Re: [Freeipa-users] Sudo on Ubuntu Client works, on CentOS it doesn't

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 01:16), Matt . wrote: OK, found it... I needed to comment out my other ldap lines, but I wonder why this is needed on CentOS and Ubuntu works without them. Which version of CentOS do you mean? LS -- Manage your subscription for the Freeipa-users mailing list:

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Petr Spacek
On 10.10.2014 10:32, Jan Pazdziora wrote: On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote: On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be

Re: [Freeipa-users] FW: FW: FW: named and IpA

2014-10-13 Thread Jan Pazdziora
On Mon, Oct 13, 2014 at 01:02:38PM +0200, Petr Spacek wrote: There probably should be at least an option (if not default) for bind to serve nothing if LDAP is not accessible. In the past, named refused to start when LDAP was not available. Later it was flagged as bug and current behavior

[Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
Hi, yet another certificate authority question. We have a CentOS 6.5 IPA environment with two domain controllers (kdc01, kdc02). The first one is the first replica and maintains the CRL (or so it should). Recently our monitoring warned us that the web host certificate for kdc01 was about to

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Andreas Ladanyi
My old system, from which I migrated the user/group accounts, uses Kerberos's own DB without LDAP for the principals. I could dump the master key: kdb5_util dump filename K/M@REALM. Now I have a lot of numbers in the dump file. Which number belongs to which LDAP attribute in the (test)

Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Carlos Raúl Laguna
2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com: On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote: Hello to everyone, for some time now I have been pretty much stalking the samba project site, looking forward to forest trust, and it seems that they introduced new functions to support

[Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
Happy Monday everyone... Wondering if anyone else is seeing this error since this weekend? Trying to add in a new IPA replica, which of course requires the software installed -- this is in CentOS 7 using the COPR repo and: -- Finished Dependency Resolution Error: Package:

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
After further investigation - it looks like the PKI base was altered/updated because even on a running server a yum update produces same error: # yum check-update Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock Loading mirror speeds from cached hostfile * base:

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the CRL URL (http://kdc01.domain.tld/ipa.crl) all the files I see are very old (the MasterCRL.bin file is dated 28 June 2013), and on kdc02 it is newer (July 2 2013). On 28 June 2013 I patched the

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Rob Crittenden
Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the CRL URL (http://kdc01.domain.tld/ipa.crl) all the files I see are very old (the MasterCRL.bin file is dated 28 June 2013), and on kdc02 it is newer (July 2 2013). On 28

[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Орхан Касумов
Good day to everybody. There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39t=46526p=260146#p260146   For some reason the instructions in that post don't lead to a working solution. getent passwd/group return no data from the

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the CRL URL (http://kdc01.domain.tld/ipa.crl) all the files I see are very old (the MasterCRL.bin file is

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Jakub Hrozek
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote: Good day to everybody. There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39t=46526p=260146#p260146   For some reason the instructions in that post don't lead to

[Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without re-installing the server and clients?

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Rob Crittenden
quest monger wrote: Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and sudo work on all clients. I would like to replace the self-signed cert that is used on ports 389 and 636. Is there a way to do this without

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I was told by my admin team that self-signed certs pose a security risk. On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden rcrit...@redhat.com wrote: quest monger wrote: Hello All, I installed FreeIPA server on a CentOS host. I have 20+ Linux and Solaris clients hooked up to it. SSH and

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Lukas Slebodnik
On (13/10/14 20:33), Jakub Hrozek wrote: On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote: Good day to everybody. There's a post on how to make a FreeBSD client work with a FreeIPA server: https://forums.freebsd.org/viewtopic.php?f=39t=46526p=260146#p260146   For some reason

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I found some documentation for getting certificate signed by external CA (2.3.3.2. Using Different CA Configurations) - http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html But looks like those instructions apply to a first time fresh install, not for upgrading an

Re: [Freeipa-users] mastercrl.bin very old

2014-10-13 Thread Natxo Asenjo
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote: Natxo Asenjo wrote: On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: But if I go to the crl url

Re: [Freeipa-users] Migrate KRB DB hashes to IPA LDAP

2014-10-13 Thread Simo Sorce
On Mon, 13 Oct 2014 17:30:58 +0200 Andreas Ladanyi andreas.lada...@kit.edu wrote: My old system, from which I migrated the user/group accounts, uses Kerberos's own DB without LDAP for the principals. I could dump the master key: kdb5_util dump filename K/M@REALM. Now I have a lot

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal
On 10/12/2014 08:07 PM, James wrote: On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote: Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I tried the website, but did not see anything. Have about 3000

Re: [Freeipa-users] Migration from FreeIPA-Windows to FreeIPA-samba4

2014-10-13 Thread Dmitri Pal
On 10/13/2014 11:40 AM, Carlos Raúl Laguna wrote: 2014-10-09 18:12 GMT-04:00 Dmitri Pal d...@redhat.com mailto:d...@redhat.com: On 10/09/2014 04:38 PM, Carlos Raúl Laguna wrote: Hello to everyone, for some time now I have been pretty much stalking the samba project site,

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed. We have a contract with a third party CA that issues TLS

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread William Graboyes
Hi there, My understanding is the only way to install a third party cert is to start from scratch. The part that is unclear to me is if there is a method of exporting the data prior to, and importing the data after the fresh instance of freeipa has been installed. I assume that one would

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread James
On 13 October 2014 18:18, Dmitri Pal d...@redhat.com wrote: On 10/12/2014 08:07 PM, James wrote: On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote: Hi again, I was wondering if there were any suggestions for performance of IPA and settings to sysctl and maybe limits.conf? I

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread Dmitri Pal
On 10/13/2014 06:45 PM, quest monger wrote: I did the default IPA install, didn't change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed. We have a

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Dmitri Pal
On 10/13/2014 06:58 PM, James wrote: On 13 October 2014 18:18, Dmitri Pal d...@redhat.com wrote: On 10/12/2014 08:07 PM, James wrote: On 12 October 2014 19:55, Janelle janellenicol...@gmail.com wrote: Hi again, I was wondering if there were any suggestions for performance of IPA and settings

Re: [Freeipa-users] Replace Self-Signed Cert

2014-10-13 Thread quest monger
Makes sense. I will still try out that cert add command in my test environment, just to see if it works. Looks like for now, the 4.1 upgrade is my best option. On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal d...@redhat.com wrote: On 10/13/2014 06:45 PM, quest monger wrote: I did the default IPA
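Two checks that belong to threads on this page, written here as an added example and not taken from any of the messages: whether the certificates a FreeIPA server presents on 443 and 636 are truly self-signed or are issued by the IPA CA (the "Replace Self-Signed Cert" thread), and whether the CRL it publishes is still within its nextUpdate (the "mastercrl.bin very old" thread). Because the verifier has no IPA server to talk to, the script builds a constructed CA, a service certificate and a CRL with openssl and runs the checks against those; the realm EXAMPLE.TEST, the host kdc01.example.test and the fetch commands in the comments are assumptions, and the chain check used here is plain openssl verification, not anything FreeIPA itself runs.

```shell
#!/bin/sh
# Added example (not code from the Freeipa-users thread). Requires openssl.
set -eu

# cert_kind PEM: "self-signed" when Issuer equals Subject, else "ca-issued".
# An IPA-installed HTTP/LDAP certificate is issued by the IPA CA
# (CN=Certificate Authority,O=REALM), so it reports "ca-issued"; only the
# CA certificate itself is self-signed.
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] && echo self-signed || echo ca-issued
}

# verify_with_crl CA_PEM CRL_PEM LEAF_PEM: succeed only if LEAF chains to
# CA and the CRL is current. A stale CRL (nextUpdate in the past) fails with
# "CRL has expired", which is what a years-old MasterCRL.bin does to any
# client that checks revocation.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# crl_dates DER_CRL: print lastUpdate/nextUpdate of a DER CRL such as the
# MasterCRL.bin IPA serves (default install path, assumed:
#   curl -s -o MasterCRL.bin http://kdc01.example.test/ipa/crl/MasterCRL.bin ).
crl_dates() {
  openssl crl -inform DER -in "$1" -noout -lastupdate -nextupdate
}

# make_pki DIR: constructed CA, service cert and CRL standing in for an IPA
# deployment (ca.crt, svc.crt, MasterCRL.pem, MasterCRL.bin).
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/svc.key" -out "$d/svc.csr" \
    -subj "/O=EXAMPLE.TEST/CN=kdc01.example.test" 2>/dev/null
  openssl x509 -req -in "$d/svc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/svc.crt" -days 1 2>/dev/null
  # Minimal "openssl ca" configuration, just enough to issue a CRL.
  : > "$d/index.txt"
  echo 01 > "$d/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = ipa
[ ipa ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_crl_days = 7
EOF
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/MasterCRL.pem" 2>/dev/null
  # IPA publishes the CRL DER-encoded.
  openssl crl -in "$d/MasterCRL.pem" -outform DER -out "$d/MasterCRL.bin"
}

demo() {
  d=$(mktemp -d)
  make_pki "$d"
  echo "ca.crt:  $(cert_kind "$d/ca.crt")"
  echo "svc.crt: $(cert_kind "$d/svc.crt")"
  crl_dates "$d/MasterCRL.bin"
  if verify_with_crl "$d/ca.crt" "$d/MasterCRL.pem" "$d/svc.crt"; then
    echo "chain OK and CRL current"
  else
    echo "chain or CRL problem (stale CRL gives 'CRL has expired')"
  fi
  rm -rf "$d"
}

demo
```

Against a real server the same two ideas apply: `openssl s_client -connect kdc01.example.test:636 -CAfile /etc/ipa/ca.crt </dev/null` shows whether the LDAPS certificate chains to the IPA CA that enrolled clients already trust, and feeding the downloaded MasterCRL.bin to `crl_dates` shows at once whether the nextUpdate has passed.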

Re: [Freeipa-users] sysctl and/or limits.conf?

2014-10-13 Thread Janelle
Hi again, A lot of this information has been very useful. I did have a question I could not answer. I noticed in the Deployment Recommendations docs, it says not to have any more than 4 replication agreements. Perhaps I am missing something, but I don't see how to get a replica to be a

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Fraser Tweedale
On Mon, Oct 13, 2014 at 09:52:40AM -0700, Janelle wrote: After further investigation - it looks like the PKI base was altered/updated because even on a running server a yum update produces same error: # yum check-update Loaded plugins: fastestmirror, product-id, subscription-manager,

Re: [Freeipa-users] strange error from EL 7 install?

2014-10-13 Thread Janelle
Actually, I did find a fix and forgot to post. I was able to mirror the COPR repo, and after reviewing it, found that simply removing the pki-base...fc21 directory and regenerating the repo data with createrepo fixed the problem. It drops the version of PKI back to the 10.1 branch and that

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Orkhan Gasimov
Thanks to both of you for the interest. Here's the info you asked for: 1. Putting debug_level = 7 in either or both of the [domain] and [nss] sections of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some