Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-01 Thread Martin Babinsky
On 04/01/2015 09:20 AM, Traiano Welcome wrote: Some information from the dirsrv error log (sanitized: XYZ = realm): [01/Apr/2015:11:01:49 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 starting up [01/Apr/2015:11:01:49 +0300] schema-compat-plugin - warning: no entries set up under cn=computers,

Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-01 Thread Martin Babinsky
On 04/01/2015 10:14 AM, Traiano Welcome wrote: Hi Martin Thanks for the response. Check results inline: On Wed, Apr 1, 2015 at 10:37 AM, Martin Babinsky mbabi...@redhat.com wrote: On 04/01/2015 09:20 AM, Traiano Welcome wrote: Some information from the dirsrv error log (sanitized: XYZ

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky
On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wrote: Neither came back with anything # ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b "dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Martin Babinsky
On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote: # ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config Enter LDAP Password: # extended LDIF # # LDAPv3 # base

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-11 Thread Martin Babinsky
On 11/10/2015 08:14 PM, Gronde, Christopher (Contractor) wrote: Removed the bad mapping. Krb5kdc service still will not start. Here is the access log. [10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 ADD dn="ou=Netscape Directory Team,cn=monitor" [10/Nov/2015:14:12:16 -0500] conn=Internal

Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-04 Thread Martin Babinsky
On 08/28/2015 05:46 PM, Alexandre Ellert wrote: On 28 August 2015 at 17:41, Alexander Bokovoy wrote: On Fri, 28 Aug 2015, Alexandre Ellert wrote: On 28 August 2015 at 17:09, Alexander Bokovoy wrote: On Wed, 26 Aug 2015, Alexandre Ellert wrote:

Re: [Freeipa-users] Cannot connect to FreeIPA web UI anymore

2015-10-02 Thread Martin Babinsky
On 10/02/2015 02:52 PM, Fujisan wrote: More info: I can initiate a ticket: $ kdestroy $ kinit admin but cannot view user admin: $ ipa user-show admin ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-02 Thread Martin Babinsky
On 12/01/2015 07:56 PM, Marc Boorshtein wrote: Great. Doesn't look like its made it into CentOS yet (still at 7.1). OK, going to go ahead and get it running on Fedora 23. Thanks Marc Boorshtein CTO Tremolo Security marc.boorsht...@tremolosecurity.com (703) 828-4902 On Tue, Dec 1, 2015 at

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-20 Thread Martin Babinsky
On 11/20/2015 04:08 PM, Ash Alam wrote: Most of the clients in my env are centos 6.6 with ipa 3.0.0 client installed. If I bring up a replica on centos 7.2 with ipa 4.2.3 server and then start phasing out the older 3.0.0 servers. Will the clients that are still running the older client software

Re: [Freeipa-users] connection problems after reboot with unusual setting (Ubuntu 14.04 + freeipa docker)

2015-11-23 Thread Martin Babinsky
On 11/20/2015 04:44 PM, Karl Forner wrote: Hello, My server runs ubuntu 14.04 and uses sssd 1.12.5-1~trusty1. The freeipa server runs inside a docker (an adelton/freeipa-server), and the docker host pretends to be the freeIPA server by forwarding the appropriate ports. This works very fine.

Re: [Freeipa-users] Setup of freeipa 4.2.3 failed

2016-01-08 Thread Martin Babinsky
On 01/08/2016 01:06 PM, Markus Roth wrote: Hi all, I tried to install freeipa server (freeipa-server.armv7hl 4.2.3-1.1.fc23), but the installation failed. - Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing

Re: [Freeipa-users] ipa-server-install --uninstall leaves httpd crippled ?

2016-05-26 Thread Martin Babinsky
On 05/26/2016 12:12 PM, lejeczek wrote: hi people I've noticed that --uninstall leaves httpd unable to restart. I think it's what was not cleaned up in /etc/httpd/alias In logs I see: [Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization failed. Certificate database:

Re: [Freeipa-users] IPA inaccessable after adding service principle

2016-02-15 Thread Martin Babinsky
On 02/15/2016 04:41 PM, Sumit Bose wrote: On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote: Hi guys I've just installed a RHEL7 server with ipa-server 4.2.0... Everything seems to work fine, until I add a service principle: (Running on a client, after a kinit) [root@dantooine ~]#

Re: [Freeipa-users] IPA 4.2.0 httpd errors

2016-02-21 Thread Martin Babinsky
On 02/19/2016 03:12 PM, Daryl Fonseca-Holt wrote: Hello, Doing a bulk load of 150,000+ users to an IPA 4.2.0 server running RedHat Enterprise Linux 7. Running 25 parallel ipa user-add at once, waiting for completion, then starting another 25, and so on. The httpd error_log is filling with

Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Martin Babinsky
On 03/15/2016 08:39 AM, Alessandro De Maria wrote: Hello, I would like to have authenticated users to upload a csr request and have their certificate automatically signed. Their certificate would expire in x days. Given the short life of the certificate, I would then like them to be able to

Re: [Freeipa-users] Client enrolled but failed to obtain host TGT.

2016-04-22 Thread Martin Babinsky
On 04/21/2016 11:14 PM, Ask Stack wrote: Half the time ipa-client-install will fail at getting the TGT. Google showed posts like, Bug 845691 – ipa-client-install Failed to obtain host TGT . I reduced _kerberos-master._tcp'

Re: [Freeipa-users] krb5kdc service not starting

2016-04-26 Thread Martin Babinsky
On 04/26/2016 03:13 PM, Gady Notrica wrote: Hello world, I am having issues this morning with my primary IPA. See below the details in the logs and command result. Basically, krb5kdc service not starting - krb5kdc: Server error - while fetching master key. DNS is functioning. See below dig

Re: [Freeipa-users] What id my AD domain user password not available

2016-05-23 Thread Martin Babinsky
On 05/23/2016 02:42 PM, Ben .T.George wrote: Hi LIst, my Windows domain Admin is not giving domain admin user password. in this case how can i proceed ipa trust-add regards, Ben Hi Ben, You can ask your AD domain admin to create a shared secret for establishing trust. See the

Re: [Freeipa-users] Can't set nsslapd-sizelimit

2016-05-17 Thread Martin Babinsky
On 05/16/2016 11:19 PM, Giuseppe Sarno wrote: Hello, I am new to freeIPA and I am recently working on a project to integrate freeIPA with some legacy application which uses LDAP for user management. I have initially created our own ldap structure and I tried to run the code against

Re: [Freeipa-users] Automatic consistency checking

2016-05-05 Thread Martin Babinsky
On 05/05/2016 03:54 PM, Andrew Holway wrote: Hello, We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
On 04/20/2016 06:00 PM, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed:

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
On 04/20/2016 07:12 PM, Gady Notrica wrote: Please find attached the install log Gady -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky Sent: April 20, 2016 1:04 PM To: freeipa-users@redhat.com Subject: Re

Re: [Freeipa-users] Problem with ipa-getkeytab ?

2016-04-21 Thread Martin Babinsky
On 04/21/2016 04:53 PM, Günther J. Niederwimmer wrote: Hello, I found a HowTO on FreeIPA to install a HA Version for a Mailsystem. Now I have a Problem to get the Keytab on the second Server On the first Server I run. kinit admin ipa-getkeytab -s ipa.example.com -p imap/mail.example.com -k

Re: [Freeipa-users] AD cross-realm

2016-07-27 Thread Martin Babinsky
On 07/27/2016 11:35 AM, Abu Haris wrote: sir/madame, I am in great trouble in choosing FreeIPA for identity management. I want to know more about AD cross-realm trust and how it works. -- A.H Hi Abu, there is quite an extensive upstream documentation of IPA-AD trust workings and setup.

Re: [Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-14 Thread Martin Babinsky
On 07/13/2016 09:56 PM, Bob Hinton wrote: Hi, We are trying to create a new replica on RHEL 7.2 This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-04 Thread Martin Babinsky
On 07/04/2016 10:23 AM, Roderick Johnstone wrote: Hi I installed my first master ipa server (server1) many months ago (Redhat 7.1 IIRC) and made a replica server2 without problems. Now I'd like to bring online another replica (server3). All servers are now on Redhat 7.2

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
On 02/01/2017 10:22 AM, deepak dimri wrote: Hi All, I have two IPA servers - primary and secondary running. the secondary ipa server is installed using ipa replica image of primary. While doing the testing i realised that when i manually shut down my primary ipa server making my secondary

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
and again to luck either its throwing same gateway_error Regards, Deepak On Wed, Feb 1, 2017 at 3:03 PM, Martin Babinsky <mbabi...@redhat.com> wrote: On 02/01/2017 10:22 AM, deepak dimri wrote: Hi All, I have two IPA servers - primary a

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
have noticed that if i directly use the replica (bypassing proxy) URL then the objects shows after waiting for over a minute or so. When i use proxy pass then it just times out after few seconds. No clue why it's behaving like this Many Thanks, Deepak On Wed, Feb 1, 2017 at 6:45 PM, Martin Bab

Re: [Freeipa-users] Trust between freeipa servers of different domains

2017-02-03 Thread Martin Babinsky
On 02/03/2017 03:49 PM, ivan lago wrote: Hello, Is it possible to configure 2 freeipa servers, serving different domains (let’s say dom1.com and dom2.com) to establish a trust so that users from one domain can use resources under the control of the other

Re: [Freeipa-users] ldapsearch for AD users

2017-02-21 Thread Martin Babinsky
On 02/21/2017 09:10 PM, Hanoz Elavia wrote: Hello, I've got the FreeIPA server with AD trust (Server 2008 R2) setup and running. I can login successfully on linux clients using AD credentials. I'm now trying to setup my Isilon storage appliance with mixed mode file sharing. The filer has

Re: [Freeipa-users] lost master master and soa

2017-02-13 Thread Martin Babinsky
On 02/13/2017 10:12 PM, Aaron Young wrote: hello So, I recently took over this site and a couple days into it, the first ipa server died because of disk corruption. Right now, I've built another ipa server to step into the topology as a replica, but I keep getting strange dns errors during

Re: [Freeipa-users] Cannot enter $ character in "group name" of "user groups"

2017-02-15 Thread Martin Babinsky
On 02/15/2017 10:57 AM, Dimitris Beletsiotis wrote: Hello, Despite the documentation that says that we can use $ in "group names" the web gui does not allow it, pls see attached. Is there some option to enable this? Thanks, Dimitris Beletsiotis The IdM documentation states that dollar sign

Re: [Freeipa-users] replica install - Insufficient 'add' privilege ?

2017-02-10 Thread Martin Babinsky
On 02/10/2017 01:29 PM, lejeczek wrote: hi everyone, I'm trying something mundane(can't think why, how my setup would be special/different) - replica installation - but I hit this: [42/44]: activating extdom plugin [43/44]: tuning directory server [44/44]: configuring directory to start

Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky
On 09/20/2016 12:17 AM, Simpson Lachlan wrote: -Original Message- On 09/19/2016 03:12 AM, Lachlan Musicman wrote: Hi Sometimes when I visit the ID Views page in the webgui, it is crushingly slow, and often it times out. Centos 7, ipa --version VERSION: 4.2.0, API_VERSION: 2.156 Is

Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-20 Thread Martin Babinsky
On 09/20/2016 08:33 AM, Alexander Bokovoy wrote: On Tue, 20 Sep 2016, Martin Babinsky wrote: On 09/20/2016 12:17 AM, Simpson Lachlan wrote: -Original Message- On 09/19/2016 03:12 AM, Lachlan Musicman wrote: Hi Sometimes when I visit the ID Views page in the webgui, it is crushingly

Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-19 Thread Martin Babinsky
On 09/19/2016 09:49 AM, Martin Babinsky wrote: On 09/17/2016 12:43 PM, lejeczek wrote: On 15/09/16 22:37, Rob Crittenden wrote: What do you mean control? If you don't want ipactl to manage the smb service, look for an entry in cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you

Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky
On 09/19/2016 03:12 AM, Lachlan Musicman wrote: Hi Sometimes when I visit the ID Views page in the webgui, it is crushingly slow, and often it times out. Centos 7, ipa --version VERSION: 4.2.0, API_VERSION: 2.156 Is there a reason, can I do something to fix this? cheers L. -- The most

Re: [Freeipa-users] Port and protocol for winsync

2016-09-23 Thread Martin Babinsky
On 09/23/2016 01:09 PM, malo wrote: Hello, I am currently trying to setup the winsyncagreement between my AD and my FreeIPA servers. The network topology allows me to only connect the FreeIPA server to the 636 port of AD, using TLS. It seems that FreeIPA wants to connect to the port 389

Re: [Freeipa-users] DNS ceases on both Master & Replica after several days

2016-10-04 Thread Martin Babinsky
On 10/04/2016 06:25 AM, Richard Harmonson wrote: After successful installation and use of DNS with forwarding first on a Master and Replica, several days pass then it stops. Using 'ipactl status' shows named service stopped. Using 'ipactl restart' services, DNS is running but stops again several

Re: [Freeipa-users] ipa-replica-install fails because dirsrv failed to start

2016-10-27 Thread Martin Babinsky
On 10/27/2016 10:48 AM, Jochen Demmer wrote: On 27.10.2016 at 10:21, Martin Basti wrote: On 27.10.2016 10:02, Jochen Demmer wrote: On 26.10.2016 at 17:31, Martin Basti wrote: On 26.10.2016 17:25, Jochen Demmer wrote: On 26.10.2016 at 16:48, Martin Basti wrote: On

Re: [Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Martin Babinsky
On 11/08/2016 05:13 PM, Ask Stack wrote: I thought /etc/krb5.conf controls which kerberos server the clients talk to. As a test, I removed /etc/krb5.conf and rebooted the client. After reboot, I can still log in and "kinit user" . Removing /etc/krb5.keytab, however would stop user from logging

Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3

2016-11-07 Thread Martin Babinsky
On 11/07/2016 01:31 AM, Prasun Gera wrote: Getting this in yum check all after update to 7.3 ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client: ipa-client-4.4.0-12.el7.x86_64 ipa-client-common-4.4.0-12.el7.noarch has installed conflicts freeipa-client-common:

Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-08 Thread Martin Babinsky
On 11/07/2016 09:11 PM, James Harrison wrote: Hello Sorry didn't explain. The ipa is the default domain, but I also want to use the Windows domain to authenticate, but I want the OS to detect what realm to use in the ssh command. Thanks On Mon, 7 Nov, 2016 at 11:48, Martin Basti

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Martin Babinsky
,u Server-Cert u,u,u PROD.X.COM IPA CA CT,C,C looks just like you suggested. Any other suggestion? On 7 November 2016 at 10:56, Martin Babinsky <mbabi...@r

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-07 Thread Martin Babinsky
On 11/04/2016 04:52 PM, Alessandro De Maria wrote: Hello, I have a FreeIPA installation that is working very nicely, we already have configured many hosts and so far we are quite happy with it. I was trying to connect Ansible to fetch hosts from FreeIPA using the freeipa.py script

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Martin Babinsky
On 10/18/2016 11:22 PM, Bertrand Rétif wrote: Hello, I had an issue with pki-tomcat. I had several certificates that were expired and pki-tomcat did not start anymore. I set the date on the server before certificate expiration and then pki-tomcat starts properly. Then I try to resubmit the

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Martin Babinsky
On 10/19/2016 11:35 AM, James Harrison wrote: Hi James, Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. I have some questions: 1. Does DNS replicate among other replicas if we change/add DNS records? If not can this behaviour be changed? IPA-integrated DNS stores records in

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-18 Thread Martin Babinsky
*From:* Martin Basti <mba...@redhat.com> *Sent:* Tuesday, October 18, 2016 8:40 AM *To:* Deepak Dimri; Martin Babinsky; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7 On 18.10.2016 13:52,

Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

2016-10-17 Thread Martin Babinsky
On 10/18/2016 12:30 AM, Matt . wrote: Hi Guys, I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24 I already checked some info and: ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX Gives me TU instead of MII as expected. Any suggestions further ? Thanks, Matt

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread Martin Babinsky
On 10/25/2016 10:27 AM, bahan w wrote: Hello everyone ! I have an ipa server and an ipa client both in 3.0.0-47. In order to connect via SSH to the host of the ipa-client, I use root. When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab : ### kinit -kt

Re: [Freeipa-users] error; Allocation of a new value

2016-11-24 Thread Martin Babinsky
On 11/24/2016 07:30 PM, lejeczek wrote: On 24/11/16 17:14, lejeczek wrote: hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number of IDs in the range: 20 First RID of the corresponding RID range: 0 Domain SID of

Re: [Freeipa-users] error; Allocation of a new value

2016-11-25 Thread Martin Babinsky
On 11/25/2016 12:48 PM, lejeczek wrote: On 25/11/16 07:52, Martin Babinsky wrote: On 11/24/2016 07:30 PM, lejeczek wrote: On 24/11/16 17:14, lejeczek wrote: hi I see this: 2 ranges matched Range name: xx.id_range First Posix ID of the range: 195240 Number

Re: [Freeipa-users] Add 4.4 replica to 4.3 server fails

2016-11-28 Thread Martin Babinsky
On 11/27/2016 11:38 PM, Jochen Hein wrote: Jochen Hein writes: 2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend

Re: [Freeipa-users] Wrong timestamp on ipaclient-install.log file and authentication problem

2016-11-15 Thread Martin Babinsky
On 11/15/2016 03:45 PM, Tamer Ataol wrote: Hi, I am trying to make ipa-client-install work on Ubuntu 14.04.5. Everything works except it doesn't get ldap users from IPA Master. I dig issue a little bit and found out that ipaclient-install.log under /var/log/ directory uses wrong timestamp.

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky
On 11/16/2016 02:33 PM, Petr Spacek wrote: On 16.11.2016 14:01, Stijn De Weirdt wrote: hi all, we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab). in particular, it looks like it possible to retrieve

Re: [Freeipa-users] Actions for a stolen/compromised IPA Client

2016-11-16 Thread Martin Babinsky
On 11/16/2016 10:04 AM, Paessens, Daniel wrote: Currently am I looking for a workable solution for the following situation: Let's say that an ipa client has been stolen (or compromised). What can we do to block all access from it, towards IPA (and rest) For example if we use the command

Re: [Freeipa-users] [Freeipa-devel] pam_winbind(sshd:auth): pam_get_item returned a password

2016-11-16 Thread Martin Babinsky
On 11/16/2016 10:41 AM, rajat gupta wrote: I am using FreeIPA version 4.4.0 and Active Directory trust setup. on Active Directory side I am using UPN suffix. Following are my setup. AD DOMANIN :- corp.addomain.com UPN suffix :- usern...@mydomain.com

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Martin Babinsky
On 11/16/2016 03:10 PM, Sumit Bose wrote: On Wed, Nov 16, 2016 at 02:41:34PM +0100, Martin Babinsky wrote: On 11/16/2016 02:33 PM, Petr Spacek wrote: On 16.11.2016 14:01, Stijn De Weirdt wrote: hi all, we are looking how to configure whatever relevant policy to minimise the impact

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky
Sean Hogan Martin Babinsky ---11/16/2016 09:33:08 AM---On 11/16/2016 05:14 PM, Sean Hogan wrote: > Hi Jakub, From: Martin Babinsky <mbabi...@redhat.com> To: Sean Hogan/D

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Martin Babinsky
On 11/16/2016 05:14 PM, Sean Hogan wrote: Hi Jakub, Thanks... here is output *klist -ke* [root@server1 rusers]# klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal -- 1 host/server1.ipa.local@IPA.LOCAL

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Martin Babinsky
On 11/17/2016 03:51 PM, Baird, Josh wrote: Hi all, In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, and I seem to be hitting something similar to #5412 [1]. The 'ipa-replica-install' is getting stuck on: [4/26]: creating installation admin user Dirsrv error

Re: [Freeipa-users] Not able to pass through ipa-replica-install on centos 7

2016-10-16 Thread Martin Babinsky
On 10/15/2016 12:41 PM, Deepak Dimri wrote: Thanks Martin for the reply. when i try 'ipa-client-install --uninstall' then i am getting below message: ipa-client-install --uninstall IPA client is configured as a part of IPA server on this system. Refer to ipa-server-install for

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-16 Thread Martin Babinsky
On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote: Hello, IPA 4.3.1 I have a big Problem with my LDAP Read User (ldapbind) I like to install dovecot with IPA, but I must have "mailAternateAddress" I found a Plugin for this, but now I cant read this Attributes :-(. Is this the actual way

Re: [Freeipa-users] help

2016-10-16 Thread Martin Babinsky
On 10/17/2016 02:44 AM, 郑磊 wrote: Hello everyone, I'm using freeipa, and having a test and research with the function of freeipa. At the same time, I have carried on the chinese translation to the web interface, also added own function module in web interface. However, For these changes I

Re: [Freeipa-users] Best and Secure Way for a System Account

2016-10-17 Thread Martin Babinsky
I mean I must have an ACI like access to attribute= Have any a hint or link to understand this Problem? Thanks for an answer and help, On Monday, 17 October 2016, 07:35:26, Martin Babinsky wrote: On 10/16/2016 12:22 PM, Günther J. Niederwimmer wrote: Hello, IPA 4.3.1 I have a

Re: [Freeipa-users] Confirming no extra/special ports need to be opened for replication traffic?

2016-12-14 Thread Martin Babinsky
On 12/14/2016 05:50 PM, Chris Dagdigian wrote: Been reading various generations of documentation to find out if I need additional TCP or UDP ports opened for IPA replication between VPN-connected dataceners. I think the modern answer is no? We just need the standard IPA ports open between all

Re: [Freeipa-users] new IPA Servers

2016-12-01 Thread Martin Babinsky
On 12/01/2016 05:50 PM, Outback Dingo wrote: trying to deploy new ipa servers so i can take down the old ones prior to a move however the install is failing with. zone optimcloud.com. already exists in DNS and is handled by server(s): ipa.optimcloud.com., ipa2.optimcloud.com. so how can i get

Re: [Freeipa-users] Loss of initial master in multi master setup

2016-12-01 Thread Martin Babinsky
On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote: Hi IPA Gurus, I had a 3 site multi master IPA replication setup (1 office and 2 datacentres) with 2 IPA servers at each site. Each server was replicating successfully to 3 other servers (the other local site server and one server at

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-03 Thread Martin Babinsky
On 01/02/2017 11:22 PM, Alan Latteri wrote: I upgraded our FreeIPA server from Cent7.2 to 7.3 which also upgraded freeipa to 4.4. On some clients they failed to re-authenticate post upgrade. I then did an ipa-client-install --uninstall, and then tried re-joining to IPA server with

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Martin Babinsky
On 01/04/2017 07:21 AM, Ben .T.George wrote: HI while trying to create ipa replica, i am getting below error, Replica creation using 'ipa-replica-prepare' to generate replica file is supported only in 0-level IPA domain. The current IPA domain level is 1 and thus the replica must be created

Re: [Freeipa-users] FreeIPA 4.4 - Can't find topology segment, nsunique attribute

2016-12-22 Thread Martin Babinsky
On 12/22/2016 09:31 AM, Georgijs Radovs wrote: Hello everyone! Today, I've updated 2 FreeIPA servers from version 4.2 to version 4.4. Both of these servers are Masters and CAs, both are replicating between each other. But, when I run *ipa topologysegment-find* to view replication agreements

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-22 Thread Martin Babinsky
On 12/21/2016 07:22 PM, Brian J. Murrell wrote: On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote: Okay, I believe that this is the problem: On 21.12.2016 15:53, Brian J. Murrell wrote: [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection from local to

Re: [Freeipa-users] Funny Looking Records

2017-03-24 Thread Martin Babinsky
These are replication conflicts, please consult https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html on how to handle the

Re: [Freeipa-users] consumer replica which does not show up in ruv list

2017-03-07 Thread Martin Babinsky
uestion, how did you end up with such entry? Did you happen to upgrade multiple IPA masters at once? -- Martin Babinsky