abhai, Rob Crittenden. My apologies if I left anyone
out.
I have two machines left to convert to IPA and can hardly believe sometimes
that I've finally arrived at this point. So, thanks again to everyone for
their work on this incredibly complex and critical set of software.
- Orion
--
Orion
On 04/03/2017 09:03 AM, Orion Poplawski wrote:
> On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>>> I seem to be having some issues with users/groups that may be leading to
>>> errors in the subdomai
On 04/03/2017 02:08 AM, Jakub Hrozek wrote:
> On Fri, Mar 31, 2017 at 05:08:13PM -0600, Orion Poplawski wrote:
>> I seem to be having some issues with users/groups that may be leading to
>> errors in the subdomain status. Can anyone parse this for me?
>>
>> (Fri
On 04/03/2017 02:10 AM, Alexander Bokovoy wrote:
> On Mon, 03 Apr 2017, Jakub Hrozek wrote:
>> On Fri, Mar 31, 2017 at 04:07:16PM -0600, Orion Poplawski wrote:
>>> I'm seeing messages like this:
>>>
>>> (Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
is OK on failed request?
(Fri Mar 31 16:54:26 2017) [sssd[be[nwra.com]]]
[ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane
13:27:38 2017) [sssd[be[nwra.com]]] [sysdb_cache_search_groups]
(0x2000): No such entry
(Fri Mar 31 13:27:38 2017) [sssd[be[nwra.com]]]
[ipa_add_ad_memberships_get_next] (0x0020): There are unresolved external
group memberships even after all groups have been looked up on the LDAP server.
On 01/30/2017 01:38 AM, Jakub Hrozek wrote:
> On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote:
>> EL7.3
>> Users are in active directory via AD trust with IPA server
>>
>> sudo is configured via files - users in our default "nwra" group
On 03/10/2017 10:52 PM, Alexander Bokovoy wrote:
> On Fri, 10 Mar 2017, Orion Poplawski wrote:
>> I'm using ipa-client-add with --unattended and an OTP to enroll machines at
>> install time. I'd like to be able to add them to a particular hostgroup at
>> the same time
- Orion
eeipa to authorize it. I tried following instructions
>>> for LDAP access, but it doesn’t work. NFS seems to use a different,
>>> two-stage method for getting credentials, so that’s not a surprise. There
>>> are, not surprisingly, no useful error messages even with logging turned
>>> a
ke
-i eth0 00:25:64:e0:05:fa
seem to appear in the failed attempt but not a successful one.
messages even with logging turned all the way
> up.
>
>
I'm interested in this as well. All I've been able to find so far is:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/
haven't tried anything.
.
On 09/02/2016 03:15 PM, Lukas Slebodnik wrote:
On (24/08/16 11:42), Orion Poplawski wrote:
While that is definitely *a* convention, it's not the one we've used which
puts users by default in shared groups (nwra, visitors, etc). For example:
uid=2941(user) gid=1991(nwra)
The user "
FWIW - I've filed https://fedorahosted.org/freeipa/ticket/6293 to request the
ability to set the primary group for AD trust users.
On 08/24/2016 11:42 AM, Orion Poplawski wrote:
> While that is definitely *a* convention, it's not the one we've used which
> puts users by default in shared
trust users.
>
> Kind regards,
>
> Justin Stephenson
>
>
> On 08/23/2016 06:27 PM, Orion Poplawski wrote:
>> Is there any way to control the default gid for AD trust users? At the
>> moment
>> each user has its own default group, e.g.:
>>
>> uid
Is there any way to control the default gid for AD trust users? At the moment
each user has its own default group, e.g.:
uid=22603(user@ad.domain) gid=22603(user@ad.domain)
It would be nice to be able to set this to an actual group.
Thanks.
On 12/02/2015 01:42 PM, Andy Thompson wrote:
> Since updating to RHEL 7.2 I've got issues with ns-slapd hanging the system
> up after a period of time. The directory becomes unresponsive to searches or
> any connections. After a restart I see
>
> [02/Dec/2015:15:27:41 -0500] - slapd started.
On 12/07/2015 12:17 PM, Rob Crittenden wrote:
> Orion Poplawski wrote:
>> I just upgraded my SL7 box to ipa-server-4.2.0, but this process appears to
>> have broken ipa. From the ipaupgrade.log:
>>
>> 2015-12-07T17:47:46Z DEBUG Starting external process
>> 2015
On 11/23/2015 04:50 AM, Petr Vobornik wrote:
On 11/23/2015 04:44 AM, Orion Poplawski wrote:
Trying to install freeipa-server on Fedora 23. When I try to connect to
the web UI from a non-domain EL7 client with firefox I get:
Runtime error
Web UI got in unrecoverable state during "init&q
s/dojo/dojo.js?v=40203:1:9085
tn@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:8961
nn@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:9025
ln/i@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?v=40203:1:10123
p.injectUrl/i@https://moria.menegroth.us/ipa/ui/js/dojo/dojo.js?
On 11/11/2015 12:57 AM, Jakub Hrozek wrote:
> On Tue, Nov 10, 2015 at 11:44:12AM -0700, Orion Poplawski wrote:
>> I see that AD trust users don't get their posix shell set:
>>
>> # getent passwd user
>> u...@ad.nwra.com:*:2260345:2260345:A User:/export
On 11/11/2015 12:57 AM, Jakub Hrozek wrote:
> On Tue, Nov 10, 2015 at 11:44:12AM -0700, Orion Poplawski wrote:
>> I see that AD trust users don't get their posix shell set:
>>
>> # getent passwd user
>> u...@ad.nwra.com:*:2260345:2260345:A User:/export
/server?
it with:
ipa-certupdate
Which wrote out a correct /etc/ipa/ca.crt.
See https://fedorahosted.org/freeipa/ticket/5117#comment:16
On 07/28/2015 11:09 PM, Jan Cholasta wrote:
On 20.7.2015 at 19:52 Orion Poplawski wrote:
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57 Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12
On 07/20/2015 12:57 AM, Jan Cholasta wrote:
On 15.7.2015 at 20:57 Orion Poplawski wrote:
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
# ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
Directory
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
Hi,
On 10.7.2015 at 22:33 Orion Poplawski wrote:
On 07/08/2015 11:31 AM, Orion Poplawski wrote:
But then when I go to make a replica:
# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12
On 07/08/2015 11:31 AM, Orion Poplawski wrote:
But then when I go to make a replica:
# ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
--dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
Directory Manager (existing master) password:
(SEC_ERROR_LIBRARY_FAILURE
On 06/01/2015 08:54 AM, Rob Crittenden wrote:
Orion Poplawski wrote:
On 05/28/2015 03:09 PM, Rob Crittenden wrote:
Orion Poplawski wrote:
We did a CAless install:
ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a
`cat
/etc/ldap.secret` --root-ca-file=PositiveSSLCA2
/tls/certs/nwra.com.crt -inkey
/etc/pki/tls/private/nwra.com.key -certfile
/etc/pki/tls/certs/PositiveSSLCA2.crt -out nwra.com.p12
ipa-server-4.1.0-18.sl7_1.3.x86_64
Any thoughts?
On 05/28/2015 03:09 PM, Rob Crittenden wrote:
Orion Poplawski wrote:
We did a CAless install:
ipa-server-install -r NWRA.COM -n nwra.com -p `cat /etc/ldap.secret` -a `cat
/etc/ldap.secret` --root-ca-file=PositiveSSLCA2.crt
--dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin= --http_pkcs12
= server.nwra.com:88
admin_server = server.nwra.com:749
}
[domain_realm]
.nwra.com = NWRA.COM
nwra.com = NWRA.COM
# = #
.# = #
Any idea where the #'s are coming from?
ipa-server-3.3.3-28.el7_0.3.x86_64
that yourself with a COPR repository:
https://copr.fedoraproject.org/coprs/pviktori/freeipa/.
Any reason not to have EL6/7 branches in the COPR repo?
On 01/09/2014 06:07 AM, Martin Kosek wrote:
On 01/08/2014 07:16 PM, Orion Poplawski wrote:
Two questions:
- Any ETA on an updated 3.3.3 Users Guide?
Our current plan is to release the next documentation release along with FreeIPA
3.4, when more documentation fixes are factored in.
Just
Two questions:
- Any ETA on an updated 3.3.3 Users Guide?
- Is AD/IPA synchronization still supported in 3.3.3? Will it always?
Thanks!
. This is
*way* out of our (and I suspect many other small businesses) price range.
On 02/19/2013 03:10 PM, Simo Sorce wrote:
On Tue, 2013-02-19 at 14:38 -0700, Orion Poplawski wrote:
This is a followup to some previous discussions. I have been lobbying to keep
(and fix) the ability to install your own certificates when configuring IPA in
order to make use of wildcard SSL
to easily distribute and apply the ones you need.
Solves the problem but from a different side.
Orion, if implemented would it work for you?
My biggest concerns are Windows and OS X clients. Probably need to look
at the various mozilla deployment tools.
Is there a recommended way to distinguish between real human user accounts
in IPA and non-human system accounts in IPA?
On 02/15/2013 09:45 AM, Petr Viktorin wrote:
On 02/15/2013 05:36 PM, Orion Poplawski wrote:
Is there a recommended way to distinguish between real human user
accounts in IPA and non-human system accounts in IPA?
What kind of system accounts do you have in IPA? Consider not storing them
in as.
Also some accounts that own files and some services run as that are needed on
multiple machines. I suppose we could use puppet to manage those, but ldap
seems more convenient.
unless you are extraordinarily careful to remove privileges
normally granted by IPA, it could lead to the complete compromise of your
network.
Understood. This is actually all before we have moved to IPA, but are
exploring things.
so I'll need to retest this.
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDAP. This may have been before I
started using
it. The LDAP address book searches look for
attributes that the *person objectclasses provide. Without them, they are
excluded.
On 02/15/2013 01:42 PM, John Dennis wrote:
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups
On 02/15/2013 02:02 PM, John Dennis wrote:
On 02/15/2013 03:57 PM, Orion Poplawski wrote:
On 02/15/2013 01:56 PM, John Dennis wrote:
On 02/15/2013 03:46 PM, Simo Sorce wrote:
This is an interesting use case, it would probably be appropriate to
have a RFE filed to allow to create ipa users
On 02/15/2013 01:46 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 12:01 -0700, Orion Poplawski wrote:
What brought this up was the need to sync users from LDAP into another
authentication system, and for that system we only wanted real human people
to be listed.
Also, we don't want
On 02/15/2013 02:34 PM, John Dennis wrote:
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15/Feb/2013:11:17:21 -0700] conn=931 op=1 SRCH
base=ou=people,dc=nwra,dc=com scope=2
filter=(|(mail=*apache*)(cn=*apache*)(givenName=*apache*)(sn
On 02/15/2013 04:03 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
On 02/15/2013 02:34 PM, John Dennis wrote:
On 02/15/2013 04:16 PM, Orion Poplawski wrote:
Hmm, that is the filter in TB for me too, but:
[15
On 02/15/2013 04:06 PM, Orion Poplawski wrote:
On 02/15/2013 04:03 PM, Simo Sorce wrote:
On Fri, 2013-02-15 at 17:12 -0500, John Dennis wrote:
On 02/15/2013 04:54 PM, Orion Poplawski wrote:
Yup, then it adds it:
filter=((objectClass=person)(|(mail=*apac*)(cn=*apac*)(givenName=*apac*)(sn
certificate provider?
and Firefox.
Thoughts, comments, suggestions?
On 01/23/2013 02:30 PM, Rob Crittenden wrote:
Dmitri Pal wrote:
On 01/23/2013 03:45 PM, Orion Poplawski wrote:
On 01/23/2013 01:43 PM, Dmitri Pal wrote:
Yes please. Let us do it on the user list.
Ticket URL:https://fedorahosted.org/freeipa/ticket/3360#comment:14
So, my goal in using
-ca
/var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
...
[16/30]: configuring ssl for ds instance
creation of replica failed: Could not find a CA cert in
/tmp/tmpPAtailipa/realm_info/dscert.p12
On 01/17/2013 09:27 AM, Rob Crittenden wrote:
Orion Poplawski wrote:
But then on ipa-replica-install, problems as predicted:
ipa-replica-install --setup-ca
/var/lib/ipa/replica-info-ipapub.cora.nwra.com.gpg
...
[16/30]: configuring ssl for ds instance
creation of replica failed: Could
, dogtagcert,
replica_fqdn, subject_base)
File /usr/sbin/ipa-replica-prepare, line 143, in export_certdb
raise e
Any suggestions?
I don't really understand how the dogtag ca fits in with this scenario.
Should I just get rid of it? Can I?
=nwra,dc=com in clients.
On 01/14/2013 01:40 PM, Nalin Dahyabhai wrote:
On Mon, Jan 14, 2013 at 12:06:35PM -0700, Orion Poplawski wrote:
We're looking at migrating from 389ds to ipa. Currently our users
are in ou=People with rfc2307 attributes. Is there any way to
provide an ou=people,dc=nwra,dc=com compatibility
this is already addressed in 3.1 since it only creates a single instance.
Are there any IPA backup utilities on the horizon?
On 01/10/2013 03:22 PM, Rich Megginson wrote:
On 01/10/2013 02:59 PM, Orion Poplawski wrote:
With our current 389ds installs we are making use of the db2bak.pl and
db2ldif utilities to backup the ds database. Looking at my ipa 2.2.0
install these scripts were created for the PKI-IPA ds server
On 01/10/2013 03:29 PM, Orion Poplawski wrote:
On 01/10/2013 03:22 PM, Rich Megginson wrote:
On 01/10/2013 02:59 PM, Orion Poplawski wrote:
With our current 389ds installs we are making use of the db2bak.pl and
db2ldif utilities to backup the ds database. Looking at my ipa 2.2.0
install
On 01/10/2013 03:50 PM, Rich Megginson wrote:
On 01/10/2013 03:45 PM, Orion Poplawski wrote:
FWIW -
Here's my current backup script (in /etc/cron.daily/dirsrv-backup). Did this:
mv /usr/lib64/dirsrv/slapd-PKI-IPA /var/lib/dirsrv/scripts-PKI-IPA
ln -s /var/lib/dirsrv/scripts-PKI-IPA /usr
:
_kerberos.cora.nwra.com. TXT NWRA.COM
it will then automatically look for:
_kerberos._udp.nwra.com. SRV
Which will hold the servers for the other office.
Any suggestions?