Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Petr Spacek
On 12.2.2014 21:49, Genadi Postrilko wrote: Client's local hostname must match the DNS A record? I would recommend that you try it and report the results. We can't be sure what will happen (in Kerberos libraries and applications) until you try that. -- Petr^2 Spacek

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Todd Maugh
Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS instance, so I built in 6.5 and was able to get past it, but now I'm failing with this: Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. Unexpected error - see /var/log/ipare

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Will Sheldon
Is SSSD working for IPA sudo now? I saw this from Jakub Hrozek in this list a little while back: Unfortunately with 6.5 there is still no sudo ipa provider, there might be one in 6.6. So in order to download the sudo rules you need to configure the LDAP sudo provider manually. Will. On

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal
On 02/12/2014 05:00 PM, Tamas Papp wrote: On 02/12/2014 07:30 PM, Dmitri Pal wrote: Please check SSSD web site for guidelines and if you have any questions do not hesitate to ask on the sssd-users list. SSSD is the best you can get nowadays for the connection of the client systems to the centra

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 07:30 PM, Dmitri Pal wrote: > > Please check SSSD web site for guidelines and if you have any > questions do not hesitate to ask on the sssd-users list. > SSSD is the best you can get nowadays for the connection of the client > systems to the central identity stores. > If you plan t

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 11:29 PM, Alexander Bokovoy wrote: > On Wed, 12 Feb 2014, Tamas Papp wrote: >> >> On 02/12/2014 09:53 PM, Jakub Hrozek wrote: >>> On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote: > I don't know it. > After a quick look I wasn't able to set it up correctly, 'id USER

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy
On Thu, 13 Feb 2014, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 09:53 PM, Jakub Hrozek wrote: On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote: I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy
On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 09:53 PM, Jakub Hrozek wrote: On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote: I don't know it. After a quick look I wasn't able to set it up correctly, 'id USER' didn't connect to its socket like with nscd/nlscd, however nsswi

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 09:53 PM, Jakub Hrozek wrote: > On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote: >>> I don't know it. >>> After a quick look I wasn't able to set it up correctly, 'id USER' >>> didn't connect to its socket like with nscd/nlscd, however >>> nsswitch.conf was configured.

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 03:04:24PM +0100, Petr Spacek wrote: > >For the records I figured out, that switching from nscd to nslcd did the > >trick. > > BTW why you don't use SSSD? It is packaged for Ubuntu for sure. NSCD > is ... obsolete. SSSD has some very nice features like off-line > cache etc.

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Jakub Hrozek
On Wed, Feb 12, 2014 at 01:30:59PM -0500, Dmitri Pal wrote: > >I don't know it. > >After a quick look I wasn't able to set it up correctly, 'id USER' > >didn't connect to its socket like with nscd/nlscd, however > >nsswitch.conf was configured. > >Maybe with the upcoming 14.04 or do you have a w

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
Client's local hostname must match the DNS A record? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Josh
On Feb 12, 2014, at 3:20 PM, Rob Crittenden wrote: > Josh wrote: >> >> On Feb 11, 2014, at 2:52 PM, Rob Crittenden wrote: >> >>> Josh wrote: On Feb 11, 2014, at 2:44 PM, Rob Crittenden >>> > wrote: > Josh wrote: >> I have a situation where

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Rob Crittenden
Josh wrote: On Feb 11, 2014, at 2:52 PM, Rob Crittenden wrote: Josh wrote: On Feb 11, 2014, at 2:44 PM, Rob Crittenden mailto:rcrit...@redhat.com>> wrote: Josh wrote: I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Josh
On Feb 11, 2014, at 2:52 PM, Rob Crittenden wrote: > Josh wrote: >> >> On Feb 11, 2014, at 2:44 PM, Rob Crittenden > > wrote: >> >>> Josh wrote: I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxuserma

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Dmitri Pal
On 02/12/2014 02:09 PM, Shree wrote: Rob, I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there. [1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
Rob, I really appreciate your help, please bear with me. At this point I need to take you back to my ipa-replica-install and what happened there. [1] My command: ipa-replica-install --setup-ca /var/tmp/replica-info-ldap2.mydomain.com.gpg --skip-conncheck This ended with a Done configuring NTP

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
OK, I thought the CA is a part of IPA? Below is from my master IPA server [root@ldap ~]# ipactl status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA Service: RUNNING [root@ldap ~]# I can certainly send you a log if needed.

