[Freeipa-users] Re: Setting up Ubuntu client on free IPA

2018-10-24 Thread Kees Bakker via FreeIPA-users
Just install these Ubuntu packages     openssh-server     freeipa-client and run this command     ipa-client-install On 24-10-18 20:03, Jatinder Kumar via FreeIPA-users wrote: > Hi, > > Actually, I had installed freeipa server on my centos7 machine. But in my > organization, we are using Ubunt

[Freeipa-users] certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Kees Bakker via FreeIPA-users
Hi, We have FreeIPA running on Ubuntu 16.04 since about two years now. For the last few days we see these messages in the log Oct 22 17:32:14 ipasrv certmonger[1813]: 2018-10-22 17:32:14 [1813] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Kees Bakker via FreeIPA-users
    auto-renew: yes In other words, is this the same issue as https://pagure.io/freeipa/issue/7422 ? On 25-10-18 09:56, Kees Bakker via FreeIPA-users wrote: > Hi, > > We have FreeIPA running on Ubuntu 16.04 since about two years > now. For the last few days we see these messages in the log >

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Kees Bakker via FreeIPA-users
On 25-10-18 14:18, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Could it be that this error already existed since we started? Notice >> the Request ID of 2016..., and the expires: 2018-10-24. >> >> # getcert list -n ipaCert | sed blabla >> Nu

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-25 Thread Kees Bakker via FreeIPA-users
On 25-10-18 16:11, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> On 25-10-18 14:18, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: >>>> Could it be that this error already existed since we started? Notice >>>> the Request

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Kees Bakker via FreeIPA-users
On 25-10-18 20:46, Timo Aaltonen wrote: > On 25.10.2018 21.44, Rob Crittenden wrote: >> Kees Bakker wrote: >>> On 25-10-18 16:11, Rob Crittenden wrote: >>>> Kees Bakker via FreeIPA-users wrote: >>>>> On 25-10-18 14:18, Rob Crittenden wrote: >>>

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Kees Bakker via FreeIPA-users
On 26-10-18 14:55, Timo Aaltonen wrote: > On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: >> On 25-10-18 20:46, Timo Aaltonen wrote: >>> On 25.10.2018 21.44, Rob Crittenden wrote: >>>> Kees Bakker wrote: >>>>> On 25-10-18 16:11, Rob Crittende

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Kees Bakker via FreeIPA-users
On 26-10-18 17:33, Timo Aaltonen wrote: > On 26.10.2018 18.30, Kees Bakker wrote: >> On 26-10-18 14:55, Timo Aaltonen wrote: >>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: >>>> On 25-10-18 20:46, Timo Aaltonen wrote: >>>>> On 25.10.

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Kees Bakker via FreeIPA-users
On 26-10-18 14:55, Timo Aaltonen wrote: > On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: >> On 25-10-18 20:46, Timo Aaltonen wrote: >>> On 25.10.2018 21.44, Rob Crittenden wrote: >>>> Kees Bakker wrote: >>>>> On 25-10-18 16:11, Rob Crittende

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-26 Thread Kees Bakker via FreeIPA-users
On 26-10-18 18:00, Timo Aaltonen wrote: > On 26.10.2018 18.59, Kees Bakker wrote: >> On 26-10-18 14:55, Timo Aaltonen wrote: >>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: >>>> On 25-10-18 20:46, Timo Aaltonen wrote: >>>>> On 25.10.

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Kees Bakker via FreeIPA-users
On 26-10-18 18:20, Florence Blanc-Renaud wrote: > On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: >> >> >> On 26-10-18 18:00, Timo Aaltonen wrote: >>> On 26.10.2018 18.59, Kees Bakker wrote: >>>> On 26-10-18 14:55, Timo Aaltonen wrote: >>

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-29 Thread Kees Bakker via FreeIPA-users
On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: > On 26-10-18 18:20, Florence Blanc-Renaud wrote: >> On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: >>> >>> On 26-10-18 18:00, Timo Aaltonen wrote: >>>> On 26.10.2018 18.59, Kees Bakker wrote:

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-30 Thread Kees Bakker via FreeIPA-users
On 29-10-18 19:30, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: >>> On 26-10-18 18:20, Florence Blanc-Renaud wrote: >>>> On 10/26/18 6:09 PM, Kees Bakker via FreeIPA-users wrote: >>>>

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-10-31 Thread Kees Bakker via FreeIPA-users
On 30-10-18 19:41, Rob Crittenden wrote: > Kees Bakker wrote: >> On 29-10-18 19:30, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: >>>> On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: >>>>> On 26-10-18 18:20, Florence Blanc-R

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-11-01 Thread Kees Bakker via FreeIPA-users
On 31-10-18 14:27, Kees Bakker via FreeIPA-users wrote: > On 30-10-18 19:41, Rob Crittenden wrote: >> Kees Bakker wrote: >>> On 29-10-18 19:30, Rob Crittenden wrote: >>>> Kees Bakker via FreeIPA-users wrote: >>>>> On 29-10-18 11:56, Kees Bakker via

[Freeipa-users] Re: certmonger Error 77 Problem with the SSL CA cert

2018-11-02 Thread Kees Bakker via FreeIPA-users
On 30-10-18 19:41, Rob Crittenden wrote: > Kees Bakker wrote: >> On 29-10-18 19:30, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: >>>> On 29-10-18 11:56, Kees Bakker via FreeIPA-users wrote: >>>>> On 26-10-18 18:20, Florence Blanc-R

[Freeipa-users] How to import ca.crt in Chrome

2018-11-13 Thread Kees Bakker via FreeIPA-users
Hi, When I import my FreeIPA's ca.crt in Google Chrome I'm getting an error:     Certification Authority Import Error     Unable to parse file How should I import the CERT in Google Chrome (version 71)? BTW. The import works fine in Firefox (version 53) -- Kees

[Freeipa-users] Re: How to import ca.crt in Chrome

2018-11-13 Thread Kees Bakker via FreeIPA-users
> https://www.sslshopper.com/ssl-converter.html > > On Tue, Nov 13, 2018 at 10:58 AM Kees Bakker via FreeIPA-users > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > Hi, > > When I import my FreeIPA's ca.crt in Google Chrome I'm getting >

[Freeipa-users] Moving IPA master to a new server fails to start krb5kdc

2018-12-17 Thread Kees Bakker via FreeIPA-users
Hello, I want to move my IPA master to new hardware, but IPA does not want to start on that new hardware. /var/log/krb5kdc.log shows: krb5kdc: Server error - while fetching master key K/M for realm GHS.NL And then of course the rest of FreeIPA is not working either. I've basically copied the wh

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-17 Thread Kees Bakker via FreeIPA-users
one’s time, including yours. > >> On Dec 17, 2018, at 7:40 PM, Kees Bakker via FreeIPA-users >> wrote: >> >> Hello, >> >> I want to move my IPA master to new hardware, but IPA does not >> want to start on that new hardware. >> >> /var/log/krb5kdc.

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-18 Thread Kees Bakker via FreeIPA-users
On 17-12-18 20:44, Robbie Harwood wrote: > Kees Bakker via FreeIPA-users > writes: > >> Sure I understand that, but this error in /var/log/krb5kdc.log is basically >> all I have. >> krb5kdc: Server error - while fetching master key K/M for realm GHS.NL > What are

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-19 Thread Kees Bakker via FreeIPA-users
On 18-12-18 19:18, Robbie Harwood wrote: > Kees Bakker writes: > >> On 17-12-18 20:44, Robbie Harwood wrote: >>> Kees Bakker via FreeIPA-users >>> writes: >>> >>>> Sure I understand that, but this error in /var/log/krb5kdc.log is basically

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-19 Thread Kees Bakker via FreeIPA-users
On 18-12-18 17:50, Florence Blanc-Renaud wrote: > On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote: >> Hello, >> >> I want to move my IPA master to new hardware, but IPA does not >> want to start on that new hardware. >> >> /var/log/krb5kdc.log

[Freeipa-users] Re: Moving IPA master to a new server fails to start krb5kdc

2018-12-20 Thread Kees Bakker via FreeIPA-users
On 19-12-18 12:06, Kees Bakker via FreeIPA-users wrote: > On 18-12-18 17:50, Florence Blanc-Renaud wrote: > [...] >> If you have a spare machine you can also use replication, and create a >> replica of your current master with all the needed services (CA, KRA, DNS if >> n

[Freeipa-users] Samba server on Ubuntu not working

2019-01-08 Thread Kees Bakker via FreeIPA-users
Hey, Is there any chance that the combination FreeIPA + Samba + Ubuntu is going to work in the near future? So far I haven't been able to. The main purpose is to give Windows users access to disk space on our (Ubuntu) servers. And with their IPA credentials. I know that Alexander knows a whole l

[Freeipa-users] Re: Samba server on Ubuntu not working

2019-01-08 Thread Kees Bakker via FreeIPA-users
On 08-01-19 10:18, Alexander Bokovoy wrote: > On ti, 08 tammi 2019, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> Is there any chance that the combination FreeIPA + Samba + Ubuntu >> is going to work in the near future? So far I haven't been able to. >>

[Freeipa-users] Replica not working

2019-02-18 Thread Kees Bakker via FreeIPA-users
Hey, Replication isn't working, at least not automatically. If I do a ipa-replica-manage re-initialize then everything is present on the replica. I've looked through all the logs, but I couldn't find anything that hints me what could be wrong. Today I created a new replica. The installation went

[Freeipa-users] Re: Replica not working

2019-02-18 Thread Kees Bakker via FreeIPA-users
On 18-02-19 10:06, Florence Blanc-Renaud wrote: > On 2/18/19 9:00 AM, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> Replication isn't working, at least not automatically. If I do >> a ipa-replica-manage re-initialize then everything is present >> on the

[Freeipa-users] Re: Replica not working

2019-02-19 Thread Kees Bakker via FreeIPA-users
On 18-02-19 21:17, Florence Blanc-Renaud wrote: > On 2/18/19 11:41 AM, Kees Bakker via FreeIPA-users wrote: >> On 18-02-19 10:06, Florence Blanc-Renaud wrote: >>> On 2/18/19 9:00 AM, Kees Bakker via FreeIPA-users wrote: >>>> Hey, >>>> >>>> Rep

[Freeipa-users] Re: FreeIPA DNS keeps losing certain A records

2019-06-05 Thread Kees Bakker via FreeIPA-users
Do you perhaps have DHCP updating DNS? On 04-06-19 20:10, Kristian Petersen via FreeIPA-users wrote: For the last few months I have noticed that certain A records keep disappearing from my DNS.  I have put them back manually multiple times and the same thing happens again.  The SSHFP stuff in

[Freeipa-users] Re: Introducing ipa-healthcheck

2019-06-17 Thread Kees Bakker via FreeIPA-users
On 14-06-19 16:29, Rob Crittenden via FreeIPA-users wrote: I'd like to introduce a new tool for an IPA administrators tool kit we're working on, currently in a beta state and shipping in Fedora 29+. ipa-healthcheck is a proactive tool for identifying current, potential and future issues within an I

[Freeipa-users] Configuring polkit policy on Ubuntu

2019-07-03 Thread Kees Bakker via FreeIPA-users
Hey, Does anyone have a suggestion how to combine FreeIPA and polkit (policykit) on Ubuntu? Notice that, for some reason, Ubuntu (and Debian) is stuck at polkit 0.105. I'm looking for ways to use HBAC rules in combination with service polkit-1. So that we're able to say: this user can do polki

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-10 Thread Kees Bakker via FreeIPA-users
On 10-10-19 14:35, Rob Crittenden via FreeIPA-users wrote Kevin Vasko via FreeIPA-users wrote: How would I validate that certs are getting added properly on a CentOS machine system wide store? I’m going to test it today to find out if this is a problem unique to Ubuntu/CentOS. On Fedora t

[Freeipa-users] ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-24 Thread Kees Bakker via FreeIPA-users
Hey, With x2go [1] you can start a remote desktop. Going from UNIX (client) to UNIX (server) it will use SSH behind the scenes. However, on an IPA client the x2goclient command fails with a segfault (somewhere in an ssh library). This is caused by the modified /etc/ssh/ssh_config. More specific

[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Kees Bakker via FreeIPA-users
On 24-10-19 16:12, Alexander Bokovoy wrote: On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote: Hey, With x2go [1] you can start a remote desktop. Going from UNIX (client) to UNIX (server) it will use SSH behind the scenes. However, on an IPA client the x2goclient command fails with a

[Freeipa-users] Re: ssh ProxyCommand in ipa-client causes crash of x2goclient

2019-10-25 Thread Kees Bakker via FreeIPA-users
On 25-10-19 13:09, Andreas Schneider wrote: On Friday, 25 October 2019 11:11:32 CEST Alexander Bokovoy wrote: On pe, 25 loka 2019, Kees Bakker wrote: On 24-10-19 16:12, Alexander Bokovoy wrote: On to, 24 loka 2019, Kees Bakker via FreeIPA-users wrote: Hey, With x2go [1] you can start a

[Freeipa-users] Re: IPA healthcheck for older versions

2019-11-06 Thread Kees Bakker via FreeIPA-users
Thanks Rob Here are my findings, mainly as an FYI. On the CA master it reports the following (which I have to investigate) [   {     "source": "ipahealthcheck.ipa.certs",     "kw": {   "msg": "Unknown certmonger id 20190412141828",   "key": "20190412141828"     },     "uuid": "f3d6ccb9-fb

[Freeipa-users] Re: [Announce] FreeIPA 4.8.2 released

2019-11-13 Thread Kees Bakker via FreeIPA-users
On 13-11-19 09:53, Alexander Bokovoy via FreeIPA-users wrote: > > Hello! > > The FreeIPA team would like to announce FreeIPA 4.8.1 release! > > [...] > === Known Issues === > === Bug fixes === > FreeIPA 4.8.2 is a stabilization release for the features delivered as a > part of '''FIXME''' 4.7.0 '''

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Kees Bakker via FreeIPA-users
On 06-11-19 17:16, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Thanks Rob >> >> Here are my findings, mainly as an FYI. >> >> On the CA master it reports the following (which I have to investigate) >> [ >>   { >>  

[Freeipa-users] Re: IPA healthcheck for older versions

2019-12-13 Thread Kees Bakker via FreeIPA-users
On 13-12-19 15:00, Rob Crittenden wrote: > Kees Bakker wrote: >> On 06-11-19 17:16, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: >>>> Thanks Rob >>>> >>>> Here are my findings, mainly as an FYI. >>>> >>

[Freeipa-users] Re: Samba utilizing FreeIPA as Auth

2017-10-11 Thread Kees Bakker via FreeIPA-users
On 11-10-17 01:05, Gordon Messmer via FreeIPA-users wrote: > On 10/04/2017 05:43 AM, Patrick No via FreeIPA-users wrote: >> ~~/etc/samba/smb.conf~~ >> security = ads > > > I'm working on Samba integration, as well.  I think you might need to use > "security

[Freeipa-users] Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Kees Bakker via FreeIPA-users
Hey, This week I tried to install Samba (which failed because of Ubuntu, but that's another story). One of the steps was to do ipa-adtrust-install. It created a cifs/myhost principal on my IPA master server. But now it keeps switching my default principal to cifs/myhost@MYREALM (and in this case

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Kees Bakker via FreeIPA-users
On 12-10-17 12:05, Sumit Bose via FreeIPA-users wrote: > On Thu, Oct 12, 2017 at 11:47:26AM +0200, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> This week I tried to install Samba (which failed because of Ubuntu, but >> that's >> another story). >>

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Kees Bakker via FreeIPA-users
On 12-10-17 14:11, Alexander Bokovoy wrote: > On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> This > week I tried to install Samba (which failed because of Ubuntu, but that's >> > another story). >> >> One of the steps w

[Freeipa-users] Re: Default principal switched back to cifs every 5 minutes (after done ipa-adtrust-install)

2017-10-12 Thread Kees Bakker via FreeIPA-users
On 12-10-17 14:49, Alexander Bokovoy wrote: > On to, 12 loka 2017, Kees Bakker wrote: >> On 12-10-17 14:11, Alexander Bokovoy wrote: >>> On to, 12 loka 2017, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> >>> This week I tried to install Samba (wh

[Freeipa-users] Replica failure, could not perform interactive bind ... [GSSAPI]

2017-10-18 Thread Kees Bakker via FreeIPA-users
Hey, Since I've set up a replica it gives errors like these: [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor c

[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]

2017-10-19 Thread Kees Bakker via FreeIPA-users
On 18-10-17 22:57, Robbie Harwood wrote: > Kees Bakker writes: > >> Since I've set up a replica it gives errors like these: >> >> [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_bind - Error: could >> not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local >> error) (SA

[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]

2017-10-19 Thread Kees Bakker via FreeIPA-users
On 19-10-17 10:03, Kees Bakker via FreeIPA-users wrote: > On 18-10-17 22:57, Robbie Harwood wrote: >> Kees Bakker writes: >> >>> Since I've set up a replica it gives errors like these: >>> >>> [17/Oct/2017:11:36:55 +0200] slapd_ldap_sasl_interactive_b

[Freeipa-users] Re: Replica failure, could not perform interactive bind ... [GSSAPI]

2017-10-19 Thread Kees Bakker via FreeIPA-users
On 19-10-17 15:07, Alexander Bokovoy wrote: > On to, 19 loka 2017, Kees Bakker via FreeIPA-users wrote: >> [...] >> [18/Oct/2017:11:24:27 +0200] NSMMReplicationPlugin - >> agmt="cn=meTolinge.ghs.nl" (linge:389): Replication bind with GSSAPI auth >> resumed

[Freeipa-users] FreeIPA+Ubuntu-16.04+Samba, is there a solution

2017-10-25 Thread Kees Bakker via FreeIPA-users
Hey, As described by Alexander in [1], Samba on Ubuntu 16.04 is built against Heimdal, and that conflicts with FreeIPA (which requires MIT Kerberos). We have a network with Ubuntu 16.04 servers, and Ubuntu 16.04 workstations, and some Windows PCs. So far I was unable to configure the samba serve

[Freeipa-users] Server install fails on Ubuntu due to missing crypto.fips_enabled

2018-05-03 Thread Kees Bakker via FreeIPA-users
Hey, Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. It fails setting up the certificate server (pki-tomcatd). Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes   [1/28]: configuring certificate server instance ipaserver.install.dogtaginstance: CRITICAL

[Freeipa-users] Re: Server install fails on Ubuntu due to missing crypto.fips_enabled

2018-05-03 Thread Kees Bakker via FreeIPA-users
On 03-05-18 12:07, Kees Bakker via FreeIPA-users wrote: > Hey, > > Trying to do a test installation of a FreeIPA server on Ubuntu 18.04. > It fails setting up the certificate server (pki-tomcatd). > > Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes >

[Freeipa-users] Re: Server install fails on Ubuntu due to missing crypto.fips_enabled

2018-05-03 Thread Kees Bakker via FreeIPA-users
On 03-05-18 16:08, Alexander Bokovoy wrote: > If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with > the current release of FreeIPA. > > We have been working on FreeIPA 4.7 for about a half a year now and only > recently dogtag got support for tomcat 8.5. There are still bits an

[Freeipa-users] Re: Server install fails on Ubuntu due to missing crypto.fips_enabled

2018-05-03 Thread Kees Bakker via FreeIPA-users
On 03-05-18 16:42, Alexander Bokovoy wrote: > On to, 03 touko 2018, Kees Bakker via FreeIPA-users wrote: >> On 03-05-18 16:08, Alexander Bokovoy wrote: >>> If Ubuntu 18.04 has Tomcat 8.5, you are not going to get it working with >>> the current release of FreeIPA. >

[Freeipa-users] SSH Unspecified GSS failure, No key table entry found matching host

2018-06-28 Thread Kees Bakker via FreeIPA-users
Hey, After installing a PC with Ubuntu 18.04 I'm seeing this problem with SSH logins. The gssapi-with-mic authentication method does not work anymore. Strangely enough a system that I upgraded (16.04->18.04) was working fine. The debug of sshd shows (fivel being the unqualified hostname): debug1

[Freeipa-users] Re: SSH Unspecified GSS failure, No key table entry found matching host

2018-06-29 Thread Kees Bakker via FreeIPA-users
On 28-06-18 23:39, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> After installing a PC with Ubuntu 18.04 I'm seeing this problem with >> SSH logins. The gssapi-with-mic authentication method does not >> work anymore. Strangely

[Freeipa-users] How to change nsslapd-cachememsize

2018-07-17 Thread Kees Bakker via FreeIPA-users
Hi, This is about the infamous log message     WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We recommend to increase the entry cache size nsslapd-cachememsize. I've searched the Internet, including this mailing list, but I haven't found a sensible FreeIPA soluti

[Freeipa-users] Re: How to change nsslapd-cachememsize

2018-07-17 Thread Kees Bakker via FreeIPA-users
On 17-07-18 10:56, Alexander Bokovoy wrote: > On ti, 17 heinä 2018, Kees Bakker via FreeIPA-users wrote: >> Hi, >> >> This is about the infamous log message >> >>     WARNING: changelog: entry cache size 2097152B is less than db size >> 19701760B; We rec

[Freeipa-users] Re: How to change nsslapd-cachememsize

2018-07-17 Thread Kees Bakker via FreeIPA-users
On 17-07-18 11:48, Alexander Bokovoy wrote: > On ti, 17 heinä 2018, Kees Bakker wrote: >>> To modify you'd rather use ipa-ldap-updater tool which manages >>> automatically this for you when an update file is provided. In addition, >>> you have some substitution variables available too. These aren't

[Freeipa-users] Re: How to change nsslapd-cachememsize

2018-07-17 Thread Kees Bakker via FreeIPA-users
On 17-07-18 13:15, Alexander Bokovoy wrote: > [...] > Could you please file a ticket with all these details? You mean at https://pagure.io/freeipa/issues ?

[Freeipa-users] freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-06 Thread Kees Bakker via FreeIPA-users
Hi, Installing FreeIPA server fails on Ubuntu 18.04 with the following messages. (( I should say: still failing. I haven't had much luck with it. )) -8X-8X-- Restarting named Updating DNS system records ipapython.dnsutil: ERROR    DNS query for

[Freeipa-users] Re: freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-06 Thread Kees Bakker via FreeIPA-users
On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote: > Hi, > > Installing FreeIPA server fails on Ubuntu 18.04 with the following > messages. (( I should say: still failing. I haven't had much luck with > it. )) > > -8X-8X---

[Freeipa-users] Re: freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-07 Thread Kees Bakker via FreeIPA-users
On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote: > [...] > > Also, when I access the IPA server using a browser it fails with >     Login failed due to an unknown reason. > > In /var/log/apache2/error.log there is this: > -8X-8X

[Freeipa-users] Re: freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-07 Thread Kees Bakker via FreeIPA-users
On 07-09-18 10:13, Alexander Bokovoy wrote: > On pe, 07 syys 2018, Kees Bakker via FreeIPA-users wrote: >> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote: >>> [...] >>> >>> Also, when I access the IPA server using a browser it fails with >>

[Freeipa-users] Re: freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-07 Thread Kees Bakker via FreeIPA-users
On 07-09-18 11:50, Alexander Bokovoy wrote: > On pe, 07 syys 2018, Kees Bakker wrote: >> On 07-09-18 10:13, Alexander Bokovoy wrote: >>> On pe, 07 syys 2018, Kees Bakker via FreeIPA-users wrote: >>>> On 06-09-18 15:16, Kees Bakker via FreeIPA-users wrote: >>

[Freeipa-users] Re: freeipa server install fails - ipa-ca DNS record will be incomplete

2018-09-07 Thread Kees Bakker via FreeIPA-users
On 07-09-18 16:10, Alexander Bokovoy wrote: > On pe, 07 syys 2018, Kees Bakker wrote: >> The problem with this seems to be related to the fact that directory >> /var/lib/krb5kdc >> is only readable for root. >> >> $ ls -ld /var/lib/krb5kdc >> drwx-- 2 root root 4096 Feb

[Freeipa-users] dirsrv hangs soon after reboot

2020-04-19 Thread Kees Bakker via FreeIPA-users
Hey, I'm looking for advice how to analyse/debug this. On one of the masters the dirsrv is unresponsive. It runs, but every attempt to connect it hangs. The command "systemctl status" does not show anything alarming ● dirsrv@EXAMPLE-COM.service - 389 Directory Server EXAMPLE-COM.    Loaded: loa

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Kees Bakker via FreeIPA-users
On 20-04-2020 09:09, Florence Blanc-Renaud wrote: > On 4/20/20 8:28 AM, Kees Bakker via FreeIPA-users wrote: >> Hey, >> >> I'm looking for advice how to analyse/debug this. >> >> On one of the masters the dirsrv is unresponsive. It runs, but every >> at

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Kees Bakker via FreeIPA-users
On 20-04-2020 09:58, Kees Bakker via FreeIPA-users wrote: > On 20-04-2020 09:09, Florence Blanc-Renaud wrote: >> On 4/20/20 8:28 AM, Kees Bakker via FreeIPA-users wrote: >>> Hey, >>> >>> I'm looking for advice how to analyse/debug this. >>> >>

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Kees Bakker via FreeIPA-users
On 20-04-2020 14:51, Rob Crittenden wrote: > *** EXTERNAL E-MAIL *** > > > Kees Bakker via FreeIPA-users wrote: >> On 20-04-2020 09:58, Kees Bakker via FreeIPA-users wrote: >>> On 20-04-2020 09:09, Florence Blanc-Renaud wrote: >>>> On 4/20/20 8:28 AM, Kees Ba

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Kees Bakker via FreeIPA-users
On 20-04-2020 15:16, thierry bordaz wrote: > On 4/20/20 3:02 PM, Kees Bakker wrote: >> On 20-04-2020 14:51, Rob Crittenden wrote: >>> Kees Bakker via FreeIPA-users wrote: >>>> On 20-04-2020 09:58, Kees Bakker via FreeIPA-users wrote: >>>>> On

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Kees Bakker via FreeIPA-users
On 20-04-2020 15:35, Kees Bakker via FreeIPA-users wrote: > On 20-04-2020 15:16, thierry bordaz wrote: >> On 4/20/20 3:02 PM, Kees Bakker wrote: >>> On 20-04-2020 14:51, Rob Crittenden wrote: >>>> Kees Bakker via FreeIPA-users wrote: >>>>> On 20-04-20

[Freeipa-users] Re: yum update problem

2020-10-01 Thread Kees Bakker via FreeIPA-users
This now happened to me too. The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart). What remains a mystery is **why** this happened. In my case, we have three CA masters, one is the CA renewal master (of course).

[Freeipa-users] Re: yum update problem

2020-10-01 Thread Kees Bakker via FreeIPA-users
'20181127141751':     ca-error: Invalid cookie: u''     subject: CN=CA Subsystem,O=GHS.NL     expires: 2020-10-26 20:15:32 UTC All of them are "system certificates" that are already renewed on the CA Renewal Master. How do I get these renewed? I don't like to run wh

[Freeipa-users] Re: yum update problem

2020-10-01 Thread Kees Bakker via FreeIPA-users
Can I safely do the following? ipa-getcert resubmit -i 20181127141739 ipa-getcert resubmit -i 20181127141749 ipa-getcert resubmit -i 20181127141750 ipa-getcert resubmit -i 20181127141751 On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote: > EXTERNAL E-MAIL > > O

[Freeipa-users] Re: yum update problem

2020-10-01 Thread Kees Bakker via FreeIPA-users
On 01-10-2020 20:33, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Can I safely do the following? >> >> ipa-getcert resubmit -i 20181127141739 >> ipa-getcert resubmit -i 20181127141749 >> ipa-getcert resubmit -i 20181127141750 >> ipa-getcer

[Freeipa-users] Re: yum update problem

2020-10-01 Thread Kees Bakker via FreeIPA-users
On 01-10-2020 20:33, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Can I safely do the following? >> >> ipa-getcert resubmit -i 20181127141739 >> ipa-getcert resubmit -i 20181127141749 >> ipa-getcert resubmit -i 20181127141750 >> ipa-getcer

[Freeipa-users] Re: Replica not renewing IPA certificates

2020-10-02 Thread Kees Bakker via FreeIPA-users
Hello Roderick, Would you care to confirm that you indeed ran "getcert resubmit" on the replica (the non-renewal master)? I'm in the same situation as you were, and I'm reluctant to run commands that could potentially make things worse. -- Kees On 31-01-2020 16:04, Roderick Johnstone via FreeIPA

[Freeipa-users] Re: yum update problem

2020-10-02 Thread Kees Bakker via FreeIPA-users
On 01-10-2020 22:05, Kees Bakker via FreeIPA-users wrote: > On 01-10-2020 20:33, Rob Crittenden wrote: >> Kees Bakker via FreeIPA-users wrote: >>> Can I safely do the following? >>> >>> ipa-getcert resubmit -i 20181127141739 >>> ipa-getcert resubmit

[Freeipa-users] Is there a process that will renew TGT

2020-12-16 Thread Kees Bakker via FreeIPA-users
Hi, On my Ubuntu 20.04 system, if I login I'm getting a TGT. So far so good. Usually I login onto a system and never logout for weeks. I seem to remember that I didn't have to manually get a new TGT all the time. Now it expires after 24h and I have to redo a kinit. My question: is there (or shou

[Freeipa-users] Re: Is there a process that will renew TGT

2020-12-16 Thread Kees Bakker via FreeIPA-users
> > Please see: > https://sgallagh.wordpress.com/2011/09/02/sssd-tips-and-tricks-vol-1-kerberos/ > > Disclaimer: I don't know how applicable this is to your system. > > François > > > On Wed, Dec 16, 2020 at 9:04 AM Kees Bakker via FreeIPA-users > <mailto:free

[Freeipa-users] Re: Is there a process that will renew TGT

2020-12-16 Thread Kees Bakker via FreeIPA-users
On 16-12-2020 14:59, François Cami wrote: > On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker > wrote: > > Thanks for the pointer. A bit old, but probably still relevant. > > Anyway, I was thinking that the following may be the cause of > my observation. I'm now working

[Freeipa-users] Re: Is there a process that will renew TGT

2020-12-16 Thread Kees Bakker via FreeIPA-users
On 16-12-2020 16:03, Alexander Bokovoy wrote: > On ke, 16 joulu 2020, Kees Bakker via FreeIPA-users wrote: >> On 16-12-2020 14:59, François Cami wrote: >>> On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker >> <mailto:ke...@ghs.com>> wrote: >>> >>>

[Freeipa-users] Problem adding DKIM record in DNS

2021-02-28 Thread Kees Bakker via FreeIPA-users
Hi, This is a heads-up for people who want to add a DKIM TXT record in FreeIPA. Adding a (long) TXT record with the DKIM key fails with a syntax error from named-pkcs11 The FreeIPA web UI did not show an error but with journalctl I see there is one. feb 27 21:51:58 rotte.ghs.nl named-pkcs11[93

[Freeipa-users] SRV entries remain after removing replica

2021-03-15 Thread Kees Bakker via FreeIPA-users
Hi, After removing one of the replicas the SRV records in DNS remained. I'm talking about _kpasswd._udp _kerberos._udp _kerberos._tcp _kerberos-master._udp etc Two questions. 1. Is this a known problem? 2. Is there a (simple?) command to remove these SRV entries? I can remove them manually, so i

[Freeipa-users] Re: SRV entries remain after removing replica

2021-03-15 Thread Kees Bakker via FreeIPA-users
On 15-03-2021 17:44, Rob Crittenden wrote: > Kees Bakker via FreeIPA-users wrote: >> Hi, >> >> After removing one of the replicas the SRV records in DNS remained. I'm >> talking >> about _kpasswd._udp _kerberos._udp _kerberos._tcp _kerberos-master._udp et

[Freeipa-users] What FQDN to use to get the LDAP server when there are multiple masters

2021-03-18 Thread Kees Bakker via FreeIPA-users
Hi, We have FreeIPA with three masters. To get to the LDAP server we can use either of the three. To configure a service you must come up with a FQDN for the LDAP server. Until now we have simply selected one of the three. But that's not very convenient because we want to do maintenance on that IP

[Freeipa-users] Re: What FQDN to use to get the LDAP server when there are multiple masters

2021-03-19 Thread Kees Bakker via FreeIPA-users
On 19-03-2021 00:30, Fraser Tweedale wrote: > On Thu, Mar 18, 2021 at 03:10:30PM +0100, Kees Bakker via FreeIPA-users wrote: >> Hi, >> >> We have FreeIPA with three masters. To get to the LDAP server >> we can use either of the three. To configure a service you must >

[Freeipa-users] Re: What FQDN to use to get the LDAP server when there are multiple masters

2021-03-23 Thread Kees Bakker via FreeIPA-users
On 23-03-2021 11:06, Peter Tselios via FreeIPA-users wrote: > For Gitlab you can specify multiple LDAP servers with the EE if I am not > mistaken. > We have Gitlab EE and we can use both of our FreeIPA servers. The multiple LDAP servers in GitLab are not meant as "fail-over". There is an issue [1]

[Freeipa-users] Problem upgrading centos7 to centos8

2021-05-08 Thread Kees Bakker via FreeIPA-users
Hi, Trying to upgrade CentOS 7 to CentOS 8, following the various hints on the internet. Executing this command fails # dnf --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync ... Running transaction check Error: transaction check vs depsolve: (ipa-selinux = 4.8.7-12.module_el8.3

[Freeipa-users] Re: Problem upgrading centos7 to centos8

2021-05-10 Thread Kees Bakker via FreeIPA-users
On 10-05-2021 14:45, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: Hi, Trying to upgrade CentOS 7 to CentOS 8, following the various hints on the internet. Executing this command fails # dnf --releasever=8 --allowerasing --setopt=deltarpm=false distro-sync ... Running

[Freeipa-users] Re: Problem upgrading centos7 to centos8

2021-05-10 Thread Kees Bakker via FreeIPA-users
On 10-05-2021 15:06, Kees Bakker via FreeIPA-users wrote: On 10-05-2021 14:45, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: Hi, Trying to upgrade CentOS 7 to CentOS 8, following the various hints on the internet. Executing this command fails # dnf --releasever=8 --allowerasing

[Freeipa-users] Re: Problem upgrading centos7 to centos8

2021-05-10 Thread Kees Bakker via FreeIPA-users
On 10-05-2021 15:35, Alexander Bokovoy wrote: On ma, 10 touko 2021, Kees Bakker via FreeIPA-users wrote: On 10-05-2021 14:45, Rob Crittenden wrote: Kees Bakker via FreeIPA-users wrote: Hi, Trying to upgrade CentOS 7 to CentOS 8, following the various hints on the internet. Executing this

[Freeipa-users] Re: dirsrv hangs soon after reboot

2021-05-12 Thread Kees Bakker via FreeIPA-users
Sorry to revive an old thread. I'm getting deadlocks again. See below. On 20-04-2020 15:16, thierry bordaz wrote: [...] This is a known bug [1]. With the same bug there are two deadlock scenarios but only one is fixed (for example in slapi-nis-0.56.4-1 [2]). A fix for the second one is under test

[Freeipa-users] Re: dirsrv hangs soon after reboot

2021-05-12 Thread Kees Bakker via FreeIPA-users
Hi Thierry, Just to be clear, changelogmaxage was changed to -1 by me after the upgrade and I've confirmed it is now set to -1. The reason for me to change the value was because of the deadlock. Apparently, it did not make much of a difference. It still gets into a deadlock with the value -1.

[Freeipa-users] Re: dirsrv hangs soon after reboot

2021-05-12 Thread Kees Bakker via FreeIPA-users
On 12-05-2021 19:44, Thierry Bordaz wrote: On 5/12/21 4:55 PM, Kees Bakker wrote: Hi Thierry, Just to be clear, changelogmaxage was changed to -1 by me after the upgrade and I've confirmed it is now set to -1. The reason for me to change the value was because of the deadlock. Apparently, it di

[Freeipa-users] Re: dirsrv hangs soon after reboot

2021-05-16 Thread Kees Bakker via FreeIPA-users
On 13-05-2021 08:32, Thierry Bordaz wrote: On 5/12/21 8:41 PM, Kees Bakker wrote: On 12-05-2021 19:44, Thierry Bordaz wrote: On 5/12/21 4:55 PM, Kees Bakker wrote: Hi Thierry, Just to be clear, changelogmaxage was changed to -1 by me after the upgrade and I've confirmed it is now set to -1.

[Freeipa-users] healthcheck complains about a removed replica

2021-05-28 Thread Kees Bakker via FreeIPA-users
Hi, After installing a new replica and running /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data I'm getting this error keyctl_search: Required key not available Enter password for Internal Key Storage Token: Internal server error HTTPSConnectionPool(host='

[Freeipa-users] Re: healthcheck complains about a removed replica

2021-05-28 Thread Kees Bakker via FreeIPA-users
On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote: Hi, After installing a new replica and running /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data I'm getting this error keyctl_search: Required key not available Enter password for Interna

[Freeipa-users] Re: healthcheck complains about a removed replica

2021-05-28 Thread Kees Bakker via FreeIPA-users
On 28-05-2021 19:32, Kees Bakker via FreeIPA-users wrote: On 28-05-2021 17:22, Kees Bakker via FreeIPA-users wrote: Hi, After installing a new replica and running /usr/bin/ipa-healthcheck --source pki.server.healthcheck.clones.connectivity_and_data I'm getting
