Re: [Freeipa-users] backing up and starting over...

2016-12-22 Thread Robert Story
On Thu, 22 Dec 2016 16:48:10 -0500 Robert wrote: RS> I tried to create a replica. It went well for the directory server, but RS> then: RS> RS> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 RS> seconds [1/27]: creating certificate server user RS> [2/27]: configuring

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-22 Thread Brian Candler
On 20/12/2016 08:07, Petr Spacek wrote: I've tried to clarify things in man pages and on the web as well. Please have a look at the changes and let us know if it is better or not, and preferably what can be improved and in which way. The modified deployment page is here:

[Freeipa-users] replica running trust-agents can't resolve AD users - which of these sssd errors should I be focusing on?

2016-12-22 Thread Chris Dagdigian
Hi folks, Summary: Replica w/ Trust agents can't resolve AD users. Not sure which debug_level=log error I should focus on. Would appreciate extra eyeballs on this .. Have a brand new replica (v4.4) running and after installing the AD trust agents I still can't recognize users who exist in

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud
On 12/21/2016 07:52 PM, Lucas Diedrich wrote: Hello guys, I'm having some trouble; what is happening with my server is that I'm hitting an old BUG (https://bugzilla.redhat.com/show_bug.cgi?id=1033273). Talking to mbasti over irc he oriented me to send this to the email list. The problem

Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Martin Babinsky
On 12/22/2016 09:31 AM, Georgijs Radovs wrote: Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these servers are Masters and CAs, both are replicating between each other. But, when I run *ipa topologysegment-find* to view replication agreements

Re: [Freeipa-users] DNS reverse zone is not managed by this server

2016-12-22 Thread Maciej Drobniuch
Hi Martin Thank you for reply. 1. The dig is returning proper PTR record. I've added it manually to the zone and it's working. 2. The problem exists while adding host entries or A records with "create reverse" option. 3. If I'll bind a host with ipa-client-install the PTR record gets created in

Re: [Freeipa-users] backing up and starting over...

2016-12-22 Thread Florence Blanc-Renaud
On 12/21/2016 10:26 PM, Robert Story wrote: I'm running a small instance of freeipa on CentOS 7 in our lab, for about 20 machines. Since CentOS 7.3 came out and upgraded from 4.2 to 4.4, things have gotten flaky. e.g. clicking on a user gets the spinning 'Working' dialog and can take 3-5 minutes

Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Georgijs Radovs
Hello, Martin! Thank you for your help, conflicts resolved. All is well. FreeIPA is awesome! ) On 2016.12.22. 11:01, Martin Babinsky wrote: On 12/22/2016 09:31 AM, Georgijs Radovs wrote: Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these

Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Ludwig Krispenz
Hi On 12/22/2016 09:31 AM, Georgijs Radovs wrote: Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these servers are Masters and CAs, both are replicating between each other. But, when I run *ipa topologysegment-find* to view replication

Re: [Freeipa-users] DNS reverse zone is not managed by this server

2016-12-22 Thread Maciej Drobniuch
Hi Martin Appreciate your help! On Thu, Dec 22, 2016 at 10:48 AM, Martin Basti wrote: > > > On 22.12.2016 09:37, Maciej Drobniuch wrote: > > Hi Martin > > Thank you for reply. > > 1. The dig is returning proper PTR record. I've added it manually to the > zone and it's

[Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Georgijs Radovs
Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these servers are Masters and CAs, both are replicating between each other. But, when I run *ipa topologysegment-find* to view replication agreements for *domain* and *ca* suffixes it returns

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Martin Babinsky
On 12/21/2016 07:22 PM, Brian J. Murrell wrote: On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote: Okay, I believe that this is the problem: On 21.12.2016 15:53, Brian J. Murrell wrote: [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to

Re: [Freeipa-users] DNS reverse zone is not managed by this server

2016-12-22 Thread Martin Basti
On 22.12.2016 09:37, Maciej Drobniuch wrote: Hi Martin Thank you for reply. 1. The dig is returning proper PTR record. I've added it manually to the zone and it's working. I was asking for SOA and zone name, IMO there is nothing secret about reverse zone name from private address space

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Lucas Diedrich
Yey!! It fixed the problem over the new CA Master now, I finally can see and search for the certs. But, in the replicas I can't browse for them, it prompts me this (IPA Error 4301: CertificateOperationError); should I run the post-save command in all replicas? Thanks. On Thu, 22 Dec 2016

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-22 Thread Martin Basti
On 22.12.2016 17:53, Brian Candler wrote: On 20/12/2016 08:07, Petr Spacek wrote: I've tried to clarify things in man pages and on the web as well. Please have a look at the changes and let us know if it is better or not, and preferably what can be improved and in which way. The modified deployment

[Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism? It appears not at first attempt: # yum install cyrus-sasl-ntlm # ldapsearch -Y NTLM SASL/NTLM authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7)

Re: [Freeipa-users] DNS reverse zone is not managed by this server

2016-12-22 Thread Martin Basti
On 22.12.2016 10:57, Maciej Drobniuch wrote: Hi Martin Appreciate your help! On Thu, Dec 22, 2016 at 10:48 AM, Martin Basti > wrote: On 22.12.2016 09:37, Maciej Drobniuch wrote: Hi Martin Thank you for reply. 1. The dig is

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Alexander Bokovoy
On Thu, 22 Dec 2016, Brian Candler wrote: Question: does FreeIPA (or specifically the 389 directory server) implement the NTLM SASL mechanism? No, it doesn't. Even if you install the cyrus-sasl-ntlm module, 389-ds will not be able to authenticate: [22/Dec/2016:14:16:08.920773153 +0200] conn=20

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Lucas Diedrich
Florence, for some creepy reason the cert from pkidbuser is different from the subsystem certs, and this pkidbuser is outdated now, but I can't find a way to re-issue it. I had to change the CA server because of that, and SELinux in the old CA Server was disabled, on the new one is in

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Simo Sorce
On Thu, 2016-12-22 at 08:24 +0100, Petr Spacek wrote: > On 21.12.2016 21:36, Brian J. Murrell wrote: > > Some additional information. I can't seem to use the CLI either. > > Perhaps that is expected: > > > > # kinit admin > > Password for ad...@example.com: > > > > # klist > > Ticket cache:

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Simo Sorce
On Thu, 2016-12-22 at 11:42 +, Brian Candler wrote: > Question: does FreeIPA (or specifically the 389 directory server) > implement the NTLM SASL mechanism? > > It appears not at first attempt: > > # yum install cyrus-sasl-ntlm > # ldapsearch -Y NTLM > SASL/NTLM authentication started >

Re: [Freeipa-users] replica running trust-agents can't resolve AD users - which of these sssd errors should I be focusing on?

2016-12-22 Thread Alexander Bokovoy
On Thu, 22 Dec 2016, Chris Dagdigian wrote: Hi folks, Summary: Replica w/ Trust agents can't resolve AD users. Not sure which debug_level=log error I should focus on. Would appreciate extra eyeballs on this .. Have a brand new replica (v4.4) running and after installing the AD trust

Re: [Freeipa-users] backing up and starting over...

2016-12-22 Thread Robert Story
On Thu, 22 Dec 2016 09:25:52 +0100 Florence wrote: FBR> you can find more information about backup and restore procedure in this FBR> guide [1]. But, as stated in the documentation, the safest method would FBR> rather be to install a replica [2]. FBR> [...] FBR> [2] FBR>

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2016-12-22 Thread Daniel Schimpfoessl
I do not believe I changed the DM password. I know I had to update the admin passwords regularly. Only during the startup using ipactl start --force I am able to connect to the service using the password for DM and it returns: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter:

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 12:48, Simo Sorce wrote: Sorry Brian but we do not support SASL NTLM or SASL SPNEGO/NTLM at this time, to do that you not only need the mechanism but also a way for that mechanism to either contact a NT-like Domain Controller or have direct access to the NT password hashes for any

[Freeipa-users] really dumb question - is an IPA replica automatically a client as well?

2016-12-22 Thread Chris Dagdigian
Working on a messy multi-AD / multi-child-domain environment ... Just deployed my 1st replica server after the v4.4 upgrade The IPA replica seems fine and "ipactl status" reports no issues. The webUI clearly shows all of the values/config that came over from the master However the replica

Re: [Freeipa-users] really dumb question - is an IPA replica automatically a client as well?

2016-12-22 Thread Alexander Bokovoy
On Thu, 22 Dec 2016, Chris Dagdigian wrote: Working on a messy multi-AD / multi-child-domain environment ... Just deployed my 1st replica server after the v4.4 upgrade. The IPA replica seems fine and "ipactl status" reports no issues. The webUI clearly shows all of the values/config that

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 14:08, Alexander Bokovoy wrote: dn: cn=config changetype: modify replace: nsslapd-allowed-sasl-mechanisms - # accepted, but doesn't change the value of the attribute So for now, I've set "nsslapd-allowed-sasl-mechanisms: GSSAPI EXTERNAL". But that means this server is in a

Re: [Freeipa-users] Ipa cert automatic renew Failing.

2016-12-22 Thread Florence Blanc-Renaud
On 12/22/2016 01:15 PM, Lucas Diedrich wrote: Florence, for some creepy reason the cert from pkidbuser is different from the subsystem certs, and this pkidbuser is outdated now, but I can't find a way to re-issue it. I had to change the CA server because of that, and SELinux in the old CA

Re: [Freeipa-users] backing up and starting over...

2016-12-22 Thread Robert Story
On Thu, 22 Dec 2016 13:02:18 +0100 Martin wrote: MB> On 22.12.2016 09:25, Florence Blanc-Renaud wrote: MB> > On 12/21/2016 10:26 PM, Robert Story wrote: MB> >> I'm running a small instance of freeipa on CentOS 7 in our lab, for MB> >> about 20 MB> >> machines. Since CentOS 7.3 came out and

Re: [Freeipa-users] [Freeipa-devel] Certificate expiration consequences

2016-12-22 Thread Florence Blanc-Renaud
On 12/22/2016 12:22 PM, Pablo Hinojosa wrote: Hi all, I have realized my Freeipa webui ssl certificate is about to expire. It is supposed to auto-renew but it seems I am affected by this bug/defect (maybe due to a misconfigured installation). Here

Re: [Freeipa-users] NTLM SASL?

2016-12-22 Thread Brian Candler
On 22/12/2016 11:42, Brian Candler wrote: Now, under cn=config, I see: nsslapd-allowed-sasl-mechanisms: (i.e. empty). I tried changing this to "NTLM" and it accepted the change. Aside: I'm also stuck changing it back to what it was :-( None of these works: dn: cn=config changetype: