[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Tiemen Ruiten via FreeIPA-users
I tried the GPO and that actually worked, thanks Robert. I had to specify all the subdomains we use as well in the value field (we have IPA clients in several subdomains of i.rdmedia.com). It appears my issue is solved. Looking forward to hearing what the Microsoft guys say. On 21 June 2017 at 00:41

[Freeipa-users] Frequent "LDAP query timed out" in named-pkcs11

2017-06-21 Thread emil.flink--- via FreeIPA-users
Hi, I am running two FreeIPA servers, up to date on Fedora 25, i.e. v4.4.4 of FreeIPA, in a small office environment. named-pkcs11 is logging quite a few (~30 a day) errors like the block below: LDAP error: Timed out: while modifying(replace) entry 'idnsname=ddns.ske1.bublar.,cn=dns,dc=ipa,dc=bub
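
A first triage step for the timeouts reported above is to tally them by hour, by operation and by the LDAP entry being modified, so you can tell whether one dynamic-update target is being hammered or the failures are spread across the tree. The script below is an added example, not code from the thread or from FreeIPA; the journal lines are constructed in the shape of the error quoted above, with a made-up host (ipa1) and zone (example.test):

```python
import re
from collections import Counter

# Constructed journal lines modelled on the error quoted in the thread (not real logs).
SAMPLE_LOG = """\
Jun 21 09:10:01 ipa1 named-pkcs11[2231]: LDAP error: Timed out: while modifying(replace) entry 'idnsname=ddns.example.test.,cn=dns,dc=example,dc=test'
Jun 21 09:10:01 ipa1 named-pkcs11[2231]: LDAP error: Timed out: while modifying(replace) entry 'idnsname=ddns.example.test.,cn=dns,dc=example,dc=test'
Jun 21 09:42:17 ipa1 named-pkcs11[2231]: zone example.test/IN: sending notifies (serial 1498036937)
Jun 21 10:05:44 ipa1 named-pkcs11[2231]: LDAP error: Timed out: while modifying(replace) entry 'idnsname=host7,idnsname=example.test.,cn=dns,dc=example,dc=test'
Jun 21 10:07:02 ipa1 named-pkcs11[2231]: LDAP error: Timed out: while modifying(replace) entry 'idnsname=ddns.example.test.,cn=dns,dc=example,dc=test'
"""

# syslog-style prefix, then the bind-dyndb-ldap error text; op is e.g. "modifying(replace)"
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hour>\d{2}):\d{2}:\d{2} \S+ named-pkcs11\[\d+\]: "
    r"LDAP error: Timed out: while (?P<op>\S+) entry '(?P<dn>[^']+)'$"
)


def summarize_ldap_timeouts(text):
    """Count 'LDAP error: Timed out' lines per hour, per DN and per operation."""
    by_hour, by_dn, by_op = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated named output, e.g. zone notifies
        by_hour[f"{m['month']} {m['day']} {m['hour']}:00"] += 1
        by_dn[m["dn"]] += 1
        by_op[m["op"]] += 1
    return {
        "total": sum(by_hour.values()),
        "by_hour": dict(by_hour),
        "by_dn": dict(by_dn),
        "by_op": dict(by_op),
    }


def top_entries(text, n=3):
    """DNs with the most timeouts, most frequent first."""
    summary = summarize_ldap_timeouts(text)
    return sorted(summary["by_dn"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # Real use: journalctl -u named-pkcs11 --since today | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    s = summarize_ldap_timeouts(data)
    print(f"{s['total']} timeouts")
    for hour, count in sorted(s["by_hour"].items()):
        print(f"  {hour}: {count}")
    for dn, count in top_entries(data):
        print(f"  {count:3d}  {dn}")
```

If nearly every timeout lands on the same idnsname entry, the problem is a hot record (the ddns zone in the thread is updated constantly) rather than the directory server as a whole; if they are spread over many DNs and cluster into specific hours, look at what the directory server was doing at those times before tuning timeouts.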

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread Kat via FreeIPA-users
Nothing? No suggestions? Is it not possible to support DNS through a NAT? -K On 6/20/17 1:32 PM, Kat wrote: Here is an odd problem (I think). I am using IPA in one environment, and want to set up a replica in another environment through natted connections. I can setup the client to the NAT

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Robert Johnson via FreeIPA-users
For what it's worth, I dug through my emails with Red Hat tech support and this is what we got back from the Identity Management support team: --- I did some additional research and found another customer which had a similar issue - our IPA development team has added some additional comment

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread John Keates via FreeIPA-users
What you want is not possible because DNS resolves to one IP, not to a NAT’ed IP. Doing this differently is very hacky and totally unsupported. One host, one IP, one DNS record. NAT doesn’t belong in this type of networking. If you really wanted to shoot yourself in the foot, you can use Unbound

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread Przemysław Orzechowski via FreeIPA-users
Hi, you are trying to set up a replica behind a NAT? I will try to picture it below: MASTER| - | NAT-DEVICE |- |REPLICA| 10.x.x.x | - |10.x.x.y 172.16.x.y|- |172.16.x.x | Is this setup somewhat correct? This makes a few problems: 1. UDP is stateless so you would ne

[Freeipa-users] Re: [SOLVED?] Re: Expired certificates

2017-06-21 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > On 06/20/2017 11:38 PM, Ian Pilcher wrote: >> If I don't specify the SSL_DIR, the curl command works, so it >> definitely seems to be an issue with the NSS database in >> /etc/httpd/alias. I don't see anything obviously wrong with the trust >> flags, though:

[Freeipa-users] Re: certmonger CA settings

2017-06-21 Thread Ian Pilcher via FreeIPA-users
On 06/21/2017 01:39 AM, Florence Blanc-Renaud wrote: your CA helpers are properly configured, except for the last one, which should look like the following: CA 'dogtag-ipa-ca-renew-agent': is-default: no ca-type: EXTERNAL helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-ren

[Freeipa-users] Re: [SOLVED?] Re: Expired certificates

2017-06-21 Thread Ian Pilcher via FreeIPA-users
On 06/21/2017 08:54 AM, Rob Crittenden wrote: Ian Pilcher via FreeIPA-users wrote: On 06/20/2017 11:38 PM, Ian Pilcher wrote: # certutil -d /etc/httpd/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert
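
The question in this thread is whether the trust attributes in /etc/httpd/alias are sane. The script below is an added example, not code from the thread or from FreeIPA: it parses the three-column output of `certutil -d /etc/httpd/alias -L` and checks the SSL column, where 'u' marks a certificate whose private key is in the database and 'C' marks a CA trusted for server authentication. The sample listings, the nickname EXAMPLE.TEST IPA CA and the expectation that the IPA CA carries CT,C,C are assumptions for illustration, not data from the thread:

```python
import re

# Constructed sample of `certutil -d /etc/httpd/alias -L` output, shaped like the
# listing quoted in the thread; nicknames and flags are illustrative, not real data.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
ipaCert                                                      u,u,u
"""

# Same listing with the CA's trust attributes wiped: a database where the server
# cert chains to a CA that NSS does not trust, so TLS clients using this directory fail.
SAMPLE_UNTRUSTED_CA_OUTPUT = SAMPLE_CERTUTIL_OUTPUT.replace("CT,C,C", ",,")

# nickname (may contain spaces), whitespace, then the "ssl,smime,jar" flag triple
_ROW_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(text):
    """Map nickname -> (ssl, smime, jar) trust strings from `certutil -L` output."""
    certs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue  # header rows and the blank separator
        m = _ROW_RE.match(line)
        if m:
            certs[m.group("nick").strip()] = tuple(m.group("trust").split(","))
    return certs


def audit_httpd_trust(certs, ca_nick, server_nick="Server-Cert"):
    """Return a list of findings; an empty list means the SSL column looks sane.

    SSL-column letters checked: 'u' = private key present (the server cert),
    'C' = trusted CA for server authentication. FreeIPA installs its CA as
    CT,C,C in this database (assumption from typical installs, not from the thread).
    """
    findings = []
    server = certs.get(server_nick)
    if server is None:
        findings.append(f"{server_nick}: not present in database")
    elif "u" not in server[0]:
        findings.append(f"{server_nick}: no private key marked (SSL trust {server[0]!r})")
    ca = certs.get(ca_nick)
    if ca is None:
        findings.append(f"{ca_nick}: not present in database")
    elif "C" not in ca[0]:
        findings.append(
            f"{ca_nick}: not trusted for SSL server auth (SSL trust {ca[0]!r}); "
            f"expected 'CT,C,C'; repair with: certutil -d /etc/httpd/alias -M -n '{ca_nick}' -t 'CT,C,C'"
        )
    return findings


if __name__ == "__main__":
    # Real use: certutil -d /etc/httpd/alias -L | python3 this_script.py '<CA nickname>'
    import sys
    nick = sys.argv[1] if len(sys.argv) > 1 else "EXAMPLE.TEST IPA CA"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_UNTRUSTED_CA_OUTPUT
    for finding in audit_httpd_trust(parse_certutil_list(data), nick) or ["trust flags OK"]:
        print(finding)
```

A clean trust column does not prove the chain is valid: a CA that is flagged CT,C,C but has expired, or a Server-Cert whose issuer is a different (renewed) CA than the one in the database, still fails the same way, so follow a clean audit with `certutil -d /etc/httpd/alias -V -u V -n Server-Cert` to have NSS verify the server certificate against what the database actually holds.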

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread Kat via FreeIPA-users
I think I see the problem - I am really trying to do Split DNS in this configuration. So I need to keep DNS working, but somehow there must be a way to have the replica on the outside of the firewall understand that there is split DNS involved. I am having an issue figuring out if FreeIPA DNS

[Freeipa-users] Issue with replica creation

2017-06-21 Thread Oleg Danilovich via FreeIPA-users
Hello guys, I have problems with creating a FreeIPA master replica. ipa --version VERSION: 4.3.1, API_VERSION: 2.164 Master server: IdP + self-signed CA. I want to create a full replica of the master server. Host for replica in domain (ipa-client-install -U --domain= --server= ipa1.itcapital.io --password= --princ

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 21 Jun 2017, Robert Johnson via FreeIPA-users wrote: For what it's worth, I dug through my emails with Red Hat tech support and this is what we got back from the Identity Management support team: --- I did some additional research and found another customer which had a similar iss

[Freeipa-users] Re: Users not imported with Active Directory Synchronization

2017-06-21 Thread Rob Crittenden via FreeIPA-users
laurent2.perrin--- via FreeIPA-users wrote: > Hi, > > > > I'm trying to setup a FreeIPA and Active Directory synchronisation > following Red Hat > documentation(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.ht

[Freeipa-users] Re: Master -> replica through NAT?

2017-06-21 Thread Kat via FreeIPA-users
AHA, LOCATIONS!!! Unless I am way off here - what I need to do is set the replica to NOT be DNS, but then stand up another replica inside the same "location" with DNS and make sure the hosts in that location talk to it, and in the inside location, they talk to the other host. The point is,

[Freeipa-users] Re: Rebuilding IPA environment

2017-06-21 Thread john.bowman--- via FreeIPA-users
Well, now that sounds like a daunting endeavor. It would definitely be a last-resort type situation for sure. Thank you both for laying it out, and I definitely didn't expect it to be possible at all, so at least it's something. I think the big problem we're having is the fact that we can't seem to cre

[Freeipa-users] Re: Issue with replica creation

2017-06-21 Thread Lachlan Musicman via FreeIPA-users
Oleg, IIRC, this is a known issue: https://pagure.io/freeipa/issue/6766 https://pagure.io/dogtagpki/issue/2644 https://pagure.io/dogtagpki/issue/2646 cheers L. -- "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective tran

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 21 Jun 2017, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 21 Jun 2017, Robert Johnson via FreeIPA-users wrote: For what it's worth, I dug through my emails with Red Hat tech support and this is what we got back from the Identity Management support team: --- I did some addit

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-21 Thread wouter.hummelink--- via FreeIPA-users
We have observed this behavior too when using external trusts from machines that both have external trusts to our account domains, i.e. our Windows resource domain and our IPA domain both have external trusts with the account domain. We have used the GPOs to point our Windows boxes to IPA where ne