Re: [Freeipa-users] Replication broken

2016-09-26 Thread Timothy Geier
On Sep 26, 2016, at 4:07 PM, Timothy Geier wrote: On Sep 26, 2016, at 2:17 PM, Timothy Geier wrote: This issue started when trying to remove a user; ipa user-del showed “operation failed”

[Freeipa-users] another certmonger question

2016-09-26 Thread Natxo Asenjo
hi, after our upgrade from centos 6.8 to 7.2, when I renew a certificate using ipa-getcert resubmit -i xx the certificate is properly renewed, but the info on ipa host-show still shows the old certificate info. Is this normal? $ sudo getcert list | grep expires expires: 2018-09-27

[Freeipa-users] Replication broken

2016-09-26 Thread Timothy Geier
This issue started when trying to remove a user; ipa user-del showed “operation failed” and the user was not removed. The same ipa user-del command was performed on a replica and completed successfully, but it was then immediately apparent that this change did not replicate anywhere else. All

Re: [Freeipa-users] Distributing user keytabs for non-interactive auth question

2016-09-26 Thread Alexander Bokovoy
On Mon, 26 Sep 2016, Matthew Sellers wrote: Hi Martin, Thank you for the clarification. In my example I am configuring 'unprivileged' service users. Specifically, I wrote a script to pull data from IPA from its wonderful REST interface that will run on a group of hosts. Since this has to run

Re: [Freeipa-users] Distributing user keytabs for non-interactive auth question

2016-09-26 Thread Matthew Sellers
Hi Martin, Thank you for the clarification. In my example I am configuring 'unprivileged' service users. Specifically, I wrote a script to pull data from IPA from its wonderful REST interface that will run on a group of hosts. Since this has to run non-interactively I would like to use a keytab.

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
You should only remove agreements to no longer existing servers, e.g. where: nsDS5ReplicaHost: kdc01.unix.iriszorg.nl. The other one should remain; not sure why it cannot contact the server. On 09/26/2016 03:35 PM, Natxo Asenjo wrote: hi, or do I need to remove: dn:

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
hi, or do I need to remove: dn: cn=cloneAgreement1-kdc03.unix.iriszorg.nl-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config because it has this: nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't contact LDAP server nsds5replicaUpdateInProgress: FALSE

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
hi, On Mon, Sep 26, 2016 at 3:06 PM, Ludwig Krispenz wrote: > > On 09/26/2016 02:56 PM, Natxo Asenjo wrote: > > > so the command has not been successful in the kdc03. in the dirsrv errors > log I see: > > [26/Sep/2016:14:50:54 +0200] NSMMReplicationPlugin - CleanAllRUV

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
On 09/26/2016 02:56 PM, Natxo Asenjo wrote: On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo wrote: On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz wrote: On

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo wrote: > > > > On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz wrote: > >> >> On 09/26/2016 01:36 PM, Natxo Asenjo wrote: >> >> And in my example, the replica id would be 66, 96, 71 and 97, correct? >>

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Troels Hansen
- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote: > > Do you see any log messages in the krb5kdc.log on the IPA server? If it > is not the firewall I would suggest to record the IP traffic of the AD > client and check what it tries to do after the AD DC sends the >

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz wrote: > > On 09/26/2016 01:36 PM, Natxo Asenjo wrote: > > hi, > > I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went > correctly. > > Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors > >

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
On 09/26/2016 01:36 PM, Natxo Asenjo wrote: hi, I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went correctly. Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors [26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace (nsslapd-referral,

[Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Natxo Asenjo
hi, I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went correctly. Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors [26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace (nsslapd-referral, ldap://kdc03.unix.iriszorg.nl:389/o%3Dipaca) failed and

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Sumit Bose
On Mon, Sep 26, 2016 at 01:11:49PM +0200, Troels Hansen wrote: > > > - On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote: > > > > > Have you checked the firewalls? AD clients must be able to talk to the > > KDC port (88 udp and tcp) on the IPA servers to get service tickets

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Alexander Bokovoy
On Mon, 26 Sep 2016, Troels Hansen wrote: - On Sep 26, 2016, at 10:18 AM, Sumit Bose sb...@redhat.com wrote: Have you checked the firewalls? AD clients must be able to talk to the KDC port (88 udp and tcp) on the IPA servers to get service tickets for IPA hosts. KDC ports seem to

Re: [Freeipa-users] Question Test 3rd Party Certificate

2016-09-26 Thread Florence Blanc-Renaud
On 09/24/2016 02:37 PM, Günther J. Niederwimmer wrote: Hello, what is the best way to test a newly installed 3rd Party certificate? I hope I have now installed (with big problems) the new certificate on clients and servers. But now the big question is: is this all working correctly together (?), or

Re: [Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Sumit Bose
On Mon, Sep 26, 2016 at 09:25:46AM +0200, Troels Hansen wrote: > After we installed a new set of IPA servers for prod, and joined AD using > username and password to have AD create a correct suffix routing, everything > seems to work, and the suffix routing is created correctly on AD. > >

[Freeipa-users] SSH key based login for the users

2016-09-26 Thread Deepak Dimri
Hi All, Can I have my IPA server pre-configured with RSA and public key authentication enabled (passwordauthentication no) for its users and at the same time have users automatically register with their ssh key pair during the first-time login process so that they can log in with the keys? I am

Re: [Freeipa-users] Server replication stopped working

2016-09-26 Thread Ludwig Krispenz
On 09/25/2016 09:35 PM, Youenn PIOLET wrote: Hi there, Same issue for me in my 15 ipa-server multi-master grid just after the update. The replication is completely broken except on 3/15 nodes. This is the second time I have had to fully reinitialize the whole cluster for a similar reason. I

[Freeipa-users] SSH using putty to IPA client

2016-09-26 Thread Troels Hansen
After we installed a new set of IPA servers for prod, and joined AD using username and password to have AD create a correct suffix routing, everything seems to work, and the suffix routing is created correctly on AD. However, trying to SSH from Windows using Putty and kerberos fails: Putty log