[Freeipa-users] certmonger CA settings

2017-06-20 Thread Ian Pilcher via FreeIPA-users
As part of my debugging efforts (see "Expired certificates" thread), I changed the settings for the dogtag-ipa-renew-agent and dogtag-ipa-ca-renew-agent CAs. Unfortunately, I forgot to make a note of the original settings. Are these correct for IPA 4.4 (on CentOS 7)? CA 'SelfSign':

[Freeipa-users] [SOLVED?] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
On 06/20/2017 11:38 PM, Ian Pilcher wrote: If I don't specify the SSL_DIR, the curl command works, so it definitely seems to be an issue with the NSS database in /etc/httpd/alias. I don't see anything obviously wrong with the trust flags, though: # certutil -d /etc/httpd/alias -L

[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
On 06/20/2017 10:38 PM, Rob Crittenden wrote: Are these three the only expired certs? For now ... What version of IPA? ipa-server-4.4.0-14.el7.centos.7.x86_64 Did you restart IPA after going back in time? If not, try that, then restart certmonger and it should renew the certs.

[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start. > > I see this (repeated many times) in the journal: > > WARNING: Exception processing realm > com.netscape.cms.tomcat.ProxyRealm@383171f8 background process >

[Freeipa-users] Expired certificates

2017-06-20 Thread Ian Pilcher via FreeIPA-users
After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start. I see this (repeated many times) in the journal: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@383171f8 background process javax.ws.rs.ServiceUnavailableException: Subsystem unavailable at

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 20 Jun 2017, Robert Johnson wrote: I ran into this exact same problem with my IPA domain in a one way external trust to our Windows 2012 R2 AD forest. It appears that Microsoft may have removed the routing suffix option from the Windows 2012 R2 native forest trust gui. My solution was

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Robert Johnson via FreeIPA-users
I ran into this exact same problem with my IPA domain in a one way external trust to our Windows 2012 R2 AD forest. It appears that Microsoft may have removed the routing suffix option from the Windows 2012 R2 native forest trust gui. My solution was to follow the instructions in the "Define

[Freeipa-users] Re: Rebuilding IPA environment

2017-06-20 Thread Timothy Geier via FreeIPA-users
On Jun 20, 2017, at 10:48 AM, Rob Crittenden via FreeIPA-users wrote: John Bowman via FreeIPA-users wrote: What would be the best method to stand up a new IPA environment while keeping as much of the existing

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote: Please see the attached screenshot for the Trust settings, and thank you for your time. Thanks. I'm not sure why is that happening even for the immediate forest root domain that i.rdmedia.com is. I'll check with Microsoft doc help team

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
Please see the attached screenshot for the Trust settings, and thank you for your time. On 20 June 2017 at 19:36, Tiemen Ruiten wrote: > On 20 June 2017 at 18:07, Alexander Bokovoy wrote: > >> On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users

[Freeipa-users] Master -> replica through NAT?

2017-06-20 Thread Kat via FreeIPA-users
Here is an odd problem (I think). I am using IPA in one environment, and want to set up a replica in another environment through natted connections. I can setup the client to the NAT server, but here is the tricky part - IPA is also DNS. So if I try to bring the DNS setup over with --

[Freeipa-users] Re: GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
On 20 June 2017 at 18:07, Alexander Bokovoy wrote: > On Tue, 20 Jun 2017, Tiemen Ruiten via FreeIPA-users wrote: > >> Hello, >> >> I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: >> rpm >> versions are 4.4.0-14.el7.centos.7) with a two-way,

[Freeipa-users] Re: Rebuilding IPA environment

2017-06-20 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > What would be the best method to stand up a new IPA environment while > keeping as much of the existing data as possible? > > I've read that the ipa migrate-ds only migrates the users and groups and > the recommended suggestion is to set up a replica. I'd

[Freeipa-users] GSSAPI login from trusted AD domain to FreeIPA clients not working

2017-06-20 Thread Tiemen Ruiten via FreeIPA-users
Hello, I have a FreeIPA domain, i.rdmedia.com, (CentOS 7.3, fully up-to-date: rpm versions are 4.4.0-14.el7.centos.7) with a two-way, non-transitive, external trust to an Active Directory domain in another forest, clients.rdmedia.com, (Windows Server 2012R2). I've setup the trust using the

[Freeipa-users] Re: Replication conflict woes

2017-06-20 Thread john.bowman--- via FreeIPA-users
Yeah did not look like the same issue, but just wanted to make sure just in case. This gives me at least an idea on where to keep looking and I'll do a little more research and see what else I can find on this as well before I make any changes. Thank you very much for the help!

[Freeipa-users] Re: Replication conflict woes

2017-06-20 Thread Ludwig Krispenz via FreeIPA-users
On 06/20/2017 02:31 PM, john.bowman--- via FreeIPA-users wrote: > These steps wouldn't be documented somewhere would they? no, I am not aware of > I did find this older thread: https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html > Something similar to those steps? this

[Freeipa-users] Re: Replication conflict woes

2017-06-20 Thread john.bowman--- via FreeIPA-users
These steps wouldn't be documented somewhere would they? I did find this older thread: https://www.redhat.com/archives/freeipa-users/2016-August/msg00035.html Something similar to those steps? Thank you for the help very much appreciated!

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-20 Thread David Harvey via FreeIPA-users
doh. Yes, I did mean 17.04. /facepalm On Tue, Jun 20, 2017 at 9:40 AM, Timo Aaltonen wrote: > On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote: > > Hope this helps to save some of some time digging. And I know, > > freeipa-server on a non LTS release is daft.. > >

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-20 Thread Timo Aaltonen via FreeIPA-users
On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote: > Hope this helps to save some of some time digging. And I know, > freeipa-server on a non LTS release is daft.. did you mean 17.04, since 4.4.4-1 is in 17.10 and fixed all the issues you listed.. ?

[Freeipa-users] Re: Replication conflict woes

2017-06-20 Thread Ludwig Krispenz via FreeIPA-users
Hi, unfortunately replication conflicts for managed entries have additional difficulties. The origin and managed entries reference the "non-conflict" entry and the managed entry plugin prevents the deletion of a managed entry via ldapmodify. To proceed in cleanup you could try to remove the

[Freeipa-users] Re: admin account locked due to external ssh authentication attempts

2017-06-20 Thread peter--- via FreeIPA-users
Thanks, this did exactly what I wanted. Regards, Peter