Hi List
I've just tried to restart my IPA services after recently adding a new
replica (0 configuration changes on the IPA server otherwise!), but
ipactl fails when starting up named:
---
[root@lolpr-xyz-mstr slapd-XYZ-LOCAL]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Some information from the dirsrv error log (sanitized: XYZ = realm):
[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=idm,dc=local
[01/Apr/2015:11:01:49
On 03/31/2015 04:50 PM, Janelle wrote:
On 3/31/15 6:49 AM, Dmitri Pal wrote:
On 03/31/2015 09:38 AM, Janelle wrote:
Hello again,
Is this a feature or a bug?
Migration mode - works fine the first time. However, if you need to run it a
second time because someone added either new users
On 04/01/2015 09:20 AM, Traiano Welcome wrote:
Some information from the dirsrv error log (sanitized: XYZ = realm):
[01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up
[01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no
entries set up under cn=computers,
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
Hello everyone.
We have a IPA 3 and AD domain trust.
Users from AD successfully logs on to linux servers via ssh and hbac rules
works fine with external groups. But not a sudo rules.
When rule defines as 'who' IPA users
Hi all,
we are going to have power maintenance and needed to shutdown two core
FreeIPA server. Is there have any sequence to shutdown and power on FreeIPA
server? Anything I need to aware of?
--
Manage your subscription for the Freeipa-users mailing list:
On 03/31/2015 07:58 PM, Dmitri Pal wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the following output:
configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
On 1.4.2015 04:47, Rob Crittenden wrote:
Janelle wrote:
Hello again...
Looking around, but probably just not in the right place. I would like
to be able to disable httpd on all but a pair of servers, so we kind of
force all updates to come from a master and slave pair. Just trying
to keep
Hi Martin
Thanks for the response. Check results inline:
On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:
On 04/01/2015 09:20 AM, Traiano Welcome wrote:
Some information from the dirsrv error log (sanitized: XYZ = realm):
[01/Apr/2015:11:01:49 +0300] -
On Tue, 31 Mar 2015, Janelle wrote:
Hello again...
Looking around, but probably just not in the right place. I would like
to be able to disable httpd on all but a pair of servers, so we kind
of force all updates to come from a master and slave pair. Just
trying to keep updates defined to 2
On 04/01/2015 10:19 AM, Thomas Lau wrote:
Hi all,
we are going to have power maintenance and needed to shutdown two core
FreeIPA server. Is there have any sequence to shutdown and power on FreeIPA
server? Anything I need to aware of?
Hello,
AFAIK there is no recommended trick. You can turn
Hi Jan,
Thanks for your response. But my problem is AmazonLinux does not support
ipa-client or sssd. No binaries available, lots of dependency issues
compiling from source.
So the route I have taken is to use FreeIPA on Fedora21. And use authconfig
to enumerate users/groups. And have a SSH
On 04/01/2015 07:09 AM, Prashant Bapat wrote:
Hi ,
Is there a way of making the nsAccountLock attribute (User enable/disable)
to be anonymously readable ?
I'm trying to implement a SSH key lookup sshd authorized key command
script. Based on this attribute the user will be allowed to
On Tue, 31 Mar 2015, Dmitri Pal wrote:
On 03/31/2015 05:30 PM, Andrew Holway wrote:
Hello FreeIPA people,
I must say that FreeIPA v4 looks very pretty and I am looking
forward to trying out the new features.
I'm wondering what application and tools can be used to authenticate
with the OTP
On 04/01/2015 07:52 AM, Traiano Welcome wrote:
Hi Dmitri
On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal d...@redhat.com wrote:
On 04/01/2015 04:14 AM, Traiano Welcome wrote:
Hi Martin
Thanks for the response. Check results inline:
On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky
On 1.4.2015 13:16, Ben .T.George wrote:
HI
i have installed latest FreeIPA 4.1.4 on RHEL 7.1
My DNS is working fine. I am getting good response
[root@kwtprsolipa01 ~]# for i in _ldap._tcp _kerberos._tcp _kerberos._udp
_kerberos-master._tcp _kerberos-master._udp _ntp._udp; do echo ; dig
Hi Dmitri
On Wed, Apr 1, 2015 at 3:06 PM, Dmitri Pal d...@redhat.com wrote:
On 04/01/2015 07:52 AM, Traiano Welcome wrote:
Hi Dmitri
On Wed, Apr 1, 2015 at 2:23 PM, Dmitri Pal d...@redhat.com wrote:
On 04/01/2015 04:14 AM, Traiano Welcome wrote:
Hi Martin
Thanks for the response.
