[Freeipa-users] Re: Server died

2017-08-01 Thread Bret Wortman via FreeIPA-users
Stupid return key. I solved this and was trying to delete the email. Sorry for the spam. On 08/01/2017 10:28 AM, Bret Wortman via FreeIPA-users wrote: I've got a server with multiple replication agreements that just went toes up. The tail end of the startup output says: Aug 01 14:21:22

[Freeipa-users] Server died

2017-08-01 Thread Bret Wortman via FreeIPA-users
I've got a server with multiple replication agreements that just went toes up. The tail end of the startup output says: Aug 01 14:21:22 zsipa systemd[1]: dirsrv@DG-NET.service: main process exited, code=exited, status=1/FAILURE Aug 01 14:21:22 zsipa systemd[1]: Aug 01 14:21:22 zsipa

[Freeipa-users] Re: Ongoing CA access issues

2017-05-31 Thread Bret Wortman via FreeIPA-users
mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success) Is there a way to replace our certs and get moving again? My queue of signing requests is building up. I'm not opposed to "nuclear" options. Bret On 05/30/2017 11:31 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA

[Freeipa-users] Replication error

2017-06-05 Thread Bret Wortman via FreeIPA-users
I've also just realized that replication appears to have ceased; I have entries in some IPA servers but not all. [root@zsipa ~]# ipa-replica-manage list Directory Manager password: zsipa.damascusgrp.com: master zsipa2.damascusgrp.com: master zsipa3.damascusgrp.com: master [root@zsipa ~]#

[Freeipa-users] Guide to enabling CA?

2017-12-06 Thread Bret Wortman via FreeIPA-users
Is there an online guide to turning on a CA? We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without

[Freeipa-users] Re: New server, can't set passwords

2018-05-07 Thread Bret Wortman via FreeIPA-users
...@damascusgrp.com   UID: 10042   GID: 100   Account disabled: False Number of entries returned 1 # On 05/04/2018 10:48 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've just finished setting up a new IPA server, planning to use

[Freeipa-users] New server, can't set passwords

2018-05-04 Thread Bret Wortman via FreeIPA-users
I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost I'm able to l

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
Hrozek , wrote: > > > > On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users > > wrote: > > > > I just realized that I never closed the loop on this problem and just > > finished upgrading all my systems to use our new IPA servers. And this > > proble

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-04 Thread Bret Wortman via FreeIPA-users
(he had been authenticated by the old servers when he first got in). I stopped sssd, rm -rf'd the cache db files, and then restarted it and voila, he was able to authenticate with the new servers. Thanks, all! On 06/03/2018 03:30 PM, Bret Wortman via FreeIPA-users wrote: I don’t t

[Freeipa-users] Can't log in through greeter or console after switch to new IPA servers

2018-06-02 Thread Bret Wortman via FreeIPA-users
I've just transitioned my baseline from one set of servers to another, and I'm noticing that some systems will allow me to log in directly from the greeter on workstations while others don't (including my own workstation!). These methods all work on my workstation: * ssh @localhost with

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
e you made was gone. You don't happen to still have that laying around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret W

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to cre

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are getting a keytab for yourself (say

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
FreeIPA-users wrote: On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are getting a keytab fo

[Freeipa-users] Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various approaches using ktutil and kadmin but haven't had any

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
I found your post, but the paste you made was gone. You don't happen to still have that laying around, do you? On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Okay. I may have done this under Fedora before, then. I'll go back and search the archives. Thanks, Alexander! On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On Tue, 26 Jun 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various approaches using

[Freeipa-users] Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been truncated: Configured administrative server limit exceeded." I've tried fixing this in a number of ways. We've shut down the

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
Looking at it now. On 02/13/2018 01:09 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been truncated: Confi

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
I did figure out that I can use # ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com to list out all the entries, but the format isn't what I'm expecting. What I'm actually trying to do is move our whole infrastructure from one set of

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Thanks. Is it possible to list the DNS entries using ldapsearch? I've been using: # ipa dnsrecord-find --all On 02/13/2018 02:13 PM, Natxo Asenjo via FreeIPA-users wrote: On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org <mailto:f

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
original post -- "searchlimit" should read, "sizelimit". Bret On 02/13/2018 01:09 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did figure out that I can use # ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com to list out all the entries

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Also, this doesn't solve the fact that the Web UI always produces an error dialog whenever accessing our primary zone. On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote: On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo > wrote:

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret Wortman wrote: On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Changing the subject worked. Thanks! Bret Wortman http://wrapbuddies.co/ On Feb 20, 2018, 7:19 PM -0500, Fraser Tweedale <ftwee...@redhat.com>, wrote: > On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users > wrote: > > I'll give that a try. > > > I

[Freeipa-users] Re: How to replace a failed CA?

2018-02-22 Thread Bret Wortman via FreeIPA-users
ssh versus console & GDM and moving forward with a completely new installation while trying to retain as much data as possible. Thanks for your help on this, guys. Bret On 02/21/2018 03:47 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: If this is the correct se

[Freeipa-users] SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. 1. Built new box, which joined the existing IPA infrastructure as a client. 2. # ipa-client-install -U --uninstall 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders 4. Inserted

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/19/2018 07:55 AM, Florence Blanc-Renaud wrote: On 02/19/2018 12:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
I'll give that a try. On 02/20/2018 12:38 PM, Jochen Hein wrote: Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes: Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. ... 3. # ipa-server-install --setup-dns

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users

[Freeipa-users] Re: How to replace a failed CA?

2018-02-21 Thread Bret Wortman via FreeIPA-users
If this is the correct search, then no. It's gone. # ldapsearch -D 'cn=directory manager' -b 'o=ipaca' -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base

[Freeipa-users] Re: Logon by ssh but not console?

2018-02-22 Thread Bret Wortman via FreeIPA-users
Wortman wrote: My only hbac rule is "allow_all", and it's enabled. I hadn't gotten around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system t

[Freeipa-users] Re: error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
Crittenden , wrote: > Bret Wortman via FreeIPA-users wrote: > > I've got a system (probably more than one) where I've got clients who > > aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". > > > > I've tried unenrolling &

[Freeipa-users] error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". I've tried unenrolling & re-enrolling. I've tried unenrolling, uninstalling, reinstalling ipa-client, and re-enrolling. I've tried unenrolling,

[Freeipa-users] Re: error 15 in memberof.so

2018-07-19 Thread Bret Wortman via FreeIPA-users
. On 07/19/2018 11:33 AM, Lukas Slebodnik via FreeIPA-users wrote: On (18/07/18 13:39), Bret Wortman via FreeIPA-users wrote: I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". I've tried unenro

[Freeipa-users] admin's credentials revoked?

2018-03-01 Thread Bret Wortman via FreeIPA-users
# kinit admin kint: Client's credentials have been revoked while getting initial credentials Then while looking at /var/log/httpd/error_log: [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server is unwilling to perform: Too many failed logins. What the? How can my admin

[Freeipa-users] Re: Create a replica

2018-03-02 Thread Bret Wortman via FreeIPA-users
On 03/02/2018 04:15 AM, Florence Blanc-Renaud wrote: On 01/03/2018 18:11, Bret Wortman via FreeIPA-users wrote: I've got a one system setup now and would like to create a replica and ensure survivability as much as possible. Will this do the trick? Obviously the first is run on the current

[Freeipa-users] Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-install --enable-dns-updates --mkhomedir IPA client is already configured on this system. If you want to reinstall the IPA client,

[Freeipa-users] Re: Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
directory. Thanks, Rob! On 06/22/2018 09:05 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-install --enable-d

[Freeipa-users] Fwd: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
I was out two days last week and one of my coworkers thought we were having a password problem on our admin account. This morning, my users were claiming an inability to log in, so I cycled our main IPA server, but named won't start. 2018-10-15T10:43:14.blah named-pkcs11[26250]: LDAP error:

[Freeipa-users] Re: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
Never mind. NTP wasn't working properly so the time had drifted too far. Easy fix. *Bret Wortman* Founder, Damascus Products, LLC 855-644-2783 | b...@wrapbuddies.co http://wrapbuddies.co/ 10332 Main St Suite 319 Fairfax, VA 22030

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Not surprisingly, that did the trick. Thanks, Rob. On 10/10/2018 09:57 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers could be reached # ipa dnsrecord-find my.net sys001 --all

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Also: # ldapsearch -D "cn=Directory Manager" -W -b "dc=my.net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" nsds5ReplConflict Enter LDAP Password: # extended LDIF # # LDAPv3 # base I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers

[Freeipa-users] Re: How to replace a failed CA?

2018-09-26 Thread Bret Wortman via FreeIPA-users
We built brand new servers, took xml dumps from the existing ones, wrote custom scripts to load that into the new ones, and spent a weekend cutting over. So yes, but no. We now have a functioning CA but it wasn't exactly replaced; we had to build a new set of replicas around it. On

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
I'm seeing this in /var/log/messages periodically: systemd: Starting IPA key daemon... ipa-dnskeysyncd: ipa  : INFO LDAP bind... ipa-dnskeysyncd: ipa  : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} ipa-dnskeysyncd: Traceback (most recent call last):

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
Other symptoms: # kinit admin : # ipa help user ipa: ERROR: No valid Negotiate header in server response This is now happening on our primary IPA server. On 12/07/2018 07:42 AM, Bret Wortman via FreeIPA-users wrote: I'm seeing this in /var/log/messages periodically: systemd: Starting IPA

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named

[Freeipa-users] Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named-pkcs11): bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5 20150623 (Red Hat 4.8.5-16) LDAP error: Invalid credentials:

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
AM, Bret Wortman via FreeIPA-users wrote: I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var

[Freeipa-users] Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
Looks like I've somehow managed to get my 3 IPA servers out of sync: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa host-find solr14.my.net --- 0 hosts matched --- Number of

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > > Looks lik

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like I've somehow managed to get my 3 IPA servers out of sync: > > > > [root@ipa3 ~]# ipa-replica-manage list > >

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 9:07 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Oops. I spoke too soon. The one I thought I fixed is now just scrolling > > "No status yet" over and over... > > > You can break ou

[Freeipa-users] Replication issues, 3 servers not talking

2019-03-26 Thread Bret Wortman via FreeIPA-users
I've got 3 IPA servers, with replication agreements between the 3 as follows: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
-users wrote: > > On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > > I broke out of it, but the two are still out of sync. Is there a way to > > > get past that? > > > > > >

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > I broke out of it, but the two are still out of sync. Is there a way to > > get past that? > > > > > > photo > > *Bret Wortm

[Freeipa-users] Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
> We have some ESXi boxes that need CA-signed certs and we're trying to figure > out how to properly construct a CSR so that our IPA CA will process it. > > I'm having them create the cert using these commands: > > # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i >

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
Thanks, Rob. I’ll give it another try in the morning and let you know how it goes. And yes, -8. Keyboard error. On 25 Feb 2019, at 15:56, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: We have some ESXi boxes that need CA-signed certs and we're trying to figure out how

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 25 2019, at 3:56 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > > We have some ESXi boxes that need CA-signed certs and we're trying to > > > figure out how to properly constr

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:18 am, Bret Wortman via FreeIPA-users wrote: > failed to set perms (3140) on file (/var/run/ipa/ccaches/br...@my.net)!, > referrer: https:/zsipa3.my.net/ipa/ui/

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:22 am, Bret Wortman via FreeIPA-users wrote: > It looks like we've done everything in your guide. I've sent the requestor > the docs at > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_pol

[Freeipa-users] How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
I know I can paste a CSR from one of our servers into the GUI and generate a new cert, but how can I do this from a command line? I've been working with this: # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr But that's giving me an error that the principal doesn't exist. Then

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 11:31 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I know I can paste a CSR from o

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 1:47 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Thanks, Rob. I'm a lot closer now. > > > > What I'm getting now looks like: >

[Freeipa-users] Auditing screensavers

2020-05-21 Thread Bret Wortman via FreeIPA-users
I have a need to set up an audit rule that will track whenever a user's screensaver is unlocked via password. I've tried setting a watch on pam_sss.so but that gets a lot more than what I strictly need and that also, strangely, had a tendency to audit when the screensaver was activated but not

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > So you've run ipa-replica-prepare and then ship that file to > right? Exactly. > At some point we started re-generating the CA certs file > (/root/cacert.p12) during preparation. Did we do this in F21? I have no > idea. > > Can you use

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
re. https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178 -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 14, 2021, at 6:24 AM, Bret Wortman via FreeIPA-users wrote: > On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > > So you've run ipa-replica-prepare and

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
I cleaned up the contents of our ldap manually, re-created the replica file, and got a lot further than we have before but ipa-replica-install still failed as below: Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
You were absolutely correct, the flag worked, and the config-show did not show a CRL server at all. I'll dig into the ca logs next. -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:07 AM, Rob Crittenden wrote: > Bret Wortman wrote: > > I cleaned up the contents of

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
...@damascusgrp.com On Wed, Jun 9, 2021, at 4:59 AM, Bret Wortman via FreeIPA-users wrote: > My misunderstanding, sorry. This is from the existing CA since that's > where I thought the problem would be. Okay, going back and looking at > the debug log on the new server to see if it's more

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I was tailing several logs in /var/log/pki/pki-tomcat/ca/ (debug, system, > > and transactions) and though the replica installation failed again at the > > same point, this is what I got from the logs throug

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-10 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 9, 2021, at 2:32 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like we're missing an LDAP connection port? > > > > [09/Jun/2021:10:02:54][localhost-startStop-1]: LdapBoundConnFactory: init > > Property internaldb.ldapconn.port

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 9:54 AM, Bret Wortman via FreeIPA-users wrote: > On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote: > > On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > > > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden w

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > > Bret Wortman via FreeIPA-users wrote: > > > This appears to be the error, or at least it's the only "fatal" I could > > > fi

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-17 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote: > On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > > > Bret Wortman via FreeIPA-users wrote: > > > >

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-18 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 17, 2021, at 2:07 PM, Rob Crittenden wrote: > I think it will involve editing code on the C7 server. > > /usr/lib/python2.7/site-packages/ipaserver/install/replication.py > > REPLICA_CREATION_SETTINGS and REPLICA_FINAL_SETTINGS. > > Remove the nsds5ReplicaReleaseTimeout from both

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-22 Thread Bret Wortman via FreeIPA-users
That worked, and I've got a CLEANALLRUV task running for the remaining RUV between the two. -- Bret Wortman bret.wort...@damascusgrp.com On Tue, Jun 22, 2021, at 1:37 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I'm now trying to detach ipa2c7 from ipa1, t

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-22 Thread Bret Wortman via FreeIPA-users
~]# -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 21, 2021, at 12:16 PM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > > > Bret W

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > > Awesome, glad to hear it. When you complete the migration don't forget > > to move over the DNA settings, CRL generation and other stuff. > >

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > >> On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > >>> Awesome, glad to hear it. W

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Fri, Jun 18, 2021, at 1:32 PM, Rob Crittenden wrote: > Awesome, glad to hear it. When you complete the migration don't forget > to move over the DNA settings, CRL generation and other stuff. Is this documented somewhere? I'd hate to miss a step. Bret

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
Now, this morning, I've hit the wall on this yet again. [root@ipa2c7 ~]# ipa-replica-manage list ipa2c7.our.net: master [root@ipa2c7 ~]# ipa-replica-manage list-ruv Directory Manager password: unable to decode: {replica 13} 60b907570001000d 60b907570001000d unable to decode: {replica
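The "unable to decode: {replica 13} ..." lines above are RUV elements that ipa-replica-manage cannot map back to a hostname, and the earlier messages in this thread resolve that kind of leftover with CLEANALLRUV. The script below is an added example, not code from the thread or from FreeIPA itself: it parses constructed "ipa-replica-manage list" and "list-ruv" output (the hostnames, replica IDs and CSNs are invented, and the "Replica Update Vectors:" section header plus the "host:port: rid" line shape are assumed to match what the tool prints), cross-checks every RUV element against the masters that still exist, and prints the clean-ruv commands for the remaining IDs. The own_rid parameter is an assumption too: pass the local server's nsDS5ReplicaId so its own element is never flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample output, shaped like the "ipa-replica-manage list" and
# "list-ruv" lines quoted in the thread. Hostnames, replica IDs and CSNs are
# invented for this example.
SAMPLE_LIST = """\
ipa2c7.our.net: master
ipa1.our.net: master
"""

SAMPLE_LIST_RUV = """\
Replica Update Vectors:
\tipa2c7.our.net:389: 4
\tipa1.our.net:389: 5
\tipa3.our.net:389: 9
unable to decode: {replica 13} 60b907570001000d 60b907570001000d
"""

# Assumed line shapes: "<host>:<port>: <rid>" for decodable elements and
# "unable to decode: {replica <rid>} <csn> <csn>" for the rest.
RUV_LINE = re.compile(r"^\s*(?P<host>[^\s:]+):(?P<port>\d+):\s*(?P<rid>\d+)\s*$")
UNDECODABLE = re.compile(r"^\s*unable to decode:\s*\{replica (?P<rid>\d+)\}")
SECTION = re.compile(r"^(?P<name>.*Replica Update Vectors):\s*$")


@dataclass(frozen=True)
class RuvEntry:
    rid: int
    host: Optional[str]   # None when the tool printed "unable to decode"
    section: str          # which suffix's RUV list the element came from


def parse_masters(text: str) -> Set[str]:
    """Hostnames reported as 'master' by 'ipa-replica-manage list'."""
    masters: Set[str] = set()
    for line in text.splitlines():
        host, sep, role = line.partition(":")
        if sep and role.strip() == "master":
            masters.add(host.strip())
    return masters


def parse_ruvs(text: str) -> List[RuvEntry]:
    """RUV elements from 'ipa-replica-manage list-ruv', undecodable ones included."""
    entries: List[RuvEntry] = []
    section = "Replica Update Vectors"
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = RUV_LINE.match(line)
        if m:
            entries.append(RuvEntry(int(m.group("rid")), m.group("host"), section))
            continue
        m = UNDECODABLE.match(line)
        if m:
            entries.append(RuvEntry(int(m.group("rid")), None, section))
    return entries


def find_stale(masters: Set[str], ruvs: List[RuvEntry],
               own_rid: Optional[int] = None) -> List[RuvEntry]:
    """RUV elements that no current master accounts for.

    own_rid (assumed input) is this server's nsDS5ReplicaId; an element with
    that id is the local replica and is never stale, decodable or not.
    """
    known_rids = {e.rid for e in ruvs if e.host in masters}
    stale: List[RuvEntry] = []
    for e in ruvs:
        if e.host in masters:
            continue
        if e.rid == own_rid or e.rid in known_rids:
            continue
        stale.append(e)
    return stale


def suggest_commands(stale: List[RuvEntry]) -> List[str]:
    """One 'clean-ruv' invocation per stale replica id, deduplicated and ordered."""
    rids = sorted({e.rid for e in stale})
    return [f"ipa-replica-manage clean-ruv {rid}" for rid in rids]


if __name__ == "__main__":
    masters = parse_masters(SAMPLE_LIST)
    stale = find_stale(masters, parse_ruvs(SAMPLE_LIST_RUV), own_rid=4)
    for e in stale:
        print(f"stale: rid={e.rid} host={e.host or '<undecodable>'} ({e.section})")
    for cmd in suggest_commands(stale):
        print(cmd)
```

Treat the printed commands as a checklist, not a script to pipe into a shell: CLEANALLRUV against the replica ID of a server that is still alive breaks replication with it, so confirm each flagged ID against the nsDS5ReplicaId of every server you still intend to keep before running clean-ruv.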

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 23, 2021, at 5:27 AM, Bret Wortman via FreeIPA-users wrote: > Now, this morning, I've hit the wall on this yet again. > > [root@ipa2c7 ~]# ipa-replica-manage list > ipa2c7.our.net: master > [root@ipa2c7 ~]# ipa-replica-manage list-ruv > Directory Manager pass

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-23 Thread Bret Wortman via FreeIPA-users
-- Bret Wortman bret.wort...@damascusgrp.com On Wed, Jun 23, 2021, at 6:27 AM, Bret Wortman via FreeIPA-users wrote: > On Wed, Jun 23, 2021, at 5:27 AM, Bret Wortman via FreeIPA-users wrote: > > Now, this morning, I've hit the wall on this yet again. > > > > [root@i

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-21 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 21, 2021, at 11:02 AM, Bret Wortman via FreeIPA-users wrote: > On Mon, Jun 21, 2021, at 10:55 AM, Rob Crittenden wrote: > > Bret Wortman via FreeIPA-users wrote: > > > On Mon, Jun 21, 2021, at 9:03 AM, Bret Wortman via FreeIPA-users wrote: > > >> On Fri,

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-15 Thread Bret Wortman via FreeIPA-users
On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > This appears to be the error, or at least it's the only "fatal" I could > > find in the stream and it's near enough to the end of traffic that it seems > > likely

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-08 Thread Bret Wortman via FreeIPA-users
A, but it seems to be trying to hang on to its job security... ;-) -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:13 AM, Bret Wortman via FreeIPA-users wrote: > You were absolutely correct, the flag worked, and the config-show did > not show a CRL server at all.

[Freeipa-users] How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-03 Thread Bret Wortman via FreeIPA-users
I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far: 1. run "ipa-replica-prepare" on the original main server, ipa1. 2. Copied the resulting file to ipa1c7. 3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg

[Freeipa-users] Re: named won't start

2021-06-03 Thread Bret Wortman via FreeIPA-users
In one of those weird things I can only blame on gremlins, time seems to have been the answer. I recently ran "ipactl start" again and it worked. -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 1:19 PM, Bret Wortman via FreeIPA-users wrote: > It's an a

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
the host and its DNS entries and then see what crud is left behind in LDAP? -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 3:18 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I'm trying to update our IPA servers to newer OSes and IPA

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
I tried using ipa-backup but it keeps aborting claiming there's not enough space on the target device but nothing even comes close to 100% usage. Is there another way to export to LDIF? -- Bret Wortman bret.wort...@damascusgrp.com On Fri, Jun 4, 2021, at 9:01 AM, Rob Crittenden wrote: >
