[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 06:09:22AM +1000, Fraser Tweedale wrote: > On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > > > Providing the dogtag debug log

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 08:34:59AM -0400, Mark Haney wrote: > On 08/02/2017 07:25 AM, Fraser Tweedale wrote: > > On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: > > > > > > Providing the dogtag debug log might be helpful. The replica install log > > > shows that the GoDaddy CA

[Freeipa-users] Edit named-pkcs11

2017-08-02 Thread Tejas Desai via FreeIPA-users
BIND uses the directives “type forward” and “forward first” in its named.conf file. How can I make use of BIND directives when using ipa dns? Because it is based on BIND, can I edit named-pkcs11 directly? Tejas

[Freeipa-users] ipa-getcert and java certstore/keytool

2017-08-02 Thread Jochen Hein via FreeIPA-users
Hi, I'm playing around with keycloak and wanted to use an SSL certificate from IPA. I've looked around but didn't see any howto about using java keytool with ipa-getcert. Does anyone have experience with it? I was not successful adding key/cert created by certmonger into keytool, and also not

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: > > Hi, > > I'm playing around with keycloak and wanted to use an SSL certificate > from IPA. I've looked around but didn't see any howto about using java > keytool with ipa-getcert. Has someone experience with it? >

[Freeipa-users] Re: Failed Upgrade?

2017-08-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: On 08/01/2017 03:11 PM, Ian Harding wrote: On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote: On 08/01/2017 01:32 AM, Ian

[Freeipa-users] FreeIPA and postfix issue.

2017-08-02 Thread Bob Rentschler via FreeIPA-users
This may be related to the issue discussed here: https://lists.fedorahosted.org/archives/list/freeipa- us...@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ But it seems not to be, layer 8 is still open though. Using the instructions here

[Freeipa-users] Re: web interface: show all instead of just 20 entries?

2017-08-02 Thread Petr Vobornik via FreeIPA-users
On Wed, Aug 2, 2017 at 12:03 PM, Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > a small suggestion for the web interface: An option "show all" > would be nice, e.g. for the list of active users, user groups or > hosts. Currently it just shows 20

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
I didn’t specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can’t remember that ever being mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA should not just presume that we have gidNumber on all

[Freeipa-users] Re: Can't create new CA replica

2017-08-02 Thread Fraser Tweedale via FreeIPA-users
On Thu, Jul 06, 2017 at 02:17:40PM -0400, Rob Crittenden wrote: > john.bowman--- via FreeIPA-users wrote: > > Since taking over our FreeIPA environment I've been unable to create a new > > CA replica. A bunch of failed attempts and upgrades over the last year and > > I keep running in to

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Mark Haney via FreeIPA-users
On 08/02/2017 07:25 AM, Fraser Tweedale wrote: On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: Providing the dogtag debug log might be helpful. The replica install log shows that the GoDaddy CA chain was imported and trusted reasonably (C,,) but the installer later claims it

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-08-02 Thread Prasun Gera via FreeIPA-users
I think the path that is triggered first is from the following code:

    if new_cert == old_cert:
        syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
        # No cert available yet, tell certmonger to wait another 8 hours
        return (WAIT_WITH_DELAY, 8 * 60 * 60, '')

[Freeipa-users] Creating certificate for master domain

2017-08-02 Thread Rafał Wądołowski via FreeIPA-users
Hi, I have a freeipa 4.4 cluster with CN intra.example.com. We developed an intranet on this same domain, but I can't create a valid certificate for it. I can't create a service, because a hostname is required. Is there another way to sign the CSR? What is the good practice for creating https certificates?

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Igor Sever via FreeIPA-users
There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I... https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/ It is obvious that

[Freeipa-users] Re: web interface: show all instead of just 20 entries?

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi Petr, On Wed, 2 Aug 2017 12:48:32 +0200 Petr Vobornik via FreeIPA-users wrote: > > Hello, > > 20 was a hard-coded paging limit. Since FreeIPA 4.5 (not sure if also > in 4.4) the paging limit can be configured in Web UI under: "Top-right > corner

[Freeipa-users] howto replace an externally signed CA

2017-08-02 Thread Harald Dunkel via FreeIPA-users
Hi folks, Problem: I have set up freeipa using a bad external CA. Long story: I have set up my freeipa servers using ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca --subject="O=example AG,C=DE" --setup-dns --forwarder=... on ipa1.example.com. It created a csr, it was

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 02 Aug 2017, Igor Sever via FreeIPA-users wrote: There is no gidNumber attribute on AD group objects. If I want to apply posix attributes directly in AD, then I don't need FreeIPA, do I...

[Freeipa-users] Re: Creating certificate for master domain

2017-08-02 Thread Rafał Wądołowski via FreeIPA-users
Okay, but how can I create a certificate for the domain intra.example.com? I can't create a host, because the hostname is required. When I try to add a service, I get output that a principal is required. Regards, Rafał Wądołowski On 02/08/17 15:55, Rob Crittenden via FreeIPA-users wrote: > Rafał

[Freeipa-users] setting up a new replica: failed in "retrieving schema for SchemaCache"

2017-08-02 Thread Karl Forner via FreeIPA-users
Cross-posted from https://github.com/freeipa/freeipa-container/issues/151 Context: I have one master running in a docker container, with freeIPA 4.2.3. I'm trying to set up a new replica. I could not do so using the same docker container version that runs the master. I've been told to use the latest

[Freeipa-users] Re: Creating certificate for master domain

2017-08-02 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski via FreeIPA-users wrote: > Hi, > > I have freeipa 4.4 cluster with CN intra.example.com. > > We developed intranet on this same domain, but I can't create a valid > certificate for it. > > I can't create service, because hostname is required. Is it other way to > sign the CSR?