Re: [Freeipa-users] Public Key Authentication Failing
Re-enrolling the server has fixed it, but what caused this is still an issue.

Best Regards,
Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
https://www.fb.com/yks http://in.linkedin.com/in/yks https://twitter.com/checkwithyogesh http://google.com/+YogeshSharmaOnGooglePlus

On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma yks0...@gmail.com wrote:

> The majority of the sssd logs are filled with the below error:
>
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>
> Best Regards,
> Yogesh Sharma
>
> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma yks0...@gmail.com wrote:
>
>> Team,
>>
>> We are using public key authentication instead of passwords. It was working fine, but a day later it stopped working. The same key works if I change the username.
>>
>> For e.g.: initially we created a user, ipa1, with an SSH public key, but after some time it stopped working; now the same key works if we create an ipa2 user, but with the ipa1 user it fails to accept the key.
>>
>> Below are the ssh logs of a failed attempt:
>>
>> root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa vg4381@172.16.32.24 -vv
>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/id_rsa type 1
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
>> debug2: fd 3 setting O_NONBLOCK
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>> debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
>> debug2: kex_parse_kexinit:
>> debug2:
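As an added example (not code from the thread or from sssd), a small Python triage helper that parses the sssd backend log records quoted above and counts which failure messages repeat and over what window; the three quoted records are used as-is, and the extra sample lines (a trace record, a second failure, a continuation line) are constructed for the example.

```python
"""Parse sssd domain-backend log records and count repeated failures.
Record format (as quoted in the thread):
(Wed Aug 19 01:22:24 2015) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
"""
import re
from collections import Counter
from datetime import datetime

# Debug-level bits as documented for sssd's debug_level option.
LEVEL_NAMES = {0x0010: "fatal failure", 0x0020: "critical failure",
               0x0040: "serious failure", 0x0080: "minor failure",
               0x0100: "configuration", 0x0200: "function data",
               0x0400: "trace functions", 0x1000: "trace libraries",
               0x2000: "trace internal", 0x4000: "trace all"}
FAILURE_MAX = 0x0080  # 0x0010..0x0080 are the failure levels

# Non-greedy process field copes with the nested brackets in sssd[be[DOMAIN]].
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
                     r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
DOMAIN_RE = re.compile(r"be\[([^\]]+)\]")


def parse_line(line):
    """Return a dict for one record, or None for continuation/garbage lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    level = int(m.group("level"), 16)
    dom = DOMAIN_RE.search(m.group("proc"))
    return {"timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "domain": dom.group(1) if dom else None,
            "function": m.group("func"),
            "level": level,
            "level_name": LEVEL_NAMES.get(level, "unknown"),
            "message": m.group("msg")}


def summarise(lines):
    """Count failure records by (function, message) and the window they span."""
    failures, first, last = Counter(), None, None
    records = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        records += 1
        if rec["level"] <= FAILURE_MAX:
            failures[(rec["function"], rec["message"])] += 1
            first = first or rec["timestamp"]
            last = rec["timestamp"]
    span = (last - first).total_seconds() if first else 0.0
    return {"records": records, "unparsed": unparsed,
            "failures": failures, "span_seconds": span}


# Constructed sample: the three records quoted in the thread, plus a trace
# record, a second (made-up) failure and a continuation line for the example.
SID_MSG = "Could not parse domain SID from [(null)]"
SAMPLE_LINES = [
    "(Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] "
    "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): " + SID_MSG,
] * 3 + [
    "(Wed Aug 19 01:22:25 2015) [sssd[be[klikpay.int]]] [be_run_online_cb] (0x0400): Going online. Running callbacks.",
    "(Wed Aug 19 01:22:29 2015) [sssd[be[klikpay.int]]] [sdap_id_op_connect_done] (0x0040): Failed to connect, going offline (5 [Input/output error])",
    "    continuation text, not a record",
]
```

Running `summarise` over a real `/var/log/sssd/sssd_<domain>.log` gives the most-repeated `(function, message)` pairs, which is the quickest way to tell a steady background message from a burst that coincides with the login failures.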
[Freeipa-users] Cannot uninstall ipa-server
Hello.

After an unsuccessful installation of ipa-server, 3.0.0-42, I try to uninstall it, but the uninstallation hangs at the following step:

###
ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
###

It hangs forever.
Any way to perform the uninstallation manually?
I thought I saw a method somewhere concerning the removal of the files contained in the following folders:

###
/var/lib/ipa/sysrestore
/var/lib/ipa-client/sysrestore
###

Is it true?

Best regards.

Bahan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cannot uninstall ipa-server
ipa-server-install --uninstall --unattended

~J

On 8/19/15 7:41 AM, bahan w wrote:
> Hello.
>
> After an unsuccessful installation of ipa-server, 3.0.0-42, I try to uninstall it, but the uninstallation hangs at the following step:
>
> ###
> ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Shutting down all IPA services
> ###
>
> It hangs forever.
> Any way to perform the uninstallation manually?
> I thought I saw a method somewhere concerning the removal of the files contained in the following folders:
>
> ###
> /var/lib/ipa/sysrestore
> /var/lib/ipa-client/sysrestore
> ###
>
> Is it true?
>
> Best regards.
>
> Bahan
Re: [Freeipa-users] HBAC rules not applying to Solaris clients
Ah, I would love to help but have only been a Unix sysadmin for a couple of years now (came from the Windows side of the house) and have little coding ability. Still happy to help in any way I can though if you can find a place/need for me. You have all been very helpful to me so I would like to give back if I can.

From: Jakub Hrozek jhro...@redhat.com
To: Martin Kosek mko...@redhat.com
Cc: Freeipa-users freeipa-users@redhat.com
Sent: Wednesday, August 19, 2015 12:23 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
>> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> sipazzo wrote:
>>>> and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user, whether given access or not, can login to the Solaris systems. The allow-all rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example, to try to resolve the issue. Am I missing some steps?
>>>
>>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>>
>> one might try using solaris' RBAC system: http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>>
>> You would have to distribute your changes to all solaris systems.
>>
>> There is a RBAC ldap schema http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, but I have never tried using it with freeipa.
>>
>> --
>> Groeten,
>> natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still working on this, but the progress is slow, RHEL maintenance tends to eat most time..
Re: [Freeipa-users] HBAC rules not applying to Solaris clients
Thanks Bob, I have tried to implement this and cannot seem to get it to work for me even though it seems straightforward. I tried both using a user.allow file and adding the netgroup to /etc/passwd, as well as moving lines around in the pam.conf and many different versions of pam.conf, but it results in either everyone being able to login or no one being able to login. Do you mind sharing your pam.conf with me?

I have the following relevant entries in nsswitch.conf:

passwd:   files ldap
group:    files ldap
shadow:   files ldap
netgroup: ldap

From: Bob harv...@gmail.com
To: Natxo Asenjo natxo.ase...@gmail.com
Cc: Freeipa-users freeipa-users@redhat.com
Sent: Saturday, August 15, 2015 10:46 AM
Subject: Re: [Freeipa-users] HBAC rules not applying to Solaris clients

For Solaris we are using the pam_list module to control which LDAP users can have system access. The pam_list module allows netgroups to be listed in a user.allow file.

On Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> sipazzo wrote:
>>> and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user, whether given access or not, can login to the Solaris systems. The allow-all rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example, to try to resolve the issue. Am I missing some steps?
>>
>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>
> one might try using solaris' RBAC system: http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>
> You would have to distribute your changes to all solaris systems.
>
> There is a RBAC ldap schema http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, but I have never tried using it with freeipa.
>
> --
> Groeten,
> natxo
Re: [Freeipa-users] Cannot uninstall ipa-server
Janelle wrote:
> ipa-server-install --uninstall --unattended

I don't think it is the prompt that's hanging. I'd either wait to see whether it clears things up itself or try to figure out what service is hanging. Some of the timeouts are 5 minutes IIRC so it may take a while in the worst case scenario.

The files/directories you refer to are the hints that the uninstaller uses to know how to restore the system to as close to pre-install condition as possible. I don't know that it is all that consumable if done manually.

rob

> ~J
>
> On 8/19/15 7:41 AM, bahan w wrote:
>> Hello.
>>
>> After an unsuccessful installation of ipa-server, 3.0.0-42, I try to uninstall it, but the uninstallation hangs at the following step:
>>
>> ###
>> ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>> Shutting down all IPA services
>> ###
>>
>> It hangs forever.
>> Any way to perform the uninstallation manually?
>> I thought I saw a method somewhere concerning the removal of the files contained in the following folders:
>>
>> ###
>> /var/lib/ipa/sysrestore
>> /var/lib/ipa-client/sysrestore
>> ###
>>
>> Is it true?
>>
>> Best regards.
>>
>> Bahan
Re: [Freeipa-users] ipa v4 on CentOS6
Thanks for the valuable information. I will use CentOS7 for both client and server.
Hope you all the best.

On Wed, Aug 19, 2015 at 9:22 AM, Jakub Hrozek jhro...@redhat.com wrote:
> On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote:
>> On 08/17/2015 01:15 PM, Ramy Allam wrote:
>>> Hello,
>>>
>>> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine, and need to set up ipa-4.1.0 on a CentOS *6* machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6 please?
>>>
>>> The reason I need to set up ipa-client v4 on CentOS6 is that client v3 doesn't support OTP authentication.
>>
>> Hello,
>>
>> We do not plan backporting FreeIPA 4.0+ on CentOS-6, there are simply too many dependencies that are not there. Running purely on CentOS-7.1 looks like the least painful way to me. You can still of course have clients (SSSD) on CentOS-6.
>>
>> Jakub, can you please remind me what are the limitations with regards to SSSD OTP on RHEL-6?
>
> The SSSD code is there, but the Kerberos library version is the limit. We can't rebase to a newer one but at the same time it's impossible to backport the changes. Sorry, but new features sometimes require using a new system..
>
> Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will not be possible of course, that's expected.
Re: [Freeipa-users] Public Key Authentication Failing + Failed to Authenticate New User with Public Key
Any suggestion please?

Best Regards,
Yogesh Sharma

On Wed, Aug 19, 2015 at 1:37 PM, Yogesh Sharma yks0...@gmail.com wrote:

> Re-enrolling the server has fixed it, but what caused this is still an issue.
>
> Best Regards,
> Yogesh Sharma
>
> On Wed, Aug 19, 2015 at 1:23 AM, Yogesh Sharma yks0...@gmail.com wrote:
>
>> The majority of the sssd logs are filled with the below error:
>>
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>> (Wed Aug 19 01:22:24 2015) [sssd[be[klikpay.int]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
>>
>> Best Regards,
>> Yogesh Sharma
>>
>> On Wed, Aug 19, 2015 at 12:44 AM, Yogesh Sharma yks0...@gmail.com wrote:
>>
>>> Team,
>>>
>>> We are using public key authentication instead of passwords. It was working fine, but a day later it stopped working. The same key works if I change the username.
>>>
>>> For e.g.: initially we created a user, ipa1, with an SSH public key, but after some time it stopped working; now the same key works if we create an ipa2 user, but with the ipa1 user it fails to accept the key.
>>>
>>> Below are the ssh logs of a failed attempt:
>>>
>>> root@yogesh-ubuntu-pc:/home/yogesh# ssh -i /root/.ssh/id_rsa vg4381@172.16.32.24 -vv
>>> OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: /etc/ssh/ssh_config line 19: Applying options for *
>>> debug2: ssh_connect: needpriv 0
>>> debug1: Connecting to 172.16.32.24 [172.16.32.24] port 22.
>>> debug1: Connection established.
>>> debug1: permanently_set_uid: 0/0
>>> debug1: identity file /root/.ssh/id_rsa type 1
>>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.2
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>>> debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c00
>>> debug2: fd 3 setting O_NONBLOCK
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>>> debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,
Re: [Freeipa-users] HBAC rules not applying to Solaris clients
On Tue, Aug 18, 2015 at 09:05:14PM +0200, Martin Kosek wrote:
> On 08/15/2015 07:05 PM, Natxo Asenjo wrote:
>> On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> sipazzo wrote:
>>>> and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user, whether given access or not, can login to the Solaris systems. The allow-all rule has been disabled, my nsswitch.conf file looks good and I have tried different configs of pam.d, including the provided example, to try to resolve the issue. Am I missing some steps?
>>>
>>> HBAC enforcement is provided by sssd so doesn't work in Solaris.
>>
>> one might try using solaris' RBAC system: http://www.oracle.com/technetwork/systems/security/custom-roles-rbac-jsp-140865.html
>>
>> You would have to distribute your changes to all solaris systems.
>>
>> There is a RBAC ldap schema http://docs.oracle.com/cd/E19455-01/806-5580/6jej518q5/index.html for solaris, but I have never tried using it with freeipa.
>>
>> --
>> Groeten,
>> natxo
>
> Alternatively, you can also contribute to Jakub Hrozek's pam_hbac project:
> https://github.com/jhrozek/pam_hbac

btw I have quite a few changes from the last weeks, so yes, I'm still working on this, but the progress is slow, RHEL maintenance tends to eat most time..
Re: [Freeipa-users] ipa v4 on CentOS6
On Tue, Aug 18, 2015 at 09:02:14PM +0200, Martin Kosek wrote:
> On 08/17/2015 01:15 PM, Ramy Allam wrote:
>> Hello,
>>
>> I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine, and need to set up ipa-4.1.0 on a CentOS *6* machine. The CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6 please?
>>
>> The reason I need to set up ipa-client v4 on CentOS6 is that client v3 doesn't support OTP authentication.
>
> Hello,
>
> We do not plan backporting FreeIPA 4.0+ on CentOS-6, there are simply too many dependencies that are not there. Running purely on CentOS-7.1 looks like the least painful way to me. You can still of course have clients (SSSD) on CentOS-6.
>
> Jakub, can you please remind me what are the limitations with regards to SSSD OTP on RHEL-6?

The SSSD code is there, but the Kerberos library version is the limit. We can't rebase to a newer one but at the same time it's impossible to backport the changes. Sorry, but new features sometimes require using a new system..

Advanced conversations like https://fedorahosted.org/sssd/ticket/2335 will not be possible of course, that's expected.
Re: [Freeipa-users] Sudden replication failure
On 08/18/2015 08:39 PM, Martin Kosek wrote:
> On 08/10/2015 10:05 PM, Burke Rosen wrote:
>> Hello,
>>
>> I'm running two replicated freeIPA servers. One of them spontaneously failed. After taking the misbehaving server down, the remaining replicant handled everything fine. I restored the system to its original working state by uninstalling ipa-server from the non-functional server and re-replicating from the working server. All is well, but I am trying to figure out what might have caused the problem in the first place. Below are the first few (presumably) relevant lines of the error log. Can someone help me interpret them?
>>
>> Thank you,
>> -Burke Rosen
>
> This line is interesting:
>
> [08/Aug/2015:04:11:06 -0700] repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: 2010061412 remote server: (null).
>
> But I wonder how it is possible this was triggered, we did not bump the data version in the IPA Replica version plugin since 2010 as you can see. So for some reason, it seems that the version was not passed correctly when the connection between replicas was being established. I guess we will not find out the root cause, given you successfully rebuilt the server. I am still CCing Ludwig and Thierry for reference.

Hello,

The DS master (or replica) sent a start-replication session with an empty GUID payload (added by the ipa plugin). It should happen if you mixed DS and/or IPA versions, is that the case?

thanks
thierry