Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Alexander Bokovoy
On Thu, 21 Jan 2016, Simpson Lachlan wrote: -Original Message- From: Simpson Lachlan I would like to test a few things, but I'm finding it hard to find good examples. How can I test that the one way trust relationship between the FreeIPA server and the AD DC is still in effect? (

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
I don't know if this makes a difference too, but I performed the same checks on a different completely working and joined FreeIPA master, against other masters, and even against itself directly. It seems that no account, no keytab, and no host can see that mapping tree branch no matter who they

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
All checks below were performed from the host we are trying to turn into a replica and they were performed against the master whose logs I also show. The first check was to kinit admin and try the search. Surprisingly, the GSSAPI bind returns no results when we search that. In my previous email y

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 05:55 PM, bahan w wrote: > Ah sorry, for security reasons I didn't want to put the original name and I > made a mistake. > > Here we are, for the confusing lines : > ### > Assuming realm is the same as domain: > Generated basedn from realm: dc= > Discovery result: NO_ACCESS_TO_LDAP;

Re: [Freeipa-users] Cross Domain Trust

2016-01-20 Thread Zoske, Fabian
Hi Lukas, such a realm does not exist, but it is my user principal name in AD, due to legacy compatibility with Exchange. Best regards, Fabian -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Monday, 18 January 2016 18:03 To: Zoske, Fabian Cc: free

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Simpson Lachlan > I would like to test a few things, but I'm finding it hard to find good > examples. > > How can I test that the one way trust relationship between the FreeIPA server >and the AD DC is still in effect? (FreeIPA trusts AD, AD does not tr

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 9:22 AM > >ses=4294967295 subj=kernel pid=18340 comm="httpd" reason="memory > >violation" sig=11 type=ANOM_ABEND msg=audit(1453325558.988:1245): > >auid=4294967295 uid=991 gid=987

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 9:22 AM > To: Simpson Lachlan > Cc: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA wont start, all services fail > > On Wed, 20 Jan 2016, Simpson Lachlan wrote: > >> -

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Alexander Bokovoy
On Wed, 20 Jan 2016, Simpson Lachlan wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Thursday, 21 January 2016 8:44 AM To: Simpson Lachlan Cc: tbor...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA wont start, all services fail

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > From: Alexander Bokovoy [mailto:aboko...@redhat.com] > Sent: Thursday, 21 January 2016 8:44 AM > To: Simpson Lachlan > Cc: tbor...@redhat.com; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA wont start, all services fail > > On Wed, 20 Jan 2016, Simpson L

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Alexander Bokovoy
On Wed, 20 Jan 2016, Simpson Lachlan wrote: -Original Message- Is there any coredump available with 389-ds crashing? I've asked you to use http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes to enable coredumps for 389-ds in one of previous discussions, was it done? You seem

Re: [Freeipa-users] FreeIPA AD Trust

2016-01-20 Thread Alexander Bokovoy
On Wed, 20 Jan 2016, Andrew Meyer wrote: So then should I say yes to continue? I don't have samba configured on here. It's just running FreeIPA... Yes, but please do follow my suggestion when running ipa-adtrust-install. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-user

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Simpson Lachlan
> -Original Message- > > Is there any coredump available with 389-ds crashing? I've asked you to use > http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes to enable > coredumps for 389-ds in one of previous discussions, was it done? > You seemed to get diverted to winbindd cor

Re: [Freeipa-users] FreeIPA AD Trust

2016-01-20 Thread Andrew Meyer
So then should I say yes to continue? I don't have samba configured on here. It's just running FreeIPA... On Wednesday, January 20, 2016 3:14 PM, Alexander Bokovoy wrote: On Wed, 20 Jan 2016, Andrew Meyer wrote: >So I'm getting this when trying to setup a trust between 2012r2 and Fr

Re: [Freeipa-users] FreeIPA AD Trust

2016-01-20 Thread Alexander Bokovoy
On Wed, 20 Jan 2016, Andrew Meyer wrote: So I'm getting this when trying to setup a trust between 2012r2 and FreeIPA on CentOS 7.2  [user@asm-dns01 ~]$ sudo ipa-adtrust-install I don't recommend running ipa-adtrust-install under sudo as you do. sudo would keep some of user-related environment t

[Freeipa-users] FreeIPA AD Trust

2016-01-20 Thread Andrew Meyer
So I'm getting this when trying to setup a trust between 2012r2 and FreeIPA on CentOS 7.2  [user@asm-dns01 ~]$ sudo ipa-adtrust-install The log file for this installation can be found in /var/log/ipaserver-install.log==Th

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Rich Megginson
On 01/20/2016 12:24 PM, Nathan Peters wrote: Now we are starting to get somewhere (although a resolution still is not visible) :) First, thank you Petr and Rob for your help on this issue. I apologize for our hard to parse server names. I'm not a fan of them myself and in earlier reports I

[Freeipa-users] DNS Module (DNSSEC) NSEC§

2016-01-20 Thread Günther J . Niederwimmer
Hello, I can't find a way to integrate NSEC3, all docs I found are only for DNSSEC, but not including NSEC3. Can anyone help me to set this up correctly? Thanks for an answer, -- mit freundlichen Grüßen / best regards, Günther J. Niederwimmer -- Manage your subscription for the Freeipa-users

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Nathan Peters
Now we are starting to get somewhere (although a resolution still is not visible) :) First, thank you Petr and Rob for your help on this issue. I apologize for our hard to parse server names. I'm not a fan of them myself and in earlier reports I had been reformatting everything nicely with dc

