Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread Martin Basti
On 08.11.2016 14:57, lejeczek wrote: hello I've changed an uid of a.user but system: $ id a.user - still shows old id. When is the system supposed to notice that change? thanks L. Hello, you probably need to erase SSSD cache on client, sss_cache -E if I remember correctly Martin --

[Freeipa-users] Determine if hosts are still active.

2016-11-08 Thread McNiel, Craig
I'm running IPA 4.2 in SSO in a highly dynamic AWS EC2 environment. Is there a way to tell if a host that has joined the domain is still active using an LDAP query so that I can determine hosts that have been torn down and no longer exist and remove them from the directory? I have looked at

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Rob Crittenden
Alessandro De Maria wrote: > Hello Martin, > > still no luck unfortunately. > > The client is an ubuntu 14.04 server, and I believe it is enrolled already. > > The /etc/ipa/ca.pem is correct and already installed, and I even added > it to the /etc/ssl/certs directory (which is why my curl

[Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Ask Stack
I thought /etc/krb5.conf controls which kerberos server the clients talk to. As a test, I removed /etc/krb5.conf and rebooted the client. After reboot, I can still log in and "kinit user" . Removing /etc/krb5.keytab, however would stop user from logging in and sssd to start.

Re: [Freeipa-users] CSN not found

2016-11-08 Thread lejeczek
On 03/11/16 19:58, Mark Reynolds wrote: dbscan -f /var/lib/dirsrv/slapd-INSTANCE/db/changelogdb >results of above scan do not look like that CSN form reported in >dirsrv's error log, it is: >.. >=116156 >=116157 >=116158 >.. That doesn't look quite right, Just to confirm you should be doing

Re: [Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread Brian Candler
On 08/11/2016 13:57, lejeczek wrote: I've changed an uid of a.user but system: $ id a.user - still shows old id. When is the system supposed to notice that change? You might want to force the cache to expire early. Try: sss_cache -U or sss_cache -u (I'm afraid I don't know what

Re: [Freeipa-users] What is the use of /etc/krb5.conf?

2016-11-08 Thread Martin Babinsky
On 11/08/2016 05:13 PM, Ask Stack wrote: I thought /etc/krb5.conf controls which kerberos server the clients talk to. As a test, I removed /etc/krb5.conf and rebooted the client. After reboot, I can still log in and "kinit user" . Removing /etc/krb5.keytab, however would stop user from logging

[Freeipa-users] SRV (mixed?) records

2016-11-08 Thread lejeczek
hi everyone when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled) Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related toolkit(on that server) shows zone & records,

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Alessandro De Maria
Thank you Rob and Martin, the correct place on Ubuntu seems to be: /etc/pki/nssdb/ This directory does not seem to be initialised by the *ipa-client-install* tool. Now my script still doesn't work, but offer brand new errors :) Thank you On 8 November 2016 at 14:55, Rob Crittenden

Re: [Freeipa-users] SRV (mixed?) records

2016-11-08 Thread Martin Basti
On 08.11.2016 19:41, lejeczek wrote: hi everyone when I look at my domain I see something which seems inconsistent to me (eg. work5 is not part of the domain, was --uninstalled) Do these records need fixing? I'm asking because one of the servers, despite the fact the ipa dns related

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
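I will try your solutions. Thanks! -- Wishing you success at work and a happy life! -- Changsha R&D Center 郑磊 Tel: 18684703229 Email: zheng...@kylinos.cn Company: Tianjin Kylin Information Technology Co., Ltd. Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan -- Original -- From: "Lukas Slebodnik";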

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
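Yes, the problem is solved after I added the httpd_run_ipa boolean to the selinux-policy on Ubuntu. Thank you! -- Wishing you success at work and a happy life! -- Changsha R&D Center 郑磊 Tel: 18684703229 Email: zheng...@kylinos.cn Company: Tianjin Kylin Information Technology Co., Ltd. Address: 14th Floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan --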

[Freeipa-users] attrlist_replace - attr_replace : failed

2016-11-08 Thread lejeczek
hi everyone I have a three servers which seemingly!? work but all three log: attrlist_replace - attr_replace (nsslapd-referral, ldap://swir.xx.xx and swir.xx.xx is the server which ipa-replica-prepared and on it I see: attrlist_replace - attr_replace (nsslapd-referral, ldap://whale.xx.xx

Re: [Freeipa-users] FreeIPA + DHCP-LDAP - Fedora 24 - broken

2016-11-08 Thread Petr Spacek
On 7.11.2016 17:45, Raul Dias wrote: > You are right, > > This might be more a Fedora issue than FreeIPA. I am hoping that someone else > is also using DHCP with LDAP (specially with FreeIPA). > > I am using the IPA-dhcp plugin: https://github.com/jefferyharrell/IPA-dhcp > > ldapsearch -x shows

Re: [Freeipa-users] attrlist_replace - attr_replace : failed

2016-11-08 Thread Petr Spacek
On 8.11.2016 15:19, lejeczek wrote: > hi everyone > > I have a three servers which seemingly!? work but all three log: > > attrlist_replace - attr_replace (nsslapd-referral, ldap://swir.xx.xx > > and swir.xx.xx is the server which ipa-replica-prepared and on it I see: > > attrlist_replace -

Re: [Freeipa-users] Remove AD domain in auth commands

2016-11-08 Thread Martin Babinsky
On 11/07/2016 09:11 PM, James Harrison wrote: Hello Sorry didn't explain. The ipa is the default domain, but I also want to use the Windows domain to authenticate, but I want the OS to detect what realm to use in the ssh command. Thanks On Mon, 7 Nov, 2016 at 11:48, Martin Basti

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Martin Babinsky
On 11/07/2016 04:45 PM, Alessandro De Maria wrote: Hi Martin, I tried from the host I am executing the script from, and I get: certutil -L -d /etc/httpd/alias/ certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. From the FreeIPA

Re: [Freeipa-users] ipalib: SEC_ERROR_UNTRUSTED_ISSUER

2016-11-08 Thread Alessandro De Maria
Hello Martin, still no luck unfortunately. The client is an ubuntu 14.04 server, and I believe it is enrolled already. The /etc/ipa/ca.pem is correct and already installed, and I even added it to the /etc/ssl/certs directory (which is why my curl command in the first email does not complain)

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread Umarzuki Mochlis
2016-11-08 16:33 GMT+08:00 郑磊 : > Hello everyone, > I have been setting up freeipa(its version is 4.3.1) on Ubuntu. Selinux is > enable, and its mode is permissive. I met a problem at configuring the httpd > process, but the process won't be interrupted. The configuration

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
Command returns the result: root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on Cannot set persistent booleans without managed policy. root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/getsebool httpd_run_ipa Error getting active

[Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread 郑磊
Hello everyone, I have been setting up freeipa(its version is 4.3.1) on Ubuntu. Selinux is enable, and its mode is permissive. I met a problem at configuring the httpd process, but the process won't be interrupted. The configuration information is as follows: Configuring the web interface

Re: [Freeipa-users] AD trust and UPN issue

2016-11-08 Thread Jan Karásek
Hi, I can confirm that UPN issue is fixed in RHEL 7.3. That is great, thank you a lot. It looks like solution came with sssd 1.14.x right ? Anybody knows if there are plans to implement it into RHEL 6.x (ipa-client) ? Currently my ipa-clients on RHEL 6.8 (sssd 1.13.3.-22) are not able to

Re: [Freeipa-users] Configuring httpd error when selinux is permissive

2016-11-08 Thread Lukas Slebodnik
On (08/11/16 16:57), 郑磊 wrote: >Command returns the result: >root@ipaserver:/tmp/freeipa-4.3.1# /usr/sbin/setsebool -P >httpd_can_network_connect=on httpd_run_ipa=on httpd_manage_ipa=on >Cannot set persistent booleans without managed policy. > >root@ipaserver:/tmp/freeipa-4.3.1#

[Freeipa-users] system to pick up pa user-mod --uid change - how long?

2016-11-08 Thread lejeczek
hello I've changed an uid of a.user but system: $ id a.user - still shows old id. When is the system supposed to notice that change? thanks L. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for