[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-16 Thread Ferdinand Babas via FreeIPA-users
> On 1/16/20 12:26 AM, Ferdinand Babas via FreeIPA-users wrote: > Hi, > the cert is present but its private key is missing. It looks like you > lost many of the private keys on that node, do you have a backup > somewhere of the NSS database? > Otherwise, the private key may be present on other

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread Alexander Bokovoy via FreeIPA-users
On to, 16 tammi 2020, John Louis via FreeIPA-users wrote: Sorry, it looks like the output for this command is different now. I think I had rebooted it a few times these days. All other output remains the same though, such as "kinit admin" and "kvno host/REALM". # KRB5_TRACE=/dev/stderr kinit

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread John Louis via FreeIPA-users
Sorry, it looks like the output for this command is different now. I think I had rebooted it a few times these days. All other output remains the same though, such as "kinit admin" and "kvno host/REALM". # KRB5_TRACE=/dev/stderr kinit admin 2>&1 [2294] 1579218609.798442: Getting initial

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread John Louis via FreeIPA-users
Sorry, it's actually not literally "127.0.0.1", but the actual IP. In all my replies above, I just replaced that actual IP with "127.0.0.1". I hope this won't confuse you. "It looks like your KDC isn't running. Can you check why it's not?" How do I do that? Here is what I can think of: #

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread Alexander Bokovoy via FreeIPA-users
On to, 16 tammi 2020, Robbie Harwood via FreeIPA-users wrote: John Louis via FreeIPA-users writes: Thanks. These are very similar to what was provided in the beginning. Here is exactly what you asked: # KRB5_TRACE=/dev/stderr kinit admin [1567] 1579125111.129826: Getting initial

[Freeipa-users] Re: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

2020-01-16 Thread Robbie Harwood via FreeIPA-users
John Louis via FreeIPA-users writes: > Thanks. These are very similar to what was provided in the beginning. Here > is exactly what you asked: > > # KRB5_TRACE=/dev/stderr kinit admin > [1567] 1579125111.129826: Getting initial credentials for admin@REALM > [1567] 1579125111.129828: Sending

[Freeipa-users] Re: Strange krb5 issue

2020-01-16 Thread Rob Crittenden via FreeIPA-users
Amos via FreeIPA-users wrote: > Oddly enough, I'm experiencing this on one of our IPA clients as well.  > However, I have some questions... > > On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users > > wrote: > > > The in-memory

[Freeipa-users] Re: Strange krb5 issue

2020-01-16 Thread Amos via FreeIPA-users
Oddly enough, I'm experiencing this on one of our IPA clients as well. However, I have some questions... On Fri, Jan 3, 2020 at 12:25 PM Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > The in-memory keytab is something SSSD copies the keys from >

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-16 Thread Rob Crittenden via FreeIPA-users
Jones, Bob (rwj5d) via FreeIPA-users wrote: > We implemented Red Hat IDM with completely external DNS. You just need to > make sure the correct DNS entries are in place and everything works fine. Yep. The warning in the documentation is because not every single possible DNS record is supported

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-16 Thread John Petrini via FreeIPA-users
We use FreeIPA as our DNS masters and have plain bind servers slaving off of them. As far as missing features, the only thing we had to give up was DNS views but we were never using them anyway and they're generally discouraged. ___ FreeIPA-users mailing

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-16 Thread Daniel PC via FreeIPA-users
Ok, but I'm thinking of this: "there is tight integration between DNS and native IdM tools which enables automating some of the DNS record management". Your choice is not a bad idea, but my first option is to use IdM DNS integrated. Thank you

[Freeipa-users] Re: Integrated DNS - best solution to unique domain

2020-01-16 Thread Jones, Bob (rwj5d) via FreeIPA-users
We implemented Red Hat IDM with completely external DNS. You just need to make sure the correct DNS entries are in place and everything works fine. — Bob Jones Lead Linux Services Engineer ITS ECP - Linux Services > On Jan 16, 2020, at 10:03 AM, Daniel PC via FreeIPA-users > wrote: > > Hi,

[Freeipa-users] Integrated DNS - best solution to unique domain

2020-01-16 Thread Daniel PC via FreeIPA-users
Hi, Red Hat strongly recommends IdM-integrated DNS for basic usage within the IdM deployment but at the same time declares "It does not support some of the advanced DNS features" and must be used only for IdM purposes. I have a DNS for a domain that resolves names to Linux hostnames, VIPs,

[Freeipa-users] Re: Where is the "Audit" in IPA?

