Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

2015-06-11 Thread Rob Crittenden
Tamas Papp wrote: On 06/10/2015 03:35 PM, Martin Kosek wrote: On 06/10/2015 03:32 PM, Christopher Lamb wrote: Hi Tamas I think the general advice is to replicate rather than to migrate. I am sure Martin K will jump in on this. Yes :-) However some weeks ago, when doing a very similar move

Re: [Freeipa-users] Specific rights needed to enroll a new host

2015-06-12 Thread Rob Crittenden
Martin Kosek wrote: On 06/12/2015 01:30 AM, Christopher Young wrote: I'm trying to develop a process in Ansible to enroll new hosts (as well as check beforehand to see if the host is already enrolled). I was wondering a couple of things: #1. Has anyone else worked out a process for doing this

Re: [Freeipa-users] 4.x on CentOS 6?

2015-06-14 Thread Rob Crittenden
Janelle wrote: Hi everyone, Does anyone know if it is possible to install the 4.1 ipa-CLIENT (not the server - just the client) on a CentOS 6.6 system? My guess is this is really just based on sssd, or am I missing something? I would like to get OTP on 6.6 system, just not sure if that is possi

Re: [Freeipa-users] Migration error?

2015-06-15 Thread Rob Crittenden
Janelle wrote: Good morning and happy Monday, I have a strange problem. Wondering if anyone has seen this before in trying to run an ipa migrate-ds? ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. The migration worked previously, but now, in order to try and up

Re: [Freeipa-users] direct ldap connect from dovecot

2015-06-15 Thread Rob Crittenden
Günther J. Niederwimmer wrote: Hello, is it possible to connect direct to the ldap from a program like dovecot? I have big "auth" problems with my setup? with cn=admin,cn=users,cn=accounts,dc=,dc=x and password from admin this is not working I don't know the 386 server :-(, in the mom

Re: [Freeipa-users] Migration error?

2015-06-15 Thread Rob Crittenden
Janelle wrote: On 6/15/15 6:36 AM, Rob Crittenden wrote: Janelle wrote: Good morning and happy Monday, I have a strange problem. Wondering if anyone has seen this before in trying to run an ipa migrate-ds? ipa: ERROR: The search criteria was not specific enough. Expected 1 and found 2. The

Re: [Freeipa-users] Crazy Cert problem?

2015-06-17 Thread Rob Crittenden
Janelle wrote: Hi, Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However, prior to the re-install it was saying the wonderful: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. It was rebuilt - new OS and doing a

Re: [Freeipa-users] CentOS 6.6 Installation Issues

2015-06-17 Thread Rob Crittenden
Randall Harrison wrote: Hello freeipa! I am having difficulty installing freeipa on a freshly installed CentOS6.6 box. I have not had this problem on previous CentOS releases, and it installed with no problems on a CentOS7.1 box. Here is a list of steps I took to install: 1.) Disable SElinux

Re: [Freeipa-users] Crazy Cert problem?

2015-06-17 Thread Rob Crittenden
Janelle wrote: On 6/17/15 6:14 AM, Rob Crittenden wrote: Janelle wrote: Hi, Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However, prior to the re-install it was saying the wonderful: TLS error -8172:Peer's certificate issuer has been mark

Re: [Freeipa-users] Crazy Cert problem?

2015-06-17 Thread Rob Crittenden
Janelle wrote: On 6/17/15 6:21 AM, Rob Crittenden wrote: Janelle wrote: On 6/17/15 6:14 AM, Rob Crittenden wrote: Janelle wrote: Hi, Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However, prior to the re-install it was saying the wonderful: TLS

Re: [Freeipa-users] FreeIPA 4.1.0 server behind apache/mod_proxy

2015-06-17 Thread Rob Crittenden
Piotr Baranowski wrote: - On 17 Jun 2015 at 15:51, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 17 Jun 2015, Piotr Baranowski wrote: - Original message - From: "Alexander Bokovoy" So you have two different certificates in use here and your client doesn't know about the

Re: [Freeipa-users] CentOS 6.6 Installation Issues

2015-06-17 Thread Rob Crittenden
which causes subsequent installs to fail. Do this: # ipa-server-install --uninstall # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force Then try the install again. rob On Jun 17, 2015 6:15 AM, "Rob Crittenden" <rcrit...@redhat.com> wrote:

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-18 Thread Rob Crittenden
Prashant Bapat wrote: Hi All, There is a way to change the certificate for the web UI. I went with a standard install with a self signed CA etc. Now I want to install a cert from a commercial CA. I don't mind using the IPA CA certs for the 389 DS, just want to change the cert for the UI. Any p

Re: [Freeipa-users] ipa replica failure

2015-06-19 Thread Rob Crittenden
Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Hello, First time trouble shooting an ipa server failure and looking for some guidance on how best to proceed. First some background on our setup: Servers are running freeipa v4.1.0 on CentOS 7.1.1503: - ipa-server-4.1.0-18

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of view into FreeIPA that they have in

Re: [Freeipa-users] Installing replica w/o CA?

2015-06-19 Thread Rob Crittenden
Janelle wrote: Maybe this is an obvious question - but I am missing the simple answer. If you create a master and want to create 3 replicas -- creating the first replica works just fine, but I want the 2nd replica chained off the first, and NOT the master. But unless you install a CA on that firs

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-19 Thread Rob Crittenden
nat...@nathanpeters.com wrote: nat...@nathanpeters.com wrote: FreeIPA server 4.1.3 on CentOS 7 I am trying to create a set of privileges or roles that will allow me to create a user who has read-only access to as much of the FreeIPA web UI as possible. Basically my manager wants the type of vie

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-20 Thread Rob Crittenden
Nathan Peters wrote: -Original Message- From: Rob Crittenden Sent: Friday, June 19, 2015 3:38 PM To: nat...@nathanpeters.com Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-20 Thread Rob Crittenden
there are real replay issues possible. You should re-encrypt, so terminate SSL at the load balancer and then open a new SSL session to IPA. rob On 18 June 2015 at 19:03, Rob Crittenden <rcrit...@redhat.com> wrote: Prashant Bapat wrote: Hi All, There i

Re: [Freeipa-users] Changing the SSL certificate for the WebUI

2015-06-22 Thread Rob Crittenden
Prashant Bapat wrote: Hi Rob, Thanks for the reply. The ipa-server-certinstall did require that I have the cert and the CA cert in one PEM file and the key in another PEM file. And the command went through successfully. But afterwards the HTTP service stopped working. Only way I could get it to start

Re: [Freeipa-users] Migrate from 3.0 (CentOS 6.6) to 4.1 (CentOS 7.1)

2015-06-22 Thread Rob Crittenden
Matt . wrote: Hi Guys, I found some good information about migrating from 3.3 to 4.x using replicas. It's not 100% clear what I can do on a CentOS 6.6 install with 3.0 as CentOS doesn't provide 3.3. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Id

Re: [Freeipa-users] ipa replica failure

2015-06-22 Thread Rob Crittenden
Andrew E. Bruno wrote: On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Questions: 0. Is it likely that after running out of file descriptors the dirsrv slapd database on rep2 was corrupted? That would

Re: [Freeipa-users] Crazy Cert problem?

2015-06-22 Thread Rob Crittenden
Janelle wrote: On 6/17/15 2:00 PM, Rob Crittenden wrote: Janelle wrote: On 6/17/15 6:21 AM, Rob Crittenden wrote: Janelle wrote: On 6/17/15 6:14 AM, Rob Crittenden wrote: Janelle wrote: Hi, Had a server - named ipa001.example.com -- it was a replica. It died. It was re-installed. However

Re: [Freeipa-users] ipa replica failure

2015-06-22 Thread Rob Crittenden
Andrew E. Bruno wrote: On Mon, Jun 22, 2015 at 10:02:59AM -0400, Rob Crittenden wrote: Andrew E. Bruno wrote: On Fri, Jun 19, 2015 at 03:18:50PM -0400, Rob Crittenden wrote: Rich Megginson wrote: On 06/19/2015 12:22 PM, Andrew E. Bruno wrote: Questions: 0. Is it likely that after running

Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype "all" to a privilege

2015-06-22 Thread Rob Crittenden
Nathan Peters wrote: -Original Message- From: Rob Crittenden Sent: Saturday, June 20, 2015 1:17 PM To: Nathan Peters Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission "System: Read HBAC Rules" with bindtype

Re: [Freeipa-users] 3rd party certificate for WebUI only

2015-07-01 Thread Rob Crittenden
Stephen Ingram wrote: I setup IPA using the internal CA. I'd like to continue using this CA, however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such t

Re: [Freeipa-users] error after change cert

2015-07-06 Thread Rob Crittenden
barry...@gmail.com wrote: The cert is already on the httpd / ldap side, but it prompts an error: [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed. *.wisers.com - COMODO CA Limited

Re: [Freeipa-users] error after change cert

2015-07-06 Thread Rob Crittenden
NSS uses nicknames to reference a given certificate. This nickname needs to exist in its database. I'm guessing that you changed the database, and therefore the nickname in the database, without also updating the server configuration with this new nickname. rob 2015-07-06 21:3

Re: [Freeipa-users] error after change cert

2015-07-06 Thread Rob Crittenden
server certificate to use. rob Many thanks. On 6 Jul 2015 at 23:44, "Rob Crittenden" <rcrit...@redhat.com> wrote: barry...@gmail.com wrote: Do you mean this: I already added the cert to NSS and even \etc\ipa\ca.cert replaced

Re: [Freeipa-users] what error log i should check

2015-07-06 Thread Rob Crittenden
barry...@gmail.com wrote: server 1 ipa-replica-manage list Segmentation fault (core dumped) server 2 ipa-replica-manage list Can't contact LDAP server but it seems still in sync: as I add a new account then server 2 has it; if I delete server 2's name, server 1 still deletes. I'd start with the seg fault. Check

Re: [Freeipa-users] IPA replica without CA, how to become CA

2015-07-06 Thread Rob Crittenden
Matt . wrote: Hi All, I'm cleaning up and playing around with some old dev setups and reviewing these tests. This is a replica setup but the replica is no CA. Now I'm testing out how to manage cluster when I remove the ipa1 (CA) and create a new replica with CA from the ipa2. IPA2 should beco

Re: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

2015-07-06 Thread Rob Crittenden
Haiden, Scott B. wrote: Hello, I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a FreeIPA server running on it. I am trying to get a TGT from it, from my Windows 7 Enterprise machine. I am able to easily interact with it from other Linux hosts, but I am not having any

Re: [Freeipa-users] error after change cert

2015-07-07 Thread Rob Crittenden
ickname of your new cert then your simplest solution is: # ipactl stop # /etc/dirsrv/slapd-REALM/dse.ldif Find nsSSLPersonalitySSL and replace the value with the right one. # ipactl start rob On 6 Jul 2015 at 23:52, "Rob Crittenden" <rcrit...@redhat.com> wrote: >
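Rob's two replies in this thread (NSS looks certificates up by nickname, and the fix is to stop IPA and repoint nsSSLPersonalitySSL in dse.ldif) amount to a check worth scripting before the next `ipactl start`. The block below is an added example, not code from FreeIPA or from anyone in the thread: it parses the nickname out of a dse.ldif excerpt, parses `certutil -L` output from the same instance's NSS database, reports whether they agree, and rewrites the attribute when they do not. The dse.ldif excerpt and the certutil listing are constructed samples, and the nickname new-server-cert is a placeholder; on a real server the inputs come from /etc/dirsrv/slapd-REALM/dse.ldif and `certutil -L -d /etc/dirsrv/slapd-REALM`, with the instance stopped first.

```python
"""Consistency check for the 389-ds server certificate nickname.

Added example for this thread; not code from FreeIPA or from the posters.
It checks that the nickname in nsSSLPersonalitySSL (dse.ldif) exists in the
instance's NSS database and rewrites the attribute when the admin imported
the new certificate under a different nickname.

Assumptions (not from the original thread): the dse.ldif excerpt and the
`certutil -L` listing below are constructed samples, and the nickname
"new-server-cert" is a placeholder for whatever the admin actually used.
"""
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: the encryption entry of /etc/dirsrv/slapd-REALM/dse.ldif.
SAMPLE_DSE_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""

# Constructed sample: `certutil -L -d /etc/dirsrv/slapd-REALM` after the admin
# imported a commercial cert under a new nickname and dropped "Server-Cert".
SAMPLE_CERTUTIL_LIST = """\

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
new-server-cert                                              u,u,u
"""

ATTR = "nsSSLPersonalitySSL"
# A certutil trust column looks like "CT,C,C" or "u,u,u" (fields may be empty).
_TRUST_RE = re.compile(r"^(\S.*?)\s+([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")


def _unfold(ldif_text: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def configured_nickname(ldif_text: str) -> Optional[str]:
    """Return the nsSSLPersonalitySSL value ('::' base64 values decoded), or None."""
    for line in _unfold(ldif_text):
        m = re.match(rf"^{ATTR}(::?)\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(2).strip()
            if m.group(1) == "::":
                value = base64.b64decode(value).decode("utf-8")
            return value
    return None


def nss_nicknames(certutil_output: str) -> List[str]:
    """Parse `certutil -L` output into the list of certificate nicknames."""
    names: List[str] = []
    for line in certutil_output.splitlines():
        m = _TRUST_RE.match(line)
        if m:
            names.append(m.group(1).strip())
    return names


def check(ldif_text: str, certutil_output: str) -> Tuple[Optional[str], bool]:
    """Return (configured nickname, whether that nickname exists in the NSS DB)."""
    nick = configured_nickname(ldif_text)
    return nick, nick is not None and nick in nss_nicknames(certutil_output)


def set_nickname(ldif_text: str, new_nick: str) -> str:
    """Rewrite nsSSLPersonalitySSL to new_nick and return the new LDIF text.

    Only safe with the instance stopped (ipactl stop): ns-slapd rewrites
    dse.ldif on shutdown and would overwrite an edit made while it runs.
    """
    out: List[str] = []
    found = False
    for line in _unfold(ldif_text):
        if re.match(rf"^{ATTR}::?", line, re.IGNORECASE):
            out.append(f"{ATTR}: {new_nick}")
            found = True
        else:
            out.append(line)
    if not found:
        raise ValueError(f"{ATTR} not present in dse.ldif excerpt")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    nick, ok = check(SAMPLE_DSE_LDIF, SAMPLE_CERTUTIL_LIST)
    print(f"configured nickname: {nick!r}, present in NSS DB: {ok}")
    if not ok:
        print(set_nickname(SAMPLE_DSE_LDIF, "new-server-cert"))
```

The trust-column regex is what distinguishes certificate rows from certutil's header lines, so a nickname that itself contains a comma-separated trust-like suffix would need a stricter parser; for the nicknames FreeIPA uses (Server-Cert, the "REALM IPA CA" nickname) it is enough.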

Re: [Freeipa-users] Apache not starting because of cert password issue ?

2015-07-09 Thread Rob Crittenden
Matt . wrote: I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert' So, it's no good at all :) I think you need to take a step back and tell us what you've done to get into this situation. The error messages are fairly clear. The first one wa

Re: [Freeipa-users] CANT LOGIN INTO centos 6.6 2.6.32-504.23.4.el6.i686

2015-07-09 Thread Rob Crittenden
Martin Chamambo wrote: I have the following configuration below and I'm unable to login via SSH into a 32 bit server. With the same username I'm able to login on other servers Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for the information necessary to assist. rob -- Manage yo

Re: [Freeipa-users] Multiple CA certificates (for PassSync)

2015-07-09 Thread Rob Crittenden
Joseph, Matthew (EXP) wrote: Hello, We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately. Part of our configuration is using t

Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

2015-07-20 Thread Rob Crittenden
Christopher Lamb wrote: Hi Alexander This issue got overtaken by others, and slipped off my radar for a bit... While the solution suggested earlier in this thread at http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA sounds interesting (and we are running the correct ver

Re: [Freeipa-users] Client Certificates not in backlog

2015-07-20 Thread Rob Crittenden
Brian Topping wrote: Hi I was just looking at http://www.freeipa.org/page/User_certificate_use_cases and was trying to do some self-service to see when it might get scheduled. Unless I am mistaken, it doesn't even seem to exist in the backlog. Is that intentional? The reason I started to look

Re: [Freeipa-users] OTP and Laptops

2015-07-27 Thread Rob Crittenden
John Johnson wrote: Kerberos version is 1.12.2 on RHEL7.1. I guess I'm wondering if the issue is hardware-related, somehow specific to laptops; or if it's related to the way laptops are assumed to be used, i.e. portable, etc. It would be helpful if you described what isn't working. rob On

Re: [Freeipa-users] Keeping a Tuesday fun - replication? without replication?

2015-08-04 Thread Rob Crittenden
Janelle wrote: Hello again, Just to keep your Tuesday fun, is this possible: 16 servers. ipa-replica-manage list < shows all 16 1 of the servers broke a couple of weeks ago and was removed with "clean-ruv" but STILL shows up in the replica list, but not a single master has a replica agree

Re: [Freeipa-users] Keeping a Tuesday fun - replication? without replication?

2015-08-04 Thread Rob Crittenden
Janelle wrote: On 8/4/15 9:06 AM, Ludwig Krispenz wrote: On 08/04/2015 05:40 PM, Rob Crittenden wrote: Janelle wrote: Hello again, Just to keep your Tuesday fun, is this possible: 16 servers. ipa-replica-manage list < shows all 16 1 of the servers broke a couple of weeks ago

Re: [Freeipa-users] FreeIPA user ID differs

2015-08-05 Thread Rob Crittenden
markus@mc.ingenico.com wrote: Hi Christopher, Hi Loris, The plugin is enabled ipa-compat-manage status Plugin Enabled When I request the id of a posix user on the freeipa server then I receive the output I expect with correct uid, gid and groups. But on a connected host, with freeipa cli

Re: [Freeipa-users] FreeIPA Server install fails on configuration of client side components

2015-08-06 Thread Rob Crittenden
Christopher Lamb wrote: Hi In order to better assist on another thread in this list, I installed FreeIPA Server in a throwaway VM. Unfortunately the FreeIPA Server Install repeatedly fails with: Configuration of client side components failed! ipa-client-install returned: Command ''/usr/sbin/i

Re: [Freeipa-users] Having problem with pwd_expiration

2015-08-13 Thread Rob Crittenden
Dewangga Bachrul Alam wrote: I've tried both of them (web UI & CLI), still no luck. Screenshot attached, the password expiry does not follow the global_policy. I've created another new user, it was the same as with user `subhan`. The password expiry does not follow global_policy. http://www.freeipa.org/page

Re: [Freeipa-users] ipa directory inconsistencies

2015-08-13 Thread Rob Crittenden
Nguyen, Alicia wrote: Hi, I'm having an issue re-adding a client to freeipa (same hostname). When I removed the client from the domain I uninstalled freeipa on the client (using ipa-client-install --uninstall), removed the keytab, and ran ipa host-del FQDN on the the freeipa master. Everythin

Re: [Freeipa-users] IPA User Group Auto membership

2015-08-15 Thread Rob Crittenden
Yogesh Sharma wrote: Team, We are having an issue in configuring Auto Membership for a user group, i.e. whenever we add/update a user to IPA, it should get added to a group on the basis of his/her Job Title. Below is the rule: [root@ipa-inf-prd-ng2-02 ~]# ipa automember-find dbausers Grouping Typ

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-15 Thread Rob Crittenden
sipazzo wrote: Hi I am using freeipa 3.0.0-47 in a mixed environment with rhel5-7 clients, Solaris 10 clients and a handful of Solaris 11 clients. I followed this guide in setting up the solaris clients: 3.8. Configuring a Solaris System as a FreeIPA Client

Re: [Freeipa-users] freeipa on http?

2015-08-18 Thread Rob Crittenden
Janelle wrote: Hi, Is there a way to force freeipa web server to accept http requests and not redirect to https? Reason is simple - offloading SSL to a load balancer on the front end. (this is for web only, not the LDAP or Kerberos) Thank you ~J You could try disabling the rewrite rules to d

Re: [Freeipa-users] Cannot uninstall ipa-server

2015-08-19 Thread Rob Crittenden
Janelle wrote: ipa-server-install --uninstall --unattended I don't think it is the prompt that's hanging. I'd either wait to see whether it clears things up itself or try to figure out what service is hanging. Some of the timeouts are 5 minutes IIRC so it may take a while in the worst case s

Re: [Freeipa-users] private groups

2015-08-20 Thread Rob Crittenden
Martin Kosek wrote: On 08/20/2015 11:57 AM, Detlev Habicht wrote: Hi all, I am new to using IPA and while learning IPA I am also learning some other things that are new to me. Migrating our system to IPA I found some problems with private groups. We haven't used them up to now. Trying to disable this feature with

Re: [Freeipa-users] Questions to "compat" LDAP suffix

2015-08-20 Thread Rob Crittenden
Detlev Habicht wrote: Hi all, I am very new to using and testing IPA and I have some questions, which are not really IPA topics. But perhaps someone can help me and send me a link, where I can read and learn such things: I see in the LDAP tree a suffix like this: cn=users,cn=compat,dc=ims,dc=inte

Re: [Freeipa-users] How to modify the logging dir

2015-08-20 Thread Rob Crittenden
bahan w wrote: Hello. I send you this mail because I'm looking for a way to modify the logging dir of the different components embedded with FreeIPA. I already checked here: http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html But I cannot see how to modify the lo

Re: [Freeipa-users] Adding virtual servers to IPA httpd

2015-08-24 Thread Rob Crittenden
Ian Pilcher wrote: On 08/24/2015 01:47 AM, Martin Kosek wrote: FreeIPA can play well with other stuff running on the same Apache as long as you do not break its Apache configuration - like mod_nss running on port 443, CA proxy or the RPC connection URIs used by "ipa" tool or other tools. So th

Re: [Freeipa-users] Trying to enroll clients on CentOS7 with '--' in the host name failing

2015-08-25 Thread Rob Crittenden
McNiel, Craig wrote: We have a rather strange need to have '--' in some standard host names and when I use the CentOS7 ipa-client 4.1 I get the following error message. [root@pan-smk-pdev lib]# ipa-join -h "craigs--ipa--client--test.pearsondev.com

Re: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

2015-08-27 Thread Rob Crittenden
Mateusz Małek wrote: Hi everyone, We're trying to adjust FreeIPA to our environment... quite a bit. Here are some bullet points: 1. User home directory location is dependent on user primary group and its value should be autogenerated on user creation. 2. User administrator should be able to sel

Re: [Freeipa-users] certificate renewal stuck

2015-08-28 Thread Rob Crittenden
Mike LoSapio wrote: Hey there - I’m working a FreeIPA box (ipa-server-3.0.0-42) - Our original PKI “master” was nuked a while ago and I have a suspicion that none of the other “master” freeipa replicas were “promoted” (sorry for the over-use of “ ) So we went ahead and ran through these instru

Re: [Freeipa-users] certificate renewal stuck

2015-08-29 Thread Rob Crittenden
ading down the correct path? - I would have assumed these certs would have renewed themselves since I'm +3.0. I see the Configure renewal section but it's an odd situation where we have to renew and reconfigure... -- Mike On 8/28/15, 7:45 PM, "Rob Crittenden" wrote: Mike LoSapio wrot

Re: [Freeipa-users] CA replicas different views???

2015-09-01 Thread Rob Crittenden
Janelle wrote: Hello, I am very confused. I have a couple of data centers and as expected, I have setup CA replicas in each DC. However, this is what makes me nervous/afraid of my configs. In one data center, while sitting on a master and issuing: (as seen from ipa006.example.com) ipa-csreplic

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-02 Thread Rob Crittenden
Marc Wiatrowski wrote: Hello, In trying to script some changes for automount locations. I've noticed 'ipa automountlocation-tofiles' doesn't seem to return everything. As an example: $ ipa automountlocation-tofiles office | grep abg returns nothing for abg. Yes, I have run this without the

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: On Wed, Sep 2, 2015 at 3:46 PM, Rob Crittenden <rcrit...@redhat.com> wrote: Marc Wiatrowski wrote: Hello, In trying to script some changes for automount locations. I've noticed 'ipa automountlocation-tofiles&

Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-03 Thread Rob Crittenden
Janelle wrote: You will find, if you check in the ns-slapd "errors" log that this server may no longer be handling replication correctly. Look in /var/log/dirsrv/slapd-INSTANCE/errors This probably doesn't have anything to do with replication. Lockout is per-master because failed (and suc

Re: [Freeipa-users] ipa automountlocation-tofiles

2015-09-03 Thread Rob Crittenden
Marc Wiatrowski wrote: That looks to have done the trick! (no restart needed) thank you Great. I opened https://fedorahosted.org/freeipa/ticket/5285 to track this. rob On Thu, Sep 3, 2015 at 1:43 PM, Rob Crittenden <rcrit...@redhat.com> wrote: Marc Wiatrowski

Re: [Freeipa-users] Replacing the "master"

2015-09-03 Thread Rob Crittenden
Steven Jones wrote: I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002. Directory Manager password: Deleting a master is irreversible. To recon

Re: [Freeipa-users] Replacing the "master"

2015-09-04 Thread Rob Crittenden
Martin Kosek wrote: On 09/04/2015 12:00 AM, Rob Crittenden wrote: Steven Jones wrote: I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I try and remove the last one the master? it says, "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoi

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-04 Thread Rob Crittenden
Steven Jones wrote: It seems I built IPA with self signed certs so I need to upgrade? is this possible? and if so how on existing servers? I think it depends heavily on what version of IPA you are running and what you mean by self-signed. rob -- Manage your subscription for the Freeipa-us

Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-08 Thread Rob Crittenden
Steven Jones wrote: RHEL6.7 and IPA 3.0 "self-signed" not understanding such terminology terribly well, I am not sure at all. What command will tell me what I have? Do you have a dogtag CA instance? ipactl status rob regards Steven ____

Re: [Freeipa-users] Antwort: Re: Antwort: Re: Faulty LDAP record

2015-09-08 Thread Rob Crittenden
Christoph Kaminski wrote: Youenn PIOLET wrote on 07.09.2015 14:13:35: > From: Youenn PIOLET > To: Christoph Kaminski > Cc: Ludwig Krispenz, freeipa-users@redhat.com > Date: 07.09.2015 14:16 > Subject: Re: [Freeipa-users] Antwort: Re: Faulty LDAP record > > Hi, > Did you try to r

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Rob Crittenden
Thomas Suiter wrote: > Is there an equivalent host/computer default objectclasses that there is > for ipa config-mod --groupobjectclasses/--userobjectclasses ? We are > wanting to add some additional attributes to all of the servers, I'm > able to add the object class to individual servers but not

Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-11 Thread Rob Crittenden
Craig White wrote: > Following instructions from here… > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html > > > > RHEL6 server > > # rpm -qa ipa-server > > ipa-server-3.0.0-42.el6.x86

Re: [Freeipa-users] How to add multivalued attribute to UI

2015-09-16 Thread Rob Crittenden
John Duino wrote: > Greetings! > > I am wanting to add a multivalued attribute (mailAlternateAddress, from > objectClass:MailRecipient) to the User UI. We are running IPA > 4.1.0-18.el7.centos.4.x86_64, on CentOS7. Adding it to the CLI was fairly > straightforward. > I have a plugin at /usr/sha

Re: [Freeipa-users] How to add multivalued attribute to UI

2015-09-16 Thread Rob Crittenden
nfigured the plugin. Can you share the code? The UI downloads all the available commands and options as metadata and uses that to help drive some of the interactions. rob > > Thanks! > - Original Message - > From: "Rob Crittenden" > > Do you have this configured

Re: [Freeipa-users] Red Hat 5 and 6 with IPA Client v. 4

2015-09-17 Thread Rob Crittenden
Andrey Ptashnik wrote: > Any ideas on that? /var/log/ipaclient-install.log probably has more details on the DNS update failure. rob > > Regards, > > Andrey Ptashnik | Network Architect > CCC Information Services Inc. > 222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654 > Office: +1-312-22

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread Rob Crittenden
David Kupka wrote: > On 22/09/15 17:02, James Masson wrote: >> >> Hi, >> >> we're building IPAs in an automated fashion, for environments that get >> created and destroyed a lot. At the moment, the CA certs used inside >> these IPAs are self-signed, as part of the normal "ipa-server-install" >> set

Re: [Freeipa-users] Ghost user?

2015-09-23 Thread Rob Crittenden
Janelle wrote: > On 9/23/15 10:36 AM, Martin Basti wrote: >> >> >> On 09/23/2015 07:15 PM, Janelle wrote: >>> I have a user I created for testing, but now shows as both "there" >>> but not there.. >>> >>> *ipa user-show jtest* >>> >>> ipa: ERROR: jtest: user not found >>> >>> *ipa user-fin

Re: [Freeipa-users] CentOS7: certmonger not enabled by default?

2015-09-28 Thread Rob Crittenden
Martin Štefany wrote: > Hello all, > > I'd like to verify with you whether certmonger.service should be enabled by > default after IPA client installation or not. If I remember correctly, > it used to start on CentOS6, IPA client ~3.0.0, after ipa-client > installation and reboots. > > The thing is, for

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Janelle wrote: > Hello, > > I continue to see these a lot, but only on some servers. It causes a lot > of confusion with my users. There must be a way to troubleshoot this > and find the issue. Also, there is nothing wrong with the password > policies. They are all set to default, and this occurs

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Janelle wrote: > On 9/28/15 6:10 AM, Rob Crittenden wrote: >> Janelle wrote: >>> Hello, >>> >>> I continue to see these a lot, but only on some servers. It causes a lot >>> of confusion with my users. There must be a way to troubleshoot this >>

Re: [Freeipa-users] password resets - errors

2015-09-28 Thread Rob Crittenden
Simo Sorce wrote: > On 27/09/15 09:21, Janelle wrote: >> Hello, >> >> I continue to see these a lot, but only on some servers. It causes a lot >> of confusion with my users. There must be a way to troubleshoot this >> and find the issue. Also, there is nothing wrong with the password >> policies.

Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Rob Crittenden
Brian Mathis wrote: > No. FreeIPA requires a *CA* certificate, which is a cert that has the > ability to sign other certs. Unless you're in a large company with an > expensive agreement in place with GoDaddy, that is not a permission they > grant to regular certs. A wildcard cert is only allowed

Re: [Freeipa-users] FreeIPA 3.3 performance issues with many hosts

2015-10-01 Thread Rob Crittenden
Dominik Korittki wrote: > Hello folks, > > I am running two FreeIPA Servers with around 100 users and around 15.000 > hosts, which are used by users to login via ssh. The FreeIPA servers > (which are Centos 7.0) ran good for a while, but as more and more hosts > got migrated to serve as FreeIPA ho

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Rob Crittenden
Nathan Peters wrote: There doesn't seem to be an option to add POSIX attributes to my sudo rules. Which attributes should I be adding and how? Not the sudo rule, the group. I'd create a new test group similar to one of your existing groups, add that to your sudo rule and try that. rob --

Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails

2016-06-13 Thread Rob Crittenden
t.com/show_bug.cgi?id=1336548 rob -----Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Monday, June 13, 2016 2:20 PM To: Nathan Peters; Jakub Hrozek Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails Nathan Peters

Re: [Freeipa-users] How to renew kerberos tickets without user intervation?

2016-06-14 Thread Rob Crittenden
Matrix wrote: HI, All IPA server was installed on ipaserver.dev.example.net A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that rsync cronjobs will fail once the 'ads' kerberos ticket has expired. I would like to renew kerberos tickets before e

Re: [Freeipa-users] ipa: ERROR: invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'

2016-06-14 Thread Rob Crittenden
Łukasz Jaworski wrote: Hi, freeipa-client-4.2.4-1.fc23.x86_64 freeipa-server-4.2.4-1.fc23.x86_64 I've tried add hostname with multiple hyphens. Sth like: example--name-of-host.example.com. Output is: ipa: ERROR: invalid ‘hostname’: invalid domain-name: only letters, numbers, ‘-’ are allowed. DN

Re: [Freeipa-users] CA: IPA certificates not renewing

2016-06-14 Thread Rob Crittenden
Marc Wiatrowski wrote: Hello, I'm having issues with the 3 ipa certificates of type CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA master. The other 5 certificates from getcert list do renew and all certificates on the CA master do look to renew. Both servers ru

Re: [Freeipa-users] Unable to install replica using replica file

2016-06-15 Thread Rob Crittenden
Abhijeet Kasurde wrote: Hi All, I am creating master replica setup using following commands and getting error on replica server 2016-06-15T03:53:31Z DEBUG The ipa-replica-install command failed, exception: NetworkError: cannot connect to 'ldaps://dhcp201-141.testrelm.test:636': TLS error -8157:

Re: [Freeipa-users] CA: IPA certificates not renewing

2016-06-16 Thread Rob Crittenden
entry on all the masters. Again, should be the same. Note that fixing this won't address any replication issues. rob Marc On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski mailto:w...@iglass.net>> wrote: On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden mailto:rcrit.

Re: [Freeipa-users] FreeIPA – AD Trust Integration Option

2016-06-16 Thread Rob Crittenden
Saqib N Ali wrote: Hi Alexander, I understand that with Trust to AD, we can use AD for System of Records for the User Accounts. We do want IPA to maintain the policies, but just want to use SunLDAP instead of 389 Directory Server for storing the policies. From Enterprise Architecture point of v

Re: [Freeipa-users] FreeIPA – AD Trust Integration Option

2016-06-16 Thread Rob Crittenden
Saqib N Ali wrote: Rob, is there an architecture document/diagram that describes how 389-ds in the FreeIPA w/ AD Trust setup? You'll find a number of pages on freeipa.org. rob On Thu, Jun 16, 2016 at 9:08 AM, Rob Crittenden mailto:rcrit...@redhat.com>> wrote: Saqib

Re: [Freeipa-users] CentOS 7, FreeIPA 4.2: slapd crashes soon after launch

2016-06-16 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: Our FreeIPA master was working fine for about a day and then, apropos of nothing, the LDAP component started to crash with nary an error message. Obviously, with it down we can log into the WebUI nor can we query the status of the components or retrieve data.

Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error

2016-06-18 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: Epilogue: While I couldn't solve the python error, I did manage to uninstall the ipa client and sssd components, then delete /var/lib/ipa-client (which was causing the ipa-client-install program to think that it was already registered). After reinstalling th

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-18 Thread Rob Crittenden
Tomasz Torcz wrote: On Fri, Jun 17, 2016 at 11:32:22AM +0200, Petr Vobornik wrote: On 27.5.2016 14:28, Tomasz Torcz wrote: Hi, In my home environment I'm using two-server FreeIPA configuration on Fedora. Initially installed on fedora 19 in November 2013, it have been upgraded every Fedora r

Re: [Freeipa-users] CA: IPA certificates not renewing

2016-06-21 Thread Rob Crittenden
rob thanks On Thu, Jun 16, 2016 at 10:22 AM, Rob Crittenden mailto:rcrit...@redhat.com>> wrote: Marc Wiatrowski wrote: Thanks Rob, Any suggestions on how make the CA aware of the current serial number? Serial numbers are doled out like uid numbers, by

Re: [Freeipa-users] CentOS 6.8: uninstalling IPA client causes python error

2016-06-21 Thread Rob Crittenden
ts. Any unauthorized disclosure, use, distribution, or reproduction of this message or any attachments is prohibited and may be unlawful./ *From: *Rob Crittenden *Date: *Saturday, June 18, 2016 at 23:00 *To: *Daniel Finkestein , "freeipa-users@redhat.com" *Subject: *Re: [Freeipa-users] Ce

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-21 Thread Rob Crittenden
Tomasz Torcz wrote: On Sat, Jun 18, 2016 at 11:02:23PM -0400, Rob Crittenden wrote: Most of the functions work, but 5) I cannot get Authentication→Certificates list: On okda, going to Certificates list yields ”Certificate operation cannot be completed: Unable to communicate with CMS

Re: [Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

2016-06-21 Thread Rob Crittenden
Günther J. Niederwimmer wrote: Hello Rob, Am Mittwoch, 1. Juni 2016, 09:54:58 CEST schrieb Rob Crittenden: Günther J. Niederwimmer wrote: Hello, Am Dienstag, 31. Mai 2016, 11:06:09 CEST schrieb Rob Crittenden: Günther J. Niederwimmer wrote: Hello I found any Help for the IPA Certificate

Re: [Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

2016-06-22 Thread Rob Crittenden
Tomasz Torcz wrote: On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote: [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error) [Sat Jun 18 18:59

Re: [Freeipa-users] IPA active-active node failure

2016-06-27 Thread Rob Crittenden
Auerbach, Steven wrote: We have an active-active dual-node IPA. The second node stopped accepting logins thru the Web GUI. I rebooted the server. Now it is really botched. Directory service will not restart: # service ipa restart Restarting Directory Service Shutting down dirsrv: doma

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-06-27 Thread Rob Crittenden
John Obaterspok wrote: 2016-06-27 11:05 GMT+02:00 Lukas Slebodnik mailto:lsleb...@redhat.com>>: On (26/06/16 20:37), John Obaterspok wrote: >Hi, > >I've been running F23 + mod_nss 1.0.14-1 for months to get SubjectAltName >to work. >F24 update brings back mod_nss to 1.0

Re: [Freeipa-users] updating certificates

2016-06-28 Thread Rob Crittenden
j...@use.startmail.com wrote: Greetings, About a year ago I installed my freeipa server with certificates from startssl using command line options --dirsrv-cert-file --http-cert-file etc. The certificate is about to expire, what is the proper way to update it in all places? It depends on wheth
