Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

I have tested this but the hosts don't get an enrolled status. I have tried _kerberos TXT "MYREAL.DOMAIN.TLD" and without the quotes. I can't see any logging about it. Any idea ? Thanks! Matt 2017-04-04 20:50 GMT+02:00 Matt . <yamakasi@gmail.com>: > Hi Alexander, >

Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

useraccess on systems. 2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> Nope, I provision my servers and they are added to my FreeIPA >> environment which auths my systeadmins. But on a server I provisioned >> I need to install FreeIPA as

Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

he network at all but I think it's nice when I don't have to maintain my local users there to login to the box for maintenance so I thought it would be nice when SSSD checked my default IPA-environment server for that. 2017-04-07 23:24 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: > Matt

Re: [Freeipa-users] IPA Ldap only as Client on different IPA server

and the clientconfig for sssd is not there anymore because of the 'ipa-client-install --uninstall' 2017-04-07 23:11 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> When I have a full ipa setup and I want to add a host to it that is >> installed or needs t

[Freeipa-users] IPA Ldap only as Client on different IPA server

faster the IPA LDAP only server is installed ? Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

Hi Alexander, Superb, thanks a lot for this quick fix! Matt 2017-04-04 20:48 GMT+02:00 Alexander Bokovoy <aboko...@redhat.com>: > On ti, 04 huhti 2017, Matt . wrote: >> >> Hi guys, >> >> Is it possible to create in a simple way the SRV domains for kerberos >

[Freeipa-users] Auto create kerberos/ldap SRV records on subdomain

Hi guys, Is it possible to create in a simple way the SRV domains for kerberos on subdomains ? it's a pain to add them all manually when you have a lot of subdomains. I hope someone has a solution. Thanks! Matt -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Hi Rob, I have this solved, I think it was an issue in the foreman-proxy. The reason why there are two users in the role was to test other usernames, as you cannot use foreman-proxy for this for an example. I need to update the Foreman ticket about it. Thanks for helping out. Cheers, Matt

Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Hi Rob, Thanks for the update, the same error happens when I add a new host, so I'm lost, the same for the Foreman devs. What can I check/test further ? Thanks, Matt 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> Hi Rob, >> >> T

Re: [Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Hi Rob, Thanks, but what do you mean here ? The Foreman has a script which should be OK for it: https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm Can you check this maybe ? Thanks, Matt 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

ule type: permission Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld Type: host Permission flags: V2, MANAGED, SYSTEM Number of entries returned 3 Can anyone help me out as I'm unsure where this goes wrong.

Re: [Freeipa-users] IPA 4.4 CA Replications

IPA CA renewal master: server1.lci.devdomain.com On Thu, Mar 2, 2017 at 12:39 AM Martin Basti <mba...@redhat.com> wrote: > > > On 01.03.2017 22:00, Matt Wells wrote: > > I have two new IPA 4.4 servers on CentOS7 installed in a lab. I built the > first, joined

[Freeipa-users] IPA 4.4 CA Replications

I have two new IPA 4.4 servers on CentOS7 installed in a lab. I built the first, joined the second and promoted it to be a master. Thus far all went well. I then ran the ipa-ca-install and when I log back in I see that it has "domain,CA" attached to it. However when I hit the main IPA page it

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi Flo, Yes it does! Thanks for that. Is it not possible to remove a certificate fully as it always syncs this way ? Or remove it from /etc/httpd/alias, then from ldap and then sync again ? Cheers, Matt 2017-02-21 9:03 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: > On 02/20/2017

Re: [Freeipa-users] sysaccounts max length

Oh sorry, I thought I did, must have been some conceptmail then :) 2017-02-20 21:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> Hi All, >> >> Yes as I stated I see software, multiple, having issues with usernames >> larger then 28 chara

Re: [Freeipa-users] sysaccounts max length

Hi All, Yes as I stated I see software, multiple, having issues with usernames larger then 28 characters. Cheers, Matt 2017-02-20 15:53 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > David Kupka wrote: >> On Sat, Feb 18, 2017 at 03:06:21PM +0100, Matt . wrote: >>&g

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi Rob, Yes it does, I understood that there was some reason the duplicate might exist, but I wonder more why does the RootCA show up when I removed it and comes back after adding the two intermediates ? Thanks Matt 2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi, The install seems to be OK this way, but I'm still confused about the duplicated and the RootCA. Cheers, Matt 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi@gmail.com>: > Hi Florance, > > > I'm actually stil investigating this as the following occurs. > > I have re

[Freeipa-users] sysaccounts max length

Hi Guys, Does anyone know what the max length is for a sysaccount username is ? Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi Flo, Sure I can, I will look through the steps closely tomorrow and will create some lineup here. Cheers, Matt 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: > On 02/16/2017 09:55 PM, Matt . wrote: >> >> Hi Flo! (if I may call you like that,

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi Flo! (if I may call you like that, saves some characters in typing but with this extra line it doesn't anymore :)) This works perfectly, thank you very much. No questions further actually :) Cheers, Matt 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <f...@redhat.com>: > On 02/1

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi, Is there any update on this ? I need to install 3 other instances but I would like to know upfront if it might be a bug. Thanks, Matt 2017-02-14 17:59 GMT+01:00 Matt . <yamakasi@gmail.com>: > Hi Florance, > > Sure I can, here you go: > > Fedora 24 > Freeipa VER

Re: [Freeipa-users] Cannot install 3rd party certificate

Certs are valid, I will check what you mentioned. I'm also no fan of bundles, more the seperate files but this doesn't seem to work always. At least for the CAroot a bundle was required. Matt 2017-02-14 14:51 GMT+01:00 Sullivan, Daniel [CRI] <dsulliv...@bsd.uchicago.edu>: > Have you

Re: [Freeipa-users] Cannot install 3rd party certificate

Hi Dan, Ues i have tried that and I get the message that it misses the full chain for the certificate. My issue is more, why is the Server-Cert being removed on a certupdate ? Cheers, Matt 2017-02-14 2:18 GMT+01:00 Sullivan, Daniel [CRI] <dsulliv...@bsd.uchicago.edu>: > Is

[Freeipa-users] Cannot install 3rd party certificate

Directory Manager password: Enter private key unlock password: list index out of range The ipa-server-certinstall command failed. If I do a #ipa-certupdate the Server-Cert is removed from /etc/httpd/alias and the install fails because of this. What can I do to solve this ? Thanks, Matt -- Manage

[Freeipa-users] User with rights for only adding hosts

Hi, Is it possible to create a user that can/is allowed (to) only add hosts using the ipa-client-install ? Would be nice to know. Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org

[Freeipa-users] Sync (some) users between IPA servers

synced users so they can login on both environments (servers). Would there be some way to accomplish this ? Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how to make email as mandatory field before user creation

Doesn't get the user a default mailaddress when you add him under the REALM domain ? 2017-01-02 17:50 GMT+01:00 Petr Vobornik : > On 01/02/2017 05:00 PM, nirajkumar.si...@accenture.com wrote: >> Hi Team, >> >> Is there any way to make email as mandatory field before creating

Re: [Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

and fine. I also had some weird DNS error and bind didn't want to start anymore because of expecting a ; I thought this had something todo with a forwarder which wasn't. For now I'm good, but do you want extra info ? Thanks, Matt 2016-10-18 7:49 GMT+02:00 Martin Babinsky <mbabi...@redhat.

[Freeipa-users] Upgrade 4.4.2-1.fc24 security library failure.

Hi Guys, I'm having a failure on my upgrade for 4.4.2-1 on Fedora 24 I already checked some info and: ldapsearch -Y GSSAPI -b cn=CAcert,cn=ipa,cn=etc,$SUFFIX Gives me TU instead of MII as expected. Any suggestions further ? Thanks, Matt 2016-10-17T22:19:10Z DEBUG Starting external process

Re: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-caCTu,Cu,Cu COMODORSAAddTrustCA C,C,C I hope this helps. Cheers, Matt 2016-10-01 17:04 GMT+02:00 Matt . <yamak

[Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user

TED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) What can cause this ? I'm on FreeIPA, version: 4.4.1 I hope we can sort this out. Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeip

[Freeipa-users] cleanallruv - no replica's :(

Hey all I hoped anyone may be able to assist. I had 2 dead replica's and use the cleanallruv.pl as they refused to leave otherwise. ` /usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=mosaic451,dc=com' -r 17 ` 17 being the bad guy. Well it ran `woohoo` but deleted all of my

[Freeipa-users] FreeIPA as CA for your own internal webservices

and that works, FreeIPA itself is now trusted. But how to do this for other webservices no matter what software I use ? I hope someone can give me direction here. Thanks! Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go

[Freeipa-users] Two Factor auth and Windows desktop

Hi all! I had a question about something that I'm sure has been covered. I promise that I'm trying to find those articles but thus far I've found some pieces but nothing 100%; however I'm still looking. I have two networks - ad.example.com ( active directory ) - linux.example.com ( IPA )

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

And then allow the ip of the ipa server for update or tranfser on the slave ? Because I don't see anything coming in. 2016-08-23 12:47 GMT+02:00 Petr Spacek <pspa...@redhat.com>: > On 23.8.2016 12:43, Matt . wrote: >> OK, but what kind of records are you talking about then ? &

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

OK, but what kind of records are you talking about then ? 2016-08-23 12:25 GMT+02:00 Petr Spacek <pspa...@redhat.com>: > On 23.8.2016 09:07, Martin Basti wrote: >> >> >> On 23.08.2016 02:08, Matt . wrote: >>> Hi Guys, >>> >>> What is the wa

[Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

Hi Guys, What is the way to notify or update a Bind slave which is not an IPA server ? Do I need to manuallu add an also-notify to the /etc/bind.conf on the IPA master or is there a different way how to accomplish this ? I hope this is possible and anyone can explain me how. Thanks! Matt

[Freeipa-users] Active directory integration with FreeIPA domain

through a Forest Trust. FWIW, I'm using CentOS 7 with FreeIPA 4 (tried Ubuntu 16.04, but couldn't get Trust established at all) and Server 2012 for AD. I also can't see anyone else doing it this way round... is what I'm trying to do impossible? Thanks in advanced for any help Thanks Matt -- Manage

[Freeipa-users] ipa-server-upgrade fails on PKI CentOS 7.2

Hi, I have some issue with the ipa-server-upgrade command where PKI fails. This seems to be a known issue but I'm unsure where to report it as it's fixed in FC https://bugzilla.redhat.com/show_bug.cgi?id=1328522 Does someone have a clue how to get around this ? Thanks! Matt -- Manage your

Re: [Freeipa-users] Users directory Browsing -

, 2016 at 12:37 AM Petr Spacek <pspa...@redhat.com> wrote: > On 8.3.2016 15:29, Matt Wells wrote: > > For my use case it is. Essentially the system will be application auth > for > > separate groups that have no need to know of one another, almost a > > multi-te

Re: [Freeipa-users] Users directory Browsing -

you can read /etc/passwd file > which has info about all users on that box. This doesn't cause issues. > > On 8 March 2016 at 03:03, Matt Wells <matt.we...@mosaic451.com> wrote: > >> Hi all, I had a quick question. I swear I had this before but that could >> be the

[Freeipa-users] Users directory Browsing -

Hi all, I had a quick question. I swear I had this before but that could be the voices telling me it's true A normal user is logging into IPA (4.2.0) and filling in their phone number and info no problem. However when that user clicks on accounts above they are then able to peruse the entire

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

because it just does it that way. 2016-02-18 16:08 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > David Kupka wrote: >> On 17/02/16 10:47, Matt . wrote: >>> Hi David, >>> >>> I have tested your way out and it seems to be OK. >>> >>&g

Re: [Freeipa-users] Split backup actions in stop - backup - start commands

to check that out further. An ipactl start is not needed it seems as the ipa-backup command seems to start ipa at any time again. Do you understand/agree here ? 2016-02-17 8:00 GMT+01:00 David Kupka <dku...@redhat.com>: > On 16/02/16 20:26, Matt . wrote: >> >> Hi, >>

[Freeipa-users] Split backup actions in stop - backup - start commands

Hi, I'm fugiring out if it's possible to strip the ipa start and stop from the backup method and actually do a fullbackup manually started. Any idea ? Thanks! Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http

[Freeipa-users] User Lockout even with special password Policy

way by lots of logins or tries, etc and be able to test it functions allright ? Thanks. Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] User Lockout even with special password Policy

-01-14 16:58 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> OK, nice,but this user failed on kinit but is in the group where the >> policy is set to 0. >> >> Can I check on the commandline if it applies to that setting by >> querying ldap in

Re: [Freeipa-users] User Lockout even with special password Policy

My fault from the maxfail, I was referencing some doc from side_control and mixed it up. For the sysaccount part sounds doable. I will report back for that! thanks a lot! 2016-01-14 19:06 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> OK, this looks good, but

Re: [Freeipa-users] User Lockout even with special password Policy

with too many logins, and this concerns me as they are not POSIX. 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>: > Matt . wrote: >> Hi Guys, >> >> I'm having an issue that a user which I use for the API is getting >> locked out from time to time

Re: [Freeipa-users] Samba Authentication progres

in minutes :) Thanks and have a great new year ! (With MIT!) Matt 2015-12-30 16:38 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>: > On Wed, 30 Dec 2015, Matt . wrote: >> >> Hi John, >> >> With which OS, package version and config ? On Ubuntu 15.10 I'm not >

Re: [Freeipa-users] Samba Authentication progres

Hi John, With which OS, package version and config ? On Ubuntu 15.10 I'm not able it seems. Thanks! 2015-12-30 9:43 GMT+01:00 John Obaterspok <john.obaters...@gmail.com>: > Hi Matt, > > It already works fine to use kerberos ticket to access samba shares. > > -- john > &

[Freeipa-users] Samba Authentication progres

Hi guys, How is the progres on the Samba (Share) Authentication for FreeIpa ? I hope we already have some work around to use the FreeIPA credentials for authing network shares. Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo

[Freeipa-users] IPA Json Selfsigned certificate

Hi guys, I'm testing out some installation and want to update my docs. I'm using a self signed cert and need to talk to the json/api. Which certs do I need to combine for my request, as I need an issuer too. The /etc/ipa/ca.crt combined with an export of the webcert ? Matt -- Manage your

[Freeipa-users] Trust Issues W/ Logins on Windows Desktops

Hi all, I hoped I may glean some brilliance from the group. I have a Freeipa Server sitting atop a Fedora 21 server. The initial plan was to replicate users+passwords with Windows 2012R2 server but following some of the information in the other posts and docs we've moved to a trust. The trust

[Freeipa-users] What todo when a company/domain name should be changed ?

make this more clear as I think this is good knowledge to have upfront anything and any case. Thanks! matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Guys, Please keep this topic updated as many people seem to have this question. What's the status at your side ? Cheers, Matt 2015-09-04 15:27 GMT+02:00 Matt . <yamakasi@gmail.com>: > Hi, > > Does everyone have this working or gived up on it ? > > Chers, > >

Re: [Freeipa-users] AD Trust Issues

Is the fix in CentOS or RHEL yet? On Fri, Sep 11, 2015 at 1:34 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Fri, 11 Sep 2015, Matt Wells wrote: > >> I've been working on an AD trust with our freeipa servers but have run >> into >> some of the same issues

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, Does everyone have this working or gived up on it ? Chers, Matt 2015-08-26 20:07 GMT+02:00 Matt . <yamakasi@gmail.com>: > Chris, > > How far are you on this ? I'm stuck atm :( > > I hope you have some reference notes to follow and check out. > > Thanks! &g

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Chris, How far are you on this ? I'm stuck atm :( I hope you have some reference notes to follow and check out. Thanks! Matt 2015-08-20 22:15 GMT+02:00 Matt . yamakasi@gmail.com: Hi Chris, Would be great to see! If I have it working and we have 2-3 testcases I think we can add

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

HI Guys, Anyone still a working clue/test here ? I didn't came further as it seems there need to be some domain join / match following the freeipa devs. Thanks! Matt 2015-08-13 13:09 GMT+02:00 Matt . yamakasi@gmail.com: Hi, I might have found somthing which I already seen in the logs

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris, Would be great to see! If I have it working and we have 2-3 testcases I think we can add it to the IPA docs! Keep me updated! Thanks Matt 2015-08-20 8:49 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Matt Once I got Samba and FreeIPA integrated (by the good old

[Freeipa-users] Windows users, Samba Shares - FreeIPA

discussion about what's best, What's best ? The ksetup as known on the IPA pages doesn't let me login on Windows 10, so if people can share their working ways for the current version with would be great! Thanks, Matt -- Manage your subscription for the Freeipa-users mailing list: https

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

~]$ smbclient //smb-01.domain.local/shares ... Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD ... SPNEGO login failed: NT_STATUS_WRONG_PASSWORD Maybe I have an issue with encrypted passwords ? When we have this all working, I think we have a howto :D Thanks! Matt 2015-08

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

, Matt 2015-08-13 12:02 GMT+02:00 Matt . yamakasi@gmail.com: Hi Youenn, OK thanks! this takes me a little but futher now and I see some good stuff in my logging. I'm testing on a Windows 10 Machine which is not member of an AD or so, so that might be my issue for now ? When testing

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

DOMAIN\username as username So, the IPA way should work. Any comments here ? Cheers, Matt 2015-08-12 19:00 GMT+02:00 Matt . yamakasi@gmail.com: HI GUys, I'm testing this out and I think I almost setup, this on a CentOS samba server. I'm using the ipa-adtrust way of Youeen but it seems we

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, Yes that is known for SSSD, but there must be another way maybe ? I wonder what the future is there, as it seems there is non when this is not changed I guess. 2015-08-09 9:11 GMT+02:00 Jakub Hrozek jhro...@redhat.com: On Fri, Aug 07, 2015 at 11:49:24PM +0200, Matt . wrote: Hi Alexander

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris, This sounds great! What are you using now, both CentOS ? So Samba and FreeIPA ? Maybe it's good to explain which way you used now in steps too, so we can combine or create multiple howto's ? At least we are going somewhere! Thanks, Matt 2015-08-09 14:54 GMT+02:00 Christopher Lamb

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, Yes I know about anything but which way did you use now ? 2015-08-09 20:56 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi Matt I am on OEL 7.1. - so anything that works on that should be good for RHEL and Centos 7.x I intend to add a how-to to the FreeIPA Wiki over

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Alexander, Yes this is know, but it's not usable yet, at least not on an Ubuntu Samba server as far as I know ? If so, maybe you can help us out here to clear this up how to do it. Thanks! Matt 2015-08-07 23:09 GMT+02:00 Alexander Bokovoy aboko...@redhat.com: On Thu, 06 Aug 2015

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Alexander, Yes I'm on the same path, but for now I would like to get it working on Ubuntu for the time being. Are you sure Ubuntu is no MIT ? We have discusses that some time ago on IRC and it seemed to be that Ubuntu was build against MIT. Cheers, Matt 2015-08-07 23:37 GMT+02:00 Alexander

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris, OK, than we might create two different versions of the wiki, I think this is nice. I'm still figuring out why I get that: IPA Error 4205: ObjectclassViolation missing attribute sambaGroupType required by object class sambaGroupMapping Matt 2015-08-06 16:09 GMT+02:00 Christopher

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, OK, this sounds already quite logical, but I'm still refering to the old howto we found earlier, does that one still apply somewhere or not at all ? Thanks, Matt 2015-08-06 12:23 GMT+02:00 Youenn PIOLET piole...@gmail.com: Hey guys, I'll try to make a tutorial soon, sorry I'm quite

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

name, this is not OK also. We sure need to make some howto, I think we can nail this down :) Thanks for the heads up! Matthijs 2015-08-05 7:51 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi Matt If I use Apache Directory Studio to add an attribute ipaCustomFields to cn

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, This sounds great to me too, but a howto would help to make it more clear about what you have done here. The thread confuses me a little bit. Can you paste your commands so we can test out too and report back ? Thanks! Matt 2015-08-05 15:18 GMT+02:00 Christopher Lamb christopher.l

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

] ../source3/auth/auth.c:288(auth_check_ntlm_password) check_ntlm_password: Authentication for user [username] - [username] FAILED with error NT_STATUS_NO_SUCH_USER I also wonder if I shall still sync the users local, or is it needed ? Thanks again, Matt 2015-08-04 14:16 GMT+02:00 Christopher

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

it manually as an attribute it still fails when I add a user on this sambagrouptype as it's needed by the other attributes So that is my issue I think so far. Any clue about that ? No problem you don't know something or are no guru we are all learning! :) Cheers, Matt 2015-08-04 21:22 GMT+02:00

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, Yes, log is anonymised. It's strange, my user doesn't have a SambaPwdLastSet, also when I change it's password it doesn't get it in ldap. There must be something going wrong I guess. Matt 2015-08-04 17:45 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi Matt I assume

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

In my previous reply, I ment no group.js at all . 2015-08-03 12:17 GMT+02:00 Matt . yamakasi@gmail.com: Hi Chris, Thanks for that verification! It seems that: /usr/share/ipa/ui/group.js Is not there on IPA.4.1, also there is no .js at all on the whole system. Any idea

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Chris, Thanks for that verification! It seems that: /usr/share/ipa/ui/group.js Is not there on IPA.4.1, also there is no .js at all on the whole system. Any idea there ? Thanks again! Matt 2015-08-03 9:53 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi Matt Thankfully I

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

) ? Thanks again! Matt 2015-08-03 13:20 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: HI Matt It looks like I skipped that step ... (And as we already had samba groups in place, did not need to make new ones via the WebUI). However a quick google trawled up this old thread that has

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

are they are sligtly different on 4.1 Thanks! 2015-08-01 19:51 GMT+02:00 Matt . yamakasi@gmail.com: Hi, Yes I found that earlier, that looks good and even better when you confirm this as really usable. For Samba 4 the IPA devs are very busy but I wonder indeed what happends when we need to move

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

way to go for now, even when this thread is such old ? Thanks! Matt 2015-08-01 9:48 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi Matt For a how to of Samba FreeIPA integration using schema extensions, see this previous thread https://www.redhat.com/archives/freeipa-users/2015

[Freeipa-users] Admin password not accepted during replica install

Hi Guys, I'm doing a replica install there my admin password for the SSH check to the master is not accepted. The password is not expired, I can use it on the GUI and even changing it in the GUI doesn't fix this. What can I check ? Cheers, Matt -- Manage your subscription for the Freeipa

Re: [Freeipa-users] Admin password not accepted during replica install

Hi, This didn't fix it yet. I wonder if there are any checks I can do as in the very past I was able to do a simple replica without any issues. Matt 2015-08-01 21:34 GMT+02:00 Janelle janellenicol...@gmail.com: Double check you do not have AllowGroups set in your /etc/ssh/sshd_config file

Re: [Freeipa-users] Admin password not accepted during replica install

kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15 1:05 PM, Matt . wrote: This actually the most important part, and the GSS Failure concerns

Re: [Freeipa-users] Admin password not accepted during replica install

there are no AllowGroups in sshd, it has to be in one of those 2 places. ~J On 8/1/15 1:26 PM, Matt . wrote: kinit admin works perfectly, that is such strange. 2015-08-01 22:15 GMT+02:00 Janelle janellenicol...@gmail.com: lastly -- on the master - do you get the same error if you kinit admin? ~J On 8/1/15

[Freeipa-users] Ubuntu Samba Server Auth against IPA

NTLMSSP authentication. It might not be that easy to have a Samba Shares only server. Any idea here how to accomplish ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi, This is nice to have confirmed. Is it possible for you to descrive what you do ? It might be handy to add this to the IPA documentation also with some explanation why... Cheers, Matt 2015-07-31 16:55 GMT+02:00 Christopher Lamb christopher.l...@ch.ibm.com: Hi We use the Samba extensions

Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

Hi Lucas, Thank you for this reply. In this case it simply should work as it shoul by creating the symlinks, Or are there other issues we might get ? Thanks, Matt 2015-07-31 17:21 GMT+02:00 Lukas Slebodnik lsleb...@redhat.com: On (31/07/15 16:03), Matt . wrote: Hi Guys, I'm really

[Freeipa-users] LDAP to Free IPA Migration SSSD migration : example configuration of sssd.conf file?

is valid 4) Initiate a kerberos password-change to set the kerberos password equal to the LDAP password. Thanks for your help! -Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info

[Freeipa-users] Apache not starting because of cert password issue ?

is incorrect. [Wed Jul 08 22:55:11.742301 2015] [:error] [pid 9243] NSS initialization failed. Certificate database: /etc/httpd/alias. [Wed Jul 08 22:55:11.742350 2015] [:error] [pid 9243] SSL Library Error: -8177 The security password entered is incorrect Cheers, Matt -- Manage your subscription

Re: [Freeipa-users] Apache not starting because of cert password issue ?

Hi, No I'm testing some recovering strategies for the docs, so I need to have that checked. I have emailed Martin Kosek if he can enable the olders repo's again, would be great! Thanks, Matt 2015-07-09 3:23 GMT+02:00 Nigel Sollars nsoll...@gmail.com: Would it not be wise to keep with current

Re: [Freeipa-users] Apache not starting because of cert password issue ?

I now get: [Thu Jul 09 02:50:18.815219 2015] [:error] [pid 16615] Certificate not found: 'Server-Cert' So, it's no good at all :) 2015-07-09 3:27 GMT+02:00 Nigel Sollars nsoll...@gmail.com: Fair enough :) On Wed, Jul 8, 2015 at 9:25 PM, Matt . yamakasi@gmail.com wrote: Hi, No I'm

Re: [Freeipa-users] Apache not starting because of cert password issue ?

to a TLS/SSL issue in this thread, http://www.linuxquestions.org/questions/linux-server-73/centos-5-5-5-6-ssl-problem-874090/ Hope this helps, Regards On Wed, Jul 8, 2015 at 5:04 PM, Matt . yamakasi@gmail.com wrote: I'm facing a httpd server which won't start with ipa, so IPA fails

Re: [Freeipa-users] Userpassword randomly not working anymore.

Hi Martin, No problem I thought you guys needed a vacation but you are working on 4.2, wow sounds great! I can provide that but it will take some time as I cannot see when it happens so need to check. I might can post it tomorrow! Good luck there with the release! Cheers, Matt 2015-07-07 13

Re: [Freeipa-users] IPA replica without CA, how to become CA

to check but I thought I did what you said which didn't work... I need to debug it an report you this evening. Thanks, Matt 2015-07-06 17:54 GMT+02:00 Rob Crittenden rcrit...@redhat.com: Matt . wrote: Hi All, I'm cleaning up and playing around with some old dev setups and reviewing

Re: [Freeipa-users] IPA replica without CA, how to become CA

Rob, Isn't it impossible to install a CA on a replica when it's master died ? I know there is normally one CA, but this is kinda confusing me so I'm testing out scenarios. Thanks, Matt 2015-07-06 18:10 GMT+02:00 Matt . yamakasi@gmail.com: Hi Rob, OK, I had difficulties

Re: [Freeipa-users] IPA replica without CA, how to become CA

installation between 2 servers which only has one CA. Discussing this with Simo on IRC it seems to be some nice writing to have in the docs and now I found out... I'm trying to create this using my tests. But some unclear things have to be made clear first. Cheers, Matt 2015-07-06 19:01 GMT+02

[Freeipa-users] IPA replica without CA, how to become CA

of that I can setup a replica again. What is my best approach to test this ? Cheers, Matt -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

  1   2   3   >