[Freeipa-users] Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers could be reached # ipa dnsrecord-find my.net sys001 --all --raw   dn: idnsname=sys001+nsuniqueid=7523898c-b29311e8-85ddf5f7-bbec4d04,idnsname=my.net.,cn=dns,dc=my,dc=net   idnsname: sys001   arec

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Also: # ldapsearch -D "cn=Directory Manager" -W -b "dc=my.net" "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" nsds5ReplConflict Enter LDAP Password: # extended LDIF # # LDAPv3 # base I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers cou

[Freeipa-users] Re: Can't delete DNS entry

2018-10-10 Thread Bret Wortman via FreeIPA-users
Not surprisingly, that did the trick. Thanks, Rob. On 10/10/2018 09:57 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've got a DNS entry that really isn't there. # nslookup sys001 ;; connection timed out; no servers could be reached # ipa dnsrecord-find my.net sy

[Freeipa-users] Fwd: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
I was out two days last week and one of my coworkers thought we were having a password problem on our admin account. This morning, my users were claiming an inability to log in, so I cycled our main IPA server, but named won't start. 2018-10-15T10:43:14.blah named-pkcs11[26250]: LDAP error: In

[Freeipa-users] Re: named fails to start

2018-10-15 Thread Bret Wortman via FreeIPA-users
Never mind. NTP wasn't working properly so the time had drifted too far. Easy fix.

[Freeipa-users] Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages (all messages from named-pkcs11): bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23 2017, complier 4.8.5 20150623 (Red Hat 4.8.5-16) LDAP error: Invalid credentials:

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've tracked it down to an error in the named startup. From /var/log/messages(all mess

[Freeipa-users] Re: Replica won't start

2018-12-06 Thread Bret Wortman via FreeIPA-users
roaches in the guide. On 12/06/2018 08:42 AM, Bret Wortman via FreeIPA-users wrote: I'll check it out. Thanks, Flo! On 12/06/2018 08:39 AM, Florence Blanc-Renaud wrote: On 12/6/18 1:32 PM, Bret Wortman via FreeIPA-users wrote: After a reboot, my IPA replica won't start. I've

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
3:20 PM, Robbie Harwood wrote: Bret Wortman via FreeIPA-users writes: So I started working through the guide below and most of the steps just worked. No errors, which was odd. For example: # kinit -kt /etc/named.keytab DNS/ipa3.my.net # klist Ticket cache: KEYRING:persistent:0:0 Default principal:

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
I'm seeing this in /var/log/messages periodically: systemd: Starting IPA key daemon... ipa-dnskeysyncd: ipa  : INFO LDAP bind... ipa-dnskeysyncd: ipa  : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'} ipa-dnskeysyncd: Traceback (most recent call last): ipa-dns

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
Other symptoms: # kinit admin : # ipa help user ipa: ERROR: No valid Negotiate header in server response This is now happening on our primary IPA server. On 12/07/2018 07:42 AM, Bret Wortman via FreeIPA-users wrote: I'm seeing this in /var/log/messages periodically: systemd: Startin

[Freeipa-users] Re: Replica won't start

2018-12-07 Thread Bret Wortman via FreeIPA-users
Woot! We had a stale, old server vm that got powered on. Once we shut it down and then cycled these, they worked just fine. Weird, but we're past this. Thanks! On 12/07/2018 07:52 AM, Bret Wortman via FreeIPA-users wrote: Other symptoms: # kinit admin : # ipa help user ipa: ERRO

[Freeipa-users] Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
> We have some ESXi boxes that need CA-signed certs and we're trying to figure > out how to properly construct a CSR so that our IPA CA will process it. > > I'm having them create the cert using these commands: > > # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i > ${SHORTHOSTN

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-25 Thread Bret Wortman via FreeIPA-users
Thanks, Rob. I’ll give it another try in the morning and let you know how it goes. And yes, -8. Keyboard error. On 25 Feb 2019, at 15:56, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: We have some ESXi boxes that need CA-signed certs and we're trying to figure out h