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Rob Crittenden
Shree wrote: OK, I thought the CA is a part of IPA? Below is from my master IPA server [root@ldap ~]# ipactl status Directory Service: RUNNING KDC Service: RUNNING KPASSWD Service: RUNNING MEMCACHE Service: RUNNING HTTP Service: RUNNING CA Service: RUNNING [root@ldap ~]# I can certainly send you a

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Rob Crittenden
Dmitri Pal wrote: On 02/11/2014 05:02 PM, Todd Maugh wrote: Hey Guys, So I have my master and replica up in my datacenter. I have a client, I have a winsync agreement, I have a password sync. It's working lovely. So now I have spun up an AWS instance of Red Hat 6.5 (same as my master and f

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Rob Crittenden
Shree wrote: Peter, actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Dmitri Pal
On 02/12/2014 09:30 AM, Tamas Papp wrote: On 02/12/2014 03:04 PM, Petr Spacek wrote: On 12.2.2014 15:01, Tamas Papp wrote: On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Shree
Peter, actually I mentioned earlier that my clients are in a separate VLAN and cannot access the master. We have made provisions for the master and the replica to sync by opening the needed ports in the firewall. We have also opened up ports between the clients and the replica. I have tested the

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Dmitri Pal
On 02/11/2014 05:02 PM, Todd Maugh wrote: Hey Guys, So I have my master and replica up in my datacenter. I have a client, I have a winsync agreement, I have a password sync. It's working lovely. So now I have spun up an AWS instance of Red Hat 6.5 (same as my master and first replica) I

Re: [Freeipa-users] Recommend version of Samba for a CentOS 6.5 IPA client?

2014-02-12 Thread Dmitri Pal
On 02/11/2014 04:22 PM, Mark Gardner wrote: Before I go installing Samba for file sharing, I wanted to make sure I was installing the correct version of Samba without conflicting with the Linux server being an IPA client. Currently installed sambaX packages: samba-client.x86_64

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 03:04 PM, Petr Spacek wrote: > On 12.2.2014 15:01, Tamas Papp wrote: >> >> On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: >>> On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: > On Wed, 12 Feb 2014, Tamas Papp wrote: >> hi All

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Petr Spacek
On 12.2.2014 15:01, Tamas Papp wrote: On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: > On Wed, 12 Feb 2014, Tamas Papp wrote: >> >> On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: >>> On Wed, 12 Feb 2014, Tamas Papp wrote: Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` >>>

Re: [Freeipa-users] By default on port 389 , any encryption between client and server

2014-02-12 Thread Rob Crittenden
barry...@gmail.com wrote: Hi all: Some doc said it already builds in TLS on 389 ... is it nsslapd-minssf on the dse.ldif? Yes. Should I need to set 636 ldaps? Or is setting a higher nsslapd-minssf enough? Higher minssf should be enough. It will require GSSAPI or startTLS on a connection. What do

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 01:34 PM, Alexander Bokovoy wrote: > On Wed, 12 Feb 2014, Tamas Papp wrote: >> >> On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: >>> On Wed, 12 Feb 2014, Tamas Papp wrote: Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` >>>

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy
On Wed, 12 Feb 2014, Tamas Papp wrote: On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Tamas Papp wrote: Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` ldap_bind: Referral (10) referrals: ldap:///uid=USER,cn=users,cn=acco

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
On 02/12/2014 01:07 PM, Alexander Bokovoy wrote: > On Wed, 12 Feb 2014, Tamas Papp wrote: >> Hi all, >> >> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w >> `cat pw` >> ldap_bind: Referral (10) >>referrals: >>ldap:///uid=USER,cn=users,cn=accounts,dc=foo >> >> >>

Re: [Freeipa-users] authentication against compat

2014-02-12 Thread Alexander Bokovoy
On Wed, 12 Feb 2014, Tamas Papp wrote: Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` ldap_bind: Referral (10) referrals: ldap:///uid=USER,cn=users,cn=accounts,dc=foo [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 t

[Freeipa-users] authentication against compat

2014-02-12 Thread Tamas Papp
Hi all, $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw` ldap_bind: Referral (10) referrals: ldap:///uid=USER,cn=users,cn=accounts,dc=foo [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1 [12/Feb/2014:12:54:15 +0100] conn

Re: [Freeipa-users] RHEL 7 beta trust - slow domain user authentication to Linux hosts

2014-02-12 Thread Sumit Bose
On Mon, Feb 10, 2014 at 02:08:22PM -0500, Steve Dainard wrote: > Sure: > ... > (0x0400): Attempting kinit for realm [MIOVISION.CORP] > (Mon Feb 10 10:14:58 2014) [[sssd[krb5_child[9879 [validate_tgt] > (0x0400): TGT verified using key for > [host/snapshot-test.miolinux.c...@miolinux.corp]. >

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Wed, Feb 12, 2014 at 11:45:50AM +0100, Petr Spacek wrote: > On 12.2.2014 11:32, Alexander Bokovoy wrote: > >On Wed, 12 Feb 2014, Genadi Postrilko wrote: > >>What about adding alias DNS record of hostname.ipa.zone.corp to all linux > >>machines, so they will keep the old FQDM. > >What would it gi

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Petr Spacek
On 12.2.2014 11:32, Alexander Bokovoy wrote: On Wed, 12 Feb 2014, Genadi Postrilko wrote: What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux machines, so they will keep the old FQDN. What would it give to you? AD DC uses FQDN to decide which KDC is responsible to issue T

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Alexander Bokovoy
On Wed, 12 Feb 2014, Genadi Postrilko wrote: What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux machines, so they will keep the old FQDN. What would it give to you? AD DC uses FQDN to decide which KDC is responsible to issue TGT (and other tickets). If it belongs to its o

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Genadi Postrilko
What about adding an alias DNS record of hostname.ipa.zone.corp to all Linux machines, so they will keep the old FQDN. On Feb 12, 2014 10:49 AM, "Martin Kosek" wrote: > On 02/11/2014 07:29 PM, Genadi Postrilko wrote: > > I work in an environment where the AD is the DC of the Windows machines, > > whil

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Petr Viktorin
Moving to freeipa-devel since we're going rather deep. On 02/12/2014 10:02 AM, Martin Kosek wrote: On 02/11/2014 08:52 PM, Rob Crittenden wrote: Josh wrote: On Feb 11, 2014, at 2:44 PM, Rob Crittenden mailto:rcrit...@redhat.com>> wrote: Josh wrote: I have a situation where I need to suppor

Re: [Freeipa-users] Unable to access systems

2014-02-12 Thread Jakub Hrozek
On Tue, Feb 11, 2014 at 02:00:56PM -0400, Terry Soucy wrote: > We are transitioning from one IPA instance to a new IPA instance. The > version of IPA instances is the same, and all is functioning normally on > the existing IPA, but when I attempt to transition a host to the new IPA > instance, I ge

Re: [Freeipa-users] SELinux user categories

2014-02-12 Thread Martin Kosek
On 02/11/2014 08:52 PM, Rob Crittenden wrote: > Josh wrote: >> >> On Feb 11, 2014, at 2:44 PM, Rob Crittenden > > wrote: >> >>> Josh wrote: I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file

Re: [Freeipa-users] Are multiple dns databases possible in freeipa?

2014-02-12 Thread Petr Spacek
On 11.2.2014 20:47, Rob Crittenden wrote: m...@tdiehl.org wrote: Hi, I am in the process of evaluating ipa on Centos 6.5. So far I really like what I see but the one problem I cannot find a viable solution for is how can I do internal and external views with dns stored in ipa? Google seems to i

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Martin Kosek
On 02/11/2014 07:29 PM, Genadi Postrilko wrote: > I work in an environment where the AD is the DC of the Windows machines, > while the Linux machines (RHEL 5\6) are not centrally managed. > I would like to create an IPA server to manage the Linux machines while > creating a trust with AD. > The curre

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-02-12 Thread Petr Spacek
On 11.2.2014 23:53, Shree wrote: The following ports are opened 1) between the master and the replica (bi-directional) 2) between the client machine and the IPA replica (unidirectional). When the replica was up it worked fine as far as syncing was concerned. 80 tcp 443 tcp 389 tcp 636 tcp

Re: [Freeipa-users] Choosing the right way to create trust

2014-02-12 Thread Sumit Bose
On Tue, Feb 11, 2014 at 08:29:43PM +0200, Genadi Postrilko wrote: > I work in an environment where the AD is the DC of the Windows machines, > while the Linux machines (RHEL 5\6) are not centrally managed. > I would like to create an IPA server to manage the Linux machines while > creating a trust wi