Yeah, adding the KDC cert didn't help. At this point managers are down the throat on getting it going whatever. Is there a way to migrate from using the external CA for everything except HTTP to setting it up as an IPA CA? Or I gotta rebuild the IPA stuff from scratch?
------------------------------
Thank you for your time,
Boyd H. Ako
boyd.hanalei.ako@gmail.com
https://www.boydhanaleiako.me
PGP/GPG Public Key: https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
------------------------------
On Thu, Jun 27, 2019 at 10:57 PM Sumit Bose sbose@redhat.com wrote:
On Wed, Jun 26, 2019 at 04:14:27PM -1000, Boyd Ako wrote:
Thanks for all the help!
But, still nothing after uncommenting the pki anchors line. I added the same tar ball with the configs and logs. Also threw in a tail snippet I had running when trying to login.
Hi,
it looks like PKINIT is currently not configured completely on the IPA server. I added a couple of options how to move forward to the case.
bye, Sumit
Thank you for your time,
Boyd H. Ako
boyd.hanalei.ako@gmail.com https://www.boydhanaleiako.me
PGP/GPG Public Key: https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
On Tue, Jun 25, 2019 at 11:45 PM Sumit Bose sbose@redhat.com wrote:
On Tue, Jun 25, 2019 at 04:33:10PM -1000, Boyd Ako wrote:
I did the kerberos cert change as stated and it's still the same.
Hi,
I added a new comment to the case, I think we are near a solution.
bye, Sumit
Thank you for your time,
Boyd H. Ako
boyd.hanalei.ako@gmail.com https://www.boydhanaleiako.me
PGP/GPG Public Key: https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134
On Mon, Jun 24, 2019 at 10:06 PM Sumit Bose sbose@redhat.com wrote:
On Fri, Jun 21, 2019 at 01:04:32PM +0200, Sumit Bose wrote:
On Thu, Jun 20, 2019 at 11:28:54PM -1000, Boyd Ako wrote:
> CASE 02390764
Hi,
I have added a comment to the case to keep support in the loop as well. Please let's continue in the case.
Hi,
sorry for the delay but I didn't have a chance to check the logs yesterday. I added a new comment to the case.
bye, Sumit
bye, Sumit
> On Jun 20, 2019, at 22:30, Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >
> > On Fri, Jun 21, 2019 at 01:14:33AM -0000, Boyd Ako via FreeIPA-users wrote:
> >> So, I created a Red Hat ticket to assist and the support is pretty non-productive.
> >>
> >> I have a RHEL 7 "Workstation" setup as an IPA client that most of the time works. However, there are occasions when the screen locks out due to inactivity that I can't log back in. Most of the time it occurs when I use smartcard x.509 to login; but it also occasionally happens I use password to login initially. It's not very consistent on the failures. The only way to login AFTER that is to annoyingly reboot or console in as root and start a kerberos session.
> >>
> >> The IPA server is using an external CA. On the client, the CA certs on the smartcard are in /etc/pki/nssdb. The chain is Root CA -> ID Intermediate CA -> x.509 cert on token. All the CA's are external. The token cert did validate when using the Root CA and ID CA certs tacked together for the CAfile in `openssl verify`. I added the following to the sssd.conf:
> >>
> >> ===============================
> >> [domain/mydomain.com]
> >> debug_level = 8
> >> account_cache_expiration = 5
> >> entry_cache_timeout = 28800
> >>
> >> [pam]
> >> debug_level = 8
> >> offline_credentials_expiration = 5
> >> ===============================
> >
> > Hi,
> >
> > did you add logs with debug_level=8 to the case you have mentioned? If
> > yes, please let me know the case number so that I can have a look. If
> > not, please send the logs. If you prefer to not share them on this list
> > feel free to send them to me directly.
> >
> > bye,
> > Sumit
> >
> >>
> >> "pam_cert_auth = True" is in the PAM sect. I did run the script from the `ipa-advise` client-smart_card_script.
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Domo,
> Boyd H. Ako
>
> boyd.hanalei.ako@gmail.com
> (424) 244-9653
> https://www.boydhanaleiako.me
>
> “Coming together is a beginning. Keeping together is progress. Working together is success.” -Henry Ford
>
> PGP/GPG Public Key: https://sks-keyservers.net/pks/lookup?op=get&search=0xC58073B21618F134