Re: [Freeipa-users] IPA Client will authenticate users

2017-01-19 Thread Sumit Bose
On Thu, Jan 19, 2017 at 04:33:59PM -0600, Michael Rainey (Contractor) wrote: > Hello everyone, > > I have come across a problem which you might find interesting. With all of > the systems I have running, there is one system which refuses to > authenticate any user who needs to login. I have

Re: [Freeipa-users] manually apply patches from upstream

2017-01-19 Thread David Kupka
On 20/01/17 06:23, Jeff Clay wrote: I’m using Centos 7 and have installed 4.4.0-14, however I’m using Google Cloud and needing some updates that have already been made upstream at https://fedorahosted.org/freeipa/ticket/5814 I have downloaded

Re: [Freeipa-users] manually apply patches from upstream

2017-01-19 Thread Alexander Bokovoy
On Thu, 19 Jan 2017, Jeff Clay wrote: I’m using Centos 7 and have installed 4.4.0-14, however I’m using Google Cloud and needing some updates that have already been made upstream at https://fedorahosted.org/freeipa/ticket/5814 I have downloaded

[Freeipa-users] manually apply patches from upstream

2017-01-19 Thread Jeff Clay
I’m using Centos 7 and have installed 4.4.0-14, however I’m using Google Cloud and needing some updates that have already been made upstream at https://fedorahosted.org/freeipa/ticket/5814 I have downloaded the diffs from the 3 commits to the

[Freeipa-users] performance scaling of sssd / freeipa

2017-01-19 Thread Sullivan, Daniel [CRI]
Hi, I’ve received incredibly good support from this mailing list previously; I am hoping that somebody can help me succeed in my ongoing efforts. I have spent a few days on this at this point and I can’t seem to figure out how to address this issue. On my DCs I am seeing excessive

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-19 Thread Robbie Harwood
Rakesh Rajasekharan writes: >> Great, glad it's fixed! Are these VMs? If not, you may wish to >> (re?)configure automatic syncing. > > yes these are AWS instances. How do I reconfigure auto syncing. Is > there a documentation I can follow. During install of the

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-19 Thread Steve Huston
Even more interesting... I tried to modify one of the records that was not displaying properly in the "active users" group, and sure enough the webui complained that the "Requested By" (relabeled "manager") field was not filled in since it was blank. It also, however, complained that the "User

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-19 Thread Alexander Bokovoy
On Thu, 19 Jan 2017, Steve Huston wrote: On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy wrote: In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client side plugins into different paths (ipaserver/plugins and ipaclient/plugins instead of being common in

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-19 Thread Steve Huston
On Thu, Jan 19, 2017 at 11:16 AM, Alexander Bokovoy wrote: > In short, FreeIPA 4.2 -> 4.4 change was by splitting server and client > side plugins into different paths (ipaserver/plugins and > ipaclient/plugins instead of being common in ipalib/plugins). The client > code was

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-19 Thread Alexander Bokovoy
Steve, On Thu, 19 Jan 2017, Steve Huston wrote: I'm running a RHEL derivative (Springdale Linux) and discovered that between 7.2 and 7.3 there were quite a few changes, one of which was the version of FreeIPA installed. Fortunately my server is still in the testing phase, and I hadn't

Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Alexander Bokovoy
On Thu, 19 Jan 2017, Bret Wortman wrote: It seems all our certs being signed by the FreeIPA CA are given 2 year expirations. We'd like to increase that to 5 years. I've added "-v 60" to our certutil commands generating the CSRs, but the CA is still only issuing 24 month certs. What do I

Re: [Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Bret Wortman
I'm generating CSRs like this: # certutil -R -d $DB -a -g 2048 -v 60 -s "CN=${HOST},O=DAMASCUSGRP.COM" -8 ${SHORTHOST},${HOST} Then pasting this into the web interface of our IPA instance under "Actions->New Certificate" on the host's page. I then use Actions->View Certificate and see

[Freeipa-users] Backend & UI plugin update for 4.4.x

2017-01-19 Thread Steve Huston
I'm running a RHEL derivative (Springdale Linux) and discovered that between 7.2 and 7.3 there were quite a few changes, one of which was the version of FreeIPA installed. Fortunately my server is still in the testing phase, and I hadn't finished things for deployment yet. I discovered that

[Freeipa-users] Signing certs with longer lifetimes (FreeIPA CA)

2017-01-19 Thread Bret Wortman
It seems all our certs being signed by the FreeIPA CA are given 2 year expirations. We'd like to increase that to 5 years. I've added "-v 60" to our certutil commands generating the CSRs, but the CA is still only issuing 24 month certs. What do I need to change to issue certs with longer

Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]

2017-01-19 Thread Harald Dunkel
Now I get this: [root@ipa1 ~]# kinit admin kinit: Generic error (see e-text) while getting initial credentials -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-19 Thread Alexander Bokovoy
On Thu, 19 Jan 2017, Sandor Juhasz wrote: I think ipa permission-mod "System: Read Groups" --includedattrs=mail --includedattrs=displayname solved my issue. Yep, that's one solution. -- / Alexander Bokovoy

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-19 Thread Sandor Juhasz
I think ipa permission-mod "System: Read Groups" --includedattrs=mail --includedattrs=displayname solved my issue. Sándor Juhász System Administrator ChemAxon Ltd . Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031 Cell: +36704258964 From: "Sandor Juhasz"

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-19 Thread Sandor Juhasz
Most probably I don't. At least I have never created one, neither did this http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf refer anything like that. How do I do it? Sándor Juhász System Administrator ChemAxon Ltd . Building Hx, GraphiSoft Park, Záhony utca 7, Budapest,

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-19 Thread Alexander Bokovoy
On Thu, 19 Jan 2017, Sandor Juhasz wrote: One more issue. Service user cannot see the new attribute. It does see the objectclass. ldif: dn: cn=schema changetype: modify add: objectclasses objectclasses: ( 1.3.6.1.4.1.49232.1.1 NAME 'groupMail' SUP top STRUCTURAL MAY ( mail $ displayname )

Re: [Freeipa-users] modify schema - add group email and display attribute

2017-01-19 Thread Sandor Juhasz
One more issue. Service user cannot see the new attribute. It does see the objectclass. ldif: dn: cn=schema changetype: modify add: objectclasses objectclasses: ( 1.3.6.1.4.1.49232.1.1 NAME 'groupMail' SUP top STRUCTURAL MAY ( mail $ displayname ) X-ORIGIN 'Extending FreeIPA' )

Re: [Freeipa-users] Lookups Failing With AD Forwarder (and DNSSEC)

2017-01-19 Thread Martin Basti
On 18.01.2017 20:52, Jason B. Nance wrote: I have a pair of FreeIPA 4.4.0 servers setup whose forwarders are each set to an Active Directory domain controller. When a client attempts to lookup any DNS record other than those to which FreeIPA is authoritative the client reports NXDOMAIN and