[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-08-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/17/2018 12:59 PM, Jokinen Eemeli via FreeIPA-users wrote: Hi! Yes, seems like there was "security: off" but that doesn't seem to do it, I think I have ended up in the situation that I need to recreate some certificates, because: I check the renewal dates. -- getcert list |grep expires:

[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote: Hi all. We'd like to change the domain name on our FreeIPA (4.5.4 on CentOS 7.5). Not the realm but only the domain; is it doable? If so... how? Hi, unfortunately, no. Please have a look at IdM documentation, section Host

[Freeipa-users] Re: IPA-Server-Upgrade crashes - Certificate has expired

2018-08-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/13/2018 04:13 PM, Tobi Berninger via FreeIPA-users wrote: Hello, I upgraded my CentOS 7.5 IPA server to a new version and ran into a few problems. It seems like 'subsystemCert cert-pki-ca' expired nearly a month ago (Jul 22) and I am not sure how to renew it. When I run the

[Freeipa-users] Re: IPA-Server-Upgrade crashes - Certificate has expired

2018-08-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/13/2018 05:43 PM, Tobi Berninger via FreeIPA-users wrote: Hello Flo, thanks for your fast answer. First of all, we are a small student organization, so we don't have the luck to have the money for a Red Hat support contract and can't access the link you provided. I started the other

[Freeipa-users] Re: dns discovery failed

2018-08-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/26/2018 03:29 AM, Andrew Meyer via FreeIPA-users wrote: So I decided to rebuild my setup at home.  I am running this on CentOS 7 latest and have gotten the server working just fine.  I am trying to setup a client server and getting the following: [ameyer@jump01 vmware-tools-distrib]$

[Freeipa-users] Re: Switch CA from Internal (IPA) to AD

2018-08-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/28/2018 05:57 PM, Alexander Bokovoy via FreeIPA-users wrote: On Tue, 28 Aug 2018, Peter Tselios via FreeIPA-users wrote: Hello, I have a FreeIPA installation (4.5.4). There is a one-way trust with the Active Directory server. We had set up 2 different CAs (one for the Linux domain and one

[Freeipa-users] Re: Help with FreeIPA startup problem

2018-09-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/04/2018 05:33 PM, Stuart McRobert wrote: Hi, I'm cc'ing the users mailing list, you may get more help there. Thanks. As the output of certutil -K correctly displays an entry for subsystemCert cert-pki-ca, we can assume that the password is OK. Okay, good. I would try to check the

[Freeipa-users] Re: Help with FreeIPA startup problem

2018-09-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/04/2018 11:27 AM, Stuart McRobert wrote: Hi, I wonder if you might be able to help me with hopefully a quick FreeIPA startup problem that I've not been able to work out how to fix, or point me to further information to help get this resolved?  Many thanks. I found your useful guide

[Freeipa-users] Re: Help with FreeIPA startup problem

2018-09-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/04/2018 07:20 PM, Stuart McRobert via FreeIPA-users wrote: Hi, Yes, this looks correct. Make sure that 17 is the serial of your new certificate (it may differ from my example), and don't forget to replace O=XXX with the correct domain for your deployment. Thanks, yes 17 was indeed the

[Freeipa-users] Re: Howto renew certificates with external CA?

2018-01-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/24/2018 12:35 PM, Harald Husemann via FreeIPA-users wrote: Hello IPA experts, we are running FreeIPA version 4.4.0 with an external CA (our own one); everything was working fine until the CA certificate expired, which happened on January 13th. Since I was on vacation and the basic

[Freeipa-users] Re: new client setup

2018-03-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/03/2018 21:39, Andrew Meyer via FreeIPA-users wrote: I am trying to add another client in my main location and getting the following information: [user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net --realm=stl1.example.net --mkhomedir --enable-dns-updates Skip

[Freeipa-users] Re: Unable to retrieve ticket despite setting the adding the system on allow list

2018-03-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/08/2018 02:30 AM, William Muriithi via FreeIPA-users wrote: Hello, I am attempting to set up Apache behind a load balancer and have set up the necessary host and DNS entry to represent a virtual host. I also have added the ACL to pull and also create the ticket. I am however unable to run

[Freeipa-users] Re: removing a replica

2018-03-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/07/2018 08:52 PM, Andrew Meyer via FreeIPA-users wrote: I am trying to follow HowTo/Remove replica in a managed topology - FreeIPA to remove replica servers correctly. However when I do this I am running into an

[Freeipa-users] Re: timestamp of ipa backup and test on backup restore

2018-03-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/08/2018 08:13 AM, barrykfl--- via FreeIPA-users wrote: Hi: is there any timestamp expiry of the IPA backup copy? My steps are: On the original server, I back up a copy, then I shut it down. Then I reinstall a new one with the same host name and I can really restore from the backup. (test finished)

[Freeipa-users] Re: Add attributes

2018-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
p you should be able to add the edupersontargetedid attribute. Hope this clarifies, Flo Regards Per On 15 Mar 2018, at 10:31, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On 03/15/2018

[Freeipa-users] Re: Untrusted Peer certificate after CA renewal

2018-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/13/2018 11:36 AM, Stéphane Mehat via FreeIPA-users wrote: So went back to the basics of that tutorial. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/ # getcert modify-ca -c dogtag-ipa-ca-renew-agent -e

[Freeipa-users] Re: Add attributes

2018-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
hence the error. You will need to add eduPerson objectclass to the existing user entries: ipa user-mod username --addattr objectclass=eduPerson After this step you should be able to add the edupersontargetedid attribute. Hope this clarifies, Flo Regards Per On 15 Mar 2018, at 1

[Freeipa-users] Re: any freeipa master slave configuration

2018-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/15/2018 11:04 AM, barrykfl--- via FreeIPA-users wrote: Hi: I'm seeking a master-slave replication mode of FreeIPA? Is there such a mode? As I saw, the 2-node configuration is actually called master-master. Regards

[Freeipa-users] Re: Add attributes

2018-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
, hence the error. You will need to add eduPerson objectclass to the existing user entries: ipa user-mod username --addattr objectclass=eduPerson After this step you should be able to add the edupersontargetedid attribute. Hope this clarifies, Flo Regards Per On 15 Mar 2018, at 10:31

[Freeipa-users] Re: any freeipa master slave configuration

2018-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/15/2018 11:47 AM, barrykfl--- via FreeIPA-users wrote: So if a short time after server 1 recovery it will sync back the correct data, right? There is always a risk that some entries get simultaneously modified on server2 and server3, with each server unaware of the modification on the other

[Freeipa-users] Re: What does migration mode actually do?

2018-03-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote: On 09/03/2018 09:13, Florence Blanc-Renaud wrote: On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote: Hi I'm using migration mode (ipa config-mod --enable-migration=true) to help migrate from one freeipa

[Freeipa-users] Re: What does migration mode actually do?

2018-03-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote: Hi I'm using migration mode (ipa config-mod --enable-migration=true) to help migrate from one freeipa instance to another. I wasn't able to find any docs on what enabling migration mode actually does, exactly. Can anyone

[Freeipa-users] Re: ipa-kra-install error

2018-03-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/08/2018 08:33 PM, Natxo Asenjo via FreeIPA-users wrote: anyone? On Wed, Mar 7, 2018 at 8:33 PM, Natxo Asenjo wrote: hi, I want to try the vault but when I tried installing it it failed. Unfortunately the error

[Freeipa-users] Re: read only replicants

2018-04-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/06/2018 12:10 PM, Angus Clarke via FreeIPA-users wrote: Hi, is there a way to lock down a FreeIPA replica so that it can only receive updates but not make changes to other FreeIPA systems? Some of our environments are considered less secure than others; our security team are concerned

[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/10/2018 11:35 AM, Hillar Aarelaid via FreeIPA-users wrote: Hi not exactly same, but feels similar here ;( _single_ freeipa server (Linux ipa.idm.domain.tld 4.15.14-300.fc27.x86_64 IPA VERSION: 4.6.3, API_VERSION: 2.229) 1) full backup made with ipa-backup 2) server loss 3) new server

[Freeipa-users] Re: ipa-restore breaks pki-tomcatd (?)

2018-04-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/10/2018 04:30 PM, Hillar Aarelaid wrote: On 10. apr 2018, at 15:05, Florence Blanc-Renaud wrote: I would start by checking if all the certificates are up-to-date, especially subsystemCert cert-pki-ca. sorry, i did not touch any certificates. Hi, (re-adding the

[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-04-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/04/2018 04:16 PM, lejeczek via FreeIPA-users wrote: On 04/04/18 12:43, Florence Blanc-Renaud wrote: You need to check which server is your renewal master (ipa config-show | grep 'IPA CA renewal master'), then make sure that the certs were properly renewed on this master (check

[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-04-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/04/2018 02:49 PM, lejeczek via FreeIPA-users wrote: On 04/04/18 12:43, Florence Blanc-Renaud wrote: On 04/04/2018 12:37 PM, lejeczek via FreeIPA-users wrote: On 04/04/18 09:36, Florence Blanc-Renaud wrote: On 04/03/2018 08:37 PM, lejeczek wrote: On 29/03/18 12:43, Florence

[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-04-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/04/2018 03:21 PM, lejeczek via FreeIPA-users wrote: On 04/04/18 12:43, Florence Blanc-Renaud wrote: Hi, CA_WORKING means that certmonger's helper is trying to download the certificate from LDAP, but does not find new certs. In topologies with multiple servers, only one server is the

[Freeipa-users] Re: modifying ttl on dns records

2018-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/10/2018 06:16 PM, Andrew Meyer via FreeIPA-users wrote: I am trying to modify the TTL for records in my zone.  When I try to do this I am getting the following error: [gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300 No option to modify

[Freeipa-users] Re: LDAP Replication errors and GSSAPI authentication on one FreeIPA replica

2018-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/11/2018 04:47 PM, Dave Jablonski via FreeIPA-users wrote: One of the FreeIPA replicas is not able to use GSSAPI authentication to connect to the LDAP server on itself or any other FreeIPA server. I'm not sure why. I added example.com to just replace the actual

[Freeipa-users] Re: client installation would randomly succeed

2018-04-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/07/2018 05:46 PM, lejeczek via FreeIPA-users wrote: hi, I'm trying to install a client, which would very rarely succeed: 9 out of 10 fail. I run these installations in series. When it fails it does it this way: .. Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor

[Freeipa-users] Re: client installation would randomly succeed

2018-04-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/09/2018 12:07 PM, lejeczek via FreeIPA-users wrote: On 09/04/18 09:50, Florence Blanc-Renaud wrote: Hi, the issue looks like bugzilla 1538184 [1]. Did you define a 'root' user in FreeIPA with uid=0/gid=0? Flo hmm.. honestly I cannot say whether I migrated users before I tried

[Freeipa-users] Re: logic behind replica installer - host already exists

2018-04-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/07/2018 04:52 PM, lejeczek via FreeIPA-users wrote: hi having a client installed now I attempt to install a replica.. ..  host already exists. It needs to be removed. Run this command:     %% ipa-replica-manage del rider.private.ccnr.ceb.private.cam.ac.uk --force which I do, I go to

[Freeipa-users] Re: Cannot figure out why ipa-server-install says ipv6 ::1 is not assigned

2018-04-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/12/2018 08:39 PM, Paul Raines via FreeIPA-users wrote: The problem is on this line in ipautil.CheckedIPAddress with the netmask=ifdata['netmask'] call ifnet = netaddr.IPNetwork('{addr}/{netmask}'.format( addr=ifaddr, netmask=ifdata['netmask'] )) On

[Freeipa-users] Re: at which point IPA changes nsswitch.conf

2018-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/20/2018 11:06 AM, lejeczek via FreeIPA-users wrote: hi, I'd like to ask when, if at all, IPA's installer changes nsswitch.conf? I install a client, afterwards no sss in nsswitch; I install a replica on that client, still no sss. Is this normal, expected? many thanks, L.

[Freeipa-users] Re: IPA Error 4203 DatabaseError

2018-04-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/23/2018 04:25 PM, Andrew Meyer via FreeIPA-users wrote: I seem to have 1 server that constantly gets out of sync with the other 3 servers.  Currently I am getting this error when I try to add a user: Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors

[Freeipa-users] Re: CA_UNREACHABLE during ipa-replica-install

2018-04-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/19/2018 06:34 PM, r hartikainen via FreeIPA-users wrote: Hello I got this same error with replica installation on rhel 7.4 after the OS was hardened with openscap. Pure base OS install without any additional hardening did work without problems. I was doing replica immediately after

[Freeipa-users] Re: replica - install fails with CA issue

2018-04-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/23/2018 10:37 PM, Ross Infinger via FreeIPA-users wrote: I'm trying to promote a new client to a replica.  I install the client first then run ipa-replica-install. The client install goes OK but the ipa-replica-install command fails with RuntimeError: Certificate issuance failed

[Freeipa-users] Re: pki-tomcatd and ipa-otpd Service stopping!!

2018-03-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/30/2018 01:19 PM, Günther J. Niederwimmer via FreeIPA-users wrote: Hello, can anyone help me to find out the correct way to renew the certificates? After a problem I found out my certificates are not renewed on my two IPA servers. My IPA servers' version is 4.5.0-22-22, CentOS 7.4. All I

[Freeipa-users] Re: remote udate vectors

2018-03-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/20/2018 04:55 PM, Andrew Meyer via FreeIPA-users wrote: While doing some troubleshooting on replication I found that I have an old server in my replica list-ruvs. How would I go about removing that?

[Freeipa-users] Re: Add attributes

2018-03-29 Thread Florence Blanc-Renaud via FreeIPA-users
ll need to add eduPerson objectclass to the existing user entries: ipa user-mod username --addattr objectclass=eduPerson After this step you should be able to add the edupersontargetedid attribute. Hope this clarifies, Flo Regards Per On 15 Mar 2018, at 10:31, Florence Blanc-Renaud via Fr

[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-03-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote: hi guys, I fail to troubleshoot this here: $ ipactl start --ignore-service-failures Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting httpd Service Starting ipa-custodia Service

[Freeipa-users] Re: pki-tomcatd and ipa-otpd Service stopping!!

2018-03-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/30/2018 03:22 PM, Günther J. Niederwimmer via FreeIPA-users wrote: On Friday, 30 March 2018, 14:27:13 CEST, Florence Blanc-Renaud via FreeIPA-users wrote: On 03/30/2018 01:19 PM, Günther J. Niederwimmer via FreeIPA-users wrote: Hello, can anyone help me to find out the correct way

[Freeipa-users] Re: Failed to start pki-tomcatd Service - javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

2018-04-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/03/2018 08:37 PM, lejeczek wrote: On 29/03/18 12:43, Florence Blanc-Renaud wrote: On 03/28/2018 12:42 PM, lejeczek via FreeIPA-users wrote: hi guys, I fail to troubleshoot this here: $ ipactl start --ignore-service-failures Starting Directory Service Starting krb5kdc Service Starting

[Freeipa-users] Re: Add attributes

2018-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
classes, the objectclasses for already existing user entries were not modified, hence the error. You will need to add eduPerson objectclass to the existing user entries: ipa user-mod username --addattr objectclass=eduPerson After this step you should be able to add the edupersontargetedid attri

[Freeipa-users] Re: Fedora 27 and IPA - install timeout?

2018-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 03/17/2018 05:21 PM, Alexander Bokovoy via FreeIPA-users wrote: On Sat, 17 Mar 2018, Kat via FreeIPA-users wrote: But why would it work perfectly with CentOS on VBox, but not Fedora? No changes - still VirtualBox, just CentOS vs Fedora. Different software, including different (much older)

[Freeipa-users] Re: Backup idea of disaster

2018-03-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 04/03/2018 02:28, barrykfl--- via FreeIPA-users wrote: Tried those commands before... it seems the web page and LDAP are separate, or I missed some parts. It can turn on the LDAP but the web page does not allow login... mostly it is related to? Hi, on which system do you have trouble accessing the web

[Freeipa-users] Re: Create a replica

2018-03-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/03/2018 18:11, Bret Wortman via FreeIPA-users wrote: I've got a one system setup now and would like to create a replica and ensure survivability as much as possible. Will this do the trick? Obviously the first is run on the current master and the second on the new replica... #

[Freeipa-users] Re: Backup idea of disaster

2018-03-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/03/2018 10:37, barrykfl--- via FreeIPA-users wrote: I see... but can the full restore successfully run on a cleanly installed master, overwriting the new CA? e.g. master with CA and LDAP all crashed, with replication servers but data also crashed... can it be used as a restore using the same hostname

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/21/2018 08:57 AM, Jokinen Eemeli via FreeIPA-users wrote: Hi! Forgot kinit: -- kinit admin Password for admin@<>: klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@<> Valid starting Expires Service principal 06/21/2018 09:55:07 06/22/2018 09:54:54

[Freeipa-users] Re: "No valid Negotiate header in server response" error when trying to install

2018-06-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/21/2018 06:05 PM, None via FreeIPA-users wrote: Hey everyone: I posted this like a week ago and didn't get a response. Hoping someone can respond, since it's happened to us again. Any ideas? On 2018-06-12 10:58, g...@greg-gilbert.com wrote: Hi all, I've been having an issue recently

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/21/2018 07:34 AM, Jokinen Eemeli via FreeIPA-users wrote: Hi! We do have 2 IPA nodes configured but the second node has been down for some time. Tried to update it to same version as node1: - Won't start tells me to use ipa-server-upgrade - Ipa-server-upgrade fails at start, doesn't

[Freeipa-users] Re: "message" -> "Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute

2018-10-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/19/18 7:43 AM, Thomas Höll via FreeIPA-users wrote: Hi All, I've been building a password self service application which talks to the FreeIPA REST API to reset a user's password. This is working perfectly when I use the 'admin' user to perform the operation, but I don't want to do that in

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote: Hi there, This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. After reboot I couldn't start ipa service via systemctl, hence I run "ipactl start --ignore-service-failures" and this was kind of successful. I still have some

[Freeipa-users] Re: freeipa in Docker: please help to recover the data.

2018-10-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/20/18 3:00 PM, skrawczenko--- via FreeIPA-users wrote: Hello, I used to have the Docker version of freeipa-server; everything went well until some disaster. While recovering from the disaster, I've managed to get dirsrv working but pki-tomcat is not, and it doesn't seem worth fixing. The

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/20/18 5:40 AM, None via FreeIPA-users wrote: Thanks Flo. [1] Service pki-tomcatd@pki-tomcat.service is active (running) [2] /var/log/pki/pki-tomcat/ca/debug reads among others: - SSL handshake happened - Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error

[Freeipa-users] Re: Inconsistencies in account preserved status

2018-10-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/22/18 2:10 PM, Roderick Johnstone via FreeIPA-users wrote: Hi This is ipa-server-4.5.4-10.el7_5.4.4.x86_64 on RHEL7.5. I've got four preserved accounts (out of a few hundred preserved accounts). On two of the servers they are showing up correctly as preserved with this command: ipa

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: On 26-10-18 18:00, Timo Aaltonen wrote: On 26.10.2018 18.59, Kees Bakker wrote: On 26-10-18 14:55, Timo Aaltonen wrote: On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: On 25-10-18 20:46, Timo Aaltonen wrote: On 25.10.2018

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/23/18 5:24 AM, None via FreeIPA-users wrote: Hi Flo, the journalctl reports that request is rejected, error 2. dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent dogtag-ipa-renew-agent-submit[29558]: GET

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/26/18 7:36 AM, Z D via FreeIPA-users wrote: Hi Rob, I follow one of your suggestions in another post, it's : "certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens" I did it, no

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/25/18 8:11 AM, Z D via FreeIPA-users wrote: Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf and /var/log/pki/pki-tomcat/ca/debug reads: [08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED ===

[Freeipa-users] Re: New FreeIPA Server Setup

2018-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/18/18 4:34 PM, Ben Archuleta via FreeIPA-users wrote: Hello All, I am in the process of setting up a FreeIPA server to replace an ancient NIS (last updated in 2013-ish). I can manually recreate the accounts (about 280) for the most part but the issue I can’t seem to work around is

[Freeipa-users] Re: LDAP - Zammad -> not offering all fields

2018-11-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/12/18 12:58 PM, Tobi Berninger via FreeIPA-users wrote: Hey, I just tried to add a new user as described in the HowTo/LDAP from FreeIPA, and the console doesn't show any errors, but when I try to use that user as a bind user it won't work at all. Maybe something bigger isn't working? This

[Freeipa-users] Re: Automatic Hostgroup Membership

2018-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/9/18 9:39 AM, Peter Tselios via FreeIPA-users wrote: Hello, I want to create an automember rule for my IPA Clients. The regular expression is tested in the https://regex101.com/ and it matches my sample FQDNs. On the IPA server, I have created the Automember --> Host --> Rules rule with

[Freeipa-users] Re: adding users

2018-08-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/31/2018 04:33 PM, Andrew Meyer via FreeIPA-users wrote: So we are starting the final phase of our migration and I am trying to add all the users to FreeIPA.  But i'm getting an error and i'm not sure why.  I've also never gotten this in the past when adding users. [root@freeipa01 ~]#

[Freeipa-users] Re: Web UI always in self service mode no matter what role a user belongs to

2018-09-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/21/18 2:06 PM, kwtygrys via FreeIPA-users wrote: Hi I am running Freeipa 4.5.4 on Centos 7 server. I created a few users hradmin, itadmin, secadmin and assigned them to the built-in special roles User Administrator, IT Specialist and IT Security Specialist respectively. However every

[Freeipa-users] Re: Web UI always in self service mode no matter what role a user belongs to

2018-09-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/21/18 5:25 PM, kwtygrys via FreeIPA-users wrote: well, according to the freeipa page https://www.freeipa.org/page/Web_UI Web UI has two operation modes: * self-service o used for regular users o limited interface - only information about users o default page: user's

[Freeipa-users] Re: Expired Certificates.

2019-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/17/19 4:30 AM, Bhavin Vaidya via FreeIPA-users wrote: Hello, we rebooted our primary FreeIPA server (ds01) and then it will not start pki-tomcatd; Kerberos will also not work, though it starts. We realized that 2 certificates have expired. We tried stopping IPA, stopping NTP, going back to

[Freeipa-users] Re: orphan certificate key Issue

2019-01-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/14/19 5:30 PM, Uzor Ide via FreeIPA-users wrote: Hello All, I upgraded our IPA server and after the upgrade IPA won't start again. Further investigation shows that components of IPA start, but pki-tomcatd@pki-tomcat.service appears to be where the issue lies. Checking the logs suggested

[Freeipa-users] Re: ipa-replica-install error migrating CentOS 6 to 7

2018-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/6/18 4:11 PM, Marc Wiatrowski via FreeIPA-users wrote: Definitely! https://pagure.io/freeipa/issue/7796 Thank you so much.  Is there something I can do in the meantime? Hi, I added a workaround in the ticket [1], please let me know if it works for you. flo [1]

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/11/18 12:59 PM, 74cmonty via FreeIPA-users wrote: Hi Flo, thanks for your reply. I decided to start replica setup from scratch. This means I executed this command on master: ipa-replica-manage del ipa-replica.biszumbitterenen.de Then I restored the replica server to a previous state,

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote: Hello, I want to move my IPA master to new hardware, but IPA does not want to start on that new hardware. /var/log/krb5kdc.log shows: krb5kdc: Server error - while fetching master key K/M for realm GHS.NL And then of course the rest of

[Freeipa-users] Re: Limits exceeded for this query

2018-12-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, based on the err code err=3 I can see that I was wrong, it's not a size limit but rather a time limit issue. It looks like the LDAP server is busy after the modification on the cn= entry and takes more than 33sec to answer. The default search time limit is 2 seconds at IPA level: dn:

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/20/18 11:51 AM, Kees Bakker via FreeIPA-users wrote: On 19-12-18 12:06, Kees Bakker via FreeIPA-users wrote: On 18-12-18 17:50, Florence Blanc-Renaud wrote: [...] If you have a spare machine you can also use replication, and create a replica of your current master with all the needed

[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4

2018-12-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: Hi, my IPA system consists of 2 masters with their own self-signed CAs, one of them being the certificate renewal master (ipa1). The system has been running for years and has been migrated from an IPA 3 system. For a while now, the Web

[Freeipa-users] Re: FreeIPA/Dogtag - Slow host deletion due to certificate pagination

2018-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/20/18 6:33 PM, Jared Ledvina via FreeIPA-users wrote: Hi Florence, Thanks for the reply! So, I've been looking at those and I currently, don't have any limit that I can find configured to 2,000 entries. Current setup: https://paste.fedoraproject.org/paste/75jhSM1qonlQB-Uqtgug-Q

[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4

2018-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 4:22 PM, dbischof--- via FreeIPA-users wrote: my IPA system consists of 2 masters with their own self-signed CAs, one of them being

[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4

2018-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/21/18 11:58 AM, dbischof--- via FreeIPA-users wrote: Hi Florence, thank you very much for your help. On Fri, 21 Dec 2018, Florence Blanc-Renaud via FreeIPA-users wrote: On 12/20/18 6:52 PM, dbischof--- via FreeIPA-users wrote: On Thu, 20 Dec 2018, Florence Blanc-Renaud via FreeIPA

[Freeipa-users] Re: Cannot issue new certificate (again...)

2018-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/21/18 1:26 PM, Peter Tselios via FreeIPA-users wrote: Hello, I have a host with 2 names: * servername.example.com * alias.example.com But the command: === ipa-getcert request \ -K HTTP/servername.example.com \ -D alias.example.com \ -f

[Freeipa-users] Re: How to prevent non-admin users of FreeIPA from reading the list of users in the web interface?

2018-12-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/11/18 1:36 AM, cdknight via FreeIPA-users wrote: When a user signs in to FreeIPA, I do not want them to be able to view the list of users in my LDAP server under the "Active users" link. I still want them to be able to administer self-service, so they can reset their password, add OTP

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/11/18 11:23 AM, 74cmonty via FreeIPA-users wrote: Hello Flo, I successfully installed FreeIPA 4.7.2 packages on replica server: ``` [root@ipa-replica ~]# rpm -q freeipa-server freeipa-client ipa-server ipa-client 3

[Freeipa-users] Re: freeIPA Host certs

2018-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/13/18 4:04 PM, Azim Siddiqui via FreeIPA-users wrote: Hello, Hope you are doing good. I have a question regarding freeIPA host certificates. We are using FreeIPA as our LDAP. We have some certificates for hosts, e.g. http/uat.com. And we are deploying the certs in Haproxy

[Freeipa-users] Re: new replica does not post properly in ipa_check_consistency

2018-12-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/19/18 8:39 PM, Grant Janssen via FreeIPA-users wrote: New replica looks to be fully joined. I can add users, and I have verified by log examination that the new replica is actually the server adding the user. I cannot detect any issues, BUT the 3rd replica does not appear as a

[Freeipa-users] Re: TOTP generators producing different values

2018-12-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/3/18 6:10 PM, Brian Topping via FreeIPA-users wrote: Hi all, I have a question about TOTP authenticators (Google Authenticator, Authy, FreeOTP): Why is it that a given URL/QRCode can load into all three authenticators, but all three give different OTP values at any given time and only

[Freeipa-users] Re: ipa-replica-install error migrating CentOS 6 to 7

2018-12-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/4/18 9:55 PM, Marc Wiatrowski via FreeIPA-users wrote: I'm trying to migrate a CentOS 6 IPA setup to CentOS 7. Both are fully updated CentOS 6.10 (ipa-server-3.0.0-51) and CentOS 7.6 (ipa-server-4.6.4-10) I've been following:

[Freeipa-users] Re: ipa-replica-install error migrating CentOS 6 to 7

2018-12-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/5/18 3:12 PM, Marc Wiatrowski wrote: hello flo, I attached the log to only you... Wasn't sure if there was anything in there that wasn't ok to go to the whole list. Hi Marc, (adding the list in cc) indeed the error happens in a code path that wasn't fixed. Could you open a new

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/6/18 8:59 AM, 74cmonty via FreeIPA-users wrote: Well, then I will repeat the context... After completing FreeIPA master (vm200; 192.168.100.200) installation I started setup of replica (vm201; 192.168.100.201). This means I first enrolled the replica server as a client successfully and

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named-pkcs11): bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/6/18 1:26 PM, 74cmonty via FreeIPA-users wrote: Hi Florence, thank you for this detailed analysis. I fully support your conclusion. Before you replied to this ticket I have already opened a bug report: https://pagure.io/freeipa/issue/7795 Question: Is there any workaround to temporarily

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/7/18 6:33 PM, 74cmonty via FreeIPA-users wrote: Hello Flo, I've decided to follow your advice. This means I will install another CA instance on the replica server. However I would prefer to upgrade FreeIPA to version 4.7.2 before. Unfortunately I failed on this task. I've executed

[Freeipa-users] Re: Problem with Freeipa-client on Ubuntu 16.04 - create_ipa_nssdb

2018-12-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/6/18 4:23 PM, Milos Cuculovic via FreeIPA-users wrote: I have an issue trying to install freeipa-client on Ubuntu16.04 (worked on other 16.04 servers but this one is somehow failing). The problem is with the postinst script that fails on this line: python2 -c 'from ipapython.certdb

[Freeipa-users] Re: Installation Error in step: Configuring the web interface (httpd)

2018-11-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/18 10:29 PM, c.monty--- via FreeIPA-users wrote: Hi, the installation fails in step Configuring the web interface (httpd) - [19/21]: starting httpd The error details are here: [root@vm200-freeipa ~]# tail /var/log/ipaserver-install.log   File

[Freeipa-users] Re: How to add host with subdomain local..de

2018-11-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/19/18 12:22 AM, 74cmonty via FreeIPA-users wrote: Hi, I completed installation using the recommended FQHN ipa..de of FreeIPA server. How can I add a client host configured with sub-domain local..de? Hi, if FreeIPA server was installed with embedded DNS, you can add a DNS zone for

[Freeipa-users] Re: Migration from Test to Production

2018-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/21/18 9:26 PM, Ronald Wimmer via FreeIPA-users wrote: On 21.11.18 17:40, Rob Crittenden via FreeIPA-users wrote: [..] Yes, masters are all more or less equal, the difference being whether they run optional services and there are a few roles that only one master has (CRL manager, renewal

[Freeipa-users] Re: Testing requested - certificate checking tool

2019-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/9/19 4:21 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote: Hello, Now it works and it shows the real problem I have. I have 2 master, I have changed the HTTP certificate on both (using ipa-cacert-manage, ipa-certupdate and ipa-server-certinstall as the manual says), but I one of them

[Freeipa-users] Re: IPA location on replica servers with different domain suffixes

2019-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/8/19 10:13 PM, I AM USER via FreeIPA-users wrote: Thanks, but I got to this point after following that document. It doesn't answer my question.

[Freeipa-users] Re: Web UI login/certificate issues, IPA 4.5.4

2019-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote: Hi Florence, On Tue, 8 Jan 2019, Florence Blanc-Renaud wrote: On 1/8/19 3:51 PM, dbischof--- via FreeIPA-users wrote:  Hi Florence,  On Mon, 7 Jan 2019, Florence Blanc-Renaud wrote:  [...]  i shaved this thread a little, since it

[Freeipa-users] Re: Testing requested - certificate checking tool

2019-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/19 3:24 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote: Ipa cert-show is working now after copying the certificates, thanks. The error I get is: Joining realm failed: libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA
