Rob,
I can run "ipa help" on 2 of the 3; the 3rd yields this:
# ipa help
ipa: ERROR: No valid Negotiate header in server response
Through some additional digging & log mining this morning, I figured out that
something went tango uniform in our NTP configuration, so two of the servers were agreeing
on the time (though incorrectly!) and this one, while closer, was far enough off the
others to cause a problem. I synced all 3 manually to a time source and voila.
Everything's back and looking groovy.
Bret Wortman
Founder, Damascus Products, LLC
855-644-2783 | bret(a)wrapbuddies.co
http://wrapbuddies.co/
70 Main St. Suite 23 Warrenton, VA 20186
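Bret's root cause was clock drift between the three servers, and Kerberos is unforgiving about that: MIT krb5 rejects authenticators whose timestamp falls outside its clockskew tolerance, 300 seconds by default, which fits both symptoms (named's GSSAPI bind failing and "ipa help" getting no valid Negotiate header). The script below is an added example, not code from the thread or from FreeIPA, that checks a list of servers' clocks against that tolerance. The hostnames, epoch times and reference time are constructed; in practice you would collect them from the servers and an upstream NTP source.

```sh
# Added example (not from the thread): detect the clock drift that Bret found.
# Kerberos rejects authenticators whose timestamp is outside the KDC/service
# tolerance; MIT krb5's default 'clockskew' is 300 seconds.
KRB5_CLOCKSKEW=300

# Constructed sample: one "host epoch_seconds" line per IPA server, the kind of
# list you would gather with   for h in ...; do echo "$h $(ssh "$h" date +%s)"; done
# Two servers agree with each other; the third is about seven minutes ahead.
SAMPLE_TIMES='ipa1.example.test 1551205980
ipa2.example.test 1551205982
ipa3.example.test 1551206410'

# max_skew_seconds LIST: print the largest difference between any two clocks.
max_skew_seconds() {
    printf '%s\n' "$1" | awk '
        NR == 1 { min = max = $2 }
        $2 < min { min = $2 }
        $2 > max { max = $2 }
        END { print max - min }'
}

# skewed_hosts LIST REF_EPOCH TOLERANCE: print the hosts more than TOLERANCE
# seconds away from a trusted reference time (e.g. an upstream NTP server).
skewed_hosts() {
    printf '%s\n' "$1" | awk -v ref="$2" -v tol="$3" '
        { d = $2 - ref; if (d < 0) d = -d; if (d > tol) print $1 }'
}

# check_skew LIST: return 0 when every pair of servers is within the Kerberos
# tolerance, 1 otherwise. Mutual agreement alone is not enough: in the thread
# two servers agreed with each other but were both wrong, so also compare
# against the reference time with skewed_hosts.
check_skew() {
    skew=$(max_skew_seconds "$1")
    if [ "$skew" -gt "$KRB5_CLOCKSKEW" ]; then
        echo "FAIL: server clocks differ by up to ${skew}s (limit ${KRB5_CLOCKSKEW}s)"
        return 1
    fi
    echo "OK: server clocks differ by at most ${skew}s"
}

# Reference time assumed to come from an authoritative NTP source (constructed).
REF_TIME=1551205981

check_skew "$SAMPLE_TIMES" ||
    echo "Resync chrony/ntpd on: $(skewed_hosts "$SAMPLE_TIMES" "$REF_TIME" "$KRB5_CLOCKSKEW")"
```

Run against the constructed sample it reports a 430 s spread and names ipa3.example.test as the outlier. A useful habit after any Kerberos "credentials" failure on a single replica is to run this kind of comparison before touching keytabs or certificates, since a bad clock produces errors that look like authentication problems.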
On Feb 26 2019, at 3:33 pm, Rob Crittenden <rcritten(a)redhat.com> wrote:
Bret Wortman wrote:
> I don't think it's the CSR. We've got 3 IPA servers. Two seem to be
> working just fine. One refuses to start named and /var/log/messages says
> it's due to:
>
> bind-dyndb-ldap version 11.1 compiled at 13:38:22 Aug 23, 2017, compiler
> 4.8.5 20150623 (Red Hat 4.8.5-16)
> LDAP error: Invalid credentials: bind to LDAP server failed
> couldn't establish connection in LDAP connection pool: permission denied
> dynamic database 'ipa' configuration failed: permission denied
>
> I don't believe anyone changed our authentication, and in fact the other
> two hosts don't have these issues. Where should I be looking first? This
> one is our primary CA, so I'd rather not lose it...
I'm not sure what you mean. Are you saying you can submit a request like
this on 2 of the 3 servers, or something else?
AFAIR bind-dyndb-ldap has its own keytab, /etc/named.keytab. I guess I'd
ensure that it is: readable, has matching kvno, can read/write the socket.
rob
> On Feb 26 2019, at 10:22 am, Bret Wortman via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> It /looks/ like we've done everything in your guide. I've sent the
> requestor the docs at
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> to see if that gets us any further in generating a CSR that works.
> On Feb 26 2019, at 10:18 am, Bret Wortman via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> failed to set perms (3140) on file
> (/var/run/ipa/ccaches/bretw(a)MY.NET)!, referrer:
> https:/zsipa3.my.net/ipa/ui/
> ipa: ERROR: non-public: TypeError: Incorrect Padding
> [traceback]
>
> I'll work through your how-to and see if that resolves anything
> for us.
>
> On Feb 25 2019, at 3:56 pm, Rob Crittenden <rcritten(a)redhat.com>
> wrote:
>
> Bret Wortman via FreeIPA-users wrote:
> We have some ESXi boxes that need CA-signed certs and we're trying to
> figure out how to properly construct a CSR so that our IPA CA will
> process it.
>
> I'm having them create the cert using these commands:
> # certutil -R -d $PATH_TO_DB -a -g 2048 -s "CN=${FQDN},O=MY.NET" -i ${SHORTHOSTNAME},${FQDN}
>
>
> I think you mean -8 and not -i right?
> and when I take the resulting file and try to sign it in the GUI, I
> get a 903 error. When I try from the command-line, I get prompted for
> the principal, which might be the problem since I'm not sure what it
> would be:
>
> # ipa cert-request my.csr
> Principal:
>
> Has anyone done this, or is it never going to work since the target
> system isn't actually an IPA client?
>
>
> A 903 is an internal error so there should be more info in
> /var/log/httpd/error_log.
>
> For this to work you need to:
> - pre-create the host in IPA
> - if you are going to use any service principal other than host/ then
>   pre-create the service as well
> - allow the IPA machine that you are requesting the cert on to manage
>   that service.
>
> This is also described in
> https://rcritten.wordpress.com/2018/11/26/how-do-i-get-a-certificate-for-...
> with some additional details.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
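Earlier in the thread Rob's first suggestion for the failing named was to verify that /etc/named.keytab is readable and that its kvno matches what the KDC has. The snippet below is an added example, not code from the thread or from FreeIPA, that performs the kvno half of that check by comparing the entries a keytab holds (as printed by MIT Kerberos' "klist -k") with the version the KDC currently issues (as printed by "kvno"). The principal name, hostnames and both command outputs are constructed for the example; only the output formats are real. Readability is the simpler half: the file must be owned and readable by the account named runs as, which is a plain "ls -l" check on the server.

```sh
# Added example (not from the thread): compare the key version numbers (kvno)
# in a service keytab with what the KDC currently has, the check Rob suggested
# for /etc/named.keytab. The principal, hostnames and command output below are
# constructed; the formats match 'klist -k' and 'kvno' from MIT Kerberos.
PRINC='DNS/ipa3.example.test@EXAMPLE.TEST'

# Constructed output of:  klist -k /etc/named.keytab
# A keytab usually carries the current key and a few older versions.
KLIST_CURRENT='Keytab name: FILE:/etc/named.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DNS/ipa3.example.test@EXAMPLE.TEST
   3 DNS/ipa3.example.test@EXAMPLE.TEST'

# Constructed output of:  kvno DNS/ipa3.example.test@EXAMPLE.TEST
# (run from a host that can reach the KDC; reports the version the KDC issues)
KVNO_MATCH='DNS/ipa3.example.test@EXAMPLE.TEST: kvno = 3'
KVNO_STALE='DNS/ipa3.example.test@EXAMPLE.TEST: kvno = 4'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL: print every kvno the keytab holds for
# that principal, one per line.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# kdc_kvno KVNO_OUTPUT: extract the version number from a 'kvno' line.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}

# check_keytab_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL: return 0 when the keytab
# contains the key version the KDC currently uses, 1 when it does not (the
# service can then no longer authenticate with that keytab).
check_keytab_kvno() {
    want=$(kdc_kvno "$2")
    if keytab_kvnos "$1" "$3" | grep -qx "$want"; then
        echo "OK: keytab has kvno $want for $3"
    else
        echo "MISMATCH: KDC is at kvno $want, keytab has: $(keytab_kvnos "$1" "$3" | tr '\n' ' ')"
        return 1
    fi
}

check_keytab_kvno "$KLIST_CURRENT" "$KVNO_MATCH" "$PRINC"
check_keytab_kvno "$KLIST_CURRENT" "$KVNO_STALE" "$PRINC" ||
    echo "Re-fetch the keytab (ipa-getkeytab) and make sure named can read it."
```

With the constructed data the first call passes (the keytab holds kvno 3) and the second reports a mismatch (the KDC has moved on to kvno 4, so the keytab is stale). A stale keytab is one of the few conditions that produces an "Invalid credentials" bind failure on a single replica while the others keep working, which is why it sits next to clock skew on the list of things to rule out first.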