Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I also looked at RUVs and here is what I found. I do not know if anything here is helpful. ldapsearch -ZZ -h ipa11.mgmt.crosschx.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=---))" | grep "nsds50ruv\|nsDS5ReplicaId" nsDS5Rep

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I ran another test. I started IPA with the ignore service failure option and I tried doing ldap searches like this. ldapsearch -H ldaps://ipa12.mgmt.crosschx.com from both my laptop and from ipa11.mgmt and I get successful returns when logging in as the admin user and as the directory manager.

Re: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manage

Re: [Freeipa-users] External cert with correct CSR?

2017-05-03 Thread Fraser Tweedale
On Tue, May 02, 2017 at 11:10:12AM -0500, Kat wrote: > Yeah, after I sent this email, I realized what I was trying to do and that, > "Oh wait, this is not really going to work." > Indeed. This feature is usually used to chain an IPA CA into an organisation's existing PKI, which is controlled by t

[Freeipa-users] ipa server-del

2017-05-03 Thread Ian Harding
Is there any way this can be made to work? This server does not exist in real life or seemingly in FreeIPA, but a ghost of it does. ianh@vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks 1 IPA server matched Server name: freeipa-dal.bpt.rocks Min

[Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

2017-05-03 Thread Michael Plemmons
I have a three-node IPA cluster. ipa11.mgmt - was a master over 6 months ago ipa13.mgmt - current master ipa12.mgmt ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other. It appears that either ipa12.mgmt lost some level of its replication agreemen

[Freeipa-users] Password history based on age, not count?

2017-05-03 Thread Patrick Hemmer
Would it be reasonable to request a feature for FreeIPA to enforce password history reuse based on age, instead of a count? Meaning configure FreeIPA to enforce that a password cannot be reused within the last 1 year? Then we could remove the minimum time between password changes, and not worry abo

[Freeipa-users] CA lost on migration

2017-05-03 Thread Marius Bjørnstad
Hi, I have migrated some FreeIPA servers from 3.0.0-51 to 4.4.0-14 by adding new replicas. There were a lot of issues, and I'm struggling a bit with a configuration management system set up by a central IT department, which overrides files like sssd.conf, and I have to make exceptions to the pol

[Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error

2017-05-03 Thread Chris Dagdigian
Any guidance for this one? Summary - this seems to be the fatal error that causes the CA setup on the replica to fail: May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=conf

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too. So it looks like I have a reproducing case for this and I can investigate further - I suspect it's a behaviour change from th

Re: [Freeipa-users] GSSAPI authentication from trusted AD domain

2017-05-03 Thread Tiemen Ruiten
Tickets on the FreeIPA host after connecting (with a password): [adm.tie...@clients.rdmedia.com@neodymium ~]$ klist Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1 Default principal: adm.tie...@clients.rdmedia.com Valid starting Expires Service principal 05/03/201

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
> do you have "sudo: files sss" or "sudoers: files sss"? The former doesn't do anything, the latter is correct. My mistake, I meant sudoers: files sss But oddly, out of the three 16.04 boxes I set up and enrolled, it was missing on one of them - and this happened to be the one I was checking

Re: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Jakub Hrozek
On Wed, May 03, 2017 at 09:04:05AM +0100, Brian Candler wrote: > Hi, > > I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an > ubuntu 14.04 client it works fine (*). However when I do the same with ubuntu > 16.04, sudo always refuses to run: > > $ sudo -s > [sudo] password fo

Re: [Freeipa-users] LDAP size limit and the FreeIPA web UI

2017-05-03 Thread Petr Vobornik
On 05/02/2017 10:50 PM, Jay Fenlason wrote: One of my users is having trouble because the FreeIPA web interface does not work well with a DNS zone that contains more than 2000 entries. When he goes to Network Services->DNS->DNS Zones and selects the problematic zone, he gets an error popup sayin

[Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"

2017-05-03 Thread Brian Candler
Hi, I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an ubuntu 14.04 client it works fine (*). However when I do the same with ubuntu 16.04, sudo always refuses to run: $ sudo -s [sudo] password for brian.candler: brian.candler is not allowed to run sudo on api-dev.int.ex