Re: [Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

2016-12-14 Thread Florence Blanc-Renaud
On 12/13/2016 05:29 PM, jay wrote: Well Flo, the issue was IPV6 was disabled. As soon as I enabled it again, added that /etc/hosts entry back, and rebooted the server, things are working again! So is that now a requirement for 4.4.x? Server worked fine on 4.2 Hi Jay, this behavior was

Re: [Freeipa-users] With freeipa 4.4.0-14 on CentOS 7 cert-show fails

2016-12-14 Thread Alexander Bokovoy
On ke, 14 joulu 2016, Florence Blanc-Renaud wrote: On 12/13/2016 05:29 PM, jay wrote: Well Flo, the issue was IPV6 was disabled. As soon as I enabled it again, added that /etc/hosts entry back, and rebooted the server, things are working again! So is that now a requirement for 4.4.x? Server

Re: [Freeipa-users] ipa fails to start after centos 7.3 upgrade

2016-12-14 Thread Brian Candler
On 12/12/2016 19:53, Rob Verduijn wrote: I've recently upgraded to centos 7.3. Didn't intend to so soon but should have checked the announce lists before launching my ansible update playbook. Most of my servers came through, and mostly also the ipa server. There were duplicate rpms and a

Re: [Freeipa-users] Change in list archives accessibility

2016-12-14 Thread Simo Sorce
On Mon, 2016-12-12 at 05:04 -0500, Simo Sorce wrote: > Dear freeipa-users, > in an attempt to identify how the recent wave of spamming activity > targets mailing list posters, I have temporarily disabled free access to > the archives. > This is not a permanent change and public access will be

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-14 Thread Florence Blanc-Renaud
On 12/14/2016 01:08 PM, beeth beeth wrote: Thanks David. I installed both the master and replica IPA servers with third-party certificates (Verisign), but I doubt that could be the issue, because I had no problem to run the same ipa-client-install command on a RHEL7 machine (of course, the

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-14 Thread beeth beeth
Thanks David. I installed both the master and replica IPA servers with third-party certificates (Verisign), but I doubt that could be the issue, because I had no problem to run the same ipa-client-install command on a RHEL7 machine (of course, the --hostname used a different hostname of the server).

[Freeipa-users] Replica Creation Issue

2016-12-14 Thread Christian McNamara
Hi all, I recently inherited a FreeIPA system that I believe is running v3.0, and I'm trying to upgrade to the latest version. Following documentation, I'm trying to create a replica but I'm running into problems connecting to the LDAP server. Here's the output I get when trying to prepare a

[Freeipa-users] Confirming no extra/special ports need to be opened for replication traffic?

2016-12-14 Thread Chris Dagdigian
Been reading various generations of documentation to find out if I need additional TCP or UDP ports opened for IPA replication between VPN-connected datacenters. I think the modern answer is no? We just need the standard IPA ports open between all of the IPA master/replicas that chat to each

Re: [Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread Sumit Bose
On Wed, Dec 14, 2016 at 03:18:52PM +, James Harrison wrote: > Hi, I installed the freeipa client on an Ubuntu Precise system (12.04) > > I get the following message at the end of the install: > "Installed OpenSSH server does not support dynamically loading authorized > user keys. Public key

Re: [Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
In the ipaclient-install.log I see: 2016-12-14T14:58:10Z DEBUG stderr= 2016-12-14T14:58:10Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config' 2016-12-14T14:58:10Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index' 2016-12-14T14:58:10Z INFO Configured

[Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Serhii Honchar
Hello, trying to get vSphere authenticate users using FreeIPA. I've made scheme changes as recommended in howto http://www.freeipa.org/page/HowTo/vsphere5_integration. But then faced following issue: Vsphere using "pagedResultsControl" and sets its criticality to "True" on all its requests to

Re: [Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Simo Sorce
On Wed, 2016-12-14 at 19:29 +0200, Alexander Bokovoy wrote: > On ke, 14 joulu 2016, Serhii Honchar wrote: > >Alexander, > >as per RFC2696 in such case: > >--- > > > >If the server does not support this control, the server > > MUST return an error of unsupportedCriticalExtension if the client > >

Re: [Freeipa-users] Failed ipa-client-install with IPA Replica

2016-12-14 Thread beeth beeth
Hi Flo, Thanks for the great hint! I reran the ipa-client-install on the rhel6 box (ipadev6), and monitored the access log file you mentioned on the replica: # ipa-client-install --domain=ipa.example.com --server=ipaprd2.example.com --hostname=ipadev6.example.com -d ( ipaprd2 = primary IPA

Re: [Freeipa-users] ipa-server-install fails at DogTag restart

2016-12-14 Thread Fraser Tweedale
On Wed, Dec 14, 2016 at 05:35:35PM +, Tommy Nikjoo wrote: > Hi, > > I'm trying to install FreeIPA on CentOS 7 using the yum package, but I > keep getting an error when it tries to restart DogTag > > [26/31]: restarting certificate server > ipa.ipaserver.install.cainstance.CAInstance:

Re: [Freeipa-users] Confirming no extra/special ports need to be opened for replication traffic?

2016-12-14 Thread Martin Babinsky
On 12/14/2016 05:50 PM, Chris Dagdigian wrote: Been reading various generations of documentation to find out if I need additional TCP or UDP ports opened for IPA replication between VPN-connected datacenters. I think the modern answer is no? We just need the standard IPA ports open between all

Re: [Freeipa-users] Confirming no extra/special ports need to be opened for replication traffic?

2016-12-14 Thread Chris Dagdigian
Much appreciated, thank you! Martin Babinsky wrote: IIRC in IPA v3.0 there was 7389 port used for CA replication, but in more recent versions this is not required anymore. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

[Freeipa-users] ipa-server-install fails at DogTag restart

2016-12-14 Thread Tommy Nikjoo
Hi, I'm trying to install FreeIPA on CentOS 7 using the yum package, but I keep getting an error when it tries to restart DogTag [26/31]: restarting certificate server ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart the Dogtag instance.See the installation log for

Re: [Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Alexander Bokovoy
On ke, 14 joulu 2016, Serhii Honchar wrote: Alexander, as per RFC2696 in such case: --- If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical, --- So in case slapi-nis plugin doesn't support

Re: [Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Alexander Bokovoy
On ke, 14 joulu 2016, Serhii Honchar wrote: Hello, trying to get vSphere authenticate users using FreeIPA. I've made scheme changes as recommended in howto http://www.freeipa.org/page/HowTo/vsphere5_integration. But then faced following issue: Vsphere using "pagedResultsControl" and sets its

Re: [Freeipa-users] FreeIPA and vSphere

2016-12-14 Thread Serhii Honchar
Alexander, as per RFC2696 in such case: --- If the server does not support this control, the server MUST return an error of unsupportedCriticalExtension if the client requested it as critical, --- So in case slapi-nis plugin doesn't support "paged results control", it is quite incorrect

Re: [Freeipa-users] ACIerrors is httpd log

2016-12-14 Thread Rob Crittenden
Jim Richard wrote: > just now getting back to this, have been truncating httpd logs via cron > since then to keep from filling up my disk. > > So, does this ring any bells :) No but the complete, unredacted logs were VERY helpful, thanks. So the code looks like this in 3.0, which IIRC you are

[Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
Hi, I installed the freeipa client on an Ubuntu Precise system (12.04) I get the following message at the end of the install: "Installed OpenSSH server does not support dynamically loading authorized user keys. Public key authentication of IPA users will not be available." Any clues? Is there a