Re: [Freeipa-users] unhappy replication?

2014-09-17 Thread thierry bordaz
On 09/09/2014 04:39 PM, Kat wrote: Anyone seen this before -- 2 freshly kicked CentOS 7 installs: On the replica from the ipa-replica-install : reports: Update failed! Status: [10 Total update abortedLDAP error: Referral] Your system may be partly configured. Run /usr/sbin/ipa-server-install

Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade

2014-11-19 Thread thierry bordaz
On 11/18/2014 07:44 PM, Will Sheldon wrote: No, not resolved yet I did test with GSSAPI (-Y) and like you it worked. :( Hello, Would it be possible to get server1/server2 logs (error/access) and config (dse.ldif) ?. Turning on replication logs would help (

Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade

2014-11-20 Thread thierry bordaz
it be possible to increase its value (5Mb) to see if it has an impact Thanks thierry On 11/19/2014 09:49 AM, thierry bordaz wrote: On 11/18/2014 07:44 PM, Will Sheldon wrote: No, not resolved yet I did test with GSSAPI (-Y) and like you it worked. :( Hello, Would it be possible to get server1/server2

Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade

2014-11-20 Thread thierry bordaz
On 11/20/2014 12:03 PM, dbisc...@hrz.uni-kassel.de wrote: Hi, On Thu, 20 Nov 2014, thierry bordaz wrote: Server1 successfully replicated to Server2, but Server2 fails to replicate to Server1. The replication Server2-Server1 is done with kerberos authentication. Server1 receives

Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread thierry bordaz
On 12/05/2014 10:03 AM, thierry bordaz wrote: On 12/05/2014 10:00 AM, Martin Kosek wrote: On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all

Re: [Freeipa-users] strange error - disconnecting a replica?

2014-12-05 Thread thierry bordaz
On 12/05/2014 10:00 AM, Martin Kosek wrote: On 12/03/2014 06:23 PM, Janelle wrote: Hi all.. Was on vacation - now I'm back. Have a new problem I thought I would run by you -- I have replica agreements between a server and 3 others. They all show up in ipa-replica-manage list, BUT when I

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-09 Thread thierry bordaz
Hello, Niranjan, may I have access to your test machine. thanks theirry On 12/09/2014 10:01 AM, Martin Kosek wrote: On 12/07/2014 03:01 PM, Niranjan M.R wrote: On 12/06/2014 12:24 AM, Dmitri Pal wrote: Hello, WE NEED HELP! The biggest and the most interesting feature of FreeIPA 4.1.2 is

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-09 Thread thierry bordaz
On 12/09/2014 10:48 AM, Niranjan M.R wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2014 02:57 PM, thierry bordaz wrote: Hello, Niranjan, may I have access to your test machine. It's a vm on my laptop. I am trying to reproduce on another VM to which i can give access. I

Re: [Freeipa-users] Unit pki-tomcatd@pki-tomcat.service entered failed state @ vanilla install on jessie – with log attached

2014-12-09 Thread thierry bordaz
On 12/09/2014 01:54 PM, chymian wrote: hey people, after a successful install of ipa 4.0.5-2 on jessie, the named services started flawless during setup. see attached log, Installation summary (line 3107) but after reboot, it refuses to start. (did this install a couple times, on vanilla

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-09 Thread thierry bordaz
On 12/09/2014 11:15 AM, thierry bordaz wrote: On 12/09/2014 10:48 AM, Niranjan M.R wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2014 02:57 PM, thierry bordaz wrote: Hello, Niranjan, may I have access to your test machine. It's a vm on my laptop. I am trying to reproduce

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-09 Thread thierry bordaz
On 12/09/2014 04:07 PM, thierry bordaz wrote: On 12/09/2014 11:15 AM, thierry bordaz wrote: On 12/09/2014 10:48 AM, Niranjan M.R wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2014 02:57 PM, thierry bordaz wrote: Hello, Niranjan, may I have access to your test machine. It's

Re: [Freeipa-users] Unit pki-tomcatd@pki-tomcat.service entered failed state @ vanilla install on jessie – with log attached

2014-12-10 Thread thierry bordaz
On 12/09/2014 11:52 PM, chymian wrote: On Tuesday, 9 December 2014, 14:10:48, thierry bordaz wrote: On 12/09/2014 01:54 PM, chymian wrote: hey people, after a successful install of ipa 4.0.5-2 on jessie, the named services started flawless during setup. see attached log, Installation

Re: [Freeipa-users] [Freeipa-interest] Announcing FreeIPA 4.1.2 - NEED HELP WITH 2FA/OTP!!!

2014-12-11 Thread thierry bordaz
On 12/11/2014 08:56 AM, Niranjan M.R wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/09/2014 11:14 PM, thierry bordaz wrote: On 12/09/2014 04:07 PM, thierry bordaz wrote: On 12/09/2014 11:15 AM, thierry bordaz wrote: On 12/09/2014 10:48 AM, Niranjan M.R wrote: On 12/09/2014 02:57

Re: [Freeipa-users] Replica re-initialization

2014-12-12 Thread thierry bordaz
On 12/12/2014 02:00 PM, Martin Kosek wrote: On 12/11/2014 06:19 PM, Matt Chesler wrote: I have a cluster of four IPA masters that should be performing fully meshed replication. I discovered yesterday that a recently created user only existed on a single master. After looking through all four

Re: [Freeipa-users] Unable to remove nsTombstone objects

2015-03-19 Thread thierry bordaz
On 03/18/2015 07:21 PM, Rich Megginson wrote: On 03/18/2015 11:07 AM, Kim Perrin wrote: ah, good question. Relevant errors around trying to use the ldif I included to remove replica ID 97 -- [18/Mar/2015:04:01:51 +] NSMMReplicationPlugin - CleanAllRUV Task: Waiting for all the replicas to

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread thierry bordaz
replica Identifier (1685,1690,1695 and 1585,1590,1595). Some of those Replica Identifiers are likely old ones that need to be cleared. Did you run CLEANRUV ? thanks thierry On 03/24/2015 11:20 AM, Łukasz Jaworski wrote: Hi, Message written by thierry bordaz tbor...@redhat.com on 24 Mar 2015

Re: [Freeipa-users] What am I missing? ipaca?

2015-03-24 Thread thierry bordaz
On 03/24/2015 09:49 AM, Łukasz Jaworski wrote: Message written by Martin Kosek mko...@redhat.com on 23 Mar 2015, at 12:04: On 03/23/2015 04:07 AM, Janelle wrote: attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa1.example.com:389/o%3Dipaca) failed. Hm, I do not met

Re: [Freeipa-users] understanding RUVs?

2015-04-21 Thread thierry bordaz
On 04/21/2015 09:11 AM, Martin Kosek wrote: On 04/21/2015 01:26 AM, Janelle wrote: Hello, When I was working with OpenLDAP, and AD - and did not deal with RUVs the way I am with 389-ds and IPA. I am trying to understand what is normal for values. If I am looking at this (and seem to have no

Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread thierry bordaz
On 04/29/2015 07:15 PM, Andy Thompson wrote: -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 29, 2015 1:07 PM To: Andy Thompson Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 05:58 PM, Andy Thompson wrote: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0abc1a8,cn=username,cn=groups,c n=accounts,dc=mhbenp,dc=lin nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343- f0abc1a8,cn=username,cn=groups,c n=accounts,dc=mhbenp,dc=lin nscpentrywsi:

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 06:45 PM, Andy Thompson wrote: -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 29, 2015 12:28 PM To: Andy Thompson Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04/29

Re: [Freeipa-users] deleting ipa user

2015-04-30 Thread thierry bordaz
On 04/30/2015 12:41 PM, Andy Thompson wrote: You got a first replica where you failed to delete the entry. You got a second replica where you succeeded to delete the entry. On first replica you can see messages like: [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 02:43 PM, Andy Thompson wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 29, 2015 8:31 AM To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] deleting ipa user On 04/29/2015

Re: [Freeipa-users] deleting ipa user

2015-04-29 Thread thierry bordaz
On 04/29/2015 05:35 PM, Andy Thompson wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 29, 2015 11:28 AM To: Andy Thompson Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] deleting ipa user On 04

Re: [Freeipa-users] Problem with replication

2015-05-06 Thread thierry bordaz
This is looking like thread 13 prevents thread 12 run (and all the others). Now thread 13 is likely waiting for db page? We may need output of db_stat (db_state -N -h /var/lib/dirsrv/slapd-xxx/db/ -CA) thanks thierry On 05/06/2015 11:31 AM, Łukasz Jaworski wrote: ldapsearch hangs. Dirsrv is

Re: [Freeipa-users] more replication fun

2015-05-07 Thread thierry bordaz
On 05/07/2015 05:39 AM, Janelle wrote: On 5/6/15 8:12 PM, Vaclav Adamec wrote: Hi, Mike Reynolds recommend cleanallruv script (IPA RUV unable to decode thread), if you are sure that's not any live replica server behind this id than just try cleanallruv.pl -w X -b dc= -r 9 Vasek On

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-18 Thread thierry bordaz
On 05/15/2015 05:11 PM, James James wrote: ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . Hi James, Unfortunately there is no workaround. This is a timing issue mostly seen when the master is more powerful than the consumer. If you are using VM you may try to get

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread thierry bordaz
On 05/19/2015 07:47 AM, Martin Kosek wrote: On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users

Re: [Freeipa-users] replication again :-(

2015-05-19 Thread thierry bordaz
On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running for 6 days no issues. No new accounts or changes (maybe a few users changing

Re: [Freeipa-users] Slow user logon with IPA

2015-04-14 Thread thierry bordaz
On 04/14/2015 05:36 PM, Mateusz Malek wrote: On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote: On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote: On 04/10/2015 08:13 AM, Mateusz Malek wrote: I'm about to migrate my OpenLDAP-based environment to FreeIPA, however I've hit some

Re: [Freeipa-users] Errors in dirsrv logs

2015-04-16 Thread thierry bordaz
On 04/16/2015 09:52 AM, Alexander Frolushkin wrote: Hello again. Now, in addition to connection - conn= fd=xxx Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize attribute in cn=config to increase. messages, we have on six of our 16

Re: [Freeipa-users] Replica status 'last update ended'

2015-04-13 Thread thierry bordaz
On 04/13/2015 08:31 AM, Martin Kosek wrote: On 04/11/2015 11:34 AM, Christoph Kaminski wrote: Hi All with the cmd: ipa-replica-manage -v list myipaserver I can see the status of the replication... But I dont understand the field 'last update ended'. What shows the field? The last

Re: [Freeipa-users] Replication issues

2015-04-06 Thread thierry bordaz
Hello Prashant, If you are able to reproduce the problem (ipasshpubkey not replicated), would you enable replication and plugin logging (http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#Troubleshooting) and provide the access/errors logs ? thanks thierry On

Re: [Freeipa-users] Replication issues

2015-04-07 Thread thierry bordaz
On 04/07/2015 10:51 AM, Prashant Bapat wrote: Hi Thierry, Thanks for the reply. Turned out that the slapi-plugin was not ignoring the replicated operations. Problem solved. Great news ! regards thierry Regards. --Prashant On 6 April 2015 at 23:25, thierry bordaz tbor...@redhat.com

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread thierry bordaz
On 04/08/2015 12:36 PM, Alexander Frolushkin wrote: -Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 08, 2015 4:18 PM To: Martin Kosek Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz Subject: Re: [Freeipa-users

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-08 Thread thierry bordaz
On 04/08/2015 02:19 PM, Alexander Frolushkin wrote: On one of accidentally upgraded server I have following error in dirsrv logs: [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-09 Thread thierry bordaz
On 04/09/2015 07:51 AM, Martin Kosek wrote: On 04/09/2015 05:59 AM, Alexander Frolushkin wrote: -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 08, 2015 6:36 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

2015-04-09 Thread thierry bordaz
On 04/09/2015 07:59 AM, Alexander Frolushkin wrote: -Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Thursday, April 09, 2015 11:51 AM To: Alexander Frolushkin (SIB); 'thierry bordaz' Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com Subject: Re: [Freeipa-users

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz
On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz
On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really

Re: [Freeipa-users] Which client is noisy?

2015-06-02 Thread thierry bordaz
On 06/01/2015 05:10 PM, Innes, Duncan wrote: Petr, We're using a different domain for IPA thankfully (unix.example.com), but the AD guys control DNS and don't want to touch anything in the DNS that might affect their example.com records. Everything is on the same VLANs, so I didn't want to

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread thierry bordaz
GMT+02:00 thierry bordaz tbor...@redhat.com mailto:tbor...@redhat.com: On 05/15/2015 05:11 PM, James James wrote: ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . Hi James, Unfortunately there is no workaround. This is a timing issue mostly seen

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread thierry bordaz
Hi, Would you update your master to 389-ds-base-1.2.11.15-56.el6, before attempting the upgrade to 7 ? thanks thierry On 06/08/2015 12:30 PM, James James wrote: My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks. 2015-06-08 10:25 GMT+02:00 thierry bordaz tbor

Re: [Freeipa-users] Antwort: clean-run doesn't work

2015-06-22 Thread thierry bordaz
On 06/22/2015 10:22 AM, Tamas Papp wrote: On 06/19/2015 11:12 AM, Christoph Kaminski wrote: for this problem you can see the thread Haunted servers? here on ml. There is a solution from me for this but it doesnt work 100% :/ I would rather rerun the replication. we have a Ticket @Red Hat

Re: [Freeipa-users] Antwort: Re: thousands DSRetroclPlugin mesages

2015-06-24 Thread thierry bordaz
On 06/24/2015 10:02 AM, Christoph Kaminski wrote: freeipa-users-boun...@redhat.com wrote on 29.04.2015 17:51:46: On 29.04.2015 at 15:43, Ludwig Krispenz wrote: On 04/29/2015 03:17 PM, Martin (Lists) wrote: On 27.04.2015 at 09:45, Ludwig Krispenz wrote: On 04/26/2015 10:49 AM,

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

2015-06-22 Thread thierry bordaz
On 06/22/2015 11:50 AM, Tamas Papp wrote: Fascinating. Can you Red Hat guys reproduce this in you test environment? Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS. About the test case, you installed a server+replicas (version ?), then turn on errorlog-level (do you

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

2015-06-22 Thread thierry bordaz
On 06/22/2015 02:39 PM, Tamas Papp wrote: On 06/22/2015 02:20 PM, thierry bordaz wrote: On 06/22/2015 11:50 AM, Tamas Papp wrote: Fascinating. Can you Red Hat guys reproduce this in you test environment? Most of my tests are on RHEV with RHEL 7.1, I have not seen a crash of DS. About

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

2015-06-23 Thread thierry bordaz
- replace: nsslapd-accesslog-level nsslapd-accesslog-level:256 EOF After this, IO was increased significantly. Two of servers hangs after some time, a lot of dups appears on most IPA servers in domain. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 *From:*thierry bordaz [mailto:tbor

Re: [Freeipa-users] replication conflicts

2015-06-17 Thread thierry bordaz
hangs and was restarted. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 *From:*Ludwig Krispenz [mailto:lkris...@redhat.com] *Sent:* Wednesday, June 17, 2015 5:34 PM *To:* Alexander Frolushkin (SIB) *Cc:* 'thierry bordaz'; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users

Re: [Freeipa-users] replication conflicts

2015-06-17 Thread thierry bordaz
-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site servers from normal servers could help? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 *From:*thierry bordaz [mailto:tbor...@redhat.com] *Sent:* Wednesday, June 17, 2015 3:15 PM *To:* Alexander

Re: [Freeipa-users] replication conflicts

2015-06-17 Thread thierry bordaz
Hello Alexander, How did you initialize that new replica 26. Either 'cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=unix,dc=megafon,dc=ru' was not part of the total init data, or a DEL of that entry happened on replica 26 (before a new ADD) but the DEL was not replicated to

Re: [Freeipa-users] replication conflicts

2015-06-17 Thread thierry bordaz
...@redhat.com] *Sent:* Wednesday, June 17, 2015 3:53 PM *To:* thierry bordaz *Cc:* Alexander Frolushkin (SIB); freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] replication conflicts On 06/17/2015 11:45 AM, thierry bordaz wrote: On 06/17/2015 11:22 AM, Alexander Frolushkin wrote

Re: [Freeipa-users] replication conflicts

2015-06-17 Thread thierry bordaz
conflicts. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 *From:*thierry bordaz [mailto:tbor...@redhat.com] *Sent:* Wednesday, June 17, 2015 6:16 PM *To:* Alexander Frolushkin (SIB) *Cc:* 'Ludwig Krispenz'; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] replication conflicts

Re: [Freeipa-users] Migration error?

2015-06-16 Thread thierry bordaz
On 06/16/2015 09:02 AM, Ludwig Krispenz wrote: On 06/16/2015 05:07 AM, Janelle wrote: On 6/15/15 1:12 PM, Rob Crittenden wrote: Janelle wrote: On 6/15/15 6:36 AM, Rob Crittenden wrote: Usually means there is a replication conflict entry. You may be able to get more details on what failed

Re: [Freeipa-users] Antwort: Re: Haunted servers?

2015-05-29 Thread thierry bordaz
On 05/29/2015 08:16 AM, Christoph Kaminski wrote: freeipa-users-boun...@redhat.com wrote on 28.05.2015 13:23:26: From: Alexander Frolushkin alexander.frolush...@megafon.ru To: 'thierry bordaz' tbor...@redhat.com Cc: freeipa-users@redhat.com freeipa-users@redhat.com Date: 28.05.2015 13

Re: [Freeipa-users] Which client is noisy?

2015-06-01 Thread thierry bordaz
Hello, From a DS point of view, you may use logconv.pl to get a rapid summary of the received activity (DS access logs). You may take the same period of time on each server and compare the results. It will give hints to know if the difference comes from bind, connections, replication session,

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
to get it away with help of Red Hat support, but at this point - no luck... WBR, Alexander Frolushkin -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Janelle Sent: Tuesday, May 26, 2015 8:56 PM To: thierry bordaz; Martin

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
, they requested dirsrv logs from hanged server and from servers where error appeared again. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Thursday, May 28, 2015 1:24 PM To: Alexander Frolushkin (SIB

Re: [Freeipa-users] Haunted servers?

2015-05-28 Thread thierry bordaz
Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Thursday, May 28, 2015 1:49 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users@redhat.com; 'Janelle' Subject: Re: [Freeipa-users] Haunted servers? On 05/28/2015 09:33 AM

Re: [Freeipa-users] changing the default for changelog trimmimg

2015-07-03 Thread thierry bordaz
On 07/03/2015 02:03 PM, Petr Spacek wrote: On 3.7.2015 11:45, thierry bordaz wrote: On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: Hi, 389-ds allows to configure the max size of the replication changelog either by setting a maximum record number or a maximum age of changes. freeIPA does

Re: [Freeipa-users] changing the default for changelog trimmimg

2015-07-03 Thread thierry bordaz
On 07/03/2015 02:28 PM, Petr Spacek wrote: On 3.7.2015 14:21, thierry bordaz wrote: On 07/03/2015 02:03 PM, Petr Spacek wrote: On 3.7.2015 11:45, thierry bordaz wrote: On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: Hi, 389-ds allows to configure the max size of the replication changelog

Re: [Freeipa-users] dirsrv access logs flooded from single connection id

2015-07-02 Thread thierry bordaz
On 06/29/2015 06:34 PM, Andrew E. Bruno wrote: On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote: On 06/29/2015 10:13 AM, Andrew E. Bruno wrote: Our dirsrv access logs on our freeipa master server are getting flooded with this: [29/Jun/2015:12:02:09 -0400] conn=215758

Re: [Freeipa-users] dirsrv access logs flooded from single connection id

2015-07-02 Thread thierry bordaz
On 07/02/2015 04:14 PM, Andrew E. Bruno wrote: On Thu, Jul 02, 2015 at 11:04:00AM +0200, thierry bordaz wrote: On 06/29/2015 06:34 PM, Andrew E. Bruno wrote: On Mon, Jun 29, 2015 at 10:29:24AM -0600, Rich Megginson wrote: On 06/29/2015 10:13 AM, Andrew E. Bruno wrote: Our dirsrv access logs

Re: [Freeipa-users] changing the default for changelog trimmimg

2015-07-03 Thread thierry bordaz
On 06/30/2015 03:54 PM, Ludwig Krispenz wrote: Hi, 389-ds allows to configure the max size of the replication changelog either by setting a maximum record number or a maximum age of changes. freeIPA does not use this setting. In the context of ticket

Re: [Freeipa-users] replication again :-(

2015-05-22 Thread thierry bordaz
On 05/21/2015 06:09 PM, Janelle wrote: On 5/21/15 8:12 AM, Ludwig Krispenz wrote: On 05/21/2015 03:59 PM, Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread thierry bordaz
On 05/21/2015 01:36 PM, Janelle wrote: On 5/20/15 7:53 AM, Mark Reynolds wrote: On 05/20/2015 10:17 AM, thierry bordaz wrote: On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote

Re: [Freeipa-users] Haunted servers?

2015-05-26 Thread thierry bordaz
On 05/26/2015 08:47 AM, Martin Kosek wrote: On 05/26/2015 12:20 AM, Janelle wrote: On 5/24/15 3:12 AM, Janelle wrote: And just like that, my haunted servers have all returned. I am going to just put a gun to my head and be done with it. :-( Why do things run perfectly and then suddenly ???

Re: [Freeipa-users] Sudden replication failure

2015-08-19 Thread thierry bordaz
On 08/18/2015 08:39 PM, Martin Kosek wrote: On 08/10/2015 10:05 PM, Burke Rosen wrote: Hello, I'm running two replicated freeIPA servers. One of them spontaneously failed. After taking the misbehaving server down, the remaining replicant handled everything fine. I restored the system to its

Re: [Freeipa-users] 3/4 replica failure - unknown reasons why

2015-11-12 Thread thierry bordaz
On 11/11/2015 04:20 PM, Andrew Krause wrote: Yesterday I came in to 3 of my 4 freeipa replicas in an unusable state and replication was not connecting any of the hosts to each other. My first/primary host was still servicing authentication requests, but the others were in varying states of

Re: [Freeipa-users] 3/4 replica failure - unknown reasons why

2015-11-13 Thread thierry bordaz
% or more of our authentication requests. The other 3 nodes are basically just a hot standby. At this point we’re hoping it was a fluke, we’ve tightened our monitoring and awareness since we have no way to explain the root cause. On Nov 12, 2015, at 2:38 AM, thierry bordaz <tbor...@redhat.com>

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-07 Thread thierry bordaz
On 10/07/2015 11:19 AM, Martin Kosek wrote: On 10/05/2015 02:13 PM, Dominik Korittki wrote: On 01.10.2015 at 21:52, Rob Crittenden wrote: Dominik Korittki wrote: Hello folks, I am running two FreeIPA Servers with around 100 users and around 15.000 hosts, which are used by users to login

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-07 Thread thierry bordaz
On 10/07/2015 05:03 PM, Dominik Korittki wrote: On 07.10.2015 at 15:25, thierry bordaz wrote: On 10/07/2015 11:19 AM, Martin Kosek wrote: On 10/05/2015 02:13 PM, Dominik Korittki wrote: On 01.10.2015 at 21:52, Rob Crittenden wrote: Dominik Korittki wrote: Hello folks, I am running two

Re: [Freeipa-users] stubborn old replicas

2015-08-27 Thread thierry bordaz
On 08/27/2015 09:41 AM, Ludwig Krispenz wrote: On 08/27/2015 09:08 AM, Martin Kosek wrote: On 08/26/2015 05:31 PM, Simo Sorce wrote: On Wed, 2015-08-26 at 06:36 -0700, Janelle wrote: Hello all, My biggest problem is losing replicas and then trying to delete the entries and rebuild them.

Re: [Freeipa-users] Search 'hosts'

2015-09-14 Thread thierry bordaz
On 09/14/2015 08:18 AM, Martin Kosek wrote: On 09/12/2015 01:12 AM, Craig White wrote: ipa-server-4.1.0-18.el7_1.4.x86_64 Maybe I was spoiled but from the web ui, I can't seem to search for hosts or DNS names - all searches seem to return nothing at all User searches work (thankfully)

Re: [Freeipa-users] user delete command hangs kdc and ldap stop responding

2015-09-22 Thread thierry bordaz
Hi, If it hangs again, could you get a pstack of the slapd process And also dump the db info 'db_stat -h /var/lib/dirsrv/slapd-/db -N -CA'. This would help to know which thread holds the lock that that blocks those operations ? thanks thierry On 09/18/2015 09:20 PM, HECTOR LOPEZ

Re: [Freeipa-users] Want faster user-add

2016-01-04 Thread thierry bordaz
On 01/04/2016 01:03 PM, Martin Kosek wrote: On 12/22/2015 04:16 PM, Simo Sorce wrote: On Tue, 2015-12-22 at 10:24 +0100, thierry bordaz wrote: On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote: Hi all, Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core 256-GB RAM Oracle x4470 M2

Re: [Freeipa-users] Want faster user-add

2015-12-22 Thread thierry bordaz
On 12/21/2015 05:55 PM, Daryl Fonseca-Holt wrote: Hi all, Environment: RHEL6 with IPA 3.0 at current RedHat level. 64-core 256-GB RAM Oracle x4470 M2. During our migration from NIS on Solaris 140,000+ accounts will be added. After tuning per the guides dbmon.sh shows no roevicts and we get

Re: [Freeipa-users] Preserved users not replicated to new master (FreeIPA 4.2.0)

2016-02-29 Thread thierry bordaz
Hi Justin, I was trying to reproduce this but I think I am missing some steps. Do you mind reviewing my testcase to check what is missing ? The test case is : install master M, prepare replica (+copy of gpg), install replica (new master) R. On R: * Authenticate as

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread thierry bordaz
On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters a Error. NSMMReplicationPlugin - replication keep alive entry

Re: [Freeipa-users] IPA wont start, all services fail

2016-01-20 Thread thierry bordaz
On 01/20/2016 09:20 AM, Alexander Bokovoy wrote: On Tue, 19 Jan 2016, Simpson Lachlan wrote: -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Let's start from the beginning: - What distribution you are running? Centos, Linux release 7.2.1511 (Core) -

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-11 Thread thierry bordaz
Hello Deryl, My understanding is that ns-slapd is first slow to startup. Then when krb5kdc is starting it may load ns-slapd. We identified krb5kdc may be impacted by the number of users accounts. From the ns-slapd errors log it is not clear why it is so slow to start. Would

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-14 Thread thierry bordaz
by the number of users. You may issue something like 'ipa user-find ' and the access log should show if the authentication phase is really slow. thanks theirry On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote: On 03/11/16 02:40, thierry bordaz wrote: Hello Deryl, My understanding

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-15 Thread thierry bordaz
as an experiment for now. I need to advance the project into High Availability testing but cannot do so without a functioning replica. Regards, Daryl On 03/14/16 09:20, thierry bordaz wrote: Hi Daryl, Thanks for all the data. I will look at the pstacks. A first look shows that you capture import, bind

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-11 Thread thierry bordaz
missed the link) and will be back to you. have a good week end thierry On 03/11/2016 02:52 PM, Daryl Fonseca-Holt wrote: On 03/11/16 02:40, thierry bordaz wrote: Hello Deryl, My understanding is that ns-slapd is first slow to startup. Then when krb5kdc is starting it may load ns-slapd

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-14 Thread thierry bordaz
cah/ipa/slapd-pstacks.console Thanks, Daryl On 03/11/16 02:40, thierry bordaz wrote: Hello Deryl, My understanding is that ns-slapd is first slow to startup. Then when krb5kdc is starting it may load ns-slapd. We identified krb5kdc may be impacted by the number of users accou

Re: [Freeipa-users] Replication time and relation to cache size

2016-07-07 Thread thierry bordaz
On 07/07/2016 03:47 PM, Martin Kosek wrote: On 06/21/2016 05:19 PM, Ash Alam wrote: anyone have any thoughts on this? Thank You On Fri, Jun 10, 2016 at 2:59 PM, Ash Alam wrote: Hello I have been going through the lists

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-31 Thread thierry bordaz
On 01/31/2017 03:37 PM, Harald Dunkel wrote: Hi Thierry, On 01/30/17 09:10, thierry bordaz wrote: I understand your concern and in fact it is difficult to anticipate a potential bad impact of this cleanup. However, I think it is safe to get rid of the following entry. Before doing so you

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-23 Thread thierry bordaz
On 01/23/2017 08:43 AM, Harald Dunkel wrote: Hi Thierry, On 01/20/17 14:17, thierry bordaz wrote: I agree that it is looking like the conflict entry is the most up-to-date one. To try to repair, it would help if you can search groups cn=System: Read DNS Configuration,cn=permissions,cn=pbac

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-23 Thread thierry bordaz
On 01/23/2017 05:09 PM, Harald Dunkel wrote: Hi Thierry, On 01/23/17 11:59, thierry bordaz wrote: We need to get a clear status before trying to swap them. For example in your attachment the valid entry is member of 'DNS Admin' while the conflict one is not. So possibly the valid entry

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-24 Thread thierry bordaz
On 01/24/2017 04:18 PM, Harald Dunkel wrote: Hi Thierry, On 01/24/17 15:01, thierry bordaz wrote: Hopefully yes, but there were 2 conflicts that already made some problems: deleting entry "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-24 Thread thierry bordaz
On 01/24/2017 12:36 PM, Harald Dunkel wrote: Hi Thierry, On 01/23/17 17:45, thierry bordaz wrote: On 01/23/2017 05:09 PM, Harald Dunkel wrote: I created a full replica (including CA) in an LXC container today ("ipabak"). The idea is to take a snapshot of the whole container,

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-26 Thread thierry bordaz
On 01/26/2017 10:55 AM, Harald Dunkel wrote: Hi Thierry, good news: I got rid of most of the conflicting entries. There are only 2 left (see below). They look circular somehow. That is excellent news. Great! Please note that the unwanted list of ipa servers is empty. The official list

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-30 Thread thierry bordaz
On 01/27/2017 12:51 PM, Harald Dunkel wrote: Hi Thierry, On 01/26/17 16:55, thierry bordaz wrote: Those entries are managed entries and it is not possible to delete them from direct ldap command. A solution proposed by Ludwig is not first make them unmanaged: cn=ipaservers+nsuniqueid

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-24 Thread thierry bordaz
On 01/24/2017 02:22 PM, Harald Dunkel wrote: On 01/24/17 12:57, thierry bordaz wrote: If I understand correctly the iterations of development I do not understand why, at this point, you need to reconnect ipabak. After you create ipabak replica, you take a snapshot of it (let ipabak_0

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-20 Thread thierry bordaz
On 01/20/2017 12:23 PM, Harald Dunkel wrote: On 01/18/17 16:22, Ludwig Krispenz wrote: I think the procedure in the link about renaming is only needed if you want to keep both entries with a "normal" dn. But you want to get rid of the conflict entries. Since you have to cleanup each of

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-09-05 Thread thierry bordaz
b.com/richm/scripts/wiki/dbmon.sh <https://github.com/richm/scripts/wiki/dbmon.sh> thanks Rakesh On Mon, Aug 29, 2016 at 8:16 PM, thierry bordaz <tbor...@redhat.com> wrote: H

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-29 Thread thierry bordaz
-dbcachesize and nsslapd-cachememsize to 200MB I will again start migrating hosts back to IPA and see if I face the earlier issue. I will update back once I have something Thanks, Rakesh On Thu, Aug 25, 2016 at 2:17 PM, thierry bordaz <tbor...@redhat.c

Re: [Freeipa-users] Replication broken

2016-09-27 Thread thierry bordaz
Hi Timothy, The changenumber counter is protected by a lock and we should not see duplicate value.. except if there is a bug :-( Retrieving the time when changenumber=112697,cn=changelog was created and the time when you saw the error, can you see any error in operations (access log) or in

Re: [Freeipa-users] Replication broken

2016-09-27 Thread thierry bordaz
, thierry bordaz wrote: Hi Timothy, The changenumber counter is protected by a lock and we should not see duplicate value.. except if there is a bug :-( Retrieving the time when changenumber=112697,cn=changelog was created and the time when you saw the error, can you see any error in operations

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400]
