[Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
with # yum remove freeipa-server and then reinstalled it the same way, but ipa-server-install won't run no matter what I attempt. Any thoughts? I'm pretty new to IPA. Thanks! -- Bret Wortman The Damascus Group Fairfax, VA

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
I look next? On Wed, Oct 17, 2012 at 2:07 PM, Bret Wortman bret.wort...@damascusgrp.com wrote: Spot on. It was a fresh install of F17 and I neglected to # yum update first. I've done so, rebooted, and am trying again with better results. On Wed, Oct 17, 2012 at 1:45 PM, John Dennis jden

Re: [Freeipa-users] Failed installation

2012-10-17 Thread Bret Wortman
I think I have SELinux turned off but will double-check in the morning. And reply to the list -- Bret Wortman http://bretwortman.com/ http://twitter.com/bretwortman On Wednesday, October 17, 2012 at 3:17 PM, Rob Crittenden wrote: Bret Wortman wrote: Now it appears that whatever

Re: [Freeipa-users] Failed installation

2012-10-18 Thread Bret Wortman
Sorry, that wasn't clear at all, was it? The latest attempt was after I ran the cleanup. No joy; it's still failing at the same point and tomcat is definitely not running. On Thu, Oct 18, 2012 at 7:28 AM, Martin Kosek mko...@redhat.com wrote: On 10/18/2012 01:23 PM, Bret Wortman wrote: Tomcat

[Freeipa-users] User's choice: automount or autocreate?

2012-10-31 Thread Bret Wortman
and have it working well? I'd hate to spend time re-inventing a wheel if there's already an excellent example in the wild Thanks! -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman ___ Freeipa-users

Re: [Freeipa-users] User's choice: automount or autocreate?

2012-10-31 Thread Bret Wortman
That's what I needed to know. We'll set a system-wide policy and be done with it. Thanks! On Wed, Oct 31, 2012 at 9:43 AM, Stephen Gallagher sgall...@redhat.com wrote: On Wed 31 Oct 2012 08:56:14 AM EDT, Bret Wortman wrote: Has anyone set things up so that individual users have the option

[Freeipa-users] Sudo not working

2012-10-31 Thread Bret Wortman
going wrong during the search. -- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman

[Freeipa-users] Sudo not working

2012-10-31 Thread Bret Wortman
2012 11:53:15 AM EDT, Bret Wortman wrote: I'm pretty certain there's a painfully simple solution to this that I'm not seeing, but my current configuration isn't picking up the freeipa sudoer rule that I've set. /etc/nsswitch.conf specifies: sudoers:files ldap /etc/nslcd.conf contains

Re: [Freeipa-users] Sudo not working

2012-10-31 Thread Bret Wortman
F17. On Wed, Oct 31, 2012 at 2:04 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: I had enabled debugging of sudo but am not clear on where that debugging is going. It's not stdout, and I'm not seeing anything in /var/log/messages. I'll try switching to SSS and see what

Re: [Freeipa-users] Sudo not working

2012-10-31 Thread Bret Wortman
Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: F17. I think you want /etc/ldap.conf then. The easiest way to be sure the right file is being used is to add sudoers_debug 1 to the file. This will present a lot of extra output so you'll know the file is being read. rob On Wed, Oct

Re: [Freeipa-users] Sudo not working

2012-11-01 Thread Bret Wortman
...@redhat.com wrote: Bret Wortman wrote: [root@fs1 etc]# more /etc/ldap.conf sudoers_debug: 1 [root@fs1 etc]# ls -l /etc/ldap.conf -rw-r--r--. 1 root root 17 Oct 19 14:54 /etc/ldap.conf Where should I see the extra output? I've had this set since last Friday and I'm not seeing any difference

Re: [Freeipa-users] Sudo not working

2012-11-01 Thread Bret Wortman
# numResponses: 1 -sh-4.2$ sudo su - [sudo] password for bretw: [root@fs1 ~]# On Thu, Nov 1, 2012 at 7:58 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: That's got me closer now, as I'm at least getting an error message on stdout: [root@fs1 etc]# more nslcd.conf binddn uid=sudo,cn

[Freeipa-users] Problem adding DNS Zones

2012-11-16 Thread Bret Wortman
'dns.project.net' does not have a corresponding A/ record # ipa dnsrecord-find project.net dns Record name: dns A record: a.b.c.d Number of entries returned 1 # host dns.project.net dns.project.net has address a.b.c.d # -- Bret

[Freeipa-users] IPA'd users not going through .bashrc

2012-11-19 Thread Bret Wortman
I've noticed that my users who are provided identities through IPA aren't having their .bashrc and other login profile files run when they log in. I tried googling this issue but haven't found anything. Has anyone else encountered this? Puppet 3.0.1 from puppetlabs' repos on F17. -- Bret

Re: [Freeipa-users] IPA'd users not going through .bashrc

2012-11-19 Thread Bret Wortman
Never mind. Had the default shell set to /bin/sh. On Mon, Nov 19, 2012 at 10:22 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: I've noticed that my users who are provided identities through IPA aren't having their .bashrc and other login profile files run when they log in. I tried

Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Bret Wortman
from trusted/invalid realms -- Bret Wortman The Damascus Group Fairfax, VA http

Re: [Freeipa-users] ipa-replica-install fails

2012-12-11 Thread Bret Wortman
I'm working through them and may simply abandon the idea of automating the replica install. On Tue, Dec 11, 2012 at 2:09 PM, Dmitri Pal d...@redhat.com wrote: On 12/11/2012 12:09 PM, Bret Wortman wrote: On Tue, Dec 11, 2012 at 11:25 AM, Dmitri Pal d...@redhat.com wrote: On 12/11/2012

Re: [Freeipa-users] Announcing FreeIPA v3.0.2 Release

2012-12-12 Thread Bret Wortman
-- Bret Wortman The Damascus Group Fairfax, VA http://bretwortman.com/ http://twitter.com/BretWortman

Re: [Freeipa-users] ipa-replica-install fails

2012-12-12 Thread Bret Wortman
...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Bret Wortman [bret.wort...@damascusgrp.com] *Sent:* Wednesday, 12 December 2012 8:12 a.m. *To:* freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] ipa-replica-install fails I'm working through them and may simply abandon the idea

Re: [Freeipa-users] Kerberos and Cisco

2012-12-21 Thread Bret Wortman
Thanks, all. I'll report back. -- Bret Wortman http://bretwortman.com/ http://twitter.com/bretwortman On Friday, December 21, 2012 at 6:23 PM, Dmitri Pal wrote: On 12/21/2012 05:40 PM, Mike Mercier wrote: Hi Bret, I tried this once in the past with no success. If I recall

Re: [Freeipa-users] Howto re-deploy an IPA-client using kickstart

2013-01-24 Thread Bret Wortman
It works like a champ for me. -- Bret Wortman http://bretwortman.com/ http://twitter.com/bretwortman On Thursday, January 24, 2013 at 6:53 PM, Dmitri Pal wrote: On 01/24/2013 11:34 AM, Matthew Barr wrote: Just reading this over, and the RFE, I've got another possible option. Our

Re: [Freeipa-users] Trouble creating replica

2013-02-19 Thread Bret Wortman
noticed that, according to /var/log/pki-ca/catalina.out and /var/log/pki-ca/debug, this hasn't successfully run since 05-Feb. And no, I'm not sure what happened on that day to change things, but I'm trying to find out. (At least, I assume this logdir relates to dogtag) * * *Bret Wortman* http

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
-install -U --uninstall # ipa-server-install will I lose the hosts, policies and users I already have configured? Does this stand a chance of getting me back up to where I can clone this box and get healthy again? * * *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
Eureka! Someone had deleted the contents of /etc/dirsrv/slapd-PKI-IPA/dse.ldif. I replaced it from a saved copy and now everything's working as expected. Thanks everyone for your contributions, patience, and indulgence. And for a wonderful product! * * *Bret Wortman* http://damascusgrp.com

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
I'm running 2.2.0-1.fc17.x86_64 And FWIW, the replica data file I was able to create after this just installed successfully on the new host. * * *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Wed, Feb 20, 2013 at 9:47

Re: [Freeipa-users] Trouble creating replica

2013-02-20 Thread Bret Wortman
Mine was not.  — Bret Wortman On Wed, Feb 20, 2013 at 8:16 PM, Rich Megginson rmegg...@redhat.com wrote: On 02/20/2013 06:00 PM, KodaK wrote: On Wed, Feb 20, 2013 at 8:41 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: Eureka! Someone

Re: [Freeipa-users] Trouble creating replica

2013-02-21 Thread Bret Wortman
Rich, 389-ds-base-1.2.11.5-1.fc17.x86_64. The box is a DL360G8. * * *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Wed, Feb 20, 2013 at 9:03 PM, Rich Megginson rmegg...@redhat.com wrote: On 02/20/2013 06:43 PM, Bret

Re: [Freeipa-users] Trouble creating replica

2013-02-21 Thread Bret Wortman
Thanks for the bug link. We let the developer we thought had messed things up out of the 4x4 cell we had stashed him in. He's still blinking from sunlight but the doctors tell us the facial twitching will stop in a month or two. * * *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com

Re: [Freeipa-users] Replica installation failing

2013-03-19 Thread Bret Wortman
I'm now rebuilding on F17 and Martin's going to try my scenario, which should have worked. Who knows, I may have borked it somehow.  — Bret Wortman On Tue, Mar 19, 2013 at 10:19 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: Generation difference. Wrong version of the software -- the F18

[Freeipa-users] Can't update ssh keys

2013-08-09 Thread Bret Wortman
? Thanks! * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Can't update ssh keys

2013-08-09 Thread Bret Wortman
V3.1.something. I'm not at the office again till Monday. On Fri, Aug 9, 2013 at 1:22 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: Any time I try to use the command-line utilities to add a host (this includes ipa-client-install): #ipa host-mod host.damascusgrp.com http

Re: [Freeipa-users] Can't update ssh keys

2013-08-12 Thread Bret Wortman
I can get the host keys in okay, it's the user keys that are giving me fits. No combination of fields seems to work. Before we troubleshoot very far, I will update to a newer release and try again. Every now and again, I just need the right motivation to upgrade. * * *Bret Wortman* http

[Freeipa-users] Upgrade failed -- how to recover?

2013-08-13 Thread Bret Wortman
exit status 1 and numerous certmonger errors similar to this one. Finally, there's a stacktrace from ipapython/admintool.py, line 171 which ends the whole thing. What's my best plan for re-attempting this upgrade? * * *Bret Wortman* http

Re: [Freeipa-users] Upgrade failed -- how to recover?

2013-08-13 Thread Bret Wortman
fine. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Tue, Aug 13, 2013 at 10:29 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: I just upgraded my IPA master from F17 to F18 and, in the process, updated IPA to 3.1.5-1. Apparently, though, all is not well

Re: [Freeipa-users] Upgrade failed -- how to recover?

2013-08-14 Thread Bret Wortman
Rob, I got past this, as you indicated, by doing that after first running: # ipa-ldap-updater --ldapi ./schema.update Using a schema.update tip file I found in a note from you after some hard core googling. Should that extra step have been necessary? * * *Bret Wortman* http://damascusgrp.com

Re: [Freeipa-users] Upgrade failed -- how to recover?

2013-08-14 Thread Bret Wortman
DEBUG Process finished, return code=0 Does that help at all? Do you need more? I'm upgrading a slave today and will try just doing the --upgrade (_if_ the automatic upgrade has issues again). * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Wed, Aug 14, 2013 at 9:10 AM

[Freeipa-users] Replication woes

2013-08-19 Thread Bret Wortman
'ipamaster.foo.net' has no replication agreement for 'bad2.foo.net' # * * What I need to do is remove bad1 completely and then remove bad2 and re-add it as a replica. Any ideas? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Replication woes

2013-08-19 Thread Bret Wortman
Not according to my poll of the good ones, so here goes. Thanks, Rob. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Mon, Aug 19, 2013 at 10:35 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: The software is actually gone from both boxes -- one

Re: [Freeipa-users] Replication woes

2013-08-19 Thread Bret Wortman
the master back working again while I troubleshoot this connectivity issue? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Mon, Aug 19, 2013 at 11:11 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: How can I tell if this is working? It's been 10

Re: [Freeipa-users] Replication woes

2013-08-19 Thread Bret Wortman
failure. Minor code may provide more information (Server ldap/localh...@spx.net not found in Kerberos database)) errno 2 (No such file or directory) Did I build something incorrectly when that server was set up originally? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

[Freeipa-users] Fwd: Replication woes

2013-08-19 Thread Bret Wortman
. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Mon, Aug 19, 2013 at 2:02 PM, Simo Sorce s...@redhat.com wrote: On Mon, 2013-08-19 at 13:51 -0400, Bret Wortman wrote: So, any idea how to fix the Kerberos problem? If your server is trying to get a tgt for ldap

Re: [Freeipa-users] Replication woes

2013-08-20 Thread Bret Wortman
working; it tends to hang the master's DNS and other services until I Ctrl-C out and ipactl restart it. I'm afraid to venture out without a net here and make things worse * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Mon, Aug 19, 2013 at 2:21 PM, Bret Wortman

Re: [Freeipa-users] Replication woes

2013-08-20 Thread Bret Wortman
down this path? I'm now seeing messages about having the max number of CleanAllRUV tasks (4) and not being able to enqueue any more. So I'm really stuck now and don't know how soon I can get the files requested over to Rich for analysis. * * *Bret Wortman* http://damascusgrp.com/ http://about.me

[Freeipa-users] Scorched earth

2013-08-28 Thread Bret Wortman
? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

[Freeipa-users] Fwd: Scorched earth

2013-08-28 Thread Bret Wortman
to hear it! * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Wed, Aug 28, 2013 at 9:56 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: Today, I'm going to wipe my master, install f18 from scratch, then install the freeipa-server RPMs again

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-28 Thread Bret Wortman
, Aug 28, 2013 at 8:56 PM, Jatin Nansi jna...@redhat.com wrote: On 08/29/2013 12:16 AM, Bret Wortman wrote: Ugh. Well that certainly hurts, but I just don't see an alternative. I hope Puppet can at least make the re-enrollment a bit easier. I'm still hand-copying some of the configuration

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
entry or ipa host-del the system. After the replica install is done: 7. Shut down and delete the ipamaster2 VM. 8. Upgrade existing replicas to F18 and latest IPA version. 9. Establish replication agreements with now-functioning ipamaster. Does that sound right? * * *Bret Wortman* http

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce s...@redhat.com wrote: On Thu, 2013-08-29 at 08:07 -0400, Bret Wortman wrote: Okay, I have a replica built and running. My original, sick server is ipamaster and the new one is ipamaster2. All I've done thus far on ipamaster2 is run ipa-replica

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
to ipamaster after it's been erased and reinstalled? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Thu, Aug 29, 2013 at 9:21 AM, Simo Sorce s...@redhat.com wrote: On Thu, 2013-08-29 at 09:14 -0400, Bret Wortman wrote: On Thu, Aug 29, 2013 at 9:09 AM, Simo Sorce s

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
, and then somehow make ipamaster be a CA using Dogtag? Will that screw up all the clients? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Thu, Aug 29, 2013 at 9:24 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: Agreed, but not always possible. I had a replica

Re: [Freeipa-users] Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
On Thu, Aug 29, 2013 at 11:10 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: A bit of googling has led me to understand that we must have created the original server with --selfsign, and that locked us into something bad which is now causing us problems. I'm not sure how

[Freeipa-users] Fwd: Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
On Thu, Aug 29, 2013 at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: On Thu, Aug 29, 2013 at 11:10 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: A bit of googling has led me to understand that we must

Re: [Freeipa-users] Fwd: Fwd: Scorched earth

2013-08-29 Thread Bret Wortman
What passphrase would this be encrypted with? If it's something I set a year ago and never needed to know again, then we may be screwed. If it's saved somewhere, where should I look? * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Thu, Aug 29, 2013 at 11:58 AM, Rob

[Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Bret Wortman
to proceed now? *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Thu, Aug 29, 2013 at 2:59 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: Okay, I got the cacert.p12 (turns out it was taking my passphrase, but the messages looked like errors to my addled

Re: [Freeipa-users] Fwd: Fwd: Fwd: Scorched earth

2013-08-30 Thread Bret Wortman
On Fri, Aug 30, 2013 at 5:03 AM, Petr Viktorin pvikt...@redhat.com wrote: On 08/30/2013 10:23 AM, Bret Wortman wrote: Morning update. I made the change Rob suggested to /etc/ipa/default.conf, which appeared to work, but didn't quite. It asked me to back out the whole server installation

Re: [Freeipa-users] Exporting data?

2013-09-04 Thread Bret Wortman
can't always give quick data. Frustrating all around. But we'll get through it one way or the other. I hope to have the latest batch of logs over for analysis later this morning. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Wed, Sep 4, 2013 at 9:40 AM, Dmitri Pal d

Re: [Freeipa-users] Exporting data?

2013-09-04 Thread Bret Wortman
1.2.3.4#39992 (foo.net) : zone transfer 'foo.net/AXFR/IN' denied * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Wed, Sep 4, 2013 at 1:32 PM, Simo Sorce s...@redhat.com wrote: On Wed, 2013-09-04 at 09:40 -0400, Dmitri Pal wrote: On 09/04/2013 09:26 AM, Petr Spacek wrote

Re: [Freeipa-users] Exporting data?

2013-09-05 Thread Bret Wortman
D'Oh! Thanks, Petr. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Thu, Sep 5, 2013 at 2:33 AM, Petr Spacek pspa...@redhat.com wrote: On 4.9.2013 20:23, Bret Wortman wrote: ...and I tried exporting the DNS data but ended up with a bunch of files that looked

Re: [Freeipa-users] Exporting data?

2013-09-05 Thread Bret Wortman
: Size limit exceeded named[925]: connection to the LDAP server was lost named[925]: successfully reconnected to LDAP server I think my master has, to stick with technical terminology, completely lost the plot. And I'm equally certain it's because of something I did to it * * *Bret Wortman

[Freeipa-users] Trouble in ipa-ca-install

2013-09-09 Thread Bret Wortman
have to leave ipamaster7 in place as my master. Thanks! * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Trouble in ipa-ca-install

2013-09-09 Thread Bret Wortman
Never mind. I just gave up and re-installed my original master from scratch. We're just going to accept the pain of re-enrolling all the clients and resetting all the user passwords. Whatever had gone wrong inside my database was just too much. This gets us clean again. * * *Bret Wortman* http

[Freeipa-users] Where should new clients register?

2013-09-25 Thread Bret Wortman
Does it make a difference which replica (or master) a new client registers with? I've traditionally tried to match them up with the closest ones, but if it doesn't make any real difference, I'll just grab whoever answers first and be done with it. * * *Bret Wortman* http://damascusgrp.com/ http

[Freeipa-users] Error trying to enroll new client

2013-09-26 Thread Bret Wortman
. Installation failed. Rolling back changes. # I've seen the unable to sync time error before and have still been able to enroll, but something's different with this host. It also does this when I try to enroll with other replicas as well. Thoughts? * * *Bret Wortman* http://damascusgrp.com/ http

[Freeipa-users] Best place to start debugging sudo issue

2013-10-01 Thread Bret Wortman
, this is happening. What's the best way to start debugging this? I'm not looking for someone to do the work for me, but some pointers to the right logfiles or extra flags would be helpful. Thanks! * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Best place to start debugging sudo issue

2013-10-01 Thread Bret Wortman
. Thanks, Rob. * * *Bret Wortman* http://damascusgrp.com/ http://about.me/wortmanbret On Tue, Oct 1, 2013 at 10:53 AM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: On some of my nodes, attempting to sudo yields this: $ sudo su - sudo: ldap_start_tls_s(): Connect error

[Freeipa-users] sudo client on CentOS 6.4?

2013-10-29 Thread Bret Wortman
I have sudoers_debug set to "1", but this is producing no output that I've been able to find. Not surprising, since it looks like the sudo command itself isn't ever querying ldap at all What should I try next? -- Bret Wortman ht

Re: [Freeipa-users] sudo client on CentOS 6.4?

2013-10-29 Thread Bret Wortman
That did the trick. I'll update Puppet accordingly. Thanks, Rob. Bret On 10/29/2013 10:09 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm trying to bring some CentOS 6.4 systems into our IPA network, and everything seems to be working fine except sudo (which works against all our Fedora

[Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-16 Thread Bret Wortman
grp.com' [root@ipamaster ~]# What's the right way to clean this up without making the situation worse? -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-17 Thread Bret Wortman
On 12/16/2013 10:37 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 12/16/2013 10:40 AM, Bret Wortman wrote: I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica-manage del on the replica master, then ipa-server-install -U

Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-17 Thread Bret Wortman
On 12/17/2013 09:15 AM, Rob Crittenden wrote: Bret Wortman wrote: On 12/16/2013 10:37 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 12/16/2013 10:40 AM, Bret Wortman wrote: I had a replica that was completely failing to respond to its clients, so I removed it by first running ipa-replica

[Freeipa-users] Can't delete user

2013-12-20 Thread Bret Wortman
server seems to be involved, because during and after the hang, I can't kinit -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Can't delete user

2013-12-20 Thread Bret Wortman
: On 12/20/2013 09:06 AM, Bret Wortman wrote: Has anyone seen a problem where a user account can't be deleted either through the CLI or the web interface? In both methods, the attempt just hangs and I'm not sure what of the messages I'm

[Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Bret Wortman
n = .spx.net [sssd] services = nss, pam, ssh config_file_version = 2 domains = .spx.net, spx.net [nss] [pam] [sudo] [autofs] [ssh] Is there anything else relevant that I should be looking

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-13 Thread Bret Wortman
They're definitely different. I deleted the one in the file, then tried again. It put the bad key back in the file. I blew the whole file away and the same thing happened. Where is this key coming from if not from IPA? On 01/13/2014 02:36 PM, Rob Crittenden wrote: Bret Wortman wrote: I've

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Bret Wortman
to use via Google yet. Any guidance? On 01/14/2014 05:43 AM, Jan Cholasta wrote: On 13.1.2014 22:18, Jakub Hrozek wrote: On Mon, Jan 13, 2014 at 02:44:29PM -0500, Bret Wortman wrote: They're definitely different. I deleted the one in the file, then tried again. It put the bad key back in the file

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-14 Thread Bret Wortman
incorrect) : # cat /var/lib/sss/pubconf/known_hosts : it now contained the bad key again. On 01/13/2014 02:52 PM, Dmitri Pal wrote: On 01/13/2014 02:44 PM, Bret Wortman wrote: They're definitely different. I deleted the one in the file, then tried again. It put the bad key back in the file. I blew

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-15 Thread Bret Wortman
The fingerprint does match. On 01/15/2014 03:33 AM, Jan Cholasta wrote: On 14.1.2014 12:34, Bret Wortman wrote: The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the host in question. It should not have had any connectivity issues; it's co-located with several of our IPA

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-15 Thread Bret Wortman
No, that was me conflating this problem on two different machines, rs512 and zw131. Sorry about that. Bret On 01/15/2014 12:53 AM, Simo Sorce wrote: On Tue, 2014-01-14 at 06:46 -0500, Bret Wortman wrote: I was assuming that the key was being re-inserted by the ssh authentication request

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
Yes, though there should be only one. We ended up somehow with foo.com and .foo.com and I'm not sure how to reduce us properly to just foo.com. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Jan 16, 2014, at 4:42 AM, Jan Cholasta jchol...@redhat.com wrote: OK

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
comment out the whole [domain/] section in sssd.conf and restart sssd. Does that solve the problem? If not, could you please post your sssd.conf here? On 16.1.2014 11:21, Bret Wortman wrote: Yes, though there should be only one. We ended up somehow with foo.com and .foo.com and I'm not sure how

Re: [Freeipa-users] Odd problem with SSSD and SSH keys

2014-01-16 Thread Bret Wortman
between foo.com and .foo.com domain configuration? I'm also curious how such a configuration got into sssd.conf in the first place, ipa-client-install should have created only one domain. On 16.1.2014 18:19, Bret Wortman wrote: It did. I just needed the motivation to figure out which version

[Freeipa-users] CS.cfg empty

2014-01-26 Thread Bret Wortman
We had to reboot the IPA server on a standalone network recently, and this IPA server is the only one on that network; there are no replicas. Upon restarting, the IPA software refused to start because, after a couple hours of tracking things down, our /etc/pki-ca/CS.cfg file is zero-length.

Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Bret Wortman
be an enormous task. Big, but not enormous. And I should have had a backup, especially knowing there was a scheduled power outage coming up. Because those are always problem-free ;-) Bret On 01/27/2014 04:14 AM, Martin Kosek wrote: On 01/27/2014 01:51 AM, Bret Wortman wrote: We had to reboot

Re: [Freeipa-users] CS.cfg empty

2014-01-27 Thread Bret Wortman
/etc/pki/pki-tomcat/ca (assuming this is Dogtag 10) or under /var/log/pki/server/upgrade ? Ade On Mon, 2014-01-27 at 06:17 -0500, Bret Wortman wrote: Martin, The only other systems I have running IPA are on another network. I could take their CS.cfg file and try to modify it to fit what this one

[Freeipa-users] Can't delete users

2014-02-05 Thread Bret Wortman
ake up to 10 minutes to complete. What can I be looking at to diagnose and/or debug this? We ought to be able to delete users, not just disable them, right? -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Can't delete users

2014-02-05 Thread Bret Wortman
Fortunately, I can trigger it at will. ;-) I'll get the packages loaded and set up and see what I can find. On 02/05/2014 10:36 AM, Martin Kosek wrote: On 02/05/2014 04:24 PM, Bret Wortman wrote: We've discovered something odd in our current FreeIPA setup (F18, IPA 3.1.5-1.fc18.x86_64

Re: [Freeipa-users] Upgrade form Centos to Fedora (3.0.0 - 3.3.3)

2014-02-05 Thread Bret Wortman
Rob, To add the second master-with-CA, is it as simple as doing this on one of the replicas? # ipa-ca-install /path/to/replica-info-hostname.foo.net.gpg Bret On 02/05/2014 04:35 AM, Rob Crittenden wrote: Will Sheldon wrote: Hello IPA users :) We have implemented IPA using the packaged

[Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman
SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. --

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman
Connection to ipamaster closed. [desktop]$ On 02/21/2014 01:27 PM, Jakub Hrozek wrote: On Fri, Feb 21, 2014 at 01:15:52PM -0500, Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman
Bizarre. # strace -f -o /tmp/out ipa help Usage: ipa [global-options] COMMAND [command-options] : : : # ipa help Connection to ipamaster closed. $ On 02/21/2014 01:36 PM, Rob Crittenden wrote: Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-21 Thread Bret Wortman
D'oh! I'm blaming Friday. Didn't think to check. Will try Monday. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 21, 2014, at 2:13 PM, Mauricio Tavares raubvo...@gmail.com wrote: On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman bret.wort...@damascusgrp.com wrote

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-25 Thread Bret Wortman
, ipa_session_cookie:ad...@damascusgrp.com, @s], [/* 27 vars */] unfinished ... Interesting, or just noise? On 02/21/2014 02:50 PM, Bret Wortman wrote: D'oh! I'm blaming Friday. Didn't think to check. Will try Monday. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-25 Thread Bret Wortman
Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 6:06 PM, Rob Crittenden rcrit...@redhat.com wrote: Bret Wortman wrote: I don't know

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-25 Thread Bret Wortman
I'll try that. And you're right--we've tried a number of sub commands. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 8:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Dmitri Pal wrote: On 02/25/2014 07:31 PM, Bret Wortman wrote: Nope, running

Re: [Freeipa-users] Trying to use the CLI logs me out

2014-02-26 Thread Bret Wortman
results) using the -c option. Bret On 02/25/2014 08:32 PM, Bret Wortman wrote: I'll try that. And you're right--we've tried a number of sub commands. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 8:05 PM, Rob Crittenden rcrit...@redhat.com wrote

[Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
size (number of passwords): 0 Character classes: 2 Min length: 8 Max failures: 6 Failure reset interval (seconds): 60 Lockout duration (seconds): 600 -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret

Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
Is there a way to set a password to not expire? I thought I read somewhere that 0 did that, but apparently not. On 03/06/2014 07:55 AM, Sumit Bose wrote: On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote: Strange behavior now with our passwords (and we still haven't solved our

Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
Just found with some fresh Googling an email from Rob recommending setting the max to 5000. I'll try that. On 03/06/2014 08:08 AM, Bret Wortman wrote: Is there a way to set a password to not expire? I thought I read somewhere that 0 did that, but apparently not. On 03/06/2014 07:55 AM

Re: [Freeipa-users] Password issues

2014-03-06 Thread Bret Wortman
In 26 years, I guarantee this will be someone else's problem. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Mar 6, 2014, at 8:25 PM, Dmitri Pal d...@redhat.com wrote: On 03/06/2014 08:10 AM, Bret Wortman wrote: Just found with some fresh Googling an email from Rob

[Freeipa-users] Badly corrupted IPA

2014-03-27 Thread Bret Wortman
sitant to go too far. This machine, however, is my program manager's workstation, so it's pretty important to get back up and running. Thanks, -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret
