Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread Martin Kosek
On 06/21/2016 05:19 PM, Ash Alam wrote: > anyone have any thoughts on this? > > Thank You > > On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote: > > Hello > > I have been going through the lists but I have not found the answer

Re: [Freeipa-users] Deny bind for external LDAP if password is expired

2016-07-07 Thread Prashant Bapat
Anyone ?! On 6 July 2016 at 22:36, Prashant Bapat wrote: > Hi, > > We are using FreeIPA's LDAP as the base for user authentication in a > different application. So far I have created a sysaccount which does the > lookup etc for a user and things are working as expected. I'm

Re: [Freeipa-users] Error with DNS forwarding on replica.

2016-07-07 Thread Petr Spacek
On 15.6.2016 09:37, Nuno Higgs wrote: > Hello Petr, > > [root@slave ~]# cat /var/log/ipareplica-install.log | grep -i DNSSEC | grep > -i not | grep -i support > > It’s empty. Interesting. At this point I'm unable to say what happened to your install. If it happens again please get back to us

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread thierry bordaz
On 07/07/2016 03:47 PM, Martin Kosek wrote: On 06/21/2016 05:19 PM, Ash Alam wrote: anyone have any thoughts on this? Thank You On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam > wrote: Hello I have been going through the lists

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone
On 07/07/16 15:02, Rob Crittenden wrote: Roderick Johnstone wrote: On 05/07/16 11:52, Roderick Johnstone wrote: On 04/07/2016 15:12, Martin Babinsky wrote: On 07/04/2016 10:23 AM, Roderick Johnstone wrote: Hi I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC)

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Rob Crittenden
Roderick Johnstone wrote: On 05/07/16 11:52, Roderick Johnstone wrote: On 04/07/2016 15:12, Martin Babinsky wrote: On 07/04/2016 10:23 AM, Roderick Johnstone wrote: Hi I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 7.7.2016 11:32, Günther J. Niederwimmer wrote: > Hello Petr, > > Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek: >> On 23.6.2016 15:27, Günther J. Niederwimmer wrote: >>> Hello Martin, >>> >>> Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: On 20.06.2016

Re: [Freeipa-users] How to automatically group new users under Stage Users when users are synced from AD

2016-07-07 Thread Martin Kosek
On 06/26/2016 06:57 PM, Supratik Goswami wrote: > Hi > > I am using ipa-server-4.2.0 in my environment, it is having winsync > agreement > with the AD server. > I want to move all new users to "Stage Users" state automatically when they > are > synced from the AD, can anyone please guide me

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Petr Vobornik
On 07/07/2016 05:09 PM, Roderick Johnstone wrote: On 07/07/16 15:02, Rob Crittenden wrote: Roderick Johnstone wrote: On 05/07/16 11:52, Roderick Johnstone wrote: On 04/07/2016 15:12, Martin Babinsky wrote: On 07/04/2016 10:23 AM, Roderick Johnstone wrote: Hi I installed my first master ipa

Re: [Freeipa-users] Problem with properly removing replica master from cluster

2016-07-07 Thread Petr Vobornik
On 07/04/2016 05:54 PM, Christophe TREFOIS wrote: Dear all, First of all, thanks to mbasti for helping out so far. We have a 3-node master cluster (--setup-ca) on 4.1 and setup a 4th using 4.2.0 as we want to migrate there. First, we had some orphan entries in ipa-replica-manage list. We

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone
On 07/07/16 16:30, Petr Vobornik wrote: On 07/07/2016 05:09 PM, Roderick Johnstone wrote: On 07/07/16 15:02, Rob Crittenden wrote: Roderick Johnstone wrote: On 05/07/16 11:52, Roderick Johnstone wrote: On 04/07/2016 15:12, Martin Babinsky wrote: On 07/04/2016 10:23 AM, Roderick Johnstone

Re: [Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Rob Crittenden
Troels Hansen wrote: Hi, we have 2 IPA servers setup in replication. All works fine, except sometimes I see unable to authenticate. It goes on for like 2-5 minutes, and then everything works again. When looking at the logs I see nothing, except err?53 which means incorrect password, but it's NOT!

