Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Roberto Cornacchia
> dev="dm-0" ino=731584 scontext=system_u:system_r:named_t:s0 > > tcontext=unconfined_u:object_r:ipa_var_lib_t:s0 tclass=file permissive=1 > > > > time->Fri Jul 22 04:17:44 2016 > > type=AVC msg=audit(1469153864.757:709): avc: denied { lock } for > pid=1161

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
/ total 12 -rwxrwx---. 1 ods named unconfined_u:object_r:ipa_var_lib_t:s0 30 Jul 21 22:50 softhsm_pin* drwxrws---. 3 ods named unconfined_u:object_r:ipa_var_lib_t:s0 4096 Jul 21 22:50 tokens/ On 21 July 2016 at 23:11, Roberto Cornacchia <roberto.cornacc...@gmail.com> wrote: > -

[Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-21 Thread Roberto Cornacchia
- FC23 - IPA 4.2.4 After a dnf update, bind was updated (no ipa updates), and named-pkcs11 doesn't start anymore. $ /usr/sbin/named-pkcs11 -d 9 -g 21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g 21-Jul-2016 23:08:50.332 built with

[Freeipa-users] Unspecified GSS failure. No credentials cache found

2015-11-23 Thread Roberto Cornacchia
Hi there, Although I can't see anything failing, the logs of all clients in my IPA domain (FC22, freeipa 4.1.4) contain lots of these failures every day: nov 23 10:43:34 hadron.hq.example.com gssproxy[742]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more

[Freeipa-users] ssh_exchange_identification: Connection closed by remote host

2015-08-28 Thread Roberto Cornacchia
Hi, I have two hosts, photon and hadron, and an LDAP user roberto. The user can login successfully on both machines. The SSH pub key is uploaded. Running sss_ssh_authorizedkeys roberto from both clients returns the same key. Port 22 is open on both clients, sshd is running on both clients. On

[Freeipa-users] LDAP user as client administrator

2015-08-21 Thread Roberto Cornacchia
In Fedora, adding a local user to the group wheel makes it administrator on that machine. In Gnome, you see this as the distinction between a Normal and an Administrator account. If the user is an LDAP user, how do we achieve the same? -- Manage your subscription for the Freeipa-users mailing

Re: [Freeipa-users] Kerberized NFS with Synology NAS

2015-08-20 Thread Roberto Cornacchia
there? On 13 August 2015 at 16:34, Alexander Bokovoy aboko...@redhat.com wrote: On Thu, 13 Aug 2015, Roberto Cornacchia wrote: After some more investigation, I feel the problem I described can be considered off topic, sorry about that. Initially I had the impression it could have been more freeIPA

Re: [Freeipa-users] Kerberized NFS with Synology NAS

2015-08-20 Thread Roberto Cornacchia
aboko...@redhat.com wrote: On Thu, 20 Aug 2015, Roberto Cornacchia wrote: I had Synology support inspect my configuration. They said that the authorization for the mapping looks for attribute GSSAuthName in LDAP, but doesn't find it. Therefore, they fall back to mapping it to nobody. Does

Re: [Freeipa-users] Kerberized NFS with Synology NAS

2015-08-13 Thread Roberto Cornacchia
user in Synology. But that's not how I want it. - Problem with all this is: no matter how I change these files, the next time I would save something from the Synology UI, these files would be overwritten. Frustrating :( On 12 August 2015 at 13:33, Roberto Cornacchia roberto.cornacc...@gmail.com

Re: [Freeipa-users] Kerberized NFS with Synology NAS

2015-08-12 Thread Roberto Cornacchia
.hq.spinque.com On 12 August 2015 at 02:46, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Hi, I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now). I got almost everything working, but I seem to have

Re: [Freeipa-users] Kerberized NFS with Synology NAS

2015-08-12 Thread Roberto Cornacchia
Enabled verbose output for rpc.idmapd as well, and now I see: nfsidmap[5034]: nss_getpwnam: name 'test1_l@localdomain' does not map into domain 'hq.spinque.com' On 12 August 2015 at 12:28, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: I have used RPCGSSDARGS=-vvv RPCSVCGSSDARGS

[Freeipa-users] Kerberized NFS with Synology NAS

2015-08-11 Thread Roberto Cornacchia
Hi, I am trying to use a Synology NAS station in my FreeIPA domain to host automounted home directories (not created automatically for now). I got almost everything working, but I seem to have a problem with kerberized nfs. The NAS logs in the LDAP domain and seems happy with the kerberos

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-01 Thread Roberto Cornacchia
I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process. Roberto On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote: Hi all, I want to setup freeipa 4.1.3 on a freshly installed fedora 21. The

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-01 Thread Roberto Cornacchia
:38 PM, Roberto Cornacchia wrote: I had this error during my first installation. It turned out the problem was that port 8443 was already used by another process. Roberto On 31 March 2015 at 19:54, Markus Roth mar...@die5roths.de wrote: Hi all, I want to setup freeipa 4.1.3

