[Freeipa-users] Re: Wildcard certificate

2022-06-08 Thread Bret Wortman via FreeIPA-users
Thank you all -- this all worked and should keep us going until we have time to work around the various deprecations. Cheers! -- Bret Wortman bret.wort...@damascusgrp.com On Tue, Jun 7, 2022, at 10:11 PM, Fraser Tweedale wrote: > On Tue, Jun 07, 2022 at 11:56:10AM -0400, Bret Wortman

[Freeipa-users] Re: Wildcard certificate

2022-06-07 Thread Bret Wortman via FreeIPA-users
:44 AM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: >> When I try adding it as an alt name: >> >> # certutil -R -d . -a -g 2048 -s "cn=elastic.our.net,o=our.net" \ >> -8 >> elastic.our.net,\*.elastic.our.net,zsec

[Freeipa-users] Re: Wildcard certificate

2022-06-07 Thread Bret Wortman via FreeIPA-users
: > On Tue, 07 Jun 2022, Bret Wortman via FreeIPA-users wrote: >>I'm trying to create a wildcard certificate to use with some elasticsearch >>ECE systems and it's not working quite right yet. I found Fraser's blog at >>https://frasertweedale.github.io/blog-redhat/posts/2017

[Freeipa-users] Wildcard certificate

2022-06-07 Thread Bret Wortman via FreeIPA-users
I'm trying to create a wildcard certificate to use with some elasticsearch ECE systems and it's not working quite right yet. I found Fraser's blog at https://frasertweedale.github.io/blog-redhat/posts/2017-02-20-freeipa-wildcard-certs.html and followed the directions there. After installing the

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-24 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 23, 2021, at 2:13 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > >> > >> [root@ipa2c7 ~]# ipa-replica-manage clean-ruv 5 > >> Directory Manager password: > >> > >> unable to decode: {replica 13} 60b907570001000

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
-- Bret Wortman bret.wort...@damascusgrp.com On Wed, Jun 23, 2021, at 6:27 AM, Bret Wortman via FreeIPA-users wrote: > On Wed, Jun 23, 2021, at 5:27 AM, Bret Wortman via FreeIPA-users wrote: > > Now, this morning, I've hit the wall on this yet again. > > > > [root@i

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 23, 2021, at 5:27 AM, Bret Wortman via FreeIPA-users wrote: > Now, this morning, I've hit the wall on this yet again. > > [root@ipa2c7 ~]# ipa-replica-manage list > ipa2c7.our.net: master > [root@ipa2c7 ~]# ipa-replica-manage list-ruv > Directory Manager pass

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
Now, this morning, I've hit the wall on this yet again. [root@ipa2c7 ~]# ipa-replica-manage list ipa2c7.our.net: master [root@ipa2c7 ~]# ipa-replica-manage list-ruv Directory Manager password: unable to decode: {replica 13} 60b907570001000d 60b907570001000d unable to decode: {replica

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-22 Thread Bret Wortman via FreeIPA-users
That worked, and I've got a CLEANALLRUV task running for the remaining RUV between the two. -- Bret Wortman bret.wort...@damascusgrp.com On Tue, Jun 22, 2021, at 1:37 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I'm now trying to detach ipa2c7 from ipa1, t

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-22 Thread Bret Wortman via FreeIPA-users
~]# -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 21, 2021, at 12:16 PM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > > > Bret W

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > > Bret Wortman via FreeIPA-users wrote: > > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > > >> On Fri,

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > >> On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > >>> Awesome, glad to hear it. W

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > > Awesome, glad to hear it. When you complete the migration don't forget > > to move over the DNA settings, CRL generation and other stuff.

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > Awesome, glad to hear it. When you complete the migration don't forget > to move over the DNA settings, CRL generation and other stuff. Is this documented somewhere? I'd hate to miss a step. Bret

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-18 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 2:07 PM, Rob Crittenden wrote: > I think it will involve editing code on the C7 server. > > /usr/lib/python2.7/site-packages/ipaserver/install/replication.py > > REPLICA_CREATION_SETTINGS and REPLICA_FINAL_SETTINGS. > > Remove the nsds5ReplicaReleaseTimeout from both

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 9:54 AM, Bret Wortman via FreeIPA-users wrote: > On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote: > > On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > > > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden w

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote: > On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > > > Bret Wortman via FreeIPA-users wrote:

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > > Bret Wortman via FreeIPA-users wrote: > > > This appears to be the error, or at least it's the only "fatal" I could > > > fi

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-15 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > This appears to be the error, or at least it's the only "fatal" I could > > find in the stream and it's near enough to the end of traffic that it seems > > likely

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
re. https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178 -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 14, 2021, at 6:24 AM, Bret Wortman via FreeIPA-users wrote: > On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > > So you've run ipa-replica-prepare and

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > So you've run ipa-replica-prepare and then ship that file to > right? Exactly. > At some point we started re-generating the CA certs file > (/root/cacert.p12) during preparation. Did we do this in F21? I have no > idea. > > Can you use

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-10 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 9, 2021, at 2:32 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like we're missing an LDAP connection port? > > > > [09/Jun/2021:10:02:54][localhost-startStop-1]: LdapBoundConnFactory: init > > Property internaldb.ldapconn.port

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
...@damascusgrp.com On Wed, Jun 9, 2021, at 4:59 AM, Bret Wortman via FreeIPA-users wrote: > My misunderstanding, sorry. This is from the existing CA since that's > where I thought the problem would be. Okay, going back and looking at > the debug log on the new server to see if it's more

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I was tailing several logs in /var/log/pki/pki-tomcat/ca/ (debug, system, > > and transactions) and though the replica installation failed again at the > > same point, this is what I got from the logs throug

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-08 Thread Bret Wortman via FreeIPA-users
A, but it seems to be trying to hang on to its job security... ;-) -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:13 AM, Bret Wortman via FreeIPA-users wrote: > You were absolutely correct, the flag worked, and the config-show did > not show a CRL server at all.

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
You were absolutely correct, the flag worked, and the config-show did not show a CRL server at all. I'll dig into the ca logs next. -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:07 AM, Rob Crittenden wrote: > Bret Wortman wrote: > > I cleaned up the contents of

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
I cleaned up the contents of our ldap manually, re-created the replica file, and got a lot further than we have before but ipa-replica-install still failed as below: Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
I tried using ipa-backup but it keeps aborting claiming there's not enough space on the target device but nothing even comes close to 100% usage. Is there another way to export to LDIF? -- Bret Wortman bret.wort...@damascusgrp.com On Fri, Jun 4, 2021, at 9:01 AM, Rob Crittenden wrote: >

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
the host and its DNS entries and then see what crud is left behind in LDAP? -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 3:18 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I'm trying to update our IPA servers to newer OSes and IPA

[Freeipa-users] How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-03 Thread Bret Wortman via FreeIPA-users
I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far: 1. run "ipa-replica-prepare" on the original main server, ipa1. 2. Copied the resulting file to ipa1c7. 3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg

[Freeipa-users] Re: named won't start

2021-06-03 Thread Bret Wortman via FreeIPA-users
In one of those weird things I can only blame on gremlins, time seems to have been the answer. I recently ran "ipactl start" again and it worked. -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 1:19 PM, Bret Wortman via FreeIPA-users wrote: > It's an a

[Freeipa-users] named won't start

2021-06-03 Thread Bret Wortman via FreeIPA-users
It's an ancient server, and one I'm trying to get us off of, but it's our current primary IPA server on this network and named didn't like its last reboot and is erroring on startup: [root@ipa1 ~]# systemctl status -l named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> ; further conversations with this team turned up the fact that they're just creating these by hand using openssl commands rather than running any sort of service at all), I'm hesitant to just barge ahead and try to make it work on my ow

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> at they're just creating these by hand using openssl commands rather than running any sort of service at all), I'm hesitant to just barge ahead and try to make it work on my own...

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> The CN (damascusgrp.com) is a domain name. You can add a host object with that name to FreeIPA. I think the procedure outlined in the blog post should work for you. > Cheers, > Fraser

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> that name to FreeIPA. I think the procedure outlined in the blog post should work for you. > Cheers, > Fraser > -- Bret Wortman bret.wort...@damascusgrp.com

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
@damascusgrp.com > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote: > > > We had a developer team deploy their own CA and then issue a slew

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users > wrote: > > We had a developer team deploy their own CA and then issue a slew > > of certificates for users' workstations and other servers, and no

[Freeipa-users] Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-15 Thread Bret Wortman via FreeIPA-users
We had a developer team deploy their own CA and then issue a slew of certificates for users' workstations and other servers, and now they want us to deploy those certificates more widely. I'd rather find a way to bring their CA under ours so that the root CA certificate we already distribute

[Freeipa-users] Auditing screensavers

2020-05-21 Thread Bret Wortman via FreeIPA-users
I have a need to set up an audit rule that will track whenever a user's screensaver is unlocked via password. I've tried setting a watch on pam_sss.so but that gets a lot more than what I strictly need and that also, strangely, had a tendency to audit when the screensaver was activated but not

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 1:47 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Thanks, Rob. I'm a lot closer now. > > What I'm getting now looks like:

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 11:31 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I know I can paste a CSR from o

[Freeipa-users] How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
I know I can paste a CSR from one of our servers into the GUI and generate a new cert, but how can I do this from a command line? I've been working with this: # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr But that's giving me an error that the principal doesn't exist. Then

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
-users wrote: > > On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > > I broke out of it, but the two are still out of sync. Is there a way to get past that?

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > I broke out of it, but the two are still out of sync. Is there a way to get past that?

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 9:07 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Oops. I spoke too soon. The one I thought I fixed is now just scrolling "No status yet" over and over... > You can break ou

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks lik

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like I've somehow managed to get my 3 IPA servers out of sync: > > [root@ipa3 ~]# ipa-replica-manage list

[Freeipa-users] Replication issues, 3 servers not talking

2019-03-26 Thread Bret Wortman via FreeIPA-users
I've got 3 IPA servers, with replication agreements between the 3 as follows: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net

[Freeipa-users] Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
Looks like I've somehow managed to get my 3 IPA servers out of sync: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa host-find solr14.my.net --- 0 hosts matched --- Number of

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users
On Feb 27 2019, at 6:31 am, Bret Wortman via FreeIPA-use

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:22 am, Bret Wortman via FreeIPA-users wrote: > It looks like we've done everything in your guide. I've sent the requestor > the docs at > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_pol

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:18 am, Bret Wortman via FreeIPA-users wrote: > failed to set perms (3140) on file (/var/run/ipa/ccaches/br...@my.net)!, > referrer: https:/zsipa3.my.net/ipa/ui/

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 25 2019, at 3:56 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > We have some ESXi boxes that need CA-signed certs and we're trying to figure out how to properly constr

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
Thanks, Rob. I’ll give it another try in the morning and let you know how it goes. And yes, -8. Keyboard error. On 25 Feb 2019, at 15:56, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: We have some ESXi boxes that need CA-signed certs and we're trying to figure out how

[Freeipa-users] Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
We have some ESXi boxes that need CA-signed certs and we're trying to figure out how to properly construct a CSR so that our IPA CA will process it. I'm having them create the cert using these commands: # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
Other symptoms: # kinit admin : # ipa help user ipa: ERROR: No valid Negotiate header in server response This is now happening on our primary IPA server. On 12/07/2018 07:42 AM, Bret Wortman via FreeIPA-users wrote: I'm seeing this in /var/log/messages periodically: systemd: Starting IPA

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
I'm seeing this in /var/log/messages periodically: systemd: Starting IPA key daemon... ipa-dnskeysyncd: ipa  : INFO LDAP bind... ipa-dnskeysyncd: ipa  : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} ipa-dnskeysyncd: Traceback (most recent call last):

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
AM, Bret Wortman via FreeIPA-users wrote: I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages(all messags from named

[Freeipa-users] Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages(all messags from named-pkcs11): bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5 20150623 (Red Hat 4.8.5-16) LDAP error: Invalid credentials:

[Freeipa-users] Re: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
Never mind. NTP wasn't working properly so the time had drifted too far. Easy fix. *Bret Wortman* Founder, Damascus Products, LLC

[Freeipa-users] Fwd: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
I was out two days last week and one of my coworkers thought we were having a password problem on our admin account. This morning, my users were claiming an inability to log in, so I cycled our main IPA server, but named won't start. 2018-10-15T10:43:14.blah named-pkcs11[26250]: LDAP error:

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Not surprisingly, that did the trick. Thanks, Rob. On 10/10/2018 09:57 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers could be reached # ipa dnsrecord-find my.net sys001 --all

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Also: # ldapsearch -D "cn=Directory Manager" -W -b "dc=my.net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" nsds5ReplConflict Enter LDAP Password: # extended LDIF # # LDAPv3 # base I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers
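The ldapsearch in this message returns the 389-ds replication-conflict entries as LDIF, which is tedious to read by eye when several records and folded lines are involved. The script below is an added example (not code from the thread, from FreeIPA or from 389-ds) that parses such output with only the Python standard library and lists, for each conflict entry, the DN it lost to and the DN it was originally written under. The sample LDIF is constructed: its hostnames, uid and nsuniqueid values are made up, and the value format `namingConflict [(OP)] <dn>` plus the `nsuniqueid=<id>+` RDN prefix are the 389-ds conventions as assumed here, to be checked against real output.

```python
"""List 389-ds replication conflict entries from ldapsearch LDIF output.
Added example; not code from FreeIPA or 389-ds. Feed it the output of
  ldapsearch -D "cn=Directory Manager" -W -b "dc=my,dc=net" \
      "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" nsds5ReplConflict
"""
import base64
import re
import sys
from typing import Dict, Iterator, List, Tuple

# Encoded here so the constructed sample is guaranteed to decode correctly;
# ldapsearch base64-encodes any value that is not a SAFE-STRING (RFC 2849).
_B64 = base64.b64encode(
    b"namingConflict uid=jdoe,cn=users,cn=accounts,dc=my,dc=net").decode()

# Constructed sample. DNs and ids are invented; the "namingConflict [(OP)] <dn>"
# value and the "nsuniqueid=<id>+" RDN prefix follow the assumed 389-ds layout.
SAMPLE_LDIF = f"""\
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=net> with scope subtree
# filter: (&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))
# requesting: nsds5ReplConflict

dn: nsuniqueid=3a2c1f10-c4b911e8-8f0ab3c9-6d1e2a5f+idnsname=sys001,idnsname=my.n
 et.,cn=dns,dc=my,dc=net
nsds5ReplConflict: namingConflict (ADD) idnsname=sys001,idnsname=my.net.,cn=dns,
 dc=my,dc=net

dn: nsuniqueid=9b7d0e21-1ab411e9-b6c3d4e5-f6a7b8c9+uid=jdoe,cn=users,cn=accounts,dc=my,dc=net
nsds5ReplConflict:: {_B64}

# search result
search: 2
result: 0 Success
"""

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")
_CONFLICT_RE = re.compile(r"^namingConflict(?: \(([A-Z]+)\))? (.+)$")
_UNIQUEID_RE = re.compile(r"^nsuniqueid=[0-9a-fA-F-]+\+")


def iter_ldif_entries(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield each LDIF record as {attribute-lowercased: [values]}, handling
    '#' comments, folded continuation lines (leading space) and '::' base64."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # join continuation to previous line
        else:
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded + [""]:           # sentinel flushes the last record
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue                       # not an attribute line; ignore
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        entry.setdefault(attr.lower(), []).append(value)


def intended_dn(conflict_dn: str) -> str:
    """Strip the 'nsuniqueid=<id>+' prefix 389-ds prepends to a conflict
    entry's RDN, recovering the DN the losing write originally used."""
    return _UNIQUEID_RE.sub("", conflict_dn)


def find_conflicts(ldif_text: str) -> List[Tuple[str, str, str]]:
    """Return (conflict_entry_dn, operation, winning_dn) per conflict record.
    Records without a dn (the trailing search:/result: block) are skipped;
    operation is '?' when the value carries no '(OP)' marker."""
    found: List[Tuple[str, str, str]] = []
    for rec in iter_ldif_entries(ldif_text):
        if "dn" not in rec or "nsds5replconflict" not in rec:
            continue
        for value in rec["nsds5replconflict"]:
            m = _CONFLICT_RE.match(value)
            if m:
                found.append((rec["dn"][0], m.group(1) or "?", m.group(2)))
            else:                          # unrecognised format: report raw
                found.append((rec["dn"][0], "?", value))
    return found


def report(ldif_text: str) -> List[str]:
    """One human-readable block per conflict entry."""
    return [f"conflict entry : {dn}\n  originally   : {intended_dn(dn)}\n"
            f"  lost to ({op}): {winner}"
            for dn, op, winner in find_conflicts(ldif_text)]


if __name__ == "__main__":
    # Pipe real ldapsearch output in; with no stdin the constructed sample runs.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for block in report(text):
        print(block)
    print(f"{len(find_conflicts(text))} conflict entries")
```

The script only reports. Deleting or renaming a conflict entry is a separate, deliberate step: the losing copy can hold attribute values the winning entry lacks, so compare the two before removing either, and confirm the DN shown under "originally" is the one your `ipa dnsrecord-find` could not see.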

[Freeipa-users] Re: How to replace a failed CA?

2018-09-26 Thread Bret Wortman via FreeIPA-users
We built brand new servers, took xml dumps from the existing ones, wrote custom scripts to load that into the new ones, and spent a weekend cutting over. So yes, but no. We now have a functioning CA but it wasn't exactly replaced; we had to build a new set of replicas around it. On

[Freeipa-users] Re: error 15 in memberof.so

2018-07-19 Thread Bret Wortman via FreeIPA-users
. On 07/19/2018 11:33 AM, Lukas Slebodnik via FreeIPA-users wrote: On (18/07/18 13:39), Bret Wortman via FreeIPA-users wrote: I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". I've tried unenro

[Freeipa-users] Re: error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". > > I've tried unenrolling &

[Freeipa-users] error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". I've tried unenrolling & re-enrolling. I've tried unenrolling, uninstalling, reinstalling ipa-client, and re-enrolling. I've tried unenrolling,

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
FreeIPA-users wrote: On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are getting a keytab fo

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are getting a keytab for yourself (say

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to cre

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
e you made was gone. You don't happen to still have that laying around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret W

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various approaches using

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
I found your post, but the paste you made was gone. You don't happen to still have that laying around, do you? On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Okay. I may have done this under Fedora before, then. I'll go back and search the archives. Thanks, Alexander! On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once

[Freeipa-users] Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various approaches using ktutil and kadmin but haven't had any

[Freeipa-users] Re: Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
directory. Thanks, Rob! On 06/22/2018 09:05 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-install --enable-d

[Freeipa-users] Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-install --enable-dns-updates --mkhomedir IPA client is already configured on this system. If you want to reinstall the IPA client,

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-04 Thread Bret Wortman via FreeIPA-users
(he had been authenticated by the old servers when he first got in). I stopped sssd, rm -rf'd the cache db files, and then restarted it and voila, he was able to authenticate with the new servers. Thanks, all! On 06/03/2018 03:30 PM, Bret Wortman via FreeIPA-users wrote: I don’t t

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
Hrozek wrote: > On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users wrote: > > I just realized that I never closed the loop on this problem and just finished upgrading all my systems to use our new IPA servers. And this proble

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost I'm able to l

[Freeipa-users] Can't log in through greeter or console after switch to new IPA servers

2018-06-02 Thread Bret Wortman via FreeIPA-users
I've just transitioned my baseline from one set of servers to another, and I'm noticing that some systems will allow me to log in directly from the greeter on workstations while others don't (including my own workstation!). These methods all work on my workstation: * ssh @localhost with

[Freeipa-users] Re: New server, can't set passwords

2018-05-07 Thread Bret Wortman via FreeIPA-users
...@damascusgrp.com   UID: 10042   GID: 100   Account disabled: False Number of entries returned 1 # On 05/04/2018 10:48 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've just finished setting up a new IPA server, planning to use

[Freeipa-users] New server, can't set passwords

2018-05-04 Thread Bret Wortman via FreeIPA-users
I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate

[Freeipa-users] Re: Create a replica

2018-03-02 Thread Bret Wortman via FreeIPA-users
On 03/02/2018 04:15 AM, Florence Blanc-Renaud wrote: On 01/03/2018 18:11, Bret Wortman via FreeIPA-users wrote: I've got a one system setup now and would like to create a replica and ensure survivability as much as possible. Will this do the trick? Obviously the first is run on the current

[Freeipa-users] admin's credentials revoked?

2018-03-01 Thread Bret Wortman via FreeIPA-users
# kinit admin kint: Client's credentials have been revoked while getting initial credentials Then while looking at /var/log/httpd/error_log: [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server is unwilling to perform: Too many failed logins. What the? How can my admin

[Freeipa-users] Re: Logon by ssh but not console?

2018-02-22 Thread Bret Wortman via FreeIPA-users
Wortman wrote: My only hbac rule is "allow_all", and it's enabled. I hadn't gotten around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system t

[Freeipa-users] Re: How to replace a failed CA?

2018-02-22 Thread Bret Wortman via FreeIPA-users
ssh versus console & GDM and moving forward with a completely new installation while trying to retain as much data as possible. Thanks for your help on this, guys. Bret On 02/21/2018 03:47 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: If this is the correct se

[Freeipa-users] Re: How to replace a failed CA?

2018-02-21 Thread Bret Wortman via FreeIPA-users
If this is the correct search, then no. It's gone. # ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Changing the subject worked. Thanks! Bret Wortman http://wrapbuddies.co/ On Feb 20, 2018, 7:19 PM -0500, Fraser Tweedale <ftwee...@redhat.com>, wrote: > On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users > wrote: > > I'll give that a try. > > > I

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
I'll give that a try. On 02/20/2018 12:38 PM, Jochen Hein wrote: Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes: Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. ... 3. # ipa-server-install --setup-dns

[Freeipa-users] SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. 1. Built new box, which joined the existing IPA infrastructure as a client. 2. # ipa-client-install -U --uninstall 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders 4. Inserted

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/19/2018 07:55 AM, Florence Blanc-Renaud wrote: On 02/19/2018 12:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret
