Thank you,
so it may work or may not work - we need to try such a configuration first. I
hoped somebody had already done this and might share the experience :)
BTW, I already did some part of this work before - for native IPA users it
works, but of course, without HBAC.
WBR,
Alexander Frolushkin
Cell
Hello.
Is it possible to use IPA with HP-UX servers (ldapux) to authenticate users
from AD via IPA-AD trusts, or such way only work for systems with sssd?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
sure is this a some kind of arch problem, or we have wrong settings
somewhere.
Just to mention, usually these SIDs are indirect membership groups, local, and
do not affect any access rules for this user.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +7
production, and I think in more simple
conditions it could be nice and soft.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Vaclav Adamec
Sent: Friday, August 21, 2015 8
gracefully - it is a zombie now.
What is the most clean way to restore this server, how I can re-install it with
minimal problems for my IPA domain?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
Thank you for reply.
# rpm -q 389-ds-base ipa-server slapi-nis
389-ds-base-1.3.3.1-16.el7_1.x86_64
ipa-server-4.1.0-18.el7_1.3.x86_64
slapi-nis-0.54-3.el7_1.x86_64
Okay, we will try to get it if it happens again
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: freeipa
nd several
crashes
ns-slapd[31026]: segfault at 25 ip 7f7aa499c800 sp 7f7a4b7e14f0 error 4
in libslapd.so.0.0.0[7f7aa4948000+11c000]
also noticed...
Any thoughts, what to do?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +7
I'm sorry for being useless now to explore the problem :(
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Tuesday, June 23, 2015 2:51 PM
To: Alexander Frolushkin (SIB)
Cc: Tamas Papp; 'Christoph Kaminski'; freeipa
, IO was increased significantly.
Two of the servers hang after some time, a lot of dups appear on most IPA servers
in domain.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Monday, June 22, 2015 6:21 PM
To: Tamas Papp
Cc
Hello everyone.
I can confirm this on VMWare, recently we have the similar issue when enabled
dirsrv debug on 4 of our 19 IPA servers :(
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of
Hello, Jakub!
Could you please tell, what about sssd package in RHEL 6, when we can expect
the fixes in official updates? Especially with our sensitive fixes (parentheses
in AD groups names)?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-Original Message-
From: freeipa
Hello!
Thanks, currently I'm trying to re-initialize all our replicas, hope this will
fix most issues.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, June 17, 2015 6:40 PM
To: Alexander Frolushkin (SIB)
Cc:
rocesses was not finished correctly after
some replica remove.
Slapd on replica id 10 last restarted yesterday 15:05 server local time.
The same question: might it help if tomorrow I re-initialize all replicas
from our relatively good-conditioned site?
WBR,
Alexander Frolushkin
Cell +7923
//xxx-rhidm0x.unix.megafon.ru:389/o%3Dipaca) failed.
errors
Also, during collection some of the dirsrv instances hung and were restarted.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, June 17, 2015 5:34 PM
To: Alexander Frolushkin (SI
Unfortunately, number of duplicates grows dramatically on most sites. Some
servers already have over 40 duplicates.
Could you please say, may I use re-initialize on falling replica from the good
one to fix this?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: Ludwig
>conn=237 is from 10.99.75.82 which replica is this ?
msk-rhidm-03.unix.megafon.ru:389: 10
On 06/17/2015 12:13 PM, Alexander Frolushkin wrote:
This is not good news, because replica id 20 has not existed for some days
already. It was recreated and now has id 23
WBR,
Alexander Frolushkin
C
This is not good news, because replica id 20 has not existed for some days
already. It was recreated and now has id 23
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, June 17, 2015 4:10 PM
To: Alexander Frolushkin
/Jun/2015:14:37:05 +0600] conn=237 op=7 EXT oid="2.16.840.1.113730.3.5.12"
name="replication-multimaster-extop"
[17/Jun/2015:14:37:05 +0600] conn=237 op=7 RESULT err=0 tag=120 nentries=0
etime=0
[17/Jun/2015:14:37:07 +0600] conn=237 op=8 EXT oid="2.16.840.1.113730.3.5
nn=293 op=2 BIND dn="" method=sasl version=3
mech=GSSAPI
[17/Jun/2015:15:33:04 +0600] conn=293 op=2 RESULT err=0 tag=97 nentries=0
etime=0
dn="krbprincipalname=ldap/msk-rhidm-03.unix.megafon...@unix.megafon.ru,cn=services,cn=accounts,dc=unix,dc=megafon,dc=ru"
WBR,
Alexander
e not yet found way to fix it
completely.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, June 17, 2015 3:46 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com
Subject: Re: [F
k
objects - freed 2 op stack objects
[17/Jun/2015:10:08:04 +0600] - slapd stopped.
[17/Jun/2015:10:08:06 +0600] SSL Initialization - Configured SSL version range:
min: TLS1.0, max: TLS1.2
[17/Jun/2015:10:08:06 +0600] - SSL alert: Configured NSS Ciphers
WBR,
Alexander Frolushkin
Cell +7923250
on,dc=ru"
It is also possible this entry on affected servers was previously duplicated
and not correctly managed to delete (more recent dup was deleted).
Is there any natural way to fix such issues? Maybe ipa-replica-manage
force-sync, or ipa-replica-manage re-initialize on affected site ser
This is correct, thank you for understanding and for helping!
Replica with id 26 was created today, this is our new server which was included
in domain just a few hours ago. Looks like this dup came right after this new
replica creation.
WBR,
Alexander Frolushkin
Cell +79232508764
Work
, Alexander Frolushkin wrote:
Hello.
Just to remind if somebody still not familiar with our IPA installation :)
We currently have 18 IPA servers in domain, on 8 sites in different regions
across the Russia.
And now, our new problem.
Regularly we are getting nsds5ReplConflict records on some of our
iginal one, only name with +nsuniqueid, and
no such record on all other servers.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Tuesday, June 16, 2015 5:30 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com
S
very
big distances between sites)?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, June 16, 2015 3:52 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeip
stops working on
specific server while doubles still present.
Thanks in advance...
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
Okay, the situation has now become completely clear, thank you!
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Wednesday, June 10, 2015 4:46 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users
This is not good at all... Firstly old sssd, now crypto issues...
Can you also say, will HBAC and SUDO in IPA work for trusted AD users on RHEL 5
servers if we will enable vulnerable tls?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-Original Message-
From: Alexander
,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
Thank you very much, I really missed this detail.
Not good thing, this is not checked anywhere during replica installation...
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, June 09
ocess exited,
code=exited, status=1/FAILURE
Jun 09 15:41:24 nw-rhidm02 systemd[1]: Failed to start Samba SMB Daemon.
Jun 09 15:41:24 nw-rhidm02 systemd[1]: Unit smb.service entered failed state.
Jun 09 15:41:26 nw-rhidm02 systemd[1]: Stopped Samba SMB Daemon.
WBR,
Alexander Frolushkin
Cell +79232508764
Hello!
I need some clarification, because I already killed one of my replicas twice...
After new replica server installation, do I need to run ipa-adtrust-install on
it?
WBR,
Alexander Frolushkin
r there is no way to
check trusts or AD servers connectivity? Because it seems like problem is
site-related, only servers in two regions have problem with AD user groups...
WBR,
Alexander Frolushkin
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, Jun
e way to debug this issue?
WBR,
Alexander Frolushkin
Cell +7923
user password change via ssh login
On Tue, Jun 02, 2015 at 06:21:59AM +0000, Alexander Frolushkin wrote:
>> Hello.
>> Maybe this is a little off topic, sorry if so.
>
>> Faced a strange behavior of server when trying to login a newly created user
>> from AD, which have a p
account configuration
If I further change the password of user manually from Windows, login works as
expected.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
548a81260010
And one server seems to be fixed completely.
WBR,
Alexander Frolushkin
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Thursday, May 28, 2015 5:19 PM
To: Alexander Frolushkin (SIB)
Cc: freeipa-users@redhat.com; 'Janelle'
Subject: Re
ivileges on our IPA servers, so I cannot
completely guarantee nobody run this command ('ipa-replica-manage del
--force --clean'. (with the option --force and --clean))
but after interrogation no one made a confession, including myself.
WBR,
Alexander Frolushkin
Cell +7923
server,
but right after that
unable to decode: {replica 16} 548a81260010 548a81260010
reappeared on three other servers.
Now I'm waiting for a response from support, they requested dirsrv logs from the hung
server and from servers where the error appeared again.
WBR,
Alexander F
For common information - we also have a "ghost" replica id:
unable to decode: {replica 16} 548a81260010 548a81260010
and trying to get it away with help of Red Hat support, but at this point - no
luck...
WBR,
Alexander Frolushkin
-Original Message-
From: fre
Thank you. Do I need to run this on each of my 17 IPA servers in unix domain?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Thursday, May 21, 2015 1:37 PM
To
decode: {replica 16} 548a81260010 548a81260010
Replica ID 16 not found"
WBR,
Alexander Frolu
Just a guess, what is your deployment size?
We have two IPA domains, one has 3 servers (2 hw and 1 vm, no issues with
dirsrv yet), another currently includes 16 vm servers, and dirsrv hangs and
crashes periodically…
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: David
Hello.
We have periodically hanging and crashing dirsrv in our ipa servers.
All of them running in VM on Vmware.
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Christoph Kaminski
Sent
,
Alexander Frolushkin
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Арсений Черняков
Sent: Tuesday, April 28, 2015 5:05 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeIPA and AD in multi-homed environment
Thank you
m)<mailto:afrolush...@ad.com),236667642(rhidm-sa-adm...@ad.com),236658193(sib-dwh-sa-adm...@ad.com)>
This is a big problem for us, because on those servers we cannot use HBAC &
sudo, also we don't think primary AD group is an exception and cannot be used in
IPA authorization.
WBR,
Alexa
ost is not new, it was removed from domain to test the privileges...
WBR,
Alexander Frolushkin
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, April 20, 2015 8:41 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; 'David Kupka'
Subject: Re
-boun...@redhat.com] On Behalf Of Alexander Frolushkin
Sent: Monday, April 20, 2015 5:06 PM
To: 'David Kupka'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update
>Hello!
>This thread seems to solve similar issue:
>https://www.redhat.co
>Hello!
>This thread seems to solve similar issue:
>https://www.redhat.com/archives/freeipa-users/2013-January/msg00153.html
Thank You, but...
On 3.3 I used this thread to make it work.
But on 4.1:
User, able to enroll:
memberofindirect: cn=System: Read Replication
Agreements,cn=permissions,cn=p
permissions is required to add new host to domain?
WBR,
Alexander Frolushkin
Cell +79232508764
Work +79232507764
"cn=meTonw-rhidm01.unix.ad.com" (nw-rhidm01:389): CSN 552de186000b0011
not found, we aren't as up to date, or we purged
Maybe it begins to generate this error after one of our masters was
re-initialized.
Is there any way to fix it without complete replicas reinstallation?
n all this servers. For now I cannot
remember any issues related this complex.
-Original Message-
From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us]
Sent: Monday, April 13, 2015 9:19 PM
To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com
Subject: RE: [Freeipa
-Original Message-
From: Nordgren, Bryce L -FS [mailto:bnordg...@fs.fed.us]
Sent: Friday, April 10, 2015 9:27 PM
To: Alexander Frolushkin (SIB); 'Martin Kosek'; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] user account without password
>> Also, if such account
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Thursday, April 09, 2015 11:51 AM
To: Alexander Frolushkin (SIB); 'thierry bordaz'
Cc: 'Ludwig Krispenz'; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 08, 2015 6:36 PM
To: Alexander Frolushkin (SIB)
Cc: 'Ludwig Krispenz'; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/201
>> On one of the accidentally upgraded servers I have the following error in dirsrv logs:
>>
>> [08/Apr/2015:13:24:12 +0300] connection - conn=1095 fd=131 Incoming BER
>> Element was too long, max allowable is 209715200 bytes. Change the
>> nsslapd-maxbersize attribute in cn=config to increase.
>> [08/Apr/2
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Wednesday, April 08, 2015 5:12 PM
To: Alexander Frolushkin (SIB)
Cc: 'Martin Kosek'; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On W
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:47 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz; Jakub Hrozek
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
>> In an
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 08, 2015 4:18 PM
To: Martin Kosek
Cc: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 12:04 PM, Martin
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 08, 2015 4:04 PM
To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
Thierry Bordaz
Subject: Re: [Freeipa-users] Accident upgrade 3.3 to 4.1
On 04/08/2015 11:52 AM, Alexander
his catastrophe, or it is fatal?
As it seems from the client servers, hbac is not working at all, maybe all
other things as well :(
With best rega
bugs with similar error message, but at last on
this RHEL 6.6 server sssd is fully updated.
And sorry for the huge underlined message, it is generated automatically and I
have no rights to avoid it in my mails :(
With best regards,
Alexander Frolushkin,
Senior engineer in system administration