Re: [Freeipa-users] Stale NFS file handle
You can get authentication failure if the user's home is on a NFS which is failing to re-mount. The stale NFS handle usually means the NFS server changed fsid of the exported volume after its reboot. This usually happens if you are exporting a LVM partition via NFS. The workaround is to specify fsid of the exported volume manually in /etc/exports HTH, Ondrej On 09/12/2012 08:26 PM, george he wrote: Hello, My ipa server and my nfs server are the same machine running centos 6.3. The server was accidentally down and rebooted. But then I got authentication failsure on some clients when tried to log on through gdm, and blue screen (no desktop, no panels) on some others. On some clients that I was on before the server was downthe, I got Stale NFS file handle. Yet on some other clients, everything is fine. All clients are running centos 6.3, too. Is there a way (e.g. restarting some services) to get the above problems away instead of rebooting the clients? Thanks, George ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPA 2.2 and windows clients with MIT kerberos distribution
Hi all, Some days ago i've said on freeipa IRC channel that the documentation on freeipa + apache + SNI (located here http://freeipa.org/page/Apache_SNI_With_Kerberos) was wrong. I've set up a apache server with SNI and tested sso with mit kerberos on windows 7 64bits + firefox . On my windows 7 client, sso don't work if i set dummyhost apache virtualhost Krb5KeyTab and KrbServiceName, but works if Krb5KeyTab and KrbServiceName are those of real host. This behavior is reversed with fedora 17 + firefox client: sso works only if dummyhost apache virtualhost Krb5KeyTab and KrbServiceName are those of the dummyhost. So, the conclusion is: the documentation is good for linux clients (at least on fedora 17 + firefox), but not for windows clients I think it will be good to have the same behavior on linux and windows client because it will be painful in cross platform environments if it stay as this. rcrit said on IRC that you are working on v3 at this time, it will be good to know if the v3.0 have the same behavior, but i don't have resources at this time to setup another test environment with v3 beta. Detailed test configuration: (see attached apache config extract for virtualhost configuration) IPA server: OS: CentOS 6.3 IPA: ipa-server.x86_64 2.2.0-16.el6 389 ds: 389-ds-base.x86_64 1.2.10.2-20.el6_3 IPA Realm: EXAMPLE.COM Apache SNI server: OS: CentOS 6.3 real hostname: projects.foo.example.com dummy host 1: svn.example.com dummy host 2: redmine.example.com [...] Windows client: OS: Windows 7 64Bits. Browser: Firefox 15.0.1, 14.0.x (32bits) MIT Kerberos dist: 3.2.2 (32bits) (http://web.mit.edu/kerberos/dist/) GNU/Linux client: OS: Fedora 17 x86_64 Browser: Firefox 15 (latest provided by fedora) Kerberos: (latest provided by fedora) Have a nice day. Regards. Baptiste. works_with_linux_clients.conf Description: Binary data works_with_windows7_clients.conf Description: Binary data ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Questions about FreeIPA vs 389DS
Hello all, It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff, after reading the project documentation and several mail messages in the archives I still have some unanswered questions so I would be very grateful if list members could answer the following doubts. I need use services in an Active Directory environment and the WinSync solution has important limitations, the MODRDN operation is not handled correctly losing the relation with AD objects (it delete and add the entry so a new SID and GUID is assigned), the upcoming IPAv3 Trust feature seems very promising because AFAIK no sinchronization is necessary, but by using IPA it seems very restrictive to support current applications which need a LDAP hierarchical tree, custom schema with custom objectclassess and attributes, custom ACLs for applications.. I know about Directory Server virtual views, but I'm worried about the consequences of low level manipulation of the FreeIPA Directory Server instance. So how others are solving this paradox? they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS? they add custom schemas to FreeIPA 389DS? the do low level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...? what about upgrades after this modifications were done? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] clients very slow
Hello Everyone, I work at a small university and I deployed freeIPA on my Linux network over the summer break with no (known) problems, and everything worked as expected. However, now that the semester has started and the Linux system is under a much higher load, I am noticing that my client machines will randomly slow to a crawl. For example, I have a lab of 25 machines. The students can log in ok, but after a time, a few of the machines will freeze so that the users on those machines cannot do anything. After a few minutes, the frozen machines will unfreeze, but other machines will freeze up. I can't see any pattern to what machines freeze up. I did not have this problem when running NIS, so I suspect it is something in freeIPA but I am not sure what to look for to solve the problem. Probably a setting somewhere needs tweaked but I don't know. The server and clients all run Scientific Linux 6.2. Can anyone help me troubleshoot this? Thanks! Dave +++ David Fitzgerald Department of Earth Sciences Millersville University Millersville, PA 17551 Phone: 717-871-2394 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] IPA Automount cross-location support
Hi, I opened a request a while ago for Automount cross-location support. https://bugzilla.redhat.com/show_bug.cgi?id=768177 https://fedorahosted.org/freeipa/ticket/1699# I see from the comments that it's uncertain how this can be implemented. Could the Virtual Views in 389-ds be used to implement this the cross location maps? I'm picturing the ability to add a virtual automount map to an automount location, where you select an existing map from one of the other automount locations to display. All changes to the map will be done in the original map in it's orignal automount location, but it will be displayed in both automount locations. Any thoughts to that solution? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Automount cross-location support
Sorry, the parameter mentioned below has already been implemented :-) On 09/13/2012 04:12 PM, Ondrej Valousek wrote: I guess the easiest implementation would be using pre-defined variable in automount map names. The variable would be then defined by an automount process using the -D parameter. The other option (maybe easier) would be to ask sssd developers to add another option to sssd - say: ldap_autofs_search_base so you could specify a different search base for every site Ondrej On 09/13/2012 03:55 PM, Sigbjorn Lie wrote: Hi, I opened a request a while ago for Automount cross-location support. https://bugzilla.redhat.com/show_bug.cgi?id=768177 https://fedorahosted.org/freeipa/ticket/1699# I see from the comments that it's uncertain how this can be implemented. Could the Virtual Views in 389-ds be used to implement this the cross location maps? I'm picturing the ability to add a virtual automount map to an automount location, where you select an existing map from one of the other automount locations to display. All changes to the map will be done in the original map in it's orignal automount location, but it will be displayed in both automount locations. Any thoughts to that solution? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Automount cross-location support
Ondrej Valousek wrote: Sorry, the parameter mentioned below has already been implemented :-) He wants to be able to share a common set of maps between locations rather than having to duplicate them across each location. We're limited by the LDAP clients at this point because they just query a basedn and can't really do anything complex. Using a virtual view is one of the options we've considered, but honestly we haven't spent a lot of time looking into this yet. The problem with trying to virtually add things to a location is it could get very complex very quickly and either hamper performance, debugging, or both very quickly. regards rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Automount cross-location support
Hi, That still only supports one automount location. Currently, a map has to be redefined in every automount location if the same map is to be used for several locations. My request is to be able to share maps between the automount locations, as well as having the per location maps available today. Regards, Siggi On Thu, September 13, 2012 16:24, Ondrej Valousek wrote: Sorry, the parameter mentioned below has already been implemented :-) On 09/13/2012 04:12 PM, Ondrej Valousek wrote: I guess the easiest implementation would be using pre-defined variable in automount map names. The variable would be then defined by an automount process using the -D parameter. The other option (maybe easier) would be to ask sssd developers to add another option to sssd - say: ldap_autofs_search_base so you could specify a different search base for every site Ondrej On 09/13/2012 03:55 PM, Sigbjorn Lie wrote: Hi, I opened a request a while ago for Automount cross-location support. https://bugzilla.redhat.com/show_bug.cgi?id=768177 https://fedorahosted.org/freeipa/ticket/1699# I see from the comments that it's uncertain how this can be implemented. Could the Virtual Views in 389-ds be used to implement this the cross location maps? I'm picturing the ability to add a virtual automount map to an automount location, where you select an existing map from one of the other automount locations to display. All changes to the map will be done in the original map in it's orignal automount location, but it will be displayed in both automount locations. Any thoughts to that solution? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Questions about FreeIPA vs 389DS
