Re: [Freeipa-users] FREAK Vulnerability

2016-01-26 Thread Martin Kosek
On 01/26/2016 05:39 PM, Terry John wrote: > Thanks for this. I've had a look today > We are running: > > ipa-server.x86_64 3.0.0-47.el6.centos > > and some of the directives did not work, namely allowWeakCipher, > sslVersionMin and sslVersionMax. So I commented the

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-26 Thread Martin Kosek
Adding freeipa-users list back, so that others benefit from the discussion. On 01/26/2016 07:47 PM, Izzo, Anthony wrote: > The error I'm getting is that the option "raw" is invalid. The dnsrecord-del > command includes a "--raw" switch on RHEL6, but not on RHEL7. I am not using > the switch, b

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Martin Kosek
On 01/26/2016 09:45 PM, Ash Alam wrote: > I didn't want to dig up an old thread but I am running into this issue. The > old thread points to Pki 10.2.6 as the solution but I am not seeing that > package on centos 7.2. > > STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to > con

[Freeipa-users] FreeIPA 4.3.0 Trust with AD Fails with RemoteRetrieveError

2016-01-26 Thread Nathan Peters
I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1. When I try through the cli I get this error: ipa: ERROR: communication with CIFS server was unsuccessful When I try through the web ui I get: IPA Error 4016: RemoteRetrieveError Following debugging steps and setting

Re: [Freeipa-users] ipa-trust and SRV records

2016-01-26 Thread Alexander Bokovoy
On Wed, 27 Jan 2016, Simpson Lachlan wrote: At the end of the installation of the ipa-adtrust-install, there is a message along the lines of: Add the following service records to your DNS server for DNS zone unix.co.org.au: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs _ldap._tcp.dc._msdc

Re: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

2016-01-26 Thread Nathan Peters
I don't know if this is a bug or intended behavior, but if I set those values also in named.conf manually, forwarding of arpa zones works. I had to do this: ---snip--- forward only; forwarders { 10.21.0.14; 10.21.0.15; }; ---snip--- Previously my file looked like this ---snip ---

[Freeipa-users] help

2016-01-26 Thread Tim Moor
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

[Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse lookup zones

2016-01-26 Thread Nathan Peters
I have my FreeIPA server setup with a forward only policy for DNS. If I perform an nslookup against either of the configured forward servers, I can do a reverse lookup properly. If I perform the same nslookup against my local server, it will not find the entry. I have confirmed that there are

[Freeipa-users] ipa-trust and SRV records

2016-01-26 Thread Simpson Lachlan
At the end of the installation of the ipa-adtrust-install, there is a message along the lines of: Add the following service records to your DNS server for DNS zone unix.co.org.au: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs _ldap._tcp.dc._msdcs _kerberos._tcp.Default-First-Site-Nam

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Nathan Peters
https://fedorahosted.org/freeipa/ticket/5575 ^--- That was the one. It triggered differently for me because I had manually re-replaced the aci in the dc=domain,dc=mapping tree branch. Had I left it alone it would have triggered exactly as in the bug report. However, that bug report did let me

[Freeipa-users] Client-Install failures

2016-01-26 Thread David Zabner
Hi All, I am working on automated deployment of ipa clients through a program called salt and have been seeing an issue. Specifically, calls to ipa.server.internal/ipa/json occasionally return a 500 error. This tends to occur while using ipa-client-install and ipa-dns commands. I am on free-ipa

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Martin Basti
On 26.01.2016 21:51, Martin Basti wrote: On 26.01.2016 21:03, Nathan Peters wrote: After some more investigation, it appears that there may be more ACIs missing. I added the missing permission (System: Read Replication Agreements) on all my masters, and then the installation failed at thi

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Martin Basti
On 26.01.2016 21:03, Nathan Peters wrote: After some more investigation, it appears that there may be more ACIs missing. I added the missing permission (System: Read Replication Agreements) on all my masters, and then the installation failed at this point: --- [28/43]

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Ash Alam
I didn't want to dig up an old thread but I am running into this issue. The old thread points to Pki 10.2.6 as the solution but I am not seeing that package on centos 7.2. STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command ''/usr/sbin/pkispawn' '-

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-26 Thread Nathan Peters
After some more investigation, it appears that there may be more ACIs missing. I added the missing permission (System: Read Replication Agreements) on all my masters, and then the installation failed at this point: --- [28/43]: setting up initial replication Starting repl

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (26/01/16 12:47), Rob Crittenden wrote: >> Günther J. Niederwimmer wrote: >>> Am Dienstag, 26. Januar 2016, 17:13:03 CET schrieb Ludwig Krispenz: >>> Hello Ludwig, >>> you got a replicaid (97) leftover from the previous install for the o=ipaca backend. The ot

