Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo wrote: > But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I > still get the old crl dated june 28th last year. > > Should I modify ipa-pki-proxy.conf as well on the CRL generator host > to point to the /ca/ee/ca/getCRL?op=getCRL&crlI

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Alexander Bokovoy
On Tue, 14 Oct 2014, Orkhan Gasimov wrote: Thanks to both of you for the interest. Here's the info you asked: 1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Fraser Tweedale
On Mon, Oct 13, 2014 at 10:08:55PM -0700, Janelle wrote: > Actually, I did find a fix and forgot to post. > > I was able to mirror the COPR repo, and after reviewing it, found that > simply removing the pki-base...fc21 directory, and regenning the repo data > with createrepo, fixed the problem. It

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Orkhan Gasimov
Thanks to both of you for the interest. Here's the info you asked: 1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make som

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
Actually, I did find a fix and forgot to post. I was able to mirror the COPR repo, and after reviewing it, found that simply removing the pki-base...fc21 directory, and regenning the repo data with createrepo, fixed the problem. It drops the version of PKI back to the 10.1 branch and that reso

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Fraser Tweedale
On Mon, Oct 13, 2014 at 09:52:40AM -0700, Janelle wrote: > After further investigation - it looks like the PKI base was altered/updated > because even on a running server a yum update produces same error: > > # yum check-update > Loaded plugins: fastestmirror, product-id, subscription-manager, ver

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Janelle
Hi again, A lot of this information has been very useful. I did have a question I could not answer. I noticed in the Deployment Recommendations docs, it says not to have any more than 4 replication agreements. Perhaps I am missing something, but I don't see how to get a replica to be a master

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Makes sense. I will still try out that cert add command in my test environment, just to see if it works. Looks like for now, 4.1 upgrade is my best option. On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal wrote: > On 10/13/2014 06:45 PM, quest monger wrote: > > I did the default IPA install, didn't

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal
On 10/13/2014 06:58 PM, James wrote: On 13 October 2014 18:18, Dmitri Pal wrote: On 10/12/2014 08:07 PM, James wrote: On 12 October 2014 19:55, Janelle wrote: Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I tried

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Dmitri Pal
On 10/13/2014 06:45 PM, quest monger wrote: I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed. We have a cont

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread James
On 13 October 2014 18:18, Dmitri Pal wrote: > On 10/12/2014 08:07 PM, James wrote: >> >> On 12 October 2014 19:55, Janelle wrote: >>> >>> Hi again, >>> >>> I was wondering if there were any suggestions for performance of IPA and >>> settings to sysctl and maybe limits.conf? I tried the website, b

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread William Graboyes
Hi there, My understanding is the only way to install a third party cert is to start from scratch. The part that is unclear to me is if there is a method of exporting the data prior to, and importing the data after the fresh instance of freeipa has been installed. I assume that one would als

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed. We have a contract with a third party CA that issues TLS certs

Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Dmitri Pal
On 10/13/2014 11:40 AM, Carlos Raúl Laguna wrote: 2014-10-09 18:12 GMT-04:00 Dmitri Pal >: On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote: Hello to everyone, for some time now I have been pretty much stalking the samba project site, looking forward to fo

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Dmitri Pal
On 10/13/2014 03:39 PM, quest monger wrote: I found some documentation for getting certificate signed by external CA (2.3.3.2. Using Different CA Configurations) - http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html But looks like those instructions apply to

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Dmitri Pal
On 10/13/2014 03:39 PM, Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal
On 10/12/2014 08:07 PM, James wrote: On 12 October 2014 19:55, Janelle wrote: Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I tried the website, but did not see anything. Have about 3000 servers that will be talkin

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Simo Sorce
On Mon, 13 Oct 2014 17:30:58 +0200 Andreas Ladanyi wrote: > On my old system from which i migrated the users/group accounts uses > the Kerberos own DB without LDAP for the principals. > > I could dump the master key : > > kdb5_util dump filename K/M@REALM > > Now i have a lot of numbers in the

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I found some documentation for getting certificate signed by external CA (2.3.3.2. Using Different CA Configurations) - http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html But looks like those instructions apply to a first time fresh install, not for upgrading an

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo wrote: > On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden wrote: >> Natxo Asenjo wrote: >>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo >>> wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I see are very

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 20:33), Jakub Hrozek wrote: >On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote: >> Good day to everybody. >> There's a post on how to make a FreeBSD client work with a FreeIPA server: >> https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146 >> For some

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I was told by my admin team that Self-signed certs pose a security risk. On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden wrote: > quest monger wrote: > > Hello All, > > > > I installed FreeIPA server on a CentOS host. I have 20+ Linux and > > Solaris clients hooked up to it. SSH and Sudo works

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Rob Crittenden
quest monger wrote: > Hello All, > > I installed FreeIPA server on a CentOS host. I have 20+ Linux and > Solaris clients hooked up to it. SSH and Sudo works on all clients. > > I would like to replace the self-signed cert that is used on Port 389 > and 636. > > Is there a way to do this without

[Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and Sudo works on all clients. I would like to replace the self-signed cert that is used on Port 389 and 636. Is there a way to do this without re-installing the server and clients.

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Jakub Hrozek
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote: > Good day to everybody. > There's a post on how to make a FreeBSD client work with a FreeIPA server: > https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146 > For some reason the instructions in that post don't le

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden wrote: > Natxo Asenjo wrote: >> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo wrote: >>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the >>> files I see are very old (the MasterCRL.bin file is dated 28 June >>> 2013), and on th

[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Орхан Касумов
Good day to everybody. There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146 For some reason the instructions in that post don't lead to a working solution. Getent passwd/group return no data from the I

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Rob Crittenden
Natxo Asenjo wrote: > On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo wrote: >> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the >> files I see are very old (the MasterCRL.bin file is dated 28 June >> 2013), and on the kdc02 it is newer (July 2 2013). > > on 28 June 2013 I patc

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo wrote: > But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the > files I see are very old (the MasterCRL.bin file is dated 28 June > 2013), and on the kdc02 it is newer (July 2 2013). on 28 June 2013 I patched the kdc01: Jun 28 23:17:

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
After further investigation - it looks like the PKI base was altered/updated because even on a running server a yum update produces same error: # yum check-update Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock Loading mirror speeds from cached hostfile * base: lin

[Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
Happy Monday everyone... Wondering if anyone else is seeing this error since this weekend? Trying to add in a new IPA replica, which of course requires the software installed -- this is in CentOS 7 using COPR repo and : --> Finished Dependency Resolution Error: Package: pki-base-10.2.0-3.el7.

Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Carlos Raúl Laguna
2014-10-09 18:12 GMT-04:00 Dmitri Pal : > On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote: > > Hello to everyone, for some time now I have been pretty much stalking the > samba project site, looking forward to forest trust and it seems that they > introduced new functions to support trust domain

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Andreas Ladanyi
On my old system from which I migrated the users/group accounts uses the Kerberos own DB without LDAP for the principals. I could dump the master key : kdb5_util dump filename K/M@REALM Now I have a lot of numbers in the dumpfile. Which number belongs to which LDAP attribute in the (test) Fre

[Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
hi, yet another certificate authority question. We have a centos 6.5 ipa environment with two domain controllers (kdc01, kdc02). The first one is the first replica and maintains the crl (or so it should). Recently our monitoring warned us that the web host certificate for kdc01 was about to expi

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Jan Pazdziora
On Mon, Oct 13, 2014 at 01:02:38PM +0200, Petr Spacek wrote: > > > >There probably should be at least an option (if not default) for bind > >to serve nothing if LDAP is not accessible. > > In the past, named refused to start when LDAP was not available. Later it > was flagged as bug and current be

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Petr Spacek
On 10.10.2014 10:32, Jan Pazdziora wrote: On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote: On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be

Re: [Freeipa-users] Sudo on Ubuntu Client works, on CentOS it doesn't

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 01:16), Matt . wrote: >OK, found it... I needed to comment out my other ldap lines, but I >wonder why this is needed on CentOS and Ubuntu works without them. > Which version of CentOS do you mean? LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.