[Freeipa-users] Re: Custom certificate

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Per Qvindesland via FreeIPA-users wrote: > Hi All > > I installed a custom signed certificate from quovadis, the install on the ipa > server went fine but when I try to add a client (centos 6) it gives error: > LDAP Error: Connect error: TLS error -8172:Peer's certificate issuer has been >

[Freeipa-users] Re: IP address in certificate

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Mikaël ANDRE via FreeIPA-users wrote: > Hi everybody, > > With my IPA version 4.4.0 on CentOS 7 64 Bits, I need to sign my ESXi > and HP ILO certificates to my FreeIPA server. > I create csr with the following command: "openssl req -new -sha256 > -nodes -config openssl.cfg -newkey rsa:2048 -keyout

[Freeipa-users] Re: Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Prasun Gera via FreeIPA-users wrote: > The entry is present on both master, and replica. Also, the status on > replica for those two has changed to *'ca-error: Invalid cookie: '''*. > The certs listed by certutil on both systems, as well as the ones listed > by the ldap query seem to match. When I

[Freeipa-users] Re: Failed Upgrade?

2017-07-31 Thread Rob Crittenden via FreeIPA-users
Ian Harding via FreeIPA-users wrote: > I had an unexpected restart of an IPA server that had apparently had > updates run but had not been restarted. ipactl says pki-tomcatd would > not start. > > Strangely, the actual service appears to be running: > dogtag is an application within tomcat so

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler via FreeIPA-users wrote: > This may be related to the issue discussed here: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SC7GYMHMJ2DNT6BDDSWG5F4HL252EJOD/ >

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Jochen Kellner via FreeIPA-users wrote: > Hi, > > 3. August 2017 03:03, "Fraser Tweedale via FreeIPA-users" > > wrote: > >> On Wed, Aug 02, 2017 at 11:11:09PM +0200, Jochen Hein via FreeIPA-users >> wrote: >>> I'm playing around with keycloak and wanted

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Bob Rentschler wrote: > The query mismatch was a typo/mispaste, sorry about that. > > It was indeed at least partly permissions in the LDAP server, likely > because a service is running the query. > > I solved the freeipa permissions with the below command, which is likely > bad in some way but

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > When we setup our IPA server, we extended the schema to include 3 fields > that were important to the work we do. When we performed the last > update, those fields still show as required, but they are missing and we > cannot add users to IPA unless we

[Freeipa-users] Re: Creating certificate for master domain

2017-08-03 Thread Rob Crittenden via FreeIPA-users
service, etc) so since domain can't fit into one, you can't issue a cert for it. What would it be used for? I'm not sure how meaningful a domain name in a cert is, but it could be a use-case we missed. rob > > > Pozdrawiam, > > Rafał Wądołowski > > On 02/08/17 15:55, Rob C

[Freeipa-users] Re: Extended Schema attributes missing

2017-08-03 Thread Rob Crittenden via FreeIPA-users
. rob > > On Thu, Aug 3, 2017 at 8:15 AM, Rob Crittenden via FreeIPA-users > <freeipa-users@lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org>> wrote: > > Randy Morgan via FreeIPA-users wrote: > > When we setup our IPA server,

[Freeipa-users] Re: Freeipa + Godaddy certificate

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Adrian HY wrote: > Ho Rob, same problem; > > ipa-cacert-manage -n "Godaddy" -t CT,C,C install gd_bundle-g2-g1.crt -v > > ipa: DEBUG: Starting external process > ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpp31Uuq -N -f /tmp/tmp4TnBRN > ipa: DEBUG: Process finished, return code=0 > ipa:

[Freeipa-users] Re: IPA Master won't start and replicas are not taking over

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Randy Morgan wrote: > After some serious arm twisting, I was finally able to get the server to > run a yum update. It would appear that some of the files for ipa had > become corrupted and this was the reason it would not start. After the > yum update, it started just fine and I was able to run

[Freeipa-users] Re: IPA Master won't start and replicas are not taking over

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Randy Morgan via FreeIPA-users wrote: > Over the weekend our IPA Master failed and I can not get ipactl to > start, the Directory Service fails. We have two replicas and I was > under the impression that if one of the servers failed the others would > pickup the load, that is not happening

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-15 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann wrote: > On 08/14/2017 09:51 PM, Rob Crittenden wrote: >> Julian Gethmann wrote: >>> On 08/14/2017 05:46 PM, Rob Crittenden wrote: Julian Gethmann wrote: > Hello, > > On 08/14/2017 04:21 PM, Rob Crittenden wrote: >> Julian Gethmann via FreeIPA-users wrote:

