Hi Petr,
On Wed, 2 Aug 2017 12:48:32 +0200
Petr Vobornik via FreeIPA-users wrote:
>
> Hello,
>
> 20 was a hard-coded paging limit. Since FreeIPA 4.5 (not sure if also
> in 4.4) the paging limit can be configured in Web UI under: "Top-right
> corner
Hi folks,
Problem: I have setup freeipa using a bad external CA.
Long story:
I have setup my freeipa servers using
ipa-server-install -n example.com -r EXAMPLE.COM --no-ntp --external-ca
--subject="O=example AG,C=DE" --setup-dns --forwarder=...
on ipa1.example.com. It created a csr, it was
Hi folks,
I found some very large log files in
/var/log/pki/pki-tomcat/ca
On the major CA host the "debug" file is >1GByte and was never
rotated. It seems that there is a responsible config file /etc/\
pki/pki-tomcat/ca/CS.cfg, setting
debug.append=true
Hi folks,
My freeipa installation (Centos 7.3, freeipa 4.4.0) was signed by
an external root CA. Problem:
Even though I have imported the root CA and clicked on all the trust
checkboxes, chromium complains about the certificate of the web admin
interface running on https://ipa1.example.com/ :
Hi Flo,
On Thu, 10 Aug 2017 17:21:19 +0200
Florence Blanc-Renaud wrote:
> On 08/10/2017 04:47 PM, Harald Dunkel wrote:
> > Hi folks,
> >
> > On Wed, 2 Aug 2017 16:24:00 +0200
> > Florence Blanc-Renaud wrote:
> >
> >> Hi,
> >>
> >> You can follow the steps
Hi Fraser,
On Fri, 11 Aug 2017 18:48:29 +1000
Fraser Tweedale via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On Fri, Aug 11, 2017 at 09:40:56AM +0200, Harald Dunkel via FreeIPA-users
> wrote:
> >
> > https://support.google.com/chrome/a/answer/7391219
On Fri, 7 Jul 2017 08:27:53 +
"wouter.hummelink--- via FreeIPA-users"
wrote:
> No,
>
I would suggest to add it.
> But you can use nscd with [services passwd group netgroup] caches disabled.
>
I saw the documentation about this on RedHat's wiki,
Hi Flo,
On Wed, 2 Aug 2017 16:24:00 +0200
Florence Blanc-Renaud wrote:
> Hi,
>
> You can follow the steps described here:
>
On Thu, 14 Sep 2017 11:09:22 +0200
Ronald Wimmer via FreeIPA-users wrote:
> Does anyone have AIX 7 IPA Clients? Is there also an IPA client
> installer around or do I have to go through this:
>
> https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients
Hi Alex,
On Fri, 10 Nov 2017 16:59:07 +0200
Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
wrote:
> On pe, 10 marras 2017, Harald Dunkel via FreeIPA-users wrote:
> >
> >ipa-getkeytab failed with
> >
> > Failed to parse result:
Hi Flo, Rob,
On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote:
The files should contain multiple certificates (IPA CA and the external CA
certificates). If it is not the case, please check first if there were AVC
issues (if running in SElinux enforcing mode), and feel free
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
My concern is, it looks much more restricted than the old root CA
certificate:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust Attributes
to the new root CA. Would anybody
mind fixing this?
Thanx very much
Harri
On 11/16/17 9:28 AM, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> a few months ago I had replaced the externally signed root
> certificate on my servers (CentOS 7.3) using ipa-cacert-manage.
> Problem:
Hi Charles,
On 11/16/17 7:59 PM, Charles Hedrick via FreeIPA-users wrote:
> I’ve seen the same thing. Or at least I think it seems like it’s related.
>
> We have three servers, all on Centos. The initial one was installed under
> 7.3, using defaults. That caused it to generate a self-signed CA.
Hi folks,
a few months ago I had replaced the externally signed root
certificate on my servers (CentOS 7.3) using ipa-cacert-manage.
Problem:
ipa-client-install on a freshly bootstrapped Debian 7 (Wheezy,
freeipa 3.0.2) fails. Apparently it stumbles over the old root
certificate:
#
Hi Flo and Andrew,
thanx for your replies, but I think you missed the point:
The new (external) root CA certificate and the new ipa
CA certificate are *in* freeipa already, but on the host
I had used for running ipa-cacert-manage to deploy this
new PKI the database in
Hi Flo,
On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote:
Hi Harald,
the external CAs and FreeIPA CA must be stored in the LDAP server
(cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external
CAs to the LDAP server is to run ipa-cacert-manage install.
ACK
You need
Hi Rob,
On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:
Here is what I see on the broken ipa server:
[root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust
On 12/7/17 2:53 PM, Florence Blanc-Renaud wrote:
Hi,
if you run:
ipa-cacert-manage install -t C,,
ipa-certupdate
then the new root certificate will be installed in all the required NSS
databases. Do not forget to run ipa-certupdate on all the FreeIPA machines.
This did not work:
PS: I have derived another CA replica "ipa0" from ipa2.
certutil shows different trustargs again. Shouldn't ipa2
and the new ipa0 have identical trustargs?
[root@ipa0 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname Trust
Hi Rob,
On 12/06/17 17:39, Rob Crittenden via FreeIPA-users wrote:
> Harald Dunkel via FreeIPA-users wrote:
>> See attachment.
>>
>> Please note the "invalid certificate". Do you remember the thread
>> on freeipa-devel about "ipa-client-install (3.0.2
See attachment.
Please note the "invalid certificate". Do you remember the thread
on freeipa-devel about "ipa-client-install (3.0.2 on Wheezy) fails
after root certificate change via ipa-cacert-manage" and the
output of "ipa-certupdate -v" I had posted?
Regards
Harri
Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> I would try to remove the new root CA from LDAP and re-import it using
> ipa-cacert-manage install -t C,,
> This should create the entry with the appropriate attributes.
>
> Flo
Result: The new root CA
Hi folks,
any ideas about how to proceed? Is this bbr? Do I have to reactivate
the old pki to get out of this mess?
Every helpful comment is highly appreciated.
Harri
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To
Hi Flo,
On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
I would try to remove the new root CA from LDAP and re-import it using
Hi folks,
Platform: Centos 7.4, ipa 4.5.0-21
The ipa service cannot be started anymore. Error message:
# systemctl status ipa
* ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset:
disabled)
Active: failed (Result: exit-code)
On Fri, 20 Oct 2017 20:42:25 +0300
Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
wrote:
> On pe, 20 loka 2017, Harald Dunkel via FreeIPA-users wrote:
> >Hi folks,
> >
> >I had to replace the CA chain about 3 months ago, using
>
Hi Rob,
On 6/25/18 4:53 PM, Rob Crittenden via FreeIPA-users wrote:
>
> We'd need to see what certs are being tracked, getcert list.
>
This gets stuck, too:
[root@ipa1 ~]# getcert list
Error org.freedesktop.DBus.Error.TimedOut
I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but
Hi Rob,
On 6/25/18 7:10 PM, Rob Crittenden via FreeIPA-users wrote:
Harald Dunkel via FreeIPA-users wrote:
I found https://bugzilla.redhat.com/show_bug.cgi?id=1519206, but the conclusion
("please reboot") is not helpful. I did.
The dbus developers don't think it should ever be res
Hi folks,
I managed to get rid of the corrupted entry and to create a new
user account. But there are still problems. The upgrade from Centos
7.4 to 7.5 got stuck for 5 to 10 minutes.
:
Installing : libxkbcommon-0.7.1-1.el7.x86_64 297/787
Updating :
Hi Thierry,
On 6/20/18 6:02 PM, thierry bordaz via FreeIPA-users wrote:
> Hi Harald,
>
> I wonder if error on ipa1 can not be part of the problem
>
> [20/Jun/2018:12:16:31.885644563 +0200] - ERR - ldbm_back_modrdn -
> SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set
>
On 6/28/18 2:19 PM, Harald Dunkel via FreeIPA-users wrote:
The dbus problem has been resolved by reinstalling the dbus RPMs.
journalctl still shows a lot of "Connection refused" messages for
dbus, see attachment.
certmonger appears to be running when started on the command
Hi folks,
I had to replace the CA chain about 3 months ago, using
ipa-cacert-manage. Question:
Does this affect freeipa's NIS support? Is there a hidden
certificate somewhere that I missed renewing?
The freeipa servers are running Centos 7.3 and 7.4.
Every helpful comment is highly appreciated
On Fri, 20 Oct 2017 12:30:50 +0200
Rob Crittenden via FreeIPA-users wrote:
>
> the list moved earlier this year to
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
>
Thanx very much for your pointer. Apparently the old
Hi folks,
On 6/28/18 9:08 AM, Harald Dunkel via FreeIPA-users wrote:
On 6/27/18 5:59 PM, Rob Crittenden via FreeIPA-users wrote:
I don't see anything obviously wrong. I'd try launching certmonger from
a shell to see what you get:
# certmonger -d 9
certmonger works fine on the command line
On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote:
That's fine but it doesn't address the original problem: he doesn't want
anything managing the clock on his system at all:
"some ipa servers in my environment are not permitted to change
the clock."
These are LXC containers
Hi folks,
some ipa servers in my environment are not permitted to change
the clock. If I use "systemctl mask ntpd" to avoid the "degraded"
returned by "systemctl status", then ipactl fails without the
ntpd service:
# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Hi folks,
/var/log/messages includes tons of error messages like
Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR -
attrlist_replace - attr_replace (nsslapd-referral,
ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed.
Jan 15 07:34:58 ipa1 ns-slapd:
Hi folks,
something got corrupted in my ldap database (again). After running
% ipa user-mod --rename=bobk bobs
I get
% getent passwd bobs
% getent passwd bobk
%
The UID became unusable. (Highly painful, because this user is cut off
from EMails.) This is what I
PS: Running
ipa-replica-manage force-sync --from ipa0.example.de
to sync a "good" replica to a bad one did not help.
Hi Thierry,
On 6/20/18 3:31 PM, thierry bordaz via FreeIPA-users wrote:
Hi Harald,
anything noticeable in the error logs when the problem occurred ? (DB_DEADLOCK)
I found something in the slapd error log files on the bad replicas
(attached).
Other replicas show tons of lines like
:
On 6/22/18 2:09 PM, Harald Dunkel wrote:
I found something new: "ipa-replica-manage list-ruv" shows an error
# ipa-replica-manage list-ruv
unable to decode: {replica 7} 58809c7c00030007 58809c7c00030007
PS: Never mind, that was an old problem. I just forgot.
Regards
Harri
Hi Thierry,
On 6/21/18 7:19 PM, thierry bordaz via FreeIPA-users wrote:
Hi Harald,
Sorry to be back late.
There is not enough detail to confirm but my feeling is that the MODRDN (write)
failed to update the changelog because of many replication agreements (read)
competing with it. It
PS: The logfile says
2018-08-03T08:25:31Z INFO Checking DNS domain 10.0.10.in-addr.arpa., please
wait ...
2018-08-03T08:26:01Z INFO Reverse zone 10.0.10.in-addr.arpa. for IP address
10.0.10.7 already exists
But I doubt that this is correct. dig returns
[root@idms00 centos]# dig -x 10.0.10.7
Hi folks,
Apparently sssd goes down and up again and again. I found this in
/var/log/daemon.log on our git server:
Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down
Jul 23 18:02:08 git01 sssd[pam]: Shutting down
Jul 23 18:02:08 git01 sssd[nss]: Shutting down
Jul 23 18:02:09 git01
Hi folks,
I am confused: Setting up a new freeipa service (CentOS 7.5) using
ipa-server-install or ipa-dns-install it asks me
Do you want to search for missing reverse zones? [yes]: yes
But then it did not create a reverse zone :-(.
This doesn't look like documented. There is no
Hi folks,
I am confused: Setting up a new freeipa service (CentOS 7.5) using
ipa-server-install or ipa-dns-install it asks me
Do you want to search for missing reverse zones? [yes]: yes
But then it did not create a reverse zone :-( This doesn't look like
Hi folks,
apparently openldap-server is considered as deprecated by RedHat:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality
I wonder what this means for Freeipa? Will all of
Hi Thierry,
On 03/12/18 17:52, thierry bordaz via FreeIPA-users wrote:
Hi Harald,
What version of DS are you running ?
We have a reproducer (not systematic) for versions before
https://bugzilla.redhat.com/show_bug.cgi?id=1516309 but we have not reproduced
it since then, you may need to
PS: I see tons of error messages like
:
Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.819967301 +0100] - ERR -
DSRetroclPlugin - retrocl_postob - Operation failure [68]
Mar 12 22:38:42 ipa1 ns-slapd: [12/Mar/2018:22:38:42.824391203 +0100] - ERR -
DSRetroclPlugin - write_replog_db - An
Hi Ludwig,
On 03/13/18 14:47, Ludwig Krispenz via FreeIPA-users wrote:
On 03/13/2018 09:07 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Ludwig,
On 03/12/18 17:10, Ludwig Krispenz via FreeIPA-users wrote:
Hi,
to get rid of this ruv entry with replicaid 7 you could try to run
Hi Jakub,
On 9/21/18 3:24 PM, Jakub Hrozek via FreeIPA-users wrote:
On Wed, Sep 19, 2018 at 02:04:28PM +0200, Harald Dunkel via FreeIPA-users wrote:
I still have the problem that sometimes some sssd components
disappear somehow, e.g. sssd_pam. The logfile on our mail gateway
said
:
(Tue Sep
Hi folks,
I read somewhere that it is not recommended to run nscd to cache
passwd on ipa clients, but I wonder: What if?
I still have the problem that sometimes some sssd components
disappear somehow, e.g. sssd_pam. The logfile on our mail gateway
said
:
(Tue Sep 18 22:34:28 2018) [sssd[pam]]
Hi Johan,
I am using freeipa 4.4.4-3 and sssd 1.16.3-1 on Stretch. Just the
client part of freeipa, of course. Requires systemd for running
ipa-client-install, but it works fine for me.
My ipa servers are running on CentOS 7.
Regards
Harri
Hi Eric,
On 1/10/19 2:33 PM, Eric Engstrom via FreeIPA-users wrote:
>
>> I am using freeipa 4.4.4-3 and sssd 1.16.3-1 on Stretch. Just the
>> client part of freeipa, of course. Requires systemd for running
>> ipa-client-install, but it works fine for me.
>
> Harald,
>
> Could you be a bit more
Hi folks,
Setup: ipa-server 4.6.4-7 on CentOS 7
Problem:
ipa host-del gives me
[root@ipa1 ~]# ipa host-del ppcl027.example.com
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate
with CMS (404)
Google pointed me to https://access.redhat.com/solutions/3624671,
but
Hi Florence,
On 7/10/19 4:50 PM, Florence Blanc-Renaud wrote:
Hi,
the issue seems rather to be between IPA framework and dogtag. Is the CA
subsystem enabled?
$ pki-server subsystem-show ca
should display "Enabled: True"
Nope:
[root@ipa1 ~]# pki-server subsystem-show ca
Subsystem ID: ca
Hi folks,
I have a new EMail address.
Problem is, there is no option on [Manage subscription] to replace
the EMail address. The old address is not available to send an
unsubscribe to mailman, either. I could subscribe my new address
via mail to mailman, but
Hi Flo,
On 7/11/19 7:58 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 7/11/19 10:19 AM, Harald Dunkel via FreeIPA-users wrote:
The ldapsearch line returns 2 identical certificates on ipa{0,1,2,bak},
but ipa1 has a 3rd certificate.
Please don't tell me that my ldap instances are out
Hi Flo,
On 7/11/19 7:54 PM, Florence Blanc-Renaud wrote:
Hi Harri,
you probably didn't notice this footer in the emails sent to freeipa-users:
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
It may be worth a try...
That would unsubscribe the *valid* IP
On 7/16/19 11:39 AM, François Cami wrote:
Please have a look at the latest logs from pki:
/var/log/pki/pki-tomcat/ca/
The debug log file on ipa2 gives me an authentication failed for
connecting to ldap on ipa2:
[16/Jul/2019:09:52:22][localhost-startStop-1]:
Hi Flo,
On 7/15/19 11:53 AM, Harald Dunkel wrote:
Hi Flo,
On 7/11/19 7:58 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
I hate to bring bad news, but it really looks like replication failed between
your instances. Feel free to start a new thread on the users mailing list if
you need
Hi folks,
On 7/15/19 2:41 PM, Harald Dunkel via FreeIPA-users wrote:
Good news (sort of): ipa does *not* appear to be out of sync. Some
new user accounts added recently can be found in ldap on all ipa
servers. It just failed to distribute the new certificate.
Every suggestion about how
Hi folks,
Maybe I am confused, but apparently I do not have to activate/modify
host-based access control in Freeipa to support Kerberos for NFS. hbac
is not mentioned on
Hi Rob,
On 7/22/19 5:34 PM, Rob Crittenden via FreeIPA-users wrote:
It is expected. dogtag uses cert auth to bind to LDAP. That fails with
the expired certs. This is why the IPA tree is used to distribute the
updated certificates.
rob
Good news:
Apparently the new certificate did make it
PS: Attached is slapd's errors file as well. Please note the
Kerberos errors:
:
[23/Jul/2019:11:42:23.714599643 +0200] - ERR - set_krb5_creds - Could not get
initial credentials for principal [ldap/ipa0.example...@example.de] in keytab
[FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact
Hi Rob,
On 7/17/19 9:27 PM, Rob Crittenden via FreeIPA-users wrote:
The renewal certificates are passed via the main IPA backend. Check to
see if that replication is working.
It is not:
[root@ipa1 ~]# ipa-csreplica-manage list -v ipa0.example.de
Directory Manager password:
ipa1.example.de
PS: Below you can find an excerpt from the slapd errors file on ipa1
(the renewal master).
Regards
Harri
[15/Jul/2019:11:31:53.160959903 +0200] - ERR - slapi_ldap_bind - Error: could
not send startTLS request: error -11 (Connect error)
[15/Jul/2019:11:36:53.653395671 +0200] - ERR -
Hi Timo,
On 7/19/19 8:51 AM, Timo Aaltonen via FreeIPA-users wrote:
Hi,
Sorry, only Debian unstable is somewhat supported right now, though the
freeipa part is still lacking because of ipa-server-upgrade crashes I'm
seeing which is blocking the upload of current version being staged.
I'll
Please ignore, I got confused with another thread.
Harri
On 7/19/19 10:22 AM, Harald Dunkel wrote:
Hi Timo,
On 7/19/19 8:51 AM, Timo Aaltonen via FreeIPA-users wrote:
Hi,
Sorry, only Debian unstable is somewhat supported right now, though the
freeipa part is still lacking because of
Hi Rob,
On 7/18/19 3:06 PM, Rob Crittenden wrote:
Look in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com to see if the
updated certificates are there. If they are then try to manually
resubmit the certmonger tracking for it.
For example, for the subsystem cert you'd do something like:
#
Hi Rob,
On 7/19/19 3:45 PM, Rob Crittenden wrote:
Harald Dunkel via FreeIPA-users wrote:
AFAICS the new certificates are in ldap on the non-renewal masters (e.g.
ipa0). Here is the output of the suggested getcert session on ipa0:
[root@ipa0 ~]# date
Fri Jul 19 11:21:00 CEST 2019
[root@ipa0
Hi Flo,
FYI: ipa2 is essential in our environment, so I reinstalled
the replica (without ca). There are still 2 other hosts
ipa0 and ipabak with the same problem.
On 7/17/19 2:50 PM, Florence Blanc-Renaud wrote:
Hi,
the renewal behaves differently on the renewal master and on other nodes. On
Hi Flo,
On 7/23/19 12:27 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,
The subsystemCert cert-pki-ca is also stored in LDAP, in 2 places:
- in the entry uid=pkidbuser,ou=people,o=ipaca (in the userCertificate attribute, which can be
multivalued and contain the old certs along with
Hi Flo,
On 7/23/19 2:49 PM, Florence Blanc-Renaud wrote:
On 7/23/19 12:27 PM, Harald Dunkel via FreeIPA-users wrote:
PS: Attached is slapd's errors file as well. Please note the
Kerberos errors:
:
[23/Jul/2019:11:42:23.714599643 +0200] - ERR - set_krb5_creds - Could not get
initial
Hi Rob,
On 7/23/19 4:01 PM, Rob Crittenden wrote:
It's a red herring. There is a chicken and egg problem here. The KDC
uses LDAP as its backend and 389-ds needs a ticket. 389-ds starts first,
can't get a ticket and then eventually recovers once the KDC is running.
rob
You mean pki-tomcatd
Hi Rob,
On 7/23/19 5:16 PM, Rob Crittenden wrote:
I keep saying to ignore this. It doesn't work because the CA isn't
running because the certs aren't updated.
When certmonger pulls the cert out of the IPA tree it will update the
NSS database and whatever other configuration needs to be
Hi Rob,
On 7/17/19 1:55 PM, Rob Crittenden via FreeIPA-users wrote:
Bug in dogtag, https://pagure.io/dogtagpki/issue/3039. Fixed in 10.6.3+
according to git tag.
I applied the patch I found in the dogtag ticket to
/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py
On 7/16/19 2:39 PM, Harald Dunkel via FreeIPA-users wrote:
ldapsearch -D cn=directory\ manager -W -b o=ipaca uid=pkidbuser userCertificate
does not show the new certificate yet. I thought that the post-save command
for this certificate is supposed to add it to ldap as well. Should I have used
Hi folks,
installing a new ca replica in an LXC container failed with
[root@ipa5 ~]# ipa-replica-install --no-ntp --setup-ca
/var/lib/ipa/replica-info-ipa5.example.de.gpg
Directory Manager (existing master) password:
Run connection check to master
ad...@example.de password:
Connection check
On 7/15/19 9:51 PM, Rob Crittenden wrote:
Please check the status again. POST_SAVED_CERT is the status where the
post command is being executed. It should be in MONITORING now.
Yes, it does. I had to resubmit a few other certificates, and now the
ca-error is gone on all ipa servers, too.
Just for the records:
The reason was an updated external root certificate, that I had
imported with bad trust attributes about 2 years ago. My bad.
After fixing the trust attributes freeipa is running again,
probably better than before. There is just a minor issue with
a duplicate csreplica
Hi Rob,
On 7/19/19 7:25 PM, Rob Crittenden wrote:
The log doesn't seem to say which cert isn't found. You could try again
and see what is being logged to find out what cert can't be found, and
potentially why.
This might be interesting. An ipactl restart gave me this in /var/log/messages:
Hi folks,
*ipa help topics* gives me
# ipa help topics
ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8",
or LC_ALL="" and LC_CTYPE="C.UTF-8".
# env | egrep LANG\|LC
# echo $?
1
Shouldn't the command line interface work by default? Why not
On 2020-01-31 10:02, François Cami wrote:
We'd rather fail early and print that warning which lets the admin fix
the issue.
You can see the rationale in the upstream ticket:
https://pagure.io/freeipa/issue/5887
As an admin I won't touch user settings, esp. not the locale variables.
All I can
Hi folks,
I have found several migration guidelines from Centos 7 to 8. AFAIU
the procedure is to setup a new CentOS 8 FreeIPA server, and then to
migrate the "master" from the old to the new host. See [1], for example.
Having myself burned with the CA stuff in FreeIPA before, I wonder if
there
Hi folks,
how can I list the expiration dates of the ca certificate chain, before
it is too late? External ca.
Regards
Harri
On 9/5/21 22:24, Nico Maas via FreeIPA-users wrote:
Looks like you're right: https://packages.debian.org/search?keywords=freeipa
Is there any client planned for Bullseye?
AFAICT: No.
Freeipa is in sid (aka "Unstable"). The current version 4.8.10-2 is easy to
backport to Debian 11 and to
On 2022-06-15 14:15:12, Rob Crittenden via FreeIPA-users wrote:
Major version upgrades via adding a new machine is the recommended and
documented route. It includes retiring existing, older servers, so have
a plan for that.
How come? Maybe I am wrong, but I saw FreeIPA as a set of (complex)
Hi Alex,
On 2022-06-15 16:23:53, Alexander Bokovoy via FreeIPA-users wrote:
The same as with not doing backports to older OSes, FreeIPA depends on a
*particular set* of integrated services and libraries, not just any. We
choose to avoid some of tough to solve upgrade issues by doing upgrade
by
Hi folks,
I've got a few colleagues running Debian 10 or 11 on a laptop. Their account
is managed by FreeIPA in the office. On first-time login their laptop is
wired to the office lan.
When they are in home office they have a VPN connection (IPsec, wireguard
or openvpn) to the office, but since
As written before, wifi and VPN connections are established *after* the
user logged in using information stored in the cache. I can't help it.
Esp. I cannot support a VPN connection at boot time in a wifi network I
have no information about.
I understand that caching the user information is
On 2022-07-16 16:03:15, Sam Morris via FreeIPA-users wrote:
The user experience for this is not ideal (it's something my
organization suffers from as well). My two ideas for how to improve it are:
* A VPN that connects on boot, using the host's identity instead
of the user (ideally
Hi Sumit,
On 2023-07-03 09:57:53, Sumit Bose via FreeIPA-users wrote:
A proper backup is always recommended when doing such kind of
operations. Adding the RID bases with ldapmodify should for a start
have no additional effects. Only when you start to add new users the
sidgen plugin might now
Hi folks,
I have found an Active Directory domain range in my FreeIPA setup using -1
as the first Posix ID:
Range name: EXAMPLE.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain
Hi folks,
I have almost completed the FreeIPA migration from CentOS7 to Rocky8 (FreeIPA
4.9.11).
Domain replication seems to be fine, but I get a replication error for ca:
[root@ipa2 ~]# ipa-csreplica-manage -v list ipaca8.example.com
Directory Manager password:
ipa2.example.com
last init
Hi folks,
being tired I have set a dnanextrange on 2 servers, instead of a
dnarange. Very painful. Now our favorite ID range is blocked.
Is there some kind of
ipa-replica-manage dnanextrange-del
to drop a dnanextrange and to return it to the available pool
of IDs?
Every helpful
Hi folks,
getcert list-cas returns on some FreeIPA clients
root@nasl006a:~# getcert list-cas
CA 'SelfSign':
is-default: no
ca-type: INTERNAL:SELF
next-serial-number: 01
CA 'IPA':
is-default: no
Hi Rob,
I highly appreciate your reply. Apparently the problem for cs
went away on its own. "ipa-csreplica-manage -v list" doesn't
show "duplicate replica ID detected" anymore.
But I do have a replication problem for domain. list-ruv shows
on ipa0 and ipa1 (sorted)
Replica Update Vectors: