Rajnesh Kumar Siwal wrote:
We are trying to setup the IPA replication but it says Connection
check failed!.
We disabled the firewall and found the same result.
---
[root@ipa2 /]#
Hi Rob,
Thanks for the quick reply.
I tried logging iptables in the replica also, but no log for dropped packet :-
I would appreciate if you could please let me know what these logins actually do.
1. Looks to me as getting tgt for admin
2. Is it trying to log in through ssh to the ipa1 server?
On 5.2.2013 15:15, Rajnesh Kumar Siwal wrote:
Is there any other log file that may suggest something.
It would be great if we could figure out what's the cause of the error.
I would recommend to run tcpdump on one of the servers and look to what is
sent over the wire. It is the most effective way.
Finally, I installed it with --skip-conncheck:-
Now DNS fails to start.
I tried ipa-dns-install too:-
[root@ipa2 log]# ipa-dns-install
The log file for this installation can be found in
/var/log/ipaserver-install.log
==
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[hbac_get_category] (5): Category is set to 'all'.
(Mon
Hi,
I've just upgraded from F16 to F18 and thus freeipa v3.1.2.
It basically works, on the command line. ipa user-show xxx works.
The Web UI however no longer works. I get the login window with Your
session has expired. Please re-login., no matter whether I use kerberos
or password login.
Simo Sorce wrote:
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[hbac_get_category] (5): Category is set to
Thanks, Bob/Simo.
On Tue, Feb 5, 2013 at 8:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
Simo Sorce wrote:
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
On 02/05/2013 09:52 AM, Thomas Sailer wrote:
Hi,
I've just upgraded from F16 to F18 and thus freeipa v3.1.2.
It basically works, on the command line. ipa user-show xxx works.
The Web UI however no longer works. I get the login window with Your
session has expired. Please re-login., no matter
On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote:
Finally, I installed it with --skip-conncheck:-
Now DNS fails to start.
I tried ipa-dns-install too:-
[root@ipa2 log]# ipa-dns-install
The log file for this installation can be found in
/var/log/ipaserver-install.log
On Tue, 2013-02-05 at 16:59 +0100, Petr Spacek wrote:
On 5.2.2013 15:45, Rajnesh Kumar Siwal wrote:
Finally, I installed it with --skip-conncheck:-
Now DNS fails to start.
I tried ipa-dns-install too:-
[root@ipa2 log]# ipa-dns-install
The log file for this installation can be found
Last time the installation of replica failed. So this is the second time I
did it (The logs in the mail are from the second time after I
uninstalled the ipa2).
After installing the replica, I restarted IPA and failed to start the KDC too.
So, kinit admin is now failing.
On 5.2.2013 17:15, Rajnesh Kumar Siwal wrote:
Last time the installation of replica failed. So this is the second time I
did it (The logs in the mail are from the second time after I
uninstalled the ipa2).
After installing the replica, I restarted IPA and failed to start the KDC too.
So, kinit
Both of these replicas are in the same network.
I have disabled the iptables on both
SELinux disabled.
Still the output of kinit admin is the same
kinit: Cannot contact any KDC for realm
strace output attached.
On Tue, Feb 5, 2013 at 9:45 PM, Rajnesh Kumar Siwal
rajnesh.si...@gmail.com wrote:
Rajnesh Kumar Siwal wrote:
Both of these replicas are in the same network.
I have disabled the iptables on both
SELinux disabled.
Still the output of kinit admin is the same
kinit: Cannot contact any KDC for realm
strace output attached.
strace isn't really helpful in this case.
Is the KDC
Thanks, John!
See the log below. The only thing that looks strange to me is
expiration_timestamp=1970-01-01T01:00:00. Where does this time come from?
Tom
[Tue Feb 05 16:16:53.798117 2013] [:error] [pid 6843] ipa: INFO: ***
PROCESS START ***
[Tue Feb 05 16:16:53.914486 2013] [:error] [pid
On 02/05/2013 12:11 PM, Thomas Sailer wrote:
Thanks, John!
See the log below. The only thing that looks strange to me is
expiration_timestamp=1970-01-01T01:00:00. Where does this time come from?
That's the initial value of zero on the expiration timestamp, the
beginning of the UNIX epoch,
On 02/05/2013 03:52 PM, Thomas Sailer wrote:
Hi,
I've just upgraded from F16 to F18 and thus freeipa v3.1.2.
It basically works, on the command line. ipa user-show xxx works.
The Web UI however no longer works. I get the login window with Your
session has expired. Please re-login., no matter
When I am trying to restart ipa, it fails to start the services so I
manually started LDAP and krb5kdc, now kinit admin is fine :-
How shall I proceed now?
-
[root@ipa2 ~]# /etc/init.d/ipa status
Directory Service:
On 02/05/2013 06:32 PM, John Dennis wrote:
% ipactl status
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-cad Service: RUNNING
ipa: INFO: The ipactl command was successful
Apparently, it isn't...
On 02/05/2013 06:47 PM, Petr Vobornik wrote:
Open Web Console in browser (in FF: 'Tools/Web Developer/Web Console',
in Chrome hit F12).
I'm using firefox. I'm getting a javascript warning about
getAttributeNode being deprecated, and some css complaints.
The first post just gets one's own
Thomas Sailer wrote:
On 02/05/2013 06:32 PM, John Dennis wrote:
% ipactl status
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-cad Service: RUNNING
ipa: INFO: The ipactl command was successful
On 02/05/2013 01:40 PM, Thomas Sailer wrote:
On 02/05/2013 06:32 PM, John Dennis wrote:
% ipactl status
# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-cad Service: RUNNING
ipa: INFO: The ipactl
On 02/05/2013 08:02 PM, Rob Crittenden wrote:
Can you see if you have 60basev3.ldif in
/etc/dirsrv/slapd-YOUR-REALM/schema ?
That was indeed not there (only 60basev2.ldif).
I've copied it, restarted dirsrv.
ipa user-show admin works (it did work before though).
You'll want to look at
Thomas Sailer wrote:
On 02/05/2013 08:02 PM, Rob Crittenden wrote:
Can you see if you have 60basev3.ldif in
/etc/dirsrv/slapd-YOUR-REALM/schema ?
That was indeed not there (only 60basev2.ldif).
I've copied it, restarted dirsrv.
ipa user-show admin works (it did work before though).
You'll
Still unable to start bind :-
[root@ipa2 ~]# ipa-replica-conncheck --replica ipa1.xyz.dmz
Check connection from master to remote replica 'ipa1.xyz.dmz':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP
As a workaround I modified named.conf to use simple authentication and
was able to start bind. However, I am looking for a better resolution.
--
dynamic-db ipa {
library ldap.so;
Two more issues:-
1. I am still not able to log in to the WebUI of ipa2 (Replica
Server). It displays Internal Server Error
2. Are there any logs to make sure that the Replication is working fine?
___
Freeipa-users mailing list
I am missing these two entries in ipa1 (The Master that was installed first):-
HTTP/ipa2.xyz@xyz.dmz
DNS/ipa2.xyz@xyz.dmz
The above entries are present only in ipa2.