[Freeipa-users] Re: Problems after replacing SSL certificates

2021-10-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I think you're hitting this issue: https://pagure.io/freeipa/issue/7759 What is the full certificate chain of your new server cert? If the chain contains a root CA and one or multiple subCAs, each subCA also needs to be added using ipa-cacert-manage install. HTH, flo On Wed, Oct 20, 2021 at

[Freeipa-users] Re: Problems after replacing SSL certificates

2021-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can manually add the new CA to the NSS databases:
- /etc/dirsrv/slapd-xxx
- /etc/ipa/nssdb
- /etc/pki/pki-tomcat/alias (if you have configured an embedded CA)
- /etc/httpd/alias (if IPA version < 4.7)
and to the PEM files /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt. ipa-certupdate

[Freeipa-users] Re: nsswitch sudoers sssd vs files priority

2021-10-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, forwarding the e-mail to Pavel who is authselect maintainer. On Thu, Oct 14, 2021 at 12:04 AM Nathanaël Blanchet via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > I noticed that "sudoers files" was default prior over "sudoers sssd" > into

[Freeipa-users] Re: firewall rules for AD trust

2021-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during#trust-req-ports HTH, flo On Fri, Oct 15, 2021 at 2:14 PM iulian roman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everybody, > >

[Freeipa-users] Re: FreeIPA missing replication segments but still replicating

2022-01-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, do you have a kerberos ticket for the "admin" user when the "ipa topologysuffix-show" command (or any other ipa command) is called? Some commands require admin privileges to access the data, and will not display anything if they are executed without an admin ticket. Please try with "kinit

[Freeipa-users] Re: FreeIPA and Certbot ?

2022-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more details about what is failing exactly? Is it ipa-client-install, ipa-replica-install, which options are provided, what is the exact output? Let's Encrypt's chain of trust changed last October ( https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/), and

[Freeipa-users] Re: Question about "Character Classes"

2021-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can find more information in the Guide Configuring and managing Identity Management, in the chapter Defining IdM password policies

[Freeipa-users] Re: ipa-ca-install rejects confirmed correct DM password

2022-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the directory manager password provided to ipa-ca-install is validated by doing a simple bind to the LDAP URI defined in /etc/ipa/default.conf. It should contain something similar to ldap_uri = ldapi://%2Frun%2Fslapd-DOMAIN-COM.socket and you can try manually with (replace DOMAIN-COM with

[Freeipa-users] Re: DNS and FreeIPA

2021-12-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the various settings are explained in DNS forward policies in IdM

[Freeipa-users] Re: ipa-healthcheck mentions/complains about a non-existent master - ?

2021-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you are probably hitting issue https://github.com/dogtagpki/pki/issues/3608 / https://pagure.io/freeipa/issue/8582 The healthcheck tool is using the 'subsystemCert cert-pki-ca' cert from /var/lib/pki/pki-tomcat/alias/ to authenticate to pki and find the kra key, but it seems that this is not

[Freeipa-users] Re: Unable to find certificates

2021-11-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you seem to be hitting this BZ: 1959057 An error has ocorred (IPA Error 4301:CertificateOperationError) It is related to PKI making LDAP searches that hit the maximum size limit set in 389-ds. On Wed, Nov 17, 2021 at 4:53 PM Tania Hagan

[Freeipa-users] Re: Another pki-tomcatd failing to start due to expired certs

2021-11-29 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, The error "Peer's certificate issuer has been marked as not trusted by the user." points to PKI not trusting the LDAP certificate. 1. When moving the date back, you need to carefully pick the date. As the HTTP and LDAP certs have already been renewed, their "valid from" date is probably

[Freeipa-users] Re: sudorules attribute "entryuuid" not allowed

2021-11-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the error looks similar to https://github.com/389ds/389-ds-base/issues/4872. The CentOS 8 Streams master probably has a version of 389ds that doesn't contain the fix, and has entryuuid plugin enabled (that generates an entryuuid attribute). The schema failed to be replicated to the CentOS 7

[Freeipa-users] Re: Change default email format

2021-12-08 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, there were a few code changes between 2015 and today :) You need to put the new py file in /usr/lib/python3.9/site-packages/ipaserver/plugins/ instead, and the import should read: from ipaserver.plugins.user import user_add HTH, flo On Wed, Dec 8, 2021 at 9:20 AM Vassiliy Kechin via

[Freeipa-users] Re: How to fix missing CA

2021-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, Fraser wrote a blog post for this exact situation: https://frasertweedale.github.io/blog-redhat/posts/2018-05-31-replacing-lost-ca.html Note, your mileage may vary; it was written for Fedora 28. flo On Tue, Dec 7, 2021 at 12:30 PM Stephen Berg, Code 7309 via FreeIPA-users <

[Freeipa-users] Re: Order of sudo rule precedence when all rules have undefined order values?

2021-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, maybe the man page sudoers.ldap(5) will help clarify: sudoOrder The sudoRole entries retrieved from the LDAP directory have no inherent order. The sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to
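
Added example for the sudoers.ldap(5) excerpt above (my own code, not sudo's or FreeIPA's): it applies the man page's rule to a set of sudoRole entries. Matching roles are sorted by sudoOrder and the highest value wins ("last match", like the last matching line of a sudoers file); an entry without sudoOrder counts as 0. When several matching roles share the highest value, all of them at 0 included, sudo still picks one, but which one depends on the order the directory returned them, and that is the ambiguity the question is about; the code reports it as such. The entries are constructed samples shaped like the sudoRole objects IPA exposes under cn=sudo (attribute values as lists, the way python-ldap returns them); only literal user/host names, ALL and '!' negations are understood, not groups, netgroups or globs.

```python
"""Resolve which sudoRole wins when several match, per sudoers.ldap(5).
Added example, not sudo or FreeIPA code; SAMPLE_ROLES is constructed."""


def sudo_order(entry):
    """sudoOrder as a number; a missing attribute is 0 per sudoers.ldap(5)."""
    values = entry.get("sudoOrder")
    return float(values[0]) if values else 0.0


def match(entry, user, host, command):
    """None when the role does not apply to (user, host, command); True when it
    allows the command; False when a '!'-prefixed sudoCommand forbids it.
    Only literal names and ALL are understood (no groups, netgroups or globs)."""
    users, hosts = entry.get("sudoUser", []), entry.get("sudoHost", [])
    if user not in users and "ALL" not in users:
        return None
    if host not in hosts and "ALL" not in hosts:
        return None
    verdict = None
    for cmd in entry.get("sudoCommand", []):
        if cmd.startswith("!") and cmd[1:] in (command, "ALL"):
            verdict = False                 # a negation beats an allow in the same role
        elif cmd in (command, "ALL") and verdict is None:
            verdict = True
    return verdict


def decide(entries, user, host, command):
    """(winning_entry, allowed, ambiguous).

    Matching roles are sorted by sudoOrder (stable sort, so ties keep the
    directory's return order) and the last one decides.  ambiguous is True when
    more than one matching role shares the highest sudoOrder: sudo will pick
    one, but nothing in the rules you wrote says which."""
    hits = []
    for entry in entries:
        verdict = match(entry, user, host, command)
        if verdict is not None:
            hits.append((sudo_order(entry), entry, verdict))
    if not hits:
        return None, False, False
    hits.sort(key=lambda h: h[0])
    top_order, winner, allowed = hits[-1]
    ambiguous = sum(1 for h in hits if h[0] == top_order) > 1
    return winner, allowed, ambiguous


SAMPLE_ROLES = [                            # constructed sample entries
    {"cn": ["ops_all"], "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},                                   # no sudoOrder -> 0
    {"cn": ["ops_no_shutdown"], "sudoUser": ["alice"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/sbin/shutdown"], "sudoOrder": ["10"]},  # explicitly last
    {"cn": ["web_restart"], "sudoUser": ["bob"], "sudoHost": ["web1.ipa.test"],
     "sudoCommand": ["/bin/systemctl restart httpd"]},          # no sudoOrder -> 0
    {"cn": ["web_any"], "sudoUser": ["bob"], "sudoHost": ["web1.ipa.test"],
     "sudoCommand": ["ALL"]},                                   # no sudoOrder -> 0
]

if __name__ == "__main__":
    for who, cmd in [("alice", "/sbin/shutdown"), ("alice", "/usr/bin/id"),
                     ("bob", "/bin/systemctl restart httpd")]:
        winner, allowed, ambiguous = decide(SAMPLE_ROLES, who, "web1.ipa.test", cmd)
        print(who, cmd, "->", winner["cn"][0], "allowed" if allowed else "denied",
              "(ambiguous: same sudoOrder)" if ambiguous else "")
```

The practical takeaway: whenever two IPA sudo rules can match the same user, host and command and you care which one wins, give them distinct `sudoOrder` values (`ipa sudorule-mod RULE --order=N`); leaving both unset makes the outcome depend on the directory's return order.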

[Freeipa-users] Re: FreeIPA logs retention Period

2021-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I guess it depends which log you're considering. Some services drop a configuration snippet in /etc/logrotate.d (for instance httpd, named, and others), and this snippet defines a log rotation policy. For more details refer to man logrotate(8) and man logrotate.conf(5). The LDAP server has

[Freeipa-users] Re: Clear sssd cache

2021-12-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, You can have a look at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_authentication_and_authorization_in_rhel/index#con_data-flow-when-retrieving-idm-user-information-with-sssd_assembly_troubleshooting-authentication-with-sssd-in-idm. The

[Freeipa-users] Re: Setting up authentication for a webserver, part 3: Require ldap-group.

2022-01-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, according to apache documentation in https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup, the full group DN must be specified: - 8< - Require ldap-group This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the

[Freeipa-users] Re: DoD Common Access Card for authentication

2022-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the official documentation for Smart Card + IdM is available at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/index It also contains a troubleshooting section at the end that may help you narrow down the issue. HTH, flo On

[Freeipa-users] Re: IPA broken after dnf update on CentOS 8

2022-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, What versions are you using?
# cat /etc/redhat-release
# rpm -qa ipa-server pki-server java-1.8.0-openjdk 389-ds-base
There were known issues with some jdk versions, as well as incompatibilities between versions of 389-ds-base and pki-server. The following troubleshooting page

[Freeipa-users] Re: Expired (web/dirsv) 3rd party cert - pki-tomcatd unable to start - cannot update cert - IPA Error 4301: CertificateOperationError - help!

2022-03-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, it looks like some of the certificates used by PKI are also expired (they are stored in /etc/pki/pki-tomcat/alias). Since you're running IPA 4.9, you can use the command ipa-cert-fix. Please read the man page with extra care; it recommends backing up certificates and keys before you proceed.

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, let's get an accurate status first:
- how many IPA servers do you have with a CA role? ipa server-role-find --role "CA server"
- among those, which one is the renewal master? ipa config-show | grep renewal
- can you provide the full output of "getcert list" executed on the IPA renewal master
-

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Mar 16, 2022 at 3:14 PM Eric Boisvert via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Sorry for the third reply in a row, > > A coworker was able to fix the > > GSSError: Major (851968): Unspecified GSS failure. Minor code may provide > more information, Minor

[Freeipa-users] Re: IPA AD Authentication not successful if using alternative logon domain

2022-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I'm not sure I completely understood your question, but maybe the following doc will help you: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-managing#UPN-in-a-trust If the AD forest root is configured with additional UPN

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Mar 15, 2022 at 2:19 PM Eric Boisvert via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Good morning, > > I don't know what happened, but this morning the ipa cert-show 1 command > is working and it's showing an old certificate. > > That's normal as the cert with

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your previous email, the output of certutil shows that the new root CA isn't trusted in some databases (flag is ,, instead of CT,C,C). You can change the trust flags with certutil -M -t CT,C,C -d -n . The 2nd thing to take into account: if you change the date in the past in order to
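
Added example covering this reply and the earlier "Another pki-tomcatd failing to start due to expired certs" one (my own code, not FreeIPA's): two pre-flight checks before anybody moves the clock back. The first parses `certutil -L -d <dbdir>` output, finds the chain entries whose SSL trust slot has no C (the ",," case above) and prints the `certutil -M` command that fixes each, to be run against every NSS database holding that nickname. The second takes the validity dates of the already-renewed certificates (recent notBefore) and of the still-expired ones (old notAfter) and computes the window in which all of them are valid at once; when that window is empty there is no date you can set that makes every service happy, which is the failure mode the warning about picking the date carefully is about. All sample data is constructed; on a real server take the dates from `certutil -L -d <dbdir> -n <nick>` or `openssl x509 -noout -dates`.

```python
"""Trust-flag check on certutil -L output and a common validity window for
picking a date to set the clock back to.  Added example, not FreeIPA code;
CERTUTIL_SAMPLE, OVERLAP and NO_OVERLAP are constructed."""
import re
from datetime import datetime

# "<nickname>   <SSL>,<S/MIME>,<JAR/XPI>"; the nickname may contain spaces
_CERTUTIL_LINE = re.compile(r"^(\S.*?)\s+([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_list(output):
    """{nickname: trust_flags} from `certutil -L` output (header lines skipped)."""
    flags = {}
    for line in output.splitlines():
        m = _CERTUTIL_LINE.match(line.rstrip())
        if m:
            flags[m.group(1)] = m.group(2)
    return flags


def untrusted_cas(output, ca_nicknames):
    """CA nicknames whose SSL slot lacks C (not trusted as a CA) or are absent."""
    flags = parse_certutil_list(output)
    return [nick for nick in ca_nicknames
            if "C" not in flags.get(nick, ",,").split(",")[0]]


def fix_commands(dbdir, nicknames, trust="CT,C,C"):
    """One certutil -M per nickname; run it in every NSS db that holds the cert."""
    return [f"certutil -M -d {dbdir} -n '{nick}' -t {trust}" for nick in nicknames]


def common_validity_window(certs):
    """certs: iterable of (nickname, not_before, not_after).  Return (start, end)
    inside which every certificate is valid, or None when no such date exists."""
    start = max(not_before for _, not_before, _ in certs)
    end = min(not_after for _, _, not_after in certs)
    return (start, end) if start < end else None


def clock_date(certs):
    """Middle of the common window: a safe value for `date -s`, or None."""
    window = common_validity_window(certs)
    if window is None:
        return None
    return window[0] + (window[1] - window[0]) / 2


CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Example Root CA                                              ,,
"""

# renewed HTTP/LDAP cert (recent notBefore) next to an expired PKI cert
OVERLAP = [
    ("Server-Cert",                 datetime(2023, 3, 1), datetime(2025, 3, 1)),
    ("ocspSigningCert cert-pki-ca", datetime(2021, 4, 1), datetime(2023, 4, 1)),
]
# the PKI cert expired before the renewed cert starts: no date satisfies both
NO_OVERLAP = [
    ("Server-Cert",                 datetime(2023, 3, 1), datetime(2025, 3, 1)),
    ("ocspSigningCert cert-pki-ca", datetime(2021, 1, 1), datetime(2023, 1, 1)),
]

if __name__ == "__main__":
    bad = untrusted_cas(CERTUTIL_SAMPLE, ["EXAMPLE.TEST IPA CA", "Example Root CA"])
    print("\n".join(fix_commands("/etc/ipa/nssdb", bad)))
    print("window:", common_validity_window(OVERLAP), "->", clock_date(OVERLAP))
    print("window:", common_validity_window(NO_OVERLAP))
```

When `common_validity_window` returns None, turning the clock back will only trade one set of untrusted certificates for another; the renewed HTTP/LDAP certificates then have to be dealt with separately (for instance by restoring the previous ones from backup for the duration of the PKI renewal) before a date can be chosen.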

[Freeipa-users] Re: Error "IPA Error 4002: DuplicateEntry"

2022-03-08 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can try to use 65536 for error log level. I suspect that the entry you're trying to add contains an attribute that should be unique across the whole LDAP database but that already exists. Could you share the audit log, maybe something in the entry will stand out? flo On Tue, Mar 8, 2022

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Mar 9, 2022 at 10:12 PM Eric Boisvert via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Good afternoon Rob, > > TL;DR We cant renew FreeIPA certificate because we lost our Root > certificate private key and replacing it doesn't work > > We are currently using: >

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, You need to call ipa-certupdate on all the IPA hosts (servers/clients), in order to import the new root CA to all the NSS databases used by the various IPA services, as well as /etc/ipa/ca.crt and a few other files. flo On Thu, Mar 10, 2022 at 3:49 PM Eric Boisvert via FreeIPA-users <

[Freeipa-users] Re: Error "IPA Error 4002: DuplicateEntry"

2022-03-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, In order to diagnose the DuplicateEntry issue, you can have a look at 389ds log files in /var/log/dirsrv/slapd-. The *access* file contains the access log and you should see an ADD operation with the dn of the user you're trying to create. For instance, when I create a new user with *ipa
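
Added example for the reply above (my own code, not FreeIPA's or 389-ds's): it reads 389-ds access log lines, joins each ADD with its RESULT on the shared conn= and op= numbers, and reports the LDAP error code and the text the server appended. As far as I know IPA surfaces both an LDAP "entry already exists" (err=68) and a constraint violation raised by the attribute-uniqueness plugin (err=19, message beginning "Another entry with the same attribute value already exists") as "IPA Error 4002: DuplicateEntry", and only the log tells the two apart and names the clashing attribute. The log lines are constructed, and the wording of the plugin message is from memory, so check it against your own access log.

```python
"""Join ADD and RESULT lines of a 389-ds access log by (conn, op) to find why an
add failed.  Added example, not FreeIPA or 389-ds code; SAMPLE_ACCESS_LOG is
constructed and the uniqueness-plugin message wording is from memory."""
import re

_OP_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
_ATTR = re.compile(r'attribute: "([^"]+)"')

ERR_NAMES = {0: "success", 19: "constraintViolation", 50: "insufficientAccessRights",
             65: "objectClassViolation", 68: "entryAlreadyExists"}


def add_results(lines, dn_substring=None):
    """One dict per ADD whose RESULT was seen: ts, conn, op, dn, err, err_name,
    detail (text after the RESULT counters) and, for a uniqueness failure, the
    attribute that clashed.  dn_substring narrows the ADDs to the entry you
    were creating (case-insensitive match on the DN)."""
    pending, results = {}, []
    for line in lines:
        m = _OP_LINE.match(line)
        if not m:
            continue                                    # connection open/close, etc.
        key, rest = (m["conn"], m["op"]), m["rest"]
        if rest.startswith('ADD dn="'):
            dn = rest[len('ADD dn="'):].rstrip('"')
            if dn_substring is None or dn_substring.lower() in dn.lower():
                pending[key] = {"ts": m["ts"], "conn": key[0], "op": key[1], "dn": dn}
        elif rest.startswith("RESULT ") and key in pending:
            rec = pending.pop(key)
            rec["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            rec["err_name"] = ERR_NAMES.get(rec["err"], "other LDAP error")
            _, sep, detail = rest.partition(" - ")
            rec["detail"] = detail if sep else ""
            attr = _ATTR.search(detail)
            rec["unique_attr"] = attr.group(1) if attr else None
            results.append(rec)
    return results


def duplicate_adds(lines, dn_substring=None):
    """Only the failed ADDs that IPA would surface as DuplicateEntry."""
    return [r for r in add_results(lines, dn_substring) if r["err"] in (19, 68)]


SAMPLE_ACCESS_LOG = """\
[07/Mar/2022:10:15:01.000000000 +0100] conn=12 op=2 SRCH base="cn=accounts,dc=ipa,dc=test" scope=2 filter="(uid=jdoe)" attrs="uid"
[07/Mar/2022:10:15:01.000500000 +0100] conn=12 op=2 RESULT err=0 tag=101 nentries=0 wtime=0.000100 optime=0.000400 etime=0.000500
[07/Mar/2022:10:15:02.000000000 +0100] conn=12 op=3 ADD dn="uid=jdoe,cn=users,cn=accounts,dc=ipa,dc=test"
[07/Mar/2022:10:15:02.004000000 +0100] conn=12 op=3 RESULT err=19 tag=105 nentries=0 wtime=0.000100 optime=0.003900 etime=0.004000 - Another entry with the same attribute value already exists (attribute: "uidNumber")
[07/Mar/2022:10:15:05.000000000 +0100] conn=13 op=1 ADD dn="uid=asmith,cn=users,cn=accounts,dc=ipa,dc=test"
[07/Mar/2022:10:15:05.002000000 +0100] conn=13 op=1 RESULT err=68 tag=105 nentries=0 wtime=0.000100 optime=0.001900 etime=0.002000
[07/Mar/2022:10:15:09.000000000 +0100] conn=14 op=1 ADD dn="uid=newuser,cn=users,cn=accounts,dc=ipa,dc=test"
[07/Mar/2022:10:15:09.010000000 +0100] conn=14 op=1 RESULT err=0 tag=105 nentries=0 wtime=0.000100 optime=0.009900 etime=0.010000
"""

if __name__ == "__main__":
    for rec in duplicate_adds(SAMPLE_ACCESS_LOG.splitlines()):
        print(rec["dn"], rec["err"], rec["err_name"], rec["unique_attr"] or "", rec["detail"])
```

Run it as `add_results(open("/var/log/dirsrv/slapd-DOMAIN/access"), "uid=jdoe")`; the ADD comes from the IPA framework's connection (httpd), not from your own client, so searching by the DN rather than by bind identity is what finds it.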

[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-03-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you start the services with ipactl --ignore-service-failures start then it will ignore the failure that happens when starting PKI but it won't solve the initial issue (CertificateOperationError) because the framework still won't be able to communicate with PKI. I would focus first on

[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, so there are at least 2 issues to fix:
- kinit admin fails
- pki-tomcatd service and ipa-otpd service are stopped.
For the first issue, can you run:
# KRB5_TRACE=/dev/stderr kinit admin
This will print more details (if DNS resolution is used etc...) For the 2nd issue, you need to have a

[Freeipa-users] Re: Strange CA error during FreeIPA connection

2022-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, are all the IPA services up and running on the replica (the kinit error suggests that either krb5.conf is badly configured or the kerberos server isn't running on the replica)? Please report the output of "ipactl status". flo On Wed, Feb 23, 2022 at 9:05 AM Alessandro Minonzio via

[Freeipa-users] Re: How to disable password change on FreeIPA client for a user who logs in for the first time.

2022-03-03 Thread Florence Blanc-Renaud via FreeIPA-users
It seems that when one reads the emails at https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/T6TNSS55D3SESLC3NUXUXP474Y4DVOA7/ the links are not properly handled, sorry about that... Here are the proper ones: http://www.freeipa.org/page/New_Passwords_Expired

[Freeipa-users] Re: Ports Connectivity required between FreeIPA client and FreeIPA Server for Adding FreeIPA client host to FreeIPA server GUI.

2022-03-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can find the port requirements here:

[Freeipa-users] Re: How to disable password change on FreeIPA client for a user who logs in for the first time.

2022-03-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi this is the expected behavior, and the rationale is explained here. There is already an upstream ticket asking to allow the creation of users without the need to reset their password on first login: #5763

[Freeipa-users] Re: httpd service failed when Configuring Let's Encrypt Certificate

2022-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, it looks like your machine has configured both nss.conf and ssl.conf and they are conflicting. IPA started using mod_ssl instead of mod_nss in IPA 4.7.0+ (see the Release notes: https://www.freeipa.org/page/Releases/4.7.0#mod_ssl). Which version of IPA are you using? Depending on it you will

[Freeipa-users] Re: Could find /var/lib/ipa/certs & /var/lib/ipa/private directories on FreeIPA Server.

2022-03-25 Thread Florence Blanc-Renaud via FreeIPA-users
On Fri, Mar 25, 2022 at 5:31 PM GAURAV Pande via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Florence , > > Thanks again for detailed info , where can we see /var/lib/ipa/private > content (i suppose it has private key) for FreeIPA 4.6.8 Version? > As I wrote, when mod_nss

[Freeipa-users] Re: httpd service failed when Configuring Let's Encrypt Certificate

2022-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On Thu, Mar 24, 2022 at 4:43 PM GAURAV Pande via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Okay Rob so i guess Centos 8 base should also work then , just checking ? > Yes, CentOS 8 should work. flo > ___ > FreeIPA-users mailing

[Freeipa-users] Re: Could find /var/lib/ipa/certs & /var/lib/ipa/private directories on FreeIPA Server.

2022-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, it depends which cert you're referring to:
- the server certificate used by the httpd server is located in /var/lib/ipa/certs/httpd.crt (when mod_ssl is used, otherwise it's /etc/httpd/alias)
- the server certificate used by the LDAP server is in /etc/dirsrv/slapd-YOURDOMAINNAME
- the KDC

[Freeipa-users] Re: upgrade to FreeIPA 4.7+ from 4.6

2022-03-30 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the official Red Hat Enterprise Linux documentation recommends to install a RHEL8 replica (in-place upgrade is not supported), ensure everything works properly and then decommission the RHEL7 server:

[Freeipa-users] Re: Unable to create AD trust

2022-03-30 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can follow the debugging guidelines from https://www.freeipa.org/page/Active_Directory_trust_setup#Debugging_trust. The *ipa trust-add* logs will be visible in /var/log/httpd/error_log and in the /var/log/samba directory. flo On Wed, Mar 30, 2022 at 7:17 PM Jeremy Tourville via

[Freeipa-users] Re: geo replication - ? - concept of

2022-03-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, IPA doesn't support read-only replica (see ticket https://pagure.io/freeipa/issue/5569), but has a notion of hidden replica (

[Freeipa-users] Re: ipa-ca DNS record - ?

2022-03-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, The command *ipa dns-update-system-records* can be used to add the missing records. If you'd rather add them manually, the command can be run with the *--dry-run* option and will display the expected records but will not perform any update. flo On Thu, Mar 31, 2022 at 2:26 PM Rob Crittenden

[Freeipa-users] Re: ipa-sidgen-task failing, can't make trust to work

2022-04-04 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, Operations error is an error returned by the LDAP server. Can you check the content of /var/log/dirsrv/slapd-/errors? If there is no detailed error message, you can increase the debug level to 65536, re-run the ipa-adtrust-install command, restore the original debug level and check the logs.

[Freeipa-users] Re: IPA to IPA migration - lot more groups - why?

2022-02-02 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Feb 2, 2022 at 7:31 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi guys. > > I migrate: > -> $ ipa migrate-ds --bind-dn="cn=Directory Manager" > --user-container=cn=users,cn=accounts > --group-container=cn=groups,cn=accounts >

[Freeipa-users] Re: IPA WebUI login fails

2022-02-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, did you define an idoverride-user for your AD user as described in Authenticating to the IdM Web UI as an AD User? flo On

[Freeipa-users] Re: 1 server not syncing with the others

2022-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can find troubleshooting tips in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/trouble-gen-replication HTH, flo On Thu, Jan 27, 2022 at 6:54 PM Russell Jones via FreeIPA-users <

[Freeipa-users] Re: missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"

2022-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can do (on another server)
$ ipa server-del --force server.example.com
This should clean up all references to server.example.com
(on server.example.com)
$ ipa-client-install --uninstall -U
$ kdestroy -A
$ ipa-client-install ...
$ kinit admin
$ ipa-replica-install ...
HTH, flo On Fri,

[Freeipa-users] Re: Need help with confusing query results

2022-01-26 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the issue with "dsconf plugin entryuuid fixup" is a known issue, see *Bug 2036672* - Based on 1944494 (RFC 4530 entryUUID attribute) - plugin entryuuid failing HTH, flo On Thu, Jan 27, 2022 at 5:53 AM Edward Valley via FreeIPA-users <

[Freeipa-users] Re: 'transportCert cert-pki-kra' mix up

2022-02-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, Certmonger can provide information related to the certificates it's tracking (stored in a file or in an NSS database). In your case, the certificate nickname is "transportCert cert-pki-kra", and to know where it's stored you can run the following command: # getcert list -n 'transportCert

[Freeipa-users] Re: missing attribute "krbPrincipalName" required by object class "ipaKrbPrincipal"

2022-01-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi this error is also a known issue, #8865 [Tracker] ipa-replica-install fails on 2nd run (f35+) / #3544 ipa-replica-install fails to reinstall a replica (rawhide) It's been fixed with pki updates

[Freeipa-users] Re: Replica KRA install - Certificate at same location is already used

2022-01-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if the KRA installation fails, the only way to recover is to uninstall IPA on the node with ipa-server-install --uninstall and start over with ipa-replica-install, supposing there is another master to replicate from. Make sure that the node to uninstall is not a single point of failure for

[Freeipa-users] Re: healthcheck - Invalid PKI instance: pki-tomcat

2022-01-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you are hitting https://github.com/dogtagpki/pki/issues/3544 The issue was solved in dogtag-pki-server-11.1.0-0.1.alpha2.fc36.noarch and dogtag-pki-server-11.0.2-1.fc35.noarch. If you upgrade dogtag-pki-server, you should be able to re-install the replica with the CA role. HTH, flo On Tue,

[Freeipa-users] Re: parse the audit logs

2022-01-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Kathy, which log file are you referring to? 389-ds audit log in /var/log/dirsrv/slapd-xxx/audit? flo On Thu, Jan 20, 2022 at 6:43 PM Kathy Zhu via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello list, > > I had FreeIPA audit log on. I feed audit logs to Graylog. Since

[Freeipa-users] Re: After OS/IPA updates Employee attributes in web app are blank

2022-01-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Scott, we had a similar issue one year ago. When IPA was deployed in CA-less mode, only parts of the "user" web page were properly filled: *#8203* User page on WebUI only has half the information in CA-less install *Bug 1835853*

[Freeipa-users] Re: Need help with confusing query results

2022-01-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I'm not able to reproduce the issue on fedora 35: # ldapsearch -LLL -H ldap://`hostname`:389 -x -D cn=directory\ manager -w Secret123 -b cn=users,cn=accounts,dc=ipa,dc=test -s sub "(&(objectClass=inetOrgPerson)(uid=testuser1))" uid entryUUID dn:

[Freeipa-users] Re: parse the audit logs

2022-01-26 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, You should try with 389-us...@lists.fedoraproject.org, other users may have found a solution to your problem. flo On Fri, Jan 21, 2022 at 6:45 PM Kathy Zhu wrote: > Yes, correct, Florence. > > BTW, Florence, I'd

[Freeipa-users] Re: server sshfp update - ?

2022-04-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you already have ssh public keys in /etc/ssh/ssh_host_*.pub, you can do # ipa host-mod --updatedns --sshpubkey "*ssh-rsa B3NzaC...*" client.ipa.test (where the bold text is the content of your .pub file). Then in order to check what was done: # ipa dnsrecord-show ipa.test client
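
Added example for the reply above (my own code, not FreeIPA's): it computes the SSHFP records that should exist for a host key read from a `/etc/ssh/ssh_host_*.pub` line, so the output of `ipa dnsrecord-show` can be checked against the key actually on the host. SSHFP RDATA (RFC 4255 and RFC 6594) is "<algorithm> <fptype> <hex digest>", where the digest covers the raw key blob (the base64 part of the .pub line, decoded); algorithm 1 is RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fptype 1 is SHA-1 and 2 is SHA-256. As far as I know IPA publishes both fingerprint types for each key, the same two lines `ssh-keygen -r <host>` prints. The sample key is a constructed Ed25519 blob (32 bytes 0x00..0x1f) with the real wire layout, not a real host key.

```python
"""Expected SSHFP records for an ssh_host_*.pub line, to compare with what IPA
published.  Added example, not FreeIPA code; SAMPLE_PUB_LINE is constructed."""
import base64
import hashlib
import struct

SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}


def _ssh_string(buf, pos=0):
    """Read one RFC 4251 'string' (uint32 length + bytes) at pos."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def sshfp_fingerprint(blob, fptype):
    """Hex digest of the key blob: fptype 1 -> SHA-1, 2 -> SHA-256."""
    digest = {1: hashlib.sha1, 2: hashlib.sha256}[fptype]
    return digest(blob).hexdigest()


def sshfp_records(pubkey_line):
    """Both SSHFP RDATA strings for one '<type> <base64> [comment]' line.
    Raises ValueError if the type inside the blob does not match the prefix
    (a sign the .pub file was edited by hand)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, _ = _ssh_string(blob)
    if wire_type.decode() != key_type:
        raise ValueError(f"blob says {wire_type.decode()!r}, line says {key_type!r}")
    alg = SSHFP_ALGORITHM[key_type]
    return [f"{alg} {fptype} {sshfp_fingerprint(blob, fptype)}" for fptype in (1, 2)]


def missing_records(expected, published):
    """Expected RDATA not present in the zone (compared case-insensitively:
    ssh-keygen prints the hex in upper case, IPA may print it in lower case)."""
    have = {p.lower() for p in published}
    return [e for e in expected if e.lower() not in have]


def _ssh_string_enc(data):
    """Encode one RFC 4251 'string'; only used to build the sample key."""
    return struct.pack(">I", len(data)) + data


# constructed sample key with the wire layout of a real ssh-ed25519 blob
_SAMPLE_BLOB = _ssh_string_enc(b"ssh-ed25519") + _ssh_string_enc(bytes(range(32)))
SAMPLE_PUB_LINE = ("ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode()
                   + " root@client.ipa.test")

if __name__ == "__main__":
    expected = sshfp_records(SAMPLE_PUB_LINE)
    print("\n".join(f"client.ipa.test. IN SSHFP {r}" for r in expected))
    # what `ipa dnsrecord-show ipa.test client` returned (constructed: SHA-1 only)
    published = [expected[0].upper()]
    print("missing:", missing_records(expected, published))
```

To use it on a real host, pass each line of `/etc/ssh/ssh_host_*.pub` to `sshfp_records` and the "SSHFP record" values from `ipa dnsrecord-show` to `missing_records`; anything reported missing means `ipa host-mod --updatedns --sshpubkey` did not publish what is on the host, or the host's keys were regenerated since.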

[Freeipa-users] Re: Installing 3rd party PEM format Certificate on FreeIPA Server

2022-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you refer to the man pages you will see the supported formats: # man ipa-cacert-manage ... The supported formats for the certificate files are *DER, PEM and PKCS#7* format. ... # man ipa-server-certinstall ... Replace the current Directory server SSL

[Freeipa-users] Re: server sshfp update - ?

2022-04-13 Thread Florence Blanc-Renaud via FreeIPA-users
On Tue, Apr 12, 2022 at 7:05 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On 12/04/2022 11:21, Florence Blanc-Renaud wrote: > > Hi, > > > > if you already have ssh public keys in > > /etc/ssh/ssh_host_*.pub, you can do > > # ipa host-mod --updatedns

[Freeipa-users] Re: user different shells - ? - with rbac

2022-04-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, If you mean assign a different loginShell to a user, depending on the host they are logging in to, then yes, it is possible. You can find more information in this chapter *Using an ID view to override a user attribute value on an IdM client* [1] from the guide *Configuring and managing Identity

[Freeipa-users] Re: Which Ubuntu OS version have FreeIPA version 4.7.x ?

2022-04-07 Thread Florence Blanc-Renaud via FreeIPA-users
You can have a look at https://packages.ubuntu.com/search?keywords=freeipa HTH, flo On Thu, Apr 7, 2022 at 5:11 PM GAURAV Pande via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Guys , > > Apologies for dumb question if it sounds but could you let me know which > Ubuntu

[Freeipa-users] Re: Login without having to use `@ad_domain` - is it possible?

2022-04-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can have a look at "Configuration options for using short names to resolve and authenticate users and groups" [1] in RHEL 8 guide "Configuring and managing Identity Management". flo [1]

[Freeipa-users] Re: Change admin user name

2022-04-08 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, From the guide *Managing IdM users, groups, hosts, and access control rules*, in the section *The different group types in IdM* [1]: - 8< - Warning Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.

[Freeipa-users] Re: server sshfp update - ?

2022-04-13 Thread Florence Blanc-Renaud via FreeIPA-users
On Wed, Apr 13, 2022 at 11:50 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On 12/04/2022 18:39, Rob Crittenden wrote: > > lejeczek via FreeIPA-users wrote: > >> > >> On 12/04/2022 11:21, Florence Blanc-Renaud wrote: > >>> Hi, > >>> > >>> if you already have

[Freeipa-users] Re: Unable to compile class for JSP during CA installation

2023-09-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you share the logs from /var/log/pki/pki-ca-spawn.$DATE.log and the full ipa-ca-install.log? flo On Mon, Sep 4, 2023 at 5:52 PM Konstantin Sapozhnikov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello! We can't install IPA Replica on Oracle Linux Server 8.8. >

[Freeipa-users] Re: Certs expired, CA Unreachable

2023-09-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, it seems that PKI is not happy with the subject name of the certificates. The failing certs are for KDC, dirsrv and httpd and they all use the same subject name constraint in their profile. 1. Was any certificate profile modified (caIPAserviceCert or KDCs_PKINIT_Certs)? You can use ipa

[Freeipa-users] Re: backup / restore

2023-10-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 6:24 PM Frederic Ayrault wrote: > > On 12/10/2023 at 17:42, Florence Blanc-Renaud wrote: > > Hi, > > The CA installation fails because it finds an existing entry in "cn= LIX.POLYTECHNIQUE.FR IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr".

[Freeipa-users] Re: I need help with Replica installation.

2023-10-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 25, 2023 at 12:31 PM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, I have a free ipa server with dns and ca integrated that is > currently running. Now I want to set up a replica server but I can't figure > out some parts. It gives an error

[Freeipa-users] Re: Another Cert Expiration Problem

2023-09-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Sep 15, 2023 at 7:43 PM Russ Long via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I have a single-server IPA environment in my homelab. I noticed today > that I was unable to delete a host from IPA, and found that pki-tomcatd was > down and unable to start. > > I

[Freeipa-users] Re: Recovering from certificate expiration issues

2023-09-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Sep 21, 2023 at 5:04 PM Cristian Le via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I have tried my luck around with all the helpers: `pki-server cert-fix`, > `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me > for multiple reasons. > -

[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Sep 27, 2023 at 10:26 AM Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote: > >Hi everyone, > > > >I'm currently trying to update Fedora IPA installation on staging from > >RHEL 8 to RHEL

[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Sep 27, 2023 at 2:10 AM Marcelo Carvalho via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi everyone > > I am trying on a development host to Disabling Anonymous Binds. > > I have ran the following command but it hangs and does not return a prompt. > > $ ldapmodify

[Freeipa-users] Re: Recovering from certificate expiration issues

2023-09-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Sep 22, 2023 at 12:36 PM Cristian Le wrote: > Hi Florence, > > Thanks for the feedback, let me clarify the situation on the certificates: > - External CA is still valid and it is a self-signed certificate that we > use for other services. So we can manually sign any service

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > When I run the command, I get this message > > CA is not configured on this system > The ipa-cacert-manage command failed. > > > "replace our external CA to an

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence, > > On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote: > > The error is an LDAP error when adding an entry/attribute for the CA. Can > you check in

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > > So far it doesn't look like there was an IPA embedded CA signed by the > external intermediate

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault wrote: > > On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote: > > Hi, > > > > > > > > If I recap everything so far: > > - there is a single server, ipa3.lix.polytechnique.fr > > It was part of a cluster but it is removed for the tests >

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault wrote: > Just in case here are the logs after going in the authentication menu in > the GUI > ( I get an IPA Error 903: InternalError ) when trying to get certificate > information > > in the server roles, CA server is now configured > >

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault wrote: > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: > > Hi, > > > CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP > and LDAP server certificates, they should not be removed. > When you install

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/preparing_for_disaster_recovery_with_identity_management/index And that one how to recover:

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 5:47 PM Frederic Ayrault wrote: > > On 17/10/2023 at 17:23, Rob Crittenden wrote: > > So if I've followed this thread correctly, what you're doing is: > > - Taking replica ipa3? and forcibly disconnecting it from an existing > > IPA installation > > This is just

[Freeipa-users] Re: Extract user's private key from IdM

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 8:20 PM HUANG, TONY via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > The CSR is generated within the web UI by following this section "Web UI: > Requesting new certificates" ( >

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 10:22 AM Frederic Ayrault wrote: > Hello, > > On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> Hello, >> >> When I run the

[Freeipa-users] Re: backup / restore

2023-10-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault wrote: > > On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote: > > Is this your external CA? I assume that its subject conflicts with the > default subject name that IPA installer would pick. If that's the case, you > can force

[Freeipa-users] Re: When I create a user from the free ipa web interface, nfs autofs does not create my user directory.

2023-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 24, 2023 at 10:53 AM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > When I create a user with free ipa using ipa tools, I can automount my > home directory on my nfs server without any problem. > > However, when I want to create a user from the

[Freeipa-users] Re: Free ipa takes a lot of time to add a user to a group from the web interface.

2023-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 24, 2023 at 11:45 AM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, when I add a user to a group via free ipa, when I add a user to a > group, the user's addition to the group appears to be added in the web > interface. but it does not

[Freeipa-users] Re: Migrating IPA CA to new hosts

2022-04-25 Thread Florence Blanc-Renaud via FreeIPA-users
On Mon, Apr 25, 2022 at 5:01 AM Adam Bishop via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > We're in the process of decommissioning our oldest IPA servers (built in > 2014). We've migrated the roles successfully and are making sure everything > is ready to switch over to the new

[Freeipa-users] Re: pki-tomcatd service doesn't start on multiple servers in the domain

2022-04-08 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I don't know if it's a copy/paste issue but the separator in your ldif file renders badly on my screen. It should be a simple dash ("-") but it looks different. flo On Fri, Apr 8, 2022 at 2:28 AM Yajith Dayarathna via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I hope I got everything right: on client.qc.lrtech.ca you have configured apache, and it should be using a certificate delivered by IPA and monitored by certmonger. Certmonger is monitoring the cert 'Server-Cert' that is stored in the NSS database */etc/httpd/nssdb*. From your description,

[Freeipa-users] Re: expired Server-cert

2022-05-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings, all > > I've been observing multiple issues for some time, unable to enroll new > clients etc. > Finally found out that the possible root cause is the expired

[Freeipa-users] Re: RHEL 8.6 and sub ids

2022-05-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, Is /etc/nsswitch.conf configured to use SSSD as data source for subid? (check if there is a line starting with *subid:* and if it contains sss or files). You may also be hitting the limit defined by the kernel parameter user.max_user_namespaces (visible with *sysctl

[Freeipa-users] Re: hostgroup automember rules

2022-05-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 20, 2022 at 11:48 AM Angus Clarke via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello > > FreeIPA 4.6.8 > > We are very happy with hostgroup automember rules based on servername > attribute however one of our internal customers uses a generic servername >

[Freeipa-users] Re: ca-error: Server at https://xx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate

2022-05-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 31, 2022 at 8:33 AM rui liang via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > ### Request for enhancement > ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired > > > At present, it is an online operation, so I dare not change the > configuration at

[Freeipa-users] Re: ca-error: Server at https://xx.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate h

2022-05-31 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 31, 2022 at 1:20 PM rui liang via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, thank you very much for your reply. My situation is as follows: > > 1. root@fs-hiido-kerberos-server02:/home/liangrui# ipa config-show | grep > CA > ipa: ERROR: cannot connect

[Freeipa-users] Re: Password reuse not permitted on ipa-replica-prepare

2022-06-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Jun 1, 2022 at 2:10 PM Grant Janssen via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I’m on the march to move beyond CentOS 7. My plan was to build more > replicas, then retire the old systems. > I haven’t built a replica since 2019, but the commands I used then

[Freeipa-users] Re: How to Delete IPA CA and sub-CA entries

2022-07-05 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, maybe you can explain first what you're trying to achieve. Do you want to install IPA without a CA? If it's a fresh installation, you can use ipa-server-install and provide the HTTP/LDAP/PKINIT certificates using the options --dirsrv-cert-file / --http-cert-file / --pkinit-cert-file /

[Freeipa-users] Re: SSL Library Error: -12269 The server has rejected your certificate as expired

2022-07-04 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Jul 4, 2022 at 11:52 AM roy liang via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > I deliberately set the server back 2 years, installed Freeipa-Server, > and then > > synchronized the time back. The related service certificate expires. Verify > > this: >
