I have another software in that role.
Here it is - https://www.ispsystem.com/software/dnsmanager
It's frontend for managing zones and pdns+mysql as backend.
So when I configuring new hosts, these servers play as authoritative dns.
No special configuring for freeipa server, only ipa-server-install w
Sorry, missed words, I meant - such setup of freeipa without DNS completely.
2018-02-13 17:25 GMT+03:00 Andrew Radygin :
> I'm running FreeIPA 4.5 server with several hundred hosts and dozens of
> users. And it's perfectly fine, especially if you already have another
> instrument for dns managing
I'm running FreeIPA 4.5 server with several hundred hosts and dozens of
users. And it's perfectly fine, especially if you already have another
instrument for dns managing.
I haven't experienced any problems from such setup so far.
2018-02-13 17:10 GMT+03:00 Andrew Meyer via FreeIPA-users <
freeipa
I think you should launch tcpdump on all specified ports and simultaneously
run ipa-client enroll.
2018-02-02 14:36 GMT+03:00 skrawczenko--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Checked TCP 80,443,389,88, 636,464 all open except tcp/7389 which is not
> used i suppose.
> As
Maybe firewall on client host?
I would look to allowed ports and traffic exchange.
2018-02-02 14:09 GMT+03:00 skrawczenko--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hundreds of clients have been joined earlier, never such an issue.
> What could have happened please advise?
>
Wow! It's a really important question.
I'm joining in on it. It's good to be able to know what's happening with
IPA-infra.
Especially - ssh/sudo working (in general at least, without being concerned
about HBAC+Policy groups).
2018-01-31 22:04 GMT+03:00 Alex Corcoles via FreeIPA-users <
freeipa-users@lists
Though you can completely rebuild preprod servers, still it would be
interesting how to reconnect prod servers with replicas again.
2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> ok, did a little googling, and seems like KRA refers to the "vault"
Hello,
You should provide more information - logs, errors, commands that you
execute. More information - more chance you'll get help here.
2018-01-26 10:50 GMT+03:00 barrykfl--- via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hi :
>
> when reboot the server the certomenger.service al
Hi Alex!
I've set up on Debian 8 ipa-client recently.
And here are my notes on this process, maybe they will be helpful.
1. Enable sid repo
2. Install freeipa-client and python-sss packages
3. Update python-six to 1.10+
4. Restart dbus service
5. ipa-client-install command
In the end - I've got co
This error isn't familiar to me, but I'd at least try to compile 4.5 to
exclude versioning issues.
And maybe you can find some hint from ansible role for manual freeipa
client installing from Lee Wiscovitch in "debian 8 freeipa-client" thread.
2018-01-05 23:42 GMT+03:00 Cody Rathgeber via Fr
o Aaltonen :
> On 04.01.2018 12:48, Andrew Radygin via FreeIPA-users wrote:
> > Flo,
> > I've checked certmonger dbus config - it's okay and identical to another
> > one working.
> > But after restarting dbus - certmonger configured and installed successfully.
}} dest=/etc/pam.d/{{ item }} owner=root group=root
> mode=0644
> with_items:
> - common-account
> - common-auth
> - common-password
> - common-session
>
> - name: ssh - add sshd_config
> copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root
Support of Cloudlinux replied - there is a different minor version of the ipa-client
package from Centos 7 main upstream, and it has a bug.
They promise to update the package in their repo during the nearest week.
Hello!
I'm trying to install ipa-client on Cloudlinux 7.4, and got following error:
[root@web01-cp ipaplatform]# ipa-client-install
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 22, in
from ipaclient.install import ipa_client_install
File
"/usr/lib/python2.7
I encountered this problem once more.
At this time I go further in debug and found out, that this problem may be
the result of conflict with existing local user, that belong to group,
described in sudoers file.
After complete deleting the local user - problem seems to be fixed.
2017-12-11 18:03 GM
Hello!
I have freeipa server 4.5 on Centos 7.
And want to enroll host on Debian 8 to domain.
I've found freeipa-client 4.4 in the sid repo, installing of it was almost
successful...
apt-get cannot complete configuring for certmonger, and I've got following
error:
==
# journalctl -u certmonger
So are you telling, your ds-389 isn't responding to simple ldapsearch for
instance, even if there is no huge amount of logins to hosts? Just from
refreshing cache on host clients? But if you don't have sssd (that does
kernel-caching of privileges), therefore all your clients every time doing
ldapse
Ahhh, never mind.
It seems that wrong time on that system broke sudo.
Can anybody explain this?
2017-12-11 15:50 GMT+03:00 Andrew Radygin :
> Hello!
>
> I've got interesting problem,
> I have very simple hbac and sudo rules, one hbac for admins group and the
> same sudo rule for the same user gro
Hello!
I've got interesting problem,
I have very simple hbac and sudo rules, one hbac for admins group and the
same sudo rule for the same user group - all members of this group could do
anything and everywhere.
I cannot do sudo on some of the machines, it just doesn't accept the password,
but initia
Is sssd caching of privileges working?
I mean, suppose if there is no reply from IPA-server, it should use local
cache for existing users.
2017-12-11 0:08 GMT+03:00 Aaron Hicks via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hello the list,
>
>
>
> We’ve got a number (hundreds)
It's really interesting question, I'd like to know it too.
2017-12-11 5:38 GMT+03:00 Anvar Kuchkartaev via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hello I would like to setup one way trust between 2 different freeipa
> structures which belongs to different companies. The structure
I see, thanks for the information.
2017-12-07 16:52 GMT+03:00 Alexander Bokovoy :
> On to, 07 joulu 2017, Rob Crittenden via FreeIPA-users wrote:
>
>> Andrew Radygin via FreeIPA-users wrote:
>>
>>> Anyone?
>>> Of course this kind R&D question, but anyway I
Harald,
Maybe in the ldap certificate container you already have the same
certificate you're trying to install, but it has another key or untrusted?
Then try to delete it via ldapdelete and certutil -d and then try again
install new one.
2017-12-07 17:20 GMT+03:00 Harald Dunkel via FreeIPA-users <
Anyone?
Of course this kind R&D question, but anyway I need to know.
2017-12-06 17:15 GMT+03:00 Andrew Radygin via FreeIPA-users <
freeipa-users@lists.fedorahosted.org>:
> Hello everybody,
>
> I want to know, is there possibility to change default ldap scheme, where
Hello everybody,
I want to know, is there possibility to change default ldap scheme, where user
and groups are storing.
For instance, I have:
cn=USER, cn=groups, cn=accounts, dc=domain,dc=net
cn=GROUP-OF-USERS, cn=groups, cn=accounts, dc=domain,dc=net
It seems to be too straightforward. Can I
er install comodo_inter2.crt
ipa-server-certinstall -w comodo_base.crt comodo.key comodo_ca.crt
systemctl restart httpd
Thank you, really-really thank you! :)
2017-12-01 11:40 GMT+03:00 Florence Blanc-Renaud :
> On 12/01/2017 09:29 AM, Andrew Radygin via FreeIPA-users wrote:
>
>> Does anybo
Does anybody have any clue about what I have to do with it? Florence?
Should I delete self-sign SSL from ipa-server CA completely?
As I understood - there is some conflict between new CA and old, am I right?
2017-11-30 14:33 GMT+03:00 Andrew Radygin via FreeIPA-users <
freeipa-us
> On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
>
> Hi,
>
> no need to start over with a different nickname if the certificates are
> already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
> server below cn=certificates,cn=ipa,cn=e
> On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote:
> Hi,
>
> the ca certs need to be added from the root to the one that issued the
> server cert:
> 1/ ipa-cacert-manage install root.crt + ipa-certupdate
> 2/ ipa-cacert-manage install inter1.crt + ipa-certu
I see, mechanism is clear for me.
I took my CA chain from
https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2
And my chain is following:
main cert
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO
RSA Domain Vali