[Freeipa-users] Advice for the best way to achieve AD Caching?

2016-05-04 Thread David LeVene
Hey All, I'm looking for a bit of direction around the best way to configure/set up an on-site cache &/or replica from an AD Server which will be uni-directional (AD -> IPA/slapd). The masters are multiple AD Servers located around the place, and we exist in a place which is outside of the core

Re: [Freeipa-users] Dogtag migration to FreeIPA

2016-05-04 Thread Fraser Tweedale
On Wed, May 04, 2016 at 06:51:20PM -0700, Ha T. Lam wrote: > Hi, > > We have an in-house CA system managed by a stand-alone Dogtag system, we > would like to integrate it with our FreeIPA system which is already in use > and is set up with the company LDAP. I'm new to FreeIPA and I have some >

Re: [Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread Fraser Tweedale
On Wed, May 04, 2016 at 08:45:19PM +0800, barry...@gmail.com wrote: > Hi all: > > I got master 1 have ca and server 2 replicating. Now master 1 > fail all lost. > > Can I skip it, just make server 3 replicated slave or must > recover master 1. > I take it `Server 2' was installed without

[Freeipa-users] Dogtag migration to FreeIPA

2016-05-04 Thread Ha T. Lam
Hi, We have an in-house CA system managed by a stand-alone Dogtag system, we would like to integrate it with our FreeIPA system which is already in use and is set up with the company LDAP. I'm new to FreeIPA and I have some questions about this process: 1. Is it possible to add our current Dogtag

[Freeipa-users] Get Creation Time / Last Login Time for Users

2016-05-04 Thread Jeff Hallyburton
Hello, We're looking for a way to get last login time and creation time for users configured in FreeIPA. This information doesn't seem to be in the WebUI and ipa user-status only provides limited information (last failed/successful logins in seconds since epoch). Is there a supported way to get

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hi, I avoided the slow filling group by using the AD-Group with spaces (was a tad more challenging for scripting). But here are the releases (some of them): ipa 4.2 and sssd 1.13 ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 sssd-common-1.13.0-40.el7_2.2.x86_64 sssd-client-1.13.0-40.el7_2.2.x86_64

Re: [Freeipa-users] service cert to a host/member/service

2016-05-04 Thread Rob Crittenden
lejeczek wrote: hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host (which is domain member)? I understand certificates issued with: $ ipa cert-request -add --principal are stored in

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 05:00:50PM +0200, Rob Verduijn wrote: > to make sure I did the following on the ipa host > > systemctl stop sssd.service > rm -f /var/lib/sss/db/* > systemctl start sssd.service > > now there is no cheating from cache > getent passwd u...@ad-domain.com works and gives

[Freeipa-users] service cert to a host/member/service

2016-05-04 Thread lejeczek
hi users, as one follows official docs and issues a certificate for a service/host, one wonders what is the correct way to move such a certificate to a host (which is domain member)? I understand certificates issued with: $ ipa cert-request -add --principal are stored in ldap backend, (yet I

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
to make sure I did the following on the ipa host: systemctl stop sssd.service rm -f /var/lib/sss/db/* systemctl start sssd.service now there is no cheating from cache. getent passwd u...@ad-domain.com works and gives userid; id u...@ad-domain.com works fine and shows all groups the user is a member of

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Anthony Cheng
On Wed, May 4, 2016 at 9:07 AM, Rob Crittenden wrote: > Anthony Cheng wrote: >> >> Small update, I found an article on the RH solution library >> (https://access.redhat.com/solutions/2020223) that has the same error >> code that I am getting and I followed the steps with

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:20:19PM +0200, Rob Verduijn wrote: > This goes especially for ad groups that are nested in ipa_groups > > ie : > microsoft group is defined as an external group, > and that external group is member of an ipa group > and that ipa group takes forever. > > Regards > Rob

Re: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:16:38PM +0200, Martin Kosek wrote: > On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > > Hi, > > > > I am running a freeipa server 4.2.x. > > > > I have the following password global password policy set to force a history > > of 3 > > > > ipa pwpolicy-mod

Re: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset

2016-05-04 Thread Simo Sorce
On Wed, 2016-05-04 at 16:16 +0200, Martin Kosek wrote: > On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > > Hi, > > > > I am running a freeipa server 4.2.x. > > > > I have the following password global password policy set to force a history > > of 3 > > > > ipa pwpolicy-mod global_policy

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Jakub Hrozek
On Wed, May 04, 2016 at 04:23:00PM +0200, Martin Kosek wrote: > On 05/04/2016 09:23 AM, Jakub Hrozek wrote: > > On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: > >> On (03/05/16 15:09), Alexandre de Verteuil wrote: > >>> Hello all, > >>> > >>> I've deployed FreeIPA in my home lab

Re: [Freeipa-users] sudorule

2016-05-04 Thread Martin Kosek
On 05/04/2016 03:41 PM, Armstrong, Jeffrey wrote: > Hi > > I'm trying to add a sudo command to a sudo rule. It's executing the > command but it's not adding the sudo command. > > ipa sudorule-add-allow-command --sudocmds "/bin/su " bkrc_rule > >Rule name: bkrc_rule > >

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Martin Kosek
On 05/04/2016 09:23 AM, Jakub Hrozek wrote: > On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: >> On (03/05/16 15:09), Alexandre de Verteuil wrote: >>> Hello all, >>> >>> I've deployed FreeIPA in my home lab and I'm happy to have single >>> sign-on for all my Archlinux virtual

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread Martin Kosek
On 05/04/2016 01:31 PM, barry...@gmail.com wrote: > You meant it fails to start if updating the minor version only? > > On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" > wrote: > > On (04/05/16 13:17), barry...@gmail.com wrote: >

Re: [Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
This goes especially for ad groups that are nested in ipa_groups ie : microsoft group is defined as an external group, and that external group is member of an ipa group and that ipa group takes forever. Regards Rob Verduijn 2016-05-04 16:10 GMT+02:00 Rob Verduijn : >

Re: [Freeipa-users] freeipa password policy ( history ) getting reset with password reset

2016-05-04 Thread Martin Kosek
On 05/03/2016 08:20 AM, Rakesh Rajasekharan wrote: > Hi, > > I am running a freeipa server 4.2.x. > > I have the following password global password policy set to force a history > of 3 > > ipa pwpolicy-mod global_policy --history=3 --maxlife=90 --minlength=8 > --maxfail=3 --failinterval=300 >

[Freeipa-users] get freeipa to update ad users and groups more often

2016-05-04 Thread Rob Verduijn
Hello, I'm using a trust to microsoft active directory to allow users access to linux servers. But when a user is added it takes a very long time for ipa to register this. And even more time for the ipa clients since they have to wait for the ipa servers. Since I hate to tell the users to wait

[Freeipa-users] sudorule

2016-05-04 Thread Armstrong, Jeffrey
Hi, I'm trying to add a sudo command to a sudo rule. It's executing the command but it's not adding the sudo command. ipa sudorule-add-allow-command --sudocmds "/bin/su " bkrc_rule Rule name: bkrc_rule Enabled: TRUE - Number of members added 0 Thanks

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-04 Thread Rob Crittenden
Hosakote Nagesh, Pawan wrote: Our apps are running in a docker image based on Ubuntu 14.04 that cannot be changed to redhat. We want to install freeipa-client within this docker so that our app uses freeipa ldap as against default ldap. The freeipa-client gets successfully installed in Ubuntu

Re: [Freeipa-users] ca-error: Error setting up ccache for local "host" service using default keytab: Clock skew too great.

2016-05-04 Thread Rob Crittenden
Anthony Cheng wrote: Small update, I found an article on the RH solution library (https://access.redhat.com/solutions/2020223) that has the same error code that I am getting and I followed the steps with certutil to update the cert attributes but it is still not working. The article is listed

[Freeipa-users] OTP token policies.

2016-05-04 Thread Peter Bisroev
Dear Developers, Firstly, thank you for a fantastic product. I have a few questions relating to OTP that I could not find the answers to in the Red Hat IdM manual, http://www.freeipa.org/page/V4/OTP document, and on both user and devel mailing lists. Hopefully I have not missed anything obvious

[Freeipa-users] Lost master 1 with CA service

2016-05-04 Thread barrykfl
Hi all: I got master 1 have ca and server 2 replicating. Now master 1 fail all lost. Can I skip it, just make server 3 replicated slave or must recover master 1. Regards -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

Re: [Freeipa-users] Inplace upgrade

2016-05-04 Thread barrykfl
You meant it fails to start if updating the minor version only? On 4 May 2016 at 7:25 PM, "Lukas Slebodnik" wrote: > On (04/05/16 13:17), barry...@gmail.com wrote: > >Can I specify a minor version? > Yes you can > > yum update ipa-server-3.0.0-37.el6.x86_64 > > However, it can fail if this version

[Freeipa-users] Fail to Start up the server

2016-05-04 Thread barrykfl
Hi: Before, the server could start up if I disabled nsslapd-security in dse.ldif. But now after I updated the minor version from -3.0.0-26 to ipa-server-3.0.0-47.el6.centos.2.x86_64, it does not allow me to start, any idea? I think it is not related to an ssl cert issue. [04/May/2016:17:32:52 +0800] - SSL alert:

Re: [Freeipa-users] Free IPA Client in Docker

2016-05-04 Thread Lukas Slebodnik
On (03/05/16 21:27), Hosakote Nagesh, Pawan wrote: >Our apps are running in a docker image based on Ubuntu 14.04 that cannot be >changed to redhat. We want to install freeipa-client within this docker so >that our app >uses freeipa ldap as against default ldap. > and that's the reason why you

Re: [Freeipa-users] How do I create single sudo group for both Centos and Ubuntu?

2016-05-04 Thread Przemysław Orzechowski
Hi, The problem was unclear for me with ubuntu and although in theory everything should work it did not, so (checked a few things that came to mind like kerberos sssd logs pam and figured out some problem with pam sssd integration so i went with the simplest solution (reinstall freeipa-client

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Martin Basti
On 04.05.2016 09:23, Jakub Hrozek wrote: On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: On (03/05/16 15:09), Alexandre de Verteuil wrote: Hello all, I've deployed FreeIPA in my home lab and I'm happy to have single sign-on for all my Archlinux virtual machines and Fedora

Re: [Freeipa-users] Who uses FreeIPA?

2016-05-04 Thread Jakub Hrozek
On Tue, May 03, 2016 at 11:31:02PM +0200, Lukas Slebodnik wrote: > On (03/05/16 15:09), Alexandre de Verteuil wrote: > >Hello all, > > > >I've deployed FreeIPA in my home lab and I'm happy to have single > >sign-on for all my Archlinux virtual machines and Fedora laptops :) > > > >It took me lots