Endi Sukma Dewata edew...@redhat.com hat am 1. April 2015 um 23:56
geschrieben:
On 4/1/2015 4:29 PM, Markus Roth wrote:
Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM, Markus Roth wrote:
Hi all,
I want
On 04/07/2015 11:29 PM, Dmitri Pal wrote:
On 04/07/2015 03:04 PM, Natxo Asenjo wrote:
hi,
On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal d...@redhat.com
mailto:d...@redhat.com wrote:
On 04/03/2015 09:46 AM, Brian Topping wrote:
On Apr 3, 2015, at 6:48 AM, Tamas Papptom...@martos.bme.hu
Am 08.04.2015 um 10:27 schrieb Jakub Hrozek:
Can you run:
KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM
So that we can compare with the krb5_child.log you sent earlier? I
wonder if SSSD talks to a KDC that is slower or far away from your
client..
This is my trace from kinit:
[2422]
Hello!
We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see these:
[08/Apr/2015:13:06:47 +0600] NSACLPlugin - ACL PARSE ERR(rv=-5):
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:04 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 11:52 AM, Alexander
On 04/08/2015 01:40 PM, Alexander Frolushkin wrote:
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 5:12 PM
To: Alexander Frolushkin (SIB)
Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re:
On 04/08/2015 12:04 PM, Martin Kosek wrote:
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
Hello!
We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I
Hi Ben
On Wed, Apr 8, 2015 at 12:39 PM, Ben .T.George bentech4...@gmail.com wrote:
HI
i am getting krb5kdc: Server error on ligs:
krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
and the ipactl status is taking long time. Web interface is not able to
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 08, 2015 4:18 PM
To: Martin Kosek
Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 12:04 PM, Martin
HI Traino,
thanks for the info
i have checked the hots and confirmed that entry was ip FQDN Alias
format
And the DNS everything is working
[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp _kerberos._tcp
_kerberos._udp _kerberos-master._tcp _kerberos-master._udp _ntp._udp; do
echo ;
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:47 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz; Jakub Hrozek
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
In any case, upgrade
Sudo seems to be configured correctly but somehow it's not working
Even if I do a sudo -l under the admin user
[admin@ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep=COLORS
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 5:12 PM
To: Alexander Frolushkin (SIB)
Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On Wed, Apr 08,
On 04/08/2015 12:36 PM, Alexander Frolushkin wrote:
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 08, 2015 4:18 PM
To: Martin Kosek
Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz
Subject: Re: [Freeipa-users]
From: Jakub Hrozek [jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 2:01 PM
To: Martin Chamambo
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA, version: 4.1.0 and sudo configuration
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo
On Wed, Apr 08, 2015 at 11:40:08AM +, Alexander Frolushkin wrote:
After that, client are able to login via ssh on servers connected to 7.1
servers, but still no login on client servers connected to 7.0 IPA servers...
There we might be a problem with ACIs, can you check the logs on the
On 04/08/2015 12:12 PM, Alexander Frolushkin wrote:
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:04 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz
Subject: Re: [Freeipa-users]
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
Sudo seems to be configured correctly but somehow it's not working
Even if I do a sudo -l under the admin user
[admin@ironhide tmp]$ sudo -l
[sudo] password for admin:
Matching Defaults entries for admin on this host:
On 04/08/2015 11:52 AM, Alexander Frolushkin wrote:
Hello!
We used have a geo-replicated IPA with RHEL 7.0, and on one site ipa servers
was upgraded by mistake to RHEL 7.1 (ipa-server-4.1.0-18.el7_1.3.x86_64).
Now it is broken globally, in logs I see these:
[08/Apr/2015:13:06:47 +0600]
On one of accidently upgraded server I have following error in dirsrv logs:
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER
Element was too long, max allowable is 209715200 bytes. Change the
nsslapd-maxbersize attribute in cn=config to increase.
On (08/04/15 09:25), Chamambo Martin wrote:
Good day
I am running FreeIPA, version: 4.1.0 and everything is working well except
SUDO configuration.
ipa-client-install on CentOS 7.1 should configure sudo by default.
I have 3 questions
1: I have configured the bare minimum sudo
On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
I have these logs and cant seem to make sense of them
These are not the logs we asked for. What we need is debug_level=6 in
the sudo section, then run sudo, then attach
/var/log/sssd/sssd_sudo.log.
It would also be nice if you
I have this log after doing a debug_level=6 in the sudo section and have
attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
[root@ironhide ~]# tail -f /var/log/sssd/sssd_sudo.log
(Wed Apr 8 10:10:03 2015) [sssd[sudo]] [sysdb_domain_init_internal]
(0x0200): DB File for
HI
i am getting krb5kdc: Server error on ligs:
krb5kdc: Server error - while fetching master key K/M for realm SUN.LOCAL
and the ipactl status is taking long time. Web interface is not able to
athenticate.
If i issue ipactl restart, noting is happening
to solve this issue currently i am
Good day
I am running FreeIPA, version: 4.1.0 and everything is working well except
SUDO configuration.
I have 3 questions
1: I have configured the bare minimum sudo configuration without
hostgroups and netgroups , just sudo commands and sudo command groups that
have been added as sudo
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth mar...@die5roths.de wrote:
Yersterday I did the installation of freeipa on my banana Pi with
modifying the source file ipalib/constants.py:('startup_timeout', 300).
I changed it to 900 s. And the setup process was successful! The start of
the
Martin Kosek mko...@redhat.com hat am 8. April 2015 um 10:59 geschrieben:
On 04/08/2015 07:57 AM, Markus Roth wrote:
Endi Sukma Dewata edew...@redhat.com hat am 1. April 2015 um 23:56
geschrieben:
On 4/1/2015 4:29 PM, Markus Roth wrote:
Am Mittwoch, 1. April 2015, 16:04:54
On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
Good day
I am running FreeIPA, version: 4.1.0 and everything is working well except
SUDO configuration.
I have 3 questions
1: I have configured the bare minimum sudo configuration without
hostgroups and netgroups ,
On Wed, Apr 08, 2015 at 10:11:01AM +0200, Martin (Lists) wrote:
Am 07.04.2015 um 18:27 schrieb Simo Sorce:
On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
Hallo
attached you can find the data from krb_child.log. As far as I can see
it, the three seconds are due to the
Am 08.04.2015 um 10:57 schrieb Jakub Hrozek:
Most of the host can only communicate in the local net, which has not
that much hosts (10). The wired ones are connected via GBit Network,
wireless it is up to 150MBit. Server is a Xeon E3-1225 with 8GB Mem. All
Systems have Fedora 21
I have these logs and cant seem to make sense of them
I have created the hostgroup mailservers and have added the sudo rule that
allows the users to execute sudo vim anyfile
(Wed Apr 8 09:58:45 2015) [sssd[be[ai.co.zw]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'IPA'
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
I have this log after doing a debug_level=6 in the sudo section and have
attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
(Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
On Wed, Apr 08, 2015 at 10:43:10AM +0200, Martin (Lists) wrote:
Am 08.04.2015 um 10:27 schrieb Jakub Hrozek:
Can you run:
KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM
So that we can compare with the krb5_child.log you sent earlier? I
wonder if SSSD talks to a KDC that is slower
Am 07.04.2015 um 18:27 schrieb Simo Sorce:
On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
Hallo
attached you can find the data from krb_child.log. As far as I can see
it, the three seconds are due to the communication with the kerberos
server. (1.2.3.4 is my server).
Do you
I have done below and its giving me the correct results and at the moment
LET ME enable debugging in sudo itself and see if that will get me somewhere
[root@ironhide ~]# getent netgroup mailservers
mailservers (ironhide.ai.co.zw,-,ai.co.zw)
(alvin.ai.co.zw,-,ai.co.zw)
On 04/08/2015 07:57 AM, Markus Roth wrote:
Endi Sukma Dewata edew...@redhat.com hat am 1. April 2015 um 23:56
geschrieben:
On 4/1/2015 4:29 PM, Markus Roth wrote:
Am Mittwoch, 1. April 2015, 16:04:54 schrieben Sie:
On 4/1/2015 11:56 AM, Endi Sukma Dewata wrote:
On 03/31/2015 01:54 PM,
On 04/08/2015 08:42 AM, Jan Pazdziora wrote:
Hello world!
The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well as adding
Hello Team,
I know that FreeIPA server supports management of public keys for each user and
it is a very convenient feature.
Are there any possible way to manage private keys as well including features
like re-issuing the key pair if it gets compromised?
Regards,
Andrey
--
Manage your
Hello, I have self-signed freeipa replica. The problem is that I lose my
freeipa primary server after hdd error.
Now I need to create new replication server but I can't without primary
server. I read this documentation and a lot of community correspondence
but don't find my issue:
Hi all,
When I installed FreeIPA, it created a default ID range (of which user admin
is currently the only user existing). Through the UI, I've found that one can
create additional ranges (and that the ipa tools will complain if a user has a
uid assigned manually that falls outside the defined
On 04/08/2015 02:19 PM, Alexander Frolushkin wrote:
On one of accidently upgraded server I have following error in dirsrv logs:
[08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER Element
was too long, max allowable is 209715200 bytes. Change the nsslapd-maxbersize
Coy Hile wrote:
Hi all,
When I installed FreeIPA, it created a default ID range (of which user
admin
is currently the only user existing). Through the UI, I've found that
one can
create additional ranges (and that the ipa tools will complain if a user
has a
uid assigned manually that
Hello world!
The ability to run FreeIPA server in a container was recently
improved by adding support for storing the server configuration and
data in a volume, making it easier to backup the server, upgrade it to
newer versions, as well as adding the ability to start a container
as a replica of
It looks like Vault is the functionality I was looking for.
Thank you Rob and Dmitri for your responses.
Regards,
Andrey
On 4/8/15, 5:59 PM, Rob Crittenden rcrit...@redhat.com wrote:
Andrey Ptashnik wrote:
Hello Team,
I know that FreeIPA server supports management of public keys for
I'm looking at the following link for recovering expired certificates on
FreeeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Problem is when Iook inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do
not find one. I see the other three:
auditSigningCert cert-pki-ca
It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want run :
# ipa-cacert-manage renew --self-signed
I've got this message :
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system
If I want to install the CA
I’m having issues with getting my RHEL 7 server running Freeipa 4 to join my
Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below listed
errors popping up. I’ve tried both creating the trust from Freeipa and just
this morning I setup the trust on the AD
On Wed, 08 Apr 2015, Aric Wilisch wrote:
I’m having issues with getting my RHEL 7 server running Freeipa 4 to
join my Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below
listed errors popping up. I’ve tried both creating the trust from
Freeipa and just
Andrey Ptashnik wrote:
Hello Team,
I know that FreeIPA server supports management of public keys for each
user and it is a very convenient feature.
Are there any possible way to manage private keys as well including
features like re-issuing the key pair if it gets compromised?
I assume you
On 04/08/2015 11:31 AM, Andrey Ptashnik wrote:
Hello Team,
I know that FreeIPA server supports management of public keys for each
user and it is a very convenient feature.
First of all IPA does not support user certs yet. It supports SSH public
keys if this is what you are referring to.
On 04/08/2015 12:42 PM, Aric Wilisch wrote:
I'm having issues with getting my RHEL 7 server running Freeipa 4 to
join my Windows 2012R2 domain.
DNS checks out fine. When I try to establish the join I get the below
listed errors popping up. I've tried both creating the trust from
Freeipa and
Прохоров Сергей wrote:
Hello, I have self-signed freeipa replica. The problem is that I lose my
freeipa primary server after hdd error.
Now I need to create new replication server but I can't without primary
server. I read this documentation and a lot of community correspondence
but don't
On 04/08/2015 07:12 AM, Прохоров Сергей wrote:
Hello, I have self-signed freeipa replica. The problem is that I lose
my freeipa primary server after hdd error.
Now I need to create new replication server but I can't without
primary server. I read this documentation and a lot of community
On 04/08/2015 06:54 AM, Ben .T.George wrote:
HI Traino,
thanks for the info
i have checked the hots and confirmed that entry was ip FQDN
Alias format
And the DNS everything is working
[root@kwtprsolipa01 slapd-SUN-LOCAL]# for i in _ldap._tcp
_kerberos._tcp _kerberos._udp
John Williams wrote:
I'm looking at the following link for recovering expired certificates on
FreeeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Problem is when Iook inside my /etc/pki-ca/CS.cfg file for a
subsystemCert I do not find one. I see the other three:
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL 7 IPA
servers (one master and two duplicates). I'm trying to ensure that if one
server goes down, the remain server(s) will still allow logins. With the RHEL 6
clients this is easy -- the line
ipa_server = _srv_,
Guertin, David S. wrote:
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL
7 IPA servers (one master and two duplicates). I'm trying to ensure that
if one server goes down, the remain server(s) will still allow logins.
With the RHEL 6 clients this is easy -- the line
For all my sudo commands i do sudo command_name_here
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Craig White [cwh...@skytouchtechnology.com]
Sent: Thursday, April 09, 2015 1:52 AM
To: freeipa-users@redhat.com
Subject:
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 08, 2015 6:36 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 02:19 PM,
On 04/09/2015 05:59 AM, Alexander Frolushkin wrote:
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 08, 2015 6:36 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users]
Good day
I managed to configure sudo and its working for all my centos 6.6 and RHEL 6.6
clients. somehow i managed to change the sudo rules ,sudo comands and sudo
groups to be less restrictive ,thats when i managed to access root owned files
using sudo
thanx for your help
My advice when
Dne 8.4.2015 v 17:43 James James napsal(a):
It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want run :
# ipa-cacert-manage renew --self-signed
I've got this message :
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured
rpm -q sssd
sssd-1.11.6-30.el6_6.4.x86_64
rpm -q ipa-client
ipa-client-3.0.0-42.el6.x86_64
[test2.user@app001 ~]$ sudo su - weblogic
[sudo] password for test2.user:
Sorry, user test2.user is not allowed to execute '/bin/su - weblogic' as root
on app001.stt.local.
[test2.user@app001 ~]$ sudo -l
On 04/08/2015 04:04 PM, Guertin, David S. wrote:
I have a mixed environment of RHEL 5 and RHEL 6 clients, and three
RHEL 7 IPA servers (one master and two duplicates). I'm trying to
ensure that if one server goes down, the remain server(s) will still
allow logins. With the RHEL 6 clients
64 matches
Mail list logo
