[Freeipa-users] Re: Can the UPN searched for in a trust be modied?

2022-06-15 Thread Ranbir via FreeIPA-users
On Wed, 2022-06-15 at 07:19 +0200, Sumit Bose via FreeIPA-users wrote:
> it you have an AD user with samAccountName=abc in a domain called
> ad.dom
> which has set userPrincipalName=x...@example.com calling
> 
>     getent passwd x...@example.com
> 
> should return the user entry for a...@ad.dom.
> 
> If this does not work for you, please add debug_level=9 to the
> [domain/...] and [nss] sections of sssd.conf, restart SSSD, try again
> and send the logs. Please start with this on a IPA server.

Thanks for the reply, Sumit.

I did a very bad thing and typed the wrong password multiple times and
because of that, I thought the trust wasn't functioning in some way.
The broken bit was actually my typing. :/ After I typed my password
correctly, I was able to log in to the masters.

Sorry for the noise.

-- 
Ranbir
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
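
An added example for the debugging step Sumit describes above (raising debug_level in the [domain/...] and [nss] sections of sssd.conf). This is not code from the thread or from SSSD; it is a small POSIX shell/awk filter that reads an sssd.conf on stdin and writes the edited file to stdout. The sample config it runs on is constructed, as are the domain name ipa.example.test and the function names.

```shell
# Added example, not code from the thread or from SSSD. It performs the edit
# Sumit asks for: set debug_level in the [nss] section and in every
# [domain/...] section of sssd.conf, leaving other sections alone and
# replacing any debug_level already present in a targeted section.
# Reads the config on stdin and writes the result to stdout; the level
# defaults to 9, the value the reply asks for.
enable_sssd_debug() {
    level="${1:-9}"
    awk -v level="$level" '
        # Section header: remember whether this section is a target, and
        # emit debug_level right under the header if it is.
        /^\[.*\]$/ {
            target = ($0 == "[nss]" || $0 ~ /^\[domain\//)
            print
            if (target) print "debug_level = " level
            next
        }
        # Inside a target section, drop a pre-existing debug_level so the
        # inserted value is the only one SSSD sees.
        target && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    '
}

# Constructed sssd.conf for the stand-alone demo; not a real deployment file.
# Note the stale debug_level = 1 in the domain section, which gets replaced.
sample_sssd_conf() {
    printf '%s\n' '[sssd]' 'services = nss, pam' 'domains = ipa.example.test' '' \
        '[domain/ipa.example.test]' 'id_provider = ipa' 'debug_level = 1' '' \
        '[nss]' 'homedir_substring = /home' '' '[pam]'
}

# Demo: print the edited config. [sssd] and [pam] are left untouched.
sample_sssd_conf | enable_sssd_debug 9
```

On a real server run it as `enable_sssd_debug 9 < /etc/sssd/sssd.conf > /tmp/sssd.conf.new`, review the diff, then copy it into place keeping the file root-owned with mode 0600 (SSSD refuses to start with a more permissive config file), restart SSSD and repeat the `getent passwd` lookup. Lower the level again once the logs are collected: level 9 output is large and records the user and host names involved in every lookup.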


[Freeipa-users] Re: ipa-server-certinstall -k

2022-06-15 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote:
> the error is
> 
> The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC

A PKINIT certificate needs an EKU extension,
https://datatracker.ietf.org/doc/html/rfc4556

When generating the key with OpenSSL you need to include "-extensions
kdc_cert"

rob

> 
> 
> 
> *From:* Charles Hedrick via FreeIPA-users
> 
> *Sent:* Wednesday, June 15, 2022 3:39 PM
> *To:* freeipa-users@lists.fedorahosted.org
> 
> *Cc:* Charles Hedrick 
> *Subject:* [Freeipa-users] ipa-server-certinstall -k
>  
> ipa-server-certinstall works fine for http and ldap. But I can't get the
> -k option to work.
> 
> I've tried cert.pem and privkey.pem with and without chain.pem, as well
> as fullchain.pem and privkey.pem (fullchain has both the cert and the
> chain).
> 
> The certs were issued by Internet2, which chains up to addtrust.
> 
> kinit -n works fine if I install the pem files manually, so presumably
> my files are valid.
> 
> 


[Freeipa-users] Re: ipa-server-certinstall -k

2022-06-15 Thread Charles Hedrick via FreeIPA-users
the error is

The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC



From: Charles Hedrick via FreeIPA-users 
Sent: Wednesday, June 15, 2022 3:39 PM
To: freeipa-users@lists.fedorahosted.org 
Cc: Charles Hedrick 
Subject: [Freeipa-users] ipa-server-certinstall -k

ipa-server-certinstall works fine for http and ldap. But I can't get the -k 
option to work.

I've tried cert.pem and privkey.pem with and without chain.pem, as well as 
fullchain.pem and privkey.pem (fullchain has both the cert and the chain).

The certs were issued by Internet2, which chains up to addtrust.

kinit -n works fine if I install the pem files manually, so presumably my files 
are valid.



[Freeipa-users] ipa-server-certinstall -k

2022-06-15 Thread Charles Hedrick via FreeIPA-users
ipa-server-certinstall works fine for http and ldap. But I can't get the -k 
option to work.

I've tried cert.pem and privkey.pem with and without chain.pem, as well as 
fullchain.pem and privkey.pem (fullchain has both the cert and the chain).

The certs were issued by Internet2, which chains up to addtrust.

kinit -n works fine if I install the pem files manually, so presumably my files 
are valid.



[Freeipa-users] Re: Install client fails in Ubuntu 22.04

2022-06-15 Thread Gustavo Berman via FreeIPA-users
[solved]
As stated, SAN was missing in my certificates
I resubmitted my certificate at the ipa server adding SAN with:

# getcert resubmit -i  -D $(hostname)

Now I can execute ipa-client-install without a problem!
Thanks!


On Fri, 27 May 2022 at 11:38, Gustavo Berman (gustavober...@gmail.com)
wrote:

> OpenSSL 3.0.2-0ubuntu1.1 is installed in 22.04
> The openssl and curl commands in the previous email were run in Ubuntu 22.04
>
> On Fri, 27 May 2022 at 11:23, Rob Crittenden (rcrit...@redhat.com)
> wrote:
>
>> Thanks, this is very helpful. I wonder if the same s_client and curl
>> commands work from the Ubuntu 22.04 machine or if they'll fail in the
>> same way.
>>
>> The cert lacks a DNS SAN for the hostname. I suspect this may be the
>> issue (using the CN has been deprecated forever but was still allowed in
>> most libraries). What version of OpenSSL is on 22.04?
>>
>> rob
>>
>> Gustavo Berman wrote:
>> > Here's info obtained from the same client using openssl, you can see that
>> > subject CN is fine.
>> >
>> > localadmin@fisica75:~$ echo | openssl s_client -showcerts -servername
>> > ipaserver.fisica.cabib -connect ipaserver.fisica.cabib:443 2>/dev/null |
>> > openssl x509 -inform pem -noout -text
>> > Certificate:
>> > Data:
>> > Version: 3 (0x2)
>> > Serial Number: 536805412 (0x1fff0024)
>> > Signature Algorithm: sha256WithRSAEncryption
>> > Issuer: O = FISICA.CABIB, CN = Certificate Authority
>> > Validity
>> > Not Before: Jul 14 14:25:06 2020 GMT
>> > Not After : Jul 15 14:25:06 2022 GMT
>> > Subject: O = FISICA.CABIB, CN = ipaserver.fisica.cabib
>> > Subject Public Key Info:
>> > Public Key Algorithm: rsaEncryption
>> > Public-Key: (2048 bit)
>> > Modulus:
>> > 00:f5:93:fb:bc:b8:fe:de:48:e0:e1:e0:64:9e:2a:
>> > a9:89:8f:9d:81:9b:ac:4a:81:79:21:60:23:d2:7b:
>> > fa:52:1f:4c:fd:9d:27:88:c5:26:29:16:0d:36:f6:
>> > 4c:8b:5e:98:14:33:84:8b:81:1f:fd:7c:52:d8:a9:
>> > db:c2:69:cd:82:ba:81:9a:e8:a7:91:cb:08:4d:c5:
>> > 14:26:c2:c4:23:c3:c3:9e:3a:e0:c7:98:ce:60:93:
>> > fc:45:23:43:f2:f5:e7:a3:1f:5e:9a:09:3d:8f:68:
>> > db:1e:39:61:68:2a:13:86:ad:70:37:ff:ef:12:76:
>> > 0c:25:15:84:bf:fe:55:c5:23:bb:fb:18:21:3e:85:
>> > 6d:11:f9:02:53:c6:0d:15:14:d1:fc:79:a0:34:db:
>> > ff:f9:d7:e4:e2:4e:a5:2b:e3:58:b6:0a:c2:3e:c4:
>> > a9:61:a9:11:53:d3:3b:7c:06:fe:f7:e6:e3:be:46:
>> > 65:90:11:74:9b:79:13:23:27:28:3d:15:b9:e9:79:
>> > 3c:3b:00:43:08:58:e9:08:ce:30:85:3d:a0:01:d2:
>> > 63:d9:04:21:4e:19:97:9c:3a:c2:76:b4:4c:3a:1d:
>> > fd:2c:51:fb:16:52:31:8c:60:2a:f3:f8:9a:d7:4c:
>> > d8:c9:4b:f3:66:71:ad:e3:68:4c:80:f3:77:3c:9d:
>> > ef:ab
>> > Exponent: 65537 (0x10001)
>> > X509v3 extensions:
>> > X509v3 Authority Key Identifier:
>> >
>> F4:2B:56:59:29:C3:E4:51:54:1A:9C:3F:F8:47:F1:F7:B6:3B:14:32
>> > Authority Information Access:
>> > OCSP - URI:http://ipa-ca.fisica.cabib/ca/ocsp
>> > X509v3 Key Usage: critical
>> > Digital Signature, Non Repudiation, Key Encipherment,
>> > Data Encipherment
>> > X509v3 Extended Key Usage:
>> > TLS Web Server Authentication, TLS Web Client
>> Authentication
>> > X509v3 CRL Distribution Points:
>> > Full Name:
>> >   URI:http://ipa-ca.fisica.cabib/ipa/crl/MasterCRL.bin
>>
>> >  CRL Issuer:
>> >   DirName:O = ipaca, CN = Certificate Authority
>> > X509v3 Subject Key Identifier:
>> >
>> 3E:8B:95:9F:DA:91:46:4C:2C:32:98:48:07:61:6A:30:6F:C1:B3:2D
>> > X509v3 Subject Alternative Name:
>> > othername:
>> > UPN::HTTP/ipaserver.fisica.cabib@FISICA.CABIB, othername:
>> > 1.3.6.1.5.2.2::
>> > Signature Algorithm: sha256WithRSAEncryption
>> > Signature Value:
>> > b6:fb:01:20:bf:2e:b8:75:b7:64:8e:bf:fd:37:59:52:56:15:
>> > a6:87:56:cd:38:e6:de:f9:8c:5e:61:ae:89:94:a4:59:08:37:
>> > ed:66:87:ae:67:de:7e:a5:7d:c4:46:9d:a3:e4:68:09:2d:7d:
>> > bd:8c:34:02:d8:ad:ee:ed:c5:47:96:b2:69:22:45:e5:24:92:
>> > 1f:15:b6:27:53:c0:de:cc:af:b4:7c:8c:89:82:12:29:44:0f:
>> > 6d:19:67:6a:b4:2e:2e:24:51:0c:87:99:a9:4d:3b:01:21:6b:
>> > e3:a2:2c:2e:b1:07:65:4c:c9:e0:f9:71:b6:ac:e4:3f:9d:c7:
>> > 91:07:6d:74:bf:40:40:ba:db:d2:e1:9f:e0:9e:f4:00:5d:49:
>> > 66:fa:de:43:5a:17:69:6e:b5:02:24:67:24:ab:88:14:55:48:
>> > c0:31:41:b4:a9:46:da:31:e0:45:d7:4f:58:80:cc:65:d8:ba:
>> > 

[Freeipa-users] FreeIPA 4.9.10

2022-06-15 Thread Antonio Torres via FreeIPA-users
The FreeIPA team would like to announce FreeIPA 4.9.10 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.

== Highlights in 4.9.10

* 1539: [RFE] Add code to check password expiration on ldap bind

Users can no longer perform an LDAP BIND operation with an expired password.


* 8803: Add support for managing IdP references

FreeIPA can now authenticate users with the help of OAuth 2.0
identity providers supporting OAuth 2.0 Device Authorization Flow.
IdPs known to work are Keycloak, Microsoft Azure, Google, Github,
and Okta. Details on how to use Keycloak can be found in FreeIPA
workshop:

https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html


* 8977: subid: subid-match displays the DN of the owner, not its UID.

subid: subid-match now displays the UID of the range owner, not its
DN.


* 9128: Turn down debug from ipa-dnskeysyncd

ipa-dnskeysyncd and ipa-ods-exporter daemons used to log all debug
messages in the journal. The log level can now be configured by
setting debug=True in /etc/ipa/dns.conf. For more information refer
to default.conf(5).


* 9147: ipa-server-install --uninstall fails on Fedora 33, returned
non-zero exit status 2: Unable to disable feature: No such file or
directory

The uninstaller is now able to properly handle configurations
originally done with authconfig instead of authselect.


* 9150: Remove 'Remove' button from subid page

subid ranges cannot be removed. The button on the Web UI subid management
page for removing a range was removed so as not to confuse users.


* 9159: [RFE] ipa-client-install should provide option to enable subid:
sss in /etc/nsswitch.conf

IPA installers now provide the ability to configure SSSD as the
data source for subid.


* 9171: Boolean value not mapped on WebUI checkbox

FreeIPA now properly exposes boolean LDAP values at IPA API Python
and JSON-RPC levels. External IPA API consumers might need to switch
from using "TRUE" and "FALSE" strings to True and False boolean
values.


* 9174: Update Suse support in freeipa

The FreeIPA client installer should now configure openSUSE 15.3 through
Tumbleweed versions.


=== Bug fixes

FreeIPA 4.9.10 is a stabilization release for the features delivered as
a part of 4.9 version series.

There are more than 20 bug-fixes since FreeIPA 4.9.9 release. Details of
the bug-fixes can be seen in the list of resolved tickets below.

== Upgrading

Upgrade instructions are available on Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or #freeipa channel on libera.chat.

== Resolved tickets

* https://pagure.io/freeipa/issue/1539[#1539]
(https://bugzilla.redhat.com/show_bug.cgi?id=782917[rhbz#782917]) [RFE]
Add code to check password expiration on ldap bind
* https://pagure.io/freeipa/issue/8582[#8582] Nightly test failure in
test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
- ClonesConnectivyAndDataCheck
* https://pagure.io/freeipa/issue/8803[#8803] Add support for managing
IdP references
* https://pagure.io/freeipa/issue/8804[#8804] Extend supported user
authentication methods in IPA to allow IdP auth
* https://pagure.io/freeipa/issue/8805[#8805] Extend `ipa-otpd` daemon
to recognize IdP references
* https://pagure.io/freeipa/issue/8977[#8977]
(https://bugzilla.redhat.com/show_bug.cgi?id=2000947[rhbz#2000947])
subid: subid-match displays the DN of the owner, not its UID.
* https://pagure.io/freeipa/issue/9121[#9121]
(https://bugzilla.redhat.com/show_bug.cgi?id=2056508[rhbz#2056508]) Ipa
server ignores max ticket lifetime when using spake preauth, issues
ticket with 24h lifetime
* https://pagure.io/freeipa/issue/9128[#9128]
(https://bugzilla.redhat.com/show_bug.cgi?id=2059396[rhbz#2059396]) Turn
down debug from ipa-dnskeysyncd
* https://pagure.io/freeipa/issue/9136[#9136]
(https://bugzilla.redhat.com/show_bug.cgi?id=1872467[rhbz#1872467]) Add
tests for ipa-healthcheck setting command-line options in configuration
* https://pagure.io/freeipa/issue/9140[#9140] Test
test_rekey_keytype_DSA should be disabled
* https://pagure.io/freeipa/issue/9145[#9145] Configure email subject
line for IPA EPN
* https://pagure.io/freeipa/issue/9146[#9146] Nightly test failure in
`test_epn.py::TestEPN::test_EPN_config_file`
* https://pagure.io/freeipa/issue/9147[#9147]
(https://bugzilla.redhat.com/show_bug.cgi?id=1958777[rhbz#1958777])
ipa-server-install --uninstall fails on Fedora 33, returned non-zero
exit status 2: Unable to disable feature: No such file or directory
* https://pagure.io/freeipa/issue/9148[#9148] documentation build fails
in readthedocs
* https://pagure.io/freeipa/issue/9150[#9150]
(https://bugzilla.redhat.com/show_bug.cgi?id=2063155[rhbz#2063155])

[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Thanks Rob
Angus

From: Rob Crittenden 
Sent: 15 June 2022 14:15
To: FreeIPA users list 
Cc: Angus Clarke 
Subject: Re: [Freeipa-users] Upgrading from EL7.9 to EL8

Angus Clarke via FreeIPA-users wrote:
> Hello
>
> I am planning the upgrade of one of our FreeIPA deployments from EL7.9
>
> Previously, we have been quite good at upgrading through OS point
> upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series
> of FreeIPA software.
>
> Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8
> FreeIPA which will receive the freeipa software from the Appstream
> repository. At time of writing, that process will see me introducing a
> replica running ipa-server 4.9.8 to my existing FreeIPA nodes running
> ipa-server 4.6.8
>
> Should I be concerned about more minor updates and find some way of
> upgrading through different ipa-server (and dependencies) releases from
> Appstream or do you think I should just run the procedure as described
> above?

Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.

Running mixed versions is likely fine in most cases but we don't
recommend doing it for very long and encourage a relatively fast
migration (weeks not months). Be sure to watch the replication topology
and maintain the service mix (e.g. at least 2 CAs), and have one CA
designated as the renewal master, CRL master, etc. It's all in the docs.

rob



[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 15 Jun 2022, Harald Dunkel via FreeIPA-users wrote:

On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote:


Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.



How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex) services
integrated with each other, but without "deep" operating system integration. A
few services talking with each other, so to say. And unlike others, FreeIPA
brings its own HA.

?


No complaint, of course. I am just curious. Regards


The same as with not doing backports to older OSes, FreeIPA depends on a
*particular set* of integrated services and libraries, not just any. We
choose to avoid some of the tough-to-solve upgrade issues by doing upgrades
by replication. Sometimes battles are won by not fighting them.

See
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/migrating_to_identity_management_on_rhel_8/index
for more details on migration and upgrades.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Harald Dunkel via FreeIPA-users

On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote:


Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.



How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex) services
integrated with each other, but without "deep" operating system integration. A
few services talking with each other, so to say. And unlike others, FreeIPA
brings its own HA.

?


No complaint, of course. I am just curious. Regards

Harri


[Freeipa-users] Re: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm

2022-06-15 Thread rui liang via FreeIPA-users
This exception is caused by the configuration problem of /etc/krb.conf. It has 
been fixed. There is no problem with KDC service startup.

ipactl restart -d --force
root@fs-hiido-kerberos-21-117-149:/var/log/dirsrv/slapd-YYDEVOPS-COM# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: STOPPED
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

I'm breaking down


[Freeipa-users] Re: Upgrading from EL7.9 to EL8

2022-06-15 Thread Rob Crittenden via FreeIPA-users
Angus Clarke via FreeIPA-users wrote:
> Hello
> 
> I am planning the upgrade of one of our FreeIPA deployments from EL7.9
> 
> Previously, we have been quite good at upgrading through OS point
> upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series
> of FreeIPA software.
> 
> Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8
> FreeIPA which will receive the freeipa software from the Appstream
> repository. At time of writing, that process will see me introducing a
> replica running ipa-server 4.9.8 to my existing FreeIPA nodes running
> ipa-server 4.6.8
> 
> Should I be concerned about more minor updates and find some way of
> upgrading through different ipa-server (and dependencies) releases from
> Appstream or do you think I should just run the procedure as described
> above?

Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.

Running mixed versions is likely fine in most cases but we don't
recommend doing it for very long and encourage a relatively fast
migration (weeks not months). Be sure to watch the replication topology
and maintain the service mix (e.g. at least 2 CAs), and have one CA
designated as the renewal master, CRL master, etc. It's all in the docs.

rob


[Freeipa-users] Re: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm

2022-06-15 Thread rui liang via FreeIPA-users
n keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
I think it's stuck here. What do I need to do with this?

less /var/log/dirsrv/slapd-YYDEVOPS-COM/error
[15/Jun/2022:19:39:48 +0800] - SSL alert: Security Initialization: Enabling default cipher set.
[15/Jun/2022:19:39:48 +0800] - SSL alert: Configured NSS Ciphers
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_AES_128_GCM_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_CHACHA20_POLY1305_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_AES_256_GCM_SHA384: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[15/Jun/2022:19:39:48 +0800] - SSL alert:   TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[15/Jun/2022:19:39:48 +0800] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
[15/Jun/2022:19:39:48 +0800] - 389-Directory/1.3.4.9 B2016.109.158 starting up
[15/Jun/2022:19:39:48 +0800] - Setting ncache to: 7 to keep each chunk below 4Gbytes
[15/Jun/2022:19:39:48 +0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[15/Jun/2022:19:39:53 +0800] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=dns,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=keys,cn=sec,cn=dns,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=dns,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=dns,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target ou=sudoers,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=users,cn=compat,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=yydevops,dc=com does not exist
[15/Jun/2022:19:39:53 +0800] NSACLPlugin - The ACL target 

[Freeipa-users] Upgrading from EL7.9 to EL8

2022-06-15 Thread Angus Clarke via FreeIPA-users
Hello

I am planning the upgrade of one of our FreeIPA deployments from EL7.9

Previously, we have been quite good at upgrading through OS point upgrades 
(7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA 
software.

Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8 FreeIPA 
which will receive the freeipa software from the Appstream repository. At time 
of writing, that process will see me introducing a replica running ipa-server 
4.9.8 to my existing FreeIPA nodes running ipa-server 4.6.8

Should I be concerned about more minor updates and find some way of upgrading 
through different ipa-server (and dependencies) releases from Appstream or do 
you think I should just run the procedure as described above?

Thanks
Angus


[Freeipa-users] Re: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm

2022-06-15 Thread rui liang via FreeIPA-users
ipactl restart -d --force

ipa: INFO: The ipactl command was successful
root@fs-hiido-kerberos-21-117-149:/home/liangrui# ipactl  status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
ipa_memcached Service: RUNNING
httpd Service: STOPPED
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

journal: The service cannot be used because of system failure. Do you have any
suggestions? Thank you very much.
It looks like the KDC service is not started. How can I check the cause?