Hi all,
I have a small setup with two masters and several clients at one
location. I have noticed that when the first master goes down for
maintenance or failure, the other server is unable to authenticate
users. Is there a setting that needs to be made in order to achieve this
as long as th
On Wed, Jul 11, 2018 at 09:16:19PM -, Mike Conner via FreeIPA-users wrote:
> To the /etc/krb5.conf file on the client, I changed from this:
>
> [realms]
> CS.GRINNELL.EDU = {
> kdc = ipa.cs.grinnell.edu:88
> master_kdc = ipa.cs.grinnell.edu:88
> admin_server = ipa.cs.grinnell.edu
On Wed, Jul 11, 2018 at 09:42:14PM -, Mike Conner via FreeIPA-users wrote:
> sssd_nss.log during attempted lookup of slyme...@grinnell.edu account:
> https://pastebin.com/gLFnhZ9s
This is somewhat helpful, at least this snippet:
(Wed Jul 11 16:33:22 2018) [sssd[nss]] [cache_req_search_cache]
(
On Thu, Jul 12, 2018 at 10:21:24AM +0300, Petros Triantafyllidis via
FreeIPA-users wrote:
> Hi all,
> I have a small setup with two masters and several clients at one location.
> I have noticed that when the first master goes down for maintenance or
> failure, the other server is unable to authe
On Thu, 12 Jul 2018, tolotos--- via FreeIPA-users wrote:
Hi,
we have done some additional testing and debugging.
It seems there are some problems with the extdom-extop plugin in the directory
server.
If we set ignore_group_members, the first request gets a good response.
(tested by: server: sssct
On Wed, 11 Jul 2018, Mike Conner via FreeIPA-users wrote:
So you're saying the client is probably not finding the AD KDC through DNS SRV
calls? I think that I've tested all the DNS configs that are called for in the
documentation. What could I do to test whether the AD realm's KDC is being
di
On Thu, 12 Jul 2018, Jakub Hrozek via FreeIPA-users wrote:
On Thu, Jul 12, 2018 at 10:21:24AM +0300, Petros Triantafyllidis via
FreeIPA-users wrote:
Hi all,
I have a small setup with two masters and several clients at one location.
I have noticed that when the first master goes down for main
On Thu, Jul 12, 2018 at 10:54:55AM +0300, Alexander Bokovoy via FreeIPA-users
wrote:
> On Thu, 12 Jul 2018, tolotos--- via FreeIPA-users wrote:
> > Hi,
> >
> > we have done some additional testing and debugging.
> >
> > It seems there are some problems with the extdom-extop plugin in the directory
On Thu, 12 Jul 2018, Jakub Hrozek via FreeIPA-users wrote:
On Thu, Jul 12, 2018 at 10:54:55AM +0300, Alexander Bokovoy via FreeIPA-users
wrote:
On Thu, 12 Jul 2018, tolotos--- via FreeIPA-users wrote:
> Hi,
>
> we have done some additional testing and debugging.
>
> It seems there are some proble
Hi,
no, we don't have special timeout settings in sssd.conf. Which parameters you
would recommend to set?
Due to the assumption that all seems to work at the moment when all
caches/buffers are empty, we experiment with modifying the cache files in
/var/lib/sss/db/cache*.ldb with the ldb-tools. An
On Thu, Jul 12, 2018 at 08:49:37AM -, tolotos--- via FreeIPA-users wrote:
> Hi,
>
> no, we don't have special timeout settings in sssd.conf. Which parameters you
> would recommend to set?
>
> Due to the assumption that all seems to work at the moment when all
> caches/buffers are empty, we exp
Hello, everyone
I've got a problem similar to:
https://serverfault.com/questions/253960/adding-subject-alternate-names-san-to-an-existing-cert-signing-request-csr
So, there is a HP crypto device for which I should issue a certificate (via
FreeIPA CA), it allows you to generate CSR, and there is no a
On Thu, Jul 12, 2018 at 09:26:09AM -, vitenbergd--- via FreeIPA-users wrote:
> Hello, everyone
>
> I've got a problem similar to:
> https://serverfault.com/questions/253960/adding-subject-alternate-names-san-to-an-existing-cert-signing-request-csr
>
> So, there is a HP crypto device for which I
Hi,
hmm, it seems that it has done in a different way. We have compat tree active
and it contains the ad users without a problem.
Best Regards,
Axel
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to f
Hi,
the *.ldb files are manipulated on the server. On the client, we have removed
the cache via sssctl.
What logs exactly, besides the logs I already posted?
Best Regards,
Axel
Further investigation suggests this might have something to do with gssproxy.
I was expecting to find the HTTP keytab at /etc/httpd/conf/ipa.keytab, but now
see it is in /var/lib/ipa/gssproxy. This problem only occurs if the PHP script
is executed by the apache user in the context of the HTTP
On Thu, 2018-07-12 at 12:02 +, Ryan Slominski via FreeIPA-users
wrote:
> Further investigation suggests this might have something to do with
> gssproxy. I was expecting to find the HTTP keytab at
> /etc/httpd/conf/ipa.keytab, but now see it is in
> /var/lib/ipa/gssproxy. This problem only oc
Hello everyone,
Did I not post my question correctly? Is there more information I should have
posted? Should I file a bug report?
From: Miller, Jim via FreeIPA-users
[mailto:freeipa-users@lists.fedorahosted.org]
Sent: Wednesday, July 11, 2018 4:49 PM
To: freeipa-users@lists.fedorahosted.or
Aha!
This (from the domain log) shed some light:
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user]
(0x0400): Processing user slyme...@grinnell.edu
(Thu Jul 12 08:13:33 2018) [sssd[be[cs.grinnell.edu]]] [sdap_save_user]
(0x1000): Mapping user [slyme...@grinnell.edu] objectS
Thanks Simo,
I've got this working now using PHP's shell_exec and a bash script that invokes
curl directly (as opposed to using libcurl in PHP). This allows me to clear
the environment (unset GSS_USE_PROXY).
Here is the final solution for reference:
PHP script now looks like:
Shell script
Hello,
I had set up on 2 CentOS 7.5 boxes a FreeIPA Master and a Replica.
Currently the master has all services (DNS, CA, KRA) and it's prepared for
one-way trust with AD.
Unfortunately, I have a lot of issues with the replica!
The replica setup was:
ipa-replica-install --setup-ca --setup-dns --
Hello,
I want to create an IPA "system" account that will be able to enroll clients
(nothing else). There is a discussion (around 2016) but it looks like it is not
relevant to FreeIPA 4.5. Also, I cannot find anything in Red Hat's
KB.
So, what is the correct way to create a system account
Also seems to be set:
freeipaclient$ dig +short -t SRV _kerberos._udp.cs.domain.dom
0 100 88 ipa.cs.domain.com.
freeipaclients$ dig +short -t SRV _kerberos._udp.domain.com
0 100 88 kdc1.domain.com.
0 100 88 kdc2.domain.com.
On Thu, Jul 12, 2018 at 09:50:14AM -, tolotos--- via FreeIPA-users wrote:
> Hi,
>
> the *.ldb files are manipulated on the server. On the client, we have removed
> the cache via sssctl.
>
> What logs exactly, besides the logs I already posted?
SSSD NSS and domain logs of the failing lookup