2020-01-16 Thread Charles Hedrick via FreeIPA-users
I’ve thought about this a bit more. I think it would be useful if log entries showing changes could be routed differently by syslog. The simplest would be to use a different log level, e.g. NOTICE, where other things are INFO. Another approach would be to put a specific tag in the try, e.g.

[Freeipa-users] Re: Samba integration - access without Kerberos

2020-01-16 Thread lejeczek via FreeIPA-users
On 16/01/2020 13:56, Alexander Bokovoy wrote: > On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote: >> hi everybody. >> >> I see this subject might have been poked around many times, a couple >> times at least for sure. But, I thought I'll poke again and hopefully >> get some latest comments &

[Freeipa-users] Re: Samba integration - access without Kerberos

2020-01-16 Thread Alexander Bokovoy via FreeIPA-users
On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote: hi everybody. I see this subject might have been poked around many times, a couple times at least for sure. But, I thought I'll poke again and hopefully get some latest comments & thoughts on - how to make IPA's Samba allow password

[Freeipa-users] Samba integration - access without Kerberos

2020-01-16 Thread lejeczek via FreeIPA-users
hi everybody. I see this subject might have been poked around many times, a couple times at least for sure. But, I thought I'll poke again and hopefully get some latest comments & thoughts on - how to make IPA's Samba allow password authentication to Win clients from outside of IPA/AD domains?

[Freeipa-users] Re: [EXTERNAL] Re: Question about ipa group-add-member

2020-01-16 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks, Flo, that is good to know. I was trying to write up documentation for n00bz about how to add a user. Trying for K.I.S.S. From: Florence Blanc-Renaud Date: Thursday, January 16, 2020 at 05:41 To: FreeIPA users list Cc: Daniel White Subject: [EXTERNAL] Re: [Freeipa-users] Question about

[Freeipa-users] Re: Question about ipa group-add-member

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/15/20 6:17 PM, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Adding multiple users to one group is documented, but the other way around seems to be missing. Is there a way to add one user to multiple groups with one command ? Hi, with the GUI you can navigate to your

[Freeipa-users] Re: Legacy client in compat tree - multiple entries?

2020-01-16 Thread S Toulmonde via FreeIPA-users
Hi Alexander, Indeed that did the trick: if I'm using the user@ipadomain I can now log in to the server. Now the funny part: if I use an external domain (AD users), then I can use the shortname... Huh... Thanks!

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/16/20 10:16 AM, luckydog xf via FreeIPA-users wrote: Thanks, I did it as you instructed; the old serial 268238851 was revoked and is invalid. A new serial was generated and is valid already. == # 268238851, certificateRepository, ca, ipaca dn:

[Freeipa-users] Re: Legacy client in compat tree - multiple entries?

2020-01-16 Thread Alexander Bokovoy via FreeIPA-users
On to, 16 tammi 2020, S Toulmonde via FreeIPA-users wrote: Hello IPA gurus, I have a legacy client (Solaris) that I want to migrate to an IPA (RHEL IPA 4.6.5). Currently, it's being served by an ODSEE server for ldap. So first I want to test if I can connect with a user in IPA, then I'll try

[Freeipa-users] Legacy client in compat tree - multiple entries?

2020-01-16 Thread S Toulmonde via FreeIPA-users
Hello IPA gurus, I have a legacy client (Solaris) that I want to migrate to an IPA (RHEL IPA 4.6.5). Currently, it's being served by an ODSEE server for ldap. So first I want to test if I can connect with a user in IPA, then I'll try with an external (AD client). But I have the following issue:

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-16 Thread luckydog xf via FreeIPA-users
Thanks, I did it as you instructed; the old serial 268238851 was revoked and is invalid. A new serial was generated and is valid already. == # 268238851, certificateRepository, ca, ipaca dn: cn=268238851,ou=certificateRepository,ou=ca,o=ipaca objectClass: top objectClass:

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/16/20 12:26 AM, Ferdinand Babas via FreeIPA-users wrote: On 1/14/20 11:41 PM, Ferdinand Babas via FreeIPA-users wrote: Agreed, any date between June 1 and June 4 should be ok. ipaCert is the most important cert to renew and should be handled first. The man page for getcert-list explains