Re: [Freeipa-users] ipa-replica-prepare failed

I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure.

Thanks for your help.

2013/2/8 James James <jre...@gmail.com>

> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3.
>
> I have used ipa-server-certinstall to replace the default IPA certs.
>
> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>
>> James James wrote:
>>> Hi,
>>>
>>> today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error :
>>>
>>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>> Directory Manager (existing master) password:
>>>
>>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>> Creating SSL certificate for the Directory Server
>>> certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
>>> certutil: unable to create cert (security library: bad database.)
>>> preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>>   File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>>>     main()
>>>   File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
>>>   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>>     raise e
>>>
>>> I have a certificate generated by a custom certificate authority in the ipa server.
>>
>> Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
>>
>> rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-replica-prepare failed

James James wrote:
> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure.
>
> Thanks for your help.

Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one.

I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.

rob

> 2013/2/8 James James <jre...@gmail.com>
>
>> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3.
>>
>> I have used ipa-server-certinstall to replace the default IPA certs.
>>
>> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>>
>>> James James wrote:
>>>> Hi,
>>>>
>>>> today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error :
>>>>
>>>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>>> Directory Manager (existing master) password:
>>>>
>>>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>>> Creating SSL certificate for the Directory Server
>>>> certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
>>>> certutil: unable to create cert (security library: bad database.)
>>>> preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>>>   File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>>>>     main()
>>>>   File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
>>>>   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>>>     raise e
>>>>
>>>> I have a certificate generated by a custom certificate authority in the ipa server.
>>>
>>> Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
>>>
>>> rob
Re: [Freeipa-users] Testing out FreeIPA

# yum install ipa-server

--
Regards,
Rajnesh Kumar Siwal
Re: [Freeipa-users] ipa-replica-prepare failed

On 02/08/2013 06:44 AM, Rob Crittenden wrote:
> James James wrote:
>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure.
>>
>> Thanks for your help.
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one.
>
> I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
>
> rob

Is that possible to do from a commercial SSL certificate provider?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com
Re: [Freeipa-users] ipa-replica-prepare failed

Orion Poplawski wrote:
> On 02/08/2013 06:44 AM, Rob Crittenden wrote:
>> James James wrote:
>>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure.
>>>
>>> Thanks for your help.
>>
>> Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one.
>>
>> I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
>>
>> rob
>
> Is that possible to do from a commercial SSL certificate provider?

GeoTrust does, I don't know about any others.

http://www.prnewswire.com/news-releases/geotrust-launches-georoot-allows-organizations-with-their-own-certificate-authority-ca-to-chain-to-geotrusts-ubiquitous-public-root-54048807.html

rob
Re: [Freeipa-users] ipa-replica-prepare failed

Now on the replica server I've got this error :

Run connection check to master
Connection check OK
Configuring ntpd
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
done configuring ntpd.
Configuring directory server: Estimated time 1 minute
  [1/30]: creating directory server user
  [2/30]: creating directory server instance
  [3/30]: adding default schema
  [4/30]: enabling memberof plugin
  [5/30]: enabling referential integrity plugin
  [6/30]: enabling winsync plugin
  [7/30]: configuring replication version plugin
  [8/30]: enabling IPA enrollment plugin
  [9/30]: enabling ldapi
  [10/30]: configuring uniqueness plugin
  [11/30]: configuring uuid plugin
  [12/30]: configuring modrdn plugin
  [13/30]: enabling entryUSN plugin
  [14/30]: configuring lockout plugin
  [15/30]: creating indices
  [16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Where do I have to put the CA certificate ?

Regards (again)

2013/2/8 Rob Crittenden <rcrit...@redhat.com>

> James James wrote:
>> I had to set the --dirsrv_pkcs12, --dirsrv_pin, --http_pkcs12, --http_pin and the ipa-replica-prepare command runs without failure.
>>
>> Thanks for your help.
>
> Yes, this is what I was going to suggest. Using ipa-server-certinstall replaces the IPA CA with an external one.
>
> I should note that we're deprecating this tool and do not recommend that it be used. We instead suggest that if you need certificates from an external CA you get the IPA CA signed as a subordinate.
>
> rob
>
>> 2013/2/8 James James <jre...@gmail.com>
>>
>>> My ipa version is ipa-server-2.2.0-17.el6_3.1.x86_64 and the distro is Scientific Linux 6.3.
>>>
>>> I have used ipa-server-certinstall to replace the default IPA certs.
>>>
>>> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>>>
>>>> James James wrote:
>>>>> Hi,
>>>>>
>>>>> today I wanted to install an ipa replica. When I used the ipa-replica-prepare command, I've got this error :
>>>>>
>>>>> [root@ipa ~]# ipa-replica-prepare ipa2-example.com
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> Preparing replica for ipa-EXAMPLE.COM from ipa.EXAMPLE.COM
>>>>> Creating SSL certificate for the Directory Server
>>>>> certutil: could not find certificate named CN=EXAMPLE.COM Certificate Authority: security library: bad database.
>>>>> certutil: unable to create cert (security library: bad database.)
>>>>> preparation of replica failed: Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>>>> Command '/usr/bin/certutil -d /tmp/tmpoUpN72ipa/realm_info -A -n Server-Cert -t u,u,u -i /var/lib/ipa/ipa-6qKbha/tmpcert.der -f /tmp/tmpoUpN72ipa/realm_info/pwdfile.txt' returned non-zero exit status 255
>>>>>   File "/usr/sbin/ipa-replica-prepare", line 459, in <module>
>>>>>     main()
>>>>>   File "/usr/sbin/ipa-replica-prepare", line 345, in main
>>>>>     export_certdb(api.env.realm, ds_dir, dir, passwd_fname, dscert, replica_fqdn, subject_base)
>>>>>   File "/usr/sbin/ipa-replica-prepare", line 143, in export_certdb
>>>>>     raise e
>>>>>
>>>>> I have a certificate generated by a custom certificate authority in the ipa server.
>>>>
>>>> Need more information on your installation. What version of IPA, what distro? Did you use ipa-server-certinstall to replace the default IPA certs?
>>>>
>>>> rob
Re: [Freeipa-users] ipa-replica-prepare failed

James James wrote:
> Now on the replica server I've got this error :
>
> Run connection check to master
> Connection check OK
> Configuring ntpd
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> done configuring ntpd.
> Configuring directory server: Estimated time 1 minute
>   [1/30]: creating directory server user
>   [2/30]: creating directory server instance
>   [3/30]: adding default schema
>   [4/30]: enabling memberof plugin
>   [5/30]: enabling referential integrity plugin
>   [6/30]: enabling winsync plugin
>   [7/30]: configuring replication version plugin
>   [8/30]: enabling IPA enrollment plugin
>   [9/30]: enabling ldapi
>   [10/30]: configuring uniqueness plugin
>   [11/30]: configuring uuid plugin
>   [12/30]: configuring modrdn plugin
>   [13/30]: enabling entryUSN plugin
>   [14/30]: configuring lockout plugin
>   [15/30]: creating indices
>   [16/30]: configuring ssl for ds instance
> creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Where do I have to put the CA certificate ?

It needs to be in the PKCS#12 file.

rob
Re: [Freeipa-users] ipa-replica-prepare failed

OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?

2013/2/8 Rob Crittenden <rcrit...@redhat.com>

> James James wrote:
>> Now on the replica server I've got this error :
>>
>> Run connection check to master
>> Connection check OK
>> Configuring ntpd
>>   [1/4]: stopping ntpd
>>   [2/4]: writing configuration
>>   [3/4]: configuring ntpd to start on boot
>>   [4/4]: starting ntpd
>> done configuring ntpd.
>> Configuring directory server: Estimated time 1 minute
>>   [1/30]: creating directory server user
>>   [2/30]: creating directory server instance
>>   [3/30]: adding default schema
>>   [4/30]: enabling memberof plugin
>>   [5/30]: enabling referential integrity plugin
>>   [6/30]: enabling winsync plugin
>>   [7/30]: configuring replication version plugin
>>   [8/30]: enabling IPA enrollment plugin
>>   [9/30]: enabling ldapi
>>   [10/30]: configuring uniqueness plugin
>>   [11/30]: configuring uuid plugin
>>   [12/30]: configuring modrdn plugin
>>   [13/30]: enabling entryUSN plugin
>>   [14/30]: configuring lockout plugin
>>   [15/30]: creating indices
>>   [16/30]: configuring ssl for ds instance
>> creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> Where do I have to put the CA certificate ?
>
> It needs to be in the PKCS#12 file.
>
> rob
Re: [Freeipa-users] ipa-replica-prepare failed

James James wrote:
> OK .. but I have to put the pkcs12 file in /etc/pki/nssdb ?

No. The PKCS#12 file that contains your server private key and cert needs to also contain the CA that signed it.

rob

> 2013/2/8 Rob Crittenden <rcrit...@redhat.com>
>
>> James James wrote:
>>> Now on the replica server I've got this error :
>>>
>>> Run connection check to master
>>> Connection check OK
>>> Configuring ntpd
>>>   [1/4]: stopping ntpd
>>>   [2/4]: writing configuration
>>>   [3/4]: configuring ntpd to start on boot
>>>   [4/4]: starting ntpd
>>> done configuring ntpd.
>>> Configuring directory server: Estimated time 1 minute
>>>   [1/30]: creating directory server user
>>>   [2/30]: creating directory server instance
>>>   [3/30]: adding default schema
>>>   [4/30]: enabling memberof plugin
>>>   [5/30]: enabling referential integrity plugin
>>>   [6/30]: enabling winsync plugin
>>>   [7/30]: configuring replication version plugin
>>>   [8/30]: enabling IPA enrollment plugin
>>>   [9/30]: enabling ldapi
>>>   [10/30]: configuring uniqueness plugin
>>>   [11/30]: configuring uuid plugin
>>>   [12/30]: configuring modrdn plugin
>>>   [13/30]: enabling entryUSN plugin
>>>   [14/30]: configuring lockout plugin
>>>   [15/30]: creating indices
>>>   [16/30]: configuring ssl for ds instance
>>> creation of replica failed: Could not find a CA cert in /tmp/tmp21VpT8ipa/realm_info/dscert.p12
>>>
>>> Your system may be partly configured.
>>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>>
>>> Where do I have to put the CA certificate ?
>>
>> It needs to be in the PKCS#12 file.
>>
>> rob
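Rob's point above, that the PKCS#12 handed to --dirsrv_pkcs12/--http_pkcs12 must carry the issuing CA and not just the server key and certificate, as an added shell example that is not code from the thread or from FreeIPA: it builds a throwaway CA and server certificate with openssl, produces one bundle without and one with the CA, and checks each the way a practitioner would before running ipa-replica-prepare. The PIN, file names and the demo subject names are constructed.

```shell
# Added example, not from the thread or from FreeIPA. Shows a PKCS#12 that
# would fail with "Could not find a CA cert in ...dscert.p12" beside one
# that the replica installer accepts. All names and the PIN are constructed.
set -eu

# Number of certificates stored in a PKCS#12 file. $1 = file, $2 = PIN.
p12_cert_count() {
    count=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
            | grep -c 'BEGIN CERTIFICATE' || true)
    echo "${count:-0}"
}

# Succeeds only when the bundle holds the server cert plus at least one
# issuer cert, which is what --dirsrv_pkcs12/--http_pkcs12 files need.
p12_has_ca() {
    [ "$(p12_cert_count "$1" "$2")" -ge 2 ]
}

# Demo CA and a server certificate signed by it, written into directory $1.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa2.example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Two bundles from the same key pair: $1/no-ca.p12 omits the CA, while
# $1/with-ca.p12 adds it with -certfile. $2 is the PIN later given as --dirsrv_pin.
build_bundles() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -name Server-Cert -out "$1/no-ca.p12" -passout "pass:$2"
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -certfile "$1/ca.crt" -name Server-Cert -out "$1/with-ca.p12" -passout "pass:$2"
}

# Stand-alone run: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_certs "$work"
    build_bundles "$work" replica-pin
    for f in no-ca.p12 with-ca.p12; do
        if p12_has_ca "$work/$f" replica-pin; then
            echo "$f: CA present ($(p12_cert_count "$work/$f" replica-pin) certs)"
        else
            echo "$f: CA missing, replica install would fail"
        fi
    done
    rm -rf "$work"
fi
```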
[Freeipa-users] Python Client

Hi:

Scenario:

1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)

The above user will not have IPA-specific attributes.

Can we use the Python Library, or CLI, to modify the account to IPA-ize it?

Thanks.
Re: [Freeipa-users] Python Client

On 02/08/2013 05:29 PM, It Meme wrote:
> Hi:
>
> Scenario:
>
> 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
>
> The above user will not have IPA-specific attributes.
>
> Can we use the Python Library, or CLI, to modify the account to IPA-ize it?

Is this an integration with the external provisioning system?
Do you need to do it in real time or in batches?

A simple solution that comes to mind is:
- to create users in a different sub tree in ipa temporarily
- run a cron job to inspect this area and translate the data in this temp entry into the arguments of the CLI add user command and then clean this temp area
  - ldap search
  - parse
  - ipa user-add
  - delete processed temp entries

The job can run at the cadence you think is reasonable - 30 min maybe?

> Thanks.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Python Client

On 02/08/2013 06:33 PM, It Meme wrote:
> Hi Dmitri:
>
> Yes, we are evaluating ways of provisioning users and their group memberships for Joiner, Mover, Leaver (JML) events. We were thinking of your suggestion as an option and your reply was very helpful.
>
> Our expected real-time scenario is probably 5 mins latency.
>
> Is it viable to explore provisioning accounts/groups to the destination tree via LDAP calls and a subsequent cron job runs, identifies the newly provisioned accounts, and applies modifications to create the IPA-specific attributes? Or is the temp folder the only option?

You can do either, I think it is more error prone for you to try to convert the user that is already inserted. You would have to make sure that all the attributes are in place. You would have to decompose the logic of the IPA user add and effectively re-implement it.

Another approach would be to build a simple bridge that would take an LDAP request and translate it into an IPA JSON request. Such a tool would be quite useful for us too. I am not sure how simple such a thing would be in reality though.

> Thank you for all your great help.
>
> On Fri, Feb 8, 2013 at 2:39 PM, Dmitri Pal <d...@redhat.com> wrote:
>> On 02/08/2013 05:29 PM, It Meme wrote:
>>> Hi:
>>>
>>> Scenario:
>>>
>>> 1) User is created via LDAP call to IPA (i.e. the 389 Directory Server)
>>>
>>> The above user will not have IPA-specific attributes.
>>>
>>> Can we use the Python Library, or CLI, to modify the account to IPA-ize it?
>>
>> Is this an integration with the external provisioning system?
>> Do you need to do it in real time or in batches?
>>
>> A simple solution that comes to mind is:
>> - to create users in a different sub tree in ipa temporarily
>> - run a cron job to inspect this area and translate the data in this temp entry into the arguments of the CLI add user command and then clean this temp area
>>   - ldap search
>>   - parse
>>   - ipa user-add
>>   - delete processed temp entries
>>
>> The job can run at the cadence you think is reasonable - 30 min maybe?
>>
>>> Thanks.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
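The staging-subtree job Dmitri sketches in this thread (ldap search, parse, ipa user-add, delete the processed temp entry), as an added shell example that is not code from the thread or from FreeIPA: a cron-run script that searches the temporary subtree, turns each complete entry into an ipa user-add call, and deletes the entry only after the add succeeded, skipping entries that lack the attributes user-add requires. The staging base, bind DN, password file and attribute set are assumptions, and the LDIF sample is constructed.

```shell
# Added example, not from the thread or from FreeIPA: the staging-subtree cron
# job outlined above. STAGING_BASE, BIND_DN, BIND_PW_FILE and the attributes
# mapped to ipa user-add are assumptions for this demonstration.
set -eu

STAGING_BASE="ou=staging,dc=example,dc=com"
BIND_DN="cn=provisioning,dc=example,dc=com"
BIND_PW_FILE="/etc/provisioning/bind.pw"

# Unwrapped LDIF on stdin -> one tab-separated row per entry:
# dn, uid, givenName, sn, mail. Entries missing uid, givenName or sn are
# dropped, because ipa user-add needs --first and --last.
ldif_to_tsv() {
    awk '
    function flush() {
        if (uid != "" && gn != "" && sn != "")
            printf "%s\t%s\t%s\t%s\t%s\n", dn, uid, gn, sn, mail
        dn = uid = gn = sn = mail = ""
    }
    /^$/           { flush(); next }
    /^dn: /        { dn   = substr($0, 5) }
    /^uid: /       { uid  = substr($0, 6) }
    /^givenName: / { gn   = substr($0, 12) }
    /^sn: /        { sn   = substr($0, 5) }
    /^mail: /      { mail = substr($0, 7) }
    END            { flush() }'
}

# One cron run. Directory values reach ipa and ldapdelete as separate argv
# words, never re-parsed by the shell; a failed add leaves the entry for retry.
process_staging() {
    ldapsearch -LLL -x -o ldif-wrap=no -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$STAGING_BASE" '(objectClass=inetOrgPerson)' uid givenName sn mail \
    | ldif_to_tsv \
    | while IFS="$(printf '\t')" read -r dn uid gn sn mail; do
        set -- "$uid" --first="$gn" --last="$sn"
        [ -n "$mail" ] && set -- "$@" --email="$mail"
        if ipa user-add "$@"; then
            ldapdelete -x -D "$BIND_DN" -y "$BIND_PW_FILE" "$dn"
        else
            echo "user-add failed for $uid; $dn left in staging" >&2
        fi
    done
}

# Constructed sample of a staging search: two complete entries, one without sn.
SAMPLE_LDIF='dn: uid=jdoe,ou=staging,dc=example,dc=com
uid: jdoe
givenName: Jane
sn: Doe
mail: jdoe@example.com

dn: uid=incomplete,ou=staging,dc=example,dc=com
uid: incomplete
givenName: Only

dn: uid=rsmith,ou=staging,dc=example,dc=com
uid: rsmith
givenName: Rob
sn: Smith'

# Stand-alone run (sh this_file.sh --demo) prints the parsed rows offline.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LDIF" | ldif_to_tsv
fi
```

process_staging is the function to schedule from cron; the demo path only exercises the parser against the constructed sample.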
Re: [Freeipa-users] Unable to enrol servers with principal

Yes the times on the ipa server and ipa client are in sync with our NTP source

Thanks
Charlie

On Sat, Feb 9, 2013 at 1:07 AM, Dmitri Pal <d...@redhat.com> wrote:
> On 02/08/2013 07:47 PM, Charlie Derwent wrote:
>> Hi
>>
>> Whenever I attempt an unattended installation with a principal and password, the installation fails. I'm using the following syntax for my command
>>
>> ipa-client-install --domain=example.com --server=ipa.example.com --realm=EXAMPLE.COM --principal=user --password=pass -U --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>>
>> The error I get varies between (in order of frequency)
>>
>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>>
>> and
>>
>> kinit(v5): Password incorrect while getting initial credentials
>>
>> and
>>
>> Password expired. you must change it now.
>> kinit(v5): Cannot read password while getting initial credentials
>>
>> The password is 100% right as I can kinit on other servers and access the webgui with the same details. OTP's work flawlessly.
>>
>> ipa-client = tried with 2.1.3-1.el5 and 2.1.3-5.el5_9.2 (RHEL 5.8)
>> ipa-server = 2.2.0-16.el6 (RHEL 6.3)
>
> I assume this happens on the newly installed system...
> Is the time on the system correct?
>
>> Thanks,
>> Charlie
Re: [Freeipa-users] creating group via CLI

2013/2/8 John Dennis <jden...@redhat.com>:
> On 02/07/2013 08:42 PM, Umarzuki Mochlis wrote:
>> Hi,
>>
>> Is it possible to create groups and add users to that group via CLI? So far, I could not find any sample command on doing that.
>
> The ipa CLI has help
>
> % ipa help user
> % ipa help group
> % ipa help user-add
>
> etc.

thanks, i'll check it out

--
Regards,

Umarzuki Mochlis
http://debmal.my