On 05/15/17 16:44, Rob Crittenden wrote:
>
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask about switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA
Hi folks,
I have to renew (or replace) the externally signed certificate
on my ipa servers using a new ca. Apparently the tool of choice
is ipa-cacert-manage.
Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
Problem is, I cannot estimate the risk and if it's worth the
Hi folks,
RHEL 7.3, sssd 1.14.0:
If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
(without telling why) and users cannot login. *Extremely* painful.
Do you think ipa-client-install could add
selinux_provider = none
to the generated sssd.conf file, if selinux is
Hi folks,
I stumbled over this problem:
http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
The details don't really matter. The important point is that
the root certificate used to sign freeipa's certificate
appears
On 03/05/17 11:47, Timo Aaltonen wrote:
>
> pam-auth-update configures pam, there's nothing else to be configured..
> I just ran ipa-client-install on Ubuntu zesty with freeipa-client
> 4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:
>
> services = nss, sudo, pam, ssh
>
>
On 03/03/17 10:14, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>
>> This is systemd-only?
>>
>> Wouldn't it be better to create a working sssd.conf, no matter
>> what?
>
> It is up to whoever is creating the sssd.con
Hi Jakub,
On 03/03/17 09:32, Jakub Hrozek wrote:
> On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
>> Debian Stretch
> ~~
> This is important I guess.
>
>
Hi folks,
running freeipa client 4.3.2-5 and sssd 1.15.0-3 on Debian
Stretch ipa-client-install creates a bad sssd.conf file, e.g.
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider =
On 02/11/17 11:57, Alexander Bokovoy wrote:
> On la, 11 helmi 2017, Michael Ströder wrote:
>>
>> (Personally I'd avoid going through PAM.)
> Any specific reason for not using pam_sss? Remember, with SSSD involved
> you get also authentication for trusted users from Active Directory
> realms. You
On 02/10/17 15:07, Tomasz Torcz wrote:
> On Fri, Feb 10, 2017 at 02:03:48PM +0100, Harald Dunkel wrote:
>> Hi folks,
>>
>> did anybody succeed in using Freeipa for Jenkins' LDAP module?
>> I can't make it work :-(.
>
> I'm using Jenkins with FreeIPA, but
Hi folks,
did anybody succeed in using Freeipa for Jenkins' LDAP module?
I can't make it work :-(.
On the command line the jenkins user appears to have read access
to the LDAP database. The config UI for Jenkin's LDAP plugin
doesn't complain, either. Jenkins System Log appears to be fine.
But if
Hi Thierry,
On 01/30/17 09:10, thierry bordaz wrote:
>
> I understand your concern and in fact it is difficult to anticipate a
> potential bad impact of this cleanup. However, I think it is safe to get rid
> of the following entry.
> Before doing so you may check it exists
>
>
Hi Thierry,
On 01/26/17 16:55, thierry bordaz wrote:
>
>
> Those entries are managed entries and it is not possible to delete them from
> direct ldap command.
> A solution proposed by Ludwig is to first make them unmanaged:
>
>
Hi Thierry,
good news: I got rid of most of the conflicting entries. There
are only 2 left (see below). They look circular somehow.
Please note that the unwanted list of ipa servers is empty. The
official list looks OK. The record for cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de
looks fine, too.
Hi Thierry,
On 01/24/17 17:56, thierry bordaz wrote:
>
>
> On 01/24/2017 04:18 PM, Harald Dunkel wrote:
>>
>> Would you suggest to disconnect ipabak from the network and ipa1,
>> cleanup the mess as far as possible, and then connect ipabak
>> to the netwo
Hi Thierry,
On 01/24/17 15:01, thierry bordaz wrote:
>> Hopefully yes, but there were 2 conflicts that already made some
>> problems:
>>
>> deleting entry
>> "cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de"
>> ldap_delete: Server is unwilling
On 01/24/17 12:57, thierry bordaz wrote:
>
> If I understand correctly the iterations of development I do not understand
> why, at this point, you need to reconnect ipabak.
> After you create ipabak replica, you take a snapshot of it (let ipabak_0),
> then disconnect it from ipa1/ipa2.
>
>
Hi Thierry,
On 01/23/17 17:45, thierry bordaz wrote:
>
>
> On 01/23/2017 05:09 PM, Harald Dunkel wrote:
>>
>> I created a full replica (including CA) in an LXC container today
>> ("ipabak"). The idea is to take a snapshot of the whole container,
>
Hi Thierry,
On 01/23/17 11:59, thierry bordaz wrote:
> We need to get a clear status before trying to swap them.
> For example in your attachment the valid entry is member of 'DNS Admin' while
> the conflict one is not. So possibly the valid entry is the one to keep.
>
> Conflicts entry
> dn:
Hi Thierry,
On 01/20/17 14:17, thierry bordaz wrote:
>
> I agree that it is looking like the conflict entry is the most up-to-date one.
> To try to repair, it would help if you can search groups
>
> cn=System: Read DNS Configuration,cn=permissions,cn=pbac,dc=example,dc=de
> cn=System: Write DNS
Hi Jakub,
On 01/21/17 13:49, Jakub Hrozek wrote:
>
> Can you check what kind of query do you see in the LDAP server log?
>
The git server does just a few queries per hour:
[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH
On 01/20/17 18:42, Simo Sorce wrote:
>
> Is your server being used for authentication ?
> SSSD, by default, always refreshes user credentials on authentication,
> but you can use the cached_auth_timeout setting to relax this
> requirement in SSSD, and reduce the roundtrips for auth attempts.
>
Hi folks,
I see a pretty large number of ldap requests sent by our git
server, asking for the same account info again and again.
Sometimes it asks 20 times per second for the same user info,
for example.
Obviously caching doesn't work. I remember some note in the
installation guide suggesting to
On 01/18/17 16:22, Ludwig Krispenz wrote:
> I think the procedure in the link about renaming is only needed if you want
> to keep both entries with a "normal" dn. But you want to get rid of the
> conflict entries. Since you have to cleanup each of them individually I
> would suggest to start
On 01/19/17 16:23, Harald Dunkel wrote:
> Now I get this:
>
> [root@ipa1 ~]# kinit admin
> kinit: Generic error (see e-text) while getting initial credentials
>
Fortunately this went away after a reboot of the servers.
Phew
Harri
Now I get this:
[root@ipa1 ~]# kinit admin
kinit: Generic error (see e-text) while getting initial credentials
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
On 01/17/17 11:38, Sumit Bose wrote:
> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>> It seems something got corrupted in my ipa setup. I found this in the
>> sssd log file on Wheezy:
>>
>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0
On 01/17/17 21:59, Lukas Slebodnik wrote:
> On (16/01/17 07:53), Alexander Bokovoy wrote:
>>
>> The spam bot actually mines the mailing list archives and sends emails
>> based on that one.
>>
I am not sure how to apply it in this case, but time is money for these
spammers. Maybe it is possible to
Hi Ludwig,
On 01/17/17 17:01, Ludwig Krispenz wrote:
>
> On 01/17/2017 04:48 PM, Harald Dunkel wrote:
>> On 01/17/17 16:12, Harald Dunkel wrote:
>>> On 01/17/17 11:38, Sumit Bose wrote:
>>>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
On 01/17/17 16:12, Harald Dunkel wrote:
> On 01/17/17 11:38, Sumit Bose wrote:
>> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>>> It seems something got corrupted in my ipa setup. I found this in the
>>> sssd log file on Wheezy:
On 01/17/17 11:38, Sumit Bose wrote:
> On Tue, Jan 17, 2017 at 10:44:14AM +0100, Harald Dunkel wrote:
>> It seems something got corrupted in my ipa setup. I found this in the
>> sssd log file on Wheezy:
>>
>> (Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0
It seems something got corrupted in my ipa setup. I found this in the
sssd log file on Wheezy:
(Tue Jan 17 10:19:02 2017) [hbac_shost_attrs_to_rule] (0x0400): Processing
source hosts for rule [allow_all]
(Tue Jan 17 10:19:02 2017) [hbac_eval_user_element] (0x0080): Parse error on
[cn=System:
On 08/08/2016 03:28 PM, Martin Basti wrote:
>
>
> On 08.08.2016 13:28, Harald Dunkel wrote:
>> Hi Martin,
>>
>> On 08/08/2016 09:41 AM, Martin Basti wrote:
>>> Hello, this is probably issue https://fedorahosted.org/389/ticket/48388
>>>
>>
Hi Martin,
On 08/08/2016 09:41 AM, Martin Basti wrote:
> Hello, this is probably issue https://fedorahosted.org/389/ticket/48388
>
> It was fixed, but IMO not backported to centos7.2
>
> Martin
>
>
>
Does it put my ipa installation at risk? Are the backups
generated by ipa-backup corrupted?
Hi Alexander,
thanx very much for your detailed answer. There is one problem,
though: gss-proxy is not available for most of my systems (Debian,
Ubuntu, RedHat 6, ...).
It's not in sssd 1.13.4, so I wonder if gss-proxy is a part of the
most recent freeipa releases?
Regards
Harri
On 06/09/16 15:16, Harald Dunkel wrote:
> Hi folks,
>
> Platform: freeipa 4.2 (Centos7)
>
> Problem: My cron job needs a ticket to run ldapsearch. The
> error message is:
>
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local erro
Hi folks,
Platform: freeipa 4.2 (Centos7)
Problem: My cron job needs a ticket to run ldapsearch. The
error message is:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
On 05/13/16 14:48, Lukas Slebodnik wrote:
> You might see in ticket that planned milestone is "Future Releases"
> that isn't any particular release (4.4.x ...)
>
> It basically means that patches are welcome.
> That's how it works in open source world.
>
> LS
>
Sorry, I got confused about the
On 05/13/16 14:45, Lukas Slebodnik wrote:
> On (12/05/16 15:35), Harald Dunkel wrote:
>> On 05/12/16 13:48, Lukas Slebodnik wrote:
>
>>> I would like to fix it but I do not know what to fix.
>>>
>>> Is there anything interesting/suspicious in
On 04/26/16 17:29, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>
Since 24beta is out without fixing
https://fedorahosted.org/freeipa/ticket/5639
On 05/12/16 13:48, Lukas Slebodnik wrote:
> It would be nice if you could provide reliable reproducer.
> I'm sorry we do not have a crystal ball and sssd log files
> did not help either. They are truncated.
>
That's all I got.
> I would like to fix it but I do not know what to fix.
>
> Is
On 05/12/16 10:26, Lukas Slebodnik wrote:
> On (12/05/16 09:42), Harald Dunkel wrote:
>>
>> It happened again :-(. This *really* needs to be fixed.
>> I wouldn't like to move back to ypbind.
>>
> I would like to, if I knew what to fix and how to reliably reproduce.
>
Hi folks,
On 02/23/16 13:46, Lukas Slebodnik wrote:
> On (23/02/16 13:01), Harald Dunkel wrote:
>> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>>> I would rather focus on different thing.
>>> Why is sssd_be process blocked for long time?
>>>
>>
Hi folks,
the freeipa packages for client and server on Debian depend
upon ntp. Is this hard requirement really necessary? Usually
ntp is useless in containers (e.g. LXC), since the hardware
access is not permitted and since there is exactly one
Hi Lukas,
On 05/03/16 10:21, Lukas Slebodnik wrote:
> But that's not a problem of sssd. It's a bug in the cron service file. If cron relies
> on user lookup then it should not be started before nss-user-lookup.target.
>
> Fedora has correct service file
Hi Lukas,
On 05/02/16 17:59, Lukas Slebodnik wrote:
> Could you provide output of "systemctl cat sssd.service"?
> In my case, it should be started before nss-user-lookup.target
>
> # /usr/lib/systemd/system/sssd.service
> [Unit]
> Description=System Security Services Daemon
> #
Hi folks,
System: freeipa client, Debian 8 (using systemd), cron 3.0pl1-128,
sssd 1.13.4-2
Problem:
Cron fails to start a few "@reboot" jobs at boot time. cron.log
shows:
:
May 2 13:36:48 fpsde8i002 anacron[197]: Anacron 2.3 started on 2016-05-02
May 2 13:36:48 fpsde8i002 anacron[197]: Normal
On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>
Is this 3rd party code?
Anyway, I was talking about a *private* backport of freeipa
Hi Timo,
On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>
> The old package used to create /etc/pki/nssdb on postinst, but with 644
> permissions so I'm not sure why they have 600 here. 4.1.4 in
> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
> to unstable this week, which
Hi David,
> Hello Harri,
>
> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the
> permissions are set to:
>
> $ ls -dl /etc/ipa/nssdb/
> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>
> $ ls -l /etc/ipa/nssdb/
> total 80
> -rw-r--r--. 1 root root 65536 Apr
Hi folks,
I have no luck with the ipa cli, so I wonder if it is
possible to ldapsearch for disabled or enabled users?
A command line like
ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com uid=somebody
doesn't show :-(.
Every helpful hint is highly welcome
Harri
Hi folks,
If I run "kinit admin; ipa -v ping" as a regular user, then I get
ipa: INFO: trying https://ipa2.example.com/ipa/json
ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with
(SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old,
unsupported format.
ipa:
Hi Lukas,
On 03/19/16 10:59, Lukas Slebodnik wrote:
> On (19/03/16 10:38), Harald Dunkel wrote:
>
>> Since freeipa doesn't work with anything else but systemd it's a little bit
>> cheap now to say "not my problem",
On 03/16/16 14:43, Lukas Slebodnik wrote:
> On (16/03/16 14:30), Harald Dunkel wrote:
>> (Wed Mar 16 13:25:05 2016) [sssd] [sbus_add_watch] (0x2000):
>> 0xb3e070/0xb3dda0 (14), R/- (enabled) (Wed Mar 16 13:25:05 2016) [sssd]
>
Hi Jakub,
On 03/16/16 09:30, Jakub Hrozek wrote:
>
> If you can reproduce the issue, it would be nice to increase the debug_level
> a bit so that the debug logs are more verbose..
>
Using debug level 9 I got
(Wed Mar 16 13:24:57 2016) [sssd]
On 03/15/16 19:21, Jakub Hrozek wrote:
> On Tue, Mar 15, 2016 at 06:42:01PM +0100, Harald Dunkel wrote:
>>
>> Shouldn't it keep on trying, or retry after a few minutes?
>
> We don't
Hi folks,
If I reboot my LXC server, then sssd doesn't come up in some containers.
The logfile of an affected host shows
-- Reboot --
Feb 27 17:17:23 lxc1.example.com systemd[1]: Starting System Security Services
Daemon...
Feb 27 17:17:53
Hi Jakub,
On 02/24/2016 09:24 AM, Jakub Hrozek wrote:
>
> Do you have debug_level=N in the [domain] section?
>
I have set N=5. Is this OK to set global debugging for all
modules? I am used to set something like
debug_level = info
but the man page doesn't tell.
Regards
Harri
Hi Lukas,
On 02/23/16 13:46, Lukas Slebodnik wrote:
> On (23/02/16 13:01), Harald Dunkel wrote:
>> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>>> I would rather focus on different thing. Why is sssd_be process blocked
On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
> I would rather focus on different thing.
> Why is sssd_be process blocked for long time?
>
I have no idea. Was it really blocked?
> Do you use enumeration?
> If yes do you really need it.
Nope.
>
> Workaround might be to increase timeout
On 02/23/2016 10:00 AM, Jakub Hrozek wrote:
>
> Typically, this happens when the machine SSSD is running on is very
> busy, the sssd_be process is blocked writing some large result from
> LDAP, the monitor process considers it stuck and kills it. However, we
> /should/ restart and reconnect the
Hi folks,
journalctl shows me a bazillion logfile entries:
Jan 12 20:02:04 host.example.com sssd[be[2362]: WARNING: Using deny rules is
deprecated, the option ipa_hbac_treat_deny_as will be removed in the next
upstream version
This makes about 10% of the whole log.
What am I supposed to
On 02/22/2016 03:51 PM, Jakub Hrozek wrote:
>
> Is there anything else in the logs (/var/log/sssd/*)
>
Only some events after sssd went away:
srvvm01:/var/log/sssd# cat sssd.log.1
(Sun Feb 21 18:02:21 2016) [sssd] [monitor_restart_service] (0x0010): Process
[nss], definitely stopped!
Hi folks,
this morning I recognized that the sssd on our mail server
went away (which is fatal). journalctl -u sssd sssd says
:
Feb 21 18:01:55 srvvm01.example.com sssd[199]: Killing service [example.com],
not responding to pings!
Feb 21 18:01:55 srvvm01.example.com sssd[199]: Killing service
Hi Jakub,
On 02/19/2016 04:04 PM, Jakub Hrozek wrote:
> On Fri, Feb 19, 2016 at 03:27:50PM +0100, Harald Dunkel wrote:
>> Hi Lukas,
>>
>> I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
>> an experimental feature.
>> Would you suggest to drop it
Hi Lukas,
I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
an experimental feature. Would you suggest to drop it
in ipa-client-install?
IMHO this is a pretty annoying bug. I rely upon a port
redirection for ssh on IPv4. For IPv6 there is no
redirection, but the port is blocked in the
Hi folks,
is it just me, or does sss_ssh_knownhostsproxy break
ssh -4 host.example.com
?
host.example.com has A and entries in DNS, of course.
If I comment out the line in ssh_config
# ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
then I get the expected IPv4
Found it. The error message on the ipa server (in /var/log/httpd/error_log)
was less misleading:
SSL Library Error: -12195 Peer does not recognize and trust the CA that issued
your certificate
After installing the ca-certificates package and adding the
root certificate to it the problem was
Hi folks,
Problem: ipa-client-install fails with
# rm -f /etc/ipa/ca.crt
# ipa-client-install
Discovery was successful!
Hostname: srvl023.ac.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these
Hi Rob,
On 01/29/2016 04:12 PM, Rob Crittenden wrote:
>
> What version of server and client?
>
Server is freeipa 4.2 (Centos 7.2)
Client is freeipa 4.0.5 (Debian 8)
Sorry, I should have mentioned this in my first post.
I am running >200 clients in this environment, appr. 40% are
Debian
On 01/03/16 21:39, Alexander Bokovoy wrote:
> Yes, this looks like a bug in the ipa-nis-manage which is a bit larger than I
> thought originally.
>
> You can restore maps by running
>
> ipa-ldap-updater /usr/share/ipa/nis.uldif
>
> after that
PS: Please excuse the double post. It was an accident.
Harri
Hi Alex,
On 01/03/16 13:31, Alexander Bokovoy wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1286781 is the bug. It has
> recommended workaround in comment 1.
>
What exactly is meant by "remove all NIS plugin entries"?
I had the impression
On 01/03/16 19:29, Alexander Bokovoy wrote:
> Alternatively, do following:
>
> ipa-nis-manage disable
>
> ldapsearch -xLLL -D "cn=Directory Manager" -W -s onelevel -b "cn=NIS
> Server,cn=plugins,cn=config" dn
>
> You'll get list of DNs like
Hi folks,
Using FreeIPA 4.2 (Centos 7.2) I have enabled NIS support as described in
Red_Hat_Enterprise_Linux-7-Linux_Domain_Identity_Authentication_and_Policy_Guide-en-US.pdf
14.5.2 "Enabling the NIS Listener". Esp. I ran
ipa-nis-manage
Hi folks,
I have enabled NIS support as described on
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/migrating-from-nis.html
Esp. I have run
ipa-nis-manage enable
ipa-compat-manage enable
systemctl enable rpcbind
and rebooted the FreeIPA server
Hi folks,
how come that '--setup-ca' is not the default for
ipa-replica-install? What is best practice wrt creating
a local ca on the replicas?
Every insightful comment is highly appreciated.
Best seasons greetings
Harri
On 12/16/2015 12:27 PM, Alexander Bokovoy wrote:
> I've asked you to provide ipaserver-install.log in the bug. Without it
> it is a bit hard to see how to help. Let's continue in the bug.
Bug report has been updated.
On 12/15/2015 04:04 PM, Alexander Bokovoy wrote:
> It makes possible others to see your specific details as this is the
> first time we get such bug report.
Done: https://bugzilla.redhat.com/show_bug.cgi?id=1292042
Now what would you suggest as a workaround?
ipa-server-install asked me to get the csr signed and come back,
but then it refused to continue:
# ipa-server-install -n example.com -r EXAMPLE.COM --external-ca
--subject="C=DE,O=example AG" --setup-dns --forwarder=8.8.4.4
--forwarder=8.8.8.8
:
:
The next step is to get /root/ipa.csr signed
Hi folks,
apparently ipa-server-install (4.2) gets confused about the
attribute sequence in the DNs of the certificates. If I use
ipa-server-install --external-ca --subject="C=DE,O=example AG"
then ipa's csr contains
O=example AG, C=DE, CN=Certificate Authority
The signed
On 12/15/2015 02:51 PM, Alexander Bokovoy wrote:
> Could you please file a bug about it?
I tried, but trac refused my username/password for redhat.com.
Due to greylisting I haven't received the confirmation request
by EMail, either.
Anyway, I have to continue getting ipa running. Filing a
bug
Hi folks,
currently I have a DNS domain "example.com" with several
subdomains "s1.example.com", "s2.example.com", etc. (using
NIS for IM). DNServer is bind9. There is a special stub zone
"ws.example.com" provided by AD (including the correct
TXT DNS records).
Now I would like to move the Unix
On 12/08/2015 03:08 PM, Petr Spacek wrote:
>
> Does
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs
>
> and
>
>
Hi Simo,
On 06/25/15 17:47, Simo Sorce wrote:
Harald,
the reason I (and others) started this project many years ago is that
trying to set up all components myself was boring and highly error
prone, and you would always end up with a bag of parts that had a lot of
mismatches, and some
Hi folks,
I have a general problem with freeipa: It is *highly* complex
and depends upon too many systems working together correctly
(IMHO).
My concern is, if there is a problem, then the usual tools
following the Unix paradigm (do one thing and do it well)
don't help anymore. I can speak only
Hi folks,
Instead of a self-signed certificate I would like to use an external
CA to sign freeipa's CSR (ipa-server-install --external-ca).
Question:
Is pathlen:0, e.g.
basicConstraints=critical,CA:TRUE, pathlen:0
sufficient for freeipa's CA certificate?
Regards
Harri
Hi folks,
I am very new to freeipa, so hopefully it's allowed to ask:
I need a single realm EXAMPLE.COM and DNS zones for example.com ,
develop.example.com, sales.example.com, etc. freeipa makes it
easy to create a subdomain using
ipa dnszone-add a.example.com
ipa dnszone-mod
88 matches