Re: [Freeipa-users] sudo log errors

2014-01-15 Thread Natxo Asenjo
On Wed, Jan 15, 2014 at 6:49 AM, Simo Sorce s...@redhat.com wrote: On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote: On 01/14/2014 06:17 AM, Natxo Asenjo wrote: Is there anything else I can do or do I just have to live with the error on syslog? I wonder if putting this user

Re: [Freeipa-users] sudo log errors

2014-01-15 Thread Natxo Asenjo
On Wed, Jan 15, 2014 at 10:59 AM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Jan 15, 2014 at 10:09:20AM +0100, Natxo Asenjo wrote: On what platform are you ? With sudo-sssd integration you shouldn't use directly ldap anymore. centos 6.5 on these hosts. So if I use sssd instead of ldap

Re: [Freeipa-users] Configuration backup (before Samba integration)

2014-03-27 Thread Natxo Asenjo
On Thu, Mar 27, 2014 at 7:37 AM, צביקה הרמתי haramaty.zv...@gmail.com wrote: Hi. I have a working network with IdM (FreeIPA). I'd like to integrate it with Samba, according to http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration/ What's the recommended way to backup current IPA

Re: [Freeipa-users] HELP

2014-03-27 Thread Natxo Asenjo
On Thu, Mar 27, 2014 at 7:58 PM, Todd Maugh tma...@boingo.com wrote: My Master IPA server has been lost, My replica is still up and functioning. what is the best way to proceed? Do I rebuild my master and add it has a replica? how do I get my master back in line with my IPA env?

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Natxo Asenjo
On Mon, Jun 9, 2014 at 12:16 PM, Matt . yamakasi@gmail.com wrote: Hi All, Is it possible in some way to automount a WebDav share to a Ubuntu Client when a user logs in on the commandline ? I'm only able to use WebDav on these machines. autofs should work with webdav, and googling

Re: [Freeipa-users] Automount WebDav share

2014-06-09 Thread Natxo Asenjo
On Mon, Jun 9, 2014 at 12:41 PM, Matt . yamakasi@gmail.com wrote: Hi, I'm only concerned about how to pass the password in this one... it seems to be hardcoded and I would like to have it used by ldap/freeipa. ideally the webdav server would accept gssapi/kerberos, then you would not

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Natxo Asenjo
On Mon, Sep 1, 2014 at 2:48 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Actually All I wanna do is, give permission to user to use some command. for example apt-get or something else. I Think I can do it with IPA right? sure, I do it all the time. But Lukas was

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread Natxo Asenjo
On Mon, Sep 8, 2014 at 11:44 AM, Gerardo Padierna asl.gera...@gmail.com wrote: Hello folks, hi, I'm setting up an IPA-server instance aimed to be used primarily for Linux/Unix clients ssh authentication (with kerberos). I've managed to successfully set up debian clients (via sssd and also

[Freeipa-users] [OT] ldap.conf settings with external CA

2014-09-15 Thread Natxo Asenjo
hi, This might save some time to someone, so let me post it to the list. TLDR, when using php to connect to an AD ldaps host using ADCS from IPA joined hosts modify /etc/openldap/ldap.conf or $HOME/.ldaprc and change the TLS_CACERT environment variable to TLS_CACERT

[Freeipa-users] ipa-getcert request problem

2014-09-15 Thread Natxo Asenjo
hi, Centos 6.5. I want to create a certificate request for our mysql servers. I came up with this command line: $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D `dnsdomainname` -U id-kp-serverAuth -K

Re: [Freeipa-users] ipa-getcert request problem

2014-09-15 Thread Natxo Asenjo
On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, Centos 6.5. I want to create a certificate request for our mysql servers. I came up with this command line: $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream. Do you mean ipa will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
hi, On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: hi, On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: Yes, you don't need to obtain a machine certificate. In fact we have

Re: [Freeipa-users] Client Certificate

2014-09-18 Thread Natxo Asenjo
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: ok. I was thinking on starting a pilot with dot1.x and hosts certificates are usually used for this, so it would be nice to have a cli switch during enrollment. Ok, do you have a preference

