Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Alexander Bokovoy
On Wed, 03 Aug 2016, Jake wrote: Hello All, I'm new to FreeIPA and am having some issues with my endpoints. First attempts to login as usern...@legacy.example.org always fail with: Logs on client: sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123 sshd[3771]:

Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Jake
Thanks Jakub, turns out 'getent password usern...@legacy.example.org' only works on 1 of the 4 ipa servers (the one I created the domain trust with). I re-ran ipa-adtrust-install on them and no change, is there a similar post I can follow to correct these & retrace my steps or does the trust

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings! >> 2. Active Directory must never know anything about a DNS domain >> freeipa.company.com (I'm not sure why) > Correct because if that happened then AD considers the whole subdomain as > part of its realm and trust routing will not work. Doesn't that mean that we have to have the

Re: [Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Jakub Hrozek
> On 3 Aug 2016, at 20:14, Jake wrote: > > Hello All, > I'm new to FreeIPA and am having some issues with my endpoints. > > First attempts to login as usern...@legacy.example.org always fail with: > Logs on client: > sshd[3771]: Invalid user usern...@legacy.example.org

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
On Wed, 2016-08-03 at 13:52 -0500, Alston, David wrote: > Greetings! > > That sounds like great news! Just to make sure I understand correctly.. > > 1. Any server managed by FreeIPA must NEVER have had a computer object > associated with them in AD? (even if it has now been deleted) No,

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings! That sounds like great news! Just to make sure I understand correctly.. 1. Any server managed by FreeIPA must NEVER have had a computer object associated with them in AD? (even if it has now been deleted) 2. Active Directory must never know anything about a DNS domain

Re: [Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Simo Sorce
On Wed, 2016-08-03 at 13:24 -0500, Alston, David wrote: > Greetings! > > Everyone seems to say that you can't have a domain trust across two > Kerberos realms (FreeIPA and Active Directory) if the hosts share the same > DNS domain. > > Hadoop seems to do this just fine, though. I'm

Re: [Freeipa-users] Third Party Certificate

2016-08-03 Thread Ian Harding
On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote: > On 08/02/2016 03:17 PM, Ian Harding wrote: >> Hello! >> >> I have been using FreeIPA for a while in our network with 6 replicas and >> it's been working great. I seem to have made a wee mistake though and >> I'd appreciate some help. >> >>

[Freeipa-users] FreeIPA and AD trusts on the same DNS domain

2016-08-03 Thread Alston, David
Greetings! Everyone seems to say that you can't have a domain trust across two Kerberos realms (FreeIPA and Active Directory) if the hosts share the same DNS domain. Hadoop seems to do this just fine, though. I'm in the process of helping someone set up a trust between the Kerberos

[Freeipa-users] Login Troubles with Centos7 and external users (4.2.0-15.0.1.el7.centos.17)

2016-08-03 Thread Jake
Hello All, I'm new to FreeIPA and am having some issues with my endpoints. First attempts to login as usern...@legacy.example.org always fail with: Logs on client: sshd[3771]: Invalid user usern...@legacy.example.org from 192.168.1.123 sshd[3771]: input_userauth_request: invalid user

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Simo Sorce
On Wed, 2016-08-03 at 13:03 -0500, Brad Cesarone wrote: > Does it just need the objectclass? Does it care if there are any > values assigned to the attributes underneath the posixaccount object > class? The posixAccount, as per schema, requires: - cn - uid - uidNumber - gidNumber - homeDirectory

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
On 03.08.2016 20:03, Brad Cesarone wrote: Does it just need the objectclass? Does it care if there are any values assigned to the attributes underneath the posixaccount object class? All must attributes are required. objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard

Re: [Freeipa-users] Replicating users/groups from AD

2016-08-03 Thread Alston, David
Greetings! I understand now that attempts to replicate user accounts from AD into FreeIPA aren't going to be getting any updates any time soon because the library being used to sync is basically defunct. I'll start a new thread with my question about FreeIPA Kerberos realm trusting

[Freeipa-users] Deleted Replica Problems

2016-08-03 Thread Ian Harding
I deleted a replica that had a corrupted ldap database and it caused some problems. I'm now getting the dreaded [root@edinburghnfs ianh]# ipa-replica-manage connect freeipa-sea.bpt.rocks Connection unsuccessful: freeipa-sea.bpt.rocks is an IPA Server, but it might be unknown, foreign or

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Brad Cesarone
Does it just need the objectclass? Does it care if there are any values assigned to the attributes underneath the posixaccount object class? -Martin Basti wrote: - To: Brad Cesarone From: Martin Basti Date:

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
On 03.08.2016 19:58, Brad Cesarone wrote: Hi Martin, I've been playing with adding objectclasses to the non-posix user. I have so far added inetuser, ipaobject, ipasshuser. He started with top, person, organizationalPerson, inetOrgPerson and two custom classes. You need this 'posixaccount'

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Brad Cesarone
Hi Martin, I've been playing with adding objectclasses to the non-posix user. I have so far added inetuser, ipaobject, ipasshuser. He started with top, person, organizationalPerson, inetOrgPerson and two custom classes. Nothing came up in /var/log/dirsrv/slapd-*/access when running the search

Re: [Freeipa-users] Declarative configuration options?

2016-08-03 Thread Martin Basti
On 01.08.2016 22:50, Mike LoSapio wrote: Hi there, Is there anyone out there with a good system for storing users, groups, hosts, etc.. in some sort of version controlled repo w/ flat files that could plug into "two-man" workflows for user-account creation and privilege/group membership

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-03 Thread Richard Harmonson
On Wed, Aug 3, 2016 at 12:49 AM, Florence Blanc-Renaud wrote: > On 08/02/2016 04:52 AM, Richard Harmonson wrote: > >> On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik > > wrote: >> >> On 07/31/2016 07:45 AM, Richard Harmonson

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Rob Crittenden
Martin Basti wrote: On 03.08.2016 18:38, Brad Cesarone wrote: Hello All, I'm trying to figure out how the webUI populates the user page. I have a mix of posix users and non-posix users. The non-posix users were added using an LDIF and imported fine. I am able to view them using ipa user-show,

Re: [Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Martin Basti
On 03.08.2016 18:38, Brad Cesarone wrote: Hello All, I'm trying to figure out how the webUI populates the user page. I have a mix of posix users and non-posix users. The non-posix users were added using an LDIF and imported fine. I am able to view them using ipa user-show, ldapsearch, and if

[Freeipa-users] IPAv3.0 WebUI User Population

2016-08-03 Thread Brad Cesarone
Hello All, I'm trying to figure out how the webUI populates the user page. I have a mix of posix users and non-posix users. The non-posix users were added using an LDIF and imported fine. I am able to view them using ipa user-show, ldapsearch, and if I navigate to them using the user details

Re: [Freeipa-users] RPM Update fails on some replicas in ipa-server-upgrade

2016-08-03 Thread Patrick Hurrelmann
On 20.07.2016 17:09, Patrick Hurrelmann wrote: > Hi all, > > today I updated all of our IPA servers (CentOS 7.2) with some minor RPM > updates, but one of the replicas failed with: > > RemoteRetrieveError: Gettext('Failed to authenticate to CA REST API', > domain='ipa', localedir=None) > > Log

Re: [Freeipa-users] How to delete a managed group

2016-08-03 Thread Rob Crittenden
Bob Hinton wrote: On 03/08/2016 07:15, Petr Spacek wrote: On 3.8.2016 00:58, Bob Hinton wrote: Hi, Something went wrong when trying to restore some preserved users so I deleted them and then tried to recreate them. This failed with - ipa: ERROR: Unable to create private group. A group

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-03 Thread Florence Blanc-Renaud
On 08/02/2016 04:52 AM, Richard Harmonson wrote: On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik > wrote: On 07/31/2016 07:45 AM, Richard Harmonson wrote: > I'm having challenges resuming ipa-server-install --external-ca. I am reasonably

Re: [Freeipa-users] How to delete a managed group

2016-08-03 Thread Bob Hinton
On 03/08/2016 07:15, Petr Spacek wrote: > On 3.8.2016 00:58, Bob Hinton wrote: >> Hi, >> >> Something went wrong when trying to restore some preserved users so I >> deleted them and then tried to recreate them. This failed with - >> >> ipa: ERROR: Unable to create private group. A group 'X'

Re: [Freeipa-users] How to delete a managed group

2016-08-03 Thread Petr Spacek
On 3.8.2016 00:58, Bob Hinton wrote: > Hi, > > Something went wrong when trying to restore some preserved users so I > deleted them and then tried to recreate them. This failed with - > > ipa: ERROR: Unable to create private group. A group 'X' already exists. > > Trying to delete this