[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4

[dbischof--- via FreeIPA-users]

Hi Florence,

On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote:
[...]

i shaved this thread a little, since it gets confusing. Hope i kept the 
interesting bits.

 The errors related to "Unable to find request for serial xxx" mean
 that the cert is tracked by certmonger, but there is no corresponding
 LDAP entry cn=xxx,ou=ca,ou=requests,o=ipaca on the local LDAP server.
 Is the replication still working between your two masters?

 "ipa cert-show" broken on ipa2 often points to an out-of-date
 certificate in /var/lib/ipa/ra-agent.{pem|key}. The content should be
 the same as on the renewal master, and also the same as in the entry
 uid=ipara,ou=People,o=ipaca (which should be replicated and identical
 on all the masters, except if you have replication issues).

 Replication appeared to be working, however, I did server maintenance
 today, ipa1 and ipa2 got upgraded and rebooted. ipa1 works fine, ipa2
 does not come up properly:

 --- ipa2
 $ ipactl status
 Directory Service: RUNNING
 krb5kdc Service: STOPPED
 kadmin Service: STOPPED

You need to have a look at krb5 logs to understand why kerberos failed 
to start. Please check 
https://www.freeipa.org/page/Troubleshooting/Kerberos for more 
information.

Turns out that kerberos starts when started manually with systemctl:

---
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
---

Kerberos log:

---
[...]
: NEEDED_PREAUTH: ad...@example.com for krbtgt/example....@example.com, 
Additional pre-authentication required
Jan 08 10:39:22 ipa2.example.com krb5kdc[21691](info): closing down fd 11
Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): AS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 
tkt=18 ses=18}, ad...@example.com for krbtgt/example....@example.com
Jan 08 10:39:39 ipa2.example.com krb5kdc[21692](info): closing down fd 11
Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): TGS_REQ (8 etypes {18 17 
20 19 16 23 25 26}) 141.51.x.y: ISSUE: authtime 1546940379, etypes {rep=18 
tkt=18 ses=18}, ad...@example.com for HTTP/ipa2.example....@example.com
Jan 08 10:40:32 ipa2.example.com krb5kdc[21692](info): closing down fd 11
---

 httpd Service: RUNNING
 ipa-custodia Service: STOPPED
 ntpd Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: STOPPED
 ipa: INFO: The ipactl command was successful
 ---

 --- ipa1
 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial
          Serial Number: 268304391 (0xffe0007)

 $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca
 [...]
 description: 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA
 RA,O=EXAMPLE.COM
 ---

 Looks good.

 --- ipa2
 $ openssl x509 -in /var/lib/ipa/ra-agent.pem -text -noout | grep Serial
          Serial Number: 268304391 (0xffe0007)

 $ ldapsearch -x -b uid=ipara,ou=People,o=ipaca
 [...]
 description: 2;44;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA
 RA,O=EXAMPLE.COM
 ---

 Looks bad.

So yes, the replication of the suffix o=ipaca seems broken. In a 
deployment with CA, the ldap server contains 2 different suffixes, one 
for the IdM data (your base DN as defined in /etc/ipa/default.conf) and 
another one for the CA, below o=ipaca.

You can have a look at 
https://www.freeipa.org/page/Troubleshooting/Directory_Server for 
replication troubleshooting, but the repl issue could be a consequence 
of kerberos server not starting.

I checked the troubleshooting pages and carried out the steps described in 
there, but my system (ipa2) appears to be ok as far as the steps go.

