Re: [Freeipa-users] add SubjectAltName (SAN) to IPA certificate

2015-09-14 Thread Martin Kosek
On 09/12/2015 02:57 PM, Brian J. Murrell wrote: > Due to the bug in mod_nss that prevents SNI from functioning (i.e. > limits a port to a single certificate) I need to add SANs > (SubjectAltName) to the certificate that freeipa created for the > webserver (Server-Cert) so that I can add more

Re: [Freeipa-users] ocsp server not responding after migrating from centos 6.7 to 7.1

2015-09-14 Thread Martin Kosek
On 09/12/2015 09:51 AM, Natxo Asenjo wrote: > On Sat, Sep 12, 2015 at 9:43 AM, Natxo Asenjo > wrote: > >> hi, >> >> In a test network I followed the procedure specified in >>

Re: [Freeipa-users] V6 and v4

2015-09-14 Thread Martin Kosek
On 09/13/2015 04:33 PM, Janelle wrote: > Hello, > > I read something recently that if ip v6 is disabled on a server this hurts > performance in some way? Is there more info on this or did I misread it? > > Thank you > ~J The only area where I recall disabled IPv6 causing trouble is

Re: [Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-11 Thread Martin Kosek
On 09/11/2015 03:29 PM, Rob Crittenden wrote: > Craig White wrote: >> Following instructions from here… >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html >> >> >> >> RHEL6 server >> >>

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Martin Kosek
On 09/08/2015 08:13 PM, Ian Pilcher wrote: > Now that I'm actually using IPA authentication for a few services within > my house, I'm going to set up a simple "start page" with a few links, > including a link to IPA web UI for password changes. I'd like to use > the FreeIPA logo, but I've only

Re: [Freeipa-users] Logging?

2015-09-10 Thread Martin Kosek
On 09/09/2015 09:50 PM, Janelle wrote: > Hello, > > I was wondering if anyone has played with the extended logging of IPA and > specifically SSSD and the kibana dashboards they put together. > https://www.freeipa.org/page/Centralized_Logging > > I can't seem to get "clients" to send the login

Re: [Freeipa-users] Replacing the "master"

2015-09-08 Thread Martin Kosek
On 09/08/2015 04:23 PM, Martin Kosek wrote: > On 09/06/2015 10:45 PM, Steven Jones wrote: >> >> Martin Kosek wrote: >>> On 09/04/2015 12:00 AM, Rob Crittenden wrote: >>>> Steven Jones wrote: >>>>> I have a 3 node IPA cluster, I have replaced

Re: [Freeipa-users] Replacing the "master"

2015-09-08 Thread Martin Kosek
On 09/06/2015 10:45 PM, Steven Jones wrote: > > Martin Kosek wrote: >> On 09/04/2015 12:00 AM, Rob Crittenden wrote: >>> Steven Jones wrote: >>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I >>>> try and re

Re: [Freeipa-users] Replacing the "master"

2015-09-04 Thread Martin Kosek
On 09/04/2015 12:00 AM, Rob Crittenden wrote: > Steven Jones wrote: >> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I >> try and remove the last one the master? it says, >> >> "[root@vuwunicoipam001 thing]# ipa-replica-manage del >> vuwunicoipam002. >>

Re: [Freeipa-users] stubborn old replicas

2015-08-27 Thread Martin Kosek
On 08/26/2015 05:31 PM, Simo Sorce wrote: On Wed, 2015-08-26 at 06:36 -0700, Janelle wrote: Hello all, My biggest problem is losing replicas and then trying to delete the entries and rebuild them. Here is a perfect example, I simply can't get rid of these (see below). I have tried (of

Re: [Freeipa-users] Missing data encountered + Incremental update failed and requires administrator action

2015-08-24 Thread Martin Kosek
On 08/21/2015 07:17 PM, Benjamin Reed wrote: I recently upgraded my CentOS7 machine to the latest el7.1 updates, and had oomkiller trigger in the middle of yum upgrade. I managed to recover by doing a number of things including restoring dirsrv's data/config from backup and re-running

Re: [Freeipa-users] Adding virtual servers to IPA httpd

2015-08-24 Thread Martin Kosek
On 08/23/2015 07:04 PM, Ian Pilcher wrote: Is it possible to add name- or port-based virtual servers to IPA's Apache server (without interfering with any of the IPA functions)? FreeIPA can play well with other stuff running on the same Apache as long as you do not break its Apache

Re: [Freeipa-users] private groups

2015-08-20 Thread Martin Kosek
On 08/20/2015 11:57 AM, Detlev Habicht wrote: Hi all, I am new to using IPA and while learning IPA I am also learning some other things new to me. Migrating our system to IPA I found some problems with private groups. We didn't use it up to now. Trying to disable this feature with

Re: [Freeipa-users] HBAC rules not applying to Solaris clients

2015-08-18 Thread Martin Kosek
On 08/15/2015 07:05 PM, Natxo Asenjo wrote: On Sat, Aug 15, 2015 at 5:24 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote: sipazzo wrote: and my users are able to authenticate to the directory but the hbac rules are not being applied. Any user

Re: [Freeipa-users] migrating openldap 2

2015-08-18 Thread Martin Kosek
On 08/07/2015 03:25 PM, Marcelo Roccasalva wrote: Hi, I need to migrate an ldap tree from openldap 2 (including qmail schema). Which would be the shortest path? I see there was no reply to the mail. I would suggest including more details about what you are trying to achieve. FreeIPA does not

Re: [Freeipa-users] time restricted access

2015-08-18 Thread Martin Kosek
On 08/13/2015 05:11 PM, David Kupka wrote: On 13/08/15 17:01, Marcelo Roccasalva wrote: Hello, I've installed freeIPA 4.1.0 under CentOS 7 and I need to restrict authentication to one or more time ranges but I failed to find such a configuration... TIA Hello, you're probably looking for

Re: [Freeipa-users] Sudden replication failure

2015-08-18 Thread Martin Kosek
On 08/10/2015 10:05 PM, Burke Rosen wrote: Hello, I'm running two replicated freeIPA servers. One of them spontaneously failed. After taking the misbehaving server down, the remaining replicant handled everything fine. I restored the system to its original working state by uninstalling

Re: [Freeipa-users] ipa v4 on CentOS6

2015-08-18 Thread Martin Kosek
On 08/17/2015 01:15 PM, Ramy Allam wrote: Hello, I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine. And need to setup ipa-4.1.0 on a CentOS *6* machine. CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6 please ? The reason I need to setup

Re: [Freeipa-users] IPA client enrollment check

2015-08-06 Thread Martin Kosek
On 08/04/2015 03:10 PM, Thomas Lau wrote: Does anyone know how could I check if client enrolled or not? trying to automate enrollment process by using generic tool since I am using Ubuntu, only ipa-client-install available. Hello Thomas, I am not aware of some general API/CLI for that.

Re: [Freeipa-users] Admin password not accepted during replica install

2015-08-03 Thread Martin Kosek
When this command failed for me, it usually was a problem with SSSD on the master. The service was down, offline or simply something wrong was with it. On the master, I would try: $ id admin $ ssh admin@localhost # (with password) If that works, try manual $ ssh admin@ipa.master.server # with

Re: [Freeipa-users] ipa-replica-prepare error

2015-07-31 Thread Martin Kosek
On 07/30/2015 05:28 PM, Orion Poplawski wrote: On 07/28/2015 11:09 PM, Jan Cholasta wrote: On 20.7.2015 at 19:52 Orion Poplawski wrote: On 07/20/2015 12:57 AM, Jan Cholasta wrote: On 15.7.2015 at 20:57 Orion Poplawski wrote: On 07/14/2015 11:53 PM, Jan Cholasta wrote: #

Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-31 Thread Martin Kosek
On 07/31/2015 10:10 AM, Natxo Asenjo wrote: Hi, Maybe just one more redirect if people come directly to https://freeipa.org? Right, this is the last missing part. I did not implement it yet as I would first need to set up some own redirecting machine that I could trust and upload FreeIPA

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-30 Thread Martin Kosek
wrote: On Wed, Jul 29, 2015 at 04:32:42PM +0200, Martin Kosek wrote: On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote: Hello! I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after applied some rules to specified user? [root@ipa ~]# ipa sudorule-show Rule name: wheel Rule name: Wheel

Re: [Freeipa-users] bind-dynamicdb TKEY update

2015-07-29 Thread Martin Kosek
Hello Jorgen, Given you ask on this list, I assume you are asking if this CVE is fixed in FreeIPA DNS feature which utilizes BIND. The answer is - it depends :-) As the bug itself is in BIND, it depends if the patch made it for given downstream platform. As for Fedora and/or RHEL, I checked with

Re: [Freeipa-users] Is there any delay after applied rules to user?

2015-07-29 Thread Martin Kosek
On 07/29/2015 03:22 PM, Dewangga Bachrul Alam wrote: Hello! I'm using FreeIPA 4.1.x on CentOS 7, Is there any delay after applied some rules to specified user? [root@ipa ~]# ipa sudorule-show Rule name: wheel Rule name: Wheel Enabled: TRUE Host category: all Command category:

Re: [Freeipa-users] OT: https://www.freeipa.org missing intermediate certificate

2015-07-24 Thread Martin Kosek
On 07/10/2015 04:36 PM, Natxo Asenjo wrote: hi, earlier today I was reading a post about the new freeipa version on my mobile device and got plenty of warnings about an invalid certificate. On a fedora laptop no warnings, but this is the problem: $ curl -LIv https://www.freeipa.org * Rebuilt

Re: [Freeipa-users] FreeIPA Server Won't Start Up After ipactl restart

2015-07-24 Thread Martin Kosek
On 07/14/2015 02:47 PM, Sina Owolabi wrote: Hi Please, I would really need some help in troubleshooting one of my domain servers on which I restarted the IPA services. It's a CentOS 7.1 server running ipa-4.1.0 [root@dc01 ~]# ipactl start Existing service file detected! Assuming stale, cleaning

Re: [Freeipa-users] OTP vs sudo

2015-07-24 Thread Martin Kosek
On 07/16/2015 06:58 PM, Bendl, Kurt wrote: I'm planning our implementation of IdM/IPA, and I'm unclear about how I can implement IPA's OTP for privileged access. I need to be able to set up systems so: * accounts can auth using traditional userid/password * privileged access (sudo)

Re: [Freeipa-users] dnssec support in 4.1

2015-07-24 Thread Martin Kosek
On 07/22/2015 03:52 PM, Andrew E. Bruno wrote: On Wed, Jul 22, 2015 at 04:48:33PM +0300, Alexander Bokovoy wrote: On Wed, 22 Jul 2015, Andrew E. Bruno wrote: Apologies if this has been answered before but we're interested in dnssec support in FreeIPA. Running Centos 7.1.1503, ipa-server

Re: [Freeipa-users] sendmail.schema

2015-07-10 Thread Martin Kosek
On 07/09/2015 11:09 AM, Rudolf Gabler wrote: Hi, we are dealing with a huge number of mail aliases which are not purely user aliases but distribution-lists, actions on distribution-list and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment),

Re: [Freeipa-users] services-based authentication

2015-07-10 Thread Martin Kosek
On 07/08/2015 10:11 AM, ilaria cianci wrote: Hi All, I am a new user and I have a question about FreeIPA authentication methods. Can FreeIPA select different auth methods (i.e. otp, password, etc) for the same user based on the service he wants to access? I mean using this user should use

Re: [Freeipa-users] Multiple CA certificates

2015-07-10 Thread Martin Kosek
On 07/09/2015 01:25 PM, Joseph, Matthew (EXP) wrote: Hello, We are currently in the process of replacing our IdM 3.x server with 4.x. There are going to be some major directory changes during the upgrade so I need to keep both the old and new IdM servers up and running separately. This

Re: [Freeipa-users] KRA? 4.2?

2015-07-10 Thread Martin Kosek
On 07/10/2015 02:56 AM, Janelle wrote: Hello, I see 4.2 is released today with lots of cool new features. I think I understand the new Vault, but am not familiar with KRA? Wondering if there might be some information on what this is? ~Janelle KRA (or DRM) is the Dogtag subsystem we use for

Re: [Freeipa-users] IPA Replication Questions

2015-07-08 Thread Martin Kosek
RHEL guide has https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-topology.html#repl-tools Does that help? On 07/07/2015 03:06 PM, John Stein wrote: Thanks for the reply. Maybe this should be added to

Re: [Freeipa-users] Userpassword randomly not working anymore.

2015-07-07 Thread Martin Kosek
On 07/05/2015 01:08 AM, Matt . wrote: Hi Guys, I created a bug which has had no response yet for a week, so I thought to ask the mailing list if someone has seen this behaviour. Hi Matt, Sorry for the delay in the answer in Bugzilla, most of the team is now very busy with FreeIPA 4.2

Re: [Freeipa-users] What is the recommended way to create an Administrator account through the web ui?

2015-07-07 Thread Martin Kosek
On 07/03/2015 05:45 PM, nat...@nathanpeters.com wrote: I have been trying to create accounts in FreeIPA that have the same level of permission as the built-in administrator account. Basically, I want to do the equivalent of what you can do in Active Directory by adding someone to the Domain

Re: [Freeipa-users] Question for AD trust and Webservices

2015-06-17 Thread Martin Kosek
On 06/15/2015 02:19 PM, Henry Hofmann wrote: Hi, I have a question about using IPA (v.4) with an AD (2012) Trust. Is it possible to login with a user from the Active Directory Domain to a Web-Service (like redmine) which is configured to the IPA LDAP? I have understood this by reading this

Re: [Freeipa-users] Is something.local hostname possible

2015-06-15 Thread Martin Kosek
On 06/12/2015 05:40 PM, James Benson wrote: Hi all, I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions? Thanks James What do you mean

Re: [Freeipa-users] IPA very very slow

2015-06-12 Thread Martin Kosek
Hi List, This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between

Re: [Freeipa-users] Specific rights needed to enroll a new host

2015-06-12 Thread Martin Kosek
On 06/12/2015 01:30 AM, Christopher Young wrote: I'm trying to develop a process in Ansible to enroll new hosts (as well as check beforehand to see if the host is already enrolled). I was wondering a couple of things: #1. Has anyone else worked out a process for doing this using a non 'admin'

Re: [Freeipa-users] IPA very very slow

2015-06-12 Thread Martin Kosek
0m0.073s user0m0.012s sys 0m0.006s time kinit kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials real0m27.049s user0m0.013s sys 0m0.004s ^^^ has been something I have been seeing intermittently On 6/12/15 12:11 AM, Martin Kosek wrote: Hi List

Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

2015-06-10 Thread Martin Kosek
, Záhony utca 7, Budapest, Hungary, H-1031 Cell: +36704258964 From: Martin Kosek mko...@redhat.com To: Christopher Lamb christopher.l...@ch.ibm.com, freeipa-users@redhat.com Sent: Wednesday, June 10, 2015 9:22:03 AM Subject: Re: [Freeipa-users] LDAP authentication for JIRA using FreeIPA

Re: [Freeipa-users] migrating 3.0 - 4.1: passwords not migrated?

2015-06-10 Thread Martin Kosek
On 06/10/2015 03:18 PM, Tamas Papp wrote: hi, Currently there are CentOS 6.5 servers and IPA 3.0. The goal is migrating users to CentOS 7.1 and IPA 4.1. This is the command I use: $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo

Re: [Freeipa-users] migrating 3.0 - 4.1: passwords not migrated?

2015-06-10 Thread Martin Kosek
On 06/10/2015 03:32 PM, Christopher Lamb wrote: Hi Tamas I think the general advice is to replicate rather than to migrate. I am sure Martin K will jump in on this. Yes :-) However some weeks ago, when doing a very similar move to yours, we chose to migrate (we were misled by some very

Re: [Freeipa-users] Is It OK to mix RHEL7 and CentOS 7 IPA domain servers?

2015-06-08 Thread Martin Kosek
On 06/05/2015 03:16 PM, Sina Owolabi wrote: Hi Due to our subscriptions running out, OT: time to renew! :-) I'm forced to have to use CentOS7 in our domain as IPA replica servers to join our existing RHEL7 server. Is this OK, or are there any issues I should be aware of? Thanks in

Re: [Freeipa-users] Successful Install on VB...

2015-06-08 Thread Martin Kosek
JFTR, this is the respective section in the guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ports It should have those ports covered as well. On 06/05/2015 11:49 PM, Janelle

Re: [Freeipa-users] Could not update DNSSSHFP records when joining domain

2015-06-05 Thread Martin Kosek
On 06/05/2015 12:27 AM, nat...@nathanpeters.com wrote: I am running FreeIPA 4.1.3 on CentOS7. I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42. The client hostname is ipaclient.login.mydomain.net. The FreeIPA domain is mydomain.net. This post here :

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 --Solved

2015-06-05 Thread Martin Kosek
#Cannot_authenticate_on_client Cheers Chris From: Martin Kosek mko...@redhat.com To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com Cc: Jakub Hrozek jhro...@redhat.com, Rob Crittenden rcrit...@redhat.com Date: 03.06.2015 10:39 Subject

Re: [Freeipa-users] Sudo hangs after reenrollment of some servers in fresh IPA domain

2015-06-04 Thread Martin Kosek
On 06/04/2015 05:06 PM, Cory Carlton wrote: I would check for DNS resolution from the machine executing the sudo, to the IPA server. I would also suggest cleaning SSSD caches, since you reinstalled against the same domain, but actually different server (/var/lib/sss/db/) On Thu, Jun 4, 2015

Re: [Freeipa-users] IPA Error 4301: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

2015-06-03 Thread Martin Kosek
On 06/02/2015 10:10 PM, Chris Tobey wrote: Hi everyone, This is my first time posting here - please be gentle. Ok :-) I currently have ~40 CentOS 6.6 servers authenticating against my FreeIPA server running on another CentOS 6.6 server. (ipa-server-3.0.0-42.el6.centos.x86_64 and

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 --Not Solved

2015-06-03 Thread Martin Kosek
, Martin, Alexander et al for their help and suggestions so far. Chris Thanks for the background. The pain you are getting is exactly the reason why migration via replication to RHEL-7.1 is a better choice :-) Please let us know the result, I am curious how this works out. From: Martin

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On Wed, Jun 3, 2015 at 10:05 AM, bahan w bahanw042...@gmail.com wrote: Hello Martin. Unfortunately for me, I cannot migrate OS so I need to make it work with RHEL 6.4. :-( Best regards. On 3 June 2015 09:39, Martin Kosek mko...@redhat.com wrote: On 06/02/2015 06:27 PM, bahan w wrote

Re: [Freeipa-users] ipa-client-install remove the passwordless connection with root

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:27 PM, bahan w wrote: Hello ! I send you this mail because I have a problem linked with SSH and FreeIPA. I have multiple servers : - One with FreeIPA server 3.0.0-26 - The others with FreeIPA client 3.0.0-26 They are running on RHEL 6.4. I configured a root user on

Re: [Freeipa-users] Fw: ssh problem with migrated FreeIPA client on EL7.1 --Not Solved

2015-06-03 Thread Martin Kosek
On 06/02/2015 06:15 PM, Christopher Lamb wrote: Hi Earlier today I setup 2 throwaway EL7.1 VMs to help narrow down the cause of this problem. Let's call them HOST09 and HOST10 Both are minimum installs of EL7.1, with NTPD installed and configured. HOST09 had ipa-client 4.1 installed

Re: [Freeipa-users] vSphere and freeIPA

2015-06-02 Thread Martin Kosek
On 05/29/2015 01:59 PM, s...@zy.io wrote: Afternoon, I'm currently attempting to set up an existing vsphere environment to use freeipa 4.1.0 for authentication, following this guide: http://www.freeipa.org/page/HowTo/vsphere5_integration I've followed it all through, and for the purposes for

Re: [Freeipa-users] password expiration

2015-06-02 Thread Martin Kosek
On 06/01/2015 07:50 PM, Tamas Papp wrote: hi All, I'm stuck: $ kinit admin Password for admin@CXCLIENTS: kinit: Password incorrect while getting initial credentials [root@ipa-clients1 ~]$ kinit admin Password for admin@CXCLIENTS: Password expired. You must change it now. Enter new password:

Re: [Freeipa-users] how to delete duplicate?

2015-06-02 Thread Martin Kosek
On 06/02/2015 03:11 AM, Janelle wrote: I have a duplicate user. Same exact name, but different UID's. But there does not seem to be a way to do ipa user-del on anything other than username, which ends up returning: # ipa user-del another_username ipa: ERROR: The search criteria was not

Re: [Freeipa-users] password expiration

2015-06-02 Thread Martin Kosek
, Záhony utca 7, Budapest, Hungary, H-1031 Cell: +36704258964 --- *From: *Martin Kosek mko...@redhat.com *To: *Tamas Papp tom...@martos.bme.hu, freeipa-users@redhat.com *Sent: *Tuesday, June 2, 2015 9:54:43 AM *Subject: *Re

Re: [Freeipa-users] password expiration

2015-06-02 Thread Martin Kosek
On 06/02/2015 11:42 AM, Tamas Papp wrote: On 06/02/2015 10:35 AM, Martin Kosek wrote: You would need to do the modifications as Directory Manager or other user in adminsgroup. To resolve this, you would need to manually fix the admin entry attribute krbPasswordExpiration to some future date

Re: [Freeipa-users] Single mail deployment in an FreeIPA-WindowsAD scenario.

2015-05-29 Thread Martin Kosek
Kosek wrote: On 05/27/2015 10:08 AM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Martin Kosek wrote: On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email

Re: [Freeipa-users] SEC_ERROR_LEGACY_DATABASE

2015-05-29 Thread Martin Kosek
On 05/29/2015 01:27 AM, David Lin wrote: Hi, When I try to add multiple hosts, on the web UI, when I go to the host tab, I get Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. What does this mean? That's strange. CCIng

Re: [Freeipa-users] dirsrv keytab revoked

2015-05-29 Thread Martin Kosek
On 05/29/2015 07:48 AM, Christoph Kaminski wrote: Hi I have had defect entries in ldap for a replica and deleted them. But now the dirsrv keytab (/etc/dirsrv/ds.keytab) doesn't work anymore (revoked). The replica starts but it can't connect to other replicas (but other replicas can connect to it).

Re: [Freeipa-users] inserting users via java

2015-05-29 Thread Martin Kosek
On 05/28/2015 11:00 PM, Timothy Worman wrote: On May 28, 2015, at 12:26 PM, Martin Kosek mko...@redhat.com wrote: On 05/28/2015 07:10 PM, Timothy Worman wrote: On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11

Re: [Freeipa-users] inserting users via java

2015-05-28 Thread Martin Kosek
On 05/28/2015 07:10 PM, Timothy Worman wrote: On Mar 26, 2015, at 3:08 PM, Dmitri Pal d...@redhat.com wrote: On 03/26/2015 03:19 PM, Timothy Worman wrote: On Mar 26, 2015, at 11:42 AM, Martin Kosek mko...@redhat.com wrote: On 03/26/2015 07:37 PM, Timothy Worman wrote: Thanks everyone

Re: [Freeipa-users] question about password migration from ldap

2015-05-28 Thread Martin Kosek
On 05/28/2015 11:47 AM, David Lin wrote: Hi, I am trying to migrate from openldap to freeipa. Everything seems to be working except the password. I understand that when migrating from openldap, the hashed form of the passwords is migrated, but a Kerberos hash is not generated until the

Re: [Freeipa-users] Single mail deployment in an FreeIPA-WindowsAD scenario.

2015-05-27 Thread Martin Kosek
On 05/27/2015 10:08 AM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Martin Kosek wrote: On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment it is a groupware in this scenario Kolab, kolab use 389 ad as main backend and it require some kolab ldap specific

Re: [Freeipa-users] FreeIPA 3.3.3 backup and restore

2015-05-27 Thread Martin Kosek
On 05/27/2015 04:14 AM, Thomas Lau wrote: Hi All, I was reading this page but seems very confusing: https://www.freeipa.org/page/V3/Backup_and_Restore#Data_Backup_.26_Restore_Process_.28online.29 We also have this: https://www.freeipa.org/page/Backup_and_Restore ipa-backup and ipa-restore

Re: [Freeipa-users] FreeIPA 3.3.3 backup and restore

2015-05-27 Thread Martin Kosek
Ok. If you upgrade to CentOS 7.1/FreeIPA 4.1+, you will have the command available. On 05/27/2015 12:16 PM, Thomas Lau wrote: CentOS Linux release 7.0.1406 (Core) - this is the version we are using now. On Wed, May 27, 2015 at 5:54 PM, Martin Kosek mko...@redhat.com wrote: On 05/27/2015

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-27 Thread Martin Kosek
On 05/27/2015 08:04 AM, Lukas Slebodnik wrote: On (25/05/15 10:00), Bob Hinton wrote: Hi Martin, Yes. This fixes the problem on a newly recreated ipamaster - it didn't work on the one I'd been playing around with. So the complete rebuild sequence was... 1) On old ipamaster VM ipa004 (did

Re: [Freeipa-users] Single mail deployment in an FreeIPA-WindowsAD scenario.

2015-05-27 Thread Martin Kosek
On 05/26/2015 07:36 PM, Carlos Raúl Laguna wrote: Hello Martin, The email deployment it is a groupware in this scenario Kolab, kolab use 389 ad as main backend and it require some kolab ldap specific attribute to work properly, this is not a problem in fact is quite easy to use freeipa as

Re: [Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

2015-05-26 Thread Martin Kosek
On 05/25/2015 05:46 PM, Sina Owolabi wrote: Hi! Please how do I restore data to a freshly reinstalled IPA server from an existing CA-less replica that has had replication agreements removed? By restore, you mean actually migrate? We have a pending RFE for this:

Re: [Freeipa-users] Restore deleted RBAC Rules?

2015-05-26 Thread Martin Kosek
On 05/25/2015 04:27 PM, Striker Leggette wrote: Is it possible to restore deleted RBAC rules that were deleted from Permissions and Privileges? Hello Striker, Only if you did a data backup. I do not know about another way... More information and ideas about Backup and Restore in FreeIPA:

Re: [Freeipa-users] Single mail deployment in an FreeIPA-WindowsAD scenario.

2015-05-26 Thread Martin Kosek
On 05/26/2015 12:21 AM, Carlos Raúl Laguna wrote: Any ideas how to overcome this? Winsync may be a better approach for us instead of cross-trust. Regards 2015-05-25 13:06 GMT-04:00 Carlos Raúl Laguna carlosla1...@gmail.com mailto:carlosla1...@gmail.com: How I can use a single backend for a

Re: [Freeipa-users] Haunted servers?

2015-05-26 Thread Martin Kosek
On 05/26/2015 12:20 AM, Janelle wrote: On 5/24/15 3:12 AM, Janelle wrote: And just like that, my haunted servers have all returned. I am going to just put a gun to my head and be done with it. :-( Why do things run perfectly and then suddenly ??? Logs show little to nothing, mostly because the

Re: [Freeipa-users] passwords

2015-05-25 Thread Martin Kosek
On 05/23/2015 10:21 PM, Janelle wrote: I have a question regarding passwords. It seems IPA does a very nice job of generating random passwords. Thanks! Is there a way to use that feature without actually setting it on a user? Something akin to pwgen? Thank you ~Janelle There is no

Re: [Freeipa-users] Freeipa Replicate hung

2015-05-25 Thread Martin Kosek
On 05/25/2015 12:45 AM, Bill Graboyes wrote: Hi List, I have been digging around on this system that hung for the past hour or two trying to figure out why dirserv seemed to be hung. It was not using resources, nor was there any information in any of the log files (dirserv, sssd, etc), it

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-25 Thread Martin Kosek
On 05/23/2015 01:51 PM, Bob Hinton wrote: Hello, I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM then using ipa-restore on the rebuilt master. Most functions of the newly built master work. Logging-in via ssh with keys works but

Re: [Freeipa-users] ipa-backup and ipa-restore

2015-05-25 Thread Martin Kosek
start sssd Many thanks Bob On 25/05/2015 07:10, Martin Kosek wrote: On 05/23/2015 01:51 PM, Bob Hinton wrote: Hello, I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM then using ipa-restore on the rebuilt master. Most functions

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using mydomain.co.id then I have another 10 instance/servers using mydomain.com, I want to manage both of them on same

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:38 PM, Dewangga Bachrul Alam wrote: Hello! On 05/20/2015 05:30 PM, Martin Kosek wrote: On 05/20/2015 11:54 AM, Dewangga Bachrul Alam wrote: Hello! I've tried to setup my IPA server to work on multiple domain env, for the example, I have 20 instance/servers using

Re: [Freeipa-users] Configure IPA Server work with Multiple domain Env

2015-05-20 Thread Martin Kosek
On 05/20/2015 12:56 PM, Dewangga Bachrul Alam wrote: Thanks Martin, Better I leave the configuration as is :D So, If I want to add another domain, I just add and point them to master IPA Server, right? Right, after FreeIPA 3.2 (https://fedorahosted.org/freeipa/ticket/3544), dnszone-add

Re: [Freeipa-users] confused by ldapsearch results

2015-05-20 Thread Martin Kosek
On 05/20/2015 04:01 PM, Boyce, George Robert. (GSFC-762.0)[NICS] wrote: This worked for me: $ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=cm (|(uid=admin)(name=admin)) dn SASL/GSSAPI authentication started SASL username: ad...@example.com SASL SSF: 56 SASL data

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-19 Thread Martin Kosek
? No, I do not see a problem with this setup. Clients will just simply use the capabilities they can do. We still tend to backport client features to RHEL-6.x, so it keeps getting the selected functionality (server does not). On 05/19/2015 08:14 PM, Martin Kosek wrote: On 05/19/2015 10:53 AM

Re: [Freeipa-users] certmonger + dogtag, bad parsing of returned certificate

2015-05-19 Thread Martin Kosek
On 05/19/2015 12:34 PM, marcin kowalski wrote: Hi, all. I am trying to integrate certmonger with dogtag instance, and so far i've stumbled on one odd problem. Hopefully this is the right list. I've generated some random cert with getcert request, it has communicated with dogtag, and i

Re: [Freeipa-users] RedHat IDM Replica runs only dirsrv, kinit and getent fail after reboot

2015-05-18 Thread Martin Kosek
servers. Most directions are specific here http://www.freeipa.org/page/Troubleshooting We need to know first what specific error you are dealing with right now, to point you to right direction. Martin On Mon, May 18, 2015 at 10:15 AM, Martin Kosek mko...@redhat.com wrote: On 05/16/2015 12:19 PM

Re: [Freeipa-users] trusted user groups

2015-05-18 Thread Martin Kosek
On 05/18/2015 04:50 PM, Andy Thompson wrote: -Original Message- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: Monday, May 18, 2015 10:33 AM To: Andy Thompson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] trusted user groups On (18/05/15 13:55), Andy Thompson

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Martin Kosek
. Martin On May 18, 2015, at 4:10 PM, Martin Kosek mko...@redhat.com wrote: On 05/15/2015 01:33 PM, Brian Topping wrote: In the (apparently) first message to the list in 2014, https://www.redhat.com/archives/freeipa-users/2014-January/msg0.html https://www.redhat.com/archives/freeipa

Re: [Freeipa-users] replication again :-(

2015-05-18 Thread Martin Kosek
On 05/19/2015 03:23 AM, Janelle wrote: Once again, replication/sync has been lost. I really wish the product was more stable, it has so much potential and yet. Servers running for 6 days, no issues. No new accounts or changes (maybe a few users changing passwords) and again, 5 out of 16 servers

Re: [Freeipa-users] Reinstall ipa client, problem with old CA

2015-05-18 Thread Martin Kosek
On 05/19/2015 04:04 AM, Dewangga Bachrul Alam wrote: Hello! I'm trying to reinstall the ipa client, but have a problem with the old/existing ca.crt in `/etc/ipa/ca.crt`. Should I remove it manually? Since the IPA server is still in development and always reinstalled, I need to reproduce any possible

Re: [Freeipa-users] RedHat IDM Replica runs ony dirsrv, kinit and getent fail after reboot

2015-05-18 Thread Martin Kosek
On 05/16/2015 12:19 PM, Sina Owolabi wrote: Please help me. I am in dire straits, this is the linchpin of our network and we are suffering. I am sorry for the delay in answering, but not many people here show up on the weekend. Comments below. On Sat, May 16, 2015 at 6:00 AM, Sina Owolabi

Re: [Freeipa-users] Securing IPA Redux

2015-05-18 Thread Martin Kosek
On 05/15/2015 01:33 PM, Brian Topping wrote: In the (apparently) first message to the list in 2014, https://www.redhat.com/archives/freeipa-users/2014-January/msg0.html https://www.redhat.com/archives/freeipa-users/2014-January/msg0.html addressed questions about securing IPA and I

Re: [Freeipa-users] 4.1.4 and OTP

2015-05-18 Thread Martin Kosek
On 05/18/2015 01:49 AM, Janelle wrote: On 4/28/15 6:44 AM, Nathaniel McCallum wrote: On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote: On 4/17/15 5:59 PM, Dmitri Pal wrote: On 04/17/2015 08:07 PM, Janelle wrote: On Apr 17, 2015, at 16:36, Dmitri Pal d...@redhat.com wrote: snip for

Re: [Freeipa-users] Old FreeIPA upstream guides removed (WAS: Re: Web UI: Migrated Admins missing action buttons)

2015-05-15 Thread Martin Kosek
On 04/27/2015 04:15 PM, Simo Sorce wrote: On Mon, 2015-04-27 at 12:51 +0200, Martin Kosek wrote: On 04/26/2015 08:23 AM, Alexander Bokovoy wrote: - Original Message - Hi Rob and Dimitri Migrating via Replica is the obvious way that I would have gone, had the FreeIPA /RedHat

Re: [Freeipa-users] using pathlen:0 for freeipa's CA certificate?

2015-05-15 Thread Martin Kosek
On 05/15/2015 09:22 AM, Fraser Tweedale wrote: On Fri, May 15, 2015 at 07:59:27AM +0200, Jan Cholasta wrote: Hi, Dne 5.5.2015 v 10:43 Martin Kosek napsal(a): On 05/04/2015 01:19 PM, Harald Dunkel wrote: Hi folks, Instead of a self-signed certificate I would like to use an external CA

Re: [Freeipa-users] Replication Update in progress : FALSE LDAP ERROR

2015-05-14 Thread Martin Kosek
On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote: I have tried to setup synchronization between a FreeIPA domain and an AD domain. The certificates are in the right place. [root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn cn=sync

Re: [Freeipa-users] AD Trust LDAP Compat mode w/ RHEL5/AIX

2015-05-13 Thread Martin Kosek
On 05/12/2015 10:48 PM, Gould, Joshua wrote: Hopefully I'm missing something simple. For an IPA user: $ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com This returns a match. For an AD user: $ ldapsearch -x

Re: [Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

2015-05-12 Thread Martin Kosek
On 05/11/2015 05:14 PM, Thibaut Pouzet wrote: Hi ! I am running into a weird problem with my IPA Server, and the certificates management. My setup is : CentOS 6.6 pki-ca-9.0.3-38.el6_6.noarch ipa-server-3.0.0-42.el6.centos.x86_64 Linux ipa_server 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr

Re: [Freeipa-users] Revocation of Issuing CA certificates

2015-05-06 Thread Martin Kosek
On 05/06/2015 08:24 AM, Kamal Perera wrote: Dear All, How is the revocation of issuing CA certificates handled? We are using OCSP responders for revocation checking of certificates issued by the Issuing CAs. So do we have to set up another OCSP or CRL distribution point to let the

Re: [Freeipa-users] IPA RUV unable to decode

2015-05-06 Thread Martin Kosek
On 05/05/2015 04:49 PM, Mark Reynolds wrote: On 05/05/2015 07:49 AM, Ludwig Krispenz wrote: On 05/05/2015 01:27 PM, Martin Kosek wrote: On 05/05/2015 12:38 PM, Vaclav Adamec wrote: Hi, I tried migrate to newest version IPA, but result is quite unstable and removing old replicas ends

Re: [Freeipa-users] Known issues with IPA on VM?

2015-05-06 Thread Martin Kosek
On 05/06/2015 07:48 AM, Christoph Kaminski wrote: Hi, we have some undefinable problems here with IPA inside a VM (rhev/kvm). We often have zombie processes (defunct) with certmonger and dirsrv and segfaults (dmesg)... We have 8 IPA servers, 4 hardware and 4 VMs with the same Install
