[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/17/20 10:12 PM, Stuart McRobert via FreeIPA-users wrote: Dear All, Thanks to everyone for their help with this. In summary the problem was an inconsistency between the certificate stored in a file and in ldap, as described at the bottom of flo's blog:

[Freeipa-users] Re: Migrating or adding CA to a replica after-the-fact?

2020-06-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/2/20 3:28 PM, Auerbach, Steven via FreeIPA-users wrote: Can we add the CA mastery or CA replica to an IPA v4 server that is a replica and later promote to CA mastery?  We have an IPA v3 server that has been the only CA master for several years. We have a recent IPAv4 replica that was set

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/16/20 11:42 AM, Stuart McRobert via FreeIPA-users wrote: Dear flo, At this point you also need to restart pki: Thanks, restarted and resubmitted the request, then wait, but sadly I guess something else may also need attention? Best wishes Stuart

[Freeipa-users] Re: BadRequest when using freeipa-python

2020-09-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/21/20 7:55 AM, Ronald Wimmer via FreeIPA-users wrote: On 18.09.20 19:47, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: On 18.09.20 13:04, Rafael Jeffman via FreeIPA-users wrote: On Thu, Sep 17, 2020 at 9:59 AM Ronald Wimmer via FreeIPA-users

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote: Not sure I'm sending this to the right place, but here it goes.  I inherited a FreeIPA/Identity Manager setup in an enclave (no internet access) environment that is running into problems.  There are at least 3 different IdM servers

[Freeipa-users] Re: Clarification on CA Cert renewal requested

2020-08-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/6/20 6:35 PM, Khurrum Maqb via FreeIPA-users wrote: Run ipa-certupdate on all IPA-enrolled machines, including servers, to update local files. Thanks. I ran ipa-certupdate on a client and I see that it completed successfully. The output of `certutil -L -d /etc/ipa/nssdb/` shows a second

[Freeipa-users] Re: CLI commands to unprovision a host, then set one time password?

2020-08-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/7/20 12:49 PM, Bo Lind via FreeIPA-users wrote: We have a workflow where we sometimes reinstall enrolled hosts. The role of the host does not change, IP, hostname etc. stay unchanged. Our current workflow is to enter the GUI, select unprovision, set a one time password, and then enroll

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/11/20 6:39 PM, Scott Z. wrote: First thing I did when I logged in this morning (I'm on Hawaii Standard Time) was run "ipactl status".  The return was "Directory Services: STOPPED", and "Directory Service must running in order to obtain status of other services". 1) Ran "getcert list",

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, re-adding the mailing list as the conversation could also help others. On 8/8/20 12:06 AM, Scott Z. wrote: I did notice when I compare it to another IdM server in the environment, if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a IPA CA certificate and a

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote: Yes the client was installed not using the —server option.  So it looks like my issue is DNS.  We have DNS external to the IPA hosts.  Is there a simple way for me to get a list of all the DNS records that need to be added to our DNS

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote: Environment: 2 IPA Masters running CentOS 8 and IPA Server 4.8.0.13 Client running CentOS 8 and IPA Client 4.8.0.13 The masters were setup as MultiMasters (I think I have it correct). If I shutdown the first master (ipa01) so only ipa02

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/13/20 2:35 PM, Louis Bohm via FreeIPA-users wrote: Adding the DNS fixed it. Just one more question.  Should I be updating the file /etc/openldap/ldap.conf to include both masters on the URL line on the clients?  The only master that was listed there was the first master created. Hi,

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote: Thanks much for the assistance.  Here is where I am with your suggestions: 1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' and I see that the Validity is indeed old (almost a year old

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 7:56 PM, Scott Z. via FreeIPA-users wrote: On the failing node, the output of "getcert list" does not show any expired certs.  I have hand-copied the info info this email below (it's interesting to note that while the other IdM servers are tracking 9 certs, the problem server is

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote: I stopped the ntp service with the command "timedatectl set_ntp 0" I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 2019-09-01" I waited a minute and then checked with the "date" command; the problem server believes it

[Freeipa-users] Re: Replication issue with CSN generator

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 11:51 AM, Morgan Marodin via FreeIPA-users wrote: My issue got worse, the certificate has expired on the replica server, and it can't be renewed because it cannot communicate with the master server. I can start the server using the /--ignore-service-failure/ parameter, but the

