Re: [Freeipa-users] Freeipa Server down !!

2015-03-28 Thread Rob Crittenden
Günther J. Niederwimmer wrote: > Hello, > > is the freeipa.org Server down? I have only a Proxy Error > > Reason: Error reading from remote server > Should be back up now. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa Server down !!

2015-03-29 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/29/2015 06:35 AM, Peter Fern wrote: >> On 29/03/15 05:46, Rob Crittenden wrote: >>> Should be back up now. >>> >>> rob >> >> Appears to be dead again. >> > It is in fact down again. > The quote is exceeded in

Re: [Freeipa-users] ipa-client-automount problem

2015-03-29 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/29/2015 06:00 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> My automount is not working correctly? >> >> I have a centos 7 with "cr" Update, this is IPA 4.1 and sssd 1.12 >> >> I have this Error in the logs >> >> automount[1899]: lookup_read_map: lookup(sss): getautomnt

Re: [Freeipa-users] anonymous binds limits?

2015-03-30 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/30/2015 10:15 AM, Janelle wrote: >> For LDAP-only clients, I see an issue with performance on the dirsrv >> backends, and much of it has to do with 2 things: >> >> 1. Anonymous binds (1000's because of 7000+ hosts) >> 2. unindexed searches <-- perhaps the biggest problem a

Re: [Freeipa-users] Migration mode fun and confusion

2015-03-31 Thread Rob Crittenden
Dmitri Pal wrote: > On 03/31/2015 09:38 AM, Janelle wrote: >> Hello again, >> >> Is this a feature or a bug? >> >> Migration mode - works fine the first time. However, if you need to >> run it a second time because someone added either new users or groups >> to your LDAP config and you want to brin

Re: [Freeipa-users] freeipa behind a load balancer

2015-03-31 Thread Rob Crittenden
Brendan Kearney wrote: > On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote: >> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote: >>> But IPA is more complex and some operations will be performed directly >>> against the specific server name, so you need to keep 2 sets of keys >>> (one for the

Re: [Freeipa-users] where to disable components?

2015-03-31 Thread Rob Crittenden
Janelle wrote: > Hello again... > > Looking around, but probably just not in the right place. I would like > to be able to disable httpd on all but a pair of servers, so we kind of > force all updates to come from a "master" and "slave" pair. Just trying > to keep updates defined to 2 servers rath

Re: [Freeipa-users] ipactl start fails for no apparent reason

2015-04-01 Thread Rob Crittenden
Traiano Welcome wrote: > Hi Dmitri > > This is a freshly generated DS log (sanitized: XYZ = realm): > > > 389-Directory/1.3.1.6 B2014.160.2139 > lolpr-xyz-mstr.xyz.local:636 (/etc/dirsrv/slapd-XYZ-LOCAL) > > [01/Apr/2015:15:19:01 +0300] - 389-Directory/1.3.1.6 B2014.160.2139 sta

Re: [Freeipa-users] RUVs

2015-04-01 Thread Rob Crittenden
Ludwig Krispenz wrote: > Hi, > > a RUV (replica update vector) is a structure which on each server > maintains a state of updates it has seen from any other server, it is > used in a replication session to determine which updates have to be sent. > Normally you don't need to deal with it, only if y

Re: [Freeipa-users] RHEL 5 client?

2015-04-01 Thread Rob Crittenden
Guertin, David S. wrote: > I’ve just set up an IPA domain that is working with our RHEL 6 clients. > (The servers are running RHEL 7.) But about half of our Linux servers > are running RHEL 5, and I’d like to be able to add these as clients as > well. Unfortunately I haven’t been able to get it wor

Re: [Freeipa-users] Slave DNS on FreeIPA replica

2015-04-06 Thread Rob Crittenden
Christopher Young wrote: > I have - what I believe to be - a couple of basic questions (I apologize > in advance if these are answered elsewhere, though I've tried to do some > searching ahead of time.): > > I recently added an IPA replica to an existing IPA server and noticed > that everything ap

Re: [Freeipa-users] ID Ranges in FreeIPA

2015-04-08 Thread Rob Crittenden
Coy Hile wrote: > Hi all, > > When I installed FreeIPA, it created a default ID range (of which user > admin > is currently the only user existing). Through the UI, I've found that > one can > create additional ranges (and that the ipa tools will complain if a user > has a > uid assigned manually

Re: [Freeipa-users] Private key management

2015-04-08 Thread Rob Crittenden
Andrey Ptashnik wrote: > Hello Team, > > I know that FreeIPA server supports management of public keys for each > user and it is a very convenient feature. > Is there any possible way to manage private keys as well including > features like re-issuing the key pair if it gets compromised? I assum

Re: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-08 Thread Rob Crittenden
Прохоров Сергей wrote: > Hello, I have a self-signed freeipa replica. The problem is that I lost my > freeipa primary server after an hdd error. > Now I need to create a new replication server but I can't without the primary > server. I read this documentation and a lot of community correspondence > but don't

Re: [Freeipa-users] Expired Certs on 3.0.0 IPA host

2015-04-08 Thread Rob Crittenden
John Williams wrote: > I'm looking at the following link for recovering expired certificates on > FreeIPA 3.0.0: > > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal > > > Problem is when I look inside my /etc/pki-ca/CS.cfg file for a > subsystemCert I do not find one. I see the other

Re: [Freeipa-users] Configuring RHEL 5 clients for automatic failover of servers

2015-04-08 Thread Rob Crittenden
Guertin, David S. wrote: > I have a mixed environment of RHEL 5 and RHEL 6 clients, and three RHEL > 7 IPA servers (one master and two duplicates). I'm trying to ensure that > if one server goes down, the remaining server(s) will still allow logins. > With the RHEL 6 clients this is easy -- the line >

Re: [Freeipa-users] Expired Certs

2015-04-10 Thread Rob Crittenden
John Williams wrote: > I've inherited an IPA infrastructure for a group in my organization. So > I've got a RHEL instance with an IPA 3.0.0 server with expired certs. > > [root@ipa ~]# rpm -qa | grep ipa-server > ipa-server-selinux-3.0.0-26.el6_4.2.x86_64 > ipa-server-3.0.0-26.el6_4.2.x86_64 > [ro

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-10 Thread Rob Crittenden
l #0 and #1828629 AFAICT). I don't know which one is the "right" one, or if there even is one. rob > > Regards, > > D > > 2015-04-10 17:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: > > David Dejaeghere wrote: > > Hi

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
David Dejaeghere wrote: > Hi, > > Does somebody have any pointers for me regarding this issue? It would help very much if you'd include the version you're working with. Based on line numbers I'll assume IPA 4.1. It's hard to say since you don't include the command-line you're using, or what thos

Re: [Freeipa-users] Promoting a replica to a FreeIPA server without primary server

2015-04-09 Thread Rob Crittenden
Прохоров Сергей wrote: > Thank you, Rob, for your response > > On 08.04.2015 21:07, Rob Crittenden wrote: >> I assume you can't do this because the original host is lost, right? > Yeah, you're right. > >> Every IPA master is an equal, some are just more equal

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-09 Thread Rob Crittenden
e/fedora/newcert.pk12 --dirsrv-cert-file /home/fedora/newcert.pk12 > --ip-address 172.31.16.31 -v I was pretty sure a pin was required with those options as well. What do the PKCS#12 files look like: pk12util -l /home/fedora/newcert.pk12 rob > > Regards, > > D > > 2015-

Re: [Freeipa-users] FREEIPA REPLICA - ITS USE AND HOW IT SHOULD OPERATE WHEN PRIMARY FAILS

2015-04-10 Thread Rob Crittenden
Martin Chamambo wrote: > Thanks for the feedback > > So if the replica is similar to the primary, if the primary gets completely > fried, without automatic failover, I can reconfigure my clients to point to > the new replica server without issues? If you use DNS SRV records then in the sho

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-13 Thread Rob Crittenden
David Dejaeghere wrote: > Hi, > > I get the same error when I use a pk12 with only the server certificate > (and key) in it. > Not sure what else I can try. I'd need to see the full output again. rob > > Regards, > > D > > 2015-04-11 0:23 G

Re: [Freeipa-users] Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote: > Hello, > > > > I’m trying to delete a group in IdM but when I do an ipa group-del > “group” it states the following; > > Ipa: ERROR: “group”: group not found > > > > I do an ipa group-find and it displays the group with the current members. > > > > I look

Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
se the --all --raw flags to get the actual DN of the group entry and delete that. rob > > Matt > > -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Tuesday, April 14, 2015 12:01 PM > To: Joseph, Matthew (EXP); freeipa-users@redhat.com > S

Re: [Freeipa-users] ipa-replica-prepare failing

2015-04-14 Thread Rob Crittenden
David Dejaeghere wrote: > Hi Rob, > > So you want the output of the command using pk12 with server cert and > key? or with the ca chain in there too? > Oddly enough it is failing in exactly the same place. Those GoDaddy CA certs are still being loaded from somewhere, I'm not sure where, and I sus

Re: [Freeipa-users] EXTERNAL: Re: Can't delete group because it states it's not found

2015-04-14 Thread Rob Crittenden
ect Maybe this will help: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html I can't see what you're seeing so it's hard to get more precise. rob > > Matt > >

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread Rob Crittenden
Rich Megginson wrote: > On 04/15/2015 02:58 PM, James James wrote: >> Nothing on the replica .. maybe a process on the master. How can I >> check that ? > > I have no idea. But it seems highly unlikely that a process on the > master is able to shutdown a process on the replica . . . > > I would

Re: [Freeipa-users] indirect automount offsets

2015-04-15 Thread Rob Crittenden
Rob Verduijn wrote: > Hello, > > I'm trying to figure out how to use automounts in freeipa with offsets. > > currently I have this: > the default location containing 3 maps > auto.direct > auto.home > auto.master > > auto.direct is empty > auto.home contains: > key : * mount information : -rw nf

Re: [Freeipa-users] posix ids not propagating

2015-04-17 Thread Rob Crittenden
Bryan Pearson wrote: > I believe that my master dna server isn't currently being used, so I did this. > > ldapsearch -x -D 'cn=Directory Manager' -W -b > cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan > Enter LDAP Password: That's not the right location to search for the DNA configuration. Se

Re: [Freeipa-users] posix ids not propagating

2015-04-17 Thread Rob Crittenden
ca-manage has some DNA commands which makes this easier to figure out and fix. You don't want to set overlapping ranges. rob > Bryan > > > On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden wrote: >> Bryan Pearson wrote: >>> I believe that my master dna server isnt cur

Re: [Freeipa-users] Expired Certs

2015-04-17 Thread Rob Crittenden
John Williams wrote: > >> You are going way too far back in time AFAICT. The certs expired on April >> 5 of this year so you don't need to go back to 2014. Just go back to >> April 3 or 4. > >> You'll also need to restart IPA before kicking certmonger: ipactl restart > >> rob > > > > > ***

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

2015-04-20 Thread Rob Crittenden
Alexander Frolushkin wrote: > Very strange. If this user acts as a member of admins group - it can enroll > host. If not - it can't. > Only difference this group brings in permissions - a number of replication > agreement permissions... admins can do nearly anything so that's not surprising. Fo

Re: [Freeipa-users] Found new problem after 3.3 - 4.1 update

2015-04-20 Thread Rob Crittenden
only the enrollment bit. Add creating hosts and others as needed. rob > > WBR, > Alexander Frolushkin > > -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Monday, April 20, 2015 8:41 PM > To: Alexander Frolushkin (SIB); freeip

Re: [Freeipa-users] web interface for FREEIPA runtime error

2015-04-20 Thread Rob Crittenden
Chamambo Martin wrote: > Sometimes when I access the web URL where FreeIPA is installed for > general administration, I encounter this error below. > > > > Runtime error > > Web UI got in unrecoverable state during "metadata" phase > > > > I can only restore access after I have restarted t

Re: [Freeipa-users] Common Name for the ipa-cacert-manage command

2015-04-21 Thread Rob Crittenden
William Graboyes wrote: > Hi List, > > I am having yet another issue, when I run the following command: > ipa-cacert-manage renew --external-ca > > It does output the CSR, however the CN is not a valid name > (Certificate Authority). Is it possible to change the output of this > command to use a

Re: [Freeipa-users] group membership listing?

2015-04-21 Thread Rob Crittenden
Janelle wrote: > Hello - and happy day before Earth Day, > > Perhaps this is an easy one and related to replication, BUT: > > $ id some-user-name > > If I run that on every IPA master, should the listing not be identical? > In other words, the listing of the uid, gid and groups, should show up >

Re: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa

2015-04-22 Thread Rob Crittenden
Roderick Johnstone wrote: > On 22/04/15 14:30, Dmitri Pal wrote: >> On 04/21/2015 01:13 PM, Roderick Johnstone wrote: >>> Hi >>> >>> I also need to integrate Solaris 10 clients with freeipa servers. >>> >>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat >>> manuals, various bug

Re: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa

2015-04-23 Thread Rob Crittenden
Roderick Johnstone wrote: > On 23/04/15 04:25, Rob Crittenden wrote: >> Roderick Johnstone wrote: >>> On 22/04/15 14:30, Dmitri Pal wrote: >>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote: >>>>> Hi >>>>> >>>>> I also

Re: [Freeipa-users] Unable to Rebuild Replica

2015-04-24 Thread Rob Crittenden
dbisc...@hrz.uni-kassel.de wrote: > Sina, > > On Fri, 24 Apr 2015, Sina Owolabi wrote: > >> I noticed that my IPA domain masters were out of sync, with users >> having to login with different passwords depending on the IPA client >> they were connected to. I noticed it was the replica that was th

Re: [Freeipa-users] Ticket delegation

2015-04-24 Thread Rob Crittenden
John Obaterspok wrote: > Hello, > > I'm on F21 and if I login to my workstation I can then sso using ssh to > host X. But then I'm also able to sso from x -> y. > > If I'm on x and issue klist I see this: > klist: No credentials cache found (ticket cache FILE:/tmp/krb5 > > Should I really be abl

Re: [Freeipa-users] FreeIPA 4 JSON API documentation

2015-04-24 Thread Rob Crittenden
Wanderley Mayhé wrote: > Where can I find a clear documentation on JSON RPC API to Free IPA > latest version (4.x.x)? > > > > http://www.freeipa.org/page/Documentation has nothing such as code > samples for authenticating, adding or updating users in Linux. > > > > I think this cannot be t

Re: [Freeipa-users] Web UI: Migrated Admins missing action buttons

2015-04-24 Thread Rob Crittenden
Dmitri Pal wrote: > On 04/24/2015 12:58 PM, Christopher Lamb wrote: >> Hi >> >> I am in the process of setting up and configuring a FreeIPA Server 4.1.0. >> >> I have successfully migrated all the users from an existing FreeIPA >> Server >> 3.0.0 with the following command: >> >> ipa migrate-ds --g

Re: [Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa

2015-04-28 Thread Rob Crittenden
Roderick Johnstone wrote: > On 28/04/2015 19:23, Dmitri Pal wrote: >> On 04/28/2015 02:12 PM, Roderick Johnstone wrote: >>> On 23/04/15 14:14, Rob Crittenden wrote: >>>> Roderick Johnstone wrote: >>>>> On 23/04/15 04:25, Rob Crittenden wrote:

Re: [Freeipa-users] FreeIPA WebUI Logout logs back in

2015-04-28 Thread Rob Crittenden
Dmitri Pal wrote: > On 04/28/2015 05:11 PM, Christopher Lamb wrote: >> Hi All >> >> I have just tested with the FreeIPA Web UI public demo >> https://ipa.demo1.freeipa.org/ipa/ui/ >> >> Using the public demo, when I log out, I get returned to the login >> screen, >> as expected. This allows me to l

Re: [Freeipa-users] ipa-replica-install fails at CA setup

2015-04-29 Thread Rob Crittenden
Qing Chang wrote: > mripa2.mr.ric is the server to be setup as replica. I wonder if the ldap > service was available at all at installation stage. I think we'd need to see the full ipareplica-install.log. You might also want to see if a ns-slapd process is running and check /var/log/dirsrv/slapd-

Re: [Freeipa-users] Common Name for the ipa-cacert-manage command

2015-04-30 Thread Rob Crittenden
cn=FQDN,. That doesn't really apply to a CA. So it's changeable if you hack some installer code, but there be dragons. rob > > Thanks, > Bill > > On 4/21/15 2:55 PM, Rob Crittenden wrote: >> William Graboyes wrote: >>> Hi List, >>> >>> I

Re: [Freeipa-users] CA replicas on all?

2015-05-04 Thread Rob Crittenden
Janelle wrote: > Hi all, > > Just wondering if there are issues with running CA replicas on all the > servers? Are there maybe performance issues or anything that I might not be > aware of? The only downside I can think of is resources used (RAM & disk) and slightly more administration regardin

Re: [Freeipa-users] Questions about nsslapd-sizelimit

2015-05-04 Thread Rob Crittenden
John Desantis wrote: > Hello all! > > I believe I may be falling victim to the nsslapd-sizelimit's default > setting of 2,000. > > I've been wondering why some JSON calls to IPA (3.0.37, user_find) > have been failing to show all user accounts in the results. Checking > the FreeIPA admin UI, I c

Re: [Freeipa-users] User creation with native ldap tools

2015-05-05 Thread Rob Crittenden
Alan Evans wrote: > Hello, I thought I saw something like this asked before but after > searching the archive it seems I can't find it. > > I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it possible using > native ldap tools, ldapadd and ldappasswd in particular, for user > creation and passwor

Re: [Freeipa-users] Revocation of Issuing CA certificates

2015-05-06 Thread Rob Crittenden
Kamal Perera wrote: > Dear All, > > > How is the revocation of issuing CA certificates handled? We are > using OCSP responders for revocation checking of certificates issued by > the Issuing CAs. So do we have to setup another OCSP or CRL distribution > point to let the applications query

Re: [Freeipa-users] user-mod --rename and password

2015-05-07 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Thu, 07 May 2015, Jan Pazdziora wrote: >> >> Hello, >> >> I try to test renaming of user objects. I start with user bob and I'm >> able to kinit just fine: >> >> # echo BobPassword123 | kinit bob >> Password for b...@example.test: >> # >> >> I then rename t

Re: [Freeipa-users] Host groups not working with SUDO Rules

2015-05-07 Thread Rob Crittenden
Dmitri Pal wrote: > On 05/07/2015 03:07 PM, Megan . wrote: >> I'm having an issue where users can't use sudo commands on ipa client >> hosts. I previously thought my issues with sudo were related to the >> type of commands, but I've narrowed it down to an issue with using >> host groups in the su

Re: [Freeipa-users] Host groups not working with SUDO Rules

2015-05-07 Thread Rob Crittenden
example). I doubt, but can't guarantee, that rc.local would be just as effective though. Given that there is already machinery to set it based on the config file though, I'd lean towards that myself. rob > > > > On Thu, May 7, 2015 at 3:43 PM, Rob Crittenden wrote:

Re: [Freeipa-users] more replication fun

2015-05-08 Thread Rob Crittenden
Janelle wrote: On 5/7/15 12:59 AM, thierry bordaz wrote: On 05/07/2015 05:39 AM, Janelle wrote: On 5/6/15 8:12 PM, Vaclav Adamec wrote: Hi, Mike Reynolds recommended the cleanallruv script (IPA RUV unable to decode thread), if you are sure that's not any live replica server behind this id then jus

Re: [Freeipa-users] more replication fun

2015-05-08 Thread Rob Crittenden
Janelle wrote: > On 5/8/15 8:43 AM, Ludwig Krispenz wrote: >> >> On 05/08/2015 05:30 PM, Rob Crittenden wrote: >>> Janelle wrote: >>>> On 5/7/15 12:59 AM, thierry bordaz wrote: >>>>> On 05/07/2015 05:39 AM, Janelle wrote:

Re: [Freeipa-users] host usercertificate attribute

2015-05-18 Thread Rob Crittenden
Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote: hi, If I retrieve the usercertificate attribute for host objects I get some gibberish. How can I decode the info I get from ldapsearch? maybe there is a way to feed that

Re: [Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Rob Crittenden
Vangass wrote: Hi, I try to set FreeIPA as a LDAP server for HP iLO authentication. iLO client sends dn as "cn=bartosz,cn=users,cn=accounts,dc=example,dc=com" but in FreeIPA there is no cn=bartosz just uid=bartosz (as for any other user I create is uid). Is it possible to modify uid to cn or is

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden
Sina Owolabi wrote: Yes CA is running, and it's on the same machine. [root@dc ~]# ipa-replica-prepare dc01.ourdom.com --ip-address 192.168.2.40 Directory Manager (existing master) password: Preparing replica for dc01.ourdom.com from dc.ourdom

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Rob Crittenden
Rich Megginson wrote: On 05/18/2015 08:26 AM, Martin Kosek wrote: Adding freeipa-users list back, to keep others in the loop. On 05/18/2015 12:32 PM, Brian Topping wrote: Thanks for taking the time to write that, Martin. It's good to have a reference to build from. Result of "ida-client-insta

Re: [Freeipa-users] LDAP uid to cn modify

2015-05-18 Thread Rob Crittenden
/share/doc/slapi-nis/sch-getting-started.txt You'll need to write your own set of rules to create new compat tree entries. rob 2015-05-18 16:03 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: Vangass wrote: Hi, I try to set FreeIPA as a L

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-18 Thread Rob Crittenden
Sina Owolabi wrote: Hi Rob There are some logs in /var/log/pki-ca/catalina.out that appear to indicate a problem: [SNIP] These are mostly white noise from tomcat and can be ignored. Also running "getcert list" tells me there are two expired certs: Request ID '20130524104636':

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-19 Thread Rob Crittenden
Sina Owolabi wrote: Hi Rob I've been to the URL but it's a little difficult applying these commands to RHEL6 systems. For instance there is no /etc/pki-tomcat directory in RHEL6, and I cannot find the ipa.crt I'm sure as a noob I am overlooking some very obvious stuff, but could you please guide m

Re: [Freeipa-users] confused by ldapsearch results

2015-05-19 Thread Rob Crittenden
Boyce, George Robert. (GSFC-762.0)[NICS] wrote: I don’t understand what is happening… If I use a compound OR filter to search for “cn” or “uid”, I only get back the match for uid. I expect to get both. If I add a search for a nonexistent attribute like “name”, I get nothing back. I expect to get

Re: [Freeipa-users] getting rid of nsds5ReplConflict

2015-05-19 Thread Rob Crittenden
Megan . wrote: Thank you for the reply. I think I just got frustrated. I uninstalled ipa on the dir2 replica then set it back up again as a replica. Everything seems to be replicating just fine without errors now. I know that this isn't the preferred or documented solution but I needed the se

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Rob Crittenden
Natxo Asenjo wrote: hi rob, On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden <rcrit...@redhat.com> wrote: Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo <natxo.ase...@gmail.com>

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Sina Owolabi wrote: Another key difference I noticed is that the problematic certs have CA:IPA in them, while the working certs have CA: dogtag-ipa-retrieve-agent-submit. Ok, the full output is really helpful. First an explanation of CA subsystem renewal. CA clones are just that, exact clones

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Sanju A wrote: Hi, I am getting the following error while removing a host. --- Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) --- This usually means that the CA is not serving reques

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Rob Crittenden
Boyce, George Robert. (GSFC-762.0)[NICS] wrote: << If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest following procedure: 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71 2) Add the new permissions you want to add, make

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Since at least one certificate has expired you'll need to go back in time to get this working. Be sure to restart IPA after going back to ensure that the CA is up. You'll eventually want to do the CRL changes as well. rob On Wed, May 20, 2015, 2:32 PM Rob Crittenden mail

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-21 Thread Rob Crittenden
s You need to run getcert list on the IPA master running the CA that can't be contacted, not the host you're trying to delete. rob Regards Sanju Abraham From: Rob Crittenden To: Sanju A , freeipa-users@redhat.com Date: 20-05-2015 19:04 Subject: Re: [Freeipa-u

Re: [Freeipa-users] replication again :-(

2015-05-21 Thread Rob Crittenden
Janelle wrote: On 5/21/15 6:46 AM, Ludwig Krispenz wrote: On 05/21/2015 03:28 PM, Janelle wrote: I think I found the problem. There was a lone replica running in another DC. It was installed as a replica some time ago with all the others. Think of this -- the original config had 5 servers, o

Re: [Freeipa-users] Count of IPA Servers for SSSD

2015-05-21 Thread Rob Crittenden
Christoph Kaminski wrote: Hi All what count of IPA servers makes sense for the sssd configuration? We have 5 IPA servers and each host can reach them. Can I put them all into the sssd configuration (redundancy) or does it not make sense (timeouts too big etc.)? The recommended procedure is to use D

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Rob Crittenden
Sanju A wrote: Dear Rob, The result is from ipa master server. Ok, then this can't be the entire output. For a master with a CA there should be about 8 certs tracked rob Regards Sanju Abraham From: Rob Crittenden To: Sanju A Cc: freeipa-users@redhat.com Date: 21-05-2015

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-22 Thread Rob Crittenden
Sanju A wrote: Dear Rob, Please find the entire result. Ok, the good news is that renewal already took place and it looks like everything is a-ok certificate-wise. First, make sure the CA is up: # ipactl status If the CA is down, start it with service pki-cad start. If the CA is up, the

Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]

2015-05-22 Thread Rob Crittenden
Carlos Raúl Laguna wrote: Just for clarification, If I create a user in Windows 2008R2 it propagates to Freeipa 4.1 because freeIPA trusts the AD domain, in this scenario where AD equally trusts the freeIPA domain (Fedora 22), a user created in freeIPA should not propagate as well to AD ? Regards

Re: [Freeipa-users] Restore deleted RBAC Rules?

2015-05-26 Thread Rob Crittenden
Martin Kosek wrote: On 05/25/2015 04:27 PM, Striker Leggette wrote: Is it possible to restore deleted RBAC rules that were deleted from "Permissions and Privileges"? Hello Striker, Only if you did a data backup. I do not know about another way... More information and ideas about Backup and Res

Re: [Freeipa-users] OSX login very slow

2015-05-26 Thread Rob Crittenden
John Obaterspok wrote: Hello, I'm using OSX 10.10.3 (Yosemite) and I've followed the Freeipa/OSX guide at linsec.ca . I can do the following with very fast response time: - id on osx host - klist/kdestroy/kinit a ticket - ssh via SSO to ipaserver with this ticket - ping osxhos

Re: [Freeipa-users] FreeIPA On SuSE (SLES 11, 12, and up)

2015-05-26 Thread Rob Crittenden
Traiano Welcome wrote: Hi All Has anyone successfully configured IPA v4.xx on SLES (specifically 11.x)? As a client or a server? I'm pretty sure that sssd is built for SLES 12, I don't see it on 11 and that would be the major hurdle for a client. You can probably connect it using nss_lda

Re: [Freeipa-users] replication on Debian and Ubuntu

2015-05-27 Thread Rob Crittenden
Holger Levsen wrote: Hi, first of all: thanks for FreeIPA, I think it's pretty useful, well done and was missing for a long time. IOW: I really like it, thank you for your work! That, I'm having a serious problem with it: replication on Debian doesn't work at all. Which is partly expected (as D

Re: [Freeipa-users] client fails to install from ipa-server-install or ipa-replica-install

2015-05-28 Thread Rob Crittenden
Bob Hinton wrote: Hello, I'm using Puppet to try to install ipa masters and replicas. I can generally get this to work on Vagrant VMs, but on the target VMs the server part succeeds until it attempts to install the ipa client and then this fails (please see extracts of logs below). The /etc/ipa

Re: [Freeipa-users] ipa-replica-prepare error

2015-05-28 Thread Rob Crittenden
Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin= --http_pkcs12=nwra.com.p12 --http_pin= --idstart=8000 But now when

Re: [Freeipa-users] ipa-replica-prepare error

2015-06-01 Thread Rob Crittenden
Orion Poplawski wrote: On 05/28/2015 03:09 PM, Rob Crittenden wrote: Orion Poplawski wrote: We did a CAless install: ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat /etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=

Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

2015-06-01 Thread Rob Crittenden
Thomas Sailer wrote: Hello everyone. I upgraded a freeipa server from fedora 20 to fedora 22. It mostly worked ok, but there are a few issues: - pki-tomcat didn't start after the upgrade, and that in turn made ipa-upgradeconfig fail, because /var/lib/pki/pki-tomcat/conf/ca/CS.cfg had the wrong

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-06-01 Thread Rob Crittenden
bahan w wrote: Hello everyone. I modified the /etc/selinux/config file: # # This file controls the state of SELinux on the system. # SELINUX=disabled # enforcing - SELinux security policy is enforced. # permissive - SELinux pri

Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-06-02 Thread Rob Crittenden
Martin Kosek wrote: On 06/01/2015 02:19 AM, Sina Owolabi wrote: Hi! I am still stumbling along with this, I have had my IPA domain destroyed and currently only a CA-less replica is left running the network. The existing CA-less replica is on RHEL6.6 with ipa-3.0.0. I am trying to setup a fresh

Re: [Freeipa-users] deny to change shell

2015-06-02 Thread Rob Crittenden
Ivars Strazdiņš wrote: Hi, just another basic question, I am sorry to spam the list. Noticed that regular users can change their login shell in account settings. Is it possible to lock login shell property for a regular user? For a unix system, using standard PAM authentication, use of chsh comma

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 -->Not Solved

2015-06-02 Thread Rob Crittenden
Christopher Lamb wrote: Hi To narrow down the cause even further, I reverted HOST10 via VM snapshot back to the state after installing linux and configuring ntpd. This time I installed ipa-client 4.1 directly (rather than as a dependent of our standard server packages). So this machine is a ba

Re: [Freeipa-users] Problem to install FreeIPA Server 3.0 on a RedHat 6.4

2015-06-02 Thread Rob Crittenden
k you everyone for your answers, it helped a lot. Can you be more specific on what script was being executed? It sounds a bit odd but it may be instance-specific scripts. rob f Best regards. Bahan On Mon, Jun 1, 2015 at 4:58 PM, Rob Crittenden <rcrit...@redhat.com> wrote: ba

Re: [Freeipa-users] Issues with SNI+Kerberos

2015-06-02 Thread Rob Crittenden
Brian Topping wrote: Hi all, I've been trying to work through the instructions at https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having much luck. I've followed the instructions there exactly, ending with the following command: ipa-getcert request -r -f /etc/httpd/c

Re: [Freeipa-users] freeipa server upgrade from fedora 20 to fedora 22 glitches

2015-06-04 Thread Rob Crittenden
Thomas Sailer wrote: I have now managed to upgrade the replica as well. I stumbled over a few additional problems: 1) whenever a user becomes member of a group with +nsuniqueid= in its name, the user can no longer login. The reason is that ldb_dn_validate doesn't like the + character, thus retu

Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-04 Thread Rob Crittenden
Chris Tobey wrote: Hi Martin, Thank you for the response. Here is what I can see on my FreeIPA server (I replaced my server name with server.com): [Wed Jun 03 10:05:36:..//var/lib/pki-ca]$ ipa cert-show 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not

Re: [Freeipa-users] vSphere and freeIPA

2015-06-04 Thread Rob Crittenden
Rees wrote: If I applied the original vsphere_groupmod.ldif (with the %regsub()) is there anything special I have to do to reapply the modification? When I attempt to apply this ldif i just get an error message telling me "type or value exists" and then when I run the steps you have, (creating u

Re: [Freeipa-users] IPA v3 Certificate not renewed

2015-06-04 Thread Rob Crittenden
Junhe Jian wrote: Hello everyone, I'm new here and have a problem with the IPA Server: on our single IPA Server all certificates have expired. Autorenewal did not work, so I read the docs at http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and did it manually. My server is CentOS 6.4. [root@be-ipasrv ~]# r

Re: [Freeipa-users] IPA v3 Certificate not renewed

2015-06-04 Thread Rob Crittenden
Junhe Jian wrote: Hi Rob, I set the date in the past ("26 MAY 2015"), added "NSSEnforceValidCerts off" to nss.conf and resubmitted the 3 IDs: [root@be-ipasrv httpd]# getcert resubmit -i 20130528090822 Resubmitting "20130528090822" to "IPA". [root@be-ipasrv httpd]# getcert resubmit -i 20130528090849 Resub

Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-04 Thread Rob Crittenden
ebooting the FreeIPA (chimera) and Puppet/Foreman (puppetmaster) servers yet. When I have some downtime I will try that and see what happens in regards to questions 2 and 3. Thanks, -Chris Tobey -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: June-04-15 10:35 AM To:

Re: [Freeipa-users] Certificate expired/renew problems

2015-06-08 Thread Rob Crittenden
John Desantis wrote: Marc, Unfortunately, I've never had to promote a replica to become the CA master in our environment. Is the host that's reporting the error the URL of the old master or the replica? Did you check the CS.cfg to see if the replica certificate is present vs. the old master?

Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

2015-06-09 Thread Rob Crittenden
Thibaut Pouzet wrote: On 05/06/2015 22:19, Endi Sukma Dewata wrote: Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself. I suppose you are following this instruction: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal Could you post the f

Re: [Freeipa-users] add suse 11 sp3 to ipa

2015-06-09 Thread Rob Crittenden
mohammad sereshki wrote: Hi, would you please let me know whether it is possible to add SUSE 11 SP3 to IPA, and how? Regards. I'm not sure if any version of SUSE has ipa-client or freeipa-client, but I know that 12+ has sssd. If 11 also has sssd then you can configure that pa
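For a distribution that ships sssd but no ipa-client, the pieces ipa-client-install would normally write have to be put in place by hand. The fragment below is an added example, not from this thread and not a FreeIPA project file: a minimal sssd.conf using the sssd ipa provider. The names example.test, EXAMPLE.TEST, ipa.example.test and suse.example.test are placeholders. It assumes the host entry was created on an IPA server and its keytab fetched there (ipa host-add, then ipa-getkeytab) and copied to /etc/krb5.keytab on the client, the IPA CA certificate copied to /etc/ipa/ca.crt, a matching /etc/krb5.conf, and that sssd.conf is owned by root with mode 0600, which sssd refuses to start without.

```ini
; Added example sssd.conf for an IPA client without ipa-client (assumed names)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
; keep the ipa access provider so IPA HBAC rules are enforced on this host;
; "permit" here would let every IPA user log in regardless of HBAC
access_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test
; must match the host principal in /etc/krb5.keytab (host/suse.example.test)
ipa_hostname = suse.example.test
krb5_realm = EXAMPLE.TEST
; assumed location of the copied IPA CA certificate; LDAP over TLS is verified against it
ldap_tls_cacert = /etc/ipa/ca.crt
cache_credentials = True
krb5_store_password_if_offline = True
```

After starting sssd, `id <ipa-user>` and `getent passwd <ipa-user>` confirm lookups; a user that resolves but cannot log in is normally an HBAC denial rather than a configuration error, which is the intended behaviour of access_provider = ipa.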

Re: [Freeipa-users] Installing a replica with alternate 'admin' username

2015-06-10 Thread Rob Crittenden
Brian Mathis wrote: I have renamed the default 'admin' account to something else to avoid possible conflicts with other application accounts. However, when I try to install a replica with ipa-replica-install, it uses 'admin' as the username and I don't see a way to supply an alternate account na
