Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade
Hi,

On Tue, 25 Nov 2014, Rich Megginson wrote:
> On 11/25/2014 12:32 PM, dbisc...@hrz.uni-kassel.de wrote:
>> with the help of Thierry and Rich I managed to debug the running ns-slapd on Server1 (see below). The failing attempt of decoding the SASL data returns a not very fruitful -1 (SASL_FAIL, generic failure). Any ideas?
>>
>> Short summary:
>> Server1 = running IPA server
>> Server2 = intended IPA replica
>>
>> Both machines run the exact same, up-to-date version of CentOS 6.6. However: I had to run ipa-replica-install _without_ the option --setup-ca (didn't work, installation failed with some obscure Perl error), so there's no ns-slapd instance running for PKI-IPA. May this be related?
>> [...]
>
> At this point, it's going to take more than a trivial amount of high latency back-and-forth on the mailing lists. I think we have probably run out of log levels for you to try. Please open a ticket against IPA. While this may turn out to be a bug in 389, at the moment it is only reproducible in your IPA environment.
> [...]

I've opened Ticket #4807 https://fedorahosted.org/freeipa/ticket/4807 on this issue.

[...]

With best regards,
--Daniel.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Replica Setup Issue
Hi Matt,

I ran into this a couple of months ago. I ended up creating the replica without --setup-ca, which first appeared to work, but then it turned out that replication is (at least for me) broken, cf. Ticket #4807 (https://fedorahosted.org/freeipa/ticket/4807).

On Fri, 12 Dec 2014, Matt Chesler wrote:
> 1. Create replica ipa-1 from old-ipa-1
> 2. Followed procedure documented at http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master to make ipa-1 the node responsible for CRL generation and CA renewal
> 3. Prepare ipa-2 to be a replica by running 'ipa-replica-prepare ipa-2.example.com' on ipa-1 and copying over the resulting gpg
> 4. Ran ipa-replica-install on ipa-2 and received the following output/failure:
>
> ===
> [root@ipa-2 ~]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-ipa-2.example.com.gpg
> [...]
>   [3/17]: configuring certificate server instance
> ipa         : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname ipa-2.example.com -cs_port 9445 -client_certdb_dir /tmp/tmp-ATedaS -client_certdb_pwd -preop_pin SAW89xQS4ICFy5zYWv0m -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=EXAMPLE.COM -ldap_host ipa-2.example.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=EXAMPLE.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=EXAMPLE.COM -ca_server_cert_subject_name CN=ipa-2.example.com,O=EXAMPLE.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=EXAMPLE.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=EXAMPLE.COM -external false -clone true -clone_p12_file ca.p12 -clone_p12_password -sd_hostname ipa-1.example.com -sd_admin_port 443 -sd_admin_name admin -sd_admin_password -clone_start_tls true -clone_uri https://ipa-1.example.com:443' returned non-zero exit status 255
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of CA failed
> ===
> [...]

With best regards,
--Daniel.
Re: [Freeipa-users] 3.0.0-42 Replication issue after Centos6.5-6.6 upgrade
On 12/15/2014 10:16 AM, dbisc...@hrz.uni-kassel.de wrote:
> Hi,
>
> On Tue, 25 Nov 2014, Rich Megginson wrote:
>> [...]
>> Please open a ticket against IPA. While this may turn out to be a bug in 389, at the moment it is only reproducible in your IPA environment.
>> [...]
>
> I've opened Ticket #4807 https://fedorahosted.org/freeipa/ticket/4807 on this issue.

Thanks. See my comment https://fedorahosted.org/freeipa/ticket/4807#comment:1 - as mentioned in the thread, we will need more data/cooperation to continue with this one.

Thanks,
Martin
[Freeipa-users] freeipa server 4.1 with ipa client 2.2
Should a machine running ipa client version 2.2 (because it's running Centos 6.3) be able to work with a freeipa server version 4.1?

The ipa-client-install script works ok and I see the client machine listed as one of the hosts in the freeipa admin gui, but I'm not sure if the version of sssd running on the client (1.8) has all the functionality for e.g. ssh key access for users.

Chris
Re: [Freeipa-users] Forest trust and AD child domain
On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
> Hi,
>
> As explained in the previous email, the getent is successful.
>
> [root@support1 ~]# getent group 'ACME\Domain Users'
> domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
>
> In fact, our real problem is not the "wbinfo -n" but the following command:
>
> [root@support1 sssd]# ipa group-add-member ad_users_external --external ACME\Domain Users
> [member user]:
> [member group]:
>   Group name: ad_users_external
>   Description: AD users external map
>   External member:
>   Member of groups: ad_users
>   Failed members:
>     member user:
>     member group: ACME\Domain Users: Cannot find specified domain or server name
> -
> Number of members added 0
> -
>
> We cannot add ACME's domain users in the ad_users_external.
>
> I attached the sssd logs.

Can you send the corresponding domain log file as well, it should be called sssd_linux.com.log or similar.

bye,
Sumit

> Regards
>
> 2014-12-12 21:51 GMT+01:00 Manuel Lopes manuel.lope...@gmail.com:
>> OK.
>>
>> Command successful
>> [root@support1 ~]# getent group 'ACME\Domain Users'
>> domain us...@acme.windows.com:*:365600513:administra...@acme.windows.com
>>
>> Log files attached
>>
>> Thanks
>>
>> 2014-12-12 21:32 GMT+01:00 Sumit Bose sb...@redhat.com:
>>> On Fri, Dec 12, 2014 at 08:41:27PM +0100, Manuel Lopes wrote:
>>>> [root@support1 ~]# ipa idrange-find
>>>> 3 ranges matched
>>>>   Range name: LINUX.COM_id_range
>>>>   First Posix ID of the range: 106600
>>>>   Number of IDs in the range: 20
>>>>   First RID of the corresponding RID range: 1000
>>>>   First RID of the secondary RID range: 1
>>>>   Range type: local domain range
>>>>
>>>>   Range name: WINDOWS.COM_id_range
>>>>   First Posix ID of the range: 73020
>>>>   Number of IDs in the range: 20
>>>>   First RID of the corresponding RID range: 0
>>>>   Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
>>>>   Range type: Active Directory domain range
>>>>
>>>>   Range name: ACME.WINDOWS.COM_id_range
>>>>   First Posix ID of the range: 36560
>>>>   Number of IDs in the range: 20
>>>>   First RID of the corresponding RID range: 0
>>>>   Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
>>>>   Range type: Active Directory domain range
>>>> Number of entries returned 3
>>>>
>>>> As we can see in the output of the command, the range type is ad POSIX attributes.
>>>
>>> no, it's only 'Active Directory domain range', this is good because with this type we generate the UIDs and GIDs algorithmically.
>>>
>>>> In our case, the gidNumber is not set in the ACME\Domain Users AD group, nor in the WINDOWS\Domain Users. With a gidNumber attribute value, the 'wbinfo -n ACME\Domain Users' command still fails.
>>>
>>> no need to set the ID attributes in AD. But I should have mentioned that wbinfo is quite useless nowadays with FreeIPA because winbind is only used to assure some types of communication with AD. All user and group lookups and ID-mapping is done by SSSD.
>>>
>>> Please try getent group 'ACME\Domain Users' and send the sssd_nss.log and sssd_example.com.log files.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks
>>>>
>>>> 2014-12-12 19:51 GMT+01:00 Manuel Lopes manuel.lope...@gmail.com:
>>>>> [root@support1 ~]# ipa idrange-find
>>>>> [...]
>>>>>
>>>>> Thanks
>>>>>
>>>>> 2014-12-12 10:33 GMT+01:00 Sumit Bose sb...@redhat.com:
>>>>>> On Fri, Dec
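The algorithmic ID generation Sumit refers to for ranges of type 'Active Directory domain range', shown as an added example (not FreeIPA or SSSD code): a parser for the idrange-find layout seen in the thread, the SID-to-POSIX-ID computation with its in-range check, and a range-overlap check a practitioner would run before trusting the mapping. The idrange-find text is constructed: the two domain SIDs are the thread's, but the base IDs and range sizes are assumed values chosen so that Domain Users (well-known RID 513) of the ACME domain maps to GID 365600513, the value getent returned in the thread.

```python
"""SID -> POSIX ID mapping for FreeIPA 'Active Directory domain range' ranges.
Added illustration, not FreeIPA or SSSD code.  Base IDs and sizes are assumed."""

# Constructed sample in the layout `ipa idrange-find` prints; the SIDs are
# from the thread, the numeric values are assumed (the thread's look truncated).
IDRANGE_FIND_OUTPUT = """\
3 ranges matched
  Range name: LINUX.COM_id_range
  First Posix ID of the range: 1066000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: WINDOWS.COM_id_range
  First Posix ID of the range: 730200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1701591335-3855227394-3044674468
  Range type: Active Directory domain range

  Range name: ACME.WINDOWS.COM_id_range
  First Posix ID of the range: 365600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1215373191-1991333051-3772904882
  Range type: Active Directory domain range
Number of entries returned 3
"""

# idrange-find label -> (dict key, converter)
FIELDS = {
    "Range name": ("name", str),
    "First Posix ID of the range": ("base_id", int),
    "Number of IDs in the range": ("size", int),
    "First RID of the corresponding RID range": ("base_rid", int),
    "Domain SID of the trusted domain": ("domain_sid", str),
    "Range type": ("type", str),
}


def parse_idranges(text):
    """Turn idrange-find output into a list of dicts, one per range."""
    ranges, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep or key not in FIELDS:
            continue                     # banner/footer lines carry no field
        field, conv = FIELDS[key]
        if field == "name":              # every entry starts with its name
            current = {}
            ranges.append(current)
        current[field] = conv(value)
    return ranges


def sid_to_posix_id(sid, ranges):
    """Map an object SID the way an AD-type range does: split off the RID,
    pick the range whose trusted-domain SID matches the domain part, then
    id = base_id + (rid - base_rid), accepted only if it lands inside the range."""
    domain_sid, _, rid_str = sid.rpartition("-")
    rid = int(rid_str)
    for r in ranges:
        if r.get("type") != "Active Directory domain range":
            continue                     # local ranges are not SID-addressed
        if r.get("domain_sid") != domain_sid:
            continue
        offset = rid - r["base_rid"]
        if 0 <= offset < r["size"]:
            return r["base_id"] + offset
        return None                      # domain known, RID outside the range
    return None                          # no range for this domain at all


def find_overlaps(ranges):
    """Pairs of range names whose POSIX ID intervals overlap; two principals
    resolving to one UID/GID is an authorization problem, so this must be empty."""
    overlaps = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if a["base_id"] < b["base_id"] + b["size"] and b["base_id"] < a["base_id"] + a["size"]:
                overlaps.append((a["name"], b["name"]))
    return overlaps


if __name__ == "__main__":
    rs = parse_idranges(IDRANGE_FIND_OUTPUT)
    # Domain Users (RID 513) of ACME -> 365600513, the GID getent showed
    print(sid_to_posix_id("S-1-5-21-1215373191-1991333051-3772904882-513", rs))
    print(find_overlaps(rs))             # [] when the ranges are disjoint
```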
Re: [Freeipa-users] Forest trust and AD child domain
The file sssd_linux.com.log is empty.

2014-12-15 15:42 GMT+01:00 Sumit Bose sb...@redhat.com:
> On Sat, Dec 13, 2014 at 02:13:30PM +0100, Manuel Lopes wrote:
>> [...]
>> I attached the sssd logs.
>
> Can you send the corresponding domain log file as well, it should be called sssd_linux.com.log or similar.
>
> bye,
> Sumit
> [...]
Re: [Freeipa-users] Forest trust and AD child domain
On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
> The file sssd_linux.com.log is empty.

please add debug_level = 10 to the [domain/...] section in sssd.conf to enable logging for this part of SSSD.

bye,
Sumit

> 2014-12-15 15:42 GMT+01:00 Sumit Bose sb...@redhat.com:
>> [...]
>> Can you send the corresponding domain log file as well, it should be called sssd_linux.com.log or similar.
>> [...]
Re: [Freeipa-users] freeipa server 4.1 with ipa client 2.2
On 12/15/2014 08:18 AM, Chris Card wrote:
> Should a machine running ipa client version 2.2 (because it's running Centos 6.3) be able to work with a freeipa server version 4.1?

It should work.

> The ipa-client-install script works ok and I see the client machine listed as one of the hosts in the freeipa admin gui, but I'm not sure if the version of sssd running on the client (1.8) has all the functionality for e.g. ssh key access for users.

The client will be able to use only the functionality it knows about and is capable of.

> Chris

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] Forest trust and AD child domain
On Mon, Dec 15, 2014 at 05:38:05PM +0100, Manuel Lopes wrote:
> Attached the sssd_linux.com.log file
>
> Regards

Thank you, there is no request logged in the logs, did you run ipa group-add-member after restarting SSSD?

Nevertheless I think I know what is happening, you hit an issue which should be fixed in SSSD 1.12.2, which version of SSSD are you running on which platform?

bye,
Sumit

> 2014-12-15 17:03 GMT+01:00 Sumit Bose sb...@redhat.com:
>> On Mon, Dec 15, 2014 at 04:39:29PM +0100, Manuel Lopes wrote:
>>> The file sssd_linux.com.log is empty.
>>
>> please add debug_level = 10 to the [domain/...] section in sssd.conf to enable logging for this part of SSSD.
>>
>> bye,
>> Sumit
>> [...]
[Freeipa-users] strange problem - IPA related?
Hi all..

Not sure if this is IPA related, but here it is:

1. IPA 4.1.2 install on CentOS 7
2. IPA 4.1.2 install on Fedora 21

So both systems are systemd based - the fedora system reboots in less than 30 seconds. The CentOS system reboots and has strange timers showing that it is waiting on various targets and services -- having trouble tracking it down, but the bottom line is the CentOS 7 box takes almost 10-15 minutes to reboot.

Thoughts? Ideas??

I know there is something in the startup that seems to MAYBE be related to the fedora-domain vs rhel-domain settings in some of the IPA python scripts -- or maybe not. Just thought I would see if anyone else is seeing something like this.

~J
Re: [Freeipa-users] strange problem - IPA related?
On 12/15/2014 01:28 PM, Janelle wrote:
> Hi all..
>
> Not sure if this is IPA related, but here it is:
>
> 1. IPA 4.1.2 install on CentOS 7
> 2. IPA 4.1.2 install on Fedora 21
>
> So both systems are systemd based - the fedora system reboots in less than 30 seconds. The CentOS system reboots and has strange timers showing that it is waiting on various targets and services -- having trouble tracking it down, but the bottom line is the CentOS 7 box takes almost 10-15 minutes to reboot.
>
> Thoughts? Ideas??
> [...]
> ~J

DNS timeouts? FW settings?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] trust non-IPA certificate client
I have one client using a certificate issued by a third party provider such that any secure (TLS) LDAP queries are refused since the certificates were not issued by IPA.

Since there are only a few clients with foreign certificates, can the CA simply be added to the NSS database used by the 389 directory server so IPA will establish a secure connection with them?

Steve
Re: [Freeipa-users] strange problem - IPA related?
Identical configurations on the same subnet - using same DNS resolvers.. Both host-based FWs disabled just because I thought that too.

Time to do some more studying of systemd and all the dependencies.

~J

On 12/15/14 4:34 PM, Dmitri Pal wrote:
> On 12/15/2014 01:28 PM, Janelle wrote:
>> [...]
>> Thoughts? Ideas??
>> [...]
>
> DNS timeouts? FW settings?
[Freeipa-users] Clients in multiple domains, any known issues?
Hello.

I have so far been running IPA on RHEL6, with a single domain (and a matching realm). I now have a use-case where it looks like I'll need to set up a new IPA realm, with the IPA servers in one DNS domain and the IPA clients in multiple (2-4) other domains. The servers will be running RHEL6 or RHEL7 with the bundled IPA. The clients are running mainly RHEL5 and RHEL6, and have hostnames that don't exist in DNS.

Are there any known issues with this type of setup? I know, it sounds a bit hairy, but apart from that? :)

Regards
Eivind Olsen