Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating a new one? On 06/03/2016 09:48 AM, Rob Crittenden wrote: Bret

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

On 03/06/16 15:22, Alexander Bokovoy wrote: On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's

Re: [Freeipa-users] Unable to access to web ui

seli irithyl wrote: Yes, you're right, I was also surprised by the subject of the error. I made changes in the /etc/httpd/conf.d/nss.conf file. I changed Listen 443 to Listen 8443 and to as it was in the /etc/httpd/conf.d/nss.conf file before the update. You have to change it back. mod_nss

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating a new one? No, I think you did the right thing,

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

On 03/06/16 15:11, Sumit Bose wrote: On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

On Fri, 03 Jun 2016, lejeczek wrote: On 03/06/16 15:22, Alexander Bokovoy wrote: On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Bret Wortman wrote: On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key"

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

I'll check and report back Tuesday. Bret Wortman http://wrapbuddies.co/ On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden, wrote: > Bret Wortman wrote: > > > > > > On 06/03/2016 11:02 AM, Rob Crittenden wrote: > > > Bret Wortman wrote: > > > > I'm not sure I'd call what we

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote: > > My problem is: > I have an ipa.example.com server on the internal network, with > self-signed certificates. > I'd like to be able to connect to the UI from the internet, using > https with other certificates (e.g. let's encrypt

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

dan.finkelst...@high5games.com wrote: A further update: when I try to install the CA component, it erroneously says that the CA is installed: root@ipa ~]# ipa-ca-install --skip-conncheck --debug [ snip ] ipa : DEBUGThe ipa-ca-install command failed, exception: SystemExit: CA is

Re: [Freeipa-users] IPA's own ptr record - unresolvable ?

On 03/06/16 08:06, Petr Spacek wrote: On 2.6.2016 18:30, lejeczek wrote: hi users, I do (all on IPA server) $ host 10.5.6.100 Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN) I do: $ host 10.5.6.17 17.6.5.10.in-addr.arpa domain name pointer .. I do: $ ipa dnsrecord-find

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean): # openssl genrsa 2048 > /etc/pki/tls/private/server.key # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key >

Re: [Freeipa-users] Unable to access to web ui

On 06/03/2016 11:11 AM, seli irithyl wrote: > Sorry Martin, > I rebooted the IdM server: > [root@lead sssd]# ipactl status > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > ipa_memcached Service: RUNNING > httpd Service: RUNNING > pki-tomcatd Service: RUNNING >

Re: [Freeipa-users] Unable to access to web ui

# getcert list returns 9 request ID. All 9 are in status "MONITORING" and expire after 2017. So no expired certificate. Number of certificates and requests being tracked: 9. Request ID '20150313092422': status: MONITORING stuck: no key pair storage:

Re: [Freeipa-users] IPA's own ptr record - unresolvable ?

On 3.6.2016 10:33, lejeczek wrote: > > > On 03/06/16 08:06, Petr Spacek wrote: >> On 2.6.2016 18:30, lejeczek wrote: >>> hi users, >>> >>> I do (all on IPA server) >>> >>> $ host 10.5.6.100 >>> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN) >>> >>> I do: >>> >>> $ host 10.5.6.17 >>>

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

Hi Rob, Actually certmonger service is failed after restart it, but without its active the two 389-ds and apache certs could be renewed as well.. it's weird.. root@ecnshlx3039-test2(SH):~ #systemctl status certmonger certmonger.service - Certificate monitoring and PKI enrollment

Re: [Freeipa-users] Unable to access to web ui

Sorry Martin, I rebooted the IdM server: [root@lead sssd]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: > hi users, > > I have a samba and sssd trying AD, it's 7.2 Linux. > > That linux box is via sssd and samba talking to AD DC and win10 clients get > to samba shares, getent pass sees AD users, samba can get to DC's shares and > win10's

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

Hi Robert.. Thanks for the reply. Think I might have found the issue. The KVM host my master was running on was showing redhat release 6.5 but the libvrt packages were showing 6.6. I think the managers of the kvm host did not reboot it after an update with new kernel. Asked them to reboot

Re: [Freeipa-users] Unable to access to web ui

seli irithyl wrote: # getcert list returns 9 request ID. All 9 are in status "MONITORING" and expire after 2017. So no expired certificate. Number of certificates and requests being tracked: 9. [snip] Request ID '20150313092456': status: MONITORING stuck: no key pair storage:

[Freeipa-users] a bit off topic- samba + sssd => AD

hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except... smbclient @samba, in other words

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Bret Wortman wrote: So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean): # openssl genrsa 2048 > /etc/pki/tls/private/server.key # openssl req -new -x509 -nodes -sha1 -days 365 -key