[Freeipa-users] ipa topology re-initialize

2017-08-10 Thread grace rante thompson via FreeIPA-users
> I'm having problems with replication on my two-node ipa cluster (left-right,
> right-left) so I tried to re-initialize my replica.
>
> [root@idm02 ~]# ipa topologysegment-find domain
>
> -

[Freeipa-users] Re: password reset privileges

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Tiemen Ruiten wrote:
> Hello,
>
> Sorry for the late reply. This is the latest FreeIPA version in CentOS
> 7.3 (4.4.0-14).
>
> Indeed the helpdesk role should be sufficient. I tried with the User
> Administrator role as well, but that made no difference. Since it's
> working for you, it's

[Freeipa-users] Re: FreeIPA and postfix issue.

2017-08-10 Thread Christian Glombek via FreeIPA-users
I can only second that. Official FreeIPA plugins for Postfix and Dovecot would be immensely helpful. Someone made a plugin that adds mailAlternateAddress to the schema and UI, which is somewhat related to this issue: https://github.com/pdf/freeipa-user-mailalternateaddress

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 07 Aug 2017, Sameer Gurung via FreeIPA-users wrote:
Hi All, I have a network consisting of both Windows and Linux clients, running Windows Server 2008 (Active Directory) and CentOS 7 (FreeIPA). Obviously, the Windows clients authenticate against the *AD DC* *(domain windows.foo)* and the

[Freeipa-users] Re: IPA <-> Samba AD trust issue

2017-08-10 Thread Alexander Bokovoy via FreeIPA-users
On Mon, 07 Aug 2017, Yuri Moens via FreeIPA-users wrote:
The previous error_log I attached was already created with log level = 100. I've tried to run the command again and attached the log file again, but it seems to be pretty much the same. I see in the logs that it fails at the verification

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-10 Thread Scott Stevson via FreeIPA-users
Yeah, I was referring to the instructions in https://www.freeipa.org/page/Certmonger#Manually_renew_a_certificate which discuss manual renewal of a certificate, which is interesting to us since all the nodes in the IPA cluster on prod have the same cert that's expiring on Tuesday. For what

[Freeipa-users] Re: Unable to login with AD users

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Aug 2017, at 20:15, Eddleman, David via FreeIPA-users wrote:
>
> > This probably means the user can't be resolved at all, so the authentication
> > process doesn't even make it to the PAM phase. Does 'getent passwd
> > user@domainfqdn' work?
>

[Freeipa-users] Re: Unable to login with AD users

2017-08-10 Thread Eddleman, David via FreeIPA-users
> This probably means the user can't be resolved at all, so the authentication
> process doesn't even make it to the PAM phase. Does 'getent passwd
> user@domainfqdn' work?

Returns nothing.

> Are you testing on the IDM server itself or on one of the clients? I would
> suggest to make the IDM server

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-10 Thread Rob Crittenden via FreeIPA-users
Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
>
> You may recall earlier when I said that we wound up pulling an expired cert
> on one of our staging IPA replicas after updating the xmlrpc_server variable
> to point to a different host. It's not clear to us how best to fix that cert
>

[Freeipa-users] Re: howto replace an externally signed CA

2017-08-10 Thread Florence Blanc-Renaud via FreeIPA-users
On 08/10/2017 04:47 PM, Harald Dunkel wrote:
Hi folks,
On Wed, 2 Aug 2017 16:24:00 +0200 Florence Blanc-Renaud wrote:
Hi,
You can follow the steps described here:

[Freeipa-users] FreeIPA client offline with sudo

2017-08-10 Thread Matthew Carter via FreeIPA-users
The client machines on my network from time to time get brought to another network and plugged in to test programs that are being developed. In the past this hasn't been an issue, as it's usually a short stay and thus the Kerberos key is cached and doesn't expire. Recently I have had a user

[Freeipa-users] Re: Correcting errors in the CA master certificate

2017-08-10 Thread Scott Stevson via FreeIPA-users
Hey Rob,
You may recall earlier when I said that we wound up pulling an expired cert on one of our staging IPA replicas after updating the xmlrpc_server variable to point to a different host. It's not clear to us how best to fix that cert (although I suppose we could roll back time on the

[Freeipa-users] FIPA 2FA OTP+PASSWORD

2017-08-10 Thread saidireddy ranabothu via FreeIPA-users
Hello all, I have enabled password+OTP authentication for a user and am able to sync tokens and SSH. While SSHing to a server using FIPA credentials, it asks for authentication in two steps, as First Factor and Second Factor. But I just want to give it in a single line as the password. Can anyone suggest how to

[Freeipa-users] Re: expired certificates - pki-tomcat not running

2017-08-10 Thread Michael Gusek via FreeIPA-users
Hello, the following steps work in my cloned test scenario:
cp /var/log/pki/server/upgrade/10.2.2/1/oldfiles/var/lib/pki/pki-tomcat/conf/Catalina/localhost/ca.xml /etc/pki/pki-tomcat/Catalina/localhost/ca.xml
rsync -a

[Freeipa-users] Re: Failed Upgrade?

2017-08-10 Thread thierry bordaz via FreeIPA-users
On 08/09/2017 09:30 PM, Ian Harding via FreeIPA-users wrote:
On 8/9/17 3:05 AM, thierry bordaz wrote:
Hi Ian,
Thanks for having gathered those data.
#
# So pkidbuser entries have the same (old) userCertificate, likely generated during install
# But only freeipa-sea has a new

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu
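The sssd debug lines quoted above have a fixed shape (timestamp, component, logging function, debug-level mask, message), and the same numeric code 14 appears twice with two different bracketed texts: once with the Kerberos error message and once rendered as an errno string ("Bad address" is what strerror(14) returns). The parser below, an added example that is not part of the thread or of sssd itself, splits such lines into fields and reports only the TGT failure line that carries the Kerberos text, so the reason is not misread from the errno rendering. The sample input is constructed from the two lines in the message plus one non-matching line; the function names and field names are the example's own.

```python
"""Parse sssd debug log lines and extract TGT-acquisition failures.

Added example. The line format is the one sssd writes; the sample lines
below are constructed from the excerpt quoted in the message.
"""
import re
from datetime import datetime
from typing import Iterable, Optional

# One sssd debug line looks like:
#   (Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) "               # timestamp in parentheses
    r"\[sssd\[(?P<component>.+?)\]\] "   # e.g. be[ipa.corp.example.com]
    r"\[(?P<func>[^\]]+)\] "             # function that logged the line
    r"\((?P<level>0x[0-9a-fA-F]+)\): "   # debug level bitmask
    r"(?P<msg>.*)$"
)
# Backend component carries the sssd domain name: be[<domain>]
_BACKEND = re.compile(r"^be\[(?P<domain>[^\]]+)\]$")
# Both failure messages seen in the excerpt:
#   "Child responded: 14 [Client not found in Kerberos database], expired on [0]"
#   "Could not get TGT: 14 [Bad address]"
_TGT_FAIL = re.compile(
    r"^(?P<what>Child responded|Could not get TGT): (?P<code>\d+) \[(?P<text>[^\]]*)\]"
)


def parse_sssd_line(line: str) -> Optional[dict]:
    """Return the fields of one sssd debug line, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    b = _BACKEND.match(rec["component"])
    rec["domain"] = b.group("domain") if b else None
    return rec


def find_tgt_failures(lines: Iterable[str]) -> list:
    """Collect TGT failures, keeping the line that carries the Kerberos text.

    The krb5 child reports the code with the Kerberos error message
    ("Child responded: 14 [Client not found in Kerberos database]"); the
    follow-up "Could not get TGT: 14 [Bad address]" renders the same number
    as an errno string (strerror(14) is "Bad address"), which is misleading,
    so that line is deliberately skipped here.
    """
    out = []
    for line in lines:
        rec = parse_sssd_line(line)
        if rec is None:
            continue
        f = _TGT_FAIL.match(rec["msg"])
        if f and f.group("what") == "Child responded":
            out.append({
                "ts": rec["ts"],
                "domain": rec["domain"],
                "func": rec["func"],
                "code": int(f.group("code")),
                "reason": f.group("text"),
            })
    return out


# Constructed sample: the two lines quoted in the message plus one non-sssd line.
SAMPLE_LOG = """\
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
not an sssd line
"""

if __name__ == "__main__":
    for failure in find_tgt_failures(SAMPLE_LOG.splitlines()):
        print(f"{failure['ts']:%Y-%m-%d %H:%M:%S} domain={failure['domain']} "
              f"code={failure['code']} reason={failure['reason']!r}")
```

Run it against `/var/log/sssd/sssd_<domain>.log` (with `debug_level` high enough to include the 0x0400 lines) to get one record per failed TGT attempt with the Kerberos reason rather than the errno text.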

[Freeipa-users] Re: Issue with FreeIPA and Kerberized NFSv4 Client on Ubuntu 16.04LTS

2017-08-10 Thread Kees Bakker via FreeIPA-users
I ran into that problem too [1]. The only way I got it to work was to place the credential cache in /tmp. Like so:
$ KRB5CCNAME=/tmp/krb5cc_keesb kinit
I think the file name does not matter, but I'm not quite sure.
[1] https://www.redhat.com/archives/freeipa-users/2017-March/msg00049.html

[Freeipa-users] Issue with FreeIPA and Kerberized NFSv4 Client on Ubuntu 16.04LTS

2017-08-10 Thread Robert Sturrock via FreeIPA-users
I'm not sure if my problem is with IPA or Kerberized NFSv4, but I'm hoping the list may be able to help. I'm trying to get a Kerberized NFSv4 client going on an Ubuntu 16.04LTS system that's enrolled to IPA with an AD trust. I can mount the filesystem successfully with:
mount -o sec=krb5 -t