On 1.4.2015 11:43, Prashant Bapat wrote:
Hi Jan,
Thanks for your response. But my problem is AmazonLinux does not support
ipa-client or sssd. No binaries available, lots of dependency issues
compiling from source.
So the route I have taken is to use FreeIPA on Fedora21. And use authconfig
ehlo,
CentOS 7.1 was finally released[1]. Yupi.
Fedora 21 was released[2] a few months ago.
People can use FreeIPA 4.1 without any problem.
So there's no more reason to maintain COPR repositories for older
distributions. It will significantly reduce extra dependencies in repositories.
It would
Markus
Not sure if this might be related, at least is a place where to look at..
https://bugzilla.redhat.com/show_bug.cgi?id=1196455
thanks
On 31/03/2015 10:54, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the following
Please could someone explain to me what is happening internally?
In my head I have the following process
The openvpn pam module sends the username and password to pam.
Pam passes this onto sssd
sssd then does the kerberos thing
kerberos passes the password to the LDAP
some LDAP module takes
On Wed, Apr 1, 2015 at 2:20 PM, Martin Babinsky mbabi...@redhat.com wrote:
On 04/01/2015 10:14 AM, Traiano Welcome wrote:
Hi Martin
Thanks for the response. Check results inline:
On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com
wrote:
On 04/01/2015 09:20 AM,
I had this error during my first installation. It turned out the problem
was that port 8443 was already used by another process.
Roberto
On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The
On 04/01/2015 10:14 AM, Traiano Welcome wrote:
Hi Martin
Thanks for the response. Check results inline:
On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote:
On 04/01/2015 09:20 AM, Traiano Welcome wrote:
Some information from the dirsrv error log (sanitized: XYZ =
On 1.4.2015 07:51, Jorgen Lundman wrote:
Hmm, that might be a challenge. bind-dyndb-ldap code implicitly assumes that
there is 1:1 mapping between DNS name-LDAP DN. This makes implementation of
dynamic updates much easier.
Well, you weren't wrong there. :) I did try a few different
On Wed, 01 Apr 2015, Andrew Holway wrote:
Please could someone explain to me what is happening internally?
In my head I have the following process
The openvpn pam module sends the username and password to pam.
Pam passes this onto sssd
sssd then does the kerberos thing
kerberos passes the
Traiano Welcome wrote:
Hi Dmitri
This is a freshly generated DS log (sanitized: XYZ = realm):
389-Directory/1.3.1.6 B2014.160.2139
lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL)
[01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting
Dude. You rock :-)
That was it !! All the entries were the wrong way round (not sure how
I missed that ... time for a visit to the optometrists)
Beer is in the mail!
And thanks to all @redhat for an excellent piece of software and for
all the help today!
On Wed, Apr 1, 2015 at 4:40 PM, Rob
Hmm, really? The port 8443 is already checked in FreeIPA 4.0.4 or later, based
on this ticket:
https://fedorahosted.org/freeipa/ticket/4564
If your installation crashed because port 8443 was occupied, the fix 4564 is
either incomplete or non-functional and we should fix it.
On 04/01/2015 01:38
Hello again,
This is a more general question as I am new to dirsrv a bit. I have
read through a lot of the docs, including 389-ds, but with regards to
IPA, well, I am not 100% clear and perhaps this could help others in the
future.
Are there guidelines or suggestions for RUV's and cleaning
Unfortunately I don't have the log anymore, as it was overwritten by the
following successful installation.
But the personal log I kept manually says (this was freeIPA 4.1.2):
...
Restarting the directory server
Restarting the KDC
Restarting the certificate server
CA did not start in 300.0s
It
On 04/01/2015 12:29 PM, Andrew Holway wrote:
Yes. But stored in LDAP.
Stored in LDAP salted I assume?
Yes. As the standard prescribes.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Hi,
a RUV (replica update vector) is a structure which on each server
maintains a state of updates it has seen from any other server, it is
used in a replication session to determine which updates have to be sent.
Normally you don't need to deal with it, only if you remove a replica it
is
Yes. But stored in LDAP.
Stored in LDAP salted I assume?
Thanks Alexander.
What happens to the passwords? Are they hashed by Kerberos?
On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com wrote:
On Wed, 01 Apr 2015, Andrew Holway wrote:
Please could someone explain to me what is happening internally?
In my head I have the following
On 04/01/2015 11:46 AM, Andrew Holway wrote:
Thanks Alexander.
What happens to the passwords? Are they hashed by Kerberos?
Yes. But stored in LDAP.
