THAT WORKED THANKS ROB!! I OWE YOU A BEER!
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, November 13, 2015 9:29 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; James
Masson <james.mas...@jmips.co.uk>; Marti
For those of you that have been helping me...thank you! For all those
following along here is the status of my issues.
I ended up replacing the krbprincipal key and the user certificate in LDAP to
match what is on the master and I am no longer getting the invalid credentials
error! So thanks
Neither came back with anything
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(uid=ldap/comipa01.itmodev.gov)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
ov/2015:10:16:15 -0500] conn=38 fd=64 slot=64 connection from
172.16.100.161 to 172.16.100.161
[10/Nov/2015:10:16:15 -0500] conn=38 op=0 UNBIND
[10/Nov/2015:10:16:15 -0500] conn=38 op=0 fd=64 closed - U1
[10/Nov/2015:10:16:17 -0500] conn=39 fd=64 slot=64 connection from
172.16.100.161 to 172.16.
b5kdc will not start (kerberos authentication
error)
what do you get if you search for "objectclass=krbprincipal" ?
On 11/10/2015 05:27 PM, Rich Megginson wrote:
> On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote:
>> Neither came back with anything
>>
Note comipa01 is the master and comipa02 is the replica that is having the KDC
issue
# ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b
"dc=itmodev,dc=gov" '(krbprincipalname=ldap/comipa01.itmodev.gov*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
day, November 10, 2015 9:48 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 03:32 PM, Gronde, Christopher (Contractor) wrote:
> How do I
ay, November 10, 2015 12:03 PM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Rob
Crittenden <rcrit...@redhat.com>; Ludwig Krispenz <lkris...@redhat.com>;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
This is the mappings from the Master...it looks very different from the replica
# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base
class=ldapsubentry))" attrs=ALL
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=Name
Only,cn=mapping,cn=sasl,cn=config" scope=0
filter="(|(objectclass=*)(objectclass=ld
n reverse alphabetical
order, which is why cn=uid mapping,cn=mapping,cn=sasl,cn=config is being
applied first. I thought there had been changes to this, so that you could
explicitly define the order in which the mappings were applied.
>>
>> -----Original Message-
>> From: Mart
: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 02:40 PM, Alexander Bokovoy wrote:
> On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
>> Where can I verify or change the credentials it is trying to use? Is
>> it my LDAP password?
U1
[10/Nov/2015:08:51:05 -0500] conn=53 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, November 10, 2015 8:41 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@finc
Where can I verify or change the credentials it is trying to use? Is it my
LDAP password?
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, November 10, 2015 8:18 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
C
er 09, 2015 3:26 PM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Alexander
Bokovoy <aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
Gronde, Christopher (Contractor) wrote:
>
Nothing bad came back and there is definitely data in the tree.
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, November 09, 2015 11:46 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Alexander
Bokovoy <aboko...@redha
Hello all!
On my replica IPA server after fixing a cert issue that had been going on for
some time, I have all my certs figured out but the krb5kdc service will not
start.
# service krb5kdc start
Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see log
file for details
nn=2 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[09/Nov/2015:15:02:01 -0500] conn=2 op=3 UNBIND
[09/Nov/2015:15:02:01 -0500] conn=2 op=3 fd=64 closed - U1
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, November 09, 2015 3:26 PM
To: Gronde, Christopher
We have had huge issues with our ipa servers which have left some of our
applications offline. We want to stand up a temporary OpenLDAP server to
transfer the users to until we can get IPA back online. Is there a way to
export the ipa LDAP DB so that I can migrate the users into openldap?
V/r
ting down dirsrv:
ITMODEV-GOV... [ OK ]
Aborting ipactl
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, October 08, 2015 1:51 PM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
Cc: freeipa-us
: 1 instance(s) failed to start
Failed to start Directory Service: Command '/sbin/service dirsrv start '
returned non-zero exit status 1
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gronde, Christopher
(Contractor)
Sent
k: yes
auto-renew: yes
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, October 08, 2015 9:00 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and do
(Contractor) <christopher.gro...@fincen.gov>; Alexander
Bokovoy <aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not workingissues
manually renewing Server-Cert
Gronde, Christopher (Contractor) wrote:
> Now I am getting
-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, October 08, 2015 10:33 AM
To: Gronde, Chr
11:37 AM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Alexander
Bokovoy <aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not workingissues
manually renewing Server-Cert
Gronde, Christopher (Contractor) w
:[FAILED]
Shutting down dirsrv:
ITMODEV-GOV... [ OK ]
Aborting ipactl
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, October 08, 2015 1:51 PM
To: Gronde, Christopher (Contractor
I am new to FreeIPA and have inherited two IPA servers; not sure if one is a
master/slave or how they are different. I will try to give some pertinent
outputs below of some of the things I am seeing. I know the Server-Cert is
expired but can't figure out how to renew it. There also appears to