Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud
On 10/20/2016 05:05 AM, beeth beeth wrote: First of all, thanks for the quick response Florence! I have a question about your suggested steps [1] and [2]: For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert (root cert + intermediate cert)? For [2],

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

2016-10-19 Thread Robert Sturrock
Hello, We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains: EXAMPLE.AU (staff users) STUDENT.EXAMPLE.AU (student users) The IPA domain that trusts these is called: IPA.EXAMPLE.AU The basic confi

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
First of all, thanks for the quick response Florence! I have a question about your suggested steps [1] and [2]: For [1], "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert (root cert + intermediate cert)? For [2], "ipa-server-certinstall -d /path/to/pkcs12.p1

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy
On Wed, 19 Oct 2016, Baird, Josh wrote: Hi, If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users. There are examples of this in the IdM documentation, but the gist is: * Create an 'external' gro

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian
Perfect thank you. I tend to get too wordy in my emails. You've described exactly what I'm going for. Follow up question - Will a similar approach work for users (not groups) as well if there is a small collection of AD-defined people I want to hold and distribute SSH public keys for? Happ

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Alexander Bokovoy
On Wed, 19 Oct 2016, Chris Dagdigian wrote: Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA ser

Re: [Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Baird, Josh
Hi, If I'm understanding you correctly - you will want to nest 'external' groups into POSIX groups for assigning policy (HBAC, sudo, etc) to your AD users. There are examples of this in the IdM documentation, but the gist is: * Create an 'external' group in IPA (eg, ipa-group-add external_admi

[Freeipa-users] Novice question re IPA management of host RBAC login, sudo and ssh key management for users who are only in Active Directory

2016-10-19 Thread Chris Dagdigian
Thanks to great tips and pointers from people on this list (h/t Alexander B) I was able to build an IPA master + replica setup that can recognize and allow logins from users coming from multiple disconnected AD Forests with 1-way trusts to the IPA servers Sanitized view of our AWS footprint:

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
From: "Bertrand Rétif" > To: freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 15:42:07 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > - Original Message - > > From: "Rob Crittenden" > > > To: "Bertrand Rétif" , freeipa-users@redhat.com > > > Sent

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:59:57PM +0200, thierry bordaz wrote: > > > On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: > > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > >

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 07:05:14PM +0200, thierry bordaz wrote: > > > On 10/19/2016 06:54 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: > > > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Lu

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 06:54 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our re

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 06:28 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 06:33:05PM +0200, thierry bordaz wrote: > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: > > > > We had one of our replicas fail today with the fol

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread thierry bordaz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffa

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 05:41:37PM +0200, Ludwig Krispenz wrote: > > On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: > > > > On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: > > > On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote:

Re: [Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread Florence Blanc-Renaud
On 10/19/2016 05:23 PM, beeth beeth wrote: I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html). Floren

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
- Original Message - > From: "Rob Crittenden" > To: "Bertrand Rétif" , freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 15:30:14 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > Bertrand Rétif wrote: > >> From: "Martin Babinsky" > >> To: freeipa-users@r

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 05:02 PM, Ludwig Krispenz wrote: On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:

[Freeipa-users] Renew / Replace third-party certificate for IPA Servers(primary and replica)

2016-10-19 Thread beeth beeth
I once asked about Install IPA servers with certificate provided by third-party like Verisign (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html). Florence, Rob and Jakub from Redhat had been very helpful, and pointed out the solution at https://access.redhat.com/documenta

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 03:48 PM, Andrew E. Bruno wrote: On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffal

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Andrew E. Bruno
On Wed, Oct 19, 2016 at 10:13:26AM +0200, Ludwig Krispenz wrote: > > On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: > > We had one of our replicas fail today with the following errors: > > > > > > [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" > > (srv-m14-32:389) -

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite ok with that. Jan -- Message: 1 Date: Wed, 19 Oct 2016 12:28:31 +0200 From: Sumit Bose To: freeipa-users@redhat.com Subject: Re: [Freeipa

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Rob Crittenden
Bertrand Rétif wrote: From: "Martin Babinsky" To: freeipa-users@redhat.com Sent: Wednesday 19 October 2016 08:45:49 Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue On 10/18/2016 11:22 PM, Bertrand Rétif wrote: Hello, I had an issue with pki-tomcat. I had several

