[Freeipa-users] ipa-replica-install - unable to establish replication

2017-07-28 Thread Patrick Hemmer via FreeIPA-users
I'm trying to set up a FreeIPA replica on 4.5.2 and the ipa-replica-install script dies with:
[27/40]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 14 seconds elapsed [ldap://fll2aipa01stg.ipa-stg.chewy.net:389]

[Freeipa-users] Re: [Freeipa-users] Re: nsds5ReplConflict: missingEntry

2017-07-28 Thread Ludwig Krispenz via FreeIPA-users
On 07/28/2017 03:25 PM, email--- via FreeIPA-users wrote: I have no idea what that means, cn=servers has child objects that do exist on both servers. Is there a way to force replicate from another node and overwrite all local conflicts. the conflicts arise by replication as I tried to

[Freeipa-users] Re: [Freeipa-users] Re: nsds5ReplConflict: missingEntry

2017-07-28 Thread email--- via FreeIPA-users
I have no idea what that means, cn=servers has child objects that do exist on both servers. Is there a way to force replicate from another node and overwrite all local conflicts. From: "freeipa-users" To: "freeipa-users"

[Freeipa-users] Errors in enrolling Ubuntu 14.04 Client to FreeIPA

2017-07-28 Thread Alka Murali via FreeIPA-users
I Cannot enrol and do the ipa-client-install on Ubuntu 14.04 to IPA Server (4.4). My IPA Server is having third party certificates for HTTP/LDAP. I have installed it using the suggestions in https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP Other version of Ubuntu like 16.04

[Freeipa-users] 5 bad replicas, can't remove, need these clean before I can re-add secondary replicas.

2017-07-28 Thread email--- via FreeIPA-users
Unable to remove any of these bad
ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 7} 585aae3e001a0007 585aae3e001a0007
unable to decode: {replica 8} 586520c8000f0008 586520c8000f0008
unable to decode: {replica 11} 58862e450004000b

[Freeipa-users] ipa-client-install using AD/ad_admin credentials

2017-07-28 Thread Steve Weeks via FreeIPA-users
We want to let AD admins install new linux FreeIPA clients using their AD credentials. It looks like it fails using kinit in the script. If you run kinit 'AD\ad_admin' you get the same error. Is it feasible to do what we want? Does it make sense? We already have a system for managing the

[Freeipa-users] Re: nsds5ReplConflict: missingEntry

2017-07-28 Thread Ludwig Krispenz via FreeIPA-users
On 07/27/2017 07:49 PM, email--- via FreeIPA-users wrote: This is a new one, any ideas on how to get this to sync?
ldapsearch -x -D "cn=directory manager" -W -b "dc=ipa,dc=example,dc=com" "nsds5ReplConflict=*" \* nsds5ReplConflict
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base

[Freeipa-users] Re: [Freeipa-users] ipa-client-install using AD/ad_admin credentials

2017-07-28 Thread email--- via FreeIPA-users
Steve, We have the same problem with the web interface, from what I can tell you must either sync accounts, delegate account passwords with RADIUS (which works for the web interface but not kerberos) and/or use service accounts. Our systems use kickstart and auto-join ipa on deployment with a

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-28 Thread Petros Triantafyllidis via FreeIPA-users
On 07/27/2017 08:29 PM, Mark Haney via FreeIPA-users wrote: Heh. That's the EXACT SAME error I kept getting whether I ran the install-ca from an existing replica, or when adding a CA while installing a new replica. Glad I'm not the only one seeing such weird errors. On Thu, Jul 27, 2017 at

[Freeipa-users] Re: Password History

2017-07-28 Thread Rob Crittenden via FreeIPA-users
John Trump via FreeIPA-users wrote: > I am using FreeIPA 4.4 and have implemented a password policy where > password history is set to 24. If a password admin or the user "admin" > resets a users password, the user is forced to change their password > upon logging in. At this point, the user is

[Freeipa-users] Account Settings not in sync for RADIUS authentication type. (Bugreport?)

2017-07-28 Thread email--- via FreeIPA-users
Looks like a UI glitch (it's correct in LDAP) but when configuring users to use RADIUS auth, these settings do not show as enabled/selected on other ipa servers. Steps to repeat:
1) add user
2) disable all password options, select only RADIUS
3) configure proxy username and server.
4) check

[Freeipa-users] Re: 5 bad replicas, can't remove, need these clean before I can re-add secondary replicas. [SOLVED]

2017-07-28 Thread Jake via FreeIPA-users
## Get all bad RUV
ipa-replica-manage list-ruv
## Enter ldapmodify
ldapmodify -D "cn=directory manager" -W -a
## Enter each of the following 1 line at a time.
dn: cn=clean CLEAR_RUV_ID, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com

[Freeipa-users] Re: 5 bad replicas, can't remove, need these clean before I can re-add secondary replicas.

2017-07-28 Thread Jake via FreeIPA-users
All I see are responses like yours, how about a link or add it to the documentation since it's such a problem?! - Original Message - From: "Petr Vobornik" To: "freeipa-users" Cc: "Jake" Sent: Friday,

[Freeipa-users] FreeIPA 2FA CentOS 6

2017-07-28 Thread Devin Acosta via FreeIPA-users
I have noticed that when I enable FreeIPA all my CentOS 7.x boxes work via SSH just fine, however none of my CentOS 6 boxes work. I read that 2FA didn't come until CentOS 7.1. So my question is does 2FA via SSH not work at all if you have a RHEL 6 / CentOS 6 server? Just curious. Thanks much.

[Freeipa-users] Re: FreeIPA 2FA CentOS 6

2017-07-28 Thread Lukas Slebodnik via FreeIPA-users
On (28/07/17 15:39), Devin Acosta via FreeIPA-users wrote: >I have noticed that when I enable FreeIPA all my CentOS 7.x boxes work via >SSH just fine, however none of my CentOS 6 boxes work. I read that 2FA >didn't come until CentOS 7.1. So my question is does 2FA via SSH not work >at all if you

[Freeipa-users] Re: Cronjob requesting krb tickets

2017-07-28 Thread Robbie Harwood via FreeIPA-users
Anton Semjonov writes: >>> It's much simpler to use a keytab for your service and let Kerberos >>> acquire a TGT automatically. You can either place the keytab in a >>> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to >>> handle the keytab for you. With