[Freeipa-users] New ipaclient releases for PyPI?

2022-11-22 Thread Sam Morris via FreeIPA-users
ipaclient on PyPI is a bit outdated (4.8.9). Are there any plans to start uploading it again? Cheers, -- Sam Morris PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

[Freeipa-users] Re: ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!

2022-11-22 Thread Alexander Bokovoy via FreeIPA-users
On ma, 21 marras 2022, Paulina Budzon via FreeIPA-users wrote: In some cases the error message from ipa-client-install is different (but still thrown at certutil): Starting external process args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpiat7ggvf', '-A', '-n', 'CA certificate 1', '-t', 'C,,',

[Freeipa-users] SSSD unable to retrieve secondary groups after upgrade of ipa-server

2022-11-22 Thread Krishna Pulluru via FreeIPA-users
Hello Community, We recently updated ipa-server and a bunch of related packages from 4.6.8-5.el7.centos.11 to 4.6.8-5.el7.centos.12. This also updated the IPA data. After that, the clients are unable to retrieve group information. However, they can load SSH public keys and other user details

[Freeipa-users] broken installation -> how to migrate it?

2022-11-22 Thread Florian Hilgenberg via FreeIPA-users
Hello people. This is already posted here, maybe check there for better formatting: https://www.reddit.com/r/FreeIPA/comments/yzcln7/broken_installation_how_to_migrate_it/ I broke my IPA installation on a CentOS 7 somehow... can't root cause it anymore. But since I basically use only LDAP I

[Freeipa-users] Re: New ipaclient releases for PyPI?

2022-11-22 Thread Alexander Bokovoy via FreeIPA-users
On ti, 22 marras 2022, Sam Morris via FreeIPA-users wrote: ipaclient on PyPI is a bit outdated (4.8.9). Are there any plans to start uploading it again? We are planning new releases for 4.9/4.10 series soon. I'll make sure we'd upload updates too. -- / Alexander Bokovoy Sr. Principal

[Freeipa-users] Re: NFSv4 id mapping through IPA ldap server

2022-11-22 Thread Alexander Bokovoy via FreeIPA-users
On ti, 22 marras 2022, Yanlish Hesap via FreeIPA-users wrote: Hi All. We have IPA setup in an AD trust to support our Linux fleet. User home directories are mounted from a Netapp filer (nfs4 with krb5). The filer performs uid <-> uidNumber mapping required by kerberized nfs4 via IPA ldap

[Freeipa-users] Re: ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!

2022-11-22 Thread Paulina Budzoń via FreeIPA-users
For reference to @freeipa-users, since I very much don’t like open threads that moved to private and were left unanswered. Big thanks to Alexander for helping with debugging. It seems we are affected by https://pagure.io/freeipa/issue/9228 . To confirm

[Freeipa-users] Re: New ipaclient releases for PyPI?

2022-11-22 Thread Sam Morris via FreeIPA-users
On 22/11/2022 09:28, Alexander Bokovoy wrote: On ti, 22 marras 2022, Sam Morris via FreeIPA-users wrote: ipaclient on PyPI is a bit outdated (4.8.9). Are there any plans to start uploading it again? We are planning new releases for 4.9/4.10 series soon. I'll make sure we'd upload updates too.

[Freeipa-users] Re: ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!

2022-11-22 Thread Paulina Budzon via FreeIPA-users
Thanks for your help!

> This is coming from an attempt to get a Kerberos service ticket using
> credentials for the user you are using to enroll this machine. Since you
> are passing '-w$password' and not any specific principal, this means it
> is the machine itself, hence we see

I'm passing

[Freeipa-users] Re: ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!

2022-11-22 Thread Alexander Bokovoy via FreeIPA-users
On ti, 22 marras 2022, Paulina Budzon via FreeIPA-users wrote: Thanks for your help! This is coming from an attempt to get a Kerberos service ticket using credentials for the user you are using to enroll this machine. Since you are passing '-w$password' and not any specific principal, this

[Freeipa-users] Re: HTTP certificate expired

2022-11-22 Thread Rob Crittenden via FreeIPA-users
Juan Pablo Lorier via FreeIPA-users wrote:
> Hi,
>
> I have a production server that was not maintained and I see that the HTTP
> certificate has expired long ago. I tried to renew it but I'm not being able
> to get it right.
>
> The initial status was:
>
> Request ID '20191219011208':
>

[Freeipa-users] Re: ipa-client-install randomly fails with slapi_access_allowed does not allow WRITE to ipaProtectedOperation; write_keys!

2022-11-22 Thread Rob Crittenden via FreeIPA-users
Paulina Budzoń via FreeIPA-users wrote:
> For reference to @freeipa-users, since I very much don't like open
> threads that moved to private and were left unanswered.
>
> Big thanks to Alexander for helping with debugging. It seems we are
> affected by https://pagure.io/freeipa/issue/9228. To

[Freeipa-users] Re: SSSD unable to retrieve secondary groups after upgrade of ipa-server

2022-11-22 Thread Krishna Pulluru via FreeIPA-users
FYI - The issue is now resolved after updating SSSD configs to use the compat tree for group search. However, it is good to know why the FreeIPA upgrade broke it, as we will have to update the same in production in the coming weeks.

[Freeipa-users] freeipa dns resolving for non local domains fails

2022-11-22 Thread Rob Verduijn via FreeIPA-users
Hello, I've found an issue with my ipa dns setup. all local dns queries work fine. However queries outside my ipa domain fail most of the time. I found this error in the logs: managed-keys-zone: Unable to fetch DNSKEY set '.': timed out I think that this causes my problems with external dns.

[Freeipa-users] Re: HTTP certificate expired

2022-11-22 Thread Juan Pablo Lorier via FreeIPA-users
Hi Rob, Thanks for the reply. As I didn’t know other way but to go back in time, I just did it and now the server is running 100%. This was all part of an update from 4.7 to 4.9. According to the documentation, it was just a matter to def update but it seems that is not such a happy path. I

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I would start by doing a backup of the NSS database (save the directory and files from /etc/pki/pki-tomcat/alias). Then remove the wrong cert using: certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' and install the good one using certutil -A -d

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Rob Crittenden via FreeIPA-users
Greg Harris wrote:
> ARRRGGG!!! 'Server-Cert cert-pki-ca' is missing again. Trying to
> recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is
> not giving me the key, so that I can re-import it and get it trusted.
> The certutil -L command is showing a trust of ',,',

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
Got it! A 'ipa-getcert resubmit -I $Serial' did it. It's now showing in the certutil as trusted. Now to see if it will ipa-server-upgrade correctly. Thanks! Thanks, Greg Harris On Nov 22, 2022, at 4:26 PM, Greg Harris <ghar...@teamexpansion.org> wrote: I just discovered that

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
It’s 4.6.8-5.el7.centos.12. Yes, it’s strange that it would disappear. I believe that it renewed the certificate, but may not have updated correctly. The first thing I found was that the certificate wasn’t there. I was able to restore the .crt from the CS.cfg file, but that of course

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
I just discovered that ipa-certupdate is removing the 'Server-Cert cert-pki-ca' from 'certutil -L -d /etc/pki/pki-tomcat/alias/' when the trust flags aren't correct. However, the new cert is still in 'getcert list' as monitoring. I did a 'ipa-getcert request -d /etc/pki/pki-tomcat/alias -n

[Freeipa-users] Re: NFSv4 id mapping through IPA ldap server

2022-11-22 Thread Yanlish Hesap via FreeIPA-users
Thanks, I have stumbled upon a solution yesterday, which was to change the ldap search base to cn=compat,dc=ipa,dc=localdomain (from dc=ipa,dc=localdomain). The curious thing is "dc=ipa,dc=localdomain" as the search base was working before the RHEL8 patch cycle. Wondering if that was a bug that

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-11-22 Thread Greg Harris via FreeIPA-users
ARRRGGG!!! 'Server-Cert cert-pki-ca' is missing again. Trying to recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is not giving me the key, so that I can re-import it and get it trusted. The certutil -L command is showing a trust of ',,', rather than 'u,u,u' because
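The certutil steps Florence outlines in the "ipa-cacert-manage renew" reply above (back up /etc/pki/pki-tomcat/alias, certutil -D the wrong cert, certutil -A the right one) and the trust-flag check Greg is doing with certutil -L in the 'transportCert cert-pki-kra' thread, as an added shell example. This is not code from the thread or from the FreeIPA project. Assumptions, labelled in the comments: the helper names, the backup naming scheme, the default trust flags CTu,Cu,Cu for a CA certificate, and the constructed certutil -L listing the comments show for exercising the parser.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Helpers for the certutil procedure discussed above: back up the NSS
# database before touching it, read a nickname's trust flags out of a
# 'certutil -L' listing, and replace the certificate stored under a nickname.
# Assumed: helper names, the DIR.bak.<timestamp> backup scheme, and the
# default CA trust flags CTu,Cu,Cu (pass your own if they differ).

set -eu

# backup_nssdb DIR: copy DIR to DIR.bak.<timestamp> and print the copy's path.
# Run this before any certutil -D / -A so a bad import can be undone.
backup_nssdb() {
    dir="${1%/}"
    backup="$dir.bak.$(date +%Y%m%d%H%M%S)"
    cp -a "$dir" "$backup"
    printf '%s\n' "$backup"
}

# trust_flags NICK: read 'certutil -L' output on stdin and print the trust
# column for NICK (for example "u,u,u" or ",,"); prints nothing if NICK is
# absent. Nicknames contain spaces, so the last field is taken as the flags
# and the rest of the line is compared with NICK. A constructed listing in
# the shape certutil prints:
#   Certificate Nickname                  Trust Attributes
#                                         SSL,S/MIME,JAR/XPI
#
#   caSigningCert cert-pki-ca             CTu,Cu,Cu
#   Server-Cert cert-pki-ca               ,,
trust_flags() {
    awk -v nick="$1" '
        NF >= 2 {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "")   # drop flags column
            if ($0 == nick) { print flags; exit }
        }'
}

# replace_cert DIR NICK PEMFILE [TRUST]: delete whatever is stored under NICK
# and import PEMFILE (PEM, hence -a) under the same nickname with TRUST flags,
# then print the resulting trust column so the change can be eyeballed.
replace_cert() {
    dir="$1"; nick="$2"; pem="$3"; trust="${4:-CTu,Cu,Cu}"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 2; }
    certutil -D -d "$dir" -n "$nick"
    certutil -A -d "$dir" -n "$nick" -t "$trust" -a -i "$pem"
    certutil -L -d "$dir" | trust_flags "$nick"
}

# Typical use, as root, for the case in the thread:
#   backup_nssdb /etc/pki/pki-tomcat/alias
#   replace_cert /etc/pki/pki-tomcat/alias 'caSigningCert cert-pki-ca' /root/correct-ca.pem
#   certutil -L -d /etc/pki/pki-tomcat/alias | trust_flags 'Server-Cert cert-pki-ca'
```

trust_flags only parses listing text, so it can be tried offline against a pasted certutil -L listing; replace_cert actually runs certutil and belongs after backup_nssdb has made its copy. The leading u in u,u,u is certutil reporting that the private key for that certificate is in the database, which is why a service certificate showing ',,' is not repaired by importing the public certificate alone; that matches Greg's observation that importing the .crt did not restore the key, and why ipa-getcert resubmit, which re-issues the certificate against the tracked key, was what finally worked for him.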