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
thank you for the many useful answers I received! Best, Roberto On 23 March 2015 at 10:07, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Dmitri, Rob, Jakub, I found at least one of the major problems: chronyd. This is what I get when I use ipa-client-install on a plain FC21 machine

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
On 24 March 2015 at 14:49, Dmitri Pal d...@redhat.com wrote: On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: Hi there, All the issues I reported in this long thread are SOLVED. Thanks for closing the loop. For completeness, I'm posting here the conclusions. ipa-client-install

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Thank you, dump sent privately On 23 March 2015 at 13:33, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 12:33, Roberto Cornacchia wrote: OK, thanks. That would be Dynamic updates, right? Then it is enabled. $ ipa dnszone-show --all Zone name: hq.example.com dn: idnsname

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
BTW, shouldn't named.conf contain an allow-update statement? Mine doesn't. Or is this managed differently? On 23 March 2015 at 12:16, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 10:21, Roberto

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 10:21, Roberto Cornacchia wrote: About the DNS update, this is what the debug log has to say: Found zone name: hq.example.com The master is: ipa.hq.example.com start_gssrequest Found realm from ticket

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
: TRUE Allow query: any; Allow transfer: none; Allow PTR sync: FALSE nsrecord: ipa.hq.example.com. objectclass: idnszone, top, idnsrecord On 23 March 2015 at 12:27, Martin Basti mba...@redhat.com wrote: On 23/03/15 12:19, Roberto Cornacchia wrote: BTW, shouldn't named.conf contain

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
: On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote: Thanks Rob. Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
at 10:07, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Dmitri, Rob, Jakub, I found at least one of the major problems: chronyd. This is what I get when I use ipa-client-install on a plain FC21 machine, *without* using --force-ntpd WARNING: ntpd timedate synchronization service

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Roberto Cornacchia
, but could any of the latest FC updates have created the issue? Roberto On 21 March 2015 at 17:26, Rob Crittenden rcrit...@redhat.com wrote: Roberto Cornacchia wrote: Hi Rob, Yes, sssd is running and this is sssd.conf: [domain/hq.example.com http://hq.example.com] debug_level=9

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
rcrit...@redhat.com wrote: Roberto Cornacchia wrote: Indeed, id admin does not work and there is no sign of it in the log. From the client (with admin-tools installed): $ kinit admin Password for ad...@hq.example.com mailto:ad...@hq.example.com: $ ipa user-show admin User login

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
...@redhat.com wrote: On 03/20/2015 07:40 PM, Roberto Cornacchia wrote: Two log files in attachment (the other files in /var/log/sssd are all empty). I'll also go through the troubleshooting page again, thanks Do the logs include an id call for admin? I do not see any instance of the word admin

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
netgroup: files publickey: nisplus automount: files aliases:files nisplus sudoers: files sss On 21 Mar 2015 01:06, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 07:56 PM, Roberto Cornacchia wrote: From https://fedorahosted.org/sssd/wiki/Troubleshooting, I see that invoking getent should

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
53/udp 8082/tcp masquerade: no forward-ports: icmp-blocks: rich rules: On 20 March 2015 at 00:53, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:04 PM, Roberto Cornacchia wrote: Yes. [root@meson ~]# cat /etc/resolv.conf search hq.example.com nameserver 192.168.0.72 Sorry

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Ah, I see, I had forgotten to enable debug in the nss section. Here is its log. On 21 March 2015 at 00:40, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Two log files in attachment (the other files in /var/log/sssd are all empty). I'll also go through the troubleshooting page again

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
log On 21 March 2015 at 00:51, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Ah, I see, I had forgotten to enable debug in the nss section. Here is its log. On 21 March 2015 at 00:40, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Two log files in attachment (the other files

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
for hq.example.zone? You can check it in zone settings. Are there any log entries in dns log related to nsupdate executed from a client? $ journalctl -b -u named-pkcs11 On 20/03/15 09:53, Roberto Cornacchia wrote: It seems so: $ firewall-cmd --list-all FedoraServer (default, active

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
PM, Roberto Cornacchia wrote: But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. Are these VMs? There has been a similar case when the network was not set properly for the virtual test environment. On 20 March 2015

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
But the ipa server itself is also enrolled as a client, just after the server installation, right? And that worked fine. On 20 March 2015 at 18:55, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
=photon.hq.example.com And then it behaves precisely like the previous client. So something seems wrong in the server. On 20 March 2015 at 18:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: Update: I tried from another client. Also FC21, same network, same settings from the same DHCP. But obviously

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
Update: I tried from another client. Also FC21, same network, same settings from the same DHCP. But obviously it must have something different because it partially succeeded. - I do not get errors about LDAP users. - I do not get errors about DNS update However: - I still get the initial error

