Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Fraser Tweedale
On Tue, Mar 15, 2016 at 09:39:12AM +, Alessandro De Maria wrote: > Thank you Martin that's very helpful. > > The annoying thing about cut/paste from web ui is that the cert is not > wrapped at 60 chars like it should be, but I guess I'll have to wait for > the save certificate functionality.

Re: [Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Harald Dunkel
On 03/15/16 19:21, Jakub Hrozek wrote: > On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote: >> Shouldn't it keep on trying, or retry after a few minutes? > > We don't have any such

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
Janelle wrote: The groups don't go on the 2nd pass because they already went on the first meant. I meant to reply to this the other day as I have had a lot of experience with re-running migration. Group membership for an already existing group, does NOT come over on the 2nd pass. I have found it

Re: [Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Jakub Hrozek
On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote: > Hi folks, > > If I reboot my LXC server, then sssd doesn't come up in some containers. > The logfile of an affected host shows > > -- Reboot -- > Feb 27 17:17:23

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-15 Thread thierry bordaz
Hi Daryl, Thanks again for those logs and info. It confirms that slapi-nis tree priming delays DS startup (~1min10s). As Alexander mentioned it is now fixed with a deferred priming. My understanding is that krb5kdc startup is intense on DS. It is not clear why but you may be right it is

[Freeipa-users] sssd.service start operation timed out

2016-03-15 Thread Harald Dunkel
Hi folks, If I reboot my LXC server, then sssd doesn't come up in some containers. The logfile of an affected host shows -- Reboot -- Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services Daemon... Feb 27 17:17:53

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Janelle
The groups don't go on the 2nd pass because they already went on the first meant. I meant to reply to this the other day as I have had a lot of experience with re-running migration. Group membership for an already existing group, does NOT come over on the 2nd pass. I have found it is better to

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
lejeczek wrote: On 15/03/16 15:57, Rob Crittenden wrote: lejeczek wrote: On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base:

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek
On 15/03/16 15:57, Rob Crittenden wrote: lejeczek wrote: On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology,

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
lejeczek wrote: On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, groupofnames)

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek
On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, groupofnames) I see users went

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Alexander Bokovoy
On Tue, 15 Mar 2016, lejeczek wrote: On 15/03/16 13:42, Rob Crittenden wrote: lejeczek wrote: On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass:

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
lejeczek wrote: > On 14/03/16 17:06, Rob Crittenden wrote: >> lejeczek wrote: >>> with... >>> >>> ipa: ERROR: group LDAP search did not return any result (search base: >>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, >>> groupofnames) >>> >>> I see users went in but later I

Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Rakesh Rajasekharan
Yes, the space was indeed the culprit... I cleaned up some and login works fine now. Thanks!! On Tue, Mar 15, 2016 at 1:55 PM, Sumit Bose wrote: > On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote: > > I set up freeipa in my environment and works perfectly.

Re: [Freeipa-users] ipa replica failed PR_DeleteSemaphore

2016-03-15 Thread Ludwig Krispenz
On 03/14/2016 05:33 PM, Andrew E. Bruno wrote: On Mon, Mar 14, 2016 at 09:35:15AM +0100, Ludwig Krispenz wrote: On 03/12/2016 04:02 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016 at 06:08:04PM +0100, Ludwig Krispenz wrote: On 03/09/2016 05:51 PM, Andrew E. Bruno wrote: On Wed, Mar 09, 2016

Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Alessandro De Maria
Thank you Martin that's very helpful. The annoying thing about cut/paste from web ui is that the cert is not wrapped at 60 chars like it should be, but I guess I'll have to wait for the save certificate functionality. Any idea of when that's planned for? Regards Alessandro On 15 March 2016 at

Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek
On 14/03/16 17:06, Rob Crittenden wrote: lejeczek wrote: with... ipa: ERROR: group LDAP search did not return any result (search base: ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames, groupofnames) I see users went in but later I realized that current samba's ou was

Re: [Freeipa-users] User certificate workflow

2016-03-15 Thread Martin Babinsky
On 03/15/2016 08:39 AM, Alessandro De Maria wrote: Hello, I would like to have authenticated users to upload a csr request and have their certificate automatically signed. Their certificate would expire in x days. Given the short life of the certificate, I would then like them to be able to

Re: [Freeipa-users] unable to authenticate using freeipa client

2016-03-15 Thread Sumit Bose
On Mon, Mar 14, 2016 at 05:50:34PM +0530, Rakesh Rajasekharan wrote: > I set up freeipa in my environment and works perfectly. > > But just on one host, I am not able to authenticate. I get a permission > denied error. > > The sssd version I have is 1.12 > > the krb5_child log does point to

Re: [Freeipa-users] ipa-replica-install IPA startup timing issue

2016-03-15 Thread Alexander Bokovoy
On Mon, 14 Mar 2016, Daryl Fonseca-Holt wrote: Hello Thierry, In searching for a way to slow down the start of kadmind I discovered that the prepare-replica install-replica process was modifying /etc/sysconfig/krb5kdc to this: KRB5KDC_ARGS='-w 64' KRB5REALM=UOFMT1 KRB5KDC_ARGS='-w 64'