Re: [Freeipa-users] reboot required after ipa-client-install?

On Thu, Nov 07, 2013 at 09:44:21AM +0200, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this

Re: [Freeipa-users] External CA

On 11/07/2013 08:34 AM, William Leese wrote: [root@vagrant-centos-6 CA]# cat /root/server.pem Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: sha1WithRSAEncryption

Re: [Freeipa-users] Installation issues with sub-ca.

-12195 is SSL_ERROR_UNKNOWN_CA_ALERT in NSS. I wonder if the root chain you gave to the IPA installer was complete. rob I work with PEM file format, in the sub-ca certificate there aren't chains (but isn't a problem if i use a self-generated CA). (Moreover, the script has all the chain, the

Re: [Freeipa-users] question about generating certificates

Arthur Faizullin wrote: I have found what that means. It is again something with access rights. Rob Crittenden rcrit...@redhat.com says that it is better to generate certificates at: /etc/pki/tls/private/postgresql.key /etc/pki/tls/certs/postgresql.crt and if these files owner is postgres then

Re: [Freeipa-users] reboot required after ipa-client-install?

I do not know, may be I am wrong somewhere, but I did not make any extra things with config files, just run ipa-client-install and everything seemed works fine. that worked for f17, f18, f19 with ipa-server on CentOS 6.36.4. Jakub Hrozek wrote: On Thu, Nov 07, 2013 at 09:44:21AM +0200,

Re: [Freeipa-users] Installation issues with sub-ca.

Andrea Bontempi wrote: -12195 is SSL_ERROR_UNKNOWN_CA_ALERT in NSS. I wonder if the root chain you gave to the IPA installer was complete. rob I work with PEM file format, in the sub-ca certificate there aren't chains (but isn't a problem if i use a self-generated CA). (Moreover, the

Re: [Freeipa-users] reboot required after ipa-client-install?

On Thu, Nov 07, 2013 at 08:47:35PM +0600, Arthur wrote: I do not know, may be I am wrong somewhere, but I did not make any extra things with config files, just run ipa-client-install and everything seemed works fine. ipa-client-install modifies /etc/nsswitch.conf and adds sss to the list of

Re: [Freeipa-users] reboot required after ipa-client-install?

On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome. Is this correct? Is

Re: [Freeipa-users] reboot required after ipa-client-install?

On 11/07/2013 12:21 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with

Re: [Freeipa-users] reboot required after ipa-client-install?

On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote: On 11/07/2013 12:21 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to

[Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

Hi, I have just done a fresh server install of ipa on a Scientific Linux 6.4 machine, and I am finding the command line utilities are failing with: # ipa ping ipa: ERROR: non-public: AttributeError: KerbTransport instance has no attribute '_conn' Traceback (most recent call last): File

Re: [Freeipa-users] reboot required after ipa-client-install?

On 11/07/2013 12:59 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote: On 11/07/2013 12:21 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: On Wed, 06 Nov 2013, Dean Hunter wrote: After building a new VM and configuring the IPA 3.3.2

Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

On 11/07/2013 01:49 PM, Jonathan Underwood wrote: Hi, I have just done a fresh server install of ipa on a Scientific Linux 6.4 machine, and I am finding the command line utilities are failing with: # ipa ping ipa: ERROR: non-public: AttributeError: KerbTransport instance has no attribute

Re: [Freeipa-users] ipa cli AttributeError: KerbTransport instance has no attribute '_conn'

Jonathan Underwood wrote: Hi, I have just done a fresh server install of ipa on a Scientific Linux 6.4 machine, and I am finding the command line utilities are failing with: # ipa ping ipa: ERROR: non-public: AttributeError: KerbTransport instance has no attribute '_conn' Traceback (most

Re: [Freeipa-users] reboot required after ipa-client-install?

On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote: On 11/07/2013 12:59 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote: On 11/07/2013 12:21 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: On Wed, 06

Re: [Freeipa-users] External CA

I was able to solve this by recreating my test CA. I believe the problem was with non-matching Organisation between the CSR and CA - but I dont have the knowledge to know if this is really required. Anyhow, things work, despite not having removed the -BEGIN CERTIFICATE- lines this time

Re: [Freeipa-users] reboot required after ipa-client-install?

On 11/07/2013 06:20 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote: On 11/07/2013 12:59 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote: On 11/07/2013 12:21 PM, Dean Hunter wrote: On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy