On Thu, Feb 4, 2016 at 4:23 PM, Nordgren, Bryce L -FS
wrote:
> An RHEL 7 host filesystem may have the same basic structure as an Ubuntu
> trusty container filesystem, but may have different users defined,
> particularly for running services and for owning the files those services
> must touch. To
An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty
container filesystem, but may have different users defined, particularly for
running services and for owning the files those services must touch. To what
extent do you want the same users to be enforced between the c
Right, I haven't messed with IDMU in quite some time, so I'm not exactly sure.
Personally, I override using sssd, because all of my users use bash by default.
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jon
Sent: Thursday, February 04, 2016 2:57
Hi Josh,
I think that's exactly the problem though, how does one set POSIX
attributes in AD from Linux guests?
The RedHat documentation has a big warning that the Microsoft IDMU has been
deprecated.
>>
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integrat
hi all,
I tried and figured it out..
ipa sudorule-add-runasuser --users=
Is the command syntax I was looking for.
I guess that if the --users isn't an ipa user it is automatically
flagged as an external user.
Cheers
Rob Verduijn
2016-02-04 17:33 GMT+01:00 Jakub Hrozek :
> On Thu, Feb 04, 2
For AD users, I believe you have two options.
1) Set the POSIX value on the user in AD for the shell
2) Set the following in your client's sssd.conf:
[nss]
override_shell = /bin/bash
This would obviously be global per IPA client.
Josh
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-use
Hello,
How does one manage Linux attributes for AD users? Primarily in my case,
I'm looking to change the default shell to either Bash or KSH depending on
the user.
I can create a .profile that either sources bash or ksh rcs... e.g.:
>> $ cat ~/.profile
>> bash ./.bashrc
This is really less th
Hi,
I just configured a trust between an IPA and an Active Directory to
authenticate IPA users in Windows machines joined in AD domain. The login is
successful, but only after several minutes (nearly 25 minutes) in the first
attempt; in the next attempts, the required time goes from 5 to 10 m
Note: sudo rule "testSudo" fails when using user group. But succeeds
when using a directly defined user.
sudo rule "sudo-1" fails when user defined directly, but hosts are
defined with host group.
The behaviour that I'm observing is: sudo rules are not functioning any
time the user or
Greetings all,
For the record, this is a CentOS 7.2 box with all current patches.
(ipa-server-4.2.0-15.el7.centos.3.x86_64, etc.)
The situation is that pki-tomcatd on the lone CA server in our IPA cluster
refuses to start cleanly. The issues started earlier this week after the certs
subsystemCe
On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora
wrote:
> On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> > I am trying to set up a docker image with a specific development
> > environment. We use idm 4.2 for authentication, and non-kerberized nfs
> > (including home) for data storag
Hello,
How do I configure automount for Ubuntu 14.04 clients? My procedure on
CentOS has been: install free-ipa client, run ipa-client-install (auto
configures with dns discovery), run ipa-client-automount. However, when I
run this on the ubuntu client, I receive the following errors:
>> root@u
Hi all,
We are currently running a 3-replica (all are setup with the --setup-ca flag)
cluster on Fedora 21, with FreeIPA 4.1.4.
We would like to slowly upgrade to the new version and move away from Fedora to
CentOS 7.2.
We were thinking of the following:
- Create 3 CentOS machines with --setup-
I have a few Macs with 10.7 (mini) and 10.9 (MB air). Let me know if I
can help using them as guinea piggies
On Thu, Feb 4, 2016 at 11:57 AM, Alexander Bokovoy wrote:
> On Thu, 04 Feb 2016, "Răzvan Corneliu C.R. VILT" wrote:
>>
>>
It's static data. It's a concatenation of multiple strings: a
On Thu, 04 Feb 2016, "Răzvan Corneliu C.R. VILT" wrote:
It's static data. It's a concatenation of multiple strings: a
hard-coded one, the uid and the realm. It only changes if you rename
the user account. It is used to route the authn phase to the Kerberos
account (no PAM configuration!!!).
I
On 02/03/2016 06:02 PM, Ossi Ahosalmi wrote:
> I'm trying to use our organization's wildcard certificate in IPA. Certificate
> is
> signed by a trusted CA.
>
> Running:
> ipa-server-certinstall -w -d
>
> with next combinations:
>
> - separate .key, .crt and ca chain, all in PEM format
> - .crt
On Thu, Feb 04, 2016 at 04:00:50PM +, Baird, Josh wrote:
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
> problem.
>
> Example:
>
> Rule name: TestDBAs
> Description: access for members of the TestDBAs group
> Enabled: TRUE
> Command category: all
> Us
Yeah, this seems strange:
--externaluser=STR      External User the rule applies to (sudorule-find only)
--runasexternaluser=STR
                        External User the commands can run as (sudorule-find
                        only)
--runasexternalgroup=STR
External
That does seem to work for me as well,
however I can only add the external user via the web-gui
Any idea how to do this with the command line tools ?
Rob Verduijn
2016-02-04 17:00 GMT+01:00 Baird, Josh :
> Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
> problem.
