I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I assume).
But when I ssh from the first
On 03/19/2015 05:04 PM, Roberto Cornacchia wrote:
Yes.
[root@meson ~]# cat /etc/resolv.conf
search hq.example.com
nameserver 192.168.0.72
Sorry from the short log I posted it's not visible, but that ip
address is the address of the ipa server (ipa.hq.example.com
It's just that /var/lib/sss/db is not cleared between subsequent server
installs and uninstall, and that seems to be creating problems on the
server since the server is also a client. If you do
install-uninstall-install on the server with the same domain name for both
the installs, you cannot
On 03/19/2015 07:55 PM, nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my
Hi
I have completely changed the scenario and I managed to install
freeipa-server 4.1 (Somebody published the right repo for Centos and it
worked really well)
--Let me double check a couple of things. You wrote you installed
PassSync on Windows 2013 (which could be a typo?) We support
Cool stuff. Thanks.
I had a look at our SRV records and found the following:
_kerberos-master._tcp
_kerberos-master._udp
_kerberos._tcp
_kerberos._udp
_kpasswd._tcp
_kpasswd._udp
_ldap._tcp
_ntp._udp
No mention of any ipa srv records. Does sssd use _ldap._tcp?
Thanks,
Andrew
On 18 March 2015
On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote:
Cool stuff. Thanks.
I had a look at our SRV records and found the following:
_kerberos-master._tcp
_kerberos-master._udp
_kerberos._tcp
_kerberos._udp
_kpasswd._tcp
_kpasswd._udp
_ldap._tcp
_ntp._udp
No mention of any
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:
On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
Hi there,
I'm planning to deploy freeIPA on our lan.
It's small-ish and completely based on FC21, so I expect everything to
work
like a charm.
Except one detail. We have
On 03/18/2015 07:21 PM, Rich Megginson wrote:
On 03/18/2015 11:07 AM, Kim Perrin wrote:
ah, good question. Relevant errors around trying to use the ldif I
included to remove replica ID 97 --
[18/Mar/2015:04:01:51 +] NSMMReplicationPlugin - CleanAllRUV Task:
Waiting for all the replicas to
Isn't this documented well (yet) ?
The RH docs are always very detailed about it, but I'm not sure
here... I see solutions but not 100% from A to Z to make sure we do it
the proper way.
2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
Not worried, I need to try.
I think it's not an
nat...@nathanpeters.com wrote:
I have finally gotten all of my Solaris servers to accept AD users but the
behavior is inconsistent.
In my FreeIPA domain, I can login to a Linux server and then ssh to the
Solaris server and I am automatically logged in because of my Kerberos
ticket (I
The right way to request a SAN, this seems to need some extra config file ?
2015-03-19 15:04 GMT+01:00 Rob Crittenden rcrit...@redhat.com:
Matt . wrote:
Isn't this documented well (yet) ?
Is what documented yet?
rob
The RH docs are always very detailed about it, but I'm not sure
here...
On 03/19/2015 02:46 PM, Roberto Cornacchia wrote:
Hi Dmitri,
I do realise my question is borderline and I accept that it is
considered off-topic.
I did post it here because I believe it's not *only* about NFS, but
also about its interaction with freeIPA. The issue of NFS home and in
I'm running a bit out of time today, but I'll be doing some 7.1 builds tomorrow
anyway, so I'll spin up the test package for you.
On 19 Mar 2015, at 16:31, Gould, Joshua joshua.go...@osumc.edu wrote:
RHEL 7.0 fully up to date.
sssd-krb5-common-1.12.2-58.el7.x86_64
Hi,
let's say that I created a SSL certificate:
ipa service-add HTTP/www.test.lan
ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k
/etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D www.test.lan -K
On 3/18/15 10:10 PM, Kim Perrin wrote:
This is about the 6th time I've tried installing this replica. Each time
I run the ipa-replica-manage del and ipa-csreplica-manage del command
before trying. I also build new replica install files each time.
Obviously I can't figure out what the problem is.
Matt . wrote:
Isn't this documented well (yet) ?
Is what documented yet?
rob
The RH docs are always very detailed about it, but I'm not sure
here... I see solutions but not 100% from A to Z to make sure we do it
the proper way.
2015-03-12 16:59 GMT+01:00 Matt . yamakasi@gmail.com:
Nicolas Zin wrote:
Hi,
let's say that I created a SSL certificate:
ipa service-add HTTP/www.test.lan
ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k
/etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan
Hi,
I am curious, Is there a possibility to add email address for the
admin user in the IPA web UI?
In my current configuration admin user is a Linux system user and
also used by IPA.
I think there should be possibility to enter an email address for that
user, but UI has no button/link (add)
Giedrius Tuminauskas wrote:
Hi,
I am curious, Is there a possibility to add email address for the
admin user in the IPA web UI?
In my current configuration admin user is a Linux system user and also
used by IPA.
I think there should be possibility to enter an email address for that
user,
On 03/19/2015 02:36 PM, Rob Crittenden wrote:
Giedrius Tuminauskas wrote:
Hi,
I am curious, Is there a possibility to add email address for the
admin user in the IPA web UI?
In my current configuration admin user is a Linux system user and also
used by IPA.
I think there should be
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
(described here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able
to authenticate AIX 7.1 clients against an AD
Janelle wrote:
On 3/18/15 10:10 PM, Kim Perrin wrote:
This is about the 6th time I've tried installing this replica. Each time
I run the ipa-replica-manage del and ipa-csreplica-manage del command
before trying. I also build new replica install files each time.
Obviously I can't figure out what
Janelle wrote:
Hello again,
Ok, probably a stupid question. If you increase cache sizes and tune
389-ds on the backend, do those changes replicate or do you need to make
them across the other servers as well?
For example:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype:
Hello again,
Ok, probably a stupid question. If you increase cache sizes and tune
389-ds on the backend, do those changes replicate or do you need to make
them across the other servers as well?
For example:
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace:
I am having problems with sudo and using _srv_ in the sssd config.
This works:
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
ldap_sudo_search_base = ou=sudoers,dc=cloud,dc=native-instruments,dc=de
ldap_sasl_mech = GSSAPI
ldap_sasl_authid =
On 03/19/2015 05:10 AM, Gonzalo Fernandez Ordas wrote:
Hi
I have completely changed the scenario and I managed to install
freeipa-server 4.1 (Somebody published the right repo for Centos and it
worked really well)
--Let me double check a couple of things. You wrote you installed
PassSync on
On 03/19/2015 05:29 AM, Roberto Cornacchia wrote:
On 6 March 2015 at 11:15, Martin Kosek mko...@redhat.com wrote:
On 03/06/2015 10:56 AM, Roberto Cornacchia wrote:
Hi there,
I'm planning to deploy freeIPA on our lan.
It's small-ish and
I thought a bit more about the issue of conflicts in /var/lib/sss/db, and I
think it's a pretty significant problem, probably from a security
standpoint too. The fact that it's trying to authenticate against something
stale and incorrect would imply that it might erroneously authenticate
against
Hi Dmitri,
I do realise my question is borderline and I accept that it is considered
off-topic.
I did post it here because I believe it's not *only* about NFS, but also
about its interaction with freeIPA. The issue of NFS home and in particular
about their creation is touched in all the links I
On 19 Mar 2015, at 20:09, Prasun Gera prasun.g...@gmail.com wrote:
I thought a bit more about the issue of conflicts in /var/lib/sss/db, and I
think it's a pretty significant problem, probably from a security standpoint
too. The fact that it's trying to authenticate against something
On 19 Mar 2015, at 21:18, Roberto Cornacchia roberto.cornacc...@gmail.com
wrote:
It's possible that I'm simply not getting the point, or that I don't
understand the documentation correctly, but this is what I don't find clear:
I had seen the instructions you pointed me at. These are
On 03/19/2015 04:46 PM, Roberto Cornacchia wrote:
Hi,
This should really work like a charm, and I'm sure it is a stupid
mistake of mine if it doesn't, but I really can't find out what goes
wrong.
Both IPA server and client are on FC21, very up to date.
Server installation (standard, with
It's possible that I'm simply not getting the point, or that I don't
understand the documentation correctly, but this is what I don't find clear:
I had seen the instructions you pointed me at. These are not specifically
about home directories.
However, this section is:
Hi,
This should really work like a charm, and I'm sure it is a stupid mistake
of mine if it doesn't, but I really can't find out what goes wrong.
Both IPA server and client are on FC21, very up to date.
Server installation (standard, with dns) worked well. Required ports open
in the firewall.
Thanks, Jakub.
On 19 March 2015 at 21:23, Jakub Hrozek jhro...@redhat.com wrote:
On 19 Mar 2015, at 21:18, Roberto Cornacchia
roberto.cornacc...@gmail.com wrote:
It's possible that I'm simply not getting the point, or that I don't
understand the documentation correctly, but this is
[root@meson ~]# dig ipa.hq.spinque.com
humph, sorry about the confusion, I missed one in my anonymisation step..
that would be dig ipa.hq.example.com
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org
Yes.
[root@meson ~]# cat /etc/resolv.conf
search hq.example.com
nameserver 192.168.0.72
Sorry from the short log I posted it's not visible, but that ip address is
the address of the ipa server (ipa.hq.example.com)
[root@meson ~]# dig ipa.hq.spinque.com
; DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21
I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switch to:
sudo_provider=ipa
That does indeed seem to work. Thanks!
and remove all the ldap_ config parameters as well as krb5_server.
Thank you Rob, it worked like a charm.
Giedrius
At Thursday, 19-03-2015 on 13:41 Martin Kosek wrote:
On 03/19/2015 02:36 PM, Rob Crittenden wrote:
Giedrius Tuminauskas wrote:
Hi,
I am curious, Is there a possibility to add email address for the
admin user in the IPA web UI?
In my
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
(described here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able
to authenticate AIX 7.1 clients against an AD
On Wed, Mar 18, 2015 at 05:55:52PM -0400, Rob Crittenden wrote:
getcert status
process 31282: arguments to dbus_message_new_method_call() were
incorrect, assertion path != NULL failed in file dbus-message.c line 1262.
This is normally a bug in some application using the D-Bus library.
I'm seeing ssh logins for AD users take MUCH longer when using SID mapping
vs. POSIX attributes. Both myself and our AD admin would prefer to use SID
mapping. It appears tied to the group lookup at login. There seem to be
many posts about it, but I haven't found anything to help much. sssd pegs
RHEL 7.0 fully up to date.
sssd-krb5-common-1.12.2-58.el7.x86_64
sssd-ipa-1.12.2-58.el7.x86_64
sssd-1.12.2-58.el7.x86_64
sssd-tools-1.12.2-58.el7.x86_64
sssd-common-1.12.2-58.el7.x86_64
sssd-ad-1.12.2-58.el7.x86_64
sssd-krb5-1.12.2-58.el7.x86_64
sssd-ldap-1.12.2-58.el7.x86_64
On Thu, Mar 19, 2015 at 11:31:16AM -0400, Gould, Joshua wrote:
RHEL 7.0 fully up to date.
Are you sure? Looks like 7.1 to me based on the NVRs.
sssd-krb5-common-1.12.2-58.el7.x86_64
sssd-ipa-1.12.2-58.el7.x86_64
sssd-1.12.2-58.el7.x86_64
sssd-tools-1.12.2-58.el7.x86_64
On Thu, Mar 19, 2015 at 11:05:45AM -0400, Gould, Joshua wrote:
I'm seeing ssh logins for AD users take MUCH longer when using SID mapping
vs. POSIX attributes. Both myself and our AD admin would prefer to use SID
mapping. It appears tied to the group lookup at login. There seem to be
many
Hi there,
I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
(described here:
http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able to
authenticate AIX 7.1 clients against an AD domain using LDAP. After the trust
was created all seems to work well
You are correct. 7.1.
Sent with Good (www.good.com)
-Original Message-
From: Jakub Hrozek [jhro...@redhat.com]
Sent: Thursday, March 19, 2015 11:37 AM Eastern Standard Time
To: Gould, Joshua
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Really slow
On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
I am having problems with sudo and using _srv_ in the sssd config.
This works:
# For the SUDO integration
sudo_provider = ldap
ldap_uri = ldap://test-freeipa-1.cloud.domain.de
ldap_sudo_search_base =
Hi Jakub,
Name: ipa-client
Arch: x86_64
Version : 3.3.3
Release : 28.0.1.el7.centos.3
On 19 March 2015 at 17:33, Jakub Hrozek jhro...@redhat.com wrote:
On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
I am having problems with sudo and using _srv_ in the
On Thu, Mar 19, 2015 at 05:38:49PM +0100, Andrew Holway wrote:
Hi Jakub,
Name: ipa-client
Arch: x86_64
Version : 3.3.3
Release : 28.0.1.el7.centos.3
I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switch to: