Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Now all is ok :) # ipa trust-add --type=ad mydomain.com --admin Administrator --password Active Directory domain administrator's password: --- Added Active Directory trust for realm "mydomain.com"

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Martin Basti
On 09/09/2015 06:32 PM, Thomas Suiter wrote: Is there an equivalent host/computer default objectclasses that there is for ipa config-mod --groupobjectclasses/--userobjectclasses ? We are wanting to add some additional attributes to all of the servers, I’m able to add the object class to

Re: [Freeipa-users] attempting to restore IPA

2015-09-10 Thread David Kupka
Hello Steven! I would like to help you but unfortunately I have no chance to guess what went wrong. To help us help you please report any issue in a way described on FreeIPA Troubleshooting page (http://www.freeipa.org/page/Troubleshooting). Most importantly we need the following: 1.

[Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
OS: RHEL 7.1 w IDM I'm seeing these messages in my master's log messages. I don't know if it's related, but I think I started seeing them after I set up a replica. Everything seems to be working fine, but I'm worried that things will break if delta grows beyond a point. I tried steps in

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
Thanks. I'm not virtualizing though. Should I still add it ? On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway wrote: > Hi, > > I assume you are virtualising. > > Try adding "tinker panic 0" to /etc/ntp.conf. > > It should make it tolerant to heavily drifting virtual

[Freeipa-users] DNS Server

2015-09-10 Thread Günther J . Niederwimmer
Hello, what is the best way to include an external Nameserver for an IPA Host? My DNS (DNSSEC) server is running on an extra Instance (KVM) now I have setup an extra Instance for an IPA Master Server and I have now to include the CNAME Server like "smtp.example.com CNAME imap.example.com" or can I

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
Hi, I assume you are virtualising. Try adding "tinker panic 0" to /etc/ntp.conf. It should make it tolerant to heavily drifting virtual clocks. Cheers, Andrew On 10 September 2015 at 13:46, Prasun Gera wrote: > OS: RHEL 7.1 w IDM > > I'm seeing these messages in my

Re: [Freeipa-users] Add objectclasses to computer schema

2015-09-10 Thread Rob Crittenden
Thomas Suiter wrote: > Is there an equivalent host/computer default objectclasses that there is > for ipa config-mod --groupobjectclasses/--userobjectclasses ? We are > wanting to add some additional attributes to all of the servers, I’m > able to add the object class to individual servers but not

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Andrew Holway
That's odd. You would normally not need it on bare metal. It could be broken hardware. On 10 September 2015 at 14:05, Prasun Gera wrote: > Thanks. I'm not virtualizing though. Should I still add it ? > > On Thu, Sep 10, 2015 at 5:02 AM, Andrew Holway

Re: [Freeipa-users] DNS Server

2015-09-10 Thread Petr Spacek
On 10.9.2015 15:38, Günther J. Niederwimmer wrote: > Hello, > > what is the best way to include an external Nameserver for an IPA Host? > > My DNS (DNSSEC) server is running on an extra Instance (KVM) now I have setup > an > extra Instance for an IPA Master Server and I have now to include the

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Alexander Bokovoy
On Thu, 10 Sep 2015, Martin Kosek wrote: On 09/08/2015 08:13 PM, Ian Pilcher wrote: Now that I'm actually using IPA authentication for a few services within my house, I'm going to set up a simple "start page" with a few links, including a link to IPA web UI for password changes. I'd like to

[Freeipa-users] PKI-CAD service fails, IPA won't start

2015-09-10 Thread Cassidy, James M.
Hello: So recently, we received some new workstations that I loaded with Ubuntu 12.04. The person who had this sysadmin position before me set up the IPA domain and had it running for quite some time. I went to add one of the systems to the domain through a script he created, something in the

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Martin Kosek
On 09/08/2015 08:13 PM, Ian Pilcher wrote: > Now that I'm actually using IPA authentication for a few services within > my house, I'm going to set up a simple "start page" with a few links, > including a link to IPA web UI for password changes. I'd like to use > the FreeIPA logo, but I've only

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
The hardware is not very old (ivybridge). The entries appear every few minutes in the log. The /etc/ntp.conf has not been modified manually. It lists 3 servers - 0.rhel.pool.ntp.org, 1 and 2. At the end, there are also a couple of additional local servers with the comment added by

Re: [Freeipa-users] certificate add subject alt Name

2015-09-10 Thread Youenn PIOLET
Hi, I'm not sure I understood all of your problem, but here is some information that may help: - First, you don't change a certificate, but you can revoke it and make a new one - If you need to add a SubjectAltName to a certificate, you may have realized that the -D parameter makes the request to

Re: [Freeipa-users] Logging?

2015-09-10 Thread Martin Kosek
On 09/09/2015 09:50 PM, Janelle wrote: > Hello, > > I was wondering if anyone has played with the extended logging of IPA and > specifically SSSD and the kibana dashboards they put together. > https://www.freeipa.org/page/Centralized_Logging > > I can't seem to get "clients" to send the login

Re: [Freeipa-users] Logging?

2015-09-10 Thread Janelle
On 9/10/15 7:55 AM, Martin Kosek wrote: On 09/09/2015 09:50 PM, Janelle wrote: Hello, I was wondering if anyone has played with the extended logging of IPA and specifically SSSD and the kibana dashboards they put together. https://www.freeipa.org/page/Centralized_Logging I can't seem to get

Re: [Freeipa-users] Vector/hi-res logo

2015-09-10 Thread Petr Spacek
On 10.9.2015 17:22, Alexander Bokovoy wrote: > On Thu, 10 Sep 2015, Martin Kosek wrote: >> On 09/08/2015 08:13 PM, Ian Pilcher wrote: >>> Now that I'm actually using IPA authentication for a few services within >>> my house, I'm going to set up a simple "start page" with a few links, >>> including

Re: [Freeipa-users] ntpd frequency error xxx PPM exceeds tolerance 500 PPM

2015-09-10 Thread Prasun Gera
So I did a bit of googling and tinker panic 0 only makes sense for virtual machines. Is there any way to confirm if it is indeed a hardware issue ? On Thu, Sep 10, 2015 at 5:16 AM, Andrew Holway wrote: > That's odd. You would normally not need it on bare metal. It could

[Freeipa-users] Migrating from iDM/FreeIPA RHEL 6.5 to 7.1 - CA Server Master

2015-09-10 Thread Craig White
Following instructions from here... https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html RHEL6 server # rpm -qa ipa-server ipa-server-3.0.0-42.el6.x86_64 RHEL7 server # rpm -q ipa-server

[Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Gustavo Mateus
Hi, I'm trying to setup my Amazon Linux instances to be able to fetch the IPA users public ssh key. Do I have to setup a binddn and bindpw in the ldap.conf file and use /usr/libexec/openssh/ssh-ldap-wrapper or is there a better way to do it? Thanks, Gustavo

Re: [Freeipa-users] AuthorizedKeysCommand for clients using nss-pam-ldapd

2015-09-10 Thread Prashant Bapat
One way to do it is write a small script which will fetch the keys from LDAP. As for authentication, I make the SSH public key anonymously readable for everyone. On 11 September 2015 at 05:00, Gustavo Mateus wrote: > Hi, > > I'm trying to setup my Amazon Linux

Re: [Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

2015-09-10 Thread Morgan Marodin
Sorry, I've read ipv6.disable=1 in this article http://www.freeipa.org/page/Active_Directory_trust_setup#Prerequisites, I understood wrong this prerequisite and went directly to the next chapter, in my mind I was convinced that IPv6 must be disabled :) I will try with IPv6 enabled, and then I will