[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-08 Thread Tania Hagan via FreeIPA-users
Hi Rob, 

Turns out this was a DNS issue, thank you for responding. 

We had our /etc/resolv.conf pointing to localhost, and adding another IPA 
server as the top nameserver solved the issue. This begs the question: by 
default, installing with the ansible playbook adds localhost as the 
nameserver, so which is the preferred setup?

Many Thanks, 
Tania 
--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-02 Thread Tania Hagan via FreeIPA-users
Further troubleshooting. 

If I run kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-unhealthly.ipa.server before the 
re-initialise, it completes successfully and klist shows Default principal: 
ldap/unhealthly.ipa.server

After the LDAP error shows and the re-initialise is cancelled, I see: kinit: 
Generic error (see e-text) while getting initial credentials.

On the healthy server, if I look at /var/log/krb5kdc.log while the 
re-initialise is in progress I see: 
TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), 
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), 
aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 10.100.104.7: ISSUE: 
authtime 1714662555, etypes {rep=aes256-cts-hmac-sha1-96(18), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, 
ldap/healthy.ipa.server for ldap/unhealthy.ipa.server

Thanks, 


[Freeipa-users] Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-02 Thread Tania Hagan via FreeIPA-users
Hi Freeipa users, 

I have a replica that has been failing replication for a while, so I have tried 
the following command to re-initialize (a backup of the server did not work):
ipa-replica-manage -vd re-initialize --from healthly.ipa.server

On the replica where I run this command I just see "Update in progress, 1606 
seconds elapsed" from the above command. 

I see no errors in /var/log/dirsrv/slapd/errors on the replica, but on the 
healthy.ipa.server after 1000 seconds elapsed I see: ERR - 
NSMMReplicationPlugin - bind_and_check_pwp - 
agmt="cn=healthy.ipa.server-to-unhealthly.ipa.server" (unhealty:389) - 
Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

Any ideas how I can overcome this issue? 

Many Thanks, 
Tania
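As an added triage helper for this thread (not FreeIPA code), the script below extracts the bind_and_check_pwp failure quoted in the post above from a 389-ds errors log and checks /etc/resolv.conf for the localhost-only nameserver layout that the follow-up reply found to be the cause. The sample log line and resolv.conf content are constructed.

```python
"""Triage helper for replication bind failures (constructed example).

Not FreeIPA code. It pulls the bind_and_check_pwp failures out of a 389-ds
errors log and flags a /etc/resolv.conf that lists only loopback nameservers,
the layout the thread's follow-up found to be the cause.
"""
import ipaddress
import re
from collections import Counter

# Matches the failure line quoted in the post; 389-ds prefixes each line with
# a bracketed timestamp, which is captured separately so pasted fragments
# without it still match.
BIND_FAIL_RE = re.compile(
    r'NSMMReplicationPlugin - bind_and_check_pwp - '
    r'agmt="(?P<agreement>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\) - '
    r'Replication bind with (?P<mech>\w+) auth failed: '
    r'LDAP error (?P<code>\d+) \((?P<text>[^)]*)\)'
)
TS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]')


def parse_bind_failures(lines):
    """Return one dict per replication bind failure found in the log lines."""
    found = []
    for line in lines:
        m = BIND_FAIL_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["code"] = int(rec["code"])
        ts = TS_RE.match(line)
        rec["timestamp"] = ts.group("ts") if ts else None
        found.append(rec)
    return found


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_findings(text):
    """Flag resolver layouts that leave a replica unable to find its peers."""
    servers = parse_resolv_conf(text)
    if not servers:
        return ["no nameserver entries in resolv.conf"]
    findings = []
    loopback = 0
    for s in servers:
        try:
            loopback += ipaddress.ip_address(s).is_loopback
        except ValueError:
            findings.append(f"unparseable nameserver address: {s}")
    if loopback == len(servers):
        findings.append(
            "only loopback nameservers: every Kerberos and LDAP lookup for a "
            "peer replica depends on the local named; add another IPA DNS "
            "server as a fallback nameserver")
    return findings


def triage(errors_log, resolv_conf):
    """Summarise both checks for the supplier side of a replication agreement."""
    failures = parse_bind_failures(errors_log.splitlines())
    return {
        "bind_failures": len(failures),
        "failures_by_consumer": dict(Counter(f["host"] for f in failures)),
        "gssapi_invalid_credentials": sum(
            1 for f in failures if f["mech"] == "GSSAPI" and f["code"] == 49),
        "resolver_findings": resolver_findings(resolv_conf),
    }


# Constructed sample input modelled on the line quoted in the post.
SAMPLE_ERRORS_LOG = """\
[02/May/2024:15:30:01.123456789 +0000] - INFO - slapd_daemon - slapd started.
[02/May/2024:15:49:15.987654321 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=healthy.ipa.server-to-unhealthy.ipa.server" (unhealthy.ipa.server:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
"""
SAMPLE_RESOLV_CONF = "search ipa.server\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ERRORS_LOG, SAMPLE_RESOLV_CONF), indent=2))
```

Run it on the supplier (the server named in --from) with its own errors log and resolv.conf; a consumer with failures and no resolver finding points away from DNS.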


[Freeipa-users] Expiring password Notification email template - images

2024-04-19 Thread Tania Hagan via FreeIPA-users
Hi FreeIPA Users,

Does anyone know if it's possible to include inline images in the email template 
for Expiring Password Notification? I've experimented with including base64 
encoding but the message just shows a white box with a black outline. I think 
this is a limitation of our email client, and I tried swapping to a CID-embedded 
image but have no way of pointing the template to the image file. 

Many Thanks, 
Tania
 


[Freeipa-users] Re: Upgrade issues from 4.9.11 to 4.10.2 pki-tomcatd fails to start

2024-02-05 Thread Tania Hagan via FreeIPA-users
Hi Rob, 

Cheers, I looked in those logs as well, but nothing in particular is standing 
out as an error. 

After a week trying to find a solution, I think we'll build new servers and 
migrate the data from working servers as a way to move forward.  It seems a 
safer option upgrading from el9 to el9 anyways. 

Many Thanks, 
Tania


[Freeipa-users] Re: Upgrade issues from 4.9.11 to 4.10.2 pki-tomcatd fails to start

2024-02-02 Thread Tania Hagan via FreeIPA-users
Hi, 

I tried looking at the pki debug log again and the main warning that stood out 
was that /var/lib/ipa/pki-ca/publish did not exist. I recreated the folder with 
chown root:pkiuser, chmod 775, and restarted the service; the error 
disappeared in the log, but the service still does not start. Is this important, and 
should it contain the MasterCRL.bin that appears to now be missing from my 
configuration? 

Many Thanks, 
Tania


[Freeipa-users] Upgrade issues from 4.9.11 to 4.10.2 pki-tomcatd fails to start

2024-02-01 Thread Tania Hagan via FreeIPA-users
Hi Freeipa Users, 

I have upgraded one of my IPA replicas from 4.9.11 to 4.10.2; however, I am 
struggling to get pki-tomcatd@pki-tomcat to start, both via ipactl start and 
systemctl start pki-tomcatd.  

My Java/Tomcat versions are: 

Java: 
idm-pki-java 11.4.2-1.el9
java-11-openjdk-headless 1:11.0.22.0.7-2.el9
java-17-openjdk-headless 1:17.0.10.0.7-2.el9  
javapackages-filesystem 6.0.0-4.el9
javapackages-tools 6.0.0-4.el9
tzdata-java 2023d-1.elp

Tomcat: 
idm-tomcatjss 8.4.0-1.el9
tomcat 1:9.0.62-37.el9_3.1
tomcat-el-3.0-api.noarch 1:9.0.62-37.el9_3.1
tomcat-jsp-2.3-api 1:9.0.2-37.el9_3.1
tomcat-lib 1:9.0.62-37.el9_3.1
tomcat-servlet-4.0-api 1:9.0.62-37.el9_3.1

When I run journalctl -xeu pki-tomcatd@pki-tomcat I see: 
Ipa-pki-wait-running: Created connection http://:8080/ca
WARNING: Some of the specified [protocols are not supported by the SSL engine 
and have been skipped: [[TLSv1, TLSv1]]
Ipa-pki-wait-running: Connection failed: HTTPConnectionPool(host=, 
port=8080): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by 
NewConnectionError(‘: 
Failed to estable a new connection: [Errno 113] No route to host’))

I've attempted to follow 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ 
where I see my cert is valid until 2025. 

If I run getcert list I see: 
Number of certificates and requests being tracked: 0

In /var/log/ipaupgrade.log I see: ERROR: No kra subsystem in instance 
pki-tomcat

If I run pki-server subsystem-find I see:
Subsystem ID: ca
Instance ID: pki-tomcat
Enabled: true

If I run ipa-server-upgrade it fails with the same message. 
If I run ipactl start --ignore-service-failures it tries to run 
ipa-server-upgrade.

If I run pkidestroy -i pki-tomcat -s KRA I see:
ERROR: PKI subsystem ‘KRA’ for instance ‘/var/lib/pki-pki-tomcat’ does not exist

Is there any way to solve this error? 

Many Thanks, 
Tania


[Freeipa-users] DNS resolution failures

2024-01-17 Thread Tania Hagan via FreeIPA-users
Hi Freeipa-users,

We are currently running Freeipa version 4.9.11 on Rocky 8.8.  

We have noticed over the last few months that external name resolution (e.g. 
google.com) fails on multiple FreeIPA replicas even though the named-pkcs11 
service remains up and running, and journalctl or the logs aren't showing any 
obvious errors as to why this might be happening. We temporarily fix this by 
restarting the service, but the problem comes back at random times. 

We currently have 39 DNS Zones 

Our DNS Global Configuration has a forward policy of forward only, though the 
individual zones are set to forward first. 

I've read a few articles that say changing the forward policy might fix it, 
but nothing that mentions how to double-check whether changing the policy will 
fix it.  

Are there any useful troubleshooting checks I could run to either help explain 
why our service keeps failing at random intervals or confirm any changes would 
fix the issue without the risk of potential downtime of our DNS service?

Many Thanks, 
Tania


[Freeipa-users] Re: External bind with certs with sysaccounts

2023-09-20 Thread Tania Hagan via FreeIPA-users
Hi Rob, 

As a company we turn off anonymous bind for security reasons, but have a number 
of sysaccounts that are used in scripts to bind as that bind user and complete 
an ldapsearch (e.g. get a list of users, get monitoring metrics). We also have 
systems such as Phabricator that require a sysaccount to connect to freeipa for 
user login. 

At the moment the search and binds are completed using user and password, but 
we'd like to move away from having to store the password anywhere and instead 
use certificates ideally provided by the freeipa server.  

Hope this makes more sense. 

Thanks, 
Tania 


[Freeipa-users] External bind with certs with sysaccounts

2023-09-20 Thread Tania Hagan via FreeIPA-users
Hi Freeipa-users,

Is it possible to create a binddn account in cn=sysaccounts and attach certs to 
the account so it can be used in scripts to bind using external bind with 
certs? 

I know how to create my sysaccount, and I found 
https://www.freeipa.org/page/V4/User_Certificates which provides instructions 
on attaching certificates to user accounts, but I'm not sure how this relates to 
attaching certs to sysaccounts. 

Many Thanks, 
Tania

 


[Freeipa-users] Re: pki-tomcat fails to start after upgrade

2023-06-27 Thread Tania Hagan via FreeIPA-users
Hi flo, 

Many thanks, that resolved my issue, I can safely upgrade my servers now.

Tania


[Freeipa-users] pki-tomcat fails to start after upgrade

2023-06-26 Thread Tania Hagan via FreeIPA-users
Hi FreeIPA, 

I am currently using FreeIPA version 4.9.10 with 6 ipareplicas. I went to 
upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it 
attempted to start pki-tomcat. In /var/log/pki/pki-tomcat/ca/debug.log I 
see: 

Unable to connect to LDAP server: Unable to create socket: 
java.net.ConnectException: Connection refused (Connection refused)
…
At netscape.ldap.LDAPConnection(Uknown Source)

Unable to start CA engine: Unable to connect to LDAP server: Unable to create 
socket: java.net.ConnectionExection: Connection refused (Connection refused)
….

I've been through the guide 
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ 
where I can confirm /etc/pki/pki-tomcat/ca/CS.cfg is using:
internaldb.ldapauth.authtype=SslClientAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
internaldb.ldapauth.bindPWPrompt=internaldb
internaldb.ldapauth.clientCertNickname=subsystemCert cert-pki-ca
internaldb.ldapconn.host=
internaldb.ldapconn.port=636
internaldb.ldapconn.secureConn=true

certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' shows 
the cert with the correct Serial number and the cert does not expire until next 
year. 

I have checked that the nickname of the private key is correct, and reading it 
does work on another ipareplica but not on the one I'm troubleshooting: 
grep internal /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2 > /tmp/pwdfile.txt
certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

The ldap server configuration looks to be using the correct certificate.  

I rolled back the server to my last known working server, and find that 
commands such as ipa cert-find work fine, all my replicas have the same cert, 
but the command certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 
'subsystemCert cert-pki-ca' fails on 4 out of 6 ipareplicas. 2 replicas see the 
correct result. 

Could anyone help point me to how I might resolve this issue?

Many Thanks, 
Tania


[Freeipa-users] Re: Prometheus exporter ldap search monitoring FreeIPA servers

2022-11-23 Thread Tania Hagan via FreeIPA-users
Hi, 

Many thanks for the response. I have set up ipa-healthcheck but it didn't 
have the LDAP query check (the reason being that we noticed a few months ago that 
an ldap query failed whilst the services appeared to stay up, so we are keen to 
monitor this so we can notice these problems before our users do).

I looked into these two exporters:

https://github.com/terrycain/389ds_exporter
https://github.com/ozgurcd/389DS-exporter

The original reason I couldn't get them to work is that by default they 
wanted to connect to ldap on 389 instead of 636. I was able to get both to 
work with a password with some tweaks, but found that go-ldap doesn't currently 
have GSSAPI support.

There's an open ticket with go-ldap https://github.com/go-ldap/ldap/pull/402 
that hopes to add GSSAPI support, so I'll wait for that work to complete before 
trying again. 

Many Thanks, 
Tania


[Freeipa-users] Prometheus exporter ldap search monitoring FreeIPA servers

2022-11-21 Thread Tania Hagan via FreeIPA-users
Hi FreeIPA-Users, 

I have a Prometheus server and I am trying to set up an alert to test whether an 
ldap search succeeds. Searching, there seem to be a few exporters (389ds 
exporter, openldap exporter) but all rather old, and I'm struggling to get any 
useful metrics out of them. 

Could anyone recommend a good way to achieve this (preferably not putting a 
password in a text file)? I'm afraid I've had a good search but am struggling 
to find a good way to do this. 

Current version of IPA: 4.9.10

Many Thanks, 
Tania
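An added example for this question and for the later reply's point that go-ldap lacks GSSAPI: a probe with no password on disk that obtains a ticket from a keytab, runs ldapsearch -Y GSSAPI, and writes a file for node_exporter's textfile collector. This is not code from FreeIPA or from any exporter named in the thread; the metric names, the probe keytab path, the textfile directory and the environment variable names are assumptions.

```python
"""Keytab-based LDAP search probe for a Prometheus textfile collector.

Constructed example, not code from FreeIPA or from any exporter named in the
thread. kinit reads a keytab, ldapsearch binds with GSSAPI, and the result is
written where node_exporter's textfile collector picks it up. Assumed: a probe
keytab readable by the exporter user and the paths/metric names below.
"""
import os
import subprocess
import tempfile
import time


def ldap_search_probe(uri, base, keytab, principal, ccache,
                      kinit_cmd=("kinit",), ldapsearch_cmd=("ldapsearch",),
                      timeout=10):
    """Get a TGT from the keytab, then run an authenticated base-scope search.

    Never raises on a probe failure: the caller always gets a result, so a
    broken directory shows up as search_success=0 rather than as a missing
    metric. kinit_cmd/ldapsearch_cmd are overridable for testing.
    """
    env = dict(os.environ, KRB5CCNAME=ccache)   # private cache for the probe
    result = {"kinit_success": 0, "search_success": 0,
              "duration_seconds": 0.0, "error": ""}
    start = time.monotonic()
    try:
        subprocess.run([*kinit_cmd, "-kt", keytab, principal], env=env,
                       check=True, timeout=timeout, capture_output=True,
                       text=True)
        result["kinit_success"] = 1
        # -Q: never prompt for SASL input; -LLL: bare LDIF; 1.1: no attributes.
        subprocess.run([*ldapsearch_cmd, "-Q", "-LLL", "-Y", "GSSAPI",
                        "-H", uri, "-b", base, "-s", "base",
                        "(objectClass=*)", "1.1"], env=env, check=True,
                       timeout=timeout, capture_output=True, text=True)
        result["search_success"] = 1
    except subprocess.TimeoutExpired:
        result["error"] = f"timeout after {timeout}s"
    except (subprocess.CalledProcessError, OSError) as exc:
        stderr = getattr(exc, "stderr", "") or ""
        result["error"] = (stderr.strip() or str(exc))[-200:]
    result["duration_seconds"] = round(time.monotonic() - start, 3)
    return result


def render_textfile(result, server):
    """Format the probe result in the Prometheus text exposition format."""
    label = f'server="{server}"'
    samples = [
        ("freeipa_probe_kinit_success",
         "1 if a TGT was obtained from the probe keytab.",
         result["kinit_success"]),
        ("freeipa_probe_ldap_search_success",
         "1 if a GSSAPI-authenticated LDAP search succeeded.",
         result["search_success"]),
        ("freeipa_probe_duration_seconds",
         "Wall-clock time of the whole probe.",
         result["duration_seconds"]),
    ]
    lines = []
    for name, help_text, value in samples:
        lines += [f"# HELP {name} {help_text}", f"# TYPE {name} gauge",
                  f"{name}{{{label}}} {value}"]
    return "\n".join(lines) + "\n"


def write_textfile(path, content):
    """Replace the file atomically so a scrape never sees a partial write."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                               prefix=".ldap-probe-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


if __name__ == "__main__":
    import socket
    host = socket.getfqdn()
    # Deployment values below are assumptions for the example (override via env).
    with tempfile.TemporaryDirectory() as tmpdir:
        res = ldap_search_probe(
            uri=os.environ.get("PROBE_LDAP_URI", f"ldaps://{host}"),
            base=os.environ.get("PROBE_BASE_DN", ""),   # "" = root DSE
            keytab=os.environ.get("PROBE_KEYTAB", "/etc/ldap-probe.keytab"),
            principal=os.environ.get("PROBE_PRINCIPAL", f"host/{host}"),
            ccache=os.path.join(tmpdir, "ccache"))
    write_textfile(os.environ.get(
        "PROBE_TEXTFILE",
        "/var/lib/node_exporter/textfile_collector/freeipa_ldap.prom"),
        render_textfile(res, host))
```

Run it from a systemd timer or cron as the exporter user and alert on freeipa_probe_ldap_search_success == 0; the separate kinit metric tells a Kerberos failure apart from a directory failure.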


[Freeipa-users] Re: ipa-healthcheck change log location

2022-09-29 Thread Tania Hagan via FreeIPA-users
I managed this by overriding systemd: 
/etc/systemd/system/ipa-healthcheck.service

[Unit]
Description=Execute IPA Healthcheck

[Service]
Type=simple
ExecStart=/usr/bin/ipa-healthcheck --output-file /var/log/ipa-healthcheck.log

[Install]
WantedBy=multi-user.target


[Freeipa-users] ipa-healthcheck change log location

2022-09-29 Thread Tania Hagan via FreeIPA-users
Hi, 

Using the ipa-healthcheck it will export logs to 
/var/log/ipa/healthcheck/healthcheck.log

However I'm trying to use the ipahealthcheck_exporter using a created user and 
group (ipahealthcheck_exporter), which requires permission to read the file 
/var/log/healthcheck/healthcheck.log. Unfortunately my created user or group 
isn't allowed to read this file. If I copy the file to 
/var/log/ipa-healthcheck.log I'm able to read it; is it possible to change the 
default location?

Many Thanks, 
Tania


[Freeipa-users] Re: Unable to find certificates

2021-11-22 Thread Tania Hagan via FreeIPA-users
Hi, 

Sorry for the delay in getting back to you. I tried ipactl restart and that 
resolved the issue.

Many thanks for helping me solve this issue. 

Tania


[Freeipa-users] Re: Unable to find certificates

2021-11-18 Thread Tania Hagan via FreeIPA-users
Hi, 

I've tried increasing the limit: 

ldapsearch -H ldaps:// -b ou=people,o=ipaca uid=pkidbuser -x -D "cn=Directory Manager" nssizelimit -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: uid=pkidbuser
# requesting: nssizelimit 
#

# pkidbuser, people, ipaca
dn: uid=pkidbuser,ou=people,o=ipaca
nssizelimit: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But I still see: 
ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

Many Thanks, 
Tania


[Freeipa-users] Re: Unable to find certificates

2021-11-17 Thread Tania Hagan via FreeIPA-users
Many thanks, I have raised https://pagure.io/freeipa/issue/9039 with the extra 
lines from the debug log. 


[Freeipa-users] Unable to find certificates

2021-11-17 Thread Tania Hagan via FreeIPA-users
Hi FreeIPA-users, 

I am running the following: 
os: CentOS Linux 8.4.2105
ipa version: 4.9.2
pki-server: 10.10.5-3.module_el8.4.0+816+beb6e9a3

When searching for certificates on the command line (ipa cert-find) I see:
ipa ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) 

and in the web GUI I see:
IPA Error 4301: CertificateOperationError/ Certificate operation cannot be completed: Unable to communicate with CMS (500)

If I run ipa cert-show 1 I see my cert does not expire until after 2037 and if 
I run getcert list the status is MONITORING and certs do not expire until 2023.

If I look in /var/log/pki/pki-tomcat/ca/debug.log I see the following: 


[Freeipa-users] Get date user was deleted and preserved

2021-06-24 Thread Tania Hagan via FreeIPA-users
Hi, 

Is there a way to get the date and time a user was deleted and preserved (ipa 
user-del --preserve) and if possible by who? 

Many Thanks, 
Tania


[Freeipa-users] Updating time servers

2020-01-10 Thread Tania Hagan via FreeIPA-users
Hello, 

I have recently removed and added a new freeipa replica server and have noticed 
that the chrony.conf still has the old server listed and the new ones are not 
listed. How do I ensure that the freeipa-client/chrony is pointing to the 
correct time servers, e.g. server  iburst? I have attempted 
reading the documentation but cannot find anything useful. 

Server: CentOS Linux release 8.0.1905
FreeIPA version: 4.7.1

Thank You, 
Tania