[Freeipa-users] Replica setup options

2017-12-14 Thread Gordon Messmer via FreeIPA-users
I've set up a replica in an IPA domain, and was surprised that it did not have DNS configured the same way that the first IPA server does.  Of the following options that I specified on the first install, which do I need to provide to a replica in order to get identical functionality, and where

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users
On 12/11/2017 01:46 PM, Aaron Hicks via FreeIPA-users wrote: When the hosts behind the NAT process a job, it starts a burst of activity and initiates a large number of LDAP connections (multiple connections per host, about a hundred hosts) That seems like a relatively small number of

[Freeipa-users] Re: FreeIPA connection limits?

2017-12-11 Thread Gordon Messmer via FreeIPA-users
On 12/10/2017 01:08 PM, Aaron Hicks via FreeIPA-users wrote: We’ve got a number (hundreds) of hosts inside a private network, these all query the FreeIPA server for user and group information using NAT and a gateway server. However we’re having issues with the LDAP queries timing out or

[Freeipa-users] Re: Accessing KRB5 NFS from local system accounts

2017-12-01 Thread Gordon Messmer via FreeIPA-users
On 12/01/2017 09:52 AM, Simo Sorce via FreeIPA-users wrote: gssproxy does not use libidmapd because it is not thread safe (among other issues); it is also not needed, because you can control mapping in auth_to_local in krb5.conf and that place is the correct place to deal with identity mapping

[Freeipa-users] Accessing KRB5 NFS from local system accounts

2017-11-30 Thread Gordon Messmer via FreeIPA-users
I'm troubleshooting a problem: A local system account (daemon) needs to access a file on an NFS4 filesystem with sec=krb5.  My understanding is that only processes which have a Kerberos ticket are able to access files on such a filesystem, and that seems to be the case on the system I'm

[Freeipa-users] Re: mysql and freeipa

2017-11-01 Thread Gordon Messmer via FreeIPA-users
On 11/01/2017 09:46 AM, Robbie Harwood wrote: None of that is particularly relevant unless you're specifically supporting MSCHAPv2 authentication. ... which you shouldn't do because it's broken: https://www.schneier.com/blog/archives/2012/08/breaking_micros.html ...and also not supported by

[Freeipa-users] Re: mysql and freeipa

2017-10-31 Thread Gordon Messmer via FreeIPA-users
On 10/31/2017 03:44 PM, Andrew Meyer via FreeIPA-users wrote: I've been following this website: FreeIPA: Giving permissions to service accounts. — Firstyear's blog-a-log None of that is

[Freeipa-users] Re: LDAP connection issue - ipa replica fails at replication task

2017-10-28 Thread Gordon Messmer via FreeIPA-users
On 10/27/2017 06:41 PM, Bhavin Vaidya via FreeIPA-users wrote: ldapsearch from a client works, on the same host on which we are trying to create the replica (ran ipa-client to test and then uninstalled). [root@ds04 certs]# ldapsearch -x -v -H ldaps://ds01.example.com -s base -b '' namingContexts -d 1 ...

[Freeipa-users] Re: Samba utilizing FreeIPA as Auth

2017-10-10 Thread Gordon Messmer via FreeIPA-users
On 10/04/2017 05:43 AM, Patrick No via FreeIPA-users wrote: /etc/samba/smb.conf: security = ads I'm working on Samba integration, as well.  I think you might need to use "security = USER".

[Freeipa-users] Re: server setup in existing DNS zone

2017-09-21 Thread Gordon Messmer via FreeIPA-users
That's embarrassing. I noticed --allow-zone-overlap right after I sent that. I swear I looked for an option beforehand. Sorry for the noise.

[Freeipa-users] server setup in existing DNS zone

2017-09-21 Thread Gordon Messmer via FreeIPA-users
I'd like to set up a new FreeIPA instance with DNS, and I'd like to use a zone that already exists. My intention is to configure the ipa server, then delete the existing DNS zone and point NS records for that zone toward the ipa server. ipa-server-install fails when the domain given by --domain