Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-13 Thread Rob Crittenden
Natxo Asenjo wrote: hi, On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote: Natxo Asenjo wrote: hi, I can reproduce this every time. Restarting httpd fixes it for a while, but then it stops working:

Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-13 Thread Endi Sukma Dewata
On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote: On 9/9/2016 2:46 PM, Georgios Kafataridis wrote: I've tried that but still the same result. [root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h localhost -b "uid=admin,ou=people,o=ipaca" Enter LDAP Password: # extended LDIF # #

[Freeipa-users] 3rd party Certificate install

2016-09-13 Thread Günther J . Niederwimmer
Hello, FreeIPA 4.3.1 I would like to install my new StartCom cert and have a problem with the access. I searched and found this ipa-cacert-manage -p '#-!???<<' -n STARTCOM-ROOT -t C,, install 1_root_bundle.crt but I get this Insufficient access: Invalid credentials The ipa-cacert-manage

Re: [Freeipa-users] ERROR CA configuration failed. - again

2016-09-13 Thread lejeczek
fortunately that was a VM and with libvirt+qemu snapshot feature I reverted filesystem to some older (prior to IPA) state, and yes... that was that only system's local problem. On 09/09/16 18:49, Rob Crittenden wrote: lejeczek wrote: hi everybody, looking at ipareplica-install.log: raise

Re: [Freeipa-users] 3rd party Certificate install

2016-09-13 Thread Florence Blanc-Renaud
Hi, ipa-cacert-manage must be run as root but does not require any Kerberos ticket. You can run the following command to check your directory manager password: /usr/bin/ldapsearch -h localhost -p 389 -D "cn=directory manager" -w '#-!???<<' -b "" -s base If the password is wrong, you

Re: [Freeipa-users] sss / nsswitch

2016-09-13 Thread Sumit Bose
On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote: > Hi, > > Thanks that did it. > > Is there a less painful way to be notified of these changes ? > > My nfs configuration gets broken much more than I like because of changes > like these. > I know fedora is supposed to be testing

Re: [Freeipa-users] adding replica centos 7 to centos 6 fails [error] ObjectclassViolation: attribute "unhashed#user#password" not allowed

2016-09-13 Thread Natxo Asenjo
On Tue, Sep 13, 2016 at 2:10 PM, Natxo Asenjo wrote: > hi, > > when trying to add a replica to the Idm environment of a host running > centos 7 (fully patched) to an existing centos 6.8 realm I get this error: > ok, some progress. I found this:

Re: [Freeipa-users] sss / nsswitch

2016-09-13 Thread Lukas Slebodnik
On (13/09/16 10:39), Sumit Bose wrote: >On Tue, Sep 13, 2016 at 10:13:12AM +0200, Rob Verduijn wrote: >> Hi, >> >> Thanks that did it. >> >> Is there a less painful way to be notified of these changes ? >> >> My nfs configuration gets broken much more than I like because of changes >> like

[Freeipa-users] sss / nsswitch

2016-09-13 Thread Rob Verduijn
Hi all, Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24. Then after the reboot the nfs-idmap service told me it couldn't start because it could not find method sss. So I filed a bug report and tried switching the method nsswitch. But now all files on my kerberos nfs4

Re: [Freeipa-users] sss / nsswitch

2016-09-13 Thread Sumit Bose
On Tue, Sep 13, 2016 at 08:51:48AM +0200, Rob Verduijn wrote: > Hi all, > > Yesterday my fedora 24 box received an update for sssd to 1.14.1-2.fc24. > > Then after the reboot the nfs-idmap service told me it couldn't start > because it could not find method sss. > > So I filed a bug report and

[Freeipa-users] 2FA using FreeIPA

2016-09-13 Thread Deepak Dimri
Hi All, I have the below lines added to my sshd_config file for testuser. Match User testuser AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam I have OTP enabled for tapuser in IPA and I am able to log in to the GUI using the password + OTP. However when I try

Re: [Freeipa-users] About AllowGroups with sshd

2016-09-13 Thread Jakub Hrozek
On Mon, Sep 12, 2016 at 10:00:57AM -0600, Jose Alvarez R. wrote: > Hello > > > > I have a question > > > > I have a FreeIPA 3.0 server (CentOS 6) with some clients servers (CentOS 6). > I want to enable root a two servers this servers, because they are backup > servers. > > > > I add

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-13 Thread Natxo Asenjo
hi, On Mon, Sep 12, 2016 at 9:48 PM, Rob Crittenden wrote: > Natxo Asenjo wrote: > >> hi, >> >> I can reproduce this every time. Restarting httpd fixes it for a while, >> but then it stops working: >> >> $ ipa cert-show 1 >> ipa: ERROR: cannot connect to >>