Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Thank you very much Rob. Let me remove the duplicate certificates and try to renew the certificates again to see if "*ca-error: Internal error: no response to "http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert_num=63=true=true

Re: [Freeipa-users] change GID not work

2016-07-22 Thread Lukas Slebodnik
On (22/07/16 10:07), Rob Crittenden wrote: >Junhe Jian wrote: >> Hello, >> >> i have a problem to change/set the GID. >> >> I create a new Group with a GID 999 in GUI not work. IPA generate a new >> GID within the Range. > >You are running into https://fedorahosted.org/freeipa/ticket/2886 >

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-22 Thread Rob Crittenden
Sébastien Julliot wrote: Hi Petr, Thanks for the documentation. I had already followed the steps from the NIS migration page; it works, but does not solve my problem, which is to change *already existing users'* passwords. When trying ipa user-mod testuser --setattr

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Rob Crittenden
Linov Suresh wrote: Could you please verify if we have set correct trust attributes on the certificates *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca

Re: [Freeipa-users] Odd Password Issue Across the realm

2016-07-22 Thread Rob Crittenden
Auerbach, Steven wrote: I don't think so. The sssd service is running on the client server. But it is configured with cache_credentials=true. I also notice a key ipa_server = _srv_, ipa02.<>.local. The thing is, that second name was replaced a number of months ago by a server named

[Freeipa-users] Cannot renew expired certificates in IPA 4.2

2016-07-22 Thread lm gnid
Hello, as in the link below, your help will be appreciated! https://bugzilla.redhat.com/show_bug.cgi?id=1343796

[Freeipa-users] Unable to add CA on an already configured replica

2016-07-22 Thread pgb205
Current topology: ipa-srv1<->ipa-srv2 ipa-srv1 already has CA installed but NOT ipa-srv2. The reason I would like to add CA on ipa-srv2 is because I want the setup to ultimately become ipa-srv2<->ipa-srv2<->ipa-srv3 however I am unable to create gpg replication file on ipa-srv2 (to be used to

[Freeipa-users] Question DNS

2016-07-22 Thread Günther J. Niederwimmer
Hello List, what is the best way to include a local DNS server? Can I configure views on an IPA DNS server (external) for an internal DNS without problems? Is the named configuration overwritten by updates or anything else? I have read many FreeIPA docs now but found nothing on this problem. --

Re: [Freeipa-users] Replicating users/groups from AD

2016-07-22 Thread Simo Sorce
On Fri, 2016-07-22 at 09:59 -0500, Alston, David wrote: > Greetings! > > I realize that FreeIPA is supposed to be setup as master of its > own domain, but are there any plans to continue the account > replication functionality that has already been in FreeIPA? I had > heard rumor that it

[Freeipa-users] Replicating users/groups from AD

2016-07-22 Thread Alston, David
Greetings! I realize that FreeIPA is supposed to be setup as master of its own domain, but are there any plans to continue the account replication functionality that has already been in FreeIPA? I had heard rumor that it would be possible to have FreeIPA and Active Directory coexist in

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I agree with you Jakub, I will start a separate thread for separate issues. On Fri, Jul 22, 2016 at 10:31 AM, Jakub Hrozek wrote: > On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > > I'm facing another issue now, my kerberos tickets are not renewing, > >

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote: > I'm facing another issue now, my kerberos tickets are not renewing, In general I think it's better to start separate threads about separate issues. That way people who only scan the subject lines can see if this thread is something

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-22 Thread Sébastien Julliot
Hi Petr, Thanks for the documentation. I had already followed the steps from the NIS migration page; it works, but does not solve my problem, which is to change *already existing users'* passwords. When trying ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA==' I get

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 03:04:01PM +0100, Peter Pakos wrote: > Jakub Hrozek wrote: > > > I'm glad it works now, but why did you choose to use the LDAP back end > > over the IPA back end? By using LDAP, you gain the ability to not enroll > > clients with ipa-client-install, but you lose the ease

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
Could you please verify if we have set correct trust attributes on the certificates *[root@caer ~]# certutil -d /var/lib/pki-ca/alias/ -L* Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI subsystemCert cert-pki-ca

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-22 Thread Rakesh Rajasekharan
Under the "configure global security" part of Jenkins, we can specify how Jenkins will fetch users for authentication. One option is "Unix user/group database", wherein it will do a getent passwd and fetch users from there. The other is to specify LDAP. There are a few other ways as well but I haven't

Re: [Freeipa-users] change GID not work

2016-07-22 Thread Rob Crittenden
Junhe Jian wrote: Hello, i have a problem to change/set the GID. I create a new Group with a GID 999 in GUI not work. IPA generate a new GID within the Range. You are running into https://fedorahosted.org/freeipa/ticket/2886 This is fixed in freeIPA 3.2. Basically 999 was the "magic"

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-22 Thread Peter Pakos
Jakub Hrozek wrote: > I'm glad it works now, but why did you choose to use the LDAP back end > over the IPA back end? By using LDAP, you gain the ability to not enroll > clients with ipa-client-install, but you lose the ease of > manageability, HBAC, easy SUDO integration, not to mention you

Re: [Freeipa-users] IPA certificates expired, please help!

2016-07-22 Thread Linov Suresh
I'm facing another issue now, my kerberos tickets are not renewing, *[root@caer ~]# ipa cert-show 1* ipa: ERROR: Ticket expired *[root@caer ~]# klist* Ticket cache: FILE:/tmp/krb5cc_0 Default principal: ad...@teloip.net Valid starting Expires Service principal 07/20/16 14:42:26

[Freeipa-users] change GID not work

2016-07-22 Thread Junhe Jian
Hello, I have a problem changing/setting the GID. Creating a new group with GID 999 in the GUI does not work; IPA generates a new GID within the range. On the command line it is the same: ipa group-add --gid=999 --desc='Docker Group' docker Added group "docker"

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 06:17:32PM +0530, Rakesh Rajasekharan wrote: > My specific requirement for having "enumerate=TRUE" was, we have a build > server with the jenkins set up. > And for authentication jenkins tries to get the localusers on the system. I'm not sure what you mean by localusers,

Re: [Freeipa-users] AD trust with POSIX attributes

2016-07-22 Thread Jan Karásek
Hi, thanks a lot for the help guys. It's working now. I can successfully read POSIX attributes from AD. Right now I am storing uidNumber, gidNumber, gecos, loginShell and unixHomeDirectory in AD. I have trouble with the homedir. It's using subdomain_homedir from sssd.conf and not reflecting the

Re: [Freeipa-users] Bypass pre-hashed passwords verification

2016-07-22 Thread Petr Vobornik
On 07/22/2016 11:42 AM, Sébastien Julliot wrote: > Hello everyone, > > I am currently trying to deploy FreeIPA as the new idm system in my > university but came across a problem I could not solve yet. I need to > bypass the pre-hashed passwords verification, not only on the user creation. > >

Re: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-22 Thread Peter Pakos
A massive thank you to Jan Cholasta for handholding me while I was getting this problem fixed. This is how we did it... 1. List all CA certificates in LDAP directory: ldapsearch -b cn=certificates,cn=ipa,$basedn 2. Using ldapdelete (or LDAP browser), get rid of all certificates that shouldn't

Re: [Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!

2016-07-22 Thread Peter Pakos
A massive thank you to Jan Cholasta for handholding me while I was getting this problem fixed. This is how we did it... 1. List all CA certificates in LDAP directory: ldapsearch -b cn=certificates,cn=ipa,$basedn 2. Using ldapdelete, get rid of all certificates that shouldn't be there, in my

[Freeipa-users] Bypass pre-hashed passwords verification

2016-07-22 Thread Sébastien Julliot
Hello everyone, I am currently trying to deploy FreeIPA as the new idm system in my university but came across a problem I could not solve yet. I need to bypass the pre-hashed passwords verification, not only on the user creation. Due to several constraints, our workflow involves periodically

Re: [Freeipa-users] sssd shows deleted users as well

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 10:28:30AM +0200, Lukas Slebodnik wrote: > On (22/07/16 13:25), Rakesh Rajasekharan wrote: > >Hi, > > > >I am running freeipa version 4.2.0 and sssd version 1.13.0 > > > >I have set "enumerate=True" to show IPA users as well in getent passwd. > > > >However, the getent

Re: [Freeipa-users] FreeIPA and slave MIT slave KDCs

2016-07-22 Thread Petr Spacek
On 21.7.2016 22:05, Diogenes S. Jesus wrote: > Hi everyone. > > I'm currently planning on deploying FreeIPA as the Master KDC (among other > things to leverage the API and some other built-in features - like > replicas). > However I find (correct me if I'm wrong) FreeIPA not very modular -

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Roberto Cornacchia
Ben and Petr, Thanks for your inputs, I'll keep an eye on those bug reports. Roberto On 22 July 2016 at 09:51, Petr Spacek wrote: > On 22.7.2016 04:43, Ben Lipton wrote: > > I'm not familiar enough with Fedora release engineering to know how this > gets > > fixed

Re: [Freeipa-users] named-pkcs11 doesn't start after bind update

2016-07-22 Thread Petr Spacek
On 22.7.2016 04:43, Ben Lipton wrote: > I'm not familiar enough with Fedora release engineering to know how this gets > fixed permanently, but I'll share some investigation I've done. > > This appears to be due to a change in the selinux-policy-targeted package that > happened recently. As of the

Re: [Freeipa-users] FreeIPA / Change SSL Certificate for Web Server

2016-07-22 Thread Florence Blanc-Renaud
On 07/22/2016 05:08 AM, Devin Acosta wrote: I have just installed a newly created FreeIPA server running CentOS 7.2. I have a (wildcard) SSL Certificate that I want to use for the FreeIPA Web Management GUI. I tried to follow the directions listed here at the URL of