Hi,
We only used the default trust view. Recently a colleague added another ID
View.
After that when adding a lot of new users from AD, with overrides in the
Default Trust View we were not able to resolve the new users (id: ‘xx’:
no such user)
on IPA clients. No problem on the IPA servers (a
Hi,
Current IPA environment is using lowercase usernames.
But we also have an LDAP environment in which usernames are in UPPERCASE.
This is used for "some" krb tickets possibilities.
Imagine we add users to the Default Trust View and adapt login to
UPPERCASE. Can we expect some troubles or nuisan
On Fri, Oct 18, 2019 at 8:26 AM Alexander Bokovoy
wrote:
> On Fri, 18 Oct 2019, Pieter Baele wrote:
> >All Windows clients are properly enrolled into the AD domain.
> >
> >We can't use two-way trust because of reasons you explained here before. A
> >one-way external trust is used. All perfectly e
ations)(we are reaching out to RH)
Sincerely Pieter
On Wed, 16 Oct 2019, 10:08 Alexander Bokovoy, wrote:
> On Wed, 16 Oct 2019, Pieter Baele via FreeIPA-users wrote:
> >The only open issue we have with IPA is Windows clients not being directed
> >to the Kerberos servers of t
The only open issue we have with IPA is Windows clients not being directed
to the Kerberos servers of the IPA realm.
We can solve this issue using domain_realm registry keys as mentioned on
the mailing list before.
But is there any different method to accomplish this?
As far as I know/read, Wind
Hi,
We use an IPA domain for a large part of our internal servers.
Our first one-way trust implementation was not properly working because of
routing issues.
Two-way trust in our environment is not possible, because normal users are
limited.
(we can resolve 'system/service' accounts without those
I tried various approaches to get Renewable tickets :
modifying the kdc
modifying krb5.conf
using kadmin.local on every replica to modify the principal; which is not
working - as designed (?)- in IPA
What should I do to get a ticket with the correct R flag from IPA ?
I don't think this is SSSD rel
RHEL is indeed available for Power 8 and Power 9.
But FreeIPA server is not, only the clients / sssd :-(
On Mon, Nov 12, 2018 at 7:14 PM Rob Crittenden wrote:
> Pieter Baele via FreeIPA-users wrote:
> > Seriously? I could not find them in our internal satellite 6 install and
> >
Seriously? I could not find them in our internal satellite 6 install and
support was going more into the subject of the IBM acquisition than
technical stuff
On Mon, 12 Nov 2018, 17:55 Rob Crittenden, wrote:
> Pieter Baele via FreeIPA-users wrote:
> > Anyone an idea what the timeline/r
Anyone an idea what the timeline/roadmap is for FreeIPA ipa-server PPC64LE
build for Centos 7 (or RH IDM on RHEL 7/8)
I only see some packages for PowerPC on Fedora and Ubuntu
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To
might be confused with
> the FQDN response.
>
> Finally, on IPA masters do not reconfigure SSSD to output non-FQDN
> names. This breaks badly compat tree and if you'd use legacy clients
> with trust to AD, there is no way to fix that.
>
> >
> >Thx for any advice
>
't it?)
Thx for any advice
On Thu, Sep 6, 2018 at 9:23 AM Alexander Bokovoy
wrote:
> On Thu, 06 Sep 2018, Pieter Baele via FreeIPA-users wrote:
> >Hi,
> >
> >I've one more application that doesn't behave very properly with FQDN
> users.
> >
Hi,
I've one more application that doesn't behave very properly with FQDN users.
For LDAP, this is no longer a problem as we use AD directly for
applications now.
But this application uses PAM, so somehow I do need to present it a
shortname as described in
https://docs.pagure.org/sssd.sssd/design_
Hi,
Would it somehow be possible to - partially - sync AD users (max 200) with
IPA while still using a trust with the same domain?
Logically this sounds like a bad idea, but my colleagues would really
really like to use IPA also for AIX. The biggest limitation is that the AIX
client doesn't work
tely...
> >There goes the use-case for our Unix admins - np ;-)
> You can serve IPA users there. Anything else really depends on AIX
> playing together which it is not, it seems.
>
> >
> >
> >
> >On Wed, Jul 25, 2018 at 1:56 PM Alexander Bokovoy
> >wr
Ok, thanks for the clarification.
So there is *no* possibility to serve AIX completely...
There goes the use-case for our Unix admins - np ;-)
On Wed, Jul 25, 2018 at 1:56 PM Alexander Bokovoy
wrote:
> On Wed, 25 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> >Is it somehow po
Is it somehow possible to have the uid field
in cn=users,cn=compat,dc=accnix,dc=infrabel,dc=be without the domain
extension?
It is causing problems for AD users using an IPA-AD trust
This problem was also discussed in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.o
dNumber: x
gidNumber: x
homeDirectory: /home/Accmsnet.railb.be/mcj7700
ipaAnchorUUID:: x
uid: mcj7...@accmsnet.railb.be
Thx a lot!
-- Pieter
On Wed, Jul 4, 2018 at 7:22 AM Alexander Bokovoy
wrote:
> On Wed, 04 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> >Hi,
> >
> >
I have currently been assisting an AIX colleague to use IPA as
authentication/authz provider for AIX systems.
That way we are moving to a common platform
We have found some examples on the web (AIX 5.x, AIX 6); information here
and there - but for the moment we still have a few issues.
The proprie
Hi,
On a test FreeIPA environment (4.5.0-22), a user is shown using the id
command, so ID Override is working as well.
id x...@accmsnet.railb.be
uid=8028(x...@accmsnet.railb.be) gid=4030(ucc)
groups=4030(ucc),702800513(domain us...@accmsnet.railb.be
),131849(ad_users)
However this particular
er if the product uses SSSD/PAM as identity store as well
somehow...
Sincerely Pieter
On Mon, Jul 2, 2018 at 2:15 PM Alexander Bokovoy
wrote:
> On Mon, 02 Jul 2018, Pieter Baele via FreeIPA-users wrote:
> > Hi,
> >
> >We have an application (Spring LDAP backend) that
Hi,
We have an application (Spring LDAP backend) that uses keytabs in the IPA
domain for SSO auth.
No problems at all for internal FreeIPA users after they have a valid
ticket (using MIT Kerberos for Windows) and a correctly configured browser.
An AD user is never present in IPA itself as an ine
https://github.com/abajwa-hw/security-workshops/blob/master/Setup-knox-23.md
Adapt as necessary
On Mon, Nov 13, 2017 at 4:28 PM, Kat via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Curious if anyone has done any configuration in using Apache Knox and
> integrating into IP
inä 2017, Pieter Baele via FreeIPA-users wrote:
> >Hi,
> >
> >Is there a correct way to setup a public/private design using IPA for
> >Kerberos?
> >I am currently implementing Kerberos for our Hadoop cluster.
> >
> >For communication between nodes, I use RFC
Hi,
Is there a correct way to setup a public/private design using IPA for
Kerberos?
I am currently implementing Kerberos for our Hadoop cluster.
For communication between nodes, I use RFC 1918 addresses
This works properly, but adds a complexity for FreeIPA.
Hosts have a public interface which t
On Wed, Jul 5, 2017 at 7:28 PM Rob Crittenden wrote:
> Pieter Baele via FreeIPA-users wrote:
> > No, only "fresh" and updated RHEL 7.3 hosts.
>
> Ok, you were the one that brought up re-installing...
>
> > Connections are being made, but still ipa-client in
ob Crittenden wrote:
> Pieter Baele via FreeIPA-users wrote:
> > Hi,
> >
> > I've a weird problem with 2 hosts on ipa-client-install registration.
> > All my servers are using a 99% alike kickstart profile.
> >
> > 8 hosts did their registration almost immedia
Hi,
I've a weird problem with 2 hosts on ipa-client-install registration.
All my servers are using a 99% alike kickstart profile.
8 hosts did their registration almost immediately (after submit of admin)
But on 2 servers I am stuck with:
stderr=
trying to retrieve CA cert via LDAP from
Any
29 matches