Re: [Freeipa-users] re-initialize replica

2015-10-05 Thread Rob Crittenden
Andrew E. Bruno wrote: > On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: >> On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: >>> On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote: What's the best way to re-initialize a replica? Suppose one of your replicas

Re: [Freeipa-users] More replication fun

2015-10-05 Thread Rob Crittenden
Janelle wrote: > On 10/5/15 10:16 AM, Simo Sorce wrote: >> On 05/10/15 11:11, Janelle wrote: >>> So here is a fun question -- how is this possible? >>> >>> from ipa-replica-manage list-ruv >>> >>> ipa002.example.com 389 6 >>> ipa003.example.com 389 30 <- Huh??? >>> ipa003.example.com

Re: [Freeipa-users] More replication fun

2015-10-05 Thread Janelle
On 10/5/15 10:16 AM, Simo Sorce wrote: On 05/10/15 11:11, Janelle wrote: So here is a fun question -- how is this possible? from ipa-replica-manage list-ruv ipa002.example.com 389 6 ipa003.example.com 389 30 <- Huh??? ipa003.example.com 389 33 <- ipa004.example.com 389 24

Re: [Freeipa-users] re-initialize replica

2015-10-05 Thread Andrew E. Bruno
On Mon, Oct 05, 2015 at 12:40:42PM +0200, Martin Kosek wrote: > On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: > > On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote: > >> What's the best way to re-initialize a replica? > >> > >> Suppose one of your replicas goes south.. is there a

Re: [Freeipa-users] AD Cross Realm Trust + AIX

2015-10-05 Thread David Fischer
Crony, I also am trying to set up both AIX 6.1 and AIX 7 clients. Is there any way I could get you to post your working configurations? Thanks, David -Original Message-From: crony > To:

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
Good morning, Any suggestion what I should do? I still have $ ipa user-show admin ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized Regards. On Fri, Oct 2, 2015 at 5:04 PM, Fujisan wrote: > I only have this: > > $ keyctl list @s > 1 key

Re: [Freeipa-users] DNS forwarding configuration randomly breaks and stops working

2015-10-05 Thread Petr Spacek
On 3.10.2015 01:47, nat...@nathanpeters.com wrote: > This issue has occurred again and I am once again trying to troubleshoot it. > > show forwarder > -- > -bash-4.2$ ipa dnsconfig-show > Global forwarders: 10.21.0.14 > Allow PTR sync: TRUE > > attempt ping > >

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Alexander Skwar
Hi Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try to login with SSH and enter a password. kinit doesn't work. $ kinit -k kinit: Permission denied while getting initial credentials For this test, I was root and then did a "su - user" and then "kinit -k". Also after

Re: [Freeipa-users] Sudo default options

2015-10-05 Thread Pavel Březina
On 10/05/2015 10:58 AM, Andreas Calminder wrote: Hi, guessing this is a quite frequent question, but I can't find any solid information about the topic. I want to specify a set of default sudo options so I don't have to specify these options for every other sudo rule I create. There's supposed

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Prasun Gera
I was facing similar issues, and ended up changing the username from admin to something else since admin is a common name in brute force ssh attacks. It was getting locked out in spite of using fail2ban. I guess fail2ban can be tweaked to block the host before ipa blocks the admin account, but I

[Freeipa-users] separating authoritative servers from recursive servers

2015-10-05 Thread Brendan Kearney
i have two bind instances in somewhat of a multi-master server arrangement, where they share the same ldap backend via bind-dyndb-ldap. currently, they are authoritative and recursive servers, and i want to change things up a bit. i want to move the recursive function to a third device. for

Re: [Freeipa-users] DNS forwarding configuration randomly breaks and stops working

2015-10-05 Thread nathan
>>> Looking at the log entries, it appears that there may have been a >>> network >>> connectivity 'blip' (maybe a switch or router was restarted) at some >>> point >>> and even after connectivity was restored, the global forwarding was >>> failing because the "we can't contact our forwarder"

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
Prasun Gera wrote: > I was facing similar issues, and ended up changing the username from > admin to something else since admin is a common name in brute force ssh > attacks. It was getting locked out in spite of using fail2ban. I guess > fail2ban can be tweaked to block the host before ipa blocks

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I just noticed I can log in to the web UI with user admin and his password. But when I try to configure firefox to use kerberos, I click on "Install Kerberos Configuration Firefox Extension" button, a message appears saying "Firefox prevented this site from asking you to install software on your

Re: [Freeipa-users] re-initialize replica

2015-10-05 Thread Martin Kosek
On 10/02/2015 06:00 PM, Andrew E. Bruno wrote: > On Fri, Oct 02, 2015 at 09:56:47AM -0400, Andrew E. Bruno wrote: >> What's the best way to re-initialize a replica? >> >> Suppose one of your replicas goes south.. is there a command to tell >> that replicate to re-initialize from the first master

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
It is actually on the ipa server that ipa commands are not working. On ipa clients, I do not have errors. On Mon, Oct 5, 2015 at 12:27 PM, Fujisan wrote: > I just noticed I can log in to the web UI with user admin and his password. > > But when I try to configure firefox

