Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Lukas Slebodnik
On (05/01/17 15:38), Jakub Hrozek wrote: >On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: >> Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. >> I can authenticate OK, I get a Kerberos ticket, but cannot run sudo. >> I get 1 rule returned, which I expect. >>

Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread Martin Basti
On 05.01.2017 20:03, TomK wrote: Hey All, QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz).

[Freeipa-users] FreeIPA + /etc/named.conf

2017-01-05 Thread TomK
Hey All, QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, I can't ping the Windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._tcp.mds.xyz). sssd-ipa-1.14.0-43.el7_3.4.x86_64

Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
I re-read and walked through the troubleshooting steps. I have a mismatch in Key Version Numbers in the keytab file: Trying to renew the keytab file results in this error: Failed to parse result: PrincipalName not found. Retrying with pre-4.0 keytab retrieval method... Failed to parse result:

Re: [Freeipa-users] Assistance with Samba share intergration with IPA

2017-01-05 Thread Loris Santamaria
Hello, replied inline below On Wed, 28-12-2016 at 18:15 -0500, William Muriithi wrote: > Hello > > I am trying to set up a Samba share - actually replace winbind on a > current Samba server and I am basing my change on these instructions. > >

Re: [Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Tomas Krizek
On 01/05/2017 04:11 PM, Jeff Goddard wrote: > I'm starting a new thread rather than continuing to submit under: > https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html. > > My problem is that I cannot get the DNS service to start on one of my > replica masters. From the previous

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-05 Thread Yohan JAROSZ
Hi @Fraser, tried the commands and certificates matched in both cases. @everyone I tried to look a little bit in the code, and the only references I saw are in https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit (4 references) And the only one

[Freeipa-users] DNS service fails to start on replica master

2017-01-05 Thread Jeff Goddard
I'm starting a new thread rather than continuing to submit under: https://www.redhat.com/archives/freeipa-users/2017-January/msg00108.html. My problem is that I cannot get the DNS service to start on one of my replica masters. From the previous message thread: Hello, could you check this link

Re: [Freeipa-users] IPA to IPA migration

2017-01-05 Thread Rob Crittenden
Timothy Geier wrote: > This is something I’ve looked at lately and a manual proof of concept I > just did (using ideas from > https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA) > makes it seem theoretically possible (though it looks like, barring the > migration

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
I guess my issue is totally different then, as the files I have contain the correct values. I'll resubmit a new email with the correct subject line so as to start fresh. Thanks, Jeff On Thu, Jan 5, 2017 at 7:22 AM, Brian J. Murrell wrote: > On Wed, 2017-01-04 at 16:21

Re: [Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
I cannot. I get: dap_sasl_interactive_bind_s: Can't contact LDAP server (-1) On Thu, Jan 5, 2017 at 9:08 AM, Martin Basti wrote: > Hello, > > could you check this link https://fedorahosted.org/bind- > dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials: >

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Jakub Hrozek
On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: > Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. > I can authenticate OK, I get a Kerberos ticket, but cannot run sudo. > I get 1 rule returned, which I expect. > Many thanks, James Harrison I would check if

Re: [Freeipa-users] Asking for help with crashed freeIPA istance

2017-01-05 Thread Florence Blanc-Renaud
On 01/04/2017 07:24 PM, Daniel Schimpfoessl wrote: From the logs: /var/log/dirsrv/slapd-DOMAIN-COM/errors ... a few warnings about cache size, NSACLPLugin and schema-compat-plugin [04/Jan/2017:12:14:21.392642021 -0600] slapd started. Listening on All Interfaces port 389 for LDAP requests

Re: [Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Martin Basti
Hello, could you check this link https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a4.Invalidcredentials:bindtoLDAPserverfailed kinit prints nothing when it works, so it works in your case. Can you, after kinit as the DNS service, try to use ldapsearch -Y GSSAPI? Martin

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Brian J. Murrell
On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote: > I don't want to hijack someone else's thread, but I'm having what > appears to > be the same problem and have not seen a solution presented yet. The problem and solution were presented. These two messages basically embody the problem I had:

[Freeipa-users] Fwd: ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
-- Forwarded message -- From: Jeff Goddard Date: Thu, Jan 5, 2017 at 8:57 AM Subject: Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} To: Martin Basti On Thu, Jan 5, 2017 at

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Jeff Goddard
Running the command displays no output. Here is the config file output: # This file is sourced by dirsrv upon startup to set # the default environment for all directory server instances. # To set instance specific defaults, use the file in the same # directory called dirsrv-instance where

[Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread James Harrison
Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. I can authenticate OK, I get a Kerberos ticket, but cannot run sudo. I get 1 rule returned, which I expect. Many thanks, James Harrison (Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30

[Freeipa-users] Effect of reversing trust relationship

2017-01-05 Thread William Muriithi
Hello, Curious, two weeks ago we established a two-way trust between AD and FreeIPA. This has been working fine till yesterday, when AD started having DNS issues. I am 99% certain the trust had nothing to do with the DNS issue, but want to reverse the trust and see if we could fare better. My question

Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-05 Thread Brian Candler
On 05/01/2017 10:57, Maciej Drobniuch wrote: Maybe I'll paraphrase the question. It would suffice if I could tell IPA to use pass+otp only instead of both (Password+ pass+otp) for particular hosts. So for example users from hosts X can log in with OTP only. Sorry, I don't understand that.

Re: [Freeipa-users] 2FA and AllowNTHash

2017-01-05 Thread Maciej Drobniuch
Hi Brian, thank you for your answer. It started working, not sure yet why it did not work. I need to do some extensive testing. So, I've actually followed the blog posts you've mentioned to set up ipanthash + freeradius. Maybe I'll paraphrase the question. It would suffice if I could tell IPA to

Re: [Freeipa-users] IPA 4.4.0: clcache_load_buffer_bulk error

2017-01-05 Thread Youenn PIOLET
Hi, Got the same messages :) (and I almost got all other problems you posted on this list since your 4.4 upgrade) If anyone can tell us if we have to do anything to clean problematic CSN... Happy new year to all freeipa-users! -- Youenn Piolet piole...@gmail.com 2016-12-24 9:33 GMT+01:00

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 01:08:58PM +0300, Ben .T.George wrote: > Hi > > there is no firewall running on both servers, > > [root@zkwipamstr01 ~]# systemctl status firewalld > ● firewalld.service - firewalld - dynamic firewall daemon >Loaded: loaded (/usr/lib/systemd/system/firewalld.service;

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
Hi, there is no firewall running on both servers, [root@zkwipamstr01 ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs:

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Fraser Tweedale
On Thu, Jan 05, 2017 at 12:43:47PM +0300, Ben .T.George wrote: > Hi, > > on master server and replica server, I have enabled IPv6 > > below on master server > > [root@zkwipamstr01 ~]# ip addr | grep inet6 > > inet6 fe80::250:56ff:fea0:3857/64 scope link > > [root@zkwipamstr01 ~]#

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Ben .T.George
Hi, on master server and replica server, I have enabled IPv6 below on master server [root@zkwipamstr01 ~]# ip addr | grep inet6 inet6 fe80::250:56ff:fea0:3857/64 scope link [root@zkwipamstr01 ~]# systemctl restart pki-tomcatd@pki-tomcat [root@zkwipamstr01 ~]# netstat -tunap | grep 8009

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Martin Basti
On 04.01.2017 22:21, Jeff Goddard wrote: I don't want to hijack someone else's thread, but I'm having what appears to be the same problem and have not seen a solution presented yet. Here is the output of journalctl -xe after having tried to start named: Jan 04 15:48:42

Re: [Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-05 Thread Martin Basti
On 04.01.2017 23:40, Jason B. Nance wrote: Hello everyone, I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to an Active Directory domain controller. When a client attempts to look up any DNS record other than those for which FreeIPA is authoritative the client

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Petr Vobornik
On 01/05/2017 07:10 AM, Ben .T.George wrote: > Hi > > yes, I did the same and still the port is not listening. > > [root@zkwipamstr01 ~]# cat /etc/hosts > 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 > ::1 localhost localhost.localdomain localhost6