Re: [Freeipa-users] IE10 Dialogs close on Enter keypress

2016-01-20 Thread Petr Vobornik
On 01/07/2016 06:11 AM, Jim Groffen wrote: Hello, I found that when running FreeIPA Web UI on IE10 that modal dialogs close when enter is pressed. Normal functionality is to 'submit' the dialog on an enter keypress. I found a solution by adding a type="button" attribute to the close button of t

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I made a mistake. Here we are, for the confusing lines : ### Assuming realm is the same as domain: Generated basedn from realm: dc= Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=dc= Validated s

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 04:03 PM, bahan w wrote: > Re Martin. > > Here we are for the ipaclient-install.log : > > ### > 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with > options: {'domain': '', 'force': False, 'realm_name': > '', 'krb5_offline_passwords': True, 'primary': False, 'm

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin. Here we are for the ipaclient-install.log : ### 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '', 'force': False, 'realm_name': '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': Fal

Re: [Freeipa-users] Unable to search HBAC Rule

2016-01-20 Thread Yogesh Sharma
Hi Martin, FreeIPA version 4.1.0 Will look into the Workaround. Thanks *Best Regards,* *__* *Yogesh Sharma* *Email: yks0...@gmail.com | Web: www.initd.in * *RHCE, VCE-CIA, RACKSPACE CLOUD U Certified*

Re: [Freeipa-users] Unable to search HBAC Rule

2016-01-20 Thread Martin Basti
On 20.01.2016 14:26, Yogesh Sharma wrote: Hi, We have created a user with HBAC Admin permission which has below permission (Default as provided by IPA): System: Add HBAC Rule System: Add HBAC Service Groups System: Add HBAC Services System: Delete HBAC Rule System: Delete HBAC Service Group

[Freeipa-users] UNABLE TO SEARCH HBAC RULE

2016-01-20 Thread Yogesh Sharma
Hi, We have created a user with HBAC Admin permission which has below permission (Default as provided by IPA): System: Add HBAC Rule System: Add HBAC Service Groups System: Add HBAC Services System: Delete HBAC Rule System: Delete HBAC Service Groups System: Delete HBAC Services System: Manage HB

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
Adding freeipa-users back, so that others can benefit from the answer. Can you please attach a full ipaclient-install.log DEBUG log somewhere so that we can get the full context of the bug? You may also want to open a RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maint

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 12:08 PM, bahan w wrote: > Hello ! > > I send you this mail because of the following topic. > > I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous > access for security reasons. > > But now, I have a problem when I try to enroll a new host. > > Here is the comma

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello ! I send you this mail because of the following topic. I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous access for security reasons. But now, I have a problem when I try to enroll a new host. Here is the command I try : ### ipa-client-install --domain= --realm= --serv

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-20 Thread Alexander Bokovoy
On Wed, 20 Jan 2016, Anon Lister wrote: So I had the same problem. For me it ended up being that some attribute was not created correctly in 389 using the instructions in the guide. I don't remember what it was off the top of my head. Something about a default user or group SID I think. Had to tu

Re: [Freeipa-users] Fwd: Creating Trusts with AD - (RH#878168, FIPA#3266)

2016-01-20 Thread Anon Lister
So I had the same problem. For me it ended up being that some attribute was not created correctly in 389 using the instructions in the guide. I don't remember what it was off the top of my head. Something about a default user or group SID I think. Had to turn samba logging up. Eventually it shows t

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-20 Thread Petr Vobornik
On 01/20/2016 12:31 AM, Rob Crittenden wrote: Nathan Peters wrote: [18/Jan/2016:09:28:33 -0800] conn=18732 op=10 ADD dn="cn=replica,cn=dc\3Ddev-globalrelay\2Cdc\3Dnet,cn=mapping tree,cn=config" [18/Jan/2016:09:28:33 -0800] conn=18732 op=10 RESULT err=68 tag=105 nentries=0 etime=0 [18/Jan/2

Re: [Freeipa-users] ns-slapd using all CPU ressources

2016-01-20 Thread Martin Basti
On 20.01.2016 09:29, Domingues Luis Filipe wrote: Hi, Thanks, this is actually the version we are running. Do you have a link to the ticket? I tried to find it on the bug tracker but I have always a ticket not found. Luis Link to DS ticket https://fedorahosted.org/389/ticket/48379 -

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread thierry bordaz
On 01/20/2016 09:20 AM, Alexander Bokovoy wrote: On Tue, 19 Jan 2016, Simpson Lachlan wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Let's start from the beginning: - What distribution you are running? Centos, Linux release 7.2.1511 (Core) - Wha

Re: [Freeipa-users] idoverride-add gives incorrect, inconsistant results?

2016-01-20 Thread Jakub Hrozek
On Wed, Jan 20, 2016 at 09:15:47AM +1100, Lachlan Musicman wrote: > 1.13.0 I suspect it's 7.2, then. Did you already update to the latest available version (1.13.0-41)? If yes, do you have logfiles? See https://fedorahosted.org/sssd/wiki/Troubleshooting -- Manage your subscription for the Freeip

Re: [Freeipa-users] ns-slapd using all CPU ressources

2016-01-20 Thread Domingues Luis Filipe
Hi, Thanks, this is actually the version we are running. Do you have a link to the ticket? I tried to find it on the bug tracker but I have always a ticket not found. Luis -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of L

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread Alexander Bokovoy
On Tue, 19 Jan 2016, Simpson Lachlan wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Let's start from the beginning: - What distribution you are running? Centos, Linux release 7.2.1511 (Core) - What IPA packages are installed? [root@vmts-linuxid