do you have a traceback in log? I'm curious where exactly this happened,
what is your FreeIPA version?
[1]
I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in
LXC :-) So it should work
2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <
On 09/01/18 18:18, Martin Basti via FreeIPA-users wrote:
Hello,
--auto-reverse won't create a reverse zone for private
address range, also it may have issues with the classless
subnet.
I suggest to create reverse zone manually after installation
with regards
Martin
It works for
On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
Giulio Casella via FreeIPA-users
writes:
Done, ipactl status report everything running,
That's not correct, see below.
but certificates don't renew.
Looking at certmonger (in debug mode) I
I meant traceback for the DNS issue :-)
Could you please provide the reason why gssproxy didn't start?
journalctl -xe
systemctl status gssproxy
journalctl -u gssproxy
2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hi,
>
> I have
That's weird. I've now tried a replica install on a fresh VM and it has
worked- exact same parameters as before ¬ ¬U, no "invalid
'dnszoneidnsname': only master zones can contain records". Maybe I had a
problem with the previous install failing and me cleaning up/retrying
incorrectly.
Never
Hi,
I have reproduced the problem on the LXC container. The full debug log is
at:
https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476
The bit failing is:
[root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw
--mkhomedir
...
ipa : DEBUG [11/22]:
On Tue, 09 Jan 2018, lejeczek via FreeIPA-users wrote:
hi
I've installed new IPA,
when I restart systemd ipa in /var/log/dirsrv/slapd-PRIVATE/errors I
see:
...
[09/Jan/2018:19:08:15.149362342 +] - NOTICE - ldbm_back_start -
total cache size: 3405774848 B;
[09/Jan/2018:19:08:15.207527697
Ah, wait, this new replica doesn't have CA and DNS. Will try various
combinations and post back.
On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles wrote:
> That's weird. I've now tried a replica install on a fresh VM and it has
> worked- exact same parameters as before ¬ ¬U, no
On Tue, Jan 09, 2018 at 03:26:57PM +, Marin BERNARD via FreeIPA-users wrote:
> Hi,
>
> We're using FreeIPA 4.5.0 on CentOS 7.4.
>
> We've set up a two-way trust between our 2 FreeIPA servers and our AD domain
> (forest and domain levels both on 2012 R2). So far, everything works as
>
I also had issues installing a replica under 7.4. Here are my notes. krb4 is
the new replica, krb1 and 2 the existing ones.
However a few things set up on krb4 didn't replicate to the krb1 and krb2.
There were enough issues that I did a full comparison of dumps from krb1 and
krb4. Use
hi
I've installed new IPA,
when I restart systemd ipa in
/var/log/dirsrv/slapd-PRIVATE/errors I see:
...
[09/Jan/2018:19:08:15.149362342 +] - NOTICE -
ldbm_back_start - total cache size: 3405774848 B;
[09/Jan/2018:19:08:15.207527697 +] - ERR -
schema-compat-plugin - scheduled
Giulio Casella via FreeIPA-users
writes:
> Done, ipactl status report everything running,
That's not correct, see below.
> but certificates don't renew.
> Looking at certmonger (in debug mode) I can see:
>
> "Server at
I checked that all but it was no solution.
As the forwarded subdomain had a parent I think I needed the delegation anyways.
I need to setup another test for it but I'm pretty sure the same happens. Can
you check if it's a bug or so ?
___
FreeIPA-users
I suggest to check this
https://www.freeipa.org/page/Troubleshooting#Forward_zone_does_not_work
and also try
dig fwzone @forwarer
with both fwzone enabled and removed
2018-01-09 16:34 GMT+01:00 Matt . via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> I need to retest it but what I
On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote:
> Hello Jakub,
>
> thanks for helping me out.
>
> It works in the console. when an expired user logs in via ctl-alt-f he
> gets all the warnings.
OK, then the warnings are even passed to lightdm..
Is there any chance lightdm
On 08/01/18 22:46, Robbie Harwood wrote:
lejeczek via FreeIPA-users
writes:
$ ipa-client-install --no-ntp --force-join
krb5kdc[1560686](info): preauth (encrypted_timestamp) verify
failure: Preauthentication failed
But after many tries(randomly)
I have IPA domain with AD trust.
AD users can log in on IPA computers.
getent passwd ad_user@ad_domain and id ad_user@ad_domain
I can login via ssh with kerberos ticket for ad_user@ad_domain
I setup SAMBA for this article
https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
Hi,
The client systems are the FreeIPA servers! Both are running on up-to-date
CentOS 7.4 with sssd 1.15.2.
Thanks,
Marin
From: Alexander Bokovoy
Sent: Tuesday, January 9, 2018 4:44:36 PM
To: FreeIPA users list
Cc: Marin
Hello,
--auto-reverse won't create a reverse zone for private address range, also
it may have issues with the classless subnet.
I suggest to create reverse zone manually after installation
with regards
Martin
2018-01-09 14:29 GMT+01:00 lejeczek via FreeIPA-users <
I cannot check if it is bug, you have to provide how your zone with
delegation and forward zone look like first :-)
2018-01-09 19:19 GMT+01:00 Matt . via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> I checked that all but it was no solution.
>
> As the forwarded subdomain had a
Giulio Casella via FreeIPA-users
writes:
> On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users
>> writes:
>>
>>> Done, ipactl status report everything running,
>>
>> That's
Hi Marti,
On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> it looks that replica is trying to add records to your forward zone. What
> is the hostname of the replica?
>
Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded
Hello Jakub,
thanks for helping me out.
It works in the console. when an expired user logs in via ctl-alt-f he
gets all the warnings.
I will try to increase pam verbosity and report back.
Greetings, J.
2018-01-08 14:59 GMT+01:00 Jakub Hrozek :
> On Mon, Jan 08, 2018 at
Hi Fraser,
On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users
wrote:
After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at
server. Request failed with status 500: Non-2xx response
hi everyone
I'm running an installation inside a lxc container and I was
expecting installer to create reverse zone.
$ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns
--auto-reverse --no-forwarders
but..
...
BIND DNS server will be configured to serve IPA domain with:
Forwarders:
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users
wrote:
> On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote:
> > "CA replica" just means any IPA master that has the Dogtag CA
> > installed.
> >
> > You have a Dogtag CA. That CA uses an LDAP database,
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users
wrote:
> Hi Fraser,
>
> On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote:
> > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users
> > wrote:
> > > After some time, requests go
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote:
> On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote:
> > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
> > not the FreeIPA DIT. You should check on a CA replica.
> >
>
> I don't have a
On 06/01/18 19:54, lejeczek via FreeIPA-users wrote:
hi
I'm trying to install replica, process fails:
..
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting
On 08/01/18 09:36, Florence Blanc-Renaud wrote:
On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote:
hi
I'm trying to install replica, process fails:
..
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring
On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote:
"CA replica" just means any IPA master that has the Dogtag CA
installed.
You have a Dogtag CA. That CA uses an LDAP database, which has
basedn `o=ipaca'. That database should have the entry I indicated,
whose `userCertificate'
On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote:
You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'),
not the FreeIPA DIT. You should check on a CA replica.
I don't have a replica right now (I'm in the middle of a disaster!)...
Some more detail: setting
Fedora 26
Freeipa 4.4
When trying to start ipactl I get the below output which never ceases. Seems
like it may have a few things in common with other dirsrv issues that we've
been having on our other CENTOS replicas.
ipactl -d status
ipa: DEBUG: importing all plugin modules in
On Tue, 09 Jan 2018, Marin BERNARD via FreeIPA-users wrote:
Hi,
We're using FreeIPA 4.5.0 on CentOS 7.4.
We've set up a two-way trust between our 2 FreeIPA servers and our AD
domain (forest and domain levels both on 2012 R2). So far, everything
works as expected, and we're able to perform SSO
On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches
ra-agent.pem.
Removed, only the matching one remains.
You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is
Hi,
We're using FreeIPA 4.5.0 on CentOS 7.4.
We've set up a two-way trust between our 2 FreeIPA servers and our AD domain
(forest and domain levels both on 2012 R2). So far, everything works as
expected, and we're able to perform SSO to both FreeIPA instances with AD
accounts.
In our AD
I need to retest it but what I did was:
- Create forward only zone for a subdomain
- Add the delegation for the subdomain to the parent
Nslookups did not work.
I disabled the forward zone and it started to work.
Hi,
We're using FreeIPA 4.5.0 on CentOS 7.4.
We've set up a two-way trust between our 2 FreeIPA servers and our AD domain
(forest and domain levels both on 2012 R2). So far, everything works as
expected, and we're able to perform SSO to both FreeIPA instances with AD
accounts.
In our AD
Hi All:
I did on centos 7 with replication of servers no problem but after install
cluster
I try reboot, it cause certmonger service fail and login service fail,
when I ssh to this A server it take half minutes or FTP always time out.
After that I have to stop cluster in B server and try stop