Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-23 Thread Ian Pilcher
This looks as something PKI specific (given it is in /usr/sbin/pki-server), CCing Endi from Dogtag team. From doing some additional Googling, it seems like the request should be in the PKI-CA dirsrv instance. Thus far, I haven't been able to figure out the incantation necessary to get

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
Hi Lukas, On 02/23/16 13:46, Lukas Slebodnik wrote: > On (23/02/16 13:01), Harald Dunkel wrote: >> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote: >>> I would rather focus on different thing. Why is sssd_be process blocked for >>> long time? >>>

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester 2.0
The "KRB5_TRACE=/dev/stderr kinit jon" command helped out immensely by pointing out that it was failing on dir1, but not dir0. Turns out a DNS issue on my second directory server was breaking replication. Thank you for the assistance. On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
It looks like I have a replication issue. What process manages replication? root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon [6175] 1456260239.45010: Resolving unique ccache of type KEYRING [6175] 1456260239.45131: Getting initial credentials for j...@mrjester.net [6175]

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote: > Made no changes to the system between posting. Only tried a couple of > kinits to generate some logs. > > Set sssd debug to 9, restarted, did a few kinits. kinit doesn't hit sssd, but goes directly to the KDC. > >

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 01:32:11PM -0500, Jester wrote: > New IPA install of Fedora 23 with FreeIPA 4.2.3. Client is Ubuntu > Desktop 15.10 (nuc) with IPA client 4.1.4. > > ipa-client-install was successful. Host object created, DNS updated, etc. > > I am not able to log into the Ubuntu client

[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-23 Thread Marat Vyshegorodtsev
Hi! I've been doing backups using the tool like this: ipa-backup --data --online I didn't want any configuration to be backed up, since it is managed from a chef recipe. However, when I tried to recover the backup to a fresh FreeIPA install, Kerberos (GSSAPI) broke — I can't authenticate myself

[Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
New IPA install of Fedora 23 with FreeIPA 4.2.3. Client is Ubuntu Desktop 15.10 (nuc) with IPA client 4.1.4. ipa-client-install was successful. Host object created, DNS updated, etc. I am not able to log into the Ubuntu client with any user aside from Admin. I get inconsistent password

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> On 02/23/2016 05:10 PM, Andy Thompson wrote: > On 02/23/2016 03:02 PM, Andy Thompson wrote: > > Came across one of my replicas this morning with the following in > > the error log > > > > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of > > available

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
> > The docs you are referring to are quite old: 5 full Fedora releases, > several IPA releases. > You're right, sorry. I found this documentation

Re: [Freeipa-users] server installation but client part fails

2016-02-23 Thread lejeczek
On 23/02/16 15:04, Rob Crittenden wrote: lejeczek wrote: hi everybody I'm trying server installation but it fails, I think very last leg, and I was hoping you could suggest places which I should start looking at. [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 05:10 PM, Andy Thompson wrote: On 02/23/2016 03:02 PM, Andy Thompson wrote: Came across one of my replicas this morning with the following in the error log [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries [20/Feb/2016:17:23:38 -0500]

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> >> On 02/23/2016 03:02 PM, Andy Thompson wrote: > >>> Came across one of my replicas this morning with the following in > >>> the error log > >>> > >>> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of > >>> available lock entries > >>> [20/Feb/2016:17:23:38 -0500]

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-23 Thread Rob Crittenden
Ludwig Krispenz wrote: > The crash is an abort because of a failed assertion in the kerberos code > > Thread 1 (Thread 0x7fa7d4c88700 (LWP 3125)): > #0 0x7fa7e6ace5f7 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x7fa7e6acfce8 in abort () from

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 03:43 PM, Andy Thompson wrote: -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, February 23, 2016 9:31 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] lock table

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Rob Crittenden
Karl Forner wrote: > I forgot to say that I did a "kinit admin" before the ipa user-mod. > > On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner > wrote: > > Hello, > > I tried to postpone a password expiration date, as indicated here: >

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Winfried de Heiden
Hi all, ipa-dns-install --dnssec-master --force did the trick, this is looking much better. I'll do some more tests later. For now, thanks a lot! Winny On 23-02-16 at 14:52, Petr Spacek wrote: On 23.2.2016

[Freeipa-users] server installation but client part fails

2016-02-23 Thread lejeczek
hi everybody I'm trying server installation but it fails, I think very last leg, and I was hoping you could suggest places which I should start looking at. [7/7]: configuring ipa-dnskeysyncd to start on boot Done configuring DNS key synchronization service (ipa-dnskeysyncd). Restarting

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-02-23 Thread Endi Sukma Dewata
On 1/28/2016 2:45 PM, Endi Sukma Dewata wrote: Hi, If you're cloning from an IPA running on RHEL/CentOS 6 with CA signed by another CA you are likely hitting this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1291747 The bug has been fixed in this package: pki-ca-9.0.3-45. You'll need to

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Ludwig Krispenz > Sent: Tuesday, February 23, 2016 9:31 AM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] lock table errors > > > On 02/23/2016 03:02 PM,

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 03:02 PM, Andy Thompson wrote: Came across one of my replicas this morning with the following in the error log [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Deleting

Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
I forgot to say that I did a "kinit admin" before the ipa user-mod. On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner wrote: > Hello, > > I tried to postpone a password expiration date, as indicated here: > >

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Petr Spacek
On 23.2.2016 14:18, Winfried de Heiden wrote: > Hi all, > > And so did I, following > http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured: > > ipa-dns-install --dnssec-master > > The log file for this installation can be found in > /var/log/ipaserver-install.log >

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
On 02/23/2016 11:58 AM, Lukas Slebodnik wrote: > I would rather focus on different thing. > Why is sssd_be process blocked for long time? > I have no idea. Was it really blocked? > Do you use enumeration? > If yes do you really need it. Nope. > > Workaround might be to increase timeout

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 10:55:18AM +0100, Harald Dunkel wrote: > On 02/23/2016 10:00 AM, Jakub Hrozek wrote: > > > > Typically, this happens when the machine SSSD is running on is very > > busy, the sssd_be process is blocked writing some large result from > > LDAP, the monitor process considers

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Lukas Slebodnik
On (23/02/16 10:55), Harald Dunkel wrote: >On 02/23/2016 10:00 AM, Jakub Hrozek wrote: >> >> Typically, this happens when the machine SSSD is running on is very >> busy, the sssd_be process is blocked writing some large result from >> LDAP, the monitor process considers it stuck and kills it.

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-23 Thread Ludwig Krispenz
On 02/22/2016 11:51 PM, Timothy Geier wrote: What’s the established procedure to start a 389 instance without any replication agreements enabled? The only thing that seemed close on google (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html) seems risky

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
On 02/23/2016 10:00 AM, Jakub Hrozek wrote: > > Typically, this happens when the machine SSSD is running on is very > busy, the sssd_be process is blocked writing some large result from > LDAP, the monitor process considers it stuck and kills it. However, we > /should/ restart and reconnect the

Re: [Freeipa-users] WARNING: Using deny rules is deprecated, the option ipa_hbac_treat_deny_as will be removed in the next upstream version

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 10:15:19AM +0100, Harald Dunkel wrote: > Hi folks, > > journalctl shows me a bazillion of Logfile entries: > > Jan 12 20:02:04 host.example.com sssd[be[2362]: WARNING: Using deny rules is > deprecated, the option ipa_hbac_treat_deny_as will be removed in the next >

[Freeipa-users] WARNING: Using deny rules is deprecated, the option ipa_hbac_treat_deny_as will be removed in the next upstream version

2016-02-23 Thread Harald Dunkel
Hi folks, journalctl shows me a bazillion of Logfile entries: Jan 12 20:02:04 host.example.com sssd[be[2362]: WARNING: Using deny rules is deprecated, the option ipa_hbac_treat_deny_as will be removed in the next upstream version This makes about 10% of the whole log. What am I supposed to

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 08:11:58AM +0100, Harald Dunkel wrote: > On 02/22/2016 03:51 PM, Jakub Hrozek wrote: > > > > Is there anything else in the logs (/var/log/sssd/*) > > > > Only some events after sssd went away: > > srvvm01:/var/log/sssd# cat sssd.log.1 > (Sun Feb 21 18:02:21 2016) [sssd]