 --- /var/log/ipaupgrade.log
 [...]
 2018-12-28T10:55:53Z DEBUG The ipa-server-upgrade command failed,
 exception: RemoteRetrieveError: Failed to authenticate to CA REST API
 ---

 --- /var/log/dirsrv/slapd-EXAMPLE-COM/errors
 [...]
 [28/Dec/2018:11:55:55.559648469 +0100] - ERR - set_krb5_creds - Could not
 get initial credentials for principal [ldap/ipa2.example....@example.com]
 in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any
 KDC for requested realm)
 ---

 --- ipa-checkcerts.py
 [...]
 ipa: ERROR: ra.get_certificate(): EXCEPTION (Invalid Credential.)
 ra.get_certificate(): EXCEPTION (Invalid Credential.)
 ipa: INFO: Checking permissions and ownership
 Checking permissions and ownership
 ipa: INFO: Failures:
 Failures:
 ipa: INFO: Unable to find request for serial 268304391
 Unable to find request for serial 268304391
 ipa: INFO: Unable to find request for serial 268304394
 Unable to find request for serial 268304394
 ipa: INFO: Unable to find request for serial 268304393
 Unable to find request for serial 268304393
 ipa: INFO: Unable to find request for serial 268304392
 Unable to find request for serial 268304392
 ipa: INFO: Unable to find request for serial 268304390
 Unable to find request for serial 268304390
 ipa: INFO: RA agent description does not match 2;44;CN=Certificate
 Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM in LDAP and
 2;268304391;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
 expected
 ipa: INFO: RA agent certificate not found in LDAP RA agent certificate not
 found in LDAP
 [...]
 ---

 The root cause appears to be the wrong IPA RA certificate in ipa2's
 LDAP, right? I guess this has to fixed by manually importing the
 proper certificate using ldapmodify, similar to the procedure
 described in [1]?

It is possible to manually modify the IPA RA cert in ipa2's ldap server 
but this won't solve the replication issue. It will however allow you to 
run ipa cert-show.

Unfortunately, it doesn't (ipa2):

---
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid 
Credential.)
---

Kerberos log:

---
Jan 08 15:42:45 ipa2.example.com krb5kdc[23520](info): AS_REQ (8 etypes {18 17 
16 23 20 19 25 26}) 141.51.124.20: NEEDED_PREAUTH: 
host/ipa2.example....@example.com for krbtgt/example....@example.com, 
Additional pre-authentication required
---

Works ok on ipa1.

I'm unsure how to proceed here. My obvious problem is ipa2 not getting 
upgraded properly:

---
[...]
2019-01-08T09:46:07Z INFO [Updating HTTPD service IPA configuration]
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/usr/sbin/selinuxenabled
2019-01-08T09:46:07Z DEBUG Process finished, return code=1
2019-01-08T09:46:07Z DEBUG stdout=
2019-01-08T09:46:07Z DEBUG stderr=
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/bin/systemctl --system daemon-reload
2019-01-08T09:46:07Z DEBUG Process finished, return code=0
2019-01-08T09:46:07Z DEBUG stdout=
2019-01-08T09:46:07Z DEBUG stderr=
2019-01-08T09:46:07Z INFO [Updating HTTPD service IPA WSGI configuration]
2019-01-08T09:46:07Z INFO Nothing to do for configure_httpd_wsgi_conf
2019-01-08T09:46:07Z INFO [Updating mod_nss protocol versions]
2019-01-08T09:46:07Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:07Z INFO Protocol versions already updated
2019-01-08T09:46:07Z INFO [Updating mod_nss cipher suite]
2019-01-08T09:46:07Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:07Z DEBUG Cipher suite already updated
2019-01-08T09:46:07Z INFO [Updating mod_nss enabling OCSP]
2019-01-08T09:46:07Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:07Z INFO [Fixing trust flags in /etc/httpd/alias]
2019-01-08T09:46:07Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:07Z INFO Trust flags already processed
2019-01-08T09:46:07Z INFO [Moving HTTPD service keytab to gssproxy]
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/usr/sbin/selinuxenabled
2019-01-08T09:46:07Z DEBUG Process finished, return code=1
2019-01-08T09:46:07Z DEBUG stdout=
2019-01-08T09:46:07Z DEBUG stderr=
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/bin/systemctl restart gssproxy.service
2019-01-08T09:46:07Z DEBUG Process finished, return code=0
2019-01-08T09:46:07Z DEBUG stdout=
2019-01-08T09:46:07Z DEBUG stderr=
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/bin/systemctl is-active gssproxy.service
2019-01-08T09:46:07Z DEBUG Process finished, return code=0
2019-01-08T09:46:07Z DEBUG stdout=active

2019-01-08T09:46:07Z DEBUG stderr=
2019-01-08T09:46:07Z DEBUG Restart of gssproxy.service complete
2019-01-08T09:46:07Z DEBUG Starting external process
2019-01-08T09:46:07Z DEBUG args=/bin/systemctl start httpd.service
2019-01-08T09:46:09Z DEBUG Process finished, return code=0
2019-01-08T09:46:09Z DEBUG stdout=
2019-01-08T09:46:09Z DEBUG stderr=
2019-01-08T09:46:09Z DEBUG Starting external process
2019-01-08T09:46:09Z DEBUG args=/bin/systemctl is-active httpd.service
2019-01-08T09:46:09Z DEBUG Process finished, return code=0
2019-01-08T09:46:09Z DEBUG stdout=active

2019-01-08T09:46:09Z DEBUG stderr=
2019-01-08T09:46:09Z DEBUG Start of httpd.service complete
2019-01-08T09:46:09Z INFO [Removing self-signed CA]
2019-01-08T09:46:09Z DEBUG Self-signed CA is not installed
2019-01-08T09:46:09Z INFO [Removing Dogtag 9 CA]
2019-01-08T09:46:09Z DEBUG Dogtag is version 10 or above
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:09Z INFO [Checking for deprecated KDC configuration files]
2019-01-08T09:46:09Z INFO [Checking for deprecated backups of Samba 
configuration files]
2019-01-08T09:46:09Z DEBUG raw: ca_is_enabled(version=u'2.229')
2019-01-08T09:46:09Z DEBUG ca_is_enabled(version=u'2.229')
2019-01-08T09:46:09Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2019-01-08T09:46:09Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f8d6ccff5a8>
2019-01-08T09:46:09Z DEBUG raw: kra_is_enabled(version=u'2.229')
2019-01-08T09:46:09Z DEBUG kra_is_enabled(version=u'2.229')
2019-01-08T09:46:09Z DEBUG Cleaning up after pkispawn for the CA subsystem
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z INFO [Add missing CA DNS records]
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:09Z INFO IPA CA DNS records already processed
2019-01-08T09:46:09Z INFO [Removing deprecated DNS configuration options]
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO [Ensuring minimal number of connections]
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO [Updating GSSAPI configuration in DNS]
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO [Updating pid-file configuration in DNS]
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:09Z INFO DNS is not configured
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
2019-01-08T09:46:09Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:09Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:09Z INFO [Upgrading CA schema]
2019-01-08T09:46:10Z DEBUG Processing schema LDIF file 
/usr/share/pki/server/conf/schema-certProfile.ldif
2019-01-08T09:46:10Z DEBUG Processing schema LDIF file 
/usr/share/pki/server/conf/schema-authority.ldif
2019-01-08T09:46:10Z DEBUG Not updating schema
2019-01-08T09:46:10Z INFO CA schema update complete (no changes)
2019-01-08T09:46:10Z INFO [Verifying that CA audit signing cert has 2 year 
validity]
2019-01-08T09:46:10Z DEBUG caSignedLogCert.cfg profile validity range is 720
2019-01-08T09:46:10Z INFO [Update certmonger certificate renewal configuration]
2019-01-08T09:46:10Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:10Z DEBUG Starting external process
2019-01-08T09:46:10Z DEBUG args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n 
Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
2019-01-08T09:46:10Z DEBUG Process finished, return code=0
2019-01-08T09:46:10Z DEBUG stdout=-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIED/4ABTANBgkqhkiG9w0BAQsFADBHMSUwIwYDVQQKExxE
[...]
Serial Number: 268304389 (0xffe0005)
[...]
n7aRLXFxWB8va5AxibMHYUJb08nWJRqHHwufF/YQnJdskFuDyAM=
-----END CERTIFICATE-----

2019-01-08T09:46:10Z DEBUG stderr=
2019-01-08T09:46:10Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:10Z DEBUG Starting external process
2019-01-08T09:46:10Z DEBUG args=/usr/bin/certutil -d 
dbm:/etc/dirsrv/slapd-EXAMPLE-COM/ -L -n Server-Cert -a -f 
/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
2019-01-08T09:46:10Z DEBUG Process finished, return code=0
2019-01-08T09:46:10Z DEBUG stdout=-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgIED/4ABDANBgkqhkiG9w0BAQsFADBHMSUwIwYDVQQKExxE
[...]
Serial Number: 268304388 (0xffe0004)
[...]
7D6pk95Rgq6g73cZmogJBfJicVF0odkf2VkvV/aJCxTtZ4xkVds=
-----END CERTIFICATE-----

2019-01-08T09:46:10Z DEBUG stderr=
2019-01-08T09:46:10Z DEBUG Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
2019-01-08T09:46:10Z DEBUG Starting external process
2019-01-08T09:46:10Z DEBUG args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -f /etc/pki/pki-tomcat/alias/pwdfile.txt
2019-01-08T09:46:10Z DEBUG Process finished, return code=0
2019-01-08T09:46:10Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u

2019-01-08T09:46:10Z DEBUG stderr=
2019-01-08T09:46:11Z INFO Certmonger certificate renewal configuration already 
up-to-date
2019-01-08T09:46:11Z INFO [Enable PKIX certificate path discovery and 
validation]
2019-01-08T09:46:11Z DEBUG Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-01-08T09:46:11Z INFO PKIX already enabled
2019-01-08T09:46:11Z INFO [Authorizing RA Agent to modify profiles]
2019-01-08T09:46:11Z INFO [Authorizing RA Agent to manage lightweight CAs]
2019-01-08T09:46:11Z INFO [Ensuring Lightweight CAs container exists in Dogtag 
database]
2019-01-08T09:46:11Z DEBUG Created connection context.ldap2_140245392902928
2019-01-08T09:46:11Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2019-01-08T09:46:11Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f8d6cea4fc8>
2019-01-08T09:46:12Z DEBUG Destroyed connection context.ldap2_140245392902928
2019-01-08T09:46:12Z INFO [Adding default OCSP URI configuration]
2019-01-08T09:46:12Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2019-01-08T09:46:12Z INFO [Migrating certificate profiles to LDAP]
2019-01-08T09:46:12Z DEBUG Created connection context.ldap2_140245366754832
2019-01-08T09:46:12Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
2019-01-08T09:46:12Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f8d6b5db128>
2019-01-08T09:46:12Z DEBUG Destroyed connection context.ldap2_140245366754832
2019-01-08T09:46:12Z DEBUG request GET 
https://ipa2.example.com:8443/ca/rest/account/login
2019-01-08T09:46:12Z DEBUG request body ''
2019-01-08T09:46:12Z DEBUG response status 401
2019-01-08T09:46:12Z DEBUG response headers Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="Certificate Authority"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Tue, 08 Jan 2019 09:46:12 GMT

2019-01-08T09:46:12Z DEBUG response body '<html> [...] HTTP Status 401 [...] message 
[...] This request requires HTTP authentication. [...] </html>'
2019-01-08T09:46:12Z ERROR IPA server upgrade failed: Inspect 
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-01-08T09:46:12Z DEBUG   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File 
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", 
line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 2085, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 1952, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", 
line 396, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
1814, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 
1820, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 
1302, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA 
REST API'))

2019-01-08T09:46:12Z DEBUG The ipa-server-upgrade command failed, exception: 
RemoteRetrieveError: Failed to authenticate to CA REST API
2019-01-08T09:46:12Z ERROR Unexpected error - see /var/log/ipaupgrade.log for 
details: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-01-08T09:46:12Z ERROR The ipa-server-upgrade command failed. See 
/var/log/ipaupgrade.log for more information
---


Mit freundlichen Gruessen/With best regards,

--Daniel.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org