Hi again
After further testing, it seems like my problems were caused by the use
of the -F option on the kinit line.
Roderick
On 05/05/2016 22:31, Roderick Johnstone wrote:
Hi Mike
Thanks for sharing your setup. It looks pretty much like mine.
I just tried your kinit command syntax and
Hi Fraser,
Thank you very much for the immediate response. Our use-case for Dogtag is:
our installation engineers request a signing CA cert through the Dogtag web
interface, and our admin grants the request, anything following is not
managed with Dogtag. So we only use Dogtag for managing the
Hi
I need to run some ipa commands in cron jobs.
The post here:
https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
suggests I need to use a keytab file to authenticate to Kerberos.
I've tried the prescription there, with variations, without success.
My current testing
As a control, I fired up a new VPS, did a new minimal CentOS 7.2 install and
I have the same problem.
These are the steps I took:
# yum update -y
# yum install -y nano net-tools wget
# yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# cd /etc/yum.repos.d/
#
Roderick,
Here's how we do it.
Create a service account user, for example "svc_useradm".
Then generate a keytab for the service account, and store it somewhere secure.
ipa-getkeytab -s infrae2u01.lnx.dr.local -p svc_useradm -k /root/svc_useradm.keytab
Now we can leverage the keytab for that
Hi All:
I restored from backup but some lib / pki errors came up.
The package was ipa-server-3.0.0-26.el6_4.4.x86_64,
but now it is ipa-server-3.0.0-47.el6.centos.2.x86_64. It seems to do no harm?
How to tune it?
Starting KDC Service
Starting Kerberos 5 KDC: [ OK
On 5.5.2016 06:28, David LeVene wrote:
> Hey All,
>
> I'm looking for a bit of direction around the best way to configure/setup an
> on-site cache &/or replica from an AD Server which will be uni-directional
> (AD -> IPA/slapd)
>
> The master are multiple AD Servers located around the place,
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
> lejeczek wrote:
> > hi users,
> >
> > as one follows official docs and issues a certificate for a
> > service/host, one wonders what is the correct way to move such a
> > certificate to a host(which is domain member) ?
> > I understand
Hi all:
Original config server <> server02, either server can add user and syn
Now server < server02, GSSAPI shows as below.. Any idea? THX
[05/May/2016:17:29:03 +0800] - 389-Directory/1.2.11.25 B2013.325.1951
starting up
[05/May/2016:17:29:03 +0800] - WARNING: userRoot: entry cache size
On 4.5.2016 16:33, Jakub Hrozek wrote:
> On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote:
>> On 05/04/2016 09:23 AM, Jakub Hrozek wrote:
>>> On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote:
On (03/05/16 15:09), Alexandre de Verteuil wrote:
> Hello all,
>
On Wed, May 04, 2016 at 10:51:37PM +0200, Rob Verduijn wrote:
> Hi,
>
> I avoided the slow filling group by using the AD-Group with spaces
> (was a tad more challenging for scripting)
>
> But here's the releases (some of them)
>
> ipa 4.2 and sssd 1.13
>
>
On 05/05/2016 11:44 AM, lejeczek wrote:
> On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
>> lejeczek wrote:
>>> hi users, as one follows official docs and issues a certificate for a
>>> service/host, one wonders what is the correct way to move such a
>>> certificate
>>> to a
+1 For enforcing OTP in web UI.
When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to log in only using passwd+OTP.
Are there any ideas for ensuring that all users are using OTP tokens?
On 4 May 2016 at 05:12, Peter Bisroev
On 05/05/2016 03:54 PM, Andrew Holway wrote:
Hello,
We've been using Freeipa on Centos for a while and found one day that
the replication stuff was broken and that the LDAP database on our pair
of IPA servers was inconsistent. We didn't know how long this had been
broken for but we were not
I'm trying to create a new replica and I receive the following message:
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
[1/8]: adding sasl mappings to the directory
[2/8]: configuring KDC
[3/8]: creating a keytab for the directory
[4/8]: creating a keytab for the machine
On 05.05.2016 15:54, Andrew Holway wrote:
Hello,
We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for but
we were
lejeczek wrote:
On Wed, 2016-05-04 at 13:26 -0400, Rob Crittenden wrote:
lejeczek wrote:
hi users, as one follows official docs and issues a certificate for a
service/host, one wonders what is the correct way to move such a
certificate to a host(which is domain member) ? I understand
Hello,
We've been using Freeipa on Centos for a while and found one day that the
replication stuff was broken and that the LDAP database on our pair of IPA
servers was inconsistent. We didn't know how long this had been broken for
but we were not able to repair it either.
We use AWS so we've now
On Thu, May 05, 2016 at 12:46:48PM -0700, Ha T. Lam wrote:
> Hi Fraser,
>
> Thank you very much for the immediate response. Our use-case for Dogtag is:
> our installation engineers request a signing CA cert through the Dogtag web
> interface, and our admin grants the request, anything following
Anthony Cheng wrote:
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert and re-added the certificate with a valid date and
Hi Mike
Thanks for sharing your setup. It looks pretty much like mine.
I just tried your kinit command syntax and then I can ipa ping
successfully. Then I tried my kinit syntax (after a kdestroy) and I can
still ipa ping successfully!
So, it does work now, but I don't know why it didn't
More updates; it turns out that there were some duplicate and expired
certificates as well as incorrect trust attributes; (e.g. seeing 2
instances of Server-Cert from certutil -L -d /etc/httpd/alias). So I
deleted the duplicate cert and re-added the certificate with a valid date and
fixed the cert trust
[This didn't show up in the archives or list after 12 hours, so resending.
Sorry if it's a dupe.]
I've been googling and looking through the documentation, but I have yet to
find official docs for the Python API for FreeIPA.
The first result for 'python' when doing a search on www.freeipa.org
Hi Petr,
Thanks for the response.
I didn't know about Samba 4, so that's worth some further investigation on my
part - Thanks.
So from what you've said below it can't run as a standalone, but SSSD does
allow caching (if a user has authenticated previously).. does IPA have the ability
to cache
On Thu, May 05, 2016 at 08:13:00PM +0530, Rakesh Rajasekharan wrote:
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [get_and_save_tgt]
> (0x0020): 1000: [-1765328353][Decrypt integrity check failed]
> (Thu May 5 14:35:49 2016) [[sssd[krb5_child[32281 [map_krb5_error]
> (0x0020):
I'm not entirely sure if this is what you were asking for, but here's a
manual LDAP query and the associated logs, and then I restarted
ipa-dnskeysyncd and the logs associated with that as well:
[root@host /]# date
Thu May 5 10:52:12 EDT 2016
[root@host /]# ldapsearch -Y GSSAPI -b