[Freeipa-users] Re: Custom certificate

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Per Qvindesland via FreeIPA-users wrote: > Hi All > > I installed a custom signed certificate from quovadis, the install on the ipa > server went fine but when I try to add a client (centos 6) it gives error: > LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been >

[Freeipa-users] Re: IP address in certificate

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Mikaël ANDRE via FreeIPA-users wrote: > Hi everybody, > > With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi > and HP ILO certificates to my FreeIPA server. > I create csr with the following command: "openssl req -new -sha256 > -nodes -config openssl.cfg -newkey rsa:2048 -keyout

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Prasun Gera via FreeIPA-users wrote: > The entry is present on both master, and replica. Also, the status on > replica for those two has changed to *'ca-error: Invalid cookie: '''*. > The certs listed by certutil on both systems, as well as the ones listed > by the ldap query seem to match. When I

[Freeipa-users] Re: Failed Upgrade?

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Ian Harding via FreeIPA-users wrote: > I had an unexpected restart of an IPA server that had apparently had > updates run but had not been restarted. ipactl says pki-tomcatd would > not start. > > Strangely, the actual service appears to be running: > dogtag is an application within tomcat so

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler via FreeIPA-users wrote: > This may be related to the issue discussed here: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ >

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote: > Hi, > > 3. August 2017 03:03, "Fraser Tweedale via FreeIPA-users" > > wrote: > >> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users >> wrote: >>> I'm playing around with keycloak and wanted

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > The query mismatch was a typo/mispaste, sorry about that. > > It was indeed at least partly permissions in the LDAP server, likely > because a service is running the query. > > I solved the freeipa permissions with the below command, which is likely > bad in some way but

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > When we setup our IPA server, we extended the schema to include 3 fields > that were important to the work we do. When we performed the last > update, those fields still show as required, but they are missing and we > cannot add users to IPA unless we

[Freeipa-users] Re: Creating certificate for master domain

2017-08-03 Thread Rob Crittenden via FreeIPA-users
service, etc) so since domain can't fit into one, you can't issue a cert for it. What would it be used for? I'm not sure how meaningful a domain name in a cert is, but it could be a use-case we missed. rob > > > Regards, > > Rafał Wądołowski > > On 02/08/17 15:55, Rob C

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
. rob > > On Thu, Aug 3, 2017 at 8:15 AM, Rob Crittenden via FreeIPA-users > <freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > Randy Morgan via FreeIPA-users wrote: > > When we setup our IPA server,

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > It seems the postfix problem was of my creation, I reset the postfix > config file to a copy of the default, re-did everything a step at > a time and it all worked. Who knows what I had in there screwing it up, > I still can't find it when I compare them. > > To sum it up

[Freeipa-users] Re: Freeipa + Godaddy certificate

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Adrian HY wrote: > Hi Rob, same problem; > > ipa-cacert-manage -n "Godaddy" -t CT,C,C install gd_bundle-g2-g1.crt -v > > ipa: DEBUG: Starting external process > ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpp31Uuq -N -f /tmp/tmp4TnBRN > ipa: DEBUG: Process finished, return code=0 > ipa:

[Freeipa-users] Re: IPA Master won't start and replicas are not taking over

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Randy Morgan wrote: > After some serious arm twisting, I was finally able to get the server to > run a yum update. It would appear that some of the files for ipa had > become corrupted and this was the reason it would not start. After the > yum update, it started just fine and I was able to run

[Freeipa-users] Re: IPA Master won't start and replicas are not taking over

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > Over the weekend our IPA Master failed and I can not get ipactl to > start, the Directory Service fails. We have two replicas and I was > under the impression that if one of the servers failed the others would > pickup the load, that is not happening

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-15 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann wrote: > On 08/14/2017 09:51 PM, Rob Crittenden wrote: >> Julian Gethmann wrote: >>> On 08/14/2017 05:46 PM, Rob Crittenden wrote: Julian Gethmann wrote: > Hello, > > On 08/14/2017 04:21 PM, Rob Crittenden wrote: >> Julian Gethmann via FreeIPA-users wrote:

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Rob Crittenden via FreeIPA-users
Michael Gusek wrote: > Hello Rob, > > I can understand why CA won't start with expired certs. Actually my > system date is a day before expiring (expiring date is 30 Jul 2017, > system date now 29 Jul 2017), but CA won't start. How to "ensure that > the CA comes up" ? Ok, well the logs I

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Christian Glombek via FreeIPA-users wrote: > I can only second that. Official FreeIPA plugins for Postfix and Dovecot > would be immensely helpful. > > Someone made a plugin that adds mailAlternateAdress to the scheme and ui, > which is somewhat related to this issue: >

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > You may recall earlier when I said that we wound up pulling an expired cert > on one of our staging IPA replicas after updating the xmlrpc_server variable > to point to a different host. It's not clear to us how best to fix that cert >

[Freeipa-users] Re: password reset privileges

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten wrote: > Hello, > > Sorry for the late reply. This is the latest FreeIPA version in CentOS > 7.3 (4.4.0-14). > > Indeed the helpdesk role should be sufficient. I tried with the User > Administrator role as well, but that made no difference. Since it's > working for you, it's

[Freeipa-users] Re: Freeipa + Godaddy certificate

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > Hi, I need to incorporate a godaddy certificate in freeipa. > > I have three files: 4dfc653ab0cf823d.crt, gd_bundle-g2-g1.crt and mykey.key. > > When I run the command * ipa-cacert-manage -n "Godaddy" -t CT,C,C > install cert.pem* the output is > >

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann wrote: > Hello, > > On 08/14/2017 04:21 PM, Rob Crittenden wrote: >> Julian Gethmann via FreeIPA-users wrote: >>> Hello, >>> >>> Unfortunately I don't know when this problem occurred first, but it may >>> have occurred after an update. >>> The httpd does not start and aborts with

[Freeipa-users] Re: Can Load balanced HTTP service use kerberos authentication?

2017-08-14 Thread Rob Crittenden via FreeIPA-users
William Muriithi via FreeIPA-users wrote: > Hi Wouter, > > On 11 August 2017 at 15:14, wrote: >> I've used shared keytabs before to create a loadbalanced squid instance. >> This way you don't even need to use sticky balancing since all nodes that >> have the key

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann via FreeIPA-users wrote: > Hello, > > Unfortunately I don't know when this problem occurred first, but it may > have occurred after an update. > The httpd does not start and aborts with the error > > [:info] [pid 15383] Using nickname Server-Cert. > [...] [:error] [pid 15383]

[Freeipa-users] Re: Can't create new CA replica

2017-07-06 Thread Rob Crittenden via FreeIPA-users
john.bowman--- via FreeIPA-users wrote: > Since taking over our FreeIPA environment I've been unable to create a new CA > replica. A bunch of failed attempts and upgrades over the last year and I > keep running in to issues. After my latest attempt I noticed something that > I had not seen

[Freeipa-users] Re: different failed auth times?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Kat via FreeIPA-users wrote: > Hi, > > If I have a simple pair of FreeIPA servers and one is showing different > failed auth times for a user -- is this a good indication they are out > of sync? Should I not see same failures on both? The lockout attributes are per-server (not replicated). rob
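Added example, not code from the thread or from FreeIPA itself: it collects the per-replica counters (krbLoginFailedCount, krbLastFailedAuth) from LDIF fragments constructed here as if returned by an ldapsearch on each server, and evaluates each replica's lockout state against a password policy. Hostnames, LDIF values and the policy numbers are assumptions; the lock check is a simplified model of the policy semantics rather than IPA's own implementation. The practical point it makes concrete is that, because the counters are not replicated, a differing failure time per server is expected, and each replica tolerates its own maxfail guesses.

```python
from datetime import datetime

# Constructed LDIF fragments, as if returned by an ldapsearch for
# uid=bob against each replica (hostnames and values are made up).
SAMPLE_STATUS = {
    "ipa1.example.test": (
        "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
        "krbLoginFailedCount: 6\n"
        "krbLastFailedAuth: 20170720123000Z\n"
    ),
    "ipa2.example.test": (
        "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
        "krbLoginFailedCount: 2\n"
        "krbLastFailedAuth: 20170720090000Z\n"
    ),
}

# Assumed policy values in seconds (the global_policy defaults).
POLICY = {"maxfail": 6, "failinterval": 60, "lockoutduration": 600}


def parse_ldif(text):
    """Minimal parser for a single LDIF entry: one 'attr: value' per line."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def gen_time(value):
    """LDAP GeneralizedTime (YYYYMMDDhhmmssZ) to a naive UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def lock_state(entry, policy, now):
    """Simplified model of the per-replica lockout check (an assumption
    about the policy semantics, not IPA's own code). Returns (locked, reason)."""
    count = int(entry.get("krbLoginFailedCount", ["0"])[0])
    last = entry.get("krbLastFailedAuth")
    if count == 0 or not last:
        return False, "no recorded failures"
    since = (now - gen_time(last[0])).total_seconds()
    if count >= policy["maxfail"]:
        if policy["lockoutduration"] == 0:
            return True, "locked until an admin unlocks the account"
        if since < policy["lockoutduration"]:
            left = int(policy["lockoutduration"] - since)
            return True, "locked for %d more seconds" % left
        return False, "lockout expired"
    if since >= policy["failinterval"]:
        return False, "counter is stale; next failure restarts it"
    return False, "%d of %d failures" % (count, policy["maxfail"])


def per_server_state(status, policy, now):
    """Evaluate every replica separately; the counters are not replicated."""
    return {srv: lock_state(parse_ldif(ldif), policy, now)
            for srv, ldif in status.items()}


def attempts_tolerated(policy, nservers):
    """Guesses an attacker gets before all replicas lock, since each
    replica keeps its own counter."""
    return policy["maxfail"] * nservers


if __name__ == "__main__":
    now = datetime(2017, 7, 20, 12, 35, 0)
    states = per_server_state(SAMPLE_STATUS, POLICY, now)
    for srv, (locked, why) in sorted(states.items()):
        print("%-20s locked=%-5s %s" % (srv, locked, why))
    print("attempts before every replica locks:",
          attempts_tolerated(POLICY, len(SAMPLE_STATUS)))
```

Against a live deployment the same per-server view is what `ipa user-status <uid>` reports, one block per server; the divergence between servers is the normal state, not a replication fault.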

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote: >> lejeczek via FreeIPA-users wrote: >>> hello fellas >>> >>> those certs I see with: >>> $ ipa cert-find >>> is it possible to get pri

[Freeipa-users] Re: FreeIPA and Foreman

2017-07-25 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote: > So I just installed foreman on my puppet and ansible instance and got it > working. After I installed it and got it working. I joined the server > to the my FreeIPA domain. > > I now get the following error whenever I try to restart apache. > > By the

[Freeipa-users] Re: FreeIPA upgrade

2017-07-24 Thread Rob Crittenden via FreeIPA-users
Bhavin Vaidya via FreeIPA-users wrote: > Hello, > We are trying to upgrade FreeIPA- v4.1.3-1.el7 on our master server > which is CentOS 7.0.1406. > We were getting other conflict issues, which were fixed with updating yum. > > We are not able to go further without following Error, while both RPMs

[Freeipa-users] Re: ipa-server-4.4.0-14.el7.centos.7.x86_64 - 389 dirsrv will not start

2017-07-19 Thread Rob Crittenden via FreeIPA-users
email--- via FreeIPA-users wrote: > Hey Guys, > > Was having some strange issues and found one of the dirsrv services > crashed, I can't say this is the only time this has happened but usually > it starts manually or on reboot. > > Any ideas on this one? Let me know if you need more info. > >

[Freeipa-users] Re: Question regarding filtering of users seen by managing users

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Thomas Handler via FreeIPA-users wrote: > Dear all, > > I have installed FreeIPA and try to learn about the concepts. > > I’ve been looking around, reading documents that I found and searched > but did not find any useful hints how to configure FreeIPA to solve my > problem I describe below. >

[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-19 Thread Rob Crittenden via FreeIPA-users
David Hendén via FreeIPA-users wrote: > Hi all, > > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL > 4.4.0. > > What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could > replace the original FreeIPA 3.0 infrastructure with. The way I'm doing this

[Freeipa-users] Re: Update signing certificate

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Jatin Nansi via FreeIPA-users wrote: > You can not use ipa-getcert to request / issue certificates from an > external CA. Issuing certificates now needs to be managed by the > external CA's tools. You should also disable the old CA from starting up > on IPA server. I guess it depends what the

[Freeipa-users] Re: can't upgrade IPA because of certificate alias problem

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Fraser Tweedale via FreeIPA-users wrote: > On Thu, Jul 13, 2017 at 03:02:02PM +, Charles Hedrick via FreeIPA-users > wrote: >> I’ve installed ipa. Originally I did the default install, without DNS. >> >> I then updated to a commercial cert. Notes at the end. >> >> I just did a yum update.

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-19 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hello fellas > > those certs I see with: > $ ipa cert-find > is it possible to get private key(s) for a given cert? With means of > (any)command line? Not from the CA, no. The CA doesn't store the private keys for the certificates it issues and never sees

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Rob Brown via FreeIPA-users wrote: > Our company recently implemented freeipa to replace a cent5 kerberos > infrastructure. We set it up with a Winsync agreement with an AD domain, > and is working pretty well. > Our user disposition workflow in AD is this: user account is disabled, > and moved to

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Rob Brown wrote: > yeah, I did find the users in AD under: > CN=Deleted Objects,DC=foo,DC=domain,DC=com > and, the users actually have the attribute: > isDeleted = TRUE > so, looks like they were actually deleted (from AD perspective). > It seems like the delete sync is two-way (surprising, since

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-03 Thread Rob Crittenden via FreeIPA-users
Pieter Baele via FreeIPA-users wrote: > Hi, > > I've a weird problem with 2 hosts on ipa-client-install registration. > All my servers are using a 99% alike kickstart profile. > > 8 hosts did their registration almost immediately (after submit of admin) > > But on 2 servers I am stuck with: >

[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-06 Thread Rob Crittenden via FreeIPA-users
wenxing zheng wrote: > Thanks to Rob. > > We finally got the root cause, it's a bug in the application. Our LDAP > URL or DN is too long which triggered a bug in the JDK Properties. Java > Properties doesn't allow the value to be longer than 47, and if the > length is longer than 47, it will

[Freeipa-users] Re: Synchronization on servers

2017-06-27 Thread Rob Crittenden via FreeIPA-users
Ataliba Teixeira via FreeIPA-users wrote: > Hello, > > reading some docs about the sync of my two servers : > > # ipa-replica-manage list > server1.domain: master > server2.domain: master > > > # ipa-replica-manage list-ruv > Directory Manager password: > > Replica Update Vectors: >

[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-05 Thread Rob Crittenden via FreeIPA-users
wenxing zheng via FreeIPA-users wrote: > Dear all, > > I met with an issue when doing the LDAP authentication on the Kylin. My > FreeIPA works with Ranger very well, but on Kylin, when binding the DN > with the admin, it failed to connect to the LDAP server: > > [05/Jul/2017:11:16:32 +0800]

[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten via FreeIPA-users wrote: > As I mentioned in my first mail, that doesn't work. For testing, I > created a new role that contains the following privileges: > > Group Administrators > Modify Group membership > Modify Users and Reset passwords > User Administrators > > Unfortunately,

[Freeipa-users] Re: Deleting revoked certs from CA master

2017-08-04 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: > So now that we have a nicely replicating domain and ca, I'd like to rid > myself of these revoked certificates which I tried as a way to fix the > replication and setting up of a CA. Is there a way to delete these > certs out of the store? > > You'd have

[Freeipa-users] Re: Password History

2017-07-28 Thread Rob Crittenden via FreeIPA-users
John Trump via FreeIPA-users wrote: > I am using FreeIPA 4.4 and have implemented a password policy where > password history is set to 24. If a password admin or the user "admin" > resets a users password, the user is forced to change their password > upon logging in. At this point, the user is

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread Rob Crittenden via FreeIPA-users
None via FreeIPA-users wrote: > Further update: I'm pretty sure I found out the problem. > > Basically, my old server is running pyasn1==0.2.3 and the new one has > pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change > to __init__ and a few other functions in 0.3.1, so I

[Freeipa-users] Re: Creating certificate for master domain

2017-08-02 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski via FreeIPA-users wrote: > Hi, > > I have freeipa 4.4 cluster with CN intra.example.com. > > We developed intranet on this same domain, but I can't create a valid > certificate for it. > > I can't create service, because hostname is required. Is it other way to > sign the CSR?

[Freeipa-users] Re: IPA replica with CA role problems

2017-08-01 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: > On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: >> >> you can connect to IPA web UI on the server to revoke the cert: >> https://server.ipadomain.com/ipa/ui, then navigate to Authentication > >> Certificates, click on the certificate corresponding to the

[Freeipa-users] Re: Failed Upgrade?

2017-08-01 Thread Rob Crittenden via FreeIPA-users
Ian Harding wrote: > On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: >> On 08/01/2017 03:11 PM, Ian Harding wrote: >>> On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote: On 08/01/2017 01:32 AM, Ian Harding via FreeIPA-users wrote: > > > On 07/31/2017 11:34 AM, Rob

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > It's the NSSDB cert. Here's some console output that might be helpful. > > PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 > Request ID '20150827000358': > status: MONITORING > ca-error: Server at >

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Thanks, Rob. > > Unfortunately my test in staging resulted in an expired dogtag cert. The > staging environment didn't have any certificates that were due to expire soon > so I updated the xmlrpc_server variable on one of the four IPA hosts we have >

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Michael Gusek via FreeIPA-users wrote: > Hi Fraser, > > at the moment, I can't provide this logfile, I've moved that back to > have only new log lines. But a new logfile is not created ??? In my > old logfile I have some lines after switch to basic auth, but before > setting time to past: >

[Freeipa-users] Re: Creating certificate for master domain

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Wildcard_certificates > BR, > Rafał > > On 03/08/17 16:03, Rob Crittenden via FreeIPA-users wrote: >> Rafał Wądołowski wrote: >>> Okey, but how can I create certificate for domain intra.example.com? >>> >>> I can't create host, because the hostname is required

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-07 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hi all, > > We run IPA 3.0.0 and have a cert on the CA master expiring in about 10 days. > The problem is that we mistakenly provisioned the last cert using an old > hostname which means that automatically renewing the cert fails, and the IPA > cert

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-07 Thread Rob Crittenden via FreeIPA-users
Jochen Hein wrote: > Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes: > >> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> >> writes: >> >>> So theoretically certmonger could for example, track

[Freeipa-users] Re: Group membership expiration

2017-07-27 Thread Rob Crittenden via FreeIPA-users
Prashant Bapat via FreeIPA-users wrote: > Hi FreeIPA Users, > > Is there a way to make the group membership have an optional expiration > date. This expiration date can be set by the admin. No, there is no way to do this in IPA. > Any pointers to how this can be implemented would be very

[Freeipa-users] Re: Issues after adding Let's encrypt certificate

2017-08-17 Thread Rob Crittenden via FreeIPA-users
Sarhan Aissi via FreeIPA-users wrote: > Hello, > > I am using FreeIPA 4.3.1 with Ubuntu Server 16.04 and i tried to add my > Let's encrypt certificate using the "freeipa-letsencrypt" script (I replaced > Fedora/RHEL commands with ubuntu equivalents): >

[Freeipa-users] Re: NFS problems after OS updates - can't access directories

2017-08-22 Thread Rob Crittenden via FreeIPA-users
Detlev Habicht via FreeIPA-users wrote: > Ok, > > I will reduce my questions to one point: > > I was using tcpdump on NFS server side. > > When I am trying to go to a directory I can see that the client connects to > the server. > But the server doesn't answer. Not any packet … > > So the server

[Freeipa-users] Re: documentation or example of using S42U for NFS

2017-06-12 Thread Rob Crittenden via FreeIPA-users
Jens Timmerman via FreeIPA-users wrote: > Hi Greg, > > > On 02/03/2017 03:29, Greg wrote: >> I've been at this as well for a while now, and managed to make it work >> for my NFS needs (automounting user homes with password-less logons). >> >> >> >> $ ipa servicedelegationrule-show

[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start. > > I see this (repeated many times) in the journal: > > WARNING: Exception processing realm > com.netscape.cms.tomcat.ProxyRealm@383171f8 background process >

[Freeipa-users] Re: [Freeipa-users]admin account locked due to external ssh authentication attempts

2017-06-19 Thread Rob Crittenden via FreeIPA-users
Jason B. Nance via FreeIPA-users wrote: > Hi Peter, > >> What is the best way to prevent >> the evil bots of the Internet from locking out my admin account? > > One simple solution would be to grant another user admin privileges instead > of using the built-in "admin" account. Yes, any member

[Freeipa-users] Re: Users not imported with Active Directory Synchronization

2017-06-21 Thread Rob Crittenden via FreeIPA-users
laurent2.perrin--- via FreeIPA-users wrote: > Hi, > > > > I'm trying to setup a FreeIPA and Active Directory synchronisation > following Red Hat >

[Freeipa-users] Re: [SOLVED?] Re: Expired certificates

2017-06-21 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > On 06/20/2017 11:38 PM, Ian Pilcher wrote: >> If I don't specify the SSL_DIR, the curl command works, so it >> definitely seems to be an issue with the NSS database in >> /etc/httpd/alias. I don't see anything obviously wrong with the trust >> flags, though:

[Freeipa-users] Re: Issue with replica creation

2017-06-22 Thread Rob Crittenden via FreeIPA-users
Oleg Danilovich via FreeIPA-users wrote: > Does it mean that i should update my ipa servers ? I'd recommend examining /var/log/ipaserver-install.log and the CA log files in /var/log/pki/pki-tomcat/ca/ rob > > On 21 June 2017 at 17:28, Oleg Danilovich >

[Freeipa-users] Re: LDAP + Nextcloud -> retrieve Mailfield

2017-06-22 Thread Rob Crittenden via FreeIPA-users
Jens Laufer via FreeIPA-users wrote: > Hello, > > I am very happy that I got Nextcloud connected to FreeIPA over LDAP. It > seems to work nearly perfectly now; the only thing I can't get to work is to > pull the mail from FreeIPA and add it to Nextcloud. > > I tried to use the field mail but that

[Freeipa-users] Re: Rebuilding IPA environment

2017-06-20 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > What would be the best method to stand up a new IPA environment while > keeping as much of the existing data as possible? > > I've read that the ipa migrate-ds only migrates the users and groups and > the recommended suggestion is to set up a replica. I'd

[Freeipa-users] Re: Certificate renewals with external CA

2017-06-19 Thread Rob Crittenden via FreeIPA-users
Rob Foehl wrote: > On Thu, 15 Jun 2017, Rob Crittenden wrote: > >> Rob Foehl wrote: >>> Can I at least get a yes or no on whether external CA certificate >>> renewal has ever been tested when that certificate is nearing >>> expiration? >> >> Yes. I tested this with IPA v3.0. Did it break in

[Freeipa-users] Re: Insufficient 'delete' privilege

2017-06-23 Thread Rob Crittenden via FreeIPA-users
Sieferlinger, Andreas via FreeIPA-users wrote: > Hi all, > > > > after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some > trouble in changing replication agreements. > > > > #ipa-replica-manage del auth4.example.com > > 'auth9.example.com' has no replication agreement for

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-26 Thread Rob Crittenden via FreeIPA-users
Rob Foehl via FreeIPA-users wrote: > On Fri, 26 May 2017, Fraser Tweedale wrote: > >> What is the validity of the leaf certificates? Is the notAfter time >> of the leaf certificate pegged to the notAfter time of the CA >> certificate? If so, this is (IMO) a bug. > > The leaf certs' expiration

[Freeipa-users] Re: Ongoing CA access issues

2017-05-30 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote: > Still trying to get my CA working. > > In the IPA web UI, under Authentication -> Certificates, I can see a > number of certs listed as VALID, EXPIRED, or REVOKED_EXPIRED. But I can > also see many more that are greyed out, and whose "Issuing CA" and >

[Freeipa-users] Re: cannot connect ...Encountered end of file.

2017-05-31 Thread Rob Crittenden via FreeIPA-users
Vinny Del Signore via FreeIPA-users wrote: > Hello all, > > Has anyone seen this issue? We've tried to generate a new CA and SSL Cert. > > *IPA v.3.0.0-50 * > > # *rpm -qa | grep ipa-server* > ipa-server-selinux-3.0.0-50.el6.1.x86_64 > ipa-server-3.0.0-50.el6.1.x86_64 > > root ldap-srv

[Freeipa-users] Re: DatabaseError: Server is unwilling to perform: Too many failed logins.

2017-06-01 Thread Rob Crittenden via FreeIPA-users
Jose Alvarez R. via FreeIPA-users wrote: > Hi > > > > Can you help me with this problem? > > > > My FreeIPA version 4.3.3 and the S.O. is Fedora 24 It would help if you'd provide context to what you were doing at the time. An account may be locked out for a period of time due to too many

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > I'm hoping this is a firewall issue but I figured I would check just in > case I'm looking in the wrong direction. > > I setup a pair non-CA replicas today and as far as I could tell > everything seemed to be okay but I noticed that when searching via the >

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > Sorry for accidentally dropping freeipa-users. > > I was impatient so went back in time before your answer, but I did choose > a good date > > Before this, I had the following two entries with an expired date: > > Request ID '20150316184508': >

[Freeipa-users] Re: ipa-server-upgrade stuck

2017-06-01 Thread Rob Crittenden via FreeIPA-users
pgb205 via FreeIPA-users wrote: > I have tried to start an apparently crashed instance of ipa server Define crashed, and what version? > and got > > ipactl start > Upgrade required: please run ipa-server-upgrade command > Aborting ipactl It uses values from

[Freeipa-users] Re: keytab usage?

2017-06-06 Thread Rob Crittenden via FreeIPA-users
Simo Sorce via FreeIPA-users wrote: > On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote: >> Never mind -- if I use ipa-getkeytab, it works perfectly. >> >> What is the difference between what getkeytab and ktutil by hand >> does? >> Is it documented? > > In FreeIPA we generate a

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > OK, I did so and httpd restarts. > > $ openssl s_client -connect 127.0.0.1:443 -showcerts > CONNECTED(0003) > depth=1 O = HQ.SPINQUE.COM , CN = Certificate > Authority > verify return:1 > depth=0 O =

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Rob Crittenden via FreeIPA-users
Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > Fixing a topology and replication issue caused my IDM infrastructure to > forget about roughly 30 enrolled client hosts. > > Though this would be trivial to fix via an ansible playbook that runs > the IPA client install command again with

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Rob Crittenden via FreeIPA-users
Alexander Bokovoy via FreeIPA-users wrote: > On Tue, 13 Jun 2017, Chris Dagdigian via FreeIPA-users wrote: >> Hi folks, >> >> Fixing a topology and replication issue caused my IDM infrastructure >> to forget about roughly 30 enrolled client hosts. >> >> Though this would be trivial to fix via an

[Freeipa-users] Re: Certificate renewals with external CA

2017-06-15 Thread Rob Crittenden via FreeIPA-users
Rob Foehl wrote: > On Fri, 9 Jun 2017, I wrote: > >> In short, that didn't go particularly well at all, which in some ways >> brings me back to the original as-yet-unanswered deployment question: >> >> Is trying to do this with an external CA worth the pain? > > Three attempts at this question,

[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-09 Thread Rob Crittenden via FreeIPA-users
Jose and I exchanged some files privately and I think I've narrowed down the enrollment problem to failing to get a keytab due to the error: Failed to retrieve encryption type DES cbc mode with CRC-32 (#1) This is because newer IPA servers don't support DES. I don't recall the workaround for
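The failure above is a client that only asks for des-cbc-crc (Kerberos enctype 1), which newer IPA servers no longer issue keys for. As an added example (not from the thread, and not FreeIPA or MIT code), here is a small writer and parser for the MIT keytab file format that lists the enctype and kvno of every key and flags single-DES entries. It runs over a keytab constructed inline with dummy key bytes; the principal, realm and key material are made up.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Single-DES enctypes; a client restricted to these gets no key from a modern KDC.
DES_ENCTYPES = {1, 2, 3}
KRB5_NT_PRINCIPAL = 1


def _counted(data, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def _cstr(raw):
    return struct.pack(">H", len(raw)) + raw


def build_entry(principal, enctype, key, kvno=1, timestamp=0):
    """Serialize one entry in MIT keytab file format version 0x502."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for comp in comps:
        body += _cstr(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return dicts (principal, enctype, kvno, keylen) from a version-2 MIT
    keytab; slots with a negative size are freed entries and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                  # 32-bit kvno trailer present
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "enctype": enctype, "kvno": kvno, "keylen": len(key),
        })
    return entries


def weak_entries(entries):
    """(principal, enctype name) for every single-DES key in the keytab."""
    return [(e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in entries if e["enctype"] in DES_ENCTYPES]


# Constructed keytab with dummy key bytes: one host principal with AES and
# RC4 keys plus a leftover des-cbc-crc (enctype 1) key.
SAMPLE_KEYTAB = build_keytab([
    ("host/client5.example.test@EXAMPLE.TEST", 18, b"\x11" * 32, 3),
    ("host/client5.example.test@EXAMPLE.TEST", 23, b"\x22" * 16, 3),
    ("host/client5.example.test@EXAMPLE.TEST", 1, b"\x33" * 8, 3),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"],
                                     ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    print("weak:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

On a real host `klist -ekt /etc/krb5.keytab` prints the same enctype list; the parser is here to show what the file actually contains and why an old client whose krb5.conf permits only DES cannot be enrolled against a server that refuses to generate such keys.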

[Freeipa-users] Re: replication problem

2017-06-13 Thread Rob Crittenden via FreeIPA-users
Eric Renfro via FreeIPA-users wrote: > Hmmm.. > > Well, in my case specifically, the failed ipa-replica-install does in > fact have the nsslapd-rootpw entry, however, changing this in a recovery > process does no good during an ipa-replica-install. I think this is a red herring. The client

[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Rob Crittenden via FreeIPA-users
Jason Sherrill via FreeIPA-users wrote: > Opened in incognito, same error: "An error occurred: an invalid token > was found." It's hard to say, it works for me though. I'll ping the FAS maintainer and see what I can find out. rob > > On Thu, May 25, 2017 at 12:12 PM, Martin Bašti

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-05 Thread Rob Crittenden via FreeIPA-users
Standa Laznicka via FreeIPA-users wrote: > Hello, > > When you specify --help to a script, you usually get a brief description > of its options. Try `man ipa-client-install` instead ;) For HA you really don't want to use the --server option but to instead rely on DNS discovery via SRV records.

[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Rob Crittenden via FreeIPA-users
Gady Notrica via FreeIPA-users wrote: > Hello, > > Please HELP > > After upgrading my server, IPA is not running any more. Here is the error I > am getting and I can't seem to find any solution on the web. > > All services are stopped except the directory service > > # ipactl status >

[Freeipa-users] Re: Problem with ipa restore

2017-09-15 Thread Rob Crittenden via FreeIPA-users
xattab--- via FreeIPA-users wrote: > > Hi. I have tried to restore freeipa. But all time have an error ERROR > > Command ''tar' '--xattrs' '--selinux' '-xzf' > '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'' > returned non-zero exit status 2 > > My actions : > > 1. run

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Rob Crittenden via FreeIPA-users
Louis Abel via FreeIPA-users wrote: > I should probably mention that IPA users have started working. But not my AD > users. > > [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q > Password: > Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com > Could not chdir to home

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Rob Crittenden via FreeIPA-users
09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote: >> John R. Shannon via FreeIPA-users wrote: >>> Attached in gzip'd form >> >> We need /var/log/ipaclient-install.log >> >> rob >> >>> >>> On 09/15/17 11:39, Rob Crittenden via Fr

[Freeipa-users] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Rob Crittenden via FreeIPA-users
John R. Shannon via FreeIPA-users wrote: > Running ipa-server-install I get: > > Configuring client side components > Using existing certificate '/etc/ipa/ca.crt'. > Client hostname: auth.test.internal.johnrshannon.com > Realm: TEST.INTERNAL.JOHNRSHANNON.COM > DNS Domain:

[Freeipa-users] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Rob Crittenden via FreeIPA-users
John R. Shannon via FreeIPA-users wrote: > Attached in gzip'd form We need /var/log/ipaclient-install.log rob > > On 09/15/17 11:39, Rob Crittenden via FreeIPA-users wrote: >> John R. Shannon via FreeIPA-users wrote: >>> Running ipa-server-install I get: >>

[Freeipa-users] Re: IPA replica appears in LDAP conflicts

2017-09-22 Thread Rob Crittenden via FreeIPA-users
Andrey Ptashnik via FreeIPA-users wrote: > Team, > > When I run LDAP search for conflicting records I see that one replica is > listed as a conflicting record. Do you know how that may have happened and > can I safely remove it? > > # ldapsearch -xLLL -D "cn=Directory Manager" -W -b

[Freeipa-users] Re: how I spent my day (hints on dealing with issues setting up a replica)

2017-10-06 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > In case anyone else has the same problem, let me document what I did today > with our IPA installation (Centos 7.3) Sorry to hear you had so many problems. > > We started out by installing a primary with a default install, and doing >

[Freeipa-users] Re: Can't install ipa-server-4.5.0 on RHEL 7.4: Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 768.

2017-10-04 Thread Rob Crittenden via FreeIPA-users
Markovich via FreeIPA-users wrote: > Hello freeipa-users! > > I'm trying to install ipa-server-4.5.0-21.0.1.el7_4.1.2.x86_64 on Red Hat > Enterprise Linux Server release 7.4 (Maipo) but getting error: > > [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: > 768.

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Rob Crittenden via FreeIPA-users
Gabriel Stein via FreeIPA-users wrote: hey hey... I already registered for copyrights :P It's already a thing, https://www.datadoghq.com/ rob Thank you! Gabriel Stein -- Gabriel Ferraz Stein Tel.: +49 (0) 170 2881531 2017-10-09 15:25 GMT+02:00 Fraser

[Freeipa-users] Re: updating certificates

2017-10-10 Thread Rob Crittenden via FreeIPA-users
Josh wrote: Greetings to all, A follow up on https://www.redhat.com/archives/freeipa-users/2017-January/msg00051.html I missed expiration date and now ipa-certupdate command fails with SSL: CERTIFICATE_VERIFY_FAILED. Should I update httpd certificate manually or there is a workaround to allow

[Freeipa-users] Re: FREEIPA TACPLUS

2017-10-13 Thread Rob Crittenden via FreeIPA-users
saidireddy ranabothu via FreeIPA-users wrote: Hi, Please can anyone help me to integrate TACPLUS with FREEIPA for authentication and authorisation. I don't know that anyone has provided instructions for configuring this but you can get information on configuring other services which might

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration. This should be easy to answer. I've got all the necessaries manually setup and I'm at the step to get the

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-16 Thread Rob Crittenden via FreeIPA-users
0 AM *To:* FreeIPA users list *Cc:* Bhavin Vaidya; Rob Crittenden *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries On 10/12/2017 03:29 AM, Rob Crittenden via FreeIPA-users wrote: Bhavin Vaidya via FreeIPA-users wrote: Hello, I'm having various problem on our FreeIPA setup,

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: > I'm fine with that. Just that IPA's implementation is very much > end-user specific. I really doubt you could abstract the playbook > enough to make it viable for even a majority of users. Can you expand on why? Is it that no playbook could be viable for

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Mark Haney wrote: On 10/13/2017 09:48 AM, Mark Haney wrote: I tried changing HOST/ to host/ and got this: Certificate at same location is already used by request with nickname "20171013123749" Seems it doesn't matter on this setup. Oh, probably should mention this is a CentOS 6.9 box. In case

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: On 10/13/2017 10:21 AM, Rob Crittenden wrote: So yeah, you're moving right along. I was in the middle of asking you to check krb5.conf when this one came in :-) So the reason the resubmit failed is certmonger tracks the location, etc for certs to prevent

[Freeipa-users] Re: Broken WebUI

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden via FreeIPA-users wrote: Kristian Petersen via FreeIPA-users wrote: Very possibly a bug if others are experiencing this as well. I am running IPA v4.5.0 on RHEL 7.4 are you running in a similar environment? You might be able to figure out what is going on using something like