[Freeipa-users] kdc certificate web interface expiration warning

2014-10-09 Thread Natxo Asenjo
hi, today our monitoring system started warning us that the web ui certificate for our first kdc will expire in 30 days. I have checked manually with this command: $ sudo getcert list |grep auto-renew auto-renew: yes auto-renew: yes auto-renew: yes auto-renew: yes auto-renew:

Re: [Freeipa-users] kdc certificate web interface expiration warning

2014-10-09 Thread Natxo Asenjo
On Thu, Oct 9, 2014 at 8:42 AM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, today our monitoring system started warning us that the web ui certificate for our first kdc will expire in 30 days. I have checked manually with this command: $ sudo getcert list |grep auto-renew auto

[Freeipa-users] yet another certificate question

2014-10-09 Thread Natxo Asenjo
hi, if during the enrollment of a host a host certificate is created, then this will be a nssdb type certificate. However, lots of applications use file certificates and we can very easily create one of those (even using configuration management tools): /usr/bin/ipa-getcert request -r -f

Re: [Freeipa-users] yet another certificate question

2014-10-09 Thread Natxo Asenjo
On Thu, Oct 9, 2014 at 2:33 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, if during the enrollment of a host a host certificate is created, then this will be a nssdb type certificate. However, lots of applications use file certificates and we can very easily create one of those (even

[Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
hi, yet another certificate authority question. We have a centos 6.5 ipa environment with two domain controllers (kdc01, kdc02). The first one is the first replica and maintains the crl (or so it should). Recently our monitoring warned us that the web host certificate for kdc01 was about to

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I see are very old (the MasterCRL.bin file is dated 28 june 2013), and on the kdc02 it is newer (July 2 2013). on 28 June 2013 I patched

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I see are very old (the MasterCRL.bin file

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url (http://kdc01

Re: [Freeipa-users] mastercrl.bin very old

2014-10-14 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I still get the old crl dated june 28th last year. Should I modify ipa-pki-proxy.conf as well on the CRL generator host to point to the /ca/ee/ca

Re: [Freeipa-users] mastercrl.bin very old

2014-11-03 Thread Natxo Asenjo
hi, I have been really busy, apologies for the delay in answering. On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I get it from the crl generator using /ipa/crl

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
hi, On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek mko...@redhat.com wrote: On 11/04/2014 01:39 PM, Natxo Asenjo wrote: hi, On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: How often does the crl list get generated? I still do not see recent data

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
On Wed, Nov 5, 2014 at 7:37 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: 6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-09.temp (Permission denied) And I think I found

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
hi, By the way, is it safe to rename this file: $ ls -lh /var/lib/pki-ca/logs/debug -rw-r-. 1 pkiuser pkiuser 841M Nov 5 19:54 /var/lib/pki-ca/logs/debug It's quite big :-). Can I just rename it while the dirsrv is running and will a new one be created or do I have to stop the pki-cad

Re: [Freeipa-users] mastercrl.bin very old

2014-11-05 Thread Natxo Asenjo
On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: And I think I found it: https://fedorahosted.org/freeipa/ticket/3727 permissions of that folder: $ ls -ld publish/ drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/ I just changed them to pkiuser:pkiuser, let's

Re: [Freeipa-users] mastercrl.bin very old

2014-11-07 Thread Natxo Asenjo
hi Martin, On Fri, Nov 7, 2014 at 10:46 AM, Martin Kosek mko...@redhat.com wrote: Good! I am glad you fixed the problem. I added this case to http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old nice. Hopefully it will help someone. I am wondering what caused the issue. In the

[Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
hi, is this the right list to post certmonger questions? Here I see only a developer's list without too much activity: https://fedorahosted.org/certmonger/ My question is simple. After upgrading a vm running centos 6.5 to 6.6 I am seeing this error on reboot in messages: Nov 10 15:51:31

Re: [Freeipa-users] certmonger question

2014-11-10 Thread Natxo Asenjo
Hi Nalin, On Mon, Nov 10, 2014 at 5:19 PM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote: How can I debug this? First thing would be to run the daemon with additional logging - I usually use '-d3' to watch what's going on while

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi Nalin, On Tue, Nov 11, 2014 at 12:57 PM, Martin Kosek mko...@redhat.com wrote: So if the lurking double encoded certificate is in LDAP, and thus Apache DS shows is invalid (it shows as OK in my RHEL-7.0 server), maybe the easiest way to fix it would be to: - Open your Apache DS - Back up

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, On Tue, Nov 11, 2014 at 2:13 PM, Martin Kosek mko...@redhat.com wrote: I meant IPA server running on RHEL/CentOS 6.5 or older... This is the one that can regenerate CAcert entry without double encoding. ok. So I removed the cacert object and ran ipa-ldap-updater --upgrade --ldapi (it

Re: [Freeipa-users] certmonger question

2014-11-11 Thread Natxo Asenjo
hi, This seems to happen only in 32-bit VMs. At least in my limited testing, 2 out of 2 32-bit hosts running 6.5 after upgrading have this problem. An amd64 host is ok. $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.x86_64 $ rpm -qa | grep certmonger certmonger-0.75.13-1.el6.i686 --

Re: [Freeipa-users] certmonger question

2014-11-12 Thread Natxo Asenjo
hi, On Tue, Nov 11, 2014 at 7:14 PM, Nalin Dahyabhai na...@redhat.com wrote: On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote: Since you mention that this seems to be specific to 32-bit boxes, I think I need to switch to that one to try to sort out what's happening here, since

Re: [Freeipa-users] User certificates with FreeIPA and another question.

2015-02-06 Thread Natxo Asenjo
On Fri, Feb 6, 2015 at 3:30 PM, Martin Kosek mko...@redhat.com wrote: On 02/06/2015 12:53 AM, Christopher Young wrote: Obvious next question: Any plans to implement that functionality or advice on how one might get some level of functionality for this? Would it be possible to create

Re: [Freeipa-users] Unknown Client?

2015-03-17 Thread Natxo Asenjo
On Tue, Mar 17, 2015 at 4:19 PM, Tevfik Ceydeliler tevfik.ceydeli...@astron.yasar.com.tr wrote: Hi, Although I have this configuration in client .conf: ## client 172.30.47.241 { secret = 877909 shortname = VodafonePinarsuAPNYeni1

Re: [Freeipa-users] how can i create home directories automatically on solaris while IPA user login

2015-03-11 Thread Natxo Asenjo
On Wed, Mar 11, 2015 at 8:36 PM, Rob Crittenden rcrit...@redhat.com wrote: Ben .T.George wrote: HI thanks for the reply. even i tried native auto_master file with directory checking script. if i feed the user manually to the script, the directory is creating and while login request

Re: [Freeipa-users] Problem FreeIPA 4.1.3 for vCenter 5.5u2b SSO

2015-03-06 Thread Natxo Asenjo
On Fri, Mar 6, 2015 at 7:06 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 11:02 AM, Gianluca Cecchi wrote: On Fri, Mar 6, 2015 at 6:21 PM, Rich Megginson rmegg...@redhat.com wrote: On 03/06/2015 09:39 AM, Herwono W Wijaya wrote: vCenter SSO works well with Univention

Re: [Freeipa-users] IPA Client using Source Code

2015-03-30 Thread Natxo Asenjo
On Mon, Mar 30, 2015 at 10:48 AM, Yogesh Sharma yks0...@gmail.com wrote: Hi List, We have been trying to install IPA-Client using source code. While installing we are seeing many errors, of which most are resolved, but we are stuck at the below while doing make. Is there any suggestion to get out of it?

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-27 Thread Natxo Asenjo
On Fri, Mar 27, 2015 at 5:58 AM, Yogesh Sharma yks0...@gmail.com wrote: (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [sss_krb5_cc_verify_ccache] (0x0020): 1078: [-1765328190][Credentials cache permissions incorrect] (Fri Mar 27 10:19:57 2015) [sssd[be[sd.int]]] [check_old_ccache] (0x0040):

Re: [Freeipa-users] Not able to SSH with User Created in IPA Server

2015-03-26 Thread Natxo Asenjo
On Thu, Mar 26, 2015 at 3:12 PM, Yogesh Sharma yks0...@gmail.com wrote: Thanks, but when I am trying to use admin user (default user created by IPA), I am able to login. The issue is happening only with new users we are trying to create. (Thu Mar 26 19:30:52 2015) [[sssd[krb5_child[13625

Re: [Freeipa-users] Common Name for the ipa-cacert-manage command

2015-05-01 Thread Natxo Asenjo
hi, On Fri, May 1, 2015 at 12:52 AM, William Graboyes wgrabo...@cenic.org wrote: I guess it is time to get deep into API documentation. This is a hell of a lot of hoops to jump through just so that users who don't have shell access can easily change their passwords without having to see a

[Freeipa-users] host usercertificate attribute

2015-05-16 Thread Natxo Asenjo
hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? The command I used was: ldapsearch -b cn=computers,cn=accounts,dc=sub,dc=domain,dc=tldl -t -Y gssapi -Z -h kdc01.sub.dmain.tld usercertificate which creates

Re: [Freeipa-users] upgrade 3.0 - 4.1

2015-04-07 Thread Natxo Asenjo
hi, On Fri, Apr 3, 2015 at 4:41 PM, Dmitri Pal d...@redhat.com wrote: On 04/03/2015 09:46 AM, Brian Topping wrote: On Apr 3, 2015, at 6:48 AM, Tamas Papp tom...@martos.bme.hu tom...@martos.bme.hu wrote: hi All, I have CentOS 6.6 server and want to upgrade to 7.1. What is the upgrade

Re: [Freeipa-users] Setup of freeipa 4.1.3 failed

2015-04-08 Thread Natxo Asenjo
On Wed, Apr 8, 2015 at 7:57 AM, Markus Roth mar...@die5roths.de wrote: Yesterday I did the installation of freeipa on my banana Pi with modifying the source file ipalib/constants.py:('startup_timeout', 300). I changed it to 900 s. And the setup process was successful! The start of the

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi rob, On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com mailto:natxo.ase...@gmail.com wrote: hi, If I retrieve the usercertificate attribute for host objects I get

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi Rob, On Wed, May 20, 2015 at 2:08 PM, Rob Crittenden rcrit...@redhat.com wrote: Nat You could try adding -inform DER cool, that works ;-) Thanks. -- Groeten, natxo -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] host usercertificate attribute

2015-05-17 Thread Natxo Asenjo
On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? maybe there is a way to feed that to openssl. What I ended up doing

Re: [Freeipa-users] hesitate to deploy freeipa

2015-06-26 Thread Natxo Asenjo
hi, On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel harald.dun...@aixigo.de wrote: Hi folks, I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools

Re: [Freeipa-users] FreeIPA and Rsyslog

2015-07-03 Thread Natxo Asenjo
On Fri, Jul 3, 2015 at 7:54 PM, Esdras La-Roque esdras.laro...@gmail.com wrote: Hi guys, is it possible to utilize a freeipa certificate, issued for a machine, integrated in Rsyslog for redirecting logs remotely? not with rsyslog, but with logstash and the logstash forwarder. I tried with

Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-31 Thread Natxo Asenjo
Hi, Maybe just one more redirect if people come directly to https://freeipa.org? $ curl -LIv https://freeipa.org * Rebuilt URL to: https://freeipa.org/ * Hostname was NOT found in DNS cache * Trying 209.132.183.105... * Connected to freeipa.org (209.132.183.105) port 443 (#0) * Initializing

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Natxo Asenjo
On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user whether given access or not can login to the Solaris systems. The allow-all rule has been

[Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
hi, I just noticed some stuff was not functioning properly and it's because the crl url is being redirected to https (centos 6.7). $ curl http://kdc01.unix.domain.tld/ipa/crl/ 301 Moved Permanently Moved Permanently The document has moved here: https://kdc01.unix.domain.tld/ipa/crl/

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
hi, On Tue, Nov 10, 2015 at 5:02 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote:> Any ideas on how to fix this? > > You should have a sections like these in /etc/httpd/conf.d/ipa.conf: > > > SetHandler None > > ... > # For CRL publi

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Natxo Asenjo
but going back to ipa-rewrite.conf, these 2 seem contradictory: # Redirect to the fully-qualified hostname. Not redirecting to secure # port so configuration files can be retrieved without requiring SSL. RewriteCond %{HTTP_HOST}!^kdc01.unix.iriszorg.nl$ [NC] RewriteRule ^/ipa/(.*)

[Freeipa-users] mastercrl files

2015-11-10 Thread Natxo Asenjo
hi, do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we purge them on a regular basis (say, keep 60 days dump the rest)? $ ls -l | wc -l 3621 this is in a server installed 3 years ago. -- Groeten, natxo

Re: [Freeipa-users] First tests against the REST/JSON API

2015-11-09 Thread Natxo Asenjo
hi, On Mon, Nov 9, 2015 at 6:58 PM, Oliver Dörr wrote: > Hi, > > I'm completly new to this list and the product behind it. I'm trying to > use perl to get a list from my IPA installation of all users that are on > the server. > unfortunately I cannot help you right now,

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
On Thu, Nov 5, 2015 at 10:03 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > since yesterday I have a strange situation in one of our joined hosts. > > i can login using a kerberos ticket, but not using name/password. > > In /var/log/secure I see thi

[Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, since yesterday I have a strange situation in one of our joined hosts. I can log in using a kerberos ticket, but not using name/password. In /var/log/secure I see this: sshd[29607]: pam_sss(sshd:auth): received for user username: 4 (System error) -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, this is in a centos host running 6.7, by the way. -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi, Fixed, /tmp had the wrong permissions, was not owned by root:root. Thanks for the debugging tips! -- Groeten, natxo

Re: [Freeipa-users] gssapi ssh works, pam user/password does not work

2015-11-05 Thread Natxo Asenjo
hi Sumit, On Thu, Nov 5, 2015 at 10:14 AM, Sumit Bose wrote: > > how can I troubleshoot this issue? > > You should check the SSSD debug logs, see > https://fedorahosted.org/sssd/wiki/Troubleshooting for details about how > to enable debug logging and where to find the logs. >

Re: [Freeipa-users] substitute local system groups by ipa groups

2015-10-14 Thread Natxo Asenjo
hi, On Wed, Oct 14, 2015 at 8:35 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > > hi, > > > > can you do something like this? > > > > ipa group-add wheel --gid=10 > > > > to substitute the local group wheel? Of course

[Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-10 Thread Natxo Asenjo
hi, earlier today I was reading a post about the new freeipa version on my mobile device and got plenty of warnings about an invalid certificate. On a fedora laptop no warnings, but this is the problem: $ curl -LIv https://www.freeipa.org * Rebuilt URL to: https://www.freeipa.org/ * Hostname

Re: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > In a test network I followed the procedure especified in > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_G

[Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-12 Thread Natxo Asenjo
hi, In a test network I followed the procedure specified in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html to migrate from a centos 6.7 ipa server to a new centos 7 ipa server.

[Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
hi, on a centos 7.1 host, when enrolling it with (among others) the switch --request-cert, it does not create a host certificate for it. The host is properly joined but no certificate is present. In the ipaclient-install.log file I see this: 2015-09-12T09:34:02Z ERROR certmonger request for

Re: [Freeipa-users] ipa-client-install --request-cert fails

2015-09-12 Thread Natxo Asenjo
On Sat, Sep 12, 2015 at 12:18 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > on a a centos 7.1 host when enrolling it with (among other) the switch > --request-cert it does not create a host certificate for it. The host is > properly joined but not c

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-11 Thread Natxo Asenjo
hi Ranbir, On Fri, Dec 11, 2015 at 9:29 PM, Ranbir wrote: > Hi All, > > I want to integrate my Postfix server with IPA. I've found a couple of > documents on how this can be done, but they don't accomplish the feat > the same way (they're also not discussing the

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Natxo Asenjo
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir <m3fr...@thesandhufamily.ca> wrote: > On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote: > > what exactly do you want to achieve? 'Integrate' could mean a couple > > of things, so please specify. > > I would like

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Natxo Asenjo
On Tue, Jan 5, 2016 at 7:31 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > includedir /var/lib/sss/pubconf/krb5.include.d/ > #File modified by ipa-client-install > > [libdefaults] > default_realm = IPA.DOMAIN.TLD > dns_lookup_realm = true > dns_lookup_

Re: [Freeipa-users] how to force switch to another kdc

2016-01-05 Thread Natxo Asenjo
On Tue, Jan 5, 2016 at 7:22 PM, Karl Forner wrote: > update: > > modifying the /etc/krb5.conf, and replacing the name of my freeipa master > by the replica fixes the problem. > So that proves that the kdc is not picked up by discovery. > > The problem is that my ubuntu box

Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2015-11-19 Thread Natxo Asenjo
On Thu, Nov 19, 2015 at 11:03 PM, Ash Alam wrote: > Hello All > > I am looking for some advice on upgrading. Currently our FreeIPA servers > are 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. This > upgrade path is not possible per IPA documentation. Minimum

Re: [Freeipa-users] Squid authentication in FreeIPA

2015-11-20 Thread Natxo Asenjo
hi holo, On Fri, Nov 20, 2015 at 11:21 PM, holo wrote: > Thank you for your reply. > > I think I wasn't clear enough. Clients of proxy server are not kerberized. > I want to just authenticate them for proxy use in kerberos DB when they are > trying to use it (just by popup

Re: [Freeipa-users] LDAP credentials for Squid

2015-11-20 Thread Natxo Asenjo
hi, On Fri, Nov 20, 2015 at 10:47 PM, holo wrote: > Hello > > How can I find FreeIPA ldap credentials? I want to try to configure > Squid in similar way like it is described here for ejabberd: > > >

Re: [Freeipa-users] Install best practice -

2016-05-30 Thread Natxo Asenjo
On Mon, May 30, 2016 at 7:14 AM, Ben .T.George wrote: > Hi > > thanks for the reply. > > "the easiest would be to create a zone and delegating that to the ipa > hosts. No other change necessary." > > can you explain little more. You mean need to create separate DNS zone ?

Re: [Freeipa-users] Install best practice -

2016-05-29 Thread Natxo Asenjo
On Sun, May 29, 2016 at 7:11 PM, Ben .T.George wrote: > Hi > > I would like to know how can i proceed with best practices > > My AD domain is : corp.examle.com.kw > My DNS (appliances ) : kw.test.com > > All my clients are pointed to kw.test.com including AD. > > How can i

[Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi, according to the RHDS documentation ( https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html-single/Using_the_Admin_Server/index.html) one can have multiple directory server instances on the same hosts. Would it be interesting to offer this functionality in

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
On Tue, Jun 28, 2016 at 9:07 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Tue, 28 Jun 2016, Natxo Asenjo wrote: > >> hi, >> >> according to the RHDS documentation ( >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Ser

Re: [Freeipa-users] multiple ds instances (maybe off-topic)

2016-06-28 Thread Natxo Asenjo
hi Ludwig, On Tue, Jun 28, 2016 at 10:03 AM, Ludwig Krispenz <lkris...@redhat.com> wrote: > > On 06/28/2016 09:50 AM, Natxo Asenjo wrote: > > > I'd like to have internally all sort of ldap access, but externally only > certificate based, for example. > > If there i

Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-22 Thread Natxo Asenjo
On Sat, Feb 20, 2016 at 5:58 PM, Ian Pilcher wrote: > I am running IPA 3.0.0 on CentOS 6 (32-bit x86), and I am getting a > traceback every time pki-cad starts: > > Traceback (most recent call last): > File "/usr/sbin/pki-server", line 89, in > cli.execute(sys.argv)

Re: [Freeipa-users] is it possible to add a value to the group 'mail' attribute?

2016-03-20 Thread Natxo Asenjo
hi, On Fri, Mar 18, 2016 at 6:14 AM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Thu, 17 Mar 2016, Natxo Asenjo wrote: > >> hi, >> >> see subject. For user accounts it's possible (even multivalued), >> >> Adding it using an ldap client give

Re: [Freeipa-users] IPA command to batch create users.

2016-03-24 Thread Natxo Asenjo
hi, On Thu, Mar 24, 2016 at 8:14 PM, Armstrong, Jeffrey < jeffrey.armstr...@gasoc.com> wrote: > Hello, > > > > I would like to find out if I can create a large number of users in IPA at > one time. If so, what is the command to do that. > > > you can use ipa user-add command in a bash loop, or

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
hi, On Thu, Mar 3, 2016 at 10:57 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > > > Using EXTERNAL, no cookie: > > $ ldapsearch -h kdc.sub.domain.tld -ZZ -Y EXTERNAL -LLL > > objectclass=person -s sub -b dc=sub,dc=domain,dc=tld cn &g

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden wrote: > Ah right. Because all the subjects are the same base the same map will > be used for both DS and the CA. > > Any chance you could write up a HOWTO on this? Gladly, but I seem unable to login using my recently created

