Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike [sssd_krb5_locator] sssd_krb5_locator_init called [sssd_krb5_locator] Found [172.16.112.8] in

Re: [Freeipa-users] Cmd-line Unprovision OTP setting for a host

2012-09-18 Thread Charlie Derwent
Hi I've used ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST} In the past and that seems to work quite well. The ideal for me would be a situation where the IPA information could persist between rebuilds. Cheers, Charlie On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan

[Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Hi everybody, can somebody help me with the memberof plugin ? Is there a way to add the memberof attribute like it was in 389-ds ? For my mailing list program, I want to have the email of the emails of all the person belongings to a group. Is there a filter to do that ? Thanks.

Re: [Freeipa-users] winsync agreement wipes IPA users

2012-09-18 Thread Rich Megginson
On 09/17/2012 07:10 PM, Steven Jones wrote: Hi, I understand that I'll lose users that are cn=Staff_Admins,dc=etc So the Q is why I am losing users in the --win-subtree cn=VUW_Staff,dc= etc This I don't understand I have the -v already, any way to make it very verbose?

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread Rob Crittenden
James James wrote: Hi everybody, can somebody help me with the memberof plugin ? Is there a way to add the memberof attribute like it was in 389-ds ? For my mailing list program, I want to have the email of the emails of all the person belongings to a group. Is there a filter to do that ? To

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread James James
Thanks for your answer. In my group I have two users but when I use this command : $ ldapsearch -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' '(memberOf=cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com)' mail the result is: # search result search: 2 result: 0 Success How can I check

Re: [Freeipa-users] Cmd-line Unprovision OTP setting for a host

2012-09-18 Thread Dmitri Pal
On 09/18/2012 07:34 AM, Charlie Derwent wrote: Hi I've used ipa host-disable ${HOST}; ipa host-mod --password=${PASS} ${HOST} In the past and that seems to work quite well. The ideal for me would be a situation where the IPA information could persist between rebuilds. Can you please

Re: [Freeipa-users] MemberOf plugin and LDAP filter

2012-09-18 Thread Rob Crittenden
James James wrote: Oups in the first message I should write : I want to have the email of the emails of all the person belonging to a group. and not I want to have the email of the emails of all the person belongingS to a group. :0) I'd pick a user you know is in the group and start there:

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Michael Mercier
On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike [sssd_krb5_locator] sssd_krb5_locator_init called

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Rob Crittenden
Nathan Lager wrote: Sorry for falling off like that. I opened a RedHat ticket on the issue, and have been running in circles with them. I forgot to check on the list for responses. I'm still having problems. Someone suggested I try: kinit -kt

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]#

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Nathan Lager
I'm going to respond inline to avoid confusion. On 09/18/2012 03:22 PM, Rob Crittenden wrote: I think we need to start with the basics, so here is a slew of questions, things to try: You said you enabled password auth? Did you do this by

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Rob Crittenden
Nathan Lager wrote: I'm going to respond inline to avoid confusion. On 09/18/2012 03:22 PM, Rob Crittenden wrote: I think we need to start with the basics, so here is a slew of questions, things to try: You said you enabled password auth? Did you

Re: [Freeipa-users] Password requirements too stringent

2012-09-18 Thread Tim Hildred
So, commenting out: password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 Caused users updating their passwords using ssh to get: [ykatabam@ykatabam ~]$ ssh ykata...@dns1.ecs-cloud.lab.eng.bne.redhat.com

Re: [Freeipa-users] sudden ipa errors.

2012-09-18 Thread Lager, Nathan T.
- Original Message - From: Rob Crittenden rcrit...@redhat.com To: Nathan Lager lag...@lafayette.edu Cc: freeipa-users@redhat.com Sent: Tuesday, September 18, 2012 5:17:00 PM Subject: Re: [Freeipa-users] sudden ipa errors. Ok, what are the permissions on the keytab,