Well, I certainly don't understand what happened under the covers, but it is
100% clear to me that the users got "deleted" in AD while "preserving" them
in IPA.
I could see an argument where "ipa user-del user --preserve" is technically
still a delete (semantics).
I might look at migrating to a
Rob Brown wrote:
> yeah, I did find the users in AD under:
> CN=Deleted Objects,DC=foo,DC=domain,DC=com
> and, the users actually have the attribute:
> isDeleted = TRUE
> so, looks like they were actually deleted (from AD perspective).
> It seems like the delete sync is two-way (surprising, since
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote:
> We've set up a two-way trust with AD and it seems to have worked, but it
> doesn't look like it is working correctly.
>
> The kerberos commands (kinit and kvno) work fine, but things like 'id
>
Our company recently implemented freeipa to replace a cent5 kerberos
infrastructure. We set it up with a Winsync agreement with an AD domain,
and it is working pretty well.
Our user disposition workflow in AD is this: user account is disabled, and
moved to a "terminated users" OU in AD. The account
On Thu, Jul 20, 2017 at 10:41 AM, Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Kat via FreeIPA-users wrote:
> > Hi,
> >
> > If I have a simple pair of FreeIPA servers and one is showing different
> > failed auth times for a user -- is this a good indication
Kat via FreeIPA-users wrote:
> Hi,
>
> If I have a simple pair of FreeIPA servers and one is showing different
> failed auth times for a user -- is this a good indication they are out
> of sync? Should I not see same failures on both?
The lockout attributes are per-server (not replicated).
rob
lejeczek via FreeIPA-users wrote:
>
>
> On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
>> lejeczek via FreeIPA-users wrote:
>>> hello fallas
>>>
>>> those certs I see with:
>>> $ ipa cert-find
>>> is it possible to get private key(s) for a given cert? With means of
>>> (any)command
Hi,
If I have a simple pair of FreeIPA servers and one is showing different
failed auth times for a user -- is this a good indication they are out
of sync? Should I not see same failures on both?
-k
___
FreeIPA-users mailing list --
Hi,
Using SSSD 1.15.2-1 and FreeIPA Client 4.4.4-1 on Debian Stretch 9.0 generates
a broken SSSD configuration.
Adding the services manually to sssd.conf fixes this:
services = nss, sudo, pam, ssh
For some reason, ipa-client-install thinks we have socket-activated SSSD
services, but we don’t.
On 19/07/17 20:06, Rob Crittenden via FreeIPA-users wrote:
> lejeczek via FreeIPA-users wrote:
>> hello fallas
>> those certs I see with:
>> $ ipa cert-find
>> is it possible to get private key(s) for a given cert? With means of
>> (any)command line?
> Not from the CA, no.
> The CA doesn't store the private