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-09 Thread Rob Crittenden via FreeIPA-users
Michael Gusek wrote: > Hello Rob, > > I can understand why CA won't start with expired certs. Actually my > system date is a day before expiring (expiring date is 30 Jul 2017, > system date now 29 Jul 2017), but CA won't start. How to "ensure that > the CA comes up"? Ok, well the logs I

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Christian Glombek via FreeIPA-users wrote: > I can only second that. Official FreeIPA plugins for Postfix and Dovecot > would be immensely helpful. > > Someone made a plugin that adds mailAlternateAdress to the scheme and ui, > which is somewhat related to this issue: >

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > You may recall earlier when I said that we wound up pulling an expired cert > on one of our staging IPA replicas after updating the xmlrpc_server variable > to point to a different host. It's not clear to us how best to fix that cert >

[Freeipa-users] Re: password reset privileges

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten wrote: > Hello, > > Sorry for the late reply. This is the latest FreeIPA version in CentOS > 7.3 (4.4.0-14). > > Indeed the helpdesk role should be sufficient. I tried with the User > Administrator role as well, but that made no difference. Since it's > working for you, it's

[Freeipa-users] Re: Freeipa + Godaddy certificate

2017-08-11 Thread Rob Crittenden via FreeIPA-users
Adrian HY via FreeIPA-users wrote: > Hi, I need to incorporate a godaddy certificate in freeipa. > > I have three files: 4dfc653ab0cf823d.crt, gd_bundle-g2-g1.crt and mykey.key. > > When I run the command * ipa-cacert-manage -n "Godaddy" -t CT,C,C > install cert.pem* the output is > >

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann wrote: > Hello, > > On 08/14/2017 04:21 PM, Rob Crittenden wrote: >> Julian Gethmann via FreeIPA-users wrote: >>> Hello, >>> >>> Unfortunately I don't know when this problem occurred first, but it may >>> have occurred after an update. >>> The httpd does not start and aborts with

[Freeipa-users] Re: Can Load balanced HTTP service use kerberos authentication?

2017-08-14 Thread Rob Crittenden via FreeIPA-users
William Muriithi via FreeIPA-users wrote: > Hi Wouter, > > On 11 August 2017 at 15:14, wrote: >> I've used shared keytabs before to create a loadbalanced squid instance. >> This way you don't even need to use sticky balancing since all nodes that >> have the key

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Rob Crittenden via FreeIPA-users
Julian Gethmann via FreeIPA-users wrote: > Hello, > > Unfortunately I don't know when this problem occurred first, but it may > have occurred after an update. > The httpd does not start and aborts with the error > > [:info] [pid 15383] Using nickname Server-Cert. > [...] [:error] [pid 15383]

[Freeipa-users] Re: Can't create new CA replica

2017-07-06 Thread Rob Crittenden via FreeIPA-users
john.bowman--- via FreeIPA-users wrote: > Since taking over our FreeIPA environment I've been unable to create a new CA > replica. A bunch of failed attempts and upgrades over the last year and I > keep running in to issues. After my latest attempt I noticed something that > I had not seen

[Freeipa-users] Re: different failed auth times?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Kat via FreeIPA-users wrote: > Hi, > > If I have a simple pair of FreeIPA servers and one is showing different > failed auth times for a user -- is this a good indication they are out > of sync? Should I not see same failures on both? The lockout attributes are per-server (not replicated). rob

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-20 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > > > On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote: >> lejeczek via FreeIPA-users wrote: >>> hello fellas >>> >>> those certs I see with: >>> $ ipa cert-find >>> is it possible to get pri

[Freeipa-users] Re: FreeIPA and Foreman

2017-07-25 Thread Rob Crittenden via FreeIPA-users
Andrew Meyer via FreeIPA-users wrote: > So I just installed foreman on my puppet and ansible instance and got it > working. After I installed it and got it working. I joined the server > to the my FreeIPA domain. > > I now get the following error whenever I try to restart apache. > > By the

[Freeipa-users] Re: ipa-server-4.4.0-14.el7.centos.7.x86_64 - 389 dirsrv will not start

2017-07-19 Thread Rob Crittenden via FreeIPA-users
email--- via FreeIPA-users wrote: > Hey Guys, > > Was having some strange issues and found one of the dirsrv services > crashed, I can't say this is the only time this has happened but usually > it starts manually or on reboot. > > Any ideas on this one? Let me know if you need more info. > >

[Freeipa-users] Re: Question regarding filtering of users seen by managing users

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Thomas Handler via FreeIPA-users wrote: > Dear all, > > I have installed FreeIPA and try to learn about the concepts. > > I’ve been looking around, reading documents that I found and searched > but did not find any useful hints how to configure FreeIPA to solve my > problem I describe below. >