Re: [Freeipa-users] Password sync settings not working

2016-07-07 Thread Martin Kosek
Good! Thanks for confirmation (I suspected PEBKAC, thus my questions). Martin On 07/02/2016 10:01 PM, Joshua J. Kugler wrote: > Thanks. In a case of extreme PEBKAC, I had copied the example and failed to > update the DN. It works now. > > j > > > On Monday, June 13, 2016 09:35:53 Martin

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 23.6.2016 15:27, Günther J. Niederwimmer wrote: > Hello Martin, > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote: >>> Hello, >>> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST schrieb Petr Spacek: On 18.6.2016 15:03,

Re: [Freeipa-users] k5login not working?

2016-07-07 Thread Sumit Bose
On Wed, Jul 06, 2016 at 04:59:36PM -0400, Jeffery Harrell wrote: > Oh wow, I see. I did some playing around with > /var/lib/sss/pubconf/krb5.include.d/localauth_plugin in search of a > minimum-change scenario and found that this: > > [plugins] > localauth = { > module =

Re: [Freeipa-users] +dnssec in vendor repos - when?

2016-07-07 Thread Petr Spacek
On 6.7.2016 10:35, lejeczek wrote: > seems like official repos, centos at least lags a bit behind, currently it's > 4.2.0 - question - does this support fully secure dns ? Version 4.2.0 is not the best for DNSSEC deployment. IPA 4.3.1 contains important fixes related to DNSSEC. Please note that

Re: [Freeipa-users] dns zone forward - no valid signature found

2016-07-07 Thread Petr Spacek
On 6.7.2016 16:37, lejeczek wrote: > hi everybody > > I think this was working some time ago, but for a while queries IPA's DNS > forwards wound up like this: > > validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found > validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Günther J . Niederwimmer
Hello Petr, Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek: > On 23.6.2016 15:27, Günther J. Niederwimmer wrote: > > Hello Martin, > > > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: > >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote: > >>> Hello, > >>>

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Roderick Johnstone
On 05/07/16 11:52, Roderick Johnstone wrote: On 04/07/2016 15:12, Martin Babinsky wrote: On 07/04/2016 10:23 AM, Roderick Johnstone wrote: Hi I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems. Now I'd like to bring

Re: [Freeipa-users] Problem with properly removing replica master from cluster

2016-07-07 Thread Christophe TREFOIS
Hi Petr, The cleaning task worked. No more errors. Thanks for that. Kind regards, — Christophe Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSITÉ DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing

[Freeipa-users] ipa-server-upgrade fails on PKI CentOS 7.2

2016-07-07 Thread Matt .
Hi, I have some issue with the ipa-server-upgrade command where PKI fails. This seems to be a known issue but I'm unsure where to report it as it's fixed in FC https://bugzilla.redhat.com/show_bug.cgi?id=1328522 Does someone have a clue how to get around this ? Thanks! Matt -- Manage your

[Freeipa-users] Sync & BaseDN change

2016-07-07 Thread Brad Cesarone
Hello I have two questions 1) Is it possible to sync/replicate with another ldap server? i.e. Oracle Identity Manager 2) If #1 is true, is it possible to sync with two different suffixes? 3) Is it possible to either install IPA with a custom ldap Suffix or change the suffix once it is created?

Re: [Freeipa-users] Sync & BaseDN change

2016-07-07 Thread Petr Spacek
On 7.7.2016 01:44, Brad Cesarone wrote: > I have two questions > 1) Is it possible to sync/replicate with another ldap server? i.e. Oracle > Identity Manager IPA provides a one-time import script called ipa-migrate-ds, see

Re: [Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
You mean the /var/log/dirsrv//error right? Clean except for when I do ipa backup, which actually doesn't look like it's errors, but more info.. However, sometimes, at 0:20 I have: [07/Jul/2016:00:15:41 +0200] NSMMReplicationPlugin - replication keep alive entry

[Freeipa-users] Periodic unable to authenticate

2016-07-07 Thread Troels Hansen
Hi, we have 2 IPA servers setup in replication. All works fine, except sometimes I see unable to authenticate. It goes on for like 2-5 minutes, and then everything works again. When looking at the logs I see nothing, except err?53 which means incorrect password, but it's NOT!