Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-18 Thread Simo Sorce
On Thu, 2016-11-17 at 15:53 -0500, William Muriithi wrote: > Afternoon. > > I just noticed that I used inappropriate way of setting up my hosts > files and I am planning to make a fix. I am however worried this may > break Kerberos. Should this change be of concern and have anyone made > the

[Freeipa-users] FreeIPA 3 to FreeIPA 4 migration and Kerberos realm is a forwarded zone

2016-11-18 Thread Michael Plemmons
Hello, My existing FreeIPA 3.0 (CentOS 6) setup is as follows: Kerberos Realm: test.com I have several DNS zones test.com dev.test.com stage.test.com qa.test.com prod.test.com mgmt.test.com ipa01.mgmt.test.com - FreeIPA 3.0 Master ipa02.mgmt.test.com - FreeIPA 3.0 Replica The FreeIPA servers

[Freeipa-users] Is there an simple way to add in sudo time window options in FreeIPA?

2016-11-18 Thread Robert Kleinberg
Would like to establish valid sudo usage windows with sudonotbefore and sudonotafter options. However, I did not see an easy way to set this up other than via an sudo options text entry line. Is there another menu-driven way that shows a schedule of allowed times? Bob Kleinberg Lead System

[Freeipa-users] LDAP bind permitted for expired passwords

2016-11-18 Thread Brian Candler
Looking at FreeIPA 4.2 under CentOS 7: I find that LDAP simple binds succeed even for DNs whose krbPasswordExpiration time has passed. Is this fixed, or is it possible to change this? The reason I ask is because some applications use LDAP bind as a password validation oracle: for example, if

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote: > What do you mean with backup database? > > Updating again the mod_nss RPM, Apache doesn't start ... so, this is the > problem. You said "and restoring the original /etc/httpd/alias/ folder". Original from what, where did that come from? So merely updating mod_nss breaks

Re: [Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Got it working, after uninstalling and reinstalling the replica. Not sure why it did not work at the first place... On Fri, Nov 18, 2016 at 7:15 PM, deepak dimri wrote: > Hello All, > > I have IPA Master deployed in AWS US West region and replica in US East > region.

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Rob Crittenden
Morgan Marodin wrote: > It works! > Thanks for your support. > > Anyway, I will try to update again mod_nss package! :D Glad it's working for you. I'm curious what the backup database was for. Did you create that? rob > Bye! > > > 2016-11-18 15:21 GMT+01:00 Morgan Marodin

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
It works! Thanks for your support. Anyway, I will try to update again mod_nss package! :D Bye! 2016-11-18 15:21 GMT+01:00 Morgan Marodin : > A little good news. > > Downgrading the *mod_nss* RPM package, and restoring the original > */etc/httpd/alias* folder,

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
A little good news. Downgrading the *mod_nss* RPM package, and restoring the original */etc/httpd/alias* folder, *ipa-server-upgrade* procedure has finished well: *# ipa-server-upgrade Upgrading IPA: [1/10]:

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Baird, Josh
Martin, Yes, this is the exact scenario. My lab started with a RHEL 7.2 master/replica with 'domain level' set to 0. I raised the 'domain level' to 1, and now I'm trying to introduce a new replica into the environment. I will check on 'nsds5replicabinddn' and report back. Thanks, Josh

[Freeipa-users] Getting "Your session has expired. Please re-login." when trying to access IPA Replica

2016-11-18 Thread deepak dimri
Hello All, I have IPA Master deployed in AWS US West region and replica in US East region. The replication installation went successfully however when I am trying to access the replication web UI (after making proxypass changes etc..) I am getting Error. I have ProxyPassReverseCookieDomain set

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-18 Thread Sumit Bose
On Fri, Nov 18, 2016 at 12:09:41PM +0100, rajat gupta wrote:
> Hi,
>
> I removed the pam_winbind module. User are able to login now. But some time
> they are not. Below are logs when user are not able to login. Also SSH

see comment at the end of the email.

> login is very slow for AD user.

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
I've tried to add it to a new test folder, with a new certificate nickname, and then to replace it to *nss.conf*. But the problem persists: *# certutil -V -u V -d /etc/httpd/test -n ipa01cert certutil: certificate is valid* *# tail -f /var/log/httpd/error_log* *[Fri Nov 18

Re: [Freeipa-users] Freeipa-users Digest, Vol 100, Issue 48

2016-11-18 Thread rajat gupta
Hi, I removed the pam_winbind module. User are able to login now. But some time they are not. Below are logs when user are not able to login. Also SSH login is very slow for AD user. I am using sssd 1.4 = rpm -qa | grep sssd sssd-krb5-common-1.14.0-43.el7.x86_64

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread thierry bordaz
On 11/18/2016 09:16 AM, Martin Babinsky wrote: On 11/17/2016 03:51 PM, Baird, Josh wrote: Hi all, In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, and I seem to be hitting something similar to #5412 [1]. The 'ipa-replica-install' is getting stuck on: [4/26]:

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Florence Blanc-Renaud
On 11/18/2016 10:04 AM, Morgan Marodin wrote: Hi Florence. I've tried to configure the wrong certificate in nss.conf (/ipaCert/), and with this Apache started. So I think the problem is in the /Server-Cert/ stored in //etc/httpd/alias/, even if all manual checks are ok. These are logs with the

Re: [Freeipa-users] My IPA installation doesn't work after upgrade

2016-11-18 Thread Morgan Marodin
Hi Florence. I've tried to configure the wrong certificate in nss.conf (*ipaCert*), and with this Apache started. So I think the problem is in the *Server-Cert* stored in */etc/httpd/alias*, even if all manual checks are ok. These are logs with the wrong certificate test: *# tail -f

Re: [Freeipa-users] IPA 4.4 replica installation failing

2016-11-18 Thread Martin Babinsky
On 11/17/2016 03:51 PM, Baird, Josh wrote: Hi all, In my IPA 4.4 lab (RHEL 7.3), I'm trying to install/configure a new replica, and I seem to be hitting something similar to #5412 [1]. The 'ipa-replica-install' is getting stuck on: [4/26]: creating installation admin user Dirsrv error