Re: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-15 Thread Lukas Slebodnik
On (13/05/17 06:52), Harald Dunkel wrote:
>Hi folks,
>
>RHEL 7.3, sssd 1.14.0:
>
>If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
>(without telling why) and users cannot login. *Extremely* painful.
>
>Do you think ipa-client-install could add
>
> selinux_provider =

[Freeipa-users] ipa-client-install: please look for SELINUX=disabled

2017-05-12 Thread Harald Dunkel
Hi folks, RHEL 7.3, sssd 1.14.0: If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail (without telling why) and users cannot login. *Extremely* painful. Do you think ipa-client-install could add
    selinux_provider = none
to the generated sssd.conf file, if selinux is

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-09 Thread Harald Dunkel
On 03/05/17 11:47, Timo Aaltonen wrote:
>
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
>
> services = nss, sudo, pam, ssh
>
>

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-05 Thread Timo Aaltonen
On 03.03.2017 16:53, Rob Crittenden wrote: > Harald Dunkel wrote: >> On 03/03/17 10:14, Jakub Hrozek wrote: >>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote: This is systemd-only? Wouldn't it be better to create a working sssd.conf, no matter what? >>> >>>

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Rob Crittenden
Harald Dunkel wrote:
> On 03/03/17 10:14, Jakub Hrozek wrote:
>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>
>>> This is systemd-only?
>>>
>>> Wouldn't it be better to create a working sssd.conf, no matter
>>> what?
>>
>> It is up to whoever is creating the sssd.conf. As I

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
On 03/03/17 10:14, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>
>> This is systemd-only?
>>
>> Wouldn't it be better to create a working sssd.conf, no matter
>> what?
>
> It is up to whoever is creating the sssd.conf. As I said, the change is
>

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
> Hi Jakub,
>
> On 03/03/17 09:32, Jakub Hrozek wrote:
> > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> >> Hi folks,
> >>
> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> >> Debian Stretch
> >

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Harald Dunkel
Hi Jakub,
On 03/03/17 09:32, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
>> Debian Stretch
> ~~
> This is important I guess.
>
> Since SSSD 1.15, SSSD allows to

Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-03 Thread Jakub Hrozek
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
>
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
~~
This is important I guess.
Since SSSD 1.15, SSSD allows to socket-activate the services, so it is no longer required to have them

[Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-02 Thread Harald Dunkel
Hi folks, running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian Stretch ipa-client-install creates a bad sssd.conf file, e.g.
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider =

Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob. For reference, my full log can be found here: http://pastebin.com/6VLaQjYw But I would postulate that the interesting bit is this:
> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>
> ;; flags:; ZONE: 0,

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off... new to the list, thank you in advance for your assistance! My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with an Windows

Re: [Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Rakesh Rajasekharan
thanks for the inputs.. the issue was with my network, I was able to resolve it adding in the NETWORKING_IPV6=no in /etc/sysconfig/network possibly it was using IPv6 resolution and that was failing On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek wrote: > On 27.7.2016

Re: [Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Petr Spacek
On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running ipa server 4.2 and set it up without using "--setup-dns=no".
>
> On few clients the installation fails with the below error message.
>
>
> I verified that the ipa master dns is resolvable. Not sure what could be
> wrong

[Freeipa-users] ipa-client install failurres, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-27 Thread Rakesh Rajasekharan
Hi, I am running ipa server 4.2 and set it up without using "--setup-dns=no". On few clients the installation fails with the below error message. I verified that the ipa master dns is resolvable. Not sure what could be wrong here.. Joining realm failed: libcurl failed to execute the HTTP

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Rob Crittenden
<rcrit...@redhat.com> *Sent:* 05 July 2016 18:01 *To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com *Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query Neal Harrington | i-Neda Ltd wrote: Hi, I have successfully installed FreeIPA server version

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-06 Thread Neal Harrington | i-Neda Ltd
already tried this several times. Thanks again, Neal. From: Rob Crittenden <rcrit...@redhat.com> Sent: 05 July 2016 18:01 To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ss

Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Rob Crittenden
Neal Harrington | i-Neda Ltd wrote: Hi, I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc

[Freeipa-users] ipa-client-install --ssh-trust-dns and user ssh key query

2016-07-05 Thread Neal Harrington | i-Neda Ltd
Hi, I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2, including replication between servers. I have a few dozen Ubuntu 14.04 servers joined into IPA for authentication with various user groups controlling access, sudo permissions etc and overall I'm very happy. I

