[Freeipa-users] Bind current mac clients?
Hello,

I just joined this list, so please excuse me if this question has been asked before. Is anyone out there binding Mac clients (10.7.x) to IPA? I have tried it with some success. The Mac client can join the IPA domain and the Kerberos domain, but no user from the domain can log in to the Mac computer. My guess is that I need to map the LDAP values from IPA to what the Mac client expects.

Anyone?

Thanks,
Håkan Hagenrud

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] (no subject)
On 03/14/2012 03:59 PM, Rich Megginson wrote:
> On 03/14/2012 03:51 PM, Jimmy Caldwell wrote:
>> Is this a normal thing to occur during upgrade?
>
> Unfortunately, in this particular case, yes.
>
>> If it was just a fluke I can revert to the snapshot from just before the upgrade and try again.
>
> I think you will run into the same exact problem.

Another problem - according to http://fpaste.org/nSWh/ you were using 1.2.10.a1 - I'm not sure how that happened - on F-15, none of the alpha versions were pushed to Stable afaik (unlike F-16). We did not (and normally do not) test upgrades from alpha versions to "stable" versions. According to https://admin.fedoraproject.org/updates/FEDORA-2011-13460/389-ds-base-1.2.10-0.1.a1.fc15 this was never pushed to Stable, only to Testing.

>> Sent from my mobile device
>>
>> On Mar 14, 2012, at 17:44, Rich Megginson wrote:
>>> On 03/14/2012 03:26 PM, Jimmy wrote:
>>>> http://fpaste.org/nSWh/
>>>
>>> Thanks. Looks like you are going to have to export your database to ldif, re-import it, and then re-initialize all of your replicas.
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html
>>>
>>> For ipa, the scripts are in /var/lib/dirsrv/scripts-YOUR-DOMAIN
>>>
>>> For ipa, your database is userRoot (so -n userRoot)
>>>
>>> so first, do db2ldif, then ldif2db, then use ipa-replica-manage to reinitialize all of your replicas
>>>
>>>> Here ya go
>>>> Jimmy
>>>>
>>>> On Wed, Mar 14, 2012 at 5:11 PM, Rich Megginson wrote:
>>>>> On 03/14/2012 03:13 PM, Jimmy wrote:
>>>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>>>
>>>>> It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?
>>>>>
>>>>>> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>>>>>>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>>>>>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>>>>>>
>>>>>>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>>>>>>> 22:cn=etc
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> C22:cn=etc
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> P22:cn=etc
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>>
>>>>>>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
On 03/14/2012 03:51 PM, Jimmy Caldwell wrote:
> Is this a normal thing to occur during upgrade?

Unfortunately, in this particular case, yes.

> If it was just a fluke I can revert to the snapshot from just before the upgrade and try again.

I think you will run into the same exact problem.

> Sent from my mobile device
>
> On Mar 14, 2012, at 17:44, Rich Megginson wrote:
>> On 03/14/2012 03:26 PM, Jimmy wrote:
>>> http://fpaste.org/nSWh/
>>
>> Thanks. Looks like you are going to have to export your database to ldif, re-import it, and then re-initialize all of your replicas.
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html
>>
>> For ipa, the scripts are in /var/lib/dirsrv/scripts-YOUR-DOMAIN
>>
>> For ipa, your database is userRoot (so -n userRoot)
>>
>> so first, do db2ldif, then ldif2db, then use ipa-replica-manage to reinitialize all of your replicas
>>
>>> Here ya go
>>> Jimmy
>>>
>>> On Wed, Mar 14, 2012 at 5:11 PM, Rich Megginson wrote:
>>>> On 03/14/2012 03:13 PM, Jimmy wrote:
>>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>>
>>>> It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?
>>>>
>>>>> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>>>>>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>>>>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>>>>>
>>>>>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>>>>>> 22:cn=etc
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> C22:cn=etc
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> P22:cn=etc
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>>
>>>>>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
Is this a normal thing to occur during upgrade? If it was just a fluke I can revert to the snapshot from just before the upgrade and try again.

Sent from my mobile device

On Mar 14, 2012, at 17:44, Rich Megginson wrote:
> On 03/14/2012 03:26 PM, Jimmy wrote:
>> http://fpaste.org/nSWh/
>
> Thanks. Looks like you are going to have to export your database to ldif, re-import it, and then re-initialize all of your replicas.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html
>
> For ipa, the scripts are in /var/lib/dirsrv/scripts-YOUR-DOMAIN
>
> For ipa, your database is userRoot (so -n userRoot)
>
> so first, do db2ldif, then ldif2db, then use ipa-replica-manage to reinitialize all of your replicas
>
>> Here ya go
>> Jimmy
>>
>> On Wed, Mar 14, 2012 at 5:11 PM, Rich Megginson wrote:
>>> On 03/14/2012 03:13 PM, Jimmy wrote:
>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>>
>>> It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?
>>>
>>>> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>>>>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>>>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>>>>
>>>>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>>>>> 22:cn=etc
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> C22:cn=etc
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> P22:cn=etc
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>>
>>>>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
On 03/14/2012 03:26 PM, Jimmy wrote:
> http://fpaste.org/nSWh/

Thanks. Looks like you are going to have to export your database to ldif, re-import it, and then re-initialize all of your replicas.

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html

For ipa, the scripts are in /var/lib/dirsrv/scripts-YOUR-DOMAIN

For ipa, your database is userRoot (so -n userRoot)

so first, do db2ldif, then ldif2db, then use ipa-replica-manage to reinitialize all of your replicas

> Here ya go
> Jimmy
>
> On Wed, Mar 14, 2012 at 5:11 PM, Rich Megginson wrote:
>> On 03/14/2012 03:13 PM, Jimmy wrote:
>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>>
>> It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?
>>
>>> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>>>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>>>
>>>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>>>> 22:cn=etc
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> C22:cn=etc
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> P22:cn=etc
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>>
>>>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
http://fpaste.org/nSWh/

Here ya go
Jimmy

On Wed, Mar 14, 2012 at 5:11 PM, Rich Megginson wrote:
> On 03/14/2012 03:13 PM, Jimmy wrote:
>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
>
> It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?
>
>> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>>
>>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>>> 22:cn=etc
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> C22:cn=etc
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> P22:cn=etc
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>>
>>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
On 03/14/2012 03:13 PM, Jimmy wrote:
> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
> bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514

It appears that the entryrdn upgrade didn't work. Can you sanitize your /var/log/dirsrv/slapd-DOMAIN/errors file and post it to fpaste.org?

> On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
>> On 03/14/2012 03:05 PM, Jimmy wrote:
>>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>>
>>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>>> 22:cn=etc
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> C22:cn=etc
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> P22:cn=etc
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>>
>> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514
bdb/4.8/libback-ldbm/newidl/rdn-format-2/dn-4514

On Wed, Mar 14, 2012 at 5:06 PM, Rich Megginson wrote:
> On 03/14/2012 03:05 PM, Jimmy wrote:
>> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>>
>> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
>> 22:cn=etc
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> C22:cn=etc
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> P22:cn=etc
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
>
> find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
On 03/14/2012 03:05 PM, Jimmy wrote:
> This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.
>
> dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
> 22:cn=etc
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> C22:cn=etc
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> P22:cn=etc
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
> ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"

find /var/lib/dirsrv/slapd-YOUR-DOMAIN/db -name DBVERSION -exec cat {} \;
Re: [Freeipa-users] (no subject)
This doesn't appear to be very good. If I drop the `grep` I see the data I would expect to see.

dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc
22:cn=etc
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
C22:cn=etc
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
P22:cn=etc
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
ID: 22; RDN: "cn=etc"; NRDN: "cn=etc"
Re: [Freeipa-users] (no subject)
On 03/14/2012 02:49 PM, Jimmy wrote:
> rpm -qi 389-ds-base
> Name        : 389-ds-base
> Version     : 1.2.10.3
> Release     : 1.fc15
> Architecture: x86_64
> Install Date: Wed 04 Jan 2012 12:06:20 AM UTC
> Group       : System Environment/Daemons
> Size        : 4816676
> License     : GPLv2 with exceptions
> Signature   : RSA/SHA256, Wed 07 Mar 2012 09:47:47 PM UTC, Key ID b4ebf579069c8460
> Source RPM  : 389-ds-base-1.2.10.3-1.fc15.src.rpm
> Build Date  : Mon 05 Mar 2012 10:50:10 PM UTC
> Build Host  : x86-11.phx2.fedoraproject.org
> Relocations : (not relocatable)
> Packager    : Fedora Project
> Vendor      : Fedora Project
> URL         : http://port389.org/
> Summary     : 389 Directory Server (base)
> Description :
> 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

dbscan -f /var/lib/dirsrv/slapd-YOUR-DOMAIN/db/userRoot/entryrdn.db4|grep cn=etc

> On Wed, Mar 14, 2012 at 4:45 PM, Rich Megginson wrote:
>> On 03/14/2012 02:45 PM, Jimmy wrote:
>>> In response to the last two suggestions, here's what I see:
>>>
>>> hostname
>>> ipa.abc.xyz
>>>
>>> /etc/hosts:
>>> 192.168.201.102 ipa.abc.xyz ipa
>>>
>>> ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 32 No such object
>>> matchedDN: dc=abc,dc=xyz
>>
>> rpm -qi 389-ds-base
>>
>>> # numResponses: 1
Re: [Freeipa-users] need info on AD / IPA coexistence
On 03/08/2012 01:40 PM, Sylvain Angers wrote:
> Was anyone successful in hooking their HP iLO or RHEV manager up to IPA?

I've connected IPA to the RHEV manager, yes. It works fine. However, it seems to require looking up DNS SRV records to find the IPA servers, so I don't think it works unless you have your own DNS domain for IPA.

Regards,
Siggi
Re: [Freeipa-users] (no subject)
rpm -qi 389-ds-base
Name        : 389-ds-base
Version     : 1.2.10.3
Release     : 1.fc15
Architecture: x86_64
Install Date: Wed 04 Jan 2012 12:06:20 AM UTC
Group       : System Environment/Daemons
Size        : 4816676
License     : GPLv2 with exceptions
Signature   : RSA/SHA256, Wed 07 Mar 2012 09:47:47 PM UTC, Key ID b4ebf579069c8460
Source RPM  : 389-ds-base-1.2.10.3-1.fc15.src.rpm
Build Date  : Mon 05 Mar 2012 10:50:10 PM UTC
Build Host  : x86-11.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

On Wed, Mar 14, 2012 at 4:45 PM, Rich Megginson wrote:
> On 03/14/2012 02:45 PM, Jimmy wrote:
>> In response to the last two suggestions, here's what I see:
>>
>> hostname
>> ipa.abc.xyz
>>
>> /etc/hosts:
>> 192.168.201.102 ipa.abc.xyz ipa
>>
>> ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>> matchedDN: dc=abc,dc=xyz
>
> rpm -qi 389-ds-base
>
>> # numResponses: 1
Re: [Freeipa-users] (no subject)
On 03/14/2012 02:45 PM, Jimmy wrote:
> In response to the last two suggestions, here's what I see:
>
> hostname
> ipa.abc.xyz
>
> /etc/hosts:
> 192.168.201.102 ipa.abc.xyz ipa
>
> ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
> matchedDN: dc=abc,dc=xyz

rpm -qi 389-ds-base

> # numResponses: 1
Re: [Freeipa-users] (no subject)
In response to the last two suggestions, here's what I see:

hostname
ipa.abc.xyz

/etc/hosts:
192.168.201.102 ipa.abc.xyz ipa

ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=abc,dc=xyz
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
matchedDN: dc=abc,dc=xyz

# numResponses: 1
Re: [Freeipa-users] (no subject)
On Wed, Mar 14, 2012 at 1:30 PM, Jimmy wrote:
> Ok, I upgraded and that didn't go so well, now IPA doesn't start:
>
>>service ipa start
> Starting Directory Service
> Starting dirsrv:
>     XX... [ OK ]
>     PKI-IPA... [ OK ]
> Failed to read data from Directory Service: Failed to get list of services to probe status!
> Configured hostname 'X' does not match any master server in LDAP:
> No master found because of error: {'matched': 'dc=XXX,dc=XXX', 'desc': 'No such object'}
> Shutting down
> Shutting down dirsrv:
>     XX... [ OK ]
>     PKI-IPA... [ OK ]
>
> *BUT* /etc/httpd/conf.d/ipa-pki-proxy.conf exists now...

Does output from "hostname" (or, the hostname in /etc/sysconfig/network) match what is in your /etc/hosts file for the server name? Does dc=XXX,dc=XXX match at least the domain part of your hostname? If I remember correctly, IPA requires a fully qualified hostname, not just the host part. I can't possibly imagine how this worked to begin with though if all of this is not correct.

Steve
Re: [Freeipa-users] (no subject)
Jimmy wrote:
> Ok, I upgraded and that didn't go so well, now IPA doesn't start:
>
>>service ipa start
> Starting Directory Service
> Starting dirsrv:
>     XX... [ OK ]
>     PKI-IPA... [ OK ]
> Failed to read data from Directory Service: Failed to get list of services to probe status!
> Configured hostname 'X' does not match any master server in LDAP:
> No master found because of error: {'matched': 'dc=XXX,dc=XXX', 'desc': 'No such object'}
> Shutting down
> Shutting down dirsrv:
>     XX... [ OK ]
>     PKI-IPA... [ OK ]
>
> *BUT* /etc/httpd/conf.d/ipa-pki-proxy.conf exists now...

That would suggest your hostname doesn't match the hostname that IPA was installed as. Start just dirsrv and see what masters are configured:

ldapsearch -x -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com

rob

> On Wed, Mar 14, 2012 at 3:47 PM, Stephen Ingram wrote:
>> On Wed, Mar 14, 2012 at 12:41 PM, Jimmy wrote:
>>> Good call, Stephen. The /etc/httpd/conf.d/ipa-pki-proxy.conf is missing. I'm not sure how that is missing. Was there a separate step for the IPA install that took care of the CA? It's been 6 months since I installed so I don't remember right off.
>>
>> It's part of the freeipa-server package. I noticed that you are running version 2.1.1 of ipa. 2.1.4 is the latest in the non-devel repos. You might want to try a yum update as you might have other differing packages as well. Make sure you read about the changes in 2.1.4 which might affect machines you have already enrolled.
>>
>> Steve
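Steve's and Rob's replies above come down to two checks: the server's fully qualified hostname has to appear in /etc/hosts, and the base DN that ipactl reports as 'matched' ('dc=XXX,dc=XXX') has to agree with the domain part of that hostname. The script below runs both checks offline on explicit inputs. It is an added example for this archive page, not code from the thread or from FreeIPA; the function names are my own, and the sample hostname, /etc/hosts line and DNs are constructed from the values posted elsewhere in this thread.

```python
"""Hostname / base-DN consistency checks for the 'Configured hostname does not
match any master server in LDAP' failure discussed in this thread.

Added example, not FreeIPA code. Inputs are passed in explicitly so the checks
can run offline; on a live server they would come from socket.getfqdn(),
open('/etc/hosts').read() and the 'matched' DN printed by ipactl.
"""
import re


def basedn_from_fqdn(fqdn: str) -> str:
    """Map the domain part of an FQDN to the base DN IPA would derive from it.

    'ipa.abc.xyz' -> 'dc=abc,dc=xyz'. Raises ValueError for a short hostname,
    because IPA requires a fully qualified name.
    """
    labels = fqdn.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"{fqdn!r} is not a fully qualified hostname")
    return ",".join(f"dc={label}" for label in labels[1:])


def hosts_addresses_for(hosts_text: str, fqdn: str) -> list:
    """Return every address that an /etc/hosts file maps to fqdn (case-insensitive)."""
    addrs = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fqdn.lower() in (name.lower() for name in fields[1:]):
            addrs.append(fields[0])
    return addrs


def normalise_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around its separators for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def check_hostname_consistency(hostname: str, hosts_text: str, matched_dn: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    try:
        expected_dn = basedn_from_fqdn(hostname)
    except ValueError as exc:
        return [str(exc)]                        # nothing else is meaningful without an FQDN
    problems = []
    if normalise_dn(expected_dn) != normalise_dn(matched_dn):
        problems.append(f"domain part of {hostname!r} implies base DN {expected_dn!r}, "
                        f"but the server reported {matched_dn!r}")
    if not hosts_addresses_for(hosts_text, hostname):
        problems.append(f"/etc/hosts has no entry for {hostname!r}")
    return problems


# Constructed sample /etc/hosts, modelled on the line Jimmy posted in this thread.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.201.102 ipa.abc.xyz ipa\n"

if __name__ == "__main__":
    cases = [("ipa.abc.xyz", "dc=abc,dc=xyz"),       # consistent
             ("ipa", "dc=abc,dc=xyz"),               # short hostname
             ("ipa.abc.xyz", "dc=example,dc=com")]   # base DN from another realm
    for host, dn in cases:
        print(host, dn, "->", check_hostname_consistency(host, SAMPLE_HOSTS, dn) or "OK")
```

The DN-versus-domain comparison is a heuristic, not a rule IPA enforces: the base DN is derived from the domain given at install time, so a server whose hostname sits in a subdomain of the IPA domain will legitimately fail that check. That is why the script reports findings for an operator to read rather than exiting non-zero.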
Re: [Freeipa-users] (no subject)
Ok, I upgraded and that didn't go so well, now IPA doesn't start:

>service ipa start
Starting Directory Service
Starting dirsrv:
    XX... [ OK ]
    PKI-IPA... [ OK ]
Failed to read data from Directory Service: Failed to get list of services to probe status!
Configured hostname 'X' does not match any master server in LDAP:
No master found because of error: {'matched': 'dc=XXX,dc=XXX', 'desc': 'No such object'}
Shutting down
Shutting down dirsrv:
    XX... [ OK ]
    PKI-IPA... [ OK ]

*BUT* /etc/httpd/conf.d/ipa-pki-proxy.conf exists now...

On Wed, Mar 14, 2012 at 3:47 PM, Stephen Ingram wrote:
> On Wed, Mar 14, 2012 at 12:41 PM, Jimmy wrote:
>> Good call, Stephen. The /etc/httpd/conf.d/ipa-pki-proxy.conf is missing. I'm not sure how that is missing. Was there a separate step for the IPA install that took care of the CA? It's been 6 months since I installed so I don't remember right off.
>
> It's part of the freeipa-server package. I noticed that you are running version 2.1.1 of ipa. 2.1.4 is the latest in the non-devel repos. You might want to try a yum update as you might have other differing packages as well. Make sure you read about the changes in 2.1.4 which might affect machines you have already enrolled.
>
> Steve
Re: [Freeipa-users] (no subject)
On Wed, Mar 14, 2012 at 12:41 PM, Jimmy wrote:
> Good call, Stephen. The /etc/httpd/conf.d/ipa-pki-proxy.conf is missing. I'm not sure how that is missing. Was there a separate step for the IPA install that took care of the CA? It's been 6 months since I installed so I don't remember right off.

It's part of the freeipa-server package. I noticed that you are running version 2.1.1 of ipa. 2.1.4 is the latest in the non-devel repos. You might want to try a yum update as you might have other differing packages as well. Make sure you read about the changes in 2.1.4 which might affect machines you have already enrolled.

Steve
Re: [Freeipa-users] (no subject)
Good call, Stephen. The /etc/httpd/conf.d/ipa-pki-proxy.conf is missing. I'm not sure how that is missing. Was there a separate step for the IPA install that took care of the CA? It's been 6 months since I installed so I don't remember right off.

On Wed, Mar 14, 2012 at 3:30 PM, Stephen Ingram wrote:
> On Wed, Mar 14, 2012 at 12:22 PM, Jimmy wrote:
>> I set the date back and ran the command and this is what I see in the httpd log. The ca directory does not exist, I verified it as missing. Any idea why this is? Did I miss something in the install of IPA?
>>
>> [Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget 'https://XX:443/ca/agent/ca/displayBySerial'
>> [Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does not exist: /var/www/html/ca
>> [Sun Jan 01 00:20:46 2012] [error] ipa: INFO: host/@XX: cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjAN
>> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bp
>> c7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbV
>> oa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc
>> 3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbg
>> f5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqg
>> dKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
>> principal=u'ldap/@XXX', add=True): CertificateOperationError
>
> Are you sure you are not missing some of your config files? (/etc/httpd/conf.d/ipa-pki-proxy.conf) There is no /var/www/html/ca. Your httpd config should redirect this to the certificate server.
>
> Steve
Re: [Freeipa-users] (no subject)
On Wed, Mar 14, 2012 at 12:22 PM, Jimmy wrote:
> I set the date back and ran the command and this is what I see in the httpd log. The ca directory does not exist, I verified it as missing. Any idea why this is? Did I miss something in the install of IPA?
>
> [Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget 'https://XX:443/ca/agent/ca/displayBySerial'
> [Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does not exist: /var/www/html/ca
> [Sun Jan 01 00:20:46 2012] [error] ipa: INFO: host/@XX: cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjAN
> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bp
> c7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbV
> oa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc
> 3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbg
> f5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqg
> dKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
> principal=u'ldap/@XXX', add=True): CertificateOperationError

Are you sure you are not missing some of your config files? (/etc/httpd/conf.d/ipa-pki-proxy.conf) There is no /var/www/html/ca. Your httpd config should redirect this to the certificate server.

Steve
Re: [Freeipa-users] (no subject)
I set the date back and ran the command and this is what I see in the httpd log. The ca directory does not exist, I verified it as missing. Any idea why this is? Did I miss something in the install of IPA?

[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: sslget 'https://XX:443/ca/agent/ca/displayBySerial'
[Sun Jan 01 00:20:46 2012] [error] [client 192.168.201.102] File does not exist: /var/www/html/ca
[Sun Jan 01 00:20:46 2012] [error] ipa: INFO: host/@XX: cert_request(u'MIIDQzCCAisCAQAwLDEQMA4GA1UEChMHUERILkNTUDEYMBYGA1UEAxMPY3NwLWlkbS5wZGguY3NwMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr0EHCdyTuteryFZ2bdEl+V4OATR/xk8ELthmvlwT/5qubZKwlCWS6yLawgdyCg9Yw737A7qGe0BPxHv6E+as10NxppEPsn9BOi+TPRIMYNMNNYmO2sce2pvkMkVBqsF7Gn7mF7e5+Bp
c7ApnDGP7WLsAjbso8EvLUrqVMTNyiziCSHiNk+/Fi1Om6K5GKzKkqfEDex0RK+kpMswgcaZHhmW3i+y3UxFZsJjOg3R4fJAfC0+My2d1Vx4052+EgWAbSNpSj7zmLGM2+dkmgMo5Li7jjgJe8VsrqOV4L5IgqtGVJ0EOb7EP7gynbV
oa74m4XrVwEP8rd/M5RxAnD1JPuwIDAQABoIHRMBoGCSqGSIb3DQEJFDENEwtTZXJ2ZXItQ2VydDCBsgYJKoZIhvcNAQkOMYGkMIGhMA4GA1UdDwEBAAQEAwIE8DB3BgNVHREBAQAEbTBroCwGCisGAQQBgjcUAgOgHgwcbGRhcC9jc
3AtaWRtLnBkaC5jc3BAUERILkNTUKA7BgYrBgEFAgKgMTAvoAkbB1BESC5DU1ChIjAgoAMCAQGhGTAXGwRsZGFwGw9jc3AtaWRtLnBkaC5jc3AwFgYDVR0lAQEABAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBABD/Hwbg
f5NJNUYt0+ntMDHiilMFkSaO6ryQ36/pCH1oR+vI+PCeClHewPo0v99h4Z8W8L7CQtDdNBUMl/JVHH5Lz7cBF8A/jXZQ+naV17EEuXncacM8AvYh5dL2yih+8RpPalEmSgz5rijtbSigfNGrZn0Mh3qOW1kbsz+GDaaT9wLFxvdJyqg
dKds2tsp0KzHIMcJuw3cwOfH8zrBRV28XYhMLm0OOhj92uxgax5UPY2VyHP5UOtOnfuduU1ZXa+o8QIXqX7/HyDSCLGwiPJscAsp9cRzjn4KvqzZDOcdGEjXmCGfrmUiMcuzVyTDR2SdAWrHdbRmXeyVxmiBPzdk=',
principal=u'ldap/@XXX', add=True): CertificateOperationError

On Wed, Mar 14, 2012 at 3:09 PM, Rob Crittenden wrote:
> Jimmy wrote:
>> I can set the date to before 3/12 (the cert expiry date) and things start just fine. The apache logs don't seem to hold much info other than "the cert is expired." CA logs have even less info.
>>
>> I did find a similar issue on the mailing list - http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I don't see a resolution, I don't see how the cert is supposed to get renewed.
>
> certmonger is supposed to automatically renew it. It apparently tried and failed because the CA was unreachable. If you set the date back again and execute this command it will resubmit the request and perhaps the logs will contain the details we need.
>
> rob
>
>> On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden wrote:
>>> Jimmy wrote:
>>>> I changed the system date and it's functional now. I ran the command `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired cert. Looking at `ipa-getcert list` I see this--
>>>>
>>>> Request ID '20110913154233':
>>>>         status: CA_UNREACHABLE
>>>>         ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
>>>>         stuck: yes
>>>>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
>>>>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
>>>>         CA: IPA
>>>>         issuer: CN=Certificate Authority,O=X
>>>>         subject: CN=csp-idm.pdh.csp,O=X
>>>>         expires: 2012-03-11 15:42:32 UTC
>>>>         eku: id-kp-serverAuth
>>>>         track: yes
>>>>         auto-renew: yes
>>>>
>>>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any ideas on why this is occurring?
>>>
>>> The Apache error log may hold some clues. You might try:
>>>
>>> # ipa-getcert resubmit -i 20110913154233
>>>
>>> Then watch the Apache log to see what it is doing. The CA logs are in /var/log/pki-ca and may provide some details as well.
>>>
>>> rob
>>>
>>>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy wrote:
>>>>> My IPA server just stopped working with this error. I'm looking in to it, but if anyone knows what the issue is right off I'd appreciate any pointers you have.
>>>>>
>>>>> (when trying to do service ipa start)
>>>>> Starting dirsrv:
>>>>>     PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>>>     [ OK ]
>>>>>     PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
Re: [Freeipa-users] (no subject)
Jimmy wrote:
> I can set the date to before 3/12(the cert expiry date) and things
> start just fine. The apache logs don't seem to hold much info other
> than "the cert is expired." CA logs have even less info.
>
> I did find a similar issue on the mailing list -
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I
> don't see a resolution, I don't see how the cert is supposed to get
> renewed.

certmonger is supposed to automatically renew it. It apparently tried and
failed because the CA was unreachable. If you set the date back again and
execute this command it will resubmit the request and perhaps the logs will
contain the details we need.

rob

> On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden wrote:
>> Jimmy wrote:
>>> I changed the system date and it's functional now. I ran the command
>>> `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>>> cert. Looking at `ipa-getcert list` I see this--
>>>
>>> Request ID '20110913154233':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Server failed request, will retry: 4301 (RPC failed
>>>     at server. Certificate operation cannot be completed: Unable to
>>>     communicate with CMS (Not Found)).
>>>     stuck: yes
>>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=X
>>>     subject: CN=csp-idm.pdh.csp,O=X
>>>     expires: 2012-03-11 15:42:32 UTC
>>>     eku: id-kp-serverAuth
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>>> ideas on why this is occurring?
>>
>> The Apache error log may hold some clues. You might try:
>>
>> # ipa-getcert resubmit -i 20110913154233
>>
>> Then watch the Apache log to see what it is doing. The CA logs are in
>> /var/log/pki-ca and may provide some details as well.
>>
>> rob
>>
>>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy wrote:
>>>> My IPA server just stopped working with this error. I'm looking in to
>>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>>> pointers you have.
>>>>
>>>> (when trying to do service ipa start)
>>>> Starting dirsrv:
>>>> PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>> [ OK ]
>>>> PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert:
>>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>>> [ OK ]
>>>>
>>>> I'm running on Fedora15, running IPA --
>>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>>> Thanks.

___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
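The thread's diagnosis hinges on reading `ipa-getcert list` by eye for a "stuck: yes" / "CA_UNREACHABLE" request whose certificate had already expired. The script below is an added example (not from the thread, FreeIPA or certmonger) that parses that output and reports every tracked request that is stuck, is not in the normal MONITORING state, or has expired or expires before a warning date; the sample output it runs over is constructed from the request shown above plus one invented expiring-soon request with a placeholder subject.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger: parse
# `ipa-getcert list` output and report each tracked request that is stuck, is
# not in the normal MONITORING state, or has expired / expires before a warning
# date. Dates compare as "YYYY-MM-DD HH:MM:SS" strings, which sort chronologically.

# $1 = current time, $2 = warning threshold (both "YYYY-MM-DD HH:MM:SS" UTC);
# reads `ipa-getcert list` on stdin, prints one line per request needing attention.
check_getcert_requests() {
    awk -v now="$1" -v warn="$2" '
    function flush(   reason) {
        if (id == "") return
        reason = ""
        if (stuck == "yes")         reason = reason " stuck"
        if (status != "MONITORING") reason = reason " status=" status
        if (expires != "" && expires <= now)       reason = reason " expired=" expires
        else if (expires != "" && expires <= warn) reason = reason " expires-soon=" expires
        if (reason != "")
            printf "%s subject=%s reasons:%s%s\n", id, subj, reason, (caerr != "" ? " ca-error: " caerr : "")
        id = ""; status = ""; stuck = ""; caerr = ""; subj = ""; expires = ""
    }
    /^Request ID/      { flush(); id = $3; gsub(/[^0-9]/, "", id) }
    /^[ \t]*status:/   { status = $2 }
    /^[ \t]*stuck:/    { stuck = $2 }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); caerr = $0 }
    /^[ \t]*subject:/  { sub(/^[ \t]*subject:[ \t]*/, ""); subj = $0 }
    /^[ \t]*expires:/  { expires = $2 " " $3 }
    END                { flush() }'
}

# Constructed sample: the stuck request from the thread (trimmed to the fields
# the check uses) plus an invented healthy-but-expiring request (placeholder subject).
SAMPLE_GETCERT_OUTPUT="Request ID '20110913154233':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    subject: CN=csp-idm.pdh.csp,O=X
    expires: 2012-03-11 15:42:32 UTC
Request ID '20110913154240':
    status: MONITORING
    stuck: no
    subject: CN=example-host.example.test,O=X
    expires: 2012-04-01 00:00:00 UTC
"

# Stand-alone demo over the constructed sample, with "now" set to the thread's date; on a
# server you would pipe the live output: ipa-getcert list | check_getcert_requests "$(date -u '+%Y-%m-%d %H:%M:%S')" <warn-date>
printf '%s' "$SAMPLE_GETCERT_OUTPUT" | check_getcert_requests "2012-03-14 17:24:34" "2012-04-13 17:24:34"
```

Run from cron with a warning date a few weeks out, a non-empty result is the signal that certmonger's automatic renewal has not happened and the CA path needs attention before the Server-Cert expiry takes dirsrv and the CA down together, as in this thread.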
Re: [Freeipa-users] (no subject)
I can set the date to before 3/12(the cert expiry date) and things start just fine. The apache logs don't seem to hold much info other than "the cert is expired." CA logs have even less info.

I did find a similar issue on the mailing list - http://comments.gmane.org/gmane.linux.redhat.freeipa.user/3104 - but I don't see a resolution, I don't see how the cert is supposed to get renewed.

On Wed, Mar 14, 2012 at 2:22 PM, Rob Crittenden wrote:
> Jimmy wrote:
>>
>> I changed the system date and it's functional now. I ran the command
>> `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
>> cert. Looking at `ipa-getcert list` I see this--
>>
>> Request ID '20110913154233':
>>     status: CA_UNREACHABLE
>>     ca-error: Server failed request, will retry: 4301 (RPC failed
>>     at server. Certificate operation cannot be completed: Unable to
>>     communicate with CMS (Not Found)).
>>     stuck: yes
>>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
>>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
>>     CA: IPA
>>     issuer: CN=Certificate Authority,O=X
>>     subject: CN=csp-idm.pdh.csp,O=X
>>     expires: 2012-03-11 15:42:32 UTC
>>     eku: id-kp-serverAuth
>>     track: yes
>>     auto-renew: yes
>>
>> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
>> ideas on why this is occurring?
>
> The Apache error log may hold some clues. You might try:
>
> # ipa-getcert resubmit -i 20110913154233
>
> Then watch the Apache log to see what it is doing. The CA logs are in
> /var/log/pki-ca and may provide some details as well.
>
> rob
>
>> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy wrote:
>>>
>>> My IPA server just stopped working with this error. I'm looking in to
>>> it, but if anyone knows what the issue is right off I'd appreciate any
>>> pointers you have.
>>>
>>> (when trying to do service ipa start)
>>> Starting dirsrv:
>>> PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>> [ OK ]
>>> PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert:
>>> CERT_VerifyCertificateNow: verify certificate failed for cert
>>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>>> [ OK ]
>>>
>>> I'm running on Fedora15, running IPA --
>>> freeipa-server-2.1.1-1.fc15.x86_64.
>>> Thanks.
Re: [Freeipa-users] (no subject)
Jimmy wrote:
> I changed the system date and it's functional now. I ran the command
> `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired
> cert. Looking at `ipa-getcert list` I see this--
>
> Request ID '20110913154233':
>     status: CA_UNREACHABLE
>     ca-error: Server failed request, will retry: 4301 (RPC failed
>     at server. Certificate operation cannot be completed: Unable to
>     communicate with CMS (Not Found)).
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=X
>     subject: CN=csp-idm.pdh.csp,O=X
>     expires: 2012-03-11 15:42:32 UTC
>     eku: id-kp-serverAuth
>     track: yes
>     auto-renew: yes
>
> It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any
> ideas on why this is occurring?

The Apache error log may hold some clues. You might try:

# ipa-getcert resubmit -i 20110913154233

Then watch the Apache log to see what it is doing. The CA logs are in
/var/log/pki-ca and may provide some details as well.

rob

> On Wed, Mar 14, 2012 at 1:35 PM, Jimmy wrote:
>> My IPA server just stopped working with this error. I'm looking in to
>> it, but if anyone knows what the issue is right off I'd appreciate any
>> pointers you have.
>>
>> (when trying to do service ipa start)
>> Starting dirsrv:
>> PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>> [ OK ]
>> PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert:
>> CERT_VerifyCertificateNow: verify certificate failed for cert
>> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
>> Portable Runtime error -8181 - Peer's Certificate has expired.)
>> [ OK ]
>>
>> I'm running on Fedora15, running IPA --
>> freeipa-server-2.1.1-1.fc15.x86_64.
>> Thanks.
Re: [Freeipa-users] (no subject)
I changed the system date and it's functional now. I ran the command `certutil -L -d /etc/httpd/alias -n Server-Cert` and see the expired cert. Looking at `ipa-getcert list` I see this--

Request ID '20110913154233':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapdX//pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-X',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=X
    subject: CN=csp-idm.pdh.csp,O=X
    expires: 2012-03-11 15:42:32 UTC
    eku: id-kp-serverAuth
    track: yes
    auto-renew: yes

It says "CA_UNREACHABLE", but ipactl status shows the CA running. Any ideas on why this is occurring?

On Wed, Mar 14, 2012 at 1:35 PM, Jimmy wrote:
> My IPA server just stopped working with this error. I'm looking in to
> it, but if anyone knows what the issue is right off I'd appreciate any
> pointers you have.
>
> (when trying to do service ipa start)
> Starting dirsrv:
> PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
> PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8181 - Peer's Certificate has expired.)
> [ OK ]
>
> I'm running on Fedora15, running IPA -- freeipa-server-2.1.1-1.fc15.x86_64.
> Thanks.
[Freeipa-users] (no subject)
My IPA server just stopped working with this error. I'm looking in to it, but if anyone knows what the issue is right off I'd appreciate any pointers you have.

(when trying to do service ipa start)
Starting dirsrv:
PDH-CSP...[14/Mar/2012:17:24:34 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
PKI-IPA...[14/Mar/2012:17:24:36 +] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]

I'm running on Fedora15, running IPA -- freeipa-server-2.1.1-1.fc15.x86_64.
Thanks.