[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Hi, I am getting the following error while removing a host. --- Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) --- Apache log --- [Wed May 20 12:10:26 2015] [error]

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Ludwig Krispenz
On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running

[Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread opsource trail
Hello, we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment we are kind of confused about what type of trust we will need to deal with. In Red Hat documentation we get the information that: "... Trusts, then, are essentially unidirectional. Active Directory users can access Id

Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread Alexander Bokovoy
On Wed, 20 May 2015, opsource trail wrote: Hello, we plan to deploy IPA (Red Hat IdM) trust with AD domain but at the moment we are kind of confused about what type of trust we will need to deal with. In Red Hat documentation we get the information that: "... Trusts, then, are essentially unidire

Re: [Freeipa-users] IPA/AD domain trust - unidirectional or bidirectional?

2015-05-20 Thread opsource trail
Hi Alex, thanks for your prompt response. This more or less sums up our arguments, but definitely the AD protocol documentation might be helpful. Best regards, Jan 2015-05-20 11:39 GMT+02:00 Alexander Bokovoy : > On Wed, 20 May 2015, opsource trail wrote: > >> Hello, >> we plan to deploy IPA (Red H

[Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using mydomain.co.id then I have another 10 instance/servers using mydomain.com, I want to manage both of them on same IPA server. On instance with mydomain.com, I've setup and poi

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: > Hello! > > I've tried to setup my IPA server to work on multiple domain env, for > the example, I have 20 instance/servers using mydomain.co.id then I have > another 10 instance/servers using mydomain.com, I want to manage both of > them on sa

Re: [Freeipa-users] AD-trust and external DNS

2015-05-20 Thread Petr Spacek
Hello, please let me correct this: IPA cares only about correct DNS records. It does not matter if IPA manages the DNS server or if the server is an external entity - everything will work as long as all records are in place. IPA installers should give you standard zone file which can be added to ex

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Hello! On 05/20/2015 05:30 PM, Martin Kosek wrote: > On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: >> Hello! >> >> I've tried to setup my IPA server to work on multiple domain env, for >> the example, I have 20 instance/servers using mydomain.co.id then I have >> another 10 instance/servers

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote: > Hello! > > On 05/20/2015 05:30 PM, Martin Kosek wrote: >> On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: >>> Hello! >>> >>> I've tried to setup my IPA server to work on multiple domain env, for >>> the example, I have 20 instance/servers

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Thanks Martin, Better I leave the configuration as is :D So, If I want to add another domain, I just add and point them to master IPA Server, right? And add DNS Zone, A Rec, etc on IPA server by using `ipa dnsrecord-add`. Isn't it? On 05/20/2015 05:42 PM, Martin Kosek wrote: > On 05/20/2015 12:

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:56 PM, Dewangga Bachrul Alam wrote: > Thanks Martin, > > Better I leave the configuration as is :D > > So, If I want to add another domain, I just add and point them to master > IPA Server, right? Right, after FreeIPA 3.2 (https://fedorahosted.org/freeipa/ticket/3544), dnszone-a

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Petr Spacek
On 20.5.2015 12:56, Dewangga Bachrul Alam wrote: > Thanks Martin, > > Better I leave the configuration as is :D > > So, If I want to add another domain, I just add and point them to master > IPA Server, right? And add DNS Zone, A Rec, etc on IPA server by using > `ipa dnsrecord-add`. > > Isn't i

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Dewangga Bachrul Alam
Yes, of course. I will add NS record to parent zone if my IPA server is ready for production. :D Thanks for any comments and help. Cheers! :) On 05/20/2015 06:02 PM, Petr Spacek wrote: > On 20.5.2015 12:56, Dewangga Bachrul Alam wrote: >> Thanks Martin, >> >> Better I leave the configuration as

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi rob, On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden wrote: > Natxo Asenjo wrote: > >> On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo > > wrote: >> >> hi, >> >> If I retrieve the usercertificate attribute for host objects I get >> some gibberish. >>

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Rob Crittenden
Natxo Asenjo wrote: hi rob, On Mon, May 18, 2015 at 3:46 PM, Rob Crittenden wrote: Natxo Asenjo wrote: On Sat, May 16, 2015 at 10:24 PM, Natxo Asenjo

Re: [Freeipa-users] host usercertificate attribute

2015-05-20 Thread Natxo Asenjo
hi Rob, On Wed, May 20, 2015 at 2:08 PM, Rob Crittenden wrote: > Nat > You could try adding -inform DER cool, that works ;-) Thanks. -- Groeten, natxo
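Rob's `-inform DER` hint is the whole story behind the "gibberish": the usercertificate attribute stores the raw DER-encoded certificate, and ldapsearch prints binary values base64-encoded after a double colon (`::`), folded at 76 columns per RFC 2849. The block below is an added example, not code from this thread or from FreeIPA: it reads such an attribute out of an LDIF dump and walks the DER by hand, so you can see the structure `openssl x509 -inform DER` parses and catch a value that was cut off before you blame the certificate. The certificate bytes, the host name and the issuer CN are constructed for the demo; the blob is unsigned and incomplete, only the fields the parser reads are populated.

```python
import base64

# Added example, not FreeIPA code: pull usercertificate out of an LDIF dump and
# decode it as DER with a small TLV walker. The certificate below is constructed
# (unsigned, incomplete) just to exercise the parser; it is not a real cert.

OID_CN = bytes([0x55, 0x04, 0x03])                                              # 2.5.4.3 commonName
OID_SHA256_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])  # 1.2.840.113549.1.1.11

def der_len(n):
    """DER definite length: short form below 128, long form (0x80|nbytes, then bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def der_int(value):
    """DER INTEGER: minimal big-endian two's complement."""
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, value, end_offset)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    length = first
    if first >= 0x80:                                   # long form: (first & 0x7F) length bytes follow
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("DER length runs past the end of the data (truncated value?)")
    return tag, buf[off:off + length], off + length

def is_complete_der(buf):
    """True when buf is exactly one well-formed TLV: neither truncated nor followed by junk."""
    try:
        return read_tlv(buf, 0)[2] == len(buf)
    except (ValueError, IndexError):
        return False

def build_sample_cert(serial, issuer_cn):
    """Constructed X.509-shaped blob: version, serial, signature OID, issuer, zeroed signature."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, issuer_cn.encode()))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + issuer)
    signature = der(0x03, b"\x00" + bytes(128))         # BIT STRING, 0 unused bits, fake signature
    return der(0x30, tbs + alg + signature)

def cert_summary(cert_der):
    """Version, serialNumber and issuer CN from a DER certificate, no OpenSSL needed."""
    tag, cert, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    version = 0                                         # v1 when the [0] EXPLICIT tag is absent
    tag, val, off = read_tlv(tbs, 0)
    if tag == 0xA0:
        version = int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
        tag, val, off = read_tlv(tbs, off)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(val, "big", signed=True)
    _, _, off = read_tlv(tbs, off)                      # skip signature AlgorithmIdentifier
    _, issuer, _ = read_tlv(tbs, off)                   # Name ::= SEQUENCE OF SET OF SEQUENCE{OID, value}
    issuer_cn, pos = None, 0
    while pos < len(issuer):
        _, rdn, pos = read_tlv(issuer, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, o2 = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, o2)
        if oid == OID_CN:
            issuer_cn = value.decode("utf-8", "replace")
    return {"version": version + 1, "serial": serial, "issuer_cn": issuer_cn}

def ldif_fold(line, width=76):
    """Fold one LDIF line as RFC 2849 does: continuation lines start with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def ldif_attribute(ldif_text, attr):
    """Raw bytes of `attr` from an LDIF entry: unfolds continuation lines, ignores
    options such as ';binary', and base64-decodes '::' values (how DER shows up)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.lower().split(";")[0] == attr.lower():
            return base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
    return None

# Constructed stand-in for `ldapsearch -LLL ... usercertificate` output on a host entry.
SAMPLE_DER = build_sample_cert(0x1234, "IPA.EXAMPLE.TEST IPA CA")
SAMPLE_LDIF = "\n".join([
    "dn: fqdn=host1.ipa.example.test,cn=computers,cn=accounts,dc=ipa,dc=example,dc=test",
    "objectClass: ipahost",
    ldif_fold("usercertificate;binary:: " + base64.b64encode(SAMPLE_DER).decode()),
])
```

Against a real entry, save the ldapsearch output to a file and call `ldif_attribute(open(path).read(), "usercertificate")`: the bytes it returns are exactly what `openssl x509 -inform DER` expects, and `is_complete_der` on them tells you whether the value survived the copy intact. `cert_summary` deliberately stops after the issuer; extending it to validity, subject and SubjectPublicKeyInfo is the same TLV walk over the next three elements of tbsCertificate.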

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz
On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so much potential and yet. Servers running

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Janelle
On 5/20/15 12:54 AM, Ludwig Krispenz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Sina Owolabi wrote: Another key difference I noticed is that the problematic certs have CA:IPA in them, while the working certs have CA: dogtag-ipa-retrieve-agent-submit. Ok, the full output is really helpful. First an explanation of CA subsystem renewal. CA clones are just that, exact clones

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Sanju A wrote: Hi, I am getting the following error while removing a host. --- Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) --- This usually means that the CA is not serving reques

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Janelle
On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it is so

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sina Owolabi
Hi Rob This is the only CA master. The one I cloned it from was decommissioned, reinstalled and then made to be a replica of this server. Looks like I'm really stuck. How do I export the data out so I can reinstall from scratch, if possible? There are a lot of rules and configuration data I'd r

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Ludwig Krispenz
On 05/20/2015 03:25 PM, Janelle wrote: On 5/20/15 12:54 AM, Ludwig Krispenz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
<< This worked for me: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm "(|(uid=admin)(name=admin))" dn SASL/GSSAPI authentication started SASL username: ad...@example.com SASL SSF: 56 SASL data security layer installed. dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com Not

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread thierry bordaz
On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once again, replication/sync has been lost. I really wis

Re: [Freeipa-users] replication again :-(

2015-05-20 Thread Mark Reynolds
On 05/20/2015 10:17 AM, thierry bordaz wrote: On 05/20/2015 03:46 PM, Janelle wrote: On 5/20/15 6:01 AM, thierry bordaz wrote: On 05/20/2015 02:57 AM, Janelle wrote: On 5/19/15 12:04 AM, thierry bordaz wrote: On 05/19/2015 03:42 AM, Janelle wrote: On 5/18/15 6:23 PM, Janelle wrote: Once ag

[Freeipa-users] Running pki commands on fresh IPA server -- authentication

2015-05-20 Thread Jan Pazdziora
Hello, TL;DR: how should I authenticate for pki command line commands on stock IPA installation? Longer context: I am trying to set up a new IPA server (1) with --external-ca and I'd like to sign the CSR which gets generated on IPA 1 using CA at my other IPA server (2). The CSR as produced by IPA 1 is f

[Freeipa-users] Updates refused when trying to do dynamic DNS updates with TSIG

2015-05-20 Thread Brian Koontz
Running FreeIPA 4.1.4, Fedora 21. Trying to get dynamic DNS updates on clients to work following these instructions: http://www.freeipa.org/page/Howto/DNS_updates_and_zone_transfers_with_TSIG (Using GSS-TSIG isn't an option because I have no way of authenticating every time a client IP changes.)

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
<< If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest following procedure: 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71 2) Add the new permissions you want to add, make them a member of a (new) privilege. 3) Create a new r

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Rob Crittenden
Boyce, George Robert. (GSFC-762.0)[NICS] wrote: << If you want to add special ACIs using the new/updated permission API (ipa permission-add), I would suggest following procedure: 1) Add the new system account in cn=sysaccounts,cn=etc,dc=rhel71 2) Add the new permissions you want to add, make

Re: [Freeipa-users] Proper configuration of service accounts

2015-05-20 Thread Boyce, George Robert. (GSFC-762.0)[NICS]
I forgot to describe the system account that I created. I followed the procedure at https://www.freeipa.org/page/HowTo/LDAP#System_Accounts # LDAPsearch, sysaccounts, etc, ... dn: uid=LDAPsearch,cn=sysaccounts,cn=etc,dc=... objectClass: account objectClass: simplesecurityobject objectClass: top u

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Rob Crittenden
Sina Owolabi wrote: Hi Rob This is the only CA master. The one I cloned it from was decommissioned, reinstalled and then made to be a replica of this server. Looks like I'm really stuck. How do I export the data out so I can reinstall from scratch, if possible? There are a lot of rules and c

Re: [Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-05-20 Thread Sanju A
Dear Rob, Please find the result of getcert list. Request ID '20140430124456': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certifica

[Freeipa-users] ruv problem

2015-05-20 Thread Alexander Frolushkin
Hello again. Is it now clear how to deal with the problem of ipa-replica-manage list-ruv showing unable to decode: {replica 16} 548a81260010 548a81260010 ? I have this on all of my 17 servers, including a new replica created recently, and ipa-replica-manage clean-ruv 16 says unable to d
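As an added example that is not part of this thread, of ipa-replica-manage or of 389-ds, here is a small parser for the nsds50ruv values that `list-ruv` reads, useful when the tool itself refuses an element. It assumes the 389-ds RUV element format `{replica <rid> <ldap-url>} <minCSN> <maxCSN>` and the CSN layout of 20 hex digits (8 Unix timestamp, 4 sequence, 4 replica id, 4 sub-sequence). That an element without an `ldap://` URL is what the 2015-era ipa-replica-manage reports as "unable to decode" is my reading of the symptom, not something the thread states. The sample values, host names and replica ids are constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Added example, not FreeIPA or 389-ds code: parse nsds50ruv values, decode the
# CSNs, and flag elements that are typical clean-ruv candidates.
# Assumed CSN layout (20 hex digits): 8 Unix time, 4 sequence, 4 replica id, 4 sub-sequence.

RUV_RE = re.compile(
    r"^\{replica (?P<rid>\d+)(?: (?P<url>ldap://[^}]+))?\}"
    r"(?:\s+(?P<min>[0-9a-f]{20})\s+(?P<max>[0-9a-f]{20}))?\s*$"
)
CSN_RE = re.compile(r"^[0-9a-f]{20}$")

def parse_csn(csn):
    """Split a CSN into its fields; the timestamp becomes an aware UTC datetime."""
    if not CSN_RE.match(csn):
        raise ValueError(f"malformed CSN: {csn!r}")
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }

def parse_ruv(values):
    """Return (elements, problems). 'no-url' is the shape that, by assumption, the
    2015-era ipa-replica-manage regex rejects as 'unable to decode'."""
    elements, problems = [], []
    for raw in values:
        if raw.startswith("{replicageneration}"):
            continue
        m = RUV_RE.match(raw)
        if not m:
            problems.append(("unparseable", raw))
            continue
        el = {"rid": int(m["rid"]), "url": m["url"], "raw": raw,
              "min": parse_csn(m["min"]) if m["min"] else None,
              "max": parse_csn(m["max"]) if m["max"] else None}
        if el["url"] is None:
            problems.append(("no-url", raw))
        if el["max"] and el["max"]["rid"] != el["rid"]:
            problems.append(("rid-mismatch", raw))     # maxCSN was not generated by this replica
        elements.append(el)
    return elements, problems

def stale_elements(elements, now, max_age_days):
    """Replica ids whose newest CSN is older than max_age_days: nothing has been
    written through that replica for a long time (decommissioned server or dead
    agreement), so look at it before running clean-ruv."""
    cutoff = now.timestamp() - max_age_days * 86400
    return [el["rid"] for el in elements
            if el["max"] is None or el["max"]["time"].timestamp() < cutoff]

def cleanup_candidates(elements, live_hosts):
    """Replica ids not backed by a host you still run (or carrying no URL at all)."""
    live = {h.lower() for h in live_hosts}
    out = []
    for el in elements:
        host = urlsplit(el["url"]).hostname if el["url"] else None
        if host is None or host.lower() not in live:
            out.append(el["rid"])
    return out

# Constructed sample: one healthy element and one dangling element with no URL.
SAMPLE_RUV = [
    "{replicageneration} 5486f3d9000000010000",
    "{replica 4 ldap://ipa1.example.test:389} 5486f3da000000040000 555cb62e000100040000",
    "{replica 16} 548a8126000000100000 548a8126000000100000",
]
SAMPLE_NOW = datetime(2015, 5, 21, tzinfo=timezone.utc)   # constructed "today" for the stale check

if __name__ == "__main__":
    elements, problems = parse_ruv(SAMPLE_RUV)
    for el in elements:
        last = el["max"]["time"].isoformat() if el["max"] else "n/a"
        print(f"replica {el['rid']:>3} url={el['url']} last change={last}")
    print("problems:", problems)
    print("stale (>30d):", stale_elements(elements, SAMPLE_NOW, 30))
    print("not backed by a live host:", cleanup_candidates(elements, ["ipa1.example.test"]))
```

Feed it the raw nsds50ruv values from `ldapsearch -b 'dc=...' '(objectclass=nstombstone)' nsds50ruv` on a master, pass your real server list to `cleanup_candidates`, and compare the output across masters: an element that shows up everywhere with a months-old maxCSN and no live host behind it is the one clean-ruv is for, and the decoded timestamp tells you roughly when that replica last wrote anything.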

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Martin Kosek
On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote: > << > This worked for me: > > $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm > "(|(uid=admin)(name=admin))" dn > SASL/GSSAPI authentication started > SASL username: ad...@example.com > SASL SSF: 56 > SAS

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Ludwig Krispenz
On 05/21/2015 07:50 AM, Martin Kosek wrote: On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote: << This worked for me: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm "(|(uid=admin)(name=admin))" dn SASL/GSSAPI authentication started SASL username: ad..