[Freeipa-users] Fwd: FreeIPA installation on centos 7

2017-02-02 Thread amit bhatt
-- Forwarded message -- From: amit bhatt Date: Thu, Feb 2, 2017 at 10:56 PM Subject: FreeIPA installation on centos 7 To: freeipa-users@redhat.com My QA development setup is running with IPA VERSION: 4.2.0 on centos 7 and I want to install the same

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Fraser Tweedale
On Thu, Feb 02, 2017 at 11:56:55AM +0100, Gorazd wrote: > Hi Fraser, > > thank you for your comment. > > Still doing some decision making, could anyone know if for example KeyCloak > (as identity and access management solution)+DogTag could have the same or > better experience (since dogtag has

[Freeipa-users] ipactl services running, but auth not working

2017-02-02 Thread pgb205
We have multiple ipa servers but only one is continuously affected by the strange problem described in the subject line. Users report not being able to login to servers that are using a specific ipa_server. Looking at this server ipactl shows everything as RUNNING. ipactl restart fixes the issue

[Freeipa-users] Smart Card login into an Active Directory User

2017-02-02 Thread spammewoods
I am running an IPA server (4.4.0) on RHEL 7.3 which is integrated with a Windows Active Directory server. I am trying to configure the IPA server to allow the Active Directory Users to log into Gnome with a CAC smart card. I’m having a hard time finding any instructions on how to do this.

Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Sumit Bose
On Thu, Feb 02, 2017 at 04:57:05PM +0100, Jan Karásek wrote: > Hi, > > I just looked into RHEL 6.9 beta repos and I can see there is > sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel > 6.9 will come support for using different UPN than domain name. I am talking >

Re: [Freeipa-users] How to enable krb5_child log

2017-02-02 Thread Jakub Hrozek
On Thu, Feb 02, 2017 at 05:19:07PM +0100, Kees Bakker wrote: > Hi > > Sorry, I did search wherever I could but I couldn't find it. > How do I enable krb5_child debug log? I'm on an Ubuntu > system which by default writes an empty /var/log/krb5_child.log > > Is it a section in

[Freeipa-users] How to enable krb5_child log

2017-02-02 Thread Kees Bakker
Hi Sorry, I did search wherever I could but I couldn't find it. How do I enable krb5_child debug log? I'm on an Ubuntu system which by default writes an empty /var/log/krb5_child.log Is it a section in /etc/sssd/sssd.conf? Is it in /etc/krb5.conf? What do I have to add where to get logging in

[Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Jan Karásek
Hi, I just looked into RHEL 6.9 beta repos and I can see there is sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel 6.9 will come support for using different UPN than domain name. I am talking about AD trust scenario where user in AD domain sits in

Re: [Freeipa-users] Gateway_timeout Error

2017-02-02 Thread deepak dimri
Hi All, I am stuck with this gateway error on my replicas. I recreated the replicas but that did not help either. I realised that if I just keep my primary ipa up then I do not get the error on the secondary/replica server. The error logs on replica shows hits are getting successfully executed

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Alexander Bokovoy
Hi, On to, 02 helmi 2017, Gorazd wrote: Hi Fraser, thank you for your comment. Still doing some decision making, could anyone know if for example KeyCloak (as identity and access management solution)+DogTag could have the same or better experience (since dogtag has more features than IPA's

Re: [Freeipa-users] Dogtag vs Freeipa Dogtag

2017-02-02 Thread Gorazd
Hi Fraser, thank you for your comment. Still doing some decision making, could anyone know if for example KeyCloak (as identity and access management solution)+DogTag could have the same or better experience (since dogtag has more features than IPA's bundled dogtag) than using Freeipa, what are

Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-02 Thread lejeczek
On 01/02/17 19:16, Martin Basti wrote: Hello, you have to use ldapdelete command and remove it manually Martin and the user's group? I'm using a gui and it protests: .. Deleting a managed entry is not allowed. It needs to be manually unlinked first.] .. I've already have the user

Re: [Freeipa-users] unable to delete a user - which has a double??

2017-02-02 Thread lejeczek
On 01/02/17 19:12, Jochen Hein wrote: Hi lejeczek writes: I think it had something to do with an initial(long time ago) migration. How to safely delete such a user? Or one of them? $ ipa user-del appmgr --no-preserve ipa: ERROR: The search criteria was not specific

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Jakub Hrozek
On Wed, Feb 01, 2017 at 04:19:39PM -0600, Jason B. Nance wrote: > >> - Users can't login to a Linux box using just "username" > >> (user@ad.domain is > >> used) > > > > In the current version you can use the 'default_domain_suffix' option in > > sssd.conf on the clients. In RHEL-7.4 we

Re: [Freeipa-users] Is WinSync A Bad Choice?

2017-02-02 Thread Alexander Bokovoy
On ke, 01 helmi 2017, Jason B. Nance wrote: - User/group management in general becomes largely a command-line operation > (such as mapping groups so they can be used in HBAC and sudo rules) While this is a nice-to-have, it isn't a deal breaker. This definitely exists in WebUI? Unless you