On (13/05/17 06:52), Harald Dunkel wrote:
>Hi folks,
>
>RHEL 7.3, sssd 1.14.0:
>
>If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
>(without telling why) and users cannot login. *Extremely* painful.
>
>Do you think ipa-client-install could add
>
> selinux_provider =
Hi folks,
RHEL 7.3, sssd 1.14.0:
If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
(without telling why) and users cannot login. *Extremely* painful.
Do you think ipa-client-install could add
selinux_provider = none
to the generated sssd.conf file, if selinux is
On 03/05/17 11:47, Timo Aaltonen wrote:
>
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
>
> services = nss, sudo, pam, ssh
>
>
On 03.03.2017 16:53, Rob Crittenden wrote:
> Harald Dunkel wrote:
>> On 03/03/17 10:14, Jakub Hrozek wrote:
>>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
This is systemd-only?
Wouldn't it be better to create a working sssd.conf, no matter
what?
>>>
>>>
Harald Dunkel wrote:
> On 03/03/17 10:14, Jakub Hrozek wrote:
>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>
>>> This is systemd-only?
>>>
>>> Wouldn't it be better to create a working sssd.conf, no matter
>>> what?
>>
>> It is up to whoever is creating the sssd.conf. As I
On 03/03/17 10:14, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>
>> This is systemd-only?
>>
>> Wouldn't it be better to create a working sssd.conf, no matter
>> what?
>
> It is up to whoever is creating the sssd.conf. As I said, the change is
>
On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
> Hi Jakub,
>
> On 03/03/17 09:32, Jakub Hrozek wrote:
> > On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> >> Hi folks,
> >>
> >> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> >> Debian Stretch
> >
Hi Jakub,
On 03/03/17 09:32, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
>> Debian Stretch
> ~~
> This is important I guess.
>
> Since SSSD 1.15, SSSD allows to
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
>
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
~~
This is important I guess.
Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them
Hi folks,
running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian
Stretch ipa-client-install creates a bad sssd.conf file, e.g.
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider =
Thank you, Rob.
For reference, my full log can be found here: http://pastebin.com/6VLaQjYw
But I would postulate that the interesting bit is this:
> 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query:
>
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>
> ;; flags:; ZONE: 0,
First off... new to the list, thank you in advance for your assistance!
My server is Fedora 24 Server, running in a VirtualBox virtual machine. I
have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories,
and dnf says it's up to date. FreeIPA has a trust set up with a Windows
thanks for the inputs..
the issue was with my network,
I was able to resolve it adding in the NETWORKING_IPV6=no in
/etc/sysconfig/network
possibly it was using IPv6 resolution and that was failing
On Thu, Jul 28, 2016 at 1:37 PM, Petr Spacek wrote:
> On 27.7.2016
On 27.7.2016 19:29, Rakesh Rajasekharan wrote:
> Hi,
>
> I am running ipa server 4.2 and set it up without using "--setup-dns=no".
>
> On few clients the installation fails with the below error message.
>
>
> I verified that the ipa master dns is resolvable. Not sure what could be
> wrong
Hi,
I am running ipa server 4.2 and set it up without using "--setup-dns=no".
On few clients the installation fails with the below error message.
I verified that the ipa master dns is resolvable. Not sure what could be
wrong here..
Joining realm failed: libcurl failed to execute the HTTP
<rcrit...@redhat.com>
*Sent:* 05 July 2016 18:01
*To:* Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and
user ssh key query
Neal Harrington | i-Neda Ltd wrote:
Hi,
I have successfully installed FreeIPA server version
already tried this several
times.
Thanks again,
Neal.
From: Rob Crittenden <rcrit...@redhat.com>
Sent: 05 July 2016 18:01
To: Neal Harrington | i-Neda Ltd; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install --ssh-trust-dns and user ss
Neal Harrington | i-Neda Ltd wrote:
Hi,
I have successfully installed FreeIPA server version 4.2.0 on CentOS
7.2, including replication between servers. I have a few
dozen Ubuntu 14.04 servers joined into IPA for authentication with
various user groups controlling access, sudo permissions etc
Hi,
I have successfully installed FreeIPA server version 4.2.0 on CentOS 7.2,
including replication between servers. I have a few dozen Ubuntu 14.04 servers
joined into IPA for authentication with various user groups controlling access,
sudo permissions etc and overall I'm very happy.
I
On 09.06.2016 22:36, David Zabner wrote:
Occasionally in our system we will see a failure in ipa-client-install script
and the cleanup will leave around the host in ipa.
