Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Martin Kosek
On Tue, 2012-05-01 at 18:31 -0400, Dmitri Pal wrote: On 05/01/2012 06:15 PM, Steven Jones wrote: So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden
Steven Jones wrote: So this opens a chicken and egg? ie when RHEL6.3 comes out and I upgrade the IPA server(s) to 6.3 all the older 6.2 clients will break? but I can't upgrade the clients until after the servers are done if so that is a huge and ugly looking task that is one way No,

Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability

2012-05-02 Thread Matthew Davidson
Sorry about not supplying the versions! On the redhat 6.2 server: ipa-admintools-2.1.3-9.el6.x86_64 ipa-client-2.1.3-9.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 Red Hat 5.8 ipa-client-2.1.3-1.el5 I have looked over various documents and not had much luck. Thanks Matt

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson
Run: klist -kt /etc/krb5.keytab to see what keys are available. It shows the master server and itself. When you ran ipa-client-install were any errors reported? None It appears that basic nss services aren't working. Can you do: id mdavidson id: mdavidson: No such user getent passwd

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson
To clarify one point. I used the current redhat documents to setup the two systems. Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US SSH does not seem to be discussed and that is when I started web surfing in an

Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability

2012-05-02 Thread Jakub Hrozek
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote: Sorry about not supplying the versions! On the redhat 6.2 server: ipa-admintools-2.1.3-9.el6.x86_64 ipa-client-2.1.3-9.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 Red Hat 5.8 ipa-client-2.1.3-1.el5 I have looked over various

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden
Matthew Davidson wrote: To clarify one point. I used the current redhat documents to setup the two systems. Red_Hat_Enterprise_Linux-5-Configuring_Identity_Management-en-US Red_Hat_Enterprise_Linux-6-Identity_Management_Guide-en-US SSH does not seem to be discussed and that is when I started

Re: [Freeipa-users] Error in Installation - unable to create CA

2012-05-02 Thread Rob Crittenden
shabahang elmian wrote: Hello, I would be thankful if some one can help me to resolve the problem. We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is. It would appear that the CA process didn't start. Details on your

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson
Hi Rob [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com DNS domain 'example.com' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! Hostname: rhel6.example.com Realm: EXAMPLE.COM DNS Domain:

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Dmitri Pal
On 05/02/2012 12:43 PM, Matthew Davidson wrote: Hi Rob [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com DNS domain 'example.com' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful!

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden
Matthew Davidson wrote: Hi Rob [root@rhel5 ~]# ipa-client-install --domain=EXAMPLE.COM --server=rhel6.example.com DNS domain 'example.com' is not configured for automatic KDC address lookup. KDC address will be set to fixed value. Discovery was successful! Hostname: rhel6.example.com Realm:

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson
Dmitri, 1) Do you have admin account on IPA side? Yes. And judging by the command below admin does log in, or am I mistaken? [root@rhel5 ~]# kinit admin Password for ad...@example.com: [root@rhel5 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: ad...@example.com Valid starting

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Dmitri Pal
On 05/02/2012 02:50 PM, Matthew Davidson wrote: Dmitri, 1) Do you have admin account on IPA side? Yes. And judging by the command below admin does log in, or am I mistaken? [root@rhel5 ~]# kinit admin Password for ad...@example.com: [root@rhel5 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0

Re: [Freeipa-users] Error in Installation - unable to create CA

2012-05-02 Thread Dmitri Pal
On 05/02/2012 11:34 AM, Rob Crittenden wrote: shabahang elmian wrote: Hello, I would be thankful if some one can help me to resolve the problem. We need to see /var/log/ipaserver-install.log and potentially /var/log/pki-ca/debug to determine what the problem is. It would appear that the CA

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Matthew Davidson
Is this from the client or from the server? I bet on the server. That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files. thanks Matt Date: Wed, 2 May 2012 14:57:24 -0400 From: d...@redhat.com To:

Re: [Freeipa-users] red hat 5 and red hat 6 compatability

2012-05-02 Thread Rob Crittenden
Matthew Davidson wrote: Is this from the client or from the server? I bet on the server. That is from the client. I sent a reply to Rob about the DNS, but I was under the assumption that the client was using the config files. We recommend using a different realm name for the IPA realm, it

Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10

2012-05-02 Thread Steven Bernstein
-users -- next part -- An HTML attachment was scrubbed... URL: https://www.redhat.com/archives/freeipa-users/attachments/20120502/51a0eaec/attachment.html -- Message: 2 Date: Wed, 02 May 2012 14:57:24 -0400 From: Dmitri Pal d

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi, proper isn't defined as such, but yes in an ideal world Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod. now we have to start to separate them also will IPA server on 6.3 collide with IPA server on 6.2?

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
What is the impact of IPA not working properly? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Martin Kosek [mko...@redhat.com] Sent: Thursday, 3 May 2012 1:52 a.m. To: Rob Crittenden

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden
Steven Jones wrote: Hi, proper isn't defined as such, but yes in an ideal world Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod. now we have to start to separate them Right, this is why we fixed the bug.

Re: [Freeipa-users] Freeipa-users Digest, Vol 46, Issue 10

2012-05-02 Thread Dmitri Pal
/attachments/20120502/51a0eaec/attachment.html -- Message: 2 Date: Wed, 02 May 2012 14:57:24 -0400 From: Dmitri Pal d...@redhat.com mailto:d...@redhat.com To: Matthew Davidson m...@mldserviceslex.com mailto:m...@mldserviceslex.com Cc: freeipa

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:28 PM, Steven Jones wrote: Hi, proper isn't defined as such, but yes in an ideal world Trouble is we have so many servers that we patch over 2 or 3 early start mornings, until now we did test first, then prod. now we have to start to separate them also will IPA

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Rob Crittenden
Steven Jones wrote: What is the impact of IPA not working properly? That is a bit of a loaded question. It depends on your definition of properly but basically if IPA server isn't working, none of your auth or identity works. Depending on what state sssd thinks the server is in it may fall

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:29 PM, Steven Jones wrote: What is the impact of IPA not working properly? You need to differentiate client system that uses IPA for identity lookups and authentication and administrative station where you have ipa-admintools package installed. It is not recommended to have this

[Freeipa-users] Replication status

2012-05-02 Thread Ian Levesque
Hi, I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as a result of suspending resuming the VM it's

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi, Sorry, I used IPA I should have used lower case eg, But ipa command still won't work properly as its API is higher than the server's. The way I read that is a client will have limited command line capability? that would be Ok over say some weeks while we upgraded. regards Steven Jones

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Steven Jones
Hi, BTW, is this advice in the admin guide? I would suggest it's worth stating. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com

Re: [Freeipa-users] Replication status

2012-05-02 Thread Dan Scott
Hi, I'm definitely interested in this too. You can use ipa-replica-manage -v list $HOSTNAME to get detailed status information. I also found this: http://directory.fedoraproject.org/wiki/Howto:ReplicationMonitoring But I believe that it needs to have the Directory Manager password

Re: [Freeipa-users] Replication status

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:46 PM, Ian Levesque wrote: Hi, I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our replica's IPA processes were hung (likely as

Re: [Freeipa-users] ipa-client install error

2012-05-02 Thread Dmitri Pal
On 05/02/2012 05:54 PM, Steven Jones wrote: Hi, BTW, is this advice in the admin guide? I would suggest it's worth stating. Noted. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272

Re: [Freeipa-users] Replication status

2012-05-02 Thread Rich Megginson
On 05/02/2012 04:11 PM, Ian Levesque wrote: On May 2, 2012, at 5:56 PM, Dmitri Pal wrote: I'm curious how members of this list are monitoring their IPA servers' replication status. `ipa-replica-manage list` doesn't actually tell you if your replica is working. I just realized that our

Re: [Freeipa-users] Replication status

2012-05-02 Thread Ian Levesque
On May 2, 2012, at 6:48 PM, Rich Megginson wrote: Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status? You also need to expose the RUV tombstone entry at the base of each suffix.

Re: [Freeipa-users] Replication status

2012-05-02 Thread Rich Megginson
On 05/02/2012 07:36 PM, Ian Levesque wrote: On May 2, 2012, at 6:48 PM, Rich Megginson wrote: Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status? You also need to expose the RUV

[Freeipa-users] bluearc and IPA

2012-05-02 Thread Steven Jones
Hi, Has anyone got a Bluearc storage NAS working with IPA? if so do you have any notes please? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272

Re: [Freeipa-users] Replication status

2012-05-02 Thread Rob Crittenden
Rich Megginson wrote: On 05/02/2012 07:36 PM, Ian Levesque wrote: On May 2, 2012, at 6:48 PM, Rich Megginson wrote: Is there any way to expose the nsDS5ReplicationAgreement objectClass to a less privileged account; i.e., an account solely designed to check replication status? You also need