[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-06-25 Thread Thomas Letherby via FreeIPA-users
Hello, I think this is everything (domain name changed to protect the guilty!): https://pastebin.com/bF1KR7VJ I pulled the same on the replica, which appears to be playing up too in a similar fashion. I did just notice the date on the replica is out, I never set it back when I was trying to get

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread hedrick--- via FreeIPA-users
If you do some searches, you can find some perl scripts that will do things like compare two LDIF files to see what changed. > On Jun 25, 2018, at 2:19:16 PM, Alfredo De Luca via FreeIPA-users > wrote: > > ok thanks. but can I have a different IP address but same hostname? this is > to check

[Freeipa-users] Re: Backup DNS Zones

2018-06-25 Thread hedrick--- via FreeIPA-users
actually ipa-backup isn’t such a bad approach. It produces ipa-data.tar, If you look in the tar file you’ll find DOMAIN-userRoot.ldif. This is the whole database as an LDIF file. If you’ll spend a few minutes looking at the format, it’s actually pretty easy to pull out individual entries or gro
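An added example (not code from the thread or from FreeIPA) of what the two replies above describe: parsing the DOMAIN-userRoot.ldif that ipa-backup writes, pulling out one DNS zone's entries, and comparing two dumps to see what changed. It assumes only the LDIF format itself (RFC 2849); the sample entries are constructed to resemble FreeIPA DNS records, and the names in OPERATIONAL are 389-ds operational attributes that change on every write.

```python
"""Parse the LDIF that ipa-backup stores (DOMAIN-userRoot.ldif inside ipa-data.tar), pull out
a subtree and diff two dumps. Added example, not FreeIPA code; sample entries are constructed."""
import base64
import re

# 389-ds operational attributes rewritten on every change; ignored when diffing.
OPERATIONAL = {"modifytimestamp", "modifiersname", "createtimestamp",
               "creatorsname", "entryusn", "nsuniqueid"}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles RFC 2849 folding, comments and base64."""
    entries, dn, current = {}, "", {}
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:  # unfold; "" flushes
        if not line:
            if dn:
                entries[dn] = current
            dn, current = "", {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                 # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith(" "):
            value = value[1:]
        name = name.lower()                       # attribute types are case-insensitive
        if name == "dn":
            if dn:                                # next entry without a blank line
                entries[dn], current = current, {}
            dn = value
        else:
            current.setdefault(name, []).append(value)
    return entries

def subtree(entries, base_dn):
    """Entries at or below base_dn, e.g. one DNS zone and all of its records."""
    base = base_dn.lower()
    return {dn: e for dn, e in entries.items()
            if dn.lower() == base or dn.lower().endswith("," + base)}

def diff_entries(old, new, ignore=OPERATIONAL):
    """DNs added/removed between two dumps plus {dn: {attr: (before, after)}}."""
    changed = {}
    for dn in old.keys() & new.keys():
        o, n = old[dn], new[dn]
        delta = {}
        for attr in (o.keys() | n.keys()) - ignore:
            before, after = sorted(o.get(attr, [])), sorted(n.get(attr, []))
            if before != after:                   # multi-valued: compare order-insensitively
                delta[attr] = (before, after)
        if delta:
            changed[dn] = delta
    return {"added": [dn for dn in new if dn not in old],
            "removed": [dn for dn in old if dn not in new], "changed": changed}

def to_ldif(entries):
    """Serialise back to LDIF, e.g. to hand deleted records to ldapadd."""
    def attr_line(attr, value):
        unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
                  or any(ord(c) > 127 or c in "\x00\r\n" for c in value))
        if unsafe:                                # RFC 2849: not a SAFE-STRING
            return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
        return f"{attr}: {value}"
    blocks = []
    for dn, entry in entries.items():
        lines = [attr_line("dn", dn)] + [attr_line(a, v) for a, vs in entry.items() for v in vs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"

# Constructed sample: a zone and two records, then the same zone after www changed, db was deleted, mail was added.
OLD_LDIF = """dn: idnsname=example.test.,cn=dns,dc=example,dc=test
description: zone for lab hosts, re
 stored from ipa-backup
modifyTimestamp: 20180625090000Z

dn: idnsname=www,idnsname=example.test.,cn=dns,dc=example,dc=test
aRecord: 192.0.2.10

dn: idnsname=db,idnsname=example.test.,cn=dns,dc=example,dc=test
aRecord: 192.0.2.20
description:: ZmF0LWZpbmdlciBtZQ==
"""
NEW_LDIF = """dn: idnsname=example.test.,cn=dns,dc=example,dc=test
description: zone for lab hosts, restored from ipa-backup
modifyTimestamp: 20180625120000Z

dn: idnsname=www,idnsname=example.test.,cn=dns,dc=example,dc=test
aRecord: 192.0.2.11

dn: idnsname=mail,idnsname=example.test.,cn=dns,dc=example,dc=test
aRecord: 192.0.2.30
"""

if __name__ == "__main__":
    old, new = parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)
    print(diff_entries(old, new))
    print(to_ldif({dn: e for dn, e in old.items() if dn not in new}), end="")  # ldapadd input
```

The zone's changed modifyTimestamp is filtered out by OPERATIONAL, so the report shows only the www change, the deleted db record and the new mail record; to_ldif() of the removed entries is what you would hand to ldapadd to put them back. One caveat on handling these files: the userRoot LDIF inside ipa-data.tar holds the whole directory, password hashes and Kerberos key material included, so copies extracted for diffing deserve the same file permissions and retention limits as the backup itself.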

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread hedrick--- via FreeIPA-users
Yes. If you put a mapping between the new IP address and hostname in /etc/hosts, lookups will use that in preference to the usual one. If you also put the hostname in /etc/hostname and reboot, together those things should make the system believe it has the hostname of your actual server. > On

[Freeipa-users] Re: Backup DNS Zones

2018-06-25 Thread John Petrini via FreeIPA-users
Hi Rob, Exactly. I just need a quick way to restore in case someone fat fingers a change. I was curious if there was a baked in way to do this using FreeIPA but it sounds like there isn't. Thanks for the other suggestions. It looks like a zone transfer will probably be the simplest way to get a b

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Alfredo De Luca via FreeIPA-users
ok thanks. but can I have a different IP address but same hostname? this is to check if everything works /Alfredo On Mon, 25 Jun 2018, 18:24 , wrote: > Yes. Edit /etc/hosts and add your IP address and hostname. Edit > /etc/hostname to put your hostname. > > That works for me. > > You should pro

[Freeipa-users] Re: certmonger upgrade failure

2018-06-25 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi Rob, > > On 6/25/18 4:53 PM, Rob Crittenden via FreeIPA-users wrote: >> >> We'd need to see what certs are being tracked, getcert list. >> > > This gets stuck, too: > > [root@ipa1 ~]# getcert list > Error org.freedesktop.DBus.Error.TimedOut > > I foun

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread hedrick--- via FreeIPA-users
Yes. Edit /etc/hosts and add your IP address and hostname. Edit /etc/hostname to put your hostname. That works for me. You should probably make sure that you have iptables on the production systems to reject connections from the ip address of your copy. Otherwise you run the danger of having a

[Freeipa-users] Re: certmonger upgrade failure

2018-06-25 Thread Harald Dunkel via FreeIPA-users
Hi Rob, On 6/25/18 4:53 PM, Rob Crittenden via FreeIPA-users wrote: > > We'd need to see what certs are being tracked, getcert list. > This gets stuck, too: [root@ipa1 ~]# getcert list Error org.freedesktop.DBus.Error.TimedOut I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but t

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Alfredo De Luca via FreeIPA-users
Hi Hedrick. Just a quick one. If I want to restore a full backup IPA in a different host (just for test purpose) can I change the IP address but have the same hostname/FQDN? Alfredo On Sat, Jun 23, 2018 at 5:54 PM wrote: > There is actually documentation supporting my view: > https://www.free

[Freeipa-users] Re: Backup DNS Zones

2018-06-25 Thread Rob Crittenden via FreeIPA-users
John Petrini via FreeIPA-users wrote: > Anyone have any suggestions on this? So you are worried that people are going to accidentally delete things? There is no tool to back up and restore individual entries. You'd need to roll something yourself. Some possible ideas: - setup a plain bind slave

[Freeipa-users] Re: certmonger upgrade failure

2018-06-25 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > I managed to get rid of the corrupted entry and to create a new > user account. But there are still problems. The upgrade from Centos > 7.4 to 7.5 got stuck for 5 to 10 minutes. > > : >   Installing : libxkbcommon-0.7.1-1.el7.x86_64  

[Freeipa-users] Re: Backup DNS Zones

2018-06-25 Thread John Petrini via FreeIPA-users
Anyone have any suggestions on this? John Petrini Platforms Engineer 215.297.4400 x 232 www.coredial.com 751 Arbor Way, Hillcrest I, Suite 150 Blue Bell, PA 19422

[Freeipa-users] Re: CIFS insufficient access error when "enterprise admin" AD account is used to establish 1-way trust

2018-06-25 Thread Alexander Bokovoy via FreeIPA-users
On ma, 25 kesä 2018, Chris Dagdigian via FreeIPA-users wrote: Dealing with outsourced IT organization that manages an AD domain we are trying to build an additional trust with so we can upgrade and replace our fleet of IDM servers. We got a webex work session going with a domain admin to build

[Freeipa-users] CIFS insufficient access error when "enterprise admin" AD account is used to establish 1-way trust

2018-06-25 Thread Chris Dagdigian via FreeIPA-users
Dealing with outsourced IT organization that manages an AD domain we are trying to build an additional trust with so we can upgrade and replace our fleet of IDM servers. We got a webex work session going with a domain admin to build the trust but we keep seeing this on the CLI and WebUI: ipa:

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-25 Thread Jokinen Eemeli via FreeIPA-users
Hi! The node 1 is the Renewal Master -- ldapsearch -D cn=directory\ manager -W -LLL -b cn=masters,cn=ipa,cn=etc,BASEDN '(&(cn=CA)(ipaConfigString=caRenewalMaster))' dn Enter LDAP Password: dn: cn=CA,cn=<>,cn=masters,cn=ipa,cn=etc,BASEDN -- Eemeli -Original Message- From: Florence Blanc

[Freeipa-users] Re: rotate host keytabs

2018-06-25 Thread Charles Hedrick via FreeIPA-users
sure. We’re not actually doing this. > On Jun 22, 2018, at 11:38 AM, Robbie Harwood wrote: > > Charles Hedrick writes: > >> I can see only one possible advantage. If someone becomes root and >> steals your keytab, regular rotation will limit how long the >> compromise lasts. Of course that ass

[Freeipa-users] Re: rotate host keytabs

2018-06-25 Thread Charles Hedrick via FreeIPA-users
I can see only one possible advantage. If someone becomes root and steals your keytab, regular rotation will limit how long the compromise lasts. Of course that assumes that you fix the problem that allowed them to become root in the first place. You could add the new credential, keeping old an

[Freeipa-users] Re: NFSv4 question

2018-06-25 Thread Charles Hedrick via FreeIPA-users
Right. the documentation is often not clear. Most Linux client software will try several principals. One of them is host/hostname. So you don’t need nfs/hostname. Since nfs/hostname is one of the principals it tries, some documentation says to use that principal. > On Jun 19, 2018, at 3:24 AM,

[Freeipa-users] Re: 2FA integration: FreeIPA and Mac OS

2018-06-25 Thread Charles Hedrick via FreeIPA-users
You can get an MIT Kerberos implementation from Macports. I use that myself. However I don’t use it for login, so I haven’t tried the pam support on the Mac. The Macports implementation supports both 2FA and the https proxy. We restrict access to our kerberos servers, so people at home have to u

[Freeipa-users] Re: freeIPA backup

2018-06-25 Thread Charles Hedrick via FreeIPA-users
Our IPA servers are VMs. We do backups of snapshots, either through VMware or when the image is on a Netapp, through a Netapp snapshot. That guarantees that you have all the pieces in a consistent state. I’ve never had to restore a production server, but I have started copies of one of the backu

[Freeipa-users] Re: auth to other providers still using freeipa

2018-06-25 Thread Charles Hedrick via FreeIPA-users
It depends upon what you want to do. If you want a user to authenticate for all purposes using some external service, you can do that, as long as the external service supports radius. You may have to set up a radius server and configure it to use the external authentication. You can have more tha

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/25/2018 07:48 AM, Jokinen Eemeli via FreeIPA-users wrote: Hi! gssproxy up and running -- systemctl status gssproxy ● gssproxy.service - GSSAPI Proxy Daemon Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled) Active: active (running) since