[Freeipa-users] Authenticating sudo with ipa on Centos

2013-10-17 Thread Andrew Holway
Hello, I have set up IPA on a private network and have hit some bumps configuring sudo access for the clients. kinit seems to work fine for both client and server, user and root. When I load the edited /etc/sssd/sssd.conf and try to change user passwords I get System is offline, password change

Re: [Freeipa-users] Authenticating sudo with ipa on Centos

2013-10-18 Thread Andrew Holway
It is a bit strange that your ipa_domain and ipa_hostname are the same. I think the domain should be just local. I'd run klist -kt /etc/krb5.keytab to see what principals are in there. ipa_hostname = 192-168-0-110.local ipa_server = _srv_, 192-168-0-100.local Hi, I'm a little confused. They

Re: [Freeipa-users] Authenticating sudo with ipa on Centos

2013-10-21 Thread Andrew Holway
Hi, ipa_domain and ipa_hostname was indeed a config error. Also, using a .local domain caused all manner of problems. Thanks all for your help! Andrew On 21 October 2013 21:03, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote: Andrew

[Freeipa-users] DNS resource records problem. subdomains and /16's.

2013-10-28 Thread Andrew Holway
Hello, I have created two DNS resource records. 51.10.in-addr.arpa. and test.domain.com. It seems that it does not like to use the 51.10.in-addr.arpa. for addresses. Must I specify each /24? In addition, if I am adding a host node.subdomain.test.nsslabs.com. It does not like this either. Must I

Re: [Freeipa-users] DNS resource records problem. subdomains and /16's.

2013-10-28 Thread Andrew Holway
:80:3B:A9:1D:5E (ssh-dss), 05:11:9B:EE:D0:7A:BA:9D:BA:48:18:82:84:8F:25:82 (ssh-rsa) On 28 October 2013 15:20, Rob Crittenden rcrit...@redhat.com wrote: Andrew Holway wrote: Hello, I have created two DNS resource records. 51.10.in-addr.arpa. and test.domain.com. It seems that it does not like

Re: [Freeipa-users] DNS resource records problem. subdomains and /16's.

2013-10-28 Thread Andrew Holway
1800 900 604800 86400 ;; Query time: 153 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon Oct 28 04:30:39 2013 ;; MSG SIZE rcvd: 104 On 28 October 2013 15:33, Andrew Holway andrew.hol...@gmail.com wrote: Here is some info from FreeIPA . . . [root@freeipa ~]# ipa host-show Host name

Re: [Freeipa-users] DNS resource records problem. subdomains and /16's.

2013-10-28 Thread Andrew Holway
Sorry, I didn't mean to send the last mail. However the FreeIPA has correctly set reverse and forward DNS. I have trimmed it up a bit for clarity. Forward DNS for this host is working but reverse DNS is not: [root@freeipa ~]# dig node002.test.nsslabs.com @localhost ;; QUESTION SECTION:

Re: [Freeipa-users] DNS resource records problem. subdomains and /16's.

2013-10-28 Thread Andrew Holway
: 3600 Active zone: TRUE Allow query: any; Allow transfer: none; Number of entries returned 2 On 28 October 2013 15:43, Andrew Holway andrew.hol...@gmail.com wrote: Sorry, I didn't mean to send the last mail. However the FreeIPA has

Re: [Freeipa-users] sudo client on CentOS 6.4?

2013-10-29 Thread Andrew Holway
For 6.4 use these instructions. https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html Thanks, Andrew On 29 October 2013 13:59, Bret Wortman bret.wort...@damascusgrp.com wrote: I'm trying to bring some CentOS 6.4 systems into our IPA network, and everything seems to be

[Freeipa-users] Domain Controllers

2013-12-29 Thread Andrew Holway
Hello, I am trying to work out how to organise some domain controllers. I understand that you can only have one domain controller per domain and one domain per domain controller. corp.com is controlled by a corporate active directory. We would like to create two linux subdomains controlled by

[Freeipa-users] AD - Freeipa trust confusion

2014-01-01 Thread Andrew Holway
Hello, I am attempting to set up trust between my test freeipa server at ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com. In the GUI I can see the following in Trusts » prattle.com. Realm name: prattle.com Domain NetBIOS name: PRATTLE Domain Security Identifier:

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server is unavailable'} Failed to setup winsync replication On 1 January 2014 22:27, Andrew Holway andrew.hol...@gmail.com wrote: Hello, I am attempting to set up trust between my test freeipa server at ipa.wibble.com

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
/rpc_handles.c:261(create_rpc_handle_internal) Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe. On 2 January 2014 13:41, Dmitri Pal d...@redhat.com wrote: On 01/02/2014 07:38 AM, Andrew Holway wrote: I have gotten a little further along with this but am

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
I turned off all the AD processed on my windows domain controller. The error did not change. On 2 January 2014 17:07, Andrew Holway andrew.hol...@gmail.com wrote: I have taken out the winsync. [r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn cn=administrator,cn=users,dc=prattle

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
You are still setting up a replication agreement not a trust. Oh, I am following the redhat documentation here: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html This seems to indicate that the directory server

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
As for AD users we need to look at the client and see what is going on there. What is your client? Version and component? Is it using latest SSSD? If not additional steps might be needed. Please provide the details about the clients. Please start with trying AD users on the IPA server itself,

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-02 Thread Andrew Holway
result: 32 No such object # numResponses: 1 On 2 January 2014 20:06, Andrew Holway andrew.hol...@gmail.com wrote: As for AD users we need to look at the client and see what is going on there. What is your client? Version and component? Is it using latest SSSD? If not additional steps might

Re: [Freeipa-users] Cannot loging via SSH with AD user TO IPA Domain.

2014-01-02 Thread Andrew Holway
If you add debug_level = 5 into every section of /etc/sssd/sssd.conf, restart sssd, try and log in again, cat /var/log/sssd/* and paste that somewhere. On 2 January 2014 21:45, Genadi Postrilko genadip...@gmail.com wrote: Its a newly installed IPA Server, haven't added any Rules. The

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
To generate the winbind logs on the server, can you do 'smbcontrol winbindd debug 100', then request the trusted user. The winbind logs would be at /var/log/samba/log.w* I truncated all of the files in /var/log/samba and then make a single login attempt. These are the files that were non zero

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
or simply run wbinfo on the server to check winbindd can properly retrieve users before moving back to testing on client. [r...@ipa.wibble.com ~]# wbinfo -i b...@prattle.com failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user b...@prattle.com Would this be an

Re: [Freeipa-users] AD - Freeipa trust confusion

2014-01-03 Thread Andrew Holway
[r...@ipa.wibble.com ~]# wbinfo --all-domains BUILTIN WIBBLE PRATTLE [r...@ipa.wibble.com ~]# wbinfo --own-domain WIBBLE On 3 January 2014 15:06, Andrew Holway andrew.hol...@gmail.com wrote: or simply run wbinfo on the server to check winbindd can properly retrieve users before moving back

Re: [Freeipa-users] Setting up sudo

2014-02-17 Thread Andrew Holway
It actually took me a long time to find this information. It is poorly documented but this mailing list post works. :) https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html On 13 February 2014 23:17, Todd Maugh tma...@boingo.com wrote: the documentation is kinda vague on some

Re: [Freeipa-users] passwordless login into IPA clients possible from non IPA client?

2014-03-19 Thread Andrew Holway
Hi Fred, You can add your public keys to the user's profile via the GUI or CLI. Take contents of the .ssh/id_rsa.pub from your Fedora20 Laptop and insert it in the GUI. User - ACCOUNT SETTINGS - SSH public keys - add http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/user-keys.html

[Freeipa-users] Backup / Restore

2014-03-27 Thread Andrew Holway
Hello, I am being tasked with setting up freeipa for an organisation. A replica will be created but they also require a backup / restore strategy. Has anyone implemented backup restore? Ideas? Recommendations? Dragons? Thanks, Andrew ___

[Freeipa-users] Root certificates

2014-04-19 Thread Andrew Holway
Hello, I would like to install the root certificate from my freeipa installation into some browsers and other clients. If this statement makes sense; does anyone have a guide for this? Thanks, Andrew

Re: [Freeipa-users] Root certificates

2014-04-20 Thread Andrew Holway
I would like to install the root certificate from my freeipa installation into some browsers and other clients. If this statement makes sense; does anyone have a guide for this? All you need to do is to install http://ipaserver/ipa/config/ca.crt . Brilliant! Thanks.

[Freeipa-users] services and openSSL and stuff

2014-04-24 Thread Andrew Holway
Hello, I would like to use freeipa CA to manage certs for our organisation. In testing this out I have created an SSL key with the following. openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key This CSR I pasted into the service certificate UI and have a tick next to

Re: [Freeipa-users] services and openSSL and stuff

2014-04-25 Thread Andrew Holway
What are the certs for? At the moment for a third party application however we would like to issue our own certs for everything SSL such as LDAPs or OpenVPN. It is quite a powerful feature to be able to install an organisations root key on a clients machine and then be able to bosh out certs at

Re: [Freeipa-users] services and openSSL and stuff

2014-04-26 Thread Andrew Holway
There are also some good docs and examples in the certmonger git repo in docs folder and here. http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/certmongerX.html Hi, The docs seem to explain quite well how to request a certificate but not how to actually issue a certificate.

Re: [Freeipa-users] services and openSSL and stuff

2014-04-26 Thread Andrew Holway
-tracking -i 20140426115309 Else you will see this message: Certificate at same location is already used by request with nickname 20140426115309. And here is some official docs I just found: http://www.freeipa.org/page/Certmonger#OpenSSL On 26 April 2014 09:02, Andrew Holway andrew.hol...@gmail.com

Re: [Freeipa-users] Hardening freeipa on the internet

2014-04-28 Thread Andrew Holway
I realized that you probably want to disable anonymous access to LDAP. It will prevent random strangers from enumerating all users in your database... This sounds like a bug no? anonymous access to LDAP? -- Petr^2 Spacek
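The check behind Petr's advice is to see whether the directory still answers an anonymous simple bind from the outside. The block below is an added example, not code from the thread or from the FreeIPA project: it hand-encodes the RFC 4511 anonymous BindRequest (empty DN, empty simple credentials, exactly what `ldapsearch -x` sends without `-D`/`-w`) and decodes the BindResponse, so the encoder and parser can be exercised offline against constructed replies and then pointed at a real server with `probe()`. The result-code constants are the standard LDAP ones; the diagnostic text in the constructed denial is an assumed sample, not captured from a server.

```python
import socket

# RFC 4511 result codes an anonymous bind probe is likely to see
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTHENTICATION = 48   # typical reply when anonymous binds are disabled
LDAP_UNWILLING_TO_PERFORM = 53


def _ber_len(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def build_anonymous_bind(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, b"") + _tlv(0x80, b"")
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def parse_bind_response(msg):
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)        # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)   # LDAPDN matchedDN
    _, diag, _ = _read_tlv(op, pos)        # diagnosticMessage
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def anonymous_bind_allowed(response):
    """True when the server accepted the credential-less bind."""
    return parse_bind_response(response)["result_code"] == LDAP_SUCCESS


def sample_bind_response(code, diagnostic=b"", message_id=1):
    """Constructed server reply (built with the same encoder) for offline testing."""
    op = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic)
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x61, op))


def probe(host, port=389, timeout=5.0):
    """Send one anonymous bind to a live server and return the decoded reply.
    Plain LDAP is acceptable for this probe because no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        data = sock.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    print(build_anonymous_bind().hex())
    print(parse_bind_response(sample_bind_response(LDAP_SUCCESS)))
    print(parse_bind_response(sample_bind_response(
        LDAP_INAPPROPRIATE_AUTHENTICATION, b"Anonymous access is not allowed")))
```

A successful anonymous bind is only half the story: what matters is what the anonymous identity can then read (users, hosts, sudo rules), so follow a successful probe with an unauthenticated search for `(uid=*)` under the base DN. On 389 Directory Server the knob is `nsslapd-allow-anonymous-access` in `cn=config` (`on`, `off` or `rootdse`); IPA clients read the root DSE during discovery, so check the FreeIPA documentation for your version before turning anonymous access fully off.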

[Freeipa-users] Practical and theoretical limits of FreeIPA

2014-12-22 Thread Andrew Holway
So I am looking at ways of building a distributed user database for millions of users (specifically 5 million at the moment) and I am thinking that freeIPA might be a good thing to test for this kind of use case. I would assume that at least a third of these users would want to authenticate every

[Freeipa-users] SSSD in redundant configuration

2015-03-18 Thread Andrew Holway
Hello, I'm wondering how we should be handling SSSD for redundant configurations on our freeipa clients. We have three freeipa servers; how can we make SSSD check another freeipa in the event that one goes down? It appears we can do something like the following: ipa_hostname =

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-16 Thread Andrew Holway
Hi, I think this is perhaps a bug? Thanks, Andrew On 13 March 2015 at 15:55, Andrew Holway andrew.hol...@gmail.com wrote: On 13 March 2015 at 15:33, Michael Lasevich mlasev...@gmail.com wrote: Is SELinux on? Yes, ipa-server-install is running in the initrc_t domain but I guess it's

[Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
*On Behalf Of* Andrew Holway *Sent:* Wednesday, March 18, 2015 9:40 AM *To:* freeipa-users@redhat.com *Subject:* [Freeipa-users] SSSD in redundant configuration Hello, I'm

[Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Andrew Holway
Hello, I'd like to find out what the minimum role would be to allow a user to join a new client to freeipa. Currently our enrol command looks like: ipa-client-install --force-join --enable-dns-updates -U -p admin -w : Thanks, Andrew -- Manage your subscription for the Freeipa-users

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-20 Thread Andrew Holway
!!) but we are trying to do all of this automated with saltstack which is a bit of a challenge. Thanks, Andrew On 20 March 2015 at 09:00, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote: I wasn't precise enough, I meant the sssd version

[Freeipa-users] SSSD in redundant configuration - part 2

2015-03-20 Thread Andrew Holway
Hi, I am having one of those really annoying pesky troubles. I add clients to freeipa but the first time I am logging in and trying to sudo with my freeipa credentials the sudo is not working. If I restart the SSSD process this usually fixes it but not always. I'm going to try and do some

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de ldap_sasl_realm = CLOUD.DOMAIN.DE krb5_server = _srv_ Thanks, Andrew On 19 March 2015 at 10:29, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote: Cool stuff. Thanks. I

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
I wasn't precise enough, I meant the sssd version, sorry. But given that you're on RHEL-7, I think you can switch to: sudo_provider=ipa That does indeed seem to work. Thanks! and remove all the ldap_ config parameters as well as krb5_server. -- Manage your subscription for the
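Two of the replies in this archive amount to edits of /etc/sssd/sssd.conf: the debugging reply (set `debug_level = 5` in every section, restart sssd, reproduce, read /var/log/sssd/*) and Jakub's advice above (on RHEL/CentOS 7 switch to `sudo_provider = ipa` and drop the `ldap_*` keys and `krb5_server`). The block below is an added example, not code from the thread or from SSSD, that performs both edits with Python's `configparser`. The sample configuration is constructed for the example: it reuses the domain, hostname and realm shown in the thread but is not a file anyone posted.

```python
import configparser
import io

# Constructed sssd.conf for an ipa-client on CentOS 7 whose sudo lookups were
# wired up through the legacy ldap_* settings instead of the ipa sudo provider.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = cloud.domain.de
services = nss, pam, sudo
config_file_version = 2

[domain/cloud.domain.de]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = cloud.domain.de
ipa_hostname = test-freeipa-client-3.cloud.domain.de
ipa_server = _srv_
sudo_provider = ldap
ldap_uri = _srv_
ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=domain,dc=de
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/test-freeipa-client-3.cloud.domain.de
ldap_sasl_realm = CLOUD.DOMAIN.DE
krb5_server = _srv_

[nss]

[pam]

[sudo]
"""


def _load(text):
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep option names exactly as written
    cfg.read_string(text)
    return cfg


def _dump(cfg):
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def set_debug_level(text, level=5):
    """Return text with debug_level=<level> in every section, the state the
    debugging reply asks for before collecting /var/log/sssd/*."""
    cfg = _load(text)
    for section in cfg.sections():
        cfg.set(section, "debug_level", str(level))
    return _dump(cfg)


def switch_sudo_to_ipa(text):
    """Return (new_text, removed): every domain section gets sudo_provider=ipa
    and loses its ldap_* keys and krb5_server, which the ipa provider makes
    redundant (ipa_server, ipa_domain and ipa_hostname stay)."""
    cfg = _load(text)
    removed = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        cfg.set(section, "sudo_provider", "ipa")
        for key in list(cfg[section]):
            if key.startswith("ldap_") or key == "krb5_server":
                cfg.remove_option(section, key)
                removed.append((section, key))
    return _dump(cfg), removed


def sections_with_debug(text):
    """Section names that carry a debug_level key, for checking the edit."""
    cfg = _load(text)
    return [s for s in cfg.sections() if cfg.has_option(s, "debug_level")]


if __name__ == "__main__":
    migrated, gone = switch_sudo_to_ipa(SAMPLE_SSSD_CONF)
    print(migrated)
    print("removed:", gone)
    print("debug sections:", sections_with_debug(set_debug_level(SAMPLE_SSSD_CONF)))
```

Run it against a copy of the real file, diff the result, and only then install it (sssd.conf must stay mode 0600, root-owned, or sssd refuses to start). Remember to take `debug_level` back out afterwards: level 5 logs are verbose and contain usernames and host principals.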

[Freeipa-users] Backwards compatibility

2015-03-11 Thread Andrew Holway
Hi, We have a mix of Centos 6 and Centos 7 machines which we would like to manage with FreeIPA. I remember that setting up freeipa on Centos 6 can be a bit tricky although I found this method which works. https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html I imagine the

[Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
Hallo I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting the following error: failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp5witgD' returned non-zero exit status 1 Saltstack outputs the command

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
wrote: On 03/13/2015 07:43 AM, Andrew Holway wrote: Hallo I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting the following error: failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmp5witgD

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
Old bug report - https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=959953 On 13 March 2015 at 15:24, Andrew Holway andrew.hol...@gmail.com wrote: Hi Dimitri type=AVC msg=audit(1426243559.181:623): avc: *denied* { create } for pid=2740 comm=ns-slapd name=imports scontext

Re: [Freeipa-users] Saltstack and ipa-install on Centos7 failing

2015-03-13 Thread Andrew Holway
:c0.c1023 root 4503 23.7 4.8 323356 48860 pts/1 S+ 14:53 0:00 /usr/bin/python -E /sbin/ipa-server-install On Mar 13, 2015 7:46 AM, Andrew Holway andrew.hol...@gmail.com wrote: Hallo I have a quite odd situation. I am using saltstack to set up freeipa servers on Centos 7 but I am getting

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Andrew Holway
When I look at the SPEC file for freeipa-4.1.3, I see requirements around Systemd. Is that really a hard requirement, or is it possible to run newer FreeIPA (that is to say 4.x) on a host that hasn't been infested by systemd? From an SELinux standpoint systemd is far superior to initd as it

Re: [Freeipa-users] Can freeIPA work without Kerberos and DNS

2015-03-30 Thread Andrew Holway
Hi, As far as I understand it Kerberos service tickets are granted for a user to access a particular principal (host/service@REALM) and cannot be reused. Kerberos uses symmetric key cryptography so, if someone were able to access the memory of the machine, then they may indeed be able to snoop

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
the password from the database, appends on the OTP and actually does the auth... On 1 April 2015 at 13:15, Andrew Holway andrew.hol...@gmail.com wrote: It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD: I have to say

[Freeipa-users] OTP integrations

2015-03-31 Thread Andrew Holway
Hello FreeIPA people, I must say that FreeIPA v4 looks very pretty and I am looking forward to trying out the new features. I'm wondering what applications and tools can be used to authenticate with the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it how might we go about

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
Yes. But stored in LDAP. Stored in LDAP salted I assume? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
Thanks Alexander. What happens to the passwords? Are they hashed by Kerberos? On 1 April 2015 at 15:14, Alexander Bokovoy aboko...@redhat.com wrote: On Wed, 01 Apr 2015, Andrew Holway wrote: Please could someone explain to me what is happening internally? In my head I have the following

Re: [Freeipa-users] SSSD in redundant configuration

2015-03-19 Thread Andrew Holway
Hi Jakub, Name: ipa-client Arch: x86_64 Version : 3.3.3 Release : 28.0.1.el7.centos.3 On 19 March 2015 at 17:33, Jakub Hrozek jhro...@redhat.com wrote: On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote: I am having problems with sudo and using _srv_

[Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Andrew Holway
Hi, We're using rabbitmq to shunt bits of data around various systems. To provide better security we would like all of our acmq connections to be authenticated and encrypted. I'm looking for appropriate documentation or some friendly guidance of how server to server SSL authentication is done with

Re: [Freeipa-users] Openvpn and Certificates

2015-04-02 Thread Andrew Holway
And et voila! It works! Although it does feel a bit hacky :) I do it the same way as I control my systems and can be sure there is one user per system for VPN access. Works nicely. Is it possible to manage key revocation? I understand that this mechanism is mostly quite broken. How long are

[Freeipa-users] Your session has expired. Please re-login.

2015-04-03 Thread Andrew Holway
Hello, Trying to log into the Gui I just get Your session has expired. Please re-login. Everything else appears to be working. I cannot find any useful logs. Cheers, Andrew

Re: [Freeipa-users] Your session has expired. Please re-login.

2015-04-03 Thread Andrew Holway
On Friday, 3 April 2015, Ben .T.George bentech4...@gmail.com wrote: HI i was facing the same issue last week and it got fixed now. always use WUI from Firefox. Install Kerberos plugin and certificate from ipa help page Hi George, Thanks for the advice. Did you discover the root of the

[Freeipa-users] FreeIPA SAML and Google Apps

2015-04-28 Thread Andrew Holway
Hi, Is it yet possible to use FreeIPA as an identity provider to Google Apps via SAML? I understand there was some project afoot Thanks, Andrew

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-08 Thread Andrew Holway
(The VMs have ever 4 CPUs and 2GB RAM, we have circa 120 Users/Groups) Are you using ECC memory?

[Freeipa-users] Critique

2015-04-17 Thread Andrew Holway
In an obviously blatant promotion exercise and attempt to build page rank Please could I have some critique on this article? http://otternetworks.de/tech/freeipa-technical-brief/ Your feedback would be really appreciated Thanks, Andrew

Re: [Freeipa-users] Your session has expired. Please re-login.

2015-04-03 Thread Andrew Holway
cache somewhere or the system is a bit borked. :) On 3 April 2015 at 20:25, Ben .T.George bentech4...@gmail.com wrote: no, it's because of wrong ticket i guess. try the steps and let us know the output On Fri, Apr 3, 2015 at 2:23 PM, Andrew Holway andrew.hol...@gmail.com wrote

[Freeipa-users] Openvpn and Certificates

2015-04-01 Thread Andrew Holway
Hello, After following Alexander's advice to use sssd/pam for OpenVPN with OTP I have it all working rather nice but with self signed certificates which is not ideal. (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP android app. wtf??!! :) I'm scratching around trying

Re: [Freeipa-users] Openvpn and Certificates

2015-04-01 Thread Andrew Holway
On 1 April 2015 at 20:02, Nalin Dahyabhai na...@redhat.com wrote: On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote: I understand from previous discussions that client certificates are not yet supported in FreeIPA, instead I understand one can use service certificates. From

Re: [Freeipa-users] access control

2015-07-19 Thread Andrew Holway
Hi Gunther, Typically one would use the freeipa tools to create users. http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-users.html#adding-users As with any application. Modifying the database underneath is not recommended. Thanks, Andrew On 19 July 2015 at 17:58,

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
I'm finding that the new client to be installed is not accepting the password of my new host enrolment user. This password is working fine with kinit on other hosts and also working in the GUI. Any ideas what I am doing wrong here? On 5 November 2015 at 16:42, Andrew Holway <andrew.

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
The now dead IPA server is still seen as authoritative for the domain. [root@freeipa-prod-a-033 centos]# dig NS cloud.foo.com +short freeipa-prod-b-032.cloud.foo.com. freeipa-prod-a-033.cloud.foo.com. freeipa-prod-a-031.cloud.foo.com. On 5 November 2015 at 17:32, Andrew Holway <andrew.

[Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
One of our FreeIPA replicas had its filesystem hosed so we want to remove it. Can someone show me the sequence of commands to remove a down replica? Thanks, Andrew [root@freeipa-prod-a-033 centos]# ipa-replica-manage list p11-kit: ipa.p11-kit: x-public-key-info: invalid or unsupported

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
Thanks! On 5 November 2015 at 16:18, Rob Crittenden <rcrit...@redhat.com> wrote: > Andrew Holway wrote: > > Some time ago I saw an article on how to set up a user that can only > > enrol clients into freeipa. > > > > Does anyone have information on how t

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Andrew Holway
e anything in the logs. Thanks, Andrew On 5 November 2015 at 16:58, Andrew Holway <andrew.hol...@gmail.com> wrote: > One of our FreeIPA replicas had its filesystem hosed so we want to remove > it. Can someone show me the sequence of commands to remove a down replica? > > Than

[Freeipa-users] Client enrolment user

2015-11-05 Thread Andrew Holway
Some time ago I saw an article on how to set up a user that can only enrol clients into freeipa. Does anyone have information on how to do this because we're currently using the admin user and this is a bit scary. Thanks, Andrew

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-06 Thread Andrew Holway
On 6 November 2015 at 15:28, Petr Vobornik <pvobo...@redhat.com> wrote: > On 11/05/2015 05:32 PM, Andrew Holway wrote: > >> Actually I'm starting to feel like this is a bug. Managed to get the old >> IPA server back up and ran . >> >> "ipa-server-i

[Freeipa-users] Server used in DoS attack on UDP port 0

2015-11-04 Thread Andrew Holway
Hi, One of our AWS machines was used in a DoS attack last night and I am looking for possible attack vectors. AWS tells me it was sending UDP port 0 traffic to a cloudflare address. This instance had an incorrectly configured AWS security group exposing all ports. The server in question is a
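When AWS reports an instance emitting UDP port 0 traffic, the first artefact to pull is the VPC Flow Log for that instance's network interface, which records every accepted or rejected flow per ENI. The block below is an added example, not code from the thread or from AWS: it parses records in the default version-2 flow-log format and aggregates accepted outbound UDP flows with destination port 0 per source/destination pair, so the flood and its time window fall out of the data. The log lines are constructed for the example (documentation address ranges, placeholder account and ENI ids), and the `10.` prefix for "our" addresses is an assumption to adjust to your VPC CIDR.

```python
from collections import defaultdict

# Constructed VPC Flow Log records (AWS default version-2 format, space
# separated). Account id, ENI id and addresses are placeholders; the last
# record shows the NODATA shape that carries '-' in place of most fields.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.10 51234 389 6 18 2340 1446600000 1446600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.7 4500 0 17 120000 180000000 1446600000 1446600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 203.0.113.7 4501 0 17 119500 179250000 1446600060 1446600120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.25 60000 22 6 6 360 1446600000 1446600060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.1.5 47001 53 17 2 180 1446600000 1446600060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1446600000 1446600060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTO_UDP = 17


def parse_flow_log(text):
    """Parse version-2 records; NODATA/SKIPDATA rows carry '-' fields and are dropped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            row[key] = int(row[key])
        rows.append(row)
    return rows


def find_udp_port0_floods(rows, local_prefixes=("10.",), min_bytes=1_000_000):
    """Aggregate accepted outbound UDP flows with destination port 0 per
    (src, dst) pair and return the pairs above min_bytes, largest first,
    with the first/last timestamps seen so the window can be matched against
    the abuse report."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": 0})
    for r in rows:
        if r["action"] != "ACCEPT" or r["protocol"] != PROTO_UDP or r["dstport"] != 0:
            continue
        if not r["srcaddr"].startswith(local_prefixes):
            continue  # inbound noise is not "our instance attacking someone"
        t = totals[(r["srcaddr"], r["dstaddr"])]
        t["packets"] += r["packets"]
        t["bytes"] += r["bytes"]
        t["first"] = r["start"] if t["first"] is None else min(t["first"], r["start"])
        t["last"] = max(t["last"], r["end"])
    hits = [{"src": s, "dst": d, **v} for (s, d), v in totals.items() if v["bytes"] >= min_bytes]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_udp_port0_floods(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(hit)
```

Destination port 0 with protocol 17 can also show up for non-initial fragments of large but legitimate UDP datagrams, which have no UDP header for the logger to read a port from, so keep the byte threshold and confirm the peer before treating a hit as abuse. The flow log tells you what left the instance and when; what was listening on the exposed ports during that window comes from the instance itself (`ss -lunp` output, package and process listings) and should be captured before the instance is rebuilt.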

Re: [Freeipa-users] FreeIPA Deployment and resiliency

2015-10-16 Thread Andrew Holway
With a multi master setup FreeIPA could be considered "resilient" however this is dependent on some other architectural considerations. For our customers we deploy two per location and put both servers as entries in /etc/resolv.conf. As FreeIPA service discovery is done with SRV records this
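The two threads on redundancy (the "SSSD in redundant configuration" question about `ipa_server = _srv_` with three servers, and the deployment reply above) both rest on SRV-record discovery, so it is worth seeing how an SRV answer turns into a try-order. The block below is an added example, not code from the thread, from SSSD or from FreeIPA: it parses `dig +short SRV` style output and applies the RFC 2782 selection rules (ascending priority, weighted random choice within a priority), then shows which server a client lands on once some replicas are unreachable. The records and hostnames are constructed for the example; SSSD's real failover logic adds its own timeouts and server blacklisting on top of this ordering.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed `dig +short SRV _ldap._tcp.<domain>` output for a
# two-replicas-per-location layout; hostnames are placeholders.
SAMPLE_DIG_OUTPUT = """\
0 100 389 ipa1.site-a.example.com.
0 100 389 ipa2.site-a.example.com.
10 100 389 ipa1.site-b.example.com.
10 100 389 ipa2.site-b.example.com.
"""


def parse_srv(text):
    """Parse 'priority weight port target' lines (dig +short SRV format)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target))
    return records


def order_srv(records, seed=None):
    """Return records in RFC 2782 try-order: ascending priority; within one
    priority a weighted random draw, with weight-0 records placed first so
    they are only picked when the draw lands on 0."""
    rng = random.Random(seed)
    remaining = list(records)
    ordered = []
    while remaining:
        lowest = min(r.priority for r in remaining)
        bucket = [r for r in remaining if r.priority == lowest]
        remaining = [r for r in remaining if r.priority != lowest]
        rng.shuffle(bucket)
        bucket.sort(key=lambda r: r.weight != 0)  # stable sort: weight-0 first
        while bucket:
            total = sum(r.weight for r in bucket)
            draw = rng.randint(0, total)
            running = 0
            for i, r in enumerate(bucket):
                running += r.weight
                if running >= draw:
                    ordered.append(bucket.pop(i))
                    break
    return ordered


def first_available(records, unreachable, seed=None):
    """Target a client ends up on after skipping servers in `unreachable`:
    the failover that `ipa_server = _srv_` provides when a replica is down."""
    for r in order_srv(records, seed):
        if r.target not in unreachable:
            return r.target
    return None


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    print([r.target for r in order_srv(recs)])
    print(first_available(recs, {"ipa1.site-a.example.com.", "ipa2.site-a.example.com."}))
```

Two things follow from the ordering. Equal priority and weight for the two local replicas gives an even split of clients across them (the `firsts` assertion in the test confirms both are picked), while a higher priority number for the remote site keeps it as a fallback only. And because the whole scheme starts with a DNS lookup, the resolvers in /etc/resolv.conf are part of the failure domain: with one nameserver that also happens to be the dead replica, no SRV record is ever seen, which is why the reply above lists both servers there.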

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
Hi, I assume you are virtualising. Try adding "tinker panic 0" to /etc/ntp.conf. It should make it tolerant to heavily drifting virtual clocks. Cheers, Andrew On 10 September 2015 at 13:46, Prasun Gera wrote: > OS: RHEL 7.1 w IDM > > I'm seeing these messages in my

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
That's odd. You would normally not need it on bare metal. It could be broken hardware. On 10 September 2015 at 14:05, Prasun Gera <prasun.g...@gmail.com> wrote: > Thanks. I'm not virtualizing though. Should I still add it ? > > On Thu, Sep 10, 2015 at 5:02 AM, Andrew Hol

[Freeipa-users] When changing passwords gui displays Login screen is showing

2015-09-23 Thread Andrew Holway
Hi, When a user changes their password the ipa gui briefly redirects to a login page. The user often has an impulse to click on the login button which, on occasion, can seem to cause a mess with the password change. Anyone else aware of this behaviour? ta Andrew

[Freeipa-users] Reverse DNS

2016-05-18 Thread Andrew Holway
Hello, I see that our default installation of IdM is working quite well without rdns configured (its on AWS). We're not doing anything complicated with it yet but is there anything that definitely will not work? Cheers, Andrew

[Freeipa-users] Automatic consistency checking

2016-05-05 Thread Andrew Holway
Hello, We've been using Freeipa on Centos for a while and found one day that the replication stuff was broken and that the LDAP database on our pair of IPA servers was inconsistent. We didn't know how long this had been broken for but we were not able to repair it either. We use AWS so we've now

Re: [Freeipa-users] Can kerberos SSSD provider be used against IPA

2017-03-04 Thread Andrew Holway
Hi William, SSSD and FreeIPA have been developed in tandem by pretty much the same group from Red Hat and are both part of the Fedora project (upstream RHEL). It's unsurprising that SUSE are not mentioning FreeIPA because it is a core component of RHEL marketed as IDM (

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
my standard users, > etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable > selinux and then try again. > > > On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.hol...@gmail.com> > wrote: > >> This is pretty weird. FreeIPA installation normally wor

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
tabase exist? > > > > On Tue, May 16, 2017 at 2:12 PM Andrew Holway <andrew.hol...@gmail.com> > wrote: > >> Yea, I would try installing IPA then making the changes that you want. I >> think SELinux should be left enabled however. It makes admin super fun

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
>2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms > on VMWare ) > > On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.hol...@gmail.com> > wrote: > >> Hallo, >> >> How much memory do you have on the machine. I have a s

Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-16 Thread Andrew Holway
Hallo, How much memory do you have on the machine. I have a sneaking suspicion that you're running out. Ta, Andrew On 16 May 2017 at 17:16, Robert L. Harris wrote: > > Last night I rolled back my snapshot. Here's what I have after the yum > install > > "minimal"

[Freeipa-users] Spam

2017-05-16 Thread Andrew Holway
What's up with this weird spam. This is the only list where I see this.