Re: [Freeipa-users] Unable to communicate with CMS (Service Unavailable)

2015-11-16 Thread Nalin Dahyabhai
On Thu, Nov 12, 2015 at 08:55:25PM +0100, Martin Kosek wrote: > On 11/12/2015 04:51 PM, Terry John wrote: > > > >I got a core dump of certmonger failing user abrt but it's huge. Is there > >any particular part that would be useful. > > CCing Nalin and David for the core dump. More below. My

Re: [Freeipa-users] approving certs?

2015-08-04 Thread Nalin Dahyabhai
On Tue, Aug 04, 2015 at 07:29:13AM -0700, Janelle wrote: Hello, Well, I am more used to working with openssl directly, so I am a little confused when using FreeIPA and certmonger. I assume that when a certificate is in this state: status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck:

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Nalin Dahyabhai
On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote: Hi, all. I am trying to integrate certmonger with dogtag instance, and so far i've stumbled on one odd problem. Hopefully this is the right list. I've generated some random cert with getcert request, it has communicated with

Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

2015-05-12 Thread Nalin Dahyabhai
On Mon, May 11, 2015 at 05:14:16PM +0200, Thibaut Pouzet wrote: There is one that remains expired, despite all the efforts I put into renewing it. This is the one used for the pki-ca administration pages reachable on ports 9443, 9444 and 9445. Here is its status after trying to resubmit it :

Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

2015-05-12 Thread Nalin Dahyabhai
On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote: After doing what you recommended, the CSR has changed in the debug log: Certificate Request: Data: Version: 0 (0x0) Subject: O=ipa_domain, CN=ipa_server Subject Public Key Info:

Re: [Freeipa-users] ipa-getcert Problem ?

2015-04-15 Thread Nalin Dahyabhai
On Wed, Apr 15, 2015 at 08:47:12AM +0200, Günther J. Niederwimmer wrote: Thank you for the answer and help I mean this is working now ;) after some --uninstall and delete the certificate (?) . The wrong command I found with google :-(. The status command is not working on my system!

Re: [Freeipa-users] ipa-getcert Problem ?

2015-04-14 Thread Nalin Dahyabhai
On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote: Hello I mean I have a Problem with the ipa-getcert script. system CentOS 7 (1503) and IPA 4.1.x can any help or declare my mistake or is this a IPA Problem I do a kinit admin ipa-getcert request -d

Re: [Freeipa-users] IPA web interface always giving Your session has expired. Please re-login.

2015-04-01 Thread Nalin Dahyabhai
On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote: Hi, yes I have cleared cache. Tried from different browsers, tried from portable browser, configure kerberos plugin in firefox. This is what I got from inspect: http://s9.postimg.org/51c5809xr/kerb.jpg Just to be sure, the

Re: [Freeipa-users] Openvpn and Certificates

2015-04-01 Thread Nalin Dahyabhai
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote: I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From an OpenVPN standpoint I'm guessing this is fine because a vpn client can

Re: [Freeipa-users] Problems with ssh and install-uninstall-install sequence on the server

2015-03-19 Thread Nalin Dahyabhai
On Wed, Mar 18, 2015 at 05:55:52PM -0400, Rob Crittenden wrote: getcert status process 31282: arguments to dbus_message_new_method_call() were incorrect, assertion path != NULL failed in file dbus-message.c line 1262. This is normally a bug in some application using the D-Bus library.