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 25 2019, at 3:56 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > > We have some ESXi boxes that need CA-signed certs and we're

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:18 am, Bret Wortman via FreeIPA-users wrote: > failed to set perms (3140) on file (/var/run/ipa/ccaches/br...@my.net)!, > referrer: https:/zsipa3.my.net/ipa/ui/

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-26 Thread Bret Wortman via FreeIPA-users
On Feb 26 2019, at 10:22 am, Bret Wortman via FreeIPA-users wrote: > It looks like we've done everything in your guide. I've sent the requestor > the docs at >

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Ca signed very for non-IPA client

2019-02-27 Thread Bret Wortman via FreeIPA-users
> On Feb 27 2019, at 6:31 am, Bret Wortman via FreeIPA-users wrote: > > Rob

[Freeipa-users] Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
Looks like I've somehow managed to get my 3 IPA servers out of sync: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa host-find solr14.my.net --- 0 hosts matched --- Number of

[Freeipa-users] Replication issues, 3 servers not talking

2019-03-26 Thread Bret Wortman via FreeIPA-users
I've got 3 IPA servers, with replication agreements between the 3 as follows: [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net: master ipa4.my.net: master ipa5.my.net: master [root@ipa3 ~]# ipa-replica-manage list ipa3.my.net

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like I've somehow managed to get my 3 IPA servers out of sync: > > > > [root@ipa

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
> On Mar 26 2019, at 8:47 am, Rob Crittenden wrote: >

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 9:07 am, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Oops. I spoke too soon. The one I thought I fixed is now just scrolling > > "No status yet" over and over...

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > I broke out of it, but the two are still out of sync. Is there a way to > > get past that?

[Freeipa-users] Re: Something amiss with my replication

2019-03-26 Thread Bret Wortman via FreeIPA-users
1:43 am, Bret Wortman via FreeIPA-users wrote: > > On Mar 26 2019, at 11:10 am, Florence Blanc-Renaud wrote: > > On 3/26/19 2:23 PM, Bret Wortman via FreeIPA-users wrote: > > > I broke out of it, but the two are still out of sync. Is there a way to > > > get past that?

[Freeipa-users] How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
I know I can paste a CSR from one of our servers into the GUI and generate a new cert, but how can I do this from a command line? I've been working with this: # ipa cert-request --principal=HTTP/$HOST $DB/$HOST.csr But that's giving me an error that the principal doesn't exist. Then (admittedly,

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 11:31 am, Rob Crittenden wrote: > Bret Wortman via Free

[Freeipa-users] Re: How to grant CSR from command line

2019-04-11 Thread Bret Wortman via FreeIPA-users
On Apr 11 2019, at 1:47 pm, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Thanks, Rob. I'm a lot closer now.

[Freeipa-users] Guide to enabling CA?

2017-12-06 Thread Bret Wortman via FreeIPA-users
Is there an online guide to turning on a CA? We had one, which signed all our SSL Certs and such. It worked quite nicely. Then we rolled an upgrade around our IPA servers to get them from Fedora to Centos, and in the process, we failed to migrate the CA, so we ended up with 3 servers without a

[Freeipa-users] Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been truncated: Configured administrative server limit exceeded." I've tried fixing this in a number of ways. We've shut down the se

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
Looking at it now. On 02/13/2018 01:09 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been trunca

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Thanks. Is it possible to list the DNS entries using ldapsearch? I've been using: # ipa dnsrecord-find --all On 02/13/2018 02:13 PM, Natxo Asenjo via FreeIPA-users wrote: On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
TW, I misspoke in my original post -- "searchlimit" should read, "sizelimit". Bret On 02/13/2018 01:09 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has w

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
Also, this doesn't solve the fact that the Web UI always produces an error dialog whenever accessing our primary zone. On 02/13/2018 02:19 PM, Natxo Asenjo via FreeIPA-users wrote: On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo > wrote: the canonical way

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
I did figure out that I can use # ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com to list out all the entries, but the format isn't what I'm expecting. What I'm actually trying to do is move our whole infrastructure from one set of ol

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Bret Wortman via FreeIPA-users
On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did figure out that I can use # ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com to list out all the entrie

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret Wortman wrote: On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Bret Wortman via FreeIPA-users
On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Bret Wortman via FreeIPA-users
On 02/19/2018 07:55 AM, Florence Blanc-Renaud wrote: On 02/19/2018 12:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/16/2018 11:54 AM, Florence Blanc-Renaud wrote: On 02/15/2018 06:42 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 12:27 PM, Florence Blanc-Renaud wrote: On 02/15

[Freeipa-users] SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. 1. Built new box, which joined the existing IPA infrastructure as a client. 2. # ipa-client-install -U --uninstall 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders 4. Inserted data

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
I'll give that a try. On 02/20/2018 12:38 PM, Jochen Hein wrote: Bret Wortman via FreeIPA-users writes: Sequence of events in trying to stand up a new IPA server to replace (wholesale) our old ones. ... 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders ... And no

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Bret Wortman via FreeIPA-users
Changing the subject worked. Thanks! Bret Wortman http://wrapbuddies.co/ On Feb 20, 2018, 7:19 PM -0500, Fraser Tweedale , wrote: > On Tue, Feb 20, 2018 at 12:41:17PM -0500, Bret Wortman via FreeIPA-users > wrote: > > I'll give that a try. > > > If you "Clear

[Freeipa-users] Logon by ssh but not console?

2018-02-21 Thread Bret Wortman via FreeIPA-users
Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost I'm able to log in without issues? And it'll tell me about failed logins for every time I try through GDM or the console. This is on a brand new IPA

[Freeipa-users] Re: Logon by ssh but not console?

2018-02-21 Thread Bret Wortman via FreeIPA-users
My only hbac rule is "allow_all", and it's enabled. I hadn't gotten around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system through

[Freeipa-users] How to replace a failed CA?

2018-02-21 Thread Bret Wortman via FreeIPA-users
I may be going about this in the hardest way possible, so let me stop and roll everything back to my root need: I have two IPA servers which manage our infrastructure. We used to have three, but a catastrophic failure on one led to its total loss. And it was our CA. So now we have no CA -- i

[Freeipa-users] Re: How to replace a failed CA?

2018-02-21 Thread Bret Wortman via FreeIPA-users
ch object # numResponses: 1 On 02/21/2018 11:45 AM, Jochen Hein wrote: Bret Wortman via FreeIPA-users writes: I may be going about this in the hardest way possible, so let me stop and roll everything back to my root need: I have two IPA servers which manage our infrastructure. We

[Freeipa-users] Re: How to replace a failed CA?

2018-02-22 Thread Bret Wortman via FreeIPA-users
ut logins over ssh versus console & GDM and moving forward with a completely new installation while trying to retain as much data as possible. Thanks for your help on this, guys. Bret On 02/21/2018 03:47 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: If this is the corr

[Freeipa-users] Re: Logon by ssh but not console?

2018-02-22 Thread Bret Wortman via FreeIPA-users
Wortman wrote: My only hbac rule is "allow_all", and it's enabled. I hadn't gotten around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system

[Freeipa-users] Create a replica

2018-03-01 Thread Bret Wortman via FreeIPA-users
I've got a one system setup now and would like to create a replica and ensure survivability as much as possible. Will this do the trick? Obviously the first is run on the current master and the second on the new replica... # ipa-replica-prepare newserver.my.net --ip-address=192.168.1.50 # ipa

[Freeipa-users] admin's credentials revoked?

2018-03-01 Thread Bret Wortman via FreeIPA-users
# kinit admin kint: Client's credentials have been revoked while getting initial credentials Then while looking at /var/log/httpd/error_log: [date] [:error] [pid] [remote 192.168.1.50:96] Database Error: Server is unwilling to perform: Too many failed logins. What the? How can my admin acco

[Freeipa-users] Re: admin's credentials revoked?

2018-03-01 Thread Bret Wortman via FreeIPA-users
On 1 Mar 2018, at 17:50, Jochen Hein wrote: Bret Wortman via FreeIPA-users writes: # kinit admin kint: Client's credentials have been revoked while getting initial credentials Then while looking at /var/log/httpd/error_log: [date] [:error] [pid] [remote 192.168.1.50:96] Database

[Freeipa-users] Re: Create a replica

2018-03-02 Thread Bret Wortman via FreeIPA-users
On 03/02/2018 04:15 AM, Florence Blanc-Renaud wrote: On 01/03/2018 18:11, Bret Wortman via FreeIPA-users wrote: I've got a one system setup now and would like to create a replica and ensure survivability as much as possible. Will this do the trick? Obviously the first is run on the cu

[Freeipa-users] New server, can't set passwords

2018-05-04 Thread Bret Wortman via FreeIPA-users
I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate

[Freeipa-users] Re: New server, can't set passwords

2018-05-07 Thread Bret Wortman via FreeIPA-users
address: b...@damascusgrp.com   UID: 10042   GID: 100   Account disabled: False Number of entries returned 1 # On 05/04/2018 10:48 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've just finished setting up a new IPA server, pla

[Freeipa-users] Re: New server, can't set passwords

2018-05-07 Thread Bret Wortman via FreeIPA-users
Yep, "ipa user-add-principal br...@damascusgrp.com" did the trick. I'll run through the rest next. Thanks for the help, Rob & Alexander. On 05/07/2018 10:07 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I can show a migrated entry, certainly. I'll

[Freeipa-users] Can't log in through greeter or console after switch to new IPA servers

2018-06-02 Thread Bret Wortman via FreeIPA-users
I've just transitioned my baseline from one set of servers to another, and I'm noticing that some systems will allow me to log in directly from the greeter on workstations while others don't (including my own workstation!). These methods all work on my workstation: * ssh @localhost with pass

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
hadn't gotten around to setting up any additional ones yet. On 02/21/2018 10:14 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: Any ideas why I might be prevented from logging in on a system through GDM and the console, but if I log in as root and: # ssh bretw@localhost

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Bret Wortman via FreeIPA-users
Hrozek , wrote: > > > > On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users > > wrote: > > > > I just realized that I never closed the loop on this problem and just > > finished upgrading all my systems to use our new IPA servers. And this > > proble

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-04 Thread Bret Wortman via FreeIPA-users
f his passwords (he had been authenticated by the old servers when he first got in). I stopped sssd, rm -rf'd the cache db files, and then restarted it and voila, he was able to authenticate with the new servers. Thanks, all! On 06/03/2018 03:30 PM, Bret Wortman via FreeIPA-users wr

[Freeipa-users] Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-install --enable-dns-updates --mkhomedir IPA client is already configured on this system. If you want to reinstall the IPA client,

[Freeipa-users] Re: Can't uninstall client

2018-06-22 Thread Bret Wortman via FreeIPA-users
store directory. Thanks, Rob! On 06/22/2018 09:05 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I'm trying to uninstall and reinstall the ipa client on a particular system. Here's what it looks like: # ipa-client-install --uninstall -U # ipa-client-ins

[Freeipa-users] Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various approaches using ktutil and kadmin but haven't had any su

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
Okay. I may have done this under Fedora before, then. I'll go back and search the archives. Thanks, Alexander! On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
I found your post, but the paste you made was gone. You don't happen to still have that laying around, do you? On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
, Bret Wortman via FreeIPA-users wrote: What's the correct way to create a user keytab? I had done this once about 3 years ago and got it working, but can't find my notes anywhere. I need to be able to do this in a script:    kinit -k admin -t /root/keytab I've tried various a

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
e paste you made was gone. You don't happen to still have that laying around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On ti, 26 ke

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
ll have that laying around, do you? A script is attached. It may fail in some cases as salt is really a random sequence of bytes that might need additional escaping in shell. On 06/26/2018 07:06 AM, Alexander Bokovoy wrote: On ti, 26 kesä 2018, Bret Wortman via FreeIPA-users wrote: What'

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are getting a keytab for your

[Freeipa-users] Re: Creating a user keytab

2018-06-26 Thread Bret Wortman via FreeIPA-users
n via FreeIPA-users wrote: On 06/26/2018 08:19 AM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: My ktutil doesn't have "-s" as an option on addent -- is this a version-specific thing? I'm on C7 with krb5-workstation 1.15.1-8 and ipa-client 4.5.0-22. If you are gett

[Freeipa-users] error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". I've tried unenrolling & re-enrolling. I've tried unenrolling, uninstalling, reinstalling ipa-client, and re-enrolling. I've tried unenrolling, del

[Freeipa-users] Re: error 15 in memberof.so

2018-07-18 Thread Bret Wortman via FreeIPA-users
Crittenden , wrote: > Bret Wortman via FreeIPA-users wrote: > > I've got a system (probably more than one) where I've got clients who > > aren't able to bring up SSSD due to this error, as seen in "journalctl -xe". > > > > I've

[Freeipa-users] Re: error 15 in memberof.so

2018-07-19 Thread Bret Wortman via FreeIPA-users
On 07/19/2018 11:33 AM, Lukas Slebodnik via FreeIPA-users wrote: On (18/07/18 13:39), Bret Wortman via FreeIPA-users wrote: I've got a system (probably more than one) where I've got clients who aren't able to bring up SSSD due to this error, as seen in "journalctl -xe"

[Freeipa-users] Re: How to replace a failed CA?

2018-09-26 Thread Bret Wortman via FreeIPA-users
We built brand new servers, took xml dumps from the existing ones, wrote custom scripts to load that into the new ones, and spent a weekend cutting over. So yes, but no. We now have a functioning CA but it wasn't exactly replaced; we had to build a new set of replicas around it. On 09/26/2018

[Freeipa-users] Auditing screensavers

2020-05-21 Thread Bret Wortman via FreeIPA-users
I have a need to set up an audit rule that will track whenever a user's screensaver is unlocked via password. I've tried setting a watch on pam_sss.so but that gets a lot more than what I strictly need and that also, strangely, had a tendency to audit when the screensaver was activated but not w

[Freeipa-users] Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-15 Thread Bret Wortman via FreeIPA-users
We had a developer team deploy their own CA and then issue a slew of certificates for users' workstations and other servers, and now they want us to deploy those certificates more widely. I'd rather find a way to bring their CA under ours so that the root CA certificate we already distribute wil

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users > wrote: > > We had a developer team deploy their own CA and then issue a slew > > of certificates for users' workstat

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote: > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users > > > wrote: > > > > We had a developer team deploy their own CA and th

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
ou can add a host > > object with that name to FreeIPA. I think the procedure outlined in > > the blog post should work for you. > > > > Cheers, > > Fraser

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
t > > > > barge ahead and try to make it work on my own... > > > > > > The CN (damascusgrp.com) is a domain name. You can add a host > > > object with that name to FreeIPA. I think the procedure outlined in > > > the blog post should work for you. > >

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
> > > further conversations with this team turned up the fact that > > > > > > they're just creating these by hand using openssl commands rather > > > > > > than running any sort of service at all), I'm hesitant to just > > > > >

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
name in there anywhere (and in fact, > > > > > further conversations with this team turned up the fact that > > > > > they're just creating these by hand using openssl commands rather > > > > > than running any sort of service at all), I'm hesitant to just

[Freeipa-users] named won't start

2021-06-03 Thread Bret Wortman via FreeIPA-users
It's an ancient server, and one I'm trying to get us off of, but it's our current primary IPA server on this network and named didn't like its last reboot and is erroring on startup: [root@ipa1 ~]# systemctl status -l named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (D

[Freeipa-users] Re: named won't start

2021-06-03 Thread Bret Wortman via FreeIPA-users
In one of those weird things I can only blame on gremlins, time seems to have been the answer. I recently ran "ipactl start" again and it worked. -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 1:19 PM, Bret Wortman via FreeIPA-users wrote: > It's

[Freeipa-users] How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-03 Thread Bret Wortman via FreeIPA-users
I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far: 1. run "ipa-replica-prepare" on the original main server, ipa1. 2. Copied the resulting file to ipa1c7. 3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-connche

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
et: master Any suggestions for other ways to remove the replica so I can remove the host and its DNS entries and then see what crud is left behind in LDAP? -- Bret Wortman bret.wort...@damascusgrp.com On Thu, Jun 3, 2021, at 3:18 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-u

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-04 Thread Bret Wortman via FreeIPA-users
I tried using ipa-backup but it keeps aborting claiming there's not enough space on the target device but nothing even comes close to 100% usage. Is there another way to export to LDIF? -- Bret Wortman bret.wort...@damascusgrp.com On Fri, Jun 4, 2021, at 9:01 AM, Rob Crittenden wrote: > B

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
I cleaned up the contents of our ldap manually, re-created the replica file, and got a lot further than we have before but ipa-replica-install still failed as below: Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes [1/30]: configuring certificate server instance ipaserve

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-07 Thread Bret Wortman via FreeIPA-users
You were absolutely correct, the flag worked, and the config-show did not show a CRL server at all. I'll dig into the ca logs next. -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:07 AM, Rob Crittenden wrote: > Bret Wortman wrote: > > I cleaned up the contents of o

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-08 Thread Bret Wortman via FreeIPA-users
the only CA, but it seems to be trying to hang on to its job security... ;-) -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 7, 2021, at 11:13 AM, Bret Wortman via FreeIPA-users wrote: > You were absolutely correct, the flag worked, and the config-show did > not show a CRL serv

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
27 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > I was tailing several logs in /var/log/pki/pki-tomcat/ca/ (debug, system, > > and transactions) and though the replica installation failed again at the > > same point, this is what I got from the l

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-09 Thread Bret Wortman via FreeIPA-users
.wort...@damascusgrp.com On Wed, Jun 9, 2021, at 4:59 AM, Bret Wortman via FreeIPA-users wrote: > My misunderstanding, sorry. This is from the existing CA since that's > where I thought the problem would be. Okay, going back and looking at > the debug log on the new server to see if

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-10 Thread Bret Wortman via FreeIPA-users
On Wed, Jun 9, 2021, at 2:32 PM, Rob Crittenden wrote: > Bret Wortman via FreeIPA-users wrote: > > Looks like we're missing an LDAP connection port? > > > > [09/Jun/2021:10:02:54][localhost-startStop-1]: LdapBoundConnFactory: init > > Property internaldb.ldapconn.

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > So you've run ipa-replica-prepare and then ship that file to > right? Exactly. > At some point we started re-generating the CA certs file > (/root/cacert.p12) during preparation. Did we do this in F21? I have no > idea. > > Can you use

[Freeipa-users] Re: How to blend IPA server 4.1.4 on F21 with server 4.6.8 on C7?

2021-06-14 Thread Bret Wortman via FreeIPA-users
's something obvious here. https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178 -- Bret Wortman bret.wort...@damascusgrp.com On Mon, Jun 14, 2021, at 6:24 AM, Bret Wortman via FreeIPA-users wrote: > On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote: > > So you've
