[Freeipa-users] Re: Private PEN for OID not accepted

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Thu, Jan 11, 2018 at 04:49:46AM -, Matt . via FreeIPA-users wrote: > Hi guys. > > I'm having an issue with my private PEN when I want to add an objectclass and > an attribute with the following ldif (9 is a replacement for my private > PEN registered at IANA) > > The following output

[Freeipa-users] corosync conflict with certmonger always

2018-01-10 Thread barrykfl--- via FreeIPA-users
Already set up a cluster of 2 nodes which can work fine, but on every reboot corosync seems to conflict with the certmonger service and the login service and causes ssh shell login to be slow. Any idea? Other functions of FreeIPA / HA are actually working fine. It seems it will fail the login service and the zabbix agent also for the corosync.

[Freeipa-users] Private PEN for OID not accepted

2018-01-10 Thread Matt . via FreeIPA-users
Hi guys. I'm having an issue with my private PEN when I want to add an objectclass and an attribute with the following ldif (9 is a replacement for my private PEN registered at IANA). The following output is what I get: modifying entry "cn=schema" ldap_modify: Invalid syntax (21) ad
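The post's ldif and real PEN are not shown, so the following is an added example (not code from the thread or from FreeIPA) that builds an attributeType and objectClass definition under a private enterprise arc and checks the pieces 389-ds is strict about before the `ldapmodify` is sent: the numeric OID syntax from RFC 4512 (no leading zeros in an arc, no empty arcs), the NAME token and the SYNTAX OID. The PEN `99999`, the names `exampleBadgeId` / `examplePerson` and the description strings are placeholders, not anyone's registered values.

```python
"""
Added example, not from the thread: generate and sanity-check an LDAP schema
modification under a private IANA PEN. PEN 99999 and all names are placeholders.
"""
import re

PEN_ROOT = "1.3.6.1.4.1"  # IANA private enterprise arc (RFC 4512 / SMI)

# RFC 4512 numericoid: dotted arcs, each a decimal number without leading zeros
_ARC = r"(0|[1-9][0-9]*)"
NUMERICOID_RE = re.compile(rf"^{_ARC}(\.{_ARC})+$")
# RFC 4512 descr (schema short name): letter first, then letters, digits, hyphens
DESCR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# DirectoryString syntax OID, used for the sample attribute below
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"


def is_numericoid(oid: str) -> bool:
    """True if oid is a well-formed RFC 4512 numericoid (e.g. '1.3.6.1.4.1.99999.1')."""
    return bool(NUMERICOID_RE.match(oid))


def enterprise_oid(pen: int, *arcs: int) -> str:
    """Build 1.3.6.1.4.1.<pen>.<arcs...>; refuses non-positive PENs and negative arcs."""
    if pen <= 0 or any(a < 0 for a in arcs):
        raise ValueError("PEN must be positive and arcs non-negative")
    return ".".join([PEN_ROOT, str(pen), *map(str, arcs)])


def _check_qdstring(desc: str) -> str:
    # Keep DESC simple: a quote inside a qdstring needs \27 escaping, so reject it here
    if "'" in desc or "\\" in desc:
        raise ValueError("DESC must not contain quotes or backslashes")
    return desc


def attribute_type(oid: str, name: str, desc: str, syntax: str, single_value: bool = True) -> str:
    """Return an RFC 4512 AttributeTypeDescription, validating each token first."""
    if not is_numericoid(oid):
        raise ValueError(f"bad attribute OID: {oid!r}")
    if not DESCR_RE.match(name):
        raise ValueError(f"bad attribute NAME: {name!r}")
    if not is_numericoid(syntax):
        raise ValueError(f"bad SYNTAX OID: {syntax!r}")
    parts = [f"( {oid}", f"NAME '{name}'", f"DESC '{_check_qdstring(desc)}'", f"SYNTAX {syntax}"]
    if single_value:
        parts.append("SINGLE-VALUE")
    parts.append(")")
    return " ".join(parts)


def object_class(oid: str, name: str, desc: str, may: list, sup: str = "top", kind: str = "AUXILIARY") -> str:
    """Return an RFC 4512 ObjectClassDescription with a MAY list."""
    if not is_numericoid(oid):
        raise ValueError(f"bad objectClass OID: {oid!r}")
    if not DESCR_RE.match(name) or not DESCR_RE.match(sup):
        raise ValueError("bad objectClass NAME or SUP")
    if kind not in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
        raise ValueError(f"bad kind: {kind!r}")
    if not may or any(not DESCR_RE.match(m) for m in may):
        raise ValueError("MAY list must be non-empty and contain valid descrs")
    return (f"( {oid} NAME '{name}' DESC '{_check_qdstring(desc)}' "
            f"SUP {sup} {kind} MAY ( {' $ '.join(may)} ) )")


def schema_ldif(attr_def: str, oc_def: str) -> str:
    """Wrap the two definitions in the modify LDIF that ldapmodify expects for cn=schema."""
    return "\n".join([
        "dn: cn=schema",
        "changetype: modify",
        "add: attributeTypes",
        f"attributeTypes: {attr_def}",
        "-",
        "add: objectClasses",
        f"objectClasses: {oc_def}",
        "",
    ])


if __name__ == "__main__":
    pen = 99999  # placeholder PEN
    attr = attribute_type(enterprise_oid(pen, 1, 1), "exampleBadgeId", "Badge identifier", DIRECTORY_STRING)
    oc = object_class(enterprise_oid(pen, 2, 1), "examplePerson", "Example auxiliary class", ["exampleBadgeId"])
    print(schema_ldif(attr, oc))
```

Run it and feed the printed LDIF to `ldapmodify -f` against the server; a definition that fails `is_numericoid` or `DESCR_RE` here is one that 389-ds will also reject with error 21, so the checks remove the most common causes before touching the live schema.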

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote: > Il 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users ha scritto: > > Great! I'm glad you got to the bottom of it. Just curious - were > > there / are there multiple authority entries in LDAP underneath > > ou=authorities,ou=ca,o=

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
lejeczek via FreeIPA-users writes: > On 08/01/18 08:46, Florence Blanc-Renaud wrote: >> On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote: >>> >>> $ ipa-client-install --no-ntp --force-join >>> Discovery was successful! >>> ... >>> Also note that following ports are necessary for >>> ipa-

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-10 Thread Robbie Harwood via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Dependency failed for > GSSAPI Proxy Daemon. > -- Subject: Unit gssproxy.service has failed > -- Defined-By: systemd > -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel > -- > -- Uni

[Freeipa-users] Re: Promote new CA master after failure?

2018-01-10 Thread Robbie Harwood via FreeIPA-users
Jonathan Kelley via FreeIPA-users writes: > I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my > primary. I found this guide "Promote CA to Renewal and CRL Master Procedure > in FreeIPA 4.0 or later >

[Freeipa-users] Promote new CA master after failure?

2018-01-10 Thread Jonathan Kelley via FreeIPA-users
I've got ipa-server 4.5.0. This is a topology with 2 servers and I lost my primary. I found this guide "Promote CA to Renewal and CRL Master Procedure in FreeIPA 4.0 or later". Server 1 failed in my case. On server 2, I set

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-10 Thread Alex Corcoles via FreeIPA-users
Yeah, think so, filed: https://bugzilla.redhat.com/show_bug.cgi?id=1533228 On Wed, Jan 10, 2018 at 8:07 PM, Martin Basti via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > You should open a bug about this, IPA should not fail if zone where > replica belongs is a forward zone. > >

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-10 Thread Martin Basti via FreeIPA-users
You should open a bug about this; IPA should not fail if the zone where the replica belongs is a forward zone. Probably the easiest solution might be to update FreeIPA's code before installing. /usr/lib/python??/site-packages/ipaserver/install/bindinstance.py:add_rr and replace the lines shown in the diff: ---

[Freeipa-users] Re: Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)

2018-01-10 Thread Alex Corcoles via FreeIPA-users
Wait, so I retried the replica installation on LXC, without CA and DNS and it worked, no gssproxy issues. However, I retried with CA and DNS and it failed: # journalctl -xe Jan 10 18:47:02 ctipa.h2.int.pdp7.net systemd[1]: Starting GSSAPI Proxy Daemon... -- Subject: Unit gssproxy.service has begu

[Freeipa-users] Re: Replacing externally signed CA long before expiry

2018-01-10 Thread Steve Dainard via FreeIPA-users
Hi Flo, Is there anything I can do to help troubleshoot this issue? Or is there a bugzilla issue I can watch? Thanks, Steve On Wed, Dec 20, 2017 at 8:32 PM, Steve Dainard wrote: > > > On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud > wrote: > >> On 12/19/2017 06:59 PM, Steve Dainard v

[Freeipa-users] Re: The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records

2018-01-10 Thread Alex Corcoles via FreeIPA-users
OK, just reproduced the error: [root@ipa2 ~]# ipa-replica-install -v -w $pw -n ipa.pdp7.net -P alex --mkhomedir --setup-ca --setup-dns --auto-forwarders [...] ipa : DEBUG [2/8]: setting up our own record [2/8]: setting up our own record ipa.ipaserver.plugins.dns.dnsrecord_add: DEBUG

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-10 Thread lejeczek via FreeIPA-users
On 10/01/18 15:48, Florence Blanc-Renaud wrote: On 01/10/2018 12:29 PM, lejeczek via FreeIPA-users wrote: On 09/01/18 17:24, Charles Hedrick wrote: I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and 2 the existing ones. I'm on Centos,

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-10 Thread lejeczek via FreeIPA-users
Hi, another, different error this time. # replica: ..   [28/40]: adding sasl mappings to the directory   [29/40]: updating schema ipa : CRITICAL Failed to load schema-update.ldif: Command '/usr/bin/ldapmodify -v -f /usr/share/ipa/schema-update.ldif -H ldapi://%2Fvar%2Frun%2Fslapd-PRIVA

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 10 Jan 2018, lejeczek wrote: On 10/01/18 15:14, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 13:53, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 12:29 PM, lejeczek via FreeIPA-users wrote: On 09/01/18 17:24, Charles Hedrick wrote: I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and 2 the existing ones. I'm on Centos, there is something very wrong with freeipa / depende

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread lejeczek via FreeIPA-users
On 10/01/18 15:14, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 13:53, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 10 Jan 2018, le

[Freeipa-users] Re: New replica (4.5) issues

2018-01-10 Thread john.bowman--- via FreeIPA-users
I tried a fresh install with the same result. The new replica install process completes successfully but it does not register as a master. When I look at the replication status via ipa-replica-manage it shows this: # ipa-replica-manage list -v ipa8.domain.tld Directory Manager password: ipa1.

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-10 Thread lejeczek via FreeIPA-users
On 08/01/18 22:46, Robbie Harwood wrote: lejeczek via FreeIPA-users writes: $ ipa-client-install --no-ntp --force-join krb5kdc[1560686](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed But after many tries(randomly) suddenly it would succeed. Do the clocks mat

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 13:53, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: Hi, would you k

[Freeipa-users] Re: files permission from apache's perspective

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 02:42 PM, lejeczek via FreeIPA-users wrote: Hi, I see in httpd/error_log entries about access, like: Wed Jan 10 13:32:30.726295 2018] [:error] [pid 606202] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.private.xx.xx.x: host_find/1(None, version=u'2.228'): SUCCESS [Wed Jan 10 1

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Giulio Casella via FreeIPA-users
On 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users wrote: Great! I'm glad you got to the bottom of it. Just curious - were there / are there multiple authority entries in LDAP underneath ou=authorities,ou=ca,o=ipaca? No, there weren't (now, after solving the initial problem, I set up a re

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread lejeczek via FreeIPA-users
On 10/01/18 13:53, Alexander Bokovoy wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: Hi, would you know if the below is normal from ipa * commands, before kini

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Fraser Tweedale via FreeIPA-users
On Wed, Jan 10, 2018 at 01:45:04PM +0100, Giulio Casella wrote: > On 10/01/2018 11:01, Giulio Casella via FreeIPA-users wrote: > > On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote: > > > Fraser, some more info: > > > > > > In /var/log/pki/pki-tomcat/localhost_access_log.2018-0

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: Hi, would you know if the below is normal from ipa * commands, before kinit is done?: ipa: ERROR: Major (851968): Unspec

[Freeipa-users] files permission from apache's perspective

2018-01-10 Thread lejeczek via FreeIPA-users
Hi, I see in httpd/error_log entries about access, like: Wed Jan 10 13:32:30.726295 2018] [:error] [pid 606202] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.private.xx.xx.x: host_find/1(None, version=u'2.228'): SUCCESS [Wed Jan 10 13:32:37.798793 2018] [:warn] [pid 624924] [client 10.5.6.1

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread lejeczek via FreeIPA-users
On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: Hi, would you know if the below is normal from ipa * commands, before kinit is done?: ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more informat

[Freeipa-users] Re: AD trust and SAMBA

2018-01-10 Thread Николай Савельев via FreeIPA-users
When I connected to samba shares from Windows AD users I had errors in the samba logs: FAILED with error NT_STATUS_NO_LOGON_SERVERS. I found out why. I have a separate DNS server, not in IPA. These records weren't there: kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 88 freeipa _kerber
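The post only names one of the SRV records an AD domain controller looks up under `_msdcs` when it locates a trust peer, so as an added example (not code from the thread or from FreeIPA) here is a small checker that parses a BIND-style zone fragment standing in for the poster's external DNS server and reports which of those records are absent. Only the `_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs` record and its port come from the post; the other entries in `REQUIRED` are assumed from the same `_msdcs` layout, and the authoritative list for a given deployment is the one `ipa-adtrust-install` prints. The zone text, the domain `ipa.example.test` and the target `freeipa` are constructed.

```python
"""
Added example, not from the thread: find SRV records missing from a zone that an
AD trust peer expects. The zone fragment below is constructed sample input.
"""
from collections import namedtuple

SRV = namedtuple("SRV", "owner priority weight port target")

SITE = "Default-First-Site-Name"
# Record names relative to the IPA domain, with the port each should carry.
# Only the first entry is taken from the post; the rest are assumed (see lead-in).
REQUIRED = {
    f"_kerberos._tcp.{SITE}._sites.dc._msdcs": 88,
    f"_ldap._tcp.{SITE}._sites.dc._msdcs": 389,
    "_kerberos._tcp.dc._msdcs": 88,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_ldap._tcp": 389,
}

# Constructed zone fragment: the _ldap site-specific record is deliberately absent.
SAMPLE_ZONE = """
$ORIGIN ipa.example.test.
; AD trust SRV records, as they would appear on the external DNS server
_kerberos._tcp                                           IN SRV 0 100 88  freeipa
_ldap._tcp                                               IN SRV 0 100 389 freeipa
_kerberos._tcp.dc._msdcs                                 IN SRV 0 100 88  freeipa
_ldap._tcp.dc._msdcs                                     IN SRV 0 100 389 freeipa
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs  IN SRV 0 100 88  freeipa
"""


def parse_srv(zone_text: str) -> list:
    """Extract SRV records from zone text; tolerates optional TTL/class and ';' comments."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        # Expect: owner [ttl] [class] SRV priority weight port target
        if i < 1 or len(fields) != i + 5:
            continue
        try:
            prio, weight, port = (int(x) for x in fields[i + 1:i + 4])
        except ValueError:
            continue
        records.append(SRV(fields[0], prio, weight, port, fields[i + 4].rstrip(".")))
    return records


def _relative(owner: str, domain: str) -> str:
    """Normalise an owner name to its form relative to the zone apex."""
    owner = owner.rstrip(".")
    suffix = "." + domain
    return owner[: -len(suffix)] if owner.endswith(suffix) else owner


def missing_trust_records(records: list, domain: str) -> list:
    """Names from REQUIRED that have no SRV record with the expected port."""
    present = {(_relative(r.owner, domain), r.port) for r in records}
    return sorted(name for name, port in REQUIRED.items() if (name, port) not in present)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_ZONE)
    for name in missing_trust_records(recs, "ipa.example.test"):
        print(f"missing: {name}.ipa.example.test (expected SRV with port {REQUIRED[name]})")
```

Point `parse_srv` at the output of a zone transfer or at the zone file on the external DNS server; a non-empty result from `missing_trust_records` is exactly the set of records the Windows side cannot resolve.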

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Giulio Casella via FreeIPA-users
On 10/01/2018 11:01, Giulio Casella via FreeIPA-users wrote: On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote: Fraser, some more info: In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found: 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/r

[Freeipa-users] Re: ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote: Hi, would you know if the below is normal from ipa * commands, before kinit is done?: ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed I reme

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-10 Thread lejeczek via FreeIPA-users
On 09/01/18 17:24, Charles Hedrick wrote: I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and 2 the existing ones. I'm on Centos, there is something very wrong with freeipa / dependencies in 7.4. I've had four replicas/servers from 7.1 tim

[Freeipa-users] ipa: ERROR: Major (851968): Unspecified GSS failure. - before kinit

2018-01-10 Thread lejeczek via FreeIPA-users
Hi, would you know if the below is normal from ipa * commands, before kinit is done?: ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed I remember before, tools would silently execute if a ticket wa

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Giulio Casella via FreeIPA-users
On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote: Fraser, some more info: In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found: 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218 172.21.251.8 - ipara [08/Jan/2018

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Giulio Casella via FreeIPA-users
Fraser, some more info: In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found: 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 10:06 AM, Harald Dunkel via FreeIPA-users wrote: On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote: Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates). I

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Wed, Jan 10, 2018 at 09:22:05AM +, Marin BERNARD wrote: > Hi, > > The client systems are the FreeIPA servers! Both are running on up-to-date CentOS 7.4 with sssd 1.15.2. > > There is https://pagure.io/SSSD/sssd/issue/3431 which is fixed upstream in > > 1.15.

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Marin BERNARD via FreeIPA-users
> Hi, > > The client systems are the FreeIPA servers! Both are running on up-to-date CentOS 7.4 with sssd 1.15.2. > There is https://pagure.io/SSSD/sssd/issue/3431 which is fixed upstream in > 1.15.3 which might prevent the automatic enabling of enterprise principals > on the cl

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Sumit Bose via FreeIPA-users
On Tue, Jan 09, 2018 at 05:16:03PM +, Marin BERNARD via FreeIPA-users wrote: > Hi, > > > > The client systems are the FreeIPA servers! Both are running on up-to-date > CentOS 7.4 with sssd 1.15.2. There is https://pagure.io/SSSD/sssd/issue/3431 which is fixed upstream in 1.15.3 which might

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2018-01-10 Thread Harald Dunkel via FreeIPA-users
On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote: Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates). If it is not the case, please check first if there were AVC iss

[Freeipa-users] Re: sudo fails as the Kerberos realm from an alternate UPN suffix

2018-01-10 Thread Marin BERNARD via FreeIPA-users
> Hi, > > We're using FreeIPA 4.5.0 on CentOS 7.4. > > We've set up a two-way trust between our 2 FreeIPA servers and our AD > domain (forest and domain levels both on 2012 R2). So far, everything works > as expected, and we're able to perform SSO to both FreeIPA instances with > AD accoun

[Freeipa-users] Re: Expired certificate problem

2018-01-10 Thread Giulio Casella via FreeIPA-users
On 09/01/2018 22:40, Jochen Hein via FreeIPA-users wrote: Have a look again: Host idc01 delivers 500 - internal error. Host idc02 has no apache running ("connection refused"). Correct, but I'm ignoring idc01 right now (more deeply corrupted), focusing on idc01. Next goal is to reinstall