On 09/13/2012 07:01 AM, mailing lists wrote: Hello all, It is difficult for newcomers to cope with all this 389DS/FreeIPA stuff, after reading the project documentation and several mail messages in the archives I still have some unanswered questions so I would be very grateful if list members could answer the following doubts. I need use services in an Active Directory environment and the WinSync solution has important limitations, the MODRDN operation is not handled correctly losing the relation with AD objects (it delete and add the entry so a new SID and GUID is assigned), What version of 389-ds-base are you using? the upcoming IPAv3 Trust feature seems very promising because AFAIK no sinchronization is necessary, but by using IPA it seems very restrictive to support current applications which need a LDAP hierarchical tree, custom schema with custom objectclassess and attributes, custom ACLs for applications.. I know about Directory Server virtual views, but I'm worried about the consequences of low level manipulation of the FreeIPA Directory Server instance. So how others are solving this paradox? they run 389DS with (fractional) replication towards (or from) FreeIPA 389DS? they add custom schemas to FreeIPA 389DS? the do low level manipulation of FreeIPA 389DS for ACLs, plugin activation, ...? what about upgrades after this modifications were done? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
Hi, why are legit users including those in the admin group out of scope? and how do I put legit users in scope? and why doesnt the winsync doc section at least comment (obviously) that I have to change scopes? kind of bad news when I lose all my users... regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 14 September 2012 12:30 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
Hi, Do you not think that maybe the winsync feature shouldnt then be disabled until its fix makes it to RHEL6 production tree? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rich Megginson [rmegg...@redhat.com] Sent: Friday, 14 September 2012 2:56 a.m. To: Rob Crittenden Cc: Steven Jones; freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement On 09/13/2012 06:30 AM, Rob Crittenden wrote: Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing https://fedorahosted.org/389/ticket/355 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
On 09/13/2012 02:39 PM, Steven Jones wrote: Hi, why are legit users including those in the admin group out of scope? They are out of scope of the winsync agreement. Let's say you have in AD cn=Users,dc=example,dc=com cn=Adminusers,dc=example,dc=com and in IPA cn=users,cn=accounts,dc=example,dc=com and you set up your winsync agreement as nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com That is, you want users in cn=Users,dc=example,dc=com to be in sync with cn=users,cn=accounts,dc=example,dc=com IPA uses a flat dit - users are grouped not by hierarchy but by attributes, as opposed to AD which uses hierarchies for grouping. So IPA flattens hierarchies when it syncs users from AD to DS. Let's say you have cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith and uid=jsmith,cn=Users,dc=example,dc=com because of the way that winsync works, it will think because the AD entry and the IPA have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence https://fedorahosted.org/389/ticket/355 But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user? and how do I put legit users in scope? ? and why doesnt the winsync doc section at least comment (obviously) that I have to change scopes? change scopes? kind of bad news when I lose all my users... indeed regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rob Crittenden [rcrit...@redhat.com] Sent: Friday, 14 September 2012 12:30 a.m. To: Steven Jones Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
On 09/13/2012 02:53 PM, Steven Jones wrote: Hi, Do you not think that maybe the winsync feature shouldnt then be disabled until its fix makes it to RHEL6 production tree? will be fixed in RHEL 6.4 - not sure what you mean by RHEL6 production tree regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rich Megginson [rmegg...@redhat.com] Sent: Friday, 14 September 2012 2:56 a.m. To: Rob Crittenden Cc: Steven Jones; freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement On 09/13/2012 06:30 AM, Rob Crittenden wrote: Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing https://fedorahosted.org/389/ticket/355 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
On 09/13/2012 03:18 PM, Steven Jones wrote: with win-subtree can i specify more than one cn? for instance, --win-subtree cn=Staff,$SUFFIX,cn=admins,$SUFFIX or can I say, cn=$SUFFIX ? no regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 14 September 2012 8:53 a.m. Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement Hi, Do you not think that maybe the winsync feature shouldnt then be disabled until its fix makes it to RHEL6 production tree? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 From: Rich Megginson [rmegg...@redhat.com] Sent: Friday, 14 September 2012 2:56 a.m. To: Rob Crittenden Cc: Steven Jones; freeipa-users@redhat.com Subject: Re: [Freeipa-users] winsync agreement On 09/13/2012 06:30 AM, Rob Crittenden wrote: Steven Jones wrote: I just setup a winsync agreement expect its wiped any IPA user that also exists in AD. Is this expected? if so how do I stop it doing that? The 389-ds winsync plugin is deleting entries that appear to be out of scope, https://fedorahosted.org/freeipa/ticket/2927 This is fixed in 389-ds-base 1.2.11.12 and later - 1.2.11.14 is in updates testing https://fedorahosted.org/389/ticket/355 rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
Hi, So I have 6.3 and just lost all my IPA users. So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all their IPA users if they do a winsync agreement and dont twig to that option being essential if they dont have a std AD. Not only that my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users admins being elsewhere would have gone bye bye anyway. Luckily I hadnt disabled the admin account yet.it was the only one left. I guess this stuff is a lot more complex than it looks. :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 8- will be fixed in RHEL 6.4 - not sure what you mean by RHEL6 production tree 8 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] winsync agreement
On 09/13/2012 05:11 PM, Steven Jones wrote: Hi, So I have 6.3 and just lost all my IPA users. In production or in a test environment? So anyone on 6.2/6.3 until they upgrade after December's 6.4 could lose all their IPA users if they do a winsync agreement and dont twig to that option being essential if they dont have a std AD. Please explain std AD. Not only that my admins are in a separate OU, so even if I had done a --win-subtree=cn=staff_users admins being elsewhere would have gone bye bye anyway. Let's say you have in AD cn=Users,dc=example,dc=com cn=Adminusers,dc=example,dc=com and in IPA cn=users,cn=accounts,dc=example,dc=com and you set up your winsync agreement as nsds7WindowsReplicaSubtree: cn=Users,dc=example,dc=com nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=example,dc=com That is, you want users in cn=Users,dc=example,dc=com to be in sync with cn=users,cn=accounts,dc=example,dc=com IPA uses a flat dit - users are grouped not by hierarchy but by attributes, as opposed to AD which uses hierarchies for grouping. So IPA flattens hierarchies when it syncs users from AD to DS. Let's say you have cn=jsmith,cn=Adminusers,dc=example,dc=com with samaccountname: jsmith and uid=jsmith,cn=Users,dc=example,dc=com because of the way that winsync works, it will think because the AD entry and the IPA have the same userid, they should be in sync - but because cn=jsmith,cn=Adminusers,dc=example,dc=com is outside the scope of cn=Users,dc=example,dc=com winsync will think that the user has moved outside the scope of the agreement, and will delete the user. Obviously it should not do that by default, hence https://fedorahosted.org/389/ticket/355 But why do you have users with the same userid in AD out of the scope of the sync agreement with the same userid as an IPA user? Luckily I hadnt disabled the admin account yet.it was the only one left. I guess this stuff is a lot more complex than it looks. :/ regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 8- will be fixed in RHEL 6.4 - not sure what you mean by RHEL6 production tree 8 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] clients very slow
On 09/13/2012 09:54 AM, David Fitzgerald wrote: Hello Everyone, I work at a small university and I deployed freeIPA on my Linux network over the summer break with no (known) problems, and everything worked as expected. However, now that the semester has started and the Linux system is under a much higher load, I am noticing that my client machines will randomly slow to a crawl. For example, I have a lab of 25 machines. The students can log in ok, but after a time, a few of the machines will freeze so that the users on those machines cannot do anything. After a few minutes, the frozen machines will unfreeze, but other machines will freeze up. I can't see any pattern to what machines freeze up. I did not have this problem when running NIS, so I suspect it is something in freeIPA but I am not sure what to look for to solve the problem. Probably a setting somewhere needs tweaked but I don't know. The server and clients all run Scientific Linux 6.2. Can anyone help me troubleshoot this? Do you use SSSD as a client or something else? If SSSD we would need the nsswitch, pam, krb5.conf, sssd.conf configuration files and SSSD logs set to debug_level=8 or 9. What operation they are freezing on? Is it login/authentication or just suddenly, which probably indicates identity lookup. So freezes might be related to the DNS or name resolution lookups that those machines do. They might be accessing a DNS server that is down or misconfigured before failing over to a correct one. So resolve.conf, /etc/hosts would be helpful. But you might need to check the DNS configuration yourself. HTH Thanks! Dave +++ David Fitzgerald Department of Earth Sciences Millersville University Millersville, PA 17551 Phone: 717-871-2394 ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users