[Freeipa-users] SELinux error during ipa-server-install
Hi guys,
I'm working on Fedora 16 and FreeIPA 2.1.4. I executed the command ipa-server-install and, digging in the logs during the setup, I can find this error, related to SELinux.
I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.
Is this an error in the policy?

Thanks in advance
Marco

[root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that java should be allowed name_connect access on the Unknown by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep java /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:pki_ca_t:s0
Target Context        system_u:object_r:ephemeral_port_t:s0
Target Objects        [ None ]
Source                java
Source Path           /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java
Port                  59940
Host                  freeipa01.unix.mydomain.it
Source RPM Packages   java-1.6.0-openjdk-1.6.0.0-61.1.10.4.fc16.x86_64
Target RPM Packages
Policy RPM            selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Permissive
Host Name             freeipa01.unix.mydomain.it
Platform              Linux freeipa01.unix.mydomain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64
Alert Count           2
First Seen            Fri 10 Feb 2012 01:16:43 PM CET
Last Seen             Fri 10 Feb 2012 01:17:29 PM CET
Local ID              885f3218-de29-4254-b095-0439320b3a50

Raw Audit Messages
type=AVC msg=audit(1328876249.581:170): avc: denied { name_connect } for pid=2663 comm=java dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket

node=freeipa01.unix.mydomain.it type=SYSCALL msg=audit(1328876249.581:170): arch=c03e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java subj=system_u:system_r:pki_ca_t:s0 key=(null)

Hash: java,pki_ca_t,ephemeral_port_t,None,name_connect

audit2allow

audit2allow -R

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
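A note on the sealert suggestion in the report above, with an added example that is not part of the thread. The suggested recipe (`grep java /var/log/audit/audit.log | audit2allow -M mypol` followed by `semodule -i mypol.pp`) takes every audit line containing the string "java", so any unrelated denial from another Java process ends up in the same module, and the rule it produces lets pki_ca_t connect to every port labelled ephemeral_port_t, not just 59940. The SYSCALL record also shows `success=yes`: in Permissive mode the denial is only logged and the connect actually went through. The script below (written for this page; it is not setroubleshoot, audit2allow or FreeIPA code) parses raw AVC and SYSCALL records, pairs them by audit serial so the success flag is visible next to the denial, narrows to one source domain, and renders the .te source so it can be read before anything is loaded. SAMPLE_AUDIT_LOG is constructed: its first two records mirror the ones in the report (with the quoting auditd puts around comm= and exe= restored), and the third is an invented, unrelated denial for a different Java process (java_t reading shadow_t) included only to show what the bare string match would sweep in.

```python
"""Parse auditd AVC denials into policy rules, one source domain at a time.
Added example for this thread; not setroubleshoot/audit2allow/FreeIPA code.
SAMPLE_AUDIT_LOG is constructed: two records mirror the posted report, the
third (java_t -> shadow_t) is invented to show what `grep java` would catch."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1328876249.581:170): avc:  denied  { name_connect } for  pid=2663 comm="java" dest=59940 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1328876249.581:170): arch=c000003e syscall=42 success=yes exit=0 a0=29 a1=7fc00b462680 a2=1c a3=7fc00b462410 items=0 ppid=1 pid=2663 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=system_u:system_r:pki_ca_t:s0 key=(null)
type=AVC msg=audit(1328876300.100:171): avc:  denied  { read } for  pid=2700 comm="java" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:java_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
PERMS_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*?) \}")
FIELD_RE = re.compile(r'\b(?P<key>scontext|tcontext|tclass|comm|success)=(?P<val>"[^"]*"|\S+)')


def _fields(line: str) -> Dict[str, str]:
    """Pull the key=value pairs we need; auditd quotes comm/exe, other tools may not."""
    return {m["key"]: m["val"].strip('"') for m in FIELD_RE.finditer(line)}


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type, the part allow rules are written against."""
    return context.split(":")[2]


@dataclass(frozen=True)
class Denial:
    serial: int
    comm: str
    source_type: str
    target_type: str
    tclass: str
    perms: Tuple[str, ...]
    syscall_succeeded: Optional[bool]  # True under Permissive; None if no SYSCALL record paired

    def allow_rule(self) -> str:
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {{ {' '.join(self.perms)} }};"


def parse_denials(audit_text: str) -> List[Denial]:
    """Collect AVC 'denied' records and pair each with the SYSCALL record sharing its serial."""
    avcs: Dict[int, dict] = {}
    outcome: Dict[int, bool] = {}
    for line in audit_text.splitlines():
        head = HEADER_RE.match(line)
        if not head:
            continue
        serial, fields = int(head["serial"]), _fields(line)
        if head["type"] == "AVC":
            perms = PERMS_RE.search(line)
            if perms and perms["verdict"] == "denied":
                avcs[serial] = {**fields, "perms": tuple(perms["perms"].split())}
        elif head["type"] == "SYSCALL" and "success" in fields:
            outcome[serial] = fields["success"] == "yes"
    return [
        Denial(serial=s, comm=a.get("comm", "?"), source_type=_type_of(a["scontext"]),
               target_type=_type_of(a["tcontext"]), tclass=a["tclass"], perms=a["perms"],
               syscall_succeeded=outcome.get(s))
        for s, a in sorted(avcs.items())
    ]


def filter_by_source_type(denials: List[Denial], source_type: str) -> List[Denial]:
    """Keep one domain (pki_ca_t here) rather than everything whose comm contains 'java'."""
    return [d for d in denials if d.source_type == source_type]


def build_te_module(denials: List[Denial], name: str) -> str:
    """Render .te source equivalent to audit2allow -M output for exactly these denials."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes: Dict[str, set] = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [d.allow_rule() for d in denials]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    everything = parse_denials(SAMPLE_AUDIT_LOG)
    for d in everything:
        print(f"serial={d.serial} comm={d.comm} succeeded={d.syscall_succeeded}: {d.allow_rule()}")
    # Only the CA's denial goes into the module; the java_t/shadow_t one is deliberately left out.
    print(build_te_module(filter_by_source_type(everything, "pki_ca_t"), "ipa_pki_ephemeral"))
```

Run as a script it prints both denials and then a module containing only the pki_ca_t rule; with real data, feed it the output of `ausearch -m avc -ts recent` instead of the sample. The printed .te text is what `checkmodule -M -m` and `semodule_package` would compile into a .pp; reading it first is the step the sealert suggestion skips.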
Re: [Freeipa-users] SELinux error during ipa-server-install
Hi Marco

I had a very similar issue trying to do the same thing a while back, on the day RHEL 6.2 went GA.

My situation was SELinux enforcing, then run ipa-server-install.. it gets half way through the process and it fails. Then I tried SELinux permissive, to get the exact same issue. I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and ran the setup again, and I was able to install successfully.

In my situation, it was related to the selinux pki policy. When this was loaded, it caused the ipa setup to fail... an update was made available in RHEL which allowed me to move forward with selinux in enforcing mode.

Have you patched Fedora 16 with the latest updates? My situation was quite a while ago so I would have imagined that there would be an update to that issue with Fedora as well, if this is actually the same issue I encountered.

Do you get the same issue with selinux disabled at all?

Dale

On 02/10/2012 12:30 PM, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora 16 and FreeIPA 2.1.4. I executed the command ipa-server-install and, digging in the logs during the setup, I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.
> Is this an error in the policy?
>
> Thanks in advance
> Marco
>
> [root@freeipa01 ~]# sealert -l 885f3218-de29-4254-b095-0439320b3a50
> SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from name_connect access on the None .
Re: [Freeipa-users] SELinux error during ipa-server-install
Hi Dale,

On Fri, Feb 10, 2012 at 1:50 PM, Dale Macartney d...@themacartneyclan.com wrote:
> Hi Marco
>
> I had a very similar issue trying to do the same thing a while back, on the day RHEL 6.2 went GA.
>
> My situation was SELinux enforcing, then run ipa-server-install.. it gets half way through the process and it fails. Then I tried SELinux permissive, to get the exact same issue. I then completely disabled SELinux in /etc/sysconfig/selinux, rebooted and ran the setup again, and I was able to install successfully.
>
> In my situation, it was related to the selinux pki policy. When this was loaded, it caused the ipa setup to fail... an update was made available in RHEL which allowed me to move forward with selinux in enforcing mode.
>
> Have you patched Fedora 16 with the latest updates? My situation was quite a while ago so I would have imagined that there would be an update to that issue with Fedora as well, if this is actually the same issue I encountered.

I updated my system a few days ago and I'm currently not seeing further updates available.
These are my packages:

[root@freeipa01 ~]# rpm -qa|grep -i selinux
selinux-policy-3.10.0-75.fc16.noarch
libselinux-2.1.6-5.fc16.x86_64
libselinux-python-2.1.6-5.fc16.x86_64
pki-selinux-9.0.17-1.fc16.noarch
libselinux-utils-2.1.6-5.fc16.x86_64
selinux-policy-targeted-3.10.0-75.fc16.noarch
freeipa-server-selinux-2.1.4-4.fc16.x86_64

> Do you get the same issue with selinux disabled at all?

Actually I haven't tried, but I'm sure I would not encounter this problem in that case. As I wrote, I'm running in permissive mode, so I only get warnings about what would have been blocked by SELinux, not the effective block of the execution.
My setup (apparently) completed correctly. I still have to check-on-the-job :-)

Thanks
Marco
Re: [Freeipa-users] SELinux error during ipa-server-install
On Fri, 10 Feb 2012, Marco Pizzoli wrote:
> Hi guys,
> I'm working on Fedora 16 and FreeIPA 2.1.4. I executed the command ipa-server-install and, digging in the logs during the setup, I can find this error, related to SELinux.
> I'm running in Permissive mode, so nothing prevented me from successfully completing my setup.
> Is this an error in the policy?

https://bugzilla.redhat.com/show_bug.cgi?id=739708

Allowing connecting to ephemeral ports is something that Ade has still not decided on yet.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] SELinux error during ipa-server-install
Hi Alexander,

On Fri, Feb 10, 2012 at 2:47 PM, Alexander Bokovoy aboko...@redhat.com wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=739708
>
> Allowing connecting to ephemeral ports is something that Ade has still not decided on yet.

Thanks for the info.
Marco
Re: [Freeipa-users] Replicas in a state of confusion
On Thu, 2012-02-09 at 17:01 -0700, Rich Megginson wrote:
> This may be related to https://fedorahosted.org/389/ticket/273 and https://fedorahosted.org/389/ticket/274 which have been fixed in 1.2.10

In this case Ian please open a bugzilla, it looks like we need to address this in RHEL6.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Dovecot SSO Authentication HowTo is now available on Wiki
Hi All

I have added a walk through on configuring Dovecot to use IMAPS with SSO support to the Wiki.

http://freeipa.org/page/Dovecot_IMAPS_Integration_with_FreeIPA_using_Single_Sign_On

Feedback is more than welcome

Dale
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, 2012-02-10 at 10:50 +0100, Marco Pizzoli wrote:
> Hi,
>
> On Mon, Jan 30, 2012 at 4:55 PM, Dmitri Pal d...@redhat.com wrote:
>> On 01/30/2012 09:47 AM, Marco Pizzoli wrote:
>>> Hi guys,
>>> Next days I'm going to start a test deployment of FreeIPA 2.1 but the following days I'm planning to have a look on the new features FreeIPA 2.2 brings.
>>> Are you going to release an alpha/beta package anytime in the future?
>>>
>>> Thanks in advance
>>> Marco
>>
>> Yes alpha is planned for next couple weeks.
>
> Sorry for asking again, but I'm really interested in this. Any news on the expected release date?
> I'm available to test it and give feedback, once released.

If you're interested in testing the nightly builds, you can install one of the below repository files into /etc/yum.repos.d

Fedora 15-17: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
RHEL 6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo

Then you can 'yum update' to the latest nightlies.
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote:
> On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher sgall...@redhat.com wrote:
>> If you're interested in testing the nightly builds, you can install one of the below repository files into /etc/yum.repos.d
>>
>> Fedora 15-17: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
>> RHEL 6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>>
>> Then you can 'yum update' to the latest nightlies.
>
> Good to know! Thanks a lot.
> Testing nightly builds will involve me reporting problems and/or errors. Which mailing list should I use? -users or -devel ?

For the -devel version I think freeipa-devel is better.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
Simo Sorce wrote:
> On Fri, 2012-02-10 at 15:30 +0100, Marco Pizzoli wrote:
>> Good to know! Thanks a lot.
>> Testing nightly builds will involve me reporting problems and/or errors. Which mailing list should I use? -users or -devel ?
>
> For the -devel version I think freeipa-devel is better.
>
> Simo.

Just to add that this version has known upgrade problems so I wouldn't recommend upgrading an existing installation at this time.

rob
Re: [Freeipa-users] syncing users more not limited to a subtree
On 02/10/2012 04:01 AM, David Juran wrote:
> Hello
>
> I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?

I don't think so, but can you provide some examples?
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Just to add that this version has known upgrade problems so I wouldn't recommend upgrading an existing installation at this time.

Hi Rob,
Is there a ticket on which I can put myself in Cc to track it?

Thanks
Marco
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
Marco Pizzoli wrote:
> On Fri, Feb 10, 2012 at 3:56 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Just to add that this version has known upgrade problems so I wouldn't recommend upgrading an existing installation at this time.
>
> Hi Rob,
> Is there a ticket on which I can put myself in Cc to track it?

There are a number of them:

https://fedorahosted.org/freeipa/ticket/2147
https://fedorahosted.org/freeipa/ticket/2341
https://fedorahosted.org/freeipa/ticket/2344

rob
Re: [Freeipa-users] syncing users more not limited to a subtree
On 02/10/2012 11:41 AM, Dmitri Pal wrote:
> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>> On 02/10/2012 04:01 AM, David Juran wrote:
>>> Hello
>>>
>>> I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?
>>
>> I don't think so, but can you provide some examples?
>
> Rich, can one create two different winsync agreements that use different sub trees on the AD side?

Yes, if they also use two different sub trees on the IPA side. Otherwise, you have two different winsync agreements covering the same ipa subtree - I have no idea what would happen.

> Is there anything that would prevent it from working? Maybe it should be done from 2 IPA replicas?

You might still have problems with that scenario, just delayed. That is, the ipa subtree is the same on both replicas, so you still have the same problem, just delayed by the speed of replication.

The only way to know for sure would be to get some concrete examples, then try it out.
Re: [Freeipa-users] syncing users more not limited to a subtree
On 02/10/2012 01:46 PM, Rich Megginson wrote:
> On 02/10/2012 11:41 AM, Dmitri Pal wrote:
>> Rich, can one create two different winsync agreements that use different sub trees on the AD side?
>
> Yes, if they also use two different sub trees on the IPA side. Otherwise, you have two different winsync agreements covering the same ipa subtree - I have no idea what would happen.

If the users are different then there should be no collision. Are you concerned about two winsyncs stepping on each other in terms of keeping the view (persistent search or something like it) of the IPA data consistent?

>> Is there anything that would prevent it from working? Maybe it should be done from 2 IPA replicas?
>
> You might still have problems with that scenario, just delayed. That is, the ipa subtree is the same on both replicas, so you still have the same problem, just delayed by the speed of replication.
>
> The only way to know for sure would be to get some concrete examples, then try it out.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 3:24 PM, Stephen Gallagher sgall...@redhat.com wrote:
> If you're interested in testing the nightly builds, you can install one of the below repository files into /etc/yum.repos.d
>
> Fedora 15-17: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-fedora.repo
> RHEL 6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>
> Then you can 'yum update' to the latest nightlies.

I wget-ed the repo file on a 64-bit Fedora 16 system but I'm failing to see the package for 64-bit systems.
Please, could you tell me what my error is?

[root@freeipa02 yum.repos.d]# yum info freeipa-server
Loaded plugins: langpacks, presto, refresh-packagekit
Available Packages
Name        : freeipa-server
*Arch        : i686*
Version     : 2.1.4
*Release     : 1.20120209T0216Zgit11c25a4.fc16*
Size        : 957 k
*Repo        : ipa-devel*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Name        : freeipa-server
*Arch        : x86_64*
Version     : 2.1.4
*Release     : 4.fc16*
Size        : 958 k
*Repo        : updates*
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
License     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

[root@freeipa02 yum.repos.d]# uname -a
Linux freeipa02.unix.domain.it 3.2.3-2.fc16.x86_64 #1 SMP Fri Feb 3 20:08:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Re: [Freeipa-users] syncing users more not limited to a subtree
On 02/10/2012 12:18 PM, Dmitri Pal wrote:
> On 02/10/2012 01:46 PM, Rich Megginson wrote:
>> Yes, if they also use two different sub trees on the IPA side. Otherwise, you have two different winsync agreements covering the same ipa subtree - I have no idea what would happen.
>
> If the users are different then there should be no collision. Are you concerned about two winsyncs stepping on each other in terms of keeping the view (persistent search or something like it) of the IPA data consistent?

Yes.

>>> Is there anything that would prevent it from working? Maybe it should be done from 2 IPA replicas?
>>
>> You might still have problems with that scenario, just delayed. That is, the ipa subtree is the same on both replicas, so you still have the same problem, just delayed by the speed of replication.
>>
>> The only way to know for sure would be to get some concrete examples, then try it out.
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On 02/10/2012 02:22 PM, Marco Pizzoli wrote:
> I wget-ed the repo file on a 64-bit Fedora 16 system but I'm failing to see the package for 64-bit systems.
> Please, could you tell me what my error is?

We just finished rebuilding the repo. Please try again.

We don't have a mechanism to lock the repo while it's being populated, so on occasion you may see some odd failures if you happen to hit it while it's updating.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On 02/10/2012 02:35 PM, Marco Pizzoli wrote:
> No, same as before. Is yum makecache sufficient to renew my metadata?

Sounds like it should work. I'm not in the habit of using makecache, I tend to use the big hammer 'yum clean --all'.

I just checked the repo, the files are there, so I assume yum is somehow confused.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Replicas in a state of confusion
On Feb 10, 2012, at 1:36 PM, Rich Megginson wrote:

>>> This may be related to https://fedorahosted.org/389/ticket/273 and https://fedorahosted.org/389/ticket/274 which have been fixed in 1.2.10
>>>
>>> In this case Ian please open a bugzilla, it looks like we need to address this in RHEL6.
>>
>> I'll confess that I don't fully understand what tombstone is... Regardless, I'm not sure that either of those tickets apply to the issue at hand. As I understand it, Ticket 273 outlines an issue with searching for tombstone entries after successfully setting up a replica (which as far as I'm hearing, we haven't done). And ticket 274 concerns indexing the tombstone entries. I am able to search for tombstone entries (http://pastebin.com/raw.php?i=a4ytYZvt) and don't see the errors specified in ticket 274.
>
> in 1.2.9.9 the ruv tombstone entry was indexed correctly, so that's why you see it. For ticket 274, you would only see those errors if you actually attempt to reindex the entryrdn index.
>
>> That said, perhaps there's some bug with tombstone re: the automountmap entries in my LDAP instance. Do you think that would be sufficient to cause the replication issues I'm seeing?
>
> It could be. Taken together, both of those tickets resolve problems with tombstone indexes. At any rate, I would like to know if you can reproduce your issues with 1.2.10.rc1
>
> To confirm, the first step would be to examine your entryrdn index to see what the problematic entries look like e.g.
>
> dbscan -f /var/lib/dirsrv/slapd-DOMAIN/db/userRoot/entryrdn.db4 | grep -C 2 automountmapname=auto.direct

Here's the output from the primary:

139:cn=global_policy
    ID: 139; RDN: cn=global_policy; NRDN: cn=global_policy
13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
    ID: 13; RDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
141:krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org
    ID: 141; RDN: krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org; NRDN: krbprincipalname=ldap/sbgrid-directory.in.hw...@sbgrid.org
--
450:nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
    ID: 450; RDN: nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master; NRDN: nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
    ID: 451; RDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
452:nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
    ID: 452; RDN: nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct; NRDN: nsuniqueid=61a1ff04-370b11e1-80c28103-f403dc04,description=/- auto.direct
--
466:automountmapname=auto.master
    ID: 466; RDN: automountmapname=auto.master; NRDN: automountmapname=auto.master
467:automountmapname=auto.direct
    ID: 467; RDN: automountmapname=auto.direct; NRDN: automountmapname=auto.direct
468:description=/- auto.direct
    ID: 468; RDN: description=/- auto.direct; NRDN: description=/- auto.direct
--
    ID: 12; RDN: nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master; NRDN: nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master
C11:cn=default
    ID: 13; RDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
C11:cn=default
    ID: 261; RDN: nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountMapName=auto_master; NRDN: nsuniqueid=ee37db01-ee0511e0-b8f78103-f403dc04,automountmapname=auto_master
--
    ID: 450; RDN: nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master; NRDN: nsuniqueid=61a1ff02-370b11e1-80c28103-f403dc04,automountmapname=auto.master
C449:cn=test
    ID: 451; RDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
C449:cn=test
    ID: 456; RDN: nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs; NRDN: nsuniqueid=7bdfdb01-371311e1-80c28103-f403dc04,automountmapname=auto_nfs
--
    ID: 464; RDN: nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home; NRDN: nsuniqueid=bdbd5105-371411e1-80c28103-f403dc04,description=home
C465:cn=default
    ID: 467; RDN: automountmapname=auto.direct; NRDN: automountmapname=auto.direct
C465:cn=default
    ID: 466; RDN: automountmapname=auto.master; NRDN: automountmapname=auto.master
--
P139:cn=global_policy
    ID: 132; RDN: cn=SBGRID.ORG; NRDN: cn=sbgrid.org
P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
    ID: 11; RDN: cn=default; NRDN: cn=default
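A way to read that dump without eyeballing it. The following is an added example, not code from this thread, from 389-ds or from FreeIPA: it parses dbscan's entryrdn output in the layout shown above (a key line, then an ID/RDN/NRDN data line; tombstones carry the original RDN behind an nsuniqueid= prefix), groups live and tombstone records by their underlying normalised RDN, and cross-checks the C (children) and P (parent) keys against each other. SAMPLE is an excerpt of the primary's output with the line breaks the archive flattened put back; the record layout and the meaning of the C and P keys are assumptions taken from that output, not from 389-ds documentation. Run it against a full, un-grepped dump for the link check to mean anything.

```python
"""Summarise a 389-ds entryrdn index dump (dbscan -f .../entryrdn.db4).
Added example, not code from 389-ds or FreeIPA.  Assumed record layout, as in
the dump quoted in the thread: a key line, <id>:<nrdn> (the entry itself),
C<pid>:<pnrdn> (one record per child of entry pid) or P<id>:<nrdn> (the parent
of entry id), followed by one data line ID: n; RDN: ...; NRDN: ...
"""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^([CP]?)(\d+):(.*)$")
DATA_RE = re.compile(r'^ID:\s*(\d+);\s*RDN:\s*"?(.*?)"?;\s*NRDN:\s*"?(.*?)"?$')
# A tombstone keeps the original RDN behind an nsuniqueid= prefix.
TOMBSTONE_RE = re.compile(r"^nsuniqueid=[0-9a-f-]+,(.+)$", re.IGNORECASE)


def parse_entryrdn(text):
    """Return (selfs, children, parents, notes): id -> (rdn, nrdn) from self
    keys, parent id -> [child ids] from C keys, id -> parent id from P keys,
    and notes for data lines grep cut off from their key or id mismatches."""
    selfs, children, parents, notes = {}, defaultdict(list), {}, []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--":            # grep context separator
            key = None
            continue
        data = DATA_RE.match(line)
        if data:
            eid, rdn, nrdn = int(data.group(1)), data.group(2), data.group(3)
            if key is None:
                notes.append("data line without key (grep context?): ID %d" % eid)
            elif key[0] == "":
                if key[1] != eid:
                    notes.append("self key %d carries ID %d" % (key[1], eid))
                selfs[eid] = (rdn, nrdn)
            elif key[0] == "C":
                children[key[1]].append(eid)
            else:                               # "P"
                parents[key[1]] = eid
            continue
        k = KEY_RE.match(line)
        if k:
            key = (k.group(1), int(k.group(2)), k.group(3))
        else:
            notes.append("unrecognised line: %s" % line)
    return selfs, dict(children), parents, notes


def rdn_report(selfs):
    """Group ids by underlying NRDN: which are live and which are tombstones."""
    groups = defaultdict(lambda: {"live": [], "tombstones": []})
    for eid, (_rdn, nrdn) in sorted(selfs.items()):
        ts = TOMBSTONE_RE.match(nrdn)
        if ts:
            groups[ts.group(1)]["tombstones"].append(eid)
        else:
            groups[nrdn]["live"].append(eid)
    return dict(groups)


def check_links(children, parents):
    """Cross-check C and P keys.  Only meaningful on a full dump, not grep output."""
    problems = []
    for pid, kids in children.items():
        for kid in kids:
            if kid in parents and parents[kid] != pid:
                problems.append("%d is under %d but its P key says %d" % (kid, pid, parents[kid]))
    for eid, pid in parents.items():
        if eid not in children.get(pid, []):
            problems.append("%d has parent %d but %d's C keys omit it" % (eid, pid, pid))
    return problems


# Excerpt of the primary's dump quoted above, line breaks restored; the first
# ID: line has lost its key to grep's context window, as in the real output.
SAMPLE = """\
13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
  ID: 13; RDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
--
451:nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
  ID: 451; RDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
--
467:automountmapname=auto.direct
  ID: 467; RDN: automountmapname=auto.direct; NRDN: automountmapname=auto.direct
--
  ID: 12; RDN: nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master; NRDN: nsuniqueid=3c37a106-eadf11e0-b9798103-f403dc04,automountmapname=auto.master
C11:cn=default
  ID: 13; RDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
--
C449:cn=test
  ID: 451; RDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct; NRDN: nsuniqueid=61a1ff03-370b11e1-80c28103-f403dc04,automountmapname=auto.direct
C465:cn=default
  ID: 467; RDN: automountmapname=auto.direct; NRDN: automountmapname=auto.direct
--
P13:nsuniqueid=3c37a107-eadf11e0-b9798103-f403dc04,automountmapname=auto.direct
  ID: 11; RDN: cn=default; NRDN: cn=default
"""

if __name__ == "__main__":
    s, c, p, n = parse_entryrdn(SAMPLE)
    print(rdn_report(s), check_links(c, p), n)
```

On the excerpt this reports automountmapname=auto.direct as live id 467 with tombstones 13 and 451 under two different cn=default parents (11 and 465), which is the kind of thing Rich is asking to see. Running it on the full index of the primary and of the replica and comparing the two reports gives a concrete list of RDNs where one side holds tombstones the other lacks, which is more useful to put in a bugzilla than the raw grep.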
Re: [Freeipa-users] syncing users more not limited to a subtree
Rich Megginson wrote:
> On 02/10/2012 11:41 AM, Dmitri Pal wrote:
>> On 02/10/2012 10:28 AM, Rich Megginson wrote:
>>> On 02/10/2012 04:01 AM, David Juran wrote:
>>>> Hello
>>>>
>>>> I wonder if it's somehow possible to sync AD-users more selectively than just by sub-tree. In my case, I'm dealing with a very large organisation where the users that are to be synced to IPA aren't grouped by a subtree in AD but rather spread out. Can this be handled somehow?
>>>
>>> I don't think so, but can you provide some examples?
>>
>> Rich, can one create two different winsync agreements that use different sub trees on the AD side?
>
> Yes, if they also use two different sub trees on the IPA side. Otherwise, you have two different winsync agreements covering the same ipa subtree - I have no idea what would happen.
>
>> Is there anything that would prevent it from working? Maybe it should be done from 2 IPA replicas?
>
> You might still have problems with that scenario, just delayed. That is, the ipa subtree is the same on both replicas, so you still have the same problem, just delayed by the speed of replication.
>
> The only way to know for sure would be to get some concrete examples, then try it out.

I'll just add that we don't currently support multiple winsync agreements against the same AD server. I opened a ticket on this yesterday.

rob
[Freeipa-users] FreeIPA support for AIX as a client?
Hi guys,

I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is supported for version 5.3. What about versions 6.1 and 7.1? Are they really not supported, or have they simply not been verified to work?

Thanks
Marco
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, 2012-02-10 at 16:18 -0500, John Dennis wrote:
> On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
>> --> Finished Dependency Resolution
>> Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 != libldb-1.1.4-1.fc16.1.x86_64
>
> This error is because you've got both a 32-bit and 64-bit version of libldb installed, note how the 32-bit version is 1.1.0 and the 64-bit version is 1.1.4, they're not the same.
>
> However the ipa-devel repo does have both the 32-bit and 64-bit version of 1.1.4 available in the x86-64 repo
>
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
>
> So the repo looks good, not sure what yum is complaining about, it should see both 32-bit and 64-bit is available for version 1.1.4 and install both, unless of course you've got a dependency on the 1.1.0 32-bit version, but yum should tell you that.

SSSD has to be built against a specific version of LDB. It's not compatible with mixed versions in your install. Also, yum SHOULD have prevented installing different versions of libldb in multilib. I'm not sure why it didn't.

So with all that said, the easiest thing to do would be to 'yum remove libldb.i686' and then try updating again.
Re: [Freeipa-users] FreeIPA 2.2 alpha or beta available somewhere?
On Fri, Feb 10, 2012 at 10:18 PM, John Dennis jden...@redhat.com wrote:
> On 02/10/2012 03:49 PM, Marco Pizzoli wrote:
>> --> Finished Dependency Resolution
>> Error: Protected multilib versions: libldb-1.1.0-1.fc16.i686 != libldb-1.1.4-1.fc16.1.x86_64
>
> This error is because you've got both a 32-bit and 64-bit version of libldb installed, note how the 32-bit version is 1.1.0 and the 64-bit version is 1.1.4, they're not the same.

Actually I think the situation is a little bit different. To explain myself better I start by posting this output:

[root@freeipa02 ~]# rpm -qa|grep libldb
libldb-1.1.0-1.fc16.x86_64

Look for a second at the output I posted before. As you can see:

[cut]
--> Running transaction check
---> Package libldb.i686 0:1.1.0-1.fc16 will be installed
[cut]

The 32-bit libldb package is being submitted to yum as a candidate because of a dependency of a package located in your ipa-devel repository. I'm not a yum expert, can you confirm what I notice?

> However the ipa-devel repo does have both the 32-bit and 64-bit version of 1.1.4 available in the x86-64 repo
>
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.i686.rpm
> ipa-devel/fedora/16/x86_64/os/libldb-1.1.4-1.fc16.1.x86_64.rpm
>
> So the repo looks good, not sure what yum is complaining about, it should see both 32-bit and 64-bit is available for version 1.1.4 and install both, unless of course you've got a dependency on the 1.1.0 32-bit version, but yum should tell you that.
>
> That's about as much help as I can give you at the moment.
>
> --
> John Dennis jden...@redhat.com
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

--
"He who never falls is not strong; strong is he who, having fallen, has the strength to rise again."
Jim Morrison
Re: [Freeipa-users] FreeIPA support for AIX as a client?
On 02/10/2012 04:16 PM, Marco Pizzoli wrote:
> Hi guys,
>
> I see in the (Fedora 15) FreeIPA documentation that IBM AIX as a client is supported for version 5.3. What about versions 6.1 and 7.1? Are they really not supported, or have they simply not been verified to work?

You are definitely welcome to try and provide step by step instructions. It should work, we just never had this as a priority. This is a real help that you can provide while we are fixing the SSSD build. :-)

If the instructions are testable and repeatable we will post them on the IPA wiki. I would grant you access to create pages if you want to go this route.

Thanks
Dmitri

> Thanks
> Marco

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Roles and permissions
On 02/07/2012 03:54 PM, Steven Jones wrote:
> Hi,
>
>> Users in group A can manage the membership of group B
>> Users in group A can manage this small set of attributes of members of group B
>
> Yes, I can see that delegating is going to be very hard to do securely / properly... at least with [my] limited knowledge... My problem is that I have a central IT department but many schools who want to be as autonomous as possible (totally if they can achieve it). I also have managers who only understand AD somewhat... and they think this can all be done without themselves understanding what is to be done, so they make/have requirements that might seem reasonable but really are not, but I don't know enough to say so. So it could well be on a case by case basis I have to design such a delegation... looks like I will need a good level of understanding which I obviously lack... I mean I can't even get across to you what I mean!!! doh.
>
> Having briefly chatted to an AD guy this problem isn't just faced by IPA... :(
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Tuesday, 7 February 2012 4:32 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Roles and permissions
>
> Steven Jones wrote:
>> Hi,
>>
>> Trying to get my head around these... is it possible to create a group administrator, say engineering team administrator, and have that role only able to add specific users (how to specify?) to specific user groups (say) ie I want to be able to delegate responsibility for limited groups and users to others and limit their functionality...?
>
> Need a little more to go on. It is that "how to specify" question that really matters. How DO you distinguish between users? You can add extra attributes to break them into groups, or you can literally put them into extra groups and manage them that way (easiest). But you definitely need a way to distinguish them.
>
> Creating this type of permission would require a bit of LDAP knowledge, mostly just knowing which attributes to use. It all depends on what responsibility you are delegating. I'm not entirely sure what you're after so I don't want to guess and end up down a deep rabbit hole, but it is probably going to be easiest to break the permissions into smaller components like:
>
> Users in group A can manage the membership of group B
> Users in group A can manage this small set of attributes of members of group B
>
> Both of these are relatively straightforward. I can provide examples if you can give me some more guidance on what you're looking for.
>
>> I don't find that section of the manual very easy to understand... I'd like examples or more explanation
>>
>> Also if such a, say, (bad) engineering team administrator could add anyone, say THE admin, to a group that the (bad) admin had password changes in/on, then this allows the bad admin to change that admin user password... the user then effectively owns the IPA system...?
>
> Yes, it would be a problem if you granted password change permission to a bad admin. That is true in any system. Given that we've got a ticket open to limit those who can change the password of those in the admins group to those in the admins group, so helpdesk can change user's passwords but not admins. That is currently possible.
>
> regards
>
> rob

Does this answer your question: http://adam.younglogic.com/2012/02/group-managers-in-freeipa/
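Rob's two delegation shapes are, at the LDAP level, two 389-ds ACIs, and Steven's worry (a delegated admin reaching an admin account's password) is something that can be checked mechanically before an ACI is installed. The block below is an added example, not FreeIPA's own code (FreeIPA writes its ACIs through ipa permission-add): it composes the two ACIs, carves members of admins out of the attribute delegation by default, and reviews an ACI for write access to password-bearing attributes or to aci itself. The suffix dc=example,dc=com, the cn=groups,cn=accounts container layout, the group and attribute names and the DANGEROUS list are assumptions for illustration, and the admins carve-out goes one step beyond what the thread describes.

```python
"""Compose and review 389-ds ACIs for the two delegations Rob describes.
Added example, not FreeIPA's own code (FreeIPA creates ACIs with
ipa permission-add).  Assumptions: suffix dc=example,dc=com, groups under
cn=groups,cn=accounts (FreeIPA's layout), the ACI living on the cn=accounts
subtree, and the DANGEROUS attribute list below.
"""
import re

SUFFIX = "dc=example,dc=com"
# Write access to these lets the grantee take over the account or rewrite the
# delegation itself (assumed list; extend it for your schema).
DANGEROUS = {"userpassword", "krbprincipalkey", "aci"}


def group_dn(name):
    return "cn=%s,cn=groups,cn=accounts,%s" % (name, SUFFIX)


def aci_manage_membership(manager, target):
    """Members of `manager` may edit the member attribute of group `target`."""
    return ('(targetattr = "member")(target = "ldap:///%s")'
            '(version 3.0; acl "%s manages membership of %s"; '
            'allow (write) groupdn = "ldap:///%s";)'
            % (group_dn(target), manager, target, group_dn(manager)))


def aci_manage_attrs(manager, target, attrs, exclude=("admins",)):
    """Members of `manager` may write `attrs` on entries that are members of
    `target`.  Members of any group in `exclude` are carved out, so a user who
    is also in admins is not reachable (the case raised in the thread)."""
    terms = "(memberOf=%s)" % group_dn(target)
    terms += "".join("(!(memberOf=%s))" % group_dn(g) for g in exclude)
    return ('(targetattr = "%s")(targetfilter = "(&%s)")'
            '(version 3.0; acl "%s manages %s of %s"; '
            'allow (write) groupdn = "ldap:///%s";)'
            % (" || ".join(attrs), terms, manager, ",".join(attrs), target,
               group_dn(manager)))


ACI_TARGET_RE = re.compile(r'\((targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\)')
ACI_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')


def parse_aci(aci):
    """Pull the target clauses and the granted rights out of an ACI string."""
    parsed = {"targetattr": None, "target": None, "targetfilter": None, "rights": set()}
    for clause, op, value in ACI_TARGET_RE.findall(aci):
        parsed[clause] = (op, value)
    m = ACI_ALLOW_RE.search(aci)
    if m:
        parsed["rights"] = {r.strip().lower() for r in m.group(1).split(",")}
    return parsed


def review_aci(aci):
    """Warnings for an ACI that is meant to be granted to a non-admin group."""
    p = parse_aci(aci)
    warnings = []
    if p["targetattr"] is None:
        warnings.append("no targetattr: list the attributes explicitly")
    elif p["targetattr"][0] == "!=":
        warnings.append("negated targetattr: everything not listed is in scope")
    elif p["targetattr"][1].strip() == "*":
        warnings.append("targetattr *: every attribute is in scope")
    elif p["rights"] & {"write", "all"}:
        attrs = {a.strip().lower() for a in p["targetattr"][1].split("||")}
        for a in sorted(attrs & DANGEROUS):
            warnings.append("write on %s is an account/ACL takeover path" % a)
    if p["target"] is None and p["targetfilter"] is None:
        warnings.append("no target or targetfilter: applies to the whole subtree")
    return warnings


if __name__ == "__main__":
    for aci in (aci_manage_membership("eng-admins", "engineering"),
                aci_manage_attrs("eng-admins", "engineering", ["telephoneNumber", "mobile"]),
                aci_manage_attrs("helpdesk", "engineering", ["userPassword"])):
        print(aci)
        print("  review:", review_aci(aci) or "ok")
```

The targetfilter form depends on the memberOf plugin keeping memberOf current on user entries, which FreeIPA enables. review_aci is a lint, not a proof: it sees one ACI at a time, and 389-ds grants the union of every ACI that matches a bind, so review each ACI that names the same group, and keep the membership ACI and the attribute ACI separate rather than folding "member" into a wider attribute list.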