This means that all future client installs fail because the host already exists.
Is there any way to make sure that
Occasionally in our system we will see a failure in ipa-client-install script
and the cleanup will leave around the host in ipa.
This means that all future client installs fail because the host already
exists.
Is there any way to make sure that failures cause the host to be cleaned up?
Is
, 2016 4:16 PM
To: Gady Notrica
Cc: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr
On (20/04/16 20:10), Gady Notrica wrote:
>[root@cd-s-prd-db1 krb5.include.d]# ls -l
>
>-rw-r--r--. 1 root root 224 Apr 9 07:24 domain_realm_ipa_candeal_ca
>
>-rw-r--r--. 1 root root 118 Apr 9 07:24 localauth_plugin
>
>
>
>[root@cd-s-prd-db1 krb5.include.d]# cat domain_realm_ipa_candeal_ca
>
>#
Command
>>
>> > ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero
>>
>> > exit status 255/
>>
>> This is unrelated to the enrollment problem.
>>
>> rob
>>
>> >
>>
>> > Disabling client K
will tell how.
rob
Gady
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote:
> Thank you guys for y
Original file attached - no changes to the file
Gady
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:52 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote
Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Gady Notrica wrote:
> Thank you guys for your help.
>
> Still can't enroll t
]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
[root@prddb1]#
Gady
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 3:14 PM
To: Gady Notrica; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Gady
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Any specific command
] On Behalf Of Gady Notrica
Sent: April 20, 2016 2:12 PM
To: Rob Crittenden; Martin Basti; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Any specific command in particular to remove that keytab?
Since these don't work
[root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM
hi Gady,
On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote:
> Any specific command in particular to remove that keytab?
>
> Since these don't work
>
> [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab
> Kerberos context initialization failed
> [root@prddb1
initialization failed
[root@cprddb1 /]#
Gady
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: April 20, 2016 1:59 PM
To: Martin Basti; Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
Martin Basti wrote:
>
>
> On 20.04.2
Martin Basti wrote:
On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,
I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos
Thank you Martin, I have tried many different ways. I can't seem to be able to
remove anything in the file.
Gady
From: Martin Basti [mailto:mba...@redhat.com]
Sent: April 20, 2016 12:50 PM
To: Gady Notrica; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
: [Freeipa-users] ipa-client-install errors
On 04/20/2016 06:00 PM, Gady Notrica wrote:
Hello World,
I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab
Please find attached the install log
Gady
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Martin Babinsky
Sent: April 20, 2016 1:04 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] ipa-client-install errors
On 04/20/2016 06:00 PM, Gady Notrica wrote:
Hello World,
I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed:
On 20.04.2016 18:00, Gady Notrica wrote:
Hello World,
I am having these errors trying to install ipa-client-install. Every
other machine is fine and the IPA servers are functioning perfectly
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed:
Hello World,
I am having these errors trying to install ipa-client-install. Every other
machine is fine and the IPA servers are functioning perfectly
Error trying to clean keytab: /usr/sbin/ipa-rmkeytab returned 1
Kerberos authentication failed: kinit: Improper format of Kerberos
On 01/21/2016 02:29 PM, bahan w wrote:
> Hello Martin.
>
> Thank you for your answer.
Adding freeipa-users list back, so that others can follow the thread.
> Excuse me for my ignorance, but may you tell me how the bug and resolution
> work for FreeIPA ?
This is probably not something that
On 01/20/2016 05:55 PM, bahan w wrote:
> Ah sorry, for security reasons I didn't want to put the original name and I
> made a mistake.
>
> Here we are, for the confusing lines :
> ###
> Assuming realm is the same as domain:
> Generated basedn from realm: dc=
> Discovery result:
Re Martin.
Here we are for the ipaclient-install.log :
###
2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
options: {'domain': '', 'force': False, 'realm_name':
'', 'krb5_offline_passwords': True, 'primary': False, 'mkhomedir':
True, 'create_sshfp': True, 'conf_sshd':
On 01/20/2016 04:03 PM, bahan w wrote:
> Re Martin.
>
> Here we are for the ipaclient-install.log :
>
> ###
> 2016-01-20T14:55:48Z DEBUG /usr/sbin/ipa-client-install was invoked with
> options: {'domain': '', 'force': False, 'realm_name':
> '', 'krb5_offline_passwords': True, 'primary': False,
Ah sorry, for security reasons I didn't want to put the original name and I
made a mistake.
Here we are, for the confusing lines :
###
Assuming realm is the same as domain:
Generated basedn from realm: dc=
Discovery result: NO_ACCESS_TO_LDAP; server=None, domain=,
kdc=None, basedn=dc=
Validated
Hello !
I send you this mail because of the following topic.
I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
access for security reasons.
But now, I have a problem when I try to enroll a new host.
Here is the command I try :
###
ipa-client-install --domain= --realm=
On 01/20/2016 12:08 PM, bahan w wrote:
> Hello !
>
> I send you this mail because of the following topic.
>
> I have FreeIPA 3.0.0.25 with RHEL 6.6 and I deactivated the anonymous
> access for security reasons.
>
> But now, I have a problem when I try to enroll a new host.
>
> Here is the
Adding freeipa-users back, so that others can benefit from the answer.
Can you please attach a full ipaclient-install.log DEBUG log somewhere so that
we can get the full context of the bug? You may also want to open a RHEL-6
Bugzilla as FreeIPA 3.0.0 is no longer developed upstream, but only
Hi Bahan,
Hey.
Try to remove the cert file in /etc/ipa of this client.
And then retry.
this was perfect :-) Thank you.
Best regards.
Bahan
Andy
Hi,
I want to install ipa client: ipa-client-install -d
I get the following error:
Verifying that "MyFreeIPA Server" (realm None) is
Hi,
I want to install ipa client: ipa-client-install -d
I get the following error:
Verifying that "MyFreeIPA Server" (realm None) is an IPA server
Init LDAP connection to: "MyFreeIPA Server"
Error checking LDAP: Connect error: TLS error -8054:You are attempting
to import a cert with the same
On Mon, Sep 14, 2015 at 09:59:40AM +0200, Jan Pazdziora wrote:
> On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> > On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> > wrote:
> >
> > > on a centos 7.1 host when enrolling it with (among other) the switch
>
I think it was not having dynamic updates enabled for the reverse zone.
I enabled those and PTR sync on both the forward and reverse and now it
seems to be working for a new client that I joined.
What I'm not clear on at this point is why that is not a default
setting. I know at some point
Hi,
can you check the journalctl -u named(-pkcs11) on server, there might be
errors why PTR record has not been added.
Do you have enabled dynamic updates for the reverse zone?
Martin
On 09/12/2015 10:42 PM, Youenn PIOLET wrote:
Hi,
I've seen the same issue recently on various clients
On Sat, Sep 12, 2015 at 03:14:35PM +0200, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> wrote:
>
> > on a centos 7.1 host when enrolling it with (among other) the switch
> > --request-cert it does not create a host certificate for it. The host
On 09/12/2015 03:14 PM, Natxo Asenjo wrote:
> On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
> wrote:
>
>> hi,
>>
>> on a centos 7.1 host when enrolling it with (among other) the switch
>> --request-cert it does not create a host certificate for it. The host is
>>
Hi,
I've seen the same issue recently on various clients using ipa 3.3 and ipa
4.* during the first join on a clean OS. Can't confirm it was working
before. Is it normal behavior?
Allow PTR sync is enabled.
Cheers,
On 12 Sept 2015 7:44 AM, "Nathan Peters" wrote:
>
hi,
on a centos 7.1 host when enrolling it with (among other) the switch
--request-cert it does not create a host certificate for it. The host is
properly joined but no certificate is present.
In the ipaclient-install.log file I see this:
2015-09-12T09:34:02Z ERROR certmonger request for
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo
wrote:
> hi,
>
> on a centos 7.1 host when enrolling it with (among other) the switch
> --request-cert it does not create a host certificate for it. The host is
> properly joined but no certificate is present.
>
> In the
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
> I have been trying to figure this out for a while now but when I join
> machine to FreeIPA, the installer properly creates forward DNS
> entries, and DNSSSHFP entries, but does not create reverse entries.
> Without the PTR
I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and DNSSSHFP entries, but does not create reverse entries. Without the
PTR records, kerberos logins are always failing on these machines.
The reverse
On 9/11/2015 10:32 AM, Simo Sorce wrote:
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
I have been trying to figure this out for a while now but when I join
machine to FreeIPA, the installer properly creates forward DNS
entries, and DNSSSHFP entries, but does not create
Thanks for update. Adding mailing list back, to be aware of the results.
Given this description, I wonder if this is hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1201454
that is planned to be fixed in next RHEL-6 minor version.
On 06/03/2015 10:46 AM, bahan w wrote:
Hello again.
The
On 06/02/2015 06:27 PM, bahan w wrote:
Hello !
I send you this mail because I have a problem linked with SSH and FreeIPA.
I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26
They are running on RHEL 6.4.
I configured a root user on
Hello !
I send you this mail because I have a problem linked with SSH and FreeIPA.
I have multiple servers :
- One with FreeIPA server 3.0.0-26
- The others with FreeIPA client 3.0.0-26
They are running on RHEL 6.4.
I configured a root user on each of them.
On one specific server, I created an
On Sat, 16 May 2015, Günther J. Niederwimmer wrote:
Hello,
When I install a IPA client (Centos 7.1) I have this Error in the log.
freeipa ERROR certmonger request for host certificate failed
Is there a way to become this Certificate back ?
I am nearly new on freeIPA and have much problems
Hello,
When I install a IPA client (Centos 7.1) I have this Error in the log.
freeipa ERROR certmonger request for host certificate failed
Is there a way to become this Certificate back ?
I am nearly new on freeIPA and have much problems :-(.
Thanks for the help,
--
With kind regards
Thanks Gonzalo. Appreciate your help here, Let me try this.
Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RackSpace Cloud U
Quick question, if you have used Deion for ldap and Sudo, are all connections
through Kerberos ? And all client and registered hosts will be in the same
domain ?
Gokul
Sent from iPhone
On Mar 29, 2015, at 12:14 PM, Yogesh Sharma yks0...@gmail.com wrote:
Thanks Gonzalo. Appreciate your
Hello,
Is there any repo available for Amazon Linux to install IPA Client OR below
is the only way to do as found from freeipa-user mail archive.
http://www.redhat.com/archives/freeipa-users/2013-October/msg00058.html
Thanks for the help.
*Best
Yogesh
My personal experience using AWS Linux and LDAP is not a good one and
mostly an utter nightmare in relation to packages.
Personally I would recommend you to keep away from AWS Linux and get a
Centos, Fedora or Redhat.
Still, if you want to go ahead, I can give you the right versions for
great, thanks.
On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into a client machine
without a password. Going the other way works fine, however.
thx
anthony
On Thu, Mar 26, 2015 at 7:14 AM, Martin Kosek
Anthony Lanni wrote:
I'm referring to the host certificate; I was looking at the web UI,
under Identity-Hosts in the server details page. The Host Certificate
section says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the
Enrollment section says
On 03/26/2015 05:52 PM, Anthony Lanni wrote:
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.
I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and
I am not sure what you mean. So are you saying that kinit USER done on server
fails? With what error?
On 03/26/2015 05:28 PM, Anthony Lanni wrote:
great, thanks.
On a related note: the server still doesn't get a (client) kerberos ticket,
which means I can't kinit as a user and then log into
I'm referring to the host certificate; I was looking at the web UI, under
Identity-Hosts in the server details page. The Host Certificate section
says 'No Valid Certificate'.
The server has a /etc/krb5.keytab file, and on the same page the Enrollment
section says 'Kerberos Key Present, Host
kinit USER works perfectly; but I can't ssh into the client machine from
the server without it requesting a password.
I think this is a DNS issue, actually. The server isn't resolving the name
of the client, so I'm ssh'ing with the IP address, and that's not going to
work since it's not in the
ah, ok. So I'm going to assume the problem with my server not being able to
get a DNS record for any of the clients is why the user can't ssh into the
clients.
Thanks for the help, everyone!
thx
anthony
On Thu, Mar 26, 2015 at 10:44 AM, Rob Crittenden rcrit...@redhat.com
wrote:
Anthony Lanni
Ok, thanks for reaching back. BTW, next RHEL-6 minor release should have the
keyutils dependency fixed anyway :-)
Martin
On 03/25/2015 06:59 PM, Anthony Lanni wrote:
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the
On 03/25/2015 04:11 AM, Dmitri Pal wrote:
On 03/24/2015 09:17 PM, Anthony Lanni wrote:
While running ipa-server-install, it's failing out at the end with an error
regarding the client install on the server. This happens regardless of how I
input the options, but here's the latest command:
keyutils is already installed but /bin/keyctl was 0 length (!). Anyway I
reinstalled keyutils and then ran the ipa-server-install again, and this
time it completed without error.
Thanks very much, Martin and Dmitri!
thx
anthony
On Wed, Mar 25, 2015 at 5:34 AM, Martin Kosek mko...@redhat.com
Hi there,
All the issues I reported in this long thread are SOLVED.
For completeness, I'm posting here the conclusions.
ipa-client-install did enroll the client but failed in several points:
$ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
[...]
Synchronizing time with KDC...
On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
Hi there,
All the issues I reported in this long thread are SOLVED.
Thanks for closing the loop.
For completeness, I'm posting here the conclusions.
ipa-client-install did enroll the client but failed in several points:
$
On 24 March 2015 at 14:49, Dmitri Pal d...@redhat.com wrote:
On 03/24/2015 09:43 AM, Roberto Cornacchia wrote:
Hi there,
All the issues I reported in this long thread are SOLVED.
Thanks for closing the loop.
For completeness, I'm posting here the conclusions.
ipa-client-install
On 03/24/2015 09:17 PM, Anthony Lanni wrote:
While running ipa-server-install, it's failing out at the end with an
error regarding the client install on the server. This happens
regardless of how I input the options, but here's the latest command:
ipa-server-install --setup-dns -N
While running ipa-server-install, it's failing out at the end with an error
regarding the client install on the server. This happens regardless of how
I input the options, but here's the latest command:
ipa-server-install --setup-dns -N --idstart=1000 -r EXAMPLE.COM -n
example.com -p passwd1 -a
On 23.3.2015 12:33, Roberto Cornacchia wrote:
OK, thanks.
That would be Dynamic updates, right? Then it is enabled.
$ ipa dnszone-show --all
Zone name: hq.example.com
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com.
Active zone: TRUE
Thank you, dump sent privately
On 23 March 2015 at 13:33, Petr Spacek pspa...@redhat.com wrote:
On 23.3.2015 12:33, Roberto Cornacchia wrote:
OK, thanks.
That would be Dynamic updates, right? Then it is enabled.
$ ipa dnszone-show --all
Zone name: hq.example.com
dn:
BTW, shouldn't named.conf contain an allow-update statement? Mine
doesn't. Or is this managed differently?
On 23 March 2015 at 12:16, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:
On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:
On 23.3.2015 10:21, Roberto
On 23 March 2015 at 10:35, Petr Spacek pspa...@redhat.com wrote:
On 23.3.2015 10:21, Roberto Cornacchia wrote:
About the DNS update, this is what the debug log has to say:
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket:
OK, thanks.
That would be Dynamic updates, right? Then it is enabled.
$ ipa dnszone-show --all
Zone name: hq.example.com
dn: idnsname=hq.example.com.,cn=dns,dc=hq,dc=example,dc=com
Zone name: hq.example.com.
Active zone: TRUE
Authoritative nameserver: ipa.hq.example.com.
Administrator
Dmitri, Rob, Jakub,
I found at least one of the major problems: chronyd.
This is what I get when I use ipa-client-install on a plain FC21 machine,
*without* using --force-ntpd
WARNING: ntpd timedate synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use
About the DNS update, this is what the debug log has to say:
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53 failed: operation canceled*
*Reply from SOA query:*
;;
On 23.3.2015 10:21, Roberto Cornacchia wrote:
About the DNS update, this is what the debug log has to say:
Found zone name: hq.example.com
The master is: ipa.hq.example.com
start_gssrequest
Found realm from ticket: HQ.EXAMPLE.COM
send_gssrequest
*; Communication with 192.168.0.72#53
Thanks Rob.
Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is just to
learn more about the issue), even if this seems to solve problems. I'm not
going to deploy
On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
Thanks Rob.
Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is just to
learn more about the
On 03/22/2015 11:24 AM, Roberto Cornacchia wrote:
Thanks Rob.
Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is
just to learn more about the issue), even if
Hi Rob,
Yes, sssd is running and this is sssd.conf:
[domain/hq.example.com]
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hq.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = meson.hq.example.com
chpass_provider =
Indeed, id admin does not work and there is no sign of it in the log.
From the client (with admin-tools installed):
$ kinit admin
Password for ad...@hq.example.com:
$ ipa user-show admin
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID:
Roberto Cornacchia wrote:
Indeed, id admin does not work and there is no sign of it in the log.
From the client (with admin-tools installed):
$ kinit admin
Password for ad...@hq.example.com:
$ ipa user-show admin
User login: admin
Last name: Administrator
/etc/nsswitch.conf:
passwd: files
shadow: files
group: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc:files
services: files
It seems so:
$ firewall-cmd --list-all
FedoraServer (default, active)
interfaces: em2
sources:
services: cockpit dhcpv6-client ssh
ports: 8009/tcp 443/tcp 7999/tcp 464/tcp 9443/tcp 636/tcp 88/udp 464/udp
8010/tcp 88/tcp 7990/tcp 123/udp 80/tcp 389/tcp 7389/tcp 9444/tcp 9445/tcp
8011/tcp