[Freeipa-users] Fedora 17 FreeIPA Replica not starting up

2012-08-08 Thread bin . echo
After installing a replica on a fresh up to date install of FC17, everything seems fine until a reboot. FreeIPA is running on the new machine, etc. But after the reboot ldap doesn't start on its own and can't be made to start manually. The original FreeIPA instance, same software versions, is ru

Re: [Freeipa-users] IPA Server

2012-08-08 Thread Rob Crittenden
free...@noboost.org wrote: Hi All, NOTE: I posted this on the 389 forum, they rightly suggested this is most likely an IPA issue. Spec: Red Hat Enterprise Linux 6.3 x64 - ipa-server-2.2.0-16.el6.x86_64 - 389-ds-base-1.2.10.2-18.el6_3.x86_64 - 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64 We had

Re: [Freeipa-users] Dogtag reinitialization

2012-08-08 Thread Lucas Yamanishi
I wouldn't even know what to look for. /var/lib/dirsrv/slapd-PKI-IPA/error is like a debug log. All I can tell you is that I ran "ipa-csreplica-manage re-initialize --from master" on my replica, then on my "master" a few minutes later. - *question everything*learn something*answer nothing* -

Re: [Freeipa-users] IPA 2.2 Windows 2008R2 sync

2012-08-08 Thread Rob Crittenden
Rich Megginson wrote: On 08/03/2012 09:50 AM, Baptiste AGASSE wrote: Hi, Hi all, I've a problem with winsync between ipa 2.2 on centos 6.3 and Active Directory 2008R2. I'm following this documentation to enable synchronization: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/htm

Re: [Freeipa-users] Dogtag reinitialization

2012-08-08 Thread Rob Crittenden
Lucas Yamanishi wrote: Is there any way to completely reinitialize the Dogtag instance atomically? My PKI-IPA directory looks like this: ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' 'objectClass=*' Enter LDAP Password: # extended LDIF # # LDAPv3 # base with sc

Re: [Freeipa-users] Simple question about replication promotion

2012-08-08 Thread Rob Crittenden
Rolf Brusletto wrote: We had a rather severe issue last night on our primary IPA server(ver 2.2.0), but the replica is still happily plugging along, which is very nice. My question is, there is very, very little I can do with the 'master'. From what I've read, there isn't any replication, and I just

Re: [Freeipa-users] 2 factor authentication

2012-08-08 Thread Rob Crittenden
Steven Jones wrote: Hi Is there any way to use something like a hardware key with IPA for select users (such as myself)? So the idea is I not only have a password but a piece of hardware I need to login to my secure desktop. We're looking into 2 factor auth but it isn't supported yet. Yo

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
On 08/08/2012 01:11 PM, Jakub Hrozek wrote: > On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: >> An interesting problem has popped up and I am not sure where the issue >> lies. Users logging in are presented with "cannot find name for user ID" >> etc. etc. for all groups they a

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Jakub Hrozek
On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: > An interesting problem has popped up and I am not sure where the issue > lies. Users logging in are presented with "cannot find name for user ID" > etc. etc. for all groups they are a member of > > id returns nothing but the nu

Re: [Freeipa-users] Simple question about replication promotion

2012-08-08 Thread Steven Jones
Hi, I lost my master so did a db2ldif on the replica and then a ldif2db on the master and it seemed to work fine. It's been more stable than the replicas which are on their 2nd rebuild in that many months... :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wel

[Freeipa-users] 2 factor authentication

2012-08-08 Thread Steven Jones
Hi Is there any way to use something like a hardware key with IPA for select users (such as myself)? So the idea is I not only have a password but a piece of hardware I need to login to my secure desktop. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Welling

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 12:31 PM, Simo Sorce wrote: > Unlike AD we do not force all client to be positioned in the same DNS > zone, however if you have clients not belonging to the same DNS domain > you may have to change the krb5.conf file on all members of the realm to > add additional [domain_re

[Freeipa-users] Simple question about replication promotion

2012-08-08 Thread Rolf Brusletto
We had a rather severe issue last night on our primary IPA server(ver 2.2.0), but the replica is still happily plugging along, which is very nice. My question is, there is very, very little I can do with the 'master'. From what I've read, there isn't any replication, and I just want to verify that

[Freeipa-users] Dogtag reinitialization

2012-08-08 Thread Lucas Yamanishi
Is there any way to completely reinitialize the Dogtag instance atomically? My PKI-IPA directory looks like this: > ldapsearch -x -h localhost -p 7389 -D "cn=directory manager" -W -b 'o=ipaca' > 'objectClass=*' > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base with scope subtree

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 12:33 PM, KodaK wrote: > If you're not familiar with this document then you need to spend some > quality time with it: > > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html That is, as a matter of fact, the guide I

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
On Wed, Aug 8, 2012 at 2:16 PM, Rob Ogilvie wrote: > On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote: >> On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote: >> > -I'm going to set up the IPA server with a new realm; >> > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record >>

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 12:16 -0700, Rob Ogilvie wrote: > On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote: > > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote: > > > -I'm going to set up the IPA server with a new realm; > > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV reco

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 11:52 AM, Simo Sorce wrote: > On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote: > > -I'm going to set up the IPA server with a new realm; > > UNIX.MYCOMPANY.COM (do I need to have our DNS folks put an SRV record > > up there for that? If so, what?) > > If your DNS peopl

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 11:23 -0700, Rob Ogilvie wrote: > So here's my plan, then... let me know if it seems like it'll make sense? > > -I'm going to uninstall everything IPA from the IPA server > (ovm-auth.mycompany.com) after I unregister the client machines. > > -I'm going to set up the IPA serv

[Freeipa-users] cannot find name for user ID

2012-08-08 Thread Erinn Looney-Triggs
An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with "cannot find name for user ID" etc. etc. for all groups they are a member of. id returns nothing but the numbers, and a getent passwd returns nothing, when running as the user. However

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
So here's my plan, then... let me know if it seems like it'll make sense? -I'm going to uninstall everything IPA from the IPA server (ovm-auth.mycompany.com) after I unregister the client machines. -I'm going to set up the IPA server with a new realm; UNIX.MYCOMPANY.COM (do I need to have our DNS

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Simo Sorce
On Wed, 2012-08-08 at 19:59 +0200, Petr Spacek wrote: > On 08/08/2012 07:27 PM, Rob Ogilvie wrote: > > On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote: > >> Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper > >> SRV records (or let IPA to manage it). > > > > Ugh, I hope

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Petr Spacek
On 08/08/2012 07:27 PM, Rob Ogilvie wrote: On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote: Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper SRV records (or let IPA to manage it). Ugh, I hope this doesn't end up pushing us back to NIS. If I can get our infrastruct

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Wed, Aug 8, 2012 at 9:06 AM, Petr Spacek wrote: > Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper > SRV records (or let IPA to manage it). Ugh, I hope this doesn't end up pushing us back to NIS. If I can get our infrastructure guys to buy off on making a unix.mycomp

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
Rob, you may want to read through this whole FAQ, but this one covers what I'm talking about: http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#realms -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread KodaK
On Wed, Aug 8, 2012 at 11:06 AM, Petr Spacek wrote: > Best way is to create subdomain UNIX.MYCOMPANY.COM and fill it with proper > SRV records (or let IPA to manage it). Absolutely, this is the best way. > You can configure each all servers and client statically with > /etc/krb5.conf, but it is

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Petr Spacek
On 08/08/2012 05:42 PM, Rob Ogilvie wrote: On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote: It's hard to tell with the obfuscation, but is your DOMAIN the same as the one handled by the domain controller vm-mapsdc2? Indeed, it is You can only have one Kerberos realm named DOMAIN. How do t

Re: [Freeipa-users] New FreeIPA Install; Testing for Proof of Concept

2012-08-08 Thread Rob Ogilvie
On Tue, Aug 7, 2012 at 7:03 PM, KodaK wrote: > It's hard to tell with the obfuscation, but is your DOMAIN the same as > the one handled by the domain controller vm-mapsdc2? Indeed, it is > You can only have one Kerberos realm named DOMAIN. How do they know about each other? > For example,