our sudo / hbac rules and user
groups...
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, June 13, 2016 2:20 PM
To: Nathan Peters; Jakub Hrozek
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
Nathan Pete
There doesn't seem to be an option to add POSIX attributes to my sudo rules.
Which attributes should I be adding and how?
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Monday, June 13, 2016 1:57 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subjec
-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Monday, June 13, 2016 1:54 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
On (13/06/16 20:24), Nathan Peters wrote:
>Taking a second look at the s
20:12:10 sudo[16270] <- sudo_grlist_delref_item @ ./pwutil.c:784
Jun 13 20:12:10 sudo[16270] <- sudo_grlist_delref @ ./pwutil.c:792
Jun 13 20:12:10 sudo[16270] <- user_in_group @ ./pwutil.c:957 := false
Jun 13 20:12:10 sudo[16270] <- usergr_matches @ ./match.c:699 := false
-Origin
n host ; TTY=pts/0 ; PWD=/home/nathan.peters ; USER=root ; COMMAND=/bin/su -
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: Monday, June 13, 2016 10:30 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa
ember: uid=nathan.peters,cn=users,cn=accounts,dc=dev-mydomain,dc=net
[nathan.peters@cass1 ~]$
-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Saturday, June 11, 2016 2:02 AM
To: Nathan Peters
Cc: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [Fre
al Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: Wednesday, June 8, 2016 11:14 AM
To: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [FreeIPA 4.3.0] CentOS 6.8 sudo fails
I'm pretty lost
pe subtree
# filter:
(&(cn=sysadmins)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto
I have a fresh installation of CentOS 6.8 joined to a FreeIPA 4.3.0 domain on
Fedora 23.
When I try to sudo on this host, it fails. Here are the log entries from
/var/log/secure. Note that we have several hundred CentOS 6.5-6.7 machines
where this works fine.
Is this a new bug in CentOS 6.8?
ipa-dev-van.dev-globalrelay.net/ipa/ui/>
* limits exceeded for this query
Nathan Peters
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
I have created a trust between my FreeIPA domain and an active directory
domain. I can get a kerberos ticket properly from the other domain at the
command line on the IPA server.
I have also created sudo and HBAC rules to allow my AD users to logon to the
IPA domain controller using the recomme
We have a FreeIPA 4.1.4 domain running on CentOS 7.1.
We have noticed that from certain machines, sudo is instant, and from others,
it takes about 5 seconds.
All machines involved can resolve each other through DNS (both forward and
reverse lookups).
Running an strace reveals that sssd_pam is
I'm trying to create a trust with AD on FreeIPA 4.3.0 domain at domain level 1.
When I try though the cli I get this error :
ipa: ERROR: communication with CIFS server was unsuccessful
When I try through the web ui I get :
IPA Error 4016: RemoteRetrieveError
Following debugging steps and setting
eipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-26-16 6:03 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Freeipa 4.3.0 : Forward only Policy fails for reverse
lookup zones
I have my FreeIPA server setup with a forward only policy for DNS.
If I perform an nslook
I have my FreeIPA server setup with a forward only policy for DNS.
If I perform an nslookup against either of the configured forward servers, I
can do a reverse lookup properly.
If I perform the same nslookup against my local server, it will not find the
entry.
I have confirmed that there are
.
Thanks for pointing out the actual bug. I'm fairly new to debugging 389 DS so
knowing what branch needed to be fixed was invaluable.
-Original Message-
From: Martin Basti [mailto:mba...@redhat.com]
Sent: January-26-16 12:57 PM
To: Nathan Peters; Rich Megginson; freeipa-
ctually 3 issues :
===
1. Missing aci on base cn=config entry
2. Missing aci on dc\3Dipatestdomain\2Cdc\3Dnet, mapping tree, config branch
3. acis are on the o=ipaca branch, but they are wrong as they only apply to
cert manager, and not all users
-Original Message-
From: M
(objectCl
ass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreeme
nts"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Ag
reements,cn=permissions,cn=pbac,dc=ipatestdomain,dc=net";)
aci: (targetattr=*)(targetfilter="(|(objectcla
e)(version 3.0;acl
"permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=myproddomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
shold || dnaType || objectclass)(version 3.0;acl &q
oupdn = "ldap:///cn=Modify DNA
Range,cn=permissions,cn=pbac,dc=dev-mydomain,dc=net";)
aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThre
shold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";
allow (read, search, compare) gro
conn=76094 op=5 UNBIND
[21/Jan/2016:19:54:40 -0800] conn=76094 op=5 fd=143 closed - U1
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: January-21-16 7:45 AM
To: freeipa-users@redhat.com
Subject: Re: [Fre
lib/dirsrv/slapd-DEV-mydomain-NET/db/userRoot
nsslapd-dncachememsize: 10485760
# search result
search: 2
result: 0 Success
# numResponses: 13
# numEntries: 12
-Original Message-
From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: January-21-16 7:29 AM
To: Nathan Peters; freeipa
r who they search from or against if GSSAPI is used.
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-20-16 11:41 PM
To: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rich Megginson
Sent: January-20-16 11:44 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with
DuplicateEntry: This entry already exists
On 01/2
aLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 1970010100Z
nsds5replicaLastInitEnd: 1970010100Z
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
-Original Message
tEnd: 1970010100Z
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: January-19-16 12:33 PM
To: Nathan Peters; Ludwig Krispenz
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Fre
I assume you mean look at the DS log on the machine being installed?
There is no "err=68" anywhere in the access file :
[root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]# grep "err=68" access
[root@dc2-ipa-dev-van slapd-DEV-GLOBALRELAY-NET]#
Here is the last few lines of the latest attempt to jo
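Grepping the access log for err=68 (LDAP entryAlreadyExists, the result ipa-replica-install reports as "DuplicateEntry: This entry already exists") finds only the RESULT line, not the operation that produced it, because 389 DS writes the request and its RESULT as separate lines that share the same conn= and op= numbers. The following is an added example, not code from the thread, from 389 DS or from FreeIPA, that joins the two so the offending DN and operation type are visible. The log lines are constructed in the access-log format and the DN is hypothetical.

```python
"""Find which LDAP operation in a 389 DS access log failed with err=68.

Added example, not part of the thread or of 389 DS / FreeIPA. The log
lines below are constructed in the 389 DS access-log format; the DN is
hypothetical. err=68 is LDAP entryAlreadyExists, which ipa-replica-install
surfaces as "DuplicateEntry: This entry already exists".
"""
import re

# Constructed sample log, not taken from any real server.
SAMPLE_ACCESS_LOG = """\
[19/Jan/2016:12:33:01 -0800] conn=42 op=0 BIND dn="cn=directory manager" method=128 version=3
[19/Jan/2016:12:33:01 -0800] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[19/Jan/2016:12:33:02 -0800] conn=42 op=1 ADD dn="cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config"
[19/Jan/2016:12:33:02 -0800] conn=42 op=1 RESULT err=68 tag=105 nentries=0 etime=0
[19/Jan/2016:12:33:03 -0800] conn=42 op=2 SRCH base="cn=config" scope=2 filter="(objectClass=nsds5replica)" attrs=ALL
[19/Jan/2016:12:33:03 -0800] conn=42 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jan/2016:12:33:04 -0800] conn=42 op=3 UNBIND
[19/Jan/2016:12:33:04 -0800] conn=42 op=3 fd=64 closed - U1
"""

# One access-log line: timestamp, connection id, operation id, payload.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
# Request payloads carry the target as dn="..." (or base="..." for searches).
REQ_RE = re.compile(
    r'^(?P<type>ADD|MOD|DEL|MODRDN|SRCH|BIND) (?:dn|base)="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def failed_operations(log_text, err_code=None):
    """Join each request with its RESULT by (conn, op) and return failures.

    Each failure is a dict with conn, op, type, dn, err and ts. When
    err_code is given, only results with that LDAP result code are returned.
    """
    pending = {}   # (conn, op) -> request details, until its RESULT arrives
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        req = REQ_RE.match(rest)
        if req:
            pending[key] = {"type": req["type"], "dn": req["dn"], "ts": m["ts"]}
            continue
        res = RESULT_RE.match(rest)
        if res:
            err = int(res["err"])
            info = pending.pop(key, {"type": "?", "dn": "?", "ts": m["ts"]})
            if err != 0 and (err_code is None or err == err_code):
                failures.append({"conn": key[0], "op": key[1], "err": err, **info})
    return failures


if __name__ == "__main__":
    for f in failed_operations(SAMPLE_ACCESS_LOG, err_code=68):
        print(f"{f['ts']} conn={f['conn']} op={f['op']} {f['type']} "
              f"err={f['err']} dn={f['dn']}")
```

On a real server the same function can be fed the contents of /var/lib/dirsrv/slapd-INSTANCE/logs/access; the DN it prints is the entry the installer tried to ADD and found already present, which is the thing to inspect or clean up before re-running the replica install.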
a Installation fails with the
hostname is not the primary hostname
On 18.1.2016 04:23, Nathan Peters wrote:
> 2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a
> primary hostname for localhost 2016-01-18T03:00:07Z DEBUG Primary
> hostname for localhost: dc2-ipa-dev-va
This is another issue I'm not sure how to debug or solve in 4.3.0. A failed
replica installation left a replica with stuff in the tree, but not configured
properly on the localhost. I did ipa-server-install -uninstall as suggested by
the installation program and it deleted the local copy of th
2016-01-18T03:00:07Z DEBUG Check if dc2-ipa-dev-van.mydomain.net is a primary
hostname for localhost
2016-01-18T03:00:07Z DEBUG Primary hostname for localhost:
dc2-ipa-dev-van.mydomain.net
2016-01-18T03:00:07Z DEBUG Search DNS for dc2-ipa-dev-van.mydomain.net
2016-01-18T03:00:07Z DEBUG Check if d
I have no idea how to troubleshoot this. I am trying to run
ipa-adtrust-install on FreeIPA 4.3.0 Fedora 23 domain.
Samba4-command and all other samba4 packages necessary are installed.
It fails at step 3 for apparently no reason. Googling reveals pretty much
nothing about what a talloc magic
not great news for anyone stuck on a
CentOS or RHEL machine with no upgrade path to 4.3.0 without switching to
Fedora who is experiencing the category of bugs (there were definitely multiple
ones) that I encountered trying to fix these replication issues.
-Original Message-
From: Nathan Peter
Hey Zeal,
When you join a FreeIPA client to a domain, as long as you put the address of
at least one of the FreeIPA servers (if they are serving DNS) in the
/etc/resolv.conf file, they will use DNS to find FreeIPA servers. Specifically
they look for _SRV records. I think they naturally prefer
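An added example, not code from FreeIPA, SSSD or anyone on the list, of how a client orders the _ldap._tcp SRV answers it gets back once it has found them through DNS: RFC 2782 says the lowest priority value wins, and records of equal priority are chosen by weighted random selection, with zero-weight records only ever picked when nothing else is. The record set and hostnames below are constructed; the random source is injected so the ordering can be checked.

```python
"""Order FreeIPA server SRV records the way an RFC 2782 client would.

Added example, not part of FreeIPA or SSSD. The records below are
constructed for illustration with hypothetical names; a real client
obtains them by querying _ldap._tcp.<domain> (and _kerberos._udp.<domain>).
"""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "target priority weight port")

# Constructed sample answer for _ldap._tcp.example.test (hypothetical hosts).
SAMPLE_SRV = [
    SrvRecord("ipa2.example.test.", 10, 40, 389),
    SrvRecord("ipa1.example.test.", 10, 60, 389),
    SrvRecord("ipa-dr.example.test.", 20, 0, 389),   # backup site, only on failure
]


def order_srv(records, rng):
    """Return the records in RFC 2782 try-order.

    Lower priority first. Within one priority, zero-weight records are
    placed at the front and a running sum of weights is built; a random
    number in [0, total] selects the first record whose running sum
    reaches it, and the process repeats for the remaining records.
    rng(total) must return an int in [0, total]; it is injected so the
    selection is deterministic under test.
    """
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: (r.weight, r.target))
        while group:
            total = sum(r.weight for r in group)
            pick = rng(total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def preferred_server(records, rng=None):
    """Target of the server a client would contact first."""
    if rng is None:
        rng = lambda total: random.randint(0, total)
    return order_srv(records, rng)[0].target


if __name__ == "__main__":
    for r in order_srv(SAMPLE_SRV, lambda total: random.randint(0, total)):
        print(f"{r.priority:>3} {r.weight:>3} {r.target}:{r.port}")
```

With the sample set, ipa1 and ipa2 are chosen first about 60/40 over many runs and ipa-dr is only ever reached after both priority-10 servers fail, which is the behaviour to expect when a client is joined with only the IPA servers in resolv.conf and left to discover the rest.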
-Original Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-15-16 10:00 AM
To: Ludwig Krispenz
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0
No dice on the rebui
controllers with
Fedora 23 domain controllers, I was able to perform the upgrade to Fedora 30.
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-16-16 2:13 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA 4.3.0
I'm attempting to add a Fedora 23 Server as a replica in a FreeIPA 4.2.0 CentOS
7.2 domain so I can begin migrating my domain to 4.3.0 and Fedora.
Because the domain is still domain level 0, I've prepared the replica file on
the old CA master (4.2.0) and installed it on the new Fedora replica an
:lkris...@redhat.com]
Sent: January-15-16 12:19 AM
To: Nathan Peters
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0
On 01/15/2016 08:32 AM, Nathan Peters wrote:
> I think I've finally started to make some progress on this. I
dn: cn=clean 8, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=dev-mydomain,dc=net
replica-id: 8
cn: clean 8
dn: cn=clean 6, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=dev-mydomain,dc=net
replica-id: 6
cn: clean 6
dn:
-ipa-dev-nvan.mydomain.net:389} 56986b54
nscpentrywsi: nsruvReplicaLastModified: {replica 86
ldap://dc1-ipa-dev-nvan.mydomain.net:389} 56976208
nscpentrywsi: nsruvReplicaLastModified: {replica 91
ldap://dc2-ipa-dev-nvan.mydomain.net:389} 56973881
nscpentrywsi: nsruvReplicaLastModified: {replica 97
ldap://dc1-i
iginal Message-
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Nathan Peters
Sent: January-14-16 12:53 PM
To: Rob Crittenden; Ludwig Krispenz; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Replication failing on FreeIPA 4.2.0
I'm begin
I'm beginning to suspect there may be something wrong with my ldap database.
I actually completely deleted dc1-nvan and dc2-nvan last night, leaving only
dc1-van. I then re-provisioned dc1-nvan and dc2-nvan from scratch (os install
and everything).
After re-provisioning I was finally able to m
Ok. I did that and it ended properly. Debugging was enabled properly.
Here are the logs from dc1 where it is refusing the update ? Not sure how to
parse these...
[12/Jan/2016:23:11:15 +] NSMMReplicationPlugin - ruv_add_csn_inprogress:
successfully inserted csn 569560240005 into p
No, the replication logs are still giving strange output and errors.
I started a new thread here with a better title to indicate that this is
strictly an IPA replication issue :
https://www.redhat.com/archives/freeipa-users/2016-January/msg00139.html
> On Mon, Jan 11, 2016 at 03:01:40PM -0800, n
I have 3 FreeIPA 4.2.0 servers running on CentOS 7.2
I am getting replication errors that I cannot seem to figure out.
Here is the setup : (I refer to master and slave because apparently your
CA is the only one who can create replica certs so it is the 'master')
dc1 : master, been running for a
I'm not sure which mailing list is the best for this because it involves 2
products, but I think the fault here is with FreeIPA.
Basically I have a Katello server running as a realm proxy. It is joined
as a client to the FreeIPA domain. I have provisioned 20 hosts last week
using its Foreman rea
> Your expectation #1 is correct, but there can be multiple reasons why it
> fails.
>
> Did you try to set forward policy = only as I advised you in the previous
> e-mail? Forward policy 'first' does not make sense when split-DNS is
> involved
> because you can end up with mixture of records from d
>>> Looking at the log entries, it appears that there may have been a
>>> network
>>> connectivity 'blip' (maybe a switch or router was restarted) at some
>>> point
>>> and even after connectivity was restored, the global forwarding was
>>> failing because the "we can't contact our forwarder" statu
We have a FreeIPA domain running IPA server 4.1.4 on CentOS 7.
We have no per zone forwarding enabled, only a single global forwarder.
This seems to work fine, but then after a while (several weeks I think)
will randomly stop working.
We had this issue several weeks ago on a different IPA domain
Sorry about this post. I sent this email to the list 3 times over the
last 48 hours and it was finally accepted after the 3rd send when I
changed the subject to something totally not descriptive of my problem.
Original email with original subject also finally posted today :(
> We have a FreeIPA
This issue has occurred again and I am once again trying to troubleshoot it.
show forwarder
--
-bash-4.2$ ipa dnsconfig-show
Global forwarders: 10.21.0.14
Allow PTR sync: TRUE
attempt ping
-bash-4.2$ ping stash.externaldomain.net
ping: unknown host stash.externaldoma
Issue was an AllowGroups directive in /etc/ssh/sshd_config that was
blocking this. It was not a FreeIPA issue :)
> Setup : FreeIPA server 4.1.2 on CentOS 7.
> FreeIPA client on CentOS 5.11
>
> Client installed properly with the exception of the following error about
> updating A records (from ipa
Setup : FreeIPA server 4.1.2 on CentOS 7.
FreeIPA client on CentOS 5.11
Client installed properly with the exception of the following error about
updating A records (from ipaclient-install.log)
2015-09-25 12:24:23,195 DEBUG Writing nsupdate commands to
/etc/ipa/.dns_update.txt:
zone ipadomain.net
and ipa 4.* during the first join on a clean OS. Can't confirm it was
working before. Is it normal behavior?
Allow PTR sync is enabled.
Cheers,
On 12 Sept 2015 at 7:44 AM, "Nathan Peters" <nat...@nathanpeters.com> wrote:
On 9/11/2015 10:32 AM, Simo Sorce
On 9/11/2015 10:32 AM, Simo Sorce wrote:
On Fri, 2015-09-11 at 10:25 -0700, nat...@nathanpeters.com wrote:
I have been trying to figure this out for a while now but when I join
machine to FreeIPA, the installer properly creates forward DNS
entries, and SSHFP entries, but does not create rever
I have been trying to figure this out for a while now but when I join a
machine to FreeIPA, the installer properly creates forward DNS entries,
and SSHFP entries, but does not create reverse entries. Without the
PTR records, kerberos logins are always failing on these machines.
The reverse zon
2 FreeIPA 4.1.4 servers running on CentOS 7.
dc1 has a sync agreement to a windows server.
It has been running fine since June 5 when I re-initialized a sync
agreement that had somehow uninitialized itself. Original issue report
here :
https://www.redhat.com/archives/freeipa-users/2015-June/msg0
I have been trying to create accounts in FreeIPA that have the same level
of permission as the built-in administrator account. Basically, I want to
do the equivalent of what you can do in Active Directory by adding someone
to the Domain Administrators group.
We need this because it is not an acce
-Original Message-
From: Rob Crittenden
Sent: Saturday, June 20, 2015 1:17 PM
To: Nathan Peters
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
"System: Read HBAC Rules" with bindtype "all" to a p
-Original Message-
From: Rob Crittenden
Sent: Friday, June 19, 2015 3:38 PM
To: nat...@nathanpeters.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] invalid 'permission': cannot add permission
"System: Read HBAC Rules" with bindtype "all" to a privilege
nat...@nathanpet
> nat...@nathanpeters.com wrote:
>> FreeIPA server 4.1.3 on CentOS 7
>>
>> I am trying to create a set of privileges or roles that will allow me to
>> create a user who has read-only access to as much of the FreeIPA web UI
>> as
>> possible. Basically my manager wants the type of view into FreeIPA
FreeIPA server 4.1.3 on CentOS 7
I am trying to create a set of privileges or roles that will allow me to
create a user who has read-only access to as much of the FreeIPA web UI as
possible. Basically my manager wants the type of view into FreeIPA that
they have in AD using the 'AD Users and Compu
> On Tue, Jun 16, 2015 at 04:32:31PM -0700, nat...@nathanpeters.com wrote:
>> I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
>> 1.11.6-30. The server is CentOS 7 / IPA 4.1.3
>>
>> When I try to log in using MIT kerberos and a valid ticket it works on
>> one
>> client, and
I have 2 CentOS 6 clients both running FreeIPA client 3.0.0-42 and sssd
1.11.6-30. The server is CentOS 7 / IPA 4.1.3
When I try to log in using MIT kerberos and a valid ticket it works on one
client, and fails on the other. I have compared the /etc/krb5.conf,
/etc/sssd/sssd.conf and /etc/openld
> On 06/08/2015 01:19 PM, nat...@nathanpeters.com wrote:
==
um WTF? making it a one way only agreement invalidates the
lastinitstart
value?
==
>>> Looks like a bug.
>> Ok, this is a pretty serious bug if making it one way can knock it
>> offline
>>
>> ==
>> um WTF? making it a one way only agreement invalidates the
>> lastinitstart
>> value?
>> ==
>
> Looks like a bug.
Ok, this is a pretty serious bug if making it one way can knock it offline
permanently. Where should I file this bug report?
> ipa-replica-manage re
> [root@dc1 ~]# ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectclass=nsDSWindowsReplicationAgreement
> Enter LDAP Password:
> dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
> \2Cdc\3Dnet,cn=mapping tree,cn=config
> nsds7WindowsReplicaSubtree: OU=Staff,DC=
I am trying my best to figure out why any FreeIPA internal
'administrators' that I create cannot search DNS entries.
The builtin admin user can search and get results for DNS entries just
fine, but we would rather not share this account with every sysadmin in
our staff.
I have created a new role
> On 06/08/2015 10:18 AM, nat...@nathanpeters.com wrote:
> This looks like incremental update is successful . . .
>
>> nsds5replicaUpdateInProgress: FALSE
>> nsds5replicaLastInitStart: 0
>> nsds5replicaLastInitEnd: 0
>
> . . . but this indicates that the sync agreement has never been
> initialized,
>>> Is it possible this is an old winsync agreement that is no longer
>>> valid?
>> I have only ever made a single winsync agreement on this server that I
>> know of. How would I tell if an agreement is no longer valid?
>>
>>
>
> ldapsearch -xLLL -D "cn=directory manager" -W -b cn=config
> objectc
> On 06/05/2015 03:31 PM, nat...@nathanpeters.com wrote:
>>> I have noticed that happen a couple times in the last few days.
>>> FreeIPA
>>> server 4.1.3 on CentOS 7 with a sync relationship to a Windows server
>>> 2008R2 domain controller.
>>>
>>> The web ui will stop working and just show a blank
> On Fri, 05 Jun 2015, Nathan Peters wrote:
>>I had originally set this up with AD trust but when we found out that
>>our alternative UPNs were not supported we switched to ad sync. I
>>removed the trust relationship from the webui by deleting all trusts
>>showing in th
I had originally set this up with AD trust but when we found out that our
alternative UPNs were not supported we switched to ad sync. I removed the
trust relationship from the webui by deleting all trusts showing in the ui.
I then set it up for sync.
Do I need to remove the trust from the com
> I have noticed that happen a couple times in the last few days. FreeIPA
> server 4.1.3 on CentOS 7 with a sync relationship to a Windows server
> 2008R2 domain controller.
>
> The web ui will stop working and just show a blank page.
>
> When I try to do a ipactl status the command just freezes a
I have noticed that happen a couple times in the last few days. FreeIPA
server 4.1.3 on CentOS 7 with a sync relationship to a Windows server
2008R2 domain controller.
The web ui will stop working and just show a blank page.
When I try to do a ipactl status the command just freezes and does noth
>> I am running FreeIPA 4.1.3 on CentOS7.
>>
>> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>>
>> The client hostname is ipaclient.login.mydomain.net.
>>
>> The FreeIPA domain is mydomain.net.
>>
>> This post here :
>> https://www.redhat.com/archives/freeipa-users/2015-Ap
> I am running FreeIPA 4.1.3 on CentOS7.
>
> I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
>
> The client hostname is ipaclient.login.mydomain.net.
>
> The FreeIPA domain is mydomain.net.
>
> This post here :
> https://www.redhat.com/archives/freeipa-users/2015-April/msg003
> On Wed, 2015-06-03 at 09:57 -0700, nat...@nathanpeters.com wrote:
>> Comments inline
>>
>> > On (02/06/15 15:25), nat...@nathanpeters.com wrote:
>> >>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the
>> client
>> >> is
>> >>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>> >>
>>
Comments inline
> On (02/06/15 15:25), nat...@nathanpeters.com wrote:
>>I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client
>> is
>>CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
>>
>>I have created a user in FreeIPA and he has access to a server through
>>HBAC rules. This
I am running FreeIPA 4.1.3 on CentOS7.
I am attempting to join a CentOS 6.5 client using ipa-client 3.0.0-42.
The client hostname is ipaclient.login.mydomain.net.
The FreeIPA domain is mydomain.net.
This post here :
https://www.redhat.com/archives/freeipa-users/2015-April/msg00368.html
states t
I am running FreeIPA 4.1.3 on CentOS 7 for the server and on the client is
CentOS 6.5 with client 3.0.0-42 (sssd 1.11.6-30).
I have created a user in FreeIPA and he has access to a server through
HBAC rules. This user has created a public / private keypair and uploaded
the public key from his per
> I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when
> one of my FreeIPA users tries to sudo (he has permissions via group
> membership) I get the following error in /var/log/messages
>
> May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing
> failed : Inva
I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when
one of my FreeIPA users tries to sudo (he has permissions via group
membership) I get the following error in /var/log/messages
May 27 20:51:34 ipaclient sssd[be[mydomain.net]]: dereference processing
failed : Invalid argumen
"created the hashes"? There is nothing in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html#ad-ca-req
about creating any hashes.
Sorry I should have been more specific. I mean updated the hash symlinks
whic
I have updated the bug report you filed below.
The issue was that the instructions would only work in Windows Server 2003
because My Network Places was removed in 2008 and above. Since the manual
clearly states that the AD sync is to be performed with server 2008 / 2012
only it made no sense
> On 05/14/2015 11:33 PM, nat...@nathanpeters.com wrote:
[root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
"cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
supersecretpassword --passsync supersecretpassword --cacert
/etc/openldap/cacerts/addc2-test.c
>> [root@ipadc1 cacerts]# ipa-replica-manage connect --winsync --binddn
>> "cn=ad sync,cn=Users,dc=test,dc=mycompany,dc=net" --bindpw
>> supersecretpassword --passsync supersecretpassword --cacert
>> /etc/openldap/cacerts/addc2-test.cer addc2.test.mycompany.net -v
>> Directory Manager password:
>>
> On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:
>> I have tried to setup synchronization between a FreeIPA domain and an AD
>> domain. The certificates are in the right place.
>>
>> [root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync
>> user,cn=Users,dc=datacenter,dc=a
I have tried to setup synchronization between a FreeIPA domain and an AD
domain. The certificates are in the right place.
[root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync
user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword
--passsync secretpassword --cac
> On 05/08/2015 12:25 PM, nat...@nathanpeters.com wrote:
>> We have all of our users in a trusted Active Directory domain and it
>> would
>> be nice to allow them to administer our DNS using their AD accounts.
>>
>> I tried creating a group called DNS administrators and assigning it the
>> DNS admi
We have all of our users in a trusted Active Directory domain and it would
be nice to allow them to administer our DNS using their AD accounts.
I tried creating a group called DNS administrators and assigning it the
DNS administrator privilege and then adding my ad_domain_admin group
(containing t
> On Wed, May 06, 2015 at 11:15:15AM -0700, nat...@nathanpeters.com wrote:
>> Ok, I have attempted to set this up by adding the AD domain to my
>> configuration and it still isn't working.
>> I just want to confirm what I'm trying to accomplish here before I list
>> what I've done to troubleshoot t
> On 05/06/2015 12:14 AM, Nathan Peters wrote:
>>> From this link :
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb
>>
>>
>> The diagram in that section
> On 05/06/2015 02:15 PM, nat...@nathanpeters.com wrote:
>> Ok, I have attempted to set this up by adding the AD domain to my
>> configuration and it still isn't working.
>> I just want to confirm what I'm trying to accomplish here before I list
>> what I've done to troubleshoot this.
>>
>> We have
when
> notifications are sent.
>
> For testing purposes I use these commands (on server):
> $ tcpdump -i any 'port 53'
> $ rndc notify mydomain.net.
>
> Look for a line from tcpdump with note 'notify' in it. I can see the
> notify
> packet as soon