[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Kristian Petersen via FreeIPA-users
I checked the logs that turned up after running the find command suggested by Jochen and only a couple of them turned up anything that mention pki or pki-tomcat: from /var/log/audit/audit.log: type=SERVICE_START msg=audit(1508873851.623:163448): pid=1 uid=0 auid=4294967295 ses=4294967295

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Lachlan Musicman via FreeIPA-users
On 27 October 2017 at 07:38, Rob Crittenden wrote: > Lachlan Musicman via FreeIPA-users wrote: > > > > > ipa -version > > VERSION: 4.5.0, API_VERSION: 2.228 > > It shouldn't be even trying port 7389 with v4.5.0. Very old versions of > IPA used to use two separate 389-ds

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Lachlan Musicman via FreeIPA-users
On 27 October 2017 at 07:38, Rob Crittenden wrote: > Lachlan Musicman via FreeIPA-users wrote: > > > > When I look at the ID Views in the interface, I get an "IPA Error 903: > > InternalError". > > See /var/log/httpd/error_log for details, there may be a python backtrace. >

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Lachlan Musicman via FreeIPA-users
On 27 October 2017 at 10:32, Lachlan Musicman wrote: > On 27 October 2017 at 07:38, Rob Crittenden wrote: > >> Lachlan Musicman via FreeIPA-users wrote: >> > >> > When I look at the ID Views in the interface, I get an "IPA Error 903: >> > InternalError".

[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/26/2017 04:58 PM, Kristian Petersen via FreeIPA-users wrote: I am having problems with the server that currently is my main CA and was considering trying to switch that function to a different server.  I have tried some of the stuff I found online but the CA role can't be enabled on

[Freeipa-users] Re: Sync against AD group

2017-10-26 Thread Rob Crittenden via FreeIPA-users
Miguel Angel Coa M. wrote: > Rob, > My idea about A/D group is centralize the users for the winsync because > some are in one OU and others in others (but i see this isn't possible) > > eg. > > Example2.com <-- Domain root > Builtin <-- Default > . > . > Users <-- Default users ->

[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Kristian Petersen via FreeIPA-users
When I recently updated one of my IPA servers (it reports 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up because pki-tomcatd kept failing. I was able to get it running for now by ignoring the failure of that one service, but I haven't been able to to determine the

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Rob Crittenden via FreeIPA-users
Nicholas Hinds wrote: > I tried running `sudo service named-pkcs11 stop` before the yum update, > but FreeIPA still returned NXDOMAIN responses temporarily. You want the service named. > It seems like these responses occur about 10 seconds after the last log > entry in /var/log/ipaupgrade.log

[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users writes: > When I recently updated one of my IPA servers (it reports > 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up > because pki-tomcatd kept failing. I was able to get it running for now by

[Freeipa-users] Swiching which FreeIPA server is the main CA

2017-10-26 Thread Kristian Petersen via FreeIPA-users
I am having problems with the server that currently is my main CA and was considering trying to switch that function to a different server. I have tried some of the stuff I found online but the CA role can't be enabled on another server because it is broken on the one that has it right now. Hence

[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Kristian Petersen via FreeIPA-users
The dirsrv log just shows a bunch of the following: [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-ipa 2.chem.byu.edu-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object)

[Freeipa-users] Re: Port 389

2017-10-26 Thread Simo Sorce via FreeIPA-users
On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote: > Hello IPA, > >   Hopefully a quick question. > > RHEL 7.3 IPA 4.4 > >  I have been digging around RHEL docs > https://access.redhat.com/solutions/357673 for firewall ports and it > says > 389 is required for replication of

[Freeipa-users] Re: Port 389

2017-10-26 Thread Sean Hogan via FreeIPA-users
Ok.. no worries. Thanks Simo From: Simo Sorce via FreeIPA-users To: FreeIPA users list Cc: Sean Hogan , Simo Sorce Date: 10/26/2017 02:17 PM Subject:

[Freeipa-users] Re: Swiching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users writes: > The dirsrv log just shows a bunch of the following: > [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error: > could not bind id [cn=Replication Manager cloneAgreement1-ipa >

[Freeipa-users] Re: Replica stopped working: pki-ca port failed?

2017-10-26 Thread Rob Crittenden via FreeIPA-users
Lachlan Musicman via FreeIPA-users wrote: > When I first installed our replica, it worked just fine - I could add a > user and see it on the master server. And vice versa. > > I recently went back to take a look and make sure everything was working > - and it's not. > > ipactl status shows

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Nicholas Hinds via FreeIPA-users
I tried running `sudo service named-pkcs11 stop` before the yum update, but FreeIPA still returned NXDOMAIN responses temporarily. It seems like these responses occur about 10 seconds after the last log entry in /var/log/ipaupgrade.log ("The ipa-server-upgrade command was successful"). Based on

[Freeipa-users] Re: yum update caused FreeIPA to temporarily return NXDOMAIN for valid records

2017-10-26 Thread Nicholas Hinds via FreeIPA-users
On Thu, Oct 26, 2017 at 9:17 AM Rob Crittenden wrote: > Nicholas Hinds wrote: > > I tried running `sudo service named-pkcs11 stop` before the yum update, > > but FreeIPA still returned NXDOMAIN responses temporarily. > > You want the service named. > That service does not

[Freeipa-users] Port 389

2017-10-26 Thread Sean Hogan via FreeIPA-users
Hello IPA, Hopefully a quick question. RHEL 7.3 IPA 4.4 I have been digging around RHEL docs https://access.redhat.com/solutions/357673 for firewall ports and it says 389 is required for replication of IPA servers and clients to IPA servers. FreeIPA docs say this: SSL/startTLS When