Re: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-20 Thread Peter Pakos
I've now set up a test box using exactly the same install command, SSL certificate etc... The /etc/ipa/ca.crt contains only 3 certificates but they are not CA certificates that were included in the PKCS12 file: [root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout

[Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-20 Thread Peter Pakos
Hi, We moved our CA-less FreeIPA install into production only a few days ago and today I've noticed a problem with certificates. This is a FreeIPA 4.2 installation on CentOS 7.2. I've installed the first node with the following command: ipa-server-install \ -U \ -r $REALM \ -n

[Freeipa-users] regenerate certificate

2016-07-20 Thread mohammad sereshki
Hi, I checked my IPA server which is version ipa-server-3.0.0-25, command "ipa-get-cert list" shows my certificate will expire in the next 20 days, I do not know how to regenerate them but command "getcert list" shows expiration certificates are related just to "CA:IPA" and certificate " CA:

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
I have restarted the pki-cad and checked if communication with the CA is working, but no luck, Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of anything other than this? [root@caer ~]# ipa cert-show 1 Certificate:

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Rob, My apologies, I only provided a tail of the log, I should have provided more. I can see now there is much more detail in there. I followed your lead regarding the HTTP error log from the server and found this: [Wed Jul 20 14:33:39.410295 2016] [authz_core:error] [pid 27345] [client

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rob Crittenden
Rubin Binder wrote: Justin, Thank you very much for the prompt response. The log output is as follows: 2016-07-20T17:02:52Z DEBUG Starting external process 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com'

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Justin, Thank you very much for the prompt response. The log output is as follows: 2016-07-20T17:02:52Z DEBUG Starting external process 2016-07-20T17:02:52Z DEBUG args='/usr/sbin/ipa-join' '-s' 'ldap.mydomain.com' '-b' 'dc=mydomain,dc=com' '-h' 'centostest.mydomain.com' 2016-07-20T17:02:52Z

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden
Linov Suresh wrote: Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting * * *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true".* Could you please

[Freeipa-users] IPA Replication failed: Your system may be partly configured. Run ipa-server-install --uninstall to clean up. Configuration of CA failed

2016-07-20 Thread Linov Suresh
I was trying to replicate our IPA server which is running on CentOS 6.4, FreeIPA 3.0 and I got an error, *Your system may be partly configured.* *Run /usr/sbin/ipa-server-install --uninstall to clean up.* *Configuration of CA failed* I ran /usr/sbin/ipa-server-install --uninstall a couple of times

Re: [Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Justin Stephenson
Could you please share with us the /var/log/ipaclient-install.log ? Kind regards, Justin Stephenson On 07/20/2016 01:23 PM, Rubin Binder wrote: Hello all, I am testing Free IPA server for use under a test environment, so far smooth sailing and have it up and running, no problems. The

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Linov Suresh
Thanks for your help Rob, I will create a separate thread for IPA replication issue. But we are still getting *ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=60=true=true

[Freeipa-users] FreeIPA Client Install 403 error

2016-07-20 Thread Rubin Binder
Hello all, I am testing Free IPA server for use under a test environment, so far smooth sailing and have it up and running, no problems. The problem is occurring during client installation. I have installed the ipa-client package on a clean CentOS 7 OS. When I execute ipa-client-install...

Re: [Freeipa-users] FreeIPA SSL certificates installed to multiple hosts

2016-07-20 Thread Alexander Bokovoy
On Tue, 19 Jul 2016, Rob Crittenden wrote: Jeremy Utley wrote: Hello all! We're looking at replacing a lot of our currently self-signed internal SSL certificates in our infrastructure with certificates generated by the FreeIPA CA. However, I've run into something that I haven't been able to

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Alexander Bokovoy
On Wed, 20 Jul 2016, Jan Karásek wrote: Hi, thank you. ldapsearch reply: search: 2 result: 32 No such object matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt text: 208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=RpcServices,CN=System,DC=rwe,DC=tt'

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
Hi, thank you. ldapsearch reply: search: 2 result: 32 No such object matchedDN: CN=RpcServices,CN=System,DC=rwe,DC=tt text: 208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=RpcServices,CN=System,DC=rwe,DC=tt' actually when I look under the

[Freeipa-users] RPM Update fails on some replicas in ipa-server-upgrade

2016-07-20 Thread Patrick Hurrelmann
Hi all, today I updated all of our IPA servers (CentOS 7.2) with some minor RPM updates, but one of the replicas failed with: RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API', domain='ipa', localedir=None) Log excerpt (ipaupgrade.log) from this host: (Also available as

Re: [Freeipa-users] Unable to ssh after establishing trust

2016-07-20 Thread pgb205
Thank you! That was it. From: Simpson Lachlan To: pgb205 ; Sumit Bose Cc: Freeipa-users Sent: Tuesday, July 19, 2016 7:30 PM Subject: RE: Re: [Freeipa-users] Unable to ssh after establishing

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-20 Thread Rob Crittenden
Glad you got the certificates successfully renewed. Can you open a new e-mail thread on this new problem so we can keep the issues separated? IPA gets little information back when dogtag fails to install. You need to look in /var/log//debug for more information. The exact location depends

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Justin Stephenson
These attributes should be available from port 389 and not the global catalog, please try a command such as: ldapsearch -H ldap:// -D "DOMAIN\Administrator" -W -b "cn=ypservers,cn=ypserv30,cn=rpcservices,CN=System,dc=example,dc=com" msSFU30OrderNumber msSFU30MaxUidNumber msSFU30MaxGidNumber

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-20 Thread Jan Karásek
Hi, thank you for the hint. In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py: It's working with msSFU30MaxUidNumber and msSFU30OrderNumber. If I understand it right, it is base uid number and the number of uids in range. If not discovered nor given via CLI, then it

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Lachlan Musicman
Sure - I've got tomorrow off, so it will be Friday morning. cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 July 2016 at 17:14, Jakub Hrozek wrote: > On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan

Re: [Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:27:34AM +0530, Visakh MV wrote: > Hi, > > > first case: As per your direction, things are going well even if we are > facing some issues as well. even like once logged in to ipa-client machine > with ipa user with certain privilege after that while using terminal "

Re: [Freeipa-users] HBAC and AD users

2016-07-20 Thread Jakub Hrozek
On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > On 19 July 2016 at 16:40, Jakub Hrozek wrote: > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > I think the thing that frustrates the most is that id u...@domain.com is > > >