Re: [Freeipa-users] Web login problems

2015-10-08 Thread Pat Gunn
On 7/10/15 21:57, Simo Sorce wrote: >On 07/10/15 13:36, Pat Gunn wrote: Hi, I'm trying to build a cluster of 3 IPA (staging at this point, but eventually later I'll make a prod version) systems (that will reside in AWS) that will manage select systems in our infrastructure (mostly but not entirel

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
# ldapsearch -x -b cn=ca_renewal,cn=ipa,cn=etc,dc=itmodev,dc=gov ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ipa service was not running...I attempted to start it. # service ipa start Starting Directory Service Starting dirsrv: ITMODEV-GOV...[08/Oct/2015:14:03:08 -0400] - SSL alert

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > First command came back: > > ]# grep internal= /var/lib/pki-ca/conf/password.conf > grep: /var/lib/pki-ca/conf/password.conf: No such file or directory > > There is no pki-ca dir on this server That simplifies things a bit. The NEED_TO_SUBMIT status is

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
First command came back: ]# grep internal= /var/lib/pki-ca/conf/password.conf grep: /var/lib/pki-ca/conf/password.conf: No such file or directory There is no pki-ca dir on this server -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, October 08, 2015 1

[Freeipa-users] Cleanly removing replication agreement

2015-10-08 Thread Dominik Korittki
Hello folks, i have two FreeIPA 3.3 Machines running on CentOS7: ipa01.internal and ipa02.internal. Both have a CA installed. Initially ipa02 is a replication from ipa01. Recently ipa01 had some trouble while ipa02 was running fine (see "FreeIPA 3.3 performance issues with many hosts" on this

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > When I ran "getcert list" rather than "ipa-getcert list" I get the following: > > # getcert list > Number of certificates and requests being tracked: 2. > Request ID '20150922143354': > status: NEED_TO_SUBMIT > stuck: no > key pair

Re: [Freeipa-users] (no subject)

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:26 PM, Karl Forner wrote: Hi, you are prompted for a password because the (ALL) ALL rule is applied, because of the last-match rule. > > > See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the /usr/bin/l

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Pavel Březina
On 10/08/2015 04:09 PM, Karl Forner wrote: Sorry, I had disabled the emailing, I just saw your answers in the archives. How can I debug this? Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it? Do you mean the slide "FreeIPA Training Series: Obtaining debugging

[Freeipa-users] Announcing FreeIPA 4.2.2

2015-10-08 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.2.2 security release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
When I ran "getcert list" rather than "ipa-getcert list" I get the following: # getcert list Number of certificates and requests being tracked: 2. Request ID '20150922143354': status: NEED_TO_SUBMIT stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nicknam

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Currently running ipa-server-3.0.0-47.el6.x86_64 > > I have stopped ntpd and reset the date to Sept 21st. Yes I agree this has > been baffling me for days. You should be tracking 8 certificates. The output of `getcert list` should look something like:

[Freeipa-users] (no subject)

2015-10-08 Thread Karl Forner
Hi, > you are prompted for a password because the (ALL) ALL rule is applied, because of the > last-match rule. > > > See: > http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder. Ok. I updated the rules to use a sudoorder attribute of 100 for the /usr/bin/less sudo rule. Now, if I type in a termi
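The sudoOrder / last-match behaviour discussed in the two sudo threads above, as an added example that is not part of any message in the thread and is not FreeIPA or sudo code: a small Python model of how sudo sorts matching LDAP sudoRole entries by sudoOrder (absent attribute sorts as 0, per sudoers.ldap) and then lets the last matching entry decide whether a password is required (sudoOption "!authenticate" is the LDAP form of NOPASSWD). The rule names, the user "karl", the group "admins" and the host name are constructed for the example; command negation (`!/bin/sh`) and wildcards are deliberately not modelled.

```python
"""Model of sudo's LDAP rule ordering (sudoOrder + last match wins).

Added illustration only; not FreeIPA or sudo source. Rules, user, group
and host below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class SudoRole:
    cn: str
    sudo_user: list[str]                       # sudoUser: "karl", "%admins", "ALL"
    sudo_host: list[str]                       # sudoHost: "host1", "ALL"
    sudo_command: list[str]                    # sudoCommand: "/usr/bin/less", "ALL"
    sudo_option: list[str] = field(default_factory=list)  # e.g. "!authenticate"
    sudo_order: float = 0.0                    # missing sudoOrder sorts as 0


def _matches(role: SudoRole, user: str, groups: set[str], host: str, command: str) -> bool:
    """Does this sudoRole apply to (user, host, command)? Exact matches and ALL only."""
    user_ok = any(
        u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
        for u in role.sudo_user
    )
    host_ok = any(h == "ALL" or h == host for h in role.sudo_host)
    cmd_ok = any(c == "ALL" or c == command for c in role.sudo_command)
    return user_ok and host_ok and cmd_ok


def resolve(roles: Iterable[SudoRole], user: str, groups: set[str],
            host: str, command: str) -> tuple[bool, bool, str | None]:
    """Return (allowed, password_required, winning_rule_cn).

    Matching entries are sorted by sudoOrder ascending; ties keep directory
    order (Python's sort is stable). The LAST match decides the options,
    exactly as in a flat sudoers file.
    """
    ordered = sorted(roles, key=lambda r: r.sudo_order)
    matching = [r for r in ordered if _matches(r, user, groups, host, command)]
    if not matching:
        return (False, True, None)
    last = matching[-1]
    password_required = "!authenticate" not in last.sudo_option
    return (True, password_required, last.cn)


def demo_roles(less_order: float) -> list[SudoRole]:
    """Constructed rules: a NOPASSWD rule for less, and a broad (ALL) ALL rule.

    The directory happens to return the less rule first; with both at
    sudoOrder 0 the (ALL) ALL rule is therefore the last match.
    """
    return [
        SudoRole("less_nopasswd", ["karl"], ["ALL"], ["/usr/bin/less"],
                 ["!authenticate"], less_order),
        SudoRole("admins_all", ["%admins"], ["ALL"], ["ALL"], [], 0.0),
    ]


if __name__ == "__main__":
    karl = ("karl", {"admins"}, "host1")
    # No sudoOrder on either rule: (ALL) ALL wins, password prompted.
    print(resolve(demo_roles(0.0), *karl, "/usr/bin/less"))
    # sudoOrder 100 on the less rule: it sorts last and its !authenticate wins.
    print(resolve(demo_roles(100.0), *karl, "/usr/bin/less"))
    # Other commands still hit only the (ALL) ALL rule and prompt.
    print(resolve(demo_roles(100.0), *karl, "/usr/bin/vim"))
```

The practical check on a FreeIPA client is the same one the thread arrives at: any narrow NOPASSWD rule must carry a sudoOrder larger than the broad rules it is meant to override, otherwise which rule "wins" depends on the order the directory happens to return entries in.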

Re: [Freeipa-users] sudo rules do not seem to work

2015-10-08 Thread Karl Forner
Sorry, I had disabled the emailing, I just saw your answers in the archives. >> How can I debug this? >Pavel (CC) has a nice sudo debug howto, maybe it would be helpful? Where is it? Do you mean the slide "FreeIPA Training Series: Obtaining debugging information" from https://www.freeipa.org/ima

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
Currently running ipa-server-3.0.0-47.el6.x86_64 I have stopped ntpd and reset the date to Sept 21st. Yes I agree this has been baffling me for days. -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Thursday, October 08, 2015 9:49 AM To: Gronde, Christopher (

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Now I am getting CA_UNREACHABLE > > # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K > HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd > Resubmitting "20151007150853" to "IPA". > > # ipa-getcert list > Number of c

[Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions

2015-10-08 Thread Alex Williams
Hi folks, this one is becoming a bit of a major issue now. We upgraded one of our IPA3.0.0 servers to use the new dogtag schema over the last few days, then created an IPA4 replica from it successfully, upgraded the schema on a few more of the IPA3.0.0 servers and joined them into the mix and

Re: [Freeipa-users] Upgrade of schema has broken permissions and now no one can authenticate if they have certain permissions

2015-10-08 Thread Martin Basti
On 10/08/2015 03:23 PM, Alex Williams wrote: Hi folks, this one is becoming a bit of a major issue now. We upgraded one of our IPA3.0.0 servers to use the new dogtag schema over the last few days, then created an IPA4 replica from it successfully, upgraded the schema on a few more of the IP

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Gronde, Christopher (Contractor)
Now I am getting CA_UNREACHABLE # ipa-getcert resubmit -i 20151007150853 -p /etc/httpd/alias/pwdfile.txt -K HTTP/comipa02..gov -C /usr/lib64/ipa/certmonger/restart_httpd Resubmitting "20151007150853" to "IPA". # ipa-getcert list Number of certificates and requests being tracked: 2. Request ID '2

Re: [Freeipa-users] Certmonger and dogtag not working....issues manually renewing Server-Cert

2015-10-08 Thread Alexander Bokovoy
Hi, On Thu, 08 Oct 2015, Gronde, Christopher (Contractor) wrote: Thank you for your response! Do not respond directly, send your emails to the mailing list, please. Yes "getent passwd admin" does work # getent passwd admin admin:*:127820:127820:Administrator:/home/admin:/bin/bash Th

Re: [Freeipa-users] Slow SSH login for IPA users only

2015-10-08 Thread Guillem Liarte
Sumit, Thanks for your reply. Yes, I have debug enabled: With level 5 I see that here is where it spends most of its time: (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=testuser] (Wed Oct 7 13:14:17 2015) [sssd[be[#.com]]] [sdap_idmap_