Re: [Freeipa-users] mixed DNS subnets for FreeIPA and M$ AD

2015-12-09 Thread Alexander Bokovoy

On Wed, 09 Dec 2015, Harald Dunkel wrote:

On 12/08/2015 03:08 PM, Petr Spacek wrote:


Does

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#dns-reqs

and

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings

answer your questions?



Not really. All these documents bring up strings like
"ipa.example.com". Sometimes that's a DNS domain, sometimes
it's a Kerberos realm (even though it's in lower case letters).
The assumption that DNS and realm name match is based upon a
recommendation, i.e. you cannot rely upon that. (Not to
mention that "example.com" and "ad.example.com" *are* unique.)

In Active Directory the Kerberos realm is always the capitalized version of
the primary DNS domain occupied by that Active Directory domain.



My point is: Currently I have a hierarchy between the DNS top
level domain "example.com" and the windows DNS domain
"ws.example.com". I do not have a hierarchy between the IM
solutions for Unix and Windows (currently NIS and AD). Moving
from NIS/bind to FreeIPA I would prefer to keep this setup. If
this is not possible, then I can live with moving the IPA
servers to "ipa.example.com" (DNS), but I cannot change the
other DNS subnets. Changing existing host and domain names
is *highly* expensive.

You can keep your own arrangement if it doesn't conflict with your Active
Directory deployment's ownership of DNS zones.

You are saying ws.example.com is your AD DNS domain. Do you have
machines from example.com enrolled into AD? If there are machines from
DNS zone example.com in AD, you cannot have IPA deployed in DNS zone
example.com because AD will not allow trust between something that
claims to own DNS zone AD owns already.

It is as simple as that. When you create an AD deployment, it establishes
ownership over the DNS domain which is used to create the deployment.
Later, each enrolled computer's DNS domain is added to the list of owned
DNS domains. They all belong to Active Directory, and for some
other Active Directory to claim ownership over one of them would be seen as a
conflict.

--
/ Alexander Bokovoy
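A small check, added here as an illustration and not part of Alexander's reply, that encodes the ownership rule he describes: an AD deployment owns its primary DNS domain plus the DNS domain of every computer enrolled into it, the realm is the upper-cased primary domain, and an IPA deployment cannot claim a domain on that list. The function names and the host inventory are constructed for the example.

```python
# Added example, not from the thread: models the AD DNS ownership rule
# described above. All host and domain names below are constructed.

def realm_for(dns_domain: str) -> str:
    """Active Directory names its Kerberos realm after the primary DNS
    domain, upper-cased (e.g. ws.example.com -> WS.EXAMPLE.COM)."""
    return dns_domain.strip().rstrip(".").upper()


def parent_domain(fqdn: str) -> str:
    """DNS domain of a host name: everything after the first label."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def ad_owned_dns_domains(ad_domain: str, enrolled_fqdns) -> set:
    """DNS domains an AD deployment claims: its own primary domain plus the
    DNS domain of every computer account enrolled into it."""
    owned = {ad_domain.strip().rstrip(".").lower()}
    for fqdn in enrolled_fqdns:
        domain = parent_domain(fqdn)
        if domain:
            owned.add(domain)
    return owned


def ipa_domain_conflicts(ipa_domain: str, ad_domain: str, enrolled_fqdns) -> bool:
    """True when the DNS domain IPA would claim is already owned by AD,
    which AD rejects as a conflict when the trust is established."""
    candidate = ipa_domain.strip().rstrip(".").lower()
    return candidate in ad_owned_dns_domains(ad_domain, enrolled_fqdns)


if __name__ == "__main__":
    # Constructed inventory mirroring the thread: AD lives in ws.example.com,
    # IPA is to live in example.com.
    ad = "ws.example.com"
    only_ws_hosts = ["pc1.ws.example.com", "srv2.ws.example.com"]
    mixed_hosts = only_ws_hosts + ["build01.example.com"]
    print("realm:", realm_for(ad))
    print("owned (ws hosts only):", sorted(ad_owned_dns_domains(ad, only_ws_hosts)))
    print("conflict for example.com?", ipa_domain_conflicts("example.com", ad, only_ws_hosts))
    print("owned (one example.com host enrolled):", sorted(ad_owned_dns_domains(ad, mixed_hosts)))
    print("conflict for example.com?", ipa_domain_conflicts("example.com", ad, mixed_hosts))
```

Run against a real computer-account export, the second case is the one to look for: a single example.com host joined to AD is enough to put example.com on AD's list, and then IPA has to live somewhere else, such as ipa.example.com.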

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] HBAC access denied, all AD groups not detected

2015-12-09 Thread Jakub Hrozek
On Tue, Dec 08, 2015 at 04:10:42PM -0600, Sauls, Jeff wrote:
> > Jakub Hrozek wrote:
> > 
> > On Mon, Dec 07, 2015 at 02:04:26PM -0600, Sauls, Jeff wrote:
> > > > Jakub Hrozek wrote:
> > > >
> > > > On Fri, Dec 04, 2015 at 02:03:04PM -0600, Sauls, Jeff wrote:
> > > > > Hello,
> > > > >
> > > > > We are having a problem with HBAC that appears to be related to
> > > > > group membership lookup.  I am testing with a new install on RHEL
> > > > > 7.2 with a cross-forest trust with AD.  When an AD user attempts
> > > > > to log into a client (RH 6.7 or 7.2) the "hbac_eval_user_element"
> > > > > can report a different number of groups each time and never seems to
> > contain the full list.
> > > > > For the testing account, running the 'id' command returns 153 groups.
> > > > > The ipa group "ad_admin" has setup to be able to log in anywhere,
> > > > > everyone else is denied.  With the default allow_all rule enabled,
> > > > > everything works as expected.  Any ideas on where I can look next?
> > > >
> > > > I assume the group membership is OK on the server, but not the
> > > > client? Can you enable debugging and also include the full logs from
> > > > the client after doing sss_cache -E on the client?
> > >
> > > I've done some more testing and installed a RHEL 6.6 client, the issue
> > > doesn't occur there since it is not pulling in AD groups, it only shows
> > > the single POSIX group.  The server is running 7.2 and I get the same
> > > issue logging into it.
> > 
> > To make sure I understand -- the group you expect to be returned on the
> > server is not either? So there is a consistent failure on the server as
> > well?
> > 
> > (It's important to see where the failure is, the server and the client use
> > different methods to obtain the group memberships. The server talks
> > directly to the AD, the clients talk to the server)
> > 
> > >
> > > This is the log section for a login that failed due to "Access denied
> > > by HBAC rules"  http://pastebin.com/paiBjG96 It shows it failing with 112
> > > groups, but I've had it pass at 113 and fail on another user at 66.
> > >
> > >
> 
> The server and client show the same symptoms. 

Ah, OK, then it sounds different from the other cases we've seen recently
and we need to fix the server first, because the clients read data from
the server.

If you can catch the failure with logs that update the cache (so sss_cache
-E was run before the id attempt), please go ahead and file a bug against
sssd. It would also be nice to list what groups are not displayed but
should be (or which work intermittently) and describe the hierarchy if
possible, at least the part that includes the faulty groups, so we can
set a similar environment locally.

> If I clear the cache on both and log into each, the number of groups can 
> change between cache clearings.  The only group used in the HBAC rule 
> "admin-access" is a POSIX group "ad_admins".  Ad_admins contains an external 
> group with the AD user account in it.  I can't consistently repeat it nor 
> find a pattern to the failure.
> 
> After many cache clears and reboots testing with the server, I've managed to 
> get it into a failure state.  After the reboot, I successfully logged in with 
> the AD account.  It showed [113] groups in the log.  I logged out and logged 
> back in with the same account a few minutes later and was denied by HBAC
> rules, the group count shows [71] for this session.  Logging in 30 minutes 
> later still fails, but show [112] groups now.  On the client system, I 
> cleared the cache and rebooted it, I'm able to log into it with the AD 
> account and it shows [72] groups in the log.
> 
> -Jeff
> 
> 
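A defender-side triage helper, added here and not part of Jakub's reply or of sssd, that does the bookkeeping he asks for: it pulls the group count out of each hbac_eval_user_element log line, collects the counts per user, and flags users whose count varies between logins or never reaches the number `id` reports. The log lines are constructed to resemble sssd output; the exact prefix layout is an assumption, so adjust the regex to your build.

```python
import re
from collections import defaultdict

# Assumed message shape, modelled on the "[N] groups for user [name]" line the
# thread quotes from hbac_eval_user_element; the timestamp/prefix layout is
# constructed and may differ in your sssd build, so adjust the regex.
GROUP_COUNT_RE = re.compile(
    r"\[hbac_eval_user_element\].*?\[(?P<count>\d+)\] groups for user "
    r"\[(?P<user>[^\]]+)\]"
)


def group_counts_by_user(log_lines):
    """Collect, per user, every group count HBAC evaluation logged (log order)."""
    counts = defaultdict(list)
    for line in log_lines:
        match = GROUP_COUNT_RE.search(line)
        if match:
            counts[match.group("user")].append(int(match.group("count")))
    return dict(counts)


def flag_unstable_users(log_lines, expected_counts=None):
    """Return {user: (lowest, highest, expected)} for users whose group count
    differs between evaluations or never reaches what `id` reports."""
    expected_counts = expected_counts or {}
    flagged = {}
    for user, counts in group_counts_by_user(log_lines).items():
        lowest, highest = min(counts), max(counts)
        expected = expected_counts.get(user)
        if lowest != highest or (expected is not None and highest < expected):
            flagged[user] = (lowest, highest, expected)
    return flagged


# Constructed sample log lines (not real sssd output); the counts mirror the
# 113 / 71 / 112 sessions described in the thread.
SAMPLE_LOG = [
    "(Wed Dec  9 08:00:01 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x0400): [113] groups for user [jeff@ad.example.com]",
    "(Wed Dec  9 08:03:12 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x0400): [71] groups for user [jeff@ad.example.com]",
    "(Wed Dec  9 08:33:40 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x0400): [112] groups for user [jeff@ad.example.com]",
    "(Wed Dec  9 08:05:00 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x0400): [5] groups for user [bob@ad.example.com]",
    "(Wed Dec  9 08:40:00 2015) [sssd[be[ipa.example.com]]] [hbac_eval_user_element] (0x0400): [5] groups for user [bob@ad.example.com]",
    "(Wed Dec  9 08:41:00 2015) [sssd[be[ipa.example.com]]] [ipa_hbac_evaluate_rules] (0x0080): Access denied by HBAC rules",
]
# What `id` returned for the account in the thread (153 groups).
EXPECTED = {"jeff@ad.example.com": 153}

if __name__ == "__main__":
    for user, (lo, hi, want) in flag_unstable_users(SAMPLE_LOG, EXPECTED).items():
        print(f"{user}: group count varied {lo}..{hi}, id(1) reports {want}")
```

Feed it the domain log from the server first and the client second: if the server already shows a varying count, the client cannot do better, which is the ordering Jakub describes.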



[Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-09 Thread wouter.hummelink
Hello,

I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.

I've exported the default caIPAServiceCert profile and did the following 
modification:
< profileId=caIPAserviceCert
---
> profileId=KPNWebhostingAEM
87c87
< 
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, 
O=IPADOMAIN
---
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
>  OU=TESTAEM, O=IPADOMAIN

Profile
  Profile ID: KPNWebhostingAEM
  Profile description: KPN Webhosting AEM
  Store issued certificates: TRUE

CAACL
  ACL name: ING Intermediairs AEM Application Servers
  Enabled: TRUE
  Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
  Host Groups: xxx_accp_applications, xxx_prod_applications

Trying to request a certificate for a server
ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
/etc/pki/tls/certs/host.key  -TKPNWebhostingAEM

Results in:
ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID 'mongo2':
status: CA_UNREACHABLE
ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
request, will retry: 4301 (RPC failed at server.  Certificate operation cannot 
be completed: FAILURE (Policy Set Not Found)).
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
CA: IPA
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes

Since the same setup was working to request certificates on my lab environment 
I'm at a loss what is causing the error.

Kind regards,

Wouter Hummelink
Cloud Engineer
KPN IT Solutions
Platform Organisation Cloud Services
Mail: wouter.hummel...@kpn.com
Phone: +31 (0)6 1288 2447


[Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-09 Thread Winfried de Heiden

  
  
Hi all,

Using entry_cache_timeout to set a different cache timeout for sssd
works well. However, it doesn't seem to work for Trusted Domain
Users (using AD trust).

I made some changes and cleaned the cache, but the expiry stays at a
(too long) 10 (ten!) hours!

How can I change the sssd cache timeout for trusted AD users?
(using IPA 4.1)

Kind regards!

Winny

  



[Freeipa-users] FreeRadius and FreeIPA

2015-12-09 Thread Randy Morgan

Hello,

We are setting up our wireless to authenticate against FreeRadius and 
FreeIPA.  I am looking for any instructions on how to integrate radius 
with IPA.  We can get them talking via kerberos, but when we have a 
wireless client attempt to authenticate against them, the password gets 
stripped out and only the username gets passed on, resulting in a failed 
logon attempt.


As we have studied the problem we have identified the communication 
protocols used by wireless to pass on the user credentials to radius.  
Wireless uses EAP as its primary protocol.  We are running Xirrus 
wireless APs and from what we can learn, they act only as a pass-through 
conduit for the client.  Ideally we would like them to speak PEAP TTLS; 
this would allow kerberos to process from the client to the IPA server. 
We are still researching this.


Are there any instructions on how to integrate FreeRadius 3.0.10 with 
FreeIPA 3.3.5?  Any help would be appreciated.


Randy

--
Randy Morgan
CSR
Department of Chemistry and Biochemistry
Brigham Young University
801-422-4100



[Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

2015-12-09 Thread Günther J . Niederwimmer
Hello,

I'd like to create an NSEC3PARAM record, but my tests are not working :-(.

Is there documentation for this problem? I can't find any docs.

My test is

I make a "Salt" with this

head -c 512 /dev/random | sha1sum | cut -b 1-16
x...

afterwards I run

ldns-nsec3-hash -t 10 -s xx x.com 
x.

The result is what I'd like to insert in the WebUI, but this is wrong?

What is the correct syntax to create an NSEC3PARAM record?

Thanks for an answer,

-- 
with kind regards / best regards,

  Günther J. Niederwimmer
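Added example, not part of Günther's post or of FreeIPA: the NSEC3 owner-name hash from RFC 5155 and the NSEC3PARAM presentation format, `<hash-alg> <flags> <iterations> <salt>` (for instance `1 0 10 <16 hex digits>`), which is the rdata string an NSEC3PARAM record carries. The ldns-nsec3-hash output in the post is a hashed owner name, not NSEC3PARAM rdata; the parameters that produced it are what the record stores. Function names are the example's own; the test vector checked is the hashed owner name of `example.` from RFC 5155 Appendix A.

```python
import base64
import hashlib
import os
import re

# base32 with the "extended hex" alphabet, as RFC 5155 requires for hashed owner names
_STD_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX_B32 = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_STD_B32, _HEX_B32)


def owner_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name: length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        out.append(len(raw))
        out.extend(raw)
    out.append(0)
    return bytes(out)


def nsec3_hash(owner: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), re-applied `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(owner_to_wire(owner) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # a 20-byte digest is exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def random_salt_hex(nbytes: int = 8) -> str:
    """A fresh salt from the OS CSPRNG; 8 bytes gives the 16 hex digits used in the post."""
    return os.urandom(nbytes).hex()


def make_nsec3param(iterations: int, salt_hex: str, hash_alg: int = 1, flags: int = 0) -> str:
    """NSEC3PARAM rdata in presentation format: '<hash-alg> <flags> <iterations> <salt>'."""
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    salt = salt_hex.lower() or "-"
    if salt != "-":
        if len(salt) % 2 or len(bytes.fromhex(salt)) > 255:
            raise ValueError("salt must be whole bytes, at most 255 of them")
    return f"{hash_alg} {flags} {iterations} {salt}"


_NSEC3PARAM_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(-|[0-9A-Fa-f]+)$")


def parse_nsec3param(rdata: str):
    """Validate presentation-format rdata; return (hash_alg, flags, iterations, salt_hex)."""
    m = _NSEC3PARAM_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not NSEC3PARAM presentation format: {rdata!r}")
    hash_alg, flags, iterations, salt = int(m[1]), int(m[2]), int(m[3]), m[4].lower()
    if hash_alg != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    if salt != "-" and len(salt) % 2:
        raise ValueError("salt hex string must have an even number of digits")
    if iterations > 65535:
        raise ValueError("iterations must fit in 16 bits")
    return hash_alg, flags, iterations, salt


if __name__ == "__main__":
    salt = random_salt_hex()                      # replaces the sha1sum|cut trick in the post
    rdata = make_nsec3param(10, salt)             # e.g. "1 0 10 3f0a...": the record's data
    print("NSEC3PARAM rdata:", rdata)
    print("hashed owner for x.com:", nsec3_hash("x.com", salt, 10))
    print("RFC 5155 vector:", nsec3_hash("example.", "aabbccdd", 12))
```

The rdata string is what the zone stores; the signer derives every hashed owner name from it, so the hash computed from a name is never entered by hand. A salt of 8 random bytes, as the post generates, is a common choice; the iteration count is the cost multiplier for both the signer and anyone computing hashes against the zone.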



Re: [Freeipa-users] yum update today broke ipa

2015-12-09 Thread Prasun Gera
Thanks! That worked. The command passed, and I don't see any other odd
behaviour yet. I'll wait for a new fixed errata before upgrading the other
node. That should be OK, right? I.e. running replicas on slightly different
versions.

On Wed, Dec 9, 2015 at 8:22 AM, Martin Basti wrote:

> Run upgrade manually, this is just an error in the checking function; obviously
> 4.2.0-15.el7_2.3 is newer than 4.2.0-15.el7
>
>
> On 09.12.2015 17:21, Prasun Gera wrote:
>
> Before I try this on the actual node, would it be better to roll back the
> last yum transaction ? I want to do whatever is safer.
>
> On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti wrote:
>
>>
>>
>> On 09.12.2015 16:32, Prasun Gera wrote:
>>
>> Ran yum update today. Pulled in
>> 
>> https://rhn.redhat.com/errata/RHBA-2015-2562.html.
>>
>> Seeing this error:
>>
>> 2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed,
>> exception: ScriptError: ("Unable to execute IPA upgrade: data are in newer
>> version than IPA (data version '4.2.0-15.el7', IPA version
>> '4.2.0-15.el7_2.3')", 1)
>> 2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade: data are in
>> newer version than IPA (data version '4.2.0-15.el7', IPA version
>> '4.2.0-15.el7_2.3')", 1)
>> "/var/log/ipaupgrade.log" 54696L, 5389464C
>>
>> ipactl won't start now. Luckily, I ran the update only on one replica.
>> The other node is still running.
>>
>>
>> Hello, this is not good, something terribly wrong happened with parsing
>> versions.
>>
>> You can run upgrade with ipa-server-upgrade --skip-version-check or
>> --force
>>
>
>
>

[Freeipa-users] yum update today broke ipa

2015-12-09 Thread Prasun Gera
Ran yum update today. Pulled in
https://rhn.redhat.com/errata/RHBA-2015-2562.html.

Seeing this error:

2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed,
exception: ScriptError: ("Unable to execute IPA upgrade: data are in newer
version than IPA (data version '4.2.0-15.el7', IPA version
'4.2.0-15.el7_2.3')", 1)
2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade: data are in
newer version than IPA (data version '4.2.0-15.el7', IPA version
'4.2.0-15.el7_2.3')", 1)
"/var/log/ipaupgrade.log" 54696L, 5389464C

ipactl won't start now. Luckily, I ran the update only on one replica. The
other node is still running.

Re: [Freeipa-users] yum update today broke ipa

2015-12-09 Thread Martin Basti

You can safely upgrade all machines, this is just version check error.

On 09.12.2015 17:30, Prasun Gera wrote:
Thanks! That worked. The command passed, and I don't see any other odd 
behaviour yet. I'll wait for a new fixed errata before upgrading the 
other node. That should be OK right ? i.e. Running replicas on 
slightly different versions.


On Wed, Dec 9, 2015 at 8:22 AM, Martin Basti wrote:


Run upgrade manually, this is just an error in the checking function;
obviously 4.2.0-15.el7_2.3 is newer than 4.2.0-15.el7


On 09.12.2015 17:21, Prasun Gera wrote:

Before I try this on the actual node, would it be better to roll
back the last yum transaction ? I want to do whatever is safer.

On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti wrote:



On 09.12.2015 16:32, Prasun Gera wrote:

Ran yum update today. Pulled in
https://rhn.redhat.com/errata/RHBA-2015-2562.html.

Seeing this error:

2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command
failed, exception: ScriptError: ("Unable to execute IPA
upgrade: data are in newer version than IPA (data version
'4.2.0-15.el7', IPA version '4.2.0-15.el7_2.3')", 1)
2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade:
data are in newer version than IPA (data version
'4.2.0-15.el7', IPA version '4.2.0-15.el7_2.3')", 1)
"/var/log/ipaupgrade.log" 54696L, 5389464C

ipactl won't start now. Luckily, I ran the update only on
one replica. The other node is still running.



Hello, this is not good, something terribly wrong happened
with parsing versions.

You can run upgrade with ipa-server-upgrade
--skip-version-check or --force
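To make Martin's point concrete, here is an RPM-style version comparison, added as an example and not FreeIPA's own upgrade code: release strings are split into numeric and alphabetic runs and compared segment by segment, and a string that extends an otherwise equal one (15.el7_2.3 over 15.el7) is the newer one. Tilde and caret ordering from rpmvercmp is left out; the version pair is the one from the log above.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _compare_segments(a: str, b: str) -> int:
    """rpmvercmp-style ordering of one version or release string:
    alphanumeric runs are compared left to right, numeric runs as integers,
    a numeric run outranks an alphabetic one, and when one string is a
    prefix of the other the longer one is newer. Tilde/caret ordering is
    deliberately not modelled (simplification for this example)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def rpm_version_compare(a: str, b: str) -> int:
    """Compare 'VERSION-RELEASE' strings; returns 1 (a newer), 0 (equal) or -1."""
    version_a, _, release_a = a.partition("-")
    version_b, _, release_b = b.partition("-")
    return _compare_segments(version_a, version_b) or _compare_segments(release_a, release_b)


def data_newer_than_ipa(data_version: str, ipa_version: str) -> bool:
    """What the upgrade guard should conclude: refuse only when the stored
    data version is strictly newer than the installed package."""
    return rpm_version_compare(data_version, ipa_version) > 0


if __name__ == "__main__":
    data, installed = "4.2.0-15.el7", "4.2.0-15.el7_2.3"   # the pair from the log above
    print(rpm_version_compare(installed, data))             # 1: installed package is newer
    print(data_newer_than_ipa(data, installed))             # False: upgrade may proceed
```

With this ordering the stored data version 4.2.0-15.el7 is older than the installed 4.2.0-15.el7_2.3, so the guard should have let the upgrade run; that is exactly the outcome --skip-version-check forces by hand.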








[Freeipa-users] Add "mkhomedir" after install

2015-12-09 Thread Ranbir

Hello Everyone,

I installed a replica without passing the "mkhomedir" option to the 
install command. Sure enough, when I login to the replica, my home dir 
isn't created. I _could_ create it manually, but it would be nice if the 
first login triggered the creation.


I've been trying to find an answer to this on my own, but so far I've 
had no luck.


Thanks in advance!

--
Ranbir



Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-09 Thread Fraser Tweedale
On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +, wouter.hummel...@kpn.com wrote:
> > Hello,
> > 
> > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > 
> > I've exported the default caIPAServiceCert profile and did the following 
> > modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
> > 87c87
> > < 
> > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> >  O=IPADOMAIN
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  OU=TESTAEM, O=IPADOMAIN
> > 
> > Profile
> >   Profile ID: KPNWebhostingAEM
> >   Profile description: KPN Webhosting AEM
> >   Store issued certificates: TRUE
> > 
> > CAACL
> >   ACL name: ING Intermediairs AEM Application Servers
> >   Enabled: TRUE
> >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > 
> > Trying to request a certificate for a server
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > 
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > cannot be completed: FAILURE (Policy Set Not Found)).
> > stuck: no
> > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> > 
> > Since the same setup was working to request certificates on my lab 
> > environment I'm at a loss what is causing the error.
> > 
> > Kind regards,
> > 
> Hi Wouter,
> 
> I'm looking into this; stay tuned.
> 
OK, I could not reproduce.  Is the issue reproducible for you?  Did
you execute the commands by hand or as part of a script?  Can you
provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?

Cheers,
Fraser



Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-09 Thread wouter.hummelink
I'll send the log as soon as I get a chance. After the mail I also tried 
fetching a cert on another server (CentOS 7.1) that never had a cert issued. This 
resulted in a cert conformant with caIPAserviceCert.


Sent from my Samsung device


 Original message 
From: Fraser Tweedale 
Date: 2015-12-10 03:58 (GMT+01:00)
To: "Hummelink, Wouter" 
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> On Wed, Dec 09, 2015 at 10:46:06AM +, wouter.hummel...@kpn.com wrote:
> > Hello,
> >
> > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> >
> > I've exported the default caIPAServiceCert profile and did the following 
> > modification:
> > < profileId=caIPAserviceCert
> > ---
> > > profileId=KPNWebhostingAEM
> > 87c87
> > < 
> > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> >  O=IPADOMAIN
> > ---
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  OU=TESTAEM, O=IPADOMAIN
> >
> > Profile
> >   Profile ID: KPNWebhostingAEM
> >   Profile description: KPN Webhosting AEM
> >   Store issued certificates: TRUE
> >
> > CAACL
> >   ACL name: ING Intermediairs AEM Application Servers
> >   Enabled: TRUE
> >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> >   Host Groups: xxx_accp_applications, xxx_prod_applications
> >
> > Trying to request a certificate for a server
> > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> >
> > Results in:
> > ipa-getcert list
> > Number of certificates and requests being tracked: 1.
> > Request ID 'mongo2':
> > status: CA_UNREACHABLE
> > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > cannot be completed: FAILURE (Policy Set Not Found)).
> > stuck: no
> > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
> >
> > Since the same setup was working to request certificates on my lab 
> > environment I'm at a loss what is causing the error.
> >
> > Kind regards,
> >
> Hi Wouter,
>
> I'm looking into this; stay tuned.
>
OK, I could not reproduce.  Is the issue reproducible for you?  Did
you execute the commands by hand or as part of a script?  Can you
provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?

Cheers,
Fraser

Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-09 Thread Fraser Tweedale
On Thu, Dec 10, 2015 at 12:58:05PM +1000, Fraser Tweedale wrote:
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +, wouter.hummel...@kpn.com wrote:
> > > Hello,
> > > 
> > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > > 
> > > I've exported the default caIPAServiceCert profile and did the following 
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > < 
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > >  OU=TESTAEM, O=IPADOMAIN
> > > 
> > > Profile
> > >   Profile ID: KPNWebhostingAEM
> > >   Profile description: KPN Webhosting AEM
> > >   Store issued certificates: TRUE
> > > 
> > > CAACL
> > >   ACL name: ING Intermediairs AEM Application Servers
> > >   Enabled: TRUE
> > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > > 
> > > Trying to request a certificate for a server
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > > 
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > > cannot be completed: FAILURE (Policy Set Not Found)).
> > > stuck: no
> > > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > > CA: IPA
> > > issuer:
> > > subject:
> > > expires: unknown
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > > 
> > > Since the same setup was working to request certificates on my lab 
> > > environment I'm at a loss what is causing the error.
> > > 
> > > Kind regards,
> > > 
> > Hi Wouter,
> > 
> > I'm looking into this; stay tuned.
> > 
> OK, I could not reproduce.  Is the issue reproducible for you?  Did
> you execute the commands by hand or as part of a script?  Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
>
Oh, and did you make any changes to the profile configuration
besides those you mentioned; the profileId and Subject Name pattern?

> 
> Cheers,
> Fraser
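For anyone following Fraser's question about other changes to the profile, here is a structural check, added as an example and not code from FreeIPA or Dogtag, that parses a profile file and verifies the policy-set cross-references (policyset.list, policyset.&lt;set&gt;.list, and each listed policy's default and constraint class_id). It does not establish the cause of the "Policy Set Not Found" error in this thread; it only reports references that do not resolve, which is the kind of accidental edit such a diff would hide. The sample profiles are constructed, and the key names beyond those visible in the thread (classId, desc, enable, the class_id entries) are assumed from the Dogtag profile format.

```python
# Added example, not from FreeIPA or Dogtag: sanity-check a certificate
# profile file's policy-set references before importing it.

def parse_profile(text: str) -> dict:
    """key=value lines; the value keeps any further '=' (e.g. a subject pattern)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def _csv(value: str) -> list:
    return [item.strip() for item in value.split(",") if item.strip()]


def check_profile(text: str) -> list:
    """Return human-readable problems; an empty list means every policy set
    and policy id referenced in the file resolves."""
    cfg = parse_profile(text)
    problems = []
    if not cfg.get("profileId"):
        problems.append("profileId is missing")
    sets = _csv(cfg.get("policyset.list", ""))
    if not sets:
        problems.append("policyset.list is missing or empty")
    ids = {}
    for pset in sets:
        ids[pset] = _csv(cfg.get(f"policyset.{pset}.list", ""))
        if not ids[pset]:
            problems.append(f"policyset.{pset}.list is missing or empty")
        for pid in ids[pset]:
            for part in ("default", "constraint"):
                key = f"policyset.{pset}.{pid}.{part}.class_id"
                if key not in cfg:
                    problems.append(f"{key} is missing")
    # keys that name a policy set or policy id nothing points at
    for key in cfg:
        parts = key.split(".")
        if parts[0] != "policyset" or len(parts) < 3:
            continue
        pset = parts[1]
        if pset not in ids:
            problems.append(f"{key}: policy set '{pset}' is not named in policyset.list")
        elif len(parts) >= 4 and parts[2] not in ids[pset]:
            problems.append(f"{key}: policy id '{parts[2]}' is not named in policyset.{pset}.list")
    return problems


# Constructed minimal profile carrying the two edits from the thread
# (profileId and the subject-name pattern); a real export has many more keys.
GOOD_PROFILE = """\
profileId=KPNWebhostingAEM
classId=caEnrollImpl
desc=KPN Webhosting AEM
visible=false
enable=true
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
"""

# Same file with one stray keystroke in the set name referenced by policyset.list.
BROKEN_PROFILE = GOOD_PROFILE.replace("policyset.list=serverCertSet", "policyset.list=serverCertset")

if __name__ == "__main__":
    print("good profile:", check_profile(GOOD_PROFILE) or "no problems")
    for problem in check_profile(BROKEN_PROFILE):
        print("broken profile:", problem)
```

Running it over both the exported original and the edited copy, and diffing the two problem lists, answers Fraser's question mechanically: any difference beyond the two intended keys shows up as a dangling reference.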



Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-09 Thread Joshua Doll
I usually just run

authconfig --enablemkhomedir

--Joshua D Doll

On Wed, Dec 9, 2015 at 1:46 PM Ranbir wrote:

> Hello Everyone,
>
> I installed a replica without passing the "mkhomedir" option to the
> install command. Sure enough, when I login to the replica, my home dir
> isn't created. I _could_ create it manually, but it would be nice if the
> first login triggered the creation.
>
> I've been trying to find an answer to this on my own, but so far I've
> had no luck.
>
> Thanks in advance!
>
> --
> Ranbir
>
>

Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-09 Thread Ranbir

On 2015-12-09 14:01, Craig White wrote:

You can enable it at any time...

authconfig --enablemkhomedir --update


Crap! I didn't even consider doing it that way. For some reason I 
thought there was some ipa command I had to run. The ipa install does 
this too, I guess. :)


Thanks for the pointer and for jogging my memory.

--
Ranbir
