Re: [Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller

2015-03-03 Thread Alexander Bokovoy
On Wed, 04 Mar 2015, Ben .T.George wrote: Hi, I have re-installed IPA with the latest 4.1 version. Installed packages by using https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos # ipa-server-install went successfully without any error and it says the same in the log files *[root@kwtpocpbis01 ~]

Re: [Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller

2015-03-03 Thread Ben .T.George
Hi, when I checked on the IPA web panel, I am able to see my AD under trusted even though I got an error while adding. ipa trust-add also *[root@kwtpocpbis01 ~]# ipa trustdomain-find "kwttestdc.com "* * Domain name: kwttestdc.com * * Domain NetBIOS name: K

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Jakub Hrozek
> On 03 Mar 2015, at 18:40, Guertin, David S. wrote: > >> yes, I'm quite certain this is the client. > > Actually, it isn't, or at least it's not supposed to be. I've only ever > installed IPA on one machine, and the command I used to install it was > ipa-server-install (followed by ipa dnsco

[Freeipa-users] how can i fix ipa: ERROR: AD DC was unable to reach any IPA domain controller

2015-03-03 Thread Ben .T.George
Hi, I have re-installed IPA with the latest 4.1 version. Installed packages by using https://copr.fedoraproject.org/coprs/mkosek/freeipa/ repos # ipa-server-install went successfully without any error and it says the same in the log files *[root@kwtpocpbis01 ~]# kinit admin* *Password for admin@SOLIPA.LO

[Freeipa-users] ntGroup MUST ntUserDomainId?

2015-03-03 Thread Hugh
All, We're running ipa-server-3.0.0-42/389-ds-base-1.2.11.15-48 on CentOS 6.5 and synching to AD. We're able to synch users, but can't synch groups. When I was adding in the ntGroup objectclass, it appears that that requires ntUserDomainId to be set. Shouldn't that be ntGroupDomainId? I tried t

Re: [Freeipa-users] Possible for system to be member of both IPA domain and AD domain?

2015-03-03 Thread Dmitri Pal
On 03/03/2015 02:54 PM, Erinn Looney-Triggs wrote: On Tuesday, March 03, 2015 02:41:58 PM Dmitri Pal wrote: On 03/03/2015 02:24 PM, Erinn Looney-Triggs wrote: Before I go charging down this path too far, I wanted to figure out whether it is possible for a RHEL 7 system to be a member of both an

Re: [Freeipa-users] Possible for system to be member of both IPA domain and AD domain?

2015-03-03 Thread Erinn Looney-Triggs
On Tuesday, March 03, 2015 02:41:58 PM Dmitri Pal wrote: > On 03/03/2015 02:24 PM, Erinn Looney-Triggs wrote: > > Before I go charging down this path too far, I wanted to figure out > > whether it is possible for a RHEL 7 system to be a member of both an IPA > > domain and a separate AD domain? > >

Re: [Freeipa-users] Possible for system to be member of both IPA domain and AD domain?

2015-03-03 Thread Dmitri Pal
On 03/03/2015 02:24 PM, Erinn Looney-Triggs wrote: Before I go charging down this path too far, I wanted to figure out whether it is possible for a RHEL 7 system to be a member of both an IPA domain and a separate AD domain? At this point trusts are not established between IPA and the AD, this w

[Freeipa-users] Possible for system to be member of both IPA domain and AD domain?

2015-03-03 Thread Erinn Looney-Triggs
Before I go charging down this path too far, I wanted to figure out whether it is possible for a RHEL 7 system to be a member of both an IPA domain and a separate AD domain? At this point trusts are not established between IPA and the AD, this will happen around the 7.1 release, however, I woul

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Simo Sorce
On Tue, 2015-03-03 at 17:40 +, Guertin, David S. wrote: > > yes, I'm quite certain this is the client. > > Actually, it isn't, or at least it's not supposed to be. I've only ever > installed IPA on one machine, and the command I used to install it was > ipa-server-install (followed by ipa dn

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Guertin, David S. wrote: I gather that you are running some version of RHEL 6.x (you never stated your exact setup). What do you get with Yes, this is RHEL 6.6 wbinfo -m # wbinfo -m BUILTIN CSNS MIDD wbinfo -i 'AD\user' # wbinfo -i 'MIDD\testuser' failed to call wbc

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Guertin, David S.
> I gather that you are running some version of RHEL 6.x (you never stated > your exact setup). What do you get with Yes, this is RHEL 6.6 > wbinfo -m # wbinfo -m BUILTIN CSNS MIDD > wbinfo -i 'AD\user' # wbinfo -i 'MIDD\testuser' failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not

Re: [Freeipa-users] Error with kerberos users

2015-03-03 Thread Dmitri Pal
On 03/03/2015 12:35 PM, Günther J. Niederwimmer wrote: Hello, On Tuesday, 3 March 2015, 11:15:14, Dmitri Pal wrote: On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote: Hello, what is wrong on my setup? This is a "normal" install with ipa-server-install and ipa-client install on 5 KVM cli

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Guertin, David S. wrote: Can you show us your sssd.conf? When SSSD runs on IPA master it should not use extdom (ipa_s2n_exop_send and friends) at all. Sure, here's my sssd.conf: [domain/csns.middlebury.edu] cache_credentials = True krb5_store_password_if_offline = True ip

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Guertin, David S.
> yes, I'm quite certain this is the client. Actually, it isn't, or at least it's not supposed to be. I've only ever installed IPA on one machine, and the command I used to install it was ipa-server-install (followed by ipa dnsconfig-mod, ipa-adtrust-install, and ipa trust-add, as described in

Re: [Freeipa-users] Error with kerberos users

2015-03-03 Thread Günther J . Niederwimmer
Hello, On Tuesday, 3 March 2015, 11:15:14, Dmitri Pal wrote: > On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote: > > Hello, > > > > what is wrong on my setup? > > This is a "normal" install with ipa-server-install and ipa-client install > > on 5 KVM clients. > > > > CentOs 7 > > > > > >

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Jakub Hrozek
On Tue, Mar 03, 2015 at 07:13:24PM +0200, Alexander Bokovoy wrote: > On Tue, 03 Mar 2015, Guertin, David S. wrote: > >>Do these logs come from a client or the IPA server? Are you able to look up > >>the user on the IPA server at least? > > > >These come from the IPA server. So no, I can't even look

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Guertin, David S.
> Can you show us your sssd.conf? When SSSD runs on IPA master it should > not use extdom (ipa_s2n_exop_send and friends) at all. Sure, here's my sssd.conf: [domain/csns.middlebury.edu] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = csns.middlebury.edu id_provider =

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Guertin, David S. wrote: Do these logs come from a client or the IPA server? Are you able to look up the user on the IPA server at least? These come from the IPA server. So no, I can't even look up the user on the server. Can you paste (sanitized) logs from the sssd_be p

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Guertin, David S.
> Do these logs come from a client or the IPA server? Are you able to look up > the user on the IPA server at least? These come from the IPA server. So no, I can't even look up the user on the server. > Can you paste (sanitized) logs from the sssd_be process as well? They would > be located at /

Re: [Freeipa-users] Error with kerberos users

2015-03-03 Thread Dmitri Pal
On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote: Hello, what is wrong on my setup? This is a "normal" install with ipa-server-install and ipa-client install on 5 KVM clients. CentOs 7 WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv Mar 3 16:28

Re: [Freeipa-users] Auto disable users

2015-03-03 Thread Martin Kosek
On 03/03/2015 04:34 PM, Dmitri Pal wrote: > On 03/03/2015 07:22 AM, Martin Kosek wrote: >> On 03/03/2015 05:38 AM, Jason Prouty wrote: >>> >>> Is there a method to auto disable users who have logged in 90 days. >>> I have a security requirement to auto disable users who have not logged in >>> after

[Freeipa-users] Error with kerberos users

2015-03-03 Thread Günther J . Niederwimmer
Hello, what is wrong on my setup? This is a "normal" install with ipa-server-install and ipa-client install on 5 KVM clients. CentOs 7 WARNING: Failed to create krb5 context for user with uid 22521 for server bbs.gjn.prv Mar 3 16:28:22 smtp1 rpc.gssd[6912]: doing error downcall Mar 3 1

Re: [Freeipa-users] Auto disable users

2015-03-03 Thread Dmitri Pal
On 03/03/2015 07:22 AM, Martin Kosek wrote: On 03/03/2015 05:38 AM, Jason Prouty wrote: Is there a method to auto disable users who have logged in 90 days. I have a security requirement to auto disable users who have not logged in after 90 days. There is no such facility implemented in vanil

Re: [Freeipa-users] AD Group policy integration with FreeIPA

2015-03-03 Thread Dmitri Pal
On 03/03/2015 09:32 AM, Jakub Hrozek wrote: On Tue, Mar 03, 2015 at 02:18:32PM +, Veera Veluchamy wrote: Hi All, Is it possible to sync Active Directory group policy with FreeIPA server. If yes please tell the steps how to do that. To accomplish what, access control? Cu

Re: [Freeipa-users] AD Group policy integration with FreeIPA

2015-03-03 Thread Jakub Hrozek
On Tue, Mar 03, 2015 at 02:18:32PM +, Veera Veluchamy wrote: > Hi All, > > Is it possible to sync Active Directory group policy with > FreeIPA server. If yes please tell the steps how to do that. To accomplish what, access control? Currently it's not possible in the trust s

[Freeipa-users] AD Group policy integration with FreeIPA

2015-03-03 Thread Veera Veluchamy
Hi All, Is it possible to sync Active Directory group policy with FreeIPA server. If yes please tell the steps how to do that. Thanks, Veerakumar V Infrastructure Application Support [Aspire Systems] This e-mail message and any attachments are for the sole use of the intende

Re: [Freeipa-users] Unable to Install IPA

2015-03-03 Thread Martin Kosek
I do not think these are related, this should be just mod_ssl, thinking that port 443 does not use SSL (slightly related bug - https://bugzilla.redhat.com/show_bug.cgi?id=1023168). If you uninstall mod_ssl, the warning should disappear. I see Endi just replied in other part of this thread, so let

Re: [Freeipa-users] Unable to Install IPA

2015-03-03 Thread Endi Sukma Dewata
On 2/28/2015 1:01 PM, Hadoop Solutions wrote: Hi Rob, please find the attached log of /var/log/ipaserver-install.log kindly let me know the solution for this.. Thanks, Shaik Hi, I see this near the bottom of the ipaserver-install.log. # Attemptin

Re: [Freeipa-users] Unable to Install IPA

2015-03-03 Thread Hadoop Solutions
Hi Martin, please find the below HTTPD error logs [Sun Mar 01 04:27:57 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0 [Sun Mar 01 04:27:57 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Sun Mar 01 04:27:57 2015] [warn] Init:

Re: [Freeipa-users] Auto disable users

2015-03-03 Thread Martin Kosek
On 03/03/2015 05:38 AM, Jason Prouty wrote: > > > Is there a method to auto disable users who have logged in 90 days. > I have a security requirement to auto disable users who have not logged in > after 90 days. > There is no such facility implemented in vanilla FreeIPA. I think there was anot

Re: [Freeipa-users] Unable to Install IPA

2015-03-03 Thread Martin Kosek
On 02/28/2015 07:18 AM, Rob Crittenden wrote: > Hadoop Solutions wrote: >> Hi Rob, >> >> please find the attached log of /var/log/ipaserver-install.log >> >> kindly let me know the solution for this.. > > Can you see if you have any SElinux failures? > > # ausearch -m AVC -ts recent > > I see s

Re: [Freeipa-users] ipa group-add-member failed

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Ben .T.George wrote: HI Alexander, please find below error_log Sorry Ben, this is unusable. You need to follow http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Debugging_trust, where it asks you to enable debugging in smb.conf.empty and re-establish trust. Given that

Re: [Freeipa-users] ipa group-add-member failed

2015-03-03 Thread Ben .T.George
HI Alexander, please find below error_log [Tue Mar 03 11:32:15.786252 2015] [suexec:notice] [pid 4754] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [Tue Mar 03 11:32:15.936866 2015] [auth_digest:notice] [pid 4754] AH01757: generating secret for digest authentication ... [Tue Mar 0

Re: [Freeipa-users] ipa group-add-member failed

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Ben .T.George wrote: Hi, thanks for the reply. I was going through the replies and found that you suggested checking firewall and DNS What do you see in /var/log/httpd/error_log as result of dumping netr_LogonControl2Ex structure? You never showed that. Like in https://www

Re: [Freeipa-users] ipa group-add-member failed

2015-03-03 Thread Ben .T.George
Hi, thanks for the reply. I was going through the replies and found that you suggested checking firewall and DNS *[root@kwtpocpbis01 ~]# systemctl status firewalld* *firewalld.service - firewalld - dynamic firewall daemon* * Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)* *

Re: [Freeipa-users] how can i avoid error :ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides

2015-03-03 Thread Alexander Bokovoy
On Tue, 03 Mar 2015, Ben .T.George wrote: Hi, I am getting the error below while trying *ipa trust-fetch-domains kwttestdc.com* ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides time is synced through ntpd

Re: [Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

2015-03-03 Thread Jakub Hrozek
On Mon, Mar 02, 2015 at 09:33:04PM +, Guertin, David S. wrote: > > Lets separate issues. > > > > 1. Adding AD user to "IPA group" in AD. > >Did you re-login as that user on Windows side and then tried to logon > >to IPA server? > > Yes. > > > 2. What do SSSD logs say about the login

[Freeipa-users] how can i avoid error :ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides

2015-03-03 Thread Ben .T.George
Hi, I am getting the error below while trying *ipa trust-fetch-domains kwttestdc.com* ipa: ERROR: AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides time is synced through ntpd and there is no time difference between ad a