t team for all their help in solving this
one. I am back to a 100% functional environment, and when the perm fix
comes, we will all be much happier.
Kat
On 3/27/19 08:17, Alexander Bokovoy wrote:
On ti, 26 maalis 2019, Alexander Bokovoy via FreeIPA-users wrote:
On ti, 26 maalis 2019, Kat v
Hi all,
Another weird question to ponder. In a client, working perfectly, and
DNS is defined in resolv.conf as the IPA master within the LOCATION
(yes, using the location feature of IPA). If I try to upgrade this same
client to a replica using ipa-replica-install it fails with
ipaserver.inst
',)]"].
[2019-03-24T12:06:49 requests.packages.urllib3.connectionpool] :
Starting new HTTPS connection (1): ipap.example.com
[2019-03-24T12:06:49 ipa-custodia-tester] : Failed to retrieve
key 'ca/subsystemCert cert-pki-ca': 406 Client Error: Failed to validate
message: No recipient
Hi all,
So I was searching around, still trying to find an answer, but sadly it
seems to never have been solved. I found a repeat of the exact same
error I have been seeing, and because of it, unable to add any new
replicas --
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.
Does anyone know of a way to apply an ipa-restore if you keep the same
hostname, but because the network changed, the host has a different IP
address? IP is outside of my control. It seems everything works except
named (of course) and pki-tomcat which don't want to start correctly. I
just can't
Well, I did try it, but no luck. Although it runs through, not all the
services are configured.
Opening a ticket with RedHat, we have an account.
On 2/22/19 10:04, Florence Blanc-Renaud wrote:
On 2/22/19 12:14 AM, Kat via FreeIPA-users wrote:
Hi all -
Trying to add a new replica and client
I wonder - is it possible to bring over the /etc/ipa/custodia/server.keys
and conf file before running the ipa-replica-install? Or would that make
it worse?
K
On 2/22/19 10:04, Florence Blanc-Renaud wrote:
On 2/22/19 12:14 AM, Kat via FreeIPA-users wrote:
Hi all -
Trying to add a new
Well, well, I always find fun things. so my previous email from
yesterday about the error with ipa-custodia failing a replica install -
I think I found the culprit. It seems to be related to installing "Let's
Encrypt" certs about a year ago. This is the first time I tried to add a
new replica s
Hi all -
Trying to add a new replica and client install is fine, but replica
install goes all along until it hits:
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to sta
Hi all,
Things have been going along smoothly and no issues with FreeIPA until
recently. Consider the following:
Original Config:
ipa-1 <---> ipa-2 <-|-> ipa-3 <---> ipa-4
Stage | Prod
Yes, this was not a perfect design because exactly what I feared
happened. The c
Hi all -
So this is something I found and wanted to post it to the team - this is
for RHEL and/or CentOS 7.3 thru 5 so far. It has to do with
selinux_provider and having to explicitly disable it in sssd or things
will randomly fail.
On heavily loaded clients, (and a fair load on IPA cluster)
Bokovoy wrote:
On ke, 15 elo 2018, Kat via FreeIPA-users wrote:
Hi all --
RHEL 7.5 as of yesterday and 4.5.4-10.el7_5.3 FreeIPA.
I am randomly seeing: Server not found in Kerberos database
for a host that seems to work just fine and understand that most
of the time you see normal authentication
ed with the connection
used by the krb5kdc.
On 8/15/18 10:05, Alexander Bokovoy wrote:
On ke, 15 elo 2018, Kat via FreeIPA-users wrote:
Hi all --
RHEL 7.5 as of yesterday and 4.5.4-10.el7_5.3 FreeIPA.
I am randomly seeing: Server not found in Kerberos database
for a host that seems to work
5 elo 2018, Kat via FreeIPA-users wrote:
Hi all --
RHEL 7.5 as of yesterday and 4.5.4-10.el7_5.3 FreeIPA.
I am randomly seeing: Server not found in Kerberos database
for a host that seems to work just fine and understand that most of
the time you see normal authentications happening for this
Hi all --
RHEL 7.5 as of yesterday and 4.5.4-10.el7_5.3 FreeIPA.
I am randomly seeing: Server not found in Kerberos database
for a host that seems to work just fine and understand that most of the
time you see normal authentications happening for this same host, so it
is not happening all the
John
That makes no sense - when I add DNS records, I can check the box for
including PTR record and it updates. What is the point of having PTR
Sync if PTR sync never happens? From reading man page on nsupdate, I am
not even sure how that is going to work with IPA? Does not seem to make
much
Hi
If this is set:
Allow PTR sync: TRUE
Then why, when a host is added with ipa host-add, does only the forward
DNS record get set and not the PTR?
Anywhere else to look?
Thanks
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.or
:
On ti, 22 touko 2018, Kat via FreeIPA-users wrote:
Anyone seen this before? Can't find anything in searches.
(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
On a client, running RHEL 7.4, and IPA server is RHEL 7.5
$ipa user-show freddy --all
hi
Where would be a good place to look in either sssd or somewhere in the
system if we are seeing a mixture of UserID lookups in this format:
usern...@domain.example.com <--- this makes sense
BUT - also seeing:
usern...@domain.example.com@domain.eexample.com <--- This does not??
I am very
Hi all - Here is an odd one.
I have a group of userIDs that login via SSH keys (stored in
.ssh/authorized_keys and NOT in IPA) to a system enrolled in IPA of
course. Actually all the systems are enrolled in IPA, so that should be
a given.
Environment - RHEL 7.4 or 7.5 with current IPA on all
?
Just looking for any suggestions before I go the drastic route which
might mean we have to regen a lot of keytabs that I don't want to have
to do.
Thanks
K
On 5/22/18 10:24, Alexander Bokovoy wrote:
On ti, 22 touko 2018, Kat via FreeIPA-users wrote:
Anyone seen this before? Can't fin
Now if only I could figure out how this happened??!
Weirdness indeed. Had to re-install python-gssapi and then reboot the
server.
everything working flawlessly now.
-K
On 5/22/18 10:24, Alexander Bokovoy wrote:
On ti, 22 touko 2018, Kat via FreeIPA-users wrote:
Anyone seen this before
BUT - using your logic - I removed just python-gssapi and re-installed
it and everything works again.
Should have tried that.
Kat
On 5/22/18 10:24, Alexander Bokovoy wrote:
On ti, 22 touko 2018, Kat via FreeIPA-users wrote:
Anyone seen this before? Can't find anything in searches.
(C
cyrus-sasl-gssapi-2.1.26-21.el7.x86_64
still scratching my head
On 5/22/18 10:24, Alexander Bokovoy wrote:
On ti, 22 touko 2018, Kat via FreeIPA-users wrote:
Anyone seen this before? Can't find anything in searches.
(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-
Anyone seen this before? Can't find anything in searches.
(Client - ipa-client-4.5.4-10.el7_5.1.x86_64)
(Server - ipa-server-4.5.4-10.el7_5.1.x86_64)
On a client, running RHEL 7.4, and IPA server is RHEL 7.5
$ipa user-show freddy --all
ipa: ERROR: ImportError: No module named gssapi
Traceback
before doing any of this. :-)
Kat
On 5/21/18 13:33, Mark Reynolds wrote:
On 05/21/2018 02:02 PM, Kat via FreeIPA-users wrote:
Stopping 389-ds was the first step for sure - I would not fall for
that one! :-)
No access to Dir Manager,
I don't know what this means either, but please try
asks for directory Manager Password, and I give the new one and sadly, no
joy in mudville.
BUT - maybe that is part of what I am doing wrong to test it?
Kat
On 5/21/18 12:31, Rob Crittenden wrote:
Kat via FreeIPA-users wrote:
My bad - I thought the link I shared would indicate that is the
/18 10:49, Rob Crittenden wrote:
Kat via FreeIPA-users wrote:
No suggestions at all?
https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password
It would help if you included the version and distro and more details on
how you tried to change the password.
rob
:-(
On 5/16/18 09:08
No suggestions at all?
:-(
On 5/16/18 09:08, Kat wrote:
Hi -
Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:
[root
Hi -
Have a replica I did not install CA on. Want to add it. I had lost the
Directory Manager password, so I followed procedure to change it by
editing dse.ldif and replacing the rootpw, but no matter what I do I
keep getting:
[root@ipa-rep2 ~]# ipa-ca-install
Directory Manager (existing mas
I am trying to add a new replica.
It was added as a client with no issues, and DIG and nslookup show that
the DNS records both forward and reverse are perfect.
All DNS records, again, both directions, for all IPA servers are good
and checked from the client.
And yet, no matter what I do, I c
3, Florence Blanc-Renaud wrote:
On 03/17/2018 05:21 PM, Alexander Bokovoy via FreeIPA-users wrote:
On Sat, 17 Mar 2018, Kat via FreeIPA-users wrote:
But why would it work perfectly with CentOS on VBox, but not Fedora?
No changes - still VirtualBox, just CentOS vs Fedora.
Different software, i
te:
On Sat, 17 Mar 2018, Kat via FreeIPA-users wrote:
But why would it work perfectly with CentOS on VBox, but not Fedora?
No changes - still VirtualBox, just CentOS vs Fedora.
Different software, including different (much older) kernel and glibc.
I'm not really interested in Virtu
But why would it work perfectly with CentOS on VBox, but not Fedora?
No changes - still VirtualBox, just CentOS vs Fedora.
On 3/17/18 01:55, Alexander Bokovoy wrote:
On pe, 16 maalis 2018, Kat via FreeIPA-users wrote:
Hi
Any ideas - VirtualBox - Fedora 27 server 4 CPUs and 4G ram (started
So it is Fedora.
CentOS 7, with 2 CPUs and 1G ram works like a charm. Seems there is
something with Fedora 27 that is just not going to work no matter how
much resource I give it.
I have a workaround (CentOS), but you guys should look into it.
Cheers
Kat
On 3/16/18 15:28, Kat wrote:
Hi
A
Hi
Any ideas - VirtualBox - Fedora 27 server 4 CPUs and 4G ram (started at
2+2) and it STILL dies at trying to restart the CA and fails after 300.0s
I have systems smaller than this running FreeIPA, so I can't believe it
is a resource? Maybe a Fedora thing? Is there some way to increase the
n't be wrong, right?
rob
On Feb 28, 2018, at 16:54, Rob Crittenden wrote:
Kat via FreeIPA-users wrote:
Ok, here I go again - this does not make sense. Looking at this
topology - but for a moment, ignore IPAP1, as that is the one I am
trying to add:
The problem is - IPAC1 is on the other
Ok, here I go again - this does not make sense. Looking at this
topology - but for a moment, ignore IPAP1, as that is the one I am
trying to add:
The problem is - IPAC1 is on the other side of a firewall from IPAP1,
and only IPAC is permitted to talk to it, but that should not be a problem.
Good morning
What, if anything, would cause a TTL to be different in a DNS config for
IPA?
;; ADDITIONAL SECTION:
c.example.com. 1200 IN A 10.1.2.2
c1.example.com 1200 IN A 10.1.2.3
p.example.com. 86400 IN A 10.1.2.4
p1.example.com. 86400 IN
Hi
Wondering if anyone has tried to integrate Spotfire server using FreeIPA
and Kerberos.
Thanks
K
seconds elapsed
Update succeeded
So who knows - maybe I outsmarted it.
So the installer failed at some point and then you ran the upgrader?
It is possible that there are still things that remain unconfigured,
perhaps subtle things.
rob
Kat
On 2/6/18 13:03, Rob Crittenden wrote:
Kat via
: The ipactl command was successful
And everything checks out - even created some objects/users and
replication seems to be working just fine.
I did run a re-init just to make sure:
# ipa-replica-manage re-initialize --from=E
Update in progress, 3 seconds elapsed
Update succeeded
So who knows - maybe I
works great BTW)
-k
On 2/5/18 09:58, Simo Sorce wrote:
On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in one location) can talk to C and D (in another location)
Trying to add E,
ique VPCs, used
"location" settings to have DNS work properly (this works great BTW)
-k
On 2/5/18 09:58, Simo Sorce wrote:
On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in on
stead.
They are all DNS servers too, but because of the unique VPCs, used
"location" settings to have DNS work properly (this works great BTW)
-k
On 2/5/18 09:58, Simo Sorce wrote:
On Sun, 2018-02-04 at 14:28 -0600, Kat via FreeIPA-users wrote:
This is a new one I have not seen before.
This is a new one I have not seen before.
Have 4 servers, trying to add a 5th.
Master A and B (in one location) can talk to C and D (in another location)
Trying to add E, which is a new location with the master to replicate
from being D.
When I run client install, no issues at all. Then I t
Trying to setup a sudo rule for a small group of users to have "sudo su
-" on all hosts, and then use !authenticate, but can't seem to make it
work. Any docs on doing this?
thanks
K
Curious if anyone has done any configuration in using Apache Knox and
integrating into IPA for Kerberos auth?
thanks
K
Hi all,
Looking to proxy some applications with a reverse proxy. Want to integrate
with IPA to do auth on the front end of the proxy so it passes kerberos
tickets to the back-end applications. Any suggestions on which proxy
would be best for this and integrating with IPA?
Just to clarify I am
Hi all,
Has anyone seen this before:
1. User created, and being used for logins, no issues. Works just fine.
2. At one point, keytab file is retrieved via getkeytab, which also works.
3. After the keytab is retrieved, the password no longer seems to work???
Weirdness - am I missing something
Hi All,
If you setup DNS but did not enable the reverse zone during the initial
install, is there a way to add/enable it after the fact? I can script
adding in all the PTR records, but wanted to find out how to
create/enable the reverse zone once you have already installed.
Thanks
K
Hi all --
I have a couple of offices I am trying to hook up with FreeIPA. We have
point-to-point VPN running between the two. For some reason, when I try to
add the VPN server as a client to the IPA server on the other side, I am
seeing:
Failed to update DNS records.
Missing A/ record(s) f
Hi,
If I have a simple pair of FreeIPA servers and one is showing different
failed auth times for a user -- is this a good indication they are out
of sync? Should I not see same failures on both?
-k
AHA
LOCATIONS!!!
Unless I am way off here - what I need to do is set the replica to NOT
be DNS, but then standup another replica inside the same "location" with
DNS and make sure the hosts in that location talk to it, and in the
inside location, they talk to the other host. The point is,
I think I see the problem - I am really trying to do Split DNS in this
configuration. So I need to keep DNS working, but somehow there must be
a way to have the replica on the outside of the firewall understand that
there is split DNS involved. I am having an issue figuring out if
FreeIPA DNS
Nothing? No suggestions?
Is it not possible to support DNS through a NAT?
-K
On 6/20/17 1:32 PM, Kat wrote:
Here is an odd problem (I think).
I am using IPA in one environment, and want to set up a replica in
another environment through natted connections. I can setup the client
to the NAT
Here is an odd problem (I think).
I am using IPA in one environment, and want to set up a replica in
another environment through natted connections. I can setup the client
to the NAT server, but here is the tricky part - IPA is also DNS. So if
I try to bring the DNS setup over with --
ipa-re
I found it just after I sent the email. Thanks - sorry to trouble you.
-K
On 6/19/17 12:28 PM, Tomasz Torcz wrote:
On Mon, Jun 19, 2017 at 12:19:02PM -0500, Kat via FreeIPA-users wrote:
Trying to find the new replica installation procedure for doing it.
Apparently ipa-replica-prepare, etc is
Trying to find the new replica installation procedure for doing it.
Apparently ipa-replica-prepare, etc is no longer the way, although all
the Red Hat docs say it is.
:-(
Hi all,
Having a problem with a new server install on RHEL 7 -
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
30 seconds
[1/31]: creating certificate server user
[2/31]: configuring certificate server instance
ipa.ipaserv
Never mind -- if I use ipa-getkeytab, it works perfectly.
What is the difference between what getkeytab and ktutil by hand does?
Is it documented?
-K
On 6/5/17 9:18 AM, Kat wrote:
Ok, I guess I am not understanding something here. What am I missing?
The PW is correct, but no matter what I d
Ok, I guess I am not understanding something here. What am I missing?
The PW is correct, but no matter what I do, I can't use the keytab file
for a user as shown below:
[root@ipa ~]# ktutil
ktutil: addent -password -p cyb...@example.com -k 1 -e
aes256-cts-hmac-sha1-96
Password for cyb...@exa
causes
the problems? Or am I missing the boat completely?
-K
On 6/2/17 7:59 AM, Simo Sorce wrote:
On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:
Hi,
I have read several pages on getting IPA and Cloudera Manager working
together to make nice with Kerberos, however, having an
Hi,
I have read several pages on getting IPA and Cloudera Manager working
together to make nice with Kerberos, however, having an issue following
the various steps. When I run through CM set and put the primary account
in I run into the classic "Preauth required" and yet, I can kinit the
accou
64 matches