Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 09:19, Jason B. Nance wrote: > >- User/group management in general becomes largely a command-line > operation (such as mapping groups so they can be used in HBAC and sudo > rules) > > While this is a nice-to-have, it isn't a deal breaker. > This

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-01 Thread Fraser Tweedale
On Wed, Feb 01, 2017 at 09:44:34PM +0100, Gorazd wrote: > Hello, > > I am interested if there is any feature matrix available for the FreeIPA > version of the Dogtag packaging. So which features of Dogtag are not included > or come with limitations when installed with FreeIPA (such as OCSP is >

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Martin Basti
On 01.02.2017 23:44, Lachlan Musicman wrote: On 2 February 2017 at 09:19, Jason B. Nance > wrote: >- User/group management in general becomes largely a command-line operation (such as mapping groups so they can be used in HBAC and

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Martin Basti
On 02.02.2017 00:05, Lachlan Musicman wrote: On 2 February 2017 at 09:51, Martin Basti > wrote: On 01.02.2017 23:44, Lachlan Musicman wrote: (aside: does FreeIPA have plans to move toward PatternFly? http://www.patternfly.org/ )

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>>> - User/group management in general becomes largely a command-line operation >> > (such as mapping groups so they can be used in HBAC and sudo rules) >> While this is a nice-to-have, it isn't a deal breaker. > This definitely exists in WebUI? Unless you mean something I don't understand. >

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 03:00:55PM -0600, Jason B. Nance wrote: > Hello everyone, > > I'm about to deploy a fresh IPA domain that needs to integrate with Active > Directory. In my lab environment I've setup a trust with AD and the > following items are driving me away from using the trust: >

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 09:51, Martin Basti wrote: > > On 01.02.2017 23:44, Lachlan Musicman wrote: > > > > (aside: does FreeIPA have plans to move toward PatternFly? > http://www.patternfly.org/ ) > > > Unless I missed something, FreeIPA 4.x already uses patternfly > >

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
>> - Users can't login to a Linux box using just "username" (user@ad.domain >> is >> used) > > In the current version you can use the 'default_domain_suffix' option in > sssd.conf on the clients. In RHEL-7.4 we are looking into making this > limitation go away. Thank you very much,

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Lachlan Musicman
On 2 February 2017 at 10:06, Jason B. Nance wrote: > > >- User/group management in general becomes largely a command-line >> operation (such as mapping groups so they can be used in HBAC and sudo >> rules) >> >> While this is a nice-to-have, it isn't a deal breaker. >> >

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Hey Martin, Does the gateway error have anything to do with the --no-wait-for-dns flag that I used when I created the replica image? I have another test IPA setup working fine in the same env and the only difference I see is that in that env I did not use --no-wait-for-dns for replicas. Thanks, Deepak On

Re: [Freeipa-users] guidance on SID-UID mapping via sssd-ad -- one child domain works fine, 2nd domain generating SID-to-UID mapping error

2017-02-01 Thread Sumit Bose
On Wed, Feb 01, 2017 at 12:29:37PM -0500, Chris Dagdigian wrote: > Hi folks, > > I've posted here and gotten amazing help on our odd setup with IPA having a > 1-way trust to a massive remote AD forest with 90+ domain controllers and > lots of child domains. > > I'm running into a strange issue

Re: [Freeipa-users] [SOLVED] Re: guidance on SID-UID mapping via sssd-ad -- one child domain works fine, 2nd domain generating SID-to-UID mapping error

2017-02-01 Thread Sumit Bose
On Wed, Feb 01, 2017 at 02:41:35PM -0500, Chris Dagdigian wrote: > > Update: > > Resolved. A bit of googling led me to some good RHEL pages as well as > mailing list messages from Alex B that were concise and helpful. > > To summarize for others who may have this problem: > > 1. Don't make

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Jakub Hrozek
On Tue, Jan 31, 2017 at 08:05:18PM +, Sullivan, Daniel [CRI] wrote: > Hi, > > I figured out what was going on with this issue. Basically cache timeouts > were causing a large number of uid numbers in an arbitrarily-timed directory > listing to have expired cache records, which causes those

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Troels Hansen
Hmm, I suspect it's happening on the server, though I haven't been able to pinpoint a log entry that confirms my suspicion. I have pinpointed the timeout to happen 58 seconds after completely removing the SSSD cache and restarting SSSD, which leads me to think my issue is related to

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-02-01 Thread Michael Ströder
Alexander Bokovoy wrote: > On Tue, 31 Jan 2017, Rich Megginson wrote: >> On 01/31/2017 04:46 PM, Michaël Van de Borne wrote: >>> That was the feared, but somehow expected, answer. >>> >>> Any entry point/documentation about how to start such a script? >> >> Do FreeIPA and OpenLDAP still support

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
On 02/01/2017 10:22 AM, deepak dimri wrote: Hi All, I have two IPA servers - primary and secondary - running. The secondary IPA server is installed using the IPA replica image of the primary. While doing the testing I realised that when I manually shut down my primary IPA server, making my secondary

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Troels Hansen
From looking at a TCP dump, I can see that if a client requests an AD user from IPA, IPA does a full user lookup in AD, even though the IPA server has the user in the local cache? It looks like a single group generates a LOT of traffic to AD like: client -> IPA IPA -> client IPA -> AD AD -> IPA

[Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Hi All, I have two IPA servers - primary and secondary - running. The secondary IPA server is installed using the IPA replica image of the primary. While doing the testing I realised that when I manually shut down my primary IPA server, making my secondary server serve the UI. And now when I try to

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Sullivan, Daniel [CRI]
The ldap_enumeration_search_timeout is for enumeration, this is for looking up all users, try using the ldap_opt_timeout and or ldap_opt_timeout for a single user lookup. If a lookup is timing out you will definitely see it in your domain logs, it’s hard to miss. I would take the time to

Re: [Freeipa-users] Replica FQDN / Domain question

2017-02-01 Thread Martin Basti
On 01.02.2017 14:06, Christophe TREFOIS wrote: Hi all, Small question which might be naive. We have an existing setup with 4 replicas, all with FQDNs like replica1.example.com and REALM example.com . We want to add another replica,

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
On 02/01/2017 11:17 AM, deepak dimri wrote: Hello Martin, Thank you so much for your reply. I checked /etc/ipa/default.conf 'xmlrpc_uri' on my secondary server and it's pointing to its own hostname and not to the primary server hostname :( Any other clue, Martin? I have tried without proxy and

[Freeipa-users] Replica FQDN / Domain question

2017-02-01 Thread Christophe TREFOIS
Hi all, Small question which might be naive. We have an existing setup with 4 replicas, all with FQDNs like replica1.example.com and REALM example.com. We want to add another replica, replica5, whose FQDN would have a different domain, so say

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Sullivan, Daniel [CRI]
Have you checked to see if the user is expired in the cache, or if it is impacted by entry_cache_nowait_percentage (ref sssd.conf). The default entry timeout is only 90 minutes and entry_cache_nowait_percentage default is 50. ldbsearch -H /var/lib/sss/db/timestamps_xxx.xxx.uchicago.edu.ldb >

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Sullivan, Daniel [CRI]
Alright cool, thank you for getting back to me. I appreciate your input and expertise. Dan > On Feb 1, 2017, at 9:08 AM, Jakub Hrozek wrote: > > On Wed, Feb 01, 2017 at 02:35:00PM +, Sullivan, Daniel [CRI] wrote: >> Jakub, >> >> Thank you for getting back to me.

Re: [Freeipa-users] Identification with openLDAP and authorization with FreeIPA

2017-02-01 Thread Michaël Van de Borne
Ok, thank you very much guys for your ideas. That's why I definitely love open source... :) Cheers, m. On 01-02-17 at 09:04, Michael Ströder wrote: Alexander Bokovoy wrote: On Tue, 31 Jan 2017, Rich Megginson wrote: On 01/31/2017 04:46 PM, Michaël Van de Borne wrote: That was the

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 02:35:00PM +, Sullivan, Daniel [CRI] wrote: > Jakub, > > Thank you for getting back to me. Yeah, I agree with what you are saying. > The problem that I’m really trying to solve is the how to get them requested > reasonably often part. A good use case for my

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Sullivan, Daniel [CRI]
Jakub, Thank you for getting back to me. Yeah, I agree with what you are saying. The problem that I'm really trying to solve is the "how to get them requested reasonably often" part. A good use case for my problem is basically: 1) Somebody starts an interactive job on a compute node (this is

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-02-01 Thread Florence Blanc-Renaud
On 02/01/2017 05:47 PM, Steve Huston wrote: Would it be better to file this as a new bug, or reopen 4291? Hi, we are already aware of the problem and working on a fix (please see https://bugzilla.redhat.com/show_bug.cgi?id=1398600 and https://fedorahosted.org/freeipa/ticket/6575). HTH,

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread deepak dimri
Sorry for not replying to all! I have an Apache reverse proxy front-ending the IPA servers. As I mentioned, if I try hitting the IPA replica WebUI directly then I do get the objects loaded in the browser after waiting for over a minute or so. replica server

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-02-01 Thread Steve Huston
Awesome! Thank you. On Wed, Feb 1, 2017 at 12:05 PM, Florence Blanc-Renaud wrote: > On 02/01/2017 05:47 PM, Steve Huston wrote: >> >> Would it be better to file this as a new bug, or reopen 4291? >> > Hi, > > we are already aware of the problem and working on a fix (please see

Re: [Freeipa-users] Backend & UI plugin update for 4.4.x

2017-02-01 Thread Steve Huston
Would it be better to file this as a new bug, or reopen 4291? On Tue, Jan 31, 2017 at 5:00 PM, Steve Huston wrote: > Seems like this is to blame: https://fedorahosted.org/freeipa/ticket/4291 > > The checkin says, "Installation in pure IPv6 environment failed >

Re: [Freeipa-users] Gateway_timeout Error

2017-02-01 Thread Martin Babinsky
On 02/01/2017 04:26 PM, deepak dimri wrote: Yes, Martin - i do see requests hitting replica.. /var/log/httpd/error_log shows: [Wed Feb 01 15:16:47.469766 2017] [:error] [pid 2464] ipa: INFO: ad...@xxx.xyz.com : batch: host_show(u'xxx.abx.xyz ',

[Freeipa-users] unable to delete a user - which has a double??

2017-02-01 Thread lejeczek
hi all, take a look: $ ipa user-find --uid 3501 -- 1 user matched -- User login: appmgr First name: app Last name: developer Home directory: /home.sysops/appmgr Login shell: /bin/bash Principal alias: appmgr@PRIVATE Email address: appmgr@private UID: 3501

Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-01 Thread Martin Basti
Hello, you have to use ldapdelete command and remove it manually Martin On 01.02.2017 19:30, lejeczek wrote: hi all, take a look: $ ipa user-find --uid 3501 -- 1 user matched -- User login: appmgr First name: app Last name: developer Home directory:

[Freeipa-users] [SOLVED] Re: guidance on SID-UID mapping via sssd-ad -- one child domain works fine, 2nd domain generating SID-to-UID mapping error

2017-02-01 Thread Chris Dagdigian
Update: Resolved. A bit of googling led me to some good RHEL pages as well as mailing list messages from Alex B that were concise and helpful. To summarize for others who may have this problem: 1. Don't make changes to sssd.conf if your provider is "ipa" - in this case you work only with

Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-01 Thread Jochen Hein
Hi lejeczek writes: > I think it had something to do with an initial(long time ago) > migration. > How to safely delete such a user? Or one of them? > > $ ipa user-del appmgr --no-preserve > ipa: ERROR: The search criteria was not specific enough. Expected 1 > and found 2.

Re: [Freeipa-users] Replica FQDN / Domain question

2017-02-01 Thread Christophe TREFOIS
Hi Martin, Thanks for the reply! That's the plan. As we can't really change the REALM easily, or as it's not recommended, we unfortunately have to drag this "issue" with us. This, by the way, leads to us not being able to set up SRV records, as we collide with an AD in the same organisation. Real

[Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-01 Thread Gorazd
Hello, I am interested if there is any feature matrix available for the FreeIPA version of the Dogtag packaging. So which features of Dogtag are not included or come with limitations when installed with FreeIPA (such as OCSP is already part of the CA and could not be installed separately), in contrast

[Freeipa-users] Is WinSync A Bad Choice?

2017-02-01 Thread Jason B. Nance
Hello everyone, I'm about to deploy a fresh IPA domain that needs to integrate with Active Directory. In my lab environment I've set up a trust with AD and the following items are driving me away from using the trust: - Users can't login to a Linux box using just "username" (user@ad.domain