[Freeipa-users] Re: CA master reinstall via replication
On Tue, 13 Nov 2018, Fraser Tweedale wrote:

> On Mon, Nov 12, 2018 at 07:55:33PM -0500, Rob Foehl wrote:
>> Incidentally, this is partly the result of not being able to upgrade in
>> place: an attempted 4.6.3 to 4.6.4 upgrade on F27 currently fails when
>> verifying the CA audit signing cert lifetime, as in this particular
>> environment the IPA CA is signed by an external CA cert that expires in
>> 2020. Is this bug-worthy?
>
> It's investigation-worthy. Please provide the output of:
>
> - certutil -d /etc/pki/pki-tomcat/alias -L
> - certutil -d /etc/pki/pki-tomcat/alias -L -n 'auditSigningCert cert-pki-ca'
> - getcert list

Hey Fraser,

Ever find any time to dig into the info I'd sent for this one?

-Rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
[Freeipa-users] Re: FreeIPA for the maximally paranoid and overworked?
Charles,

Helpful to know. The snapshot methodology is what we’ve done as well, though we haven’t yet put it fully into production; I’ll still hold my breath if we need it, but it’s good to hear it has worked for you.

Thanks!

On Wed, Jan 9, 2019 at 13:28 Charles Hedrick wrote:

> Rob mentioned issues with restoring data for one entry. We run on VMs, and
> periodically take snapshots.
> ...
>
[Freeipa-users] Re: is anyone running Debian as freeipa-client
Hi Eric,

On 1/10/19 2:33 PM, Eric Engstrom via FreeIPA-users wrote:
>
>> I am using freeipa 4.4.4-3 and sssd 1.16.3-1 on Stretch. Just the
>> client part of freeipa, of course. Requires systemd for running
>> ipa-client-install, but it works fine for me.
>
> Harald,
>
> Could you be a bit more specific about the method of installing a client on
> stretch? Are you downloading the packages manually and installing via dpkg
> or what repositories are you referencing to get apt* to do the right thing -
> presumably sid/unstable if the latter...
>

I manually picked up the freeipa packages for Sid and added them to my local backports repository for Stretch (without rebuild). I *did* a local backport of sssd 1.16.3-1, though.

ipa-client-install command line on Stretch:

    ipa-client-install --no-ssh --no-sshd --no-nisdomain --no-sudo --no-ntp --no-dns-sshfp
    sed -i.bak -e 's/compat/files/g' -e 's/^sudoers\:/\#sudoers\:/' /etc/nsswitch.conf

Your mileage may vary, of course.

Regards
Harri
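
Added example, not part of the thread: a dry run of the nsswitch.conf edit from the message above, applied to a constructed sample file rather than /etc/nsswitch.conf so the result can be reviewed before anything is changed in place. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Dry run of the two sed expressions from the post (added example).

# Constructed sample of an nsswitch.conf as it might look after
# ipa-client-install on Stretch; not taken from the thread.
sample_nsswitch() {
cat <<'EOF'
passwd:         compat sss
group:          compat sss
shadow:         compat sss
hosts:          files dns
sudoers:        files sss
EOF
}

# Same expressions as in the post, but reading stdin and writing stdout
# (no -i), so the real file is never modified.
apply_edit() {
    sed -e 's/compat/files/g' -e 's/^sudoers\:/\#sudoers\:/'
}

# Show, as a unified diff, what the edit would change in file $1.
preview_edit() {
    tmp=$(mktemp) || return 1
    apply_edit < "$1" > "$tmp"
    diff -u "$1" "$tmp" || :   # diff exits 1 when the files differ
    rm -f "$tmp"
}

# Check edited text on stdin: fails if any "compat" source remains
# or if an active (uncommented) sudoers line is still present.
check_result() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'compat'; then return 1; fi
    if printf '%s\n' "$out" | grep -q '^sudoers:'; then return 1; fi
    return 0
}

# Print the edited sample for review.
sample_nsswitch | apply_edit
```

On a real host, `preview_edit /etc/nsswitch.conf` prints the pending change without writing to the file.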