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Lukas Slebodnik
On (26/01/16 12:47), Rob Crittenden wrote: >Günther J. Niederwimmer wrote: >> Am Dienstag, 26. Januar 2016, 17:13:03 CET schrieb Ludwig Krispenz: >> Hello Ludwig, >> >>> you got a replicaid (97) leftover from the previous install for the >>> o=ipaca backend. The other backend is ok, ipa-replica-m

Re: [Freeipa-users] Problem adding user

2016-01-26 Thread Birnbaum, Warren (ETW)
The users I have are authenticated off Active Directory. I can remove the user from /etc/passwd but don't know how to have the user still be authenticated from Active Directory instead of I believe Kerberos. Does that make any sense? Thanks, ___ Warren Birnbaum : Infrastructure S

Re: [Freeipa-users] Problem adding user

2016-01-26 Thread Rob Crittenden
Birnbaum, Warren (ETW) wrote: > Hello, > > I am trying to add a user into FreeIPA that already exists in > /etc/passwd. How can I add him into FreeIPA and employ all the > functionality? What is your goal in keeping the user in both systems? rob

[Freeipa-users] Problem adding user

2016-01-26 Thread Birnbaum, Warren (ETW)
Hello, I am trying to add a user into FreeIPA that already exists in /etc/passwd. How can I add him into FreeIPA and employ all the functionality? Thanks, Warren

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Rob Crittenden
Günther J. Niederwimmer wrote: > Am Dienstag, 26. Januar 2016, 17:13:03 CET schrieb Ludwig Krispenz: > Hello Ludwig, > >> you got a replicaid (97) leftover from the previous install for the >> o=ipaca backend. The other backend is ok, ipa-replica-manage del did the >> cleanup, but ipa-csreplica-m

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Am Dienstag, 26. Januar 2016, 17:13:03 CET schrieb Ludwig Krispenz: Hello Ludwig, > you got a replicaid (97) leftover from the previous install for the > o=ipaca backend. The other backend is ok, ipa-replica-manage del did the > cleanup, but ipa-csreplica-manage doesn't. So you have to clean it >

Re: [Freeipa-users] FREAK Vulnerability

2016-01-26 Thread Rich Megginson
On 01/26/2016 10:00 AM, Martin Basti wrote: On 26.01.2016 17:39, Terry John wrote: Thanks for this. I've had a look today We are running: ipa-server.x86_64 3.0.0-47.el6.centos and some of the directives did not work, namely allowWeakCipher, sslVersionMin and ss

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Ash Alam
Thank you! Out of curiosity has anyone been able to automate this using chef/puppet etc? On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek wrote: > Did you follow the instructions in the error message? There is also a > longer > description here: > > > https://access.redhat.com/documentation/en-US/

Re: [Freeipa-users] FREAK Vulnerability

2016-01-26 Thread Martin Basti
On 26.01.2016 17:39, Terry John wrote: Thanks for this. I've had a look today We are running: ipa-server.x86_64 3.0.0-47.el6.centos and some of the directives did not work, namely allowWeakCipher, sslVersionMin and sslVersionMax. So I commented them out The lda

Re: [Freeipa-users] FREAK Vulnerability

2016-01-26 Thread Terry John
Thanks for this. I've had a look today We are running: ipa-server.x86_64 3.0.0-47.el6.centos and some of the directives did not work, namely allowWeakCipher, sslVersionMin and sslVersionMax. So I commented them out The ldapupdater then seems happy but when I went t

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread Martin Kosek
On 01/26/2016 05:13 PM, wodel youchi wrote: > Hi, > > For the first problem I redid the import using this syntax > ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat > --user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389 > > and it worked, all accounts we

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread wodel youchi
Hi, For the first problem I redid the import using this syntax ipa -d -v migrate-ds --bind-dn "cn=admin,dc=example,dc=com" --with-compat --user-ignore-objectclass qmailuser --continue ldap://192.168.1.121:389 and it worked, all accounts were imported successfully. The thing I don't know where th

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
Hi, you got a replicaid (97) leftover from the previous install for the o=ipaca backend. The other backend is ok, ipa-replica-manage del did the cleanup, but ipa-csreplica-manage doesn't. So you have to clean it manually by an ldap command. Execute the following mod on one of the servers: l

Re: [Freeipa-users] ipa-admintools version incompatibility

2016-01-26 Thread Martin Kosek
On 01/26/2016 04:22 PM, Izzo, Anthony wrote: > I have a FreeIPA 4.2 server (on RHEL7) and a FreeIPA 3.0 client (on RHEL6). > I am aware of the incompatibility between versions for ipa-admintools (in my > case I'm trying to use ipa dnsrecord-del). I was just wondering if there is > a workaround

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Martin Kosek
Did you follow the instructions in the error message? There is also a longer description here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc Martin On 01/26/2016 04:38 PM, Ash

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello Ludwig, Am Dienstag, 26. Januar 2016, 14:48:31 CET schrieb Ludwig Krispenz: > On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote: > > Am Dienstag, 26. Januar 2016, 11:03:27 CET schrieb Ludwig Krispenz: > >> On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: > >>> I set up a CentOS 7

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-01-26 Thread Ash Alam
I wanted to follow up on this as I have finally gotten around to doing the upgrade. I am running into this error. I also found a bugzilla ticket. Do you have to do some type of schema upgrade like you do with active directory? https://bugzilla.redhat.com/show_bug.cgi?id=1235766 STDERR: ipa

[Freeipa-users] ipa-admintools version incompatibility

2016-01-26 Thread Izzo, Anthony
I have a FreeIPA 4.2 server (on RHEL7) and a FreeIPA 3.0 client (on RHEL6). I am aware of the incompatibility between versions for ipa-admintools (in my case I'm trying to use ipa dnsrecord-del). I was just wondering if there is a workaround that would allow me, from my 3.0 client, to delete a

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread Martin Kosek
On 01/26/2016 02:20 PM, wodel youchi wrote: > Hi, > > In the above log (httpd log) the LDAPEntry contains qmailuser and qmailUser > objectClasses, I don't know if this is what is causing the problem. That's probably it. Can you please try to lowercase 'qmailUser' in the FreeIPA config and try th

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
On 01/26/2016 12:30 PM, Günther J. Niederwimmer wrote: Hello Ludwig, Am Dienstag, 26. Januar 2016, 11:03:27 CET schrieb Ludwig Krispenz: On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: Hello List, I set up a CentOS 7.2 System with two master Servers; now I found this 1000 x Error on my

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread wodel youchi
Hi, In the above log (httpd log) the LDAPEntry contains qmailuser and qmailUser objectClasses, I don't know if this is what is causing the problem. Another thing, I can't import groups as well, I did add a simple group to my ldap dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit obj

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread wodel youchi
Hi again, This is what I get from httpd error_log [Tue Jan 26 13:38:02.394757 2016] [:error] [pid 7427] ipa: WARNING: GID number 1000 of migrated user jean.doe does not point to a known group. [Tue Jan 26 13:38:02.397928 2016] [:error] [pid 7427] LDAPEntry(ipapython.dn.DN('uid=jean.doe,cn=users,c

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-26 Thread Zeal Vora
Thanks David. Generally for Operating systems like Amazon Linux etc. which do not have an IPA-Client, we generally use SSSD to get things working. In such cases, what would be the optimal way to configure the SRV records as the --domain parameter won't be present. On Mon, Jan 25, 2016 at 5:16 PM, Dav

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello Ludwig, Am Dienstag, 26. Januar 2016, 11:03:27 CET schrieb Ludwig Krispenz: > On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: > > Hello List, > > > > I set up a CentOS 7.2 System with two master Servers; now I found this 1000 > > x > > Error on my first master? > > > > attrlist_replac

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread wodel youchi
Thanks I will try and report back. I am using Centos 7.2x64 with latest updates and ipa-server-4.2.0-15.el7.centos.3.x86_64 Regards 2016-01-26 10:53 GMT+01:00 Martin Kosek : > On 01/26/2016 10:16 AM, wodel youchi wrote: > > Hi, > > > > I am a newbie in freeipa. I am trying to use it with our m

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Ludwig Krispenz
On 01/26/2016 09:45 AM, Günther J. Niederwimmer wrote: Hello List, I set up a CentOS 7.2 System with two master Servers; now I found this 1000 x Error on my first master? attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.xxx.at:389/ o%3Dipaca) failed. did you install and reinsta

Re: [Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread Martin Kosek
On 01/26/2016 10:16 AM, wodel youchi wrote: > Hi, > > I am a newbie in freeipa. I am trying to use it with our mail server. Cool! What is your version of the FreeIPA server? It will be important for further investigation. > Our mail server uses openldap with one external schema : qmail.schema, w

[Freeipa-users] Migration from openLDAP to FreeIPA with qmail.schema

2016-01-26 Thread wodel youchi
Hi, I am a newbie in freeipa. I am trying to use it with our mail server. Our mail server uses openldap with one external schema: qmail.schema, we use it especially for mailQuota, mailAlternateAddress, mailForwardingAddress and AccountStatus. I tried to import this schema to freeipa using ipa-l

[Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Günther J . Niederwimmer
Hello List, I set up a CentOS 7.2 System with two master Servers; now I found this 1000 x Error on my first master? attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.xxx.at:389/ o%3Dipaca) failed. the second is harmless I read ;-) NSMMReplicationPlugin - replication keep alive e