On Thu, Nov 12, 2015 at 08:55:25PM +0100, Martin Kosek wrote:
> On 11/12/2015 04:51 PM, Terry John wrote:
> >
> >I got a core dump of certmonger failing user abrt but it's huge. Is there
> >any particular part that would be useful.
>
> CCing Nalin and David for the core dump. More below.
My init
On Tue, Aug 04, 2015 at 07:29:13AM -0700, Janelle wrote:
> Hello,
>
> Well, I am more used to working with openssl directly, so I am a little
> confused when using FreeIPA and certmonger. I assume that when a
> certificate is in this state:
>
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>
On Tue, May 19, 2015 at 12:34:47PM +0200, marcin kowalski wrote:
> Hi, all. I am trying to integrate certmonger with dogtag instance, and so
> far i've stumbled on one odd problem. Hopefully this is the right list.
>
> I've generated some random cert with getcert request, it has communicated
> wit
On Tue, May 12, 2015 at 06:39:13PM +0200, Thibaut Pouzet wrote:
> After doing what you recommended, the CSR have changed in the debug log :
>
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: O=ipa_domain, CN=ipa_server
> Subject Public Key Info:
>
On Mon, May 11, 2015 at 05:14:16PM +0200, Thibaut Pouzet wrote:
> There is one that remains expired, despite all the efforts I put into
> renewing it. This is the one used for the pki-ca administration pages
> reachable on ports 9443, 9444 and 9445. Here is its status after trying
> to resubmit it
On Wed, Apr 15, 2015 at 08:47:12AM +0200, Günther J. Niederwimmer wrote:
> Thank you for the answer and help
>
> I mean this is working now ;) after some --uninstall and delete the
> certificate
> (?) . The wrong command I found with google :-(.
>
> The status command is not working on my syste
On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> Hello
>
> I mean I have a Problem with the ipa-getcert script.
>
> system CentOS 7 (1503) and IPA 4.1.x
>
> can any help or declare my mistake or is this a IPA Problem
>
> I do a
>
> kinit admin
>
> ipa-getcert request
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client
On Wed, Apr 01, 2015 at 07:45:10PM +0300, Ben .T.George wrote:
> HI
>
> yes I have created cache. tried from different browsers, tried from
> portable browser, configure Kerberos plugin in firefox
>
> this is what i got from inspect:
>
> http://s9.postimg.org/51c5809xr/kerb.jpg
Just to be sure,
On Wed, Mar 18, 2015 at 05:55:52PM -0400, Rob Crittenden wrote:
> > getcert status
> > process 31282: arguments to dbus_message_new_method_call() were
> > incorrect, assertion "path != NULL" failed in file dbus-message.c line 1262.
> > This is normally a bug in some application using the D-Bus libr
On Wed, Feb 11, 2015 at 10:04:42AM +0100, marcin kowalski wrote:
> I forgot to add - usually removing the "-v" bit in ca external helper
> definition produces the aforementioned 'rejected by CA' message, instead of
> verbose output.
Ah. Yes, the verbose output goes to stdout, where it confuses th
On Thu, Jan 08, 2015 at 01:27:26PM -0500, John Desantis wrote:
> > Would file corruption within the file of the "Request ID" in
> > /var/lib/certmonger/request have anything to do with this?
> >
> > autorenew=1
> > monitor=1
> > ca_name=dogtag-ipa-retrieve-agent-submit
> > ca_profile=ipaCert
> > su
On Tue, Nov 11, 2014 at 11:13:12AM -0500, Nalin Dahyabhai wrote:
> Since you mention that this seems to be specific to 32-bit boxes, I
> think I need to switch to that one to try to sort out what's happening
> here, since I'm on a 64-bit box.
Okay, found it, and as 64-bit clean
On Tue, Nov 11, 2014 at 08:48:18AM +0100, Natxo Asenjo wrote:
> 2014-11-11 08:34:33 [11677] Certificate "Local Signing Authority"
> valid for 31473668s.
> 2014-11-11 08:34:33 [11677] Running result is 1481416576.
> 2014-11-11 08:34:33 [11677] Final result is 1481416576.
Okay, that's weird. The re
On Mon, Nov 10, 2014 at 04:17:49PM +0100, Natxo Asenjo wrote:
> Nov 10 15:51:31 apachetest03 certmonger: Decoding error on
> "TUlJRG5EQ0NBb1NnQXdJQkFnSUJBVEFOQmdrcWhraUc5dzBCQVFzRkFEQTdNUmt3#012RndZRFZRUUtFeEJWVGtsWUxrbFNTVk5hVDFKSExrNU1NUjR3SEFZRFZRUURFeFZE#012WlhKMGFXWnBZMkYwWlNCQmRYUm9iM0pwZEhrd
On Wed, Sep 24, 2014 at 01:02:34PM -0600, ToBeReplaced wrote:
> In details below, the domain name, server host name, and ip address has
> been changed.
>
> The server is sitting behind a router with ip 12.34.56.78. The server
> was configured with `--enable-dns` and `192.168.1.100 ipa.example.com
On Mon, Jan 13, 2014 at 04:07:16PM +0100, Sigbjorn Lie wrote:
> After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of
> the request is now:
>
> Request ID '20120119194518':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 907 (RPC failed at
On Tue, Jan 07, 2014 at 10:35:58AM -0500, Rob Crittenden wrote:
> Nalin Dahyabhai wrote:
> >Any system on which you intend to run ypcat, ypmatch, or any of the NIS
> >client commands should run ypbind, whether it's talking to a more
> >traditional NIS server or an IPA s
On Tue, Jan 07, 2014 at 08:22:45AM -0500, Joseph, Matthew (EXP) wrote:
> I've been trying different combinations of adding the nsslapd-pluginarg0:
> 1023 and running ypserv on the same port.
> Should nsslapd and ypserv be running on the same port when I do the netstat
> command?
Only one of thos
On Tue, Jan 07, 2014 at 05:22:22AM -0500, Joseph, Matthew (EXP) wrote:
> When I run ypcat on the IPA servers it states that ypbind can't communicate.
> I started ypbind on the secondary IPA server so now I can run ypcat.
> Is running ypbind on the IPA servers necessary? According to all of the
> d
On Thu, Oct 03, 2013 at 05:02:44PM -0400, Dmitri Pal wrote:
> On 09/27/2013 08:13 AM, Ade wrote:
> > I have a dirsrv server using the slapi-nis plugin to provide 190+ nis
> > maps. It works well apart from one issue - boot up
> >
> > If I do a reboot, the dirsrv starts up ok, but slapi-nis doesn't s
On Thu, Sep 05, 2013 at 09:17:36AM -0500, cbul...@gmail.com wrote:
> The users were imported from a openldap server and the password
> encryption is MD5.
Is that {CRYPT} using an md5-based crypt, or {MD5} or {SMD5}? A client
that's trying to check passwords using hashes which it reads via NIS is
On Mon, Jul 22, 2013 at 01:41:14PM +, Rivet, Matt wrote:
> Does IPA need to be in my host file or dns?
>
> Does anyone know why certmonger is looking for a keytab for
> host/det-webdl01@. instead of
> host/host/det-webdl01.sub.example@example.com?
In order to authenticate to the IPA ser
On Sun, May 26, 2013 at 09:40:03PM +0200, Sigbjorn Lie wrote:
> I did some testing on this. I added an entry to "cn=Schema
> Compatibility, cn=plugins, cn=config", and defined the various
> settings for the compat plugin. It worked as a charm, the requested
> automountmaps we're mirrored. However,
On Fri, May 24, 2013 at 12:01:04PM +0200, Sigbjorn Lie wrote:
> The compat module would have to be extended to support displaying selected
> automount maps from one
> location in a different location. I do not know the internals of the compat
> plugin so what I'm
> asking might be unable/hard to
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
> /etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
>
> All the certs monitored by Certmonger show the same issuer.
Ok, good. (If that hadn't been the case, I wouldn't have had an
explanation to offer.)
> Wasn'
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
> Here is the output from the submit:
>
> /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
> Submitting request to "https://ipa01.ctidata.net/ipa/xml".
> Fault -504: (libcurl failed to execute the HTTP POST transact
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> Nalin,
>
> Thanks for your response. Running `hostname` does result in
> ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
>
> I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/
> ipa01.ctidata@ct
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote:
> Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
> auto-renew.
>
> ipa-getcert list
> Number of certificates and requests being tracked: 4.
[snip]
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca
On Wed, Mar 27, 2013 at 01:42:58PM -0400, Joseph, Matthew (EXP) wrote:
> Hey Nalin,
>
> Sorry typo on my part. It does say nis-base.
Alright then. The next thing to check is if the directory entries the
plugin's finding have data that the plugin expects to use to create
entries in the NIS map.
On Wed, Mar 27, 2013 at 11:07:44AM -0400, Joseph, Matthew (EXP) wrote:
> Here is the entry that is in dse.ldif:
>
> Dn= nis-domain=domain.ca+nis-map=hosts.byname,CN=NIS
> Server,cn=plugin,cn=config
> objectClass: top
> objectClass: extensibleObject
> nis-map: hosts.byname
> nis=base: cn=computers
On Tue, Feb 19, 2013 at 10:49:42AM -0700, ninib...@worldd.org wrote:
> I used IPA from the CentOS 6 repositories and I am having an issue I
> can't seem to solve. I installed a server and a client with no
> issues, but upon Nessus scans of the server, port 464 kpasswd UDP was
> flagged for a ping-
On Mon, Jan 14, 2013 at 12:06:35PM -0700, Orion Poplawski wrote:
> We're looking at migrating from 389ds to ipa. Currently our users
> are in ou=People with rfc2307 attributes. Is there any way to
> provide an ou=people,dc=nwra,dc=com compatibility group in IPA? Or
> does everything have to rema
On Tue, Dec 11, 2012 at 01:04:37PM -0500, Bret Wortman wrote:
> This appears to require dirsrv-1.3, which I assume is part of
> 389-base-devel. I don't see where 1.3 has been made available yet, or am I
> missing something?
Hmm. I'm seeing packages for a 1.3.0-0.1.a1 in Fedora 18, and after a
lit
On Mon, Sep 10, 2012 at 10:06:38PM +0200, Sigbjorn Lie wrote:
> Hi,
>
> We are using pam_ldap + pam_krb5 on our RHEL 5 workstations.
> Sometimes when the user logs in, or unlocks his workstation the
> users kerberos keytab is not created or updated.
You mean credential caches rather than keytabs,
On Tue, Jul 10, 2012 at 02:15:41PM -0500, KodaK wrote:
[snip]
> My sudo-ldap.conf file:
>
> binddn uid=sudo,cn=sysaccounts,cn=etc,dc=validserver,dc=com
> bindpw validpassword
>
> ssl start_tls
> tls_cacertfile /etc/ipa/ca.crt
> tls_checkpeer yes
>
> bind_timelimit 5
> timelimit 15
>
> uri ldap:
On Thu, Jun 07, 2012 at 05:56:14PM -0400, Ian Levesque wrote:
> On Jun 7, 2012, at 5:44 PM, Nalin Dahyabhai wrote:
>
> > ldapsearch -h sbgrid-directory -Y GSSAPI \
> > -b "cn=Schema Compatibility,cn=plugins,cn=config" \
> > nsslapd-pluginEnabled
> >
On Thu, Jun 07, 2012 at 05:44:16PM -0400, Nalin Dahyabhai wrote:
> The results should look like this:
>
> dn: cn=Schema Compatibility,cn=plugins,cn=config
> nsslapd-pluginEnabled: off
Yeah, that second line should be "nsslapd-pluginEnabled: on"
On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote:
> # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
> No such object (32)
> Matched DN: dc=sbgrid,dc=org
This result suggests that the plugin isn't running. Can you
double-check by searching (as either the director
On Thu, Jun 07, 2012 at 05:03:11PM -0400, Ian Levesque wrote:
> Hello,
>
> I've read that the schema compatibility plugin should provide a vanilla RFC
> 2307 view of groups with memberUid attributes. I need this for our OS X
> clients, which don't seem capable of understanding the RFC 2307bis fo
On Wed, May 09, 2012 at 09:16:45PM +, Steven Jones wrote:
> I just setup a RHEL6 server as a NFS server and I have 2 x RHEL6
> workstation clients doing NFS via automount as per section 10.3 admin
> guide 6.3 beta, all good until I use a Ubuntu client to 'attack it'
> I find the non-IPA's ubun
On Fri, Apr 27, 2012 at 02:52:20PM -0400, Dmitri Pal wrote:
>I thought that there was a flag for ipa-getkeytab to fetch existing key
>but my knowledge in this area is rusty. Same with the cert.
>May be someone else would chime in.
There's a way for certificates, at least.
If you still
On Mon, Apr 16, 2012 at 11:17:35PM +0200, Sigbjorn Lie wrote:
> The clients use nss_ldap+pam_krb5, SSSD was crashing for us on RHEL 5.
>
> The server is the IPA server provided in RHEL 6.2.
>
> When I check the logs on the client it states that authentication
> succeeded, and that the password ha
On Tue, Mar 20, 2012 at 04:10:19PM -0400, Jimmy wrote:
> I restarted certmonger and it seems to be working. Is there some way
> to change the renewal interval so we can simulate this in the lab? I'd
> like to see it go through a number of renewals to make sure we don't
> keep having this problem.
On Fri, Mar 16, 2012 at 03:12:03PM -0400, Rob Crittenden wrote:
> 2. An NIS listener (ipa-nis-manage enable/disable) which requires
> compat to be enabled.
The NIS server plugin shouldn't depend on the compat plugin being
enabled. The NIS server depends on being notified of changes to its
source
On Wed, Feb 22, 2012 at 02:57:03PM -0900, Erinn Looney-Triggs wrote:
> It looks like, as far as I can tell, the IPA pki setup does not by
> default include subjectKeyIdentifier in the SSL certificates issued. I
> am using ipa-getcert -f foo -k bar, to generate and submit the request.
>
> I am a li
On Thu, Jan 05, 2012 at 10:38:11AM -0500, Rob Crittenden wrote:
> My first thought was that there was a CA trust issue. I believe that
> certmonger uses the NSS database where the certificate is stored so
> since it is also doing this against Apache (which in theory trust is
> ok for it to start at
On Tue, Dec 27, 2011 at 09:06:22AM -0500, Boris Epstein wrote:
> How do I control which NIS maps FreeIPA makes available? Specifically
> I may need passwd.byname.
The set of maps that the NIS service provides is controlled by the
entries listed under the directory server's configuration entry
On Thu, Dec 15, 2011 at 09:02:01PM +0100, Ondrej Hamada wrote:
> On 12/14/2011 06:58 PM, Dmitri Pal wrote:
> >Consistent name resolution is a requirement for IPA.
> >Ondrej, can you please take a closer look and see if this is something
> >with the demo scripts or IPA itself?
> I don't see a proble
On Tue, Nov 15, 2011 at 09:44:43AM -0500, Boris Epstein wrote:
>Thanks a lot for the tip. It definitely looks like this put me on the
>right path though I am not quite there yet.
>
>Doing what you suggested did not quite work. For one thing, the right
>cn is "NIS", not "NIS Server"
On Mon, Nov 14, 2011 at 05:19:44PM -0500, Boris Epstein wrote:
>Hello all,
>
>I am using the FreeIPA to run NIS via a plugin. Works great - except
>that the ypserv port numbers end up different after every reboot. That
>makes it hard to run it with the firewall activated.
>
>D
On Wed, Sep 28, 2011 at 09:38:33PM +0200, Jakub Hrozek wrote:
> He said he was updating the passwords with kpasswd, which should bypass
> the pam stack and talk to the kpasswd daemon directly, right?
The users who can change their passwords can log in and do so with
kpasswd, but the ones who can't
On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote:
> The only difference I know about is that the users who CAN change their
> passwords have not got an expired password (so they can login and use kpasswd
> from the shell), whereas those who CANNOT change their password need to reset
>
On Tue, Sep 27, 2011 at 03:24:24PM +0800, Goff, Raal wrote:
> My IPA 2.0 master-slave setup has been working fine up until this week when
> users started getting problems updating their password due to expiry. Users
> get the following error when using kpasswd to update their passwords:
>
> kini
On Fri, Sep 16, 2011 at 04:42:11PM -0400, Dmitri Pal wrote:
>On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
>Right now I have nss-pam-ldapd
>([1]http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb
>software that's included in Debian 6 working decently. By that I mean I
>
On Thu, May 12, 2011 at 07:02:27PM -0700, nasir nasir wrote:
>Thanks for the reply Rob ! I had tried with all the log files you
>mentioned and had kept most of them in debug mode. Tried again now. The
>only error or clue I could see was the following I already mentioned in
>my previ
On Tue, Mar 22, 2011 at 10:11:47AM -, Andy Singleton wrote:
>I am trying to install a rhel6 machine with the ipa-1.2.2 client.
>
>Everything appears to work fine, with the exception of updating users
>passwords from the client.
Does running kpasswd instead of passwd work? The pam
On Mon, Sep 27, 2010 at 04:02:48PM +1300, Steven Jones wrote:
> While trying to get a new kerberos ticket I get,
>
> "kinit: Cannot contact and KDC realm 'VUW.AC.NZ' while getting credentials"
>
> So any ideas where I go looking?
The KDC is the 'krb5kdc' service, so I'd suggest checking that the
On Sat, Feb 20, 2010 at 07:31:33PM -0600, David Christensen wrote:
> I have my ipa 1.2.2 setup in an environment where my servers have two
> NICs each in a different VLAN.
>
> With the multi NIC setup I have two different DNS names for a single
> host to control which interface is is used when acc
On Fri, Feb 05, 2010 at 04:03:05PM -, Andy Singleton wrote:
> Hi Rob,
>
> OK, I've switched on the compat plugin.
> Incidentally, does this need to be done separately for all replicas?
I believe so. The set of plugins which are configured is configured on
each server.
> However, when I run ld
On Fri, Dec 18, 2009 at 12:31:44PM -0500, Dan Scott wrote:
> I have added these principals to both FreeIPA servers:
>
> krbtgt/c.b.example@a.example.com
>
> (I see the warning in the FreeIPA documentation about avoiding the use
> of kadmin and kadmin.local - I can remove these principals if
>
On Wed, Nov 25, 2009 at 06:42:16PM +0100, Tomasz 'Zen' Napierala wrote:
> On 2009-11-25, Wed at 15:50 +0100, Tomasz Z. Napierala wrote:
> > Hi,
> >
> > I'm getting problems installing clients with default ipa-client-install
> > values. Realm and domain are both discovered successfully bu
On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote:
> Thanks for the response.
> I have the NIS config on the client setup correctly I believe.
> This client was moved from my current NIS domain and works fine.
>
> It's not that the client does not bind to the new FreeIPA NIS domain,
>
On Wed, Aug 19, 2009 at 08:21:23PM -0500, Brandon Young wrote:
> I am not running a firewall. If I probe portmapper from a remote host
> (again, using 'rpcinfo -p freeipa', where freeipa is the name of the
> server) I can see ypserv running on port 710. Am I correct in
> understanding that it is
On Wed, Aug 19, 2009 at 04:50:44PM -0500, Brandon Young wrote:
> I have been dinking with this a few minutes at a time since last week,
> and am having a problem, still. I have gone over my nis-plugin.ldif
> file and verified that nis-domain matches everywhere (at first it
> didn't), and that once