[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-24 Thread barrykfl
hi all:


Thx, as the title says

ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISERS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

2016-05-25 Thread barrykfl
Externally signed CA - GoDaddy expired.

Already added the new cert to the DB in /etc/https/alias (-L) and the config nickname map in
/etc/http/config.d/nss.conf
Already imported to /etc/slapd/PKI-IPA ... which nickname should I point to?
Already changed /etc/dirsrv/slapd-ABC-COM and the nickname map in dse.ldif

Start/stop of IPA shows no cert issue, but server ipa prepare fails.

IPA replica still says cert expired; anywhere I missed?


Thanks


2016-05-25 19:30 GMT+08:00 Martin Basti :

>
>
> On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location should I renew the cert in?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>
>
> We need to know if you have IPA configured with
> * externally signed CA
> * or self-signed CA
> * or if you have any other certificates from different CAs
>
> If I remember correctly you wrote in one email that you have a certificate
> from GoDaddy, which certificate?
>
> In case you have a self-signed CA certificate you should follow:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Martin
>
> On 24 May 2016 at 10:01 PM, "Rob Crittenden" wrote:
>
>> barry...@gmail.com wrote:
>>
>>> hi all:
>>>
>>> Thx, as the title says
>>>
>>> ipa : ERROR cert validation failed for "CN=server.abc.com,O=WISERS.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient': (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>
>>
>> The root of all your problems is that your certificates are expired.
>> Fixing this should be your priority. This is probably going to involve
>> going back in time to when the certificates were still valid, restarting
>> IPA, restarting certmonger and waiting for things to properly renew. It can
>> take some time as the certificates don't all renew at once.
>>
>> I suspect that once renewed and returned to current time the rest of your
>> problems will, for the most part, go away.
>>
>> rob
>>
>
>
>
>

[Freeipa-users] Where should the CA Location

2016-06-22 Thread barrykfl
Hi :

I renewed the external CA cert below ... the server-cert seems OK.

But the CA CERT FAILS.
I ALREADY PASTED it ON
/etc/httpd/alias
/etc/dirsrv/slapd-PKI-IPA
/etc/dirsv/slapd-ABX-com
/var/lib/pki-ca/alias's CA conf

any idea?

 ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)

[Freeipa-users] where is the CA cert located ?

2016-06-28 Thread barrykfl
Hi :

I already followed the procedure to install the new CA and added ca.crt to the library I know of ... what is still missed?

 ABC-COM...[28/Jun/2016:15:45:53 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)


What files does this ca.cert relate to?


thanks

Bar

[Freeipa-users] free ipa cluster replication features

2015-05-27 Thread barrykfl
hi all;
I have 2 FreeIPA servers in the same cluster.

If node1 fails/stops ... I found the connection of their replication stops after node1 fails. Now I directly input new accounts into node 2;

will these new accounts sync back when node 1 starts up again?

My issue is that it seems not.

Regards

Barry

[Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
hi:

I changed the cert already but it seems it still keeps the history of GoDaddy, any help??


www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
The cert is already on the httpd / ldap side, but it prompts an error

[06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
[06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.

*.wisers.com - COMODO CA Limited                 u,u,u
COMODO RSA Domain Validation Secure Server CA    CT,C,C
COMODO RSA Certification Authority               CT,C,C


2015-07-06 20:01 GMT+08:00 :

> hi:
>
> I changed the cert already but it seems it still keeps the history of GoDaddy, any help??
>
>
> www-COM...[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Unable to retrieve private key for cert *.www.com - GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)
> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
Do you mean this:

I already added the cert to NSS and even replaced \etc\ipa\ca.cert


[root@(LIVE) slapd-Wwww-COM]$   certutil -d /etc/pki/nssdb  -L

Certificate Nickname                               Trust Attributes
                                                   SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA      CT,C,C
IPA CA                                             CT,C,C
COMODO RSA Certification Authority                 CT,C,C


2015-07-06 21:39 GMT+08:00 Rob Crittenden :

> barry...@gmail.com wrote:
>
>> The cert is already on the httpd / ldap side, but it prompts an error
>>
>> [06/Jul/2015:19:59:16 +0800] - SSL failure: None of the cipher are valid
>> [06/Jul/2015:19:59:16 +0800] - ERROR: SSL Initialization phase 2 Failed.
>>
>> *.wisers.com - COMODO CA Limited                 u,u,u
>> COMODO RSA Domain Validation Secure Server CA    CT,C,C
>> COMODO RSA Certification Authority               CT,C,C
>>
>>
>
> Taking a wild guess here due to limited information, but check the value
> of nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config. This is the NSS
> nickname of the server certificate to use.
>
> rob
>

Re: [Freeipa-users] error after change cert

2015-07-06 Thread barrykfl
Any command to make it refresh? It seems it is still getting the old GoDaddy history?

2015-07-06 21:45 GMT+08:00 :

> Do you mean this:
>
> I already added the cert to NSS and even replaced \etc\ipa\ca.cert
>
>
> [root@(LIVE) slapd-Wwww-COM]$   certutil -d /etc/pki/nssdb  -L
>
> Certificate Nickname                               Trust Attributes
>                                                    SSL,S/MIME,JAR/XPI
>
> COMODO RSA Domain Validation Secure Server CA      CT,C,C
> IPA CA                                             CT,C,C
> COMODO RSA Certification Authority                 CT,C,C
>
>

[Freeipa-users] what error log i should check

2015-07-06 Thread barrykfl
server 1

ipa-replica-manage list
Segmentation fault (core dumped)

server 2
ipa-replica-manage list
Can't contact LDAP server


But it seems to still sync, as when I add a new account, server 2 has it.

If I delete a name on server 2, server 1 still deletes it.

[Freeipa-users] 2 servers replicatong if onefail_how_made itreplicate the differential?

2016-04-25 Thread barrykfl
Tried. Normally it is replicating, but if one fails and I still add new users, the
recovered server does not sync back.

[Freeipa-users] Differential data on cluster syn back to server1

2016-04-25 Thread barrykfl
Hi:

I have a 2-server cluster replicating ... server1 goes down, server2 takes up the running
role;
if server 1 is turned on again, I found the differential accounts/data created on
server2 do not replicate back to server 1 ... any idea?

Is it possible to sync back the different data manually or force a sync?
If both servers are on, it replicates normally.


THX & Regards

barry

Re: [Freeipa-users] server 1 cannot syn update to server 2 after restart

2016-04-26 Thread barrykfl
server 2 can sync updates to server 1 but the reverse fails.

Any idea? Error below:

Can't contact LDAP server



[26/Apr/2016:18:40:13 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ABC,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[26/Apr/2016:18:40:19 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/central.abc@abc.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
[26/Apr/2016:18:40:19 +0800] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
[26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Incremental update failed and requires administrator action

[Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Hi:

Is it possible to do that without restarting dirsrv?


thx Regards

barry

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Do you mean using ldapmodify?
I tried updating the dse.ldif but it falls back after a while.
On 27 April 2016 at 7:10 PM, "David Kupka" wrote:

> On 27/04/16 12:48, barry...@gmail.com wrote:
>
>> Hi:
>>
>> Is it possible to do that without restarting dirsrv?
>>
>>
>> thx Regards
>>
>> barry
>>
>>
>>
>>
> Hello Barry,
>
> this ldapsearch should list all attributes that need a restart after
> modification:
>
> $ ldapsearch -D "cn=Directory Manager" -w Secret123 -b cn=config
> nsslapd-requiresrestart
>
> I don't see nsslapd-security listed so it should be possible to change it
> at runtime.
>
> --
> David Kupka
>

Re: [Freeipa-users] can live turn off nsslapd-security: to off ?

2016-04-27 Thread barrykfl
Thx, let me try, as I don't want to stop dirsrv but live-disable nsslapd-security.
On 27 April 2016 at 7:26 PM, "David Kupka" wrote:

> On 27/04/16 13:15, barry...@gmail.com wrote:
>
>> Do you mean using ldapmodify?
>> I tried updating the dse.ldif but it falls back after a while.
>>
> Yes, I mean ldapmodify.
>
> Editing dse.ldif while dirsrv is running has no effect because it is read
> only at start and written at least before exit.
>
> If you REALLY need to edit dse.ldif be sure to stop dirsrv then edit it
> and start dirsrv again.
>
> --
> David Kupka
>

[Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
Hi All:

Is there any method to fall back to the default IPA cert if I didn't back up the original?

Now the slapd and IPA cert storage are quite a mess, so they can't replicate even
with nsslapd-security disabled (set to off).


thx
Barry

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
ipa-server-3.0.0-37.el6.x86_64  << here

2016-04-29 19:36 GMT+08:00 Martin Basti :

> Please keep, user-list in CC
>
> You did not send all information I requested.
>
> Please use `rpm -ql ipa-server` to get exact version number
>
>
> On 29.04.2016 13:32, barry...@gmail.com wrote:
>
> The error is from GSSAPI and I'm thinking if it relates to a cert issue.
>
> Server1 > server 2 fail
> Server 2 > server1 ok
>
> FreeIPA 3.0 both
>
> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_492' not found))
> [26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
> [26/Apr/2016:18:40:19 +0800] - Listening on /var/run/slapd-ABC-COM.socket for LDAPI requests
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed
> [26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Missing data encountered
> [26/Apr/2016:18:40:23 +0800]
>
>
> On 29.04.2016 13:02, barry...@gmail.com wrote:
>
> Hi All:
>
> Is there any method to fall back to the default IPA cert if I didn't back up the original?
>
> Now the slapd and IPA cert storage are quite a mess, so they can't replicate
> even with nsslapd-security disabled (set to off).
>
>
> thx
> Barry
>
>
> Hello Barry,
>
> Can you provide more info?
>
> What is your IPA version, OS?
> What are the symptoms you are experiencing?
> What do you mean by default ipa cert ?
> Can you provide logs from replicas?
> Can you provide `getcert list` command output?
> Can you provide `ipactl status` from both servers?
>
> Replication uses GSSAPI, at least on new IPA versions, I'm not sure if
> certificates are involved in this.
>
> Martin
>
>
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now may be ssl cert expire

2016-04-29 Thread barrykfl
server 1:
ipa-server-3.0.0-26.el6_4.4.x86_64

server2

ipa-server-3.0.0-37.el6.x86_64

2016-04-30 1:10 GMT+08:00 :

>
> ipa-server-3.0.0-37.el6.x86_64  << here
>

[Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Hi :

How do I in-place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64

to  ipa-server-3.0.0-37.el6.x86_64?

This is a minor version upgrade; can I just type the update command?


Regards

Barry

Re: [Freeipa-users] Inplace upgrade

2016-05-03 Thread barrykfl
Can I specify a minor version?
On 4 May 2016 at 1:15 PM, "Devin Acosta" wrote:

> Barry,
>
> Yes you should be able to just do a: "yum update ipa-server" and you
> should be good to go.
>
>
> --
> Devin Acosta, RHCE, LFCE
> Linux Certified Engineer
> e: de...@linuxguru.co
>
>
> On May 3, 2016 at 9:10:04 PM, barry...@gmail.com (barry...@gmail.com)
> wrote:
>
> Hi :
>
> How do I in-place upgrade ipa-server-3.0.0-26.el6_4.4.x86_64
>
> to  ipa-server-3.0.0-37.el6.x86_64?
>
> This is a minor version upgrade; can I just type the update command?
>
>
> Regards
>
> Barry

[Freeipa-users] Fail to Start up the server

2016-05-04 Thread barrykfl
Hi:

Before, the server could start up if I disabled nsslapd-security in dse.ldif.
But now, after I updated the minor version from -3.0.0-26 to
ipa-server-3.0.0-47.el6.centos.2.x86_64, it does not allow me to start. Any idea?
I think it is not related to the SSL cert issue.


[04/May/2016:17:32:52 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)
[04/May/2016:17:32:52 +0800] - 389-Directory/1.2.11.25 B2013.325.1951 starting up
[04/May/2016:17:32:52 +0800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[04/May/2016:17:32:52 +0800] - libdb: file ipaca/id2entry.db4 has LSN 14/8738497, past end of log at 14/8626491
[04/May/2016:17:32:53 +0800] - libdb: Commonly caused by moving a database from one database environment
[04/May/2016:17:32:53 +0800] - libdb: to another without clearing the database LSNs, or by removing all of
[04/May/2016:17:32:53 +0800] - libdb: the log files from a database environment
[04/May/2016:17:32:53 +0800] - libdb: /var/lib/dirsrv/slapd-PKI-IPA/db/ipaca/id2entry.db4: unexpected file type or format
[04/May/2016:17:32:53 +0800] - dbp->open("ipaca/id2entry.db4") failed: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - dblayer_instance_start fail: Invalid argument (22)
[04/May/2016:17:32:53 +0800] - start: Failed to start databases, err=22 Invalid argument
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - WARNING: ldbm instance userRoot already exists
[04/May/2016:17:32:53 +0800] - ldbm_config_read_instance_entries: failed to add instance entry cn=userRoot,cn=ldbm database,cn=plugins,cn=config
[04/May/2016:17:32:53 +0800] - ldbm_config_load_dse_info: failed to read instance entries
[04/May/2016:17:32:53 +0800] - start: Loading database configuration failed
[04/May/2016:17:32:53 +0800] - Failed to start database plugin ldbm database
[04/May/2016:17:32:53 +0800] - Error: Failed to resolve plugin dependencies
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin 7-bit check is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Account Usability Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: accesscontrol plugin ACL Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin ACL preoperation is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin attribute uniqueness is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Auto Membership Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: object plugin Class of Service is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin deref is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin HTTP Client is not started
[04/May/2016:17:32:53 +0800] - Error: database plugin ldbm database is not started
[04/May/2016:17:32:53 +0800] - Error: object plugin Legacy Replication Plugin is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Linked Attributes is not started
[04/May/2016:17:32:53 +0800] - Error: preoperation plugin Managed Entries is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Multimaster Replication Plugin is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Roles Plugin is not started
[04/May/2016:17:32:54 +0800] - Error: object plugin Views is not started
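The dirsrv errors-log lines quoted across these threads (the SSL alerts carrying NSPR codes -8181, -8179 and -8174, the GSSAPI replication-bind failures and the "requires administrator action" status from the April thread, and the libdb LSN mismatch in the post above) can be triaged mechanically. The following is an added example, not FreeIPA or 389-ds code; the NSS constant names are real, while the "check" hints and the sample log are this example's own constructed assumptions.

```python
"""Triage 389-ds (FreeIPA dirsrv) errors-log lines.

Added example, not FreeIPA or 389-ds project code. It recognises the line
shapes quoted in these threads: NSS/NSPR SSL alerts, krb5/GSSAPI replication
bind failures, replication-agreement status and libdb log-sequence errors.
The NSPR code numbers are real NSS constants; the "check" hints are this
example's own assumptions about where the fault usually lives on FreeIPA.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NSPR code -> (NSS constant, suggested check). The checks are assumptions.
NSPR_CODES = {
    -8181: ("SEC_ERROR_EXPIRED_CERTIFICATE",
            "renew the named cert; confirm certmonger tracks it (getcert list)"),
    -8179: ("SEC_ERROR_UNKNOWN_ISSUER",
            "import the issuing CA chain into the same NSS DB (certutil -A)"),
    -8174: ("SEC_ERROR_BAD_DATABASE",
            "nsSSLPersonalitySSL nickname must match a cert+key in that NSS DB"),
}
REPL_SEVERITY = [  # first substring match wins; anything else is a warning
    ("requires administrator action", "critical"),
    ("Missing data encountered", "error"),
    ("auth failed", "error"),
    ("resumed", "info"),
]
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*-?\s*(?P<body>.*)$")
NSPR_RE = re.compile(r"SSL alert: (?P<msg>.*?)\(Netscape Portable Runtime error "
                     r"(?P<code>-\d+) - (?P<text>[^)]*)\)")
NICK_RE = re.compile(r"(?:for cert |find certificate \()(?P<nick>.+?)(?:\) for| of) family")
KDC_RE = re.compile(r"Could not get initial credentials for principal \[(?P<princ>[^\]]+)\]"
                    r".*?:\s*(?P<code>-?\d+) \((?P<text>[^)]*)\)")
REPL_RE = re.compile(r'NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): '
                     r"(?P<status>.*)$")
LIBDB_RE = re.compile(r"libdb: file (?P<file>\S+) has LSN (?P<lsn>\S+), past end of log at (?P<end>\S+)")


@dataclass
class Finding:
    ts: str
    kind: str       # "nss", "kdc", "replication" or "libdb"
    severity: str   # "info", "warning", "error" or "critical"
    subject: str    # cert nickname, principal, agreement name or db file
    detail: str
    check: str      # defender's next step (assumption, see NSPR_CODES)


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised errors-log line, else None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts, body = m.group("ts"), m.group("body")
    n = NSPR_RE.search(body)
    if n:  # NSS certificate verification / SSL initialisation failure
        code = int(n.group("code"))
        nick = NICK_RE.search(n.group("msg"))
        name, check = NSPR_CODES.get(code, ("UNKNOWN_NSPR_CODE", "look the code up in NSS secerr.h"))
        return Finding(ts, "nss", "error", nick.group("nick") if nick else "?",
                       f"{name} ({code}): {n.group('text')}", check)
    k = KDC_RE.search(body)
    if k:  # dirsrv could not get a ticket for its own ldap/ principal at start
        return Finding(ts, "kdc", "error", k.group("princ"),
                       f"krb5 {k.group('code')}: {k.group('text')}",
                       "check krb5kdc is up and the realm resolves (DNS/krb5.conf)")
    r = REPL_RE.search(body)
    if r:  # replication agreement status change
        status = r.group("status")
        sev = next((s for key, s in REPL_SEVERITY if key in status), "warning")
        check = ("re-initialise this replica from a healthy peer"
                 if sev == "critical" else "watch for a later 'resumed' line")
        return Finding(ts, "replication", sev, r.group("agmt"), status, check)
    d = LIBDB_RE.search(body)
    if d:  # BDB data files and txn logs disagree (typical after a partial restore)
        return Finding(ts, "libdb", "critical", d.group("file"),
                       f"LSN {d.group('lsn')} past end of log {d.group('end')}",
                       "restore db files and txn logs together, from the same environment")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Parse every line; unrecognised lines are skipped."""
    return [f for f in (parse_line(ln) for ln in lines) if f]


def worst_severity(findings: List[Finding]) -> str:
    order = ["info", "warning", "error", "critical"]
    return max((f.severity for f in findings), key=order.index, default="info")


# Constructed sample in the shapes quoted in the threads; hosts are placeholders.
SAMPLE_LOG = [
    "[04/May/2016:17:32:52 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8181 - Peer's Certificate has expired.)",
    "[28/Jun/2016:15:45:53 +0800] - SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)",
    "[06/Jul/2015:19:59:15 +0800] - SSL alert: Security Initialization: Can't find certificate (*.wwwcom - GoDaddy.com, Inc.) for family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8174 - security library: bad database.)",
    "[26/Apr/2016:18:40:19 +0800] set_krb5_creds - Could not get initial credentials for principal [ldap/central.abc@abc.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)",
    '[26/Apr/2016:18:40:19 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error)',
    "[26/Apr/2016:18:40:19 +0800] - slapd started.  Listening on All Interfaces port 389 for LDAP requests",
    '[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Replication bind with GSSAPI auth resumed',
    '[26/Apr/2016:18:40:23 +0800] NSMMReplicationPlugin - agmt="cn=meTocentral02.ABC.com" (central02:389): Incremental update failed and requires administrator action',
    "[04/May/2016:17:32:52 +0800] - libdb: file ipaca/id2entry.db4 has LSN 14/8738497, past end of log at 14/8626491",
]
```

Run `triage` over the full errors log of an instance (/var/log/dirsrv/slapd-INSTANCE/errors) and act on the highest severity first; a "resumed" line after a bind failure means that agreement recovered on its own.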

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread barrykfl
You mean it fails to start if I update the minor version only?
On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" wrote:

> On (04/05/16 13:17), barry...@gmail.com wrote:
> >Can I specify a minor version?
> Yes you can
>
> yum update ipa-server-3.0.0-37.el6.x86_64
>
> However, it can fail if this version is not available in repositories.
>
> BTW the latest version in el6 is 3.0.0-47.el6
>
> LS
>

[Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread barrykfl
Hi all:

I have master 1 with CA and server 2 replicating. Now master 1 failed, all
lost.

Can I skip it and just make server 3 a replicated slave, or must I recover master
1?

Regards

[Freeipa-users] Restore form full backup but some warns/error ok , BUT WORK OK service

2016-05-05 Thread barrykfl
Hi All:


I restored from backup but some lib / pki errors come up.
The package was ipa-server-3.0.0-26.el6_4.4.x86_64
but now it is ipa-server-3.0.0-47.el6.centos.2.x86_64; it seems no harm?

How to tune it?



Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]
Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in 
cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
super(PKIServerCLI, self).__init__('pki-server', 'PKI server
command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:   [  OK  ]

Re: [Freeipa-users] server 1 and server 2 cannot replicate now, maybe SSL cert expired

2016-05-08 Thread barrykfl
 Hello Barry,

Can you provide more info?

What is your IPA version, OS?

CENTOS 6.5

server1 - ipa-server-3.0.0-47.el6.centos.2.x86_64
server 2 - ipa-server-3.0.0-37.el6.x86_64

What are the symptoms you are experiencing?

Server 1's updates do not transfer to server 2, but server 2 can transfer to
server 1 even with the cert expired.

What do you mean by default IPA cert? If the cert is the issue, then fall back to
the original, not-expired self-signed cert.

Can you provide logs from replicas?

From server 2:

[09/May/2016:12:09:05 +0800] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 49
(Invalid credentials) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure.  Minor code may provide more information (Unknown error))
errno 0 (Success)
[09/May/2016:12:09:05 +0800] slapi_ldap_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error 49 (Invalid credentials)

Can you provide `getcert list` command output?

Server 1 - Number of certificates and requests being tracked: 0.  <-- no
records
Server 2 -

Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM

expires: 2015-12-19 06:40:44 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
track: yes
auto-renew: yes
Request ID '20140106083931':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ABC-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central02.ABC.com,O=ABC.COM

expires: 2015-12-19 06:40:46 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20140106083944':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-retrieve-agent-submit
issuer: CN=Certificate Authority,O=ABC.COM 
subject: CN=IPA RA,O=ABC.COM 
expires: 2015-11-12 08:41:45 UTC
eku: id-kp-ABCAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Can you provide `ipactl status` from both server?

Server1 - Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


Server 2 =

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

Now I don't want any cert, just GSSAPI to work...

2016-05-02 18:28 GMT+08:00 Martin Basti :

> Hello,
>
> Can you try to upgrade server to the same version?
>
> You did not provided all information I requested.
>
> Martin
>
>
> On 29.04.2016 19:13, barry...@gmail.com wrote:
>
> server 1:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> server2
>
> ipa-server-3.0.0-37.el6.x86_64
>
> 2016-04-30 1:10 GMT+08:00 :
>
>>
>> ipa-server-3.0.0-37.el6.x86_64  << here
>>
>> 2016-04-29 19:36 GMT+08:00 Martin Basti :
>>
>>> Please keep, user-list in CC
>>>
>>> You did not send all information I requested.
>>>
>>> Please use `rpm -ql ipa-server` to get exact version number
>>>
>>>
>>> On 29.04.2016 13:32, barry...@gmail.com wrote:
>>>
>>> The error is from GSSAPI and I'm thinking it relates to a cert issue.
>>>
>>> Server1> server 2 fail
>>> Server 2   > server1 ok
>>>
>>> FreeIPA 3.0 on both
>>>
>>> slapd_ldap_sasl_interactive_bind - Error: could not perform interactive
>>> bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1):
>>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>> provide more information (Credentials cache file '/tmp/krb5cc_492' not
>>> found)) errno 0 (Success)
>>> [26/Apr/2016:18:40:19 +0800] slapi_ldap_bind - Error: could not perfor
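
The `getcert list` output above (server 2) shows three tracking requests that are already expired and stuck in NEED_CSR_GEN_TOKEN, which is exactly the state that later makes replica preparation fail with SEC_ERROR_EXPIRED_CERTIFICATE. The following audit script is an added example, not code from this thread, from FreeIPA or from certmonger: it parses `getcert list` output and reports every request that is expired, expires within a configurable window, or is stuck. The sample text embedded in it is constructed from the excerpt above (trimmed, with a third healthy request added for contrast); the nicknames and NSS database paths are the ones shown in the thread.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample: the two stuck requests quoted above (trimmed) plus one
# healthy MONITORING request added for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140106083849':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='ABC-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=ABC.COM
    subject: CN=central02.ABC.com,O=ABC.COM
    expires: 2015-12-19 06:40:44 UTC
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv ABC-COM
    track: yes
    auto-renew: yes
Request ID '20140106083944':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    subject: CN=IPA RA,O=ABC.COM
    expires: 2015-11-12 08:41:45 UTC
Request ID '20160101000000':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=central02.ABC.com,O=ABC.COM
    expires: 2016-06-01 00:00:00 UTC
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per Request ID."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def nickname_of(storage):
    """Pull nickname='...' out of a certmonger storage descriptor."""
    m = re.search(r"nickname='([^']+)'", storage)
    return m.group(1) if m else "?"


def audit(text, now=None, warn_days=30):
    """One finding per request. `now` may be None (current time), a tz-aware
    datetime, or a 'YYYY-MM-DD' string; `problems` is empty for healthy requests."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    findings = []
    for req in parse_getcert_list(text):
        problems = []
        if req.get("stuck") == "yes":
            problems.append("stuck in %s" % req.get("status", "?"))
        expires = req.get("expires")
        if expires:
            # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'
            exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("expired %s" % expires)
            elif exp - now <= timedelta(days=warn_days):
                problems.append("expires within %d days (%s)" % (warn_days, expires))
        findings.append({"request_id": req["request_id"],
                         "nickname": nickname_of(req.get("certificate", "")),
                         "subject": req.get("subject", "?"),
                         "problems": problems})
    return findings


def main():
    # Read real output from a pipe (`getcert list | python3 getcert_audit.py`),
    # fall back to the embedded sample when run interactively.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(text):
        print("%-7s %-16s %-12s %s" % ("PROBLEM" if f["problems"] else "ok",
              f["request_id"], f["nickname"], "; ".join(f["problems"]) or f["subject"]))


if __name__ == "__main__":
    main()
```

A non-empty `problems` list on the dirsrv or httpd server certificate, or on ipaCert (the IPA RA agent certificate used to talk to the CA), is the condition behind the SEC_ERROR_EXPIRED_CERTIFICATE messages in this thread; `stuck: yes` additionally means certmonger has given up renewing on its own.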

Re: [Freeipa-users] server 1 and server 2 cannot replicate now, maybe SSL cert expired

2016-05-09 Thread barrykfl
Do you mean the error is related to the OS?
On 9 May 2016 at 19:17, "Lukas Slebodnik" wrote:

> On (09/05/16 12:14), Barry wrote:
> >  Hello Barry,
> >
> >Can you provide more info?
> >
> >What is your IPA version, OS?
> >
> >CENTOS 6.5
> >
> Please upgrade to latest CentOS 6.7
> there are known bugs in CentOS 6.5
> which are already fixed in CentOS 6.7.
>
> LS
>

Re: [Freeipa-users] server 1 and server 2 cannot replicate now, maybe SSL cert expired

2016-05-10 Thread barrykfl
Just wondering whether the FreeIPA package will have bugs if the OS is too old.
On 10 May 2016 at 15:09, "Lukas Slebodnik" wrote:

> On (10/05/16 08:19), barry...@gmail.com wrote:
> >Do you mean the error is related to the OS?
> I mean that there are known bugs in FreeIPA components.
> 389-ds, sssd 
> CentOS 6.5 is quite old version.
>
> I would really recommend to upgrade to the latest CentOS.
> If there are still problems on latest CentOS then
> we can try to continue with troubleshooting.
>
> It does not worth to spend time with analyzing already fixed bugs.
>
> LS
>

[Freeipa-users] Upgrade to new IPA

2016-05-10 Thread barrykfl
Hi all:

I'm using FreeIPA 3.0... is there a fast way to export usernames / passwords
and migrate to a
new 4.0 server, not an in-place upgrade?


Regards

Barry

[Freeipa-users] Restore from backup, starting server gives errors but succeeds

2016-05-10 Thread barrykfl
Hi:

I restored from backup following the procedure below:
http://www.freeipa.org/page/V3/Backup_and_Restore

Now the server web page launches but I cannot access it:
Sorry you are not allowed to access this service.

Starting dirsrv:
PKI-IPA... [  OK  ]
WISERS-COM...  [  OK  ]
Starting KDC Service
Starting Kerberos 5 KDC:   [  OK  ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server:  [  OK  ]
Starting MEMCACHE Service
Starting ipa_memcached:[  OK  ]
Starting HTTP Service
Starting httpd:[  OK  ]
Starting CA Service


Starting CA Service
Traceback (most recent call last):
  File "/usr/sbin/pki-server", line 88, in <module>
cli = PKIServerCLI()
  File "/usr/sbin/pki-server", line 34, in __init__
super(PKIServerCLI, self).__init__('pki-server', 'PKI server
command-line interface')
  File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in __init__
self.modules = collections.OrderedDict()
AttributeError: 'module' object has no attribute 'OrderedDict'
Starting pki-ca:   [  OK  ]


Any idea about the above?

Re: [Freeipa-users] Restore from backup, starting server gives errors but succeeds

2016-05-10 Thread barrykfl
So now how can I restore the normal status?

Can I export those accounts and restore them to a new server if it has the same schema?

The manual backup restore I tested before should work.
On 10 May 2016 at 20:16, "Martin Basti" wrote:

> There is no ipa-restore or ipa-backup commands even on RHEL6.7, centos6.7,
> so I have no idea how you got that commands there. If you just copy files
> manually it is not working as you can see.
>
> Martin
>
> On 10.05.2016 14:12, Barry wrote:
>
> The bottom one, the manual file-based backup restore. I remember there's one for
> 3.0
>
> And it tested working before.
> On 10 May 2016 at 20:00, "Petr Vobornik" wrote:
>
>> On 05/10/2016 01:49 PM, Martin Basti wrote:
>> > No there is not python 2.7 on centos 6.x, maybe there is something
>> wrong in the
>> > code, let me check first
>>
>> How did you run the backup and restore? AFAIK it was introduced in
>> FreeIPA 3.2, then it was introduced in ipa 3.3 release on RHEL 7. It is
>> not on RHEL 6.
>>
>> >
>> >
>> > On 10.05.2016 13:34, Barry wrote:
>> >>
>> >> IPA 3.0 e47
>> >>
>> >> CentOS 6.5. Just update Python?
>> >>
>> >> On 10 May 2016 at 18:58, "Martin Basti"
>> >> <mba...@redhat.com> wrote:
>> >>
>> >>
>> >>
>> >> On 10.05.2016 12:41, barry...@gmail.com 
>> wrote:
>> >>> Hi:
>> >>>
>> >>> I restored from backup following the procedure below:
>> >>> http://www.freeipa.org/page/V3/Backup_and_Restore
>> >>>
>> >>> Now the server web page launches but I cannot access it:
>> >>> Sorry you are not allowed to access this service.
>> >>>
>> >>> Starting dirsrv:
>> >>> PKI-IPA... [  OK  ]
>> >>> WISERS-COM... [  OK  ]
>> >>> Starting KDC Service
>> >>> Starting Kerberos 5 KDC:   [  OK
>> ]
>> >>> Starting KPASSWD Service
>> >>> Starting Kerberos 5 Admin Server:  [  OK
>> ]
>> >>> Starting MEMCACHE Service
>> >>> Starting ipa_memcached:[ OK  ]
>> >>> Starting HTTP Service
>> >>> Starting httpd:[ OK  ]
>> >>> Starting CA Service
>> >>>
>> >>>
>> >>> Starting CA Service
>> >>> Traceback (most recent call last):
>> >>>   File "/usr/sbin/pki-server", line 88, in <module>
>> >>> cli = PKIServerCLI()
>> >>>   File "/usr/sbin/pki-server", line 34, in __init__
>> >>> super(PKIServerCLI, self).__init__('pki-server', 'PKI server
>> >>> command-line interface')
>> >>>   File "/usr/lib/python2.6/site-packages/pki/cli.py", line 39, in
>> __init__
>> >>> self.modules = collections.OrderedDict()
>> >>> AttributeError: 'module' object has no attribute 'OrderedDict'
>> >>> Starting pki-ca:   [ OK  ]
>> >>>
>> >>>
>> >>> Any idea above?
>> >>>
>> >>>
>> >>
>> >> You are using the old python, python 2.7 is required, which
>> version of OS
>> >> and IPA do you use?
>> >> Martin
>> >>
>> >
>> >
>> >
>>
>>
>> --
>> Petr Vobornik
>>
>
>

[Freeipa-users] Revert back to the FreeIPA cert

2016-05-15 Thread barrykfl
Hi :

Before, I used a GoDaddy cert and everything worked fine for a year; now the cert
has expired

and breaks the mutual agreement. Whatever command I type, it shows it can't
contact the LDAP server.

Can I just fall back to the IPA self-signed cert if I have a backup?
Please advise the detailed procedure.

Regards.

Barry

[Freeipa-users] Re-enable port 7389 on multi-master

2016-05-17 Thread barrykfl
Hi :


2 servers are configured as multi-master but one of them cannot telnet to 7389.

How can I check and re-enable it?

For the server that cannot telnet to 7389, should I reinstall the CA service... is it
related?
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING

thks

barry

[Freeipa-users] want to make new replicas but cert expired

2016-05-18 Thread barrykfl
Hi:

I typed ipa-replica-install server --ip 192.168.1.3

It shows my cert expired; in which location should I input the cert?

trusted by the user.)
preparation of replica failed: cannot connect to
'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
-8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
marked

thkx

Re: [Freeipa-users] want to make new replicas but cert expired

2016-05-18 Thread barrykfl
I already changed to a new cert; no error prompt when starting the server. But using
ipa-replica-install, the same error comes out. So I must have missed some folder not yet
replaced.
On 19 May 2016 at 02:01, "Rob Crittenden" wrote:

> barry...@gmail.com wrote:
>
>> Hi:
>>
>> I typed ipa-replica-install server --ip 192.168.1.3
>>
>> It shows my cert expired; in which location should I input the cert?
>>
>> trusted by the user.)
>> preparation of replica failed: cannot connect to
>> 'https://ipa.cora.nwra.com:9444/ca/ee/ca/profileSubmitSSLClient': [Errno
>> -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been
>> marked
>>
>
> You need to sort out your expired certs before you can create a new master.
>
> Why not just renew the GoDaddy certs?
>
> rob
>
>

[Freeipa-users] Renewal of new cert concept

2016-05-19 Thread barrykfl
Hi:

As stated in the guideline online, is /root/ipa.crt the server cert
generated by the 3rd party CA? Or the CA cert itself that needs to pair with the
server cert later? Thx


Give the CSR to your external CA and have them issue you a new certificate.
We assume that the resulting certificate is saved into the /root/ipa.crt
file. We also assume that the /root/external-ca.pem file contains the
external CA certificate chain in the PEM format. The renewal needs to be
done on the IdM CA designated for managing renewals. One way to identify
the first-installed IdM server is to see if the value for subsystem.select
is New:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html

Re: [Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain

2014-02-05 Thread barrykfl
Does anyone know how to add a new attribute or object class to the user
accounts... e.g. add department and ID creation date to those users' info
fields?

Can I use the 389 / Red Hat Directory Console? I tried to edit 99user.ldif but the
new attribute does not seem to show up.

barry


2014-02-05 Martin Kosek :

> Good! Note that we plan to enhance SSSD to leverage the new Kerberos
> authlocal
> API to avoid having to update krb5.conf on each system. This is the
> upstream
> ticket:
>
> https://fedorahosted.org/sssd/ticket/1835
>
> Martin
>
> On 02/05/2014 03:27 PM, Mark Gardner wrote:
> > Thanks, That was what I missed.
> >
> >
> >> On Wed, Feb 5, 2014 at 2:39 AM, Alexander Bokovoy wrote:
> >
> >> On Tue, 04 Feb 2014, Mark Gardner wrote:
> >>
> >>> I'm trying to configure our CentOS IPA Client for Single Sign On from
> our
> >>> trusted AD domain.
> >>> SSO works fine when I ssh to the IPA server, but not to the CentOS
> Client.
> >>> It prompts for password which it accepts, so it's getting the
> >>> authentication from the AD domain.
> >>>
> >>> Fedora 20 IPA Server
> >>> CentOS 6.5 IPA Client
> >>> Win 2012 AD Domain Server
> >>>
> >>> Setup as IPA as a subdomain of AD.
> >>> AD Domain: test.local
> >>> IPA Domain: hosted.test.local
> >>>
> >>> Anybody run into this?  Suggestions?
> >>>
> >> Each client needs to be configured to accept AD users' SSO.
> >>
> >> Check that /etc/krb5.conf contains auth_to_local rules mapping
> principals
> >> from
> >> AD to their names as returned by SSSD.
> >>
> >> SSH daemon is picky about principal/name mapping.
> >> --
> >> / Alexander Bokovoy
> >>
> >
> >
> >
> > ___
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>

[Freeipa-users] HOW to add employeenumber to a user easily? There is an account object with an employeenumber attribute

2014-02-06 Thread barrykfl
Hi:

I can make it show in an LDAP browser or the UI, but I can't find where to add it on
the command line.

ipa user-mod --employeenumber: no such parameter.

Moreover, can I change the attribute just by name and make use of it?

E.g. I found the car license number really useful for staff, so I want to change the
label to staff ID card number.

Regards

Barry

[Freeipa-users] export user info

2014-02-10 Thread barrykfl
Dear all:

Which command can export / show all user accounts and their info? Preferably in table
format.

Regards

Barry

[Freeipa-users] Upgrade of Free ipa in CENTOS 6

2014-02-10 Thread barrykfl
Dear all:

Does anyone have experience upgrading ipa-server-3.0.0-26.el6_4.4.x86_64 to
ipa-server-3.0.0-37.el6_4.4.x86_64 (just a minor patch/upgrade, I think)?

Is it just yum install and then OK??? I noticed some official documents, but they
are for FreeIPA 3.3 on Fedora... just yum / run the rpm and no need to shut
down.

Is it the same for the CentOS IPA 3.0 server?

http://www.freeipa.org/page/Releases/3.2.0#Upgrading

[Freeipa-users] By default on port 389 , any encryption between client and server

2014-02-11 Thread barrykfl
Hi all:

Some docs said it already has TLS built in on 389... is it nsslapd-minssf in
the dse.ldif?

Should I set up 636 LDAPS? Or is setting a higher nsslapd-minssf enough?

Which document describes the default secure connection of FreeIPA?

thks

barry
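
Barry's question has a server-side half and a client-side half. Enforcement lives in the 389-ds configuration under cn=config: nsslapd-minssf sets the minimum security strength factor a connection must reach (TLS, StartTLS or SASL GSSAPI confidentiality) before operations are accepted, nsslapd-require-secure-binds refuses simple binds over cleartext, and nsslapd-security / nsslapd-securePort control the separate LDAPS listener. What can be verified from a client is whether the port-389 listener offers StartTLS at all and whether the certificate it then presents validates, which is the same check that fails throughout this thread once the GoDaddy certificate expires. The probe below is an added example, not code from the thread or from FreeIPA: it hand-encodes the LDAPv3 StartTLS ExtendedRequest in BER, decodes the ExtendedResponse, and on success finishes the TLS handshake against a CA file (/etc/ipa/ca.crt is assumed as the default). The encoder and decoder run offline on constructed messages; only probe_starttls() touches the network.

```python
import socket
import ssl

# OID of the LDAPv3 StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# LDAP resultCode values a StartTLS probe is likely to meet.
RESULT_NAMES = {0: "success", 1: "operationsError", 2: "protocolError",
                13: "confidentialityRequired", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def encode_starttls_request(message_id):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] {
    requestName [0] LDAPOID } }, for message IDs below 128."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))   # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def read_tlv(buf, pos=0):
    """Decode the TLV starting at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_result(buf):
    """Decode an LDAPMessage whose operation starts like an LDAPResult
    (ExtendedResponse is tag 0x78 = APPLICATION 24).
    Returns (message_id, op_tag, result_code, diagnostic_message)."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    _, code, pos = read_tlv(op)             # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)    # matchedDN
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    return (int.from_bytes(mid, "big"), op_tag,
            int.from_bytes(code, "big"), diag.decode("utf-8", "replace"))


def probe_starttls(host, port=389, cafile="/etc/ipa/ca.crt", timeout=5.0):
    """Request StartTLS on the cleartext LDAP port, then finish the TLS handshake
    verifying the server certificate against cafile (IPA's CA by default; an
    assumption). Returns a report dict; certificate failures are reported, not raised."""
    report = {"host": host, "port": port}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_starttls_request(1))
        _, op_tag, code, diag = decode_ldap_result(sock.recv(4096))
        report["starttls"] = RESULT_NAMES.get(code, "resultCode %d" % code)
        report["diagnostic"] = diag
        if op_tag != 0x78 or code != 0:
            return report                   # refused, or StartTLS not offered
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                report["tls_version"] = tls.version()
                report["peer_subject"] = dict(rdn[0] for rdn in cert["subject"])
                report["not_after"] = cert["notAfter"]
        except ssl.SSLCertVerificationError as exc:   # e.g. "certificate has expired"
            report["tls_error"] = exc.verify_message
        except ssl.SSLError as exc:
            report["tls_error"] = str(exc)
    return report


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

A `starttls` of `success` followed by a `tls_error` such as "certificate has expired" is the client-side view of the situation in this thread; a `starttls` of `unwillingToPerform` or `protocolError` means the 389 listener does not offer StartTLS and only GSSAPI confidentiality or LDAPS on 636 can protect traffic. The probe says nothing about whether cleartext operations are also refused; that is the nsslapd-minssf setting and has to be read from the server configuration.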

[Freeipa-users] Allow freeipa send password to user

2014-02-17 Thread barrykfl
Is it possible to allow the password to be sent to a user after the user requests it?

I used one of the self-service password tools, pwm, but it seems it is not
compatible with retrieval of the password
using cert request / questions-and-answers retrieval.

thks

barry

[Freeipa-users] Response attribute to allow user unlock and retrieval of password

2014-02-17 Thread barrykfl
Dear all:

Is there any attribute that allows a user to retrieve a password, and a response to unlock and
allow sending the plain text password?


Regards

Barry

[Freeipa-users] Grey button in Reset password in the gui

2014-02-19 Thread barrykfl
Dear all:

I created an operator account and added the roles of user admin with reset
/ modify password privileges.

But when he logs in, the reset password button is grey?

Is there any more permission I should assign?

Now I can only add this operator to the admin group so he has full access rights.

thks

Barry

[Freeipa-users] Any command that can change the Directory Manager password

2014-03-17 Thread barrykfl
hi:

I accidentally changed uid admin's password... and then changed it back to the original.

BUT it seems that it also modified cn=directory manager, which can now conflict.

Some users cannot access using cn=directory manager.

Any idea? I tried the following command; it says the SSL connection is already
established and errors.


~]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd \
    -ZZ -D 'cn=directory manager' -W \
    -S uid=admin,cn=users,cn=accounts,dc=domain,dc=com
New password:

[Freeipa-users] Changing the admin password will change directory manager also???

2014-03-17 Thread barrykfl
Dear all:
As title?

I changed the admin (uid) password and then changed it back to the original. It seems it also
synced to directory manager. I wonder.

Now all applications integrated using cn=directory manager fail to
connect: authorization failed.

Any idea? Should I also change the directory manager password?

Any command and reference I can use?


Thanks

Re: [Freeipa-users] Export User fields from IPA

2014-03-20 Thread barrykfl
There is no export-all function, but it can export one account at a time, so I use a
while loop to do it with a txt file.


Is there a function to export/create report of these fields from the IPA?
I'm not finding anything in the guide.  Thanks.



These are some of the fields we know will need in a list of all accounts:



Userlogin (userid/username)

Job Title

Firstname

Lastname

Fullname

Email Address

Telephone Number

Org. Unit

User Groups

Account Enabled/Disabled

Date Created

Password Expiration

Last pw change

Last login/authentication date/time


2014-03-20 23:38 GMT+08:00 Mcadams, Shaun :

>  Is there a function to export/create report of these fields from the
> IPA?  I'm not finding anything in the guide.  Thanks.
>
>
>
> These are some of the fields we know will need in a list of all accounts:
>
>
>
> Userlogin (userid/username)
>
> Job Title
>
> Firstname
>
> Lastname
>
> Fullname
>
> Email Address
>
> Telephone Number
>
> Org. Unit
>
> User Groups
>
> Account Enabled/Disabled
>
> Date Created
>
> Password Expiration
>
> Last pw change
>
> Last login/authentication date/time
>
> Lockout Status
>
>
>
>
>
> Shaun McAdams
>
> National Government Services
>
> Health IT : CPI-Predictive Modeling
>
> (o) - 317.595.4905 / x2004905
>
> (c) - 317.430.9845
>
>
>
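
Both the February question about exporting all user accounts and Shaun's field list above are usually answered with one LDAP query instead of a per-user loop over `ipa user-show`. The converter below is an added example, not code from the thread or from FreeIPA: it takes LDIF as produced by `ldapsearch -Y GSSAPI -LLL` over the users container and turns it into a CSV table with the requested columns, handling folded lines, base64 (`::`) values and multi-valued memberOf. The LDIF embedded in it is constructed sample data and the base DN dc=abc,dc=com is an assumption. The attribute names (uid, title, givenName, sn, cn, mail, telephoneNumber, ou, memberOf, nsAccountLock, createTimestamp, krbPasswordExpiration, krbLastPwdChange, krbLastSuccessfulAuth) are the standard FreeIPA user attributes; createTimestamp is operational and must be requested explicitly, and krbLastSuccessfulAuth is empty when last-success recording is disabled or the user has never logged in.

```python
import base64
import csv
import io
import sys
from datetime import datetime

# Constructed sample of what
#   ldapsearch -Y GSSAPI -LLL -b cn=users,cn=accounts,dc=abc,dc=com \
#     '(objectClass=person)' uid title givenName sn cn mail telephoneNumber ou \
#     memberOf nsAccountLock createTimestamp krbPasswordExpiration \
#     krbLastPwdChange krbLastSuccessfulAuth
# returns. The base DN and both people are made up for this example.
SAMPLE_LDIF = """\
dn: uid=barry,cn=users,cn=accounts,dc=abc,dc=com
uid: barry
givenName: Barry
sn: Lam
cn: Barry Lam
title: Systems Administrator
mail: barry@abc.com
telephoneNumber: +852 2000 0000
ou: IT
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=abc,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=abc,dc=com
createTimestamp: 20140106084512Z
krbPasswordExpiration: 20140620084512Z
krbLastPwdChange: 20140322084512Z
krbLastSuccessfulAuth: 20140320064501Z

dn: uid=shaun,cn=users,cn=accounts,dc=abc,dc=com
uid: shaun
givenName: Shaun
sn: McAdams
cn:: U2hhdW4gTWNBZGFtcw==
mail: shaun@abc.com
ou: Health IT
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=abc,dc=com
nsAccountLock: TRUE
createTimestamp: 20140201120000Z
krbPasswordExpiration: 20140501120000Z
krbLastPwdChange: 20140201120000Z
"""

COLUMNS = ["login", "title", "first", "last", "full", "mail", "phone", "ou",
           "groups", "enabled", "created", "pw_expires", "pw_changed", "last_auth"]


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts. Handles folded
    continuation lines (leading space), base64 values (attr:: ...) and
    multi-valued attributes; comments and version lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:     # folded line continues the previous one
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(attr, []).append(value)
    return entries


def gtime(values):
    """Render an LDAP GeneralizedTime (YYYYmmddHHMMSSZ) as 'YYYY-MM-DD HH:MM:SS', or ''."""
    if not values:
        return ""
    return datetime.strptime(values[0], "%Y%m%d%H%M%SZ").strftime("%Y-%m-%d %H:%M:%S")


def row_for(entry):
    """Flatten one user entry into the CSV columns."""
    first = lambda attr: (entry.get(attr) or [""])[0]
    groups = ";".join(dn.split(",")[0][len("cn="):] for dn in entry.get("memberOf", []))
    return {"login": first("uid"), "title": first("title"), "first": first("givenName"),
            "last": first("sn"), "full": first("cn"), "mail": first("mail"),
            "phone": first("telephoneNumber"), "ou": first("ou"), "groups": groups,
            # nsAccountLock is absent (or FALSE) on enabled accounts
            "enabled": "no" if first("nsAccountLock").upper() == "TRUE" else "yes",
            "created": gtime(entry.get("createTimestamp")),
            "pw_expires": gtime(entry.get("krbPasswordExpiration")),
            "pw_changed": gtime(entry.get("krbLastPwdChange")),
            "last_auth": gtime(entry.get("krbLastSuccessfulAuth"))}


def ldif_to_rows(text):
    return [row_for(e) for e in parse_ldif(text) if "uid" in e]


def ldif_to_csv(text):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(ldif_to_rows(text))
    return out.getvalue()


if __name__ == "__main__":
    # ldapsearch ... | python3 ipa_users_csv.py > users.csv
    print(ldif_to_csv(SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()), end="")
```

Run it as `ldapsearch -Y GSSAPI -LLL -b cn=users,cn=accounts,<base DN> '(objectClass=person)' <attributes> | python3 ipa_users_csv.py > users.csv` after a kinit; the result is one row per account rather than one `ipa user-show` call per line of a text file. The krb* timestamps are stored in UTC, so the output is UTC as well.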

[Freeipa-users] using a 3rd party cert instead of the self-signed cert in IPA

2014-03-25 Thread barrykfl
Dear all:

When installed, it already generated a self-signed cert called mydomain.com and
runs the CA service. Now I want to check if it is OK to install a 3rd party one
replacing it... so

for httpd and my LDAP it will be https: my company domain (official cert), and
replace the below.

/etc/ipa/ca.crt
/usr/share/ipa/html/ca.crt

Is it possible? Or is there any side effect on the infrastructure if I change the cert?
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I saw some info on the web... but I have already launched and many users are
connected. If I replace the cert, will it make the LDAP invalid for
existing users???


Regards

Barry

[Freeipa-users] stop alias of https://abc.com/ipa/ui/

2014-03-25 Thread barrykfl
Dear sir:

Where can I set it to stop the alias of /ipa/ui redirection... and let

it just use the https://abc.com/ipa/ui/ absolute path?

thks

barry

[Freeipa-users] Any command that can extract the private key of the FreeIPA domain

2014-03-27 Thread barrykfl
I want to extract the private key of the self-signed cert.

[Freeipa-users] Trying to re-import the self-signed cert fails after using a 3rd party cert

2014-03-27 Thread barrykfl
Dear all:

I changed to using a 3rd party cert and now I tried to re-import the original
self-signed cert I backed up before, all in p12 format.

Server-Cert.p12 and ipacert.p12: I followed here and imported successfully.

BUT it shows an error during httpd restart that says untrusted source. Even when I
added "NSSEnforceValidCerts off", httpd worked but the web site was unable to be
accessed. Anywhere I missed where I must make it trusted again?

Also I tried a 2nd way, ipa-server-certinstall -w --http_pin=1234 (I
backed up the p12's password) Server-cert.p12, but it says incorrect password.

It seems that the pin in the txt file is encrypted and not the same as the
password I created when making Server-cert.p12.

Any idea?

7 23:58:19 2014] [error] SSL Library Error: -8172 Certificate is signed by
an untrusted issuer
[Thu Mar 27 23:58:19 2014] [error] Unable to verify certificate
'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can
start until the problem can be resolved.

Re: [Freeipa-users] change min and max lifetime of random password

2014-03-27 Thread barrykfl
Found an error today when browsing the cert services... is it related to the Dogtag
system... how to restart?

Certificate operation cannot be completed: Unable to communicate with CMS
(Not Found)

[Freeipa-users] add a cert of .net instead of .com error?

2014-04-10 Thread barrykfl
Dear all:

I added a *.abc.net cert with certutil -d /etc/httpd/alias and
/etc/dirsrv/slapd-ABC-COM

But an error comes out after I log in to the UI of the service and click into an entry.

cannot connect to 'https://cert1.abc.com:443/ca/agent/ca/displayBySerial':
[Errno -12276] (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely
with peer: requested domain name does not match the server's certificate.

[Freeipa-users] Handle openssl issue

2014-04-15 Thread barrykfl
Dear all:

http://heartbleed.com/ <- OpenSSL announced before.

We use a 3rd party official cert, ref. to this, and converted it to PKCS#12 format with
openssl. (CentOS 6.4, IPA 3.0)

http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Is there any patch that needs to be added for IPA, or at OS level?


Regards

Barry

[Freeipa-users] GoDaddy wildcard cert error

2014-06-04 Thread barrykfl
Dear all:

My host is abc.def.com

I imported a *.def.com cert from GoDaddy into dirsrv and a warning / error prompts.
Any idea?
Is it that I cannot use a *.def.com cert and must use a full host cert, abc.def.com???

Shutting down dirsrv:
PKI-IPA... [  OK  ]
def-COM...  [  OK  ]
Starting dirsrv:
PKI-IPA... [  OK  ]
def-COM...[04/Jun/2014:17:23:28 +0800] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for cert *.def.com -
GoDaddy.com, Inc. of family cn=RSA,cn=encryption,cn=config (Netscape
Portable Runtime error -8172 - Peer 's certificate issuer has been marked
as not trusted by the user.)
   [  OK  ]
[root@(LIVE)~]$ service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

[Freeipa-users] convert krbExtraData password to plain text

2014-06-15 Thread barrykfl
dear all:

Is it possible to query a FreeIPA account's password and display it in plain
text?

Or convert krbExtraData to plain text, rather than resetting it.

Regards

barry

[Freeipa-users] Error comes out at command prompt after add Godaddy cert

2014-06-16 Thread barrykfl
Now I cannot use the ipa command line, like ipa passwd. Anything missing? Do I need to
re-import the IPA cert?


ipa: ERROR: did not receive Kerberos credentials


certutil -d /etc/dirsrv/slapd-ABC-COM -L

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
*.abc.com - GoDaddy.com, Inc. u,u,u

[Freeipa-users] user forgets password, how to make them able to reset

2014-06-18 Thread barrykfl
Hi:

Is there any token method through email that can allow a user to authorize a password
reset on their own if the password cannot be retrieved?
What response attribute should be used?

I tried to use pwm (password manager) to ask FreeIPA by generating a
token for it,

but I have no idea how FreeIPA accepts the token and allows the reset and gives a direct
link to the user.

Regards

Barry

[Freeipa-users] Master-master not in sync, some user accounts cannot be deleted

2014-06-18 Thread barrykfl
Hi:

Found master 1 and 2 not in sync. Some accounts are not synced, and when I try to delete
those accounts they cannot be recreated, as it prompts that the POSIX private group
is present,

and I found there is no ipa group-del command in my version, FreeIPA 3 on
CentOS.

any idea ?

barry

[Freeipa-users] Rebuild agreement of cluster 1 and 2

2014-06-19 Thread barrykfl
Now

node1 can show ipa-replica-manage list:

1.abc.com: master
2.abc.com: master

But on node 2, typing ipa-replica-manage list gives:
Can't contact LDAP server

It seems broken on one side, node 2. Any method to rebuild?
The server trust was built with the self-signed CA cert before, but then it was changed to a
GoDaddy cert.

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-03 Thread barrykfl
Yes, they are running. Server 1 can sync to server 2 but there is an error at server 2
like this.
On 3 July 2014 at 22:14, "Rob Crittenden" wrote:

> Please keep replies on the list.
>
> barry...@gmail.com wrote:
> > I saw the error below and the error log; is it related?
> >
> > 29/Jun/2014:02:00:58 +0800] slapd_ldap_sasl_interactive_bind - Error:
> > could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
> > -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
> > GSS failure.  Minor code may provide more information (Credentials cache
> > file '/tmp/krb5cc_492' not found)) errno 0 (Success)
> > [29/Jun/2014:02:00:58 +0800] slapi_ldap_bind - Error: could not perform
> > interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>
> I believe this is fairly normal on a new startup. It has to start
> somewhere. The expired ticket errors below are unexpected since there
> are so many of them. Is your KDC running?
>
> ipactl status
>
> rob
>
> >
> >
> > 2014-07-02 14:15 GMT+08:00 barry...@gmail.com:
> >
> >
> > This is the error log I found at 2.abc.com
> >
> > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:31 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:31 +0800] slapi_ldap_bind - Error: could not
> > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
> > [30/Jun/2014:12:51:31 +0800] NSMMReplicationPlugin -
> > agmt="cn=meTo1.abc.com " (central:389):
> > Replication bind with GSSAPI auth failed: LDAP error -2 (Local
> > error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
> > failure.  Minor code may provide more information (Ticket expired))
> > [30/Jun/2014:12:51:34 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:35 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:35 +0800] slapi_ldap_bind - Error: could not
> > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
> > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:40 +0800] slapd_ldap_sasl_interactive_bind -
> > Error: could not perform interactive bind for id [] mech [GSSAPI]:
> > LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI
> > Error: Unspecified GSS failure.  Minor code may provide more
> > information (Ticket expired)) errno 0 (Success)
> > [30/Jun/2014:12:51:40 +0800] slapi_ldap_bind - Error: could not
> > perform interactive bind for id [] mech [GSSAPI]: error -2 (Local
> error)
> >
> >
> > 2014-07-02 12:32 GMT+08:00  > >:
> >
> > Yes, on node 1 it is happening; only node2 fails to connect
> >
> > ipa-replica-manage list 2.abc.com 
> > Directory Manager password:
> >
> > 1.abc.com : replica
> >
> >
> >
> > 2014-06-30 20:59 GMT+08:00 Rob Crittenden  > >:
> >
> > Barry wrote:
> > > Hi:
> > >
> > > Server 1 and Server 2 were originally a master-master cluster,
> > but server 2
> > > fails to connect to server1.
> > >
> > > ipa-replica-manage list shows Can't contact LDAP server
> > >
> > > But on server1 it is ok: master server1, master server2,
> > >
> > > It seems affected: if updated on server 1 then it syncs to
> > server2 no problem
> > > but sometimes if modified in server2 it fails to 

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-03 Thread barrykfl
Just sure now one side of the flow is broken: if you update server1, it 100% works and
server2 will be upgraded.
But if you update server2 there is a chance of non-sync, e.g. it creates a username in
server1 with posix grp > ok
but in server2 it only created the posix grp but no username/attribute; it
occurred several times. I have to use the command line grp del ...etc. to force
delete them and recreate them.

Result below:

server2.abc.com: replica
  last init status: None
  last init ended: None
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2014-07-04 00:33:18+00:00

Directory Manager password:

server1.abc.com: replica
  last init status: 0 Total update succeeded
  last init ended: 2014-06-20 10:07:02+00:00
  last update status: 0 Replica acquired successfully: Incremental update
succeeded
  last update ended: 2014-07-04 01:14:19+00:00



[root@(LIVE)server2 ~]$  ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING


2014-07-04 1:34 GMT+08:00 Rob Crittenden :

> barry...@gmail.com wrote:
> > Yes they are running. Server 1 can syn to server2 but error at server 2
> > like this.
>
> How do you know server 1 is syncing with server 2?
>
> On server 1 I'd run:
>
> ipa-replica-manage list -v `hostname`
>
> This will show the replication status.
>
> And what does ipactl status show on server 2?
>
> rob

Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-04 Thread barrykfl
FOUND something strange: server 1 replicates to itself rather than to
server2

Server1 access log > Wrong
[04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
192.168.15.89( server1 )  to 192.168.15.89 (server1)


Server 2 access log > OK
[04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from
192.168.15.89(server2) to 192.168.15.88 (server2)



Re: [Freeipa-users] ipa-replica-manage list fail on server 2

2014-07-08 Thread barrykfl
FYI..
160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
192.168.156.89 to 192.168.156.89
163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1

There is nothing about binding but I am unsure how to fix ..




2014-07-09 2:01 GMT+08:00 Rich Megginson :

>  On 07/08/2014 02:16 AM, barry...@gmail.com wrote:
>
> Resent as size limit.
>
>
>  Here you are: server1's access log; it seems one side is broken
>
>  The problem is how to make it replicate again.
>
>  At server 1
>
>  it is ok: master server1, master server2
>
>
>   On the other side, server 2 contains 2 IP replication.
>
>  ipa-replica-manage list shows Can't contact LDAP server
>
>  I don't know why, but the problematic server is server 2, not server 1
>
>  log of server2
> [08/Jul/2014:16:02:40 +0800] conn=3299731 fd=69 slot=69 connection from
> 192.168.15.89 (server1) to 192.168.15.88(server2)
>  [08/Jul/2014:16:02:40 +0800] conn=3299731 op=-1 fd=69 closed - B1
> [08/Jul/2014:16:02:40 +0800] conn=3299732 fd=69 slot=69 connection from
> 192.168.15.89 to 192.168.15.88
> [08/Jul/2014:16:02:40 +0800] conn=3299732 op=-1 fd=69 closed - B1
> [08/Jul/2014:16:02:41 +0800] conn=3299733 fd=69 slot=69 connection from
> 192.168.15.89 to 192.168.15.88
> [08/Jul/2014:16:02:41 +0800] conn=3299733 op=-1 fd=69 closed - B1
>
>
> You never answered my question below.  "Are you sure that this connection
> is a replication session?  Can you post all of the operations from the
> access log from conn=936207?"
>
> In the future, please avoid spamming the list with large log files.  In
> general, it's better to provide excerpts from the log files showing the
> problem, paste them to fpaste.org, and post the link to the mailing
> list.  If for some reason you need to post a large file, please use a file
> sharing service and post the link to the file.
>
> Can you take a look at your errors log from server 1 and server 2 and see
> if there are any relevant errors?
>
> If I had to guess, I would say that there is some sort of network error
> between server 1 and server 2 that causes the excessive closed - B1.
> Perhaps there will be more information in the errors log.
>
>
>
>
>
> 2014-07-07 22:21 GMT+08:00 Rich Megginson :
>
>>  On 07/04/2014 03:28 AM, barry...@gmail.com wrote:
>>
>> FOUND something strange: server 1 replicates to itself rather than to
>> server2
>>
>>  Server1 access log > Wrong
>> [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from
>> 192.168.15.89( server1 )  to 192.168.15.89 (server1)
>>
>>
>>  Are you sure that this connection is a replication session?  Can you
>> post all of the operations from the access log from conn=936207?
>>
>>
>>
>>
>>  Server 2 access log > OK
>> [04/Jul/2014:12:35:30 +0800] conn=936208 fd=74 slot=74 connection from
>> 192.168.15.89(server2) to 192.168.15.88 (server2)
>>
>>
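
Rich's question above (is conn=936207 really a replication session?) can be answered by grouping a server's access log by connection id. The following Python is an added example, not code from the thread: it parses 389-ds access-log lines in the format quoted above (the sample lines are constructed), records each connection's bind identity and disconnect code, and classifies it; the disconnect-code meanings are the ones 389-ds documents for its access log.

```python
"""Group 389-ds access-log lines by conn= id and say what each connection did.

Added example, not code from the thread. The sample lines are constructed in
the style of the excerpts quoted in the thread (including the "NNN: " prefix
that grep -n adds); disconnect-code meanings are those 389-ds documents for
its access log.
"""
import re
from collections import OrderedDict

# Codes 389-ds appends after "closed - " when a connection goes away.
DISCONNECT_CODES = {
    "A1": "client aborted the connection",
    "B1": "bad BER tag encountered (the peer never sent a valid LDAP PDU)",
    "T1": "idle timeout",
    "U1": "closed cleanly by an UNBIND",
}

LINE_RE = re.compile(r"^(?:\d+:\s*)?\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPEN_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
OP_RE = re.compile(r"op=(?P<op>-?\d+) (?P<body>.*)")
CLOSE_RE = re.compile(r"closed - (?P<code>[A-Z]\d)")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'RESULT err=(?P<err>\d+)(?:.* dn="(?P<dn>[^"]*)")?')


def new_conn():
    return {"src": None, "dst": None, "ops": [], "closed": None,
            "bind_mech": None, "pending_dn": None, "bound_as": None}


def parse_access_log(lines):
    """Return an ordered dict conn-id -> summary of that connection."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something pasted that is not a log record
        c = conns.setdefault(m.group("conn"), new_conn())
        rest = m.group("rest")
        o = OPEN_RE.search(rest)
        if o:
            c["src"], c["dst"] = o.group("src"), o.group("dst")
            continue
        op = OP_RE.search(rest)
        if not op:
            continue
        body = op.group("body")
        cl = CLOSE_RE.search(body)
        if cl:
            c["closed"] = cl.group("code")
            continue
        c["ops"].append((int(op.group("op")), body))
        b = BIND_RE.search(body)
        if b:
            c["bind_mech"] = b.group("mech") or b.group("method")
            c["pending_dn"] = b.group("dn")  # a simple bind names its identity here
        r = RESULT_RE.search(body)
        # tag=97 marks a bind response; a successful SASL bind reports the
        # mapped identity on its RESULT line, a simple bind on the BIND line.
        if r and "tag=97" in body and r.group("err") == "0":
            c["bound_as"] = r.group("dn") or c["pending_dn"] or None
    return conns


def classify(c):
    """One-line verdict on what a connection was."""
    if c["bound_as"] and c["bind_mech"] == "GSSAPI" and "krbprincipalname=ldap/" in c["bound_as"]:
        # IPA replication agreements bind with GSSAPI as the supplier's ldap/<fqdn> principal.
        return "replication-style session: GSSAPI bind as %s" % c["bound_as"]
    if c["bound_as"]:
        return "LDAP session: %s bind as %s" % (c["bind_mech"], c["bound_as"])
    if not c["ops"]:
        meaning = DISCONNECT_CODES.get(c["closed"], "unknown disconnect code")
        return "no operations before close (%s: %s)" % (c["closed"], meaning)
    return "%d operation(s) but no successful bind" % len(c["ops"])


def summarize(lines):
    """Map each conn id to its verdict, in first-seen order."""
    return OrderedDict((cid, classify(c)) for cid, c in parse_access_log(lines).items())


# Constructed sample: conn=936207 mirrors the thread's puzzling entry (opened and
# closed with B1, no operations); conn=936208 is what a replication bind looks like.
SAMPLE_LOG = """\
160: [04/Jul/2014:12:35:30 +0800] conn=936207 fd=73 slot=73 connection from 192.168.156.89 to 192.168.156.89
163: [04/Jul/2014:12:35:30 +0800] conn=936207 op=-1 fd=73 closed - B1
[04/Jul/2014:12:35:31 +0800] conn=936208 fd=74 slot=74 connection from 192.168.156.89 to 192.168.156.88
[04/Jul/2014:12:35:31 +0800] conn=936208 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:31 +0800] conn=936208 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Jul/2014:12:35:31 +0800] conn=936208 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Jul/2014:12:35:31 +0800] conn=936208 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/server1.abc.com@ABC.COM,cn=services,cn=accounts,dc=abc,dc=com"
[04/Jul/2014:12:35:31 +0800] conn=936208 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl"
[04/Jul/2014:12:35:31 +0800] conn=936208 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[04/Jul/2014:12:35:40 +0800] conn=936208 op=3 UNBIND
[04/Jul/2014:12:35:40 +0800] conn=936208 op=3 fd=74 closed - U1
"""

if __name__ == "__main__":
    for cid, verdict in summarize(SAMPLE_LOG.splitlines()).items():
        print("conn=%s: %s" % (cid, verdict))
```
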

[Freeipa-users] Possible to extract password of ldap

2014-07-31 Thread barrykfl
Hi :

Is it possible for an admin to read the clear text passwords of IPA users?

I am facing the issue of a half rollout, as half the volume of users have changed their
passwords already.

And if I deploy and reset all passwords then it may cause issues for this half,

and we don't have records of which users' passwords were sent.

[Freeipa-users] Del private group fail even using command

2014-08-01 Thread barrykfl
Hi:

I followed the command found here and want to delete a private group, but it fails. Any
idea?
It said line 5 attribute error; is any syntax wrong?

ldapsearch -LLL -Y GSSAPI cn=barry

 ldapmodify -Y GSSAPI <-- 

[Freeipa-users] check access log of when a user login integrated system

2014-08-12 Thread barrykfl
Hi all:

I have a Bugzilla integrated with LDAP... is it possible to check
when a user logs in through the access log of the LDAP FreeIPA server?

What should the line look like?

thks

barry

[Freeipa-users] dirsrv access log redirect

2014-08-19 Thread barrykfl
Dear all:

I have 2 servers as a cluster... how can I redirect all of server2's
/var/log/dirsrv/slapd-abc.com/access logs to server 1's /var/log/dirsrv/slapd-abc.com/access

so I can view them once? What config should I consider? Or should I use syslog
to collect server2
and redirect all to server 1?

thks

[Freeipa-users] Max life set 0 already but still prompt admin reset password every 3 months

2014-09-11 Thread barrykfl
Hi:

I set max life to no expiry already but it still prompts to reset password every 3
months

any idea to disable it??? what is happening

Regards

[Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-06 Thread barrykfl
gpg

Creating SSL certificate for the Directory Server
ipa : ERROR cert validation failed for "CN=central.ABC.com,O=
ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e

[Freeipa-users] make a new server and migrate old data

2017-03-06 Thread barrykfl
Hi:

I have a FreeIPA 3.0 server... and want to make a new server, ignoring anything cert
related.

E.g. I clean-install a server using the default FreeIPA server cert... and copy
the dirsrv data to the new one.
Can I just copy /etc/dirsrv schema, usernames/passwords and groups?

Also, if I copy these to a 4.0 server, any issue?


Regards

barry

Re: [Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-07 Thread barrykfl
Same as the replica gpg making.... Found this cert expired in 2015 only,,?
But I followed the manual here:

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

It was imported as EXT-CA as the alias rather than the server cert by default... Is there
anywhere pointing wrong?

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

*.ABC.com                                                    ,,
EXT-CA                                                       CT,C,C
ABC.COM IPA CA                                               CT,,C
Server-Cert                                                  u,u,u


Request ID '20160516111257':
status: CA_UNREACHABLE
ca-error: Server at https://central.ABC.com/ipa/xml failed request,
will retry: 907 (RPC failed at server.  cannot connect to '
https://central.ABC.com:443/ca/agent/ca/displayBySerial':
(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=ABC.COM
subject: CN=central.ABC.com,O=ABC.COM
expires: 2015-11-23 08:42:52 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes

2017-03-07 19:24 GMT+08:00 Barry :

> Same as before, I already followed part < 4.1 as below:
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
> The Comodo cert is the new cert /
> It seems I am nearly right: the HTTP server side can read the trusted cert
> BUT it seems dirsrv is still lacking a CA cert to verify it ./..
> but ca.crt was changed to the new one already and imported
>
> ABC-COM...[07/Mar/2017:19:17:22 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert *.ABC.com -
> COMODO CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
>
> 2017-03-07 17:16 GMT+08:00 Florence Blanc-Renaud :
>
>> Hi,
>>
>> In IPA < 4.5, ipa-replica-prepare was using /etc/ipa/ca.crt as
>> Certificate Authority, and this file may be outdated. Running
>> ipa-certupdate may fix your issue. See [1]
>>
>> If it doesn't, you can start by identifying which certificate expired with
>> $ sudo getcert list | egrep -e 'expires|Request ID|subject'
>>
>> HTH,
>> Flo
>>
>> [1] https://pagure.io/freeipa/issue/6375
>>
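
Florence's suggestion above (find the expired certificate with getcert list) can be automated. This Python script is an added example, not code from the thread or from certmonger: it parses getcert list output in the format quoted above, flags requests that are expired, close to expiry or not in MONITORING state, and reports the NSS database and nickname each tracked certificate lives in, which is the location to inspect when an old certificate is still being picked up. The first sample record is the one quoted above; the second is constructed as a healthy counterpart.

```python
"""Parse `getcert list` output and flag certificates that need attention.

Added example, not code from the thread or from certmonger. The first sample
record reproduces the request quoted in the thread; the second is constructed
as a healthy counterpart.
"""
import re
from datetime import datetime, timedelta

# Field names getcert prints under each "Request ID" header.
KNOWN_KEYS = {
    "status", "ca-error", "stuck", "key pair storage", "certificate", "CA",
    "issuer", "subject", "expires", "key usage", "eku", "pre-save command",
    "post-save command", "track", "auto-renew",
}
REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
NSSDB_RE = re.compile(r"location='(?P<loc>[^']*)'.*nickname='(?P<nick>[^']*)'")


def parse_getcert_list(text):
    """Return a list of dicts, one per 'Request ID' block, keyed by field name."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in KNOWN_KEYS:
            current[key] = value.strip()
            last_key = key
        elif last_key:
            # a value wrapped onto the next line (as mail clients do) is joined back
            current[last_key] = (current[last_key] + " " + line).strip()
    return requests


def nss_location(req):
    """(NSS database directory, nickname) that the tracked certificate lives in."""
    m = NSSDB_RE.search(req.get("certificate", ""))
    return (m.group("loc"), m.group("nick")) if m else (None, None)


def check_requests(requests, now, warn_days=30):
    """List (request_id, subject, reason) for every record needing attention.

    `now` is a datetime or a 'YYYY-MM-DD' string, passed in so runs are reproducible.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    problems = []
    for req in requests:
        rid, subject = req["request_id"], req.get("subject", "?")
        status = req.get("status")
        if status != "MONITORING":
            detail = req.get("ca-error")
            reason = "status %s" % status + (" (ca-error: %s)" % detail if detail else "")
            problems.append((rid, subject, reason))
        expires = req.get("expires")
        if expires:
            exp = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            if exp <= now:
                problems.append((rid, subject, "expired on %s" % expires))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((rid, subject, "expires within %d days (%s)" % (warn_days, expires)))
    return problems


SAMPLE_GETCERT = """\
Request ID '20160516111257':
        status: CA_UNREACHABLE
        ca-error: Server at https://central.ABC.com/ipa/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://central.ABC.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central.ABC.com,O=ABC.COM
        expires: 2015-11-23 08:42:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes
Request ID 'constructed-healthy':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=ABC.COM
        subject: CN=central.ABC.com,O=ABC.COM
        expires: 2018-03-07 00:00:00 UTC
        track: yes
        auto-renew: yes
"""

if __name__ == "__main__":
    reqs = parse_getcert_list(SAMPLE_GETCERT)
    by_id = {r["request_id"]: r for r in reqs}
    # "2017-03-07" is the date of the thread; use datetime.utcnow() for a live check.
    for rid, subject, reason in check_requests(reqs, now="2017-03-07"):
        loc, nick = nss_location(by_id[rid])
        print("%s (%s in %s, %s): %s" % (rid, nick, loc, subject, reason))
```

On a live server, feed it `getcert list` output instead of the sample and run it on every host that the replica will contact.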

Re: [Freeipa-users] Make Gpg replica fail , where cert store I should update new ?

2017-03-07 Thread barrykfl
I think I already input all the CA certs and the server cert


certutil -d /etc/dirsrv/slapd-PKI-IPA/ -L
Trust Attributes

SSL,S/MIME,JAR/XPI
*.wisers.com  < it is the server wild card cert
already
EXT-CA   CT,C,C https://central.ABC9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 490, in 





2017-03-07 21:51 GMT+08:00 Rob Crittenden :

> barry...@gmail.com wrote:
> > Same as the replica gpg making.... Found this cert expired in 2015
> > only,,? But I followed the manual here:
> >
> > https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1
>
> If you are using 3rd party certs elsewhere then why not provide 3rd
> party certs for this replica as well?
>
> It seems like you aren't using the IPA-provided CA at all given its
> certs expired in 2015.
>
> rob
>

[Freeipa-users] Replica fail to create , all new cert already inside

2017-03-08 Thread barrykfl
Hi:

I already input the new cert, but ipa-replica-prepare central03.ABC.com (ipa
3.0) fails with the error below:
which "location" should I check where the old cert is still inside somewhere?

Below I already input the CA / server cert .. and the nssdb pointing is right
.. already spent several days checking where it is. I also tried using the
pfx for the cert directly but the same error comes out... it seems it still uses the old
cert to compare.

Any idea ? many thanks

/var/lib/pki-ca/alias
/etc/dirsrv/slapd-PKI-IPA/
/etc/dirsrv/slapd-ABC-COM/
/etc/httpd/alias/
/etc/pki/nssdb/

I used similar commands as below, and followed the steps here: the https web side is
already using the new one and dirsrv has no error on starting; only I cannot do replicas.

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP#Procedure_in_IPA_.3C_4.1

certutil -A -d  /var/lib/pki-ca/alias/ -n 'EXT-CA' -t CT,C,C -a -i
/root/ca.crt


ipa : ERROR cert validation failed for "CN=central.ABC.com,O=
ABC.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
preparation of replica failed: cannot connect to '
https://central.ABCcom:9444/ca/ee/ca/profileSubmitSSLClient':
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

Regards

Barry

[Freeipa-users] Create Replica fail any idea?? thz

2017-03-09 Thread barrykfl
No expired cert prompt comes out. All services in ipa status OK,
and port 9444 can be telnetted

Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to '
https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e

[Freeipa-users] install freeipa amazon Linux

2017-03-12 Thread barrykfl
Hi:

Does anyone have experience installing FreeIPA on Amazon Linux, based on Fedora?

I tried installing the repo myself but it fails, only saying no such freeipa

Which repo should I use... I already tried many different sources, still fail.

It seems it has its own Amazon Linux repo.

thks

barry

[Freeipa-users] any idea this error ? relate to memory?

2017-03-15 Thread barrykfl
Port 8443 is already open in the firewall but it still fails. The web
hosting has only 1 GB of memory, with 600 MB still free.

2017-03-15T01:36:47Z DEBUG The ipa-server-install command failed,
exception: NetworkError: cannot connect to
'https://centralaws.ABC.com:8443/ca/rest/account/login': Could not connect
to centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
Network address type not supported.
2017-03-15T01:36:47Z ERROR cannot connect to
'https://aws.ABC.com:8443/ca/rest/account/login': Could not connect to
centralaws.ABC.com using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR)
Network address type not supported.
2017-03-15T01:36:47Z ERROR The ipa-server-install command failed. See
/var/log/ipaserver-install.log for more information

Thanks

[Freeipa-users] MAKE Freeipa replica not work now

2017-03-28 Thread barrykfl
Hi all:

Port 9444 can be reached with telnet. Any idea? The log is shown below, as I
don't have any more ideas. If I plan to migrate to a server of the same
version, what do I have to copy? As I saw, the migration steps are also
similar to the replica steps, so I am now stuck on those steps. Are there any
manual copy steps? When I copy and paste the LDAP of ABC.com and slapd_PKI,
it cannot start up. Can I just move slapd_ABC.com's ldif and ignore the
others? Many thanks

Preparing replica for central.ABC.com from central.wisers.com
Creating SSL certificate for the Directory Server
preparation of replica failed: cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
cannot connect to
'https://central.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
(PR_END_OF_FILE_ERROR) Encountered end of file.
  File "/usr/sbin/ipa-replica-prepare", line 490, in 
main()

  File "/usr/sbin/ipa-replica-prepare", line 361, in main
export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert",
replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 150, in export_certdb
raise e