[Freeipa-users] Re: Replica from RHEL6 7 fails to create CA with clone URI mismatch

2017-07-19 Thread Rob Crittenden via FreeIPA-users
David Hendén via FreeIPA-users wrote: > Hi all, > > I'm trying to set up a replica from RHEL6.9 FreeIPA 3.0.0 to RHEL7.3 RHEL > 4.4.0. > > What I'm trying to achieve is an isolated FreeIPA 4.4 server that we could > replace the original FreeIPA 3.0 infrastructure with. The way I'm doing this

[Freeipa-users] Re: Update signing certificate

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Jatin Nansi via FreeIPA-users wrote: > You can not use ipa-getcert to request / issue certificates from an > external CA. Issuing certificates now needs to be managed by the > external CA's tools. You should also disable the old CA from starting up > on IPA server. I guess it depends what the

[Freeipa-users] Re: can't upgrade IPA because of certificate alias problem

2017-07-19 Thread Rob Crittenden via FreeIPA-users
Fraser Tweedale via FreeIPA-users wrote: > On Thu, Jul 13, 2017 at 03:02:02PM +, Charles Hedrick via FreeIPA-users > wrote: >> I’ve installed ipa. Originally I did the default install, without DNS. >> >> I then updated to a commercial cert. Notes at the end. >> >> I just did a yum update.

[Freeipa-users] Re: keys for cert - how to get those?

2017-07-19 Thread Rob Crittenden via FreeIPA-users
lejeczek via FreeIPA-users wrote: > hello fellas > > those certs I see with: > $ ipa cert-find > is it possible to get private key(s) for a given cert? With means of > (any)command line? Not from the CA, no. The CA doesn't store the private keys for the certificates it issues and never sees

[Freeipa-users] Re: Preserved IPA users got deleted from AD

2017-07-20 Thread Rob Crittenden via FreeIPA-users
Rob Brown wrote: > yeah, I did find the users in AD under: > CN=Deleted Objects,DC=foo,DC=domain,DC=com > and, the users actually have the attribute: > isDeleted = TRUE > so, looks like they were actually deleted (from AD perspective). > It seems like the delete sync is two-way (surprising, since

[Freeipa-users] Re: trying to retrieve CA cert via LDAP .... stuck

2017-07-03 Thread Rob Crittenden via FreeIPA-users
Pieter Baele via FreeIPA-users wrote: > Hi, > > I've a weird problem with 2 hosts on ipa-client-install registration. > All my servers are using a 99% alike kickstart profile. > > 8 hosts did their registration almost immediately (after submit of admin) > > But on 2 servers I am stuck with: >

[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-06 Thread Rob Crittenden via FreeIPA-users
wenxing zheng wrote: > Thanks to Rob. > > We finally got the root cause, it's a bug in the application. Our LDAP > URL or DN is too long which triggered a bug in the JDK Properties. Java > Properties doesn't allow the value to be longer than 47, and if the > length is longer than 47, it will

[Freeipa-users] Re: Syncronization on servers

2017-06-27 Thread Rob Crittenden via FreeIPA-users
Ataliba Teixeira via FreeIPA-users wrote: > Hello, > > reading some docs about the sync of my two servers : > > # ipa-replica-manage list > server1.domain: master > server2.domain: master > > > # ipa-replica-manage list-ruv > Directory Manager password: > > Replica Update Vectors: >

[Freeipa-users] Re: Failed to retrieve entry 32

2017-07-05 Thread Rob Crittenden via FreeIPA-users
wenxing zheng via FreeIPA-users wrote: > Dear all, > > I met with an issue when doing the LDAP authentication on the Kylin. My > FreeIPA works with Ranger very well, but on Kylin, when binding the DN > with the admin, it failed to connect to the LDAP server: > > [05/Jul/2017:11:16:32 +0800]

[Freeipa-users] Re: password reset privileges

2017-08-04 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten via FreeIPA-users wrote: > As I mentioned in my first mail, that doesn't work. For testing, I > created a new role that contains the following privileges: > > Group Administrators > Modify Group membership > Modify Users and Reset passwords > User Administrators > > Unfortunately,

[Freeipa-users] Re: Deleting revoked certs from CA master

2017-08-04 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: > So now that we have a nicely replicating domain and ca, I'd like to rid > myself of these revoked certificates which I tried as a way to fix the > replication and setting up of a CA. Is there a way to delete these > certs out of the store? > > You'd have

