[Freeipa-users] Broken dirsrv and SSL certificate in CA-less install of FreeIPA 4.4 on CentOS 7.3
Martin Basti
mbasti at redhat.com
Wed Jan 4 12:59:04 UTC 2017
On 30.12.2016 11:54, Martin Basti wrote:
>
> Hello,
>
> The first half of the first issue is this bug:
> https://fedorahosted.org/freeipa/ticket/6226
>
> You have to enable SSL on the server manually after installation.
>
>
> The second half of the first issue shouldn't be related to the ticket
> above, but I don't know more details; I'll leave this for the IPA CA gurus.
>
>
> The second issue is unrelated to certificates, I believe that
> something in dirsrv causes this unusual behavior. I saw this before
> with other users.
>
> * both "no such entry" for the HTTP principal and for the topology plugin
> are the same issue
>
> * all users have this issue with CA-less installation, but it is not always
> reproducible; I'm not sure if there can be a step in the CA-less install
> that can cause this
>
> * entries are in the database (were added previously by the installer) but
> during installation the search failed with no such entry; ldapsearch
> after installation works
>
> * in the access log SRCH is before the ADD operation, but this is against the
> steps in the installer: the entry is added first, and the installer even failed
> hard, so there is no way to add it after the failure caused by the not
> found error.
>
> [29/Dec/2016:10:33:02.775715491 +0000] conn=16 op=1 SRCH base="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk" scope=0 filter="(objectClass=*)" attrs=ALL
> [29/Dec/2016:10:33:02.775892719 +0000] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
> This caused installation failure (IMO - there is no more SRCH operation for HTTP principal in log) ^^^^^^
> ......
> [29/Dec/2016:10:33:05.487917960 +0000] conn=17 op=10 ADD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
> [29/Dec/2016:10:33:05.492213776 +0000] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0 csn=5864e653000000040000
> [29/Dec/2016:10:33:05.492372184 +0000] conn=17 op=11 MOD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
> [29/Dec/2016:10:33:05.494649080 +0000] conn=17 op=11 RESULT err=0 tag=103 nentries=0 etime=0 csn=5864e653000100040000
> [29/Dec/2016:10:33:05.494816357 +0000] conn=17 op=12 MOD dn="krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk"
> These were added after failure ??? ^^^^^
>
> I need a DS guru assistance to resolve this :)
> Martin^2
A ticket for this issue has been opened:
https://fedorahosted.org/freeipa/ticket/6575

Martin^2
> On 29.12.2016 19:13, Peter Pakos wrote:
>> Access log: https://files.pakos.uk/access.txt
>> Error log: https://files.pakos.uk/ipareplica-install.log.txt
>> I hope it helps.
>> On 29 December 2016 at 12:52, Peter Pakos <peter at pakos.uk> wrote:
>>
>> Hi guys,
>> I'm facing yet another problem with CA-less install of FreeIPA
>> replica and 3rd party SSL certificate.
>> A few days ago I deployed a new CA-less server (ipa02) by running
>> the following command:
>>
>> ipa-server-install \
>>   -r PAKOS.UK \
>>   -n pakos.uk \
>>   -p 'password' \
>>   -a 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA \
>>   --idstart=1000
>>
>> This server appears to be working OK.
>> Then yesterday I deployed a client (ipa01):
>>
>> ipa-client-install \
>>   -p admin \
>>   -w 'password' \
>>   --mkhomedir
>>
>> Next, I promoted it to IPA server:
>>
>> ipa-replica-install \
>>   -w 'password' \
>>   --mkhomedir \
>>   --setup-dns \
>>   --no-forwarders \
>>   --no-dnssec-validation \
>>   --dirsrv-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --dirsrv-pin='' \
>>   --dirsrv-cert-name=AlphaWildcardIPA \
>>   --http-cert-file=/root/ssl/star.pakos.uk.pfx \
>>   --http-pin='' \
>>   --http-cert-name=AlphaWildcardIPA
>>
>> After it finished, I've noticed that dirsrv wasn't running on
>> port 636 on ipa01.
>> Further investigation revealed that the SSL wildcard certificate
>> (AlphaWildcardIPA) wasn't installed in dirsrv DB and CA
>> certificates were named oddly (CA 1 and CA 2):
>>
>> [root@ipa01 ~]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname                             Trust Attributes
>>                                                  SSL,S/MIME,JAR/XPI
>>
>> AlphaWildcardIPA                                 u,u,u
>> CA 1                                             ,,
>> CA 2                                             C,,
>> [root@ipa01 ~]# certutil -L -d /etc/dirsrv/slapd-PAKOS-UK/
>>
>> Certificate Nickname                             Trust Attributes
>>                                                  SSL,S/MIME,JAR/XPI
>>
>> GlobalSign Root CA - GlobalSign nv-sa            ,,
>> AlphaSSL CA - SHA256 - G2 - GlobalSign nv-sa     C,,
>>
>> This is what I found in the error log:
>>
>> [29/Dec/2016:01:43:58.852745536 +0000] 389-Directory/1.3.5.10 B2016.341.2222 starting up
>> [29/Dec/2016:01:43:58.867642515 +0000] default_mr_indexer_create: warning - plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
>> [29/Dec/2016:01:43:58.889866051 +0000] schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
>> [29/Dec/2016:01:43:58.905267535 +0000] NSACLPlugin - The ACL target cn=groups,cn=compat,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.907051833 +0000] NSACLPlugin - The ACL target cn=computers,cn=compat,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.908396407 +0000] NSACLPlugin - The ACL target cn=ng,cn=compat,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.909758735 +0000] NSACLPlugin - The ACL target ou=sudoers,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.911133739 +0000] NSACLPlugin - The ACL target cn=users,cn=compat,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.912416230 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.913644794 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.914901802 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.916158004 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.917409810 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.918636743 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.919904210 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.921175543 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.922417264 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.923818252 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.925218237 +0000] NSACLPlugin - The ACL target cn=vaults,cn=kra,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.928474915 +0000] NSACLPlugin - The ACL target cn=ad,cn=etc,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.943158867 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:58.944679679 +0000] NSACLPlugin - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pakos,dc=uk does not exist
>> [29/Dec/2016:01:43:59.060335708 +0000] NSACLPlugin - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
>> [29/Dec/2016:01:43:59.066618653 +0000] Skipping CoS Definition cn=Password Policy,cn=accounts,dc=pakos,dc=uk--no CoS Templates found, which should be added before the CoS Definition.
>> [29/Dec/2016:01:43:59.100168779 +0000] schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
>> [29/Dec/2016:01:43:59.108366423 +0000] slapd started. Listening on All Interfaces port 389 for LDAP requests
>> [29/Dec/2016:01:43:59.109788596 +0000] Listening on /var/run/slapd-PAKOS-UK.socket for LDAPI requests
>> [29/Dec/2016:01:44:04.117095313 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=pakos,dc=uk
>> [29/Dec/2016:01:44:04.142962437 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=pakos,dc=uk
>> [29/Dec/2016:01:44:04.164958006 +0000] schema-compat-plugin - Finished plugin initialization.
>> [29/Dec/2016:01:44:20.113621699 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: server configuration missing
>> [29/Dec/2016:01:44:20.115517170 +0000] ipa-topology-plugin - ipa_topo_util_get_replica_conf: cannot create replica
>>
>> At this point I trashed ipa01 and tried to re-deploy it again
>> using the same commands. The install failed with the following
>> error message:
>>
>> Done configuring directory server (dirsrv).
>> Configuring ipa-custodia
>>   [1/4]: Generating ipa-custodia config file
>>   [2/4]: Generating ipa-custodia keys
>>   [3/4]: starting ipa-custodia
>>   [4/4]: configuring ipa-custodia to start on boot
>> Done configuring ipa-custodia.
>> Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
>>   [1/4]: configuring KDC
>>   [2/4]: adding the password extension to the directory
>>   [3/4]: starting the KDC
>>   [4/4]: configuring KDC to start on boot
>> Done configuring Kerberos KDC (krb5kdc).
>> Configuring kadmin
>>   [1/2]: starting kadmin
>>   [2/2]: configuring kadmin to start on boot
>> Done configuring kadmin.
>> Configuring ipa_memcached
>>   [1/2]: starting ipa_memcached
>>   [2/2]: configuring ipa_memcached to start on boot
>> Done configuring ipa_memcached.
>> Configuring the web interface (httpd). Estimated time: 1 minute
>>   [1/19]: setting mod_nss port to 443
>>   [2/19]: setting mod_nss cipher suite
>>   [3/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
>>   [4/19]: setting mod_nss password file
>>   [5/19]: enabling mod_nss renegotiate
>>   [6/19]: adding URL rewriting rules
>>   [7/19]: configuring httpd
>>   [8/19]: setting up httpd keytab
>>   [9/19]: setting up ssl
>>   [error] NotFound: no such entry
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR no such entry
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>
>> Here's the full install log:
>> https://files.pakos.uk/ipareplica-install.log.txt
>> I've raised this problem on #freeipa channel (many thanks to
>> mbasti and ab for their help in investigating this issue with me)
>> however we didn't get too far and some further input from dirsrv
>> gurus is required here.
>>
>> [root@ipa01 ipa]# echo $SERVICE
>> HTTP/ipa01.pakos.uk@PAKOS.UK
>> [root@ipa01 ipa]# echo $DN
>> krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk
>> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # HTTP/ipa01.pakos.uk@PAKOS.UK, services, accounts, pakos.uk
>> dn: krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=p
>>  akos,dc=uk
>> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
>> krbLastPwdChange: 20161229103250Z
>> krbPrincipalKey::
>> MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>> NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>> a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>> pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>> LwmAX3lYm
>> objectClass: ipaobject
>> objectClass: ipaservice
>> objectClass: krbticketpolicyaux
>> objectClass: ipakrbprincipal
>> objectClass: krbprincipal
>> objectClass: krbprincipalaux
>> objectClass: pkiuser
>> objectClass: top
>> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk@PAKOS.UK
>> krbCanonicalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
>> krbPrincipalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "krbprincipalname=*"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
>> # filter: krbprincipalname=*
>> # requesting: ALL
>> #
>>
>> # HTTP/ipa01.pakos.uk@PAKOS.UK, services, accounts, pakos.uk
>> dn: krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=p
>>  akos,dc=uk
>> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
>> krbLastPwdChange: 20161229103250Z
>> krbPrincipalKey::
>> MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>> NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>> a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>> pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>> LwmAX3lYm
>> objectClass: ipaobject
>> objectClass: ipaservice
>> objectClass: krbticketpolicyaux
>> objectClass: ipakrbprincipal
>> objectClass: krbprincipal
>> objectClass: krbprincipalaux
>> objectClass: pkiuser
>> objectClass: top
>> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk@PAKOS.UK
>> krbCanonicalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
>> krbPrincipalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s sub "(objectclass=*)"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # HTTP/ipa01.pakos.uk@PAKOS.UK, services, accounts, pakos.uk
>> dn: krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=p
>>  akos,dc=uk
>> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
>> krbLastPwdChange: 20161229103250Z
>> krbPrincipalKey::
>> MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>> NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>> a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>> pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>> LwmAX3lYm
>> objectClass: ipaobject
>> objectClass: ipaservice
>> objectClass: krbticketpolicyaux
>> objectClass: ipakrbprincipal
>> objectClass: krbprincipal
>> objectClass: krbprincipalaux
>> objectClass: pkiuser
>> objectClass: top
>> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk@PAKOS.UK
>> krbCanonicalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
>> krbPrincipalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> [root@ipa01 ipa]# ldapsearch -D "cn=Directory Manager" -W -b $DN -s base
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=pakos,dc=uk> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # HTTP/ipa01.pakos.uk@PAKOS.UK, services, accounts, pakos.uk
>> dn: krbprincipalname=HTTP/ipa01.pakos.uk@PAKOS.UK,cn=services,cn=accounts,dc=p
>>  akos,dc=uk
>> krbExtraData:: AAJS5mRYSFRUUC9pcGEwMS5wYWtvcy51a0BQQUtPUy5VSwA=
>> krbLastPwdChange: 20161229103250Z
>> krbPrincipalKey::
>> MIHeoAMCAQGhAwIBAaIDAgEBowMCAQGkgccwgcQwaKAbMBmgAwIBBKESBBB5
>> NUQyJVZFPGYyMTZAUU0+oUkwR6ADAgESoUAEPiAA1r2NfOUD/7xph6tSb4hg/nTOwIVYhOusG/omq
>> a1qMz/ZVA/nn4pct9yNwFxKUGOFOz1suDz0l2Rur2vUMFigGzAZoAMCAQShEgQQOiQnZGE8Nk93V3
>> pvJSRLVaE5MDegAwIBEaEwBC4QAJbWI/ipYCPMu9I/jUqL39P0a9WHq8BdW2kpY9kYqsoy7D+A3fP
>> LwmAX3lYm
>> objectClass: ipaobject
>> objectClass: ipaservice
>> objectClass: krbticketpolicyaux
>> objectClass: ipakrbprincipal
>> objectClass: krbprincipal
>> objectClass: krbprincipalaux
>> objectClass: pkiuser
>> objectClass: top
>> ipaKrbPrincipalAlias: HTTP/ipa01.pakos.uk@PAKOS.UK
>> krbCanonicalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> managedBy: fqdn=ipa01.pakos.uk,cn=computers,cn=accounts,dc=pakos,dc=uk
>> krbPrincipalName: HTTP/ipa01.pakos.uk@PAKOS.UK
>> ipaUniqueID: 25dc5432-cdb2-11e6-a20e-005056a2f7f5
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> I must say that this is a show stopper for us at WANdisco which is
>> holding back the upgrade from FreeIPA 4.2 to FreeIPA 4.4.
>> If there is anything else I can do to help with the
>> investigation, please just let me know.
>> Many thanks in advance.
>> --
>> Kind regards,
>> Peter Pakos
>>
>> --
>> Kind regards,
>> Peter Pakos
>>
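
The ordering described in the reply above (a base-scope SRCH answered with err=32 for a DN that is only ADDed afterwards) can be looked for across a whole 389-ds access log. The following is an added example, not part of the original thread and not FreeIPA or 389-ds code; the function names are hypothetical and the sample lines are constructed on the pattern of the quoted excerpt, with a placeholder DN.

```python
import re
from datetime import datetime

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                  r'(?P<verb>[A-Z]+)(?P<rest>.*)$')
DN = re.compile(r'\b(?:base|dn)="([^"]*)"')
ERR = re.compile(r'\berr=(\d+)')
BASE_SCOPE = re.compile(r'\bscope=0\b')  # scope=0 is a base-object search
NO_SUCH_OBJECT = 32                      # LDAP result code reported as "no such entry"

# Constructed sample on the pattern of the quoted excerpt; the DN is a placeholder.
SAMPLE_DN = ("krbprincipalname=HTTP/host.example.test@EXAMPLE.TEST,"
             "cn=services,cn=accounts,dc=example,dc=test")
SAMPLE = f'''\
[29/Dec/2016:10:33:02.775715491 +0000] conn=16 op=1 SRCH base="{SAMPLE_DN}" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:02.775892719 +0000] conn=16 op=1 RESULT err=32 tag=101 nentries=0 etime=0
[29/Dec/2016:10:33:03.100000000 +0000] conn=16 op=2 SRCH base="dc=example,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[29/Dec/2016:10:33:03.100500000 +0000] conn=16 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[29/Dec/2016:10:33:05.487917960 +0000] conn=17 op=10 ADD dn="{SAMPLE_DN}"
[29/Dec/2016:10:33:05.492213776 +0000] conn=17 op=10 RESULT err=0 tag=105 nentries=0 etime=0
'''

def parse_ts(ts):
    # 389-ds writes nanoseconds here; strptime's %f accepts at most six digits.
    m = re.match(r'(.+?)\.(\d+) ([+-]\d{4})$', ts)
    if m is None:  # older logs carry whole seconds only
        return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    stamp, frac, zone = m.groups()
    return datetime.strptime(f"{stamp}.{frac[:6]} {zone}", "%d/%b/%Y:%H:%M:%S.%f %z")

def search_before_add(lines):
    """Find DNs whose base search failed with err=32 before a later successful ADD."""
    pending = {}   # (conn, op) -> (verb, dn, start time), waiting for its RESULT line
    misses = {}    # dn -> start time of the first failed base search
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key, verb, rest = (m["conn"], m["op"]), m["verb"], m["rest"]
        dn = DN.search(rest)
        if dn and (verb == "ADD" or (verb == "SRCH" and BASE_SCOPE.search(rest))):
            pending[key] = (verb, dn.group(1).lower(), parse_ts(m["ts"]))
        elif verb == "RESULT" and key in pending:
            op_verb, op_dn, started = pending.pop(key)
            err = ERR.search(rest)
            code = int(err.group(1)) if err else None
            if op_verb == "SRCH" and code == NO_SUCH_OBJECT:
                misses.setdefault(op_dn, started)
            elif op_verb == "ADD" and code == 0 and op_dn in misses:
                gap = (started - misses.pop(op_dn)).total_seconds()
                findings.append({"dn": op_dn, "gap_seconds": round(gap, 3)})
    return findings

if __name__ == "__main__":
    for hit in search_before_add(SAMPLE.splitlines()):
        print(f"SRCH err=32 preceded ADD by {hit['gap_seconds']}s: {hit['dn']}")
```

On a real server the input would be the lines of the instance's access log; a non-empty result names each DN that a client looked up before the entry existed on that server.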