[Freeipa-users] web interface: show all instead of just 20 entries?

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, a small suggestion for the web interface: An option "show all" would be nice, e.g. for the list of active users, user groups or hosts. Currently it just shows 20 entries, which is *way* too little. Please excuse if I was too blind to find a config option. freeipa is version 4.4.0-14

[Freeipa-users] Re: web interface: show all instead of just 20 entries?

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi Petr, On Wed, 2 Aug 2017 12:48:32 +0200 Petr Vobornik via FreeIPA-users wrote: > > Hello, > > 20 was a hard-coded paging limit. Since FreeIPA 4.5 (not sure if also > in 4.4) the paging limit can be configured in Web UI under: "Top-right > corner

[Freeipa-users] howto replace an externally signed CA

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, Problem: I have setup freeipa using a bad external CA. Long story: I have setup my freeipa servers using ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca --subject="O=example AG,C=DE" --setup-dns --forwarder=... on ipa1.example.com. It created a csr, it was

[Freeipa-users] PKI debug files are not rotated

2017-08-03 Thread Harald Dunkel via FreeIPA-users
Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/pki/pki-tomcat/ca/CS.cfg, setting debug.append=true

[Freeipa-users] Chromium complains about ipa's web server certificate

2017-08-11 Thread Harald Dunkel via FreeIPA-users
Hi folks, My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by an external root CA. Problem: Even though I have imported the root CA and clicked on all the trust checkboxes, chromium complains about the certificate of the web admin interface running on https://ipa1.example.com/ :

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-11 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On Thu, 10 Aug 2017 17:21:19 +0200 Florence Blanc-Renaud wrote: > On 08/10/2017 04:47 PM, Harald Dunkel wrote: > > Hi folks, > > > > On Wed, 2 Aug 2017 16:24:00 +0200 > > Florence Blanc-Renaud wrote: > > > >> Hi, > >> > >> You can follow the steps

[Freeipa-users] Re: Chromium complains about ipa's web server certificate

2017-08-12 Thread Harald Dunkel via FreeIPA-users
Hi Fraser, On Fri, 11 Aug 2017 18:48:29 +1000 Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users > wrote: > > > > https://support.google.com/chrome/a/answer/7391219

[Freeipa-users] Re: sssd providing dns cache?

2017-07-07 Thread Harald Dunkel via FreeIPA-users
On Fri, 7 Jul 2017 08:27:53 + "wouter.hummelink--- via FreeIPA-users" wrote: > No, > I would suggest to add it. > But you can use nscd with [services passwd group netgroup] caches disabled. > I saw the documentation about this on RedHat's wiki,

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-08 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: > Hi, > > You can follow the steps described here: >

[Freeipa-users] Re: AIX 7.1 as IPA Client

2017-09-15 Thread Harald Dunkel via FreeIPA-users
On Thu, 14 Sep 2017 11:09:22 +0200 Ronald Wimmer via FreeIPA-users wrote: > Does anyone have AIX 7 IPA Clients? Is there also an IPA client > installer around or do I have to go through this: > > https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients

[Freeipa-users] Re: ipa-cacert-manage vs NIS support

2017-10-23 Thread Harald Dunkel via FreeIPA-users
On Mon, 23 Oct 2017 08:29:30 +0300 Alexander Bokovoy via FreeIPA-users wrote: > On su, 22 loka 2017, Harald Dunkel wrote: > > >My problem is, that authentication appears to be broken on > >all NIS clients (2 AIX 6.1 hosts). The problem came up on >

[Freeipa-users] Re: ipa-getkeytab: PrincipalName not found

2017-11-12 Thread Harald Dunkel via FreeIPA-users
Hi Alex, On Fri, 10 Nov 2017 16:59:07 +0200 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote: > > > >ipa-getkeytab failed with > > > > Failed to parse result:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-14 Thread Harald Dunkel via FreeIPA-users
Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates). If it is not the case, please check first if there were AVC issues (if running in SElinux enforcing mode), and feel free

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-13 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote: My concern is, it looks much more restricted than the old root CA certificate: # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes

[Freeipa-users] Re: ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-17 Thread Harald Dunkel via FreeIPA-users
to the new root CA. Would anybody mind to fix? Thanx very much Harri On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > a few months ago I had replaced the externally signed root > certificate on my servers (CentOS 7.3) using ipa-cacert-manage. > Problem:

[Freeipa-users] Re: ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-16 Thread Harald Dunkel via FreeIPA-users
Hi Charles, On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote: > I’ve seen the same thing. Or at least I think it seems like it’s related. > > We have three servers, all on Centos. The initial one was installed under > 7.3, using defaults. That caused it to generate a self-signed CA.

[Freeipa-users] ipa-getkeytab: PrincipalName not found

2017-11-10 Thread Harald Dunkel via FreeIPA-users
Hi folks, maybe I missed something, but shouldn't admin have sufficient privileges to run # ipa-client-install --hostname stretch1.vs.example.de --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp # reboot : : # kinit admin # ipa-getkeytab -s ipa1.example.de -p

[Freeipa-users] ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage

2017-11-16 Thread Harald Dunkel via FreeIPA-users
Hi folks, a few months ago I had replaced the externally signed root certificate on my servers (CentOS 7.3) using ipa-cacert-manage. Problem: ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy, freeipa 3.0.2) fails. Apparently it stumbles over the old root certificate: #

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Flo and Andrew, thanx for your replies, but I think you missed the point: The new (external) root CA certificate and the new ipa CA certificate are *in* freeipa already, but on the host I had used for running ipa-cacert-manage to deploy this new PKI the database in

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-08 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote: Hi Harald, the external CAs and FreeIPA CA must be stored in the LDAP server (cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external CAs to the LDAP server is to run ipa-cacert-manage install. ACK You need

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: Here is what I see on the broken ipa server: [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
On 12/7/17 2:53 PM, Florence Blanc-Renaud wrote: Hi, if you run: ipa-cacert-manage install -t C,, ipa-certupdate then the new root certificate will be installed in all the required NSS databases. Do not forget to run ipa-certupdate on all the FreeIPA machines. This did not work:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
PS: I have derived another CA replica "ipa0" from ipa2. certutil shows different trustargs again. Shouldn't ipa2 and the new ipa0 have identical trustargs? [root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote: > Harald Dunkel via FreeIPA-users wrote: >> See attachment. >> >> Please note the "invalid certificate". Do you remember the thread >> on freeipa-devel about "ipa-client-install (3.0.2

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
See attachment. Please note the "invalid certificate". Do you remember the thread on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails after root certificate change via ipa-cacert-manage" and the output of "ipa-certupdate -v" I had posted? Regards Harri debug.txt.gz

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-10 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote: > Hi, > > I would try to remove the new root CA from LDAP and re-import it using > ipa-cacert-manage install -t C,, > This should create the entry with the appropriate attributes. > > Flo Result: The new root CA

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-12 Thread Harald Dunkel via FreeIPA-users
Hi folks, any ideas about how to proceed? Is this bbr? Do I have to reactivate the old pki to get out of this mess? Every helpful comment is highly appreciated. Harri ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-12 Thread Harald Dunkel via FreeIPA-users
Hi Flo, On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, I would try to remove the new root CA from LDAP and re-import it using

[Freeipa-users] worst nightmare come true: ipa service doesn't start anymore

2017-12-06 Thread Harald Dunkel via FreeIPA-users
Hi folks, Platform: Centos 7.4, ipa 4.5.0-21 The ipa service cannot be started anymore. Error message: # systemctl status ipa * ipa.service - Identity, Policy, Audit Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled) Active: failed (Result: exit-code)

[Freeipa-users] Re: ipa-cacert-manage vs NIS support

2017-10-22 Thread Harald Dunkel via FreeIPA-users
On Fri, 20 Oct 2017 20:42:25 +0300 Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: > On pe, 20 loka 2017, Harald Dunkel via FreeIPA-users wrote: > >Hi folks, > > > >I had to replace the CA chain about 3 months ago, using >

[Freeipa-users] Re: certmonger upgrade failure

2018-06-25 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 6/25/18 4:53 PM, Rob Crittenden via FreeIPA-users wrote: > > We'd need to see what certs are being tracked, getcert list. > This gets stuck, too: [root@ipa1 ~]# getcert list Error org.freedesktop.DBus.Error.TimedOut I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but

[Freeipa-users] Re: certmonger upgrade failure

2018-06-26 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 6/25/18 7:10 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but the conclusion ("please reboot") is not helpful. I did. The dbus developers don't think it should ever be res

[Freeipa-users] certmonger upgrade failure

2018-06-23 Thread Harald Dunkel via FreeIPA-users
Hi folks, I managed to get rid of the corrupted entry and to create a new user account. But there are still problems. The upgrade from Centos 7.4 to 7.5 got stuck for 5 to 10 minutes. : Installing : libxkbcommon-0.7.1-1.el7.x86_64 297/787 Updating :

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/20/18 6:02 PM, thierry bordaz via FreeIPA-users wrote: > Hi Harald, > > I wonder if error on ipa1 can not be part of the problem > > [20/Jun/2018:12:16:31.885644563 +0200] - ERR - ldbm_back_modrdn - > SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set >

[Freeipa-users] Re: certmonger upgrade failure

2018-07-02 Thread Harald Dunkel via FreeIPA-users
On 6/28/18 2:19 PM, Harald Dunkel via FreeIPA-users wrote: The dbus problem has been resolved by reinstalling the dbus RPMs. journalctl still shows a lot of "Connection refused" messages for dbus, see attachment. certmonger appears to be running when started on the command

[Freeipa-users] mailing list archive out of date

2017-10-20 Thread Harald Dunkel via FreeIPA-users
Hi folks, trying to solve some NIS problems I noticed that the archive of this mailing list on https://www.redhat.com/archives/freeipa-users/ seems to be out of date. Is this expected? Regards Harri

[Freeipa-users] ipa-cacert-manage vs NIS support

2017-10-20 Thread Harald Dunkel via FreeIPA-users
Hi folks, I had to replace the CA chain about 3 months ago, using ipa-cacert-manage. Question: Does this affect freeipa's NIS support? Is there a hidden certificate somewhere I missed to renew? The freeipa servers are running Centos 7.3 and 7.4. Every helpful comment is highly appreciated

[Freeipa-users] Re: mailing list archive out of date

2017-10-20 Thread Harald Dunkel via FreeIPA-users
On Fri, 20 Oct 2017 12:30:50 +0200 Rob Crittenden via FreeIPA-users wrote: > > the list moved earlier this year to > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/ > Thanx very much for your pointer. Apparently the old

[Freeipa-users] Re: certmonger upgrade failure

2018-07-04 Thread Harald Dunkel via FreeIPA-users
Hi folks, On 6/28/18 9:08 AM, Harald Dunkel via FreeIPA-users wrote: On 6/27/18 5:59 PM, Rob Crittenden via FreeIPA-users wrote: I don't see anything obviously wrong. I'd try launching certmonger from a shell to see what you get: # certmonger -d 9 certmonger works fine on the command line

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2018-01-10 Thread Harald Dunkel via FreeIPA-users
On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote: Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates). If it is not the case, please check first if there were AVC

[Freeipa-users] Re: how to avoid ntpd?

2018-01-17 Thread Harald Dunkel via FreeIPA-users
On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote: That's fine but it doesn't address the original problem: he doesn't want anything managing the clock on his system at all: "some ipa servers in my environment are not permitted to change the clock." These are LXC containers

[Freeipa-users] Re: ERR - attrlist_replace - attr_replace

2018-01-15 Thread Harald Dunkel via FreeIPA-users
On 01/15/2018 09:47 AM, Ludwig Krispenz via FreeIPA-users wrote: Hi Harri, the suffix object maintains a list of referrals to be returned if the server is in read only mode. It is updated based on the supplier ruv and only uses the url. If a ruv contains the same url for different replica ids

[Freeipa-users] how to avoid ntpd?

2018-01-15 Thread Harald Dunkel via FreeIPA-users
Hi folks, some ipa servers in my environment are not permitted to change the clock. If I use "systemctl mask ntpd" to avoid the "degraded" returned by "systemctl status", then ipactl fails without the ntpd service: # ipactl restart Stopping pki-tomcatd Service Restarting Directory Service

[Freeipa-users] ERR - attrlist_replace - attr_replace

2018-01-14 Thread Harald Dunkel via FreeIPA-users
Hi folks, /var/log/messages includes tons of error messages like Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:58 ipa1 ns-slapd:

[Freeipa-users] ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi folks, something got corrupted in my ldap database (again). After running % ipa user-mod --rename=bobk bobs I get % getent passwd bobs % getent passwd bobk % The UID became unusable. (Highly painful, because this user is cut off from EMails.) This is what I

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
PS: Running ipa-replica-manage force-sync --from ipa0.example.de to sync a "good" replica to a bad one did not help.

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-20 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/20/18 3:31 PM, thierry bordaz via FreeIPA-users wrote: Hi Harald, anything noticeable in the error logs when the problem occurred ? (DB_DEADLOCK) I found something in the slapd error log files on the bad replicas (attached). Other replicas show tons of lines like :

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-22 Thread Harald Dunkel via FreeIPA-users
On 6/22/18 2:09 PM, Harald Dunkel wrote: I found something new: "ipa-replica-manage list-ruv" shows an error # ipa-replica-manage list-ruv unable to decode: {replica 7} 58809c7c00030007 58809c7c00030007 PS: Never mind, that was an old problem. I just forgot. Regards Harri

[Freeipa-users] Re: ipa user-mod --rename failed

2018-06-22 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 6/21/18 7:19 PM, thierry bordaz via FreeIPA-users wrote: Hi Harald, Sorry to be back late. There is not enough detail to confirm but my feeling is that the MODRDN (write) failed to update the changelog because of many replication agreements (read) competing with it. It

[Freeipa-users] Re: confused about ipa-dns-install not creating reverse zone

2018-08-03 Thread Harald Dunkel via FreeIPA-users
PS: The logfile says 2018-08-03T08:25:31Z INFO Checking DNS domain 10.0.10.in-addr.arpa., please wait ... 2018-08-03T08:26:01Z INFO Reverse zone 10.0.10.in-addr.arpa. for IP address 10.0.10.7 already exists But I doubt that this is correct. dig returns [root@idms00 centos]# dig -x 10.0.10.7

[Freeipa-users] sssd is going down and up and down and up and down and ... until it breaks

2018-07-26 Thread Harald Dunkel via FreeIPA-users
Hi folks, Apparently sssd goes down and up again and again. I found this in /var/log/daemon.log on our git server: Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down Jul 23 18:02:08 git01 sssd[pam]: Shutting down Jul 23 18:02:08 git01 sssd[nss]: Shutting down Jul 23 18:02:09 git01

[Freeipa-users] confused about ipa-dns-install not creating reverse zone

2018-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, I am confused: Setting up a new freeipa service (CentOS 7.5) using ipa-server-install or ipa-dns-install it asks me Do you want to search for missing reverse zones? [yes]: yes But then it did not create a reverse zone :-(. This doesn't look like documented. There is no

[Freeipa-users] Do you want to search for missing reverse zones?

2018-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, I am confused: Setting up a new freeipa service (CentOS 7.5) using ipa-server-install or ipa-dns-install it asks me Do you want to search for missing reverse zones? [yes]: yes But then it did not create a reverse zone :-( This doesn't look like

[Freeipa-users] openldap and freeipa

2018-07-30 Thread Harald Dunkel via FreeIPA-users
Hi folks, apparently openldap-server is considered as deprecated by RedHat: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality I wonder what this means for Freeipa? Will all of

[Freeipa-users] ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-12 Thread Harald Dunkel via FreeIPA-users
Hi folks, somehow my ipa servers became out of sync. ipa4 has an additional host entry, not known on the others. On examining I stumbled over this: [root@ipa0 ~]# ipa-replica-manage clean-dangling-ruv unable to decode: {replica 7} 58809c7c00030007 58809c7c00030007 unable to decode:

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
Hi Thierry, On 03/12/18 17:52, thierry bordaz via FreeIPA-users wrote: Hi Harald, What version of DS are you running ? We have a reproducer (not systematic) for versions before https://bugzilla.redhat.com/show_bug.cgi?id=1516309 but we have not reproduced it since then, you may need to

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
Hi Ludwig, On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote: Hi, to get rid of this ruv entry with replicaid 7 you could try to run the cleanallruv task directly. On any server (and only on one) run ldapmodify . -D "cn=directory manager" |dn: cn=clean 7, cn=cleanallruv,

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-13 Thread Harald Dunkel via FreeIPA-users
PS: I see tons of error messages like : Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.819967301 +0100] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68] Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.824391203 +0100] - ERR - DSRetroclPlugin - write_replog_db - An

[Freeipa-users] Re: ipa-replica-manage: unable to decode: {replica 7} 58809c7c000300070000 58809c7c000300070000

2018-03-14 Thread Harald Dunkel via FreeIPA-users
Hi Ludwig, On 03/13/18 14:47, Ludwig Krispenz via FreeIPA-users wrote: On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote: Hi Ludwig, On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote: Hi, to get rid of this ruv entry with replicaid 7 you could try to run

[Freeipa-users] Re: certmonger upgrade failure

2018-06-28 Thread Harald Dunkel via FreeIPA-users
On 6/27/18 5:59 PM, Rob Crittenden via FreeIPA-users wrote: I don't see anything obviously wrong. I'd try launching certmonger from a shell to see what you get: # certmonger -d 9 certmonger works fine on the command line, AFAICT. I think this is the problem: # systemctl status certmonger

[Freeipa-users] Re: is running sssd and nscd in parallel a better option?

2018-10-08 Thread Harald Dunkel via FreeIPA-users
Hi Jakub, On 9/21/18 3:24 PM, Jakub Hrozek via FreeIPA-users wrote: On Wed, Sep 19, 2018 at 02:04:28PM +0200, Harald Dunkel via FreeIPA-users wrote: I still have the problem that sometimes some sssd components disappear somehow, e.g. sssd_pam. The logfile on our mail gateway said : (Tue Sep

[Freeipa-users] is running sssd and nscd in parallel a better option?

2018-09-19 Thread Harald Dunkel via FreeIPA-users
Hi folks, I read somewhere that it is not recommended to run nscd to cache passwd on ipa clients, but I wonder: What if? I still have the problem that sometimes some sssd components disappear somehow, e.g. sssd_pam. The logfile on our mail gateway said : (Tue Sep 18 22:34:28 2018) [sssd[pam]]