[Freeipa-users] Re: Password History

2017-07-28 Thread Rob Crittenden via FreeIPA-users
John Trump via FreeIPA-users wrote: > I am using FreeIPA 4.4 and have implemented a password policy where > password history is set to 24. If a password admin or the user "admin" > resets a users password, the user is forced to change their password > upon logging in. At this point, the user is

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread Rob Crittenden via FreeIPA-users
None via FreeIPA-users wrote: > Further update: I'm pretty sure I found out the problem. > > Basically, my old server is running pyasn1==0.2.3 and the new one has > pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change > to __init__ and a few other functions in 0.3.1, so I

[Freeipa-users] Re: Creating certificate for master domain

2017-08-02 Thread Rob Crittenden via FreeIPA-users
Rafał Wądołowski via FreeIPA-users wrote: > Hi, > > I have freeipa 4.4 cluster with CN intra.example.com. > > We developed intranet on this same domain, but I can't create a valid > certificate for it. > > I can't create service, because hostname is required. Is it other way to > sign the CSR?

[Freeipa-users] Re: Failed Upgrade?

2017-08-01 Thread Rob Crittenden via FreeIPA-users
Ian Harding wrote: > On 08/01/2017 07:39 AM, Florence Blanc-Renaud wrote: >> On 08/01/2017 03:11 PM, Ian Harding wrote: >>> On 08/01/2017 01:48 AM, Florence Blanc-Renaud wrote: On 08/01/2017 01:32 AM, Ian Harding via FreeIPA-users wrote: > > > On 07/31/2017 11:34 AM, Rob

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hey Rob, > > It's the NSSDB cert. Here's some console output that might be helpful. > > PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358 > Request ID '20150827000358': > status: MONITORING > ca-error: Server at >

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Thanks, Rob. > > Unfortunately my test in staging resulted in an expired dogtag cert. The > staging environment didn't have any certificates that were due to expire soon > so I updated the xmlrpc_server variable on one of the four IPA hosts we have >

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Michael Gusek via FreeIPA-users wrote: > Hi Fraser, > > at the moment, I can't provide this logfile, I've moved that back to > have only new log lines. But a new logfile is not created ??? In my > old logfile I have some lines after switch to basic auth, but before > setting time to past: >

[Freeipa-users] Re: Creating certificate for master domain

2017-08-08 Thread Rob Crittenden via FreeIPA-users
Wildcard_certificates > BR, > Rafał > > On 03/08/17 16:03, Rob Crittenden via FreeIPA-users wrote: >> Rafał Wądołowski wrote: >>> Okey, but how can I create certificate for domain intra.example.com? >>> >>> I can't create host, because the hostname is required

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-07 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote: > Hi all, > > We run IPA 3.0.0 and have a cert on the CA master expiring in about 10 days. > The problem is that we mistakenly provisioned the last cert using an old > hostname which means that automatically renewing the cert fails, and the IPA > cert

[Freeipa-users] Re: ipa-getcert and java certstore/keytool

2017-08-07 Thread Rob Crittenden via FreeIPA-users
Jochen Hein wrote: > Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> > writes: > >> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> >> writes: >> >>> So theoretically certmonger could for example, track

[Freeipa-users] Re: Group membership expiration

2017-07-27 Thread Rob Crittenden via FreeIPA-users
Prashant Bapat via FreeIPA-users wrote: > Hi FreeIPA Users, > > Is there a way to make the group membership have an optional expiration > date? This expiration date can be set by the admin. No, there is no way to do this in IPA. > Any pointers to how this can be implemented would be very

[Freeipa-users] Re: NFS problems after OS updates - can't access directories

2017-08-22 Thread Rob Crittenden via FreeIPA-users
Detlev Habicht via FreeIPA-users wrote: > Ok, > > I will reduce my questions to one point: > > I was using tcpdump on NFS server side. > > When I am trying to go to a directory I can see that the client connects to > the server. > But the server doesn’t answer. Not any packet … > > So the server

[Freeipa-users] Re: Expired certificates

2017-06-20 Thread Rob Crittenden via FreeIPA-users
Ian Pilcher via FreeIPA-users wrote: > After rebooting my CentOS 7 IdM server, pki-tomcatd is failing to start. > > I see this (repeated many times) in the journal: > > WARNING: Exception processing realm > com.netscape.cms.tomcat.ProxyRealm@383171f8 background process >

[Freeipa-users] Re: [Freeipa-users]admin account locked due to external ssh authentication attempts

2017-06-19 Thread Rob Crittenden via FreeIPA-users
Jason B. Nance via FreeIPA-users wrote: > Hi Peter, > >> What is the best way to prevent >> the evil bots of the Internet from locking out my admin account? > > One simple solution would be to grant another user admin privileges instead > of using the built-in "admin" account. Yes, any member

[Freeipa-users] Re: Users not imported with Active Directory Synchronization

2017-06-21 Thread Rob Crittenden via FreeIPA-users
laurent2.perrin--- via FreeIPA-users wrote: > Hi, > > > > I'm trying to setup a FreeIPA and Active Directory synchronisation > following Red Hat >

[Freeipa-users] Re: LDAP + Nextcloud -> retrieve Mailfield

2017-06-22 Thread Rob Crittenden via FreeIPA-users
Jens Laufer via FreeIPA-users wrote: > Hello, > > I am very happy that I got nextcloud connected to freeipa over ldap. It > seems to work nearly perfectly now, the only thing I can't get to work is to > pull the mail from freeipa and add it to nextcloud. > > I tried to use the field mail but that

[Freeipa-users] Re: Rebuilding IPA environment

2017-06-20 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > What would be the best method to stand up a new IPA environment while > keeping as much of the existing data as possible? > > I've read that the ipa migrate-ds only migrates the users and groups and > the recommended suggestion is to set up a replica. I'd

[Freeipa-users] Re: Certificate renewals with external CA

2017-06-19 Thread Rob Crittenden via FreeIPA-users
Rob Foehl wrote: > On Thu, 15 Jun 2017, Rob Crittenden wrote: > >> Rob Foehl wrote: >>> Can I at least get a yes or no on whether external CA certificate >>> renewal has ever been tested when that certificate is nearing >>> expiration? >> >> Yes. I tested this with IPA v3.0. Did it break in

[Freeipa-users] Re: Insufficient 'delete' privilege

2017-06-23 Thread Rob Crittenden via FreeIPA-users
Sieferlinger, Andreas via FreeIPA-users wrote: > Hi all, > > > > after an upgrade from 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some > trouble in changing replication agreements. > > > > #ipa-replica-manage del auth4.example.com > > 'auth9.example.com' has no replication agreement for

[Freeipa-users] Re: Certificate renewals with external CA

2017-05-26 Thread Rob Crittenden via FreeIPA-users
Rob Foehl via FreeIPA-users wrote: > On Fri, 26 May 2017, Fraser Tweedale wrote: > >> What is the validity of the leaf certificates? Is the notAfter time >> of the leaf certificate pegged to the notAfter time of the CA >> certificate? If so, this is (IMO) a bug. > > The leaf certs' expiration

[Freeipa-users] Re: cannot connect ...Encountered end of file.

2017-05-31 Thread Rob Crittenden via FreeIPA-users
Vinny Del Signore via FreeIPA-users wrote: > Hello all, > > Has anyone seen this issue? We've tried to generate a new CA and SSL Cert. > > *IPA v.3.0.0-50 * > > # *rpm -qa | grep ipa-server* > ipa-server-selinux-3.0.0-50.el6.1.x86_64 > ipa-server-3.0.0-50.el6.1.x86_64 > > root ldap-srv

[Freeipa-users] Re: Unable to communicate with CMS

2017-06-07 Thread Rob Crittenden via FreeIPA-users
John Bowman via FreeIPA-users wrote: > I'm hoping this is a firewall issue but I figured I would check just in > case I'm looking in the wrong direction. > > I setup a pair non-CA replicas today and as far as I could tell > everything seemed to be okay but I noticed that when searching via the >

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > Sorry for accidentally dropping freeipa-users. > > I was impatient so went back in time before your answer, but I did choose > a good date > > Before this, I had the following two entries with an expired date: > > Request ID '20150316184508': >

[Freeipa-users] Re: keytab usage?

2017-06-06 Thread Rob Crittenden via FreeIPA-users
Simo Sorce via FreeIPA-users wrote: > On Mon, 2017-06-05 at 09:59 -0500, Kat via FreeIPA-users wrote: >> Never mind -- if I use ipa-getkeytab, it works perfectly. >> >> What is the difference between what getkeytab and ktutil by hand >> does? >> Is it documented? > > In FreeIPA we generate a

[Freeipa-users] Re: certificate has expired?

2017-06-07 Thread Rob Crittenden via FreeIPA-users
Roberto Cornacchia via FreeIPA-users wrote: > OK, I did so and httpd restarts. > > $ openssl s_client -connect 127.0.0.1:443 -showcerts > CONNECTED(0003) > depth=1 O = HQ.SPINQUE.COM , CN = Certificate > Authority > verify return:1 > depth=0 O =

[Freeipa-users] Re: ipa 4.4.0-14 not honoring "ipa-client-install --force-join" command?

2017-06-13 Thread Rob Crittenden via FreeIPA-users
Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > Fixing a topology and replication issue caused my IDM infrastructure to > forget about roughly 30 enrolled client hosts. > > Though this would be trivial to fix via an ansible playbook that runs > the IPA client install command again with

[Freeipa-users] Re: Certificate renewals with external CA

2017-06-15 Thread Rob Crittenden via FreeIPA-users
Rob Foehl wrote: > On Fri, 9 Jun 2017, I wrote: > >> In short, that didn't go particularly well at all, which in some ways >> brings me back to the original as-yet-unanswered deployment question: >> >> Is trying to do this with an external CA worth the pain? > > Three attempts at this question,

[Freeipa-users] Re: Enroll CentOS 5 on FreeIPA 4.3

2017-06-09 Thread Rob Crittenden via FreeIPA-users
Jose and I exchanged some files privately and I think I've narrowed down the enrollment problem to failing to get a keytab due to the error: Failed to retrieve encryption type DES cbc mode with CRC-32 (#1) This is because newer IPA servers don't support DES. I don't recall the workaround for

[Freeipa-users] Re: replication problem

2017-06-13 Thread Rob Crittenden via FreeIPA-users
Eric Renfro via FreeIPA-users wrote: > Hmmm.. > > Well, in my case specifically, the failed ipa-replica-install does in > fact have the nsslapd-rootpw entry, however, changing this in a recovery > process does no good during an ipa-replica-install. I think this is a red herring. The client

[Freeipa-users] Re: Request to Contribute a How/To Page

2017-05-25 Thread Rob Crittenden via FreeIPA-users
Jason Sherrill via FreeIPA-users wrote: > Opened in incognito, same error: "An error occurred: an invalid token > was found." It's hard to say, it works for me though. I'll ping the FAS maintainer and see what I can find out. rob > > On Thu, May 25, 2017 at 12:12 PM, Martin Bašti

[Freeipa-users] Re: Query about the configuration on the High Availability of the FreeIPA

2017-06-05 Thread Rob Crittenden via FreeIPA-users
Standa Laznicka via FreeIPA-users wrote: > Hello, > > When you specify --help to a script, you usually get a brief description > of its options. Try `man ipa-client-install` instead ;) For HA you really don't want to use the --server option but to instead rely on DNS discovery via SRV records.

[Freeipa-users] Re: IPA Server down after system update

2017-09-15 Thread Rob Crittenden via FreeIPA-users
Gady Notrica via FreeIPA-users wrote: > Hello, > > Please HELP > > After upgrading my server, IPA is not running any more. Here is the error I > am getting and I can't seem to find any solution on the web. > > All services are stopped except the directory service > > # ipactl status >

[Freeipa-users] Re: Problem with ipa restore

2017-09-15 Thread Rob Crittenden via FreeIPA-users
xattab--- via FreeIPA-users wrote: > > Hi. I have tried to restore freeipa. But every time I get an error ERROR > > Command ''tar' '--xattrs' '--selinux' '-xzf' > '/var/lib/ipa/backup/ipa-full-2017-09-14-12-23-44/ipa-full.tar' '.'' > returned non-zero exit status 2 > > My actions : > > 1. run

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Rob Crittenden via FreeIPA-users
Louis Abel via FreeIPA-users wrote: > I should probably mention that IPA users have started working. But not my AD > users. > > [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q > Password: > Last login: Thu Sep 14 07:57:55 2017 from rhn2.example.com > Could not chdir to home

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-15 Thread Rob Crittenden via FreeIPA-users
09/15/17 11:54, Rob Crittenden via FreeIPA-users wrote: >> John R. Shannon via FreeIPA-users wrote: >>> Attached in gzip'd form >> >> We need /var/log/ipaclient-install.log >> >> rob >> >>> >>> On 09/15/17 11:39, Rob Crittenden via Fr

[Freeipa-users] Re: IPA replica appears in LDAP conflicts

2017-09-22 Thread Rob Crittenden via FreeIPA-users
Andrey Ptashnik via FreeIPA-users wrote: > Team, > > When I run LDAP search for conflicting records I see that one replica is > listed as a conflicting record. Do you know how that may have happened and > can I safely remove it? > > # ldapsearch -xLLL -D "cn=Directory Manager" -W -b

[Freeipa-users] Re: how I spent my day (hints on dealing with issues setting up a replica)

2017-10-06 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > In case anyone else has the same problem, let me document what I did today > with our IPA installation (Centos 7.3) Sorry to hear you had so many problems. > > We started out by installing a primary with a default install, and doing >

[Freeipa-users] Re: Can't install ipa-server-4.5.0 on RHEL 7.4: Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 768.

2017-10-04 Thread Rob Crittenden via FreeIPA-users
Markovich via FreeIPA-users wrote: > Hello freeipa-users! > > I'm trying to install ipa-server-4.5.0-21.0.1.el7_4.1.2.x86_64 on Red Hat > Enterprise Linux Server release 7.4 (Maipo) but getting error: > > [Setup] Info Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: > 768.

[Freeipa-users] Re: Freeipa and Datadog

2017-10-09 Thread Rob Crittenden via FreeIPA-users
Gabriel Stein via FreeIPA-users wrote: hey hey... I already registered for copyrights :P It's already a thing, https://www.datadoghq.com/ rob Thank you! Gabriel Stein -- Gabriel Ferraz Stein Tel.: +49 (0) 170 2881531 2017-10-09 15:25 GMT+02:00 Fraser

[Freeipa-users] Re: updating certificates

2017-10-10 Thread Rob Crittenden via FreeIPA-users
Josh wrote: Greetings to all, A follow up on https://www.redhat.com/archives/freeipa-users/2017-January/msg00051.html I missed the expiration date and now the ipa-certupdate command fails with SSL: CERTIFICATE_VERIFY_FAILED. Should I update the httpd certificate manually or is there a workaround to allow

[Freeipa-users] Re: FREEIPA TACPLUS

2017-10-13 Thread Rob Crittenden via FreeIPA-users
saidireddy ranabothu via FreeIPA-users wrote: Hi, Please can anyone help me to integrate TACPLUS with FREEIPA for authentication and authorisation. I don't know that anyone has provided instructions for configuring this but you can get information on configuring other services which might

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: I'm pretty sure y'all are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration. This should be easy to answer. I've got all the necessaries manually set up and I'm at the step to get the

[Freeipa-users] Re: several IPA CA certificate entries

2017-10-16 Thread Rob Crittenden via FreeIPA-users
0 AM *To:* FreeIPA users list *Cc:* Bhavin Vaidya; Rob Crittenden *Subject:* Re: [Freeipa-users] Re: several IPA CA certificate entries On 10/12/2017 03:29 AM, Rob Crittenden via FreeIPA-users wrote: Bhavin Vaidya via FreeIPA-users wrote: Hello, I'm having various problem on our FreeIPA setup,

[Freeipa-users] Re: ansible-freeipa

2017-10-05 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: > I'm fine with that. Just that IPA's implementation is very much > end-user specific. I really doubt you could abstract the playbook > enough to make it viable for even a majority of users. Can you expand on why? Is it that no playbook could be viable for

[Freeipa-users] Re: Manual client configuration

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Mark Haney wrote: On 10/13/2017 09:48 AM, Mark Haney wrote: I tried changing HOST/ to host/ and got this: Certificate at same location is already used by request with nickname "20171013123749" Seems it doesn't matter on this setup. Oh, probably should mention this is a CentOS 6.9 box. In case

[Freeipa-users] Re: Broken WebUI

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden via FreeIPA-users wrote: Kristian Petersen via FreeIPA-users wrote: Very possibly a bug if others are experiencing this as well. I am running IPA v4.5.0 on RHEL 7.4 are you running in a similar environment? You might be able to figure out what is going on using something like

[Freeipa-users] Re: Broken WebUI

2017-10-13 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden wrote: Rob Crittenden via FreeIPA-users wrote: Kristian Petersen via FreeIPA-users wrote: Very possibly a bug if others are experiencing this as well. I am running IPA v4.5.0 on RHEL 7.4 are you running in a similar environment? You might be able to figure out what is going

[Freeipa-users] Re: IPA curl timeout on slow link

2017-10-12 Thread Rob Crittenden via FreeIPA-users
Mark Haney via FreeIPA-users wrote: I appreciate all the ideas on how to fix the SSL cert issue on updating to 4.5.0, I'll work on that next week I hope. This one should be much quicker (hopefully). My boss has insisted that I get ipa-clients working on a half-dozen or so servers located in

[Freeipa-users] Re: Broken WebUI

2017-10-12 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: Very possibly a bug if others are experiencing this as well. I am running IPA v4.5.0 on RHEL 7.4 are you running in a similar environment? You might be able to figure out what is going on using something like the Firefox dev console. In it you could

[Freeipa-users] Re: IPA curl timeout on slow link

2017-10-12 Thread Rob Crittenden via FreeIPA-users
Mark Haney wrote: On 10/12/2017 01:32 PM, Rob Crittenden wrote: Mark Haney via FreeIPA-users wrote: That's a tough one. ipa-client-install makes many (a dozen?) connections while it does its thing. You might try pre-generate the host entry and keytab, ship it to the machine, then use the

[Freeipa-users] Re: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i

2017-08-29 Thread Rob Crittenden via FreeIPA-users
on. rob > > Detlev > > > > -- > Detlev | Institut fuer Mikroelektronische Systeme > Habicht | D-30167 Hannover +49 511 > 76219662 habi...@ims.uni-hannover.de <mailto:habi...@ims.uni-hannover.de> > + Handy+49 172 5415752 ------- >

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-11 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote: > Hi All, > > Somewhere after an update (I guess) I have issues; > pki-tomcatd@pki-tomcat.service will not start since it cannot login to > LDAP. It seems I have some certificate issues: > > getcert list shows: > > Request ID '20170129002017': >

[Freeipa-users] Re: Changing CA certificate subject name post-install

2017-09-11 Thread Rob Crittenden via FreeIPA-users
Rob Foehl via FreeIPA-users wrote: > Noting that it's now possible to modify the CA certificate subject name > at install time in 4.5 and 4.6, is there any provision for doing so > after an upgrade to one of those releases with a cert that originated in > a 4.4 instance? Possibly involving

[Freeipa-users] Re: Restoring DNS Grants

2017-09-11 Thread Rob Crittenden via FreeIPA-users
None via FreeIPA-users wrote: > Hello, > > I have two questions: > > 1. How can the default DNS grants be restored, or fixed, without >knowing what they were? > 2. Where can I get information about grants? I can't seem to find where >they're documented. > > I was trying to get DDNS

[Freeipa-users] Re: Raising domain to level 1 from level 0

2017-09-07 Thread Rob Crittenden via FreeIPA-users
Kristian Petersen via FreeIPA-users wrote: > I am trying to set the domain level for my IPA servers to level 1 from > level 0. When I attempt to run: > > ipa domainlevel-set 1 > > I get the following error: > > ipa: ERROR: Domain Level cannot be raised to 1, existing replication > conflicts

[Freeipa-users] Re: Request failed with status 500: Non-2xx response from CA REST API: 500. - pki-tomcatd fails to start

2017-09-12 Thread Rob Crittenden via FreeIPA-users
netscape.ldap.LDAPException: Authentication failed (49) >>>>> at >>>>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) >>>>> at >>>>> com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:

[Freeipa-users] Re: Changing case of user attributes fails

2017-09-06 Thread Rob Crittenden via FreeIPA-users
Anthony Clark via FreeIPA-users wrote: > It may possibly be related to this, but this is marked as fixed for 4.3: > https://pagure.io/freeipa/issue/5456 That is the case of an attribute not a value. > I'm on 4.4.0-14.el7.centos.7 > > A user had their lastname entry added with the wrong case. I

[Freeipa-users] Re: How to implement sudo for "ALL, !something"

2017-09-25 Thread Rob Crittenden via FreeIPA-users
Ranbir via FreeIPA-users wrote: > On Sun, 2017-09-24 at 02:28 -0400, Ranbir via FreeIPA-users wrote: >> I'm now thoroughly confused! Can anyone lend a hand? > > I think I managed to achieve what I wanted by specifying a "sudo > order". Now I can give the user the ability to run every command as >

[Freeipa-users] Re: [+] Re: ipa-server-install fails on fresh install

2017-09-25 Thread Rob Crittenden via FreeIPA-users
ate)] rob > > On 09/15/17 13:17, John R. Shannon wrote: >> Attached >> >> On 09/15/17 12:58, Alexander Bokovoy wrote: >>> On pe, 15 syys 2017, Rob Crittenden via FreeIPA-users wrote: >>>> John R. Shannon via FreeIPA-users wrote: >>>>>

[Freeipa-users] Re: Web UI errors after update to ipa-server 4.5/centos 7.4

2017-09-25 Thread Rob Crittenden via FreeIPA-users
Mark Esman via FreeIPA-users wrote: > After upgrading two freeipa servers (replicas of each other) from > ipa-server-4.4.0-14.el7.centos.7.x86_64 to > ipa-server-4.5.0-21.el7.centos.1.2.x86_64 during the recent > Centos 7.3 to 7.4 update, one of the servers is having Web UI errors. > > ipactl

[Freeipa-users] Re: ipactl status Failed to get list of services to probe status! Configured hostname 'replica.company.domain' does not match any master server in LDAP: No master found because of erro

2017-09-26 Thread Rob Crittenden via FreeIPA-users
pgb 205 via FreeIPA-users wrote: > any idea as to why I'm getting these errors? Because the configured hostname doesn't match any configured known master? ipactl looks in cn=masters,cn=ipa,cn=etc,$SUFFIX for the list of known masters. It uses that to determine what services are configured for a