Re: [Freeipa-users] ipa-client-install

2016-06-10 Thread Martin Basti
On 09.06.2016 22:36, David Zabner wrote: Occasionally in our system we will see a failure in ipa-client-install script and the cleanup will leave around the host in ipa. This means that all future client installs fail because the host already exists. Is there any way to make sure that

[Freeipa-users] ipa-client-install

2016-06-09 Thread David Zabner
Occasionally in our system we will see a failure in ipa-client-install script and the cleanup will leave around the host in ipa. This means that all future client installs fail because the host already exists. Is there any way to make sure that failures cause the host to be cleaned up? Is

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
, 2016 4:16 PM To: Gady Notrica Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors On (20/04/16 20:10), Gady Notrica wrote: >[root@cd-s-prd-db1 krb5.include.d]# ls -l > >-rw-r--r--. 1 root root 224 Apr

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Lukas Slebodnik
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
>
>-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
>
>#

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Command >> >> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero >> >> > exit status 255/ >> >> This is unrelated to the enrollment problem. >> >> rob >> >> > >> >> > Disabling client K

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
will tell how. rob Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote: > Thank you guys for y

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Original file attached - no changes to the file Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:52 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady Notrica wrote: > Thank you guys for your help. > > Still can't enroll t

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM [root@prddb1]# Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 3:14 PM To: Gady Notrica; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Gady

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
-Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica Sent: April 20, 2016 2:12 PM To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Any specific command

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
] On Behalf Of Gady Notrica Sent: April 20, 2016 2:12 PM To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Any specific command in particular to remove that keytab? Since these don't work [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady,
On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote:
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
initialization failed [root@cprddb1 /]# Gady -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: April 20, 2016 1:59 PM To: Martin Basti; Gady Notrica; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors Martin Basti wrote: > > > On 20.04.2

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Rob Crittenden
Martin Basti wrote: On 20.04.2016 18:00, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Thank you Martin, I have tried many different ways. I can't seem to be able to remove anything in the file. Gady From: Martin Basti [mailto:mba...@redhat.com] Sent: April 20, 2016 12:50 PM To: Gady Notrica; freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
: [Freeipa-users] ipa-client-install errors On 04/20/2016 06:00 PM, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Please find attached the install log Gady -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky Sent: April 20, 2016 1:04 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-install errors

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Babinsky
On 04/20/2016 06:00 PM, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed:

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Martin Basti
On 20.04.2016 18:00, Gady Notrica wrote: Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed:

[Freeipa-users] ipa-client-install errors

2016-04-20 Thread Gady Notrica
Hello World, I am having these errors trying to install ipa-client-install. Every other machine is fine and the IPA servers are functioning perfectly Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1 Kerberos authentication failed: kinit: Improper format of Kerberos

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-21 Thread Martin Kosek
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
>
> Thank you for your answer.
Adding freeipa-users list back, so that others can follow the thread.
> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?
This is probably not something that

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
>
> Here we are, for the confusing lines :
> ###
> Assuming realm is the same as domain:
> Generated basedn from realm: dc=
> Discovery result:

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Re Martin. Here we are for the ipaclient-install.log : ### 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with options: {'domain': '', 'force': False, 'realm_name': '', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir': True, 'create_sshfp': True, 'conf_sshd':

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
>
> Here we are for the ipaclient-install.log :
>
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '', 'force': False, 'realm_name':
> '', 'krb5_offline_passwords': True, 'primary': False,

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Ah sorry, for security reasons I didn't want to put the original name and I made a mistake. Here we are, for the confusing lines : ### Assuming realm is the same as domain: Generated basedn from realm: dc= Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=, kdc=None, basedn=dc= Validated

[Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread bahan w
Hello ! I send you this mail because of the following topic. I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous access for security reasons. But now, I have a problem when I try to enroll a new host. Here is the command I try : ### ipa-client-install --domain= --realm=

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
>
> I send you this mail because of the following topic.
>
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
>
> But now, I have a problem when I try to enroll a new host.
>
> Here is the

Re: [Freeipa-users] ipa-client-install and nsslapd-allow-anonymous-access: off

2016-01-20 Thread Martin Kosek
Adding freeipa-users back, so that others can benefit from the answer. Can you please attach a full ipaclient-install.log DEBUG log somewhere so that we can get the full context of the bug? You may also want to open a RHEL-6 Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only

