[Freeipa-users] kinit not working for some accounts

2017-06-29 Thread Tiemen Ruiten via FreeIPA-users
Hello, I've just noticed that kinit is not working for several but not all accounts in our FreeIPA domain (4.4.0-14.el7.centos.7). I get the following error: on the client: [root@caesium tiemen]# KRB5_TRACE=/dev/stdout kinit *dba* [7827] 1498729905.996951: Resolving unique ccache of type

[Freeipa-users] Re: kinit not working for some accounts

2017-06-29 Thread Tiemen Ruiten via FreeIPA-users
Never mind, the users didn't have a password set. On 29 June 2017 at 12:02, Tiemen Ruiten wrote: > Hello, > > I've just noticed that kinit is not working for several but not all > accounts in our FreeIPA domain (4.4.0-14.el7.centos.7). I get the following > error: > > on

[Freeipa-users] Re: password reset privileges

2017-08-09 Thread Tiemen Ruiten via FreeIPA-users
where to look at this point. Do you have any pointers? On 4 August 2017 at 19:19, Rob Crittenden <rcrit...@redhat.com> wrote: > Tiemen Ruiten via FreeIPA-users wrote: > > As I mentioned in my first mail, that doesn't work. For testing, I > > created a new role that contains the

[Freeipa-users] password reset privileges

2017-08-04 Thread Tiemen Ruiten via FreeIPA-users
Hello, I set up an LDAP User Federation in Keycloak to our FreeIPA domain. Unfortunately, the password reset functionality appears to only work when the user Keycloak binds as is in the admins group. I tried both the User Administrator and helpdesk roles, but always got this error: Caused by:

[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Tiemen Ruiten via FreeIPA-users
a custom role with "System: Change User > password" permissions would seem to be the right way. > > Make a privilege that contains only that permission (and other missing > permissions down the road) add it to a new role and then > assign that role to your user. >

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Tiemen Ruiten via FreeIPA-users
logy of the trust. > > BTW, I reproduced the original issue in a lab at the interop here at > Microsoft HQ and I'm going to talk to Microsoft guys to find out what is > happening there in reality. > > > >> Rob Johnson >> >> On Tue, Jun 20, 2017 at 3:04 PM, Alexander Bokov

[Freeipa-users] GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
Hello, I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: rpm versions are 4.4.0-14.el7.centos.7) with a two-way, non-transitive, external trust to an Active Directory domain in another forest, clients.rdmedia.com, (Windows Server 2012R2). I've set up the trust using the

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
On 20 June 2017 at 18:07, Alexander Bokovoy <aboko...@redhat.com> wrote: > On ti, 20 kesä 2017, Tiemen Ruiten via FreeIPA-users wrote: > >> Hello, >> >> I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: >> rpm >> versions are

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
Please see the attached screenshot for the Trust settings, and thank you for your time. On 20 June 2017 at 19:36, Tiemen Ruiten <t.rui...@rdmedia.com> wrote: > On 20 June 2017 at 18:07, Alexander Bokovoy <aboko...@redhat.com> wrote: > >> On ti, 20 kesä 2017, Tiemen Ruiten

[Freeipa-users] Re: ipa-server-install failing at wait_for_open_ports

2017-09-22 Thread Tiemen Ruiten via FreeIPA-users
Besides checking your hosts file, also double-check that localhost actually has an ipv6 address. On 22 September 2017 at 07:43, Maciej Drobniuch via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hey Eric, > > To me looks like either the /etc/hosts file is wrongly configured/dns

[Freeipa-users] SERVFAIL for one hostname

2020-04-21 Thread Tiemen Ruiten via FreeIPA-users
Hello, Since a few days ago, we're having issues with resolution of this hostname: download.wisselkoersenvoorjeadministratie.nl Our FreeIPA DNS servers return SERVFAIL for that particular hostname. What's funny, after I do a (successful) lookup directly at one of the configured forwarders,

[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-21 Thread Tiemen Ruiten via FreeIPA-users
On Tue, Apr 21, 2020 at 1:10 PM Tiemen Ruiten wrote: > Hello, > > On Tue, Apr 21, 2020 at 12:46 PM François Cami wrote: > >> Hi, >> >> On Tue, Apr 21, 2020 at 12:19 PM Tiemen Ruiten via FreeIPA-users >> wrote: >> > >> > Hello, >> >

[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-21 Thread Tiemen Ruiten via FreeIPA-users
Hello, On Tue, Apr 21, 2020 at 12:46 PM François Cami wrote: > Hi, > > On Tue, Apr 21, 2020 at 12:19 PM Tiemen Ruiten via FreeIPA-users > wrote: > > > > Hello, > > > > Since a few days ago, we're having issue

[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-24 Thread Tiemen Ruiten via FreeIPA-users
Hello, On Tue, Apr 21, 2020 at 1:20 PM Tiemen Ruiten wrote: > On Tue, Apr 21, 2020 at 1:10 PM Tiemen Ruiten > wrote: > >> Hello, >> >> On Tue, Apr 21, 2020 at 12:46 PM François Cami wrote: >> >>> Hi, >>> >>> On Tue, Apr 21,

[Freeipa-users] Re: SERVFAIL for one hostname

2020-04-29 Thread Tiemen Ruiten via FreeIPA-users
Hello Petr, Thank you for the pointers. Even without DNSSEC validation, the query doesn't return the A-record. Delv also returns SERVFAIL. What I do see at DNSViz, is "NSEC3 proving non-existence of

[Freeipa-users] Re: pki-tomcatd fails to start with LDAP error authentication failed (48)

2021-07-02 Thread Tiemen Ruiten via FreeIPA-users
Hello, I had this same problem. After the most recent update I was getting > Authentication Failed (48) in the tomcat debug log during the database > upgrade. Rolling back 389-ds-base from 1.4.3.16-16 to 1.4.3.16-13 resolved > that issue. Thank you. > > >> Try downgrading 389-ds-base. >> >>

[Freeipa-users] pki-tomcatd fails to start with LDAP error authentication failed (48)

2021-07-01 Thread Tiemen Ruiten via FreeIPA-users
Hello, On a newly installed CentOS 8 IPA master (a few days ago), the pki-tomcatd@pki-tomcat service fails to start and logs LDAP authentication failed (48) in /var/log/pki/pki-tomcat/ca/debug.2021-07-01.log. See below. This happened after I dnf upgraded the master and replica at the same time,

[Freeipa-users] ipa user-del fails with `ipa: ERROR: non-public: KeyError: 'ipauniqueid'`

2021-08-03 Thread Tiemen Ruiten via FreeIPA-users
Hello, OS: up-to-date CentOS 8, ipa versions 4.9.2-4.module_el8.4.0+846+96522ed7.x86_64 I'm getting a traceback in the httpd log when I try to delete a test user. See below. It appears the ipaUniqueId is missing for the user? I can see the user with ipa user-show: [root@ipa-02 /]# ipa user-show