Re: [Freeipa-users] Failed to setup replica, slapi_ldap_bind fails

2016-02-15 Thread Rob Crittenden
Filip Pytloun wrote: > I am using Ubuntu 16.04 (Xenial), there's no /etc/openldap That's the problem right there. I don't believe Ubuntu supports setting up replication agreements yet due to gnutls vs NSS issues. An effort is being made upstream to eliminate the need for TLS during agreement

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-12 Thread Rob Crittenden
Timothy Geier wrote: > >> On Feb 10, 2016, at 3:01 AM, Rob Crittenden <rcrit...@redhat.com> wrote: >>> >>> [09/Feb/2016:12:55:41 -0600] conn=109598 fd=287 slot=287 SSL >>> connection from master_ip to master_ip

Re: [Freeipa-users] smart cards containing multiple certificates

2016-02-12 Thread Rob Crittenden
Michael Rainey (Contractor) wrote: > I recently discovered something that may be a little off in the SSSD > Design Docs > . > When using the certutil command shown below to dump the PEM encoded > certificates from the

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-10 Thread Rob Crittenden
Timothy Geier wrote: On Feb 9, 2016, at 2:58 AM, Rob Crittenden <rcrit...@redhat.com> wrote: Timothy Geier wrote: The debug log has a lot of instances of: Could not connect to LDAP server host xxx. port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Sock

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-09 Thread Rob Crittenden
Timothy Geier wrote: The debug log has a lot of instances of: Could not connect to LDAP server host xxx. port 636 Error netscape.ldap.LDAPException: IO Error creating JSS SSL Socket (-1) Internal Database Error encountered: Could not connect to LDAP server host xxx. port 636 Error

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-08 Thread Rob Crittenden
Timothy Geier wrote: Greetings all, For the record, this is a CentOS 7.2 box with all current patches. (ipa-server-4.2.0-15.el7.centos.3.x86_64, etc.) The situation is that pki-tomcatd on the lone CA server in our IPA cluster refuses to start cleanly. The issues started earlier this week

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-02-06 Thread Rob Crittenden
John Obaterspok wrote: Hi, I have an ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan I recently started to get nss error "SSL peer has no certificate for the requested DNS name." when I'm accessing my https://gitserver.my.lan Previously this worked fine if I had set "git config

Re: [Freeipa-users] nss unrecognized name alert with SAN name

2016-02-06 Thread Rob Crittenden
John Obaterspok wrote: Hi, I have an ipa.my.lan and a cname gitserver.my.lan pointing to ipa.my.lan I recently started to get nss error "SSL peer has no certificate for the requested DNS name." when I'm accessing my https://gitserver.my.lan Previously this worked fine if I had set "git config

Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-05 Thread Rob Crittenden
Timothy Geier wrote: Greetings all, For the record, this is a CentOS 7.2 box with all current patches. (ipa-server-4.2.0-15.el7.centos.3.x86_64, etc.) The situation is that pki-tomcatd on the lone CA server in our IPA cluster refuses to start cleanly. The issues started earlier this week

Re: [Freeipa-users] [freeipa-users] Configuring Automount on Ubuntu Clients

2016-02-05 Thread Rob Crittenden
Jon wrote: Hello, How do I configure automount for Ubuntu 14.04 clients? My procedure on CentOS has been: install free-ipa client, run ipa-client-install (auto configures with dns discovery), run ipa-client-automount. However, when I run this on the ubuntu client, I receive the following

Re: [Freeipa-users] Apple OpenDirectory Integration

2016-02-04 Thread Rob Crittenden
"Răzvan Corneliu C.R. VILT" wrote: Hi Guys, I've done a small scale demo of using FreeIPA instead of an Open Directory Server to serve Apple OS X clients. This is based on my experiences from one year ago (Ticket #4813). I've also attached some screenshots. This is very cool and excellent

Re: [Freeipa-users] Obtaining certificate private keys for Apache/etc.

2016-02-04 Thread Rob Crittenden
Christopher Young wrote: Thanks. That's good advice and good to know. I'm going to be trying to work this into an Ansible role, so having a command listing helps a lot. That leads to a curious question if anyone has thought about building an Ansible module(s) for manipulating FreeIPA objects.

Re: [Freeipa-users] Joining realm failed with "SSL certificate problem: self signed certificate in certificate chain"

2016-01-29 Thread Rob Crittenden
Harald Dunkel wrote: > Hi folks, > > Problem: ipa-client-install fails with > > # rm -f /etc/ipa/ca.crt > # ipa-client-install > Discovery was successful! > Hostname: srvl023.ac.example.com > Realm: EXAMPLE.COM > DNS Domain: example.com > IPA Server: ipa1.example.com > BaseDN: dc=example,dc=com

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread Rob Crittenden
David Zabner wrote: > Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? > It seems like this is the only place where the library is referenced one way > or the other… > You need to set this globally: KrbConstrainedDelegationLock ipa And I assume you replaced $realm

Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously

2016-01-29 Thread Rob Crittenden
David Zabner wrote: > Ok so I added the line "KrbConstrainedDelegationLock ipa” to ipa.conf (httpd > configuration) > > > My error log is now full of network errors: > config looks right to me. Does this mean that some requests are successful and others are not? I'd set LogLevel debug in

Re: [Freeipa-users] IPA Web Portal using outdated ciphers, breaking with some clients

2016-01-29 Thread Rob Crittenden
Jeff Hallyburton wrote: > Hi, > > We're also seeing that the free-ipa web-portal is using TLS 1.2 by > default, which is being flagged as insecure / obsolete. This also seems > to be causing some clients (some instances of Chrome) to fail logins: > > [Fri Jan 29 18:34:26.638350 2016] [:error]

Re: [Freeipa-users] FREAK Vulnerability

2016-01-28 Thread Rob Crittenden
> > Where am I going wrong? dse.ldif is written out when the server shuts down so any changes you make to it while 389-ds is running are lost. rob > > Terry > > > -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: 28 January 2016 04:4

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Rob Crittenden
ministrator,cn=roles,cn=accounts,dc=contoso,dc=com changetype: modify add: member member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com rob > > On Thu, Jan 28, 2016 at 1:03 AM, Rob Crittenden <rcrit...@redhat.com> wrote: >> Marat Vyshegorodtsev wrote: >>> Hi! >

Re: [Freeipa-users] Moving default "admin" user to service accounts

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > Hi! > > My FreeIPA deployment is a part of PCI cardholder data environment. > > Hence, I have to comply with with the requirements such as 8.1.1 > (assign unique ID to each user) and 8.5 (do not use generic or shared > IDs). > > I would like to move this user under

Re: [Freeipa-users] FREAK Vulnerability

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > My two cents: > > My "magic" string for NSS is like this (I had to move to Fedora 23 > from CentOS in order to get more recent NSS version though): > > NSSProtocol TLSv1.2 > NSSCipherSuite >

Re: [Freeipa-users] Service account to enroll hosts

2016-01-27 Thread Rob Crittenden
Marat Vyshegorodtsev wrote: > Hi! > > I'm trying to build an auto-enrollment script that would leverage a > service account to enroll hosts. > > Here is the LDIF for this service account: > https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a > > This service account is created successfully,

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Rob Crittenden
Günther J. Niederwimmer wrote: > On Tuesday, 26 January 2016, 17:13:03 CET Ludwig Krispenz wrote: > Hello Ludwig, > >> you got a replicaid (97) leftover from the previous install for the >> o=ipaca backend. The other backend is ok, ipa-replica-manage del did the >> cleanup, but

Re: [Freeipa-users] Problem adding user

2016-01-26 Thread Rob Crittenden
Birnbaum, Warren (ETW) wrote: > Hello, > > I am trying to add a user into FreeIPA that already exists in > /etc/passwd. How can I add him into FreeIPA and employ all the > functionality? What is your goal in keeping the user in both systems? rob -- Manage your subscription for the

Re: [Freeipa-users] Master Error with two Master CentOS 7.2

2016-01-26 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (26/01/16 12:47), Rob Crittenden wrote: >> Günther J. Niederwimmer wrote: >>> On Tuesday, 26 January 2016, 17:13:03 CET Ludwig Krispenz wrote: >>> Hello Ludwig, >>> >>>> you got a replicaid (97) leftover from t

Re: [Freeipa-users] Support status of additional OU's / acis in ipa ds

2016-01-23 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Sat, 23 Jan 2016, William Brown wrote: >> Hi, >> >> I'm wondering about what the freeipa support policy is on adding an >> extra OU to the root of my domain, as well as my own acis. Will FreeIPA >> ignore this? Or will it potentially cause future issues? >> >> IE

Re: [Freeipa-users] FREAK Vulnerability

2016-01-21 Thread Rob Crittenden
Christian Heimes wrote: > On 2016-01-21 15:51, Martin Kosek wrote: >> On 01/21/2016 03:31 PM, Terry John wrote: >>> I've been trying to tidy the security on my FreeIPA and this is causing me >>> some problems. I'm using OpenVAS vulnerability scanner and it is coming up >>> with this issue >>>

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-19 Thread Rob Crittenden
Nathan Peters wrote: > [18/Jan/2016:09:28:33 -0800] conn=18732 op=10 ADD > dn="cn=replica,cn=dc\3Ddev-globalrelay\2Cdc\3Dnet,cn=mapping tree,cn=config" > [18/Jan/2016:09:28:33 -0800] conn=18732 op=10 RESULT err=68 tag=105 > nentries=0 etime=0 > [18/Jan/2016:09:28:33 -0800] conn=18732 op=11

Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-18 Thread Rob Crittenden
Nathan Peters wrote: > I assume you mean look at the DS log on the machine being installed? I think he meant on the master that generated the prepare file. There may be some left-over, unexpected entry. rob > > There is no "err=68" anywhere in the access file : > > [root@dc2-ipa-dev-van

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-15 Thread Rob Crittenden
Petr Spacek wrote: > On 15.1.2016 08:48, David Kupka wrote: >> On 14/01/16 22:09, Rob Crittenden wrote: >>> Prasun Gera wrote: >>>> This is an old thread, but I can confirm that this is still an issue on >>>> RHEL 7.2 + 4.2. This creates problems when t

Re: [Freeipa-users] ns-slapd using all CPU ressources

2016-01-15 Thread Rob Crittenden
Domingues Luis Filipe wrote: > Hi all, > > On our infra, we have two machines running Fedora with FreeIPA installed. > > We have an issue with ns-slapd using 100% of CPU after a while. If we > restart the service, it starts to use all CPU resources after one day. > > Output of the command

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Rob Crittenden
Peter Pakos wrote: > On 14/01/2016 18:51, Rob Crittenden wrote: >> You need to add the new root certs to the pki NSS database. > > As far as I can see those 3 new CA certs are already in the database > (unless you're talking about a different db): > > $ certut

Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP

2016-01-15 Thread Rob Crittenden
Peter Pakos wrote: > On 15/01/2016 15:04, Rob Crittenden wrote: >> Discussed in IRC last night but for the sake of history, he needed to >> add the CA's to the dogtag NSS database in >> /var/lib/pki/pki-tomcat/alias/ with a trust of C,,. > > Yes, I added new root c

Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Rob Crittenden
policy-show --user > What about sysaccounts ? They seem to be locked also with too many > logins, and this concerns me as they are not POSIX. They may be getting the global policy applied. rob > > > > 2016-01-14 15:16 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:

Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Rob Crittenden
0 to disable lockout. > Can we make sure we apply a policy to the sysaccounts users or is that > undoable ? You'd have to set krbPwdPolicyReference to the dn of the policy you want to use for that sysaccount user. That requires the objectclass krbPrincipalAux. rob > > 2016-01-14 16:5

Re: [Freeipa-users] User Lockout even with special password Policy

2016-01-14 Thread Rob Crittenden
Matt . wrote: > Hi Guys, > > I'm having an issue that a user which I use for the API is getting > locked out from time to time. > > I have created a specific password policy for this user with: > > Lockout duration (seconds) 0 > > But this doesn't help much. > > Anyone an idea how I can make

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0

2016-01-14 Thread Rob Crittenden
Nathan Peters wrote: > This just keeps on getting better and better. > > > > I need this replication working properly because it has caused about 7 > or 8 builds to fail today alone so I decided to just be done with > troubleshooting and remove the server from the domain and re-initialize it.

Re: [Freeipa-users] GID, groups and ipa group-show

2016-01-14 Thread Rob Crittenden
Prasun Gera wrote: > This is an old thread, but I can confirm that this is still an issue on > RHEL 7.2 + 4.2. This creates problems when there are roles associated > with groups, but group membership through GID is broken. I had migrated > all old NIS accounts into ipa. I then added the host

Re: [Freeipa-users] configure: error: xmlrpc-c/base.h not found

2016-01-13 Thread Rob Crittenden
Anthony Cheng wrote: > Hi all, > > I am getting an error with make for both freeipa-4.3.0 > and freeipa-4.2.0; both errors are the same: > > checking for xmlrpc-c/base.h... no > configure: error: xmlrpc-c/base.h not found > make: *** [client-autogen] Error 1 > > I read from

Re: [Freeipa-users] FreeIPA Replica / HA Issues

2016-01-13 Thread Rob Crittenden
Jeff Hallyburton wrote: > We've deployed a FreeIPA server in a client infrastructure and now we're > working on making that setup HA. We've created a replica and I can > verify that the replica has connectivity to the existing master and > ensured that the auto-discovery DNS records are set up

Re: [Freeipa-users] tricky one in OpenLDAP migration, groups

2016-01-13 Thread Rob Crittenden
me update link the user to it. rob > ~J > > On 1/13/16 7:59 AM, Rob Crittenden wrote: >> Janelle wrote: >>> Hello, >>> >>> This may not be possible, or if it is I am going to guess it is not >>> going to be easy. If I have an old OpenLDAP enviro

Re: [Freeipa-users] tricky one in OpenLDAP migration, groups

2016-01-13 Thread Rob Crittenden
Janelle wrote: > Hello, > > This may not be possible, or if it is I am going to guess it is not > going to be easy. If I have an old OpenLDAP environment with users who > never had unique UID/GID - in other words, the GID was not unique to a > user, instead it was some global group. Well, I was

Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0 plus ldapmodify freezes up

2016-01-12 Thread Rob Crittenden
Nathan Peters wrote: > (I apologize if this isn’t threading properly, I signed up with another > email address since my primary ISP is having issues right now) > > > > So to recap about the issues in this thread : > https://www.redhat.com/archives/freeipa-users/2016-January/msg00139.html > >

Re: [Freeipa-users] Documentation on Testing page

2016-01-11 Thread Rob Crittenden
Anthony Cheng wrote: > Hi all, > > I have been looking at the documentation, specifically the test page: > http://www.freeipa.org/page/Testing > > It looks like it has missing info on the Build section, specifically I > don't see reference to a makefile or where to run make to build the >

Re: [Freeipa-users] Setup of freeipa 4.2.3 failed

2016-01-09 Thread Rob Crittenden
Markus Roth wrote: > On Friday, 08.01.2016, 13:25 +0100 Martin Babinsky wrote: >> On 01/08/2016 01:06 PM, Markus Roth wrote: >>> Hi all, >>> >>> I tried to install freeipa server (freeipa-server.armv7hl >>> 4.2.3-1.1.fc23), but the installation failed. >>> >>>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Fri, 08 Jan 2016, Karl Forner wrote: >> Ok. >> >> I read a work-around on https://blog-rcritten.rhcloud.com/?p=50 >> >> It says that if one has figured out a safe new range for the replica, the >> range could be set using: >> >> ldapmodify -x -D 'cn=Directory Manager'

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote: > > > I purposely used rather weak working in my blog to ensure that one > thinks carefully about making this kind of change. If your original > master can be brought back up that is definitely the best way to > resolve it. > > > ok, I'll try this first. >

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote: > Hello, > > If I go to active users, click Add, fill in log, first and last name, > then click "Add", I get the error message: > Operations error: Allocation of a new value for range cn=posix > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config > failed! Unable

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Rob Crittenden
Martin Kosek wrote: > On 01/05/2016 04:24 PM, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 01/04/2016 10:41 PM, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>> ... >>>>> I anyway tried to add externalHost to the shadow hos

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-05 Thread Rob Crittenden
Karl Forner wrote: > > > > > > It hangs forever. > > How long is forever? > > > officially it's about 15 mns. Do you mean that this delay could be > expected ? Forever is a measurement of patience. I'd have expected a timeout at some point. To really diagnose things we'd probably

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Rob Crittenden
Martin Kosek wrote: > On 01/04/2016 10:41 PM, Rob Crittenden wrote: >> Martin Kosek wrote: > ... >>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify >>> as DM >>> and it worked: >>> >>> # ipa netgroup-sh

Re: [Freeipa-users] FreeIPA 4.x + CentOS 6.4

2016-01-05 Thread Rob Crittenden
Lukas Slebodnik wrote: > On (05/01/16 15:11), bahan w wrote: >> Hello. >> >> I have some questions related to this point : >> 1. On a RHEL6.6, may I install the package ipa-client 4.x and enroll to an >> ipa server 4.x located on a RHEL7 ? May you remind me the version of sssd >> embedded with

Re: [Freeipa-users] Freeipa-users Digest, Vol 90, Issue 9

2016-01-05 Thread Rob Crittenden
to use a keytab. We can only move the earth so much at a time. rob > > thank you, > > - cal sawyer > > Date: Mon, 4 Jan 2016 14:07:40 -0500 >> From: Rob Crittenden <rcrit...@redhat.com> >> To: Cal Sawyer <ca...@blue-bol

Re: [Freeipa-users] IPA, autofs, kerberos

2016-01-04 Thread Rob Crittenden
Cal Sawyer wrote: > Hi > > After getting autofs working using automountmaps in IPA, i've discovered > that upon rebooting a client i have no automounts. If i ssh into the > client and obtain a ticket as admin, after restarting autofs (as root), > I can once again see access automounted

Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Rob Crittenden
Karl Forner wrote: > I am running a master freeIPA called "ipa" in an adelton/freeipa-server > (freeIPA 4.1.4). > I am able to create a replica server "ipa2", still in an > adelton/freeipa-server. > > If I stop my ipa2 replica, and try to delete the replication agreement: > >

Re: [Freeipa-users] Avoid auto-setting krbpasswordexpiration to pwdpolicy?

2016-01-04 Thread Rob Crittenden
Martin René Mortensen wrote: > Hi, > > I am setting up an LDAP connection from our Identity Management system > which provisions our IPA servers with fresh users and groups. > I set it up pretty nice so far, with some added privileges for change > admin passwords and avoiding password resets. >

Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Rob Crittenden
Martin Kosek wrote: > On 12/22/2015 12:10 PM, Roderick Johnstone wrote: >> Hi >> >> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7. >> >> I need to have the netgroups set up in freeipa before migrating systems to be >> freeipa clients. >> >> At this point I'm trying to understand

Re: [Freeipa-users] Issue with ipa 4.2.0 upgrade

2015-12-07 Thread Rob Crittenden
Orion Poplawski wrote: > I just upgraded my SL7 box to ipa-server-4.2.0, but this process appears to > have broken ipa. From the ipaupgrade.log: > > 2015-12-07T17:47:46Z DEBUG Starting external process > 2015-12-07T17:47:46Z DEBUG args='/bin/systemctl' 'is-active' > 'certmonger.service' >

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Rob Crittenden
Andrey Ptashnik wrote: > Martin, > > For my education, how did you identify that from my output? The +nsuniqueid= in the dn. When managing entries in IPA it constructs the DN based on the values provided which is why you got a notfound for webapps001.mz984, because it literally doesn't exist.

Re: [Freeipa-users] Ldap search for enrolled boxes

2015-12-07 Thread Rob Crittenden
Sean Hogan wrote: > Hello, > > Does anyone have a ldapsearch syntax that will check the database for > all enrolled hosts within IPA and ignore non-enrolled hosts? I am not > familiar enough with the schema yet to know which containers contain > what. I know there is a flag on the gui for

Re: [Freeipa-users] "DNS resource record not found" error when searching or deleting records

2015-12-07 Thread Rob Crittenden
Andrey Ptashnik wrote: > Dear Team, > > I’m trying to remove DNS records from IPA server and getting following > error: "ipa: ERROR: webapps001.mz984: DNS resource record not found" > I suspect that there was such server "webapps001.mz984" in the past > properly added to IPA server via

Re: [Freeipa-users] Sudo question

2015-12-03 Thread Rob Crittenden
wed at all. I'd suggest you bump up the sssd debug level to better see what is happening. rob > > Rob Crittenden wrote on 12/02/2015 04:26:24 PM: > Sean Hogan wrote: > Hi All,

Re: [Freeipa-users] Problem with ipa-csreplica reinitialize

2015-12-03 Thread Rob Crittenden
Łukasz Jaworski wrote: > Hi, > > We have strange problems in our environment. > > After ipa-csreplica-manage re-initialize servers crash (it happens very > often, after second or third try, all dc, and pki replication gone. I've > reinstalled server and setup new replication). There aren't any >

Re: [Freeipa-users] Sudo question

2015-12-03 Thread Rob Crittenden
64 > device-mapper-multipath-0.4.9-80.el6_6.3.ppc64 > > > Server: > rpm -qa | grep ipa > sssd-ipa-1.12.4-47.el6.x86_64 > ipa-admintools-3.0.0-47.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.12.4-47.el6.x86_64 > ipa-client-3.0.0-47.el6.x86_6

Re: [Freeipa-users] Documentation on the JSON format for ipa-web?

2015-12-01 Thread Rob Crittenden
Marc Boorshtein wrote: > FreeIPA Team, > > I've created a plugin for working with freeipa, but right now it's > using reverse engineered JSON that I then turned into Java POJOs. It > works but I'd like to have something a bit better managed. Is there > any documentation or a place in the code

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 16:27, Rob Crittenden wrote: >> Christian Heimes wrote: >>> On 2015-11-30 12:51, Martin Basti wrote: >>>> >>>> >>>> On 28.11.2015 00:14, Rob Crittenden wrote: >>>>> Martin Štefany wro

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 12:51, Martin Basti wrote: >> >> >> On 28.11.2015 00:14, Rob Crittenden wrote: >>> Martin Štefany wrote: >>>> Hello, >>>> >>>> I remember experiencing this, but I'm not sure of solution. I thi

Re: [Freeipa-users] Ticket transfer from host to host

2015-11-30 Thread Rob Crittenden
Thomas Lau wrote: > Hi Rob, > > So what you are trying to say is that it's nothing to do with FreeIPA > but ssh client itself? Correct. rob > > On Mon, Nov 30, 2015 at 11:39 AM, Rob Crittenden <rcrit...@redhat.com> wrote: >

Re: [Freeipa-users] CA installation failed on server

2015-11-30 Thread Rob Crittenden
Christian Heimes wrote: > On 2015-11-30 17:48, Martin Basti wrote: >> If I did read logs right, there was ipa-server-installed, CA >> uninstallation failed and now IPA server install is failing because new >> CA cannot be installed due the old instance of CA. > > Martin, you are right. Daniel

Re: [Freeipa-users] Ticket transfer from host to host

2015-11-29 Thread Rob Crittenden
Thomas Lau wrote: > Hi all, > > I am running FreeIPA 3.3.x in our environment. First I did is kinit on > client 1, then ssh to host A, it works fine; But then if I want to ssh > from host A to host B, I have to do kinit again, is there a way to > do ticket transfer? Or is it called "Ticket

Re: [Freeipa-users] (no subject)

2015-11-27 Thread Rob Crittenden
Martin Štefany wrote: > Hello, > > I remember experiencing this, but I'm not sure of solution. I think it's > related to apache (httpd) and his group. > > My notes for IPA installation on CentOS 7.x say: > > # groupadd -g 48 apache > # yum -y install ipa-server bind bind-dyndb-ldap > # usermod

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-23 Thread Rob Crittenden
pretty sure that nss_ldap supports RFC2307bis but it's really just a distant memory. rob > *Jeffrey Stormshak, RHCSA | Sr. Linux Engineer* > > Platform Systems | IT Operations Infrastructure > > CCC Information Services, Inc. > > Phone: (312) 229-2552 > > > From: Jakub Hrozek

Re: [Freeipa-users] user question

2015-11-20 Thread Rob Crittenden
Ainsworth, Thomas wrote: > Question: > > How can you set the password policy to require at least four (4) new > characters when the user is setting their password? I assume you mean 4 new characters as compared to the current password? I don't know of a way to do that. I don't believe the

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-20 Thread Rob Crittenden
ent > Rob, how to check the missed manage entry? A managed group needs the attribute mepManagedBy with a value of the dn that is managing it and the objectclass mepManagedEntry. rob > > 2016-11-20 0:11 GMT+08:00 Rob Crittenden <rcrit...@redhat.com>

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-20 Thread Rob Crittenden
essage- > From: Jeffrey Stormshak > Sent: Tuesday, November 17, 2015 10:49 AM > To: Jeffrey Stormshak; Rob Crittenden; Jakub Hrozek; freeipa-users@redhat.com > Subject: RE: [Freeipa-users] Oracle Linux 5.5 - Legacy Question > > I meant "did" forget.

Re: [Freeipa-users] Password Policy Inquiry

2015-11-20 Thread Rob Crittenden
Ainsworth, Thomas wrote: > Greetings, > > How in FreeIPA would one set the password policy equivalent > to the pam.d parameter difok? > This parameter ensures the new password has at least N number of > characters different than > the current password. >

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-19 Thread Rob Crittenden
t as managed. rob > > 2015-11-16 13:43 GMT+08:00 zhiyong xue <xuez...@gmail.com>: > > I am using IPA 4.1 in CentOS7. And I can login to system after "id > syncopex5", maybe it's cache problem. > > 2015

Re: [Freeipa-users] proftpd with ipa

2015-11-19 Thread Rob Crittenden
inal Message----- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Thursday, November 19, 2015 10:51 AM > To: Provenzo, Patrick C; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] proftpd with ipa > > patrickcprove...@eaton.com wrote: >> I cannot get proftpd t

Re: [Freeipa-users] proftpd with ipa

2015-11-19 Thread Rob Crittenden
patrickcprove...@eaton.com wrote: > I cannot get proftpd to authenticate with IPA. I received the following > messages in /var/log/secure > > > > proftpd[21477]: 151.##.##.## (151.#.##.##[151.##.##.##]) - USER > e0026887: no such user found from 151.##.##.## [151.##.##.##] to > 151.##.##.## >

Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote: > I still can’t find the problem after a lot of searching, can someone > give me a little advice? Assembling a POC of FreeIPA 4.1.0 server > (stock CentOS-7 packages) and a CentOS 6.7 server with their stock 3.0.0 > packages. Sudo version on the client is sudo-1.8.6p3. >

Re: [Freeipa-users] FreeIPA Internal Server Error

2015-11-18 Thread Rob Crittenden
Unknown wrote: > I'm new here so first of all want to say hello to everyone. > > I'm implementing FreeIPA in our environment. Everything was fine till I > figured out listing of one domain stops working. When I'm trying to list > zone via web panel I'm getting "Internal Server Error". It is

Re: [Freeipa-users] Help understanding issue with CentOS freeipa sudo host groups

2015-11-18 Thread Rob Crittenden
Sparks, Alan wrote: > >>> [root@als-centos0002 sys-ops]# nisdomainname >>> dakar.useast.hpcloud.net >>> >>> [root@als-centos0002 sys-ops]# getent netgroup opsauto >>> opsauto >>> (als-ubuntu0001.oa.ftc.hpelabs.net,-,eucalyptus.internal) >>>

Re: [Freeipa-users] Oracle Linux 5.5 - Legacy Question

2015-11-17 Thread Rob Crittenden
Jeffrey Stormshak wrote: Thank you for the response. If I may, can you expand more on the sudoers response? More details from my configuration ... The current setup for me is that all my sudoers rules/commands and groups are defined and stored in the RHEL 7.1 IDM LDAP. When I create the

Re: [Freeipa-users] Minimal compatibility with REHL / CentOS 5.5

2015-11-15 Thread Rob Crittenden
Andrey Ptashnik wrote: > Hello IPA team, > > I’m wondering if there is any compatibility that can be established with > legacy RHEL CentOS 5.5 machines. Is there any easy way to setup minimal > feature set like central authentication and maybe something else? ipa-client exists there. You can use

Re: [Freeipa-users] FreeIPA user can't login to linux.

2015-11-15 Thread Rob Crittenden
zhiyong xue wrote: > We integrated the Apache Syncope server with FreeIPA server. So user can > self register ID from Apache Syncope then synchronize to FreeIPA. The > problems are: > *1) User created from Apache Syncope can't login to linux. The user > created from FreeIPA web gui works well.*

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-13 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: For those of you that have been helping me...thank you! For all those following along here is the status of my issues. I ended up replacing the krbprincipal key and the user certificate in LDAP to match what is on the master and I am no longer getting

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread Rob Crittenden
James Masson wrote: On 30/10/15 13:52, Rob Crittenden wrote: James Masson wrote: On 26/10/15 16:11, Martin Kosek wrote: On 10/26/2015 04:05 PM, James Masson wrote: On 19/10/15 21:06, Rob Crittenden wrote: James Masson wrote: Hi list, I successfully have IPA working with CA certs

Re: [Freeipa-users] IPA with external CA signed certs

2015-11-12 Thread Rob Crittenden
James Masson wrote: On 12/11/15 15:21, Rob Crittenden wrote: James Masson wrote: On 30/10/15 13:52, Rob Crittenden wrote: James Masson wrote: On 26/10/15 16:11, Martin Kosek wrote: On 10/26/2015 04:05 PM, James Masson wrote: On 19/10/15 21:06, Rob Crittenden wrote: James Masson

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-11 Thread Rob Crittenden
Fraser Tweedale wrote: On Tue, Nov 10, 2015 at 08:30:47PM -0800, Prasun Gera wrote: You are right in that the fullchain.pem doesn't have the root certificate. I ran "openssl x509 -in chain.pem -noout -text", and saw that it had Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3, and

Re: [Freeipa-users] mastercrl files

2015-11-11 Thread Rob Crittenden
Martin Kosek wrote: On 11/10/2015 10:59 PM, Fraser Tweedale wrote: On Tue, Nov 10, 2015 at 07:02:42PM +0100, Natxo Asenjo wrote: hi, do we need to keep all the MasterCRL-MMDD-HHMMSS.der files or can we purge them on a regular basis (say, keep 60 days dump the rest)? $ ls -l | wc -l 3621

Re: [Freeipa-users] Sync with SUN DS 5.2

2015-11-10 Thread Rob Crittenden
Seike neg wrote: > Hello, > Is there a way to import users and password from SUN DS automatically > (script, sync, etc...). > I have a SUN DS LDAP in the office and I want to do a read only sync from him > to a brand new freeipa server. > The freeipa server is supposed to act as a kerberos, ldap

Re: [Freeipa-users] crl url redirecting to https

2015-11-10 Thread Rob Crittenden
Natxo Asenjo wrote: > hi, > > I just noticed some stuff was not functioning properly and it's because > the crl url is being redirected to https (centos 6.7). > > > $ curl http://kdc01.unix.domain.tld/ipa/crl/ > > > 301 Moved Permanently > > Moved Permanently > The document has moved

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > This gave me a huge return! Appears to be a long list of all the servers and > applications whose users authenticate to the IPA servers. > > ldapsearch -x -h 172.16.100.161 -D "cn=directory manager" -W -b > "dc=itmodev,dc=gov"

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-10 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > Is it possible to delete the mapping and try it and if it doesn't work or > breaks something else add it back? How would I go about deleting this > mapping? Or adding the mapping for principal name in the right order? > So what I'd do is this: Do

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Rob Crittenden
Gronde, Christopher (Contractor) wrote: > I restarted dirsrv and attempted to start krb5kdc and this is what the error > log shows > > # tail /var/log/dirsrv/slapd-ITMODEV-GOV/errors > [09/Nov/2015:11:01:02 -0500] - WARNING: userRoot: entry cache size 10485760B > is less than db size 28016640B;

Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

2015-11-09 Thread Rob Crittenden
ere returned This would be in /var/log/dirsrv/slapd-YOUR_REALM/access rob > > -Original Message- > From: Rob Crittenden [mailto:rcrit...@redhat.com] > Sent: Monday, November 09, 2015 11:46 AM > To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; &g

Re: [Freeipa-users] unable to delete dead freeipa replica

2015-11-05 Thread Rob Crittenden
Andrew Holway wrote: > Actually I'm starting to feel like this is a bug. Managed to get the old > IPA server back up and ran . > > "ipa-server-install --uninstall" > > Which completed successfully and gave the advice: > > Replication agreements with the following IPA masters found: freeipa- >

Re: [Freeipa-users] problems with NFS service principal

2015-11-05 Thread Rob Crittenden
j...@use.startmail.com wrote: > Hello everyone, > > I initially followed freeipa NFS documentation for setting up external stand > alone NFS server > > ipa host-add mickey.corp.example.org > ipa service-add nfs/mickey.corp.example.org > ipa-getkeytab -s razoul.corp.example.org -p

Re: [Freeipa-users] Client enrolment user

2015-11-05 Thread Rob Crittenden
suggestions they would be seriously entertained. rob > > > Sent via the Samsung GALAXY S® 5, an AT&T 4G LTE smartphone > > Original message > From: Rob Crittenden <rcrit...@redhat.com> > Date: 11/05/2015 10:18 (GMT-05:00) > To: Freeipa-users@red

Re: [Freeipa-users] re-enrolling clients with --force-join getting /var/lib/sss/pubconf/known_hosts conflicts

2015-11-05 Thread Rob Crittenden
Brian J. Murrell wrote: > On Wed, 2015-11-04 at 15:37 -0500, Brian J. Murrell wrote: >> I am trying to re-enroll clients after re-installing their O/S (EL6) >> using: >> >> # ipa-client-install --force-join ... >> >> Per http://www.freeipa.org/page/V3/Forced_client_re-enrollment but I >> am >>

Re: [Freeipa-users] let's encrypt integration and best practices for mod_nss/mod_ssl

2015-11-05 Thread Rob Crittenden
connection requires a full SSL/TLS handshake. I don't think it's a show-stopper. rob > > Are these relevant/serious ? Can they be mitigated ? > > > On Thu, Nov 5, 2015 at 6:51 AM, Rob Crittenden <rcrit...@redhat.com > <mailto:rcrit...@redhat.com>> wrot
