On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> I think the thing that frustrates the most is that id u...@domain.com is
> returning correct data on both but they can't login and I can't even
> show that this is the case because now they can login. Difficult to
> reproduce :/
I think the thing that frustrates the most is that id u...@domain.com is
returning correct data on both but they can't login and I can't even
show that this is the case because now they can login. Difficult to
reproduce :/
--
The most dangerous phrase in the language is, "We've always done
Ok, the bad news is that it didn't last. We are still having the same
problem - HBAC is rejecting users because not all jobs are being discovered
on the host.
I turned the debug_level up to 10 as requested, but to be honest, it's
impossible to find anything in the logs because it's so verbose - su
Sumit,
I have set the names of all the Domain Controllers to be resolvable to the IP
of the one reachable Domain Controller in /etc/hosts
/etc/hosts:Reachable_IP_BOX 172.10.10.1DC1
172.10.10.1DC2 172.10.10.1..
However, I still see the fo
On 07/18/2016 06:12 AM, Petr Spacek wrote:
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
Would a DNS view (bind) work?
http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
Also, depending on what you are using for NAT, some devices will mangle the
reply payload of A record looku
On Mon, 2016-07-18 at 11:42 -0400, Rob Crittenden wrote:
> That I'm not sure. Kai might know.
Since there were several open questions, we discussed that on IRC.
To summarize here: if you want to install a CA that should be trusted by all
applications on a system, you probably shouldn't install in
Hi all,
Did any ipa/sssd developer have a chance to take a look at this issue?
Updating to the latest version available for CentOS 7 didn't fix it:
ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64
ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64
ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64
sssd-ipa-1.1
*Update: my webserver and LDAP certificates were expired at 2016-07-18
15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
*Could you please help us? *
[root@caer tmp]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20111214223243':
status: CA_
Yes, PKI is running and I don't see any errors in selftests, I have
followed https://access.redhat.com/solutions/643753 and restarted the PKI
in step 10.
The only change which I made was to clean up userCertificate;binary before
adding new userCertificate in LDAP, which is step 12.
[root@caer ~]# /e
Sumit Bose wrote:
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that up
On 07/18/2016 05:45 AM, Linov Suresh wrote:
> Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA and
> certmonger. Looks like certificates were renewed. But I'm getting a different
> error now,
>
> *ca-error: Internal error: no response to
> "http://caer.teloip.net:9180/ca/ee/c
On 07/18/2016 03:57 PM, Rob Crittenden wrote:
> Grant Wu wrote:
>> Thanks for the information. Do you know if there are any plans to
>> support cross-realm trust with general KDCs?
>
> https://fedorahosted.org/freeipa/ticket/4867
>
> rob
In general, IPA contains krb5 component which can be in t
On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > > On (16/07/16 10:19), Martin Štefany wrote:
> > > > >
> > > > > Hello Sumit,
Grant Wu wrote:
Thanks for the information. Do you know if there are any plans to
support cross-realm trust with general KDCs?
https://fedorahosted.org/freeipa/ticket/4867
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-user
Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
logs, but same proble
On Mon, Jul 18, 2016 at 01:36:30PM +, Sullivan, Daniel [AAA] wrote:
> > Are also users that are not part of this group misbehaving?
>
> Not that I am aware of. I’ll get you a real answer though. Are there any
> known workarounds to the @ problem used to transform group names (i.e. a more
>
> Are also users that are not part of this group misbehaving?
Not that I am aware of. I’ll get you a real answer though. Are there any
known workarounds to the @ problem used to transform group names (i.e. a more
robust ‘override_space’ option)? I looked at the doc briefly but can’t find
anyt
On Mon, Jul 18, 2016 at 11:56:24AM +, Sullivan, Daniel [AAA] wrote:
> Hi, Jakub,
>
> In line with your performance tuning document referenced prior in this
> thread, I’ve actually already implemented the three configuration changes
> you specified (prior to identifying this issue). Right now
Hi, Jakub,
In line with your performance tuning document referenced prior in this thread,
I’ve actually already implemented the three configuration changes you specified
(prior to identifying this issue). Right now I am focusing on the use case
documented below, because as of right now I am un
I logged into my IPA master, and found that the cert had expired again, we
renewed these certificates about 18 months ago.
Our environment is CentOS 6.4 and IPA 3.0.0-26.
I followed the Redhat documentation, How do I manually renew Identity
Management (IPA) certificates after they have expi
Thanks for the information. Do you know if there are any plans to support
cross-realm trust with general KDCs?
On 18.7.2016 03:25, Sullivan, Daniel [AAA] wrote:
> Would a DNS view (bind) work?
>
> http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm
>
> Also, depending on what you are using for NAT, some devices will mangle the
> reply payload of A record lookups as they traverse NAT to avoid h
On 7/18/2016 9:50 AM, Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:
Hello Sumit,
seems that upgrade to F24 broke things again. This time no AVCs, empty SS
On Mon, Jul 18, 2016 at 09:33:35AM +1000, Lachlan Musicman wrote:
> Ok, I've just spoken with my colleague that has been involved in the IPA
> roll out, and he said he thought that override_space wasn't compatible with
> ID overrides?
I haven't tested that to be honest. But just using my knowledge
On Sun, Jul 17, 2016 at 10:00:28PM +0100, Peter Pakos wrote:
> On 17 July 2016 at 09:03, Alexander Bokovoy wrote:
>
> > Your sssd configuration does not mention what DN is used to bind to the
> > LDAP server to retrieve the data. This means you are using anonymous
> > bind. Since FreeIPA 4.0 ther
On Fri, Jul 15, 2016 at 04:35:54PM +, Sullivan, Daniel [AAA] wrote:
>
> Jakub,
>
> Thank you for replying to me. Before I forget I will say that I am still on
> sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had
> any problems logging into that system yet. That
On Mon, Jul 18, 2016 at 09:17:06AM +1000, Lachlan Musicman wrote:
> Previously we did have the default_domain_suffix set, but we had to unset
> it. I can't remember why we had to - something to do with
> ownership/permissions and our filesystem (IBM v7000) not playing nice iirc.
> We really wanted
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > On (16/07/16 10:19), Martin Štefany wrote:
> > >
> > > Hello Sumit,
> > >
> > > seems that upgrade to F24 broke things again. This time no AVCs, empty
> > > SSSD
> > > l
28 matches