[Freeipa-users] Re: UPN group name@domain in id output

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/24/21 5:18 PM, Alfred Victor via FreeIPA-users wrote: Hi FreeIPA, We have found the cause was a GUI change. I have spoken with my colleague, who at first did not recall any change, but after looking and given the log did realize. It seems like this function may be poorly described in

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/24/21 8:20 AM, Miguel Hinojosa via FreeIPA-users wrote: Thank you a lot Florence. It worked perfectly, no issues after downgrade package on both nodes. Glad to know the workaround fixed your issue, and thanks for closing the loop. flo

[Freeipa-users] Re: UPN group name@domain in id output

2021-03-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 7:57 PM, Alfred Victor via FreeIPA-users wrote: I should clarify that I have now asked all involved and no one recognizes this change, so is it fair to assume adding a replica has somehow imparted this, or should we dig through logs? Hi, I didn't find any place in the code where

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 11:29 AM, Florence Blanc-Renaud wrote: On 3/23/21 10:38 AM, Miguel Hinojosa via FreeIPA-users wrote: We're facing some intermittent failures in IPA server, where the corresponding IPA groups are not mapped correctly (some or all ipa groups are missing). Short description of the

[Freeipa-users] Re: Intermittent failures in IPA server: IPA groups are not mapped correctly (some or all ipa groups are missing).

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/23/21 10:38 AM, Miguel Hinojosa via FreeIPA-users wrote: We're facing some intermittent failures in IPA server, where the corresponding IPA groups are not mapped correctly (some or all ipa groups are missing). Short description of the set up: 2 IPA server nodes, both have a trust with AD

[Freeipa-users] Re: UPN group name@domain in id output

2021-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/22/21 9:26 PM, Alfred Victor via FreeIPA-users wrote: Hi Rob, This is on a newly re-enrolled client (it runs force-join, previously it joined with different arguments but the machine does not have any data that itself persists between boots). I don't see the issue on a previously

[Freeipa-users] Re: Deprecate/sync howto/troubleshooting DNS pages re: ds-seen requirement?

2021-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/18/21 5:20 PM, Harry G. Coin via FreeIPA-users wrote: Notice the two pages regarding DNSSEC (the 'howto' and the 'troubleshooting') discuss a requirement to give a command ( ... ds-seen ... ), requiring many arguments.  The docs call for this command to occur for each domain after the DS

[Freeipa-users] Re: Multi-Master addition to existing cluster

2021-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/16/21 2:49 PM, Mark Potter via FreeIPA-users wrote: I have a working FreeIPA cluster and need to start deploying for other geolocations. I deployed with freeipa-ansible. While I can find docs on multi-master setups I am struggling to find the initial setup bits. Would it be best to

[Freeipa-users] Re: Replication broken

2021-03-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/9/21 10:59 AM, Antoine Gatineau via FreeIPA-users wrote: I could rebuild my cluster from backup before the upgrade to CentOS Stream. So I'll be able to work from there. On Mon, 2021-03-08 at 17:41 +0100, Antoine Gatineau via FreeIPA-users wrote: Hello, I'm on freeipa 4.9.0 on CentOS

[Freeipa-users] Re: Problems after upgrade

2021-03-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/3/21 10:24 AM, Ronald Wimmer via FreeIPA-users wrote: On 03.03.21 10:13, Alexander Bokovoy wrote: On ke, 03 maalis 2021, Ronald Wimmer via FreeIPA-users wrote: Some time ago we upgraded our IPA servers from CentOS 7.x to Oracle Linux 8.3. We did it exactly as recommended in the respective

[Freeipa-users] Re: FreeIPA Multi-master dse.ldif updates

2021-03-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/1/21 9:47 PM, Yuri Krysko via FreeIPA-users wrote: Hello, We run two IPA servers in a multi-master replication topology. Could anyone please advise if it is normal to have dse.ldif files on both IPA servers be updated every minute roughly with nsState attribute being modified by

[Freeipa-users] Re: blank page for migration URL: File does not exist: /usr/share/ipa/ui/js/freeipa/menu.js

2021-02-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/19/21 10:39 PM, Robert Kudyba via FreeIPA-users wrote: Running freeipa-server-4.9.1-1.fc33.x86_64 with httpd-2.4.46-9.fc33.x86_64 and the domain/ipa/migration page is blank. The only thing in the page source is: var dojoConfig = {

[Freeipa-users] Re: Something changed regarding enrollment permissions?

2021-02-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/17/21 12:56 PM, Ronald Wimmer via FreeIPA-users wrote: On 19.10.20 11:38, Ronald Wimmer via FreeIPA-users wrote: Today we did not manage to enroll new hosts with our enrollment user. The only thing we changed is that we added the Permission "System: Remove hosts" to the "Host Enrollment"

[Freeipa-users] Re: How To Renew Expired Certificates & pki-tomcatd not starting

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/9/21 10:40 AM, SRM via FreeIPA-users wrote: First of all thank you for taking time & replying. I thought "ipa-cacert-manage renew" is for renewing IPA CA & "ipa-certupdate" is for renewing certificates, so should I use "ipa cert-request" to get renew / new certificates. And pki-tomcatd

[Freeipa-users] Re: How To Renew Expired Certificates & pki-tomcatd not starting

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 4:11 PM, SRM via FreeIPA-users wrote: I see some one else opened another thread with similar issue, but the error messages are different so I'm going ahead & seeking help on a new thread. I've inherited a FreeIPA installation from somebody used among 5 physical servers with one

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 2:56 PM, Manuel Gujo via FreeIPA-users wrote: Hi, I re-sync the date to today and ran ipa-cert-fix but it returns an error [root@ipa1 ~]# ipa-cert-fix WARNING ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 2:03 PM, Manuel Gujo via FreeIPA-users wrote: Hi Florence, thanks for the answer it's a single IPA server, VERSION: 4.6.8, API_VERSION: 2.237 Hi, The CA is self-signed and still valid, and you are lucky because this ipa version already provides a new tool called ipa-cert-fix that

[Freeipa-users] Re: IPA certs expired, pki-tomcatd fails to start

2021-02-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/8/21 11:59 AM, Manuel Gugliucci via FreeIPA-users wrote: Hello, I'm running a freeipa server over a cloudera cluster, on 2020-12-31 all the certs expired and did not renew by itself. After I set the system date before the expiration date, I tried ipa-cacert-renew but returns an error

[Freeipa-users] Re: IPA compat mode

2021-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/28/21 10:27 AM, Jacquelin Charbonnel via FreeIPA-users wrote: Hi folks, Overall, what is the goal of the IPA compat mode, and what are the consequences of enabling/disabling it ? And specifically, what's the differences between : # ipa migrate-ds --with-compat ... and #

[Freeipa-users] Re: Exipred SSL for https and Ldap

2021-01-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/25/21 11:36 PM, Ahmed ElShafaie via FreeIPA-users wrote: Also when I run ipa-certupdate trying https://identity.ashlex.com/ipa/session/json [try 1]: Forwarding 'schema' to json server 'https://identity.ashlex.com/ipa/session/json' Major (851968): Unspecified GSS failure. Minor code may

[Freeipa-users] Re: chronyd support in freeipa server?

2021-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/21 10:31 PM, Kent Brodie via FreeIPA-users wrote: OK, chronyd support is great to know that it's there. How, exactly, do I de-integrate ntpd from my existing freeipa server setup and switch to chronyd?

[Freeipa-users] Re: expired lets encrypt certificates - how to fix/reinstall

2021-01-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/21 11:31 PM, Sinh Lam via FreeIPA-users wrote: So I have this problem where the certificates have expired. I created a new one but however when trying to apply the new certs using ipa-server-certinstall, http works but when trying to get it to apply to ldap it fails with a "peer's

[Freeipa-users] Re: problem with AD user login

2021-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/31/20 12:51 AM, Suchismita Panda via FreeIPA-users wrote: Hi, We have a pair of FreeIPA servers (1 master and 1 replica) Freeipa server version 4.6.8 Recently when we are trying to enroll any new freeipa client to the server, the installation goes successful, but AD user login does not 

[Freeipa-users] Re: Access LOG Files / configuration - zip ?

2021-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/28/20 11:03 AM, Karim Bourenane via FreeIPA-users wrote: Hello Team, is it possible to know where the access log files in /var/log/dirsrv/slapd./ are configured? Is it possible to activate the gzip process for these files? Hi, please refer to Directory Server documentation

[Freeipa-users] Re: Insufficient access

2021-01-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/31/20 12:32 PM, Ivan Isakov via FreeIPA-users wrote: Hello, When I try to perform command after command kinit admin: ipa group-remove-member group --users=test I get next: Failed members: member user: test: Insufficient access: Insufficient 'write' privilege to the 'member' attribute

[Freeipa-users] Re: "missing attribute sn" error on migration

2020-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/20 10:19 AM, Jacquelin Charbonnel via FreeIPA-users wrote: Hi everyone, To create a nice new proper domain in CentOS8 (with a new name and so), I use "ipa migrate-ds" on a fresh installed Centos8 server, to retrieve entries from my current domain in CentOS7 : ipa migrate-ds

[Freeipa-users] Re: repair ca

2020-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/21/20 11:31 AM, Evg Hertz via FreeIPA-users wrote: getcert list -f /var/lib/ipa/ra-agent.pem | grep expires expires: 2022-06-20 19:31:51 UTC I dont find /var/lib/ipa/ra-agent.pem in output ldapsearch -D "cn=directory manager" -W -b o=ipaca Hi, please type the whole command

[Freeipa-users] Re: repair ca

2020-12-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/18/20 3:38 PM, Evg Hertz via FreeIPA-users wrote: Hello, I need to fix the CA: Failed to authenticate to CA REST API. How can I reinstall/reconfigure only the CA, or export users (with hashed passwords)/groups and import them on a new installation? Help me please. Hi, this error usually happens when the

[Freeipa-users] Re: bricked beyond belief?

2020-12-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/17/20 12:33 AM, lejeczek via FreeIPA-users wrote: Hi everyone. I'm trying to add fourth replica to existing IPA domain and it does not want to work, but don't mind that for now. Failed replica no. 4 now is not happy to go away, not happy at all. ~]$ ipa-server-install --uninstall

[Freeipa-users] Re: a shortcut a small mayhem - a replica's way

2020-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/16/20 7:18 PM, lejeczek via FreeIPA-users wrote: On 16/12/2020 17:29, Rob Crittenden wrote: lejeczek via FreeIPA-users wrote: Hi guys. I'm trying to spin up a new replica: ...   [25/41]: restarting directory server    [26/41]: creating DS keytab    [error] CalledProcessError:

[Freeipa-users] Re: Installation fails in adding CA certificate entry - certutil does not support --seimple-self-signed

2020-12-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/15/20 5:07 PM, iulian roman via FreeIPA-users wrote: After some plumbing and manual operations I managed to have CA running during installation of the FreeIPA server. Currently the install fails in : Configuring directory server (dirsrv) [2/3]: adding CA certificate entry

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/27/20 11:54 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, I've raised that issue as requested including this full email chain so far: https://pagure.io/freeipa/issue/8600 Sorry to seem dense, but ssl certs and keys are definitely not my strong suit, and the whole freeipa setup we have

[Freeipa-users] Re: Unable to remove incomplete replication entry - topology plugin?

2020-11-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/25/20 6:21 AM, Robert.Mattson--- via FreeIPA-users wrote: Dear FreeIPA Community, We’re having a problem joining a host to an IPA realm. We created a host account in the realm and added that host to the IPA replicas group. We installed the ipa-client and ipa-server RPMS on the

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/24/20 10:50 AM, Marc Pearson | i-Neda Ltd wrote: Thanks Flo, I'm surprised I didn't catch that typo: certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM Certificate Nickname Trust Attributes

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, I'm getting a database error when running that command: # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. Sorry,

[Freeipa-users] Re: Certificate operation cannot be completed: Unable to communicate with CMS (403)

2020-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/18/20 5:23 PM, Corey Devenport via FreeIPA-users wrote: On 11/17/20 6:27 PM, Corey Devenport via FreeIPA-users wrote: Hi, you need first to identify the right RA cert to use. On all the servers, check the content of /var/lib/ipa/ra-agent.pem, for instance with: # openssl x509 -noout

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate: [root@red-auth01 ~]# ipa-cert-fix Failed to get Server-Cert The ipa-cert-fix command

[Freeipa-users] Re: when will my ca certificate expire?

2020-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 3:56 PM, Harald Dunkel via FreeIPA-users wrote: Hi folks, how can I list the expiration dates of the ca certificate chain, before it is too late? External ca. Regards Harri
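One way to answer the question above for an externally signed CA chain, as an added example that is not from this thread or from the FreeIPA project: the shell functions below split a PEM bundle into its individual certificates, print each certificate's notAfter date and subject, and report whether any certificate in the chain expires within a given number of days. They need only the openssl CLI. The bundle path is an assumption (on an IPA-enrolled host the CA chain is normally in /etc/ipa/ca.crt; pass whatever bundle you want to inspect), and the two self-signed certificates generated by make_test_bundle are constructed test data, not real CA material.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): report the
# expiry of every certificate in a PEM bundle. Needs the openssl CLI.
# Bundle path is an assumption: on IPA-enrolled hosts the chain is usually
# /etc/ipa/ca.crt; pass whatever bundle you want to inspect.

# Split the PEM bundle $1 into one file per certificate in directory $2
# (cert-001, cert-002, ... in bundle order).
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# Print one line per certificate in bundle $1: "<notAfter> | <subject>".
list_chain_expiry() {
    tmpdir=$(mktemp -d) || return 1
    split_bundle "$1" "$tmpdir"
    for c in "$tmpdir"/cert-*; do
        [ -f "$c" ] || continue
        end=$(openssl x509 -noout -enddate -in "$c" | sed 's/^notAfter=//')
        subj=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject= *//')
        printf '%s | %s\n' "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# Return 0 if any certificate in bundle $1 expires within $2 days, else 1.
# "openssl x509 -checkend" does the date arithmetic, so no GNU date is needed.
chain_expires_within() {
    tmpdir=$(mktemp -d) || return 2
    split_bundle "$1" "$tmpdir"
    rc=1
    for c in "$tmpdir"/cert-*; do
        [ -f "$c" ] || continue
        if ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$c" >/dev/null 2>&1; then
            rc=0    # this certificate expires within the window
        fi
    done
    rm -rf "$tmpdir"
    return $rc
}

# Constructed test data: two throwaway self-signed certificates (30 and 400
# days) concatenated into bundle $1. Not real CA material.
make_test_bundle() {
    dir=$(dirname "$1")
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k1.pem" -out "$dir/c1.pem" \
        -days 30 -subj "/CN=short-lived-test-ca" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k2.pem" -out "$dir/c2.pem" \
        -days 400 -subj "/CN=long-lived-test-ca" >/dev/null 2>&1
    cat "$dir/c1.pem" "$dir/c2.pem" > "$1"
}

# Demo run on the constructed bundle.
demo_dir=$(mktemp -d)
make_test_bundle "$demo_dir/chain.pem"
list_chain_expiry "$demo_dir/chain.pem"
if chain_expires_within "$demo_dir/chain.pem" 60; then
    echo "WARNING: a certificate in the chain expires within 60 days"
fi
rm -rf "$demo_dir"
```

To use it on a real host, replace the demo at the bottom with `list_chain_expiry /etc/ipa/ca.crt` and, for a cron check, `chain_expires_within /etc/ipa/ca.crt 30 && mail -s "IPA CA chain expiring" root`. Note that this only inspects the copies of the chain on disk; it says nothing about whether certmonger is still able to renew the leaf certificates.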

[Freeipa-users] Re: Certificate operation cannot be completed: Unable to communicate with CMS (403)

2020-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 6:27 PM, Corey Devenport via FreeIPA-users wrote: Update: In using the command ipa-certupdate all of the IPA Servers have all the certs as MONITORING, including the caSigningCert. However, the authentication problem persists, and I still get the 403 cannot communicate with CMS

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote: Hi Flo, Thanks for the help. Included is the output of all the commands as you requested. These were all run from a single freeIPA server (red-auth01). kinit admin; ipa server-role-find --role "CA server" Password for

[Freeipa-users] Re: subsystemCert appears out of date

2020-11-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote: Hi All, My subsystem cert appears to have gone out of date, and I’m unable to get it to update. This has become an issue on my production environment, and my current work around has been to take the system date back by

[Freeipa-users] Re: How to get a private key for a service certificate to use with TLS?

2020-11-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/16/20 10:38 AM, Scott Reed via FreeIPA-users wrote: I created some service certificates for some of my machines that are using FreeIPA. I followed the instructions that were in the web interface. Now, we need to establish the keys so that we can use them for TLS communications between

[Freeipa-users] Re: Weub UI fails with "Login failed due to an unknown reason."

2020-11-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/12/20 3:13 PM, Thomas Boroske via FreeIPA-users wrote: Hi Flo, I am seeing the same (with SE Linux since we use that too): ll -Z /var/lib/ipa-client/pki/kdc-ca-bundle.pem -rw-r--r--. root root unconfined_u:object_r:realmd_var_lib_t:s0 /var/lib/ipa-client/pki/kdc-ca-bundle.pem

[Freeipa-users] Re: Weub UI fails with "Login failed due to an unknown reason."

2020-11-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/11/20 8:22 AM, Thomas Boroske via FreeIPA-users wrote: Hi Rob, when I run openssl x509 -text -in /var/kerberos/krb5kdc/kdc.crt I get output containing the lines: Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm:

[Freeipa-users] Re: ipa-server-install (How to disable checking online DNS) ?

2020-10-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/20/20 10:11 AM, rodentskie--- via FreeIPA-users wrote: Hello, I'm currently configuring freeipa. When I run the command "ipa-server-install", I got these errors: Checking DNS domain biotechfarms.net., please wait ... ipapython.admintool: ERRORDNS zone biotechfarms.net. already exists

[Freeipa-users] Re: Adding Host through FreeIPA web UI

2020-10-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/16/20 12:23 PM, anilkumar panditi via FreeIPA-users wrote: Hi, Thank you very much. I was able to enroll the host into ipa. Now I have one more problem: whenever the LDAP user(s) logs in for the very first time into the added host, it's not creating the home directory like /home/user(s)

[Freeipa-users] Re: Adding Host through FreeIPA web UI

2020-10-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/15/20 5:07 PM, anilkumar panditi via FreeIPA-users wrote: I am trying to add a host through FreeIPA UI , and followed the below procedure. Click on Hosts Tab> Add> enter details like Hostname, IP , and checked force And ADD. My host is added but , under Enrollment section

[Freeipa-users] Re: pki-tomcat wont start; LDAP auth failure

2020-10-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/8/20 12:53 PM, Arjen Heidinga via FreeIPA-users wrote: Hello all! Since some time my pki-tomcat daemon can't connect to the LDAP, giving me an error (below). The root CA had expired in the meantime; I fixed it with some hack-n-slash work. I am not sure what credentials (none, client

[Freeipa-users] Re: Replication Error

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/2/20 12:06 PM, Ronald Wimmer via FreeIPA-users wrote: On 02.10.20 11:43, Florence Blanc-Renaud wrote: On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote: By coincidence I found something in /var/log/messages that does not look too good: Oct  2 09:41:30 pipa02.linux.mydomain.at

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/20/20 1:31 PM, Stuart McRobert via FreeIPA-users wrote: Dear flo, Thanks for the helpful links. To check whether replication is possible between the three freeipa servers, via the web interface on each, I have successfully created three new users: + On server 1 create a new user 1 and

[Freeipa-users] Re: Replication Error

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/2/20 9:56 AM, Ronald Wimmer via FreeIPA-users wrote: By coincidence I found something in /var/log/messages that does not look too good: Oct  2 09:41:30 pipa02.linux.mydomain.at ns-slapd[1905]: [02/Oct/2020:09:41:30.887447735 +0200] - ERR - NSMMReplicationPlugin - send_updates -

[Freeipa-users] Re: Adding a KRA

2020-10-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/2/20 11:03 AM, Ronald Wimmer via FreeIPA-users wrote: At the moment we only have KRA on one of our eight IPA servers. Is it sufficient to issue the ipa-kra-install command on a replica where the CA role is already present? Hi, yes, ipa-kra-install can be used to install a replica KRA.

[Freeipa-users] Re: BadRequest when using freeipa-python

2020-09-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/21/20 7:55 AM, Ronald Wimmer via FreeIPA-users wrote: On 18.09.20 19:47, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: On 18.09.20 13:04, Rafael Jeffman via FreeIPA-users wrote: On Thu, Sep 17, 2020 at 9:59 AM Ronald Wimmer via FreeIPA-users

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/17/20 10:12 PM, Stuart McRobert via FreeIPA-users wrote: Dear All, Thanks to everyone for their help with this. In summary the problem was an inconsistency between the certificate stored in a file and in ldap, as described at the bottom of flo's blog:

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/16/20 11:42 AM, Stuart McRobert via FreeIPA-users wrote: Dear flo, At this point you also need to restart pki: Thanks, restarted and resubmitted the request, then wait, but sadly I guess something else may also need attention? Best wishes Stuart

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/16/20 10:52 AM, Stuart McRobert via FreeIPA-users wrote: Dear flo, Thank you for your help with this, but something still seems to be preventing the renewal from actually happening even after going back in time, and waiting. My service slot is open until lunchtime today so hopefully be

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/9/20 9:58 AM, Stuart McRobert via FreeIPA-users wrote: Dear flo, there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward. First of all, please confirm that the server is the CA renewal master: # ipa config-show | grep "CA renewal"

[Freeipa-users] Re: Renewing a failed to auto-renewal certificate

2020-09-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward. First of all, please confirm that the server is the CA renewal master: # ipa config-show | grep "CA renewal" The output should display your hostname. If that's not the case, we need

[Freeipa-users] Re: FreeIPA DNS (named-pkcs11) failover

2020-09-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/6/20 5:48 PM, Peter Larsen via FreeIPA-users wrote: I have two FreeIPA servers both are working as DNS servers for the network. Each IPA server is in the DNS server list, so they serve as "backup" for one another. I had one of the server's named-pkcs11 fail last night and somehow the second

[Freeipa-users] Re: CentOS 7 --> 8 migration for FreeIPA with external CA?

2020-09-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/4/20 11:44 AM, Harald Dunkel via FreeIPA-users wrote: Hi folks, I have found several migration guidelines from Centos 7 to 8. AFAIU the procedure is to setup a new CentOS 8 FreeIPA server, and then to migrate the "master" from the old to the new host. See [1], for example. Having myself

[Freeipa-users] Re: ipa-replica-install failing

2020-08-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/19/20 11:53 AM, Denis Nazarov via FreeIPA-users wrote: Hi, I have the same issue with freeipa 4.3.1 on ubuntu 16.04 and freeipa 4.8.6 on ubuntu 20.20 (packages from ubuntu 19.10). Have you solved this issue? Hi, I assume you are referring to this email thread:

[Freeipa-users] Re: FreeIPA + Freeradius

2020-08-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/24/20 6:40 PM, Alessandro Minonzio via FreeIPA-users wrote: Hi, I'm new to FreeIPA (v. 4.6.5) and I'm asking for help with a first configuration with FreeRadius on CentOS 7. I need documentation or suggestions about this implementation. Could someone help me? Hi, you can find documentation in

[Freeipa-users] Re: Can't reinstate replica from scratch after it was off for 6 months

2020-08-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/19/20 9:52 PM, Konstantin M. Khankin via FreeIPA-users wrote: TL;DR: Unfortunately this doesn't help. I see this on Replica when running 'ipa-server-install --uninstall': u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/13/20 2:35 PM, Louis Bohm via FreeIPA-users wrote: Adding the DNS fixed it. Just one more question. Should I be updating the file /etc/openldap/ldap.conf to include both masters on the URL line on the clients? The only master that was listed there was the first master created. Hi,

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/12/20 1:16 PM, Louis Bohm via FreeIPA-users wrote: Yes the client was installed not using the --server option. So it looks like my issue is DNS. We have DNS external to the IPA hosts. Is there a simple way for me to get a list of all the DNS records that need to be added to our DNS

[Freeipa-users] Re: Multimaster error adding user when one master down.

2020-08-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/11/20 11:16 PM, Louis Bohm via FreeIPA-users wrote: Environment: 2 IPA Masters running CentOS 8 and IPA Server 4.8.0.13 Client running CentOS 8 and IPA Client 4.8.0.13 The masters were setup as MultiMasters (I think I have it correct). If I shutdown the first master (ipa01) so only ipa02

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/11/20 6:39 PM, Scott Z. wrote: First thing I did when I logged in this morning (I'm on Hawaii Standard Time) was run "ipactl status".  The return was "Directory Services: STOPPED", and "Directory Service must running in order to obtain status of other services". 1) Ran "getcert list",

[Freeipa-users] Re: Replication issue with CSN generator

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 11:51 AM, Morgan Marodin via FreeIPA-users wrote: My issue got worse, the certificate has expired on the replica server, and it can't be renewed because it cannot communicate with the master server. I can start the server using the --ignore-service-failure parameter, but the

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 11:46 PM, Scott Z. via FreeIPA-users wrote: I stopped the ntp service with the command "timedatectl set_ntp 0" I set the new date to be Sept. 1st, 2019 with "timedatectl set-time 2019-09-01" I waited a minute and then checked with the "date" command; the problem server believes it

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/10/20 7:56 PM, Scott Z. via FreeIPA-users wrote: On the failing node, the output of "getcert list" does not show any expired certs. I have hand-copied the info into this email below (it's interesting to note that while the other IdM servers are tracking 9 certs, the problem server is

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, re-adding the mailing list as the conversation could also help others. On 8/8/20 12:06 AM, Scott Z. wrote: I did notice when I compare it to another IdM server in the environment, if I do a "certutil -L -d /etc.httdp/alias" the non-working server has a IPA CA certificate and a

[Freeipa-users] Re: CLI commands to unprovision a host, then set one time password?

2020-08-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/7/20 12:49 PM, Bo Lind via FreeIPA-users wrote: We have a workflow where we sometimes reinstall enrolled hosts. The role of the host does not change, IP, hostname etc. stay unchanged. Our current workflow is to enter the GUI, select unprovision, set a one time password, and then enroll

[Freeipa-users] Re: Clarification on CA Cert renewal requested

2020-08-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/6/20 6:35 PM, Khurrum Maqb via FreeIPA-users wrote: Run ipa-certupdate on all IPA-enrolled machines, including servers, to update local files. Thanks. I ran ipa-certupdate on a client and I see that it completed successfully. The output of `certutil -L -d /etc/ipa/nssdb/` shows a second

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/6/20 12:53 AM, Scott Z. via FreeIPA-users wrote: Thanks much for the assistance.  Here is where I am with your suggestions: 1) Checked on the cert with "certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' and I see that the Validity is indeed old (almost a year old

[Freeipa-users] Re: pki-tomcatd not starting

2020-08-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 8/3/20 10:14 PM, Scott Z. via FreeIPA-users wrote: Not sure I'm sending this to the right place, but here it goes.  I inherited a FreeIPA/Identity Manager setup in an enclave (no internet access) environment that is running into problems.  There are at least 3 different IdM servers

[Freeipa-users] Re: DNS Delegation

2020-07-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/31/20 1:03 AM, Christian Hernandez via FreeIPA-users wrote: I'm having an issue delegating a subdomain. My domain is cloud.chx and I ran the following. ipa dnsrecord-add cloud.chx dc1.ad --a-rec=192.168.1.253 ipa dnsrecord-add 1.168.192.in-addr.arpa. 253

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 4:54 PM, Lorenz Braun wrote: On 16.07.20 15:50, Florence Blanc-Renaud wrote: On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote: I was thinking something similar. I tried ``` [root@ipa01 ~]# ipa-cacert-manage renew Renewing CA certificate, please wait Error resubmitting

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote: Hi Flo, thanks for your feedback. I appreciate it a lot! On 16.07.20 14:32, Florence Blanc-Renaud wrote: Hi, this type of failure can happen when the certificates expire. You can check if that's the case using "getcert list" and look
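As an added example that is not from this thread, certmonger or FreeIPA, the shell function below automates the "getcert list" check mentioned in the reply above: it reads getcert list output on stdin and prints every tracked request whose status is not MONITORING, that is marked stuck, or whose "expires:" date is earlier than a reference date (default: today, UTC). The output embedded in SAMPLE_GETCERT is constructed to mimic the real getcert list layout; the request IDs, hostnames, realm and ca-error text are invented.

```shell
#!/bin/sh
# Added example (not from the thread, certmonger or FreeIPA): triage
# "getcert list" output. On a real server run:  getcert list | getcert_problems
# Optional $1 is a reference date (YYYY-MM-DD); tracked certificates whose
# "expires:" is earlier than it are reported too. Default: today, UTC.

getcert_problems() {
    ref="${1:-$(date -u +%Y-%m-%d)}"
    awk -v ref="$ref" -v q="'" '
        # Emit the current request if it has a problem, then reset state.
        function flush(    reason) {
            if (id == "") return
            reason = ""
            if (status != "MONITORING") reason = "status=" status
            if (stuck == "yes") reason = reason (reason != "" ? "," : "") "stuck"
            # "expires:" is "YYYY-MM-DD HH:MM:SS UTC", so a string compare
            # of the first 10 characters orders dates correctly.
            if (expires != "" && substr(expires, 1, 10) < ref)
                reason = reason (reason != "" ? "," : "") "expires-before-" ref
            if (reason != "")
                printf "%s\t%s\t%s\t%s\t%s\n", id, status, name, expires, reason
            id = status = stuck = expires = name = ""
        }
        /^Request ID/        { flush(); id = $3; gsub(/[^0-9]/, "", id) }
        $1 == "status:"      { status = $2 }
        $1 == "stuck:"       { stuck = $2 }
        $1 == "expires:"     { sub(/^[ \t]*expires:[ \t]*/, ""); expires = $0 }
        $1 == "certificate:" {
            # NSS-backed certs carry nickname=..., file-backed ones location=...
            if (match($0, "nickname=" q "[^" q "]*" q))
                name = substr($0, RSTART + 10, RLENGTH - 11)
            else if (match($0, "location=" q "[^" q "]*" q))
                name = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { flush() }
    '
}

# Constructed sample modelled on the real getcert list layout (IDs, hosts,
# realm and error text are invented). One healthy entry, one stuck
# CA_UNREACHABLE entry for the RA agent cert, and one MONITORING entry whose
# certificate has already expired.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200601120000':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2022-06-20 19:31:51 UTC
        track: yes
        auto-renew: yes
Request ID '20200601120001':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2021-02-01 08:00:00 UTC
        track: yes
        auto-renew: yes
Request ID '20200601120002':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2020-12-31 23:59:59 UTC
        track: yes
        auto-renew: yes
EOF
)

# Demo: triage the sample as of 2021-03-24 (two entries are reported).
printf '%s\n' "$SAMPLE_GETCERT" | getcert_problems 2021-03-24
```

The third entry is the case worth noticing: certmonger still reports MONITORING for a certificate that has already expired, which is exactly the situation where checking only the status column gives false comfort. Run this on every IPA server, not just the renewal master, since each server tracks its own copies.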

[Freeipa-users] Re: Looking for help to get my IPA server running again

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 11:02 AM, Lorenz Braun via FreeIPA-users wrote: Hi there, I have been running an IPA install (4.5.0) on a CentOS 7 server for quite a while and had some problems with it. Eventually everything got worse and now it is not really usable anymore. It started with someone accidentally

[Freeipa-users] Re: LDAP conflicts and ldapsubentry

2020-07-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/16/20 11:36 AM, David Harvey via FreeIPA-users wrote: Hi again, just a gentle bump to keep this visible, any advice on it or additional info I can provide? On Tue, 14 Jul 2020 at 19:29, David Harvey wrote: Dear list, I noted from TFM

[Freeipa-users] Re: certmapdata issue

2020-07-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/14/20 11:29 PM, Shane Frasier via FreeIPA-users wrote: Hello, I have users who kinit using their PIV (smartcard) certificates. Everything works great for users who happen to be "full" employees, but contractors' certificates never match. "Full" employees have certificates issued by:

[Freeipa-users] Re: Can't Add Replica: The changelog directory CLDB already exists and is not empty

2020-07-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi Andrey, it looks really similar to the issue https://bugzilla.redhat.com/show_bug.cgi?id=1590974 Can you check the access log and error log on the IPA server server-01.example.com? It seems that the issue happens when the replica installer tries to create the entry

[Freeipa-users] Re: FreeIPA/PKI CA/KRA Subsystem Certificate Renewal Failure (not yet expired)

2020-07-08 Thread Florence Blanc-Renaud via FreeIPA-users
On Mon, Jul 6, 2020 at 1:25 PM Rob Crittenden <rcrit...@redhat.com> wrote: Florence Blanc-Renaud via FreeIPA-users wrote: > On 7/5/20 2:23 AM, Ilya Kogan via FreeIPA-users wrote: >> Hi, >> >> I seem to be facing a similar issue with one o

[Freeipa-users] Re: Can't Add Replica: The changelog directory CLDB already exists and is not empty

2020-07-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/7/20 10:13 PM, Andrey Ptashnik via FreeIPA-users wrote: Team, I'm trying to install FreeIPA replica and constantly hitting this error below. OS where replica is being installed is a fresh install. IPA version 4.6.6 After this error Master does not have any record of replica anyway. Can

[Freeipa-users] Re: FreeIPA/PKI CA/KRA Subsystem Certificate Renewal Failure (not yet expired)

2020-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/5/20 2:23 AM, Ilya Kogan via FreeIPA-users wrote: Hi, I seem to be facing a similar issue with one of my KRAs. My KRA certificates were, for some reason, not automatically renewed when they expired last month. Using `ipa-cert-fix` correctly fixed them on _one_ host. On the other, they

[Freeipa-users] Re: Adding new replica with CA fails.

2020-07-06 Thread Florence Blanc-Renaud via FreeIPA-users
On 7/6/20 5:18 PM, Guillermo Fuentes via FreeIPA-users wrote: Hi all, I'm having an issue creating a new replica with CA. The Directory Service installation works fine but adding the CA clone fails with a java.lang.NumberFormatException when getting the serial number range. This is the error

[Freeipa-users] Re: ipa-server-upgrade failed after yum update on CentOS7

2020-07-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, as you have installed 4.6.5-11, the command ipa-cert-fix is available and should ease fixing the expired certs. The topology looks simple enough (a single master), so no need to worry about which server to fix first. More info available in [1] and in ipa-cert-fix man page. HTH, flo

[Freeipa-users] Re: ipa-server-upgrade failed after yum update on CentOS7

2020-06-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/30/20 10:24 AM, Mariusz Stolarczyk via FreeIPA-users wrote: All, I did routine server updates last night on my IPA server. After the reboot I first noticed the DNS was not resolving and the ipa.service failed. The ipa.service failed to start so I ran the following: # ipactl start

[Freeipa-users] Re: ipa: ERROR: No valid Negotiate header in server

2020-06-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/25/20 11:01 AM, Nathanaël Blanchet via FreeIPA-users wrote: Hello, I meet this error: ipa: ERROR: No valid Negotiate header in server on the master and I want to try the solution get there: https://access.redhat.com/solutions/3533431 but I don't remember when the "directory manager"

[Freeipa-users] Re: Root CA is changing in an AD Trust environment

2020-06-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/24/20 2:01 PM, White, David via FreeIPA-users wrote: We have IdM / FreeIPA running on RHEL 7 boxes. This is a 6-node cluster that has an existing 1-way trust back to Active Directory. IdM is still acting as the CA for its own clients, and when we setup the trust, we used the following

[Freeipa-users] Re: Problems Cleaning Up After Migration and Upgrade

2020-06-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/20/20 9:59 PM, Auerbach, Steven via FreeIPA-users wrote: I have finally been able to create an RHEL7/IPAv4 server using ipa-replica-prepare on a RHEL6/IPA v3 server (ipa01)(added the needed schema) and running ipa-replica-install on the RHEL7/IPAv4 server (ipa03).  I followed a number of

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 10:37 AM, luckydog xf via FreeIPA-users wrote: One more question. In this thread (https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/) you mentioned that subsystemCert cert-pki-ca would map to pkidbuser. So the process is that dog-tag

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/12/20 2:52 PM, Karim Bourenane wrote: Hello Florence, All After your recommendation: yum update ipactl start (start will start ipa-server-upgrade too) In attachment the ipaupgrade.log file. I hope the file will be taken by the website. Hi, can you check the content of the

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-18 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/18/20 6:06 AM, luckydog xf via FreeIPA-users wrote: [root@wocfreeipa ~]# export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias   [root@wocfreeipa ~]# [root@wocfreeipa ~]# export LDAPTLS_CERT='subsystemCert cert-pki-ca' [root@wocfreeipa ~]#  grep internal /etc/pki/pki-tomcat/password.conf

[Freeipa-users] Re: pki-tomcat fails to start after I update CA for dirsrv and httpd.

2020-06-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/17/20 11:32 AM, luckydog xf via FreeIPA-users wrote: Hi, As state in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 I cannot login in FreeIPA web page. So I update CA by : # delete everything except IPA CA of httpd and dirsrv

[Freeipa-users] Re: automember hostgroup by account?

2020-06-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/12/20 12:44 AM, Amos via FreeIPA-users wrote: Sorry to follow-up to an old thread, but is this still true? https://www.redhat.com/archives/freeipa-users/2015-February/msg00038.html Hi, 389-ds implemented a new feature that allows running the automembership plugin on modify operations as

[Freeipa-users] Re: IPA web login: 401 "Login failed due to an unknown reason."

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 4:37 AM, Chris Carr via FreeIPA-users wrote: We are unable to log in to the FreeIPA web console. However, it is able to tell when I use an incorrect password (shows "The password you entered is incorrect."). Also one of the CentOS servers getting ssh login credentials from our ipa

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/9/20 10:04 AM, Karim Bourenane via FreeIPA-users wrote: Hello Florence, all I have also only updated ipa-*, but I have the same Error. It appears that it is unable to unlink the port 8433 TCPV6 by pki-tomcat used by FreeIPA. I'm actually blocked with this minor update. Hi, do you mean that you

[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 8:42 PM, Ricardo Mendes via FreeIPA-users wrote: Hi Rob, Thanks a lot for your reply. It's because you are in the middle of an upgrade. You can add --skip-version-check to not do the upgrade until after the certs are renewed. Amazing! So I turned back the clock and: # ipactl

[Freeipa-users] Re: Last FreeIPA master is failing

2020-06-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/10/20 4:13 PM, Ricardo Mendes via FreeIPA-users wrote: # certutil -d /etc/pki/pki-tomcat/alias -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca
