[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
is highly appreciated. On Wed, 7 Jun 2017 at 19:15 Rob Crittenden <rcrit...@redhat.com> wrote: > Roberto Cornacchia via FreeIPA-users wrote: > > Sorry for accidentally dropping freeipa-users. > > > > I was impatient so went back in time before your answer, but I did choose >

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
he first place. >> >> So hopefully I'm back to the original issue that caused all this. Any >> help is highly appreciated. >> >> >> On Wed, 7 Jun 2017 at 19:15 Rob Crittenden <rcrit...@redhat.com> wrote: >> >>> Roberto Cornacchia via FreeIPA-u

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Roberto Cornacchia via FreeIPA-users
e original issue that caused all this. Any help > is highly appreciated. > > > On Wed, 7 Jun 2017 at 19:15 Rob Crittenden <rcrit...@redhat.com> wrote: > >> Roberto Cornacchia via FreeIPA-users wrote: >> > Sorry for accidentally dropping freeipa-users. >

[Freeipa-users] certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
Not being able to login to the admin console, I checked the httpd log and found the following errors: [Wed Jun 07 12:50:59.352022 2017] [:error] [pid 10240] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
ved. > > Then, you can check the certificates and maybe refresh it if it is > actually expired. > > John > > On 7 Jun 2017, at 14:39, Roberto Cornacchia via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > Things are getting worse. > > F

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Roberto Cornacchia via FreeIPA-users
> > rob > > > > > > > On Wed, 7 Jun 2017 at 15:36 Roberto Cornacchia > > <roberto.cornacc...@gmail.com <mailto:roberto.cornacc...@gmail.com>> > wrote: > > > > Thanks Rob, > > > > I've seen in similar posts that you reco

[Freeipa-users] Re: Upgrading from 4.2.4 (FC23)

2018-12-17 Thread Roberto Cornacchia via FreeIPA-users
ts and reboot. > > > On Dec 17, 2018, at 6:17 PM, Roberto Cornacchia via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > > Dear all, > > > > Upgrading is always scary, I will appreciate any comment on the > following. > > &

[Freeipa-users] Re: ipa-ca-install fails

2020-07-24 Thread Roberto Cornacchia via FreeIPA-users
: > Roberto Cornacchia via FreeIPA-users wrote: > > Hi Rob, > > > > Thanks for the tip. > > > > I don't see errors that I've found before, but quite some errors. > > > > In attachment is the result of > > grep -v SUCCESS /var/log/httpd/error_log

[Freeipa-users] Re: ipa-ca-install fails

2020-07-24 Thread Roberto Cornacchia via FreeIPA-users
client >> >> I guess it makes sense, old ciphers have been disabled in the newer >> release. >> >> Testing with openssl from ipa02 against ipa01, I found only these being >> accepted: >> AES128-SHA >> DES-CBC3-SHA >> RC4-SHA >> RC4-MD5 >&

[Freeipa-users] ipa-ca-install fails

2020-07-23 Thread Roberto Cornacchia via FreeIPA-users
Hi, I have successfully created a replica from a 4.2.4 master (ipa01) into a new 4.6.6 master (ipa02). I did it without --setup-ca option (because it had failed), so the only CA is still on the 4.2.4 server (ipa01). When I try to set up the CA on ipa02 (the same replica file was used with

[Freeipa-users] Re: ipa-ca-install fails

2020-07-23 Thread Roberto Cornacchia via FreeIPA-users
ipa-replica-conncheck fails with --auto-master-check (used by ipa-ca-install), but not without: [root@ipa02 ~]# /usr/sbin/ipa-replica-conncheck --master ipa01.hq.spinque.com --auto-master-check --realm HQ.SPINQUE.COM --hostname ipa02.hq.spinque.com Check connection from replica to remote master

[Freeipa-users] Re: ipa-ca-install fails

2020-07-23 Thread Roberto Cornacchia via FreeIPA-users
01.hq.spinque.com/ca/admin/ca/getStatus' 1CArunning10.2.6-20.fc23 Roberto On Thu, 23 Jul 2020 at 19:08, Rob Crittenden wrote: > Roberto Cornacchia via FreeIPA-users wrote: > > ipa-replica-conncheck fails with --auto-master-check (used by > > ipa-ca-install), but not without: &g

[Freeipa-users] Replica from 4.2 to 4.8

2020-07-22 Thread Roberto Cornacchia via FreeIPA-users
Hi, I currently have a single 4.2.4 server. I would like to create a replica with 4.8 and later decommission the 4.2 server. I had tested the procedure a while ago, from 4.2 to 4.6. I had created a replica package from the old instance, and used it with ipa-replica-install to create the new

[Freeipa-users] Reinstalling client's OS

2020-12-04 Thread Roberto Cornacchia via FreeIPA-users
Hello, Apologies if this is a trivial question, I could not find an obvious answer anywhere. If I want to reinstall from scratch the OS of an already enrolled client, is this the right procedure? 1. ipa-client-install --uninstall 2. 3. ipa-client-install Best regards, Roberto

[Freeipa-users] Re: Reinstalling client's OS

2020-12-04 Thread Roberto Cornacchia via FreeIPA-users
tlev | Institut fuer Mikroelektronische Systeme > Habicht | D-30167 Hannover +49 511 76219662 habi...@ims.uni-hannover.de > + Handy+49 172 5415752 --- > > > > > Am 04.12.2020 um 11:46 schrieb Roberto Cornacchia via FreeIPA-user

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-16 Thread Roberto Cornacchia via FreeIPA-users
file or directory. >> >> >> On Wed, 16 Nov 2022 at 10:34, Roberto Cornacchia < >> roberto.cornacc...@gmail.com> wrote: >> >>> No luck with that, unfortunately: >>> >>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-16 Thread Roberto Cornacchia via FreeIPA-users
; No request found that matched arguments. > > # getcert list > Number of certificates and requests being tracked: 0. > > > On Wed, 16 Nov 2022 at 01:40, Rob Crittenden wrote: > >> Roberto Cornacchia via FreeIPA-users wrote: >> > >> > I'm not sure why it

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-16 Thread Roberto Cornacchia via FreeIPA-users
Cornacchia < >>> roberto.cornacc...@gmail.com> wrote: >>> >>>> No luck with that, unfortunately: >>>> >>>> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >>>> cert-pki-ca' -v -w >>>> No request fo

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-16 Thread Roberto Cornacchia via FreeIPA-users
rto Cornacchia via FreeIPA-users wrote: > > > > I'm not sure why it was not renewed, but now that it is in this > > state, what would be the correct procedure to renew it? > > > > > > The other IPA server is the CA renewal master and it does have a vali

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-16 Thread Roberto Cornacchia via FreeIPA-users
luck with that, unfortunately: >> >> # getcert resubmit -d /etc/pki/pki-tomcat/alias -n 'subsystemCert >> cert-pki-ca' -v -w >> No request found that matched arguments. >> >> # getcert list >> Number of certificates and requests being tracked: 0. >>

[Freeipa-users] Re: ipa-replica-install: "Trust is configured"

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
OK, thanks! On Thu, 17 Nov 2022, 08:45 Florence Blanc-Renaud, wrote: > Hi, > > On Wed, Nov 16, 2022 at 10:44 PM Roberto Cornacchia via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> I'm adding a replica, with CA and DNS setup, to an existing

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-15 Thread Roberto Cornacchia via FreeIPA-users
Correction: After ipa-server-upgrade fails, dirsrv service is up (the only one): $ systemctl status dirsrv@HQ-SPINQUE-COM -l ● dirsrv@HQ-SPINQUE-COM.service - 389 Directory Server HQ-SPINQUE-COM. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)

[Freeipa-users] dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
Yesterday I installed a replica on a clean Rocky 9 system. No issues at all. Everything seemed to work fine. Today the machine was rebooted (no dnf updates, no system changes) and ipa could not start anymore. ipactl start -d says: Starting Directory Service ipa: DEBUG: Starting external process

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
I found it! dirsrv listens on ipv6 only. I had set net.ipv6.conf.all.disable_ipv6 and net.ipv6.conf.all.disable_ipv6 to 0, but apparently forgot to make the change permanent, so after the reboot ipv6 was disabled. On Thu, 17 Nov 2022 at 18:50, Roberto Cornacchia < roberto.cornacc...@gmail.com>

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
> > > You still have a replication agreement, and until it's removed you will > keep seeing these messages. However it's not related to this issue though. > Good to know. I hope there is a way to force removal of that agreement. > - sometimes, but not always, this log also shows: > ERR -

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
This, however, works: # ldapsearch -H ldap://localhost:389 -x uid=roberto # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: uid=roberto # requesting: ALL # # roberto, users, compat, hq.spinque.com dn: uid=roberto,cn=users,cn=compat,dc=hq,dc=spinque,dc=com [.. omitted ..]

