[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2024-02-29 Thread Grant Janssen via FreeIPA-users
It appears I have resolved my certificate expiration issue

[Freeipa-users] Re: handling certificate expirations

2024-02-20 Thread Grant Janssen via FreeIPA-users
well, I thought I was out of the woods, but I still have some issues. the services are running, but kinit gets me a ticket to nowhere. "ipa: ERROR: No valid Negotiate header in server response" grant@ef-idm01:~[20240220-14:36][#785]$ klist Ticket cache: KCM:555 Default principal:

[Freeipa-users] Re: handling certificate expirations

2024-02-16 Thread Grant Janssen via FreeIPA-users
this was definitely the hot tip. executing a server upgrade fixed everything for me. thanx rob

[Freeipa-users] handling certificate expirations

2024-02-15 Thread Grant Janssen via FreeIPA-users
When I upgraded the servers to EL8 (I rebuilt from scratch using the old hostnames), I had neglected to assign an IPA CA renewal master after the old “boss” was retired. This crime is of course its own punishment. I found the documentation for handling this to actually be pretty good.

[Freeipa-users] log permission issues with "ipa-replica-manage re-initialize" in almalinux 8

2023-02-11 Thread Grant Janssen via FreeIPA-users
users were reporting password change issues. ipa_check_consistency and cipa showed synchronization issues. grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com ipa: ERROR: Cannot open log file

[Freeipa-users] Re: krblastadminunlock on user account

2022-12-02 Thread Grant Janssen via FreeIPA-users
krbLastAdminUnlock was only a part of my issue. I was able to resolve this issue, but not in the manner I expected. A careless administrator overwrote the keytabs on two FreeIPA servers while he was generating keytabs for MacOS hosts. Somehow, FreeIPA still functioned, the only repercussion was

[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I was able to remove this by overwriting the attribute "ipa user-mod --setattr krblastadminunlock= waynev" grant@ef-idm01:~[20221123-7:50][#1022]$ ipa user-show --all --raw waynev | grep -i krblastadminunlock grant@ef-idm01:~[20221123-7:51][#1023]$ I’ll have the user test and we’ll see if this

[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I see a slight variation, but still cannot remove the attribute. grant@ef-idm01:~[20221123-7:19][#1018]$ ipa user-show --all --raw waynev | grep krblastadminunlock grant@ef-idm01:~[20221123-7:20][#1019]$ ipa user-show --all --raw waynev | grep -i krblastadminunlock krbLastAdminUnlock:

[Freeipa-users] Re: krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
Alexander, thank you for your attention, but this did not work for me. I had tried earlier to remove this attribute in the conventional manner, but failed. (example again at the tail of my output) [root@ef-idm01 ~]# ipa -e in_server=true user-mod waynev

[Freeipa-users] krblastadminunlock on user account

2022-11-23 Thread Grant Janssen via FreeIPA-users
I have an administrative user who hasn't logged into his account in some time - likely over a year. He can authenticate to any bound host, but cannot login to the FreeIPA servers. I verified this wasn’t an HBAC issue. I compared his account to my own and found he had an extra attribute -

[Freeipa-users] Re: ghost replica for radius server

2022-11-18 Thread Grant Janssen via FreeIPA-users
that was easy - THANX Florence. My ghost replica still doesn’t show in ipa_check_consistency. Any ideas on that? grant@radius01:~[20221118-3:56][#97]$ ipa server-state $HOSTNAME --state=enabled ipa: WARNING: Automatic update of DNS system records failed. Please re-run update of system records

[Freeipa-users] ghost replica for radius server

2022-11-17 Thread Grant Janssen via FreeIPA-users
Building a radius server, and decided this was an ideal application for a hidden replica. I got some errors in the replica install, and the consistency check does not show a ghost replica (but does show my radius host in Replication Status.) I run external DNS, this radius host only has A

