[Freeipa-users] Re: Special admin account for one server/host only?

On 11/28/2017 11:13 AM, Rob Crittenden via FreeIPA-users wrote: Rob Morin via FreeIPA-users wrote: Hello all... I was wondering if someone could help me out, is it possible to have a user administer only one host/server. Meaning they would log on to freeipa gui and be able to change a password

[Freeipa-users] Re: Upgrade from CentOS 7.3 to 7.4 - Safe?

On 11/10/2017 12:08 PM, Christophe TREFOIS via FreeIPA-users wrote: Hi, How did you proceed? One by one just a yum update on all pending packages? -- Little late to the party, but FWIW, I just upgraded one of our IPA servers from 7.3 to 7.4 doing yum -y update.  Worked like a charm. I do

[Freeipa-users] Re: RHEL/CentOS 5 and IPA 4.5

On 11/06/2017 10:58 AM, Sigbjorn Lie via FreeIPA-users wrote: Hi list, RHEL/CentOS 5.11 clients does not seem to work with IPA 4.5 unless I go from sssd-ipa to sssd-ldap. I would prefer to continue to use sssd-ipa to allow the existing HBAC rules to function. Is there a known workaround to

[Freeipa-users] Manual IPA client install

So, I'm /this/ close to getting a pair of servers in Alaska (on very slow links) setup for IPA authentication.  I've followed the documentation here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html since these two

[Freeipa-users] Re: Manual client configuration

On 10/13/2017 11:23 AM, Rob Crittenden wrote: The kvno should match that of the keytab. If not you'll need to regenerate it. Note that by default ipa-getkeytab generates new keys every time it is executed. rob Addendum to my previous reply.  I /can/ 'kinit mark.haney' and supply my

[Freeipa-users] Re: Manual client configuration

On 10/13/2017 09:48 AM, Mark Haney wrote: I tried changing HOST/ to host/ and got this: Certificate at same location is already used by request with nickname "20171013123749" Seems it doesn't matter on this setup.  Oh, probably should mention this is a CentOS 6.9 box. In case that matters.

[Freeipa-users] Re: Manual client configuration

On 10/13/2017 09:17 AM, Rob Crittenden wrote: Mark Haney via FreeIPA-users wrote: I'm pretty sure ya'll are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration.  This should be easy to answer.  I've got all the necessaries

[Freeipa-users] Re: Manual client configuration

On 10/13/2017 09:00 AM, Mark Haney wrote: I'm pretty sure ya'll are tired of my stupid questions, but I've got that new Geek smell with regards to IPA, and definitely with manual configuration.  This should be easy to answer.  I've got all the necessaries manually setup and I'm at the step to

[Freeipa-users] Re: IPA curl timeout on slow link

On 10/12/2017 02:06 PM, Rob Crittenden wrote: Mark Haney wrote: Maybe some holy water wouldn't be a bad idea. On the bright side if anyone were ever to log into the machines then the sssd cache would likely make it far easier on subsequent attempts. rob True.  Forunately, we

[Freeipa-users] Re: IPA curl timeout on slow link

On 10/12/2017 01:32 PM, Rob Crittenden wrote: Mark Haney via FreeIPA-users wrote: That's a tough one. ipa-client-install makes many (a dozen?) connections while it does its thing. You might try pre-generate the host entry and keytab, ship it to the machine, then use the --keytab option

[Freeipa-users] IPA curl timeout on slow link

I appreciate all the ideas on how to fix the SSL cert issue on updating to 4.5.0, I'll work on that next week I hope. This one should be much quicker (hopefully).  My boss has insisted that I get ipa-clients working on a half-dozen or so servers located in Alaska.  (Believe me, I argued

[Freeipa-users] Re: IPA policy creation

On 10/10/2017 05:46 PM, Simo Sorce wrote: Could you perhaps do something weird with the default shell setting? probably can use oddjob/oddjob_mkhomedir properly configured on the various servers. Simo. Actually it was even simpler than that, and goes to show what happens when you

[Freeipa-users] IPA policy creation

Due to people not documenting squat here over years, one of our servers configurations got jacked up when I migrated it from OpenLDAP to IPA.  This is a CentOS 6 server that runs RANCID to pull customer edge router configs.  The old OpenLDAP setup had a policy in Kerberos that would create a

[Freeipa-users] Re: FreeIPA Sudo Issue

On 10/10/2017 12:47 AM, Alka Murali via FreeIPA-users wrote: Hello Team, I have integrated my Ubuntu/Debian and CentOS Servers as IPA Clients to my FreeIPA Server. The custom sudo rule added by me also works for the users assigned to the rule. The first login attempt as well as sudo access

[Freeipa-users] Re: planning for migration

On 10/09/2017 12:24 PM, Andrew Meyer wrote: I'm heading down that route as well.  But I would like to have both options available to the boss. I'm not sure if my syntax is incorrect.  That's where I need help. Can't help you there, brother.  Our LDAP setup was crap from the beginning, so we

[Freeipa-users] Re: ansible-freeipa

I never said I didn't like. Just that it's not that complicated to setup a playbook to do what you're doing. On Thu, Oct 5, 2017 at 11:17 AM, Thomas Woerner wrote: > Hello Mark, > > On 10/05/2017 03:57 PM, Mark Haney wrote: > > I've been doing this using a custom Ansible

[Freeipa-users] CentOS 6 system 4 error

I've been migrating a lot of our customer boxes from a local install of our master LDAP database (yeah, I know) to our IPA servers.  Nearly all these boxes are CentOS 6 (we have a smattering of C7 and C5 boxes as well) and I've built an ansible playbook to make the migration changes.  I've

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

On 09/14/2017 09:41 AM, Alexander Bokovoy wrote: On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: Sigh.  As I said, I edited the repo to point DIRECTLY to 6.9 and got the same result.  Care to explain that with some other policy?  Even then, DOWNLOADING the RPM still will not install

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

com> wrote: > On to, 14 syys 2017, Mark Haney via FreeIPA-users wrote: > >> Well this is interesting. The latest version of sudo >> is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The >> issue here is that this box is CentOS 6.4 and I can't fully upd

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

14 Sep 2017, at 14:15, Mark Haney via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > Well this is interesting. The latest version of sudo > is sudo-1.8.6p3-29.el6_9.x86_64. Mine is sudo-1.8.6-7.el6.x86_64. The > issue here is that this box is CentOS 6.4 an

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

13, 2017 at 4:25 PM, Jakub Hrozek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via > FreeIPA-users wrote: > > On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: > > > On 09/13/2017 03

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: Hi Mark, Not all CentOS releases are created equal. Support for Sudo appeared later in IPA and you’ll probably need to update sssd and ipa-client. The one in 6.8 should work fine. I’ve recently enrolled a few rhel 6.4

[Freeipa-users] IPA sudo rules CentOS 6 vs CentOS 7

One of my biggest projects is to use ansible to kill OpenLDAP clients on our production servers and install ipa-client and configured.  I'm probably 95% there with automating the process (still trying to figure out what pam_ldap crap is floating around after uninstalling those packages and

[Freeipa-users] Re: Replacing OpenLDAP with FreeIPA

On 09/08/2017 12:10 PM, Simo Sorce wrote: On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote: Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master).  Are there any gotchas to replacing

[Freeipa-users] Replacing OpenLDAP with FreeIPA

Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master).  Are there any gotchas to replacing OpenLDAP with FreeIPA?  I'm using Ansible to push the client install to the VMs, with a task for uninstalling

[Freeipa-users] Re: Deleting revoked certs from CA master

On 08/04/2017 02:19 PM, Rob Crittenden wrote: You'd have to do it using LDAP directly. There is nothing really wrong with having a few revoked certs. rob I suppose that's fine, it just offends my sense of order. Thanks for the info. -- Mark Haney Network Engineer at NeoNova 919-460-3330

[Freeipa-users] Deleting revoked certs from CA master

So now that we have a nicely replicating domain and ca, I'd like to rid myself of these revoked certificates which I tried as a way to fix the replication and setting up of a CA. Is there a way to delete these certs out of the store? -- Mark Haney Network Engineer at NeoNova 919-460-3330

[Freeipa-users] Re: IPA replica with CA role problems

On 08/03/2017 08:34 AM, Fraser Tweedale wrote: Mark, that's great news; I'm glad you were able to resolve the issue. Everyone gets the tunnel vision sometimes :) I wish you a successful rollout to production. Cheers, Fraser Actually, let me update you on this. I finally got a chance to

[Freeipa-users] Re: IPA replica with CA role problems

On 08/02/2017 04:17 PM, Fraser Tweedale wrote: - /var/log/ipareplica-install.log from replica - /etc/pki/pki-tomcat/ca/debug from both master and replica Those logs should do for a start. I'd also like to see your /etc/pki/pki-tomcat/ca/CS.cfg from both master and replica. Depending on

[Freeipa-users] Re: IPA replica with CA role problems

On 08/02/2017 07:25 AM, Fraser Tweedale wrote: On Tue, Aug 01, 2017 at 02:55:26PM -0400, Rob Crittenden wrote: Providing the dogtag debug log might be helpful. The replica install log shows that the GoDaddy CA chain was imported and trusted reasonably (C,,) but the installer later claims it

[Freeipa-users] Re: IPA replica with CA role problems

On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation

[Freeipa-users] Re: IPA replica with CA role problems

On 08/01/2017 11:01 AM, Florence Blanc-Renaud wrote: Hi, you can connect to IPA web UI on the server to revoke the cert: https://server.ipadomain.com/ipa/ui, then navigate to Authentication > Certificates, click on the certificate corresponding to the replica which failed installation

[Freeipa-users] Re: IPA replica with CA role problems

On 08/01/2017 03:26 AM, Florence Blanc-Renaud wrote: another user hit the same problem as you (ipa-replica-install --setup-ca fails during pkispawn and the PKI debug log shows an error related to updateNumberRange). He managed to workaround the issue by un-enrolling the failing replica and

[Freeipa-users] Re: IPA replica with CA role problems

On 07/24/2017 10:25 PM, Fraser Tweedale wrote: Could you provide more of the /var/log/pki/pki-tomcat/ca/debug log file (ideally the whole thing)? Also to clarify: ``ipa-replica-install --setup-ca'' installs a new replica including the CA role. To install the CA role on an existing replica use

[Freeipa-users] Re: replica-install --setup-ca fails

Heh. That's the EXACT SAME error I kept getting whether I ran the install-ca from an existing replica, or when adding a CA while installing a new replica. Glad I'm not the only one seeing such weird errors. On Thu, Jul 27, 2017 at 12:28 PM, Petros Triantafyllidis via FreeIPA-users <

[Freeipa-users] Re: IPA replica with CA role problems

replica with CA and pull those logs if/when that fails. On Mon, Jul 24, 2017 at 10:25 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Mon, Jul 24, 2017 at 10:44:24AM -0400, Mark Haney via FreeIPA-users > wrote: > > Prior to my employment, one of our engineers setup an IPA s

[Freeipa-users] Re: Replication and SSL certs

On 07/13/2017 09:57 PM, Fraser Tweedale wrote: OK, I think I understand. ipa0 has been set up with a 3rd-party HTTP cert, but ipa1 has been set up with a certificate issued by the IPA CA, which your browser does not trust. There are two ways forward here: 1. You can use

[Freeipa-users] Re: Replication and SSL certs

On 07/12/2017 08:34 PM, Fraser Tweedale wrote: Which version(s) of FreeIPA? ipa-server-4.4.0-14.el7.centos.7.x86_64 Which service(s) (HTTP, LDAP?). HTTPS. I haven't checked LDAPS yet. It appears this is only related to HTTPS. To give a bit of backstory, the primary host [ipa0] was