[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote: > On Thu, 11 Apr 2019, Rob Crittenden via FreeIPA-users wrote: >> Bret Wortman via FreeIPA-users wrote: >>> Thanks, Rob. I'm a lot closer now. >>> >>> What I'm getting now looks like: >>> >>> # KRB5

[Freeipa-users] Re: Certmonger spawns many processes, causing huge load due to swapping

2019-05-15 Thread Rob Crittenden via FreeIPA-users
Jonathan Vaughn via FreeIPA-users wrote: > I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as > long as I didn't run the Dogtag server on it performance seemed > acceptable for the purpose. These are only being used as local > DNS/LDAP/Krb5 replicas, everything also runs on both

[Freeipa-users] Re: cert validation failed

2019-05-17 Thread Rob Crittenden via FreeIPA-users
Petar Kozić via FreeIPA-users wrote: > >> Petar Kozić via FreeIPA-users wrote: >> > Hi folks, >> > one question. >> > These days I join my machines into IPA. Almost all machines have Ubuntu >> > 18.04. I joined about 10 machines in the last two days. Today I tried to >> > join Debian 8 jessie but

[Freeipa-users] Re: cert validation failed

2019-05-17 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden via FreeIPA-users wrote: > Petar Kozić via FreeIPA-users wrote: >> Hi folks, >> one question. >> These days I join my machines into IPA. Almost all machines have Ubuntu >> 18.04. I joined about 10 machines in the last two days. Today I tried to >> join D

[Freeipa-users] Re: cert validation failed

2019-05-17 Thread Rob Crittenden via FreeIPA-users
Petar Kozić via FreeIPA-users wrote: > Hi folks, > one question. > These days I join my machines into IPA. Almost all machines have Ubuntu > 18.04. I joined about 10 machines in the last two days. Today I tried to > join Debian 8 jessie but I have a problem. > > All machines I join with the same command: > >

[Freeipa-users] Re: Minimal ipa configuration (inside docker)

2019-06-05 Thread Rob Crittenden via FreeIPA-users
Dmitry Perets via FreeIPA-users wrote: > Hi, > > Could you please help me configuring ipa tool inside the docker container > which is not enrolled? > > I have a parent Linux VM that is enrolled in FreeIPA. On top of it I run a > docker container, and I mount the entire /etc/ipa and

[Freeipa-users] Re: zabbix for monitoring FreeIPA server?

2019-05-28 Thread Rob Crittenden via FreeIPA-users
Alex Corcoles via FreeIPA-users wrote: > Yes, we've had a few threads about monitoring. > > I was hopeful about ipactl, but I already have a monitor for failed > systemd units in all my systems (which is nice). I would add port/URL > checks easily, but I'm not sure they will add a lot of value.

[Freeipa-users] Re: What is transient error?

2019-05-31 Thread Rob Crittenden via FreeIPA-users
Andrey Bondarenko via FreeIPA-users wrote: > https://pagure.io/389-ds-base/pull-request/50072 > > says: "Transient errors are temporary conditions that usually resolve > themselves." > > What actually are those errors? We have some amount of them spreading > sometimes. What causes them and

[Freeipa-users] Re: IPA-Backup fails

2019-05-31 Thread Rob Crittenden via FreeIPA-users
Dirk Streubel via FreeIPA-users wrote: > Hello, > > I have a little problem with a full backup of my IPA Server. > The command ipa-backup -d doesn't work; the output is this: > > papython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful >

[Freeipa-users] Re: Full chain with ipa-getcert request

2019-06-07 Thread Rob Crittenden via FreeIPA-users
Josip Domšić via FreeIPA-users wrote: > Bundle  = server.cert + intermediate-ipa.cert. > > Currently, I figured to distribute rootCA to all clients, and each > server (e.g. nginx) has to serve a bundle (server.cert + intermediate). > The issue with my work flow is: when ipa-getcert generates a >

[Freeipa-users] Re: ECC keypair generation failed with `ipa-server-instal` on HSM

2019-05-28 Thread Rob Crittenden via FreeIPA-users
チョーチュアン via FreeIPA-users wrote: > Hello, > > Recently I've been experimenting on HSM with FreeIPA, I got stuck at the > CA generation, but it's a separate issue. I somehow achieved a successful > key generation on HSM with default key_algorithm/size settings. RSA > 3072/2048 keys showed up on

[Freeipa-users] Re: Full chain with ipa-getcert request

2019-06-06 Thread Rob Crittenden via FreeIPA-users
Jo Domsic via FreeIPA-users wrote: > Hi, > > I've deployed FreeIPA and now am trying to use ipa-getcert. > FreeIPA has been deployed with external CA, and the root CA cert has been > deployed to all servers. > FreeIPA is acting as an intermediate ssl authority. > > So, when I run ipa-getcert

[Freeipa-users] Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
I'd like to introduce a new tool for an IPA administrator's tool kit that we're working on, currently in a beta state and shipping in Fedora 29+. ipa-healthcheck is a proactive tool for identifying current, potential and future issues within an IPA installation. It executes a series of checks in the

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
Dirk Streubel wrote: > Hello Rob, > > second try ;) > > [root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.ipa.host --debug > Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index' ... > Calling check 0x7facb6a2ac50> > Initializing principal

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
John Keates via FreeIPA-users wrote: > Sounds great! Where do we find this tool? In an upcoming release or as a > stand-alone package? It's a standalone package, freeipa-healthcheck. rob > > John > >> On 14 Jun 2019, at 16:29, Rob Crittenden via FreeIPA-users >

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
Dirk Streubel via FreeIPA-users wrote: > Hello Rob, > > for me it is not working. I installed the > freeipa-healthcheck-0.2-3.fc31.noarch on a Fedora release 31 (Rawhide) > and have on the VM the following packages installed: > > freeipa-server-4.7.90.pre1-6.fc31.x86_6 and >

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
Dirk Streubel wrote: > Hello Rob, > > here it comes : > > > [root@ipaserver ~]# kinit admin > Passwort für ad...@linux.fritz.box: > [root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.pa.host --debug > Source 'ipahealthcheck.pa.host' not found > > Did I make a mistake? No, I did, I

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-14 Thread Rob Crittenden via FreeIPA-users
Dirk Streubel via FreeIPA-users wrote: > Hello Rob, > > On 14.06.19 at 22:33, Rob Crittenden wrote: >> Dirk Streubel wrote: >>> Hello Rob, >>> >>> second try ;) >>> >>> [root@ipaserver ~]# ipa-healthcheck --source ipahealthcheck.ipa.host --debug >>> Loading Index file from

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-11 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien via FreeIPA-users wrote: > Hi, > > I've been confused by this a while... But from talking to people on > #freeipa@freenode this might be the real issue: > > certutil -d /etc/pki/pki-tomcat/alias/ -L |grep cert-pki-ca > Server-Cert cert-pki-ca

[Freeipa-users] Re: Cert expired for pki-tomcat and process would not start

2019-06-17 Thread Rob Crittenden via FreeIPA-users
Sayfiddin, Farhad wrote: > Here is the output of getcert list I think if you stop IPA, go back in time to when this server cert is valid (it is the TLS cert for the CA server) and manually start dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200 You want to be sure ntpd

[Freeipa-users] Re: Get username and password via bind preop plugin in FreeIPA

2019-06-17 Thread Rob Crittenden via FreeIPA-users
Elena Fedorov via FreeIPA-users wrote: Hello, I have FreeIPA version 4.6.4, api_version 2.229 The system supports sasl bind version 3, mech GSSAPI. I need to support logon from the front end for users who are not part of the FreeIPA directory server. For such users I will need to bind as a

[Freeipa-users] Re: Cert expired for pki-tomcat and process would not start

2019-06-25 Thread Rob Crittenden via FreeIPA-users
Sayfiddin, Farhad wrote: > Issue is fixed finally. Great! > > Here are the steps I followed so it is helpful for others: > 1. If you see Trust flag issue you should see similar error like (NSS error > -8172 (SEC_ERROR_UNTRUSTED_ISSUER), you would need to reset the trust flags > following

[Freeipa-users] Re: Stage user is not recognized without objectClass posixaccount

2019-06-12 Thread Rob Crittenden via FreeIPA-users
Dmitry Perets via FreeIPA-users wrote: >> On Wed, 12 Jun 2019, Dmitry Perets via FreeIPA-users wrote: >> Can you share >> what queries correspond to these requests in dirsrv access >> log? > > Yes, mystery continues... > > WORKING: > > [12/Jun/2019:12:31:25.546759725 +0200] conn=18810 op=2

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-12 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien via FreeIPA-users wrote: > On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden wrote: >> >> Ian Kumlien via FreeIPA-users wrote: >>> Hi, >>> >>> I've been confused by this a while... But from talking to people on >>> #freeipa@freenode this might be the real issue: >>> >>> certutil -d

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-13 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien wrote: > On Thu, Jun 13, 2019 at 12:32 PM Ian Kumlien wrote: >> >> On Wed, Jun 12, 2019 at 10:55 PM Ian Kumlien wrote: >>> >>> On Wed, Jun 12, 2019 at 10:52 PM Rob Crittenden wrote: Ian Kumlien via FreeIPA-users wrote: > On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-13 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien via FreeIPA-users wrote: > On Thu, Jun 13, 2019 at 7:39 PM Rob Crittenden wrote: >> >> Ian Kumlien wrote: >>> On Thu, Jun 13, 2019 at 3:47 PM Rob Crittenden wrote: Ian Kumlien wrote: > > [--8<--] > Ok, we could fix that but below is more worrying. > Also, added

[Freeipa-users] Re: Cert expired for pki-tomcat and process would not start

2019-06-13 Thread Rob Crittenden via FreeIPA-users
Sayfiddin, Farhad via FreeIPA-users wrote: > We have two replica servers sl1mmgplidm0001/2. > > sl1mmgplidm0001 is functioning as CRL master and has no issues. > > [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master' > IPA CA renewal master: sl1mmgplidm0001 >

[Freeipa-users] Re: Time based OTP enabling

2019-06-13 Thread Rob Crittenden via FreeIPA-users
Eric Fredrickson via FreeIPA-users wrote: > Hello, > > I was wondering if there was a way or if this is on the roadmap for future > work. I have a use case where I'd like to create a user account, but add a > rule where OTP must be assigned to the account within a certain time period > (e.g.

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-12 Thread Rob Crittenden via FreeIPA-users
Miller, Jim via FreeIPA-users wrote: > > > Sorry for butting in on this discussion, but is this an issue where the cert > for that server didn't get renewed and the tomcat-pki service won't start? > > I ask because that's an issue we're having and not sure how to address the > issue. Your

[Freeipa-users] Re: Issues with pki-tomcat - CA

2019-06-12 Thread Rob Crittenden via FreeIPA-users
Ian Kumlien via FreeIPA-users wrote: > On Wed, Jun 12, 2019 at 7:16 PM Rob Crittenden wrote: >> >> Ian Kumlien via FreeIPA-users wrote: >>> On Tue, Jun 11, 2019 at 10:22 PM Rob Crittenden wrote: Ian Kumlien via FreeIPA-users wrote: > > [--8<--] > >>> Certificate Nickname

[Freeipa-users] Re: kadmin service not running after installing ipa server

2019-06-20 Thread Rob Crittenden via FreeIPA-users
Peter Zoltan Keresztes (zozo) via FreeIPA-users wrote: > Hello > > I have just installed ipa-server on ubuntu 18.04 and I have observed > that the kadmin service is not running. While investigating the issue > I've seen that it is complaining about the non-existence of the > /etc/krb5kdc/kadm5.acl.

[Freeipa-users] Re: cannot access webui

2019-06-21 Thread Rob Crittenden via FreeIPA-users
Peter Zoltan Keresztes (zozo) via FreeIPA-users wrote: > The service is up and running. I am able to access it via cli. Apache is also > running. There is not yet firewall installed on the server. This is what I > can now see in the apache access and error logs: > > > ==> apache2/error.log <==

[Freeipa-users] Re: Cert expired for pki-tomcat and process would not start

2019-06-24 Thread Rob Crittenden via FreeIPA-users
Sayfiddin, Farhad wrote: > This still remains an issue...any thoughts??? certmonger should have them moved into the state NOTIFYING_VALIDITY and start the renewal. Create /etc/sysconfig/certmonger with the contents: OPTS=-d3 Restart certmonger Go back in time Resubmit Check logs. rob > >

[Freeipa-users] Re: error in FreeIPA UI login page

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian wrote: > Hi Rob > Thanks for your email. > But I installed ipa-server. I don't know why it tries to install client > components! The client installer is needed because sssd, etc. need to be configured on a server as well. The error you are seeing is because the client

[Freeipa-users] Re: error in FreeIPA UI login page

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian via FreeIPA-users wrote: > Dear friends > I installed FreeIPA on CentOS 7 with external DNS and internal CA server. > It finished successfully but with a failed message about installing client > components! > Anyway I open a web browser and browse the FreeIPA page. It showed and I

[Freeipa-users] Re: Interaction with web services is crashing ipa

2019-06-10 Thread Rob Crittenden via FreeIPA-users
Marc Boorshtein via FreeIPA-users wrote: > Seeing a very odd issue.  When we make webservices calls to IPA sssd > crashes.  this started happening within the last few days after > onboarding new members (hosts, not people)  of the domain.  I'm > wondering if there's some kind of database

[Freeipa-users] Re: Is it possible to define the default ClientAliveInterval in FreeIPA

2019-06-18 Thread Rob Crittenden via FreeIPA-users
Milos Cuculovic via FreeIPA-users wrote: Hi all, I’m using FreeIPA to manage the Ubuntu server users mostly for SSH login purposes. Is it possible to define a default ClientAliveInterval in FreeIPA, the same parameter that is available in /etc/ssh/sshd_config file? The goal being to have a

[Freeipa-users] Re: Password reset

2019-06-18 Thread Rob Crittenden via FreeIPA-users
Yuri Krysko via FreeIPA-users wrote: Hello All, I am familiar with the approach laid out in https://www.freeipa.org/page/Self-Service_Password_Reset and how we should use 3rd-party password reset tools. I'd like to clarify why the Change Password link is present in the user's profile, as well

[Freeipa-users] Re: Add a new ObjectClass / Attributes / Help

2019-05-10 Thread Rob Crittenden via FreeIPA-users
Karim Bourenane via FreeIPA-users wrote: > Hello > > I would like to authenticate applications with users via IPA. I can't > find a Redhat tutorial (unless I'm wrong ??). > > Can you give me a link with a tutorial please ? > > My freeipa version is 4.5.4 It varies by application. What

[Freeipa-users] Re: Windows Integration - Using SSH Without Passwords

2019-05-23 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hi guys, > > reading official guide one may assume - I do - that "Using SSH Without > Passwords" should work out-of-box (centos 7.6) - is such assumption valid? > > For me this does not work - ssh still asks for passwords. > > If this is due to some

[Freeipa-users] Re: cert validation failed

2019-05-20 Thread Rob Crittenden via FreeIPA-users
Petar Kozić via FreeIPA-users wrote: > @Rob, sorry for duplicate mail, I forget to do reply to all > > > No, there is X1 and X3. I have whole chain in ca.crt > > Where you think that I can install this let’s encrypt root on client > side, because on server I already have it in chain? > > On

[Freeipa-users] Re: cert validation failed

2019-05-20 Thread Rob Crittenden via FreeIPA-users
Petar Kozić via FreeIPA-users wrote: > Here is the log files. I just want to inform you that I have that > problem now also on Ubuntu 14.40 and Debian 8. > On Ubuntu ipa client version is 3.3, maybe problem is there. > > In mean time I enrolled several more Ubuntu 18.04 instances without >

[Freeipa-users] Re: cert validation failed

2019-05-20 Thread Rob Crittenden via FreeIPA-users
Petar Kozić wrote: > I just try that: > > cp ca.crt /usr/local/share/ca-certificates/ > update-ca-certificates > > Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. > Running hooks in /etc/ca-certificates/update.d > updates of cacerts keystore disabled. > done. > > Looks

[Freeipa-users] Re: host does not match the primary host name - installing replica

2019-05-08 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > On 08/05/2019 14:28, Rob Crittenden wrote: >> lejeczek via FreeIPA-users wrote: >>> hi guys, >>> >>> this must be something trivial and I must have gone blind, can you spot >>> what I missed? >>> >>> >>> $ ipa-replica-install --setup-dns --no-forwarders

[Freeipa-users] Re: commercial certificate expired

2019-05-08 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > I changed the date two months ago. I followed the instructions > here: https://rcritten.wordpress.com/ but there were no results.  > > ipa cert-show show me : ipa: ERROR: cannot connect to > 'https://users.EXAMPLE-TEST/ipa/json': [SSL:

[Freeipa-users] Re: AD->IPA Synchronisation: Staged versus Active users

2019-05-21 Thread Rob Crittenden via FreeIPA-users
Robert Sturrock via FreeIPA-users wrote: > Hi All. > > I’m exploring the use of IPA in a synchronisation (rather than trust) > arrangement with AD, as this fits a particular use-case we have here quite > well. > > Our AD is very large, so a large number of users are synchronised into IPA >

[Freeipa-users] Re: Strange ipa group-add gid behavior

2019-04-30 Thread Rob Crittenden via FreeIPA-users
Orion Poplawski via FreeIPA-users wrote: > On 4/30/19 2:00 PM, Alexander Bokovoy wrote: >> On Tue, 30 Apr 2019, Orion Poplawski via FreeIPA-users wrote: >>> We're seeing some strange gid assignment behavior. When I run ipa group-add >>> on one ipa client I get gids in the expected range for my

[Freeipa-users] Re: Strange ipa group-add gid behavior

2019-05-01 Thread Rob Crittenden via FreeIPA-users
Orion Poplawski via FreeIPA-users wrote: > On 4/30/19 2:51 PM, Alexander Bokovoy wrote: >> On Tue, 30 Apr 2019, Orion Poplawski wrote: >>> On 4/30/19 2:14 PM, Rob Crittenden wrote: Orion Poplawski via FreeIPA-users wrote: > On 4/30/19 2:00 PM, Alexander Bokovoy wrote: >> On Tue, 30

[Freeipa-users] Re: Password expiration oddness

2019-05-01 Thread Rob Crittenden via FreeIPA-users
Yuri Krysko via FreeIPA-users wrote: > Hello All, > > I have a user in our FreeIPA domain, whose password according to the > applied policy (displayed in the user properties UI) should have > expired ~ 2 months ago, but it never did, nor did it force the user to > reset it. The below LDAP

[Freeipa-users] Re: http Certificate expired

2019-05-01 Thread Rob Crittenden via FreeIPA-users
Klaus Vink Slott via FreeIPA-users wrote: > Have had a small FreeIPA setup running for some time, but today I was unable > to login at the web-gui on the master. It was possible to login at the > replica but if try to delete a host I get: > > cannot connect to >

[Freeipa-users] Re: commercial certificate expired

2019-05-06 Thread Rob Crittenden via FreeIPA-users
Adrian HY wrote: > Rob, thanks for your response.  > > The output of both commands  is: > > certutil: could not find certificate named "Server-Cert": > PR_FILE_NOT_FOUND_ERROR: File not found > > Any suggestions? I guess we do a bit of cleanup when replacing the certs. Not a big deal. So I

[Freeipa-users] Re: commercial certificate expired

2019-05-06 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > Hi Florence, thanks for your attention.  > > Yes, IPA was installed with self-signed CA, then I replaced the > self-signed CA with  > an externally-signed CA (godaddy certificate). The certificate expired > and I do not need it anymore. Hence, I need the

[Freeipa-users] Re: commercial certificate expired

2019-05-06 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > Exactly, I ran ipa-server-certinstall and replaced both of the Apache > and 389-ds certificates.  I buy the certificate but I can't renew it.  > > I imported the certificates like this: > > Root Certificate:  > > ipa-cacert-manage -n Godaddy -p

[Freeipa-users] Re: Scripting host certificate creation

2019-04-18 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > I am trying to script the creation of a bunch of host certificates. > > Unlike the web UI, the CLI seems to require two separate steps to do > this.  (Please correct me if I'm wrong about this.) > > After I generate a key and CSR, I create a certificate

[Freeipa-users] Re: http Certificate expired

2019-05-02 Thread Rob Crittenden via FreeIPA-users
Klaus Vink Slott via FreeIPA-users wrote: > Rob Crittenden via FreeIPA-users: >> Klaus Vink Slott via FreeIPA-users wrote: >>> Today Rob Crittenden wrote: >>>> Klaus Vink Slott via FreeIPA-users wrote: >>>>> Den 01/05/2019 kl. 21.48 skrev Rob Crittend

[Freeipa-users] Re: http Certificate expired

2019-05-02 Thread Rob Crittenden via FreeIPA-users
Klaus Vink Slott via FreeIPA-users wrote: > Today Rob Crittenden wrote: >> Klaus Vink Slott via FreeIPA-users wrote: >>> On 01/05/2019 at 21.48, Rob Crittenden via FreeIPA-users wrote: >>>> Klaus Vink Slott via FreeIPA-users wrote: >>>>> Have ha

[Freeipa-users] Re: http Certificate expired

2019-05-02 Thread Rob Crittenden via FreeIPA-users
Klaus Vink Slott via FreeIPA-users wrote: > On 01/05/2019 at 21.48, Rob Crittenden via FreeIPA-users wrote: >> Klaus Vink Slott via FreeIPA-users wrote: >>> Have had a small FreeIPA setup running for some time, but today I was >>> unable to login at the web-gui on

[Freeipa-users] Re: host does not match the primary host name - installing replica

2019-05-08 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hi guys, > > this must be something trivial and I must have gone blind, can you spot > what I missed? > > > $ ipa-replica-install --setup-dns --no-forwarders --ip-address=10.5.8.65 > WARNING: conflicting time synchronization service 'chronyd' will > be

[Freeipa-users] Re: commercial certificate expired

2019-05-08 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > > Rob, something did not work. These are the results (I hide some variables): > > 1.) # ipa-getcert list -d /etc/httpd/alias -n Server-Cert > > Number of certificates and requests being tracked: 9. Request ID > '20180405040333': status: CA_UNREACHABLE

[Freeipa-users] Re: Home install failed

2019-06-26 Thread Rob Crittenden via FreeIPA-users
Boyd Ako via FreeIPA-users wrote: > So, I'm trying to setup a home instance to play around with before I muck up > work stuff. For some reason it looks like it's failing on the install due to > some upgrade or something > > # ipa-server-install -r NEVERLAND.DDNS.ME -n neverland.ddns.me

[Freeipa-users] Re: Can I join older clients to a newer server?

2019-07-11 Thread Rob Crittenden via FreeIPA-users
Janez Molicnik via FreeIPA-users wrote: I have IPA server installed on CentOS Linux 7.6. (IPA VERSION: 4.6.4, API_VERSION: 2.229), but I have some older servers, that run older versions of CentOS: - on the ones that have CentOS version 6.x, there is only version 3.0.0 of ipa-client available

[Freeipa-users] Re: Multi Enrollment possible ?

2019-04-23 Thread Rob Crittenden via FreeIPA-users
Karim Bourenane via FreeIPA-users wrote: > Hello All, > > I need your help. I have a small project, final design not fixed yet: > 2 IPA servers in dedicated networks (no link between them), but with the same > REALM: IPA.EXAMPLE.COM > > I want to deploy some IPA clients with 2

[Freeipa-users] Re: Broken ipa replica

2019-04-10 Thread Rob Crittenden via FreeIPA-users
Giulio Casella via FreeIPA-users wrote: > Hi, > I managed to fix it! > The solution was to increase a couple of parameters in ldap config. I > passed "--dirsrv-config-file=custom.ldif" to ipa-replica-install, with > custom.ldif containing: > > dn: cn=config > changetype: modify > replace:

[Freeipa-users] Re: Password expired

2019-04-17 Thread Rob Crittenden via FreeIPA-users
François Cami via FreeIPA-users wrote: > Hi, > > On Wed, Apr 17, 2019 at 4:33 PM mustafa taha via FreeIPA-users > wrote: >> >> Hi >> >> I want to ask if there is a way that allows the admin to provide an account >> with a password that expires after a certain time, and after a certain >> time

[Freeipa-users] Re: Directory manager password best practices

2019-04-17 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > On 4/16/19 10:14 PM, Rob Crittenden wrote: >> It isn't a huge deal to change the DM password but in practice you'd >> want to do it on all masters (not replicated) so while not the end of >> the world it can be at best annoying. > > We'll only have a single

[Freeipa-users] Re: unregister old EMail address on this mailing list?

2019-07-15 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi Flo, > > On 7/11/19 7:54 PM, Florence Blanc-Renaud wrote: >> >> Hi Harri, >> >> you probably didn't notice this footer in the emails sent to >> freeipa-users: >>> To unsubscribe send an email to >>> freeipa-users-le...@lists.fedorahosted.org >> It may

[Freeipa-users] Re: Can I join older clients to a newer server?

2019-07-15 Thread Rob Crittenden via FreeIPA-users
Janez Molicnik via FreeIPA-users wrote: > Hey, just an update.. > > I've managed to successfully install the ipa-client when I copied the > /etc/ipa/ca.crt file from ipa-server to the new would be ipa-client that > accepted the certificate this time and finally installed. You can also use the

[Freeipa-users] Re: Replication-install Tomcat error stage 1:/28 / Need help

2019-07-01 Thread Rob Crittenden via FreeIPA-users
Karim Bourenane via FreeIPA-users wrote: > Hello All > > I have followed the steps from the FreeIPA web + Red Hat to prepare > the replica with the commands: > DNS+Reverse : OK > On IPA Master : ipa-replica-prepare --password=X > replicat.example.com > Scp the

[Freeipa-users] Re: build of 4.6.6 on centos

2019-08-13 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hi guys > > would you know if above version should build on Centos 7.6? > > Or maybe it's officially not supported, as ./configure says: > > > > checking supported IPA platform... configure: error: IPA platform centos > is not supported I'd suggest you

[Freeipa-users] Re: Inactive users

2019-08-16 Thread Rob Crittenden via FreeIPA-users
Arpit Tolani via FreeIPA-users wrote: > It is never synced across masters, Check this on all servers. > > ipa user-show --all --raw | grep krbLastSuccessfulAuth ipa user-status will do this. rob > > > > On Fri, Aug 16, 2019 at 3:12 PM Boyd Ako via FreeIPA-users >

[Freeipa-users] Re: LDAP error while installing IPA client

2019-08-18 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian via FreeIPA-users wrote: > Hi > > i installed ipa server but when i try to install ipa-client, this error was > showed: > Error checking LDAP: Operation error: 04DC: LdapErr: DSID-0C0907c2, > comment: In order to perform this operation a successful bind must be >

[Freeipa-users] Re: external DNS

2019-08-17 Thread Rob Crittenden via FreeIPA-users
Elhamsadat Azarian via FreeIPA-users wrote: > Hi > I installed ipa-server without internal DNS and I set it to use a Windows > DNS server in the network. > When the install process finished it noted: "please add records in this file > to your DNS system" > Now I don't know what I must do. I must add

[Freeipa-users] Re: Inactive users

2019-08-20 Thread Rob Crittenden via FreeIPA-users
in advance for your help. Best regards. Lune. On Fri, 16 Aug 2019 at 14:14, Rob Crittenden via FreeIPA-users wrote: Arpit Tolani via FreeIPA-users wrote: > It is never synced across masters, Check this on all servers.

[Freeipa-users] Re: ipa_automount_location

2019-08-27 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > Is it possible to use multiple automount locations (i.e. sssd.conf > containing ipa_automount_location=locationA,locationB)? A location provides the master map so there can be only one. rob

[Freeipa-users] Re: sub domain/zone on separate network segment

2019-08-28 Thread Rob Crittenden via FreeIPA-users
François Cami via FreeIPA-users wrote: > On Wed, Aug 28, 2019 at 5:08 PM Markus Larsson via FreeIPA-users > wrote: >> >> >> >> On 28 August 2019 16:47:35 CEST, lejeczek via FreeIPA-users >> wrote: >>> On 28/08/2019 15:15, Markus Larsson via FreeIPA-users wrote: I might be wrong here but it

[Freeipa-users] Re: sub domain/zone on separate network segment

2019-08-28 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > On 28/08/2019 15:15, Markus Larsson via FreeIPA-users wrote: >> I might be wrong here but it sure looks like the cert is being >> rejected because the name on service doesn't match the cert. >> I'm not at a place where I could check but it looks like that to me.

[Freeipa-users] Re: how to enable NFS Kerberos authentication?

2019-08-28 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > Hi folks, > > Maybe I am confused, but apparently I do not have to activate/modify > host-based access control in Freeipa to support Kerberos for NFS. hbac > is not mentioned on >

[Freeipa-users] Re: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format

2019-08-26 Thread Rob Crittenden via FreeIPA-users
lune voo via FreeIPA-users wrote: > Hello everyone. > > I send you this mail because I try to connect an ipa-client 4.6.4 on > RHEL7 to an ipa-server 3.0.0 on RHEL6 and I get the following message > when I try to register the client to the server : > ### > ipa-client-install  \ > --domain= \ >

[Freeipa-users] Re: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format

2019-08-26 Thread Rob Crittenden via FreeIPA-users
lune voo wrote: > Hello Rob. > > Thank you for your reply. > > Here is the log from the ipa client 4.4 uninstallation : > ### > 2019-08-26T11:52:26Z DEBUG /sbin/ipa-client-install was invoked with > options: {'domain': None, 'force': True, 'krb5_offline_passwords': True, > 'ip_addresses': [],

[Freeipa-users] Re: can't delete host, apparent problem setting up RA

2019-08-28 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > On one of 3 IPA servers (most recent centos 7.6, 4.6.4-10.el7.centos.6). I > can’t delete hosts. error_log show a bunch of python errors, ending in > > Wed Aug 28 15:59:11.634233 2019] [:error] [pid 18035] File >

[Freeipa-users] Re: can't delete host, apparent problem setting up RA

2019-08-28 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick wrote: > Yes "Removing self-signed CA.” is there. > > Our configuration may have confused the upgrader. > > We initially did a default install, which sets up certificate management > with a self-signed cert. Then we moved to a commercial certificate, > which was a documented

[Freeipa-users] Re: can't delete host, apparent problem setting up RA

2019-08-28 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick wrote: > looks like that was it. > > was > > enable_ra = False > > > ra_plugin = None

[Freeipa-users] Re: Samba 4.10 with ipasam

2019-08-27 Thread Rob Crittenden via FreeIPA-users
João Baúto via FreeIPA-users wrote: > Hi all, > > I'm setting up FreeIPA along with Samba and currently I'm running into an > issue with the ipasam module: if I use samba 4.9.X everything works > as expected, while after upgrading to 4.10.X, samba fails to load ipasam. Since > the ipasam.so comes from

[Freeipa-users] Re: Inactive users

2019-08-23 Thread Rob Crittenden via FreeIPA-users
r-status on them but be aware that this could be pretty intensive. > > rob > > > > > Thank you in advance for your help. > > > > Best regards. > > > > Lune. > > > > Le ven. 16 août 2019 à 14:14, Rob Cri

[Freeipa-users] Re: Check users last login ? To auto disable in-active users ?

2019-09-04 Thread Rob Crittenden via FreeIPA-users
Morgan Cox via FreeIPA-users wrote: > Hi. > > For PCI DSS compliance I need to be able to disable users not logged in for X > amount of days (I think it's 90). > > I was going to create a script which checks last login time (I have a similar > one for expired passwords), however I cannot find

[Freeipa-users] Re: services disabled by default on replicas ?

2019-09-06 Thread Rob Crittenden via FreeIPA-users
danielle lampert via FreeIPA-users wrote: > > I think I'm just facing Bug 1469246 - Replica install fails to > configure IPA-specific temporary files/directories > (https://bugzilla.redhat.com/show_bug.cgi?id=1469246) > > The bug doesn't provide any solution other than upgrading. > Thanks for

[Freeipa-users] Re: services disabled by default on replicas ?

2019-09-10 Thread Rob Crittenden via FreeIPA-users
danielle lampert wrote: > > There's no such file as /usr/lib/tmpfiles.d/ipa.conf > > # ls -l /usr/lib/tmpfiles.d/ipa.conf > ls: cannot access /usr/lib/tmpfiles.d/ipa.conf: No such file or directory > > I only find this one > > # cat /usr/share/ipa/ipa.conf.tmpfiles > d /var/run/ipa 0711 root

[Freeipa-users] Re: services disabled by default on replicas ?

