Re: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0
Ok, so the ipa-server-certinstall script seems to be where things did not work as I perhaps expected them to. I manually put the certificates in the dirsrv cert db and the web interface cert db.

ipa-replica-manage uses replication.py, which is declaring CACERT=/usr/share/ipa/html/ca.crt. It looks like this is where the error is being caused. The certificate there is still the original IPA Test Certificate Authority. If I point it to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the same error as originally mentioned when running 'ipa-replica-manage list'. If I comment out the CACERT variable it does as expected:

    unexpected error: global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the certificate from, or how I can do things the proper way for IPA?

Thanks!

On Tue, Jan 11, 2011 at 9:54 AM, d...@killbrad.com <d...@killbrad.com> wrote:

> Hi all,
>
> It seems something broke somewhere along the lines when I was trying to set up Windows Sync. Please take a look at the following outputs. I can connect in both directions manually via SSL, but the actual ipa-replica-manage script seems to be pulling certs from somewhere else. The current sync between ipaserver-01 and ipaserver-02 is working fine. If anyone has any suggestions, I would be open to them.
>
> Thanks!
>
> example.local = active directory domain
> example.com = ipa realm
>
>     [r...@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/
>
>     Certificate Nickname     Trust Attributes
>                              SSL,S/MIME,JAR/XPI
>
>     DigiCertCA               CT,,C
>     AD CA cert               CT,,C
>     ipaserver-01             u,u,u
>
>     #-
>     # everything looks right
>     #-
>     [r...@ipaserver-01 ~]#
>     [r...@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D passs...@example.local -w 'notrealpassword' -s base -b objectclass=*
>     version: 1
>     dn:
>     currentTime: 2011053848.0Z
>     ...
>     ...
>     supportedControl: 1.2.840.113556.1.4.1948
>     supportedControl: 1.2.840.113556.1.4.1974
>     supportedControl: 1.2.840.113556.1.4.1341
>     supportedControl: 1.2.840.113556.1.4.2026
>     supportedLDAPVersion: 3
>     supportedLDAPVersion: 2
>     supportedLDAPPolicies: MaxPoolThreads
>     ...
>     ...
>     dnsHostName: adserver-01.example.local
>     ldapServiceName: example.local:adserver-...@example.local
>     ...
>     ...
>     isSynchronized: TRUE
>     isGlobalCatalogReady: TRUE
>     domainFunctionality: 3
>     forestFunctionality: 3
>     domainControllerFunctionality: 3
>     [r...@ipaserver-01 ~]#
>     #-
>     # good valid results for the query [reduced for clarity]
>     #-
>     [r...@ipaserver-01 ~]# ipa-replica-manage list
>     Directory Manager password:
>     unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
>     [r...@ipaserver-01 ~]#
>     #-
>     # welp, it looks like something is broken somewhere..
>     #-

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
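An added example (not FreeIPA code) that parses a `certutil -L` listing like the one in the message above and reports which nicknames NSS would trust to issue SSL server certificates. It describes only the NSS database, which is the store the manual ldapsearch used via `-P`; the ipa-replica-manage failure goes through the PEM file named in CACERT instead, so a clean listing here says nothing about what that code path trusts. The sample listing is constructed to match the message.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the certutil -L listing from the message above, laid out as
# certutil prints it (a two-line header, a blank line, then one line per nickname).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCertCA                                                   CT,,C
AD CA cert                                                   CT,,C
ipaserver-01                                                 u,u,u
"""

class CertEntry(NamedTuple):
    nickname: str
    ssl: str       # trust flags in the SSL column
    smime: str     # trust flags in the S/MIME column
    jar_xpi: str   # trust flags in the JAR/XPI (object signing) column

# A trust-attribute field is three comma-separated groups of NSS trust letters
# (C = trusted CA for this use, T = trusted to issue client certs, u = private key
# is in this db, P = trusted peer, p = valid peer, c = valid CA, w = warn).
TRUST_FLAGS = "[CTcPpuw]*"
TRUST_RE = re.compile(rf"^(?P<nick>\S.*?)\s+(?P<trust>{TRUST_FLAGS},{TRUST_FLAGS},{TRUST_FLAGS})$")

def parse_certutil_list(text: str) -> List[CertEntry]:
    """Parse certutil -L output into one CertEntry per certificate, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m is None:
            continue  # header, separator and blank lines carry no trust field
        ssl, smime, jar = m.group("trust").split(",")
        entries.append(CertEntry(m.group("nick").rstrip(), ssl, smime, jar))
    return entries

def ssl_trusted_cas(entries: List[CertEntry]) -> List[str]:
    """CAs with 'C' in the SSL column: NSS accepts server certificates they issued."""
    return [e.nickname for e in entries if "C" in e.ssl]

def own_certs(entries: List[CertEntry]) -> List[str]:
    """Entries with 'u' in the SSL column: certificates whose private key is in this db."""
    return [e.nickname for e in entries if "u" in e.ssl]

if __name__ == "__main__":
    parsed = parse_certutil_list(SAMPLE_CERTUTIL_OUTPUT)
    print("SSL-trusted CAs:", ssl_trusted_cas(parsed))
    print("own certificates:", own_certs(parsed))
```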
Re: [Freeipa-users] Unable to change Admin password
On Wed, 12 Jan 2011 13:58:31 -0500 Uzor Ide <ide4...@gmail.com> wrote:

> Hello List,
>
> We are having a problem with changing/resetting passwords. Even the admin password cannot be changed. During login, users with expired passwords are warned that their password has expired and are forced to change their password. But when they type the new password, the operation fails with the error
>
>     Authentication token manipulation error
>
> When I tried to change the admin krb5 password from the ipa-server I got the following error
>
>     Cannot contact any KDC for requested realm while getting initial credentials
>
> That's surprising because the KDC hostname resolves properly. This is what's in the krb5kdc.log each time:
>
>     Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, ad...@mycompany.com for kadmin/chang...@mycompany.com
>     Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca, Additional pre-authentication required
>     Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca
>
> The server is freeipa-2.0-beta and the O/S is fedora 13.
>
> Any help will be greatly appreciated

Is ipa_kpasswd running?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] ipa-server-install fails
Geerten Schram wrote:

> Hi All,
>
> When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get
>
>     ###
>     Unrecognized argument: Manager
>     Use -help for help information
>     ###
>
> The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem.
>
> Does someone have a clue?
>
> Regards,
> Geerten Schram

You would need to escape any spaces to try pasting the command on the command-line.

What version of pki-ca and pki-silent do you have installed?

You might also want to look at /var/log/pki-ca/debug for perhaps more details.

rob
Re: [Freeipa-users] ipa-server-install fails
Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

    ###
    Unrecognized argument: Manager
    Use -help for help information
    ###

The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta, and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there. http://jdennis.fedorapeople.org/ipa-devel/

Make sure you also have updates-testing enabled since some other packages we depend on have been fixed in recent weeks.

Just started package install; it will take a while since many packages changed in the last couple of weeks. Will let you know if I see any issues with today's build.

Thanks
Dmitri

Geerten Schram

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] ipa-server-install fails
Dmitri Pal wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

    ###
    Unrecognized argument: Manager
    Use -help for help information
    ###

The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta, and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there. http://jdennis.fedorapeople.org/ipa-devel/

Make sure you also have updates-testing enabled since some other packages we depend on have been fixed in recent weeks.

Just started package install; it will take a while since many packages changed in the last couple of weeks. Will let you know if I see any issues with today's build.

Yes, it installed fine with all defaults. I will play with it more later today.

Thanks
Dmitri

Geerten Schram
Re: [Freeipa-users] ipa-server-install fails
The build right now is the first time I've been able to get everything(?) working, including the UI. So grab it quick! :D

I was updating yesterday evening and all day today and ran into all kinds of issues that came and went with today's checkins.

On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal <d...@redhat.com> wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

    ###
    Unrecognized argument: Manager
    Use -help for help information
    ###

The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta, and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there. http://jdennis.fedorapeople.org/ipa-devel/

Make sure you also have updates-testing enabled since some other packages we depend on have been fixed in recent weeks.

Just started package install; it will take a while since many packages changed in the last couple of weeks. Will let you know if I see any issues with today's build.

Thanks
Dmitri

Geerten Schram
Re: [Freeipa-users] ipa-server-install fails
Jeff B wrote:

> The build right now is the first time I've been able to get everything(?) working, including the UI. So grab it quick! :D
>
> I was updating yesterday evening and all day today and ran into all kinds of issues that came and went with today's checkins.

Sorry. It will get better. We are really working hard to make it a first class product. We are not there yet, but we are coming there from all sorts of directions at the same time.

Thanks,
Dmitri

On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal <d...@redhat.com> wrote:

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get an error (see list1 and ipserver-install.log). I just don't get it. When I run the pkisilent command by hand I get

    ###
    Unrecognized argument: Manager
    Use -help for help information
    ###

The only "Manager" comes from the built-in bind_dn, so I guess that's not the problem.

Does someone have a clue?

Regards,

This is the same issue I was hitting when I was testing beta, and the workaround with the links to java jars described in the release notes fixed this issue.

The latest devel repository has this fixed. You might try installing from there. http://jdennis.fedorapeople.org/ipa-devel/

Make sure you also have updates-testing enabled since some other packages we depend on have been fixed in recent weeks.

Just started package install; it will take a while since many packages changed in the last couple of weeks. Will let you know if I see any issues with today's build.

Thanks
Dmitri

Geerten Schram

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/