Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
Found it. Nothing to do with keytabs or their permissions. It was a setting in named.conf (sasl_user) which had the wrong server name. On Fri, Oct 7, 2016 at 2:05 PM, Fil Di Noto wrote: > I forgot to add the -k in the klist command. Actually the keytab looks > correct. I

Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
I forgot to add the -k in the klist command. Actually the keytab looks correct. I noticed the file permissions were 0400 named:named but all other service keytabs I see are 0600. I thought that might be an issue so I tried changing the permissions to 0600 on all the servers but it hasn't changed

Re: [Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
klist /etc/named.keytab klist: Bad format in credentials cache It's actually like this on all the servers, and I assume it is only showing up in the logs for the 1 server because that is the server where we make changes and it is trying to push changes out to the rest. If it were any other

[Freeipa-users] LDAP/DNS replication, IPA server service principal key issue

2016-10-07 Thread Fil Di Noto
I'm trying to interpret these log messages. It seems like server ipa03 has no principal for the DNS service and is not able to replicate LDAP to the other 3 IPA servers. If that is correct: 1. Is "DNS" the service principal it should be using? 2. How do I correct this? (what concerns me

[Freeipa-users] IPA - AD trust - LDAP signing

2016-10-07 Thread Jan Karásek
Hi all, I am having trouble with the IPA-AD trust. We have a scenario where on the AD side the LDAP signing policy is on - this is the company standard and cannot be changed. Is there any chance to let IPA use LDAP signing on the IPA side? I guess IPA uses SASL LDAP bind but without signing.

Re: [Freeipa-users] IP SAN in certificates

2016-10-07 Thread Rob Crittenden
Alessandro De Maria wrote: Hello, I am running the following command to create a certificate for etcd ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt", "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zz", "-D", "dock07.prod.", "-A", "10.0.1.67", "-K",

[Freeipa-users] IP SAN in certificates

2016-10-07 Thread Alessandro De Maria
Hello, I am running the following command to create a certificate for etcd ipa-getcert", "request", "-w", "-r", "-f", "/etc/etcd/ssl/server.crt", "-k", "/etc/etcd/ssl/server.key", "-N", "CN=dock07.prod.zz", "-D", "dock07.prod.", "-A", "10.0.1.67", "-K", "etcd/dock07.prod." ca-error:

Re: [Freeipa-users] Error looking up public keys

2016-10-07 Thread Sumit Bose
On Thu, Oct 06, 2016 at 09:55:30PM +0100, Alessandro De Maria wrote: > The workaround worked thank you! Great, glad I could help. bye, Sumit > > On 6 Oct 2016 5:09 pm, "Sumit Bose" wrote: > > > On Thu, Oct 06, 2016 at 03:48:10PM +0100, Alessandro De Maria wrote: > > >