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Rob Crittenden
James Harrison wrote: Hi, Martin thanks for your quick response. Based on your comments, I have further questions. >> equal peers and can be considered masters 1. Is there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas" to

Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue

2016-10-19 Thread Bertrand Rétif
> From: "Martin Babinsky" > To: freeipa-users@redhat.com > Sent: Wednesday 19 October 2016 08:45:49 > Subject: Re: [Freeipa-users] Impossible to renew certificate. pki-tomcat issue > On 10/18/2016 11:22 PM, Bertrand Rétif wrote: > > Hello, > > > > I had an issue with pki-tomcat. > > I had several ce

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi, Martin thanks for your quick response. Based on your comments, I have further questions. >> equal peers and can be considered masters 1. Is there any urgency for us to recreate a "master" server to perform any "master" type functions? How do we re-attach "replicas" to this new "master"? >>

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Sumit Bose
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote: > Hi, > > thank you for help. > > This is my sssd.conf from server : > > [domain/vs.example.cz] > debug_level = 7 > cache_credentials = True > krb5_store_password_if_offline = True > ipa_domain = vs.example.cz > id_provider = i

Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Hi, thank you for help. This is my sssd.conf from server : [domain/vs.example.cz] debug_level = 7 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = vs.example.cz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = tidmipa02.vs.example.c

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread Martin Babinsky
On 10/19/2016 11:35 AM, James Harrison wrote: Hi James, Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. I have some questions: 1. Do DNS replicate among other replicas if we change/add DNS records? If not can this behaviour be changed? IPA-integrated DNS stores records in

[Freeipa-users] ipa-cacert-manage install failing with subject public key info mismatch

2016-10-19 Thread David Dejaeghere
Hello, When installing FreeIPA we used the CA from our Windows servers. This one recently expired and we created a new one. It seems that the new root CA has another subject name and this seems to be an issue when we want to install new certs on our FreeIPA hosts. ipa-cacert-manage install certn

[Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
Hi, We're using FreeIPA on Ubuntu Xenial. We lost the Master server. I have some questions: 1. Do DNS replicate among other replicas if we change/add DNS records? If not can this behaviour be changed? 2. How do we promote a replica to become a master? We have not configured our servers to become

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Thanks. This error did not include ipaca, which is discussed a lot on this list. So I was not sure. There was indeed a dangling reference to an old replica. Removed now. ipa-replica-manage clean-ruv did the trick. On 19 October 2016 at 14:14, Petr Spacek wrote: > On 19.10.2016 10:14, Ludw

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Petr Spacek
On 19.10.2016 10:14, Ludwig Krispenz wrote: > > On 10/19/2016 09:39 AM, Prashant Bapat wrote: >> Some more info. >> >> This is happening on one of the hosts for which replica-info file was >> generated but for some reason the replica installation failed. So I went >> ahead and deleted and created

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Ludwig Krispenz
On 10/19/2016 09:39 AM, Prashant Bapat wrote: Some more info. This is happening on one of the hosts for which replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again and this time installation went th

Re: [Freeipa-users] replica DS failure deadlock

2016-10-19 Thread Ludwig Krispenz
On 10/18/2016 08:52 PM, Andrew E. Bruno wrote: We had one of our replicas fail today with the following errors: [18/Oct/2016:13:40:47 -0400] agmt="cn=meTosrv-m14-32.cbls.ccr.buffalo.edu" (srv-m14-32:389) - Can't locate CSN 58065ef300010003 in the changelog (DB rc=-30988). If replication

Re: [Freeipa-users] Lots of error messages in logs after upgrade

2016-10-19 Thread Prashant Bapat
Some more info. This is happening on one of the hosts for which replica-info file was generated but for some reason the replica installation failed. So I went ahead and deleted and created the replica file again and this time installation went through fine. Should this cause logs like this? These m

Re: [Freeipa-users] DNS question on named.ca

2016-10-19 Thread Petr Spacek
On 19.10.2016 00:55, Sean Hogan wrote: > > Hi all, > > I have a DNS question on how/why my IPA DNS servers are trying to hit > the root DNS internet servers. My IPA servers are in private networks only > serving DNS for the private domains they manage but recently the network > team > indicat