Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Simo Sorce
On Wed, 2014-03-12 at 22:03 +, Todd Maugh wrote:
> Skipping the conncheck due to a clock skew error.

If your clock is wrong you won't have a functional replica anyway.
Fix the clock.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
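A pre-flight check for the two failure modes this thread runs into, the blocked port Rob's conncheck question points at and the clock skew Simo says to fix, as an added Python example; it is not code from the thread or from the FreeIPA project. Assumptions: the master hostname is a placeholder, the port list is the one documented for FreeIPA 3.x on RHEL 6 (7389 being the Dogtag 9 CA directory instance used for CA replication), the ntpdate output is constructed, and the 300-second limit is MIT Kerberos' default clockskew.

```python
"""Pre-flight for ipa-replica-install: clock offset to the master and
TCP reachability of the ports replication needs.  Added example, not
from the thread or from FreeIPA.  Hostnames, the ntpdate sample and the
port table are assumptions stated in the lead-in."""
import re
import socket
from typing import Dict, List, Optional, Tuple

KRB5_MAX_SKEW_SECONDS = 300  # MIT krb5 default 'clockskew' (assumption: unchanged in krb5.conf)

# (port, protocol, purpose) as documented for FreeIPA 3.x on RHEL 6 (assumption).
REQUIRED_PORTS: List[Tuple[int, str, str]] = [
    (80, "tcp", "HTTP (CA, web UI)"),
    (443, "tcp", "HTTPS"),
    (389, "tcp", "LDAP"),
    (636, "tcp", "LDAPS"),
    (88, "tcp", "Kerberos"),
    (464, "tcp", "kpasswd"),
    (88, "udp", "Kerberos"),
    (464, "udp", "kpasswd"),
    (123, "udp", "NTP"),
    (7389, "tcp", "CA replication (Dogtag 9 DS instance)"),
]

_NTPDATE_RE = re.compile(r"server\s+(\S+),\s+stratum\s+(\d+),\s+offset\s+(-?[\d.]+)")


def parse_ntpdate_offset(output: str) -> Optional[float]:
    """Pull the offset in seconds out of 'ntpdate -q <master>' output.
    None means no usable server line (master unreachable or not serving time)."""
    m = _NTPDATE_RE.search(output)
    return float(m.group(3)) if m else None


def skew_ok(offset_seconds: Optional[float], limit: int = KRB5_MAX_SKEW_SECONDS) -> bool:
    """True when |offset| is inside the KDC's tolerance; an unknown offset fails."""
    return offset_seconds is not None and abs(offset_seconds) <= limit


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect.  UDP services cannot be verified this way, so the
    'udp' rows are reported by check_master() but never probed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_master(host: str, probe=tcp_port_open) -> Dict[str, bool]:
    """Probe every TCP row of REQUIRED_PORTS on the master.  `probe` is
    injectable so the logic can be exercised without a network."""
    results: Dict[str, bool] = {}
    for port, proto, purpose in REQUIRED_PORTS:
        if proto != "tcp":
            continue
        results[f"{port}/tcp {purpose}"] = probe(host, port)
    return results


def blocked_ports(results: Dict[str, bool]) -> List[str]:
    """Names of the rows whose probe failed, sorted for stable reporting."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed sample of 'ntpdate -q' output; not captured from the thread.
SAMPLE_NTPDATE = (
    "server 10.0.0.10, stratum 2, offset -412.378, delay 0.02637\n"
    "12 Mar 22:03:10 ntpdate[2181]: step time server 10.0.0.10 offset -412.378 sec\n"
)

if __name__ == "__main__":
    master = "idm-master.example.com"  # placeholder hostname
    off = parse_ntpdate_offset(SAMPLE_NTPDATE)
    print(f"clock offset vs master: {off}s, within krb5 tolerance: {skew_ok(off)}")
    # A real run probes the master directly; ipa-replica-conncheck does the
    # authoritative two-way test, so only skip it once this is clean.
    for name, ok in check_master(master).items():
        print(f"{'ok     ' if ok else 'BLOCKED'} {name}")
```

Run it on the prospective replica before ipa-replica-install. A 412-second offset like the constructed sample fails the Kerberos check outright, which is the same condition that makes conncheck's kinit fail; fixing ntpd on both sides is cheaper than skipping the check and finding out at step 22/31 that port 389 on the master was never reachable.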


Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Rich Megginson

On 03/12/2014 05:07 PM, Todd Maugh wrote:

so to verify this

I am able to log in to the AD server as idmadmin with the password I'm 
using in the winsync agreement.


I guess you mean that login to Windows using the standard Windows login 
dialog is working correctly?  And that this is still not working correctly:


[r...@idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w 
"XX" s base -b "cn=Users,dc=bwinc,dc=local"


Do you have the Windows administrator password?  If so, can you try 
something like this:


[r...@idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D "cn=administrator,cn=Users,dc=bwinc,dc=local" 
-w "XX" s base -b "cn=Users,dc=bwinc,dc=local"


Is AD configured to allow external LDAP binds?


is there a log I can  look at to see what it is getting tripped up on.


I suppose you could try somewhere in the Windows Event Viewer . . .



I double checked all the security groups  for the AD user and they all 
look good




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Todd Maugh
so to verify this

I am able to log in to the AD server as idmadmin with the password I'm using in 
the winsync agreement.

is there a log I can  look at to see what it is getting tripped up on.

I double checked all the security groups  for the AD user and they all look good



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Rich Megginson

On 03/12/2014 04:39 PM, Todd Maugh wrote:

thanks Rich,

when I run that  I get the following:


[r...@idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ 
-h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" 
-w "XX" s base -b "cn=Users,dc=bwinc,dc=local"

ldap_bind: Invalid credentials (49)


Invalid credentials almost always means your password "XX" is not 
correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"


additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
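The "data 52e" in the diagnostic text is what settles Rich's reading: AD folds many distinct logon failures into LDAP result 49 (invalidCredentials) and only that hex value inside the AcceptSecurityContext comment says which one. The following Python triage helper is added here and is not code from the thread, from 389-ds or from FreeIPA; it extracts the code from both forms seen above (the python-ldap style dict ipa-replica-manage printed and ldapsearch's two stderr lines) and maps it to the documented Win32 meaning. The sample strings are constructed for the demo; the first mirrors the message in the thread.

```python
"""Triage an Active Directory simple-bind failure from its diagnostic
message.  Added example; not code from the thread, 389-ds or FreeIPA.
The table is the documented Win32 logon-error subset AD reports as
'data NNN'; the sample strings below are constructed."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

AD_BIND_DATA_CODES: Dict[str, str] = {
    "525": "user not found: the bind DN/UPN does not resolve to an account",
    "52e": "bad password: the account exists but the credentials are wrong",
    "530": "logon not permitted at this time (logon hours)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error,\s*data\s+([0-9a-fA-F]+)")
# OpenLDAP prints: "ldap_bind: <desc> (<code>)\n\tadditional info: <info>"
_LDAPSEARCH_RE = re.compile(
    r"ldap_bind:\s*(?P<desc>[^(\n]+?)\s*\((?P<code>\d+)\)\s*\n\s*"
    r"(?:additional info:\s*(?P<info>.*))?", re.S)


class BindDiagnosis(NamedTuple):
    desc: str                 # server's result text, e.g. 'Invalid credentials'
    data_code: Optional[str]  # AD hex data code, e.g. '52e', or None if absent
    meaning: str
    credential_problem: bool  # the password (or its expiry state) is the issue
    identity_problem: bool    # the bind DN itself does not resolve


def decode_data_code(info: str) -> Tuple[Optional[str], str]:
    """Extract and explain the hex data code from an AD diagnostic string."""
    m = _DATA_RE.search(info or "")
    if not m:
        return None, "no AcceptSecurityContext data code in diagnostic message"
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, f"undocumented data code {code}")


def diagnose(desc: str, info: str) -> BindDiagnosis:
    """Combine the LDAP result text with the decoded AD data code."""
    code, meaning = decode_data_code(info)
    return BindDiagnosis(
        desc=desc.strip(), data_code=code, meaning=meaning,
        credential_problem=code in ("52e", "532", "773"),
        identity_problem=code == "525",
    )


def diagnose_python_ldap(err: Dict[str, str]) -> BindDiagnosis:
    """python-ldap raises INVALID_CREDENTIALS with args shaped like the dict
    ipa-replica-manage logged: {'info': ..., 'desc': ...}."""
    return diagnose(err.get("desc", ""), err.get("info", ""))


def diagnose_ldapsearch(stderr_text: str) -> Optional[BindDiagnosis]:
    """Parse the two lines ldapsearch prints on a failed bind; None when the
    text is not a bind failure with a numeric result code."""
    m = _LDAPSEARCH_RE.search(stderr_text)
    if not m:
        return None
    return diagnose(m.group("desc"), m.group("info") or "")


# Constructed samples; the first reproduces the diagnostic text in the thread.
SAMPLE_IPA_ERR = {
    "info": "80090308: LdapErr: DSID-0C0903C5, comment: "
            "AcceptSecurityContext error, data 52e, v2580",
    "desc": "Invalid credentials",
}
SAMPLE_LDAPSEARCH = (
    "ldap_bind: Invalid credentials (49)\n"
    "\tadditional info: 80090308: LdapErr: DSID-0C0903C5, comment: "
    "AcceptSecurityContext error, data 525, v2580\n"
)

if __name__ == "__main__":
    for d in (diagnose_python_ldap(SAMPLE_IPA_ERR), diagnose_ldapsearch(SAMPLE_LDAPSEARCH)):
        print(f"{d.desc}: data {d.data_code} -> {d.meaning}")
```

Two things follow from the table. A DN that AD cannot resolve comes back as 525, not 52e, so the 52e in the thread means AD found cn=idmadmin and rejected the password itself; trying the administrator account, as Rich suggests, separates a per-account problem from a bind-policy one. And because 525 and 52e are distinguishable, a domain controller reachable for LDAP binds is also a username oracle, which is worth remembering when deciding which networks may bind to it.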

Re: [Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread KodaK
I had this issue, but I gave up.  I have my users either log into a Linux
box to change passwords or use a web based password reset I set up for them.

When your users log in successfully do they have tickets?  That's my
situation: they can get tickets once they're logged in, but can't change
when prompted at login, nor can they change interactively using passwd.

If you ever figure anything out let me know, but I spent quite a bit of
time on it (once I had the workaround I stopped, though.  You may be more
persistent.)

Good luck,

--Jason



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Todd Maugh
thanks Rich,

when I run that  I get the following:


[r...@idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" s 
base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Rich Megginson

On 03/12/2014 04:18 PM, Todd Maugh wrote:

Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsync agreement and I am getting this:



[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect 
--winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" 
--bindpw "XX" --passsync "XX" 
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local

Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to 
certificate database for idm-master-els.ops.boingo.com

ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, 
comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 
'Invalid credentials'}

Failed to setup winsync replication


Not sure where to look for the logs for this to see what the invalid 
credentials are, or whether this might still be a cert issue or a login 
issue or whatnot?


You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w 
"XX" -s base -b "cn=Users,dc=bwinc,dc=local"





Thanks in advance for the help

-Todd




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Todd Maugh
Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsync agreement and I am getting this:



[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync 
--binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" 
--passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer 
adc13-els.bwinc.local
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate 
database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication


Not sure where to look for the logs for this to see what the invalid 
credentials are, or whether this might still be a cert issue or a login issue or 
whatnot?


Thanks in advance for the help

-Todd


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
Skipping the conncheck due to a clock skew error.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] AIX kerberos client to IPA

2014-03-12 Thread Rob

Hi,

I have configured an AIX 6.1 server to connect to a RHEL 6.5 IPA server. The 
AIX server is configured to use netgroups and all that works for existing 
users.

The problem is when a user's password expires or when a new user is created. 
They cannot change their password:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for "testuser"
testuser's Old password:
testuser's New password:
Connection to localhost closed.

The problem seems to be related to not getting a kerberos ticket as kinit can 
be used to change the password.

Logging is enabled but no logs ever get updated

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
kadmin_local = FILE:/var/krb5/log/kadmin_local.log
default = FILE:/var/krb5/log/krb5lib.log

Anybody ever come across this? Or know how to get logging working?

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Rob Crittenden

Todd Maugh wrote:

I'm seeing this error:

Where is the install log located?

[root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca 
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.


# /usr/bin/pkiremove -pki_instance_root=/var/lib 
-pki_instance_name=pki-ca --force



[root@idm-rep02-w1c-aws ipa]# ipa-replica-install  
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
   [1/31]: creating directory server user
   [2/31]: creating directory server instance
   [3/31]: adding default schema
   [4/31]: enabling memberof plugin
   [5/31]: enabling winsync plugin
   [6/31]: configuring replication version plugin
   [7/31]: enabling IPA enrollment plugin
   [8/31]: enabling ldapi
   [9/31]: disabling betxn plugins
   [10/31]: configuring uniqueness plugin
   [11/31]: configuring uuid plugin
   [12/31]: configuring modrdn plugin
   [13/31]: enabling entryUSN plugin
   [14/31]: configuring lockout plugin
   [15/31]: creating indices
   [16/31]: enabling referential integrity plugin
   [17/31]: configuring ssl for ds instance
   [18/31]: configuring certmap.conf
   [19/31]: configure autobind for root
   [20/31]: configure new location for managed entries
   [21/31]: restarting directory server
   [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1  - LDAP 
error: Can't contact LDAP server]


Why are you skipping the conncheck? It looks like there is a firewall issue.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
But don't I have to remove it from the cert DB?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Simo Sorce [s...@redhat.com]
Sent: Wednesday, March 12, 2014 2:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On Wed, 2014-03-12 at 21:10 +, Todd Maugh wrote:
> I need to remove the CA certs on a box from a previous IDM install.
>
> What is the command to do this?
>
> The error I'm getting is:
>
> A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
I'm seeing this error:

Where is the install log located?

[root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca 
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.
[root@idm-rep02-w1c-aws ipa]# ipa-replica-install  
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1  - LDAP 
error: Can't contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Simo Sorce
On Wed, 2014-03-12 at 21:10 +, Todd Maugh wrote:
> I need to remove the CA certs on a box from a previous IDM install.
> 
> What is the command to do this?
> 
> The error I'm getting is:
> 
> A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
Red Hat 6.5

Latest IPA from yum.




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Dmitri Pal

On 03/12/2014 05:10 PM, Todd Maugh wrote:

I need to remove the CA certs on a box from a previous IDM install.

What is the command to do this?

The error I'm getting is:

A CA is already configured on this system.




Which OS and which version?


Thanks

-Todd



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
I need to remove the CA certs on a box from a previous IDM install.

What is the command to do this?

The error I'm getting is:

A CA is already configured on this system.


Thanks

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Sudo Rule Command Line Option Arguments

2014-03-12 Thread Rashard . Kelly
What is the correct way to add a flag inside a sudo command that will be 
added to a command group? When adding commands with no flags I have no 
issue such as "/usr/bin/yum info example*" but when I try to add options 
to the command like this "/usr/bin/yum --disableexcludes=all localinstall 
example*", It does not work even when escaping items like --. How does IPA 
handle a request like that?
 
ipa-client-3.0.0-37.el6.x86_64

[rkelly@hostname /]$ ipa sudocmdgroup-add-member --sudocmds "/usr/bin/yum 
--disableexcludes=all localinstall example*" yumsita
  Sudo Command Group: yumexample
  Description: Yum install Priviledges for example.com specific packages
  Member Sudo commands: /usr/bin/yum info example*, /usr/bin/yum update 
example*,
/usr/bin/yum remove example*, /usr/bin/yum install
example*, /usr/bin/yum localinstall example*, 
/usr/bin/yum
localupdate example*
  Failed members:
member sudo command: /usr/bin/yum --disableexcludes=all localinstall 
example*: no such entry
-
Number of members added 0
-


Thank You,
Rashard Kelly

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users