[Freeipa-users] Fedora -> CentOS, 4.7.2 -> 4.7.1

2019-10-28 Thread David Harvey via FreeIPA-users
Dear FreeIPA users, TL;DR *any* way of moving from 4.7.2->4.7.1? I've managed to get into a situation.. On realising the support for Debian/Ubuntu was a bit ropey, I successfully made Fedora replicas and promoted them a year or so ago. These run OK, but wanting to be off the treadmill of Fedora u

[Freeipa-users] Re: Fedora -> CentOS, 4.7.2 -> 4.7.1

2019-10-28 Thread David Harvey via FreeIPA-users
Thanks for your response Rob, If I were to attempt such a thing and it apparently succeeds, is there any kind of integrity/sanity check that you would run to probe for oddities? Best wishes, David On Mon, 28 Oct 2019, 21:38 Rob Crittenden, wrote: > David Harvey via FreeIPA-users wr

[Freeipa-users] krb5kdc segfault

2019-11-29 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I've been haunted across installs by a sporadic krb5kdc segfault, the especially fun part is that it seems to bring the service down on all of the servers at once! Restarting it brings everything back again quite happily.. The last and only useful krb5kdc.log entry is: Nov 29

[Freeipa-users] Re: krb5kdc segfault

2019-11-29 Thread David Harvey via FreeIPA-users
Thanks for the swift response Alexander. I'll try and get that enabled for clearer details. On Fri, 29 Nov 2019 at 13:59, Alexander Bokovoy wrote: > On pe, 29 marras 2019, David Harvey via FreeIPA-users wrote: > >Hi FreeIPA users, > > > >I've been haunted across

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Thanks for all the hard work on this, I've been enjoying an almost functional setup for the last week but have been tearing my hair out with making GSSAPI behave. What I have found so far using the config instructions - may be error prone now as the number of combinations tried! Anonymous bind e

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Some edits and expansion on my previous attempt to post... FreeIPA 4.4.3, Mac OS X 10.12 Thanks for all the hard work on this, I've been enjoying an almost functional setup for the last week but have been tearing my hair out with making GSSAPI behave. What I have found so far using the config in

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-19 Thread David Harvey via FreeIPA-users
Note. The GSSAPI attempts from the Mac side are only attempted when a binddn (security -> "use authentication when connecting") account is provided. Otherwise I suspect it's unable to even work out what type of GSSAPI transaction to attempt.. On 19 September 2017 at 15:19, David Harvey wrote: >

[Freeipa-users] Re: How to Setup FreeIPA Services for Mac OS X 10.12

2017-09-20 Thread David Harvey via FreeIPA-users
for logon, ssh (to linux machines), DNS updates, and > directory services. I'm confident the issue lies with MacOS. > > I'm running MacOS 10.12.6 and IPA 4.5. > > I'll keep digging, just wanted to let you know you've been heard. > > > - Jason >

[Freeipa-users] upgrade to ubuntu 17.10 fails

2017-11-15 Thread David Harvey via FreeIPA-users
Hi wisdom of the list, I know I am an edge case with running on ubuntu, but hoped someone might be able to shed some light. A bit of background. I'm trying to test upgrades without potentially hosing my existing services, so I have cloned the VM, given it a new IP address, updated hosts file and

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-15 Thread David Harvey via FreeIPA-users
Sorry for the dump size, but not sure if the below from /var/log/pki/pki-tomcat/localhost.date.log helps: 15-Nov-2017 12:14:50.557 SEVERE [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log StandardWrapper.Throwable java.lang.NullPointerException at com.netscape.cmscore.selfte

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-15 Thread David Harvey via FreeIPA-users
sting ones! Thanks again, appreciate the steering! On 15 Nov 2017 14:34, "Rob Crittenden" wrote: David Harvey via FreeIPA-users wrote: > Sorry for the dump size, but not sure if the below from > /var/log/pki/pki-tomcat/localhost.date.log helps: Looks like the selftests are faili

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-17 Thread David Harvey via FreeIPA-users
ggesting as I feared the new server might > update the schema on the existing ones! > > Thanks again, appreciate the steering! > > > On 15 Nov 2017 14:34, "Rob Crittenden" wrote: > > David Harvey via FreeIPA-users wrote: > > Sorry for the dump size, but not s

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-21 Thread David Harvey via FreeIPA-users
>> update the schema on the existing ones! >> >> Thanks again, appreciate the steering! >> >> >> On 15 Nov 2017 14:34, "Rob Crittenden" wrote: >> >> David Harvey via FreeIPA-users wrote: >> > Sorry for the dump size, but not sure

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-11-22 Thread David Harvey via FreeIPA-users
that all running servers had to be of the same version, am I > > mistaken with that? > > I had avoided what you were suggesting as I feared the new > > server might update the schema on the existing ones! > > > > Thanks again, appreciate the s

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
needs a huge amount more TLC to make it more of a pleasure to install ;) Cheers, David On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote: > > Not sure why tomcat is mo

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
ibs). > > Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks to me > like until FreeIPA 4.5+ is packaged (where the conversion to OpenSSL has > been completed), it is still not safe to run a CA on Ubuntu. > > > On 01/12/17 23:27, David Harvey via FreeIPA-users w

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-01 Thread David Harvey via FreeIPA-users
Ok, thanks for the clarification. Hopefully can still mitigate by changing platform or waiting for a better supported Ubuntu release! On 1 Dec 2017 18:40, "Rob Crittenden" wrote: > David Harvey via FreeIPA-users wrote: > > Well that sounds fun :) > > I'm hesitant

[Freeipa-users] Re: upgrade to ubuntu 17.10 fails

2017-12-14 Thread David Harvey via FreeIPA-users
On 13 December 2017 at 23:29, Timo Aaltonen via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 28.11.2017 22:58, Peter Fern via FreeIPA-users wrote: > > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote: > >> Not sure why tomcat is more resilie

[Freeipa-users] Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Dear list, In trying to escape from the various issues facing the ubuntu freeipa, I attempted to make the switch to Fedora 26 (same freeipa version 4.4.4). This seemed to go well (adding new replica first, and then replacing the ubuntu based installs), but I notice on my fedora boxes several warn

[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-04 Thread David Harvey via FreeIPA-users
Point No.2 Is now sorted. It was the old missing Subject Alternative Name extension in certificate problem (which I had only seen with https until now!). I would still love to know if I need to live in fear of the other errors though :) On 4 January 2018 at 12:25, David Harvey wrote: > Dear list

[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings

2018-01-08 Thread David Harvey via FreeIPA-users
Gentle bump (whilst I remember to nudge this). TL;DR Does anyone know the likely implications of error messages such as: "Setting property 'enableOCSP' to 'false' did not find a matching property." (then repeated for several other properties) On 4 January 2018 at 14:52, David Harvey wrote: > P

[Freeipa-users] Host certificates association across IPA servers

2018-01-31 Thread David Harvey via FreeIPA-users
Dear ipa-users, I've recently observed a pattern where adding a host certificate to a host only shows the association in the GUI for the server which issues the cert. I'm running FreeIPA 4.4.4. I request a certificate from the host(s) in question with something like: ipa-getcert request -f /path

[Freeipa-users] Re: Host certificates association across IPA servers

2018-02-01 Thread David Harvey via FreeIPA-users
h for your guidance, hugely appreciated. David On 31 January 2018 at 21:48, Rob Crittenden wrote: > David Harvey via FreeIPA-users wrote: > > Dear ipa-users, > > > > I've recently observed a pattern where adding a host certificate to a > > host only shows the association

[Freeipa-users] Re: Host certificates association across IPA servers

2018-02-01 Thread David Harvey via FreeIPA-users
tion failed: Supplied plugin directory path is not a directory > > I'll aim to reinitialise the problem box based on this. Without wanting to > make excuses for my ineptitude, are there any plans to increase visibility > for replication issues to surface them more obviously? > &

[Freeipa-users] Re: FreeIPA PKI with OpenVPN

2018-03-23 Thread David Harvey via FreeIPA-users
Hi Mike, Did you have any joy with this? I've been using my IPA PKI for our 802.1x infrastructure - which is working nicely for the enrolled Linux hosts. I've been considering adding some Chrome OS into the mix, but before shelling out for some devices I've been trying to navigate both the manual

[Freeipa-users] Accessing IPA host data from an enrolled workstation

2018-03-27 Thread David Harvey via FreeIPA-users
Dear list, I'm currently tinkering with adding host attributes (As custom attrs, or for the moment into the description field). My intention is to then read these from the host in order to define some local behaviour for scripts or puppet. Example - a concept of machine ownership, or device clas

[Freeipa-users] FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, As briefly mentioned in "[Freeipa-users] FreeIPA PKI with OpenVPN", I'm looking into using FreeIPA and Dogtag to provide network certs for Chromebooks (from reading so far it looks like I'll need to use SCEP or CMC - the latter being preferred). Has anyone achieved this, or can

[Freeipa-users] Re: FreeIPA Certs for Chromebooks CMC,SCEP and extensions

2018-04-03 Thread David Harvey via FreeIPA-users
Awesome, thanks for the info Rob. I will check out your method. It looks like it (Dogtag) has some improving CMC support too, so will have a dig. On Tue, 3 Apr 2018, 18:19 Rob Crittenden, wrote: > David Harvey via FreeIPA-users wrote: > > Hi FreeIPA users, > > > > As

[Freeipa-users] Re: Accessing IPA host data from an enrolled workstation

2018-05-14 Thread David Harvey via FreeIPA-users
Hi again, Just a little nudge to see if anyone has attempted any of the prior mentioned, or if they may have ideas on how this is best achieved.. Kind regards, David On 27 March 2018 at 16:22, David Harvey wrote: > Dear list, > > I'm currently tinkering with adding host attributes (As custom

[Freeipa-users] Re: Accessing IPA host data from an enrolled workstation

2018-05-14 Thread David Harvey via FreeIPA-users
. The fields I'm interested in (descriptions, platform, OS, Class) are thankfully available (at least using the host principal). Kind regards, David On 14 May 2018 at 14:14, Alexander Bokovoy wrote: > On ti, 27 maalis 2018, David Harvey via FreeIPA-users wrote: > >> Dear lis

[Freeipa-users] Re: ipa-client-install - sssd.conf

2018-05-16 Thread David Harvey via FreeIPA-users
I can't answer the ipa-client-install aspect, but I've found the sssd puppet module very helpful for this kind of customisation (if you're a puppet user) On 16 May 2018 at 11:04, Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > is there a way to configure p

[Freeipa-users] Re: Netscape Portable Runtime error -5999

2020-02-28 Thread David Harvey via FreeIPA-users
Hi Sarah, Not sure if the same cause, but I experienced something like this following too many open file descriptors/connections. Cause for me was LDAP connections being opened but never closed by a client, essentially DDoSing me. On phone with thumbs, so I can't recall if it was lsof or netstat
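The check the post above alludes to (finding the one client holding far too many LDAP connections open against the directory server) can be scripted rather than eyeballed. The snippet below is an added example, not code from the post or from FreeIPA: it assumes `ss -tn` style output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and the standard LDAP ports 389/636, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): count ESTABLISHED LDAP
# connections per peer from `ss -tn` style output, so a client that opens
# connections and never closes them stands out.

# Constructed sample shaped like `ss -tn` output (assumption: that layout).
SAMPLE='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:389        10.0.0.21:51000
ESTAB     0      0      10.0.0.5:389        10.0.0.21:51001
ESTAB     0      0      10.0.0.5:636        10.0.0.21:51002
ESTAB     0      0      10.0.0.5:389        10.0.0.22:40000
ESTAB     0      0      10.0.0.5:22         10.0.0.23:40001
TIME-WAIT 0      0      10.0.0.5:389        10.0.0.24:40002'

# ldap_clients_over THRESHOLD INPUT
# Prints "count peer" for every peer with more than THRESHOLD established
# connections to local port 389 or 636, highest count first.
# Only ESTAB rows count; TIME-WAIT and non-LDAP ports are ignored.
ldap_clients_over() {
    threshold="$1"
    printf '%s\n' "$2" | awk -v t="$threshold" '
        $1 == "ESTAB" && $4 ~ /:(389|636)$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # strip the ephemeral source port
            n[peer]++
        }
        END { for (p in n) if (n[p] > t) print n[p], p }' | sort -rn
}

# Usage on a live server (assumed invocation, adjust the threshold to taste):
#   ldap_clients_over 50 "$(ss -tn)"
```

On the constructed sample, `ldap_clients_over 2 "$SAMPLE"` reports `3 10.0.0.21`: the only peer above the threshold. Pair the per-peer count with the directory server's own file-descriptor usage (for example the size of `/proc/<pid>/fd` for the ns-slapd process against its limit) to confirm that the leaking client is what is exhausting descriptors.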

[Freeipa-users] Pausing replication or another approach to testing whilst limiting blast radius

2020-04-24 Thread David Harvey via FreeIPA-users
Dear list, I'd like to do a test run of a script that I use to sync our HR data with our freeipa infrastructure. Is it possible to pause replication, or essentially fence a server off, so that if I run the updated script against it, I can limit the changes to that target server until I've checked

[Freeipa-users] Re: Pausing replication or another approach to testing whilst limiting blast radius

2020-04-25 Thread David Harvey via FreeIPA-users
Thanks for the swift response Rob. Looks like just what I need! All the best, David On Fri, 24 Apr 2020, 20:56 Rob Crittenden, wrote: > David Harvey via FreeIPA-users wrote: > > Dear list, > > > > I'd like to do a test run of a script that I use to sync our HR

[Freeipa-users] LDAP conflicts and ldapsubentry

2020-07-14 Thread David Harvey via FreeIPA-users
Dear list, I noted from TFM that conflicting values have ldapSubEntry and nsds5ReplConflict attributes, however it only mentioned removing

[Freeipa-users] Re: LDAP conflicts and ldapsubentry

2020-07-16 Thread David Harvey via FreeIPA-users
Hi again, just a gentle bump to keep this visible, any advice on it or additional info I can provide? On Tue, 14 Jul 2020 at 19:29, David Harvey wrote: > Dear list, > > I noted from TFM >

[Freeipa-users] Another 2FA question Debian and Ubuntu

2021-03-15 Thread David Harvey via FreeIPA-users
Hi list, I've been attempting to get optional 2FA working for my Debian derivatives so I can run per-host OTP nicely for the more sensitive boxes. So far: A user with "password and otp" only allowed in the can login as expected with the password and OTP concatenated. A user with both "password" a

[Freeipa-users] Re: Another 2FA question Debian and Ubuntu

2021-03-16 Thread David Harvey via FreeIPA-users
n Tue, 16 Mar 2021 at 06:35, Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Mon, Mar 15, 2021 at 06:04:17PM +, David Harvey via FreeIPA-users > wrote: > > Hi list, > > > > I've been attempting to get optional 2FA working for

[Freeipa-users] Require OTP for ipa commands

2021-03-19 Thread David Harvey via FreeIPA-users
Hello again list, Is it possible to differentiate between a kerberos ticket that was granted with OTP vs one that would not (for the purpose of requiring it for `ipa some-privileged command` ) Aim: Protect servers with OTP but not always require it for workstations. But to require OTP for the pri

[Freeipa-users] Re: Require OTP for ipa commands

2021-03-19 Thread David Harvey via FreeIPA-users
On Fri, 19 Mar 2021 at 15:46, David Harvey wrote: > Hello again list, > > Is it possible to differentiate between a kerberos ticket that was granted > with OTP vs one that would not (for the purpose of requiring it for `ipa > some-privileged command` ) > > Aim: Protect servers with OTP but not al

[Freeipa-users] Re: DNS resolution failures

2024-01-30 Thread David Harvey via FreeIPA-users
Just checking if there are any suggestions as to how to debug this effectively. The lack of smoking barrel log entries we've seen with it have left us a little stumped! Thanks as always, David On Wed, 17 Jan 2024 at 10:54, Tania Hagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote

[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-23 Thread David Harvey via FreeIPA-users
Sorry if this is thread hijack (happy to start another) but further to this, is the single resolver 127.0.0.1 the blessed / recommended setup? We've had some chicken and egg situations recently where dirsrv being sad has broken local DNS resolution, and then krb behaviours and lookup for the other

[Freeipa-users] Recommended resolv.conf / hosts file

2024-05-29 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I nested this under a related topic before (subject: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) () ) but it was admittedly a bit off topic... Is configuring resolv.conf with the single resolver 127.0.0.1 the bl

[Freeipa-users] dyndns and dns forwarders

2024-07-11 Thread David Harvey via FreeIPA-users
Dear list, I'm thinking of making our border devices our primary port of call for DNS , and setting them to forward to FreeIPA. I found an inconclusive thread saying that this might break dyndns for my otherwise happy IPA clients. Does dyndns working rely upon clients having IPA servers setups as

[Freeipa-users] Re: dyndns and dns forwarders

2024-07-11 Thread David Harvey via FreeIPA-users
Super helpful, thank you Sam! On Thu, 11 Jul 2024, 18:01 Sam Morris via FreeIPA-users, < freeipa-users@lists.fedorahosted.org> wrote: > On 11/07/2024 14:36, David Harvey via FreeIPA-users wrote: > > Dear list, > > > > I'm thinking of making our border devices our

[Freeipa-users] certs: SAN without othername / NT Principal name

2022-03-31 Thread David Harvey via FreeIPA-users
Hi FreeIPA users, I'm having great fun with a web app that hates the othername/ NT Principal name included with certificates generated with ipa-getcert. I've tried several variations but can't omit this part of the subject alternative name. Is there any way to do so? Thanks in advance, David __

[Freeipa-users] Re: certs: SAN without othername / NT Principal name

2022-04-01 Thread David Harvey via FreeIPA-users
sers wrote: > > On to, 31 maalis 2022, David Harvey via FreeIPA-users wrote: > > > Hi FreeIPA users, > > > > > > I'm having great fun with a web app that hates the othername/ NT > Principal > > > name included with certificates generated with ipa-getc

[Freeipa-users] Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
Hi there, When I try and re-enable TOTP for a host auth indicator I receive "invalid 'krbprincipalauthind': authentication indicators not allowed in service "host"" Running FreeIPA 4.9.10 on Rocky. I'm having some issues working out the current methods of OTP enforcement for SSH interactive as a

[Freeipa-users] Re: Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
d not password only enabled... On Mon, 20 Mar 2023 at 17:05, Rob Crittenden wrote: > Alexander Bokovoy via FreeIPA-users wrote: > > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: > >> Hi there, > >> > >> When I try and re-enable TOTP for a ho

[Freeipa-users] Re: Host based two factor requirements

2023-03-20 Thread David Harvey via FreeIPA-users
ote: >> > On ma, 20 maalis 2023, David Harvey via FreeIPA-users wrote: >> >> Hi there, >> >> >> >> When I try and re-enable TOTP for a host auth indicator I receive >> >> "invalid 'krbprincipalauthind': authentication indicat

[Freeipa-users] Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-15 Thread David Harvey via FreeIPA-users
Hope this helps to save some of some time digging. And I know, freeipa-server on a non LTS release is daft.. apt-get install freeipa-server-trust-ad #This has been mentioned elsewhere, and it should either be a dependency OR it's absence should not break things as it currently does sudo mkdir /et

[Freeipa-users] Re: Overcoming hurdles installing freeipa-server on ubuntu 17.10

2017-06-20 Thread David Harvey via FreeIPA-users
doh. Yes, I did mean 17.04. /facepalm On Tue, Jun 20, 2017 at 9:40 AM, Timo Aaltonen wrote: > On 15.06.2017 15:39, David Harvey via FreeIPA-users wrote: > > Hope this helps to save some of some time digging. And I know, > > freeipa-server on a non LTS release is daft.. > >

[Freeipa-users] Re: Freeipa and Google Cloud Directory Sync (GCDS) password sync failing

2017-07-06 Thread David Harvey via FreeIPA-users
Hi Janet, I've been having a nightmare trying to get GCDS working in anything other than anonymous bind with basic LDAP (no SSL). Have you had any success with service accounts and or SSL? Best, David ___ FreeIPA-users mailing list -- freeipa-users@lists

[Freeipa-users] Re: Freeipa and Google Cloud Directory Sync (GCDS) password sync failing

2017-07-21 Thread David Harvey via FreeIPA-users
FWIW this was entirely down to a problem in the GCDS tool (or my use of it). Although GCDS bundles its own JRE and keystore, it had defaulted to using the system JRE and keystore. Adding "-Djavax.net.ssl.trustStore=/opt/GoogleCloudDirSync/jre/lib/security/cacerts" to config-manager.vmoptions (in t