[Freeipa-users] Re: IPA-Error 903: InternalError on Certificate page

2021-01-11 Thread Nico Maas via FreeIPA-users
Thank you Rob for your help. I see no expired certificates: getcert list | grep expires expires: 2022-04-17 16:46:12 CEST expires: unknown expires: unknown expires: unknown expires: unknown expires: 2022-04-06 16:44:19 CEST expires:

[Freeipa-users] Re: Samba on IdM member failure

2021-01-11 Thread Alan Latteri via FreeIPA-users
Logged as https://pagure.io/freeipa/issue/8636 > On Dec 23, 2020, at 11:01 PM, Alexander Bokovoy wrote: > > On Wed, 23 Dec 2020, Alan Latteri via FreeIPA-users wrote: >> Hello. >> >> I have set up a test FreeIPA server and client, CentOS 8.3, very >>

[Freeipa-users] Greenfield FreeIPA deployment - is it OK to put FreeIPA at the domain apex, or a "best practice" to put it in a subdomain?

2021-01-11 Thread Braden McGrath via FreeIPA-users
Hello FreeIPA-users. The Subject line is the core of my question here; I'll provide a bit more detail below. I work for what is (effectively) a startup, non-profit internet provider. I have an extensive Windows background, and "know enough to be dangerous" with Linux & BSD (have been tinkering

[Freeipa-users] Re: web-interface from Master-Server not available, DNSSEC-Service down

2021-01-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Jan 2021, Kay Jeschonneck via FreeIPA-users wrote: Yes, this is it. Thanks, the UI works now. But I have another problem with the dnssec-service. I get this message: Jan 10 10:56:27 hn-dlp /usr/libexec/ipa/ipa-ods-exporter[10276]: new replica keys in LDAP: {'0xbb…',

[Freeipa-users] Re: web-interface from Master-Server not available, DNSSEC-Service down

2021-01-11 Thread Kay Jeschonneck via FreeIPA-users
Yes, this is it. Thanks, the UI works now. But I have another problem with the dnssec-service. I get this message: Jan 10 10:56:27 hn-dlp /usr/libexec/ipa/ipa-ods-exporter[10276]: new replica keys in LDAP: {'0xbb…', '0x8c…'} Jan 10 10:56:27 hn-dlp ipa-ods-exporter[10276]: Traceback

[Freeipa-users] Re: ipa healthcheck issue

2021-01-11 Thread Rob Crittenden via FreeIPA-users
Patterson, David via FreeIPA-users wrote: > Hello, > >   > > Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported > for RHEL 7. > >   > > Ipa healthcheck output > > [ > >   { > >     "source": "ipahealthcheck.ipa.certs", > >     "kw": { > >       "msg":

[Freeipa-users] ipa healthcheck issue

2021-01-11 Thread Patterson, David via FreeIPA-users
Hello, Running RHEL 7.9, ipa 4.6.8-5 and freeipa-healthcheck 0.3-2 backported for RHEL 7. Ipa healthcheck output [ { "source": "ipahealthcheck.ipa.certs", "kw": { "msg": "Unable to retrieve cert 'host/idm2.X.Y' from '/etc/pki/nssdb': Failed to get host/idm2.X.Y",

[Freeipa-users] Re: web-interface from Master-Server not available, DNSSEC-Service down

2021-01-11 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 11 Jan 2021, Kay Jeschonneck via FreeIPA-users wrote: Issue I can't use the web-interface from the master-server. I can open the website but I see only a white page. On the replica-server I can use the web-interface without a problem. Also I get an error from ipa-ods-exporter about

[Freeipa-users] web-interface from Master-Server not available, DNSSEC-Service down

2021-01-11 Thread Kay Jeschonneck via FreeIPA-users
Issue I can't use the web-interface from the master-server. I can open the website but I see only a white page. On the replica-server I can use the web-interface without a problem. Also I get an error from ipa-ods-exporter about "Public key with same ID already exists", this problem start

[Freeipa-users] Re: Sudo Default Environment

2021-01-11 Thread Rob Crittenden via FreeIPA-users
Mark Potter via FreeIPA-users wrote: > I am trying to create a default sudo environment that is applied to all > users in addition to anything from other groups. This would include > things like "secure_path" and a few env lines. However I cannot seem to > get this to work. I understand that the

[Freeipa-users] Re: Sudo Default Environment

2021-01-11 Thread Mark Potter via FreeIPA-users
I am also seeing "secure_path" having no effect: LDAP Role: dug_it RunAsUsers: ALL RunAsGroups: ALL Options: !authenticate, !requiretty, always_set_home, env_reset, !visiblepw, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR

[Freeipa-users] Sudo Default Environment

2021-01-11 Thread Mark Potter via FreeIPA-users
I am trying to create a default sudo environment that is applied to all users in addition to anything from other groups. This would include things like "secure_path" and a few env lines. However I cannot seem to get this to work. I understand that the highest number in "Sudo order" is processed

[Freeipa-users] Re: Slow Logins on all clients

2021-01-11 Thread Mark Potter via FreeIPA-users
After a lot of reading, adding "ignore_group_members = True" to sssd.conf vastly dropped the login time. From a completely blank cache taking > 25 seconds to login to ~1 second to login. On Wed, Jan 6, 2021 at 1:59 PM Mark Potter wrote: > We are experiencing slow logins on all client

[Freeipa-users] Re: expired lets encrypt certificates - how to fix/reinstall

2021-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/21 11:31 PM, Sinh Lam via FreeIPA-users wrote: So I have this problem where the certificates have expired. I created a new one but however when trying to apply the new certs using ipa-server-certinstall, http works but when trying to get it to apply to ldap it fails with a "peer's