On Fri, 27 May 2016, Ben .T.George wrote:
Hi
I ran some commands from AD side and the Trust status got changed. Below is
the command I used on AD
netdom trust /d: /verify
Before it was : "waiting for confirmation by remote side" and now it got
changed to "Trust type: Active Directory domain"
> With the “allow all” HBAC rule enabled, we have no trouble logging in to any
> machine via ssh. When we disable the “allow all” rule and make specific per-
> machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable
> results, primarily resulting in an inability to login via
On Thu, May 26, 2016 at 12:08:11PM +0200, Youenn PIOLET wrote:
> Hi there,
>
> For your information :
> I just realised today that the certificate signing using web interface was
> still broken.
>
> I've got 3 caIPAserviceCert.cfg files on my system :
>
> Locate caIPAserviceCert.cfg output
>
With the “allow all” HBAC rule enabled, we have no trouble logging in to any
machine via ssh. When we disable the “allow all” rule and make specific
per-machine rules (as per the idea of ‘host based’ in HBAC), we get
unpredictable results, primarily resulting in an inability to login via ssh.
Hi
I ran some commands from AD side and the Trust status got changed. Below is
the command I used on AD
netdom trust /d: /verify
Before it was : "waiting for confirmation by remote side" and now it got
changed to "Trust type: Active Directory domain"
But when I am trying to map AD group, it
Thanks! For the use case where IPA, and not AD, is the authoritative
source it's actually working out very well if we can solve this last
issue. With regard to the work in 4.4, from what I've read about it, I
am not 100% sure it will work. In this case the "alternate principal"
is a
Hi All
I have given share key and the status is like below.
[root@zkwipamstr01 ~]# ipa trust-add --type=ad "corp.example.com.kw"
--trust-secret
Shared secret for the trust:
Added Active Directory trust for realm "corp.example.com.kw"
On 26.05.2016 17:31, Zak Wolfinger wrote:
I’m following the instructions on how to migrate from FreeIPA version 3.0 to
4.3. Our 3.0 implementation does NOT have CA running. We want to enable CA
Server with 4.3.
Can we enable CA after the migration? Instructions to do so?
or
Can we
That looks good. I see you are using an external DNS source for the IPA domain, correct? You may need to do some additional steps on the FreeIPA server, because by default it will configure BIND and populate resource records for the IPA domain (for example, SRV records like
I was trying to do it on the same instance. I think I figured it out. PWM
uses port 8080 by default, but FreeIPA has an interface to the CA server on the
same port. Changed PWM to a different port and it works.
Thanks!
> On May 26, 2016, at 11:29 AM, Michael ORourke
Alexander,
I use both trust AND synchronization. Our IPA is authoritative. We add
the "ntUser" objectclass and related attributes and 389ds automatically
creates a corresponding AD account and password changes are likewise
propagated. This is necessary since FreeIPA can not act as a Global
Did you try installing PWM on a separate instance, or are you trying to install
it on the FreeIPA server? I don't recall any issues with pki-tomcat when I
setup PWM (older version), but I installed it on a VM that was joined to
FreeIPA.
-Mike
-Original Message-
>From: Zak Wolfinger
On Thu, 26 May 2016, John Meyers wrote:
All,
I have two-way trust established between IPA.DOMAIN.COM and
AD.DOMAIN.COM. The users are sync'ed via a replication agreement and
password sync so u...@ipa.domain.com is the same person as
u...@ad.domain.com.
Trust doesn't use synchronization. Your
All,
I have two-way trust established between IPA.DOMAIN.COM and
AD.DOMAIN.COM. The users are sync'ed via a replication agreement and
password sync so u...@ipa.domain.com is the same person as
u...@ad.domain.com.
With "KrbLocalUserMapping On" in the Apache config, everything works
great for
Hi,
me and Pavel Reichl were developing pam_hbac and today we tagged our first
release.
pam_hbac is a standalone PAM module for enforcing HBAC access control
defined on a FreeIPA server. It is meant as a solution for platforms
that do not ship with SSSD like Solaris or for setups where you
On 25/05/16 20:27, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 16:46, Rob Crittenden wrote:
lejeczek wrote:
On 25/05/16 14:19, Rob Crittenden wrote:
lejeczek wrote:
hi there,
I'm trying to set up a replica with: --setup-dns
--no-forwarders
--setup-ca
installer fails at:
barry...@gmail.com wrote:
externally signed CA - Godaddy Expired.
Already add new to db /etc/https/alias / -L and config nickname map in
/etc/http/config.d/nss.conf
Already Import to /etc/slapd/PKI-IPA ...where nickname I should point to?
Already change /etc/dirsrv/slapd-ABC-COM and nickname
lejeczek wrote:
hi everybody
I'm trying to set up a replica but process fails:
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
ipa.ipapython.install.cli.install_tool(Replica): ERROR A CA is
already configured on
Abhijeet Kasurde wrote:
Hi all,
I am able to reproduce this issue.
Here are some last messages of /var/log/httpd/error_log
[Thu May 26 17:13:36.269546 2016] [mpm_prefork:notice] [pid 17657]
AH00170: caught SIGWINCH, shutting down gracefully
[Thu May 26 17:14:42.196661 2016] [core:notice] [pid
Hi all,
I am able to reproduce this issue.
Here are some last messages of /var/log/httpd/error_log
[Thu May 26 17:13:36.269546 2016] [mpm_prefork:notice] [pid 17657]
AH00170: caught SIGWINCH, shutting down gracefully
[Thu May 26 17:14:42.196661 2016] [core:notice] [pid 23685] SELinux
policy
On 05/26/2016 12:12 PM, lejeczek wrote:
hi people
I've noticed that --uninstall leaves httpd unable to restart.
I think it's what was not cleaned up in /etc/httpd/alias
In logs I see:
[Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS initialization
failed. Certificate database:
hi everybody
I'm trying to set up a replica but process fails:
[37/38]: tuning directory server
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
ipa.ipapython.install.cli.install_tool(Replica): ERROR A
CA is already configured on this system.
hi people
I've noticed that --uninstall leaves httpd unable to restart.
I think it's what was not cleaned up in /etc/httpd/alias
In logs I see:
[Thu May 26 11:03:43.318091 2016] [:error] [pid 6930] NSS
initialization failed. Certificate database: /etc/httpd/alias.
[Thu May 26 11:03:43.318113
Hi there,
For your information :
I just realised today that the certificate signing using web interface was
still broken.
I've got 3 caIPAserviceCert.cfg files on my system :
Locate caIPAserviceCert.cfg output
1. New profile : /usr/share/ipa/profiles/caIPAserviceCert.cfg
2. Old broken profile
Hello Alander,
Thanks for the links, I hope it is possible for me to install it correctly?
The next question is, is it possible to integrate this in an owncloud
installation?
This is the Background, to create this webserver for owncloud and with users
from IPA?
A hard way. ;-)
Am
On 26.5.2016 08:01, Günther J. Niederwimmer wrote:
> Hello,
> I installed the DNS-Module for IPA Server (update to 4.3.1, info from the
> List)
>
> But now I have missing Entry in the Zone File (?) I have no signed "A" or
> "" Entries in the Zone File?
>
> My test for This Domain on
On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
Hello Alexander,
On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
>Hello,
>
>can anyone help to find the correct way to configure a Webserver with IPA.
>(mod_nss)
>
>I
Hello Alexander,
On Thursday, 26 May 2016, 09:41:38 CEST, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
> >Hello,
> >
> >can anyone help to find the correct way to configure a Webserver with IPA.
> >(mod_nss)
> >
> >I can't create a correct DB in /etc/httpd/alias
Hello David,
On Thursday, 26 May 2016, 08:09:17 CEST, David Kupka wrote:
> On 26/05/16 07:42, Günther J. Niederwimmer wrote:
> > Hello,
> >
> > can anyone help to find the correct way to configure a Webserver with IPA.
> > (mod_nss)
> >
> > I can't create a correct DB in /etc/httpd/alias
> >
On Thu, 26 May 2016, Günther J. Niederwimmer wrote:
Hello,
can anyone help to find the correct way to configure a Webserver with IPA.
(mod_nss)
I can't create a correct DB in /etc/httpd/alias
I search on the INet and read the install Log from ipa-server but it is for me
not possible to find a
On 26/05/16 07:42, Günther J. Niederwimmer wrote:
Hello,
can anyone help to find the correct way to configure a Webserver with IPA.
(mod_nss)
I can't create a correct DB in /etc/httpd/alias
I search on the INet and read the install Log from ipa-server but it is for me
not possible to find a
Hello,
I installed the DNS-Module for IPA Server (update to 4.3.1, info from the
List)
But now I have missing Entry in the Zone File (?) I have no signed "A" or
"" Entries in the Zone File?
My test for This Domain on "http://dnsviz.net
I Have entry for /MX, /SOA, /TXT, /NS, but I miss /A,
32 matches