[Freeipa-users] Login to Web UI don't work after restart

2013-07-26 Thread Schmitt, Christian
Hello,
Currently I'm trying to get ipa working in a virtual environment. After we
updated the kernel and restarted ipa, we can't log in to our web UI.

The time is totally correct, and nothing has changed except the kernel
update.

Our current operating system is CentOS 6.4 (with the newest updates).

The Web UI always says 'Your session has expired. Please re-login.'
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] PKI-CAD couldn't start

2013-07-13 Thread Schmitt, Christian
Btw, it was a new 'test' install.
So it wasn't an issue with making a new install.
The certs weren't expired, and as said it couldn't get that far, but the
init script didn't change. I diff'd every config file of pki-ca.
I also tried to reproduce it on a second test machine, by shutting it down
and up a few times on VMware ESXi.

Btw, I only put VMware ESXi into maintenance mode, installed a new driver (an
Intel driver for networking), then I left maintenance mode and
shut down the whole hypervisor.
Two machines were shut down correctly, but I think the ipa server didn't; it
got stuck shutting down pki-ca (btw, this step takes a long time even when
rebooting from a shell).

Then after the reboot of the hypervisor, the two other VMs started
correctly. Only the ipa machine took a long time to be turned on (btw, the
time was in sync).
But I didn't change any config file or init.d file. It was a clean install
where I only added groups/users, changed some DNS things and added 2
hosts.

The machine was/is a totally standard machine: 2 Intel NICs, 4 hard drives, 1
E5 processor (I didn't know the correct spec), so nothing special.
The ipa machine was, as already said, a CentOS 6.4 with IdM and an NTP server
(btw, the config files say you shouldn't do this on virtual machines, but
since we have no chance to run any NTP outside of a VM we need to do it).
I think the problem was caused by an ungraceful shutdown of the Identity
Management while it tried to shut down PKI-CA.

As said, even on a second test VM I couldn't reproduce it since I've always
shut down correctly. I never tried to shut the hypervisor off again.
But I can do it on Monday.
I've also taken a look into catalina.out, but there was only a socket error,
nothing that has anything to do with the grep command.

I think the problem was caused by a chain of really bad steps, and I
was really unhappy to run into this kind of thing.
I don't think the problem will get reproduced that easily.

But still, thanks for your help. Maybe I just need to be more careful.



2013/7/12 Rob Crittenden 

> Nathan Kinder wrote:
>
>> On 07/12/2013 01:58 PM, Dmitri Pal wrote:
>>
>>> On 07/12/2013 05:18 AM, natxo asenjo wrote:
>>>
>>>> On 07/12/2013 10:55 AM, Christian Schmitt wrote:
>>>>
>>>>> I can't start the IPA Service with service ipa start after a reboot.
>>>>> It fails on the pki-cad service, that only outputs
>>>>> 'grep --help' gives you more information.
>>>>>
>>>>> I'm really not sure what's the correct error and how to restart ipa now.
>>>>>
>>>> logs? look in /var/log/dirsrv/slapd-PKI-{yourinstancename}/ , the
>>>> answer should be in one of the files in there.
>>>>
>>> This is a DS log, you need to look into the PKI-CA log. Unfortunately I
>>> do not recall its location from top of my head.
>>>
>> We need to see if /var/log/pki-ca/catalina.out gives any clues when the
>> startup fails.
>>
>
> I wonder if it is even getting that far. If it is failing with grep usage
> then I wonder if something is missing that the init script is looking for.
>
> rob
>

Re: [Freeipa-users] PKI-CAD couldn't start

2013-07-12 Thread Schmitt, Christian
Currently this is the errors logfile:
[root@dc01 slapd-PKI-IPA]# cat errors
389-Directory/1.2.11.15 B2013.105.2259
dc01.envisia.de:7389 (/etc/dirsrv/slapd-PKI-IPA)

[12/Jul/2013:10:19:17 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:19:17 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:19:17 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:19:17 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:19:17 +0200] - All database threads now stopped
[12/Jul/2013:10:19:17 +0200] - slapd stopped.
[12/Jul/2013:10:31:20 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:31:23 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:31:23 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:32:18 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:32:18 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:32:18 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:32:18 +0200] - All database threads now stopped
[12/Jul/2013:10:32:18 +0200] - slapd stopped.
[12/Jul/2013:10:34:33 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:34:33 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:34:34 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:34:34 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:35:16 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:35:16 +0200] - All database threads now stopped
[12/Jul/2013:10:35:16 +0200] - slapd stopped.
[12/Jul/2013:10:38:00 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:38:00 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:38:00 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:38:47 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:38:47 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:38:48 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:38:48 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:39:32 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:39:32 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:39:32 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:39:32 +0200] - All database threads now stopped
[12/Jul/2013:10:39:32 +0200] - slapd stopped.
[12/Jul/2013:10:39:54 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:39:54 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:39:54 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:41:14 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:41:14 +0200] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[12/Jul/2013:10:41:14 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:41:14 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - waiting for 29 threads
to terminate
[12/Jul/2013:10:41:57 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:41:57 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:41:57 +0200] - All database threads now stopped
[12/Jul/2013:10:41:57 +0200] - slapd stopped.
[12/Jul/2013:10:47:25 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:47:25 +0200] - slapd started.  Listening on All Interfaces
port 7389 for LDAP requests
[12/Jul/2013:10:47:25 +0200] - Listening on All Interfaces port 7390 for
LDAPS requests
[12/Jul/2013:10:48:08 +0200] - slapd shutting down - signaling operation
threads
[12/Jul/2013:10:48:08 +0200] - slapd shutting down - closing down internal
subsystems and plugins
[12/Jul/2013:10:48:08 +0200] - Waiting for 4 database threads to stop
[12/Jul/2013:10:48:08 +0200] - All database threads now stopped
[12/Jul/2013:10:48:08 +0200] - slapd stopped.
[12/Jul/2013:10:48:22 +0200] - 389-Directory/1.2.11.15 B2013.105.2259
starting up
[12/Jul/2013:10:48:22 +0200] - slapd started.  Li
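The errors log above shows the pattern to look for: a "starting up" line with no "slapd stopped." since the previous start means slapd was killed rather than stopped, and on the next start the server logs "Detected Disorderly Shutdown" and recovers its database. The script below is an added example, not from the thread or from the 389-ds project, that cross-checks the two signals over an errors file. The sample log embedded in it is constructed as a condensed, unwrapped version of the lines above (the mail wrapped each record over two lines; the real file has one record per line), and the path in the usage comment is the one shown in this thread. The two counts differ where "slapd stopped." was logged but the server, which decides from its database environment rather than from the log, still reported a disorderly shutdown, as at 10:34:33 above; the script reports both counts so that case is visible.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a 389-ds "errors" log for
# unclean restarts. Real use on the server from the thread:
#   unlogged_stops /var/log/dirsrv/slapd-PKI-IPA/errors
#   disorderly_reported /var/log/dirsrv/slapd-PKI-IPA/errors

# unlogged_stops <errors-file>
# Print the timestamp of every "starting up" that was not preceded by a
# "slapd stopped." since the previous start, i.e. the process was killed
# (power-off, SIGKILL, hung shutdown) instead of being stopped.
unlogged_stops() {
    awk 'BEGIN { clean = 1 }                 # nothing was running before the first start
         / slapd stopped\.$/ { clean = 1; next }
         / starting up$/ {
             if (!clean) {
                 ts = $1 " " $2              # "[12/Jul/2013:10:38:47" "+0200]"
                 gsub(/\[/, "", ts); gsub(/]/, "", ts)
                 print ts
             }
             clean = 0                       # running now; a stop must be logged
         }' "$1"
}

# unlogged_stop_count <errors-file>: number of lines unlogged_stops prints.
unlogged_stop_count() {
    unlogged_stops "$1" | awk 'END { print NR }'
}

# disorderly_reported <errors-file>: how often slapd itself decided that the
# previous shutdown was disorderly. Exits 0 even when the count is 0.
disorderly_reported() {
    grep -c 'Detected Disorderly Shutdown' "$1" || true
}

# Constructed sample: a condensed, unwrapped version of the log in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
[12/Jul/2013:10:31:20 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:31:23 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[12/Jul/2013:10:32:18 +0200] - slapd shutting down - signaling operation threads
[12/Jul/2013:10:32:18 +0200] - slapd stopped.
[12/Jul/2013:10:34:33 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:34:33 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[12/Jul/2013:10:34:34 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[12/Jul/2013:10:35:16 +0200] - slapd shutting down - waiting for 29 threads to terminate
[12/Jul/2013:10:35:16 +0200] - slapd stopped.
[12/Jul/2013:10:38:00 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:38:00 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[12/Jul/2013:10:38:47 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:38:47 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[12/Jul/2013:10:38:48 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[12/Jul/2013:10:39:32 +0200] - slapd stopped.
[12/Jul/2013:10:39:54 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:39:54 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
[12/Jul/2013:10:41:14 +0200] - 389-Directory/1.2.11.15 B2013.105.2259 starting up
[12/Jul/2013:10:41:14 +0200] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[12/Jul/2013:10:41:14 +0200] - slapd started.  Listening on All Interfaces port 7389 for LDAP requests
EOF

echo "starts without a logged stop: $(unlogged_stop_count "$SAMPLE")"
unlogged_stops "$SAMPLE" | sed 's/^/  killed before: /'
echo "disorderly shutdowns reported by slapd: $(disorderly_reported "$SAMPLE")"
```

On the sample the script reports 2 starts without a logged stop (10:38:47 and 10:41:14) but 3 disorderly shutdowns reported by slapd; the extra one is the 10:34:33 start that followed a logged "slapd stopped.", which is the case to look at when a hypervisor reboot cut the shutdown short.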

Re: [Freeipa-users] Virtual Machines??

2013-07-10 Thread Schmitt, Christian
Did you use the --no-ntp option of freeipa? Or did you use the internal
freeipa ntp?


2013/7/9 natxo asenjo 

> On 07/08/2013 03:49 PM, Schmitt, Christian wrote:
>
>> Hello, is there currently a good way to install FreeIPA or IdM in
>> virtual machines?
>> Currently we have some Windows Hyper-V hypervisors since we are
>> planning to buy some Dell hardware that can't run Linux yet, the Dell
>> VRTX.
>> Also we want to reuse our Windows Server Datacenter licenses.
>> Is there a good way to do it?
>>
>
> We run a fully virtualized IdM environment on ESX. We did run into time
> sync problems after a server was rebooted for updates; the time was way
> out of sync.
>
> Running ntpdate to synchronize to the NTP server on boot with the
> /etc/sysconfig/ntpdate config file was the solution for us. The iburst
> option in ntp.conf works if your clock skew is not greater than 300
> seconds, but then you do not have login problems either.
>
> --
> groet,
> natxo
>
>
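The web UI "Your session has expired" message in the first post and the login problems after a VM reboot that natxo describes come down to the same check: Kerberos rejects a ticket when the client and KDC clocks differ by more than the krb5 clockskew setting, which defaults to 300 seconds. The function below is an added example, not from the thread or from FreeIPA, that reads the offset line printed by `ntpdate -q <server>` and decides whether a Kerberos login can work before ipa is started. The two sample lines are constructed in the format ntpdate prints, and 192.0.2.10 is a placeholder for your NTP server.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: check an NTP offset
# against the Kerberos clockskew limit before starting ipa on a rebooted VM.
# Real use (192.0.2.10 is a placeholder for your NTP server; the first line
# of ntpdate -q output is the per-server offset line):
#   skew_ok "$(ntpdate -q 192.0.2.10 | head -n 1)"

KRB_CLOCKSKEW=300   # krb5 default "clockskew", in seconds

# skew_ok "<ntpdate -q offset line>"
# Prints the absolute offset in whole seconds. Returns 0 when the offset is
# inside the Kerberos clockskew, 1 when a login would fail with
# "Clock skew too great", 2 when the line has no offset field.
skew_ok() {
    line=$1
    # the number after "offset ", sign kept, fractional part dropped
    offset=$(printf '%s\n' "$line" | sed -n 's/.*offset \(-\{0,1\}[0-9]*\)\.[0-9]*.*/\1/p')
    if [ -z "$offset" ]; then
        echo "no offset field in: $line" >&2
        return 2
    fi
    abs=${offset#-}
    echo "$abs"
    [ "$abs" -lt "$KRB_CLOCKSKEW" ]
}

# Constructed sample lines (not real measurements).
SAMPLE_OK='server 192.0.2.10, stratum 2, offset 0.001245, delay 0.02570'
SAMPLE_BAD='server 192.0.2.10, stratum 2, offset -412.318, delay 0.02570'

for s in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if secs=$(skew_ok "$s"); then
        echo "offset ${secs}s: inside the ${KRB_CLOCKSKEW}s clockskew, Kerberos logins will work"
    else
        echo "offset ${secs}s: step the clock (ntpdate -u <server>) before starting ipa"
    fi
done
```

On CentOS 6 the ntpdate init service (chkconfig ntpdate on) steps the clock at boot from the servers listed in /etc/ntp/step-tickers, with its options read from /etc/sysconfig/ntpdate, which is the mechanism natxo refers to; it runs before ntpd and ipa start, so a VM whose clock drifted while it was powered off comes up inside the clockskew instead of failing every kinit and web UI login until ntpd has slewed the difference away.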

[Freeipa-users] Virtual Machines??

2013-07-08 Thread Schmitt, Christian
Hello, is there currently a good way to install FreeIPA or IdM in virtual
machines?
Currently we have some Windows Hyper-V hypervisors since we are planning
to buy some Dell hardware that can't run Linux yet, the Dell VRTX.
Also we want to reuse our Windows Server Datacenter licenses.
Is there a good way to do it?

At the moment I tried it, but I get a lot of problems when trying to log in;
I think that happens because of the NTP server.

[Freeipa-users] Replicate on Servers with diffrent Version (Minor)

2013-07-07 Thread Schmitt, Christian
Hello, is it possible to replicate FreeIPA servers with different minor
versions?
Currently we are running a FreeIPA server on Fedora 19, since CentOS/RHEL
only has a FreeIPA 2.X server and we wanted the features of FreeIPA 3.X.
Would it be possible to replicate that server to a Red Hat Enterprise Linux
7 FreeIPA server when it arrives, when the minor version is different and
it is a 3.X server? Or do the major and minor versions need to be completely the same?

Re: [Freeipa-users] ipa-dns-install on a remote host?

2013-07-05 Thread Schmitt, Christian
Yeah, I know that feature, but when I have a view I need to declare two
zone files (I need to create one by hand and the other will get created
by ipa-dns). That's not exactly what I'm looking for, since some sites
shall be the same on both sides, like domain.tld and www.domain.tld are the
same on both sides. But domain.tld is also a freeipa domain, and
intra.domain.tld should only be routed through clients, but stash.domain.tld
and jira.domain.tld should have both, so that it is accessible through the
internet but the local clients should use the local IPs.
Isn't there a delegate-like feature? Or even a feature in freeipa that lets
me delegate some entries only to internal hosts.


2013/7/5 Anthony Messina 

> On Friday, July 05, 2013 04:18:37 PM Schmitt, Christian wrote:
> > Btw, are there any tips for having a second nameserver (public) that just
> > gives out the important/public hosts? Or is there a good way of having a
> > domain configured twice? Like the internal IP for ipa users and the
> > external IP for the people outside of the internal firewall?
>
> Unrelated to FreeIPA, BIND has support for views, which may accomplish this
> task for you:
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#id2591409
>
> -A
>
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
>

Re: [Freeipa-users] ipa-dns-install on a remote host?

2013-07-05 Thread Schmitt, Christian
At the moment I configured bind to be a slave and just get the zone from
the ipa DNS. But still I think that's not the best way to do it, since I
will also have some hosts in the zone file that shouldn't be public.

But I think that problem isn't related to ipa. I'm really happy about ipa
right now and just playing around with it, and hope that we can deploy it
live soon.

Btw, are there any tips for having a second nameserver (public) that just
gives out the important/public hosts?
Or is there a good way of having a domain configured twice? Like the
internal IP for ipa users and the external IP for the people outside of the
internal firewall?


P.S.: I'm not that familiar with bind9/10. I'm just learning to use it
correctly and make a good environment with ipa.


2013/7/5 Rob Crittenden 

> Schmitt, Christian wrote:
>
>> Is it possible to install ipa-dns-install on a remote host that is only
>> connected via VPN?
>>
>> I mean this is my current network structure:
>>
>> Host (Internet)   Intranet
>> VPN Access Provider  tun   <  -  > tun FreeIPA Server dc01
>> dc02
>>
>> When I now try ipa-dns-install with the IP from the client IP of the
>> tun device of the FreeIPA server I always get an error that the IP is
>> not on my device. Is there an easy way of having the DNS of the FreeIPA
>> server on an internet machine? I mean it will work if I replicate the
>> whole ipa-server, but that is somehow a little bit of overkill.
>>
>
> We provide no tool to configure DNS as a standalone service. The
> ipa-dns-install tool will only configure a bind server running on an IPA
> master.
>
> It is possible to configure bind/bind-dyndb-ldap to run on another host
> but you'd likely have performance issues and there could be problems at
> upgrade if we make configuration changes (they wouldn't be applied to your
> manually-configured instance).
>
> rob
>

[Freeipa-users] ipa-dns-install on a remote host?

2013-07-04 Thread Schmitt, Christian
Is it possible to install ipa-dns-install on a remote host that is only
connected via VPN?

I mean this is my current network structure:

Host (Internet)   Intranet
VPN Access Provider  tun   <  -  > tun FreeIPA Server dc01
dc02

When I now try ipa-dns-install with the IP from the client IP of the tun
device of the FreeIPA server I always get an error that the IP is not on my
device. Is there an easy way of having the DNS of the FreeIPA server on an
internet machine? I mean it will work if I replicate the whole ipa-server,
but that is somehow a little bit of overkill.