Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Fraser Tweedale
On Wed, Jan 04, 2017 at 01:19:19PM +, Christophe TREFOIS wrote: > Hi Florence, > > I did what you said, and then the status went to CA_WORKING. Then I restart > ipa and certmonger and the status went to CA_UNREACHABLE. > Then I did “resubmit” again and now the status is back to MONITORING, bu

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi, yes I did the same and still the port is not listening. [root@zkwipamstr01 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.151.4.64 zkwipamstr01.kw.example.com

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Fraser Tweedale
On Wed, Jan 04, 2017 at 03:12:12PM +0300, Ben .T.George wrote: > HI > > port 8009 is not listening in master server > > and i added ::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6 in hosts file. > Did you add this to the host file on the master (then `systemctl

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi, anyone please help me to fix this. Regards, Ben On Wed, Jan 4, 2017 at 3:12 PM, Ben .T.George wrote: > HI > > port 8009 is not listening in master server > > and i added ::1 localhost localhost.localdomain localhost6 > localhost6.localdomain6 in hosts file. > > still getting same er

[Freeipa-users] IPA to IPA migration

2017-01-04 Thread Timothy Geier
This is something I’ve looked at lately and a manual proof of concept I just did (using ideas from https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA) makes it seem theoretically possible (though it looks like, barring the migration of the kerberos master key,

[Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-04 Thread Jason B. Nance
Hello everyone, I have a pair of FreeIPA 4.4.0 servers set up whose forwarders are each set to an Active Directory domain controller. When a client attempts to look up any DNS record other than those for which FreeIPA is authoritative, the client reports NXDOMAIN and the FreeIPA server has the fol

Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly create users, however user id is correct

2017-01-04 Thread Lukas Slebodnik
On (08/12/16 10:24), Bjarne Blichfeldt wrote: >> -Original Message- >> From: David Kupka [mailto:dku...@redhat.com] >> Sent: 8. december 2016 09:40 >> To: Bjarne Blichfeldt ; freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] nfsv4+kerberos: group ID not mapped on newly >> create user

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-04 Thread Jeff Goddard
I don't want to hijack someone else's thread but I'm having what appears to be the same problem and have not seen a solution presented yet. Here is the output of journalctl -xe after having tried to start named: Jan 04 15:48:42 id-management-2.internal.emerlyn.com named-pkcs11[3948]: loading conf

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-04 Thread Daniel Schimpfoessl
From the logs: /var/log/dirsrv/slapd-DOMAIN-COM/errors ... a few warnings about cache size, NSACLPlugin and schema-compat-plugin [04/Jan/2017:12:14:21.392642021 -0600] slapd started. Listening on All Interfaces port 389 for LDAP requests /var/log/dirsrv/slapd-DOMAIN-COM/access ... lots of entrie

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Christophe TREFOIS
To all, So to recap, if I hit resubmit once, I get a CA_WORKING, if I do it immediately after again, I get a MONITORING, but the “ca-error: Invalid cookie” comes back. How can I get a valid cookie back? Thanks for your help, Christophe > On 4 Jan 2017, at 14:19, Christophe TREFOIS wrote: > >

[Freeipa-users] CA crt renew -- encoding mismatch

2017-01-04 Thread Jan Orel
Hello, recently we renewed our CA crt. Later we noticed the new CA certificate uses different encoding in Issuer and Subject: subject= organizationName = UTF8STRING:INTGDC.COM commonName= UTF8STRING:Certificate Authority issuer= organizationName = PRI

[Freeipa-users] Fwd: Unspecified GSS failure. Minor code may provide more information KDC has no support for encryption type

2017-01-04 Thread tarak sinha
Hi Team, My other nodes are working fine. It's not asking for any password. Please let me know how to fix this issue. Thanks for reaching out to me. Here is the output from the working node:--- debug1: Authentications that can continue: publickey,gssapi-with-mic, password debug1: Next authentication method: gssapi-w

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-04 Thread Daniel Schimpfoessl
Do you have a list of all log files involved in IPA? Would be good to consolidate them into ELK for analysis. 2017-01-04 2:48 GMT-06:00 Florence Blanc-Renaud : > On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote: > >> Thanks for your reply. >> >> This was the initial error I asked for help a whil

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Rob Crittenden
Alan Latteri wrote: > Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is > the version provided. > Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is > out of our control. Either way it's a bug somewhere in ipa-client, it should require a min

Re: [Freeipa-users] Valid Sender ? - Re: Using Privacyidea with FreeIPA - part 1/n

2017-01-04 Thread Cornelius Kölbel
Hi Jochen, this is a very important point. Every application is adopting two-factor authentication with OTP. This is great - we always hoped for such security awareness. But the important difference is: The common web application that finally will implement TOTP ("this cloudy algorithm which w

Re: [Freeipa-users] Valid Sender ? - Re: Using Privacyidea with FreeIPA - part 1/n

2017-01-04 Thread Cornelius Kölbel
...by the way. This is probably the reason why Red Hat uses the predecessor of privacyIDEA as the central 2FA authentication system for the OTP authentication. Kind regards Cornelius On Friday, 30 December 2016 08:21:36 UTC+1, Cornelius Kölbel wrote: > > Hi Jochen, > > this is a very important

Re: [Freeipa-users] LDAP replication conflicts, but no apparent data damage

2017-01-04 Thread Martin Basti
Then you have to update the cn=ipaservers entry with correct values and remove the others On 04.01.2017 14:27, dan.finkelst...@high5games.com wrote: Yes, along with two name-conflicted "duplicates": *Daniel Alex Finkelstein*| Lead D

Re: [Freeipa-users] LDAP replication conflicts, but no apparent data damage

2017-01-04 Thread Dan.Finkelstein
Yes, along with two name-conflicted "duplicates": Daniel Alex Finkelstein| Lead Dev Ops Engineer dan.finkelst...@h5g.com | 212.604.3447 One World Trade Center, New

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Christophe TREFOIS
Hi Florence, I did what you said, and then the status went to CA_WORKING. Then I restarted ipa and certmonger and the status went to CA_UNREACHABLE. Then I did “resubmit” again and now the status is back to MONITORING, but the cookie error is back. Any advice? [root@lums3 ~]# getcert list -n ipa

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Christophe TREFOIS
Hi Flo, The id needed to execute that command would come from where exactly? Is it the one from getcert list -n ipaCert? Thanks Christophe Sent from my iPhone > On 4 Jan 2017, at 13:49, Florence Blanc-Renaud wrote: > >> On 01/04/2017 12:41 PM, Christophe TREFOIS wrote: >> Hi Fraser, >> >>

Re: [Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3

2017-01-04 Thread Martin Basti
On 30.12.2016 11:54, Martin Basti wrote: Hello, The first half of the first issue is this bug: https://fedorahosted.org/freeipa/ticket/6226 you have to enable SSL on server manually after installation The second half of the first issue shouldn't be related to ticket above, but I don't k

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Florence Blanc-Renaud
On 01/04/2017 12:41 PM, Christophe TREFOIS wrote: Hi Fraser, We encountered the same issue. We exported the certificate from a "good" replica, using certutil. We then used certutil -A -n ipaCert -d /etc/httpd/alias/ -i /opt/sysadmin/cacert.crt -a -t CT,C on the bad server and then restarted ipa,

Re: [Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones

2017-01-04 Thread Tomas Krizek
On 01/04/2017 10:28 AM, James Harrison wrote: > Hi All, > I realise Free IPA doesn't yet support secondary zones in the web > interface or command line tools (I might be wrong :) ) When I talk > about secondary zones I mean a zone replicated from Windows DNS masters. > > Can the Free IPA bind confi

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi, port 8009 is not listening on the master server and I added ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 in the hosts file. Still getting the same error [28/44]: restarting directory server ipa : CRITICAL Failed to restart the directory server (Command '/bin/sy

Re: [Freeipa-users] Debian: libpam-sss pam-configs update?

