Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Bret Wortman
I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating a new one? On 06/03/2016 09:48 AM, Rob Crittenden wrote: Bret

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread lejeczek
On 03/06/16 15:22, Alexander Bokovoy wrote: On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread Rob Crittenden
seli irithyl wrote: Yes, you're right, I was also surprised by the subject of the error. I made changes in the /etc/httpd/conf.d/nss.conf file. I changed Listen 443 to Listen 8443 and to as it was in the /etc/httpd/conf.d/nss.conf file before the update. You have to change it back. mod_nss

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Rob Crittenden
Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating a new one? No, I think you did the right thing,

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread lejeczek
On 03/06/16 15:11, Sumit Bose wrote: On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Bret Wortman
On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key" instead of generating

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Alexander Bokovoy
On Fri, 03 Jun 2016, lejeczek wrote: On 03/06/16 15:22, Alexander Bokovoy wrote: On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Rob Crittenden
Bret Wortman wrote: On 06/03/2016 11:02 AM, Rob Crittenden wrote: Bret Wortman wrote: I'm not sure I'd call what we have "success" just yet. ;-) You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and see how we go. Rob, would you have just used the existing "localhost.key"

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread bret . wortman
I'll check and report back Tuesday. Bret Wortman http://wrapbuddies.co/ On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden, wrote: > Bret Wortman wrote: > > > > > > On 06/03/2016 11:02 AM, Rob Crittenden wrote: > > > Bret Wortman wrote: > > > > I'm not sure I'd call what we

Re: [Freeipa-users] how to setup apache reverse https proxy for freeipa web UI

2016-06-03 Thread Jan Pazdziora
On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote: > > My problem is: > I have an ipa.example.com server on the internal network, with > self-signed certificates. > I'd like to be able to connect to the UI from the internet, using > https with other certificates (e.g. let's encrypt

Re: [Freeipa-users] FreeIPA 4.2.0 on CentOS 7.2 as replica of FreeIPA 3.0.0 on CentOS 6.8; cannot install CA components as replica, cannot promote to master

2016-06-03 Thread Rob Crittenden
dan.finkelst...@high5games.com wrote: A further update: when I try to install the CA component, it erroneously says that the CA is installed: root@ipa ~]# ipa-ca-install --skip-conncheck --debug [ snip ] ipa : DEBUG The ipa-ca-install command failed, exception: SystemExit: CA is

Re: [Freeipa-users] IPA's own ptr record - unresolvable ?

2016-06-03 Thread lejeczek
On 03/06/16 08:06, Petr Spacek wrote: On 2.6.2016 18:30, lejeczek wrote: hi users, I do (all on IPA server) $ host 10.5.6.100 Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN) I do: $ host 10.5.6.17 17.6.5.10.in-addr.arpa domain name pointer .. I do: $ ipa dnsrecord-find

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Bret Wortman
So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean): # openssl genrsa 2048 > /etc/pki/tls/private/server.key # openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key >

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread Petr Vobornik
On 06/03/2016 11:11 AM, seli irithyl wrote: > Sorry Martin, > I rebooted the IdM server: > [root@lead sssd]# ipactl status > Directory Service: RUNNING > krb5kdc Service: RUNNING > kadmin Service: RUNNING > ipa_memcached Service: RUNNING > httpd Service: RUNNING > pki-tomcatd Service: RUNNING >

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread seli irithyl
# getcert list returns 9 request ID. All 9 are in status "MONITORING" and expire after 2017. So no expired certificate. Number of certificates and requests being tracked: 9. Request ID '20150313092422': status: MONITORING stuck: no key pair storage:

Re: [Freeipa-users] IPA's own ptr record - unresolvable ?

2016-06-03 Thread Petr Spacek
On 3.6.2016 10:33, lejeczek wrote: > > > On 03/06/16 08:06, Petr Spacek wrote: >> On 2.6.2016 18:30, lejeczek wrote: >>> hi users, >>> >>> I do (all on IPA server) >>> >>> $ host 10.5.6.100 >>> Host 100.6.5.10.in-addr.arpa. not found: 3(NXDOMAIN) >>> >>> I do: >>> >>> $ host 10.5.6.17 >>>

Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue

2016-06-03 Thread Kay Zhou Y
Hi Rob, Actually certmonger service is failed after restart it, but without its active the two 389-ds and apache certs could be renewed as well.. it's weird.. root@ecnshlx3039-test2(SH):~ #systemctl status certmonger certmonger.service - Certificate monitoring and PKI enrollment

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread seli irithyl
Sorry Martin, I rebooted the IdM server: [root@lead sssd]# ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING ipa-otpd Service: RUNNING ipa: INFO: The ipactl command was

Re: [Freeipa-users] replica +dns +ca -> ERROR Unable to retrieve CA chain

2016-06-03 Thread lejeczek
On 25/05/16 14:19, Rob Crittenden wrote: lejeczek wrote: hi there, I'm trying to set up a replica with: --setup-dns --no-forwarders --setup-ca installer fails at: [10/23]: importing CA chain to RA certificate database [error] RuntimeError: Unable to retrieve CA chain: [Errno 111]

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Sumit Bose
On Fri, Jun 03, 2016 at 02:39:00PM +0100, lejeczek wrote: > hi users, > > I have a samba and sssd trying AD, it's 7.2 Linux. > > That linux box is via sssd and samba talking to AD DC and win10 clients get > to samba shares, getent pass sees AD users, samba can get to DC's shares and > win10's

Re: [Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread Alexander Bokovoy
On Fri, 03 Jun 2016, lejeczek wrote: hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good

Re: [Freeipa-users] IPA 3.0.47 to 3.0.50 Upgrade problem

2016-06-03 Thread Sean Hogan
Hi Robert.. Thanks for the reply. Think I might have found the issue. The KVM host my master was running on was showing redhat release 6.5 but the libvrt packages were showing 6.6. I think the managers of the kvm host did not reboot it after an update with new kernel. Asked them to reboot

Re: [Freeipa-users] Unable to access to web ui

2016-06-03 Thread Rob Crittenden
seli irithyl wrote: # getcert list returns 9 request ID. All 9 are in status "MONITORING" and expire after 2017. So no expired certificate. Number of certificates and requests being tracked: 9. [snip] Request ID '20150313092456': status: MONITORING stuck: no key pair storage:

[Freeipa-users] a bit off topic- samba + sssd => AD

2016-06-03 Thread lejeczek
hi users, I have a samba and sssd trying AD, it's 7.2 Linux. That linux box is via sssd and samba talking to AD DC and win10 clients get to samba shares, getent pass sees AD users, samba can get to DC's shares and win10's clients shares, all good except... smbclient @samba, in other words

Re: [Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

2016-06-03 Thread Rob Crittenden
Bret Wortman wrote: So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean): # openssl genrsa 2048 > /etc/pki/tls/private/server.key # openssl req -new -x509 -nodes -sha1 -days 365 -key