[Freeipa-users] Re: Freeipa and Google Cloud Directory Sync (GCDS) password sync failing

2017-07-21 Thread David Harvey via FreeIPA-users
FWIW this was entirely down to a problem in the GCDS tool (or my use of it). Although GCDS bundles its own JRE and keystore, it had defaulted to using the system JRE and keystore. Adding "-Djavax.net.ssl.trustStore=/opt/GoogleCloudDirSync/jre/lib/security/cacerts" to config-manager.vmoptions (in

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-20 Thread David Harvey via FreeIPA-users
doh. Yes, I did mean 17.04. /facepalm On Tue, Jun 20, 2017 at 9:40 AM, Timo Aaltonen <tjaal...@ubuntu.com> wrote: > On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote: > > Hope this helps to save some of you some time digging. And I know, > > freeipa-server on a no

[Freeipa-users] Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-15 Thread David Harvey via FreeIPA-users
Hope this helps to save some of you some time digging. And I know, freeipa-server on a non LTS release is daft.. apt-get install freeipa-server-trust-ad #This has been mentioned elsewhere, and it should either be a dependency OR its absence should not break things as it currently does sudo mkdir

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Note. The GSSAPI attempts from the Mac side are only attempted when a binddn (security -> "use authentication when connecting") account is provided. Otherwise I suspect it's unable to even work out what type of GSSAPI transaction to attempt.. On 19 September 2017 at 15:19, David Harvey

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-20 Thread David Harvey via FreeIPA-users
, ssh (to linux machines), DNS updates, and > directory services. I'm confident the issue lies with MacOS. > > I'm running MacOS 10.12.6 and IPA 4.5. > > I'll keep digging, just wanted to let you know you've been heard. > > > - Jason > > > > > > On

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Some edits and expansion on my previous attempt to post... Free IPA 4.4.3 Mac OSX 10.12 Thanks for all the hard work on this, I've been enjoying an almost functional setup for the last week but have been tearing my hair out with making GSSAPI behave. What I have found so far using the config

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-22 Thread David Harvey via FreeIPA-users
g up a replica. I was under the impression > > that all running servers had to be of the same version, am I > > mistaken with that? > > I had avoided what you were suggesting as I feared the new > > server might update the schema o

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
Ok, thanks for the clarification. Hopefully can still mitigate by changing platform or waiting for a better supported Ubuntu release! On 1 Dec 2017 18:40, "Rob Crittenden" <rcrit...@redhat.com> wrote: > David Harvey via FreeIPA-users wrote: > > Well that sounds

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-14 Thread David Harvey via FreeIPA-users
On 13 December 2017 at 23:29, Timo Aaltonen via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote: > > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote: > >> Not sure why tomcat is more resilie

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-17 Thread David Harvey via FreeIPA-users
what you were suggesting as I feared the new server might > update the schema on the existing ones! > > Thanks again, appreciate the steering! > > > On 15 Nov 2017 14:34, "Rob Crittenden" <rcrit...@redhat.com> wrote: > > David Harvey via FreeIPA-users wr

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-21 Thread David Harvey via FreeIPA-users
re suggesting as I feared the new server might >> update the schema on the existing ones! >> >> Thanks again, appreciate the steering! >> >> >> On 15 Nov 2017 14:34, "Rob Crittenden" <rcrit...@redhat.com> wrote: >> >> David Harvey

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-15 Thread David Harvey via FreeIPA-users
Sorry for the dump size, but not sure if the below from /var/log/pki/pki-tomcat/localhost.date.log helps: 15-Nov-2017 12:14:50.557 SEVERE [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log StandardWrapper.Throwable java.lang.NullPointerException at

[Freeipa-users] upgrade to ubuntu 17.10 fails

2017-11-15 Thread David Harvey via FreeIPA-users
Hi wisdom of the list, I know I am an edge case with running on ubuntu, but hoped someone might be able to shed some light. A bit of background. I'm trying to test upgrades without potentially hosing my existing services, so I have cloned the VM, given it a new IP address, updated hosts file

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
o make it more of a pleasure to install ;) Cheers, David On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote: > > Not sure why tomcat is more resilient when launched as

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
e nss-pem is unlikely to be packaged on Debian/-derivs, it looks to me > like until FreeIPA 4.5+ is packaged (where the conversion to OpenSSL has > been completed), it is still not safe to run a CA on Ubuntu. > > > On 01/12/17 23:27, David Harvey via FreeIPA-users wrote: > > hi P

[Freeipa-users] Re: Accessing IPA host data from an enrolled workstation

2018-05-14 Thread David Harvey via FreeIPA-users
). The fields I'm interested in (descriptions, platform, OS, Class) are thankfully available (at least using the host principal). Kind regards, David On 14 May 2018 at 14:14, Alexander Bokovoy <aboko...@redhat.com> wrote: > On ti, 27 maalis 2018, David Harvey via FreeIPA-users wrote: >

[Freeipa-users] Re: Accessing IPA host data from an enrolled workstation

2018-05-14 Thread David Harvey via FreeIPA-users
Hi again, Just a little nudge to see if anyone has attempted any of the prior mentioned, or if they may have ideas on how this is best achieved.. Kind regards, David On 27 March 2018 at 16:22, David Harvey wrote: > Dear list, > > I'm currently tinkering with

[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-08 Thread David Harvey via FreeIPA-users
Gentle bump (whilst I remember to nudge this). TL;DR Does anyone know the likely implications of error messages such as: "Setting property 'enableOCSP' to 'false' did not find a matching property." (then repeated for several other properties) On 4 January 2018 at 14:52, David Harvey

[Freeipa-users] Re: Host certificates association across IPA servers

2018-02-01 Thread David Harvey via FreeIPA-users
generation failed: Supplied plugin directory path is not a directory > > I'll aim to reinitialise the problem box based on this. Without wanting to > make excuses for my ineptitude, are there any plans to increase visibility > for replication issues to surface them more obviously? > > Than

[Freeipa-users] Re: Host certificates association across IPA servers

2018-02-01 Thread David Harvey via FreeIPA-users
preciated. David On 31 January 2018 at 21:48, Rob Crittenden <rcrit...@redhat.com> wrote: > David Harvey via FreeIPA-users wrote: > > Dear ipa-users, > > > > I've recently observed a pattern where adding a host certificate to a > > host only shows the association in the G

[Freeipa-users] Host certificates association across IPA servers

2018-01-31 Thread David Harvey via FreeIPA-users
Dear ipa-users, I've recently observed a pattern where adding a host certificate to a host only shows the association in the GUI for the server which issues the cert. I'm running FreeIPA 4.4.4. I request a certificate from the host(s) in question with something like: ipa-getcert request -f

[Freeipa-users] Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Dear list, In trying to escape from the various issues facing the ubuntu freeipa, I attempted to make the switch to Fedora 26 (same freeipa version 4.4.4). This seemed to go well (adding new replica first, and then replacing the ubuntu based installs), but I notice on my fedora boxes several

[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Point No.2 Is now sorted. It was the old missing Subject Alternative Name extension in certificate problem (which I had only seen with https until now!). I would still love to know if I need to live in fear of the other errors though :) On 4 January 2018 at 12:25, David Harvey

[Freeipa-users] Accessing IPA host data from an enrolled workstation

2018-03-27 Thread David Harvey via FreeIPA-users
Dear list, I'm currently tinkering with adding host attributes (As custom attrs, or for the moment into the description field). My intention is to then read these from the host in order to define some local behaviour for scripts or puppet. Example - a concept of machine ownership, or device

[Freeipa-users] Re: FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread David Harvey via FreeIPA-users
Awesome, thanks for the info Rob. I will check out your method. It looks like it (Dogtag) has some improving CMC support too, so will have a dig. On Tue, 3 Apr 2018, 18:19 Rob Crittenden, <rcrit...@redhat.com> wrote: > David Harvey via FreeIPA-users wrote: > > H

[Freeipa-users] Fedora -> CentOS, 4.7.2 -> 4.7.1

2019-10-28 Thread David Harvey via FreeIPA-users
Dear FreeIPA users, TL;DR *any* way of moving from 4.7.2->4.7.1? I've managed to get into a situation.. On realising the support for Debian/Ubuntu was a bit ropey, I successfully made Fedora replicas and promoted them a year or so ago. These run OK, but wanting to be off the treadmill of Fedora

[Freeipa-users] Re: Fedora -> CentOS, 4.7.2 -> 4.7.1

2019-10-28 Thread David Harvey via FreeIPA-users
Thanks for your response Rob, If I were to attempt such a thing and it apparently succeeds, is there any kind of integrity/sanity check that you would run to probe for oddities? Best wishes, David On Mon, 28 Oct 2019, 21:38 Rob Crittenden, wrote: > David Harvey via FreeIPA-users wr

[Freeipa-users] krb5kdc segfault

2019-11-29 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I've been haunted across installs by a sporadic krb5kdc segfault, the especially fun part is that it seems to bring the service down on all of the servers at once! Restarting it brings everything back again quite happily.. The last and only useful krb5kdc.log entry is: Nov 29

[Freeipa-users] Re: krb5kdc segfault

2019-11-29 Thread David Harvey via FreeIPA-users
Thanks for the swift response Alexander. I'll try and get that enabled for clearer details. On Fri, 29 Nov 2019 at 13:59, Alexander Bokovoy wrote: > On pe, 29 marras 2019, David Harvey via FreeIPA-users wrote: > >Hi FreeIPA users, > > > >I've been haunted across installs

[Freeipa-users] Re: Netscape Portable Runtime error -5999

2020-02-28 Thread David Harvey via FreeIPA-users
Hi Sarah, Not sure if the same cause, but I experienced something like this following too many open file descriptors/connections. Cause for me was LDAP connections being opened but never closed by a client, essentially DDOSing me. On phone with thumbs, so I can't recall if it was lsof or

[Freeipa-users] Re: Pausing replication or another approach to testing whilst limiting blast radius

2020-04-25 Thread David Harvey via FreeIPA-users
Thanks for the swift response Rob. Looks like just what I need! All the best, David On Fri, 24 Apr 2020, 20:56 Rob Crittenden, wrote: > David Harvey via FreeIPA-users wrote: > > Dear list, > > > > I'd like to do a test run of a script that I use to sync our HR data

[Freeipa-users] Pausing replication or another approach to testing whilst limiting blast radius

2020-04-24 Thread David Harvey via FreeIPA-users
Dear list, I'd like to do a test run of a script that I use to sync our HR data with our freeipa infrastructure. Is it possible to pause replication, or essentially fence a server off, so that if I run the updated script against it, I can limit the changes to that target server until I've checked

[Freeipa-users] LDAP conflicts and ldapsubentry

2020-07-14 Thread David Harvey via FreeIPA-users
Dear list, I noted from TFM that conflicting values have ldapSubEntry and nsds5ReplConflict attributes, however it only mentioned

[Freeipa-users] Re: LDAP conflicts and ldapsubentry

2020-07-16 Thread David Harvey via FreeIPA-users
Hi again, just a gentle bump to keep this visible, any advice on it or additional info I can provide? On Tue, 14 Jul 2020 at 19:29, David Harvey wrote: > Dear list, > > I noted from TFM >

[Freeipa-users] Re: Another 2FA question Debian and Ubuntu

2021-03-16 Thread David Harvey via FreeIPA-users
, 16 Mar 2021 at 06:35, Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Mon, Mar 15, 2021 at 06:04:17PM +0000, David Harvey via FreeIPA-users > wrote: > > Hi list, > > > > I've been attempting to get optional 2FA working for my Debian

[Freeipa-users] Require OTP for ipa commands

2021-03-19 Thread David Harvey via FreeIPA-users
Hello again list, Is it possible to differentiate between a kerberos ticket that was granted with OTP vs one that would not (for the purpose of requiring it for `ipa some-privileged command` ) Aim: Protect servers with OTP but not always require it for workstations. But to require OTP for the

[Freeipa-users] Re: Require OTP for ipa commands

2021-03-19 Thread David Harvey via FreeIPA-users
On Fri, 19 Mar 2021 at 15:46, David Harvey wrote: > Hello again list, > > Is it possible to differentiate between a kerberos ticket that was granted > with OTP vs one that would not (for the purpose of requiring it for `ipa > some-privileged command` ) > > Aim: Protect servers with OTP but not

[Freeipa-users] Another 2FA question Debian and Ubuntu

2021-03-15 Thread David Harvey via FreeIPA-users
Hi list, I've been attempting to get optional 2FA working for my Debian derivatives so I can run per-host OTP nicely for the more sensitive boxes. So far: A user with "password and otp" only allowed in the can login as expected with the password and OTP concatenated. A user with both "password"

[Freeipa-users] certs: SAN without othername / NT Principal name

2022-03-31 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I'm having great fun with a web app that hates the othername/ NT Principal name included with certificates generated with ipa-getcert. I've tried several variations but can't omit this part of the subject alternative name. Is there any way to do so? Thanks in advance, David

[Freeipa-users] Re: certs: SAN without othername / NT Principal name

2022-04-01 Thread David Harvey via FreeIPA-users
wrote: > > On to, 31 maalis 2022, David Harvey via FreeIPA-users wrote: > > > Hi FreeIPA users, > > > > > > I'm having great fun with a web app that hates the othername/ NT > Principal > > > name included with certificates generated with ipa-getcert. > > >

[Freeipa-users] Re: Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
and not password only enabled... On Mon, 20 Mar 2023 at 17:05, Rob Crittenden wrote: > Alexander Bokovoy via FreeIPA-users wrote: > > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: > >> Hi there, > >> > >> When I try and re-enable TOTP for a host au

[Freeipa-users] Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
Hi there, When I try and re-enable TOTP for a host auth indicator I receive "invalid 'krbprincipalauthind': authentication indicators not allowed in service "host"" Running FreeIPA 4.9.10 on Rocky. I'm having some issues working out the current methods of OTP enforcement for SSH interactive as a

[Freeipa-users] Re: Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
>> > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: >> >> Hi there, >> >> >> >> When I try and re-enable TOTP for a host auth indicator I receive >> >> "invalid 'krbprincipalauthind': authentication indicators not allowed

[Freeipa-users] Re: DNS resolution failures

2024-01-30 Thread David Harvey via FreeIPA-users
Just checking if there are any suggestions as to how to debug this effectively. The lack of smoking barrel log entries we've seen with it have left us a little stumped! Thanks as always, David On Wed, 17 Jan 2024 at 10:54, Tania Hagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-23 Thread David Harvey via FreeIPA-users
Sorry if this is thread hijack (happy to start another) but further to this, is the single resolver 127.0.0.1 the blessed / recommended setup? We've had some chicken and egg situations recently where dirsrv being sad has broken local DNS resolution, and then krb behaviours and lookup for the other

[Freeipa-users] Recommended resolv.conf / hosts file

2024-05-29 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I nested this under a related topic before (subject: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () ) but it was admittedly a bit off topic... Is configuring resolv.conf with the single resolver 127.0.0.1 the