Re: [Freeipa-users] Default gid for AD trust users

2016-09-02 Thread Lukas Slebodnik
On (24/08/16 11:42), Orion Poplawski wrote:
>While that is definitely *a* convention, it's not the one we've used which
>puts users by default in shared groups (nwra, visitors, etc). For example:
>
>uid=2941(user) gid=1991(nwra)
>
The user "user" should be a member "nwra" group. If no then you

Re: [Freeipa-users] freeipa-4.4.1 on CentOS 7.x ?

2016-09-02 Thread Rob Crittenden
T.J. Yang wrote: Hi I was able to try out freeipa-4.4.1 on fedora 24 server by quick dnf enable at https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/ But for production, I am hoping to run 4.4.1 on CentOS 7 Where is the doc explaining on this howto for CentOS 7 ? It hasn't

[Freeipa-users] freeipa-4.4.1 on CentOS 7.x ?

2016-09-02 Thread T.J. Yang
Hi I was able to try out freeipa-4.4.1 on fedora 24 server by quick dnf enable at https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/ But for production, I am hoping to run 4.4.1 on CentOS 7 Where is the doc explaining on this howto for CentOS 7 ? tj -- T.J. Yang -- Manage your

[Freeipa-users] Question about ID views

2016-09-02 Thread Coy Hile
In looking at the ID Views functionality in FreeIPA, it looks like I can accomplish overrides (such as users’ shell in LDAP is /bin/bash, but on a certain subset of hosts, users get /some/restrictive/shell instead? (Use case #1: a bastion host or jump box where admins might want to validate

Re: [Freeipa-users] Default gid for AD trust users

2016-09-02 Thread Orion Poplawski
FWIW - I've filed https://fedorahosted.org/freeipa/ticket/6293 to request the ability to set the primary group for AD trust users. On 08/24/2016 11:42 AM, Orion Poplawski wrote: > While that is definitely *a* convention, it's not the one we've used which > puts users by default in shared groups

[Freeipa-users] General query regarding nameserver entry

2016-09-02 Thread Deepak Dimri
Hi All, My ipa-client-install fails until etc/resolve.conf gets updated with IPA nameserver entry. I want to avoid a task of updating resolve.conf in my automation script. Is there a way I can get my IPA client installation successful without updating resolve.conf? What options do I have?

Re: [Freeipa-users] Password change rights

2016-09-02 Thread Alexander Bokovoy
On Fri, 02 Sep 2016, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 02 Sep 2016, Mike Driscoll wrote: Hello. I want to script the new user creation process. I read in section 9.4 that "any user who has password change rights can change a password and no password policies are applied,

Re: [Freeipa-users] Password change rights

2016-09-02 Thread Rob Crittenden
Alexander Bokovoy wrote: On Fri, 02 Sep 2016, Mike Driscoll wrote: Hello. I want to script the new user creation process. I read in section 9.4 that "any user who has password change rights can change a password and no password policies are applied, but the other user must reset the password

Re: [Freeipa-users] Password change rights

2016-09-02 Thread Alexander Bokovoy
On Fri, 02 Sep 2016, Mike Driscoll wrote: Hello. I want to script the new user creation process. I read in section 9.4 that "any user who has password change rights can change a password and no password policies are applied, but the other user must reset the password at the next login.” I

[Freeipa-users] Password change rights

2016-09-02 Thread Mike Driscoll
Hello. I want to script the new user creation process. I read in section 9.4 that "any user who has password change rights can change a password and no password policies are applied, but the other user must reset the password at the next login.” I want to create an account with this limited

Re: [Freeipa-users] Replication scheme problem

2016-09-02 Thread Mark Reynolds
On 09/01/2016 06:13 AM, Andrey Rogovsky wrote:
> Hi!
> I have 2 servers - ldap1 is FreeIPA (master) and ldap2 is 389 DS (slave).
> One way replication ldap1 -> ldap2 is enabled but scheme is not
> replicated:
What version of 389-ds-base are you using?
rpm -qa | grep 389-ds-base
>
> Log file

Re: [Freeipa-users] openLDAP to FreeIPA user migration

2016-09-02 Thread William Muriithi
Morning Alexander, >>Failed user: >> aagrim: missing attribute "sn" required by object class >> "organizationalPerson" >> acctemp: missing attribute "sn" required by object class >>"organizationalPerson" >> ... > This looks like a common problem. I had recently made a small 'hack' to

Re: [Freeipa-users] openLDAP to FreeIPA user migration

2016-09-02 Thread Alexander Bokovoy
On Fri, 02 Sep 2016, Ernedin Zajko wrote: Hi Alexander, thank you for this - i think this should even work for missing some mandatory (gid) attributes... Yes, this fixup module can be used for anything to inject. regards, --- Ernedin ZAJKO eza...@root.ba

Re: [Freeipa-users] openLDAP to FreeIPA user migration

2016-09-02 Thread Ernedin Zajko
Hi Alexander, thank you for this - i think this should even work for missing some mandatory (gid) attributes... regards, --- Ernedin ZAJKO eza...@root.ba > 340282366920938463463374607431768211456 On Thu, Sep 1, 2016 at 9:26 PM, Alexander Bokovoy wrote: > On Thu, 01

Re: [Freeipa-users] Migrate users with password from one IPA to another

2016-09-02 Thread Rene Trippen
Hi, is it possible to transfer the Kerberos Master Key to the new IPA Server? - rene On 31.08.2016 10:57, Rene Trippen wrote: On 25.08.2016 19:44, Rob Crittenden wrote: Rene Trippen wrote: Hi, I`ve got an IPA with a broken CA infrastructure (don`t know what happened, but new clients cannot

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-09-02 Thread Jakub Hrozek
On Fri, Sep 02, 2016 at 09:27:57AM +0200, Lukas Slebodnik wrote: > On (26/08/16 07:54), Jakub Hrozek wrote: > >On Thu, Aug 25, 2016 at 10:41:53PM +0200, Lukas Slebodnik wrote: > >> On (25/08/16 11:30), Troels Hansen wrote: > >> >Hmm, adding the CentOS SSSD 1.14 copr repo and running yum upgrade, >

Re: [Freeipa-users] SUDO and group lookup in AD trust

2016-09-02 Thread Lukas Slebodnik
On (26/08/16 07:54), Jakub Hrozek wrote: >On Thu, Aug 25, 2016 at 10:41:53PM +0200, Lukas Slebodnik wrote: >> On (25/08/16 11:30), Troels Hansen wrote: >> >Hmm, adding the CentOS SSSD 1.14 copr repo and running yum upgrade, >> >getting a version 1.14.1, clean cache DB (complaing about cache being