Re: [Freeipa-users] Revisiting ILO [SOLVED]

2013-11-20 Thread KodaK
Not exactly "solved" but I'll call it that, since there is no way to change the login attribute. I've requested this feature, but I requested it through support and I'm sure it will die in a queue somewhere. On Wed, Nov 6, 2013 at 6:25 AM, Dmitri Pal wrote: > On 11/05/2013 02:51 PM, KodaK wro

[Freeipa-users] Lesson learned: don't do this.

2013-11-20 Thread KodaK
Just wanted to pass along an issue I just had. We have some legacy local users on some boxes, and we need to have a mix of those local users and IPA users in the same groups. In order for that to happen (at least on AIX) I need to create a group in IPA with the GID of the local group. This can b

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
The ldap/serverB keytab was renewed with the ipa-getkeytab command, but not put into place. Since the existing keytab in /etc/dirsrv/ds.keytab was no longer valid, replication stopped. I've since exported it a couple more times from each of the servers in an attempt to get it working again, but non

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rob Crittenden
Terry Soucy wrote: I have the keytab with the oldest version number shown in the kvno command, but when I put that into place, I get no joy. A lot more details are required. Did you change or renew the keytab? Did it suddenly stop working, and when? Logs? /var/log/dirsrv/slapd-REALM/error an

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Steven Jones
Hi, 6.4 is a lot more stable than 6.3 so make an update a priority IMHO. Not 100% sure what you mean but if they simply are out of sync then, 2 ways, (make a full ldap2file backup first). 1) un-install IPA server on B, reboot and re-install on B. 2) You can force a re-sync at the command line

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rich Megginson
On 11/20/2013 01:06 PM, Terry Soucy wrote: I have the keytab with the oldest version number shown in the kvno command, but when I put that into place, I get no joy. I don't know. Perhaps someone with ipa kerberos expertise can help. Terry On Wed, Nov 20, 2013 at 4:05 PM, Terry Soucy

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
The service principal ldap/serverB was exported but not put into place at /etc/dirsrv/ds.keytab. Replication started failing, DNS couldn't connect, the work generally started coming to an end. I've re-exported the service principal to a keytab file. If I export from serverA using the ipa-getkeytab

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
I have the keytab with the oldest version number shown in the kvno command, but when I put that into place, I get no joy. Terry On Wed, Nov 20, 2013 at 4:05 PM, Terry Soucy wrote: > The service principal ldap/serverB was exported but not put into place at > /etc/dirsrv/ds.keytab. Replication s

Re: [Freeipa-users] out of sync replicas

2013-11-20 Thread Rich Megginson
On 11/20/2013 12:37 PM, Terry Soucy wrote: I am currently having the following issue. Running Red Hat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic two server multimaster setup. Server A is running fine, but Server B is out of sync. More specifically, the ldap service principal is out of s

[Freeipa-users] out of sync replicas

2013-11-20 Thread Terry Soucy
I am currently having the following issue. Running Red Hat IPA on RHEL6.3 (ipa-server-3.0.0.25) in a basic two server multimaster setup. Server A is running fine, but Server B is out of sync. More specifically, the ldap service principal is out of sync between the two servers, which is leading to