Re: [Freeipa-users] Possible trust issues

2014-11-11 Thread Sumit Bose
On Tue, Nov 11, 2014 at 07:52:22AM +0200, Alexander Bokovoy wrote: On Mon, 10 Nov 2014, William Muriithi wrote: less /var/log/sssd/sssd_example.loc.log (Mon Nov 10 15:58:21 2014) [sssd[be[example.loc]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa3-yyz-int.example.loc' as

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Rolf Nufable
Never mind the problem on the server side; somehow it got fixed, I really don't know how though. So on the client side, it is successful when installing the FreeIPA client and the server discovery is fine; my FreeIPA client is 4.1.0 and my server is 4.0.3 (although somewhere I've read that

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Martin Kosek
It is still really hard to give advice as I do not know what's actually wrong. So are you trying to set up sudo on your client, or are you trying to log in with your client browser to the FreeIPA server? These are 2 orthogonal actions. Who gives the Can't I connect to the ipa server error? As I said

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Rolf Nufable
Well, I'm trying to set up sudo on my client machine; also I want to access the server web browser in the client machine (is it possible though?). Well, I'm having this error on the client side when using the command su - (user): su - u...@example.com su: u...@example.com does not exist.

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Jakub Hrozek
On Tue, Nov 11, 2014 at 07:56:14AM +0100, Martin Kosek wrote: On 11/11/2014 06:37 AM, Rolf Nufable wrote: or could you guys direct me or guide me on how to deploy this ipa server? I've been successful deploying ipa version 3.3.5 before but this 4.0 and above series is really giving me a

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Jakub Hrozek
On Tue, Nov 11, 2014 at 02:07:57AM -0800, Rolf Nufable wrote: Well, I'm trying to set up sudo on my client machine; also I want to access the server web browser in the client machine (is it possible though?). Well, I'm having this error on the client side when using the command su - (user

Re: [Freeipa-users] strange error deleting replica?

2014-11-11 Thread Martin Kosek
On 11/10/2014 06:58 PM, Janelle wrote: Hi -- Has anyone seen this before? # ipa-replica-manage del kermit.xyzzy.com --force unexpected error: [Errno -2] Name or service not known ?? Very confused as to what service or name is not known. This is 4.0.5 running on CentOS 7. ~J This

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Petr Vobornik
On 11.11.2014 11:11, Jakub Hrozek wrote: On Tue, Nov 11, 2014 at 02:07:57AM -0800, Rolf Nufable wrote: Well, I'm trying to set up sudo on my client machine; also I want to access the server web browser in the client machine (is it possible though?). Well, I'm having this error on the client

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Martin Basti
IMHO It's DS bug, can you share DS error log? pspacek CCed to examine named logs. Martin^2 On 11/11/14 12:13, Walter van Lille wrote: Hi Martin, thanks for the reply. My version: bind-dyndb-ldap-2.3-5.el6.x86_64 The server doesn't have journalctl installed but I have the outputs from the

[Freeipa-users] Adjust settings for processes

2014-11-11 Thread Roman Naumenko
I'd like to adjust process settings on freeipa server to fit it better into virtual instance. Is it possible to change settings of java, ns-slapd and apache processes somewhere in config files and what those files are? For example: ServerLimit, StartServers and things like that typically set

Re: [Freeipa-users] DNS and $GENERATE Directive

2014-11-11 Thread Petr Spacek
On 10.11.2014 09:25, Martin Kosek wrote: On 11/08/2014 12:16 AM, Andrew Powell wrote: Is there a way to add a Bind $GENERATE directive line to FreeIPA to automatically name DHCP-assigned ranges? In a file-based Bind installation, I can have the following line in the forward example.com

Re: [Freeipa-users] Adjust settings for processes

2014-11-11 Thread Alexander Bokovoy
On Tue, 11 Nov 2014, Roman Naumenko wrote: I'd like to adjust process settings on freeipa server to fit it better into virtual instance. Is it possible to change settings of java, ns-slapd and apache processes somewhere in config files and what those files are?

[Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Vaclav Adamec
Hi, I'm getting Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available during ipa client install on CentOS 6.6 Packages openssh-server-6.1p1-5.el6.1.x86_64 and ipa-client-3.0.0-42.el6.centos.x86_64 Manual

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Martin Kosek
On 11/11/2014 08:48 AM, Natxo Asenjo wrote: Hi Nalin, On Mon, Nov 10, 2014 at 5:19 PM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: How can I debug this? First thing would be to run the daemon with additional logging - I usually use

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Walter van Lille
I've just cleaned out a ton of slapd_poll timed out messages from the output and changed the names to protect the innocent, :-) Here is the output as requested: [05/Nov/2014:11:44:05 +0200] - SASL encrypted packet length exceeds maximum allowed limit (length=805634565, limit=2097152). Change

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi Nali, On Tue, Nov 11, 2014 at 12:57 PM, Martin Kosek mko...@redhat.com wrote: So if the lurking double encoded certificate is in LDAP, and thus Apache DS shows is invalid (it shows as OK in my RHEL-7.0 server), maybe the easiest way to fix it would be to: - Open your Apache DS - Back up

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Petr Spacek
On 11.11.2014 13:13, Walter van Lille wrote: SASL encrypted packet length exceeds maximum allowed limit Martin, do you remember where is the appropriate knob? -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] Adjust settings for processes

2014-11-11 Thread Roman Naumenko
Alexander Bokovoy wrote on 11-11-14 6:52: On Tue, 11 Nov 2014, Roman Naumenko wrote: I'd like to adjust process settings on freeipa server to fit it better into virtual instance. Is it possible to change settings of java, ns-slapd and apache processes somewhere in config files and what those

Re: [Freeipa-users] Adjust settings for processes

2014-11-11 Thread Alexander Bokovoy
On Tue, 11 Nov 2014, Roman Naumenko wrote: Alexander Bokovoy wrote on 11-11-14 6:52: On Tue, 11 Nov 2014, Roman Naumenko wrote: I'd like to adjust process settings on freeipa server to fit it better into virtual instance. Is it possible to change settings of java, ns-slapd and apache

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Martin Kosek
On 11/11/2014 01:28 PM, Natxo Asenjo wrote: hi Nali, On Tue, Nov 11, 2014 at 12:57 PM, Martin Kosek mko...@redhat.com wrote: So if the lurking double encoded certificate is in LDAP, and thus Apache DS shows is invalid (it shows as OK in my RHEL-7.0 server), maybe the easiest way to fix it

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Martin Basti
Ludwig (CCed) this seems like an old (fixed?) DS bug. On 11/11/14 13:13, Walter van Lille wrote: I've just cleaned out a ton of slapd_poll timed out messages from the output and changed the names to protect the innocent, :-) Here is the output as requested: [05/Nov/2014:11:44:05 +0200] - SASL

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Martin Kosek
On 11/11/2014 01:29 PM, Petr Spacek wrote: On 11.11.2014 13:13, Walter van Lille wrote: SASL encrypted packet length exceeds maximum allowed limit Martin, do you remember where is the appropriate knob? Do you mean nsslapd-sasl-max-buffer-size setting in cn=config? This is a related ticket

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Ludwig Krispenz
On 11/11/2014 02:14 PM, Martin Basti wrote: Ludwig (CCed) this seems like an old (fixed?) DS bug. hmm, it says the limit is 2097152, so it already has the new setting, but the error message says the packet is 800MB On 11/11/14 13:13, Walter van Lille wrote: I've just cleaned out a ton of

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-11 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote: I can certainly try, it would need to be compatible with CentOS 6.6 though. -M Thank you very much, can you try these packages? Please note they wouldn't fix your problem, but will hopefully shed some more light on what's

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, On Tue, Nov 11, 2014 at 2:13 PM, Martin Kosek mko...@redhat.com wrote: I meant IPA server running on RHEL/CentOS 6.5 or older... This is the one that can regenerate CAcert entry without double encoding. ok. So I removed the cacert object and ran ipa-ldap-updater --upgrade --ldapi (it

Re: [Freeipa-users] Adjust settings for processes

2014-11-11 Thread Rob Crittenden
Alexander Bokovoy wrote: On Tue, 11 Nov 2014, Roman Naumenko wrote: Alexander Bokovoy wrote on 11-11-14 6:52: On Tue, 11 Nov 2014, Roman Naumenko wrote: I'd like to adjust process settings on freeipa server to fit it better into virtual instance. Is it possible to change settings of java,

Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Rob Crittenden
Vaclav Adamec wrote: Hi, I'm getting Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available during ipa client install on CentOS 6.6 Packages openssh-server-6.1p1-5.el6.1.x86_64 and

Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Vaclav Adamec
Here it is: 2014-11-11T11:45:33Z DEBUG stderr= 2014-11-11T11:45:33Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config' 2014-11-11T11:45:33Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2014-11-11T11:45:33Z INFO Configured /etc/ssh/ssh_config

Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Rob Crittenden
Vaclav Adamec wrote: Here it is: 2014-11-11T11:45:33Z DEBUG stderr= 2014-11-11T11:45:33Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config' 2014-11-11T11:45:33Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2014-11-11T11:45:33Z INFO Configured

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Rich Megginson
On 11/11/2014 06:20 AM, Ludwig Krispenz wrote: On 11/11/2014 02:14 PM, Martin Basti wrote: Ludwig (CCed) this seems like an old (fixed?) DS bug. hmm, it says the limit is 2097152, so it already has the new setting, but the error message says the packet is 800MB Right. That usually means the

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Martin Kosek
On 11/11/2014 02:47 PM, Natxo Asenjo wrote: hi, On Tue, Nov 11, 2014 at 2:13 PM, Martin Kosek mko...@redhat.com wrote: I meant IPA server running on RHEL/CentOS 6.5 or older... This is the one that can regenerate CAcert entry without double encoding. ok. So I removed the cacert

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, This seems to happen only in 32-bit VMs. At least in my limited testing, 2 out of 2 32-bit hosts running 6.5 have this problem after upgrading. An amd64 host is ok. $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.x86_64 $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.i686 --

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Nalin Dahyabhai
On Tue, Nov 11, 2014 at 08:48:18AM +0100, Natxo Asenjo wrote: 2014-11-11 08:34:33 [11677] Certificate Local Signing Authority valid for 31473668s. 2014-11-11 08:34:33 [11677] Running result is 1481416576. 2014-11-11 08:34:33 [11677] Final result is 1481416576. Okay, that's weird. The result

Re: [Freeipa-users] Installed OpenSSH server does not support dynamically loading authorized user keys - no key login support

2014-11-11 Thread Vaclav Adamec
openssh-6.1p1-5.el6.1.x86_64 libssh2-1.4.2-1.el6.x86_64 openssh-clients-6.1p1-5.el6.1.x86_64 openssh-server-6.1p1-5.el6.1.x86_64 It's up-to-date CentOS 6.6 with OpenSSH 6.1, but the same issue is there for 6.7. I'll check the rpm spec if there is no issue with dynamically loading authorized user keys; I'm not aware

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Martin Basti
On 11/11/14 15:58, Rich Megginson wrote: On 11/11/2014 06:20 AM, Ludwig Krispenz wrote: On 11/11/2014 02:14 PM, Martin Basti wrote: Ludwig (CCed) this seems like an old (fixed?) DS bug. hmm, it says the limit is 2097152, so it already has the new setting, but the error message says the packet is

Re: [Freeipa-users] FreeIPA unresponsive - Causes DOS situations

2014-11-11 Thread Rich Megginson
On 11/11/2014 10:37 AM, Martin Basti wrote: On 11/11/14 15:58, Rich Megginson wrote: On 11/11/2014 06:20 AM, Ludwig Krispenz wrote: On 11/11/2014 02:14 PM, Martin Basti wrote: Ludwig (CCed) this seems like an old (fixed?) DS bug. hmm, it says the limit is 2097152, so it already has the new setting,

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Nalin Dahyabhai
On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote: Since you mention that this seems to be specific to 32-bit boxes, I think I need to switch to that one to try to sort out what's happening here, since I'm on a 64-bit box. Okay, found it, and as 64-bit cleanliness sometimes is,

[Freeipa-users] strange DS errors trying to tune...

2014-11-11 Thread Janelle
Hi all.. I continue to come up with strange and unusual problems. Here is a new one - using the dbmon.sh script and trying to tune the dbcache... This is on a replica, BTW. First -- THIS WORKS: INCR=60 BINDDN=cn=directory manager BINDPW=asecret VERBOSE=2 dbmon.sh and I see all the info I

Re: [Freeipa-users] strange DS errors trying to tune...

2014-11-11 Thread Rich Megginson
On 11/11/2014 11:30 AM, Janelle wrote: Hi all.. I continue to come up with strange and unusual problems. Here is a new one - using the dbmon.sh script and trying to tune the dbcache... This is on a replica, BTW. First -- THIS WORKS: INCR=60 BINDDN=cn=directory manager BINDPW=asecret VERBOSE=2

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
On Tue, 11 Nov 2014 04:17:37 + Les Stott l...@imagine-sw.com wrote: -Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 1:59 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Simo Sorce
On Tue, 11 Nov 2014 14:19:02 -0500 Simo Sorce s...@redhat.com wrote: On Tue, 11 Nov 2014 04:17:37 + Les Stott l...@imagine-sw.com wrote: -Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 1:59 PM To: Les Stott Cc:

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Rob Crittenden
Fraser Tweedale wrote: On Tue, Nov 11, 2014 at 04:17:37AM +, Les Stott wrote: -Original Message- From: Fraser Tweedale [mailto:ftwee...@redhat.com] Sent: Tuesday, 11 November 2014 1:59 PM To: Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome

Re: [Freeipa-users] strange DS errors trying to tune...

2014-11-11 Thread Janelle
In this case it is the exact password and it worked in the first line but not in the second. Now to make things even more strange -- I have 8 replicas -- and 3 of them show this problem, the others do not -- WOW.. My brain is going to explode today. :-) ~J Rich Megginson

Re: [Freeipa-users] strange DS errors trying to tune...

2014-11-11 Thread Rich Megginson
On 11/11/2014 12:33 PM, Janelle wrote: In this case it is the exact password and it worked in the first line but not in the second. Now to make things even more strange -- I have 8 replicas -- and 3 of them show this problem, the others do not -- WOW.. My brain is going to explode today.

Re: [Freeipa-users] strange DS errors trying to tune...

2014-11-11 Thread Alexander Bokovoy
On Tue, 11 Nov 2014, Janelle wrote: In this case it is the exact password and it worked in the first line but not in the second. Now to make things even more strange -- I have 8 replicas -- and 3 of them show this problem, the others do not -- WOW.. cn=config subtree is not replicated in

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-11 Thread Michael Lasevich
Sending you logs directly. Thanks. -M On 11/11/14, 5:33 AM, Jakub Hrozek wrote: On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote: I can certainly try, it would need to be compatible with CentOS 6.6 though. -M Thank you very much, can you try these packages? Please note

Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

2014-11-11 Thread Les Stott
-Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Wednesday, 12 November 2014 6:33 AM To: Fraser Tweedale; Les Stott Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] how to overcome same serial number in cert issue on different master servers?

Re: [Freeipa-users] strange error deleting replica?

2014-11-11 Thread Martin Kosek
Adding freeipa-users list back. Would the ipa.strace log below then tell which name resolution fails? On 11/11/2014 05:36 PM, Janelle wrote: On all the systems, besides being in DNS (external server), they are all in /etc/hosts, so not sure why that would error. But indeed they all resolve in

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Martin Kosek
On 11/12/2014 04:09 AM, Rolf Nufable wrote: I have another question. Well, I've reached the state where I can't log in to my admin account on the server side; it happens because I'm changing the time of the server machine, but the time is really wrong, and I disabled NTP and the server