[Freeipa-users] Re: Recommended resolv.conf / hosts file

2024-05-29 Thread Rob Crittenden via FreeIPA-users
David Harvey via FreeIPA-users wrote: > Hi FreeIPA users, > > I nested this under a related topic before (subject: Replica > re-initialization failing Replication bind with GSSAPI auth failed: LDAP > error 49 (Invalid credentials) () ) but it was admittedly a bit off topic... > > Is configuring

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-29 Thread Rob Crittenden via FreeIPA-users
Since it starts directly as root perhaps check for SELinux AVCs? Maybe a relabel would help (or try permissive to catch the full set). rob Natxo Asenjo wrote: > hi, > > yes, there was something wrong with another file :-): > > # grep -r "11.5.0" /etc/pki/

[Freeipa-users] Re: FreeIPA - Need help with Expired Certificate

2024-05-28 Thread Rob Crittenden via FreeIPA-users
azeem via FreeIPA-users wrote: > Hi Rob, > > I restarted the IPA services. After that, when I run 'ipa config-show', I am > getting the following error. > > ipa config-show > ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor > code may > provide more information',

[Freeipa-users] Re: FreeIPA - Need help with Expired Certificate

2024-05-28 Thread Rob Crittenden via FreeIPA-users
azeem via FreeIPA-users wrote: > Hi Rob, > > Apologies for the late response. I have set the server time back to > 2023-06-23 and when I am running the command - ipa config-show , I am > getting :- > > ipa config-show > ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure.

[Freeipa-users] Re: pki-tomcatd service stopped

2024-05-28 Thread Rob Crittenden via FreeIPA-users
Natxo Asenjo via FreeIPA-users wrote: > hi, > > no, it's without quotes but the rolledback version: > > Configuration-Version: 11.4.2 > > I tried modifying it to 11.5.0 and ipactl restart, but it does not help > (reset it to the proper value 11.4.2 now) Did the error change when you switched

[Freeipa-users] Re: How to use ipa-dsu

2024-05-28 Thread Rob Crittenden via FreeIPA-users
Duarte Petiz via FreeIPA-users wrote: > Hello all > There are some news about this topic? > Best regards No, this is not currently being worked on. rob > > On Wed, Aug 30, 2023 at 11:04 AM Duarte Petiz > mailto:duarte.pe...@jscrambler.com>> wrote: > > Ohhh yes I didn't see that! >

[Freeipa-users] Re: pki-tomcatd failing to start

2024-05-23 Thread Rob Crittenden via FreeIPA-users
girish f via FreeIPA-users wrote: > Hi Rob, > > As this is with customer, and I have very restricted access, can you convey > your most available time as per your time zone, so that within that timeframe > I can reply to you more quickly. I'm not the only one around here. That the CA works in

[Freeipa-users] Re: pki-tomcatd failing to start

2024-05-22 Thread Rob Crittenden via FreeIPA-users
girish f via FreeIPA-users wrote: > I cannot identify which certificate is expired exactly which is stopping > pki-tomcatd to start You need to provide information on what is going on. getcert list will show the list of certificates that certmonger is tracking including the expiration date.
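Several threads on this page (the expired-certificate, CA_UNREACHABLE and pki-tomcatd ones) come down to the same first step Rob asks for here: read `getcert list` and find out which tracked certificate has expired or is stuck. The following is an added example, not code from certmonger, FreeIPA or anyone in the thread. It parses the `Request ID ... / status: / subject: / expires:` block format that `getcert list` prints and classifies each request; the sample output embedded below is constructed (hostnames, request IDs and dates are made up), and `--live` runs the real `getcert list` on an IPA server.

```python
"""Triage `getcert list` output for expired or about-to-expire certificates."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `getcert list` prints; hosts, IDs and dates are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20230601100001':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Unable to communicate with CMS (503)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2024-03-08 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20230601100002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2024-06-10 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20230601100003':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2026-01-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")


def parse_getcert_list(text: str) -> list:
    """Split `getcert list` output into one dict per tracked request (field name -> value)."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or something that is not a "key: value" field
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return records


def parse_expiry(value: str) -> datetime:
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    stamp, _, zone = value.rpartition(" ")
    if zone != "UTC":
        raise ValueError(f"unexpected time zone in expiry: {value!r}")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def report_expiry(records: list, now: datetime, warn_days: int = 30) -> list:
    """Return (request_id, verdict, status, subject) per request.

    Verdicts: EXPIRED, EXPIRING (within warn_days), NOT_MONITORING (certificate still
    valid but certmonger is not in its steady MONITORING state, e.g. CA_UNREACHABLE),
    NO_CERT (nothing issued yet) or OK.
    """
    out = []
    for rec in records:
        rid, status = rec["request_id"], rec.get("status", "?")
        subject = rec.get("subject", "?")
        if "expires" not in rec:
            out.append((rid, "NO_CERT", status, subject))
            continue
        expires = parse_expiry(rec["expires"])
        if expires <= now:
            verdict = "EXPIRED"
        elif expires <= now + timedelta(days=warn_days):
            verdict = "EXPIRING"
        elif status != "MONITORING":
            verdict = "NOT_MONITORING"
        else:
            verdict = "OK"
        out.append((rid, verdict, status, subject))
    return out


def live_getcert_list() -> str:
    """Run the real `getcert list` (needs root on the IPA server)."""
    return subprocess.run(["getcert", "list"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    text = live_getcert_list() if "--live" in sys.argv else SAMPLE_GETCERT_OUTPUT
    for rid, verdict, status, subject in report_expiry(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(f"{verdict:15} {status:15} {rid}  {subject}")
```

An EXPIRED verdict on a CA subsystem certificate (subject like `CN=CA Subsystem`) means the Dogtag side is the thing to fix first; an EXPIRED or NOT_MONITORING verdict on a service certificate whose CA is `IPA` usually points at the CA itself being unreachable, which is what the CA_UNREACHABLE status in the constructed sample shows.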

[Freeipa-users] Re: update clients dns records

2024-05-22 Thread Rob Crittenden via FreeIPA-users
Dmitry Krasov via FreeIPA-users wrote: > Hi Florence. > As far as I understand, it's all because the keytab file become bad in some > time. > > 1. Why it's so? > 2. I know how to fix file manually, but how can I check it in script "if file > become bad"? What makes you think the keytab is bad?

[Freeipa-users] Re: update clients dns records

2024-05-20 Thread Rob Crittenden via FreeIPA-users
Dmitry Krasov via FreeIPA-users wrote: > Hello. > How can I update clients dns records automatically, without setup of DHCP > server? That question doesn't have a lot to go on but I guess I'd recommend starting with the ipa-client-install(1) man page and the --enable-dns-updates option. This

[Freeipa-users] Re: Questions about replica

2024-05-20 Thread Rob Crittenden via FreeIPA-users
Dmitry Krasov via FreeIPA-users wrote: > If I will change line in sssd.conf file to "ipa_server = ipa_server = _srv_, > ipa.dom.loc" on existent enrolled clients. Will they work fine with failover? You duplicated ipa_server = but otherwise yes. You can have the _srv_ last if you want to point

[Freeipa-users] Re: FreeIPA on CentOS CA_UNREACHABLE Error - kerberos

2024-05-20 Thread Rob Crittenden via FreeIPA-users
girish f via FreeIPA-users wrote: > We have one new customer, they have setup of one single node of IPA on CentOS. > > Their certificate is expired, and everything went down. > > When we are trying to bring services up. > > pki_tomcatd is not starting, another thing is > > When we run command >

[Freeipa-users] Re: ipa-ca-install failed

2024-05-17 Thread Rob Crittenden via FreeIPA-users
Satish Patel wrote: > This is crazy.. why freeIPA is so difficult to debug. > > I can't attach a replica without thousand errors + errors don't make > sense also. Your originating system may still have a lot of problems with it. They don't go away when you create a replica. You almost never

[Freeipa-users] Re: ipa-ca-install failed

2024-05-16 Thread Rob Crittenden via FreeIPA-users
Satish Patel via FreeIPA-users wrote: > Folks, > > Trying to deploy CA on a replica node and failed here without any > information. Can I restart the process again? Even log directories are > empty /var/log/pki/pki-tomcat > > My OS is RockyLinux 8.9 and Master CA running on CentOS7.x > >

[Freeipa-users] Re: FreeIPA - Need help with Expired Certificate

2024-05-15 Thread Rob Crittenden via FreeIPA-users
azeem via FreeIPA-users wrote: > Hi Rob, > > Thanks for your reply. FreeIPA, version: 4.2.0 - Centos 7 > And yes, you are right. Here's the list of all the certificates :- > > > getcert list > Number of certificates and requests being tracked: 8. > Request ID '20160825909273': > status:

[Freeipa-users] Re: FreeIPA - Need help with Expired Certificate

2024-05-15 Thread Rob Crittenden via FreeIPA-users
azeem via FreeIPA-users wrote: > Hello! > > I have inherited a FreeIPA server, and upon checking the certificate list > with getcert list, it shows that the certificate is already expired. Does > anyone know how to renew it? And because of this issue, I am not able to enroll > any clients. Any

[Freeipa-users] Re: Questions about replica

2024-05-15 Thread Rob Crittenden via FreeIPA-users
Dmitry Krasov via FreeIPA-users wrote: > My enroll command: > > sudo ipa-client-install --fixed-primary --enable-dns-updates --server > ipa.dom.loc --domain dom.loc --mkhomedir --force-join -p admin -w password -U > client sssd.conf: > > [domain/dom.loc] > > id_provider = ipa > >

[Freeipa-users] Re: `ipactl restart` fails with `Unknown error when retrieving list of services from LDAP: not enough values to unpack (expected 2, got 1)`

2024-05-13 Thread Rob Crittenden via FreeIPA-users
Andrea Stacchiotti via FreeIPA-users wrote: > Thank you for your answer. > > There is no record in the /var/log/dirsrv/slapd-REALM/access logfile at the > time of `ipactl start`, which means it didn't even get to the query. > > To get kinit and ldapsearch to work I had to reinstall ipa, when I

[Freeipa-users] Re: [error] RuntimeError: Too many ID ranges

2024-05-13 Thread Rob Crittenden via FreeIPA-users
Satish Patel wrote: > Hi Rob, > > Thank you for helping me out with this. Little confused here so let me > ask you. you are saying I don't have "ipabaserid:" attribute set on two > ranges and that is what I need to set, correct? Yes. > Curious why this is > happening now and not before? I am

[Freeipa-users] Re: [error] RuntimeError: Too many ID ranges

2024-05-10 Thread Rob Crittenden via FreeIPA-users
Satish Patel wrote: > Hi Rob, > > You are saying I have "3 ranges matched" but technically we only need "1 > range". Sorry I am a little new to freeIPA terms and not sure about what > to do to fix this issue? You have two ranges without a RID base. You need to set one for at least

[Freeipa-users] Re: SSSD OCSP verification failed

2024-05-10 Thread Rob Crittenden via FreeIPA-users
Cross posting this to sssd-users. rob Alvarez, Angelo CIV USN JOINT TYPHOON WARCEN (USA) via FreeIPA-users wrote: > Aloha. We are trying to get OCSP verification working with RHEL 8 SSSD. > The OCSP responder CA is not in the trust chain of the CA that issued > the smart card certificates. I

[Freeipa-users] Re: [error] RuntimeError: Too many ID ranges

2024-05-10 Thread Rob Crittenden via FreeIPA-users
Satish Patel via FreeIPA-users wrote: > Folks, > > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on > CentOS7 and trying to add replica of RockyLinux 8.3 > > I am stuck here and not sure what it's actually trying to say and how to > fix it? > > [1/4]: Generating

[Freeipa-users] Re: role_del arguments

2024-05-09 Thread Rob Crittenden via FreeIPA-users
Mauricio Tavares via FreeIPA-users wrote: > https://freeipa.readthedocs.io/en/latest/api/role_del.html only lists > the cn as argument. Shouldn't it also contain the name of the role we > want to go away? The cn is the name of the role. dn: cn=User

[Freeipa-users] Re: `ipactl restart` fails with `Unknown error when retrieving list of services from LDAP: not enough values to unpack (expected 2, got 1)`

2024-05-08 Thread Rob Crittenden via FreeIPA-users
Andrea Stacchiotti via FreeIPA-users wrote: > Hello everyone, > freshly installed ipa server on Oracle Linux 9, via the ansible role at > https://github.com/freeipa/ansible-freeipa/blob/master/roles/ipaserver/README.md > > The installation goes apparently well, but if I try restarting the

[Freeipa-users] Re: high ns-slapd cpu usage after upgrade

2024-05-03 Thread Rob Crittenden via FreeIPA-users
risto hartikainen via FreeIPA-users wrote: > Hello people > > Could I have advice how to debug why slapd on ipa server is constantly using > 15-30% cpu.. this behaviour started on ca master after successful migration > from rhel7 to latest rhel 8.9. > > There were no problems during migration,

[Freeipa-users] Re: Kerberos/IdM and NFS ACLs

2024-05-03 Thread Rob Crittenden via FreeIPA-users
Bo Lind via FreeIPA-users wrote: > Hi > > I'm trying very hard to find resources for how to set up ACLs on NFS with IdM > provided identities. > > Things work fine with local users and groups, but the translation service > (idmapd?) is causing me trouble. > > For reference, I'm running Rocky

[Freeipa-users] Re: Replica re-initialization failing Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()

2024-05-02 Thread Rob Crittenden via FreeIPA-users
Tania Hagan via FreeIPA-users wrote: > Further troubleshooting. > > If I run: > kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-unhealthly.ipa.server before the > re-initialise it complete successfully and a klist shows Default principal: > ldap/unhealthly.ipa.server > > After the LDAP error shows

[Freeipa-users] Re: Howto: Migrate DNS/DNSSec off freeipa

2024-04-30 Thread Rob Crittenden via FreeIPA-users
Harry G Coin via FreeIPA-users wrote: > If you've decided freeipa's DNS and/or DNSsec isn't part of your future, > here's a way to migrate to another solution without disrupting the rest > of freeipa's capabilities. I couldn't find any documentation about how > to do this in an automated way,

[Freeipa-users] Re: unable to convert attribute 'cacertificate:binary'

2024-04-30 Thread Rob Crittenden via FreeIPA-users
I used the cert you provided us out-of-band and was able to load it in Fedora rawhide with cryptography-42.0.5, same (I think) as tumbleweed unless tumbleweed includes some additional change. Let's try excluding LDAP from the picture. Can you copy /etc/ipa/ca.crt from a working install to

[Freeipa-users] Re: Reenrolling IPA client in split-brain environment

2024-04-30 Thread Rob Crittenden via FreeIPA-users
William Faulk via FreeIPA-users wrote: > Sorry; I should have been more explicit in my initial post. I'm basically > only concerned with authentication on the client server and minimizing any > outage related to that. The system is running services, but they are > independent of IPA other than

[Freeipa-users] Re: unable to convert attribute 'cacertificate:binary'

2024-04-30 Thread Rob Crittenden via FreeIPA-users
Antoine Gatineau via FreeIPA-users wrote: > Hello, > > When enrolling a opensuse tumbleweed client, ipa-client-install fails to > get the cacertificate from ldap with error: > > 2024-04-30T11:23:16Z DEBUG Initializing principal adminprincipal using > password > 2024-04-30T11:23:16Z DEBUG

[Freeipa-users] Re: Reenrolling IPA client in split-brain environment

2024-04-29 Thread Rob Crittenden via FreeIPA-users
William Faulk via FreeIPA-users wrote: > I have an IdM environment where one of the replicas stopped replicating out. > A number of clients were enrolled into this replica. They are currently > working fine, since they're basically only ever talking to that replica. But > I need to fix that

[Freeipa-users] Re: Fedora 40: new warning in ipa-healthcheck

2024-04-26 Thread Rob Crittenden via FreeIPA-users
Cross-posting this on the 389-users list. rob Jochen Kellner via FreeIPA-users wrote: > > Hi, > > I've upgraded my freeipa server to Fedora 40 (the system was installed > several releases ago). After the upgrade I get the following new warning > from ipa-healthcheck: > > { > "source":

[Freeipa-users] Re: autofs freezes system after update to F40.

2024-04-24 Thread Rob Crittenden via FreeIPA-users
Albert Szostkiewicz via FreeIPA-users wrote: > ok, figured out that autofs had nothing to do with this What was the problem? Maybe your solution will help someone else. thanks rob

[Freeipa-users] Re: sudo hbac rule refuses to work for AD users (one way trust).

2024-04-19 Thread Rob Crittenden via FreeIPA-users
slek kus via FreeIPA-users wrote: > Must have missed that, changed. Have disabled the compat module, restarted > all. Still no sudo working on clients. > It looks like sudo is not being handled by sssd (not aware of any rules), but > wouldn't know where to look for an issue. All trivial checks

[Freeipa-users] Re: sudo hbac rule refuses to work for AD users (one way trust).

2024-04-19 Thread Rob Crittenden via FreeIPA-users
slek kus via FreeIPA-users wrote: > Issue might have started after enabling compat mode to allow LDAP > authentication for AD users. > Found this: > https://microdevsys.com/wp/user-is-not-allowed-to-run-sudo-on-server-this-incident-will-be-reported/ > > Went to disable the plugin, but greeted

[Freeipa-users] Re: ipaclient-install.log certutil: Could not find cert:

2024-04-12 Thread Rob Crittenden via FreeIPA-users
C Wilson via FreeIPA-users wrote: > Hello > > I'm trying to roll out a new IPA server for our development environment and > have nicely automated the server installation process with Ansible but when > I've come to rolling out the clients I'm hitting this problem. > > When running

[Freeipa-users] Re: httpd uses 2x100% CPU

2024-04-11 Thread Rob Crittenden via FreeIPA-users
Bo Lind via FreeIPA-users wrote: > I just went to check on one of my replicas, and noticed that the IPA web > server seems to use a lot of CPU: > > From htop: > PID USER PRI NI VIRT RES SHR S CPU%▽MEM% TIME+ Command > 507664 ipaapi 20 0 1353M 459M 16656 S 100.8 0.2

[Freeipa-users] Re: Extra objectClass for new IPA group

2024-04-10 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote: > Hi all, > > Following documentation as provided on: > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper > > > adding an

[Freeipa-users] Re: CA Subsystem certificate

2024-04-05 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > Thanks Rob! New certs are all replicated and all IPA services are started on > all 6 servers. > I can perform 'ipa cert-show 1' on all 6 and get the expected result. > > As a sanity check I did run the ipa-healthcheck on all 6 servers. One of > them came

[Freeipa-users] Re: CA Subsystem certificate

2024-04-05 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > The problem was definitely the ra-agent.pem. I generated a new one and > imported it to ~/.dogtag/nssdb, LDAP and placed the pem and key in > /var/lib/ipa/ > > Now I can verify the certificate with the openssl verify command. > Additionally the error in

[Freeipa-users] Re: Possible to split a topology to 2 topologies?

2024-04-05 Thread Rob Crittenden via FreeIPA-users
Heo Paul via FreeIPA-users wrote: > Hi. I installed ipa-core servers in a topology and the version of those are > 4.9.3. > > A topology : 1 <--> 2 <--> 3 <--> 4 <--> 5 <--> 6 > > And I'd like to disconnect agreements between 3 and 4 replicas, I expect that > there should be 2 separate

[Freeipa-users] Re: CA Subsystem certificate

2024-04-04 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > Rob, > > I installed the ipa-healthcheck that you got to work on CentOS 7, and run it. > Got a couple of errors regarding the RA Agent cert: > > [ > { > "source": "ipahealthcheck.ipa.certs", > "kw": { > "msg": "Certificate validation for

[Freeipa-users] Re: CA Subsystem certificate

2024-04-03 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > In the apache error log I found this that is generated when, in the UI, I try > to access Authentication > Certificates > Certificate Authorities. > > [Wed Apr 03 16:33:28.439180 2024] [:error] [pid 19048] ipa: INFO: > [jsonserver_session]

[Freeipa-users] Re: CA Subsystem certificate

2024-04-03 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > Spoke too soon. If I try to get a new certificate on an enrolled host I get > this > > status: CA_UNREACHABLE > ca-error: Server at https://ipa1-sea2.ipa..net/ipa/xml failed request, > will retry: 907 (RPC failed at server. cannot connect to >

[Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1

2024-04-03 Thread Rob Crittenden via FreeIPA-users
There was a bug in the DER encoding that certmonger used when generating the CSR. python-cryptography allowed it for a while, then complained loudly about it and now no longer accepts it. Upgrading certmonger is the proper fix. rob Djerk Geurts wrote: > Ubuntu 20.04: Certmonger v0.79.9 << fails
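The thread above does not say what certmonger's encoding defect was, only that newer python-cryptography rejects the CSR while older releases tolerated it. What a practitioner can do before opening a ticket is check whether a CSR is strict DER at all, since that is the class of problem a once-lenient, now-strict parser catches. The following is an added example, not certmonger's, python-cryptography's or FreeIPA's code, and it does not reproduce the specific certmonger bug: it is a generic DER syntax checker that walks the TLV structure and reports the rules DER adds on top of BER (definite lengths only, minimal length and tag encodings, canonical BOOLEAN and BIT STRING, elements that exactly fill their container). The test vectors at the bottom are constructed, not real CSRs.

```python
"""Strict DER syntax check for a CSR or any other DER-encoded blob (added example)."""
import base64


def _walk(data: bytes, start: int, end: int, problems: list) -> None:
    """Walk the TLV elements in data[start:end] and record DER violations in problems."""
    pos = start
    while pos < end:
        off = pos
        first = data[pos]
        pos += 1
        universal = (first & 0xC0) == 0        # class bits 00 = UNIVERSAL
        constructed = bool(first & 0x20)       # bit 6 set = constructed (SEQUENCE, SET, ...)
        tag = first & 0x1F
        if tag == 0x1F:                        # high-tag-number form: base-128 digits, 0x80 = more follow
            tag, digits = 0, 0
            while True:
                if pos >= end:
                    problems.append(f"offset {off}: truncated tag")
                    return
                b = data[pos]
                pos += 1
                if digits == 0 and b == 0x80:  # DER forbids a leading zero digit
                    problems.append(f"offset {off}: leading zero digit in high tag number")
                digits += 1
                tag = (tag << 7) | (b & 0x7F)
                if not b & 0x80:
                    break
            if tag < 0x1F:                     # tags below 31 must use the single-byte form
                problems.append(f"offset {off}: high-tag-number form used for tag {tag}")
        if pos >= end:
            problems.append(f"offset {off}: missing length")
            return
        lb = data[pos]
        pos += 1
        if lb < 0x80:                          # short form
            length = lb
        elif lb == 0x80:                       # indefinite length: legal BER, never DER
            problems.append(f"offset {off}: indefinite length (BER only, forbidden in DER)")
            return
        else:                                  # long form: lb & 0x7F bytes of big-endian length
            n = lb & 0x7F
            if pos + n > end:
                problems.append(f"offset {off}: truncated length")
                return
            raw = data[pos:pos + n]
            pos += n
            length = int.from_bytes(raw, "big")
            if length < 0x80:                  # DER requires the short form for lengths < 128
                problems.append(f"offset {off}: long-form length used for {length} < 128")
            elif raw[0] == 0:                  # and the minimal number of length bytes
                problems.append(f"offset {off}: leading zero byte in length")
        if pos + length > end:
            problems.append(f"offset {off}: element overruns its container")
            return
        body = data[pos:pos + length]
        if constructed:
            _walk(data, pos, pos + length, problems)
        elif universal and tag == 1:           # BOOLEAN: DER allows only 0x00 / 0xFF
            if body not in (b"\x00", b"\xff"):
                problems.append(f"offset {off}: non-canonical BOOLEAN {body.hex()}")
        elif universal and tag == 3:           # BIT STRING: first byte = unused bits, 0..7
            if not body or body[0] > 7:
                problems.append(f"offset {off}: invalid BIT STRING unused-bit count")
        pos += length


def der_check(data: bytes) -> list:
    """Return a list of DER violations; an empty list means the blob is strictly DER."""
    problems = []
    _walk(data, 0, len(data), problems)
    return problems


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the base64 body of a single PEM block (e.g. CERTIFICATE REQUEST)."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


# Constructed vectors, not real CSRs: SEQUENCE { INTEGER 5, BOOLEAN TRUE } in correct DER ...
GOOD = bytes.fromhex("30060201050101ff")
# ... and SEQUENCE { INTEGER 5 } with its length in long form (0x81 0x03), which BER allows and DER does not
LONG_FORM = bytes.fromhex("308103020105")

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read()
    der = pem_to_der(raw.decode()) if raw.startswith(b"-----") else raw
    for p in der_check(der) or ["OK: strictly DER"]:
        print(p)
```

Run it as `python3 der_check.py request.csr` (hypothetical file name) on the CSR that certmonger submitted; a clean result means the rejection is about content rather than encoding, and a finding gives the offset to look at in `openssl asn1parse -inform DER -i`.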

[Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1

2024-04-02 Thread Rob Crittenden via FreeIPA-users
I can reproduce the issue with your CSR but I don't know yet what python-cryptography doesn't like about it. Older versions of python-cryptography yield different errors but the issue is still elusive. I'm looking at the ASN1 encoding. What version of certmonger is installed on the machine that

[Freeipa-users] Re: CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11.1

2024-04-02 Thread Rob Crittenden via FreeIPA-users
Djerk Geurts via FreeIPA-users wrote: > Hi, > > A month or so ago we upgraded from Fedora 37 to 39. I guess this is the > first time I’m getting round to requesting a new certificate, and it’s > failing from a server we use to manage several certificates for non-IPA > client hosts. > > Output of

[Freeipa-users] Re: CA Subsystem certificate

2024-04-02 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > Okay, I've sort of fixed the tracking, but there is still an issue I can't > seem to solve. Here is the tracking now for the Audit, OCSP, and Subsystem > certificates > > Number of certificates and requests being tracked: 9. > Request ID '20190322032029':

[Freeipa-users] Re: ACME certs fail to renew

2024-04-02 Thread Rob Crittenden via FreeIPA-users
ow what happened :/ Yes, rather unsatisfying. But on the other hand I'm glad it's working again for you. ipa-healthcheck might be something to look into. I think it would have alerted you to the issue earlier since ipa-acme-manage was failing. Thanks for following up. rob > > Best regards > >

[Freeipa-users] Re: IPA replica installation failed-SEVERE: Unable to start CA engine: Selftest failed: Invalid certificate Server-Cert cert-pki-ca: NotBefore: Mon Apr 01 03:41:49 CST 2024

2024-04-01 Thread Rob Crittenden via FreeIPA-users
Polavarapu Manideep Sai via FreeIPA-users wrote: > Hi Team, > > > > Any one faced this issue during replica installation > > > > I have third party SSL certificate installed on master server > > > > > > *IPA Version:* > > > > [root@dir02-mex ~]# ipa --version > > *VERSION:

[Freeipa-users] Re: One freeipa replica install fails, while other is going through

2024-04-01 Thread Rob Crittenden via FreeIPA-users
D S via FreeIPA-users wrote: > Any ideas on where to look next? I believe you posed the same question on the freeipa-container package. It might have helped if you'd posted here that you were using containers, what underlying OS's were being used and the version of IPA. Did you try pointing

[Freeipa-users] Re: CA Subsystem certificate

2024-04-01 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > I've just found an old p12 file from 2019. I was able to extract the key > from that and it does match the CA Subsystem cert that expired 8 March that is > listed in LDAP. > So if I could somehow generate a new certificate with this and import into > the

[Freeipa-users] Re: problem with configuration replication in ipa server

2024-04-01 Thread Rob Crittenden via FreeIPA-users
Richard Halley via FreeIPA-users wrote: > Hi everyone, I'm configuring the freeipa replication as follows: > > 1) ipa-client-install --domain=pippo.internal --realm=PIPPO.INTERNAL -N > > 2) I add the client to the ipaserver host group > > 3) ipa-replica-install -N --setup-dns --forwarder

[Freeipa-users] Re: ACME certs fail to renew

2024-04-01 Thread Rob Crittenden via FreeIPA-users
Antoine Gatineau via FreeIPA-users wrote: > Hello, > > I have a strange issue regarding acme service. > My acme certificates fail to renew. `ipa-acme-manage status` fails with > error: > Failed to authenticate to CA REST API > The ipa-acme-manage command failed. > > certbot client fails with

[Freeipa-users] Re: CA Subsystem certificate

2024-03-27 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > I've restored the Renewal Master from before I started changing this. If I > run getcert list I do see 9 certificates being tracked. > None of the system certs seem to expire at the same time, but they also all > have incorrect Common Name in the Subject.

[Freeipa-users] Re: CA Subsystem certificate

2024-03-26 Thread Rob Crittenden via FreeIPA-users
Travis West via FreeIPA-users wrote: > The person who set this up is no longer available. We have 6 IPA servers in > a cluster, all set as MASTER. All servers are running IPA v. 4.6.4. > On 8 March the CA Subsystem certificate expired. When looking at the > certificate I noticed it had an

[Freeipa-users] Re: cannot login into account after migration to 4.10.x

2024-03-22 Thread Rob Crittenden via FreeIPA-users
Piotr Miedzik via FreeIPA-users wrote: > Hi > > I have problem with some users after updating freeipa server. > As of freeipa 4.10 I'm not able to login if user was created with uid > specified (ipa user-add testx --uid=1001 --first=p --last=m --password) > It also doesn't work for accounts

[Freeipa-users] Re: admin password changes when joining new replica

2024-03-21 Thread Rob Crittenden via FreeIPA-users
Christian Heimes via FreeIPA-users wrote: > On 21/03/2024 18.42, Rob Crittenden via FreeIPA-users wrote: >> Schweiss, Chip via FreeIPA-users wrote: >>> I'm building out a multisite installation. For unknown reasons, the >>> 'admin' user password needs to be reset eac

[Freeipa-users] Re: admin password changes when joining new replica

2024-03-21 Thread Rob Crittenden via FreeIPA-users
Schweiss, Chip via FreeIPA-users wrote: > I'm building out a multisite installation. For unknown reasons, the > 'admin' user password needs to be reset each time I join a new FreeIPA > replica. > > It seems to happen a minute or two after the ipa-replica-install > completes. Attempts to kinit

[Freeipa-users] Re: ipa-setup-ca

2024-03-20 Thread Rob Crittenden via FreeIPA-users
Omar wrote: > I will attach the logs today. It's been a couple of days and the > installation is still at the same spot ( [5/28]: configuring > certificate server instance ). > > Rob, I know you mention something about waiting on a prompt (Y/N), but I > don't see it in any of the logs.

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Rob Crittenden via FreeIPA-users
You can tar them up, gzip them, redact as needed and reply to the thread. As long as the result is < 256k it should go through ok. rob Omar wrote: > Rob & Flo, > > How can I send you some of the install, debug, and spawn logs? > > On Mon, Mar 18, 2024 at 2:27 PM Omar

[Freeipa-users] Re: ipa-setup-ca

2024-03-18 Thread Rob Crittenden via FreeIPA-users
It sounds like that is the y/N prompt you are seeing if it waits until enter is pressed. rob Omar wrote: > Sorry for the late reply. I'm sure the CA Certs are the correct ones. > I will attempt to do the replicas again and this time I'll trace the > logs to make sure I catch the errors and

[Freeipa-users] Re: Cannot enroll a 4.9 client to 4.10 server fails with PrincipalName not found

2024-03-15 Thread Rob Crittenden via FreeIPA-users
Kroon PC, Peter via FreeIPA-users wrote: > Thanks for the super fast reply! I'll do my best to reply in-line, but I'm > bound to outlook, which doesn't like it too much. > >>> Hi all! >>> >>> I'm working on updating my freeipa server from rocky 8 to 9. I'm playing >>> around with a virtual

[Freeipa-users] Re: ipa-setup-ca

2024-03-15 Thread Rob Crittenden via FreeIPA-users
Omar via FreeIPA-users wrote: > Here is some more info: > > WARNING: The CA service is only installed on one server (<hostname here>). > It is strongly recommended to install it on another server. > Run ipa-ca-install(1) on another master to accomplish this. > > > The

[Freeipa-users] Re: Cannot enroll a 4.9 client to 4.10 server fails with PrincipalName not found

2024-03-15 Thread Rob Crittenden via FreeIPA-users
Kroon PC, Peter via FreeIPA-users wrote: > Hi all! > > I'm working on updating my freeipa server from rocky 8 to 9. I'm playing > around with a virtual machines as playground server and client, since I'd > rather not break my everything right away. As part of this, I first installed >

[Freeipa-users] Re: "Internal server error 'Link'" from ClonesConnectivyAndDataCheck health check on RHEL 8 when talking to RHEL 9 server

2024-03-14 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > On 12/03/2024 12:27, Rob Crittenden via FreeIPA-users wrote: >>> I guess the newer version of Dogtag in RHEL 9 doesn't include this >>> "Link" attribute, but pki.cert:CertDataInfoCollection.from_json in RHEL >>>

[Freeipa-users] Re: Failed FreeIPA replica installation

2024-03-13 Thread Rob Crittenden via FreeIPA-users
D S via FreeIPA-users wrote: > And another update. Tried patching the file - still the same issue. > Note: line 863 now has ca_kdc_check(self.api instead of ca_kdc_check(ldap > [Wed Mar 13 19:07:28.353046 2024] [:error] [pid 13823] File >

[Freeipa-users] Re: Failed FreeIPA replica installation

2024-03-13 Thread Rob Crittenden via FreeIPA-users
D S via FreeIPA-users wrote: > Hello, I've encountered several issues while installing freeipa replica. > > I have freeipa 4.6.8 master and the replica I tried installing is 4.9.12. Rather than focusing on the versions, what OS release are you using? There are known crypto incompatibilities

[Freeipa-users] Re: Number of concurrent connections are decreased by replication.

2024-03-13 Thread Rob Crittenden via FreeIPA-users
seojeong kim via FreeIPA-users wrote: > Hello Rob > As you said, If any group member exceed 3K then you can experience slow down > in server response. > But in the big size of operation environment, members( especially the number > of hosts) exceeding 3k is not that uncommon. > So, I wonder

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Omar wrote: > roger that. I thought about doing the: > ipa-cacert-manager, but that would be wrong, correct? Correct, assuming your updated cert is from the same CA. > > if I do the ipa-server-certinstall, do I need to specify either -d / -w > / or -k? Thanks, You want -d (directory server)

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Omar via FreeIPA-users wrote: > okay, so I think you found the issue: > > $ certutil -L -d /etc/dirsrv/slapd-APP-UAAP-MAXAR-COM -n > 'CN=ldap.app.uaap.maxar.com > ,OU=UAAP,O=Maxar Technologies > Inc,L=Herndon,ST=Virginia,C=US' | grep Not > Not Before:

[Freeipa-users] Re: "Internal server error 'Link'" from ClonesConnectivyAndDataCheck health check on RHEL 8 when talking to RHEL 9 server

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > I tracked down the source of the mysterious "Internal server error > 'Link'" message when running this health check. It's caused by having a > mixture of both RHEL 8 and RHEL 9 servers. > > The error message in context: > > # ipa-healthcheck >

[Freeipa-users] Re: ipa-healthcheck timeout too short for ClonesConnectivyAndDataCheck

2024-03-12 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > All three of my IPA servers have this health check failing: > > [root@ipa3 ~]# ipa-healthcheck --source > pki.server.healthcheck.clones.connectivity_and_data --check > ClonesConnectivyAndDataCheck --output-type=human > Internal server error 'Link' >

[Freeipa-users] Re: pki-tomcatd not starting

2024-03-11 Thread Rob Crittenden via FreeIPA-users
Omar Pagan via FreeIPA-users wrote: > Hello, > > I came back from vacation and noticed that the pki-tomcatd was not running. > All other services are running fine, I can kinit admin and search for users, > I can also log into the UI and see everything. When I try to start the > service I see

[Freeipa-users] Re: Login failed due to an unknown reason

2024-03-05 Thread Rob Crittenden via FreeIPA-users
ITreers UA via FreeIPA-users wrote: > Thank you for the reply. > > As I understood from your reply it's not possible to migrate passwords > without "migration" procedure after the ipa migrate-ds? > During my test migrations from earlier (start of the last month) I have > managed to migrate and

[Freeipa-users] Re: Number of concurrent connections are decreased by replication.

2024-03-04 Thread Rob Crittenden via FreeIPA-users
seojeong kim via FreeIPA-users wrote: > Hello Rob, > I have an extra question on this thread. > On the client side, ldap_search request was triggered periodically and in the > situation of large host group such as 3k members exceeded, ldap latency was > happening. In our client

[Freeipa-users] Re: Number of concurrent connections are decreased by replication.

2024-03-04 Thread Rob Crittenden via FreeIPA-users
Jaehwan Kim via FreeIPA-users wrote: > Hello Rob, > > 2 automembership functions add a host to 2 hostgroups by checking keywords in > the host description, > - 'servicename=...' for 1st hostgroup > - 'groupname=...' for 2nd hostgroup. > > 10K hosts are managed by IPA, and 2.9K hosts were in

[Freeipa-users] Re: disable OTP authentication on specific hosts

2024-02-29 Thread Rob Crittenden via FreeIPA-users
Giuseppe Calo via FreeIPA-users wrote: > Hi Robert Crittend > then if i set EnforceLDAPOTP and users has OTP defined the LDAP BIND will > need 2 factor? > Where can i set EnforceLDAPOTP ? Please note that I use 4.10.0-7 (not 4.11 as > wrote in https://pagure.io/freeipa/issue/5169) This is a

[Freeipa-users] Re: Number of concurrent connections are decreased by replication.

2024-02-29 Thread Rob Crittenden via FreeIPA-users
Jaehwan Kim via FreeIPA-users wrote: > Hello. > > I verified that this disconnection happens because new hosts are continuously > added into a SINGLE BIG host-group by automembership, which results in slow > response of ldap search. > I also verified that the disconnection doesn't happen if

[Freeipa-users] Re: disable OTP authentication on specific hosts

2024-02-28 Thread Rob Crittenden via FreeIPA-users
Sam Morris via FreeIPA-users wrote: > On 28/02/2024 17:23, Sam Morris via FreeIPA-users wrote: >> Another approach is possible, where you don't configure the >> authentication indicator requirement on the host/service objects >> within the directory; instead, the hosts/services are themselves >>

[Freeipa-users] Re: unable to install freeipa replica

2024-02-26 Thread Rob Crittenden via FreeIPA-users
seddik alaoui ismaili wrote: > I tried to kill the process, but didn't help > > Error showed : > > Your system may be partly configured. > Run /usr/sbin/ipa-server-install --uninstall to clean up. We really need more details on what it is you're doing and seeing. The install log for example.

[Freeipa-users] Re: unable to install freeipa replica

2024-02-26 Thread Rob Crittenden via FreeIPA-users
seddik alaouiismaili via FreeIPA-users wrote: > Thank you for the reply.. > It's for ipa running on replica(client) server > > So you think i can kill the process, and re-install replica ?? I'm just curious about the history. Is this a leftover from a previous failed installation? Normally

[Freeipa-users] Re: unable to install freeipa replica

2024-02-26 Thread Rob Crittenden via FreeIPA-users
seddik alaouiismaili via FreeIPA-users wrote: > > > I tried to install freeipa server and replica, and replica install showed > this error : > > ``` > ipa requires ports 389 and 636 for the directory server. these are currently > in use 389 > ``` > actually 389 port is used on replica/client

[Freeipa-users] Re: Locked users synchronisation

2024-02-26 Thread Rob Crittenden via FreeIPA-users
Ales Rozmarin via FreeIPA-users wrote: > Hi guys, > > I'm not sure if this is ok or not. I have two freeipa servers and when a user > gets locked I can see this only on one server. I checked ipa-healthcheck and > both servers are working OK. Do I have to change any settings for that or is this > how

[Freeipa-users] Re: Cannot sudo on one system

2024-02-22 Thread Rob Crittenden via FreeIPA-users
I think you first need to figure out why SSSD can't find your KDC: Cannot find KDC for realm "GSIL.ORG". It looks like SSSD is considering the domain to be offline so is probably not looking up the rules at all. rob Jeremy Tourville via FreeIPA-users wrote: > I am unable to sudo but I can login

[Freeipa-users] Re: Kerberos principal expiration

2024-02-20 Thread Rob Crittenden via FreeIPA-users
kt s via FreeIPA-users wrote: > when I log in with administrator, I got an error "Kerberos principal > expiration". > > I can't log in now, so how to change Kerberos principal time. You'll need your Directory Manager password which was set during IPA server installation. Since you don't

[Freeipa-users] Re: Error during enrolling

2024-02-19 Thread Rob Crittenden via FreeIPA-users
Dmitry Krasov via FreeIPA-users wrote: > Centos 9 ipa-client install error: > Failed to obtain host TGT: Major (458752): No credentials were supplied, or > the credentials were unavailable or inaccessible, Minor (2529639122): > Pre-authentication failed: No key table entry found for >

[Freeipa-users] Re: handling certificate expirations

2024-02-15 Thread Rob Crittenden via FreeIPA-users
Grant Janssen via FreeIPA-users wrote: > When I upgraded the servers to EL8 (I rebuilt from scratch using the old > hostnames), I had neglected to assign an IPA CA renewal master after the > old “boss” was retired. > This crime is of course its own punishment. > > I found the documentation for

[Freeipa-users] Re: automount timeouts

2024-02-14 Thread Rob Crittenden via FreeIPA-users
ed options from autofs or in ipa somewhere? > > > On 2/13/24 13:58, Rob Crittenden via FreeIPA-users wrote: >> Steve Berg via FreeIPA-users wrote: >>> Does IPA do anything to set a timeout on an nfs automount?  I'm seeing >>> some strange behavior on a few automounts

[Freeipa-users] Re: ipa client install as root but am told I need to be root

2024-02-13 Thread Rob Crittenden via FreeIPA-users
Mauricio Tavares via FreeIPA-users wrote: > On Tue, Feb 13, 2024 at 4:37 PM Rob Crittenden wrote: >> >> Mauricio Tavares via FreeIPA-users wrote: >>> So I am trying to add the first ipa client to my test environment. If >>> I am running ipa-client-install as a root, why is it barking that >>> >>>

[Freeipa-users] Re: ipa client install as root but am told I need to be root

2024-02-13 Thread Rob Crittenden via FreeIPA-users
Mauricio Tavares via FreeIPA-users wrote: > So I am trying to add the first ipa client to my test environment. If > I am running ipa-client-install as a root, why is it barking that > > nisdomainname: you must be root to change the domain name > > [root@idm-client1 /]# ipa-client-install

[Freeipa-users] Re: automount timeouts

2024-02-13 Thread Rob Crittenden via FreeIPA-users
Steve Berg via FreeIPA-users wrote: > Does IPA do anything to set a timeout on an nfs automount?  I'm seeing > some strange behavior on a few automounts and want to make sure I look > in the right places to look up and/or set a timeout for those filesystems. You can add options to an automount

[Freeipa-users] Re: Create IPA user via LDAP

2024-02-13 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > On 13.02.24 07:54, Ronald Wimmer via FreeIPA-users wrote: >> On 12.02.24 23:02, Rob Crittenden via FreeIPA-users wrote: >>> Ronald Wimmer via FreeIPA-users wrote: >>>> On 12.02.24 20:47, Alexander Bokovoy via FreeIPA-users wr

[Freeipa-users] Re: Create IPA user via LDAP

2024-02-12 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote: > On 12.02.24 20:47, Alexander Bokovoy via FreeIPA-users wrote: >> On Mon, 12 Feb 2024, Ronald Wimmer via FreeIPA-users wrote: >>> On 12.02.24 15:54, Ronald Wimmer via FreeIPA-users wrote: On 12.02.24 14:15, Christian Heimes via FreeIPA-users wrote:

[Freeipa-users] Re: Installing CA certificate issue

2024-02-12 Thread Rob Crittenden via FreeIPA-users
mskaraca--- via FreeIPA-users wrote: > Hi  > > I just wanted to say thank you to this list and especially to Rob > Crittenden.. > > I could not log in to freeipa-users, there may be a problem in logging > in with social network accounts. So I am sending this as an email.. > > Firstly My issue

[Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working

2024-02-08 Thread Rob Crittenden via FreeIPA-users
Oliver Nixon via FreeIPA-users wrote: > Hi Rob, > > Thanks for your reply. > > All I can find in the log is the following: > [08/Feb/2024:17:31:01.478681171 +] - ERR - sidgen_task_thread - [file > ipa_sidgen_task.c, line 194]: Sidgen task starts ... > [08/Feb/2024:17:31:01.667472180 +]

[Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working

2024-02-08 Thread Rob Crittenden via FreeIPA-users
Oliver Nixon via FreeIPA-users wrote: > Hi, > > I'm encountering the same issue after upgrading to 4.9.12. > I had previously imported users from another FreeIPA deployment and their > UIDs were outside of the defined ID ranges. > I've created a new ID range to encompass these and run the

[Freeipa-users] Re: Permission to create and manage OTP Tokens for non-admin user

2024-02-08 Thread Rob Crittenden via FreeIPA-users
Russ Long via FreeIPA-users wrote: > Tried adding objectclass to the attrs, but it is entirely possible I did > something incorrect as the users are still unable to view other OTP tokens > > Here's the current state of the policy: > > $ ipa permission-show test --all --raw > dn:

[Freeipa-users] Re: Permission to create and manage OTP Tokens for non-admin user

2024-02-07 Thread Rob Crittenden via FreeIPA-users
Russ Long via FreeIPA-users wrote: > There have been a couple threads about this in this forum, but I have not > been able to make anything work from those threads. I have a group of > non-admin users that I would like to have able to manage OTP tokens for all > users. > > I have attempted to
