[Freeipa-users] Re: Errors in enrolling Ubuntu 14.04 Client to FreeIPA

2017-07-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/31/2017 03:38 AM, Alka Murali via FreeIPA-users wrote: Hello Florence, I have checked the output for the ldapsearch command and I can see the IPA CA as well as the third party CA in my /etc/ipa/ca.crt file on my IPA Server. I even tried installing the client by giving the option

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote: I'm really at a loss on this one. I have a bunch of old server images (from 2 months ago) that can run ipa-client-install just fine. When I created a new image, though, I get this error (from the install logs): DEBUG flushing

[Freeipa-users] Re: Failed Upgrade?

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/01/2017 01:32 AM, Ian Harding via FreeIPA-users wrote: On 07/31/2017 11:34 AM, Rob Crittenden wrote: Ian Harding via FreeIPA-users wrote: I had an unexpected restart of an IPA server that had apparently had updates run but had not been restarted. ipactl says pki-tomcatd would not

[Freeipa-users] Re: Failed Upgrade?

2017-08-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: On 08/01/2017 03:11 PM, Ian Harding wrote: On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote: On 08/01/2017 01:32 AM, Ian

[Freeipa-users] Re: Failed Upgrade?

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On 08/02/2017 12:11 AM, Florence Blanc-Renaud wrote: On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03 PM, Rob Crittenden wrote: Ian Harding wrote: On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: On 08/01/2017

[Freeipa-users] Re: Edit named-pkcs11

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 02:10 AM, Tejas Desai via FreeIPA-users wrote: BIND uses the directives “type forward” and “forward first” in its named.conf file. How can I make use of BIND directives when using ipa dns? Because it is based on BIND, can I edit named-pkcs11 directly? Tejas

[Freeipa-users] Re: Failed Upgrade?

2017-08-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On 08/03/2017 12:28 AM, Florence Blanc-Renaud wrote: On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On 08/02/2017 12:11 AM, Florence Blanc-Renaud wrote: On 08/02/2017 01:43 AM, Ian Harding wrote: On 08/01/2017 12:03

[Freeipa-users] Re: PKI debug files are not rotated

2017-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/03/2017 11:19 AM, Harald Dunkel via FreeIPA-users wrote: Hi folks, I found some very large log files in /var/log/pki/pki-tomcat/ca On the major CA host the "debug" file is >1GByte and was never rotated. It seems that there is a responsible config file /etc/\

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/10/2017 04:47 PM, Harald Dunkel wrote: Hi folks, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote: Hi, You can follow the steps described here:

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/11/2017 09:04 AM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On Thu, 10 Aug 2017 17:21:19 +0200 Florence Blanc-Renaud wrote: On 08/10/2017 04:47 PM, Harald Dunkel wrote: Hi folks, On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote:

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote: Hi all, I would appreciate any help on my attempt to promote an existing client to replica. After client installation, I added replica-to-be to ipaservers hostgroup and then run "replica-install --setup-ca" but

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote: On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 07/27/2017 09:17 AM, Petros Triantafyllidis via FreeIPA-users wrote: Hi all, I would appreciate any help on my attempt to promote an existing

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/27/2017 04:03 PM, Petros Triantafyllidis wrote: On 07/27/2017 04:17 PM, Florence Blanc-Renaud via FreeIPA-users wrote: On 07/27/2017 11:34 AM, Petros Triantafyllidis via FreeIPA-users wrote: On 07/27/2017 11:13 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 07/27/2017 09:17 AM

[Freeipa-users] Re: Free IPA/LDAP migration

2017-07-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/26/2017 08:32 AM, Ed Aiduc via FreeIPA-users wrote: Hi! I'm a newbie here. I just have a question with regards to LDAP. I have two free ipa servers, one with ldap and the other one has no ldap on it, I wanted to transfer/migrate the ldap config from one server to another server with no

[Freeipa-users] Re: Errors after Upgrading from Fedora 23 to Fedora 25

2017-07-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/29/2017 02:12 PM, dntosas--- via FreeIPA-users wrote: Hello World! I got an installation with FreeIPA server 4.2.4 in Fedora 23 and all worked fine I decided to upgrade to Fedora 25 via dnf-upgrade-plugin All the upgrade proc goes smooth and as a result my freeipa rpm packages also

[Freeipa-users] Re: Failed Upgrade?

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/01/2017 03:11 PM, Ian Harding wrote: On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote: On 08/01/2017 01:32 AM, Ian Harding via FreeIPA-users wrote: On 07/31/2017 11:34 AM, Rob Crittenden wrote: Ian Harding via FreeIPA-users wrote: I had an unexpected restart of an IPA server that

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/01/2017 03:11 PM, Mark Haney via FreeIPA-users wrote: On 08/01/2017 03:26 AM, Florence Blanc-Renaud wrote: another user hit the same problem as you (ipa-replica-install --setup-ca fails during pkispawn and the PKI debug log shows an error related to updateNumberRange). He managed to

[Freeipa-users] Re: Renewing /etc/httpd/alias certs

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/01/2017 03:50 PM, Jason B. Nance via FreeIPA-users wrote: Hello everyone, I'm running FreeIPA 4.4 (as shipped with current CentOS 7). I had a series of unfortunate events which resulted in the entire cluster being offline for a matter of a couple weeks during which the certificate in

[Freeipa-users] Re: Failed Upgrade?

2017-08-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/04/2017 11:02 PM, Ian Harding via FreeIPA-users wrote: On 8/4/17 2:16 AM, Florence Blanc-Renaud wrote: On 08/03/2017 11:13 PM, Ian Harding via FreeIPA-users wrote: On 08/03/2017 12:28 AM, Florence Blanc-Renaud wrote: On 08/02/2017 11:51 PM, Ian Harding via FreeIPA-users wrote: On

[Freeipa-users] Re: certificate has expired?

2017-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/07/2017 11:25 PM, Roberto Cornacchia wrote: A relatively good news: The current error (Insufficient access: Principal 'HTTP/spinque04.hq.spinque@hq.spinque.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for

[Freeipa-users] Re: certmonger CA settings

2017-06-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/21/2017 07:41 AM, Ian Pilcher via FreeIPA-users wrote: As part of my debugging efforts (see "Expired certificates" thread), I modified the settings for the dogtag-ipa-renew-agent and dogtag-ipa-ca-renew-agent CAs. Unfortunately, I forgot to make a note of the original settings.

[Freeipa-users] Re: certmonger CA settings

2017-06-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/21/2017 04:13 PM, Ian Pilcher via FreeIPA-users wrote: On 06/21/2017 01:39 AM, Florence Blanc-Renaud wrote: your CA helpers are properly configured, except for the last one, which should look like the following: CA 'dogtag-ipa-ca-renew-agent': is-default: no ca-type: EXTERNAL

[Freeipa-users] Re: getcert list -d /etc/httpd/alias -n "Server-Cert" status: CA_UNREACHABLE

2017-05-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/23/2017 10:56 PM, Jake via FreeIPA-users wrote: I am trying to renew the last certificate for the IPA masters (previous email) and am coming across this issue on my original IPA master (first server) getcert list -d /etc/httpd/alias -n "Server-Cert" Number of certificates and requests

[Freeipa-users] Ansible and ipa-client-install

2017-06-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the team is starting investigations regarding the deployment of IPA using Ansible, and we would like to get community feedback. Ansible already provides a few community-maintained Identity Modules [1] that allow managing users, groups, hosts, hbac rules, roles, sudo rules, but in a first

[Freeipa-users] Re: Can't install client on scientific linux 7.3

2017-06-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/27/2017 12:40 PM, Niels Walet via FreeIPA-users wrote: I seem to have some serious issues with ipa on sl 7.3; on installing on a client, the install works through fine until it bombs on the following issue: https://theoipa.ph.man.ac.uk/ipa/json Created connection context.rpcclient_47349328

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/18/2017 05:11 PM, Marius Bjørnstad via FreeIPA-users wrote: Hi, When /tmp is full, it is impossible to authenticate with Kerberos. Login with password over SSH and sudo don't work. Login with ssh key works fine. Here is the output in the system log when I try to log on via SSH with

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/11/2017 04:53 PM, Winfried de Heiden via FreeIPA-users wrote: CS.cfg was modified so pki-tomcat can login using a password and non-secure LDAP. At least it is working now: < internaldb.ldapauth.authtype=BasicAuth < internaldb.ldapauth.bindDN=cn=Directory Manager --- >

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Florence Blanc-Renaud via FreeIPA-users
IPA server, and FreeIPA in turn communicates with Dogtag. You will probably find more information in FreeIPA server logs (in /var/log/httpd/error_log) and in Dogtag logs (/var/log/pki/pki-tomcat/ca/debug). Flo Winfried On 11-09-17 at 17:12, Florence Blanc-Renaud via FreeIPA-users wrote: On 09/11/

[Freeipa-users] Re: Duplicate Certificate on master.

2017-09-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/29/2017 02:39 AM, Bhavin Vaidya via FreeIPA-users wrote: Hello, On our master FreeIPA I see multiple (which are duplicate) entries for certificates with different NSS Database. Some are from /var/lib/pki/pki-tomcat/alias instead of /etc/pki/pki-tomcat/alias. As I inherited the setup and

[Freeipa-users] Re: IPA Server Upgrade Error

2017-10-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/28/2017 11:51 AM, Alka Murali via FreeIPA-users wrote: Hi Florence, Thanks for the email. I am on CentOS 7 system and would like to use yum to go for the Upgrade. I believe dnf is intended for Fedora. Can you please provide me a solution for CentOS on the Upgrade process. Regards,

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/28/2017 04:12 AM, Alka Murali wrote: Hi Florence, Thanks for the email. As you have mentioned, I tried updating the corresponding python files under IPA Server and tried for the Upgrade. Hi, do you mean that you manually edited the python files? In this case it is likely that some

[Freeipa-users] Re: IPA Server Upgrade Error

2017-09-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 09/28/2017 09:52 AM, Alka Murali wrote: Hi Florence, Thanks for the reply. However do you mean that I need to create a new repo file for Version 4.6 and try the Upgrade? Or do you mean that I need to remove the current installation and go for a fresh install? Hi, the easiest path is

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/15/2017 03:30 PM, Rob Crittenden via FreeIPA-users wrote: Julian Gethmann wrote: On 08/14/2017 09:51 PM, Rob Crittenden wrote: Julian Gethmann wrote: On 08/14/2017 05:46 PM, Rob Crittenden wrote: Julian Gethmann wrote: Hello, On 08/14/2017 04:21 PM, Rob Crittenden wrote: Julian

[Freeipa-users] Re: Free IPA/LDAP migration

2017-08-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/22/2017 07:53 AM, Mon Corotan via FreeIPA-users wrote: Hi.. Sorry for this late update. Thank you for responding to my query. I was able to do it on my test vm environment, replication and migration also works. I tried this process on production environment but unfortunately I am

[Freeipa-users] Re: Issues after adding Let's encrypt certificate

2017-08-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/18/2017 05:46 PM, Sarhan Aissi via FreeIPA-users wrote: Hi, I got another error when trying the command again: trying https://ipa.example.net/ipa/json Forwarding 'ca_is_enabled' to json server 'https://ipa.example.net/ipa/json' cert validation failed for "CN=ipa.example.net"

[Freeipa-users] Re: problem installing 3rd party(trusted cert)

2017-08-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/28/2017 04:00 PM, Rob Morin via FreeIPA-users wrote: Hello all... So I have a wildcard cert from geotrust. I am running freeipa V4.4 fresh install, no users yet. I downloaded and installed their GeoTrust Primary Certification Authority root cert from here -->

[Freeipa-users] Re: Freeipa Certficates issues

2017-08-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/29/2017 06:43 PM, Julien Honore wrote: Hi Florence, Thank you for the reply. When I execute the command sudo kinit -kt /etc/krb5.keytab the result is : kinit: Clients credentials have been revoked while getting initial credentials When I try the command ipa-getkeytab, I don't have the

[Freeipa-users] Re: problem installing 3rd party(trusted cert)

2017-09-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/30/2017 08:26 PM, Rob Morin wrote: I ran this command firstly: The G2 root CA from Geotrust website.. [root@auth-1 certs]# ipa-cacert-manage -p 7t7FR.08 -n httpcrt -t C,, install root_ca.crt Installing CA certificate, please wait CA certificate successfully installed The

[Freeipa-users] Re: FreeIPA client installation failure

2017-10-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/06/2017 02:04 AM, Bhavin Vaidya via FreeIPA-users wrote: Hello, Thank you all for help in the past, as I keep encountering one issue after another. Sorry for the long email, as I'm posting a log. Let me know if there is another way. IPA Server OS: CentOS Linux release 7.0.1406 (Core) IPA Server

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/23/2017 08:59 PM, Bhavin Vaidya via FreeIPA-users wrote: Hello Rob, here is what we have. Looks like the /etc/httpd/alias certificate is different, as it is from Aug 03 2014 through Aug 03 2034, which is the original date. If /etc/httpd/alias does not contain the latest IPA CA certificate,

[Freeipa-users] Re: Listing groups in FreeIPA

2017-11-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/09/2017 08:10 PM, Kristian Petersen via FreeIPA-users wrote: Hey all, Is there a way to get a list of all of the groups in FreeIPA using the python API? -- Kristian Petersen System Administrator Dept. of Chemistry and Biochemistry

[Freeipa-users] FreeIPA wiki: troubleshooting

2017-11-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi all, FreeIPA wiki contains a really long page for Troubleshooting [1], and I would like to re-organize the content a little bit differently. My proposal would be to keep this page as the main access point and only store pointers to other pages, organized by component. We can keep the

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-11-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote: I see, mechanism is clear for me. I took my CA chain from https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2 And my chain is following: main cert Issuer: C=GB, ST=Greater

[Freeipa-users] Re: Promote ipa-client-install to a replica successful but system become unstable

2017-11-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/28/2017 08:25 AM, barrykfl--- via FreeIPA-users wrote: Dear all: two server replicas, but the latter one became unstable. I successfully promoted a client to replica master, but after reboot the response is slow, certmonger fails to start and remote login via ssh is very slow, delayed half a minute

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-11-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote: On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote: Hi, the ca certs need to be added from the root to the one that issued the server cert: 1/ ipa-cacert-manage install root.crt + ipa-certupdate 2/ ipa-cacert-manage

[Freeipa-users] Re: Joining realm failed: HTTP POST to URL 'https://ipaserver.mydomain:443/ipa/xml' failed. HTTP response code is 401, not 200

2017-11-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/30/2017 11:39 AM, Fuji San via FreeIPA-users wrote: Hello, I have trouble enrolling an ipa client. I just installed Fedora 27 and all the packages are up-to-date. I succeeded in enrolling 2 previous F27 clients, but this one is giving me a hard time. Any help would be welcome. Fuji --

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-12-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote: Does anybody have any clue about what I have to do with it? Florence? Should I delete self-sign SSL from ipa-server CA completely? As I understood - there is some conflict between new CA and old, am I right? Hi, can you check if

[Freeipa-users] Re: FreeIPA setup third party ssl from Comodo

2017-12-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/01/2017 10:22 AM, Andrew Radygin via FreeIPA-users wrote: Wow, Flo!!! You were right, there was such cert with another key. Done that in such way: ldapdelete "cn=Comodo3,cn=certificates,cn=ipa,cn=etc,dc=domain,dc=net" /usr/bin/certutil -d /etc/ipa/nssdb -D -n Comodo3 /usr/bin/certutil -d

[Freeipa-users] Re: Replacing externally signed CA long before expiry

2017-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote: Hello, Using freeipa 4.5. I've replaced an external root CA that had a very short key, and have gone through the process of resigning the ipa intermediate-CA. I've used ipa-cacert-manage to generate a new csr and have signed it

[Freeipa-users] Re: retrieve user keytab from multiple hosts

2017-12-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/15/2017 12:52 PM, Stijn De Weirdt via FreeIPA-users wrote: hi all, I'm trying to retrieve an existing keytab for a user on a second host. ipa-getkeytab on a first host worked fine. But when I try to retrieve the keytab (using the -r option) I get an "Insufficient access rights" error (even

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote: My concern is, it looks much more restricted than the old root CA certificate: # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname

[Freeipa-users] Re: Replacing externally signed CA long before expiry

2017-12-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote: Hi Flo, On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud wrote: On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote: Hello, Using freeipa 4.5.

[Freeipa-users] Re: WebGui Cert back to selfsigned

2017-11-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/2017 06:41 PM, Matt . via FreeIPA-users wrote: Hi Guys, Is there a proven way to set the WebGui cert back to a self signed one ? I have installed an expired 3rd party certificate and want to move back to a selfsigned cert and later on to an letsEncrypt one. Setting back the time

[Freeipa-users] Re: Question about FreeIPA-pki-tomcatd fails to start

2017-11-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/09/2017 09:16 AM, None via FreeIPA-users wrote: Dear, I encountered an issue on FreeIPA, could someone give some suggestion? thanks ahead~ ipactl start Starting Directory Service Starting krb5kdc service Starting kadmin Service … Starting pki-tomcatd Service Failed to start

[Freeipa-users] Re: master - replica relationship

2017-11-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/08/2017 04:52 AM, Lachlan Musicman via FreeIPA-users wrote: Hello, I'm still trying to wrap my head around the master-replica concept. From what I read in the documentation (Chapter 4 of

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/08/2017 08:01 AM, Harald Dunkel via FreeIPA-users wrote: Hi Flo and Andrew, thanks for your replies, but I think you missed the point: The new (external) root CA certificate and the new ipa CA certificate are *in* freeipa already, but on the host I had used for running ipa-cacert-manage to

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/08/2017 01:08 PM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote: Hi Harald, the external CAs and FreeIPA CA must be stored in the LDAP server (cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external CAs to the

[Freeipa-users] Re: Authentication for ipa cli scripting (wsgi, kerberos)

2017-12-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/04/2017 03:57 PM, skrawczenko--- via FreeIPA-users wrote: Hello all, I suppose the issue is quite typical but I am still unable to find any solution. All I need is to run some ipa cli commands from scripts with a preliminary kinit. I manage to authenticate as kinit -F -k -t That allows me to

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/07/2017 09:17 AM, Harald Dunkel via FreeIPA-users wrote: Hi Rob, On 12/6/17 9:56 PM, Rob Crittenden via FreeIPA-users wrote: Harald Dunkel via FreeIPA-users wrote: Here is what I see on the broken ipa server: [root@ipa1 ~]# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2017-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote: Hi Flo, On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote: Hi, I would try to remove the new root CA from LDAP and re-import it using ipa-cacert-manage install -t C,, This should create the entry

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/28/2017 01:15 AM, Kristian Petersen via FreeIPA-users wrote: I forgot to include the results of the commands in case it is helpful: -bash-4.2$ ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso Enter LDAP Password: dn:

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/30/2017 05:23 PM, Kristian Petersen via FreeIPA-users wrote: OK I think I got the ldapmodify to work. I reran the commands to check the two certs and they appear to match now. However, when I run an ipactl restart the system still fails on pki-tomcatd. Hi, In this case I think that

[Freeipa-users] Re: [Freeipa-users] https://www.freeipa.org/page/V4/Authselect_migration review

2018-05-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/04/2018 05:40 PM, Rob Crittenden via FreeIPA-users wrote: Not sure worth adding but `authselect list` will show available profiles. I think commands should use a tag rather than bold (authselect select sssd with-mkhomedir). The NIS domain change is mentioned but not the proposed or

[Freeipa-users] Re: Server Uninstall Fail

2018-05-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/09/2018 12:44 AM, Ross Infinger via FreeIPA-users wrote: After a failed ipa-replica-install, I try to uninstall with ipa-server-install --uninstall.  However the uninstall is failing with the following: [root@ipa-nyc-pci01 ~]# ipa-server-install --uninstall This is a NON REVERSIBLE

[Freeipa-users] Re: Promoting CA replica to master

2018-05-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/29/2018 03:54 PM, Carlos Fernández Manteiga via FreeIPA-users wrote: Hi Florence, Let me give more info about our FreeIPA infrastructure. We have 8 servers in different zones, 2 per zone. Last year we installed the first two IPAs, one from scratch and the other its first replica, and

[Freeipa-users] Re: Error after migration all user from ldap

2018-05-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/29/2018 12:26 PM, barrykfl--- via FreeIPA-users wrote: Hi : I migrated using commands from ipa 3 to ipa 4: ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://abc.cde.com:389 Fine, I saw everything

[Freeipa-users] Re: Promoting CA replica to master

2018-05-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 05/29/2018 01:14 PM, Carlos Fernández Manteiga via FreeIPA-users wrote: Hi, We've created a new replica from our FreeIPA infrastructure, with CA capabilities. Now we want it to be the CA renewal master, as it's written here:

[Freeipa-users] Re: Promoting CA replica to master

2018-06-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/26/2018 03:08 PM, Carlos Fernández Manteiga via FreeIPA-users wrote: Hi, Sorry about not replying to this, we could not try it until now. We've followed the doc, and it seems to work ok, certificates can be issued without problems, so we hope that autorenewal works too. But we have a little

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/26/2018 09:58 AM, Jokinen Eemeli via FreeIPA-users wrote: Hello! Thank you for your answers by the way, seems like we're getting closer and closer every step although we haven't had a breakthrough yet... At least I feel like I understand the structure of IPA better already! A bit long

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/25/2018 07:48 AM, Jokinen Eemeli via FreeIPA-users wrote: Hi! gssproxy up and running -- systemctl status gssproxy ● gssproxy.service - GSSAPI Proxy Daemon Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled) Active: active (running) since

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/20/2018 01:53 PM, Jokinen Eemeli via FreeIPA-users wrote: Hello all! I have a very similar problem as this one: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/YU6TZHOJAV5QHHHPQWJHYX3FP4OHA37X/ ipa-server-upgrade fails as below -- Update

[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

2018-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/27/2018 07:02 AM, Thomas Letherby via FreeIPA-users wrote: After some fiddling with dates some more I seem to have the HTTPD cert in sync, however it appears the cert signing cert is expired. named also says it's starting, but doesn't seem to want to respond. I don't have time to dig

[Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

2018-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 06/27/2018 08:56 AM, Jokinen Eemeli via FreeIPA-users wrote: Hi! -- certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep "Not Before" Not Before: Wed Feb 21 09:58:22 2018 certutil -L -d /etc/dirsrv/slapd-<> -n Server-Cert | grep "Not Before"

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/26/2017 04:58 PM, Kristian Petersen via FreeIPA-users wrote: I am having problems with the server that currently is my main CA and was considering trying to switch that function to a different server.  I have tried some of the stuff I found online but the CA role can't be enabled on

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/27/2017 12:55 AM, Kristian Petersen via FreeIPA-users wrote: I checked the logs that turned up after running the find command suggested by Jochen and only a couple of them turned up anything that mention pki or pki-tomcat: from /var/log/audit/audit.log: type=SERVICE_START

[Freeipa-users] Re: ipa-client-install - error - Failed to obtain host TGT: Major (851968)

2018-01-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/06/2018 08:51 PM, lejeczek via FreeIPA-users wrote: hi everyone I'm trying a client, when I do: $ ipa-client-install --no-ntp --force-join Discovery was successful! ... Also note that following ports are necessary for ipa-client working properly after enrollment: TCP: 464

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/06/2018 08:54 PM, lejeczek via FreeIPA-users wrote: hi I'm trying to install replica, process fails: ..   [3/5]: creating anonymous principal   [4/5]: starting the KDC   [5/5]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin   [1/2]:

[Freeipa-users] Re: worst nightmare come true: ipa service doesn't start anymore

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 10:06 AM, Harald Dunkel via FreeIPA-users wrote: On 12/14/17 17:09, Harald Dunkel via FreeIPA-users wrote: Hi Flo, Rob, On 12/14/17 9:27 AM, Florence Blanc-Renaud via FreeIPA-users wrote: The files should contain multiple certificates (IPA CA and the external CA certificates

[Freeipa-users] Re: files permission from apache's perspective

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 02:42 PM, lejeczek via FreeIPA-users wrote: hi I see in httpd/error_log entries about access, like: Wed Jan 10 13:32:30.726295 2018] [:error] [pid 606202] ipa: INFO: [jsonserver_kerb] ad...@private.xx.xx.private.xx.xx.x: host_find/1(None, version=u'2.228'): SUCCESS [Wed Jan 10

[Freeipa-users] Re: "certmonger.py", line 317, in request_and_wait_for_cert

2018-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/11/2018 05:16 PM, lejeczek via FreeIPA-users wrote: On 11/01/18 15:02, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: hi not an python nor ipa expert here, looking at certmonger.py what does such an error indicate? : ipa : DEBUG    certmonger request is in state

[Freeipa-users] Re: replica install fails: CA_UNREACHABLE

2018-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 12:29 PM, lejeczek via FreeIPA-users wrote: On 09/01/18 17:24, Charles Hedrick wrote: I also had issues installing a replica under 7.4. Here are my notes. krb4 is the new replica, krb1 and 2 the existing ones. I'm on Centos, there is something very wrong with freeipa /

[Freeipa-users] Re: Vault best practices

2018-01-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/21/2018 04:28 PM, Fil Di Noto via FreeIPA-users wrote: I've been using Vaults, I feel like I need some kind of version control, or historical log of values to recover from mistakenly overwriting vaults. What do most do? I notice that some docs have vault-add commands with a

[Freeipa-users] Re: Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

2018-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, just a wild guess but was ipa installed with a umask more restrictive than 022? You may also want to start ipa in debug mode in order to have more traces: $ cat /etc/ipa/server.conf [global] debug=True $ ipactl restart HTH, Flo On 01/18/2018 08:42 AM, Alexandre Pitre via FreeIPA-users
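The two suggestions in that reply (a too-strict umask at install time, and turning on debug=True in /etc/ipa/server.conf) can be checked with a few shell helpers. The following is an added example and is not code from the thread or from the FreeIPA project; the paths /etc/ipa and /etc/ipa/server.conf in the closing comment are assumed defaults, and the helpers take file and directory paths as arguments so they can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Three helpers for the two suggestions above: decide whether a umask would
# have stripped the read bits that IPA's service accounts depend on, list
# files under a directory that are not world-readable, and switch on
# debug=True in a server.conf-style file. Paths are passed as arguments so
# the helpers can be exercised on copies; the real locations are assumed to
# be /etc/ipa/server.conf and the directories under /etc/ipa.

# umask_ok MASK: return 0 if MASK (octal, e.g. 022 or 0022) leaves the
# group- and other-read bits alone, 1 if it strips either of them. Files
# created under a mask such as 027 or 077 end up unreadable by the httpd,
# dirsrv and pkiuser accounts, which is the failure mode being guessed at.
umask_ok() {
    mask=$((0$1))            # leading 0 forces octal in shell arithmetic
    [ $((mask & 0044)) -eq 0 ]
}

# find_unreadable DIR: print regular files under DIR that lack the
# other-read bit (mode bit 004), one path per line.
find_unreadable() {
    find "$1" -type f ! -perm -004
}

# enable_debug FILE: set debug=True in the [global] section of FILE,
# replacing an existing debug= line instead of adding a duplicate.
# Assumes the file already has a [global] header, as IPA's server.conf does.
enable_debug() {
    f=$1
    tmp=$(mktemp) || return 1
    if grep -q '^debug=' "$f"; then
        sed 's/^debug=.*/debug=True/' "$f" > "$tmp"
    else
        awk '{ print } /^\[global\]$/ { print "debug=True" }' "$f" > "$tmp"
    fi
    cat "$tmp" > "$f"        # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Stand-alone use on a real server (assumed default paths):
#   umask_ok "$(umask)" || echo "current umask strips read bits"
#   find_unreadable /etc/ipa
#   enable_debug /etc/ipa/server.conf && ipactl restart
```

The umask check only tells you about the current shell; a package installed or a server set up from a session with umask 077 leaves its mark in the file modes, which is what find_unreadable surfaces. Review its output before loosening anything, since some files under /etc/ipa (keytabs, private keys) are meant to be unreadable to others.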

[Freeipa-users] Re: "certmonger.py", line 317, in request_and_wait_for_cert

2018-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/11/2018 06:37 PM, lejeczek via FreeIPA-users wrote: On 11/01/18 17:02, Florence Blanc-Renaud wrote: On 01/11/2018 05:16 PM, lejeczek via FreeIPA-users wrote: On 11/01/18 15:02, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: hi not an python nor ipa expert here, looking at

[Freeipa-users] Re: Replacing externally signed CA long before expiry

2018-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/10/2018 07:47 PM, Steve Dainard via FreeIPA-users wrote: Hi Flo, Is there anything I can do to help troubleshoot this issue? Or is there a bugzilla issue I can watch? Thanks, Steve Hi Steve, I was not able to reproduce the behavior you are experiencing. With IPA 4.5.0-22 on rhel

[Freeipa-users] Re: Certificates not renewed till 2 hours before expiring

2018-01-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/30/2018 02:02 PM, Christof Schulze via FreeIPA-users wrote: Hi, Now the roof is on fire, all certificates are synced on all masters since a long time ago. The not renewing certificates in /etc/pki/pki-tomcat/alias have now expired "subsystemCert cert-pki-ca" , "ocspSigningCert

[Freeipa-users] Re: Howto renew certificates with external CA?

2018-01-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/24/2018 07:35 PM, Harald.Husemann--- via FreeIPA-users wrote: Hello Flo, thanks for your answer, and for the explanation of the certutil output. I have tried your suggestion, first with sudo: hhuseman@mat-ipa-master-1:~$ sudo kinit -kt /etc/krb5.keytab [sudo] password for hhuseman:

[Freeipa-users] Re: Howto renew certificates with external CA?

2018-01-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/30/2018 05:17 PM, Harald Husemann via FreeIPA-users wrote: Hello Flo, and thanks again for your response. First of all, I've figured out that the package "pki-symkey" was missing, so I've installed it with yum. Now, according to systemctl, pki-tomcatd is running:

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did figure out that I can use # ldapsearch -D 'directory manager' -W -E pr=2 -b idnsname=damascusgrp.com,cn=dns,dc=damascusgrp,dc=com to list out all the entries, but the format isn't what I'm expecting. What I'm actually

[Freeipa-users] Re: FreeIPA replica in AWS

2018-02-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/07/2018 10:53 PM, Andrew Meyer via FreeIPA-users wrote: I just got FreeIPA added as a client and then I tried to promote it as a replica. I got the following error: Done configuring kadmin. Configuring directory server (dirsrv) [1/3]: configuring TLS for DS instance [error]

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret Wortman wrote: On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/15/2018 10:08 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/14/2018 05:58 PM, Bret Wortman wrote: On 02/14/2018 10:22 AM, Florence Blanc-Renaud wrote: On 02/14/2018 12:52 PM, Bret Wortman via FreeIPA-users wrote: I did figure out that I can use # ldapsearch -D 'directory

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud wrote: On 02/15/2018 10:08 AM, Florence Blanc

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/15/2018 05:01 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 02/15/2018 09:29 AM, Florence Blanc-Renaud wrote: On 02/15/2018 02:40 PM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 07:09 AM, Florence Blanc-Renaud via FreeIPA-users wrote: On 02/15/2018 11:47 AM, Bret Wortman via FreeIPA-users wrote: On 02/15/2018 04:50 AM, Florence Blanc-Renaud

[Freeipa-users] Re: debian 8 freeipa-client

2018-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
ount   - common-auth   - common-password   - common-session - name: ssh - add sshd_config   copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644   notify: ssh_restart - name: sudo - add sudoers-custom   copy: src=sudoers-cu

[Freeipa-users] Re: Tomcat/CA fails to start after upgrade

2018-06-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Thomas, you can have a look at https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/ Usually the communication issue between PKI and LDAP is linked to an expired certificate, or a mismatch between the content of uid=pkidbuser,ou=people,o=ipaca and

[Freeipa-users] Re: Issue with creating CA replica/how to do so

2018-08-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/25/2018 12:02 AM, Jared Biel via FreeIPA-users wrote: Hello, I'm trying to add a CA replica to an already established "regular" replica and am unable to do so. Can anyone point me to instructions for how to do this? It seems like maybe some files need to be manually copied over from

[Freeipa-users] Re: Replacing selfsigned cert with external signed CA

2018-07-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/17/2018 10:58 AM, Jan Gardian via FreeIPA-users wrote: Hello, Could you please recommend procedure to replace self signed IPA certificate with external signed CA? I found this

[Freeipa-users] Re: Problem with replication topology after replica removal

2018-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
On 07/20/2018 04:45 PM, Przemysław Orzechowski via FreeIPA-users wrote: Hi I removed a replica but after removal i got 3 undeleted replication agreements I can't delete it with ipa topologysegment-del error returned ipa: ERROR: Server is unwilling to perform: Removal of Segment
