On 11/03/2012 01:12 PM, Pavel Zhukov wrote:
Can you do NS lookup of the IPA server from the AMM box?
yes
Can you do kinit from the AMM box against IPA?
Can you do ldapsearch from the AMM box against IPA?
no, AMM has restricted shell and web GUI.
Hmm, that is unfortunate. Can you run tcpdump
On 11/04/2012 01:25 PM, Steven Jones wrote:
Hi,
Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should be
in your RH supported channel tree?
The passsync.msi has to go on each AD box
Each Domain Controller.
Also note that you asked if "Can I be able to synchronize the c
On 11/04/2012 02:23 PM, William Muriithi wrote:
> Hi all,
>
> I am in the process of deploying freeIPA 2.2 to authenticate Linux
> systems and have been able to setup everything nicely with separate
> domain. I mean users are currently using separate password to access
> Linux system and another s
So, we're in a datacenter that lost power over Sandy. (It's not our only one,
so the app was fine.)
I'm now trying to bring the DC back online, and IPA is having issues with its
inability to reach other replicas.
* We're using IPA for DNS as well as the kerberos & LDAP services.
Does
On 11/05/2012 12:51 PM, Matthew Barr wrote:
> So, we're in a datacenter that lost power over Sandy. (It's not our
> only one, so the app was fine.)
>
> I'm now trying to bring the DC back online, and IPA is having issues
> with its inability to reach other replicas.
>
> * We're using IPA for DNS
"Also note that you asked if "Can I be able to synchronize the current AD
user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
You cannot synchronize already existing passwords with IPA 2.x. You
would have to force AD users to change their passwords in order to get
the clear t
Steve, thanks
> Hi,
>
> Yes you can winsync and passsync RHEL6.3 IPA from win2k3 r2 + AD, it should
> be in your RH supported channel tree?
>
Nope, using CentOS 6.3. I checked and looks like I can find
passsync.msi from here. I am hoping it's the same Windows binaries
supplied to RedHat paying
nice (and nice it's in 6.4)
:)
I need to read up on trusts.
However from limited experience in an AD forests with trusts they get very
complex and the security can go bye bye. I've seen pen tests that come in from
a trusted domain, using an account with too many privileges a bad password in
a
Rich,
>
> In addition to other comments I want to step back and give a bit of a
> bigger picture.
> 1) Regardless of what approach you choose we recommend using the latest
> available version at the moment of deployment.
Good suggestion. This means I should use version 3. Problem that would
have
Hi,
I'm not at work yet but the default is something like
cn=users,dc=example,dc=com, it's not needed to be specified though (maybe it
should be to encourage ppl to check) so I did my first sync and wiped all my
users out of IPA! oops
So you have to specify it with something like --win-subtree
corner case?
as in not very standard?
In which case, yes I suppose so. AD is a very complex thing and you can
customise it, it seems. As a Linux person wandering into such a thing as a
non-standard AD and not knowing this it's a bit of a minefield. But of course
you don't know you are in on
>> * We're using IPA for DNS as well as the kerberos & LDAP services.
>
> Is it installed with forwarders to some other DNS server? Is that server
> alive and running? It is reachable?
> If not you might want to add host name and IP of the IPA server into the
> /etc/hosts
Yep, that was the ti
Steven Jones wrote:
"Also note that you asked if "Can I be able to synchronize the current AD
user credentials with
FreeIPA 2.2 or do I have to upgrade to FreeIPA 3.0"
You cannot synchronize already existing passwords with IPA 2.x. You
would have to force AD users to change their passwords in or
I hope I haven't missed it in searching around, but how does one update
the CA certificate in IPA?
Though it is a year out from expiring I would rather know sooner than
later when it comes to this.
-Erinn
Erinn Looney-Triggs wrote:
I hope I haven't missed it in searching around, but how does one update
the CA certificate in IPA?
Though it is a year out from expiring I would rather know sooner than
later when it comes to this.
Kudos for planning ahead!
What kind of CA do you have installed? Are
On 11/05/12 10:25, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> I hope I haven't missed it in searching around, but how does one update
>> the CA certificate in IPA?
>>
>> Though it is a year out from expiring I would rather know sooner than
>> later when it comes to this.
>
> Kudos for p
Erinn Looney-Triggs wrote:
On 11/05/12 10:25, Rob Crittenden wrote:
Erinn Looney-Triggs wrote:
I hope I haven't missed it in searching around, but how does one update
the CA certificate in IPA?
Though it is a year out from expiring I would rather know sooner than
later when it comes to this.
On 11/05/12 10:42, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/05/12 10:25, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
I hope I haven't missed it in searching around, but how does one update
the CA certificate in IPA?
Though it is a year out from expiri
Hello,
A couple of questions regarding DNS / Allow PTR sync.
1. If you have a zone 'example.com' and you enable "Allow PTR sync", should
you also enable the option in the reverse zone (e.g. 168.192.in-addr-arpa.)?
2. Do you have to wait a specified amount of time for the PTR record to be
remo
On 11/05/2012 01:51 PM, Tim Hughes wrote:
>
> I am trying to migrate from a fedora-ds-1.1.2-1.fc6 server to
> ipa-server-2.2.0-16.el6.x86_64 with the following command
>
>
> ipa migrate-ds ldaps://fedora-ds-server.internal --continue
> --with-compat --base-dn=dc=custsvc,dc=mycompany
> --user-contai
Hi,
I defined some users that are not members of the ipausers group, for
some reason these users are able to login to the server using the ipa client
tools and the web interface https://myipaserver/ipa/ui
I don't want any users look at other users information, is there a way
to
On 11/05/2012 01:40 PM, William Muriithi wrote:
> Rich,
>
>> In addition to other comments I want to step back and give a bit of a
>> bigger picture.
>> 1) Regardless of what approach you choose we recommend using the latest
>> available version at the moment of deployment.
> Good suggestion. This
On 11/05/2012 02:01 PM, Steven Jones wrote:
> corner case?
>
> as in not very standard?
>
> In which case, yes I suppose so. AD is a very complex thing and you can
> customise it, it seems. As a Linux person wandering into such a thing as a
> non-standard AD and not knowing this it's a bit of a
On 11/05/2012 05:57 PM, Marcello Giannoni UCLA wrote:
> Hi,
>
> I defined some users that are not members of the ipausers group, for
> some reason these users are able to login to the server using the ipa client
> tools and the web interface https://myipaserver/ipa/ui
> I don't want a
On 11/05/2012 04:35 PM, Michael Mercier wrote:
> Hello,
>
> A couple of questions regarding DNS / Allow PTR sync.
>
> 1. If you have a zone 'example.com' and you enable "Allow PTR sync", should
> you also enable the option in the reverse zone (e.g. 168.192.in-addr-arpa.)?
> 2. Do you have to wai
On 11/05/2012 01:34 PM, Steven Jones wrote:
> nice (and nice it's in 6.4)
>
> :)
>
> I need to read up on trusts.
>
> However from limited experience in an AD forests with trusts they get very
> complex and the security can go bye bye. I've seen pen tests that come in
> from a trusted domain, usin
Hi,
Yes. In hindsight it's pretty obvious when you have a new product connecting
to another complex product in a "foreign way" in an enterprise / complex
environment that some shake-out is going to happen. I guess I didn't know what
I didn't know and I got accelerated in deploying IPA faster an