On Mon, 2011-03-28 at 23:45 +, Steven Jones wrote:
Just tried to make a replica and the install failed with,
[4/11]: configuring certificate server instance
root: CRITICAL failed to configure ca instance Command '/usr/bin/perl
/usr/bin/pkisilent ConfigureCA -cs_hostname
On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote:
Trying to set up a fed14 client and since DNS is on the AD server (dc0002)
there is no dns_discovery so as per doc I ran the install and it should
ask me for the info but it fails with,
Complete!
[root@fed14-64-cli01
On 2011-03-29, at 10:20, Martin Kosek wrote:
On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote:
What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
installation uses this DNS record in an autodiscovery of IPA server in
the given DNS domain.
In AD managed zone that
On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote:
On 2011-03-29, at 10:20, Martin Kosek wrote:
On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote:
What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
installation uses this DNS record in an
Martin Kosek wrote:
On Tue, 2011-03-29 at 12:49 +0200, tomasz.napier...@allegro.pl wrote:
On 2011-03-29, at 10:20, Martin Kosek wrote:
On Tue, 2011-03-29 at 00:08 +, Steven Jones wrote:
What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record? IPA client
installation uses this DNS record
Steven Jones wrote:
Got a bit further...I was missing --passsync
I think you were using the V1 documentation. The Enterprise Identity
Management Guide is what you want off freeipa.org in the Documentation
section.
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync
Hi,
It would be the self cert off the AD controller I got made for me, that is
the limit of my knowledge on AD
I will ask the MS ppl when they get in.
regards
Steven
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March
Hi,
This is F14, guess you missed the hostnames...
regards
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 9:09 p.m.
To: freeipa-users@redhat.com
Hi,
The DNS is in AD so it can't be set to suit IPA
I did as below and even with --force your script ignores these flags, it
insists on doing AD lookups and gets the AD info and obviously the cert isn't
on the AD box.
8
What is the content of _ldap._tcp.ipa.ac.nz DNS SRV record?
How do I add these manually to the script?
regards
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Martin Kosek [mko...@redhat.com]
Sent: Tuesday, 29 March 2011 11:52 p.m.
To: tomasz.napier...@allegro.pl
Cc:
Dmitri Pal wrote:
On 03/29/2011 03:26 PM, Steven Jones wrote:
Hi,
The DNS is in AD so it can't be set to suit IPA
I did as below and even with --force your script ignores these flags, it
insists on doing AD lookups and gets the AD info and obviously the cert isn't
on the AD box.
What do I put in the python script as a work around?
regards
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, 30 March 2011 8:29 a.m.
To: freeipa-users@redhat.com
Subject:
Steven Jones wrote:
Hi,
This is F14, guess you missed the hostnames...
It is not safe to assume based on hostname which is why I also asked.
Your problem is this:
Unable to Send Request:java.net.NoRouteToHostException: No route to host
java.net.NoRouteToHostException: No route to host
It
uh OK, but why is it ignoring my --server and --domain ? and going to the dc
for the certificate?
This ticket still does not help me proceed
regards
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:50 a.m.
To: Steven
Steven Jones wrote:
uh OK, but why is it ignoring my --server and --domain ? and going to the dc
for the certificate?
This ticket still does not help me proceed
You need --force as well.
We try very hard not to hardcode values into the configuration files
which is why we always
I used --force as well, it still ignores it
regards
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 8:58 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure
Steven Jones wrote:
I used --force as well, it still ignores it
More information would be helpful. Ignores it how, what error messages
do you get, etc.
rob
regards
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011
On 03/29/2011 02:02 PM, Steven Jones wrote:
Hi,
My Windows person suggests because this is a self signed cert, the client needs
to be forced to trust it?
can you paste the output of
openssl x509 -in /home/jonesst1/domaincert.cer -text
?
regards
Steven
Steven Jones wrote:
Hi,
My Windows person suggests because this is a self signed cert, the client needs
to be forced to trust it?
That's what we're doing here. You need to provide the CA that issued the
SSL certificate for the AD server we're connecting to.
I'm guessing they didn't
[root@fed14-64-cli01 tmp]# ipa-client-install --server
fed14-64-ipam001.vuw.ac.nz --domain ipa.ac.nz --force
Retrieving CA from dc0001.ipa.ac.nz failed.
Command '/usr/bin/wget -O /tmp/tmpjur_Xa/ca.crt
http://dc0001.ipa.ac.nz/ipa/config/ca.crt' returned non-zero exit status 8
[root@fed14-64-cli01
So I need 2 certificates?
and I have to manually add the root CA with certutil? to the IPA master as a
separate process?
regards
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc:
Hi,
Yes it's an intermediate CA. In the real world combining them is a huge issue,
ie making a single joined certificate...It's not likely many sites would go to
the pain to do that. I think you need to re-visit that assumption.
The older docs suggested a manual import of the root cert is
some more output,
==
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz --bindpw Qsmith51B --passsync
Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
ipa: CRITICAL: Error importing CA cert file named
Hi,
I get
certutil: function failed: security library: bad database.
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup
My windows person tells me that this cert is the root one, which apparently has
no permissions to do anything...
regards
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson;
Same failure message
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:57 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure
Steven Jones wrote:
Hi,
I get
Steven Jones wrote:
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:24 a.m.
To: Steven Jones
Cc: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] client setup failure
Steven Jones wrote:
What patch?
Steven Jones wrote:
Hi,
Thanks, but still no luck,
Obviously dc0001 isn't the IPA server.
[root@fed14-64-cli01 site-packages]# patch -p2 ~jonesst1/binFtBcaDVUoI.bin
patching file ipaclient/ipadiscovery.py
[root@fed14-64-cli01 site-packages]# ipa-client-install --server