 5:56 PM, Dmitri Pal wrote:
I'm curious how members of this list are monitoring their IPA servers' replication
status. `ipa-replica-manage list` doesn't actually tell you if your replica is
working. I just realized that our
On 05/02/2012 07:36 PM, Ian Levesque wrote:
On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less
privileged account; i.e., an account solely designed to check replication
status?
You also need to expose the RUV
Rich Megginson wrote:
On 05/02/2012 07:36 PM, Ian Levesque wrote:
On May 2, 2012, at 6:48 PM, Rich Megginson wrote:
Is there any way to expose the nsDS5ReplicationAgreement objectClass
to a less privileged account; i.e., an account solely designed to
check replication status?
You also need
32 matches
Mail list logo
