[Freeipa-users] ca-error 2100

2016-07-25 Thread mohammad sereshki

hi, do you know how I can solve it?

getcert list|grep -i err
    ca-error: Server denied our request, giving up: 2100 (RPC failed at 
server.  Insufficient access: Insufficient 'write' privilege to the 
'userCertificate' attribute of entry 
'krbprincipalname=ldap/ipasrv.**.**@***.**,cn=services,cn=accounts,dc=***,dc=**'.).
    ca-error: Server denied our request, giving up: 2100 (RPC failed at 
server.  Insufficient access: Insufficient 'write' privilege to the 
'userCertificate' attribute of entry 
'krbprincipalname=HTTP/ipasrv.**.**@***.**,cn=services,cn=accounts,dc=***,dc=**'.)
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Insufficient 'write' privilege to the 'userCertificate'

2016-07-24 Thread mohammad sereshki
hi, I get the below error from "getcert list", would you please help me to solve it?

 ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  
Insufficient access: 
Insufficient 'write' privilege to the 'userCertificate' attribute of entry 
'krbprincipalname=ldap/ipasrv.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.).


[Freeipa-users] Insufficient access

2016-07-24 Thread mohammad sereshki
hi, I got the below error when I tried to check certificates. I ran kinit admin before and it was okay. Would you please help me?


ipa cert-show 1-
ipa: ERROR: Insufficient access: not allowed to perform this command

[Freeipa-users] ccache for local "host" service using default keytab

2016-07-24 Thread mohammad sereshki
hi, I get the below error, is there any suggestion to solve it?
ca-error: Error setting up ccache for local "host" service using default 
keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.



getcert list |less
Number of certificates and requests being tracked: 8.
Request ID '20140817125452':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=t1vl068.example.com,O=EXAMPLE.COM
    expires: 2016-08-17 12:49:50 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes

[Freeipa-users] replica cms issue

2016-07-24 Thread mohammad sereshki
hi, I get the below error when I want to prepare a server as a replica. Would you please help me?

Certificate operation cannot be completed: Unable to communicate with CMS

Re: [Freeipa-users] ipa-getcert shows error

2016-07-23 Thread mohammad sereshki
nt
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20140817123525':
    status: MONITORING
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20140817123526':
    status: MONITORING
    stuck: no
    key pair storage: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin='247087063310'
    certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2018-06-30 07:56:06 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20140817123534':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
 Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:35:34 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20140817123602':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:36:02 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817123752':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipasrv.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes


  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; Freeipa-users 
<freeipa-users@redhat.com> 
 Sent: Saturday, July 23, 2016 11:30 PM
 Subject: Re: [Freeipa-users] ipa-getcert shows error
   
mohammad sereshki wrote:
> hi
>
> I get below error
> ca-error: Error setting up ccache for local "host" service using default
> keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.

I'm guessing IPA is not running, or not completely running. ipactl 
status will tell you.

> when I run ipa-getcert li

[Freeipa-users] ipa-getcert shows error

2016-07-23 Thread mohammad sereshki
hi
I get the below error when I run ipa-getcert list:
ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
Also, how can I check whether my CAs are renewed or not?



 Request ID '20140817123602':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
 Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=drvl124.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:36:02 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20140817123752':
    status: MONITORING
    ca-error: Error setting up ccache for local "host" service using 
default keytab: Cannot contact any KDC for realm 'EXAMPLE.COM'.
    stuck: no
    key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=drvl124.EXAMPLE.COM,O=EXAMPLE.COM
    expires: 2016-08-17 12:37:51 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes


Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

2016-07-21 Thread mohammad sereshki
hi, ignore my last email. I ran a list of certs; you can see I have 2 auditSigningCert entries. What is this, do you know?


certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca    u,u,Pu
Server-Cert cert-pki-ca  u,u,u
auditSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca    CTu,Cu,Cu
Server-Cert cert-pki-ca  u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca  u,u,Pu



  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; "freeipa-users@redhat.com" 
<freeipa-users@redhat.com> 
 Sent: Friday, July 22, 2016 12:45 AM
 Subject: Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125
   
mohammad sereshki wrote:
> hi
> I did some changes, now I get below error when I open HTTP service in
> web interface

What changes did you do?

 From a previous e-mail the problem is that the CA couldn't validate its 
own certificates. This is sometimes an issue with certificate trust. To 
look at it run:

# certutil -L -d /var/lib/pki-ca/alias

The auditSigningCert should have a trust of u,u,Pu. If it doesn't you 
can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' 
-t u,u,Pu

> Certificate operation cannot be completed: EXCEPTION (Certificate serial
> number 0x276 not found)

Do you have other CA masters (if not you should, but do that once things 
are stable)?

rob

>
>
> 
> *From:* "freeipa-users-requ...@redhat.com"
> <freeipa-users-requ...@redhat.com>
> *To:* freeipa-users@redhat.com
> *Sent:* Thursday, July 21, 2016 11:38 PM
> *Subject:* Freeipa-users Digest, Vol 96, Issue 125
>
>
> Message: 1
> Date: Thu, 21 Jul 2016 19:08:16 + (UTC)
> From: mohammad sereshki <mohammadseres...@yahoo.com
> <mailto:mohammadseres...@yahoo.com>>
> To: Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>>,    Florence Blanc-Renaud
>      <f...@redhat.com <mailto:f...@redhat.com>>,    Freeipa-users
> <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
> Subject: Re: [Freeipa-users] regenerate certificate
> Message-ID:
>      <1119368990.3296955.1469128096522.javamail.ya...@mail.yahoo.com
> <mailto:1119368990.3296955.1469128096522.javamail.ya...@mail.yahoo.com>>
> Content-Type: text/plain; charset="utf-8"
>
> and this is for catalina.out
>
> SEVERE: A web application created a ThreadLocal with key of type [null]
> (value [com.netscape.cmscore.util.Debug$1@39139da8 <mailto:1@39139da8>])
> and a
> value of type [java.text.SimpleDateFormat] (value
> [java.text.SimpleDateFormat@d1b317c9
> <mailto:java.text.SimpleDateFormat@d1b317c9>]) but failed to remove it
> when the web appli
> cation was stopped. To prevent a memory leak, the ThreadLocal has been
> forcibly removed.
> Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader
> clearThreadLocalMap
> SEVERE: A web application created a ThreadLocal with key of type [null]
> (value [com.netscape.cmscore.util.Debug$1@39139da8 <mailto:1@39139da8>])
> and a
> value of type [java.text.SimpleDateFormat] (value
> [java.text.SimpleDateFormat@d1b317c9
> <mailto:java.text.SimpleDateFormat@d1b317c9>]) but failed to remove it
> when the web appli
> cation was stopped. To prevent a memory leak, the ThreadLocal has been
> forcibly removed.
> Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
> INFO: Stopping Coyote HTTP/1.1 on http-9180
&
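Added example, not code from the thread or from FreeIPA/Dogtag: a small shell audit of a `certutil -L` listing that applies Rob's check above, reporting nicknames whose trust flags differ from the expected value (with the matching `certutil -M` fix) and nicknames that appear more than once, as in the listing posted above. The sample listing is constructed from the thread; the expected flags for nicknames other than auditSigningCert are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Audit the trust flags in a Dogtag NSS database listing (the output of
# `certutil -L -d /var/lib/pki-ca/alias`): report nicknames whose flags differ
# from the expected value, and nicknames that are listed more than once.

# Constructed sample: the listing posted in the thread, where auditSigningCert
# appears twice and one copy carries u,u,u instead of u,u,Pu.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,Pu
'

# check_trust <listing-text> [nssdb-dir]
# Prints one finding per line and exits 1 if anything was found, 0 if clean.
# The expected value for auditSigningCert (u,u,Pu) is the one given in the
# thread; the expectations for the other nicknames are assumptions made for
# this example and should be adjusted to the deployment.
check_trust() {
    db=${2:-/var/lib/pki-ca/alias}
    printf '%s\n' "$1" | awk -v db="$db" '
        BEGIN {
            want["auditSigningCert cert-pki-ca"] = "u,u,Pu"
            want["ocspSigningCert cert-pki-ca"]  = "u,u,Pu"
            want["subsystemCert cert-pki-ca"]    = "u,u,Pu"
            want["caSigningCert cert-pki-ca"]    = "CTu,Cu,Cu"
            want["Server-Cert cert-pki-ca"]      = "u,u,u"
            bad = 0
        }
        # A data row ends in a three-part trust string (u,u,Pu, CTu,Cu,Cu, ...);
        # the nickname is everything before it and may itself contain spaces.
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)   # drop the trailing flags column
            sub(/^[ \t]+/, "", nick)
            seen[nick]++
            if ((nick in want) && want[nick] != flags) {
                bad = 1
                printf "WRONG %s has %s, expected %s (fix: certutil -M -d %s -n '\''%s'\'' -t %s)\n",
                       nick, flags, want[nick], db, nick, want[nick]
            }
        }
        END {
            for (n in seen)
                if (seen[n] > 1) {
                    bad = 1
                    printf "DUPLICATE %s appears %d times\n", n, seen[n]
                }
            exit bad
        }'
}

# Stand-alone run against the constructed sample (prints the findings).
check_trust "$SAMPLE_LISTING" || echo "trust audit: problems found"
```

On a live server, feed it `certutil -L -d /var/lib/pki-ca/alias` output instead of the sample; a duplicate nickname is reported but not changed, since `certutil -M` only rewrites flags.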

Re: [Freeipa-users] Freeipa-users Digest, Vol 96, Issue 125

2016-07-21 Thread mohammad sereshki
hi, I did some changes, now I get the below error when I open the HTTP service in the web interface

Certificate operation cannot be completed: EXCEPTION (Certificate serial number 
0x276 not found)

  From: "freeipa-users-requ...@redhat.com" 
<freeipa-users-requ...@redhat.com>
 To: freeipa-users@redhat.com 
 Sent: Thursday, July 21, 2016 11:38 PM
 Subject: Freeipa-users Digest, Vol 96, Issue 125
   

Message: 1
Date: Thu, 21 Jul 2016 19:08:16 + (UTC)
From: mohammad sereshki <mohammadseres...@yahoo.com>
To: Rob Crittenden <rcrit...@redhat.com>,    Florence Blanc-Renaud
    <f...@redhat.com>,    Freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] regenerate certificate
Message-ID:
    <1119368990.3296955.1469128096522.javamail.ya...@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"

and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value 
[com.netscape.cmscore.util.Debug$1@39139da8]) and a
value of type [java.text.SimpleDateFormat] (value 
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web 
appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly 
removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader 
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value 
[com.netscape.cmscore.util.Debug$1@39139da8]) and a
value of type [java.text.SimpleDateFormat] (value 
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web 
appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly 
removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
    at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
    at com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
    at com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by 
NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by 
NSS. This is probably O.K. unless ECC support has been installed.
:



      From: mohammad sereshki <mohammadseres...@yahoo.com>
 To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:36 PM
 Subject: Re: [Freeipa-users] regenerate certificate
  
and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running 
self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: 
system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and this is for catalina.out

SEVERE: A web application created a ThreadLocal with key of type [null] (value 
[com.netscape.cmscore.util.Debug$1@39139da8]) and a
value of type [java.text.SimpleDateFormat] (value 
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web 
appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly 
removed.
Jul 21, 2016 11:10:10 PM org.apache.catalina.loader.WebappClassLoader 
clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value 
[com.netscape.cmscore.util.Debug$1@39139da8]) and a
value of type [java.text.SimpleDateFormat] (value 
[java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web 
appli
cation was stopped. To prevent a memory leak, the ThreadLocal has been forcibly 
removed.
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9180
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9443
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9445
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9444
Jul 21, 2016 11:10:11 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-9446
Exception in thread "Timer-0" java.lang.NullPointerException
    at com.netscape.certsrv.apps.CMS.getConfigStore(CMS.java:771)
    at 
com.netscape.cms.servlet.csadmin.LDAPSecurityDomainSessionTable.getSessionIds(LDAPSecurityDomainSessionTable.java:156)
    at 
com.netscape.cms.servlet.csadmin.SessionTimer.run(SessionTimer.java:33)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Jul 21, 2016 11:10:43 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal 
performance in production environments was not found on the java.library.path: 
/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Jul 21, 2016 11:10:43 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-9180
Warning: SSL ECC cipher "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" unsupported by 
NSS. This is probably O.K. unless ECC support has been installed.
Warning: SSL ECC cipher "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" unsupported by 
NSS. This is probably O.K. unless ECC support has been installed.
:



  From: mohammad sereshki <mohammadseres...@yahoo.com>
 To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:36 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running 
self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: 
system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: 
Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test 
plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running 
self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:  CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: 
system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!
(END)



  From: mohammad sereshki <mohammadseres...@yahoo.com>
 To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 1

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
and below is for selftests.log

3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: Running 
self test plugins specified to be executed at startup:
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] CAPresence:  CA is present
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SystemCertsVerification: 
system certs verification failure
3971.main - [21/Jul/2016:16:20:13 IRDT] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: 
Initializing self test plugins:
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin logger parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin instances
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
all self test plugin instance parameters
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
self test plugins in on-demand order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem:  loading 
self test plugins in startup order
1523.main - [21/Jul/2016:23:10:45 IRDT] [20] [1] SelfTestSubsystem: Self test 
plugins have been successfully loaded!
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: Running 
self test plugins specified to be executed at startup:
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] CAPresence:  CA is present
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SystemCertsVerification: 
system certs verification failure
1523.main - [21/Jul/2016:23:10:46 IRDT] [20] [1] SelfTestSubsystem: The 
CRITICAL self test plugin called 
selftests.container.instance.SystemCertsVerification running at startup FAILED!
(END)



  From: mohammad sereshki <mohammadseres...@yahoo.com>
 To: Rob Crittenden <rcrit...@redhat.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:34 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
hi, I find the below in the debug file under /var/log/pki-ca. What is your comment?

21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus 
(entered lock)



  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:21 PM
 Subject: Re: [Freeipa-users] regenerate certificate
  
mohammad sereshki wrote:
> hi
> would you please explain more
> ?

Your CA (dogtag) is not running. The CA is written in java and deployed 
as a WAR in tomcat. If something goes wrong during initialization the CA 
will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application 
is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob

>
>
> ----
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
> Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> *Sent:* Thursday, July 21, 2016 11:09 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
>  > hi
>  > it is result of command, seems issue is another thing
>  >
>  >
>  >  ipa cert-show 1
>  > ipa: ERROR: Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)
>
> Which means that the CA still isn't up. You're going to need to look at
> the dogtag logs in /var/log/pki*. debug is probably the place to start.
>

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, I find the below in the debug file under /var/log/pki-ca. What is your comment?

21/Jul/2016:23:13:42][TP-Processor3]: according to ccMode, authorization for servlet: caDisplayBySerial is LDAP based, not XML {1}, use default authz mgr: {2}.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:15:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized before.
[21/Jul/2016:23:20:44][Timer-0]: CMSEngine: getPasswordStore(): password store 
initialized.
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: About to start updateCertStatus
[21/Jul/2016:23:20:45][CertStatusUpdateThread]: Starting updateCertStatus 
(entered lock)



  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:21 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
mohammad sereshki wrote:
> hi
> would you please explain more
> ?

Your CA (dogtag) is not running. The CA is written in java and deployed 
as a WAR in tomcat. If something goes wrong during initialization the CA 
will exit but tomcat will not.

Requests to the CA are returning 404 Not Found because the application 
is not running in dogtag.

You need to look at the logs in /var/log/pki-ca to see what is going on.

I'd start with selftests.log then move onto catalina.out and debug.

rob

>
>
> 
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
> Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> *Sent:* Thursday, July 21, 2016 11:09 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
>  > hi
>  > it is result of command, seems issue is another thing
>  >
>  >
>  >  ipa cert-show 1
>  > ipa: ERROR: Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)
>
> Which means that the CA still isn't up. You're going to need to look at
> the dogtag logs in /var/log/pki*. debug is probably the place to start.
>
> rob
>
>  >
>  >
>  >
>  > ----
>  > *From:* Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>>
>  > *To:* mohammad sereshki <mohammadseres...@yahoo.com
> <mailto:mohammadseres...@yahoo.com>>; Florence
>  > Blanc-Renaud <f...@redhat.com <mailto:f...@redhat.com>>; Freeipa-users
> <freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>>
>  > *Sent:* Thursday, July 21, 2016 8:08 PM
>  > *Subject:* Re: [Freeipa-users] regenerate certificate
>  >
>  > mohammad sereshki wrote:
>  >  > dear
>  >  > thanks, but would you please check below and let me know what is your
>  >  > idea?I checked your command but it did not work.
>  >
>  > The Not Found suggests that the CA is not up. I'd try restarting the
>  > pki-cad process to see if that helps.
>  >
>  > A simple test that communication is working is: ipa cert-show 1
>  >
>  > The output isn't important as long as it isn't an error.
>  >
>  > rob
>  >
>  >
>  >  >
>  >  >
>  >  >
>  >  > Number of certificates and requests being tracked: 8.
>  >  > Request ID '20140817123525':
>  >  >          status: MONITORING
>  >  >          ca-error: Unable to determine principal name for signing
>  > request.
>  >  >          stuck: no
>  >  >          key pair storage:
>  >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  >  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  >  >          certificate:
>  >  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  >  > Certificate DB'
>  >  >          CA: IPA
>  >  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >  >          subject: CN=IPA RA,O=EXAMPLE.COM
>  >  >          ex

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, would you please explain more?


  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 11:09 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
mohammad sereshki wrote:
> hi
> it is result of command, seems issue is another thing
>
>
>  ipa cert-show 1
> ipa: ERROR: Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)

Which means that the CA still isn't up. You're going to need to look at 
the dogtag logs in /var/log/pki*. debug is probably the place to start.

rob

>
>
>
> ----
> *From:* Rob Crittenden <rcrit...@redhat.com>
> *To:* mohammad sereshki <mohammadseres...@yahoo.com>; Florence
> Blanc-Renaud <f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com>
> *Sent:* Thursday, July 21, 2016 8:08 PM
> *Subject:* Re: [Freeipa-users] regenerate certificate
>
> mohammad sereshki wrote:
>  > dear
>  > thanks, but would you please check below and let me know what is your
>  > idea?I checked your command but it did not work.
>
> The Not Found suggests that the CA is not up. I'd try restarting the
> pki-cad process to see if that helps.
>
> A simple test that communication is working is: ipa cert-show 1
>
> The output isn't important as long as it isn't an error.
>
> rob
>
>
>  >
>  >
>  >
>  > Number of certificates and requests being tracked: 8.
>  > Request ID '20140817123525':
>  >          status: MONITORING
>  >          ca-error: Unable to determine principal name for signing
> request.
>  >          stuck: no
>  >          key pair storage:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>  >          certificate:
>  > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=IPA RA,O=EXAMPLE.COM
>  >          expires: 2018-06-30 07:56:06 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>  >          track: yes
>  >          auto-renew: yes
>  > Request ID '20140817123534':
>  >          status: CA_UNREACHABLE
>  >          ca-error: Server failed request, will retry: 4301 (RPC failed
>  > at server.  Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)).
>  >          stuck: yes
>  >          key pair storage:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
>  > Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>  >          certificate:
>  >
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>  >          expires: 2016-08-17 12:35:34 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>  > EXAMPLE-COM
>  >          track: yes
>  >          auto-renew: yes
>  > Request ID '20140817123602':
>  >          status: CA_UNREACHABLE
>  >          ca-error: Server failed request, will retry: 4301 (RPC failed
>  > at server.  Certificate operation cannot be completed: Unable to
>  > communicate with CMS (Not Found)).
>  >          stuck: yes
>  >          key pair storage:
>  >
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  > Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>  >          certificate:
>  >
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>  > Certificate DB'
>  >          CA: IPA
>  >          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>  >          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>  >          expires: 2016-08-17 12:36:02 UTC
>  >          eku: id-kp-serverAuth,id-kp-clientAuth
>  >          pre-save command:
>  >          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
>  > PKI-IPA
>  &

Re: [Freeipa-users] regenerate certificate

2016-07-21 Thread mohammad sereshki
hi, it is the result of the command; it seems the issue is another thing

 ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate 
with CMS (Not Found)



  From: Rob Crittenden <rcrit...@redhat.com>
 To: mohammad sereshki <mohammadseres...@yahoo.com>; Florence Blanc-Renaud 
<f...@redhat.com>; Freeipa-users <freeipa-users@redhat.com> 
 Sent: Thursday, July 21, 2016 8:08 PM
 Subject: Re: [Freeipa-users] regenerate certificate
   
mohammad sereshki wrote:
> dear
> thanks, but would you please check below and let me know what is your
> idea?I checked your command but it did not work.

The Not Found suggests that the CA is not up. I'd try restarting the 
pki-cad process to see if that helps.

A simple test that communication is working is: ipa cert-show 1

The output isn't important as long as it isn't an error.

rob

>
>
>
> Number of certificates and requests being tracked: 8.
> Request ID '20140817123525':
>          status: MONITORING
>          ca-error: Unable to determine principal name for signing request.
>          stuck: no
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>          subject: CN=IPA RA,O=EXAMPLE.COM
>          expires: 2018-06-30 07:56:06 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>          track: yes
>          auto-renew: yes
> Request ID '20140817123534':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)).
>          stuck: yes
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/dCOMsrv/slapd-EXAMPLE.-COM',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>          expires: 2016-08-17 12:35:34 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> EXAMPLE-COM
>          track: yes
>          auto-renew: yes
> Request ID '20140817123602':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)).
>          stuck: yes
>          key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/dCOMsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>          expires: 2016-08-17 12:36:02 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
> PKI-IPA
>          track: yes
>          auto-renew: yes
> Request ID '20140817123752':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed
> at server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Not Found)).
>          stuck: yes
>          key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.COM
>          subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
>          expires: 2016-08-17 12:37:51 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
> You have new mail in /var/spool/mail/root
>
>
> -

[Freeipa-users] regenerate certificate

2016-07-20 Thread mohammad sereshki
hi, I checked my IPA server, which is version ipa-server-3.0.0-25. The command 
"ipa-getcert list" shows my certificates will expire in the next 20 days, and 
I do not know how to regenerate them, but the command "getcert list" shows the expiring 
certificates are related just to "CA: IPA", and the certificate with "CA: 
dogtag-ipa-renew-agent" has enough time. Would you please help me to know 
how to regenerate the CA: IPA certificates?
Best Regards

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
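The `getcert list` output quoted in the replies above is what an admin has to read by hand to find which tracked certificates are about to expire and why renewal is not happening. As an added example, not code from this thread or from FreeIPA, the following Python script parses that output, flags requests that are stuck, not in MONITORING, already expired, or expiring within a window, and pairs each with the next step Rob suggests above (confirm the CA is up with `ipa cert-show 1`, read the dogtag logs, then resubmit). The embedded sample is constructed from the anonymised entries in the thread, abridged to the fields the parser uses; the third request ID and the `subsystemCert cert-pki-ca` entry are invented to show a healthy certificate tracked via `dogtag-ipa-renew-agent`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, abridged from the anonymised `getcert list` output quoted
# in this thread; not captured from a live server. The third request (ID and
# subsystemCert entry) is invented to show a healthy dogtag-ipa-renew-agent cert.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140817123525':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2018-06-30 07:56:06 UTC
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
Request ID '20140817123534':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: yes
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipatestsrv.EXAMPLE.COM,O=EXAMPLE.COM
        expires: 2016-08-17 12:35:34 UTC
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
Request ID '20140817124000':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2018-06-30 07:55:00 UTC
"""

# Next step per certmonger status, following Rob's advice in the thread.
HINTS = {
    "CA_UNREACHABLE": "CA (dogtag) is not answering: run `ipa cert-show 1`, read "
                      "/var/log/pki-ca/selftests.log, catalina.out and debug, then "
                      "`getcert resubmit -i <request id>` once the CA is back",
    "MONITORING": "tracking is healthy; certmonger renews before expiry",
}


def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as e.g. '2016-08-17 12:35:34 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(text, now, warn_days=30):
    """Return (id, CA, subject, reasons, hint) for each request that is stuck,
    not in MONITORING, already expired, or expiring within warn_days of now."""
    findings, horizon = [], now + timedelta(days=warn_days)
    for req in parse_getcert(text):
        status, reasons = req.get("status", "?"), []
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if status != "MONITORING":
            reasons.append("status=" + status)
        if "expires" in req:
            when = parse_expiry(req["expires"])
            if when <= now:
                reasons.append("EXPIRED")
            elif when <= horizon:
                reasons.append("expires in %d days" % (when - now).days)
        if reasons:
            findings.append((req["id"], req.get("CA", "?"), req.get("subject", "?"),
                             ", ".join(reasons), HINTS.get(status, "inspect ca-error")))
    return findings


def triage_sample(now="2016-07-20 00:00:00 UTC", warn_days=30):
    """Run triage over SAMPLE at a fixed point in time (the date of this thread)."""
    return triage(SAMPLE, parse_expiry(now), warn_days)


if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rid, ca, subject, reasons, hint in triage(text, datetime.now(timezone.utc)):
        print("%s  CA=%s  %s\n    %s\n    -> %s" % (rid, ca, subject, reasons, hint))
```

Saved as, say, getcert_triage.py (a name chosen here), it runs over real output with `getcert list | python3 getcert_triage.py` and over the constructed sample when nothing is piped in. Two things the script makes visible that the raw listing hides: a `CA: IPA` request cannot renew while dogtag itself is down, whatever its expiry date says, and `getcert resubmit -i <request id>` forces an immediate retry once the CA is back instead of waiting for certmonger's own backoff.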

Re: [Freeipa-users] add suse 11 sp3 to ipa

2015-06-10 Thread mohammad sereshki
hi, do you know where the path of the certificate file and certificate key 
file for clients is?

  From: Rob Crittenden rcrit...@redhat.com
 To: mohammad sereshki mohammadseres...@yahoo.com; Freeipa-users 
freeipa-users@redhat.com 
 Sent: Tuesday, June 9, 2015 10:29 PM
 Subject: Re: [Freeipa-users] add suse 11 sp3 to ipa
   
mohammad sereshki wrote:
  hi
 Would you please let me know is it possible to add suse 11 sp3 to IPA?
 and how it is possible?
 Regards
I'm not sure if any version of SUSE has ipa-client or freeipa-client, 
but I know that 12+ has sssd. If 11 also has sssd then you can configure 
that part using this: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html

Note that a bunch of the steps don't really apply to you, like getting a 
host cert. Oddly enough, the docs don't include setting up krb5.conf, 
but you can get the gist of that from an ipa-client enrolled client.

If you don't have sssd then you'll need to go the nss_ldap route.

rob


  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] add suse 11 sp3 to ipa

2015-06-09 Thread mohammad sereshki

hi, would you please let me know if it is possible to add SUSE 11 SP3 to IPA, and 
how it is possible? Regards


  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Freeipa-users Digest, Vol 79, Issue 57

2015-02-16 Thread mohammad sereshki
hi, I found my issue: it was related to curl, which we had compiled and replaced; 
now, after putting the original one back, the issue is fixed.

  From: freeipa-users-requ...@redhat.com 
freeipa-users-requ...@redhat.com
 To: freeipa-users@redhat.com 
 Sent: Monday, February 16, 2015 4:40 PM
 Subject: Freeipa-users Digest, Vol 79, Issue 57
   
Send Freeipa-users mailing list submissions to
    freeipa-users@redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
    https://www.redhat.com/mailman/listinfo/freeipa-users
or, via email, send a message with subject or body 'help' to
    freeipa-users-requ...@redhat.com

You can reach the person managing the list at
    freeipa-users-ow...@redhat.com

When replying, please edit your Subject line so it is more specific
than Re: Contents of Freeipa-users digest...


Today's Topics:

  1. join error (mohammad sereshki)
  2. Re: resolving subdomain AD in a trust relationship (Nicolas Zin)
  3. Re: resolving subdomain AD in a trust relationship
      (Alexander Bokovoy)
  4. Re: join error (Martin Basti)
  5. Re: ipa replication not working (Martin Kosek)
  6. Re: join error (mohammad sereshki)
  7. Re: join error (Dmitri Pal)


--

Message: 1
Date: Mon, 16 Feb 2015 02:02:27 -0800
From: mohammad sereshki mohammadseres...@yahoo.com
To: freeipa-users@redhat.com freeipa-users@redhat.com
Subject: [Freeipa-users] join error
Message-ID:
    1424080947.19867.yahoomailba...@web161504.mail.bf1.yahoo.com
Content-Type: text/plain; charset=us-ascii


hi,
when I want to add a host to IPA I get the below error. My server is CentOS; is 
there anyone to help me?
HTTP response code is 401, not 200



stderr=
trying to retrieve CA cert via LDAP from ldap://linux126.example.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s linux126.example.com -b dc=mtnirancell,dc=ir -d -h 
temsdp-smsc1.example.com
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to linux126.example.com port 443 (#0)
*  Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*  CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*  subject: O=example.com; CN=linux126.example.com
*  start date: 2014-12-10 12:38:10 GMT
*  expire date: 2016-12-10 12:38:10 GMT
*  common name: linux126.example.com (matched)
*  issuer: O=example.com; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483

* upload completely sent off: 483 out of 483 bytes

HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: "e24d7-55a-4d4833fadc640"
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8

* Closing connection #0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to linux126.example.com port 443 (#0)
*  Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*  CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*  subject: O=example.com; CN=linux126.example.com
*  start date: 2014-12-10 12:38:10 GMT
*  expire date: 2016-12-10 12:38:10 GMT
*  common name: linux126.example.com (matched)
*  issuer: O=example.com; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Basic with user ''
 POST /ipa/xml HTTP/1.1 Authorization: Basic Ojo= Host: linux126.example.com 
 Accept

Re: [Freeipa-users] join error

2015-02-16 Thread mohammad sereshki
Dear,
I use ipa-client-3.0.0-42 and I added it with ipa-client-install, so it asks to 
enter the admin user and password.

  From: Martin Basti mba...@redhat.com
 To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
 Sent: Monday, February 16, 2015 2:35 PM
 Subject: Re: [Freeipa-users] join error
   
On 16/02/15 11:02, mohammad sereshki wrote:


 * Server auth using Basic with user ''
Hello, it looks like an anonymous user.

Which version of IPA do you use? Did you specify the right user, with the 
ability to enroll a client?

Martin^2


  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] join error

2015-02-16 Thread mohammad sereshki
Dear,
I use the admin user; at the same time I added another server with this 
permission.

  From: Martin Basti mba...@redhat.com
 To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
 Sent: Monday, February 16, 2015 2:35 PM
 Subject: Re: [Freeipa-users] join error
   
On 16/02/15 11:02, mohammad sereshki wrote:


 * Server auth using Basic with user ''
Hello, it looks like an anonymous user.

Which version of IPA do you use? Did you specify the right user, with the 
ability to enroll a client?

Martin^2


  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] join error

2015-02-16 Thread mohammad sereshki

hi,
when I want to add a host to IPA I get the below error. My server is CentOS; is 
there anyone to help me?
HTTP response code is 401, not 200



stderr=
trying to retrieve CA cert via LDAP from ldap://linux126.example.com
Existing CA cert and Retrieved CA cert are identical
args=/usr/sbin/ipa-join -s linux126.example.com -b dc=mtnirancell,dc=ir -d -h 
temsdp-smsc1.example.com
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to linux126.example.com port 443 (#0)
*   Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*  subject: O=example.com; CN=linux126.example.com
*  start date: 2014-12-10 12:38:10 GMT
*  expire date: 2016-12-10 12:38:10 GMT
*  common name: linux126.example.com (matched)
*  issuer: O=example.com; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483

* upload completely sent off: 483 out of 483 bytes

HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: "e24d7-55a-4d4833fadc640"
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8

* Closing connection #0
HTTP response code is 401, not 200

Joining realm failed: XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>temsdp-smsc1.example.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-358.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to linux126.example.com port 443 (#0)
*   Trying 192.168.65.187...
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* Connected to linux126.example.com (192.168.65.187) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* SSL connection using AES256-SHA
* Server certificate:
*  subject: O=example.com; CN=linux126.example.com
*  start date: 2014-12-10 12:38:10 GMT
*  expire date: 2016-12-10 12:38:10 GMT
*  common name: linux126.example.com (matched)
*  issuer: O=example.com; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
Accept: */*
Content-Type: text/xml
User-Agent: ipa-join/3.0.0
Referer: https://linux126.example.com/ipa/xml
X-Original-User-Agent: Xmlrpc-c/1.16.24 Curl/1.1.1
Content-Length: 483

* upload completely sent off: 483 out of 483 bytes

HTTP/1.1 401 Authorization Required
Date: Sun, 15 Feb 2015 12:54:54 GMT
Server: Apache/2.2.15
Last-Modified: Wed, 30 Jan 2013 15:34:41 GMT
ETag: "e24d7-55a-4d4833fadc640"
Accept-Ranges: bytes
Content-Length: 1370
Connection: close
Content-Type: text/html; charset=UTF-8

* Closing connection #0
HTTP response code is 401, not 200

Installation failed. Rolling back changes.
Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
args=ipa-client-automount --uninstall --debug
stdout=Restoring configuration

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
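The `Authorization: Basic Ojo=` line in the ipa-join trace above is the whole story: `Ojo=` is base64 for `::`, an empty user and password, so the client never presented the admin's Kerberos ticket and Apache answered 401. ipa-join is expected to authenticate with `Negotiate` (SPNEGO) using the TGT from `kinit admin`; a libcurl built without GSS-API/SPNEGO support cannot do that, which matches the reporter's later finding in this thread that a locally compiled curl was the culprit. As an added example (not code from the thread or from FreeIPA), this Python script pulls the Authorization header and HTTP status out of such a trace and says what was actually presented. Both traces embedded below are constructed: the first is cut down from the one quoted above, the second is an invented healthy exchange with a placeholder token.

```python
import base64
import re

# Constructed from the `ipa-join -d` trace quoted in this thread, cut down to
# the lines that matter: the client sent HTTP Basic with credential "Ojo=".
TRACE_BASIC = """\
* Server auth using Basic with user ''
POST /ipa/xml HTTP/1.1
Authorization: Basic Ojo=
Host: linux126.example.com
User-Agent: ipa-join/3.0.0
HTTP/1.1 401 Authorization Required
Server: Apache/2.2.15
"""

# Constructed counter-example of a working enrolment: a SPNEGO token
# (placeholder bytes, not a real ticket) and a 200 from the server.
TRACE_NEGOTIATE = """\
POST /ipa/xml HTTP/1.1
Authorization: Negotiate YIIFakeTokenNotARealTicket==
Host: linux126.example.com
HTTP/1.1 200 OK
"""


def extract_auth(trace):
    """Return (scheme, credential) from the first Authorization header, else (None, None)."""
    m = re.search(r"^Authorization:\s*(\S+)\s*(\S*)\s*$", trace, re.M | re.I)
    return (m.group(1), m.group(2)) if m else (None, None)


def http_status(trace):
    """Return the first HTTP status code in the trace, or None."""
    m = re.search(r"^HTTP/\d\.\d\s+(\d{3})", trace, re.M)
    return int(m.group(1)) if m else None


def decode_basic(credential):
    """Decode an HTTP Basic credential into (user, password)."""
    raw = base64.b64decode(credential).decode("utf-8", "replace")
    user, _, password = raw.partition(":")
    return user, password


def diagnose(trace):
    """Say what the client actually presented and what to check next."""
    scheme, cred = extract_auth(trace)
    status = http_status(trace)
    if scheme is None:
        return "no Authorization header sent"
    if scheme.lower() == "negotiate":
        if status == 200:
            return "Kerberos/SPNEGO token presented and accepted"
        return "Kerberos/SPNEGO token presented but server answered %s" % status
    if scheme.lower() == "basic":
        try:
            user, _ = decode_basic(cred)
        except ValueError:  # binascii.Error is a ValueError
            return "malformed Basic credential %r" % cred
        if user == "":
            return ("client fell back to HTTP Basic with an empty user (anonymous), so no "
                    "Kerberos ticket reached the server (HTTP %s); check `klist` for a valid "
                    "admin TGT and `curl -V` for GSS-API/SPNEGO support in libcurl" % status)
        return "HTTP Basic as user %r; ipa-join is expected to use Negotiate" % user
    return "unexpected auth scheme %r" % scheme


if __name__ == "__main__":
    import sys
    print(diagnose(sys.stdin.read() if not sys.stdin.isatty() else TRACE_BASIC))
```

`curl -V` prints the features libcurl was built with: curl of that era listed `GSS-Negotiate`, newer builds list `GSS-API` and `SPNEGO`, and a build with neither cannot send `Negotiate` no matter what ticket `kinit` put in the cache, which is exactly the silent fallback the trace shows.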


Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-09 Thread mohammad sereshki

Dear,

the below must be configured in pam.conf; also each host needs a separate keytab. 
Solaris 11 is the same as Solaris 10.

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_krb5.so.1   try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required        pam_unix_account.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account sufficient      pam_krb5.so.1
other   account required        pam_tsol_account.so.1
other   session required        pam_unix_session.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1





 From: Gerardo Padierna asl.gera...@gmail.com
To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Tuesday, September 9, 2014 2:49 PM
Subject: Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hi Mohammad,

This is for Solaris 11; it seems that some of the options for the
pam.conf file are not available in Solaris 10 (I think it was the
following options:
auth definitive pam_user_policy.so.1
account required pam_tsol_account.so.1
password required pam_authtok_store.so.1
... I had to remove them from the pam.conf file.)

Still didn't get the ssh auth to work... 

This may be a stupid question, but do you know if the keytab file
must be _exactly_ the same as in the IPA server, or does it only
need to contain the entries relevant for the (solaris) client?
According to the link you're pointing me to, it seems to just take
from the server keytab file those entries relevant for the client,
create a new keytab file with that content, and copy it over to the
client. Is such a 'stripped down' keytab file supposed to work for
the client's auth?

Regards,
Gerardo




On 08/09/14 at #4, mohammad sereshki wrote:



hi
Please go ahead with below structure, It works!





Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? (linked thread in the list archive on www.redhat.com)




 From: Gerardo Padierna asl.gera...@gmail.com
To: freeipa-users@redhat.com 
Sent: Monday, September 8, 2014 2:14 PM
Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for
Linux/Unix clients ssh authentication (with kerberos).
I've managed to successfully set up debian clients (via sssd and
also on older debians, through libnss and pam_krb5). But for some
reason I can't authenticate ssh on Solaris10 clients.
On the Solaris box, I've followed the steps outlined here:
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and
id user work), but unfortunately, the ssh user authentication fails with
an error:
sshd auth.error PAM-KRB5 (auth

Re: [Freeipa-users] webmin can't work after installing freeipa

2014-09-08 Thread mohammad sereshki
Dear,

I have some scripts that should be run on all servers, and I should use webmin.
Anyway, I fixed it by changing the authentication mechanism from PAM to "don't use 
PAM".




 From: Dmitri Pal d...@redhat.com
To: freeipa-users@redhat.com 
Sent: Monday, September 8, 2014 6:56 AM
Subject: Re: [Freeipa-users] webmin can't work after installing freeipa
 





On 09/07/2014 01:45 PM, mohammad sereshki wrote:

Hi
I configured IPA on Solaris as a client and it works correctly,
but the problem is I have webmin to manage my servers and it can't log in 
after IPA installation.
Please help me.
thanks





Why do you need webmin if you are deploying IPA?
What is your goal?
IPA is the central store for the accounts; it takes over the machine
and configures the client on the server. Other tools should not be
used after you install it.


-- 
Thank you,
Dmitri Pal Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working

2014-09-08 Thread mohammad sereshki


hi
Please go ahead with below structure, It works!



Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? (linked thread in the list archive on www.redhat.com)




 From: Gerardo Padierna asl.gera...@gmail.com
To: freeipa-users@redhat.com 
Sent: Monday, September 8, 2014 2:14 PM
Subject: [Freeipa-users] Solaris 10 client auth (ssh + kerberos) not working
 


Hello folks,

I'm setting up an IPA-server instance aimed to be used primarily for
Linux/Unix clients ssh authentication (with kerberos). 
I've managed to successfully set up debian clients (via sssd and
also on older debians, through libnss and pam_krb5). But for some
reason I can't authenticate ssh on Solaris10 clients. 
On the Solaris box, I've followed the steps outlined here: 
http://www.freeipa.org/page/ConfiguringUnixClients
and the nss part works fine (things like getent [group | passwd] and
id user work), but unfortunately, the ssh user
authentication fails with an error:
sshd auth.error PAM-KRB5 (auth): krb5_verify_init_creds failed: No
such file or directory

On the solaris clients, does there need to be a keytab in /etc/krb5/
directory copied over from the IPA server? (I didn't have to set up
a keytab file for the legacy debian clients, and in the
solaris-clients doc previously mentioned, there's no mention of it).
Well, since I read somewhere the keytab file need to be there, I
copied it over from the IPA server to the solaris clients, Then I
get a different error: 
PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not
found

This error seems to indicate that there isn't a matching entry
found in the keytab file, so I added an entry for the solaris
client, but I'm still getting the same 'Key table entry not found'
error (it could be the entry I added is wrong, of course). But, for
now, just want to be sure: On the solaris clients, do I need an
/etc/krb5/krb5.keytab file?  (if yes, why not in the non-sssd Debian
hosts then?)

Thanks in advance,

-- 
  
Gerardo Padierna Nanclares 
Técnico de Sistemas (grupo ASL) - [Fujitsu / Logware] 
Servicio de Sistemas de la Información (DGTI) - Generalitat Valenciana 
C/.Castan Tobeñas 77 – 46018 Valencia – Edificio A 
Tel:
961 208973 
Email: asl.gera...@gmail.com 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] webmin can't work after installing freeipa

2014-09-07 Thread mohammad sereshki
Hi
I configured IPA on solaris as client and it works correctly.
but the problem is I have webmin to manage my servers and it can't login after 
IPA installation.
Please help me.
thanks

[Freeipa-users] IPA user can't authenticate with sssd

2014-08-29 Thread mohammad sereshki
Hi
I have configured IPA (ipa-client-2.1.3-7.el5) but the problem is that I can 
connect with kerberos from another client but I can't login to the client directly 
and I get the below error

 pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh 
ruser= rhost=192.168.211.166 user=

Please help me if you can ,I'm under pressure to fix it :(



my os is centos 5.8 and kernel is 2.6.18-348.16.1

[Freeipa-users] add solaris attributes to IPA

2014-07-28 Thread mohammad sereshki
hi
Would you please let me know how I can add 
/etc/user_attr, prof_attr, project, auth_attr to IPA?
I want to configure Solaris RBAC on IPA.
Thanks

Re: [Freeipa-users] add solaris attributes to IPA

2014-07-28 Thread mohammad sereshki
Dear 

yes you are right, we can configure an object schema SolarisUserAttr in LDAP,
then we can add it as a default parameter of the user and configure it to set RBAC 
(role access).
If you want I can share the commands with you.
But I want to know how we can change the WEBUI to configure solarisuserattr 
through the web interface.
Anyway, I had done it through the command line.




 From: Rob Crittenden rcrit...@redhat.com
To: mohammad sereshki mohammadseres...@yahoo.com; freeipa-users@redhat.com 
freeipa-users@redhat.com 
Sent: Monday, July 28, 2014 6:45 PM
Subject: Re: [Freeipa-users] add solaris attributes to IPA
 

mohammad sereshki wrote:

 hi
 Would you please let me know how I can add
 /etc/user_attr, prof_attr, project, auth_attr to IPA?
 I want to configure Solaris RBAC on IPA.
 Thanks

There is probably a way to do this in LDAP but it isn't something that
IPA provides.

When IPA started there was no common access control mechanism across
*nixes. We looked at the available options and ended up rolling our own
which we called HBAC.

rob