Hi,
Sorry, my fault, there was a FW rule in between.
Thanks for the heads up.
Matt
2014-08-07 14:53 GMT+02:00 Petr Spacek pspa...@redhat.com:
On 5.8.2014 11:24, Matt . wrote:
Hi,
I got this solved but the replica doesn't do its forwards on the
zones it needs to forward for, the master
Trying to upgrade from FreeIPA 3.0 running on CentOS 6 to 3.3 on CentOS
7 using migration. I seem to have run into some certificate problems and
the replica installation halts half-way through. We have a simple
CA-structure, where FreeIPA has been installed as a sub-ca directly
under ca root ca.
Hello everyone,
I'm running through an issue where an application needs its server's hostname
to be in short name format, such as server and not server.example.com. When
I started deploying FreeIPA in the very beginning of this year, I remember I
couldn't install freeipa-client with a bare
On Fri, 08 Aug 2014, Bruno Henrique Barbosa wrote:
Hello everyone,
I'm running through an issue where an application needs its server's
hostname to be in short name format, such as server and not
server.example.com. When I started deploying FreeIPA in the very
beginning of this year, I remember
Kerberos is dependent on A records in dns. The instance (as in
principal/instance@REALM) should match the A record in dns.
There is absolutely no Kerberos dependency on hostnames being fully
qualified. I have all my devices named with short names and I have no
issues with Kerberos ticketing.
Correction, it's primary/instance@REALM
On Aug 8, 2014 10:57 AM, brendan kearney bpk...@gmail.com wrote:
Kerberos is dependent on A records in dns. The instance (as in
principal/instance@REALM) should match the A record in dns.
There is absolutely no Kerberos dependency on hostnames being
On 08/08/2014 08:57 AM, brendan kearney wrote:
Kerberos is dependent on A records in dns. The instance (as in
principal/instance@REALM) should match the A record in dns.
There is absolutely no Kerberos dependency on hostnames being fully
qualified. I have all my devices named with short
Aren't all of those lookups done in dns? Wouldn't that mean hostnames being
fqdns is irrelevant?
On Aug 8, 2014 12:11 PM, Rich Megginson rmegg...@redhat.com wrote:
On 08/08/2014 08:57 AM, brendan kearney wrote:
Kerberos is dependent on A records in dns. The instance (as in
On 08/08/2014 10:56 AM, brendan kearney wrote:
Aren't all of those lookups done in dns?
Yes.
Wouldn't that mean hostnames being fqdns is irrelevant?
Not sure what you mean.
I guess if you issued your server certs with a subject DN of
cn=hostname, instead of cn=hostname.domain.tld, and
The cert should have the fqdn, just like the kerberos instance, but the
hostname is not required to be fq'd. The lookup of a short name, as well
as and more specifically the IP, in dns will result in the fqdn being
returned by dns (the short name resolution being affected by domain and
search
On 08/08/2014 11:17 AM, brendan kearney wrote:
The cert should have the fqdn, just like the kerberos instance, but
the hostname is not required to be fq'd. The lookup of a short name,
as well as and more specifically the IP, in dns will result in the
fqdn being returned by dns (the short
Double check your example. -h means the hostname of the ldap server to
connect to and issue your query to. Man page calls it ldaphost.
I have not run across a client that does cert validation using ldap. Is
that IPA specific?
It seems that a lot of effort is being spent to justify a
On 08/08/2014 12:21 PM, brendan kearney wrote:
Double check your example. -h means the hostname of the ldap server
to connect to and issue your query to. Man page calls it ldaphost.
Yes.
I have not run across a client that does cert validation using ldap.
Is that IPA specific?
I'm
Maybe I am reading too far into rfc 1178, but I hardly think making
hostnames required to be fqdns is in anybody's interest. It is not a
requirement now in any other technology anywhere, so what is the impetus to
push it? I don't see any value in it
On Aug 8, 2014 2:37 PM, Rich Megginson
On 08/08/2014 01:16 PM, brendan kearney wrote:
Maybe I am reading too far into rfc 1178,
http://tools.ietf.org/html/rfc1178
This memo provides information for the Internet
community. It does not specify any standard.
I guess the upshot is - if you think that FreeIPA is being too
Hello,
On 8.8.2014 21:16, brendan kearney wrote:
Maybe I am reading too far into rfc 1178, but I hardly think making
hostnames required to be fqdns is in anybody's interest. It is not a
requirement now in any other technology anywhere, so what is the impetus to
push it? I don't see any value in
Assume that FQDN is constructed as static hostname.domainname from
DHCP or via reverse DNS lookup. What happens if the machine (laptop)
moves from one network to another? What if the machine has multiple
interfaces?
As a result, any change in FQDN will break your Kerberos setup.
The
Hi everyone,
I know this is such a rich debate, and I mean no offense to you guys, but can
you focus on answering my main question about FreeIPA and why can't I install/use
it without FQDN and/or even after install it with FQDN, will I have trouble
going back to the short name?
Thank you and
On 07/20/2014 06:37 PM, Rob Crittenden wrote:
sergey ivanov wrote:
Dear IPA developers, I'd like to describe what we are doing and ask
about existing ways to do it easier, or if there are no such ways - to
propose creating some tools to ease such way of migration.
We are preparing for migration
On 07/21/2014 04:10 AM, Alexander Bokovoy wrote:
On Mon, 21 Jul 2014, Petr Spacek wrote:
On 21.7.2014 09:30, Alexander Bokovoy wrote:
On Mon, 21 Jul 2014, Andreas Ladanyi wrote:
Hello,
I want to migrate an existing MIT Kerberos Realm to IPA and want to
setup a
cross realm trust
Let me elaborate. We haven't had time to work on this but it would be
really valuable if you could experiment with it a little bit.
Simo, Alexander, could you propose some dirty tricks to try?
The thread mentioned above has all needed information already.
Should we turn it into a HOWTO
On 07/22/2014 11:04 AM, KodaK wrote:
For various reasons, I need to move a lot of my IPA clients to a
different subnet.
I'd like to automate this as much as possible. My initial thought is
to use a combination
of puppet and ipa commands, but I wanted to see if anyone had any
advice.
On Thu, 2014-08-07 at 17:49 +0200, Luca Tartarini wrote:
Hi,
thanks for the reply, with Cherrypy 3.2.2 it works. Unfortunately now when
I try to login with 'admin' account ('admin' user created previously during
the installation of ipa-server) I can't see the Administration tab.
Basically
On 08/08/2014 02:35 PM, Simo Sorce wrote:
On Fri, 2014-08-08 at 10:09 -0600, Rich Megginson wrote:
On 08/08/2014 08:57 AM, brendan kearney wrote:
Kerberos is dependent on A records in dns. The instance (as in
principal/instance@REALM) should match the A record in dns.
There is absolutely no
On Fri, 2014-08-08 at 17:03 -0300, Bruno Henrique Barbosa wrote:
Hi everyone,
I know this is such a rich debate, and I mean no offense to you guys,
but can you focus on answering my main question about FreeIPA and why
can't I install/use it without FQDN and/or even after install it with
FQDN,
On Fri, 2014-08-08 at 15:16 -0400, brendan kearney wrote:
Maybe I am reading too far into rfc 1178, but I hardly think making
hostnames required to be fqdns is in anybody's interest. It is not a
requirement now in any other technology anywhere, so what is the impetus to
push it? I don't see
On Fri, 2014-08-08 at 14:39 -0600, Rich Megginson wrote:
On 08/08/2014 02:35 PM, Simo Sorce wrote:
On Fri, 2014-08-08 at 10:09 -0600, Rich Megginson wrote:
On 08/08/2014 08:57 AM, brendan kearney wrote:
Kerberos is dependent on A records in dns. The instance (as in
On 8.8.2014 22:16, Dmitri Pal wrote:
On 07/22/2014 11:04 AM, KodaK wrote:
For various reasons, I need to move a lot of my IPA clients to a different
subnet.
I'd like to automate this as much as possible. My initial thought is to use
a combination
of puppet and ipa commands, but I wanted to
28 matches