[Freeipa-users] Reminder: Southeast Linux Fest 2017

2017-06-07 Thread Striker Leggette via FreeIPA-users
Hi all, This is a reminder of the upcoming Linux Fest this weekend (June 9th to the 11th). We will have two folks manning a table for FreeIPA, showing off features and spreading the good word while answering questions from the audience. If you're in the area, feel free to stop by. 3315

[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-07 Thread Lukas Slebodnik via FreeIPA-users
On (07/06/17 10:21), Jose Alvarez R. via FreeIPA-users wrote: >Hello > > > >A question > > > >What other way can I enroll my server client on my IPA server? > > > >I have an IPA server with OS Fedora 24 and >freeipa-server-4.3.3-1.fc24.x86_64 > > > >My client server has OS CentOS

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread John Bowman via FreeIPA-users
That was it. They opened up 8080 and it's working as expected. Thank you! On Wed, Jun 7, 2017 at 12:17 PM, Rob Crittenden wrote: > John Bowman via FreeIPA-users wrote: > > I'm hoping this is a firewall issue but I figured I would check just in > > case I'm looking in the

[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-07 Thread Jose Alvarez R. via FreeIPA-users
Hi Rob, Thanks for your response. No, there is nothing after this line in the output, nor in /var/log/ipaclient-install.log. This is my /var/log/ipaclient-install.log: [root@l1 log]# cat /var/log/ipaclient-install.log 2017-06-07 09:57:29,671 DEBUG /usr/sbin/ipa-client-install was invoked

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > I'm hoping this is a firewall issue but I figured I would check just in > case I'm looking in the wrong direction. > > I set up a pair of non-CA replicas today and as far as I could tell > everything seemed to be okay but I noticed that when searching via the >

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > Sorry for accidentally dropping freeipa-users. > > I was impatient so went back in time before your answer, but I did choose > a good date > > Before this, I had the following two entries with an expired date: > > Request ID '20150316184508': >

[Freeipa-users] Enroll CentOS 5 on FreeIPA 4.3

2017-06-07 Thread Jose Alvarez R. via FreeIPA-users
Hello, A question: What other way can I enroll my server client on my IPA server? I have an IPA server with OS Fedora 24 and freeipa-server-4.3.3-1.fc24.x86_64. My client server has OS CentOS release 5.10 with ipa-client-2.1.3-7.el5. This is the "ipa-client-install -d"

[Freeipa-users] Re: IPA-clients fail to update DNS: "response to GSS-TSIG query was unsuccessful"

2017-06-07 Thread Josh Pavel via FreeIPA-users
Still true. :-) # ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all dn: idnsname=dev.mcs.az-eastus2.mob.nuance.com .,cn=dns,dc=mob,dc=nuance,dc=com Zone name: dev.mcs.az-eastus2.mob.nuance.com. Active zone: TRUE Managedby permission: cn=Manage DNS zone

[Freeipa-users] Unable to communicate with CMS

2017-06-07 Thread John Bowman via FreeIPA-users
I'm hoping this is a firewall issue but I figured I would check just in case I'm looking in the wrong direction. I set up a pair of non-CA replicas today and as far as I could tell everything seemed to be okay but I noticed that when searching via the web ui on the new replicas it would take 2

[Freeipa-users] Replication failing on some records

2017-06-07 Thread Nick Campion via FreeIPA-users
Hi all, We have a 3 master setup that is failing to replicate changes from a particular node to the other IPA instances. The replication status says it's all fine, however the record hasn't been changed on the other servers. We've seen this on user password changes, adding hosts and services.

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
Sorry for accidentally dropping freeipa-users. I was impatient so went back in time before your answer, but I did choose a good date Before this, I had the following two entries with an expired date: Request ID '20150316184508': status: NEED_TO_SUBMIT ca-error: Error setting up ccache for "host"

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > OK, I did so and httpd restarts. > > $ openssl s_client -connect 127.0.0.1:443 -showcerts > CONNECTED(0003) > depth=1 O = HQ.SPINQUE.COM , CN = Certificate > Authority > verify return:1 > depth=0 O =

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
Looks to me like Apache isn’t using the correct certificate, or the correct certificate was never installed. But I don’t know enough about FreeIPA’s certificate replacement process to know which one it is. Aside from digging deeper and checking to see where Apache is looking for certificates

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
OK, I did so and httpd restarts. $ openssl s_client -connect 127.0.0.1:443 -showcerts CONNECTED(0003) depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority verify return:1 depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com verify error:num=10:certificate has expired notAfter=Mar 16

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread John Keates via FreeIPA-users
I would suggest doing what the last line says: Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. Then, you can check the certificates and maybe refresh it if it is actually expired. John > On 7 Jun 2017, at 14:39, Roberto Cornacchia via

[Freeipa-users] certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
Not being able to login to the admin console, I checked the httpd log and found the following errors: [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be

[Freeipa-users] Re: IPA-clients fail to update DNS: "response to GSS-TSIG query was unsuccessful"

2017-06-07 Thread Martin Bašti via FreeIPA-users
I meant dynamic updates in zone config. ipa dnszone-show dev.mcs.az-eastus2.mob.nuance.com --all On 06.06.2017 19:08, Josh Pavel wrote: Dynamic updates are enabled: dynamic-db "ipa" { library "ldap.so"; arg "uri

[Freeipa-users] Re: IPA-clients fail to update DNS: "response to GSS-TSIG query was unsuccessful"

2017-06-07 Thread Josh Pavel via FreeIPA-users
Dynamic updates are enabled: dynamic-db "ipa" { library "ldap.so"; arg "uri ldapi://%2fvar%2frun%2fslapd-MOB-NUANCE-COM.socket"; arg "base cn=dns, dc=mob,dc=nuance,dc=com"; arg "server_id freeipa-01.dev.mcs.az-eastus2.mob.nuance.com"; arg "auth_method sasl"; arg "sasl_mech GSSAPI"; arg