Re: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-15 Thread Lukas Slebodnik
On (13/05/17 06:52), Harald Dunkel wrote: >Hi folks, > >RHEL 7.3, sssd 1.14.0: > >If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail >(without telling why) and users cannot login. *Extremely* painful. > >Do you think ipa-client-install could add > > selinux_provider = none

[Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-12 Thread Harald Dunkel
Hi folks, RHEL 7.3, sssd 1.14.0: If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail (without telling why) and users cannot login. *Extremely* painful. Do you think ipa-client-install could add selinux_provider = none to the generated sssd.conf file, if selinux is di

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-09 Thread Harald Dunkel
On 03/05/17 11:47, Timo Aaltonen wrote: > > pam-auth-update configures pam, there's nothing else to be configured.. > I just ran ipa-client-install on Ubuntu zesty with freeipa-client > 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine: > > services = nss, sudo, pam, ssh > >

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-05 Thread Timo Aaltonen
On 03.03.2017 16:53, Rob Crittenden wrote: > Harald Dunkel wrote: >> On 03/03/17 10:14, Jakub Hrozek wrote: >>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: This is systemd-only? Wouldn't it be better to create a working sssd.conf, no matter what? >>> >>>

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Rob Crittenden
Harald Dunkel wrote: > On 03/03/17 10:14, Jakub Hrozek wrote: >> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: >>> >>> This is systemd-only? >>> >>> Wouldn't it be better to create a working sssd.conf, no matter >>> what? >> >> It is up to whoever is creating the sssd.conf. As I sa

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
On 03/03/17 10:14, Jakub Hrozek wrote: > On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: >> >> This is systemd-only? >> >> Wouldn't it be better to create a working sssd.conf, no matter >> what? > > It is up to whoever is creating the sssd.conf. As I said, the change is > backwards-

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: > Hi Jakub, > > On 03/03/17 09:32, Jakub Hrozek wrote: > > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > >> Hi folks, > >> > >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on > >> Debian Stretch > > ~~

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
Hi Jakub, On 03/03/17 09:32, Jakub Hrozek wrote: > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: >> Hi folks, >> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on >> Debian Stretch > ~~ > This is important I guess. > > Since SSSD 1.15, SSSD allows to socket-act

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote: > Hi folks, > > running freeipa client 4.3.2-5 and sssd 1.15.0-3 on > Debian Stretch ~~ This is important I guess. Since SSSD 1.15, SSSD allows to socket-activate the services, so it is no longer required to have them ex

[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-02 Thread Harald Dunkel
Hi folks, running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian Stretch ipa-client-install creates a bad sssd.conf file, e.g. [domain/example.com] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = example.com id_provider = ip

Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob. For reference, my full log can be found here: http://pastebin.com/6VLaQjYw But I would postulate that the interesting bit is this: > 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > ;; flags:; ZONE: 0, PR

Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Rob Crittenden
Tyrell Jentink wrote: First off... new to the list, thank you in advance for your assistance! My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust s

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off... new to the list, thank you in advance for your assistance! My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with a Windows S

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Rakesh Rajasekharan
thanks for the inputs.. the issue was with my network, I was able to resolve it adding in the NETWORKING_IPV6=no in /etc/sysconfig/network possibly it was using IPv6 resolution and that was failing On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek wrote: > On 27.7.2016 19:29, Rakesh Rajasekhara

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Petr Spacek
On 27.7.2016 19:29, Rakesh Rajasekharan wrote: > Hi, > > I am running ipa server 4.2 and set it up without using "--setup-dns=no". > > On few clients the installation fails with the below error message. > > > I verified that the ipa master dns is resolvable. Not sure what could be > wrong here.

[Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-27 Thread Rakesh Rajasekharan
Hi, I am running ipa server 4.2 and set it up without using "--setup-dns=no". On few clients the installation fails with the below error message. I verified that the ipa master dns is resolvable. Not sure what could be wrong here.. Joining realm failed: libcurl failed to execute the HTTP POST

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Rob Crittenden
rom:* Rob Crittenden *Sent:* 05 July 2016 18:01 *To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query Neal Harrington | i-Neda Ltd wrote: Hi, I have successfully installed FreeIPA server version

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Neal Harrington | i-Neda Ltd
m sure I'd already tried this several times. Thanks again, Neal. From: Rob Crittenden Sent: 05 July 2016 18:01 To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Rob Crittenden
Neal Harrington | i-Neda Ltd wrote: Hi, I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc a

[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Neal Harrington | i-Neda Ltd
Hi, I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc and overall I'm very happy. I have

Re: [Freeipa-users] ipa-client-install

2016-06-10 Thread Martin Basti
On 09.06.2016 22:36, David Zabner wrote: Occasionally in our system we will see a failure in ipa-client-install script and the cleanup will leave around the host in ipa. This means that all future client installs fail because the host already exists. Is there any way to make sure that failure

[Freeipa-users] ipa-client-install

2016-06-09 Thread David Zabner
Occasionally in our system we will see a failure in ipa-client-install script and the cleanup will leave around the host in ipa. This means that all future client installs fail because the host already exists. Is there any way to make sure that failures cause the host to be cleaned up? Is ther

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
, 2016 4:16 PM To: Gady Notrica Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors On (20/04/16 20:10), Gady Notrica wrote: >[root@cd-s-prd-db1 krb5.include.d]# ls -l > >-rw-r--r--. 1 root root 224 Apr

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Lukas Slebodnik
On (20/04/16 20:10), Gady Notrica wrote: >[root@cd-s-prd-db1 krb5.include.d]# ls -l > >-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca > >-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin > > > >[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca > ># Ge

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
;> > /Failed to list certificates in /etc/ipa/nssdb: Command >> >> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> >> > exit status 255/ >> >> This is unrelated to the enro

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
hat is configured must be bad in some way. The log will tell how. rob Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install error

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:52 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
he log will tell how. rob Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote: > Thank you guys

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
erver = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM [root@prddb1]# Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re:

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
g client Kerberos and LDAP configurations Gady Notrica -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica Sent: April 20, 2016 2:12 PM To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-us

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
edhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica Sent: April 20, 2016 2:12 PM To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Any specific command in particular to remove that keytab? Since these don

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady, On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote: > Any specific command in particular to remove that keytab? > > Since these don't work > > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > Kerberos context initialization failed > [root@prddb1 /]# ipa-rmkeytab -p ld

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
ntext initialization failed [root@cprddb1 /]# Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 1:59 PM To: Martin Basti; Gady Notrica; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Martin Basti wrote: > > > On 20

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Martin Basti wrote: On 20.04.2016 18:00, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authe

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to remove anything in the file. Gady From: Martin Basti [mailto:mba...@redhat.com] Sent: April 20, 2016 12:50 PM To: Gady Notrica; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
: [Freeipa-users] ipa-client-install errors On 04/20/2016 06:00 PM, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log Gady -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky Sent: April 20, 2016 1:04 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors On

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
On 04/20/2016 06:00 PM, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed: kin

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Basti
On 20.04.2016 18:00, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed: k

[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed: kinit: Improper format of Kerberos configuration

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-21 Thread Martin Kosek
On 01/21/2016 02:29 PM, bahan w wrote: > Hello Martin. > > Thank you for your answer. Adding freeipa-users list back, so that others can follow the thread. > Excuse me for my ignorance, but may you tell me how the bug and resolution > work for FreeIPA ? This is probably not something that would

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 05:55 PM, bahan w wrote: > Ah sorry, for security reasons I didn't want to put the original name and I > made a mistake. > > Here we are, for the confusing lines : > ### > Assuming realm is the same as domain: > Generated basedn from realm: dc= > Discovery result: NO_ACCESS_TO_LDAP;

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I made a mistake. Here we are, for the confusing lines : ### Assuming realm is the same as domain: Generated basedn from realm: dc= Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=dc= Validated s

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 04:03 PM, bahan w wrote: > Re Martin. > > Here we are for the ipaclient-install.log : > > ### > 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with > options: {'domain': '', 'force': False, 'realm_name': > '', 'krb5_offline_passwords': True, 'primary': False, 'm

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin. Here we are for the ipaclient-install.log : ### 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '', 'force': False, 'realm_name': '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd': Fal

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
Adding freeipa-users back, so that others can benefit from the answer. Can you please attach a full ipaclient-install.log DEBUG log somewhere so that we can get the full context of the bug? You may also want to open a RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only maint

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 12:08 PM, bahan w wrote: > Hello ! > > I send you this mail because of the following topic. > > I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous > access for security reasons. > > But now, I have a problem when I try to enroll a new host. > > Here is the comma

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello ! I send you this mail because of the following topic. I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous access for security reasons. But now, I have a problem when I try to enroll a new host. Here is the command I try : ### ipa-client-install --domain= --realm= --serv

Re: [Freeipa-users] ipa-client-install error

2015-09-28 Thread ladanyi
Hi Bahan, Hey. Try to remove the cert file in /etc/ipa of this client. And then retry. this was perfect :-) Thank you. Best regards. Bahan Andy Hi, I want to install ipa client: ipa-client-install -d I get the following error: Verifying that "MyFreeIPA Server" (realm None) is a

[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi, I want to install ipa client: ipa-client-install -d I get the following error: Verifying that "MyFreeIPA Server" (realm None) is an IPA server Init LDAP connection to: "MyFreeIPA Server" Error checking LDAP: Connect error: TLS error -8054:You are attempting to import a cert with the same iss

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-15 Thread Jan Pazdziora
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote: > On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > > wrote: > > > > > on a centos 7.1 host when enrolling it with (among other) the switch > > > --request-cert it doe

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-15 Thread Petr Spacek
On 15.9.2015 03:29, Nathan Peters wrote: > I think it was not having dynamic updates enabled for the reverse zone. I Yes, that is it. See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/SyncPTR for more details. > enabled those and PTR sync on both the forward and reverse and now it seems to

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone. I enabled those and PTR sync on both the forward and reverse and now it seems to be working for a new client that I joined. What I'm not clear on at this point is why that is not a default setting. I know at some point I

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > > > on a centos 7.1 host when enrolling it with (among other) the switch > > --request-cert it does not create a host certificate for it. The host is > > properly joined but

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti
Hi, can you check the journalctl -u named(-pkcs11) on server, there might be errors why PTR record has not been added. Do you have enabled dynamic updates for the reverse zone? Martin On 09/12/2015 10:42 PM, Youenn PIOLET wrote: Hi, I've seen the same issue recently on various clients using

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-13 Thread Martin Kosek
On 09/12/2015 03:14 PM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo > wrote: > >> hi, >> >> on a centos 7.1 host when enrolling it with (among other) the switch >> --request-cert it does not create a host certificate for it. The host is >> properly joined but not certif

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-13 Thread Youenn PIOLET
Hi, I've seen the same issue recently on various clients using ipa 3.3 and ipa 4.* during the first join on a clean OS. Can't confirm it was working before. Is it normal behavior? Allow PTR sync is enabled. Cheers, On 12 Sept. 2015 7:44 AM, "Nathan Peters" wrote: > > On 9/11/2015 10:32 AM,

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo wrote: > hi, > > on a centos 7.1 host when enrolling it with (among other) the switch > --request-cert it does not create a host certificate for it. The host is > properly joined but no certificate is present. > > In the ipaclient-install.log file

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi, on a centos 7.1 host when enrolling it with (among other) the switch --request-cert it does not create a host certificate for it. The host is properly joined but no certificate is present. In the ipaclient-install.log file I see this: 2015-09-12T09:34:02Z ERROR certmonger request for host

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Nathan Peters
On 9/11/2015 10:32 AM, Simo Sorce wrote: On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote: I have been trying to figure this out for a while now but when I join a machine to FreeIPA, the installer properly creates forward DNS entries, and DNSSSHFP entries, but does not create rever

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Simo Sorce
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote: > I have been trying to figure this out for a while now but when I join a > machine to FreeIPA, the installer properly creates forward DNS > entries, and DNSSSHFP entries, but does not create reverse entries. > Without the PTR records,

[Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread nathan
I have been trying to figure this out for a while now but when I join a machine to FreeIPA, the installer properly creates forward DNS entries, and DNSSSHFP entries, but does not create reverse entries. Without the PTR records, kerberos logins are always failing on these machines. The reverse zon

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
Thanks for update. Adding mailing list back, to be aware of the results. Given this description, I wonder if this is hitting https://bugzilla.redhat.com/show_bug.cgi?id=1201454 that is planned to be fixed in next RHEL-6 minor version. On 06/03/2015 10:46 AM, bahan w wrote: > Hello again. > > The

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote: > Hello ! > > I send you this mail because I have a problem linked with SSH and FreeIPA. > > I have multiple servers : > - One with FreeIPA server 3.0.0-26 > - The others with FreeIPA client 3.0.0-26 > > They are running on RHEL 6.4. > > I configured a roo

[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello ! I send you this mail because I have a problem linked with SSH and FreeIPA. I have multiple servers : - One with FreeIPA server 3.0.0-26 - The others with FreeIPA client 3.0.0-26 They are running on RHEL 6.4. I configured a root user on each of them. On one specific server, I created an

Re: [Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Alexander Bokovoy
On Sat, 16 May 2015, Günther J. Niederwimmer wrote: Hello, When I install an IPA client (Centos 7.1) I have this Error in the log. freeipa ERROR certmonger request for host certificate failed Is there a way to become this Certificate back? I am nearly new on freeIPA and have much problems :-(

[Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Günther J . Niederwimmer
Hello, When I install an IPA client (Centos 7.1) I have this Error in the log. freeipa ERROR certmonger request for host certificate failed Is there a way to become this Certificate back? I am nearly new on freeIPA and have much problems :-(. Thanks for the help, -- With kind regards

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Gokulnath
Quick question, if you have used Deion for ldap and Sudo, are all connections through Kerberos ? And all client and registered hosts will be in the same domain ? Gokul Sent from iPhone > On Mar 29, 2015, at 12:14 PM, Yogesh Sharma wrote: > > Thanks Gonzalo. Appreciate your help here, Let me

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Yogesh Sharma
Thanks Gonzalo. Appreciate your help here, Let me try this. *Best Regards,__* *Yogesh Sharma* *Email: yks0...@gmail.com | Web: www.initd.in * RHCE, VCE-CIA, RackSpace Cloud U

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-28 Thread Gonzalo Fernandez Ordas
Yogesh you do not need to explain me anything. Most people around here are on the same boat and working on this stuff already for quite awhile. I forgot to mention this is for a PROPER sssd run, still you will need all those below as you will get some issues sorted (specially sudo related)

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Gonzalo, We have some running servers on Amazon Linux and it would be difficult to migrate all those to CentOS or RHEL as of now. Hence If you can provide the package's version then it would really help us till the time we do migration. For sure all over new Servers are going to be CentOS or RHEL

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Gonzalo Fernandez Ordas
Yogesh My personal experience using AWS Linux and LDAP is not a good one and mostly an utter nightmare in relation to packages. Personally I would recommend you to keep away from AWS Linux and get a Centos, Fedora or Redhat. Still, if you want to go ahead, I can give you the right versions for

[Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Hello, Is there any repo available for Amazon Linux to install IPA Client OR below is the only way to do as found from freeipa-user mail archive. http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html Thanks for the help. *Best Regards,___

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to get a DNS record for any of the clients is why the user can't ssh into the clients. Thanks for the help, everyone! thx anthony On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden wrote: > Anthony Lanni wrote: > > I'm refe

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote: > I'm referring to the host certificate; I was looking at the web UI, > under Identity->Hosts in the server details page. The Host Certificate > section says 'No Valid Certificate'. > The server has a /etc/krb5.keytab file, and on the same page the > Enrollment section says 'Ke

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under Identity->Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says 'Kerberos Key Present, Host Provis

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote: > kinit USER works perfectly; but I can't ssh into the client machine from > the server without it requesting a password. > > I think this is a DNS issue, actually. The server isn't resolving the name > of the client, so I'm ssh'ing with the IP address,

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password. I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and that's not going to work since it's not in the Ker

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that "kinit USER" done on server fails? With what error? On 03/26/2015 05:28 PM, Anthony Lanni wrote: > great, thanks. > > On a related note: the server still doesn't get a (client) kerberos ticket, > which means I can't kinit as a user and then log

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however. thx anthony On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek wrote: > Ok,

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the keyutils dependency fixed anyway :-) Martin On 03/25/2015 06:59 PM, Anthony Lanni wrote: > keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I > reinstalled keyutils and then ran the ipa-server-insta

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I reinstalled keyutils and then ran the ipa-server-install again, and this time it completed without error. Thanks very much, Martin and Dmitri! thx anthony On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek wrote: > On 03/25/20

