I saw this question come up way back in the archives, so I thought I'd
ask to see if there's a better way to do it.
Basically I want users who log into my servers that run the FreeIPA
client to be given the local usergroup DOCKER. Is there a way to do
that? Is it controlled from the FreeIPA
Follow-up: I guess I can leave off the --hostname part of it and it
doesn't change the hostname.
On 2017-04-19 17:25, g...@greg-gilbert.com wrote:
> Rob, here's what I see in that log:
>
> 2017-04-19T21:18:23Z DEBUG Using servers from command line, disabling DNS
> discovery
>
\
--password="PASS" \
--hostname="{{ ansible_eth0.ipv4.address }}"
On 2017-04-19 16:27, Rob Crittenden wrote:
> g...@greg-gilbert.com wrote:
>
>> When the instances register themselves with FreeIPA, their hostnames get
>> changed to match their IP
When the instances register themselves with FreeIPA, their hostnames get
changed to match their IP; that's a FreeIPA rule, I believe. So in this
case, the hostname is 10.100.*.
ubuntu@10:~$ hostname
10.100.15.130
On 2017-04-19 14:53, Jason B. Nance wrote:
> Hi Greg,
>
>> I'm tryi
I'm trying to set up a rule based on server hostname. So for example,
10.100.* would be put into the 'developers' hostgroup. I can't figure
out the proper format of the inclusive regex. I've tried:
* 10.100.*
* 10\.100.*
* 10\.100
* .*100.*
and a few other
Actually I just saw Jakub's response, and that helped me out. I just
added this to the sssd.conf on the client, and it seems to work:
[domain/ipa.services.FOO]
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 21600
Thanks, all!
On 2017-04-06 11:47, g...@greg
entry_cache_timeout = 60
Am I doing something wrong here?
On 2017-04-06 03:11, Martin Bašti wrote:
> On 06.04.2017 01:57, Greg Gilbert wrote:
>
>> Hey. I'm a bit new to FreeIPA, so apologies if this has already been
>> addressed. For reference, I'm running FreeIPA 4.4 server on CentOS
nodes, or requires a manual
restart of the sssd service. In this case, I'm testing adding and
removing a user from a sudo rule. Is this the correct behavior, or is
there a misconfiguration on my part somewhere?
- greg
--
Manage your subscription for the Freeipa-users mailing list:
https
in = dom.com
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = static,sss
[Static]
host/nfsclient.dom@dom.com = root
nfs/nfsclient.dom@dom.com = root
What have I missed / what else needs to be set up where to allow gssproxy
and kerberised NFS backed by IPA to map root on
try and force gssproxy to use that principal
instead of "host/...", but it didn't seem to work, gssproxy defaults to
"host/...". Possibly mis-understanding what this option is for, and
possibly "host/..." is the safer/standard option? I'm assuming it's default
for a reason,
upgrade and do
fresh OS installs between the replica migrations, all the better, as it can
be a bit of an added nuisance (trawling all the *.rpmnew config files and
making sure everything is correct).
--
Thanks,
Greg Kubok.
On 26 February 2017 at 11:08, Rob Verduijn <rob.verdu...@gmail.com>
risk? Setting
up a cross forest trust where the AD administrator retains total control over
everything, or putting foreign software on the Windows domain controllers to
copy user passwords to an untrusted entity?
- Greg
No worries then. The IPA CA (dogtag) uses NSS for crypto so there is no way
the CA private key could have been exposed.
If you've issued SSL certs from the IPA CA for services running OpenSSL you
could re-issue those to be on the safe side, but IPA itself uses only NSS on
its servers.
I feel dumb, but I cannot seem to find anything about this. How do I rekey the
self-signed CA cert for IdM/IPA? It seems like it should be something simple,
but I’m not finding anything. CentOS 6.5 install. If you’ve got a place to
point me towards, that would be wonderful.
Thanks,
Greg
On Wed, Dec 7, 2011 at 14:22, Simo Sorce s...@redhat.com wrote:
On Wed, 2011-12-07 at 14:10 -0600, Greg Swift wrote:
I'm having a debate with our hostmaster. His general complaint is
that systems like AD and FreeIPA should not be so closely tied to the
domain name because some standard