On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com
mailto:aboko...@redhat.com wrote:
On Wed, 01 Apr 2015, Andrew Holway
Ludwig Krispenz wrote:
Hi,
a RUV (replica update vector) is a structure which on each server
maintains a state of updates it has seen from any other server, it is
used in a replication session to determine which updates have to be sent.
Normally you don't need to deal with it, only if you
On 04/01/2015 11:14 AM, Luiz Fernando Vianna da Silva wrote:
Hello All.
I've searched the archives of this mailing list looking for an answer
for this one, but all I found lead me nowhere. ☹
Closest thread to help me was:
Hello All.
I’ve searched the archives of this mailing list looking for an answer for this
one, but all I found lead me nowhere. ☹
Closest thread to help me was:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00153.html
Has anyone figured out a way to have expired password changes
Hi
if you got the NTPs in sync and using the same timezone on both it
should be ok
thanks
On 2015-04-01 23:41, Steven Jones wrote:
Hi,
Would IPA have issues if one master is on one side of the Pacific
(New Zealand) and another in the USA?
regards
Steven J
On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
Hello,
After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
have it all working rather nice but with self signed certificates which is
not ideal.
(This is actually amazing btw guys. Like wow. The QR-Codes
On Thu, 2015-04-02 at 00:22 +0100, g.fer.or...@unicyber.co.uk wrote:
Hi
if you got the NTPs in sync and using the same timezone on both it
should be ok
All operations use UTC, so you can set whatever timezone you want on the
machines.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
--
On Wed, 01 Apr 2015, Guertin, David S. wrote:
The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in
my original post.) The client installs without errors, and I can get a
Kerberos ticket for the admin user. But when I
On 04/01/2015 02:28 PM, Guertin, David S. wrote:
The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my
original post.) The client installs without errors, and I can get a Kerberos
ticket for the admin user. But when
On Wed, 01 Apr 2015, Andrew Holway wrote:
On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote:
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
I understand from previous discussions that client certificates are not
yet
supported in FreeIPA, instead I understand
On 04/01/2015 12:32 PM, Ben .T.George wrote:
Hi
I have re-installed everything from RHEL 7.1 DVD and current ipa
version is 4.0.1
everything is working including AD trust.
but my web interface always giving Your session has expired. Please
re-login.
i faced the issue before that time i
I've just set up an IPA domain that is working with our RHEL 6 clients. (The
servers are running RHEL 7.) But about half of our Linux servers are running
RHEL 5, and I'd like to be able to add these as clients as well. Unfortunately
I haven't been able to get it working. Before I get too deep
Hello Dmitri.
Server is running: ipa-server-3.0.0-37.el6.x86_64
My kerberos configuration looks like this on a client:
# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1
On 4/1/15 9:32 AM, Ben .T.George wrote:
Hi
I have re-installed everything from RHEL 7.1 DVD and current ipa
version is 4.0.1
everything is working including AD trust.
but my web interface always giving Your session has expired. Please
re-login.
i faced the issue before that time i
Hello,
After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
have it all working rather nice but with self signed certificates which is
not ideal.
(This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
android app. wtf??!! :)
I'm scratching around trying
Hello Yves.
I was browsing the mailing list archives and found your email from December
2013
(https://www.redhat.com/archives/freeipa-users/2013-December/msg00083.html).
I have successfully found a way to have sudo on AIX work with the sudo rules on
IPA, just like Linux clients.
Give me a
On Wed, 2015-04-01 at 12:33 -0400, Dmitri Pal wrote:
On 04/01/2015 12:29 PM, Andrew Holway wrote:
Yes. But stored in LDAP.
Stored in LDAP salted I assume?
Yes. As the standard prescribes.
Except for the RC4 keys, but the whole keyset is encrypted with the
master key, so the
Guertin, David S. wrote:
I've just set up an IPA domain that is working with our RHEL 6 clients.
(The servers are running RHEL 7.) But about half of our Linux servers
are running RHEL 5, and I'd like to be able to add these as clients as
well. Unfortunately I haven't been able to get it
Hi Yves.
First a little background information regarding sudo on AIX: Most sudo packages
compiled for AIX are _NOT_ compiled with LDAP support.
Although sudo’s documentation states that sudo supports different LDAP
implementations, other than OpenLDAP, I suppose it doesn’t work well with AIX’s
On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
HI
yes i have cleared cache. tried from different browsers, tried from
portable browser, configure kerberos plugin in firefox
this is what i got from inspect:
http://s9.postimg.org/51c5809xr/kerb.jpg
Just to be sure, the
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
I understand from previous discussions that client certificates are not yet
supported in FreeIPA, instead I understand one can use service
certificates. From an OpenVPN standpoint I'm guessing this is fine because
a vpn client can
Hello Dmitri.
