On Fri, Jul 14, 2017 at 09:57:44AM +1200, Patrick McHale via FreeIPA-users
> I have had success with installing the FreeIPA system but I needed to add
> another client in order to reproduce the steps required for
> building a client to authenticate with the server. I
On Fri, Jul 14, 2017 at 02:02:03AM -, patrick.mchale--- via FreeIPA-users
> I am getting an error logging into a FreeIPA server from a new FreeIPA
> client. I have reset the password for the user using "kinit admin" but still
> no joy. Is there another password that is
On Thu, Jul 13, 2017 at 07:22:58PM -, bogusmaster--- via FreeIPA-users
> I've uploaded them here: goo.gl/hiFHKE
[ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
This indicates that the user cannot be found on the server. There are
Apologies for hijacking the thread but you reminded me of a longstanding
issue - I can't manually use kinit on my client nodes. As I operate a jump
server that means I get a ticket on first login but when I log in to other
client systems the ticket gives me entry but doesn't follow me.
On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users wrote:
> Hi Jakub,
> Apologies for hijacking the thread but you reminded me of a longstanding
> issue - I can't manually use kinit on my client nodes. As I operate a jump
> server that means I get a ticket on first login but
I also observed one peculiar thing when it comes to group membership of the
group which is used in my HBAC rule.
When I issue getent group ad_users on the server, I get:
In FreeIPA's web UI, membership looks as follows:
Thanks for that Jakub.
Following a review of the output I've found that this is simply a known
conflict with OTP:
On Fri, Jul 14, 2017 at 9:20 AM Jakub Hrozek wrote:
> On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy
looks like you lost your configuration files dse.ldif and its backup as well
could you check what you have in /etc/dirsrv/slapd-
you can try to copy one of the *dse.ldif* to dse.ldif and try to
restart, but that file may be up to date.
On 07/14/2017 04:22 PM, email--- via FreeIPA-users
On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users
> > Can you do a test on the server by calling
> > id username@ad.domain
> > and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> > well?
> I uploaded these files to the same
We relocated a rack recently across the states and are no longer able to start
sudo ipactl start
Starting Directory Service
Failed to start Directory Service: Command '/bin/systemctl start
dirsrv@IPA-EXAMPLE-COM.service' returned non-zero exit status 1
Thanks a lot for replying,
Yes, your suggestion is working. Doesn't seem that elegant though,
since a partition is mounted several times. However it's practical and I
can't figure out how else it could be done.
From mount stats, the first two are from fstab mount and appears only
from Journal, maybe it's Kerberos issues
Jul 14 12:11:28 server02.ipa.example.com named-pkcs11: Failed to get
initial credentials (TGT) using principal 'DNS/server02.ipa.example.com' and
keytab 'FILE:/etc/named.keytab' (Cannot contact any KDC for realm
Copied over the dse.ldif.startOK to dse.ldif and it started. Thank You,
Cc: "Ludwig Krispenz"
Sent: Friday, July 14, 2017 10:35:55 AM
> On Fri, Jul 14, 2017 at 10:00:20AM -, bogusmaster--- via FreeIPA-users
> yes, but I think this is only a side effect. SSSD cannot resolve a
> global catalog server. Does
> dig SRV _gc._tcp.td.mydomain.com
> return anything when called on the IPA server?
I'm not sure when the last time this service was running/working, any ideas are
IPA Version: ipa-server-4.4.0-14.el7.centos.7.x86_64
[1/8]: saving configuration
[2/8]: disabling listeners
[3/8]: enabling DS global lock
The only thing I would be interested in knowing is if there is a
performance penalty to mounting NFS locally. Ideally, it should be smart
enough to know that, but I'm not sure if it is.
On 14 Jul 2017 6:08 pm, "Petros Triantafyllidis" wrote:
> Thanks a lot for replying,
Prasun Gera via FreeIPA-users
> The only thing I would be interested in knowing is if there is a
> performance penalty to mounting NFS locally. Ideally, it should be smart
> enough to know that, but I'm not sure if it is.
On my NFS server /home is a
On 07/13/2017 09:57 PM, Fraser Tweedale wrote:
OK, I think I understand.
ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
set up with a certificate issued by the IPA CA, which your browser
does not trust.
There are two ways forward here:
1. You can use