Re: [Freeipa-users] Converting a user group to a non-posix group
On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
> Hi,
>
> Is there a supported method for converting a posix user group to a non-posix user group?
>
> Regards,
> Siggi

I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.

But if you really want to make a posix group non-posix you could run this group-mod command:

# ipa group-show posix
  Group name: posix
  Description: foo
  GID: 199483
# ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
--
Modified group "posix"
--
  Group name: posix
  Description: foo

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Converting a user group to a non-posix group
On Mon, June 11, 2012 12:21, Martin Kosek wrote:
> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>> Hi,
>>
>> Is there a supported method for converting a posix user group to a non-posix user group?
>>
>> Regards,
>> Siggi
>
> I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.
>
> But if you really want to make a posix group non-posix you could run this group-mod command:
>
> # ipa group-show posix
>   Group name: posix
>   Description: foo
>   GID: 199483
> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
> --
> Modified group "posix"
> --
>   Group name: posix
>   Description: foo

Ah, excellent. Yes, I'm aware that it might break ownerships if the POSIX attrs are in use. However, we have some groups that are POSIX that do not need to be POSIX groups. I've done the change with an LDAP editor earlier, but that was the supported solution I was looking for.

Thanks.

Regards,
Siggi
Re: [Freeipa-users] Converting a user group to a non-posix group
On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
> On Mon, June 11, 2012 12:21, Martin Kosek wrote:
>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>>> Hi,
>>>
>>> Is there a supported method for converting a posix user group to a non-posix user group?
>>>
>>> Regards,
>>> Siggi
>>
>> I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.
>>
>> But if you really want to make a posix group non-posix you could run this group-mod command:
>>
>> # ipa group-show posix
>>   Group name: posix
>>   Description: foo
>>   GID: 199483
>> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
>> --
>> Modified group "posix"
>> --
>>   Group name: posix
>>   Description: foo
>
> Ah, excellent. Yes, I'm aware that it might break ownerships if the POSIX attrs are in use. However, we have some groups that are POSIX that do not need to be POSIX groups. I've done the change with an LDAP editor earlier, but that was the supported solution I was looking for.
>
> Thanks.

Is the --delattr= option new for 2.2? It does not exist in my 2.1 installation.

Rgds,
Siggi
Re: [Freeipa-users] Converting a user group to a non-posix group
On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote:
> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
>> On Mon, June 11, 2012 12:21, Martin Kosek wrote:
>>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>>>> Hi,
>>>>
>>>> Is there a supported method for converting a posix user group to a non-posix user group?
>>>>
>>>> Regards,
>>>> Siggi
>>>
>>> I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.
>>>
>>> But if you really want to make a posix group non-posix you could run this group-mod command:
>>>
>>> # ipa group-show posix
>>>   Group name: posix
>>>   Description: foo
>>>   GID: 199483
>>> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
>>> --
>>> Modified group "posix"
>>> --
>>>   Group name: posix
>>>   Description: foo
>>
>> Ah, excellent. Yes, I'm aware that it might break ownerships if the POSIX attrs are in use. However, we have some groups that are POSIX that do not need to be POSIX groups. I've done the change with an LDAP editor earlier, but that was the supported solution I was looking for.
>>
>> Thanks.
>
> Is the --delattr= option new for 2.2? It does not exist in my 2.1 installation.
>
> Rgds,
> Siggi

It is new in IPA 2.2. In your case, you would need to set --setattr and specify all required object classes minus posixgroup. Unfortunately, I see that new objectclass handling is not right in IPA 2.1:

# ipa group-mod posix --setattr=gidnumber= --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject
ipa: ERROR: unknown object class top,groupofnames,nestedgroup,ipausergroup,ipaobject

Thus, I think that using an LDIF you created may be the easiest way to perform this task in IPA 2.1.

Martin
Re: [Freeipa-users] Converting a user group to a non-posix group
On Mon, June 11, 2012 13:42, Martin Kosek wrote:
> On Mon, 2012-06-11 at 13:05 +0200, Sigbjorn Lie wrote:
>> On Mon, June 11, 2012 12:53, Sigbjorn Lie wrote:
>>> On Mon, June 11, 2012 12:21, Martin Kosek wrote:
>>>> On Sat, 2012-06-09 at 14:12 +0200, Sigbjorn Lie wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a supported method for converting a posix user group to a non-posix user group?
>>>>>
>>>>> Regards,
>>>>> Siggi
>>>>
>>>> I am not aware of any supported method. This step is more tricky than making a non-posix group a posix one, because you could break for example some existing file ownerships for such group.
>>>>
>>>> But if you really want to make a posix group non-posix you could run this group-mod command:
>>>>
>>>> # ipa group-show posix
>>>>   Group name: posix
>>>>   Description: foo
>>>>   GID: 199483
>>>> # ipa group-mod posix --delattr=objectclass=posixgroup --setattr=gidnumber=
>>>> --
>>>> Modified group "posix"
>>>> --
>>>>   Group name: posix
>>>>   Description: foo
>>>
>>> Ah, excellent. Yes, I'm aware that it might break ownerships if the POSIX attrs are in use. However, we have some groups that are POSIX that do not need to be POSIX groups. I've done the change with an LDAP editor earlier, but that was the supported solution I was looking for.
>>>
>>> Thanks.
>>
>> Is the --delattr= option new for 2.2? It does not exist in my 2.1 installation.
>>
>> Rgds,
>> Siggi
>
> It is new in IPA 2.2. In your case, you would need to set --setattr and specify all required object classes minus posixgroup. Unfortunately, I see that new objectclass handling is not right in IPA 2.1:
>
> # ipa group-mod posix --setattr=gidnumber= --setattr=objectclass=top,groupofnames,nestedgroup,ipausergroup,ipaobject
> ipa: ERROR: unknown object class top,groupofnames,nestedgroup,ipausergroup,ipaobject
>
> Thus, I think that using an LDIF you created may be the easiest way to perform this task in IPA 2.1.

Ok, that's what I've done so far. Thanks.

regards,
Siggi
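As an added example (not part of the thread, and not FreeIPA project code), the following POSIX sh helper produces the LDIF that Martin refers to for IPA 2.1, stripping the posixgroup object class and gidNumber from a group, and first counts filesystem objects still owned by the group's GID, since that is the breakage Martin warns about. The DN layout `cn=<group>,cn=groups,cn=accounts,<base>` and the function names are assumptions made for this example; adjust the suffix to your deployment.

```shell
#!/bin/sh
# Added example: make an IPA POSIX group non-POSIX via LDIF (IPA 2.1 path).
# Assumed DN layout: cn=<group>,cn=groups,cn=accounts,<base suffix>.

# Emit an LDIF modify entry that removes the posixgroup object class and
# the gidNumber attribute. objectClass values are matched case-insensitively
# by the directory, so "posixgroup" also matches "posixGroup".
make_unposix_ldif() {
    group="$1"
    base="$2"
    printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$group" "$base"
    printf 'changetype: modify\n'
    printf 'delete: objectclass\n'
    printf 'objectclass: posixgroup\n'
    printf -- '-\n'
    printf 'delete: gidNumber\n'
    printf -- '-\n'
}

# Count filesystem objects under a path still owned by a numeric GID.
# A non-zero result means dropping the GID will orphan those ownerships,
# which is the check to run on every host that mounts data for the group
# before applying the LDIF. -xdev keeps the scan on one filesystem.
count_gid_owners() {
    path="$1"
    gid="$2"
    find "$path" -xdev -group "$gid" 2>/dev/null | wc -l | tr -d ' '
}

# Usage (hypothetical values):
#   count_gid_owners / 199483          # expect 0 before proceeding
#   make_unposix_ldif posix dc=example,dc=com > unposix.ldif
#   kinit admin && ldapmodify -Y GSSAPI -f unposix.ldif
```

The find check is per host and per filesystem; run it everywhere the GID could appear (NFS exports included) rather than only on the IPA server, and keep the generated LDIF so the change can be reversed by re-adding the object class and the original GID.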
[Freeipa-users] groups migration
Hi,

I (almost) managed to migrate groups from my previous server. That is, group names migrated perfectly; unfortunately, when I log in to the web panel all groups are empty.

I used the following command:

ipa migrate-ds ldap://192.168.1.125:389 --bind-dn=cn=admin,dc=domain,dc=com --group-container='ou=groups' --group-objectclas='posixGroup'

I will appreciate any help.

regards,
Maciej Sawicki
Re: [Freeipa-users] FreeIPA webserver cert expired.
On 6/5/12 2:33 PM, Rob Crittenden wrote:
> JR Aquino wrote:
>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>> A couple days ago my (apache) certificates expired. Users are able to kinit but tools such as sudo fail because of the expired certificates. Lots of reading/Google'ing later I found this script (steps) to renew these certs:
>>
>> I'm just curious, but, isn't certmonger supposed to automatically renew these? Is certmonger failing in this case?
>
> Yes, the first thing to do is figure out why certmonger didn't automatically renew the certificates. Then it should be as simple as setting the date back, letting certmonger do its thing, then setting it forward again.
>
> That is very strange certmonger output. You might try setting the date back a couple of days and trying something like:
>
> ipa-getcert resubmit -i 20110706215145
>
> And see what the status goes to.
>
> rob

(Sorry for the delayed reply)

No luck with setting the date back and resubmitting the certificate.

# /etc/init.d/ntpd stop
Stopping ntpd (via systemctl): [ OK ]
# date 060112002012
Fri Jun 1 12:00:00 CDT 2012
# /etc/init.d/httpd stop
Stopping httpd (via systemctl): [ OK ]
# /etc/init.d/httpd start
Starting httpd (via systemctl): [ OK ]
# ipa-getcert resubmit -i 20110706215145
Resubmitting 20110706215145 to IPA.
# ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=RELAM.NET
        subject: CN=srv01.company.net,O=REALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110706215129':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.NET
        subject: CN=srv01.company.net,O=REALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
Request ID '20110706215145':
        status: GENERATING_CSR
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=REALM.NET
        subject: CN=srv01.company.net,O=REALM.NET
        expires: 2012-06-03 20:19:49 UTC
        eku: id-kp-serverAuth
        track: yes
        auto-renew: yes
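The `ipa-getcert list` output above is the kind of thing that is easy to miss until a certificate has already expired. As an added example (not from the thread, and not certmonger or FreeIPA code), the POSIX sh functions below parse that output with awk and report, per tracked request, its status, whether it is stuck, and its expiry date, so a cron job can alert before the date passes. The sample output is constructed here from the three requests shown in the message, trimmed to the lines the parser reads; the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise certmonger "getcert list" output for monitoring.

# Constructed sample, modelled on the three requests shown in the thread.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110706215109':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
        stuck: yes
        expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215129':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL connect error).
        stuck: yes
        expires: 2012-06-03 20:19:49 UTC
Request ID '20110706215145':
        status: GENERATING_CSR
        ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Unauthorized)).
        stuck: no
        expires: 2012-06-03 20:19:49 UTC
EOF
)

# Read getcert output on stdin; print one line per request:
#   <request id> <status> <stuck yes/no> <expiry date YYYY-MM-DD>
# The request id sits between single quotes (octal \047) on the header line.
summarize_getcert() {
    awk '
        /^Request ID/            { split($0, a, "\047"); id = a[2] }
        /^[[:space:]]*status:/   { status = $2 }
        /^[[:space:]]*stuck:/    { stuck = $2 }
        /^[[:space:]]*expires:/  { print id, status, stuck, $2 }
    '
}

# Number of tracked requests certmonger has marked as stuck.
count_stuck() {
    summarize_getcert | awk '$3 == "yes" { c++ } END { print c + 0 }'
}

# Number of certificates expiring before a given YYYY-MM-DD date; ISO dates
# compare correctly as strings, so no date arithmetic is needed.
expired_before() {
    summarize_getcert | awk -v ref="$1" '$4 < ref { c++ } END { print c + 0 }'
}

# Usage on a live host (not run here):
#   ipa-getcert list | count_stuck
#   ipa-getcert list | expired_before "$(date -u +%Y-%m-%d)"
```

Run against the constructed sample, `count_stuck` reports 2 and `expired_before 2012-06-05` reports 3. A non-zero result from either is the signal to investigate certmonger before touching the system clock, which matches the order of steps Rob suggests above.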
Re: [Freeipa-users] ipa client - turn off NetworkManager?
On 06/09/2012 06:24 AM, Joe Linoff wrote:
> Hi:
>
> I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do the same on the clients?
>
> Thanks,
> Joe

There was a problem with earlier versions which now has been addressed for quite some time.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Installation Hang on Fedora 17
I have recently been having problems on RHEL, so I thought I would try installing a Fedora 17 installation to test this, but I appear to be running into further problems.

Everything appears to go well with the installation until it stops on the following line:

  Applying LDAP updates

The last two lines in the log are:

  2012-06-11T15:33:05Z DEBUG cn: Write IPA Configuration
  2012-06-11T15:33:05Z DEBUG description: Write IPA Configuration

I have seen it reported that there was a problem in the F17 Beta release where a downgrade of '389-ds-base' would address this, but this does not seem to be an option now.

Does anyone know the underlying cause of the hang? Maybe there is something I can do to address this.

Regards,
Darran Lofthouse.
Re: [Freeipa-users] Installation Hang on Fedora 17
On 06/11/2012 12:25 PM, Darran Lofthouse wrote:
> I have recently been having problems on RHEL, so I thought I would try installing a Fedora 17 installation to test this, but I appear to be running into further problems.
>
> Everything appears to go well with the installation until it stops on the following line:
>
>   Applying LDAP updates
>
> The last two lines in the log are:
>
>   2012-06-11T15:33:05Z DEBUG cn: Write IPA Configuration
>   2012-06-11T15:33:05Z DEBUG description: Write IPA Configuration
>
> I have seen it reported that there was a problem in the F17 Beta release where a downgrade of '389-ds-base' would address this, but this does not seem to be an option now.
>
> Does anyone know the underlying cause of the hang? Maybe there is something I can do to address this.
>
> Regards,
> Darran Lofthouse.

And now to the whole list...

Have you downgraded your DS packages as recommended here: http://www.freeipa.org/page/DS_Issues_Note ?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] ipa client - turn off NetworkManager?
On Mon, 2012-06-11 at 12:25 -0400, Dmitri Pal wrote:
> On 06/09/2012 06:24 AM, Joe Linoff wrote:
>> Hi:
>>
>> I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do the same on the clients?
>
> ...
>
> There was a problem with earlier versions which now has been addressed for quite some time.

Just for clarity, do you mean that there were issues with early SSSD (which there were, and they have long been fixed; years now), or do you mean that NetworkManager now works reasonably with FreeIPA as well?