On 11/28/2017 11:13 AM, Rob Crittenden via FreeIPA-users wrote:
Rob Morin via FreeIPA-users wrote:
Hello all...
I was wondering if someone could help me out, is it possible to have a
user administer only one host/server. Meaning they would log on to
freeipa gui and be able to change a password
On 11/10/2017 12:08 PM, Christophe TREFOIS via FreeIPA-users wrote:
Hi,
How did you proceed? One by one just a yum update on all pending packages?
--
Little late to the party, but FWIW, I just upgraded one of our IPA
servers from 7.3 to 7.4 doing yum -y update. Worked like a charm. I do
On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote:
Hi list,
RHEL/CentOS 5.11 clients do not seem to work with IPA 4.5 unless I
go from sssd-ipa to sssd-ldap. I would prefer to continue to use
sssd-ipa to allow the existing HBAC rules to function.
Is there a known workaround to
So, I'm /this/ close to getting a pair of servers in Alaska (on very
slow links) setup for IPA authentication. I've followed the
documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
since these two
On 10/13/2017 11:23 AM, Rob Crittenden wrote:
The kvno should match that of the keytab. If not you'll need to
regenerate it.
Note that by default ipa-getkeytab generates new keys every time it is
executed.
rob
Addendum to my previous reply. I /can/ 'kinit mark.haney' and supply my
On 10/13/2017 09:48 AM, Mark Haney wrote:
I tried changing HOST/ to host/ and got this:
Certificate at same location is already used by request with nickname
"20171013123749"
Seems it doesn't matter on this setup. Oh, probably should mention
this is a CentOS 6.9 box. In case that matters.
On 10/13/2017 09:17 AM, Rob Crittenden wrote:
Mark Haney via FreeIPA-users wrote:
I'm pretty sure y'all are tired of my stupid questions, but I've got
that new Geek smell with regards to IPA, and definitely with manual
configuration. This should be easy to answer. I've got all the
necessaries
On 10/13/2017 09:00 AM, Mark Haney wrote:
I'm pretty sure y'all are tired of my stupid questions, but I've got
that new Geek smell with regards to IPA, and definitely with manual
configuration. This should be easy to answer. I've got all the
necessaries manually setup and I'm at the step to
On 10/12/2017 02:06 PM, Rob Crittenden wrote:
Mark Haney wrote:
Maybe some holy water wouldn't be a bad idea.
On the bright side if anyone were ever to log into the machines then
the sssd cache would likely make it far easier on subsequent attempts.
rob
True. Fortunately, we
On 10/12/2017 01:32 PM, Rob Crittenden wrote:
Mark Haney via FreeIPA-users wrote:
That's a tough one. ipa-client-install makes many (a dozen?)
connections while it does its thing.
You might try pre-generating the host entry and keytab, shipping it to the
machine, then using the --keytab option
I appreciate all the ideas on how to fix the SSL cert issue on updating
to 4.5.0, I'll work on that next week I hope.
This one should be much quicker (hopefully). My boss has insisted that
I get ipa-clients working on a half-dozen or so servers located in
Alaska. (Believe me, I argued
On 10/10/2017 05:46 PM, Simo Sorce wrote:
Could you perhaps do something weird with the default shell setting?
probably can use oddjob/oddjob_mkhomedir properly configured on the
various servers.
Simo.
Actually it was even simpler than that, and goes to show what happens
when you
Due to people not documenting squat here over years, one of our servers
configurations got jacked up when I migrated it from OpenLDAP to IPA.
This is a CentOS 6 server that runs RANCID to pull customer edge router
configs. The old OpenLDAP setup had a policy in Kerberos that would
create a
On 10/10/2017 12:47 AM, Alka Murali via FreeIPA-users wrote:
Hello Team,
I have integrated my Ubuntu/Debian and CentOS Servers as IPA Clients
to my FreeIPA Server. The custom sudo rule added by me also works for
the users assigned to the rule.
The first login attempt as well as sudo access
On 10/09/2017 12:24 PM, Andrew Meyer wrote:
I'm heading down that route as well. But I would like to have both
options available to the boss.
I'm not sure if my syntax is incorrect. That's where I need help.
Can't help you there, brother. Our LDAP setup was crap from the
beginning, so we
I never said I didn't like. Just that it's not that complicated to setup a
playbook to do what you're doing.
On Thu, Oct 5, 2017 at 11:17 AM, Thomas Woerner wrote:
> Hello Mark,
>
> On 10/05/2017 03:57 PM, Mark Haney wrote:
> > I've been doing this using a custom Ansible
I've been migrating a lot of our customer boxes from a local install of
our master LDAP database (yeah, I know) to our IPA servers. Nearly all
these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as
well) and I've built an ansible playbook to make the migration changes.
I've
On 09/14/2017 09:41 AM, Alexander Bokovoy wrote:
On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
Sigh. As I said, I edited the repo to point DIRECTLY to 6.9 and got the
same result. Care to explain that with some other policy? Even then,
DOWNLOADING the RPM still will not install
> On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote:
>
>> Well this is interesting. The latest version of sudo
>> is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The
>> issue here is that this box is CentOS 6.4 and I can't fully upd
14 Sep 2017, at 14:15, Mark Haney via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> Well this is interesting. The latest version of sudo
> is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The
> issue here is that this box is CentOS 6.4 an
13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via
> FreeIPA-users wrote:
> > On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote:
> > > On 09/13/2017 03
On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote:
Hi Mark,
Not all CentOS releases are created equal. Support for Sudo appeared later in
IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8
should work fine. I’ve recently enrolled a few rhel 6.4
One of my biggest projects is to use ansible to kill OpenLDAP clients on
our production servers and install ipa-client and configured. I'm
probably 95% there with automating the process (still trying to figure
out what pam_ldap crap is floating around after uninstalling those
packages and
On 09/08/2017 12:10 PM, Simo Sorce wrote:
On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
Probably the dumbest question you'll get all day, but we've got a
hundred or so VMs with OpenLDAP on them (as clients pointing to a
master). Are there any gotchas to replacing
Probably the dumbest question you'll get all day, but we've got a
hundred or so VMs with OpenLDAP on them (as clients pointing to a
master). Are there any gotchas to replacing OpenLDAP with FreeIPA? I'm
using Ansible to push the client install to the VMs, with a task for
uninstalling
On 08/04/2017 02:19 PM, Rob Crittenden wrote:
You'd have to do it using LDAP directly. There is nothing really wrong
with having a few revoked certs.
rob
I suppose that's fine, it just offends my sense of order. Thanks for
the info.
--
Mark Haney
Network Engineer at NeoNova
919-460-3330
So now that we have a nicely replicating domain and ca, I'd like to rid
myself of these revoked certificates which I tried as a way to fix the
replication and setting up of a CA. Is there a way to delete these
certs out of the store?
On 08/03/2017 08:34 AM, Fraser Tweedale wrote:
Mark, that's great news; I'm glad you were able to resolve the
issue.
Everyone gets the tunnel vision sometimes :)
I wish you a successful rollout to production.
Cheers,
Fraser
Actually, let me update you on this. I finally got a chance to
On 08/02/2017 04:17 PM, Fraser Tweedale wrote:
- /var/log/ipareplica-install.log from replica
- /etc/pki/pki-tomcat/ca/debug from both master and replica
Those logs should do for a start.
I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both
master and replica. Depending on
On 08/02/2017 07:25 AM, Fraser Tweedale wrote:
On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote:
Providing the dogtag debug log might be helpful. The replica install log
shows that the GoDaddy CA chain was imported and trusted reasonably
(C,,) but the installer later claims it
On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
you can connect to IPA web UI on the server to revoke the cert:
https://server.ipadomain.com/ipa/ui, then navigate to Authentication >
Certificates, click on the certificate corresponding to the replica
which failed installation
On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote:
Hi,
you can connect to IPA web UI on the server to revoke the cert:
https://server.ipadomain.com/ipa/ui, then navigate to Authentication >
Certificates, click on the certificate corresponding to the replica
which failed installation
On 08/01/2017 03:26 AM, Florence Blanc-Renaud wrote:
another user hit the same problem as you (ipa-replica-install
--setup-ca fails during pkispawn and the PKI debug log shows an error
related to updateNumberRange). He managed to workaround the issue by
un-enrolling the failing replica and
On 07/24/2017 10:25 PM, Fraser Tweedale wrote:
Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log
file (ideally the whole thing)?
Also to clarify: ``ipa-replica-install --setup-ca'' installs a new
replica including the CA role. To install the CA role on an
existing replica use
Heh. That's the EXACT SAME error I kept getting whether I ran the
install-ca from an existing replica, or when adding a CA while installing a
new replica. Glad I'm not the only one seeing such weird errors.
On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <
replica with CA and
pull those logs if/when that fails.
On Mon, Jul 24, 2017 at 10:25 PM, Fraser Tweedale <ftwee...@redhat.com>
wrote:
> On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users
> wrote:
> > Prior to my employment, one of our engineers setup an IPA s
On 07/13/2017 09:57 PM, Fraser Tweedale wrote:
OK, I think I understand.
ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been
set up with a certificate issued by the IPA CA, which your browser
does not trust.
There are two ways forward here:
1. You can use
On 07/12/2017 08:34 PM, Fraser Tweedale wrote:
Which version(s) of FreeIPA?
ipa-server-4.4.0-14.el7.centos.7.x86_64
Which service(s) (HTTP, LDAP?).
HTTPS. I haven't checked LDAPS yet. It appears this is only related to
HTTPS. To give a bit of backstory, the primary host [ipa0] was