[Freeipa-users] Re: How to recover from "split brain"

2018-01-31 Thread Andrew Radygin via FreeIPA-users
Though you can completely rebuild preprod servers, still it would be interesting how to reconnect prod servers with replicas again. 2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users < freeipa-users@lists.fedorahosted.org>: > ok, did a little googling, and seems like KRA refers to the "vault"

[Freeipa-users] Re: Issue with SCEP enrollment to sub-CA

2018-01-31 Thread Trevor Vaughan via FreeIPA-users
As an update, the sscep application set works properly with the sub-CA so it's definitely an issue on the certmonger side of things. sscep in AES mode throws an exception in Dogtag and, unfortunately, sscep also doesn't support above SHA1. That said, it's at least reasonable isolation of the

[Freeipa-users] How to recover from "split brain"

2018-01-31 Thread Rob Brown via FreeIPA-users
I have 4 IPA servers, all masters, that were previously configured in a "full mesh" replication. 2 in "prod", 2 in "preprod". While trying to fix a replication issue, I accidentally did a: ipa-replica-manage del on one of the prod servers for BOTH preprod servers. Now, the prod servers don't

[Freeipa-users] Re: Host certificates association across IPA servers

2018-01-31 Thread Rob Crittenden via FreeIPA-users
David Harvey via FreeIPA-users wrote: > Dear ipa-users, > > I've recently observed a pattern where adding a host certificate to a > host only shows the association in the GUI for the server which issues > the cert. I'm running FreeIPA 4.4.4. > > I request a certificate from the host(s) in

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 4:07 PM, TomK via FreeIPA-users wrote: On 1/31/2018 2:34 PM, Jakub Hrozek via FreeIPA-users wrote: On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote: On 1/31/2018 12:21 PM, TomK wrote: On 1/31/2018 9:41 AM, Jakub Hrozek wrote: See inline.. On Wed, Jan 31,

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 2:34 PM, Jakub Hrozek via FreeIPA-users wrote: On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote: On 1/31/2018 12:21 PM, TomK wrote: On 1/31/2018 9:41 AM, Jakub Hrozek wrote: See inline.. On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: On 1/31/2018

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 2:34 PM, Jakub Hrozek via FreeIPA-users wrote: On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote: On 1/31/2018 12:21 PM, TomK wrote: On 1/31/2018 9:41 AM, Jakub Hrozek wrote: See inline.. On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: On 1/31/2018

[Freeipa-users] Re: Certificates renewing with the wrong Subject

2018-01-31 Thread Rob Crittenden via FreeIPA-users
Roderick Johnstone via FreeIPA-users wrote: > On 25/01/2018 16:56, Roderick Johnstone via FreeIPA-users wrote: >> On 25/01/2018 13:43, Rob Crittenden via FreeIPA-users wrote: >>> Roderick Johnstone via FreeIPA-users wrote: On 24/01/2018 21:09, Rob Crittenden via FreeIPA-users wrote: >

[Freeipa-users] Re: certmonger .service fail to start

2018-01-31 Thread Rob Crittenden via FreeIPA-users
barrykfl--- via FreeIPA-users wrote: > Auto reboot fail , I just try manual bootup cermonger.service still fail > > sudo systemctl -f start  certmonger.service > > Jan 30 11:03:01 dbus[537]: [system] Activating systemd to h > Jan 30 11:03:01 dbus-daemon[537]: dbus[537]: [system] Activ > Jan 30

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote: > On 1/31/2018 12:21 PM, TomK wrote: > > On 1/31/2018 9:41 AM, Jakub Hrozek wrote: > > > See inline.. > > > > > > On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: > > > > On 1/31/2018 3:18 AM, TomK via FreeIPA-users

[Freeipa-users] Re: Issue with SCEP enrollment to sub-CA

2018-01-31 Thread Trevor Vaughan via FreeIPA-users
Hi Rob, Thanks for getting back to me, I have no idea how I missed this message. I dug through the CA and KRA debug logs and don't see any PKCS7 output anywhere. I've been running certmonger in debug mode connected to the foreground and haven't really gotten anywhere there either. I did

[Freeipa-users] Documented monitoring best practices

2018-01-31 Thread Alex Corcoles via FreeIPA-users
Hi all, Is there any official literature about how to monitor FreeIPA? The upstream guide mentions: 1) Testing clients using id https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/client-test 2) Adding a user on a

[Freeipa-users] Re: Home directory not being created in log in

2018-01-31 Thread Petros Triantafyllidis via FreeIPA-users
In case you are using kerberized NFS4, make sure that in your /etc/exports file on your NFS server security is set to sys. In my setup, that was the only option that worked (for mkhomedir): #cat /etc/exports /export/home  192.168.161.0/24(rw,sec=sys:krb5p,no_root_squash) Petros On 01/31/2018

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 12:21 PM, TomK wrote: On 1/31/2018 9:41 AM, Jakub Hrozek wrote: See inline.. On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote: My bad, did not include sssd-users earlier.  :( Hey All, I'm wondering if anyone came across

[Freeipa-users] Re: Home directory not being created in log in

2018-01-31 Thread Kristian Petersen via FreeIPA-users
Yes, it is being exported via NFS. On Wed, Jan 31, 2018 at 9:51 AM, Petros Triantafyllidis wrote: > Is your home directory exported as NFS? As far as I remember there are > some differences between CentOS 6 and 7 regarding NFS versions that might > affect you. > > Petros > > > >

[Freeipa-users] Re: [SSSD-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 9:41 AM, Jakub Hrozek wrote: See inline.. On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote: My bad, did not include sssd-users earlier. :( Hey All, I'm wondering if anyone came across this error below.  We have two RHEL

[Freeipa-users] Re: Home directory not being created in log in

2018-01-31 Thread Petros Triantafyllidis via FreeIPA-users
Is your home directory exported as NFS? As far as I remember there are some differences between CentOS 6 and 7 regarding NFS versions that might affect you. Petros On 01/31/2018 06:30 PM, Kristian Petersen via FreeIPA-users wrote: Update: I was putting together another client for a separate

[Freeipa-users] Re: Home directory not being created in log in

2018-01-31 Thread Kristian Petersen via FreeIPA-users
Update: I was putting together another client for a separate purpose that runs RHEL 6 instead of RHEL 7 and everything worked. So there must be something different between RHEL6 and RHEL7 that causes the steps I am using to fail on RHEL7. On Mon, Jan 29, 2018 at 4:37 PM, Kristian Petersen

[Freeipa-users] Host certificates association across IPA servers

2018-01-31 Thread David Harvey via FreeIPA-users
Dear ipa-users, I've recently observed a pattern where adding a host certificate to a host only shows the association in the GUI for the server which issues the cert. I'm running FreeIPA 4.4.4. I request a certificate from the host(s) in question with something like: ipa-getcert request -f

[Freeipa-users] Re: Howto renew certificates with external CA?

2018-01-31 Thread Harald.Husemann--- via FreeIPA-users
Hello Flo, I've checked the certificates, there are several ones in the LDAP databases (got them with "ldapsearch -x -D "cn=Directory Manager" -W -b "uid=pkiuser,ou=people,o=ipaca", hope that's correct?) and one of them is identical to the one which I've got with certutil. I've also checked

[Freeipa-users] Re: Howto renew certificates with external CA?

2018-01-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 01/30/2018 05:17 PM, Harald Husemann via FreeIPA-users wrote: Hello Flo, and thanks again for your response. First of all, I've figured out that the package "pki-symkey" was missing, so I've installed it with yum. Now, according to systemctl, pki-tomcatd is running:

[Freeipa-users] Re: Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote: My bad, did not include sssd-users earlier. :( Hey All, I'm wondering if anyone came across this error below.  We have two RHEL 7.4 servers with SSSD 1.15.2: http-srv01 and http-srv02 Both connect to the same AD DC host below:

[Freeipa-users] Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread TomK via FreeIPA-users
Hey All, I'm wondering if anyone came across this error below. We have two RHEL 7.4 servers with SSSD 1.15.2: http-srv01 and http-srv02 Both connect to the same AD DC host below: addc-srv03.addom.com. Verified krb5.conf and sssd.conf both are identical. We can login on the http-srv01 and