[Freeipa-users] Please Provide the IPA Client Configuration Doc for Ubuntu 12.04, 14.04

2016-07-14 Thread Visakh MV
Hi Team, could you provide the client setup guide for Ubuntu systems? We are using FreeIPA version 4.2.0. It's been a while trying to find the document for Ubuntu with the latest FreeIPA Server version; even now I cannot find the doc. So kindly provide the same doc via mail as soon as possible. even

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
I've updated all the relevant hosts and the FreeIPA server to the COPR sssd 1.14.0 release and the problem seems to have disappeared. Cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 15 July 2016 at 10:09, Lachlan Musicman

Re: [Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
This line: "We have SELinux disabled on all of our servers, but we hadn't disabled this check in sssd.conf. So we enabled it in sssd.conf and everything worked fine." should read that we *disabled* SELinux: selinux_provider = none. Cheers L. -- The most dangerous phrase in the language is,

[Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

2016-07-14 Thread Lachlan Musicman
Hey, while hunting this sssd/hbac/AD user problem, I noticed in selinux_child.log a lot of errors that look like this: (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446 [libsemanage] (0x0020): could not parse seuser record (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Lachlan Musicman
On 14 July 2016 at 17:44, Sumit Bose wrote: > On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > > > Installed Packages >

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I wanted to follow up on this thread in case others are experiencing this problem. Installing SSSD 1.14 from the copr repository seems to have completely eliminated the HBAC issue on all systems that were exhibiting the problem as previously described.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Justin Stephenson
Hello Daniel, Just to clarify the issue: user 'a.cri.dsulli...@bsdad.uchicago.edu' is a member of IDM POSIX group 'cri-cri_server_administrators_ipa' which is linked to the external group used for the AD trust. The following HBAC rule is not working to allow SSH access

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-14 Thread Devin Acosta
When I tried to create the replica from another server, it fails, giving me this: [root@ipa02-aws ~]# ipa-replica-prepare ipa03-aws.rsinc.local --ip-address 10.40.x.x Directory Manager (existing master) password: If you installed IPA with your own certificates using PKCS#12 files you must provide

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:52), Tomas Simecek wrote: >Hi Lukas, >sorry to say, but nothing helps. > >I have just updated IPA server, so that now it is: >[root@svlxxipap ~]# cat /etc/redhat-release >CentOS Linux release 7.2.1511 (Core) > >with: >[root@svlxxipap ~]# rpm -qa|grep ipa

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Devin Acosta
ipa01-jap was a host that is no more; is there a simple way to clear these replication agreements to clean it up? On Thu, Jul 14, 2016 at 7:14 AM, Petr Vobornik wrote: > On 07/14/2016 12:57 PM, Martin Kosek wrote: > > On 07/13/2016 04:24 AM, Devin Acosta wrote: > >> > >> I

Re: [Freeipa-users] FreeIPA (Add Replica fails on GSSAPI)

2016-07-14 Thread Petr Vobornik
On 07/14/2016 07:18 AM, Bjarne Blichfeldt wrote: > Well, I just had the same problem, but in my case I also tried to install a > ca: > > “ipa-replica-install --setup-ca …..” > > Without “--set-up” the installation succeeded. > > Regards, > > Bjarne > The error below is not related to CA.

Re: [Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Petr Vobornik
On 07/13/2016 08:51 PM, Bob Hinton wrote: > Hi, > > We are trying to create a new replica on RHEL 7.2 > > This completes but named-pkcs11 fails to start - > > systemctl status named-pkcs11.service > ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native > PKCS#11 >Loaded:

Re: [Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Petr Vobornik
On 07/14/2016 07:13 AM, Grant Wu wrote: > Hi all, > > I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a > pain point for quite some time. I've heard that FreeIPA might be a solution > worth exploring. > > I would like to try to avoid user visible disruption if

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Mark Reynolds
On 07/14/2016 10:10 AM, Stefan Uygur wrote: > Hi Alexander, > Thanks for a quick reply first of all and to be honest actually I have tried > that link too, it didn't work either. > > This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is > RHEL 6 > > When I reproduce the

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Petr Vobornik
On 07/14/2016 12:57 PM, Martin Kosek wrote: > On 07/13/2016 04:24 AM, Devin Acosta wrote: >> >> I was trying to create another Replica but then noticed it was constantly >> having >> issues trying to finish the joining of the replication. I then ran the >> command: >> repl-monitor.pl

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Stefan Uygur
Hi Alexander, thanks for the quick reply first of all, and to be honest I have actually tried that link too; it didn't work either. This is my ipa version: ipa-server-3.0.0-47.el6_7.2.x86_64 and the system is RHEL 6. When I reproduce the last step of the instructions you provided: ldappasswd -h

[Freeipa-users] Freeipa replication issue

2016-07-14 Thread Stefan Uygur
Hi All, sorry if this appears to be an obvious issue and maybe someone has already discussed it, but I couldn't find information anywhere about how to resolve this issue that I am experiencing. Basically I have an IPA master server where the admin password was originally the same as

Re: [Freeipa-users] Freeipa replication issue

2016-07-14 Thread Alexander Bokovoy
On Thu, 14 Jul 2016, Stefan Uygur wrote: Hi All, Sorry if this would appear to be an obvious issue and maybe someone has already discussed about it but I couldn't get anywhere information about how to resolve this issue that I am experiencing. Basically I have an IPA master server where the

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I have a brief follow up question regarding this issue; I’m actually not bent on using HBAC; it is a nice feature and I’d like to use it, but at the end of the day I’m not married to the idea of managing this type of policy centrally; in theory, group or user based access control using

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, sorry to say, but nothing helps. I have just updated IPA server, so that now it is: [root@svlxxipap ~]# cat /etc/redhat-release CentOS Linux release 7.2.1511 (Core) with: [root@svlxxipap ~]# rpm -qa|grep ipa ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 13:06), Tomas Simecek wrote: >Hi Lukas, >I did as you said. >Logs are attached to this mail. > Thank you very much for provided data. The main problem is that full refresh of sudo rules did not store any rules. It might be caused by following errors which might be caused by issues

Re: [Freeipa-users] Web UI access from outside the home network via port forwarding

2016-07-14 Thread Christophe TREFOIS
Hi Jan, Cool doc. Thanks for writing it up! > On 14 Jul 2016, at 07:52, Jan Pazdziora wrote: > > On Mon, Jul 11, 2016 at 07:00:04PM -0700, Harry Kashouli wrote: >> >> I have a freeipa server set up, and would like to access the Web UI >> remotely (from outside my

[Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

2016-07-14 Thread Grant Wu
Hi all, I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a pain point for quite some time. I've heard that FreeIPA might be a solution worth exploring. I would like to try to avoid user visible disruption if possible, however. This means that we would like to keep our

[Freeipa-users] named-pkcs11 fails on new ipa replica

2016-07-14 Thread Bob Hinton
Hi, We are trying to create a new replica on RHEL 7.2 This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service;

[Freeipa-users] Sync & BaseDN change

2016-07-14 Thread Brad Cesarone
Hello, I hope this finds the right thread, because the original thread was replied to on the list and not to my email... I need to sync to another LDAP directory which has a different SUFFIX than IPA sets up. I successfully imported from our OpenLDAP to IPA, but I still need to sync with a separate

Re: [Freeipa-users] Replication Agreement issues noticed with repl-monitor.pl

2016-07-14 Thread Martin Kosek
On 07/13/2016 04:24 AM, Devin Acosta wrote: > > I was trying to create another Replica but then noticed it was constantly > having > issues trying to finish the joining of the replication. I then ran the > command: > repl-monitor.pl , It appears i have several >

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 12:43), Tomas Simecek wrote: >Thanks Lukas, >to be honest I am not sure what do you mean by "Please test with id >simecek.to...@sd-stc.cz." >It is the user I am testing with all the time. > >Here is what I see on client where sudo does not work: >[simecek.to...@sd-stc.cz@zp-cml-test

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Thanks Lukas, to be honest I am not sure what do you mean by "Please test with id simecek.to...@sd-stc.cz." It is the user I am testing with all the time. Here is what I see on client where sudo does not work: [simecek.to...@sd-stc.cz@zp-cml-test ~]$ id uid=988604700(simecek.to...@sd-stc.cz)

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 11:26), Tomas Simecek wrote: >Hi Lukas, >we have Active Directory group "UnixAdmins" >. >We have IPA external group ad_admins_external >, which has >Windows "UnixAdmins" group as a member. >We have local IPA group

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Rob, thanks, but this is not the case. Firstly, for initial test purposes I am not limiting sudo to specific commands; in the rule it is set to "any". Secondly, it fails even in non-symlink cases: [root@zp-cml-test ~]# which service /sbin/service [root@zp-cml-test ~]# ll /sbin/service

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Rob Verduijn
Hi, just a long shot here.. I've been battling sudo for a couple of days now and found that my issue was one related to symlinks on CentOS 7. 'which cat' says /bin/cat, but on CentOS /bin is a symlink to /usr/bin, and sudo knows a symlink when it sees one, and to prevent abuse it requires the 'real'
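The path comparison behind the symlink point above, as an added example that is not part of the thread or of sudo or FreeIPA: it builds a throw-away directory tree laid out like CentOS 7 (a real usr/bin/cat and a bin -> usr/bin symlink, both constructed here) and shows that a rule written as .../bin/cat and an invocation of .../usr/bin/cat only agree once both sides are canonicalised with readlink -f. The function names and the fake root are assumptions for illustration; they do not touch the real sudoers or any IPA sudo rule.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): literal vs. canonical
# matching of a command path against a sudo-style rule path.

# canonical_path PATH -> absolute path with every symlink resolved
canonical_path() {
    readlink -f -- "$1"
}

# rule_matches RULE_CMD INVOKED_CMD
# Prints "literal"   when the two strings are identical,
#        "canonical" when they agree only after symlink resolution,
#        "mismatch"  otherwise (exit status 1 in that case).
rule_matches() {
    rule=$1
    cmd=$2
    if [ "$rule" = "$cmd" ]; then
        echo literal
        return 0
    fi
    if [ "$(canonical_path "$rule")" = "$(canonical_path "$cmd")" ]; then
        echo canonical
        return 0
    fi
    echo mismatch
    return 1
}

# make_fake_root -> prints a temp dir laid out like CentOS 7:
#   $root/usr/bin/cat is a real executable, $root/bin -> usr/bin
# (constructed sample tree; removed by the caller)
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/cat"
    chmod 755 "$root/usr/bin/cat"
    ln -s usr/bin "$root/bin"
    echo "$root"
}

# Demo: the rule says .../bin/cat, the user runs .../usr/bin/cat
demo_root=$(make_fake_root)
echo "rule  : $demo_root/bin/cat"
echo "invoke: $demo_root/usr/bin/cat"
echo "result: $(rule_matches "$demo_root/bin/cat" "$demo_root/usr/bin/cat")"
rm -rf "$demo_root"
```

The "canonical" result is the situation the post describes: a strict string compare of the rule against the invoked path fails, even though both names point at the same file, so writing the rule with the symlink-free path (or matching the path that `which` actually returns on the client) avoids the mismatch.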

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Tomas Simecek
Hi Lukas, we have Active Directory group "UnixAdmins". We have IPA external group ad_admins_external, which has Windows "UnixAdmins" group as a member. We have local IPA group grpunixadmins

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (14/07/16 10:09), Tomas Simecek wrote: >Thanks all of you guys, >I have updated to: >sssd-krb5-common-1.13.3-22.el6_8.4.x86_64 >sssd-1.13.3-22.el6_8.4.x86_64 >sssd-ldap-1.13.3-22.el6_8.4.x86_64 >sssd-client-1.13.3-22.el6_8.4.x86_64 >sssd-ad-1.13.3-22.el6_8.4.x86_64

Re: [Freeipa-users] named-pkcs11 fails to start on new replica [SOLVED]

2016-07-14 Thread Bob Hinton
On 14/07/2016 08:39, Martin Babinsky wrote: > On 07/13/2016 09:56 PM, Bob Hinton wrote: >> Hi, >> >> We are trying to create a new replica on RHEL 7.2 >> >> This completes but named-pkcs11 fails to start - >> >> systemctl status named-pkcs11.service >> ● named-pkcs11.service - Berkeley Internet

Re: [Freeipa-users] HBAC and AD users

2016-07-14 Thread Sumit Bose
On Thu, Jul 14, 2016 at 11:47:41AM +1000, Lachlan Musicman wrote: > Ok, I have some logs of sssd 1.13.0 not working. Same values as before: > > FreeIPA server: Centos 7, ipa 4.2, API_VERSION 2.156 > > Installed Packages > Name: ipa-server > Arch: x86_64 > Version : 4.2.0 >

Re: [Freeipa-users] named-pkcs11 fails to start on new replica

2016-07-14 Thread Martin Babinsky
On 07/13/2016 09:56 PM, Bob Hinton wrote: Hi, We are trying to create a new replica on RHEL 7.2 This completes but named-pkcs11 fails to start - systemctl status named-pkcs11.service ● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11 Loaded: loaded

Re: [Freeipa-users] sudo - differences between Centos 6.5 and Centos 7.0?

2016-07-14 Thread Lukas Slebodnik
On (13/07/16 10:32), Danila Ladner wrote: >Update to this one: >It has been running smoothly on 6.5 > >[root@dev-zlei.sec1 ~]# cat /etc/redhat-release >CentOS release 6.5 (Final) > >[root@dev-zlei.sec1 ~]# rpm -qa | grep sssd >sssd-client-1.12.4-47.el6.x86_64 >sssd-ldap-1.12.4-47.el6.x86_64