Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
On Mon, Oct 12, 2015 at 08:13:29PM +, Andy Thompson wrote:
>
> > The company I work for uses AD 2008R2 DC to resolve requests for
> > Unix/Linux servers in various environments, under one domain
> > example.com, with the Realm EXAMPLE.COM ?
> >
> > Is it possible to use Freeipa 4.1.0, with an AD-Trust with only itself as
> > a name server and forwarding all DNS requests to the windows DC's and still
> > keep everything in the example.com domain without creating a child domain
> > like ipa.example.com ?
> >
> > http://www.freeipa.org/page/Active_Directory_trust_setup
> >
> > Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
> >
> > and change the install IPA server command to
> >
> > ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
>
> No. The IPA domain has to be different than the AD domain.

However, if the concern is more about users not wanting to see the ipa.example.com in servers' hostnames than the underlying technology, CNAMEs pointing to that IPA-managed domain can be used to present flat structure to users:

server.example.com -> server.ipa.example.com

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
On Tue, 13 Oct 2015, Petr Spacek wrote:
> On 12.10.2015 22:20, Alexander Bokovoy wrote:
> > On Mon, 12 Oct 2015, Andy Thompson wrote:
> > > > -----Original Message-----
> > > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Hoffmaster, John
> > > > Sent: Monday, October 12, 2015 3:46 PM
> > > > To: freeipa-users@redhat.com
> > > > Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
> > > >
> > > > Hi,
> > > >
> > > > The company I work for uses AD 2008R2 DC to resolve requests for
> > > > Unix/Linux servers in various environments, under one domain
> > > > example.com, with the Realm EXAMPLE.COM ?
> > > >
> > > > Is it possible to use Freeipa 4.1.0, with an AD-Trust with only itself as
> > > > a name server and forwarding all DNS requests to the windows DC's and still
> > > > keep everything in the example.com domain without creating a child domain
> > > > like ipa.example.com ?
> > > >
> > > > http://www.freeipa.org/page/Active_Directory_trust_setup
> > > >
> > > > Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
> > > >
> > > > and change the install IPA server command to
> > > >
> > > > ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
> > > >
> > > > Thanks,
> > >
> > > No. The IPA domain has to be different than the AD domain.
> > This is true for any two separate Active Directory forests, and as IPA
> > represents itself as a separate AD forest for the trust relationship, it
> > is forced to follow Active Directory requirements.
>
> In other words, IPA itself needs one separate domain for SRV records and
> other stuff. Client machines may have hostnames in different domains as
> long as there is 1:1 mapping between domain->REALM (AD/IPA).

Yep. Let's say explicitly:

- IPA machines cannot belong to any domain of AD forest -- in terms of DNS
  this means they cannot have A/AAAA records in any AD domain's DNS zone;
- IPA machines may have CNAMEs in an AD domain's DNS zone that point to
  A/AAAA records in IPA DNS zones.

If you follow these two rules, you'll have single sign-on working between
IPA and AD through the cross-forest trust.
--
/ Alexander Bokovoy
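The two rules above (no A/AAAA for IPA hosts in an AD zone; CNAMEs in the AD zone pointing into the IPA zone are fine) are easy to get wrong once a few aliases accumulate, so here is an added example of a small audit script. It is not part of the thread or of the FreeIPA project; the zone assignments (example.com as the AD zone, ipa.example.com as the IPA zone) and every record in it are constructed for illustration:

```python
"""Added example: audit constructed DNS records against the two DNS rules for
IPA-enrolled hosts in a cross-forest trust.  Nothing here is project code."""

# Assumed zone ownership, modelled on the thread's names.
ZONES = {"example.com": "AD", "ipa.example.com": "IPA"}

# Constructed records as (owner name, type, rdata).
RECORDS = [
    ("server.ipa.example.com", "A", "192.0.2.10"),
    ("server.example.com", "CNAME", "server.ipa.example.com"),   # allowed: CNAME in AD zone -> IPA zone
    ("badhost.example.com", "A", "192.0.2.11"),                  # violation: A record in the AD zone
    ("alias1.example.com", "CNAME", "alias2.example.com"),
    ("alias2.example.com", "CNAME", "alias1.example.com"),       # CNAME loop
    ("ghost.example.com", "CNAME", "missing.ipa.example.com"),   # dangling alias
]


def zone_of(name, zones=ZONES):
    """Longest-suffix match, so a host in ipa.example.com is not mis-filed under example.com."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(name, records=RECORDS, max_hops=8):
    """Follow CNAMEs from `name` to the owner of the final A/AAAA data.
    Returns (final_name, [addresses]); raises ValueError on a loop, a dangling
    chain, or a CNAME that shares its owner with other data (RFC 1034 forbids that)."""
    seen = []
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        rrs = [(t, v) for n, t, v in records if n == name]
        cnames = [v for t, v in rrs if t == "CNAME"]
        addrs = [v for t, v in rrs if t in ("A", "AAAA")]
        if cnames and (addrs or len(cnames) > 1):
            raise ValueError(f"{name}: CNAME must be the only record at its owner")
        if cnames:
            name = cnames[0]
            continue
        if not addrs:
            raise ValueError(f"{name}: no A/AAAA record (dangling)")
        return name, addrs


def audit_ipa_host(name, records=RECORDS, zones=ZONES):
    """'ok' when the A/AAAA data for an IPA-enrolled host lives in an IPA zone,
    reached directly or through CNAMEs in AD zones; otherwise a diagnostic."""
    try:
        final, _ = resolve(name, records)
    except ValueError as exc:
        return f"error: {exc}"
    zone = zone_of(final, zones)
    kind = zones.get(zone)
    if kind != "IPA":
        return f"violation: A/AAAA for {final} is in {kind or 'unknown'} zone {zone}"
    return "ok"


if __name__ == "__main__":
    for host in ("server.ipa.example.com", "server.example.com",
                 "badhost.example.com", "alias1.example.com", "ghost.example.com"):
        print(f"{host:28} {audit_ipa_host(host)}")
```

Feed it the names your clients are enrolled under (the value in /etc/hostname, which is what the Kerberos host principal is built from) together with a dump of both zones; a "violation" line means that host's forward data sits in the AD zone and the trust rules above are not met.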
Re: [Freeipa-users] SUDO does not always works on first try
Hi Jakub,

thanks for looking through the data. I can not access the bug you mentioned. I already created an account for Bugzilla, but so far nothing.

In the second query there is a group which isn't present in the first one ((sudoUser=%ug_freeipa-administrators_int)). This is the IPA-equivalent of the AD-Group (ug_freeipa-administrators). AD -> IPA_EXT -> IPA_INT

The second command you mentioned works and returns the correct passwd entry for my user. The first command is not found on the client.

Best regards,
Fabian

From: Jakub Hrozek [jhro...@redhat.com]
Sent: Monday, October 12, 2015 11:47
To: Zoske, Fabian
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] SUDO does not always works on first try

On Fri, Oct 09, 2015 at 11:04:15AM +, Zoske, Fabian wrote:
> Hi Jakub,
>
> I increased the log level in every SSSD section to 6 and got following
> output, hope that helps.
>
> KRB5_CHILD.LOG: https://s.mit42.de/IR6tu

All is OK here..

>
> SSSD_SUDO.LOG (two tries are logged in it): https://s.mit42.de/WF1Jl

So the interesting part is that the first try doesn't match any rules for the user:

(Fri Oct 9 12:24:09 2015) [sssd[sudo]] [sysdb_search_group_by_gid] (0x0400): No such entry
(Fri Oct 9 12:24:09 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=+*)))]
(Fri Oct 9 12:24:09 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [f.zo...@de.eu.local]

While the second does:

(Fri Oct 9 12:24:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=%admins)(sudoUser=%ug_freeipa-administrators_int)(sudoUser=+*)))]
(Fri Oct 9 12:24:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [f.zo...@de.eu.local]

It would be interesting to see the dump of the cache from when 0 rules are returned. I suspect the user's membership wouldn't be correct, which might be because of the bug I linked earlier.

>
> SSSD_IPA-LX.COM: https://s.mit42.de/frBvx

There are some failures here:

(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: No such object(32), (null)
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=*]
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa-lx.com] to [de.eu.local]
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Oct 9 12:24:19 2015) [sssd[be[ipa-lx.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: No such object(32), (null)

But I think this is a really minor bug we fixed later where we marked requests as failed if they simply didn't find anything. If this works without issues:

$ sss_cache -u f.zo...@de.eu.local
$ getent passwd f.zo...@de.eu.local

Then you can ignore those..
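Jakub's diagnosis rests on comparing the sudoUser terms of the two sysdb queries, which is tedious to do by eye in a long sssd_sudo.log. The following is an added example (not part of the thread, not sssd or FreeIPA code) that extracts and diffs those terms; the two sample lines are copied from the messages above, with the addresses elided exactly as the archive shows them:

```python
"""Added example: diff the sudoUser terms of two sssd_sudo cache queries to
see which memberships were missing on the first attempt."""
import re

# Constructed from the two query lines quoted in the thread.
FIRST_TRY = (
    "(Fri Oct 9 12:24:09 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): "
    "Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)"
    "(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)"
    "(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=+*)))]"
)
SECOND_TRY = (
    "(Fri Oct 9 12:24:14 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): "
    "Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=f.zo...@de.eu.local)"
    "(sudoUser=#1948403038)(sudoUser=%ug_freeipa-administrat...@de.eu.local)"
    "(sudoUser=%domänen-benut...@de.eu.local)(sudoUser=%admins)"
    "(sudoUser=%ug_freeipa-administrators_int)(sudoUser=+*)))]"
)

_QUERY = re.compile(r"Searching sysdb with \[(.*)\]\s*$")
_TERM = re.compile(r"\(sudoUser=([^)]*)\)")          # sudoUser values never contain ')'
_RULES = re.compile(r"Returning (\d+) rules for \[([^\]]*)\]")


def sudo_user_terms(line):
    """Set of sudoUser values sssd put into one sysdb filter."""
    m = _QUERY.search(line)
    if not m:
        raise ValueError("not a sudosrv_get_sudorules_query_cache line")
    return set(_TERM.findall(m.group(1)))


def classify(term):
    """sudoers semantics of a sudoUser term: %group, #uid, +netgroup, ALL, or a user name."""
    if term == "ALL":
        return "everyone"
    if term.startswith("%"):
        return "group"
    if term.startswith("#"):
        return "uid"
    if term.startswith("+"):
        return "netgroup"
    return "user"


def compare_queries(first, second):
    """Terms present in only one of the two queries, tagged with their kind."""
    a, b = sudo_user_terms(first), sudo_user_terms(second)
    return {
        "missing_in_first": sorted((t, classify(t)) for t in b - a),
        "missing_in_second": sorted((t, classify(t)) for t in a - b),
    }


def rules_returned(line):
    """(count, user) from a sudosrv_get_sudorules_from_cache line, or None."""
    m = _RULES.search(line)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    for key, terms in compare_queries(FIRST_TRY, SECOND_TRY).items():
        print(key, terms)
```

Run it over the pairs of query lines around each failed and succeeded sudo call; groups that show up only under "missing_in_first" are the memberships sssd had not resolved yet when the first lookup ran, which is where to look in the domain log and the cache dump Jakub asks for.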
Re: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
On 12.10.2015 22:20, Alexander Bokovoy wrote:
> On Mon, 12 Oct 2015, Andy Thompson wrote:
>>
>>
>>> -----Original Message-----
>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Hoffmaster, John
>>> Sent: Monday, October 12, 2015 3:46 PM
>>> To: freeipa-users@redhat.com
>>> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>>>
>>> Hi,
>>>
>>> The company I work for uses AD 2008R2 DC to resolve requests for
>>> Unix/Linux servers in various environments, under one domain
>>> example.com, with the Realm EXAMPLE.COM ?
>>>
>>> Is it possible to use Freeipa 4.1.0, with an AD-Trust with only itself as
>>> a name server and forwarding all DNS requests to the windows DC's and still
>>> keep everything in the example.com domain without creating a child domain
>>> like ipa.example.com ?
>>>
>>> http://www.freeipa.org/page/Active_Directory_trust_setup
>>>
>>> Add for RedHat 7, use hostnamectl set-hostname ipa.example.com
>>>
>>> and change the install IPA server command to
>>>
>>> ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=example.com --setup-dns --forwarder=AD_ipaddress
>>>
>>> Thanks,
>>>
>>
>> No. The IPA domain has to be different than the AD domain.
> This is true for any two separate Active Directory forests, and as IPA
> represents itself as a separate AD forest for the trust relationship, it
> is forced to follow Active Directory requirements.

In other words, IPA itself needs one separate domain for SRV records and other stuff. Client machines may have hostnames in different domains as long as there is 1:1 mapping between domain->REALM (AD/IPA).

--
Petr^2 Spacek
[Freeipa-users] ipa-server-install fails at last leg?
dear all,

my first try at ipa server, I get this when install fails:

[15/16]: restarting httpd
[error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1

then I can see that httpd fails to restart for:

Starting The Apache HTTP Server...
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:8443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:8443
no listening sockets available, shutting down

and port is bound by:

UID     PID  PPID  C    SZ    RSS PSR STIME TTY      TIME CMD
pkiuser 5330 1     1 2128224 494604 5 11:00 ?    00:00:16 java -agentpath:/usr/lib64/libabrt-java-connector.so=abrt=on -DRESTEASY_LIB=/usr/share/java/resteasy-base -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

and this, as you can see, is the process resulting from the ipa-server-install itself.

Any suggestions as what is the problem there?

many thanks.
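The useful fact in the report above is the mapping from the port httpd could not bind to the process that already holds it. When `ss`, `lsof` or `netstat` are not installed on a freshly kicked server, the same answer is available from /proc alone. The following is an added example of that lookup (not part of the thread and not FreeIPA code); the /proc/net/tcp sample is constructed so the parser can be exercised offline, with a listener on 8443 owned by a made-up uid and inode, a listener on 389, and one established connection on 8443 that must not be reported as a listener:

```python
"""Added example: find which process listens on a TCP port using only /proc."""
import os
import socket
import struct

LISTEN = "0A"   # kernel state code for TCP_LISTEN in /proc/net/tcp{,6}

# Constructed sample in /proc/net/tcp layout; 20FB hex is port 8443, 0185 is 389.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:20FB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   993        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0185 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   2: 0A000005:20FB 0A000007:C3A1 01 00000000:00000000 00:00000000 00000000   993        0 41240 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """Decode 'HEXADDR:HEXPORT'. The kernel prints the address in host byte order;
    little-endian (x86, ARM) is assumed. IPv6 is four little-endian 32-bit words."""
    hex_ip, hex_port = field.rsplit(":", 1)
    if len(hex_ip) == 8:
        ip = socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(hex_ip, 16)))
    else:
        words = [int(hex_ip[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row of /proc/net/tcp or /proc/net/tcp6 (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = decode_addr(f[1])
        rows.append({"ip": ip, "port": port, "state": f[3], "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listeners_on(port, text):
    """Socket inodes in LISTEN state bound to `port` on any address."""
    return [r["inode"] for r in parse_proc_net_tcp(text) if r["port"] == port and r["state"] == LISTEN]


def pid_for_inode(inode, proc="/proc"):
    """Process whose fd table holds socket:[inode]. Other users' fd tables are only
    readable as root, which is the privilege ipa-server-install runs with anyway."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                                  # no permission, or the process exited
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def who_holds_port(port, proc="/proc"):
    """[(pid, cmdline)] for every listener on `port`, from both the tcp and tcp6 tables."""
    holders = []
    for table in ("tcp", "tcp6"):
        path = os.path.join(proc, "net", table)
        if not os.path.exists(path):
            continue
        with open(path) as fh:
            inodes = listeners_on(port, fh.read())
        for inode in inodes:
            pid = pid_for_inode(inode, proc)
            cmdline = ""
            if pid is not None:
                try:
                    with open(os.path.join(proc, str(pid), "cmdline"), "rb") as fh:
                        cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
                except OSError:
                    pass
            holders.append((pid, cmdline))
    return holders


if __name__ == "__main__":
    for pid, cmd in who_holds_port(8443) or [(None, "nothing is listening on 8443")]:
        print(pid, cmd[:120])
```

Running `who_holds_port(8443)` as root on the failing server gives the same answer as the ps listing above, and the same function on 80, 88, 389, 443, 464 and 636 before starting the installer tells you whether anything else on the box is going to collide with the services IPA sets up.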
Re: [Freeipa-users] import debian (salted SHA-512) password
On 10/13/2015 02:35 AM, Simo Sorce wrote:
> On 11/10/15 21:39, Benjamin Reed wrote:
>> On 10/11/15 12:59 PM, Benjamin Reed wrote:
>>> ...but I'm not sure exactly what format to use to import a
>>> "$6$salt$hash" style password from an existing debian system.
>>
>> Just a note for future folks trying to do this, I was able to do it by
>> enabling adding users with {CRYPT}:
>>
>> ipa config-mod --enable-migration=1
>> ipa user-add \
>> --first=John --last=Doe \
>> --setattr userPassword='{CRYPT}$6$salt$hash' john_doe
>>
>> Now I just need them to ssh in once to initialize kerberos passwords, right?
>
> That's all you need if you are in migration mode and the server they log in
> is configured with SSSD.
>
> Simo.

... or use the Web service:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Migrating_from_a_Directory_Server_to_IPA.html#webpage-pwd-migr
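Benjamin's recipe covers one user; for a whole Debian box you want the commands generated from /etc/passwd and /etc/shadow, with locked accounts, accounts without a password and hashes in a scheme other than sha512-crypt left out instead of imported as unusable {CRYPT} strings. The following is an added example of that generator (not from the thread, not FreeIPA code). The passwd and shadow lines are constructed, and `$6$salt$hash` stands in for a real hash exactly as in Benjamin's message; the only FreeIPA commands it emits are the two he used:

```python
"""Added example: build the ipa user-add commands that import existing
sha512-crypt hashes verbatim, skipping accounts that cannot be imported."""
import shlex

# Constructed sample data in /etc/passwd and /etc/shadow format.
PASSWD = """\
john_doe:x:1001:1001:John Doe,,,:/home/john_doe:/bin/bash
svc_backup:x:1002:1002:Backup Service:/var/backup:/usr/sbin/nologin
nobody_yet:x:1003:1003::/home/nobody_yet:/bin/bash
"""
SHADOW = """\
john_doe:$6$salt$hash:16700:0:99999:7:::
svc_backup:!:16700:0:99999:7:::
nobody_yet:$6$s2$h2:16700:0:99999:7:::
"""


def usable_crypt_hash(shadow_field):
    """Importable only when the field is a sha512-crypt string, the format the
    thread imports as {CRYPT}. '!', '!!', '*' and '' are locked or passwordless
    accounts; any other prefix is a different scheme and is not handled here."""
    return shadow_field if shadow_field.startswith("$6$") else None


def names_from_gecos(gecos):
    """ipa user-add needs --first and --last; take them from 'First Last,...'."""
    full = gecos.split(",")[0].strip()
    first, _, last = full.partition(" ")
    return first, last


def ipa_user_add_argv(passwd_line, shadow_line):
    """(argv, None) for an importable account, or (None, reason) when it is skipped."""
    p, s = passwd_line.split(":"), shadow_line.split(":")
    if p[0] != s[0]:
        raise ValueError(f"passwd/shadow mismatch: {p[0]} vs {s[0]}")
    h = usable_crypt_hash(s[1])
    if h is None:
        return None, "no importable hash (locked, empty or not sha512-crypt)"
    first, last = names_from_gecos(p[4])
    if not (first and last):
        return None, "GECOS lacks 'First Last'; ipa user-add needs --first and --last"
    argv = ["ipa", "user-add", f"--first={first}", f"--last={last}",
            "--setattr", f"userPassword={{CRYPT}}{h}", p[0]]
    return argv, None


def migration_plan(passwd_text=PASSWD, shadow_text=SHADOW):
    """(commands, skipped): shell-quoted command lines, and (user, reason) pairs."""
    shadow_by_user = {l.split(":")[0]: l for l in shadow_text.splitlines() if l.strip()}
    commands = ["ipa config-mod --enable-migration=1"]   # as on the page; needed once
    skipped = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user = line.split(":")[0]
        if user not in shadow_by_user:
            skipped.append((user, "no shadow entry"))
            continue
        argv, why = ipa_user_add_argv(line, shadow_by_user[user])
        if argv is None:
            skipped.append((user, why))
        else:
            commands.append(shlex.join(argv))
    return commands, skipped


if __name__ == "__main__":
    cmds, skipped = migration_plan()
    print("\n".join(cmds))
    for user, why in skipped:
        print(f"# skipped {user}: {why}")
```

Review the generated plan before piping it to a shell; like the one-liner in the thread it puts each hash on the command line, so run it on the IPA server from a session whose history is not kept. As Simo says above, the accounts then still need one login through an SSSD-configured server while migration mode is on for their Kerberos keys to be created.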
[Freeipa-users] OAuth2
Is it supported?

Ben
Re: [Freeipa-users] OAuth2
Ben Francis wrote:
> Is it supported?

No but you should be able to use IPA as an identity backend for an OAuth2 (or other Federation) provider.

rob
Re: [Freeipa-users] Looking to test one-way trust
On Tue, 13 Oct 2015, Michael Barkdoll wrote:
> Hello,
>
> I've successfully setup a two-way trust between FreeIPA and AD. My
> understanding is that FreeIPA is currently or planning to support Global
> Cataloging. I'm looking to implement a one-way trust between AD and FreeIPA
> to remove security concerns with my AD administrators in my organization.

You didn't specify what FreeIPA version you are talking about. One-way trust is implemented in FreeIPA 4.2 (4.2.2 right now, RHEL 7.2 beta has it under 'ipa-server-4.2.0-*' package).

> My questions are as follows:
>
> 1) Is there a guide/post that I can follow for setting up a one-way trust
> between FreeIPA and AD?

In FreeIPA 4.2+ one-way trust is the default. So if you want to establish trust and don't specify --bi-directional flag, you are establishing one-way trust. For earlier-established trust relationship, you need to re-run 'ipa trust-add' again to convert to one-way.

> 2) What type of trust is being created on the AD side, is it a cross-forest
> outgoing trust to the FreeIPA server from the AD server?

Yes. Instead of creating both legs of the trust, only one of them is created.

--
/ Alexander Bokovoy
[Freeipa-users] Looking to test one-way trust
Hello,

I've successfully setup a two-way trust between FreeIPA and AD. My understanding is that FreeIPA is currently or planning to support Global Cataloging. I'm looking to implement a one-way trust between AD and FreeIPA to remove security concerns with my AD administrators in my organization.

My questions are as follows:

1) Is there a guide/post that I can follow for setting up a one-way trust between FreeIPA and AD?

2) What type of trust is being created on the AD side, is it a cross-forest outgoing trust to the FreeIPA server from the AD server?

Thanks for your kind time,

Michael Barkdoll
Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert
Still having issues...if I can still have assistance with this

getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=IPA RA,O=ITMODEV.GOV
        expires: 2013-10-09 11:45:01 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20150921154714':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
        track: yes
        auto-renew: yes

-----Original Message-----
From: Gronde, Christopher (Contractor)
Sent: Thursday, October 08, 2015 2:06 PM
To: 'Rob Crittenden'
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ipa service was not running...I attempted to start it.

# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Shutting down dirsrv:
    ITMODEV-GOV...                                         [  OK  ]
Aborting ipactl

Ntpd is still stopped but date was back to today so I changed the date back to 9/21 and started ipa services

# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...                                         [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [  OK  ]

# service ipa start
Starting Directory Service
Starting dirsrv:
Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
I usually try not to. On the other side I see that many important fixes are coming with major/minor releases, and trying to figure out my course of actions until fixes and/or release become available.

Regards,

Andrey Ptashnik

On 10/12/15, 7:46 PM, "freeipa-users-boun...@redhat.com on behalf of Steven Jones" wrote:

>Hi,
>
>IPA is a complex beast, you would be brave/foolish to upgrade it outside of
>the Redhat support matrix.
>
>Also I would / will wait 1~2 months before upgrading to 7.2 so any serious
>bugs/issues are found by someone else.
>
>regards
>
>Steven
>
>
>From: freeipa-users-boun...@redhat.com on
>behalf of Andrey Ptashnik
>Sent: Tuesday, 13 October 2015 8:43 a.m.
>To: Alexander Bokovoy
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Correct upgrade steps for IPA server 4.1.0
>
>I see, so your best advice is to wait for official release of 7.2 and upgrade
>all at once even if I need just a few simple fixes like “search for non-admin
>users” and etc…?
>
>Are there any approximate timeline for 7.2 release?
>
>Regards,
>
>Andrey Ptashnik
>
>
>
>
>
>On 10/12/15, 2:10 PM, "Alexander Bokovoy" wrote:
>
>>On Mon, 12 Oct 2015, Andrey Ptashnik wrote:
>>>If we have a production environment, is it a safe move to upgrade to 7.2 Beta?
>>Beta is for testing new features, not for production yet.
>>
>>>And then still question remains what are correct steps to go from 4.1.0 to
>>>4.2.0?
>>As Rob said, you do package updates and as part of that process an
>>upgrade will be done. There is no specific upgrade path instructions
>>between 4.1 and 4.2, unlike between 3.0 and 3.3+.
>>
>>--
>>/ Alexander Bokovoy
Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert
So over the weekend time on the server changed back to normal so I set the time back again and tried to restart the ipa service and I get the following

#service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...                                         [FAILED]
  *** Error: 1 instance(s) failed to start
Failed to start Directory Service: Command '/sbin/service dirsrv start ' returned non-zero exit status 1

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gronde, Christopher (Contractor)
Sent: Tuesday, October 13, 2015 10:50 AM
To: Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

Still having issues...if I can still have assistance with this

getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=IPA RA,O=ITMODEV.GOV
        expires: 2013-10-09 11:45:01 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20150921154714':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ITMODEV-GOV/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
        track: yes
        auto-renew: yes

-----Original Message-----
From: Gronde, Christopher (Contractor)
Sent: Thursday, October 08, 2015 2:06 PM
To: 'Rob Crittenden'
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ipa service was not running...I attempted to start it.

# service ipa start
Starting Directory Service
Starting dirsrv:
    ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
                                                           [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:                                   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:                          [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:                                    [  OK  ]
Starting HTTP Service
Starting httpd:                                            [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping ipa_memcached:                                    [  OK  ]
Stopping httpd:                                            [FAILED]
Shutting
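The three `getcert list` entries quoted in Christopher's messages carry everything needed to see why the server will not come up (one expired RA certificate, one expired and unreachable-CA Server-Cert, one stuck request), but the format is meant for eyes, not scripts. The following is an added example of a parser and triage pass for that output; it is not part of the thread and not certmonger or FreeIPA code. The sample text is a reconstruction of the three requests exactly as quoted above, laid out the way getcert prints them, and the "MONITORING" status it treats as healthy is certmonger's steady state for a tracked certificate:

```python
"""Added example: parse `getcert list` output and flag requests that need
attention (expired, about to expire, stuck, not monitoring, CA errors)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the three requests quoted in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20150922143354':
        status: NEED_TO_SUBMIT
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=ITMODEV.GOV
        subject: CN=IPA RA,O=ITMODEV.GOV
        expires: 2013-10-09 11:45:01 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20151007150853':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'ITMODEV.GOV'.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
Request ID '20150921154714':
        status: NEED_CA
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-ITMODEV-GOV',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=comipa02.itmodev.gov,O=ITMODEV.GOV
        expires: 2015-09-23 17:46:26 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ITMODEV-GOV
"""

_REQ = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """{request_id: {field: value}} from `getcert list` text; the first ':' on a
    field line separates key from value, so paths and ca-error text stay intact."""
    requests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _REQ.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def at(day):
    """Helper: aware UTC datetime for a 'YYYY-MM-DD' string."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _expiry(value):
    return datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def _nickname(storage):
    m = re.search(r"nickname='([^']*)'", storage)
    return m.group(1) if m else ""


def triage(text, now, warn_days=28):
    """{request_id: {nickname, subject, reasons}} for every request that is not
    simply MONITORING a valid certificate."""
    findings = {}
    for rid, f in parse_getcert_list(text).items():
        reasons = []
        if f.get("status") != "MONITORING":
            reasons.append(f"status {f.get('status', '?')}")
        if f.get("stuck") == "yes":
            reasons.append("stuck")
        if f.get("ca-error"):
            reasons.append("ca-error: " + f["ca-error"])
        if f.get("expires"):
            exp = _expiry(f["expires"])
            if exp <= now:
                reasons.append(f"expired {f['expires']}")
            elif exp - now < timedelta(days=warn_days):
                reasons.append(f"expires within {warn_days} days ({f['expires']})")
        if reasons:
            findings[rid] = {"nickname": _nickname(f.get("certificate", "")),
                             "subject": f.get("subject", ""), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for rid, info in triage(SAMPLE, at("2015-10-13")).items():
        print(rid, info["nickname"], info["subject"])
        for reason in info["reasons"]:
            print("   ", reason)
```

Pointed at the live output of `getcert list` on each IPA server and run from cron with `datetime.now(timezone.utc)` as `now`, this turns a certificate that is about to lapse into an alert weeks before the whole stack refuses to start, which is the situation the thread is trying to recover from.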
[Freeipa-users] shared ip space for iDM and AD
Our environment is mostly Linux servers but we do have some Windows servers running MSSQL. A co-worker spun up Active Directory Domain Controllers without conferring with me and the Windows boxes are all on one of the VLAN private LAN networks used by FreeIPA. Thus we not only have reverse DNS servers in FreeIPA but also in Active Directory.

Is it possible to have Active Directory use the reverse DNS servers on iDM/FreeIPA?

Craig White
System Administrator
O 623-201-8179 M 602-377-9752
SkyTouch Technology
4225 E. Windrose Dr. Phoenix, AZ 85032