Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Alexander Bokovoy
On Wed, 07 Oct 2015, Gronde, Christopher (Contractor) wrote: I am new to FreeIPA and have inherited two IPA servers, not sure if one is a master/slave or how they are different. I will try to give some pertinent outputs below of some of the things I am seeing. I know the Server-Cert is expired

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-08 Thread Guillem Liarte
Sumit, Thanks for your reply. Yes, I have debug enabled: With level 5 I see that here is where it spends most of its time: (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]]

[Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions

2015-10-08 Thread Alex Williams
Hi folks, this one is becoming a bit of a major issue now. We upgraded one of our IPA3.0.0 servers to use the new dogtag schema over the last few days, then created an IPA4 replica from it successfully, upgraded the schema on a few more of the IPA3.0.0 servers and joined them into the mix and

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Now I am getting CA_UNREACHABLE > > # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K > HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd > Resubmitting "20151007150853" to "IPA". > > # ipa-getcert list > Number of

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Alexander Bokovoy
Hi, On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote: Thank you for your response! Do not respond directly, send your emails to the mailing list, please. Yes "getent passwd admin" does work # getent passwd admin admin:*:127820:127820:Administrator:/home/admin:/bin/bash

Re: [Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions

2015-10-08 Thread Martin Basti
On 10/08/2015 03:23 PM, Alex Williams wrote: Hi folks, this one is becoming a bit of a major issue now. We upgraded one of our IPA3.0.0 servers to use the new dogtag schema over the last few days, then created an IPA4 replica from it successfully, upgraded the schema on a few more of the

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
Now I am getting CA_UNREACHABLE # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd Resubmitting "20151007150853" to "IPA". # ipa-getcert list Number of certificates and requests being tracked: 2. Request ID

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
Currently running ipa-server-3.0.0-47.el6.x86_64 I have stopped ntpd and reset the date to Sept 21st. Yes, I agree, this has been baffling me for days. -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, October 08, 2015 9:49 AM To: Gronde, Christopher

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Karl Forner
Sorry, I had disabled the emailing, just saw your answers in the archives. >> How can I debug this ? >Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining debugging information" from

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
When I ran "getcert list" rather than "ipa-getcert list" I get the following: # getcert list Number of certificates and requests being tracked: 2. Request ID '20150922143354': status: NEED_TO_SUBMIT stuck: no key pair storage:

[Freeipa-users] Announcing FreeIPA 4.2.2

2015-10-08 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.2.2 security release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in

[Freeipa-users] (no subject)

2015-10-08 Thread Karl Forner
Hi, > you are prompted for password because (ALL) ALL rule is applied because of > last-match rule. > > > See: > http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the /usr/bin/less sudo rule. Now, if I type in a

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:09 PM, Karl Forner wrote: Sorry, I had disabled the emailing, just saw your answers in the archives. How can I debug this ? Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it ? Do you mean the slide "FreeIPA Training Series: Obtaining debugging

Re: [Freeipa-users] (no subject)

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:26 PM, Karl Forner wrote: Hi, you are prompted for password because (ALL) ALL rule is applied because of last-match rule. > > > See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > When I ran "getcert list" rather than "ipa-getcert list" I get the following: > > # getcert list > Number of certificates and requests being tracked: 2. > Request ID '20150922143354': > status: NEED_TO_SUBMIT > stuck: no > key pair

[Freeipa-users] Cleanly removing replication agreement

2015-10-08 Thread Dominik Korittki
Hello folks, I have two FreeIPA 3.3 machines running on CentOS7: ipa01.internal and ipa02.internal. Both have a CA installed. Initially ipa02 is a replication from ipa01. Recently ipa01 had some trouble while ipa02 was running fine (see "FreeIPA 3.3 performance issues with many hosts" on this

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
First command came back: ]# grep internal= /var/lib/pki-ca/conf/password.conf grep: /var/lib/pki-ca/conf/password.conf: No such file or directory There is no pki-ca dir on this server -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, October 08, 2015

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > First command came back: > > ]# grep internal= /var/lib/pki-ca/conf/password.conf > grep: /var/lib/pki-ca/conf/password.conf: No such file or directory > > There is no pki-ca dir on this server That simplifies things a bit. The NEED_TO_SUBMIT status is

Re: [Freeipa-users] Web login problems

2015-10-08 Thread Pat Gunn
On 7/10/15 21:57, Simo Sorce wrote: >On 07/10/15 13:36, Pat Gunn wrote: Hi, I'm trying to build a cluster of 3 IPA (staging at this point, but eventually later I'll make a prod version) systems (that will reside in AWS) that will manage select systems in our infrastructure (mostly but not

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) The ipa service was not running... I attempted to start it. # service ipa start Starting Directory Service Starting dirsrv: ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL