January 2019 - FreeIPA-users - Fedora Mailing-Lists

by Natxo Asenjo

hi, at work I am testing using a light sub-ca with openvpn to limit the scope of hosts that can auto request a certificate. So far so good, really impressed with how well it works. The question I cannot answer is: are there specific urls for crl/ocsp for sub-cas, or do the 'generic' crl/ocsp url apply to sub-cas as well? Thanks for your support. Regards, -- Groeten, natxo

5 years, 2 months

3
2
0 / 0

Transitive trust with AD domain that has already a trust with a 3rd domain.

by SOLER SANGUESA Miguel

Hello, I have 2 AD domains on windows 2016 with a forest trust, two-way, and "Selective authentication": mydomain.com <--trust--> other.company.org Now I have built an IDM instance on RHEL 7.5 and IPA version 4.5.4 on the subdomain "ipa.mydomain.com". I need to use users from the 2 domains above, to I have created a trust transitive and one way: ipa.mydomain.com --trust--> mydomain.com But I can not do the trust between ipa.mydomain.com <-- other.company.org because on AD side there is already a trust between other.company.org and the root of ipa (mydomain.com). As the trust is transitive, in theory users from other.company.org should be allowed on ipa subdomain because: ipa.mydomain.com --trust--> mydomain.com <--trust--> other.company.org I can get a kerberos TGT with: "kinit user(a)OTHER.COMPANY.ORG" But I can not do "id user(a)other.company.org" neither I can add it to an external group, it complains: member group: user(a)other.company.org: invalid 'trusted domain object': domain is not trusted" Should I change something on the sssd or kerberos configuration for make the users trusted by my trust work? Is the "Selective authentication" configured at AD level the problem? thanks. Thanks & Regards. ______________________________

5 years, 2 months

2
3
0 / 0

Re: [systemd-devel] systemctl condreload - Is it a thing?

by Ian Pilcher

On 1/30/19 10:11 AM, Andy Pieters wrote: > man page on Centos > try-restart PATTERN... > Restart one or more units specified on the command line if > the units are running. This does nothing if units are not running. > Note that, for compatibility with Red Hat init > scripts, condrestart is equivalent to this command. Yes, but I'm asking about condreload (not condrestart). -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

5 years, 2 months

1
1
0 / 0

certmonger with certs/keys not owned by root

by Ian Pilcher

I am setting up FreeRADIUS on my "network server" at home, which also runs FreeIPA. Naturally, I would like to use certmonger to issue, track, and renew the certificate(s) used by FreeRADIUS. Unfortunately, ipa-getcert only works when run as root, and it writes the certificate and key files as root/0600, leaving them unreadable by radiusd. I can obviously change the permissions of the files, but certmonger will presumably reset them when it renews the certificate. I feel like I must be missing something obvious. certmonger must be usable with services that run as a non-root user, right? -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

5 years, 2 months

2
1
0 / 0

LDAP account for service

by Ian Pilcher

Continuing my adventures with FreeRADIUS ... It seems that there's no escaping the need to create a dedicated LDAP user for FreeRADIUS, so that it can see group membership information. I've already created a FreeIPA service - radius/ipa.example.com(a)EXAMPLE.COM - so that I could issue a certificate for PEAP and monitor it with certmonger. (Yes, FreeRADIUS is running on the same server as FreeIPA.) Is it possible to somehow create a "service user" associated with this service that FreeRADIUS can use as an LDAP login? Thanks! -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

5 years, 2 months

2
2
1 / 0

Expired Certificates.

by Bhavin Vaidya

Hello, We rebooted our Primary FreeIPA server (ds01) and then it will not start pki-tomcatd, Kerberos will also not work, though it starts. We realized that 2 certificates have expired. we tried stopped ipa, stopped NTP, going back to Dec 14th, 2018 and restarted certmonger, bring back date but still no luck. this is our primary, and we do have 2 local and 2 remote FreeIPA server on them only one of the certificate (June 15th, 2018) is showing expired and others are good. Do we have to go back on date before June 15th, 2018 on ds01? Details are: [root@ds01 ~]# cat /etc/centos-release CentOS Linux release 7.4.1708 (Core) [root@ds01 ~]# ipa ca-find ------------ 1 CA matched ------------ Name: ipa Description: IPA CA Authority ID: 606<...........SNIP..........>450 Subject DN: CN=Certificate Authority,O=DOMAIN.COM Issuer DN: CN=Certificate Authority,O=DOMAIN.COM ---------------------------- Number of entries returned 1 ---------------------------- [root@ds02 ~]# ipa ping ------------------------------------------- IPA server version 4.5.0. API version 2.228 [root@ds01 ~]# KRB5_TRACE=/dev/stdout kinit admin [5509] 1547598366.261229: Getting initial credentials for admin(a)DOMAIN.COM [5509] 1547598366.267532: Sending request (171 bytes) to DOMAIN.COM [5509] 1547598366.268593: Resolving hostname ds01.domain.com [5509] 1547598366.269479: Sending initial UDP request to dgram 192.1xx.xxx.xxx:88 [5509] 1547598367.270712: Initiating TCP connection to stream 192.1xx.xxx.xxx:88 [5509] 1547598367.270884: Sending TCP request to stream 192.1xx.xxx.xxx:88 [5509] 1547598372.338780: Received answer (171 bytes) from dgram 192.1xx.xxx.xxx:88 [5509] 1547598372.338841: Terminating TCP connection to stream 192.1xx.xxx.xxx:88 [5509] 1547598372.338989: Response was from master KDC [5509] 1547598372.339095: Received error from KDC: -1765328324/Generic error (see e-text) kinit: Generic error (see e-text) while getting initial credentials [root@ds01 ~]# getcert list Number of certificates and requests being tracked: 9. Request ID '20180228053337': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=ds01.domain.com,O=DOMAIN.COM subject: CN=ds01.domain.com,O=DOMAIN.COM expires: 2019-03-07 06:24:12 UTC principal name: krbtgt/DOMAIN.COM(a)DOMAIN.COM certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20180315021457': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Audit,O=DOMAIN.COM expires: 2020-02-25 04:27:49 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180315021500': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=OCSP Subsystem,O=DOMAIN.COM expires: 2020-02-25 04:28:38 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180315021501': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=CA Subsystem,O=DOMAIN.COM expires: 2020-02-25 04:31:47 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180315021502': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=Certificate Authority,O=DOMAIN.COM expires: 2038-03-07 03:47:46 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20180315021503': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=IPA RA,O=DOMAIN.COM expires: 2018-06-15 23:15:23 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20180315021504': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=ds01.domain.com,O=DOMAIN.COM expires: 2018-12-16 21:02:44 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20180315021505': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=ds01.domain.com,O=DOMAIN.COM expires: 2020-03-07 08:49:36 UTC principal name: ldap/ds01.domain.com(a)DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM track: yes auto-renew: yes Request ID '20180315021510': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=DOMAIN.COM subject: CN=ds01.domain.com,O=DOMAIN.COM expires: 2020-03-07 08:49:51 UTC principal name: HTTP/ds01.domain.com(a)DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes thank you, Bhavin

5 years, 2 months

4
8
0 / 0

Unable to migrate IPA3 to IPA4

by Robert Alba

Having Cert issues on a centos 6 IPA 3 server ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324) ipa config-mod --enable-migration=TRUE ipa: ERROR: cannot connect to u'https://lax4ipa01.mia.bill1st.local/ipa/xml': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate. Old server, pretty much cant register any new clients to. Willing to pay for support for migration help. Version/Release/Distribution ipa-server-3.0.0-47.el6.centos.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch python-iniparse-0.3.1-2.1.el6.noarch ipa-python-3.0.0-47.el6.centos.x86_64 ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-admintools-3.0.0-47.el6.centos.x86_64 ipa-server-selinux-3.0.0-47.el6.centos.x86_64 device-mapper-multipath-0.4.9-87.el6.x86_64 libipa_hbac-1.12.4-47.el6.x86_64 libipa_hbac-python-1.12.4-47.el6.x86_64 device-mapper-multipath-libs-0.4.9-87.el6.x86_64 sssd-ipa-1.12.4-47.el6.x86_64 ipa-client-3.0.0-47.el6.centos.x86_64 root@lax4ipa01.mia.bill1st:~$ cat /etc/ipa/ca.crt -----BEGIN CERTIFICATE----- MIIDozCCAougAwIBAgIBATANBgkqhkiG9w0BAQsFADA8MRowGAYDVQQKExFNSUEu QklMTDFTVC5MT0NBTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X DTE0MTEyNTE4MzgxN1oXDTM0MTEyNTE4MzgxN1owPDEaMBgGA1UEChMRTUlBLkJJ TEwxU1QuTE9DQUwxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXgRpqEULf5v40kMxTtEooRBlEu u8Kl1LyhXD5Oyvx4qpe7dQTM2EWKel7zm3j0Q2MP7utzTydxF4j4GToT8vlRdDXj gdZjBpV7qbCc/t6OVF7sAhqY6Hz5Gghx9UTZ3euGJcBC0rcWQPWjSQi4GFA06I1v MzoWWPoK/dY93eUgEnqXn1hdiD/ediPC5bXsgsERvKBl5LZ6xpbLYmpoNYeAh1KQ Yg3Wyluj1yel5f+qYTkm/I6UJxT3EHS2grEXizkOWWfuyNguWPKzsuLop3U7iz7K AycUAcxLVF1X1OxXIczlPv4hF91shwIUluIWBvhjfUttuAxp17Wt9eiGgbUCAwEA AaOBrzCBrDAfBgNVHSMEGDAWgBR0Qg2UtrPixTY+00wdObnpJGsxazAPBgNVHRMB Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUdEINlLaz4sU2PtNM HTm56SRrMWswSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzABhi1odHRwOi8vbGF4 NGlwYTAxLm1pYS5iaWxsMXN0LmxvY2FsOjgwL2NhL29jc3AwDQYJKoZIhvcNAQEL BQADggEBAGNJYJGde8xLSkzSaJo4Q70PDP8gFOVq3x0FK59mkA/eEpV5HsPfbhWh FcH/T3m5etycX/lh52Y2lYuf4rULJEdEbrFhZmj8u3yd3IOrHCp4oLTb2RIr3EU/ YxNvt0Rq1+tQ7+wrrwZkltpOkZRb54N6JYf1D8SYOfo5278LcwOucHRscfMdtOzu +QRXwLD8+ifV0OCHdpDw2LyV1H3JnuvzEAlBy3uKvcXPO6qzhPuVyb62JK3+gdtV 6leBi5t9kFbYN5utfjRGy5eABLbTbiCz+100jbKDiBkGBXmVduQeXbP4nvkiQM5w mnAdvxgn1cNpeNhlYd//D60k5ckE0Us= -----END CERTIFICATE----- root@lax4ipa01.mia.bill1st:~$ certutil -L -d /etc/httpd/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u ipaCert u,u,u MIA.BILL1ST.LOCAL IPA CA CT,C,C getcert list Number of certificates and requests being tracked: 8. Request ID '20141125183905': status: MONITORING ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...". stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL expires: 2018-10-08 17:15:13 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20141125183906': status: MONITORING ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...". stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL expires: 2018-10-08 17:14:13 UTC eku: id-kp-OCSPSigning pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20141125183907': status: MONITORING ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...". stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=CA Subsystem,O=MIA.BILL1ST.LOCAL expires: 2018-10-08 17:14:13 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20141125183908': status: MONITORING ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...". stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=IPA RA,O=MIA.BILL1ST.LOCAL expires: 2018-10-08 17:14:13 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20141125183909': status: MONITORING ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=...". stuck: no key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL expires: 2018-10-08 17:14:13 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20141125183922': status: CA_UNREACHABLE ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL expires: 2018-10-30 17:14:19 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MIA-BILL1ST-LOCAL track: yes auto-renew: yes Request ID '20141125183953': status: CA_UNREACHABLE ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL expires: 2018-10-30 17:14:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA track: yes auto-renew: yes Request ID '20141125184220': status: CA_UNREACHABLE ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL expires: 2019-05-03 14:41:19 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes root@lax4ipa01.mia.bill1st:~$

5 years, 2 months

3
7
0 / 0

FreeIPA server has no UID range

by Ian Pilcher

Many moons ago I migrated my home FreeIPA server from CentOS 6 to CentOS 7 via replication. I've just tried to create a new user for the first time since, and I hit: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed. I've found a few old mailing list messages that explain the reason that this happened, so I know that I need to create a "dnarange", but I haven't found anything that shows me exactly how to do that, or what the range should be. (Since I only have a single server, I would think that the default would be fine.) Any pointers would be appreciated. Thanks! -- ======================================================================== Ian Pilcher arequipeno(a)gmail.com -------- "I grew up before Mark Zuckerberg invented friendship" -------- ========================================================================

5 years, 2 months

1
1
0 / 0

"floating IP" / HA IPA <= and Win AD one-way trust

by lejeczek

hi gents, I wonder if IPA when setup up on an "isolated" network segment, having one single point of communicating with outside, which specifically means Win AD, would established a trust and work okey later. A briefly sketched example... 1st IPA master 2nd & 3rd all on 10.10.10.0/24, with pacemaker/HA floating one IP between IPAs masters on 192.168.2.0, which is where whole Win AD is(and the rest of intranet). DNS is where the devil is, details. Can it be done? I read that zone views are discouraged and I do not think IPA's DNS support those anyway. Can DNS be "completed" without harming IPA in a way that incoming trust from AD can be achieved in above scenario? many thanks, L.

5 years, 2 months

2
3
0 / 0

IPA Infrastructure Design Question with multiple IPA Clusters

by TomK

Suppose I have the following scenario: AD DC Cluster = b.a ( user: b.a\jack ) IPA Cluster 01 = c.b.a IPA Cluster 02 = d.b.a IPA Cluster 03 = e.b.a If I setup all 3 IPA clusters as subdomains of b.a, I know each one can establish a trust with the AD DC and I can authenticate as 'b.a\jack' through servers connected to each cluster. But if I want to do something like this (just theoretical): AD DC Cluster = b.a ( user: b.a\jack ) IPA Cluster 01 = c.b.a IPA Sub Cluster 01 = d.c.b.a IPA Sub Cluster 02 = e.c.b.a Meaning only c.b.a has a trust with the AD DC Cluster but d.c.b.a and e.c.b.a don't have a direct trust with the AD DC however c.b.a forwards anything on 'd' and 'e' over to the sub clusters. Can the IPA Cluster 01 'delegate' the AD DC trust to the sub IPA clusters? I imagine it's not possible. If by chance it is, what would I need to do to make that work? Guessing allowing the AD DC to trust the subdomains would be one of the things I need to do. But what else? -- Regards, TK -------------------------------------------------------------------------------------

5 years, 2 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2019