Re: [Freeipa-users] Authenticate on GNOME display manager with freeipa

2017-05-15 Thread Timo Aaltonen
On 12.05.2017 12:25, tuxderlinuxfuch...@gmail.com wrote:
> Thanks!
> 
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
> 
> added the line
> 
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> 
> to the file /etc/pam.d/common-session (find attached)

Don't add it manually, it'll get removed next time pam-auth-update is
run. Instead run pam-auth-update yourself and enable "create home
directory on login".


-- 
t

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] New server install failing

2017-04-26 Thread Timo Aaltonen
On 25.04.2017 23:59, Robert L. Harris wrote:
> 
> I'm trying to install freeipa-server on an ubuntu 16.04 box, fresh
> install, but it keeps failing:
>
> Running ipa-server-upgrade...
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> *IOError: [Errno 2] No such file or directory:
> u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif.modified.out'*
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information

Works just fine on a chroot, so your setup is not a clean one as that
EXAMPLE-COM thing would suggest. The upgrader is only run if ipa is set up.

-- 
t



Re: [Freeipa-users] ipa-client-install generates bad sssd.conf

2017-03-05 Thread Timo Aaltonen
On 03.03.2017 16:53, Rob Crittenden wrote:
> Harald Dunkel wrote:
>> On 03/03/17 10:14, Jakub Hrozek wrote:
>>> On Fri, Mar 03, 2017 at 09:56:55AM +0100, Harald Dunkel wrote:
>>>>
>>>> This is systemd-only?
>>>>
>>>> Wouldn't it be better to create a working sssd.conf, no matter
>>>> what?
>>>
>>> It is up to whoever is creating the sssd.conf. As I said, the change is
>>> backwards-compatible. If you want the services to be started by sssd,
>>> then list them in the services line. If you want to have them started on
>>> demand and have a simpler configuration, you rely on the systemd services
>>> manager.
>>>
>>
>> Understood. I will try 1.15.1 as soon as possible.
>>
>> Reading ipa-client-install it appears to me that the other
>> services haven't been omitted on purpose. I have the
>> impression that nss and pam have simply been forgotten.
>>
>> sssd's ssh service is defined only if ipa-client-install
>> is allowed to touch the ssh or sshd configuration, but I
>> have *no* idea why there is such a correlation.
>>
>> Would somebody mind to look into this?
> 
> This is managed by authconfig on Fedora/RHEL systems. Not sure what
> Debian does in this regard. Timo?

pam-auth-update configures pam, there's nothing else to be configured..
I just ran ipa-client-install on Ubuntu zesty with freeipa-client
4.4.3-3ubuntu1, and services on the newly created sssd.conf look fine:

services = nss, sudo, pam, ssh


-- 
t



Re: [Freeipa-users] Dogtag certs did not auto-renew, very stuck!

2017-02-23 Thread Timo Aaltonen
On 23.02.2017 02:04, Peter Fern wrote:
> On 23/02/17 05:26, Rob Crittenden wrote:
>> It's been many moons since I worked on nss-pem but from what I can tell
>> it should be buildable outside of NSS so can ship as a separate package.
>> You might try building it locally to see if it resolves the issues for
>> you. It resides at https://github.com/kdudka/nss-pem
> 
> I had to modify an include path, and it links against some static libs
> (libfreebl.a, libnssb.a, libnssckfw.a) that are not included in the
> current Debian libnss3 packages, so a non-trivial packaging effort.  And
> because certmonger appears to use nss directly, linking against a
> different libcurl variant is also probably not an option.
> 
> There are other issues too - the default cert store path of
> /etc/httpd/alias is still used in the deb package, however the correct
> path is /etc/apache2/nssdb.

Good stuff, neatly hardcoded in src/dogtag.c. Thanks for pointing this
out, I'll get that fixed at least..

And as you noticed, packaging nss-pem is not a trivial task because of
the way it uses private NSS api's that the libnss maintainer refuses to
make public.. OpenSSL, anyone? :P



Re: [Freeipa-users] Installing on Ubuntu

2017-02-21 Thread Timo Aaltonen
On 21.02.2017 17:33, Robert L. Harris wrote:
> This was a clean install of Ubuntu.  If I install freeipa-server I get
> the error from the original email.  If I do a "apt install
> freeipa-server" I do see it will install python-ipaserver.  When I let
> it run it downloads and everything and starts setting everything up.  I
> get this:
> 
> Processing triggers for ureadahead (0.100.0-19) ...
> Errors were encountered while processing:
>  389-ds-base
>  freeipa-server
>  freeipa-server-dns
> E: Sub-process /usr/bin/dpkg returned an error code (1)

And I installed it on a clean chroot and the packages installed fine
without issues. Note that the pki-server spam is expected and not an error.

> If I run the python command you gave me at this point I get this:
> 
> python2 -c 'from ipaserver.install import installutils; print "yes" if
> installutils.is_ipa_configured() else "no";'
> yes

This means that you have some files around which a clean install should
not have. Check the contents of /var/lib/ipa/sysrestore.




Re: [Freeipa-users] Installing on Ubuntu

2017-02-21 Thread Timo Aaltonen
On 20.02.2017 22:26, Robert L. Harris wrote:
> 
> python2 -c 'from ipaserver.install import installutils; print "yes" if
> installutils.is_ipa_configured() else "no";'
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
> ImportError: No module named ipaserver.install

Then how did you manage to get it installed.. freeipa-server depends on
python-ipaserver so you should have it available :)


-- 
t



Re: [Freeipa-users] Debian client installation

2017-02-17 Thread Timo Aaltonen
On 17.02.2017 17:37, Per Qvindesland wrote:
> Hi All
> 
> I have installed free ipa client by using 
> http://www.pakjiddat.pk/articles/all/installing-freeipa-client-on-debian 
> which works, but I am unable to get the sudo to work, on debian 7.11 
> machines,  sssd installed version is 1.9.6 which I think is pretty old.
> 
> Does anyone have any suggestions on how to get sudo to work on debian 7? 
> perhaps another more updated how to?

you need sudo built with sssd support, which that repo is lacking.


-- 
t



Re: [Freeipa-users] Installing on Ubuntu

2017-02-17 Thread Timo Aaltonen
On 18.02.2017 03:24, Robert L. Harris wrote:
> 
> I have an Ubuntu 16.04 test system which is currently clean.  I'm
> trying to install freeipa-server via apt and I'm getting an error about
> files missing :
> 
> Setting up freeipa-server (4.3.1-0ubuntu1) ...
> Running ipa-server-upgrade...
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> IOError: [Errno 2] No such file or directory:
> u'/etc/dirsrv/slapd-EXAMPLE-COM/dse.ldif'
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> dpkg: error processing package freeipa-server (--configure):
>  subprocess installed post-installation script returned error exit status 1
> dpkg: dependency problems prevent configuration of freeipa-server-dns:
>  freeipa-server-dns depends on freeipa-server (>= 4.3.1-0ubuntu1); however:
>   Package freeipa-server is not configured yet.

It shouldn't run ipa-server-upgrade on a clean install. What does:
python2 -c 'from ipaserver.install import installutils; print "yes" if installutils.is_ipa_configured() else "no";'

return?


-- 
t



[Freeipa-users] Contributing translations, modules (was Re: help)

2016-11-01 Thread Timo Aaltonen
On 02.11.2016 03:03, 郑磊 wrote:
> Hello Timo Aaltonen,
> I got your mail information from the changelog file of the freeipa
> deb package. I'm using freeipa on Ubuntu, and having a test and research
> with the function of freeipa. At the same time, I have carried on the
> chinese translation to the web interface, also added own log module in
> web interface, which can record our operation. However, For these
> changes I don't know how to interact with the organization or community.
> Whether I need to join an organization or community? Who should I
> contact with? Please help me. Thank you!

Hi, freeipa upstream would be your contact, you can try freeipa-users
first, here's how to contribute:

http://www.freeipa.org/page/Contribute

and here's where you can join the list:

https://www.redhat.com/mailman/listinfo/freeipa-users

I've CC'd this reply there.


-- 
t


Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-17 Thread Timo Aaltonen
On 16.10.2016 08:00, Jochen Hein wrote:
> Timo Aaltonen <tjaal...@ubuntu.com> writes:
> 
>> On 15.10.2016 22:33, Jochen Hein wrote:
>>> Timo Aaltonen <tjaal...@ubuntu.com> writes:
>>>
>>>>   Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
>>>
>>> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've
>>> just updated my laptop to Ubuntu 16.10, and now the freeipa packages are
>>> "orphaned", because these packages seems to be missing from yakkety. Is
>>> there a reason for this? I didn't see a bugreport for it.
>>
>> Looks like it was due to a misunderstanding.. it got removed from Debian
>> first (because of new uploads getting blocked due to minified javascript
>> not being actual source), then added back and synced to yakkety, but
>> again removed from there for the same reason it got removed from Debian..
> 
> That's what I've feared.
> 
>> I'll check if it can be added back.
> 
> Thanks for looking into it.

The dropped binaries are back, you can find them from yakkety-updates.


-- 
t



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-10-15 Thread Timo Aaltonen
On 15.10.2016 22:33, Jochen Hein wrote:
> Timo Aaltonen <tjaal...@ubuntu.com> writes:
> 
>>   Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
> 
> Thanks for your work on packaging FreeIPA for Ubuntu (and Debian). I've
> just updated my laptop to Ubuntu 16.10, and now the freeipa packages are
> "orphaned", because these packages seems to be missing from yakkety. Is
> there a reason for this? I didn't see a bugreport for it.
> 
> I guess for an already enrolled client an actual package for sssd and
> kerberos will be ok, but freeipa for new clients would be fine.
> 
> BTW, most of my servers run Debian - freeipa packages would be most
> welcome. Right now I use older packages to enroll Debian hosts.

Looks like it was due to a misunderstanding.. it got removed from Debian
first (because of new uploads getting blocked due to minified javascript
not being actual source), then added back and synced to yakkety, but
again removed from there for the same reason it got removed from Debian..

I'll check if it can be added back.


-- 
t



Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 11:34, Deepak Dimri wrote:
> Thanks Timo,
> 
> The "DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y"
> command works on the terminal but within ansible playbook i am getting 
> 
> [Errno 2] No such file or directory", "rc": 2}  when adding
> command: DEBIAN_FRONTEND=noninteractive apt-get install freeipa-client -y
> 
> 
> any idea how can i get this resolved for ansible?  i tried
> "export DEBIAN_FRONTEND=noninteractive" and then "apt-get install
> freeipa-client -y"  but that did not help either still getting [Errno 2]
> No such file or directory", "rc": 2} 

no idea about that, but you could also preseed the debconf priority
beforehand and then run apt-get, something like:

echo 'debconf debconf/priority select critical' > /tmp/preseed
debconf-set-selections /tmp/preseed
apt-get ...




Re: [Freeipa-users] FreeIPA client installation on ubuntu 14.04

2016-09-21 Thread Timo Aaltonen
On 21.09.2016 09:41, Deepak Dimri wrote:
> Hi All,
> 
> I am trying to install freeipa client on my ubuntu client via ansible
> script. I have "apt-get update" and "apt-get install freeipa-client -y"
> these basic commands added in my playbook but the problem is when i run
> "apt-get install freeipa-client" with or without -y option it opens up
> some graphical interface confirming the IPA realm and other details. I
> did not find any option with in "apt-get install freeipa-client"to make
> it deployment unattended. Can anyone please tell me the how i can
> automate ipa-client installation on ubuntu?
> 
> The same process works fine with RHEL using yum but i am unable to do so
> for ubuntu with apt-get

the dialog is from krb5-common, and you can skip it with

DEBIAN_FRONTEND=noninteractive apt-get install ...



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-09-16 Thread Timo Aaltonen
On 01.09.2016 00:19, Timo Aaltonen wrote:
> On 31.08.2016 11:18, Petr Spacek wrote:
>> On 31.8.2016 00:23, Timo Aaltonen wrote:
>>> On 29.08.2016 10:34, Timo Aaltonen wrote:
>>>> On 21.04.2016 22:01, Timo Aaltonen wrote:
>>>>>
>>>>> ps. Debian unstable will have 4.3.1 once the package has gone through
>>>>> the NEW queue because the packaging got split in certain ways
>>>>
>>>> No it did not, because the ftpmaster rejected the upload since it ships
>>>> with minified javascript which is not considered modifiable source code.
>>>> And the old version has now been removed from Debian because it was
>>>> unmaintainable.
>>>>
>>>> So I hope #5639 will be resolved at some point. Note that Debian doesn't
>>>> require the javascript to be minified during package build, just that
>>>> the source would ship the unminified copy as well.
>>>
>>> Turns out it wasn't too much of an effort to pull in unminified bits of
>>> everything that is shipped minified (just ~630kB..), so I guess Freeipa
>>> will be uploaded back fairly soon...
>>
>> Timo,
>>
>> can you share script/procedure you used? It would save us some time spent on
>> re-inventing what you have done :-)
>>
>> We need to see how complex change it would be so we could pull it into master
>> eventually.
> 
> I put it in https://fedorahosted.org/freeipa/ticket/5639
> 
> for dojo & build I looked at the profile.js files. But now I see that I
> didn't look at webui.profile.js... could be something is missing still.

well, at least the Debian ftpmaster was happy enough to accept 4.3.2-1
to experimental with the new list, so the exile didn't last for too long.


-- 
t



Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-31 Thread Timo Aaltonen
On 31.08.2016 11:18, Petr Spacek wrote:
> On 31.8.2016 00:23, Timo Aaltonen wrote:
>> On 29.08.2016 10:34, Timo Aaltonen wrote:
>>> On 21.04.2016 22:01, Timo Aaltonen wrote:
>>>>
>>>> ps. Debian unstable will have 4.3.1 once the package has gone through
>>>> the NEW queue because the packaging got split in certain ways
>>>
>>> No it did not, because the ftpmaster rejected the upload since it ships
>>> with minified javascript which is not considered modifiable source code.
>>> And the old version has now been removed from Debian because it was
>>> unmaintainable.
>>>
>>> So I hope #5639 will be resolved at some point. Note that Debian doesn't
>>> require the javascript to be minified during package build, just that
>>> the source would ship the unminified copy as well.
>>
>> Turns out it wasn't too much of an effort to pull in unminified bits of
>> everything that is shipped minified (just ~630kB..), so I guess Freeipa
>> will be uploaded back fairly soon...
> 
> Timo,
> 
> can you share script/procedure you used? It would save us some time spent on
> re-inventing what you have done :-)
> 
> We need to see how complex change it would be so we could pull it into master
> eventually.

I put it in https://fedorahosted.org/freeipa/ticket/5639

for dojo & build I looked at the profile.js files. But now I see that I
didn't look at webui.profile.js... could be something is missing still.





Re: [Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-08-29 Thread Timo Aaltonen
On 21.04.2016 22:01, Timo Aaltonen wrote:
>
> ps. Debian unstable will have 4.3.1 once the package has gone through
> the NEW queue because the packaging got split in certain ways

No it did not, because the ftpmaster rejected the upload since it ships
with minified javascript which is not considered modifiable source code.
And the old version has now been removed from Debian because it was
unmaintainable.

So I hope #5639 will be resolved at some point. Note that Debian doesn't
require the javascript to be minified during package build, just that
the source would ship the unminified copy as well.

-- 
t



Re: [Freeipa-users] Ubuntu 16.04 / FreeIPA 4.3 install

2016-05-13 Thread Timo Aaltonen
On 11.05.2016 17:14, Zak Wolfinger wrote:
> I’m trying to set up FreeIPA as a replica.  I’ve followed the
> instructions in section 4 here:  
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#prepping-replica
>  
> The replica install appears to be successful, but when I try to do
> ‘ipactl start’ I get this:
> 
> IPA is not configured (see man pages of ipa-server-install for help)
> 
> I’ve looked through the man pages but I’m not seeing what needs to be
> done.  

4.3 on ubuntu supports only domain level 1 replicas, so you need to have
4.3 server installed first and then install a client and promote it to a
replica.


-- 
t



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-27 Thread Timo Aaltonen
27.04.2016, 09:24, Harald Dunkel wrote:
> On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
> 
> Is this 3rd party code?

yes: https://fedorahosted.org/freeipa/ticket/5639

> Anyway, I was talking about a *private* backport of freeipa 4.3.1
> and its dependencies to Jessie. Of course I would be glad to make
> these backports available in the official jessie-backports as well,
> but I would need a sponsor for uploading.

Go for it, at least if the dependencies are manageable.


-- 
t



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-26 Thread Timo Aaltonen
26.04.2016, 16:52, Harald Dunkel wrote:
> Hi Timo,
> 
> On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>>
>> The old package used to create /etc/pki/nssdb on postinst, but with 644
>> permissions so I'm not sure why they have 600 here. 4.1.4 in
>> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
>> to unstable this week, which should fix this for good.
>>
> 
> AFAICS there are just a few pending dependencies for 4.3.1
> on Jessie. Would you recommend to backport? I already did
> it for sssd.

I guess 4.3.1 would need to be in sid first, and it just got rejected
because of the minified javascript (bug #787593). Don't know when
that'll get fixed.


-- 
t



[Freeipa-users] Ubuntu 16.04 released with FreeIPA 4.3.1

2016-04-21 Thread Timo Aaltonen

Howdy!

  Ubuntu 16.04 LTS got released today, and it comes with FreeIPA 4.3.1!
The biggest feature of this version is that it also supports replication
by client promotion to replica master. IPA on Debian/Ubuntu has been a
single-master thing until now..

FreeIPA is in the community-supported section of the package archive
called "universe". What this means is that it's not officially supported
by Canonical, but the community. While I and some others have tried to
poke it from every angle we can, it might still have hidden bugs that
need fixing, so feel free to try it out and report any issues you might
find on Launchpad!


ps. Debian unstable will have 4.3.1 once the package has gone through
the NEW queue because the packaging got split in certain ways

-- 
t



Re: [Freeipa-users] ipa -v ping lies about the cert database

2016-04-18 Thread Timo Aaltonen
18.04.2016, 10:14, David Kupka wrote:
> On 15/04/16 15:16, Harald Dunkel wrote:
>> Hi David,
>>
>>> Hello Harri,
>>>
>>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by
>>> default the permissions are set to:
>>>
>>> $ ls -dl /etc/ipa/nssdb/
>>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>>
>>> $ ls -l /etc/ipa/nssdb/
>>> total 80
>>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>>
>>> Please check the permission on your system. If it's different and you
>>> (or system admin) haven't changed it please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket).
>>>
>>
>> Sorry, I should have mentioned that the client runs Debian
>> with freeipa 4.0.5.
>>
>> # ls -al /etc/ipa/
>> total 24
>> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
>> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
>> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>>
>>
>> No nssdb. AFAICS only the ipa servers in my lan have a
>> directory /etc/ipa/nssdb (CentOS 7).
>>
>> On the clients I can see a cert8.db in /etc/pki/nssdb.
>> Looking at the time stamp it seems to be related to freeipa.
>>
>> # ls -al /etc/pki/nssdb/
>> total 76
>> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
>> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
>> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
>> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>>
>> No pwdfile.txt . I would guess the key database has been created
>> with --empty-password.
>>
>> Does this look familiar, or is this misconfigured and weird?
>>
>>
>> Sorry for asking stupid questions, but the setup in my lan is
>> all I have. I have never had a chance to see another freeipa
>> installation. Hope you don't mind?
>>
>>
>> Regards
>> Harri
>>
> 
> Hello Harri,
> actually the version and OS information makes a difference :-)
> 
> Older version of FreeIPA client was using NSSDB in /etc/pki/nssdb, I
> don't recall at what version we switched to /etc/ipa/nssdb but it was
> some time ago.
> 
> I have reproduced the issue on Debian and after changing the access
> rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. ipa command
> needs to access the IPA CA certificate stored there to verify identity
> of FreeIPA server.
> 
> I haven't seen this issue on Fedora so I'm adding Timo who is porting
> FreeIPA on debian. Timo have you met this issue?

The old package used to create /etc/pki/nssdb on postinst, but with 644
permissions so I'm not sure why they have 600 here. 4.1.4 in
experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
to unstable this week, which should fix this for good.



-- 
t
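
The permission mismatch discussed in this thread can be checked mechanically. The POSIX shell function below is an added example, not code from the thread or from FreeIPA; it compares an NSS database directory against the modes in David Kupka's listing (database files readable by everyone, `pwdfile.txt` owner-only). The function name, the finding labels and the scratch directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an IPA client NSS database directory.
# Baseline taken from the listing quoted in the thread:
#   cert8.db, key3.db, secmod.db -> 0644, pwdfile.txt -> 0600
# Requires GNU stat (stat -c). All names here are illustrative.

# Prints one finding per line.
# Returns 0 if the directory matches the baseline, 1 if it deviates,
# 2 if the directory does not exist.
audit_nssdb() {
    nss_dir=$1
    nss_rc=0
    [ -d "$nss_dir" ] || { echo "MISSING_DIR $nss_dir"; return 2; }

    # The IPA CA certificate is stored in the database, and a non-root
    # `ipa` call must read it to verify the server, so "other" needs read.
    for nss_f in cert8.db key3.db secmod.db; do
        nss_path=$nss_dir/$nss_f
        if [ ! -e "$nss_path" ]; then
            echo "MISSING $nss_f"; nss_rc=1; continue
        fi
        nss_mode=$(stat -c '%a' "$nss_path")
        # A leading 0 makes the shell treat the mode as octal.
        if [ $(( 0$nss_mode & 04 )) -eq 0 ]; then
            echo "UNREADABLE $nss_f $nss_mode"; nss_rc=1
        fi
        # Only the owner should be able to modify the database.
        if [ $(( 0$nss_mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $nss_f $nss_mode"; nss_rc=1
        fi
    done

    # pwdfile.txt is optional (it is absent on the Debian client in the
    # thread), but when present it must stay owner-only.
    nss_path=$nss_dir/pwdfile.txt
    if [ -e "$nss_path" ]; then
        nss_mode=$(stat -c '%a' "$nss_path")
        if [ $(( 0$nss_mode & 077 )) -ne 0 ]; then
            echo "EXPOSED pwdfile.txt $nss_mode"; nss_rc=1
        fi
    fi
    return $nss_rc
}

# Constructed demo: recreate the Debian client layout from the thread
# (three database files at 0600, no pwdfile.txt) in a scratch directory.
demo_dir=$(mktemp -d)
for demo_f in cert8.db key3.db secmod.db; do
    : > "$demo_dir/$demo_f"
    chmod 600 "$demo_dir/$demo_f"
done
audit_nssdb "$demo_dir" || echo "audit: directory deviates from baseline"
rm -rf "$demo_dir"
```

On a real client the directory to pass is `/etc/pki/nssdb` or `/etc/ipa/nssdb`, depending on the package version as described in the thread.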



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-22 Thread Timo Aaltonen
22.02.2016, 10:00, Filip Pytloun wrote:
> My change was already applied in bind9 (1:9.10.3.dfsg.P2-4)
> experimental; urgency=medium
> 
> I don't know if it could be shipped by sssd package as the policy
> is for usr.bin.named binary.

oh right, good point :)

I guess these rules should still get added to usr.sbin.sssd so I'll
apply them.


-- 
t



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-21 Thread Timo Aaltonen
14.02.2016, 09:14, Filip Pytloun wrote:
> Hello,
> 
> we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
> server for 2 months with no critical issues.
> 
> Using newer freeipa-client was not needed, only sssd update from here,
> because trusty version is buggy:
> https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty
> 
> On server side, it was only needed to fix apparmor policy for bind to
> fix FreeIPA DNS zones:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314

/var/lib/sss* bits belong to the apparmor profile shipped by sssd..
mind removing them from the bind profile and testing this to
/etc/apparmor.d/usr.sbin.sssd instead?

@@ -33,6 +33,7 @@

   /var/lib/sss/* rw,
   /var/lib/sss/db/* rwk,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/* rw,
   /var/lib/sss/pipes/private/* rw,
   /var/lib/sss/pubconf/* rw,
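Review bot: the added `/var/lib/sss/mc/initgroups r,` rule names a single file read-only, while the neighbouring /var/lib/sss rules in this hunk are globs with write access (`db/* rwk`, `pipes/* rw`). If sssd itself has to create or update that file, `r` is not enough; if read-only is what is intended, a comment in the profile saying which process needs it would keep the rule from being widened later by guesswork.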
@@ -42,6 +43,7 @@
   /{,var/}run/sssd.pid rw,

   profile /usr/lib/@{multiarch}/sssd/* {
+/var/lib/sss/pubconf/krb5.include.d/** rw,
 /var/lib/sss/pubconf/krb5.include.d/ rw,
   }
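Review bot: the added `/var/lib/sss/pubconf/krb5.include.d/** rw,` in the child profile matches files at any depth below that directory, on top of the existing rule for the directory itself. If only files directly inside krb5.include.d are written, `/var/lib/sss/pubconf/krb5.include.d/* rw,` is the tighter rule and worth testing first.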



-- 
t



Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-08 Thread Timo Aaltonen
04.02.2016, 19:28, Jon wrote:
> Is Ubuntu not supported with FreeIPA?  Is there an updated install
> script?  I installed the freeipa-client from public repos.
> 
> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
> ii  python-freeipa  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- python modules

The stock packages in 14.04 are rather old, you'd probably be happier with the 
4.0.5-based client available on the PPA:

https://launchpad.net/~freeipa/+archive/ubuntu/4.0



-- 
t



Re: [Freeipa-users] Stuck getting sudo working with Ubuntu client

2015-04-22 Thread Timo Aaltonen
On 21.04.2015 22:45, Lukas Slebodnik wrote:
> On (20/04/15 17:54), Andrew Sacamano wrote:
>> Thanks again, Lukas!
>>
>> I was wondering if the overlaps of names was a problem, so I redid parts of
>> my IPA setup to rename them - thanks for pointing out the ticket!
>>
>> Also, your suggestion to use ldap_group_object_class = ipaUserGroup worked
>> - which saves me the trouble of tracking that down in six months when my
>> IPA domain grows and the performance issues associated with enumerate begin
>> to manifest.
>>
>> Many thanks - you are extraordinarily helpful. My colleagues and I are
>> quite grateful for all your advice!
>
> You are welcome,
> I'm glad I could help.
>
> You can file a ticket to backport patch for ticket #2471 in your distribution.

Please do, I've pulled the patch in git but need a bug# for SRU:

https://bugs.launchpad.net/ubuntu/+source/sssd/+filebug


-- 
t



Re: [Freeipa-users] FreeIPA for Debian Wheezy, Ubuntu 12.04

2015-01-15 Thread Timo Aaltonen
On 15.01.2015 11:54, Petr Spacek wrote:
> On 15.1.2015 09:36, Lukas Slebodnik wrote:
> Hi List
>
> Please is it really possible to have Debian and Ubuntu serve as IPA clients?
> I've tried some instructions/guidelines on the list and they always fail
> with the IPA client install being halfway completed and sssd's
> configuration file moved to .deleted.
> I'm really interested in getting this to work and I'll appreciate any help
> I can get. Failing that are there any alternatives?
>
> Please see http://www.freeipa.org/page/Troubleshooting#Client_Installation
>
> If it does not help then please post more information about your problem, namely:
> - exact package versions (keep in mind that Wheezy is a moving target)
> What do you mean by moving target?
>
> wheezy is codename for the latest release is Debian 7.8. It is also (currently)
> known as stable
>
> Sure, but Debian allows packages updates after release - or not?

no new upstream releases, unless via $release-backports

> I mean that Debian Wheezy does not necessarily identify particular package
> version.

..so it does, in practise.


-- 
t



[Freeipa-users] FreeIPA 4.0.4 now in Debian unstable!

2014-10-26 Thread Timo Aaltonen

Hi!

  Sooo.. as a followup to last week's announcement about Dogtag 10.2
getting in Debian, today marks the day that FreeIPA finally made it to
the distro! And unless release critical bugs are found it'll migrate to
the testing branch after spending 10 days on unstable, just in time
before the freeze of the next release.

The past week was spent on fixing the remaining issues around client &
server install. Thanks to everyone on #freeipa-devel that helped me on
times of despair :)

It'll take some time to wrap the distro patches into something that
upstream could accept with a straight face.. In the meantime, feel free
to kick the tires by installing 'freeipa-server' or 'freeipa-client' and
report bugs if you find any!

The packages will also get in the next Ubuntu release, and I'll backport
them to 14.04 later this year.


ps. special thanks to Benjamin Drung who joined the ranks of
pkg-freeipa-devel earlier this year, reviewed all the new packages with
attention to detail, sponsored them for me before I got upload rights,
and most importantly stuck around all this time :)


-- 
t



Re: [Freeipa-users] Install FreeIPA 4 on ubuntu

2014-08-22 Thread Timo Aaltonen
On 22.08.2014 18:16, Chris Whittle wrote:
 Thanks Timo so Fedora is really the only one it's supported on for now?

Fedora/RHEL/Centos etc, yes. Maybe by x-mas we'll have something in
Debian unstable working.



-- 
t



Re: [Freeipa-users] Install FreeIPA 4 on ubuntu

2014-08-22 Thread Timo Aaltonen
On 22.08.2014 18:38, Chris Whittle wrote:
 But just Centos 7 right?

right, if you need v4


-- 
t



Re: [Freeipa-users] Install FreeIPA 4 on ubuntu

2014-08-20 Thread Timo Aaltonen
On 21.08.2014 04:27, Chris Whittle wrote:
 Is there instructions anywhere?  My FreeIPA 3 on CentOS died so I'm
 starting over

there is no server for ubuntu/debian yet


-- 
t



[Freeipa-users] Ubuntu updates, client backport for 12.04

2014-08-07 Thread Timo Aaltonen

Hi

  So the archive version of freeipa-client on Ubuntu 12.04 has been in a
limbo state until now, because the package got reworked too much for
newer releases that trying to push updates would have taken a lot of
paperwork and other effort..

But 14.10/utopic finally has a smoothly installing client based on
3.3.4, and I've also pushed the updates fixing ntp/chronyd issues to
14.04 (not accepted to trusty-proposed yet) and backported this version
to 12.04 too.

You can install it for 12.04 from the freeipa ppa:
apt-add-repository ppa:freeipa
https://launchpad.net/~freeipa/+archive/ubuntu/ppa/+packages

and for this you also need the sssd ppa:
apt-add-repository ppa:sssd/updates
https://launchpad.net/~sssd/+archive/ubuntu/updates

I've verified that install/uninstall works fine, certmonger stop/start
fails on uninstall but it should be harmless.

Only thing missing from it that I know of is that --mkhomedir does not
work because of
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1336869

Also, beware that the version of nss on the ppa gets obsolete when a new
security release is published, which means that new installs should
create nssdb's by hand, or forcefully install the ppa version once and
then upgrade.. the db's shouldn't vanish on upgrade.


ps. server is still WIP, currently blocked on getting Dogtag deps
accepted in the Debian archive, but the goal is still to have everything
in by November before 'jessie' freezes.. we'll see

-- 
t



Re: [Freeipa-users] freeipa-client installation(debug) on Ubuntu 10.04 12.04

2014-07-29 Thread Timo Aaltonen
28.07.2014 20:29, jaseywang kirjoitti:
 Hi
 I tried to install freeipa-client on Ubuntu 10.04 & 12.04, but none of
 them worked :-(
 At the moment, only 12.04 ships the apt repo so that I can use apt to
 install the freeipa-client(2.1.4-0ubuntu1). Although I can installed the
 package successfully, I can't make it work during my ipa-client-install
 process, I just follow the instruction as the below docs says:
 https://ashbyte.com/ashbyte/wiki/FreeIPA/Ubuntu
 http://ubuntuforums.org/showthread.php?t=2207956
 
 But failed with --debug options on, below is the message it produced
 during installation:
 ---
 
 Obviously, the package is buggy, and it just copied configs from Redhat
 that is not suitable for Ubuntu.

Not quite like that. Just ignore the certmonger bits and configure with
--no-ntp and it should install more or less fine. Haven't seen the host
TGT issue before.. And 14.04 LTS has an updated client too, though it
also needs --no-ntp for now.

 As for Ubuntu 10.04, I google a lot, but found far less info about it.
 Basically, the documentation of 10.04 and 12.04 is really really rare, I
 haven't found any good cases that run them smoothly.

There never was any client for 10.04.. and won't be unless someone else
steps in and backports all the bits that it needs

 So, can anybody help me to debug the above error on Ubuntu 12.04, and
 any suggestion or good reference on Ubuntu distribution?
 Thank you.

The end goal is to not need any special references for Debian/Ubuntu,
but we're not there yet..


-- 
t



Re: [Freeipa-users] error while setting up installing freeipa-client in ubuntu 12.04 lts

2014-03-24 Thread Timo Aaltonen
On 24.03.2014 13:17, Sabin Ranjit wrote:
 hi,
 since days I'm trying to install the freeipa-client in ubuntu 12.04. I
 followed the following mail too:
 http://www.redhat.com/archives/freeipa-users/2013-June/msg00091.html
 
 but it didn't work. I followed the following steps:
 
 apt-get build-dep python-lxml
 apt-get install python-software-properties
 apt-get install software-properties-common
 
 apt-add-repository ppa:freeipa/ppa
 
 apt-add-repository ppa:sssd/updates
 
 apt-get -y install openssh-server freeipa-client sssd
 
 but when I run the ipa-client-install I get the error:
 
  There was a problem importing one of the required Python modules. The
 error was:
 
 /usr/lib/i386-linux-gnu/libgssapi.so.3: symbol
 krb5_ntlm_init_get_challange, version HEIMDAL_KRB5_2.0 not defined in
 file libkrb5.so.26 with link time reference 
 
 how to fix this issue? please provide me proper solution/direction.
 thanks in advance

get rid of the heimdal bits first, I don't think these work with other
than MIT krb5.


-- 
t

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-03 Thread Timo Aaltonen
On 03.09.2013 23:30, Nathan Kinder wrote:
 On 09/01/2013 01:35 PM, Timo Aaltonen wrote:
 On 01.09.2013 21:43, Dmitri Pal wrote:
 On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
 On 31.08.2013 00:04, Dmitri Pal wrote:
 Hello,

 Sorry for cross posting to 4 different lists but it seems that this is
 the best way to include most of people who might be interested in this
 discussion.

 The question of "When FreeIPA will be available on Debian?" has been
 coming up periodically on the list(s) without any resolution.
 However it
 is clear that it would be beneficial for the community and the
 project.
 Hi,

 As you know, I've been packaging stuff for the past two years with the
 goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
 been accomplished, but quite a bit is still missing too..

 May be it is time to try again?
 Let us see why it yet has not happened?

 1) Some components need to be ported to Debian especially Dogtag and a
 slew of its new RESTEasy dependencies. This requires time and quite an
 effort from someone familiar with the domain.
 Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
 working, but I'm not going to push that to the distro. It can be used
 for testing the IPA server though, before we have Dogtag 10. Once the
 prereqs are in place the Dogtag git should be easy to rebase with 10.x.

 I did start packaging some of the dependencies, but hit a wall when
 some
 maven component needed a different release than another one.. AIUI this
 is a known issue with maven based projects..
 I would like to organize the effort to get Dogtag 10 ported to Debian. 
 I know that there are a lot of dependencies needed for this to happen. 
 I can create and maintain a wiki page to track all of the work that is
 needed to get this porting done.  Do you have a list of Dogtag 10
 dependencies that are not currently packaged for Debian that I can use
 as a starting point?  Once we have a clear outline of what is needed, we
 can start trying to divide up and schedule the work.

Alright, nice! This is the list I sent to debian-java a year ago,
roughly in dependency order:

codehaus-parent
keytool-maven-plugin
maven-help-plugin
maven-idea-plugin
maven-jarsigner-plugin
maven-jxr
maven-source-plugin
geronimo-parent-poms
geronimo-annotation
plexus-mail-sender
maven-release
plexus-resources
maven-checkstyle-plugin
maven-pmd-plugin
maven-anno-plugin
maven-reporting-api
maven-changes-plugin
maven-deploy-plugin
apache-james-project
javamail
base64coder
gdata-java
sonatype-oss-parent
forge-parent
mojo-parent
maven-plugin-build-helper
relaxngcc
xsom
glassfish-fastinfoset
jvnet-parent
glassfish-jaxb-api
glassfish-dtd-parser
stax-ex
istack-commons
rngom
glassfish-jaxb
maven-jaxb2-plugin
jboss-parent
jandex
jboss-specs-parent
jboss-annotations
jetty-parent
jetty-toolchain
jetty-version-maven-plugin
scannotation
snakeyml
resteasy

There might be errors, now that I know that the fedora package of
resteasy doesn't build everything to make the deps a bit easier? And at
least codehaus-parent, mojo-parent and jetty-parent are packaged and
pushed to git.debian.org but since I'm not a DD (yet) I can't upload them.

The debian java policy means that the actual package names are like
'libmojo-parent-java' etc., in case you try to find a package.

 Do you have more details on the maven issue you were running up against?

if my notes are to be trusted, it was that keytool-maven-plugin wants
v16 of mojo-parent, and not v30 that is in git now..



-- 
t



Re: [Freeipa-users] [SSSD] FreeIPA on Debian

2013-09-01 Thread Timo Aaltonen
On 31.08.2013 00:04, Dmitri Pal wrote:
 Hello,
 
 Sorry for cross posting to 4 different lists but it seems that this is
 the best way to include most of people who might be interested in this
 discussion.
 
 The question of "When FreeIPA will be available on Debian?" has been
 coming up periodically on the list(s) without any resolution. However it
 is clear that it would be beneficial for the community and the project.

Hi,

As you know, I've been packaging stuff for the past two years with the
goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
been accomplished, but quite a bit is still missing too..

 May be it is time to try again?
 Let us see why it yet has not happened?
 
 1) Some components need to be ported to Debian especially Dogtag and a
 slew of its new RESTEasy dependencies. This requires time and quite an
 effort from someone familiar with the domain.

Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
working, but I'm not going to push that to the distro. It can be used
for testing the IPA server though, before we have Dogtag 10. Once the
prereqs are in place the Dogtag git should be easy to rebase with 10.x.

I did start packaging some of the dependencies, but hit a wall when some
maven component needed a different release than another one.. AIUI this
is a known issue with maven based projects..

Other blockers off the top of my head include:

- support for shared certificate database in NSS
  * patches sent to the Debian bug (#537866), maintainer isn't too
responsive
- dyndb support in bind
  * haven't asked the maintainer to add it to bind9, it might happen
- porting the IPA server installer for Debian
  * this has been discussed on the list at some point, and I guess
upstream knows best how the code needs to be organized to make it
happen..

 2) The code needs to be changed in installer and potentially in other
 places as it might have had some Fedorizms blended in

yep, and I need to send the platform module for the client soon, the
latest version seems to be working fine.

 3) Someone needs to own packages in Debian and maintain them, someone
 with good knowledge of the distro and time to take ownership of about 50
 packages.

I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..

 Can we pull it off together this time?
 Say we plan for some Dogtag and IPA domain experts to work on the port
 during Nov 13 - Feb 14 and address 1) and 2). Would there be any
 interest to join forces with them? Would there be anyone to take on item
 3) from the list above?

I could send an email to debian-devel@ asking if someone is interested
in helping us out. And maybe blog about it too (on planet.ubuntu.com)..


-- 
t



Re: [Freeipa-users] [SSSD] FreeIPA on Debian

2013-09-01 Thread Timo Aaltonen
On 01.09.2013 21:43, Dmitri Pal wrote:
 On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
 On 31.08.2013 00:04, Dmitri Pal wrote:
 Hello,

 Sorry for cross posting to 4 different lists but it seems that this is
 the best way to include most of people who might be interested in this
 discussion.

 The question of "When FreeIPA will be available on Debian?" has been
 coming up periodically on the list(s) without any resolution. However it
 is clear that it would be beneficial for the community and the project.
 Hi,

 As you know, I've been packaging stuff for the past two years with the
 goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
 been accomplished, but quite a bit is still missing too..

 May be it is time to try again?
 Let us see why it yet has not happened?

 1) Some components need to be ported to Debian especially Dogtag and a
 slew of its new RESTEasy dependencies. This requires time and quite an
 effort from someone familiar with the domain.
 Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
 working, but I'm not going to push that to the distro. It can be used
 for testing the IPA server though, before we have Dogtag 10. Once the
 prereqs are in place the Dogtag git should be easy to rebase with 10.x.

 I did start packaging some of the dependencies, but hit a wall when some
 maven component needed a different release than another one.. AIUI this
 is a known issue with maven based projects..

 Other blockers off the top of my head include:

 - support for shared certificate database in NSS
   * patches sent to the Debian bug (#537866), maintainer isn't too
 responsive
 
 How can we help?

I don't think you can, guess it just needs some perseverance on my side..

 - dyndb support in bind
   * haven't asked the maintainer to add it to bind9, it might happen
 
 Are you talking about dyndb maintainer or bind9 Debian maintainer?
 May be we should connect the two?

the debian bind maintainer, I heard from the dyndb maintainer that
bind10 might support it natively, but getting that in Debian might still
be further in the future, so if we'd need dyndb by early next year it's
probably needed to have it via bind9 first.

 3) Someone needs to own packages in Debian and maintain them, someone
 with good knowledge of the distro and time to take ownership of about 50
 packages.
 I'm doing this on my spare time, which has meant obvious delays in
 shipping something. Would be great to have more skillful people (pun
 intended) on the pkg-freeipa team..
 
 Are you the only person there so far?

pretty much, there have been some debian developers sponsoring packages
to the distro (I'm not a DD yet), but they've all fled before too long :)

-- 
t



Re: [Freeipa-users] Ubunto client?

2013-06-06 Thread Timo Aaltonen
On 06.06.2013 15:51, Guy Matz wrote:
 Sorry, I should have mentioned that I need this for precise!

ok, so the issue was that the ppa needs another ppa for sssd, for reference:

https://launchpad.net/~sssd/+archive/updates

I should probably push 1.9.5 there..


-- 
t



Re: [Freeipa-users] [Freeipa-devel] Announcing bind-dyndb-ldap version 3.2

2013-05-23 Thread Timo Aaltonen
On 21.05.2013 11:16, Petr Spacek wrote:
 On 21.5.2013 07:00, Timo Aaltonen wrote:
 No I meant the huge-ish patch to BIND that bind-dyndb-ldap depends on,
 available here:

 https://github.com/mnagy/bind-dynamic_db/downloads

 I haven't asked the Debian maintainer yet, but suspect there would be
 opposition to adding it to the bind package.. so upstream would be
 preferable of course.
 
 We contacted ISC a year ago and here is a reply from them (reply from
 Evan Hunt via RT):
 At a cursory glance this looks like quite good code, and we might
 indeed be
 interested in accepting it into BIND 9, as it has at least one feature
 we had
 hoped to support eventually (external database with the ability to serve
 DNSSEC).

 We can't commit it in its current form for a few reasons:  first,
 there are no
 tests or documentation; second, there is no sample driver we can
 provide as
 guidance to implementors.  (The LDAP driver you pointed to is good,
 but it's
 GPL, which means ISC is forbidden by corporate charter from shipping it.)

 We can probably help with tests and doc, but a sample driver with a BSD-
 compatible license would be a huge help, even if it only served static
 zones
 (such as the one in bind9/bin/tests/system/dlzexternal/driver.c).

 Out of curiosity, why did you decide to add a new API and new
 'dynamic-db'
 configuration syntax instead of extending or improving the existing
 DLZ API?
 Would a merged approach be workable?  Minimizing the number of
 different ways to
 accomplish the same thing would be desirable, if feasible.

 I see a few trivial ISC code-style incompatibilities, but nothing to
 worry about
 on that account.  I'm planning to commit your patch to a CVS branch
 for further
 work, and will review the code in more detail later.
 
 From that time we didn't have time to move it forward. Any help is
 appreciated!

Thanks for the update! I'm afraid what little time I have is best spent
on getting rest of the stack ready for Debian/Ubuntu though ;)


-- 
t



Re: [Freeipa-users] [Freeipa-devel] Announcing bind-dyndb-ldap version 3.2

2013-05-20 Thread Timo Aaltonen
On 15.05.2013 11:58, Petr Spacek wrote:
 The FreeIPA team is proud to announce bind-dyndb-ldap version 3.2.
 
 == Feedback ==
 
 Please provide comments, bugs and other feedback via the freeipa-users
 mailing
 list: http://www.redhat.com/mailman/listinfo/freeipa-users

What is the status on pushing the 'dynamic database API' to BIND upstream?



-- 
t

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] [Freeipa-devel] Announcing bind-dyndb-ldap version 3.2

2013-05-20 Thread Timo Aaltonen
On 20.05.2013 23:01, Dmitri Pal wrote:
 On 05/20/2013 09:21 AM, Timo Aaltonen wrote:
 On 15.05.2013 11:58, Petr Spacek wrote:
 The FreeIPA team is proud to announce bind-dyndb-ldap version 3.2.

 == Feedback ==

 Please provide comments, bugs and other feedback via the freeipa-users
 mailing
 list: http://www.redhat.com/mailman/listinfo/freeipa-users
 What is the status on pushing the 'dynamic database API' to BIND upstream?



 You mean to fold the ldap driver package into the core BIND package?
 There are no plans like this. Why? LDAP driver is a separate package and
 I am not sure BIND upstream would be interested in taking it in.

No I meant the huge-ish patch to BIND that bind-dyndb-ldap depends on,
available here:

https://github.com/mnagy/bind-dynamic_db/downloads

I haven't asked the Debian maintainer yet, but suspect there would be
opposition to adding it to the bind package.. so upstream would be
preferable of course.


-- 
t



Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 Ubuntu

2013-01-23 Thread Timo Aaltonen

On 23.01.2013 09:48, 小龙 陈 wrote:


Date: Wed, 23 Jan 2013 08:28:57 +0100
From: d.sastre.med...@gmail.com
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA Client Setup in Windows 7 & Ubuntu


On Mon, Jan 21, 2013 at 07:37:39AM -0500, Dmitri Pal wrote:

On 01/21/2013 04:45 AM, Vijay Thakur wrote:

Guide me about Ubuntu 12.04 as FreeIPA Client setting.


I know there have been work done for Ubuntu but we unfortunately I do
not have information on the state of this work.


Regarding Ubuntu, you can check, for example:

http://packages.ubuntu.com/search?suite=all&arch=any&searchon=names&keywords=freeipa
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=389&searchon=names
http://packages.ubuntu.com/search?suite=all&section=all&arch=any&keywords=sssd&searchon=names

--
Primary key fingerprint: AD8F BDC0 5A2C FD5F A179 60E7 F79B AB04 5299 EC56

___

The current version of sssd in any version of Ubuntu is broken.
The packaging needs to pass '--datadir=/usr/share' or '$(prefix)' will show up
in some python files.

Bug report: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1079938

Unfortunately, it still hasn't been fixed.


The updates for 12.04 (bumping sssd to 1.8.5 too) and 12.10 are 
uploaded, just not accepted to -proposed yet. I'll ping the SRU team to 
let them through..



--
t


[Freeipa-users] FreeIPA status on Debian Ubuntu (was: Re: FreeIPA manual PAM setup help)

2012-11-29 Thread Timo Aaltonen
29.11.2012 21:30, Jakub Hrozek kirjoitti:
 On Thu, Nov 29, 2012 at 01:56:24PM -0500, 小龙 陈 wrote:
 I didn't know that ipa-server is now working in Ubuntu. That's really great 
 news!

 Best regards,
 Xiao-Long Chen

 
 I could be wrong, but I don't think the IPA server is working in
 Ubuntu..I know the client bits are and there was an effort to package
 the server as well, but I don't think it's finished yet.

right, the server isn't ready, client is limping along though not seen
an update in a while.

 Timo would know better, though.

here's a short summary:

- 389ds is packaged and included in Debian & Ubuntu
- Dogtag 9 is packaged in git and worked the last time I tried, not
  pushed to either distros, since..
- Dogtag 10 is close(?) and I'd rather skip the transition if possible,
  then again..
- D10 needs RESTEasy, which in turn depends on nearly 50 new bits of
  software that needs to be packaged, mostly java/maven based (and
  there's a helper that should automate most of the packaging, haven't
  tried it yet though)
- IPA server still needs the platform code rework, and I still need to
  rework the first patch to meet the review notes

so not quite there yet :)

t


Re: [Freeipa-users] [SSSD-users] Problem with password reset on ubuntu 12.04 (lightdm)

2012-11-21 Thread Timo Aaltonen

On 20.11.2012 11:25, Marc Grimme wrote:

Am 20.11.2012 09:39, schrieb Sumit Bose:

On Mon, Nov 19, 2012 at 09:18:51PM +0100, Marc Grimme wrote:

Hello sssd list.
My problem is that a with sssd configured ubuntu 12.04 client cannot
change a password that has to be set a new for IPA.
As I've learned from the IPA list there are indications that sssd might
be the problem in this case.

With logging=10 in sssd.conf I see the following logs by sssd:

When a user password expires the users are requested to change their
password (in the login screen).
They'll type their old password and then repeat it as part of the change
process. Nevertheless - although the password matches - they are not
issued to input their new password but get the error message that this
action could not be performed (Password change failed. Server message..).

I guess it is your PAM configuration. If you use a client side password
checker, e.g. pam_cracklib or pam_pwquality.so,  in the password section
of your PAM configuration you have to add the 'use_authtok' option to
pam_sss in the section. If you do not use any checker you must not use
'use_authtok' here because sssd would expect a password to be available
on the PAM stack but no module sets it.

 From your description I guess you do not have a client-side password
checker but 'use_authtok' is set. If this is the case, please remove
'use_authtok' and try again.

HTH

bye,
Sumit
___
sssd-users mailing list
sssd-us...@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


Hi Sumit,
thanks very much.
I replaced the line
/etc/pam.d/common-password:
password sufficient pam_sss.so use_authtok
with
password sufficient pam_sss.so
restarted lightdm and the password change succeeded like a charm.


Right, the next upload to 12.04 will drop use_authtok from the pam 
config. The pam-auth-update tool unfortunately doesn't currently support 
the use case that sssd needs, where on the pam auth stack it should be 
with a lower priority than pam_unix, but on password stack it should be 
on top (or after pam_cracklib). That'll get fixed later..



--
t

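The use_authtok rule from the thread above, as an added example that is not part of the original messages: a small Python check that reads a `common-password` style file and reports a `pam_sss.so` line whose `use_authtok` setting does not match the presence of an earlier password checker. The function names, finding codes and sample files are constructed for illustration, and the set of checker modules is assumed to be just the two named in the thread.

```python
import os
import sys

# Assumption: only the two client-side checkers named in the thread are
# treated as modules that leave the new password on the PAM stack.
CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}


def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule in a pam.d file."""
    logical, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):          # rule continues on the next line
            logical += stripped[:-1] + " "
            continue
        line = (logical + raw).split("#", 1)[0].strip()
        first, logical, start = start, "", None
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("@"):
            continue                         # blank, comment or @include (not followed)
        mtype, rest = parts[0].lstrip("-"), parts[1]
        if rest.startswith("["):             # control such as [success=1 default=ignore]
            end = rest.find("]")
            if end < 0:
                continue
            control, rest = rest[: end + 1], rest[end + 1:]
        else:
            bits = rest.split(None, 1)
            control, rest = bits[0], bits[1] if len(bits) > 1 else ""
        fields = rest.split()
        if not fields:
            continue
        yield first, mtype, control, os.path.basename(fields[0]), fields[1:]


def check_password_stack(text):
    """Return [(lineno, code)] for pam_sss.so lines in the password stack."""
    findings, checker_seen = [], False
    for lineno, mtype, _control, module, args in parse_pam(text):
        if mtype != "password":
            continue
        if module in CHECKERS:
            checker_seen = True
        elif module == "pam_sss.so":
            has_opt = "use_authtok" in args
            if has_opt and not checker_seen:
                # sssd expects a password on the stack, but no module set one
                findings.append((lineno, "use_authtok-without-checker"))
            elif checker_seen and not has_opt:
                findings.append((lineno, "checker-without-use_authtok"))
    return findings


# Constructed samples. BROKEN contains the failing line quoted in the thread.
BROKEN = "\n".join([
    "# constructed sample: the failing line quoted in the thread",
    "password  sufficient  pam_sss.so use_authtok",
    "password  [success=1 default=ignore]  pam_unix.so obscure sha512",
    "password  requisite  pam_deny.so",
])
FIXED = BROKEN.replace(" use_authtok", "")
WITH_CHECKER = "\n".join([
    "password  requisite   pam_pwquality.so retry=3",
    "password  sufficient  /lib/security/pam_sss.so \\",
    "          use_authtok",
    "auth      sufficient  pam_sss.so use_first_pass",
])
MISSING = "\n".join([
    "password  requisite  pam_cracklib.so retry=3",
    "password  sufficient  pam_sss.so",
])

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the BROKEN sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            content = fh.read()
    else:
        content = BROKEN
    for lineno, code in check_password_stack(content):
        print(f"line {lineno}: {code}")
```
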


Re: [Freeipa-users] Other distro clients

2012-02-02 Thread Timo Aaltonen
02.02.2012 17:49, Stephen Gallagher kirjoitti:
 On Thu, 2012-02-02 at 10:44 -0500, Dmitri Pal wrote:
 On 02/02/2012 09:59 AM, Nigel Sollars wrote: 
 Hi All, 


 I notice online people have already asked about Clients for other
 linux distributions,  my addition to this is how far ( if any )
 along is the effort?.  Is there an svn / git repo I can grab
 sources / test packages for say Debian or SuSE?.


 Any info would be most welcomed



 Some time ago SSSD was built for Suse. I am not sure it was
 maintained. I am not aware of any effort to port ipa-client to Suse.
 There is some effort to port ipa-client to Debian and Ubuntu but I do
 not know where the code for this is.
 
 The port to Debian and Ubuntu is being spearheaded by Timo Aaltonen
 (CCed). He has a PPA with a reasonably recent version of SSSD available
 that can be used with FreeIPA v2.

Yeah, trying to get it all ready for the next release (12.04), and
hoping to squeeze in SSSD 1.8 too. Have had less time lately to work on
these, but it's still possible to get most of it in before feature
freeze (feb 16th) and the rest as a freeze exception.

Here are links to the related launchpad teams, in case folks are willing
to test the packages (and file bugs!), once there's more to test:

https://launchpad.net/~ubuntu-389-directory-server
https://launchpad.net/~freeipa
https://launchpad.net/~sssd

t



Re: [Freeipa-users] FreeIPA Ubuntu Client

2012-01-29 Thread Timo Aaltonen

28.01.2012 20:47, Stephen Gallagher kirjoitti:

On Sat, 2012-01-28 at 17:22 +, Ranjandas A P wrote:

Hi All,

Is there anybody who is working on packaging IPA Client for Ubuntu
10.04?

I am trying to build ipa-client for Ubuntu but, stuck with Mozldap
dependency.


Hi,

I'm concentrating on getting the pieces ready for the next LTS (12.04). 
Packages can be backported, but only after they've proven to work on the 
new release, so backporting will be a low priority for me at least for now.



--
t
