Re: [Freeipa-users] hp-ux and IPA

Thank you, so it may work or may not work - we need to try such configuration first. I hoped somebody already do this and may share the experience :) BTW, I already do some part of this work before - for native IPA users it works, but of cause, without HBAC. WBR, Alexander Frolushkin Cell

[Freeipa-users] hp-ux and IPA

Hello. Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users from AD via IPA-AD trusts, or such way only work for systems with sssd? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764

[Freeipa-users] IPA - AD performance issue

sure is this a some kind of arch problem, or we have wrong settings somewhere. Just to mention, usually, this sid's is a indirect membership groups, local and does not affecting's any access rules for this user. WBR, Alexander Frolushkin Cell +79232508764 Work +7

Re: [Freeipa-users] FreeIPA state - performace, commercial usage

production, and I think in more simple conditions is could be nice and soft. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Vaclav Adamec Sent: Friday, August 21, 2015 8

[Freeipa-users] Problem with replica, again...

gracefully - it is a zombie now. What is the most clean way to restore this server, how I can re-install it with minimal problems for my IPA domain? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764

Re: [Freeipa-users] Unfamiliar message and crashes

Thank you for reply. # rpm -q 389-ds-base ipa-server slapi-nis 389-ds-base-1.3.3.1-16.el7_1.x86_64 ipa-server-4.1.0-18.el7_1.3.x86_64 slapi-nis-0.54-3.el7_1.x86_64 Okay, we will try to get it if it will happens again WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa

[Freeipa-users] Unfamiliar message and crashes

nd several crashes ns-slapd[31026]: segfault at 25 ip 7f7aa499c800 sp 7f7a4b7e14f0 error 4 in libslapd.so.0.0.0[7f7aa4948000+11c000] also noticed... Any thoughts, what to do? WBR, Alexander Frolushkin Cell +79232508764 Work +7

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

I'm sorry for being useless now to explore the problem :( WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Tuesday, June 23, 2015 2:51 PM To: Alexander Frolushkin (SIB) Cc: Tamas Papp; 'Christoph Kaminski'; freeipa

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

, IO was increased significally. Two of servers hangs after some time, a lot of dups appears on most IPA servers in domain. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Monday, June 22, 2015 6:21 PM To: Tamas Papp Cc

Re: [Freeipa-users] Antwort: Re: Antwort: clean-run doesn't work

Hello everyone. I can confirm this on VMWare, recently we have the similar issue when enabled dirsrv debug on 4 of our 19 IPA servers :( WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of

Re: [Freeipa-users] question on Active Directory and FreeIPA

Hello, Jakub! Could you please tell, what about sssd package in RHEL 6, when we can expect the fixes in official updates? Especially with our sensitive fixes (parentheses in AD groups names)? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: freeipa

Re: [Freeipa-users] replication conflicts

Hello! Thanks, currently I'm trying to re-initialize all our replicas, hope this will fix most issues. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, June 17, 2015 6:40 PM To: Alexander Frolushkin (SIB) Cc: &#

Re: [Freeipa-users] replication conflicts

rocesses was not finished correctly after some replica remove. Slapd on replica id 10 last restarted yesterday 15:05 server local time. The same question, may it help if I tomorrow will do re-initialize all replicas from our relatively good-conditioned site? WBR, Alexander Frolushkin Cell +7923

Re: [Freeipa-users] replication conflicts

//xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed. errors Also during collection some of dirsrv instances hangs and was restarted. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, June 17, 2015 5:34 PM To: Alexander Frolushkin (SI

Re: [Freeipa-users] replication conflicts

Unfortunately, number of duplicates grows dramatically on most sites. Some servers already have over 40 duplicates. Could you please say, may I use re-initialize on falling replica from the good one to fix this? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig

Re: [Freeipa-users] replication conflicts

>conn=237 is from 10.99.75.82 which replica is this ? msk-rhidm-03.unix.megafon.ru:389: 10 On 06/17/2015 12:13 PM, Alexander Frolushkin wrote: This is not a good news, because replica id 20 is not exist for a some days already. It was recreated and now have id 23 WBR, Alexander Frolushkin C

Re: [Freeipa-users] replication conflicts

This is not a good news, because replica id 20 is not exist for a some days already. It was recreated and now have id 23 WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, June 17, 2015 4:10 PM To: Alexander Frolushkin

Re: [Freeipa-users] replication conflicts

/Jun/2015:14:37:05 +0600] conn=237 op=7 EXT oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop" [17/Jun/2015:14:37:05 +0600] conn=237 op=7 RESULT err=0 tag=120 nentries=0 etime=0 [17/Jun/2015:14:37:07 +0600] conn=237 op=8 EXT oid="2.16.840.1.113730.3.5

Re: [Freeipa-users] replication conflicts

nn=293 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI [17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon...@unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru" WBR, Alexander

Re: [Freeipa-users] replication conflicts

e not yet found way to fix it completely. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, June 17, 2015 3:46 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com Subject: Re: [F