Re: [Freeipa-users] ipa-client-install error

2015-09-28 Thread ladanyi
Hi Bahan, Hey. Try to remove the cert file in /etc/ipa of this client. And then retry. this was perfect :-) Thank you. Best regards. Bahan Andy Hi, I want to install ipa client: ipa-client-install -d I get the following error: Verifying that "MyFreeIPA Server" (realm None) is

[Freeipa-users] ipa-client-install error

2015-09-25 Thread Andreas Ladanyi
Hi, I want to install ipa client: ipa-client-install -d I get the following error: Verifying that "MyFreeIPA Server" (realm None) is an IPA server Init LDAP connection to: "MyFreeIPA Server" Error checking LDAP: Connect error: TLS error -8054:You are attempting to import a cert with the same

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-15 Thread Jan Pazdziora
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote:
> On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> > wrote:
> >
> > > on a centos 7.1 host when enrolling it with (among other) the switch
>

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Nathan Peters
I think it was not having dynamic updates enabled for the reverse zone. I enabled those and PTR sync on both the forward and reverse and now it seems to be working for a new client that I joined. What I'm not clear on at this point is why that is not a default setting. I know at some point

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-14 Thread Martin Basti
Hi, can you check the journalctl -u named(-pkcs11) on server, there might be errors why PTR record has not been added. Do you have enabled dynamic updates for the reverse zone? Martin On 09/12/2015 10:42 PM, Youenn PIOLET wrote: Hi, I've seen the same issue recently on various clients

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Jan Pazdziora
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> wrote:
>
> > on a centos 7.1 host when enrolling it with (among other) the switch
> > --request-cert it does not create a host certificate for it. The host

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-14 Thread Martin Kosek
On 09/12/2015 03:14 PM, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> wrote:
>
>> hi,
>>
>> on a centos 7.1 host when enrolling it with (among other) the switch
>> --request-cert it does not create a host certificate for it. The host is
>>

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-13 Thread Youenn PIOLET
Hi, I've seen the same issue recently on various clients using ipa 3.3 and ipa 4.* during the first join on a clean OS. Can't confirm it was working before. Is it normal behavior? Allow PTR sync is enabled. Cheers, Le 12 sept. 2015 7:44 AM, "Nathan Peters" a écrit : >

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi, on a centos 7.1 host when enrolling it with (among other) the switch --request-cert it does not create a host certificate for it. The host is properly joined but no certificate is present. In the ipaclient-install.log file I see this: 2015-09-12T09:34:02Z ERROR certmonger request for

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo wrote:
> hi,
>
> on a centos 7.1 host when enrolling it with (among other) the switch
> --request-cert it does not create a host certificate for it. The host is
> properly joined but no certificate is present.
>
> In the

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Simo Sorce
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
> I have been trying to figure this out for a while now but when I join
> machine to FreeIPA, the installer properly creates forward DNS
> entries,and DNSSSHFP entries, but does not create reverse entries.
> Without the PTR

[Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread nathan
I have been trying to figure this out for a while now but when I join a machine to FreeIPA, the installer properly creates forward DNS entries, and DNSSSHFP entries, but does not create reverse entries. Without the PTR records, kerberos logins are always failing on these machines. The reverse

Re: [Freeipa-users] ipa-client-install not creating reverse DNS entries

2015-09-11 Thread Nathan Peters
On 9/11/2015 10:32 AM, Simo Sorce wrote: On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote: I have been trying to figure this out for a while now but when I join machine to FreeIPA, the installer properly creates forward DNS entries,and DNSSSHFP entries, but does not create

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
Thanks for update. Adding mailing list back, to be aware of the results. Given this description, I wonder if this is hitting https://bugzilla.redhat.com/show_bug.cgi?id=1201454 that is planned to be fixed in next RHEL-6 minor version. On 06/03/2015 10:46 AM, bahan w wrote: Hello again. The

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote: Hello ! I send you this mail because I have a problem linked with SSH and FreeIPA. I have multiple servers : - One with FreeIPA server 3.0.0-26 - The others with FreeIPA client 3.0.0-26 They are running on RHEL 6.4. I configured a root user on

[Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-02 Thread bahan w
Hello ! I send you this mail because I have a problem linked with SSH and FreeIPA. I have multiple servers : - One with FreeIPA server 3.0.0-26 - The others with FreeIPA client 3.0.0-26 They are running on RHEL 6.4. I configured a root user on each of them. On one specific server, I created an

Re: [Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Alexander Bokovoy
On Sat, 16 May 2015, Günther J. Niederwimmer wrote: Hello, When I install a IPA client (Centos 7.1) I have this Error in the log. freeipa ERROR certmonger request for host certificate failed Is there a way to become this Certificate back ? I am nearly new on freeIPA and have much problems

[Freeipa-users] ipa-client-install --request-cert ERROR

2015-05-16 Thread Günther J . Niederwimmer
Hello, When I install a IPA client (Centos 7.1) I have this Error in the log. freeipa ERROR certmonger request for host certificate failed Is there a way to become this Certificate back ? I am nearly new on freeIPA and have much problems :-(. Thanks for the help, -- mit freundlichen Grüssen

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Yogesh Sharma
Thanks Gonzalo. Appreciate your help here, Let me try this. Best Regards, Yogesh Sharma Email: yks0...@gmail.com | Web: www.initd.in RHCE, VCE-CIA, RackSpace Cloud U

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-29 Thread Gokulnath
Quick question, if you have used Deion for ldap and Sudo, are all connections through Kerberos ? And all client and registered hosts will be in the same domain ? Gokul Sent from iPhone On Mar 29, 2015, at 12:14 PM, Yogesh Sharma yks0...@gmail.com wrote: Thanks Gonzalo. Appreciate your

[Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Yogesh Sharma
Hello, Is there any repo available for Amazon Linux to install IPA Client OR below is the only way to do as found from freeipa-user mail archive. http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html Thanks for the help. *Best

Re: [Freeipa-users] IPA Client Install on Amazon Linux

2015-03-27 Thread Gonzalo Fernandez Ordas
Yogesh My personal experience using AWS Linux and LDAP is not a good one and mostly an utter nightmare in relation to packages. Personally I would recommend you to keep away from AWS Linux and get a Centos, Fedora or Redhat. Still, if you want to go ahead, I can give you the right versions for

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into a client machine without a password. Going the other way works fine, however. thx anthony On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Rob Crittenden
Anthony Lanni wrote: I'm referring to the host certificate; I was looking at the web UI, under Identity-Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
On 03/26/2015 05:52 PM, Anthony Lanni wrote: kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password. I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
I am not sure what you mean. So are you saying that kinit USER done on server fails? With what error? On 03/26/2015 05:28 PM, Anthony Lanni wrote: great, thanks. On a related note: the server still doesn't get a (client) kerberos ticket, which means I can't kinit as a user and then log into

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
I'm referring to the host certificate; I was looking at the web UI, under Identity-Hosts in the server details page. The Host Certificate section says 'No Valid Certificate'. The server has a /etc/krb5.keytab file, and on the same page the Enrollment section says 'Kerberos Key Present, Host

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
kinit USER works perfectly; but I can't ssh into the client machine from the server without it requesting a password. I think this is a DNS issue, actually. The server isn't resolving the name of the client, so I'm ssh'ing with the IP address, and that's not going to work since it's not in the

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Anthony Lanni
ah, ok. So I'm going to assume the problem with my server not being able to get a DNS record for any of the clients is why the user can't ssh into the clients. Thanks for the help, everyone! thx anthony On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden rcrit...@redhat.com wrote: Anthony Lanni

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-26 Thread Martin Kosek
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the keyutils dependency fixed anyway :-) Martin On 03/25/2015 06:59 PM, Anthony Lanni wrote: keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I reinstalled keyutils and then ran the

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Martin Kosek
On 03/25/2015 04:11 AM, Dmitri Pal wrote: On 03/24/2015 09:17 PM, Anthony Lanni wrote: While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command:

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-25 Thread Anthony Lanni
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I reinstalled keyutils and then ran the ipa-server-install again, and this time it completed without error. Thanks very much, Martin and Dmitri! thx anthony On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
Hi there, All the issues I reported in this long thread are SOLVED. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd [...] Synchronizing time with KDC...

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: Hi there, All the issues I reported in this long thread are SOLVED. Thanks for closing the loop. For completeness, I'm posting here the conclusions. ipa-client-install did enroll the client but failed in several points: $

Re: [Freeipa-users] ipa-client-install failure

2015-03-24 Thread Roberto Cornacchia
On 24 March 2015 at 14:49, Dmitri Pal d...@redhat.com wrote: On 03/24/2015 09:43 AM, Roberto Cornacchia wrote: Hi there, All the issues I reported in this long thread are SOLVED. Thanks for closing the loop. For completeness, I'm posting here the conclusions. ipa-client-install

Re: [Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Dmitri Pal
On 03/24/2015 09:17 PM, Anthony Lanni wrote: While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N

[Freeipa-users] ipa-client-install failing on new ipa-server

2015-03-24 Thread Anthony Lanni
While running ipa-server-install, it's failing out at the end with an error regarding the client install on the server. This happens regardless of how I input the options, but here's the latest command: ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n example.com -p passwd1 -a

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 12:33, Roberto Cornacchia wrote: OK, thanks. That would be Dynamic updates, right? Then it is enabled. $ ipa dnszone-show --all Zone name: hq.example.com dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com. Active zone: TRUE

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Thank you, dump sent privately On 23 March 2015 at 13:33, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 12:33, Roberto Cornacchia wrote: OK, thanks. That would be Dynamic updates, right? Then it is enabled. $ ipa dnszone-show --all Zone name: hq.example.com dn:

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
BTW, shouldn't named.conf contain an allow-update statement? Mine doesn't. Or is this managed differently? On 23 March 2015 at 12:16, Roberto Cornacchia roberto.cornacc...@gmail.com wrote: On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 10:21, Roberto

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote: On 23.3.2015 10:21, Roberto Cornacchia wrote: About the DNS update, this is what the debug log has to say: Found zone name: hq.example.com The master is: ipa.hq.example.com start_gssrequest Found realm from ticket:

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
OK, thanks. That would be Dynamic updates, right? Then it is enabled. $ ipa dnszone-show --all Zone name: hq.example.com dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com Zone name: hq.example.com. Active zone: TRUE Authoritative nameserver: ipa.hq.example.com. Administrator

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
Dmitri, Rob, Jakub, I found at least one of the major problems: chronyd. This is what I get when I use ipa-client-install on a plain FC21 machine, *without* using --force-ntpd WARNING: ntpd timedate synchronization service will not be configured as conflicting service (chronyd) is enabled Use

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Roberto Cornacchia
About the DNS update, this is what the debug log has to say: Found zone name: hq.example.com The master is: ipa.hq.example.com start_gssrequest Found realm from ticket: HQ.EXAMPLE.COM send_gssrequest *; Communication with 192.168.0.72#53 failed: operation canceled* *Reply from SOA query:* ;;

Re: [Freeipa-users] ipa-client-install failure

2015-03-23 Thread Petr Spacek
On 23.3.2015 10:21, Roberto Cornacchia wrote: About the DNS update, this is what the debug log has to say: Found zone name: hq.example.com The master is: ipa.hq.example.com start_gssrequest Found realm from ticket: HQ.EXAMPLE.COM send_gssrequest *; Communication with 192.168.0.72#53

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Roberto Cornacchia
Thanks Rob. Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about the issue), even if this seems to solve problems. I'm not going to deploy

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Jakub Hrozek
On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote: Thanks Rob. Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about the

Re: [Freeipa-users] ipa-client-install failure

2015-03-22 Thread Dmitri Pal
On 03/22/2015 11:24 AM, Roberto Cornacchia wrote: Thanks Rob. Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about the issue), even if

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
Hi Rob, Yes, sssd is running and this is sssd.conf: [domain/hq.example.com] debug_level=9 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = hq.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = meson.hq.example.com chpass_provider =

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
Indeed, id admin does not work and there is no sign of it in the log. From the client (with admin-tools installed): $ kinit admin Password for ad...@hq.example.com: $ ipa user-show admin User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID:

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Rob Crittenden
Roberto Cornacchia wrote: Indeed, id admin does not work and there is no sign of it in the log. From the client (with admin-tools installed): $ kinit admin Password for ad...@hq.example.com: $ ipa user-show admin User login: admin Last name: Administrator

Re: [Freeipa-users] ipa-client-install failure

2015-03-21 Thread Roberto Cornacchia
/etc/nsswitch.conf: passwd: files shadow: files group: files hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc:files services: files

Re: [Freeipa-users] ipa-client-install failure

2015-03-20 Thread Roberto Cornacchia
It seems so: $ firewall-cmd --list-all FedoraServer (default, active) interfaces: em2 sources: services: cockpit dhcpv6-client ssh ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp 8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp 8011/tcp
