- FreeIPA-users - Fedora mailing-lists

Redmine ?
by lejeczek 18 Jul '25

18 Jul '25

Hi guys. I used this - https://www.freeipa.org/page/HowTo/Authenticating_Redmine_with_IPA to setup Redmine - in container - with LDAP, which conn-tests ok, but ldap users fail to login. I also conn-test outside of Redmine - all seems okey. ... conn=226 op=0 BIND dn="uid=redmine,cn=sysaccounts,cn=etc,dc=mine,dc=priv" method=128 version=3 conn=226 op=0 RESULT err=53 tag=97 nentries=0 wtime=0.000134983 optime=0.000054222 etime=0.000188403 ... Which I think means misconfigured bind ? I fiddled with Base DN but to no avail. Anybody runs Redmine - successfully? thanks, L.

2 2

Problem mounting kerberised nfs over a second network
by wodel youchi 18 Jul '25

18 Jul '25

Hi, I have a freeipa server on the mgmt network, and an nfs-server and an nfs-client that have two network ports, one on the mgmt network, the second on the storage network. I did configure NFS with kerberos with automount (to mount users home directories) and it did work using the mgmt network, but when I changed my export to use the storage network it won't work anymore. I get "permission denied" when I login. How can I make this work? Regards.

2 1

Proper method for updating client /var/lib/ipa-client/pki/ bundles
by Ty zang 17 Jul '25

17 Jul '25

Hey all, I am troubleshooting an authentication issue with my clients that happened after a mass PKI cert expiration on my third party CA (root, issuer, and a ton of others). When I authenticate on a client to IPA, it sends my request to the RADIUS server (RSA Auth Mgr) and prompts for first token and second token. Once I enter those, it lets me in (SSH). But for xRDP, it keeps failing and the only log I have on RSA is "bad tokencode but good PIN". I do see an error code 7 in one of the logs (was it secure log?). So that is how I got to where I am. I looked at /etc/krb5.conf and it points to two files: /var/lib/ipa-client/pki/ca-bundle /var/lib/ipa-client/pki/kdc-ca-bundle When I look at the certs in these files, I do see the expired root and issuer (and a valid IPA certificate authority cert). What is the proper way to update these two third party certs in these files on the ipa clients? Should I use keytool/openssl to rip the old ones out and import the new PEM files? I believe I already dropped these two certs under /etc/pki/ca-trust/source/anchors/ and ran "update-ca-trust" but these files seem remain invalid. Just looking for the proper way, so appreciate the help!

3 2

No valid Negotiate header in server response, keytabs regenerated
by Felix O 16 Jul '25

16 Jul '25

Hi, when trying to run any ipa cli commands, they fail with the message ipa: ERROR: No valid Negotiate header in server response. Trying to sign into the web ui fails by unknown error. The instance has had its certificates expired and then renewed using ipa-cert-fix, after which the problem occurred. I have regenerated the host keytab and gssproxy keytab using the following commands, to no success. (the command succeeds, but it doesn't help the issue) ipa-getkeytab -s ipa.example.com -p host/ipa.example.com(a)EXAMPLE.COM -k /etc/krb5.keytab ipa-getkeytab -s ipa.example.com -p HTTP/ipa.example.com(a)EXAMPLE.COM -k /var/lib/ipa/gssproxy/http.keytab Felix

5 9

Users without an ipaNTSecurityIdentifier cannot authenticate on the new replica server
by Tien Cao Huy 16 Jul '25

16 Jul '25

Dear, I’ve added a new replica server. The replication completed successfully, but users without an ipaNTSecurityIdentifier are unable to log in to the WebUI on the new replica server. The other (older) replica servers are still working fine. Only users with an ipaNTSecurityIdentifier can authenticate successfully. How can I resolve this issue? Should I run the command ipa config-mod --enable-sid --add-sids on this replica server? I need to know if I follow this command it will affect the active server working now? Best regards,

4 12

Cannot join realm domain from Initial Setup (Enterprise login)
by William Oprandi 16 Jul '25

16 Jul '25

I try to be able to join my realm from Initial Setup without success. I always get the error message "Couldn't log in as user: Couldn't connect to the xxx domain: Cannot contact any KDC for realm 'XXX'" But if I use `realm discover` and `realm join` commands, it installs necessary packages and the host is correctly enrolled into FreeIPA Also fail from settings > users > Add Enterprise Login, "Failed to log into domain" (despite "Valid domain") I don't see errors from realmd service I don't know what to check

3 8

command completion in 4.12.2 in container
by lejeczek 15 Jul '25

15 Jul '25

Hi guys. I have newly installed 4.12.2 in container where 'ipa ' does not complete - whereas older 4.10.1 also in container, does do it. Both have bash-completion - am I missing something? many thanks, L.

3 2

Re: pki-tomcat won't start after CA certs updated, getcert still shows a lot of expired certs
by Schrier, William (Contractor) 14 Jul '25

14 Jul '25

I think we are ready to cut our losses on this server. At this point, I am planning on simply building a new server (Oracle Linux 8 is the highest approved in our environment at this time) and installing a new FreeIPA server. Is there a way I could extract all the useful information I need out of my current FreeIPA server without taking any of the certs so I could import it into the new FreeIPA server to get it up to speed quickly to cutover? Will the ipa-backup/ipa-restore commands work for this? Will that even work when changing OS and version as part of the restore? Is this better handled as a new thread? Thanks for all the help with this! I truly appreciate it! Will

1 0

Unable to create freeipa instance
by CoreyLee Hassell 14 Jul '25

14 Jul '25

I am redoing freeipa infrastructure in my homelab because I need RSNv3s for ACME to work. However, on both Fedora 42 and Alma 10, I get the following error during CA setup. Command used: `ipa-server-install --setup-dns --no-forwarders --random-serial-numbers --ssh-trust-dns --mkhomedir` [20/33]: requesting RA certificate from CA [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nocerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmp_vwkehi7', '-passin', 'file:/tmp/tmp_kb5jcg3', '-nodes'] returned non-zero exit status 1: 'Error outputting keys and certificates\n80F281632D7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:\n80F281632D7F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:84:maybe wrong password\n') CalledProcessError(Command ['/usr/bin/openssl', 'pkcs12', '-nocerts', '-in', '/root/ca-agent.p12', '-out', '/var/lib/ipa/tmp_vwkehi7', '-passin', 'file:/tmp/tmp_kb5jcg3', '-nodes'] returned non-zero exit status 1: 'Error outputting keys and certificates\n80F281632D7F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:\n80F281632D7F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:crypto/pkcs12/p12_decr.c:84:maybe wrong password\n') The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Fedora 42 (freeipa-server package 4.12.2-14.fc42) On alma, OpenSSL is `OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)` The freeipa-server package is ipa-server-4.12.2-15.el10.aarch64.rpm

3 4

Monitoring the ID ranges
by Aurelien Bompard 09 Jul '25

09 Jul '25

Hey folks! On Fedora we have reached the limit of our ID ranges again. I've added a fourth additional ID range, but I wonder if there would be a way for us to monitor ID range usage in Nagios / Zabbix, so that we anticipate it next time rather than having users failing to create a new account. I'd like to get the number of free IDs, is there something like this in IPA already? I see that there are some interesting functions in ipaserver/install/ipa_idrange_fix.py, should I try to write a script using them, or on the contrary avoid using them if they are private? Thanks! Aurélien

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users