Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2017-01-05 Thread Brian J. Murrell
On Wed, 2017-01-04 at 16:21 -0500, Jeff Goddard wrote: > I don't want to hijack someone else's thread but I'm having what > appears to > be the same problem and have not seen a solution presented yet. The problem and solution were presented. These two messages basically embody the problem I had:

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-30 Thread Brian J. Murrell
[ Sent just to the list. Hopefully Martin is on it. ] On Thu, 2016-12-22 at 10:06 +0100, Martin Babinsky wrote: > > Hi Brian, Hi Martin, > DS should use /etc/sysconfig/dirsrv to set its KRB5_KTNAME env > variable  > to /etc/dirsrv/ds.keytab. Ah-ha! This was the problem. When I upgraded from

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
Some additional information. I can't seem to use the CLI either. Perhaps that is expected: # kinit admin Password for ad...@example.com: # klist Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m Default principal: ad...@example.com Valid starting ExpiresService principal 21

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 17:50 +0100, Petr Spacek wrote: > Okay, I believe that this is the problem: > > On 21.12.2016 15:53, Brian J. Murrell wrote: > > [21/Dec/2016:09:39:12.003351818 -0500] conn=77028 fd=107 slot=107 > > connection from local to /var/run/slapd-EXAMPLE.COM.so

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 15:04 +0100, Petr Spacek wrote: > > I'm really curious what you will find out :-) It seems to be like this, over and over again: [21/Dec/2016:09:39:02.124732240 -0500] conn=77025 fd=107 slot=107 connection from 10.75.22.1 to 10.75.22.247 [21/Dec/2016:09:39:02.125630906 -05

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-21 Thread Brian J. Murrell
On Wed, 2016-12-21 at 08:24 +0100, Petr Spacek wrote: > > You can try to add line > KRB5_TRACE=/dev/stdout > to > /etc/sysconfig/ipa-dnskeysyncd [27472] 1482320667.240500: Retrieving ipa-dnskeysyncd/server.example@example.com from FILE:/etc/ipa/dnssec/ipa-dnskeysyncd.keytab (vno 0, enctype

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-20 Thread Brian J. Murrell
On Tue, 2016-12-20 at 11:55 +0100, Martin Basti wrote: > > So there are actually no issues with credentials, it needs more  > debugging, in past we have similar case but we haven't found the > root  > cause why it doesn't have the right credentials after kinit. So, to be clear, all I did was kini

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 17:26 +0100, Martin Basti wrote: > > On 19.12.2016 13:19, Brian J. Murrell wrote: > > On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote: > > > Hello, > > > > > > could you recheck with SElinux in permissive mode? > &

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-19 Thread Brian J. Murrell
On Mon, 2016-12-19 at 09:42 +0100, Martin Basti wrote: > > Hello, > > could you recheck with SElinux in permissive mode? Yeah, still happens even after doing: # setenforce 0 Cheers, b. signature.asc Description: This is a digitally signed message part -- Manage your subscription for the Fre

Re: [Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-17 Thread Brian J. Murrell
On Fri, 2016-12-16 at 22:53 -0500, Brian J. Murrell wrote: > Hi, > > After upgrading to EL 7.3 which included an upgrade of IPA from > 4.2.0- > 15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting:  > > 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind...

[Freeipa-users] ipa-dnskeysyncd ipa : ERROR Login to LDAP server failed: {'desc': 'Invalid credentials'}

2016-12-16 Thread Brian J. Murrell
Hi, After upgrading to EL 7.3 which included an upgrade of IPA from 4.2.0- 15.0.1.el7.centos.19 to 4.4.0-14.el7.centos I'm getting: 22:01:00 ipa-dnskeysyncd ipa : INFO LDAP bind... 22:01:00 ipa-dnskeysyncd ipa : ERRORLogin to LDAP server failed: {'desc': 'Invalid credent

Re: [Freeipa-users] dynamic dns working for forward zone but not reverse zone

2016-05-31 Thread Brian J. Murrell
On Mon, 2016-05-30 at 13:43 +0200, Petr Spacek wrote: > > Can you query the SOA record from the reverse zone, please? > > $ dig @10.75.22.247 0.10.8.in-addr.arpa. SOA Ahhh.  That's the problem.  The subnet is 10.8.0.0/24 so the query should be for 0.8.10.in-addr.arpa. Sometimes it just takes a

[Freeipa-users] dynamic dns working for forward zone but not reverse zone

2016-05-27 Thread Brian J. Murrell
I have a FreeIPA 4.2.0 on CentOS 7.2.  I have dynamic DNS updates working for a forward zone but they are failing (NOTAUTH) for a reverse zone.  Here are configuration of the two zones:   dn: idnsname=example.com.,cn=dns,dc=example,dc=com   Zone name: example.com.   Active zone: TRUE   Authoritati

Re: [Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-09 Thread Brian J. Murrell
On Thu, 2015-11-05 at 16:25 -0500, Rob Crittenden wrote: > What is "flaky" about it? It will fail and then without doing anything else except waiting a second or two, a second invocation will succeed. But I think I know why. It seems to fail on the slave server but pass on the primary server.

Re: [Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-05 Thread Brian J. Murrell
On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote: > I am trying to re-enroll clients after re-installing their O/S (EL6) > using: > > # ipa-client-install --force-join ... > > Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I > am > finding tha

[Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-04 Thread Brian J. Murrell
I am trying to re-enroll clients after re-installing their O/S (EL6) using: # ipa-client-install --force-join ... Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I am finding that after doing that for a given host, trying to ssh to it from another enrolled IPA client I am getti

Re: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

2015-09-26 Thread Brian J. Murrell
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote: OK. I have refreshed my memory of how Kerberos works. > The sequence above: > > - Sets a random Kerberos key for a principal named > aster...@example.com >on IPA KDC and stores it to the local keytab file asterisk.keytab Yes. T

Re: [Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

2015-09-24 Thread Brian J. Murrell
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote: > You need to explain what are you trying to achieve first. Sure. It is entirely likely that I am misunderstanding what I should be doing. A system service needs to be able to authenticate to the service imap/linux.example.com as a give

[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t

2015-09-23 Thread Brian J. Murrell
I've put a kerberos principle into a keytab: # klist -k asterisk.keytab Keytab name: FILE:asterisk.keytab KVNO Principal -- 8 aster...@example.com using: # ipa-getkeytab -s server.example.com -p asterisk -k /tmp/aste

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-15 Thread Brian J. Murrell
On Tue, 2015-09-15 at 13:01 +0200, Martin Kosek wrote: > BTW, there was related thread on freeipa-users in the past, with some > links to > related information: > > https://www.redhat.com/archives/freeipa-users/2012-June/msg00216.html So this writeup seems to ignore the fact that Apache and the c

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-15 Thread Brian J. Murrell
On Sat, 2015-09-12 at 08:57 -0400, Brian J. Murrell wrote: > Due to the bug in mod_nss that prevents SNI from functioning (i.e. > limits a port to a single certificate) I need to add SANs > (SubjectAltName) to the certificate that freeipa created for the > webserver (Server-Cert) so th

Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-14 Thread Brian J. Murrell
On Mon, 2015-09-14 at 08:28 +0200, Martin Kosek wrote: > Hello, Hi, > It is the right way to do it AFAIK, Indeed, no. It's a hack around the lack of SNI support in mod_nss. > however it would only work with FreeIPA 4.0 > or older: > > https://fedorahosted.org/freeipa/ticket/3977 That's righ

[Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-12 Thread Brian J. Murrell
Due to the bug in mod_nss that prevents SNI from functioning (i.e. limits a port to a single certificate) I need to add SANs (SubjectAltName) to the certificate that freeipa created for the webserver (Server-Cert) so that I can add more virtual hosts to the same Apache instance (yes, I know this is

Re: [Freeipa-users] /var/kerberos/krb5kdc/principal missing

2013-10-03 Thread Brian J. Murrell
Thanks much! That got things back up and running. Now to go fix the errant configuration management recipe. Cheers, b. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] /var/kerberos/krb5kdc/principal missing

2013-10-03 Thread Brian J. Murrell
On 13-10-03 11:49 AM, Rob Crittenden wrote: Can clues on how it got to this point? Files changed, etc? Not really. This machine has been sitting mostly dormant in fact since I was last working on it a week or two ago. What does the dbmodules section of /etc/krb5.conf look like? And ther

[Freeipa-users] /var/kerberos/krb5kdc/principal missing

2013-10-03 Thread Brian J. Murrell
I have a FreeIPA server set up on EL 6.4 with the following package versions: ipa-admintools-3.0.0-26.el6_4.4.x86_64 krb5-libs-1.10.3-10.el6_4.6.x86_64 ipa-server-selinux-3.0.0-26.el6_4.4.x86_64 ipa-client-3.0.0-26.el6_4.4.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch krb5-server-1.10.3-10.el6_