Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
I think there's something seriously wrong with my system, not able to run any IPA commands. klist Ticket cache: KEYRING:persistent:0:0 Default principal: ad...@xyz.com Valid starting Expires Service principal 2016-08-23T16:26:36 2016-08-24T16:26:22 krbtgt/xyz@xyz.com

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
My disk was getting filled too fast; logs under /var/log/dirsrv were coming to around 5 GB, quickly filling up. Is there a way to make the logging less verbose? On Tue, Aug 23, 2016 at 6:41 PM, Petr Spacek wrote: > On 23.8.2016 15:07, Rakesh Rajasekharan wrote: > > I was able to

[Freeipa-users] IPA to IPA trust

2016-08-23 Thread Andrey Ptashnik
Hello IPA team, Is there a way to implement IPA to IPA trust between different domains? We are thinking of using more than one domain, however we will need users to cross login from one domain to another. Regards, Andrey -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Rakesh Rajasekharan
I changed the logging level to 4, modifying nsslapd-accesslog-level. But the hang is still there, though I don't see the segfault now. On Tue, Aug 23, 2016 at 9:02 PM, Rakesh Rajasekharan < rakesh.rajasekha...@gmail.com> wrote: > My disk was getting filled too fast > > logs under

[Freeipa-users] Deleting a duplicate user

2016-08-23 Thread Zak Wolfinger
We were in the final stages of migrating FreeIPA from 3.0 to 4.2. During the migration, both the 3.0 replicas and the 4.2 replicas were in the replica pool. User account changes made to 3.0 would replicate to 4.2 just fine, but changes wouldn’t replicate from 4.2 to 3.0. Admins should have

[Freeipa-users] The 3rd party cert for IPA Web GUI

2016-08-23 Thread Z D
Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and use it for httpd (Web GUI), without breaking anything else? I've acquired one and added it to nssdb (/etc/httpd/alias). # certutil -L -d /etc/httpd/alias Certificate Nickname

Re: [Freeipa-users] Deleting a duplicate user

2016-08-23 Thread Alexander Bokovoy
On Tue, 23 Aug 2016, Zak Wolfinger wrote: We were in the final stages of migrating FreeIPA from 3.0 to 4.2. During the migration, both the 3.0 replicas and the 4.2 replicas were in the replica pool. User account changes made to 3.0 would replicate to 4.2 just fine, but changes wouldn’t

[Freeipa-users] Two masters and one of them is desynchronized

2016-08-23 Thread bahan w
Hello! I am using IPA 3.0.0 on RedHat 6.6 servers. I have two masters and this evening, I realized that one of them was desynchronized; some users and groups were missing. I was wondering if there was an ipa command to resynchronize replicas which are not in sync with the other? Thank you in

Re: [Freeipa-users] Deleting a duplicate user

2016-08-23 Thread Alexander Bokovoy
On Tue, 23 Aug 2016, Alexander Bokovoy wrote: On Tue, 23 Aug 2016, Zak Wolfinger wrote: We were in the final stages of migrating FreeIPA from 3.0 to 4.2. During the migration, both the 3.0 replicas and the 4.2 replicas were in the replica pool. User account changes made to 3.0 would replicate

[Freeipa-users] Default gid for AD trust users

2016-08-23 Thread Orion Poplawski
Is there any way to control the default gid for AD trust users? At the moment each user has its own default group, e.g.: uid=22603(user@ad.domain) gid=22603(user@ad.domain) It would be nice to be able to set this to an actual group. Thanks. -- Orion Poplawski Technical Manager

Re: [Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

2016-08-23 Thread Zarko Dudic
On 8/16/2016 11:09 AM, Alexander Bokovoy wrote: On Tue, 16 Aug 2016, Zarko Dudic wrote: Thanks Rob. This command creates the CSR. # ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca And verification with command : # openssl req -in

Re: [Freeipa-users] clean-ruv

2016-08-23 Thread Ian Harding
Ah. I see. I mixed those up but I see that those would have to be consistent. However, I have been trying to beat some invalid RUV to death for a long time and I can't seem to kill them. For example, bellevuenfs has 9 and 16 which are invalid: [ianh@seattlenfs ~]$ ldapsearch -ZZ -h

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
On 23.8.2016 09:07, Martin Basti wrote: > > > On 23.08.2016 02:08, Matt . wrote: >> Hi Guys, >> >> What is the way to notify or update a Bind slave which is not an IPA server? >> >> Do I need to manually add an also-notify to the /etc/bind.conf on the >> IPA master or is there a different way

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Jakub, I've attached a file with the output from looking in the log files mentioned in the link you gave me. I'm not sure exactly what is wrong; I don't know how to interpret messages like: name 'tba-sadm' matched without domain, user is tba-sadm (is that good or bad?) Any advice is

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Pavel Březina
On 08/23/2016 11:26 AM, Tony Brian Albers wrote: Thanks Jakub, I've attached a file with the output from looking in the log files mentioned in the link you gave me. I'm not sure exactly what is wrong, I don't know how to interpret messages like: name 'tba-sadm' matched without domain, user is

Re: [Freeipa-users] clean-ruv

2016-08-23 Thread Ludwig Krispenz
On 08/23/2016 11:52 AM, Ian Harding wrote: Ah. I see. I mixed those up but I see that those would have to be consistent. However, I have been trying to beat some invalid RUV to death for a long time and I can't seem to kill them. For example, bellevuenfs has 9 and 16 which are invalid:

Re: [Freeipa-users] Unknown Error - error (pop-up) window

2016-08-23 Thread Pavel Vomacka
On 08/22/2016 09:46 PM, Zarko Dudic wrote: Hi all, IPA version: ipa-server-4.2.0-15.0.1.el7_2.18.x86_64 Kernel: 3.8.13-118.10.2.el7uek.x86_64 I started seeing a pop-up window titled "Unknown Error" with message "error" and buttons Retry and Cancel. It happens when selecting almost anything on

[Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Hi guys, I've been trying to get sudo to work for our day-to-day admins who have their own usergroup in IPA called subadmin. For some reason I can't really get sudo to work; I suspect I am missing something simple, but I can't really figure out what it is. This is my config: # ipa sudorule-find

[Freeipa-users] clean-ruv

2016-08-23 Thread Ian Harding
I've followed the procedure in this thread: https://www.redhat.com/archives/freeipa-users/2016-May/msg00043.html and found my list of RUV that don't have an existing replica id. I've tried to remove them like so: [root@seattlenfs ianh]# ldapmodify -D "cn=directory manager" -W -a Enter LDAP

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Martin Basti
On 23.08.2016 02:08, Matt . wrote: Hi Guys, What is the way to notify or update a Bind slave which is not an IPA server? Do I need to manually add an also-notify to the /etc/bind.conf on the IPA master or is there a different way how to accomplish this? I hope this is possible and anyone

Re: [Freeipa-users] clean-ruv

2016-08-23 Thread Ludwig Krispenz
Looks like you are searching the nstombstone below "o=ipaca", but you are cleaning RUVs in "dc=bpt,dc=rocks". Your attrlist_replace error refers to the bpt,rocks backend, so you should search the tombstone entry there, then determine which replicaIDs to remove. Ludwig On 08/23/2016 09:20

Re: [Freeipa-users] Possible bug in SSSD/IPA/AD trust

2016-08-23 Thread Troels Hansen
- On Aug 11, 2016, at 3:56 PM, Jakub Hrozek jhro...@redhat.com wrote: > On Thu, Aug 11, 2016 at 03:11:10PM +0200, Troels Hansen wrote: >> Hi, we are currently working on a larger IPA test project and I have a problem >> which has been bugging me for some time now: > > Which version? Most

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Tony Brian Albers
Thanks Simon, Is this a known issue? We're on Centos 7.2 and yes, the sssd version is 1.13 /tony On Tue, 2016-08-23 at 06:49 +, Simpson Lachlan wrote: > What version of sssd are you using? > > We found that it wouldn't work w sssd<1.14 > > On the IPA server, it would say "yep rule

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jakub Hrozek
On Tue, Aug 23, 2016 at 06:24:23AM +, Tony Brian Albers wrote: > Hi guys, > > I've been trying to get sudo to work for our day-to-day admin who have > their own usergroup in IPA called subadmin. > > For some reason I can't really get sudo to work, I suspect I am missing > something simple,

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jakub Hrozek
On Tue, Aug 23, 2016 at 07:11:44AM +, Tony Brian Albers wrote: > Thanks Simon, > > Is this a known issue? We're on Centos 7.2 and yes, the sssd version is > 1.13 > > /tony IIRC Simpson's issue was related to using AD trusts and default_domain_suffix. I would recommend looking at logs first

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Simpson Lachlan
What version of sssd are you using? We found that it wouldn't work w sssd<1.14 On the IPA server, it would say "yep rule applies", but then on any particular machine it wouldn't (well, it would - but only intermittently). There's a COPR repo for Centos7 if you aren't on Fedora/RedHat. Cheers

Re: [Freeipa-users] Possible bug in SSSD/IPA/AD trust

2016-08-23 Thread Jakub Hrozek
On Tue, Aug 23, 2016 at 08:42:42AM +0200, Troels Hansen wrote: > > > - On Aug 11, 2016, at 3:56 PM, Jakub Hrozek jhro...@redhat.com wrote: > > > On Thu, Aug 11, 2016 at 03:11:10PM +0200, Troels Hansen wrote: > >> Hi, we are currently working on a larger IPA test project and I have a > >>

Re: [Freeipa-users] Freeipa 4.2.0 hangs intermittently

2016-08-23 Thread Petr Spacek
On 23.8.2016 15:07, Rakesh Rajasekharan wrote: > I was able to fix that, maybe temporarily... when I checked the network, > there was another process that was running and consuming a lot of network ( > I have no idea who did that. I need to seriously start restricting people's > access to this

[Freeipa-users] SUDO and group lookup in AD trust

2016-08-23 Thread Troels Hansen
Running RHEL 7.2: ipa-client-4.2.0-15.el7_2.18 sssd-ipa-1.13.0-40.el7_2.12.x86_64 ipa-server-4.2.0-15.el7_2.18.x86_64 I have a sudo rule where I try to give sudo access based on an AD group. # groups drext...@net.dr.dk drext...@net.dr.dk : drext...@net.dr.dk ...

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Jeff Goddard
Not sure if it's related or not but I also reported an instance of similar behavior of this on Ubuntu 16.0.1 On Tue, Aug 23, 2016 at 2:24 AM, Tony Brian Albers wrote: > Hi guys, > > I've been trying to get sudo to work for our day-to-day admin who have > their own

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Matt .
OK, but what kind of records are you talking about then ? 2016-08-23 12:25 GMT+02:00 Petr Spacek : > On 23.8.2016 09:07, Martin Basti wrote: >> >> >> On 23.08.2016 02:08, Matt . wrote: >>> Hi Guys, >>> >>> What is the way to notify or update a Bind slave which is not an IPA

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
On 23.8.2016 12:43, Matt . wrote: > OK, but what kind of records are you talking about then ? I'm not sure what else should I say. NS records: the ones added by $ ipa record-add @ --ns-rec=. (please note the trailing period) Does it answer your question? Petr^2 Spacek > > 2016-08-23 12:25

Re: [Freeipa-users] private user groups for existing users

2016-08-23 Thread Rob Crittenden
siology.io wrote: I've noticed that some of my users (imported from openldap) don't have personal user groups, but the new ones that I make within freeipa do. Is there a way of marking the existing accounts such that they get user groups made for them? I couldn't seem to see the groups that

Re: [Freeipa-users] IPA Error 4301: CertificateOperationError

2016-08-23 Thread Rob Crittenden
Fraser Tweedale wrote: On Mon, Aug 22, 2016 at 11:52:46PM +, Z D wrote: Hello, There is the error on ver 4.2 while viewing certs: "IPA Error 4301: CertificateOperationError", next it read " Certificate operation cannot be completed: Unable to communicate with CMS ([Errno 113] No route to

Re: [Freeipa-users] can't get sudo to work.

2016-08-23 Thread Rob Crittenden
Pavel Březina wrote: On 08/23/2016 01:55 PM, Tony Brian Albers wrote: Here you are: [root ~]# ldapsearch -Y GSSAPI -b $dc '(ou=*)' -s onelevel # profile, $domain dn: ou=profile,$dc objectClass: top objectClass: organizationalUnit ou: profiles ou: profile # search result search: 4 result:

[Freeipa-users] private user groups for existing users

2016-08-23 Thread siology.io
I've noticed that some of my users (imported from openldap) don't have personal user groups, but the new ones that I make within freeipa do. Is there a way of marking the existing accounts such that they get user groups made for them? I couldn't seem to see the groups that IPA is making in the

Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal

2016-08-23 Thread realstarhealer
Hi Rob, I was concerned just because it is nowhere clearly stated what ipa-ca-agent / caAdminCert with default serial id #6 is used for and how it affects the system when expired. So if it is not needed by IPA, I also do not strictly need to recreate a new valid cert for that. Is it sure,

Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal

2016-08-23 Thread Rob Crittenden
realstarhealer wrote: Hi Rob, I was concerned just because it is nowhere clearly stated what ipa-ca-agent / caAdminCert with default serial id #6 is used for and how it affects the system when expired. It isn't used at all. This is the admin cert typically used when interfacing with the

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Matt .
And then allow the IP of the IPA server for update or transfer on the slave? Because I don't see anything coming in. 2016-08-23 12:47 GMT+02:00 Petr Spacek : > On 23.8.2016 12:43, Matt . wrote: >> OK, but what kind of records are you talking about then ? > > I'm not sure

Re: [Freeipa-users] Update NON-ipa Bind slave server from IPA-DNS edit/update

2016-08-23 Thread Petr Spacek
On 23.8.2016 13:21, Matt . wrote: > And then allow the IP of the IPA server for update or transfer on the slave? > > Because I don't see anything coming in. The config has two parts: 1. master (IPA DNS)