[Freeipa-users] Re: ipa-server-upgrade failed

2020-01-28 Thread Winfried de Heiden via FreeIPA-users
Hi all, I'll keep a watch on the bugzilla. For now, the upgrade succeeded and IPA is running perfectly. Thanks a lot! Winfried -Original message- From: Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> Reply-To: FreeIPA users list To: Winfried de

[Freeipa-users] Re: suggestion for password policy

2020-01-28 Thread Charles Hedrick via FreeIPA-users
I can clean up our code, but it’s for a Kerberos pwqual plugin. That doesn’t seem to be the approach you’re using. We’re actually using code from Stanford that’s configurable for all kinds of policies, but we’re only using it for the database. Code that just checks the database would be much

[Freeipa-users] after recreating server, ipa: ERROR: No valid Negotiate header in server response

2020-01-28 Thread Charles Hedrick via FreeIPA-users
We just upgraded servers to CentOS 8.1, by deleting them and recreating them. On a few systems, when I try to use the IPA command I get ipa: ERROR: No valid Negotiate header in server response This doesn’t happen on all hosts. The IPA command works fine on the server itself. Since it’s only on

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
Hi Florence, Thank you very much for your answer. I followed the link for debugging and I found a problem: [root@ipa0 pki-tomcat]# certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca' certutil: Checking token "NSS Certificate DB" in slot "NSS User Private

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
Sorry, the last command I did without kinit admin. After that it's so: [root@ipa0 pki-tomcat]# ipa config-show | grep "CA renewal" IPA CA renewal master: ipa0.domain.com ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Serge Barkov via FreeIPA-users wrote: > The OS is "Fedora release 25 (Twenty Five)". > I compared the output from "ldapsearch -LLL...", it differs. But in order to > make ipa0 work I temporarily broke connection between nodes (with iptables) > so it's normal. > The date is > [root@ipa0 ~]# date

[Freeipa-users] pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
I have a FreeIPA with two nodes. I have no problem with one of them, but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and pki-tomcatd Service: STOPPED The first thing I found was an expired certificate, and I changed the date back in time to before the expiration date.

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Rob Crittenden via FreeIPA-users
I assume this is running RHEL 6? On both masters I'd compare the output of $ ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 7389 -b uid=ipara,ou=people,o=ipaca description What date did you go back to? Are the new certificates still valid on that date? rob

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
The OS is "Fedora release 25 (Twenty Five)". I compared the output from "ldapsearch -LLL...", it differs. But in order to make ipa0 work I temporarily broke the connection between nodes (with iptables), so it's normal. The date is [root@ipa0 ~]# date Sun Oct 20 19:46:18 MSK 2019 All the other

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
The output of ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 (there is nothing on port 7389 so I believe it must be 389) looks so: dn: cn=compat,dc=domain,dc=com objectClass: extensibleObject cn: compat dn: cn=users,cn=compat,dc=domain,dc=com objectClass: extensibleObject

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Serge Barkov via FreeIPA-users wrote: > The output of > ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` -p 389 > (there is nothing on port 7389 so I believe it must be 389) > looks so: Ok, I was guessing the release you were using. You are missing part of the command, add: -b

[Freeipa-users] Re: "FreeIPA" server ipa-dnskeysyncd.service failed

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Navi Aujla wrote: > Here are the package information on CentOS 7  > > rpm -q ipa-server slapi-nis 389-ds-base openldap db4 nss nspr glibc > ipa-server-4.6.4-10.el7.centos.2.x86_64 > slapi-nis-0.56.0-8.el7.x86_64 > 389-ds-base-1.3.8.4-22.el7_6.x86_64 > openldap-2.4.44-21.el7_6.x86_64 > package db4

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/28/20 1:35 PM, Serge Barkov via FreeIPA-users wrote: I have a FreeIPA with two nodes. I have no problem with one of them, but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and pki-tomcatd Service: STOPPED The first thing I found was a certificate expired

[Freeipa-users] Re: after recreating server, ipa: ERROR: No valid Negotiate header in server response

2020-01-28 Thread Charles Hedrick via FreeIPA-users
I found the problem. Somehow, when one of our servers was created, its password (actually Kerberos credentials) didn’t propagate to the other servers. I pulled the value of krbprincipalkey from the server and used ldapmodify to fix it on the other servers. Now the credentials are the same on

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Serge Barkov via FreeIPA-users wrote: > Oh, I'm sorry. > freeipa version is 4.4.4-1.fc25 > > I don't see any difference: > > The problem node: > [root@ipa0 ~]# ldapsearch -LLL -x -D 'cn=directory manager' -W -h `hostname` > -p 389 -b uid=ipara,ou=people,o=ipaca description > Enter LDAP

[Freeipa-users] Re: Why does ipa-client-install put "_srv_, " in the ipa_server line, and not just _srv_ by itself?

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Russell Jones via FreeIPA-users wrote: > I'm running "ipa-client-install --force-join --no-nisdomain -U", and it > auto discovers my freeipa servers, but places both _srv_ and the first > server under the "ipa_server" line. This results in the first server > being listed twice when running "sssctl

[Freeipa-users] Re: [EXTERNAL] suggestion for password policy

2020-01-28 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Would you be willing to share the code on, say, a GitHub gist? __ Daniel E. White daniel.e.wh...@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800

[Freeipa-users] Re: suggestion for password policy

2020-01-28 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > The NIST recommendations for passwords say they don’t think character classes > and expiration are useful. Instead, they recommend using a blacklist of known > common passwords. There’s no way to implement this policy without writing > your own plugin.

[Freeipa-users] suggestion for password policy

2020-01-28 Thread Charles Hedrick via FreeIPA-users
The NIST recommendations for passwords say they don’t think character classes and expiration are useful. Instead, they recommend using a blacklist of known common passwords. There’s no way to implement this policy without writing your own plugin. It would be useful for IPA’s password policy to

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Serge Barkov via FreeIPA-users
I compared, it's the same on both nodes