On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
1.11.6-30. The server is CentOS 7 / IPA 4.1.3
When I try to log in using MIT kerberos and a valid ticket it works on
one
client, and fails on the
Janelle wrote:
On 6/17/15 6:21 AM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It
died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS
Piotr Baranowski wrote:
- On 17 Jun 2015 at 15:51, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- Original message -
From: Alexander Bokovoy aboko...@redhat.com
So you have two different certificates in use here and your client
Hey Rob,
I tried the install again with Java 1.7 and no joy. Do you recommend a
clean install with 1.7?
On Jun 17, 2015 6:15 AM, Rob Crittenden rcrit...@redhat.com wrote:
Randall Harrison wrote:
Hello freeipa!
I am having difficulty installing freeipa on a freshly installed
CentOS6.6 box.
Randall Harrison wrote:
Hey Rob,
I tried the install again with Java 1.7 and no joy. Do you recommend a
clean install with 1.7?
Be sure the CA is completely uninstalled. The installer sometimes
doesn't record that a CA has been partially installed causing the
uninstall to skip it, which
The change that you made might break other things.
On Wed, 2015-06-17 at 22:45 +0530, Prashant Bapat wrote:
Hi Nathaniel,
I think your patch should work. Please give me a day to test and
confirm.
However, I changed this section in otptoken.py:
Hi Nathaniel,
I think your patch should work. Please give me a day to test and confirm.
However, I changed this section in otptoken.py:
StrEnum('ipatokenotpalgorithm?',
cli_name='algo',
label=_('Algorithm'),
doc=_('Token hash algorithm'),
Hello!
Thanks, currently I'm trying to re-initialize all our replicas, hope this will
fix most issues.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, June 17, 2015 6:40 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig
On 06/17/2015 01:38 PM, Alexander Frolushkin wrote:
Ok, I'll try this soon, thank you!
Also, please note, most of today dups appeared when 4 of 19 servers
was very busy in IO (all our servers are VMs), because dirsrv debug
was enabled to gather logs for our case about
attrlist_replace -
Except:
unable to decode: {replica 22} 5576b83e00020016 5576ba4b00020016
unable to decode: {replica 20} 55716e5700030014 55716e5700030014
unable to decode: {replica 16} 548a81260010 548a81260010
unable to decode: {replica 24} 557fb7d400040018
On Wed, 17 Jun 2015, Henry Hofmann wrote:
For redmine use http://www.redmine.org/plugins/redmine_pam_auth. You
don't need to include the user which runs redmine into shadow group
with FreeIPA because user accounts are never in /etc/shadow for
FreeIPA so you don't need that access.
What you
Ok, I'll try this soon, thank you!
Also, please note, most of today dups appeared when 4 of 19 servers was very
busy in IO (all our servers are VMs), because dirsrv debug was enabled to
gather logs for our case about
attrlist_replace - attr_replace (nsslapd-referral,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
It should be possible, yes - if you target web service/Red Mine to the
compat tree, as it was done for example in this integration:
http://www.freeipa.org/page/HowTo/vsphere5_integration
Thanks, your expression is very helpful for
On Wed, 17 Jun 2015, Henry Hofmann wrote:
Thanks, I get more and more information and amazed about FreeIPA and
functionally.
I can successfully login in Redmine and Cloud with users from the trust domain.
I have add additional attributes for the user accounts like mail etc.
For the external
On 06/17/2015 12:57 PM, Alexander Frolushkin wrote:
Unfortunately, number of duplicates grows dramatically on most sites.
Some servers already have over 40 duplicates.
Could you please say, may I use re-initialize on falling replica from
the good one to fix this?
If you have a good one,
Hi list!
I have a challenging setup I need some help with.
My topology:
EXTERNAL CLIENTS - INTERNET - SERVER - IPA - INTERNAL CLIENTS
There is no problem with Internal clients. They register/enroll and then work
like a charm.
The challenge is how external access IPA server.
Firewall
- Original message -
From: Alexander Bokovoy aboko...@redhat.com
So you have two different certificates in use here and your client
doesn't know about the other certificate (from your proxy). You need
either to deliver that certificate to the client by yourself or change
your
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
Hi list!
I have a challenging setup I need some help with.
My topology:
EXTERNAL CLIENTS - INTERNET - SERVER - IPA - INTERNAL CLIENTS
There is no problem with Internal clients. They register/enroll and then work
like a charm.
The challenge is how
Hello.
Another example. Today appeared on servers of different site.
Original LDIF:
# extended LDIF
#
# LDAPv3
# base cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# System: Manage Host Keytab,
Hi, this is really strange, if these conflict entries get created they
should be the same on all servers.
could you repeat the two searches requesting the attribute
nscpentrywsi (you have to do it as directory manager, and add -o
ldif-wrap=no), it could give info when and where these entries
Hi,
I have gotten into a strange situation. I'm running FreeIPA for 2 different
environments, dev/production. By mistake, the domain for both are
configured same. Say EXAMPLE.COM.
Now the problem users are facing when using the web UI using Firefox. It
complains that the secure connection failed
Simo is right! This issue is same as
https://fedorahosted.org/freeipa/ticket/5047
If I change the algorithm in the otp url to uppercase it scans in Google
authenticator/iPhone.
Further more I manually edited
the /usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py and
uppercases the 'sha'
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
It should be possible, yes - if you target web service/Red Mine to the compat
tree, as it was done for example in this integration:
http://www.freeipa.org/page/HowTo/vsphere5_integration
Thanks, your expression is very helpful for nested group
On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
1.11.6-30. The server is CentOS 7 / IPA 4.1.3
When I try to log in using MIT kerberos and a valid ticket it works on one
client, and fails on the
On 06/15/2015 02:19 PM, Henry Hofmann wrote:
Hi,
I have a question about using IPA (v.4) with an AD (2012) Trust.
Is it possible to login with a user from the Active Directory Domain to an
Web-Service (like redmine) which is configured to the IPA LDAP?
I have understand this by read this
Hi,
you did send the data directly to me, maybe not wanting to share them to
everyone. I'll continue discussion here, trying to be careful.
The good entry was created in April on replica 12 0x0c
createTimestamp;vucsn-5524d42b0067000c: 20150408070720Z
the nsuniqueid entry was created
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included
in domain just a few hours ago. Looks like this dup came right after this new
replica creation.
WBR,
Alexander Frolushkin
Cell +79232508764
Work
On 06/17/2015 11:03 AM, Alexander Frolushkin wrote:
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was
included in domain just a few hours ago. Looks like this dup came
right after this new replica creation.
# grep conn=237 ./access
[17/Jun/2015:14:37:03 +0600] conn=237 fd=71 slot=71 connection from 10.99.75.82
to 10.61.8.2
[17/Jun/2015:14:37:03 +0600] conn=237 op=0 BIND dn= method=sasl version=3
mech=GSSAPI
[17/Jun/2015:14:37:03 +0600] conn=237 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL
This is not a good news, because replica id 20 is not exist for a some days
already. It was recreated and now have id 23
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin
Will this be enough?
# grep conn=237 op=93 ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn=cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0 tag=105 nentries=0
etime=0 csn=555ac9360014
#
conn=237 is from 10.99.75.82 which replica is this ?
msk-rhidm-03.unix.megafon.ru:389: 10
On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
This is not a good news, because replica id 20 is not exist for a some days
already. It was recreated and now have id 23
WBR,
Alexander Frolushkin
Cell
conn=237 is from 10.99.75.82 which replica is this ?
On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
This is not a good news, because replica id 20 is not exist for a some
days already. It was recreated and now have id 23
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
In access log:
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 ADD dn=cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
[17/Jun/2015:10:08:01 +0600] conn=2 op=91 RESULT err=0 tag=105 nentries=0
etime=0 csn=5580f321001a
There is a lot of strange around this time in
I'm pretty sure id 26 is unique
ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 20} 555ac82600010014 55716e5700030014
unable to decode: {replica 24} 557fb7d400040018 557fb9a100100018
unable to decode: {replica 22} 5576b83e00010016
This was a usual ipa-replica-install --setup-ca --setup-dns and after that
ipa-adtrust-install.
No DEL found:
# grep cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ./access
[17/Jun/2015:10:08:01 +0600] conn=2 op=89 SRCH base=cn=System: Manage Host
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual ipa-replica-install --setup-ca --setup-dns and
after that ipa-adtrust-install.
No DEL found:
# grep cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru ./access
[17/Jun/2015:10:08:01 +0600]
Unfortunately, number of duplicates grows dramatically on most sites. Some
servers already have over 40 duplicates.
Could you please say, may I use re-initialize on falling replica from the good
one to fix this?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: Ludwig
Hello Alexander,
How did you initialize that new replica 26.
Either 'cn=System: Manage Host
Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of
the total init data, or a DEL of that entry happened on replica 26
(before a new ADD) but the DEL was not replicated to
On 06/17/2015 11:52 AM, Ludwig Krispenz wrote:
On 06/17/2015 11:45 AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual ipa-replica-install --setup-ca --setup-dns and
after that ipa-adtrust-install.
No DEL found:
# grep cn=System: Manage Host
On Wed, Jun 17, 2015 at 12:40:37PM +0530, Prashant Bapat wrote:
Hi,
I have gotten into a strange situation. I'm running FreeIPA for 2 different
environments, dev/production. By mistake, the domain for both are
configured same. Say EXAMPLE.COM.
Now the problem users are facing when using
On 06/17/2015 11:45 AM, thierry bordaz wrote:
On 06/17/2015 11:22 AM, Alexander Frolushkin wrote:
This was a usual ipa-replica-install --setup-ca --setup-dns and
after that ipa-adtrust-install.
No DEL found:
# grep cn=System: Manage Host
On 06/17/2015 11:56 AM, Alexander Frolushkin wrote:
Will this be enough?
# grep conn=237 op=93 ./access
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 ADD dn=cn=System: Manage
Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru
[17/Jun/2015:14:39:46 +0600] conn=237 op=93 RESULT err=0
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the
On 6/17/15 6:21 AM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It
died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS error
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS error -8172:Peer's certificate issuer has been marked as not trusted
by the user.
It was rebuilt - new OS and doing a
On 06/17/2015 02:27 PM, Alexander Frolushkin wrote:
Except:
unable to decode: {replica 22} 5576b83e00020016 5576ba4b00020016
unable to decode: {replica 20} 55716e5700030014 55716e5700030014
unable to decode: {replica 16} 548a81260010 548a81260010
unable to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Ok, how can I configure the map of source attributes (mail or any other) to
compat tree?
Thanks and best regards,
Henry
- -Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, 17 June 2015 14:20
To:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS error -8172:Peer's certificate issuer has been marked as
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- Original message -
From: Alexander Bokovoy aboko...@redhat.com
So you have two different certificates in use here and your client
doesn't know about the other certificate (from your proxy). You need
either to deliver that certificate to
On Wed, 17 Jun 2015, Henry Hofmann wrote:
Ok, how can I configure the map of source attributes (mail or any other) to
compat tree?
Go back in archives in this list and read discussions about Single mail
deployment in an FreeIPA-WindowsAD scenario. TLDR; not possible in the
compat tree as of
- On 17 Jun 2015 at 16:21, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- On 17 Jun 2015 at 15:51, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- Original message -
From: Alexander
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- On 17 Jun 2015 at 15:51, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- Original message -
From: Alexander Bokovoy aboko...@redhat.com
So you have two different certificates in use here
- On 17 Jun 2015 at 15:51, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 17 Jun 2015, Piotr Baranowski wrote:
- Original message -
From: Alexander Bokovoy aboko...@redhat.com
So you have two different certificates in use here and your client
doesn't know about the other
On 6/17/15 6:21 AM, Rob Crittenden wrote:
Janelle wrote:
On 6/17/15 6:14 AM, Rob Crittenden wrote:
Janelle wrote:
Hi,
Had a server - named ipa001.example.com -- it was a replica. It
died. It
was re-installed. However, prior to the re-install it was saying the
wonderful:
TLS error
Prashant,
I have proposed a patch for the issue:
https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html
Please test it and let me know if it works for you.
Nathaniel
On Wed, 2015-06-17 at 12:35 +0530, Prashant Bapat wrote:
Simo is right! This issue is same as
On Wed, 2015-06-17 at 09:17 -0700, nat...@nathanpeters.com wrote:
On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
1.11.6-30. The server is CentOS 7 / IPA 4.1.3
When I try to log in using MIT
On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
1.11.6-30. The server is CentOS 7 / IPA 4.1.3
When I try to log in using MIT kerberos and a valid ticket it works on
one
client, and fails on the
58 matches