On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote:
> I don't want to hijack someone else's thread but I'm having what appears
> to be the same problem and have not seen a solution presented yet.
The problem and solution were presented. These two messages basically
embody the problem I had:
[ Sent just to the list. Hopefully Martin is on it. ]
On Thu, 2016-12-22 at 10:06 +0100, Martin Babinsky wrote:
>
> Hi Brian,
Hi Martin,
> DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env variable
> to /etc/dirsrv/ds.keytab.
Ah-ha!
This was the problem. When I upgraded from
Some additional information. I can't seem to use the CLI either.
Perhaps that is expected:
# kinit admin
Password for ad...@example.com:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
Default principal: ad...@example.com
Valid starting       Expires              Service principal
21
On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote:
> Okay, I believe that this is the problem:
>
> On 21.12.2016 15:53, Brian J. Murrell wrote:
> > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107
> > connection from local to /var/run/slapd-EXAMPLE.COM.so
On Wed, 2016-12-21 at 15:04 +0100, Petr Spacek wrote:
>
> I'm really curious what you will find out :-)
It seems to be like this, over and over again:
[21/Dec/2016:09:39:02.124732240 -0500] conn=77025 fd=107 slot=107 connection
from 10.75.22.1 to 10.75.22.247
[21/Dec/2016:09:39:02.125630906 -05
On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote:
>
> You can try to add line
> KRB5_TRACE=/dev/stdout
> to
> /etc/sysconfig/ipa-dnskeysyncd
[27472] 1482320667.240500: Retrieving
ipa-dnskeysyncd/server.example@example.com from
FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype
On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote:
>
> So there are actually no issues with credentials, it needs more
> debugging, in past we have similar case but we haven't found the root
> cause why it doesn't have the right credentials after kinit.
So, to be clear, all I did was kini
On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote:
>
> On 19.12.2016 13:19, Brian J. Murrell wrote:
> > On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
> > > Hello,
> > >
> > > could you recheck with SELinux in permissive mode?
> &
On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote:
>
> Hello,
>
> could you recheck with SELinux in permissive mode?
Yeah, still happens even after doing:
# setenforce 0
Cheers,
b.
On Fri, 2016-12-16 at 22:53 -0500, Brian J. Murrell wrote:
> Hi,
>
> After upgrading to EL 7.3 which included an upgrade of IPA from
> 4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting:
>
> 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...
Hi,
After upgrading to EL 7.3 which included an upgrade of IPA from
4.2.0-15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting:
22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...
22:01:00 ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed:
{'desc': 'Invalid credent
On Mon, 2016-05-30 at 13:43 +0200, Petr Spacek wrote:
>
> Can you query the SOA record from the reverse zone, please?
>
> $ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA
Ahhh. That's the problem. The subnet is 10.8.0.0/24 so the query
should be for 0.8.10.in-addr.arpa.
Sometimes it just takes a
I have a FreeIPA 4.2.0 on CentOS 7.2. I have dynamic DNS updates
working for a forward zone but they are failing (NOTAUTH) for a reverse
zone. Here are configuration of the two zones:
dn: idnsname=example.com.,cn=dns,dc=example,dc=com
Zone name: example.com.
Active zone: TRUE
Authoritati
On Thu, 2015-11-05 at 16:25 -0500, Rob Crittenden wrote:
> What is "flaky" about it?
It will fail and then without doing anything else except waiting a
second or two, a second invocation will succeed.
But I think I know why. It seems to fail on the slave server but pass
on the primary server.
On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote:
> I am trying to re-enroll clients after re-installing their O/S (EL6)
> using:
>
> # ipa-client-install --force-join ...
>
> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
> finding tha
I am trying to re-enroll clients after re-installing their O/S (EL6)
using:
# ipa-client-install --force-join ...
Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am
finding that after doing that for a given host, trying to ssh to it
from another enrolled IPA client I am getti
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
OK. I have refreshed my memory of how Kerberos works.
> The sequence above:
>
> - Sets a random Kerberos key for a principal named aster...@example.com
>   on IPA KDC and stores it to the local keytab file asterisk.keytab
Yes. T
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> You need to explain what are you trying to achieve first.
Sure. It is entirely likely that I am misunderstanding what I should
be doing.
A system service needs to be able to authenticate to the service
imap/linux.example.com as a give
I've put a Kerberos principal into a keytab:
# klist -k asterisk.keytab
Keytab name: FILE:asterisk.keytab
KVNO Principal
--
8 aster...@example.com
using:
# ipa-getkeytab -s server.example.com -p asterisk -k /tmp/aste
On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote:
> BTW, there was related thread on freeipa-users in the past, with some
> links to related information:
>
> https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html
So this writeup seems to ignore the fact that Apache and the
c
On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote:
> Due to the bug in mod_nss that prevents SNI from functioning (i.e.
> limits a port to a single certificate) I need to add SANs
> (SubjectAltName) to the certificate that freeipa created for the
> webserver (Server-Cert) so th
On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote:
> Hello,
Hi,
> It is the right way to do it AFAIK,
Indeed, no. It's a hack around the lack of SNI support in mod_nss.
> however it would only work with FreeIPA 4.0
> or older:
>
> https://fedorahosted.org/freeipa/ticket/3977
That's righ
Due to the bug in mod_nss that prevents SNI from functioning (i.e.
limits a port to a single certificate) I need to add SANs
(SubjectAltName) to the certificate that freeipa created for the
webserver (Server-Cert) so that I can add more virtual hosts to the
same Apache instance (yes, I know this is
Thanks much! That got things back up and running.
Now to go fix the errant configuration management recipe.
Cheers,
b.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
On 13-10-03 11:49 AM, Rob Crittenden wrote:
> Can clues on how it got to this point? Files changed, etc?
Not really. This machine has been sitting mostly dormant in fact since
I was last working on it a week or two ago.
> What does the dbmodules section of /etc/krb5.conf look like?
And ther
I have a FreeIPA server set up on EL 6.4 with the following package
versions:
ipa-admintools-3.0.0-26.el6_4.4.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
krb5-server-1.10.3-10.el6_
26 matches