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
No, sorry about the confusion, I shouldn't have posted so quickly. When I use the correct domain (hq.example.com), then I really get all the same errors as before, also in the new client. On 20 Mar 2015 18:39, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 01:25 PM, Roberto Cornacchia

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
ipv6 re-enabled. No luck yet :( On 20 March 2015 at 17:06, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 10:56 AM, Roberto Cornacchia wrote: The zone settings: $ ipa dnszone-show --all Zone name: hq.example.com. dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
for the ipa server itself. On 20 March 2015 at 20:24, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 02:48 PM, Roberto Cornacchia wrote: No, all real machines. I'm really sorry it's taking so much of your time. I had tried almost everything on a VM setting first, and everything was fine

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
SSSD logs are empty so far. Isn't sssd.conf written by ipa-client-install? If I raise the debug level after client installation, what activities do you suggest to attempt from the client? On 20 March 2015 at 22:37, Dmitri Pal d...@redhat.com wrote: On 03/20/2015 05:28 PM, Roberto Cornacchia

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia wrote: Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
posted (all about freeIPA) and never really answered. Best, Roberto On 19 March 2015 at 19:36, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 05:29 AM, Roberto Cornacchia wrote: On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote: On 03/06/2015 10:56 AM, Roberto Cornacchia

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
creation is out of the game, doesn't it? That's what I find confusing. What's the recommended way? On 19 March 2015 at 20:49, Dmitri Pal d...@redhat.com wrote: On 03/19/2015 02:46 PM, Roberto Cornacchia wrote: Hi Dmitri, I do realise my question is borderline and I accept

[Freeipa-users] ipa-client-install failure

2015-03-19 Thread Roberto Cornacchia
Hi, This should really work like a charm, and I'm sure it is a stupid mistake of mine if it doesn't, but I really can't find out what goes wrong. Both IPA server and client are on FC21, very up to date. Server installation (standard, with dns) worked well. Required ports open in the firewall.

Re: [Freeipa-users] Synology DSM5 and freeIPA

2015-03-19 Thread Roberto Cornacchia
Thanks, Jakub. On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote: On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: It's possible that I'm simply not getting the point, or that I don't understand the documentation correctly

Re: [Freeipa-users] ipa-client-install failure

2015-03-19 Thread Roberto Cornacchia
[root@meson ~]# dig ipa.hq.spinque.com humph, sorry about the confusion, I missed one in my anonymisation step... that would be dig ipa.hq.example.com

Re: [Freeipa-users] ipa-client-install failure

2015-03-19 Thread Roberto Cornacchia
...@redhat.com wrote: On 03/19/2015 04:46 PM, Roberto Cornacchia wrote: Hi, This should really work like a charm, and I'm sure it is a stupid mistake of mine if it doesn't, but I really can't find out what goes wrong. Both IPA server and client are on FC21, very up to date. Server installation

Re: [Freeipa-users] DNS forwarders

2015-03-17 Thread Roberto Cornacchia
I see. Peter, Martin, thanks for the explanation. My worry was that something went wrong in my reinstallation, glad to hear it is not the case. Roberto On 17 Mar 2015 14:51, Petr Spacek pspa...@redhat.com wrote: On 17.3.2015 14:06, Martin Basti wrote: On 17/03/15 13:32, Roberto Cornacchia

[Freeipa-users] DNS forwarders

2015-03-17 Thread Roberto Cornacchia
Hi there, I've just installed freeIPA on a FC21 server and am trying to perform some sanity checks. A first puzzle for me is: I have some DNS forwarders, which I selected during installation. They do work and they do appear in /etc/named.conf forward first; forwarders {

[Freeipa-users] Synology DSM5 and freeIPA

2015-03-06 Thread Roberto Cornacchia
Hi there, I'm planning to deploy freeIPA on our lan. It's small-ish and completely based on FC21, so I expect everything to work like a charm. Except one detail. We have Synology NAS station, which uses DSM 5.0. The ideal plan is to use it as host for shared NFS home dirs once we switch our

Re: [Freeipa-users] basic question on DNS configuration

2015-02-04 Thread Roberto Cornacchia
, Craig White wrote: *From:* freeipa-users-boun...@redhat.com [ mailto:freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com] *On Behalf Of *Roberto Cornacchia *Sent:* Tuesday, February 03, 2015 5:20 AM *To:* freeipa-users@redhat.com *Subject:* [Freeipa-users] basic question on DNS

[Freeipa-users] basic question on DNS configuration

2015-02-03 Thread Roberto Cornacchia
Hi guys, I can't wait to get freeIPA installed in our small enterprise, but I'd first like to get a couple of basic things straight. My first doubt is about the DNS configuration. Currently, we use a setting that I guess is rather common for small enterprises: We own an example.com domain which