>
>
Actually, I use local (external) users in my sudo rules in IPA 4.2 with no
problem.
Example:
Rule name: TestDBAs
Description: access for members of the TestDBAs group
Enabled: TRUE
Command category: all
User Groups: testdbas
Host Groups: corp_oracle
RunAs External User: oracle
In
On Centos7.2 all patches applied I used the command:
ipa-client-install --enable-dns-updates
That configures the client for sudo as well if I'm not mistaken.
Rob Verduijn
2016-02-04 16:45 GMT+01:00 Jakub Hrozek :
> On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> Hello,
>>
>> I'
On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> I am trying to set up a docker image with a specific development
> environment. We use idm 4.2 for authentication, and non-kerberized nfs
> (including home) for data storage on the hosts.
Are the hosts IPA-enrolled?
> The goal is to r
On Centos7.2 all patches applied I used the command:
ipa-client-install --enable-dns-updates
Rob
2016-02-04 16:45 GMT+01:00 Jakub Hrozek :
> On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
>> Hello,
>>
>> I've noticed that the sudorule-add-runasuser no longer has an --external
>> o
On Thu, Feb 04, 2016 at 03:52:25PM +0100, Rob Verduijn wrote:
> Hello,
>
> I've noticed that the sudorule-add-runasuser no longer has an --external
> option
>
> What is the current method to add a local service account to a sudo
> rule list so that users may run sudo as that service account (ie
>
I am trying to set up a docker image with a specific development
environment. We use idm 4.2 for authentication, and non-kerberized nfs
(including home) for data storage on the hosts. The goal is to run the
docker container such that when the user calls docker run, it just drops
into a shell with t
Hello,
I've noticed that the sudorule-add-runasuser no longer has an --external option
What is the current method to add a local service account to a sudo
rule list so that users may run sudo as that service account (ie
apache or jboss)
Cheers
Rob Verduijn
--
Manage your subscription for the Fr
I'm trying to use our organization's wildcard certificate in IPA.
Certificate is signed by a trusted CA.
Running:
ipa-server-certinstall -w -d
with next combinations:
- separate .key, .crt and ca chain, all in PEM format
- .crt and ca bundled into one file, .key as a separate file
- everything
>> It's static data. It's a concatenation of multiple strings: a
>> hard-coded one, the uid and the realm. It only changes if you rename
>> the user account. It is used to route the authn phase to the Kerberos
>> account (no PAM configuration!!!).
> I wonder if we should use CoS plugin to get this
I reran the replica-install and interrupted the script to set debug=1. The
debug log didn't change very much at startup since the failure seems to
occur already in the pre-start selftest. So it is still the same
"java.lang.Exception: SystemCertsVerification: system certs verification
failure"
[04/
On Wed, Feb 03, 2016 at 11:20:01PM +, Nathan Peters wrote:
> We have a FreeIPA 4.1.4 domain running on CentOS 7.1.
>
> We have noticed that from certain machines, sudo is instant, and from others,
> it takes about 5 seconds.
>
> All machines involved can resolve each other through DNS (both
On Wed, Feb 03, 2016 at 11:10:50PM +, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user overrides work.
>
> But they don't when we log into a client host?
>
> What are we doing wrong?
>
> The overrides are in the "Default Trust View" so should be applied to all
>
>> It is probably best to stick with the Apple schema otherwise there could be
>> pain later if something changes, requiring additional mapping.
>
> I wouldn't encourage it for two reasons:
> 1) The Apple schema is designed to be remapped to any other schema. That's
> the point of cn=config. Tha
On Thu, 04 Feb 2016, "Răzvan Corneliu C.R. VILT" wrote:
On 4 feb. 2016, at 12:16, Rob Crittenden wrote:
This is very cool and excellent work!
Thanks. I've done most of the R&D 1 year ago for a client that has a
medium Mac-only network. Since a year passed, I wanted to share my
results in ord
> On 4 feb. 2016, at 12:16, Rob Crittenden wrote:
> This is very cool and excellent work!
Thanks. I've done most of the R&D 1 year ago for a client that has a medium
Mac-only network. Since a year passed, I wanted to share my results in order to
make sure that the information won't be lost or obs
"Răzvan Corneliu C.R. VILT" wrote:
Hi Guys,
I've done a small scale demo of using FreeIPA instead of an Open
Directory Server to serve Apple OS X clients. This is based on my
experiences from one year ago (Ticket #4813). I've also attached some
screenshots.
This is very cool and excellent work
Christopher Young wrote:
Thanks. That's good advice and good to know. I'm going to be trying
to work this into an Ansible role, so having a command listing helps
a lot.
That leads to a curious question if anyone has thought about building
an Ansible module(s) for manipulating FreeIPA objects.
On Wed, Feb 3, 2016 at 8:08 PM, Sumit Bose wrote:
> On Wed, Feb 03, 2016 at 10:29:49AM +1100, Nik Lam wrote:
> > Hello,
> >
> > I installed ipa-server on Centos 7.1 and later did an upgrade of the
> whole
> > system to Centos 7.2.
> >
> > I think the FreeIPA version changed from 4.1.0 to 4.2.0 b
37 matches