Options for remote home directories
by Kevin Vasko
Trying to find the best option for me for better “shared” “/home” directories.
I ideally would like to give everyone a network-based /home directory so I could put quotas on the folders and people would quit filling up every server's /home directory.
We have two major use cases; the first isn't much of a problem, but combined with the second it makes a problem.
* We have servers that people log in to with their LDAP account and that are always connected to our NFS server.
* We also have laptops that users log in to with their LDAP account and connect to the network via VPN.
I realize I can force everyone's home directory to something like /nfshome/<user> in freeIPA, but the problem with this is that if they are remote on the laptop it causes all kinds of issues when they aren't on the VPN.
What are my options for handling this? Should I just put quotas on everyone on the servers, tell everyone to use /nfshome/<user>, and then leave the laptops alone?
1 year, 7 months
CentOS 7 ipa-client-install issues
by Mark Johanson
Hello,
Having an issue with our CentOS 7 boxes joining FreeIPA. When I run the ipa-client-install command it does its thing up to a point, at which point the server slows to a dead crawl:
Discovery was successful!
Client hostname: newclient.test.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: freeipa2.example.com
BaseDN: dc=example,dc=com
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2020-12-04 02:53:05
Valid Until: 2040-12-04 02:53:05
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://freeipa2.example.com/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://freeipa2.example.com/ipa/json'
trying https://freeipa2.example.com/ipa/session/json
[try 1]: Forwarding 'ping' to json server 'https://freeipa2.example.com/ipa/session/json'
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa2.example.com/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
[try 1]: Forwarding 'host_mod' to json server 'https://freeipa2.example.com/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
At this point we are now just hanging.
In trying to debug the issue, I start the client install, increase the debug level to 10 with sssctl, and when it reaches the point of hanging I find the following in the logs:
sssd_example.com.log:
(2022-10-19 10:18:37): [be[example.com]] [request_watch_destructor] (0x0400): Deleting request watch
(2022-10-19 10:18:37): [be[example.com]] [set_server_common_status] (0x0100): Marking server 'freeipa1.example.com' as 'name resolved'
(2022-10-19 10:18:37): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa1.example.com: [192.168.1.1] TTL 193
(2022-10-19 10:18:37): [be[example.com]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://freeipa1.example.com'
(2022-10-19 10:18:37): [be[example.com]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA].
(2022-10-19 10:18:37): [be[example.com]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_70orma]
(2022-10-19 10:18:37): [be[example.com]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_70orma]
(2022-10-19 10:18:37): [be[example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(2022-10-19 10:18:37): [be[example.com]] [create_tgt_req_send_buffer] (0x0400): buffer size: 60
(2022-10-19 10:18:37): [be[example.com]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [16003]
(2022-10-19 10:18:37): [be[example.com]] [child_handler_setup] (0x2000): Signal handler set up for pid [16003]
(2022-10-19 10:18:37): [be[example.com]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
(2022-10-19 10:18:37): [be[example.com]] [write_pipe_handler] (0x0400): All data has been sent!
(2022-10-19 10:18:43): [be[example.com]] [get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to TGT child [16003] reached.
(2022-10-19 10:18:43): [be[example.com]] [get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending SIGKILL to TGT child
(2022-10-19 10:18:43): [be[example.com]] [read_pipe_handler] (0x0400): EOF received, client finished
(2022-10-19 10:18:43): [be[example.com]] [child_sig_handler] (0x1000): Waiting for child [16003].
(2022-10-19 10:18:43): [be[example.com]] [child_sig_handler] (0x0020): child [16003] failed with status [7].
(2022-10-19 10:18:43): [be[example.com]] [child_callback] (0x0020): LDAP child was terminated due to timeout
(2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
(2022-10-19 10:18:43): [be[example.com]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1242
(2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa1.example.com' as 'not working'
(2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'freeipa1.example.com' as 'not working'
(2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
(2022-10-19 10:18:43): [be[example.com]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(2022-10-19 10:18:43): [be[example.com]] [get_server_status] (0x1000): Status of server 'freeipa2.example.com' is 'name not resolved'
(2022-10-19 10:18:43): [be[example.com]] [get_port_status] (0x1000): Port status of port 389 for server 'freeipa2.example.com' is 'neutral'
(2022-10-19 10:18:43): [be[example.com]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(2022-10-19 10:18:43): [be[example.com]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(2022-10-19 10:18:43): [be[example.com]] [get_server_status] (0x1000): Status of server 'freeipa2.example.com' is 'name not resolved'
(2022-10-19 10:18:43): [be[example.com]] [resolv_is_address] (0x4000): [freeipa2.example.com] does not look like an IP address
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_step] (0x2000): Querying files
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'freeipa2.example.com' in files
(2022-10-19 10:18:43): [be[example.com]] [set_server_common_status] (0x0100): Marking server 'freeipa2.example.com' as 'resolving name'
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_step] (0x2000): Querying files
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'freeipa2.example.com' in files
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'freeipa2.example.com' in DNS
(2022-10-19 10:18:43): [be[example.com]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(2022-10-19 10:18:43): [be[example.com]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2022-10-19 10:18:43): [be[example.com]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2022-10-19 10:18:43): [be[example.com]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(2022-10-19 10:18:43): [be[example.com]] [request_watch_destructor] (0x0400): Deleting request watch
(2022-10-19 10:18:43): [be[example.com]] [set_server_common_status] (0x0100): Marking server 'freeipa2.example.com' as 'name resolved'
(2022-10-19 10:18:43): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa2.example.com: [192.168.1.2] TTL 266
(2022-10-19 10:18:43): [be[example.com]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://freeipa2.example.com'
(2022-10-19 10:18:43): [be[example.com]] [krb5_add_krb5info_offline_callback] (0x4000): Removal callback already available for service [IPA].
(2022-10-19 10:18:43): [be[example.com]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_B0Adsl]
(2022-10-19 10:18:43): [be[example.com]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_B0Adsl]
(2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(2022-10-19 10:18:43): [be[example.com]] [create_tgt_req_send_buffer] (0x0400): buffer size: 60
(2022-10-19 10:18:43): [be[example.com]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [16020]
(2022-10-19 10:18:43): [be[example.com]] [child_handler_setup] (0x2000): Signal handler set up for pid [16020]
(2022-10-19 10:18:43): [be[example.com]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for TGT child
(2022-10-19 10:18:43): [be[example.com]] [write_pipe_handler] (0x0400): All data has been sent!
(2022-10-19 10:18:49): [be[example.com]] [get_tgt_timeout_handler] (0x4000): timeout for sending SIGTERM to TGT child [16020] reached.
(2022-10-19 10:18:49): [be[example.com]] [get_tgt_timeout_handler] (0x0400): Setting 2 seconds timeout for sending SIGKILL to TGT child
(2022-10-19 10:18:49): [be[example.com]] [read_pipe_handler] (0x0400): EOF received, client finished
(2022-10-19 10:18:49): [be[example.com]] [child_sig_handler] (0x1000): Waiting for child [16020].
(2022-10-19 10:18:49): [be[example.com]] [child_sig_handler] (0x0020): child [16020] failed with status [7].
(2022-10-19 10:18:49): [be[example.com]] [child_callback] (0x0020): LDAP child was terminated due to timeout
(2022-10-19 10:18:49): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one
(2022-10-19 10:18:49): [be[example.com]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_kinit_done: 1242
(2022-10-19 10:18:49): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa2.example.com' as 'not working'
(2022-10-19 10:18:49): [be[example.com]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'freeipa2.example.com' as 'not working'
(2022-10-19 10:18:49): [be[example.com]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service IPA
At which point this just scrolls over and over as it works through all of the IPA servers and then starts all over again.
I thought it might be a firewall on either the client box or the IPA nodes, but I don't get the general error about needing ports open from ipa-client-install, and from the client I can telnet to all the ports:
root@newclient [0.04 ] ~ #telnet freeipa1.example.com 389
Trying 192.168.1.1...
Connected to freeipa1.example.com.
Escape character is '^]'.
The odd thing is our AlmaLinux 8 boxes do not have this issue with the exact same firewall setup as the CentOS 7 boxes.
I've been trying to figure this out for a few days now and could use some assistance if someone might be able to point me in the right direction.
Thanks,
1 year, 7 months
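The debug log above shows the TGT child timing out against each KDC in turn, while the telnet check in the post exercised LDAP port 389. As an added example, not from the original post or from sssd, this Python parses sssd backend log lines in that format and summarises per server which step failed; the sample lines are constructed from the quoted log, and the final one is made up to stand in for the wrap-around the post describes.

```python
import re
from collections import Counter, defaultdict

# sssd backend log line: (timestamp): [be[domain]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
RESOLVED_RE = re.compile(r"Found address for server (?P<server>\S+): \[(?P<ip>[^\]]+)\]")
PORT_RE = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")
CHILD_RE = re.compile(r"child \[(?P<pid>\d+)\] failed with status \[(?P<status>\d+)\]")

# Constructed sample, modelled on the debug-level-10 log quoted in the post above;
# the final line is made up to stand in for sssd wrapping back to the first server.
SAMPLE_LOG = [
    "(2022-10-19 10:18:37): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa1.example.com: [192.168.1.1] TTL 193",
    "(2022-10-19 10:18:37): [be[example.com]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...",
    "(2022-10-19 10:18:43): [be[example.com]] [child_sig_handler] (0x0020): child [16003] failed with status [7].",
    "(2022-10-19 10:18:43): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one",
    "(2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa1.example.com' as 'not working'",
    "(2022-10-19 10:18:43): [be[example.com]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'freeipa1.example.com' as 'not working'",
    "(2022-10-19 10:18:43): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa2.example.com: [192.168.1.2] TTL 266",
    "(2022-10-19 10:18:49): [be[example.com]] [child_sig_handler] (0x0020): child [16020] failed with status [7].",
    "(2022-10-19 10:18:49): [be[example.com]] [sdap_kinit_done] (0x0080): Communication with KDC timed out, trying the next one",
    "(2022-10-19 10:18:49): [be[example.com]] [fo_set_port_status] (0x0100): Marking port 389 of server 'freeipa2.example.com' as 'not working'",
    "(2022-10-19 10:18:55): [be[example.com]] [be_resolve_server_process] (0x0200): Found address for server freeipa1.example.com: [192.168.1.1] TTL 187",
]


def parse_line(line):
    """Split one sssd log line into its fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)   # debug level bitmask, e.g. 0x0080 -> 128
    return rec


def summarize(lines):
    """Walk the log in order and collect, per server, KDC timeouts and ports marked down."""
    report = {
        "kdc_timeouts": Counter(),              # server -> 'Communication with KDC timed out' count
        "ports_not_working": defaultdict(set),  # server -> {port}
        "failed_children": [],                  # (pid, exit status) of TGT children that died
        "addresses": {},                        # server -> IP it resolved to
        "loop_detected": False,                 # a server already marked down was tried again
    }
    current = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := RESOLVED_RE.search(msg):
            current = m.group("server")
            report["addresses"][current] = m.group("ip")
            if current in report["ports_not_working"]:
                report["loop_detected"] = True
        elif "Communication with KDC timed out" in msg and current:
            report["kdc_timeouts"][current] += 1
        elif m := PORT_RE.search(msg):
            report["ports_not_working"][m.group("server")].add(int(m.group("port")))
        elif m := CHILD_RE.search(msg):
            report["failed_children"].append((int(m.group("pid")), int(m.group("status"))))
    return report


def diagnose(report):
    """Heuristic reading of the summary (my own rule of thumb, not an sssd API)."""
    if report["kdc_timeouts"] and report["loop_detected"]:
        return ("every KDC timed out at the TGT step and sssd cycled back to the first server: "
                "verify Kerberos (port 88, TCP and UDP) to the KDCs, not only LDAP port 389")
    if report["kdc_timeouts"]:
        return "some KDCs timed out at the TGT step: check port 88 to those servers"
    return "no KDC timeouts found"


if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE_LOG)))
```

The port marked 'not working' is 389 only because sssd's LDAP child obtains a TGT before it binds, so a failed kinit is reported against the LDAP server entry even though the timed-out traffic was Kerberos.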
What privilege does a samba admin user need for ldapsam
by Kees Bakker
Hello,
Since I have trouble with ipasam I am now trying to get ldapsam working.
I have an IPA user for the bind in smb.conf.
The problem is that smb and winbind won't start because they want to create the domain info. This user has no privilege for that. My question is: what privilege does such a user need in IPA?
Or, is it perhaps possible to run ipa-adtrust-install --add-sids on this Samba server (which is not an IPA master)?
Part of my smb.conf:
###################################################
# Global parameters
[global]
create krb5 conf = No
dedicated keytab file = /etc/samba/samba.keytab
disable spoolss = Yes
domain logons = Yes
domain master = Yes
kerberos method = dedicated keytab
ldap debug level = 99
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = no
ldap suffix = dc=example,dc=com
ldap user suffix = cn=users,cn=accounts
ldap admin dn = uid=samba_admin,cn=users,cn=accounts,dc=example,dc=com
#log level = 99
log level = 1
log file = /var/log/samba/log.%m
max log size = 100000
# passdb backend = ipasam:ldaps://rotte.example.com
passdb backend = ldapsam:ldap://rotte.example.com
realm = EXAMPLE.COM
registry shares = Yes
security = USER
workgroup = EXAMPLE
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
#rpc_server:epmapper = external
ldapsam:trusted = yes
idmap config * : backend = tdb
###################################################
The error I'm getting is:
###################################################
[2022/10/17 10:28:05.097093, 0] ../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for EXAMPLE failed with NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:28:05.097202, 0] ../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/10/17 10:28:05.097307, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:28:05.097524, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the 'passdb backend' variable in your smb.conf file., error code 22
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /etc/openldap/ldap.conf
ldap_init: using /etc/openldap/ldap.conf
ldap_url_parse_ext(ldaps://rotte.example.com)
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
[2022/10/17 10:41:56.487397, 0] ../../source3/winbindd/winbindd.c:1723(main)
winbindd version 4.16.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
[2022/10/17 10:41:56.487826, 1] ../../lib/param/loadparm.c:1766(lpcfg_do_global_parameter)
lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
[2022/10/17 10:41:56.509672, 1] ../../source3/passdb/pdb_ldap_util.c:235(add_new_domain_info)
add_new_domain_info: failed to add domain dn= sambaDomainName=EXAMPLE,dc=example,dc=com with: Insufficient access
Insufficient 'add' privilege to add the entry 'sambaDomainName=EXAMPLE,dc=example,dc=com'.
[2022/10/17 10:41:56.509704, 0] ../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
smbldap_search_domain_info: Adding domain info for EXAMPLE failed with NT_STATUS_UNSUCCESSFUL
[2022/10/17 10:41:56.509731, 0] ../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2022/10/17 10:41:56.509748, 0] ../../source3/passdb/pdb_interface.c:181(make_pdb_method_name)
pdb backend ldapsam:ldap://rotte.example.com did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
[2022/10/17 10:41:56.509791, 0] ../../lib/util/become_daemon.c:119(exit_daemon)
exit_daemon: daemon failed to start: Failed to initialize passdb backend! Check the 'passdb backend' variable in your smb.conf file., error code 22
###################################################
--
Kees
1 year, 7 months
LDAP search result: 'Size limit exceeded'.
by Kamil Sakhabutdinov
Hi, everybody.
I'm using FreeIPA, version: 4.6.8.
I get an error 'Size limit exceeded' when I query elements in the accounts catalog using ldapsearch or some other LDAP client, and it shows a maximum of 2000 records.
The ipaSearchRecordsLimit in etc\ipaconfig is set to -1.
There is now an nsslapd-sizelimit attribute in the schema.
The attributes nsSizeLimit, nsLookThroughLimit, nsPagedLookThroughLimit and nsPagedSizeLimit don't have a value for any user in cn=users,cn=accounts,$BASEDN.
Can you please help me find where else these attributes could be set, or any other reason that can cause this limit?
1 year, 7 months
Freeipa client and kerberos access to AD
by iulian roman
Hello everybody,
I have a FreeIPA setup with AD trust which works properly. I recently noticed that authentication does not work on some FreeIPA clients which are in a firewalled network. All ports to the FreeIPA servers were allowed in the firewall. Checking the logs, I observed that the Kerberos client on the FreeIPA clients tries to connect directly to the Active Directory Domain Controllers, not only to the KDC on the FreeIPA server.
Can anyone please explain, or point to the documentation where it is mentioned, exactly why we still need direct connectivity to AD on port 88 for FreeIPA clients?
Regards,
iulian
1 year, 7 months
Odd replication method
by Jim Kinney
I have a multi-site production setup with a total of 8 ipa servers and a second, very tiny test setup run by a single ipa server.
When designed, the plan was that the test and prod systems were totally separate, no sync, users can have different passwords on both systems. Of course it's now a requirement that user data - name, id, group memberships, etc. as well as POSIX groups be in sync for security reasons. Out of 500+ production users, only about 60 are allowed access to the test system.
The parts of ipa not in use that dictate totally separate systems are HBAC and RBAC. The test system was supposed to be where rules were tested before being deployed across production clusters. We need to move away from pushing static access.conf files for every change.
So setting up the test ipa server as part of the production ipa environment is not an option. Additional user training on creating users twice, as well as all changes, is a non-starter.
So now I'm down to either a hideous, custom sync process that will not do passwords (really bad idea) or setting up a 389ds one-way sync from the production backup ipa node to the test node. The single most important aspect is that when a user gets locked out on production it also happens on the test system.
Is this one-way sync a feasible method to chase? I'll have to build a test setup and validate "no production side harm" before I can implement anything.
Probably need to dig through the fractional replication to only push over user and group data.
1 year, 7 months
A huge Thank you
by Brodie, Kent
Messages like this do not get sent nearly enough.
Last week I was faced with the task of rebuilding my two freeipa servers --- they needed a major OS upgrade, as they were still running on CentOS 7, which is end of life.
I was honestly terrified at the prospect, worried that SOMETHING in the process would go horribly wrong and I would end up with ldap broken.
I am thrilled to report that it all went absolutely flawlessly.
Deleted one of my two master replicas.
Wiped server, reinstalled fresh with Rocky 8.
Installed freeipa components, installed into the existing list of hosts.
Set new node as an "ipaserver".
Did an ipa-replica-install, joined new node back into the cluster as master-master setup.
Tweaked first-master-CA setting to point to the new node.
Passed ipa-healthcheck
Lather, rinse, repeat with the second CentOS 7 master node.
Done.
Freeipa, under the hood, is an extremely complex animal. But it also... just WORKS.
SO... just a huge thank you to ALL of the developers, the superusers who support the community, list admins, all of you.
The work is really appreciated.
-kcb
1 year, 7 months
Not use OTP for certain services
by Salva salva
Hi,
So we are using freeIPA and it works really well.
We are now in the situation where we would like to use Password+OTP for some stuff but not for others.
For example, it's totally fine to use password+OTP when doing sudo, but when using Nexus authentication against LDAP we would like to not use OTP.
Is this possible?
Many thanks!
Best,
Salva
1 year, 7 months
Re: ipa-healthcheck: IPACertDNSSAN error
by Rob Crittenden
Brodie, Kent wrote:
>> So did I give you the wrong host to add or was the wrong host reported in the
>> healthcheck output?
>
> Not sure--- this again is the error: I saw it and thought, "why not try the HOSTNAME reported and not the SAN name " ?
>
> (misleading: the actual name of the server/host is indeed voq.rgd.mcw.edu). ipa-ca is an alias required by IPA somewhere)
I got it. It lists the SAN that are already in the cert, not what is
missing.
rob
>
>
>
> [
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertDNSSAN",
>     "result": "ERROR",
>     "uuid": "5576f96d-cee4-475e-b5ee-0466fe6bfa58",
>     "when": "20221007165940Z",
>     "duration": "0.422118",
>     "kw": {
>       "key": "20221006190547",
>       "hostname": "ipa-ca.rgd.mcw.edu",
>       "san": [
>         "voq.rgd.mcw.edu"
>       ],
>       "ca": "IPA",
>       "profile": "caIPAserviceCert",
>       "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
>     }
>   }
> ]
>
1 year, 7 months
Re: ipa-healthcheck: IPACertDNSSAN error
by Rob Crittenden
Brodie, Kent via FreeIPA-users wrote:
>>> A redhat access article claims this can be fixed by adding entries for
>>> the host in the local hosts file (no go, no difference).
>>
>> Do you have a pointer to that article?
>
> https://access.redhat.com/solutions/6262721
I'll see about getting this corrected.
>
>
>>> Can anyone explain the seriousness of the following error, and perhaps
>>> also give me an idea what might fix it?
>>
>> It's really only important if you use the ACME service.
>
> OK, understood--- (but it's still bugging me...)
>
>
>> You can fix this with: getcert resubmit -i 20221006190547 -D voq.rgd.mcw.edu
>
> The command completed successfully, but made no difference. Healthcheck still shows the error.
>
> BUT: wait, I thought about the error and this answer. Re-executed the command with ipa-ca.rgd.mcw.edu instead of voq.rgd.mcw.edu and the healthcheck passes now.
So did I give you the wrong host to add or was the wrong host reported
in the healthcheck output?
thanks
rob
>
> Thank you (!).
>
> -Kent
>
> PS: apologies for the double-post earlier; when I first submitted the question I sent it via my personal email, not a list member. Re-submitted from the proper account. But then the admin released my original post anyway. Whoops.
1 year, 7 months
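The two ipa-healthcheck replies above establish how to read an IPACertDNSSAN entry: the "san" list holds the names already in the certificate and "hostname" is the name that is missing. As an added example, not from the thread or from ipa-healthcheck, this Python reads the tool's JSON output and turns each such error into a getcert resubmit command that adds the missing name while re-listing the existing ones; the sample output is constructed from the quoted entry (uuid and the passing second entry are placeholders), and it is an assumption that certmonger replaces the requested DNS SAN list with whatever -D values are given.

```python
import json

# Constructed sample, modelled on the ipa-healthcheck JSON quoted in the thread above
# (uuid values and the second, passing entry are placeholders, not real output).
SAMPLE_OUTPUT = json.dumps([
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "ERROR",
        "uuid": "00000000-0000-0000-0000-000000000000",
        "when": "20221007165940Z",
        "duration": "0.422118",
        "kw": {
            "key": "20221006190547",
            "hostname": "ipa-ca.rgd.mcw.edu",
            "san": ["voq.rgd.mcw.edu"],
            "ca": "IPA",
            "profile": "caIPAserviceCert",
            "msg": "Certificate request id {key} with profile {profile} for CA {ca} "
                   "does not have a DNS SAN {san} matching name {hostname}",
        },
    },
    {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPACertDNSSAN",
        "result": "SUCCESS",
        "uuid": "00000000-0000-0000-0000-000000000001",
        "when": "20221007165941Z",
        "duration": "0.1",
        "kw": {"key": "20221006190548"},
    },
])


def render_message(entry):
    """Expand the {placeholders} in kw['msg'] with the other kw values."""
    kw = entry["kw"]
    return kw["msg"].format(**kw)


def missing_san_findings(output):
    """Return (request_id, missing_name, names_already_present) for each IPACertDNSSAN ERROR.

    Field meanings as established in the thread: 'san' lists the DNS names the
    certificate already has, 'hostname' is the name that is missing.
    """
    findings = []
    for entry in json.loads(output):
        if entry.get("check") != "IPACertDNSSAN" or entry.get("result") != "ERROR":
            continue
        kw = entry["kw"]
        findings.append((kw["key"], kw["hostname"], tuple(kw.get("san", []))))
    return findings


def resubmit_commands(output):
    """One getcert resubmit per finding: -D for the missing name plus every existing SAN.

    Re-listing the existing names assumes certmonger replaces the request's DNS SAN
    list with the -D values given, so passing only the new name could drop the old ones.
    """
    cmds = []
    for key, missing, present in missing_san_findings(output):
        names = [missing] + [n for n in present if n != missing]
        cmds.append(f"getcert resubmit -i {key}" + "".join(f" -D {n}" for n in names))
    return cmds


if __name__ == "__main__":
    for entry in json.loads(SAMPLE_OUTPUT):
        if entry["result"] == "ERROR":
            print(render_message(entry))
    for cmd in resubmit_commands(SAMPLE_OUTPUT):
        print(cmd)
```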