All,
A final heads-up for users that land on this thread.
I was able to reduce all outstanding latency after realizing via debug
logs that I had inadvertently created a "loop" of sorts via HBAC
rules.
The "loop" was caused by an HBAC rule which included both the POSIX
group and its externally
All,
Just a heads-up for users that land on this thread.
Make sure that you do not create any groups whose names are actual AD
usernames, i.e. "amber12" and "amber12". If you do, client look-ups
will stall and fail.
As a result of this find, we'll make sure to add a prefix/suffix to
the group
Alexander,
Thank you for your support!
John DeSantis
On Thu, 2 May 2019 at 16:30, Alexander Bokovoy
wrote:
>
> On Thu, 02 May 2019, John Desantis via FreeIPA-users wrote:
> >Alexander,
> >
> >Apologies for the delay in responding. Our A.D. admins have been quite busy.
> >
> >>
On Thu, 02 May 2019, John Desantis via FreeIPA-users wrote:
Alexander,
Apologies for the delay in responding. Our A.D. admins have been quite busy.
Can you remove it from IPA and add
ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid 10001
after you added
Alexander,
Apologies for the delay in responding. Our A.D. admins have been quite busy.
> Can you remove it from IPA and add
>
> ipa idoverridegroup-add 'Default Trust View' adglobalposixgroup@ad.domain --gid 10001
>
> after you added adglobalposixgroup in AD?
Alright, this was done and the
On Mon, 29 Apr 2019, John Desantis wrote:
Alexander,
Thanks for your continued support.
I'm not saying about that at all.
Can you show output of
ipa group-show --all --raw adglobalposixgroup
Sure thing!
PROD:15:13:34-root@ipaserver1:~
# ipa group-show --all --raw adglobalposixgroup
dn:
Alexander,
Thanks for your continued support.
> I'm not saying about that at all.
>
> Can you show output of
>
> ipa group-show --all --raw adglobalposixgroup
Sure thing!
PROD:15:13:34-root@ipaserver1:~
# ipa group-show --all --raw adglobalposixgroup
dn:
On Mon, 29 Apr 2019, John Desantis wrote:
Alexander,
>Yes, the group was created within the IPA domain via the cli, and this
>error is only manifest in the client log. However, the GID of the
>group (10001) is supplied via the AD trust using the POSIX range.
That isn't going to work at all.
Alexander,
> >Yes, the group was created within the IPA domain via the cli, and this
> >error is only manifest in the client log. However, the GID of the
> >group (10001) is supplied via the AD trust using the POSIX range.
> That isn't going to work at all.
>
> For IPA groups POSIX IDs should be
Hello all,
So, for anyone following this thread, I've been able to make some
progress but not enough to consider the configuration production
ready.
After watching sssd logs ([domain] debug_level = 10, [sssd]
debug_level = 10, and [nss] debug_level = 10) on both the client and
server, I am able
Hello all,
Doh! I realized that I hadn't actually attached the logs; so much
for trouble-shooting!
Thanks,
John DeSantis
On Mon, 22 Apr 2019 at 13:07, John Desantis
wrote:
>
> Hello all,
>
> I've pretty much exhausted my searching in order to find a solution to
> a problem
The documentation on this is pretty good. Basically, you can ’trust’ AD from
FreeIPA, which means the users from AD can be used in IPA. Groups too.
Passwords must be set and reset in AD, but everything you need for Linux (SSH
keys, host rules etc) can be done in IPA.
Whoa …… thanks for this. Now I think I am on the right path now.
Thanks for the help.
R
> On 12 Sep 2018, at 13:44, Alexander Bokovoy via FreeIPA-users
> wrote:
>
> On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
>>
>>
>>> On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
On 12 Sep 2018, at 13:07, Alexander Bokovoy via FreeIPA-users
wrote:
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
Hi, All
Off the bat I would like to say being new to freeIPA and rolling out
successful deployment to manage our
On Wed, 12 Sep 2018, Ryan via FreeIPA-users wrote:
Hi, All
Off the bat I would like to say being new to freeIPA and rolling out
successful deployment to manage our servers has been amazing, very few
hiccups.
Which brings me to my next question, I have been asked if FreeIPA can
be used with
I have an open RFE for global catalogs for a while now. Last update for target
release is 7.5/7.6 timeframe :(
-- gracie mobile
> On Feb 6, 2018, at 7:25 AM, Alexander Bokovoy via FreeIPA-users
> wrote:
>
>
>
> - Original Message -
>> Hi,
- Original Message -
> Hi,
>
> Clearly my Google skills are lacking, as I've not been able to find anything
> definitive (mainly just old versions of IPA)
>
> We have a well used FreeIPA domain, but I have a few appliances and
> applications that require Active Directory. I can find
You could probably establish two-way trust between AD and IPA domains. It seems
such configuration is supported:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust-one-two-way
-
Boris Sukhinin
18 matches