Re: [Freeipa-users] ipa server-del

2017-05-04 Thread Petr Vobornik
irsrv/$domain/access log from time of execution of the command. [1] https://www.freeipa.org/page/Troubleshooting#Administration_Framework -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to ht

Re: [Freeipa-users] I think I lost my CA...

2017-05-04 Thread Petr Vobornik
ult principal: ad...@damascusgrp.com Valid starting Expires Service principal 04/25/2017 18:48:26 04/26/2017 18:48:21 krbtgt/damascusgrp@damascusgrp.com # What's my best path of recovery? -- *Bret Wortman* The Damascus Group -- Petr Vobornik

Re: [Freeipa-users] LDAP size limit and the FreeIPA web UI

2017-05-03 Thread Petr Vobornik
DNS area. -- Petr Vobornik

Re: [Freeipa-users] Manual Cleanup

2017-03-17 Thread Petr Vobornik
On 03/16/2017 07:14 PM, Ian Harding wrote: I've made some progress. But I have one zombie replication agreement to kill, I just don't know the syntax. The output listed below is not a replication agreement. But there is a reference to RUV. freeipa-dal.bpt.rocks does not exist. I want all

Re: [Freeipa-users] Adjusting nsslapd-cachememsize

2017-03-17 Thread Petr Vobornik
is, "We've always done it this way." - Grace Hopper -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat, Inc.

Re: [Freeipa-users] Read-only replicas?

2017-03-14 Thread Petr Vobornik
://bugzilla.redhat.com/show_bug.cgi?id=1291240 It will help us prioritize and know what you actually expect from the feature. Regards, -- Petr Vobornik

Re: [Freeipa-users] Issue upgrading freeipa to ipa-server-4.4.0-14.el7.centos.4.x86_64

2017-03-14 Thread Petr Vobornik
xist? Also look to /var/log/krb5kdc.log for any interesting messages Thank you in advance! //Robert -- Petr Vobornik

Re: [Freeipa-users] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-28 Thread Petr Vobornik
On 02/27/2017 12:46 PM, Petr Vobornik wrote: Hello list, today and tomorrow a migration of FreeIPA issue tracker[1] and git repo will take place. It is due to FedoraHosted sunset [2]. Both will be migrated to pagure.io [3]. During this migration it won't be possible to add new tickets

Re: [Freeipa-users] CentOS 6 -> 7 migration

2017-02-28 Thread Petr Vobornik
ore Mark Zuckerberg invented friendship"

Re: [Freeipa-users] unable to decode: {replica

2017-02-28 Thread Petr Vobornik
al cleanup of RUVs might help. -- Petr Vobornik

[Freeipa-users] Migration of FreeIPA issue tracker - Trac and git repo to pagure.io

2017-02-27 Thread Petr Vobornik
://fedorahosted.org/freeipa/ [2] https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ [3] https://pagure.io/ Thank you for understanding, -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat, Inc.

Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Petr Vobornik
On 02/24/2017 05:13 PM, Iulian Roman wrote: On Fri, Feb 24, 2017 at 4:55 PM, Petr Vobornik <pvobo...@redhat.com <mailto:pvobo...@redhat.com>> wrote: On 02/24/2017 12:15 PM, Iulian Roman wrote: Hello, After a successful installation of the ipa-server when i

Re: [Freeipa-users] WEB UI - wrong fonts or incomplete page loaded

2017-02-24 Thread Petr Vobornik
o mitigate the possibility of an old cache) then it is weird. Maybe it is the antivirus. Do you have some Web UI plugin installed on the IPA server? Did anyone experience the same issue and is there any fix/solution for that? -- Petr Vobornik Associate Manager, Engineering, Identity Management Re

Re: [Freeipa-users] FreeIPA 4.2 CA issues

2017-01-26 Thread Petr Vobornik
e: > > Resubmitting certmonger request '20151222031110' timed out, please check the > request manually > > > Don't really know what else to try right now. > Could you check: Is directory server listening on ports 389 and 636? Is PKI server listening on port 8009 i.e. if you a

