Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-04-15 Thread Petr Vobornik
On 04/15/2016 05:13 PM, Ott, Dennis wrote: > My master began life as OS 6.2 / IPA 2.1.3 / pki-9.0.3 and does not have a > cert database at: > > /etc/pki/pki-tomcat/alias > > At: > > /var/lib/pki-ca/alias right > > subsystemCert cert-pki-ca has a serial number of 18 (0x12) > > At: > >

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-15 Thread Rob Crittenden
Kilian Ries wrote: I'm not quite familiar with the db2index.pl script ... what am I doing wrong? db2index.pl -n userRoot -D cn=admin -w ldap_bind: No such object (32) Failed to search the server for indexes, error (32) db2index.pl -n userRoot -D cn=admin -w -v -t entryrdn ldap_bind: No such

[Freeipa-users] Username attribute in trusted domain

2016-04-15 Thread Brook, Andy [CRI]
We’re trying to set up FreeIPA to be a good provider of UIDs and GIDs for our mostly RHEL systems. Overall, that works great. The issue I’m running into is that we need to have the same consistent UIDs and GIDs for our Isilon system which serves up both CIFS and NFS. Each user of the Isilon

Re: [Freeipa-users] 7.x replica install from 6.x master fails

2016-04-15 Thread Ott, Dennis
This allowed the replica install to complete. Thank you. However, when I try to kinit admin on the replica I get: kinit: Invalid UID in persistent keyring name while getting default ccache After some research I found that by commenting out this line in /etc/krb5.conf default_ccache_name =

[Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread Harald Dunkel
Hi folks, If I run "kinit admin; ipa -v ping" as a regular user, then I get ipa: INFO: trying https://ipa2.example.com/ipa/json ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. ipa:

Re: [Freeipa-users] Error setting up Replication: ldap service principals is missing. Replication agreement cannot be converted

2016-04-15 Thread Ludwig Krispenz
On 04/15/2016 10:14 AM, Kilian Ries wrote: Hi, on auht01 I see the following error just before installation fails: [14/Apr/2016:15:57:09 +0200] - database index operation failed BAD 1031, err= Unknown error [14/Apr/2016:15:57:09 +0200] - add: attempt to index 625 failed; rc=

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread David Kupka
On 15/04/16 11:42, Harald Dunkel wrote: Hi folks, If I run "kinit admin; ipa -v ping" as a regular user, then I get ipa: INFO: trying https://ipa2.example.com/ipa/json ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread David Kupka
On 15/04/16 13:31, Harald Dunkel wrote: Hi folks, I have no luck with the ipa cli, so I wonder if it is possible to ldapsearch for disabled or enabled users? A command line like ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody doesn't show :-(. Every helpful

Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-15 Thread Harald Dunkel
Hi David, > Hello Harri, > > the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the > permissions are set to: > > $ ls -dl /etc/ipa/nssdb/ > drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/ > > $ ls -l /etc/ipa/nssdb/ > total 80 > -rw-r--r--. 1 root root 65536 Apr

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread Natxo Asenjo
Hi Harald, On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel wrote: > Hi folks, > > I have no luck with the ipa cli, so I wonder if it is > possible to ldapsearch for disabled or enabled users? > A command line like > > ldapsearch -LLL -Y GSSAPI -b

[Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread Harald Dunkel
Hi folks, I have no luck with the ipa cli, so I wonder if it is possible to ldapsearch for disabled or enabled users? A command line like ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody doesn't show :-(. Every helpful hint is highly welcome Harri