[Freeipa-users] LDAP Conflicts

2017-05-04 Thread James Harrison
resolution API | | | But not sure if I am looking in the right place. Many thanks,James Harrison -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-02-14 Thread James Harrison
Hi, Was there any outcome to this? I'm running: sudo1.8.12-1ubuntu3, which is well behind up to date releases. Many thanks, James Harrison From: James Harrison To: "freeipa-users@redhat.com" ; "pbrez...@redhat.com" Cc: "pbrez...@redhat.com" Sent: Monday,

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All, debian 1.8.19-1 doesn't work, but Ubuntu 1.8.12-1ubuntu3 does. James From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-09 Thread James Harrison
All, 1.8.19-1 from Debian does not appear to work too. James From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Saturday, 7 January 2017, 15:34 Subject: Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

Re: [Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-06 Thread James Harrison
Any ideas? From: James Harrison To: "freeipa-users@redhat.com" Sent: Thursday, 5 January 2017, 13:36 Subject: FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1 Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. I can authenticate

[Freeipa-users] FreeIPA sudo not working on ububtu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread James Harrison
Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. I can authenticate OK, I get a kerberos ticket, but cannot run sudo. I get 1 rule returned, which I expect. Many thanks, James Harrison (Thu Jan  5 12:09:57 2017) [sssd[sudo]] [ldb] (0x4000): Destroying timer event 0x1c11e30

[Freeipa-users] Manually configuring Freeipa bind configs to host secondary zones

2017-01-04 Thread James Harrison
s it supported or will they just be over-written by Freeipa? I've been hunting for an answer online, but found nothing about this. Many thanks, James Harrison

Re: [Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
dynamically loading authorized user keys. Public key authentication of IPA users will not be available. From: James Harrison To: "freeipa-users@redhat.com" Sent: Wednesday, 14 December 2016, 15:18 Subject: Free IPA Openssh client install error Hi,I installed the freeipa

[Freeipa-users] Free IPA Openssh client install error

2016-12-14 Thread James Harrison
Is there a fix? Best regards, James Harrison

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
Hi, From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates I updated sssd on Trusty and I can now ssh to it using a FreeIPA user's credentials. AD still doesn't work. Thanks From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent:

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
I tried to clone the git repos and I got access right errors James From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Thursday, 8 December 2016, 11:22 Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticati

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.locall) However auth issues still the same as Precise. Doesnt accept the ssh public key stored with the IPA user or the Trust ID view user. Xenial has no problems. Regards,James Harrison From: James Harrison To

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-08 Thread James Harrison
tions Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted SSSD service could not be stopped Client uninstall complete. From: Lukas Slebodnik To: James Harrison Cc: "freeipa-users@redhat.com" Sent: Thursday, 8 December 2016, 11:22 Subject: Re

[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread James Harrison
seem to authenticate against the public ssh key from the id override user. I appreciate any help you can send my way. Best regards, James Harrison Below is more information root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL Password for x_james.harrison@AD.DOMAIN.LOCAL: root

[Freeipa-users] Something I dont get with FriiIPA and AD Trusts and Users and Greoups

2016-11-21 Thread James Harrison
n 5.5) allows me to do what? Am I supposed to get a synchronised list of Domain Admin users in Free IPA? I can log in to a Linux client using AD credentials, regardless of the AD users external map (The user I'm logging is with is a member of the AD Domain Admins group). Many thanks,Jame

[Freeipa-users] Differences between "ipa-replica-manage connect --winsync..." and ipa-adtrust-install ... ipa trust-add...

2016-11-15 Thread James Harrison
accomplish the same goal: to get AD user accounts? Which one is preferred? Best regards, James Harrison

Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hello. Thanks for your help Martin, that worked. James Harrison On Thu, 10 Nov, 2016 at 12:15, Martin Basti wrote: On 10.11.2016 13:00, James Harrison wrote: Hi All, We use port 2234 for all sshd connections on our systems. It looks like ipa-conncheck uses port 22. Can this

Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
ur network settings according to error messages above. If the check results are not valid it can be skipped with --skip-conncheck parameter. From: James Harrison To: "freeipa-users@redhat.com" Sent: Thursday, 10 November 2016, 12:00 Subject: Specify different ssh port for ipa-con

[Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hi All, We use port 2234 for all sshd connections on our systems. It looks like ipa-conncheck uses port 22. Can this be changed to use 2234? This would be for replicas and clients I presume. This is quite urgent. Many thanks, James Harrison

Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-07 Thread James Harrison
https://www.redhat.com/archives/freeipa-users/2016-November/msg00031.html On 07.11.2016 12:05, James Harrison wrote: Anyone ? Sent from Yahoo Mail on Android On Fri, 4 Nov, 2016 at 11:04, James Harrison wrote: Hello, I've installed FreeIPA 4.2 master using Centos and I have a Wind

Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-07 Thread James Harrison
Anyone ? Sent from Yahoo Mail on Android On Fri, 4 Nov, 2016 at 11:04, James Harrison wrote: Hello, I've installed FreeIPA 4.2 master using Centos and I have a Windows 2012R2 with its AD schema emulating a Windows 2012 system I have established a trust between the two and it appea

[Freeipa-users] Remove AD domain in auth commands

2016-11-04 Thread James Harrison
only way to ssh to the master IPA server is like this: ssh "x_@IPAWIN.LOCAL"@10.10.10.10 Another example is using kinit: I have to do the following to get a credential: kinit x_@IPAWIN.LOCAL Ideally I would not need or use the "@IPAWIN.LOCAL". Can anyone help? Be

Re: [Freeipa-users] Promote CA-less replica

2016-10-21 Thread James Harrison
Hello all, That is really good to know. Thank you for helping me out with this. James From: Rob Crittenden To: "jamesaharriso...@yahoo.co.uk" ; Martin Babinsky ; "freeipa-users@redhat.com" Sent: Friday, 21 October 2016, 14:18 Subject: Re: [Freeipa-users] Pro

Re: [Freeipa-users] Promote CA-less replica

2016-10-20 Thread James Harrison
y get to use 4.2 of FreeIPA, but the Ubuntu version is 4.4.2. Is there 4.4.2 for CentOS? Best regards James Harrison From: Rob Crittenden To: James Harrison ; Martin Babinsky ; "freeipa-users@redhat.com" Sent: Wednesday, 19 October 2016, 14:28 Subject: Re: [Freeipa-users] Promote CA-

Re: [Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
"replica" run the ipa-replica-prepare script once ipa-replica-install has been successfully run? Thank you for any help. Best regards, James Harrison From: Martin Babinsky To: freeipa-users@redhat.com Sent: Wednesday, 19 October 2016, 11:01 Subject: Re: [Freeipa-users] Promote

[Freeipa-users] Promote CA-less replica

2016-10-19 Thread James Harrison
a CA. Our CA is Comodo and we have configured FreeIPA to use a certificate, key and interim certificates from Comodo. using the options: --http_pkcs12=--http_pin= --dirsrv_pkcs12=... --dirsrv_pin= Hope someone can help. Quite urgent. Regards, James Harrison

Re: [Freeipa-users] PKI Authentication Issues

2016-03-23 Thread Sam James
ed, Mar 23, 2016 at 4:31 PM, Petr Vobornik wrote: > On 03/23/2016 03:50 PM, Sam James wrote: > >> Hello everyone, >> >> I've been banging my head against the wall for a few days now trying to >> resolve >> an issue with PKI and I'm hoping I might get som

[Freeipa-users] PKI Authentication Issues

2016-03-23 Thread Sam James
Hello everyone, I've been banging my head against the wall for a few days now trying to resolve an issue with PKI and I'm hoping I might get some help. First some context. About a week ago I was alerted that all of our replicas were offline due to pki-tomcatd not starting. Further investigation

Re: [Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

2016-01-13 Thread James Kinney
Wed, 2016-01-13 at 18:10 -0500, James Kinney wrote: > I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and > the replica process is failing to install on the new system: > > 2016-01-13T17:27:46Z DEBUG Starting external process > 2016-01-13T17:27:46Z DEBUG args=

[Freeipa-users] replica install failing with : "Clone does not have all the required certificates"

2016-01-13 Thread James Kinney
I need to upgrade from IPA3.0 to IPA4.2 (from centos 6.7 to 7.2) and the replica process is failing to install on the new system: 2016-01-13T17:27:46Z DEBUG Starting external process 2016-01-13T17:27:46Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpjklK4o' 2016-01-13T17:28:19Z DEBUG Pro

[Freeipa-users] IPA 4.2 - installer changes for --external-ca

2015-12-15 Thread James Masson
in IPA 4.1. We do more than 10 installs of IPA per day as part of CI, I think now we're back to a working configuration again. Hopefully this will help others who come along this path. James M

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson
On 12/11/15 15:21, Rob Crittenden wrote: James Masson wrote: On 30/10/15 13:52, Rob Crittenden wrote: James Masson wrote: On 26/10/15 16:11, Martin Kosek wrote: On 10/26/2015 04:05 PM, James Masson wrote: On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread James Masson
On 30/10/15 13:52, Rob Crittenden wrote: James Masson wrote: On 26/10/15 16:11, Martin Kosek wrote: On 10/26/2015 04:05 PM, James Masson wrote: On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I successfully have IPA working with CA certs signed by an upstream

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-28 Thread James Masson
On 26/10/15 16:11, Martin Kosek wrote: On 10/26/2015 04:05 PM, James Masson wrote: On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a diff

Re: [Freeipa-users] IPA with external CA signed certs

2015-10-26 Thread James Masson
On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I successfully have IPA working with CA certs signed by an upstream Dogtag. Now I'm trying to use a CA cert signed by a different type of CA - Vault. Setup fails, using the same 2 step IPA setup process as used

[Freeipa-users] IPA with external CA signed certs

2015-10-15 Thread James Masson
ype option. Likely, IPA doesn't like the certificate - however, I can't pinpoint why. Errors below. thanks James M ### -BEGIN CERTIFICATE- MIIDdzCCAl+gAwIBAgIUTKucjDpTMZ/oPmgnxR1MznVhktkwDQYJKoZIhvcNAQEL BQAwVjEZMBcGA1UEAxMQbXljYS5leGFtcGxlLmNvbTE5

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-28 Thread James Masson
On 24/09/15 01:20, Fraser Tweedale wrote: On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote: On 23/09/15 11:03, Fraser Tweedale wrote: On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: On 22/09/15 17:02, James Masson wrote: Hi, we're building IPAs in an auto

Re: [Freeipa-users] Automatic IPA CA cert generation

2015-09-23 Thread James Masson
On 23/09/15 11:03, Fraser Tweedale wrote: On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote: On 22/09/15 17:02, James Masson wrote: Hi, we're building IPAs in an automated fashion, for environments that get created and destroyed a lot. At the moment, the CA certs used inside

[Freeipa-users] Automatic IPA CA cert generation

2015-09-22 Thread James Masson
'm hoping to avoid the need to have to use/send this automatically generated CSR every time. thanks James M

[Freeipa-users] PKI-CAD service fails, IPA won't start

2015-09-10 Thread Cassidy, James M.
ails, due to either the PKI-CAD service failing or the timeout. Sorry for the wall of text. James Cassidy

Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson
This is a virtual machine, rng-tools-5-4.fc22.x86_64 is installed ... I did just try to create a gpg key and it seemed to have entropy issues... I did however run the command $ rngd -W 4096 $ cat /proc/sys/kernel/random/entropy_avail to fill the entropy up again (previously reporting around 30

Re: [Freeipa-users] Issues

2015-06-18 Thread James Benson
Freeipa 4.1.4 On 06/18/2015 10:28 AM, Simo Sorce wrote: On Thu, 2015-06-18 at 10:08 -0500, James Benson wrote: Hi all, I'm a fairly advanced user, however, having issues with setting up freeIPA. I've started with Fedora 22 server (both with minimal install and basic install), mo

[Freeipa-users] Issues

2015-06-18 Thread James Benson
o increase the timeout value, but no luck. Suggestions? Thanks, James

Re: [Freeipa-users] Freeipa-users Digest, Vol 83, Issue 65

2015-06-12 Thread James Benson
dera server as authentication, but I can't tie it to our domain since I'm not in charge of it and frankly I tried and just goes to oblivion since I'm inside the firewall and the domain is outside and not going to punch those holes. Anyone else have thoughts? James On 06/12/201

[Freeipa-users] Is something.local hostname possible

2015-06-12 Thread James Benson
Hi all, I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions? Thanks James

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
:56 GMT+02:00 thierry bordaz : > Hi, > > Would you update your master to 389-ds-base-1.2.11.15-56.el6, before > attempting the upgrade to 7 ? > > thanks > thierry > > On 06/08/2015 12:30 PM, James James wrote: > > My master version is 389-ds-base-1.2.11

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
My master version is 389-ds-base-1.2.11.15-50.el6_6.x86_64 . Thanks. 2015-06-08 10:25 GMT+02:00 thierry bordaz : > Hello James, > > The fact that the master is more powerfull than the replica increase the > possibility to hit that bug. > The bug fix is on the master side. The

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-06-08 Thread James James
machine for the replica ? How can I limit the cpu/memory in the physical machine (with cgroups ??). Any hints will be appreciated .. Regards James 2015-05-18 14:04 GMT+02:00 thierry bordaz : > On 05/15/2015 05:11 PM, James James wrote: > > ok Rob. Thanks for your help. I will wai

[Freeipa-users] Successful Install on VB...

2015-06-05 Thread James Benson
've tried to check the services, however, they don't seem to want to start (no errors, just don't see them in the service status menu) Any help would be great as I would greatly like to use the website over commands if possible. Thank you, James

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
ok Rob. Thanks for your help. I will wait for the Scientific Linux 6.7 . Best. James 2015-05-15 16:58 GMT+02:00 Rich Megginson : > On 05/15/2015 08:46 AM, James James wrote: > > [root@ipa ~]# rpm -q 389-ds-base > 389-ds-base-1.2.11.15-50.el6_6.x86_64 > > > Ok. Looks li

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
[root@ipa ~]# rpm -q 389-ds-base 389-ds-base-1.2.11.15-50.el6_6.x86_64 2015-05-15 16:32 GMT+02:00 Rich Megginson : > On 05/15/2015 08:22 AM, James James wrote: > > I think that : > > Starting replication, please wait until this has completed. > Update in progress, 1

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
:55 AM, James James wrote: > > Is it possible to change the nsds5ReplicaTimeout value to get rid of this > timeout error ? > > > What timeout error? > > > 2015-04-17 4:52 GMT+02:00 Rich Megginson : > >> On 04/15/2015 10:44 PM, James James wrote: >> >

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-05-15 Thread James James
Is it possible to change the nsds5ReplicaTimeout value to get rid of this timeout error ? 2015-04-17 4:52 GMT+02:00 Rich Megginson : > On 04/15/2015 10:44 PM, James James wrote: > > The ipareplica-install.log file in attachment ... > > > Here are the pertinent bits: > &

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
The ipareplica-install.log file in attachment ... 2015-04-16 2:22 GMT+02:00 Rob Crittenden : > Rich Megginson wrote: > > On 04/15/2015 02:58 PM, James James wrote: > >> Nothing on the replica .. maybye a process on the master. How can I > >> check that ? > >

Re: [Freeipa-users] Replication seems to begin but failed after 127 seconds ...

2015-04-15 Thread James James
Nothing on the replica .. maybe a process on the master. How can I check that ? 2015-04-15 21:37 GMT+02:00 Rich Megginson : > On 04/15/2015 12:43 PM, James James wrote: > > Here the log > > 2015-04-15 18:58 GMT+02:00 Rich Megginson : > >> On 04/15/2015 09:

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-08 Thread James James
all the CA I've got this message : [root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U CA is already installed. Should I have to promote the replica to a standalone master before installing the CA ? Any hints will be appreciated... James 2015-04-08 7:27 GMT+02:00 Jan Ch

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
le to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA ? Thanks. 2015-04-07 13:48 GMT+02:00 Martin Kosek : > On 04/07/2015 01:44 PM, James James wrote: > > ok. > > > > Is there a way to migrate from an external CA to a CA-less or a > self-sign

Re: [Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-07 Thread James James
ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA ? 2015-04-07 12:51 GMT+02:00 Martin Kosek : > On 04/03/2015 11:39 AM, James James wrote: > > Hello, > > > > I want to initialize a new replica with an external CA. My Certificate > >

[Freeipa-users] ipa and external ca

2015-04-03 Thread James James
--subject="O=orga,C=FR,OU=MyOU" Does somebody knows how to do ? Best. James

[Freeipa-users] Replica with external ca + custom subject in certificate

2015-04-03 Thread James James
Hello, I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject like : /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com How can I do with the ipa-server-install command ? I have been trying for f

Re: [Freeipa-users] Password entry through Trust not correct

2015-03-22 Thread McEvoy, James
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Saturday, March 21, 2015 10:42 AM To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Password entry through Trust not correct On 03/20/2015 08:56 PM, McEvoy, James

[Freeipa-users] Password entry through Trust not correct

2015-03-20 Thread McEvoy, James
option --enablerfc2307bis when I run authconfig. from a freeipa client: $ getent passwd jemce...@enas.net jemce...@enas.net:*:10001:10004::/home/enas.net/jemcevoy: from the ipa server: [root@ipa ~]# getent passwd jemce...@enas.net jemce...@enas.net:*:10001:10004:James McEvoy:/home/enas.net

[Freeipa-users] Firewalld rules to allow AD Join

2015-03-20 Thread McEvoy, James
Hi FreeIPA Users: I can only get my new Fedora 21 freeipa to server to setup a trust with Active Directory if I turn off the firewall on the ipa server. I have looked through all the doc on which ports to open but have had no luck getting the join to work with firewalld running... Can someon

[Freeipa-users] Web UI customization

2015-03-07 Thread James James
Hello, I am with a ipa 3.3 server on centos 7. I want to customize the web ui user add page (to include krbprincipalexpiration field with a jquery calendar... ). I have read http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf , https://pvoborni.fedorapeople.org/api/#!/guide/Phases

Re: [Freeipa-users] issues with secondary groups? (sssd)

2015-03-02 Thread James Shubin
; client install with ansible or puppet. Currently just trying to get it > > working with simple sssd/ldap only auth. > > I would recommend against enrolling clients in any other way than with > ipa-client-install. > > I've CC-ed James Shubin, who worked on automating client

Re: [Freeipa-users] FreeIPA 4.0.4 now in Debian unstable!

2014-10-26 Thread James
ion to detail, sponsored them for me before I got upload rights, > and most importantly stuck around all this time :) > > > -- > t > > -- Awesome news! If someone is willing to test, I'm willing to write the patches to puppet-ipa [1] so that it works on Debian. Let m

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread James
On 13 October 2014 18:18, Dmitri Pal wrote: > On 10/12/2014 08:07 PM, James wrote: >> >> On 12 October 2014 19:55, Janelle wrote: >>> >>> Hi again, >>> >>> I was wondering if there were any suggestions for performance of IPA and >>> s

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-12 Thread James
; masters/replicas. Are there any formulas to follow? > > thanks If you get an answer to this, or if you know of any other performance tuning params, let me know and I'll build it in to puppet-ipa. Thanks, James

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 21:55, Fraser Tweedale wrote: > This is great. Can we use the GNOME project's experience as a story > or case study in promoting FreeIPA to other projects/communities? > IMO we need a couple of examples like this on the freeipa.org front > page. I would recommend waiting a lit

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 19:54, Dmitri Pal wrote: > On 10/07/2014 09:27 AM, James wrote: >> >> On 7 October 2014 05:58, Alexander Bokovoy wrote: >>> >>> Hi! >>> >>> As Andrea Veri describes in the blog[1], GNOME Project's infrastructure >>&

Re: [Freeipa-users] Enrolling with multiple IPA servers

2014-10-07 Thread James
e accepted. "Shape" means how do I algorithmically define who is neighbours with who. The two provided are "flat" and "ring": [1] https://github.com/purpleidea/puppet-ipa/blob/master/DOCUMENTATION.md#topology [2] https://github.com/purpleidea/puppet-ipa/tree/master/lib/puppet/

Re: [Freeipa-users] GNOME Project moved to FreeIPA for managing its account information

2014-10-07 Thread James
On 7 October 2014 05:58, Alexander Bokovoy wrote: > Hi! > > As Andrea Veri describes in the blog[1], GNOME Project's infrastructure > is now powered by FreeIPA. While GNOME was already using SSSD since very > early days of SSSD project, move to FreeIPA on the server side took more > time. Yup :)

Re: [Freeipa-users] freeipa-client on Debian Wheezy

2014-09-27 Thread James James
Hi Alexandre, Thanks for your effort. I am facing some issues with the numeezy freeipa debian client. 1 ) When I use ipa-client-install I can't specify the ca-cert path and I have to import my CA cert in /etc/pki/nssdb 2 ) When I try to make ipa-client-automount, the rpc.idmapd, rpc.gssd deamons

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
SOLVED. realm-proxy has to be indirect member of : memberofindirect: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com Thanks for your help. 2014-09-09 16:59 GMT+02:00 Rob Crittenden : > James James wrote: > > My user : realm-proxy is in a group (Smart Proxy Host Manageme

Re: [Freeipa-users] ACI for ipa-getkeytab

2014-09-09 Thread James James
My IPA version is 3.0.0 . Thanks 2014-09-09 1:22 GMT+02:00 Dmitri Pal : > On 09/08/2014 06:52 PM, James James wrote: > > Hi everybody, > > I want a user to be able to do ipa-getkeytab to retrieve the keys from > any host in the realm. > > How can I do this ? >

[Freeipa-users] ACI for ipa-getkeytab

2014-09-08 Thread James James
Hi everybody, I want a user to be able to do ipa-getkeytab to retrieve the keys from any host in the realm. How can I do this ? Where I can find an ACI example ( https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html) which can helps me ? Thanks for your help.

Re: [Freeipa-users] Centos 7 and 4.0

2014-08-22 Thread James
>> Error: Nothing to do > > > Am I missing something? I remember that there was a thread about Centos 7 > and FreeIPA 4 but for the life of me I can't find it. > > Thanks Just a guess but it's probably called ipa-server. You can use yum search too. Eg: 'yum se

[Freeipa-users] Multi-OS FreeIPA in puppet-ipa

2014-08-17 Thread James
: https://github.com/purpleidea/puppet-ipa/tree/feat/yamldata I'll rebase this branch as new patches are added, and I'll usually keep it current against git master. Once someone ACK's that it is working against another OS or version, then I'll maintain it in git master. Thank

Re: [Freeipa-users] Minimal permissions for "joiner" account?

2014-08-15 Thread James
umentation too confusing to follow at 1 am - > will be a project for another day. There is the python ipa API, not sure how stable or official it is, but if you look in my code I use it occasionally. > > Thanks for your help. Cheers, James

Re: [Freeipa-users] Minimal permissions for "joiner" account?

2014-08-14 Thread James
is a winning module, in the same way that rails saved ruby, so I would take a closer look) you can at least use it as a reference architecture when writing a salt module. That's the beauty of Free Software! Good luck! HTH, James

Re: [Freeipa-users] Minimal permissions for "joiner" account?

2014-08-14 Thread James
g to make is that the puppet module I linked you to does all of this automatically for you. HTH, James

Re: [Freeipa-users] Minimal permissions for "joiner" account?

2014-08-14 Thread James
On Thu, Aug 14, 2014 at 4:23 PM, Michael Lasevich wrote: > I am not all too comfortable to run this as admin user and not quite ready > to set up the orchestration needed to pre-join the host. Re: orchestration, https://github.com/purpleidea/puppet-ipa Does this help?

Re: [Freeipa-users] WebUI krbprincipal expiration calendar widegt

2014-08-11 Thread James James
Thanks a lot for your answer. I will switch to RHEL 7 to use 3.3 .. Best regards. James 2014-08-11 17:05 GMT+02:00 Martin Kosek : > On 08/10/2014 01:58 PM, James James wrote: > > Hello, > > > > > > Is there a way to patch my ipa .3.0.0 with this patch: > > htt

[Freeipa-users] WebUI krbprincipal expiration calendar widegt

2014-08-10 Thread James James
Hello, Is there a way to patch my ipa .3.0.0 with this patch: https://www.mail-archive.com/freeipa-devel@redhat.com/msg20528.html ? The DateTime data type will be very useful ! Regards

Re: [Freeipa-users] FreeIPA + Chef

2014-07-31 Thread James
, you can consider using puppet instead, or start porting it to chef. A lot of the code can be re-used, since my module contains a good amount of puppet. HTH, James

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
OK. Maybe this should be precised in the documentation. By the way, thanks your help. Best regards. 2014-07-24 15:22 GMT+02:00 Jakub Hrozek : > On Thu, Jul 24, 2014 at 10:48:44AM +0200, James James wrote: > > The problem is solved. > > > > I had to explicity provides th

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
The problem is solved. I had to explicitly provide the location in the ipa-client-automount command like this: ipa-client-automount --server=ipa.lix.polytechnique.fr --location=server1 -U Thanks again. 2014-07-24 10:22 GMT+02:00 James James : > The files are in attachment. > > T

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread James James
The files are in attachment. Thanks for your help. 2014-07-24 9:41 GMT+02:00 Jakub Hrozek : > On Wed, Jul 23, 2014 at 11:45:28PM +0200, James James wrote: > > Hi guy, I've been struggling for a while to make sssd work with > autofs. > > I have a freeipa server t

[Freeipa-users] SSSD and Autofs

2014-07-23 Thread James James
Hi guy, I've been struggling for a while to make sssd work with autofs. I have a freeipa server that serves maps. When a client is enrolled and I run in a terminal root@host ~# ipa-client-automount -U everything is ok but I've got: root@host ~# automount -fd -vvv Starting automounter ver

Re: [Freeipa-users] FreeIPA replica topologies

2014-07-03 Thread James
On Thu, Jul 3, 2014 at 3:39 AM, Simo Sorce wrote: > Option TWO is preferable if you have the CA only on A. > You should be able to run the connect command on any administrative host > IIRC. Thanks for the reply!

[Freeipa-users] FreeIPA replica topologies

2014-07-02 Thread James
ected to the two peers we want to connect? Thanks again! James

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
should be well with the world again. Thanks for your help and guidance on this. Your level of support is better than I could have expected. On 1/6/14 11:01 AM, Rob Crittenden wrote: James Scollard wrote: That makes absolute perfect sense. Thanks for the clarification. Unfortunately I have an

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-06 Thread James Scollard
-converter.html I need the server's private key file to convert from pkcs7 to pkcs12, but can't find it anywhere. Is there a command to export it or does it live in /var/lib or /etc somewhere? Thanks. On 1/6/14 4:09 AM, Jan Cholasta wrote: ipa-server-install --dirsrv_pkcs -- James E. Scollar

Re: [Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard
, Rob Crittenden wrote: James Scollard wrote: When attempting to run the second part of the installation with an external CA (Globalsign) using my signed certificate and CA certificate chain I get the following; [root@ldapm6x00 ~]# ipa-server-install --external_cert_file=/root/ldapm6x00.sun.weather.co

[Freeipa-users] Globalsign External CA Certificate Import Failure

2014-01-03 Thread James Scollard
certificate. I did not see this problem with Network Solutions wildcard certificates though. Any suggestions would be appreciated. Thanks. -- James E. Scollard III Senior Cloud Systems Architect c: 615.730.4387 www.weather.com

Re: [Freeipa-users] [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-03 Thread James
works" or at least mostly, feel free to ping me somehow. HTH, James [1] https://github.com/purpleidea/puppet-ipa ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
On 1 August 2013 15:55, Rob Crittenden wrote: > James Hogarth wrote: >> On 1 August 2013 09:36, Martin Kosek wrote: >> The patch for this would do basically this: >> - rem

Re: [Freeipa-users] Providing minimal permissions to read replication status

2013-08-01 Thread James Hogarth
e ldif (delegation.ldif and replica-acis.ldif) with the new role/privilege/permission and acis in install/share for the new installs and add an appropriate entry (not quite ldif) in install/updates to update the default schema of those updating in future, given no new attributes - right? Cheers, James

[Freeipa-users] Providing minimal permissions to read replication status

2013-07-31 Thread James Hogarth
ades due to schema differences - so was hoping to remain within the IPA command side of things... 1) Is this even possible with the ipa command? 2) If I use ldapmodify to add a new permission by hand via ldif for "Read Replication Agreements" will this likely bre

Re: [Freeipa-users] Question about design of ldap dns

2013-07-17 Thread James Hogarth
ndb-ldap also doesn't need any of the per RRtype stuff so avoids complexity there... > Thank you for your time and passion! > > Well it's about time the linux world had something like this (rather than the old mish-mash of kerberos, openldap, etc and associated scripts to sort of glue users together that was the previous situation) so I champion it wherever I can! James