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-15 Thread Roberto Cornacchia via FreeIPA-users
QUE.COM" Validity: Not Before: Sat Nov 21 12:56:43 2020 Not After : Fri Nov 11 12:56:43 2022 I'm not sure why it was not renewed, but now that it is in this state, what would be the correct procedure to renew it? Best, Roberto On Tue, 15 Nov 2022 at 19:47, Rob Crittenden wr

[Freeipa-users] Re: failing ipa-server-upgrade

2022-11-15 Thread Roberto Cornacchia via FreeIPA-users
> > > I'm not sure why it was not renewed, but now that it is in this state, > what would be the correct procedure to renew it? > The other IPA server is the CA renewal master and it does have a valid certificate. ___ FreeIPA-users mailing list --

[Freeipa-users] failing ipa-server-upgrade

2022-11-15 Thread Roberto Cornacchia via FreeIPA-users
Hi there, I appear to be stuck in a failing upgrade. On Rocky Linux 8.6. The server is one of 2 replicas, both CA and DNS servers. It all started with pki-tomcat being down on a running server ( ipa02.hq.spinque.com): ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
Oh. I hadn't forgotten. This is what happened. These are my settings: [root@ipa02 etc]# cat sysctl.conf | grep -v '#' net.ipv6.conf.all.disable_ipv6=0 net.ipv6.conf.default.disable_ipv6=0 These will overwrite my settings: [root@ipa02 etc]# cat sysctl.d/anaconda.conf # Anaconda disabling ipv6

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Roberto Cornacchia via FreeIPA-users
> > It isn't a common issue. > > You are right. I thought it referred to the Python Anaconda package. This file was generated by anaconda the installer, apparently we had a --noipv6 in the kickstart. (bad practice by anaconda anyway, to use non-numbered configuration files) Roberto

[Freeipa-users] krb5kdc: No such file or directory

2024-01-02 Thread Roberto Cornacchia via FreeIPA-users
Hi there, clients are having trouble with kerberos authentication: $ kinit -V user Using existing cache: xx:y Using principal: u...@sub.example.com Password for u...@sub.example.com : kinit: Generic error (see e-text) while getting initial credentials On the ipa server,

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-02 Thread Roberto Cornacchia via FreeIPA-users
Hi Alexander, Thanks for the quick reply, I will look into that. Roberto On Tue, 2 Jan 2024 at 17:04, Alexander Bokovoy wrote: > On Аўт, 02 сту 2024, Roberto Cornacchia via FreeIPA-users wrote: > >Hi there, clients are having trouble with kerberos authentication: > > >

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-02 Thread Roberto Cornacchia via FreeIPA-users
Restarting krb5kdc doesn't help, and although it restarts, it complains about /run/krb5kdc.pid. [ipa01 ~]# systemctl restart krb5kdc [ipa01 ~]# systemctl status krb5kdc ● krb5kdc.service - Kerberos 5 KDC Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; preset: disabled)

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-03 Thread Roberto Cornacchia via FreeIPA-users
rto Cornacchia via FreeIPA-users wrote: > >Hi there, clients are having trouble with kerberos authentication: > > > >$ kinit -V user > >Using existing cache: xx:y > >Using principal: u...@sub.example.com > >Password for u...@sub.example.com : > >ki

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-03 Thread Roberto Cornacchia via FreeIPA-users
t this straight is? > > > > My intuition would be to leave the existing IDs alone and reset both > > the domain range and the DNA ranges so that they cover the existing > > IDs, so: > > > > Domain range: 1,172,000,000 - 1,172,199,999 > >

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-03 Thread Roberto Cornacchia via FreeIPA-users
; > Thanks for your support, Roberto > > [1] https://access.redhat.com/solutions/394763 > > On Tue, 2 Jan 2024 at 17:04, Alexander Bokovoy > wrote: > >> On Аўт, 02 сту 2024, Roberto Cornacchia via FreeIPA-users wrote: >> >Hi there, clients are having trouble with ker

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-03 Thread Roberto Cornacchia via FreeIPA-users
- 1,172,199,999 Is this the correct way? And would I then need to reset the DNA ranges manually by splitting this in two, or is that done automatically somehow? Thanks, Roberto On Wed, 3 Jan 2024 at 14:34, Rob Crittenden wrote: > Roberto Cornacchia via FreeIPA-users wrote: > > Also, I jus

[Freeipa-users] Re: krb5kdc: No such file or directory

2024-01-03 Thread Roberto Cornacchia via FreeIPA-users
range and the DNA ranges so that they cover the existing IDs, so: > > Domain range: 1,172,000,000 - 1,172,199,999 > > Is this the correct way? And would I then need to reset the DNA ranges > manually by splitting this in two, or is that done automatically somehow? > > Thanks, Rob