[Freeipa-users] Antwort: RE: Known issues with IPA on VM?

2015-05-06 Thread Christoph Kaminski
> Just a guess, what is your deployment size? > We have two ipa domains, one has 3 servers (2 hw and 1 vm, no > issues with dirsrv yet), another currently includes 16 vm servers, > and dirsrv hangs and crashes periodically… > we have 8 IPA servers, 4 bare metal and 4 vm's. We see the crashes

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread Christopher Lamb
Hi Yes, it's possible to operate freeIPA and Samba as you suggest, we have been doing so for some years now (with several freeIPA and Samba versions). Our end users use a mix of Windows and OSX laptops / workstations. These are not members of any kind of domain. They access our file servers via S

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread Alexander Bokovoy
On Wed, 06 May 2015, box 31978 wrote: Hello everyone, These days I'm testing integration between FreeIPA4 and Samba4 at file sharing level. Everything seems to work fine except share access from a standalone Windows client. This is the setup (everything is up-to-date): - ipa-server: CentOS 7.1,

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread nathan
> On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote: >> Ok, I have attempted to set this up by adding the AD domain to my >> configuration and it still isn't working. >> I just want to confirm what I'm trying to accomplish here before I list >> what I've done to troubleshoot this. >> >> We have

Re: [Freeipa-users] more replication fun

2015-05-06 Thread Janelle
On 5/6/15 8:12 PM, Vaclav Adamec wrote: Hi, Mike Reynolds recommends cleanallruv script (IPA RUV unable to decode thread), if you are sure there's not any live replica server behind this id then just try "cleanallruv.pl -w X -b "dc=" -r 9" Vasek On Thu, May 7, 2015 at 2:25 AM, Janelle

Re: [Freeipa-users] more replication fun

2015-05-06 Thread Vaclav Adamec
Hi, Mike Reynolds recommends cleanallruv script (IPA RUV unable to decode thread), if you are sure there's not any live replica server behind this id then just try "cleanallruv.pl -w X -b "dc=" -r 9" Vasek On Thu, May 7, 2015 at 2:25 AM, Janelle wrote: > > Hi again.. > > Seems to be an o

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-06 Thread Alexander Frolushkin
Just a guess, what is your deployment size? We have two ipa domains, one has 3 servers (2 hw and 1 vm, no issues with dirsrv yet), another currently includes 16 vm servers, and dirsrv hangs and crashes periodically… WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: David De

[Freeipa-users] more replication fun

2015-05-06 Thread Janelle
Hi again.. Seems to be an ongoing theme (replication). How does one remove these? unable to decode: {replica 9} 553ef80e00010009 55402c390009 I am hoping this is a stupid question with a really simple answer that I am simply missing? ~J

Re: [Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread Dmitri Pal
On 05/06/2015 05:11 PM, box 31978 wrote: Hello everyone, These days I'm testing integration between FreeIPA4 and Samba4 at file sharing level. Everything seems to work fine except share access from a standalone Windows client. This is the setup (everything is up-to-date): - ipa-server: CentO

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread Dmitri Pal
On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote: Ok, I have attempted to set this up by adding the AD domain to my configuration and it still isn't working. I just want to confirm what I'm trying to accomplish here before I list what I've done to troubleshoot this. We have an AD domain cal

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread Dmitri Pal
On 05/06/2015 12:14 AM, Nathan Peters wrote: From this link : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb The diagram in that section shows the client communicating with FreeIPA and FreeIP

[Freeipa-users] freeipa-samba integration and windows clients

2015-05-06 Thread box 31978
Hello everyone, These days I'm testing integration between FreeIPA4 and Samba4 at file sharing level. Everything seems to work fine except share access from a standalone Windows client. This is the setup (everything is up-to-date): - ipa-server: CentOS 7.1, ipa-server 4.1, ipa-server-trust-ad plu

[Freeipa-users] Using CNAME to point to different domain name

2015-05-06 Thread Andrey Ptashnik
Hello Team, We are hosting a few servers at Amazon and using their Elastic Load Balancing service that gives us a link to a load balancer in the following format: webserver-1234567890.us-east-1.elb.amazonaws.com I was looking for ways to implement a shorter alias using CNAME like: webserver.

Re: [Freeipa-users] Removing REALM requirement and home directory location

2015-05-06 Thread Redmond, Stacy
That's great, I got it all working, perhaps you can answer one last question, although not sure this is going to be fixable or not. Any way to get rid of the realm when using id, as you can see below, kinda messy. [root@linuxtest1 home]# su - aduser1 -sh-4.1$ id uid=1989603105(aduser1@sbx.local

Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-06 Thread nathan
Oh I feel silly now. I had the wrong IP in DNS for the server, so although forward and reverse lookups were working, it was sending the update to a server that was not a DNS server. Strangely enough, the logs did not show this attempt to notify the wrong server, they just ignored it completely.

Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues

2015-05-06 Thread nathan
Ok, I have attempted to set this up by adding the AD domain to my configuration and it still isn't working. I just want to confirm what I'm trying to accomplish here before I list what I've done to troubleshoot this. We have an AD domain called corp.addomain.net. We have UPNs set so AD users logi

Re: [Freeipa-users] Credentials constantly revoked for admin user

2015-05-06 Thread Alexander Bokovoy
On Mon, 04 May 2015, Andrew Morone wrote: I'm having this issue. I discovered when I would randomly get locked out of the admin account with the usual: kinit: Clients credentials have been revoked while getting initial credentials The scenario would go as follows: Sometimes I would try to issue

Re: [Freeipa-users] Revocation of Issuing CA certificates

2015-05-06 Thread Rob Crittenden
Kamal Perera wrote: > Dear All, > > > How is the revocation of issuing CA certificates handled? We are > using OCSP responders for revocation checking of certificates issued by > the Issuing CAs. So do we have to setup another OCSP or CRL distribution > point to let the applications to query

[Freeipa-users] Credentials constantly revoked for admin user

2015-05-06 Thread Andrew Morone
I'm having this issue. I discovered when I would randomly get locked out of the admin account with the usual: kinit: Clients credentials have been revoked while getting initial credentials The scenario would go as follows: Sometimes I would try to issue "kinit admin", with the correct credentials

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-06 Thread Rich Megginson
On 05/06/2015 12:25 AM, Martin Kosek wrote: On 05/06/2015 07:48 AM, Christoph Kaminski wrote: Hi we have some undefinable problems here with IPA inside a VM (rhev/kvm). We often have zombie processes (defunct) with certmonger and dirsrv and segfaults (dmesg)... We have 8 IPA servers, 4 Hardware

[Freeipa-users] Logging into Samba shares from non-domain trust Win7 PCs using IPA for Samba password auth.

2015-05-06 Thread Dylan Evans
Hi, The goal is to have a common password to give users access to a Linux system via PuTTY/SSH and Samba file-shares where currently for historical reasons we have 2 passwords, which is a real PITA. The PuTTY logins work great but I need to get the logins for the Samba4 shares working from Win7 P

Re: [Freeipa-users] FreeIPA 4.1.4 DNS notifications not being sent to slaves

2015-05-06 Thread Petr Spacek
Hello! On 5.5.2015 00:24, nat...@nathanpeters.com wrote: > bind.x86_64 32:9.9.4-20.el7.centos.pkcs11 > @mkosek-freeipa > bind-dyndb-ldap.x86_64 6.1-1.el7.centos This version works for me (tested on Fedora 21). > And for reference here are the relev

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
dbstat: MacBookPro-10DDB1EAF1CC-1522:~ ender$ cat FILE Default locking region information: 139 Last allocated locker ID 0x7fff Current maximum unused locker ID 9 Number of lock modes 200 Initial number of locks allocated 0 Initial number of lockers allocated 200 I

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread thierry bordaz
This is looking like thread 13 prevents thread 12 from running (and all the others). Now thread 13 is likely waiting for db page? We may need output of db_stat (db_stat -N -h /var/lib/dirsrv/slapd-xxx/db/ -CA) thanks thierry On 05/06/2015 11:31 AM, Łukasz Jaworski wrote: ldapsearch hangs. Dirsrv is no

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
>> ldapsearch hangs. Dirsrv is not responding now. > if the server is hanging, can you get a pstack >> Thread 45 (Thread 0x7fc6a562d700 (LWP 1868)): #0 0x7fc6b2f1aae3 in select () from /lib64/libc.so.6 #1 0x7fc6b5492a99 in DS_Sleep () from /usr/lib64/dirsrv/libslapd.so.0 #2 0x7fc6

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-06 Thread David Dejaeghere
Running FreeIPA 4.1 on Fedora 21 on Xenserver 6.2 in HVM mode. No issues. Kind Regards, David 2015-05-06 11:15 GMT+02:00 Alexander Frolushkin < alexander.frolush...@megafon.ru>: > Hello. > > We have periodically hanging and crashing dirsrv in our ipa servers. > > All of them running in VM on V

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Ludwig Krispenz
On 05/06/2015 11:10 AM, Łukasz Jaworski wrote: Hi, ipactl stops working after dirsrv-stop/start. There are many changes in the changelog: from 39399 to 44397 (…) # 44393, changelog dn: changenumber=44393,cn=changelog # 44394, changelog dn: changenumber=44394,cn=changelog # 44395, changelog

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-06 Thread Alexander Frolushkin
Hello. We have periodically hanging and crashing dirsrv in our ipa servers. All of them running in VM on Vmware. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christoph Kaminski Sent: We

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
Hi, ipactl stops working after dirsrv-stop/start. There are many changes in the changelog: from 39399 to 44397 (…) # 44393, changelog dn: changenumber=44393,cn=changelog # 44394, changelog dn: changenumber=44394,cn=changelog # 44395, changelog dn: changenumber=44395,cn=changelog # 44396, chan

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Ludwig Krispenz
please reply to the mailing list On 05/06/2015 11:00 AM, Łukasz Jaworski wrote: Hi, ipactl stops working after dirsrv-stop/start. There are many changes in the changelog: from 39399 to 44397 (…) # 44393, changelog dn: changenumber=44393,cn=changelog # 44394, changelog dn: changenumber=44394,c

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread Ludwig Krispenz
Hi, there seem to be different issues, - I don't know what the ipactl status is looking for when it generates the error message about no matching master, but I don't think it is related to the retro changelog. - the retro changelog errors for adding and deleting -- the add failures are about a

Re: [Freeipa-users] Split Horizon DNS config

2015-05-06 Thread Petr Spacek
On 6.5.2015 10:06, Petr Spacek wrote: > General advice about views is > 'do not use them' :-) > > It is much cleaner to put internal names in a sub-domain like int.example.com. > (while example.com. is the public-facing domain) and restrict access to this > sub-domain using ACL. > > In long term

Re: [Freeipa-users] Split Horizon DNS config

2015-05-06 Thread Petr Spacek
On 5.5.2015 07:42, Christoph Kaminski wrote: > Hi > > can someone validate this config for bind + split horizon (only the views > part): > > acl internal { > 127.0.0.1; > 172.16.0.0/12; > }; > > view "internal" > { > match-clients {

[Freeipa-users] Problem with replication

2015-05-06 Thread Łukasz Jaworski
Hi, One of our replicas hung this morning. Error log after dirsrv restart: [06/May/2015:09:28:15 +0200] - Retry count exceeded in delete [06/May/2015:09:28:15 +0200] DSRetroclPlugin - delete_changerecord: could not delete change record 38376 (rc: 51) [06/May/2015:09:28:15 +0200] - Operation error