[Freeipa-users] DirSrv hanging

2017-01-06 Thread Adam Bishop
I have a standalone FreeIPA instance that is becoming unresponsive every few hours. While in this state it will accept connections, but will not do anything with them (i.e. if you connect an ldaps client to 636, you see SYN->SYNACK->ACK->ClientHello, but a ServerHello is not returned). This syst

[Freeipa-users] Getting error "Permission denied (publickey, gssapi-with-mic, password)" when running below ssh command

2017-01-06 Thread Chen Lufan
Dear Team, I am new to freeIPA and GSS authentication, so maybe someone can shed light on where the issue is when I run the ssh command below? Your help will be greatly appreciated! host2$ ssh -F /home/user/config u...@host1.example.com I got the error below in audit.log on host1 : type=CRYPTO_SE

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I have to confess I'm in over my head already. Another shot in the foot isn't going to help. Is there good documentation for solving the problem on the version I'm using? Jeff On Fri, Jan 6, 2017 at 5:44 PM, Rob Crittenden wrote: > Jeff Goddard wrote: > > Rob, > > > > I'm getting this error: ce

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Rob, > > I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d > /var/lib/pki-ca/alias -t u,u,Pu > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The > certificate/key database is in an old, unsupported format. The database is in /var/lib/pki/pki-to

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Rob, > > I'm missing something in either the syntax of execution. I'm getting > this error: > > ldap_modify: Invalid DN syntax (34) > additional info: invalid dn > > Just as a reminder the version of ipa I'm on is 4.4. I'd need to see the ldif you're trying to appl

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob, I'm getting this error: certutil -M -n "auditSigningCert cert-pki-ca" -d /var/lib/pki-ca/alias -t u,u,Pu certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. Jeff On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote: > Jeff

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Rob, I'm missing something in either the syntax of execution. I'm getting this error: ldap_modify: Invalid DN syntax (34) additional info: invalid dn Just as a reminder the version of ipa I'm on is 4.4. Jeff On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden wrote: > Jeff Goddard wrote:

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > I've followed the instructions related to my error here: > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still > haven't found a solution. Look at these instructions http://www.freeipa.org/page/IPA_2x_Certificate_Renewal Look only at the ipaCert part, particul

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
First we have to query the NSS database to get the current ipaCert certificate for the ipara user and store it into a file: # cd /tmp # certutil -a -d /etc/httpd/alias/ -n ipaCert -L | sed '/^-.*/d' | tr -d '\r\n' > ipaCert.cert Then we need to replace the userCertificate attribute with the conte

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've followed the instructions related to my error here: http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't found a solution. Jeff On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard wrote: > Alan, > > Thank you so VERY much. That resolved the issue for the CA signing > certifi

Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Worked. Thank You! - Original Message - From: "Rob Crittenden" To: "Jake" , "freeipa-users" Sent: Friday, January 6, 2017 3:24:35 PM Subject: Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication Jake wrote: > Hey All, > > I need to reinstall the re

Re: [Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
I have changed the number of db locks to 4. After restart, each server reports a lot of these types of errors: DSRetroclPlugin - delete_changerecord: could not delete change record 6038434 As well as immediately coming up with these errors (even after re-initializing) 06/Jan/2017:12:10:12 -0800

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Alan, Thank you so VERY much. That resolved the issue for the CA signing certificate. However I'm still seeing ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential. On multiple requests which have expiration d

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Alan Heverley
Looks like you need to get the PIN associated to the cert. # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf Then replace with the PIN in the command above. # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P -c dogtag-ipa-ca-renew-agent On Fr

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I think my problem is deeper than that. I was following this guide: http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers and executed the commands related to having an external CA - which we do not have. I now get this message for the CA: Request ID '20170101

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > I've done this. > [root@id-management-1 ipa]# date > Sun Jan 1 01:12:27 EST 2017 > > getcert list gives me this as the first entry: > > Request ID '20150116162120': > status: CA_UNREACHABLE > ca-error: Server at > https://id-management-1.internal.emerlyn.com

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
I've done this. [root@id-management-1 ipa]# date Sun Jan 1 01:12:27 EST 2017 getcert list gives me this as the first entry: Request ID '20150116162120': status: CA_UNREACHABLE ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 400

Re: [Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Rob Crittenden
Jake wrote: > Hey All, > > I need to reinstall the replica ipa03.ipa.example.com after > ipa-server-install --uninstall, however. > > > ipa-replica-install replica-info-ipa03.example.com.gpg > Directory Manager (existing master) password: > > The host ipa03.example.com already exists on the mas

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > Flo, > > I'm not able to access the link you posted. I did find this thread > though > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html > > and have set the time back and resubmitted

[Freeipa-users] Unable to add new replicas - Total update aborted - Replica has a different generation ID than the local data.

2017-01-06 Thread Steve Viola
Hello, I'm running FreeIPA 3 on CentOS 6.8, and have a bit of a bind on my hand. Replication appeared to break with all replicas, and trying to initialize new replicas will not proceed. I've taken my cluster apart to the point where I have one server with no replicas, and attempting to add replica

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Flo, I'm not able to access the link you posted. I did find this thread though https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html and have set the time back and resubmitted a request. Still no success. Any further hints? On Fri, Jan 6, 2017 at 11:52 AM, Florence Blanc-Renaud

[Freeipa-users] unable to add or remove replica after prepare and failed replication

2017-01-06 Thread Jake
Hey All, I need to reinstall the replica ipa03.ipa.example.com after ipa-server-install --uninstall, however. ipa-replica-install replica-info-ipa03.example.com.gpg Directory Manager (existing master) password: The host ipa03.example.com already exists on the master server. You should rem

Re: [Freeipa-users] Should IPA Replica DNS SOA Serials match?

2017-01-06 Thread Baird, Josh
Yes, this is expected. From the IPA documentation [1]: "The IdM-integrated DNS is multi-master. SOA serial numbers in IdM zones are not synchronized between IdM servers. For this reason, configure DNS slave servers to only use one IdM master server. This prevents zone transfer failures caused

[Freeipa-users] Should IPA Replica DNS SOA Serials match?

2017-01-06 Thread Jake
Hey All, I currently have 4 ipa 4.2 masters and none of the SOA Serials match, is this expected behavior of bind-ldap? ipa01 - 1483710336 ipa02 - 1483709696 ipa03 - 1483730432 ipa04 - 1483714048 Thanks! -Jake

Re: [Freeipa-users] IPA to IPA migration

2017-01-06 Thread Mateusz Małek
Hi, On 06.01.2017 16:42, Ian Harding wrote: On 01/05/2017 07:17 AM, Rob Crittenden wrote: Timothy Geier wrote: This is something I’ve looked at lately and a manual proof of concept I just did makes it seem theoretically possible (...) Why migrate at all? Maybe I'm just not smart enough, but

Re: [Freeipa-users] FreeIPA + /etc/named.conf

2017-01-06 Thread TomK
On 1/5/2017 2:17 PM, Martin Basti wrote: On 05.01.2017 20:03, TomK wrote: Hey All, QQ. Should the DNS forwarders be updated in /etc/named.conf? Until I manually change /etc/named.conf, can't ping the windows AD cluster: mds.xyz. Nor can I get dig to resolve the SRV records (dig SRV _ldap._

Re: [Freeipa-users] FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-06 Thread James Harrison
Any ideas? From: James Harrison To: "freeipa-users@redhat.com" Sent: Thursday, 5 January 2017, 13:36 Subject: FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1 Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. I can authenticate OK, I get

[Freeipa-users] disable inactive accounts and delete old accounts

2017-01-06 Thread Giger, Justean
I am trying to use the krblastsuccessfulauth attribute to detect accounts that have been inactive for >90 days as per this post: https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html I need to be able to disable these accounts at 90 days then delete them after 180 days. However,

Re: [Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread Martin Basti
On 06.01.2017 00:29, sipazzo wrote: I have 6 ipa servers in 3 locations running 4.2.0-15.0.1 on RHEL 7. Ipa1-dev is the CA Renewal and CRL Master server and where most of our updates (host enrollment, password changes) end up taking place. Servers had been running fine. Over the holidays we star

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
On 01/06/2017 05:36 PM, Jeff Goddard wrote: Thanks Flo, I was able to add the host to the keytab once I found the correct command and then was able to issue [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew Renewing CA certificate, please wait CA certificate successfully renewed The ip

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham
Sorry for the delay, was doing some troubleshooting. Here is what I know now: The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu 14.04). SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work. Users in the admin group can't log into these hosts. I created

Re: [Freeipa-users] FreeIPA DNS (named)

2017-01-06 Thread Martin Basti
On 06.01.2017 15:38, Günther J. Niederwimmer wrote: Hello List, I have configured my domain (DNSSEC) with Freeipa Now I have to configure an internal ZONE with the same Domain NAME but with internal IPs. Is it possible to add a "view "internal"" "view "external"" to the named.conf or is thi

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Thanks Flo, I was able to add the host to the keytab once I found the correct command and then was able to issue [root@id-management-1 pki-tomcat]# ipa-cacert-manage renew Renewing CA certificate, please wait CA certificate successfully renewed The ipa-cacert-manage command was successful But th

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Florence Blanc-Renaud
On 01/06/2017 04:47 PM, Jeff Goddard wrote: Sorry for the typo. Here is the correct output: ldapsearch -h id-management-1.internal.emerlyn.com SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
Sorry for the typo. Here is the correct output: ldapsearch -h id-management-1.internal.emerlyn.com SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: When I look at the certificates I g

Re: [Freeipa-users] IPA to IPA migration

2017-01-06 Thread Ian Harding
On 01/05/2017 07:17 AM, Rob Crittenden wrote: > Timothy Geier wrote: >> This is something I’ve looked at lately and a manual proof of concept I >> just did (using ideas from >> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA) >> makes it seem theoretically pos

Re: [Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Rob Crittenden
Jeff Goddard wrote: > My environment is freeipa 4.4; centos 7.3. This system was upgraded as > of yesterday afternoon. I'm unable to start pki-tomcat. The debug log > shows this entry: > > Internal Database Error encountered: Could not connect to LDAP server > host id-management-1.internal.emerlyn.

[Freeipa-users] FreeIPA DNS (named)

2017-01-06 Thread Günther J. Niederwimmer
Hello List, I have configured my domain (DNSSEC) with Freeipa Now I have to configure an internal ZONE with the same Domain NAME but with internal IPs. Is it possible to add a "view "internal"" "view "external"" to the named.conf or is this overwritten by the FreeIPA DNS Module ?? Is a oth

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote: > Hi, > > I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my > Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate > against the upgraded servers. It appears the problem is the versio

[Freeipa-users] Replication has stopped and server errors

2017-01-06 Thread sipazzo
I have 6 ipa servers in 3 locations running 4.2.0-15.0.1 on RHEL 7. Ipa1-dev is the CA Renewal and CRL Master server and where most of our updates (host enrollment, password changes) end up taking place. Servers had been running fine. Over the holidays we started having some replication issues and loo

[Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Andy Brittingham
Hi, I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate against the upgraded servers. It appears the problem is the version of sssd that is installed in the earlier Ubuntu versions. Is this a k

[Freeipa-users] pki-tomcatd fails to start

2017-01-06 Thread Jeff Goddard
My environment is freeipa 4.4; centos 7.3. This system was upgraded as of yesterday afternoon. I'm unable to start pki-tomcat. The debug log shows this entry: Internal Database Error encountered: Could not connect to LDAP server host id-management-1.internal.emerlyn.com port 636 Error netscape.ldap

Re: [Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread rajat gupta
sssd.conf from the ilt-gif-ipa02 [root@ilt-gif-ipa02 ~]# cat /etc/sssd/sssd.conf [domain/ipa.preprod.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.preprod.local id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ilt-gif-ipa02.ipa.pr

Re: [Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread Sumit Bose
On Fri, Jan 06, 2017 at 11:31:31AM +0100, rajat gupta wrote: > Hi, > > only a few users are able to log in. ipa ad-trust setup. more details are needed here. Can you at least share sssd.conf from the ilt-gif-ipa02? > > == > Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse

[Freeipa-users] Failed to connect, going offline (5 [Input/output error])

2017-01-06 Thread rajat gupta
Hi, only a few users are able to log in. ipa ad-trust setup. == Jan 6 10:48:36 ilt-gif-ipa02 sshd[22490]: reverse mapping checking getaddrinfo for ilp-noatun.man.cosng.net [146.213.128.135] failed - POSSIBLE BREAK-IN ATTEMPT! Jan 6 10:48:48 ilt-gif-ipa02 sshd[22490]: Invalid