[Freeipa-users] Re: Kerberos and 2FA

2020-03-13 Thread Alexander Bokovoy via FreeIPA-users
On to, 12 maalis 2020, Leonid Kanter via FreeIPA-users wrote: Hello, I'm trying to combine 2FA and kerberos, as described on https://bugzilla.redhat.com/show_bug.cgi?id=1510734 and on https://www.freeipa.org/page/V4/Kerberos_PKINIT#How_to_Use Our main FreeIPA server, for historical reasons, is

[Freeipa-users] DNSSec renewal issue

2020-03-13 Thread Arjen Heidinga via FreeIPA-users
Hello all! I saw my logs, and noticed a stacktrace. I have looked thoroughly, but I have no clue what goes on. It repeats every minute. It appears there is no problem with my zone. Any clues? Regards, Arjen Mar 13 21:54:14 starkey python3[313742]: detected unhandled Python exception in

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Leonid Kanter via FreeIPA-users
>https://www.freeipa.org/page/V4/Kerberos_PKINIT 'Configuration' and >'Upgrade' sections explain various configurations. Alexander, kinit -T doesn't work for me if 2FA enabled. Could you check my question "Kerberos and 2FA" from yesterday and help to debug it? On Fri, Mar 13, 2020 at 8:12 PM Al

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Alexander Bokovoy via FreeIPA-users
On pe, 13 maalis 2020, Leonid Kanter via FreeIPA-users wrote: You lose nothing with --no-pkinit because you add certificate authority and enable pkinit later. But seems it's a relatively new option, we installed our prod instance back in 2016 and it didn't ask for --no-pkinit at all. I found it

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Leonid Kanter via FreeIPA-users
You lose nothing with --no-pkinit because you add certificate authority and enable pkinit later. But seems it's a relatively new option, we installed our prod instance back in 2016 and it didn't ask for --no-pkinit at all. I found it yesterday. Our main instance is running with pkinit disabled and

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 3:46 PM, Peter Tselios via FreeIPA-users wrote: Hello, I have a small project to install a FreeIPA cluster on CentOS 7.7. We have our own CA and they provided me already with a private key and a certificate file for the servers. My problem is that I cannot make ipa-server to install

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Peter Tselios via FreeIPA-users
That's promising. So, now I need to ask something else. What are the implications of the --no-pkinit? What do I lose?

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > Hello, > I have a small project to install a FreeIPA cluster on CentOS 7.7. > > We have our own CA and they provided me already with a private key and a > certificate file for the servers. > My problem is that I cannot make ipa-server to install > > The

[Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
They are coming from Puppet In the IdM access log - I see a block of stuff starting with "connection from to I used cn, mail, displayName, group, member I did not set the user/group relative DN as it was marked (optional)

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Leonid Kanter via FreeIPA-users
I installed it yesterday with --dirsrv-cert-file, --http-cert-file and --no-pkinit, then added certificate authority (ipa-ca-install) and enabled pkinit (ipa-pkinit-manage enable) On Fri, Mar 13, 2020 at 5:47 PM Peter Tselios via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hel

[Freeipa-users] FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Peter Tselios via FreeIPA-users
Hello, I have a small project to install a FreeIPA cluster on CentOS 7.7. We have our own CA and they provided me already with a private key and a certificate file for the servers. My problem is that I cannot make ipa-server to install The command I use is: ==

[Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-13 Thread Rob Crittenden via FreeIPA-users
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: > Thanks for responding, Louis. > > Sadly, I did all that and got a bunch of queries looking for objectClass > ipaNTTrustedDomain and other ipaNT* objectClasses > > I have opened a feature request with Puppet for FreeIPA support.

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 8:43 AM, Faraz Younus via FreeIPA-users wrote: cat /etc/ipa/default.conf #File modified by ipa-client-install [global] basedn = dc=fixedandmobile,dc=com realm = FIXEDANDMOBILE.COM domain = fixedandmobile.com server = sg.fix

[Freeipa-users] Re: [EXTERNAL] Re: Add "Puppet Enterprise" to the list of things that do not actively support FreeIPA

2020-03-13 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Thanks for responding, Louis. Sadly, I did all that and got a bunch of queries looking for objectClass ipaNTTrustedDomain and other ipaNT* objectClasses I have opened a feature request with Puppet for FreeIPA support. https://tickets.puppetlabs.com/browse/ENTERPRISE-1323

[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-13 Thread thierry bordaz via FreeIPA-users
Hi Lays, Unfortunately the fix 1751295 may be incomplete. It prevents deadlock in a condition (for be_write callbacks) but not for betxn_write callbacks. I will look deeper at it to confirm this. At the moment I can only recommend the workaround https://bugzilla.redhat.com/show_bug.cgi?id=17

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-13 Thread Faraz Younus via FreeIPA-users
cat /etc/ipa/default.conf #File modified by ipa-client-install [global] basedn = dc=fixedandmobile,dc=com realm = FIXEDANDMOBILE.COM domain = fixedandmobile.com server = sg.fixedandmobile.com host = sg.fixedandmobile.com xmlrpc_uri = https://sg.fixedandmobile.com/ipa/xml enable_ra = True

[Freeipa-users] Re: Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-13 Thread Alexander Petrenz via FreeIPA-users
That's exactly what I meant. Thanks for the clarification! Alex

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 6:42 AM, Faraz Younus via FreeIPA-users wrote: I can have the update on below LDAP error ? What is the content of the /etc/ipa/default.conf file? Especially, is there a value for "ldap_uri" and does it start with "ldap_uri = ldapi://..." ? flo On Wed, Mar 11, 2020 at 6:34 PM Fa