[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-16 Thread Vinícius Ferrão via FreeIPA-users
On 16 Oct 2019, at 16:01, Rob Crittenden mailto:rcrit...@redhat.com>> wrote: Vinícius Ferrão wrote: On 15 Oct 2019, at 17:49, Rob Crittenden mailto:rcrit...@redhat.com> > wrote: Vinícius Ferrão wrote: Hi Rob On 15 Oct 2019, at 10:22, Rob Crittenden

[Freeipa-users] autofs debugging

2019-10-16 Thread danielle lampert via FreeIPA-users
Hello, I'm running CENTOS 7.4 and I'm struggling to make autofs work with a direct map. I believe I followed correctly the documentation (Linux Domain Identity, Authentication, and Policy Guide) but I can't find why it's not working. Mounting manually is OK. Where should I start to look ? thanks

[Freeipa-users] Re: SSH Hostbased Authentication with FreeIPA

2019-10-16 Thread Rob Crittenden via FreeIPA-users
Vinícius Ferrão wrote: > > >> On 15 Oct 2019, at 17:49, Rob Crittenden > > wrote: >> >> Vinícius Ferrão wrote: >>> Hi Rob >>> On 15 Oct 2019, at 10:22, Rob Crittenden >>> > wrote: Vinícius

[Freeipa-users] Re: Commands ipa topologysegment-find/show are confusing

2019-10-16 Thread Rob Crittenden via FreeIPA-users
Jesús Marín García via FreeIPA-users wrote: > Hello everyone: > > These days I have been doing a freeipa upgrade on a production cluster, > what requires to perform multiple operations on the cluster for doing it > without service interruption. > One of the tasks was to ensure the topology is a

[Freeipa-users] Commands ipa topologysegment-find/show are confusing

2019-10-16 Thread Jesús Marín García via FreeIPA-users
Hello everyone: These days I have been doing a freeipa upgrade on a production cluster, what requires to perform multiple operations on the cluster for doing it without service interruption. One of the tasks was to ensure the topology is a complete graph, where each node have a connection with

[Freeipa-users] Re: Single label domain usage

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ke, 16 loka 2019, Sven Ludwig via FreeIPA-users wrote: Hi Alexander, Thanks for the quick answer. As I am forced to use a non-email-product to write emails, please consider the following as "quoted properly" - i did my very best ;) ;) I'm reformatting the answers to fit the view, no

[Freeipa-users] Re: Single label domain usage

2019-10-16 Thread Sven Ludwig via FreeIPA-users
Hi Alexander, Thanks for the quick answer. As I am forced to use a non-email-product to write emails, please consider the following as "quoted properly" - i did my very best ;) >>Are there any further problems with using single label domains >>currently or in the future? >There are problems

[Freeipa-users] Re: Single label domain usage

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ke, 16 loka 2019, Alexander Bokovoy via FreeIPA-users wrote: On ke, 16 loka 2019, Sven Ludwig via FreeIPA-users wrote: Hi @audience, I'd like to ask is there is a chance to continue using single label domains with freeipa. We learned the hard way that this feature was restricted to use. It

[Freeipa-users] Re: Single label domain usage

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ke, 16 loka 2019, Sven Ludwig via FreeIPA-users wrote: Hi @audience, I'd like to ask is there is a chance to continue using single label domains with freeipa. We learned the hard way that this feature was restricted to use. It cannot be bypassed by any command line option. I found that this

[Freeipa-users] Single label domain usage

2019-10-16 Thread Sven Ludwig via FreeIPA-users
Hi @audience, I'd like to ask is there is a chance to continue using single label domains with freeipa. We learned the hard way that this feature was restricted to use. It cannot be bypassed by any command line option. I found that this all comes down to a check in the ipalib/util.py, which

[Freeipa-users] Re: How to make ipa root certificate available system wide

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ti, 15 loka 2019, Kevin Vasko via FreeIPA-users wrote: Well that’s the thing, I didn’t realize the service certificate was revoked as I thought the entire point of validating the client cert was to validate the entire “chain” with OCSP. Im using IPAs internal cert system. Yeah, I kept

[Freeipa-users] Re: Windows clients and domain_realm mappings

2019-10-16 Thread Alexander Bokovoy via FreeIPA-users
On ke, 16 loka 2019, Pieter Baele via FreeIPA-users wrote: The only open issue we have with IPA is Windows clients not being directed to the Kerberos servers of the IPA realm. I think there is lack of a context here in your question. For forest trust to Active Directory, all cross-realm

[Freeipa-users] Windows clients and domain_realm mappings

2019-10-16 Thread Pieter Baele via FreeIPA-users
The only open issue we have with IPA is Windows clients not being directed to the Kerberos servers of the IPA realm. We can solve this issue using domain_realm registry keys as mentioned on the mailing list before. But is there any different method to accomplish this? As far as I know/read,