[Freeipa-users] Re: Rocky Linux 9 missing groups or modules: idm:DL1

2022-11-03 Thread Grant Janssen via FreeIPA-users
I found I had to remove the ipa-client already installed from the standard repo $ sudo yum remove ipa-client then $ sudo yum module install idm:DL1/server worked for me. - grant > On Nov 3, 2022, at 14:01, Leo O via FreeIPA-users wrote:

[Freeipa-users] Re: ID Views change sudo rules for local user

2022-06-17 Thread Grant Janssen via FreeIPA-users
what does "sudo -l -U " show? My experience flushing sss_cache has rarely been successful. When I experience issues with user sudo permissions, I restart sssd. Fixes it every time. - grant On Jun 17, 2022, at 00:53, Alessandro Fort via FreeIPA-users

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-02 Thread Grant Janssen via FreeIPA-users
This issue has mutated substantially from the initial issue. I can open a new thread for my current issue. Once I changed the domain level to 1, ipa-replica-prepare no longer applies, and now the method to create a replica is to promote a client. But (as detailed) this is failing for me as well.

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
there are quite a few logs for the various moving pieces. I am looking at the http related logs grant@ef-idm03:/var/log/httpd[20220601-13:08][#193]$ sudo more access_log 10.1.132.27 -

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
I have attached the ipareplica-install.log Let me figure out how to add a SAN to the web server certs. - grant On Jun 1, 2022, at 12:12, Rob Crittenden <rcrit...@redhat.com> wrote: -snip- Can you share ipareplica-install.log? I don't know that this will fix it but you'll want a SAN

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
a cascade of issues • I needed to set the domainlevel to 1 in order to join my client. grant@ef-idm01:~[20220601-8:14][#1041]$ ipa domainlevel-get --- Current domain level: 0 --- grant@ef-idm01:~[20220601-8:14][#1042]$ ipa domainlevel-set 1

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
, 2022 at 2:10 PM Grant Janssen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: I’m on the march to move beyond CentOS 7. My plan was to build more replicas, then retire the old systems. I haven’t built a replica since 2019, but the commands I used then are failing

[Freeipa-users] Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Grant Janssen via FreeIPA-users
I’m on the march to move beyond CentOS 7. My plan was to build more replicas, then retire the old systems. I haven’t built a replica since 2019, but the commands I used then are failing now. grant@ef-idm01:~[20220601-4:39][#1003]$ sudo ipa-replica-prepare

[Freeipa-users] Re: Setting up authentication for apache webserver (part 2) -- User is not unique

2022-01-11 Thread Grant Janssen via FreeIPA-users
this is normal (and desirable), the user is added in both users/accounts tree and the compat tree. I have had issues with nested groups when I fail to use the compat tree in my LDAP integrations. - grant

[Freeipa-users] Re: Jira LDAP integration with JIRA

2021-03-06 Thread Grant Janssen via FreeIPA-users
I’ve been through this a few times: use the compat tree. - grant On Mar 6, 2021, at 03:03, Kaspars Tuna via FreeIPA-users wrote: I am

[Freeipa-users] FreeIPA server host keytab was deleted

2021-03-02 Thread Grant Janssen via FreeIPA-users
an inexperienced administrator overwrote the /etc/krb5.keytab on my IDM server. (ugh!) I had thought ipa-getkeytab was retrieving the keytab, but now see I regenerated it and SHOULD have used the -r flag. ipa-getkeytab(1)

[Freeipa-users] Re: mkhomedir recommendation?

2021-01-19 Thread Grant Janssen via FreeIPA-users
if you forgot the --mkhomedir option, you can use authconfig: authconfig --enablemkhomedir --update - grant On Jan 19, 2021, at 03:33, Dominik Vogt via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

[Freeipa-users] macOS-X bound to freeIPA - mkhomedir

2020-12-23 Thread Grant Janssen via FreeIPA-users
I’ve been running a number of macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make a home directory when one doesn’t exist. Without a home directory, a user logs in, the beachball spins forever and the user never gets a desktop because there is no user

[Freeipa-users] macOS-X bound to freeIPA - mkhomedir

2020-12-13 Thread Grant Janssen via FreeIPA-users
I’ve been running a number of macs bound to FreeIPA for years now. The biggest nuisance is that I haven’t found a way to make a home directory when one doesn’t exist. Without a home directory, a user logs in, the beachball spins forever and the user never gets a desktop because there is no user

[Freeipa-users] Re: [389-users] How to invalidate local cache after user changed their password

2019-02-27 Thread Grant Janssen via FreeIPA-users
you might want to take a look at the man page for sss_cache. We use sss_cache occasionally to flush such problems. - grant

[Freeipa-users] Re: CentOS 7 ipa upgrade causes pki-tomcatd not to start CA

2018-12-29 Thread Grant Janssen via FreeIPA-users
I recently performed this on my servers. what does “ipa --version” show? after the yum update, did you run “ipa-server-upgrade”? - grant

[Freeipa-users] Re: new replica does not post properly in ipa_check_consistency

2018-12-20 Thread Grant Janssen via FreeIPA-users
I never thought to dissect the ipa_check_consistency script. I wasn’t going to add the SRV record until everything tested perfectly - didn’t want authorizations going to a server that wasn’t functioning. added the SRV record. now THAT was an easy fix. grant@ef-idm03:~[20181219-11:37][#111]$

[Freeipa-users] new replica does not post properly in ipa_check_consistency

2018-12-19 Thread Grant Janssen via FreeIPA-users
New replica looks to be fully joined. I can add users, and I have verified by log examination that the new replica is actually the server adding the user. I cannot detect any issues, BUT the 3rd replica does not appear as a column when I execute the ipa_check_consistency script.

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
feeling the squeeze of the python. as it turns out, I was barking up the right tree on this mod_wsgi issue. when I tried to remove: python36u-mod_wsgi python36u python36u-libs python36u-setuptools yum wanted to take ipa-server and ipa-server-dns with it. - nope, didn’t want to do that I

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
it appears your suspicion was correct /var/log/httpd/error_log from the new replica [10.1.132.31]: [Thu Dec 06 08:17:17.119449 2018] [auth_gssapi:error] [pid 31454] [client 10.1.132.31:43394] Failed to unseal session data!, referer: https://ef-idm03.production.efilm.com/ipa/xml [Thu Dec 06

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
rob - thank you so much for your quick attention. with the exception of the dnaMaxValue and dnaNextValue the config appears to be identical on all 3 servers. grant@ef-idm03:~[20181206-10:10][#5]$ ldapsearch -x -D 'cn=Directory Manager' -W -b "cn=Posix IDs,cn=Distributed Numeric Assignment

[Freeipa-users] new replica has no dnarange

2018-12-06 Thread Grant Janssen via FreeIPA-users
when I added another replica, all appeared to go smooth. But the new server did not receive a dnarange. I reviewed the man page and this indicated: "New IPA masters do not automatically get a DNA range assignment. A range assignment is done only when a user or POSIX group is added on that

[Freeipa-users] Re: replication sync issues

2018-11-02 Thread Grant Janssen via FreeIPA-users
I’ve tried both force-sync AND re-initialize on both hosts. I do have a question about the error in the log. though the error posts on the “master”, it appears to indicate an issue with the slave. the slave syslog is clean. when the log indicates “The replica must be reinitialized” is it meant

[Freeipa-users] replication sync issues

2018-10-30 Thread Grant Janssen via FreeIPA-users
I have these errors in the syslog of the primary, the syslog on the secondary is clean. Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd965100020060 in the

[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-08-01 Thread Grant Janssen via FreeIPA-users
The resolv.conf is identical on both systems, DNS is solid. SRV records are functioning as expected. I looked at everything and failing to find a resolution, sought advice here on the board. Now that these are out of sync, how would one manually initiate a sync? I haven’t found this in

[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-07-31 Thread Grant Janssen via FreeIPA-users
Any ideas on this? Everything appears to be in order, yet there is a disparity between the master and replica on the host count. On Jul 25, 2017, at 09:11, Grant Janssen wrote: grant@ef-idm02:~[20170725-9:05][#56]$