2019-09-10 Thread Rob Crittenden via FreeIPA-users
danielle lampert wrote: > > Hello, > >> Assuming you have: > >> # cat /usr/lib/tmpfiles.d/ipa.conf > > I don't have this file, it's not created during the replica install. > This log ipareplica-install.log shows: > > 2019-09-10T06:43:40Z DEBUG Backing up system configuration file >

[Freeipa-users] Re: Cert Issue

2019-09-09 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > We have been working to solve an expired certificate issue in IPA. > There is an open ticket in Red Hat support CASE 02438518. We have tried > many things but so far have had no luck getting the certs to update. > Currently the system is running RHEL 8.0

[Freeipa-users] Re: Cert Issue

2019-09-09 Thread Rob Crittenden via FreeIPA-users
Randy Morgan wrote: > On 9/9/2019 11:31 AM, Rob Crittenden wrote: >> Randy Morgan via FreeIPA-users wrote: >>> We have been working to solve an expired certificate issue in IPA. >>> There is an open ticket in Red Hat support CASE 02438518. We have tried >>> many things but so far have had no luck

[Freeipa-users] Re: FreeIPA CA_REJECT issue during adding new replica

2019-09-17 Thread Rob Crittenden via FreeIPA-users
Satish Patel via FreeIPA-users wrote: > Folks, > > Stay with me while I explain my issue because it's a little complex. We > had 2 working ldap running in datacenter-A for many months and life > was good. > > Last year company decided to shutdown datacenter-A and migrate > everything from there to

[Freeipa-users] Re: FreeIPA CA_REJECT issue during adding new replica

2019-09-18 Thread Rob Crittenden via FreeIPA-users
Satish Patel wrote: > Thanks Rob, > > This is the output of ldap-ca-master > > # matches for CA REST API >

[Freeipa-users] Re: reinstall freeIPA server without losing data

2019-09-17 Thread Rob Crittenden via FreeIPA-users
Albert Szostkiewicz via FreeIPA-users wrote: > I have an issue with my IPA server. Suddenly, after some recent system > update, I am unable to log in to the web UI or execute any command due to the > 'unknown reason' and some "Unspecified GSS failure." > I went through the suggested debugging

[Freeipa-users] Re: ipa-server-install: "does not match the primary host name" - unable to work around

2019-07-29 Thread Rob Crittenden via FreeIPA-users
Florian Dahm via FreeIPA-users wrote: > Hello! > > I have been trying to install FreeIPA server and keep hitting this error > message: > > "ipapython.admintool: ERRORThe host name [hostname of the local machine] > does not match the primary host name [hostname of ANOTHER machine]. Please

[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete

2019-08-07 Thread Rob Crittenden via FreeIPA-users
Sandor Juhasz via FreeIPA-users wrote: > We have an entry which, after clicking delete on the UI, got partially > deleted. > The compat tree entry is gone. > The accounts tree entry is there. > ldapsearch finds the entry by uid, but fails by dn. > ipa user-show finds the user > ipa user-del

[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete

2019-08-07 Thread Rob Crittenden via FreeIPA-users
Sandor Juhasz wrote: > Was detached and deleted prior to the user's deletion. > First modified by > dn: cn=,cn=groups,cn=accounts,dc=cxn > changetype: modify > delete: objectclass > objectclass: mepManagedEntry > - > delete: mepManagedBy > > Then deleted. I don't know if this is the issue or not

[Freeipa-users] Re: ipa user-del and UI fails, as well, ldapdelete

2019-08-07 Thread Rob Crittenden via FreeIPA-users
Sandor Juhasz via FreeIPA-users wrote: > I was able to cheat it on the replica where the user was not partially > deleted. > I had to recreate and reattach the deleted group. > Then detach it with  > ipa group-detach > Then delete the user. > Then the replication took care of the rest of the

[Freeipa-users] Re: ipa-replica-install ERROR

2019-07-31 Thread Rob Crittenden via FreeIPA-users
Boudjoudad Abdelkader via FreeIPA-users wrote: > Hi, > I'm trying to install an IPA server replica from but I have the issue > below, I did: > - Remove the IP of ipa server master from /etc/hosts > - Check if there is a problem with ipa-client-install (working fine) > - dig IP-ipa-server

[Freeipa-users] Re: AD -> FreeIPA sync incomplete

2019-07-31 Thread Rob Crittenden via FreeIPA-users
Theodor van Nahl via FreeIPA-users wrote: > Hello, > > I do have a running `winsync` setup, which is working for most users. The > only thing that is missing are > > * the groups: I've tried to activate the group sync using ldapmodify > (setting `nsds7NewWinGroupSyncEnabled: true`), but the

[Freeipa-users] Re: Enroll & Install IPA Client on Redhat 5.4 with IPA Server on 4.6.4

2019-07-29 Thread Rob Crittenden via FreeIPA-users
Karim Bourenane via FreeIPA-users wrote: > Hello Team > > Can you tell me if I can enroll an old Redhat 5.4 Tikanga i386 (kernel > v:2.6.18-164) to IPA Server 4.6.4? > > If yes, can you please give the steps or a link to do it? ipa-client-install is available in RHEL 5. rob
