Re: [Freeipa-users] Is It OK to mix RHEL7 and CentOS 7 IPA domain servers?

2015-06-08 Thread Martin Kosek
On 06/05/2015 03:16 PM, Sina Owolabi wrote: > Hi > > Due to our subscriptions running out, OT: time to renew! :-) > I'm forced to have to use > CentOS7 in our domain as IPA replica servers to join our existing > RHEL7 server. > > Is this OK, or are there any issues I should be aware of? > > Th

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Solved

2015-06-08 Thread Christopher Lamb
Hi Dmitri, Prasun Thanks for those tickets. I have commented Dmitri's with a reference to this thread. Cheers Chris From: Dmitri Pal To: freeipa-users@redhat.com Date: 07.06.2015 22:33 Subject: Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Hi Thierry, thanks for your answer. I was away for a long time, this is why my post comes later. This timing issue is coming when you try to upgrade from rhel 6 (ipa-3.0) to rhel7 (ipa4.xx)? I have a physical machine for the master and a VM as replica. The solution is to use a physical machine

Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain

2015-06-08 Thread Pavel Březina
On 06/05/2015 03:14 PM, Sina Owolabi wrote: Odd, sssd sudo up and started working properly after I added debug to the clients I was interested in. I didn't see any errors in the logs at all. This may indicate a race condition. Does it hang up again if you disable debugging? Very strange. Th

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread thierry bordaz
Hello James, The fact that the master is more powerful than the replica increases the possibility to hit that bug. The bug fix is on the master side. The master is made smarter to adapt its replication flow to the speed of the consumer. The bug is fixed in 389-ds-base-1.3.3.1-10.el7 and 389-ds

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks. 2015-06-08 10:25 GMT+02:00 thierry bordaz : > Hello James, > > The fact that the master is more powerful than the replica increases the > possibility to hit that bug. > The bug fix is on the master side. The master is made s

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread thierry bordaz
Hi, Would you update your master to 389-ds-base-1.2.11.15-56.el6, before attempting the upgrade to 7 ? thanks thierry On 06/08/2015 12:30 PM, James James wrote: My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks. 2015-06-08 10:25 GMT+02:00 thierry bordaz

Re: [Freeipa-users] Certificate expired/renew problems

2015-06-08 Thread Rob Crittenden
John Desantis wrote: Marc, Unfortunately, I've never had to promote a replica to become the CA master in our environment. Is the host that's reporting the error the URL of the old master or the replica? Did you check the CS.cfg to see if the replica certificate is present vs. the old master?

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
> On Fri, 05 Jun 2015, Nathan Peters wrote: >>I had originally set this up with AD trust but when we found out that >>our alternative UPNs were not supported we switched to ad sync. I >>removed the trust relationship from the webui by deleting all trusts >>showing in the ui. >> >>I then set it up

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
> On 06/05/2015 03:31 PM, nat...@nathanpeters.com wrote: >>> I have noticed that happen a couple times in the last few days. >>> FreeIPA >>> server 4.1.3 on CentOS 7 with a sync relationship to a Windows server >>> 2008R2 domain controller. >>> >>> The web ui will stop working and just show a blank

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread Rich Megginson
On 06/08/2015 10:02 AM, nat...@nathanpeters.com wrote: On 06/05/2015 03:31 PM, nat...@nathanpeters.com wrote: I have noticed that happen a couple times in the last few days. FreeIPA server 4.1.3 on CentOS 7 with a sync relationship to a Windows server 2008R2 domain controller. The web ui will s

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
>>> Is it possible this is an old winsync agreement that is no longer >>> valid? >> I have only ever made a single winsync agreement on this server that I >> know of. How would I tell if an agreement is no longer valid? >> >> > > ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config > objectc

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread Rich Megginson
On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote: Is it possible this is an old winsync agreement that is no longer valid? I have only ever made a single winsync agreement on this server that I know of. How would I tell if an agreement is no longer valid? ldapsearch -xLLL -D "cn=directo

[Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-08 Thread Christopher Lamb
Hi All we are interested to know if anybody has succeeded (or for that matter failed) in using FreeIPA to provide user authentication for Atlassian products such as JIRA or Confluence? Somewhere in an Atlassian ticket I saw that FreeIPA is not officially supported, so I guess that should set ou

Re: [Freeipa-users] Certificate expired/renew problems

2015-06-08 Thread Marc Wiatrowski
Ok I found my issue. I didn't realize the server I initially tried to set up as the new master CA was 32 bit. What clued me in was the renew_ca_cert and stop_pkicad commands including a 64bit path in setting the certificates to be tracked in certmonger. But that path didn't exist on this server..

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
> On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote: > This looks like incremental update is successful . . . > >> nsds5replicaUpdateInProgress: FALSE >> nsds5replicaLastInitStart: 0 >> nsds5replicaLastInitEnd: 0 > > . . . but this indicates that the sync agreement has never been > initialized,

[Freeipa-users] Internal FreeIPA Administrators cannot search DNS records

2015-06-08 Thread nathan
I am trying my best to figure out why any FreeIPA internal 'administrators' that I create cannot search DNS entries. The builtin admin user can search and get results for DNS entries just fine, but we would rather not share this account with every sysadmin in our staff. I have created a new role

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread Rich Megginson
On 06/08/2015 12:49 PM, nat...@nathanpeters.com wrote: On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote: This looks like incremental update is successful . . . nsds5replicaUpdateInProgress: FALSE nsds5replicaLastInitStart: 0 nsds5replicaLastInitEnd: 0 . . . but this indicates that the syn

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
> [root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config > objectclass=nsDSWindowsReplicationAgreement > Enter LDAP Password: > dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain > \2Cdc\3Dnet,cn=mapping tree,cn=config > nsds7WindowsReplicaSubtree: OU=Staff,DC=

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread Rich Megginson
On 06/08/2015 01:09 PM, nat...@nathanpeters.com wrote: [root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config objectclass=nsDSWindowsReplicationAgreement Enter LDAP Password: dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain \2Cdc\3Dnet,cn=mapping tree,cn=c

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
>> == >> um WTF? making it a one way only agreement invalidates the >> lastinitstart >> value? >> == > > Looks like a bug. Ok, this is a pretty serious bug if making it one way can knock it offline permanently. Where should I file this bug report? > ipa-replica-manage re

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread Rich Megginson
On 06/08/2015 01:19 PM, nat...@nathanpeters.com wrote: == um WTF? making it a one way only agreement invalidates the lastinitstart value? == Looks like a bug. Ok, this is a pretty serious bug if making it one way can knock it offline permanently. Where should I file th

Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-08 Thread Tamas Papp
Yes, it's fine. -- Sent from mobile On June 8, 2015 18:47:41 Christopher Lamb wrote: Hi All we are interested to know if anybody has succeeded (or for that matter failed) in using FreeIPA to provide user authentication for Atlassian products such as JIRA or Confluence? Somewhere in an At

Re: [Freeipa-users] FreeIPA web UI Freezing up

2015-06-08 Thread nathan
> On 06/08/2015 01:19 PM, nat...@nathanpeters.com wrote: == um WTF? making it a one way only agreement invalidates the lastinitstart value? == >>> Looks like a bug. >> Ok, this is a pretty serious bug if making it one way can knock it >> offline >>

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
Yes, as soon as 389-ds-base-1.2.11.15-56.el6 will be available, I will update the master. Rich Megginson says that 389-ds-base-1.2.11.15-56.el6 will be shipped with rhel 6.7. Thus I will wait for 6.7 before trying to update the master and create a rhel 7 replica. Many thanks. 2015-06-08 14:

Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-08 Thread Craig White
Might want to search the 'compat' tree Craig White System Administrator O 623-201-8179   M 602-377-9752 SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of T

[Freeipa-users] Unable to prepare replica file after changing Directory Manager & PKI Admin Password on Freeipa-3.0.0

2015-06-08 Thread Eric Malloy
Hello Per http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password, I had changed my dm_password and followed steps two and three of this how to... Then when I run `ipa-replica-prepare -p $(cat ~/dm_password) --ip-address=172.17.0.6 ipa.us-west-2.domain.net --ca=/root/cacert.p12 --de