Re: [Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2

2016-10-11 Thread Alexander Bokovoy
On Wed, 12 Oct 2016, Robert Sturrock wrote: Hi All. We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide better connectivity to our (large) organisational AD service for Linux clients. We have set up IPA and configured a suitable AD trust (with SID POSIX mapping) in the hope

Re: [Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2

2016-10-11 Thread Lachlan Musicman
On 12 October 2016 at 15:23, Robert Sturrock wrote: > Hi All. > > We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide > better connectivity to our (large) organisational AD service for Linux > clients. > > We have set up IPA and configured a suitable AD trust

[Freeipa-users] External (AD) groups and sudo/hbac in IPA 4.2

2016-10-11 Thread Robert Sturrock
Hi All. We’re attempting to set up an IPA (4.2) service on RHEL7.2 to provide better connectivity to our (large) organisational AD service for Linux clients. We have set up IPA and configured a suitable AD trust (with SID POSIX mapping) in the hope that users will be able to access IPA resources

Re: [Freeipa-users] FreeIPA and Samba

2016-10-11 Thread Loris Santamaria
If you just need to join a handful of Windows machines to a FreeIPA domain, try these instructions: https://www.redhat.com/archives/freeipa-users/2013-September/msg00226.html Best regards On Tue, 11-10-2016 at 17:43 -0700, Alan Latteri wrote: > > > > > I am trying to get this to

Re: [Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
Thank you, Rob. For reference, my full log can be found here: http://pastebin.com/6VLaQjYw But I would postulate that the interesting bit is this: > 2016-10-11T22:10:15Z DEBUG stdout=Outgoing update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > ;; flags:; ZONE: 0,

Re: [Freeipa-users] FreeIPA and Samba

2016-10-11 Thread Alan Latteri
I am trying to get this to work, but our Samba server is not the same machine as our IPA server, and these instructions seem to assume that. Any ideas? All I need is the one Windows machine in our network to be able to access our Linux-based server, using the same user/pass as that of our IPA

[Freeipa-users] IPA Client Install problems

2016-10-11 Thread Tyrell Jentink
First off... new to the list, thank you in advance for your assistance! My server is Fedora 24 Server, running in a VirtualBox virtual machine. I have FreeIPA Server 4.3.2-2.fc24, installed from the standard repositories, and dnf says it's up to date. FreeIPA has a trust set up with a Windows

Re: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed

2016-10-11 Thread Fil Di Noto
Things have been working better (so far) after taking some steps I read here: https://www.redhat.com/archives/freeipa-users/2016-January/msg00257.html On Mon, Oct 10, 2016 at 6:48 PM, Fil Di Noto wrote: > After an IPA server is re-initialized it immediately begins failing >

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread John Popowitch
Ah, yes, thank you, Alexander. I agree it would help if I followed the example better. It would also help if I understood the example so a little description of what each command does would be very helpful. It looks like that ACI record does exist. Now how would I remove these LDAP records?

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread Alexander Bokovoy
On Tue, 11 Oct 2016, John Popowitch wrote: It doesn't look like there are any entries. # ldapsearch -x -b 'cn=certprofiles,cn=ca,dc=aws,dc=cappex,dc=com' -s base aci 'ldapsearch -x' is 'use simple authentication instead of SASL' -- given that you didn't specify any identity for simple

[Freeipa-users] bind-dyndb-ldap issues

2016-10-11 Thread Brendan Kearney
I am using bind-dyndb-ldap on Fedora 24 without FreeIPA, and continue to have my logs swamped with errors about "check failed" from settings.c and fwd.c. I am completely up to date with every package, so the latest versions of everything are installed. [settings.c : 420:

[Freeipa-users] Password Complexity Requirements Seem Insufficient

2016-10-11 Thread Bennett, Chip
I just joined this list, so if this question has been asked before (and I'll bet it has), I apologize in advance. A Google search was unrevealing, so I'm asking here: we're running FreeIPA Version 3.0.0 on CentOS 6.6. It looks like the password complexity requirements are limited to setting

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread Martin Basti
Here you have an example: kinit admin ldapsearch -Y GSSAPI -b 'cn=certprofiles,cn=ca,dc=,dc=' -s base aci On 11.10.2016 17:48, John Popowitch wrote: Thanks, Martin. But I'm afraid you've gone beyond my level of LDAP knowledge. How would I check for that ACI? -John *From:*Martin Basti

[Freeipa-users] Different Database Generation ID

2016-10-11 Thread Ian Harding
I have this error in the log of my FreeIPA server freeipa-sea.bpt.rocks: [11/Oct/2016:09:04:39 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-seattlenfs.bpt.rocks-pki-tomcat" (seattlenfs:389): The remote replica has a different database generation ID than the local database. You may

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread John Popowitch
Thanks, Martin. But I'm afraid you've gone beyond my level of LDAP knowledge. How would I check for that ACI? -John From: Martin Basti [mailto:mba...@redhat.com] Sent: Tuesday, October 11, 2016 10:38 AM To: John Popowitch; freeipa-users@redhat.com Subject: Re: [Freeipa-users] FreeIPA v4.2 stopped

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread Martin Basti
On 11.10.2016 17:21, John Popowitch wrote: I agree that is weird. Several of the other managed permissions are updated successfully and they are very similar. Yes, I can try to remove the permission manually. Is there any risk in corrupting or breaking the system? This is, I believe, one

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread John Popowitch
I agree that is weird. Several of the other managed permissions are updated successfully and they are very similar. Yes, I can try to remove the permission manually. Is there any risk in corrupting or breaking the system? This is, I believe, one of three IPA servers in a multi-master replication.

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread Martin Basti
That's weird, because the code is checking if a permission exists before it tries to add a new one. Can you try to remove 'System: Modify Certificate Profile' manually from LDAP and re-run ipa-server-upgrade? On 11.10.2016 15:53, John Popowitch wrote: 2016-10-10T19:51:38Z DEBUG Updating

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread John Popowitch
2016-10-10T19:51:38Z DEBUG Updating managed permission: System: Modify Certificate Profile 2016-10-10T19:51:38Z DEBUG Destroyed connection context.ldap2_82077392 2016-10-10T19:51:38Z ERROR Upgrade failed with This entry already exists 2016-10-10T19:51:38Z DEBUG Traceback (most recent call last):

Re: [Freeipa-users] sssd 1.14.1, HBAC still not working?

2016-10-11 Thread Jakub Hrozek
On Tue, Oct 11, 2016 at 03:28:55PM +1100, Lachlan Musicman wrote: > After further testing, I've discovered that the dev system wasn't working > as well as I thought it was: HBAC and sshd don't seem to be playing well > together on one server, but fine on the other? > > i.e., I can run the same

Re: [Freeipa-users] Replication attrlist_replace nsslapd-referral failed

2016-10-11 Thread Ludwig Krispenz
Hi, you don't specify the version you are using: If it is 389-ds-base-1.3.4.0-33.el7_2.x86_64 the following may apply: >>> we have identified an issue with this version, it includes a fix for 389-ds ticket #48766, which was incomplete and resolved shortly after the release of this version (it

Re: [Freeipa-users] FreeIPA v4.2 stopped working, wants me to run ipa-server-upgrade, but has errors

2016-10-11 Thread Martin Basti
On 10.10.2016 23:30, John Popowitch wrote: Hello FreeIPA community. I've inherited a group of three FreeIPA v4.2 servers on CentOS 7.2. I had to reboot one of the servers and now IPA won't run saying, "Upgrade required: please run ipa-server-upgrade command." But when I run