[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Rob Crittenden via FreeIPA-users
Michael Gusek wrote: > Hello Rob, > > I can understand why CA won't start with expired certs. Actually my > system date is a day before expiring (expiring date is 30 Jul 2017, > system date now 29 Jul 2017), but CA won't start. How to "ensure that > the CA comes up"? Ok, well the logs I

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-09 Thread Gustavo Berman via FreeIPA-users
Hi Pavel, On this machine it says that the first install of rhel-release-server was 7.2-9. But the ipa information came from a centos 6.4 install some years ago with ipa 3.0. Later it was converted to rhel 7.0 and then upgraded through the years. Hope that helps. On Wed, Aug 9, 2017 at 12:15 PM,

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Michael Gusek via FreeIPA-users
Hello Rob, I can understand why CA won't start with expired certs. Actually my system date is a day before expiring (expiring date is 30 Jul 2017, system date now 29 Jul 2017), but CA won't start. How to "ensure that the CA comes up"? Michael On 08.08.2017 at 17:40, Rob Crittenden wrote: >

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Michael Gusek via FreeIPA-users
One more piece of info. After starting tomcat-pki I have an exception in catalina.2017-07-29.log: Jul 29, 2017 10:06:58 AM org.apache.catalina.core.ContainerBase addChildInternal SCHWERWIEGEND: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Supratik Goswami via FreeIPA-users
Can someone please help me to figure out the issue? Please let me know if any other information is required. On Wed, Aug 9, 2017 at 9:54 AM, Supratik Goswami wrote: > (Wed Aug 9 04:20:14 2017) [sssd[be[ipa.corp.example.com]]] > [sdap_get_generic_ext_step] (0x0400):

[Freeipa-users] Re: Failed Upgrade?

2017-08-09 Thread Ian Harding via FreeIPA-users
On 8/9/17 3:05 AM, thierry bordaz wrote: Hi Ian, Thanks for having gathered those data. # # So pkidbuser entries have a same (old) userCertificate likely generated during install # But only freeipa-sea has a new one created on freeipa-sea around Jun 8th 2017 05:54:16 #

[Freeipa-users] Re: Show AD groups members from command line

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 17:21, Steve Weeks via FreeIPA-users > wrote: > > I can use 'id ad_user@ad_domain' command to see what groups an ad_user is a > member of. > > Is there a way from the Linux command line to see who the members of >

[Freeipa-users] Re: password reset privileges

2017-08-09 Thread Tiemen Ruiten via FreeIPA-users
Hello, Sorry for the late reply. This is the latest FreeIPA version in CentOS 7.3 (4.4.0-14). Indeed the helpdesk role should be sufficient. I tried with the User Administrator role as well, but that made no difference. Since it's working for you, it's likely a config error, but I have no idea

[Freeipa-users] Re: Unable to login with AD users

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users > wrote: > > Hello, > > I have created a FreeIPA solution using Red Hat’s IDM product. > FreeIPA version: 4.5.0 > OS version: RHEL 7.4 > > I have successfully installed the server portion and

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Alexandre Pitre via FreeIPA-users
If your hosts are in the IPA subdomain, then I would have expected centos.ipa.ad.com The centos client has a hostname set to centos.domain.ad.com I'm using FQDN hostname based on the required DNS domain, not the IPA kerberos realm. Hence why centos.domain.ad.com. To explain further, it'll

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Tomasz Torcz via FreeIPA-users
On Wed, Aug 09, 2017 at 01:32:43PM +0200, Michael Gusek via FreeIPA-users wrote: > Hello Rob, > > I can understand why CA won't start with expired certs. Actually my > system date is a day before expiring (expiring date is 30 Jul 2017, > system date now 29 Jul 2017), but CA won't start. How to

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: > > If your hosts are in the IPA subdomain, then I would have expected > centos.ipa.ad.com > > The centos client has a hostname set to centos.domain.ad.com >

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 14:37, Supratik Goswami via FreeIPA-users > wrote: > > Can someone please help me to figure out the issue? > > Please let me know if any other information is required > Describing how you set up the idview and providing SSSD logs is

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Supratik Goswami via FreeIPA-users
Hi Jakub, Thanks for looking into the issue, please find the details you have requested. 1. ipa idoverrideuser-show "Default Trust View" supratik.gosw...@ad.corp.example.com Anchor to override: supratik.gosw...@ad.corp.example.com Login shell: /bin/bash SSH public key: ssh-rsa

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:02, Supratik Goswami via FreeIPA-users > wrote: > > (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp.example.com]]] [acctinfo_callback]

[Freeipa-users] Re: Cannot access Web UI after IPA upgrade to 4.5

2017-08-09 Thread Pavel Vomacka via FreeIPA-users
On 08/08/2017 02:03 PM, Gustavo Berman via FreeIPA-users wrote: Pavel, Thanks for the help, that solved the problem. Now I can access the web ui. I'm glad that it works again. The upgrade took place yesterday and it was a release upgrade from rhel 7.3 (last update was last week) to rhel 7.4

[Freeipa-users] Show AD groups members from command line

2017-08-09 Thread Steve Weeks via FreeIPA-users
I can use 'id ad_user@ad_domain' command to see what groups an ad_user is a member of. Is there a way from the Linux command line to see who the members of some_ad_group@ad_domain are? Thanks, Steve

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 20:02, Alexandre Pitre via FreeIPA-users > wrote: > > The client is in the IPA domain. Although it's sub-domain of ad.com > , I did delegate it and configure the IPA servers as name > servers. It uses a different

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Michael Gusek via FreeIPA-users
Hello Tomasz, thx for your hint. I've disabled all selftests in /etc/pki/pki-tomcat/ca/CS.cfg and /etc/pki/pki-tomcat/kra/CS.cfg. There was only one test. But I didn't get any success. CA won't start. :( Michael On 09.08.2017 at 15:24, Tomasz Torcz via FreeIPA-users wrote: > On Wed, Aug 09,