[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-09 Thread Martin Basti via FreeIPA-users
Do you have a traceback in the log? I'm curious where exactly this happened; what is your FreeIPA version? [1] I haven't installed FreeIPA in LXC, but I'm a happy user of FreeIPA running in LXC :-) So it should work. 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users <

[Freeipa-users] Re: should ipa-server-install fail to auto create reverse zone?

2018-01-09 Thread lejeczek via FreeIPA-users
On 09/01/18 18:18, Martin Basti via FreeIPA-users wrote: Hello, --auto-reverse won't create a reverse zone for a private address range; also it may have issues with classless subnets. I suggest creating the reverse zone manually after installation. With regards, Martin. It works for

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Giulio Casella via FreeIPA-users
On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote: Giulio Casella via FreeIPA-users writes: Done, ipactl status reports everything running, That's not correct, see below. but certificates don't renew. Looking at certmonger (in debug mode) I

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-09 Thread Martin Basti via FreeIPA-users
I meant the traceback for the DNS issue :-) Could you please provide the reason why gssproxy didn't start? journalctl -xe; systemctl status gssproxy; journalctl -u gssproxy 2018-01-09 21:29 GMT+01:00 Alex Corcoles via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hi, > > I have

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-09 Thread Alex Corcoles via FreeIPA-users
That's weird. I've now tried a replica install on a fresh VM and it has worked: exact same parameters as before ¬ ¬U, no "invalid 'dnszoneidnsname': only master zones can contain records". Maybe I had a problem with the previous install failing and me cleaning up/retrying incorrectly. Never

[Freeipa-users] Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-09 Thread Alex Corcoles via FreeIPA-users
Hi, I have reproduced the problem on the LXC container. The full debug log is at: https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476 The bit failing is: [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw --mkhomedir ... ipa : DEBUG [11/22]:

[Freeipa-users] Re: new IPA install - dirsrv errors: schema-compat-plugin, NSACLPlugin

2018-01-09 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 09 Jan 2018, lejeczek via FreeIPA-users wrote: hi, I've installed a new IPA; when I restart ipa via systemd, in /var/log/dirsrv/slapd-PRIVATE/errors I see: ... [09/Jan/2018:19:08:15.149362342 +] - NOTICE - ldbm_back_start - total cache size: 3405774848 B; [09/Jan/2018:19:08:15.207527697

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-09 Thread Alex Corcoles via FreeIPA-users
Ah, wait, this new replica doesn't have a CA or DNS. Will try various combinations and post back. On Tue, Jan 9, 2018 at 10:03 PM, Alex Corcoles wrote: > That's weird. I've now tried a replica install on a fresh VM and it has > worked: exact same parameters as before ¬ ¬U, no

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-09 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 09, 2018 at 03:26:57PM +, Marin BERNARD via FreeIPA-users wrote: > Hi, > > We're using FreeIPA 4.5.0 on CentOS 7.4. > > We've set up a two-way trust between our 2 FreeIPA servers and our AD domain > (forest and domain levels both on 2012 R2). So far, everything works as >

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-09 Thread Charles Hedrick via FreeIPA-users
I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and krb2 the existing ones. However, a few things set up on krb4 didn't replicate to krb1 and krb2. There were enough issues that I did a full comparison of dumps from krb1 and krb4. Use

[Freeipa-users] new IPA install - dirsrv errors: schema-compat-plugin, NSACLPlugin

2018-01-09 Thread lejeczek via FreeIPA-users
hi, I've installed a new IPA; when I restart ipa via systemd, in /var/log/dirsrv/slapd-PRIVATE/errors I see: ... [09/Jan/2018:19:08:15.149362342 +] - NOTICE - ldbm_back_start - total cache size: 3405774848 B; [09/Jan/2018:19:08:15.207527697 +] - ERR - schema-compat-plugin - scheduled

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users writes: > Done, ipactl status report everything running, That's not correct, see below. > but certificates don't renew. > Looking at certmonger (in debug mod) I can see: > > "Server at

[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled

2018-01-09 Thread Matt . via FreeIPA-users
I checked all that, but it was no solution. As the forwarded subdomain had a parent, I think I needed the delegation anyway. I need to set up another test for it, but I'm pretty sure the same happens. Can you check if it's a bug or so?

[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled

2018-01-09 Thread Martin Basti via FreeIPA-users
I suggest checking this: https://www.freeipa.org/page/Troubleshooting#Forward_zone_does_not_work and also trying dig fwzone @forwarder with the fwzone both enabled and removed 2018-01-09 16:34 GMT+01:00 Matt . via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > I need to retest it but what I

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-09 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jan 09, 2018 at 12:48:39PM +0100, Johan Vermeulen wrote: > Hello Jakub, > > thanks for helping me out. > > It works in the console. When an expired user logs in via ctrl-alt-f he > gets all the warnings. OK, then the warnings are even passed to lightdm... Is there any chance lightdm

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-09 Thread lejeczek via FreeIPA-users
On 08/01/18 22:46, Robbie Harwood wrote: lejeczek via FreeIPA-users writes: $ ipa-client-install --no-ntp --force-join krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed But after many tries (randomly)

[Freeipa-users] AD trust and SAMBA

2018-01-09 Thread Николай Савельев via FreeIPA-users
I have an IPA domain with an AD trust. AD users can log in on IPA computers. getent passwd ad_user@ad_domain and id ad_user@ad_domain. I can log in via ssh with a Kerberos ticket for ad_user@ad_domain. I set up Samba following this article: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-09 Thread Marin BERNARD via FreeIPA-users
Hi, The client systems are the FreeIPA servers! Both are running on up-to-date CentOS 7.4 with sssd 1.15.2. Thanks, Marin From: Alexander Bokovoy Sent: Tuesday, January 9, 2018 4:44:36 PM To: FreeIPA users list Cc: Marin

[Freeipa-users] Re: should ipa-server-install fail to auto create reverse zone?

2018-01-09 Thread Martin Basti via FreeIPA-users
Hello, --auto-reverse won't create a reverse zone for a private address range; also it may have issues with classless subnets. I suggest creating the reverse zone manually after installation. With regards, Martin 2018-01-09 14:29 GMT+01:00 lejeczek via FreeIPA-users <

[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled

2018-01-09 Thread Martin Basti via FreeIPA-users
I cannot check if it is a bug; you have to show what your zone with the delegation and the forward zone look like first :-) 2018-01-09 19:19 GMT+01:00 Matt . via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > I checked all that, but it was no solution. > > As the forwarded subdomain had a

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users writes: > On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote: >> Giulio Casella via FreeIPA-users >> writes: >> >>> Done, ipactl status reports everything running, >> >> That's

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-09 Thread Alex Corcoles via FreeIPA-users
Hi Martin, On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > It looks like the replica is trying to add records to your forward zone. What > is the hostname of the replica? > Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded
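
The cause Martin describes above, as an added example that is not part of the original thread or of FreeIPA's code: a small Python check that picks the IPA-managed DNS zone a hostname falls under by longest suffix and reports whether that zone is a master zone. The zone list is constructed from names in the thread; it assumes the IPA domain ipa.pdp7.net is a master zone and h2.int.pdp7.net is a forward zone, which is what the replica hostname xxx.h2.int.pdp7.net and Martin's diagnosis suggest.

```python
"""Which IPA-managed DNS zone would hold a replica's records, and is it a master zone?

Added example for this thread; not FreeIPA code. Zone names are constructed
from the names in the thread (ipa.pdp7.net assumed to be a master zone,
h2.int.pdp7.net a forward zone); the replica hostname is the one Alex gave.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Zone:
    name: str  # zone apex, without trailing dot
    kind: str  # "master" (ipa dnszone-find) or "forward" (ipa dnsforwardzone-find)


def _labels(name: str) -> List[str]:
    """Lower-cased DNS labels, trailing dot and empty labels dropped."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def owning_zone(hostname: str, zones: List[Zone]) -> Optional[Zone]:
    """Longest-suffix match: the most specific zone whose apex is a parent of hostname.

    A forward zone below a master zone wins for names under it, which is the
    situation in the thread: the forward zone is the one that would own the records.
    """
    host = _labels(hostname)
    best: Optional[Zone] = None
    for zone in zones:
        apex = _labels(zone.name)
        if len(apex) <= len(host) and host[-len(apex):] == apex:
            if best is None or len(apex) > len(_labels(best.name)):
                best = zone
    return best


def check_replica_records(hostname: str, zones: List[Zone]) -> str:
    """Classify what the replica installer would run into when adding its records.

    'no-zone'      : name is not under any IPA-managed zone; nothing is added there
    'ok:<zone>'    : the records go into a master zone
    'error:<zone>' : the best match is a forward zone, i.e. the
                     "only master zones can contain records" case
    """
    zone = owning_zone(hostname, zones)
    if zone is None:
        return "no-zone"
    if zone.kind == "master":
        return f"ok:{zone.name}"
    return f"error:{zone.name}"


# Constructed from the names in the thread (assumption, see module docstring).
ZONES = [Zone("ipa.pdp7.net", "master"), Zone("h2.int.pdp7.net", "forward")]

if __name__ == "__main__":
    for host in ("xxx.h2.int.pdp7.net", "replica2.ipa.pdp7.net", "host.elsewhere.test"):
        print(f"{host:28} -> {check_replica_records(host, ZONES)}")
```

The point of the longest-suffix rule is that adding a master zone above the forward zone does not help: a name below the forward zone still resolves to the forward zone, so the replica must either live in a master zone or the forward zone has to be replaced by a master zone (or the records left unmanaged).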

[Freeipa-users] Re: Centos7.4: users not seeing password expired notifications

2018-01-09 Thread Johan Vermeulen via FreeIPA-users
Hello Jakub, thanks for helping me out. It works in the console. when an expired user logs in via ctl-alt-f he gets all the warnings. I will try to increase pam verbosity and report back. Greetings, J. 2018-01-08 14:59 GMT+01:00 Jakub Hrozek : > On Mon, Jan 08, 2018 at

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Giulio Casella via FreeIPA-users
Hi Fraser, On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote: On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote: After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response

[Freeipa-users] should ipa-server-install fail to auto create reverse zone?

2018-01-09 Thread lejeczek via FreeIPA-users
hi everyone, I'm running an installation inside an lxc container and I was expecting the installer to create the reverse zone. $ ipa-server-install -p ${myPass} -a ${myPass} --setup-dns --auto-reverse --no-forwarders but.. ... BIND DNS server will be configured to serve IPA domain with: Forwarders:

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote: > On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote: > > "CA replica" just means any IPA master that has the Dogtag CA > > installed. > > > > You have a Dogtag CA. That CA uses an LDAP database,

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote: > Hi Fraser, > > On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users > > wrote: > > > After some time, requests go

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Fraser Tweedale via FreeIPA-users
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote: > On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote: > > You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), > > not the FreeIPA DIT. You should check on a CA replica. > > > > I don't have a

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-09 Thread lejeczek via FreeIPA-users
On 06/01/18 19:54, lejeczek via FreeIPA-users wrote: hi, I'm trying to install a replica; the process fails: .. [3/5]: creating anonymous principal [4/5]: starting the KDC [5/5]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-09 Thread lejeczek via FreeIPA-users
On 08/01/18 09:36, Florence Blanc-Renaud wrote: On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote: hi, I'm trying to install a replica; the process fails: .. [3/5]: creating anonymous principal [4/5]: starting the KDC [5/5]: configuring KDC to start on boot Done configuring

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Giulio Casella via FreeIPA-users
On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote: "CA replica" just means any IPA master that has the Dogtag CA installed. You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate'

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Giulio Casella via FreeIPA-users
On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote: You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica. I don't have a replica right now (I'm in the middle of a disaster!)... Some more detail: setting

[Freeipa-users] Unable to start dirsrv

2018-01-09 Thread pgb205 via FreeIPA-users
Fedora 26, FreeIPA 4.4. When trying to start ipactl I get the output below, which never ceases. Seems like it may have a few things in common with other dirsrv issues that we've been having on our other CentOS replicas. ipactl -d status ipa: DEBUG: importing all plugin modules in

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-09 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 09 Jan 2018, Marin BERNARD via FreeIPA-users wrote: Hi, We're using FreeIPA 4.5.0 on CentOS 7.4. We've set up a two-way trust between our 2 FreeIPA servers and our AD domain (forest and domain levels both on 2012 R2). So far, everything works as expected, and we're able to perform SSO

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Giulio Casella via FreeIPA-users
On 09/01/2018 14:42, Fraser Tweedale wrote: Remove all the userAttribute values except the one that matches ra-agent.pem. Removed, only the matching one remains. You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is
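
The clean-up Fraser recommends in this thread (keep only the `userCertificate` value that matches ra-agent.pem, delete the rest) as an added worked example; this is not code from the thread, from FreeIPA or from Dogtag. It does no X.509 parsing: it compares the DER bytes decoded from the PEM file with each `userCertificate` value as exported by `ldapsearch -LLL` (base64 after `::`, optionally with the `;binary` option) and writes the `ldapmodify` LDIF that deletes the non-matching values. `ENTRY_DN` is a placeholder because the archived message does not show which entry Fraser pointed at; substitute the real DN under `o=ipaca`. The certificate bytes in the sample are constructed stand-ins, not real certificates.

```python
"""Keep only the userCertificate value that matches ra-agent.pem.

Added example for this thread, not code from FreeIPA or Dogtag. Compares the
DER bytes of the PEM file with each userCertificate value in an LDIF dump and
emits the ldapmodify LDIF that removes the others. ENTRY_DN is a placeholder
(assumption: the thread does not show the entry); the sample certificate
bytes are constructed, not real certificates.
"""
import base64
import hashlib
import re
import textwrap
from typing import List, Tuple

ENTRY_DN = "cn=placeholder,o=ipaca"  # assumption: replace with the entry from the thread

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -fingerprint -sha256` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def ldif_cert_values(ldif: str) -> List[Tuple[str, bytes]]:
    """(attribute descriptor, DER bytes) for every userCertificate value in an LDIF entry.

    Handles the ';binary' option and LDIF continuation lines (leading space).
    """
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    found: List[Tuple[str, bytes]] = []
    for line in unfolded:
        desc, sep, rest = line.partition(":")
        if not sep or desc.split(";")[0].strip().lower() != "usercertificate":
            continue
        if not rest.startswith(":"):
            continue  # a certificate is always base64 ('::') in LDIF; skip anything else
        found.append((desc.strip(), base64.b64decode(rest[1:].strip())))
    return found


def split_values(ra_agent_pem: str, ldif: str):
    """Partition the LDAP values into (matching ra-agent.pem, stale)."""
    target = pem_to_der(ra_agent_pem)
    keep, stale = [], []
    for desc, der in ldif_cert_values(ldif):
        (keep if der == target else stale).append((desc, der))
    return keep, stale


def deletion_ldif(dn: str, stale) -> str:
    """LDIF modify operation deleting exactly the stale values, one 'delete' per value."""
    if not stale:
        return ""
    out = [f"dn: {dn}", "changetype: modify"]
    for desc, der in stale:
        out += [f"delete: {desc}", f"{desc}:: {base64.b64encode(der).decode()}", "-"]
    return "\n".join(out) + "\n"


# --- constructed sample input (not real certificates) ---------------------------------
FAKE_CURRENT = b"\x30\x82\x01\x00 constructed stand-in for the current ra-agent cert"
FAKE_OLD = b"\x30\x82\x01\x00 constructed stand-in for an expired cert"


def _pem(der: bytes) -> str:
    body = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


RA_AGENT_PEM = _pem(FAKE_CURRENT)
SAMPLE_LDIF = (
    f"dn: {ENTRY_DN}\n"
    "objectClass: top\n"
    f"userCertificate;binary:: {base64.b64encode(FAKE_OLD).decode()}\n"
    f"userCertificate;binary:: {base64.b64encode(FAKE_CURRENT).decode()}\n"
)

if __name__ == "__main__":
    keep, stale = split_values(RA_AGENT_PEM, SAMPLE_LDIF)
    print("ra-agent.pem fingerprint:", sha256_fingerprint(pem_to_der(RA_AGENT_PEM)))
    print(f"{len(keep)} matching value(s), {len(stale)} stale value(s)")
    print(deletion_ldif(ENTRY_DN, stale), end="")
```

Run it against a real export by feeding `open("/var/lib/ipa/ra-agent.pem").read()` and the `ldapsearch -LLL` output for the entry; refuse to apply the result if `keep` is empty, since that means the certificate on disk is not in the entry at all and deleting the others would leave nothing to match. Value-specific `delete` operations keep the change minimal and reviewable; the same LDIF shape can be reused for the copy under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}` that the thread mentions, with that entry's own DN and attribute descriptor.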

[Freeipa-users] sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-09 Thread Marin BERNARD via FreeIPA-users
Hi, We're using FreeIPA 4.5.0 on CentOS 7.4. We've set up a two-way trust between our 2 FreeIPA servers and our AD domain (forest and domain levels both on 2012 R2). So far, everything works as expected, and we're able to perform SSO to both FreeIPA instances with AD accounts. In our AD

[Freeipa-users] Re: Forwarders don't work when enabled but do work when disabled

2018-01-09 Thread Matt . via FreeIPA-users
I need to retest it, but what I did was: - Create a forward-only zone for a subdomain - Add the delegation for the subdomain to the parent. Nslookups did not work. I disabled the forward zone and it started to work.

[Freeipa-users] Cluster fail with certmonger fail

2018-01-09 Thread barrykfl--- via FreeIPA-users
Hi All: I did this on CentOS 7 with replication of servers, no problem, but after installing the cluster I tried a reboot; it causes the certmonger service to fail and the login service to fail. When I ssh to this A server it takes half a minute, or FTP always times out. After that I have to stop the cluster on the B server and try stop