Re: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0

2011-01-12 Thread d...@killbrad.com
Ok, so the ipa-server-certinstall script seems to be where things did not
work as I perhaps expected them to.

I manually put the certificates in the dirsrv cert db, and the web interface
cert db.  The ipa-replica-manage uses replication.py, which is declaring

CACERT=/usr/share/ipa/html/ca.crt

It looks like this is where the error is being caused.  The certificate
there is still the original IPA Test Certificate Authority.  If I point it
to the DigiCertCA.crt (which should work), OR the AD-ca.crt file, I get the
same error as originally mentioned when running 'ipa-replica-manage list'.
If I comment out the CACERT variable it does as expected:

unexpected error: global name 'CACERT' is not defined

So, can someone give me some advice about where else it may be reading the
certificate from, or how I can do things the proper way for IPA?

Thanks!

On Tue, Jan 11, 2011 at 9:54 AM, d...@killbrad.com wrote:

 Hi all,

   It seems something broke somewhere along the line when I was trying to
 set up Windows Sync.  Please take a look at the following outputs.  I can
 connect both directions manually via SSL, but the actual ipa-replica-manage
 script seems to be pulling certs from somewhere else.  The current sync
 between ipaserver-01 and ipaserver-02 is working fine.  If anyone has any
 suggestions, I would be open to them.  Thanks!

 example.local = active directory domain
 example.com = ipa realm
 -

 [r...@ipaserver-01 ~]# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

 Certificate Nickname                              Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

 DigiCertCA                                        CT,,C
 AD CA cert                                        CT,,C
 ipaserver-01                                      u,u,u

 #-
 # everything looks right
 #-

 [r...@ipaserver-01 ~]#
 [r...@ipaserver-01 ~]# /usr/lib64/mozldap/ldapsearch -h adserver-01.example.local -p 636 -Z -P /etc/dirsrv/slapd-EXAMPLE-COM/cert8.db -D passs...@example.local -w 'notrealpassword' -s base -b "" "objectclass=*"
 version: 1
 dn:
 currentTime: 2011053848.0Z
 ...
 ...
 supportedControl: 1.2.840.113556.1.4.1948
 supportedControl: 1.2.840.113556.1.4.1974
 supportedControl: 1.2.840.113556.1.4.1341
 supportedControl: 1.2.840.113556.1.4.2026
 supportedLDAPVersion: 3
 supportedLDAPVersion: 2
 supportedLDAPPolicies: MaxPoolThreads
 ...
 ...
 dnsHostName: adserver-01.example.local
 ldapServiceName: example.local:adserver-...@example.local
 ...
 ...
 isSynchronized: TRUE
 isGlobalCatalogReady: TRUE
 domainFunctionality: 3
 forestFunctionality: 3
 domainControllerFunctionality: 3
 [r...@ipaserver-01 ~]#

 #-
 # good valid results for the query [reduced for clarity]
 #-


 [r...@ipaserver-01 ~]# ipa-replica-manage list
 Directory Manager password:
 unexpected error: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
 [r...@ipaserver-01 ~]#

 #-
 # welp, it looks like something is broken somewhere..
 #-

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
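The failure described in this message can be reproduced without an IPA or AD host. The script below is an added example, not code from the thread or from FreeIPA: it builds two throw-away CAs with openssl (one named after the IPA test CA, one standing in for the CA that signed the AD server certificate; neither is a real DigiCert or IPA certificate), issues a server certificate from the second, and verifies it against each in turn. The file names, the reuse of adserver-01.example.local from the post, and the helper names make_ca, issue_server_cert and verify_cert are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Both CAs below are
# generated here and thrown away; "public-ca" only stands in for the CA that
# signed the AD server certificate (it is not a DigiCert certificate).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:adserver-01.example.local
EOF

# make_ca NAME CN: self-signed CA, written to $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server_cert CA NAME CN: end-entity certificate for CN, signed by CA
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_cert CAFILE CERT HOST: the check an LDAP client makes once it has been
# handed a CA file such as CACERT in replication.py. Exit status 0 only if CERT
# chains to CAFILE and carries HOST as a subjectAltName.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

make_ca ipa-test-ca "IPA Test Certificate Authority"   # like the stale ca.crt
make_ca public-ca   "Stand-in public CA"               # like DigiCertCA.crt
issue_server_cert public-ca adserver adserver-01.example.local

# Against a live server the peer certificate would be captured with e.g.:
#   openssl s_client -connect adserver-01.example.local:636 -showcerts </dev/null
for ca in ipa-test-ca public-ca; do
    if verify_cert "$WORK/$ca.pem" "$WORK/adserver.pem" adserver-01.example.local; then
        echo "$ca: OK"
    else
        echo "$ca: certificate verify failed"
    fi
done
```

The CA that issued the server certificate prints OK; the other fails the same way ipa-replica-manage does. To apply the check to a real setup, replace adserver.pem with the chain captured by openssl s_client and point CAFILE at whatever file CACERT names in replication.py: a CA file that does not contain the issuer of the peer's certificate (or a stale IPA test CA) fails for exactly this reason, whereas the NSS database that certutil listed plays no part in a verification done through that path.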

Re: [Freeipa-users] Unable to change Admin password

2011-01-12 Thread Simo Sorce
On Wed, 12 Jan 2011 13:58:31 -0500
Uzor Ide ide4...@gmail.com wrote:

 Hello List
 
 
 We are having problems with changing/resetting passwords. Even the admin
 password cannot be changed.  During login, users with expired
 passwords are warned that their password has expired and forced to
 change their password. But when they type the new password, the operation
 fails with the error "Authentication token manipulation error".
 
 When I tried to change the admin krb5 password from the ipa-server I
 got the following error:
 "Cannot contact any KDC for requested realm while getting initial
 credentials"
 
 That's surprising because the KDC hostname resolves properly.
 
 This is what's in the krb5kdc.log each time:
 
 Jan 12 13:30:27 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, ad...@mycompany.com for kadmin/chang...@mycompany.com
 Jan 12 13:30:39 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca, Additional pre-authentication required
 Jan 12 13:30:40 ipaserver.mycompany.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/chang...@mycompany.com for krbtgt/mycompany@uzdomain.ca
 
 The server is freeipa-2.0-beta and the O/S is Fedora 13.
 
 Any help will be greatly appreciated


Is ipa_kpasswd running?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

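An added example, not from the thread, for reading krb5kdc.log lines of the kind quoted above. The three sample lines in SAMPLE_LOG are constructed in the same format with made-up hosts and principals (they are not the poster's redacted ones), and kdc_requests is a helper name chosen here. It prints, per AS_REQ/TGS_REQ, the time, client IP, result and the client/service principal pair, which makes it easy to see that the KDC is issuing tickets for kadmin/changepw, i.e. the AS exchange succeeds. The password change itself is then sent to the kpasswd service (port 464), which is served by a daemon separate from the KDC; that is the piece Simo's question is about.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed in the format
# of the krb5kdc.log lines in the report; hosts and principals are made up.
SAMPLE_LOG='Jan 12 13:30:27 ipaserver.example.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857027, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Jan 12 13:30:39 ipaserver.example.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: NEEDED_PREAUTH: kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jan 12 13:30:40 ipaserver.example.com krb5kdc[1382](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.12: ISSUE: authtime 1294857040, etypes {rep=18 tkt=18 ses=18}, kadmin/changepw@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# kdc_requests [RESULT] [SERVICE]: read krb5kdc.log on stdin and print one
# "TIME CLIENT_IP RESULT CLIENT_PRINC SERVICE_PRINC" line per AS_REQ/TGS_REQ.
# RESULT (ISSUE, NEEDED_PREAUTH, ...) and SERVICE filter when non-empty.
kdc_requests() {
    awk -v want_result="${1:-}" -v want_service="${2:-}" '
    /krb5kdc\[[0-9]+\].*(AS_REQ|TGS_REQ) / {
        # Segments are separated by ": ". f[2] ends with the client IP, f[3]
        # is the result code, f[4] holds "... CLIENT for SERVICE[, reason]".
        if (split($0, f, ": ") < 4) next
        m = split(f[2], g, " "); ip = g[m]
        result = f[3]
        if (match(f[4], /[^ ,]+ for [^ ,]+/) == 0) next
        split(substr(f[4], RSTART, RLENGTH), p, " for ")
        if (want_result != "" && result != want_result) next
        if (want_service != "" && p[2] != want_service) next
        printf "%s %s %s %s %s\n", $3, ip, result, p[1], p[2]
    }'
}

# Everything the KDC did for the password-change service principal:
printf '%s\n' "$SAMPLE_LOG" | kdc_requests "" kadmin/changepw@EXAMPLE.COM
# Requests that were still waiting on pre-authentication:
printf '%s\n' "$SAMPLE_LOG" | kdc_requests NEEDED_PREAUTH
```

Feed it the real log with `kdc_requests ISSUE < /var/log/krb5kdc.log`, or narrow it to the changepw principal as in the first call above. An ISSUE line for kadmin/changepw followed by a client-side "Cannot contact any KDC" points past the KDC, at whatever is supposed to be answering on the kpasswd port.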


Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Rob Crittenden

Geerten Schram wrote:

Hi All,

When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I get
an error (see list1 and ipserver-install.log). I just don't get it. When I run
the pkisilent command by hand I get

###
Unrecognized argument: Manager
Use -help for help information

###

The only "Manager" comes from the built-in bind_dn, so I guess that's not the
problem. Does someone have a clue?

Regards,

Geerten Schram


You would need to escape any spaces to try pasting the command on the 
command-line.


What version of pki-ca and pki-silent do you have installed?

You might also want to look at /var/log/pki-ca/debug for perhaps more 
details.


rob

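To see why the spaces matter: an added shell example, not from the thread or from pki-silent, showing how an unquoted `cn=Directory Manager` turns into two argv entries and how to re-quote a command line before pasting it. count_args, shell_quote and quote_cmdline are names chosen for the demo; the ConfigureCA subcommand, the -bind_dn flag and the password value are only illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or from pki-silent. Shows what pasting a
# logged command line does to an argument containing a space, and how to
# re-quote it.
set -u

# count_args ARG...: how many argv entries the called program would receive
count_args() { echo "$#"; }

# shell_quote STRING: single-quote STRING (an embedded ' becomes '\'') so that
# a shell reads it back as exactly one word
shell_quote() {
    printf "'%s'\n" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# quote_cmdline ARG...: rebuild a paste-safe command line from raw arguments
quote_cmdline() {
    out=""
    for a in "$@"; do
        out="$out $(shell_quote "$a")"
    done
    printf '%s\n' "${out# }"
}

# As copied out of a log, the bind DN is two words: "Manager" becomes argv[3],
# which matches the "Unrecognized argument: Manager" seen when the pkisilent
# command was pasted by hand.
unquoted=$(count_args -bind_dn cn=Directory Manager)
quoted=$(count_args -bind_dn "cn=Directory Manager")
echo "argv entries unquoted: $unquoted, quoted: $quoted"

# Paste-safe version of the same arguments (subcommand and flag illustrative,
# password a placeholder):
quote_cmdline pkisilent ConfigureCA -bind_dn "cn=Directory Manager" -bind_password "it's secret"
```

The last line prints every argument single-quoted, so the DN and a password containing quotes or spaces survive a round trip through a terminal. Reading the value from a log you are about to paste is the moment to apply it.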


Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Geerten Schram wrote:
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get 
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run 
 the pkisilent command by hand I get 

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only "Manager" comes from the built-in bind_dn, so I guess that's not the 
 problem. Does someone have a clue?

 Regards,

   

This is the same issue I was hitting when I was testing beta and the
workaround with the links to java jars described in the release notes
fixed this issue.
The latest devel repository has this fixed. You might try installing
from there.
http://jdennis.fedorapeople.org/ipa-devel/
Make sure you also have updates testing enabled since some other
packages we depend on have been fixed in the recent weeks.

Just started the package install; it will take a while since many packages
changed in the last couple of weeks.
Will let you know if I see any issues with the today's build.

Thanks
Dmitri

 Geerten Schram
   
 



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Dmitri Pal wrote:
 Geerten Schram wrote:
   
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get 
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run 
 the pkisilent command by hand I get 

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only "Manager" comes from the built-in bind_dn, so I guess that's not the 
 problem. Does someone have a clue?

 Regards,

   
 

 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started the package install; it will take a while since many packages
 changed in the last couple of weeks.
 Will let you know if I see any issues with the today's build.

   

Yes it installed fine with all defaults.
I will play with it more later today.

 Thanks
 Dmitri

   
 Geerten Schram
   
 





Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Jeff B
The build right now is the first time I've been able to get
everything(?) working including the UI. So grab it quick!  :D  I was
updating yesterday evening and all day today and ran into all kinds of
issues that came and went with today's checkins.


On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:
 Geerten Schram wrote:
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only "Manager" comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,



 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started the package install; it will take a while since many packages
 changed in the last couple of weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri

 Geerten Schram

 








Re: [Freeipa-users] ipa-server-install fails

2011-01-12 Thread Dmitri Pal
Jeff B wrote:
 The build right now is the first time I've been able to get
 everything(?) working including the UI. So grab it quick!  :D  I was
 updating yesterday evening and all day today and ran into all kinds of
 issues that came and went with today's checkins.

   

Sorry. It will get better.
We are really working hard to make it a first class product. We are not
there yet, but we are getting there from all sorts of directions at the
same time.

Thanks,
Dmitri
 On Wed, Jan 12, 2011 at 10:02 PM, Dmitri Pal d...@redhat.com wrote:
   
 Geerten Schram wrote:
 
 Hi All,

 When running ipa-server-install from ipa-server-2.0.0.pre1-0.fc14.x86_64 I 
 get
 an error (see list1 and ipserver-install.log). I just don't get it. When I 
 run
 the pkisilent command by hand I get

 ###
 Unrecognized argument: Manager
 Use -help for help information

 ###

 The only "Manager" comes from the built-in bind_dn, so I guess that's not the
 problem. Does someone have a clue?

 Regards,


   
 This is the same issue I was hitting when I was testing beta and the
 workaround with the links to java jars described in the release notes
 fixed this issue.
 The latest devel repository has this fixed. You might try installing
 from there.
 http://jdennis.fedorapeople.org/ipa-devel/
 Make sure you also have updates testing enabled since some other
 packages we depend on have been fixed in the recent weeks.

 Just started the package install; it will take a while since many packages
 changed in the last couple of weeks.
 Will let you know if I see any issues with the today's build.

 Thanks
 Dmitri

 
 Geerten Schram

 

   


 

