[Freeipa-users] ipa-getcert and java certstore/keytool

2017-08-02 Thread Jochen Hein via FreeIPA-users
Hi, I'm playing around with keycloak and wanted to use an SSL certificate from IPA. I've looked around but didn't see any howto about using java keytool with ipa-getcert. Has someone experience with it? I was not successful adding key/cert created by certmonger into keytool, and also not

[Freeipa-users] Re: Valid Sender ? - Re: Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Jochen Hein via FreeIPA-users
Rob Crittenden writes: > certmonger doesn't support storing certificates in a java keystore. That's what I found out :-) > The tricky bit might be in dealing with the CSR. certmonger needs the > private key in order to do the renewal. > > I guess one thing you could do is a

[Freeipa-users] Re: autofs.service on NFS clients and servers

2017-07-14 Thread Jochen Hein via FreeIPA-users
Prasun Gera via FreeIPA-users writes: > The only thing I would be interested in knowing is if there is a > performance penalty to mounting NFS locally. Ideally, it should be smart > enough to know that, but I'm not sure if it is. On my NFS server /home is a

[Freeipa-users] Re: FIPA OTP 2FA

2017-08-08 Thread Jochen Hein via FreeIPA-users
saidireddy ranabothu via FreeIPA-users writes: > I have enabled password+OTP authentication for a user and able to sync > tokens and SSH. > > While ssh to server using FIPA credentials it's asking authentication in > two steps as First Factor and Second

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-06 Thread Jochen Hein via FreeIPA-users
Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes: > Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes: > >> So theoretically certmonger could for example, track PEM files in the >> filesystem and upon re

[Freeipa-users] Re: FreeIPA 4.4 with Yubikey and Radius for VPN auth

2017-06-12 Thread Jochen Hein via FreeIPA-users
Hello Dagan, > The VPN is Cisco, we use openconnect to connect to it currently and it > works without a problem. I use ocserv on my VPN server and openconnect - normally with GSSAPI, but I'll try with password/OTP. > The Yubikeys in the existing configuration are in a static file, which > does

[Freeipa-users] Re: Web UI login fails after upgrading to 4.5

2017-10-05 Thread Jochen Hein via FreeIPA-users
Marius Bjørnstad via FreeIPA-users writes: > After I upgraded to FreeIPA 4.5 (on CentOS 7), I get an error "Login > failed due to an unknown reason" on the web UI, no matter if I use the > admin user or my personal user. ... > [Thu Oct 05 11:36:38.505372

[Freeipa-users] [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users
I've upgraded my FreeIPA servers to CentOS 7.5 (CR). After that I have the following new messages during backup: Aug 30 01:34:34 freeipa1 ns-slapd: [30/Aug/2017:01:34:34.225932118 +0200] - ERR - dblayer_copy_directory - Backend instance "cldb" does not exist; Instance path

[Freeipa-users] Re: [CentOS 7.5] error message during LDAP backup

2017-08-30 Thread Jochen Hein via FreeIPA-users
Ludwig Krispenz via FreeIPA-users writes: > This is issue: https://pagure.io/389-ds-base/issue/49334 Thanks for the info. I like the documentation and analysis in the tickets (not only this one) - well done! Jochen -- This space is intentionally left

[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-09 Thread Jochen Hein via FreeIPA-users
Torsten Harenberg via FreeIPA-users writes: > Suddenly, our Linux Mint clients refrain from logging in users and > throw a system error. I increased the log level and the relevant lines > seem to be: > > (Sun Sep 10 03:19:09 2017)

[Freeipa-users] Re: Manual IPA client install

2017-10-17 Thread Jochen Hein via FreeIPA-users
Mark Haney via FreeIPA-users writes: > since these two servers are CentOS 6.9.  I'm almost certain I've got > everything setup correctly, but I'm still unable to login as an IPA > user either with SSH or with su - . I get ' does > not exist'. However, I

[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell

2017-11-28 Thread Jochen Hein via FreeIPA-users
Aaron Hicks via FreeIPA-users writes: > As a workaround for another issue we have with using two-factor > authentication, we're using pam_krb5 to change expired passwords, so in > /etc/pam.d/password-auth-ac we have changed the password section to be: > ...

[Freeipa-users] Re: some basic questions about FreeIPA

2018-05-14 Thread Jochen Hein via FreeIPA-users
Udo Rader via FreeIPA-users writes: > Our current setup looks like this: ... > #4 DHCP is handled by multiple, distributed ISC DHCP servers, > configured to pull their configuration from OpenLDAP (network > definitions, routers, NTP servers, MAC addresses

[Freeipa-users] Re: Overall users experience with Free-IPA

2018-05-08 Thread Jochen Hein via FreeIPA-users
Hi, Duncan Colhoun via FreeIPA-users writes: > Can I get some feedback on the overall experience setting up and > running Free-IPA. I am looking at implementing Free-IPA to > enhance/replace an OpenLDAP environment. I'm running a small FreeIPA (2 servers)

[Freeipa-users] Re: keycloak

2018-06-07 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > I don't know where Keycloak upstream is. Look at http://www.keycloak.org Jochen -- This space is intentionally left blank. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users writes: > When I recently updated one of my IPA servers (it reports > 4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up > because pki-tomcatd kept failing. I was able to get it running for now by

[Freeipa-users] Re: Switching which FreeIPA server is the main CA

2017-10-26 Thread Jochen Hein via FreeIPA-users
Kristian Petersen via FreeIPA-users writes: > The dirsrv log just shows a bunch of the following: > [13/Oct/2017:14:32:07.132312021 -0600] - ERR - slapi_ldap_bind - Error: > could not bind id [cn=Replication Manager cloneAgreement1-ipa >

[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-04 Thread Jochen Hein via FreeIPA-users
Cody Rathgeber via FreeIPA-users writes: > I'm trying to deploy freeipa to an environment running a mix of ubuntu > 16.04 and 14.04 servers. > on 16.04 the servers join and can pull down users no problem, on 14.04 when > joining it'll throw a > > "Unable to

[Freeipa-users] Re: freeipa client working on ubuntu 16.04 but not 14.04

2018-01-05 Thread Jochen Hein via FreeIPA-users
Cody Rathgeber writes: > Thanks, I'm sure it was a versioning issue as the server is 4.5, and I see > the default ubuntu 14.04 packages I was using were 3.3. Using the repo > Jochen mentioned I can install 4.0 on ubuntu 14.04 but I will get the below > errors in the log

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users writes: > Done, ipactl status report everything running, That's not correct, see below. > but certificates don't renew. > Looking at certmonger (in debug mod) I can see: > > "Server at

[Freeipa-users] Re: Expired certificate problem

2018-01-09 Thread Jochen Hein via FreeIPA-users
Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes: > On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote: >> Giulio Casella via FreeIPA-users <freeipa-users@lists.fedorahosted.org> >> writes: >> >>> Done, ipactl stat

[Freeipa-users] Re: how to avoid ntpd?

2018-01-15 Thread Jochen Hein via FreeIPA-users
Lukas Slebodnik via FreeIPA-users writes: > On (15/01/18 10:53), Rob Crittenden via FreeIPA-users wrote: >>As I read it he has the reverse problem. He installed with NTP support >>and now wants to remove it. >> >>You need to remove NTP as a managed IPA

[Freeipa-users] Re: Documented monitoring best practices

2018-02-01 Thread Jochen Hein via FreeIPA-users
Alex Corcoles via FreeIPA-users writes: > Is there any official literature about how to monitor FreeIPA? I'm using https://github.com/peterpakos/checkipaconsistency to monitor my replicas. > Is there any plan to provide an official way to monitor FreeIPA?

[Freeipa-users] Re: freeipa with sudo and 2FA (OTP)

2018-02-05 Thread Jochen Hein via FreeIPA-users
John Ratliff via FreeIPA-users writes: > Okay, so the problem wasn't that it wasn't working; it's that I didn't > understand the prompts. Debian only prompts for password, but wants > password + OTP on the same field. CentOS prompts for First Factor / >

[Freeipa-users] Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

2018-02-20 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes: > Sequence of events in trying to stand up a new IPA server to replace > (wholesale) our old ones. > ... > 3. # ipa-server-install --setup-dns --auto-reverse --no-forwarders ... > And now I'm back where I was. IPA is

[Freeipa-users] Re: OTP for specific services only

2018-02-23 Thread Jochen Hein via FreeIPA-users
Winfried de Heiden via FreeIPA-users writes: > OTP using IPA 4.5 on CentOS seems to work well. However: I can force a user > to use OTP and/or a host. Authentication indicators won't work that way... > Selecting a user, ALL authentication needs OTP.

[Freeipa-users] Re: How to replace a failed CA?

2018-02-21 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes: > I may be going about this in the hardest way possible, so let me stop > and roll everything back to my root need: > > I have two IPA servers which manage our infrastructure. We used to > have three, but a catastrophic

[Freeipa-users] Re: Can't ssh using GSSAPI delegation from one freeipa client to another consistently

2018-09-05 Thread Jochen Hein via FreeIPA-users
Ranbir via FreeIPA-users writes: > When GSSAPI delegation doesn't work, I see this error: > > debug1: Unspecified GSS failure. Minor code may provide more information > Server host/ip...@theinside.rnr not found in Kerberos database You used "ssh ipa01", right? And the host has been enrolled

[Freeipa-users] Re: admin account getting locked

2018-07-10 Thread Jochen Hein via FreeIPA-users
hedrick--- via FreeIPA-users writes: > We have a number of systems on the internet. They are constantly > attacked through ssh. A lot of attacks try to guess passwords for a > user called “admin.” If you don't need the user admin on the outside facing boxes, you could try that in

[Freeipa-users] Re: admin's credentials revoked?

2018-03-01 Thread Jochen Hein via FreeIPA-users
Bret Wortman via FreeIPA-users writes: > # kinit admin > kint: Client's credentials have been revoked while getting initial > credentials > > Then while looking at /var/log/httpd/error_log: > > [date] [:error] [pid] [remote 192.168.1.50:96] Database Error:

[Freeipa-users] Re: Zone transfers between external DNS slave and Internal IPA master

2018-03-01 Thread Jochen Hein via FreeIPA-users
Randy Morgan via FreeIPA-users writes: [BIND as slave on IPA DNS masters] > Has anyone set this up before and if so, do you have a sample config > that I could look at to gain a better understanding of what is needed > here? I'm running a pair of IPA

[Freeipa-users] Re: IPA managed autofs mount timeout

2018-12-20 Thread Jochen Hein via FreeIPA-users
William Muriithi via FreeIPA-users writes: > I am using autofs to mount home directories. The autofs maps are on IPA > server. A while back, I adjusted the mount idle timeout from the default 5 > minutes to 2 hours. > > I now want to undo the change, essentially bring down the timeout to 5 >

[Freeipa-users] Re: is anyone running Debian as freeipa-client

2018-11-30 Thread Jochen Hein via FreeIPA-users
Johan Vermeulen via FreeIPA-users writes: > Now it would come in handy if I could field some Debian clients for some > purposes. > But on the current stable release there is no freeipa client. > I have installed some freeipa-clients from unstable, but it's not ideal. > > I'm wondering, is anyone

[Freeipa-users] Re: HBAC Rules for OpenVPN Server

2018-09-17 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: > Sina Owolabi via FreeIPA-users wrote: >> Hi List >> >> I’ve been struggling with this for a while and I would really appreciate >> some advice.  >> I have an openvpn server using freeIPA to authenticate users logging >> into the office VPN.  >>

[Freeipa-users] Re: HBAC Rules for OpenVPN Server

2018-09-18 Thread Jochen Hein via FreeIPA-users
Sina Owolabi via FreeIPA-users writes: > Yes I use PAM with openvpn to authenticate user clients > "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login" > I'm also running a HBAC controlled IPA environment but the rule for vpnusers > is a --servicecat=all: > > Rule name:

[Freeipa-users] Re: how to deal with an existing user before client installation

2019-02-24 Thread Jochen Hein via FreeIPA-users
Albert Szostkiewicz via FreeIPA-users writes: > So I do have a user on my laptop with the same username as the IPA user. I've > noticed that after installing the client, this existing user is still > being authenticated by its original password and is with its original > UID. > What is the best procedure

[Freeipa-users] Re: Autofs maps for students directories divided by first letter of username

2019-02-28 Thread Jochen Hein via FreeIPA-users
Rob Crittenden via FreeIPA-users writes: [...] > I don't think that first entry is a glob. I believe that * just means > any. & is shorthand for the matching key so > > * -fstype=nfs4,soft,intr,rsize=8192,wsize=8192,tcp > fileserver.chem.byu.edu:/export/home/students/& > > Just substitutes

[Freeipa-users] FreeIPA-Client now in Debian Buster

2019-02-11 Thread Jochen Hein via FreeIPA-users
Hello, today freeipa-client migrated from sid to buster - thanks a lot for this! Jochen -- This space is intentionally left blank.

[Freeipa-users] Re: Multi Enrollment possible ?

2019-04-23 Thread Jochen Hein via FreeIPA-users
Karim Bourenane via FreeIPA-users writes: > I want to deploy some IPA-clients with 2 interfaces, each host interface > managed by each IPA server. I think the IPA servers should be replicas. > Can you confirm to me that it's possible to enroll the ipa-client 2 times, in > each server? I manage

[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread Jochen Hein via FreeIPA-users
Andrew Meyer via FreeIPA-users writes: > I am trying to research how to add other 2FA providers to FreeIPA.  > Has anyone added Duo or something else to FreeIPA/IPA in the most > recent versions? I'm running Privacyidea (https://www.privacyidea.org/) and FreeRADIUS and have some users

[Freeipa-users] Additional Check for checkipaconsistency - KRA

2020-02-10 Thread Jochen Hein via FreeIPA-users
Hello, right now checkipaconsistency reports an error when not all IPA servers have AD trust enabled. My first two IPA servers running CentOS 7 do have KRA enabled, but installing KRA on a new CentOS 8 replica failed. Would it be useful to check that in checkipaconsistency? If yes, here's my

[Freeipa-users] Re: 2FA using ssh keys + Free OTP

2020-01-27 Thread Jochen Hein via FreeIPA-users
Daniel PC via FreeIPA-users writes: > Currently, I have 2FA implemented with password + FreeOTP as authentication > methods. > > I wonder if possible to implement ssh pub+priv keys instead of a password as > the first authentication factor. > > Has anyone implemented such thing? That's

[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Jochen Hein via FreeIPA-users
Andrew Meyer via FreeIPA-users writes: > [andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start ... > Starting smb Service > Failed to start smb Service > Forced start, ignoring smb Service, continuing normal operation > Starting winbind Service > Failed to start winbind Service