I have just installed a newly created FreeIPA server running CentOS 7.2. I
have a (wildcard) SSL Certificate that I want to use for the FreeIPA Web
Management GUI. I tried to follow the directions listed here at the URL of
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
howev
I'm not familiar enough with Fedora release engineering to know how this
gets fixed permanently, but I'll share some investigation I've done.
This appears to be due to a change in the selinux-policy-targeted
package that happened recently. As of the latest version, named-pkcs11
tries to run as
Auerbach, Steven wrote:
We have our IPA set up as master-master and we have about 25 clients in
realm (including the IPA servers themselves).
We have a single user who changed his unexpired password using the
passwd command logged on to one of the registered clients.
Thereafter, when he logs on
UPDATE:
Tried again the whole procedure with ipa-dns-install, and it DOES work with
SELinux disabled, and still fails with SELinux enabled.
So the error "Failed to enumerate object store in /var/lib/softhsm/tokens/"
makes sense.
Can someone help me fix it?
$ ll -Z /var/lib/ipa/dnssec/
total 12
-
- FC23
- IPA 4.2.4
After a dnf update, bind was updated (no ipa updates), and named-pkcs11
doesn't start anymore.
$ /usr/sbin/named-pkcs11 -d 9 -g
21-Jul-2016 23:08:50.332 starting BIND 9.10.3-P4-RedHat-9.10.3-13.P4.fc23 -d 9 -g
21-Jul-2016 23:08:50.332 built with '--build=x86_64-redhat-linux-g
Hi everyone.
I'm currently planning on deploying FreeIPA as the Master KDC (among other
things to leverage from the API and some other built-in features - like
replicas).
However I find (correct me if I'm wrong) FreeIPA not very modular, therefore
I would like to know what's the strategy when deploy
We have our IPA set up as master-master and we have about 25 clients in realm
(including the IPA servers themselves).
We have a single user who changed his unexpired password using the passwd
command logged on to one of the registered clients.
Thereafter, when he logs on to any of the client se
eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Yo
> *Sent:* Thursday, July 21, 2016 11:30 AM
> *Subject:* Re: [Freeipa-users] regenerat
and this is for catalina.out
SEVERE: A web application created a ThreadLocal with key of type [null] (value
[com.netscape.cmscore.util.Debug$1@39139da8]) and a
value of type [java.text.SimpleDateFormat] (value
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web
appli
cat
and below is for selftests.log
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running
self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence: CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCert
hi, I find below in debug file under /var/log/pki-ca, what is your comment?
[21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for
servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore():
mohammad sereshki wrote:
hi
would you please explain more
?
Your CA (dogtag) is not running. The CA is written in java and deployed
as a WAR in tomcat. If something goes wrong during initialization the CA
will exit but tomcat will not.
Requests to the CA are returning 404 Not Found because
hi, would you please explain more?
From: Rob Crittenden
To: mohammad sereshki ; Florence Blanc-Renaud
; Freeipa-users
Sent: Thursday, July 21, 2016 11:09 PM
Subject: Re: [Freeipa-users] regenerate certificate
mohammad sereshki wrote:
> hi
> it is result of command, seems issue is a
mohammad sereshki wrote:
hi
it is result of command, seems issue is another thing
ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Not Found)
Which means that the CA still isn't up. You're going to need to look at
the dogtag logs in /va
hi, it is result of command, seems issue is another thing
ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate
with CMS (Not Found)
From: Rob Crittenden
To: mohammad sereshki ; Florence Blanc-Renaud
; Freeipa-users
Sent: Thursday, July 21, 201
Linov Suresh wrote:
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time.
*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*
The IPA API log isn't going to show much in this case.
Requests to the CA are proxie
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time.
*I am not sure about that, please see httpd_error when `ipa cert-show 1`
was run*
[root@caer ~]# tail -f /var/log/httpd/error_log
[Thu Jul 21 12:01:21 2016] [error] ipa: DEBUG: WSGI wsgi_d
On 07/21/2016 05:14 PM, Linov Suresh wrote:
> I set debug=true in /etc/ipa/default.conf
>
> Here are my logs,
The httpd_error log doesn't contain the part where `ipa cert-show 1` was
run. If it is from the same time. Does `ipa cert-show` communicate with
the same replica? Could be verified by `ip
mohammad sereshki wrote:
dear
thanks, but would you please check below and let me know what is your
idea? I checked your command but it did not work.
The Not Found suggests that the CA is not up. I'd try restarting the
pki-cad process to see if that helps.
A simple test that communication is
Hello everyone,
I have one issue with replication from AD to IPA.
Right now on my IPA master I have the current packages :
ipa-admintools.x86_64 4.2.0-15.0.1.el7.centos.17 @updates
ipa-client.x86_64 4.2.0-15.0.1.el7.centos.17 @updates
ipa-python.x86_64 4.2.0-15.0.1.el7.centos.17 @u
Hello,
You should remove the following from sssd.conf:
[domain/example.tt]
debug_level = 7
ldap_id_mapping = False
id_provider = ad
With the AD trust configuration, you do not need to specify any
additional domain because IPA will contact AD across the trust using the
On 07/20/2016 09:41 PM, Linov Suresh wrote:
> I have restarted the pki-cad and checked if communication with the CA is
> working, but no luck,
>
> Debug logs in /var/log/pki-ca do not have anything unusual. Can you think of
> anything other than this?
/var/log/httpd/error_log when /etc/ipa.con
Thank you.
Now I have IDMU installed and when creating trust, IPA is correctly
autodetecting the range type:
Range name: EXAMPLE.TT_id_range
First Posix ID of the range: 1
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-4123312533-990676102-3576722756
Rang
Hello all,
I prepared howto for the new feature in IPA 4.4:
https://www.freeipa.org/page/Howto/IPA_locations
Feel free to report/fix any errors :-)
With regards,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
dear
thanks, but would you please check below and let me know what is your idea? I
checked your command but it did not work.
Number of certificates and requests being tracked: 8.
Request ID '20140817123525':
status: MONITORING
ca-error: Unable to determine principal name for sign
On 07/20/2016 10:04 PM, mohammad sereshki wrote:
hi
I check my IPA server which is version ipa-server-3.0.0-25 , command
"ipa-get-cert list" show, my certificate will be expired in next 20 days,
I do not know how to regenerate them
but command "getcert list" shows expiration certificates are relate