On Tue, Apr 08, 2014 at 05:22:46PM -0700, Shree wrote:
Not sure if anyone read my last reply; I was still not having any luck. Anyway,
I found the file which was causing it to contact the old IP address just a few
minutes ago. Thought I would share with you in case someone else may need it. I
started going through the directory listed in the
Rob
This is what I get.
[root@www ~]# KRB5_TRACE=/dev/stdout kinit skarul...@mydomain.com
[14858] 1396278013.584391: Getting initial credentials for
skarul...@mydomain.com
[14858] 1396278013.584975: Sending request (188 bytes) to mydomain.com
[14858] 1396278013.585470: Retrying AS request with
Realm is case-sensitive, try skarul...@mydomain.com
rob
Martin
First of all, thank you so much for your detailed analysis. I got a chance to
finally take a look at it today. I tried your suggested changes to
/etc/krb5.conf and I now get the following response.
[root@www ~]# kinit
kinit: Cannot contact any KDC for realm 'MYDOMAIN.COM' while
It is searching for ldap.mydomain.com because you still have a DNS SRV record,
_kerberos._udp.mydomain.com., pointing to it. I would start there.
As for the failure, I would check that the generated /etc/krb5.conf is correct:
~
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
If you look at the attached logs, you can see it is going to the correct DNS
server. The dig information is also correct. There is something else going on;
I can't figure out what.
Shreeraj
Change is the
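The two checks Martin describes above (which hosts the domain's SRV records still point at, and whether the generated /etc/krb5.conf will use those records at all), carried out in code. This is an added example, not code from the thread, from FreeIPA or from MIT Kerberos. The domain mydomain.com, the old master ldap.mydomain.com and the replica ldap2.mydomain.com are the thread's; the dig output and both krb5.conf texts are constructed samples, and SRV_NAMES, sample_lookup, parse_krb5_conf and kdc_candidates are names chosen here. kdc_candidates models libkrb5's rule only (explicit kdc lines for the realm win; SRV records are consulted only when there are none and dns_lookup_kdc is on); a FreeIPA client also carries SSSD's Kerberos locator plugin, which can override that order and is not modelled.

```python
"""Where will this client look for a KDC?  Added example; see lead-in."""
import re
import subprocess

# SRV names a FreeIPA server publishes and a client uses for autodiscovery.
SRV_NAMES = ("_kerberos._udp", "_kerberos._tcp", "_kpasswd._udp", "_ldap._tcp")

# Constructed sample of `dig +short SRV <name>` output: the _kerberos records
# still carry the old master, only _ldap already points at the replica.
SAMPLE_DIG = {
    "_kerberos._udp.mydomain.com": "0 100 88 ldap.mydomain.com.\n",
    "_kerberos._tcp.mydomain.com": "0 100 88 ldap.mydomain.com.\n"
                                   "0 100 88 ldap2.mydomain.com.\n",
    "_ldap._tcp.mydomain.com": "0 100 389 ldap2.mydomain.com.\n",
}

# Constructed krb5.conf samples: autodiscovery left on with no kdc pinned,
# and the same realm pinned to the replica with SRV lookups switched off.
KRB5_CONF_DISCOVERY = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = true
[realms]
 MYDOMAIN.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }
"""
KRB5_CONF_PINNED = """\
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_kdc = false
[realms]
 MYDOMAIN.COM = {
  kdc = ldap2.mydomain.com:88
  admin_server = ldap2.mydomain.com:749
 }
"""

def sample_lookup(name):  # offline stand-in for dig_lookup()
    return SAMPLE_DIG.get(name, "")

def dig_lookup(name):  # live version: needs dig and the client's resolver
    return subprocess.run(["dig", "+short", "SRV", name], capture_output=True,
                          text=True, check=False).stdout

_SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def parse_dig_srv(text):
    """'priority weight port target.' lines -> dicts, best candidate first."""
    records = []
    for line in text.splitlines():
        m = _SRV_LINE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            records.append({"priority": int(prio), "weight": int(weight),
                            "port": int(port),
                            "target": target.rstrip(".").lower()})
    return sorted(records, key=lambda r: (r["priority"], -r["weight"]))

def stale_targets(lookup, domain, expected_hosts):
    """SRV targets that are not one of the servers this client should use."""
    expected = {h.rstrip(".").lower() for h in expected_hosts}
    stale = {}
    for name in SRV_NAMES:
        fqdn = f"{name}.{domain}"
        bad = [r["target"] for r in parse_dig_srv(lookup(fqdn))
               if r["target"] not in expected]
        if bad:
            stale[fqdn] = bad
    return stale

def parse_krb5_conf(text):
    """Minimal reader: default_realm, dns_lookup_kdc, explicit kdc hosts."""
    conf = {"default_realm": None, "dns_lookup_kdc": True, "kdcs": {}}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if section == "libdefaults":
            if key == "default_realm":
                conf["default_realm"] = value
            elif key == "dns_lookup_kdc":
                conf["dns_lookup_kdc"] = value.lower() in ("true", "yes", "1")
        elif section == "realms":
            if line.endswith("{"):          # "MYDOMAIN.COM = {"
                realm = key
                conf["kdcs"].setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and key == "kdc":    # "kdc = host:88"
                conf["kdcs"][realm].append(value.split(":")[0].lower())
    return conf

def kdc_candidates(conf, realm, lookup):
    """Hosts libkrb5 tries for `realm`: its explicit kdc entries, or, only if
    there are none and dns_lookup_kdc is on, the _kerberos SRV targets.  The
    realm key is matched exactly (realm names are case-sensitive, unlike the
    DNS names derived from them)."""
    hosts = list(conf["kdcs"].get(realm, []))
    if hosts or not conf["dns_lookup_kdc"]:
        return hosts
    for proto in ("_udp", "_tcp"):
        for rec in parse_dig_srv(lookup(f"_kerberos.{proto}.{realm.lower()}")):
            if rec["target"] not in hosts:
                hosts.append(rec["target"])
    return hosts

if __name__ == "__main__":
    print("stale SRV targets:",
          stale_targets(sample_lookup, "mydomain.com", ["ldap2.mydomain.com"]))
    for label, text in (("discovery", KRB5_CONF_DISCOVERY),
                        ("pinned", KRB5_CONF_PINNED)):
        conf = parse_krb5_conf(text)
        for realm in ("MYDOMAIN.COM", "mydomain.com"):
            print(f"{label:9} {realm:13} -> "
                  f"{kdc_candidates(conf, realm, sample_lookup)}")
```

Run it as-is to see the offline sample; swap sample_lookup for dig_lookup to audit a real client. With the discovery config the old master is still the first KDC tried because _kerberos._udp points at it; with the pinned config only the replica is tried, and the realm written in lowercase yields no KDC at all, which is the "Cannot contact any KDC" case rather than a DNS problem.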
On 03/21/2014 07:44 PM, Shree wrote:
Hi
Attaching the install log. It complains about being unable to reach certain
ports; however, my tests using telnet were successful. Also, to refresh your
memory, the client should be reaching for the replica ldap2.mydomain.com and not
ldap.mydomain.com, which it does for the most part, but I found a
On 02/20/2014 02:58 PM, Shree wrote:
Can you help me figure out? Below is some info on the existing working
configuration on one of the clients.
1) Sudo version 1.7.4p5
2) [root@test500 ~]# sssd --version
1.9.2
3) These are the uncommented lines in /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains =
Dmitri, Rob, Lucas et al., thank you for all your help and patience and for
pointing me in the right direction. I was able to fix most of my issues. My
setup is a little complex, where I am trying to have a master and the replica in
different networks and in sync + each of them is serving a
Guys
Any word on this? New logs are attached to the email. I am still not able to
add clients using the replica. Let me know if you need any other information,
and thanks for your help.
Shreeraj
Change
Shree wrote:
1) I have got a step further. My replica is not running CA Service. To
achieve this I had to remove the existing cert with this command:
pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca -force
Now the replica looks like this:
[skarulkar@ldap2 tmp]$ sudo ipactl status
Here are a couple of things:
[skarulkar@ldap2 ~]$ rpm -q ipa-client
ipa-client-3.0.0-26.el6_4.4.x86_64
and my /etc/krb5.conf looks like this:
===
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc =
[root@test500 ~]# rpm -q ipa-client
ipa-client-2.2.0-16.el6.x86_64
[root@test500 ~]#
Shreeraj
Change is the only Constant !
On Wednesday, February 19, 2014 1:17 PM, Rob Crittenden
You'll definitely want to update to 2.2.0-17; that fixes CVE-2012-5484.
Unfortunately our logging around discovery was rather horrible in 2.2.x,
so it is difficult to know exactly what is going on.
Rob
You were right. After upgrading the client to the
ipa-client-3.0.0-37.el6.x86_64 version I started seeing a warning during the
client install that went something like
=
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the
Rob
I am giving it a fresh start and I notice similar issues.
1) I wasn't able to use --setup-ca while running ipa-replica-install
on the replica. It stopped the install after the ntpd step, see below.
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.
2) So
Shree wrote:
The logs are attached here. I had a day off yesterday.
Is port 7389 open? I see you skipped the connection check; what was failing?
In the ipareplica-install log this is reported:
Failed to setup the replication for cloning.
And in the debug log:
Shree wrote:
1) 7389 TCP is open between the master and replica; do I need 7389 UDP
also? What about clients and replica?
I have the following ports opened and tested between master and replica:
-- 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389
(TCP)
and 88 (UDP) 464
Shree wrote:
OK, failed at the same stage. Would you like the entire
/var/log/ipareplica-install.log? If yes, should I attach it to the email?
pa : INFO File
/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py,
line 614, in run_script
return_value =
Peter
Actually, I mentioned earlier that my clients are in a separate VLAN and cannot
access the master. We have made provisions for the master and the replica to
sync by opening the needed ports in the firewall. We have also opened up ports
between the clients and the replica. I have tested the
OK, I thought the CA is a part of IPA? Below is from my master IPA server:
[root@ldap ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@ldap ~]#
I can certainly send you a log if needed.
Rob
I really appreciate your help, please bear with me. At this point I need to
take you back to my ipa-replica-install and what happened there.
[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
This ended with a
Done configuring NTP
On 02/12/2014 02:09 PM, Shree wrote:
Rob
I really appreciate your help, please bear with me. At this point I
need to take you back to my ipa-replica-install and what happened there.
[1] My command: ipa-replica-install --setup-ca
/var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck
Lukas
I read the information in those two links; my problem is different. My replica
is working fine, the database has all the records. My problem is that I am not
able to use the replica for ipa-client-install. In one of my replies I sent
information that kinit was trying to access my master
The following ports are opened:
1) Between the master and the replica (bidirectional)
2) Between the client machine and the IPA replica (unidirectional).
When the replica was up it worked fine as far as syncing was concerned.
80 tcp
443 tcp
389 tcp
636 tcp
88 tcp
464 tcp
88 udp
464 udp
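The port lists posted above, and Rob's earlier question about 7389, as a runnable checklist. This is an added example, not code from the thread or from FreeIPA. It probes a host the way the telnet tests in the thread did (a TCP connect), reports which of the listed ports are blocked, and keeps the two UDP ports separate because a connect says nothing about them. The port numbers are the thread's; the role given to 7389 (the CA's own directory server, needed only between IPA servers) is stated here as an assumption, and the function names and the default hostname ldap2.mydomain.com are chosen for this example.

```python
"""Reachability checklist for a FreeIPA replica.  Added example; see lead-in."""
import socket

# Ports the thread lists as opened, with what each carries.  7389/TCP is
# assumed here to be the CA's internal directory server, which only the
# master <-> replica path needs (Rob's question above); clients do not.
CLIENT_TO_SERVER_TCP = {80: "HTTP", 443: "HTTPS", 389: "LDAP", 636: "LDAPS",
                        88: "Kerberos", 464: "kpasswd"}
CLIENT_TO_SERVER_UDP = {88: "Kerberos", 464: "kpasswd"}
SERVER_TO_SERVER_TCP = {**CLIENT_TO_SERVER_TCP, 7389: "CA directory server"}

def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes: the same test telnet makes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_host(host, ports, timeout=2.0, probe=tcp_open):
    """Probe each port; `probe` is injectable so the logic runs offline."""
    return {port: probe(host, port, timeout) for port in ports}

def missing_ports(results):
    """Ports whose probe failed, lowest first."""
    return sorted(port for port, ok in results.items() if not ok)

def report(host, ports, results):
    """One line per port, marking the blocked ones."""
    lines = []
    for port in sorted(ports):
        state = "open" if results[port] else "BLOCKED"
        lines.append(f"{host}:{port}/tcp {state:7} {ports[port]}")
    return lines

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap2.mydomain.com"
    role = sys.argv[2] if len(sys.argv) > 2 else "client"
    ports = SERVER_TO_SERVER_TCP if role == "server" else CLIENT_TO_SERVER_TCP
    results = check_host(host, ports)
    print("\n".join(report(host, ports, results)))
    print("UDP ports %s were not probed: a TCP connect (or telnet) says nothing"
          " about them; confirm with KRB5_TRACE=/dev/stdout kinit, whose trace"
          " shows the transport of each attempt." % sorted(CLIENT_TO_SERVER_UDP))
```

`python check.py ldap2.mydomain.com client` is the client-side run; `server` adds 7389 for the master-to-replica path. A clean TCP result with a kinit that still fails usually points at UDP 88 or 464 being filtered, or at the SRV records sending the client to a different host than the one probed.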
On 02/09/2014 07:44 AM, Rob Crittenden wrote:
Shree wrote:
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even
supports this.Our replica is in a separate network and all the
appropriate ports are opened between the master and the replica. The
replica got created successfully
Lucas (sorry, my previous email may have got sent improperly edited).
My typical command looks like this (domain name changed for disclosure
reasons):
# ipa-client-install --domain=mydomain.com --server=ldap2.mydomain.com
--hostname=test500.mydomain.com -d
master = ldap.mydomain.com
On (06/02/14 18:33), Shree wrote:
First of all, the ipa-replica-install did not allow me to use the --setup-ca
option, complaining that a cert already exists; replica creation was
successful after I skipped the option.
Seems like the replica is one except
1) There is no CA Service running on
Lukas
Perhaps I should explain the design a bit and see if FreeIPA even supports
this. Our replica is in a separate network and all the appropriate ports are
opened between the master and the replica. The replica got created
successfully and is in sync with the master (except the CA services