2017-01-04 Thread Sumit Bose
On Wed, Jan 04, 2017 at 10:39:37AM +0100, Jochen Hein wrote: > > Hi, > > I'm still working on my Debian systems to get local login to work with > OTP. > > In /etc/pam.d/common-auth we have: > auth[success=2 default=ignore] pam_unix.so nullok_secure > auth[success=1 default=ignore]

Re: [Freeipa-users] Replica issue / Certificate Authority

2017-01-04 Thread Christophe TREFOIS
Hi Fraser, We encountered the same issue. We exported the certificate from a "good" replica, using certutil. We then used certutil -A -n ipaCert -d /etc/httpd/alias/ -i /opt/sysadmin/cacert.crt -a -t CT,C on the bad server and then restarted ipa, and certmonger. Now, the certificate is correct bo

[Freeipa-users] replication failing

2017-01-04 Thread tarak sinha
Hi All, I have a replication issue on my FreeIPA server and am getting the error below. Please give me any advice to fix this issue. NSMMReplicationPlugin - process_postop: Failed to apply update (53103a520001006b) error (-1). Aborting replication session(conn=1315 op=6) [04/Jan/2017:03:03:09 -0800]

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Petr Vobornik
On 01/04/2017 10:59 AM, Ben .T.George wrote: > HI > > i tried the method mentioned on that document and it end up with below error. > My > DNS is managed by external box and i dont want to create any DNS record on > these > servers. > > and the command which i tried is(non client server) > >

Re: [Freeipa-users] Unspecified GSS failure. Minor code may provide more information KDC has no support for encryption type

2017-01-04 Thread Sumit Bose
On Mon, Jan 02, 2017 at 11:03:36PM +0530, tarak sinha wrote: > Hi Team, > > I am getting below error while trying to ssh my host without password. > > Unspecified GSS failure. Minor code may provide more information KDC has no > support for encryption type Where do you see this error, on the cli

[Freeipa-users] Debian: libpam-sss pam-configs update?

2017-01-04 Thread Jochen Hein
Hi, I'm still working on my Debian systems to get local login to work with OTP. In /etc/pam.d/common-auth we have: auth[success=2 default=ignore] pam_unix.so nullok_secure auth[success=1 default=ignore] pam_sss.so use_first_pass On CentOS we have something more complicated in

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Ben .T.George
Hi, I tried the method mentioned in that document and it ended up with the error below. My DNS is managed by an external box and I don't want to create any DNS record on these servers. And the command which I tried is (non-client server) ipa-replica-install --principal admin --admin-password P@ssw0rd --doma

Re: [Freeipa-users] Kerberos authentication failed: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-01-04 Thread Lukas Slebodnik
On (03/01/17 20:35), Alan Latteri wrote: >Well on new installs of Cent 7.2, when I do `yum install ipa-client`, that is >the version provided. >Unfortunately, most of our systems have to be on Cent 7.2, not 7.3, and it is >out of our control. > You will install el7.3 on CentOS 7.2 by default. If

Re: [Freeipa-users] how to make email as mandatory field before user creation

2017-01-04 Thread Standa Laznicka
On 01/03/2017 06:45 PM, Petr Vobornik wrote: On 01/02/2017 08:46 PM, nirajkumar.si...@accenture.com wrote: Hi Petr, Can you please suggest how to do it with plugins, which plugin I need to use and how to integrate that plugin with FreeIPA. Thanks Niraj Disclaimer: the example below is not

[Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones

2017-01-04 Thread James Harrison
Hi All, I realise FreeIPA doesn't yet support secondary zones in the web interface or command line tools (I might be wrong :) ). When I talk about secondary zones I mean a zone replicated from Windows DNS masters. Can the FreeIPA bind configs be manually altered to host secondary zones? Is it su

Re: [Freeipa-users] updating certificates

2017-01-04 Thread Florence Blanc-Renaud
On 12/24/2016 01:58 AM, Josh wrote: Hi Rob, I'd like to really clarify renew certificate process. I can successfully update certificates in /etc/dirsrv/slapd-domain and /etc/httpd/alias but any new ipa client gets expired certificate still present someplace in LDAP. I was trying to use ipa-serve

Re: [Freeipa-users] Asking for help with crashed freeIPA instance

2017-01-04 Thread Florence Blanc-Renaud
On 01/02/2017 07:24 PM, Daniel Schimpfoessl wrote: Thanks for your reply. This was the initial error I asked for help a while ago and did not get resolved. Further digging showed the recent errors. The service was running (using ipactl start --force) and only after a restart I am getting a stack

Re: [Freeipa-users] ipa replica installation help

2017-01-04 Thread Martin Babinsky
On 01/04/2017 07:21 AM, Ben .T.George wrote: HI while trying to create ipa replica, i am getting below error, Replica creation using 'ipa-replica-prepare' to generate replica file is supported only in 0-level IPA domain. The current IPA domain level is 1 and thus the replica must be created by