[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote: Hello Team, I have some questions: 1°) I need your help to find the best way to upgrade my 3 linked servers (replicas). I want to upgrade the servers from CentOS 7.6 to CentOS 7.7 and update the IPA server at the same time (or separately

[Freeipa-users] Re: Problems after replacing SSL certificates

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/5/20 7:50 PM, John Burns via FreeIPA-users wrote: I have this exact same error on ipa-certupdate, after deleting certs that expired on May 30. Were you able to find any leads in the time since this post? ipa-certupdate is needed after "ipa-cacert-manage install" commands, prior to

[Freeipa-users] Re: AddTrust CA expiration

2020-06-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/4/20 9:21 PM, Peter Lewis via FreeIPA-users wrote: On May 30, 2020, the AddTrust CA expired as a CA. I'll get to the IPA issue after a bit of background in case everyone is not familiar. The external certs we're using are from InCommon and were cross signed by AddTrust and when we

[Freeipa-users] Re: Add Windows host in Freeipa

2020-06-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/4/20 10:07 AM, dmitriys via FreeIPA-users wrote: Good day! I tried to add a Windows host in FreeIPA and get Hi, can you provide a little more context? What do you mean by "add windows host in Freeipa", which command are you running and what is the output? It's difficult to understand from a

[Freeipa-users] Re: IPA -> AD trust : can't ssh with an AD user

2020-06-04 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in order to use AD users or groups in HBAC/sudo rules, you need to first create an external group (ipa group-add --external extgrp) that will contain your AD users/groups, then create a posix group (ipa group-add grp) and add the external group as member of the posix group (ipa

[Freeipa-users] Re: sub-cas ipa-certupdate

2020-06-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/3/20 6:07 PM, Rob Crittenden via FreeIPA-users wrote: Natxo Asenjo via FreeIPA-users wrote: hi, in the rhel 8 documentation I came across this:

[Freeipa-users] Re: Migrating or adding CA to a replica after-the-fact?

2020-06-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 6/2/20 3:28 PM, Auerbach, Steven via FreeIPA-users wrote: Can we add the CA mastery or CA replica to an IPA v4 server that is a replica and later promote to CA mastery? We have an IPA v3 server that has been the only CA master for several years. We have a recent IPAv4 replica that was set

[Freeipa-users] Re: Questions about IDM Smartcard Login

2020-05-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 5/12/20 10:08 PM, tom smith via FreeIPA-users wrote: I did not run the script, because I had already done most of what is in the script by the time I found it. I have imported all of the certificates into the /etc/pki/nss database and I ran this command against my certificate. Command:

[Freeipa-users] Re: Users and Admin access for AD Accounts

2020-05-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 5/2/20 2:18 PM, TomK via FreeIPA-users wrote: Hey All, Let's suppose I have two AD groups: unixadmin unixusers In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA functions. Whereas for the unixusers, I would like to give R/O access. I've already done the group

[Freeipa-users] Re: failed to verify krb5 credentials: Server not found in Kerberos database

2020-04-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/30/20 7:55 AM, Faraz Younus via FreeIPA-users wrote: Hi Team, I'm getting subjected on when enrolled to new FreeIPA, how can it be fixed?

[Freeipa-users] Re: Cannot delete old server after migration

2020-04-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/29/20 3:11 PM, Ronald Wimmer via FreeIPA-users wrote: I followed the guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating to migrate my server (including CA renewal master). When I try to uninstall

[Freeipa-users] Re: Problems after replacing SSL certificates

2020-04-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/20/20 8:39 PM, Andreas Bulling via FreeIPA-users wrote: Andreas Bulling via FreeIPA-users wrote: You have a chicken and egg problem. When replacing your certs on an existing infrastructure you first have to add your new CA certs using ipa-cacert-manage, then run ipa-certupdate on all

[Freeipa-users] Re: dirsrv hangs soon after reboot

2020-04-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/20/20 8:28 AM, Kees Bakker via FreeIPA-users wrote: Hey, I'm looking for advice how to analyse/debug this. On one of the masters the dirsrv is unresponsive. It runs, but every attempt to connect it hangs. The command "systemctl status" does not show anything alarming ●

[Freeipa-users] Re: Centos 6 FreeIPA Client install Error

2020-04-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/16/20 2:54 PM, Faraz Younus via FreeIPA-users wrote: No, it's not the role, I'm using the command module: ipa-client-install -U -w {{ freeipa_temp_kerberos_password }} --mkhomedir --hostname {{ freeipa_client_hostname }} --ntp-server {{ ipaclient_ntp_servers }} --domain {{ ipaclient_domain }}

[Freeipa-users] Re: How to set up kerberized web service with access control?

2020-04-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/16/20 10:09 AM, Dominik Vogt via FreeIPA-users wrote: Hi folks, on RHEL8.0, we've set up a small cluster with a FreeIPA server and two clients, one running a browser (Firefox) and the other running a web server (tomcat). (IdM is still configured with the defaults.) Now, what is the

[Freeipa-users] Re: Migration (in place)

2020-04-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 4/7/20 11:48 AM, Christian Reiss via FreeIPA-users wrote: Hey, I converted my 3 server setup within a day and without any (visible) hiccup(s). Thank you for that! The only issue is that I do not have any CA or CRL Server anymore. The first Server (no1, updated last) warned me, but I was

[Freeipa-users] Re: Integration Freeipa with Keycloak

2020-04-01 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I never tried it myself, but this blog should provide you with the correct attribute/filters: https://blog.delouw.ch/2019/06/01/openid-and-saml-authentication-with-keycloak-and-freeipa/ HTH, flo On 4/1/20 3:24 PM, dmitriys via FreeIPA-users wrote: Hi! I tried connect freeipa to

[Freeipa-users] Re: How Set authentication for ldapsearch

2020-03-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/27/20 9:40 AM, dmitriys via FreeIPA-users wrote: Hi! When I use the command ldapsearch -h ldap.exemple.com -p 389 -x -b dc=exemple,dc=com -L I get all information about my instance without any authentication. How can I set authentication for this action? -x means "Use simple authentication

[Freeipa-users] Re: Add new Identity Settings for users Freeipa

2020-03-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/24/20 11:24 AM, dmitriys via FreeIPA-users wrote: Good day! I set up integration of FreeIPA with Jamf. I mapped default user attributes from Identity Settings like: Job Title, First name, Last name, Email. In Jamf I have more user attributes (Department, Building). My question is: how can I

[Freeipa-users] Re: Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/20/20 12:32 PM, Alex P via FreeIPA-users wrote: I continued setting this up. From the externally signed IPA root CA I was trying to create a nested structure of additional CAs. However this doesn't seem to be supported. Is that correct? Here is something similar to what I tried: Root (externally

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/19/20 11:29 AM, Faraz Younus via FreeIPA-users wrote: Thanks, now we decided to go with a self-signed certificate. Currently I'm migrating my old ipa-client to the new IPA server but getting the error below, although I allowed all ports on the IPA server. My IPA client version is 3.0 and my latest version

[Freeipa-users] Re: Expired Certificates, rolling back time didn't help

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/17/20 11:44 AM, Bhavin Vaidya via FreeIPA-users wrote: Hello Flo, thank you for your response. [root@srv01 ~]# ipa config-show | grep renewal   IPA CA renewal master: srv01.arteris.com We followed following step, but Certificates will not renew. Stopped NTP and went back to 2018-05-11

[Freeipa-users] Re: How to add options to api.Command of python ipalib module

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/17/20 10:21 AM, Diadormu ZMJ via FreeIPA-users wrote: example: api.Command.user_show(u'admin'). I want to add a --all option like on the command line. I want to process FreeIPA user and host information with Python. Hi, you can simply call api.Command.user_show(u'admin', all=True) flo

[Freeipa-users] Re: Expired Certificates, rolling back time didn't help

2020-03-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/16/20 11:44 PM, Bhavin Vaidya via FreeIPA-users wrote: Hello, We had a similar issue 2 years back, and it resurfaced as it didn't auto-renew. Went back in time to 2016-06-11 as well as 2020-02-20, restarted "certmonger", didn't update. Hi, you need to check first which server is your renewal

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/15/20 10:27 PM, Faraz Younus via FreeIPA-users wrote: I'll try to add this suggested config and restart ipactl. But as per you it should not have been the case to install the client on the master, why is that? Hi, when ipa-server-install is run to setup a node as an IPA master, the installer

[Freeipa-users] Re: FreeIPA with certificates from external CA and KDC

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 3:46 PM, Peter Tselios via FreeIPA-users wrote: Hello, I have a small project to install a FreeIPA cluster on CentOS 7.7. We have our own CA and they provided me already with a private key and a certificate file for the servers. My problem is that I cannot make ipa-server to install

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 8:43 AM, Faraz Younus via FreeIPA-users wrote: cat /etc/ipa/default.conf #File modified by ipa-client-install [global] basedn = dc=fixedandmobile,dc=com realm = FIXEDANDMOBILE.COM domain = fixedandmobile.com server =

[Freeipa-users] Re: External & Letsencrypt Certificate | Failed on IPA update.

2020-03-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/13/20 6:42 AM, Faraz Younus via FreeIPA-users wrote: I can have the update on below LDAP error ? What is the content of the /etc/ipa/default.conf file? Especially, is there a value for "ldap_uri" and does it start with "ldap_uri = ldapi://..." ? flo On Wed, Mar 11, 2020 at 6:34 PM

[Freeipa-users] Re: Managing different Sub CAs in FreeIPA without their shared Root CA

2020-03-11 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/11/20 5:01 PM, Alexander Petrenz via FreeIPA-users wrote: Hi, I'm new to FreeIPA and I have a conceptual question. I have an existing PKI-Infrastructure with one root CA and three derived Sub-CAs. Now I want to change the PKI-Management to FreeIPA without replacing the already existing

[Freeipa-users] Re: Having issues/confusion about setting up a forwarding zone

2020-03-05 Thread Florence Blanc-Renaud via FreeIPA-users
On 3/5/20 5:54 PM, mike clagett via FreeIPA-users wrote: hi all, Here is my scenario. I will just use .mike as my TLD example here: TLD domain - .mike Primary FreeIPA server that is serving as my master DNS - freeipa.mike Within this setup, I want to set up a dns zone called dev.mike, with

[Freeipa-users] Re: recuring error during ipa-replica-install

2020-02-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/26/20 12:42 PM, LHEUREUX Bernard via FreeIPA-users wrote: I tried multiple times to solve the upgrade failure, but didn't. I finally decided to completely reinstall that machine from scratch but ipa-replica-install always refuses to run to the end... I'm really stuck... Hi, do you

[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)

2020-02-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/25/20 8:27 PM, Chris Bacott via FreeIPA-users wrote: Oh wow. Well, thank you very much for showing me how to enable the debug logging for the whole app stack, that proved to reveal exactly what the issue was. Turns out, apache mod_security was blocking the access from "ipa host-del".

[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)

2020-02-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/25/20 6:25 PM, Chris Bacott via FreeIPA-users wrote: Thank you for the reply. There are no errors with getting any certs at all, that's why this is baffling me. The 403 error is making me think this is either an apache or tomcat issue. Strange issue, indeed. You can enable debug logs:

[Freeipa-users] Re: ipa host-del ERROR Unable to communicate with CMS (403)

2020-02-25 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/25/20 4:18 PM, Chris Bacott via FreeIPA-users wrote: Hello, I've been searching for resolution on this issue for a while now, but it seems all of the issues others have encountered were unrelated. Host OS: CentOS 8.1.1911 All packages up to date. This is a stock installation of

[Freeipa-users] Re: Split domain for IPA and internal machines

2020-02-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/25/20 12:10 AM, Nicholas DeMarco via FreeIPA-users wrote: I've configured FreeIPA servers in identity.demarcohome.com, and my internal machines are in int.demarcohome.com. I added discovery SRV records to the

[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/22/20 12:40 AM, dmitriys via FreeIPA-users wrote: When execute ipa-certupdate get this : ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: KerberosError: No valid Negotiate header in server response ipapython.admintool: ERROR: No valid Negotiate header in server

[Freeipa-users] Re: Issue with Using 3rd part certificates for HTTP/LDAP

2020-02-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/21/20 5:56 PM, dmitriys via FreeIPA-users wrote: Hi! I use freeipa-server 4.7.0~pre1+git20180411-2ubuntu2 on Ubuntu 18.04.4 LTS. I installed freeipa-server in default mode (ipa-server-install). Now I am trying to change the certificate to a Comodo one as written in this article

[Freeipa-users] Re: external cert sign request - how to sign?

2020-02-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/14/20 9:39 AM, lejeczek via FreeIPA-users wrote: On 13/02/2020 14:46, Fraser Tweedale wrote: On Thu, Feb 13, 2020 at 11:59:34AM +, lejeczek via FreeIPA-users wrote: hi everyone, how, if possible at all, to have IPA sign a certificate signing request which is not part of IPA's domain/realm? many

[Freeipa-users] Re: Confusion on LDAP changes for NIS automounts

2020-02-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 2/7/20 1:50 AM, Russell Jones via FreeIPA-users wrote: For those that find this later, these settings will show up if you search cn=config specifically. No idea why it doesn't show up on a full dump. Hi, with the following search: > [root@freeipa4 ~]# ldapsearch -x -D "cn=Directory

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30)fails to start

2020-02-05 Thread Florence Blanc-Renaud via FreeIPA-users
CET, Florence Blanc-Renaud via FreeIPA-users wrote: ... We can see that there is an inconsistency between the /var/lib/ipa/ra-agent.pem file and the LDAP content. You need to choose which one to pick as the source of truth and update the other one. If the cert in /var/lib/ipa/ra-agent.pem

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-04 Thread Florence Blanc-Renaud via FreeIPA-users
in this case we need to work on this single node... Jochen On Monday, February 03, 2020 08:36 CET, Florence Blanc-Renaud via FreeIPA-users wrote: On 2/2/20 11:30 PM, Jochen Demmer via FreeIPA-users wrote: > Hi, > > this is the outputs: > [root@srv107 ipa]# openssl x509 -noout -in /va

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-02-02 Thread Florence Blanc-Renaud via FreeIPA-users
If everything is OK on the renewal master, you can copy the file /var/lib/ipa/ra-agent.pem to the failing node srv107. HTH, flo Shall I  just adjust the serial and try again? Jochen On Friday, January 31, 2020 10:29 CET, Florence Blanc-Renaud via FreeIPA-users wrote: This error occurs when

[Freeipa-users] Re: Replica not renewing IPA certificates

2020-01-31 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/31/20 2:03 PM, Roderick Johnstone via FreeIPA-users wrote: Hi This is freeipa (ipa-server-4.6.5-11.el7_7.3.x86_64) on RHEL7 with freeipa's own internal CA. One of my ipa server replicas (host3) has not renewed its IPA system certificates and is now showing ca-error: Invalid cookie:

[Freeipa-users] Re: Update: Add "mkhomedir" after install

2020-01-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/29/20 4:52 PM, Nicholas DeMarco via FreeIPA-users wrote: In Dec 2015, to effectively add the mkhomedir install option after configuration, Martin Štefany suggested using authconfig. I'm not having success with

[Freeipa-users] Re: Multi site deployment strategy - Server vs Replica

2020-01-29 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/29/20 11:12 AM, Daniel PC via FreeIPA-users wrote: Hello I'm building a cluster with 8 servers divided into 2 sites of 4 servers. I understand from the documentation that only the first server should be installed as a server, all others can be installed as replicas from the first one.

[Freeipa-users] Re: pki-tomcat doesn't start, it can't update certificate

2020-01-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/28/20 1:35 PM, Serge Barkov via FreeIPA-users wrote: I have a FreeIPA with two nodes. I have no problem with one of them but on the other one pki-tomcat can't start. ipactl starts with --ignore-service-failure and pki-tomcatd Service: STOPPED. The first thing I found was an expired certificate

[Freeipa-users] Re: After install FreeIPA server - ipa: WARNING: Failed to read schema: [Errno 13] Permission denied...

2020-01-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/21/20 10:46 AM, Bedrosian Baol via FreeIPA-users wrote: I tried to install the FreeIPA server as suggested here: https://computingforgeeks.com/install-and-configure-freeipa-server-on-ubuntu/ It seems to be all right: :~$ kinit admin > Ok :~$ klist Ticket cache:

[Freeipa-users] Re: sudo rule doesn't work

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/18/20 11:37 AM, Elhamsadat Azarian wrote: Hi dear Florence, thanks for your reply. I wasn't at the office and today I checked the parameters but I can't find them in sssd.conf! How can I check or set their values? Hi, (adding back freeipa-users mailing list) All the parameters are described in

[Freeipa-users] Re: Option to allow single-label domains

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/20 3:39 PM, Ronald Wimmer via FreeIPA-users wrote: Is there a possibility to allow ipa-server-install for a single-label domain? I would like to use IPA at home and will definitely never connect it to an AD. Any version <= 4.6.4 allows the server installation with single-label

[Freeipa-users] Re: WARNING Could not update DNS SSHFP records.

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/20 12:03 AM, Daniel PC via FreeIPA-users wrote: Hi, were you able to solve the problem? I'm facing the same issue with Freeipa 4.8.0 Hi, which version of sssd is installed on your system? The issue looks a lot like https://bugzilla.redhat.com/show_bug.cgi?id=1755643 which got

[Freeipa-users] Re: External CA renewal and self-signed surprise

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/20 1:54 AM, Rob Foehl via FreeIPA-users wrote: On Mon, 20 Jan 2020, Fraser Tweedale wrote: On Mon, Jan 13, 2020 at 04:58:05AM -0500, Rob Foehl via FreeIPA-users wrote: On Thu, 2 Jan 2020, Rob Foehl via FreeIPA-users wrote: The question remains: how do I get rid of the self-signed CA

[Freeipa-users] Re: FreeIPA 4.8.1 on Fedora 31 (upgraded from F30) fails to start

2020-01-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/20/20 9:39 AM, Jochen Demmer via FreeIPA-users wrote: I suffer the exact same problem and already tried to upgrade twice but every time the update fails. The ldap server does not listen when I check with ss or netstat. I reverted back to Fedora 30 with snapshots every time. Hi, can you

[Freeipa-users] Re: FreeIPA ipa-replica-install hangs on "No status yet" during the first replication

2020-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/17/20 4:32 PM, Damien Bras via FreeIPA-users wrote: Hi, During the installation of one of our FreeIPA replica (with ipa-replica-install), the process hangs on "No status yet". Our domain is in domain level 1. It seems that the script is waiting for an attribute

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-17 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/17/20 8:40 AM, Ferdinand Babas via FreeIPA-users wrote: On 1/16/20 12:26 AM, Ferdinand Babas via FreeIPA-users wrote: Hi, the cert is present but its private key is missing. It looks like you lost many of the private keys on that node, do you have a backup somewhere of the NSS database?

[Freeipa-users] Re: Question about ipa group-add-member

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/15/20 6:17 PM, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Adding multiple users to one group is documented, but the other way around seems to be missing. Is there a way to add one user to multiple groups with one command ? Hi, with the GUI you can navigate to your

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/16/20 10:16 AM, luckydog xf via FreeIPA-users wrote: Thanks, I did it as per your instructions, the old serial 268238851 was revoked and invalid. A new serial was generated and is already valid. == # 268238851, certificateRepository, ca, ipaca dn:

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-16 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/16/20 12:26 AM, Ferdinand Babas via FreeIPA-users wrote: On 1/14/20 11:41 PM, Ferdinand Babas via FreeIPA-users wrote: Agreed, any date between June 1 and June 4 should be ok. ipaCert is the most important cert to renew and should be handled first. The man page for getcert-list explains

[Freeipa-users] Re: can't access the web interface of freeIPA

2020-01-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/15/20 9:12 AM, cyrine stambouli via FreeIPA-users wrote: Hello, I have a problem accessing the FreeIPA interface. I have installed FreeIPA on a CentOS 7 server, the installation completed without any errors, but I am not able to access the web interface. Do you have any idea how to fix

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-15 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/14/20 11:41 PM, Ferdinand Babas via FreeIPA-users wrote: On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote: Hi, you need to carefully pick the date in the past. At that given date, all your certs must be valid (ie notbefore < date < notafter). It's likely that you choose a date
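The rule Flo states above (at the chosen date every certificate must satisfy notbefore < date < notafter), the "any date between June 1 and June 4" answer earlier in this thread, and the "Expired Certificates, rolling back time didn't help" thread all come down to the same computation: the intersection of all validity windows. The script below is an added example, not code from the thread, from FreeIPA or from certmonger. It parses the Not Before / Not After lines that `certutil -L -d <nssdb> -n '<nickname>'` prints for each certificate, reports which certificate bounds the window on each side (the most recently issued one opens it, the earliest expiring one closes it), and picks a rollback date with a day of margin. The certificate dumps in SAMPLE_CERTS are constructed for illustration; the nicknames follow the thread.

```python
"""Pick a clock-rollback date on which every IPA certificate is still valid.

Added example, not code from the thread, from FreeIPA or from certmonger.
It parses the "Not Before" / "Not After" lines printed by
`certutil -L -d <nssdb> -n '<nickname>'` and computes the window in which
every certificate satisfies  notBefore < date < notAfter.
The dumps in SAMPLE_CERTS are constructed; nicknames follow the thread.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

# certutil prints validity as e.g. "Not Before: Sat Jun 01 08:00:00 2019" (UTC).
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"
_VALIDITY_RE = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)

Window = namedtuple("Window", "start end latest_issued earliest_expiring")

# Constructed certutil output, trimmed to the lines that matter.
SAMPLE_CERTS = {
    "ipaCert": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Fri Jun 01 10:05:21 2018
            Not After : Tue Jun 04 10:05:21 2019
""",
    "Server-Cert cert-pki-ca": """\
Certificate:
    Data:
        Validity:
            Not Before: Sat Jun 01 08:00:00 2019
            Not After : Mon May 31 08:00:00 2021
""",
    "auditSigningCert cert-pki-ca": """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jun 07 10:05:21 2018
            Not After : Fri Jun 05 10:05:21 2020
""",
}


def parse_validity(certutil_output):
    """Return (not_before, not_after) from one `certutil -L -n <nick>` dump."""
    found = {}
    for m in _VALIDITY_RE.finditer(certutil_output):
        found[m.group(1)] = datetime.strptime(m.group(2), CERTUTIL_TIME)
    if set(found) != {"Before", "After"}:
        raise ValueError("no Not Before / Not After lines in certutil output")
    return found["Before"], found["After"]


def common_validity_window(certs):
    """certs maps nickname -> certutil output. Returns a Window, or None when
    no single instant satisfies notBefore < t < notAfter for every cert."""
    validity = {nick: parse_validity(text) for nick, text in certs.items()}
    latest_issued = max(validity, key=lambda n: validity[n][0])
    earliest_expiring = min(validity, key=lambda n: validity[n][1])
    start = validity[latest_issued][0]
    end = validity[earliest_expiring][1]
    if start >= end:
        return None  # e.g. one cert was renewed after another had already expired
    return Window(start, end, latest_issued, earliest_expiring)


def is_valid_at(when, certs):
    """True when every cert is strictly inside its validity period at `when`."""
    return all(nb < when < na for nb, na in map(parse_validity, certs.values()))


def pick_rollback_date(certs, margin=timedelta(days=1)):
    """Choose a date inside the common window, `margin` away from both edges
    when the window is wide enough, otherwise its midpoint."""
    window = common_validity_window(certs)
    if window is None:
        return None
    if window.end - window.start > 2 * margin:
        return window.start + margin
    return window.start + (window.end - window.start) / 2


if __name__ == "__main__":
    w = common_validity_window(SAMPLE_CERTS)
    if w is None:
        print("no common validity window; the expired cert must be renewed another way")
    else:
        print("window opens :", w.start, "(set by %s)" % w.latest_issued)
        print("window closes:", w.end, "(set by %s)" % w.earliest_expiring)
        chosen = pick_rollback_date(SAMPLE_CERTS)
        print("stop ntpd/chronyd first, then: date -u -s '%s'"
              % chosen.strftime("%Y-%m-%d %H:%M:%S"))
```

On a real server, feed it the certutil output of every tracked certificate (the ones listed by `getcert list`), ipaCert included, from the renewal master. A `None` result means no rollback date can satisfy all certificates at once, which is the situation where rolling back the clock will not help and the expired certificate has to be renewed by other means.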

[Freeipa-users] Re: Disable SSLv3 and RC4 ciphers on ipa-server 3.0.0

2020-01-14 Thread Florence Blanc-Renaud via FreeIPA-users
ipa server, and subsequently tomcat, which is a task I'm not looking forward to. Terry On Tue, Jan 14, 2020 at 7:20 AM Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote:

[Freeipa-users] Re: Disable SSLv3 and RC4 ciphers on ipa-server 3.0.0

2020-01-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/14/20 11:58 AM, Mauricio Tavares via FreeIPA-users wrote: On Tue, Jan 14, 2020 at 4:16 AM Florence Blanc-Renaud via FreeIPA-users wrote: On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote: We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having

[Freeipa-users] Re: Disable SSLv3 and RC4 ciphers on ipa-server 3.0.0

2020-01-14 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/13/20 8:38 PM, Terry Soucy via FreeIPA-users wrote: We are running FreeIPA 3.0.0 on CentOS 6 (directly from the OS repository). I am having trouble disabling SSL3 and RC4 ciphers on port 9443 (pki-cad) ipa-server-3.0.0 tomcat6-6.0.24 I've been modifying /etc/pki-ca/server.xml with

[Freeipa-users] Re: sudo rule doesn't work

2020-01-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/12/20 12:26 PM, Elhamsadat Azarian via FreeIPA-users wrote: Hi friends, I define a SudoRule with these properties: rulename : rsyslog_rule Enabled : true RunAs group Category : All users : user-test hosts : ipacli-irvlt01.mydomain.com sudo Deny Commands : sudo /usr/bin/systemctl restart

[Freeipa-users] Re: Problem adding a RHEL 8.1 client

2020-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote: [root@client01 ~]# rpm -qa openldap openldap-2.4.46-10.el8.x86_64 [root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert Certificate: Data: Version: 3 (0x2) Serial Number:

[Freeipa-users] Re: Problem adding a RHEL 8.1 client

2020-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote: Hello Christian, It is a standard installation. [root@server2 ~]# cat /proc/sys/crypto/fips_enabled 0 Can you also check the following: - which version of openldap is installed on the client: rpm -qa openldap - does the

[Freeipa-users] Re: Problem adding a RHEL 8.1 client

2020-01-10 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, can you try to run the following on the client: $ update-crypto-policies --set LEGACY then retry the client install? (This is a workaround described in https://access.redhat.com/articles/3642912. RHEL8 enables less ciphersuites and protocols) flo On 1/10/20 12:49 PM, SOLER SANGUESA

[Freeipa-users] Re: Problem adding a RHEL 8.1 client

2020-01-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote: Hello, I’m trying to add a RHEL 8.1 client with the following spec: OS: RHEL 8.1 (Ootpa) IPA: ipa-client-4.8.0-10 SSSD: sssd-2.2.0-19.el8.x86_64 My IDM server has: OS: RHEL 7.7 (Maipo) IPA: ipa-server-4.6.5-11.el7_7.3

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-09 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/9/20 6:44 AM, Ferdinand Babas via FreeIPA-users wrote: On 1/8/20 3:30 AM, Ferdinand Babas via FreeIPA-users wrote: Do you have the file /var/lib/pki/pki-tomcat/conf/password.conf ? Its content is usually: internal= replicationdb= If it's empty/missing, you can also check if there is a

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/8/20 3:30 AM, Ferdinand Babas via FreeIPA-users wrote: Hi Flo, Thanks for the response. On 1/6/20 10:12 PM, Ferdinand Babas via FreeIPA-users wrote: Hi, this error usually happens when there are issues with the subsystemCert cert-pki-ca. According to your certutil output, the cert is

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/7/20 10:04 AM, luckydog xf via FreeIPA-users wrote: I tried this way, but I have not found this entry. === ldapsearch -x -h localhost -D "cn=directory manager" -W > all.ldif Hi, if your /etc/openldap/ldap.conf is configured with default settings, it probably has BASE dc=,dc=com

[Freeipa-users] Re: Certificate not found: auditSigningCert cert-pki-ca - Can't run pki-tomcatd Service

2020-01-07 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/6/20 10:12 PM, Ferdinand Babas via FreeIPA-users wrote: Hi All, I've been trying to work through this issue but can't find the magic formula to get it working so I'm turning to the community for help. We are currently running VERSION: 4.4.0, API_VERSION: 2.213 in a 4 node multi master

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/3/20 3:03 AM, luckydog xf via FreeIPA-users wrote: On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote: Hi, can you check if the cert is revoked with: $ certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'Server-Cert cert-pki-ca' | grep -i Serial (note the Serial number) $ ipa cert-show

[Freeipa-users] Re: Max renew for Kerberos tickets

2020-01-02 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, please have a look at the documentation [1]. There are multiple levels where the ticket max life/max renew can be defined and the doc explains the various settings that must be taken into account. Hope this clarifies, flo [1]

[Freeipa-users] Re: External CA renewal and self-signed surprise

2020-01-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 1/2/20 7:24 AM, Rob Foehl via FreeIPA-users wrote: Went to renew an externally-signed IPA CA certificate that was valid through today, and discovered that FreeIPA had decided to renew it with a self-signed cert a month ago, and had since reissued all other subsystem certs against that

[Freeipa-users] Re: Server-Cert cert-pki-ca was expired and wasn't renewed automatically

2020-01-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/31/19 1:47 AM, luckydog xf via FreeIPA-users wrote: I reset the system clock to Oct 27, while this certificate would expire on Nov 11. It's still valid and should be renewed by certmonger. So there is no reason it says the serial number was revoked. Hi, can you check if the cert is revoked

[Freeipa-users] Re: How to allow users to manage their own certs

2019-12-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote: We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate. I get the following error: Insufficient access: Principal

[Freeipa-users] Re: Letsencrypt and IPA

2019-12-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/24/19 10:26 AM, Petar Kozić via FreeIPA-users wrote: I found that it is a bug in a python module. I solved it and installed my SSL when I did this: https://bugs.launchpad.net/ubuntu/+source/pyasn1/+bug/1785157 Can this be a problem in the future if I continue using Let's Encrypt? Full debug

[Freeipa-users] Re: Yum Update - Failed to authenticate to CA REST API - Past Fixes Don't Work

2019-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/19 4:22 PM, Michael Plemmons via FreeIPA-users wrote: I am updating from 4.6.4-10 to 4.6.5-11 on CentOS 7. The server I am working on is one of three in a production cluster. The yum update failed and I get "Failed to authenticate to CA REST API" in the ipa upgrade log. I have

[Freeipa-users] Re: Letsencrypt and IPA

2019-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/19 4:52 PM, Petar Kozić via FreeIPA-users wrote: Hi folks, I have one IPA server in production for my small environment. There I set Let’s Encrypt CA root and issue .p12 cert without problem. Now, I want to install FreeIPA on VPS, but I have problem with Let’s encrypt SSL. I can’t

[Freeipa-users] Re: Replacing the self-signed cert/CA with an external one ?

2019-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/19 1:19 PM, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: I have two IdM/FreeIPA instances running in a test lab environment, built with self-signed certs and CA.  Both have CA installed. I want to replace the self-signed with a real, external CA as it will be in

[Freeipa-users] Re: New FreeIPA User - Bad Login Throttle or Progressive Delay or Brute Force Countermeasures

2019-12-23 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/23/19 4:49 AM, Brad Chesney via FreeIPA-users wrote: ...Does FreeIPA have anything built in to add increasing sadness to a would be intruder in the event of successive failed authentication attempts? What is it called so I can search for the documentation on the topic? Hi, you can have

[Freeipa-users] Re: ipa-healthcheck: a replica says "RA agent description does not match", "Request for certificate failed, Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)"

2019-12-22 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/21/19 1:49 PM, Alex Corcoles via FreeIPA-users wrote: Hi, I'm monitoring using ipa-healthcheck and I just started getting: $ sudo ipa-healthcheck --severity CRITICAL --severity ERROR --failures-only ra.get_certificate(): EXCEPTION (Invalid Credential.) ra.get_certificate(): EXCEPTION

[Freeipa-users] Re: Sequence rollover

2019-12-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I am adding Directory Server's users list in CC as they have more knowledge. flo On 12/21/19 10:39 AM, Christophe TREFOIS via FreeIPA-users wrote: Dear all, Does anybody have any insights to give us ? Thanks a lot, Christophe __ *From:*Sarah PETER via FreeIPA-users *Sent:* mercredi

[Freeipa-users] Re: Make a CRL + OCSP stapling check

2019-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/18/19 7:22 PM, iam pollux via FreeIPA-users wrote: Hello, We have a root CA and a subordinate CA with Freeipa. The root CA issues a certificate for the subordinate CA and the subordinate CA provides certificates to the client workstations. Since multi stapling is not available, is it

[Freeipa-users] Re: ipa-replica-install latest failure attempt:

2019-12-02 Thread Florence Blanc-Renaud via FreeIPA-users
On 12/2/19 7:10 PM, Auerbach, Steven via FreeIPA-users wrote: A couple of follow-up questions and some results of an ldap search... In your suggested ldapmodify statement: ldapmodify -h -p 389 -D "cn=directory manager" -W dn: cn=replica,cn=, cn=mapping tree,cn=config changetype: modify

[Freeipa-users] Re: yum update problem

2019-11-28 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/28/19 10:33 AM, Natxo Asenjo via FreeIPA-users wrote: hi, sorry for the delay, priorities shifted a bit. Let's see, the serial # and validity of the cert in the kdc with problems: - note the serial ID of the cert, its subject and issuer: [root@kdc2 ~]# openssl x509 -noout -text -in

[Freeipa-users] Re: Replication issue, can't locate CSN, check_ipa_consistency shows no errors

2019-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/20/19 10:16 PM, Jones, Bob (rwj5d) via FreeIPA-users wrote: Thank you for the help Flo. Doing the ipa-csreplica-manage re-initialize corrected the issue I was seeing. Glad I was able to help, and thanks for the update. It's good to get confirmation that the issue was solved with the

[Freeipa-users] Re: yum update problem

2019-11-21 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/20/19 8:13 PM, Natxo Asenjo via FreeIPA-users wrote: hi, after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble. [root@kdc2 ~]# ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED named Service:

[Freeipa-users] Re: Replication issue, can't locate CSN, check_ipa_consistency shows no errors

2019-11-20 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/19/19 10:04 PM, Jones, Bob (rwj5d) via FreeIPA-users wrote: Hello, We have a 3 node multi-master IPA setup. These are running on Red Hat Enterprise Linux Server release 7.7 (Maipo) and all are version: Name: ipa-server Arch: x86_64 Version : 4.6.5 Release :

[Freeipa-users] Re: ipa-replica-install latest failure attempt:

2019-11-19 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/19/19 9:31 AM, thierry bordaz via FreeIPA-users wrote: On 11/18/19 11:24 PM, Rob Crittenden wrote: Auerbach, Steven via FreeIPA-users wrote: Executed ipa-replica-prepare on an RHEL 6.9 server running ipa-server 3.0.0.1_51  (name : ipa01) Yum installed ipa-server, ipa-server-dns,

[Freeipa-users] Re: Inappropriate authentication when binding as service account

2019-11-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/11/19 11:53 AM, Joyce Babu via FreeIPA-users wrote: Hello, I am trying to bind to ldap as a service account. I followed the advice in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/44Z4ANXQYKRNTEVNL35BK27X7Q67RVDQ/ and created a plain text

[Freeipa-users] Re: Unable to login to IPA console

2019-11-13 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/13/19 8:41 AM, Nikita Deeksha wrote: Hi Florence, Please find the below getcert complete list. I had changed the time to 24 October 2019 where all the certificates were valid, subsystem cert was renewed in the month of September 2019. Hi, according to your getcert output, 24 Oct

[Freeipa-users] Re: Unable to login to IPA console

2019-11-12 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/8/19 4:33 PM, Nikita Deeksha via FreeIPA-users wrote: Alexander/Florence, While we were trying to renew the httpd cert, we went back in time to where the httpd cert was valid and then tried to renew the cert, but Step 7: Test CA operation is failing with the below error.

[Freeipa-users] Re: Unable to login to IPA console

2019-11-08 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/7/19 11:16 AM, Nikita Deeksha via FreeIPA-users wrote: Thanks for the update Alexander will check this and get back to you, wanted to check on another thing as well. Can you please help us to understand this error that we see for the cert in pki [root@ipa1 nikita.d]# for i in

[Freeipa-users] Re: Disaster Recovery Architecture for IPA servers setup replicating in full mesh

2019-11-04 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/4/19 8:44 AM, Saurabh Garg via FreeIPA-users wrote: Hi All, Could anyone please share a Disaster Recovery Architecture for IPA servers setup replicating in full mesh with the details of backup and restore procedure. Regards, sgarg

[Freeipa-users] Re: ipa-client password

2019-11-03 Thread Florence Blanc-Renaud via FreeIPA-users
On 11/2/19 6:04 AM, TomK via FreeIPA-users wrote: Hey All, Given a line like this: ipa-client-install --force-join -p admin -w "*" --fixed-primary --server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz --domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U 1) Is there a way to pull the

[Freeipa-users] Re: ipa-replica-install

2019-10-30 Thread Florence Blanc-Renaud via FreeIPA-users
On 10/18/19 2:44 PM, Joseph, Matthew via FreeIPA-users wrote: Hello, I’m currently running into an issue when trying to do the ipa-replica-install. I did the ipa-replica-prepare command and copied the replica gpg file to the new replica server and run the following command to do the install

[Freeipa-users] Re: Issues with Free IPA (Red Hat IDM). Sporadic lookup results. Different results in EL 6 and 7.

2019-09-27 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/26/19 3:44 PM, Jones, Bob (rwj5d) via FreeIPA-users wrote: Thank you for the answer. My guess was it had something to do with the negative cache, but wasn’t sure. Unfortunately I’m not authorized to access bug #1717008 so cannot view the details in order to potentially confirm this is

[Freeipa-users] Re: Issues with Free IPA (Red Hat IDM). Sporadic lookup results. Different results in EL 6 and 7.

2019-09-26 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/26/19 2:24 AM, Bob Jones via FreeIPA-users wrote: All, First the deets of the setup: 3 IDM servers on RHEL 7.7 ipa version VERSION: 4.6.5, API_VERSION: 2.231 sssd version 1.16.4 389 directory server version 1.3.9.1-10 Clients: EL7: ipa version 5.6.5, sssd version EL6: ipa version

[Freeipa-users] Re: getcert list status: NEED_CA issue

2019-09-24 Thread Florence Blanc-Renaud via FreeIPA-users
On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote: Thanks Florence, is it safe to run "ipa-server-upgrade" ? Hi, generally yes :) We had a few tickets related to upgrade but they are mainly revealing already present issues (for instance because this CLI stops and starts the
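The pattern running through the expired-certificate threads above (the "Server-Cert cert-pki-ca was expired" thread, the "Unable to login to IPA console" thread where the clock was set back to 24 October 2019, and the "NEED_CA" thread) is the same: read `getcert list`, find the requests certmonger cannot renew on its own, and pick a clock date before the earliest expiry so renewal can run. The script below is an added example, not code from FreeIPA, certmonger, or any of the posters. The `getcert list` output embedded in it is constructed; the request IDs, nicknames and dates are made up, and it assumes certmonger prints one `Request ID '...'` header per tracked certificate followed by indented `key: value` lines including `status:`, `stuck:`, `certificate:` and `expires: YYYY-MM-DD HH:MM:SS UTC`. One caveat a practitioner should keep in mind: `getcert list` does not print notBefore, so the script can only choose a date that is before every expiry; that the chosen date is also after every certificate's notBefore must be confirmed against the certificates themselves (for example with `openssl x509 -noout -dates`).

```python
"""Pick a clock date at which every certmonger-tracked certificate is still unexpired.

Added example; not code from FreeIPA or certmonger. The getcert output below is
constructed for the example (request IDs, nicknames and dates are made up).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (assumed field names, see lead-in).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20190901120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa1.example.com,O=EXAMPLE.COM
\texpires: 2019-11-11 08:00:00 UTC
Request ID '20190901120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa1.example.com,O=EXAMPLE.COM
\texpires: 2019-10-30 08:00:00 UTC
Request ID '20190901120002':
\tstatus: NEED_CA
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2021-09-01 12:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the getcert field names."""
    requests, current = [], None
    for line in text.splitlines():
        header = REQUEST_RE.match(line)
        if header:
            current = {"request_id": header.group("id")}
            requests.append(current)
            continue
        if current is None:
            continue  # summary line before the first request
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group("key"), field.group("value")
        current[key] = value
        if key == "certificate":
            nick = NICK_RE.search(value)
            current["nickname"] = nick.group("nick") if nick else value
        elif key == "expires":
            current["expires_at"] = parse_expiry(value)
    return requests


def stuck_requests(requests):
    """Requests certmonger will not renew by itself: any non-MONITORING status, or stuck=yes."""
    return [r for r in requests if r.get("status") != "MONITORING" or r.get("stuck") == "yes"]


def already_expired(requests, now=None):
    """Requests whose certificate has expired as of `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return [r for r in requests if "expires_at" in r and r["expires_at"] <= now]


def safe_clock_date(requests, margin=timedelta(days=2)):
    """Latest instant that is still `margin` before every tracked expiry.

    getcert does not print notBefore, so this only guarantees nothing has expired
    yet; check the certificates' notBefore separately. Returns None with no expiries.
    """
    expiries = [r["expires_at"] for r in requests if "expires_at" in r]
    return min(expiries) - margin if expiries else None


def report(text, now=None):
    """Summarise the getcert output as plain text (returned, so it can be checked)."""
    reqs = parse_getcert_list(text)
    lines = ["%d tracked requests" % len(reqs)]
    for r in stuck_requests(reqs):
        lines.append("needs attention: %s (%s) status=%s stuck=%s"
                     % (r["request_id"], r.get("nickname"), r.get("status"), r.get("stuck")))
    for r in already_expired(reqs, now):
        lines.append("expired: %s (%s) at %s" % (r["request_id"], r.get("nickname"), r["expires"]))
    when = safe_clock_date(reqs)
    if when:
        lines.append("set the clock no later than %s before retrying renewal" % when.isoformat())
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_GETCERT_OUTPUT))
```

On a real server the same functions can be fed the output of `getcert list` directly; the margin is a conservative default, not a certmonger setting, and should be widened if the certificates were issued close to one another.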