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Sumit Bose
On Mon, Oct 05, 2015 at 09:00:13AM +0200, Alexander Skwar wrote: > Hi > > Hm, there's nothing at all in the /var/log/sssd/krb5_child.log when I try > to login with SSH and enter a password. Can you try to increase the debug_level to 0xFFF0? > > kinit doesn't work. > > $ kinit -k > kinit:

Re: [Freeipa-users] Sudo default options

2015-10-05 Thread Andreas Calminder
All right, Thanks a million! /andreas On 10/05/2015 11:29 AM, Pavel Březina wrote: On 10/05/2015 10:58 AM, Andreas Calminder wrote: Hi, guessing this is a quite frequent question, but I can't find any solid information about the topic. I want to specify a set of default sudo options so I

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-05 Thread Dominik Korittki
On 01.10.2015 at 21:52, Rob Crittenden wrote: Dominik Korittki wrote: Hello folks, I am running two FreeIPA Servers with around 100 users and around 15.000 hosts, which are used by users to login via ssh. The FreeIPA servers (which are Centos 7.0) ran good for a while, but as more and more

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I uninstalled the ipa server and reinstalled it. Then restored the backup. And then the following: $ keyctl list @s 3 keys in keyring: 437165764: --alswrv 0 65534 keyring: _uid.0 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA 286806445: ---lswrv 0 65534

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-05 Thread Tomas Babej
On 10/01/2015 05:06 PM, Dominik Korittki wrote: > Hello folks, > > I am running two FreeIPA Servers with around 100 users and around 15.000 > hosts, which are used by users to login via ssh. The FreeIPA servers > (which are Centos 7.0) ran good for a while, but as more and more hosts > got

Re: [Freeipa-users] ssh and sudo password authentication not working with freeipa-client 3.3.4-0ubuntu3.1 on Ubuntu 14.04

2015-10-05 Thread Alexander Skwar
Hi Hm, when I'm root, "kinit -k" works: # kinit -k # Just not as a user. As a user, I get the "kinit: Permission denied while getting initial credentials" error message. Regards, Alexander 2015-10-05 9:00 GMT+02:00 Alexander Skwar < alexanders.mailinglists+nos...@gmail.com>: > Hi > > Hm,

Re: [Freeipa-users] SUDO does not always works on first try

2015-10-05 Thread Zoske, Fabian
Dear Jakub, I found only the following entries in the /var/log/auth.log: Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): conversation failed Oct 5 11:57:38 hl-srv10 sudo: pam_unix(sudo:auth): auth could not identify password for [f.zo...@de.eu.local] Oct 5 11:57:38 hl-srv10 sudo:

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Fujisan
I was going to ask about the ipa command error on the ipa server and how to fix it. But then I just tried again and it works. $ ipa user-show admin User login: admin Last name: Administrator Home directory: /home/zaira/admin Login shell: /bin/bash UID: 1000 GID: 1000 Account

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-05 Thread Petr Vobornik
On 10/05/2015 12:55 PM, Fujisan wrote: It is actually on the ipa server that ipa commands are not working. On ipa clients, I do not have errors. On Mon, Oct 5, 2015 at 12:27 PM, Fujisan wrote: I just noticed I can log in to the web UI with user admin and his password.

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
Torsten Harenberg wrote: > Hi Janelle, > > On 04.10.2015 at 19:25, Janelle wrote: >> Just wondering if anyone knows why this happens from time to time on >> servers: >> >> $ kinit admin >> kinit: Clients credentials have been revoked while getting initial >> credentials >> >> there are no failed

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Janelle
On 10/5/15 7:39 AM, Rob Crittenden wrote: Torsten Harenberg wrote: Hi Janelle, On 04.10.2015 at 19:25, Janelle wrote: Just wondering if anyone knows why this happens from time to time on servers: $ kinit admin kinit: Clients credentials have been revoked while getting initial credentials

Re: [Freeipa-users] admin loses access?

2015-10-05 Thread Rob Crittenden
Janelle wrote: > On 10/5/15 7:39 AM, Rob Crittenden wrote: >> Torsten Harenberg wrote: >>> Hi Janelle, >>> >>> On 04.10.2015 at 19:25, Janelle wrote: Just wondering if anyone knows why this happens from time to time on servers: $ kinit admin kinit: Clients credentials

[Freeipa-users] More replication fun

2015-10-05 Thread Janelle
So here is a fun question -- how is this possible? from ipa-replica-manage list-ruv ipa002.example.com 389 6 ipa003.example.com 389 30 <- Huh??? ipa003.example.com 389 33 <- ipa004.example.com 389 24 ~Janelle

Re: [Freeipa-users] More replication fun

2015-10-05 Thread Simo Sorce
On 05/10/15 11:11, Janelle wrote: So here is a fun question -- how is this possible? from ipa-replica-manage list-ruv ipa002.example.com 389 6 ipa003.example.com 389 30 <- Huh??? ipa003.example.com 389 33 <- ipa004.example.com 389 24 ipa003 was reinstalled but the RUV