I think there's something seriously wrong with my system
not able to run any IPA commands
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@xyz.com
Valid starting Expires Service principal
2016-08-23T16:26:36 2016-08-24T16:26:22 krbtgt/xyz@xyz.com
My disk was getting filled too fast
logs under /var/log/dirsrv was coming around 5 gb quickly filling up
Is there a way to make the logging less verbose?
On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek wrote:
> On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
> > I was able to
Hello IPA team,
Is there a way to implement IPA to IPA trust between different domains?
We are thinking of using more than one domain, however we will need users to
cross login from one domain to another.
Regards,
Andrey
--
Manage your subscription for the Freeipa-users mailing list:
I changed the logging level to 4. Modifying nsslapd-accesslog-level
But the hang is still there, though I don't see the segfault now
On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan <
rakesh.rajasekha...@gmail.com> wrote:
> My disk was getting filled too fast
>
> logs under
We were in the final stages of migrating FreeIPA from 3.0 to 4.2. During the
migration, both the 3.0 replicas and the 4.2 replicas were in the replica pool.
User account changes made to 3.0 would replicate to 4.2 just fine, but changes
wouldn’t replicate from 4.2 to 3.0.
Admins should have
Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and
use it for httpd (Web GUI), without breaking anything else? I've acquired one
and added it to nssdb (/etc/httpd/alias).
# certutil -L -d /etc/httpd/alias
Certificate Nickname
On Tue, 23 Aug 2016, Zak Wolfinger wrote:
We were in the final stages of migrating FreeIPA from 3.0 to 4.2.
During the migration, both the 3.0 replicas and the 4.2 replicas were
in the replica pool. User account changes made to 3.0 would replicate
to 4.2 just fine, but changes wouldn’t
Hello !
I am using IPA 3.0.0 on RedHat 6.6 servers.
I have two masters and this evening, I realized that one of them was
desynchronized, some users and groups were missing.
I was wondering if there was an ipa command to resynchronize replica which
are not sync with the other ?
Thank you in
On Tue, 23 Aug 2016, Alexander Bokovoy wrote:
On Tue, 23 Aug 2016, Zak Wolfinger wrote:
We were in the final stages of migrating FreeIPA from 3.0 to 4.2.
During the migration, both the 3.0 replicas and the 4.2 replicas were
in the replica pool. User account changes made to 3.0 would replicate
Is there any way to control the default gid for AD trust users? At the moment
each user has its own default group, e.g.:
uid=22603(user@ad.domain) gid=22603(user@ad.domain)
It would be nice to be able to set this to an actual group.
Thanks.
--
Orion Poplawski
Technical Manager
On 8/16/2016 11:09 AM, Alexander Bokovoy wrote:
On Tue, 16 Aug 2016, Zarko Dudic wrote:
Thanks Rob. This command creates the CSR.
# ipa-server-install --subject
'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca
And verification with command :
# openssl req -in
Ah. I see. I mixed those up but I see that those would have to be
consistent.
However, I have been trying to beat some invalid RUV to death for a long
time and I can't seem to kill them.
For example, bellevuenfs has 9 and 16 which are invalid:
[ianh@seattlenfs ~]$ ldapsearch -ZZ -h
On 23.8.2016 09:07, Martin Basti wrote:
>
>
> On 23.08.2016 02:08, Matt . wrote:
>> Hi Guys,
>>
>> What is the way to notify or update a Bind slave which is not an IPA server ?
>>
>> Do I need to manually add an also-notify to the /etc/bind.conf on the
>> IPA master or is there a different way
Thanks Jakub,
I've attached a file with the output from looking in the log files
mentioned in the link you gave me.
I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is tba
-sadm (is that good or bad?)
Any advice is
On 08/23/2016 11:26 AM, Tony Brian Albers wrote:
Thanks Jakub,
I've attached a file with the output from looking in the log files
mentioned in the link you gave me.
I'm not sure exactly what is wrong, I don't know how to interpret
messages like: name 'tba-sadm' matched without domain, user is
On 08/23/2016 11:52 AM, Ian Harding wrote:
Ah. I see. I mixed those up but I see that those would have to be
consistent.
However, I have been trying to beat some invalid RUV to death for a long
time and I can't seem to kill them.
For example, bellevuenfs has 9 and 16 which are invalid:
On 08/22/2016 09:46 PM, Zarko Dudic wrote:
Hi all,
IPA version: ipa-server-4.2.0-15.0.1.el7_2.18.x86_64
Kernel: 3.8.13-118.10.2.el7uek.x86_64
I start seeing pop-up window titled "Unknown Error" with message
"error" and buttons Retry and Cancel. It happens when selecting almost
anything on
Hi guys,
I've been trying to get sudo to work for our day-to-day admin who have
their own usergroup in IPA called subadmin.
For some reason I can't really get sudo to work, I suspect I am missing
something simple, but I can't really figure out what it is.
This is my config:
# ipa sudorule-find
I've followed the procedure in this thread:
https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html
and found my list of RUV that don't have an existing replica id.
I've tried to remove them like so:
[root@seattlenfs ianh]# ldapmodify -D "cn=directory manager" -W -a
Enter LDAP
On 23.08.2016 02:08, Matt . wrote:
Hi Guys,
What is the way to notify or update a Bind slave which is not an IPA server ?
Do I need to manually add an also-notify to the /etc/bind.conf on the
IPA master or is there a different way how to accomplish this ?
I hope this is possible and anyone
looks like you are searching the nstombstone below "o=ipaca", but you
are cleaning ruvs in "dc=bpt,dc=rocks",
your attrlist_replace error refers to the bpt,rocks backend, so you
should search the tombstone entry there, then determine which replicaIDs
to remove.
Ludwig
On 08/23/2016 09:20
- On Aug 11, 2016, at 3:56 PM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Aug 11, 2016 at 03:11:10PM +0200, Troels Hansen wrote:
>> Hi, we are currently working on a larger IPA test project and I have a problem
>> which has been bugging me for some time now:
>
> Which version?
Most
Thanks Simon,
Is this a known issue? We're on Centos 7.2 and yes, the sssd version is
1.13
/tony
On Tue, 2016-08-23 at 06:49 +, Simpson Lachlan wrote:
> What version of sssd are you using?
>
> We found that it wouldn't work w sssd<1.14
>
> On the IPA server, it would say "yep rule
On Tue, Aug 23, 2016 at 06:24:23AM +, Tony Brian Albers wrote:
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own usergroup in IPA called subadmin.
>
> For some reason I can't really get sudo to work, I suspect I am missing
> something simple,
On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote:
> Thanks Simon,
>
> Is this a known issue? We're on Centos 7.2 and yes, the sssd version is
> 1.13
>
> /tony
IIRC Simpson's issue was related to using AD trusts and
default_domain_suffix. I would recommend looking at logs first
What version of sssd are you using?
We found that it wouldn't work w sssd<1.14
On the IPA server, it would say "yep rule applies", but then on any particular
machine it wouldn't (well, it would - but only intermittently).
There's a COPR repo for Centos7 if you aren't on Fedora/RedHat.
Cheers
On Tue, Aug 23, 2016 at 08:42:42AM +0200, Troels Hansen wrote:
>
>
> - On Aug 11, 2016, at 3:56 PM, Jakub Hrozek jhro...@redhat.com wrote:
>
> > On Thu, Aug 11, 2016 at 03:11:10PM +0200, Troels Hansen wrote:
> >> Hi, we are currently working on a larger IPA test project and I have a
> >>
On 23.8.2016 15:07, Rakesh Rajasekharan wrote:
> I was able to fix that may be temporarily... when i checked the network..
> there was another process that was running and consuming a lot of network (
> i have no idea who did that. I need to seriously start restricting people
> access to this
Running RHEL 7.2:
ipa-client-4.2.0-15.el7_2.18
sssd-ipa-1.13.0-40.el7_2.12.x86_64
ipa-server-4.2.0-15.el7_2.18.x86_64
I have a sudo rule where I try to give sudo access based on an AD group.
# groups drext...@net.dr.dk
drext...@net.dr.dk : drext...@net.dr.dk ...
Not sure if it's related or not but I also reported an instance of similar
behavior of this on Ubuntu 16.0.1
On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers
wrote:
> Hi guys,
>
> I've been trying to get sudo to work for our day-to-day admin who have
> their own
OK, but what kind of records are you talking about then ?
2016-08-23 12:25 GMT+02:00 Petr Spacek :
> On 23.8.2016 09:07, Martin Basti wrote:
>>
>>
>> On 23.08.2016 02:08, Matt . wrote:
>>> Hi Guys,
>>>
>>> What is the way to notify or update a Bind slave which is not an IPA
On 23.8.2016 12:43, Matt . wrote:
> OK, but what kind of records are you talking about then ?
I'm not sure what else should I say.
NS records: the ones added by
$ ipa record-add @ --ns-rec=.
(please note the trailing period)
Does it answer your question?
Petr^2 Spacek
>
> 2016-08-23 12:25
siology.io wrote:
i've noticed that some of my users (imported from openldap) don't have
personal user groups, but the new ones that i make within freeipa do.
Is there a way of marking the existing accounts such that they get user
groups made for them ? I couldn't seem to see the groups that
Fraser Tweedale wrote:
On Mon, Aug 22, 2016 at 11:52:46PM +, Z D wrote:
Hello,
There is the error on ver 4.2 while viewing certs: "IPA Error
4301: CertificateOperationError", next it read " Certificate
operation cannot be completed: Unable to communicate with CMS
([Errno 113] No route to
Pavel Březina wrote:
On 08/23/2016 01:55 PM, Tony Brian Albers wrote:
Here you are:
[root ~]# ldapsearch -Y GSSAPI -b $dc
'(ou=*)' -s onelevel
# profile, $domain
dn: ou=profile,$dc
objectClass: top
objectClass: organizationalUnit
ou: profiles
ou: profile
# search result
search: 4
result:
i've noticed that some of my users (imported from openldap) don't have
personal user groups, but the new ones that i make within freeipa do.
Is there a way of marking the existing accounts such that they get user
groups made for them ? I couldn't seem to see the groups that IPA is making
in the
Hi Rob,
I was concerned, just because it nowhere clearly stated what ipa-ca-agent /
caAdminCert with default serial id #6 is used for and how it affects the system
when expired.
So if it is not needed by IPA, I also do not strictly need to recreate a new
valid Cert for that.
Is it sure,
realstarhealer wrote:
Hi Rob,
I was concerned, just because it nowhere clearly stated what
ipa-ca-agent / caAdminCert with default serial id #6 is used for and how
it affects the system when expired.
It isn't used at all. This is the admin cert typically used when
interfacing with the
And then allow the ip of the ipa server for update or transfer on the slave ?
Because I don't see anything coming in.
2016-08-23 12:47 GMT+02:00 Petr Spacek :
> On 23.8.2016 12:43, Matt . wrote:
>> OK, but what kind of records are you talking about then ?
>
> I'm not sure
On 23.8.2016 13:21, Matt . wrote:
> And then allow the ip of the ipa server for update or transfer on the slave ?
>
> Because I don't see anything coming in.
The config has two parts:
1. master (IPA DNS)