Re: [Freeipa-users] secondary out of sync on DNS again [solved]
working through it slowly now... :)

On Wed, Jan 11, 2017 at 11:22 AM, Martin Basti wrote:
> Have you tried the ldapsearch from the guide I sent you?
>
> On 11.01.2017 17:03, Outback Dingo wrote:
>>
>> I am still seeing this, and the same message about LDAP
>>
>> ./ipa_check_consistency -H
>> ipa2.optimcloud.com -d OPTIMCLOUD.COM
>> Directory Manager password:
>> FreeIPA servers:    ipa2    STATE
>> =================================
>> Active Users        1       OK
>> Stage Users         0       OK
>> Preserved Users     0       OK
>> User Groups         4       OK
>> Hosts               8       OK
>> Host Groups         2       OK
>> HBAC Rules          1       OK
>> SUDO Rules          0       OK
>> DNS Zones           26      OK
>> LDAP Conflicts      YES     FAIL
>> Ghost Replicas      NO      OK
>> Anonymous BIND      YES     OK
>> Replication Status  ipa 0
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: LDAP data for
>> instance 'ipa' are being synchronized, please ignore message 'all
>> zones loaded'
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in
>> dn_to_dnsname(): multi-valued RDNs are not supported
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to
>> convert DN
>> 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com'
>> to DNS name: not implemented
>> Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]:
>> ldap_sync_search_entry failed: not implemented
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
>> 150.217.162.in-addr.arpa/IN: loaded serial 1484150526
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
>> optimvoice.co/IN: loaded serial 1484150526
>> Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone
>> optimcloud.com/IN: loaded serial 1484150526
>>
>> On Wed, Jan 11, 2017 at 10:56 AM, Martin Basti wrote:
>>>
>>> Great :)
>>>
>>> On 11.01.2017 16:52, Outback Dingo wrote:
>>>>
>>>> damn... DMARC record removed, now synced
>>>>
>>>> On Wed, Jan 11, 2017 at 10:33 AM, Martin Basti wrote:
>>>>>
>>>>> Please try to create a new test user if it is replicated to other
>>>>> replicas.
>>>>>
>>>>> I see repl. conflicts please try to investigate them, it may cause a
>>>>> missing zone
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>>>
>>>>> could you check what do you have in journalctl -u named-pkcs11 on
>>>>> replica with missing entries?
>>>>>
>>>>> Martin
>>>>>
>>>>> On 11.01.2017 16:27, Outback Dingo wrote:
>>>>>>
>>>>>> Not really, not like last time but
>>>>>> [root@ipa2 ~]# cd ipa_check_consistency/
>>>>>> [root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H
>>>>>> ipa2.optimcloud.com -d OPTIMCLOUD.COM
>>>>>> Directory Manager password:
>>>>>> FreeIPA servers:    ipa2    STATE
>>>>>> =================================
>>>>>> Active Users        1       OK
>>>>>> Stage Users         0       OK
>>>>>> Preserved Users     0       OK
>>>>>> User Groups         4       OK
>>>>>> Hosts               8       OK
>>>>>> Host Groups         2       OK
>>>>>> HBAC Rules          1       OK
>>>>>> SUDO Rules          0       OK
>>>>>> DNS Zones           26      OK
>>>>>> LDAP Conflicts      YES     FAIL
>>>>>> Ghost Replicas      NO      OK
>>>>>> Anonymous BIND      YES     OK
>>>>>> Replication Status  ipa 0
>>>>>>
>>>>>> [07/Jan/2017:23:59:33.034771024 -0500] slapd shutting down - signaling
>>>>>> operation threads - op stack size 1 max work q size 3 max work q stack
>>>>>> size 3
>>>>>> [07/Jan/2017:23:59:33.080148204 -0500] slapd shutt
Re: [Freeipa-users] secondary out of sync on DNS again [solved]
I am still seeing this, and the same message about LDAP

./ipa_check_consistency -H ipa2.optimcloud.com -d OPTIMCLOUD.COM
Directory Manager password:
FreeIPA servers:    ipa2    STATE
=================================
Active Users        1       OK
Stage Users         0       OK
Preserved Users     0       OK
User Groups         4       OK
Hosts               8       OK
Host Groups         2       OK
HBAC Rules          1       OK
SUDO Rules          0       OK
DNS Zones           26      OK
LDAP Conflicts      YES     FAIL
Ghost Replicas      NO      OK
Anonymous BIND      YES     OK
Replication Status  ipa 0

Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: LDAP data for instance 'ipa' are being synchronized, please ignore message 'all zones loaded'
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in dn_to_dnsname(): multi-valued RDNs are not supported
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' to DNS name: not implemented
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: ldap_sync_search_entry failed: not implemented
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone 150.217.162.in-addr.arpa/IN: loaded serial 1484150526
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimvoice.co/IN: loaded serial 1484150526
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimcloud.com/IN: loaded serial 1484150526

On Wed, Jan 11, 2017 at 10:56 AM, Martin Basti wrote:
>
> Great :)
>
> On 11.01.2017 16:52, Outback Dingo wrote:
>>
>> damn... DMARC record removed, now synced
>>
>> On Wed, Jan 11, 2017 at 10:33 AM, Martin Basti wrote:
>>>
>>> Please try to create a new test user if it is replicated to other
>>> replicas.
>>>
>>> I see repl. conflicts please try to investigate them, it may cause a
>>> missing zone
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>>>
>>> could you check what do you have in journalctl -u named-pkcs11 on replica
>>> with missing entries?
>>>
>>> Martin
>>>
>>> On 11.01.2017 16:27, Outback Dingo wrote:
>>>>
>>>> Not really, not like last time but
>>>> [root@ipa2 ~]# cd ipa_check_consistency/
>>>> [root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H
>>>> ipa2.optimcloud.com -d OPTIMCLOUD.COM
>>>> Directory Manager password:
>>>> FreeIPA servers:    ipa2    STATE
>>>> =================================
>>>> Active Users        1       OK
>>>> Stage Users         0       OK
>>>> Preserved Users     0       OK
>>>> User Groups         4       OK
>>>> Hosts               8       OK
>>>> Host Groups         2       OK
>>>> HBAC Rules          1       OK
>>>> SUDO Rules          0       OK
>>>> DNS Zones           26      OK
>>>> LDAP Conflicts      YES     FAIL
>>>> Ghost Replicas      NO      OK
>>>> Anonymous BIND      YES     OK
>>>> Replication Status  ipa 0
>>>>
>>>> [07/Jan/2017:23:59:33.034771024 -0500] slapd shutting down - signaling
>>>> operation threads - op stack size 1 max work q size 3 max work q stack
>>>> size 3
>>>> [07/Jan/2017:23:59:33.080148204 -0500] slapd shutting down - waiting
>>>> for 26 threads to terminate
>>>> [08/Jan/2017:00:01:43.342292791 -0500] SSL alert: Sending pin request
>>>> to SVRCore. You may need to run systemd-tty-ask-password-agent to
>>>> provide the password.
>>>> [08/Jan/2017:00:01:43.348739255 -0500] SSL alert: Security
>>>> Initialization: Enabling default cipher set.
>>>> [08/Jan/2017:00:01:43.349917267 -0500] SSL alert: Configured NSS Ciphers
>>>> [08/Jan/2017:00:01:43.350819261 -0500] SSL alert:
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
>>>> [08/Jan/2017:00:01:43.352925341 -0500] SSL alert:
>>>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
>>>> [08/Jan/2017:00:01:43.354043098 -0500] SSL alert:
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
>>>> [08/Jan/2017:00:01:43.354944795 -0500] SSL alert:
>>>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
>>>> [08/Jan/2017:00:01:43.355929413 -0500] SSL a
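The named-pkcs11 lines in the message above fail on a DN whose first RDN carries `+nsuniqueid=...`, the form 389 Directory Server gives an entry it renamed after a replication naming conflict. As an added example (not part of the original thread, and not code from FreeIPA or ipa_check_consistency), this Python sketch extracts such DNs from journal text and builds the conflict search for the affected zone; the function names and the `cn=Directory Manager` bind DN are assumptions.

```python
import re

# Journal lines copied from the named-pkcs11 output quoted in the thread, plus
# one constructed line (the last) whose escaped '+' must NOT count as a conflict.
SAMPLE_JOURNAL = r"""
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: bug in dn_to_dnsname(): multi-valued RDNs are not supported
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=store+nsuniqueid=44fbbd0e-d80a11e6-ad7498e5-1ca0119b,idnsname=optimcloud.com.,cn=dns,dc=optimcloud,dc=com' to DNS name: not implemented
Jan 11 11:02:06 ipa2.optimcloud.com named-pkcs11[2516]: ldap_sync_search_entry failed: not implemented
Jan 11 11:02:07 ipa2.optimcloud.com named-pkcs11[2516]: zone optimcloud.com/IN: loaded serial 1484150526
Jan 11 11:02:08 ipa2.optimcloud.com named-pkcs11[2516]: failed to convert DN 'idnsname=a\+b,idnsname=example.test.,cn=dns,dc=example,dc=test' to DNS name: not implemented
"""

DN_RE = re.compile(r"failed to convert DN '(?P<dn>[^']+)' to DNS name")


def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters inside their part."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_rdn(rdn):
    """Return {attribute: value} for one RDN; a multi-valued RDN yields several keys."""
    out = {}
    for ava in split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        out[attr.strip().lower()] = value.strip()
    return out


def find_conflict_entries(journal_text):
    """List DNS entries that named could not load because they are conflict entries."""
    findings, seen = [], set()
    for line in journal_text.splitlines():
        match = DN_RE.search(line)
        if not match:
            continue
        dn = match.group("dn")
        if dn in seen:  # the same failure is logged again on every resync
            continue
        seen.add(dn)
        rdns = split_unescaped(dn, ",")
        first = parse_rdn(rdns[0])
        if "nsuniqueid" not in first:
            continue  # conversion failed for some other reason
        parents = [parse_rdn(r) for r in rdns[1:]]
        zone = next((p["idnsname"] for p in parents if "idnsname" in p), None)
        findings.append({
            "record": first.get("idnsname"),
            "zone": zone,
            "nsuniqueid": first["nsuniqueid"],
            "parent_dn": ",".join(rdns[1:]),
            "dn": dn,
        })
    return findings


def conflict_search_argv(finding, bind_dn="cn=Directory Manager"):
    """ldapsearch arguments listing conflict entries under the affected zone."""
    return ["ldapsearch", "-x", "-D", bind_dn, "-W",
            "-b", finding["parent_dn"],
            "(nsds5ReplConflict=*)", "nsds5ReplConflict"]


if __name__ == "__main__":
    for f in find_conflict_entries(SAMPLE_JOURNAL):
        print("conflict copy of record %r in zone %r" % (f["record"], f["zone"]))
        print("  " + " ".join(conflict_search_argv(f)))
```

On a replica, the input would be the output of `journalctl -u named-pkcs11`, the command suggested earlier in the thread.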
Re: [Freeipa-users] secondary out of sync on DNS again
damn... DMARC record removed, now synced

On Wed, Jan 11, 2017 at 10:33 AM, Martin Basti wrote:
> Please try to create a new test user if it is replicated to other replicas.
>
> I see repl. conflicts please try to investigate them, it may cause a missing
> zone
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> could you check what do you have in journalctl -u named-pkcs11 on replica
> with missing entries?
>
> Martin
>
> On 11.01.2017 16:27, Outback Dingo wrote:
>>
>> Not really, not like last time but
>> [root@ipa2 ~]# cd ipa_check_consistency/
>> [root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H
>> ipa2.optimcloud.com -d OPTIMCLOUD.COM
>> Directory Manager password:
>> FreeIPA servers:    ipa2    STATE
>> =================================
>> Active Users        1       OK
>> Stage Users         0       OK
>> Preserved Users     0       OK
>> User Groups         4       OK
>> Hosts               8       OK
>> Host Groups         2       OK
>> HBAC Rules          1       OK
>> SUDO Rules          0       OK
>> DNS Zones           26      OK
>> LDAP Conflicts      YES     FAIL
>> Ghost Replicas      NO      OK
>> Anonymous BIND      YES     OK
>> Replication Status  ipa 0
>>
>> [07/Jan/2017:23:59:33.034771024 -0500] slapd shutting down - signaling
>> operation threads - op stack size 1 max work q size 3 max work q stack
>> size 3
>> [07/Jan/2017:23:59:33.080148204 -0500] slapd shutting down - waiting
>> for 26 threads to terminate
>> [08/Jan/2017:00:01:43.342292791 -0500] SSL alert: Sending pin request
>> to SVRCore. You may need to run systemd-tty-ask-password-agent to
>> provide the password.
>> [08/Jan/2017:00:01:43.348739255 -0500] SSL alert: Security
>> Initialization: Enabling default cipher set.
>> [08/Jan/2017:00:01:43.377060277 -0500] SSL alert:
>> TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
>> [08/Jan/2017:00:01:43.379147161 -0500] SSL alert:
>> TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> [08/Jan/2017:00:01:43.381215466 -0500] SSL alert:
>> TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
>> [08/Jan/2017:00:01:43.410666701 -0500] SSL Initialization - Configured
>> SSL version range: min: TLS1.0, max: TLS1.2
>> [08/Jan/2017:00:01:43.412541954 -0500] 389-Directory/1.3.5.10
>> B2016.341. starting up
>> [08/Jan/2017:00:01:43.432516181 -0500] default_mr_indexer_create:
>> wa
Re: [Freeipa-users] secondary out of sync on DNS again
8:45:57 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'ipa.optimcloud.com//IN': 2001:500:1::803f:235#53
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone optimcloud.com/IN: loaded serial 1484142356
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone 252.91.54.in-addr.arpa/IN: sending notifies (serial 1484142357)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone optimcloud.com/IN: sending notifies (serial 1484142356)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone optimvoice.com/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone optimvoice.com/IN: sending notifies (serial 1484142357)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone virsum.com/IN: loaded serial 1484142357
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: zone virsum.com/IN: sending notifies (serial 1484142357)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: 5 master zones from LDAP instance 'ipa' loaded (5 zones defined, 0 inactive, 0 failed to load)
Jan 11 08:45:57 ipa2.optimcloud.com named-pkcs11[2493]: checkhints: unable to get root NS rrset from cache: not found
Jan 11 08:46:02 ipa2.optimcloud.com named-pkcs11[2493]: zone 150.217.162.in-addr.arpa/IN: sending notifies (serial 1484142357)
Jan 11 08:46:02 ipa2.optimcloud.com named-pkcs11[2493]: zone 252.91.54.in-addr.arpa/IN: sending notifies (serial 1484142357)
Jan 11 08:46:02 ipa2.optimcloud.com named-pkcs11[2493]: zone optimvoice.com/IN: sending notifies (serial 1484142357)
Jan 11 08:46:02 ipa2.optimcloud.com named-pkcs11[2493]: zone optimcloud.com/IN: sending notifies (serial 1484142356)
Jan 11 08:46:02 ipa2.optimcloud.com named-pkcs11[2493]: zone virsum.com/IN: sending notifies (serial 1484142357)
Jan 11 09:01:31 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'com/DS/IN': 2001:500:2f::f#53
Jan 11 09:01:31 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'com/DS/IN': 2001:7fe::53#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'com/DS/IN': 2001:dc3::35#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'com/DS/IN': 2001:7fd::1#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'com/DS/IN': 2001:503:ba3e::2:30#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:7fe::53#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:dc3::35#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Jan 11 09:01:32 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'net/DNSKEY/IN': 2001:503:231d::2:30#53
Jan 11 09:29:37 ipa2.optimcloud.com named-pkcs11[2493]: zone optimcloud.com/IN: sending notifies (serial 1484144977)
Jan 11 09:38:56 ipa2.optimcloud.com named-pkcs11[2493]: zone optimvoice.com/IN: sending notifies (serial 1484145536)
Jan 11 09:39:28 ipa2.optimcloud.com named-pkcs11[2493]: zone optimvoice.com/IN: sending notifies (serial 1484145568)
Jan 11 10:03:23 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'yandex.ru/A/IN': 2a02:6b8::1#53
Jan 11 10:03:23 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'yandex.ru/A/IN': 2a02:6b8:0:1::1#53
Jan 11 10:23:12 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Jan 11 10:23:12 ipa2.optimcloud.com named-pkcs11[2493]: error (network unreachable) resolving 'optimvpn.com/ANY/IN': 2001:7fd::1#53
lines 147-209/209 (END)

On Wed, Jan 11, 2017 at 10:33 AM, Martin Basti wrote:
> Please try to create a new test user if it is replicated to other replicas.
>
> I see repl. conflicts please try to investigate them, it may cause a missing
> zone
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> could you check what do you have in journalctl -u named-pkcs11 on replica
> with missing entries?
>
> Martin
>
> On 11.01.2017 16:27, Outback Dingo wrote:
>>
>> Not really, not like last time but
>> [root@ipa2 ~]# cd ipa_check_consistency/
>> [root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H
>> ipa2
Re: [Freeipa-users] secondary out of sync on DNS again
87627 -0500] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=optimcloud,dc=com does not exist
[11/Jan/2017:10:13:13.805429364 -0500] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=optimcloud,dc=com does not exist
[11/Jan/2017:10:13:13.806532806 -0500] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=optimcloud,dc=com does not exist
=

On Wed, Jan 11, 2017 at 10:24 AM, Martin Basti wrote:
>
> On 11.01.2017 15:32, Outback Dingo wrote:
>>
>> not sure why, but the secondary freeipa server is out of sync by a
>> long shot now, missing dns domains and A records... tried
>> ipa-replica-manage force-sync --from ipa.optimcloud.com
>>
>> doesn't seem to be working
>>
>> HELP!
>>
>
> Do you see any errors in /var/log/dirsrv/slapd-*/errors on servers?
>
> Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] secondary out of sync on DNS again
not sure why, but the secondary freeipa server is out of sync by a long shot now, missing dns domains and A records... tried

ipa-replica-manage force-sync --from ipa.optimcloud.com

doesn't seem to be working

HELP!
[Freeipa-users] DNS wildcards record for domain
a bit at a loss here, what's the proper way to add a DNS wildcard for a domain name to resolve to www.acmewidgets.com if someone types just the domain acmewigets.com in a browser ?
[Freeipa-users] List SPAM
I'm still getting nude porn spam emails and pics from a user Kimi Rachel
Re: [Freeipa-users] IPA Servers out of sync - DNS records
> According to log, it looks that replication has been restored a week ago
>
> can you use https://github.com/peterpakos/ipa_check_consistency to check
> what else is missing?
>
> If it finds missing entries, probably re-initialization will be needed
>
> Martin

really odd... i just did a yum update -y during our conversation on both servers, now ipa2 is synced again...
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On Tue, Dec 27, 2016 at 6:47 AM, Martin Basti wrote:
>
> On 27.12.2016 12:40, Outback Dingo wrote:
>>
>> On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
>>>
>>> On 27.12.2016 00:25, Outback Dingo wrote:
>>>>
>>>> Seems my secondary ipa server is somehow out of sync with the master,
>>>> is there any way to force a sync update ?
>>>>
>>> Can you elaborate more?
>>>
>>> What exactly from DNS records is out of sync?
>>>
>>> Martin
>>
>> it appears as though at least one A record is missing there might be
>> more but that's the first i noticed
>
> Can you please search for replication conflicts
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
> and do you have any replication errors in /var/log/dirsrv/slapd-*/errors
> log on servers?
>
> Martin

from the master ipa

[root@ipa dingo]# cat /var/log/dirsrv/slapd-*/errors
389-Directory/1.3.4.0 B2016.215.1556
ipa.optimcloud.com:636 (/etc/dirsrv/slapd-OPTIMCLOUD-COM)
[20/Dec/2016:22:38:51 -0500] - SSL alert: Configured NSS Ciphers
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert:
TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
[20/Dec/2016:22:38:51 -0500] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[20/Dec/2016:2
Re: [Freeipa-users] IPA Servers out of sync - DNS records
On Tue, Dec 27, 2016 at 5:59 AM, Martin Basti wrote:
>
> On 27.12.2016 00:25, Outback Dingo wrote:
>>
>> Seems my secondary ipa server is somehow out of sync with the master,
>> is there any way to force a sync update ?
>>
>
> Can you elaborate more?
>
> What exactly from DNS records is out of sync?
>
> Martin

it appears as though at least one A record is missing there might be more but that's the first i noticed
[Freeipa-users] IPA Servers out of sync - DNS records
Seems my secondary ipa server is somehow out of sync with the master, is there any way to force a sync update ?
[Freeipa-users] New IPA Servers
Ok so trying to setup a replica to deploy 2 new freeipa servers on AWS... migrating from old servers going away, It was suggested to create a replica then promote it. this issue is the public ip for the new server is not the same as the servers IP on AWS... so which one do i use ???
[Freeipa-users] new IPA Servers
trying to deploy new ipa servers so i can take down the old ones prior to a move however the install is failing with.

zone optimcloud.com. already exists in DNS and is handled by server(s): ipa.optimcloud.com., ipa2.optimcloud.com.

so how can i get around this... note the old servers are going away forever. but i need them alive until the new ones are ready
[Freeipa-users] CentOS 7.2 Certificate Issue with chrome
Freshly installed IPA went to the web ui and got this in google chrome

This site can’t provide a secure connection
ipa3.optimcloud.com doesn't adhere to security standards.
ERR_SSL_SERVER_CERT_BAD_FORMAT
Re: [Freeipa-users] Free IPA Client in Docker
On Wed, May 11, 2016 at 5:53 PM, Jan Pazdziora wrote:
> On Wed, May 11, 2016 at 05:33:55PM +0200, Outback Dingo wrote:
> > > On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote:
> > > >
> > > > https://hub.docker.com/r/adelton/freeipa-server/
> > >
> > > Also http://www.freeipa.org/page/Docker and
> > > https://github.com/adelton/docker-freeipa.
> >
> > great now the question I'm afraid to ask is how can i migrate my running
> > FreeIPA into the docker freeipa and save myself a whole server :)
>
> Start by understanding that FreeIPA in container is still proof of
> concept.
>
> You probably already have at least one replica -- just create the
> FreeIPA server in the container as another replica in your environment.
> That way you can test it gradually -- point clients to it, add it to
> DNS. I would not recommend attempting to convert existing installation
> in one swoop, by replacing it in place.
>

yupp step by step, small personal environment mostly for personal dev lab and dns for my domains.

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
Re: [Freeipa-users] Free IPA Client in Docker
On Wed, May 11, 2016 at 4:31 PM, Jan Pazdziora wrote:
> On Wed, May 11, 2016 at 04:19:48PM +0200, Martin Basti wrote:
> > On 11.05.2016 16:13, Outback Dingo wrote:
> > >
> > > not to fork the subject, but it would be nice if there was a freeipa
> > > server on docker
> >
> > https://hub.docker.com/r/adelton/freeipa-server/
>
> Also http://www.freeipa.org/page/Docker and
> https://github.com/adelton/docker-freeipa.
>

great now the question I'm afraid to ask is how can i migrate my running FreeIPA into the docker freeipa and save myself a whole server :)

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
Re: [Freeipa-users] Free IPA Client in Docker
On Wed, May 11, 2016 at 4:19 PM, Martin Basti wrote:
>
> On 11.05.2016 16:13, Outback Dingo wrote:
>
> On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote:
>
>> On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote:
>> > Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app
>> > Uses freeipa ldap as against default ldap.
>> >
>> > The freeipa-client gets successfully installed in Ubuntu 14.04 plain machine, that is why I am hoping making it run in a Ubuntu 14.04 docker should also be very much possible.
>> >
>> > As you can see the things get stuck in not starting bus process properly (this problem is not seen in ubuntu on plain machine). I cannot see much debug statements by enabling --debug option in ipa-client-install.
>> > Its not clear why this process doesn’t get started and what is missing in container as against plain machine which is making this install fail.
>> >
>> > I am on to this issue for 2 full days now. I am pasting whatever debug statements I got during install, here:
>> >
>> > Command
>> > —
>> > ipa-client-install --domain= --server= hostname= jupyterhub.com --no-ntp --no-dns-sshfp
>> >
>> > Log (After Error starts to happen)
>> > —
>> > Attached
>> >
>> > My main suspect is dbus service unable to start in this container where it launches on a plain machine.
>>
>> Certainly.
>>
>> What steps did you take to make dbus startable in the container? Do
>> you have the dbus package installed?
>>
>
> not to fork the subject, but it would be nice if there was a freeipa
> server on docker
>
> https://hub.docker.com/r/adelton/freeipa-server/
>
> this?
>

possibly, maybe, I've not tried to deploy this under DC/OS mesosphere yet... might give it a go

>> --
>> Jan Pazdziora
>> Senior Principal Software Engineer, Identity Management Engineering, Red
>> Hat
Re: [Freeipa-users] Free IPA Client in Docker
On Wed, May 11, 2016 at 3:50 PM, Jan Pazdziora wrote:
> On Tue, May 03, 2016 at 09:27:44PM +, Hosakote Nagesh, Pawan wrote:
> > Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app
> > Uses freeipa ldap as against default ldap.
> >
> > The freeipa-client gets successfully installed in Ubuntu 14.04 plain machine, that is why I am hoping making it run in a Ubuntu 14.04 docker should also be very much possible.
> >
> > As you can see the things get stuck in not starting bus process properly (this problem is not seen in ubuntu on plain machine). I cannot see much debug statements by enabling --debug option in ipa-client-install.
> > Its not clear why this process doesn’t get started and what is missing in container as against plain machine which is making this install fail.
> >
> > I am on to this issue for 2 full days now. I am pasting whatever debug statements I got during install, here:
> >
> > Command
> > —
> > ipa-client-install --domain= --server= hostname= jupyterhub.com --no-ntp --no-dns-sshfp
> >
> > Log (After Error starts to happen)
> > —
> > Attached
> >
> > My main suspect is dbus service unable to start in this container where it launches on a plain machine.
>
> Certainly.
>
> What steps did you take to make dbus startable in the container? Do
> you have the dbus package installed?
>

not to fork the subject, but it would be nice if there was a freeipa server on docker

> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
[Freeipa-users] CentOS 7 new install - no client ssh
client can't ssh - any ideas

ssh di...@xxx.xxx.xxx.xxx
di...@xxx.xxx.xxx.xxx's password:
Permission denied, please try again.
di...@xxx.xxx.xxx.xxx's password:

cat sssd/sssd_somehost.com.log
(Thu Mar 17 02:44:30 2016) [sssd[be[somehost.com]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Thu Mar 17 02:44:30 2016) [sssd[be[osomehost.com]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
Re: [Freeipa-users] CentOS 7 new install - no client ssh
On Thu, Mar 17, 2016 at 8:44 AM, Jakub Hrozek wrote:

> On Thu, Mar 17, 2016 at 07:43:41AM +0100, Outback Dingo wrote:
> > client cant ssh - any ideas
> >
> > ssh di...@xxx.xxx.xxx.xxx
> > di...@xxx.xxx.xxx.xxx's password:
> > Permission denied, please try again.
> > di...@xxx.xxx.xxx.xxx's password:
> >
> > cat sssd/sssd_somehost.com.log
> > (Thu Mar 17 02:44:30 2016) [sssd[be[somehost.com]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> > (Thu Mar 17 02:44:30 2016) [sssd[be[osomehost.com]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
>
> Please follow:
> https://fedorahosted.org/sssd/wiki/Troubleshooting

how about... your clock is off, run ntpdate pool.ntp.org and fixed
Re: [Freeipa-users] IPA UI Internal Server Error
On Sun, Dec 28, 2014 at 6:25 PM, Alexander Bokovoy wrote:

> - Original Message -
> > Outback Dingo wrote:
> > > So Ive installed a new IPA today on Fedora 21 the gui is throwing internal server errors
> > > uname -a
> > > Linux ipa.optimcloud.com 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> > > cat /etc/redhat-release
> > > Fedora release 21 (Twenty One)
> > > anyone seen this before? is there a fix ?
> > >
> > > [Sat Dec 27 13:21:01.443607 2014] [wsgi:error] [pid 6508] [client 192.168.70.22:39545] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
> > > [Sat Dec 27 13:21:02.159216 2014] [core:notice] [pid 6499] AH00052: child pid 6544 exit signal Segmentation fault (11)
> > > [Sat Dec 27 13:21:02.161311 2014] [core:notice] [pid 6499] AH00052: child pid 6574 exit signal Segmentation fault (11)
> > > [Sat Dec 27 13:21:03.384996 2014] [wsgi:error] [pid 7288] ipa: INFO: *** PROCESS START ***
> > > [Sat Dec 27 13:21:03.385754 2014] [wsgi:error] [pid 7287] ipa: INFO: *** PROCESS START ***
> > > [Sat Dec 27 13:21:10.286973 2014] [wsgi:error] [pid 7286] [client 192.168.70.22:39978] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
> > > [Sat Dec 27 13:21:11.172689 2014] [core:notice] [pid 6499] AH00052: child pid 7288 exit signal Segmentation fault (11)
> > > [Sat Dec 27 13:21:12.543688 2014] [wsgi:error] [pid 7301] ipa: INFO: *** PROCESS START ***
> >
> > That's a new one to me. Getting a backtrace from the core would be very useful.
>
> If this is with httpd 2.4.10-15 from testing, then downgrade httpd to 2.4.10-9 from stable.
> I've encountered it as well, 2.4.10-15.fc21 breaks mod_wsgi.
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-17195/httpd-2.4.10-15.fc21

Yupp that did in fact correct my issue also IPA appears okay so far now after the downgrade

> --
> / Alexander Bokovoy
Re: [Freeipa-users] IPA UI Internal Server Error
On Sun, Dec 28, 2014 at 8:22 AM, Rob Crittenden wrote:

> Outback Dingo wrote:
> > So Ive installed a new IPA today on Fedora 21 the gui is throwing internal server errors
> > uname -a
> > Linux ipa.optimcloud.com 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> > cat /etc/redhat-release
> > Fedora release 21 (Twenty One)
> > anyone seen this before? is there a fix ?
> >
> > [Sat Dec 27 13:21:01.443607 2014] [wsgi:error] [pid 6508] [client 192.168.70.22:39545] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
> > [Sat Dec 27 13:21:02.159216 2014] [core:notice] [pid 6499] AH00052: child pid 6544 exit signal Segmentation fault (11)
> > [Sat Dec 27 13:21:02.161311 2014] [core:notice] [pid 6499] AH00052: child pid 6574 exit signal Segmentation fault (11)
> > [Sat Dec 27 13:21:03.384996 2014] [wsgi:error] [pid 7288] ipa: INFO: *** PROCESS START ***
> > [Sat Dec 27 13:21:03.385754 2014] [wsgi:error] [pid 7287] ipa: INFO: *** PROCESS START ***
> > [Sat Dec 27 13:21:10.286973 2014] [wsgi:error] [pid 7286] [client 192.168.70.22:39978] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
> > [Sat Dec 27 13:21:11.172689 2014] [core:notice] [pid 6499] AH00052: child pid 7288 exit signal Segmentation fault (11)
> > [Sat Dec 27 13:21:12.543688 2014] [wsgi:error] [pid 7301] ipa: INFO: *** PROCESS START ***
>
> That's a new one to me. Getting a backtrace from the core would be very useful.

Question is where's the core file... I don't see one

> rob
[Freeipa-users] IPA UI Internal Server Error
So I've installed a new IPA today on Fedora 21, the gui is throwing internal server errors

uname -a
Linux ipa.optimcloud.com 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/redhat-release
Fedora release 21 (Twenty One)

anyone seen this before? is there a fix?

[Sat Dec 27 13:21:01.443607 2014] [wsgi:error] [pid 6508] [client 192.168.70.22:39545] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
[Sat Dec 27 13:21:02.159216 2014] [core:notice] [pid 6499] AH00052: child pid 6544 exit signal Segmentation fault (11)
[Sat Dec 27 13:21:02.161311 2014] [core:notice] [pid 6499] AH00052: child pid 6574 exit signal Segmentation fault (11)
[Sat Dec 27 13:21:03.384996 2014] [wsgi:error] [pid 7288] ipa: INFO: *** PROCESS START ***
[Sat Dec 27 13:21:03.385754 2014] [wsgi:error] [pid 7287] ipa: INFO: *** PROCESS START ***
[Sat Dec 27 13:21:10.286973 2014] [wsgi:error] [pid 7286] [client 192.168.70.22:39978] Truncated or oversized response headers received from daemon process 'ipa': /usr/share/ipa/wsgi.py, referer: https://ipa.optimcloud.com/ipa/ui/
[Sat Dec 27 13:21:11.172689 2014] [core:notice] [pid 6499] AH00052: child pid 7288 exit signal Segmentation fault (11)
[Sat Dec 27 13:21:12.543688 2014] [wsgi:error] [pid 7301] ipa: INFO: *** PROCESS START ***
Re: [Freeipa-users] Freeipa Blocking Sites?
You probably want like a squid or oops proxy filter if you mean for filtering web traffic.

On Wed, Nov 26, 2014 at 4:51 PM, Fraser Tweedale wrote:

> On Wed, Nov 26, 2014 at 04:31:38AM +, Rolf Nufable wrote:
> > Good morning
> > Is there a function in freeipa that blocks websites?
>
> Hi Rolf,
>
> FreeIPA does not have this feature. It is a centralised identity management system providing authentication and access control for hosts and services managed by an organisation.
>
> HTH,
>
> Fraser
[Freeipa-users] curious about monkeysphere
I'm curious about monkeysphere http://web.monkeysphere.info/ and how it might compare, integrate, enhance freeipa. Any thoughts, or ideas, or is what it does basically already covered via freeipa?
Re: [Freeipa-users] Freeipa and EDUROAM
On Sun, Nov 23, 2014 at 8:51 AM, Cosme Corrêa wrote:

> Hi,
>
> I am an "EDUROAM administrator".
> We use openldap, but I would like to migrate to freeipa.
>
> Has anyone done this before?
>
> Any help would be greatly appreciated.

can you help define what eduroam is? are you referring to the federated wireless network infrastructures being deployed by universities around the world?

> --
> Cosme Faria Corrêa
Re: [Freeipa-users] Unable to retrieve CA chain: mismatched tag: line 29, column 2
RECALL it works as long as another app isn't in the way :) disregard

On Sat, Nov 22, 2014 at 2:43 PM, Outback Dingo wrote:

> Fresh Fedora 21 Server, did the yum update -y after install
> then ran
>
> ipa-server-install -a 123XXX123 --hostname=ipa1.domain.com -r DOMAIN.COM -p 123XXX123 -n domain.com -U --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4
>
> and got
>
> BIND DNS server will be configured to serve IPA domain with:
> Forwarders:8.8.8.8, 8.8.4.4
> Reverse zone(s): 70.168.192.in-addr.arpa.
>
> Configuring NTP daemon (ntpd)
> [1/4]: stopping ntpd
> [2/4]: writing configuration
> [3/4]: configuring ntpd to start on boot
> [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv): Estimated time 1 minute
> [1/38]: creating directory server user
> [2/38]: creating directory server instance
> [3/38]: adding default schema
> [4/38]: enabling memberof plugin
> [5/38]: enabling winsync plugin
> [6/38]: configuring replication version plugin
> [7/38]: enabling IPA enrollment plugin
> [8/38]: enabling ldapi
> [9/38]: configuring uniqueness plugin
> [10/38]: configuring uuid plugin
> [11/38]: configuring modrdn plugin
> [12/38]: configuring DNS plugin
> [13/38]: enabling entryUSN plugin
> [14/38]: configuring lockout plugin
> [15/38]: creating indices
> [16/38]: enabling referential integrity plugin
> [17/38]: configuring certmap.conf
> [18/38]: configure autobind for root
> [19/38]: configure new location for managed entries
> [20/38]: configure dirsrv ccache
> [21/38]: enable SASL mapping fallback
> [22/38]: restarting directory server
> [23/38]: adding default layout
> [24/38]: adding delegation layout
> [25/38]: creating container for managed entries
> [26/38]: configuring user private groups
> [27/38]: configuring netgroups from hostgroups
> [28/38]: creating default Sudo bind user
> [29/38]: creating default Auto Member layout
> [30/38]: adding range check plugin
> [31/38]: creating default HBAC rule allow_all
> [32/38]: initializing group membership
> [33/38]: adding master entry
> [34/38]: configuring Posix uid/gid generation
> [35/38]: adding replication acis
> [36/38]: enabling compatibility plugin
> [37/38]: tuning directory server
> [38/38]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
> [1/27]: creating certificate server user
> [2/27]: configuring certificate server instance
> [3/27]: stopping certificate server instance to update CS.cfg
> [4/27]: backing up CS.cfg
> [5/27]: disabling nonces
> [6/27]: set up CRL publishing
> [7/27]: enable PKIX certificate path discovery and validation
> [8/27]: starting certificate server instance
> [9/27]: creating RA agent certificate database
> [10/27]: importing CA chain to RA certificate database
> [error] RuntimeError: Unable to retrieve CA chain: mismatched tag: line 29, column 2
> Unable to retrieve CA chain: mismatched tag: line 29, column 2
[Freeipa-users] Unable to retrieve CA chain: mismatched tag: line 29, column 2
Fresh Fedora 21 Server, did the yum update -y after install
then ran

ipa-server-install -a 123XXX123 --hostname=ipa1.domain.com -r DOMAIN.COM -p 123XXX123 -n domain.com -U --setup-dns --forwarder=8.8.8.8 --forwarder=8.8.4.4

and got

BIND DNS server will be configured to serve IPA domain with:
Forwarders:8.8.8.8, 8.8.4.4
Reverse zone(s): 70.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
[1/38]: creating directory server user
[2/38]: creating directory server instance
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configuring replication version plugin
[7/38]: enabling IPA enrollment plugin
[8/38]: enabling ldapi
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: creating indices
[16/38]: enabling referential integrity plugin
[17/38]: configuring certmap.conf
[18/38]: configure autobind for root
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache
[21/38]: enable SASL mapping fallback
[22/38]: restarting directory server
[23/38]: adding default layout
[24/38]: adding delegation layout
[25/38]: creating container for managed entries
[26/38]: configuring user private groups
[27/38]: configuring netgroups from hostgroups
[28/38]: creating default Sudo bind user
[29/38]: creating default Auto Member layout
[30/38]: adding range check plugin
[31/38]: creating default HBAC rule allow_all
[32/38]: initializing group membership
[33/38]: adding master entry
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: enabling compatibility plugin
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
[1/27]: creating certificate server user
[2/27]: configuring certificate server instance
[3/27]: stopping certificate server instance to update CS.cfg
[4/27]: backing up CS.cfg
[5/27]: disabling nonces
[6/27]: set up CRL publishing
[7/27]: enable PKIX certificate path discovery and validation
[8/27]: starting certificate server instance
[9/27]: creating RA agent certificate database
[10/27]: importing CA chain to RA certificate database
[error] RuntimeError: Unable to retrieve CA chain: mismatched tag: line 29, column 2
Unable to retrieve CA chain: mismatched tag: line 29, column 2
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 11:20 AM, Fraser Tweedale wrote:

> On Wed, Oct 22, 2014 at 03:23:56PM +0200, Lukas Slebodnik wrote:
> > On (22/10/14 17:10), Fraser Tweedale wrote:
> > > Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo.
> > >
> > > I will update it tomorrow with a bit more about the package "flavours" topic. For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
> > >
> > > http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/
> > >
> > The disadvantage of this approach is that users need to rely on updating of non standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA
> >
> > In my opinion, it's better to write howto (script) which will configure all necessary ports/files and portmaster will take care of updating ports.
> > https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
> >
> > LS
>
> Each has its advantages and disadvantages; people can choose what works for them. Hopefully - not too far in the future - people won't have to choose, when binary package "flavours" are implemented. When that happens, a small effort will be needed to define the FreeIPA flavour and ensure it gets included in the official package repos.

Actually I would be inclined to assist with a ports build, so it could be done correctly from the ports tree and work towards having it adopted into mainline.

> Fraser
Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server
On Thu, Oct 23, 2014 at 12:23 AM, Lukas Slebodnik wrote:

> On (22/10/14 17:10), Fraser Tweedale wrote:
> > Further to my earlier email, I have written a blog post about all these matters, with a particular focus on the custom package repo.
> >
> > I will update it tomorrow with a bit more about the package "flavours" topic. For now, all the details for enabling and using the custom repo are in the post. Check it out and let me know if you spot any issues.
> >
> > http://blog-ftweedal.rhcloud.com/2014/10/configuring-freebsd-as-a-freeipa-client/
> >
> The disadvantage of this approach is that users need to rely on updating of non standard repo. https://frase.id.au/pkg/${ABI}_FreeIPA
>
> In my opinion, it's better to write howto (script) which will configure all necessary ports/files and portmaster will take care of updating ports.
> https://www.freebsd.org/doc/handbook/ports-using.html#portmaster
>
> LS

As an avid BSD user, with FreeIPA cloud deployed, I'll fire up some FreeBSD VMs and see if I can get a running system, using the thread here, and the doc that's been written to "sanity" check things and possibly help out with the packaging if I can. I only need to consider that I run Launchd on my FreeBSD systems, so I'll need to go deeper, with modified start scripts. I'll do a few rc based stock installs of 10.1. See how we go.