[Freeipa-users] Insufficient 'write' privilege to the 'userCertificate'

2016-07-24 Thread mohammad sereshki
Hi, I get the below error from "getcert list"; would you please help me to solve it?

 ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ldap/ipasrv.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.).

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Insufficient access

2016-07-24 Thread mohammad sereshki
Hi, I got the below error when I tried to check certificates.
I ran kinit admin before and it was okay; would you please help me?


ipa cert-show 1-
ipa: ERROR: Insufficient access: not allowed to perform this command

[Freeipa-users] ccache for local "host" service using default keytab

2016-07-24 Thread mohammad sereshki
Hi, I get the below error; is there any suggestion to solve it?
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.



getcert list |less
Number of certificates and requests being tracked: 8.
Request ID '20140817125452':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=t1vl068.example.com,O=EXAMPLE.COM
    expires: 2016-08-17 12:49:50 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
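
Both certmonger errors quoted above (the denied write to the service's userCertificate attribute in the first thread, and the host ccache that cannot reach a KDC in this one) surface only as a ca-error: line inside `getcert list`. The request above stays in MONITORING with stuck: no, so certmonger keeps retrying and nothing fails loudly until the Server-Cert actually expires on 2016-08-17. The shell snippet below is an added example, not code from the thread or from certmonger: it reduces `getcert list` output to one tab-separated row per tracked request and filters out the rows that carry a ca-error. It assumes the format certmonger really prints (a "Request ID '...':" header followed by indented key: value lines, one field per line; the line wrapping in the mail comes from the mail client). The embedded sample is the page's request 20140817125452 plus two requests constructed for the example, one healthy and one carrying the write-privilege denial from the first thread.

```shell
#!/bin/sh
# Added example: triage `getcert list` output. Not part of certmonger or FreeIPA.

getcert_triage() {  # stdin: getcert list output; stdout: id<TAB>status<TAB>expires<TAB>ca-error-or-dash
    awk -v q="'" '
        function flush() {
            if (id != "")
                printf "%s\t%s\t%s\t%s\n", id, status, expires, (err == "" ? "-" : err)
            id = ""; status = ""; expires = ""; err = ""
        }
        # "Request ID '\''20140817125452'\'':" starts a new record; strip quotes and colon
        /^Request ID /      { flush(); id = $3; sub(/:$/, "", id); gsub(q, "", id); next }
        /^[ \t]+status: /   { sub(/^[ \t]+status: /, "");   status  = $0; next }
        /^[ \t]+expires: /  { sub(/^[ \t]+expires: /, "");  expires = $0; next }
        /^[ \t]+ca-error: / { sub(/^[ \t]+ca-error: /, ""); err     = $0; next }
        END { flush() }
    '
}

getcert_failing() {  # stdin: rows from getcert_triage; stdout: only rows with a ca-error
    awk -F "$(printf '\t')" '$4 != "-"'
}

# Constructed sample input: the page's request 20140817125452, a healthy request
# (20140817125453) and a request rejected with the userCertificate write error
# (20140817125454); the last two are made up for this example.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140817125452':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=t1vl068.example.com,O=EXAMPLE.COM
    expires: 2016-08-17 12:49:50 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817125453':
    status: MONITORING
    stuck: no
    CA: IPA
    expires: 2017-01-01 00:00:00 UTC
    track: yes
    auto-renew: yes
Request ID '20140817125454':
    status: CA_REJECTED
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ldap/ipasrv.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.).
    stuck: yes
    expires: 2016-08-17 12:49:50 UTC
    track: yes
    auto-renew: yes
EOF
)

# On a real host: getcert list | getcert_triage | getcert_failing
printf '%s\n' "$SAMPLE_GETCERT" | getcert_triage | getcert_failing
```

For the write-privilege row, remember that certmonger authenticates with the host keytab, so the requesting host has to be allowed to manage the service entry (`ipa service-add-host <service> --hosts=<host>`); that is general FreeIPA behaviour, not something the thread states. For the KDC row, confirm that the realm in /etc/krb5.conf resolves to a KDC reachable on port 88 before looking at certmonger itself.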

[Freeipa-users] vaults and service accounts

2016-07-24 Thread Anthony Clark
Hello All,

I have a crazy notion of storing a host's SSH private keys in a ipa vault,
so that a rebuilt host can use the same keys.

I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos
base repository, so I'm constrained to version 1.0 vaults.  I'm using this
page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance

I'm trying these following steps but running into trouble:

ipa service-add ssh/test01.dev.redacted.net

certutil -N -d testcertdb

certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'


ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net

ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem

the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': Invalid
or unsupported vault public key: Could not unserialize key data."

Is there a preferred way to create a public key for asymmetric encryption
for a service vault?

Thanks,

Anthony Clark
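
The "Could not unserialize key data" error above is what FreeIPA reports when --public-key-file does not hold a public key: testsshd01-cert.pem, written by `ipa-getcert request -f`, is an X.509 certificate (BEGIN CERTIFICATE), while an asymmetric vault expects the bare public key in PEM form (BEGIN PUBLIC KEY, a SubjectPublicKeyInfo). The shell snippet below is an added example, not code from the thread or from FreeIPA: it generates a vault key pair with openssl (the standard genrsa/rsa -pubout recipe, written here with genpkey/pkey), extracts the public key from an existing certificate, and pre-checks a file before it is handed to `ipa vault-add`. The file names and the throwaway self-signed certificate built by demo_vault_key are constructed for the example; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: produce and validate a public key for `ipa vault-add --type asymmetric`.
# Not part of FreeIPA; assumes openssl is on PATH.

pem_label() {  # print the first PEM label in a file, e.g. CERTIFICATE or PUBLIC KEY
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

make_vault_keypair() {  # $1 = private key out, $2 = public key out
    # umask 077 so the private key is never world-readable, even briefly
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null ) || return 1
    # the public half (SubjectPublicKeyInfo PEM) is what --public-key-file takes
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

pubkey_from_cert() {  # $1 = certificate PEM, $2 = public key out (when a cert is all you have)
    openssl x509 -in "$1" -pubkey -noout > "$2" 2>/dev/null
}

check_vault_pubkey() {  # succeed only if $1 is a PUBLIC KEY PEM that openssl can parse
    [ "$(pem_label "$1")" = "PUBLIC KEY" ] || return 1
    openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

pubkey_fingerprint() {  # SHA-256 of the DER public key, to compare keys across files
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

demo_vault_key() {  # returns 0 when the certificate-vs-public-key checks behave as expected
    d=$(mktemp -d) || return 1
    make_vault_keypair "$d/vault-key.pem" "$d/vault-pub.pem" || return 1
    # constructed stand-in for testsshd01-cert.pem: a self-signed cert over the same key
    openssl req -x509 -new -key "$d/vault-key.pem" -subj "/CN=test01.dev.redacted.net" \
        -days 1 -out "$d/cert.pem" 2>/dev/null || return 1
    check_vault_pubkey "$d/cert.pem" && return 1       # a certificate must be rejected
    check_vault_pubkey "$d/vault-pub.pem" || return 1  # a bare public key is accepted
    pubkey_from_cert "$d/cert.pem" "$d/from-cert.pem" || return 1
    # the key extracted from the cert is the same key as the generated public half
    [ "$(pubkey_fingerprint "$d/vault-pub.pem")" = "$(pubkey_fingerprint "$d/from-cert.pem")" ] || return 1
    rm -rf "$d"
}

if demo_vault_key; then
    echo "vault public key checks passed"
else
    echo "vault public key checks failed (is openssl installed?)" >&2
fi
```

Only vault-pub.pem goes to IPA (`ipa vault-add testsshd02 --service <service principal> --type asymmetric --public-key-file vault-pub.pem`); the private half is what later opens the vault with `ipa vault-retrieve --private-key-file`, so it stays on the host with 0600 permissions and should be backed up separately from the vault contents it protects.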

[Freeipa-users] replica cms issue

2016-07-24 Thread mohammad sereshki
Hi, I get the below error when I want to prepare a server as a replica. Would you please help me?

Certificate operation cannot be completed: Unable to communicate with CMS

[Freeipa-users] Announcing FreeIPA 4.3.2

2016-07-24 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.3.2 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The
builds are available for Fedora 24 and rawhide. Experimental builds for
CentOS 7 will be available in the official FreeIPA CentOS7 COPR
repository.


This announcement is also available on
http://www.freeipa.org/page/Releases/4.3.2

Fedora 24 update:
https://bodhi.fedoraproject.org/updates/freeipa-4.3.2-1.fc24

== Highlights in 4.3.2 ==
=== Enhancements ===
* added possibility to list/clean dangling RUV records for o=ipaca
suffix https://fedorahosted.org/freeipa/ticket/4987
* --domain-level of `ipa-server-install` was deprecated
https://fedorahosted.org/freeipa/ticket/5907

=== Bug fixes ===
* fixed upgrade bug on servers without CA
https://fedorahosted.org/freeipa/ticket/5958
* fixed installation of server with DNS if A record didn't exist
https://fedorahosted.org/freeipa/ticket/5962
* fixed issue where A/ DNS records were not created for CA
https://fedorahosted.org/freeipa/ticket/5966
* fixed installation of CA less replica on domain level 1
https://fedorahosted.org/freeipa/ticket/5721
* fixed forward zone conflicts with automatic empty zones from BIND
https://fedorahosted.org/freeipa/ticket/5710
* fixed race condition with multiple simultaneous request from the same
principal https://fedorahosted.org/freeipa/ticket/5653

== Upgrading ==
Upgrade instructions are available on the upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or
#freeipa channel on Freenode.

== Detailed Changelog since 4.3.2 ==
=== Abhijeet Kasurde (2) ===
* Added description related to 'status' in ipactl man page
* Updated ipa command man page

=== Alexander Bokovoy (1) ===
* otptoken: support Python 3 for the qr code

=== David Kupka (3) ===
* man: Describe ipa-client-install workaround for broken D-Bus environment.
* installer: positional_arguments must be tuple or list of strings
* installer: index() raises ValueError

=== Florence Blanc-Renaud (2) ===
* Do not allow installation in FIPS mode
* Fix session cookies

=== Fraser Tweedale (5) ===
* caacl: correctly handle full user principal name
* Prevent replica install from overwriting cert profiles
* Detect and repair incorrect caIPAserviceCert config
* upgrade: do not try to start CA if not configured
* Move normalize_hostname to where it is expected

=== Jan Cholasta (4) ===
* spec file: bump minimum required pki-core version
* build: fix client-only build
* makeapi: use the same formatting for `int` and `long` values
* replica install: do not set CA renewal master flag

=== Lenka Doudova (2) ===
* WebUI: Test creating user without private group
* Test fix: Cleanup for host certificate

=== Martin Babinsky (1) ===
* replica-prepare: do not add PTR records if there is no IPA managed
reverse zone

=== Martin Bašti (18) ===
* Add missing pre_common_callback to stageuser_add
* Revert "ipatests: extend permission plugin test with new expected output"
* make: fail when ACI.txt or API.txt differs from values in source code
* Upgrade: always start CA
* Set proper zanata project-version
* Translations: remove deprecated locale configuration
* Test: fix failing host_test
* Fix: exceptions in DNS tests should not have data attribute
* Translations: update translations for IPA 4.3.x
* Fix resolve_rrsets: RRSet is not hashable
* Translations: update ipa-4-3 translations
* Revert "Switch /usr/bin/ipa to Python 3"
* Use python2 for ipa cli
* Replica promotion: use the correct IPA domain for replica
* CA replica promotion: add proper CA DNS records
* CA replica promotion: fix forgotten import
* Fix replica install with CA
* Use copy when replacing files to keep SELinux context

=== Milan Kubík (3) ===
* ipatests: fix for change_principal context manager
* ipatests: Add test case for requesting a certificate with full principal.
* spec: Add python-sssdconfig dependency for python-ipatests package

=== Oleg Fayans (9) ===
* Added a kdestroy call to clean ccache at master/client uninstallation
* Added 5 more tests to Replica Promotion testsuite
* Fixed a failure in legacy_client tests
* Add test if replica is working after domain upgrade
* Improve reporting of failed tests in topology test suite
* Bugfixes in managed topology tests
* A workaround for ticket N 5348
* Increased certmonger timeout
* Test for incorrect client domain

=== Pavel Vomacka (3) ===
* Add X-Frame-Options and frame-ancestors options
* Add 'skip overlap check' checkbox into add zone dialog
* Add 'skip overlap check' checkbox to the add dns forward zone dialog

=== Petr Viktorin (23) ===
* dns plugin: Fix zone normalization under Python 3
* sysrestore: Iterate over a list of dict keys
* test_xmlrpc: Use absolute imports
* xmlrpc_test: Rename exception instance