On 17/03/15 13:32, Roberto Cornacchia wrote:
Hi there,
I've just installed FreeIPA on an FC21 server and am trying to perform
some sanity checks.
A first puzzle for me is: I have some DNS forwarders, which I selected
during installation.
They do work and they do appear in /etc/named.conf
On 17.3.2015 14:06, Martin Basti wrote:
> On 17/03/15 13:32, Roberto Cornacchia wrote:
>> Hi there,
>>
>> I've just installed FreeIPA on an FC21 server and am trying to perform some
>> sanity checks.
>>
>> A first puzzle for me is: I have some DNS forwarders, which I selected
>> during installation.
>>
Hi,
Although I have this configuration in client .conf:
##
client 172.30.47.241 {
secret = 877909
shortname = VodafonePinarsuAPNYeni1
nastype = other
}
client 172.30.47.242 {
secret = 877909
shortna
We have a trust relationship established between our AD domain and our IPA
domain, and AD users can be found on the IPA server with id and getent passwd.
When a user tries to SSH to the IPA server with AD credentials, the logs show:
(Tue Mar 17 10:45:54 2015) [sssd[be[middlebury.edu]]] [sdap_sa
Tevfik Ceydeliler wrote:
> Hi,
> Although I have this configuration in client .conf:
>
> ##
> client 172.30.47.241 {
> secret = 877909
> shortname = VodafonePinarsuAPNYeni1
> nastype = other
> }
>
> client 172.30.47.242 {
Hello,
I have a server - a master (has CA) - and it does not want to restart
after it has been running for some time. pki-tomcatd keeps failing. It starts
up with these errors, then adds a lot more. Maybe this might point you
to something that is known, or a place I can start looking?
Any ideas?
~J
I see. Peter, Martin, thanks for the explanation. My worry was that
something went wrong in my reinstallation, glad to hear it is not the case.
Roberto
On 17 Mar 2015 14:51, "Petr Spacek" wrote:
> On 17.3.2015 14:06, Martin Basti wrote:
> > On 17/03/15 13:32, Roberto Cornacchia wrote:
> >> Hi th
On Tue, 17 Mar 2015, Guertin, David S. wrote:
We have a trust relationship established between our AD domain and our IPA
domain, and AD users can be found on the IPA server with id and getent passwd.
When a user tries to SSH to the IPA server with AD credentials, the logs show:
(Tue Mar 17 10
On 03/17/2015 11:14 AM, Andreas Skarmutsos Lindh wrote:
> Quick update: I think that I have solved it, by just deleting the entries
> holding the nsuniqueid additional string. I went forward using a GUI
> application for browsing LDAP structures.
> I guess a script for tackling this issue in a slightly
On 03/17/2015 04:35 PM, Janelle wrote:
> Hello,
>
> I have a server - a master (has CA) - and it does not want to restart after it
> has been running for some time. pki-tomcatd keeps failing. It starts up with these
> errors, then adds a lot more. Maybe this might point you to something that is
> know
On 3/17/15 9:06 AM, Martin Kosek wrote:
On 03/17/2015 04:35 PM, Janelle wrote:
Hello,
I have a server - a master (has CA) - and it does not want to restart after it
has been running for some time. pki-tomcatd keeps failing. It starts up with these
errors, then adds a lot more. Maybe this might point
On 03/17/2015 04:27 PM, Benjamin Reed wrote:
> On 3/17/15 7:33 AM, Martin Kosek wrote:
>> # ipa config-mod --enable-migration=true
>>
>> # echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
>> --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
>> --group-obj
On 3/17/15 12:09 PM, Martin Kosek wrote:
> I still wish we had fixed the original root cause why replication was
> failing for you - as this is the obviously expected way of upgrading to
> RHEL/CentOS 7.1 from RHEL-6 environment and I think/hope it would be less work
> than starting over (depen
On 03/17/2015 05:16 PM, Benjamin Reed wrote:
> On 3/17/15 12:09 PM, Martin Kosek wrote:
>> I still wish we had fixed the original root cause why replication was
>> failing for you - as this is the obviously expected way of upgrading to
>> RHEL/CentOS 7.1 from RHEL-6 environment and I think/hope
On 3/17/15 7:33 AM, Martin Kosek wrote:
> # ipa config-mod --enable-migration=true
>
> # echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> --user-ignore-attribute={krbPr
On 3/17/15 12:29 PM, Martin Kosek wrote:
> 1) Migrate users via SSSD and simply SSH or log in to any machine enrolled to
> the new IPA, as I showed in the example
I'll have my users who need working Kerberos ssh in. The union of the
set of users who need Kerberos and users who ssh is a circle. ;
> When you changed idrange, it helps to remove SSSD cache, both on IPA
> master and IPA clients and restart SSSD.
OK, I cleared the cache and restarted sssd with:
sss_cache -E
systemctl restart sssd
Still no change in the error: Could not convert objectSID
[S-1-5-21-1983215674-46037090-64680646
On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler <
tevfik.ceydeli...@astron.yasar.com.tr> wrote:
> Hi,
> Although I have this configuration in client .conf:
>
> ##
> client 172.30.47.241 {
> secret = 877909
> shortname = VodafonePinarsu
On Tue, 17 Mar 2015, Guertin, David S. wrote:
When you changed idrange, it helps to remove SSSD cache, both on IPA
master and IPA clients and restart SSSD.
OK, I cleared the cache and restarted sssd with:
sss_cache -E
systemctl restart sssd
Still no change in the error: Could not convert obje
On Tue, 2015-03-17 at 18:07 +0100, Natxo Asenjo wrote:
>
>
> On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler
> wrote:
> Hi,
> Although I have this configuration in client .conf:
>
> ##
> client 172.30.47.241 {
>
> I don't think sss_cache -E removes cached idrange objects. You need to
> delete the databases in /var/lib/sss/db/.
OK, I stopped sssd, removed everything in /var/lib/sss/db, and restarted sssd.
Still no change -- I get the same error.
> You mean RHEL 7.1, right?
Yes, RHEL 7.1.
David Guertin
Thomas Raehalme writes:
>
> Hi,
>
> Previously we have used Atlassian Crowd as a source for user data in
> various applications, both in-house built and proprietary such as JIRA
> or Confluence. As we have deployed FreeIPA, I would like to start
> using it as the identity source. Unfortunately
Hi all
How can I fix this issue? I even tried to trust-add AD again; that too
failed.
From where do I need to troubleshoot?
On Tue, Mar 17, 2015 at 3:02 PM, Ben .T.George
wrote:
> Hi
>
> I did kinit
>
> [root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
> kinit: Keytab contains no suitab
On Tue, 17 Mar 2015, Ben .T.George wrote:
Hi
I did kinit
[root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
kinit: Keytab contains no suitable keys for
host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial
credentials
I destroyed and re-created it, but still the same.
What did y
Hello,
I installed the ipa-server on an RHEL 7.1 system, uninstalled it and
reinstalled it with the same domain name as the first time. This somehow
creates problems with ssh authentication on the server from external
systems as well as from the server itself.
Steps:
1. ipa-server-install
2. servi
Sorry, the message got sent accidentally earlier before I could provide all
the details.
Version: 4.1.0 on RHEL 7.1 x86_64
Steps:
1. ipa-server-install
2. service sshd restart
3. kinit admin <- This always works
4. ssh admin@localhost <- This works for the
On 03/17/2015 12:12 PM, Janelle wrote:
On 3/17/15 9:06 AM, Martin Kosek wrote:
On 03/17/2015 04:35 PM, Janelle wrote:
Hello,
I have a server - a master (has CA) - and it does not want to
restart after it
has been running for some time. pki-tomcatd keeps failing. It starts up
with these
errors, th
Hi all,
Can anyone tell me how to script calls from the ipa server? I would like to be
able to do something like "ipa group-show unix_admin" in a script, but I don't
know how to pass Kerberos credentials that don't expire.
I'd appreciate some help, thanks!
Dan
On 3/17/15 12:14 PM, Dmitri Pal wrote:
On 03/17/2015 12:12 PM, Janelle wrote:
On 3/17/15 9:06 AM, Martin Kosek wrote:
On 03/17/2015 04:35 PM, Janelle wrote:
Hello,
I have a server - a master (has CA) - and it does not want to
restart after it
has been running for some time. pki-tomcatd keeps fail
Hello all,
For nearly 2 years I’ve been running a FreeIPA 3 (currently 3.0.0-42)
environment. We've had 2 masters since the start. Several replicas
have had problems that required me to remove them. I’ve removed them
all (except the very last one) by running ‘ipa-server-install
--uninstall’ and
Kim Perrin wrote:
> Hello all,
>
> For nearly 2 years I’ve been running a FreeIPA 3 (currently 3.0.0-42)
> environment. We've had 2 masters since the start. Several replicas
> have had problems that required me to remove them. I’ve removed them
> all (except the very last one) by running ‘ipa-se
Watson, Dan wrote:
> Hi all,
>
>
>
> Can anyone tell me how to script calls from the ipa server? I would like
> to be able to do something like ipa group-show unix_admin in a script,
> but I don't know how to pass Kerberos credentials that don't expire.
I think you want to use credentials in
Thanks for the reply Rob.
On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
> Kim Perrin wrote:
>> Hello all,
>>
>> For nearly 2 years I’ve been running a FreeIPA 3 (currently 3.0.0-42)
>> environment. We've had 2 masters since the start. Several replicas
>> have had problems that required
On 03/17/2015 03:41 PM, Janelle wrote:
On 3/17/15 12:14 PM, Dmitri Pal wrote:
On 03/17/2015 12:12 PM, Janelle wrote:
On 3/17/15 9:06 AM, Martin Kosek wrote:
On 03/17/2015 04:35 PM, Janelle wrote:
Hello,
I have a server - a master (has CA) - and it does not want to
restart after it
has been
I’ve been getting messages like these when I try the id command for a test AD
domain user:
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_get_primary_name]
(0x0400): Processing object farus@test.osuwmc
(Tue Mar 17 17:10:34 2015) [sssd[be[unix.test.osuwmc]]] [sdap_save_user]
(0x04
On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin wrote:
> Thanks for the reply Rob.
>
> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
>> Kim Perrin wrote:
>>> Hello all,
>>>
>>> For nearly 2 years I’ve been running a FreeIPA 3 (currently 3.0.0-42)
>>> environment. We've had 2 masters since th
On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin wrote:
> On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin
> wrote:
>> Thanks for the reply Rob.
>>
>> On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
>>> Kim Perrin wrote:
Hello all,
For nearly 2 years I’ve been running a FreeIPA 3 (c
On 03/17/2015 06:27 PM, Kim Perrin wrote:
On Tue, Mar 17, 2015 at 3:09 PM, Kim Perrin wrote:
On Tue, Mar 17, 2015 at 2:52 PM, Kim Perrin wrote:
Thanks for the reply Rob.
On Tue, Mar 17, 2015 at 2:06 PM, Rob Crittenden wrote:
Kim Perrin wrote:
Hello all,
For nearly 2 years I’ve been runni
David,
I had a very similar issue which I posted to the list today. Your notes
indirectly helped me. I think we both had two ends to the same puzzle.
It looks like the range for your AD domain defined in "ipa idrange-find
--all" needs to match what's in /etc/sssd/sssd.conf for your domain.
For
On 03/17/2015 08:30 PM, Gould, Joshua wrote:
It looks like the range for your AD domain defined in "ipa idrange-find
--all" needs to match what's in /etc/sssd/sssd.conf for your domain.
For your example. Under the [domain/CSNS.MIDDLEBURY.EDU] should have
ldap_idmap_range_min = 182460
ldap_
I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
to match what's in ipa idrange-find --all for the AD domain.
# ipa idrange-mod --base-id=10 --range-size=90 --rid-base=0
Range name: TEST.OSUWMC_id_range
Modified ID range "TE
Dear Alex
I already enabled debugging and this is what I am getting in error_log while
running: ipa trust-add --type=ad infra.com --admin Administrator --password
[Wed Mar 18 08:10:17.470460 2015] [:error] [pid 15176] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Mar 18 08:10:17.470571 2015] [:
On Tue, 17 Mar 2015, Guertin, David S. wrote:
When you changed idrange, it helps to remove SSSD cache, both on IPA
master and IPA clients and restart SSSD.
OK, I cleared the cache and restarted sssd with:
sss_cache -E
systemctl restart sssd
Still no change in the error: Could not convert obje
Hi,
I've made a few changes (and hopefully improvements) to the freeipa.org wiki
concerning mainly test contribution and documentation.
These changes namely consist of:
- Contribute page [1] - the structure is a bit different (for previous
version see [2]), and there is a new paragraph Testing that is
On Tue, 17 Mar 2015, Gould, Joshua wrote:
I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
to match what's in ipa idrange-find --all for the AD domain.
# ipa idrange-mod --base-id=10 --range-size=90 --rid-base=0
Range name: TEST.OSUWMC_id_range
Joshua or Erinn, can either of you please help us improve the docs and file a
bug for the Windows integration guide, about the section you are concerned with?
This is a direct link:
https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207&component=doc-Windows_Integrati
Looks like a bug, yes. I am just not sure whether it is in a missing SaltStack SELinux
module or in the actual SELinux policy. You can try filing a bug against the SELinux policy.
Looking at the SaltStack Troubleshooting guide, would switching to rpm_script_t
help?
http://docs.saltstack.com/en/latest/topics/troubleshoo
Hi List
I was following this link:
http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
to set up the IPA server.
My IPA version is 4.1.2.
Every step in this tutorial passed without any error;
even "*Allow access for users from AD domain to protected resources*"
went successfully.
On Tue, Mar 17, 2015 at 11:37:24AM +0300, Ben .T.George wrote:
> Hi List
>
> I was following this link:
> http://www.freeipa.org/page/Active_Directory_trust_setup#Assumptions
> to set up the IPA server.
>
> My IPA version is 4.1.2.
>
> Every step in this tutorial passed without any error;
>
> ev
Hi
I have enabled debug.
Here is my sssd.conf:
[root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
[domain/solaris.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.so
Another thing I notice is:
[root@kwtpocpbis01 ~]# kinit admin
Password for admin@SOLARIS.LOCAL:
[root@kwtpocpbis01 ~]# ipa trust-fetch-domains infra.com
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.7/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/py
I tried to establish the trust again and got the output below. Is this the expected
one? I can see "Insufficient access: CIFS server denied your credentials"
here too.
[root@kwtpocpbis01 ~]# ipa trust-add --type=ad infra.com --admin
Administrator --password
ipa: DEBUG: importing all plugin modules in
'
On Tue, Mar 17, 2015 at 12:57:27PM +0300, Ben .T.George wrote:
> Hi
>
> I have enabled debug.
>
> here is my sssd.conf
>
> [root@kwtpocpbis01 ~]# cat /etc/sssd/sssd.conf
> [domain/solaris.local]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = solaris.local
> i
Hi
I have changed it like this:
[root@kwtpocpbis01 yum.repos.d]# more /etc/sssd/sssd.conf
[domain/solaris.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = solaris.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = kwtpocpbis01.solaris.l
On 03/16/2015 08:01 PM, Benjamin Reed wrote:
> So given my RHEL6 machine started on an older FreeIPA 3.0, was a
> self-signed cert, and has gone through all kinds of hell and I'm having
> an impossible time setting up new master(s), I've decided to start over.
>
> I installed the EPEL7 FreeIPA 4.1
Oops, sorry,
here are the logs:
==> sssd_pam.log <==
(Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
0x7fdea7263bd0
(Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Mar 17 14:33:23 2015) [sssd[pam]] [sbus_message_handler] (0x4000):
Received
On Tue, Mar 17, 2015 at 02:38:41PM +0300, Ben .T.George wrote:
> here are the separated logs:
>
> tail -f sssd_solaris.local.log
Thank you, see inline:
> (Tue Mar 17 14:35:45 2015) [sssd[be[solaris.local]]] [sdap_get_tgt_recv]
> (0x0400): Child responded: 14 [Decrypt integrity check failed], expired
Hi
I did kinit
[root@kwtpocpbis01 sssd]# kinit -kt /etc/dirsrv/ds.keytab
kinit: Keytab contains no suitable keys for
host/kwtpocpbis01.solaris.local@SOLARIS.LOCAL while getting initial
credentials
I destroyed and re-created it, but still the same.
On Tue, Mar 17, 2015 at 2:45 PM, Jakub Hrozek wrote
Hi there,
I've just installed FreeIPA on an FC21 server and am trying to perform some
sanity checks.
A first puzzle for me is: I have some DNS forwarders, which I selected
during installation.
They do work and they do appear in /etc/named.conf
forward first;
forwarders {
I was helping a friend out with his environment that was experiencing the same
issue. CC'ing him as well.
Between his IPA servers, the conflicted values were the same, just the time stamp
that created the conflict? (I'm still not sure what caused the conflict in the
first place). So what we did to
Thanks, I'll look into that. Would you mind sharing the script used to
clean up the entries? That would save me some time.
Not expecting anything that I can run blindly and that will magically solve
my problems, but some hints would definitely be appreciated :-)
- Andreas
On Mon, Mar 16, 2015 at
Quick update: I think that I have solved it, by just deleting the entries
holding the nsuniqueid additional string. I went forward using a GUI
application for browsing LDAP structures.
I guess a script for tackling this issue in a slightly more automated way
could probably be of value to other people.
Hi,
do you have the DS access logs from your servers from the time around
the conflicting entry was created ?
Thanks,
Ludwig
On 03/17/2015 11:14 AM, Andreas Skarmutsos Lindh wrote:
Quick update: I think that I have solved it, by just deleting the
entries holding nsuniqueid additional string.