Dear community,
we just moved our infrastructure (about 200 node cluster plus about 30
workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
Xen4).
Approx once a day, the Kerberos service on the primary server suddenl
On Wed, Jul 22, 2015 at 11:06:53AM +0200, Torsten Harenberg wrote:
> Dear community,
>
> we just moved our infrastructure (about 200 node cluster plus about 30
> workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
>
> We have two IPA servers (called "ipa" and "ipa2" both paravirtualized o
On Wed, 22 Jul 2015, Torsten Harenberg wrote:
Dear community,
we just moved our infrastructure (about 200 node cluster plus about 30
workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
Xen4).
Approx once a day, th
Dear Alexander, dear Sumit,
thank you very much indeed for the quick replies.
On 22.07.15 at 11:21, Sumit Bose wrote:
> Looks like there are issues getting the needed data from the local LDAP
> server. The message below about the master key points into the same
> direction. Can you check the 389
On Wed, 22 Jul 2015, Torsten Harenberg wrote:
Dear Alexander, dear Sumit,
thank you very much indeed for the quick replies.
On 22.07.15 at 11:21, Sumit Bose wrote:
Looks like there are issues getting the needed data from the local LDAP
server. The message below about the master key points int
On Wed, Jul 22, 2015 at 11:39:25AM +0200, Torsten Harenberg wrote:
> Dear Alexander, dear Sumit,
>
> thank you very much indeed for the quick replies.
>
> On 22.07.15 at 11:21, Sumit Bose wrote:
> > Looks like there are issues getting the needed data from the local LDAP
> > server. The message b
Apologies if this has been answered before but we're interested in
dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
and following the docs here:
https://www.freeipa.org/page/Howto/DNSSEC
and
http://www.freeipa.org/page/Releases/4.1.0#DNSSEC_Support
# ipa-dns-install --dn
On Wed, 22 Jul 2015, Andrew E. Bruno wrote:
Apologies if this has been answered before but we're interested in
dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
and following the docs here:
https://www.freeipa.org/page/Howto/DNSSEC
and
http://www.freeipa.org/page/Releases
On Wed, Jul 22, 2015 at 04:48:33PM +0300, Alexander Bokovoy wrote:
> On Wed, 22 Jul 2015, Andrew E. Bruno wrote:
> >Apologies if this has been answered before but we're interested in
> >dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server 4.1.0-18
> >and following the docs here:
> >https
> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>
> This is original 'dc' definition:
>
On 07/22/2015 03:39 AM, Torsten Harenberg wrote:
Dear Alexander, dear Sumit,
thank you very much indeed for the quick replies.
On 22.07.15 at 11:21, Sumit Bose wrote:
Looks like there are issues getting the needed data from the local LDAP
server. The message below about the master key points
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
On Mon, 20 Jul 2015, Alexandre Ellert wrote:
Can you please show output from
fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
# fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
This is or
> On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
>>>
>>> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
> Can you please show output from
> fgrep -r 'dc' /etc/dirsr
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
On Mon, 20 Jul 2015, Alexandre Ellert wrote:
Can you please show output from
fgrep -r '
> On 22 Jul 2015, at 17:43, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 22 Jul 2015, at 17:09, Alexander Bokovoy wrote:
>>>
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
> On 20 Jul 2015, at 17:17, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?
Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schema/00core.ldif:attributeTypes: ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domaincomponent' )
/etc/dirsrv/
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?
Server 1:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
/etc/dirsrv/schem
> On 22 Jul 2015, at 18:40, Alexander Bokovoy wrote:
>
> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
>>
>>> On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
>>>
>>> On Wed, 22 Jul 2015, Alexandre Ellert wrote:
> # fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
> from both se
Dear Rich,
On 22.07.2015 at 17:03, Rich Megginson wrote:
>>
>
> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
> slapi-nis
> and follow the directions at
> http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
> to get a full stack trace
thanks for the hint. Did
On 07/22/2015 11:03 AM, Torsten Harenberg wrote:
Dear Rich,
On 22.07.2015 at 17:03, Rich Megginson wrote:
It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
slapi-nis
and follow the directions at
http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
to get a full s
Hi Rich,
On 22.07.2015 at 19:25, Rich Megginson wrote:
>
> No, probably not. I think it is either BIND or sssd.
from that I would say sssd:
[root@ipa ~]# netstat -p
Aktive Internetverbindungen (ohne Server)
Proto Recv-Q Send-Q Local Address Foreign Address
State PID/Program na
Hello everyone,
I am using Fedora 22 Server with COPR repos enabled for FreeIPA 4.2.
According to the documentation, I execute sudo dnf install -y
"*ipa-server" "*ipa-server-trust-ad" bind bind-dyndb-ldap; however, the
following error occurs
Error: package freeipa-server-trust-ad-4.1.4-2.fc22.x86
Hi All,
I have been messing around with AD trust installs mainly around doing
ntlm_auth for a radius server.
However, as I was unable to see some of the needed resources, I
thought maybe IPA may need a kick.
So I ran the following command
`ipactl
On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
> >>>/lib64/libpthread.so.0
> >>>#1 0x7fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
> >>>#2 0x7fb8565f19a5 in ps_send_results ()
> >>>#3 0x7fb8544facab in _pt_root () from /lib64/libnspr4.so
> >>>#4 0x7f
Bill,
Can you let us know what version of FreeIPA you're using? This is most likely due
to the occurrence of "NT_STATUS_INVALID_PARAMETER", which is most likely a time
skew issue between AD and IPA. Can you verify this? Thanks!
-- Dave
- Original Message -
> From: "William Graboyes"
> To:
On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
/lib64/libpthread.so.0
#1 0x7fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
#2 0x7fb8565f19a5 in ps_send_results ()
#3 0x7fb8544facab in _pt_root () from /lib64/li
On 07/22/2015 01:47 PM, Torsten Harenberg wrote:
On 22.07.2015 at 21:32, Rich Megginson wrote:
On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
/lib64/libpthread.so.0
#1 0x7fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
On 22.07.2015 at 21:32, Rich Megginson wrote:
> On 07/22/2015 01:17 PM, Jakub Hrozek wrote:
>> On Wed, Jul 22, 2015 at 11:25:12AM -0600, Rich Megginson wrote:
>> /lib64/libpthread.so.0
>> #1 0x7fb8544f5440 in PR_WaitCondVar () from /lib64/libnspr4.so
>> #2 0x7fb8565f19a5 in p
On Wed, 22 Jul 2015, William Graboyes wrote:
Hi All,
I have been messing around with AD trust installs mainly around doing
ntlm_auth for a radius server.
However, as I was unable to see some of the needed resources, I
thought maybe IPA may need a
On Wed, Jul 22, 2015 at 11:14:51AM -0700, William Graboyes wrote:
>
> Hi All,
>
> I have been messing around with AD trust installs mainly around doing
> ntlm_auth for a radius server.
>
> However, as I was unable to see some of the needed reso
On 22.07.2015 at 21:49, Rich Megginson wrote:
>>
>> but strange: there is no bind binary:
>
> Then I'm not sure what's going on.
currently there is a java process on ldaps:
[root@ipa ~]# netstat -p -n | grep 636
tcp6 0 0 132.195.124.12:636 132.195.124.12:36546
VERBUNDEN 800/ns-
On 07/22/2015 02:09 PM, Torsten Harenberg wrote:
On 22.07.2015 at 21:49, Rich Megginson wrote:
but strange: there is no bind binary:
Then I'm not sure what's going on.
currently there is a java process on ldaps:
[root@ipa ~]# netstat -p -n | grep 636
tcp6 0 0 132.195.124.12:636
Hi Dave,
There is no actual AD at this time. Thanks :)
On 7/22/15 12:22 PM, Dave Sirrine wrote:
> Bill,
>
> Can you let us know what version of FreeIPA you're using? This is most
> likely due to the occurrence of "NT_STATUS_INVALID_PARAMETER", which
>
Hi Alexander,
Thank you for the pointers. However, it seems that I am still not
getting the ipaNTSecurityIdentifier returned. Even after re-running
the ipa-adtrust-install --add-sids (which I believe it gave me the
option for on initial install, and
Hello,
I’m looking for an example sssd.conf migration configuration that will allow for
the user to seamlessly authenticate to LDAP or freeIPA prior to installation of
the freeipa client.
This would be during migration to generate kerberos hashes for each user while
still providing legacy LDAP
Good morning,
On 22.07.15 at 19:25, Rich Megginson wrote:
> On 07/22/2015 11:03 AM, Torsten Harenberg wrote:
>> Dear Rich,
>>
>> On 22.07.2015 at 17:03, Rich Megginson wrote:
>>> It might be helpful to do a # debuginfo-install 389-ds-base ipa-server
>>> slapi-nis
>>> and follow the directions at
On 07/22/2015 06:40 PM, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
On 22 Jul 2015, at 18:08, Alexander Bokovoy wrote:
On Wed, 22 Jul 2015, Alexandre Ellert wrote:
# fgrep -r 0.9.2342.19200300.100.1.25 /etc/dirsrv
from both servers?
Server 1:
# fgrep -r 0.9.
Maybe related or not:
even after rebooting both IPA servers, the "secondary" has every 5
minutes (not only during startup)
[23/Jul/2015:08:00:25 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) (
Huu.. situation is getting worse.
Even after a full reboot, slapd does not start at all anymore on the
primary server.
This is the full log (looks like the realm is missing suddenly?):
[23/Jul/2015:07:40:53 +0200] - slapd stopped.
[23/Jul/2015:08:25:06 +0200] - Config Warning: - nsslapd-maxdescr
On Thu, 23 Jul 2015, Ludwig Krispenz wrote:
- Directory server starts just fine but serves only port 389
- krb5kdc starts just fine and works fine with LDAP server
- Dogtag tries to use LDAP server via port 636 and fails
We need to see why port 636 is disabled.
why do you think so ? There is: