[Freeipa-users] ipa and puppet

2013-09-18 Thread Jakub Bittner

Hi,

we are testing FreeIPA and we are wondering if anyone knows how to edit the
LDAP tree (or what to do) to be able to store Puppet nodes in IPA's LDAP.


I found this RFE on Red Hat Bugzilla, but I do not understand it very well.
https://bugzilla.redhat.com/show_bug.cgi?id=805368


Thank you for any hint.


Jakub Bittner

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] ipa-client-install certutil failure

2013-03-05 Thread Jakub Bittner

Hello,

I am using IPA version 3.0 on the server, and if I want to install on Ubuntu
with ipa-client-install, at the end this certutil command fails:

/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt


If I try it manually it says:

certutil: function failed: The certificate/key database is in an old, unsupported format.


I don't know what I need nssdb for. Is there a way to recreate this
nssdb file?



Thank you
Jakub Bittner



Re: [Freeipa-users] ipa-client-install certutil failure

2013-03-05 Thread Jakub Bittner

On 5.3.2013 16:06, Rob Crittenden wrote:

> Bittner Jakub wrote:
>> On 5.3.2013 14:43, Rob Crittenden wrote:
>>> Jakub Bittner wrote:
>>>> Hello,
>>>>
>>>> I am using IPA version 3.0 on server and if I want to install on ubuntu
>>>> with ipa-client-install certutil in the end this command
>>>> /usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t CT,C,C -a -i
>>>> /etc/ipa/ca.crt fails.
>>>>
>>>> If I try it manually it says:
>>>>
>>>> certutil: function failed: The certificate/key database is in an old,
>>>> unsupported format.
>>>>
>>>> I don't know for what I need nssdb. Is there a way how to recreate this
>>>> nssdb file?
>>>
>>> Is it safe to assume that there is no NSS database in /etc/pki/nssdb
>>> (the certutil error msgs are horrible)? There should be 3 .db files,
>>> keyX.db, certY.db and secmod.db.
>>>
>>> To create an empty one do:
>>>
>>> certutil -N -d /etc/pki/nssdb
>>>
>>> You can set no password on this by pressing ENTER twice at the password
>>> prompts.
>>>
>>> These files are typically root:root mode 644.
>>>
>>> rob
>>
>> Thank you for the reply. I overcame this issue, but I have a problem with
>> changing the password on Ubuntu. I can log in, I can see GID, UID and so
>> on, but I cannot change the password.
>
> How are you trying to change the password? What output do you get when
> it fails?
>
> Is there anything in system logs related to this? /var/log/secure,
> /var/log/messages.
>
> Does password change work on other clients (e.g. if you have a Fedora
> client, does that work?)
>
> rob




I do this procedure:

passwd
Current Password:
Password change failed. Server message: Password is too short

Password not changed.
passwd: Authentication Token Manipulation Error
passwd: password unchanged


In /var/log/auth.log is:

Mar  5 16:12:56 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user bitj does not exist in /etc/passwd
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_unix(passwd:chauthtok): user bitj does not exist in /etc/passwd
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): system info: [Generic error (see e-text)]
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Password is too short#012#012Password not changed.
Mar  5 16:12:59 b125-test-201 passwd[23994]: pam_sss(passwd:chauthtok): Password change failed for user bitj: 20 (Authentication Token Manipulation Error)




In Wireshark:

15769.952337  ipa.domain.cz  client.domain.cz  KRB5  366  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED



P.S.
Generic error (see e-text). I don't know what or where the e-text is.


Thank you,
Jakub Bittner
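
Rob's reply quoted in the message above names the files an NSS database directory should contain and their usual permissions. As an added example (not from the thread or from FreeIPA), this shell script reports which state a directory is in before `certutil -N` is run against it; the function names are hypothetical, and the file names assumed are the standard NSS ones for the legacy DBM format (cert8.db, key3.db, secmod.db) and the SQLite format (cert9.db, key4.db, pkcs11.txt).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the state of an NSS database directory:
#   no-directory | empty | legacy-dbm | sql | incomplete
nssdb_state() {
    d=$1
    if [ ! -d "$d" ]; then echo "no-directory"; return 0; fi
    legacy=0; sql=0
    for f in cert8.db key3.db secmod.db; do      # legacy DBM file set
        if [ -f "$d/$f" ]; then legacy=$((legacy + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do     # SQLite file set
        if [ -f "$d/$f" ]; then sql=$((sql + 1)); fi
    done
    if [ "$legacy" -eq 0 ] && [ "$sql" -eq 0 ]; then
        echo "empty"        # candidate for: certutil -N -d "$d"
    elif [ "$sql" -eq 3 ]; then
        echo "sql"
    elif [ "$legacy" -eq 3 ]; then
        echo "legacy-dbm"
    else
        echo "incomplete"   # partial file set; do not overwrite blindly
    fi
}

# List database files that are not world-readable. The reply says these
# files are typically root:root mode 644, so anything listed here deviates.
nssdb_private_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.db' -o -name pkcs11.txt \) \
        ! -perm -004 -print
}

# Path from the thread is the default; pass another directory as $1.
target=${1:-/etc/pki/nssdb}
echo "$target: $(nssdb_state "$target")"
if [ -d "$target" ]; then nssdb_private_files "$target"; fi
```

A result of `no-directory` or `empty` matches the case Rob asks about, where certutil reports an "old, unsupported format" although no database exists yet.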
