My first primary FreeIPA Master server has gone belly up. When I try to
start the server it shows this message in the "error" log. However the
other issue I have is when I try to start the server using "ipactl start"
it times out after 300 seconds, how do I get past this issue?
Hello all,
We've been re-using old host names and IP addresses for a new
deployment of nodes, and recently I've been seeing the messages pasted
below in the slapd-DC.DC.DC "error" log on our nodes.
[17/Aug/2016:10:30:30 -0400] - replica_generate_next_csn:
opcsn=57b475cd00120004 <=
After some debugging, I found the error:
cut =
ipa : DEBUGstderr=
ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref':
['pkcs11:object=a1'], 'dn':
'cn=KSK-2014073634Z-a1,cn=keys,idnsname=myzone.com.,cn=dns,dc=int,dc=gtrs,dc=de',
'cn':
Howdy!
Trying to figure out how to get past the error: Clone URI does not match
available subsystems when running ipa-ca-install on new ipa server.
A little background. We have 3 FreeIPA 3.0.0 servers running on RHEL 6.7.
We just recently (within the last month) added a new FreeIPA 4.2 server
On 08/16/2016 03:43 PM, Deepak Dimri wrote:
> Hi All,
>
> I am looking to write an Ansible playbook to automatically register my EC2
> instances as FreeIPA clients to my IPA Server and then add the client(s) to a
> particular hostgroup based on EC2 tag value. For example EC2 tag key value=
> prod
On Wed, 17 Aug 2016, Jan Karásek wrote:
Hi,
please could somebody explain how and with which account IPA is
accessing DC in IPA - AD trust scenario. Is it possible to simulate
with ldapsearch some query to AD with the same permission as IPA
server?
Depends on what trust we have. For
Hi,
please could somebody explain how and with which account IPA is accessing
DC in IPA - AD trust scenario. Is it possible to simulate with ldapsearch some
query to AD with the same permission as IPA server?
We have some issues with reading ldap object from AD and I would like to
On Wed, Aug 17, 2016 at 03:49:32PM +0200, Jan Karásek wrote:
> Hi,
>
> please could somebody explain how and with which account IPA is accessing
> DC in IPA - AD trust scenario. Is it possible to simulate with ldapsearch
> some query to AD with the same permission as IPA server?
>
> We
On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
David Kowis wrote:
> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>> This is weird as LDAP SASL &
On 17.8.2016 14:38, Guido Schmitz wrote:
>>> Still, there is one problem:
>>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>>> in LDAP (under attribute idnsSecAlgorithm in the entry
>>>
On 17.8.2016 09:52, Arthur Fayzullin wrote:
> any news?
Not really, we are waiting for SELinux policy maintainers to pick this up.
For the time being, you can try this:
1. Switch to permissive mode
$ setenforce 0
2. Watch audit log for new AVCs:
$ tail -f /var/log/audit/audit.log | grep AVC >
>> Still, there is one problem:
>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses
>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7
>> in LDAP (under attribute idnsSecAlgorithm in the entry
>>
The FreeIPA team is proud to announce bind-dyndb-ldap version 10.1.
It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/
The new version has also been built for Fedora 24+:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea30aafae1
Latest news:
10.1
[1]
>
> Now it is getting interesting :-)
>
> First of all, what version of FreeIPA packages and on what distro are you
> using? There are significant differences between package versions.
I am running Fedora 23 (inside an LXC on a Proxmox host) with FreeIPA
4.3.1 from COPR.
>
> The export is
any news? I've tried to make selinux permissive and write new policy,
that didn't help.
require {
type ipa_var_lib_t;
type named_t;
class dir read;
class file { write open lock read getattr };
}
#= named_t ==
allow named_t ipa_var_lib_t:dir
On Wed, Aug 17, 2016 at 10:52:53AM +0530, Kaamel Periora wrote:
> Thanks.
>
> One last question :)
>
> Will that be feasible to have all the systems (CA, RA, OCSP) on top of
> fedora and upgrade the OS as well as CS with the latest ones time to time.
> This should not affect the existing data or