[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-11-30 Thread Andrew Radygin via FreeIPA-users
> On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote: > Hi, > > the ca certs need to be added from the root to the one that issued the > server cert: > 1/ ipa-cacert-manage install root.crt + ipa-certupdate > 2/ ipa-cacert-manage install inter1.crt + ipa-certu

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-11-29 Thread Andrew Radygin via FreeIPA-users
I see, mechanism is clear for me. I took my CA chain from https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2 And my chain is following: main cert Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-11-30 Thread Andrew Radygin via FreeIPA-users
> On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote: > > Hi, > > no need to start over with a different nickname if the certificates are > already in LDAP. "ipa-cacert-manage install" adds them in the LDAP > server below cn=certificates,cn=ipa,c

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-12-01 Thread Andrew Radygin via FreeIPA-users
Does anybody have any clue about what I have to do with it? Florence? Should I delete self-sign SSL from ipa-server CA completely? As I understood - there is some conflict between new CA and old, am I right? 2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users < freeipa-us

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-12-01 Thread Andrew Radygin via FreeIPA-users
er install comodo_inter2.crt ipa-server-certinstall -w comodo_base.crt comodo.key comodo_ca.crt systemctl restart httpd Thank you, really-really thank you! :) 2017-12-01 11:40 GMT+03:00 Florence Blanc-Renaud <f...@redhat.com>: > On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote: >

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Andrew Radygin via FreeIPA-users
Anyone? Of course this kind R question, but anyway I need to know. 2017-12-06 17:15 GMT+03:00 Andrew Radygin via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hello everybody, > > I want to know, is there possibility to change default ldap scheme, where > user and

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Andrew Radygin via FreeIPA-users
Harald, Maybe in the ldap certificate container you already have the same certificate you're trying to install, but it has another key or untrusted? Then try to delete it via ldapdelete and certutil -d and then try again install new one. 2017-12-07 17:20 GMT+03:00 Harald Dunkel via FreeIPA-users

[Freeipa-users] Re: Change default ldap scheme

2017-12-07 Thread Andrew Radygin via FreeIPA-users
I see, thanks for the information. 2017-12-07 16:52 GMT+03:00 Alexander Bokovoy <aboko...@redhat.com>: > On to, 07 joulu 2017, Rob Crittenden via FreeIPA-users wrote: > >> Andrew Radygin via FreeIPA-users wrote: >> >>> Anyone? >>> Of course this

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-10 Thread Andrew Radygin via FreeIPA-users
Is sssd caching of privileges working? I mean, suppose if there is no reply from IPA-server, it should use local cache for existing users. 2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hello the list, > > > > We’ve got a number (hundreds)

[Freeipa-users] Re: One way trust between 2 different freeipa servers

2017-12-10 Thread Andrew Radygin via FreeIPA-users
It's really interesting question, I'd like to know it too. 2017-12-11 5:38 GMT+03:00 Anvar Kuchkartaev via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hello I would like to setup one way trust between 2 different freeipa > structures which belongs to different companies. The

[Freeipa-users] sudo auth doesn't work on some hosts

2017-12-11 Thread Andrew Radygin via FreeIPA-users
Hello! I've got an interesting problem, I have very simple hbac and sudo rules, one hbac for admins group and the same sudo rule for the same user group - all members of this group could do anything and everywhere. I cannot do sudo on some of machines, it just doesn't accept the password, but

[Freeipa-users] Re: sudo auth doesn't work on some hosts

2017-12-11 Thread Andrew Radygin via FreeIPA-users
Ahhh, never mind. It seems that wrong time on that system broke sudo. Can anybody explain this? 2017-12-11 15:50 GMT+03:00 Andrew Radygin : > Hello! > > I've got interesting problem, > I have very simple hbac and sudo rules, one hbac for admins group and the > same sudo rule

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Andrew Radygin via FreeIPA-users
So are you telling, your ds-389 isn't responding to simple ldapsearch for instance, even if there is no huge amount of logins to hosts? Just from refreshing cache on host clients? But if you don't have sssd (that does kernel-caching of privileges), therefore all your clients every time doing

[Freeipa-users] Change default ldap scheme

2017-12-06 Thread Andrew Radygin via FreeIPA-users
Hello everybody, I want to know, is there possibility to change default ldap scheme, where user and groups are storing. For instance, I have: cn=USER, cn=groups, cn=accounts, dc=domain,dc=net cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net It seems to be too straightforward. Can I

[Freeipa-users] ipa-client-install error on Cloudlinux

2017-12-25 Thread Andrew Radygin via FreeIPA-users
Hello! I'm trying to install ipa-client on Cloudlinux 7.4, and got following error: [root@web01-cp ipaplatform]# ipa-client-install Traceback (most recent call last): File "/usr/sbin/ipa-client-install", line 22, in from ipaclient.install import ipa_client_install File

[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-05 Thread Andrew Radygin via FreeIPA-users
This error isn't familiar to me, but I'd at least try to compile 4.5 for excluding versioning issues. And maybe you can find some hint from ansible role for manual freeipa client installing from Lee Wiscovitch in "debian 8 freeipa-client" thread. 2018-01-05 23:42 GMT+03:00 Cody Rathgeber via

[Freeipa-users] Re: Here we go again, configuring Proxmox/Debian Stretch 9.3 as a FreeIPA client

2018-01-18 Thread Andrew Radygin via FreeIPA-users
Hi Alex! I've set up on Debian 8 ipa-client recently. And here are my notes on this process, maybe it would be helpful. 1. Enable sid repo 2. Install freeipa-client and python-sss packages 3. Update python-six to 1.10+ 4. Restart dbus service 5. ipa-client-install command In the end - I've got

[Freeipa-users] Re: any one have issue at centos7 ?

2018-01-26 Thread Andrew Radygin via FreeIPA-users
Hello, You should provide more information - logs, errors, commands that you execute. More information - more chance you'll get help here. 2018-01-26 10:50 GMT+03:00 barrykfl--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hi : > > when reboot the server the certomenger.service

[Freeipa-users] Re: something happened - unable to join new clients

2018-02-02 Thread Andrew Radygin via FreeIPA-users
I think you should launch tcpdump on all specified ports and simultaneously run ipa-client enroll. 2018-02-02 14:36 GMT+03:00 skrawczenko--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Checked TCP 80,443,389,88, 636,464 all open except tcp/7389 which is not > used i suppose. >

[Freeipa-users] Re: something happened - unable to join new clients

2018-02-02 Thread Andrew Radygin via FreeIPA-users
Maybe firewall on client host? I would look to allowed ports and traffic exchange. 2018-02-02 14:09 GMT+03:00 skrawczenko--- via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > Hundreds of clients have been joined earlier, never such an issue. > What could have happened please advise? >

[Freeipa-users] Re: How to recover from "split brain"

2018-01-31 Thread Andrew Radygin via FreeIPA-users
Though you can completely rebuild preprod servers, still it would be interesting how to reconnect prod servers with replicas again. 2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > ok, did a little googling, and seems like KRA refers to the "vault"

[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Andrew Radygin via FreeIPA-users
Wow! It's a really important question. I'm joining with it. It's good to be able to know what is happening with IPA-infra. Especially - ssh/sudo working (in general at least, without being concerned about HBAC+Policy groups). 2018-01-31 22:04 GMT+03:00 Alex Corcoles via FreeIPA-users <

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
Sorry, missed words, I meant - such setup of freeipa without DNS completely. 2018-02-13 17:25 GMT+03:00 Andrew Radygin : > I'm running FreeIPA 4.5 server with several hundred hosts and dozens of > users. And it's perfectly fine, especially if you already have another >

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I'm running FreeIPA 4.5 server with several hundred hosts and dozens of users. And it's perfectly fine, especially if you already have another instrument for dns managing. I haven't experienced any problems from such setup so far. 2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I have another software in that role. Here it is - https://www.ispsystem.com/software/dnsmanager It's frontend for managing zones and pdns+mysql as backend. So when I'm configuring new hosts, these servers play as authoritative dns. No special configuring for freeipa server, only ipa-server-install

[Freeipa-users] Re: ipa-client-install error on Cloudlinux

2017-12-26 Thread Andrew Radygin via FreeIPA-users
Support of Cloudlinux replied - there is different minor version of ipa-client package from Centos 7 main upstream, and it has bug. Promise to update package in their repo during the nearest week.

[Freeipa-users] debian 8 freeipa-client

2017-12-21 Thread Andrew Radygin via FreeIPA-users
Hello! I have freeipa server 4.5 on Centos 7. And want to enroll host on Debian 8 to domain. I've found freeipa-client 4.4 in the sid repo, installing of it was almost successful... apt-get cannot complete configuring for certmonger, and I've got following error: == # journalctl -u

[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Andrew Radygin via FreeIPA-users
: > - common-account > - common-auth > - common-password > - common-session > > - name: ssh - add sshd_config > copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root > mode=0644 > notify: ssh_restart > > - name: sudo - add sudoers-custom

[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Andrew Radygin via FreeIPA-users
aal...@ubuntu.com>: > On 04.01.2018 12:48, Andrew Radygin via FreeIPA-users wrote: > > Flo, > > I've checked certmonger dbus config - it's okay and identical to another > > one working. > > But after restart dbus - certmonger configured and installed successful. > &