> Andy, you can install FreeIPA as a sub-CA of your offline root.
> Support for creating sub-CAs *within* FreeIPA, under the "main"
> FreeIPA CA (which in your case is a sub-CA of your offline root), is not yet
> available but I am working on that. But if you only need one CA as a sub-CA
> of an
> >
> >If I can get an exclusion for the sub-CA bits, can that be added at a
> >later time and just run with a root CA for now? Can it perform all of
> >the needs of an org CA outside of an IPA environment?
> Not through the IPA interfaces but standard Dogtag is there, with its (albeit
> a
> bit
Is freeipa in RHEL7.2 able to be used as an organizational CA these days? I
have a requirement to set one up and like the IPA interface and tools, but
can't sort out the current state in 4.2 to decipher whether this is possible,
or even reasonable to try. I need to set up an org sub CA with an
> On 02/23/2016 05:10 PM, Andy Thompson wrote:
> >>>> On 02/23/2016 03:02 PM, Andy Thompson wrote:
> >>>>> Came across one of my replicas this morning with the following in
> >>>>> the error log
> >>>>>
> >>>>
> >> On 02/23/2016 03:02 PM, Andy Thompson wrote:
> >>> Came across one of my replicas this morning with the following in
> >>> the error log
> >>>
> >>> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> On 02/23/2016 03:02 PM, Andy Thompson wrote:
> > Came across one of my replicas this morning with the following in the
> > error log
> >
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:3
> -Original Message-
> From: Baird, Josh [mailto:jba...@follett.com]
> Sent: Tuesday, February 2, 2016 9:13 AM
> To: Andy Thompson <andy.thomp...@e-tcc.com>; freeipa-
> us...@redhat.com
> Subject: RE: freeipa client in DMZ
>
> I believe the sssd clients wil
Are ports required to be open for a freeipa client in a DMZ to the AD DCs for
trusted users to login? I've got everything open to the IPA servers required
and can lookup users and sudo rules and such but trusted users are not able to
login.
Thanks
-andy
update - ns-slapd
> hanging
> >> system
> >>
> >>On 2.12.2015 22:02, Alexander Bokovoy wrote:
> >>
> >>On Wed, 02 Dec 2015, Andy Thompson wrote:
> >>
> >>Since updatin
apd hanging system
>
> On 12/03/2015 08:33 AM, Andy Thompson wrote:
>
>
>
>
>
> -Original Message-
> From: freeipa-users-boun...@redhat.com <mailto:freeipa-
> users-boun...@redhat.com> [mailto:freeipa-users-
>
apd hanging system
>
> On 2.12.2015 22:02, Alexander Bokovoy wrote:
> > On Wed, 02 Dec 2015, Andy Thompson wrote:
> >> Since updating to RHEL 7.2 I've got issues with ns-slapd hanging the
> >> system up after a period of time. The directory becomes unresponsive
> >&g
What does everyone do for backup/restore of their IPA infrastructure? I've
read over the backup and restore on freeipa.org just want some real world
application out there.
Right now all of our backups are done at the SAN level. We snap the SAN
aggregate containing the VMs and have those
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Hoffmaster, John
> Sent: Monday, October 12, 2015 3:46 PM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Free IPA to Microsoft AD 2008R2 trust question
>
>
> On 09/30/2015 09:04 PM, Andy Thompson wrote:
> >> On Wed, Sep 30, 2015 at 12:17:22PM +, Andy Thompson wrote:
> >>>> On 09/21/2015 10:42 PM, Andy Thompson wrote:
> >>>>>> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
>
> On Wed, Sep 30, 2015 at 12:17:22PM +0000, Andy Thompson wrote:
> > > On 09/21/2015 10:42 PM, Andy Thompson wrote:
> > > >> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > > >>>> -Original Message-
> >
> On 09/21/2015 10:42 PM, Andy Thompson wrote:
> >> On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> >>>> -Original Message-
> >>>> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> >>>> Sent: Monday, September 2
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Pavel Reichl
> Sent: Thursday, September 24, 2015 5:18 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>
> Hello Andy,
>
>
> On Wed, Sep 23, 2015 at 06:03:45PM +, Andy Thompson wrote:
> > On one of my servers I'm getting
> >
> > Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session):
> > session opened for user user by (uid=0) Sep 23 13:35:07 mdhixuatisamw03
> sshd[8
> -Original Message-
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Thursday, September 24, 2015 1:17 AM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA server failover
>
> On W
Ok it will take me a while to get my test environment setup to match what I
have in prod currently and I can do some testing at that point in time.
-andy
From: Pavel Reichl <prei...@redhat.com>
Sent: Thursday, September 24, 2015 9:43 AM
To: Andy Th
> On 24.9.2015 15:29, Alexander Bokovoy wrote:
> > On Thu, 24 Sep 2015, Andy Thompson wrote:
> >>> -Original Message-
> >>> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> >>> Sent: Thursday, September 24, 2015 1:17 AM
> >>>
On one of my servers I'm getting
Sep 23 13:35:07 mdhixuatisamw03 sshd[8136]: pam_unix(sshd:session): session
opened for user user by (uid=0)
Sep 23 13:35:07 mdhixuatisamw03 sshd[8164]: pam_sss(sshd:setcred): Request to
sssd failed. Public socket has wrong ownership or permissions.
I've got all of my environments set up with two IPA servers. I'm fighting
intermittent problems with krb5kdc crashing on them in all of my environments
and I've opened a ticket with Redhat on that. What I can't figure out though
is why the clients will not fail over to the second functioning
>
> On Thu, Sep 17, 2015 at 11:42:54AM +, Andy Thompson wrote:
> > I've narrowed it down a bit doing some testing. The sudo rules work when
> I remove the user group restriction from them. My sudo rules all have my ad
> groups in the rule
> >
> > Rule name:
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Monday, September 21, 2015 3:29 PM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: freeipa-users@redhat.com; pbrez...@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/
> On Mon, Sep 21, 2015 at 07:39:01PM +0000, Andy Thompson wrote:
> > > -Original Message-
> > > From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > > Sent: Monday, September 21, 2015 3:29 PM
> > > To: Andy Thompson <andy.thomp...@e-tcc.com&
> > On Mon, Sep 21, 2015 at 07:39:01PM +, Andy Thompson wrote:
> > > > -Original Message-
> > > > From: Jakub Hrozek [mailto:jhro...@redhat.com]
> > > > Sent: Monday, September 21, 2015 3:29 PM
> > > > To: Andy Thompson <andy
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Friday, September 18, 2015 4:42 AM
> To: Andy Thompson <andy.thomp...@e-tcc.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>
>
> Sent: Tuesday, September 15, 2015 8:37 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] rhel 6.7 upgrade - sssd/sudo
>
> Sorry for not replying sooner, many of us were mostly offline last week.
>
> I'll try to reproduce locally..
>
> On Tue, Sep 15, 2015 at 12:24
I just updated several machines to RHEL 6.7 and seem to have broken my sudo
rules. I've tracked the problem down to having
Default_domain_suffix = ad.domain
In the sssd.conf. If I remove that I can login using the fqn from AD and sudo
rules are applied as configured. However I don't want to
Ok I've got a strange one going on. I just updated several machines to RHEL
6.7 and seem to have broken my sudo rules. I've tracked the problem down to
having
Default_domain_suffix = ad.domain
In the sssd.conf. If I remove that I can login using the fqn from AD and sudo
rules are applied
-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Andy Thompson
Sent: Monday, July 6, 2015 2:28 PM
To: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] nsslapd-maxbersize and cachememsize
I've got a couple warnings in different IPA installs that I'm not sure how to
find what values I should increase each config setting to.
In one install I'm seeing the following
[03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER
Element was too long, max allowable is
, Andy Thompson wrote:
I've got a couple warnings in different IPA installs that I'm not sure how
to
find what values I should increase each config setting to.
In one install I'm seeing the following
[03/Jul/2015:22:03:02 -0400] connection - conn=16143 fd=122 Incoming BER
Element
On Wed, Jul 01, 2015 at 10:12:54AM +0200, Jakub Hrozek wrote:
On Tue, Jun 30, 2015 at 08:16:05PM +, Andy Thompson wrote:
On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik
wrote:
On (15/05/15 17:27), Andy Thompson wrote:
Is there a way to enforce case
We have requirements to only allow AES encryption. I'm trying to understand
what is the default and where everything comes in to play, the user tickets
are AES when obtained using kinit, but the system keytab shows des3 and arcfour
in addition to AES.
So my questions are
What is
-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Monday, May 18, 2015 10:33 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trusted user groups
On (18/05/15 13:55), Andy Thompson wrote:
-Original Message-
From
-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Thursday, May 14, 2015 4:41 PM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trusted user groups
On (14/05/15 15:53), Andy Thompson wrote:
-Original Message-
From
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, May 18, 2015 4:07 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] username case sensitivity
On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote
+0200, Lukas Slebodnik wrote:
On (15/05/15 17:27), Andy Thompson wrote:
Is there a way to enforce case sensitivity for trusted AD users? I
am
trying to use username for ssh chroots and I can authenticate with
any case combination of UsERname but if ssh is set to match on
username
Is there a way to enforce case sensitivity for trusted AD users? I am trying
to use username for ssh chroots and I can authenticate with any case
combination of UsERname but if ssh is set to match on username then the
chroot is not enforced and the user is dropped to their usual home
I've noticed that trusted users supplementary ad groups don't show up until
after the users login to the box at least once. Is there a chance that
information will be dropped again at any point going forward?
The reason I ask is that on our sftp boxes we chroot users based on group
+, Andy Thompson wrote:
I've noticed that trusted users supplementary ad groups don't show up
until after the users login to the box at least once.
That's expected with the versions you're running. Prior to 6.7, we could only
read the trusted users' group membership from the PAC blob
08, 2015 at 05:21:09PM +0300, Alexander Bokovoy wrote:
On Fri, 08 May 2015, Andy Thompson wrote:
On Fri, 08 May 2015, Andy Thompson wrote:
I'm having an issue with adding a trust to the domain with the
error below
ipa: ERROR: CIFS server communication error: code -1073741801
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 10:21 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment
On Fri, 08 May 2015, Andy Thompson wrote:
-Original Message
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 9:40 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment
On Fri, 08 May 2015, Andy Thompson wrote:
-Original Message
-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Friday, May 8, 2015 8:17 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] multi homed environment
On Fri, 08 May 2015, Andy Thompson wrote:
I'm trying to roll out IPA
I'm trying to roll out IPA in an existing windows environment where everything
is multi homed. I did not put my IPA server on all the subnets.
I'm having an issue with adding a trust to the domain with the error below
ipa: ERROR: CIFS server communication error: code -1073741801,
Is this possible or do they have to be local IPA accounts? Looking at options
for setting up freeradius with IPA on the backend and utilizing OTP, I've got a
test case setup and working for local accounts but a lot of our users are
trusted accounts.
From what I can tell it is not possible
You got a first replica where you failed to delete the entry.
You got a second replica where you succeeded to delete the entry.
On first replica you can see messages like:
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a
tombstone into a tombstone!
It appears that f82 is the user object and f87 is the group object. So you
are
right, I don't think f82 is what we were looking for, it just happened to have
the username in it when I grepped without filtering the uniqueid. I'm not
sure why it was having problems with the user group
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 7:05 AM
To: Andy Thompson; freeipa-users@redhat.com; Jakub Hrozek
Subject: Re: [Freeipa-users] allow trust users to login without domain
On 04/29/2015 12:57 PM, Andy Thompson wrote
In the environment I'm working on currently we have a single trusted AD domain
and will never have any additional domain trusts in place. Is there a way to
allow users to login without using @ad_domain in their username? We use DB2 in
the environment and it's from the dark ages and doesn't
I'm trying to delete an IPA account and I get a generic operations error when
trying to remove it. It looks like something is messed up with the group
object. The user doesn't show up in the ipausers group and there also isn't a
group object for the user in question. Here is the error from
-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Wednesday, April 29, 2015 8:31 AM
To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry
Bordaz
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 01:26 PM, Andy Thompson wrote:
I'm
This is looking like that on the replica where the errors are logged.
The entry is a tombstone but cannot be found with the nsuniqueid.
If on that server you do
ldapsearch -LLL -o ldif-wrap=no -Hldap://mdhixnpipa02 -x -D cn=directory
manager -W -b dc=...
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 11:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:08 PM, Andy Thompson wrote
dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8,cn=username,cn=groups,c
n=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn:
nsuniqueid=7e1a1f87-e82611e4-99f1b343-
f0abc1a8,cn=username,cn=groups,c
n=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-55364a4200050004:
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 1:07 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 06:45 PM, Andy Thompson wrote
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:14 PM, thierry bordaz wrote
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:51 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
did you run the searches as directory manager
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:07 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 03:40 PM, Andy Thompson
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:28 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
can you do the following search on both servers
-Original Message-
From: thierry bordaz [mailto:tbor...@redhat.com]
Sent: Wednesday, April 29, 2015 12:28 PM
To: Andy Thompson
Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 05:58 PM, Andy Thompson wrote
-Original Message-
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:59 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user
On 04/29/2015 04:49 PM, Andy Thompson
I try to set the sudo password but I get a message : GSSAPI Error
What does this kind of message mean?
ldappasswd -Y GSSAPI -S -h my_server
uid=sudo,cn=sysaccounts,cn=etc,dc=my_domain,dc=com
New password:
Re-enter new password:
SASL/GSSAPI authentication started
-Original Message-
From: Sankar Ramlingam [mailto:sraml...@redhat.com]
Sent: Sunday, March 29, 2015 4:35 AM
To: Andy Thompson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] passwordStorageScheme
On 03/28/2015 12:32 AM, Andy Thompson wrote:
-Original Message
Relative newb here :) I'm doing some research trying to sort out the password
storage scheme being used on the freeipa LDAP instance. From everything I can
find it uses ssha but can be changed to ssha-512. But when I try to change
that attribute on the cn=config object like referenced here