[Freeipa-users] Re: update clients dns records

2024-05-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the DNS zone must also be configured to allow dynamic DNS updates, please check Configuring the DNS Zone to Allow Dynamic Updates

[Freeipa-users] Re: 502 Server Error: Proxy Error when creating CA replica on RockyLinux 8.9

2024-05-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, May 16, 2024 at 4:42 AM Satish Patel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Folks, > > I have Master freeIPA running on CentOS 7 and now trying to migrate it to > RockyLinux 8.9 (because centos7 is EOL). > > When I am running # ipa-replica-install

[Freeipa-users] Re: Remove bad replica nodes from list

2024-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, May 16, 2024 at 4:05 AM Satish Patel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Folks, > > I am trying to build some replicas and somehow they failed but because > they are half baked they are stuck in master nodes and not letting me > remove them. I have

[Freeipa-users] Re: Is it possible to migrate otp-token from freeipa server to another ipa-server?

2024-05-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 7, 2024 at 4:33 AM Heo Paul via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > There are 2 freeipa servers and the servers are not connected. > In the condition, I need to migrate otp-token data from one to another. > But when I tried to use migrate-ds tool to

[Freeipa-users] Re: Questions about replica

2024-05-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, May 6, 2024 at 8:57 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello. > just installed replica (ipa2.dom.loc), it seems to work fine. > > But how will enrolled clients know about this replica, if the primary server > is down? > If you installed

[Freeipa-users] Re: Login failed due to an unknown reason

2024-05-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, May 2, 2024 at 5:12 PM Damola Azeez via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello All, > > I attempted to log in to the freeipa GUI to administer a user and I found > out I wasn't able to log in with any of the freeipa users. Checking further, > I saw that

[Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9

2024-04-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your first message, the output of $ dsconf -D "cn=Directory Manager" ldap://$(hostname) repl-conflict list-glue "dc=noc,dc=net" mentions: dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net nsds5replconflict: deletedEntryHasChildren It means that the replication tried to
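As an added example (not from the thread or from the 389-ds project), the script below reads conflict entries in LDIF form, such as the output of ldapsearch or of the dsconf repl-conflict subcommands quoted above, and sorts them by kind: glue entries carrying nsds5ReplConflict: deletedEntryHasChildren, naming conflicts whose DN was rewritten to nsuniqueid=<id>+<original RDN>, anything else flagged, and entries with no conflict marker. The sample LDIF is constructed; only the glue DN is taken from the message, the jdoe entries and the nsuniqueid value are made up.

```python
"""Classify 389-ds replication conflict entries from LDIF text (e.g. ldapsearch or
dsconf repl-conflict output) so each kind can be handled with the matching cleanup."""
import base64
import re

# Constructed sample: the glue DN is the one quoted in the thread, the rest is invented.
SAMPLE_LDIF = """\
dn: cn=sg1-replica.noc.net,cn=masters,cn=ipa,cn=etc,dc=noc,dc=net
objectClass: top
objectClass: nsContainer
objectClass: glue
cn: sg1-replica.noc.net
nsds5ReplConflict: deletedEntryHasChildren

dn: nsuniqueid=8ab5c7a1-1c2d11ef-9a3fb2c4-0e7d5f61+uid=jdoe,cn=users,cn=accounts,dc=noc,dc=net
objectClass: top
objectClass: person
uid: jdoe
nsds5ReplConflict: namingConflict (ADD) uid=jdoe,cn=users,cn=accounts,
 dc=noc,dc=net

dn: uid=jdoe,cn=users,cn=accounts,dc=noc,dc=net
objectClass: top
objectClass: person
uid: jdoe
"""

# Conflict entries are renamed to nsuniqueid=<id>+<original RDN>,<parent>
CONFLICT_DN_RE = re.compile(r"^nsuniqueid=([0-9a-fA-F-]+)\+(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict mapping lowercase attribute names to value lists."""
    unfolded = re.sub(r"\r?\n ", "", text)            # LDIF folds long lines with "\n "
    entries = []
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][\w.;-]*)(::?)\s?(.*)$", line)
            if not m:                                  # comments and junk are skipped
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":                            # base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            attrs.setdefault(name, []).append(value)
        if attrs:
            entries.append(attrs)
    return entries


def split_conflict_dn(dn):
    """Return (nsuniqueid, original DN) for a renamed conflict entry, else (None, dn)."""
    m = CONFLICT_DN_RE.match(dn)
    return (m.group(1), m.group(2)) if m else (None, dn)


def classify_conflicts(entries):
    """Bucket entries into glue, naming conflicts, other flagged entries and clean ones."""
    report = {"glue": [], "naming": [], "other": [], "clean": []}
    for e in entries:
        dn = e.get("dn", [""])[0]
        flags = e.get("nsds5replconflict", [])
        classes = {c.lower() for c in e.get("objectclass", [])}
        if not flags and "glue" not in classes:
            report["clean"].append(dn)
        elif "glue" in classes or any(f.startswith("deletedEntryHasChildren") for f in flags):
            report["glue"].append(dn)                  # deleted parent kept alive for its children
        elif any(f.startswith("namingConflict") for f in flags):
            # value looks like "namingConflict (ADD) <dn the entry was meant to have>"
            rest = flags[0].split(")", 1)[1] if ")" in flags[0] else flags[0][len("namingConflict"):]
            report["naming"].append((dn, rest.strip()))
        else:
            report["other"].append((dn, flags[0]))
    return report


if __name__ == "__main__":
    for kind, items in classify_conflicts(parse_ldif(SAMPLE_LDIF)).items():
        print(kind, items)
```

A glue entry and a naming conflict need different cleanups, so knowing which bucket an entry falls in before touching it avoids deleting a parent that still has live children.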

[Freeipa-users] Re: Not possible to delete ID views from Default Trust View if user is no longer present in AD

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 22, 2024 at 12:58 PM LHEUREUX Bernard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > > > I’m trying to delete some anchors on Default Trust View on a FreeIPA with > trust to an AD and, I always get the message “…@... user not found » > > Effectively

[Freeipa-users] Re: LDAP conflicts after yum update on Almalinux 8.9

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Apr 23, 2024 at 9:53 AM Lee Csk via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > After performing the usual yum updates on multiple IPA servers (not at the > same time, one server reportedly started hanging), we started observing > "LDAP Conflicts" in multiple IPA

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Apr 19, 2024 at 6:20 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi! > > Here is the output of ipa-cert-fix on the original instance: > > ``` > > The following certificates will be renewed: > > Dogtag sslserver certificate: > Subject:

[Freeipa-users] Re: IPA Replica can't authenticate users

2024-04-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 10:10 AM John Doe wrote: > > > On Mon 15 Apr 2024 at 09:35 Florence Blanc-Renaud > wrote: > >> Hi, >> >> On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users < >> freeipa-users@lists.fedorahosted.org> wrote: >> >>> I'm playing around with IPA trying to

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 6:22 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence, > Thanks for your help. > > I am using the docker image `freeipa/freeipa-server:fedora-34-4.9.6`, I > guess the dependencies are correct as this is all bundled

[Freeipa-users] Re: pki-tomcat won't start + expired certificates

2024-04-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Apr 12, 2024 at 10:52 PM Basile Pinsard via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi freeipa experts. > > I have been using freeipa for the past 5 years running in a docker > container, no replicas. > currently on VERSION: 4.9.6, API_VERSION: 2.245 > > I

[Freeipa-users] Re: IPA Replica can't authenticate users

2024-04-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Apr 15, 2024 at 9:03 AM John Doe via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm playing around with IPA trying to figure out how to set it up to be > redundant. The problem is that the IPA Replica isn't able to authenticate > AD users if IPA Master is down. >

[Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica

2024-04-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Apr 11, 2024 at 6:02 PM Orion Poplawski wrote: > On 4/11/24 09:03, Florence Blanc-Renaud wrote: > > Hi, > > > > On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users > > > > wrote: > > > > I've just added an EL9 IPA

[Freeipa-users] Re: Cannot retrieve CRL from new EL9 IPA replica

2024-04-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Apr 11, 2024 at 12:34 AM Orion Poplawski via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I've just added an EL9 IPA replica into our domain. I seems to generally > be > working fine, but trying to download the MasterCRL.bin fails: > > ==> /var/log/httpd/access_log

[Freeipa-users] Re: CA Subsystem certificate

2024-04-03 Thread Florence Blanc-Renaud via FreeIPA-users
On Wed, Apr 3, 2024 at 5:24 AM Travis West via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > > > On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users < > > freeipa-users(a)lists.fedorahosted.org wrote: > > > > As Rob wrote, it's not a problem that getcert list,

[Freeipa-users] Re: CA Subsystem certificate

2024-04-02 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Apr 2, 2024 at 8:50 PM Travis West via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Okay, I've generated new certs that don't have the extra space. Once > those were imported to the NSS DB I also updated the CS.cfg with the new > cert and certreq values for OCSP,

[Freeipa-users] Re: ipa-setup-ca

2024-03-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, you can download freeipa-healthcheck and run ipa-healthcheck command on the master/replica, it would help you identify any inconsistency in the configuration. Otherwise, we need more info to help you. It looks like the LDAP server certificate on the master ldap01.app.uaap.maxar.com has

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Mar 18, 2024 at 3:38 PM Ian Kumlien wrote: > On Thu, Mar 14, 2024 at 7:36 PM Florence Blanc-Renaud > wrote: > > > > Hi, > > > > On Thu, Mar 14, 2024 at 8:55 AM Ian Kumlien > wrote: > >> > >> On Wed, Mar 13, 2024 at 1:58 PM Ian Kumlien > wrote: > > [--8<--] > > >> As a side note,

[Freeipa-users] Re: Failed FreeIPA replica installation

2024-03-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 9:50 PM D S via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I added more log info below and also applied this solution to generate > SIDs https://access.redhat.com/solutions/7052703 > Still unable to login via web UI and every ipa command fails. >

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 8:55 AM Ian Kumlien wrote: > On Wed, Mar 13, 2024 at 1:58 PM Ian Kumlien wrote: > > > > On Wed, Mar 13, 2024 at 11:39 AM Florence Blanc-Renaud > wrote: > > > > > > Hi, > > > > > > On Wed, Mar 13, 2024 at 10:06 AM Ian Kumlien > wrote: > > >> > > >> On Tue, Mar 12,

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 1:10 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Found this in the logs: > > INFO: Server certificate: CN=ldap.app.uaap.maxar.com,OU=UAAP,O=Maxar > Technologies Inc,L=Herndon,ST=Virginia,C=US > WARNING: UNTRUSTED ISSUER encountered

[Freeipa-users] Re: ipa-setup-ca

2024-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Mar 14, 2024 at 1:43 AM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hey guys, > I finished installing two replicas of my master. Both installations of > the replicas completed successfully, but when I try to run the ipa-setup-ca > it is having some

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Mar 13, 2024 at 10:06 AM Ian Kumlien wrote: > On Tue, Mar 12, 2024 at 10:36 PM Florence Blanc-Renaud > wrote: > > > > Hi, > > > > On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> > >> Hi, > >> > >> So i have spent

[Freeipa-users] Re: Using ipa-ca-install on a replica

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Mar 12, 2024 at 12:54 PM Ian Kumlien via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > So I have spent quite some time trying to get out of the swamp that is > centos stream 8 and back to something with an actual upgrade path, > fedora =) > > Everything works

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Mar 12, 2024 at 1:49 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [root @ ldap01] > $ openssl x509 -noout -text -in /var/lib/ipa/certs/httpd.crt | grep Not > Not Before: Jan 12 15:30:18 2024 GMT > Not After : Jan 11 15:30:18

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your first email you pasted the output of getcert list, and it's reporting only 7 certificates. It's likely that your server is using certmonger for the pkinit cert, the 5 certs for PKI and the RA cert, meaning that the HTTP and LDAP server certificates are externally signed and not
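The inference above (seven tracked certificates means the five PKI certs, the RA agent cert and the PKINIT cert, so the HTTP and LDAP server certs are not under certmonger) can be checked mechanically. The script below is an added example, not code from the thread or from FreeIPA or certmonger: it parses the text of getcert list, compares what is tracked against the set of storage locations and nicknames an IPA 4.9+ CA server is assumed to track when the IPA CA issues its HTTP and LDAP certs, and also flags requests that have left MONITORING or whose certificate has already expired. The EXPECTED table and the sample output are the editor's assumptions and a constructed sample, not something the message states.

```python
"""Summarise `getcert list` output: which IPA certificates certmonger tracks, which of the
expected set are missing, and which have expired or are no longer in MONITORING."""
import re
from datetime import datetime, timezone

# Editor's assumption: tracking layout of an IPA 4.9+ CA server whose HTTP and LDAP
# certificates are issued by the IPA CA. Tuples are (storage type, location prefix, nickname).
EXPECTED = {
    "httpd":         ("FILE",  "/var/lib/ipa/certs/httpd.crt", None),
    "dirsrv":        ("NSSDB", "/etc/dirsrv/slapd-", "Server-Cert"),
    "kdc-pkinit":    ("FILE",  "/var/kerberos/krb5kdc/kdc.crt", None),
    "ra-agent":      ("FILE",  "/var/lib/ipa/ra-agent.pem", None),
    "pki-ca":        ("NSSDB", "/etc/pki/pki-tomcat/alias", "caSigningCert cert-pki-ca"),
    "pki-ocsp":      ("NSSDB", "/etc/pki/pki-tomcat/alias", "ocspSigningCert cert-pki-ca"),
    "pki-audit":     ("NSSDB", "/etc/pki/pki-tomcat/alias", "auditSigningCert cert-pki-ca"),
    "pki-subsystem": ("NSSDB", "/etc/pki/pki-tomcat/alias", "subsystemCert cert-pki-ca"),
    "pki-sslserver": ("NSSDB", "/etc/pki/pki-tomcat/alias", "Server-Cert cert-pki-ca"),
}

# e.g. certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='...',token='NSS Certificate DB'
STORAGE_RE = re.compile(
    r"type=(?P<type>\w+),location='(?P<location>[^']*)'(?:,nickname='(?P<nickname>[^']*)')?")


def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:     # e.g. the "Number of certificates ..." header
            continue
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    for req in requests:
        m = STORAGE_RE.search(req.get("certificate", ""))
        req["type"] = m.group("type") if m else None
        req["location"] = m.group("location") if m else None
        req["nickname"] = m.group("nickname") if m else None
        exp = req.get("expires")
        req["expires_at"] = (datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %Z")
                             .replace(tzinfo=timezone.utc) if exp else None)
    return requests


def missing_expected(requests):
    """Labels from EXPECTED for which no tracking request exists."""
    found = set()
    for req in requests:
        for label, (typ, loc, nick) in EXPECTED.items():
            if (req["type"] == typ and (req["location"] or "").startswith(loc)
                    and (nick is None or req["nickname"] == nick)):
                found.add(label)
    return sorted(set(EXPECTED) - found)


def expired(requests, as_of):
    """IDs of requests whose certificate expired on or before the ISO date `as_of`."""
    cutoff = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return sorted(r["id"] for r in requests if r["expires_at"] and r["expires_at"] <= cutoff)


def not_monitoring(requests):
    """(id, status) for every request that is not quietly in MONITORING."""
    return sorted((r["id"], r.get("status", "?")) for r in requests if r.get("status") != "MONITORING")


def _entry(rid, status, certificate, subject, expires):
    """Constructed sample request in the shape certmonger prints (not captured from a real server)."""
    return (f"Request ID '{rid}':\n\tstatus: {status}\n\tstuck: no\n\tcertificate: {certificate}\n"
            f"\tCA: IPA\n\tsubject: {subject}\n\texpires: {expires}\n\ttrack: yes\n\tauto-renew: yes\n")


PKI = "type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='{}',token='NSS Certificate DB'"
SAMPLE = "Number of certificates and requests being tracked: 7.\n" + "".join([
    _entry("20240101000001", "MONITORING", PKI.format("caSigningCert cert-pki-ca"), "CN=Certificate Authority,O=EXAMPLE.TEST", "2044-01-01 00:00:00 UTC"),
    _entry("20240101000002", "MONITORING", PKI.format("ocspSigningCert cert-pki-ca"), "CN=OCSP Subsystem,O=EXAMPLE.TEST", "2026-01-01 00:00:00 UTC"),
    _entry("20240101000003", "MONITORING", PKI.format("auditSigningCert cert-pki-ca"), "CN=CA Audit,O=EXAMPLE.TEST", "2026-01-01 00:00:00 UTC"),
    _entry("20240101000004", "CA_UNREACHABLE", PKI.format("subsystemCert cert-pki-ca"), "CN=CA Subsystem,O=EXAMPLE.TEST", "2024-01-15 00:00:00 UTC"),
    _entry("20240101000005", "MONITORING", PKI.format("Server-Cert cert-pki-ca"), "CN=ipa.example.test,O=EXAMPLE.TEST", "2026-01-01 00:00:00 UTC"),
    _entry("20240101000006", "MONITORING", "type=FILE,location='/var/lib/ipa/ra-agent.pem'", "CN=IPA RA,O=EXAMPLE.TEST", "2026-01-01 00:00:00 UTC"),
    _entry("20240101000007", "MONITORING", "type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'", "CN=ipa.example.test,O=EXAMPLE.TEST", "2026-01-01 00:00:00 UTC"),
])

if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    print("tracked:", len(reqs), "missing:", missing_expected(reqs))
    print("expired:", expired(reqs, "2024-06-01"), "not monitoring:", not_monitoring(reqs))
```

On a real server, feed it the actual output (getcert list | python3 this_script.py with a small read from stdin) and adjust EXPECTED to the deployment: a server without the CA role tracks no pki-* entries, and HTTP/LDAP certs signed by an external CA are normally not tracked at all, which is exactly the situation the reply above describes.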

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-28 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Feb 23, 2024 at 2:49 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > You are right, sorry for the confusion. I have performed a new > `ipa-replica-install` and you can find the logs for the master and replica > in these links: > >

[Freeipa-users] Re: FreeIPA - access restriction

2024-02-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Feb 26, 2024 at 5:03 PM Zdravko Nikolaev via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everyone, > > I've looked up old threads and tried to find some applicable solution but > I'm kind of stuck so any advice would be appreciated. > > I'm trying to deploy a

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Feb 23, 2024 at 12:38 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Florence, > > From what I can see it is setup correctly on both the master(s) and > replica. > I now understand the confusion: the logs provided in master ds389

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Markus, On Mon, Feb 19, 2024 at 9:07 AM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Florence, > > Thanks for looking into this I appreciate it very much! > > > ``` > master# ldapsearch -xLLL -o ldif-wrap=no -D "cn=directory manager" -W -s >

[Freeipa-users] Re: Error during enrolling

2024-02-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 22, 2024 at 10:42 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > probably it's because of a higher encryption level in CentOS. How to make it > lower? > Can you try with (on the client): update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY reboot

[Freeipa-users] Re: Error during enrolling

2024-02-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, what is the version of your server? I am asking because of the log: 2024-02-20T09:59:52Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'ipa.dom.loc', '-b', 'dc=dom,dc=loc', '-h', 'centos9.dom.loc', '-k', '/etc/krb5.keytab'] 2024-02-20T09:59:53Z DEBUG Process finished, return code=0

[Freeipa-users] Re: Error during enrolling

2024-02-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, The logs show you're using a non-admin user for enrollment and you are probably hitting issue https://pagure.io/freeipa/issue/9496 It was fixed on multiple branches but not shipped in any official release yet. The pagure ticket provides a workaround, or you can enroll using the admin user.

[Freeipa-users] Re: ipa-replica-install fails during initial replication

2024-02-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 15, 2024 at 3:50 PM Markus Rexhepi-Lindberg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > The replication step fails while installing a new ipa replica server. > > Some facts: > > * Both servers running version 4.9.12. > * Both servers running RHEL 8.9 > *

[Freeipa-users] Re: idrange problem

2024-02-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Still not working. I do not have any trust set up with any active > directory currently, we have an AD running on the network but that and my > ipa domain don't trust each other in

[Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working

2024-01-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Thanks to Paul for all the leg work on this issue. Based on that, I can > confirm that we have the same problem after updating to 4.9.12-11 from > 4.9.11-7. Running the oddjob

[Freeipa-users] Re: SSSD LDAP provider fails to fetch nested groups (groups member of groups)

2024-01-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm experiencing problems on my RHEL 9 instance when looking up members of > group using getent group . I can only get users which have > direct access to a group, and not the "user

[Freeipa-users] Re: FreeIPA web session timeout

2024-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you use the format without a space, kinit_lifetime = 5minutes, then it should work. Probably there was some change in one of the libraries parsing the duration string and it no longer accepts the space between the value and the unit. flo On Wed, Jan 10, 2024 at 3:18 AM Ales Rozmarin

[Freeipa-users] Re: Certificate Revoking error in FreeIPA domain

2023-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Dec 12, 2023 at 12:21 PM Albert Stoune via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence! > > Thanks for the answer > > Yes, I have checked all the steps to reproduce the problem with > ipa-server-4.11.0-3.el9.x86_64. Everything is working well,

[Freeipa-users] Re: Certificate Revoking error in FreeIPA domain

2023-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, ipa-server-4.11.0-1.el9.x86_64 is not the latest version, and has a known issue with cert revocation: RHEL-14842 / https://pagure.io/freeipa/issue/9345 The fix is available in ipa-server-4.11.0-2.el9.x86_64. flo On Mon, Dec 11, 2023 at 2:43 PM

[Freeipa-users] Re: Trust with POSIX-enabled AD

2023-12-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Stefan, On Thu, Dec 7, 2023 at 8:00 AM Stefan Palm via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello everyone. > > It looks like I have a problem understanding the way AD trusts work. > Maybe someone here can enlighten me. > > In our AD we have "normal" users and groups

[Freeipa-users] Re: Implementation with AD trust/ssh key - questions

2023-12-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Dec 1, 2023 at 4:22 PM slek kus via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, have some questions regarding implementing FreeIPA. To start, I am new > to FreeIPA, read up on its features > and started using it in a test setup. The goal is to have sshkey >

[Freeipa-users] Re: I need help with Replica installation.

2023-10-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 25, 2023 at 12:31 PM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, I have a free ipa server with dns and ca integrated that is > currently running. Now I want to set up a replica server but I can't figure > out some parts. It gives an error

[Freeipa-users] Re: Free ipa takes a lot of time to add a user to a group from the web interface.

2023-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 24, 2023 at 11:45 AM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, when I add a user to a group via free ipa, when I add a user to a > group, the user's addition to the group appears to be added in the web > interface. but it does not

[Freeipa-users] Re: When I create a user from the free ipa web interface, nfs autofs does not create my user directory.

2023-10-24 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 24, 2023 at 10:53 AM Alper AYKUT via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > When I create a user with free ipa using ipa tools, I can automount my > home directory on my nfs server without any problem. > > However, when I want to create a user from the

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Oct 18, 2023 at 4:11 PM Frederic Ayrault wrote: > Hello, > > On 18/10/2023 at 15:33, Florence Blanc-Renaud wrote: > > Hi, > > > CNRS2 and CNRS2-Standard are part of the CA chain that issued your HTTP > and LDAP server certificates, they should not be removed. > When you install

[Freeipa-users] Re: backup / restore

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 5:47 PM Frederic Ayrault wrote: > > On 17/10/2023 at 17:23, Rob Crittenden wrote: > > So if I've followed this thread correctly, what you're doing is: > > - Taking replica ipa3? and forcibly disconnecting it from an existing > > IPA installation > > This is just

[Freeipa-users] Re: Current best practice: Backup/Restore?

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, this guide explains the possible strategies for disaster recovery: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/preparing_for_disaster_recovery_with_identity_management/index And that one how to recover:

[Freeipa-users] Re: Extract user's private key from IdM

2023-10-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 17, 2023 at 8:20 PM HUANG, TONY via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > The CSR is generated within the web UI by following this section "Web UI: > Requesting new certificates" ( >

[Freeipa-users] Re: backup / restore

2023-10-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 6:24 PM Frederic Ayrault wrote: > > On 12/10/2023 at 17:42, Florence Blanc-Renaud wrote: > > Hi, > > The CA installation fails because it finds an existing entry in "cn= > LIX.POLYTECHNIQUE.FR IPA > CA,cn=certificates,cn=ipa,cn=etc,dc=lix,dc=polytechnique,dc=fr".

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 3:44 PM Frederic Ayrault wrote: > Just in case, here are the logs after going into the authentication menu in > the GUI > (I get IPA Error 903: InternalError) when trying to get certificate > information > > in the server roles, CA server is now configured > >

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 11:41 AM Frederic Ayrault wrote: > > On 12/10/2023 at 10:59, Florence Blanc-Renaud wrote: > > Hi, > > > > > > > > If I recap everything so far: > > - there is a single server, ipa3.lix.polytechnique.fr > > It was part of a cluster but it is removed for the tests >

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > > So far it doesn't look like there was an IPA embedded CA signed by the > external intermediate

[Freeipa-users] Re: backup / restore

2023-10-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Oct 10, 2023 at 9:26 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello Florence, > > On 10/10/2023 at 09:01, Florence Blanc-Renaud wrote: > > The error is an LDAP error when adding an entry/attribute for the CA. Can > you check in

[Freeipa-users] Re: backup / restore

2023-10-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 5:30 PM Frederic Ayrault wrote: > > On 09/10/2023 at 16:47, Florence Blanc-Renaud wrote: > > Is this your external CA? I assume that its subject conflicts with the > default subject name that IPA installer would pick. If that's the case, you > can force

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 10:22 AM Frederic Ayrault wrote: > Hello, > > On 09/10/2023 at 09:42, Florence Blanc-Renaud wrote: > > Hi, > > On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > >> Hello, >> >> When I run the

[Freeipa-users] Re: backup / restore

2023-10-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Oct 9, 2023 at 9:19 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > > When I run the command, I get this message > > CA is not configured on this system > The ipa-cacert-manage command failed. > > > "replace our external CA to an

[Freeipa-users] Re: Error during ipa-replica-install on RHEL 9

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Sep 27, 2023 at 10:26 AM Alexander Bokovoy via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, 27 Sep 2023, Michal Konecny via FreeIPA-users wrote: > >Hi everyone, > > > >I'm currently trying to update Fedora IPA installation on staging from > >RHEL 8 to RHEL

[Freeipa-users] Re: Disabling Anonymous Binds - Hangs on Request - No Return to Prompt

2023-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Sep 27, 2023 at 2:10 AM Marcelo Carvalho via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi everyone > > I am trying on a development host to disable anonymous binds. > > I have run the following command but it hangs and does not return a prompt. > > $ ldapmodify

[Freeipa-users] Re: Recovering from certificate expiration issues

2023-09-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Sep 22, 2023 at 12:36 PM Cristian Le wrote: > Hi Florence, > > Thanks for the feedback, let me clarify the situation on the certificates: > - External CA is still valid and it is a self-signed certificate that we > use for other services. So we can manually sign any service

[Freeipa-users] Re: Recovering from certificate expiration issues

2023-09-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Sep 21, 2023 at 5:04 PM Cristian Le via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I have tried my luck around with all the helpers: `pki-server cert-fix`, > `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me > for multiple reasons. > -

[Freeipa-users] Re: Another Cert Expiration Problem

2023-09-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Sep 15, 2023 at 7:43 PM Russ Long via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I have a single-server IPA environment in my homelab. I noticed today > that I was unable to delete a host from IPA, and found that pki-tomcatd was > down and unable to start. > > I

[Freeipa-users] Re: Certs expired, CA Unreachable

2023-09-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, it seems that PKI is not happy with the subject name of the certificates. The failing certs are for KDC, dirsrv and httpd and they all use the same subject name constraint in their profile. 1. Was any certificate profile modified (caIPAserviceCert or KDCs_PKINIT_Certs)? You can use ipa

[Freeipa-users] Re: Unable to compile class for JSP during CA installation

2023-09-11 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you share the logs from /var/log/pki/pki-ca-spawn.$DATE.log and the full ipa-ca-install.log? flo On Mon, Sep 4, 2023 at 5:52 PM Konstantin Sapozhnikov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello! We can't install IPA Replica on Oracle Linux Server 8.8. >

[Freeipa-users] Re: Replace external CA and certificates to self-signed ones.

2023-08-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Aug 7, 2023 at 4:17 AM luckydog xf via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I installed a new IPA with self-signed CA and certificates. I didn't find > anything related to NSSDB under /etc/http/alias > > FreeIPA uses NSS for httpd up to version 4.6 (the server

[Freeipa-users] Re: Rocky 8: how to set security-policy to FUTURE without losing FreeIPA?

2023-08-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Aug 1, 2023 at 7:50 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > our security scanner complains about weak ciphers in Rocky 8 > (httpd and ssh). security policy is set to "DEFAULT". If I set > it to "FUTURE", then httpd is not

[Freeipa-users] Re: Exporting certificates with keys associated in FreeIPA

2023-07-26 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you used the WebUI to generate a cert, you had to type a few commands in a terminal, like: certutil -N -d certutil -R -d -a -g -s 'CN=employee,O= DEMO1.FREEIPA.ORG' This means that you generated a key in the NSS database. When you used the WebUI to issue the cert, the new cert was

[Freeipa-users] Re: bad list of CAs on FreeIPA client?

2023-07-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, Jul 18, 2023 at 7:33 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > getcert list-cas returns on some FreeIPA clients > > root@nasl006a:~# getcert list-cas > CA 'SelfSign': > is-default: no >

[Freeipa-users] Re: pki-tomcatd service stopped

2023-07-07 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, we need more details in order to help you. Do you have a single IPA server or multiple servers? Which one is the CA renewal master? flo On Fri, Jul 7, 2023 at 10:02 AM Polavarapu Manideep Sai via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Team, > > > > As we checked

[Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP or LDAP

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Jul 7, 2023 at 7:00 AM Polavarapu Manideep Sai via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi Rob, > > As mentioned in my previous response, here is the error upon executing > ipa-cacert-manage install > Please let me know if any other details required on this

[Freeipa-users] Re: migrating CA renewal server to RHEL 8 (using an external root CA)

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jul 6, 2023 at 9:55 AM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > >

[Freeipa-users] Re: PKINIT questions

2023-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Sat, Jul 1, 2023 at 3:48 AM alexey safonov wrote: > Got it. thanks. Would it be possible to use for KDS self-signed > certificate, while for dirsrv/http normal certificate signed by public > CA? > > It is possible to have different certificates for dirsrv/httpd/kdc, and even different

[Freeipa-users] Re: certmonger certificate renewal stuck in SUBMITTING loop

2023-06-29 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, Jun 28, 2023 at 4:45 PM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Jernej Jakob via FreeIPA-users wrote: > > I've been trying to debug this for the last couple of days. I can't > > find what's wrong. I found that another client whose cert also

[Freeipa-users] Re: ipa-pkinit-manage failure

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jun 22, 2023 at 5:27 PM Алексей Иванов via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings, > > I'm trying to configure my replica IPA servers to support PKINIT. > > [root@office-ipa-1 ~]# ipa-pkinit-manage enable > Configuring Kerberos KDC (krb5kdc) >

[Freeipa-users] Re: 'ipa-ca-install' conncheck failure on freeIPA

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, another user recently had the same issue, see https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VCARE7OOXWBEB5UXF75AQVFQXNOA43XM/#VFPHENT3PPWTY6W5L42FKQJFQ5GBWKOR We are not sure how the situation got solved, but he cleaned the security domain from

[Freeipa-users] Re: pki-tomcat fails to start after upgrade

2023-06-27 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, Jun 26, 2023 at 4:36 PM Tania Hagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi FreeIPA, > > I am currently using FreeIPA version 4.9.10 with 6 IPA replicas. I went > to upgrade the server to 4.9.11 but the ipa-server-upgrade failed where it > attempted to

[Freeipa-users] Re: how to set the RIDs during migration to Rocky 8?

2023-06-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, Jun 23, 2023 at 2:12 PM Harald Dunkel via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi folks, > > I am trying to migrate FreeIPA from CentOS7 to Rocky 8. No AD trust > relationship involved by now. Problem: ipa-replica-install on the > first Rocky 8 host to join

[Freeipa-users] Re: Removing dead servers with tombstone entries

2023-06-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Jun 22, 2023 at 3:18 PM Joe Rhodes via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > > On Jun 21, 2023, at 18:07, Rob Crittenden wrote: > > Joe Rhodes via FreeIPA-users wrote: > > Hello all! > > I have a CentOS 7 based FreeIPA system that I’m migrating to Rocky 9.

[Freeipa-users] Re: FreeIPA PKI Certs wont renew "Adjustment limit exceeded"

2023-06-20 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more information on your deployment? Do you have a single IPA server that is providing the CA service or many servers? In the latter case, which one is the CA renewal master? Are there other expired certificates? # kinit admin # ipa config-show # getcert list flo On Mon,

[Freeipa-users] Re: PKINIT questions

2023-06-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Sun, Jun 18, 2023 at 3:47 AM alexey safonov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I'm just surprised then, how do other replicas have PKINIT? > in your first email you mentioned that the topology used to have a CA. If a replica was installed at that time then

[Freeipa-users] Re: repl conflict which is not there - ?

2023-05-30 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 26, 2023 at 10:26 PM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi guys. > > for what 'ipa-healthcheck' complains of: > > { > "source": "ipahealthcheck.ds.replication", > "check": "ReplicationCheck", > "result": "WARNING", >

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-26 Thread Florence Blanc-Renaud via FreeIPA-users
name='cn', error=_("must be \"%s\"") % api.env.host) > > and we can see that in fact ipa008.ad.companyx.fm != ipa011.ad.companyx.fm > > So, that's about as far as i have gotten so far. > > Do we think the keys swapped around for some rea

[Freeipa-users] Re: Problem with replica installation 4.10.1

2023-05-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, replica installation failures are often related to either a wrong DNS configuration or firewall preventing the communication. Did you run ipa-replica-installation with or without the option --skip-conncheck? Without the option you may have some hints if the issue is related to the firewall.

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-25 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 24, 2023 at 3:29 PM Nicholas Cross wrote: > Hi Flo (and other helpful people on this list), > > After fixing the SID/PAC issue, i am back to looking as to why the > ipa-replica-conncheck fails when installing the CA to a (working) replica. > > I ran your suggested commands and

[Freeipa-users] Re: ACME service is disabled

2023-05-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 23, 2023 at 1:40 PM Georgy Safronov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello! On one of our ipa masters (alma9.2, ipa 4.10.1, CA renewal master) > we have some problems with pki-tomcat, on neighbour master (alma9.2, ipa > 4.10.1, ca role) there

[Freeipa-users] Re: Can't add CA to replica - invalid 'cn': must be

2023-05-23 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, the replica-conncheck error means that a call to server_conncheck reached the wrong server. ipa-replica-conncheck performs multiple checks: - first from the replica to the existing master (here we seem to be good) - then from the existing master to the replica, by doing a call to the XMLRPC

[Freeipa-users] Re: IPA filters not working

2023-05-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, May 15, 2023 at 10:34 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > [root @ ldap01] ~ > $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com > --service ssh > The issue looks like a simple typo. Here the test is using *ssh*

[Freeipa-users] Re: IPA filters not working

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:37 PM Omar Pagan via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hello, > I have setup a bastion host with an IPA client in order to control access > to the bastion host by groups. I have users in different groups, but I > just got word that

[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 1:43 PM Finn Fysj via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hi, > > > > if you want to install a RHEL8 or RHEL9 server with the same domain name, > > the recommended procedure would be to install a RHEL8 replica from your > > RHEL7 server,

[Freeipa-users] Re: IDView problem

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer wrote: > On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote: > > Hi, > > > > can you provide more details? Did you use the "Default Trust View" > > idview or did you create another o

[Freeipa-users] Re: IDView problem

2023-05-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you provide more details? Did you use the "Default Trust View" idview or did you create another one? Which attributes did you override for your AD user? flo On Thu, May 11, 2023 at 11:02 AM Ronald Wimmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I tried to

[Freeipa-users] Re: Yum-based upgrade causes group lookup failures.

2023-05-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, thanks for confirming, and glad you got it working! flo On Wed, May 10, 2023 at 4:46 PM Jeff Goddard wrote: > Flo, > > I must have made multiple edits before posting last about still > seeing issues. Having parsed the rundeck config file again, and setting the > appropriate values as

[Freeipa-users] Re: Free-IPA to RHEL IPA: ipa-crlgen-manage not present, manual options

2023-05-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Wed, May 10, 2023 at 12:03 AM John Burns via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings! > > Can the actions within the two commands below can be done manually > (outside the RPM)? > > ipa-crlgen-manage status > ipa-crlgen-manage disable > You can refer to

[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you want to install a RHEL8 or RHEL9 server with the same domain name, the recommended procedure would be to install a RHEL8 replica from your RHEL7 server, then a RHEL9 replica from your RHEL8 server. You can check this documentation: - Migrating your IdM environment from RHEL 7

[Freeipa-users] Re: Yum-based upgrade causes group lookup failures.

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, if you are comfortable with 389-ds access log, you can check which search rundeck is performing and try to reproduce manually. I would start with the working one: in /var/log/dirsrv/slapd-MY-DOMAIN-DOM/access, look for a line showing the operations done with the working user

[Freeipa-users] Re: SSL errors ... again

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 9, 2023 at 1:24 PM Justin Sanderson via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > > Hey Flo - thanks so much for your willingness to help. > > > My setup is just a single VM server. I will give it a try tonight once > everyone has gone home for the day. > >

[Freeipa-users] Re: SSL errors ... again

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Justin, The ra-agent.pem is the same certificate on all servers/replicas. When everything works properly, it gets renewed on the renewal master, then it is uploaded in LDAP and the other replicas can download it from LDAP. Do you have multiple servers? If yes and if the ra-agent.pem has been

[Freeipa-users] Re: What's the proper way of creating HBAC/SUDO rules in a Primary/replica setup

2023-05-02 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Tue, May 2, 2023 at 1:06 PM J N via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Hi, > > I'm new to ansible and FreeIPA project, and I'm currently trying to setup > HBAC and SUDO rules to my primary server and the replicas. > Is the practice to only apply rules to the
