[Freeipa-users] Re: using freeipa with an AWS elastic load balancer

2018-10-09 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > Is there any solution on that? > I would like to setup exactly the same (2 FreeIPA Servers behind an ELB). Is there any solution on what? You completely stripped out all existing context. rob

[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-09 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden via FreeIPA-users wrote: > A PR to support multiple NTP servers was submitted in > https://github.com/freeipa/freeipa/pull/2169 > > This spawned a design at > https://www.freeipa.org/page/V4/NTP_Servers_Configuration I realize that this design was created from an

[Freeipa-users] Re: SSL Private Key Recovery

2018-10-10 Thread Rob Crittenden via FreeIPA-users
Fraser Tweedale via FreeIPA-users wrote: > On Wed, Oct 10, 2018 at 12:12:12PM +0200, Winfried de Heiden via > FreeIPA-users wrote: >> Agree, there no real need for storing/recovering the private key, BUT: >> >> On some test/development environment server are re-deployed rapidly, >> sometimes multi

[Freeipa-users] Re: ipa command always takes 30 seconds

2018-10-10 Thread Rob Crittenden via FreeIPA-users
Perry Smith via FreeIPA-users wrote: > I've installed freeipa on Ubuntu 18.04. The Web UI as well as kinit and > logging in via ssh work fine. There are no noticeable delays. But the > "ipa" command from the command line always takes 30 or 60 seconds. For > example: > > ipa user-find admin > >

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote: > I've got a DNS entry that really isn't there. > > # nslookup sys001 > ;; connection timed out; no servers could be reached > # ipa dnsrecord-find my.net sys001 --all --raw >   dn: > idnsname=sys001+nsuniqueid=7523898c-b29311e8-85ddf5f7-bbec4d04,idnsname=my.n

[Freeipa-users] Re: ipa command always takes 30 seconds

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Perry Smith wrote: > > >> On Oct 11, 2018, at 12:51 AM, Alexander Bokovoy via FreeIPA-users >> > > wrote: >> >> On Wed, 10 Oct 2018, Perry Smith via FreeIPA-users wrote: >>> Two questions for this group: >>> >>> 1) Is there a way to get it to not look

[Freeipa-users] Re: CA private key quick question

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko via FreeIPA-users wrote: > Hello, > > Do we have private key on all nodes of the FreeIPA cluster? I am > confused with comment > > create_pkcs12 tells us whether we should create a PKCS#12 file > of the CA or not. If we are running on a replica then we won't > have the private k

[Freeipa-users] Re: CA private key quick question

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko wrote: > Thank you, that's very helpful for me. So currently all FreeIPA nodes > are completely equal? Only if they all have a CA installed as well. rob > > On Fri, Oct 12, 2018 at 3:29 PM Rob Crittenden > wrote: > > Andrey Bondarenko via Free

[Freeipa-users] Re: need help to install letsencrypt in freeipa on ubuntu 16.04

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Anush Jayan wrote: > Hi, I'm getting a duplicate certificate error  > > > > ipa: DEBUG: stderr= > ipa: DEBUG: Starting external process > ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-MPGPSDC-COM/ -L > ipa: DEBUG: Process finished, return code=0 > ipa: DEBUG: stdout= > Certificate Nickname

[Freeipa-users] Re: Freeipa The host 'ipa-eastus.xxxxx.com' does not exist to add a service to

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Melnychuk, Konstantin (KRLDS) via FreeIPA-users wrote: > Hi everyone > Can anybody help, me, please? > Overview. My error message: > > The host 'ipa-eastus.x.com' does not exist to add a service to > > I have a task to install two Freeipa servers with replication, in > Kubernetes and restore

[Freeipa-users] Re: Multiple CA certs

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko via FreeIPA-users wrote: > Hello, > > If anyone can point me in the right direction how to remove CA's certs I > don't need from the freeipa safely? Remove from where? How were they added? rob

[Freeipa-users] Re: Session Recording - https://www.freeipa.org/page/Session_Recording

2018-10-12 Thread Rob Crittenden via FreeIPA-users
Milos Cuculovic via FreeIPA-users wrote: > Hi All, > > I would like to know if someone is working on the Session Recording > implementation on FreeIPA? > If so, what’s the status? > > https://www.freeipa.org/page/Session_Recording I don't know a ton about it but... It is still a WIP. SSSD 1.16

[Freeipa-users] Re: need help to install letsencrypt in freeipa on ubuntu 16.04

2018-10-15 Thread Rob Crittenden via FreeIPA-users
Anush Jayan wrote: > I did that but still it's not serving the page over HTTPS, what should I do? Removing the existing tracking by itself won't do anything. Re-run ipa-server-certinstall. rob > > On Fri, Oct 12, 2018, 8:12 PM Rob Crittenden > wrote: > > Anush Jayan wro

[Freeipa-users] Re: Multiple CA certs

2018-10-15 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko via FreeIPA-users wrote: > Hello, > > after some tests with Letsencrypt on my test env DEVDOMAN.COM > I have something like this: >  ipa-replica-install  --mkhomedir   --setup-ca  --setup-dns > --auto-forwarders -p password > > Successfully retrieved CA cer

[Freeipa-users] Re: Multiple CA certs

2018-10-15 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko wrote: > Thank you!  > >> You'll need to delete the blobs out of LDAP using ldapmodify or > ldapdelete. > > But those certs are located not only in LDAP, am I correct? Wouldn't I > break the consistency of the IPA if I ldapdelete them? Re-run ipa-certupdate to refresh loca

[Freeipa-users] Re: RBAC in FreeIPA: Conflicts while adding permissions to a role.

2018-10-15 Thread Rob Crittenden via FreeIPA-users
Aditya kamat via FreeIPA-users wrote: > I am configuring RBAC in my current FreeIPA setup. There is a requirement > wherein each host can only belong to a particular host group. If a host is > already a part of some host group, a particular role which I create should > not be able to add it to a

[Freeipa-users] Re: New FreeIPA Server Setup

2018-10-18 Thread Rob Crittenden via FreeIPA-users
Ben Archuleta via FreeIPA-users wrote: > Hello All, > > I am in the process of setting up a FreeIPA server to replace an ancient > NIS (last updated in 2013-ish). I can manually recreate the accounts > (about 280) for the most part but the issue I can’t seem to work around > is migrating the passw

[Freeipa-users] Re: LDAP replica + Sub-CA on one FreeIPA server

2018-10-18 Thread Rob Crittenden via FreeIPA-users
Dmitry Perets via FreeIPA-users wrote: > Hi, > > I am considering FreeIPA for a multi-site project, to provide both PKI and > LDAP services. > So ideally, I would like to have one separate FreeIPA server on each site + > one central FreeIPA server. > And this is what I have in mind: > 1. The c

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-18 Thread Rob Crittenden via FreeIPA-users
Ralph Crongeyer via FreeIPA-users wrote: > Hi List, > I have a master server that had a replica installed. The replica has > been uninstalled. When I try to run "ipa-replica-manage del --force > replica.server" it fails with: > invalid 'PKINIT enabled server': all masters must have IPA master role

[Freeipa-users] Re: Migration from Test to Production

2018-10-19 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > Hi, > > we have been evaluating FreeIPA for quite a while now on our test setup > (1 IPA server, 1 Replica) and are planning to move towards production. > Can the whole setup be migrated from an ipa test to an ipa production > server? (the ipa 'linux.ourdom

[Freeipa-users] Re: "message" -> "Insufficient access: Insufficient 'write' privilege to the 'userPassword' attribute

2018-10-19 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote: > On 10/19/18 7:43 AM, Thomas Höll via FreeIPA-users wrote: >> Hi All, >> >> I've been building a password self service application which talks to >> the FreeIPA REST API to reset a user's password. This is working >> perfectly when I use the 'admin' u

[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-19 Thread Rob Crittenden via FreeIPA-users
Andrey Bychkov via FreeIPA-users wrote: > /->>There is no description about what the abstraction layer should be. > What basic functions are there for an NTP server and how does each > server map into that abstraction? What basic methods are required?/ > > An abstract module is the parent basentpc

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-19 Thread Rob Crittenden via FreeIPA-users
Louis Lagendijk via FreeIPA-users wrote: > On Thu, 2018-10-04 at 09:21 -0400, Rob Crittenden via FreeIPA-users > wrote: >> As part of a larger IPA "health" checker and driven largely by >> necessity >> I have the beginning of a certificate checking tool available

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-22 Thread Rob Crittenden via FreeIPA-users
Let's tackle these one at a time. Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA', 'cert-database': '/etc/httpd/alias', 'cert-postsave-command': '/usr/libexec/ipa/certmonger/restart_httpd'} Did you provide your own certificate for the web server (e.g. like from Let's Encryp

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-22 Thread Rob Crittenden via FreeIPA-users
Gah, regarding Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': 'IPA', 'cert-database': '/etc/httpd/alias', 'cert-postsave-command': '/usr/libexec/ipa/certmonger/restart_httpd'} never mind. The cert is in the verbose output you sent! It is fine and issued by IPA. So this looks li

[Freeipa-users] Re: GSSAPI Error: Unspecified GSS

2018-10-22 Thread Rob Crittenden via FreeIPA-users
mohammad sereshki via FreeIPA-users wrote: > Hi > I got the below error, is there anyone who knows what this is and how can I sort it out? > slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): gen >

[Freeipa-users] Re: GSSAPI Error: Unspecified GSS

2018-10-22 Thread Rob Crittenden via FreeIPA-users
mohammad sereshki wrote: > Hi > Everything works fine, and with kinit  > I got a new TGT for admin and restarted, but still the same issue. Do you have > any idea about getting a new TGT? The directory server uses its own keytab and should obtain it automatically. You may see a couple of these errors in a ro

[Freeipa-users] Re: GSSAPI Error: Unspecified GSS

2018-10-23 Thread Rob Crittenden via FreeIPA-users
mohammad sereshki via FreeIPA-users wrote: > Hi > But it has existed for nearly 2 months, and servers which refer to it > sometimes get an error and it does not work properly You need to provide more information. The snippet you provided, as I've said, is a common thing to see and can normally be ignored

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-23 Thread Rob Crittenden via FreeIPA-users
Ralph Crongeyer via FreeIPA-users wrote: > Can this be manually removed? We currently can't log in to the web portal > due to this issue. I don't understand how one master is affecting the web server of another. By design they are independent. Can you provide details on how login is failing? rob >

[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Callum Smith via FreeIPA-users wrote: > Dear All, > > When using the API to create an account, if I don't specify the > uidnumber I get this error: > > missing attribute "uidNumber" required by object class "posixAccount" > > I was expecting the uidNumber to function thus: "system will assign on

[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Callum Smith wrote: > Dear Rob, > > Running v4.5.0 (CentOS 7.4 distribution) > API version 2.228 > > Setting it to -1 gives: > ValidationError: invalid 'uid': must be at least 1 Need more information on what exactly it is you are doing. rob > > Regards, > Callum > > -- > > Callum Smith > Re

[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-24 Thread Rob Crittenden via FreeIPA-users
lation is going to fail if none of the supported NTP client packages are installed? Similar to how DNS is detected? With 4.7.0 we just got out of the business of running an NTP server on an IPA master. Is it necessary to add that back? rob > > > 19.10.2018 17:11, Rob Crittenden via F

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-24 Thread Rob Crittenden via FreeIPA-users
Ralph Crongeyer via FreeIPA-users wrote: > So it does allow me to login, however there is a popup that says: > "Some operations failed.", and a link "View details", when I click on > that it shows: > "invalid 'PKINIT enabled server': all masters must have IPA master role"   > And there is a button

[Freeipa-users] Re: Account creation via API not assigning uidNumber

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy wrote: > On Thu, 25 Oct 2018, Callum Smith wrote: >> Dear Alexander, >> >> The issue is not with the library (it does no validation of syntax) the >> error I have provided is verbose directly from the FreeIPA API >> response. > > It seems the library puts some defaults that aren'

[Freeipa-users] Re: Abstracted NTP server configuration

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy wrote: > On Wed, 24 Oct 2018, Rob Crittenden via FreeIPA-users wrote: >> Andrey Bychkov via FreeIPA-users wrote: >>> Hello, I fixed design page. >>> >>> https://www.freeipa.org/page/V4/NTP_Servers_Configuration >> >> Tibor, do you

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote: > Could it be that this error already existed since we started? Notice > the Request ID of 2016..., and the expires: 2018-10-24. > > # getcert list -n ipaCert | sed blabla > Number of certificates and requests being tracked: 8. > Request ID '20161103094546': >

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Z D via FreeIPA-users wrote: > No, CA component is not running, and seems not much activity under > /var/log/pki/pki-tomcat. Maybe these can be of interest: > > [1] selftests.log > 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] > SystemCertsVerification: system certs verificatio

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote: > On 25-10-18 14:18, Rob Crittenden wrote: >> Kees Bakker via FreeIPA-users wrote: >>> Could it be that this error already existed since we started? Notice >>> the Request ID of 2016..., and the expires: 2018-10-24. >>> >>> # getcert list -n ipaCert | sed blabla

[Freeipa-users] Re: Create Certificate for Load Balancer & end2end HTTPS traffic

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > Thanks John. > It would be nice to create the certificate from the FreeIPA without any > external tool though :( A certificate has two keys, a public and a private key. You need to generate the private key somewhere. It is best practice to generate the k
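The advice above (generate the private key on the system that will hold it, and only hand IPA a CSR to sign) as an added, runnable example; this is not code from the thread or from FreeIPA. The load balancer name lb.example.com, the HTTP/ service principal and the output paths are assumptions for illustration. The key and CSR steps run offline; the IPA CLI steps that would follow (ipa host-add --force, ipa service-add, ipa cert-request) need a Kerberos ticket for a user allowed to issue certificates and are shown as comments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Generates a private key and a CSR (with a DNS SAN) for a load balancer
# name, so that FreeIPA only ever sees the CSR and never the private key.
set -eu

make_lb_csr() {
    # $1 = FQDN the certificate is for (assumed: lb.example.com)
    # $2 = directory to write the key and CSR into
    fqdn="$1"; out="$2"
    mkdir -p "$out"

    # Private key is generated here and stays here; umask 077 in a subshell
    # makes the file owner-readable only without changing the caller's umask.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
          -out "$out/$fqdn.key" 2>/dev/null )

    # CSR carrying both a CN and a subjectAltName; TLS clients validate the
    # SAN, so a cert without it is not useful for the LB even if the CN matches.
    openssl req -new -key "$out/$fqdn.key" -out "$out/$fqdn.csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn"

    printf '%s\n' "$out/$fqdn.csr"
}

csr_has_san() {
    # $1 = CSR file, $2 = DNS name; returns 0 when the CSR carries that SAN
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

key_is_valid() {
    # $1 = private key file; returns 0 when OpenSSL can parse it
    openssl pkey -in "$1" -noout 2>/dev/null
}

# What you would run next on an IPA-enrolled host with an admin ticket
# (IPA requires a host entry before a service can be added to it; --force
# skips the DNS lookup for a name that is not a real enrolled host):
#   ipa host-add lb.example.com --force
#   ipa service-add HTTP/lb.example.com
#   ipa cert-request out/lb.example.com.csr \
#       --principal HTTP/lb.example.com \
#       --certificate-out out/lb.example.com.crt
# The issued certificate, not the key, is then copied to the load balancer
# together with the key that was generated on this host.
```

Running the script with an up-to-date OpenSSL (1.1.1 or newer, for -addext) produces lb.example.com.key with mode 0600 and a CSR whose SAN you can inspect with openssl req -text. If the certificate later needs another name, issue a new CSR with the extra DNS: entry and request again; an issued certificate cannot have a SAN added in place.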

[Freeipa-users] Re: FreeIPA stops working on nodes ... need help debugging.

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Jeff Vincent via FreeIPA-users wrote: > I inherited the management of our FreeIPA instance (master + 2 replicas). > Most of our clients are running Ubuntu 14.04 or greater. It is becoming an > issue where only cached credentials will work and any new users are unable to > log in. > > So fa

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Rob Crittenden via FreeIPA-users
Kees Bakker wrote: > On 25-10-18 16:11, Rob Crittenden wrote: >> Kees Bakker via FreeIPA-users wrote: >>> On 25-10-18 14:18, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: > Could it be that this error already existed since we started? Notice > the Request ID of 2016..., an

[Freeipa-users] Re: FreeIPA stops working on nodes ... need help debugging.

2018-10-26 Thread Rob Crittenden via FreeIPA-users
Jeff wrote: > Thanks for the hint.  The master replica server was having issues.  It's > been updated and is running now.  The question I have now is why would > it stop working if the other two replicas were still functioning, > especially since a reinstall of the client seems to fix it? It prob

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-26 Thread Rob Crittenden via FreeIPA-users
Louis Lagendijk via FreeIPA-users wrote: > On Mon, 2018-10-22 at 12:07 -0400, Rob Crittenden via FreeIPA-users > wrote: >> Gah, regarding >> >> Missing tracking for {'cert-nickname': 'Server-Cert', 'ca-name': >> 'IPA', >

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-26 Thread Rob Crittenden via FreeIPA-users
Ralph Crongeyer wrote: > Well I got it fixed by using ApacheDirectoryStudio and searching for the > old stuck replica and deleted all of its entries, which fixed the issues, > I wish I would have gotten this email sooner, I would have tried what > you suggested. > > Thanks for your help with this

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Rob Crittenden via FreeIPA-users
Kees Bakker via FreeIPA-users wrote: > On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: >> On 26-10-18 18:20, Florence Blanc-Renaud wrote: >>> On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: On 26-10-18 18:00, Timo Aaltonen wrote: > On 26.10.2018 18.59, Kees Bakker wr

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Rob Crittenden via FreeIPA-users
Z D via FreeIPA-users wrote: > Hi Kees, I've also been looking at Rob's blog as part of working on my > problem ("ipa.service "fails" to start"). > In my case, when running the curl command (with -v), I do see > > * About to connect() to ca-ldap03 port 8443 (#0) > * Trying x.x.x..x ... > * Con

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-29 Thread Rob Crittenden via FreeIPA-users
Z D via FreeIPA-users wrote: > Rob, I'd love to test your tool, as part of working on my problem > "ipa.service fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence > do you think this is the obstacle? I haven't tried it. It won't hurt anything to try though. > Again, as part of "ip

[Freeipa-users] Re: Replica load balancing and priority without DNS SRV

2018-10-29 Thread Rob Crittenden via FreeIPA-users
Ryan Slominski via FreeIPA-users wrote: > FreeIPA allows disabling DNS Autodiscovery by explicitly listing the host > names of FreeIPA servers. However, it isn't clear if the order of host names > matters. For example: > > ipa-client-install --server firsthostname.example.com --server > secon

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-30 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: > Rob, what kind of response means success, one server return 404 ? > >> GET /ca/agent/ca/profileReview HTTP/1.1 >> User-Agent: curl/7.29.0 >> Host: ca-ldap01:8443 >> Accept: */* >> > < HTTP/1.1 404 Not Found > < Server: Apache-Coyote/1.1 > < Content-Type: text/ht

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-30 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: > Hi Rob, it won't work on 4.4.0 for now. > > # python2 /tmp/checkcerts/ipa-checkcerts.py > Traceback (most recent call last): > File "/tmp/checkcerts/ipa-checkcerts.py", line 21, in > from ipalib.install import certstore > ImportError: No module named insta

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-30 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: > From what I experience, during " killing ntpd, going back a few days, restart > krb5kdc, dirsrv, httpd and the CA then certmonger", service > ipa-dnskeysyncd.service is failing. > > > Aug 10 10:19:18 ca-ldap04 ipa-dnskeysyncd: ipa : DEBUGKerberos

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-30 Thread Rob Crittenden via FreeIPA-users
Kees Bakker wrote: > On 29-10-18 19:30, Rob Crittenden wrote: >> Kees Bakker via FreeIPA-users wrote: >>> On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: On 26-10-18 18:20, Florence Blanc-Renaud wrote: > On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: >> On 26-10-18 1

[Freeipa-users] Re: Deployment without CA

2018-10-31 Thread Rob Crittenden via FreeIPA-users
Henrik Johansson via FreeIPA-users wrote: > > >> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users >> > > wrote: >> >> It would create CSR for you on install. > > When are they generated? I know it does that when configuring IPA as a > sub

[Freeipa-users] Re: Add SubjectAltName in existing certificate

2018-10-31 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > Hello, > I need to add a SAN in a certificate issued by FreeIPA. > I found a much older thread in the mailing list > (https://www.redhat.com/archives/freeipa-users/2015-September/msg00184.html) > that confirmed it's possible. > But since I don't want to

[Freeipa-users] Re: Cannot start FreeIPA master - procedure for cleaning up?

2018-11-01 Thread Rob Crittenden via FreeIPA-users
Callum Smith via FreeIPA-users wrote: > Dear All, > > Running a FreeIPA cluster, the master has fallen over and refuses to get > back up: > > Failed to read data from service file: Unknown error when retrieving > list of services from LDAP: Insufficient access: SASL(-4): no mechanism > available:

[Freeipa-users] Re: Remove ntpd from IPA managed services

2018-11-01 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > I am having trouble with ntpd on my IPA server.  For whatever reason, > chrony seems to work when I manually stop ntpd. > > I would like to remove ntpd as an IPA-managed service.  I found an old > thread on this list that says I need to remove: > >   cn=NTP,

[Freeipa-users] Re: Replica install on RPI3

2018-11-05 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote: > Hi all, > > Believe me, after modifying "startup_timeout" in > /usr/lib/python3.7/site-packages/ipalib/constants.py and > /etc/ipa/default.conf it does run on a Pi as a Master but obviously this > is not enough for the Replica. See https://www.freeip

[Freeipa-users] Re: FreeIPA on CentOS 7 under LXC, replica installation problems

2018-11-05 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote: > So I had a running replica on CentOS 7 LXC which started giving me > trouble, so I decided to rebuild it. > > Now, when running ipa-replica install I get: > > 2018-11-04T20:12:20Z DEBUG stderr=pkispawn    : ERROR    ... > subprocess.CalledProcessError:

[Freeipa-users] Re: Issues installing replica

2018-11-06 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote: > So I solved my LXC problems (thanks Rob, again), but now: > > ipa-replica-install -U --setup-ca -N > > fails when rebuilding my replica from scratch, see: > > https://gist.github.com/alexpdp7/4431da5e11afe6029e2baa01bc1f2251 > > , where I think I've copi

[Freeipa-users] Re: How to wreck your IPA environment

2018-11-06 Thread Rob Crittenden via FreeIPA-users
Chris Evich via FreeIPA-users wrote: > Hey all, > > About a year ago I did a really, really stupid thing. I updated IPA on one > CentOS 7 host, then before being really sure things were working, I did the > replica. Turned out the first upgrade only 'mostly' worked[*], meaning both > hosts ar

[Freeipa-users] Re: Replica install on RPI3

2018-11-07 Thread Rob Crittenden via FreeIPA-users
f and you need to use /etc/ipa/installer.conf rob > > > Winfried > > > > -Original message- > *From*: Rob Crittenden via FreeIPA-users > *Antwoo

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: > Hi, this is the part of troubleshooting expired certificates (it's in another > post). I can't successfully renew certs after going back in time and I > believe the reason is that CA is not starting. Some of posts and Bugzilla > bugs suggest using PKI basic aut

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-11-07 Thread Rob Crittenden via FreeIPA-users
William Muriithi via FreeIPA-users wrote: > Morning Rob >>> What's the process for either removing or making it known? >> >> I'll add something to the program about this too but for now you can run: >> >> # getcert list -i 20170919231606 >> >> That will tell us what it is. It is perfectly fine to h

[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-07 Thread Rob Crittenden via FreeIPA-users
Peter Oliver via FreeIPA-users wrote: > I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I > find that operations related to the vault feature fail. For example: > >> ipa -v vault-add test --type=standard > ipa: INFO: trying https://ipa-01.example.com/ipa/session/json > ip

[Freeipa-users] Re: yubikey csr not working

2018-11-08 Thread Rob Crittenden via FreeIPA-users
Natxo Asenjo via FreeIPA-users wrote: > hi, > > I am testing smartcard authentication with a yubikey neo like described > in > https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-login.html > > I successfully generated a key using the yubico-piv-tool, and with that > a csr. >

[Freeipa-users] Re: Abstracted NTP server configuration

2018-11-09 Thread Rob Crittenden via FreeIPA-users
Andrey Bychkov via FreeIPA-users wrote: > Hello! Can I fix my PR according with discussion? Just one final clarification. If I read the patch and page correctly the idea is that the packager chooses the default NTP package (if any). So if no NTP server package is installed then no server will be

[Freeipa-users] Re: FreeIPA PPC64LE builds

2018-11-12 Thread Rob Crittenden via FreeIPA-users
Pieter Baele via FreeIPA-users wrote: > Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server > PPC64LE build for Centos 7 (or RH IDM on RHEL 7/8) > > I only see some packages for PowerPC on Fedora and Ubuntu ppc64le RHEL builds are available for RHEL 7 today (and IdM is part of

[Freeipa-users] Re: FreeIPA PPC64LE builds

2018-11-12 Thread Rob Crittenden via FreeIPA-users
Pieter Baele via FreeIPA-users wrote: > Seriously? I could not find them in our internal satellite 6 install and > support was going more into the subject of the IBM acquisition than > technical stuff I saw it on access.redhat.com -> Downloads, Red Hat Enterprise Linux for Power, little endian.

[Freeipa-users] Re: Creating proxy users for PWM. Which is better DN?

2018-11-12 Thread Rob Crittenden via FreeIPA-users
Joyce Babu via FreeIPA-users wrote: > I am trying to setup PWM for allowing users to reset their password. I found > the following guide on setting up PWM with FreeIPA > https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 . > > The above guide creates the pwmproxy and pwmtest us

[Freeipa-users] Re: LDAP - Zammad -> not offering all fields

2018-11-12 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote: > On Mon, 12 Nov 2018, Tobi Berninger via FreeIPA-users wrote: >> hey, >> I just tried to add a new user as described in the howto/ldap from >> freeipa, and the console doesn't show any errors, >> but when I try to use that user as a bind user - it won't

[Freeipa-users] Re: ipa.service "fails" to start

2018-11-13 Thread Rob Crittenden via FreeIPA-users
Zarko D via FreeIPA-users wrote: >> There is a way to disable the selftest but this is a sort of last resort. > > Hi Rob, I am afraid disabling SelfTest is maybe the way to resolve the issue. > Are there any documentation on this, IPA 4.4.0 and pki-server 10.3.3 https://www.dogtagpki.org/wiki/Se

[Freeipa-users] Re: Get IPA server of location

2018-11-15 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > Hello, > I have 2 FreeIPA servers placed in 2 AWS placement groups (AZ1, AZ2). > I want to register my hosts in the IPA Server of the same placement group. > > Using dig I get the following: > dig +short -t SRV _ldap._tcp.example.com. > _ldap._tcp.AWS-eu-w

[Freeipa-users] Re: Mix and Match Local Users and Groups with IPA Users and Groups?

2018-11-15 Thread Rob Crittenden via FreeIPA-users
Ryan Slominski via FreeIPA-users wrote: > What is the recommended way to handle a local user in an IPA group? > > For example, I have the standard local user "apache" that I'd like to add to > an IPA group. I don't really want to add an "apache" user to IPA as it isn't > really a regular user.

[Freeipa-users] Re: Is the admins group special?

2018-11-21 Thread Rob Crittenden via FreeIPA-users
Remco Kranenburg via FreeIPA-users wrote: > Hi all, > > We received a question from one of our auditors about who has the > permission to do certain actions in FreeIPA itself. This is managed by > the RBAC system: you can for example configure that certain groups are > allowed to manage certain pa

[Freeipa-users] Re: Migration from Test to Production

2018-11-21 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > On 19.10.18 14:15, Rob Crittenden via FreeIPA-users wrote: >> Ronald Wimmer via FreeIPA-users wrote: >>> Hi, >>> >>> we have been evaluating FreeIPA for quite a while now on our test setup >>> (1 IPA server

[Freeipa-users] Re: Installation Error in step: Configuring the web interface (httpd)

2018-11-26 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote: > On 11/17/18 10:29 PM, c.monty--- via FreeIPA-users wrote: >> Hi, >> the installation fails in step >> Configuring the web interface (httpd) - [19/21]: starting httpd >> >> The error details are here: >> [root@vm200-freeipa ~]# tail /var/log/ipaserver

[Freeipa-users] Re: LDAP Group Membership puzzle

2018-11-27 Thread Rob Crittenden via FreeIPA-users
Peter Tselios via FreeIPA-users wrote: > I don't see any option to change the search schema. > Is there any way to get a similar result with the RFC2307bis schema? > Like, using a more complex filter? You would use member instead which requires a full DN: ldapsearch -x -W -D "uid=nonipaapp

[Freeipa-users] Re: Everything getting lowercased migrating between FreeIPA instances

2018-11-27 Thread Rob Crittenden via FreeIPA-users
Mitchell Smith via FreeIPA-users wrote: > Hi List, > > I am trying to migrate an old FreeIPA 4.3.1 server running on Ubuntu > 16.04 to a new FreeIPA 4.5.4 server running on Centos 7. > > I am doing the migration via the "ipa migrate-ds" command, the command > is running successfully and the users

[Freeipa-users] Re: How to find users who do not have a password set yet

2018-11-29 Thread Rob Crittenden via FreeIPA-users
Ryan Slominski via FreeIPA-users wrote: > I'm trying to find out which users do not have a password set yet. The "ipa > user-find" command doesn't seem to allow filtering by "existence of > password". Further, it doesn't show whether the password exists in output > anyways. The user-show and

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-04 Thread Rob Crittenden via FreeIPA-users
Christopher Young via FreeIPA-users wrote: > Yeah. I'm definitely lost on this one at this point. As far as I can > tell, SOMEHOW I'm missing these certs in the directory? Does that > sound right? > > How would one go about making sure this is corrected? I guess I'd need > to regenerate some type o

[Freeipa-users] Re: sudo and hostgroups

2018-12-05 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote: > Hi all, > > On a brand new install, sudo for hostgroup seems not to work. I create > a sudo rule for admins, only to do "everything" on all servers within > the hostgroup "ipaservers": > >   Rule name: s3_sudo_freeipa_admins >   Enabled: TRUE >   Com

[Freeipa-users] Re: krbpasswordexpiration field gone from "ipa user-show" ?

2018-12-05 Thread Rob Crittenden via FreeIPA-users
Ivars Strazdiņš via FreeIPA-users wrote: > Hi, > just upgraded Centos to 7.6 and got FreeIPA upgraded to 4.6.4. > > Now command "ipa user-show --all" does not return > "krbpasswordexpiration" field anymore. > Is there another simple way to find out when user's password expires? We kind > of reli

[Freeipa-users] Re: sudo and hostgroups

2018-12-05 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote: > Hi all, > > Awesome! OK, cannot use "ipaservers" hostgroup, but creating a new one > will work! > > Thanks a lot! > > > Create a new hostgroup and used that one for the sudorule: > > [admin@freeipa1 ~]$ ipa sudorule-show sudo_freeipa_admins >   Rule

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Rob Crittenden via FreeIPA-users
Christopher Young wrote: > Another thing I notice that confuses me... (see attached) Yes. There are multiple services running on the same machine each with their own private key. > Is it normal to have this many certificates with the same Subject for > an IPA server? I'm wondering if somewhere al

[Freeipa-users] Re: krbpasswordexpiration field gone from "ipa user-show" ?

2018-12-05 Thread Rob Crittenden via FreeIPA-users
Ivars Strazdiņš via FreeIPA-users wrote: > > >> On 5 Dec 2018, at 14:47, Rob Crittenden wrote: >> >> Ivars Strazdiņš via FreeIPA-users wrote: >>> Hi, >>> just upgraded Centos to 7.6 and got FreeIPA upgraded to 4.6.4. >>> >>> Now command "ipa user-show —all” does not return >>> “krbpasswordexpi

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-05 Thread Rob Crittenden via FreeIPA-users
74cmonty via FreeIPA-users wrote: > I have installed freeipa-server-common=4.7.0, so I don't understand the > relation to an issue that should be fixed with 4.6.0. You never did say before which version you were using... > I have no restarted command ipa-pkinit-manage enable after opening port 8

[Freeipa-users] Re: Installation Replica reports error: Full PKINIT configuration did not succeed

2018-12-05 Thread Rob Crittenden via FreeIPA-users
74cmonty via FreeIPA-users wrote: > I was instructed to delete the existing cert before executing > ipa-pkinit-manage enable. > > And I have provided the output of getcert in an earlier response. > I was told that this cert is incomplete/incorrect. Again, no context :-( Yes, I asked for the CUR

[Freeipa-users] Re: FreeIPA API logout

2018-12-06 Thread Rob Crittenden via FreeIPA-users
Yuri Krysko via FreeIPA-users wrote: > Hey Folks, > >   > > I’m trying to use API calls to manage entities on our FreeIPA servers > per https://access.redhat.com/articles/2728021#end-point-json. The > question that I have is how does one log out (terminate) the API session? A session cookie is

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Rob Crittenden via FreeIPA-users
Grant Janssen via FreeIPA-users wrote: > when I added another replica, all appeared to go smooth. But the new server > did not receive a dnarange. > I reviewed the man page and this indicated: > "New IPA masters do not automatically get a DNA range assignment. A range > assignment is > done only

[Freeipa-users] Re: new replica has no dnarange

2018-12-06 Thread Rob Crittenden via FreeIPA-users
Grant Janssen via FreeIPA-users wrote: > rob - thank you so much for your quick attention. > > with the exception of the dnaMaxValue and dnaNextValue the config appears to > be identical on all 3 servers. > > grant@ef-idm03:~[20181206-10:10][#5]$ ldapsearch -x -D 'cn=Directory Manager' > -W -b
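As an added check for the situation in this thread (example code, not from the thread or the FreeIPA project), the following Python parses the DNA plugin configuration entry as returned by ldapsearch on each master and reports which master holds no range and whether any ranges overlap. The hostnames and the range values are constructed; the assumption that a master without a range shows a dnaNextValue greater than its dnaMaxValue (and obtains a range from a peer on first use) is mine, so compare the result with `ipa-replica-manage dnarange-show` on your own masters.

```python
"""Compare DNA ranges across FreeIPA masters (added example, not from the thread).

Input: the output of
  ldapsearch -x -D 'cn=Directory Manager' -W \
    -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
collected from every master.  Assumption: a master with no range has
dnaNextValue > dnaMaxValue; the plugin requests a range from a peer when it
first needs to allocate an ID.  Sample data below is constructed.
"""
import re

DNA_ATTR_RE = re.compile(r"^(dna\w+):\s*(.*?)\s*$")


def sample_entry(next_value: int, max_value: int) -> str:
    """Constructed ldapsearch output for one master's DNA config entry."""
    return (
        "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
        "cn: Posix IDs\n"
        "dnaType: uidNumber\n"
        "dnaType: gidNumber\n"
        f"dnaNextValue: {next_value}\n"
        f"dnaMaxValue: {max_value}\n"
        "dnaThreshold: 500\n"
        "dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com\n"
    )


# Constructed: three masters, the third one freshly installed and without a range.
LDIF_BY_MASTER = {
    "idm01.example.com": sample_entry(1205, 100499),
    "idm02.example.com": sample_entry(100500, 199999),
    "idm03.example.com": sample_entry(1101, 1100),
}


def parse_dna_entry(ldif: str) -> dict:
    """Extract the range bounds and managed attribute types from one entry."""
    attrs = {}
    for line in ldif.splitlines():
        m = DNA_ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return {
        "next": int(attrs["dnaNextValue"][0]),
        "max": int(attrs["dnaMaxValue"][0]),
        "types": attrs.get("dnaType", []),
    }


def check_ranges(ldif_by_master: dict) -> dict:
    """Report masters without a range, overlapping ranges and free IDs per master."""
    ranges = {host: parse_dna_entry(ldif) for host, ldif in ldif_by_master.items()}
    no_range = sorted(h for h, r in ranges.items() if r["next"] > r["max"])
    active = sorted(h for h in ranges if h not in no_range)
    overlaps = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            ra, rb = ranges[a], ranges[b]
            # Two closed intervals overlap when each starts before the other ends.
            if ra["next"] <= rb["max"] and rb["next"] <= ra["max"]:
                overlaps.append((a, b))
    free = {h: ranges[h]["max"] - ranges[h]["next"] + 1 for h in active}
    return {"no_range": no_range, "overlaps": overlaps, "free": free}


if __name__ == "__main__":
    report = check_ranges(LDIF_BY_MASTER)
    for host, count in report["free"].items():
        print(f"{host}: {count} IDs left")
    for host in report["no_range"]:
        print(f"{host}: no DNA range assigned yet")
    for a, b in report["overlaps"]:
        print(f"WARNING: ranges on {a} and {b} overlap")
```

Overlapping ranges are the case worth alarming on: two masters handing out the same uidNumber to different users is a silent authorization failure, whereas a master with no range simply cannot create POSIX entries until it obtains one.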

[Freeipa-users] Re: Announcing FreeIPA v4.7.2

2018-12-07 Thread Rob Crittenden via FreeIPA-users
74cmonty via FreeIPA-users wrote: > Hi, > can you please advise how to upgrade to 4.7.2? > > I'm running version 4.7.0 > [root@ipa-replica ~]# rpm -q freeipa-server freeipa-client ipa-server > ipa-client 389-ds-base pki-ca krb5-server > freeipa-server-4.7.0-3.fc29.x86_64 > freeipa-client-4.7.0-3.

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-12-19 Thread Rob Crittenden via FreeIPA-users
lune voo via FreeIPA-users wrote: > Hello everyone. > > I had this problem again but forgot to perform a klist -ef. :( > > I was wondering if my problem was coming from the session I had > established with Freeipa. > So I was wondering if I could reinitialize the session, maybe by > removing the

[Freeipa-users] Re: Upgrading from 4.2.4 (FC23)

2018-12-19 Thread Rob Crittenden via FreeIPA-users
Brian Topping via FreeIPA-users wrote: > Hi Roberto, my skills here are weaker than the actual team here but they > are busy so I thought I might be able to kick in a little.  > > Please do be careful. I recently had a situation where I had a machine > crash during initial replication due to a bad CP

[Freeipa-users] Re: freeipa server removed from DNS at seemingly random intervals

2018-12-19 Thread Rob Crittenden via FreeIPA-users
James Richard via FreeIPA-users wrote: > how about about if I change the question to: > > Why does a "sanity check" seem to happen before an A record delete is > processed, the sanity check seems to fail BUT, the system goes right and > deletes the record anyways ??? What do you mean by sanity

[Freeipa-users] Re: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2018-12-22 Thread Rob Crittenden via FreeIPA-users
lune voo via FreeIPA-users wrote: > Thanks Rob. > > Hm, thinking about this, this problem occurred only when I use the python > code for ipa api. > > When I begin my script, I perform the following : > > api.bootstrap_with_global_options(context='cli') > api.finalize() > api.Backend.xmlclient.con
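For the two messages in this thread (the earlier one that forgot to run `klist -ef`, and this one about a long-running Python API script), here is an added example, not from the thread or the FreeIPA project, of the check a script can run before each batch of API calls: parse `klist -ef` output, find the TGT, and decide whether to continue, renew (`kinit -R`, only possible while the ticket is still valid and renewable) or obtain a fresh ticket with `kinit` (for a service script, typically `kinit -kt <keytab> <principal>`, after which the API client has to reconnect). The `klist` text, principal names and timestamps are constructed; the timestamp format is the one MIT `klist` prints in the C/en_US locale, and the 10-minute warning margin is an arbitrary choice.

```python
"""Decide whether a Kerberos TGT is still usable before calling the FreeIPA API.

Added example, not from the thread.  Parses the text that `klist -ef` prints
(MIT Kerberos, C/en_US locale; two- and four-digit years are both accepted).
Sample output below is constructed.
"""
import re
from datetime import datetime, timedelta

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)
FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")

# Constructed `klist -ef` output: a TGT valid for ten hours, renewable for a week.
SAMPLE_KLIST = """Ticket cache: KEYRING:persistent:1000:1000
Default principal: svc-automation@EXAMPLE.COM

Valid starting       Expires              Service principal
12/22/2018 08:00:00  12/22/2018 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 12/29/2018 08:00:00, Flags: FRIA
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
12/22/2018 08:00:02  12/22/2018 18:00:00  HTTP/ipa01.example.com@EXAMPLE.COM
\tFlags: FAT
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""


def _parse_ts(text: str) -> datetime:
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(text: str) -> list:
    """Return one dict per ticket: starts, expires, service principal, flags."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"starts": _parse_ts(m.group(1)),
                            "expires": _parse_ts(m.group(2)),
                            "service": m.group(3), "flags": ""})
            continue
        f = FLAGS_RE.search(line)       # flags belong to the preceding ticket line
        if f and tickets:
            tickets[-1]["flags"] = f.group(1)
    return tickets


def tgt_status(tickets: list, now: datetime, warn=timedelta(minutes=10)) -> str:
    """'missing', 'expired', 'expiring' (inside the warn margin) or 'ok'."""
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    remaining = max(t["expires"] for t in tgts) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= warn:
        return "expiring"
    return "ok"


def next_action(klist_output: str, now) -> str:
    """'continue', 'renew' (kinit -R) or 'kinit' (fresh ticket, then reconnect)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    tickets = parse_klist(klist_output)
    status = tgt_status(tickets, now)
    if status == "ok":
        return "continue"
    renewable = any(t["service"].startswith("krbtgt/") and "R" in t["flags"]
                    for t in tickets)
    if status == "expiring" and renewable:
        return "renew"
    return "kinit"   # expired or missing tickets cannot be renewed


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["klist", "-ef"], capture_output=True, text=True).stdout
    print(next_action(out, datetime.now()))
```

Running this check only at script start is what leaves a long job exposed; the "Ticket expired" GSSAPI error in the subject appears when the TGT lapses between calls, so the check belongs before each batch of API requests.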

[Freeipa-users] Re: Adding Linux client in WebUI reports error: The host was added but the DNS update failed with: DNS reverse zone 168.192.in-addr.arpa. for IP address 192.168.1.47 is not managed by

2019-01-02 Thread Rob Crittenden via FreeIPA-users
74cmonty via FreeIPA-users wrote: > No, I didn't create a reverse zone. > > I'm not sure if the definition of DNS forwarding in FreeIPA makes sense. > Actually I consider to use Pi-hole as single DNS for specific network > 192.168.1.0/24 only and forward any requests to FreeIPA. > > Would this m

[Freeipa-users] Re: Service named-pkcs11.service on master fails: Process 3946 (named-pkcs11) of user 25 dumped core

2019-01-02 Thread Rob Crittenden via FreeIPA-users
74cmonty via FreeIPA-users wrote: > Hi, > starting service `named-pkcs11.service` fails with a core dump: > ``` > Dez 29 17:32:25 ipa-master.example.com systemd-coredump[2901]: Process 2895 > (named-pkcs11) of user 25 dumped core. > >

[Freeipa-users] Re: yum upgrade doesn't do IPA upgrade

2019-01-03 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > For some reason on one of our 3 servers, yum update didn’t run the IPA > upgrade. /var/log/ipaupgrade.log was zero length. “ipactl start” noted that > an upgrade was needed, and did it. So it wasn’t a big deal. But it would be > nice for yum update to

[Freeipa-users] Re: Testing requested - certificate checking tool

2019-01-03 Thread Rob Crittenden via FreeIPA-users
SOLER SANGUESA Miguel via FreeIPA-users wrote: > Hello, > >   > > I have run the tool on an environment where I’ve installed my own > certificate for HTTPS (following this tutorial: > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP), > and it complains when it finds the root ce
