Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
comments inline On 04/28/2016 06:30 PM, Bret Wortman wrote: > Look, I'll be honest. When IPA is in this much of a knot, I don't know how to > do > the simplest things with its various components. For example, I've no clue > how > to search the ldap database for anything. Or even how to

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti
On 28.04.2016 19:16, Roderick Johnstone wrote: Hi RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in use by freeipa (see previous thread on this list). When the update to

Re: [Freeipa-users] Free IPA Client in Docker

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 06:14:30PM +, Hosakote Nagesh, Pawan wrote: > Hi, > I am planning to deploy FreeIPA Client in a docker where my Apps are > running. However I hit a road block as there seems to be problem with the > docker’s hostname settings > In DNS records. > > Debug Log >

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > Hi List, > > i have a working setup of IPA with AD integrated and one client joined. > > i want to implement HBAC rules against this client. can anyone please share > me good articles of implementing HBAC from web UI. I'm not sure

Re: [Freeipa-users] FreeIPA with smart card using LightDM

2016-04-29 Thread Sumit Bose
On Thu, Apr 28, 2016 at 04:09:16PM -0500, Michael Rainey (Contractor) wrote: > I am wondering if anyone out there is currently using freeIPA with smart > cards along with LightDM. I have systems running SL7.2 with GDM and I have > users that prefer to use XFCE or KDE over the default GNOME-Shell.

Re: [Freeipa-users] Free IPA Client in Docker

2016-04-29 Thread Martin Kosek
On 04/28/2016 08:14 PM, Hosakote Nagesh, Pawan wrote: > Hi, > I am planning to deploy FreeIPA Client in a docker where my Apps are > running. However I hit a road block as there seems to be problem with the > docker’s hostname settings > In DNS records. CCing Jan on this one. Did you try

Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 06:31:20PM +, Sullivan, Daniel [AAA] wrote: > Jakub, > > Thank you for your reply. I did not know that the compat tree was > populated from sssd; Do you have any experience and or recommendation on > using the full_name_format variable of sssd.conf to manipulate how

Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote: > > > > Your can still authenticate with SSH keys, but to access any NFS 4 shares > > they will need a Kerberos ticket, which can be obtained via a 'kinit' after > > logging in. > > > > Then how does the key authentication work if the

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti
On 29.04.2016 11:02, Martin Basti wrote: On 28.04.2016 19:16, Roderick Johnstone wrote: Hi RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in use by freeipa (see previous thread on

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:37 PM, Prashant Bapat wrote: > Hi Petr, > > Thanks for the response. But my question was more towards the cases where > there > is a slight delay in entering the OTP in the web UI and it reaching the IPA > server. This actually can happen with ANY time window. > > There are

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Martin Basti
On 29.04.2016 13:27, Ben .T.George wrote: HI Thanks for your reply. can i do this external group mapping from web UI? You can create External Group using webUI (user groups/ add group/ choose external radio button) More doc about HBAC:

[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
Hi All: Any method can fall back the default ipa cert if I didn't backup original? Now the slapd and ipa cert storage quite a mess so they can't replicate even disabled nsslapd:security to off thx Barry -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
The date change was due (I think) to me changing the date back to 4/1 yesterday, though I left it there and haven't updated it again until this morning, when I went back to 4/1 again. I put the results of the commands you requested at https://pastebin.com/s7cHAh6R. Thanks for your help, Petr.

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:03 PM, Bret Wortman wrote: > The date change was due (I think) to me changing the date back to 4/1 > yesterday, though I left it there and haven't updated it again until > this morning, when I went back to 4/1 again. > > I put the results of the commands you requested at >

Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Prashant Bapat
Hi Petr, Thanks for the response. But my question was more towards the cases where there is a slight delay in entering the OTP in the web UI and it reaching the IPA server. This actually can happen with ANY time window. There are couple of scenarios. 1. Network delays. 2. User enters the OTP

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti
Please keep, user-list in CC You did not send all information I requested. Please use `rpm -ql ipa-server` to get exact version number On 29.04.2016 13:32, barry...@gmail.com wrote: Error.is from Gss api And i m thinkbif it relate cert issue. Server1> server 2 fail Server 2 > server1 ok

Re: [Freeipa-users] HBAC implementation help

2016-04-29 Thread Ben .T.George
HI Thanks for your reply. can i do this external group mapping from web UI? On Fri, Apr 29, 2016 at 10:50 AM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 12:03:42AM +0300, Ben .T.George wrote: > > Hi List, > > > > i have a working setup of IPA with AD integrated and one

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread Martin Basti
On 29.04.2016 13:02, barry...@gmail.com wrote: Hi All: Any method can fall back the default ipa cert if I didn't backup orginal? Now the slapd and ipa cert storage quite a mess so they cant replicate even disabled nsslapd:security to off thx Barry Hello Barry, Can you provide more

[Freeipa-users] WinSync: The correct method for unbinding some users from synchronization

2016-04-29 Thread cac2s
Hello ALL. In our organization it became necessary to: - replicate all user accounts from AD to FreeIPA preserving user passwords (the passwords will appear in FreeIPA when changing these in AD using WinSync) - unbind the part of the migrated accounts from synchronization - remove

[Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi Users You can help me? I have the problem for join a client to my FREEIPA Server. The version IPA Server is 3.0 and IP client is 3.0 When I join my client to IPA server show these errors: [root@ppa ~]# tail -f /var/log/ipaclient-install.log 2016-04-28T17:26:41Z DEBUG

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Roderick Johnstone
On 29/04/2016 10:27, Martin Basti wrote: On 29.04.2016 11:02, Martin Basti wrote: On 28.04.2016 19:16, Roderick Johnstone wrote: Hi RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 A couple of months ago I updated /etc/dirsrv/slapd-XXX.XXX.XXX/dse.ldif to customise the cipher suite in

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Despite "ipactl status" indicating that all processes were running after step 1, step 2 produces "Unable to establish SSL connection." Full terminal session is at http://pastebin.com/ZuNBHPy0 On 04/29/2016 07:29 AM, Petr Vobornik wrote: On 04/29/2016 12:03 PM, Bret Wortman wrote: The date

[Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Andreas Calminder
Hello, I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, i.e. password changes from IPA will not be replicated to Windows? Best regards, Andreas

[Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi while issuing ipa trust-fetch-domains, i am getting below error. i have created new security group in AD and i want to add this to external group. [root@freeipa ~]# ipa trust-fetch-domains "kwttestdc.com.kw" ipa: ERROR: error on server 'freeipa.idm.local': Fetching domains from trusted fo

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 02:53 PM, Bret Wortman wrote: > Despite "ipactl status" indicating that all processes were running after > step 1, step 2 produces "Unable to establish SSL connection." > > Full terminal session is at http://pastebin.com/ZuNBHPy0 > > On 04/29/2016 07:29 AM, Petr Vobornik wrote: >>

Re: [Freeipa-users] freeipa update changed my cipher set

2016-04-29 Thread Martin Basti
On 29.04.2016 14:13, Roderick Johnstone wrote: On 29/04/2016 10:27, Martin Basti wrote: On 29.04.2016 11:02, Martin Basti wrote: On 28.04.2016 19:16, Roderick Johnstone wrote: Hi RHEL7 running ipa-server-4.2.0-15.el7_2.6.1.x86_64 A couple of months ago I updated

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > Hi List, > > I have working setup of one AD, one IPA server and one client server. by > default i can login to client server by using AD username. > > i want to apply HBAC rules against this client server. For that i have done >

Re: [Freeipa-users] ipa-client password authentication failed

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:44 AM, siology.io wrote: > On a clean centos 7 VM, after installation of ipa-server browsing to the ipa > web > UI gets me in the httpd error_logs: > > [Thu Apr 28 18:41:11.826134 2016] [:error] [pid 10162] [remote 10.0.4.10:244 > ] mod_wsgi (pid=10162):

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
It is contacting the correct machine. I tried again by IP with the same results. /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014. Web UI won't load. CLI won't respond either. Commands just hang. # netstat -ln | grep 443 tcp6 0 0 :::8443 :::* LISTEN

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Petr Vobornik
On 04/29/2016 02:53 PM, Bret Wortman wrote: > Despite "ipactl status" indicating that all processes were running after > step 1, step 2 produces "Unable to establish SSL connection." > > Full terminal session is at http://pastebin.com/ZuNBHPy0 Hm, it doesn't help me much. Does it contact the

[Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi List, I have working setup of one AD, one IPA server and one client server. by default i can login to client server by using AD username. i want to apply HBAC rules against this client server. For that i have done below steps. 1. created External group in IPA server 2. created local POSIX

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
I'll put the results inline here, since they're short. [root@zsipa log]# ls -laZ /etc/httpd/ drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 . drwxr-xr-x. root root system_u:object_r:etc_t:s0 .. drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias drwxr-xr-x. root root

Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Anon Lister
Yep sorry I missed that. You need to put your public keys in IPA. On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote: On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote: > > > > Your can still authenticate with SSH keys, but to access any NFS 4 shares > > they will need a

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 16:08, Petr Vobornik wrote: > On 04/29/2016 02:53 PM, Bret Wortman wrote: >> Despite "ipactl status" indicating that all processes were running after >> step 1, step 2 produces "Unable to establish SSL connection." >> >> Full terminal session is at http://pastebin.com/ZuNBHPy0 > >

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 16:51, Bret Wortman wrote: > It is contacting the correct machine. I tried again by IP with the same > results. > > /etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014. > > Web UI won't load. CLI won't respond either. Commands just hang. > > # netstat -ln | grep 443 > tcp6

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Alexander Bokovoy
On Fri, 29 Apr 2016, Ben .T.George wrote: Hi List, I have working setup of one AD, one IPA server and one client server. by default i can login to client server by using AD username. i want to apply HBAC rules against this client server. For that i have done below steps. 1. created External

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI If i disable allow_all rule, i cannot able to login to client machine. On Fri, Apr 29, 2016 at 7:05 PM, Ben .T.George wrote: > HI > > actually i have added Domain Admins and the user ben is not part of Domain > Admins. But

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Christian Heimes
On 2016-04-29 18:17, Bret Wortman wrote: > I'll put the results inline here, since they're short. > > [root@zsipa log]# ls -laZ /etc/httpd/ > drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 . > drwxr-xr-x. root root system_u:object_r:etc_t:s0 .. > drwxr-xr-x. root root

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
surprisingly i have created some local IPA users and added to same HBAC rule, and removed AD group and applied this rule to client, and that worked. How can i make this AD group with HBAC working? Regards, Ben On Fri, Apr 29, 2016 at 7:12 PM, Ben .T.George wrote: > HI

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi I have created 2 fresh users now and i was running below, [root@freeipa log]# ipa hbactest --user "KWTTESTDC\jude" --host `hostname` --service sshd ipa: ERROR: trusted domain user not found [root@freeipa log]# ipa hbactest --user "KWTTESTDC\muneer" --host `hostname` --service sshd ipa: ERROR:

Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Rich Megginson
On 04/29/2016 09:44 AM, Rob Crittenden wrote: Andreas Calminder wrote: Hello, I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, I.E password changes from IPA will not be replicated to Windows?

Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Andreas Calminder
Hello, The goal was that I wanted to just have passwords in sync, leaving attributes and what not to windows but mostly to protect from accidental deletes in IPA being carried out in the active directory. I've removed the onewaysync attribute and worked around it with limiting the permissions

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI actually i have added Domain Admins and the user ben is not part of Domain Admins. But when i login to client machine, i am getting below -sh-4.2$ id uid=1827801104(b...@kwttestdc.com.kw) gid=1827801104(b...@kwttestdc.com.kw) groups=1827801104(b...@kwttestdc.com.kw),1827800513(*domain

Re: [Freeipa-users] Replication error

2016-04-29 Thread Anton Rubets
Hi Yeap now request: error -1 (Can't contact LDAP server) errno 2 (No such file or directory) gone But still i have attrlist_replace - attr_replace (nsslapd-referral, ldap://ldap2.domain389/o%3Dipaca) failed. Maybe you can help to find out were i need to go? dirsrv, ldap, client, sssd etc

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden
Jose Alvarez R. wrote: Hi Users You can help me? I have the problem for join a client to my FREEIPA Server. The version IPA Server is 3.0 and IP client is 3.0 When I join my client to IPA server show these errors: [root@ppa ~]# tail -f /var/log/ipaclient-install.log 2016-04-28T17:26:41Z

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
Hi Alex, yea my mistake. i was following u this http://www.freeipa.org/page/Active_Directory_trust_setup#Allow_access_for_users_from_AD_domain_to_protected_resources On Fri, Apr 29, 2016 at 6:03 PM, Alexander Bokovoy wrote: > On Fri, 29 Apr 2016, Ben .T.George wrote: >

Re: [Freeipa-users] oneWaySync affecting Password sync?

2016-04-29 Thread Rob Crittenden
Andreas Calminder wrote: Hello, I'm running ipa 4.2.0-15.el7 with winsync and wondering if setting oneWaySync to fromWindows will affect password synchronization from IPA to AD, I.E password changes from IPA will not be replicated to Windows? Hmm, interesting question, I'm not sure. What is

Re: [Freeipa-users] IPA Server Web UI multiple network access

2016-04-29 Thread Martin Basti
On 29.04.2016 15:34, GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP wrote: I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure. I've installed IPA server (version 3.0.0) on a

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Jakub Hrozek
On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > HI, > > "The other is that the groups might not show up on the client (do they?)" id $user. But I think Alexander noticed the root cause. > > how can i check that. > > Thanks > Ben > > On Fri, Apr 29, 2016 at 5:59 PM, Jakub

[Freeipa-users] DNS reverse Zones on other server

2016-04-29 Thread Wanka, Silvio
Hi, if I search in the web for this problem I don't find a usable solution, maybe my search pattern is wrong. ;-) I have setup an IPA domain with integrated DNS but because the most systems here are Windows servers and clients the IPA clients must use the same IP ranges. So the reverse

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI while explaining here it went wrong. actually what i did is "Added external group to POSIX group" On Fri, Apr 29, 2016 at 6:56 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 06:32:28PM +0300, Ben .T.George wrote: > > HI, > > > > "The other is that the groups might not show

[Freeipa-users] IPA Server Web UI multiple network access

2016-04-29 Thread GOLDBERG, RUSSELL J GG-12 USAF ACC 453 EWS/EWP
I'm attempting to figure out if it's possible to configure IPA's web UI in such a way that it can be accessed from both a private and a public network infrastructure. I've installed IPA server (version 3.0.0) on a RHEL 6.7 host (ipa.dev.internal) and configured an IPA domain (dev.internal).

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
Sean Hogan wrote: Hi Noriko, Thanks for the suggestions, I had to trim out the GCM ciphers in order to get IPA to start back up or I would get the unknown cipher message The trick is getting the cipher name right (it doesn't always follow a pattern) and explicitly disabling some ciphers as

Re: [Freeipa-users] HBAC with Active directory group is not working

2016-04-29 Thread Ben .T.George
HI, "The other is that the groups might not show up on the client (do they?)" how can i check that. Thanks Ben On Fri, Apr 29, 2016 at 5:59 PM, Jakub Hrozek wrote: > On Fri, Apr 29, 2016 at 05:38:30PM +0300, Ben .T.George wrote: > > Hi List, > > > > I have working setup

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
Hi Rob, I stopped IPA, modified dse.ldif, restarted with the cipher list and it started without issue however Same 13 ciphers. You know.. thinking about this now.. I going to try something. The box I am testing on it a replica master and not the first replica. I did not think this would

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi, Rob Thanks!! The version the xmlrpc-c of my server IPA: xmlrpc-c-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 The version the xmlrpc-c of my client IPA xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-1.16.24-1210.1840.el6.x86_64

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
Sean Hogan wrote: Apparently making it the master ca will not work at this point since the replica is removed. So still stuck with non-changing ciphers. Other services running on the box have zero impact on the ciphers available. I'm not sure what is wrong because it took me just a minute to

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
Apparently making it the master ca will not work at this point since the replica is removed. So still stuck with non-changing ciphers. Sean Hogan From: Sean Hogan/Durham/IBM To: Rob Crittenden Cc: freeipa-users@redhat.com, Noriko Hosoi

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden
Jose Alvarez R. wrote: Hi, Rob Thanks!! The version the xmlrpc-c of my server IPA: xmlrpc-c-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 The version the xmlrpc-c of my client IPA xmlrpc-c-client-1.16.24-1210.1840.el6.x86_64 xmlrpc-c-1.16.24-1210.1840.el6.x86_64

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Scratch that. Decided to be daring and run "getcert resubmit -i" for each cert (after verifying the first one worked), then shut ipa down, advanced the date, re-enabled ntpd and started it back up. Looks clean. On 04/29/2016 01:22 PM, Bret Wortman wrote: Of course, I just remembered that the

[Freeipa-users] Ldap error in ModifyPassword - 50: Insufficient access

2016-04-29 Thread Gady Notrica
Hey guys, After my previous issue, my passwords do not sync anymore with IPA. No password changed for the sync user. Any ideas? Thank you, 04/29/16 13:32:56: Ldap error in ModifyPassword 50: Insufficient access 04/29/16 13:32:56: Modify password failed for remote entry:

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
We run with selinux disabled. # getenforce Disabled # restorecon -R -v /etc/httpd/alias # ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting pki-tomcatd Service Failed to

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Rob Crittenden
Bret Wortman wrote: We run with selinux disabled. # getenforce Disabled # restorecon -R -v /etc/httpd/alias # ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Starting

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Of course, I just remembered that the server still thinks it's April 4, and I still have some certs that are expiring as of 4-17-16. Before I screw anything else up, what's the RIGHT way to renew those certs and move the server back to real time? On 04/29/2016 01:07 PM, Bret Wortman wrote:

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi Rob, Thanks for your response Yes, It's with admin. I execute the command "ipa-client-install --debug" - [root@ppa named]# ipa-client-install --debug /usr/sbin/ipa-client-install was invoked with options: {'domain':

Re: [Freeipa-users] IPA server having cert issues

2016-04-29 Thread Bret Wortman
Hot damn! It's up and running. Web UI works. CLI works. The chgrp did the trick. Thank you Rob, Petr and Christian! Bret On 04/29/2016 01:04 PM, Rob Crittenden wrote: Bret Wortman wrote: We run with selinux disabled. # getenforce Disabled # restorecon -R -v /etc/httpd/alias # ipactl

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
ipa-server-3.0.0-37.el6.x86_64 << here 2016-04-29 19:36 GMT+08:00 Martin Basti : > Please keep, user-list in CC > > You did not send all information I requested. > > Please use `rpm -ql ipa-server` to get exact version number > > > On 29.04.2016 13:32, barry...@gmail.com

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
server 1: ipa-server-3.0.0-26.el6_4.4.x86_64 server2 ipa-server-3.0.0-37.el6.x86_64 2016-04-30 1:10 GMT+08:00 : > > ipa-server-3.0.0-37.el6.x86_64 << here > > 2016-04-29 19:36 GMT+08:00 Martin Basti : > >> Please keep, user-list in CC >> >> You did not

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Rob Crittenden
Jose Alvarez R. wrote: Hi Rob, Thanks for your response Yes, It's with admin. I assume this is a problem with your version of xmlrpc-c. We use standard calls xmlrpc-c calls to setup authentication and IIRC that links against libcurl which provides the Kerberos/GSSAPI support. On EL6 you

Re: [Freeipa-users] HTTP response code is 401, not 200

2016-04-29 Thread Jose Alvarez R.
Hi, Rob Thanks for your response The link https://bugzilla.redhat.com/show_bug.cgi?id=719945 I not have access.. I tried to install xmlrpc-c-1.16.24-1210.1840.el6.src.rpm in the server PPA(Client IPA), but still shows the same error. A moment ago I added another client server with same

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Rob Crittenden
Sean Hogan wrote: Thanks Rob... appreciate the help.. can you send me what you have in nss.conf, server.xml as well? If I start off playing with something you see working without issue then maybe I can come up with something or am I wrong thinking those might affect anything? The only config

Re: [Freeipa-users] IPA vulnerability management SSL

2016-04-29 Thread Sean Hogan
Thanks Rob... appreciate the help.. can you send me what you have in nss.conf, server.xml as well? If I start off playing with something you see working without issue then maybe I can come up with something or am I wrong thinking those might affect anything? IE .. can you send me the entire

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
OK so I made progress on my cert renew issue; I was able to get kinit working so I can follow the rest of the steps here ( http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) However, after using ldapmodify -x -h localhost -p 7389 -D 'cn=directory manager' -w password and restarting apache

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-04-29 Thread Anthony Cheng
I made further progress, I managed to get it to be in NEED_TO_SUBMIT state again after a reboot and this time klist and clock looks good. However getting this error while restarting IPA, Starting dirsrv: PKI-IPA...[29/Apr/2016:21:41:48 +] - SSL alert: CERT_VerifyCertificateNow: verify

Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-04-29 Thread Ben .T.George
Hi Anyone please help me to fix this issue. i have created new group in AD( 4 hours back) and while i was mapping this group as --external, i am getting below error. *[root@freeipa sysctl.d]# ipa group-add --external ad_admins_external --desc "KWTTESTDC.com.KW AD

[Freeipa-users] Password Encryption Method

2016-04-29 Thread Zak Wolfinger
Did the password encryption method change between V3.0 and newer versions? Where can I find out what method is being used? I’m running into hash issues when using GADS to sync to Google. Cheers, Zak Wolfinger Infrastructure Engineer | Emma® zak.wolfin...@myemma.com