[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Flo and Andrew, thanks for your replies, but I think you missed the point: The new (external) root CA certificate and the new ipa CA certificate are *in* freeipa already, but on the host I had used for running ipa-cacert-manage to deploy this new PKI the database in /var/lib/pki/pki-tomcat/ca/a

[Freeipa-users] Re: Maintenance mode

2017-12-07 Thread Lachlan Musicman via FreeIPA-users
-- "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are crea

[Freeipa-users] IPa and automount

2017-12-07 Thread Miguel Angel Coa M. via FreeIPA-users
Hello, I'm configuring automount/nfs on my IPA server but I have a question about changing the remote mount point. For example, now when a user logs in, automount mounts the home under /home/ , but I need to change this directory, for example /home/remote/ Example: [.] su - foo df

[Freeipa-users] Reinitializing replica fails?

2017-12-07 Thread Jonathan Kelley via FreeIPA-users
ipa-server-4.5.0-21.el7.centos.2.2.x86_64 ipa-server-common-4.5.0-21.el7.centos.2.2.noarch I was getting this error in errors.log: Data required to update replica has been purged from the changelog. If the error persists the replica must be reinitialized. This has been

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Andrew Radygin via FreeIPA-users
I see, thanks for the information. 2017-12-07 16:52 GMT+03:00 Alexander Bokovoy : > On to, 07 joulu 2017, Rob Crittenden via FreeIPA-users wrote: > >> Andrew Radygin via FreeIPA-users wrote: >> >>> Anyone? >>> Of course this kind R&D question, but anyway I need to know. >>> >>> >>> 2017-12-06 17:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Andrew Radygin via FreeIPA-users
Harald, Maybe in the ldap certificate container you already have the same certificate you're trying to install, but it has another key or is untrusted? Then try to delete it via ldapdelete and certutil -d and then try again to install the new one. 2017-12-07 17:20 GMT+03:00 Harald Dunkel via FreeIPA-users <

[Freeipa-users] Fwd: Replication Issue on slave servers

2017-12-07 Thread tarak sinha via FreeIPA-users
Hello All, I hope everyone is doing well. For 1 month I have been getting a replication issue on my slave servers. Updated logs from Master and Slave server for more info. If you have any suggestion or idea to fix this issue, that will be really appreciated. Auth Master server :- LOG info. /var/log/dirsrv/sla

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
On 12/7/17 2:53 PM, Florence Blanc-Renaud wrote: Hi, if you run: ipa-cacert-manage install -t C,, ipa-certupdate then the new root certificate will be installed in all the required NSS databases. Do not forget to run ipa-certupdate on all the FreeIPA machines. This did not work: [root@i

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/07/2017 09:17 AM, Harald Dunkel via FreeIPA-users wrote: Hi Rob, On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: Here is what I see on the broken ipa server: [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Alexander Bokovoy via FreeIPA-users
On to, 07 joulu 2017, Rob Crittenden via FreeIPA-users wrote: Andrew Radygin via FreeIPA-users wrote: Anyone? Of course this kind R&D question, but anyway I need to know. 2017-12-06 17:15 GMT+03:00 Andrew Radygin via FreeIPA-users <freeipa-users@lists.fedorahosted.org>: Hello every

[Freeipa-users] Re: Maintenance mode

2017-12-07 Thread Rob Crittenden via FreeIPA-users
Lachlan Musicman via FreeIPA-users wrote: > Stupid question, but to stop anyone from logging in anywhere - for > instance during a maintenance period - is there an easy maintenance mode > in IPA? > > Or is the best method to disable all HBAC rules? I guess it depends on what maintenance you're ta

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Rob Crittenden via FreeIPA-users
Andrew Radygin via FreeIPA-users wrote: > Anyone? > Of course this kind R&D question, but anyway I need to know. > > > 2017-12-06 17:15 GMT+03:00 Andrew Radygin via FreeIPA-users > >: > > Hello everybody, > > I want to know, is there possibi

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Andrew Radygin via FreeIPA-users
Anyone? Of course this kind R&D question, but anyway I need to know. 2017-12-06 17:15 GMT+03:00 Andrew Radygin via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hello everybody, > > I want to know, is there possibility to change default ldap scheme, where > user and groups are storing

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
PS: I have derived another CA replica "ipa0" from ipa2. certutil shows different trustargs again. Shouldn't ipa2 and the new ipa0 have identical trustargs? [root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: Here is what I see on the broken ipa server: [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attribute