Sumit,
I have set the names of all the Domain Controllers to be resolvable to the IP
of the one reachable Domain Controller in /etc/hosts
/etc/hosts:Reachable_IP_BOX 172.10.10.1DC1
172.10.10.1DC2 172.10.10.1..
However, I still see the
On Mon, Jul 18, 2016 at 11:56:24AM +, Sullivan, Daniel [AAA] wrote:
> Hi, Jakub,
>
> In line with your performance tuning document referenced prior in this
> thread, I’ve actually already implemented the three configuration changes
> you specified (prior to identifying this issue). Right now
> Are also users that are not part of this group misbehaving?
Not that I am aware of. I’ll get you a real answer though. Are there any
known workarounds to the @ problem used to transform group names (i.e. a more
robust ‘override_space’ option)? I looked at the doc briefly but can’t find
On Mon, Jul 18, 2016 at 01:36:30PM +, Sullivan, Daniel [AAA] wrote:
> > Are also users that are not part of this group misbehaving?
>
> Not that I am aware of. I’ll get you a real answer though. Are there any
> known workarounds to the @ problem used to transform group names (i.e. a more
Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
logs, but same
Grant Wu wrote:
Thanks for the information. Do you know if there are any plans to
support cross-realm trust with general KDCs?
https://fedorahosted.org/freeipa/ticket/4867
rob
--
Manage your subscription for the Freeipa-users mailing list:
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > > On (16/07/16 10:19), Martin Štefany wrote:
> > > > >
> > > > > Hello
On 07/18/2016 03:57 PM, Rob Crittenden wrote:
> Grant Wu wrote:
>> Thanks for the information. Do you know if there are any plans to
>> support cross-realm trust with general KDCs?
>
> https://fedorahosted.org/freeipa/ticket/4867
>
> rob
In general, IPA contains krb5 component which can be in
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> certmonger. Looks like certificates were renewed. But I'm getting a different
> error now,
>
> *ca-error: Internal error: no response to
>
Sumit Bose wrote:
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that
Yes, PKI is running and I don't see any errors in selftests, I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.
The only change which I made was clean up userCertificate;binary before
adding new userCertificate in LDAP, which is step 12.
[root@caer ~]#
*Update: my webserver and LDAP certificates were expired at 2016-07-18
15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
*Could you please help us? *
[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status:
Hi all,
Did any ipa/sssd developer have a chance to take a look at this issue?
Updating to the latest version available for CentOS 7 didn't fix it:
ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
On Mon, 2016-07-18 at 11:42 -0400, Rob Crittenden wrote:
> That I'm not sure. Kai might know.
Since there were several open questions, we discussed that on IRC.
To summarize here: if you want to install a CA that should be trusted by all
applications on a system, you probably shouldn't install
On 07/18/2016 06:12 AM, Petr Spacek wrote:
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
Would a DNS view (bind) work?
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
Also, depending on what you are using for NAT, some devices will mangle the
reply payload of A record
Ok, the bad news is that it didn't last. We are still having the same
problem - HBAC is rejecting users because not all jobs are being discovered
on the host.
I turned the debug_level up to 10 as requested, but to be honest, it's
impossible to find anything in the logs because it's so verbose -
I think the thing that frustrates the most is that id u...@domain.com is
returning correct data on both but they can't login and I can't even
show that this is the case because now they can login. Difficult to
reproduce :/
--
The most dangerous phrase in the language is, "We've always done
On 7/18/2016 9:50 AM, Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that upgrade to F24 broke things again. This time no AVCs, empty
On Mon, Jul 18, 2016 at 09:17:06AM +1000, Lachlan Musicman wrote:
> Previously we did have the default_domain_suffix set, but we had to unset
> it. I can't remember why we had to - something to do with
> ownership/permissions and our filesystem (IBM v7000) not playing nice iirc.
> We really wanted
On Fri, Jul 15, 2016 at 04:35:54PM +, Sullivan, Daniel [AAA] wrote:
>
> Jakub,
>
> Thank you for replying to me. Before I forget I will say that I am still on
> sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had
> any problems logging into that system yet. That
On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?
I haven't tested that to be honest. But just using my
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > On (16/07/16 10:19), Martin Štefany wrote:
> > >
> > > Hello Sumit,
> > >
> > > seems that upgrade to F24 broke things again. This time no AVCs, empty
> > > SSSD
> > >
I logged into my IPA master, and found that the cert had expired again, we
renewed these certificates about 18 months ago.
Our environment is CentOS 6.4 and IPA 3.0.0-26.
I followed the Redhat documentation, How do I manually renew Identity
Management (IPA) certificates after they have
Thanks for the information. Do you know if there are any plans to support
cross-realm trust with general KDCs?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
> Would a DNS view (bind) work?
>
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>
> Also, depending on what you are using for NAT, some devices will mangle the
> reply payload of A record lookups as they traverse NAT to avoid
Hi, Jakub,
In line with your performance tuning document referenced prior in this thread,
I’ve actually already implemented the three configuration changes you specified
(prior to identifying this issue). Right now I am focusing on the use case
documented below, because as of right now I am