Re: [Freeipa-users] replication conflicts

k objects - freed 2 op stack objects [17/Jun/2015:10:08:04 +0600] - slapd stopped. [17/Jun/2015:10:08:06 +0600] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2 [17/Jun/2015:10:08:06 +0600] - SSL alert: Configured NSS Ciphers WBR, Alexander Frolushkin Cell +7923250

Re: [Freeipa-users] replication conflicts

on,dc=ru" It is also possible this entry on affected servers was previously duplicated and not correctly managed to delete (more recent dup was deleted). Is there any natural way to fix such issues? Maybe ipa-replica-manage force-sync, or ipa-replica-manage re-initialize on affected site ser

Re: [Freeipa-users] replication conflicts

This is correct, thank you for understanding and for helping! Replica with id 26 was created today, this is our new server which was included in domain just a few hours ago. Looks like this dup came right after this new replica creation. WBR, Alexander Frolushkin Cell +79232508764 Work

Re: [Freeipa-users] replication conflicts

, Alexander Frolushkin wrote: Hello. Just to remind if somebody still not familiar with our IPA installation :) We currently have 18 IPA servers in domain, on 8 sites in different regions across the Russia. And now, our new problem. Regularly we getting a nsds5ReplConflict records on some of our

Re: [Freeipa-users] replication conflicts

iginal one, only name with +nsuniqueid, and no such record on all other servers. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Tuesday, June 16, 2015 5:30 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users@redhat.com S

Re: [Freeipa-users] replication conflicts

very big distances between sites)? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Tuesday, June 16, 2015 3:52 PM To: freeipa-users@redhat.com Subject: Re: [Freeip

[Freeipa-users] replication conflicts

stops working on specific server while doubles still present. Thanks in forward... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764

Re: [Freeipa-users] RHEL 5.11 as IPA client

Okay, the situation now become completely cleared, thank you! WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Wednesday, June 10, 2015 4:46 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users

Re: [Freeipa-users] RHEL 5.11 as IPA client

This is not good at all... Firstly old sssd, now crypto issues... Can you also say, will HBAC and SUDO in IPA work for trusted AD users on RHEL 5 servers if we will enable vulnerable tls? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: Alexander

[Freeipa-users] RHEL 5.11 as IPA client

, Alexander Frolushkin Cell +79232508764 Work +79232507764

Re: [Freeipa-users] IPA and AD trusts

Thank you very much, I really missed this detail. Not good thing, this is not checked anywhere during replica installation... WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Tuesday, June 09

Re: [Freeipa-users] IPA and AD trusts

ocess exited, code=exited, status=1/FAILURE Jun 09 15:41:24 nw-rhidm02 systemd[1]: Failed to start Samba SMB Daemon. Jun 09 15:41:24 nw-rhidm02 systemd[1]: Unit smb.service entered failed state. Jun 09 15:41:26 nw-rhidm02 systemd[1]: Stopped Samba SMB Daemon. WBR, Alexander Frolushkin Cell +79232508764

[Freeipa-users] IPA and AD trusts

Hello! I need some clarification, because I already killed one of my replica twice... After new replica server installation, do I need to run ipa-adtrust-install on it? WBR, Alexander Frolushkin

Re: [Freeipa-users] AD trust problem

r there is no way to check trusts or AD servers connectivity? Because it seems like problem is site-related, only servers in two regions have problem with AD user groups... WBR, Alexander Frolushkin -Original Message- From: Alexander Bokovoy [mailto:aboko...@redhat.com] Sent: Friday, Jun

[Freeipa-users] AD trust problem

e way to debug this issue? WBR, Alexander Frolushkin Cell +7923

Re: [Freeipa-users] AD user password change via ssh login

user password change via ssh login On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote: >> Hello. >> Maybe this is a little off topic, sorry if so. > >> Faced a strange behavior of server when trying to login a newly created user >> from AD, which have a p

[Freeipa-users] AD user password change via ssh login

account configuration If I further change the password of user manually from Windows, login works as expected. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 Информация в этом сообщении предназначена исключительно для конкретных лиц, которым она

Re: [Freeipa-users] Haunted servers?

548a81260010 And one server seems to be fixed completely. WBR, Alexander Frolushkin -Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Thursday, May 28, 2015 5:19 PM To: Alexander Frolushkin (SIB) Cc: freeipa-users@redhat.com; 'Janelle' Subject: Re

Re: [Freeipa-users] Haunted servers?

ivileges on our IPA servers, so I cannot completely guarantee nobody run this command ('ipa-replica-manage del --force --clean'. (with the option --force and --clean)) but after interrogation no one made a confession, including myself. WBR, Alexander Frolushkin Cell +7923

Re: [Freeipa-users] Haunted servers?

server, but right after that unable to decode: {replica 16} 548a81260010 548a81260010 reappeared on three other servers. Now I'm waiting response from support, they requested dirsrv logs form hanged server and from servers where error appeared again. WBR, Alexander F

Re: [Freeipa-users] Haunted servers?

For common information - we also have a "ghost" replica id: unable to decode: {replica 16} 548a81260010 548a81260010 and trying to get it away with help of Red Hat support, but at this point - no luck... WBR, Alexander Frolushkin -Original Message- From: fre

Re: [Freeipa-users] ruv problem

Thank you. Do I need to run this on each of my 17 IPA servers in unix domain? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz Sent: Thursday, May 21, 2015 1:37 PM To

[Freeipa-users] ruv problem

decode: {replica 16} 548a81260010 548a81260010 Replica ID 16 not found" WBR, Alexander Frolu

Re: [Freeipa-users] Known issues with IPA on VM?

Just a guess, what is your deployment size? We have a two ipa domains, one have 3 servers (2 hw and 1 vm, no issues with dirsrv yet), another currently includes 16 vm servers, ant dirsrv hangs and crashes periodically… WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: David

Re: [Freeipa-users] Known issues with IPA on VM?

Hello. We have periodically hanging and crashing dirsrv in our ipa servers. All of them running in VM on Vmware. WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764 From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christoph Kaminski Sent

Re: [Freeipa-users] freeIPA and AD in multi-homed environment

, Alexander Frolushkin From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Арсений Черняков Sent: Tuesday, April 28, 2015 5:05 PM To: Alexander Bokovoy Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] freeIPA and AD in multi-homed environment Thank you

[Freeipa-users] Problems with users from AD trusted domain after update to IPA 4.1

m)<mailto:afrolush...@ad.com),236667642(rhidm-sa-adm...@ad.com),236658193(sib-dwh-sa-adm...@ad.com)> This is a big problem for us, because on that servers we cannot use HBAC & sudo, also we don't think primary AD group is a exception and cannot be used in IPA authorization. WBR, Alexa

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

ost is not new, it was removed from domain to test the privileges... WBR, Alexander Frolushkin -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Monday, April 20, 2015 8:41 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; 'David Kupka' Subject: Re

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

-boun...@redhat.com] On Behalf Of Alexander Frolushkin Sent: Monday, April 20, 2015 5:06 PM To: 'David Kupka'; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update >Hello! >This thread seams to solve similar issue: >https://www.redhat.co

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

>Hello! >This thread seams to solve similar issue: >https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html Thank You, but... On 3.3 I used this thread to make it work. But on 4.1: User, able to enroll: memberofindirect: cn=System: Read Replication Agreements,cn=permissions,cn=p

[Freeipa-users] Found new problem after 3.3 - 4.1 update

permissions is required to add new host to domain? WBR, Alexander Frolushkin Cell +79232508764 Work +79232507764

[Freeipa-users] Errors in dirsrv logs

ot;cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): CSN 552de186000b0011 not found, we aren't as up to date, or we purged Maybe it begins to generate this error after one of our masters was re-initialized. Is there any way to fix it without complete replicas reinstallation?

Re: [Freeipa-users] user account without password

n all this servers. For now I cannot remember any issues related this complex. -Original Message- From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us] Sent: Monday, April 13, 2015 9:19 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com Subject: RE: [Freeipa

Re: [Freeipa-users] user account without password

-Original Message- From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us] Sent: Friday, April 10, 2015 9:27 PM To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com Subject: RE: [Freeipa-users] user account without password >> Also, if such account

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Thursday, April 09, 2015 11:51 AM To: Alexander Frolushkin (SIB); 'thierry bordaz' Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: thierry bordaz [mailto:tbor...@redhat.com] Sent: Wednesday, April 08, 2015 6:36 PM To: Alexander Frolushkin (SIB) Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/201

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

>> On one of accidently upgraded server I have following error in dirsrv logs: >> >> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER >> Element was too long, max allowable is 209715200 bytes. Change the >> nsslapd-maxbersize attribute in cn=config to increase. >> [08/Apr/2

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Wednesday, April 08, 2015 5:12 PM To: Alexander Frolushkin (SIB) Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On W

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:47 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz; Jakub Hrozek Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 >> In an

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: Ludwig Krispenz [mailto:lkris...@redhat.com] Sent: Wednesday, April 08, 2015 4:18 PM To: Martin Kosek Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 12:04 PM, Martin

Re: [Freeipa-users] Accident upgrade 3.3 to 4.1

-Original Message- From: Martin Kosek [mailto:mko...@redhat.com] Sent: Wednesday, April 08, 2015 4:04 PM To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1 On 04/08/2015 11:52 AM, Alexander

[Freeipa-users] Accident upgrade 3.3 to 4.1

his catastrophe, or it is fatal? As it seems from the client servers, hbac is not working at all, maybe all other things as well :( With best rega

[Freeipa-users] AD users and IPA's sudo

bugs with similar error message, but at last on this RHEL 6.6 server sssd is fully updated. And sorry for the huge underlined message, it is generated automatically and I have no rights to avoid it in my mails :( With best regards, Alexander Frolushkin, Senior engineer in system administration