[Freeipa-users] Re: ipa-server-upgrade failed after yum update on CentOS7

2020-07-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, as you have installed 4.6.5-11, the command ipa-cert-fix is available and should ease fixing the expired certs. The topology looks simple enough (a single master), so no need to worry about which server to fix first. More info available in [1] and in ipa-cert-fix man page. HTH, flo

[Freeipa-users] Re: ipa-server-upgrade failed after yum update on CentOS7

2020-06-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/30/20 10:24 AM, Mariusz Stolarczyk via FreeIPA-users wrote: All, I did a routine server updates last night on my IPA server. After the reboot I first noticed the DNS was not resolving and the ipa.service failed. The ipa.service failed to start so I ran the following: # ipactl start

[Freeipa-users] Re: Can't Add Replica: The changelog directory CLDB already exists and is not empty

2020-07-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Andrey, it looks really similar to the issue https://bugzilla.redhat.com/show_bug.cgi?id=1590974 Can you check the access log and error log on the IPA server server-01.example.com? It seems that the issue happens when the replica installer tries to create the entry

[Freeipa-users] Re: Can't Add Replica: The changelog directory CLDB already exists and is not empty

2020-07-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/7/20 10:13 PM, Andrey Ptashnik via FreeIPA-users wrote: Team, I'm trying to install FreeIPA replica and constantly hitting this error below. OS where replica is being installed is a fresh install. IPA version 4.6.6 After this error Master does not have any record of replica anyway. Can

[Freeipa-users] Re: FreeIPA/PKI CA/KRA Subsystem Certificate Renewal Failure (not yet expired)

2020-07-08 Thread Florence Blanc-Renaud via FreeIPA-users
On Mon, Jul 6, 2020 at 1:25 PM Rob Crittenden <mailto:rcrit...@redhat.com> wrote: Florence Blanc-Renaud via FreeIPA-users wrote: > On 7/5/20 2:23 AM, Ilya Kogan via FreeIPA-users wrote: >> Hi, >> >> I seem to be facing a similar issue with one o

[Freeipa-users] Re: FreeIPA/PKI CA/KRA Subsystem Certificate Renewal Failure (not yet expired)

2020-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/5/20 2:23 AM, Ilya Kogan via FreeIPA-users wrote: Hi, I seem to be facing a similar issue with one of my KRAs. My KRA certificates were, for some reason, not automatically renewed when they expired last month. Using `ipa-cert-fix` correctly fixed them on _one_ host. On the other, they

[Freeipa-users] Re: Adding new replica with CA fails.

2020-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: Hi all, I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range. This is the error

[Freeipa-users] Re: certmapdata issue

2020-07-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote: Hello, I have users who kinit using their PIV (smartcard) certificates. Everything works great for users who happen to be "full" employees, but contractors' certificates never match. "Full" employees have certificates issued by:

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: Hi, As stated in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 I cannot log in to the FreeIPA web page. So I updated the CA by: # delete everything except IPA CA of httpd and dirsrv

[Freeipa-users] Re: Root CA is changing in an AD Trust environment

2020-06-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/24/20 2:01 PM, White, David via FreeIPA-users wrote: We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory. IdM is still acting as the CA for its own clients, and when we setup the trust, we used the following

[Freeipa-users] Re: Problems Cleaning Up After Migration and Upgrade

2020-06-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/20/20 9:59 PM, Auerbach, Steven via FreeIPA-users wrote: I have finally been able to create an RHEL7/IPAv4 server using ipa-replica-prepare on a RHEL6/IPA v3 server (ipa01)(added the needed schema) and running ipa-replica-install on the RHEL7/IPAv4 server (ipa03).  I followed a number of

[Freeipa-users] Re: ipa: ERROR: No valid Negotiate header in server

2020-06-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/25/20 11:01 AM, Nathanaël Blanchet via FreeIPA-users wrote: Hello, I get this error: ipa: ERROR: No valid Negotiate header in server on the master and I want to try the solution found there: https://access.redhat.com/solutions/3533431 but I don't remember when the "directory manager"

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias   [root@wocfreeipa ~]# [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca' [root@wocfreeipa ~]#  grep internal /etc/pki/pki-tomcat/password.conf

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/12/20 2:52 PM, Karim Bourenane wrote: Hello Florence, All After your recommendation: yum update ipactl start (start will also run ipa-server-upgrade) In attachment the ipaupgrade.log file. I hope the file will be accepted by the website. Hi, can you check the content of the

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: One more question, In this thread (https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that subsystemCert cert-pki-ca would map to pkidbuser. So the process is that dog-tag

[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote: # certutil -d /etc/pki/pki-tomcat/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca

[Freeipa-users] Re: Problems after replacing SSL certificates

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/5/20 7:50 PM, John Burns via FreeIPA-users wrote: I have this exact same error on ipa-certupdate, after deleting certs that expired on May 30. Were you able to find any leads in the time since this post? ipa-certupdate is needed after "ipa-cacert-manage install" commands, prior to

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote: Hello Team I have some questions: 1°) I need your help to find the best way to upgrade my 3 linked (replicated) servers. I want to upgrade the servers from CentOS 7.6 to CentOS 7.7 and update the IPAServer at the same time (or separately 

[Freeipa-users] Re: sub-cas ipa-certupdate

2020-06-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/3/20 6:07 PM, Rob Crittenden via FreeIPA-users wrote: Natxo Asenjo via FreeIPA-users wrote: hi, in the rhel 8 documentation I came across this:

[Freeipa-users] Re: AddTrust CA expiration

2020-06-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/4/20 9:21 PM, Peter Lewis via FreeIPA-users wrote: On May 30, 2020, the AddTrust CA expired as a CA. I'll get to the IPA issue after a bit of background in case everyone is not familiar. The external certs we're using are from InCommon and were cross signed by AddTrust and when we

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/9/20 10:04 AM, Karim Bourenane via FreeIPA-users wrote: Hello Florence, all I have also only updated ipa-*, but I have the same error. It appears that it is unable to unlink the port 8433 TCPV6 used by pki-tomcat for FreeIPA. I'm actually blocked with this minor update. Hi, do you mean that you

[Freeipa-users] Re: IPA web login: 401 "Login failed due to an unknown reason."

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 4:37 AM, Chris Carr via FreeIPA-users wrote: We are unable to login to the FreeIPA web console. However, it is able to tell when I use an incorrect password (shows "The password you entered is incorrect.") Also one of the CentOS servers getting ssh login credentials from our ipa

[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote: Hi Rob, Thanks a lot for your reply. It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed. Amazing! So I turned back the clock and: # ipactl

[Freeipa-users] Re: IPA -> AD trust : can't ssh with an AD user

2020-06-04 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in order to use AD users or groups in HBAC/sudo rules, you need to first create an external group (ipa group-add --external extgrp) that will contain your AD users/groups, then create a posix group (ipa group-add grp) and add the external group as member of the posix group (ipa

[Freeipa-users] Re: Add Windows host in Freeipa

2020-06-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/4/20 10:07 AM, dmitriys via FreeIPA-users wrote: Good day! I tried to add a Windows host in FreeIPA and get Hi, can you provide a little more context? What do you mean by "add windows host in Freeipa", which command are you running and what is the output? It's difficult to understand from a

[Freeipa-users] Re: automember hostgroup by account?

2020-06-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/12/20 12:44 AM, Amos via FreeIPA-users wrote: Sorry to follow-up to an old thread, but is this still true? https://www.redhat.com/archives/freeipa-users/2015-February/msg00038.html Hi, 389-ds implemented a new feature that allows to run the automembership plugin on modify operations as

[Freeipa-users] Re: LDAP conflicts and ldapsubentry

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 11:36 AM, David Harvey via FreeIPA-users wrote: Hi again, just a gentle bump to keep this visible, any advice on it or additional info I can provide? On Tue, 14 Jul 2020 at 19:29, David Harvey wrote: Dear list, I noted from TFM

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 11:02 AM, Lorenz Braun via FreeIPA-users wrote: Hi there, I have been running an IPA install (4.5.0) on a CentOS 7 server for quite a while and had some problems with it. Eventually everything got worse and now it is not really usable anymore. It started with someone accidentally

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote: Hi Flo, thanks for your feedback. I appreciate it a lot! On 16.07.20 14:32, Florence Blanc-Renaud wrote: Hi, this type of failure can happen when the certificates expire. You can check if that's the case using "getcert list" and look

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 4:54 PM, Lorenz Braun wrote: On 16.07.20 15:50, Florence Blanc-Renaud wrote: On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote: I was thinking something similar. I tried ``` [root@ipa01 ~]# ipa-cacert-manage renew Renewing CA certificate, please wait Error resubmitting

[Freeipa-users] Re: DNS Delegation

2020-07-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/31/20 1:03 AM, Christian Hernandez via FreeIPA-users wrote: I'm having an issue delegating a subdomain. My domain is cloud.chx and I ran the following. ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253 ipa dnsrecord-add 1.168.192.in-addr.arpa. 253

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/27/20 11:54 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, I've raised that issue as requested including this full email chain so far: https://pagure.io/freeipa/issue/8600 Sorry to seem dense, but ssl certs and keys are definitely not my strong suit, and the whole freeipa setup we have

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, I'm getting a database error when running that command: # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. Sorry,

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote: Thanks Flo, I'm surprised I didn't catch that typo: certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM Certificate Nickname Trust Attributes

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate: [root@red-auth01 ~]# ipa-cert-fix Failed to get Server-Cert The ipa-cert-fix command

[Freeipa-users] Re: Unable to remove incomplete replication entry - topology plugin?

2020-11-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/25/20 6:21 AM, Robert.Mattson--- via FreeIPA-users wrote: Dear FreeIPA Community, We’re having a problem joining a host to an IPA realm. We created a host account in the realm and added that host to the IPA replicas group. We installed the ipa-client and ipa-server RPMS on the

[Freeipa-users] Re: "missing attribute sn" error on migration

2020-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/20 10:19 AM, Jacquelin Charbonnel via FreeIPA-users wrote: Hi everyone, To create a nice new proper domain in CentOS8 (with a new name and so), I use "ipa migrate-ds" on a fresh installed Centos8 server, to retrieve entries from my current domain in CentOS7 : ipa migrate-ds

[Freeipa-users] Re: repair ca

2020-12-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/18/20 3:38 PM, Evg Hertz via FreeIPA-users wrote: Hello I need to fix CA Failed to authenticate to CA REST API How can I reinstall/reconfigure only the CA, or export users (with hashed passwords)/groups and import them on a new installation? Help me please. Hi, this error usually happens when the

[Freeipa-users] Re: a shortcut a small mayhem - a replica's way

2020-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/16/20 7:18 PM, lejeczek via FreeIPA-users wrote: On 16/12/2020 17:29, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. I'm trying to spin up a new replica: ...   [25/41]: restarting directory server    [26/41]: creating DS keytab    [error] CalledProcessError:

[Freeipa-users] Re: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed

2020-12-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/15/20 5:07 PM, iulian roman via FreeIPA-users wrote: After some plumbing and manual operations I managed to have CA running during installation of the FreeIPA server. Currently the install fails in : Configuring directory server (dirsrv) [2/3]: adding CA certificate entry

[Freeipa-users] Re: repair ca

2020-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/21/20 11:31 AM, Evg Hertz via FreeIPA-users wrote: getcert list -f /var/lib/ipa/ra-agent.pem | grep expires expires: 2022-06-20 19:31:51 UTC I dont find /var/lib/ipa/ra-agent.pem in output ldapsearch -D "cn=directory manager" -W -b o=ipaca Hi, please type the whole command

[Freeipa-users] Re: bricked beyond belief?

2020-12-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/17/20 12:33 AM, lejeczek via FreeIPA-users wrote: Hi everyone. I'm trying to add fourth replica to existing IPA domain and it does not want to work, but don't mind that for now. Failed replica no. 4 now is not happy to go away, not happy at all. ~]$ ipa-server-install --uninstall

[Freeipa-users] Re: Web UI fails with "Login failed due to an unknown reason."

2020-11-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/12/20 3:13 PM, Thomas Boroske via FreeIPA-users wrote: Hi Flo, I am seeing the same (with SE Linux since we use that too): ll -Z /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

[Freeipa-users] Re: How to get a private key for a service certificate to use with TLS?

2020-11-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/16/20 10:38 AM, Scott Reed via FreeIPA-users wrote: I created some service certificates for some of my machines that are using FreeIPA. I followed the instructions that were in the web interface. Now, we need to establish the keys so that we can use them for TLS communications between

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote: Hi All, My subsystem cert appears to have gone out of date, and I’m unable to get it to update. This has become an issue on my production environment, and my current work around has been to take the system date back by

[Freeipa-users] Re: when will my ca certificate expire?

2020-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 3:56 PM, Harald Dunkel via FreeIPA-users wrote: Hi folks, how can I list the expiration dates of the ca certificate chain, before it is too late? External ca. Regards Harri

[Freeipa-users] Re: Certificate operation cannot be completed: Unable to communicate with CMS (403)

2020-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 6:27 PM, Corey Devenport via FreeIPA-users wrote: Update: In using the command ipa-certupdate all of the IPA Servers have all the certs as MONITORING, including the caSigningCert. However, the authentication problem persists, and I still get the 403 cannot communicate with CMS

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, Thanks for the help. Included is the output of all the commands as you requested. These were all run from a single freeIPA server (red-auth01). kinit admin; ipa server-role-find --role "CA server" Password for

[Freeipa-users] Re: Certificate operation cannot be completed: Unable to communicate with CMS (403)

2020-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/18/20 5:23 PM, Corey Devenport via FreeIPA-users wrote: On 11/17/20 6:27 PM, Corey Devenport via FreeIPA-users wrote: Hi, you need first to identify the right RA cert to use. On all the servers, check the content of /var/lib/ipa/ra-agent.pem, for instance with: # openssl x509 -noout

[Freeipa-users] Re: Web UI fails with "Login failed due to an unknown reason."

2020-11-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/11/20 8:22 AM, Thomas Boroske via FreeIPA-users wrote: Hi Rob, when I run openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt I get output containing the lines: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm:

[Freeipa-users] Re: expired lets encrypt certificates - how to fix/reinstall

2021-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/21 11:31 PM, Sinh Lam via FreeIPA-users wrote: So I have this problem where the certificates have expired. I created a new one, but when trying to apply the new certs using ipa-server-certinstall, http works but when trying to get it to apply to ldap it fails with a "peer's

[Freeipa-users] Re: chronyd support in freeipa server?

2021-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/21 10:31 PM, Kent Brodie via FreeIPA-users wrote: OK, chronyd support is great to know that it's there. How, exactly, do I de-integrate ntpd from my existing freeipa server setup and switch to chronyd?

[Freeipa-users] Re: Expired SSL for https and Ldap

2021-01-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/25/21 11:36 PM, Ahmed ElShafaie via FreeIPA-users wrote: Also when I run ipa-certupdate trying https://identity.ashlex.com/ipa/session/json [try 1]: Forwarding 'schema' to json server 'https://identity.ashlex.com/ipa/session/json' Major (851968): Unspecified GSS failure. Minor code may

[Freeipa-users] Re: problem with AD user login

2021-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/31/20 12:51 AM, Suchismita Panda via FreeIPA-users wrote: Hi, We have a pair of FreeIPA servers (1 master and 1 replica) Freeipa server version 4.6.8 Recently when we are trying to enroll any new freeipa client to the server, the installation goes successful, but AD user login does not 

[Freeipa-users] Re: Access LOG Files / configuration - zip ?

2021-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/28/20 11:03 AM, Karim Bourenane via FreeIPA-users wrote: Hello Team Is it possible to know where the access log files in /var/log/dirsrv/slapd./ are configured? Is it possible to activate gzip compression for these files? Hi, please refer to Directory Server documentation

[Freeipa-users] Re: Insufficient access

2021-01-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/31/20 12:32 PM, Ivan Isakov via FreeIPA-users wrote: Hello, When I try to perform command after command kinit admin: ipa group-remove-member group --users=test I get next: Failed members: member user: test: Insufficient access: Insufficient 'write' privilege to the 'member' attribute

[Freeipa-users] Re: IPA compat mode

2021-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/28/21 10:27 AM, Jacquelin Charbonnel via FreeIPA-users wrote: Hi folks, Overall, what is the goal of the IPA compat mode, and what are the consequences of enabling/disabling it ? And specifically, what's the differences between : # ipa migrate-ds --with-compat ... and #

[Freeipa-users] Re: missed ipa-certupdate after adding certificates root ca and httpd

2021-04-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/22/21 5:02 PM, Embedded Devel via FreeIPA-users wrote: any work around for missing the ipa-certupdate step? we injected the root CA and missed the step, so now we are basically locked out from doing anything ipa, even logging in, with the error ipa: ERROR: cannot connect to

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 11:59 AM, Manuel Gugliucci via FreeIPA-users wrote: Hello, I'm running a freeipa server over a cloudera cluster; on 2020-12-31 all the certs expired and did not renew by themselves. After I set the system date before the expiration date, I tried ipa-cacert-renew but it returns an error

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 2:03 PM, Manuel Gujo via FreeIPA-users wrote: Hi Florence, thanks for the answer it's a single IPA server, VERSION: 4.6.8, API_VERSION: 2.237 Hi, The CA is self-signed and still valid, and you are lucky because this ipa version already provides a new tool called ipa-cert-fix that

[Freeipa-users] Re: How To Renew Expired Certificates & pki-tomcatd not starting

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 4:11 PM, SRM via FreeIPA-users wrote: I see some one else opened another thread with similar issue, but the error messages are different so I'm going ahead & seeking help on a new thread. I've inherited a FreeIPA installation from somebody used among 5 physical servers with one

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 2:56 PM, Manuel Gujo via FreeIPA-users wrote: Hi, I re-synced the date to today and ran ipa-cert-fix but it returns an error [root@ipa1 ~]# ipa-cert-fix WARNING ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of

[Freeipa-users] Re: How To Renew Expired Certificates & pki-tomcatd not starting

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/9/21 10:40 AM, SRM via FreeIPA-users wrote: First of all thank you for taking time & replying. I thought "ipa-cacert-manage renew" is for renewing IPA CA & "ipa-certupdate" is for renewing certificates, so should I use "ipa cert-request" to get renew / new certificates. And pki-tomcatd

[Freeipa-users] Re: UPN group name@domain in id output

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 7:57 PM, Alfred Victor via FreeIPA-users wrote: I should clarify that I have now asked all involved and no one recognizes this change, so is it fair to assume adding a replica has somehow imparted this, or should we dig through logs? Hi, I didn't find any place in the code where

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/24/21 8:20 AM, Miguel Hinojosa via FreeIPA-users wrote: Thank you a lot Florence. It worked perfectly, no issues after downgrade package on both nodes. Glad to know the workaround fixed your issue, and thanks for closing the loop. flo

[Freeipa-users] Re: UPN group name@domain in id output

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/22/21 9:26 PM, Alfred Victor via FreeIPA-users wrote: Hi Rob, This is on a newly re-enrolled client (it runs force-join, previously it joined with different arguments but the machine does not have any data that itself persists between boots). I don't see the issue on a previously

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 11:29 AM, Florence Blanc-Renaud wrote: On 3/23/21 10:38 AM, Miguel Hinojosa via FreeIPA-users wrote: We're facing some intermittent failures in IPA server, where the corresponding IPA groups are not mapped correctly (some or all ipa groups are missing). Short description of the

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 10:38 AM, Miguel Hinojosa via FreeIPA-users wrote: We're facing some intermittent failures in IPA server, where the corresponding IPA groups are not mapped correctly (some or all ipa groups are missing). Short description of the set up: 2 IPA server nodes, both have a trust with AD

[Freeipa-users] Re: UPN group name@domain in id output

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/24/21 5:18 PM, Alfred Victor via FreeIPA-users wrote: Hi FreeIPA, We have found the cause was a GUI change. I have spoken with my colleague, who at first did not recall any change, but after looking and given the log did realize. It seems like this function may be poorly described in

[Freeipa-users] Re: Dogtag certificates somehow got expired

2021-03-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/25/21 2:20 PM, Rogge, Henning via FreeIPA-users wrote: Hi, we are running a FreeIPA server instance (with an externally supplied and still valid CA certificate) in our company network (on Fedora): # rpm -qa *ipa-server freeipa-server-4.8.3-1.fc31.x86_64 Somewhen in the last months

[Freeipa-users] Re: Freeipa Firewall rich rules broken

2021-03-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/28/21 6:01 PM, Günther J. Niederwimmer via FreeIPA-users wrote: Hello, is this a known problem? When I config in the Firewall rich rules with the new "freeipa-4" this is not working, I mean firewall-cmd can't read this construct? I have to setup the "old" freeipa-ldaps freeipa-ldap

[Freeipa-users] Re: Server Installation Error - [error] RuntimeError: failed to create DS instance Command '/usr/sbin/setup-ds.pl

2021-03-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/31/21 3:35 PM, Scott Reed via FreeIPA-users wrote: I am not new to installing FreeIPA. This one has been a struggle. I came in to help some people on their server installation. Long story short. I found the ipa-dnskeysyncd.service constantly restarting. I went and uninstalled the

[Freeipa-users] Re: FreeIPA configuration via Ansible Tower / AWX

2021-04-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/2/21 3:38 PM, Russ Long via FreeIPA-users wrote: I have an ansible role built out using the Ansible-provided FreeIPA commands, however for more flexibility I want to switch over to the ones available from the FreeIPA project directly. I run the playbook that calls this role from

[Freeipa-users] Re: Crash in ipadb_get_principal

2021-04-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/5/21 8:21 AM, Sushmita Bhattacharya via FreeIPA-users wrote: Hi, I am facing an issue with a ipa-kdb crash in ipadb_get_principal function, in ipa version 4.6.8. Backtrace below:- Hi, it looks similar to issue #8681 krb5kdc dumped core [1] The issue got fixed in ipa-4-6, ipa-4-8,

[Freeipa-users] Re: Multi-Master addition to existing cluster

2021-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/16/21 2:49 PM, Mark Potter via FreeIPA-users wrote: I have a working FreeIPA cluster and need to start deploying for other geolocations. I deployed with freeipa-ansible. While I can find docs on multi-master setups I am struggling to find the initial setup bits. Would it be best to

[Freeipa-users] Re: Deprecate/sync howto/troubleshooting DNS pages re: ds-seen requirement?

2021-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/18/21 5:20 PM, Harry G. Coin via FreeIPA-users wrote: Notice the two pages regarding DNSSEC (the 'howto' and the 'troubleshooting') discuss a requirement to give a command ( ... ds-seen ... ), requiring many arguments.  The docs call for this command to occur for each domain after the DS

[Freeipa-users] Re: Replication broken

2021-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/9/21 10:59 AM, Antoine Gatineau via FreeIPA-users wrote: I could rebuild my cluster from backup before the upgrade to CentOS Stream. So I'll be able to work from there. On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote: Hello, I'm on freeipa 4.9.0 on CentOS

[Freeipa-users] Re: FreeIPA Multi-master dse.ldif updates

2021-03-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/1/21 9:47 PM, Yuri Krysko via FreeIPA-users wrote: Hello, We run two IPA servers in a multi-master replication topology. Could anyone please advise if it is normal to have dse.ldif files on both IPA servers be updated every minute roughly with nsState attribute being modified by

[Freeipa-users] Re: Problems after upgrade

2021-03-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/3/21 10:24 AM, Ronald Wimmer via FreeIPA-users wrote: On 03.03.21 10:13, Alexander Bokovoy wrote: On ke, 03 maalis 2021, Ronald Wimmer via FreeIPA-users wrote: Some time ago we upgraded our IPA servers from CentOS 7.x to Oracle Linux 8.3. We did it exactly as recommended in the respective

[Freeipa-users] Re: blank page for migration URL: File does not exist: /usr/share/ipa/ui/js/freeipa/menu.js

2021-02-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/19/21 10:39 PM, Robert Kudyba via FreeIPA-users wrote: Running freeipa-server-4.9.1-1.fc33.x86_64 with httpd-2.4.46-9.fc33.x86_64 and the domain/ipa/migration page is blank. The only thing in the page source is: var dojoConfig = {

[Freeipa-users] Re: Updating Letsencrypt certificate fails

2021-04-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/19/21 10:14 AM, Reino Wallin via FreeIPA-users wrote: When the letsencrypt certificate was renewed a couple of months ago, a problem occurred. I found this guide and tried to follow it: https://yyhh.org/blog/2021/01/fix-freeipa-httpd-lets-encrypt-certificate-update/ But it seems I have

[Freeipa-users] Re: Updating Letsencrypt certificate fails

2021-04-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/19/21 2:30 PM, Reino Wallin via FreeIPA-users wrote: I successfully added ISRG Root X1 using ipa-cacert-manage install to my main ipa server. I then tried ipa-certupdate which failed on both the main ipa server and my replica. trying https://ipa.example.net/ipa/json Connection to

[Freeipa-users] Re: Error on ipa-replica-install (replication agreement already exists)

2021-04-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/13/21 2:44 PM, Ronald Wimmer via FreeIPA-users wrote: On 13.04.21 12:57, François Cami wrote: On Tue, Apr 13, 2021 at 12:52 PM Ronald Wimmer via FreeIPA-users wrote: I tried to promote an ipa-client to an ipa-replica. That particular host has previously been a replica but has been

[Freeipa-users] Re: Something changed regarding enrollment permissions?

2021-02-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/17/21 12:56 PM, Ronald Wimmer via FreeIPA-users wrote: On 19.10.20 11:38, Ronald Wimmer via FreeIPA-users wrote: Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment"
