Re: [Freeipa-users] Asking for help with crashed freeIPA istance

Flo, these are all the errors found: grep 'RESULT err=' access | perl -pe 's/.*(RESULT\s+err=\d+).*/$1/g' | sort -n | uniq -c | sort -n 2 RESULT err=6 95 RESULT err=32 200 RESULT err=14 2105 RESULT err=0 2017-01-05 8:10 GMT-06:00 Florence Blanc-Renaud : > On

Re: [Freeipa-users] pki-tomcat failure

On 11/01/2017 13:55, Petr Vobornik wrote: > On 01/10/2017 09:31 PM, Bob Hinton wrote: >> Hi, >> >> The pki-tomcatd services on our IPA servers seem to have stopped working. >> >> This seems to be related to the expiry of several certificates - >> >> [root@ipa001 ~]# getcert list | more >> Number

Re: [Freeipa-users] CA crt renew -- encoding mismatch

To sum up, our problem was we did not install new CA crt on all replicas, which should be probably done using "ipa-certupdate", but we missed that in the documentation. Regarding the certificates encoding, we noticed that after the upgrade v3 -> v4 IPA issues certificates in UTF8STRING and as

Re: [Freeipa-users] secondary out of sync on DNS again [solved]

working through it slowly now... :) On Wed, Jan 11, 2017 at 11:22 AM, Martin Basti wrote: > Have you tried the ldapsearch from the guide I sent you? > > > > On 11.01.2017 17:03, Outback Dingo wrote: >> >> I am still seeing this, and the same message about LDAP >> >>

Re: [Freeipa-users] secondary out of sync on DNS again [solved]

Have you tried the ldapsearch from the guide I sent you? On 11.01.2017 17:03, Outback Dingo wrote: I am still seeing this, and the same message about LDAP ./ipa_check_consistency -H ipa2.optimcloud.com -d OPTIMCLOUD.COM Directory Manager password: FreeIPA servers:ipa2STATE

Re: [Freeipa-users] secondary out of sync on DNS again [solved]

Great :) On 11.01.2017 16:52, Outback Dingo wrote: damn... DMARC record removed, now synced On Wed, Jan 11, 2017 at 10:33 AM, Martin Basti wrote: Please try to create a new test user if it is replicated to other replicas. I see repl. conflicts please try to

Re: [Freeipa-users] secondary out of sync on DNS again

Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 123.100.IN-ADDR.ARPA Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 124.100.IN-ADDR.ARPA Jan 11 08:45:56 ipa2.optimcloud.com named-pkcs11[2493]: automatic empty zone: 125.100.IN-ADDR.ARPA

Re: [Freeipa-users] secondary out of sync on DNS again

Please try to create a new test user if it is replicated to other replicas. I see repl. conflicts please try to investigate them, it may cause a missing zone

Re: [Freeipa-users] secondary out of sync on DNS again

Not realliy, not like last time but [root@ipa2 ~]# cd ipa_check_consistency/ [root@ipa2 ipa_check_consistency]# ./ipa_check_consistency -H ipa2.optimcloud.com -d OPTIMCLOUD.COM Directory Manager password: FreeIPA servers:ipa2STATE = Active Users1

Re: [Freeipa-users] secondary out of sync on DNS again

On 11.01.2017 15:32, Outback Dingo wrote: not sure why, but the secondary freeipa server is out of sync by a long shot now, missing dns domains and A records... tried ipa-replica-manage force-sync --from ipa.optimcloud.com doesnt seem to be working HELP! Do you see any errors in

[Freeipa-users] secondary out of sync on DNS again

not sure why, but the secondary freeipa server is out of sync by a long shot now, missing dns domains and A records... tried ipa-replica-manage force-sync --from ipa.optimcloud.com doesnt seem to be working HELP! -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] modify schema - add group email and display attribute

On 01/11/2017 01:58 PM, Sandor Juhasz wrote: > Ok, > > OID - check > ldapmodify - check > python scripts - check > These works on both ipa 3.x and ipa 4.x. > So the basic functionality is there for the new object class. > > js - i am stuck with, i have created the js files for the plugin, see

Re: [Freeipa-users] pki-tomcat failure

On 01/10/2017 09:31 PM, Bob Hinton wrote: > Hi, > > The pki-tomcatd services on our IPA servers seem to have stopped working. > > This seems to be related to the expiry of several certificates - > > [root@ipa001 ~]# getcert list | more > Number of certificates and requests being tracked: 8. >

Re: [Freeipa-users] modify schema - add group email and display attribute

Ok, OID - check ldapmodify - check python scripts - check These works on both ipa 3.x and ipa 4.x. So the basic functionality is there for the new object class. js - i am stuck with, i have created the js files for the plugin, see below. But i don't know how to generate the the index.

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

Thanks! I will take a look at that. Andy On 1/9/17 8:37 AM, Youenn PIOLET wrote: > Hey there, > > I got the same issue after upgrading my servers to 4.4.0 > The problem comes from duplicate entries in : > cn=permissions,cn=pbac,dc=example,dc=com > > I think FreeIPA upgrade fails to create ACL

Re: [Freeipa-users] Different cache on 2 IPA servers

Hi Sumit - On Jan 11, 2017, at 12:51 PM, Sumit Bose sb...@redhat.com wrote: > > I guess this is because the last update on one server was done with data > from LDAP while the other used data from the Global Catalog. In general > missing data in the GC should not remove the data read from

Re: [Freeipa-users] Different cache on 2 IPA servers

On Wed, Jan 11, 2017 at 11:01:22AM +0100, Troels Hansen wrote: > Hi, we have just seen a weird issue, which I need some advice on. > > We have 2 IPA 4.4 servere in a AD trust and a number of Linux clients > connected. > > A little story of what we experienced. > We had a AD user which

[Freeipa-users] Different cache on 2 IPA servers

Hi, we have just seen a weird issue, which I need some advice on. We have 2 IPA 4.4 servere in a AD trust and a number of Linux clients connected. A little story of what we experienced. We had a AD user which sometimes couldn't log in to a server, because his shell was being set to