Server is running: ipa-server-3.0.0-37.el6.x86_64
My kerberos configuration looks like this on a client:
# cat /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1
On 04/01/2015 06:52 PM, Janelle wrote:
On 4/1/15 9:32 AM, Ben .T.George wrote:
Hi
I have re-installed everything from RHEL 7.1 DVD and current ipa version is 4.0.1
everything is working including AD trust.
but my web interface always giving Your session has expired. Please re-login.
i faced
On 4/1/2015 2:29 AM, Martin Kosek wrote:
On 03/31/2015 07:58 PM, Dmitri Pal wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the following output:
...
Done configuring directory server
everything is default.
but now the issue solved after many restart,kinit ipactl restart
don't still don't know how it got fixed
Regards,
Ben
On Wed, Apr 1, 2015 at 8:31 PM, Nalin Dahyabhai na...@redhat.com wrote:
On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
HI
yes i
On 01/Apr/2015 19:36 Rob Crittenden rcrit...@redhat.com wrote:
Guertin, David S. wrote:
I’ve just set up an IPA domain that is working with our RHEL 6 clients.
(The servers are running RHEL 7.) But about half of our Linux servers
are running RHEL 5, and I’d like to be able to add
The 5.x ipa-client should work fine. What isn't working?
I cannot SSH in as an AD user. (Sorry, I should have mentioned that in my
original post.) The client installs without errors, and I can get a Kerberos
ticket for the admin user. But when I try to SSH in as an AD domain user, the
login
On 04/01/2015 07:46 PM, Ben .T.George wrote:
everything is default.
but now the issue solved after many restart,kinit ipactl restart
don't still don't know how it got fixed
We collected all known potential issues that can have this behavior on this
page:
Hi,
I'm not giving up on this, so I'm testing.
I'm unsure at the moment about the keytab. The keytab is normally for
the user that needs to be able to do stuff, but in this case we need
one for the loadbalancer name or the client maybe combined ?
I lost that overview... would be nice to
On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote:
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
I understand from previous discussions that client certificates are not
yet
supported in FreeIPA, instead I understand one can use service
certificates. From an
In regards to the hangs in the Directory Server that were observed, it
seems related to thread 15 that is polling waiting for something to come
through the pipe which never happens. The default poll timeout is
180 (or 30 minutes!). Reducing this timeout should resolve the hang.
Example:
#
HI
yes i have cleared cache. tried from different browsers, tried from
portable browser, configure kerberos plugin in firefox
this is what i got from inspect:
http://s9.postimg.org/51c5809xr/kerb.jpg
Regards,
Ben
On Wed, Apr 1, 2015 at 7:35 PM, Dmitri Pal d...@redhat.com wrote:
On
On 4/1/2015 4:29 PM, Markus Roth wrote:
On Wednesday, 1 April 2015, 16:04:54 you wrote:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the
On Wednesday, 1 April 2015, 16:56:51 Endi Sukma Dewata wrote:
On 4/1/2015 4:29 PM, Markus Roth wrote:
On Wednesday, 1 April 2015, 16:04:54 you wrote:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on
On Wednesday, 1 April 2015, 16:04:54 you wrote:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the following output:
...
Done
Hi
I have re-installed everything from RHEL 7.1 DVD and current ipa version is
4.0.1
everything is working including AD trust.
but my web interface always giving Your session has expired. Please
re-login.
i faced the issue before that time i destroyed Kerberos ticket (Kdestroy)
and initiated
HI
i have checked from chrome and got 401 error: This is what exactly i
reported 3 weeks back :(
http://s1.postimg.org/41ik3o1hr/kerb.jpg
Regards,
Ben
On Wed, Apr 1, 2015 at 7:45 PM, Ben .T.George bentech4...@gmail.com wrote:
HI
yes i have cleared cache. tried from different browsers,
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want setup freeipa 4.1.3 on a fresh installed fedora 21.
The ipa-server-install shows the following output:
...
Done configuring directory server (dirsrv).
Configuring certificate server
Hi,
Would IPA have issues if one master is on one side of the Pacific (New
Zealand) and another in the USA?
regards
Steven J
We have multiple distributed replicas running in the following locations:
East coast AMER
West coast AMER
London EMEA
and have had no issues with replication or performance. (max ping is about
120ms)
Will Sheldon
On April 1, 2015 at 3:50:23 PM, Steven Jones (steven.jo...@vuw.ac.nz)