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 4:58 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > > On Fri, Mar 4, 2016 at 3:43 PM, Rob Crittenden <rcrit...@redhat.com> > wrote: > >> Ah right. Because all the subjects are the same base the same map will >> be used for b

[Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-03 Thread Natxo Asenjo
hi, I am testing certificate authentication to ipa ldap ( centos 7.2 ). I have generated a user certificate following the instructions on https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/ After that I modified my $HOME/.ldaprc with these settings:

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-07 Thread Natxo Asenjo
On Mon, Mar 7, 2016 at 9:14 AM, Martin Kosek <mko...@redhat.com> wrote: > On 03/05/2016 06:00 AM, Rob Crittenden wrote: > > Natxo Asenjo wrote: > >> > >> By the way, revoking the certificate does not block applications using > >> it from ldap. > >

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
On Fri, Mar 4, 2016 at 11:00 PM, Simo Sorce <s...@redhat.com> wrote: > On Fri, 2016-03-04 at 14:34 -0500, Rob Crittenden wrote: > > Natxo Asenjo wrote: > > > > when I go to http://www.freeipa.org/page/Special:OpenIDLogin to login > > > with the fedora acco

Re: [Freeipa-users] user certificate ldap EXTERNAL authentication

2016-03-04 Thread Natxo Asenjo
By the way, revoking the certificate does not block applications using it from ldap. I can still access the ldap server using this cert/key pair *after* revoking the certificate using ipa cert-revoke . In order to block it I need to remove the seeAlso value of the user account, or the certificate

Re: [Freeipa-users] Unexpiring user passwords

2016-05-01 Thread Natxo Asenjo
On Sun, May 1, 2016 at 4:53 AM, Joshua J. Kugler wrote: > We have a situation where the passwords in FreeIPA need to be synchronized > with another system in the company (a database of users, which is the > authoritative source for users and passwords). But, from what I

Re: [Freeipa-users] ipa-client-install errors

2016-04-20 Thread Natxo Asenjo
hi Gady, On Wed, Apr 20, 2016 at 8:11 PM, Gady Notrica wrote: > Any specific command in particular to remove that keytab? > > Since these don't work > > [root@cprddb1 /]# ipa-rmkeytab -r DOMAIN.COM -k /etc/krb5.keytab > Kerberos context initialization failed > [root@prddb1

Re: [Freeipa-users] howto ldapsearch for disabled/enabled users?

2016-04-15 Thread Natxo Asenjo
hi Harald, On Fri, Apr 15, 2016 at 1:31 PM, Harald Dunkel wrote: > Hi folks, > > I have no luck with the ipa cli, so I wonder if it is > possible to ldapsearch for disabled or enabled users? > A command line like > > ldapsearch -LLL -Y GSSAPI -b

Re: [Freeipa-users] what is the best way to create a search account

2016-06-30 Thread Natxo Asenjo
hi Rob, On Thu, Jun 30, 2016 at 1:22 PM, Rob Verduijn wrote: > Hello, > > > What would be the most appropriate way to create a search account so that > a third party tool (wildfly) can use it to search the ipa domain for > credentials ? > I just create a normal account.

[Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
hi, using centos 6.8 (server and client), when trying to view some hosts we get this error: $ ipa host-find host-1920.sub.domain.tld ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. I saw a thread last year about

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 2:10 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > hi, > > using centos 6.8 (server and client), when trying to view some hosts we > get this error: > > > $ ipa host-find host-1920.sub.domain.tld > ipa: ERROR: Certificate format err

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
On Wed, Sep 7, 2016 at 3:27 PM, Rob Crittenden <rcrit...@redhat.com> wrote: > Natxo Asenjo wrote: > >> hi, >> >> using centos 6.8 (server and client), when trying to view some hosts we >> get this error: >> >> >> $ ipa host-find host-1920.

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
: : host_find(u'tftp-1801', all=False, raw=False, version=u'2.49', no_members=False, pkey_only=False): CertificateFormatErro On Wed, Sep 7, 2016 at 4:01 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: > > alas, not working again. > > On the one kdc > > $ ipa host-fin

Re: [Freeipa-users] ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

2016-09-07 Thread Natxo Asenjo
alas, not working again. On the one kdc $ ipa host-find tftp-1801 ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. On the other: $ ipa host-find tftp-1801 -- 1 host matched -- Host name: