Re: [Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-19 Thread Ludwig Krispenz
2.prod 0inf02.prod 0inf02.prod 0inf02.dev 0 = “”” Thanks, Goran On May 15, 2017, at 6:35 AM, Ludwig Krispenz <lkris...@redhat.com> wrote: The messages you see could be transient messages, and if replication is working then this seems to be the ca

Re: [Freeipa-users] Cant locate CSN after yum update

2017-05-19 Thread Ludwig Krispenz
ent only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 18 May 2017, at 16:11, Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>> wrote: hi, there was a change that in the case of a missing csn ds wo

Re: [Freeipa-users] Cant locate CSN after yum update

2017-05-18 Thread Ludwig Krispenz
hi, there was a change that in the case of a missing csn ds would not silently use a "close" one and continue, but log an error, backoff and retry - after updates on other masters the starting csn could change and replication continue. Now, in your case the csn reported missing:

Re: [Freeipa-users] Replica cannot be reinitialized after upgrade

2017-05-15 Thread Ludwig Krispenz
The messages you see could be transient messages, and if replication is working then this seems to be the case. If not we would need more data to investigate: deployment info, replicaIDs of all servers, ruvs, logs. Here is some background info: there are some scenarios where a csn could

Re: [Freeipa-users] Fwd: dirsrv not starting after unplanned outage

2017-05-09 Thread Ludwig Krispenz
looks like you lost your configuration files dse.ldif and its backup as well during the outage. could you check what you have in /etc/dirsrv/slapd- you can try to copy one of the *dse.ldif* to dse.ldif and try to restart, but that file maybe up to date. Ludwig On 05/09/2017 12:00 PM, Bret

Re: [Freeipa-users] LDAP Conflicts

2017-05-04 Thread Ludwig Krispenz
you can start here: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts you need first find out which conflict entries you have, which entries need to be preserved, and then can start to

Re: [Freeipa-users] consumer replica which does not show up in ruv list

2017-03-08 Thread Ludwig Krispenz
On 03/07/2017 09:21 PM, lejeczek wrote: On 07/03/17 16:48, Ludwig Krispenz wrote: On 03/07/2017 05:29 PM, lejeczek wrote: On 07/03/17 12:39, Martin Babinsky wrote: On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote: hi, I presume I need to use ldapmodify/delete? I found

Re: [Freeipa-users] consumer replica which does not show up in ruv list

2017-03-07 Thread Ludwig Krispenz
On 03/07/2017 05:29 PM, lejeczek wrote: On 07/03/17 12:39, Martin Babinsky wrote: On Tue, Mar 07, 2017 at 09:55:52AM +, lejeczek wrote: hi, I presume I need to use ldapmodify/delete? I found this(obfuscated by me):

Re: [Freeipa-users] replication breaks intermittently

2017-03-02 Thread Ludwig Krispenz
On 03/01/2017 08:18 PM, pgb205 wrote: [01/Mar/2017:18:19:48 +] agmt="cn=meTo ipa2.internal.domain" (ipa2:389) - Can't locate CSN 582301c3000d0077 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. [01/Mar/2017:18:19:48 +]

Re: [Freeipa-users] unable to decode: {replica

2017-03-01 Thread Ludwig Krispenz
On 02/28/2017 07:52 PM, lejeczek wrote: On 28/02/17 09:45, Petr Vobornik wrote: On 02/26/2017 11:35 AM, lejeczek wrote: hi everyone I first time see: unable to decode: {replica 60} 586eaffd000a003c 586eaffd000a003c Replica Update Vectors: on all four servers. What would be

Re: [Freeipa-users] how to resolve replication conflicts

2017-02-16 Thread Ludwig Krispenz
On 02/16/2017 01:32 PM, Tiemen Ruiten wrote: Hello, I have a FreeIPA setup in which some masters suffered from a few uncontrolled shutdowns and now there are replication conflicts (which prevent from setting the Domain Level to 1). I was trying to follow the instructions here:

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-20 Thread Ludwig Krispenz
thanks for the info Ludwig On 01/20/2017 11:43 AM, Harald Dunkel wrote: On 01/19/17 16:23, Harald Dunkel wrote: Now I get this: [root@ipa1 ~]# kinit admin kinit: Generic error (see e-text) while getting initial credentials Fortunately this went away after a reboot of the servers. Phew

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-18 Thread Ludwig Krispenz
On 01/18/2017 02:57 PM, Harald Dunkel wrote: On 01/17/17 11:38, Sumit Bose wrote: On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote: It seems something got corrupted in my ipa setup. I found this in the sssd log file on Wheezy: (Tue Jan 17 10:19:02 2017)

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-18 Thread Ludwig Krispenz
On 01/18/2017 08:13 AM, Harald Dunkel wrote: Hi Ludwig, On 01/17/17 17:01, Ludwig Krispenz wrote: On 01/17/2017 04:48 PM, Harald Dunkel wrote: On 01/17/17 16:12, Harald Dunkel wrote: On 01/17/17 11:38, Sumit Bose wrote: On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-17 Thread Ludwig Krispenz
On 01/17/2017 04:48 PM, Harald Dunkel wrote: On 01/17/17 16:12, Harald Dunkel wrote: On 01/17/17 11:38, Sumit Bose wrote: On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote: It seems something got corrupted in my ipa setup. I found this in the sssd log file on Wheezy: (Tue Jan 17

Re: [Freeipa-users] SLAPD stops answering

2017-01-09 Thread Ludwig Krispenz
Hi, there seem to be two issues here, maybe related: a hanging slapd process and the retro CL errors. If the slapd process is not responding can we get a pstack or gdb backtrace (http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes) of the process ? About the Retro CL messages, is it

Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Ludwig Krispenz
Hi On 12/22/2016 09:31 AM, Georgijs Radovs wrote: Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these servers are Masters and CAs, both are replicating between each other. But, when I run *ipa topologysegment-find* to view replication

Re: [Freeipa-users] modify schema - add group email and display attribute

2016-12-21 Thread Ludwig Krispenz
On 12/21/2016 02:07 PM, Sandor Juhasz wrote: Hi, i would like to modify schema to have group objects extended with email and display name attribute. The reason is that we are trying to sync our ldap to our google apps. I don't know how much this doc

Re: [Freeipa-users] freeipa 4.1 replication conflict resolve issue

2016-12-21 Thread Ludwig Krispenz
On 12/21/2016 05:11 AM, Ian Chen wrote: hello list, I tried to search for answer, but no solution come up yet. please help. the setup with multiple nodes has IPA version: ipa-server-4.1.0-18.el7.centos.4.x86_64 after adding a replication with an old node, replication conflict occurred.

Re: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start

2016-10-27 Thread Ludwig Krispenz
On 10/27/2016 10:48 AM, Jochen Demmer wrote: On 27.10.2016 at 10:21, Martin Basti wrote: On 27.10.2016 10:02, Jochen Demmer wrote: On 26.10.2016 at 17:31, Martin Basti wrote: On 26.10.2016 17:25, Jochen Demmer wrote: On 26.10.2016 at 16:48, Martin Basti wrote: On

Re: [Freeipa-users] Replica Problem (Errors)

2016-10-24 Thread Ludwig Krispenz
On 10/24/2016 01:21 PM, Günther J. Niederwimmer wrote: Hello Ludwig, thanks for the answer, On Monday, 24 October 2016, 09:53:21, Ludwig Krispenz wrote: On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote: I have added on my ipa (Master) Server this user and ACI with a ldif file

Re: [Freeipa-users] Replica Problem (Errors)

2016-10-24 Thread Ludwig Krispenz
Hi, On 10/23/2016 03:01 PM, Günther J. Niederwimmer wrote: Hello, I have added on my ipa (Master) Server this user and ACI with a ldif file ldapmodify -x -D 'cn=Directory Manager' -W dn: uid=system,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: add objectclass: account objectclass:

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-21 Thread Ludwig Krispenz
On 10/21/2016 04:05 PM, Günther J. Niederwimmer wrote: Hello, Thanks for the answer, On Friday, 21 October 2016, 07:11:58, Rich Megginson wrote: On 10/21/2016 06:42 AM, Günther J. Niederwimmer wrote: Hello Martin and List, Pardon me, but anything is wrong with the ldif i ldapmodify -D

Re: [Freeipa-users] replica DS failure deadlock

2016-10-20 Thread Ludwig Krispenz
On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 09:39 AM, Prashant Bapat wrote: Some more info. This is happening on one of the hosts for which replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again and this time installation went

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication

Re: [Freeipa-users] Different Database Generation ID

2016-10-12 Thread Ludwig Krispenz
Hi, you get the "different database generation" if one side is built from scratch or reimported from a plain ldif without repl state information. replication will only work if both sides have the same data origin. About initializing back and forth it depends on your topology if it can

Re: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed

2016-10-11 Thread Ludwig Krispenz
Hi, you don't specify the version you are using: If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64 the following may apply: >>> we have identified an issue with this version, it includes a fix for 389-ds ticket #48766, which was incomplete and resolved shortly after the release of this version (it

Re: [Freeipa-users] Question about removed replica, take two

2016-10-05 Thread Ludwig Krispenz
Hi, the RUV in the replication agreement is maintained to control changelog trimming, no changes should be deleted from the changelog which have not been seen by all consumers. Since not always a connection for a replication agreement can be established, eg if the consumer is down, this

Re: [Freeipa-users] Server replication stopped working

2016-09-27 Thread Ludwig Krispenz
-- Youenn Piolet piole...@gmail.com <mailto:piole...@gmail.com> / / 2016-09-26 9:42 GMT+02:00 Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>>: On 09/25/2016 09:35 PM, Youenn PIOLET wrote: Hi there, Same issue for me in my 15 ipa-servers mult

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
xo.ase...@gmail.com>> wrote: hi, On Mon, Sep 26, 2016 at 3:06 PM, Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>> wrote: On 09/26/2016 02:56 PM, Natxo Asenjo wrote: so the command has not been successful in the kdc03. in the

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
On 09/26/2016 02:56 PM, Natxo Asenjo wrote: On Mon, Sep 26, 2016 at 1:54 PM, Natxo Asenjo <natxo.ase...@gmail.com <mailto:natxo.ase...@gmail.com>> wrote: On Mon, Sep 26, 2016 at 1:50 PM, Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>> w

Re: [Freeipa-users] replicas removed, but incorrectly

2016-09-26 Thread Ludwig Krispenz
On 09/26/2016 01:36 PM, Natxo Asenjo wrote: hi, I recently upgraded a centos 6.8 realm to centos 7.2 and it almost went correctly. Now I see some errors in /var/log/dirsrv/slapd-INSTANCENAME/errors 26/Sep/2016:13:20:15 +0200] attrlist_replace - attr_replace (nsslapd-referral,

Re: [Freeipa-users] Server replication stopped working

2016-09-26 Thread Ludwig Krispenz
On 09/25/2016 09:35 PM, Youenn PIOLET wrote: Hi there, Same issue for me in my 15 ipa-servers multi-master grid just after the update. The replication is completely broken except on 3/15 nodes. This is the second time I have to fully reinitialize the whole cluster for similar reason. I

Re: [Freeipa-users] FreeIPA upgrade from ipa-server-4.2.0-15.0.1.el7.centos.18 to ipa-server-4.2.0-15.0.1.el7.centos.19 (went sideways)

2016-09-23 Thread Ludwig Krispenz
was going during update and reboot. There have been cases when a dse.ldif was lost after crashing/rebooting a VM, but the missing lock directory is new to me. On Fri, Sep 23, 2016 at 12:18 AM, Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>> wrote: can you

Re: [Freeipa-users] FreeIPA upgrade from ipa-server-4.2.0-15.0.1.el7.centos.18 to ipa-server-4.2.0-15.0.1.el7.centos.19 (went sideways)

2016-09-23 Thread Ludwig Krispenz
can you check if you have /var/lock/dirsrv/slapd-RSINC-LOCAL if the server user has permissions to write into this directory and its subdirs or if any pid file still exists in /var/lock/dirsrv/slapd-RSINC-LOCAL/server On 09/23/2016 07:29 AM, Devin Acosta wrote: Tonight, I noticed there

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-14 Thread Ludwig Krispenz
Hi, On 09/13/2016 07:37 PM, Rakesh Rajasekharan wrote: Hi All, Have finally made some progress with this.. after changing the checkpoint interval to 180, my hangs have gone down now.. However, I faced a similar hang yesterday... users were not able to login.. , though this time the ns-slapd

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
On 08/25/2016 04:41 PM, bahan w wrote: Hello everyone. Could you explain to me about this field Sent/Skipped please ? if replication is enabled all changes on a server are logged into the changelog -changes coming from clients and internal changes (eg memberof update, passwordpolicy

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
I just noticed that you have many skipped entries, Sent/Skipped: 3 / 9045345 that could be an effect of fractional replication which reiterates the same sequence of changes. This is fixed in recent releases, but looks like you're on RHEL 6.6 Ludwig On 08/24/2016 06:33 PM, bahan w wrote: Hey

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
The replication agreements to the "unsync" master say that update has started, so it looks like replication connection is active. You need to check the access and error logs of both sides and check if there is replication traffic On 08/24/2016 06:33 PM, bahan w wrote: Hey guys. I performed

Re: [Freeipa-users] clean-ruv

2016-08-24 Thread Ludwig Krispenz
On 08/24/2016 01:08 AM, Ian Harding wrote: On 08/23/2016 03:14 AM, Ludwig Krispenz wrote: On 08/23/2016 11:52 AM, Ian Harding wrote: Ah. I see. I mixed those up but I see that those would have to be consistent. However, I have been trying to beat some invalid RUV to death for a long time

Re: [Freeipa-users] clean-ruv

2016-08-23 Thread Ludwig Krispenz
e a couple times and that seems to be what got me into this mess... Thank you for your help. On 08/23/2016 01:37 AM, Ludwig Krispenz wrote: looks like you are searching the nstombstone below "o=ipaca", but you are cleaning ruvs in "dc=bpt,dc=rocks", your attrlist_replace

Re: [Freeipa-users] clean-ruv

2016-08-23 Thread Ludwig Krispenz
looks like you are searching the nstombstone below "o=ipaca", but you are cleaning ruvs in "dc=bpt,dc=rocks", your attrlist_replace error refers to the bpt,rocks backend, so you should search the tombstone entry there, then determine which replicaIDs to remove. Ludwig On 08/23/2016 09:20

Re: [Freeipa-users] replica_generate_next_csn messages in dirsrv error logs

2016-08-22 Thread Ludwig Krispenz
, I was able to reproduce the errors by "bulk" deleting 39 DNS entries, and only the MASTER reported "replica_generate_next_csn" entries. Given the size of the logs, I think it would be pointless to do any kind of sanitization. I'll go ahead and gzip them for you and email you off-l

Re: [Freeipa-users] replica_generate_next_csn messages in dirsrv error logs

2016-08-19 Thread Ludwig Krispenz
13:50:49 -0400] conn=1395 op=4160 RESULT err=0 tag=103 nentries=0 etime=0 csn=57b4a4c30016 I'm positive that I was the only one performing DNS updates during this time, and I was only using 1 console. Thanks, John DeSantis 2016-08-18 10:09 GMT-04:00 Ludwig Krispenz <lkris...@redh

Re: [Freeipa-users] replica_generate_next_csn messages in dirsrv error logs

2016-08-18 Thread Ludwig Krispenz
he time syncing)? I know that these questions are probably leaning more towards the 389ds team, so feel free to pass me over to them if need be. I think I can address the ds related questions, but I don't know about console and dns to assess if the behaviour is normal Again, thank you

Re: [Freeipa-users] replica_generate_next_csn messages in dirsrv error logs

2016-08-18 Thread Ludwig Krispenz
On 08/17/2016 08:54 PM, John Desantis wrote: Hello all, We've been re-using old host names and IP addresses for a new deployment of nodes, and recently I've been seeing the messages pasted below in the slapd-DC.DC.DC "error" log on our nodes. [17/Aug/2016:10:30:30 -0400] -

Re: [Freeipa-users] Problem with replication

2016-08-12 Thread Ludwig Krispenz
On 08/12/2016 04:10 PM, Louis Francoeur wrote: Since the rpm update to ipa-server-dns-4.2.0-15.0.1.el7.centos.18.x86_64 (running on Centos 7), most of my replication started to fail with: what do you mean by "most of", if some servers still work and others don't is there something

Re: [Freeipa-users] Could not delete change record

2016-07-12 Thread Ludwig Krispenz
On 07/12/2016 11:25 AM, Christophe TREFOIS wrote: Hi, I have 3 replicas running 4.1 and 3 replicas running 4.2. One of the 4.2 replicas is the new master (CRL) and is at the moment replicating against the old 4.1 cluster (we are in the process of migrating). Upon restart of the 4.2

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-05 Thread Ludwig Krispenz
don't need to reveal any real data, just which objectclasses and attributes the entry has On 2016-07-05 10:51, Ludwig Krispenz wrote: well, this does not have more information: #0 0x7efe7167c4c0 in ipapwd_keyset_free () from /usr/lib64/dirsrv/plugins/libipa_pwd_extop.so No symbol table info

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-05 Thread Ludwig Krispenz
containing arbitrary octets. Please open a ticket to get this worked on: https://fedorahosted.org/freeipa/newticket Ludwig On 07/05/2016 12:07 AM, Omar AKHAM wrote: Ok, here is a new core file : http://pastebin.com/2cJQymHd Best regards On 2016-07-04 09:39, Ludwig Krispenz wrote: On 07/03/2016 03

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-04 Thread Ludwig Krispenz
, Ludwig Krispenz wrote: please keep the discussion on the mailing list On 07/01/2016 01:17 PM, Omar AKHAM wrote: Which package to install ? ipa-debuginfo? yes 2 other crashes last night, with a different user bind this time : rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-01 Thread Ludwig Krispenz
10\311\377+b\177\000\000\250\311\377+b\177", '\000' , "\002\000\000\000 \305\363Tb\177\000\000\377\377\37 7\377\377\377\377\377\320\030\002\000b\177\000\000\000\000\000\000\000\000\000\000~a\003\000b\177", '\000' bind_target_entry = 0x0 On 2016-06-30 18:16, Ludwig Kris

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
On 06/30/2016 02:45 PM, Ludwig Krispenz wrote: On 06/30/2016 02:27 PM, d...@mdfive.dz wrote: Hi, Please find strace on a core file : http://pastebin.com/v9cUzau4 the crash is in an IPA plugin, ipa_pwd_extop, to get a better stack you would have to install also the debuginfo for ipa-server

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
should look into it Regards On 2016-06-30 12:13, Ludwig Krispenz wrote: can you get a core file ? http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes On 06/30/2016 11:28 AM, d...@mdfive.dz wrote: Hi, The Directory Services crashes several times a day. It's installed on CentOS 7 VM

Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-06-30 Thread Ludwig Krispenz
can you get a core file ? http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes On 06/30/2016 11:28 AM, d...@mdfive.dz wrote: Hi, The Directory Services crashes several times a day. It's installed on CentOS 7 VM : Installed Packages Name: ipa-server Arch: x86_64

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Ludwig Krispenz
On 06/28/2016 10:33 AM, Natxo Asenjo wrote: hi Ludwig, On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz <lkris...@redhat.com <mailto:lkris...@redhat.com>> wrote: On 06/28/2016 09:50 AM, Natxo Asenjo wrote: I'd like to have internally all sort of ldap access, but

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Ludwig Krispenz
On 06/28/2016 09:50 AM, Natxo Asenjo wrote: On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy > wrote: On Tue, 28 Jun 2016, Natxo Asenjo wrote: hi, according to the RHDS documentation (

Re: [Freeipa-users] replication - ruv errors

2016-06-08 Thread Ludwig Krispenz
On 06/07/2016 06:17 PM, Andy Brittingham wrote: Hello, I'm having issues with freeipa replication. Currently we have 4 Freeipa servers, in a master - master relationship with replication agreements between all servers. I noticed the replication failure messages in the logs late last week

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz
On 05/17/2016 12:49 PM, Ludwig Krispenz wrote: On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Ludwig Krispenz
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against

Re: [Freeipa-users] krb5kdc service not starting

2016-05-12 Thread Ludwig Krispenz
-- From: Alexander Bokovoy [mailto:aboko...@redhat.com <mailto:aboko...@redhat.com>] Sent: April 27, 2016 1:19 PM To: Gady Notrica Cc: Ludwig Krispenz; freeipa-users@redhat.com <mailto:freeipa-users@redhat.com> Subject: Re: [Freeipa-users] krb5kdc service not start

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz
wanted to add Noriko, but hit send too quickly On 04/28/2016 01:26 PM, Ludwig Krispenz wrote: On 04/28/2016 12:06 PM, Martin Kosek wrote: On 04/28/2016 01:23 AM, Sean Hogan wrote: Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-28 Thread Ludwig Krispenz
On 04/28/2016 12:06 PM, Martin Kosek wrote: On 04/28/2016 01:23 AM, Sean Hogan wrote: Hi Martin, No joy on placing - in front of the RC4s I modified my nss.conf to now read # SSL 3 ciphers. SSL 2 is disabled by default. NSSCipherSuite

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
: cid:image002.jpg@01CBD419.622CDF90* <http://www.linkedin.com/profile/view?id=36869324=tab_pro> *From:*Ludwig Krispenz [mailto:lkris...@redhat.com] *Sent:* April 27, 2016 10:58 AM *To:* Gady Notrica *Cc:* Rob Crittenden; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] krb5kdc service not

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
.candeal.ca ns-slapd[9830]: [27/Apr/2016:10:26:17 -0400] dse - Please edit the file to correct the reported problems and then restart the server. [root@cd-p-ipa1 log]# Gady *From:*Ludwig Krispenz [mailto:lkris...@redhat.com] *Sent:* April 27, 2016 10:06 AM *To:* Gady Notrica *Cc:* Rob Crittenden

Re: [Freeipa-users] krb5kdc service not starting

2016-04-27 Thread Ludwig Krispenz
to correct the reported problems and then restart the server. we need the logs from that time Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 26, 2016 2:44 PM To: Gady Notrica; Ludwig Krispenz; freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kd

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Ludwig Krispenz
On 04/26/2016 03:26 PM, Gady Notrica wrote: Here... [root@cd-p-ipa1 log]# ipactl status Directory Service: STOPPED Directory Service must be running in order to obtain status of other services ipa: INFO: The ipactl command was successful [root@cd-p-ipa1 log]# systemctl status

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-15 Thread Ludwig Krispenz
ipaca) failed. Greets Kilian From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf of Ludwig Krispenz <lkris...@redhat.com> Sent: Thursday, 14 April 2016 16:46 To: freeipa-users@redhat.com Subject: Re: [Freeipa

Re: [Freeipa-users] Zombie Replica !

2016-04-07 Thread Ludwig Krispenz
On 04/07/2016 07:23 AM, Prashant Bapat wrote: What I have done now was to add a new server, ipa02 and configured replication again and things are fine. However on IPA1 the 389 ds error logs have reference to the dead ipa2 replica. [07/Apr/2016:04:13:11 +] NSMMReplicationPlugin -

Re: [Freeipa-users] start and stop of ipa commands in systemd

2016-04-04 Thread Ludwig Krispenz
On 04/04/2016 01:40 PM, Martin (Lists) wrote: On 04.04.2016 at 09:06, Martin Babinsky wrote: On 04/01/2016 08:53 PM, Martin (Lists) wrote: Hello I have a question regarding enabling/disabling separate ipa parts in systemd. Is it necessary or required to have httpd, directory server, named

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-15 Thread Ludwig Krispenz
On 03/14/2016 05:33 PM, Andrew E. Bruno wrote: On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote: On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-14 Thread Ludwig Krispenz
On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote: [09/Mar/2016:11:33:03 -0500] NSMMReplicationPlugin - changelog

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Ludwig Krispenz
On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 05:21:50PM +0100, Ludwig Krispenz wrote: On 03/09/2016 04:46 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 10:37:05AM -0500, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 04:13:28PM +0100, Ludwig Krispenz wrote

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-09 Thread Ludwig Krispenz
On 03/09/2016 03:46 PM, Andrew E. Bruno wrote: Hello, We had a replica fail today with: [09/Mar/2016:09:39:59 -0500] NSMMReplicationPlugin - changelog program - _cl5NewDBFile: PR_DeleteSemaphore: /var/lib/dirsrv/slapd-CBLS-CCR-BUFFALO-EDU/cldb/e909b405-2cb811e5-ac0b8f7e-e0b1a377.sema; NSPR

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 05:10 PM, Andy Thompson wrote: On 02/23/2016 03:02 PM, Andy Thompson wrote: Came across one of my replicas this morning with the following in the error log [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries [20/Feb/2016:17:23:38 -0500]

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 03:43 PM, Andy Thompson wrote: -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, February 23, 2016 9:31 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] lock table

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz
On 02/23/2016 03:02 PM, Andy Thompson wrote: Came across one of my replicas this morning with the following in the error log [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Deleting

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-23 Thread Ludwig Krispenz
On 02/22/2016 11:51 PM, Timothy Geier wrote: What’s the established procedure to start a 389 instance without any replication agreements enabled? The only thing that seemed close on google (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html) seems risky

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-22 Thread Ludwig Krispenz
The crash is an abort because of a failed assertion in the kerberos code Thread 1 (Thread 0x7fa7d4c88700 (LWP 3125)): #0 0x7fa7e6ace5f7 in raise () from /lib64/libc.so.6 No symbol table info available. #1 0x7fa7e6acfce8 in abort () from /lib64/libc.so.6 No symbol table info available.

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Ludwig Krispenz
is wrong. I also tried to set TLS_REQCERT to allow just to be sure (in case that bad cert is provided). On 2016/02/12 16:57, Ludwig Krispenz wrote: On 02/12/2016 03:35 PM, Filip Pytloun wrote: It's the same as for idm01: [12/Feb/2016:15:24:26 +0100] NSMMReplicationPlugin - agmt="cn=meTo

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-12 Thread Ludwig Krispenz
On 02/12/2016 03:06 PM, Filip Pytloun wrote: Hello, even when enabling replication logging, I get nothing useful in logs: [12/Feb/2016:14:57:00 +0100] NSMMReplicationPlugin - agmt="cn=meToidm02.tcpcloud.eu" (idm02:389): Trying secure startTLS slapi_ldap_init_ext [12/Feb/2016:14:57:00 +0100]

Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-12 Thread Ludwig Krispenz
59 +0100] conn=15 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [12/Feb/2016:15:33:59 +0100] conn=15 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [12/Feb/2016:15:34:00 +0100] conn=15 TLS1.2 128-bit AES-GCM [12/Feb/2016:15:34:00 +0100] conn=15 op=-1 fd=64 closed - B1 On

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: Hello List, I set up a CentOS 7.2 System with two master Server now I found this 1000 x Error on my first master? attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.xxx.at:389/ o%3Dipaca) failed. did you install and

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote: Hello Ludwig, Am Dienstag, 26. Januar 2016, 11:03:27 CET schrieb Ludwig Krispenz: On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: Hello List, I set up a CentOS 7.2 System with two master Server now I found this 1000 x Error on my

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
, 14:48:31 CET schrieb Ludwig Krispenz: On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote: Am Dienstag, 26. Januar 2016, 11:03:27 CET schrieb Ludwig Krispenz: On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: I set up a CentOS 7.2 System with two master Server now I found this 1000 x E

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz
On 01/25/2016 01:43 PM, Martin Kosek wrote: On 01/25/2016 01:34 PM, thierry bordaz wrote: On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters a Error. NSMMReplicationPlugin -

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz
On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters a Error. NSMMReplicationPlugin - replication keep alive entry

Re: [Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread Ludwig Krispenz
could you get a core dump from the crash: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes Ludwig On 01/25/2016 12:08 PM, bahan w wrote: Hello ! I recently installed a replica (master2) in addition of my master (master1) with IPA 3.0.0-47 on RHEL6.6. I don't know from when

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-22 Thread Ludwig Krispenz
On 01/22/2016 04:48 AM, Nathan Peters wrote: Here are the results for that aci search using a non gssapi bind by directory manager on the old master that we are attempting to join against. I don't see anything in this list that would indicate that some users should or should not have access

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-21 Thread Ludwig Krispenz
On 01/21/2016 08:50 AM, Nathan Peters wrote: I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly. It seems that no account, no keytab, and no host can

Re: [Freeipa-users] ns-slapd using all CPU ressources

2016-01-19 Thread Ludwig Krispenz
Hi, if you are running 389-ds 1.3.4+ you may hit ticket #48379. It is fixed and a new build is in preparation Ludwig On 01/19/2016 03:39 PM, Domingues Luis Filipe wrote: Hi, Reading the backtrace I have 30 threads with the same stack: Thread 6 (Thread 0x7f572efed700 (LWP 1335)): #0

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Ludwig Krispenz
On 01/18/2016 04:47 AM, Nathan Peters wrote: This is another issue I'm not sure how to debug or solve in 4.3.0. A failed replica installation left a replica with stuff in the tree, but not configured properly on the localhost. I did ipa-server-install --uninstall as suggested by the

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-15 Thread Ludwig Krispenz
On 01/15/2016 08:32 AM, Nathan Peters wrote: I think I've finally started to make some progress on this. I did a lot of googling and found some stuff to run manually in 389 ds through ldapmodify commands to clean RUVs. During this process the server crashed and when it came back online,

Re: [Freeipa-users] Issues with 'A replication agreement for the host already exists', when it very much doesn't

2015-12-22 Thread Ludwig Krispenz
On 12/21/2015 05:49 PM, Alex Williams wrote: I began installing a new ipa4 replica this morning and it all went wrong. The ipa-replica-install script got all the way to restarting ipa with systemctl at the very end, having set up replication and then fell over, because systemctl couldn't find

Re: [Freeipa-users] Purge old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 file

2015-12-22 Thread Ludwig Krispenz
Hi, On 12/22/2015 11:43 AM, David Goudet wrote: Hi, I have multimaster replication environment. On each replica, folder /var/lib/dirsrv/slapd-/cldb/ has big size (3~GB) and old entries in /var/lib/dirsrv/slapd-xxx/cldb/xxx.db4 have three month year old: sudo dbscan -f

Re: [Freeipa-users] Restricting access to unencrypted LDAP connections

2015-11-17 Thread Ludwig Krispenz
you could set minssf: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/SecureConnections.html#requiring-secure-connections On 11/18/2015 07:24 AM, Prashant Bapat wrote: Hi, We have a pair of freeipa servers (4.1.4) and a bunch of Linux clients

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Ludwig Krispenz
----Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Tuesday, November 10, 2015 9:48 AM To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov> Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authenticat
