Re: [Freeipa-users] Replication has stopped and server errors

2017-01-13 Thread sipazzo
far. Thank you. From: sipazzo To: Martin Basti ; Freeipa-users Sent: Friday, January 6, 2017 1:03 PM Subject: Re: [Freeipa-users] Replication has stopped and server errors I have changed the number of db locks to 4. After restart, each server reports a lot of these type errors

Re: [Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
one host on each of the servers. I have waited 30 minutes and the results are: ipa1-dev - deletion replicated to all servers; ipa2-dr - deletion replicated to all servers; ipa1-dr, ipa1-prod, ipa2-dev, ipa2-prod - deletions not replicated From: Martin Basti To: sipazzo ; Freeipa-users Sent: Fr

[Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
I have 6 ipaservers in 3 locations running 4.2.0-15.0.1 on RHEL 7. Ipa1-dev is the CA Renewal and CRL Master server and where most of our updates (host enrollment, password changes) end up taking place. Servers had been running fine. Over the holidays we started having some replication issues and loo

Re: [Freeipa-users] certificates expired - won't renew

2016-08-01 Thread sipazzo
AMPLE.COM     subject: CN=ipa3.example.com,O=EXAMPLE.COM     expires: 2016-07-29 20:38:41 UTC     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment     eku: id-kp-serverAuth,id-kp-clientAuth     pre-save command:     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv

Re: [Freeipa-users] certificates expired - won't renew

2016-07-29 Thread sipazzo
xpires: 2016-08-26 16:41:24 UTC     expires: 2016-06-06 23:36:29 UTC     expires: 2016-06-06 23:36:28 UTC     expires: 2016-06-06 23:36:28 UTC     expires: 2016-06-06 23:37:09 UTC Again thank you, as always. From: Rob Crittenden To: sipazzo ; "freeipa-users@redhat.com" Sent: F

Re: [Freeipa-users] certificates expired - won't renew

2016-07-29 Thread sipazzo
ld, unsupported format. Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. From: sipazzo To: "freeipa-users@redhat.com" Sent: Friday, July 29, 2016 9:06 AM Subject: certificates expired - won't renew

[Freeipa-users] certificates expired - won't renew

2016-07-29 Thread sipazzo
I have seen many threads on this so sorry to bring it up again but I have a freeipa domain, with 4 ipa servers running on redhat 6 version 3.0.0-50. The certificates are expired/expiring and will not renew and it is causing many issues for us. I have tried the many suggestions I have seen in the

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
Sat, Aug 15, 2015 at 1:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-19 Thread sipazzo
njo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden <mailto:rcrit...@redhat.com> wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-17 Thread sipazzo
: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The "allow-all" rule has been di

[Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread sipazzo
Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide in setting up the solaris clients: 3.8. Configuring a Solaris System as a FreeIPA Client

Re: [Freeipa-users] keytab issue with service principal

2015-06-30 Thread sipazzo
Thank you so much, that was it - just a wrong command. Appreciate the help and quick response. From: Simo Sorce To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 12:39 PM Subject: Re: [Freeipa-users] keytab issue with service principal On Tue, 2015-06-30 at 19:34 +

Re: [Freeipa-users] keytab issue with service principal

2015-06-30 Thread sipazzo
@example.com while getting initial credentials Simo just responded that I had the command wrong. I re-ran it as he indicated and received a service ticket. Thank you both so much. From: Alexander Bokovoy To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 12:16 PM Subject

Re: [Freeipa-users] keytab issue with service principal

2015-06-30 Thread sipazzo
oracledb/oracledbsrvr.example@example.com    2 06/30/15 17:12:13 oracledb/oracledbsrvr.example@example.com From: Simo Sorce To: sipazzo Cc: Freeipa-users Sent: Tuesday, June 30, 2015 11:52 AM Subject: Re: [Freeipa-users] keytab issue with service principal On Tue, 2015-06-30

[Freeipa-users] keytab issue with service principal

2015-06-30 Thread sipazzo
I am trying to troubleshoot kerberos authentication for an oracle service (oracledb) and getting the following error when testing the service keytab on the database server (oracledbsrvr): [oracle@oracledbsrvr ~]# kinit -kt /opt/oracle/admin/oracledb.keytab -S oracledb/oracledbsrvr.example.com kin

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-27 Thread sipazzo
. On Wed, 3/25/15, Rob Crittenden wrote: Subject: Re: [Freeipa-users] Fw: Need to replace cert for ipa servers To: "sipazzo" , "freeipa-users@redhat.com" Date: Wednesday, March 25, 2015, 2:43 PM sipazzo wrote: > Ok I finally was able to get a sandbox environm

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-24 Thread sipazzo
  CT,, NWF_GD   u,u,u Showing that the IPA Dogtag cert is now listed whereas it was not previously.  From: sipazzo To: Rob Crittenden ; "freeipa-users@redhat.com" Sent: Friday, March 13, 2015 1:32 PM Subject: Re: [Freeipa-users] Fw: Need

Re: [Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-13 Thread sipazzo
This environment is over 350 servers, many of which are in production so I may have to wait a bit for change management approval to attempt to resolve this issue, particularly if you think it might break something.  I will keep you updated on my progress. Thank you much. From: sipazzo

[Freeipa-users] Fw: Need to replace cert for ipa servers

2015-03-12 Thread sipazzo
? -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden Sent: Wednesday, March 11, 2015 7:20 PM To: sipazzo; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Need to replace cert for ipa servers sipazzo wrote: > Tha

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-11 Thread sipazzo
and Solaris clients so are not using sssd in all cases. I know this is asking a lot but appreciate any help you can give. Thank you. -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden Sent: Wednesday, Marc

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread sipazzo
This is how we use the automounter to automatically create home directories for ipa users under /export/home/ and mount them under /home/ on Solaris 10, as well as copy over the profile files and assign appropriate owner and group: We first created a service account called "auth" in ipa to allow lda

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-11 Thread sipazzo
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal Sent: Wednesday, March 04, 2015 2:57 PM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Need to replace cert for ipa servers On 03/04/2015 04:32 PM, sipazzo wrote: Good afternoon, we h

Re: [Freeipa-users] Need to replace cert for ipa servers

2015-03-10 Thread sipazzo
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers  On 03/04/2015 04:32 PM, sipazzo wrote: Good afternoon, we have a freeipa 3.0.42 installation running on redhead 6.6 with a mix of rhel 5, rhel6 and Solaris clients. It was originally configured with the built in dogtag certificate

[Freeipa-users] Need to replace cert for ipa servers

2015-03-04 Thread sipazzo
Good afternoon, we have a freeipa 3.0.42 installation running on redhead 6.6 with a mix of rhel 5, rhel6 and Solaris clients. It was originally configured with the built in dogtag certificate CA and then one of my co-workers added our GoDaddy certificate to the certificate bundle. My understandi

[Freeipa-users] freeipa managed sudoers on Solaris 10

2015-01-23 Thread sipazzo
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics:   1. Re: Having trouble running FreeIPA with SRV records on       externally managed DNS (Petr Spacek)   2. freeipa managed sudoers on Solaris 10 (sipazzo

[Freeipa-users] freeipa managed sudoers on Solaris 10

2015-01-19 Thread sipazzo
I am having trouble finding relevant documentation on using freeipa to manage sudoers for a Solaris client. Has anyone successfully set this up without adding a bunch of non-standard packages? I am running freeipa 3.0.0-42 and any help is appreciated.

Re: [Freeipa-users] Password policy for admin account not working

2015-01-14 Thread sipazzo
policy for admin account not working To: "sipazzo" , "Freeipa-users@redhat.com" Date: Monday, January 12, 2015, 11:48 AM sipazzo wrote: > > Good morning, I created a "service" password policy that prevents password expiration and gave it a priority of

[Freeipa-users] Password policy for admin account not working

2015-01-12 Thread sipazzo
Good morning, I created a "service" password policy that prevents password expiration and gave it a priority of 0. I then created a "service" user group and applied the policy to the group. I added my admin user to this group so their password would not expire. However, it continues to expire a

Re: [Freeipa-users] sudo utilizing sssd rhel6.6

2014-12-05 Thread sipazzo
is much easier to maintain. Thanks again. _ On Wed, 12/3/14, Lukas Slebodnik wrote: Subject: Re: [Freeipa-users] sudo utilizing sssd rhel6.6 To: "sipazzo" Cc: freeipa-users@redhat.com Date: Wednesday, December 3, 2014, 7:38 AM On (0

[Freeipa-users] sudo utilizing sssd rhel6.6

2014-12-03 Thread sipazzo
Good morning, I have a fairly new ipa domain (server version 3.0.0-42 and clients mixed 3.0.0-37 and 3.0.0-42) set up with a mix of rhel6, rhel5 and solaris. It seemed like my sudo config using sssd in rhel6.5 was working and then we patched to 6.6 and it is broken. I had followed these setup i

Re: [Freeipa-users] Solaris 10 client configuration using profile

2014-10-28 Thread sipazzo
using profile To: "sipazzo" , "Freeipa-users@redhat.com" Date: Tuesday, October 28, 2014, 3:29 PM Rob Crittenden wrote: > sipazzo wrote: >> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indic

Re: [Freeipa-users] Solaris 10 client configuration using profile

2014-10-28 Thread sipazzo
bject: Re: [Freeipa-users] Solaris 10 client configuration using profile To: "sipazzo" , "Freeipa-users@redhat.com" Date: Monday, October 27, 2014, 3:41 PM sipazzo wrote: > /var/ldap exists on both client and server and I was able to sudo to root and generate the *.db

Re: [Freeipa-users] Solaris 10 client configuration using profile

2014-10-27 Thread sipazzo
am unsure of the next step to troubleshoot this issue. On Sat, 10/11/14, Alexander Bokovoy wrote: Subject: Re: [Freeipa-users] Solaris 10 client configuration using profile To: "Rob Crittenden" Cc: "sipazzo" , "Freei

[Freeipa-users] Solaris 10 client configuration using profile

2014-10-10 Thread sipazzo
Hello, I am trying to set up a default profile for my Solaris 10 IPA clients as recommended. I generated a profile on a Solaris with the attributes I needed except I got an "invalid parameter" error when specifying the domainName attribute like this -a domainName=example.com even though this par