Oops, the slapd messages are arriving every 60s, not 5m.
On 05/18/2017 08:56 AM, Bret Wortman wrote:
httpd_error seems to give the most information. When I try to use ipa
cert-show:
ipa: INFO: [jsonserver_kerb] ad...@damascusgrp.com: ping(): SUCCESS
(111)Connection refused: AH00957: AJP
/slapd-DAMASCUSGRP-COM/errors or access when I
issue the request, but periodic messages do appear about every 5 minutes
or so.
On 05/18/2017 08:43 AM, Bret Wortman wrote:
On 04/26/2017 06:02 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So I can see my certs using cert-find, but can't get
On 04/26/2017 06:02 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So I can see my certs using cert-find, but can't get details using
cert-show or add new ones using cert-request.
# ipa cert-find
:
--
Number of entries returned 385
these individual components at this level very well. When something
goes wrong, it's not trivial to solve. Well, for me it isn't, anyway. ;-)
Bret
On 05/02/2017 10:50 AM, Bret Wortman wrote:
I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps
out as looking like an error.
The cert
try to copy one of the *dse.ldif* to dse.ldif and try to
restart, but that file may be up to date.
Ludwig
On 05/09/2017 12:00 PM, Bret Wortman wrote:
We had an unplanned power outage which may have affected one of our
freeipa servers. When trying to start, it now errors out.
# ipactl start
I can see.
Where else can I look? I've got two servers up, but I'd like to have all
3 operational.
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.c
Wortman wrote:
I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps
out as looking like an error.
The cert-show failure is troubling, but my inability to get CSRs
turned into certs is what's actually driving this.
Bret
On 04/26/2017 06:02 PM, Rob Crittenden wrote:
Bret Wortman
I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps out
as looking like an error.
The cert-show failure is troubling, but my inability to get CSRs turned
into certs is what's actually driving this.
Bret
On 04/26/2017 06:02 PM, Rob Crittenden wrote:
Bret Wortman wrote
Flo,
I did find that issue and made those corrections to our /etc/hosts file,
but the problem persists.
Thanks for the idea!
Bret
On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote:
On 04/26/2017 04:33 PM, Bret Wortman wrote:
So I can see my certs using cert-find, but can't get
On 04/26/2017 10:22 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Digging still deeper:
# ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (503)
Looks like this is an HTTP
to
communicate with CMS (503)
#
Is this an IPV6 thing? Because ipactl shows everything green and
certmonger is running.
Bret
On 04/26/2017 09:03 AM, Bret Wortman wrote:
Digging still deeper:
# ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
ipa: ERROR
available?
On 04/26/2017 08:41 AM, Bret Wortman wrote:
Using the firefox debugger, I get these errors when trying to pop up
the New Certificate dialog:
Empty string passed to getElementById(). (5)
jquery.js:4:1060
TypeError: u is undefined app.js:1:362059
Empty
)
jquery.js:4:1060
TypeError: t is undefined app.js:1:217432
I'm definitely not a web kind of guy so I'm not sure if this is helpful
or not. This is on 4.4.0, API Version 2.213.
Bret
On 04/26/2017 08:35 AM, Bret Wortman wrote:
Good news. One of my servers _does_ have CA installed. So why does
Good news. One of my servers _does_ have CA installed. So why does
"Action -> New Certificate" not do anything on this or any other server?
Bret
On 04/25/2017 02:52 PM, Bret Wortman wrote:
I recently had to upgrade all my Fedora IPA servers to C7. It went
well, and
17 18:48:21
krbtgt/damascusgrp@damascusgrp.com
#
What's my best path of recovery?
--
*Bret Wortman*
The Damascus Group
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
I don't know that what we did is the most correct or even best way to
manage an upgrade, but here's what I did.
We started with two nodes, ipa1 and ipa2. Both running Fedora.
I built a new system, ipa3, and installed IPA on it, then made it a replica.
I then removed the replication agreements
I saw as I was working through it, and it's in fact what I did.
Migrating the last server to CentOS right now.
Thanks for the help!
On 03/29/2017 09:53 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Never mind. Lost my mind.
ipa-replica-install followed by ipa-ca-install appears
Never mind. Lost my mind.
ipa-replica-install followed by ipa-ca-install appears to be the ticket.
Bret
On 03/29/2017 06:22 AM, Bret Wortman wrote:
I've tried googling but keep coming up with beer recipes.
How do you suggest adding the replica CA? I'm piecing together the
options I want
I've tried googling but keep coming up with beer recipes.
How do you suggest adding the replica CA? I'm piecing together the
options I want on my ipa-server-install command and am trying to
understand the CA-related options.
Thanks!
Bret
On 03/28/2017 08:45 AM, Bret Wortman wrote:
I'm
I'm not
if replication across versions is supported between these and IPA 4.4.0
(pki-ca 10.3.3).
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
, what's the
best way to move the CA function from the node it's on now to one of the
freshly-upgraded hosts?
Thanks!
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
nt to do something that'll get clobbered
at the next IPA upgrade.
Bret
On 01/19/2017 10:30 AM, Kimi Rachel wrote:
Mail
heyy Bret, how are you? lets talk details ..
On Thu, Jan 19, 2017 at 9:30 PM, Bret Wortman
<bret.wort...@damascusgrp.com>
ith longer lifetimes? We really
don't want to go around every 2 years and reissue certs...
--
*Bret Wortman*
Damascus Products
ph/fax: 1-855-644-2783
Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
Perfect. That did the trick. Many thanks, Flo.
Bret
On 09/28/2016 09:47 AM, Florence Blanc-Renaud wrote:
On 09/27/2016 08:00 PM, Bret Wortman wrote:
That looks like it worked, but I have a follow-on question:
I need to provide my RabbitMQ instance with a cacert file, a cert, and a
key file
do I get at the key that was used in the creation of this cert?
I can get the cacert, and I've got the newly-issued cert, but what about
the key?
Thanks!
Bret
On 09/27/2016 02:00 PM, Bret Wortman wrote:
That looks like it worked, but I have a follow-on question:
I need to provide my RabbitMQ ins
nux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request
On 09/27/2016 04:20 PM, Bret Wortman wrote:
Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
Is there a guide anywhere for how to obtain an SSL certificate for a new
server & service from the IPA CA master? Most of the guides I'm seeing
online use web pages at the major CAs to do this and I'd like to keep it
in the family.
Thanks!
--
*Bret Wortman*
<http://wrapbuddies.co
On 06/03/2016 01:04 PM, Rob Crittenden wrote:
Bret Wortman wrote:
On 06/03/2016 11:02 AM, Rob Crittenden wrote:
Bret Wortman wrote:
I'm not sure I'd call what we have "success" just yet. ;-)
You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
see how we go.
I'll check and report back Tuesday.
Bret Wortman
http://wrapbuddies.co/
On Jun 3, 2016, 1:04 PM -0400, Rob Crittenden<rcrit...@redhat.com>, wrote:
> Bret Wortman wrote:
> >
> >
> > On 06/03/2016 11:02 AM, Rob Crittenden wrote:
> > > Bret Wortman wrote:
On 06/03/2016 11:02 AM, Rob Crittenden wrote:
Bret Wortman wrote:
I'm not sure I'd call what we have "success" just yet. ;-)
You're right -- F21, IPA 4.1.4-1. I'll try the steps you outlined and
see how we go.
Rob, would you have just used the existing "localhost.key" i
rust
Like I said, I'm pretty sure this is all automatic in some more recent
versions of IPA.
rob
---
Bret
On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
Cool. I'll give this a go in the morning.
Bret Wortman
http://wrapbuddies.co/
On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale
rt as trusted? I thought having it be signed by the IPA CA would have
taken care of that.
# ls -l /etc/ipa/ca.crt
-rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
#
---
Bret
On 06/02/2016 07:25 PM, bret.wort...@damascusgrp.com wrote:
Cool. I'll give this a go in the morning.
B
Cool. I'll give this a go in the morning.
Bret Wortman
http://wrapbuddies.co/
On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale<ftwee...@redhat.com>, wrote:
> On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote:
> > Sorry, let me back up a step. We need to
Scratch that. Decided to be daring and run "getcert resubmit -i" for
each cert (after verifying the first one worked), then shut ipa down,
advanced the date, re-enabled ntpd and started it back up. Looks clean.
On 04/29/2016 01:22 PM, Bret Wortman wrote:
Of course, I just
Of course, I just remembered that the server still thinks it's April 4,
and I still have some certs that are expiring as of 4-17-16. Before I
screw anything else up, what's the RIGHT way to renew those certs and
move the server back to real time?
On 04/29/2016 01:07 PM, Bret Wortman wrote
Hot damn! It's up and running. Web UI works. CLI works.
The chgrp did the trick.
Thank you Rob, Petr and Christian!
Bret
On 04/29/2016 01:04 PM, Rob Crittenden wrote:
Bret Wortman wrote:
We run with selinux disabled.
# getenforce
Disabled
# restorecon -R -v /etc/httpd/alias
# ipactl
, Bret Wortman wrote:
I'll put the results inline here, since they're short.
[root@zsipa log]# ls -laZ /etc/httpd/
drwxr-xr-x. root root system_u:object_r:httpd_config_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
drwxr-xr-x. root root system_u:object_r:cert_t:s0 alias
drwxr-xr
-04-29 16:51, Bret Wortman wrote:
It is contacting the correct machine. I tried again by IP with the same
results.
/etc/httpd/conf.d/ipa-pki-proxy.conf is dated May 20 2014.
Web UI won't load. CLI won't respond either. Commands just hang.
# netstat -ln | grep 443
tcp6 0
:(("java",pid=26522,fd=84))
LISTEN 13 128:::443:::*
users:(("httpd",pid=26323,fd=6))
#
On 04/29/2016 10:08 AM, Petr Vobornik wrote:
On 04/29/2016 02:53 PM, Bret Wortman wrote:
Despite "ipactl status" indicating that all proce
Despite "ipactl status" indicating that all processes were running after
step 1, step 2 produces "Unable to establish SSL connection."
Full terminal session is at http://pastebin.com/ZuNBHPy0
On 04/29/2016 07:29 AM, Petr Vobornik wrote:
On 04/29/2016 12:03 PM, Bret Wort
. I really
appreciate it.
Bret
On 04/29/2016 04:59 AM, Petr Vobornik wrote:
comments inline
On 04/28/2016 06:30 PM, Bret Wortman wrote:
Look, I'll be honest. When IPA is in this much of a knot, I don't know how to do
the simplest things with its various components. For example, I've no clue
don't find that in the ldapsearch results.
Assuming that was the ldapsearch command I needed to run
On 04/28/2016 12:04 PM, Petr Vobornik wrote:
On 04/28/2016 05:49 PM, Bret Wortman wrote:
My system shows pki-server is installed and V10.2.1-3.fc21, but I don't
have the pki-server bin
57]: INFO: Stopping service
Catalina
# systemctl | grep dirsrv@
dirsrv@PRIVATE-NET.service
loaded active running 389 Directory Server
PRIVATE-NET.
On 04/28/2016 12:04 PM, Petr Vobornik wrote:
On 04/28/2016 05:49 PM, Bret Wortman wrote:
My system shows pki
Okay. I got hung up on the first link doing some checking using
pki-server. I don't see any reference to ldapsearch in either message,
but I'll do what I can.
On 04/28/2016 12:04 PM, Petr Vobornik wrote:
On 04/28/2016 05:49 PM, Bret Wortman wrote:
My system shows pki-server is installed
:
On 04/28/2016 04:07 PM, Bret Wortman wrote:
Okay. This morning, I turned back time to 4/1 and started up IPA. It didn't
work, but I got something new and interesting in the debug log, which I've
posted to http://pastebin.com/M9VGCS8A. Lots of garbled junk came pouring out
which doesn't happen when I'm
. Is
/this/ significant?
On 04/27/2016 02:24 PM, Bret Wortman wrote:
I put excerpts from the ca logs in http://pastebin.com/gYgskU79. It
looks logical to me, but I can't spot anything that looks like a root
cause error. The selftests are all okay, I think. The debug log might
have something, but it might also
it's not.
On 04/27/2016 01:11 PM, Rob Crittenden wrote:
Bret Wortman wrote:
So in lieu of fixing these certs, is there an acceptable way to dump
them all and start over /without losing the contents of the IPA
database/? Or otherwise really screwing ourselves?
I don't believe there is a way
Was this at all informative?
On 04/26/2016 02:06 PM, Bret Wortman wrote:
On 04/26/2016 01:45 PM, Rob Crittenden wrote:
Bret Wortman wrote:
I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.
I mistyped one of these -- the 2016-03-11
On 04/26/2016 01:45 PM, Rob Crittenden wrote:
Bret Wortman wrote:
I think I've found a deeper problem, in that I can't update these
because IPA simply won't start at all now.
I mistyped one of these -- the 2016-03-11 is actually 2018-03-11, and
2016-04-01 is actually 2036-04-01
I should also note that /var/log/dirsrv/slapd-PRIVATE-NET/errors ends
with a series of "csngen_new_csn - Warning: too much time skew (-2153860
secs). Current seqnum=1" errors.
On 04/26/2016 12:57 PM, Bret Wortman wrote:
I think I've found a deeper problem, in that I ca
property setting attempts that don't find matching properties. Then some
cipher errors, then it looks like named starts up okay, and everything
pauses for about 5 minutes before it all comes crashing back down.
Bret
On 04/26/2016 12:40 PM, Petr Vobornik wrote:
On 04/26/2016 06:00 PM, Bret Wor
/2016 03:26 PM, Bret Wortman wrote:
On our non-CA IPA server, this is happening, in case it's related and
illustrative:
# ipa host-del zw113.private.net
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
certificate/key database is in an old, unsupported format.
#
I would start
query: any;
Allow transfer: none;
Zone forwarders: 8.8.8.8
[root@ipa1 data]#
On 09/05/2014 01:56 PM, Petr Spacek wrote:
Hello,
On 5.9.2014 18:14, Bret Wortman wrote:
I've got an odd situation with one of our networks. Our systems are
properly
registered in DNS within IPA, and the web
zones defined)
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
is
toggled to no. Before I make any wholesale change recommendations, I
wanted to check on this.
Thanks!
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
The CD is in the hands of the security folks now. I'll let you know when
I have it and can transfer the logs over to you.
It's only 2GB worth of data, but I hope it's informative.
Bret
On 05/28/2014 03:52 AM, Jakub Hrozek wrote:
On Tue, May 27, 2014 at 07:34:58PM -0400, Bret Wortman wrote
I'll get with my network guys and start troubleshooting.
Thanks!
On 05/27/2014 09:20 AM, Dmitri Pal wrote:
On 05/27/2014 08:41 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Crud. That was supposed to have a second comparison log too:
I found something in the slapd-FOO-NET/access log. I
I just checked to be sure, and we do already put all the IPA servers in
our client host tables just to be sure they can be reached even if DNS
goes down.
On 05/27/2014 09:20 AM, Dmitri Pal wrote:
On 05/27/2014 08:41 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Crud. That was supposed
No problem. We forced a reinstallation of openldap, which helped. Pam login is
still slow but sudo isn't. We'll keep chipping away at it.
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
On May 27, 2014, at 7:15 PM, Dmitri Pal d...@redhat.com wrote:
On 05/27/2014 09:44
/2014:09:22:56 -0400] conn=12896 op=4 RESULT err=0 tag=101
nentries=0 etime=0
[26/May/2014:09:22:56 -0400] conn=12896 op=5 UNBIND
[26/May/2014:09:22:56 -0400] conn=12896 op=5 fd=100 closed - U1
Bret
On 05/26/2014 09:51 AM, Bret Wortman wrote:
Okay, I found something in the slapd-FOO-NET/access
Yes, though it might be a bit more data than you're expecting.
Here's what we did to get the details out of a server (and import them
into another). I'm sure there's a more elegant solution, but this worked
for us. Also note that we didn't use all the data this export script
generated, but
Is the Python API documented anywhere? I've looked around without success.
On 05/23/2014 07:54 AM, Martin Kosek wrote:
On 05/23/2014 06:42 AM, Sanju A wrote:
Dear All,
Is there any command to export the user and host list to a csv or text format
There is no such command out of the shelf, I
did this locally on the ipa master:
# ssh zsipa.foo.net
# time ldapsearch -Y GSSAPI
base=uid=bretw,cn=uses,cn=accounts,dc=foo,dc=net
:
real 0m0.847s
user 0m0.007s
sys 0m0.006s
#
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
on a VMware VM, but we've had success deploying
IPA on VMs in the past, and our faster network is running VMs as well
(with one physical box).
Bret
On 05/23/2014 08:15 AM, Bret Wortman wrote:
Collecting my various threads together under one big issue and adding
this new data point:
Our web
-0400, Bret Wortman wrote:
More soft/anecdotal:
When executing sudo -i or sudo -iu the first time, we can expect
a several second delay before the command completes. If we then exit
the session and re-execute the command, it will complete almost
instantly. So whatever cache is holding
/23/2014 10:03 AM, Bret Wortman wrote:
On 05/23/2014 09:53 AM, Mauricio Tavares wrote:
On Fri, May 23, 2014 at 9:48 AM, Bret Wortman
bret.wort...@damascusgrp.com wrote:
More soft/anecdotal:
When executing sudo -i or sudo -iu the first time, we can expect a
several second delay
, clients have certs in these directories.
Is this important, and if so what could be going wrong on my slower
network that might cause the certs to not get distributed or created
properly?
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
connection might be a second faster, but will revert within an
hour or so.
On 05/22/2014 09:36 AM, Rob Crittenden wrote:
Bret Wortman wrote:
Where should my clients be getting the contents of /etc/openldap/certs from?
I've got one network where my IPA authentications are blazing fast and
one
the answer's
in the file. ;-)
On 05/22/2014 10:15 AM, Dmitri Pal wrote:
On 05/22/2014 09:43 AM, Bret Wortman wrote:
What we're seeing is slow GDM logins, ssh authentications, and sudo
-i responses on this network. On our other, these things are all
blazing fast. Here, they're on the order of 5-10
couldn't observe it enough and
someone must've changed something while I wasn't looking).
Bret
On 05/21/2014 10:19 PM, Rob Crittenden wrote:
Bret Wortman wrote:
It takes about 2 minutes. How would you like me to turn debugging on?
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
I'm
It doesn't seem to have helped -- we're still pretty slow even with IP
addresses in sssd.conf.
On 05/22/2014 11:07 AM, Dmitri Pal wrote:
On 05/22/2014 10:36 AM, Bret Wortman wrote:
I found that our slower system was using FQDNs for the list of IPA
servers; our faster system was using IPs. I'm
.
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
A. Then it's probably not the source of my performance problem. I
know when I shut down SSSD, that user's ssh times speed up incredibly.
Bret
On 05/22/2014 01:06 PM, Simo Sorce wrote:
On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
If this line is in /etc/nsswitch.conf:
passwd
. This will help out the local accounts,
at least. Now to keep working on those that aren't local.
Thanks for that tip, Simo!
On 05/22/2014 01:15 PM, Simo Sorce wrote:
On Thu, 2014-05-22 at 13:12 -0400, Bret Wortman wrote:
A. Then it's probably not the source of my performance problem. I
/replication.py,
line 961, in setup_replication
raise RuntimeError(Failed to start replication)
2014-0521T14:31:08Z DEBUG The ipa-replica-install command failed,
exception: RuntimeError: Failed to start replication
Any guidance on where to start looking?
--
*Bret Wortman*
http
Crittenden wrote:
Bret Wortman wrote:
This occurs on our first attempt to join as a replica. I've erased this
box and rebaselined it but the same thing happens. No network ports
being blocked that we know of, and another replica I created at the same
time installed its replica file without issue
:53 -0400] conn=2 op=3 MOD dn=cn=IPA Version
Replication,cn=Plugins,cn=config
[21/May/2014:10:28:53 -0400] conn=2 op=3 RESULT err=0 tag=103 nentries=0
etime=0
[21/May/2014:10:28:53 -0400] conn=2 op=4 UNBIND
On 05/21/2014 11:40 AM, Bret Wortman wrote:
On the new replica (asipa) I see in the access
It takes about 2 minutes. How would you like me to turn debugging on?
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
On May 21, 2014, at 4:26 PM, Rob Crittenden rcrit...@redhat.com wrote:
Bret Wortman wrote:
On the new replica (asipa) I see in the access log almost
thoughts on where to look next? There's nothing at all logged in
/var/log/krb5kdc.log when I try to start it up, and there are so many
pieces to this that I'm not sure where to focus my efforts.
Thanks!
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
move forward. Thanks for the
pointer, Martin.
Bret
On 04/30/2014 03:15 AM, Martin Kosek wrote:
On 04/28/2014 01:03 PM, Bret Wortman wrote:
We are planning to reconfigure our core Freeipa servers, basically building a
replacement infrastructure and migrating to it. What we're planning right now
?
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
Crap. Thought I caught this before I sent it.
# rm -f /etc/ipa/ca.crt
On 04/29/2014 01:22 PM, Bret Wortman wrote:
I'd like to test migrating our clients from the old IPA infrastructure
to our newer F20-based servers but am having trouble with our first
clients. Unenrolling them from the old
these servers (VMs, most likely) up?
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
something
inoperable?
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
Not to be thick, but what's the best way to check the DS instance for a
pki entry?
On 04/28/2014 07:57 AM, Dmitri Pal wrote:
On 04/28/2014 07:52 AM, Bret Wortman wrote:
I'm trying to stand up a new ipa server on a clean box, and I keep
getting this error so _something_ is amiss but I'm
Great. I'll try that next.
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
On Apr 28, 2014, at 8:33 AM, Petr Viktorin pvikt...@redhat.com wrote:
On 04/28/2014 01:52 PM, Bret Wortman wrote:
I'm trying to stand up a new ipa server on a clean box, and I keep
getting
I thought that might be it and didn't see anything but will look again.
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
On Apr 28, 2014, at 8:20 AM, Dmitri Pal d...@redhat.com wrote:
On 04/28/2014 08:06 AM, Bret Wortman wrote:
Not to be thick, but what's the best way
On 04/28/2014 10:48 AM, Rob Crittenden wrote:
Bret Wortman wrote:
On 04/28/2014 10:21 AM, Bret Wortman wrote:
On 04/28/2014 08:33 AM, Petr Viktorin wrote:
According to the error you're getting, there is a CA instance already
installed.
After uninstalling IPA, destroy
On 04/28/2014 11:08 AM, Bret Wortman wrote:
On 04/28/2014 10:48 AM, Rob Crittenden wrote:
Bret Wortman wrote:
On 04/28/2014 10:21 AM, Bret Wortman wrote:
On 04/28/2014 08:33 AM, Petr Viktorin wrote:
According to the error you're getting, there is a CA instance already
installed.
After
On 04/28/2014 11:17 AM, Rob Crittenden wrote:
Bret Wortman wrote:
So is there a recommended way to clean it up and get it working?
Re-run pkidestroy, then if the subsequent IPA install fails closely
examine the logs to determine the reason. The problem in cases like
this is that the first
On 04/28/2014 11:52 AM, Rob Crittenden wrote:
Bret Wortman wrote:
On 04/28/2014 11:17 AM, Rob Crittenden wrote:
Bret Wortman wrote:
So is there a recommended way to clean it up and get it working?
Re-run pkidestroy, then if the subsequent IPA install fails closely
examine the logs
to be the critical piece? Could this be related to the servers
being VMs?
--
*Bret Wortman*
http://damascusgrp.com/
http://about.me/wortmanbret
On 04/28/2014 01:19 PM, Bret Wortman wrote:
I just got a new ipa server instantiated and haven't actually
installed any users or hosts on it yet. No replicas. No migrated data.
Yet when I run any ipa commands from the command line, it behaves
exactly as our older, troubled servers do
bash.
On 04/28/2014 01:32 PM, Simo Sorce wrote:
On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
On 04/28/2014 01:19 PM, Bret Wortman wrote:
I just got a new ipa server instantiated and haven't actually
installed any users or hosts on it yet. No replicas. No migrated data.
Yet when I
On 04/28/2014 01:53 PM, Simo Sorce wrote:
On 04/28/2014 01:32 PM, Simo Sorce wrote:
On Mon, 2014-04-28 at 13:25 -0400, Bret Wortman wrote:
On 04/28/2014 01:19 PM, Bret Wortman wrote:
I just got a new ipa server instantiated and haven't actually
installed any users or hosts on it yet
sitant to go too far. This machine, however, is my program
manager's workstation, so it's pretty important to get back up and
running.
Thanks,
--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
BTW, this also fails when using the web UI -- I can see the entry
but not delete it.
On 03/27/2014 09:02 AM, Bret Wortman
wrote:
My IPA corruption continues and I'm afraid I'm going to have to
recreate it from scratch since no reasonable
That worked like a champ. As always.
Thanks, Rob.
Bret
On 03/27/2014 10:08 AM, Rob Crittenden wrote:
Bret Wortman wrote:
BTW, this also fails when using the web UI -- I can see the entry but
not delete it.
It sounds like you have a replication conflict entry. Try this search
size (number of passwords): 0
Character classes: 2
Min length: 8
Max failures: 6
Failure reset interval (seconds): 60
Lockout duration (seconds): 600
--
Bret Wortman
http://damascusgrp.com/
http://about.me/wortmanbret
Is there a way to set a password to not expire? I thought I read
somewhere that 0 did that, but apparently not.
On 03/06/2014 07:55 AM, Sumit Bose wrote:
On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
Strange behavior now with our passwords (and we still haven't solved
our