[Freeipa-users] Re: Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

2018-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, just a wild guess but was ipa installed with a umask more restrictive than 022? You may also want to start ipa in debug mode in order to have more traces:
$ cat /etc/ipa/server.conf
[global]
debug=True
$ ipactl restart
HTH, Flo
On 01/18/2018 08:42 AM, Alexandre Pitre via FreeIPA-users

[Freeipa-users] Re: Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

2018-01-17 Thread Alexandre Pitre via FreeIPA-users
SELinux is disabled in our CentOS template. Good hypothesis tho. On Jan 18, 2018 01:36, "Tony Brian Albers via FreeIPA-users" < freeipa-users@lists.fedorahosted.org> wrote: > On 01/18/2018 02:24 AM, Alexandre Pitre via FreeIPA-users wrote: > > Hi, > > > > I recently deployed a new FreeIPA domain

[Freeipa-users] ipa-server-install get error Configuration of CA failed

2018-01-17 Thread None via FreeIPA-users
Hi, I was installing FreeIPA on REDHAT 6.7. I used yum install ipa-server and then ipa-server-install. But the ipa-server-install failed with the below error; can anyone give some advice on what could be the root cause? Thanks ahead.
[3/21]: configuring certificate server instance
ipa :

[Freeipa-users] Re: Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

2018-01-17 Thread Tony Brian Albers via FreeIPA-users
On 01/18/2018 02:24 AM, Alexandre Pitre via FreeIPA-users wrote: > Hi, > > I recently deployed a new FreeIPA domain running on CentOS 7.4 and > FreeIPA 4.5 > > The installation went without hiccups but the WebUI isn't working as > expected. Logging in with admin failed with this error: > >

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Chris Moody via FreeIPA-users
That being said, just tried again on an ubuntu 14.04 node with these same CLI params, and it failed, but the logs are complaining about "SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user", which never was reported in the ubuntu 16 system's logs.

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Chris Moody via FreeIPA-users
Just attempted the '--server' option you mention, as well as the '--domain' value that the parameter requires, and it actually SUCCEEDED in joining! I received "Client configuration complete." via the ipa-client-install command and was just able to successfully login to this node with a user in

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Chris Moody via FreeIPA-users
Server:
=
[root@sfca-do-4 ~]# ipa --version
VERSION: 4.4.4, API_VERSION: 2.215
[root@sfca-do-4 ~]# cat /etc/fedora-release
Fedora release 25 (Twenty Five)
Client Node:
=
root@sfca-do-1:~# ipa-client-install --version
4.3.1
root@sfca-do-1:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu

[Freeipa-users] Login failed due to unknow reason on the WebUI on new FreeIPA 4.5 installation

2018-01-17 Thread Alexandre Pitre via FreeIPA-users
Hi, I recently deployed a new FreeIPA domain running on CentOS 7.4 and FreeIPA 4.5. The installation went without hiccups but the WebUI isn't working as expected. Logging in with admin failed with this error: Login failed due to an unknow reason. I've seen this issue with every FreeIPA 4.5

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Rob Crittenden via FreeIPA-users
Chris Moody wrote:
> Thanks for taking a look gents. Ask and ye shall receive. :)
>
What version of IPA is this and what platform? Before an install can you ensure that there is nothing in /etc/krb5.conf.d/ (except maybe crypto-policies)? Same with /var/lib/sss/pubconf/krb5.include.d/

[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-17 Thread Rob Crittenden via FreeIPA-users
Dimitris Zilaskos wrote: > Hi, > > Just wondering if anyone had the time to take a look at this. My > understanding is that everything works up to the point that kerberos > authentication takes place successfully, but for some reason the ticket > obtained does not get stored. I guess I'd try to

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Chris Moody via FreeIPA-users
Affirmative, it is all caps in the logs. I can re-send the log with the redactions case sensitive if that's helpful.  My apologies for causing confusion via my obfuscation. -Chris On 1/17/18 12:36 PM, Robbie Harwood wrote: > Chris Moody writes: > >> On 1/17/18 8:27 AM,

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Chris Moody via FreeIPA-users
Yes - I am redacting just the 2nd level domain name portion from any logs. -Chris On 1/17/18 8:27 AM, Robbie Harwood wrote: > Chris Moody writes: > >> Thanks for taking a look gents.  Ask and ye shall receive.  :) >> >> -Chris >> >> ===[ CLI output ]== >>

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Callum Guy via FreeIPA-users
That's an incredible response, thank you so much Alexander. I'll take my time digesting that and look into correcting the current configuration. With all that information I am pretty certain I can resolve several other mis-configured services, I can't thank you enough! On Wed, Jan 17, 2018 at

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 17 Jan 2018, Callum Guy wrote: Hi Alex, I have now managed to create valid certificates after following your provided example however I do have some questions. Firstly in my situation there are multiple proxy instances which are servicing this domain, for this reason I attempted to

[Freeipa-users] Re: freeipa-client joins keep failing : Cannot find KDC for realm

2018-01-17 Thread Robbie Harwood via FreeIPA-users
Chris Moody writes: > Thanks for taking a look gents.  Ask and ye shall receive.  :) > > -Chris > > ===[ CLI output ]== > root@sfca-do-1:~# ipa-client-install -p admin --mkhomedir > --hostname=`hostname` > Discovery was successful! > Client hostname:

[Freeipa-users] Re: how to avoid ntpd?

2018-01-17 Thread Rob Crittenden via FreeIPA-users
Harald Dunkel via FreeIPA-users wrote: > On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote: >> >> That's fine but it doesn't address the original problem: he doesn't want >> anything managing the clock on his system at all: >> >> "some ipa servers in my environment are not permitted

[Freeipa-users] Re: how to avoid ntpd?

2018-01-17 Thread Harald Dunkel via FreeIPA-users
On 01/15/2018 09:04 PM, Rob Crittenden via FreeIPA-users wrote: That's fine but it doesn't address the original problem: he doesn't want anything managing the clock on his system at all: "some ipa servers in my environment are not permitted to change the clock." These are LXC containers

[Freeipa-users] Re: CCacheError: did not receive Kerberos credentials

2018-01-17 Thread Dimitris Zilaskos via FreeIPA-users
Hi, Just wondering if anyone had the time to take a look at this. My understanding is that everything works up to the point that kerberos authentication takes place successfully, but for some reason the ticket obtained does not get stored. Best regards, Dimitrios On Mon, Jan 15, 2018 at 9:21

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Callum Guy via FreeIPA-users
Thanks so much Alexander - I'll have a go and come back if I experience any difficulties. Have a good day! On Wed, Jan 17, 2018 at 11:06 AM Alexander Bokovoy wrote: > On Wed, 17 Jan 2018, Callum Guy via FreeIPA-users wrote: > >Hi All, > > > >I'm planning to add a

[Freeipa-users] Re: Basic Certificate Creation Question

2018-01-17 Thread Alexander Bokovoy via FreeIPA-users
On Wed, 17 Jan 2018, Callum Guy via FreeIPA-users wrote: Hi All, I'm planning to add a subdomain certificate for an internal web service using FreeIPA CA however in my example I am applying the certificate to an interim proxy server. For example I want to sign a certificate for

[Freeipa-users] Basic Certificate Creation Question

2018-01-17 Thread Callum Guy via FreeIPA-users
Hi All, I'm planning to add a subdomain certificate for an internal web service using FreeIPA CA however in my example I am applying the certificate to an interim proxy server. For example I want to sign a certificate for "web.domain.com" and serve it on host "proxy.domain.com". Based on what I