Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
On Fri, 25 Nov 2011, Craig T wrote: > Hi Alexander, > > I took "Steven Jones's advice" and updated the IPA client to > ipa-client-2.1.1-4.el6.x86_64 and the client started working > perfectly! Ok, great! -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
Hi Alexander, I took "Steven Jones's advice" and updated the IPA client to ipa-client-2.1.1-4.el6.x86_64 and the client started working perfectly! cya Craig On Fri, Nov 25, 2011 at 06:50:10AM +0200, Alexander Bokovoy wrote: > On Fri, 25 Nov 2011, Craig T wrote: > > Did anyone end up finding a solution to this issue? > > > > --- > > $ sudo ipa-client-install > > Discovery was successful! > > Hostname: testpc.example.com > > Realm: EXAMPLE.COM > > DNS Domain: example.com > > IPA Server: testvm-389.example.com > > BaseDN: dc=example,dc=com > > > > Continue to configure the system with these values? [no]: yes > > Enrollment principal: admin > > Password for ad...@example.com: > > > > Joining realm failed because of failing XML-RPC request. > > This error may be caused by incompatible server/client major versions. > > > Check /var/log/ipaclient-install.log for details. > > -- > / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
On Fri, 25 Nov 2011, Craig T wrote: > Did anyone end up finding a solution to this issue? > > --- > $ sudo ipa-client-install > Discovery was successful! > Hostname: testpc.example.com > Realm: EXAMPLE.COM > DNS Domain: example.com > IPA Server: testvm-389.example.com > BaseDN: dc=example,dc=com > > Continue to configure the system with these values? [no]: yes > Enrollment principal: admin > Password for ad...@example.com: > > Joining realm failed because of failing XML-RPC request. > This error may be caused by incompatible server/client major versions. > Check /var/log/ipaclient-install.log for details. -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] HBAC rules not working
On Thu, Nov 24, 2011 at 01:41:30AM +, Steven Jones wrote: > When I add a host to the hbac rule and not a host group I can login > > Something is wrong with the host group(s).damned if I can see what. > > regards > > Steven Jones > Which SSSD version is that? There was a bug (#741751) in the HBAC host group processing that got fixed in sssd-1.5.1-53 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA
Bluecoat, "Generally the user attribute type is "cn" for common name" is this correct for IPA? I have created a user group "internet-access" I want users in here have Internet access.. cn=internet-access,dc=groups,dc=unix,dc=vuw,dc=ac,dc=nz ? I also I assume need to create a user with sufficient privileges to query this user-group.I assume an anonymous bind wont do it? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 25 November 2011 2:42 p.m. To: FreeIPAUsers Subject: [Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA Hi, I need to get the above hardware to talk to IPA, I have had no joy at all. So who in Red Hat can I get the above hardware vendors to talk to to get me howtos? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Sun Solar SAN, Bluecoat proxy and Bluearc NAS connections to IPA
Hi, I need to get the above hardware to talk to IPA, I have had no joy at all. So who in Red Hat can I get the above hardware vendors to talk to to get me howtos? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] "Joining realm failed because of failing XML-RPC request"
Hi, Have you tried installing the later rhel client rpm on the scientific linux machine? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Craig T [free...@noboost.org] Sent: Friday, 25 November 2011 1:04 p.m. To: FreeIPAUsers Subject: [Freeipa-users] "Joining realm failed because of failing XML-RPC request" Hi, Did anyone end up finding a solution to this issue? --- $ sudo ipa-client-install Discovery was successful! Hostname: testpc.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: testvm-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes Enrollment principal: admin Password for ad...@example.com: Joining realm failed because of failing XML-RPC request. This error may be caused by incompatible server/client major versions. Specs: Server: Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) ipa-server-selinux-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-client-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-python-2.1.1-4.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-admintools-2.1.1-4.el6.x86_64 Client: Scientific Linux release 6.1 (Carbon) ipa-client-2.0.0-23.el6.x86_64 ipa-python-2.0.0-23.el6.x86_64 Regards, Craig ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] "Joining realm failed because of failing XML-RPC request"
Hi, Did anyone end up finding a solution to this issue? --- $ sudo ipa-client-install Discovery was successful! Hostname: testpc.example.com Realm: EXAMPLE.COM DNS Domain: example.com IPA Server: testvm-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes Enrollment principal: admin Password for ad...@example.com: Joining realm failed because of failing XML-RPC request. This error may be caused by incompatible server/client major versions. Specs: Server: Red Hat Enterprise Linux Server release 6.2 Beta (Santiago) ipa-server-selinux-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-client-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-python-2.1.1-4.el6.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-admintools-2.1.1-4.el6.x86_64 Client: Scientific Linux release 6.1 (Carbon) ipa-client-2.0.0-23.el6.x86_64 ipa-python-2.0.0-23.el6.x86_64 Regards, Craig ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] HBAC rules not working
Hi, I have created a brand new workstation, brand new user group and brand new host group.when I go to create a HBAC rule the user group fails to appear.. So it looks like the ipa setup is broken.terminally.? :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 25 November 2011 9:21 a.m. To: Rob Crittenden Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] HBAC rules not working I went debug_level 3 I am getting access denied by hbac rules Screenshot from the log incl. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Thursday, 24 November 2011 6:42 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] HBAC rules not working Steven Jones wrote: > When I add a host to the hbac rule and not a host group I can login > > Something is wrong with the host group(s).damned if I can see what. I'd bump up debugging in sssd (sssd.conf (5)) on the server you're logging into. It should tell you the evaluation it is making and why it is failing. You'll need to restart sssd after adding debug_level. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] HBAC rules not working
Hi, Yes I got there already, but thanks I made a new rule and per host works fine, not if I try and use a host group via CLI, so its not the gui I think..I can see one difference I'm testing that theory now. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: JR Aquino [jr.aqu...@citrix.com] Sent: Thursday, 24 November 2011 4:02 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] HBAC rules not working On Nov 23, 2011, at 5:41 PM, Steven Jones wrote: > Hi, > > Even a reboot doesnt fix the ghost host group issue... > > Can it be dont via the cli? ipa hbacrule-add-host --hostgroups=hostgroup_name hbacrule_name Also you may be running into a problem with source hosts... You do need to specify from which hosts you are allowing ssh if I recall correctly. Assuming that you want to permit _from_ any source host: ipa hbacrule-mod --srchostcat=all hbacrule_name ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
Yes. Check - OK, it hasnt expired yet this morning regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Adam Young [ayo...@redhat.com] Sent: Thursday, 24 November 2011 4:59 p.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket So let me get this straight: A system that works fine one day does not work the next. You have a Kerberos TIcket, it expires. The webUI doesn't work. You then do a kinit and reload the browser, and it does not work. THen you go through the initialization steps, including configuring the browser, and then the webUI does work? I can't see how that is possible. All that the browser config does is sets a couple of values in the properties that allows the browser forward the Kerberos TGT to the FreeIPA site. Are those values are somehow getting unset? There is something else going on. THe next time, before you re-init the tgt or anything, go through the steps here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html and check the values for network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users