[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-16 Thread Brian J. Murrell
Hi, After upgrading to EL 7.3 which included an upgrade of IPA from 4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting: 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind... 22:01:00 ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid

Re: [Freeipa-users] Replica issue / Certificate Authority

2016-12-16 Thread Rob Crittenden
Christopher Young wrote: > Ok. I think I have a 'hint' here, but I could use some help getting this > fixed. > > Comparing the two IPA servers, I found the following (modified SOME of > the output myself): You're right about the ipaCert. I'd export the renewed cert from your working server

Re: [Freeipa-users] Replica issue / Certificate Authority

2016-12-16 Thread Christopher Young
Ok. I think I have a 'hint' here, but I could use some help getting this fixed. Comparing the two IPA servers, I found the following (modified SOME of the output myself): on 'ipa02' (the 'good' one): - ipa cert-show 1 Issuing CA: ipa Certificate: <<>> Subject: CN=Certificate

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-12-16 Thread Christopher Young
I have a similar issue (see my recent list post), and I was wondering if this was ever fixed? CA appears to work on one system (master/replica) but not the other. On Mon, Jun 13, 2016 at 4:41 AM, Petr Vobornik wrote: > On 06/12/2016 07:05 PM, dan.finkelst...@high5games.com

[Freeipa-users] Replica issue / Certificate Authority

2016-12-16 Thread Christopher Young
I'm hoping to provide enough information to get some help to a very important issue that I'm currently having. I have two IPA servers at a single location that recently had a replication issue that I eventually resolved by reinitializing one of the masters/replicas with one that seemed to be the

[Freeipa-users] Add text to web login page

2016-12-16 Thread Mike Waite
I need to add a login banner to the login page for freeIPA, is there a setting that I could easily change for this? Thanks, -- Mike Waite -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

[Freeipa-users] FYI incorrect configuration when using ipa-client-automount

2016-12-16 Thread Rob Verduijn
Hello, I was being bugged by a non-functional automounter. So I tried a fresh centos7.3 install (minimal) with only the additional package ipa-client. I did the installation and update to latest patch level and reboot. Then ran ipa-client-install --enable-dns-updates Did the yes/admin

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-16 Thread Florence Blanc-Renaud
On 12/15/2016 08:01 PM, beeth beeth wrote: Hi Flo, That's a good point! I checked the dirsrv certificate and confirmed valid (good until later next year). Since I had no problem to enroll another new IPA client (RHEL7 box instead of RHEL6) to such replica server, I thought it might not be a

[Freeipa-users] Announcing bind-dyndb-ldap version 11.0

2016-12-16 Thread Tomas Krizek
The FreeIPA team is proud to announce bind-dyndb-ldap version 11.0. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora Rawhide. Latest news: 11.0 [1] The plugin was ported to BIND 9.11. Minimal BIND version is now

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-16 Thread Rob Verduijn
2016-12-15 13:47 GMT+01:00 Petr Vobornik : > On 12/12/2016 08:53 PM, Rob Verduijn wrote: > > Hello, > > > > I've recently upgraded to centos 7.3. > > Didn't intend to so soon but should have checked the announce lists before > > launching my ansible update playbook. > > > >

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 10:19, Alexander Bokovoy wrote: I want to allow users in the AD.EXAMPLE.COM realm to login to machines in the IPA.EXAMPLE.COM realm. Will this still work when the machines are in different DNS domains? Yes, it will. Here is the catch: you need to make sure these different DNS

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy
On Fri, 16 Dec 2016, Brian Candler wrote: On 16/12/2016 08:21, Alexander Bokovoy wrote: So you can have IPA masters with FQDNs in totally different DNS domains than dictated by their Kerberos realm and --domain options. That I understand - not only can the IPA masters have FQDNs in

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Brian Candler
On 16/12/2016 08:21, Alexander Bokovoy wrote: So you can have IPA masters with FQDNs in totally different DNS domains than dictated by their Kerberos realm and --domain options. That I understand - not only can the IPA masters have FQDNs in different DNS domains, but indeed the member

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-16 Thread Alexander Bokovoy
On Thu, 15 Dec 2016, Brian Candler wrote: On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > wrote: yes you can do it. DNS domain and Kerberos realm are two different things. It's common and AFAIK recommended to capitalize DNS domain to get