[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
2018-02-14 4:55 GMT+08:00 Rob Crittenden : > Umarzuki Mochlis wrote: >> 2018-02-13 22:59 GMT+08:00 Rob Crittenden : >>> Umarzuki Mochlis via FreeIPA-users wrote: it's stuck with "status: SUBMITTING" when I issue the command "ipa-getcert list" after I

[Freeipa-users] Re: user/admin

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote: > There’s a convention of creating admin instances for users, usually named > user/admin. IPA doesn’t seem to allow such instances. Is there a way to make > them work? > > As far as I can tell the instance can only be a hostname. That doesn’t seem >

[Freeipa-users] Re: user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
I can actually create a principal foo/admin by creating a user foo-admin and changing the principal. But kinit can’t use it, so it’s not terribly useful. > On Feb 13, 2018, at 4:52 PM, Charles Hedrick wrote: > > There’s a convention of creating admin instances for users,

[Freeipa-users] user/admin

2018-02-13 Thread Charles Hedrick via FreeIPA-users
There’s a convention of creating admin instances for users, usually named user/admin. IPA doesn’t seem to allow such instances. Is there a way to make them work? As far as I can tell the instance can only be a hostname. That doesn’t seem like a sensible restriction.

[Freeipa-users] Re: IPA-Server Deletion issues

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Jamal Mahmoud via FreeIPA-users wrote: > Hi Rob, > > I've isolated the output on lithium when I ran > ipa-replica-manage del oxygen.eggvfx.ie > --force --cleanup > It's quite heavy still but here it is This is helpful. It shows that oxygen is being looked for in the IPA

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Umarzuki Mochlis wrote: > 2018-02-13 22:59 GMT+08:00 Rob Crittenden : >> Umarzuki Mochlis via FreeIPA-users wrote: >>> it's stuck with "status: SUBMITTING" when I issue the command "ipa-getcert >>> list" after I resubmit the cert renewal with "getcert resubmit -i ID" >> >> Which request is

[Freeipa-users] Re: IPA users and local groups question

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Jeff Goddard via FreeIPA-users wrote: > First off thanks to everyone who makes FreeIPA. It's an awesome product > that we love. > > We're working at breaking our application up into micro services and > using docker containers and deployment automation. As part of this I > have a deploy user in

[Freeipa-users] Re: IPA users and local groups question

2018-02-13 Thread Jakub Hrozek via FreeIPA-users
> On 13 Feb 2018, at 21:04, Jeff Goddard via FreeIPA-users > wrote: > > First off thanks to everyone who makes FreeIPA. It's an awesome product that > we love. > > We're working at breaking our application up into micro services and using > docker

[Freeipa-users] IPA users and local groups question

2018-02-13 Thread Jeff Goddard via FreeIPA-users
First off thanks to everyone who makes FreeIPA. It's an awesome product that we love. We're working at breaking our application up into micro services and using docker containers and deployment automation. As part of this I have a deploy user in IPA and a rundeck server that performs tasks as this

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 8:13 PM, Natxo Asenjo wrote: > > the canonical way to do this is using ldap paging, with ldapsearch you > could try using the -E pr= parameter, where could be 1000 for > instance. That way you know you are always under the limit imposed

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Natxo Asenjo via FreeIPA-users
On Tue, Feb 13, 2018 at 3:33 PM, Bret Wortman via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > I've run up against a limit I can't seem to adjust. > > When listing a particular DNS zone which has well over 5000 hosts in it, > we keep getting "Search result has been truncated:

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
On Tue, 2018-02-13 at 19:23 +0100, Ray via FreeIPA-users wrote: > Hi Simo, > > > > Hi Simo, > > > > > > > > Hi there, > > > > > > > > > > I'm trying to make Apache to access a kerberized document root on > > > > > CentOS > > > > > 7 using gssproxy. So far without success. On the web server

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users
Hi Simo, Hi Simo, > > Hi there, > > > > I'm trying to make Apache to access a kerberized document root on > > CentOS > > 7 using gssproxy. So far without success. On the web server machine > > (=NFS client) I configured a gss-proxy config file: > > > > # cat /etc/gssproxy/99-nfs-client.conf >

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
Looking at it now. On 02/13/2018 01:09 PM, Rob Crittenden wrote: Bret Wortman via FreeIPA-users wrote: I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been truncated: Configured

[Freeipa-users] Re: Fixing limit on DNS searches

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Bret Wortman via FreeIPA-users wrote: > I've run up against a limit I can't seem to adjust. > > When listing a particular DNS zone which has well over 5000 hosts in it, > we keep getting "Search result has been truncated: Configured > administrative server limit exceeded." > > I've tried fixing

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
Comment inline. On Tue, 2018-02-13 at 16:58 +0100, Ray via FreeIPA-users wrote: > Hi Simo, > > > > Hi there, > > > > > > I'm trying to make Apache to access a kerberized document root on > > > CentOS > > > 7 using gssproxy. So far without success. On the web server machine > > > (=NFS client)

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users
Hi Simo, Hi there, I'm trying to make Apache to access a kerberized document root on CentOS 7 using gssproxy. So far without success. On the web server machine (=NFS client) I configured a gss-proxy config file: # cat /etc/gssproxy/99-nfs-client.conf [service/nfs-client] mechs = krb5

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
2018-02-13 22:59 GMT+08:00 Rob Crittenden : > Umarzuki Mochlis via FreeIPA-users wrote: >> it stuck with "status: SUBMITTING" when I issue command "ipa-getcert >> list" after I resubmit cert renew "get-cert resubmit -i ID" > > Which request is stuck? Can you provide the output

[Freeipa-users] Re: ipa-server-install --dirsrv-config-file example

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Alex M via FreeIPA-users wrote: > Martin, > > After some tests, I found that the value for > nsslapd-sasl-max-buffer-size is reset to the default (2097152) during > installation. Is it correct? > > ipa-server-install -d --dirsrv-config-file=update.ldif > > update.ldif > > dn: cn=config

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Rob Crittenden via FreeIPA-users
Umarzuki Mochlis via FreeIPA-users wrote: > it's stuck with "status: SUBMITTING" when I issue the command "ipa-getcert > list" after I resubmit the cert renewal with "getcert resubmit -i ID" Which request is stuck? Can you provide the output of ipa-getcert list -i ID? rob > > 2018-02-13 10:05 GMT+08:00 Fraser

[Freeipa-users] Re: Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Simo Sorce via FreeIPA-users
On Tue, 2018-02-13 at 15:35 +0100, Ray via FreeIPA-users wrote: > Hi there, > > I'm trying to make Apache to access a kerberized document root on CentOS > 7 using gssproxy. So far without success. On the web server machine > (=NFS client) I configured a gss-proxy config file: > > # cat

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I have another software in that role. Here it is - https://www.ispsystem.com/software/dnsmanager It's a frontend for managing zones, with pdns+mysql as the backend. So when I configure new hosts, these servers act as the authoritative DNS. No special configuring for the freeipa server, only ipa-server-install

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
Thank you, that will help. I don't want to have to go down that road but it's looking more and more like I will have to. On Tuesday, February 13, 2018 8:34 AM, Alexander Bokovoy via FreeIPA-users wrote: On Tue, 13 Feb 2018, Andrew Meyer via

[Freeipa-users] Apache HTTPD with kerberized NFS4 document root

2018-02-13 Thread Ray via FreeIPA-users
Hi there, I'm trying to make Apache to access a kerberized document root on CentOS 7 using gssproxy. So far without success. On the web server machine (=NFS client) I configured a gss-proxy config file: # cat /etc/gssproxy/99-nfs-client.conf [service/nfs-client] mechs = krb5 cred_store =

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Alexander Bokovoy via FreeIPA-users
On Tue, 13 Feb 2018, Andrew Meyer via FreeIPA-users wrote: Fish the entries? Can you elaborate on that a bit more? Since FreeIPA auto-builds txt records and what not for client machines... How did you do that? Or did you not utilize that? When you install an IPA master without integrated DNS

[Freeipa-users] Fixing limit on DNS searches

2018-02-13 Thread Bret Wortman via FreeIPA-users
I've run up against a limit I can't seem to adjust. When listing a particular DNS zone which has well over 5000 hosts in it, we keep getting "Search result has been truncated: Configured administrative server limit exceeded." I've tried fixing this in a number of ways. We've shut down the

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
What is your authoritative DNS?  MS AD?  Are you manually populating the records?  My boss wants to eliminate DNS from this equation because he thinks we will have to maintain another set of DNS servers.  If FreeIPA is only authoritative for its own zone and managing servers within the zone,

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
Sorry, missed words, I meant - such setup of freeipa without DNS completely. 2018-02-13 17:25 GMT+03:00 Andrew Radygin : > I'm running FreeIPA 4.5 server with several hundred hosts and dozens of > users. And it's perfectly fine, especially if you already have another >

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Radygin via FreeIPA-users
I'm running a FreeIPA 4.5 server with several hundred hosts and dozens of users. And it's perfectly fine, especially if you already have another instrument for managing DNS. I haven't experienced any problems from such a setup so far. 2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Andrew Meyer via FreeIPA-users
Fish the entries?  Can you elaborate on that a bit more? Since FreeIPA auto-builds txt records and what not for client machines...How did you do that? Or did you not utilize that? On Tuesday, February 13, 2018 2:58 AM, Alex Corcoles via FreeIPA-users

[Freeipa-users] Re: ipa-server-install --dirsrv-config-file example

2018-02-13 Thread Alex M via FreeIPA-users
Martin, After some tests, I found that the value for nsslapd-sasl-max-buffer-size is reset to the default (2097152) during installation. Is it correct? ipa-server-install -d --dirsrv-config-file=update.ldif update.ldif dn: cn=config changetype: modify replace: nsslapd-maxsasliosize

[Freeipa-users] Migration AD trust and group

2018-02-13 Thread Henrik Stigendal via FreeIPA-users
Hi, I am looking into migrating an existing deployment of LDAP with hundreds of users and hundreds of groups into an IPA solution with a trust against AD. All users currently exist with the same names in AD but the groups do not; one solution would be adding all those groups to AD with gidNumber

[Freeipa-users] Re: deploying freeipa

2018-02-13 Thread Alex Corcoles via FreeIPA-users
You can, but you need to add the DNS entries that FreeIPA adds to its domain to your DNS server. What I did was install FreeIPA in a test environment and fish the entries from there. On Tue, Feb 13, 2018 at 4:37 AM, Andrew Meyer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: >

[Freeipa-users] Re: wildcard ssl on free-ipa 3.1

2018-02-13 Thread Umarzuki Mochlis via FreeIPA-users
it's stuck with "status: SUBMITTING" when I issue the command "ipa-getcert list" after I resubmit the cert renewal with "getcert resubmit -i ID" 2018-02-13 10:05 GMT+08:00 Fraser Tweedale : > On Tue, Feb 13, 2018 at 08:53:10AM +0800, Umarzuki Mochlis via FreeIPA-users > wrote: >> Hi, >> >>