[Freeipa-users] Re: FeeIPA SSL chain

2021-05-26 Thread Andrew Meyer via FreeIPA-users
All good. I worked with duo support last night. Thanks! ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct:

[Freeipa-users] Re: FeeIPA SSL chain

2021-05-25 Thread Andrew Meyer via FreeIPA-users
This is what I have been following: https://github.com/gudmmk/howtos/blob/master/duo_authproxy-with-freeipa.md https://duo.com/docs/authproxy-reference https://help.duo.com/s/article/2209?language=en_US https://community.duo.com/t/directory-sync-with-idm/2171/19 Here is the error output.

[Freeipa-users] FeeIPA SSL chain

2021-05-25 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to find the correct way to get the FreeIPA SSL certificate in pem format. So far I have the following commands: kinit $USER_WITH_ADMIN_PRIVS ipa ca-show ipa ca-show --certificate-out=/etc/pki/tls/private/server.key I don't think this is right. I need this to get the

[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
Found the offending server which had a completely different IP address. Deleted it anyways. Problem fixed. Thanks!

[Freeipa-users] Re: ssh key issues

2020-09-16 Thread Andrew Meyer via FreeIPA-users
How do I remove it once I find it? I tried stopping sssd and deleting everything in /var/lib/sss/db/* but it throws the same error when trying to SSH to the new server.

[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
I tried this. I ran into this problem earlier this year but can't remember what I did to fix it.

[Freeipa-users] Re: ssh key issues

2020-09-15 Thread Andrew Meyer via FreeIPA-users
Where did you run this? On a FreeIPA server? Or the affected server?

[Freeipa-users] Re: ssh key issues

2020-09-14 Thread Andrew Meyer via FreeIPA-users
I just ran sss_cache -H and that didn't fix it. Still getting this: [andrew.meyer@jump01 ~]$ ssh ameyer@10.150.10.130 @@@ @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

[Freeipa-users] ssh key issues

2020-09-14 Thread Andrew Meyer via FreeIPA-users
I recently cleaned up a few servers in my home lab. Deleted servers that I no longer needed. However it seems I have a server with an IP address that was used previously. FreeIPA is reporting that it is in /var/lib/sss/pubconf/known_hosts but I can't reverse engineer the hostname by doing sshkey

[Freeipa-users] New DNS records not populating

2020-05-26 Thread Andrew Meyer via FreeIPA-users
I recently had a server that didn't get added to DNS but was joined to FreeIPA system. I just went back to fix it. I tried removing the host rebooting and re-adding it to the FreeIPA system. After doing this new DNS records did not get added. I went back to manually add the DNS records

[Freeipa-users] Re: New IPA server

2020-03-30 Thread Andrew Meyer via FreeIPA-users
Remove the ipv6_disabled=1 line from grub. On Monday, March 30, 2020, 12:40:08 PM CDT, Rob Crittenden wrote: Andrew Meyer via FreeIPA-users wrote: > I fixed it.  Figured it out. Great! I'm curious, what did you need to do? thanks rob > > Sent from Yahoo Mail on Android

[Freeipa-users] Re: New IPA server

2020-03-28 Thread Andrew Meyer via FreeIPA-users
I fixed it.  Figured it out. Sent from Yahoo Mail on Android On Fri, Mar 27, 2020 at 8:45 AM, Rob Crittenden wrote: Andrew Meyer via FreeIPA-users wrote: > I am building out a new IPA server environment and I am getting the following > error: > > [user@freeipa001 ~]$ sud

[Freeipa-users] Re: New IPA server

2020-03-27 Thread Andrew Meyer via FreeIPA-users
So I tried enabling but it doesn't seem like it's working.

[Freeipa-users] New IPA server

2020-03-26 Thread Andrew Meyer via FreeIPA-users
I am building out a new IPA server environment and I am getting the following error: [user@freeipa001 ~]$ sudo ipa-server-install --setup-dns --setup-kra --setup-adtrust --auto-reverse --ssh-trust-dns --auto-forwarders --allow-zone-overlap IPv6 stack has to be enabled in the kernel and some

[Freeipa-users] ansible-freeipa client install error

2020-03-12 Thread Andrew Meyer via FreeIPA-users
I am trying to use the ansible-playbook to install the client on CentOS 8. I am getting the following error: TASK [ipaclient : Install - Check if one of password or keytabs are set]

[Freeipa-users] Re: MFA alternative

2020-03-10 Thread Andrew Meyer via FreeIPA-users
Got it working. Need to refine instructions.

[Freeipa-users] dhcp dynamic update

2020-02-24 Thread Andrew Meyer via FreeIPA-users
Hello, I was trying to search the mailing list before emailing about this but has anyone set this up https://archyslife.blogspot.com/2019/01/freeipa-integrating-your-dhcpd-dynamic.html OR https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update in their environment? In the past I

[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
Glad to know this will be fixed!

[Freeipa-users] Re: freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
[andrew.meyer@freeipa01 ~]$ sudo ipactl --ignore-service-failures start Existing service file detected! Assuming stale, cleaning and proceeding Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting httpd Service Starting ipa-custodia Service

[Freeipa-users] freeipa failing to start after update

2020-01-20 Thread Andrew Meyer via FreeIPA-users
I am running CentOS 8.x and have updated to the latest version of IPA and CentOS 8. I rebooted after updating and am now getting the following: Jan 20 12:55:29 freeipa01 server[7889]: arguments used: stop Jan 20 12:55:30 freeipa01 systemd[1]: Stopping 389 Directory Server

[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-15 Thread Andrew Meyer via FreeIPA-users
So since I was using an externally registered domain. The install script didn't create the SSHFP records. I am still working on delegating DNS to my FIPA server.

[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
Ok I have pointed the domain to my IP address (also setup DDNS with the registrar). However BIND still fails. Nov 14 20:46:28 freeipa01.asm.caprica.space named-pkcs11[23802]: starting BIND 9.11.4-P2-RedHat-9.11.4-17.P2.el8_0.1 (Extended Support Version) Nov 14 20:46:28

[Freeipa-users] Re: FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
Sure. Give me a bit to gather that.

[Freeipa-users] FreeIPA fails to start on CentOS 8

2019-11-14 Thread Andrew Meyer via FreeIPA-users
I am trying to migrate to CentOS 8 in my home lab. And I have gotten FreeIPA installed. However I am using caprica.space as my domain name but I don't think bind/named likes me using that. Is this an issue the version in FreeIPA or did I do something wrong? I found this out because FreeIPA

[Freeipa-users] ansbile-freeipa client install

2019-10-23 Thread Andrew Meyer via FreeIPA-users
Hello I have setup ansible to use install freeipa client on my CentOS 7/8 machines. I am able to get the packages installed however when it goes through the configuration I am getting the following: TASK [ipaclient : Install - Ensure that IPA client packages are installed]

[Freeipa-users] Re: adding external 2FA

2019-07-26 Thread Andrew Meyer via FreeIPA-users
Would you mind showing me how you have FreeRADIUS setup?

[Freeipa-users] Re: FreeIPA and Windows AD users

2019-07-25 Thread Andrew Meyer via FreeIPA-users
Does the user have to be in both sets of IDMs? On Thursday, July 25, 2019, 9:52:39 AM CDT, Alexander Bokovoy wrote: On to, 25 heinä 2019, Andrew Meyer via FreeIPA-users wrote: >I have successfully gotten FreeIPA to communicate with MS Windows Server >2012r2 using Active Directory.

[Freeipa-users] FreeIPA and Windows AD users

2019-07-25 Thread Andrew Meyer via FreeIPA-users
I have successfully gotten FreeIPA to communicate with MS Windows Server 2012r2 using Active Directory. I am able to log in to my jump hosts via SSH. However when I log in using a Windows user I get the following: fedora1 :) > ssh james.kirk@meye...@jump01.asm.meyer.local Password: Last login:

[Freeipa-users] 2FA alternatives

2019-07-22 Thread Andrew Meyer via FreeIPA-users
I think I have emailed about this recently before but is there a way other than using RADIUS to use a 3rd party 2FA provider (Duo, Authy or RSA) with the current version of FreeIPA?  I know that you could easily add it using 4.0 and 4.1 ( I could be wrong on the version).  If not is that

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Excellent thank you! On Monday, July 22, 2019, 12:01:53 PM CDT, François Cami wrote: On Mon, Jul 22, 2019 at 6:51 PM Andrew Meyer via FreeIPA-users wrote: > > [andrew.meyer@freeipa01 ~]$ id james.kirk > id: james.kirk: no such user > [andrew.meyer@freeipa01 ~]$ id willia

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
: On ma, 22 heinä 2019, Andrew Meyer via FreeIPA-users wrote: > Once this is done I should be able to do id user.name and get the Active > Directory user correct? Resolving users is unrelated to mapping groups. You should be able to resolve users already. -- / Alexander Bokovoy Sr. Pri

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Once this is done I should be able to do id user.name and get the Active Directory user correct? On Monday, July 22, 2019, 11:03:10 AM CDT, Alexander Bokovoy wrote: On ma, 22 heinä 2019, Andrew Meyer wrote: > Getting this:

[Freeipa-users] Re: Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Number of entries returned 1 [andrew.meyer@freeipa01 ~]$ On Monday, July 22, 2019, 10:26:29 AM CDT, Alexander Bokovoy wrote: On ma, 22 heinä 2019, Andrew Meyer via FreeIPA-users wrote: > He

[Freeipa-users] Ad integration

2019-07-22 Thread Andrew Meyer via FreeIPA-users
Hello, I am working on setting up FreeIPA with AD integration and seem to be running into an issue. It's possible that I am also doing something wrong. I am setting it up to talk to MS Windows Server 2012r2. Following directions on https://www.freeipa.org/page/Active_Directory_trust_setup I

[Freeipa-users] Re: adding external 2FA

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I was hoping to not use a radius server in between. Sent from Yahoo Mail on Android On Tue, Jul 9, 2019 at 3:59 PM, Jochen Hein wrote: Andrew Meyer via FreeIPA-users writes: > I am trying to research how to add other 2FA providers to FreeIPA.  > Has anyone added Duo or somethin

[Freeipa-users] adding external 2FA

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I am trying to research how to add other 2FA providers to FreeIPA. Has anyone added Duo or something else to FreeIPA/IPA in the most recent versions?

[Freeipa-users] mapping freeipa to local users and group

2019-07-09 Thread Andrew Meyer via FreeIPA-users
I want to map my freeipa users to local users on a particular server.  I have read a few sites that say to do sss_override.  However I am running into a problem: [andrew.meyer@server01 ~]$ sudo sss_override user-add andrew.meyer -n ameyer Other than LOCAL view already exists in domain

[Freeipa-users] ipa services continue to fail

2019-01-14 Thread Andrew Meyer via FreeIPA-users
Currently in my environment I have 6 servers 2 in my local office and 2 in each region in AWS. The AWS servers are all running CentOS 7.x with FreeIPA 4.5.x running on all 6. The AWS servers are all t2.medium w/ unlimited turned on. Occasionally we have issues with all 6 where one of the

[Freeipa-users] Re: dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
Please disregard for now.  I compared it to another server and found that dir...@example.net is incorrect.   On Friday, November 16, 2018 2:46 PM, Andrew Meyer via FreeIPA-users wrote: I just noticed that I have 2 dirsrv systemctl units as well. See below: [root@freeipa02 slapd

[Freeipa-users] Re: dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
       389 Directory Server[root@freeipa02 slapd-EXAMPLE-NET]# On Friday, November 16, 2018 2:40 PM, Andrew Meyer via FreeIPA-users wrote: We have 2 servers in our AWS west environment running CentOS 7.  The server just went unresponsive and I rebooted it.  After it came back up

[Freeipa-users] dirsrv not starting

2018-11-16 Thread Andrew Meyer via FreeIPA-users
We have 2 servers in our AWS west environment running CentOS 7. The server just went unresponsive and I rebooted it. After it came back up it won't start dirsrv service. I get the following errors from systemd/journalctl: [root@freeipa02 slapd-EXAMPLE-NET]# systemctl status dir...@example.net

[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Andrew Meyer via FreeIPA-users
I have this working w/o HBAC rules and not using OTP. On Friday, November 16, 2018 8:21 AM, Eric via FreeIPA-users wrote: Any luck yet, Kevin?  No luck here yet.  On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko wrote: I’m following this because I’m having same issue. Since the

[Freeipa-users] Re: Creating proxy users for PWM. Which is better DN?

2018-11-12 Thread Andrew Meyer via FreeIPA-users
I also had to extend the schema.  I'm not in front of my instructions right now. Sent from Yahoo Mail on Android On Mon, Nov 12, 2018 at 12:27, Rob Crittenden via FreeIPA-users wrote: Joyce Babu via FreeIPA-users wrote: > I am trying to setup PWM for allowing users to reset their

[Freeipa-users] Re: Creating proxy users for PWM. Which is better DN?

2018-11-10 Thread Andrew Meyer via FreeIPA-users
I just did this.  I setup the pwm users under the normal account setup. Sent from Yahoo Mail on Android On Sat, Nov 10, 2018 at 10:57, Joyce Babu via FreeIPA-users wrote: I am trying to setup PWM for allowing users to reset their password. I found the following guide on setting up PWM

[Freeipa-users] Re: DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
I remember entering an LDAP command that would show me the forwarders of all the servers. However ipa dnsserver-find gave me exactly what I wanted. On Wednesday, October 31, 2018 9:15 AM, Andrew Meyer via FreeIPA-users wrote: Please disregard. On Wednesday, October 31, 2018 9:04

[Freeipa-users] Re: DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
Please disregard. On Wednesday, October 31, 2018 9:04 AM, Andrew Meyer via FreeIPA-users wrote: I have configured DNS forwarders in each of my FreeIPA servers.  However I want to be able to go back and verify they are there.  I can't remember how to get that information.  I am

[Freeipa-users] DNs forwaders

2018-10-31 Thread Andrew Meyer via FreeIPA-users
I have configured DNS forwarders in each of my FreeIPA servers.  However I want to be able to go back and verify they are there.  I can't remember how to get that information.  I am running CentOS 7 latest with FreeIPA version 4.5.0.  I want to say there is an LDAP command I found. This is not

[Freeipa-users] pwm

2018-09-04 Thread Andrew Meyer via FreeIPA-users
Hello, I am working on getting pwm setup with FreeIPA. However I'm running into some issues. I have it pretty much configured but I am getting error in the logs for pwm. Sep  4 11:09:21 pwm01 server: 2018-09-04T11:09:21Z, ERROR, cluster.ClusterMachine, 5093 ERROR_CLUSTER_SERVICE_ERROR (error

[Freeipa-users] adding users

2018-08-31 Thread Andrew Meyer via FreeIPA-users
So we are starting the final phase of our migration and I am trying to add all the users to FreeIPA. But I'm getting an error and I'm not sure why. I've also never gotten this in the past when adding users. [root@freeipa01 ~]# ipa user-add user.name --first=User --last=name --email

[Freeipa-users] Re: pwm - password reset portal

2018-08-30 Thread Andrew Meyer via FreeIPA-users
Meyer via FreeIPA-users wrote: Has anyone setup the self service password module? I have it setup and working on tomcat on a separate server. If so I have a few questions: 1) did you install this on the freeipa main server or another server? 2) Did you have to allow anonymous searching for pwm? I

[Freeipa-users] pwm - password reset portal

2018-08-30 Thread Andrew Meyer via FreeIPA-users
Has anyone setup the self service password module? I have it setup and working on tomcat on a separate server. If so I have a few questions: 1) did you install this on the freeipa main server or another server? 2) Did you have to allow anonymous searching for pwm? I have a user account setup for

[Freeipa-users] Re: dns discovery failed

2018-08-27 Thread Andrew Meyer via FreeIPA-users
Meyer via FreeIPA-users wrote: > So I decided to rebuild my setup at home.  I am running this on CentOS 7 > latest and have gotten the server working just fine.  I am trying to > setup a client server and getting the following: > > [ameyer@jump01 vmware-tools-distrib]$ sudo ipa

[Freeipa-users] dns discovery failed

2018-08-25 Thread Andrew Meyer via FreeIPA-users
So I decided to rebuild my setup at home.  I am running this on CentOS 7 latest and have gotten the server working just fine.  I am trying to setup a client server and getting the following: [ameyer@jump01 vmware-tools-distrib]$ sudo ipa-client-install [sudo] password for ameyer: DNS discovery

[Freeipa-users] Re: accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
to trust the IPA CA. rob > > > On Monday, August 20, 2018 3:26 PM, Rob Crittenden via FreeIPA-users > wrote: > > > Andrew Meyer via FreeIPA-users wrote: >> Hello, >> I'm having some difficulty accessing the API.  Following the directions >> shown h

[Freeipa-users] Re: accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
: Andrew Meyer via FreeIPA-users wrote: > Hello, > I'm having some difficulty accessing the API. Following the directions > shown here: > > Far away to be identical > <https://vda.li/en/docs/freeipa-management-in-a-nutshell/>

[Freeipa-users] accessing the api

2018-08-20 Thread Andrew Meyer via FreeIPA-users
Hello, I'm having some difficulty accessing the API. Following the directions shown here: Far away to be identical. I am trying to use the following curl commands: curl -kv -H

[Freeipa-users] Re: Documented monitoring best practices

2018-08-13 Thread Andrew Meyer via FreeIPA-users
I know this is an old thread, but there are no changes to FreeIPA that cnmonitor might conflict with are there? On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users wrote: Alex Corcoles via FreeIPA-users wrote: > On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein

[Freeipa-users] DNS Forwarders

2018-08-02 Thread Andrew Meyer via FreeIPA-users
Is it possible to have a per server zone forwarder in /etc/named.conf and NOT break replication?

[Freeipa-users] DNS issues

2018-08-02 Thread Andrew Meyer via FreeIPA-users
So I've had my FreeIPA setup for about 6 months now at my company. As of recently I'm seeing some issues where if I try to dig against the servers I get nothing back. I do not have a global forwarder setup because it should automatically go outbound if it's not in its own table, correct? This

[Freeipa-users] Re: keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
Thanks for the clarification! On Thursday, June 7, 2018 2:32 PM, Jochen Hein via FreeIPA-users wrote: Rob Crittenden via FreeIPA-users writes: > I don't know where Keycloak upstream is. Look at http://www.keycloak.org Jochen -- This space is intentionally left blank.

[Freeipa-users] keycloak

2018-06-07 Thread Andrew Meyer via FreeIPA-users
what is the difference between keycloak and freeipa? Is there a free version of this? Is that what ipsilon is? If not is there a repo for this?

[Freeipa-users] ipsilon

2018-06-06 Thread Andrew Meyer via FreeIPA-users
Not sure if this is the right place for support w/ ipsilon. But I got it installed and I'm able to browse to the website and login now. However when I go to the login stack there are some buttons to the right of the login plugins, and they say that's it. What does that mean? Also I've

[Freeipa-users] Re: ipsilon

2018-05-22 Thread Andrew Meyer via FreeIPA-users
What about on CentOS 7? On Tuesday, May 22, 2018 5:08 AM, Jan Pazdziora via FreeIPA-users wrote: On Thu, May 17, 2018 at 10:53:13PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On to, 17 touko 2018, Andrew Meyer wrote: > > So I followed the

[Freeipa-users] authoritative name-server

2018-05-17 Thread Andrew Meyer via FreeIPA-users
In my current freeipa setup when I go in to the dns zone I see the authoritative name server is incorrect.  When I removed the server shouldn't it have changed it? Also when I go look at the bind config in /var/named/dyndb-ldap/master/example.net/raw the SOA line shows the correct server. 

[Freeipa-users] Re: ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=94fe5ec3-1608-4977-840a-8b186f4eee28 On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On to, 17 touko 2018, Andrew Meyer via FreeIPA-users wrote: >H

[Freeipa-users] ipsilon

2018-05-17 Thread Andrew Meyer via FreeIPA-users
Has anyone installed this on their prod FreeIPA installation? I need to hook FreeIPA into some other auth systems that don't support LDAP.

[Freeipa-users] auth to pther providers still using freeipa

2018-05-16 Thread Andrew Meyer via FreeIPA-users
My company is wanting to use FreeIPA for everything. However we also utilize other external services that have their own auth system but can support oauth, or gsuite/facebook etc etc. Is this possible w/ FreeIPA? Also, searching through google I found this - Ipsilon. Would you recommend I use

[Freeipa-users] Re: adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Ok. I will check this out. Thank you! On Monday, May 14, 2018 10:59 AM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: On ma, 14 touko 2018, Andrew Meyer via FreeIPA-users wrote: >Hello, I am trying to add a new user to another group. T

[Freeipa-users] adding users to other user groups

2018-05-14 Thread Andrew Meyer via FreeIPA-users
Hello, I am trying to add a new user to another group. This group was setup for another user. When I create the user it seems to do the same thing as when I create them on a local system. I get a User and a group for the user as well. However when I go to add another user to that newly

[Freeipa-users] Re: A record discrepency

2018-05-11 Thread Andrew Meyer via FreeIPA-users
/named/dyndb-ldap/ipa/master/zone.net/ and try to cat the raw file and its not there... I did a ipa-replica-manage re-initialize thinking that would bring it over and it didn't. BTW, this is CentOS 7.4 and FreeIPA 4.5.x. Thank you! On Friday, May 11, 2018 8:27 AM, Andrew Meyer via FreeIPA

[Freeipa-users] A record discrepency

2018-05-11 Thread Andrew Meyer via FreeIPA-users
On one of my FreeIPA servers I have an A record that points to the correct IP in the web ui, but when I go look at the raw file in /var/named/dyndb-ldap/ipa/master/zone.net/raw it is incorrect.  I have done a kinit admin, and then ipa-replica-manage re-initialize --from

[Freeipa-users] clients-per-query

2018-04-27 Thread Andrew Meyer via FreeIPA-users
So in my logs on I am getting the following: -23-Apr-2018 01:25:20.041 clients-per-query decreased to 14 I have not seen this on any other DNS server I have come across. Is this normal for FreeIPA? Can the limits be increased by default?

[Freeipa-users] IPA Error 4203 DatabaseError

2018-04-23 Thread Andrew Meyer via FreeIPA-users
I seem to have 1 server that constantly gets out of sync with the other 3 servers. Currently I am getting this error when I try to add a user: Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log). I am trying to find the log files and figure out what I

[Freeipa-users] Re: sudo command group

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Rob, For this are you referring to the search limit size? On Friday, April 6, 2018 9:29 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > So I'm having an issue with sudo policies where I have about ~200 &

[Freeipa-users] Re: sudoers questions

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Yes, but what about adding the hostgroup to the sudo policy? Do I still need to add the netgroup instead? On Wednesday, April 18, 2018 10:17 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > Hello, >

[Freeipa-users] sudoers questions

2018-04-18 Thread Andrew Meyer via FreeIPA-users
Hello, I have been doing a lot of research on trying to get host groups to work with sudoers policies. However I'm finding that this can't be done and is only achieved by using netgroups. Is this true? I just would like some validation/confirmation before I go too far down the rabbit

[Freeipa-users] modifying ttl on dns records

2018-04-10 Thread Andrew Meyer via FreeIPA-users
I am trying to modify the TTL for records in my zone. When I try to do this I am getting the following error: [gatewayblend@freeipa01-dev ~]$ ipa dnsrecord-mod gatewayblend.local. andrew-test.stl1 --ttl=300 No option to modify specific record provided. Current DNS record contents: SSHFP record:

[Freeipa-users] authoritative nameserver

2018-04-10 Thread Andrew Meyer via FreeIPA-users
A while ago I removed my original 2 FreeIPA servers after adding 4 new ones. However in the DNS zone for my FreeIPA server in the authoritative nameserver entry I still have the original nameserver. Should this have been changed when I removed it? Does this have to be changed manually?

[Freeipa-users] dns recursion

2018-04-06 Thread Andrew Meyer via FreeIPA-users
Another issue I'm having is that we have DNS setup with split horizon/views in R53. We want to be able to get a copy of the internal zone from R53 from my local FIPA servers. Is this possible? I have zone forwards setup in FIPA so that if you are up in AWS VPC you can query R53. However I

[Freeipa-users] sudo command group

2018-04-06 Thread Andrew Meyer via FreeIPA-users
So I'm having an issue with sudo policies where I have about ~200 commands in my sudoers, I added those commands to a group and I got an error in the WebUI: Search result has been truncated: Configured size limit exceeded Also when I run the ipa sudocmdgroup-show I don't see all the commands. 

[Freeipa-users] Re: NTP

2018-04-04 Thread Andrew Meyer via FreeIPA-users
  2118.44  76.063  freeipa03.stl1. 10.1.6.250       3 u   51   64   37   33.218  2922.96  19.715*LOCAL(0)        .LOCL.           5 l   57   64   37    0.000    0.000    0.000 On Tuesday, April 3, 2018 1:27 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org>

[Freeipa-users] Re: NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
This is a mix of VMware VMs and AWS instances. All CentOS 7. On Tuesday, April 3, 2018 1:04 PM, Rob Crittenden <rcrit...@redhat.com> wrote: Andrew Meyer via FreeIPA-users wrote: > I need some clarification on this. I have my FreeIPA server in > talking. NTP is working.

[Freeipa-users] NTP

2018-04-03 Thread Andrew Meyer via FreeIPA-users
I need some clarification on this. I have my FreeIPA server in talking. NTP is working. However some servers are getting ntp drift. If I go into /etc/ntp.conf I see that at the bottom FreeIPA adds server at the bottom of the file. ### Added by IPA Installer ### server 127.127.1.0 iburst fudge

[Freeipa-users] directory sync

2018-03-26 Thread Andrew Meyer via FreeIPA-users
So today I come in to work and find that one of my FreeIPA servers isn't synching with the rest of the cluster. I have a policy set to go in a big square. I tried doing a ipa-replica-manage force-sync --verbose and then tried doing a re-initialize. I have the networks wide open to allow

[Freeipa-users] replica unable to communicate

2018-03-21 Thread Andrew Meyer via FreeIPA-users
I need some help with this. I am working with FreeIPA running on CentOS 7.4 version 4.5.0-22. I have 2 servers in my AWS VPC and 2 servers at my local office. For some reason I am not seeing replication happen (over ldaps?) from 1 server in my local office to the two servers up there. AWS

[Freeipa-users] replication broken

2018-03-20 Thread Andrew Meyer via FreeIPA-users
So for some reason yesterday my replication broke. Checked out the logs and found this: Mar 20 14:16:02 freeipa01 systemd: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE Mar 20 14:16:02 freeipa01 systemd: Unit ipa-dnskeysyncd.service entered failed state. Mar 20

[Freeipa-users] remote udate vectors

2018-03-20 Thread Andrew Meyer via FreeIPA-users
While doing some troubleshooting on replication I found that I have an old server in my replica list-ruvs. How would I go about removing that?

[Freeipa-users] Re: FreeIPA in AWS

2018-03-20 Thread Andrew Meyer via FreeIPA-users
So I made the changes to the SecurityGroup in AWS and my local FreeIPA servers can't talk up. I suspect this is something on the AWS side. :-( On Tuesday, March 20, 2018 9:17 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Thank you sir! I will

[Freeipa-users] FreeIPA in AWS

2018-03-20 Thread Andrew Meyer via FreeIPA-users
I have FreeIPA setup on CentOS 7 in AWS.  However we are looking to lock down communication over our VPN tunnel.  Trying to do some research to see what ports I need.  I've gotten most of them, 80,443,88,464,389,636,123.  I have it setup to allow UDP/TCP for both sides.  However in the amazon

[Freeipa-users] Re: Using different distros

2018-03-12 Thread Andrew Meyer via FreeIPA-users
Thanks for the response, I don't think we will be issuing SSL certs from FreeIPA to systems in AWS running Amazon Linux 2. On Monday, March 12, 2018 10:54 AM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: >

[Freeipa-users] Using different distros

2018-03-12 Thread Andrew Meyer via FreeIPA-users
I have emailed in previously for issues w/ Amazon Linux 2 as a replica server but I am wondering if I can use Amazon Linux 2 as a client machine to FreeIPA.  Will I run into the same issues with SSL (NSS vs OpenSSL) that I did with the replica? Thank

[Freeipa-users] removing a replica

2018-03-07 Thread Andrew Meyer via FreeIPA-users
I am trying to follow  HowTo/Remove replica in a managed topology - FreeIPA to remove replica servers correctly.  However when I do this I am running into an error:
[andrew.meyer@infra-test-ipa ~]$ ipa topologysegment-del
Suffix name: domain
Segment name:

[Freeipa-users] client machines and server related questions

2018-03-07 Thread Andrew Meyer via FreeIPA-users
I have a few more questions regarding joining client machines to the domain. If I manually specify a FreeIPA server when joining the client to it, can I go back and add the _srv_ to the line in /etc/sssd/sssd.conf ?  Will doing that work just like if I did autodiscover? Can I specify more than 1

[Freeipa-users] Re: new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
Meyer via FreeIPA-users wrote: > I am trying to add another client in my main location and getting the > following information: > [user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net > --realm=stl1.example.net --mkhomedir --enable-dns-updates > Skip infra-test

[Freeipa-users] new client setup

2018-03-06 Thread Andrew Meyer via FreeIPA-users
I am trying to add another client in my main location and getting the following information:
[user@freeipa01 ipa]$ sudo ipa-client-install --domain=stl1.example.net --realm=stl1.example.net --mkhomedir --enable-dns-updates
Skip infra-test-ipa.example.net.stl1.example.net: LDAP server is not

[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
unt of grief. rob > > > On Tuesday, March 6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > > Andrew Meyer via FreeIPA-users wrote: >> After getting the feedback previously from the mailing list (thank you >

[Freeipa-users] Re: error when promoting new client to replica

2018-03-06 Thread Andrew Meyer via FreeIPA-users
6, 2018 1:02 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: Andrew Meyer via FreeIPA-users wrote: > After getting the feedback previously from the mailing list (thank you > for all your help) I have deployed a CentOS 7 image in AWS.  I was able

[Freeipa-users] Re: error when promoting new client to replica

2018-03-05 Thread Andrew Meyer via FreeIPA-users
I think I figured out my problem.  I think it's the Amazon Linux replica.  named-pkcs11 keeps dying which is causing my issues. On Monday, March 5, 2018 3:40 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: After getting the feedback previousl

[Freeipa-users] error when promoting new client to replica

2018-03-05 Thread Andrew Meyer via FreeIPA-users
After getting the feedback previously from the mailing list (thank you for all your help) I have deployed a CentOS 7 image in AWS.  I was able to add the client machine to the FreeIPA domain.  The CentOS 7 instance is a t2.medium which is a 2 proc by 4GB RAM.  But when I go to promote it I get

[Freeipa-users] Re: snmp monitoring

2018-03-05 Thread Andrew Meyer via FreeIPA-users
ers@lists.fedorahosted.org> wrote: On ma, 05 maalis 2018, Andrew Meyer via FreeIPA-users wrote: >When reading about monitoring replication I see that I can get this >setup using --setup-snmp, however on CentOS 7.x (latest) I don't have >that option.  Is it not in 4.5.0? Can you point to your sourc
