Re: [Freeipa-users] netgroups not working for exports in freeipa
On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote:
> Hi
>
> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS netgroups (of hosts) that are being used to export (non-kerberos) nfs shares which I would like to migrate to ipa.
>
> I've created a new netgroup in ipa (for testing) and added some hosts to it (using ipa netgroup-add and ipa netgroup-add-member).
>
> I'm hoping that when exporting an nfs share using the @netgroup syntax in /etc/exports that the netgroup will be looked up in ipa and the share will be exported to the hosts in the netgroup.
>
> /etc/nsswitch.conf has a line:
>     netgroup: files nis sss
>
> /etc/exports has a line:
>     /var/tmp/testexport @rmjnetgroup1(ro)
>
> I haven't, so far, been able to mount the exported share on a client so I'm wondering if this setup would be expected to work?
>
> What is confusing to me is that the section in the Redhat 6 Identity Management guide on netgroups also has information on running the NIS listener plugin so I'm wondering if perhaps this only works when running the nis listener. I'm trying to avoid that.
>
> I'd welcome any clarification on how to do non-kerberised nfs exports to groups of hosts.

Does getent netgroup rmjnetgroup1 show the hosts you'd expect?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] netgroups not working for exports in freeipa
On 28/01/15 10:57, Jakub Hrozek wrote:
> On Tue, Jan 27, 2015 at 10:03:37PM +, Roderick Johnstone wrote:
>> Hi
>>
>> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS netgroups (of hosts) that are being used to export (non-kerberos) nfs shares which I would like to migrate to ipa.
>>
>> I've created a new netgroup in ipa (for testing) and added some hosts to it (using ipa netgroup-add and ipa netgroup-add-member).
>>
>> I'm hoping that when exporting an nfs share using the @netgroup syntax in /etc/exports that the netgroup will be looked up in ipa and the share will be exported to the hosts in the netgroup.
>>
>> /etc/nsswitch.conf has a line:
>>     netgroup: files nis sss
>>
>> /etc/exports has a line:
>>     /var/tmp/testexport @rmjnetgroup1(ro)
>>
>> I haven't, so far, been able to mount the exported share on a client so I'm wondering if this setup would be expected to work?
>>
>> What is confusing to me is that the section in the Redhat 6 Identity Management guide on netgroups also has information on running the NIS listener plugin so I'm wondering if perhaps this only works when running the nis listener. I'm trying to avoid that.
>>
>> I'd welcome any clarification on how to do non-kerberised nfs exports to groups of hosts.
>
> Does getent netgroup rmjnetgroup1 show the hosts you'd expect?

Indeed it does. The individual triples listed for the netgroup contain entries like:
    (host,-,domain)
where host is a fully qualified hostname which is dns resolvable.

(For info, if I do ypcat on one of my NIS netgroups I get a triple like this:
    (host,,)
where host is the fully qualified host name, and nothing in the domain field.)

I've actually tried two netgroups with different domains set.

The first one (rmjnetgroup) I made without specifying the --nisdomain option to ipa netgroup-add and domain in the output above shows as my dns domain (which is a lower case version of my kerberos realm). I couldn't mount nfs shares when exporting to @rmjnetgroup.

I checked that I could mount the shares when I exported explicitly to the fully qualified host name, and that worked ok.

So, thinking that the problem was with the domain name I made a new netgroup (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name for our nis domain as shown with the domainname command. I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.

Roderick
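An added example, not part of the original thread: a small model of the netgroup triple field rules (an empty field is a wildcard, "-" means no valid value, and a field the caller does not ask about always passes), applied to the two triple shapes quoted above. The host name client1.example.com, the group name legacygroup and the sample `getent netgroup` lines are constructed; xxx stands in for the NIS domain as in the message.

```python
import re

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_getent_netgroup(line):
    """Parse one line of `getent netgroup NAME` output into (name, triples)."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups())
               for m in TRIPLE_RE.finditer(rest)]
    return name, triples

def field_matches(entry, query, ignore_case=False):
    """Entry "" is a wildcard, "-" matches nothing; query None = not asked."""
    if query is None or entry == "":
        return True
    if entry == "-":
        return False
    if ignore_case:
        return entry.lower() == query.lower()
    return entry == query

def in_netgroup(triples, host=None, user=None, domain=None):
    """innetgr()-style membership test over already expanded triples."""
    return any(
        field_matches(h, host, ignore_case=True)
        and field_matches(u, user)
        and field_matches(d, domain)
        for h, u, d in triples
    )

# Constructed sample lines in the two shapes described in the thread.
IPA_STYLE = "rmjnetgroup1          (client1.example.com,-,example.com)"
NIS_STYLE = "legacygroup           (client1.example.com,,)"

def demo():
    _, ipa = parse_getent_netgroup(IPA_STYLE)
    _, nis = parse_getent_netgroup(NIS_STYLE)
    fqdn = "client1.example.com"
    return {
        "ipa_host_only": in_netgroup(ipa, host=fqdn),
        "nis_host_only": in_netgroup(nis, host=fqdn),
        "ipa_short_name": in_netgroup(ipa, host="client1"),
        "ipa_other_domain": in_netgroup(ipa, host=fqdn, domain="xxx"),
        "nis_other_domain": in_netgroup(nis, host=fqdn, domain="xxx"),
        "ipa_with_user": in_netgroup(ipa, host=fqdn, user="alice"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Under this model a host-only lookup matches both shapes, while a lookup that also supplies a domain or a user only matches the (host,-,domain) form when the domain is identical and never when a user is given.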
Re: [Freeipa-users] replication question
Hi Daniel,

thanks a million! Raising the nsslapd-sasl-max-buffer-size to 2 megs from 65k did the trick!!

Kind regards,
Csaba Kollar

On 27 Jan 2015, at 17:44, dbisc...@hrz.uni-kassel.de wrote:
> Hi,
>
> On Tue, 27 Jan 2015, Csaba Kollar wrote:
>> I’ve installed ipa-server-3.0.0-42.el6.centos.x86_64 on CentOS 6.6 servers. Configured first as a master. Configured second as a replica. Everything went smoothly, no errors.
>>
>> If I create a user on the master, it automatically shows up on the replica. BUT if I create a user on the replica, I cannot see the created user on the master. (or if I delete a user on replica which was created on master, it stays on the masters)
>>
>> I’ve tried to force-sync the master without luck:
>>
>> [root@centosm ~]# ipa-replica-manage force-sync --from centosr.macp.sh
> [...]
>
> sounds like the problem I had recently, please check https://fedorahosted.org/freeipa/ticket/4807 for details.
>
> Mit freundlichen Gruessen/With best regards,
>
> --Daniel.
Re: [Freeipa-users] authenticate samba 3 or 4 with freeipa: building ipasam.so on Ubuntu
Alexander Bokovoy abokovoy@... writes:
On Wed, 14 Jan 2015, Raoul Becke wrote:
Alexander Bokovoy abokovoy at ... writes:

Thank you very much for these detailed instructions. It seems not to be too complicated and I'm thinking of giving it a 2nd try - the only thing that worries me a bit is:

> This would work more or less the same in 3.0 but you would need to add permissions differently because 3.x doesn't have as easy permission constructing means as 4.0 has.

Is there a document that describes how to do this in:

    Name: ipa-server
    Arch: x86_64
    Version : 3.3.3

Or a document that describes the differences, then I can take it from there.