Re: [Freeipa-users] Change Password From Web App

2009-08-12 Thread Simo Sorce
On Wed, 2009-08-12 at 13:30 +0200, Mark Hannessen wrote: > Thank you very much, > Sounds perfect to me. > > I am however still running into a problem. > I tried changing the password using MD5 > > $coded = array('userpassword' => "{MD5}" . base64_encode( pack( "H*", md5( > $newpassword ) ) ) );

Re: [Freeipa-users] freeipa V2 release date ?

2009-08-24 Thread Simo Sorce
> roadmap and if so , when it will be release ? Hi Rachid, at the moment we do not have a firm release date yet, but we are working to have something out by winter time. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list

Re: [Freeipa-users] Using FreeIPA as password backend for Samba

2009-09-23 Thread Simo Sorce
On Wed, 2009-09-23 at 10:46 +0200, Tomasz Z. Napierala wrote: > Hi, > > I'm currently deploying IPA in our server infrastructure and I came > across one particular problem. > I have several development servers hooked up to IPA. Devs are locally > developing code on them, accessing it through Samb

Re: [Freeipa-users] slapi-nis installation help

2009-10-08 Thread Simo Sorce
it uses? No and exposing passwords over the network is a particularly bad idea anyways. Can't you use a pam module on your client to perform kerberos authentication instead of compromising all your network accounts for a stupid client ? Simo. -- Simo

Re: [Freeipa-users] slapi-nis installation help

2009-10-12 Thread Simo Sorce
ven write a small howto on the freeipa.org wiki should you feel particularly generous :-) Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] FreeIPA "crashes" after many mystery connections

2009-10-22 Thread Simo Sorce
ight have caused this. Can you check the krb5kdc logs ? dn="uid=kdc,cn=sysaccounts,cn=etc,dc=live,dc=tipp24,dc=net" is the account used by the kdc (in v1). So it looks like the KDC went crazy trying to connect to the ldap server. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] As a non-developer, how can I contribute??

2009-10-23 Thread Simo Sorce
would be really appreciated and so on. You don't need a developer to help, just look at the project and identify a weak area where you think you can contribute and let us know what you plan to do. Simo. -- Simo Sorce * Red Hat, Inc * New York ___

RE: [Freeipa-users] FreeIPA "crashes" after many mystery connections

2009-10-23 Thread Simo Sorce
there ? Simo. -- Simo Sorce * Red Hat, Inc * New York

RE: [Freeipa-users] FreeIPA "crashes" after many mystery connections

2009-10-26 Thread Simo Sorce
On Mon, 2009-10-26 at 08:46 +, Andy Singleton wrote: > As far as I can see, whatever was trying to connect kept trying, and > filling up new slots as they became available until I rebooted. How many clients do you have ? Simo. -- Simo Sorce * Red Hat, Inc * Ne

RE: [Freeipa-users] FreeIPA "crashes" after many mystery connections

2009-10-26 Thread Simo Sorce
't help you further unless we can find what caused so many connections. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Fwd: [Freeipa-users] Library to change expired password

2009-10-31 Thread Simo Sorce
(or direct connection to ldap and ldappasswd operation). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-02 Thread Simo Sorce
On Sun, 2009-11-01 at 22:26 -0500, Dan Scott wrote: > On Sat, Oct 31, 2009 at 12:50, Simo Sorce wrote: > > On Fri, 2009-10-30 at 18:16 -0400, Dan Scott wrote: > >> OK, that makes sense, thanks. But there's still one thing I don't > >> really understand. How

Re: Fwd: [Freeipa-users] Library to change expired password

2009-11-04 Thread Simo Sorce
On Tue, 2009-11-03 at 16:31 -0500, Dan Scott wrote: > Sorry again, forgot to CC the mailing list. > > Dan > > On Tue, Nov 3, 2009 at 16:10, Dan Scott wrote: > > Hi, > > > > On Mon, Nov 2, 2009 at 07:33, Simo Sorce wrote: > >> On Sun, 2009-11-01 at

Re: [Freeipa-users] FreeIPA as a password backend to Samba

2009-12-05 Thread Simo Sorce
I'm just > starting, if somebody says FreeIPA v2 has this already, I don't mind > switching to it. v2 is a bit experimental at the moment. It is great if you want to see what's going on and help testing but it is not production ready. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] LDAP-101

2009-12-08 Thread Simo Sorce
ation settings on the fly. Some apply immediately, some other changes may require a DS restart. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Re: Configuring Client SSH Access Problem

2009-12-09 Thread Simo Sorce
aclient.example.com (This still need passwd.) So you did successfully kinit on the PC and on the Mac ? You can get more info on what is going on by using ssh -vvv Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Cross realm authentication

2009-12-18 Thread Simo Sorce
ers. This second part requires a way to provide the other realm users to your system. At the moment we do not have any automated mechanism in FreeIPA itself or in the client to provide that. We will work on these features next year. Simo. -- Simo Sorce * Re

Re: [Freeipa-users] AD user intergration with IPA

2010-01-11 Thread Simo Sorce
umaraswamy The best way is to provide sudo access for the users you want to grant root privs to. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA master replica generation divorce?

2010-01-13 Thread Simo Sorce
or long times or it will get completely out of sync with the other replicas. Of course, as Rob already pointed out, you may want to add replication channels between replicas so that your master server is not critical for replication if you have to shut it down. Simo. -- Simo Sorce * Red Hat, Inc *

Re: [Freeipa-users] DNS replica setup problem

2010-02-01 Thread Simo Sorce
On Mon, 1 Feb 2010 10:57:35 -0800 Scott Kaminski wrote: > What is it that I'm missing here? Anything in /etc/hosts ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.re

Re: [Freeipa-users] loadbalancer?

2010-02-01 Thread Simo Sorce
cate clients to the LDAP server there should be no other issues. Note that in v2 with sssd as a client we assume we can use SASL/GSSAPI by default, but with current clients/freeipa server we don't. Simo. -- Simo Sorce * Red Hat, Inc * New York _

Re: [Freeipa-users] Needed_Preauth Issue

2010-03-09 Thread Simo Sorce
ssue. If you obtained a ticket for your server and it still falls back to password auth I suggest looking at the server's logs. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
es not change group memberships it only updates the memberof attribute to keep it in sync with the member ones. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] MemberOf plugin keeps disabling account

2010-03-17 Thread Simo Sorce
d 389's memberOf plugin, which should I > enable? > Oh sorry, no I misunderstood. You can't have both enabled they would interfere, only one or the other. The 389 memberof plugin is probably better now, as we merge all the code we developed for ipa in there. But unless you

Re: [Freeipa-users] Password Attribute Syncing Support

2010-03-19 Thread Simo Sorce
ve the right password for both google apps *and* your company resources. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Is sssd currently useable with freeipa v2 ?

2010-05-02 Thread Simo Sorce
tting it up for the first time. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

2010-05-12 Thread Simo Sorce
vpn ? Is it just the fact that tinc allows inbound connections, or is there more ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

2010-05-26 Thread Simo Sorce
to help the effort. Although at the moment we do not have time/resources to start an effort on our own, we may reconsider this after we get 2.0 out of the door. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
kerberos libraries disallowing DES. Try adding allow_weak_crypto = true to your krb5.conf or alternatively rekey your NFS credentials to add RC4/AES keys (rekeying works only if both client and server kernels supporting anything but DES, I think F13's kernels sh

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
On Thu, 27 May 2010 12:27:49 -0400 Simo Sorce wrote: > Tom, apologies, I meant Thomas, not enough sleep I guess :/ Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mail

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
On Thu, 27 May 2010 19:13:47 +0200 Thomas Sailer wrote: > On Thu, 2010-05-27 at 12:27 -0400, Simo Sorce wrote: > > > Try adding allow_weak_crypto = true to your krb5.conf or > > alternatively rekey your NFS credentials to add RC4/AES keys > > (rekeying works only i

Re: [Freeipa-users] NFS4 after client upgrade to Fedora 13

2010-05-27 Thread Simo Sorce
an you check /var/log/audit/audit.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-16 Thread Simo Sorce
re are quite a few things that need to be changed. First of all sambaGroupType is a fixed value, not a counter, so the DNA configuration for it just needs to be removed. Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so the DNS in that configuration are incorrect for v1.2.2, the DN to be use

Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-17 Thread Simo Sorce
utes beyond the default one we set on user/group creation. v2.x should make this possible. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSSD Cache

2010-06-29 Thread Simo Sorce
et the cache by stopping SSSD and deleting the appropriate file in /var/lib/sss/db and restarting SSSD. The db file to be deleted has the domain name (as used in the sssd.conf section tag) in the file name. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSSD Cache

2010-06-30 Thread Simo Sorce
ected by the results of the 'id' command. Ok this is the expected behavior. > Maybe the cache was corrupted? Unlikely, maybe your SSSD went offline and wasn't able to get back online for some reason until you restarted it ? Simo. -- Simo S

Re: [Freeipa-users] about kpasswd on freeIPA

2010-07-18 Thread Simo Sorce
policy that requires you to use a strong password. If you don't like that you will have to alter and relax the password policies. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
a user logs in its information (including its group membership) is refreshed and validated, so at login time the membership is correctly updated for that user across all its groups. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-use

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 15:30:23 -0400 Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce > wrote: > > > On Thu, 22 Jul 2010 11:10:25 -0400 > > Scott Duckworth wrote: > > > > > I removed all files from /var/lib/sss/db/ and restarted sssd. >

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
On Thu, 22 Jul 2010 16:22:45 -0400 Scott Duckworth wrote: > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce wrote: > > > On Thu, 22 Jul 2010 15:30:23 -0400 > > Scott Duckworth wrote: > > > > > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce > > > wrote:

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
listing any one user and a group he is > a member in your server of will be very helpful. > memberof is not required by rfc2307bis. Actually it is not even mentioned by rfc2307bis, so it is our fault if we depend on it. rfc2307bis actually mentions only

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-22 Thread Simo Sorce
ompared to some sites. Scott, can you tell me roughly how many groups you have, and how big they get up to ? Also do you have nested groups (groups containing other groups) ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing lis

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-23 Thread Simo Sorce
gracefully, at least through an option. > If a user has a groupOf/groupMembership attribute pointing to a group > outside of ldap_group_search_base, will this be handled gracefully? Yes, the entry will simply be ignored if not resolvable. Si

Re: [Freeipa-users] SSS problems with eDirectory

2010-07-26 Thread Simo Sorce
on deployments that do not use any form of nesting. The parameter should actually probably be an integer that determines the level of nesting we allow to search at runtime, with 0 meaning none and any other value up to a maximum we define allowing deeper and deeper nesting. Simo. -- Simo S

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Simo Sorce
t as long as you do not put them under the cn=accounts subtree and keep them generally away from any IPA controlled subtree. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Kerberos Password change limitation while behind a NAT

2010-09-30 Thread Simo Sorce
aintext auth (require using SSL) in that case though you will need to know the user DN. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Supporting multiple seperate kerberos providers

2010-09-30 Thread Simo Sorce
t,kdestroy and friends) just do not support it now and tend to wipe out everything. I think I've seen recently something about this so maybe voicing the problem on the "kerberos" (at mit.edu) mailing list may spark a good discussion. On my side I will try to make this pro

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-06 Thread Simo Sorce
> > Does anyone have any pointers/ideas for how I can fix this? Dan, the memberof attribute is explicitly not replicated, and should be simply re-generated on the receiving replica when "member" attributes are replicated. Are the IPA versions on the master and the replica the same

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-07 Thread Simo Sorce
is correct > because otherwise I get 'ldap_simple_bind: Invalid credentials'. > > Thanks, > > Dan Sorry Dan, this kind of task needs to be run with "cn=Directory Manager" credentials I am afraid. Simo. -- Simo Sorce * Red Hat, Inc * New York _

Re: [Freeipa-users] Replica not syncing 'memberOf' attributes

2010-10-07 Thread Simo Sorce
On Thu, 07 Oct 2010 09:20:29 -0600 Rich Megginson wrote: > > > Does IPA have its own memberOf plugin, or is it using the one from > 389? In v1, it had its own memberof plugin. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ F

Re: [Freeipa-users] Secure nfs4 and Fedora 14

2010-11-11 Thread Simo Sorce
n idea why it no longer works? > > What is the current party line with respect to nfs4 encryption types? > The admin guide on the freeipa web page still requires des-cbc-crc. > But MIT Kerberos seems to become increasingly hostile against des. > And yes, I do have allow_weak_crypto

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
ilt against mozldap. We have a patch that should be solving some issues against ipav2, if that checks out we will see if we can backport them to ipa 1.2.2 but it may take a little while. Meanwhile you may want to try to downgrade 389-ds (make sure you backup your data first). Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
On Mon, 06 Dec 2010 18:31:37 +0100 Thomas Sailer wrote: > On Mon, 2010-12-06 at 10:55 -0500, Simo Sorce wrote: > > Hi Simo, > > thanks for your response! > > > We are seeing an issue with F14 DS where it has been built against > > openldap libraries while we st

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-06 Thread Simo Sorce
On Mon, 06 Dec 2010 19:43:29 +0100 Thomas Sailer wrote: > On Mon, 2010-12-06 at 13:35 -0500, Simo Sorce wrote: > > > Keys are stored in ldap and asn.1 encoding is generated using ldap > > libraries before storing it. > > If that operation fails it may generate malformed

Re: [Freeipa-users] krb5 nfs failure between F14 freeipa server and F14 client

2010-12-08 Thread Simo Sorce
On Tue, 07 Dec 2010 10:51:55 +0100 Thomas Sailer wrote: > On Mon, 2010-12-06 at 13:53 -0500, Simo Sorce wrote: > > Hi Simo, > > > I pushed the patch in git just today :) > > Your patch indeed helps :) > > I've adapted it to the fc14 srpm, compiled it, and a

Re: [Freeipa-users] Upgraded server from Fedora 13 to 14: Cannot reset user passwords

2010-12-17 Thread Simo Sorce
ailer has created a backport of the patch and posted a srpm on his fedora people page. We hope to address the issue as soon as possible, but we are short on time in this period. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Unable to access web interface

2010-12-31 Thread Simo Sorce
ython-2.0.0.pre1-0.fc13. > i686 > ipa-admintools-2.0.0.pre1-0.fc13.i686 > ipa-server-2.0.0.pre1-0.fc13.i686 > ipa-client-2.0.0.pre1-0.fc13.i686 > > All my command line still works. > > Thanks for you help > > Ide > > ___

Re: [Freeipa-users] Unable to change Admin password

2011-01-12 Thread Simo Sorce
ng...@mycompany.com for > krbtgt/ mycompany@uzdomain.ca > > The server is freeipa-2.0 -beta and O/S is fedora 13 > > Any help will be greatly appreciated Is ipa_kpasswd running ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Unable to change Admin password

2011-01-17 Thread Simo Sorce
On Wed, 12 Jan 2011 20:02:14 + ide4...@gmail.com wrote: > Yes ipa_kpasswd is running. > > > Sent on the TELUS Mobility network with BlackBerry Can you check it was able to bind to udp ports ? I just noticed it wasn't able to in my fedora 14, and posted a patch. Simo

Re: [Freeipa-users] certificate verify failed - WinSync strangeness - ipa-server-1.2.2-0

2011-01-17 Thread Simo Sorce
; is not defined > > So, can someone give me some advice about where else it may be > reading the certificate from, or how I can do things "the proper way" > for IPA? /etc/ipa/ca.crt is another place where the cert can be found. but for win

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
> PKI-IPA...[ OK ] > > INFO:root:stderr= > unexpected error: DsInstance instance has no attribute 'subject_base' I have opened ticket 807[1] to track this. Would you be available to test a patch ? Simo. [1] https://fedorahosted.org/freeipa/ticket/807 -- Simo Sorce * R

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 09:28:45 -0500 Simo Sorce wrote: > On Wed, 19 Jan 2011 12:52:54 +0530 > Aravind GV wrote: > > > Hi All > > > > Please help me in adding a synchronization agreement. I followed ( > > http://freeipa.org/docs/2.0.0/Installation_Deployme

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-19 Thread Simo Sorce
v stop > INFO:root:stdout=Shutting down dirsrv: > AGV-COM...[ OK ] > PKI-IPA...[ OK ] > > *INFO:root:stderr=* > *unexpected error: 'Env' object has no attribute 'ra_plugin'* > > > > Regards, > AGV > > On Wed, Jan 19, 2

Re: [Freeipa-users] Freeipa-users Digest, Vol 30, Issue 8

2011-01-20 Thread Simo Sorce
(3 given)* I am sorry Aravind, but at the moment I do not have a test environment that lets me test winsync replication. Hopefully this new patch should fix the remaining regressions. Simo. -- Simo Sorce * Red Hat, Inc * New York >From 5c9952b5e166dde222bc8c5433ca97480432a980 Mon Sep 17 00:

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Simo Sorce
e how to go > about validating this assertion. I have not tried to restart the ipa > services on the working server for fear that it might stop working. Do you see errors in /var/log/krb5kdc.log ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Simo Sorce
On Tue, 25 Jan 2011 14:33:14 -0500 James Roman wrote: > On 01/25/2011 12:42 PM, Simo Sorce wrote: > > On Tue, 25 Jan 2011 12:04:25 -0500 > > James Roman wrote: > > > >> I noticed today that one of our FreeIPA 1.2.2 servers has stopped > >> issuing tickets

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-25 Thread Simo Sorce
On Tue, 25 Jan 2011 15:58:35 -0500 James Roman wrote: > On 1/25/11 2:44 PM, Simo Sorce wrote: > > On Tue, 25 Jan 2011 14:33:14 -0500 > > James Roman wrote: > > > >> On 01/25/2011 12:42 PM, Simo Sorce wrote: > >>> On Tue, 25 Jan 2011 12:04:25 -0500

Re: [Freeipa-users] admin password

2011-01-27 Thread Simo Sorce
On Thu, 2011-01-27 at 09:09 -0500, Uzor Ide wrote: > Hi all > > How do I make admin password not to expire immediately after changing > it? It is always set to expire even if you use kpasswd to change it ? Simo. -- Simo Sorce * Red Hat, In

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-27 Thread Simo Sorce
h with directory manager the accounts on both servers, do you get back an identical userPassword field ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
On Thu, 27 Jan 2011 19:20:02 -0500 James Roman wrote: > On 1/27/11 12:58 PM, Simo Sorce wrote: > > On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote: > >> So it looks like the replication password issue was a red herring > >> as far as the kerberos is concerned. I i

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
c was not "protected" against it. In v2 we perfected the pw policies check so that the kerberos policies covers also binds done against DS directly. I also am adding a patch so that uid=kdc is protected in case DS policy is enabled nonetheless for whatever reason. Simo. -- Simo S

Re: [Freeipa-users] Unable to start the krb5kdc

2011-01-28 Thread Simo Sorce
On Fri, 28 Jan 2011 17:39:14 -0500 James Roman wrote: > On 01/28/2011 10:39 AM, Simo Sorce wrote: > > > > First of all. > > I am glad this was resolved, it looked puzzling indeed. > > > > I just want to note that we do not support using the DS password > >

Re: [Freeipa-users] IPA server certificate update and "Directory Manager" password

2011-02-01 Thread Simo Sorce
te the users/host/services data by using the ipa user-add/host-add/service-add commands. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-02 Thread Simo Sorce
to the latest bits. > > Can I upgrade from Beta-1 to Beta-2, or are they incompatible? There are small incompatibilities, some new schema and some changes to the DIT. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing

Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-02 Thread Simo Sorce
On Wed, 2 Feb 2011 09:28:38 -0500 Peter Doherty wrote: > > On Feb 2, 2011, at 09:09 , Simo Sorce wrote: > > > On Tue, 1 Feb 2011 22:30:50 -0500 > > Peter Doherty wrote: > > > >> > >> On Feb 1, 2011, at 15:04 , Dmitri Pal wrote: > >>>

Re: [Freeipa-users] FreeIPA future releases.

2011-02-04 Thread Simo Sorce
to update any entry. However we will evaluate whether integrating DHCP is something we can do for a future release, or maybe something people are willing to contribute. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailin

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-09 Thread Simo Sorce
the time on your client is not within 5 min. of the time on the KDC. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Simo Sorce
On Wed, 9 Feb 2011 16:13:39 + Brett Maton wrote: > I can't get a Windows 7 client to authenticate against Freeipa (ver > 2.0.0.pre2) running on Fedora 14. Brett, can you tell me what krb5-server package do you have installed ? Simo. -- Simo Sorce * Red Hat, Inc

Re: [Freeipa-users] limit access to a specific CN

2011-02-15 Thread Simo Sorce
DAP and set up apache > to bind and auth against that. But I also want a seperate ldap > admin account that can only edit this section, and not the rest of > the FreeIPA data. > Thanks. It is possible to do using LDAP tools and then setting an ACI on the container to give the user you

Re: [Freeipa-users] 389 DS server closing connection after upgrade from Fedora 12 to 13

2011-02-21 Thread Simo Sorce
ffect everyone but afaik the lock-up bug has been fixed in the 1.2.8 alphas. You may want to try to upgrade 389ds with the version in updates-testing and see if that fixes this problem. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users ma

Re: [Freeipa-users] Announcing FreeIPA v2 Server Release Candidate 2 Release

2011-03-01 Thread Simo Sorce
> # > # LDAPv3 > # base with scope oneLevel > # filter: (objectclass=*) > # requesting: dn > # > > # search result > search: 2 > result: 32 No such object What is the realm name you choose ? > # numResponses: 1 > [root@fed14-64-ipam001 /]# > > fed14-64-

Re: [Freeipa-users] Time bug

2011-03-04 Thread Simo Sorce
this might not be helping with my issues as all my machines > think it's NZST while the IPA master server's software might be > thinking they are telling it April? hence security certificates etc > go "boom"? No, it is just a display issue in the UI, internally all software

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-08 Thread Simo Sorce
> > > > 8><- > >> > >> > >> > >> > > Looks like you have no host key in the keytab. That's the root of the > problem. Seems like IPA-client-install failed to populate it. Rob, do > you have any i

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
ntil the services are restarted. Just pointing out this fact as a help point for other users testing ipa-client-install in future. Simo. -- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-10 Thread Simo Sorce
been a problem if sssd just used the first key in the keytab instead of trying to guess the principal name in advance. (Yeah being stingy, no pressure Stephen :-) Simo. -- Simo Sorce * Red Hat, Inc. * New York

Re: [Freeipa-users] Sync with AD error

2011-03-13 Thread Simo Sorce
>> Siggi > >> > >> _______ > >> Freeipa-users mailing list > >> Freeipa-users@redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> > >> > > > > > Hi, > > I upgraded in place. I did the initial installation on the 12th of > February. I think I started out with the first RC. Do I still have to > reinstall? Have you run ipa-ldap-updater after the rpm upgrade ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] Delete AD replica failure

2011-03-21 Thread Simo Sorce
is intended behavior or a bug? Intended, to remove the AD replication link you need to 'disconnect' the AD server. Use: ipa-replica-manage disconnect dc01.ad.nowhere.com > After re-creating the sync agreement with the win-subtree option, IPA > synced with AD successfully. Great, Simo.

Re: [Freeipa-users] ipa client install

2011-03-24 Thread Simo Sorce
ses certmonger to get an SSL > server cert. This last step is done as a convenience, it otherwise > isn't used by IPA. But if you wanted to setup an HTTP server that > uses the same PKI as IPA you'd have a certificate and key available. > > cheers -- Simo Sorce * Red Hat,

Re: [Freeipa-users] NIS/local files to IPA migration

2011-04-03 Thread Simo Sorce
entention time of 10 years > for backups. That's quite some time to keep a mapping table over > new/old uids/gids. > > Third, we would need to map our applications to see if any of them > store or use the GID. > > As you can see, migrating to IPA just became a much more ti

Re: [Freeipa-users] Questions from Steven Jones

2011-05-03 Thread Simo Sorce
eros and DNS interrelate and how to change client configuration if you choose different strategies. Password syncing will have no problems related to DNS names, except, perhaps for the need to change your SSL certificate (as X509 certs for SSL embed the hostname of the server). Simo. -- Simo Sorce *

Re: [Freeipa-users] extending FreeIPA

2011-05-06 Thread Simo Sorce
teAddress attribute such that it shows as a > field in the WebUI? I will let Adam reply to this one. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-12 Thread Simo Sorce
e configuration instructions for other platforms, I am sure the community can hack-up scripts to use them if instructions are not enough. We can also host them if someone wants to contribute. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-use

Re: [Freeipa-users] RHEL client to IPA

2011-05-13 Thread Simo Sorce
> The second -p overrides the first. And also probably changed the "admin" password to rubbish. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] IPA Startup issues

2011-05-16 Thread Simo Sorce
cause. Can you open a bug in the freeipa trac with logs showing that service is responsible for the failure ? Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Simo Sorce
On Wed, 2011-05-18 at 03:18 +, Steven Jones wrote: > I'm getting, > > "SASL bind failed!" As I said earlier this is happening because you changed the admin password with a random secret when you passed -p admin in the previous attempt. Simo. -- Simo Sorce * Red

Re: [Freeipa-users] RHEL client to IPA

2011-05-18 Thread Simo Sorce
On Wed, 2011-05-18 at 20:30 +, Steven Jones wrote: > Which is why I asked rob how to reset it which I didso its not > that?..at least it makes no obvious sense that it is? Once you reset the password as Rob told you all is fine again. Simo. -- Simo Sorce * Red Hat, Inc * Ne

Re: [Freeipa-users] IPA server as a DNS server and design things

2011-05-18 Thread Simo Sorce
ackends..or user areas where I can't do > that... It is not necessary, although I would recommend that you properly set the ptr records at least for your servers in the DNS that is managing your reverse zones. Simo. -- Simo Sorce * Red Hat, Inc * New York

Re: [Freeipa-users] help! IPA server she explode!

2011-05-19 Thread Simo Sorce
On Thu, 2011-05-19 at 01:41 +, Steven Jones wrote: > I have an internal ajax error! > > :( > > the logs say, Ping me later on IRC, I'd like you to run some commands, and it will be easier done interactively. Simo. ___ Freeipa-users mailing list

Re: [Freeipa-users] Clients are reading AD info inconsistently

2015-03-25 Thread Simo Sorce
> Stopping sssd: [ OK ] > Starting sssd: [ OK ] > # id 'MIDD\juser' > id: MIDD\juser: No such user > > David Guertin > This is normal, users are "loaded in" when they actually try to Log In. Simo. -

Re: [Freeipa-users] Is systemd really a requirement for freeipa 4.x?

2015-03-26 Thread Simo Sorce
d in using SELinux. HTH, Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
