Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 21:36, Brian J. Murrell wrote: > Some additional information. I can't seem to use the CLI either. > Perhaps that is expected: > > # kinit admin > Password for ad...@example.com: > > # klist > Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m > Default principal: ad...@example.

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
Okay, I believe that this is the problem: On 21.12.2016 15:53, Brian J. Murrell wrote: > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 connection > from local to /var/run/slapd-EXAMPLE.COM.socket ... > [21/Dec/2016:09:39:12.064476101 -0500] conn=77028 op=0 BIND dn="" method=sa

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Petr Spacek
On 21.12.2016 13:05, Brian J. Murrell wrote: > On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote: >> >> You can try to add line >> KRB5_TRACE=/dev/stdout >> to >> /etc/sysconfig/ipa-dnskeysyncd > > [27472] 1482320667.240500: Retrieving > ipa-dnske

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Petr Spacek
On 20.12.2016 12:41, Brian J. Murrell wrote: > On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote: >> >> So there are actually no issues with credentials, it needs more >> debugging, in past we have similar case but we haven't found the >> root >> cause why it doesn't have the right credential

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-20 Thread Petr Spacek
On 8.12.2016 10:12, Pieter Nagel wrote: > On Thu, Dec 8, 2016 at 10:59 AM, Alexander Bokovoy > wrote: > >> It is really simple: your DNS domain named as your Kerberos realm must >> be under your control, one way or another, to allow automatic discovery >> of resources to work. >> > > Thanks, thi

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-19 Thread Petr Spacek
On 15.12.2016 23:59, Brian Candler wrote: >> On Sun, Dec 11, 2016 at 11:31 PM, David Kupka > > wrote: >> >> >> yes you can do it. DNS domain and Kerberos realm are two different >> things. It's common and AFAIK recommended to capitalize DNS domain >> to get the

Re: [Freeipa-users] ipa-dnskeysyncd not starting

2016-12-19 Thread Petr Spacek
On 19.12.2016 14:07, Rob Verduijn wrote: > Hello, > > I'm running ipa on centos 7.3 with the latest patches applied. > > It seem to run fine however the ipa-dnskeysyncd keeps failing to start and > I keep seeing this message in my logs: > > ipa-dnskeysyncd[25663]: ipa : INFO LDAP bin

Re: [Freeipa-users] Kerberos realm for different domain

2016-12-11 Thread Petr Spacek
On 10.12.2016 19:20, Alexander Bokovoy wrote: > On la, 10 joulu 2016, William Muriithi wrote: >> Stephen >>> >>> Can you have a domain that belongs to a Kerberos realm with a completely >>> different domain? For example, could example.com belong to the >>> ANOTHERDOMAIN.COM realm as long as we cont

Re: [Freeipa-users] Naming a FreeIPA domain and router differences

2016-12-09 Thread Petr Spacek
On 8.12.2016 22:40, Harry Kashouli wrote: > Ah, I think I totally misread the DNS page, the first time... > https://www.freeipa.org/page/DNS > > > Looks like I should put the router on int.custom.com as a domain, and I can > create the freeipa domain as domain.custom.com It depends on you how yo

Re: [Freeipa-users] Still unclear about relation between IPA DNS domain and company DNS domain.

2016-12-07 Thread Petr Spacek
On 7.12.2016 14:57, Brian Candler wrote: > On 07/12/2016 08:58, freeIPA users list wrote: >> On ke, 07 joulu 2016, List dedicated to discussions about use, configuration >> and deployment of the IPA server. wrote: >>> I know the Quick Start Guide and Deployment Recommendations cover this in >>> dep

Re: [Freeipa-users] Freeipa on ARM (raspberry pi) - OpenJDK vs. Oracle JDK

2016-12-01 Thread Petr Spacek
On 1.12.2016 09:07, Winfried de Heiden wrote: > Hi all, > > Started as "just because it's possible" running FreeIPA on a BananaPI or > Raspberry PI turned out to be rather successful and for more than a year I > use FreeIPA at home. > > OK, running on small boards like Raspberry PI it never

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-25 Thread Petr Spacek
On 25.11.2016 14:48, TomK wrote: > On 11/25/2016 4:00 AM, Petr Spacek wrote: >> On 25.11.2016 05:57, TomK wrote: >>> On 11/24/2016 4:49 AM, Petr Spacek wrote: >>>> On 24.11.2016 06:08, TomK wrote: >>>>> On 11/23/2016 3:28 AM, Martin Basti wrote: >>

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-25 Thread Petr Spacek
On 25.11.2016 05:57, TomK wrote: > On 11/24/2016 4:49 AM, Petr Spacek wrote: >> On 24.11.2016 06:08, TomK wrote: >>> On 11/23/2016 3:28 AM, Martin Basti wrote: >>>> >>>> >>>> On 23.11.2016 03:48, TomK wrote: >>>>> On 11/22/2016 1

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-24 Thread Petr Spacek
probably you have NetworkManager >>>>>> there >>>>>> that is editing /etc/resolv.conf >>>>>> >>>>>> https://ask.fedoraproject.org/en/question/67752/how-do-i-add-a-search-domain-using-networkmanager/ >>>>>> >>

Re: [Freeipa-users] Ping forwarded domain name.

2016-11-22 Thread Petr Spacek
On 22.11.2016 13:57, TomK wrote: > On 11/22/2016 2:59 AM, Martin Basti wrote: >> Hey, >> >> >> On 22.11.2016 06:33, TomK wrote: >>> Hey Guys, >>> >>> I'm forwarding a domain dom.abc.xyz from a Windows Server 2012 over to >>> my dual Free IPA server. The Free IPA servers are authoritative for >>>

Re: [Freeipa-users] keytab kvno differs between ipa servers

2016-11-21 Thread Petr Spacek
On 21.11.2016 13:29, Bjarne Blichfeldt wrote: > IPA: VERSION: 4.4.0, API_VERSION: 2.213 > > This may be for lack of understanding the process, but.. > > When I retrieve a keytab for a principal using ipa-getkeytab, the kvno is > increased on the idm. > In our test environment we have two ipa ser

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 18:26, Stijn De Weirdt wrote: > hi petr, > > this is a different question: what can we do such that a compromised host > can do as little as possible if the admin doesn't (yet) know the host is > compromised. > > the default policy allows way too much. For

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 17:47, Stijn De Weirdt wrote: >>> this is a different question: what can we do such that a compromised host >>> can do as little as possible if the admin doesn't (yet) know the host is >>> compromised. >>> >>> the default policy allows way too much. >> >> For any useful advice we need mo

Re: [Freeipa-users] IPA 4.4 and Trust Agents/Controllers

2016-11-16 Thread Petr Spacek
On 16.11.2016 16:40, Baird, Josh wrote: > Hi, > > I'm currently testing an IPA 4.3 (RHEL 7.2) to IPA 4.4 (RHEL 7.3) upgrade and > had a few questions about the concept of trust agents/controllers. > > Prior to IPA 4.4, were all IPA masters (that 'ipa-adtrust-install' was ran > on) considered '

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 15:33, Stijn De Weirdt wrote: > hi martin, > we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab). in particular, it looks like it is possible to retrieve any user token once >>

Re: [Freeipa-users] Client x.x.xx - RFC 1918 response from Internet in /var/log/messages

2016-11-16 Thread Petr Spacek
On 16.11.2016 12:56, Bjarne Blichfeldt wrote: > Just updated a couple of free-ipa servers to: > ipa-server-dns-4.4.0-12.el7.noarch > redhat-release-server-7.3-7.el7.x86_64 > > Before the update, I resolved the issue with RFC messages by: > /etc/named.conf: > options { >disable-empty-zone "10.i

Re: [Freeipa-users] minimise impact compromised host

2016-11-16 Thread Petr Spacek
On 16.11.2016 14:01, Stijn De Weirdt wrote: > hi all, > > we are looking how to configure whatever relevant policy to minimise the > impact of compromised IPA hosts (ie servers with a valid host keytab). > > in particular, it looks like it is possible to retrieve any user token once > you have acces

Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread Petr Spacek
On 10.11.2016 12:08, lejeczek wrote: > > > On 10/11/16 10:44, Petr Spacek wrote: >> This is non-standard situation so it asks for non-standard commands. >> >> I would try: >> $ ipa privilege-mod 'DNS Servers' >> --addattr=member=krbprincipal

Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread Petr Spacek
On 10.11.2016 11:32, lejeczek wrote: > > > On 10/11/16 06:51, Petr Spacek wrote: >> On 9.11.2016 16:57, lejeczek wrote: >>> >>> On 09/11/16 14:35, Martin Basti wrote: >>>> >>>> On 09.11.2016 15:33, lejeczek wrote: >>>>> >

Re: [Freeipa-users] bind-dyndb-ldap and replication requirements

2016-11-09 Thread Petr Spacek
On 10.11.2016 06:43, David Kupka wrote: > On 10/11/16 01:14, Brendan Kearney wrote: >> I am asking this for a friend who is trying to figure out how to get >> bind-dyndb-ldap working against openldap on ubuntu. She does not have >> replication between two or more ldap instances, and needs to figur

Re: [Freeipa-users] SRV (mixed?) records

2016-11-09 Thread Petr Spacek
On 9.11.2016 16:57, lejeczek wrote: > > > On 09/11/16 14:35, Martin Basti wrote: >> >> >> On 09.11.2016 15:33, lejeczek wrote: >>> >>> >>> On 09/11/16 13:48, Martin Basti wrote: On 09.11.2016 14:11, lejeczek wrote: > > > On 09/11/16 12:43, Martin Basti wrote: >> >>>

Re: [Freeipa-users] attrlist_replace - attr_replace : failed

2016-11-08 Thread Petr Spacek
On 8.11.2016 15:19, lejeczek wrote: > hi everyone > > I have three servers which seemingly!? work but all three log: > > attrlist_replace - attr_replace (nsslapd-referral, ldap://swir.xx.xx > > and swir.xx.xx is the server which ipa-replica-prepared and on it I see: > > attrlist_replace - att

Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-08 Thread Petr Spacek
dentials or so. It would help if you described how you bound to LDAP using ldapsearch. Petr^2 Spacek > > Or maybe this is a reflection of some FreeIPA server way of life > configuration, like sssd. > > -rsd > > > On 07/11/2016 05:10, Petr Spacek wrote: >> On 6.11.2016

Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-06 Thread Petr Spacek
On 6.11.2016 06:06, Raul Dias wrote: > Hello, > > It seems that DHCP with LDAP on Fedora 24 (FreeIPA) is broken. > > Can anyone confirm? > > Doing an strace -e trace=network does not show any attempt to connect to the > ldap server. > > OTOH, the same config on a Ubuntu 16.10 works fine. Hello

Re: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.

2016-11-03 Thread Petr Spacek
l, the ordering of the servers does not matter as long as they can resolve records properly. The key problem is > answer. Occasionally, that server will seemingly lose track of the IPA > server, and stop returning results... And that happened while I was trying ... It should just work if you

Re: [Freeipa-users] Is this a bigger Problem DNSSEC ?

2016-10-26 Thread Petr Spacek
On 25.10.2016 15:49, Günther J. Niederwimmer wrote: > Hello, > > FreeIPA 4.3.1 > CentOS 7.2 > > > I found today in /var/log/messages these entries > > Is the DNSSEC now broken ? > > Thanks for an answer > > ct 25 15:41:29 ipa ipa-dnskeysyncd: Traceback (most recent call last): > Oct 25 15:41:2

Re: [Freeipa-users] dns_tkey_negotiategss: failure GSSAPI error [...] Message stream modified.

2016-10-26 Thread Petr Spacek
On 27.10.2016 04:43, Tyrell Jentink wrote: >> 2016-10-26T23:30:40Z DEBUG Writing nsupdate commands to >> > /etc/ipa/.dns_update.txt: >> > 2016-10-26T23:30:40Z DEBUG debug >> > >> > update delete trainmaster.ipa.rxrhouse.net. IN A >> > show >> > send >> > >> > update delete trainmaster.ipa.rxrhouse.

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Petr Spacek
On 19.10.2016 10:14, Ludwig Krispenz wrote: > > On 10/19/2016 09:39 AM, Prashant Bapat wrote: >> Some more info. >> >> This is happening on one of the hosts for which replica-info file was >> generated but for some reason the replica installation failed. So I went >> ahead and deleted and created

Re: [Freeipa-users] DNS question on named.ca

2016-10-19 Thread Petr Spacek
On 19.10.2016 00:55, Sean Hogan wrote: > > Hi all, > >I have a DNS question on how/why my IPA DNS servers are trying to hit > the root DNS internet servers. My IPA servers are in private networks only > serving DNS for the private domains they manage but recently the network > team > indicat

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-13 Thread Petr Spacek
On 13.10.2016 01:42, Brendan Kearney wrote: > On 10/12/2016 02:35 AM, Petr Spacek wrote: >> Hello, >> >> these are debug messages and are harmless. Apparently you have verbose/debug >> messages enabled in named.conf: >> >> arg "verbose_

Re: [Freeipa-users] bind-dyndb-ldap issues

2016-10-11 Thread Petr Spacek
Hello, these are debug messages and are harmless. Apparently you have verbose/debug messages enabled in named.conf: arg "verbose_checks yes"; If you want to get rid of these messages, just remove the line. What version of bind-dyndb-ldap are you using? Sufficiently new versions sho

Re: [Freeipa-users] FreeIPA Server Hosting - Public Cloud vs Private Cloud

2016-10-06 Thread Petr Spacek
On 5.10.2016 11:16, Deepak Dimri wrote: > Hi All, > > I want to understand if there are any best practices wrt FreeIPA Server > deployment in Public vis a vis Private cloud. Let's assume a case that most > IPA Clients are hosted in private clouds at multiple data centers or across > AWS VPCs.

Re: [Freeipa-users] DNS ceases on both Master & Replica after several days

2016-10-05 Thread Petr Spacek
On 5.10.2016 08:59, Martin Basti wrote: > > > On 05.10.2016 03:10, Richard Harmonson wrote: >> >> On 10/04/2016 06:25 AM, Richard Harmonson wrote: >> > After successful installation and use of DNS with forwarding >> first on a >> > Master and Replica, several days pass then it sto

Re: [Freeipa-users] IPA Server is not coming back up

2016-09-20 Thread Petr Spacek
Hi, The important line is around > named-pkcs11[3511]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information Unfortunately the log is truncated so it does not show the actual error. Please see https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart I hope

Re: [Freeipa-users] bind crashes on rndc reload

2016-09-19 Thread Petr Spacek
On 20.9.2016 00:33, Anthony Joseph Messina wrote: > On Monday, September 19, 2016 2:16:55 PM CDT Petr Spacek wrote: >> On 12.9.2016 11:55, Anthony Joseph Messina wrote: >>> On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote: >>>> Hi, >>>&g

Re: [Freeipa-users] bind crashes on rndc reload

2016-09-19 Thread Petr Spacek
On 12.9.2016 11:55, Anthony Joseph Messina wrote: > On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote: >> Hi, >> >> I have a major issue with my setup: >> Fedora 24 >> freeipa-common-4.3.2-2.fc24.noarch >> freeipa-admintools-4.3.2-2.fc24.noarch >> freeipa-server-dns-4.3.2-2.fc24.noa

Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Petr Spacek
On 31.8.2016 00:23, Timo Aaltonen wrote: > On 29.08.2016 10:34, Timo Aaltonen wrote: >> On 21.04.2016 22:01, Timo Aaltonen wrote: >>> >>> ps. Debian unstable will have 4.3.1 once the package has gone through >>> the NEW queue because the packaging got split in certain ways >> >> No it did not, beca

Re: [Freeipa-users] Slow logins with multi site replication

2016-08-25 Thread Petr Spacek
however I would prefer to avoid >> the manual step of configuring and updating this (planning to expand out to >> a few hundred servers over 4-5 sites). Manually setting these is likely to >> lead to mistakes and it just feels inelegant compared to DNS SRV records. >>

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-24 Thread Petr Spacek
the tests described in the link Petr provided. Thank >> you for this. Every one of these commands is OK on both masters. >> >> I'm checking the access logs from dirsrv now. >> >> Any other tracks to follow ? Increase the log level on the replica failing >> to syn

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-24 Thread Petr Spacek
replica failing > to sync ? > > Best regards. > > Bahan > > On Wed, Aug 24, 2016 at 8:41 AM, Petr Spacek wrote: > >> On 23.8.2016 22:44, bahan w wrote: >>> Hello ! >>> >>> I am using IPA 3.0.0 on RedHat 6.6 servers. >>> >>&g

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-24 Thread Petr Spacek
>> >> >> >> On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < >> rakesh.rajasekha...@gmail.com> wrote: >> >>> My disk was getting filled too fast >>> >>> logs under /var/log/dirsrv was coming around 5 gb quickly filling up >

Re: [Freeipa-users] Two masters and one of them is desynchronized

2016-08-23 Thread Petr Spacek
On 23.8.2016 22:44, bahan w wrote: > Hello ! > > I am using IPA 3.0.0 on RedHat 6.6 servers. > > I have two masters and this evening, I realized that one of them was > desynchronized, some users and groups were missing. > > I was wondering if there was an ipa command to resynchronize replica whi

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Petr Spacek
32) > [23/Aug/2016:12:49:50 +] - Retry count exceeded in delete > [23/Aug/2016:12:49:50 +] DSRetroclPlugin - delete_changerecord: could > not delete change record 3292734 (rc: 51) > > > Can I do something about this error.. I tried to restart ipa a couple of > times but that did not

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
sends a NOTIFY message to the slave. Log on slave should tell you if it is receiving something or not. -- Petr^2 Spacek > > 2016-08-23 12:47 GMT+02:00 Petr Spacek : >> On 23.8.2016 12:43, Matt . wrote: >>> OK, but what kind of records are you talking about then ? >&g

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
16-08-23 12:25 GMT+02:00 Petr Spacek : >> On 23.8.2016 09:07, Martin Basti wrote: >>> >>> >>> On 23.08.2016 02:08, Matt . wrote: >>>> Hi Guys, >>>> >>>> What is the way to notify or update a Bind slave which is not an IPA >&g

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
On 23.8.2016 09:07, Martin Basti wrote: > > > On 23.08.2016 02:08, Matt . wrote: >> Hi Guys, >> >> What is the way to notify or update a Bind slave which is not an IPA server ? >> >> Do I need to manually add an also-notify to the /etc/bind.conf on the >> IPA master or is there a different way ho

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-22 Thread Petr Spacek
>> the SYNC_RECV are not many though just around 80-90 and today that was >> around 20 only >> >> >> I have for now increased tcp_max_syn_backlog to 5000. >> For now the slowness seems to have gone.. but I will do a try adding the >> clients again tomorrow a

Re: [Freeipa-users] Very slow enrolment process

2016-08-21 Thread Petr Spacek
On 22.8.2016 03:42, William Muriithi wrote: > Hello, > > I have systems that were previously using openLDAP and plan to migrate > them to freeIPA. I have a problem I have been struggling with since > Thursday. The client takes 10 to 15 minutes to finish the enrolment > process. > > I can't find

Re: [Freeipa-users] dns/ldap failing after temporary storage problem

2016-08-19 Thread Petr Spacek
t; On 19 August 2016 at 15:59, Petr Spacek wrote: > >> On 19.8.2016 15:26, Tiemen Ruiten wrote: >>> Managed to fix it: had to stop dirsrv@IPA-RDMEDIA-COM and put the >> server's >>> hostname on the line with nsslapd-localhost >> >> Uh, this is q

Re: [Freeipa-users] dns/ldap failing after temporary storage problem

2016-08-19 Thread Petr Spacek
On 19.8.2016 15:26, Tiemen Ruiten wrote: > Managed to fix it: had to stop dirsrv@IPA-RDMEDIA-COM and put the server's > hostname on the line with nsslapd-localhost Uh, this is quite brutal. There might be some other server-specific options. If you can dig up older dse.ldif from the same server, I

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-19 Thread Petr Spacek
On 18.8.2016 17:23, Rakesh Rajasekharan wrote: > Hi > > I am migrating to freeipa from openldap and have around 4000 clients > > I had opened another thread on that, but chose to start a new one here > as it's a separate issue > > I was able to change the nssslapd-maxdescriptors adding an ldif

Re: [Freeipa-users] FreeIPA and slave MIT slave KDCs

2016-08-18 Thread Petr Spacek
anges again.) If you want to try the pure KDC slave, please let us know how it worked. I'm curious :-) Petr^2 Spacek > Best regards > > On Fri, Jul 22, 2016 at 10:14 AM, Petr Spacek wrote: > >> On 21.7.2016 22:05, Diogenes S. Jesus wrote: >>> Hi everyone. >&g

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-18 Thread Petr Spacek
On 17.8.2016 19:58, Guido Schmitz wrote: > After some debugging, I found the error: > > cut = > ipa : DEBUGstderr= > ipa.ipapython.dnssec.bindmgr.BINDMgr: INFO attrs: {'idnsseckeyref': > ['pkcs11:object=a1'], 'dn': > 'cn=KSK-2014073634Z-a1,cn=keys,idnsname=myzo

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-17 Thread Petr Spacek
On 17.8.2016 14:38, Guido Schmitz wrote: >>> Still, there is one problem: >>> My old KSK uses algorithm 7 (RSASHA1NSEC3SHA1) and IPA (by default) uses >>> algorithm 8 (RSASHA256). The old key is correctly marked as algorithm 7 >>> in LDAP (under attribute idnsSecAlgorithm in the entry >>> cn=KSK-ti

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-08-17 Thread Petr Spacek
your inputs, I'll keep an eye on those bug reports. >> >> Roberto >> >> On 22 July 2016 at 09:51, Petr Spacek > <mailto:pspa...@redhat.com>> wrote: >> >> On 22.7.2016 04:43, Ben Lipton wrote: >> > I'm not

[Freeipa-users] Announcing bind-dyndb-ldap version 10.1

2016-08-17 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 10.1. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 24+: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea30aafae1 Latest news: 10.1 [1] Prevent

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-17 Thread Petr Spacek
On 17.8.2016 12:34, Guido Schmitz wrote: >> >> Now it is getting interesting :-) >> >> First of all, what version of FreeIPA packages and on what distro are you >> using? There are significant differences between package versions. > > I am running Fedora 23 (inside an LXC on a Proxmox host) with F

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-16 Thread Petr Spacek
On 16.8.2016 14:48, Guido Schmitz wrote: >> >> Any tool which can do key import from file into PKCS#11 token should work, in >> theory. > > I've tried pkcs11-tool from the OpenSC project and p11tool from GnuTLS. > p11tool seems to be able to take some (undocumented?) flags from the > command line

Re: [Freeipa-users] Limited "self" registration to IPA and an IPA group

2016-08-16 Thread Petr Spacek
On 16.8.2016 00:34, Steven Jones wrote: > Hi, > > > I have a request to do limited automatic/self provisioning of users > provisioning to a specific server. The idea is a lecturer would setup students > into IPA and select a specific user group from a limited drop down menu. > > > Is this poss

Re: [Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

2016-08-16 Thread Petr Spacek
On 15.8.2016 20:18, Linov Suresh wrote: > We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0 > > > We can only add the clients from IPA Server 01, not from IPA Server 02. > When I tried to add the client from IPA Server 02, getting the error, > > > ipa: ERROR: Insufficient access: SASL

Re: [Freeipa-users] Original java script I have been TRYING to modify to use the flatness that is IPA.

2016-08-16 Thread Petr Spacek
On 15.8.2016 19:45, Michael Sean Conley wrote: > > Hey gang, so this is the original file I was using to get us hooked in via > LDAPS for the webpage. > Note - it has OU's instead of CN's, > > Anyway, I'm still at a loss. > > What do you folks think? > > > > className="org.apache.karaf

Re: [Freeipa-users] Troubleshooting Forest-Trust to AD

2016-08-15 Thread Petr Spacek
On 12.8.2016 02:18, Paul Smith wrote: > I'm having issues establishing Trust with an existing Active Directory > domain (Windows Server 2012 R2). I can get IPA up and running and have > spent the day troubleshooting DNS\Kerberos > > I think the main issue is something remaining in kerberos but I'm

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-15 Thread Petr Spacek
On 15.8.2016 12:14, Guido Schmitz wrote: > On 12.08.2016 13:58, Petr Spacek wrote: >> On 12.8.2016 13:26, Guido Schmitz wrote: >>> Hi! >>> >>> I want to migrate my existing DNS setup to FreeIPA. As this existing >>> setup already uses DNSSEC,

Re: [Freeipa-users] freeipa server capacity planning

2016-08-15 Thread Petr Spacek
On 13.8.2016 13:00, Rakesh Rajasekharan wrote: > Hi, > > I have a successfully running freeipa setup across my envs.. and now planning > to move it to one of the prod envs where we have around 4000 clients. The most important characteristic to consider is: what do the clients do? Do they cache intel

Re: [Freeipa-users] Does FreeIPA require ICMP to be allowed? Can it cause login speed issues?

2016-08-15 Thread Petr Spacek
On 12.8.2016 22:03, Jake wrote: > Hey Guys, > Can anyone tell me if there are issues caused by blocking ICMP requests > between ipa clients, ipa servers and ad servers? For IPv4: In theory, if your network is in ideal state and no service ever goes down (unrealistic), it should work. In practi

Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-15 Thread Petr Spacek
On 15.8.2016 03:29, David Kowis wrote: > On 08/14/2016 07:57 PM, David Kowis wrote: >> On 08/14/2016 02:31 PM, David Kowis wrote: >>> Perhaps someone else has had this error before, or maybe just knows what >>> I need to do? >> >> Digging through the mailing list, I only find this guy: >> https://w

Re: [Freeipa-users] ldaps Java script issues with RH IdM - odd that I cannot make it connect...

2016-08-12 Thread Petr Spacek
On 12.8.2016 19:13, Michael Sean Conley wrote: > role.filter= > (member=uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com) I suspect that this filter is incorrect. Likely, it should be only "(uid=%u,cn=users,cn=accounts,dc=aba,dc=house,dc=com)". I hope it helps. -- Petr^2 Space

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-12 Thread Petr Spacek
On 12.8.2016 13:58, Petr Spacek wrote: > On 12.8.2016 13:26, Guido Schmitz wrote: >> Hi! >> >> I want to migrate my existing DNS setup to FreeIPA. As this existing >> setup already uses DNSSEC, I want to import my current DNSSEC keys into >> FreeIPA to have a sm

Re: [Freeipa-users] DNS migration to FreeIPA and import of existing DNSSEC keys

2016-08-12 Thread Petr Spacek
On 12.8.2016 13:26, Guido Schmitz wrote: > Hi! > > I want to migrate my existing DNS setup to FreeIPA. As this existing > setup already uses DNSSEC, I want to import my current DNSSEC keys into > FreeIPA to have a smooth transition over to IPA's DNS. (The authoritative > DNS servers for the zones ar

Re: [Freeipa-users] Why is user status different on each master replica?

2016-08-11 Thread Petr Spacek
On 10.8.2016 17:19, Martin Basti wrote: > > > On 09.08.2016 23:04, Larry Rosen wrote: >> >> This user was locked out due to Max Failure policy = 5 >> >> If they’re supposed to be replicas, why the different status? >> >> [root@il10 ~]# ipa user-status lramey >> >> --- >> >> A

Re: [Freeipa-users] FreeIPA Session Management (WebUI, Kerberos, ...?)

2016-08-10 Thread Petr Spacek
On 9.8.2016 21:37, Joe Thielen wrote: > First off, let me say THANK YOU to all of you who've helped make FreeIPA > what it is. I think it's a fantastic project and it's amazing what it has > achieved. > > Second off, I'm still quite new to FreeIPA, especially the internals. This > includes Kerbe

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-04 Thread Petr Spacek
On 3.8.2016 22:22, Alston, David wrote: > Greetings! > >>> 2. Active Directory must never know anything about a DNS domain >>> freeipa.company.com (I'm not sure why) >> Correct because if that happened then AD considers the whole subdomain as >> part of its realm and trust routing will not work.

Re: [Freeipa-users] How to delete a managed group

2016-08-02 Thread Petr Spacek
On 3.8.2016 00:58, Bob Hinton wrote: > Hi, > > Something went wrong when trying to restore some preserved users so I > deleted them and then tried to recreate them. This failed with - > > ipa: ERROR: Unable to create private group. A group 'X' already exists. > > Trying to delete this group

Re: [Freeipa-users] Notification System

2016-08-02 Thread Petr Spacek
On 2.8.2016 16:13, Sébastien Julliot wrote: > Hi everyone, > > Currently migrating to FreeIPA, I find myself writing several scripts to > notify users (on account creation, on birthdays, one week before account > deletion, ...). > > A global notification system would be very handy and I see here

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-08-01 Thread Petr Spacek
On 1.8.2016 09:08, Jakub Hrozek wrote: > On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote: >> Thanks Jakub for the detailed analysis... with those inputs , I was able to >> nail down the issue. >> >> I had migrated this host from openldap to freeipa.. However, nslcd daemon >> was

Re: [Freeipa-users] ipa-client install failures, Could not resolve host: ipa-master-in.xyz.com; Unknown error

2016-07-28 Thread Petr Spacek
On 27.7.2016 19:29, Rakesh Rajasekharan wrote: > Hi, > > I am running ipa server 4.2 and set it up without using "--setup-dns=no". > > On few clients the installation fails with the below error message. > > > I verified that the ipa master dns is resolvable. Not sure what could be > wrong here.

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-25 Thread Petr Spacek
On 25.7.2016 15:30, Simo Sorce wrote: > On Mon, 2016-07-25 at 08:24 -0500, Alston, David wrote: >> Greetings! >> >> Yes, I had been hoping there would be a way to incorporate domain >> trusts between Active Directory and FreeIPA while the clients relying >> on these for identity management sha

Re: [Freeipa-users] Freeipa and FQDN requirement

2016-07-25 Thread Petr Spacek
On 25.7.2016 14:49, Ilan Green wrote: > Hello, > Customer wants to switch between the IPA server FQDN and short name in > /etc/hosts (having the short name first) post IPA install? > > Can anyone please confirm that the suggestions & reservations listed by Simo > Sorce in the following thread

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-25 Thread Petr Spacek
On 25.7.2016 14:00, Sébastien Julliot wrote: > Looks like I spoke too fast. Using ldappasswd, no problems with ldap > queries. > > But kinit rejects my password .. AFAIK this works only for LDAP ADD operation. Rob, do you remember? Petr^2 Spacek > Le 25/07/2016 à 11:58, Sébastien Julliot a écri

Re: [Freeipa-users] Question DNS: DNS views & FreeIPA

2016-07-24 Thread Petr Spacek
On 22.7.2016 18:50, Günther J. Niederwimmer wrote: > Hello List, > > what is the best way to include a local DNS Server? Could you be more specific? What exactly are you trying to achieve? > Can I configure on an IPA DNS Server (external) views for an internal DNS > without > problems ? > > Is t

Re: [Freeipa-users] FreeIPA and slave MIT slave KDCs

2016-07-22 Thread Petr Spacek
On 21.7.2016 22:05, Diogenes S. Jesus wrote: > Hi everyone. > > I'm currently planning on deploying FreeIPA as the Master KDC (among other > things to leverage from the API and some other built-in features - like > replicas). > However I find (correct if I'm wrong) FreeIPA not very modular - there

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Petr Spacek
On 22.7.2016 04:43, Ben Lipton wrote: > I'm not familiar enough with Fedora release engineering to know how this gets > fixed permanently, but I'll share some investigation I've done. > > This appears to be due to a change in the selinux-policy-targeted package that > happened recently. As of the

Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-19 Thread Petr Spacek
On 18.7.2016 23:06, Brendan Kearney wrote: > On 07/18/2016 06:12 AM, Petr Spacek wrote: >> On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote: >>> Would a DNS view (bind) work? >>> >>> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm >>>

Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-18 Thread Petr Spacek
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote: > Would a DNS view (bind) work? > > http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm > > Also, depending on what you are using for NAT, some devices will mangle the > reply payload of A record lookups as they traverse NAT to avoid h

Re: [Freeipa-users] Can I migrate group password hashes from NIS?

2016-07-12 Thread Petr Spacek
On 12.7.2016 17:13, Joanna Delaporte wrote: > Hi Rob, > > I'm sorry, I don't know how to list available pre-defined attributes, and I > wasn't able to find it just now looking through the help menu. Is the > attribute key grpassword, grouppassword, or something else? The attribute called 'userpas

Re: [Freeipa-users] DNS service named in one of our IPA server cannot start

2016-07-12 Thread Petr Spacek
On 9.7.2016 02:47, lm gnid wrote: > Hello, > > In one of our IPA servers, the named service suddenly cannot start, so I followed > the link below: > https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart > > Found some errors like below: > > ==> messages <== > > Jul 8 23:30:30 eup

Re: [Freeipa-users] steps to debug SOA serial being out of sync?

2016-07-11 Thread Petr Spacek
. That is it. Petr^2 Spacek > Anthony > > On Mon, Jul 11, 2016 at 3:33 AM, Petr Spacek wrote: > >> On 8.7.2016 19:13, Anthony Clark wrote: >>> Hello All, >>> >>> I have two FreeIPA servers set up as follows: >>> >>> ns01: ipa-server-

Re: [Freeipa-users] steps to debug SOA serial being out of sync?

2016-07-11 Thread Petr Spacek
On 8.7.2016 19:13, Anthony Clark wrote: > Hello All, > > I have two FreeIPA servers set up as follows: > > ns01: ipa-server-install --realm=DEV.REDACTED.NET --mkhomedir --setup-dns > --ssh-trust-dns --forwarder=1.2.3.4 > > ns02: ipa-replica-install > /var/lib/ipa/replica-info-ns02.dev.redacted

Re: [Freeipa-users] Error with DNS forwarding on replica.

2016-07-07 Thread Petr Spacek
n please get back to us and we will investigate. Petr^2 Spacek > > Thanks > Nuno > >> On 15 Jun 2016, at 07:45, Petr Spacek wrote: >> >> On 14.6.2016 17:29, Nuno Higgs wrote: >>> Hello, >>> >>> I am running CentOS7: >>> >>

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 7.7.2016 11:32, Günther J. Niederwimmer wrote: > Hello Petr, > > Am Donnerstag, 7. Juli 2016, 09:14:35 CEST schrieb Petr Spacek: >> On 23.6.2016 15:27, Günther J. Niederwimmer wrote: >>> Hello Martin, >>> >>> Am Donnerstag, 23. Juni 2016, 15:02:18 CES

Re: [Freeipa-users] Sync & BaseDN change

2016-07-07 Thread Petr Spacek
On 7.7.2016 01:44, Brad Cesarone wrote: > I have two questions > 1) Is it possible to sync/replicate with another ldap server? i.e. Oracle > Identity Manager IPA provides a one-time import script called ipa-migrate-ds, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/

Re: [Freeipa-users] ipa-ods-exporter failed ?

2016-07-07 Thread Petr Spacek
On 23.6.2016 15:27, Günther J. Niederwimmer wrote: > Hello Martin, > > Am Donnerstag, 23. Juni 2016, 15:02:18 CEST schrieb Martin Basti: >> On 20.06.2016 18:48, Günther J. Niederwimmer wrote: >>> Hello, >>> >>> Am Montag, 20. Juni 2016, 09:54:11 CEST sc

Re: [Freeipa-users] dns zone forward - no valid signature found

2016-07-07 Thread Petr Spacek
On 6.7.2016 16:37, lejeczek wrote: > hi everybody > > I think this was working some time ago, but for while queries IPA's DNS > forwards wound up like this: > > validating @0x7f85dc00f9a0: swir.my.dom A: no valid signature found > validating @0x7f85dc00f9a0: swir.my.dom A: bad cache hit (swir.my.

Re: [Freeipa-users] +dnssec in vendor repos - when?

2016-07-07 Thread Petr Spacek
On 6.7.2016 10:35, lejeczek wrote: > seems like official repos, centos at least lags a bit behind, currently it's > 4.2.0 - question - does this support fully secure dns ? Version 4.2.0 is not the best for DNSSEC deployment. IPA 4.3.1 contains important fixes related to DNSSEC. Please note that

Re: [Freeipa-users] Kerberos FreeIPA Question

2016-07-04 Thread Petr Spacek
On 3.7.2016 14:19, Günther J. Niederwimmer wrote: > Hello, > > Is it possible to create a kerberos Ticket for a secondary domain ? > > CentOS 7.2 IPA 4.3.1 > My installation, > I have an IPAServer for > > Domain > test.com > > LDAP & Kerberos > TEST.COM > > now I would like to include another Domain >