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote: > On 03/24/2015 09:17 PM, Anthony Lanni wrote: >> While running ipa-server-install, it's failing out at the end with an error >> regarding the client install on the server. This happens regardless of how I >> input the options, but here's the latest command

Re: [Freeipa-users] ipa-client-install failure

2015-03-25 Thread Martin Kosek
On 03/24/2015 02:49 PM, Dmitri Pal wrote: > On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: >> Hi there, >> >> All the issues I reported in this long thread are SOLVED. > > Thanks for closing the loop. Indeed! > >> For completeness, I'm posting here the conclusions. >> >> ipa-client-install d

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:17 PM, Anthony Lanni wrote: While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N --idstart=10

[Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Anthony Lanni
While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a pa

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
On 24 March 2015 at 14:49, Dmitri Pal wrote: > On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: > > Hi there, > > All the issues I reported in this long thread are SOLVED. > > > Thanks for closing the loop. > > For completeness, I'm posting here the conclusions. > > ipa-client-install did en

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: Hi there, All the issues I reported in this long thread are SOLVED. Thanks for closing the loop. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $ ipa-client-install

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
Hi there, All the issues I reported in this long thread are SOLVED. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd [...] Synchronizing time with KDC... Unable

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Thank you, dump sent privately On 23 March 2015 at 13:33, Petr Spacek wrote: > On 23.3.2015 12:33, Roberto Cornacchia wrote: > > OK, thanks. > > That would be "Dynamic updates", right? Then it is enabled. > > > > $ ipa dnszone-show --all > > Zone name: hq.example.com > > dn: idnsname=hq.exampl

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 12:33, Roberto Cornacchia wrote: > OK, thanks. > That would be "Dynamic updates", right? Then it is enabled. > > $ ipa dnszone-show --all > Zone name: hq.example.com > dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com > Zone name: hq.example.com. > Active zone: TRUE >

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
OK, thanks. That would be "Dynamic updates", right? Then it is enabled. $ ipa dnszone-show --all Zone name: hq.example.com dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com. Active zone: TRUE Authoritative nameserver: ipa.hq.example.com. Administrator

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Martin Basti
On 23/03/15 12:19, Roberto Cornacchia wrote: BTW, shouldn't named.conf contain an "allow-update" statement? Mine doesn't. Or is this managed differently? It is not needed. bind-dyndb-ldap plugin overrides this configuration, you just need to enable updates in IPA zone setting. Martin On 23

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
BTW, shouldn't named.conf contain an "allow-update" statement? Mine doesn't. Or is this managed differently? On 23 March 2015 at 12:16, Roberto Cornacchia wrote: > > > On 23 March 2015 at 10:35, Petr Spacek wrote: > >> On 23.3.2015 10:21, Roberto Cornacchia wrote: >> > About the DNS update, th

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
On 23 March 2015 at 10:35, Petr Spacek wrote: > On 23.3.2015 10:21, Roberto Cornacchia wrote: > > About the DNS update, this is what the debug log has to say: > > > > Found zone name: hq.example.com > > The master is: ipa.hq.example.com > > start_gssrequest > > Found realm from ticket: HQ.EXAMPLE

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 10:21, Roberto Cornacchia wrote: > About the DNS update, this is what the debug log has to say: > > Found zone name: hq.example.com > The master is: ipa.hq.example.com > start_gssrequest > Found realm from ticket: HQ.EXAMPLE.COM > send_gssrequest > *; Communication with 192.168.0.72#5

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
About the DNS update, this is what the debug log has to say: Found zone name: hq.example.com The master is: ipa.hq.example.com start_gssrequest Found realm from ticket: HQ.EXAMPLE.COM send_gssrequest *; Communication with 192.168.0.72#53 failed: operation canceled* *Reply from SOA query:* ;; ->>HE

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Dmitri, Rob, Jakub, I found at least one of the major problems: chronyd. This is what I get when I use ipa-client-install on a plain FC21 machine, *without* using --force-ntpd WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled Use -

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Jakub Hrozek
On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote: > Thanks Rob. > > Knowing that /etc/nsswitch.conf is created wrongly is a step forward, > although we don't know why that happens yet. > I'm not very keen on fixing it post-installation (except if this is just to > learn more abou

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Dmitri Pal
On 03/22/2015 11:24 AM, Roberto Cornacchia wrote: Thanks Rob. Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about the issue), even if this
