Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Ade Lee
Actually, it looks like it fails even earlier than getting the domain info - that is, when the replica contacts the master and tries to get its cert chain. I think that you have modified the logs slightly? There are a couple of things that don't make sense. See annotated log below -- On Wed,

Re: [Freeipa-users] Minimum Disk Size

2015-02-04 Thread Innes, Duncan
Our standard RHEL6 OS install worked perfectly well for testing IPA with larger user/host numbers: part /boot --fstype=ext4 --size=256 --ondisk=sda --fsoptions noatime part pv.01 --size=1000 --grow --ondisk=sda volgroup vg_root pv.01 logvol / --vgname=vg_root --name=lv_root

Re: [Freeipa-users] IPA-adtrust and addition of replicas

2015-02-04 Thread Alexander Bokovoy
On Tue, 03 Feb 2015, William wrote: Maybe something to test? You can create a user on the replica without ipa-adtrust-install and watch after replication on whether ipaNTSecurityIdentifier appeared in the user's object in LDAP. I was thinking more unit test or beaker test actually, but I'm

[Freeipa-users] Automember enrolledby

2015-02-04 Thread Mark Esman
Hello all, I'm having a little trouble with the automember function using enrolledby attribute. I have tried a number of different regex's to define the username and automagically enroll the host into the specified host group: .*ipainstaller.* no quotes around regex .*ipainstaller.*

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Ade Lee
From the snippet of log below, it looks like the replica CA is trying to contact the master CA to obtain the security domain information and is failing to get a valid response. The message about spaces and parsing is basically the replica saying that it cannot understand the response -- or lack

Re: [Freeipa-users] CA Replication Installation Failing

2015-02-04 Thread Rob Crittenden
Les Stott wrote: Has anyone got any ideas on this? I am stuck with not being able to deploy a CA Replica and this is halting rollout of the project. Help please... Regards, What is the version of IPA on the master you are connecting to? Can you confirm on the existing master that

Re: [Freeipa-users] Automember enrolledby

2015-02-04 Thread Mark Esman
Thanks for the info Rob, Well, that's a big bummer. I am trying to write kickstart scripts with different IPA usernames such that they will automatically enroll machines into specific hostgroups (with associated permissions/roles/etc). Thanks for updating the ticket... I don't know if there's

Re: [Freeipa-users] AD/IPA login compatibility

2015-02-04 Thread Hugh
On 1/29/2015 4:26 PM, Dmitri Pal wrote: How are the domains connected? Do you use trust or sync? Trust. We wanted to have just one account and not need to install additional software on the AD servers if possible. 1) Is it possible to log into a workstation that's been joined to a domain with

Re: [Freeipa-users] Automember enrolledby

2015-02-04 Thread Rob Crittenden
Mark Esman wrote: Hello all, I'm having a little trouble with the automember function using enrolledby attribute. I have tried a number of different regex's to define the username and automagically enroll the host into the specified host group: .*ipainstaller.* no quotes around regex

Re: [Freeipa-users] CA Replication Installation Failing - SOLVED!

2015-02-04 Thread Les Stott
Guys, Thanks for your help. You pointed me in the right direction (checking the apache logs). In the end, it was missing modules in httpd.conf on the Master. I saw this error in /var/log/httpd/error_log [Wed Feb 04 21:26:00 2015] [warn] proxy: No protocol handler was valid for the URL

Re: [Freeipa-users] basic question on DNS configuration

2015-02-04 Thread Martin Basti
On 03/02/15 16:52, Craig White wrote: *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Roberto Cornacchia *Sent:* Tuesday, February 03, 2015 5:20 AM *To:* freeipa-users@redhat.com *Subject:* [Freeipa-users] basic question on DNS configuration

Re: [Freeipa-users] JSON error enrolling host (Fedora 21 / IPA 4.1.2)

2015-02-04 Thread Martin Basti
Hello, well it depends what exactly you did and what helped. I see Alexander gave you some hints about mDNS. If it was DNSSEC error you should see validation error messages in journalctl -u named-pkcs11 before you disabled DNSSEC validation. Martin^2 On 02/02/15 16:34, Gerardo Cuppari

Re: [Freeipa-users] autofs - nfsnobody

2015-02-04 Thread dbischof
Hi Gerardo, On Tue, 3 Feb 2015, Gerardo Cuppari wrote: Hello there again! I'm bothering you again because I am having some problems with autofs/NFS and IPA. All files created from a regular user (enrolled client) gets the nfsnobody user and group. Folder gets auto mounted. just a guess: I

Re: [Freeipa-users] basic question on DNS configuration

2015-02-04 Thread Martin Basti
On 04/02/15 11:39, Roberto Cornacchia wrote: Thank you Craig and Martin for your useful input. You both definitely recommend not to use example.com for the internal IPA DNS. I was in any case going to avoid .local suffix and any invented top-level domain, after some

Re: [Freeipa-users] basic question on DNS configuration

2015-02-04 Thread Roberto Cornacchia
Thank you Craig and Martin for your useful input. You both definitely recommend not to use example.com for the internal IPA DNS. I was in any case going to avoid .local suffix and any invented top-level domain, after some reading on this topic. Using a subdomain like internal.example.com seems

[Freeipa-users] ipa replica (centos 6.5) integrate with AD 2008

2015-02-04 Thread alireza baghery
hi i integrated ipa (centos 6.5) with AD windows server 2008 and anything do work i install replica server as follow: #(ipaserve ipa): replica-prepare ipareplica.example.com --ip-address 192.168.1.2 scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg