Hi all,
"Because I can try" I gave a shot on installing freeipa-server on
a Raspberry Pi 2. I used Fedora 21 for this. Installing looks
promising, but fails somewhere halfway:
[8/27]: starting certificate
server instance
[error]
s: "CA did not start in 300.0s"
I might try to hack the services.py script but anyone got another
suggestion?
Kind regards,
Winfried
On 02-04-15 at 13:38, Martin Basti wrote:
On 02/04/15 12:53, Wi
/usr/lib/python2.7/site-packages/ipalib/constants.py
Modify file and run ipa-server-install, it should work.
HTH
Martin
On 07/04/15 10:05, Winfried de Heiden wrote:
Hi,
I gave it a try, but neit
Hi all,
One of the nice FreeIPA features is a host will be added to DNS
automatically when the client is installed. However, in some situations
using another, external, DNS server is preferred. Now, this is possible but
hosts have to be added manually to this other DNS-server.
Is it possible to h
Hi all,
Creating an AD-trust works nicely. However, for some customers
both AD and IPA don't have DNS "for their own", they use
external DNS (Infoblox for example)
Now, is it possible to create an AD trust without a built-in
(bind) IPA-DNS?
Hi all,
Playing around with freeipa on Fedora 22 after installing I cannot
access the UI. Firefox will tell
"sec_error_reused_issuer_and_serial".
I already have a Freeipa (Fedora 21 based) and somewhere there
seems to be a conflict in the cer
ate name (generated
automatically during install) is the same on both and because the domain
matches then firefox throws the ssl warning.
I have the same thing in my environments for production and dr where the domain
name is the same in both.
Regards,
Les
From: freeipa-users-boun...@redhat.c
9, 2016 at 08:16:13AM +0200, Winfried de Heiden wrote:
Hi all,
I can install libverto-libev but removing libverto-tevent will remove 123
dependencies also. (wget, tomcat and much more...)
Hence, I installed libverto-libev, but did not remove libverto-tevent to give
it a try. After ipactl restart
eview: https://github.com/krb5/krb5/pull/471
Once merged, we will backport the fix into all existing Fedora
releases. So you should get an update via a simple: dnf update.
On Thu, 2016-06-16 at 10:28 +0200, Winfried de Heiden wrote:
Hi all,
"So it looks a bit like a libverto 3
Hi all,
Started as "just because it's possible" running FreeIPA on a
BananaPI or Raspberry PI turned out to be rather successful
and for more than a year I use FreeIPA at home.
OK, running on small boards like Raspberry PI it never wil
Hi all,
Bugzilla created:
https://bugzilla.redhat.com/show_bug.cgi?id=1400462
Winfried
On 01-12-16 at 09:19, Petr Spacek wrote:
On 1.12.2016 09:07, Winfried de Heiden wrote:
Hi all,
Started as
Hi all,
In order for an external application to communicate with IPA and/or modify
on (free)Ipa, we want to use the JSON API.
Where can I find documentation how to use this API?
Thankz!
Winny
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/li
Hi all,
For some reason, we only want to use the Active Directory user
from an Active Directory using a Trust. (groups like "Domain
Users" are of no use...)
Is it possible to ignore (hide) ALL groups from a particular
Domain (trust)/
/2015 10:50 AM, Winfried de Heiden wrote:
Hi all,
For some reason, we only want to use the Active Directory user from an Active
Directory using a Trust. (groups like "Domain Users" are of no use...)
Is it possible to ignore (hide) ALL groups from a particular Domain
Hi all,
I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
# ipa hbacrule-show testuser
Rule name: testuser
Enabled: TRUE
Users: testuser
Hosts: fedora23-server.blabla.bla
Services: sshd
Hence, " te
On Mon, Nov 23, 2015 at 04:55:31PM +0100, Winfried de Heiden wrote:
Hi all,
I created some hbac rule on freeipa-server 4.1.4 on Fedora 22
# ipa hbacrule-show testuser
Rule name: testuser
Enabled: TRUE
Users: testuser
Hosts: fedora23-server.blabla.bla
Hi all,
Running as an ordinary user, straight from the beginning.
Is the (default) suid of /usr/bin/su causing this?
Anyway: the info requested:
/var/log/secure will tell:
Nov 24 11:04:11 fedora23-server su: pam_systemd(su:sessio
rspective, all other HBAC
services are what this user is allowed to do; "su" and "su-l" define that
OTHER users may become this user by using su.
A bit strange, but this is how it works. Anyone disagree?
Winny
On 24-11-15 at 14:04, Jakub Hrozek wrote:
On Tue, Nov 24, 2015
Hi all,
Using a RHEL or Centos 5.11 as a legacy client (using sssd) seems
to work.
I created an external group which is member of a posix group.
Putting an AD user in the external group works, but it seems to
take ages before it takes effect.
Hi all,
Using entry_cache_timeout to set different cache timeout for sssd
works well. However, it doesn't seem to work for Trusted Domain
Users (using AD trust)
I made some changes, cleaned the cache but expiry will stay on a
(too long) 10 (ten
:
On 12/09/2015 12:58 PM, Winfried de Heiden wrote:
Hi all,
Using entry_cache_timeout to set different cache timeout for sssd works well.
However, it doesn't seem to work for Trusted Domain Users (using AD trust)
I made some changes, cleaned the cache but expiry
Using an EL7 client, lots of times the IPA
(posix) groups are missing, or partly missing. Doing some
debugging, sssd_pac.log shows:
(Mon Dec 14 17:19:08 2015)
[sssd[pac]] [pac_user_get_grp_info] (0x2000): Group with SID
[S-1-5-21-1802245919-297953600
1.13.0-40 as an IPA client
RHEL 6.7 with sssd 1.12.4-47 as an IPA client
Winny
On 15-12-15 at 09:59, Sumit Bose wrote:
On Mon, Dec 14, 2015 at 05:47:38PM +0100, Winfried de Heiden wrote:
Using an EL7 client, lots of times the IPA (
n Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
Hi all,
Even more strange, logging in using SSH public/private keys the problem
disappears and all groups are available!
Strange.?!
this is expected, because if you use SSH keys no PAC is involved
15-12-15 om 16:19 schreef Sumit
Bose:
On Tue, Dec 15, 2015 at 03:44:46PM +0100, Winfried de Heiden wrote:
Hi all,
Even more strange, logging in using SSH public/private keys the problem
disappears and all groups are available!
Strange
Hi all,
Adding AD-users to an IPA external group seems to be problematic.
However, adding AD-groups (with AD-users as members) to an IPA
external group seems to work well. Four groups were created and
all are shown.
Smells a bit like a bug, does'
n out...?
Cheers!
Winny
On 16-12-15 at 10:01, Sumit Bose wrote:
On Wed, Dec 16, 2015 at 09:46:37AM +0100, Winfried de Heiden wrote:
Hi all,
Adding AD-users to an IPA external group seems to be problematic. However,
adding AD-groups (with AD-use
Hi all,
I configured an IPA client using the FreeIPA 4.2 KDC Proxy
something like this:
~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
Great,
Changing
/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
to
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true
along with adding the
"RHEL 6.x libkrb5 has no support for KDC proxy"
Too bad, I was afraid of that
Winny
On 25-01-16 at 08:36, Alexander Bokovoy wrote:
HEL 6.x libkrb5 has no support for KDC proxy
OK clear, many thanks!
Winny
On 25-01-16 at 09:45, Christian Heimes wrote:
On 2016-01-25 08:17, Winfried de Heiden wrote:
Great,
Changing
/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
to
# cat /etc
Hi all,
I'm trying to enable OTP:
- Enabled "Two factor authentication (password + OTP)" for a
particular user.
- Added an OTP token, FreeOTP on an Android that is, for the user
which all went fine.
Trying to login will fail. After
Hi all,
Using an Active Directory Trust with IPA all works fine but
there's a disadvantage: it might bring in lots and lots of groups
I am not interested in since it mainly hits Windows and/or Office
stuff.
Now, is it possible to filter AD-grou
> Settings) by using the SID?
Winny
On 10-02-16 at 09:42, Jakub Hrozek wrote:
On Tue, Feb 09, 2016 at 11:58:46AM +0100, Winfried de Heiden wrote:
Hi all,
Using an Active Directory Trust with IPA all works fine but there's a
Hi all,
I get lots of messages in my log (journalctl -u
named-pkcs11.service -p err ) like these:
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone
example.com/IN (signed): could not get zone keys for secure
dynamic update
Feb 22
the current
DNS)
Winny
Op 22-02-16 om 11:10 schreef Petr
Spaceopendnssec
On 22.2.2016 09:36, Winfried de Heiden wrote:
Hi all,
I get lots of messages in my log (journalctl -u named-pkcs11.service -p err )
like these:
Feb 22
16 14:02, Winfried de Heiden wrote:
Hi all,
Following
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
most useful. It turned out the package "freeipa-server-dns" was missing.
Strange, I am running DNS, but...:
* I upgraded from Fedora 22
16 14:18, Winfried de Heiden wrote:
Hi all,
And so did I, following
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
ipa-dns-install --dnssec-master
The log file for this installation can be found in /var/log/ipaserver-instal
4, I curious to test
Kind regards,
Winny
On 30-05-16 at 17:54, Jakub Hrozek wrote:
On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote:
On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:
Can't wait!
Winny
On 30-05-16 at 18:39, Martin Basti wrote:
On 30.05.2016 18:16, Winfried de
Heiden wrote:
Hi all,
Thanks for the quick answer even though I
..?
Just curious!
Winny
On 30-05-16 at 18:39, Martin Basti wrote:
On 30.05.2016 18:16, Winfried de
Heiden wrote:
Hi all,
Thanks for the quick answer even though I
Hi all,
I am trying to setup Freeipa with otp using the freeotp app. All
looks fine, adding the user to the FreeOTP app also works fine.
The user looks like:
ipa user-show otpuser
User login: otpuser
First name: otp
Last nam
Hi all,
I tried the FreeIPA webUI, ssh and "su -
otpuser", all the same result.
Winny
On 07-06-16 at 15:02, Alexander Bokovoy wrote:
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
Winny
On 07-06-16 at 16:13, Alexander Bokovoy wrote:
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I tried the FreeIPA webUI, ssh and "su - otpuser", all the same
result.
device that is generating the OTP tokens. I have had
issues with this with my users couple of times.
On 7 June 2016 at 19:43, Alexander
Bokovoy <aboko...@redhat.com>
wrote:
On Tue, 07 Jun 2016, Winfried de Heiden
No, neither HOTP works...
On 07-06-16 at 17:09, Prashant Bapat wrote:
Do HOTP tokens work fine ?
On 7 June 2016 at 20:37, Winfried de
Heiden <w...@dds.nl>
p 07-06-16 om 19:15 schreef Nathaniel
McCallum:
On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote:
Adding Nathaniel to look into it.
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
And some more debugging for you guys...:
un 7 17
hreef Winfried
de Heiden:
Hi all,
Well, the libverto is there some time
already (yep, it's running on a Bananapi!), doesn't feel like a
recent update, so a
Name : libverto
Version : 0.2.6
Hi all,
Any news/progress about FreeIPA 4.4?
On http://www.freeipa.org/page/Roadmap: FreeIPA 4.4: feature
release. Release planned for end of May 2016.
Any updated release date...?
Winny
ow what libverto *backend* you are using. Please
provide the output from this command: rpm -qa 'libverto*' 'krb5*'
On Wed, 2016-06-08 at 08:34 +0200, Winfried de Heiden wrote:
Hi all,
Well, the libverto is there some time already (yep, it's running on
a Bana
Winny
On 08-06-16 at 19:15, Nathaniel McCallum wrote:
Can you please try:
# dnf install libverto-libev
# dnf remove libverto-tevent
# ipactl restart
On Wed, 2016-06-08 at 18:30 +0200, Winfried de Heiden wrote:
Well, here you are:
rpm -qa 'l
Winny
On 09-06-16 at 18:51, Sumit Bose wrote:
On Thu, Jun 09, 2016 at 08:42:59AM -0400, Nathaniel McCallum wrote:
On Thu, 2016-06-09 at 10:46 +0200, Sumit Bose wrote:
On Thu, Jun 09, 2016 at 08:16:13AM +0200, Winf