I am new to FreeIPA and have inherited two IPA servers, not sure if one is a
master/slave or how they are different. I will try to give some pertinent
outputs below of some of the things I am seeing. I know the Server-Cert is
expired but can't figure out how to renew it. There also appears to
e command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, October 08, 2015 9:00 AM
To: Gronde, Christopher (Contractor)
Cc: freeipa-users@redhat.
(Contractor) ; Alexander
Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working issues
manually renewing Server-Cert
Gronde, Christopher (Contractor) wrote:
> Now I am getting CA_UNREACHABLE
>
> # ipa-getcert resubmit -i 20151007150853 -
.gov,O=ITMODEV.GOV
expires: 2015-09-23 17:46:26 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
11:37 AM
To: Gronde, Christopher (Contractor) ; Alexander
Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certmonger and dogtag not working issues
manually renewing Server-Cert
Gronde, Christopher (Contractor) wrote:
> When I ran "getcert list" rather than "
Stopping httpd:[FAILED]
Shutting down dirsrv:
ITMODEV-GOV... [ OK ]
Aborting ipactl
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, October 08, 2015 1:51 PM
To: Gronde, Christopher (
[ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached:[ OK ]
Stopping httpd: [FAILED]
Shutting down dirsrv:
ITMODEV-GOV...
: 1 instance(s) failed to start
Failed to start Directory Service: Command '/sbin/service dirsrv start '
returned non-zero exit status 1
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Gronde, Christopher
(Contra
We have had huge issues with our ipa servers which have left some of our
applications offline. We want to stand up a temporary OpenLDAP server to
transfer the users to until we can get IPA back online. Is there a way to
export the ipa LDAP DB so that I can migrate the users into openldap?
V/r
Hello all!
On my replica IPA server after fixing a cert issue that had been going on for
some time, I have all my certs figured out but the krb5kdc service will not
start.
# service krb5kdc start
Starting Kerberos 5 KDC: krb5kdc: cannot initialize realm ITMODEV.GOV - see log
file for details
[mailto:aboko...@redhat.com]
Sent: Monday, November 09, 2015 10:51 AM
To: Gronde, Christopher (Contractor)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On Mon, 09 Nov 2015, Gronde, Christopher (Contractor) wrote:
>Hello all!
>
Nothing bad came back and there is definitely data in the tree.
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, November 09, 2015 11:46 AM
To: Gronde, Christopher (Contractor) ; Alexander
Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa
nn=2 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[09/Nov/2015:15:02:01 -0500] conn=2 op=3 UNBIND
[09/Nov/2015:15:02:01 -0500] conn=2 op=3 fd=64 closed - U1
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, November 09, 2015 3:26 PM
To: Gronde, Christopher (Contra
er 09, 2015 3:26 PM
To: Gronde, Christopher (Contractor) ; Alexander
Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
Gronde, Christopher (Contractor) wrote:
> Nothing bad came back and there is definitely data in the tree.
Ok,
Where can I verify or change the credentials it is trying to use? Is it my
LDAP password?
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, November 10, 2015 8:18 AM
To: Gronde, Christopher (Contractor)
Cc: Rob Crittenden ; freeipa-users@redhat.com
U1
[10/Nov/2015:08:51:05 -0500] conn=53 op=0 RESULT err=14 tag=97 nentries=0
etime=0, SASL bind in progress
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Tuesday, November 10, 2015 8:41 AM
To: Gronde, Christopher (Contractor)
Cc: Rob Crittenden ; freeip
: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 02:40 PM, Alexander Bokovoy wrote:
> On Tue, 10 Nov 2015, Gronde, Christopher (Contractor) wrote:
>> Where can I verify or change the credentials it is trying to use? Is
>> it my LDAP password?
day, November 10, 2015 9:48 AM
To: Gronde, Christopher (Contractor)
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 03:32 PM, Gronde, Christopher (Contractor) wrote:
> How do I change that log setting? Is that don
ov/2015:10:16:15 -0500] conn=38 fd=64 slot=64 connection from
172.16.100.161 to 172.16.100.161
[10/Nov/2015:10:16:15 -0500] conn=38 op=0 UNBIND
[10/Nov/2015:10:16:15 -0500] conn=38 op=0 fd=64 closed - U1
[10/Nov/2015:10:16:17 -0500] conn=39 fd=64 slot=64 connection from
172.16.100.161 to 172.16.1
11:04 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 08:18 AM, Gronde, Christopher (Contractor) wrote:
> Thank you! I should have caught that...
>
> I changed the log level and then restarted dirsrv and
-users] krb5kdc will not start (kerberos authentication
error)
what do you get if you search for "objectclass=krbprincipal" ?
On 11/10/2015 05:27 PM, Rich Megginson wrote:
> On 11/10/2015 09:16 AM, Gronde, Christopher (Contractor) wrote:
>> Neither came back with anythi
ailto:mbabi...@redhat.com]
Sent: Tuesday, November 10, 2015 11:39 AM
To: Gronde, Christopher (Contractor) ; Rich
Megginson ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 05:16 PM, Gronde, Christopher (Contractor) wro
om: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 10, 2015 11:52 AM
To: Gronde, Christopher (Contractor) ; Ludwig
Krispenz ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
Gronde, Christopher (Contractor) wrote
ay, November 10, 2015 12:03 PM
To: Gronde, Christopher (Contractor) ; Rob
Crittenden ; Ludwig Krispenz ;
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication
error)
On 11/10/2015 05:54 PM, Gronde, Christopher (Contractor) wrote:
> # ldapsearch -x -D
applied in reverse alphabetical
order, which is why cn=uid mapping,cn=mapping,cn=sasl,cn=config is being
applied first. I thought there had been changes to this, so that you could
explicitly define the order in which the mappings were applied.
>>
>> -Original Message-
>>
dev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 10, 2015 1:26 PM
To: Gronde, Christopher (Cont
class=ldapsubentry))" attrs=ALL
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1
etime=0
[10/Nov/2015:14:12:16 -0500] conn=Internal op=-1 SRCH base="cn=Name
Only,cn=mapping,cn=sasl,cn=config" scope=0
filter="(|(objectclass=*)(objectclass=ldapsuben
For those of you that have been helping me...thank you! For all those
following along here is the status of my issues.
I ended up replacing the krbprincipal key and the user certificate in LDAP to
match what is on the master and I am no longer getting the invalid credentials
error! So thanks
THAT WORKED THANKS ROB!! I OWE YOU A BEER!
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, November 13, 2015 9:29 AM
To: Gronde, Christopher (Contractor) ; James
Masson ; Martin Kosek ;
freeipa-users@redhat.com; Jan Cholasta ; David Kupka
; Endi