On Tue, Jun 07, 2016 at 08:21:21PM +, Nathan Peters wrote:
> I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on
> Fedora 23.
>
> When I try to sudo on this host, it fails. Here are the log entries from
> /var/log/secure. Note that we have several hundred CentOS
I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on
Fedora 23.
When I try to sudo on this host, it fails. Here are the log entries from
/var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines
where this works fine.
Is this a new bug in CentOS
Nathan Peters wrote:
I get this when doing almost anything on only one of my Fedora 23
FreeIPA 4.3.0 servers. The rest work fine.
This server also tends to crash quite a bit and the others do not.
What crashes?
Any tips on what I should be looking for or how to fix that ?
I'd look in the
I get this when doing almost anything on only one of my Fedora 23 FreeIPA 4.3.0
servers. The rest work fine.
This server also tends to crash quite a bit and the others do not.
Any tips on what I should be looking for or how to fix that ?
Some operations failed.
Hide
lejeczek wrote:
On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:
hi there,
I'm trying to set up a replica with: --setup-dns --no-forwarders
--setup-ca
installer fails at:
[10/23]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain:
Kay Zhou Y wrote:
Hi Rob,
Actually certmonger service is failed after restart it, but without its active
the two 389-ds and apache certs could be renewed as well.. it's weird..
root@ecnshlx3039-test2(SH):~ #systemctl status certmonger
certmonger.service - Certificate monitoring and PKI
Thanks a ton Alexander, this permission fixed everything :)
2016-06-07 17:08 GMT+03:00 Alexander Bokovoy :
> On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
>
>> Hi Alexander!
>>
>> Here's the config (mostly auto-generated by ipa-client-install):
>>
>>
Hello,
I'm having issues with freeipa replication. Currently we have 4 Freeipa
servers, in a master - master relationship with replication
agreements between all servers.
I noticed the replication failure messages in the logs late last week
and upon investigation found stale replication
Greetings all …
I’m trying to pinpoint a problem when creating the AD trust using the following
command below. The error message and related details provided below. There is
a Bugzilla on it, however, I cannot locate any updated versions from
RHEL/Oracle Linux channels. That gives me the
dan.finkelst...@high5games.com wrote:
This advice has gotten me much further, thanks. We didn't have an HBAC
rule for admin and, now with it in place, connection checks and other
commands appear to be working that haven't worked before. I'm still
getting caught on the CA portion of the replica
Bret Wortman wrote:
On 06/03/2016 01:04 PM, Rob Crittenden wrote:
Bret Wortman wrote:
On 06/03/2016 11:02 AM, Rob Crittenden wrote:
Bret Wortman wrote:
I'm not sure I'd call what we have "success" just yet. ;-)
You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
see
No, neither HOTP works...
Op 07-06-16 om 17:09 schreef Prashant
Bapat:
Do HOTP tokens work fine ?
On 7 June 2016 at 20:37, Winfried de
Heiden
wrote:
Hello
The RH Bugzilla is pretty much unnavigable by anyone who doesn't know
the magic words, so i'm asking here. Apologies in advance if misdirected.
The Web UI has a couple of fairly annoying (sorry) deficiencies:
- unable to sort on columns, eg: In DNS Zones, the sort is on hostname,
hi users,
some network devices need and look up special type of a
user, in my case it's dell powerconnect switch which - when
uses radius - needs, eg: $enable5$.
Is this something that IPA will be ok with? will have no
problems if I create such a user? I don't suppose IPA have
full support
Michael Rainey (Contractor) wrote:
Greetings Community,
I have a question about restoring the DNA Ranges on my IPA servers. A
couple of weeks ago I took down one of my servers which involved a few
issues I had created for myself, but luckily I managed to recover.
Today I noticed that the DNA
Do HOTP tokens work fine ?
On 7 June 2016 at 20:37, Winfried de Heiden wrote:
> Hi all,
>
>
> Yes I check that one also. The IPA-server is running ntp and is in sync.
> The FreeOTP app is running on my phone which is synced by network, all
> looks fine
>
>
> Forgot to mention;
Hi all,
Yes I check that one also. The IPA-server is
running ntp and is in sync. The FreeOTP app is running on my
phone which is synced by network, all looks fine
Forgot to mention; this IPA-server is running on Fedora ARM on a
Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
do this:
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir
If this is TOTP (time based) you want to double check the time is properly
set in both the server (NTP) and the device that is generating the OTP
tokens. I have had issues with this with my users couple of times.
On 7 June 2016 at 19:43, Alexander Bokovoy wrote:
> On
From your errors, it looks like sssd is not able to find the autofs
entries. In order to confirm that, you can add the autofs mapping manually
to your config file (under /etc/auto.* depending on your config), and test
if that works. If you can get that to work, the problem lies in
freeipa/sssd
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
Ok.
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ
(6 etypes {18 17 16
23 25 26}) 192.168.1.251: NEEDED_PREAUTH:
For the benefit, or added confusion, of future generations, some
observations
ipa-ca-install, run successful replica instantiation w/o --setup-ca
fails consistently with the errors in my orig post. Never figured out
what the script was finding that needed purging. After a multitude of
On Tue, 07 Jun 2016, Konstantin M. Khankin wrote:
Hi Alexander!
Here's the config (mostly auto-generated by ipa-client-install):
-
[domain/gsk.loc]
One thing I noticed was that once I had set up the proxy as per the
document from Jan, I was getting access denied to /ipa until I disabled the
Kerberos authentication stuff:
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
# AuthType GSSAPI
# AuthName "Kerberos
Hi all,
I tried the FreeIPA webUI, ssh and "su -
otpuser", all the same result.
Winny
Op 07-06-16 om 15:02 schreef Alexander
Bokovoy:
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I am
Hi Alexander!
Here's the config (mostly auto-generated by ipa-client-install):
-
[domain/gsk.loc]
cache_credentials = True
krb5_store_password_if_offline = True
I have done like You said. Here is output:
[root@nfsclient ~]# automount -vvvf
1 Starting automounter version 5.1.1-3.fc23, master map auto.master
2 using kernel protocol version 5.02
3 mounted indirect on /misc with timeout 300, freq 75 seconds
4 mounted indirect on /net with timeout 300,
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I am trying to setup Freeipa with otp using the freeotp app. All looks fine,
adding the user to the FreeOTP app also works fine. The users looks like:
ipa user-show otpuser
User login: otpuser
First name: otp
Last name: user
Home
Hi all,
I am trying to setup Freeipa with otp using the freeotp app. All
looks fine, adding the user to the FreeOTP app also works fine.
The users looks like:
ipa user-show otpuser
User login: otpuser
First name: otp
Last
On 06/03/2016 01:04 PM, Rob Crittenden wrote:
Bret Wortman wrote:
On 06/03/2016 11:02 AM, Rob Crittenden wrote:
Bret Wortman wrote:
I'm not sure I'd call what we have "success" just yet. ;-)
You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
see how we go.
Rob, would
30 matches