[Freeipa-users] Re: AD trust setup woes

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 03 Aug 2017, Igor Sever via FreeIPA-users wrote: I didn’t specify any ID range. This was all done automagically by setup. I read a lot of documentation, and I can’t remember that ever being mentioned. We indeed had NIS at some point, but this is not supported any more by MS, and FreeIPA

[Freeipa-users] Re: Failed Upgrade?

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On 08/02/2017 12:11 AM, Florence Blanc-Renaud wrote: On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: On 08/01/2017

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Kellner via FreeIPA-users
Hi, on 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" wrote: > On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users wrote: >> I'm playing around with keycloak and wanted to use an SSL certificate >> from IPA. I've looked around

[Freeipa-users] Re: Edit named-pkcs11

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 02:10 AM, Tejas Desai via FreeIPA-users wrote: BIND uses the directives “type forward” and “forward first” in its named.conf file. How can I make use of BIND directives when using ipa dns? Because it is based on BIND, can I edit named-pkcs11 directly? Tejas

[Freeipa-users] PKI debug files are not rotated

2017-08-03 Thread Harald Dunkel via FreeIPA-users
Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca. On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/pki/pki-tomcat/ca/CS.cfg, setting debug.append=true

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/02/2017 04:17 PM, Fraser Tweedale wrote: - /var/log/ipareplica-install.log from replica - /etc/pki/pki-tomcat/ca/debug from both master and replica Those logs should do for a start. I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both master and replica. Depending on

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler via FreeIPA-users wrote: > This may be related to the issue discussed here: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ >

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Kristian Petersen via FreeIPA-users
I work with Randy and there was some custom python and javascript code written to implement the extensions to the schema as I recall. On Thu, Aug 3, 2017 at 8:15 AM, Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Randy Morgan via FreeIPA-users wrote: > > When

[Freeipa-users] Re: Valid Sender ? - Re: Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Hein via FreeIPA-users
Rob Crittenden writes: > certmonger doesn't support storing certificates in a java keystore. That's what I found out :-) > The tricky bit might be in dealing with the CSR. certmonger needs the > private key in order do the renewal. > > I guess one thing you could do is a

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote: > Hi, > > On 3 August 2017 03:03, "Fraser Tweedale via FreeIPA-users" > > wrote: > >> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users >> wrote: >>> I'm playing around with keycloak and wanted

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > The query mismatch was a typo/mispaste, sorry about that. > > It was indeed at least partly permissions in the LDAP server, likely > because a service is running the query. > > I solved the freeipa permissions with the below command, which is likely > bad in some way but

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Alexander Bokovoy via FreeIPA-users
On Thu, 03 Aug 2017, Petr Fišer via FreeIPA-users wrote: Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > When we setup our IPA server, we extended the schema to include 3 fields > that were important to the work we do. When we performed the last > update, those fields still show as required, but they are missing and we > cannot add users to IPA unless we

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Bob Rentschler via FreeIPA-users
The query mismatch was a typo/mispaste, sorry about that. It was indeed at least partly permissions in the LDAP server, likely because a service is running the query. I solved the freeipa permissions with the below command, which is likely bad in some way but did allow postmap to return the

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/03/2017 08:34 AM, Fraser Tweedale wrote: Mark, that's great news; I'm glad you were able to resolve the issue. Everyone gets the tunnel vision sometimes :) I wish you a successful rollout to production. Cheers, Fraser Actually, let me update you on this. I finally got a chance to

[Freeipa-users] Re: Creating certificate for master domain

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski wrote: > Okay, but how can I create a certificate for domain intra.example.com? > > I can't create host, because the hostname is required. When I try to add > service, I got output that principal is required. Like I said, every cert needs to live in a bucket (user, service, etc)

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > I work with Randy and there was some custom python and javascript code > written to implement the extensions to the schema as I recall. My initial thought was that the freeIPA code was updated directly and updating overwrote the customizations. rob >

[Freeipa-users] Deleting revoked certs from CA master

2017-08-03 Thread Mark Haney via FreeIPA-users
So now that we have a nicely replicating domain and ca, I'd like to rid myself of these revoked certificates which I tried as a way to fix the replication and setting up of a CA. Is there a way to delete these certs out of the store? -- Mark Haney Network Engineer at NeoNova 919-460-3330

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Kristian Petersen via FreeIPA-users
The customizations that define the additions to the schema appear to be in the javascript file /usr/share/ipa/ui/js/plugins/chemuser/chemuser.js. It defines the additional fields we use that are causing us so much trouble. I have included it below. // Place in

[Freeipa-users] Re: I appear to have an issue with "hosts" on my replica

2017-08-03 Thread Michael Papet via FreeIPA-users
Have you tried the replication management script? ipa-replica-manage(1): Manage IPA replica - Linux man page. Manages the replication agreements of an IPA server. connect [SERVER_A] -

[Freeipa-users] Re: setting up a new replica: failed in "retrieving schema for SchemaCache"

2017-08-03 Thread Petr Vobornik via FreeIPA-users
On Wed, Aug 2, 2017 at 3:06 PM, Karl Forner via FreeIPA-users wrote: > Cross-posted from https://github.com/freeipa/freeipa-container/issues/151 > > Context: I have one master running in a docker container, with freeIPA > 4.2.3. > > I'm trying to setup a new

[Freeipa-users] Re: Unable to re-join CentOS client to FreeIPA

2017-08-03 Thread Petr Vobornik via FreeIPA-users
On Thu, Aug 3, 2017 at 9:57 PM, Alexandre Pitre via FreeIPA-users wrote: > I'm unable to rejoin a CentOS client to my FreeIPA realm. I ran the > uninstall command on my client: ipa-client-install --uninstall > > As far as I know, the uninstall was successful.

[Freeipa-users] custom attributes as a part of default ipa permissions

2017-08-03 Thread Petr Fišer via FreeIPA-users
Hello, We are currently deploying FreeIPA and we make use of custom attributes. We defined them in custom.py script (located in /usr/lib/python2.7/site-packages/ipaserver/plugins/custom.py). custom.py looks like this: from ipaserver.plugins.user import user from ipalib.parameters import Int

[Freeipa-users] Re: PKI debug files are not rotated

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 11:19 AM, Harald Dunkel via FreeIPA-users wrote: Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/\

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Fraser Tweedale via FreeIPA-users
On Thu, Aug 03, 2017 at 07:18:30AM -0400, Mark Haney wrote: > On 08/02/2017 04:17 PM, Fraser Tweedale wrote: > > > > > - /var/log/ipareplica-install.log from replica > > > - /etc/pki/pki-tomcat/ca/debug from both master and replica > > > > > > Those logs should do for a start. > > > > > > I'd

[Freeipa-users] Re: custom attributes as a part of default ipa permissions

2017-08-03 Thread Petr Fišer via FreeIPA-users
Oh, sorry, I forgot. FreeIPA 4.4.0 on RHEL 7. Petr Fišer BCV solutions s.r.o. Mobile: +420 607 618 243 E-mail: petr.fi...@bcvsolutions.eu Jabber: petr.fi...@bcvsolutions.eu On 08/03/2017 02:05 PM, Petr Fišer wrote: Hello, We are currently deploying FreeIPA and we make use of custom