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-11 Thread Petr Vobornik
only get one, so it's up to you to subdivide the space. > For example: if you get 1.3.6.1.4.1.9, then you might decide to use: > > 1.3.6.1.4.1.9.1 = LDAP object classes > > 1.3.6.1.4.1.9.1.1 = myMailObjectClass > > 1.3.6.1.4.1.99999.1.2 = someOtherObjectClass

Re: [Freeipa-users] pki-tomcat failure

2017-01-11 Thread Petr Vobornik
+] conn=59668 op=0 BIND dn="" > method=sasl version=3 mech=EXTERNAL > [10/Jan/2017:18:21:08.919725280 +] conn=59668 op=0 RESULT err=48 > tag=97 nentries=0 etime=0 > [10/Jan/2017:18:21:09.590236408 +] conn=59637 op=88 EXT > oid="2.16.840.1.113730.3.5.12" name=

Re: [Freeipa-users] FreeIpa client can't execute any command

2017-01-09 Thread Petr Vobornik
ow to debug this situation? > > P.S. Hosts - Centos 7. DNS on demo3. > > Regards, > Andrey > Does following sequence work the same way on both demo3 and demo5? $ kdestroy -A $ kinit someadmin $ kvno HTTP/demo3.xxx.com Does `ipactl status` show that all services are runnin

Re: [Freeipa-users] ipa replica installation help

2017-01-05 Thread Petr Vobornik
.cli.install_tool(Replica): ERRORThe > > ipa-replica-install command failed. See > /var/log/ipareplica-install.log for > > more information > > > > > > Also ipv6 is disabled on both nodes > > > > Regards, >

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Petr Vobornik
> domain level uses different mechanism to stand up replicas. See the latest > IdM documentation[1] for more details. > > [1] > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/crea

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-03 Thread Petr Vobornik
b/FreeIPA33-extending-freeipa.pdf > > -Original Message- > From: Petr Vobornik [mailto:pvobo...@redhat.com] > Sent: 02 January 2017 22:21 > To: Singh, NirajKumar <nirajkumar.si...@accenture.com>; > freeipa-users@redhat.com > Subject: Re: [Freeipa-users]

Re: [Freeipa-users] FIPS 140-2 Compliance

2017-01-03 Thread Petr Vobornik
most likely be part of FreeIPA 4.5. -- Petr Vobornik

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Petr Vobornik
in Web UI, the user adder dialog doesn't have an email field. To add it there a Web UI plugin would be needed. > > 2017-01-02 17:50 GMT+01:00 Petr Vobornik <pvobo...@redhat.com>: >> On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote: >>> Hi Team, >>> >&

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-02 Thread Petr Vobornik
n't support such configuration out of the box. It is theoretically possible to implement an IPA server-side plugin to mark the field as required. It may not be straightforward though. -- Petr Vobornik

Re: [Freeipa-users] FreeIPA User Authorization Guidelines Required

2016-12-20 Thread Petr Vobornik
tems for the purposes > of > information security and assessment of internal compliance with Accenture > policy. > ______ > > www.accenture.com > > > -- Petr Vobornik

Re: [Freeipa-users] Replica Creation Issue

2016-12-15 Thread Petr Vobornik
[ OK ] Restarting HTTP Service Stopping httpd:[ OK ] Starting httpd:[ OK ] Restarting CA Service [ OK ] Starting pki-ca: [ OK ] -- Petr Vobornik

Re: [Freeipa-users] ipa-replica-install failing, dirsrv not starting properly during install process

2016-11-29 Thread Petr Vobornik
temctl restart dirsrv@SOMETHING-BE.service' returned non-zero >>>> exit >>>> status 1). See the installation log for details. >>>> [28/43]: setting up initial replication >>>> [error] error: [Errno 111] Connection refused >>>> Your system may be partly configured. >>>> Run /usr/sbin/ipa-server-install --uninstall to clean up. >>>> >>>> >>>> [29/Nov/2016:11:29:44.034285579 +0100] SSL alert: Security >>>> Initialization: >>>> Can't find certificate (Server-Cert) for family >>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - >>>> security library: bad database.) >>>> [29/Nov/2016:11:29:44.045039728 +0100] SSL alert: Security >>>> Initialization: >>>> Unable to retrieve private key for cert Server-Cert of family >>>> cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - >>>> security library: bad database.) >>>> >>>> >>>> >>>> >>> Hello David, >>> >>> The error from the log indicates that either the NSSDB for dirsrv is not >>> initialized or not accessible. >>> >>> Could you please send output of the following commands? >>> >>> # ls -lZ /etc/dirsrv/slapd-$REALM/ >>> # certutil -d /etc/dirsrv/slapd-$REALM/ -L >>> # ausearch -m avc -i >>> >>> >>> -- >>> David Kupka >>> -- Petr Vobornik

Re: [Freeipa-users] OTP Algorithm

2016-11-29 Thread Petr Vobornik
in. Is there a related setting we must change? > > Thanks, > > Callum > What type of OTP token do you use? Does it work with a different one? E.g. FreeOTP vs Google Authenticator ... -- Petr Vobornik

Re: [Freeipa-users] How to verify user with proxy server

2016-11-15 Thread Petr Vobornik
org/page/V4/OTP > > > > > > -- > Wishing you: > smooth work and a happy life! > -- > Changsha R&D Center, Zheng Lei > Phone: 18684703229 > Email: zheng...@kylinos.cn > Company: Tianjin Kylin Information Technology Co., Ltd. > Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan > ------ Original -- > *From: * "Petr V

Re: [Freeipa-users] How to verify user with proxy server

2016-11-14 Thread Petr Vobornik
u describe your use case in more detail? If you are asking about how to access IPA behind a proxy, then check out: https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name https://www.adelton.com/freeipa/freeipa-behind-ssl-proxy Or other proxy threads on this list. -- Petr V

Re: [Freeipa-users] IPA UI not accessible behind the load blancer

2016-11-14 Thread Petr Vobornik
DN/ipa/ui [L,NC,R=301] # Redirect to the fully-qualified hostname. Not redirecting to secure # port so configuration files can be retrieved without requiring SSL. RewriteCond %{HTTP_HOST}!^$FQDN$$ [NC] RewriteRule ^/ipa/(.*) http://$FQDN/ipa/$$1 [L,R=301] Which most likely causes the

Re: [Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?

2016-11-10 Thread Petr Vobornik
discrete standalone dev/test IPA domains/realms to create > isolated environments or is there some other good strategy that allows > testing to be done within the same domain/realm? > > Thanks! > > -Chris > -- Petr Vobornik

Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3

2016-11-10 Thread Petr Vobornik
34 > <https://bugzilla.redhat.com/show_bug.cgi?id=1370134> > > -- > Martin^3 Babinsky

Re: [Freeipa-users] IDM server doesn't boot after update to RHEL 7.3

2016-11-10 Thread Petr Vobornik
he > two > systems to isolate the problem. > I'm afraid that without more info (messages/journal) nobody will be able to help. But based on the description it seems that it didn't even get to the step where IPA is started. -- Petr Vobornik

Re: [Freeipa-users] Setting sssd for webui

2016-11-04 Thread Petr Vobornik
you see any way to make the webui directly authenticable? > > Thanks, > Sebastien Julliot. > Not sure what you want exactly. But if you want users to do a simple LDAP bind with username and password and nothing else then they can use the migration page: https://ipa.demo1.freeipa.org/ipa/

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Petr Vobornik
On 11/04/2016 02:42 PM, Brian Candler wrote: > On 04/11/2016 12:20, Petr Vobornik wrote: >> You can check with what options authconfig was called by: >> # cat /var/log/ipaclient-install.log | grep authconfig >> >> if --enablemkhomedir is not there then it is poss

Re: [Freeipa-users] mkhomedir difference between ipa master and ipa replica

2016-11-04 Thread Petr Vobornik
calls something like: # authconfig --enablemkhomedir --update You can check with what options authconfig was called by: # cat /var/log/ipaclient-install.log | grep authconfig if --enablemkhomedir is not there then it is possible that something else enabled it. -- Petr Vobornik

Re: [Freeipa-users] Setting "preserve" as default action when deleting in webUI

2016-10-30 Thread Petr Vobornik
ind it in minimized code. > > > Thank you in advance, > > Sebastien Julliot. > -- Petr Vobornik

Re: [Freeipa-users] cn=deleted users,cn=accounts

2016-10-27 Thread Petr Vobornik
ncy fixed in a later release? Yes, it has been fixed in the 4.4 release. > > Ciao, Michael. > -- Petr Vobornik

[Freeipa-users] Announcing FreeIPA 4.4.2

2016-10-13 Thread Petr Vobornik
evocation reasons * Don't show error messages in bash completion -- Petr Vobornik

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-23 Thread Petr Vobornik
On 09/21/2016 05:06 PM, Natxo Asenjo wrote: > hi Petr, > > On Wed, Sep 21, 2016 at 4:38 PM, Petr Vobornik <pvobo...@redhat.com > <mailto:pvobo...@redhat.com>> wrote: > > On 09/21/2016 10:50 AM, Natxo Asenjo wrote: > > > When I try to resubmit cert

Re: [Freeipa-users] down master still in ldap, prevents re-enrolement

2016-09-22 Thread Petr Vobornik
ce --clean ipa-replica-manage del master2 --force --clean In that order. First step only if master2 was installed with CA. Those commands should clean left-over data from master2. In a standard situation, the recommended uninstallation procedure for IPAs prior to FreeIPA 4.4 is: master1# ipa-csr

Re: [Freeipa-users] replica added, but clients still try renewing certificates with old master

2016-09-21 Thread Petr Vobornik
MO it is quite a serious bug which needs to be fixed (i.e. DNS discovery needs to be used). > > > Which was the problem on a recent thread on the list (trying to get rid of > this > replica now to fix this problem as well). > > So something is not redirecting properly and I would apprecia

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-16 Thread Petr Vobornik
On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote: > > > On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote: >> On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: >>> On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: I've tried that but still the same result. [root@ipa-server /]#

Re: [Freeipa-users] ipa-server-certinstall -w -d mysite.key mysite.crt

2016-09-16 Thread Petr Vobornik
rver-certinstall? > > Thanks for the Help > Looks to me like a bug: https://fedorahosted.org/freeipa/ticket/6032 It was fixed in FreeIPA 4.4.1 (will be in Fedora 25) -- Petr Vobornik

Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-16 Thread Petr Vobornik
ertain configuration in IPA LDAP because there are >> actual 389-ds plugins that depend on the configuration and work jointly >> with ipasam module in Samba to provide common setup. If 'ipasam' is >> missing, those modules also become useless. > -- Petr Vobornik

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Petr Vobornik
gt; > What I'd do is this. Assuming each step works, move onto the next. > > 1. ipa cert-show 1 > > The serial # picked more or less at random, we're testing connectivity > and that the CA is up and operational. > > 2. I assume that getcert list | grep expire shows all certs cu

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-16 Thread Petr Vobornik
ce of calls and hopefully not reproduce the issue. But the issue will still be present. -- Petr Vobornik

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-09 Thread Petr Vobornik
ate the replica .gpg file from a v3 installation > against > a v4.2 freeipa installation to check for any errors before going through the > ipa-replica-install? > The ipa-replica-install completes if I don't include the --setup-ca flag but > I > don't want that > There is no automatic method to verify the replica file. Could you share the stack trace from /var/log/pki/pki-tomcat/ca/debug + a couple of lines before and after? -- Petr Vobornik

Re: [Freeipa-users] Ansible Playbook

2016-08-17 Thread Petr Vobornik
A or Dogtag PKI: https://github.com/tiran/pki-vagans Might be helpful. -- Petr Vobornik

Re: [Freeipa-users] freeipa 4.4 online repo is down

2016-08-08 Thread Petr Vobornik
of regressions, especially in CLI, that it was not even announced. The FreeIPA team is working on stabilization which will result in FreeIPA 4.4.1. That release will most likely be available for Fedora 25 and also probably in a COPR repository for testing on CentOS 7. -- Petr Vobornik

Re: [Freeipa-users] Querying the dir srv

2016-08-05 Thread Petr Vobornik
gt; [...] > # ldapsearch -xLLL -D cn='Directory manager' -w > -b 'cn=users,cn=accounts,dc=example,dc=domain' '(objectClass=*)' '*' | > perl -p0e 's/\n //g' | less > > You can also take a look at > https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/constants.py#n78 >

Re: [Freeipa-users] Deleted Replica Problems

2016-08-04 Thread Petr Vobornik
ge del $tobedeleted` on different replica - run `ipa-replica-manage del $tobedeleted` on different replica - run `ipa-server-install --uninstall` on the to-be-delete-replica -- Petr Vobornik

Re: [Freeipa-users] Client is using only one of two servers

2016-08-04 Thread Petr Vobornik
ts installed? Autodiscovery works only if the client is also installed with autodiscovery. That means that if ipa-client-install is run with the --server option then autodiscovery is not used. This is documented in the ipa-client-install man page. HTH -- Petr Vobornik

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-01 Thread Petr Vobornik
_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment -- Petr Vobornik

[Freeipa-users] Announcing FreeIPA 4.3.2

2016-07-24 Thread Petr Vobornik
s * Added pyusb as a dependency * Deprecated the domain-level option in ipa-server-install * fixes premature sys.exit in ipa-replica-manage del * Remove dangling RUVs even if replicas are offline === Thierry Bordaz (1) === * Make sure ipapwd_extop takes precedence over passwd_modify_extop -- Petr

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-22 Thread Petr Vobornik
ipa/migration page does) Additional info which might interest you: * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords -- Petr Vobornik

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
is could be because of incorrect trust attributes trust on the > certificates, the current attributes are, > > [root@caer ~]# certutil -L -d /var/lib/pki-ca/alias > > Certificate Nickname Trust > Attributes >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-21 Thread Petr Vobornik
:11:46:20 EDT] > [20] [1] >SelfTestSubsystem: loading all self > test > plugin logger > parameters >8634.main - [18/Jul/2016:11:46:20 EDT] >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-18 Thread Petr Vobornik
CentOS 6.4 and IPA 3.0.0-26. > > >I followed the Redhat documentation,How do I manually renew > Identity >Management (IPA) certificates after they have expired? (Master IPA >Server), https://access.redhat.com/solutions/643753 but no luck. > >

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-18 Thread Petr Vobornik
effect. Demand for IPA-IPA trust is rising so it is definitely on our radar and has a chance to be implemented in one of the upcoming releases. For completeness, there is also an RFE to support IPA-SAMBA 4 DC trusts: https://fedorahosted.org/freeipa/ticket/4866 -- Petr Vobornik

Re: [Freeipa-users] DNS Forwarding stops working

2016-07-15 Thread Petr Vobornik
..@tremolosecurity.com > Twitter - @mlbiam / @tremolosecurity > I'd start with investigation of: # journalctl -u named-pkcs11 And with: # ipactl status -- Petr Vobornik

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-15 Thread Petr Vobornik
ated only on a replica with CA unless the whole topology is installed as CA-less (then it needs other options). It is strongly encouraged to have more than one replica with CA. Was anything in the directory server errors log on master? > > On Thu, Jul 14, 2016 at 8:22 AM, Petr Vobornik <pvobo...@redhat.com

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-15 Thread Petr Vobornik
>> replication agreements to clean it up? >> >> On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik <pvobo...@redhat.com >> <mailto:pvobo...@redhat.com>> wrote: >> >> On 07/14/2016 12:57 PM, Martin Kosek wrote: >> > On 07/13/

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-14 Thread Petr Vobornik
o the directory > >[2/8]: configuring KDC > >[3/8]: creating a keytab for the directory > >[4/8]: creating a keytab for the machine > >[5/8]: adding the password extension to the directory > >[6/8]: enable GSSAPI for replication > >[error]

Re: [Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Petr Vobornik
impler to > disconnect the replica, uninstall it and start again? > > Thanks > > Bob Hinton > Hi Bob, what is the version of your IPA packages? Do you use the latest update? Sounds like an issue which should be fixed in ipa-server-4.2.0-15.el7_2.5.x86_64 What are your umask settings? The issue happened when umask was set to 077 and then the softhsm dir was created with incorrect permissions. -- Petr Vobornik

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Petr Vobornik
. A possibility is to use SSSD as client on Debian. > > Has anyone done something like this before? Anyone have any ideas what the > migration path would look like or whether this is even possible? > > Thanks, > > Grant Wu > gran...@andrew.cmu.edu <mai

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Petr Vobornik
ire busy replica" seems OK if it disappears after a while. 2. "1 Unable to acquire replicaLDAP error: Can't contact LDAP" Probably worth investigating if ipa01- i2x.rsinc.local:389 and ipa01- jap.rsinc.local:389 still exist. If not then there is probably a dangling replication agre

Re: [Freeipa-users] Problem with properly removing replica master from cluster

2016-07-07 Thread Petr Vobornik
On 07/04/2016 05:54 PM, Christophe TREFOIS wrote: Dear all, First of all, thanks to mbasti for helping out so far. We have a 3-node master cluster (--setup-ca) on 4.1 and setup a 4th using 4.2.0 as we want to migrate there. First, we had some orphan entries in ipa-replica-manage list. We

Re: [Freeipa-users] ipa-replica-prepare Certificate issuance failed

2016-07-07 Thread Petr Vobornik
"krbExtraData" not allowed" error? After that, could you try to do step 3 of http://www.freeipa.org/page/Howto/Change_Directory_Manager_Password to check if the automatic password change which is done in ipa-replica-prepare failed, and if it is therefore the root cause. -- Petr Vobornik

Re: [Freeipa-users] how to make fIPA stick to only...

2016-07-01 Thread Petr Vobornik
ibe your environment and use case in more detail. It is not clear to me what you are trying to achieve or what doesn't work for you. Thank you -- Petr Vobornik

[Freeipa-users] Announcing FreeIPA 4.4.0 alpha1

2016-06-21 Thread Petr Vobornik
ipa-adtrust-install: Allow dash in the NETBIOS name spec: Bump required sssd version to 1.13.3-5 adtrustinstance: Make sure smb.conf exists l10n: Remove Transifex configuration ipalib: Fix user certificate docstrings idviews: Add user certificate attribute to user

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-17 Thread Petr Vobornik
d[22469]: WARNING: yacc > table file version is out of date > May 27 14:08:29 kaitain.pipebreaker.pl ipa-dnskeysyncd[22469]: WARNING: > Couldn't create 'pycparser.yacctab'. [Errno 13] Permission denied: > 'yacctab.py' > > Also (related?) error during 'ipactl' invocations: > $ ipactl

Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA Error 4301: CertificateOperationError)

2016-06-13 Thread Petr Vobornik
ert-signing master? > > Thanks, > > Dan > > /This message and any attachments may contain confidential or privileged > > information and are only for the use of the intended recipient of this > > message. If you are not the intended recipient, please notify the sender > > by return email, and delete or destroy this and all copies of this > > message and all attachments. Any unauthorized disclosure, use, > > distribution, or reproduction of this message or any attachments is > > prohibited and may be unlawful./ > > *From: *Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> > > *Date: *Friday, June 10, 2016 at 14:48 > > *To: *Daniel Finkestein <dan.finkelst...@high5games.com > <mailto:dan.finkelst...@high5games.com>>, > > "freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>" > <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>> > > *Subject: *Re: [Freeipa-users] FreeIPA 4.2.0: An error has occurred (IPA > > Error 4301: CertificateOperationError) > > I'd reinstall some rpms to properly create these: > > tomcat > > pki-base > > pki-server > > I'm not positive it will fix permissions, rpm -V on the same may point > > out problems as well. > > rob > > > -- Petr Vobornik

Re: [Freeipa-users] Replica without CA: implications?

2016-06-08 Thread Petr Vobornik
ords You need to identify which one is INCORRECT and then run the ipa-replica-manage clean-ruv $incorrect command. The CORRECT one can be identified with: ldapsearch -ZZ -h ipa2.localdomain.local -D "cn=Directory Manager" -W -b "dc=localdomain,dc=local" "(&(objectclass=ns

Re: [Freeipa-users] [FreeIPA 4.3.0] Limits exceeded for this query

2016-06-08 Thread Petr Vobornik
- what is the size and time limit configured -- Petr Vobornik

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread Petr Vobornik
y/2016:12:14:10 +0200] NSACLPlugin - The ACL target > cn=automember > > rebuild membership,cn=tasks,cn=config does not exist > > [26/May/2016:12:14:10 +0200] - Skipping CoS Definition cn=Password > > Policy,cn=accounts,dc=bioinf,dc=local--no CoS Templates found, w

Re: [Freeipa-users] Enforce use of OTP token for all users.

2016-05-16 Thread Petr Vobornik
On 05/16/2016 12:20 PM, Prashant Bapat wrote: > Any suggestions on how to achieve this ? > `ipa config-mod --user-auth-type=otp` will force otp auth for users with an OTP token. -- Petr Vobornik

Re: [Freeipa-users] Stuck at CA_UNREACHABLE and NEED_CSR_GEN_PIN

2016-05-16 Thread Petr Vobornik
5': > status: NEED_CSR_GEN_PIN > ca-error: Internal error: no response to > "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_nu > m=63=true=true". > stuck: yes > key pair storage: > type=NSSDB,location='/var/

Re: [Freeipa-users] Looking for documentation for Python API

2016-05-13 Thread Petr Vobornik
another way: is there a way to hand a user/pass to the Python API and >>>> authenticate that way. >>> >>> The API itself can be hit with user/password, as noted in Alexander's >>> blog. If >>> you want to use the actual Python API, Kerberos may be the only

Re: [Freeipa-users] DHCP plugin (don't get your hopes up)

2016-05-11 Thread Petr Vobornik
complex 'external' IPA plugin I've seen. You must have put quite a lot of effort into making it happen. Were there any areas in code/docs/wiki/... you encountered which you would like to see improved in FreeIPA or maybe some obstacles removed so that plugins like this can be made easier? Regards

Re: [Freeipa-users] Restore from backup, start server will error but succeed

2016-05-10 Thread Petr Vobornik
mand-line interface') >>> File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in >>> __init__ >>> self.modules = collections.OrderedDict() >>> AttributeError: 'module' object has no attribute 'OrderedDict' >>> Starting pki-ca: [ OK ] >>> >>> >>> Any idea above? >>> >>> >> >> You are using the old python, python 2.7 is required, which version of OS >> and IPA do you use? >> Martin >> > > > -- Petr Vobornik

Re: [Freeipa-users] Upgrade to new IPA

2016-05-10 Thread Petr Vobornik
entOS 6. Then migrate to RHEL 7 by creating a new replica, see the full process here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc -- Petr Vobornik

Re: [Freeipa-users] ipa-server-upgrade fails and CA cannot start

2016-05-10 Thread Petr Vobornik
won't say why the upgrader failed. Maybe it was a one-time glitch or it was related to the expired certs. The error message you got is in code which creates a connection to certmonger. But if there are expired certificates, the usual recovery is to move back time a day or two before the first certificate exp

Re: [Freeipa-users] service cert to a host/member/service

2016-05-05 Thread Petr Vobornik
ng these are set up by installer and to be managed by certmonger, > for > DS and web server for certificates auto management purposes? You can use the generic `getcert` tool to get all certs managed by certmonger and their location. It will also show you PKI internal certs. # getcert list `ip

Re: [Freeipa-users] Replication error

2016-05-02 Thread Petr Vobornik
.example.test:389} 56f3e2 nsds50ruv: {replica 9 ldap://ipa2.example.test:389} 56f3d2 nsds50ruv: {replica 6 ldap://ipa1.example.test:389} 56f3e2 Here the correct replica IDs are 8,5,5. Dangling are 3,9. So the cleanall ruv task would be run for 3,9, >

Re: [Freeipa-users] ipa-client password authentication failed

2016-05-02 Thread Petr Vobornik
ate. What IPA version from what repository do you use? Have you done any manual changes there? > > And yes, all I get on the browser is an empty white screen window, That is most likely a result of the above. > > On 30 April 2016 at 02:20, Petr Vobornik <pvobo...@redhat.co

Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

2016-05-01 Thread Petr Vobornik
/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html > > > For 'trusts' integration method, since user did not sync to IPA at all, how > to > set sudo/HBAC rules for users? I have not tried it. > > > Matrix > > > &g

Re: [Freeipa-users] ipa-client password authentication failed

2016-04-29 Thread Petr Vobornik
ere content of your /usr/share/ipa/wsgi/plugins.py file? Does it prevent to load Web UI? -- Petr Vobornik

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
t;"" Which may help us with root culprit. Do web ui or CLI work? > > On 04/29/2016 07:29 AM, Petr Vobornik wrote: >> On 04/29/2016 12:03 PM, Bret Wortman wrote: >>> The date change was due (I think) to me changing the date back to 4/1 >>> yesterday, though

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 02:53 PM, Bret Wortman wrote: > Despite "ipactl status" indicating that all processes were running after > step 1, step 2 produces "Unable to establish SSL connection." > > Full terminal session is at http://pastebin.com/ZuNBHPy0 > > On 04

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Petr Vobornik
> This will go a long way in making FreeIPA's OTP implementation much more > usable. Either way, as I said in the previous mail, try HOTP tokens. They don't use time windows and therefore the above is not an issue. > > Thanks. > --Prashant > > On 25 April 2016 at 21:48, P

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
in (date April 4th) but force it to not stop services 1. ipactl start --force wait until all is started 2. wget -v -d -S -O - --timeout=30 --no-check-certificate https://zsipa.private.net:443/ca/admin/ca/getStatus optionally (assuming that CA won't be turned off) 3. getcert list -- Petr Vobornik

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
Handler > ["http-bio-8080"] > Apr 28 12:12:53 zsipa.private.net server[8557]: Apr 28, 2016 12:12:53 PM > org.apache.coyote.AbstractProtocol pause > Apr 28 12:12:53 zsipa.private.net server[8557]: INFO: Pausing ProtocolHandler > ["http-bio-8443"] > Apr 28

Re: [Freeipa-users] IPA server having cert issues

2016-04-28 Thread Petr Vobornik
ates in LDAP database in ou=people,o=ipaca; for that you need only the ldapsearch command and to start directory server: systemctl start dirsrv@YOUR-REALM-TEST.service Proper name for dirsrv@YOUR-REALM-TEST.service can be found using: systemctl | grep dirsrv@ > > On 04/28/2016 11:07 AM, P

Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

2016-04-28 Thread Petr Vobornik
cess.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html HTH -- Petr Vobornik

Re: [Freeipa-users] IPA server having cert issues

2016-04-28 Thread Petr Vobornik
look like someone was >>> experimenting with issuing a cert and didn't quite get things working. >>> >>> The CA seems to be throwing an error. I'd check the syslog for messages >>> from >>> certmonger and look at the CA debug log and selftest

Re: [Freeipa-users] Replication error

2016-04-28 Thread Petr Vobornik
s.6.1.x86_64 > ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 > python-libipa_hbac-1.13.0-40.el7_2.2.x86_64 > python-iniparse-0.4-9.el7.noarch > ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 > > > Best Regards > Anton Rubets -- Petr Vobornik

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Petr Vobornik
s: unknown` doesn't look good. Check `getcert list` output for errors related to the cert. > > > Bret > > > On 04/26/2016 11:46 AM, Petr Vobornik wrote: >> On 04/26/2016 03:26 PM, Bret Wortman wrote: >>> On our non-CA IPA server, this is happening, in case it's related

Re: [Freeipa-users] IPA server having cert issues

2016-04-26 Thread Petr Vobornik
lid. >>> dogtag-ipa-ca-renew-agent-submit: Updated certificate not available. >>> named-pkcs11[3437]: client 192.168.208.205#57832: update >>> '208.168.192.in-addr.arpa/IN' denied >>> >>> and then things start shutting down. I can't start ipa at

Re: [Freeipa-users] concurrent requests to ipalib app giving network error

2016-04-26 Thread Petr Vobornik
3ViIjoiMGU1ZGZkNDc3N2I2NmNhOTU3ZTc4ZmJhZjMxNjYxMmEifQ.cr8cNy7zgQkY-q7UUyTCNPCjGlmz-LCCzUYSUV9P694'}"}) >> result = {"url": url, "data": urllib2.urlopen(request, >> timeout=10).read()[:100]} >> #result = {"url": url, "data": urllib2.url
