[Freeipa-users] Re: IPA replica with CA role problems

2017-07-31 Thread Mark Haney via FreeIPA-users
On 07/24/2017 10:25 PM, Fraser Tweedale wrote: Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log file (ideally the whole thing)? Also to clarify: ``ipa-replica-install --setup-ca'' installs a new replica including the CA role. To install the CA role on an existing replica use

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-02 Thread Mark Haney via FreeIPA-users
On 08/02/2017 07:25 AM, Fraser Tweedale wrote: On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: Providing the dogtag debug log might be helpful. The replica install log shows that the GoDaddy CA chain was imported and trusted reasonably (C,,) but the installer later claims it

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/02/2017 04:17 PM, Fraser Tweedale wrote: - /var/log/ipareplica-install.log from replica - /etc/pki/pki-tomcat/ca/debug from both master and replica Those logs should do for a start. I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both master and replica. Depending on

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-03 Thread Mark Haney via FreeIPA-users
On 08/03/2017 08:34 AM, Fraser Tweedale wrote: Mark, that's great news; I'm glad you were able to resolve the issue. Everyone gets the tunnel vision sometimes :) I wish you a successful rollout to production. Cheers, Fraser Actually, let me update you on this. I finally got a chance to

[Freeipa-users] Deleting revoked certs from CA master

2017-08-03 Thread Mark Haney via FreeIPA-users
So now that we have a nicely replicating domain and ca, I'd like to rid myself of these revoked certificates which I tried as a way to fix the replication and setting up of a CA. Is there a way to delete these certs out of the store? -- Mark Haney Network Engineer at NeoNova 919-460-3330

[Freeipa-users] Re: Replication and SSL certs

2017-07-13 Thread Mark Haney via FreeIPA-users
On 07/12/2017 08:34 PM, Fraser Tweedale wrote: Which version(s) of FreeIPA? ipa-server-4.4.0-14.el7.centos.7.x86_64 Which service(s) (HTTP, LDAP?). HTTPS. I haven't checked LDAPS yet. It appears this is only related to HTTPS. To give a bit of backstory, the primary host [ipa0] was

[Freeipa-users] Re: Replication and SSL certs

2017-07-17 Thread Mark Haney via FreeIPA-users
On 07/17/2017 09:27 AM, Fraser Tweedale wrote: https://tools.ietf.org/html/rfc6125#section-7.2 This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward

[Freeipa-users] Replication and SSL certs

2017-07-12 Thread Mark Haney via FreeIPA-users
I'm really new to FreeIPA, and this is probably a stupid question, but I just set up a replica of the primary (not in production) IPA server we have. However, the replica's SSL cert is untrusted, while the primary IPA server's cert is fine. The docs I read said the SSL certs would be carried

[Freeipa-users] Re: Replication and SSL certs

2017-07-14 Thread Mark Haney via FreeIPA-users
On 07/13/2017 09:57 PM, Fraser Tweedale wrote: OK, I think I understand. ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been set up with a certificate issued by the IPA CA, which your browser does not trust. There are two ways forward here: 1. You can use

[Freeipa-users] Re: IPA replica with CA role problems

2017-07-25 Thread Mark Haney via FreeIPA-users
replica with CA and pull those logs if/when that fails. On Mon, Jul 24, 2017 at 10:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users > wrote: > > Prior to my employment, one of our engineers setup an IPA s

[Freeipa-users] Re: replica-install --setup-ca fails

2017-07-27 Thread Mark Haney via FreeIPA-users
Heh. That's the EXACT SAME error I kept getting whether I ran the install-ca from an existing replica, or when adding a CA while installing a new replica. Glad I'm not the only one seeing such weird errors. On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <

[Freeipa-users] Re: Deleting revoked certs from CA master

2017-08-04 Thread Mark Haney via FreeIPA-users
On 08/04/2017 02:19 PM, Rob Crittenden wrote: You'd have to do it using LDAP directly. There is nothing really wrong with having a few revoked certs. rob I suppose that's fine, it just offends my sense of order. Thanks for the info. -- Mark Haney Network Engineer at NeoNova 919-460-3330

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-01 Thread Mark Haney via FreeIPA-users
On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: Hi, you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-01 Thread Mark Haney via FreeIPA-users
On 08/01/2017 03:26 AM, Florence Blanc-Renaud wrote: another user hit the same problem as you (ipa-replica-install --setup-ca fails during pkispawn and the PKI debug log shows an error related to updateNumberRange). He managed to workaround the issue by un-enrolling the failing replica and

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-01 Thread Mark Haney via FreeIPA-users
On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Mark Haney via FreeIPA-users
13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via > FreeIPA-users wrote: > > On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: > > > On 09/13/2017 03

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-15 Thread Mark Haney via FreeIPA-users
On 09/14/2017 09:41 AM, Alexander Bokovoy wrote: On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Sigh.  As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result.  Care to explain that with some other policy?  Even then, DOWNLOADING the RPM still will not install

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Mark Haney via FreeIPA-users
com> wrote: > On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: > >> Well this is interesting. The latest version of sudo >> is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The >> issue here is that this box is CentOS 6.4 and I can't fully upd

[Freeipa-users] IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Mark Haney via FreeIPA-users
One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured.  I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Mark Haney via FreeIPA-users
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: Hi Mark, Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-14 Thread Mark Haney via FreeIPA-users
14 Sep 2017, at 14:15, Mark Haney via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > Well this is interesting. The latest version of sudo > is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The > issue here is that this box is CentOS 6.4 an

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Mark Haney via FreeIPA-users
Honestly, we simply built a new IPA configuration rather than try to migrate.  It's been far easier to move clients over by ripping the OpenLDAP off and installing IPA-client than mucking with a conversion. On 10/09/2017 11:50 AM, Andrew Meyer via FreeIPA-users wrote: Hello, I am planning to

[Freeipa-users] Re: planning for migration

2017-10-09 Thread Mark Haney via FreeIPA-users
On 10/09/2017 12:24 PM, Andrew Meyer wrote: I'm heading down that route as well.  But I would like to have both options available to the boss. I'm not sure if my syntax is incorrect.  That's where I need help. Can't help you there, brother.  Our LDAP setup was crap from the beginning, so we

[Freeipa-users] Re: FreeIPA Sudo Issue

2017-10-10 Thread Mark Haney via FreeIPA-users
On 10/10/2017 12:47 AM, Alka Murali via FreeIPA-users wrote: Hello Team, I have integrated my Ubuntu/Debian and CentOS Servers as IPA Clients to my FreeIPA Server. The custom sudo rule added by me also works for the users assigned to the rule. The first login attempt as well as sudo access

[Freeipa-users] IPA policy creation

2017-10-10 Thread Mark Haney via FreeIPA-users
Due to people not documenting squat here over years, one of our servers configurations got jacked up when I migrated it from OpenLDAP to IPA.  This is a CentOS 6 server that runs RANCID to pull customer edge router configs.  The old OpenLDAP setup had a policy in Kerberos that would create a

[Freeipa-users] Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration. This should be easy to answer. I've got all the necessaries manually set up and I'm at the step to get the certificate from the IPA server.

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Mark Haney via FreeIPA-users
I never said I didn't like it. Just that it's not that complicated to set up a playbook to do what you're doing. On Thu, Oct 5, 2017 at 11:17 AM, Thomas Woerner wrote: > Hello Mark, > > On 10/05/2017 03:57 PM, Mark Haney wrote: > > I've been doing this using a custom Ansible

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Mark Haney via FreeIPA-users
, Alexander Bokovoy <aboko...@redhat.com> wrote: > On to, 05 loka 2017, Mark Haney via FreeIPA-users wrote: > >> I never said I didn't like. Just that it's not that complicated to setup a >> playbook to do what you're doing. >> > There is a context to Thomas' messa

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 11:23 AM, Rob Crittenden wrote: Sounds like the keytab is out-of-sync. Try this: # klist -kt /etc/krb5.keytab Note the kvno On a machine you can kinit on: $ kinit admin $ kvno The kvno should match that of the keytab. If not you'll need to regenerate it. Note that by default

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 11:23 AM, Rob Crittenden wrote: The kvno should match that of the keytab. If not you'll need to regenerate it. Note that by default ipa-getkeytab generates new keys every time it is executed. rob Addendum to my previous reply.  I /can/ 'kinit mark.haney' and supply my

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 10:21 AM, Rob Crittenden wrote: So yeah, you're moving right along. I was in the middle of asking you to check krb5.conf when this one came in :-) So the reason the resubmit failed is certmonger tracks the location, etc for certs to prevent duplicates (and racing at renewal

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 09:00 AM, Mark Haney wrote: I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration. This should be easy to answer. I've got all the necessaries manually set up and I'm at the step to

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 09:17 AM, Rob Crittenden wrote: Mark Haney via FreeIPA-users wrote: I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration. This should be easy to answer. I've got all the necessaries

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Mark Haney via FreeIPA-users
On 10/13/2017 09:48 AM, Mark Haney wrote: I tried changing HOST/ to host/ and got this: Certificate at same location is already used by request with nickname "20171013123749" Seems it doesn't matter on this setup.  Oh, probably should mention this is a CentOS 6.9 box. In case that matters.

[Freeipa-users] IPA curl timeout on slow link

2017-10-12 Thread Mark Haney via FreeIPA-users
I appreciate all the ideas on how to fix the SSL cert issue on updating to 4.5.0, I'll work on that next week I hope. This one should be much quicker (hopefully).  My boss has insisted that I get ipa-clients working on a half-dozen or so servers located in Alaska.  (Believe me, I argued

[Freeipa-users] Re: IPA curl timeout on slow link

2017-10-12 Thread Mark Haney via FreeIPA-users
On 10/12/2017 01:32 PM, Rob Crittenden wrote: Mark Haney via FreeIPA-users wrote: That's a tough one. ipa-client-install makes many (a dozen?) connections while it does its thing. You might try pre-generate the host entry and keytab, ship it to the machine, then use the --keytab option

[Freeipa-users] Re: IPA curl timeout on slow link

2017-10-12 Thread Mark Haney via FreeIPA-users
On 10/12/2017 02:06 PM, Rob Crittenden wrote: Mark Haney wrote: Maybe some holy water wouldn't be a bad idea. On the bright side if anyone were ever to log into the machines then the sssd cache would likely make it far easier on subsequent attempts. rob True. Fortunately, we

[Freeipa-users] Replacing OpenLDAP with FreeIPA

2017-09-08 Thread Mark Haney via FreeIPA-users
Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master).  Are there any gotchas to replacing OpenLDAP with FreeIPA?  I'm using Ansible to push the client install to the VMs, with a task for uninstalling

[Freeipa-users] Re: Replacing OpenLDAP with FreeIPA

2017-09-08 Thread Mark Haney via FreeIPA-users
On 09/08/2017 12:10 PM, Simo Sorce wrote: On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote: Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master).  Are there any gotchas to replacing

[Freeipa-users] CentOS 6 system 4 error

2017-09-26 Thread Mark Haney via FreeIPA-users
I've been migrating a lot of our customer boxes from a local install of our master LDAP database (yeah, I know) to our IPA servers.  Nearly all these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as well) and I've built an ansible playbook to make the migration changes.  I've

[Freeipa-users] Re: IPA policy creation

2017-10-11 Thread Mark Haney via FreeIPA-users
On 10/10/2017 05:46 PM, Simo Sorce wrote: Could you perhaps do something weird with the default shell setting? probably can use oddjob/oddjob_mkhomedir properly configured on the various servers. Simo. Actually it was even simpler than that, and goes to show what happens when you

[Freeipa-users] Upgrading with GoDaddy SSL cert for https only

2017-10-11 Thread Mark Haney via FreeIPA-users
I just tried to upgrade one of our IPA servers to 4.5.0 (from 4.4.0) on C7 (along with updating C7 to 7.4) and it bombed spectacularly.  It seems the upgrade process doesn't like the GoDaddy SSL cert we supplied for HTTPS only.  Is there documentation explaining the process with an HTTPS only

[Freeipa-users] Manual IPA client install

2017-10-17 Thread Mark Haney via FreeIPA-users
So, I'm /this/ close to getting a pair of servers in Alaska (on very slow links) set up for IPA authentication. I've followed the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html since these two

[Freeipa-users] Re: Special admin account for one server/host only?

2017-11-28 Thread Mark Haney via FreeIPA-users
On 11/28/2017 11:13 AM, Rob Crittenden via FreeIPA-users wrote: Rob Morin via FreeIPA-users wrote: Hello all... I was wondering if someone could help me out, is it possible to have a user administer only one host/server. Meaning they would log on to freeipa gui and be able to change a password

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

2017-11-10 Thread Mark Haney via FreeIPA-users
On 11/10/2017 12:08 PM, Christophe TREFOIS via FreeIPA-users wrote: Hi, How did you proceed? One by one just a yum update on all pending packages? -- Little late to the party, but FWIW, I just upgraded one of our IPA servers from 7.3 to 7.4 doing yum -y update.  Worked like a charm. I do

[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

2017-11-06 Thread Mark Haney via FreeIPA-users
On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote: Hi list, RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function. Is there a known workaround to

[Freeipa-users] Re: Manual IPA client install

2017-10-20 Thread Mark Haney via FreeIPA-users
On 10/18/2017 03:58 AM, Rob Crittenden wrote: This looks like some problem with sssd. Do you see your user with "id