[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread Florence Blanc-Renaud via FreeIPA-users

On 2/22/20 12:40 AM, dmitriys via FreeIPA-users wrote:

> When I execute ipa-certupdate I get this:
> 
> ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: 
> KerberosError: No valid Negotiate header in server response
> ipapython.admintool: ERROR: No valid Negotiate header in server response
> ipapython.admintool: ERROR: The ipa-certupdate command failed.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


Hi,

are you able to get a Kerberos ticket and use ipa * commands?
For instance:
kinit admin
ipa ping

If this is not working, please have a look at the logs in 
/var/log/httpd/error_log. This error may happen when the gssproxy 
service is not running or misconfigured.


HTH,
flo


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread dmitriys via FreeIPA-users
When I execute ipa-certupdate I get this:

ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: 
KerberosError: No valid Negotiate header in server response
ipapython.admintool: ERROR: No valid Negotiate header in server response
ipapython.admintool: ERROR: The ipa-certupdate command failed.


[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread Florence Blanc-Renaud via FreeIPA-users

On 2/21/20 5:56 PM, dmitriys via FreeIPA-users wrote:

> Hi!
> I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS
> 
> I installed freeipa-server in default mode (ipa-server-install)
> Now I am trying to change the certificate to a Comodo one as written in this article 
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> my steps:
> 1 ipa-cacert-manage -p 'password' -n COMODO -t C,, install 
> addtrustexternalcaroot2.crt
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful



Hi,
Looks like you forgot the ipa-certupdate step.

HTH,
flo


> 2 ipa-server-certinstall -w -d /home/xattab/ldap_comodo.key ldap_comodo.pem -vvv
> I get the error:
> ipapython.ipautil: DEBUG: stderr=
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 
> 'dbm:/tmp/tmpPsRUhs', '-V', '-n', 'CN=ldap.soft2bet.com', '-u', 'V', '-f', 
> '/tmp/tmpPsRUhs/pwdfile.txt']
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's 
> Certificate issuer is not recognized.
> 
> ipapython.ipautil: DEBUG: stderr=
> ipapython.admintool: DEBUG:   File 
> "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
>  return_value = self.run()
>    File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
> line 113, in run
>  self.install_dirsrv_cert()
>    File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
> line 139, in install_dirsrv_cert
>  'restart_dirsrv %s' % serverid)
>    File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
> line 291, in import_cert
>  self.check_chain(pkcs12_file.name, pin, cdb)
>    File 
> "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
> line 277, in check_chain
>  "to install the CA certificate." % str(e))
> 
> ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, 
> exception: ScriptError: Peer's certificate issuer is not trusted (certutil: 
> certificate is invalid: Peer's Certificate issuer is not recognized.
> ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
> certificate.
> ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: 
> certificate is invalid: Peer's Certificate issuer is not recognized.
> ). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
> certificate.
> ipapython.admintool: ERROR: The ipa-server-certinstall command failed.
> 
> How to fix it?
> Can anybody help me )))?


[Freeipa-users] Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread dmitriys via FreeIPA-users
Hi!
I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS

I installed freeipa-server in default mode (ipa-server-install)
Now I am trying to change the certificate to a Comodo one as written in this article 
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
my steps:
1 ipa-cacert-manage -p 'password' -n COMODO -t C,, install 
addtrustexternalcaroot2.crt
Installing CA certificate, please wait
CA certificate successfully installed
The ipa-cacert-manage command was successful

2 ipa-server-certinstall -w -d /home/xattab/ldap_comodo.key ldap_comodo.pem -vvv
I get the error:
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 
'dbm:/tmp/tmpPsRUhs', '-V', '-n', 'CN=ldap.soft2bet.com', '-u', 'V', '-f', 
'/tmp/tmpPsRUhs/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=certutil: certificate is invalid: Peer's 
Certificate issuer is not recognized.

ipapython.ipautil: DEBUG: stderr=
ipapython.admintool: DEBUG:   File 
"/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
return_value = self.run()
  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 113, in run
self.install_dirsrv_cert()
  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 139, in install_dirsrv_cert
'restart_dirsrv %s' % serverid)
  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 291, in import_cert
self.check_chain(pkcs12_file.name, pin, cdb)
  File 
"/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_server_certinstall.py", 
line 277, in check_chain
"to install the CA certificate." % str(e))

ipapython.admintool: DEBUG: The ipa-server-certinstall command failed, 
exception: ScriptError: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: Peer's certificate issuer is not trusted (certutil: 
certificate is invalid: Peer's Certificate issuer is not recognized.
). Please run ipa-cacert-manage install and ipa-certupdate to install the CA 
certificate.
ipapython.admintool: ERROR: The ipa-server-certinstall command failed.

How to fix it?
Can anybody help me )))?


[Freeipa-users] Re: disparity between ipa-client-install and ipa host-add

2020-02-21 Thread Rob Crittenden via FreeIPA-users
Jay Fenlason via FreeIPA-users wrote:
> On Thu, Feb 20, 2020 at 05:19:50PM -0500, Rob Crittenden wrote:
>> Jay Fenlason via FreeIPA-users wrote:
>>> When attempting to debug another problem with FreeIPA, I noticed
>>> something odd:
>>>
>>> If I have an IPA domain example.com, I can do an ipa-client-install
>>> from a machine named c.d.example.com and it successfully adds the
>>> client to the domain and updates IPA's DNS, but if I do an ipa
>>> host-add of c.d.example.com it gives an error saying
>>> ipa: ERROR: DNS zone d.example.com. not found
>>> which is correct, inasmuch as I never created a d.example.com zone.
>>> But ipa-client-install happily added c.d to the example.com zone.  So
>>> which of these two commands is doing the right thing?
>>
>> ipa-client-install, via ipa-join, creates the host using the non-cli API
>> call join rather than host-add directly. join calls host-add with
>> --force so DNS checks are skipped.
>>
>> The client, as you point out, by default will try to add the DNS records
>> itself in a later step, so it is not enforced up front.
> 
> Thank you for your useful analysis of why they work differently.
> 
> Note that
> ipa host-add c.d.example.com --force --ip-address 192.168.56.5
> fails with the same error as
> ipa host-add c.d.example.com --ip-address 192.168.56.5
> 
> So you can't use --force with the command line to get the same
> behavior as ipa-client-install.

If you include an IP address then --force is ignored because it implies
that the host is already in DNS since you are trying to add an address
for it.

> The question here is really one of design.  Should these commands
> behave differently?
> 
> Should ipa-client-install be able to create a c.d entry in the example.com
> zone, or should it flag the missing d.example.com domain as an error
> the way ipa host-add does?

As I said before, it's there because the client will use nsupdate to
attempt to update DNS. This doesn't happen with host-add.

> Or should ipa host-add add the c.d entry to the example.com zone the
> way ipa-client-install does?

It's there to make the admin pause a second since adding a host without
DNS is not all that useful.

> Or should both of them create the d.example.com zone and add the c
> entry to it? :-)

An enrollment can't create zones.

rob


[Freeipa-users] Re: Lost pass to replica's /root/cacert.p12 - can I re-create it? I have present dir manager pass and primary /root/cacert.p12

2020-02-21 Thread Rob Crittenden via FreeIPA-users
Morgan Cox via FreeIPA-users wrote:
> Thank you for the response Rob!
> 
> Is there anywhere I can see an example command for PKCS12Export ?

Right, no man page :/

https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/command-line_tools_guide/pkcs12export

> Reason: For PCI compliance, as we are using self-signed certs 

Uh, ok? Anyway, just be sure to keep this file safe as it literally
contains the keys to the kingdom.

rob

> 
>> Morgan Cox via FreeIPA-users wrote:
>>
>> The PKCS12Export command can regenerate it.
>>
>> I'm curious though, what are you intending to do with it?
>>
>> rob


[Freeipa-users] Re: Reissue IPA LDAP cert with SAN

2020-02-21 Thread Sam Morris via FreeIPA-users
I did exactly that last month (with two servers running on RHEL rather
than CentOS) and didn't run into any problems or surprises.

-- 
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A
892B  1855 D20B 4202 5CDA 27B9





[Freeipa-users] Re: clients not able to login

2020-02-21 Thread Sumit Bose via FreeIPA-users
On Fri, Feb 21, 2020 at 12:32:54PM -, Sunil Phogat via FreeIPA-users wrote:
> > On Thu, Feb 20, 2020 at 08:59:01AM -, Sunil via FreeIPA-users wrote:
> > 
> > Hi,
> > 
> > please check
> > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to see how
> > to enable debugging in SSSD. There are also common issues described.
> > 
> > Since there is a 'permission denied' error, I wonder if you already had
> > some HBAC rules enabled and disabled the 'allow_all' rule?
> > 
> > bye,
> > Sumit
>  
> Thanks Sumit for your views
> 
> HBAC rules enabled : allow_all
> 
> These are the sssd logs I get:
> 
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [dp_pam_handler] (0x0100): 
> Got request with the following data
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> command: SSS_PAM_CHAUTHTOK

Hi,

This is a request trying to change the password; this is typically not
related to authentication.

> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> domain: sunil.lan
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> user: sku...@sunil.lan
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> service: sshd
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> tty: ssh
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> ruser:
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> rhost: 127.0.0.1
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> authtok type: 1
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> newauthtok type: 1
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> priv: 1
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> cli_pid: 21631
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
> logon name: not set
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
> (0x0100): Trying to resolve service 'IPA'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [be_resolve_server_process] 
> (0x0200): Found address for server ipa.sunil.lan: [10.0.9.229] TTL 7200
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_set_port_status] 
> (0x0100): Marking port 0 of server 'ipa.sunil.lan' as 'not working'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
> (0x0100): Trying to resolve service 'IPA'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
> SSSD is unable to complete the full connection request, this internal status 
> does not necessarily indicate network port issues.
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
> SSSD is unable to complete the full connection request, this internal status 
> does not necessarily indicate network port issues.
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0100): 
> Resetting the status of port 0 for server '(no name)'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolve_srv_send] (0x0200): 
> The status of SRV lookup is neutral
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolv_getsrv_send] 
> (0x0100): Trying to resolve SRV record of '_ldap._tcp.sunil.lan'

It looks like DNS is not configured properly. Are you using the DNS server
integrated in FreeIPA or an external one?

bye,
Sumit

> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [child_sig_handler] 
> (0x0100): child [21639] finished successfully.
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolv_discover_srv_done] 
> (0x0040): SRV query failed [4]: Domain name not found
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_set_port_status] 
> (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolve_srv_done] (0x0040): 
> Unable to resolve SRV [1432158236]: SRV record not found
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [set_srv_data_status] 
> (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [be_resolve_server_process] 
> (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned 
> [1432158236]: SRV record not found
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
> (0x0100): Trying to resolve service 'IPA'
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
> SSSD is unable to complete the full connection request, this internal status 
> does not necessarily indicate network port issues.
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
> SSSD is unable to complete the full connection request, this internal status 
> does not necessarily indicate network port issues.
> (Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
> (0x0020): No

[Freeipa-users] Re: clients not able to login

2020-02-21 Thread Sunil Phogat via FreeIPA-users
> On Thu, Feb 20, 2020 at 08:59:01AM -, Sunil via FreeIPA-users wrote:
> 
> Hi,
> 
> please check
> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html to see how
> to enable debugging in SSSD. There are also common issues described.
> 
> Since there is a 'permission denied' error, I wonder if you already had
> some HBAC rules enabled and disabled the 'allow_all' rule?
> 
> bye,
> Sumit
 
Thanks Sumit for your views

HBAC rules enabled : allow_all

These are the sssd logs I get:

(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [dp_pam_handler] (0x0100): Got 
request with the following data
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
command: SSS_PAM_CHAUTHTOK
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
domain: sunil.lan
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
user: sku...@sunil.lan
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
service: sshd
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
tty: ssh
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
ruser:
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
rhost: 127.0.0.1
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
authtok type: 1
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
newauthtok type: 1
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
priv: 1
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
cli_pid: 21631
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [pam_print_data] (0x0100): 
logon name: not set
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [be_resolve_server_process] 
(0x0200): Found address for server ipa.sunil.lan: [10.0.9.229] TTL 7200
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_set_port_status] (0x0100): 
Marking port 0 of server 'ipa.sunil.lan' as 'not working'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
SSSD is unable to complete the full connection request, this internal status 
does not necessarily indicate network port issues.
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
SSSD is unable to complete the full connection request, this internal status 
does not necessarily indicate network port issues.
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0100): 
Resetting the status of port 0 for server '(no name)'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolve_srv_send] (0x0200): 
The status of SRV lookup is neutral
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolv_getsrv_send] (0x0100): 
Trying to resolve SRV record of '_ldap._tcp.sunil.lan'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [child_sig_handler] (0x0100): 
child [21639] finished successfully.
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolv_discover_srv_done] 
(0x0040): SRV query failed [4]: Domain name not found
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_set_port_status] (0x0100): 
Marking port 0 of server '(no name)' as 'not working'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [resolve_srv_done] (0x0040): 
Unable to resolve SRV [1432158236]: SRV record not found
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [set_srv_data_status] 
(0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [be_resolve_server_process] 
(0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned 
[1432158236]: SRV record not found
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
(0x0100): Trying to resolve service 'IPA'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
SSSD is unable to complete the full connection request, this internal status 
does not necessarily indicate network port issues.
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [get_port_status] (0x0080): 
SSSD is unable to complete the full connection request, this internal status 
does not necessarily indicate network port issues.
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [fo_resolve_service_send] 
(0x0020): No available servers for service 'IPA'
(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] [be_run_offline_cb] (0x0080): 
Going offline. Running callbacks.
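A triage script for the SSSD backend log posted in this thread, added here as an example (it is not SSSD's or FreeIPA's own code): it parses the be log line format, pulls out the facts Sumit's replies turn on (the request is SSS_PAM_CHAUTHTOK rather than an authentication, and the SRV lookup for _ldap._tcp.sunil.lan fails and takes the backend offline) and returns them as findings. The sample lines are Sunil's, re-joined onto single lines; the wording of the findings is this example's own, not SSSD output.

```python
"""Triage SSSD data-provider ("be") log lines for server-discovery failures.
Added example for the thread above; not SSSD or FreeIPA code. SAMPLE_LINES
are taken from the log Sunil posted, re-joined onto single lines and trimmed."""
import re

# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)

P = "(Fri Feb 21 07:28:25 2020) [sssd[be[sunil.lan]]] "  # shared line prefix
SAMPLE_LINES = [
    P + "[dp_pam_handler] (0x0100): Got request with the following data",
    P + "[pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK",
    P + "[fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'",
    P + "[be_resolve_server_process] (0x0200): Found address for server ipa.sunil.lan: [10.0.9.229] TTL 7200",
    P + "[fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.sunil.lan' as 'not working'",
    P + "[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.sunil.lan'",
    P + "[resolv_discover_srv_done] (0x0040): SRV query failed [4]: Domain name not found",
    P + "[fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'",
    P + "[fo_resolve_service_send] (0x0020): No available servers for service 'IPA'",
    P + "[be_run_offline_cb] (0x0080): Going offline. Running callbacks.",
]


def parse_line(line):
    """Split one be log line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # SSSD debug level bitmask
    return rec


def triage(lines):
    """Collect the facts that matter for a 'client cannot log in' report."""
    report = {
        "domain": None,
        "pam_command": None,        # which PAM operation the request was
        "srv_failed": [],           # (SRV name, failure message) pairs
        "servers_not_working": [],  # servers whose port was marked failed
        "no_available_servers": False,
        "went_offline": False,
    }
    pending_srv = None  # SRV name whose lookup is in flight
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        report["domain"] = report["domain"] or rec["domain"]
        msg = rec["msg"]
        if m := re.match(r"command: (SSS_PAM_\w+)", msg):
            report["pam_command"] = m.group(1)
        elif m := re.match(r"Trying to resolve SRV record of '([^']+)'", msg):
            pending_srv = m.group(1)
        elif msg.startswith("SRV query failed") and pending_srv:
            report["srv_failed"].append((pending_srv, msg))
            pending_srv = None
        elif m := re.match(r"Marking port \d+ of server '([^']+)' as 'not working'", msg):
            report["servers_not_working"].append(m.group(1))
        elif msg.startswith("No available servers"):
            report["no_available_servers"] = True
        elif msg.startswith("Going offline"):
            report["went_offline"] = True
    return report


def findings(report):
    """Turn the collected facts into the points a responder should check first."""
    out = []
    if report["pam_command"] == "SSS_PAM_CHAUTHTOK":
        out.append("request is a password change (SSS_PAM_CHAUTHTOK), not an "
                   "authentication; find the actual login attempt separately")
    for name, why in report["srv_failed"]:
        out.append(f"SRV lookup of {name} failed ({why}): the client's DNS does "
                   "not serve the IPA domain, so check its resolver before HBAC")
    if report["no_available_servers"] or report["went_offline"]:
        out.append("backend went offline with no usable IPA server; every PAM "
                   "request is refused until server discovery works")
    return out
```

Run `triage()` over the lines from /var/log/sssd/sssd_<domain>.log (with debug_level raised as the SSSD troubleshooting page describes) and feed the result to `findings()`; an empty result means none of the discovery-failure patterns from this thread are present.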

[Freeipa-users] Re: Lost pass to replica's /root/cacert.p12 - can I re-create it? I have present dir manager pass and primary /root/cacert.p12

2020-02-21 Thread Morgan Cox via FreeIPA-users
Thank you for the response Rob!

Is there anywhere I can see an example command for PKCS12Export ?

Reason: For PCI compliance, as we are using self-signed certs 

> Morgan Cox via FreeIPA-users wrote:
> 
> The PKCS12Export command can regenerate it.
> 
> I'm curious though, what are you intending to do with it?
> 
> rob


[Freeipa-users] Netscape Portable Runtime error -5999

2020-02-21 Thread Sarah PETER via FreeIPA-users
Hello,

on one of our FreeIPA servers we recently got the following error messages:

[05/Feb/2020:22:51:44.078229410 +0100] - ERR - write_function - PR_Write(392) 
Netscape Portable Runtime error -5999 (Invalid file descriptor.)
[21/Feb/2020:08:25:39.507298208 +0100] - ERR - write_function - PR_Write(273) 
Netscape Portable Runtime error -5999 (Invalid file descriptor.)

On the second incident, one of the other replicas shortly lost connection to 
the server with the above error:

[21/Feb/2020:08:25:39.619051486 +0100] - ERR - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=meToIPA2" (IPA2:389) - Replication bind with 
GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[21/Feb/2020:08:25:43.220221699 +0100] - INFO - NSMMReplicationPlugin - 
bind_and_check_pwp - agmt="cn=meToIPA2" (IPA2:389): Replication bind with 
GSSAPI auth resumed

Does anyone know what these errors mean and if there's anything we should do 
about them? I tried searching for them, but came up with nothing. So far it 
seems it hasn't affected the operation of our FreeIPA infrastructure.

Thanks in advance for your help.

Best regards,
Sarah


Sarah Peter
LCSB Bioinformatics Core & UL HPC Team

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | Biotech II
6, avenue du Swing
L-4371 Belvaux
T +352 46 66 44 5360
sarah.pe...@uni.lu 
http://lcsb.uni.lu
