Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: Hi Sebastian, Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors. I've included relevant sections of the logs. /var/log/ipareplica-install.log: 016-06-02T10:43:16Z DEBUG Starting

Re: [Freeipa-users] Replica without CA: implications?

2016-06-02 Thread Rob Crittenden
Cal Sawyer wrote: Apologies for the lengthy pause in getting back onto this. I ended up destroying the replica and reprovisioning from scratch, but the replica still lists as being CA-less. Is what I'm seeing normal? Would this 2-node setup in this state survive failure of the master? It

[Freeipa-users] Python Web API access

2016-06-02 Thread Michael Luich
Hey folks, I was looking for information on accessing the web API from python. Between other info in this list, the https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ blog post and a little trial and error I got it working. The following python script logs in with a username

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-02 Thread Rob Crittenden
Bret Wortman wrote: Is it possible to use our freeipa CA as a trusted CA to sign our internal SSL certificates? Our system runs on a private network and so using the usual trusted sources isn't an option. We've been using self-signed, but that adds some additional complications and we thought

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Dan.Finkelstein
Hi Rob, There are a few logs in there, I'm not sure which is most informative. Here are some sections from what I think are the relevant logs: /var/log/pki/pki-tomcat/localhost.log: Jun 01, 2016 12:16:34 PM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-02 Thread Fraser Tweedale
On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote: > Sorry, let me back up a step. We need to implement hype > everywhere. All our web services. And clients need to get > keys automatically whether through IPA or Puppet. These > systems use IPA for everything but

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-02 Thread bret . wortman
Cool. I'll give this a go in the morning. Bret Wortman http://wrapbuddies.co/ On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale, wrote: > On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote: > > Sorry, let me back up a step. We need to implement hype >

Re: [Freeipa-users] FreeIPA4.2: Recovering from an IPA master server failure

2016-06-02 Thread Martin Basti
Hello, comments inline On 01.06.2016 20:34, Michael Rainey (Contractor) wrote: My apologies for the duplicate thread, but from my vantage point I did not see any signs of my message making it to the mailing list. My original message was not posted back to me, nor was your reply posted to

Re: [Freeipa-users] Is the krb5.conf no longer used?

2016-06-02 Thread Sumit Bose
On Thu, Jun 02, 2016 at 08:29:15AM +0300, Alexander Bokovoy wrote: > On Wed, 01 Jun 2016, Geordie Grindle wrote: > > Does IPA only use ‘sssd.conf’ for kerberos authentication? Is there another > > file used to configure kerberos? > > > > I’ve built a host using Foreman and our puppet

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Dan.Finkelstein
Hi Sebastian, Unfortunately, that doesn't seem to be it and reinstalling the replica with --setup-ca failed again with the same errors. I've included relevant sections of the logs. /var/log/ipareplica-install.log: 016-06-02T10:43:16Z DEBUG Starting external process 2016-06-02T10:43:16Z DEBUG

[Freeipa-users] Apache Knox and FreeIPA

2016-06-02 Thread Tony Brian Albers
Hi guys, Do any of you have this setup working? And if so, how did you do it? Thanks, Tony -- Best regards, Tony Albers Systems administrator, IT-development State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark. Tel: +45 8946 2316 -- Manage your subscription for the

[Freeipa-users] samba kerberized with autofs

2016-06-02 Thread Bello Florent
Hi, I configured a samba with freeipa in kerberized mode. It works fine for normal mounting, but with autofs it works only if root has a kerberos ticket (example: kinit admin). When root doesn't have a ticket, other users can't go into the automount folder, but when root has a ticket, it works fine for

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-06-02 Thread Kay Zhou Y
Hi Rob, We are using fedora 17. And as you said, when I roll back time to when the CA subsystem and ipaCert are valid and then restart ipactl, "pki-cad@pki-ca.service" is active as normal. But these five certs could not be renewed as before. (actually I always restart ipa world after I roll back

[Freeipa-users] how to set up apache reverse https proxy for freeipa web UI

2016-06-02 Thread Karl Forner
Hi, My problem is: I have an ipa.example.com server on the internal network, with self-signed certificates. I'd like to be able to connect to the UI from the internet, using https with other certificates (e.g. let's encrypt certificates). So I tried to set up an SNI apache reverse proxy, but I

Re: [Freeipa-users] Replica without CA: implications?

2016-06-02 Thread Cal Sawyer
Apologies for the lengthy pause in getting back onto this. I ended up destroying the replica and reprovisioning from scratch, but the replica still lists as being CA-less. Is what I'm seeing normal? Would this 2-node setup in this state survive failure of the master? -

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-02 Thread Sebastian Schäfer
Hi Dan, I had a similar problem when updating my FreeIPA. In my case it turned out that the certificates that get bundled with the replica preparation file were expired. This is due to the /root/cacert.p12 file not being updated during the preparation process until FreeIPA 3.2.2. The file can be

[Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-02 Thread Sean Hogan
Hello All, Recently went from RHEL 6.7 IPA 3.0.47 to 6.8 IPA 3.0.50. I also think (not sure on this yet) that they changed ntp.. ntp used to point at my ipas.. but they look like they are now pointing elsewhere. Everything was stable at 6.7 3.0.47 pointing to IPA for NTP. However.. they all

[Freeipa-users] IPA's own ptr record - unresolvable ?

2016-06-02 Thread lejeczek
hi users, I do (all on IPA server) $ host 10.5.6.100 Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN) I do: $ host 10.5.6.17 17.6.5.10.in-addr.arpa domain name pointer .. I do: $ ipa dnsrecord-find 5.10.in-addr.arpa Record name: @ NS record: rider.private.dom.,