[Freeipa-users] certmonger .service fail to start

2018-01-29 Thread barrykfl--- via FreeIPA-users
Auto reboot fail, I just try manual bootup certmonger.service still fail
sudo systemctl -f start certmonger.service
Jan 30 11:03:01 dbus[537]: [system] Activating systemd to h
Jan 30 11:03:01 dbus-daemon[537]: dbus[537]: [system] Activ
Jan 30 11:03:13 systemd-logind[2922]: Failed to enable

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 03:55:07PM +0100, Christof Schulze via FreeIPA-users wrote:
> Hi,
>
> some certificates on our freeipa-cluster (3 servers) have not been
> renewed till now, 2 hours before expiring. Can this be a problem?
>
> Some of the certificates, the ones expiring show

[Freeipa-users] Re: Home directory not being created in log in

2018-01-29 Thread Kristian Petersen via FreeIPA-users
I think it is trying to write a lock file related to the X session to my home directory, but it can't because the location doesn't exist. Interestingly enough, I tried creating the directory manually and I get "permission denied" even if running as root. Could this be a problem related to IPA

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-01-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, Jan 29, 2018 at 01:34:37PM +, Mike Kelly via FreeIPA-users wrote:
> Hi,
>
> I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right
> way to generate per-user certificates? (Looking to generate certs for
> Android and Chrome OS, so I don't have an easy way to build a

[Freeipa-users] Re: Home directory not being created in log in

2018-01-29 Thread Jeff Goddard via FreeIPA-users
My servers are centos but here is the script we run.

CENTOS
authconfig --enableldap \
  --enableldapauth \
  --ldapserver=servername.internal.com \
  --ldapbasedn="cn=users,cn=accounts,dc=internal,dc=com" \
  --enablemkhomedir \
  --update

On Mon, Jan 29, 2018 at 4:51 PM, Kristian Petersen

[Freeipa-users] Re: Home directory not being created in log in

2018-01-29 Thread Kristian Petersen via FreeIPA-users
Oddjobd is installed and is enabled and running at least. Where would you configure it that I could check?

oddjobd.service - privileged operations for unprivileged applications
   Loaded: loaded (/usr/lib/systemd/system/oddjobd.service; enabled; vendor preset: disabled)
   Active: active (running)

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 tammi 2018, Alexandre Cardoso wrote:
> Hi Alexander,
> The final decision will be re-install everything “IPA” and do it again now using same realm. In both sites so after the installation of first IPA server the second one will be just run the ida-server-replica right?

yes, just follow

[Freeipa-users] Re: FreeIPA 4.6.1 cannot bind on 636 but can connect on port.

2018-01-29 Thread Natxo Asenjo via FreeIPA-users
hi, could you try using ldapsearch with the -d 10 switch? That should give you plenty of debugging info.
--
Regards, natxo

[Freeipa-users] Re: Home directory not being created in log in

2018-01-29 Thread Jeff Goddard via FreeIPA-users
Sounds like oddjobd isn't installed/configured.

On Mon, Jan 29, 2018 at 3:23 PM, Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I am trying to set up a workstation running RHEL 7 with Gnome graphical
> environment. I have enrolled this machine as a client

[Freeipa-users] Home directory not being created in log in

2018-01-29 Thread Kristian Petersen via FreeIPA-users
I am trying to set up a workstation running RHEL 7 with Gnome graphical environment. I have enrolled this machine as a client in IPA using the --mkhomedir flag, however, the home directory is not being created when I log in. Because the home directory doesn't get created at log in GDM kicks me

[Freeipa-users] Re: FreeIPA 4.6.1 cannot bind on 636 but can connect on port.

2018-01-29 Thread Matt . via FreeIPA-users
No-one a clue about this ?

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexandre Cardoso via FreeIPA-users
Hi Alexander,
The final decision will be re-install everything “IPA” and do it again now using same realm. In both sites so after the installation of first IPA server the second one will be just run the ida-server-replica right?
Thanks
Alex
> On 29 Jan 2018, at 12:31, Alexander Bokovoy

[Freeipa-users] Certificates not renewed till 2 hours before expiring

2018-01-29 Thread Christof Schulze via FreeIPA-users
Hi, some certificates on our freeipa-cluster (3 servers) have not been renewed till now, 2 hours before expiring. Can this be a problem? Some of the certificates, the ones expiring show "ca-error: Invalid cookie: '' in the "getcert list" output, what makes me nervous. We also have the

[Freeipa-users] FreeIPA PKI with OpenVPN

2018-01-29 Thread Mike Kelly via FreeIPA-users
Hi, I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right way to generate per-user certificates? (Looking to generate certs for Android and Chrome OS, so I don't have an easy way to build a CSR on those devices directly that I can find; I assume I want to just generate the

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 tammi 2018, Alexandre Cardoso wrote:
> Hi, We have 2 major projects with several servers each project until now we only have one IPA server and want to implement a second one in other site for the other project and want to implement it also as a failover to the other IPA server site.

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexandre Cardoso via FreeIPA-users
Hi, We have 2 major projects with several servers each project until now we only have one IPA server and want to implement a second one in other site for the other project and want to implement it also as a failover to the other IPA server site. So if I can have 2 domains and if possible to

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 tammi 2018, Alexandre Cardoso wrote:
> Hummm. That is bad… for me…
> Is there a way I can change the already in place Realm without affecting existing users/hosts so I can adapt to multi site/domain?

I don't think so. If you have different realms, you are dealing with two different

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexandre Cardoso via FreeIPA-users
Hummm. That is bad… for me…
Is there a way I can change the already in place Realm without affecting existing users/hosts so I can adapt to multi site/domain?
Thanks
Alex
> On 29 Jan 2018, at 10:45, Alexander Bokovoy wrote:
>
> On ma, 29 tammi 2018, Alexandre Cardoso

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 tammi 2018, Alexandre Cardoso wrote:
> Thanks Alexander,
> And if I have different realms this can work?

IPA only supports a single Kerberos realm.
--
/ Alexander Bokovoy

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexandre Cardoso via FreeIPA-users
Thanks Alexander,
And if I have different realms this can work?
Thanks
Alex
> On 29 Jan 2018, at 10:33, Alexander Bokovoy wrote:
>
> On ma, 29 tammi 2018, Alexandre Cardoso via FreeIPA-users wrote:
>> Hi Guys,
>>
>> Is there any configuration where I can set up 2 or 3

[Freeipa-users] Re: Multi-site, multi-domain

2018-01-29 Thread Alexander Bokovoy via FreeIPA-users
On ma, 29 tammi 2018, Alexandre Cardoso via FreeIPA-users wrote:
> Hi Guys,
> Is there any configuration where I can set up 2 or 3 master replication in multi site and each of those master have different domain such as ipa.example-site1.com, ida.example2-site2.com?

Just use them. As long as there

[Freeipa-users] Multi-site, multi-domain

2018-01-29 Thread Alexandre Cardoso via FreeIPA-users
Hi Guys,
Is there any configuration where I can set up 2 or 3 master replication in multi site and each of those master have different domain such as ipa.example-site1.com, ida.example2-site2.com? Is this possible using the ida-server-replication?
Thanks in advance
Alex