[Freeipa-users] cleanallruv - no replica's :(

2016-09-30 Thread Matt Wells
Hey all, I hoped anyone may be able to assist. I had 2 dead replicas and used the cleanallruv.pl as they refused to leave otherwise. `/usr/sbin/cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=mosaic451,dc=com' -r 17` 17 being the bad guy. Well it ran `woohoo` but deleted all of my

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Natxo Asenjo
On Fri, Sep 30, 2016 at 10:45 AM, Rob Crittenden wrote: > Natxo Asenjo wrote: > >> >> >> On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden > > wrote: >> >> Natxo Asenjo wrote: >> >> >> >> On Tue, Sep 27, 2016 at

Re: [Freeipa-users] RBAC - User Administrator - OTP tokens

2016-09-30 Thread Martin Basti
On 27.09.2016 17:16, Prashant Bapat wrote: RBAC Role "User Administrator" should have access to all users' OTP tokens. Specifically to remove if someone has lost their token. We get this a lot. I found no permissions that give this access. Can someone explain if this can be added easily

Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden
Jim Richard wrote: Can I and how… delete all certs for all hosts I mean, we only use FreeIPA for user login/sssd That said, do we even need those certs? There is no simple answer, really. Yes, you can delete all certs for all hosts (not recommended as some of those are for IPA services).

Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden
Jim Richard wrote: another interesting thing, my httpd/error_logs are constantly getting spammed with: (I removed the stuff between the single quotes) Notice those names don’t match, should they? Me thinks not since those “principal=“ items are ALMOST all hosts that no longer exist in the

Re: [Freeipa-users] another certmonger question

2016-09-30 Thread Rob Crittenden
Natxo Asenjo wrote: On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden wrote: Natxo Asenjo wrote: On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden

Re: [Freeipa-users] Certificate format error reported by GUI

2016-09-30 Thread Pavel Vomacka
Ah, ok, does /var/log/httpd/error_log contain any error after looking at hosts using GUI? And could you please send output of ipactl status after the error occurs? On 09/30/2016 02:40 AM, Jim Richard wrote: Hi Paul, 3.0.0 on Centos 6.8 Jim Richard

Re: [Freeipa-users] SELinux errors with sssd-krb5-common-1.13.0-40.el7_2.12.x86_64

2016-09-30 Thread Sumit Bose
On Thu, Sep 29, 2016 at 12:07:13PM -0400, Prasun Gera wrote: > I need to set SELinux to enforcing to get the relevant SSSD logs, right ? yes, I think this would help to identify the operation which triggers the AVC because it should fail. bye, Sumit > > On Thu, Sep 29, 2016 at 3:42 AM, Sumit

[Freeipa-users] FreeIPA as CA for your own internal webservices

2016-09-30 Thread Matt .
Hi Guys, I'm wondering how it's possible to use FreeIPA as your own CA for apache vhosts and such. I need too many certificates for subdomains (wildcards) that it's undoable and I would like to use my FreeIPA installs for this. I installed the root certificate on windows from my IPA install and

Re: [Freeipa-users] Install IPA Servers with third-party certificate(external CA)

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 10:03:08PM -0400, beeth beeth wrote: > Thanks Florence and Rob! The replica worked after adding the certs during > the replica preparation. > > Now I got several IPA clients installed with user authentication(ssh login > with the users in IPA) working after some work.

Re: [Freeipa-users] HBAC rules stop working

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote: > server: > ipa-server-4.2.0-15.sl7_2.19.x86_64 > sssd-1.13.0-40.el7_2.12.x86_64 > > client: > sssd-1.14.1-3.el7.centos.x86_64 > > AD trust - users are in AD. HBAC rule in place for client to allow a user > to login/ssh/su/etc. >

Re: [Freeipa-users] external groups and /etc/group

2016-09-30 Thread Jakub Hrozek
On Thu, Sep 29, 2016 at 08:01:59PM -0400, Rusty Shackleford wrote: > On Thu, Sep 29, 2016 at 4:47 PM, Jakub Hrozek wrote: > > > > > I think you are looking for: > > https://sourceware.org/glibc/wiki/Proposals/GroupMerging > > > > Well that's a bummer. Thanks for getting