Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
Lukas, Thank you for responding. This particular issue was the one that was preventing us from using sssd 1.13 on RHEL 6.8. https://www.redhat.com/archives/freeipa-users/2016-July/msg00163.html Basically no matter what I did HBAC seemed to randomly break on some systems. The systems were

Re: [Freeipa-users] (no subject)

2016-08-25 Thread Iain M Conochie
On 24/08/16 18:08, Sean Hogan wrote: Hi All, Would anyone be able to direct me to some docs regarding NFS automount with IPA. We are currently using this setup but to be specific I do not want the priv keys to be in the users mounted home. When I did the keygen I took the defaults for

Re: [Freeipa-users] Cleaning Up an Unholy Mess

2016-08-25 Thread Mark Reynolds
On 08/25/2016 02:04 PM, Ian Harding wrote: > > On 08/25/2016 10:41 AM, Rob Crittenden wrote: >> Ian Harding wrote: >>> >>> On 08/24/2016 06:33 PM, Rob Crittenden wrote: Ian Harding wrote: > I tried to simply uninstall and reinstall freeipa-dal and this > happened. > > It

Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
Jakub, Thank you for responding. We’ll have to talk about upgrading to 1.14.1 internally. I appreciate your time, this is the sort of information I was looking for. Best, Dan > On Aug 25, 2016, at 3:39 PM, Jakub Hrozek wrote: > > On Thu, Aug 25, 2016 at 06:30:22PM

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Lukas Slebodnik
On (25/08/16 11:30), Troels Hansen wrote: >Hmm, adding the CentOS SSSD 1.14 copr repo and running yum upgrade, >getting a version 1.14.1, clean cache DB (complaining about cache being >old version), Upgrade to 1.14.1 should not require purging sssd cache. If you are able to reproduce then please

Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Jakub Hrozek
On Thu, Aug 25, 2016 at 06:30:22PM +, Sullivan, Daniel [AAA] wrote: > Hi, > > I feel like I’ve been warned at least twice that sssd 1.14 has some known > regressions that make it unstable. We’re in the process of rolling it out to > our production environment (we can’t use 1.13 due to

Re: [Freeipa-users] Slow logins with multi site replication

2016-08-25 Thread Jakub Hrozek
On Thu, Aug 25, 2016 at 04:11:29PM +, Neal Harrington | i-Neda Ltd wrote: > > > Hi, > > > > > > > I am experiencing slow logins and sudo authentication for servers joined > > > to my FreeIPA domain. I have been following the other recent thread on > > > slow logins and believe my issue is

Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Lukas Slebodnik
On (25/08/16 18:30), Sullivan, Daniel [AAA] wrote: >Hi, > >I feel like I’ve been warned at least twice that sssd 1.14 has some known >regressions that make it unstable. We’re in the process of rolling it out to >our production environment (we can’t use 1.13 due to another issue); so far it

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
Great! That worked. Thank you so much Rob. Your help is highly appreciated. On Thu, Aug 25, 2016 at 3:49 PM, Rob Crittenden wrote: > Linov Suresh wrote: > >> I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02 >> is missing on both master and replica

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Rob Crittenden
Linov Suresh wrote: I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02 is missing on both master and replica servers. Do we need to add IPA server 2, ipa02 on both master and replica? No, it should replicate. I find it very strange that these are missing. I wonder what

[Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
Hi, I feel like I’ve been warned at least twice that sssd 1.14 has some known regressions that make it unstable. We’re in the process of rolling it out to our production environment (we can’t use 1.13 due to another issue); so far it seems pretty stable, although if possible I’d like any

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-25 Thread Linov Suresh
I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02 is missing on both master and replica servers. Do we need to add IPA server 2, ipa02 on both master and replica? [root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b

Re: [Freeipa-users] sudo rules question on ubuntu 16.0.1

2016-08-25 Thread Jeff Goddard
I'm still hoping someone can offer additional help. I see in the apt term.log these errors when downloading the freeipa-client package. Could this be the problem? Creating SSSD system user & group... adduser: Warning: The home directory `/var/lib/sss' does not belong to the user you are currently

Re: [Freeipa-users] Cleaning Up an Unholy Mess

2016-08-25 Thread Ian Harding
On 08/25/2016 10:41 AM, Rob Crittenden wrote: > Ian Harding wrote: >> >> >> On 08/24/2016 06:33 PM, Rob Crittenden wrote: >>> Ian Harding wrote: I tried to simply uninstall and reinstall freeipa-dal and this happened. It only had a replication agreement with freeipa-sea

Re: [Freeipa-users] Migrate users with password from one IPA to another

2016-08-25 Thread Rob Crittenden
Rene Trippen wrote: Hi, I've got an IPA with a broken CA infrastructure (don't know what happened, but new clients cannot be registered) It is even not possible to setup a new replica. It may be fairly straightforward to getting the CA back up. How is it broken? So, I wanted to setup a

Re: [Freeipa-users] Cleaning Up an Unholy Mess

2016-08-25 Thread Rob Crittenden
Ian Harding wrote: On 08/24/2016 06:33 PM, Rob Crittenden wrote: Ian Harding wrote: I tried to simply uninstall and reinstall freeipa-dal and this happened. It only had a replication agreement with freeipa-sea [root@freeipa-dal ianh]# ipa-server-install --uninstall This is a NON

Re: [Freeipa-users] Slow logins with multi site replication

2016-08-25 Thread Neal Harrington | i-Neda Ltd
> > Hi, > > > > I am experiencing slow logins and sudo authentication for servers joined to > > my FreeIPA domain. I have been following the other recent thread on slow > > logins and believe my issue is different. > > > > I have replication setup with 2 FreeIPA servers at each of 3 sites. The

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
On 08/25/2016 04:41 PM, bahan w wrote: Hello everyone. Could you explain to me about this field Sent/Skipped please ? if replication is enabled all changes on a server are logged into the changelog -changes coming from clients and internal changes (eg memberof update, passwordpolicy

[Freeipa-users] Migrate users with password from one IPA to another

2016-08-25 Thread Rene Trippen
Hi, I've got an IPA with a broken CA infrastructure (don't know what happened, but new clients cannot be registered) It is even not possible to setup a new replica. So, I wanted to setup a new IPA Server with new CA, and I want to move all users with their passwords to the new IPA instance. I've

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
Hello everyone. Could you explain to me about this field Sent/Skipped please ? I checked the doc and found this : ### Sent/Skipped : The number of changes that were sent from the supplier and the number skipped in the replication update. The numbers are kept in suppliers’ memory only and are

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Jakub Hrozek
On Thu, Aug 25, 2016 at 11:30:52AM +0200, Troels Hansen wrote: > Hmm, adding the CentOS SSSD 1.14 copr repo and running yum upgrade, getting a > version 1.14.1, clean cache DB (complaining about cache being old version), I > can getent users, but log log in for no obvious reason (system error in

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
Hmm, adding the CentOS SSSD 1.14 copr repo and running yum upgrade, getting a version 1.14.1, clean cache DB (complaining about cache being old version), I can getent users, but log log in for no obvious reason (system error in secure.log). Downgrading to official RHEL 7.2 SSSD-1.13 restores

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Lukas Slebodnik
On (25/08/16 10:05), Troels Hansen wrote: >Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem > >https://fedorahosted.org/sssd/ticket/2919 > Meanwhile, you can test upstream version https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-14/ LS

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Jakub Hrozek
yes. On Thu, Aug 25, 2016 at 10:05:36AM +0200, Troels Hansen wrote: > Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem > > https://fedorahosted.org/sssd/ticket/2919 > > Am I correct? > > - On Aug 25, 2016, at 9:24 AM, Troels Hansen t...@casalogic.dk wrote: > > >

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-25 Thread Rakesh Rajasekharan
All of the troubleshooting seems fine. However, Running logconv.pl gives me this output - Recommendations - 1. You have unindexed components, this can be caused from a search on an unindexed attribute, or your returned results exceeded the allidsthreshold. Unindexed components are

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
I just noticed that you have many skipped entries, Sent/Skipped: 3 / 9045345 that could be an effect of fractional replication which reiterates the same sequence of changes. This is fixed in recent releases, but looks like you're on RHEL 6.6 Ludwig On 08/24/2016 06:33 PM, bahan w wrote: Hey

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
Hmm, seems waiting for RHEL 7.3 and SSSD 1.14 will solve this problem https://fedorahosted.org/sssd/ticket/2919 Am I correct? - On Aug 25, 2016, at 9:24 AM, Troels Hansen t...@casalogic.dk wrote: > Hmm, sometimes the man page actually helps > > It seems setting

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread Ludwig Krispenz
The replication agreements to the "unsync" master say that update has started, so it looks like the replication connection is active. You need to check the access and error logs of both sides and check if there is replication traffic On 08/24/2016 06:33 PM, bahan w wrote: Hey guys. I performed

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
Hmm, sometimes the man page actually helps It seems setting "default_domain_suffix" to allow users to log in, without the domain part changes use_fully_qualified_names default to true, without the option of setting it false. So, we have two options: - Have users always use their full

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Jakub Hrozek
On Thu, Aug 25, 2016 at 08:42:28AM +0200, Troels Hansen wrote: > Yes and no > > Have tried setting it to both true and false, but doesn't make a huge > difference. > > Current result with "use_fully_qualified_names = false" > > LDAP search from sssd_sudo.log shows SSSD finding a sudo

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-08-25 Thread Troels Hansen
Yes and no Have tried setting it to both true and false, but doesn't make a huge difference. Current result with "use_fully_qualified_names = false" LDAP search from sssd_sudo.log shows SSSD finding a sudo rule... (Thu Aug 25 08:15:27 2016) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-25 Thread bahan w
On 24 Aug 2016 18:42, "bahan w" wrote: > Hey guys. > > I rechecked and in fact I also have the same message on the multi master > setup with one master unsynchronized : > ### > Master: :389 ldap://:389/ > Replica ID: 4 > Replica Root: dc= > Max CSN: