On Tue, Apr 08, 2014 at 05:22:46PM -0700, Shree wrote:
> Not sure if anyone read my last reply I was still not having any luck.
> Anyways I found the file which was causing it to contact the old IP address
> just a few minutes ago. Thought I would share with you in case someone else
> may need it
Not sure if anyone read my last reply; I was still not having any luck. Anyways,
I found the file which was causing it to contact the old IP address just a few
minutes ago. Thought I would share with you in case someone else may need it. I
started going through the directory listed in the krb5.conf
Excellent Rob
I see that it is trying the IP address on the main master (ldap.mydomain) and
not the ldap2.mydomain. So how do I fix it or where do I find that?
Shreeraj
Change is the only Constant !
On
Shree wrote:
Rob
This is what I get.
Realm is case-sensitive, try skarul...@mydomain.com
rob
[root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
[14858] 1396278013.584391: Getting initial credentials for
skarul...@mydomain.com
[14858] 1396278013.584975: Sending request (188 by
Rob
This is what I get.
[root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
[14858] 1396278013.584391: Getting initial credentials for
skarul...@mydomain.com
[14858] 1396278013.584975: Sending request (188 bytes) to mydomain.com
[14858] 1396278013.585470: Retrying AS request with ma
Shree wrote:
Martin
First of all thank you so much for your detailed analysis. I got a
chance to finally take a look at it today. I tried your suggested
changes to the /etc/krb5.conf and I now get the following response.
[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM'
Martin
First of all thank you so much for your detailed analysis. I got a chance to
finally take a look at it today. I tried your suggested changes to the
/etc/krb5.conf and I now get the following response.
[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while getting
It is searching for ldap.mydomain.com because you still have the DNS SRV record
_kerberos._udp.mydomain.com. pointing to it. I would start there.
As for the failure, I would check that the generated /etc/krb5.conf is correct:
~
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
def
If you look at the attached logs, you can see it is going to the correct DNS
server. dig information is also correct. There is something else going on; I
can't figure out what.
Shreeraj
Change is the onl
On 03/21/2014 07:44 PM, Shree wrote:
Hi
Attaching the install log. It complains about unable to reach certain
ports, however my tests by using telnet were successful. Also to
refresh your memory the client should be reaching for the replica
lda2.mydomain.com and not ldap.mydomain.com which it
Hi
Attaching the install log. It complains about unable to reach certain ports,
however my tests by using telnet were successful. Also to refresh your memory
the client should be reaching for the replica lda2.mydomain.com and not
ldap.mydomain.com which it does for the most part but I found a co
On 03/19/2014 10:37 PM, Shree wrote:
> Hello
> I was able to successfully move all my clients to the replica except on the
> process I had to upgrade the client to "ipa-client-3.0.0-37.el6.x86_64" and
> some times run a --uninstall
>
> . But it works for the most part. Have been struggling with
Dmitri, Rob, Lucas et al. Thank you for all your help and patience and pointing
me to the right direction. I was able to fix most of my issues. My setup is a
little complex where I am trying to have a master and the replica in different
networks and are in sync + each of them is serving a diffe
On 02/20/2014 02:58 PM, Shree wrote:
Can you help me figure out? Below is some info on the existing working
configuration on one of the clients.
1)Sudo version 1.7.4p5
2)[root@test500 ~]# sssd --version
1.9.2
3)These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version =
Can you help me figure out? Below is some info on the existing working
configuration on one of the clients.
1)Sudo version 1.7.4p5
2)[root@test500 ~]# sssd --version
1.9.2
3)These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = mydoma
On 02/19/2014 06:52 PM, Shree wrote:
Rob
You were right. After upgrading the client to the
ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning
during the client install that went something like
=
Autodiscovery of servers for failover cannot work with this configur
Rob
You were right. After upgrading the client to the
ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the
client install that went something like
=
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installa
Shree wrote:
root@test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root@test500 ~]#
You'll definitely want to update to 2.2.0-17, that fixes CVE-2012-5484
Unfortunately our logging around discovery was rather horrible in 2.2.x
so it is difficult to know exactly what is going on.
root@test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root@test500 ~]#
Shreeraj
Change is the only Constant !
On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
wrote:
Shree wr
Shree wrote:
Here are a couple of things
[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64
What is the version on the client that is failing to enroll?
rob
and my /etc/krb5.conf looks like ..
===
includedir /var/lib/sss/pu
Here are a couple of things
[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64
and my /etc/krb5.conf looks like ..
===
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/
Shree wrote:
1) I have got a step further. My replica is not running the CA Service. To
achieve this I had to remove the existing cert with this command
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
Now the replica looks like this
skarulkar@ldap2 tmp]$ sudo ipactl status
[
Guys
Any word on this? New logs are attached to the email. I am still not able to
add clients using the replica. Let me know if you need any other information,
and thanks for your help.
Shreeraj
Change
Rob
The logs are attached in the email chain. If you need fresh ones, I can try to
replicate it again.
Shreeraj
Change is the only Constant !
On Tuesday, February 18, 2014 11:19 AM, Rob Crittenden
Shree wrote:
Rob
I am giving it a fresh start and I notice similar issues.
1) I wasn't able to use the "--setup-ca" while running the
ipa-replica-install on the replica. It stopped the install after the
ntpd step, see below.
Done configuring NTP daemon (ntpd).
A CA is already configured on this
Rob
I am giving it a fresh start and I notice similar issues.
1) I wasn't able to use the "--setup-ca" while running the ipa-replica-install
on the replica. It stopped the install after the ntpd step, see below.
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.
2) S
Shree wrote:
1) 7839 TCP is open between the master and replica, do I need 7389 udp
also? What about clients and replica?
I have the following ports opened and tested between master and replica.
--> 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389
(TCP)
and 88 (UDP) 464 (UD
Shree wrote:
The logs are attached here. I had a day off yesterday.
Is port 7389 open? I see you skip the connection check, what was failing?
In the ipareplica-install log this is reported:
Failed to setup the replication for cloning.
And in the debug log:
[12/Feb/2014:15:15:38][http-9445-2
Shree wrote:
Ok, failed at the same stage, would you like the entire
/var/log/ipareplica-install.log. If yes, should I attach to the email?
pa : INFO File
"/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",
line 614, in run_script
return_value = main_functi
On 02/12/2014 02:09 PM, Shree wrote:
Rob
I really appreciate your help, please bear with me. At this point I
need to take you back to my ipa-replica-install and what happened there.
[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
Rob
I really appreciate your help, please bear with me. At this point I need to
take you back to my ipa-replica-install and what happened there.
[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
This ended with a
Done configuring NTP
OK, I thought CA is a part of IPA? Below is from my master IPA server
[root@ldap ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ldap ~]#
I can certainly send you a log if needed.
Shree wrote:
OK, I thought CA is a part of IPA? Below is from my master IPA server
[root@ldap ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ldap ~]#
I can certainly send you a
Shree wrote:
Peter
Actually I mentioned earlier that my clients are in a separate VLAN and
cannot access the master. We have made provisions for the master and the
replica to sync by opening the needed ports in the firewall. We have
also opened up ports between the clients and the replica. I have
Peter
Actually I mentioned earlier that my clients are in a separate VLAN and cannot
access the master. We have made provisions for the master and the replica to
sync by opening the needed ports in the firewall. We have also opened up ports
between the clients and the replica. I have tested the
On 11.2.2014 23:53, Shree wrote:
Following ports are opened between the
1) Between the master and the replica (bi directional)
2) client machine and the ipa replica (unidirectional).
When the replica was up it worked fine as far as syncing was concerned.
80 tcp
443 tcp
389 tcp
636 tcp
Following ports are opened between the
1) Between the master and the replica (bi directional)
2) client machine and the ipa replica (unidirectional).
When the replica was up it worked fine as far as syncing was concerned.
80 tcp
443 tcp
389 tcp
636 tcp
88 tcp
464 tcp
88 udp
464 udp
123
Lukas
I read the information on those two links, my problem is different. My replica
is working fine, the database has all the records. My problem is I am not able
to use the replica for ipa-client -install. In one of my replies I sent
information that kinit was trying to access my master instea
Lucas (sorry, my previous email may have got sent improperly edited).
My typical command looks like this (domain name changed due to disclosure
reasons)
# ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com
--hostname=test500.mydomain.com -d
master = ldap.mydomain.com
replica
On 02/09/2014 07:44 AM, Rob Crittenden wrote:
Shree wrote:
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even
supports this. Our replica is in a separate network and all the
appropriate ports are opened between the master and the replica. The
"replica" got created successfull
Shree wrote:
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even
supports this. Our replica is in a separate network and all the
appropriate ports are opened between the master and the replica. The
"replica" got created successfully and is in sync with the master
(except the CA
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even supports
this. Our replica is in a separate network and all the appropriate ports are
opened between the master and the replica. The "replica" got created
successfully and is in sync with the master (except the CA services wh
On (06/02/14 18:33), Shree wrote:
>First of all, the ipa-replica-install did not allow me to use the --setup-ca
> option complaining that a cert already exists, replicate creation was
> successful after I skipped the option.
>Seems like the replica is one except
>1) There is no CA Service running
Ahh!!! Sooo much better!! I was following the kickstart instructions here:
http://docs.fedoraproject.org/en-US/Fedora/16/html/FreeIPA_Guide/kickstart.html
Thanks again!!
Guy
On 05/21/2013 09:47 AM, Rob Crittenden wrote:
Guy Matz wrote:
Thanks for the reply. I *think* I'm doing this corre
Guy Matz wrote:
Thanks for the reply. I *think* I'm doing this correctly . . .
On the master:
[root@ipadevmstr log]# host cpuppettest.collmedia.net
cpuppettest.collmedia.net has address 192.168.8.28
[root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net
--password=secret
Thanks for the reply. I *think* I'm doing this correctly . . .
On the master:
[root@ipadevmstr log]# host cpuppettest.collmedia.net
cpuppettest.collmedia.net has address 192.168.8.28
[root@ipadevmstr log]# ipa host-add cpuppettest.collmedia.net
--password=secret
--
On 05/20/2013 05:18 PM, Guy Matz wrote:
> Hi! I'm trying the following ipa-client-install:
> [root@cpuppettest log]# hostname
> cpuppettest
> [root@cpuppettest log]# hostname -f
> cpuppettest.collmedia.net
> [root@cpuppettest log]# /usr/sbin/ipa-client-install
> --domain=collmedia.net --enable-dns