On Mon, Jul 31, 2017 at 05:47:11PM -0400, Alexandre Pitre wrote:
> Bull's-eye Jakub, that did the trick. I should have posted for help on the
> mailing list sooner. Thank you so much, you are saving my ass.
>
> It makes sense to increase the krb5_auth_timeout as my AD domain
> controllers servers a
On 07/31/2017 10:45 PM, pgb 205 via FreeIPA-users wrote:
Ludwig,
what about this 'fix'
https://bugzilla.redhat.com/show_bug.cgi?id=1009122
won't the setting of nsslapd -ignore-time-skew==on effectively solve the issue?
IE on the down server edit the value in /etc/dirsrv/slapd-DOMAIN/dse.ldif
Grant,
> Any ideas on this? Everything appears to be in order, yet there is a
> disparity between the master and replica on the host count.
> On Jul 25, 2017, at 09:11, Grant Janssen wrote:
What's going on with DNS on these two hosts? Are they pointing to the same DNS
server? Are there kerb
They are published, or at least it would seem that way. These were my
queries:
ldapsearch -h ipa_master -x -D 'cn=directory manager' -b cn="subsystemCert
cert-pki-ca",cn=ca_renewal,cn=ipa,cn=etc,dc= -W
ldapsearch -h ipa_replica -x -D 'cn=directory manager' -b cn="subsystemCert
cert-pki-ca",cn=ca_re
Hi Florence,
Thanks for your update.
Tried copying the ca.crt file to /et/ipa and the installation went fine.
Thanks and Regards,
Alka Murali
On Mon, Jul 31, 2017 at 3:58 PM, Florence Blanc-Renaud
wrote:
> On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
>
>> Hello Florence,
>>
>>
I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving sch
On 07/31/2017 11:34 AM, Rob Crittenden wrote:
Ian Harding via FreeIPA-users wrote:
I had an unexpected restart of an IPA server that had apparently had
updates run but had not been restarted. ipactl says pki-tomcatd would
not start.
Strangely, the actual service appears to be running:
dog
I've been trying to get this to work for a few days now all to no avail...
I've been running "FreeIPA, version: 4.3.1" for a few months now to
authenticate a number of VMs that I grew tired of managing permissions on an
individual basis and so far have been very pleased.
Now, I'm attempting to use t
I've been trying to get this to work for a few days now all to no avail...
I've been running "FreeIPA, version: 4.3.1" for a few months now to authenticate
a number of VMs that I grew tired of managing permissions on an individual basis
and so far have been very pleased.
Now, I'm attempt to use th
Bull's-eye Jakub, that did the trick. I should have posted for help on the
mailing list sooner. Thank you so much, you are saving my ass.
It makes sense to increase the krb5_auth_timeout as my AD domain
controllers servers are worldwide. Currently they exist in 3 regions: North
America, Europe and
Ludwig,
what about this 'fix'
https://bugzilla.redhat.com/show_bug.cgi?id=1009122
won't the setting of nsslapd -ignore-time-skew==on effectively solve the issue?
IE on the down server edit the value in /etc/dirsrv/slapd-DOMAIN/dse.ldif to
nsslapd-ignore-time-skew=on
and then try to bring up
On 07/24/2017 10:25 PM, Fraser Tweedale wrote:
Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
file (ideally the whole thing)?
Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role. To install the CA role on an
existing replica use
Prasun Gera via FreeIPA-users wrote:
> The entry is present on both master, and replica. Also, the status on
> replica for those two has changed to *'ca-error: Invalid cookie: '''*.
> The certs listed by certutil on both systems, as well as the ones listed
> by the ldap query seem to match. When I
Mikaël ANDRE via FreeIPA-users wrote:
> Hi everybody,
>
> With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi
> and HP ILO certificates to my FreeIPA server.
> I create csr with the following command: "openssl req -new -sha256
> -nodes -config openssl.cfg -newkey rsa:2048 -keyout
Ian Harding via FreeIPA-users wrote:
> I had an unexpected restart of an IPA server that had apparently had
> updates run but had not been restarted. ipactl says pki-tomcatd would
> not start.
>
> Strangely, the actual service appears to be running:
>
dogtag is an application within tomcat so t
Per Qvindesland via FreeIPA-users wrote:
> Hi All
>
> I installed a custom signed certificate from quovadis, the install on the ipa
> server went fine but when I try to add a client (centos 6) it gives error:
> LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been
> mark
I agree with what Fraser says. Non-expired certs (revoked or not)
should never be removed from the CA repository as that will affect the CRL
I believe someone asked about this before, and we also warned them about
that. Though I have no recollection how it worked out for them in the
end. Yo
Any ideas on this? Everything appears to be in order, yet there is a disparity
between the master and replica on the host count.
On Jul 25, 2017, at 09:11, Grant Janssen <grant.jans...@efilm.com> wrote:
grant@ef-idm02:~[20170725-9:05][#56]$ ipa_check_consistency -d
PRODUCTION.EFILM.COM
Hello Florence,
> the tool ipa-cacert-manage is used to renew IPA CA certificate, not the
> https certificate. It is a common mistake (IPA CA certificate is the
> certificate authority that has delivered the https and ldaps certificates).
Yes
> But now that you have renewed the CA certifica
The entry is present on both master, and replica. Also, the status on
replica for those two has changed to *'ca-error: Invalid cookie: '''*. The
certs listed by certutil on both systems, as well as the ones listed by the
ldap query seem to match. When I try to resubmit, there is also this
message i
On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote:
Hello Florence,
I have checked the output for the ldapsearch command and I can see the
IPA CA as well as the third party CA on my /etc/ipa/ca.crt file on my
IPA Server.
Even I tried installing the client by giving the option ca-cer
On Sun, Jul 30, 2017 at 6:53 PM, Ian Harding via FreeIPA-users
wrote:
> I had an unexpected restart of an IPA server that had apparently had
> updates run but had not been restarted. ipactl says pki-tomcatd would
> not start.
>
> Strangely, the actual service appears to be running:
>
> [root@seat
On Fri, Jul 28, 2017 at 9:27 PM, Rob Crittenden via FreeIPA-users
wrote:
> John Trump via FreeIPA-users wrote:
>> I am using FreeIPA 4.4 and have implemented a password policy where
>> password history is set to 24. If a password admin or the user "admin"
>> resets a users password, the user is fo
I did answer your same question on June 2nd
On 07/29/2017 05:09 PM, pgb205 via FreeIPA-users wrote:
we are affected by the CSN time skew bug discussed in this wiki
http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html#so-how-does-the-time-skew-grow-at-all
and
h
On 07/28/2017 07:56 PM, Jake via FreeIPA-users wrote:
All I see are responses like yours, how about a link or add it to the
documentation since it's such a problem?!
if the ruvs cannot be decoded, the ipa command line utility does not
work, you have to execute a plain cleanallruv task, an exam
Hi everybody,
With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi and
HP ILO certificates to my FreeIPA server.
I create csr with the following command: "openssl req -new -sha256 -nodes
-config openssl.cfg -newkey rsa:2048 -keyout esxi.key -out esxi.csr"
My OpenSSL configuration
26 matches