[Freeipa-users] sss / nsswitch

2016-09-12 Thread Rob Verduijn
Hi all, Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24. Then after the reboot the nfs-idmap service told me it couldn't start because it could not find method sss. So I filed a bug report and tried switching the method nsswitch. But now all files on my kerberos nfs4 sha

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-12 Thread Endi Sukma Dewata
On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: I've tried that but still the same result. [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h localhost -b "uid=admin,ou=people,o=ipaca" Enter LDAP Password: # extended LDIF # # LDAPv3 # base with scope subtree # filter: (obje

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-12 Thread Rob Crittenden
Natxo Asenjo wrote: hi, I can reproduce this every time. Restarting httpd fixes it for a while, but then it stops working: $ ipa cert-show 1 ipa: ERROR: cannot connect to 'https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is

[Freeipa-users] Freeipa 4.2.0 slow response

2016-09-12 Thread Rakesh Rajasekharan
Hi, I am experiencing a very slow response from freeipa.. the new passwords that I am resetting are never working for the users and it takes a lot of time for an existing user to login around 25 secs. doing a kinit admin itself is very slow KRB5_TRACE=/dev/stderr kinit admin [11298] 1473702491.60

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-12 Thread Georgios Kafataridis
So, does anyone understand something more than me from the logs? Can I search for something that can help me solve it? On 9/9/2016 11:26 PM, Georgios Kafataridis wrote: These are fresh logs from a last attempt to create a replica Centos 7 /var/log/pki/pki-tomcat/ca/debug [09/Sep/2016:22:

[Freeipa-users] About AllowGroups with sshd

2016-09-12 Thread Jose Alvarez R.
Hello, I have a question. I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6). I want to enable root on two of these servers, because they are backup servers. I add these lines in /etc/ssh/sshd_config of a client server. AllowUsers root@192.168.20.2 AllowU

Re: [Freeipa-users] sssd stops after nss crashes

2016-09-12 Thread Lukas Slebodnik
On (12/09/16 21:47), Lachlan Musicman wrote: >SELinux is disabled, updated to 1.14.1 today. > >This is the first crash in weeks, so we aren't that fazed, although we'd >love to know it won't happen again BTW Did it really crash? Do you have a coredump? We fixed a few bad bugs (regressions) in 1.14.1

Re: [Freeipa-users] Increase ListenBacklog for httpd

2016-09-12 Thread Rakesh Rajasekharan
can anyone provide some insight on this please.. I have been trying to debug a hang issue for the past few weeks.. and finally found that it starts with this issue when I see a lot of connections in SYN_RECV state. as it is happening now netstat shows around 14-16 connections in SYN_RECV If I coul

Re: [Freeipa-users] Disable DNS checks using ipa-server-intall with FreeIPA 4.3.2 on Fedora 24?

2016-09-12 Thread Richard Harmonson
Thank you, Martin. '--allow-zone-overlap' may indeed fix one of the challenges. I will give it a try. Another check that is not a blocker but undesirable is the reverse zone lookup. The installer does a check and some turkey upstream of my infrastructure has a zone for 192.168.101.0 in a public DN

Re: [Freeipa-users] Disable DNS checks using ipa-server-intall with FreeIPA 4.3.2 on Fedora 24?

2016-09-12 Thread Richard Harmonson
On Mon, Sep 12, 2016 at 6:01 AM, Rob Crittenden wrote: > Richard Harmonson wrote: > >> Is there an option to disable the various DNS checks using >> ipa-server-install with FreeIPA 4.3.2? Are there plans to provide the >> option in future releases? Reviewing the ipa-server-install man page, I >

Re: [Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
- On Sep 12, 2016, at 2:54 PM, Rob Crittenden rcrit...@redhat.com wrote: > Troels Hansen wrote: >> Not sure if this should actually go here? >> >> ipa-client (and ipa-server) RPM requires ntp. >> Shouldn't it be sufficient to require any tools that provide ntp >> functionality (at least ntp a

Re: [Freeipa-users] problems with ipa server no longer responding to ldap

2016-09-12 Thread Rob Crittenden
siology.io wrote: Hello there. My setup is that i have five ipa servers. 2 in one location (alder, auth-syd2), 2 in another location (auth-wlg, auth-wlg2), and one in yet another location (waffle) which is reached over a long, mostly-but-possibly-notably-not-entirely reliable vpn connection.

Re: [Freeipa-users] Disable DNS checks using ipa-server-intall with FreeIPA 4.3.2 on Fedora 24?

2016-09-12 Thread Rob Crittenden
Richard Harmonson wrote: Is there an option to disable the various DNS checks using ipa-server-install with FreeIPA 4.3.2? Are there plans to provide the option in future releases? Reviewing the ipa-server-install man page, I am not seeing it. I want to compliment the team for placing safeguar

Re: [Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Rob Crittenden
Troels Hansen wrote: Not sure if this should actually go here? ipa-client (and ipa-server) RPM requires ntp. Shouldn't it be sufficient to require any tools that provide ntp functionality (at least ntp and chrony exist in RHEL)? AFAIU there is no way to dynamically prefer one package or ano

Re: [Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
Sorry for this half written email.. - On Sep 12, 2016, at 2:00 PM, Troels Hansen wrote: > ipa-client (and ipa-server) RPM requires ntp. > Shouldn't it be sufficient to req > -- > Kind regards > Troels Hansen > System Consultant > Casalogic A/S > T (+45) 70 20 10 63 > M (+45)

[Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
Not sure if this should actually go here? ipa-client (and ipa-server) RPM requires ntp. Shouldn't it be sufficient to require any tools that provide ntp functionality (at least ntp and chrony exist in RHEL)? -- Kind regards Troels Hansen System Consultant Casalogic A/S T (+

[Freeipa-users] ipa-client requires ntp

2016-09-12 Thread Troels Hansen
ipa-client (and ipa-server) RPM requires ntp. Shouldn't it be sufficient to req -- Kind regards Troels Hansen System Consultant Casalogic A/S T (+45) 70 20 10 63 M (+45) 22 43 71 57 Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more. --

Re: [Freeipa-users] sssd stops after nss crashes

2016-09-12 Thread Lachlan Musicman
SELinux is disabled, updated to 1.14.1 today. This is the first crash in weeks, so we aren't that fazed, although we'd love to know it won't happen again - the servers are part of a cluster that executes automated tasks as the data comes off genome sequencing machines - clinical medical analyses t

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
Yes. I had to restart the browser. Now everything is working again. Thank you. On Mon, Sep 12, 2016 at 12:07 PM, Alexander Bokovoy wrote: > On Mon, 12 Sep 2016, Fujisan wrote: > >> Here is what i get when restarting ipa: >> >> # systemctl restart ipa >> > [] > > Sep 12 11:32:59 myserver ipa

Re: [Freeipa-users] sssd stops after nss crashes

2016-09-12 Thread Lukas Slebodnik
On (12/09/16 11:09), Lachlan Musicman wrote: >We saw another sssd crash on the weekend (well, Friday night). > >Centos 7, sssd 1.14.0 from COPR > Please upgrade to 1.14.1 from copr. >Everything has worked fine for over a month until Friday. > >According to the log sssd_nss on the host in question:

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Alexander Bokovoy
On Mon, 12 Sep 2016, Fujisan wrote: Here is what i get when restarting ipa: # systemctl restart ipa [] Sep 12 11:32:59 myserver ipactl: ipa: INFO: The ipactl command was successful Sep 12 11:32:59 myserver ipactl: Starting Directory Service Sep 12 11:32:59 myserver ipactl: Starting krb5kd

Re: [Freeipa-users] bind crashes on rndc reload

2016-09-12 Thread Anthony Joseph Messina
On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote: > Hi, > > I have a major issue with my setup: > Fedora 24 > freeipa-common-4.3.2-2.fc24.noarch > freeipa-admintools-4.3.2-2.fc24.noarch > freeipa-server-dns-4.3.2-2.fc24.noarch > freeipa-client-common-4.3.2-2.fc24.noarch > freeipa-

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Alexander Bokovoy
On Mon, 12 Sep 2016, Fujisan wrote: Ok I installed the missing package and restarted ipa but it is still not working. We need logs. -- / Alexander Bokovoy

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
Ok I installed the missing package and restarted ipa but it is still not working. On Mon, Sep 12, 2016 at 11:13 AM, Fujisan wrote: > No it is missing! > > On Mon, Sep 12, 2016 at 10:55 AM, Alexander Bokovoy > wrote: > >> On Mon, 12 Sep 2016, Fujisan wrote: >> >>> Hello, >>> >>> This morning I no

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Fujisan
No it is missing! On Mon, Sep 12, 2016 at 10:55 AM, Alexander Bokovoy wrote: > On Mon, 12 Sep 2016, Fujisan wrote: > >> Hello, >> >> This morning I noticed I could not reload the Freeipa web ui. It was >> working well Friday but something must have happened over the weekend. >> > Do you have pki

Re: [Freeipa-users] The Web UI is not loading

2016-09-12 Thread Alexander Bokovoy
On Mon, 12 Sep 2016, Fujisan wrote: Hello, This morning I noticed I could not reload the Freeipa web ui. It was working well Friday but something must have happened over the weekend. Do you have pki-symkey installed? /usr/share/pki/server/common/lib/symkey.jar points to /usr/lib/java/symkey.ja

Re: [Freeipa-users] Disable DNS checks using ipa-server-intall with FreeIPA 4.3.2 on Fedora 24?

2016-09-12 Thread Martin Basti
On 11.09.2016 20:15, Richard Harmonson wrote: Is there an option to disable the various DNS checks using ipa-server-install with FreeIPA 4.3.2? Are there plans to provide the option in future releases? Reviewing the ipa-server-install man page, I am not seeing it. I want to compliment the

[Freeipa-users] bind crashes on rndc reload

2016-09-12 Thread Jochen Demmer
Hi, I have a major issue with my setup: Fedora 24 freeipa-common-4.3.2-2.fc24.noarch freeipa-admintools-4.3.2-2.fc24.noarch freeipa-server-dns-4.3.2-2.fc24.noarch freeipa-client-common-4.3.2-2.fc24.noarch freeipa-server-4.3.2-2.fc24.x86_64 freeipa-server-common-4.3.2-2.fc24.noarch freeipa-client-4

Re: [Freeipa-users] General query regarding nameserver enrtry

2016-09-12 Thread Martin Basti
On 08.09.2016 06:49, Deepak Dimri wrote: Thanks Martin for your reply. It would be cool if i can have IPA client to resolve IPA server without specifying nameserver in resolv.conf How do i configure zone delegation? is there any document i can refer? http://www.zytrax.com/books/dns/ch9/de

Re: [Freeipa-users] sssd stops after nss crashes

2016-09-12 Thread Jakub Hrozek
On Mon, Sep 12, 2016 at 11:09:05AM +1000, Lachlan Musicman wrote: > (Fri Sep 9 20:41:13 2016) [sssd[nss]] [sbus_client_init] (0x0020): > check_file failed for [/var/lib/sss/pipes/private/ > sbus-dp_unix.petermac.org.au]. It looks like the domain process died and never recovered. What is in /var/l

[Freeipa-users] problems with ipa server no longer responding to ldap

2016-09-12 Thread siology.io
Hello there. My setup is that i have five ipa servers. 2 in one location (alder, auth-syd2), 2 in another location (auth-wlg, auth-wlg2), and one in yet another location (waffle) which is reached over a long, mostly-but-possibly-notably-not-entirely reliable vpn connection. I'm having an issue

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-12 Thread Natxo Asenjo
hi, I can reproduce this every time. Restarting httpd fixes it for a while, but then it stops working: $ ipa cert-show 1 ipa: ERROR: cannot connect to ' https://kdc01.unix.domain.tld:443/ca/agent/ca/displayBySerial': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupporte