<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt">1) 7839 TCP is open between the master and replica, do I need 7389 UDP also? What about clients and replica?<br>I have the following ports opened and tested between master and replica. --> 389 (TCP), 636 (TCP), 88 (TCP), 464 (TCP), 80 (TCP), 443 (TCP), 7389 (TCP)<br>and 88 (UDP) 464 (UDP)<br>Do I need any more ports opened? I have to work with another team to get this done, so it will help having all the information.<br><br>2) I see you skip the connection check, what was failing? :-- Yes, my replica install fails unless I use --skip connection check. I have tested the connection with the ports mentioned during the install.<br><br>3) In the ipareplica-install log this is reported:<br><br>Failed to setup the replication for cloning. :--- Yes, but what is the solution?<br><br>4)
And in the debug log:<br><br>:- Also what is the solution for the Java.io error?<br><br><div><span><br></span></div><div> </div><div>Shreeraj
<br>----------------------------------------------------------------------------------------
<br>
<br>Change is the only Constant !</div><div style="display: block;" class="yahoo_quoted"> <br> <br> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"> <div dir="ltr"> <font face="Arial" size="2"> On Friday, February 14, 2014 10:21 AM, Rob Crittenden <rcritten@redhat.com> wrote:<br> </font> </div> <div class="y_msg_container">Shree wrote:<br>> The logs are attached here. I had a day off yesterday.<br><br>Is port 7389 open? I see you skip the connection check, what was failing?<br><br>In the ipareplica-install log this is reported:<br><br>Failed to setup the replication for cloning.<br><br>And in the debug log:<br><br>[12/Feb/2014:15:15:38][http-9445-2]: DatabasePanel setupReplication: <br>java.io.IOException: consumer initialization failed. -1 - LDAP
error: <br>Can't contact LDAP server<br><br>rob<br><br>> Shreeraj<br>> ----------------------------------------------------------------------------------------<br>><br>><br>> Change is the only Constant !<br>><br>><br>> On Thursday, February 13, 2014 6:41 AM, Rob Crittenden<br>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>> Shree wrote:<br>> > Ok, failed at the same stage, would you like the entire<br>> > /var/log/ipareplica-install.log. If yes, should I attach to the email?<br>> ><br>> ><br>> ><br>> > pa : INFO File<br>> > "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py",<br>> > line 614, in run_script<br>> > return_value = main_function()<br>>
><br>> > File "/usr/sbin/ipa-replica-install", line 467, in main<br>> > (CA, cs) = cainstance.install_replica_ca(config)<br>> ><br>> > File<br>> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line<br>> > 1604, in install_replica_ca<br>> > subject_base=config.subject_base)<br>> ><br>> > File<br>> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line<br>> > 617, in configure_instance<br>> > self.start_creation(runtime=210)<br>> ><br>> > File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py",<br>> > line 358, in start_creation<br>> > method()<br>> ><br>>
> File<br>> > "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line<br>> > 879, in __configure_instance<br>> > raise RuntimeError('Configuration of CA failed')<br>> ><br>> > ipa : INFO The ipa-replica-install command failed,<br>> > exception: RuntimeError: Configuration of CA failed<br>> ><br>> > Your system may be partly configured.<br>> > Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>> ><br>> > Configuration of CA failed<br>> > [root@ldap2 ~]#<br>> ><br>><br>> We need to see the full /var/log/ipareplica-install.log and the debug<br>> log
from /var/log/pki-ca.<br>><br>> rob<br>><br>> > Shreeraj<br>> ><br>> ----------------------------------------------------------------------------------------<br>> ><br>> ><br>> > Change is the only Constant !<br>> ><br>> ><br>> > On Wednesday, February 12, 2014 2:55 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br>> > On 02/12/2014 04:57 PM, Shree wrote:<br>> >> If there aren't any other tests to perform, can I go ahead and<br>> >> uninstall the ipa client and configure this Vm as a replica?<br>> ><br>> > Thanks for trying. At least we know that certmonger can run by itself.<br>> > When you
install replica please collect all the install logs.<br>> > Is SELinux on/off?<br>> ><br>> >> Shreeraj<br>> >><br>> ----------------------------------------------------------------------------------------<br>> >><br>> >><br>> >> Change is the only Constant !<br>> >><br>> >><br>> >> On Wednesday, February 12, 2014 1:40 PM, Shree<br>> >> <<a ymailto="mailto:shreerajkarulkar@yahoo.com" href="mailto:shreerajkarulkar@yahoo.com">shreerajkarulkar@yahoo.com</a>> wrote:<br>
> >> "getcert list" returned a bunch of info, see below<br>> >><br>> >> root@ldap2 ~]# getcert list<br>> >> Number of certificates and requests being tracked: 2.<br>> >> Request ID '20140206184920':<br>> >> status: MONITORING<br>> >> stuck: no<br>> >> key pair storage:<br>> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>> >> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>> >> certificate:<br>> >> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS<br>> >> Certificate
DB'<br>> >> CA: dogtag-ipa-retrieve-agent-submit<br>> >> issuer: CN=Certificate Authority,......................<br>> >> .............................<br>> >><br>> >> Shreeraj<br>> >><br>> ----------------------------------------------------------------------------------------<br>> >><br>> >><br>> >> Change is the only Constant !<br>> >><br>> >><br>> >> On Wednesday, February 12, 2014 12:43 PM, Dmitri Pal<br>
> >> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br>> >> On 02/12/2014 03:41 PM, Shree wrote:<br>> >>> So I uninstalled the ipa server and installed the client<br>> >>> (ipa-client-install) on the same VM pointing at the master and<br>> >>> everything seems to work OK. All the sudo rules etc. Are there any<br>> >>> tests I can do to check connectivity that could be helpful before I<br>> >>> configure this as a "replica" again.<br>> >> Ask certmonger to get a certificate<br>> >><br>> >>><br>> >>> Shreeraj<br>> >>><br>> ----------------------------------------------------------------------------------------<br>> >>><br>> >>><br>> >>> Change is the only Constant !<br>>
>>><br>> >>><br>> >>> On Wednesday, February 12, 2014 11:46 AM, Dmitri Pal<br>> >>> <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br>> >>> On 02/12/2014 02:09 PM, Shree wrote:<br>> >>>> Rob<br>> >>>> I really appreciate your help, please bear with me. At this point I<br>> >>>> need to take you back to my ipa-replica-install and what happened<br>> >>>> there.<br>> >>>><br>> >>>> [1] My
command: ipa-replica-install --setup-ca<br>> >>>> /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck<br>> >>>> This ended with a<br>> >>>> Done configuring NTP daemon (ntpd).<br>> >>>> A CA is already configured on this system.<br>> >>>><br>> >>>> [2] So did a pkiremove with the following command<br>> >>>> # pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca<br>> -force<br>> >>>><br>> >>>> [3] Re ran the ipa-replica-install command in step 1<br>> >>>> The install went a little further but ended below.<br>> >>>><br>> >>>> Configuring directory server for the CA (pkids): Estimated time 30<br>> >>>> seconds<br>> >>>> [1/3]:
creating directory server user<br>> >>>> [2/3]: creating directory server instance<br>> >>>> [3/3]: restarting directory server<br>> >>>> Done configuring directory server for the CA (pkids).<br>> >>>> ipa : ERROR certmonger failed starting to track certificate:<br>> >>>> Command '/usr/bin/ipa-getcert start-tracking -d<br>> >>>> /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p<br>> >>>> /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C<br>> >>>> /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned non-zero<br>> >>>> exit status 1<br>> >>>> Configuring certificate server (pki-cad): Estimated time 3 minutes<br>> >>>> 30 seconds<br>> >>>> [1/17]: creating certificate server
user<br>> >>>> [2/17]: creating pki-ca instance<br>> >>>> [3/17]: configuring certificate server instance<br>> >>>> ipa : CRITICAL failed to configure ca instance Command<br>> >>>> '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname<br>> >>>> .................<br>> >>>> ...........................<br>> >>>> Your system may be partly configured.<br>> >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.<br>> >>>><br>> >>>> Configuration of CA failed<br>> >>>><br>> >>>> If I skip the "--setup-ca" option then the replica gets created<br>> >>>> without any CA services. The "master" and "replica" are in sync but<br>> >>>> I am unable to
run an ipa-client-install using the replica. Now I<br>> >>>> need to fix this to get a replica in place correctly.<br>> >>>><br>> >>>><br>> >>>> Shreeraj<br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>><br>> >>>><br>> >>>><br>> >>>> On Wednesday, February 12, 2014 10:42 AM, Rob Crittenden<br>
> >>>> <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>> >>>> Shree wrote:<br>> >>>> > OK I thought CA is a part of IPA ? Below is from my master IPA<br>> server<br>> >>>> ><br>> >>>> > [root@ldap ~]# ipactl status<br>> >>>> > Directory Service: RUNNING<br>> >>>> > KDC Service: RUNNING<br>> >>>> > KPASSWD Service: RUNNING<br>> >>>> > MEMCACHE Service: RUNNING<br>> >>>> > HTTP
Service: RUNNING<br>> >>>> > CA Service: RUNNING<br>> >>>> > [root@ldap ~]#<br>> >>>> ><br>> >>>> > I can certainly send you a log if needed.<br>> >>>><br>> >>>> It is part of IPA but the IPA server talks to it, not the clients<br>> >>>> directly.<br>> >>>><br>> >>>> I can only speculate what the client is doing without seeing the log<br>> >>>> files, but I suspect both masters are in DNS and IPA is trying to<br>>
>>>> enroll<br>> >>>> to the initial master which isn't available.<br>> >>>><br>> >>>> rob<br>> >>>><br>> >>>> > Shreeraj<br>> >>>> ><br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>> ><br>> >>>> ><br>> >>>> > Change is the only Constant !<br>> >>>> ><br>> >>>> ><br>> >>>> > On Wednesday, February 12, 2014 10:32 AM, Rob Crittenden<br>
> >>>> > <<a ymailto="mailto:rcritten@redhat.com" href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br>> >>>> > Shree wrote:<br>> >>>> > > Peter<br>> >>>> > > Actually I mentioned earlier that my clients are in a separate<br>> >>>> VLAN and<br>> >>>> > > cannot access the master. We have made provisions for the<br>> >>>> master and the<br>> >>>> > > replica to sync by opening the needed ports in the firewall. We<br>> >>>> have<br>> >>>> > > also opened up ports between the clients and the replica. I<br>> >>>> have tested<br>> >>>>
> > the connectivity for these ports.<br>> >>>> > > Perhaps you can tell me if what I am trying to achieve is even<br>> >>>> possible?<br>> >>>> > > i.e<br>> >>>> > > I seem to get stuck with making the replica with the "--setup-ca"<br>> >>>> > > option. Without that option I am able to create a replica and<br>> >>>> have it in<br>> >>>> > > sync with the master. However my ipa-client-install fails from<br>> >>>> clients<br>> >>>> > > as they try looking for the master for CA part of the install.<br>> >>>> ><br>> >>>> > Clients don't talk to the CA, they talk to an IPA server which<br>> >>>> talks to<br>>
>>>> > the CA.<br>> >>>> ><br>> >>>> > I think we need to see /var/log/ipaclient-install.log to see what is<br>> >>>> > going on.<br>> >>>> ><br>> >>>> > rob<br>> >>>> ><br>> >>>> > > Shreeraj<br>> >>>> > ><br>> >>>> ><br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>> > ><br>> >>>> > ><br>> >>>> > > Change is the only Constant !<br>> >>>> > ><br>> >>>> > ><br>> >>>> > > On Wednesday, February 12, 2014 12:45 AM, Petr
Spacek<br>> >>>> > > <<a ymailto="mailto:pspacek@redhat.com" href="mailto:pspacek@redhat.com">pspacek@redhat.com</a>> wrote:<br>> >>>> > > On 11.2.2014 23:53, Shree wrote:<br>> >>>> > ><br>> >>>> > > > Following ports are opened between the<br>> >>>> > > > 1) Between the master and the replica (bi directional)<br>> >>>> > > > 2) client machine and the ipa replica (unidirectional).<br>> >>>> > > > When the replica was up it worked fine as far as syncing was<br>> >>>> > concerned.<br>> >>>> > > ><br>> >>>> > > > 80 tcp<br>> >>>> > > > 443 tcp<br>> >>>> > > > 389 tcp<br>> >>>> > >
> 636 tcp<br>> >>>> > > > 88 tcp<br>> >>>> > > > 464 tcp<br>> >>>> > > > 88 udp<br>> >>>> > > > 464 udp<br>> >>>> > > > 123 udp<br>> >>>> > > ><br>> >>>> > > > Shreeraj<br>> >>>> > > ><br>> >>>> > ><br>> >>>> ><br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>> > > ><br>> >>>> > > > Change is the only Constant !<br>> >>>> > > ><br>> >>>> > >
><br>> >>>> > > ><br>> >>>> > > > On Tuesday, February 11, 2014 2:22 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br>> >>>> > > ><br>> >>>> > > > On 02/11/2014 05:05 PM, Shree wrote:<br>> >>>> > > > Dimitri<br>> >>>> > > >> Sorry some of the mail landed in my SPAM folder. Let me answer your<br>> >>>> > > questions (thanks for your help man)<br>> >>>> > > > Please republish it on the list.<br>> >>>> > > > Do not reply to me directly.<br>> >>>> > > ><br>> >>>> > > > Did you set your first server with the CA? Do all ports<br>> >>>> that need<br>> >>>> > > > to be open in the firewall between primary or
server are<br>> >>>> actually<br>> >>>> > > > open?<br>> >>>> > > ><br>> >>>> > > ><br>> >>>> > > ><br>> >>>> > > >><br>> >>>> > > >> What I have done so far is uninstalled the replica and<br>> tried to<br>> >>>> > > install it again using the "--setup-ca" option. Previously I had<br>> >>>> > > failures and when I removed the "--setup-ca" option the<br>> >>>> installation<br>> >>>> > > succeeded (in a way). I understand now that I really need to<br>> >>>> fix the CA<br>> >>>> > > installation errors first.<br>> >>>>
> > >><br>> >>>> > > >><br>> >>>> > > >> 1)The workaround helped me go forward a bit but I got stuck<br>> >>>> at this<br>> >>>> > > point see below<br>> >>>> > > >> ===========<br>> >>>> > > >> [1/3]: creating directory server user<br>> >>>> > > >> [2/3]: creating directory server instance<br>> >>>> > > >> [3/3]: restarting directory server<br>> >>>> > > >> Done configuring directory server for the CA (pkids).<br>> >>>> > > >> ipa : ERROR certmonger failed starting to track<br>> >>>> > > certificate: Command
'/usr/bin/ipa-getcert start-tracking -d<br>> >>>> > > /etc/dirsrv/slapd-PKI-IPA -n Server-Cert -p<br>> >>>> > > /etc/dirsrv/slapd-PKI-IPA/pwdfile.txt -C<br>> >>>> > > /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA' returned<br>> >>>> non-zero exit<br>> >>>> > > status 1<br>> >>>> > > >> Configuring certificate server (pki-cad): Estimated time 3<br>> >>>> minutes<br>> >>>> > > 30 seconds<br>> >>>> > > >> [1/17]: creating certificate server user<br>> >>>> > > >> [2/17]: creating pki-ca instance<br>> >>>> > > >> [3/17]: configuring certificate server instance<br>> >>>>
> > >> ipa : CRITICAL failed to configure ca instance Command<br>> >>>> > > '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname<br>> >>>> > > ldap2.macosforge.org -cs_port 9445 -client_certdb_dir<br>> >>>> /tmp/tmp-ipJSsT<br>> >>>> > > -client_certdb_pwd XXXXXXXX -preop_pin OlGXcjPVXoQcuuQkGgoG -<br>> >>>> > > >> ===========<br>> >>>> > > >> 2) No we do not use IPA for a DNS server.<br>> >>>> > > >><br>> >>>> > > >><br>> >>>> > > >> 3)The reason for this could be that I had installed the<br>> replica<br>> >>>> > > without the "--setup-ca".<br>>
>>>> > > >><br>> >>>> > > >> Shreeraj<br>> >>>> > > >><br>> >>>> > ><br>> >>>> ><br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>> > > >><br>> >>>> > > >><br>> >>>> > > >><br>> >>>> > > >> Change is the only Constant !<br>> >>>> > > >><br>> >>>> > > >><br>> >>>> > > >><br>> >>>> > > >> On Monday, February 10, 2014 12:43 PM, Dmitri Pal <<a ymailto="mailto:dpal@redhat.com" href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br>> >>>> > > >><br>> >>>> > > >> On 02/09/2014 07:44 AM, Rob
Crittenden wrote:<br>> >>>> > > >>> Shree wrote:<br>> >>>> > > >>>> Lukas<br>> >>>> > > >>>> Perhaps I should explain the design a bit and<br>> >>>> > > > see if FreeIPA even<br>> >>>> > > >>>> supports this.Our replica is in a separate<br>> >>>> > > > network and all the<br>> >>>> > > >>>> appropriate ports are opened between the master<br>> >>>> > > > and the replica. The<br>> >>>> > > >>>> "replica" got created successfully and is in<br>> >>>> > > > sync with the
master<br>> >>>> > > >>>> (except the CA services which I mentioned<br>> >>>> > > > earlier)<br>> >>>> > > >>>> Now, when I try to run ipa-client-install on<br>> >>>> > > > hosts in the new network<br>> >>>> > > >>>> using the replica, it complains about<br>> >>>> > > > "Cannot contact any KDC for<br>> >>>> > > >>>> realm".<br>> >>>> > > >>>> I am wondering if my hosts in the new network<br>> >>>> > > > are trying to access the<br>> >>>> > > >>>> "master" for certificates since the replica<br>>
>>>> > > > does not have any CA<br>> >>>> > > >>>> services running? I couldn't find any obvious<br>> >>>> > > > proof of this even running<br>> >>>> > > >>>> the install in a debug mode. Do I need to open<br>> >>>> > > > ports between the new<br>> >>>> > > >>>> hosts and the master for CA services?<br>> >>>> > > >>>> At this point I cannot disable or move the<br>> >>>> > > > master, it needs to function<br>> >>>> > > >>>> in its location but I need<br>> >>>> > > >>><br>>
>>>> > > >>> No, the clients don't directly talk to the CA.<br>> >>>> > > >>><br>> >>>> > > >>> You'd need to look in<br>> >>>> > > > /var/log/ipaclient-install.log to see what KDC<br>> >>>> > > >>> was found and we were trying to use. If you have<br>> >>>> > > > SRV records for both<br>> >>>> > > >>> but we try to contact the hidden master this will<br>> >>>> > > > happen. You can try<br>> >>>> > > >>> specifying the server on the command-line with<br>> >>>> > > > --server but this will<br>> >>>> > > >>>
be hardcoding things and make it less flexible<br>> >>>> > > > later.<br>> >>>> > > >>><br>> >>>> > > >>> rob<br>> >>>> > > >>><br>> >>>> > > >>>> Shreeraj<br>> >>>> > > >>>><br>> >>>> > > ><br>> >>>> > ><br>> >>>> ><br>> >>>><br>> ----------------------------------------------------------------------------------------<br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>>
Change is the only Constant !<br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>> On Saturday, February 8, 2014 1:29 AM, Lukas<br>> >>>> > > > Slebodnik<br>> >>>> > > >>>> <<a ymailto="mailto:lslebodn@redhat.com" href="mailto:lslebodn@redhat.com">lslebodn@redhat.com</a>> wrote:<br>> >>>> > > >>>> On (06/02/14 18:33), Shree wrote:<br>> >>>> > > >>>><br>> >>>> > > >>>>> First of all, the ipa-replica-install did<br>> >>>> > > > not allow me to use<br>> >>>> > > >>>> the --setup-ca<br>> >>>> > >
>>>>> option complaining that a cert already<br>> >>>> > > > exists, replicate creation was<br>> >>>> > > >>>>> successful after I skipped the option.<br>> >>>> > > >>>>> Seems like the replica is one except<br>> >>>> > > >>>>> 1) There is no CA Service running on the<br>> >>>> > > > replica (which I guess is<br>> >>>> > > >>>> expected)<br>> >>>> > > >>>>> and<br>> >>>> > > >>>>> 2) I am unable to run ipa-client-install<br>> >>>> > > > successfully on any clients<br>> >>>> > > >>>> using<br>>
>>>> > > >>>>> the replica. (I don't have the option of<br>> >>>> > > > using the primary master as<br>> >>>> > > >>>> it is<br>> >>>> > > >>>>> configured in a segregated environment.<br>> >>>> > > > Only the master and replica<br>> >>>> > > >>>> are<br>> >>>> > > >>>>> allowed to sync.<br>> >>>> > > >>>>> Debug shows it fails at<br>> >>>> > > >>>>><br>> >>>> > > >>>>> ipa : DEBUG stderr=kinit: Cannot<br>> >>>>
> > > contact any KDC for realm<br>> >>>> > > >>>> 'mydomainname.com' while getting initial<br>> >>>> > > > credentials<br>> >>>> > > >>>><br>> >>>> > > >>>>><br>> >>>> > > >>>>><br>> >>>> > > >>>><br>> >>>> > > >>>> I was not able to install replica with CA on<br>> >>>> > > > fedora 20,<br>> >>>> > > >>>> Bug is already reported<br>> >>>> <a href="https://fedorahosted.org/pki/ticket/816" target="_blank">https://fedorahosted.org/pki/ticket/816</a><br>> >>>> > >
>>>><br>> >>>> > > >>>> Guys from dogtag found a workaround<br>> >>>> > > >>>> <a href="https://fedorahosted.org/pki/ticket/816#comment:12" target="_blank">https://fedorahosted.org/pki/ticket/816#comment:12</a><br>> >>>> > > >>>><br>> >>>> > > >>>> Does it work for you?<br>> >>>> > > >>>><br>> >>>> > > >>>> LS<br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > > >>>><br>> >>>> > >
>>>> _______________________________________________<br>> >>>> > > >>>> Freeipa-users mailing list<br>> >>>> > > >>>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>> >>>> > > >>>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>> >>>> > > >>>><br>> >>>> > > >>><br>> >>>> > > >>> _______________________________________________<br>
> >>>> > > >>> Freeipa-users mailing list<br>> >>>> > > >>> <a ymailto="mailto:Freeipa-users@redhat.com" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>> >>>> > > >>> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>> >>>> > > >><br>> >>>> > > >> What server provides DNS capabilities to the clients?<br>> >>>> > > >> Do you use IPA DNS or some other DNS?<br>> >>>> > > >> Clients seem to
not be able to see replica KDC and try<br>> >>>> > > > to access hidden<br>> >>>> > > >> master but they can know about this master only via DNS.<br>> >>>> > ><br>> >>>> > ><br>> >>>> > > Shree, make sure that command<br>> >>>> > > $ dig -t SRV _kerberos._udp.ipa.example<br>> >>>> > > on the client returns both IPA servers (in ANSWER section).<br>> >>>> > ><br>> >>>> > > --<br>> >>>> > > Petr^2 Spacek<br>> >>>> > ><br>> >>>><br>> >>> I suggest that you temporarily try to install a client in place of<br>> >>> the replica and see why it does not install.<br>> >>> The log above suggests
that certmonger that is a part of the replica<br>> >>> fails to connect to the first master. We need to understand the<br>> >>> reason why it fails. Then we would be able to make your replica be<br>> >>> a CA.<br>> >>> I suspect that CA related communication between replica and master is<br>> >>> not going through for some reason.<br>> >>> The install log would be really helpful.<br>> >>> Please see<br>> >>> <a href="http://www.freeipa.org/page/Troubleshooting" target="_blank">http://www.freeipa.org/page/Troubleshooting</a> to collect the right logs.<br>> >>><br>> >>> --<br>> >>> Thank you,<br>> >>> Dmitri Pal<br>>
>>><br>> >>> Sr. Engineering Manager for IdM portfolio<br>> >>> Red Hat Inc.<br>> >>><br>> >><br>> >> --<br>> >> Thank you,<br>> >> Dmitri Pal<br>> >><br>> >> Sr. Engineering Manager for IdM portfolio<br>> >> Red Hat Inc.<br>> >><br>> ><br>> > --<br>> > Thank you,<br>> > Dmitri Pal<br>> ><br>> > Sr. Engineering Manager for IdM portfolio<br>> > Red Hat Inc.<br>> ><br>> ><br>><br>><br>><br><br><br><br></div> </div> </div> </div> </div></body></html>