Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Janelle
Sorry Rob - I beg to differ here. I can replicate this with my replica failures. It happens that a replica simply loses its mind. Somehow the keytab gets mucked up and further connections for replication fail -- it shows a failed "admin" login and they add up because the other servers

Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Rob Crittenden
Janelle wrote: You will find, if you check in the ns-slapd "errors" log that this server may no longer be handling replication correctly. Look in /var/log/dirsrv/slapd-INSTANCE/errors This probably doesn't have anything to do with replication. Lockout is per-master because failed (and

Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Janelle
You will find, if you check in the ns-slapd "errors" log that this server may no longer be handling replication correctly. Look in /var/log/dirsrv/slapd-INSTANCE/errors Look for errors where replication is not starting correctly because of credential problems. You may have to re-init

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden wrote: Marc Wiatrowski wrote: Hello, In trying to script some changes for automount locations. I've noticed 'ipa

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Marc Wiatrowski
That looks to have done the trick! (no restart needed) thank you On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden wrote: > Marc Wiatrowski wrote: > >> On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden > > wrote: >> >> Marc

[Freeipa-users] Replacing the "master"

2015-09-03 Thread Steven Jones
I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002. Directory Manager password: Deleting a master is irreversible. To reconnect to the remote

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: That looks to have done the trick! (no restart needed) thank you Great. I opened https://fedorahosted.org/freeipa/ticket/5285 to track this. rob On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden wrote: Marc

Re: [Freeipa-users] Replacing the "master"

2015-09-03 Thread Rob Crittenden
Steven Jones wrote: I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002. Directory Manager password: Deleting a master is irreversible. To

[Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Torsten Harenberg
Dear all, I cannot get an "admin" kerberos token anymore on our main IPA server: [root@ipa log]# kinit admin kinit: Clients credentials have been revoked while getting initial credentials Sep 03 11:02:30 ipa.pleiades.uni-wuppertal.de krb5kdc[1351](info): AS_REQ (6 etypes {18 17 16 23 25 26})

Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Torsten Harenberg
Sorry for self-replying, I was able to solve it by using the 2nd IPA server: [root@ipa2 ~]# kinit admin Password for ad...@pleiades.uni-wuppertal.de: [root@ipa2 ~]# ipa user-status admin --- Account disabled: False --- Server:

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Alexander Bokovoy
On Wed, 02 Sep 2015, Prasun Gera wrote: I have zero confidence in any of the install and uninstall scripts. And this is on RHEL systems. On unofficial ones like Ubuntu, things are even more broken. I really like freeipa, but so far even in a smallish lab environment, it has been a nightmare. I

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Jakub Hrozek
On Wed, Sep 02, 2015 at 06:30:09PM -0700, Prasun Gera wrote: > FYI, I think the culprit (at least one of) is ipa-client-automount > --uninstall. This removes sss entirely from nsswitch, not just from the > automount section. Hmm, I haven't tested that but it sounds like a bug. I would expect

Re: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts

2015-09-03 Thread Prasun Gera
I have zero confidence in any of the install and uninstall scripts. And this is on RHEL systems. On unofficial ones like Ubuntu, things are even more broken. I really like freeipa, but so far even in a smallish lab environment, it has been a nightmare. I am really tempted to just go back to NIS.