[Freeipa-users] Re: ldap_bind: Invalid credentials (49)

2020-07-20 Thread Dwija D via FreeIPA-users
Hi Rob, Thanks for all the observations and I will keep those things in mind. The issue was with the wrong password. Once I updated the password everything worked! Regards On Mon, Jul 20, 2020 at 7:28 PM Rob Crittenden wrote: > Dwija D via FreeIPA-users wrote: > > Hi I am trying to se

[Freeipa-users] ldap_bind: Invalid credentials (49)

2020-07-19 Thread Dwija D via FreeIPA-users
Hi, I am trying to search for an LDAP user using the following command but get an invalid credentials error: # ldapsearch -x -h ldap://ipm.example.net -p 389 -b "dc=example,dc=net" -D "uid=ldapbind,cn=users,cn=account,dc=example,dc=net" uid=ambariadmin1 -W Enter LDAP
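What `ldap_bind: Invalid credentials (49)` looks like on the wire, as an added example for this thread (not code from the poster or from FreeIPA): the script encodes the LDAPv3 simple bind that `ldapsearch -x -D ... -W` sends and decodes a constructed bindResponse carrying resultCode 49. The bind DN is the one from the post; the password and the server's reply are constructed so the script runs offline. It also makes the practical caveat visible: over plain ldap:// on port 389 a simple bind carries the password unencrypted in the PDU, so use ldapsearch's `-ZZ` (STARTTLS) or an `ldaps://` URI with `-H` unless the link is otherwise protected.

```python
"""
Minimal LDAPv3 simple-bind encoder/decoder (RFC 4511, BER per X.690).
Added example, not the poster's or FreeIPA's code. BIND_DN is taken from
the post; the password and the server reply below are constructed.
"""

# Tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511 section 4.2)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1], constructed
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], primitive

INVALID_CREDENTIALS = 49   # resultCode invalidCredentials, printed by ldapsearch as "(49)"

# DN exactly as written in the post
BIND_DN = "uid=ldapbind,cn=users,cn=account,dc=example,dc=net"


def ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(tag: int, value: int) -> bytes:
    """Two's-complement INTEGER/ENUMERATED; enough for message ids and result codes."""
    width = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(width, "big", signed=True))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    op = tlv(
        TAG_BIND_REQUEST,
        ber_int(TAG_INTEGER, 3)
        + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
        + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")),
    )
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + op)


def bind_response(message_id: int, result_code: int,
                  matched_dn: str = "", diagnostic: str = "") -> bytes:
    """What the server sends back: an LDAPResult inside a bindResponse."""
    op = tlv(
        TAG_BIND_RESPONSE,
        ber_int(TAG_ENUMERATED, result_code)
        + tlv(TAG_OCTET_STRING, matched_dn.encode("utf-8"))
        + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")),
    )
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, message_id) + op)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode a bindResponse PDU; raises ValueError on anything else."""
    tag, msg, _ = read_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = read_tlv(msg)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError("protocolOp is not bindResponse")
    tag, code, pos = read_tlv(op)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def password_on_wire(request: bytes, password: str) -> bool:
    """True if the simple-bind password sits unencrypted in the PDU, which is
    what a plain ldap:// (no STARTTLS, no ldaps) connection puts on the network."""
    return password.encode("utf-8") in request


if __name__ == "__main__":
    req = bind_request(1, BIND_DN, "wrong-password")          # constructed password
    print("bind request:", req.hex())
    print("password visible on the wire:", password_on_wire(req, "wrong-password"))
    reply = bind_response(1, INVALID_CREDENTIALS)             # constructed server reply
    print(parse_bind_response(reply))
```

The result code is all the client gets: the server deliberately does not say whether the DN was unknown or the password wrong, which is why the fix in this thread (a corrected password) is only found by checking the credential itself, and why the same code 49 shows up when the bind DN is mistyped.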

[Freeipa-users] Re: kdb5_util: Kerberos database constraints violated while adding entries to the database

2020-03-03 Thread Djan D via FreeIPA-users
Thanks a lot. This is the case! On Tue, Feb 18, 2020 at 4:20 PM Christian Heimes wrote: > On 18/02/2020 10.53, Djan D via FreeIPA-users wrote: > > Hi > > I installed a fresh IPA server on CentOS 6 and all services are up and > > running. While trying to create the database for

[Freeipa-users] kdb5_util: Kerberos database constraints violated while adding entries to the database

2020-02-18 Thread Djan D via FreeIPA-users
Hi, I installed a fresh IPA server on CentOS 6 and all services are up and running. While trying to create the database for the first time, I am facing the following error. # /usr/sbin/kdb5_util create -r TESTLAB.ORG -s Loading random data Initializing database

[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
ps cert installed but the clients do > > not. Not sure if that's related. > > Thanks, > > D > > ‐‐‐ Original Message ‐‐‐ > > On Monday, April 29, 2019 3:04 PM, Jakub Hrozek via FreeIPA-users > > freeipa-users@lists.fedorahosted.org wrote: > >

[Freeipa-users] Re: IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
:56:33PM +0000, D via FreeIPA-users wrote: > > > Hello, > > Apologies for the earlier premature post :) > > This list helped me solve a number of issues getting a proof-of-concept > > ipa-ad cross-forest trust working. I believe there is one final issue, > > hopefu

[Freeipa-users] IPA Client SSH under AD cross-forest trust not working

2019-04-29 Thread D via FreeIPA-users
Hello, Apologies for the earlier premature post :) This list helped me solve a number of issues getting a proof-of-concept ipa-ad cross-forest trust working. I believe there is one final issue, hopefully one of the experts here can have a look at the logs and let me know if anything sticks

[Freeipa-users] Client SSH under AD trust not working

2019-04-29 Thread D via FreeIPA-users
Hello, This list helped solve a number of issues related to logging into clients under a cross-forest AD trust. I believe there is one final issue, I'm hoping one of the experts can have a look at the logs and configs. I can ssh into the IPA servers themselves using AD credentials just fine,

[Freeipa-users] Re: AD Trust Integration Issue

2019-04-18 Thread D via FreeIPA-users
FWIW on your EL7 ipa-server you can find the krb-ad stuff under /var/lib/sss/pubconf/ and /var/lib/sss/pubconf/krb5.include.d/. Like Alexander says, this config should be reflected in the ipa client's krb config. HTH D ‐‐‐ Original Message ‐‐‐ On Thursday, April 18, 2019 8:23 AM,

[Freeipa-users] Re: SSH problems in cross-forest trust

2019-04-08 Thread D via FreeIPA-users
were moved to example.ipa.splat.acme.com, and if DNS for this subdomain were managed by the IPA servers? Thank you for your time, D ‐‐‐ Original Message ‐‐‐ On Monday, April 8, 2019 11:49 AM, Alexander Bokovoy via FreeIPA-users wrote: > On ma, 08 huhti 2019, D via FreeIPA-users wr

[Freeipa-users] Re: Issues with AD user ssh

2019-02-25 Thread D via FreeIPA-users
, February 19, 2019 4:08 PM, D via FreeIPA-users wrote: > Sumit, > > Yes, krb5_store_password_if_offline = True is set. > > I will update to the new version today. > > D > > ‐‐‐ Original Message ‐‐‐ > On Tuesday, 19 February 2019 14:52, Sumit Bose sb...@redhat.c

[Freeipa-users] Re: Issues with AD user ssh

2019-02-19 Thread D via FreeIPA-users
mer > > > > > case > > > > > you can try to increase ldap_search_timeout, default is 6s as well. > > > > > bye, > > > > > Sumit > > > > > > > > > > > > Thanks, > > > > > > > D > >

[Freeipa-users] Re: Issues with AD user ssh

2019-02-19 Thread D via FreeIPA-users
, > > > Sumit > > > > > > > > Thanks, > > > > > D > > > > > ‐‐‐ Original Message ‐‐‐ > > > > > On Friday, 15 February 2019 13:23, Sumit Bose via FreeIPA-users > > > > >

[Freeipa-users] Re: Issues with AD user ssh

2019-02-19 Thread D via FreeIPA-users
t; > > > On Fri, Feb 15, 2019 at 04:22:33PM +, D wrote: > > > > > > > > > Apologies, forgot to attach. > > > > > D > > > > > ‐‐‐ Original Message ‐‐‐ > > > > > On Friday, February 15, 2019 11:19 AM, D via FreeIPA-users > >

[Freeipa-users] Re: Issues with AD user ssh

2019-02-13 Thread D via FreeIPA-users
prefer a new thread or to continue here? Thanks again for everything, D ‐‐‐ Original Message ‐‐‐ On Wednesday, 13 February 2019 11:03, D via FreeIPA-users wrote: > Apologies for the delay Sumit. > > I've attached full sanitized logs this time. This should answer a few of the

[Freeipa-users] Re: Issues with AD user ssh

2019-02-13 Thread D via FreeIPA-users
des trying to figure out what is wrong with the KEYRING ccache you > might also want to try if a different ccache type, e.g. FILE:, > works any better? > > HTH > > bye, > Sumit > > > Thank you for your hard work, > > D > > ‐‐‐ Original Message ‐‐

[Freeipa-users] Re: Issues with AD user ssh

2019-02-12 Thread D via FreeIPA-users
2019 02:19, Sumit Bose via FreeIPA-users wrote: > On Mon, Feb 11, 2019 at 03:51:07PM +0000, D via FreeIPA-users wrote: > > > Hello, > > Would anyone mind helping me troubleshoot a problem? > > > > 1. Running a two-way trust between AD2016 and ipa-server 4.5.4

[Freeipa-users] Re: Issues with AD user ssh

2019-02-11 Thread D via FreeIPA-users
ia FreeIPA-users wrote: > I think the issue is outlined in the PAC error you got. > >> On 11 Feb 2019, at 16:51, D via FreeIPA-users >> wrote: >> >> sss_send_pac failed, group membership for user with principal [> username>@AD.DOMAIN.COM] might not be correct.

[Freeipa-users] Issues with AD user ssh

2019-02-11 Thread D via FreeIPA-users
Hello, Would anyone mind helping me troubleshoot a problem? 1. Running a two-way trust between AD2016 and ipa-server 4.5.4-10.el7. 2. Unable to log into an IPA client with an AD account via ssh. The client has no trouble with “kinit $ad_user” and “getent passwd $ad_user”. 3. The AD user

[Freeipa-users] Re: Failed to start 389 Directory Server

2019-02-08 Thread Zarko D via FreeIPA-users
Thanks Thierry, the IPA backup had failed much earlier; unfortunately I am not able to restore those logs. But I made some progress by trying to restore different daily backups, and I found one that was restored "successfully", and 389ds started after that. But the new problem is that the replica from

[Freeipa-users] Failed to start 389 Directory Server

2019-02-02 Thread Zarko D via FreeIPA-users
Hi there, this is ipa-server-4.4.0-12.0.1 with 389-ds-base-1.3.5.10-11 and suddenly the daily backup has started to fail with messages: 2019-01-28T04:10:04Z INFO Backing up ipaca in REALM-COM to LDIF 2019-01-28T04:10:04Z INFO Waiting for LDIF to finish 2019-01-28T04:10:05Z DEBUG File

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2018-11-23 Thread Zarko D via FreeIPA-users
> Hi, have you found a resolution here? > > I get the same/similar error while troubleshooting expired certificates, for > example going > back in time when all certs are valid and restarting certmonger, then I see > this error. Sorry, please ignore. Apologies.

[Freeipa-users] Re: IPA server upgrade fails with KDC error

2018-11-23 Thread Zarko D via FreeIPA-users
Hi, have you found a resolution here? I get the same/similar error while troubleshooting expired certificates, for example going back in time when all certs are valid and restarting certmonger; then I see this error. ___ FreeIPA-users mailing list --

[Freeipa-users] Re: certmonger (back in time) renewal is only 50% successful

2018-11-17 Thread Zarko D via FreeIPA-users
Hi Rob, when certmonger fails to renew a cert and PKI is running, it fails and dogtag-ipa-ca-renew-agent-submit shows the message: ACIError: Insufficient access: Invalid credentials Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error I hope to

[Freeipa-users] Re: ipa.service "fails" to start

2018-11-12 Thread Zarko D via FreeIPA-users
> There is a way to disable the selftest but this is a sort of last resort. Hi Rob, I am afraid disabling SelfTest is maybe the way to resolve the issue. Is there any documentation on this? IPA 4.4.0 and pki-server 10.3.3

[Freeipa-users] Re: certmonger (back in time) renewal is only 50% successful

2018-11-12 Thread Zarko D via FreeIPA-users
Forgot to add versions: ipa-server is 4.4.0 and pki-server is 10.3.3

[Freeipa-users] certmonger (back in time) renewal is only 50% successful

2018-11-12 Thread Zarko D via FreeIPA-users
Hi there, still working on cert renewal with a little bit of progress, hence asking kindly for more support until final resolution. As per the subject, certmonger renews two out of four certificates. [1] stop ntpd, go back in time (Aug 10 2018), where all certs are valid [2] restart krb5kdc,

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-10 Thread Zarko D via FreeIPA-users
Once again, I am back in time when all certs are valid, for example: # date Fri Aug 3 01:47:18 PDT 2018 Yet, the CA cannot start and /var/log/pki/pki-tomcat/ca/selftests.log reads: 0.localhost-startStop-2 - [03/Aug/2018:01:03:17 PDT] [20] [1] CAPresence: CA is present 0.localhost-startStop-2

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-09 Thread Zarko D via FreeIPA-users
I've also reset the NSS trust flag, as per https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/ and am still getting "Insufficient access: Invalid credentials", from the previous post.

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-08 Thread Zarko D via FreeIPA-users
Hi Fraser, I am making some progress. Let's please continue. [1] I was able to follow your info and find a common date in the past for all certs to be valid. Note, in case this is important, I have four IPA servers and I do this on the CA renewal master. [2] Then the system clock was set to a past time

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Zarko D via FreeIPA-users
Thank you Fraser for the support. 'REALM.COM IPA CA' or caSigningCert is valid for 20 years, should be no problem here. But I am afraid I can't find a common date for the remaining four certs. As per the data below: [1] There is a common date for auditSigningCert, subsystemCert and Server-Cert [2] There
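The "[1]" step in the two messages above (2018-11-08 and 2018-11-07), finding a date in the past at which every certificate is valid, is an interval intersection over the certs' notBefore/notAfter windows, and when it is empty the useful answer is which cert breaks it and which subset can still be renewed together. The following is an added example, not FreeIPA, Dogtag or certmonger code. The certificate nicknames are the ones named in this thread; the validity dates are constructed so that ocspSigningCert does not overlap the other three, mirroring the "common date for three, not four" situation. On a real server the input comes from `openssl x509 -noout -dates` on each cert (the parser below handles that output) or from `getcert list`; the script only computes the date, the clock change itself (stop ntpd first, as done in the thread) stays a manual step.

```python
"""
Common validity window for a set of certificates.
Added example, not project code. CERTS below are constructed dates; the
nicknames are the Dogtag ones named in the thread.
"""
from datetime import datetime

# Constructed validity windows (notBefore, notAfter), for illustration only.
CERTS = {
    "auditSigningCert cert-pki-ca": (datetime(2016, 8, 1), datetime(2018, 8, 12)),
    "subsystemCert cert-pki-ca":    (datetime(2016, 8, 1), datetime(2018, 8, 12)),
    "Server-Cert cert-pki-ca":      (datetime(2016, 8, 1), datetime(2018, 8, 12)),
    "ocspSigningCert cert-pki-ca":  (datetime(2018, 8, 13), datetime(2020, 8, 13)),
    "caSigningCert cert-pki-ca":    (datetime(2016, 8, 1), datetime(2036, 8, 1)),
}

# Constructed sample of what `openssl x509 -noout -dates -in cert.pem` prints.
SAMPLE_OPENSSL_DATES = "notBefore=Aug  1 00:00:00 2016 GMT\nnotAfter=Aug 12 23:59:59 2018 GMT\n"


def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines printed by `openssl x509 -noout -dates`."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with two spaces; collapse them first
            found[key] = datetime.strptime(" ".join(value.split()),
                                           "%b %d %H:%M:%S %Y GMT")
    return found["notBefore"], found["notAfter"]


def common_validity_window(certs):
    """(start, end) during which every cert is valid, or None if no such time exists."""
    start = max(nb for nb, _ in certs.values())   # latest notBefore
    end = min(na for _, na in certs.values())     # earliest notAfter
    return (start, end) if start <= end else None


def blocking_pair(certs):
    """When there is no common window, the two certs that cannot both be valid:
    the one starting latest and the one expiring earliest."""
    latest_start = max(certs, key=lambda n: certs[n][0])
    earliest_end = min(certs, key=lambda n: certs[n][1])
    return latest_start, earliest_end


def best_time(certs):
    """Sweep every window endpoint and return (time, names_valid_then) with the
    most certs valid. Ties go to the latest time, so the clock is moved back as
    little as possible. This is the general form of the 'common date' search."""
    candidates = sorted({t for window in certs.values() for t in window})
    best_t, best_names = None, []
    for t in candidates:
        valid = [n for n, (nb, na) in certs.items() if nb <= t <= na]
        if len(valid) >= len(best_names):
            best_t, best_names = t, valid
    return best_t, best_names


if __name__ == "__main__":
    window = common_validity_window(CERTS)
    if window:
        print("all certs valid between", window[0], "and", window[1])
    else:
        a, b = blocking_pair(CERTS)
        print("no common date: %r starts after %r expires" % (a, b))
        t, names = best_time(CERTS)
        print("best single date:", t, "covers", len(names), "of", len(CERTS))
        for n in names:
            print("  ", n)
        print("renew the rest in a second, separate back-dated run")
```

With the constructed data the script reports no common date, names ocspSigningCert as the cert that starts after the others expire, and picks 2018-08-12 as the date that covers four of the five certs; the remaining cert then needs its own run at a date inside its own window, which is the "two runs" shape the thread ends up with.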

[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Zarko D via FreeIPA-users
The /var/lib/pki/pki-tomcat/logs/ca/selftests.log reads: 0.localhost-startStop-2 - [06/Nov/2018:15:55:02 PST] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-2 - [06/Nov/2018:15:55:02 PST] [20] [1] SelfTestSubsystem: loading all self test plugin logger

[Freeipa-users] Fails to start CA with Basic Auth (and/or SSL)

2018-11-07 Thread Zarko D via FreeIPA-users
Hi, this is part of troubleshooting expired certificates (it's in another post). I can't successfully renew certs after going back in time and I believe the reason is that the CA is not starting. Some posts and Bugzilla bugs suggest using PKI basic authentication, which I tried without success,

[Freeipa-users] Re: ipa.service "fails" to start

2018-11-02 Thread Zarko D via FreeIPA-users
Hi Rob, any idea why going back in time prevents named from running? It looks like it's active but with errors. After returning to the present, the service doesn't have any errors.

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-30 Thread Zarko D via FreeIPA-users
> This doesn't. You are forcefully going back in time. As long as it > doesn't prevent named from starting and at least limping along then it > isn't worth pursuing until the certs are renewed. I can confirm that going back in time prevents named from running. It looks like it's active but with errors.

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-30 Thread Zarko D via FreeIPA-users
From what I experience, during "killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger", the service ipa-dnskeysyncd.service is failing. Aug 10 10:19:18 ca-ldap04 ipa-dnskeysyncd: ipa : DEBUG Kerberos principal:

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Zarko D via FreeIPA-users
Rob, what kind of response means success? One server returns 404: > GET /ca/agent/ca/profileReview HTTP/1.1 > User-Agent: curl/7.29.0 > Host: ca-ldap01:8443 > Accept: */* > < HTTP/1.1 404 Not Found < Server: Apache-Coyote/1.1 < Content-Type: text/html;charset=utf-8 < Content-Language: en <

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-29 Thread Zarko D via FreeIPA-users
Hi Rob, it won't work on 4.4.0 for now. # python2 /tmp/checkcerts/ipa-checkcerts.py Traceback (most recent call last): File "/tmp/checkcerts/ipa-checkcerts.py", line 21, in <module> from ipalib.install import certstore ImportError: No module named install I guess it's not appropriate to use this

[Freeipa-users] Re: Testing requested - certificate checking tool

2018-10-29 Thread Z D via FreeIPA-users
Rob, I'd love to test your tool, as part of working on my problem "ipa.service fails to start", but I still run 4.4.0-12.0.1.el7.x86_64, hence do you think this is the obstacle? Again, as part of "ipa.service fails to start" work, I was hoping to add new IPA server 4.5.4, but

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Z D via FreeIPA-users
Hi Kees, I've also been looking at Rob's blog as part of working on my problem ("ipa.service "fails" to start"). In my case, when running the curl command (with -v), I do see * About to connect() to ca-ldap03 port 8443 (#0) * Trying x.x.x..x ... * Connected to ca-ldap03 port 8443 (#0) *

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Hi Flo and Rob, an additional update. There is a discrepancy in some of the certs' expiry times among the 4 servers; I thought maybe another server could be a candidate to be the new renewal master. The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well, hence "ipa config-show" on all 4 servers

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-27 Thread Z D via FreeIPA-users
Agree Flo, making sure that I am in the past, unfortunately still no resolution. [root@ca-ldap01 ~]# systemctl restart krb5kdc [root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service [root@ca-ldap01 ~]# systemctl restart httpd [root@ca-ldap01 ~]# systemctl restart

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, I followed one of your suggestions in another post, it's: "certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens" I did it, no success, with messages: - MainThread ipa DEBUG

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Rob, thanks much. Some of Flo's blogs about the CA help me to understand better now. Sure, "ipa cacert-manage renew" and "ipa-certupdate" were run before, hopefully not harmful; "caSigningCert cert-pki-ca" was valid for 18 more years. You're right, there is a mix of old and renewed ones, three

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
No, the CA component is not running, and there seems to be not much activity under /var/log/pki/pki-tomcat. Maybe these can be of interest: [1] selftests.log 0.localhost-startStop-1 - [08/Aug/2018:10:12:03 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert

[Freeipa-users] Re: ipa.service "fails" to start

2018-10-25 Thread Z D via FreeIPA-users
Hi Flo, I have debug enabled in both /etc/ipa/server.conf and /etc/ipa/default.conf, and /var/log/pki/pki-tomcat/ca/debug reads: [08/Aug/2018:10:12:02][localhost-startStop-1]: = DEBUG SUBSYSTEM INITIALIZED === java.lang.Exception: Certificate ocspSigningCert cert-pki-ca is invalid:

[Freeipa-users] ipa.service "fails" to start

2018-10-18 Thread Z D via FreeIPA-users
Hi there, this is el7.3 running ipa-server 4.4.0 release 12.0.1.el7. After reboot I couldn't start the ipa service via systemctl, hence I ran "ipactl start --ignore-service-failures" and this was kind of successful. I still have some discrepancies, and am looking for troubleshooting ideas. 1.

[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

2017-08-31 Thread Z D via FreeIPA-users
This is resolved by updating the sudo package. ---> Package sudo.x86_64 0:1.8.6p7-11.el7 will be updated ---> Package sudo.x86_64 0:1.8.19p2-10.el7 will be an update From: Pavel Březina Sent: Thursday, August 31, 2017 1:48:33 AM To: Jakub