Re: [Freeipa-users] Freeipa 4.3.0 replica installation fails with DuplicateEntry: This entry already exists

2016-01-25 Thread Martin Basti
Thank you, I found the root cause of why the "System: Read Replication Agreements" ACI is not on the replica. https://fedorahosted.org/freeipa/ticket/5631 I have to figure out why this permission is added on centos7.2, because IMO this bug has been there since 4.0. On 24.01.2016 03:22, Nathan Peters wrote: I

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Martin Kosek
On 01/25/2016 01:34 PM, thierry bordaz wrote: > On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: >> Hello, >> >> I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have >> on all two masters an Error. >> >> NSMMReplicationPlugin - replication keep alive entry

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Cool Thanx Rob Verduijn 2016-01-25 12:59 GMT+01:00 Alexander Bokovoy : > On Mon, 25 Jan 2016, Rob Verduijn wrote: >> >> Since the first option has less impact, that one sounds the most >> interesting. >> However, does this also remain functional when the first ipa server is

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread thierry bordaz
On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters an Error. NSMMReplicationPlugin - replication keep alive entry

[Freeipa-users] Authentication Issues

2016-01-25 Thread Vang Pha
Hello All, Installation Notes: - ipa-server-4.2.0-15.el7.centos.3.x86_64 - ipa-server-trust-ad-4.2.0-15.el7.centos.3.x86_64 Configured it as a non-dns server install with a trust to server.dev, but after I established the trust and rebooted the machine, it's looking for

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz
On 01/25/2016 01:43 PM, Martin Kosek wrote: On 01/25/2016 01:34 PM, thierry bordaz wrote: On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters an Error. NSMMReplicationPlugin -

Re: [Freeipa-users] Replica Error with freeIPA Centos 7.2

2016-01-25 Thread Ludwig Krispenz
On 01/23/2016 11:08 PM, Günther J. Niederwimmer wrote: Hello, I have installed freeIPA from a CentOS 7.2 with a replica Server, but I have on all two masters an Error. NSMMReplicationPlugin - replication keep alive entry

[Freeipa-users] Active Directory and IPA Client

2016-01-25 Thread Cameron Christensen
Hello, I have a trust established between Windows Active Directory and IPA. From the IPA server I can get details about AD users but not from a server configured as an IPA client. [root@ipa_server ~]# getent passwd ad_user@ad_domain ad_user@ad_domain:*:1869402973:1869402973:ADUser

Re: [Freeipa-users] Active Directory and IPA Client

2016-01-25 Thread Sumit Bose
On Mon, Jan 25, 2016 at 10:15:42AM -0700, Cameron Christensen wrote: > Hello, > > I have a trust established between Windows Active Directory and IPA. > From the IPA server I can get details about AD users but not from a > server configured as an IPA client. > > [root@ipa_server ~]# getent

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Birnbaum, Warren (ETW)
My system-auth-ac file looks like:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Alexander Bokovoy
On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote: Thanks Alexander. Is there a place where there are example pam stacks that work with active directory and hbac? Defaults in RHEL/Fedora should be enough: - install RHEL/Fedora, - apply ipa-client-install, then you get a proper setup. That's

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Birnbaum, Warren (ETW)
OK. I have done this and am using the pam stack that results from what you describe here. A few threads back you mentioned that this could be a reason why my hbac rules are not restricting access. I have no hbac rules currently and any active directory user can access any host. Is there

Re: [Freeipa-users] Active Directory users are not controlled by HBAC

2016-01-25 Thread Alexander Bokovoy
On Mon, 25 Jan 2016, Birnbaum, Warren (ETW) wrote: OK. I have done this and am using the pam stack that results from what you describe here. A few threads back you mentioned that this could be a reason why my hbac rules are not restricting access. I have no hbac rules currently and any active

Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Jakub Hrozek
On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote: > Hi, > > H microsoft removes the UI, but leaves the schema extension. > Does not really make sense, but after some googling this does seem to > be the case. > > Your comment made me check google with some different keywords and I

Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Rob Verduijn
Maybe the difference was that I used a fresh demo installation from a windows 2012r2 server. I only added the ad-controller, dns and ntp functionality for testing. (and all the patches...which literally takes a day to complete on a system with 4 cores and 4G ram) I also found out that dnssec is not

[Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Zeal Vora
Hi I have set up a multi-master IPA and it seems to be working fine. The clients ( laptops and servers ) are not using the DNS of IPA. I was wondering, while configuring ipa-client, which server do I reference when it asks for the ipa-server hostname ? Both master servers have different

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Christian Heimes
On 2016-01-25 08:17, Winfried de Heiden wrote:
> Great,
>
> Changing
>
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
>
> to
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
>
> along with adding the windows realm to

Re: [Freeipa-users] Freeipa deployment request

2016-01-25 Thread Petr Spacek
On 22.1.2016 16:22, Visakh MV wrote: > Hi team, > > We plan to integrate windows ad and openshift origin with freeipa. We > have doubts about DNS working between those, and we also need > configuration details for replication between those. If you guys provide any > kind of information for

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden
OK clear, many thanks! Winny On 25-01-16 at 09:45 Christian Heimes wrote: On 2016-01-25 08:17, Winfried de Heiden wrote: Great, Changing /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = false to # cat

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden
"RHEL 6.x libkrb5 has no support for KDC proxy" Too bad, I was afraid of that Winny On 25-01-16 at 08:36 Alexander Bokovoy wrote: RHEL 6.x libkrb5 has no support for KDC proxy

[Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Rob Verduijn
Hi all, When you have an ipa 4.2 server with a one-way trust to the ad, what steps are needed to install a second ipa master that also has a one-way trust to the ad ? Rob Verduijn

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Petr Spacek
On 25.1.2016 10:47, Zeal Vora wrote: > Hi > > I have set up a multi-master IPA and it seems to be working fine. > > The clients ( laptops and servers ) are not using the DNS of IPA. > > I was wondering, while configuring ipa-client, which server do I reference > when it asks for the ipa-server

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Zeal Vora
Thanks Petr. So if the domain is example.com, in DNS, what would be the IP associated with it ? As there are 2 master servers, each of them will have a different IP address. On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek wrote: > On 25.1.2016 10:47, Zeal Vora wrote: > > Hi > >

[Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread bahan w
Hello ! I recently installed a replica (master2) in addition to my master (master1) with IPA 3.0.0-47 on RHEL6.6. I don't know from when exactly, but the dirsrv (and the whole ipa service) on master1 crashes regularly with the following logs. ### [22/Jan/2016:15:38:20 +0100] -

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy
On Mon, 25 Jan 2016, Rob Verduijn wrote: Hi all, When you have an ipa 4.2 server with a one-way trust to the ad, what steps are needed to install a second ipa master that also has a one-way trust to the ad ? Depends on what you want to achieve. If you want the second IPA master to be able to

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread Petr Spacek
On 25.1.2016 12:08, Zeal Vora wrote: > Thanks Petr. > > So if the domain is example.com, in DNS, what would be the IP associated > with it ? > > As there are 2 master servers, each of them will have a different IP address. Please see the following text about DNS SRV records:

Re: [Freeipa-users] How to reference to IPA Server in Multi-Master Setup ?

2016-01-25 Thread David Kupka
On 25/01/16 12:08, Zeal Vora wrote: Thanks Petr. So if the domain is example.com, in DNS, what would be the IP associated with it ? As there are 2 master servers, each of them will have a different IP address. On Mon, Jan 25, 2016 at 4:34 PM, Petr Spacek wrote: On

Re: [Freeipa-users] Incremental update failed and requires administrator action

2016-01-25 Thread Ludwig Krispenz
Could you get a core dump from the crash: http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes Ludwig On 01/25/2016 12:08 PM, bahan w wrote: Hello ! I recently installed a replica (master2) in addition to my master (master1) with IPA 3.0.0-47 on RHEL6.6. I don't know from when

Re: [Freeipa-users] multimaster ad one way trust setup

2016-01-25 Thread Alexander Bokovoy
On Mon, 25 Jan 2016, Rob Verduijn wrote: Since the first option has less impact, that one sounds the most interesting. However, does this also remain functional when the first ipa server is taken offline ? Yes. What this option enables is to allow an IPA master to become a 'trust agent', which means