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Nalin Dahyabhai
On Tue, Nov 11, 2014 at 08:48:18AM +0100, Natxo Asenjo wrote: 2014-11-11 08:34:33 [11677] Certificate Local Signing Authority valid for 31473668s. 2014-11-11 08:34:33 [11677] Running result is 1481416576. 2014-11-11 08:34:33 [11677] Final result is 1481416576. Okay, that's weird. The result

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Nalin Dahyabhai
On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote: Since you mention that this seems to be specific to 32-bit boxes, I think I need to switch to that one to try to sort out what's happening here, since I'm on a 64-bit box. Okay, found it, and as 64-bit cleanliness sometimes

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Nalin Dahyabhai
On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: Nov 10 15:51:31 apachetest03 certmonger: Decoding error on

Re: [Freeipa-users] 3.3.3 - Unable to install remote client

2014-09-25 Thread Nalin Dahyabhai
On Wed, Sep 24, 2014 at 01:02:34PM -0600, ToBeReplaced wrote: In details below, the domain name, server host name, and ip address has been changed. The server is sitting behind a router with ip 12.34.56.78. The server was configured with `--enable-dns` and `192.168.1.100 ipa.example.com

Re: [Freeipa-users] Certificate system unavailable

2014-01-13 Thread Nalin Dahyabhai
On Mon, Jan 13, 2014 at 04:07:16PM +0100, Sigbjorn Lie wrote: After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the request is now: Request ID '20120119194518': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 907 (RPC failed at

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-07 Thread Nalin Dahyabhai
On Tue, Jan 07, 2014 at 05:22:22AM -0500, Joseph, Matthew (EXP) wrote: When I run ypcat on the IPA servers it states that ypbind can't communicate. I started ypbind on the secondary IPA server so now I can run ypcat. Is running ypbind on the IPA servers necessary? According to all of the

Re: [Freeipa-users] EXTERNAL: Re: NIS Compat issues

2014-01-07 Thread Nalin Dahyabhai
On Tue, Jan 07, 2014 at 10:35:58AM -0500, Rob Crittenden wrote: Nalin Dahyabhai wrote: Any system on which you intend to run ypcat, ypmatch, or any of the NIS client commands should run ypbind, whether it's talking to a more traditional NIS server or an IPA server with its NIS service enabled

Re: [Freeipa-users] Startup issue witrh dirsrv using slapi-nis

2013-10-03 Thread Nalin Dahyabhai
On Thu, Oct 03, 2013 at 05:02:44PM -0400, Dmitri Pal wrote: On 09/27/2013 08:13 AM, Ade wrote: I have a dirsrv server using the slapi-nis plugin to provide 190+ nis maps. It works well apart from one issue - boot up If I do a reboot, the dirsrv starts up ok, but slapi-nis doesn't seem to

Re: [Freeipa-users] slapi-nis user password error

2013-09-05 Thread Nalin Dahyabhai
On Thu, Sep 05, 2013 at 09:17:36AM -0500, cbul...@gmail.com wrote: The users were imported from an openldap server and the password encryption is MD5. Is that {CRYPT} using an md5-based crypt, or {MD5} or {SMD5}? A client that's trying to check passwords using hashes which it reads via NIS is

Re: [Freeipa-users] Automount cross-location support

2013-05-28 Thread Nalin Dahyabhai
On Sun, May 26, 2013 at 09:40:03PM +0200, Sigbjorn Lie wrote: I did some testing on this. I added an entry to cn=Schema Compatibility, cn=plugins, cn=config, and defined the various settings for the compat plugin. It worked as a charm, the requested automountmaps were mirrored. However, one

Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote: Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not auto-renew. ipa-getcert list Number of certificates and requests being tracked: 4. [snip] Request ID '20120615190133': status: CA_UNCONFIGURED ca-error:

Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote: Nalin, Thanks for your response. Running `hostname` does result in ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed. I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/

Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote: Here is the output from the submit: /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr Submitting request to https://ipa01.ctidata.net/ipa/xml;. Fault -504: (libcurl failed to execute the HTTP POST transaction,

Re: [Freeipa-users] Expired certs not auto renewed by Cermonger

2013-05-02 Thread Nalin Dahyabhai
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote: /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority All the certs monitored by Certmonger show the same issuer. Ok, good. (If that hadn't been the case, I wouldn't have had an explanation to offer.) Wasn't

Re: [Freeipa-users] IPA - NIS Compatability

2013-03-27 Thread Nalin Dahyabhai
On Wed, Mar 27, 2013 at 11:07:44AM -0400, Joseph, Matthew (EXP) wrote: Here is the entry that is in dse.ldif: Dn= nis-domain=domain.ca+nis-map=hosts.byname,CN=NIS Server,cn=plugin,cn=config objectClass: top objectClass: extensibleObject nis-map: hosts.byname nis=base:

Re: [Freeipa-users] EXTERNAL: Re: IPA - NIS Compatability

2013-03-27 Thread Nalin Dahyabhai
On Wed, Mar 27, 2013 at 01:42:58PM -0400, Joseph, Matthew (EXP) wrote: Hey Nalin, Sorry typo on my part. It does say nis-base. Alright then. The next thing to check is if the directory entries the plugin's finding have data that the plugin expects to use to create entries in the NIS map.

Re: [Freeipa-users] KPasswd TCP issues

2013-02-19 Thread Nalin Dahyabhai
On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote: I used IPA from the CentOS 6 repositories and I am having an issue I can't seem to solve. I installed a server and a client with no issues, but upon Nessus scans of the server, port 464 kpasswd UDP was flagged for a

Re: [Freeipa-users] compat and ou=People

2013-01-14 Thread Nalin Dahyabhai
On Mon, Jan 14, 2013 at 12:06:35PM -0700, Orion Poplawski wrote: We're looking at migrating from 389ds to ipa. Currently our users are in ou=People with rfc2307 attributes. Is there any way to provide an ou=people,dc=nwra,dc=com compatibility group in IPA? Or does everything have to remain

Re: [Freeipa-users] Announcing FreeIPA v3.1.0 Release

2012-12-11 Thread Nalin Dahyabhai
On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote: This appears to require dirsrv-1.3, which I assume is part of 389-base-devel. I don't see where 1.3 has been made available yet, or am I missing something? Hmm. I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a

Re: [Freeipa-users] sudo hostgroup sanity check, please?

2012-07-10 Thread Nalin Dahyabhai
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote: [snip] My sudo-ldap.conf file: binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com bindpw validpassword ssl start_tls tls_cacertfile /etc/ipa/ca.crt tls_checkpeer yes bind_timelimit 5 timelimit 15 uri

Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote: Hello, I've read that the schema compatibility plugin should provide a vanilla RFC 2307 view of groups with memberUid attributes. I need this for our OS X clients, which don't seem capable of understanding the RFC 2307bis format

Re: [Freeipa-users] Serving RFC2307 to OS X clients

2012-06-07 Thread Nalin Dahyabhai
On Thu, Jun 07, 2012 at 05:44:16PM -0400, Nalin Dahyabhai wrote: The results should look like this: dn: cn=Schema Compatibility,cn=plugins,cn=config nsslapd-pluginEnabled: off Yeah, that second line should be nsslapd-pluginEnabled: on. *facepalm* Nalin

Re: [Freeipa-users] insecure IPA'd NFS

2012-05-09 Thread Nalin Dahyabhai
On Wed, May 09, 2012 at 09:16:45PM +, Steven Jones wrote: I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6 workstation clients doing NFS via automount as per section 10.3 admin guide 6.3betaall good until I use a Ubuntu client to 'attack it I find the non-IPA's ubuntu

Re: [Freeipa-users] Problem: How to download the keytab from IPA without resetting/regenerating a new one??

2012-04-27 Thread Nalin Dahyabhai
On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote: I thought that there was a flag for ipa-getkeytab to fetch existing key but my knowledge in this area is rusty. Same with the cert. May be someone else would chime in. There's a way for certificates, at least. If you still

Re: [Freeipa-users] Screensaver unlock with expired password

2012-04-16 Thread Nalin Dahyabhai
On Mon, Apr 16, 2012 at 11:17:35PM +0200, Sigbjorn Lie wrote: The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5. The server is the IPA server provided in RHEL 6.2. When I check the logs on the client it states that authentication succeeded, and that the password has

Re: [Freeipa-users] (no subject)

2012-03-20 Thread Nalin Dahyabhai
On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote: I restarted certmonger and it seems to be working. Is there some way to change the renewal interval so we can simulate this in the lab? I'd like to see it go through a number of renewals to make sure we don't keep having this problem.

Re: [Freeipa-users] compat plug-in and replication

2012-03-16 Thread Nalin Dahyabhai
On Fri, Mar 16, 2012 at 03:12:03PM -0400, Rob Crittenden wrote: 2. An NIS listener (ipa-nis-manage enable/disable) which requires compat to be enabled. The NIS server plugin shouldn't depend on the compat plugin being enabled. The NIS server depends on being notified of changes to its source

Re: [Freeipa-users] Expired SSL certificate issue with IPA

2012-01-05 Thread Nalin Dahyabhai
On Thu, Jan 05, 2012 at 10:38:11AM -0500, Rob Crittenden wrote: My first thought was that there was a CA trust issue. I believe that certmonger uses the NSS database where the certificate is stored so since it is also doing this against Apache (which in theory trust is ok for it to start at

Re: [Freeipa-users] NIS maps via FreeIPA

2012-01-04 Thread Nalin Dahyabhai
On Tue, Dec 27, 2011 at 09:06:22AM -0500, Boris Epstein wrote: How do I control which NIS maps FreeIPA makes available? Specifically I may need passwd.byname. The set of maps that the NIS service provides is controlled by the entries listed under the directory server's configuration entry

Re: [Freeipa-users] FreeIPA_demonstration_tools CA creation error.

2011-12-16 Thread Nalin Dahyabhai
On Thu, Dec 15, 2011 at 09:02:01PM +0100, Ondrej Hamada wrote: On 12/14/2011 06:58 PM, Dmitri Pal wrote: Consistent name resolution is a requirement for IPA. Ondrej, can you please take a closer look and see if this is something with the demo scripts or IPA itself? I don't see a problem in

Re: [Freeipa-users] fixing port numbers associated with the NIS

2011-11-14 Thread Nalin Dahyabhai
On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote: Hello all, I am using the FreeIPA to run NIS via a plugin. Works great - except that the ypserv port numbers end up different after every reboot. That makes it hard to run it with the firewall activated. Does

Re: [Freeipa-users] Change Password problems (Unsupported Version)

2011-09-28 Thread Nalin Dahyabhai
On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote: The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the shell), whereas those who CANNOT change their password need to reset it

Re: [Freeipa-users] Change Password problems (Unsupported Version)

2011-09-28 Thread Nalin Dahyabhai
On Wed, Sep 28, 2011 at 09:38:33PM +0200, Jakub Hrozek wrote: He said he was updating the passwords with kpasswd, which should bypass the pam stack and talk to the kpasswd daemon directly, right? The users who can change their passwords can log in and do so with kpasswd, but the ones who can't

Re: [Freeipa-users] Change Password problems (Unsupported Version)

2011-09-27 Thread Nalin Dahyabhai
On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote: My IPA 2.0 master-slave setup has been working fine up until this week when users started getting problems updating their password due to expiry. Users get the following error when using kpasswd to update their passwords: kinit:

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-13 Thread Nalin Dahyabhai
On Thu, May 12, 2011 at 07:02:27PM -0700, nasir nasir wrote: Thanks for the reply Rob ! I had tried with all the log files you mentioned and had kept most of them in debug mode. Tried again now. The only error or clue I could see was the following I already mentioned in my previous

Re: [Freeipa-users] Problem with KRB DNS discovery (i think)

2009-11-25 Thread Nalin Dahyabhai
On Wed, Nov 25, 2009 at 06:42:16PM +0100, Tomasz 'Zen' Napierala wrote: On 2009-11-25, Wed at 15:50 +0100, Tomasz Z. Napierala wrote: Hi, I'm getting problems installing clients with default ipa-client-install values. Realm and domain are both discovered successfully but then